INTERNET-DRAFT
-draft-ietf-ldup-subentry-00.txt
+draft-ietf-ldup-subentry-01.txt
Ed Reed
Novell, Inc.
- August 15, 1999
+ August 29, 1999
LDAP Subentry Schema
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
-This Internet-Draft expires on January 9, 1999.
+This Internet-Draft expires on February 29, 1999.
2. Abstract
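Review bot: the new expiry line on page 1 reads "February 29, 1999", a date that does not exist (1999 is not a leap year) and that contradicts the footer's "Expires February 29, 2000" further down; the -00 text had the same inconsistency (January 9, 1999 on page 1 against January 15, 2000 in the footer). Change it to "This Internet-Draft expires on February 29, 2000." and derive both lines from the same date, six months after the August 29, 1999 issue date.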
-This document describes an object class called lDAPsubEntry which MAY
+This document describes an object class called ldapSubEntry which MAY
be used to indicate operations and management related entries in the
-directory, called LDAP Subentries.
+directory, called LDAP Subentries. This version of this document is
+updated with an assigned OID for the ldapSubEntry object class.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
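Review bot: the sentence added to the Abstract, "This version of this document is updated with an assigned OID for the ldapSubEntry object class", is a change-log note rather than a description of the document, and it becomes wrong the moment -02 is issued. Move it to a short "Changes since -00" section (or the Acknowledgements) and keep the Abstract to what the draft defines.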
-
Reed [Page 1]
- Expires January 15, 2000\f
+ Expires February 29, 2000\f
-INTERNET-DRAFT 15 August 1999
+INTERNET-DRAFT 29 August 1999
LDAP Subentry Schema
3. Definition
-3.1 LDAPsubEntry Class
+3.1 ldapSubEntry Class
-( 1.3.6.1.4.1.1466.115.121.1.?? NAME 'LDAPsubEntry'
- DESC 'LDAP Subentry class, named by cn'
+( 2.16.840.1.113719.2.142.6.1.1 NAME 'ldapSubEntry'
+ DESC 'LDAP Subentry class, version 1'
SUP top STRUCTURAL
MUST ( cn ) )
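Review bot: the assigned OID 2.16.840.1.113719.2.142.6.1.1 replaces a placeholder that sat under 1.3.6.1.4.1.1466.115.121.1, the arc RFC 2252 uses for LDAP attribute syntaxes, so the placeholder would have been misleading had it survived; good to see it gone. Two points on the definition itself: the DESC now says 'version 1' and drops the 'named by cn' hint, so the naming rule is carried only by MUST ( cn ) and by the prose below, which also permits other naming attributes, and it would help to say which is authoritative; and since object class names are matched case-insensitively, the rename from 'LDAPsubEntry' to 'ldapSubEntry' changes nothing on the wire, so every occurrence should be made consistent in this same revision (the Acknowledgements still say "subEntry object class"; spell out whether that means ldapSubEntry or the X.501 subentry).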
-The class lDAPsubEntry is intended to be used as a super class when
+The class ldapSubEntry is intended to be used as a super class when
defining other structural classes to be used as LDAP Subentries. The
-presence of lDAPsubEntry in the list of super-classes of an entry in
+presence of ldapSubEntry in the list of super-classes of an entry in
the directory makes that entry an LDAP Subentry. Object classes
-derived from lDAPsubEntry are themselves considered lDAPsubEntry
+derived from ldapSubEntry are themselves considered ldapSubEntry
classes, for the purpose of this discussion.
LDAP Subentries MAY be named by their commonName attribute [LDAPv3].
Other naming attributes are also permitted.
-LDAP Subentries MAY be containers, unlike their [X.500] counterparts.
+LDAP Subentries MAY be containers, unlike their [X.501] counterparts.
LDAP Subentries MAY be contained by, and will usually be located in
the directory information tree immediately subordinate to,
search results and read operations when only user attributes are
requested).
-NOTE: No special treatment of LDAP Subentries by applications is
-required, but it might be worth considering creating an LDAPv3 control
-to indicate when LDAP Subentries are desired to be returned (subject
-to access controls and search filters, of course) for LDAP search
-operations.
+LDAP servers SHOULD implement the following special handling of
+ldapSubEntry entries:
+a) search operations which include a matching criteria
+"objectclass=ldapSubEntry" MUST include entries derived from the
+ldapSubEntry class in the scope of their operations;
+b) search operations which do not include a matching criteria
+"objectclass=ldapSubEntry" MUST IGNORE entries derived from the
+ldapSubEntry class, and exclude them from the scope of their
+operations.
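Review bot: rule (b) makes ldapSubEntry entries invisible to any search whose filter does not contain "objectclass=ldapSubEntry", but "include a matching criteria" is left undefined. It is unclear whether a compound filter such as (&(objectClass=ldapSubEntry)(cn=x)) or a negated one such as (!(objectClass=ldapSubEntry)) counts, whether the presence filter (objectClass=*) counts, whether the test is on the filter text or on its evaluation against each entry, and whether a baseObject-scope search (a read) of the subentry's own DN is exempt; each of these should be stated. Also make explicit that this handling is not an access control: an entry hidden by (b) remains reachable through (a), so the Security Considerations' point that read permission on subentries may need restricting applies regardless of whether a server implements this handling. Finally, say what a client should expect from a server that does not implement the SHOULD (the subentries then appear in ordinary results), since a client has no way to tell which case it is in.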
-4. Security Considerations
-LDAP Subentries will frequently be used to hold data which reflects
-either the actual or intended behavior of the directory service. As
-such, permission to read such entries MAY need to be restricted to
Reed [Page 2]
- Expires January 15, 2000\f
+ Expires February 29, 2000\f
-INTERNET-DRAFT 15 August 1999
+INTERNET-DRAFT 29 August 1999
LDAP Subentry Schema
+The combination of SHOULD and MUST in the special handling
+instructions, above, are meant to convey this: Servers SHOULD support
+this special handling, and if they do they MUST do it as described,
+and not some other way.
+
+
+
+4. Security Considerations
+
+LDAP Subentries will frequently be used to hold data which reflects
+either the actual or intended behavior of the directory service. As
+such, permission to read such entries MAY need to be restricted to
authorized users. More importantly, IF a directory service treats the
information in an LDAP Subentry as the authoritative source of policy
to be used to control the behavior of the directory, then permission
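Review bot: the explanatory paragraph on page 3 has a number-agreement slip, "The combination of SHOULD and MUST ... are meant to convey" should read "is meant to convey". On substance it restates what the key-words paragraph in section 2 already implies (a MUST inside an optional SHOULD feature binds only the implementations that provide the feature), so it could be cut to one clause; a more useful addition would be a pointer to how a client discovers whether a given server implements the handling, since without that clients must cope with both behaviours.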
[LDUPINFO] _ E. Reed, "LDUP Replication Information Model", draft-
ietf-ldup-infomod-01.txt
-[LDAPv3] Kille, S., Wahl, M., and T. Howes, "Lightweight Directory
+[LDAPv3] S. Kille, M. Wahl, and T. Howes, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997
-[X.500] ITU-T Rec. X.501, "The Directory: Models", 1993
+[X.501] ITU-T Rec. X.501, "The Directory: Models", 1993
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.
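Review bot: retagging [X.500] as [X.501] makes the reference list match the citation in section 3, and is right since the cited work is ITU-T Rec. X.501. For [LDAPv3], though, RFC 2251 lists its authors as M. Wahl, T. Howes and S. Kille, so the reordered entry still has them in the wrong order; suggest "M. Wahl, T. Howes, and S. Kille". The [LDUPINFO] entry just above also carries a stray " _ " between the tag and the author, which looks like an encoding remnant and should be removed.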
+Reed [Page 3]
+ Expires February 29, 2000\f
+
+
+INTERNET-DRAFT 29 August 1999
+ LDAP Subentry Schema
+
+
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
-
-Reed [Page 3]
- Expires January 15, 2000\f
-
-
-INTERNET-DRAFT 15 August 1999
- LDAP Subentry Schema
-
7. Acknowledgements
The use of subEntry object class to store Replica and Replication
USA
E-mail: Ed_Reed@Novell.com
+
+Reed [Page 4]
+ Expires February 29, 2000\f
+
+
+INTERNET-DRAFT 29 August 1999
+ LDAP Subentry Schema
+
LDUP Mailing List: ietf-ldup@imc.org
-Reed [Page 4]
- Expires January 15, 2000\f
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Reed [Page 5]
+ Expires February 29, 2000\f
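Review bot: the run of empty "+" lines after the mailing-list line pushes the footer onto a fifth page that carries nothing but the running header and footer. Drop the padding so the document ends on page 4, or pad only to the end of page 4.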