7 Network Working Group K. Zeilenga
8 Request for Comments: 4512 OpenLDAP Foundation
9 Obsoletes: 2251, 2252, 2256, 3674 June 2006
10 Category: Standards Track
13 Lightweight Directory Access Protocol (LDAP):
14 Directory Information Models
18 This document specifies an Internet standards track protocol for the
19 Internet community, and requests discussion and suggestions for
20 improvements. Please refer to the current edition of the "Internet
21 Official Protocol Standards" (STD 1) for the standardization state
22 and status of this protocol. Distribution of this memo is unlimited.
26 Copyright (C) The Internet Society (2006).
30 The Lightweight Directory Access Protocol (LDAP) is an Internet
31 protocol for accessing distributed directory services that act in
32 accordance with X.500 data and service models. This document
33 describes the X.500 Directory Information Models, as used in LDAP.
58 Zeilenga Standards Track [Page 1]
60 RFC 4512 LDAP Models June 2006
65 1. Introduction ....................................................3
66 1.1. Relationship to Other LDAP Specifications ..................3
67 1.2. Relationship to X.501 ......................................4
68 1.3. Conventions ................................................4
69 1.4. Common ABNF Productions ....................................4
70 2. Model of Directory User Information .............................6
71 2.1. The Directory Information Tree .............................7
72 2.2. Structure of an Entry ......................................7
73 2.3. Naming of Entries ..........................................8
74 2.4. Object Classes .............................................9
75 2.5. Attribute Descriptions ....................................12
76 2.6. Alias Entries .............................................16
77 3. Directory Administrative and Operational Information ...........17
78 3.1. Subtrees ..................................................17
79 3.2. Subentries ................................................18
80 3.3. The 'objectClass' attribute ...............................18
81 3.4. Operational Attributes ....................................19
82 4. Directory Schema ...............................................22
83 4.1. Schema Definitions ........................................23
84 4.2. Subschema Subentries ......................................32
85 4.3. 'extensibleObject' object class ...........................35
86 4.4. Subschema Discovery .......................................35
87 5. DSA (Server) Informational Model ...............................36
88 5.1. Server-Specific Data Requirements .........................36
89 6. Other Considerations ...........................................40
90 6.1. Preservation of User Information ..........................40
91 6.2. Short Names ...............................................41
92 6.3. Cache and Shadowing .......................................41
93 7. Implementation Guidelines ......................................42
94 7.1. Server Guidelines .........................................42
95 7.2. Client Guidelines .........................................42
96 8. Security Considerations ........................................43
97 9. IANA Considerations ............................................43
98 10. Acknowledgements ..............................................44
99 11. Normative References ..........................................45
100 Appendix A. Changes ...............................................47
101 A.1. Changes to RFC 2251 .......................................47
102 A.2. Changes to RFC 2252 .......................................49
103 A.3. Changes to RFC 2256 .......................................50
104 A.4. Changes to RFC 3674 .......................................51
114 Zeilenga Standards Track [Page 2]
116 RFC 4512 LDAP Models June 2006
121 This document discusses the X.500 Directory Information Models
122 [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
125 The Directory is "a collection of open systems cooperating to provide
126 directory services" [X.500]. The information held in the Directory
127 is collectively known as the Directory Information Base (DIB). A
128 Directory user, which may be a human or other entity, accesses the
129 Directory through a client (or Directory User Agent (DUA)). The
130 client, on behalf of the directory user, interacts with one or more
131 servers (or Directory System Agents (DSA)). A server holds a
134 The DIB contains two classes of information:
136 1) user information (e.g., information provided and administrated
137 by users). Section 2 describes the Model of User Information.
139 2) administrative and operational information (e.g., information
140 used to administer and/or operate the directory). Section 3
141 describes the model of Directory Administrative and Operational
144 These two models, referred to as the generic Directory Information
145 Models, describe how information is represented in the Directory.
146 These generic models provide a framework for other information
147 models. Section 4 discusses the subschema information model and
148 subschema discovery. Section 5 discusses the DSA (Server)
151 Other X.500 information models (such as access control distribution
152 knowledge and replication knowledge information models) may be
153 adapted for use in LDAP. Specification of how these models apply to
154 LDAP is left to future documents.
156 1.1. Relationship to Other LDAP Specifications
158 This document is a integral part of the LDAP technical specification
159 [RFC4510], which obsoletes the previously defined LDAP technical
160 specification, RFC 3377, in its entirety.
162 This document obsoletes RFC 2251, Sections 3.2 and 3.4, as well as
163 portions of Sections 4 and 6. Appendix A.1 summarizes changes to
164 these sections. The remainder of RFC 2251 is obsoleted by the
165 [RFC4511], [RFC4513], and [RFC4510] documents.
170 Zeilenga Standards Track [Page 3]
172 RFC 4512 LDAP Models June 2006
175 This document obsoletes RFC 2252, Sections 4, 5, and 7. Appendix A.2
176 summarizes changes to these sections. The remainder of RFC 2252 is
177 obsoleted by [RFC4517].
179 This document obsoletes RFC 2256, Sections 5.1, 5.2, 7.1, and 7.2.
180 Appendix A.3 summarizes changes to these sections. The remainder of
181 RFC 2256 is obsoleted by [RFC4519] and [RFC4517].
183 This document obsoletes RFC 3674 in its entirety. Appendix A.4
184 summarizes changes since RFC 3674.
186 1.2. Relationship to X.501
188 This document includes material, with and without adaptation, from
189 [X.501] as necessary to describe this protocol. These adaptations
190 (and any other differences herein) apply to this protocol, and only
195 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
196 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
197 document are to be interpreted as described in BCP 14 [RFC2119].
199 Schema definitions are provided using LDAP description formats (as
200 defined in Section 4.1). Definitions provided here are formatted
201 (line wrapped) for readability. Matching rules and LDAP syntaxes
202 referenced in these definitions are specified in [RFC4517].
204 1.4. Common ABNF Productions
206 A number of syntaxes in this document are described using Augmented
207 Backus-Naur Form (ABNF) [RFC4234]. These syntaxes (as well as a
208 number of syntaxes defined in other documents) rely on the following
211 keystring = leadkeychar *keychar
213 keychar = ALPHA / DIGIT / HYPHEN
214 number = DIGIT / ( LDIGIT 1*DIGIT )
216 ALPHA = %x41-5A / %x61-7A ; "A"-"Z" / "a"-"z"
217 DIGIT = %x30 / LDIGIT ; "0"-"9"
218 LDIGIT = %x31-39 ; "1"-"9"
219 HEX = DIGIT / %x41-46 / %x61-66 ; "0"-"9" / "A"-"F" / "a"-"f"
221 SP = 1*SPACE ; one or more " "
222 WSP = 0*SPACE ; zero or more " "
226 Zeilenga Standards Track [Page 4]
228 RFC 4512 LDAP Models June 2006
231 NULL = %x00 ; null (0)
232 SPACE = %x20 ; space (" ")
233 DQUOTE = %x22 ; quote (""")
234 SHARP = %x23 ; octothorpe (or sharp sign) ("#")
235 DOLLAR = %x24 ; dollar sign ("$")
236 SQUOTE = %x27 ; single quote ("'")
237 LPAREN = %x28 ; left paren ("(")
238 RPAREN = %x29 ; right paren (")")
239 PLUS = %x2B ; plus sign ("+")
240 COMMA = %x2C ; comma (",")
241 HYPHEN = %x2D ; hyphen ("-")
242 DOT = %x2E ; period (".")
243 SEMI = %x3B ; semicolon (";")
244 LANGLE = %x3C ; left angle bracket ("<")
245 EQUALS = %x3D ; equals sign ("=")
246 RANGLE = %x3E ; right angle bracket (">")
247 ESC = %x5C ; backslash ("\")
248 USCORE = %x5F ; underscore ("_")
249 LCURLY = %x7B ; left curly brace "{"
250 RCURLY = %x7D ; right curly brace "}"
252 ; Any UTF-8 [RFC3629] encoded Unicode [Unicode] character
254 UTFMB = UTF2 / UTF3 / UTF4
258 UTF3 = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) /
259 %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)
260 UTF4 = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /
263 OCTET = %x00-FF ; Any octet (8-bit data unit)
265 Object identifiers (OIDs) [X.680] are represented in LDAP using a
266 dot-decimal format conforming to the ABNF:
268 numericoid = number 1*( DOT number )
270 Short names, also known as descriptors, are used as more readable
271 aliases for object identifiers. Short names are case insensitive and
282 Zeilenga Standards Track [Page 5]
284 RFC 4512 LDAP Models June 2006
287 Where either an object identifier or a short name may be specified,
288 the following production is used:
290 oid = descr / numericoid
292 While the <descr> form is generally preferred when the usage is
293 restricted to short names referring to object identifiers that
294 identify like kinds of objects (e.g., attribute type descriptions,
295 matching rule descriptions, object class descriptions), the
296 <numericoid> form should be used when the object identifiers may
297 identify multiple kinds of objects or when an unambiguous short name
298 (descriptor) is not available.
300 Implementations SHOULD treat short names (descriptors) used in an
301 ambiguous manner (as discussed above) as unrecognized.
303 Short Names (descriptors) are discussed further in Section 6.2.
305 2. Model of Directory User Information
309 The purpose of the Directory is to hold, and provide access to,
310 information about objects of interest (objects) in some 'world'.
311 An object can be anything which is identifiable (can be named).
313 An object class is an identified family of objects, or conceivable
314 objects, which share certain characteristics. Every object
315 belongs to at least one class. An object class may be a subclass
316 of other object classes, in which case the members of the former
317 class, the subclass, are also considered to be members of the
318 latter classes, the superclasses. There may be subclasses of
319 subclasses, etc., to an arbitrary depth.
321 A directory entry, a named collection of information, is the basic
322 unit of information held in the Directory. There are multiple kinds
323 of directory entries.
325 An object entry represents a particular object. An alias entry
326 provides alternative naming. A subentry holds administrative and/or
327 operational information.
329 The set of entries representing the DIB are organized hierarchically
330 in a tree structure known as the Directory Information Tree (DIT).
332 Section 2.1 describes the Directory Information Tree.
333 Section 2.2 discusses the structure of entries.
334 Section 2.3 discusses naming of entries.
338 Zeilenga Standards Track [Page 6]
340 RFC 4512 LDAP Models June 2006
343 Section 2.4 discusses object classes.
344 Section 2.5 discusses attribute descriptions.
345 Section 2.6 discusses alias entries.
347 2.1. The Directory Information Tree
349 As noted above, the DIB is composed of a set of entries organized
350 hierarchically in a tree structure known as the Directory Information
351 Tree (DIT); specifically, a tree where vertices are the entries.
353 The arcs between vertices define relations between entries. If an
354 arc exists from X to Y, then the entry at X is the immediate superior
355 of Y, and Y is the immediate subordinate of X. An entry's superiors
356 are the entry's immediate superior and its superiors. An entry's
357 subordinates are all of its immediate subordinates and their
360 Similarly, the superior/subordinate relationship between object
361 entries can be used to derive a relation between the objects they
362 represent. DIT structure rules can be used to govern relationships
365 Note: An entry's immediate superior is also known as the entry's
366 parent, and an entry's immediate subordinate is also known as
367 the entry's child. Entries that have the same parent are known
370 2.2. Structure of an Entry
372 An entry consists of a set of attributes that hold information about
373 the object that the entry represents. Some attributes represent user
374 information and are called user attributes. Other attributes
375 represent operational and/or administrative information and are
376 called operational attributes.
378 An attribute is an attribute description (a type and zero or more
379 options) with one or more associated values. An attribute is often
380 referred to by its attribute description. For example, the
381 'givenName' attribute is the attribute that consists of the attribute
382 description 'givenName' (the 'givenName' attribute type [RFC4519] and
383 zero options) and one or more associated values.
385 The attribute type governs whether the attribute can have multiple
386 values, the syntax and matching rules used to construct and compare
387 values of that attribute, and other functions. Options indicate
388 subtypes and other functions.
390 Attribute values conform to the defined syntax of the attribute type.
394 Zeilenga Standards Track [Page 7]
396 RFC 4512 LDAP Models June 2006
399 No two values of an attribute may be equivalent. Two values are
400 considered equivalent if and only if they would match according to
401 the equality matching rule of the attribute type. Or, if the
402 attribute type is defined with no equality matching rule, two values
403 are equivalent if and only if they are identical. (See 2.5.1 for
406 For example, a 'givenName' attribute can have more than one value,
407 they must be Directory Strings, and they are case insensitive. A
408 'givenName' attribute cannot hold both "John" and "JOHN", as these
409 are equivalent values per the equality matching rule of the attribute
412 Additionally, no attribute is to have a value that is not equivalent
413 to itself. For example, the 'givenName' attribute cannot have as a
414 value a directory string that includes the REPLACEMENT CHARACTER
415 (U+FFFD) code point, as matching involving that directory string is
416 Undefined per this attribute's equality matching rule.
418 When an attribute is used for naming of the entry, one and only one
419 value of the attribute is used in forming the Relative Distinguished
420 Name. This value is known as a distinguished value.
422 2.3. Naming of Entries
424 2.3.1. Relative Distinguished Names
426 Each entry is named relative to its immediate superior. This
427 relative name, known as its Relative Distinguished Name (RDN)
428 [X.501], is composed of an unordered set of one or more attribute
429 value assertions (AVA) consisting of an attribute description with
430 zero options and an attribute value. These AVAs are chosen to match
431 attribute values (each a distinguished value) of the entry.
433 An entry's relative distinguished name must be unique among all
434 immediate subordinates of the entry's immediate superior (i.e., all
437 The following are examples of string representations of RDNs
442 CN=Kurt Zeilenga+L=Redwood Shores
444 The last is an example of a multi-valued RDN; that is, an RDN
445 composed of multiple AVAs.
450 Zeilenga Standards Track [Page 8]
452 RFC 4512 LDAP Models June 2006
455 2.3.2. Distinguished Names
457 An entry's fully qualified name, known as its Distinguished Name (DN)
458 [X.501], is the concatenation of its RDN and its immediate superior's
459 DN. A Distinguished Name unambiguously refers to an entry in the
460 tree. The following are examples of string representations of DNs
463 UID=nobody@example.com,DC=example,DC=com
464 CN=John Smith,OU=Sales,O=ACME Limited,L=Moab,ST=Utah,C=US
468 An alias, or alias name, is "an name for an object, provided by the
469 use of alias entries" [X.501]. Alias entries are described in
474 An object class is "an identified family of objects (or conceivable
475 objects) that share certain characteristics" [X.501].
477 As defined in [X.501]:
479 Object classes are used in the Directory for a number of purposes:
481 - describing and categorizing objects and the entries that
482 correspond to these objects;
484 - where appropriate, controlling the operation of the Directory;
486 - regulating, in conjunction with DIT structure rule
487 specifications, the position of entries in the DIT;
489 - regulating, in conjunction with DIT content rule
490 specifications, the attributes that are contained in entries;
492 - identifying classes of entry that are to be associated with a
493 particular policy by the appropriate administrative authority.
495 An object class (a subclass) may be derived from an object class
496 (its direct superclass) which is itself derived from an even more
497 generic object class. For structural object classes, this process
498 stops at the most generic object class, 'top' (defined in Section
499 2.4.1). An ordered set of superclasses up to the most superior
500 object class of an object class is its superclass chain.
506 Zeilenga Standards Track [Page 9]
508 RFC 4512 LDAP Models June 2006
511 An object class may be derived from two or more direct
512 superclasses (superclasses not part of the same superclass chain).
513 This feature of subclassing is termed multiple inheritance.
515 Each object class identifies the set of attributes required to be
516 present in entries belonging to the class and the set of attributes
517 allowed to be present in entries belonging to the class. As an entry
518 of a class must meet the requirements of each class it belongs to, it
519 can be said that an object class inherits the sets of allowed and
520 required attributes from its superclasses. A subclass can identify
521 an attribute allowed by its superclass as being required. If an
522 attribute is a member of both sets, it is required to be present.
524 Each object class is defined to be one of three kinds of object
525 classes: Abstract, Structural, or Auxiliary.
527 Each object class is identified by an object identifier (OID) and,
528 optionally, one or more short names (descriptors).
530 2.4.1. Abstract Object Classes
532 An abstract object class, as the name implies, provides a base of
533 characteristics from which other object classes can be defined to
534 inherit from. An entry cannot belong to an abstract object class
535 unless it belongs to a structural or auxiliary class that inherits
536 from that abstract class.
538 Abstract object classes cannot derive from structural or auxiliary
541 All structural object classes derive (directly or indirectly) from
542 the 'top' abstract object class. Auxiliary object classes do not
543 necessarily derive from 'top'.
545 The following is the object class definition (see Section 4.1.1) for
546 the 'top' object class:
548 ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
550 All entries belong to the 'top' abstract object class.
562 Zeilenga Standards Track [Page 10]
564 RFC 4512 LDAP Models June 2006
567 2.4.2. Structural Object Classes
569 As stated in [X.501]:
571 An object class defined for use in the structural specification of
572 the DIT is termed a structural object class. Structural object
573 classes are used in the definition of the structure of the names
574 of the objects for compliant entries.
576 An object or alias entry is characterized by precisely one
577 structural object class superclass chain which has a single
578 structural object class as the most subordinate object class.
579 This structural object class is referred to as the structural
580 object class of the entry.
582 Structural object classes are related to associated entries:
584 - an entry conforming to a structural object class shall
585 represent the real-world object constrained by the object
588 - DIT structure rules only refer to structural object classes;
589 the structural object class of an entry is used to specify the
590 position of the entry in the DIT;
592 - the structural object class of an entry is used, along with an
593 associated DIT content rule, to control the content of an
596 The structural object class of an entry shall not be changed.
598 Each structural object class is a (direct or indirect) subclass of
599 the 'top' abstract object class.
601 Structural object classes cannot subclass auxiliary object classes.
603 Each entry is said to belong to its structural object class as well
604 as all classes in its structural object class's superclass chain.
606 2.4.3. Auxiliary Object Classes
608 Auxiliary object classes are used to augment the characteristics of
609 entries. They are commonly used to augment the sets of attributes
610 required and allowed to be present in an entry. They can be used to
611 describe entries or classes of entries.
613 Auxiliary object classes cannot subclass structural object classes.
618 Zeilenga Standards Track [Page 11]
620 RFC 4512 LDAP Models June 2006
623 An entry can belong to any subset of the set of auxiliary object
624 classes allowed by the DIT content rule associated with the
625 structural object class of the entry. If no DIT content rule is
626 associated with the structural object class of the entry, the entry
627 cannot belong to any auxiliary object class.
629 The set of auxiliary object classes that an entry belongs to can
632 2.5. Attribute Descriptions
634 An attribute description is composed of an attribute type (see
635 Section 2.5.1) and a set of zero or more attribute options (see
638 An attribute description is represented by the ABNF:
640 attributedescription = attributetype options
642 options = *( SEMI option )
645 where <attributetype> identifies the attribute type and each <option>
646 identifies an attribute option. Both <attributetype> and <option>
647 productions are case insensitive. The order in which <option>s
648 appear is irrelevant. That is, any two <attributedescription>s that
649 consist of the same <attributetype> and same set of <option>s are
652 Examples of valid attribute descriptions:
658 An attribute description with an unrecognized attribute type is to be
659 treated as unrecognized. Servers SHALL treat an attribute
660 description with an unrecognized attribute option as unrecognized.
661 Clients MAY treat an unrecognized attribute option as a tagging
662 option (see Section 2.5.2.1).
664 All attributes of an entry must have distinct attribute descriptions.
666 2.5.1. Attribute Types
668 An attribute type governs whether the attribute can have multiple
669 values, the syntax and matching rules used to construct and compare
670 values of that attribute, and other functions.
674 Zeilenga Standards Track [Page 12]
676 RFC 4512 LDAP Models June 2006
679 If no equality matching is specified for the attribute type:
681 - the attribute (of the type) cannot be used for naming;
682 - when adding the attribute (or replacing all values), no two
683 values may be equivalent (see 2.2);
684 - individual values of a multi-valued attribute are not to be
685 independently added or deleted;
686 - attribute value assertions (such as matching in search filters
687 and comparisons) using values of such a type cannot be
690 Otherwise, the specified equality matching rule is to be used to
691 evaluate attribute value assertions concerning the attribute type.
692 The specified equality rule is to be transitive and commutative.
694 The attribute type indicates whether the attribute is a user
695 attribute or an operational attribute. If operational, the attribute
696 type indicates the operational usage and whether or not the attribute
697 is modifiable by users. Operational attributes are discussed in
700 An attribute type (a subtype) may derive from a more generic
701 attribute type (a direct supertype). The following restrictions
704 - a subtype must have the same usage as its direct supertype,
705 - a subtype's syntax must be the same, or a refinement of, its
706 supertype's syntax, and
707 - a subtype must be collective [RFC3671] if its supertype is
710 An attribute description consisting of a subtype and no options is
711 said to be the direct description subtype of the attribute
712 description consisting of the subtype's direct supertype and no
715 Each attribute type is identified by an object identifier (OID) and,
716 optionally, one or more short names (descriptors).
718 2.5.2. Attribute Options
720 There are multiple kinds of attribute description options. The LDAP
721 technical specification details one kind: tagging options.
723 Not all options can be associated with attributes held in the
724 directory. Tagging options can be.
730 Zeilenga Standards Track [Page 13]
732 RFC 4512 LDAP Models June 2006
735 Not all options can be used in conjunction with all attribute types.
736 In such cases, the attribute description is to be treated as
739 An attribute description that contains mutually exclusive options
740 shall be treated as unrecognized. That is, "cn;x-bar;x-foo", where
741 "x-foo" and "x-bar" are mutually exclusive, is to be treated as
744 Other kinds of options may be specified in future documents. These
745 documents must detail how new kinds of options they define relate to
746 tagging options. In particular, these documents must detail whether
747 or not new kinds of options can be associated with attributes held in
748 the directory, how new kinds of options affect transfer of attribute
749 values, and how new kinds of options are treated in attribute
750 description hierarchies.
752 Options are represented as short, case-insensitive textual strings
753 conforming to the <option> production defined in Section 2.5 of this
756 Procedures for registering options are detailed in BCP 64, RFC 4520
759 2.5.2.1. Tagging Options
761 Attributes held in the directory can have attribute descriptions with
762 any number of tagging options. Tagging options are never mutually
765 An attribute description with N tagging options is a direct
766 (description) subtype of all attribute descriptions of the same
767 attribute type and all but one of the N options. If the attribute
768 type has a supertype, then the attribute description is also a direct
769 (description) subtype of the attribute description of the supertype
770 and the N tagging options. That is, 'cn;lang-de;lang-en' is a direct
771 (description) subtype of 'cn;lang-de', 'cn;lang-en', and
772 'name;lang-de;lang-en' ('cn' is a subtype of 'name'; both are defined
775 2.5.3. Attribute Description Hierarchies
777 An attribute description can be the direct subtype of zero or more
778 other attribute descriptions as indicated by attribute type subtyping
779 (as described in Section 2.5.1) or attribute tagging option subtyping
780 (as described in Section 2.5.2.1). These subtyping relationships are
781 used to form hierarchies of attribute descriptions and attributes.
786 Zeilenga Standards Track [Page 14]
788 RFC 4512 LDAP Models June 2006
791 As adapted from [X.501]:
793 Attribute hierarchies allow access to the DIB with varying degrees
794 of granularity. This is achieved by allowing the value components
795 of attributes to be accessed by using either their specific
796 attribute description (a direct reference to the attribute) or a
797 more generic attribute description (an indirect reference).
799 Semantically related attributes may be placed in a hierarchical
800 relationship, the more specialized being placed subordinate to the
801 more generalized. Searching for or retrieving attributes and
802 their values is made easier by quoting the more generalized
803 attribute description; a filter item so specified is evaluated for
804 the more specialized descriptions as well as for the quoted
807 Where subordinate specialized descriptions are selected to be
808 returned as part of a search result these descriptions shall be
809 returned if available. Where the more general descriptions are
810 selected to be returned as part of a search result both the
811 general and the specialized descriptions shall be returned, if
812 available. An attribute value shall always be returned as a value
813 of its own attribute description.
815 All of the attribute descriptions in an attribute hierarchy are
816 treated as distinct and unrelated descriptions for user
817 modification of entry content.
819 An attribute value stored in an object or alias entry is of
820 precisely one attribute description. The description is indicated
821 when the value is originally added to the entry.
823 For the purpose of subschema administration of the entry, a
824 specification that an attribute is required is fulfilled if the entry
825 contains a value of an attribute description belonging to an
826 attribute hierarchy where the attribute type of that description is
827 the same as the required attribute's type. That is, a "MUST name"
828 specification is fulfilled by 'name' or 'name;x-tag-option', but is
829 not fulfilled by 'CN' or 'CN;x-tag-option' (even though 'CN' is a
830 subtype of 'name'). Likewise, an entry may contain a value of an
831 attribute description belonging to an attribute hierarchy where the
832 attribute type of that description is either explicitly included in
833 the definition of an object class to which the entry belongs or
834 allowed by the DIT content rule applicable to that entry. That is,
835 'name' and 'name;x-tag-option' are allowed by "MAY name" (or by "MUST
836 name"), but 'CN' and 'CN;x-tag-option' are not allowed by "MAY name"
842 Zeilenga Standards Track [Page 15]
844 RFC 4512 LDAP Models June 2006
847 For the purposes of other policy administration, unless stated
848 otherwise in the specification of the particular administrative
849 model, all of the attribute descriptions in an attribute hierarchy
850 are treated as distinct and unrelated descriptions.
854 As adapted from [X.501]:
856 An alias, or an alias name, for an object is an alternative name
857 for an object or object entry which is provided by the use of
860 Each alias entry contains, within the 'aliasedObjectName'
861 attribute (known as the 'aliasedEntryName' attribute in X.500), a
862 name of some object. The distinguished name of the alias entry is
863 thus also a name for this object.
865 NOTE - The name within the 'aliasedObjectName' is said to be
866 pointed to by the alias. It does not have to be the
867 distinguished name of any entry.
869 The conversion of an alias name to an object name is termed
870 (alias) dereferencing and comprises the systematic replacement of
871 alias names, where found within a purported name, by the value of
872 the corresponding 'aliasedObjectName' attribute. The process may
873 require the examination of more than one alias entry.
875 Any particular entry in the DIT may have zero or more alias names.
876 It therefore follows that several alias entries may point to the
877 same entry. An alias entry may point to an entry that is not a
878 leaf entry and may point to another alias entry.
880 An alias entry shall have no subordinates, so that an alias entry
881 is always a leaf entry.
883 Every alias entry shall belong to the 'alias' object class.
885 An entry with the 'alias' object class must also belong to an object
886 class (or classes), or be governed by a DIT content rule, which
887 allows suitable naming attributes to be present.
891 dn: cn=bar,dc=example,dc=com
894 objectClass: extensibleObject
898 Zeilenga Standards Track [Page 16]
900 RFC 4512 LDAP Models June 2006
904 aliasedObjectName: cn=foo,dc=example,dc=com
906 2.6.1. 'alias' Object Class
908 Alias entries belong to the 'alias' object class.
910 ( 2.5.6.1 NAME 'alias'
912 MUST aliasedObjectName )
914 2.6.2. 'aliasedObjectName' Attribute Type
916 The 'aliasedObjectName' attribute holds the name of the entry an
917 alias points to. The 'aliasedObjectName' attribute is known as the
918 'aliasedEntryName' attribute in X.500.
920 ( 2.5.4.1 NAME 'aliasedObjectName'
921 EQUALITY distinguishedNameMatch
922 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
925 The 'distinguishedNameMatch' matching rule and the DistinguishedName
926 (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [RFC4517].
928 3. Directory Administrative and Operational Information
930 This section discusses select aspects of the X.500 Directory
931 Administrative and Operational Information model [X.501]. LDAP
932 implementations MAY support other aspects of this model.
936 As defined in [X.501]:
938 A subtree is a collection of object and alias entries situated at
939 the vertices of a tree. Subtrees do not contain subentries. The
940 prefix sub, in subtree, emphasizes that the base (or root) vertex
941 of this tree is usually subordinate to the root of the DIT.
943 A subtree begins at some vertex and extends to some identifiable
944 lower boundary, possibly extending to leaves. A subtree is always
945 defined within a context which implicitly bounds the subtree. For
946 example, the vertex and lower boundaries of a subtree defining a
947 replicated area are bounded by a naming context.
954 Zeilenga Standards Track [Page 17]
956 RFC 4512 LDAP Models June 2006
961 A subentry is a "special sort of entry, known by the Directory, used
962 to hold information associated with a subtree or subtree refinement"
963 [X.501]. Subentries are used in Directory to hold for administrative
964 and operational purposes as defined in [X.501]. Their use in LDAP is
965 detailed in [RFC3672].
967 The term "(sub)entry" in this specification indicates that servers
968 implementing X.500(93) models are, in accordance with X.500(93) as
969 described in [RFC3672], to use a subentry and that other servers are
970 to use an object entry belonging to the appropriate auxiliary class
971 normally used with the subentry (e.g., 'subschema' for subschema
972 subentries) to mimic the subentry. This object entry's RDN SHALL be
973 formed from a value of the 'cn' (commonName) attribute [RFC4519] (as
974 all subentries are named with 'cn').
976 3.3. The 'objectClass' attribute
978 Each entry in the DIT has an 'objectClass' attribute.
980 ( 2.5.4.0 NAME 'objectClass'
981 EQUALITY objectIdentifierMatch
982 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
984 The 'objectIdentifierMatch' matching rule and the OBJECT IDENTIFIER
985 (1.3.6.1.4.1.1466.115.121.1.38) syntax are defined in [RFC4517].
987 The 'objectClass' attribute specifies the object classes of an entry,
988 which (among other things) are used in conjunction with the
989 controlling schema to determine the permitted attributes of an entry.
990 Values of this attribute can be modified by clients, but the
991 'objectClass' attribute cannot be removed.
993 Servers that follow X.500(93) models SHALL restrict modifications of
994 this attribute to prevent the basic structural class of the entry
995 from being changed. That is, one cannot change a 'person' into a
998 When creating an entry or adding an 'objectClass' value to an entry,
999 all superclasses of the named classes SHALL be implicitly added as
1000 well if not already present. That is, if the auxiliary class 'x-a'
1001 is a subclass of the class 'x-b', adding 'x-a' to 'objectClass'
1002 causes 'x-b' to be implicitly added (if is not already present).
1004 Servers SHALL restrict modifications of this attribute to prevent
1005 superclasses of remaining 'objectClass' values from being deleted.
1006 That is, if the auxiliary class 'x-a' is a subclass of the auxiliary
1010 Zeilenga Standards Track [Page 18]
1012 RFC 4512 LDAP Models June 2006
1015 class 'x-b' and the 'objectClass' attribute contains 'x-a' and 'x-b',
1016 an attempt to delete only 'x-b' from the 'objectClass' attribute is
1019 3.4. Operational Attributes
1021 Some attributes, termed operational attributes, are used or
1022 maintained by servers for administrative and operational purposes.
1023 As stated in [X.501]: "There are three varieties of operational
1024 attributes: Directory operational attributes, DSA-shared operational
1025 attributes, and DSA-specific operational attributes".
1027 A directory operational attribute is used to represent operational
1028 and/or administrative information in the Directory Information Model.
1029 This includes operational attributes maintained by the server (e.g.,
1030 'createTimestamp') as well as operational attributes that hold values
1031 administrated by the user (e.g., 'ditContentRules').
1033 A DSA-shared operational attribute is used to represent information
1034 of the DSA Information Model that is shared between DSAs.
1036 A DSA-specific operational attribute is used to represent information
1037 of the DSA Information Model that is specific to the DSA (though, in
1038 some cases, may be derived from information shared between DSAs;
1039 e.g., 'namingContexts').
1041 The DSA Information Model operational attributes are detailed in
1044 Operational attributes are not normally visible. They are not
1045 returned in search results unless explicitly requested by name.
1047 Not all operational attributes are user modifiable.
1049 Entries may contain, among others, the following operational
1052 - creatorsName: the Distinguished Name of the user who added this
1053 entry to the directory,
1055 - createTimestamp: the time this entry was added to the directory,
1057 - modifiersName: the Distinguished Name of the user who last
1058 modified this entry, and
1060 - modifyTimestamp: the time this entry was last modified.
1066 Zeilenga Standards Track [Page 19]
1068 RFC 4512 LDAP Models June 2006
1071 Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
1072 'modifiersName', and 'modifyTimestamp' attributes for all entries of
1075 3.4.1. 'creatorsName'
1077 This attribute appears in entries that were added using the protocol
1078 (e.g., using the Add operation). The value is the distinguished name
1081 ( 2.5.18.3 NAME 'creatorsName'
1082 EQUALITY distinguishedNameMatch
1083 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1084 SINGLE-VALUE NO-USER-MODIFICATION
1085 USAGE directoryOperation )
1087 The 'distinguishedNameMatch' matching rule and the DistinguishedName
1088 (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [RFC4517].
1090 3.4.2. 'createTimestamp'
1092 This attribute appears in entries that were added using the protocol
1093 (e.g., using the Add operation). The value is the time the entry was
1096 ( 2.5.18.1 NAME 'createTimestamp'
1097 EQUALITY generalizedTimeMatch
1098 ORDERING generalizedTimeOrderingMatch
1099 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
1100 SINGLE-VALUE NO-USER-MODIFICATION
1101 USAGE directoryOperation )
1103 The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch'
1104 matching rules and the GeneralizedTime
1105 (1.3.6.1.4.1.1466.115.121.1.24) syntax are defined in [RFC4517].
1107 3.4.3. 'modifiersName'
1109 This attribute appears in entries that have been modified using the
1110 protocol (e.g., using the Modify operation). The value is the
1111 distinguished name of the last modifier.
1113 ( 2.5.18.4 NAME 'modifiersName'
1114 EQUALITY distinguishedNameMatch
1115 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1116 SINGLE-VALUE NO-USER-MODIFICATION
1117 USAGE directoryOperation )
1122 Zeilenga Standards Track [Page 20]
1124 RFC 4512 LDAP Models June 2006
1127 The 'distinguishedNameMatch' matching rule and the DistinguishedName
1128 (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [RFC4517].
1130 3.4.4. 'modifyTimestamp'
1132 This attribute appears in entries that have been modified using the
1133 protocol (e.g., using the Modify operation). The value is the time
1134 the entry was last modified.
1136 ( 2.5.18.2 NAME 'modifyTimestamp'
1137 EQUALITY generalizedTimeMatch
1138 ORDERING generalizedTimeOrderingMatch
1139 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
1140 SINGLE-VALUE NO-USER-MODIFICATION
1141 USAGE directoryOperation )
1143 The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch'
1144 matching rules and the GeneralizedTime
1145 (1.3.6.1.4.1.1466.115.121.1.24) syntax are defined in [RFC4517].
1147 3.4.5. 'structuralObjectClass'
1149 This attribute indicates the structural object class of the entry.
1151 ( 2.5.21.9 NAME 'structuralObjectClass'
1152 EQUALITY objectIdentifierMatch
1153 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
1154 SINGLE-VALUE NO-USER-MODIFICATION
1155 USAGE directoryOperation )
1157 The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
1158 (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [RFC4517].
1160 3.4.6. 'governingStructureRule'
1162 This attribute indicates the structure rule governing the entry.
1164 ( 2.5.21.10 NAME 'governingStructureRule'
1165 EQUALITY integerMatch
1166 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
1167 SINGLE-VALUE NO-USER-MODIFICATION
1168 USAGE directoryOperation )
1170 The 'integerMatch' matching rule and INTEGER
1171 (1.3.6.1.4.1.1466.115.121.1.27) syntax is defined in [RFC4517].
1178 Zeilenga Standards Track [Page 21]
1180 RFC 4512 LDAP Models June 2006
1185 As defined in [X.501]:
1187 The Directory Schema is a set of definitions and constraints
1188 concerning the structure of the DIT, the possible ways entries are
1189 named, the information that can be held in an entry, the
1190 attributes used to represent that information and their
1191 organization into hierarchies to facilitate search and retrieval
1192 of the information and the ways in which values of attributes may
1193 be matched in attribute value and matching rule assertions.
1195 NOTE 1 - The schema enables the Directory system to, for example:
1197 - prevent the creation of subordinate entries of the wrong
1198 object-class (e.g., a country as a subordinate of a person);
1200 - prevent the addition of attribute-types to an entry
1201 inappropriate to the object-class (e.g., a serial number to a
1204 - prevent the addition of an attribute value of a syntax not
1205 matching that defined for the attribute-type (e.g., a printable
1206 string to a bit string).
1208 Formally, the Directory Schema comprises a set of:
1210 a) Name Form definitions that define primitive naming relations
1211 for structural object classes;
1213 b) DIT Structure Rule definitions that define the names that
1214 entries may have and the ways in which the entries may be
1215 related to one another in the DIT;
1217 c) DIT Content Rule definitions that extend the specification of
1218 allowable attributes for entries beyond those indicated by the
1219 structural object classes of the entries;
1221 d) Object Class definitions that define the basic set of mandatory
1222 and optional attributes that shall be present, and may be
1223 present, respectively, in an entry of a given class, and which
1224 indicate the kind of object class that is being defined;
1234 Zeilenga Standards Track [Page 22]
1236 RFC 4512 LDAP Models June 2006
1239 e) Attribute Type definitions that identify the object identifier
1240 by which an attribute is known, its syntax, associated matching
1241 rules, whether it is an operational attribute and if so its
1242 type, whether it is a collective attribute, whether it is
1243 permitted to have multiple values and whether or not it is
1244 derived from another attribute type;
1246 f) Matching Rule definitions that define matching rules.
1250 g) LDAP Syntax definitions that define encodings used in LDAP.
1252 4.1. Schema Definitions
1254 Schema definitions in this section are described using ABNF and rely
1255 on the common productions specified in Section 1.2 as well as these:
1257 noidlen = numericoid [ LCURLY len RCURLY ]
1260 oids = oid / ( LPAREN WSP oidlist WSP RPAREN )
1261 oidlist = oid *( WSP DOLLAR WSP oid )
1263 extensions = *( SP xstring SP qdstrings )
1264 xstring = "X" HYPHEN 1*( ALPHA / HYPHEN / USCORE )
1266 qdescrs = qdescr / ( LPAREN WSP qdescrlist WSP RPAREN )
1267 qdescrlist = [ qdescr *( SP qdescr ) ]
1268 qdescr = SQUOTE descr SQUOTE
1270 qdstrings = qdstring / ( LPAREN WSP qdstringlist WSP RPAREN )
1271 qdstringlist = [ qdstring *( SP qdstring ) ]
1272 qdstring = SQUOTE dstring SQUOTE
1273 dstring = 1*( QS / QQ / QUTF8 ) ; escaped UTF-8 string
1275 QQ = ESC %x32 %x37 ; "\27"
1276 QS = ESC %x35 ( %x43 / %x63 ) ; "\5C" / "\5c"
1278 ; Any UTF-8 encoded Unicode character
1279 ; except %x27 ("\'") and %x5C ("\")
1280 QUTF8 = QUTF1 / UTFMB
1282 ; Any ASCII character except %x27 ("\'") and %x5C ("\")
1283 QUTF1 = %x00-26 / %x28-5B / %x5D-7F
1285 Schema definitions in this section also share a number of common
1290 Zeilenga Standards Track [Page 23]
1292 RFC 4512 LDAP Models June 2006
1295 The NAME field provides a set of short names (descriptors) that are
1296 to be used as aliases for the OID.
1298 The DESC field optionally allows a descriptive string to be provided
1299 by the directory administrator and/or implementor. While
1300 specifications may suggest a descriptive string, there is no
1301 requirement that the suggested (or any) descriptive string be used.
1303 The OBSOLETE field, if present, indicates the element is not active.
1305 Implementors should note that future versions of this document may
1306 expand these definitions to include additional terms. Terms whose
1307 identifier begins with "X-" are reserved for private experiments and
1308 are followed by <SP> and <qdstrings> tokens.
1310 4.1.1. Object Class Definitions
1312 Object Class definitions are written according to the ABNF:
1314 ObjectClassDescription = LPAREN WSP
1315 numericoid ; object identifier
1316 [ SP "NAME" SP qdescrs ] ; short names (descriptors)
1317 [ SP "DESC" SP qdstring ] ; description
1318 [ SP "OBSOLETE" ] ; not active
1319 [ SP "SUP" SP oids ] ; superior object classes
1320 [ SP kind ] ; kind of class
1321 [ SP "MUST" SP oids ] ; attribute types
1322 [ SP "MAY" SP oids ] ; attribute types
1323 extensions WSP RPAREN
1325 kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"
1328 <numericoid> is object identifier assigned to this object class;
1329 NAME <qdescrs> are short names (descriptors) identifying this
1331 DESC <qdstring> is a short descriptive string;
1332 OBSOLETE indicates this object class is not active;
1333 SUP <oids> specifies the direct superclasses of this object class;
1334 the kind of object class is indicated by one of ABSTRACT,
1335 STRUCTURAL, or AUXILIARY (the default is STRUCTURAL);
1336 MUST and MAY specify the sets of required and allowed attribute
1337 types, respectively; and
1338 <extensions> describe extensions.
1346 Zeilenga Standards Track [Page 24]
1348 RFC 4512 LDAP Models June 2006
1351 4.1.2. Attribute Types
1353 Attribute Type definitions are written according to the ABNF:
1355 AttributeTypeDescription = LPAREN WSP
1356 numericoid ; object identifier
1357 [ SP "NAME" SP qdescrs ] ; short names (descriptors)
1358 [ SP "DESC" SP qdstring ] ; description
1359 [ SP "OBSOLETE" ] ; not active
1360 [ SP "SUP" SP oid ] ; supertype
1361 [ SP "EQUALITY" SP oid ] ; equality matching rule
1362 [ SP "ORDERING" SP oid ] ; ordering matching rule
1363 [ SP "SUBSTR" SP oid ] ; substrings matching rule
1364 [ SP "SYNTAX" SP noidlen ] ; value syntax
1365 [ SP "SINGLE-VALUE" ] ; single-value
1366 [ SP "COLLECTIVE" ] ; collective
1367 [ SP "NO-USER-MODIFICATION" ] ; not user modifiable
1368 [ SP "USAGE" SP usage ] ; usage
1369 extensions WSP RPAREN ; extensions
1371 usage = "userApplications" / ; user
1372 "directoryOperation" / ; directory operational
1373 "distributedOperation" / ; DSA-shared operational
1374 "dSAOperation" ; DSA-specific operational
1377 <numericoid> is object identifier assigned to this attribute type;
1378 NAME <qdescrs> are short names (descriptors) identifying this
1380 DESC <qdstring> is a short descriptive string;
1381 OBSOLETE indicates this attribute type is not active;
1382 SUP oid specifies the direct supertype of this type;
1383 EQUALITY, ORDERING, and SUBSTR provide the oid of the equality,
1384 ordering, and substrings matching rules, respectively;
1385 SYNTAX identifies value syntax by object identifier and may suggest
1386 a minimum upper bound;
1387 SINGLE-VALUE indicates attributes of this type are restricted to a
1389 COLLECTIVE indicates this attribute type is collective
1391 NO-USER-MODIFICATION indicates this attribute type is not user
1393 USAGE indicates the application of this attribute type; and
1394 <extensions> describe extensions.
1396 Each attribute type description must contain at least one of the SUP
1397 or SYNTAX fields. If no SYNTAX field is provided, the attribute type
1398 description takes its value from the supertype.
1402 Zeilenga Standards Track [Page 25]
1404 RFC 4512 LDAP Models June 2006
1407 If SUP field is provided, the EQUALITY, ORDERING, and SUBSTRING
1408 fields, if not specified, take their value from the supertype.
1410 Usage of userApplications, the default, indicates that attributes of
1411 this type represent user information. That is, they are user
1414 A usage of directoryOperation, distributedOperation, or dSAOperation
1415 indicates that attributes of this type represent operational and/or
1416 administrative information. That is, they are operational
1419 directoryOperation usage indicates that the attribute of this type is
1420 a directory operational attribute. distributedOperation usage
1421 indicates that the attribute of this type is a DSA-shared usage
1422 operational attribute. dSAOperation usage indicates that the
1423 attribute of this type is a DSA-specific operational attribute.
1425 COLLECTIVE requires usage userApplications. Use of collective
1426 attribute types in LDAP is discussed in [RFC3671].
1428 NO-USER-MODIFICATION requires an operational usage.
1430 Note that the <AttributeTypeDescription> does not list the matching
1431 rules that can be used with that attribute type in an extensibleMatch
1432 search filter [RFC4511]. This is done using the 'matchingRuleUse'
1433 attribute described in Section 4.1.4.
1435 This document refines the schema description of X.501 by requiring
1436 that the SYNTAX field in an <AttributeTypeDescription> be a string
1437 representation of an object identifier for the LDAP string syntax
1438 definition, with an optional indication of the suggested minimum
1439 bound of a value of this attribute.
1441 A suggested minimum upper bound on the number of characters in a
1442 value with a string-based syntax, or the number of bytes in a value
1443 for all other syntaxes, may be indicated by appending this bound
1444 count inside of curly braces following the syntax's OBJECT IDENTIFIER
1445 in an Attribute Type Description. This bound is not part of the
1446 syntax name itself. For instance, "1.3.6.4.1.1466.0{64}" suggests
1447 that server implementations should allow a string to be 64 characters
1448 long, although they may allow longer strings. Note that a single
1449 character of the Directory String syntax may be encoded in more than
1450 one octet since UTF-8 [RFC3629] is a variable-length encoding.
1458 Zeilenga Standards Track [Page 26]
1460 RFC 4512 LDAP Models June 2006
1463 4.1.3. Matching Rules
1465 Matching rules are used in performance of attribute value assertions,
1466 such as in performance of a Compare operation. They are also used in
1467 evaluating search filters, determining which individual values are to
1468 be added or deleted during performance of a Modify operation, and in
1469 comparing distinguished names.
1471 Each matching rule is identified by an object identifier (OID) and,
1472 optionally, one or more short names (descriptors).
1474 Matching rule definitions are written according to the ABNF:
1476 MatchingRuleDescription = LPAREN WSP
1477 numericoid ; object identifier
1478 [ SP "NAME" SP qdescrs ] ; short names (descriptors)
1479 [ SP "DESC" SP qdstring ] ; description
1480 [ SP "OBSOLETE" ] ; not active
1481 SP "SYNTAX" SP numericoid ; assertion syntax
1482 extensions WSP RPAREN ; extensions
1485 <numericoid> is object identifier assigned to this matching rule;
1486 NAME <qdescrs> are short names (descriptors) identifying this
1488 DESC <qdstring> is a short descriptive string;
1489 OBSOLETE indicates this matching rule is not active;
1490 SYNTAX identifies the assertion syntax (the syntax of the assertion
1491 value) by object identifier; and
1492 <extensions> describe extensions.
1494 4.1.4. Matching Rule Uses
1496 A matching rule use lists the attribute types that are suitable for
1497 use with an extensibleMatch search filter.
1499 Matching rule use descriptions are written according to the following
1502 MatchingRuleUseDescription = LPAREN WSP
1503 numericoid ; object identifier
1504 [ SP "NAME" SP qdescrs ] ; short names (descriptors)
1505 [ SP "DESC" SP qdstring ] ; description
1506 [ SP "OBSOLETE" ] ; not active
1507 SP "APPLIES" SP oids ; attribute types
1508 extensions WSP RPAREN ; extensions
1514 Zeilenga Standards Track [Page 27]
1516 RFC 4512 LDAP Models June 2006
1520 <numericoid> is the object identifier of the matching rule
1521 associated with this matching rule use description;
1522 NAME <qdescrs> are short names (descriptors) identifying this
1524 DESC <qdstring> is a short descriptive string;
1525 OBSOLETE indicates this matching rule use is not active;
1526 APPLIES provides a list of attribute types the matching rule
1528 <extensions> describe extensions.
1530 4.1.5. LDAP Syntaxes
1532 LDAP Syntaxes of (attribute and assertion) values are described in
1533 terms of ASN.1 [X.680] and, optionally, have an octet string encoding
1534 known as the LDAP-specific encoding. Commonly, the LDAP-specific
1535 encoding is constrained to a string of Unicode [Unicode] characters
1536 in UTF-8 [RFC3629] form.
1538 Each LDAP syntax is identified by an object identifier (OID).
1540 LDAP syntax definitions are written according to the ABNF:
1542 SyntaxDescription = LPAREN WSP
1543 numericoid ; object identifier
1544 [ SP "DESC" SP qdstring ] ; description
1545 extensions WSP RPAREN ; extensions
1548 <numericoid> is the object identifier assigned to this LDAP syntax;
1549 DESC <qdstring> is a short descriptive string; and
1550 <extensions> describe extensions.
1552 4.1.6. DIT Content Rules
1554 A DIT content rule is a "rule governing the content of entries of a
1555 particular structural object class" [X.501].
1557 For DIT entries of a particular structural object class, a DIT
1558 content rule specifies which auxiliary object classes the entries are
1559 allowed to belong to and which additional attributes (by type) are
1560 required, allowed, or not allowed to appear in the entries.
1562 The list of precluded attributes cannot include any attribute listed
1563 as mandatory in the rule, the structural object class, or any of the
1564 allowed auxiliary object classes.
1570 Zeilenga Standards Track [Page 28]
1572 RFC 4512 LDAP Models June 2006
1575 Each content rule is identified by the object identifier, as well as
1576 any short names (descriptors), of the structural object class it
1579 An entry may only belong to auxiliary object classes listed in the
1580 governing content rule.
1582 An entry must contain all attributes required by the object classes
1583 the entry belongs to as well as all attributes required by the
1584 governing content rule.
1586 An entry may contain any non-precluded attributes allowed by the
1587 object classes the entry belongs to as well as all attributes allowed
1588 by the governing content rule.
1590 An entry cannot include any attribute precluded by the governing
1593 An entry is governed by (if present and active in the subschema) the
1594 DIT content rule that applies to the structural object class of the
1595 entry (see Section 2.4.2). If no active rule is present for the
1596 entry's structural object class, the entry's content is governed by
1597 the structural object class (and possibly other aspects of user and
1598 system schema). DIT content rules for superclasses of the structural
1599 object class of an entry are not applicable to that entry.
1601 DIT content rule descriptions are written according to the ABNF:
1603 DITContentRuleDescription = LPAREN WSP
1604 numericoid ; object identifier
1605 [ SP "NAME" SP qdescrs ] ; short names (descriptors)
1606 [ SP "DESC" SP qdstring ] ; description
1607 [ SP "OBSOLETE" ] ; not active
1608 [ SP "AUX" SP oids ] ; auxiliary object classes
1609 [ SP "MUST" SP oids ] ; attribute types
1610 [ SP "MAY" SP oids ] ; attribute types
1611 [ SP "NOT" SP oids ] ; attribute types
1612 extensions WSP RPAREN ; extensions
1615 <numericoid> is the object identifier of the structural object
1616 class associated with this DIT content rule;
1617 NAME <qdescrs> are short names (descriptors) identifying this DIT
1619 DESC <qdstring> is a short descriptive string;
1620 OBSOLETE indicates this DIT content rule use is not active;
1621 AUX specifies a list of auxiliary object classes that entries
1622 subject to this DIT content rule may belong to;
1626 Zeilenga Standards Track [Page 29]
1628 RFC 4512 LDAP Models June 2006
1631 MUST, MAY, and NOT specify lists of attribute types that are
1632 required, allowed, or precluded, respectively, from appearing
1633 in entries subject to this DIT content rule; and
1634 <extensions> describe extensions.
1636 4.1.7. DIT Structure Rules and Name Forms
1638 It is sometimes desirable to regulate where object and alias entries
1639 can be placed in the DIT and how they can be named based upon their
1640 structural object class.
1642 4.1.7.1. DIT Structure Rules
1644 A DIT structure rule is a "rule governing the structure of the DIT by
1645 specifying a permitted superior to subordinate entry relationship. A
1646 structure rule relates a name form, and therefore a structural object
1647 class, to superior structure rules. This permits entries of the
1648 structural object class identified by the name form to exist in the
1649 DIT as subordinates to entries governed by the indicated superior
1650 structure rules" [X.501].
1652 DIT structure rule descriptions are written according to the ABNF:
1654 DITStructureRuleDescription = LPAREN WSP
1655 ruleid ; rule identifier
1656 [ SP "NAME" SP qdescrs ] ; short names (descriptors)
1657 [ SP "DESC" SP qdstring ] ; description
1658 [ SP "OBSOLETE" ] ; not active
1659 SP "FORM" SP oid ; NameForm
1660 [ SP "SUP" ruleids ] ; superior rules
1661 extensions WSP RPAREN ; extensions
1663 ruleids = ruleid / ( LPAREN WSP ruleidlist WSP RPAREN )
1664 ruleidlist = ruleid *( SP ruleid )
1668 <ruleid> is the rule identifier of this DIT structure rule;
1669 NAME <qdescrs> are short names (descriptors) identifying this DIT
1671 DESC <qdstring> is a short descriptive string;
1672 OBSOLETE indicates this DIT structure rule use is not active;
1673 FORM is specifies the name form associated with this DIT structure
1675 SUP identifies superior rules (by rule id); and
1676 <extensions> describe extensions.
1682 Zeilenga Standards Track [Page 30]
1684 RFC 4512 LDAP Models June 2006
1687 If no superior rules are identified, the DIT structure rule applies
1688 to an autonomous administrative point (e.g., the root vertex of the
1689 subtree controlled by the subschema) [X.501].
1693 A name form "specifies a permissible RDN for entries of a particular
1694 structural object class. A name form identifies a named object class
1695 and one or more attribute types to be used for naming (i.e., for the
1696 RDN). Name forms are primitive pieces of specification used in the
1697 definition of DIT structure rules" [X.501].
1699 Each name form indicates the structural object class to be named, a
1700 set of required attribute types, and a set of allowed attribute
1701 types. A particular attribute type cannot be in both sets.
1703 Entries governed by the form must be named using a value from each
1704 required attribute type and zero or more values from the allowed
1707 Each name form is identified by an object identifier (OID) and,
1708 optionally, one or more short names (descriptors).
1710 Name form descriptions are written according to the ABNF:
1712 NameFormDescription = LPAREN WSP
1713 numericoid ; object identifier
1714 [ SP "NAME" SP qdescrs ] ; short names (descriptors)
1715 [ SP "DESC" SP qdstring ] ; description
1716 [ SP "OBSOLETE" ] ; not active
1717 SP "OC" SP oid ; structural object class
1718 SP "MUST" SP oids ; attribute types
1719 [ SP "MAY" SP oids ] ; attribute types
1720 extensions WSP RPAREN ; extensions
1723 <numericoid> is object identifier that identifies this name form;
1724 NAME <qdescrs> are short names (descriptors) identifying this name
1726 DESC <qdstring> is a short descriptive string;
1727 OBSOLETE indicates this name form is not active;
1728 OC identifies the structural object class this rule applies to,
1729 MUST and MAY specify the sets of required and allowed,
1730 respectively, naming attributes for this name form; and
1731 <extensions> describe extensions.
1733 All attribute types in the required ("MUST") and allowed ("MAY")
1734 lists shall be different.
1738 Zeilenga Standards Track [Page 31]
1740 RFC 4512 LDAP Models June 2006
1743 4.2. Subschema Subentries
1745 Subschema (sub)entries are used for administering information about
1746 the directory schema. A single subschema (sub)entry contains all
1747 schema definitions (see Section 4.1) used by entries in a particular
1748 part of the directory tree.
1750 Servers that follow X.500(93) models SHOULD implement subschema using
1751 the X.500 subschema mechanisms (as detailed in Section 12 of
1752 [X.501]), so these are not ordinary object entries but subentries
1753 (see Section 3.2). LDAP clients SHOULD NOT assume that servers
1754 implement any of the other aspects of X.500 subschema.
1756 Servers MAY allow subschema modification. Procedures for subschema
1757 modification are discussed in Section 14.5 of [X.501].
1759 A server that masters entries and permits clients to modify these
1760 entries SHALL implement and provide access to these subschema
1761 (sub)entries including providing a 'subschemaSubentry' attribute in
1762 each modifiable entry. This is so clients may discover the
1763 attributes and object classes that are permitted to be present. It
1764 is strongly RECOMMENDED that all other servers implement this as
1767 The value of the 'subschemaSubentry' attribute is the name of the
1768 subschema (sub)entry holding the subschema controlling the entry.
1770 ( 2.5.18.10 NAME 'subschemaSubentry'
1771 EQUALITY distinguishedNameMatch
1772 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
1773 SINGLE-VALUE NO-USER-MODIFICATION
1774 USAGE directoryOperation )
1776 The 'distinguishedNameMatch' matching rule and the DistinguishedName
1777 (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [RFC4517].
1779 Subschema is held in (sub)entries belonging to the subschema
1780 auxiliary object class.
1782 ( 2.5.20.1 NAME 'subschema' AUXILIARY
1783 MAY ( dITStructureRules $ nameForms $ ditContentRules $
1784 objectClasses $ attributeTypes $ matchingRules $
1787 The 'ldapSyntaxes' operational attribute may also be present in
1794 Zeilenga Standards Track [Page 32]
1796 RFC 4512 LDAP Models June 2006
1799 Servers MAY provide additional attributes (described in other
1800 documents) in subschema (sub)entries.
1802 Servers SHOULD provide the attributes 'createTimestamp' and
1803 'modifyTimestamp' in subschema (sub)entries, in order to allow
1804 clients to maintain their caches of schema information.
1806 The following subsections provide attribute type definitions for each
1807 of schema definition attribute types.
1809 4.2.1. 'objectClasses'
1811 This attribute holds definitions of object classes.
1813 ( 2.5.21.6 NAME 'objectClasses'
1814 EQUALITY objectIdentifierFirstComponentMatch
1815 SYNTAX 1.3.6.1.4.1.1466.115.121.1.37
1816 USAGE directoryOperation )
1818 The 'objectIdentifierFirstComponentMatch' matching rule and the
1819 ObjectClassDescription (1.3.6.1.4.1.1466.115.121.1.37) syntax are
1820 defined in [RFC4517].
1822 4.2.2. 'attributeTypes'
1824 This attribute holds definitions of attribute types.
1826 ( 2.5.21.5 NAME 'attributeTypes'
1827 EQUALITY objectIdentifierFirstComponentMatch
1828 SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
1829 USAGE directoryOperation )
1831 The 'objectIdentifierFirstComponentMatch' matching rule and the
1832 AttributeTypeDescription (1.3.6.1.4.1.1466.115.121.1.3) syntax are
1833 defined in [RFC4517].
1835 4.2.3. 'matchingRules'
1837 This attribute holds definitions of matching rules.
1839 ( 2.5.21.4 NAME 'matchingRules'
1840 EQUALITY objectIdentifierFirstComponentMatch
1841 SYNTAX 1.3.6.1.4.1.1466.115.121.1.30
1842 USAGE directoryOperation )
1844 The 'objectIdentifierFirstComponentMatch' matching rule and the
1845 MatchingRuleDescription (1.3.6.1.4.1.1466.115.121.1.30) syntax are
1846 defined in [RFC4517].
1850 Zeilenga Standards Track [Page 33]
1852 RFC 4512 LDAP Models June 2006
1855 4.2.4 'matchingRuleUse'
1857 This attribute holds definitions of matching rule uses.
1859 ( 2.5.21.8 NAME 'matchingRuleUse'
1860 EQUALITY objectIdentifierFirstComponentMatch
1861 SYNTAX 1.3.6.1.4.1.1466.115.121.1.31
1862 USAGE directoryOperation )
1864 The 'objectIdentifierFirstComponentMatch' matching rule and the
1865 MatchingRuleUseDescription (1.3.6.1.4.1.1466.115.121.1.31) syntax are
1866 defined in [RFC4517].
1868 4.2.5. 'ldapSyntaxes'
1870 This attribute holds definitions of LDAP syntaxes.
1872 ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
1873 EQUALITY objectIdentifierFirstComponentMatch
1874 SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
1875 USAGE directoryOperation )
1877 The 'objectIdentifierFirstComponentMatch' matching rule and the
1878 SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
1881 4.2.6. 'dITContentRules'
1883 This attribute lists DIT Content Rules that are present in the
1886 ( 2.5.21.2 NAME 'dITContentRules'
1887 EQUALITY objectIdentifierFirstComponentMatch
1888 SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
1889 USAGE directoryOperation )
1891 The 'objectIdentifierFirstComponentMatch' matching rule and the
1892 DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
1893 defined in [RFC4517].
1906 Zeilenga Standards Track [Page 34]
1908 RFC 4512 LDAP Models June 2006
1911 4.2.7. 'dITStructureRules'
1913 This attribute lists DIT Structure Rules that are present in the
1916 ( 2.5.21.1 NAME 'dITStructureRules'
1917 EQUALITY integerFirstComponentMatch
1918 SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
1919 USAGE directoryOperation )
1921 The 'integerFirstComponentMatch' matching rule and the
1922 DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax
1923 are defined in [RFC4517].
1927 This attribute lists Name Forms that are in force.
1929 ( 2.5.21.7 NAME 'nameForms'
1930 EQUALITY objectIdentifierFirstComponentMatch
1931 SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
1932 USAGE directoryOperation )
1934 The 'objectIdentifierFirstComponentMatch' matching rule and the
1935 NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are
1936 defined in [RFC4517].
1938 4.3. 'extensibleObject' object class
1940 The 'extensibleObject' auxiliary object class allows entries that
1941 belong to it to hold any user attribute. The set of allowed
1942 attribute types of this object class is implicitly the set of all
1943 attribute types of userApplications usage.
1945 ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
1948 The mandatory attributes of the other object classes of this entry
1949 are still required to be present, and any precluded attributes are
1950 still not allowed to be present.
1952 4.4. Subschema Discovery
1954 To discover the DN of the subschema (sub)entry holding the subschema
1955 controlling a particular entry, a client reads that entry's
1956 'subschemaSubentry' operational attribute. To read schema attributes
1957 from the subschema (sub)entry, clients MUST issue a Search operation
1958 [RFC4511] where baseObject is the DN of the subschema (sub)entry,
1962 Zeilenga Standards Track [Page 35]
1964 RFC 4512 LDAP Models June 2006
1967 scope is baseObject, filter is "(objectClass=subschema)" [RFC4515],
1968 and the attributes field lists the names of the desired schema
1969 attributes (as they are operational). Note: the
1970 "(objectClass=subschema)" filter allows LDAP servers that gateway to
1971 X.500 to detect that subentry information is being requested.
1973 Clients SHOULD NOT assume that a published subschema is complete,
1974 that the server supports all of the schema elements it publishes, or
1975 that the server does not support an unpublished element.
1977 5. DSA (Server) Informational Model
1979 The LDAP protocol assumes there are one or more servers that jointly
1980 provide access to a Directory Information Tree (DIT). The server
1981 holding the original information is called the "master" (for that
1982 information). Servers that hold copies of the original information
1983 are referred to as "shadowing" or "caching" servers.
1986 As defined in [X.501]:
1988 context prefix: The sequence of RDNs leading from the Root of the
1989 DIT to the initial vertex of a naming context; corresponds to
1990 the distinguished name of that vertex.
1992 naming context: A subtree of entries held in a single master DSA.
1994 That is, a naming context is the largest collection of entries,
1995 starting at an entry that is mastered by a particular server, and
1996 including all its subordinates and their subordinates, down to the
1997 entries that are mastered by different servers. The context prefix
1998 is the name of the initial entry.
2000 The root of the DIT is a DSA-specific Entry (DSE) and not part of any
2001 naming context (or any subtree); each server has different attribute
2002 values in the root DSE.
2004 5.1. Server-Specific Data Requirements
2006 An LDAP server SHALL provide information about itself and other
2007 information that is specific to each server. This is represented as
2008 a group of attributes located in the root DSE, which is named with
2009 the DN with zero RDNs (whose [RFC4514] representation is as the
2010 zero-length string).
2012 These attributes are retrievable, subject to access control and other
2013 restrictions, if a client performs a Search operation [RFC4511] with
2014 an empty baseObject, scope of baseObject, the filter
2018 Zeilenga Standards Track [Page 36]
2020 RFC 4512 LDAP Models June 2006
2023 "(objectClass=*)" [RFC4515], and the attributes field listing the
2024 names of the desired attributes. It is noted that root DSE
2025 attributes are operational and, like other operational attributes,
2026 are not returned in search requests unless requested by name.
2028 The root DSE SHALL NOT be included if the client performs a subtree
2029 search starting from the root.
2031 Servers may allow clients to modify attributes of the root DSE, where
2034 The following attributes of the root DSE are defined below.
2035 Additional attributes may be defined in other documents.
2037 - altServer: alternative servers;
2039 - namingContexts: naming contexts;
2041 - supportedControl: recognized LDAP controls;
2043 - supportedExtension: recognized LDAP extended operations;
2045 - supportedFeatures: recognized LDAP features;
2047 - supportedLDAPVersion: LDAP versions supported; and
2049 - supportedSASLMechanisms: recognized Simple Authentication and
2050 Security Layers (SASL) [RFC4422] mechanisms.
2052 The values provided for these attributes may depend on session-
2053 specific and other factors. For example, a server supporting the
2054 SASL EXTERNAL mechanism might only list "EXTERNAL" when the client's
2055 identity has been established by a lower level. See [RFC4513].
2057 The root DSE may also include a 'subschemaSubentry' attribute. If it
2058 does, the attribute refers to the subschema (sub)entry holding the
2059 schema controlling the root DSE. Clients SHOULD NOT assume that this
2060 subschema (sub)entry controls other entries held by the server.
2061 General subschema discovery procedures are provided in Section 4.4.
2074 Zeilenga Standards Track [Page 37]
2076 RFC 4512 LDAP Models June 2006
2081 The 'altServer' attribute lists URIs referring to alternative servers
2082 that may be contacted when this server becomes unavailable. URIs for
2083 servers implementing the LDAP are written according to [RFC4516].
2084 Other kinds of URIs may be provided. If the server does not know of
2085 any other servers that could be used, this attribute will be absent.
2086 Clients may cache this information in case their preferred server
2087 later becomes unavailable.
2089 ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
2090 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
2091 USAGE dSAOperation )
2093 The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
2096 5.1.2. 'namingContexts'
2098 The 'namingContexts' attribute lists the context prefixes of the
2099 naming contexts the server masters or shadows (in part or in whole).
2100 If the server is a first-level DSA [X.501], it should list (in
2101 addition) an empty string (indicating the root of the DIT). If the
2102 server does not master or shadow any information (e.g., it is an LDAP
2103 gateway to a public X.500 directory) this attribute will be absent.
2104 If the server believes it masters or shadows the entire directory,
2105 the attribute will have a single value, and that value will be the
2106 empty string (indicating the root of the DIT).
2108 This attribute may be used, for example, to select a suitable entry
2109 name for subsequent operations with this server.
2111 ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
2112 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
2113 USAGE dSAOperation )
2115 The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
2116 defined in [RFC4517].
2118 5.1.3. 'supportedControl'
2120 The 'supportedControl' attribute lists object identifiers identifying
2121 the request controls [RFC4511] the server supports. If the server
2122 does not support any request controls, this attribute will be absent.
2123 Object identifiers identifying response controls need not be listed.
2125 Procedures for registering object identifiers used to discovery of
2126 protocol mechanisms are detailed in BCP 64, RFC 4520 [RFC4520].
2130 Zeilenga Standards Track [Page 38]
2132 RFC 4512 LDAP Models June 2006
2135 ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
2136 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
2137 USAGE dSAOperation )
2139 The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
2140 defined in [RFC4517].
2142 5.1.4. 'supportedExtension'
2144 The 'supportedExtension' attribute lists object identifiers
2145 identifying the extended operations [RFC4511] that the server
2146 supports. If the server does not support any extended operations,
2147 this attribute will be absent.
2149 An extended operation generally consists of an extended request and
2150 an extended response but may also include other protocol data units
2151 (such as intermediate responses). The object identifier assigned to
2152 the extended request is used to identify the extended operation.
2153 Other object identifiers used in the extended operation need not be
2154 listed as values of this attribute.
2156 Procedures for registering object identifiers used to discovery of
2157 protocol mechanisms are detailed in BCP 64, RFC 4520 [RFC4520].
2159 ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
2160 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
2161 USAGE dSAOperation )
2163 The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
2164 defined in [RFC4517].
2166 5.1.5. 'supportedFeatures'
2168 The 'supportedFeatures' attribute lists object identifiers
2169 identifying elective features that the server supports. If the
2170 server does not support any discoverable elective features, this
2171 attribute will be absent.
2173 ( 1.3.6.1.4.1.4203.1.3.5 NAME 'supportedFeatures'
2174 EQUALITY objectIdentifierMatch
2175 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
2176 USAGE dSAOperation )
2178 Procedures for registering object identifiers used to discovery of
2179 protocol mechanisms are detailed in BCP 64, RFC 4520 [RFC4520].
2181 The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax and
2182 objectIdentifierMatch matching rule are defined in [RFC4517].
2186 Zeilenga Standards Track [Page 39]
2188 RFC 4512 LDAP Models June 2006
2191 5.1.6. 'supportedLDAPVersion'
2193 The 'supportedLDAPVersion' attribute lists the versions of LDAP that
2194 the server supports.
2196 ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
2197 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
2198 USAGE dSAOperation )
2200 The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax is defined in
2203 5.1.7. 'supportedSASLMechanisms'
2205 The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
2206 [RFC4422] that the server recognizes and/or supports [RFC4513]. The
2207 contents of this attribute may depend on the current session state.
2208 If the server does not support any SASL mechanisms, this attribute
2209 will not be present.
2211 ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
2212 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2213 USAGE dSAOperation )
2215 The Directory String (1.3.6.1.4.1.1466.115.121.1.15) syntax is
2216 defined in [RFC4517].
2218 6. Other Considerations
2220 6.1. Preservation of User Information
2222 Syntaxes may be defined that have specific value and/or value form
2223 (representation) preservation requirements. For example, a syntax
2224 containing digitally signed data can mandate that the server preserve
2225 both the value and form of value presented to ensure that the
2226 signature is not invalidated.
2228 Where such requirements have not been explicitly stated, servers
2229 SHOULD preserve the value of user information but MAY return the
2230 value in a different form. And where a server is unable (or
2231 unwilling) to preserve the value of user information, the server
2232 SHALL ensure that an equivalent value (per Section 2.3) is returned.
2242 Zeilenga Standards Track [Page 40]
2244 RFC 4512 LDAP Models June 2006
2249 Short names, also known as descriptors, are used as more readable
2250 aliases for object identifiers and are used to identify various
2251 schema elements. However, it is not expected that LDAP
2252 implementations with human user interface would display these short
2253 names (or the object identifiers they refer to) to the user.
2254 Instead, they would most likely be performing translations (such as
2255 expressing the short name in one of the local national languages).
2256 For example, the short name "st" (stateOrProvinceName) might be
2257 displayed to a German-speaking user as "Land".
2259 The same short name might have different meaning in different
2260 subschemas, and, within a particular subschema, the same short name
2261 might refer to different object identifiers each identifying a
2262 different kind of schema element.
2264 Implementations MUST be prepared that the same short name might be
2265 used in a subschema to refer to the different kinds of schema
2266 elements. That is, there might be an object class 'x-fubar' and an
2267 attribute type 'x-fubar' in a subschema.
2269 Implementations MUST be prepared that the same short name might be
2270 used in the different subschemas to refer to the different schema
2271 elements. That is, there might be two matching rules 'x-fubar', each
2272 in different subschemas.
2274 Procedures for registering short names (descriptors) are detailed in
2275 BCP 64, RFC 4520 [RFC4520].
2277 6.3. Cache and Shadowing
2279 Some servers may hold cache or shadow copies of entries, which can be
2280 used to answer search and comparison queries, but will return
2281 referrals or contact other servers if modification operations are
2282 requested. Servers that perform shadowing or caching MUST ensure
2283 that they do not violate any access control constraints placed on the
2284 data by the originating server.
2298 Zeilenga Standards Track [Page 41]
2300 RFC 4512 LDAP Models June 2006
2303 7. Implementation Guidelines
2305 7.1. Server Guidelines
2307 Servers MUST recognize all names of attribute types and object
2308 classes defined in this document but, unless stated otherwise, need
2309 not support the associated functionality. Servers SHOULD recognize
2310 all the names of attribute types and object classes defined in
2311 Section 3 and 4, respectively, of [RFC4519].
2313 Servers MUST ensure that entries conform to user and system schema
2314 rules or other data model constraints.
2316 Servers MAY support DIT Content Rules. Servers MAY support DIT
2317 Structure Rules and Name Forms.
2319 Servers MAY support alias entries.
2321 Servers MAY support the 'extensibleObject' object class.
2323 Servers MAY support subentries. If so, they MUST do so in accordance
2324 with [RFC3672]. Servers that do not support subentries SHOULD use
2325 object entries to mimic subentries as detailed in Section 3.2.
2327 Servers MAY implement additional schema elements. Servers SHOULD
2328 provide definitions of all schema elements they support in subschema
2331 7.2. Client Guidelines
2333 In the absence of prior agreements with servers, clients SHOULD NOT
2334 assume that servers support any particular schema elements beyond
2335 those referenced in Section 7.1. The client can retrieve subschema
2336 information as described in Section 4.4.
2338 Clients MUST NOT display or attempt to decode a value as ASN.1 if the
2339 value's syntax is not known. Clients MUST NOT assume the LDAP-
2340 specific string encoding is restricted to a UTF-8 encoded string of
2341 Unicode characters or any particular subset of Unicode (such as a
2342 printable subset) unless such restriction is explicitly stated.
2343 Clients SHOULD NOT send attribute values in a request that are not
2344 valid according to the syntax defined for the attributes.
2354 Zeilenga Standards Track [Page 42]
2356 RFC 4512 LDAP Models June 2006
2359 8. Security Considerations
2361 Attributes of directory entries are used to provide descriptive
2362 information about the real-world objects they represent, which can be
2363 people, organizations, or devices. Most countries have privacy laws
2364 regarding the publication of information about people.
2366 General security considerations for accessing directory information
2367 with LDAP are discussed in [RFC4511] and [RFC4513].
2369 9. IANA Considerations
2371 The Internet Assigned Numbers Authority (IANA) has updated the LDAP
2372 descriptors registry as indicated in the following template:
2374 Subject: Request for LDAP Descriptor Registration Update
2375 Descriptor (short name): see comment
2376 Object Identifier: see comment
2377 Person & email address to contact for further information:
2378 Kurt Zeilenga <kurt@OpenLDAP.org>
2380 Specification: RFC 4512
2381 Author/Change Controller: IESG
2384 The following descriptors (short names) has been added to
2388 ------------------------ ---- -----------------
2389 governingStructureRule A 2.5.21.10
2390 structuralObjectClass A 2.5.21.9
2392 The following descriptors (short names) have been updated to
2396 ------------------------ ---- -----------------
2398 aliasedObjectName A 2.5.4.1
2399 altServer A 1.3.6.1.4.1.1466.101.120.6
2400 attributeTypes A 2.5.21.5
2401 createTimestamp A 2.5.18.1
2402 creatorsName A 2.5.18.3
2403 dITContentRules A 2.5.21.2
2404 dITStructureRules A 2.5.21.1
2405 extensibleObject O 1.3.6.1.4.1.1466.101.120.111
2406 ldapSyntaxes A 1.3.6.1.4.1.1466.101.120.16
2410 Zeilenga Standards Track [Page 43]
2412 RFC 4512 LDAP Models June 2006
2415 matchingRuleUse A 2.5.21.8
2416 matchingRules A 2.5.21.4
2417 modifiersName A 2.5.18.4
2418 modifyTimestamp A 2.5.18.2
2419 nameForms A 2.5.21.7
2420 namingContexts A 1.3.6.1.4.1.1466.101.120.5
2421 objectClass A 2.5.4.0
2422 objectClasses A 2.5.21.6
2423 subschema O 2.5.20.1
2424 subschemaSubentry A 2.5.18.10
2425 supportedControl A 1.3.6.1.4.1.1466.101.120.13
2426 supportedExtension A 1.3.6.1.4.1.1466.101.120.7
2427 supportedFeatures A 1.3.6.1.4.1.4203.1.3.5
2428 supportedLDAPVersion A 1.3.6.1.4.1.1466.101.120.15
2429 supportedSASLMechanisms A 1.3.6.1.4.1.1466.101.120.14
2432 10. Acknowledgements
2434 This document is based in part on RFC 2251 by M. Wahl, T. Howes, and
2435 S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S. Kille; and
2436 RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
2437 Indexing of Directories (ASID) Working Group. This document is also
2438 based in part on "The Directory: Models" [X.501], a product of the
2439 International Telephone Union (ITU). Additional text was borrowed
2440 from RFC 2253 by M. Wahl, T. Howes, and S. Kille.
2442 This document is a product of the IETF LDAP Revision (LDAPBIS)
2466 Zeilenga Standards Track [Page 44]
2468 RFC 4512 LDAP Models June 2006
2471 11. Normative References
2473 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
2474 Requirement Levels", BCP 14, RFC 2119, March 1997.
2476 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
2477 10646", STD 63, RFC 3629, November 2003.
2479 [RFC3671] Zeilenga, K., "Collective Attributes in the Lightweight
2480 Directory Access Protocol (LDAP)", RFC 3671, December
2483 [RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory
2484 Access Protocol (LDAP)", RFC 3672, December 2003.
2486 [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
2487 Specifications: ABNF", RFC 4234, October 2005.
2489 [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
2490 Authentication and Security Layer (SASL)", RFC 4422,
2493 [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
2494 Protocol (LDAP): Technical Specification Road Map", RFC
2497 [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
2498 Protocol (LDAP): The Protocol", RFC 4511, June 2006.
2500 [RFC4513] Harrison, R., Ed., "Lightweight Directory Access
2501 Protocol (LDAP): Authentication Methods and Security
2502 Mechanisms", RFC 4513, June 2006.
2504 [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access
2505 Protocol (LDAP): String Representation of Distinguished
2506 Names", RFC 4514, June 2006.
2508 [RFC4515] Smith, M., Ed. and T. Howes, "Lightweight Directory
2509 Access Protocol (LDAP): String Representation of Search
2510 Filters", RFC 4515, June 2006.
2512 [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory
2513 Access Protocol (LDAP): Uniform Resource Locator", RFC
2516 [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
2517 (LDAP): Syntaxes and Matching Rules", RFC 4517, June
2522 Zeilenga Standards Track [Page 45]
2524 RFC 4512 LDAP Models June 2006
2527 [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access
2528 Protocol (LDAP): Schema for User Applications", RFC
2531 [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
2532 (IANA) Considerations for the Lightweight Directory
2533 Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
2535 [Unicode] The Unicode Consortium, "The Unicode Standard, Version
2536 3.2.0" is defined by "The Unicode Standard, Version
2537 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
2538 61633-5), as amended by the "Unicode Standard Annex
2540 (http://www.unicode.org/reports/tr27/) and by the
2541 "Unicode Standard Annex #28: Unicode 3.2"
2542 (http://www.unicode.org/reports/tr28/).
2544 [X.500] International Telecommunication Union -
2545 Telecommunication Standardization Sector, "The
2546 Directory -- Overview of concepts, models and
2547 services," X.500(1993) (also ISO/IEC 9594-1:1994).
2549 [X.501] International Telecommunication Union -
2550 Telecommunication Standardization Sector, "The
2551 Directory -- Models," X.501(1993) (also ISO/IEC 9594-
2554 [X.680] International Telecommunication Union -
2555 Telecommunication Standardization Sector, "Abstract
2556 Syntax Notation One (ASN.1) - Specification of Basic
2557 Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
2578 Zeilenga Standards Track [Page 46]
2580 RFC 4512 LDAP Models June 2006
2585 This appendix is non-normative.
2587 This document amounts to nearly a complete rewrite of portions of RFC
2588 2251, RFC 2252, and RFC 2256. This rewrite was undertaken to improve
2589 overall clarity of technical specification. This appendix provides a
2590 summary of substantive changes made to the portions of these
2591 documents incorporated into this document. Readers should consult
2592 [RFC4510], [RFC4511], [RFC4517], and [RFC4519] for summaries of
2593 remaining portions of these documents.
2595 A.1. Changes to RFC 2251
2597 This document incorporates from RFC 2251, Sections 3.2 and 3.4, and
2598 portions of Sections 4 and 6 as summarized below.
2600 A.1.1. Section 3.2 of RFC 2251
2602 Section 3.2 of RFC 2251 provided a brief introduction to the X.500
2603 data model, as used by LDAP. The previous specification relied on
2604 [X.501] but lacked clarity in how X.500 models are adapted for use by
2605 LDAP. This document describes the X.500 data models, as used by
2606 LDAP, in greater detail, especially in areas where adaptation is
2609 Section 3.2.1 of RFC 2251 described an attribute as "a type with one
2610 or more associated values". In LDAP, an attribute is better
2611 described as an attribute description, a type with zero or more
2612 options, and one or more associated values.
2614 Section 3.2.2 of RFC 2251 mandated that subschema subentries contain
2615 objectClasses and attributeTypes attributes, yet X.500(93) treats
2616 these attributes as optional. While generally all implementations
2617 that support X.500(93) subschema mechanisms will provide both of
2618 these attributes, it is not absolutely required for interoperability
2619 that all servers do. The mandate was removed for consistency with
2620 X.500(93). The subschema discovery mechanism was also clarified to
2621 indicate that subschema controlling an entry is obtained by reading
2622 the (sub)entry referred to by that entry's 'subschemaSubentry'
2634 Zeilenga Standards Track [Page 47]
2636 RFC 4512 LDAP Models June 2006
2639 A.1.2. Section 3.4 of RFC 2251
2641 Section 3.4 of RFC 2251 provided "Server-specific Data Requirements".
2642 This material, with changes, was incorporated in Section 5.1 of this
2647 - Clarify that attributes of the root DSE are subject to "other
2648 restrictions" in addition to access controls.
2650 - Clarify that only recognized extended requests need to be
2651 enumerated 'supportedExtension'.
2653 - Clarify that only recognized request controls need to be enumerated
2656 - Clarify that root DSE attributes are operational and, like other
2657 operational attributes, will not be returned in search requests
2658 unless requested by name.
2660 - Clarify that not all root DSE attributes are user modifiable.
2662 - Remove inconsistent text regarding handling of the
2663 'subschemaSubentry' attribute within the root DSE. The previous
2664 specification stated that the 'subschemaSubentry' attribute held in
2665 the root DSE referred to "subschema entries (or subentries) known
2666 by this server". This is inconsistent with the attribute's
2667 intended use as well as its formal definition as a single valued
2668 attribute [X.501]. It is also noted that a simple (possibly
2669 incomplete) list of subschema (sub)entries is not terribly useful.
2670 This document (in Section 5.1) specifies that the
2671 'subschemaSubentry' attribute of the root DSE refers to the
2672 subschema controlling the root DSE. It is noted that the general
2673 subschema discovery mechanism remains available (see Section 4.4 of
2676 A.1.3. Section 4 of RFC 2251
2678 Portions of Section 4 of RFC 2251 detailing aspects of the
2679 information model used by LDAP were incorporated in this document,
2682 - Restriction of distinguished values to attributes whose
2683 descriptions have no options (from Section 4.1.3);
2690 Zeilenga Standards Track [Page 48]
2692 RFC 4512 LDAP Models June 2006
2695 - Data model aspects of Attribute Types (from Section 4.1.4),
2696 Attribute Descriptions (from 4.1.5), Attribute (from 4.1.8),
2697 Matching Rule Identifier (from 4.1.9); and
2699 - User schema requirements (from Sections 4.1.6, 4.5.1, and 4.7).
2701 Clarifications to these portions include:
2703 - Subtyping and AttributeDescriptions with options.
2705 A.1.4. Section 6 of RFC 2251
2707 The Section 6.1 and the second paragraph of Section 6.2 of RFC 2251
2708 where incorporated into this document.
2710 A.2. Changes to RFC 2252
2712 This document incorporates Sections 4, 5, and 7 from RFC 2252.
2714 A.2.1. Section 4 of RFC 2252
2716 The specification was updated to use Augmented BNF [RFC4234]. The
2717 string representation of an OBJECT IDENTIFIER was tightened to
2718 disallow leading zeros as described in RFC 2252.
2720 The <descr> syntax was changed to disallow semicolon (U+003B)
2721 characters in order to appear to be consistent its natural language
2722 specification "descr is the syntactic representation of an object
2723 descriptor, which consists of letters and digits, starting with a
2724 letter". In a related change, the statement "an AttributeDescription
2725 can be used as the value in a NAME part of an
2726 AttributeTypeDescription" was deleted. RFC 2252 provided no
2727 specification of the semantics of attribute options appearing in NAME
2730 RFC 2252 stated that the <descr> form of <oid> SHOULD be preferred
2731 over the <numericoid> form. However, <descr> form can be ambiguous.
2732 To address this issue, the imperative was replaced with a statement
2733 (in Section 1.4) that while the <descr> form is generally preferred,
2734 <numericoid> should be used where an unambiguous <descr> is not
2735 available. Additionally, an expanded discussion of descriptor issues
2736 is in Section 6.2 ("Short Names").
2738 The ABNF for a quoted string (qdstring) was updated to reflect
2739 support for the escaping mechanism described in Section 4.3 of RFC
2746 Zeilenga Standards Track [Page 49]
2748 RFC 4512 LDAP Models June 2006
2751 A.2.2. Section 5 of RFC 2252
2753 Definitions of operational attributes provided in Section 5 of RFC
2754 2252 where incorporated into this document.
2756 The 'namingContexts' description was clarified. A first-level DSA
2757 should publish, in addition to other values, "" indicating the root
2760 The 'altServer' description was clarified. It may hold any URI.
2762 The 'supportedExtension' description was clarified. A server need
2763 only list the OBJECT IDENTIFIERs associated with the extended
2764 requests of the extended operations it recognizes.
2766 The 'supportedControl' description was clarified. A server need only
2767 list the OBJECT IDENTIFIERs associated with the request controls it
2770 Descriptions for the 'structuralObjectClass' and
2771 'governingStructureRule' operational attribute types were added.
2773 The attribute definition of 'subschemaSubentry' was corrected to list
2774 the terms SINGLE-VALUE and NO-USER-MODIFICATION in proper order.
2776 A.2.3. Section 7 of RFC 2252
2778 Section 7 of RFC 2252 provides definitions of the 'subschema' and
2779 'extensibleObject' object classes. These definitions where
2780 integrated into Section 4.2 and Section 4.3 of this document,
2781 respectively. Section 7 of RFC 2252 also contained the object class
2782 implementation requirement. This was incorporated into Section 7 of
2785 The specification of 'extensibleObject' was clarified regarding how
2786 it interacts with precluded attributes.
2788 A.3. Changes to RFC 2256
2790 This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
2793 Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
2794 attribute type. This was integrated into Section 2.4.1 of this
2795 document. The statement "One of the values is either 'top' or
2796 'alias'" was replaced with statement that one of the values is 'top'
2797 as entries belonging to 'alias' also belong to 'top'.
2802 Zeilenga Standards Track [Page 50]
2804 RFC 4512 LDAP Models June 2006
2807 Section 5.2 of RFC 2256 provided the definition of the
2808 'aliasedObjectName' attribute type. This was integrated into Section
2809 2.6.2 of this document.
2811 Section 7.1 of RFC 2256 provided the definition of the 'top' object
2812 class. This was integrated into Section 2.4.1 of this document.
2814 Section 7.2 of RFC 2256 provided the definition of the 'alias' object
2815 class. This was integrated into Section 2.6.1 of this document.
2817 A.4. Changes to RFC 3674
2819 This document made no substantive change to the 'supportedFeatures'
2820 technical specification provided in RFC 3674.
2827 EMail: Kurt@OpenLDAP.org
2858 Zeilenga Standards Track [Page 51]
2860 RFC 4512 LDAP Models June 2006
2863 Full Copyright Statement
2865 Copyright (C) The Internet Society (2006).
2867 This document is subject to the rights, licenses and restrictions
2868 contained in BCP 78, and except as set forth therein, the authors
2869 retain all their rights.
2871 This document and the information contained herein are provided on an
2872 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2873 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2874 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2875 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2876 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2877 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2879 Intellectual Property
2881 The IETF takes no position regarding the validity or scope of any
2882 Intellectual Property Rights or other rights that might be claimed to
2883 pertain to the implementation or use of the technology described in
2884 this document or the extent to which any license under such rights
2885 might or might not be available; nor does it represent that it has
2886 made any independent effort to identify any such rights. Information
2887 on the procedures with respect to rights in RFC documents can be
2888 found in BCP 78 and BCP 79.
2890 Copies of IPR disclosures made to the IETF Secretariat and any
2891 assurances of licenses to be made available, or the result of an
2892 attempt made to obtain a general license or permission for the use of
2893 such proprietary rights by implementers or users of this
2894 specification can be obtained from the IETF on-line IPR repository at
2895 http://www.ietf.org/ipr.
2897 The IETF invites any interested party to bring to its attention any
2898 copyrights, patents or patent applications, or other proprietary
2899 rights that may cover technology that may be required to implement
2900 this standard. Please address the information to the IETF at
2905 Funding for the RFC Editor function is provided by the IETF
2906 Administrative Support Activity (IASA).
2914 Zeilenga Standards Track [Page 52]
projects / openldap / blob