Network Working Group                                    K. Zeilenga, Ed.
Request for Comments: 4524                              OpenLDAP Foundation
Obsoletes: 1274                                                   June 2006
Category: Standards Track

COSINE LDAP/X.500 Schema

Status of This Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document provides a collection of schema elements for use with
the Lightweight Directory Access Protocol (LDAP) from the COSINE and
Internet X.500 pilot projects.

This document obsoletes RFC 1274 and updates RFCs 2247 and 2798.
Table of Contents

1. Introduction ....................................................3
1.1. Relationship to Other Documents ............................3
1.2. Terminology and Conventions ................................4
2. COSINE Attribute Types ..........................................4
2.1. associatedDomain ...........................................4
2.2. associatedName .............................................5
2.3. buildingName ...............................................5
2.4. co .........................................................5
2.5. documentAuthor .............................................6
2.6. documentIdentifier .........................................6
2.7. documentLocation ...........................................6
2.8. documentPublisher ..........................................7
2.9. documentTitle ..............................................7
2.10. documentVersion ...........................................7
2.11. drink .....................................................8
2.12. homePhone .................................................8
2.13. homePostalAddress .........................................8

Zeilenga Standards Track [Page 1]

RFC 4524 COSINE LDAP/X.500 Schema June 2006

2.14. host ......................................................9
2.15. info ......................................................9
2.16. mail ......................................................9
2.17. manager ..................................................10
2.18. mobile ...................................................10
2.19. organizationalStatus .....................................11
2.20. pager ....................................................11
2.21. personalTitle ............................................11
2.22. roomNumber ...............................................12
2.23. secretary ................................................12
2.24. uniqueIdentifier .........................................12
2.25. userClass ................................................13
3. COSINE Object Classes ..........................................13
3.1. account ...................................................13
3.2. document ..................................................14
3.3. documentSeries ............................................14
3.4. domain ....................................................15
3.5. domainRelatedObject .......................................16
3.6. friendlyCountry ...........................................16
3.7. rFC822LocalPart ...........................................17
3.8. room ......................................................18
3.9. simpleSecurityObject ......................................18
4. Security Considerations ........................................18
5. IANA Considerations ............................................19
6. Acknowledgements ...............................................20
7. References .....................................................20
7.1. Normative References ......................................20
7.2. Informative References ....................................21
Appendix A. Changes since RFC 1274 ...............................23
A.1. LDAP Short Names .........................................23
A.2. pilotObject ..............................................23
A.3. pilotPerson ..............................................23
A.4. dNSDomain ................................................24
A.5. pilotDSA and qualityLabelledData .........................24
A.6. Attribute Syntaxes .......................................24
Appendix B. Changes since RFC 2247 ...............................24
1. Introduction

In the late 1980s, X.500 Directory Services were standardized by the
CCITT (Comité Consultatif International Télégraphique et
Téléphonique), now a part of the ITU (International Telephone Union).
This led to Directory Service piloting activities in the early
1990s, including the COSINE (Co-operation and Open Systems
Interconnection in Europe) PARADISE Project pilot [COSINEpilot] in
Europe. Motivated by needs for large-scale directory pilots, RFC
1274 was published to standardize the directory schema and naming
architecture for use in the COSINE and other Internet X.500 pilots

In the years that followed, X.500 Directory Services have evolved to
incorporate new capabilities and even new protocols. In particular,
the Lightweight Directory Access Protocol (LDAP) [RFC4510] was
introduced in the early 1990s [RFC1487], with Version 3 of LDAP
introduced in the late 1990s [RFC2251] and subsequently revised in

While much of the material in RFC 1274 has been superseded by
subsequently published ITU-T Recommendations and IETF RFCs, many of
the schema elements lack standardized schema descriptions for use in
modern X.500 and LDAP directory services despite the fact that these
schema elements are in wide use today. As the old schema
descriptions cannot be used without adaptation, interoperability
issues may arise due to lack of standardized modern schema

This document addresses these issues by offering standardized schema
descriptions, where needed, for widely used COSINE schema elements.

1.1. Relationship to Other Documents

This document, together with [RFC4519] and [RFC4517], obsoletes RFC
1274 in its entirety. [RFC4519] replaces Sections 9.3.1 (Userid) and
9.3.21 (Domain Component) of RFC 1274. [RFC4517] replaces Section
9.4 (Generally useful syntaxes) of RFC 1274.

This document replaces the remainder of RFC 1274. Appendix A
discusses changes since RFC 1274, as well as why certain schema
elements were not brought forward in this revision of the COSINE
schema. All elements not brought forward are to be regarded as Historic.

The description of the 'domain' object class provided in this
document supersedes that found in RFC 2247. That is, Section 3.4 of
this document replaces Section 5.2 of [RFC2247].
Some of the schema elements specified here were described in RFC 2798
(inetOrgPerson schema). This document supersedes these descriptions.
This document, together with [RFC4519], replaces Section 9.1.3 of RFC

1.2. Terminology and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].

DIT stands for Directory Information Tree.
DN stands for Distinguished Name.
DSA stands for Directory System Agent, a server.
DSE stands for DSA-Specific Entry.
DUA stands for Directory User Agent, a client.

These terms are discussed in [RFC4512].

Schema definitions are provided using LDAP description formats
[RFC4512]. Definitions provided here are formatted (line wrapped)

2. COSINE Attribute Types

This section details COSINE attribute types for use in LDAP.

2.1. associatedDomain

The 'associatedDomain' attribute specifies DNS [RFC1034][RFC2181]
host names [RFC1123] that are associated with an object. That is,
values of this attribute should conform to the following ABNF:

domain = root / label *( DOT label )
root = SPACE
label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ]
LETDIG = %x30-39 / %x41-5A / %x61-7A ; "0" - "9" / "A"-"Z" / "a"-"z"
SPACE = %x20 ; space (" ")
HYPHEN = %x2D ; hyphen ("-")
DOT = %x2E ; period (".")

For example, the entry in the DIT with a DN <DC=example,DC=com> might
have an associated domain of "example.com".

( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the
'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are
described in [RFC4517].

Note that the directory will not ensure that values of this attribute
conform to the <domain> production provided above. It is the
application's responsibility to ensure that domains it stores in this
attribute are appropriately represented.

Also note that applications supporting Internationalized Domain Names
SHALL use the ToASCII method [RFC3490] to produce <label> components
of the <domain> production.
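Because the directory does not check 'associatedDomain' values against the <domain> production, the check belongs in the application. The following Python is an added example (not part of RFC 4524 or any project) that transcribes the ABNF above into a validator and applies the RFC 3490 ToASCII step before storage; it relies on `root = SPACE` as in the published RFC, and on Python's built-in 'idna' codec, which implements IDNA 2003 (RFC 3490). The function names are this example's own.

```python
import re
from typing import Optional

# Regular-expression transcription of the <domain> production in RFC 4524
# Section 2.1: root = SPACE; label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ].
LABEL = r"[0-9A-Za-z](?:[0-9A-Za-z-]{0,61}[0-9A-Za-z])?"
DOMAIN_RE = re.compile(rf" |{LABEL}(?:\.{LABEL})*")


def is_valid_associated_domain(value: str) -> bool:
    """True when value matches <domain>: the root (a single space) or one
    or more dot-separated labels of 1..63 LETDIG/HYPHEN characters that
    neither start nor end with a hyphen."""
    return DOMAIN_RE.fullmatch(value) is not None


def to_associated_domain(name: str) -> Optional[str]:
    """Prepare a host name for storage in 'associatedDomain'.

    Runs the RFC 3490 ToASCII step over every label (Python's 'idna' codec
    implements IDNA 2003, i.e. RFC 3490) and then checks the result against
    the ABNF.  Returns None when the name cannot be represented; as the
    directory will not enforce the production, this is the caller's check."""
    try:
        ascii_name = name.encode("idna").decode("ascii")
    except UnicodeError:            # empty or over-long label, bad code point
        return None
    return ascii_name if is_valid_associated_domain(ascii_name) else None


if __name__ == "__main__":
    # Constructed sample inputs: a plain name, the root, an IDN, and three
    # names that the production rejects.
    for candidate in ["example.com", " ", "bücher.example",
                      "-bad.example", "a_b.example", "example..com"]:
        print(repr(candidate), "->", repr(to_associated_domain(candidate)))
```

Note that the ASCII fast path of the codec leaves case untouched, so "Example.COM" is stored as written; comparison is then handled by the 'caseIgnoreIA5Match' rule named in the attribute type description.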
2.2. associatedName

The 'associatedName' attribute specifies names of entries in the
organizational DIT associated with a DNS domain [RFC1034][RFC2181].

( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [RFC4517].

2.3. buildingName

The 'buildingName' attribute specifies names of the buildings where
an organization or organizational unit is based, for example, "The

( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.4. co

The 'co' (Friendly Country Name) attribute specifies names of
countries in human-readable format, for example, "Germany" and
"Federal Republic of Germany". It is commonly used in conjunction
with the 'c' (Country Name) [RFC4519] attribute (whose values are
restricted to the two-letter codes defined in [ISO3166]).

( 0.9.2342.19200300.100.1.43 NAME 'co'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.5. documentAuthor

The 'documentAuthor' attribute specifies the distinguished names of
authors (or editors) of a document. For example,

( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [RFC4517].
2.6. documentIdentifier

The 'documentIdentifier' attribute specifies unique identifiers for a
document. A document may be identified by more than one unique
identifier. For example, RFC 3383 and BCP 64 are unique identifiers
that (presently) refer to the same document.

( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.7. documentLocation

The 'documentLocation' attribute specifies locations of the document

( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.8. documentPublisher

The 'documentPublisher' attribute is the persons and/or organizations
that published the document. Documents that are jointly published
have one value for each publisher.

( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.9. documentTitle

The 'documentTitle' attribute specifies the titles of a document.
Multiple values are allowed to accommodate both long and short
titles, or other situations where a document has multiple titles, for
example, "The Lightweight Directory Access Protocol Technical
Specification" and "The LDAP Technical Specification".

( 0.9.2342.19200300.100.1.12 NAME 'documentTitle'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.10. documentVersion

The 'documentVersion' attribute specifies the version information of

( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
2.11. drink

The 'drink' (favoriteDrink) attribute specifies the favorite drinks
of an object (or person), for instance, "cola" and "beer".

( 0.9.2342.19200300.100.1.5 NAME 'drink'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.12. homePhone

The 'homePhone' (Home Telephone Number) attribute specifies home
telephone numbers (e.g., "+1 775 555 1234") associated with a person.

( 0.9.2342.19200300.100.1.20 NAME 'homePhone'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [RFC4517].

2.13. homePostalAddress

The 'homePostalAddress' attribute specifies home postal addresses for
an object. Each value should be limited to up to 6 directory strings
of 30 characters each. (Note: It is not intended that the directory
service enforce these limits.)

( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'
EQUALITY caseIgnoreListMatch
SUBSTR caseIgnoreListSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

The PostalAddress (1.3.6.1.4.1.1466.115.121.1.41) syntax and the
'caseIgnoreListMatch' and 'caseIgnoreListSubstringsMatch' rules are
described in [RFC4517].

2.14. host

The 'host' attribute specifies host computers, generally by their
primary fully qualified domain name (e.g., my-host.example.com).

( 0.9.2342.19200300.100.1.9 NAME 'host'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.15. info

The 'info' attribute specifies any general information pertinent to
an object. This information is not necessarily descriptive of the

Applications should not attach specific semantics to values of this
attribute. The 'description' attribute [RFC4519] is available for
specifying descriptive information pertinent to an object.

( 0.9.2342.19200300.100.1.4 NAME 'info'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.16. mail

The 'mail' (rfc822mailbox) attribute type holds Internet mail
addresses in Mailbox [RFC2821] form (e.g., user@example.com).

( 0.9.2342.19200300.100.1.3 NAME 'mail'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the
'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are
described in [RFC4517].

Note that the directory will not ensure that values of this attribute
conform to the <Mailbox> production [RFC2821]. It is the
application's responsibility to ensure that domains it stores in this
attribute are appropriately represented.

Additionally, the directory will compare values per the matching
rules named in the above attribute type description. As these rules
differ from rules that normally apply to <Mailbox> comparisons,
operational issues may arise. For example, the assertion
(mail=joe@example.com) will match "JOE@example.com" even though the
<local-parts> differ. Also, where a user has two <Mailbox>es whose
addresses differ only by case of the <local-part>, both cannot be
listed as values of the user's mail attribute (as they are considered
equal by the 'caseIgnoreIA5Match' rule).

Also note that applications supporting internationalized domain names
SHALL use the ToASCII method [RFC3490] to produce <sub-domain>
components of the <Mailbox> production.
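The operational issue described above can be reproduced without a directory server. The following Python is an added example (not code from RFC 4524 or any implementation): it models a multi-valued 'mail' attribute whose values are compared with 'caseIgnoreIA5Match', shows the filter (mail=joe@example.com) matching "JOE@example.com", shows that the second mailbox cannot be added as a further value, and contrasts this with the application-side comparison that treats the <local-part> as case-sensitive. The matching-rule preparation used here (case folding plus insignificant-space handling) is an assumption that approximates RFC 4517/4518; it is not a full implementation of the string preparation algorithm.

```python
import re
from typing import List


def _prep_ia5(value: str) -> str:
    """Prepare a value for caseIgnoreIA5Match: the value must be IA5
    (ASCII), case is folded, and leading, trailing and repeated spaces are
    insignificant.  (Assumption: an approximation of RFC 4517/4518.)"""
    value.encode("ascii")                       # raises on non-IA5 input
    return re.sub(r" +", " ", value.casefold()).strip()


def case_ignore_ia5_match(assertion: str, stored: str) -> bool:
    """True when the directory's equality rule treats the values as equal."""
    return _prep_ia5(assertion) == _prep_ia5(stored)


class MailAttribute:
    """A multi-valued 'mail' attribute whose values are compared with
    caseIgnoreIA5Match, as the attribute type description requires."""

    def __init__(self) -> None:
        self.values: List[str] = []

    def add(self, mailbox: str) -> None:
        # A modify/add of a value the equality rule already considers
        # present fails with attributeOrValueExists (RFC 4511).
        if any(case_ignore_ia5_match(mailbox, v) for v in self.values):
            raise ValueError("attributeOrValueExists: %r" % mailbox)
        self.values.append(mailbox)

    def matches(self, assertion: str) -> bool:
        """Evaluate an equality filter such as (mail=joe@example.com)."""
        return any(case_ignore_ia5_match(assertion, v) for v in self.values)


def can_list_both(mailbox_a: str, mailbox_b: str) -> bool:
    """Can both mailboxes be values of one entry's 'mail' attribute?"""
    return not case_ignore_ia5_match(mailbox_a, mailbox_b)


def exact_mailbox_match(a: str, b: str) -> bool:
    """Application-side comparison of two Mailbox values [RFC2821]: the
    domain part is case-insensitive, the local-part is compared as-is."""
    local_a, _, domain_a = a.rpartition("@")
    local_b, _, domain_b = b.rpartition("@")
    return local_a == local_b and domain_a.casefold() == domain_b.casefold()


if __name__ == "__main__":
    # Constructed sample values reproducing the text's example.
    mail = MailAttribute()
    mail.add("joe@example.com")
    print(mail.matches("JOE@example.com"))                 # True
    print(can_list_both("joe@example.com", "JOE@example.com"))    # False
    print(exact_mailbox_match("joe@example.com", "JOE@example.com"))  # False
```

An application that must distinguish mailboxes differing only in local-part case therefore cannot rely on a directory search filter alone; it has to read the stored values back and compare them itself, as exact_mailbox_match does.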
2.17. manager

The 'manager' attribute specifies managers, by distinguished name, of
the person (or entity).

( 0.9.2342.19200300.100.1.10 NAME 'manager'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [RFC4517].

2.18. mobile

The 'mobile' (mobileTelephoneNumber) attribute specifies mobile
telephone numbers (e.g., "+1 775 555 6789") associated with a person.

( 0.9.2342.19200300.100.1.41 NAME 'mobile'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [RFC4517].

2.19. organizationalStatus

The 'organizationalStatus' attribute specifies categories by which a
person is often referred to in an organization. Examples of usage in
academia might include "undergraduate student", "researcher",
"professor", and "staff". Multiple values are allowed where the
person is in multiple categories.

Directory administrators and application designers SHOULD consider
carefully the distinctions between this and the 'title' and
'userClass' attributes.

( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.20. pager

The 'pager' (pagerTelephoneNumber) attribute specifies pager
telephone numbers (e.g., "+1 775 555 5555") for an object.

( 0.9.2342.19200300.100.1.42 NAME 'pager'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
described in [RFC4517].

2.21. personalTitle

The 'personalTitle' attribute specifies personal titles for a person.
Examples of personal titles are "Frau", "Dr.", "Herr", and

( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.22. roomNumber

The 'roomNumber' attribute specifies the room number of an object.
During periods of renumbering, or in other circumstances where a room
has multiple valid room numbers associated with it, multiple values
may be provided. Note that the 'cn' (commonName) attribute type
SHOULD be used for naming room objects.

( 0.9.2342.19200300.100.1.6 NAME 'roomNumber'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

2.23. secretary

The 'secretary' attribute specifies secretaries and/or administrative
assistants, by distinguished name.

( 0.9.2342.19200300.100.1.21 NAME 'secretary'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
'distinguishedNameMatch' rule are described in [RFC4517].

2.24. uniqueIdentifier

The 'uniqueIdentifier' attribute specifies a unique identifier for an
object represented in the Directory. The domain within which the
identifier is unique and the exact semantics of the identifier are
for local definition. For a person, this might be an institution-
wide payroll number. For an organizational unit, it might be a

( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described

Note: X.520 also describes an attribute called 'uniqueIdentifier'
(2.5.4.45), which is called 'x500UniqueIdentifier' in LDAP
[RFC4519]. The attribute detailed here ought not be confused
with 'x500UniqueIdentifier'.

2.25. userClass

The 'userClass' attribute specifies categories of computer or
application user. The semantics placed on this attribute are for
local interpretation. Examples of current usage of this attribute in
academia are "student", "staff", and "faculty". Note that the
'organizationalStatus' attribute type is now often preferred, as it
makes no distinction between persons as opposed to users.

( 0.9.2342.19200300.100.1.8 NAME 'userClass'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
3. COSINE Object Classes

This section details COSINE object classes for use in LDAP.

3.1. account

The 'account' object class is used to define entries representing
computer accounts. The 'uid' attribute SHOULD be used for naming
entries of this object class.

( 0.9.2342.19200300.100.4.5 NAME 'account'
MAY ( description $ seeAlso $ l $ o $ ou $ host ) )

The 'top' object class is described in [RFC4512]. The 'description',
'seeAlso', 'l', 'o', 'ou', and 'uid' attribute types are described in
[RFC4519]. The 'host' attribute type is described in Section 2 of

Example:

dn: uid=kdz,cn=Accounts,dc=Example,dc=COM
seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM

3.2. document

The 'document' object class is used to define entries that represent

( 0.9.2342.19200300.100.4.6 NAME 'document'
MUST documentIdentifier
MAY ( cn $ description $ seeAlso $ l $ o $ ou $
documentTitle $ documentVersion $ documentAuthor $
documentLocation $ documentPublisher ) )

The 'top' object class is described in [RFC4512]. The 'cn',
'description', 'seeAlso', 'l', 'o', and 'ou' attribute types are
described in [RFC4519]. The 'documentIdentifier', 'documentTitle',
'documentVersion', 'documentAuthor', 'documentLocation', and
'documentPublisher' attribute types are described in Section 2 of

Example:

dn: documentIdentifier=RFC 4524,cn=RFC,dc=Example,dc=COM
objectClass: document
documentIdentifier: RFC 4524
documentTitle: COSINE LDAP/X.500 Schema
documentAuthor: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
documentLocation: http://www.rfc-editor.org/rfc/rfc4524.txt
documentPublisher: Internet Engineering Task Force
description: A collection of schema elements for use in LDAP
description: Obsoletes RFC 1274
seeAlso: documentIdentifier=RFC 4510,cn=RFC,dc=Example,dc=COM
seeAlso: documentIdentifier=RFC 1274,cn=RFC,dc=Example,dc=COM
3.3. documentSeries

The 'documentSeries' object class is used to define an entry that
represents a series of documents (e.g., The Request For Comments

( 0.9.2342.19200300.100.4.9 NAME 'documentSeries'
MAY ( description $ l $ o $ ou $ seeAlso $

The 'top' object class is described in [RFC4512]. The 'description',
'l', 'o', 'ou', 'seeAlso', and 'telephoneNumber' attribute types are
described in [RFC4519].

Example:

dn: cn=RFC,dc=Example,dc=COM
objectClass: documentSeries
cn: Request for Comments
description: a series of memos about the Internet

3.4. domain

The 'domain' object class is used to define entries that represent
DNS domains for objects that are not organizations, organizational
units, or other kinds of objects more appropriately defined using an
object class specific to the kind of object being defined (e.g.,
'organization', 'organizationalUnit').

The 'dc' attribute should be used for naming entries of the 'domain'

( 0.9.2342.19200300.100.4.13 NAME 'domain'
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description $ o $

The 'top' object class and the 'dc', 'userPassword', 'searchGuide',
'seeAlso', 'businessCategory', 'x121Address', 'registeredAddress',
'destinationIndicator', 'preferredDeliveryMethod', 'telexNumber',
'teletexTerminalIdentifier', 'telephoneNumber',
'internationaliSDNNumber', 'facsimileTelephoneNumber', 'street',
'postOfficeBox', 'postalCode', 'postalAddress',
'physicalDeliveryOfficeName', 'st', 'l', 'description', and 'o' types
are described in [RFC4519]. The 'associatedName' attribute type is
described in Section 2 of this document.

Example:

description: the .COM TLD

3.5. domainRelatedObject

The 'domainRelatedObject' object class is used to define entries that
represent DNS domains that are "equivalent" to an X.500 domain, e.g.,
an organization or organizational unit.

( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject'
MUST associatedDomain )

The 'top' object class is described in [RFC4512]. The
'associatedDomain' attribute type is described in Section 2 of this

Example:

dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
objectClass: domainRelatedObject
associatedDomain: example.com
o: Example Organization

The 'organization' and 'dcObject' object classes and the 'dc' and 'o'
attribute types are described in [RFC4519].
886 The 'friendlyCountry' object class is used to define entries
887 representing countries in the DIT. The object class is used to allow
888 friendlier naming of countries than that allowed by the object class
891 ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry'
892 SUP country STRUCTURAL
898 Zeilenga Standards Track [Page 16]
900 RFC 4524 COSINE LDAP/X.500 Schema June 2006
903 The 'country' object class is described in [RFC4519]. The 'co'
904 attribute type is described in Section 2 of this document.
910 objectClass: friendlyCountry
914 co: Federal Republic of Germany
917 The 'c' attribute type is described in [RFC4519].
921 The 'rFC822LocalPart' object class is used to define entries that
922 represent the local part of Internet mail addresses [RFC2822]. This
923 treats the local part of the address as a 'domain' object.
925 ( 0.9.2342.19200300.100.4.14 NAME 'rFC822localPart'
926 SUP domain STRUCTURAL
927 MAY ( cn $ description $ destinationIndicator $
928 facsimileTelephoneNumber $ internationaliSDNNumber $
929 physicalDeliveryOfficeName $ postalAddress $ postalCode $
930 postOfficeBox $ preferredDeliveryMethod $ registeredAddress $
931 seeAlso $ sn $ street $ telephoneNumber $
932 teletexTerminalIdentifier $ telexNumber $ x121Address ) )
934 The 'domain' object class is described in Section 3.4 of this
935 document. The 'cn', 'description', 'destinationIndicator',
936 'facsimileTelephoneNumber', 'internationaliSDNNumber,
937 'physicalDeliveryOfficeName', 'postalAddress', 'postalCode',
938 'postOfficeBox', 'preferredDeliveryMethod', 'registeredAddress',
939 'seeAlso', 'sn, 'street', 'telephoneNumber',
940 'teletexTerminalIdentifier', 'telexNumber', and 'x121Address'
941 attribute types are described in [RFC4519].
945 dn: dc=kdz,dc=example,dc=com
947 objectClass: rFC822LocalPart
949 associatedName: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
954 Zeilenga Standards Track [Page 17]
956 RFC 4524 COSINE LDAP/X.500 Schema June 2006
959 The 'dc' attribute type is described in [RFC4519].
963 The 'room' object class is used to define entries representing rooms.
964 The 'cn' (commonName) attribute SHOULD be used for naming entries of
967 ( 0.9.2342.19200300.100.4.7 NAME 'room'
970 MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )
972 The 'top' object class is described in [RFC4512]. The 'cn',
973 'description', 'seeAlso', and 'telephoneNumber' attribute types are
974 described in [RFC4519]. The 'roomNumber' attribute type is described
975 in Section 2 of this document.
977 dn: cn=conference room,dc=example,dc=com
980 telephoneNumber: +1 755 555 1111
3.9. simpleSecurityObject

The 'simpleSecurityObject' object class is used to require an entry
to have a 'userPassword' attribute when the entry's structural object
class does not require (or allow) the 'userPassword' attribute.

( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'

The 'top' object class is described in [RFC4512]. The 'userPassword'
attribute type is described in [RFC4519].

dn: dc=kdz,dc=Example,dc=COM
objectClass: simpleSecurityObject
userPassword: My Password
seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
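The following is an added example, not text or code from RFC 4524 or any directory implementation: a small parser for object class descriptions in the RFC 4512 syntax used by Sections 3.7 through 3.9, and a validator that applies the parsed classes to LDIF-style entries like the ones shown above (MUST attributes present, no attribute outside MUST/MAY, and only one structural class chain). The 'top' class, the shortened 'domain' class (Section 3.4 is not reproduced on this page), and the SUP/MUST clauses of 'room' and 'simpleSecurityObject' are assumptions; the sample entries are constructed.

```python
import re

# Object class descriptions in RFC 4512 syntax. rFC822localPart, room and
# simpleSecurityObject are from this document; 'top' and the shortened 'domain'
# (Section 3.4, not shown on this page) are assumptions, as are the SUP/MUST
# clauses of 'room' and 'simpleSecurityObject' that the page omits.
DEFINITIONS = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST dc "
    "MAY ( userPassword $ description $ seeAlso $ associatedName ) )",
    "( 0.9.2342.19200300.100.4.14 NAME 'rFC822localPart' SUP domain STRUCTURAL "
    "MAY ( cn $ description $ destinationIndicator $ facsimileTelephoneNumber $ "
    "internationaliSDNNumber $ physicalDeliveryOfficeName $ postalAddress $ "
    "postalCode $ postOfficeBox $ preferredDeliveryMethod $ registeredAddress $ "
    "seeAlso $ sn $ street $ telephoneNumber $ teletexTerminalIdentifier $ "
    "telexNumber $ x121Address ) )",
    "( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST cn "
    "MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )",
    "( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' SUP top AUXILIARY "
    "MUST userPassword )",
]
TOKEN_RE = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
LIST_KEYS = {"NAME": "names", "SUP": "sup", "MUST": "must", "MAY": "may"}

def parse_object_class(text):
    """Parse an ObjectClassDescription into a dict; names are kept as written."""
    tokens = TOKEN_RE.findall(text)
    i, oc = 2, {"oid": tokens[1], "names": [], "kind": None, "sup": [], "must": [], "may": []}
    while i < len(tokens) - 1:  # tokens[-1] is the closing ')'
        kw = tokens[i]
        if kw in LIST_KEYS:  # value is one name or a '( a $ b $ c )' list
            if tokens[i + 1] == "(":
                end = tokens.index(")", i)
                values, i = [t for t in tokens[i + 2:end] if t != "$"], end + 1
            else:
                values, i = [tokens[i + 1]], i + 2
            oc[LIST_KEYS[kw]] = [v.strip("'") for v in values]
        elif kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"], i = kw, i + 1
        else:
            raise ValueError("unsupported token %r" % kw)
    return oc

# LDAP descriptors are case-insensitive, so the schema is keyed by lower-cased
# name: 'rFC822LocalPart' in the example entry matches 'rFC822localPart'.
SCHEMA = {}
for _oc in map(parse_object_class, DEFINITIONS):
    for _name in _oc["names"]:
        SCHEMA[_name.lower()] = _oc

def chain(name):
    """The class and every superclass, most derived first (KeyError if unknown)."""
    out, todo = [], [name.lower()]
    while todo:
        key = todo.pop(0)
        if key not in SCHEMA:
            raise KeyError("unknown object class %r" % key)
        if SCHEMA[key] not in out:
            out.append(SCHEMA[key])
            todo.extend(s.lower() for s in SCHEMA[key]["sup"])
    return out

def parse_entry(ldif):
    """Split a one-entry LDIF fragment into {attribute (lower-cased): [values]}."""
    entry = {}
    for line in ldif.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def validate(entry):
    """Return the schema violations of an entry (an empty list means it conforms)."""
    problems, must, may, structural = [], set(), set(), {}
    for ocname in entry.get("objectclass", []):
        try:
            classes = chain(ocname)
        except KeyError as err:
            problems.append(err.args[0])
            continue
        for oc in classes:
            must.update(a.lower() for a in oc["must"])
            may.update(a.lower() for a in oc["may"])
        if classes[0]["kind"] == "STRUCTURAL":
            structural[ocname.lower()] = {oc["names"][0].lower() for oc in classes}
    # RFC 4512 allows one structural chain: every listed structural class has to
    # be the most derived one or one of its ancestors.
    if structural and not any(set(structural) <= s for s in structural.values()):
        problems.append("structural classes %s are not on one chain" % sorted(structural))
    present = set(entry) - {"dn"}
    problems += ["missing required attribute %r" % a for a in sorted(must - present)]
    problems += ["attribute %r not allowed by the listed classes" % a for a in sorted(present - must - may)]
    return problems

# Constructed sample entries modelled on the examples in Sections 3.7 and 3.9.
LOCALPART_ENTRY = ("dn: dc=kdz,dc=example,dc=com\nobjectClass: domain\nobjectClass: rFC822LocalPart\n"
                   "dc: kdz\nassociatedName: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM")
NO_PASSWORD_ENTRY = ("dn: dc=kdz,dc=Example,dc=COM\nobjectClass: domain\n"
                     "objectClass: simpleSecurityObject\ndc: kdz")
BAD_ROOM_ENTRY = ("dn: cn=conference room,dc=example,dc=com\nobjectClass: domain\n"
                  "objectClass: room\ncn: conference room\nmail: room@example.com")
```

Calling `validate(parse_entry(LOCALPART_ENTRY))` returns an empty list, because 'associatedName' is allowed through the 'domain' superclass even though it is not in the MAY list of 'rFC822localPart' itself. The second entry lists 'simpleSecurityObject' without a 'userPassword' value and is reported as missing that required attribute, which is exactly the constraint Section 3.9 exists to impose. The third entry combines 'domain' and 'room', two structural classes that are not on one superclass chain, and carries a 'mail' value no listed class permits; a server applying RFC 4512 schema checking would reject such an add, and this check lets a client catch it before sending.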
4. Security Considerations

General LDAP security considerations [RFC4510] are applicable to the
use of this schema. Additional considerations are noted above where

Directory administrators should ensure that access to sensitive
information is restricted to authorized entities and that appropriate
data security services, including data integrity and data
confidentiality, are used to protect against eavesdropping.

Simple authentication mechanisms (e.g., plain text passwords) should
only be used when adequate data security services are in place. LDAP
offers reasonably strong authentication and data security services
5. IANA Considerations

The Internet Assigned Numbers Authority (IANA) has updated the LDAP
descriptors registry [RFC4520] as indicated in the following

Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comment
Object Identifier: see comments
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Specification: RFC 4524
Author/Change Controller: IESG

The following descriptors have been updated to refer to RFC 4524.
NAME                     Type OID
------------------------ ---- --------------------------
account                  O    0.9.2342.19200300.100.4.5
associatedDomain         A    0.9.2342.19200300.100.1.37
associatedName           A    0.9.2342.19200300.100.1.38
buildingName             A    0.9.2342.19200300.100.1.48
co                       A    0.9.2342.19200300.100.1.43
document                 O    0.9.2342.19200300.100.4.6
documentAuthor           A    0.9.2342.19200300.100.1.14
documentIdentifier       A    0.9.2342.19200300.100.1.11
documentLocation         A    0.9.2342.19200300.100.1.15
documentPublisher        A    0.9.2342.19200300.100.1.56
documentSeries           O    0.9.2342.19200300.100.4.8
documentTitle            A    0.9.2342.19200300.100.1.12
documentVersion          A    0.9.2342.19200300.100.1.13
domain                   O    0.9.2342.19200300.100.4.13
domainRelatedObject      O    0.9.2342.19200300.100.4.17
drink                    A    0.9.2342.19200300.100.1.5
favouriteDrink           A*   0.9.2342.19200300.100.1.5
friendlyCountry          O    0.9.2342.19200300.100.4.18
friendlyCountryName      A*   0.9.2342.19200300.100.1.43
homePhone                A    0.9.2342.19200300.100.1.20
homePostalAddress        A    0.9.2342.19200300.100.1.39
homeTelephone            A*   0.9.2342.19200300.100.1.20
host                     A    0.9.2342.19200300.100.1.9
info                     A    0.9.2342.19200300.100.1.4
mail                     A    0.9.2342.19200300.100.1.3
manager                  A    0.9.2342.19200300.100.1.10
mobile                   A    0.9.2342.19200300.100.1.41
mobileTelephoneNumber    A*   0.9.2342.19200300.100.1.41
organizationalStatus     A    0.9.2342.19200300.100.1.45
pager                    A    0.9.2342.19200300.100.1.42
pagerTelephoneNumber     A*   0.9.2342.19200300.100.1.42
personalTitle            A    0.9.2342.19200300.100.1.40
rFC822LocalPart          O    0.9.2342.19200300.100.4.14
rfc822Mailbox            A*   0.9.2342.19200300.100.1.3
room                     O    0.9.2342.19200300.100.4.7
roomNumber               A    0.9.2342.19200300.100.1.6
secretary                A    0.9.2342.19200300.100.1.21
simpleSecurityObject     O    0.9.2342.19200300.100.4.19
singleLevelQuality       A    0.9.2342.19200300.100.1.50
uniqueIdentifier         A    0.9.2342.19200300.100.1.44
userClass                A    0.9.2342.19200300.100.1.8

where Type A is Attribute, Type O is ObjectClass, and *
indicates that the registration is historic in nature.
6. Acknowledgements

This document is based on RFC 1274, by Paul Barker and Steve Kille,
as well as on RFC 2247, by Steve Kille, Mark Wahl, Al Grimstad, Rick
Huber, and Sri Sataluri.
7. References

7.1. Normative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.

[RFC1123] Braden, R., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, October

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997.

[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri, "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, January 1998.

[RFC2821] Klensin, J., Ed., "Simple Mail Transfer Protocol", RFC

[RFC2822] Resnick, P., "Internet Message Format", RFC 2822, April

[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, March 2003.

[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC

[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June

[RFC4513] Harrison, R., "Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms", RFC 4513, June 2006.

[RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules", RFC 4517, June

[RFC4519] Sciberras, A., Ed., "Lightweight Directory Access Protocol (LDAP): Schema for User Applications", RFC

[X.501] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory -- Models," X.501(1993) (also ISO/IEC 9594-
7.2. Informative References

[COSINEpilot] Goodman, D., "PARADISE" section of the March 1991 INTERNET MONTHLY REPORTS (p. 28-29), http://www.iana.org/periodic-reports/imr-mar91.txt

[ISO3166] International Organization for Standardization, "Codes for the representation of names of countries", ISO

[RFC1274] Barker, P. and S. Kille, "The COSINE and Internet X.500 Schema", RFC 1274, November 1991.

[RFC1279] Hardcastle-Kille, S., "X.500 and Domains", RFC 1279,

[RFC1487] Yeong, W., Howes, T., and S. Kille, "X.500 Lightweight Directory Access Protocol", RFC 1487, July 1993.

[RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December

[RFC2798] Smith, M., "Definition of the inetOrgPerson LDAP Object Class", RFC 2798, April 2000.

[RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status", RFC 3494, March

[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520.
Appendix A. Changes since RFC 1274

This document represents a substantial rewrite of RFC 1274. The
following sections summarize the substantive changes.

A.1. LDAP Short Names

A number of COSINE attribute types have short names in LDAP.

X.500 Name              LDAP Short Name
-------------           ---------------
friendlyCountryName     co
homeTelephoneNumber     homePhone
mobileTelephoneNumber   mobile
pagerTelephoneNumber    pager

While the LDAP short names are generally used in LDAP, some
implementations may (for legacy reasons [RFC3494]) recognize the
attribute type by its X.500 name. Hence, the X.500 names have been
reserved solely for this purpose.

Note: 'uid' and 'dc' are described in [RFC4519].
A.2. pilotObject

The 'pilotObject' object class was not brought forward as its
function is largely replaced by operational attributes introduced in
X.500(93) [X.501] and version 3 of LDAP [RFC4512]. For instance, the
function of the 'lastModifiedBy' and 'lastModifiedTime' attribute
types is now served by the 'creatorsName', 'createTimestamp',
'modifiersName', and 'modifyTimestamp' operational attributes

A.3. pilotPerson

The 'pilotPerson' object class was not brought forward as its
function is largely replaced by the 'organizationalPerson' [RFC4512]
object class and its subclasses, such as 'inetOrgPerson' [RFC2798].

Most of the related attribute types (e.g., 'mail', 'manager') were
brought forward as they are used in other object classes.
A.4. dNSDomain

The 'dNSDomain' object class and related attribute types were not
brought forward as their use is primarily experimental [RFC1279].

A.5. pilotDSA and qualityLabelledData

The 'pilotDSA' and 'qualityLabelledData' object classes, as well as
related attribute types, were not brought forward as their use is
primarily experimental [QoS].

A.6. Attribute Syntaxes

RFC 1274 defined and used the caseIgnoreIA5StringSyntax attribute
syntax. This has been replaced with the IA5String syntax and
appropriate matching rules in 'mail' and 'associatedDomain'.

RFC 1274 restricted 'mail' to non-zero-length values. This
restriction is not reflected in the IA5String syntax used in the
definitions provided in this specification. However, as values are
to conform to the <Mailbox> production, 'mail' should not contain
zero-length values. Unfortunately, the directory service will not
enforce this restriction.
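Since the directory will not enforce the non-zero-length rule or the <Mailbox> production for 'mail', an application that writes these attributes has to do so itself. The following is an added example, not from RFC 4524 or any LDAP implementation, that checks 'mail' and 'associatedDomain' values on the client side before an add or modify. The domain label rules follow the RFC 1034/RFC 1123 host-name conventions and the local-part rule follows the dot-atom form of RFC 2821; both go beyond what this page states and are assumptions, as is the rejection of quoted local parts and address literals. The sample entry is constructed.

```python
import re

# One DNS label under the RFC 1034/RFC 1123 host-name rules: letters, digits
# and hyphens, no leading or trailing hyphen, at most 63 octets (assumption:
# this page only says associatedDomain holds DNS domain names).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Dot-atom form of the RFC 2821 <Local-part>. Quoted local parts and address
# literals are rejected below as a local policy choice, not an RFC rule.
ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_RE = re.compile(r"^%s(?:\.%s)*$" % (ATOM, ATOM))


def is_ia5(value):
    """IA5String, the syntax both attributes use, allows only 7-bit characters."""
    return all(ord(c) < 128 for c in value)


def check_domain(value):
    """Return None if value is an acceptable domain name, else the reason."""
    if value == "":
        return "empty value"
    if not is_ia5(value):
        return "non-IA5 characters (store the ACE form, see RFC 3490)"
    if len(value) > 253:
        return "name longer than 253 characters"
    for label in value.split("."):
        if not LABEL_RE.match(label):
            return "invalid label %r" % label
    return None


def check_mail(value):
    """Return None if value is a usable <Mailbox> (local@domain), else the reason."""
    if value == "":
        # RFC 1274 forbade this; the IA5String syntax does not, so check it here.
        return "empty value"
    if not is_ia5(value):
        return "non-IA5 characters"
    if value.count("@") != 1:
        return "expected exactly one '@'"
    local, domain = value.split("@")
    if len(local) > 64 or not LOCAL_RE.match(local):
        return "invalid local part %r" % local
    if "." not in domain:
        return "domain %r needs at least two labels" % domain
    reason = check_domain(domain)
    return "invalid domain: " + reason if reason else None


CHECKS = {"mail": check_mail, "associateddomain": check_domain}


def audit(entry):
    """Run the checks over {attribute: [values]}; return [(attr, value, reason)]."""
    findings = []
    for attr, values in entry.items():
        check = CHECKS.get(attr.lower())
        for value in values if check else ():
            reason = check(value)
            if reason:
                findings.append((attr, value, reason))
    return findings


# Constructed sample entry: one good and several bad values per attribute.
SAMPLE_ENTRY = {
    "mail": ["kurt@example.com", "", "kurt@@example.com", "kürt@example.com",
             "kurt@localhost"],
    "associatedDomain": ["example.com", "-bad-.example.com", "xn--bcher-kva.example"],
    "cn": ["Kurt D. Zeilenga"],
}

if __name__ == "__main__":
    for attr, value, reason in audit(SAMPLE_ENTRY):
        print("%s: %r rejected: %s" % (attr, value, reason))
```

Running the block reports the empty 'mail' value, the doubled '@', the non-IA5 "ü" and the single-label domain, and the '-bad-' label in 'associatedDomain', while letting the ACE-encoded label through; because the server accepts any IA5String for these attributes, this is the last point at which a malformed value can be refused.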
Appendix B. Changes since RFC 2247

The 'domainNameForm' name form was not brought forward as
specification of name forms used in LDAP is left to a future
EMail: Kurt@OpenLDAP.org
Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).