1 # OpenLDAP X.509 PMI schema
3 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 ## Copyright 1998-2015 The OpenLDAP Foundation.
6 ## All rights reserved.
8 ## Redistribution and use in source and binary forms, with or without
9 ## modification, are permitted only as authorized by the OpenLDAP
12 ## A copy of this license is available in the file LICENSE in the
13 ## top-level directory of the distribution or, alternatively, at
14 ## <http://www.OpenLDAP.org/license.html>.
16 ## Portions Copyright (C) The Internet Society (1997-2006).
17 ## All Rights Reserved.
19 ## This document and translations of it may be copied and furnished to
20 ## others, and derivative works that comment on or otherwise explain it
21 ## or assist in its implementation may be prepared, copied, published
22 ## and distributed, in whole or in part, without restriction of any
23 ## kind, provided that the above copyright notice and this paragraph are
24 ## included on all such copies and derivative works. However, this
25 ## document itself may not be modified in any way, such as by removing
26 ## the copyright notice or references to the Internet Society or other
27 ## Internet organizations, except as needed for the purpose of
28 ## developing Internet standards in which case the procedures for
29 ## copyrights defined in the Internet Standards process must be
30 ## followed, or as required to translate it into languages other than
33 ## The limited permissions granted above are perpetual and will not be
34 ## revoked by the Internet Society or its successors or assigns.
36 ## This document and the information contained herein is provided on an
37 ## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
38 ## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
39 ## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
40 ## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
41 ## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
45 # Includes LDAPv3 schema items from:
48 ## X.509 (08/2005) pp. 120-121
50 ## -- object identifier assignments --
51 ## -- object classes --
52 ## id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24}
53 ## id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25}
54 ## id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26}
55 ## id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27}
56 ## id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32}
57 ## id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33}
58 ## id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34}
59 ## -- directory attributes --
60 ## id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
61 ## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
62 ## id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61}
63 ## id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62}
64 ## id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63}
65 ## id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71}
66 ## id-at-role OBJECT IDENTIFIER ::= {id-at 72}
67 ## id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73}
68 ## id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74}
69 ## id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75}
70 ## id-at-xMLPprotPrivPolicy OBJECT IDENTIFIER ::= {id-at 76}
71 ## -- attribute certificate extensions --
72 ## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
73 ## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
74 ## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
75 ## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
76 ## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
77 ## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
78 ## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
79 ## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
80 ## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
81 ## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
82 ## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
83 ## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
84 ## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
85 ## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
86 ## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
87 ## -- PMI matching rules --
88 ## id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
89 ## id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45}
90 ## id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46}
91 ## id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53}
92 ## id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54}
93 ## id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55}
94 ## id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56}
95 ## id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57}
96 ## id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58}
97 ## id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59}
98 ## id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61}
99 ## id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66}
100 ## id-mr-indirectIssuerMatch OBJECT IDENTIFIER ::= {id-mr 67}
103 ## X.509 (08/2005) pp. 71, 86-89
105 ## 14.4.1 Role attribute
106 ## role ATTRIBUTE ::= {
107 ## WITH SYNTAX RoleSyntax
109 ## RoleSyntax ::= SEQUENCE {
110 ## roleAuthority [0] GeneralNames OPTIONAL,
111 ## roleName [1] GeneralName }
113 ## 14.5 XML privilege information attribute
114 ## xmlPrivilegeInfo ATTRIBUTE ::= {
115 ## WITH SYNTAX UTF8String -- contains XML-encoded privilege information
116 ## ID id-at-xMLPrivilegeInfo }
118 ## 17.1 PMI directory object classes
120 ## 17.1.1 PMI user object class
121 ## pmiUser OBJECT-CLASS ::= {
122 ## -- a PMI user (i.e., a "holder")
125 ## MAY CONTAIN {attributeCertificateAttribute}
126 ## ID id-oc-pmiUser }
128 ## 17.1.2 PMI AA object class
129 ## pmiAA OBJECT-CLASS ::= {
133 ## MAY CONTAIN {aACertificate |
134 ## attributeCertificateRevocationList |
135 ## attributeAuthorityRevocationList}
138 ## 17.1.3 PMI SOA object class
139 ## pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority
142 ## MAY CONTAIN {attributeCertificateRevocationList |
143 ## attributeAuthorityRevocationList |
144 ## attributeDescriptorCertificate}
147 ## 17.1.4 Attribute certificate CRL distribution point object class
148 ## attCertCRLDistributionPt OBJECT-CLASS ::= {
151 ## MAY CONTAIN { attributeCertificateRevocationList |
152 ## attributeAuthorityRevocationList }
153 ## ID id-oc-attCertCRLDistributionPts }
155 ## 17.1.5 PMI delegation path
156 ## pmiDelegationPath OBJECT-CLASS ::= {
159 ## MAY CONTAIN { delegationPath }
160 ## ID id-oc-pmiDelegationPath }
162 ## 17.1.6 Privilege policy object class
163 ## privilegePolicy OBJECT-CLASS ::= {
166 ## MAY CONTAIN {privPolicy }
167 ## ID id-oc-privilegePolicy }
169 ## 17.1.7 Protected privilege policy object class
170 ## protectedPrivilegePolicy OBJECT-CLASS ::= {
173 ## MAY CONTAIN {protPrivPolicy }
174 ## ID id-oc-protectedPrivilegePolicy }
176 ## 17.2 PMI Directory attributes
178 ## 17.2.1 Attribute certificate attribute
179 ## attributeCertificateAttribute ATTRIBUTE ::= {
180 ## WITH SYNTAX AttributeCertificate
181 ## EQUALITY MATCHING RULE attributeCertificateExactMatch
182 ## ID id-at-attributeCertificate }
184 ## 17.2.2 AA certificate attribute
185 ## aACertificate ATTRIBUTE ::= {
186 ## WITH SYNTAX AttributeCertificate
187 ## EQUALITY MATCHING RULE attributeCertificateExactMatch
188 ## ID id-at-aACertificate }
190 ## 17.2.3 Attribute descriptor certificate attribute
191 ## attributeDescriptorCertificate ATTRIBUTE ::= {
192 ## WITH SYNTAX AttributeCertificate
193 ## EQUALITY MATCHING RULE attributeCertificateExactMatch
194 ## ID id-at-attributeDescriptorCertificate }
196 ## 17.2.4 Attribute certificate revocation list attribute
197 ## attributeCertificateRevocationList ATTRIBUTE ::= {
198 ## WITH SYNTAX CertificateList
199 ## EQUALITY MATCHING RULE certificateListExactMatch
200 ## ID id-at-attributeCertificateRevocationList}
202 ## 17.2.5 AA certificate revocation list attribute
203 ## attributeAuthorityRevocationList ATTRIBUTE ::= {
204 ## WITH SYNTAX CertificateList
205 ## EQUALITY MATCHING RULE certificateListExactMatch
206 ## ID id-at-attributeAuthorityRevocationList }
208 ## 17.2.6 Delegation path attribute
209 ## delegationPath ATTRIBUTE ::= {
210 ## WITH SYNTAX AttCertPath
211 ## ID id-at-delegationPath }
212 ## AttCertPath ::= SEQUENCE OF AttributeCertificate
214 ## 17.2.7 Privilege policy attribute
215 ## privPolicy ATTRIBUTE ::= {
216 ## WITH SYNTAX PolicySyntax
217 ## ID id-at-privPolicy }
219 ## 17.2.8 Protected privilege policy attribute
220 ## protPrivPolicy ATTRIBUTE ::= {
221 ## WITH SYNTAX AttributeCertificate
222 ## EQUALITY MATCHING RULE attributeCertificateExactMatch
223 ## ID id-at-protPrivPolicy }
225 ## 17.2.9 XML Protected privilege policy attribute
226 ## xmlPrivPolicy ATTRIBUTE ::= {
227 ## WITH SYNTAX UTF8String -- contains XML-encoded privilege policy information
228 ## ID id-at-xMLPprotPrivPolicy }
231 ## -- object identifier assignments --
232 ## -- object classes --
233 objectidentifier id-oc-pmiUser 2.5.6.24
234 objectidentifier id-oc-pmiAA 2.5.6.25
235 objectidentifier id-oc-pmiSOA 2.5.6.26
236 objectidentifier id-oc-attCertCRLDistributionPts 2.5.6.27
237 objectidentifier id-oc-privilegePolicy 2.5.6.32
238 objectidentifier id-oc-pmiDelegationPath 2.5.6.33
239 objectidentifier id-oc-protectedPrivilegePolicy 2.5.6.34
240 ## -- directory attributes --
241 objectidentifier id-at-attributeCertificate 2.5.4.58
242 objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59
243 objectidentifier id-at-aACertificate 2.5.4.61
244 objectidentifier id-at-attributeDescriptorCertificate 2.5.4.62
245 objectidentifier id-at-attributeAuthorityRevocationList 2.5.4.63
246 objectidentifier id-at-privPolicy 2.5.4.71
247 objectidentifier id-at-role 2.5.4.72
248 objectidentifier id-at-delegationPath 2.5.4.73
249 objectidentifier id-at-protPrivPolicy 2.5.4.74
250 objectidentifier id-at-xMLPrivilegeInfo 2.5.4.75
251 objectidentifier id-at-xMLPprotPrivPolicy 2.5.4.76
252 ## -- attribute certificate extensions --
253 ## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
254 ## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
255 ## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
256 ## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
257 ## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
258 ## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
259 ## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
260 ## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
261 ## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
262 ## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
263 ## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
264 ## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
265 ## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
266 ## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
267 ## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
268 ## -- PMI matching rules --
269 objectidentifier id-mr 2.5.13
270 objectidentifier id-mr-attributeCertificateMatch id-mr:42
271 objectidentifier id-mr-attributeCertificateExactMatch id-mr:45
272 objectidentifier id-mr-holderIssuerMatch id-mr:46
273 objectidentifier id-mr-authAttIdMatch id-mr:53
274 objectidentifier id-mr-roleSpecCertIdMatch id-mr:54
275 objectidentifier id-mr-basicAttConstraintsMatch id-mr:55
276 objectidentifier id-mr-delegatedNameConstraintsMatch id-mr:56
277 objectidentifier id-mr-timeSpecMatch id-mr:57
278 objectidentifier id-mr-attDescriptorMatch id-mr:58
279 objectidentifier id-mr-acceptableCertPoliciesMatch id-mr:59
280 objectidentifier id-mr-delegationPathMatch id-mr:61
281 objectidentifier id-mr-sOAIdentifierMatch id-mr:66
282 objectidentifier id-mr-indirectIssuerMatch id-mr:67
284 ## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP
285 ## to this work in progress
286 objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
287 objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9
288 objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
289 objectidentifier PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5
290 objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
291 # NOTE: OIDs from <draft-ietf-pkix-ldap-schema-02.txt> (expired)
292 #objectidentifier AttributeCertificate 1.2.826.0.1.3344810.7.5
293 #objectidentifier AttCertPath 1.2.826.0.1.3344810.7.10
294 #objectidentifier PolicySyntax 1.2.826.0.1.3344810.7.17
295 #objectidentifier RoleSyntax 1.2.826.0.1.3344810.7.13
297 ## Substitute syntaxes
300 ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4
302 DESC 'X.509 PMI attribute cartificate path: SEQUENCE OF AttributeCertificate'
303 X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
306 ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5
308 DESC 'X.509 PMI policy syntax'
309 X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
312 ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6
314 DESC 'X.509 PMI role syntax'
315 X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
317 ## X.509 (08/2005) pp. 71, 86-89
319 ## 14.4.1 Role attribute
320 attributeType ( id-at-role
322 DESC 'X.509 Role attribute, use ;binary'
325 ## 14.5 XML privilege information attribute
326 ## -- contains XML-encoded privilege information
327 attributeType ( id-at-xMLPrivilegeInfo
328 NAME 'xmlPrivilegeInfo'
329 DESC 'X.509 XML privilege information attribute'
330 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
332 ## 17.2 PMI Directory attributes
334 ## 17.2.1 Attribute certificate attribute
335 attributeType ( id-at-attributeCertificate
336 NAME 'attributeCertificateAttribute'
337 DESC 'X.509 Attribute certificate attribute, use ;binary'
338 SYNTAX AttributeCertificate
339 EQUALITY attributeCertificateExactMatch )
341 ## 17.2.2 AA certificate attribute
342 attributeType ( id-at-aACertificate
344 DESC 'X.509 AA certificate attribute, use ;binary'
345 SYNTAX AttributeCertificate
346 EQUALITY attributeCertificateExactMatch )
348 ## 17.2.3 Attribute descriptor certificate attribute
349 attributeType ( id-at-attributeDescriptorCertificate
350 NAME 'attributeDescriptorCertificate'
351 DESC 'X.509 Attribute descriptor certificate attribute, use ;binary'
352 SYNTAX AttributeCertificate
353 EQUALITY attributeCertificateExactMatch )
355 ## 17.2.4 Attribute certificate revocation list attribute
356 attributeType ( id-at-attributeCertificateRevocationList
357 NAME 'attributeCertificateRevocationList'
358 DESC 'X.509 Attribute certificate revocation list attribute, use ;binary'
359 SYNTAX CertificateList
360 X-EQUALITY 'certificateListExactMatch, not implemented yet' )
362 ## 17.2.5 AA certificate revocation list attribute
363 attributeType ( id-at-attributeAuthorityRevocationList
364 NAME 'attributeAuthorityRevocationList'
365 DESC 'X.509 AA certificate revocation list attribute, use ;binary'
366 SYNTAX CertificateList
367 X-EQUALITY 'certificateListExactMatch, not implemented yet' )
369 ## 17.2.6 Delegation path attribute
370 attributeType ( id-at-delegationPath
371 NAME 'delegationPath'
372 DESC 'X.509 Delegation path attribute, use ;binary'
374 ## AttCertPath ::= SEQUENCE OF AttributeCertificate
376 ## 17.2.7 Privilege policy attribute
377 attributeType ( id-at-privPolicy
379 DESC 'X.509 Privilege policy attribute, use ;binary'
380 SYNTAX PolicySyntax )
382 ## 17.2.8 Protected privilege policy attribute
383 attributeType ( id-at-protPrivPolicy
384 NAME 'protPrivPolicy'
385 DESC 'X.509 Protected privilege policy attribute, use ;binary'
386 SYNTAX AttributeCertificate
387 EQUALITY attributeCertificateExactMatch )
389 ## 17.2.9 XML Protected privilege policy attribute
390 ## -- contains XML-encoded privilege policy information
391 attributeType ( id-at-xMLPprotPrivPolicy
393 DESC 'X.509 XML Protected privilege policy attribute'
394 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
396 ## 17.1 PMI directory object classes
398 ## 17.1.1 PMI user object class
399 ## -- a PMI user (i.e., a "holder")
400 objectClass ( id-oc-pmiUser
402 DESC 'X.509 PMI user object class'
405 MAY ( attributeCertificateAttribute ) )
407 ## 17.1.2 PMI AA object class
409 objectClass ( id-oc-pmiAA
411 DESC 'X.509 PMI AA object class'
414 MAY ( aACertificate $
415 attributeCertificateRevocationList $
416 attributeAuthorityRevocationList
419 ## 17.1.3 PMI SOA object class
420 ## -- a PMI Source of Authority
421 objectClass ( id-oc-pmiSOA
423 DESC 'X.509 PMI SOA object class'
426 MAY ( attributeCertificateRevocationList $
427 attributeAuthorityRevocationList $
428 attributeDescriptorCertificate
431 ## 17.1.4 Attribute certificate CRL distribution point object class
432 objectClass ( id-oc-attCertCRLDistributionPts
433 NAME 'attCertCRLDistributionPt'
434 DESC 'X.509 Attribute certificate CRL distribution point object class'
437 MAY ( attributeCertificateRevocationList $
438 attributeAuthorityRevocationList
441 ## 17.1.5 PMI delegation path
442 objectClass ( id-oc-pmiDelegationPath
443 NAME 'pmiDelegationPath'
444 DESC 'X.509 PMI delegation path'
447 MAY ( delegationPath ) )
449 ## 17.1.6 Privilege policy object class
450 objectClass ( id-oc-privilegePolicy
451 NAME 'privilegePolicy'
452 DESC 'X.509 Privilege policy object class'
457 ## 17.1.7 Protected privilege policy object class
458 objectClass ( id-oc-protectedPrivilegePolicy
459 NAME 'protectedPrivilegePolicy'
460 DESC 'X.509 Protected privilege policy object class'
463 MAY ( protPrivPolicy ) )