Network Working Group M. Wahl
Request for Comments: 2256 Critical Angle Inc.
Category: Standards Track December 1997
A Summary of the X.500(96) User Schema for use with LDAPv3
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1997). All Rights Reserved.
IESG Note
This document describes a directory access protocol that provides
both read and update access. Update access requires secure
authentication, but this document does not mandate implementation of
any satisfactory authentication mechanisms.
In accordance with RFC 2026, section 4.4.1, this specification is
being approved by IESG as a Proposed Standard despite this
limitation, for the following reasons:
a. to encourage implementation and interoperability testing of
these protocols (with or without update access) before they
are deployed, and
b. to encourage deployment and use of these protocols in read-only
applications. (e.g. applications where LDAPv3 is used as
a query language for directories which are updated by some
secure mechanism other than LDAP), and
c. to avoid delaying the advancement and deployment of other Internet
standards-track protocols which require the ability to query, but
not update, LDAPv3 directory servers.
Readers are hereby warned that until mandatory authentication
mechanisms are standardized, clients and servers written according to
this specification which make use of update functionality are
UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
Wahl Standards Track [Page 1]
RFC 2256 LDAPv3 Schema December 1997
Implementors are hereby discouraged from deploying LDAPv3 clients or
servers which implement the update functionality, until a Proposed
Standard for mandatory authentication in LDAPv3 has been approved and
published as an RFC.
This document provides an overview of the attribute types and object
classes defined by the ISO and ITU-T committees in the X.500
documents, in particular those intended for use by directory clients.
This is the most widely used schema for LDAP/X.500 directories, and
many other schema definitions for white pages objects use it as a
basis. This document does not cover attributes used for the
administration of X.500 directory servers, nor does it include
attributes defined by other ISO/ITU-T documents.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [6].
This document references syntaxes given in section 6 of this document
and section 6 of [1]. Matching rules are listed in section 8 of this
document and section 8 of [1].
The attribute type and object class definitions are written using the
BNF form of AttributeTypeDescription and ObjectClassDescription given
in [1]. Lines have been folded for readability.
The schema definitions in this document are based on those found in
X.500 [2],[3],[4],[5], and updates to these documents, specifically:
Sections Source
============ ============
5.1 - 5.2 X.501(93)
5.3 - 5.36 X.520(88)
5.37 - 5.41 X.509(93)
5.42 - 5.52 X.520(93)
5.53 - 5.54 X.509(96)
5.55 X.520(96)
6.1RFC 12746.2 (new syntax)
6.3 - 6.6 RFC 12747.1 - 7.2 X.501(93)
7.3 - 7.18 X.521(93)
Wahl Standards Track [Page 2]
RFC 2256 LDAPv3 Schema December 1997
7.19 - 7.21 X.509(96)
7.22 X.521(96)
Some attribute names are different from those found in X.520(93).
Three new attributes supportedAlgorithms, deltaRevocationList and
dmdName, and the objectClass dmd, are defined in the X.500(96)
documents.
The values of the objectClass attribute describe the kind of object
which an entry represents. The objectClass attribute is present in
every entry, with at least two values. One of the values is either
"top" or "alias".
( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
The aliasedObjectName attribute is used by the directory service if
the entry containing this attribute is an alias.
( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
This is the X.500 commonName attribute, which contains a name of an
object. If the object corresponds to a person, it is typically the
person's full name.
( 2.5.4.3 NAME 'cn' SUP name )
Wahl Standards Track [Page 3]
RFC 2256 LDAPv3 Schema December 1997
This attribute contains the serial number of a device.
( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
This attribute contains the physical address of the object to which
the entry corresponds, such as an address for package delivery
(streetAddress).
( 2.5.4.9 NAME 'street' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
Wahl Standards Track [Page 4]
RFC 2256 LDAPv3 Schema December 1997
This attribute contains the title, such as "Vice President", of a
person in their organizational context. The "personalTitle"
attribute would be used for a person's title independent of their job
function.
( 2.5.4.12 NAME 'title' SUP name )
This attribute contains a human-readable description of the object.
( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
This attribute is for use by X.500 clients in constructing search
filters. It is obsoleted by enhancedSearchGuide, described below in
5.48.
( 2.5.4.14 NAME 'searchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
This attribute describes the kind of business performed by an
organization.
( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
Wahl Standards Track [Page 5]
RFC 2256 LDAPv3 Schema December 1997
This attribute holds a postal address suitable for reception of
telegrams or expedited documents, where it is necessary to have the
recipient accept delivery.
( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
This attribute is used for the telegram service.
( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
This attribute contains the identifiers of OSI application contexts.
( 2.5.4.30 NAME 'supportedApplicationContext'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords are strongly discouraged
where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to
unauthorized parties.
This attribute is to be stored and requested in the binary form, as
'userCertificate;binary'.
( 2.5.4.36 NAME 'userCertificate'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
This attribute is to be stored and requested in the binary form, as
'cACertificate;binary'.
Wahl Standards Track [Page 8]
RFC 2256 LDAPv3 Schema December 1997
( 2.5.4.37 NAME 'cACertificate'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
This attribute is to be stored and requested in the binary form, as
'authorityRevocationList;binary'.
( 2.5.4.38 NAME 'authorityRevocationList'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
This attribute is to be stored and requested in the binary form, as
'certificateRevocationList;binary'.
( 2.5.4.39 NAME 'certificateRevocationList'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
This attribute is to be stored and requested in the binary form, as
'crossCertificatePair;binary'.
( 2.5.4.40 NAME 'crossCertificatePair'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
The name attribute type is the attribute supertype from which string
attribute types typically used for naming may be formed. It is
unlikely that values of this type itself will occur in an entry. LDAP
server implementations which do not support attribute subtyping need
not recognize this attribute in requests. Client implementations
MUST NOT assume that LDAP servers are capable of performing attribute
subtyping.
( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
The givenName attribute is used to hold the part of a person's name
which is not their surname nor middle name.
( 2.5.4.42 NAME 'givenName' SUP name )
Wahl Standards Track [Page 9]
RFC 2256 LDAPv3 Schema December 1997
The generationQualifier attribute contains the part of the name which
typically is the suffix, as in "IIIrd".
( 2.5.4.44 NAME 'generationQualifier' SUP name )
The x500UniqueIdentifier attribute is used to distinguish between
objects when a distinguished name has been reused. This is a
different attribute type from both the "uid" and "uniqueIdentifier"
types.
( 2.5.4.45 NAME 'x500UniqueIdentifier' EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
The dnQualifier attribute type specifies disambiguating information
to add to the relative distinguished name of an entry. It is
intended for use when merging data from multiple sources in order to
prevent conflicts between entries which would otherwise have the same
name. It is recommended that the value of the dnQualifier attribute
be the same for all entries from a particular source.
( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
This attribute is for use by X.500 clients in constructing search
filters.
( 2.5.4.47 NAME 'enhancedSearchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
Wahl Standards Track [Page 10]
RFC 2256 LDAPv3 Schema December 1997
This attribute is used in conjunction with the presentationAddress
attribute, to provide additional information to the OSI network
service.
( 2.5.4.48 NAME 'protocolInformation'
EQUALITY protocolInformationMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
This attribute type is not used as the name of the object itself, but
it is instead a base type from which attributes with DN syntax
inherit.
It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations which do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
This attribute is used to identify a building within a location.
( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
This attribute is to be stored and requested in the binary form, as
'supportedAlgorithms;binary'.
( 2.5.4.52 NAME 'supportedAlgorithms'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
Wahl Standards Track [Page 11]
RFC 2256 LDAPv3 Schema December 1997
This attribute is to be stored and requested in the binary form, as
'deltaRevocationList;binary'.
( 2.5.4.53 NAME 'deltaRevocationList'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
The value of this attribute specifies a directory management domain
(DMD), the administrative authority which operates the directory
server.
( 2.5.4.54 NAME 'dmdName' SUP name )
Servers SHOULD recognize the syntaxes defined in this section. Each
syntax begins with a sample value of the ldapSyntaxes attribute which
defines the OBJECT IDENTIFIER of the syntax. The descriptions of
syntax names are not carried in protocol, and are not guaranteed to
be unique.
( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' )
Values in this syntax are encoded according to the following BNF:
EnhancedGuide = woid whsp "#" whsp criteria whsp "#" whsp subset
subset = "baseobject" / "oneLevel" / "wholeSubtree"
Wahl Standards Track [Page 12]
RFC 2256 LDAPv3 Schema December 1997
The criteria production is defined in the Guide syntax below. This
syntax has been added subsequent to RFC 1778.
Example:
person#(sn)#oneLevel
( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' )
Values in this syntax are encoded according to the following BNF:
teletex-id = ttx-term 0*("$" ttx-param)
ttx-term = printablestring
Wahl Standards Track [Page 13]
RFC 2256 LDAPv3 Schema December 1997
ttx-param = ttx-key ":" ttx-value
ttx-key = "graphic" / "control" / "misc" / "page" / "private"
ttx-value = octetstring
In the above, the first printablestring is the encoding of the first
portion of the teletex terminal identifier to be encoded, and the
subsequent 0 or more octetstrings are subsequent portions of the
teletex terminal identifier.
( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )
Values in this syntax are encoded according to the following BNF:
telex-number = actual-number "$" country "$" answerback
actual-number = printablestring
country = printablestring
answerback = printablestring
In the above, actual-number is the syntactic representation of the
number portion of the TELEX number being encoded, country is the
TELEX country code, and answerback is the answerback code of a TELEX
terminal.
( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' )
No printable representation of values of the supportedAlgorithms
attribute is defined in this document. Clients which wish to store
and retrieve this attribute MUST use "supportedAlgorithms;binary", in
which the value is transferred as a binary encoding.
LDAP servers MUST recognize the object classes "top" and "subschema".
LDAP servers SHOULD recognize all the other object classes listed
here as values of the objectClass attribute.
( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL
MUST ( presentationAddress $ cn )
MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
description ) )
( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY
MUST ( authorityRevocationList $ certificateRevocationList $
cACertificate ) MAY crossCertificatePair )
( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL
MUST ( cn ) MAY ( certificateRevocationList $
authorityRevocationList $
deltaRevocationList ) )
Servers which implement the extensibleMatch filter SHOULD allow the
matching rule listed in this section to be used in the
extensibleMatch. In general these servers SHOULD allow matching
rules to be used with all attribute types known to the server, when
the assertion syntax of the matching rule is the same as the value
syntax of the attribute.
( 2.5.13.17 NAME 'octetStringMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations or devices. Most countries have privacy laws
regarding the publication of information about people.
Transfer of cleartext passwords are strongly discouraged where the
underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties.
The definitions on which this document have been developed by
committees for telecommunications and international standards. No
new attribute definitions have been added. The syntax definitions
are based on the ISODE "QUIPU" implementation of X.500.
Copyright (C) The Internet Society (1997). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Wahl Standards Track [Page 20]