Network Working Group A. Sciberras, Ed.
Request for Comments: 4519 eB2Bcom
Obsoletes: 2256 June 2006
Updates: 2247, 2798, 2377
Category: Standards Track
Lightweight Directory Access Protocol (LDAP):
Schema for User Applications
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document is an integral part of the Lightweight Directory Access
Protocol (LDAP) technical specification. It provides a technical
specification of attribute types and object classes intended for use
by LDAP directory clients for many directory services, such as White
Pages. These objects are widely used as a basis for the schema in
many LDAP directories. This document does not cover attributes used
for the administration of directory servers, nor does it include
directory objects defined for specific uses in other documents.
Sciberras Standards Track [Page 1]
�
RFC 4519 LDAP: Schema for User Applications June 2006
Table of Contents
1. Introduction ....................................................3
1.1. Relationship with Other Specifications .....................3
1.2. Conventions ................................................4
1.3. General Issues .............................................4
2. Attribute Types .................................................4
2.1. 'businessCategory' .........................................5
2.2. 'c' ........................................................5
2.3. 'cn' .......................................................5
2.4. 'dc' .......................................................6
2.5. 'description' ..............................................6
2.6. 'destinationIndicator' .....................................7
2.7. 'distinguishedName' ........................................7
2.8. 'dnQualifier' ..............................................8
2.9. 'enhancedSearchGuide' ......................................8
2.10. 'facsimileTelephoneNumber' ................................9
2.11. 'generationQualifier' .....................................9
2.12. 'givenName' ...............................................9
2.13. 'houseIdentifier' .........................................9
2.14. 'initials' ...............................................10
2.15. 'internationalISDNNumber' ................................10
2.16. 'l' ......................................................10
2.17. 'member' .................................................11
2.18. 'name' ...................................................11
2.19. 'o' ......................................................11
2.20. 'ou' .....................................................12
2.21. 'owner' ..................................................12
2.22. 'physicalDeliveryOfficeName' .............................12
2.23. 'postalAddress' ..........................................13
2.24. 'postalCode' .............................................13
2.25. 'postOfficeBox' ..........................................14
2.26. 'preferredDeliveryMethod' ................................14
2.27. 'registeredAddress' ......................................14
2.28. 'roleOccupant' ...........................................15
2.29. 'searchGuide' ............................................15
2.30. 'seeAlso' ................................................15
2.31. 'serialNumber' ...........................................16
2.32. 'sn' .....................................................16
2.33. 'st' .....................................................16
2.34. 'street' .................................................17
2.35. 'telephoneNumber' ........................................17
2.36. 'teletexTerminalIdentifier' ..............................17
2.37. 'telexNumber' ............................................18
2.38. 'title' ..................................................18
2.39. 'uid' ....................................................18
2.40. 'uniqueMember' ...........................................19
2.41. 'userPassword' ...........................................19
Sciberras Standards Track [Page 2]
�
RFC 4519 LDAP: Schema for User Applications June 2006
2.42. 'x121Address' ............................................20
2.43. 'x500UniqueIdentifier' ...................................20
3. Object Classes .................................................20
3.1. 'applicationProcess' ......................................21
3.2. 'country' .................................................21
3.3. 'dcObject' ................................................21
3.4. 'device' ..................................................21
3.5. 'groupOfNames' ............................................22
3.6. 'groupOfUniqueNames' ......................................22
3.7. 'locality' ................................................23
3.8. 'organization' ............................................23
3.9. 'organizationalPerson' ....................................24
3.10. 'organizationalRole' .....................................24
3.11. 'organizationalUnit' .....................................24
3.12. 'person' .................................................25
3.13. 'residentialPerson' ......................................25
3.14. 'uidObject' ..............................................26
4. IANA Considerations ............................................26
5. Security Considerations ........................................28
6. Acknowledgements ...............................................28
7. References .....................................................29
7.1. Normative References ......................................29
7.2. Informative References ....................................30
Appendix A Changes Made Since RFC 2256 ...........................32
1. Introduction
This document provides an overview of attribute types and object
classes intended for use by Lightweight Directory Access Protocol
(LDAP) directory clients for many directory services, such as White
Pages. Originally specified in the X.500 [X.500] documents, these
objects are widely used as a basis for the schema in many LDAP
directories. This document does not cover attributes used for the
administration of directory servers, nor does it include directory
objects defined for specific uses in other documents.
1.1. Relationship with Other Specifications
This document is an integral part of the LDAP technical specification
[RFC4510], which obsoletes the previously defined LDAP technical
specification, RFC 3377, in its entirety. In terms of RFC 2256,
Sections 6 and 8 of RFC 2256 are obsoleted by [RFC4517]. Sections
5.1, 5.2, 7.1, and 7.2 of RFC 2256 are obsoleted by [RFC4512]. The
remainder of RFC 2256 is obsoleted by this document. The technical
specification for the 'dc' attribute type and 'dcObject' object class
found in RFC 2247 are superseded by sections 2.4 and 3.3 of this
document. The remainder of RFC 2247 remains in force.
Sciberras Standards Track [Page 3]
�
RFC 4519 LDAP: Schema for User Applications June 2006
This document updates RFC 2798 by replacing the informative
description of the 'uid' attribute type with the definitive
description provided in Section 2.39 of this document.
This document updates RFC 2377 by replacing the informative
description of the 'uidObject' object class with the definitive
description provided in Section 3.14 of this document.
A number of schema elements that were included in the previous
revision of the LDAP Technical Specification are not included in this
revision of LDAP. PKI-related schema elements are now specified in
[RFC4523]. Unless reintroduced in future technical specifications,
the remainder are to be considered Historic.
The descriptions in this document SHALL be considered definitive for
use in LDAP.
1.2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
1.3. General Issues
This document references Syntaxes defined in Section 3 of [RFC4517]
and Matching Rules defined in Section 4 of [RFC4517].
The definitions of Attribute Types and Object Classes are written
using the Augmented Backus-Naur Form (ABNF) [RFC4234] of
AttributeTypeDescription and ObjectClassDescription given in
[RFC4512]. Lines have been folded for readability. When such values
are transferred as attribute values in the LDAP Protocol, the values
will not contain line breaks.
2. Attribute Types
The attribute types contained in this section hold user information.
There is no requirement that servers implement the 'searchGuide' and
'teletexTerminalIdentifier' attribute types. In fact, their use is
greatly discouraged.
An LDAP server implementation SHOULD recognize the rest of the
attribute types described in this section.
Sciberras Standards Track [Page 4]
�
RFC 4519 LDAP: Schema for User Applications June 2006
2.1. 'businessCategory'
The 'businessCategory' attribute type describes the kinds of business
performed by an organization. Each kind is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.15 NAME 'businessCategory'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
Examples: "banking", "transportation", and "real estate".
2.2. 'c'
The 'c' ('countryName' in X.500) attribute type contains a two-letter
ISO 3166 [ISO3166] country code.
(Source: X.520 [X.520])
( 2.5.4.6 NAME 'c'
SUP name
SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
SINGLE-VALUE )
1.3.6.1.4.1.1466.115.121.1.11 refers to the Country String syntax
[RFC4517].
Examples: "DE", "AU" and "FR".
2.3. 'cn'
The 'cn' ('commonName' in X.500) attribute type contains names of an
object. Each name is one value of this multi-valued attribute. If
the object corresponds to a person, it is typically the person's full
name.
(Source: X.520 [X.520])
( 2.5.4.3 NAME 'cn'
SUP name )
Examples: "Martin K Smith", "Marty Smith" and "printer12".
Sciberras Standards Track [Page 5]
�
RFC 4519 LDAP: Schema for User Applications June 2006
2.4. 'dc'
The 'dc' ('domainComponent' in RFC 1274) attribute type is a string
holding one component, a label, of a DNS domain name
[RFC1034][RFC2181] naming a host [RFC1123]. That is, a value of this
attribute is a string of ASCII characters adhering to the following
ABNF [RFC4234]:
label = (ALPHA / DIGIT) [*61(ALPHA / DIGIT / HYPHEN) (ALPHA / DIGIT)]
ALPHA = %x41-5A / %x61-7A ; "A"-"Z" / "a"-"z"
DIGIT = %x30-39 ; "0"-"9"
HYPHEN = %x2D ; hyphen ("-")
The encoding of IA5String for use in LDAP is simply the characters of
the ASCII label. The equality matching rule is case insensitive, as
is today's DNS. (Source: RFC 2247 [RFC2247] and RFC 1274 [RFC 1274])
( 0.9.2342.19200300.100.1.25 NAME 'dc'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
1.3.6.1.4.1.1466.115.121.1.26 refers to the IA5 String syntax
[RFC4517].
Examples: Valid values include "example" and "com" but not
"example.com". The latter is invalid as it contains multiple domain
components.
It is noted that the directory service will not ensure that values of
this attribute conform to the host label restrictions [RFC1123]
illustrated by the production provided above. It is the
directory client's responsibility to ensure that the labels it stores
in this attribute are appropriately restricted.
Directory applications supporting International Domain Names SHALL
use the ToASCII method [RFC3490] to produce the domain component
label. The special considerations discussed in Section 4 of RFC 3490
[RFC3490] should be taken, depending on whether the domain component
is used for "stored" or "query" purposes.
2.5. 'description'
The 'description' attribute type contains human-readable descriptive
phrases about the object. Each description is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
Sciberras Standards Track [Page 6]
�
RFC 4519 LDAP: Schema for User Applications June 2006
( 2.5.4.13 NAME 'description'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
Examples: "a color printer", "Maintenance is done every Monday, at
1pm.", and "distribution list for all technical staff".
2.6. 'destinationIndicator'
The 'destinationIndicator' attribute type contains country and city
strings associated with the object (the addressee) needed to provide
the Public Telegram Service. The strings are composed in accordance
with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is
one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.27 NAME 'destinationIndicator'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax
[RFC4517].
Examples: "AASD" as a destination indicator for Sydney, Australia.
"GBLD" as a destination indicator for London, United
Kingdom.
It is noted that the directory will not ensure that values of this
attribute conform to the F.1 and F.31 CCITT Recommendations. It is
the application's responsibility to ensure destination indicators
that it stores in this attribute are appropriately constructed.
2.7. 'distinguishedName'
The 'distinguishedName' attribute type is not used as the name of the
object itself, but it is instead a base type from which some user
attribute types with a DN syntax can inherit.
It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations that do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
Sciberras Standards Track [Page 7]
�
RFC 4519 LDAP: Schema for User Applications June 2006
(Source: X.520 [X.520])
( 2.5.4.49 NAME 'distinguishedName'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
1.3.6.1.4.1.1466.115.121.1.12 refers to the DN syntax [RFC4517].
2.8. 'dnQualifier'
The 'dnQualifier' attribute type contains disambiguating information
strings to add to the relative distinguished name of an entry. The
information is intended for use when merging data from multiple
sources in order to prevent conflicts between entries that would
otherwise have the same name. Each string is one value of this
multi-valued attribute. It is recommended that a value of the
'dnQualifier' attribute be the same for all entries from a particular
source.
(Source: X.520 [X.520])
( 2.5.4.46 NAME 'dnQualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax
[RFC4517].
Examples: "20050322123345Z" - timestamps can be used to disambiguate
information.
"123456A" - serial numbers can be used to disambiguate
information.
2.9. 'enhancedSearchGuide'
The 'enhancedSearchGuide' attribute type contains sets of information
for use by directory clients in constructing search filters. Each
set is one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.47 NAME 'enhancedSearchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
1.3.6.1.4.1.1466.115.121.1.21 refers to the Enhanced Guide syntax
[RFC4517].
Sciberras Standards Track [Page 8]
�
RFC 4519 LDAP: Schema for User Applications June 2006
Examples: "person#(sn$APPROX)#wholeSubtree" and
"organizationalUnit#(ou$SUBSTR)#oneLevel".
2.10. 'facsimileTelephoneNumber'
The 'facsimileTelephoneNumber' attribute type contains telephone
numbers (and, optionally, the parameters) for facsimile terminals.
Each telephone number is one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.23 NAME 'facsimileTelephoneNumber'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
1.3.6.1.4.1.1466.115.121.1.22 refers to the Facsimile Telephone
Number syntax [RFC4517].
Examples: "+61 3 9896 7801" and "+81 3 347 7418$fineResolution".
2.11. 'generationQualifier'
The 'generationQualifier' attribute type contains name strings that
are typically the suffix part of a person's name. Each string is one
value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.44 NAME 'generationQualifier'
SUP name )
Examples: "III", "3rd", and "Jr.".
2.12. 'givenName'
The 'givenName' attribute type contains name strings that are the
part of a person's name that is not their surname. Each string is
one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.42 NAME 'givenName'
SUP name )
Examples: "Andrew", "Charles", and "Joanne".
2.13. 'houseIdentifier'
The 'houseIdentifier' attribute type contains identifiers for a
building within a location. Each identifier is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
Sciberras Standards Track [Page 9]
�
RFC 4519 LDAP: Schema for User Applications June 2006
( 2.5.4.51 NAME 'houseIdentifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
Example: "20" to represent the house number 20.
2.14. 'initials'
The 'initials' attribute type contains strings of initials of some or
all of an individual's names, except the surname(s). Each string is
one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.43 NAME 'initials'
SUP name )
Examples: "K. A." and "K".
2.15. 'internationalISDNNumber'
The 'internationalISDNNumber' attribute type contains Integrated
Services Digital Network (ISDN) addresses, as defined in the
International Telecommunication Union (ITU) Recommendation E.164
[E.164]. Each address is one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.25 NAME 'internationalISDNNumber'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax
[RFC4517].
Example: "0198 333 333".
2.16. 'l'
The 'l' ('localityName' in X.500) attribute type contains names of a
locality or place, such as a city, county, or other geographic
region. Each name is one value of this multi-valued attribute.
(Source: X.520 [X.520])
Sciberras Standards Track [Page 10]
�
RFC 4519 LDAP: Schema for User Applications June 2006
( 2.5.4.7 NAME 'l'
SUP name )
Examples: "Geneva", "Paris", and "Edinburgh".
2.17. 'member'
The 'member' attribute type contains the distinguished names of
objects that are on a list or in a group. Each name is one value of
this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.31 NAME 'member'
SUP distinguishedName )
Examples: "cn=James Clarke,ou=Finance,o=Widget\, Inc." and
"cn=John Xerri,ou=Finance,o=Widget\, Inc." may
be two members of the financial team (group) at Widget,
Inc., in which case, both of these distinguished names
would be present as individual values of the member
attribute.
2.18. 'name'
The 'name' attribute type is the attribute supertype from which user
attribute types with the name syntax inherit. Such attribute types
are typically used for naming. The attribute type is multi-valued.
It is unlikely that values of this type itself will occur in an
entry. LDAP server implementations that do not support attribute
subtyping need not recognize this attribute in requests. Client
implementations MUST NOT assume that LDAP servers are capable of
performing attribute subtyping.
(Source: X.520 [X.520])
( 2.5.4.41 NAME 'name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
2.19. 'o'
The 'o' ('organizationName' in X.500) attribute type contains the
names of an organization. Each name is one value of this
multi-valued attribute.
Sciberras Standards Track [Page 11]
�
RFC 4519 LDAP: Schema for User Applications June 2006
(Source: X.520 [X.520])
( 2.5.4.10 NAME 'o'
SUP name )
Examples: "Widget", "Widget, Inc.", and "Widget, Incorporated.".
2.20. 'ou'
The 'ou' ('organizationalUnitName' in X.500) attribute type contains
the names of an organizational unit. Each name is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.11 NAME 'ou'
SUP name )
Examples: "Finance", "Human Resources", and "Research and
Development".
2.21. 'owner'
The 'owner' attribute type contains the distinguished names of
objects that have an ownership responsibility for the object that is
owned. Each owner's name is one value of this multi-valued
attribute.
(Source: X.520 [X.520])
( 2.5.4.32 NAME 'owner'
SUP distinguishedName )
Example: The mailing list object, whose DN is "cn=All Employees,
ou=Mailing List,o=Widget\, Inc.", is owned by the Human
Resources Director.
Therefore, the value of the 'owner' attribute within the
mailing list object, would be the DN of the director (role):
"cn=Human Resources Director,ou=employee,o=Widget\, Inc.".
2.22. 'physicalDeliveryOfficeName'
The 'physicalDeliveryOfficeName' attribute type contains names that a
Postal Service uses to identify a post office.
(Source: X.520 [X.520])
Sciberras Standards Track [Page 12]
�
RFC 4519 LDAP: Schema for User Applications June 2006
( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
Examples: "Bremerhaven, Main" and "Bremerhaven, Bonnstrasse".
2.23. 'postalAddress'
The 'postalAddress' attribute type contains addresses used by a
Postal Service to perform services for the object. Each address is
one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.16 NAME 'postalAddress'
EQUALITY caseIgnoreListMatch
SUBSTR caseIgnoreListSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax
[RFC4517].
Example: "15 Main St.$Ottawa$Canada".
2.24. 'postalCode'
The 'postalCode' attribute type contains codes used by a Postal
Service to identify postal service zones. Each code is one value of
this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.17 NAME 'postalCode'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
Example: "22180", to identify Vienna, VA, in the USA.
Sciberras Standards Track [Page 13]
�
RFC 4519 LDAP: Schema for User Applications June 2006
2.25. 'postOfficeBox'
The 'postOfficeBox' attribute type contains postal box identifiers
that a Postal Service uses when a customer arranges to receive mail
at a box on the premises of the Postal Service. Each postal box
identifier is a single value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.18 NAME 'postOfficeBox'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
Example: "Box 45".
2.26. 'preferredDeliveryMethod'
The 'preferredDeliveryMethod' attribute type contains an indication
of the preferred method of getting a message to the object.
(Source: X.520 [X.520])
( 2.5.4.28 NAME 'preferredDeliveryMethod'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
SINGLE-VALUE )
1.3.6.1.4.1.1466.115.121.1.14 refers to the Delivery Method syntax
[RFC4517].
Example: If the mhs-delivery Delivery Method is preferred over
telephone-delivery, which is preferred over all other
methods, the value would be: "mhs $ telephone".
2.27. 'registeredAddress'
The 'registeredAddress' attribute type contains postal addresses
suitable for reception of telegrams or expedited documents, where it
is necessary to have the recipient accept delivery. Each address is
one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.26 NAME 'registeredAddress'
SUP postalAddress
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
Sciberras Standards Track [Page 14]
�
RFC 4519 LDAP: Schema for User Applications June 2006
1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax
[RFC4517].
Example: "Receptionist$Widget, Inc.$15 Main St.$Ottawa$Canada".
2.28. 'roleOccupant'
The 'roleOccupant' attribute type contains the distinguished names of
objects (normally people) that fulfill the responsibilities of a role
object. Each distinguished name is one value of this multi-valued
attribute.
(Source: X.520 [X.520])
( 2.5.4.33 NAME 'roleOccupant'
SUP distinguishedName )
Example: The role object, "cn=Human Resources
Director,ou=Position,o=Widget\, Inc.", is fulfilled by two
people whose object names are "cn=Mary
Smith,ou=employee,o=Widget\, Inc." and "cn=James
Brown,ou=employee,o=Widget\, Inc.". The 'roleOccupant'
attribute will contain both of these distinguished names,
since they are the occupants of this role.
2.29. 'searchGuide'
The 'searchGuide' attribute type contains sets of information for use
by clients in constructing search filters. It is superseded by
'enhancedSearchGuide', described above in Section 2.9. Each set is
one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.14 NAME 'searchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
1.3.6.1.4.1.1466.115.121.1.25 refers to the Guide syntax [RFC4517].
Example: "person#sn$EQ".
2.30. 'seeAlso'
The 'seeAlso' attribute type contains the distinguished names of
objects that are related to the subject object. Each related object
name is one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.34 NAME 'seeAlso'
SUP distinguishedName )
Sciberras Standards Track [Page 15]
�
RFC 4519 LDAP: Schema for User Applications June 2006
Example: The person object "cn=James Brown,ou=employee,o=Widget\,
Inc." is related to the role objects "cn=Football Team
Captain,ou=sponsored activities,o=Widget\, Inc." and
"cn=Chess Team,ou=sponsored activities,o=Widget\, Inc.".
Since the role objects are related to the person object, the
'seeAlso' attribute will contain the distinguished name of
each role object as separate values.
2.31. 'serialNumber'
The 'serialNumber' attribute type contains the serial numbers of
devices. Each serial number is one value of this multi-valued
attribute.
(Source: X.520 [X.520])
( 2.5.4.5 NAME 'serialNumber'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax
[RFC4517].
Examples: "WI-3005" and "XF551426".
2.32. 'sn'
The 'sn' ('surname' in X.500) attribute type contains name strings
for the family names of a person. Each string is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.4 NAME 'sn'
SUP name )
Example: "Smith".
2.33. 'st'
The 'st' ('stateOrProvinceName' in X.500) attribute type contains the
full names of states or provinces. Each name is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.8 NAME 'st'
SUP name )
Example: "California".
Sciberras Standards Track [Page 16]
�
RFC 4519 LDAP: Schema for User Applications June 2006
2.34. 'street'
The 'street' ('streetAddress' in X.500) attribute type contains site
information from a postal address (i.e., the street name, place,
avenue, and the house number). Each street is one value of this
multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.9 NAME 'street'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
Example: "15 Main St.".
2.35. 'telephoneNumber'
The 'telephoneNumber' attribute type contains telephone numbers that
comply with the ITU Recommendation E.123 [E.123]. Each number is one
value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.20 NAME 'telephoneNumber'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
1.3.6.1.4.1.1466.115.121.1.50 refers to the Telephone Number syntax
[RFC4517].
Example: "+1 234 567 8901".
2.36. 'teletexTerminalIdentifier'
The withdrawal of Recommendation F.200 has resulted in the withdrawal
of this attribute.
(Source: X.520 [X.520])
( 2.5.4.22 NAME 'teletexTerminalIdentifier'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
1.3.6.1.4.1.1466.115.121.1.51 refers to the Teletex Terminal
Identifier syntax [RFC4517].
Sciberras Standards Track [Page 17]
�
RFC 4519 LDAP: Schema for User Applications June 2006
2.37. 'telexNumber'
The 'telexNumber' attribute type contains sets of strings that are a
telex number, country code, and answerback code of a telex terminal.
Each set is one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.21 NAME 'telexNumber'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
1.3.6.1.4.1.1466.115.121.1.52 refers to the Telex Number syntax
[RFC4517].
Example: "12345$023$ABCDE".
2.38. 'title'
The 'title' attribute type contains the title of a person in their
organizational context. Each title is one value of this multi-valued
attribute.
(Source: X.520 [X.520])
( 2.5.4.12 NAME 'title'
SUP name )
Examples: "Vice President", "Software Engineer", and "CEO".
2.39. 'uid'
The 'uid' ('userid' in RFC 1274) attribute type contains computer
system login names associated with the object. Each name is one
value of this multi-valued attribute.
(Source: RFC 2798 [RFC2798] and RFC 1274 [RFC1274])
( 0.9.2342.19200300.100.1.1 NAME 'uid'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
[RFC4517].
Examples: "s9709015", "admin", and "Administrator".
Sciberras Standards Track [Page 18]
�
RFC 4519 LDAP: Schema for User Applications June 2006
2.40. 'uniqueMember'
The 'uniqueMember' attribute type contains the distinguished names of
an object that is on a list or in a group, where the relative
distinguished names of the object include a value that distinguishes
between objects when a distinguished name has been reused. Each
distinguished name is one value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.50 NAME 'uniqueMember'
EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
1.3.6.1.4.1.1466.115.121.1.34 refers to the Name and Optional UID
syntax [RFC4517].
Example: If "ou=1st Battalion,o=Defense,c=US" is a battalion that was
disbanded, establishing a new battalion with the "same" name
would have a unique identifier value added, resulting in
"ou=1st Battalion, o=Defense,c=US#'010101'B".
2.41. 'userPassword'
The 'userPassword' attribute contains octet strings that are known
only to the user and the system to which the user has access. Each
string is one value of this multi-valued attribute.
The application SHOULD prepare textual strings used as passwords by
transcoding them to Unicode, applying SASLprep [RFC4013], and
encoding as UTF-8. The determination of whether a password is
textual is a local client matter.
(Source: X.509 [X.509])
( 2.5.4.35 NAME 'userPassword'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String syntax
[RFC4517].
Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to
unauthorized parties.
An example of a need for multiple values in the 'userPassword'
attribute is an environment where every month the user is expected to
Sciberras Standards Track [Page 19]
�
RFC 4519 LDAP: Schema for User Applications June 2006
use a different password generated by some automated system. During
transitional periods, like the last and first day of the periods, it
may be necessary to allow two passwords for the two consecutive
periods to be valid in the system.
2.42. 'x121Address'
The 'x121Address' attribute type contains data network addresses as
defined by ITU Recommendation X.121 [X.121]. Each address is one
value of this multi-valued attribute.
(Source: X.520 [X.520])
( 2.5.4.24 NAME 'x121Address'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax
[RFC4517].
Example: "36111222333444555".
2.43. 'x500UniqueIdentifier'
The 'x500UniqueIdentifier' attribute type contains binary strings
that are used to distinguish between objects when a distinguished
name has been reused. Each string is one value of this multi-valued
attribute.
In X.520 [X.520], this attribute type is called 'uniqueIdentifier'.
This is a different attribute type from both the 'uid' and
'uniqueIdentifier' LDAP attribute types. The 'uniqueIdentifier'
attribute type is defined in [RFC4524].
(Source: X.520 [X.520])
( 2.5.4.45 NAME 'x500UniqueIdentifier'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
1.3.6.1.4.1.1466.115.121.1.6 refers to the Bit String syntax
[RFC4517].
3. Object Classes
LDAP servers SHOULD recognize all the Object Classes listed here as
values of the 'objectClass' attribute (see [RFC4512]).
Sciberras Standards Track [Page 20]
�
RFC 4519 LDAP: Schema for User Applications June 2006
3.1. 'applicationProcess'
The 'applicationProcess' object class definition is the basis of an
entry that represents an application executing in a computer system.
(Source: X.521 [X.521])
( 2.5.6.11 NAME 'applicationProcess'
SUP top
STRUCTURAL
MUST cn
MAY ( seeAlso $
ou $
l $
description ) )
3.2. 'country'
The 'country' object class definition is the basis of an entry that
represents a country.
(Source: X.521 [X.521])
( 2.5.6.2 NAME 'country'
SUP top
STRUCTURAL
MUST c
MAY ( searchGuide $
description ) )
3.3. 'dcObject'
The 'dcObject' object class permits an entry to contains domain
component information. This object class is defined as auxiliary,
because it will be used in conjunction with an existing structural
object class.
(Source: RFC 2247 [RFC2247])
( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
SUP top
AUXILIARY
MUST dc )
3.4. 'device'
The 'device' object class is the basis of an entry that represents an
appliance, computer, or network element.
(Source: X.521 [X.521])
Sciberras Standards Track [Page 21]
�
RFC 4519 LDAP: Schema for User Applications June 2006
( 2.5.6.14 NAME 'device'
SUP top
STRUCTURAL
MUST cn
MAY ( serialNumber $
seeAlso $
owner $
ou $
o $
l $
description ) )
3.5. 'groupOfNames'
The 'groupOfNames' object class is the basis of an entry that
represents a set of named objects including information related to
the purpose or maintenance of the set.
(Source: X.521 [X.521])
( 2.5.6.9 NAME 'groupOfNames'
SUP top
STRUCTURAL
MUST ( member $
cn )
MAY ( businessCategory $
seeAlso $
owner $
ou $
o $
description ) )
3.6. 'groupOfUniqueNames'
The 'groupOfUniqueNames' object class is the same as the
'groupOfNames' object class except that the object names are not
repeated or reassigned within a set scope.
(Source: X.521 [X.521])
Sciberras Standards Track [Page 22]
�
RFC 4519 LDAP: Schema for User Applications June 2006
( 2.5.6.17 NAME 'groupOfUniqueNames'
SUP top
STRUCTURAL
MUST ( uniqueMember $
cn )
MAY ( businessCategory $
seeAlso $
owner $
ou $
o $
description ) )
3.7. 'locality'
The 'locality' object class is the basis of an entry that represents
a place in the physical world.
(Source: X.521 [X.521])
( 2.5.6.3 NAME 'locality'
SUP top
STRUCTURAL
MAY ( street $
seeAlso $
searchGuide $
st $
l $
description ) )
3.8. 'organization'
The 'organization' object class is the basis of an entry that
represents a structured group of people.
(Source: X.521 [X.521])
( 2.5.6.4 NAME 'organization'
SUP top
STRUCTURAL
MUST o
MAY ( userPassword $ searchGuide $ seeAlso $
businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationalISDNNumber $
facsimileTelephoneNumber $ street $ postOfficeBox $
postalCode $ postalAddress $ physicalDeliveryOfficeName $
st $ l $ description ) )
Sciberras Standards Track [Page 23]
�
RFC 4519 LDAP: Schema for User Applications June 2006
3.9. 'organizationalPerson'
The 'organizationalPerson' object class is the basis of an entry that
represents a person in relation to an organization.
(Source: X.521 [X.521])
( 2.5.6.7 NAME 'organizationalPerson'
SUP person
STRUCTURAL
MAY ( title $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationalISDNNumber $
facsimileTelephoneNumber $ street $ postOfficeBox $
postalCode $ postalAddress $ physicalDeliveryOfficeName $
ou $ st $ l ) )
3.10. 'organizationalRole'
The 'organizationalRole' object class is the basis of an entry that
represents a job, function, or position in an organization.
(Source: X.521 [X.521])
( 2.5.6.8 NAME 'organizationalRole'
SUP top
STRUCTURAL
MUST cn
MAY ( x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationalISDNNumber $ facsimileTelephoneNumber $
seeAlso $ roleOccupant $ preferredDeliveryMethod $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l $
description ) )
3.11. 'organizationalUnit'
The 'organizationalUnit' object class is the basis of an entry that
represents a piece of an organization.
(Source: X.521 [X.521])
Sciberras Standards Track [Page 24]
�
RFC 4519 LDAP: Schema for User Applications June 2006
( 2.5.6.5 NAME 'organizationalUnit'
SUP top
STRUCTURAL
MUST ou
MAY ( businessCategory $ description $ destinationIndicator $
facsimileTelephoneNumber $ internationalISDNNumber $ l $
physicalDeliveryOfficeName $ postalAddress $ postalCode $
postOfficeBox $ preferredDeliveryMethod $
registeredAddress $ searchGuide $ seeAlso $ st $ street $
telephoneNumber $ teletexTerminalIdentifier $
telexNumber $ userPassword $ x121Address ) )
3.12 'person'
The 'person' object class is the basis of an entry that represents a
human being.
(Source: X.521 [X.521])
( 2.5.6.6 NAME 'person'
SUP top
STRUCTURAL
MUST ( sn $
cn )
MAY ( userPassword $
telephoneNumber $
seeAlso $ description ) )
3.13. 'residentialPerson'
The 'residentialPerson' object class is the basis of an entry that
includes a person's residence in the representation of the person.
(Source: X.521 [X.521])
( 2.5.6.10 NAME 'residentialPerson'
SUP person
STRUCTURAL
MUST l
MAY ( businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationalISDNNumber $
facsimileTelephoneNumber $ preferredDeliveryMethod $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l ) )
Sciberras Standards Track [Page 25]
�
RFC 4519 LDAP: Schema for User Applications June 2006
3.14. 'uidObject'
The 'uidObject' object class permits an entry to contains user
identification information. This object class is defined as
auxiliary, because it will be used in conjunction with an existing
structural object class.
(Source: RFC 2377 [RFC2377])
( 1.3.6.1.1.3.1 NAME 'uidObject'
SUP top
AUXILIARY
MUST uid )
4. IANA Considerations
The Internet Assigned Numbers Authority (IANA) has updated the LDAP
descriptors registry as indicated in the following template:
Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comments
Object Identifier: see comments
Person & email address to contact for further information:
Andrew Sciberras
Usage: (A = attribute type, O = Object Class) see comment
Specification: RFC 4519
Author/Change Controller: IESG
Comments
In the LDAP descriptors registry, the following descriptors (short
names) have been updated to refer to RFC 4519. Names that need to
be reserved, rather than assigned to an Object Identifier, will
contain an Object Identifier value of RESERVED.
NAME Type OID
------------------------ ---- ----------------------------
applicationProcess O 2.5.6.11
businessCategory A 2.5.4.15
c A 2.5.4.6
cn A 2.5.4.3
commonName A 2.5.4.3
country O 2.5.6.2
countryName A 2.5.4.6
dc A 0.9.2342.19200300.100.1.25
dcObject O 1.3.6.1.4.1.1466.344
description A 2.5.4.13
destinationIndicator A 2.5.4.27
device O 2.5.6.14
Sciberras Standards Track [Page 26]
�
RFC 4519 LDAP: Schema for User Applications June 2006
NAME Type OID
------------------------ ---- ----------------------------
distinguishedName A 2.5.4.49
dnQualifier A 2.5.4.46
domainComponent A 0.9.2342.19200300.100.1.25
enhancedSearchGuide A 2.5.4.47
facsimileTelephoneNumber A 2.5.4.23
generationQualifier A 2.5.4.44
givenName A 2.5.4.42
gn A RESERVED
groupOfNames O 2.5.6.9
groupOfUniqueNames O 2.5.6.17
houseIdentifier A 2.5.4.51
initials A 2.5.4.43
internationalISDNNumber A 2.5.4.25
l A 2.5.4.7
locality O 2.5.6.3
localityName A 2.5.4.7
member A 2.5.4.31
name A 2.5.4.41
o A 2.5.4.10
organization O 2.5.6.4
organizationName A 2.5.4.10
organizationalPerson O 2.5.6.7
organizationalRole O 2.5.6.8
organizationalUnit O 2.5.6.5
organizationalUnitName A 2.5.4.11
ou A 2.5.4.11
owner A 2.5.4.32
person O 2.5.6.6
physicalDeliveryOfficeName A 2.5.4.19
postalAddress A 2.5.4.16
postalCode A 2.5.4.17
postOfficeBox A 2.5.4.18
preferredDeliveryMethod A 2.5.4.28
registeredAddress A 2.5.4.26
residentialPerson O 2.5.6.10
roleOccupant A 2.5.4.33
searchGuide A 2.5.4.14
seeAlso A 2.5.4.34
serialNumber A 2.5.4.5
sn A 2.5.4.4
st A 2.5.4.8
street A 2.5.4.9
surname A 2.5.4.4
telephoneNumber A 2.5.4.20
teletexTerminalIdentifier A 2.5.4.22
telexNumber A 2.5.4.21
Sciberras Standards Track [Page 27]
�
RFC 4519 LDAP: Schema for User Applications June 2006
NAME Type OID
------------------------ ---- ----------------------------
title A 2.5.4.12
uid A 0.9.2342.19200300.100.1.1
uidObject O 1.3.6.1.1.3.1
uniqueMember A 2.5.4.50
userid A 0.9.2342.19200300.100.1.1
userPassword A 2.5.4.35
x121Address A 2.5.4.24
x500UniqueIdentifier A 2.5.4.45
5. Security Considerations
Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can be
people, organizations, or devices. Most countries have privacy laws
regarding the publication of information about people.
Transfer of cleartext passwords is strongly discouraged where the
underlying transport service cannot guarantee confidentiality and
integrity, since this may result in disclosure of the password to
unauthorized parties.
Multiple attribute values for the 'userPassword' attribute need to be
used with care. Especially reset/deletion of a password by an
administrator without knowing the old user password gets tricky or
impossible if multiple values for different applications are present.
Certainly, applications that intend to replace the 'userPassword'
value(s) with new value(s) should use modify/replaceValues (or
modify/deleteAttribute+addAttribute). In addition, server
implementations are encouraged to provide administrative controls
that, if enabled, restrict the 'userPassword' attribute to one value.
Note that when used for authentication purposes [RFC4513], the user
need only prove knowledge of one of the values, not all of the
values.
6. Acknowledgements
The definitions, on which this document is based, have been developed
by committees for telecommunications and international standards.
This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
product of the IETF ASID Working Group.
Sciberras Standards Track [Page 28]
�
RFC 4519 LDAP: Schema for User Applications June 2006
The 'dc' attribute type definition and the 'dcObject' object class
definition in this document supersede the specification in RFC 2247
by S. Kille, M. Wahl, A. Grimstad, R. Huber, and S. Sataluri.
The 'uid' attribute type definition in this document supersedes the
specification of the 'userid' in RFC 1274 by P. Barker and S. Kille
and of the uid in RFC 2798 by M. Smith.
The 'uidObject' object class definition in this document supersedes
the specification of the 'uidObject' in RFC 2377 by A. Grimstad, R.
Huber, S. Sataluri, and M. Wahl.
This document is based upon input of the IETF LDAPBIS working group.
The author wishes to thank S. Legg and K. Zeilenga for their
significant contribution to this update. The author would also like
to thank Kathy Dally, who edited early versions of this document.
7. References
7.1. Normative References
[E.123] Notation for national and international telephone numbers,
ITU-T Recommendation E.123, 1988
[E.164] The international public telecommunication numbering plan,
ITU-T Recommendation E.164, 1997
[F.1] Operational Provisions For The International Public
Telegram Service Transmission System, CCITT Recommendation
F.1, 1992
[F.31] Telegram Retransmission System, CCITT Recommendation F.31,
1988
[ISO3166] ISO 3166, "Codes for the representation of names of
countries".
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1123] Braden, R., "Requirements for Internet Hosts - Application
and Support", STD 3, RFC 1123, October 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997.
Sciberras Standards Track [Page 29]
�
RFC 4519 LDAP: Schema for User Applications June 2006
[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names
and Passwords", RFC 4013, February 2005.
[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005.
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
(LDAP): Technical Specification Road Map", RFC 4510, June
2006.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512, June
2006.
[RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
(LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006.
[X.121] International numbering plan for public data networks,
ITU-T Recommendation X.121, 1996
[X.509] The Directory: Authentication Framework, ITU-T
Recommendation X.509, 1993
[X.520] The Directory: Selected Attribute Types, ITU-T
Recommendation X.520, 1993
[X.521] The Directory: Selected Object Classes. ITU-T
Recommendation X.521, 1993
7.2. Informative References
[RFC1274] Barker, P. and S. Kille, "The COSINE and Internet X.500
Schema", RFC 1274, November 1991.
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S.
Sataluri, "Using Domains in LDAP/X.500 Distinguished
Names", RFC 2247, January 1998.
[RFC2377] Grimstad, A., Huber, R., Sataluri, S., and M. Wahl,
"Naming Plan for Internet Directory-Enabled Applications",
RFC 2377, September 1998.
[RFC2798] Smith, M., "Definition of the inetOrgPerson LDAP Object
Class", RFC 2798, April 2000.
Sciberras Standards Track [Page 30]
�
RFC 4519 LDAP: Schema for User Applications June 2006
[RFC4513] Harrison R., Ed., "Lightweight Directory Access Protocol
(LDAP): Authentication Methods and Security Mechanisms",
RFC 4513, June 2006.
[RFC4523] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP) Schema Definitions for X.509 Certificates", RFC
4523, June 2006.
[RFC4524] Zeilenga, E., Ed., "COSINE LDAP/X.500 Schema", RFC 4524,
June 2006.
[X.500] ITU-T Recommendations X.500 (1993) | ISO/IEC 9594-1:1994,
Information Technology - Open Systems Interconnection -
The Directory: Overview of concepts, models and services.
Sciberras Standards Track [Page 31]
�
RFC 4519 LDAP: Schema for User Applications June 2006
Appendix A. Changes Made Since RFC 2256
This appendix lists the changes that have been made from RFC 2256 to
RFC 4519.
This appendix is not a normative part of this specification, which
has been provided for informational purposes only.
1. Replaced the document title.
2. Removed the IESG Note.
3. Dependencies on RFC 1274 have been eliminated.
4. Added a Security Considerations section and an IANA
Considerations section.
5. Deleted the conformance requirement for subschema object
classes in favor of a statement in [RFC4517].
6. Added explanation to attribute types and to each object class.
7. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
(moved to [RFC4517]).
8. Removed the certificate-related attribute types:
authorityRevocationList, cACertificate,
certificateRevocationList, crossCertificatePair,
deltaRevocationList, supportedAlgorithms, and userCertificate.
Removed the certificate-related Object Classes:
certificationAuthority, certificationAuthority-V2,
cRLDistributionPoint, strongAuthenticationUser, and
userSecurityInformation
LDAP PKI is now discussed in [RFC4523].
9. Removed the dmdName, knowledgeInformation,
presentationAddress, protocolInformation, and
supportedApplicationContext attribute types and the dmd,
applicationEntity, and dSA object classes.
10. Deleted the aliasedObjectName and objectClass attribute type
definitions. Deleted the alias and top object class
definitions. They are included in [RFC4512].
Sciberras Standards Track [Page 32]
�
RFC 4519 LDAP: Schema for User Applications June 2006
11. Added the 'dc' attribute type from RFC 2247, making the
distinction between 'stored' and 'query' values when preparing
IDN strings.
12. Numerous editorial changes.
13. Removed upper bound after the SYNTAX oid in all attribute
definitions where it appeared.
14. Added text about Unicode, SASLprep [RFC4013], and UTF-8 for
userPassword.
15. Included definitions, comments and references for 'dcObject'
and 'uidObject'.
16. Replaced PKI schema references to use RFC 4523.
17. Spelt out and referenced ABNF on first usage.
18. Removed Section 2.4 (Source). Replaced the source table with
explicit references for each definition.
19. All references to an attribute type or object class are
enclosed in single quotes.
20. The layout of attribute type definitions has been changed to
provide consistency throughout the document:
> Section Heading
> Description of Attribute type
> Multivalued description
> Source Information
> Definition
> Example
> Additional Comments
Adding this consistent output included the addition of
examples to some definitions.
21. References to alternate names for attributes types are
provided with a reference to where they were originally
specified.
22. Clarification of the description of 'distinguishedName' and
'name', in regards to these attribute types being supertypes.
23. Spelt out ISDN on first usage.
Sciberras Standards Track [Page 33]
�
RFC 4519 LDAP: Schema for User Applications June 2006
24. Inserted a reference to [RFC4517] for the
'teletexTerminalIdentifier' definition's SYNTAX OID.
25. Additional names were added to the IANA Considerations. Names
include 'commonName', 'dcObject', 'domainComponent', 'GN',
'localityName', 'organizationName', 'organizationUnitName',
'surname', 'uidObject' and 'userid'.
26. Renamed all instances of supercede to supersede.
27. Moved [F.1], [F.31] and [RFC4013] from informative to
normative references.
28. Changed the 'c' definition to be consistent with X.500.
Author's Address
Andrew Sciberras
eB2Bcom
Suite 3, Woodhouse Corporate Centre,
935 Station Street,
Box Hill North, Victoria 3129
AUSTRALIA
Phone: +61 3 9896 7833
EMail: andrew.sciberras@eb2bcom.com
Sciberras Standards Track [Page 34]
�
RFC 4519 LDAP: Schema for User Applications June 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Sciberras Standards Track [Page 35]
�