1 2 3 4 5 6 7Network Working Group A. Sciberras, Ed. 8Request for Comments: 4519 eB2Bcom 9Obsoletes: 2256 June 2006 10Updates: 2247, 2798, 2377 11Category: Standards Track 12 13 14 Lightweight Directory Access Protocol (LDAP): 15 Schema for User Applications 16 17Status of This Memo 18 19 This document specifies an Internet standards track protocol for the 20 Internet community, and requests discussion and suggestions for 21 improvements. Please refer to the current edition of the "Internet 22 Official Protocol Standards" (STD 1) for the standardization state 23 and status of this protocol. Distribution of this memo is unlimited. 24 25Copyright Notice 26 27 Copyright (C) The Internet Society (2006). 28 29Abstract 30 31 This document is an integral part of the Lightweight Directory Access 32 Protocol (LDAP) technical specification. It provides a technical 33 specification of attribute types and object classes intended for use 34 by LDAP directory clients for many directory services, such as White 35 Pages. These objects are widely used as a basis for the schema in 36 many LDAP directories. This document does not cover attributes used 37 for the administration of directory servers, nor does it include 38 directory objects defined for specific uses in other documents. 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58Sciberras Standards Track [Page 1] 59 60RFC 4519 LDAP: Schema for User Applications June 2006 61 62 63Table of Contents 64 65 1. Introduction ....................................................3 66 1.1. Relationship with Other Specifications .....................3 67 1.2. Conventions ................................................4 68 1.3. General Issues .............................................4 69 2. Attribute Types .................................................4 70 2.1. 'businessCategory' .........................................5 71 2.2. 'c' ........................................................5 72 2.3. 
'cn' .......................................................5 73 2.4. 'dc' .......................................................6 74 2.5. 'description' ..............................................6 75 2.6. 'destinationIndicator' .....................................7 76 2.7. 'distinguishedName' ........................................7 77 2.8. 'dnQualifier' ..............................................8 78 2.9. 'enhancedSearchGuide' ......................................8 79 2.10. 'facsimileTelephoneNumber' ................................9 80 2.11. 'generationQualifier' .....................................9 81 2.12. 'givenName' ...............................................9 82 2.13. 'houseIdentifier' .........................................9 83 2.14. 'initials' ...............................................10 84 2.15. 'internationalISDNNumber' ................................10 85 2.16. 'l' ......................................................10 86 2.17. 'member' .................................................11 87 2.18. 'name' ...................................................11 88 2.19. 'o' ......................................................11 89 2.20. 'ou' .....................................................12 90 2.21. 'owner' ..................................................12 91 2.22. 'physicalDeliveryOfficeName' .............................12 92 2.23. 'postalAddress' ..........................................13 93 2.24. 'postalCode' .............................................13 94 2.25. 'postOfficeBox' ..........................................14 95 2.26. 'preferredDeliveryMethod' ................................14 96 2.27. 'registeredAddress' ......................................14 97 2.28. 'roleOccupant' ...........................................15 98 2.29. 'searchGuide' ............................................15 99 2.30. 'seeAlso' ................................................15 100 2.31. 
'serialNumber' ...........................................16 101 2.32. 'sn' .....................................................16 102 2.33. 'st' .....................................................16 103 2.34. 'street' .................................................17 104 2.35. 'telephoneNumber' ........................................17 105 2.36. 'teletexTerminalIdentifier' ..............................17 106 2.37. 'telexNumber' ............................................18 107 2.38. 'title' ..................................................18 108 2.39. 'uid' ....................................................18 109 2.40. 'uniqueMember' ...........................................19 110 2.41. 'userPassword' ...........................................19 111 112 113 114Sciberras Standards Track [Page 2] 115 116RFC 4519 LDAP: Schema for User Applications June 2006 117 118 119 2.42. 'x121Address' ............................................20 120 2.43. 'x500UniqueIdentifier' ...................................20 121 3. Object Classes .................................................20 122 3.1. 'applicationProcess' ......................................21 123 3.2. 'country' .................................................21 124 3.3. 'dcObject' ................................................21 125 3.4. 'device' ..................................................21 126 3.5. 'groupOfNames' ............................................22 127 3.6. 'groupOfUniqueNames' ......................................22 128 3.7. 'locality' ................................................23 129 3.8. 'organization' ............................................23 130 3.9. 'organizationalPerson' ....................................24 131 3.10. 'organizationalRole' .....................................24 132 3.11. 'organizationalUnit' .....................................24 133 3.12. 'person' .................................................25 134 3.13. 
'residentialPerson' ......................................25 135 3.14. 'uidObject' ..............................................26 136 4. IANA Considerations ............................................26 137 5. Security Considerations ........................................28 138 6. Acknowledgements ...............................................28 139 7. References .....................................................29 140 7.1. Normative References ......................................29 141 7.2. Informative References ....................................30 142 Appendix A Changes Made Since RFC 2256 ...........................32 143 1441. Introduction 145 146 This document provides an overview of attribute types and object 147 classes intended for use by Lightweight Directory Access Protocol 148 (LDAP) directory clients for many directory services, such as White 149 Pages. Originally specified in the X.500 [X.500] documents, these 150 objects are widely used as a basis for the schema in many LDAP 151 directories. This document does not cover attributes used for the 152 administration of directory servers, nor does it include directory 153 objects defined for specific uses in other documents. 154 1551.1. Relationship with Other Specifications 156 157 This document is an integral part of the LDAP technical specification 158 [RFC4510], which obsoletes the previously defined LDAP technical 159 specification, RFC 3377, in its entirety. In terms of RFC 2256, 160 Sections 6 and 8 of RFC 2256 are obsoleted by [RFC4517]. Sections 161 5.1, 5.2, 7.1, and 7.2 of RFC 2256 are obsoleted by [RFC4512]. The 162 remainder of RFC 2256 is obsoleted by this document. The technical 163 specification for the 'dc' attribute type and 'dcObject' object class 164 found in RFC 2247 are superseded by sections 2.4 and 3.3 of this 165 document. The remainder of RFC 2247 remains in force. 
166 167 168 169 170Sciberras Standards Track [Page 3] 171 172RFC 4519 LDAP: Schema for User Applications June 2006 173 174 175 This document updates RFC 2798 by replacing the informative 176 description of the 'uid' attribute type with the definitive 177 description provided in Section 2.39 of this document. 178 179 This document updates RFC 2377 by replacing the informative 180 description of the 'uidObject' object class with the definitive 181 description provided in Section 3.14 of this document. 182 183 A number of schema elements that were included in the previous 184 revision of the LDAP Technical Specification are not included in this 185 revision of LDAP. PKI-related schema elements are now specified in 186 [RFC4523]. Unless reintroduced in future technical specifications, 187 the remainder are to be considered Historic. 188 189 The descriptions in this document SHALL be considered definitive for 190 use in LDAP. 191 1921.2. Conventions 193 194 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 195 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 196 document are to be interpreted as described in RFC 2119 [RFC2119]. 197 1981.3. General Issues 199 200 This document references Syntaxes defined in Section 3 of [RFC4517] 201 and Matching Rules defined in Section 4 of [RFC4517]. 202 203 The definitions of Attribute Types and Object Classes are written 204 using the Augmented Backus-Naur Form (ABNF) [RFC4234] of 205 AttributeTypeDescription and ObjectClassDescription given in 206 [RFC4512]. Lines have been folded for readability. When such values 207 are transferred as attribute values in the LDAP Protocol, the values 208 will not contain line breaks. 209 2102. Attribute Types 211 212 The attribute types contained in this section hold user information. 213 214 There is no requirement that servers implement the 'searchGuide' and 215 'teletexTerminalIdentifier' attribute types. In fact, their use is 216 greatly discouraged. 
217 218 An LDAP server implementation SHOULD recognize the rest of the 219 attribute types described in this section. 220 221 222 223 224 225 226Sciberras Standards Track [Page 4] 227 228RFC 4519 LDAP: Schema for User Applications June 2006 229 230 2312.1. 'businessCategory' 232 233 The 'businessCategory' attribute type describes the kinds of business 234 performed by an organization. Each kind is one value of this 235 multi-valued attribute. 236 (Source: X.520 [X.520]) 237 238 ( 2.5.4.15 NAME 'businessCategory' 239 EQUALITY caseIgnoreMatch 240 SUBSTR caseIgnoreSubstringsMatch 241 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 242 243 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax 244 [RFC4517]. 245 246 Examples: "banking", "transportation", and "real estate". 247 2482.2. 'c' 249 250 The 'c' ('countryName' in X.500) attribute type contains a two-letter 251 ISO 3166 [ISO3166] country code. 252 (Source: X.520 [X.520]) 253 254 ( 2.5.4.6 NAME 'c' 255 SUP name 256 SYNTAX 1.3.6.1.4.1.1466.115.121.1.11 257 SINGLE-VALUE ) 258 259 1.3.6.1.4.1.1466.115.121.1.11 refers to the Country String syntax 260 [RFC4517]. 261 262 Examples: "DE", "AU" and "FR". 263 2642.3. 'cn' 265 266 The 'cn' ('commonName' in X.500) attribute type contains names of an 267 object. Each name is one value of this multi-valued attribute. If 268 the object corresponds to a person, it is typically the person's full 269 name. 270 (Source: X.520 [X.520]) 271 272 ( 2.5.4.3 NAME 'cn' 273 SUP name ) 274 275 Examples: "Martin K Smith", "Marty Smith" and "printer12". 276 277 278 279 280 281 282Sciberras Standards Track [Page 5] 283 284RFC 4519 LDAP: Schema for User Applications June 2006 285 286 2872.4. 'dc' 288 289 The 'dc' ('domainComponent' in RFC 1274) attribute type is a string 290 holding one component, a label, of a DNS domain name 291 [RFC1034][RFC2181] naming a host [RFC1123]. 
That is, a value of this 292 attribute is a string of ASCII characters adhering to the following 293 ABNF [RFC4234]: 294 295 label = (ALPHA / DIGIT) [*61(ALPHA / DIGIT / HYPHEN) (ALPHA / DIGIT)] 296 ALPHA = %x41-5A / %x61-7A ; "A"-"Z" / "a"-"z" 297 DIGIT = %x30-39 ; "0"-"9" 298 HYPHEN = %x2D ; hyphen ("-") 299 300 The encoding of IA5String for use in LDAP is simply the characters of 301 the ASCII label. The equality matching rule is case insensitive, as 302 is today's DNS. (Source: RFC 2247 [RFC2247] and RFC 1274 [RFC 1274]) 303 304 ( 0.9.2342.19200300.100.1.25 NAME 'dc' 305 EQUALITY caseIgnoreIA5Match 306 SUBSTR caseIgnoreIA5SubstringsMatch 307 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 308 SINGLE-VALUE ) 309 310 1.3.6.1.4.1.1466.115.121.1.26 refers to the IA5 String syntax 311 [RFC4517]. 312 313 Examples: Valid values include "example" and "com" but not 314 "example.com". The latter is invalid as it contains multiple domain 315 components. 316 317 It is noted that the directory service will not ensure that values of 318 this attribute conform to the host label restrictions [RFC1123] 319 illustrated by the <label> production provided above. It is the 320 directory client's responsibility to ensure that the labels it stores 321 in this attribute are appropriately restricted. 322 323 Directory applications supporting International Domain Names SHALL 324 use the ToASCII method [RFC3490] to produce the domain component 325 label. The special considerations discussed in Section 4 of RFC 3490 326 [RFC3490] should be taken, depending on whether the domain component 327 is used for "stored" or "query" purposes. 328 3292.5. 'description' 330 331 The 'description' attribute type contains human-readable descriptive 332 phrases about the object. Each description is one value of this 333 multi-valued attribute. 
334 (Source: X.520 [X.520]) 335 336 337 338Sciberras Standards Track [Page 6] 339 340RFC 4519 LDAP: Schema for User Applications June 2006 341 342 343 ( 2.5.4.13 NAME 'description' 344 EQUALITY caseIgnoreMatch 345 SUBSTR caseIgnoreSubstringsMatch 346 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 347 348 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax 349 [RFC4517]. 350 351 Examples: "a color printer", "Maintenance is done every Monday, at 352 1pm.", and "distribution list for all technical staff". 353 3542.6. 'destinationIndicator' 355 356 The 'destinationIndicator' attribute type contains country and city 357 strings associated with the object (the addressee) needed to provide 358 the Public Telegram Service. The strings are composed in accordance 359 with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is 360 one value of this multi-valued attribute. 361 (Source: X.520 [X.520]) 362 363 ( 2.5.4.27 NAME 'destinationIndicator' 364 EQUALITY caseIgnoreMatch 365 SUBSTR caseIgnoreSubstringsMatch 366 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) 367 368 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax 369 [RFC4517]. 370 371 Examples: "AASD" as a destination indicator for Sydney, Australia. 372 "GBLD" as a destination indicator for London, United 373 Kingdom. 374 375 It is noted that the directory will not ensure that values of this 376 attribute conform to the F.1 and F.31 CCITT Recommendations. It is 377 the application's responsibility to ensure destination indicators 378 that it stores in this attribute are appropriately constructed. 379 3802.7. 'distinguishedName' 381 382 The 'distinguishedName' attribute type is not used as the name of the 383 object itself, but it is instead a base type from which some user 384 attribute types with a DN syntax can inherit. 385 386 It is unlikely that values of this type itself will occur in an 387 entry. 
LDAP server implementations that do not support attribute 388 subtyping need not recognize this attribute in requests. Client 389 implementations MUST NOT assume that LDAP servers are capable of 390 performing attribute subtyping. 391 392 393 394Sciberras Standards Track [Page 7] 395 396RFC 4519 LDAP: Schema for User Applications June 2006 397 398 399 (Source: X.520 [X.520]) 400 401 ( 2.5.4.49 NAME 'distinguishedName' 402 EQUALITY distinguishedNameMatch 403 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) 404 405 1.3.6.1.4.1.1466.115.121.1.12 refers to the DN syntax [RFC4517]. 406 4072.8. 'dnQualifier' 408 409 The 'dnQualifier' attribute type contains disambiguating information 410 strings to add to the relative distinguished name of an entry. The 411 information is intended for use when merging data from multiple 412 sources in order to prevent conflicts between entries that would 413 otherwise have the same name. Each string is one value of this 414 multi-valued attribute. It is recommended that a value of the 415 'dnQualifier' attribute be the same for all entries from a particular 416 source. 417 (Source: X.520 [X.520]) 418 419 ( 2.5.4.46 NAME 'dnQualifier' 420 EQUALITY caseIgnoreMatch 421 ORDERING caseIgnoreOrderingMatch 422 SUBSTR caseIgnoreSubstringsMatch 423 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) 424 425 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax 426 [RFC4517]. 427 428 Examples: "20050322123345Z" - timestamps can be used to disambiguate 429 information. 430 "123456A" - serial numbers can be used to disambiguate 431 information. 432 4332.9. 'enhancedSearchGuide' 434 435 The 'enhancedSearchGuide' attribute type contains sets of information 436 for use by directory clients in constructing search filters. Each 437 set is one value of this multi-valued attribute. 
438 (Source: X.520 [X.520]) 439 440 ( 2.5.4.47 NAME 'enhancedSearchGuide' 441 SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) 442 443 1.3.6.1.4.1.1466.115.121.1.21 refers to the Enhanced Guide syntax 444 [RFC4517]. 445 446 447 448 449 450Sciberras Standards Track [Page 8] 451 452RFC 4519 LDAP: Schema for User Applications June 2006 453 454 455 Examples: "person#(sn$APPROX)#wholeSubtree" and 456 "organizationalUnit#(ou$SUBSTR)#oneLevel". 457 4582.10. 'facsimileTelephoneNumber' 459 460 The 'facsimileTelephoneNumber' attribute type contains telephone 461 numbers (and, optionally, the parameters) for facsimile terminals. 462 Each telephone number is one value of this multi-valued attribute. 463 (Source: X.520 [X.520]) 464 465 ( 2.5.4.23 NAME 'facsimileTelephoneNumber' 466 SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) 467 468 1.3.6.1.4.1.1466.115.121.1.22 refers to the Facsimile Telephone 469 Number syntax [RFC4517]. 470 471 Examples: "+61 3 9896 7801" and "+81 3 347 7418$fineResolution". 472 4732.11. 'generationQualifier' 474 475 The 'generationQualifier' attribute type contains name strings that 476 are typically the suffix part of a person's name. Each string is one 477 value of this multi-valued attribute. 478 (Source: X.520 [X.520]) 479 480 ( 2.5.4.44 NAME 'generationQualifier' 481 SUP name ) 482 483 Examples: "III", "3rd", and "Jr.". 484 4852.12. 'givenName' 486 487 The 'givenName' attribute type contains name strings that are the 488 part of a person's name that is not their surname. Each string is 489 one value of this multi-valued attribute. 490 (Source: X.520 [X.520]) 491 492 ( 2.5.4.42 NAME 'givenName' 493 SUP name ) 494 495 Examples: "Andrew", "Charles", and "Joanne". 496 4972.13. 'houseIdentifier' 498 499 The 'houseIdentifier' attribute type contains identifiers for a 500 building within a location. Each identifier is one value of this 501 multi-valued attribute. 
502 (Source: X.520 [X.520]) 503 504 505 506Sciberras Standards Track [Page 9] 507 508RFC 4519 LDAP: Schema for User Applications June 2006 509 510 511 ( 2.5.4.51 NAME 'houseIdentifier' 512 EQUALITY caseIgnoreMatch 513 SUBSTR caseIgnoreSubstringsMatch 514 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 515 516 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax 517 [RFC4517]. 518 519 Example: "20" to represent the house number 20. 520 5212.14. 'initials' 522 523 The 'initials' attribute type contains strings of initials of some or 524 all of an individual's names, except the surname(s). Each string is 525 one value of this multi-valued attribute. 526 (Source: X.520 [X.520]) 527 528 ( 2.5.4.43 NAME 'initials' 529 SUP name ) 530 531 Examples: "K. A." and "K". 532 5332.15. 'internationalISDNNumber' 534 535 The 'internationalISDNNumber' attribute type contains Integrated 536 Services Digital Network (ISDN) addresses, as defined in the 537 International Telecommunication Union (ITU) Recommendation E.164 538 [E.164]. Each address is one value of this multi-valued attribute. 539 (Source: X.520 [X.520]) 540 541 ( 2.5.4.25 NAME 'internationalISDNNumber' 542 EQUALITY numericStringMatch 543 SUBSTR numericStringSubstringsMatch 544 SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 ) 545 546 1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax 547 [RFC4517]. 548 549 Example: "0198 333 333". 550 5512.16. 'l' 552 553 The 'l' ('localityName' in X.500) attribute type contains names of a 554 locality or place, such as a city, county, or other geographic 555 region. Each name is one value of this multi-valued attribute. 556 (Source: X.520 [X.520]) 557 558 559 560 561 562Sciberras Standards Track [Page 10] 563 564RFC 4519 LDAP: Schema for User Applications June 2006 565 566 567 ( 2.5.4.7 NAME 'l' 568 SUP name ) 569 570 Examples: "Geneva", "Paris", and "Edinburgh". 571 5722.17. 
'member' 573 574 The 'member' attribute type contains the distinguished names of 575 objects that are on a list or in a group. Each name is one value of 576 this multi-valued attribute. 577 (Source: X.520 [X.520]) 578 579 ( 2.5.4.31 NAME 'member' 580 SUP distinguishedName ) 581 582 Examples: "cn=James Clarke,ou=Finance,o=Widget\, Inc." and 583 "cn=John Xerri,ou=Finance,o=Widget\, Inc." may 584 be two members of the financial team (group) at Widget, 585 Inc., in which case, both of these distinguished names 586 would be present as individual values of the member 587 attribute. 588 5892.18. 'name' 590 591 The 'name' attribute type is the attribute supertype from which user 592 attribute types with the name syntax inherit. Such attribute types 593 are typically used for naming. The attribute type is multi-valued. 594 595 It is unlikely that values of this type itself will occur in an 596 entry. LDAP server implementations that do not support attribute 597 subtyping need not recognize this attribute in requests. Client 598 implementations MUST NOT assume that LDAP servers are capable of 599 performing attribute subtyping. 600 (Source: X.520 [X.520]) 601 602 ( 2.5.4.41 NAME 'name' 603 EQUALITY caseIgnoreMatch 604 SUBSTR caseIgnoreSubstringsMatch 605 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 606 607 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax 608 [RFC4517]. 609 6102.19. 'o' 611 612 The 'o' ('organizationName' in X.500) attribute type contains the 613 names of an organization. Each name is one value of this 614 multi-valued attribute. 615 616 617 618Sciberras Standards Track [Page 11] 619 620RFC 4519 LDAP: Schema for User Applications June 2006 621 622 623 (Source: X.520 [X.520]) 624 625 ( 2.5.4.10 NAME 'o' 626 SUP name ) 627 628 Examples: "Widget", "Widget, Inc.", and "Widget, Incorporated.". 629 6302.20. 'ou' 631 632 The 'ou' ('organizationalUnitName' in X.500) attribute type contains 633 the names of an organizational unit. 
Each name is one value of this 634 multi-valued attribute. 635 (Source: X.520 [X.520]) 636 637 ( 2.5.4.11 NAME 'ou' 638 SUP name ) 639 640 Examples: "Finance", "Human Resources", and "Research and 641 Development". 642 6432.21. 'owner' 644 645 The 'owner' attribute type contains the distinguished names of 646 objects that have an ownership responsibility for the object that is 647 owned. Each owner's name is one value of this multi-valued 648 attribute. 649 (Source: X.520 [X.520]) 650 651 ( 2.5.4.32 NAME 'owner' 652 SUP distinguishedName ) 653 654 Example: The mailing list object, whose DN is "cn=All Employees, 655 ou=Mailing List,o=Widget\, Inc.", is owned by the Human 656 Resources Director. 657 658 Therefore, the value of the 'owner' attribute within the 659 mailing list object, would be the DN of the director (role): 660 "cn=Human Resources Director,ou=employee,o=Widget\, Inc.". 661 6622.22. 'physicalDeliveryOfficeName' 663 664 The 'physicalDeliveryOfficeName' attribute type contains names that a 665 Postal Service uses to identify a post office. 666 (Source: X.520 [X.520]) 667 668 669 670 671 672 673 674Sciberras Standards Track [Page 12] 675 676RFC 4519 LDAP: Schema for User Applications June 2006 677 678 679 ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' 680 EQUALITY caseIgnoreMatch 681 SUBSTR caseIgnoreSubstringsMatch 682 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 683 684 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax 685 [RFC4517]. 686 687 Examples: "Bremerhaven, Main" and "Bremerhaven, Bonnstrasse". 688 6892.23. 'postalAddress' 690 691 The 'postalAddress' attribute type contains addresses used by a 692 Postal Service to perform services for the object. Each address is 693 one value of this multi-valued attribute. 
694 (Source: X.520 [X.520]) 695 696 ( 2.5.4.16 NAME 'postalAddress' 697 EQUALITY caseIgnoreListMatch 698 SUBSTR caseIgnoreListSubstringsMatch 699 SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) 700 701 1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax 702 [RFC4517]. 703 704 Example: "15 Main St.$Ottawa$Canada". 705 7062.24. 'postalCode' 707 708 The 'postalCode' attribute type contains codes used by a Postal 709 Service to identify postal service zones. Each code is one value of 710 this multi-valued attribute. 711 (Source: X.520 [X.520]) 712 713 ( 2.5.4.17 NAME 'postalCode' 714 EQUALITY caseIgnoreMatch 715 SUBSTR caseIgnoreSubstringsMatch 716 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 717 718 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax 719 [RFC4517]. 720 721 Example: "22180", to identify Vienna, VA, in the USA. 722 723 724 725 726 727 728 729 730Sciberras Standards Track [Page 13] 731 732RFC 4519 LDAP: Schema for User Applications June 2006 733 734 7352.25. 'postOfficeBox' 736 737 The 'postOfficeBox' attribute type contains postal box identifiers 738 that a Postal Service uses when a customer arranges to receive mail 739 at a box on the premises of the Postal Service. Each postal box 740 identifier is a single value of this multi-valued attribute. 741 (Source: X.520 [X.520]) 742 743 ( 2.5.4.18 NAME 'postOfficeBox' 744 EQUALITY caseIgnoreMatch 745 SUBSTR caseIgnoreSubstringsMatch 746 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 747 748 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax 749 [RFC4517]. 750 751 Example: "Box 45". 752 7532.26. 'preferredDeliveryMethod' 754 755 The 'preferredDeliveryMethod' attribute type contains an indication 756 of the preferred method of getting a message to the object. 757 (Source: X.520 [X.520]) 758 759 ( 2.5.4.28 NAME 'preferredDeliveryMethod' 760 SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 761 SINGLE-VALUE ) 762 763 1.3.6.1.4.1.1466.115.121.1.14 refers to the Delivery Method syntax 764 [RFC4517]. 
765 766 Example: If the mhs-delivery Delivery Method is preferred over 767 telephone-delivery, which is preferred over all other 768 methods, the value would be: "mhs $ telephone". 769 7702.27. 'registeredAddress' 771 772 The 'registeredAddress' attribute type contains postal addresses 773 suitable for reception of telegrams or expedited documents, where it 774 is necessary to have the recipient accept delivery. Each address is 775 one value of this multi-valued attribute. 776 (Source: X.520 [X.520]) 777 778 ( 2.5.4.26 NAME 'registeredAddress' 779 SUP postalAddress 780 SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) 781 782 783 784 785 786Sciberras Standards Track [Page 14] 787 788RFC 4519 LDAP: Schema for User Applications June 2006 789 790 791 1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax 792 [RFC4517]. 793 794 Example: "Receptionist$Widget, Inc.$15 Main St.$Ottawa$Canada". 795 7962.28. 'roleOccupant' 797 798 The 'roleOccupant' attribute type contains the distinguished names of 799 objects (normally people) that fulfill the responsibilities of a role 800 object. Each distinguished name is one value of this multi-valued 801 attribute. 802 (Source: X.520 [X.520]) 803 804 ( 2.5.4.33 NAME 'roleOccupant' 805 SUP distinguishedName ) 806 807 Example: The role object, "cn=Human Resources 808 Director,ou=Position,o=Widget\, Inc.", is fulfilled by two 809 people whose object names are "cn=Mary 810 Smith,ou=employee,o=Widget\, Inc." and "cn=James 811 Brown,ou=employee,o=Widget\, Inc.". The 'roleOccupant' 812 attribute will contain both of these distinguished names, 813 since they are the occupants of this role. 814 8152.29. 'searchGuide' 816 817 The 'searchGuide' attribute type contains sets of information for use 818 by clients in constructing search filters. It is superseded by 819 'enhancedSearchGuide', described above in Section 2.9. Each set is 820 one value of this multi-valued attribute. 
821 (Source: X.520 [X.520]) 822 823 ( 2.5.4.14 NAME 'searchGuide' 824 SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) 825 826 1.3.6.1.4.1.1466.115.121.1.25 refers to the Guide syntax [RFC4517]. 827 828 Example: "person#sn$EQ". 829 8302.30. 'seeAlso' 831 832 The 'seeAlso' attribute type contains the distinguished names of 833 objects that are related to the subject object. Each related object 834 name is one value of this multi-valued attribute. 835 (Source: X.520 [X.520]) 836 837 ( 2.5.4.34 NAME 'seeAlso' 838 SUP distinguishedName ) 839 840 841 842Sciberras Standards Track [Page 15] 843 844RFC 4519 LDAP: Schema for User Applications June 2006 845 846 847 Example: The person object "cn=James Brown,ou=employee,o=Widget\, 848 Inc." is related to the role objects "cn=Football Team 849 Captain,ou=sponsored activities,o=Widget\, Inc." and 850 "cn=Chess Team,ou=sponsored activities,o=Widget\, Inc.". 851 Since the role objects are related to the person object, the 852 'seeAlso' attribute will contain the distinguished name of 853 each role object as separate values. 854 8552.31. 'serialNumber' 856 857 The 'serialNumber' attribute type contains the serial numbers of 858 devices. Each serial number is one value of this multi-valued 859 attribute. 860 (Source: X.520 [X.520]) 861 862 ( 2.5.4.5 NAME 'serialNumber' 863 EQUALITY caseIgnoreMatch 864 SUBSTR caseIgnoreSubstringsMatch 865 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) 866 867 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax 868 [RFC4517]. 869 870 Examples: "WI-3005" and "XF551426". 871 8722.32. 'sn' 873 874 The 'sn' ('surname' in X.500) attribute type contains name strings 875 for the family names of a person. Each string is one value of this 876 multi-valued attribute. 877 (Source: X.520 [X.520]) 878 879 ( 2.5.4.4 NAME 'sn' 880 SUP name ) 881 882 Example: "Smith". 883 8842.33. 'st' 885 886 The 'st' ('stateOrProvinceName' in X.500) attribute type contains the 887 full names of states or provinces. 
   Each name is one value of this
   multi-valued attribute.
   (Source: X.520 [X.520])

      ( 2.5.4.8 NAME 'st'
         SUP name )

   Example: "California".

2.34. 'street'

   The 'street' ('streetAddress' in X.500) attribute type contains site
   information from a postal address (i.e., the street name, place,
   avenue, and the house number). Each street is one value of this
   multi-valued attribute.
   (Source: X.520 [X.520])

      ( 2.5.4.9 NAME 'street'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
   [RFC4517].

   Example: "15 Main St.".

2.35. 'telephoneNumber'

   The 'telephoneNumber' attribute type contains telephone numbers that
   comply with the ITU Recommendation E.123 [E.123]. Each number is one
   value of this multi-valued attribute.
   (Source: X.520 [X.520])

      ( 2.5.4.20 NAME 'telephoneNumber'
         EQUALITY telephoneNumberMatch
         SUBSTR telephoneNumberSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

   1.3.6.1.4.1.1466.115.121.1.50 refers to the Telephone Number syntax
   [RFC4517].

   Example: "+1 234 567 8901".

2.36. 'teletexTerminalIdentifier'

   The withdrawal of Recommendation F.200 has resulted in the withdrawal
   of this attribute.
   (Source: X.520 [X.520])

      ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )

   1.3.6.1.4.1.1466.115.121.1.51 refers to the Teletex Terminal
   Identifier syntax [RFC4517].

2.37. 'telexNumber'

   The 'telexNumber' attribute type contains sets of strings that are a
   telex number, country code, and answerback code of a telex terminal.
   Each set is one value of this multi-valued attribute.
   (Source: X.520 [X.520])

      ( 2.5.4.21 NAME 'telexNumber'
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )

   1.3.6.1.4.1.1466.115.121.1.52 refers to the Telex Number syntax
   [RFC4517].

   Example: "12345$023$ABCDE".

2.38. 'title'

   The 'title' attribute type contains the title of a person in their
   organizational context. Each title is one value of this multi-valued
   attribute.
   (Source: X.520 [X.520])

      ( 2.5.4.12 NAME 'title'
         SUP name )

   Examples: "Vice President", "Software Engineer", and "CEO".

2.39. 'uid'

   The 'uid' ('userid' in RFC 1274) attribute type contains computer
   system login names associated with the object. Each name is one
   value of this multi-valued attribute.
   (Source: RFC 2798 [RFC2798] and RFC 1274 [RFC1274])

      ( 0.9.2342.19200300.100.1.1 NAME 'uid'
         EQUALITY caseIgnoreMatch
         SUBSTR caseIgnoreSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
   [RFC4517].

   Examples: "s9709015", "admin", and "Administrator".

2.40. 'uniqueMember'

   The 'uniqueMember' attribute type contains the distinguished names of
   an object that is on a list or in a group, where the relative
   distinguished names of the object include a value that distinguishes
   between objects when a distinguished name has been reused. Each
   distinguished name is one value of this multi-valued attribute.
   (Source: X.520 [X.520])

      ( 2.5.4.50 NAME 'uniqueMember'
         EQUALITY uniqueMemberMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

   1.3.6.1.4.1.1466.115.121.1.34 refers to the Name and Optional UID
   syntax [RFC4517].

   Example: If "ou=1st Battalion,o=Defense,c=US" is a battalion that was
            disbanded, establishing a new battalion with the "same" name
            would have a unique identifier value added, resulting in
            "ou=1st Battalion, o=Defense,c=US#'010101'B".

2.41. 'userPassword'

   The 'userPassword' attribute contains octet strings that are known
   only to the user and the system to which the user has access. Each
   string is one value of this multi-valued attribute.

   The application SHOULD prepare textual strings used as passwords by
   transcoding them to Unicode, applying SASLprep [RFC4013], and
   encoding as UTF-8. The determination of whether a password is
   textual is a local client matter.
   (Source: X.509 [X.509])

      ( 2.5.4.35 NAME 'userPassword'
         EQUALITY octetStringMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String syntax
   [RFC4517].

   Passwords are stored using an Octet String syntax and are not
   encrypted. Transfer of cleartext passwords is strongly discouraged
   where the underlying transport service cannot guarantee
   confidentiality and may result in disclosure of the password to
   unauthorized parties.

   An example of a need for multiple values in the 'userPassword'
   attribute is an environment where every month the user is expected to
   use a different password generated by some automated system. During
   transitional periods, like the last and first day of the periods, it
   may be necessary to allow two passwords for the two consecutive
   periods to be valid in the system.

2.42. 'x121Address'

   The 'x121Address' attribute type contains data network addresses as
   defined by ITU Recommendation X.121 [X.121]. Each address is one
   value of this multi-valued attribute.
   (Source: X.520 [X.520])

      ( 2.5.4.24 NAME 'x121Address'
         EQUALITY numericStringMatch
         SUBSTR numericStringSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

   1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax
   [RFC4517].

   Example: "36111222333444555".

2.43. 'x500UniqueIdentifier'

   The 'x500UniqueIdentifier' attribute type contains binary strings
   that are used to distinguish between objects when a distinguished
   name has been reused. Each string is one value of this multi-valued
   attribute.

   In X.520 [X.520], this attribute type is called 'uniqueIdentifier'.
   This is a different attribute type from both the 'uid' and
   'uniqueIdentifier' LDAP attribute types. The 'uniqueIdentifier'
   attribute type is defined in [RFC4524].
   (Source: X.520 [X.520])

      ( 2.5.4.45 NAME 'x500UniqueIdentifier'
         EQUALITY bitStringMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )

   1.3.6.1.4.1.1466.115.121.1.6 refers to the Bit String syntax
   [RFC4517].

3. Object Classes

   LDAP servers SHOULD recognize all the Object Classes listed here as
   values of the 'objectClass' attribute (see [RFC4512]).

3.1. 'applicationProcess'

   The 'applicationProcess' object class definition is the basis of an
   entry that represents an application executing in a computer system.
   (Source: X.521 [X.521])

      ( 2.5.6.11 NAME 'applicationProcess'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( seeAlso $
               ou $
               l $
               description ) )

3.2. 'country'

   The 'country' object class definition is the basis of an entry that
   represents a country.
   (Source: X.521 [X.521])

      ( 2.5.6.2 NAME 'country'
         SUP top
         STRUCTURAL
         MUST c
         MAY ( searchGuide $
               description ) )

3.3. 'dcObject'

   The 'dcObject' object class permits an entry to contain domain
   component information. This object class is defined as auxiliary,
   because it will be used in conjunction with an existing structural
   object class.
   (Source: RFC 2247 [RFC2247])

      ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
         SUP top
         AUXILIARY
         MUST dc )

3.4. 'device'

   The 'device' object class is the basis of an entry that represents an
   appliance, computer, or network element.
   (Source: X.521 [X.521])

      ( 2.5.6.14 NAME 'device'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( serialNumber $
               seeAlso $
               owner $
               ou $
               o $
               l $
               description ) )

3.5. 'groupOfNames'

   The 'groupOfNames' object class is the basis of an entry that
   represents a set of named objects including information related to
   the purpose or maintenance of the set.
   (Source: X.521 [X.521])

      ( 2.5.6.9 NAME 'groupOfNames'
         SUP top
         STRUCTURAL
         MUST ( member $
                cn )
         MAY ( businessCategory $
               seeAlso $
               owner $
               ou $
               o $
               description ) )

3.6. 'groupOfUniqueNames'

   The 'groupOfUniqueNames' object class is the same as the
   'groupOfNames' object class except that the object names are not
   repeated or reassigned within a set scope.
   (Source: X.521 [X.521])

      ( 2.5.6.17 NAME 'groupOfUniqueNames'
         SUP top
         STRUCTURAL
         MUST ( uniqueMember $
                cn )
         MAY ( businessCategory $
               seeAlso $
               owner $
               ou $
               o $
               description ) )

3.7. 'locality'

   The 'locality' object class is the basis of an entry that represents
   a place in the physical world.
   (Source: X.521 [X.521])

      ( 2.5.6.3 NAME 'locality'
         SUP top
         STRUCTURAL
         MAY ( street $
               seeAlso $
               searchGuide $
               st $
               l $
               description ) )

3.8. 'organization'

   The 'organization' object class is the basis of an entry that
   represents a structured group of people.
   (Source: X.521 [X.521])

      ( 2.5.6.4 NAME 'organization'
         SUP top
         STRUCTURAL
         MUST o
         MAY ( userPassword $ searchGuide $ seeAlso $
               businessCategory $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $
               telephoneNumber $ internationalISDNNumber $
               facsimileTelephoneNumber $ street $ postOfficeBox $
               postalCode $ postalAddress $ physicalDeliveryOfficeName $
               st $ l $ description ) )

3.9. 'organizationalPerson'

   The 'organizationalPerson' object class is the basis of an entry that
   represents a person in relation to an organization.
   (Source: X.521 [X.521])

      ( 2.5.6.7 NAME 'organizationalPerson'
         SUP person
         STRUCTURAL
         MAY ( title $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $
               telephoneNumber $ internationalISDNNumber $
               facsimileTelephoneNumber $ street $ postOfficeBox $
               postalCode $ postalAddress $ physicalDeliveryOfficeName $
               ou $ st $ l ) )

3.10. 'organizationalRole'

   The 'organizationalRole' object class is the basis of an entry that
   represents a job, function, or position in an organization.
   (Source: X.521 [X.521])

      ( 2.5.6.8 NAME 'organizationalRole'
         SUP top
         STRUCTURAL
         MUST cn
         MAY ( x121Address $ registeredAddress $ destinationIndicator $
               preferredDeliveryMethod $ telexNumber $
               teletexTerminalIdentifier $ telephoneNumber $
               internationalISDNNumber $ facsimileTelephoneNumber $
               seeAlso $ roleOccupant $ preferredDeliveryMethod $
               street $ postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ ou $ st $ l $
               description ) )

3.11. 'organizationalUnit'

   The 'organizationalUnit' object class is the basis of an entry that
   represents a piece of an organization.
   (Source: X.521 [X.521])

      ( 2.5.6.5 NAME 'organizationalUnit'
         SUP top
         STRUCTURAL
         MUST ou
         MAY ( businessCategory $ description $ destinationIndicator $
               facsimileTelephoneNumber $ internationalISDNNumber $ l $
               physicalDeliveryOfficeName $ postalAddress $ postalCode $
               postOfficeBox $ preferredDeliveryMethod $
               registeredAddress $ searchGuide $ seeAlso $ st $ street $
               telephoneNumber $ teletexTerminalIdentifier $
               telexNumber $ userPassword $ x121Address ) )

3.12. 'person'

   The 'person' object class is the basis of an entry that represents a
   human being.
   (Source: X.521 [X.521])

      ( 2.5.6.6 NAME 'person'
         SUP top
         STRUCTURAL
         MUST ( sn $
                cn )
         MAY ( userPassword $
               telephoneNumber $
               seeAlso $ description ) )

3.13. 'residentialPerson'

   The 'residentialPerson' object class is the basis of an entry that
   includes a person's residence in the representation of the person.
   (Source: X.521 [X.521])

      ( 2.5.6.10 NAME 'residentialPerson'
         SUP person
         STRUCTURAL
         MUST l
         MAY ( businessCategory $ x121Address $ registeredAddress $
               destinationIndicator $ preferredDeliveryMethod $
               telexNumber $ teletexTerminalIdentifier $
               telephoneNumber $ internationalISDNNumber $
               facsimileTelephoneNumber $ preferredDeliveryMethod $
               street $ postOfficeBox $ postalCode $ postalAddress $
               physicalDeliveryOfficeName $ st $ l ) )

3.14. 'uidObject'

   The 'uidObject' object class permits an entry to contain user
   identification information.
   This object class is defined as
   auxiliary, because it will be used in conjunction with an existing
   structural object class.
   (Source: RFC 2377 [RFC2377])

      ( 1.3.6.1.1.3.1 NAME 'uidObject'
         SUP top
         AUXILIARY
         MUST uid )

4. IANA Considerations

   The Internet Assigned Numbers Authority (IANA) has updated the LDAP
   descriptors registry as indicated in the following template:

      Subject: Request for LDAP Descriptor Registration Update
      Descriptor (short name): see comments
      Object Identifier: see comments
      Person & email address to contact for further information:
         Andrew Sciberras <andrew.sciberras@eb2bcom.com>
      Usage: (A = attribute type, O = Object Class) see comment
      Specification: RFC 4519
      Author/Change Controller: IESG

   Comments

   In the LDAP descriptors registry, the following descriptors (short
   names) have been updated to refer to RFC 4519. Names that need to
   be reserved, rather than assigned to an Object Identifier, will
   contain an Object Identifier value of RESERVED.

      NAME                       Type OID
      ------------------------   ---- ----------------------------
      applicationProcess         O    2.5.6.11
      businessCategory           A    2.5.4.15
      c                          A    2.5.4.6
      cn                         A    2.5.4.3
      commonName                 A    2.5.4.3
      country                    O    2.5.6.2
      countryName                A    2.5.4.6
      dc                         A    0.9.2342.19200300.100.1.25
      dcObject                   O    1.3.6.1.4.1.1466.344
      description                A    2.5.4.13
      destinationIndicator       A    2.5.4.27
      device                     O    2.5.6.14
      distinguishedName          A    2.5.4.49
      dnQualifier                A    2.5.4.46
      domainComponent            A    0.9.2342.19200300.100.1.25
      enhancedSearchGuide        A    2.5.4.47
      facsimileTelephoneNumber   A    2.5.4.23
      generationQualifier        A    2.5.4.44
      givenName                  A    2.5.4.42
      gn                         A    RESERVED
      groupOfNames               O    2.5.6.9
      groupOfUniqueNames         O    2.5.6.17
      houseIdentifier            A    2.5.4.51
      initials                   A    2.5.4.43
      internationalISDNNumber    A    2.5.4.25
      l                          A    2.5.4.7
      locality                   O    2.5.6.3
      localityName               A    2.5.4.7
      member                     A    2.5.4.31
      name                       A    2.5.4.41
      o                          A    2.5.4.10
      organization               O    2.5.6.4
      organizationName           A    2.5.4.10
      organizationalPerson       O    2.5.6.7
      organizationalRole         O    2.5.6.8
      organizationalUnit         O    2.5.6.5
      organizationalUnitName     A    2.5.4.11
      ou                         A    2.5.4.11
      owner                      A    2.5.4.32
      person                     O    2.5.6.6
      physicalDeliveryOfficeName A    2.5.4.19
      postalAddress              A    2.5.4.16
      postalCode                 A    2.5.4.17
      postOfficeBox              A    2.5.4.18
      preferredDeliveryMethod    A    2.5.4.28
      registeredAddress          A    2.5.4.26
      residentialPerson          O    2.5.6.10
      roleOccupant               A    2.5.4.33
      searchGuide                A    2.5.4.14
      seeAlso                    A    2.5.4.34
      serialNumber               A    2.5.4.5
      sn                         A    2.5.4.4
      st                         A    2.5.4.8
      street                     A    2.5.4.9
      surname                    A    2.5.4.4
      telephoneNumber            A    2.5.4.20
      teletexTerminalIdentifier  A    2.5.4.22
      telexNumber                A    2.5.4.21
      title                      A    2.5.4.12
      uid                        A    0.9.2342.19200300.100.1.1
      uidObject                  O    1.3.6.1.1.3.1
      uniqueMember               A    2.5.4.50
      userid                     A    0.9.2342.19200300.100.1.1
      userPassword               A    2.5.4.35
      x121Address                A    2.5.4.24
      x500UniqueIdentifier       A    2.5.4.45

5. Security Considerations

   Attributes of directory entries are used to provide descriptive
   information about the real-world objects they represent, which can be
   people, organizations, or devices. Most countries have privacy laws
   regarding the publication of information about people.

   Transfer of cleartext passwords is strongly discouraged where the
   underlying transport service cannot guarantee confidentiality and
   integrity, since this may result in disclosure of the password to
   unauthorized parties.

   Multiple attribute values for the 'userPassword' attribute need to be
   used with care. In particular, the reset or deletion of a password by
   an administrator who does not know the old user password becomes
   tricky or impossible if multiple values for different applications
   are present.

   Applications that intend to replace the 'userPassword' value(s) with
   new value(s) should certainly use modify/replaceValues (or
   modify/deleteAttribute+addAttribute). In addition, server
   implementations are encouraged to provide administrative controls
   that, if enabled, restrict the 'userPassword' attribute to one value.

   Note that when used for authentication purposes [RFC4513], the user
   need only prove knowledge of one of the values, not all of the
   values.

6. Acknowledgements

   The definitions, on which this document is based, have been developed
   by committees for telecommunications and international standards.

   This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
   product of the IETF ASID Working Group.

   The 'dc' attribute type definition and the 'dcObject' object class
   definition in this document supersede the specification in RFC 2247
   by S. Kille, M. Wahl, A. Grimstad, R. Huber, and S. Sataluri.

   The 'uid' attribute type definition in this document supersedes the
   specification of the 'userid' in RFC 1274 by P. Barker and S. Kille
   and of the uid in RFC 2798 by M. Smith.

   The 'uidObject' object class definition in this document supersedes
   the specification of the 'uidObject' in RFC 2377 by A. Grimstad, R.
   Huber, S. Sataluri, and M. Wahl.

   This document is based upon input of the IETF LDAPBIS working group.
   The author wishes to thank S. Legg and K. Zeilenga for their
   significant contribution to this update. The author would also like
   to thank Kathy Dally, who edited early versions of this document.

7. References

7.1. Normative References

   [E.123]    Notation for national and international telephone numbers,
              ITU-T Recommendation E.123, 1988.

   [E.164]    The international public telecommunication numbering plan,
              ITU-T Recommendation E.164, 1997.

   [F.1]      Operational Provisions For The International Public
              Telegram Service Transmission System, CCITT Recommendation
              F.1, 1992.

   [F.31]     Telegram Retransmission System, CCITT Recommendation F.31,
              1988.

   [ISO3166]  ISO 3166, "Codes for the representation of names of
              countries".

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1123]  Braden, R., "Requirements for Internet Hosts - Application
              and Support", STD 3, RFC 1123, October 1989.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

   [RFC3490]  Faltstrom, P., Hoffman, P., and A. Costello,
              "Internationalizing Domain Names in Applications (IDNA)",
              RFC 3490, March 2003.

   [RFC4013]  Zeilenga, K., "SASLprep: Stringprep Profile for User Names
              and Passwords", RFC 4013, February 2005.

   [RFC4234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 4234, October 2005.

   [RFC4510]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Technical Specification Road Map", RFC 4510, June
              2006.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.

   [RFC4517]  Legg, S., Ed., "Lightweight Directory Access Protocol
              (LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006.

   [X.121]    International numbering plan for public data networks,
              ITU-T Recommendation X.121, 1996.

   [X.509]    The Directory: Authentication Framework, ITU-T
              Recommendation X.509, 1993.

   [X.520]    The Directory: Selected Attribute Types, ITU-T
              Recommendation X.520, 1993.

   [X.521]    The Directory: Selected Object Classes, ITU-T
              Recommendation X.521, 1993.

7.2. Informative References

   [RFC1274]  Barker, P. and S. Kille, "The COSINE and Internet X.500
              Schema", RFC 1274, November 1991.

   [RFC2247]  Kille, S., Wahl, M., Grimstad, A., Huber, R., and S.
              Sataluri, "Using Domains in LDAP/X.500 Distinguished
              Names", RFC 2247, January 1998.

   [RFC2377]  Grimstad, A., Huber, R., Sataluri, S., and M. Wahl,
              "Naming Plan for Internet Directory-Enabled Applications",
              RFC 2377, September 1998.

   [RFC2798]  Smith, M., "Definition of the inetOrgPerson LDAP Object
              Class", RFC 2798, April 2000.

   [RFC4513]  Harrison, R., Ed., "Lightweight Directory Access Protocol
              (LDAP): Authentication Methods and Security Mechanisms",
              RFC 4513, June 2006.

   [RFC4523]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP) Schema Definitions for X.509 Certificates", RFC
              4523, June 2006.

   [RFC4524]  Zeilenga, E., Ed., "COSINE LDAP/X.500 Schema", RFC 4524,
              June 2006.

   [X.500]    ITU-T Recommendations X.500 (1993) | ISO/IEC 9594-1:1994,
              Information Technology - Open Systems Interconnection -
              The Directory: Overview of concepts, models and services.

Appendix A. Changes Made Since RFC 2256

   This appendix lists the changes that have been made from RFC 2256 to
   RFC 4519.

   This appendix is not a normative part of this specification; it is
   provided for informational purposes only.

   1.  Replaced the document title.

   2.  Removed the IESG Note.

   3.  Dependencies on RFC 1274 have been eliminated.

   4.  Added a Security Considerations section and an IANA
       Considerations section.

   5.  Deleted the conformance requirement for subschema object
       classes in favor of a statement in [RFC4517].

   6.  Added explanation to attribute types and to each object class.

   7.  Removed Section 4, Syntaxes, and Section 6, Matching Rules,
       (moved to [RFC4517]).

   8.  Removed the certificate-related attribute types:
       authorityRevocationList, cACertificate,
       certificateRevocationList, crossCertificatePair,
       deltaRevocationList, supportedAlgorithms, and userCertificate.

       Removed the certificate-related Object Classes:
       certificationAuthority, certificationAuthority-V2,
       cRLDistributionPoint, strongAuthenticationUser, and
       userSecurityInformation.

       LDAP PKI is now discussed in [RFC4523].

   9.  Removed the dmdName, knowledgeInformation,
       presentationAddress, protocolInformation, and
       supportedApplicationContext attribute types and the dmd,
       applicationEntity, and dSA object classes.

   10. Deleted the aliasedObjectName and objectClass attribute type
       definitions. Deleted the alias and top object class
       definitions. They are included in [RFC4512].

   11. Added the 'dc' attribute type from RFC 2247, making the
       distinction between 'stored' and 'query' values when preparing
       IDN strings.

   12. Numerous editorial changes.

   13. Removed upper bound after the SYNTAX oid in all attribute
       definitions where it appeared.

   14. Added text about Unicode, SASLprep [RFC4013], and UTF-8 for
       userPassword.

   15. Included definitions, comments and references for 'dcObject'
       and 'uidObject'.

   16. Replaced PKI schema references to use RFC 4523.

   17. Spelt out and referenced ABNF on first usage.

   18. Removed Section 2.4 (Source).
       Replaced the source table with
       explicit references for each definition.

   19. All references to an attribute type or object class are
       enclosed in single quotes.

   20. The layout of attribute type definitions has been changed to
       provide consistency throughout the document:
         > Section Heading
         > Description of Attribute type
         > Multivalued description
         > Source Information
         > Definition
         > Example
         > Additional Comments

       Adding this consistent output included the addition of
       examples to some definitions.

   21. References to alternate names for attributes types are
       provided with a reference to where they were originally
       specified.

   22. Clarification of the description of 'distinguishedName' and
       'name', in regards to these attribute types being supertypes.

   23. Spelt out ISDN on first usage.

   24. Inserted a reference to [RFC4517] for the
       'teletexTerminalIdentifier' definition's SYNTAX OID.

   25. Additional names were added to the IANA Considerations. Names
       include 'commonName', 'dcObject', 'domainComponent', 'GN',
       'localityName', 'organizationName', 'organizationUnitName',
       'surname', 'uidObject' and 'userid'.

   26. Renamed all instances of supercede to supersede.

   27. Moved [F.1], [F.31] and [RFC4013] from informative to
       normative references.

   28. Changed the 'c' definition to be consistent with X.500.
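   The password preparation that Section 2.41 specifies (transcode to
   Unicode, apply SASLprep [RFC4013], encode as UTF-8) and the
   one-of-many comparison against a multi-valued 'userPassword' that
   Section 5 describes, as an added example that is not part of RFC 4519
   or of any LDAP implementation. It uses the RFC 3454 tables shipped in
   Python's standard 'stringprep' module; the password values it compares
   are constructed for the example.

```python
"""Prepare a textual password for the 'userPassword' attribute.

Added example, not code from RFC 4519: it follows the steps RFC 4519
Section 2.41 names (transcode to Unicode, apply SASLprep [RFC4013],
encode as UTF-8) using the RFC 3454 tables that Python's standard
'stringprep' module provides, and compares the result against a
multi-valued 'userPassword' as octet strings (octetStringMatch).
"""
import hmac
import stringprep
import unicodedata


class PasswordPrepError(ValueError):
    """SASLprep rejected the input (prohibited output, bidi rule, unassigned)."""


def saslprep(text: str, stored: bool = True) -> str:
    """Apply the SASLprep profile (RFC 4013) to a Unicode string.

    stored=True treats the string as a stored value, so unassigned code
    points (table A.1) are rejected; stored=False is query mode, where
    RFC 3454 tolerates them.
    """
    # Step 1, mapping: non-ASCII space characters (C.1.2) become U+0020 and
    # "commonly mapped to nothing" characters (B.1, e.g. U+00AD) are dropped.
    mapped = []
    for ch in text:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif not stringprep.in_table_b1(ch):
            mapped.append(ch)
    # Step 2, normalization: NFKC, using the Unicode 3.2 data that
    # stringprep is defined against.
    out = unicodedata.ucd_3_2_0.normalize("NFKC", "".join(mapped))

    # Step 3, prohibited output: the tables listed in RFC 4013 Section 2.3.
    prohibited = (
        stringprep.in_table_c12,  # non-ASCII space characters
        stringprep.in_table_c21,  # ASCII control characters
        stringprep.in_table_c22,  # non-ASCII control characters
        stringprep.in_table_c3,   # private use
        stringprep.in_table_c4,   # non-character code points
        stringprep.in_table_c5,   # surrogate code points
        stringprep.in_table_c6,   # inappropriate for plain text
        stringprep.in_table_c7,   # inappropriate for canonical representation
        stringprep.in_table_c8,   # change display properties or deprecated
        stringprep.in_table_c9,   # tagging characters
    )
    for ch in out:
        if any(check(ch) for check in prohibited):
            raise PasswordPrepError(f"prohibited code point U+{ord(ch):04X}")
        if stored and stringprep.in_table_a1(ch):
            raise PasswordPrepError(f"unassigned code point U+{ord(ch):04X}")

    # Step 4, bidi (RFC 3454 Section 6): if any RandALCat character (D.1)
    # is present, no LCat character (D.2) may be, and the first and last
    # characters must both be RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise PasswordPrepError("RandALCat and LCat characters mixed")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise PasswordPrepError("RandALCat string must start and end with RandALCat")
    return out


def prepare_user_password(password: str) -> bytes:
    """Octet string to store in, or compare against, 'userPassword'."""
    return saslprep(password).encode("utf-8")


def password_matches(candidate: str, stored_values: list) -> bool:
    """Check a candidate against every value of a multi-valued 'userPassword'.

    RFC 4519 Section 5: the user need only prove knowledge of one value.
    Each comparison is octet-string equality, done in constant time.
    A candidate that SASLprep rejects cannot equal any prepared value.
    """
    try:
        candidate_octets = prepare_user_password(candidate)
    except PasswordPrepError:
        return False
    return any(hmac.compare_digest(candidate_octets, v) for v in stored_values)


if __name__ == "__main__":
    # Constructed sample: two values kept valid across a monthly rollover,
    # the situation Section 2.41 gives as a reason for multiple values.
    values = [prepare_user_password("Oct0ber-pass"), prepare_user_password("N0vember-pass")]
    print(password_matches("N0vember-pass", values))   # True
    print(prepare_user_password("I\u00adX"))           # b'IX': soft hyphen dropped
```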

Author's Address

   Andrew Sciberras
   eB2Bcom
   Suite 3, Woodhouse Corporate Centre,
   935 Station Street,
   Box Hill North, Victoria 3129
   AUSTRALIA

   Phone: +61 3 9896 7833
   EMail: andrew.sciberras@eb2bcom.com

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).