The Wayback Machine - https://web.archive.org/web/20190425051048/https://tools.ietf.org/html/rfc4524
[Docs] [txt|pdf] [draft-zeilenga-...] [Tracker] [Diff1] [Diff2] [Errata] PROPOSED STANDARDErrata ExistNetwork Working Group K. Zeilenga, Ed.Request for Comments: 4524 OpenLDAP FoundationObsoletes:1274 June 2006Updates:2247,2798Category: Standards TrackCOSINE LDAP/X.500 SchemaStatus of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.Copyright Notice Copyright (C) The Internet Society (2006).Abstract This document provides a collection of schema elements for use with the Lightweight Directory Access Protocol (LDAP) from the COSINE and Internet X.500 pilot projects. This document obsoletesRFC 1274 and updates RFCs 2247 and 2798.Table of Contents1. Introduction ....................................................31.1. Relationship to Other Documents ............................31.2. Terminology and Conventions ................................42. COSINE Attribute Types ..........................................42.1. associatedDomain ...........................................42.2. associatedName .............................................52.3. buildingName ...............................................52.4. co .........................................................52.5. documentAuthor .............................................62.6. documentIdentifier .........................................62.7. documentLocation ...........................................62.8. documentPublisher ..........................................72.9. documentTitle ..............................................72.10. documentVersion ...........................................72.11. drink .....................................................82.12. homePhone .................................................82.13. homePostalAddress .........................................8Zeilenga Standards Track [Page 1]
RFC 4524 COSINE LDAP/X.500 Schema June 20062.14. host ......................................................92.15. info ......................................................92.16. mail ......................................................92.17. manager ..................................................102.18. mobile ...................................................102.19. organizationalStatus .....................................112.20. pager ....................................................112.21. personalTitle ............................................112.22. roomNumber ...............................................122.23. secretary ................................................122.24. uniqueIdentifier .........................................122.25. userClass ................................................133. COSINE Object Classes ..........................................133.1. account ...................................................133.2. document ..................................................143.3. documentSeries ............................................143.4. domain ....................................................153.5. domainRelatedObject .......................................163.6. friendlyCountry ...........................................163.7. rFC822LocalPart ...........................................173.8. room ......................................................183.9. simpleSecurityObject ......................................184. Security Considerations ........................................185. IANA Considerations ............................................196. Acknowledgements ...............................................207. References .....................................................207.1. Normative References ......................................207.2. Informative References ....................................21Appendix A. Changes sinceRFC 1274 ...............................23A.1. LDAP Short Names .........................................23A.2. pilotObject ..............................................23A.3. pilotPerson ..............................................23A.4. dNSDomain ................................................24A.5. pilotDSA and qualityLabelledData .........................24A.6. Attribute Syntaxes .......................................24Appendix B. Changes sinceRFC 2247 ...............................24Zeilenga Standards Track [Page 2]
RFC 4524 COSINE LDAP/X.500 Schema June 20061. Introduction In the late 1980s, X.500 Directory Services were standardized by the CCITT (Commite' Consultatif International de Telegraphique et Telephonique), now a part of the ITU (International Telephone Union). This lead to Directory Service piloting activities in the early 1990s, including the COSINE (Co-operation and Open Systems Interconnection in Europe) PARADISE Project pilot [COSINEpilot] in Europe. Motivated by needs for large-scale directory pilots,RFC1274 was published to standardize the directory schema and naming architecture for use in the COSINE and other Internet X.500 pilots [RFC1274]. In the years that followed, X.500 Directory Services have evolved to incorporate new capabilities and even new protocols. In particular, the Lightweight Directory Access Protocol (LDAP) [RFC4510] was introduced in the early 1990s [RFC1487], with Version 3 of LDAP introduced in the late 1990s [RFC2251] and subsequently revised in 2005 [RFC4510]. While much of the material inRFC 1274 has been superceded by subsequently published ITU-T Recommendations and IETF RFCs, many of the schema elements lack standardized schema descriptions for use in modern X.500 and LDAP directory services despite the fact that these schema elements are in wide use today. As the old schema descriptions cannot be used without adaptation, interoperability issues may arise due to lack of standardized modern schema descriptions. This document addresses these issues by offering standardized schema descriptions, where needed, for widely used COSINE schema elements.1.1. Relationship to Other Documents This document, together with [RFC4519] and [RFC4517], obsoletesRFC1274 in its entirety. [RFC4519] replaces Sections9.3.1 (Userid) and 9.3.21 (Domain Component) ofRFC 1274. [RFC4517] replacesSection9.4 (Generally useful syntaxes) ofRFC 1274. This document replaces the remainder ofRFC 1274.Appendix A discusses changes sinceRFC 1274, as well as why certain schema elements were not brought forward in this revision of the COSINE schema. All elements not brought are to be regarded as Historic. The description of the 'domain' object class provided in this document supercedes that found inRFC 2247. That is,Section 3.4 of this document replacesSection 5.2 of [RFC2247].Zeilenga Standards Track [Page 3]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 Some of the schema elements specified here were described inRFC 2798 (inetOrgPerson schema). This document supersedes these descriptions. This document, together with [RFC4519], replaces Section 9.1.3 ofRFC2798.1.2. Terminology and Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described inBCP 14 [RFC2119]. DIT stands for Directory Information Tree. DN stands for Distinguished Name. DSA stands for Directory System Agent, a server. DSE stands for DSA-Specific Entry. DUA stands for Directory User Agent, a client. These terms are discussed in [RFC4512]. Schema definitions are provided using LDAP description formats [RFC4512]. Definitions provided here are formatted (line wrapped) for readability.2. COSINE Attribute Types This section details COSINE attribute types for use in LDAP.2.1. associatedDomain The 'associatedDomain' attribute specifies DNS [RFC1034][RFC2181] host names [RFC1123] that are associated with an object. That is, values of this attribute should conform to the following ABNF: domain = root / label *( DOT label ) root = SPACE label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ] LETDIG = %x30-39 / %x41-5A / %x61-7A ; "0" - "9" / "A"-"Z" / "a"-"z" SPACE = %x20 ; space (" ") HYPHEN = %x2D ; hyphen ("-") DOT = %x2E ; period (".") For example, the entry in the DIT with a DN <DC=example,DC=com> might have an associated domain of "example.com". ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )Zeilenga Standards Track [Page 4]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the 'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are described in [RFC4517]. Note that the directory will not ensure that values of this attribute conform to the <domain> production provided above. It is the application's responsibility to ensure that domains it stores in this attribute are appropriately represented. Also note that applications supporting Internationalized Domain Names SHALL use the ToASCII method [RFC3490] to produce <label> components of the <domain> production.2.2. associatedName The 'associatedName' attribute specifies names of entries in the organizational DIT associated with a DNS domain [RFC1034][RFC2181]. ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the 'distinguishedNameMatch' rule are described in [RFC4517].2.3. buildingName The 'buildingName' attribute specifies names of the buildings where an organization or organizational unit is based, for example, "The White House". ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.4. co The 'co' (Friendly Country Name) attribute specifies names of countries in human-readable format, for example, "Germany" and "Federal Republic of Germany". It is commonly used in conjunction with the 'c' (Country Name) [RFC4519] attribute (whose values are restricted to the two-letter codes defined in [ISO3166]).Zeilenga Standards Track [Page 5]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 ( 0.9.2342.19200300.100.1.43 NAME 'co' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.5. documentAuthor The 'documentAuthor' attribute specifies the distinguished names of authors (or editors) of a document. For example, ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the 'distinguishedNameMatch' rule are described in [RFC4517].2.6. documentIdentifier The 'documentIdentifier' attribute specifies unique identifiers for a document. A document may be identified by more than one unique identifier. For example,RFC 3383 andBCP 64 are unique identifiers that (presently) refer to the same document. ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.7. documentLocation The 'documentLocation' attribute specifies locations of the document original. ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )Zeilenga Standards Track [Page 6]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.8. documentPublisher The 'documentPublisher' attribute is the persons and/or organizations that published the document. Documents that are jointly published have one value for each publisher. ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.9. documentTitle The 'documentTitle' attribute specifies the titles of a document. Multiple values are allowed to accommodate both long and short titles, or other situations where a document has multiple titles, for example, "The Lightweight Directory Access Protocol Technical Specification" and "The LDAP Technical Specification". ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.10. documentVersion The 'documentVersion' attribute specifies the version information of a document. ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )Zeilenga Standards Track [Page 7]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.11. drink The 'drink' (favoriteDrink) attribute specifies the favorite drinks of an object (or person), for instance, "cola" and "beer". ( 0.9.2342.19200300.100.1.5 NAME 'drink' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.12. homePhone The 'homePhone' (Home Telephone Number) attribute specifies home telephone numbers (e.g., "+1 775 555 1234") associated with a person. ( 0.9.2342.19200300.100.1.20 NAME 'homePhone' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 ) The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the 'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are described in [RFC4517].2.13. homePostalAddress The 'homePostalAddress' attribute specifies home postal addresses for an object. Each value should be limited to up to 6 directory strings of 30 characters each. (Note: It is not intended that the directory service enforce these limits.) ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' EQUALITY caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) The PostalAddress (1.3.6.1.4.1.1466.115.121.1.41) syntax and the 'caseIgnoreListMatch' and 'caseIgnoreListSubstringsMatch' rules are described in [RFC4517].Zeilenga Standards Track [Page 8]
RFC 4524 COSINE LDAP/X.500 Schema June 20062.14. host The 'host' attribute specifies host computers, generally by their primary fully qualified domain name (e.g., my-host.example.com). ( 0.9.2342.19200300.100.1.9 NAME 'host' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.15. info The 'info' attribute specifies any general information pertinent to an object. This information is not necessarily descriptive of the object. Applications should not attach specific semantics to values of this attribute. The 'description' attribute [RFC4519] is available for specifying descriptive information pertinent to an object. ( 0.9.2342.19200300.100.1.4 NAME 'info' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.16. mail The 'mail' (rfc822mailbox) attribute type holds Internet mail addresses in Mailbox [RFC2821] form (e.g., user@example.com). ( 0.9.2342.19200300.100.1.3 NAME 'mail' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the 'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are described in [RFC4517].Zeilenga Standards Track [Page 9]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 Note that the directory will not ensure that values of this attribute conform to the <Mailbox> production [RFC2821]. It is the application's responsibility to ensure that domains it stores in this attribute are appropriately represented. Additionally, the directory will compare values per the matching rules named in the above attribute type description. As these rules differ from rules that normally apply to <Mailbox> comparisons, operational issues may arise. For example, the assertion (mail=joe@example.com) will match "JOE@example.com" even though the <local-parts> differ. Also, where a user has two <Mailbox>es whose addresses differ only by case of the <local-part>, both cannot be listed as values of the user's mail attribute (as they are considered equal by the 'caseIgnoreIA5Match' rule). Also note that applications supporting internationalized domain names SHALL use the ToASCII method [RFC3490] to produce <sub-domain> components of the <Mailbox> production.2.17. manager The 'manager' attribute specifies managers, by distinguished name, of the person (or entity). ( 0.9.2342.19200300.100.1.10 NAME 'manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the 'distinguishedNameMatch' rule are described in [RFC4517].2.18. mobile The 'mobile' (mobileTelephoneNumber) attribute specifies mobile telephone numbers (e.g., "+1 775 555 6789") associated with a person (or entity). ( 0.9.2342.19200300.100.1.41 NAME 'mobile' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 ) The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the 'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are described in [RFC4517].Zeilenga Standards Track [Page 10]
RFC 4524 COSINE LDAP/X.500 Schema June 20062.19. organizationalStatus The 'organizationalStatus' attribute specifies categories by which a person is often referred to in an organization. Examples of usage in academia might include "undergraduate student", "researcher", "professor", and "staff". Multiple values are allowed where the person is in multiple categories. Directory administrators and application designers SHOULD consider carefully the distinctions between this and the 'title' and 'userClass' attributes. ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.20. pager The 'pager' (pagerTelephoneNumber) attribute specifies pager telephone numbers (e.g., "+1 775 555 5555") for an object. ( 0.9.2342.19200300.100.1.42 NAME 'pager' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 ) The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the 'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are described in [RFC4517].2.21. personalTitle The 'personalTitle' attribute specifies personal titles for a person. Examples of personal titles are "Frau", "Dr.", "Herr", and "Professor". ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )Zeilenga Standards Track [Page 11]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.22. roomNumber The 'roomNumber' attribute specifies the room number of an object. During periods of renumbering, or in other circumstances where a room has multiple valid room numbers associated with it, multiple values may be provided. Note that the 'cn' (commonName) attribute type SHOULD be used for naming room objects. ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].2.23. secretary The 'secretary' attribute specifies secretaries and/or administrative assistants, by distinguished name. ( 0.9.2342.19200300.100.1.21 NAME 'secretary' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the 'distinguishedNameMatch' rule are described in [RFC4517].2.24. uniqueIdentifier The 'uniqueIdentifier' attribute specifies a unique identifier for an object represented in the Directory. The domain within which the identifier is unique and the exact semantics of the identifier are for local definition. For a person, this might be an institution- wide payroll number. For an organizational unit, it might be a department code. ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )Zeilenga Standards Track [Page 12]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517]. Note: X.520 also describes an attribute called 'uniqueIdentifier' (2.5.4.45), which is called 'x500UniqueIdentifier' in LDAP [RFC4519]. The attribute detailed here ought not be confused with 'x500UniqueIdentifier'.2.25. userClass The 'userClass' attribute specifies categories of computer or application user. The semantics placed on this attribute are for local interpretation. Examples of current usage of this attribute in academia are "student", "staff", and "faculty". Note that the 'organizationalStatus' attribute type is now often preferred, as it makes no distinction between persons as opposed to users. ( 0.9.2342.19200300.100.1.8 NAME 'userClass' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described in [RFC4517].3. COSINE Object Classes This section details COSINE object classes for use in LDAP.3.1. account The 'account' object class is used to define entries representing computer accounts. The 'uid' attribute SHOULD be used for naming entries of this object class. ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST uid MAY ( description $ seeAlso $ l $ o $ ou $ host ) ) The 'top' object class is described in [RFC4512]. The 'description', 'seeAlso', 'l', 'o', 'ou', and 'uid' attribute types are described in [RFC4519]. The 'host' attribute type is described inSection 2 of this document.Zeilenga Standards Track [Page 13]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 3.3. documentSeriesExample: dn: uid=kdz,cn=Accounts,dc=Example,dc=COM objectClass: account uid: kdz seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM3.2. document The 'document' object class is used to define entries that represent documents. ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( cn $ description $ seeAlso $ l $ o $ ou $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) ) The 'top' object class is described in [RFC4512]. The 'cn', 'description', 'seeAlso', 'l', 'o', and 'ou' attribute types are described in [RFC4519]. The 'documentIdentifier', 'documentTitle', 'documentVersion', 'documentAuthor', 'documentLocation', and 'documentPublisher' attribute types are described inSection 2 of this document. Example: dn: documentIdentifier=RFC 4524,cn=RFC,dc=Example,dc=COM objectClass: document documentIdentifier:RFC 4524 documentTitle: COSINE LDAP/X.500 Schema documentAuthor: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM documentLocation:http://www.rfc-editor.org/rfc/rfc4524.txt documentPublisher: Internet Engineering Task Force description: A collection of schema elements for use in LDAP description: ObsoletesRFC 1274 seeAlso: documentIdentifier=RFC 4510,cn=RFC,dc=Example,dc=COM seeAlso: documentIdentifier=RFC 1274,cn=RFC,dc=Example,dc=COM3.3. documentSeries The 'documentSeries' object class is used to define an entry that represents a series of documents (e.g., The Request For Comments memos).Zeilenga Standards Track [Page 14]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL MUST cn MAY ( description $ l $ o $ ou $ seeAlso $ telephonenumber ) ) The 'top' object class is described in [RFC4512]. The 'description', 'l', 'o', 'ou', 'seeAlso', and 'telephoneNumber' attribute types are described in [RFC4519]. Example: dn: cn=RFC,dc=Example,dc=COM objectClass: documentSeries cn: Request for Comments cn: RFC description: a series of memos about the Internet3.4. domain The 'domain' object class is used to define entries that represent DNS domains for objects that are not organizations, organizational units, or other kinds of objects more appropriately defined using an object class specific to the kind of object being defined (e.g., 'organization', 'organizationUnit'). The 'dc' attribute should be used for naming entries of the 'domain' object class. ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST dc MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description $ o $ associatedName ) ) The 'top' object class and the 'dc', 'userPassword', 'searchGuide', 'seeAlso', 'businessCategory', 'x121Address', 'registeredAddress', 'destinationIndicator', 'preferredDeliveryMethod', 'telexNumber', 'teletexTerminalIdentifier', 'telephoneNumber', 'internationaliSDNNumber', 'facsimileTelephoneNumber', 'street', 'postOfficeBox', 'postalCode', 'postalAddress', 'physicalDeliveryOfficeName', 'st', 'l', 'description', and 'o' typesZeilenga Standards Track [Page 15]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 are described in [RFC4519]. The 'associatedName' attribute type is described inSection 2 of this document. Example: dn: dc=com objectClass: domain dc: com description: the .COM TLD3.5. domainRelatedObject The 'domainRelatedObject' object class is used to define entries that represent DNS domains that are "equivalent" to an X.500 domain, e.g., an organization or organizational unit. ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' SUP top AUXILIARY MUST associatedDomain ) The 'top' object class is described in [RFC4512]. The 'associatedDomain' attribute type is described inSection 2 of this document. Example: dn: dc=example,dc=com objectClass: organization objectClass: dcObject objectClass: domainRelatedObject dc: example associatedDomain: example.com o: Example Organization The 'organization' and 'dcObject' object classes and the 'dc' and 'o' attribute types are described in [RFC4519].3.6. friendlyCountry The 'friendlyCountry' object class is used to define entries representing countries in the DIT. The object class is used to allow friendlier naming of countries than that allowed by the object class 'country' [RFC4519]. ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST co )Zeilenga Standards Track [Page 16]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 The 'country' object class is described in [RFC4519]. The 'co' attribute type is described inSection 2 of this document. Example: dn: c=DE objectClass: country objectClass: friendlyCountry c: DE co: Deutschland co: Germany co: Federal Republic of Germany co: FRG The 'c' attribute type is described in [RFC4519].3.7. rFC822LocalPart The 'rFC822LocalPart' object class is used to define entries that represent the local part of Internet mail addresses [RFC2822]. This treats the local part of the address as a 'domain' object. ( 0.9.2342.19200300.100.4.14 NAME 'rFC822localPart' SUP domain STRUCTURAL MAY ( cn $ description $ destinationIndicator $ facsimileTelephoneNumber $ internationaliSDNNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ preferredDeliveryMethod $ registeredAddress $ seeAlso $ sn $ street $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ x121Address ) ) The 'domain' object class is described inSection 3.4 of this document. The 'cn', 'description', 'destinationIndicator', 'facsimileTelephoneNumber', 'internationaliSDNNumber, 'physicalDeliveryOfficeName', 'postalAddress', 'postalCode', 'postOfficeBox', 'preferredDeliveryMethod', 'registeredAddress', 'seeAlso', 'sn, 'street', 'telephoneNumber', 'teletexTerminalIdentifier', 'telexNumber', and 'x121Address' attribute types are described in [RFC4519]. Example: dn: dc=kdz,dc=example,dc=com objectClass: domain objectClass: rFC822LocalPart dc: kdz associatedName: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COMZeilenga Standards Track [Page 17]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 The 'dc' attribute type is described in [RFC4519].3.8. room The 'room' object class is used to define entries representing rooms. The 'cn' (commonName) attribute SHOULD be used for naming entries of this object class. ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST cn MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) ) The 'top' object class is described in [RFC4512]. The 'cn', 'description', 'seeAlso', and 'telephoneNumber' attribute types are described in [RFC4519]. The 'roomNumber' attribute type is described inSection 2 of this document. dn: cn=conference room,dc=example,dc=com objectClass: room cn: conference room telephoneNumber: +1 755 555 11113.9. simpleSecurityObject The 'simpleSecurityObject' object class is used to require an entry to have a 'userPassword' attribute when the entry's structural object class does not require (or allow) the 'userPassword attribute'. ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' SUP top AUXILIARY MUST userPassword ) The 'top' object class is described in [RFC4512]. The 'userPassword' attribute type is described in [RFC4519]. dn: dc=kdz,dc=Example,dc=COM objectClass: account objectClass: simpleSecurityObject uid: kdz userPassword: My Password seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM4. Security Considerations General LDAP security considerations [RFC4510] are applicable to the use of this schema. Additional considerations are noted above where appropriate.Zeilenga Standards Track [Page 18]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 Directories administrators should ensure that access to sensitive information be restricted to authorized entities and that appropriate data security services, including data integrity and data confidentiality, are used to protect against eavesdropping. Simple authentication (e.g., plain text passwords) mechanisms should only be used when adequate data security services are in place. LDAP offers reasonably strong authentication and data security services [RFC4513].5. IANA Considerations The Internet Assigned Numbers Authority (IANA) has updated the LDAP descriptors registry [RFC4520] as indicated in the following template: Subject: Request for LDAP Descriptor Registration Update Descriptor (short name): see comment Object Identifier: see comments Person & email address to contact for further information: Kurt Zeilenga <kurt@OpenLDAP.org> Usage: see comments Specification:RFC 4524 Author/Change Controller: IESG Comments: The following descriptors have been updated to refer toRFC 4524. NAME Type OID ------------------------ ---- -------------------------- account O 0.9.2342.19200300.100.4.5 associatedDomain A 0.9.2342.19200300.100.1.37 associatedName A 0.9.2342.19200300.100.1.38 buildingName A 0.9.2342.19200300.100.1.48 co A 0.9.2342.19200300.100.1.43 document O 0.9.2342.19200300.100.4.6 documentAuthor A 0.9.2342.19200300.100.1.14 documentIdentifier A 0.9.2342.19200300.100.1.11 documentLocation A 0.9.2342.19200300.100.1.15 documentPublisher A 0.9.2342.19200300.100.1.56 documentSeries O 0.9.2342.19200300.100.4.8 documentTitle A 0.9.2342.19200300.100.1.12 documentVersion A 0.9.2342.19200300.100.1.13 domain O 0.9.2342.19200300.100.4.13 domainRelatedObject O 0.9.2342.19200300.100.4.17 drink A 0.9.2342.19200300.100.1.5 favouriteDrink A* 0.9.2342.19200300.100.1.5 friendlyCountry O 0.9.2342.19200300.100.4.18Zeilenga Standards Track [Page 19]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 friendlyCountryName A* 0.9.2342.19200300.100.1.43 homePhone A 0.9.2342.19200300.100.1.20 homePostalAddress A 0.9.2342.19200300.100.1.39 homeTelephone A* 0.9.2342.19200300.100.1.20 host A 0.9.2342.19200300.100.1.9 info A 0.9.2342.19200300.100.1.4 mail A 0.9.2342.19200300.100.1.3 manager A 0.9.2342.19200300.100.1.10 mobile A 0.9.2342.19200300.100.1.41 mobileTelephoneNumber A* 0.9.2342.19200300.100.1.41 organizationalStatus A 0.9.2342.19200300.100.1.45 pager A 0.9.2342.19200300.100.1.42 pagerTelephoneNumber A* 0.9.2342.19200300.100.1.42 personalTitle A 0.9.2342.19200300.100.1.40 rFC822LocalPart O 0.9.2342.19200300.100.4.14 rfc822Mailbox A* 0.9.2342.19200300.100.1.3 room O 0.9.2342.19200300.100.4.7 roomNumber A 0.9.2342.19200300.100.1.6 secretary A 0.9.2342.19200300.100.1.21 simpleSecurityObject O 0.9.2342.19200300.100.4.19 singleLevelQuality A 0.9.2342.19200300.100.1.50 uniqueIdentifier A 0.9.2342.19200300.100.1.44 userClass A 0.9.2342.19200300.100.1.8 where Type A is Attribute, Type O is ObjectClass, and * indicates that the registration is historic in nature.6. Acknowledgements This document is based onRFC 1274, by Paul Barker and Steve Kille, as well as onRFC 2247, by Steve Kill, Mark Wahl, Al Grimstad, Rick Huber, and Sri Satulari.7. References7.1. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13,RFC 1034, November 1987. [RFC1123] Braden, R., "Requirements for Internet Hosts - Application and Support", STD 3,RFC 1123, October 1989. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels",BCP 14,RFC 2119, March 1997.Zeilenga Standards Track [Page 20]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification",RFC 2181, July 1997. [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri, "Using Domains in LDAP/X.500 Distinguished Names",RFC 2247, January 1998. [RFC2821] Klensin, J., Ed., "Simple Mail Transfer Protocol",RFC2821, April 2001. [RFC2822] Resnick, P., "Internet Message Format",RFC 2822, April 2001. [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, "Internationalizing Domain Names in Applications (IDNA)",RFC 3490, March 2003. [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map",RFC4510, June 2006. [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models",RFC 4512, June 2006. [RFC4513] Harrison, R., "Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms",RFC 4513, June 2006. [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules", RC 4517, June 2006. [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access Protocol (LDAP): Schema for User Applications",RFC4519, June 2006. [X.501] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory -- Models," X.501(1993) (also ISO/IEC 9594- 2:1994).7.2. Informative References [COSINEpilot] Goodman, D., "PARADISE" section of the March 1991 INTERNET MONTHLY REPORTS (p. 28-29),http://www.iana.org/periodic-reports/imr-mar91.txtZeilenga Standards Track [Page 21]
RFC 4524 COSINE LDAP/X.500 Schema June 2006 [ISO3166] International Organization for Standardization, "Codes for the representation of names of countries", ISO 3166. [RFC1274] Barker, P. and S. Kille, "The COSINE and Internet X.500 Schema",RFC 1274, November 1991. [RFC1279] Hardcastle-Kille, S., "X.500 and Domains",RFC 1279, November 1991. [RFC1487] Yeong, W., Howes, T., and S. Kille, "X.500 Lightweight Directory Access Protocol",RFC 1487, July 1993. [RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access Protocol (v3)",RFC 2251, December 1997. [RFC2798] Smith, M., "Definition of the inetOrgPerson LDAP Object Class",RFC 2798, April 2000. [RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status",RFC 3494, March 2003. [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)",BCP 64,RFC 4520.Zeilenga Standards Track [Page 22]
RFC 4524 COSINE LDAP/X.500 Schema June 2006Appendix A. Changes sinceRFC 1274 This document represents a substantial rewrite ofRFC 1274. The following sections summarize the substantive changes.A.1. LDAP Short Names A number of COSINE attribute types have short names in LDAP. X.500 Name LDAP Short Name ------------- --------------- domainComponent dc favoriteDrink drink friendCountryName co homeTelephoneNumber homePhone mobileTelephoneNumber mobile pagerTelephoneNumber pager rfc822Mailbox mail userid uid While the LDAP short names are generally used in LDAP, some implementations may (for legacy reasons [RFC3494]) recognize the attribute type by its X.500 name. Hence, the X.500 names have been reserved solely for this purpose. Note: 'uid' and 'dc' are described in [RFC4519].A.2. pilotObject The 'pilotObject' object class was not brought forward as its function is largely replaced by operational attributes introduced in X.500(93) [X.501] and version 3 of LDAP [RFC4512]. For instance, the function of the 'lastModifiedBy' and 'lastModifiedTime' attribute types is now served by the 'creatorsName', 'createTimestamp', 'modifiersName', and 'modifyTimestamp' operational attributes [RFC4512].A.3. pilotPerson The 'pilotPerson' object class was not brought forward as its function is largely replaced by the 'organizationalPerson' [RFC4512] object class and its subclasses, such as 'inetOrgPerson' [RFC2798]. Most of the related attribute types (e.g., 'mail', 'manager') were brought forward as they are used in other object classes.Zeilenga Standards Track [Page 23]
RFC 4524 COSINE LDAP/X.500 Schema June 2006A.4. dNSDomain The 'dNSDomain' object class and related attribute types were not brought forward as its use is primarily experimental [RFC1279].A.5. pilotDSA and qualityLabelledData The 'pilotDSA' and 'qualityLabelledData' object classes, as well as related attribute types, were not brought forward as its use is primarily experimental [QoS].A.6. Attribute SyntaxesRFC 1274 defined and used caseIgnoreIA5StringSyntax attribute syntax. This has been replaced with the IA5String syntax and appropriate matching rules in 'mail' and 'associatedDomain'.RFC 1274 restricted 'mail' to have non-zero length values. This restriction is not reflected in the IA5String syntax used in the definitions provided in this specification. However, as values are to conform to the <Mailbox> production, the 'mail' should not contain zero-length values. Unfortunately, the directory service will not enforce this restriction.Appendix B. Changes sinceRFC 2247 The 'domainNameForm' name form was not brought forward as specification of name forms used in LDAP is left to a future specification.Editor's Address Kurt D. Zeilenga OpenLDAP Foundation EMail: Kurt@OpenLDAP.orgZeilenga Standards Track [Page 24]
RFC 4524 COSINE LDAP/X.500 Schema June 2006Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained inBCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found inBCP 78 andBCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository athttp://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.Acknowledgement Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).Zeilenga Standards Track [Page 25]
Html markup produced by rfcmarkup 1.129c, available fromhttps://tools.ietf.org/tools/rfcmarkup/
