#
# OpenLDAP Core schema
#
-# Includes "standard" schema items from:
+# Includes LDAPv3 schema items from:
# RFC2251-RFC2256 (LDAPv3)
+#
+# select standard track schema items:
# RFC2079 (URI)
+# RFC1274 (uid/dc)
+# RFC2247 (dc/dcObject)
+# RFC2289 (Dynamic Directory Services)
+#
+# select informational schema items:
+# RFC2377 (uidObject)
#
-# and other "core" items
-# ldapsubentry draft
+# select experimental IETF LDAPext items
+# ldapSubentry draft
+# ldapRootDSE
# named referrals draft
# alias draft
-#
+
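Review bot: The new header line `# RFC2289 (Dynamic Directory Services)` cites the wrong RFC number; the section this announces is introduced further down as `# Standard Track Dynamic Directory Services from RFC2589`, and 2589 is the correct reference (2289 is an unrelated document). Change the header line to `# RFC2589 (Dynamic Directory Services)` so the file header and the section heading agree. The other entries in the rewritten header match the sections added below them, so no further change is needed there.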
# Standard X.501(93) Operational Attribute Types from RFC2252
# Standard attribute types from RFC2256
-attributetype ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch
+attributetype ( 2.5.4.0 NAME 'objectClass'
+ EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-attributetype ( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch
+attributetype ( 2.5.4.1 NAME 'aliasedObjectName'
+ EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
# Defined, but no longer used
-attributetype ( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.2 NAME 'knowledgeInformation'
+ EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
# Place here since other attribute types derive from it
-attributetype ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.41 NAME 'name'
+ EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) SUP name )
-attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' ) EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
+ EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 2.5.4.12 NAME 'title' SUP name )
-attributetype ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.13 NAME 'description'
+ EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 2.5.4.14 NAME 'searchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
-attributetype ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.15 NAME 'businessCategory'
+ EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
-# Show stopper: we don't have the definition of caseIgnoreListSubstringsMatch
-#attribute ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch
-# SUBSTR caseIgnoreListSubstringsMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-attributetype ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch
+attribute ( 2.5.4.16 NAME 'postalAddress'
+ EQUALITY caseIgnoreListMatch
+ SUBSTR caseIgnoreListSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
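Review bot: The re-enabled postalAddress definition starts with `attribute ( 2.5.4.16 NAME 'postalAddress'` while every other definition in this file uses `attributetype`; the keyword was carried over from the commented-out stub that this hunk removes. Even if the config parser accepts `attribute` as an alias, the inconsistency makes grep-based schema audits miss this type and invites copy-paste of the wrong form, so the line should read `attributetype ( 2.5.4.16 NAME 'postalAddress'`. The removed `# Show stopper` comment said caseIgnoreListSubstringsMatch was not defined, and the new definition now relies on it via `SUBSTR caseIgnoreListSubstringsMatch`; it is worth confirming that the matching rule is now registered before this schema is loaded, since otherwise the file fails at this definition.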
-attributetype ( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.17 NAME 'postalCode'
+ EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
-attributetype ( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.18 NAME 'postOfficeBox'
+ EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
-attributetype ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
+ EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
-attributetype ( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch
+attributetype ( 2.5.4.20 NAME 'telephoneNumber'
+ EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
attributetype ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
-attributetype ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch
+attributetype ( 2.5.4.24 NAME 'x121Address'
+ EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
-attributetype ( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch
+attributetype ( 2.5.4.25 NAME 'internationaliSDNNumber'
+ EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
attributetype ( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-attributetype ( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
+attributetype ( 2.5.4.27 NAME 'destinationIndicator'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
attributetype ( 2.5.4.28 NAME 'preferredDeliveryMethod'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
- SINGLE-VALUE )
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
+ SINGLE-VALUE )
attributetype ( 2.5.4.29 NAME 'presentationAddress'
- EQUALITY presentationAddressMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
- SINGLE-VALUE )
+ EQUALITY presentationAddressMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
+ SINGLE-VALUE )
attributetype ( 2.5.4.30 NAME 'supportedApplicationContext'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+ EQUALITY objectIdentifierMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
# Placed here because others derive from it.
# distinguished name of an entry. On the other hand, the attribute
# type distinguishedName is meant to be an "abstract" type and other
# dn-valued attribute types derive from it. So at most, 'dn' would
-# be a subtype of distinguishedName.
+# be a subtype of distinguishedName, something like:
+# attributetype ( dnOID NAME 'dn' SUP distinguishedName
+# SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
attributetype ( 2.5.4.49 NAME 'distinguishedName'
EQUALITY distinguishedNameMatch
attributetype ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )
-attributetype ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
+attributetype ( 2.5.4.35 NAME 'userPassword'
+ EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
# Must be stored and requested in the binary form, as
# userCertificate;binary
-
attributetype ( 2.5.4.36 NAME 'userCertificate'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
# As above
-
attributetype ( 2.5.4.37 NAME 'cACertificate'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
# As above
-
attributetype ( 2.5.4.38 NAME 'authorityRevocationList'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
# As above
-
attributetype ( 2.5.4.39 NAME 'certificateRevocationList'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
# As above
-
attributetype ( 2.5.4.40 NAME 'crossCertificatePair'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
# 2.5.4.41 is 'name', moved above since other attribute types derive from it
-attributetype ( 2.5.4.42 NAME 'givenName' SUP name )
+attributetype ( 2.5.4.42 NAME ( 'givenName' 'gn' ) SUP name )
attributetype ( 2.5.4.43 NAME 'initials' SUP name )
-attributetype ( 2.5.4.45 NAME 'x500UniqueIdentifier' EQUALITY bitStringMatch
+attributetype ( 2.5.4.45 NAME 'x500UniqueIdentifier'
+ EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
-attributetype ( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch
- ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch
+attributetype ( 2.5.4.46 NAME 'dnQualifier'
+ EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
+ SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
attributetype ( 2.5.4.47 NAME 'enhancedSearchGuide'
# 2.5.4.49 is distinguishedName, moved up
-attributetype ( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch
+attributetype ( 2.5.4.50 NAME 'uniqueMember'
+ EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
-attributetype ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch
+attributetype ( 2.5.4.51 NAME 'houseIdentifier'
+ EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
# Standard object classes from RFC2256
-objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
+objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
+ MUST objectClass )
-objectclass ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )
+objectclass ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL
+ MUST aliasedObjectName )
-objectclass ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c
+objectclass ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL
+ MUST c
MAY ( searchGuide $ description ) )
objectclass ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL
MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
-objectclass ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o
+objectclass ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL
+ MUST o
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description ) )
-objectclass ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou
+objectclass ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL
+ MUST ou
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description ) )
-objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
+objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
+ MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
# Notice that preferredDeliveryMethod is duplicate
-objectclass ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
+objectclass ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL
+ MUST cn
MAY ( x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
-objectclass ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )
+objectclass ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL
+ MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
# Notice that preferredDeliveryMethod is duplicate
-# It seems they could not agree on wheter telephoneNumber is MAY
+# It seems they could not agree on whether telephoneNumber is MAY
# in person. Probably it wasn't originally at was added as an
# afterthought
-objectclass ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l
+objectclass ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL
+ MUST l
MAY ( businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l ) )
-objectclass ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn
+objectclass ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL
+ MUST cn
MAY ( seeAlso $ ou $ l $ description ) )
objectclass ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL
objectclass ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL
MAY knowledgeInformation )
-objectclass ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn
+objectclass ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL
+ MUST cn
MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
objectclass ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY
# New
objectclass ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL
- MUST ( cn ) MAY ( certificateRevocationList $
- authorityRevocationList $
+ MUST ( cn )
+ MAY ( certificateRevocationList $ authorityRevocationList $
deltaRevocationList ) )
# New
-objectclass ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName )
+objectclass ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL
+ MUST ( dmdName )
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
# Next objectclass is defined in RFC2252, but has to be put after top
objectclass ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
- SUP top AUXILIARY )
+ DESC 'RFC2252 extensible object'
+ SUP top AUXILIARY )
#
# Standard Track URI label schema from RFC2079
#
attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
DESC 'Uniform Resource Identifier with optional label'
- EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject'
DESC 'object that contains the URI attribute type'
- MAY ( labeledURI ) SUP top AUXILIARY )
+ MAY ( labeledURI )
+ SUP top AUXILIARY )
+
+#
+# Standard Track Dynamic Directory Services from RFC2589
+#
+objectclass ( 1.3.6.1.4.1.1466.101.119.2 NAME 'dynamicObject'
+ DESC 'RFC2589 Dynamic Object'
+ SUP top AUXILIARY )
+
+attributetype ( 1.3.6.1.4.1.1466.101.119.3 NAME 'entryTtl'
+ DESC 'RFC2589 entry time-to-live'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+ NO-USER-MODIFICATION USAGE dSAOperation )
+
+attributetype ( 1.3.6.1.4.1.1466.101.119.4 NAME 'dynamicSubtrees'
+ DESC 'RFC2589 dynamic subtrees'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION
+ USAGE dSAOperation )
+
+# Derived from RFC1274, but with new "short names"
+attributetype ( 0.9.2342.19200300.100.1.1
+ NAME ( 'uid' 'userid' )
+ DESC 'RFC1274 user identifier'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+attributetype ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
+ DESC 'rfc822 mail box'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
+ SUP top AUXILIARY
+ MUST userPassword )
+
+
+# RFC1274 + RFC2247
+attributetype ( 0.9.2342.19200300.100.1.25
+ NAME ( 'dc' 'domainComponent' )
+ DESC 'RFC1274/2247 domain component'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+# RFC2247
+objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
+ SUP top AUXILIARY MUST dc )
+
+
+# From RFC2377
+objectclass ( 1.3.6.1.1.3.1 NAME 'uidObject'
+ DESC 'RFC2377 uid object'
+ SUP top AUXILIARY MUST uid )
#
# From draft-ietf-ldapext-nameref-00.txt
# used to represent referrals in the directory
#
-attributetype ( 2.16.840.1.113730.3.1.34 NAME 'ref' DESC 'URL Reference'
+attributetype ( 2.16.840.1.113730.3.1.34 NAME 'ref'
+ DESC 'nameref URL Reference'
EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE distributedOperation )
objectclass ( 2.16.840.1.113730.3.2.6 NAME 'referral'
- SUP top STRUCTURAL MAY ( ref ) )
+ DESC 'Named referral object'
+ SUP top STRUCTURAL MAY ref )
#
# LDAPsubEntry
-# OID not assigned (1.3.6.1.4.1.1466.115.121.1.??)
+# likely to change!
+objectclass ( 2.16.840.1.113719.2.142.6.1.1 NAME 'LDAPsubEntry'
+ DESC 'LDAP Subentry'
+ SUP top STRUCTURAL MAY cn )
+
+#
+# OpenLDAProotDSE
+# likely to change!
+objectclass ( 1.3.6.1.4.1.4203.666.3.2
+ NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' )
+ DESC 'OpenLDAP Root DSE object'
+ SUP top STRUCTURAL MAY cn )
+
#
-objectclass ( NAME 'LDAPsubEntry'
- DESC 'Limited X.501 Subentry class, named by cn'
- SUP top STRUCTURAL MUST ( cn ) )
+# IETF LDAPext WG Access Control Model
+# likely to change!
+attributetype ( supportedACIMechanismsOID NAME 'supportedACIMechanisms'
+ DESC 'list of access control mechanisms supported by this directory server'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )
+
+attributetype ( aCIMechanismOID NAME 'aCIMechanism'
+ DESC 'list of access control mechanism supported in this subtree'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )
+
+attributetype ( ldapACIOID NAME 'ldapACI'
+ DESC 'LDAP access control information'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ USAGE directoryOperation )
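Review bot: The three access-control attribute types added at the end use symbolic OIDs (`supportedACIMechanismsOID`, `aCIMechanismOID`, `ldapACIOID`) instead of numeric ones, and nothing in the hunk defines them; unless the parser resolves such names through an OID macro declared elsewhere (an `objectidentifier` line is the usual place, and none is visible here), loading this file will fail on the first of them. The `# likely to change!` comment records the instability but not the dependency; consider extending it to `# OIDs are placeholders pending IETF assignment; each name must be defined by an objectidentifier macro before this file is loaded`. Since ldapACI is meant to carry access-control information, the definition itself does not limit who may modify it, so a short note that write access to it must be restricted by the server's ACLs once the mechanism is in use would help the next maintainer. The hunk may continue past the end of this excerpt, so later definitions were not reviewed.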