draft-ietf-asid-ldapv3-attributes-04.txt   draft-ietf-asid-ldapv3-attributes-05.txt 
skipping to change at line 12 skipping to change at line 12
Network Working Group M. Wahl Network Working Group M. Wahl
INTERNET-DRAFT Critical Angle Inc. INTERNET-DRAFT Critical Angle Inc.
Obsoletes: RFC 1778 A. Coulbeck Obsoletes: RFC 1778 A. Coulbeck
Isode Limited Isode Limited
T. Howes T. Howes
Netscape Communications Corp. Netscape Communications Corp.
S. Kille S. Kille
Isode Limited Isode Limited
Lightweight Directory Access Protocol (v3): Lightweight Directory Access Protocol (v3):
Attribute Syntax Definitions Attribute Syntax Definitions
<draft-ietf-asid-ldapv3-attributes-04.txt> <draft-ietf-asid-ldapv3-attributes-05.txt>
1. Status of this Memo 1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute working its working groups. Note that other groups may also distribute working
documents as Internet-Drafts. documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress." or to cite them other than as "work in progress."
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
2. Abstract 2. Abstract
The Lightweight Directory Access Protocol (LDAP) [1] requires that the The Lightweight Directory Access Protocol (LDAP) [1] requires that
contents of AttributeValue fields in protocol elements be octet the contents of AttributeValue fields in protocol elements be octet
strings. This document defines a set of syntaxes for LDAPv3, and the strings. This document defines a set of syntaxes for LDAPv3, and the
rules by which attribute values of these syntaxes are represented as rules by which attribute values of these syntaxes are represented as
octet strings for transmission in the LDAP protocol. The syntaxes octet strings for transmission in the LDAP protocol. The syntaxes
defined in this document are referenced by this and other documents that defined in this document are referenced by this and other documents
define attribute types. This document also defines the set of attribute that define attribute types. This document also defines the set of
types which LDAP servers should support. attribute types which LDAP servers should support.
3. Overview 3. Overview
This document defines the framework for developing schemas for
directories accessible via the Lightweight Directory Access Protocol.
Schema is the collection of attribute type definitions, object class
definitions and other information which a server uses to determine
how to match a filter or attribute value assertion (in a compare
operation) against the attributes of an entry, and whether to permit
add and modify operations.
Section 4 states the general requirements and notations for attribute Section 4 states the general requirements and notations for attribute
types, object classes, syntax and matching rule definitions. types, object classes, syntax and matching rule definitions.
Section 5 lists attributes, section 6 syntaxes and section 7 object Section 5 lists attributes, section 6 syntaxes and section 7 object
classes. classes.
Additional documents define schemas for representing real-world
objects as directory entries.
4. General Issues 4. General Issues
This document describes encodings used in an Internet protocol. Terms are This document describes encodings used in an Internet protocol.
defined in [4].
4.1. Attribute Types The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC 2119 [4].
4.1. Common Encoding Aspects
For the purposes of defining the encoding rules for attribute
syntaxes, the following BNF definitions will be used. They are
based on the BNF styles of RFC 822 [13].
a = "a" / "b" / "c" / "d" / "e" / "f" / "g" / "h" / "i" /
"j" / "k" / "l" / "m" / "n" / "o" / "p" / "q" / "r" /
"s" / "t" / "u" / "v" / "w" / "x" / "y" / "z" / "A" /
"B" / "C" / "D" / "E" / "F" / "G" / "H" / "I" / "J" /
"K" / "L" / "M" / "N" / "O" / "P" / "Q" / "R" / "S" /
"T" / "U" / "V" / "W" / "X" / "Y" / "Z"
d = "0" / "1" / "2" / "3" / "4" /
"5" / "6" / "7" / "8" / "9"
hex-digit = d / "a" / "b" / "c" / "d" / "e" / "f" /
"A" / "B" / "C" / "D" / "E" / "F"
k = a / d / "-"
p = a / d / """ / "(" / ")" / "+" / "," /
"-" / "." / "/" / ":" / "?" / " "
letterstring = 1*a
numericstring = 1*d
anhstring = 1*k
keystring = a [ anhstring ]
printablestring = 1*p
space = 1*" "
whsp = [ space ]
utf8 = <any sequence of octets formed from the UTF-8 [9]
transformation of a character from ISO10646 [10]>
dstring = 1*utf8
qdstring = whsp "'" dstring "'" whsp
qdstringlist = ( qdstringlist qdstring ) / ""
qdstrings = qdstring / ( whsp "(" qdstringlist ")" whsp )
In the following BNF for the string representation of OBJECT
IDENTIFIERs, descr is the syntactic representation of an object
descriptor, which consists of letters and digits, starting with a
letter. An OBJECT IDENTIFIER in the numericoid format should not
have leading zeroes (e.g. "0.9.3" is permitted but "0.09.3" should
not be generated).
When encoding values in syntax, the descr encoding option SHOULD
be used in preference to the numericoid. An object descriptor is
a more readable alias for a number OBJECT IDENTIFIER, and these
(where assigned and known by the implementation) SHOULD be used in
preference to numeric oids to the greatest extent possible.
Examples of object descriptors in LDAP are attribute type, object
class and matching rule names.
oid = descr / numericoid
descr = keystring
numericoid = numericstring *( "." numericstring )
woid = whsp oid whsp
; set of oids of either form
oids = woid / ( "(" oidlist ")" )
oidlist = woid *( "$" woid )
; object descriptors used as schema element names
qdescrs = qdescr / ( whsp "(" qdescrlist ")" whsp )
qdescrlist = ( qdescrlist qdescr ) / ""
qdescr = whsp "'" descr "'" whsp
4.2. Attribute Types
The attribute types are described by sample values for the subschema The attribute types are described by sample values for the subschema
"attributeTypes" attribute, which is written in the "attributeTypes" attribute, which is written in the
AttributeTypeDescription syntax. While lines have been folded for AttributeTypeDescription syntax. While lines have been folded for
readability, the values transferred in protocol would not contain readability, the values transferred in protocol would not contain
newlines. newlines.
The AttributeTypeDescription is encoded according to the following BNF, The AttributeTypeDescription is encoded according to the following
and the productions for <oid>, <DirectoryStrings> and <DirectoryString> BNF, and the productions for oid, qdsescrs and qdstring are given
are given in sections 4.2.1. in section 4.1. Implementors should note that future versions of this
document may have expanded this BNF to include additional terms.
<AttributeTypeDescription> ::= "(" AttributeTypeDescription = "(" whsp
<oid> -- AttributeType identifier numericoid whsp ; AttributeType identifier
[ "NAME" <DirectoryStrings> ] -- name used in AttributeType [ "NAME" qdescrs ] ; name used in AttributeType
[ "DESC" <DirectoryString> ] [ "DESC" qdstring ] ; description
[ "OBSOLETE" ] [ "OBSOLETE" whsp ]
[ "SUP" <oid> ] -- derived from this other AttributeType [ "SUP" woid ] ; derived from this other
[ "EQUALITY" <oid> ] -- Matching Rule name ; AttributeType
[ "ORDERING" <oid> ] -- Matching Rule name [ "EQUALITY" woid ; Matching Rule name
[ "SUBSTR" <oid> ] -- Matching Rule name [ "ORDERING" woid ; Matching Rule name
[ "SYNTAX" <DirectoryString> ] -- see section 4.2 [ "SUBSTR" woid ] ; Matching Rule name
[ "SINGLE-VALUE" ] -- default multi-valued [ "SYNTAX" whsp numericoid whsp ] ; see section 4.2
[ "COLLECTIVE" ] -- default not collective [ "SINGLE-VALUE" whsp ] ; default multi-valued
[ "NO-USER-MODIFICATION" ] -- default user modifiable [ "COLLECTIVE" whsp ] ; default not collective
[ "USAGE" <AttributeUsage> ] -- default user applications [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
")" [ "USAGE" whsp AttributeUsage ]; default user applications
whsp ")"
<AttributeUsage> ::= AttributeUsage =
"userApplications" "userApplications" /
| "directoryOperation" "directoryOperation" /
| "distributedOperation" -- DSA-shared "distributedOperation" / ; DSA-shared
| "dSAOperation" -- DSA-specific, value depends on server "dSAOperation" ; DSA-specific, value depends on server
Servers are not required to provide the same or any text Servers are not required to provide the same or any text
in the description part of the subschema values they maintain. in the description part of the subschema values they maintain.
Servers SHOULD provide at least one of the "SUP" and "SYNTAX" fields
for each AttributeTypeDescription.
Servers SHOULD implement all the attribute types referenced in section 5: Servers SHOULD implement all the attribute types referenced in
they MUST be able to perform equality matching of values, but need not section 5. Servers MUST be able to evaluate presence filters,
perform any additional validity checks on attribute values. SHOULD be able to perform equality matching of values of all user
attributes known to the server, and MAY be able to perform matching
with the other kinds of filters. If a server allows values of an
attribute of a particular type to be added or removed over protocol,
the server MUST be able to perform equality matching of values of
that attribute, but need not perform any additional validity checks
on attribute values.
Servers MAY recognize additional names and attributes not listed in this Servers MAY recognize additional names and attributes not listed in
document, and if they do so, SHOULD publish the definitions of the types this document, and if they do so, SHOULD publish the definitions of
in the attributeTypes attribute of their subschema subentries. the types in the attributeTypes attribute of their subschema
entries.
AttributeDescriptions can be used as the value in a NAME part of an AttributeDescriptions can be used as the value in a NAME part of an
AttributeTypeDescription. Note that these are case insensitive. AttributeTypeDescription. Note that these are case insensitive.
Note that the AttributeTypeDescription does not list the matching
rules which can can be used with that attribute type in an
extensibleMatch search filter. This is done using the matchingRuleUse
attribute described in section 4.4.
4.2. Syntaxes 4.2. Syntaxes
This section defines general requirements for LDAP attribute value This section defines general requirements for LDAP attribute value
syntax encodings. All documents defining attribute syntax encodings for syntax encodings. All documents defining attribute syntax encodings
use with LDAP are expected to conform to these requirements. for use with LDAP are expected to conform to these requirements.
The encoding rules defined for a given attribute syntax must produce The encoding rules defined for a given attribute syntax must produce
octet strings. To the greatest extent possible, encoded octet octet strings. To the greatest extent possible, encoded octet
strings should be usable in their native encoded form for display strings should be usable in their native encoded form for display
purposes. In particular, encoding rules for attribute syntaxes purposes. In particular, encoding rules for attribute syntaxes
defining non-binary values should produce strings that can be defining non-binary values should produce strings that can be
displayed with little or no translation by clients implementing displayed with little or no translation by clients implementing
LDAP. There are a few cases (e.g. Audio) however, when it is not sensible LDAP. There are a few cases (e.g. audio) however, when it is not
to produce a printable representation, and clients MUST NOT assume that sensible to produce a printable representation, and clients MUST NOT
an unrecognized syntax is a string representation. assume that an unrecognized syntax is a string representation.
4.2.1. Common Encoding Aspects
In these encodings where an arbitrary string is used as part of a larger
production (other than a Distinguished Name), a backslash quoting mechanism
is used to encode the following separator symbol character (such as ''',
'$' or '#') if it should occur in that string. The backslash is followed
by a pair of hexadecimal digits representing the next character. A
backslash itself in the string which forms part of a larger syntax is
always transmitted as '\5C' or '\5c'.
For the purposes of defining the encoding rules for attribute syntaxes,
the following auxiliary BNF definitions will be used:
<a> ::= 'a' | 'b' | 'c' | 'd' | 'e' | 'f' | 'g' | 'h' | 'i' |
'j' | 'k' | 'l' | 'm' | 'n' | 'o' | 'p' | 'q' | 'r' |
's' | 't' | 'u' | 'v' | 'w' | 'x' | 'y' | 'z' | 'A' |
'B' | 'C' | 'D' | 'E' | 'F' | 'G' | 'H' | 'I' | 'J' |
'K' | 'L' | 'M' | 'N' | 'O' | 'P' | 'Q' | 'R' | 'S' |
'T' | 'U' | 'V' | 'W' | 'X' | 'Y' | 'Z'
<d> ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9'
<hex-digit> ::= <d> | 'a' | 'b' | 'c' | 'd' | 'e' | 'f' |
'A' | 'B' | 'C' | 'D' | 'E' | 'F'
<k> ::= <a> | <d> | '-'
<p> ::= <a> | <d> | ''' | '(' | ')' | '+' | ',' | '-' | '.' |
'/' | ':' | '?' | ' '
<letterstring> ::= <a> | <a> <letterstring>
<numericstring> ::= <d> | <d> <numericstring>
<keystring> ::= <a> | <a> <anhstring>
<anhstring> ::= <k> | <k> <anhstring>
<printablestring> ::= <p> | <p> <printablestring>
<space> ::= ' ' | ' ' <space>
<whsp> ::= <space> | empty In encodings where an arbitrary string is used as part of a larger
<utf8> ::= any sequence of octets formed from the UTF-8 [9] production (other than a Distinguished Name), a backslash quoting
transformation of a character from ISO 10646 [10] mechanism is used to encode the following separator symbol character
(such as "'", "$" or "#") if it should occur in that string. The
backslash is followed by a pair of hexadecimal digits representing the
next character. A backslash itself in the string which forms part of
a larger syntax is always transmitted as '\5C' or '\5c'.
<dstring> ::= <utf8> | <utf8> <dstring> Syntaxes are also defined for matching rules whose assertion value
syntax is different from the attribute value syntax.
<DirectoryStrings> ::= <DirectoryString> | '(' <DirectoryStringList> ')' 4.2.1 Binary Transfer of Values
<DirectoryStringList> ::= <DirectoryStringList> <DirectoryString> | "" This encoding format is used if the binary encoding is requested by
the client for an attribute, or if the attribute syntax name is
"1.3.6.1.4.1.1466.115.121.1.5". The value, an instance of the ASN.1
AttributeValue type, is BER-encoded, subject to the restrictions of
section 5.1 of [1], and this sequence of octets is used as the value.
(E.g. the first byte inside the OCTET STRING wrapper is a tag byte.
However the OCTET STRING is still encoded in primitive form.)
<DirectoryString> ::= ''' <dstring> ''' All servers MUST implement this form for both generating attribute
values in search responses, and parsing attribute values in add,
compare and modify requests, if the attribute type is recognized and
the attribute syntax name is that of Binary. Clients which request
that all attributes be returned from entries MUST be prepared
to receive values in binary (e.g. userCertificate), and SHOULD NOT
simply display binary or unrecognized values to users.
<oids> ::= <oid> | '(' <oidlist> ')' 4.2.2. Syntax Object Identifiers
<oidlist> ::= <oidlist> '$' <oid> | <oid> Syntaxes for use with LDAP are named by OBJECT IDENTIFIERs, which
are dotted-decimal strings. These are not intended to be displayed
to users.
4.2.2 Binary Transfer of Values The following table lists some of the syntaxes that have been defined
for LDAP thus far. The H-R column suggests whether a value in that
syntax would likely be a human readable string. Clients and servers
need not implement all the syntaxes listed here, and MAY implement
other syntaxes.
This encoding format is used if the binary encoding is requested by the Other documents may define additional syntaxes. However, the
client for an attribute, or if the attribute syntax name is 'Binary'. The definition of additional arbitrary syntaxes is strongly depreciated
value, an instance of the ASN.1 AttributeValue type, is BER-encoded, since it will hinder interoperability: today's client and server
subject to the restrictions of section 5.1 of [1], and this sequence of implementations generally do not have the ability to dynamically
octets is used as the value. recognize new syntaxes. In most cases attributes will be defined
with the syntax for directory strings.
All servers MUST implement this form for both generating attribute values in Value being represented H-R OBJECT IDENTIFIER
search responses, and parsing attribute values in add, compare and modify =================================================================
requests, if the attribute type is recognized and the attribute syntax name ACI Item N 1.3.6.1.4.1.1466.115.121.1.1
is 'Binary'. Clients MUST be prepared receiving values in binary (e.g. Access Point Y 1.3.6.1.4.1.1466.115.121.1.2
userCertificate or audio), and MUST NOT simply display binary or Attribute Type Description Y 1.3.6.1.4.1.1466.115.121.1.3
unrecognized values to users. Audio N 1.3.6.1.4.1.1466.115.121.1.4
Binary N 1.3.6.1.4.1.1466.115.121.1.5
Bit String Y 1.3.6.1.4.1.1466.115.121.1.6
Boolean Y 1.3.6.1.4.1.1466.115.121.1.7
Certificate N 1.3.6.1.4.1.1466.115.121.1.8
Certificate List N 1.3.6.1.4.1.1466.115.121.1.9
Certificate Pair N 1.3.6.1.4.1.1466.115.121.1.10
Country String Y 1.3.6.1.4.1.1466.115.121.1.11
DN Y 1.3.6.1.4.1.1466.115.121.1.12
Data Quality Syntax Y 1.3.6.1.4.1.1466.115.121.1.13
Delivery Method Y 1.3.6.1.4.1.1466.115.121.1.14
Directory String Y 1.3.6.1.4.1.1466.115.121.1.15
DIT Content Rule Description Y 1.3.6.1.4.1.1466.115.121.1.16
DIT Structure Rule Description Y 1.3.6.1.4.1.1466.115.121.1.17
DL Submit Permission Y 1.3.6.1.4.1.1466.115.121.1.18
DSA Quality Syntax Y 1.3.6.1.4.1.1466.115.121.1.19
DSE Type Y 1.3.6.1.4.1.1466.115.121.1.20
Enhanced Guide Y 1.3.6.1.4.1.1466.115.121.1.21
Facsimile Telephone Number Y 1.3.6.1.4.1.1466.115.121.1.22
Fax N 1.3.6.1.4.1.1466.115.121.1.23
Generalized Time Y 1.3.6.1.4.1.1466.115.121.1.24
Guide Y 1.3.6.1.4.1.1466.115.121.1.25
IA5 String Y 1.3.6.1.4.1.1466.115.121.1.26
INTEGER Y 1.3.6.1.4.1.1466.115.121.1.27
JPEG N 1.3.6.1.4.1.1466.115.121.1.28
LDAP Syntax Description Y 1.3.6.1.4.1.1466.115.121.1.54
Master And Shadow Access Points Y 1.3.6.1.4.1.1466.115.121.1.29
Matching Rule Description Y 1.3.6.1.4.1.1466.115.121.1.30
Matching Rule Use Description Y 1.3.6.1.4.1.1466.115.121.1.31
Mail Preference Y 1.3.6.1.4.1.1466.115.121.1.32
MHS OR Address Y 1.3.6.1.4.1.1466.115.121.1.33
Name And Optional UID Y 1.3.6.1.4.1.1466.115.121.1.34
Name Form Description Y 1.3.6.1.4.1.1466.115.121.1.35
Numeric String Y 1.3.6.1.4.1.1466.115.121.1.36
Object Class Description Y 1.3.6.1.4.1.1466.115.121.1.37
OID Y 1.3.6.1.4.1.1466.115.121.1.38
Other Mailbox Y 1.3.6.1.4.1.1466.115.121.1.39
Password Y 1.3.6.1.4.1.1466.115.121.1.40
Postal Address Y 1.3.6.1.4.1.1466.115.121.1.41
Protocol Information Y 1.3.6.1.4.1.1466.115.121.1.42
Presentation Address Y 1.3.6.1.4.1.1466.115.121.1.43
Printable String Y 1.3.6.1.4.1.1466.115.121.1.44
Subtree Specification Y 1.3.6.1.4.1.1466.115.121.1.45
Supplier Information Y 1.3.6.1.4.1.1466.115.121.1.46
Supplier Or Consumer Y 1.3.6.1.4.1.1466.115.121.1.47
Supplier And Consumer Y 1.3.6.1.4.1.1466.115.121.1.48
Supported Algorithm N 1.3.6.1.4.1.1466.115.121.1.49
Telephone Number Y 1.3.6.1.4.1.1466.115.121.1.50
Teletex Terminal Identifier Y 1.3.6.1.4.1.1466.115.121.1.51
Telex Number Y 1.3.6.1.4.1.1466.115.121.1.52
UTC Time Y 1.3.6.1.4.1.1466.115.121.1.53
4.2.3. Syntax Names A suggested minimum upper bound on the number of characters in value
with a string-based syntax, or the number of bytes in a value for all
other syntaxes, may be indicated by appending this bound count inside
of curly braces following the syntax name's OBJECT IDENTIFIER. This
bound is not part of the syntax name itself. For instance,
"1.3.6.4.1.1466.0{64}" suggests that server implementations should
allow the string to be 64 characters long, although they may allow
longer strings. Note that a single character of the Directory String
syntax may be encoded in more than one byte since UTF-8 is a
variable-length encoding.
Names of syntaxes for use with LDAP are ASCII strings which either 4.2.3. Syntax Description
begin with a letter and contain only letters or digits. The names are
case insensitive. Historically since syntaxes correspond to ASN.1 types,
they have been named starting with a capital letter. A suggested minimum
upper bound on the number of characters in value with a DirectoryString or
IA5String syntax or the number of bytes in a value for all other syntaxes
may be indicated by appending this bound count inside of curly braces.
For instance, "DirectoryString{64}" suggests that server implementations
should allow the string to be 64 characters long, althoough they may allow
longer strings. Note that a single character of the DirectoryString may be
encoded in more than one byte since UTF-8 is a variable-length encoding.
Syntax names do not have global scope: two clients or servers may The following BNF may be used to associate a short description with
know of different syntaxes with the same name. a syntax OBJECT IDENTIFIER. Implementors should note that future
versions of this document may expand this definition to include
additional terms.
The definition of additional arbitrary syntaxes is strongly depreciated SyntaxDescription = "(" whsp
since it will hinder interoperability: today's client and server numericoid whsp
implementations generally do not have the ability to dynamically recognize [ "DESC" qdstring ]
new syntaxes. In most cases attributes will be defined with the whsp ")"
DirectoryString syntax.
4.3. Object Classes 4.3. Object Classes
Object class descriptions are written according to the following BNF: The format for representation of object classes is defined in X.501
[3]. In general every entry will contain an abstract class ("top" or
"alias"), at least one structural object class, and zero or more
auxiliary object classes. Whether an object class is abstract,
structural or auxiliary is defined when the object class identifier
is assigned. An object class definition should not be changed
without having a new identifier assigned to it.
<ObjectClassDescription> ::= "(" Object class descriptions are written according to the following BNF.
<oid> -- ObjectClass identifier Implementors should note that future versions of this document may
[ "NAME" <DirectoryStrings> ] expand this definition to include additional terms.
[ "DESC" <DirectoryString> ]
[ "OBSOLETE" ]
[ "SUP" <oids> ] -- Superior ObjectClasses
[ ( "ABSTRACT" | "STRUCTURAL" | "AUXILIARY" ) ] -- default structural
[ "MUST" <oids> ] -- AttributeTypes
[ "MAY" <oids> ] -- AttributeTypes
")"
These are described as sample values for the subschema "objectClasses" ObjectClassDescription = "(" whsp
attribute for a server which implements the LDAP schema. numericoid whsp ; ObjectClass identifier
While lines have been folded for readability, the values transferred in [ "NAME" qdescrs ]
protocol would not contain newlines. [ "DESC" qdstring ]
[ "OBSOLETE" whsp ]
[ "SUP" oids ] ; Superior ObjectClasses
[ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
; default structural
[ "MUST" oids ] ; AttributeTypes
[ "MAY" oids ] ; AttributeTypes
whsp ")"
Servers SHOULD implement all the object classes referenced in section 7, These are described as sample values for the subschema
except for extensibleObject, which is optional. "objectClasses" attribute for a server which implements the LDAP
schema. While lines have been folded for readability, the values
transferred in protocol would not contain newlines.
Servers SHOULD implement all the object classes referenced in
section 7, except for extensibleObject, which is optional.
Servers MAY implement additional object classes not listed in this Servers MAY implement additional object classes not listed in this
document, and if they do so, SHOULD publish the definitions of the classes document, and if they do so, SHOULD publish the definitions of the
in the objectClasses attribute of their subschema subentries. Later classes in the objectClasses attribute of their subschema entries.
documents may define additional object classes. Later documents may define additional object classes.
4.4. Matching Rules 4.4. Matching Rules
Matching rules are used by servers to compare attribute values against Matching rules are used by servers to compare attribute values
assertion values when performing Search and Compare operations. against assertion values when performing Search and Compare
operations. They are also used to identify the value to be added
or deleted when modifying entries, and are used when comparing a
purported distinguished name with the name of an entry.
Most of the attributes given in this document will have an equality Most of the attributes given in this document will have an equality
matching rule defined. matching rule defined.
Matching rule descriptions are written according to the following BNF: Matching rule descriptions are written according to the following
BNF. Implementors should note that future versions of this document
may have expanded this BNF to include additional terms.
<MatchingRuleDescription> ::= "(" MatchingRuleDescription = "(" whsp
<oid> -- MatchingRule identifier numericoid whsp ; MatchingRule identifier
[ "NAME" <DirectoryStrings> ] [ "NAME" qdescrs ]
[ "DESC" <DirectoryString> ] [ "DESC" qdstring ]
[ "OBSOLETE" whsp ]
"SYNTAX" numericoid
whsp ")"
Values of the matchingRuleUse list the attributes which are suitable
for use with an extensible matching rule.
MatchingRuleUseDescription = "(" whsp
numericoid whsp ; MatchingRule identifier
[ "NAME" qdescrs ]
[ "DESC" qdstring ]
[ "OBSOLETE" ] [ "OBSOLETE" ]
"SYNTAX" <DirectoryString> "APPLIES" oids ; AttributeType identifiers
")" whsp ")"
Servers SHOULD implement all the matching rules in section 8. Servers which support matching rules and the extensibleMatch SHOULD
implement all the matching rules in section 8.
Servers MAY implement additional matching rules not listed in this Servers MAY implement additional matching rules not listed in this
document, and if they do so, SHOULD publish the definitions of the document, and if they do so, SHOULD publish the definitions of the
matching rules in the matchingRules attribute of their matching rules in the matchingRules attribute of their
subschema subentries. subschema entries. If the server supports the extensibleMatch, then
the server SHOULD publish the relationship between the matching rules
and attributes in the matchingRuleUse attribute.
For example, a server which implements a privately-defined matching
rule for performing sound-alike matches on Directory String-valued
attributes would include the following in the subschema entry
(1.2.3.4.5 is an example, the OID of an actual matching rule would be
different):
matchingRule: ( 1.2.3.4.5 NAME 'soundAlikeMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
If this matching rule could be used with the attributes 2.5.4.41 and
2.5.4.15, the following would also be present:
matchingRuleUse: ( 1.2.3.4.5 APPLIES (2.5.4.41 $ 2.5.4.15) )
A client could then make use of this matching rule by sending a
search operation in which the filter is of the extensibleMatch choice,
the matchingRule field is "soundAlikeMatch", and the type field is
"2.5.4.41" of "2.5.4.15".
5. Attribute Types 5. Attribute Types
All LDAP server implementations MUST recognize the attribute types All LDAP server implementations MUST recognize the attribute types
defined in this section. These types are based on definitions in defined in this section. These types are based on definitions in
X.501(93) [3]. X.501(93) [3].
Servers SHOULD also recognize all the attributes from section 5 of [12], Servers SHOULD also recognize all the attributes from section 5 of
from section 5 of [13]. [12].
5.1. Standard Operational Attributes 5.1. Standard Operational Attributes
Servers MUST maintain values of these attributes in accordance with
the definitions in X.501(93).
5.1.1. createTimestamp 5.1.1. createTimestamp
This attribute SHOULD appear in entries which were created using
the Add operation.
( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch ( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch SYNTAX 'GeneralizedTime' ORDERING generalizedTimeOrderingMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.24'
SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
5.1.2. modifyTimestamp 5.1.2. modifyTimestamp
This attribute SHOULD appear in entries which have been modified
using the Modify operation.
( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY generalizedTimeMatch ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch SYNTAX 'GeneralizedTime' ORDERING generalizedTimeOrderingMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.24'
SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
5.1.3. creatorsName 5.1.3. creatorsName
( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch SYNTAX 'DN' This attribute SHOULD appear in entries which were created using
the Add operation.
( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
5.1.4. modifiersName 5.1.4. modifiersName
( 2.5.18.4 NAME 'modifiersName' EQUALITY distinguishedNameMatch SYNTAX 'DN' This attribute SHOULD appear in entries which have been modified
using the Modify operation.
( 2.5.18.4 NAME 'modifiersName' EQUALITY distinguishedNameMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
5.1.5. subschemaSubentry 5.1.5. subschemaSubentry
The value of this attribute is the name of a subschema subentry, an The value of this attribute is the name of a subschema entry (or
entry in which the server makes available attributes specifying subentry if the server is based on X.500(93)) in which the server
the schema. makes available attributes specifying the schema.
( 2.5.18.10 NAME 'subschemaSubentry' ( 2.5.18.10 NAME 'subschemaSubentry'
EQUALITY distinguishedNameMatch SYNTAX 'DN' NO-USER-MODIFICATION EQUALITY distinguishedNameMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION
SINGLE-VALUE USAGE directoryOperation ) SINGLE-VALUE USAGE directoryOperation )
5.1.6. attributeTypes 5.1.6. attributeTypes
This attribute is typically located in the subschema entry.
( 2.5.21.5 NAME 'attributeTypes' ( 2.5.21.5 NAME 'attributeTypes'
EQUALITY objectIdentifierFirstComponentMatch EQUALITY objectIdentifierFirstComponentMatch
SYNTAX 'AttributeTypeDescription' USAGE directoryOperation ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.3' USAGE directoryOperation )
5.1.7. objectClasses 5.1.7. objectClasses
This attribute is typically located in the subschema entry.
( 2.5.21.6 NAME 'objectClasses' ( 2.5.21.6 NAME 'objectClasses'
EQUALITY objectIdentifierFirstComponentMatch EQUALITY objectIdentifierFirstComponentMatch
SYNTAX 'ObjectClassDescription' USAGE directoryOperation ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.37' USAGE directoryOperation )
5.1.8. matchingRules
This attribute is typically located in the subschema entry.
( 2.5.21.4 NAME 'matchingRules'
EQUALITY objectIdentifierFirstComponentMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.30' USAGE directoryOperation )
5.1.9. matchingRuleUse
This attribute is typically located in the subschema entry.
( 2.5.21.8 NAME 'matchingRuleUse'
EQUALITY objectIdentifierFirstComponentMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.31' USAGE directoryOperation )
5.2. LDAP Operational Attributes 5.2. LDAP Operational Attributes
These attributes are only present in the root DSE. These attributes are only present in the root DSE (see [1] and [3]).
Servers MUST recognize these attribute names, but it is not required that Servers MUST recognize these attribute names, but it is not required
a server provide values for these attributes, when the attribute that a server provide values for these attributes, when the
corresponds to a feature which the server does not implement. attribute corresponds to a feature which the server does not
implement.
5.2.1. namingContexts 5.2.1. namingContexts
The values of this attribute correspond to naming contexts which this The values of this attribute correspond to naming contexts which this
server masters or shadows. If the server does not master any server masters or shadows. If the server does not master any
information (e.g. it is an LDAP gateway to a public X.500 directory) information (e.g. it is an LDAP gateway to a public X.500 directory)
this attribute will be absent. If the server believes it contains the this attribute will be absent. If the server believes it contains
entire directory, the attribute will have a single value, and that the entire directory, the attribute will have a single value, and
value will be the empty string (indicating the null DN of the root). that value will be the empty string (indicating the null DN of the
This attribute will allow a client to choose suitable base objects root). This attribute will allow a client to choose suitable base
for searching when it has contacted a server. objects for searching when it has contacted a server.
( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
SYNTAX 'DN' USAGE dSAOperation ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' USAGE dSAOperation )
5.2.2. altServer 5.2.2. altServer
The values of this attribute are URLs of other servers which may be The values of this attribute are URLs of other servers which may be
contacted when this server becomes unavailable. If the server does not contacted when this server becomes unavailable. If the server does
know of any other servers which could be used this attribute will be not know of any other servers which could be used this attribute
absent. Clients may cache this information in case their preferred LDAP will be absent. Clients may cache this information in case their
server later becomes unavailable. preferred LDAP server later becomes unavailable.
( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer' ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
SYNTAX 'IA5String' USAGE dSAOperation ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' USAGE dSAOperation )
5.2.3. supportedExtension 5.2.3. supportedExtension
The values of this attribute are OBJECT IDENTIFIERs identifying the The values of this attribute are OBJECT IDENTIFIERs identifying the
supported extended operations which the server supports. supported extended operations which the server supports.
If the server does not support any extensions this attribute will be If the server does not support any extensions this attribute will be
absent. absent.
( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension' ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
SYNTAX 'OID' USAGE dSAOperation ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' USAGE dSAOperation )
5.2.4. supportedControl 5.2.4. supportedControl
The values of this attribute are the OBJECT IDENTIFIERS identifying The values of this attribute are the OBJECT IDENTIFIERS identifying
controls which the server supports. If the server does not controls which the server supports. If the server does not
support any controls, this attribute will be absent. support any controls, this attribute will be absent.
( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl' ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
SYNTAX 'OID' USAGE dSAOperation ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' USAGE dSAOperation )
5.2.5. supportedSASLMechanisms 5.2.5. supportedSASLMechanisms
The values of this attribute are the names of supported SASL The values of this attribute are the names of supported SASL
mechanisms which the server supports. If the server does not mechanisms which the server supports. If the server does not
support any mechanisms this attribute will be absent. support any mechanisms this attribute will be absent.
( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms' ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
SYNTAX 'LDAPString' USAGE dSAOperation ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' USAGE dSAOperation )
5.2.6. supportedLDAPVersion 5.2.6. supportedLDAPVersion
The values of this attribute are the versions of the LDAP protocol which The values of this attribute are the versions of the LDAP protocol
the server implements. which the server implements.
( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion' ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
SYNTAX 'INTEGER' USAGE dSAOperation ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' USAGE dSAOperation )
5.3. LDAP Subschema Attribute
This attribute is typically located in the subschema entry.
5.3.1. ldapSyntaxes
Servers MAY use this attribute to list the syntaxes which are
implemented. Each value corresponds to one syntax.
( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
EQUALITY objectIdentifierFirstComponentMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.54' USAGE directoryOperation )
6. Syntaxes 6. Syntaxes
Servers SHOULD recognize all the syntaxes described in this section Servers SHOULD recognize all the syntaxes described in this section.
(6.1 - 6.3). Each syntax begins with a sample value of the ldapSyntaxes attribute
which defines the OBJECT IDENTIFIER of the syntax. The descriptions
of syntax names are not carried in protocol, and are not guaranteed
to be unique.
6.1. AttributeTypeDescription 6.1. AttributeTypeDescription
Values with this syntax are encoded according to the BNF given at the ( 1.3.6.1.4.1.1466.115.121.1.3 DESC 'Attribute Type Description' )
start of section 4.1. For example,
( 2.5.4.0 NAME 'objectClass' SYNTAX 'OID' ) Values in this syntax are encoded according to the BNF given at the
start of section 4.2. For example,
6.2. Audio ( 2.5.4.0 NAME 'objectClass'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' )
The encoding of a value with Audio syntax is the octets of the value 6.2. Binary
itself, an 8KHz uncompressed encoding compatible with the SunOS
4.1.3 'play' utility. ( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' )
Values in this syntax are encoded as described in section 4.2.1.
6.3. BitString 6.3. BitString
The encoding of a value with BitString syntax is according to the ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )
following BNF:
<bitstring> ::= ''' <binary-digits> ''B' Values in this syntax are encoded according to the following BNF:
<binary-digits> ::= '0' <binary-digits> | '1' <binary-digits> | bitstring = "'" *binary-digit "'B"
empty
binary-digit = "0" / "1"
Example: Example:
'0101111101'B '0101111101'B
6.4. Boolean 6.4. Boolean
Values with Boolean syntax are encoded according to the following ( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )
BNF:
<boolean> ::= "TRUE" | "FALSE" Values in this syntax are encoded according to the following BNF:
boolean = "TRUE" / "FALSE"
Boolean values have an encoding of "TRUE" if they are logically true, Boolean values have an encoding of "TRUE" if they are logically true,
and have an encoding of "FALSE" otherwise. and have an encoding of "FALSE" otherwise.
6.5. Certificate 6.5. Certificate
Because of the changes from X.509(1988) and X.509(1993) and additional ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' )
changes to the ASN.1 definition to support certificate extensions, no
string representation is defined, and values with Certificate syntax Because of the changes from X.509(1988) and X.509(1993) and
MUST only be transferred using the binary encoding, by requesting or additional changes to the ASN.1 definition to support certificate
returning the attributes with descriptions "userCertificate;binary" or extensions, no string representation is defined, and values in
"caCertificate;binary". The BNF notation in RFC 1778 for this syntax MUST only be transferred using the binary encoding, by
"User Certificate" is not recommended to be used. requesting or returning the attributes with descriptions
"userCertificate;binary" or "caCertificate;binary". The BNF notation
in RFC 1778 for "User Certificate" is not recommended to be used.
6.6. CertificateList 6.6. CertificateList
( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' )
Because of the incompatibility of the X.509(1988) and X.509(1993) Because of the incompatibility of the X.509(1988) and X.509(1993)
definitions of revocation lists, values with CertificateList syntax definitions of revocation lists, values in this syntax MUST only be
MUST only be transferred using a binary encoding, by requesting or transferred using a binary encoding, by requesting or returning the
returning the attributes with descriptions attributes with descriptions "certificateRevocationList;binary" or
"certificateRevocationList;binary" or "authorityRevocationList;binary". "authorityRevocationList;binary". The BNF notation in RFC 1778 for
The BNF notation in RFC 1778 for "Authority Revocation List" is not "Authority Revocation List" is not recommended to be used.
recommended to be used.
6.7. CertificatePair 6.7. CertificatePair
Because the Certificate is being carried in binary, values with ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' )
CertificatePair syntax MUST only be transferred using a binary encoding,
by requesting or returning the attribute description Because the Certificate is being carried in binary, values in this
"crossCertificatePair;binary". The BNF notation in RFC 1778 for syntax MUST only be transferred using a binary encoding, by requesting
"Certificate Pair" is not recommended to be used. or returning the attribute description "crossCertificatePair;binary".
The BNF notation in RFC 1778 for "Certificate Pair" is not
recommended to be used.
6.8. CountryString 6.8. CountryString
A value of CountryString syntax is encoded the same as a value of ( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )
DirectoryString syntax. Note that this syntax is limited to values of
exactly two printable string characters.
<CountryString> ::= <p> <p> A value in this syntax is encoded the same as a value of
Directory String syntax. Note that this syntax is limited to values
of exactly two printable string characters.
CountryString = p p
Example: Example:
US US
6.9. DN 6.9. DN
Values with DN (Distinguished Name) syntax are encoded to have the ( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'DN' )
Values in the Distinguished Name syntax are encoded to have the
representation defined in [5]. Note that this representation is not representation defined in [5]. Note that this representation is not
reversible to an ASN.1 encoding used in X.500 for Distinguished Names, as reversible to an ASN.1 encoding used in X.500 for Distinguished
the CHOICE of any DirectoryString element in an RDN is no longer known. Names, as the CHOICE of any DirectoryString element in an RDN is no
longer known.
Examples (from [5]): Examples (from [5]):
CN=Steve Kille,O=Isode Limited,C=GB CN=Steve Kille,O=Isode Limited,C=GB
OU=Sales+CN=J. Smith,O=Widget Inc.,C=US OU=Sales+CN=J. Smith,O=Widget Inc.,C=US
CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB
CN=Before\0DAfter,O=Test,C=GB CN=Before\0DAfter,O=Test,C=GB
1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB
SN=Lu\C4\8Di\C4\C7 SN=Lu\C4\8Di\C4\87
6.10. DirectoryString 6.10. DirectoryString
A string with DirectoryString syntax is encoded in the UTF-8 form of ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )
ISO 10646 (a superset of Unicode). Servers and clients MUST be prepared to
receive encodings of arbitrary Unicode characters, including characters
not presently assigned to any character set, in values.
For characters in the PrintableString form, the value is encoded as the A string in this syntax is encoded in the UTF-8 form of ISO 10646
string value itself. (a superset of Unicode). Servers and clients MUST be prepared to
receive encodings of arbitrary Unicode characters, including
characters not presently assigned to any character set.
If it is of the TeletexString form, then the characters are transliterated For characters in the PrintableString form, the value is encoded as
to their equivalents in UniversalString, and encoded in UTF-8 [9]. the string value itself.
If it is of the UniversalString or BMPString forms [10], UTF-8 is used to If it is of the TeletexString form, then the characters are
encode them. transliterated to their equivalents in UniversalString, and encoded
in UTF-8 [9].
Note: the form of DirectoryString is not indicated in protocol unless the If it is of the UniversalString or BMPString forms [10], UTF-8 is
attribute value is carried in binary. Servers which convert to DAP MUST used to encode them.
choose an appropriate form. Servers MUST NOT reject values merely because
they contain legal Unicode characters outside of the range of printable Note: the form of DirectoryString is not indicated in protocol
ASCII. unless the attribute value is carried in binary. Servers which
convert to DAP MUST choose an appropriate form. Servers MUST NOT
reject values merely because they contain legal Unicode characters
outside of the range of printable ASCII.
Example: Example:
This is a string of DirectoryString containing #!%#@ This is a string of DirectoryString containing #!%#@
6.11. DITContentRuleDescription 6.11. DITContentRuleDescription
Values with this syntax are encoded according to the following BNF: ( 1.3.6.1.4.1.1466.115.121.1.16 DESC 'DIT Content Rule Description' )
<DITContentRuleDescription> ::= "(" Values in this syntax are encoded according to the following BNF.
<oid> -- Structural ObjectClass identifier Implementors should note that future versions of this document
[ "NAME" <DirectoryStrings> ] may have expanded this BNF to include additional terms.
[ "DESC" <DirectoryString> ]
DITContentRuleDescription = "("
numericoid ; Structural ObjectClass identifier
[ "NAME" qdescrs ]
[ "DESC" qdstring ]
[ "OBSOLETE" ] [ "OBSOLETE" ]
[ "AUX" <oids> ] -- Auxiliary ObjectClasses [ "AUX" oids ] ; Auxiliary ObjectClasses
[ "MUST" <oids> ] -- AttributeType identifiers [ "MUST" oids ] ; AttributeType identifiers
[ "MAY" <oids> ] -- AttributeType identifiers [ "MAY" oids ] ; AttributeType identifiers
[ "NOT" <oids> ] -- AttributeType identifiers [ "NOT" oids ] ; AttributeType identifiers
")" ")"
6.12. FacsimileTelephoneNumber 6.12. FacsimileTelephoneNumber
Values with the FacsimileTelephoneNumber syntax are encoded according ( 1.3.6.1.4.1.1466.115.121.1.22 DESC 'Facsimile Telephone Number' )
to the following BNF:
<fax-number> ::= <printablestring> [ '$' <faxparameters> ] Values in this syntax are encoded according to the following BNF:
<faxparameters> ::= <faxparm> | <faxparm> '$' <faxparameters> fax-number = printablestring [ "$" faxparameters ]
<faxparm> ::= 'twoDimensional' | 'fineResolution' | 'unlimitedLength' | faxparameters = faxparm / ( faxparm "$" faxparameters )
'b4Length' | 'a3Width' | 'b4Width' | 'uncompressed'
In the above, the first <printablestring> is the actual fax number, faxparm = "twoDimensional" / "fineResolution" /
and the <faxparm> tokens represent fax parameters. "unlimitedLength" /
"b4Length" / "a3Width" / "b4Width" / "uncompressed"
In the above, the first printablestring is the actual fax number,
and the faxparm tokens represent fax parameters.
6.13. Fax 6.13. Fax
Values with Fax syntax are encoded as if they were octet strings ( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' )
Values in this syntax are encoded as if they were octet strings
containing Group 3 Fax images as defined in [7]. containing Group 3 Fax images as defined in [7].
6.14. GeneralizedTime 6.14. GeneralizedTime
Values of this syntax are encoded as printable strings, represented ( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'Generalized Time' )
Values in this syntax are encoded as printable strings, represented
as specified in X.208. Note that the time zone must be specified. as specified in X.208. Note that the time zone must be specified.
It is strongly recommended that Zulu time zone be used. For example, It is strongly recommended that GMT time be used. For example,
199412161032Z 199412161032Z
6.15. IA5String 6.15. IA5String
The encoding of a value with IA5String syntax is the string value ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' )
itself.
The encoding of a value in this syntax is the string value itself.
6.16. INTEGER 6.16. INTEGER
Values with INTEGER syntax are encoded as the decimal representation ( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'INTEGER' )
Values in this syntax are encoded as the decimal representation
of their values, with each decimal digit represented by the its of their values, with each decimal digit represented by the its
character equivalent. So the number 1321 is represented by the character character equivalent. So the number 1321 is represented by the
string "1321". character string "1321".
6.17. JPEG 6.17. JPEG
Values with JPEG syntax are encoded as if they were octet strings ( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' )
containing JPEG images in the JPEG File Interchange Format (JFIF), as
described in [8].
6.18. MatchingRuleUseDescription Values in this syntax are encoded as strings containing JPEG images in
the JPEG File Interchange Format (JFIF), as described in [8].
Values of this syntax are encoded according to the following BNF: 6.18. Matching Rule Description
<MatchingRuleUseDescription> ::= "(" ( 1.3.6.1.4.1.1466.115.121.1.30 DESC 'Matching Rule Description' )
<oid> -- MatchingRule identifier
[ "NAME" <DirectoryStrings> ]
[ "DESC" <DirectoryString> ]
[ "OBSOLETE" ]
"APPLIES" <oids> -- AttributeType identifiers
")"
6.19. MHSORAddress Values of type matchingRules are encoded as strings according to
the BNF given in section 4.4.
Values of type MHSORAddress are encoded as strings, according to 6.19. Matching Rule Use Description
the format defined in [11].
6.20. NameAndOptionalUID ( 1.3.6.1.4.1.1466.115.121.1.31 DESC 'Matching Rule Use Description' )
The encoding of a value with the NameAndOptionalUID syntax is according Values of type matchingRuleUse are encoded as strings according to
to the following BNF: the BNF given in section 4.4.
<NameAndOptionalUID> ::= 6.20. MHS OR Address
<DistinguishedName> [ '#' <bitstring> ]
( 1.3.6.1.4.1.1466.115.121.1.33 DESC 'MHS OR Address' )
Values in this syntax are encoded as strings, according to the format
defined in [11].
6.21. Name And Optional UID
( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )
Values in this syntax are encoded according to the following BNF:
NameAndOptionalUID = DistinguishedName [ "#" bitstring ]
Although the '#' character may occur in a string representation of a Although the '#' character may occur in a string representation of a
distinguished name, no additional special quoting is done. distinguished name, no additional special quoting is done.
This syntax has been added subsequent to RFC 1778. This syntax has been added subsequent to RFC 1778.
Example: Example:
1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB#'0101'B 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB#'0101'B
6.21. NameFormDescription 6.22. Name Form Description
Values of this syntax are encoded according to the following BNF: ( 1.3.6.1.4.1.1466.115.121.1.35 DESC 'Name Form Description' )
<NameFormDescription> ::= "(" Values in this syntax are encoded according to the following BNF.
<oid> -- NameForm identifier Implementors should note that future versions of this document
[ "NAME" <DirectoryStrings> ] may have expanded this BNF to include additional terms.
[ "DESC" <DirectoryString> ]
[ "OBSOLETE" ]
"OC" <oid> -- Structural ObjectClass
"MUST" <oids> -- AttributeTypes
[ "MAY" <oids> ] -- AttributeTypes
")"
6.22. NumericString NameFormDescription = "(" whsp
numericoid whsp ; NameForm identifier
[ "NAME" qdescrs ]
[ "DESC" qdstring ]
[ "OBSOLETE" whsp ]
"OC" woid ; Structural ObjectClass
"MUST" oids ; AttributeTypes
[ "MAY" oids ] ; AttributeTypes
whsp ")"
The encoding of a string with the NumericString syntax is the string 6.23. Numeric String
value itself. Example:
1997 ( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )
6.23. ObjectClassDescription The encoding of a string in this syntax is the string value itself.
Example:
Values of this syntax are encoded according to the BNF in section 4.3. 1997
6.24. OID 6.24. Object Class Description
Values with OID (Object Identifier) syntax are encoded according to the ( 1.3.6.1.4.1.1466.115.121.1.37 DESC 'Object Class Description' )
following BNF:
<oid> ::= <descr> | <numericoid> Values in this syntax are encoded according to the BNF in section 4.3.
<descr> ::= <keystring> 6.25. OID
<numericoid> ::= <numericstring> | <numericstring> '.' <numericoid> ( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' )
In the above BNF, <descr> is the syntactic representation of an Values in the Object Identifier syntax are encoded according to
object descriptor, which consists of letters and digits, starting the BNF in section 4.1 for "oid".
with a letter. When encoding values with OID syntax, the first encoding
option MUST be used in preference to the second. That is, in encoding
object identifiers, object descriptors (where assigned and known by
the implementation) must be used in preference to numeric oids to
the greatest extent possible. All permitted object descriptors for use
in LDAP are given in this document. No other object descriptors may be
used. (Note that clients should expect that LDAPv2 implementations
will return object descriptors other than those listed.)
Example: Example:
1.2.3.4 1.2.3.4
cn cn
6.25. OtherMailbox 6.26. Other Mailbox
Values of the OtherMailbox syntax are encoded according to the
following BNF:
<otherMailbox> ::= <mailbox-type> '$' <mailbox>
<mailbox-type> ::= an encoded Printable String
<mailbox> ::= an encoded IA5 String ( 1.3.6.1.4.1.1466.115.121.1.39 DESC 'Other Mailbox' )
In the above, <mailbox-type> represents the type of mail system in Values in this syntax are encoded according to the following BNF:
which the mailbox resides, for example "MCIMail"; and <mailbox> is the
actual mailbox in the mail system defined by <mailbox-type>.
6.26. Password otherMailbox = mailbox-type "$" mailbox
Values with Password syntax are encoded as octet strings. mailbox-type = printablestring
Example: mailbox = <an encoded IA5 String>
secret In the above, mailbox-type represents the type of mail system in
which the mailbox resides, for example "MCIMail"; and mailbox is
the actual mailbox in the mail system defined by mailbox-type.
6.27. PostalAddress 6.27. PostalAddress
Values with the PostalAddress syntax are encoded according to the ( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )
following BNF:
<postal-address> ::= <dstring> | <dstring> '$' <postal-address> Values in this syntax are encoded according to the following BNF:
In the above, each <dstring> component of a postal address value is postal-address = dstring *( "$" dstring )
In the above, each dstring component of a postal address value is
encoded as a value of type DirectoryString syntax. Backslashes and encoded as a value of type DirectoryString syntax. Backslashes and
dollar characters, if they occur in the component, are quoted as dollar characters, if they occur in the component, are quoted as
described in section 4.2. described in section 4.2.
Example: Example:
1234 Main St.$Anytown, CA 12345$USA 1234 Main St.$Anytown, CA 12345$USA
\241,000,000 Sweepstakes$PO Box 1000000$Anytown, CA 12345$USA \241,000,000 Sweepstakes$PO Box 1000000$Anytown, CA 12345$USA
6.28. PresentationAddress 6.28. PresentationAddress
Values with the PresentationAddress syntax are encoded to have the ( 1.3.6.1.4.1.1466.115.121.1.43 DESC 'Presentation Address' )
representation described in [6].
Values in this syntax are encoded with the representation described
in RFC 1278 [6].
6.29. PrintableString 6.29. PrintableString
The encoding of a value with PrintableString syntax is the string ( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' )
value itself. PrintableString is limited to the characters in
production <p> of section 4.1. The encoding of a value in this syntax is the string value itself.
PrintableString is limited to the characters in production p of
section 4.1.
Example: Example:
This is a PrintableString This is a PrintableString
6.30. TelephoneNumber 6.30. TelephoneNumber
Values with the TelephoneNumber syntax are encoded as if they were ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' )
Printable String types. Telephone numbers are recommended in X.520 to
be in international form. Values in this syntax are encoded as if they were Printable String
types. Telephone numbers are recommended in X.520 to be in
international form.
Example: Example:
+1 512 305 0280 +1 512 305 0280
6.31. UTCTime 6.31. UTCTime
Values with UTCTime syntax are encoded as if they were printable ( 1.3.6.1.4.1.1466.115.121.1.53 DESC 'UTC Time' )
strings with the strings containing a UTCTime value. This is historical;
new attribute definitions will use GeneralizedTime instead. Values in this syntax are encoded as if they were printable
strings with the strings containing a UTCTime value. This is
historical; new attribute definitions SHOULD use GeneralizedTime
instead.
6.32. LDAP Syntax Description
( 1.3.6.1.4.1.1466.115.121.1.54 DESC 'LDAP Syntax Description' )
Values in this syntax are encoded according to the BNF in section
4.2.3.
7. Object Classes 7. Object Classes
Servers SHOULD recognize all the names of standard classes from section Servers SHOULD recognize all the names of standard classes from
7 of [12], as well as the names of the Internet classes from section section 7 of [12].
7 of [13].
7.1. Extensible Object Class 7.1. Extensible Object Class
The extensibleObject object class, if present in an entry, permits that The extensibleObject object class, if present in an entry, permits
entry to optionally hold any attribute. The MAY attribute list of this that entry to optionally hold any attribute. The MAY attribute list
class is implicitly the set of all attributes known to the server. of this class is implicitly the set of all attributes.
( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
SUP top AUXILIARY ) SUP top AUXILIARY )
The mandatory attributes of the other object classes of this entry are The mandatory attributes of the other object classes of this entry
still required to be present. are still required to be present.
Note that not all servers will implement this object class, and those Note that not all servers will implement this object class, and those
which do not will reject requests to add entries which contain this which do not will reject requests to add entries which contain this
object class, or modify an entry to add this object class. object class, or modify an entry to add this object class.
8. Matching Rules 8. Matching Rules
Servers which implement extensibleMatch SHOULD recognize the following Servers which implement the extensibleMatch filter SHOULD allow
matching rules, used for equality matching, and be capable of all the matching rules listed in this section to be used in the
performing the matching rules. For all these rules, the extensibleMatch. In general these servers SHOULD allow matching
assertion syntax is the same as the value syntax. rules to be used with all attribute types known to the server, when
the assertion syntax of the matching rule is the same as the value
syntax of the attribute.
( 2.5.13.0 NAME 'objectIdentifierMatch' SYNTAX 'OID' ) Servers MAY implement additional matching rules.
( 2.5.13.1 NAME 'distinguishedNameMatch' SYNTAX 'DN' )
( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 'DirectoryString' ) 8.1. Matching Rules used in Equality Filters
( 2.5.13.8 NAME 'numericStringMatch' SYNTAX 'NumericString' )
( 2.5.13.11 NAME 'caseIgnoreListMatch' SYNTAX 'PostalAddress' ) Servers SHOULD be capable of performing the following matching rules.
( 2.5.13.14 NAME 'integerMatch' SYNTAX 'INTEGER' )
( 2.5.13.16 NAME 'bitStringMatch' SYNTAX 'BitString' ) For all these rules, the assertion syntax is the same as the value
( 2.5.13.17 NAME 'octetStringMatch' SYNTAX 'Password' ) syntax.
( 2.5.13.20 NAME 'telephoneNumberMatch' SYNTAX 'TelephoneNumber' )
( 2.5.13.22 NAME 'presentationAddressMatch' SYNTAX 'PresentationAddress' ) ( 2.5.13.0 NAME 'objectIdentifierMatch'
( 2.5.13.23 NAME 'uniqueMemberMatch' SYNTAX 'NameAndOptionalUID' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' )
( 2.5.13.24 NAME 'protocolInformationMatch' SYNTAX 'ProtocolInformation' )
( 2.5.13.27 NAME 'generalizedTimeMatch' SYNTAX 'GeneralizedTime' ) ( 2.5.13.1 NAME 'distinguishedNameMatch'
( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' SYNTAX 'IA5String' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' SYNTAX 'IA5String' )
( 2.5.13.2 NAME 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
( 2.5.13.8 NAME 'numericStringMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
( 2.5.13.11 NAME 'caseIgnoreListMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.41' )
( 2.5.13.14 NAME 'integerMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
( 2.5.13.16 NAME 'bitStringMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.6' )
( 2.5.13.20 NAME 'telephoneNumberMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.50' )
( 2.5.13.22 NAME 'presentationAddressMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.43' )
( 2.5.13.23 NAME 'uniqueMemberMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.34' )
( 2.5.13.24 NAME 'protocolInformationMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.42' )
( 2.5.13.27 NAME 'generalizedTimeMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.24' )
( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
When performing the caseIgnoreMatch, caseIgnoreListMatch, When performing the caseIgnoreMatch, caseIgnoreListMatch,
telephoneNumberMatch, caseExactIA5Match and caseIgnoreIA5Match, telephoneNumberMatch, caseExactIA5Match and caseIgnoreIA5Match,
multiple adjoining whitespace characters are treated the same as an multiple adjoining whitespace characters are treated the same as an
individual space, and leading and trailing whitespace is ignored. individual space, and leading and trailing whitespace is ignored.
8.2. Matching Rules used in Inequality Filters
Servers SHOULD be capable of performing the following matching rules,
which are used in greaterOrEqual and lessOrEqual filters.
( 2.5.13.28 NAME 'generalizedTimeOrderingMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.24' )
( 2.5.13.3 NAME 'caseIgnoreOrderingMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
8.3. Matching Rules for Subschema Attributes
Servers which allow subschema entries to be modified by clients MUST
support the following matching rule, as it is the equality matching
rule for several of the subschema attributes.
( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' )
Implementors should note that the assertion syntax of this matching
rule, an OID, is different from the value syntax of attributes for
which this is the equality matching rule.
9. Security Considerations 9. Security Considerations
Security issues are not discussed in this memo. 9.1. Disclosure
Attributes of directory entries are used to provide descriptive
information about the real-world objects they represent, which can
be people, organizations or devices. Most countries have privacy
laws regarding the publication of information about people.
9.2. Use of Attribute Values in Security Applications
The transformations of an AttributeValue value from its X.501 form to
an LDAP string representation are not always reversible back to the
same BER or DER form. An example of a situation which requires the
DER form of a distinguished name is the verification of an X.509
certificate.
For example, a distinguished name consisting of one RDN with one AVA,
in which the type is commonName and the value is of the TeletexString
choice with the letters 'Sam' would be represented in LDAP as the
string CN=Sam. Another distinguished name in which the value is
still 'Sam' but of the PrintableString choice would have the same
representation CN=Sam.
Applications which require the reconstruction of the DER form of the
value SHOULD NOT use the string representation of attribute syntaxes
when converting a value to LDAP format. Instead it SHOULD use the
Binary syntax.
10. Acknowledgements 10. Acknowledgements
This document is based substantially on RFC 1778, written by Tim Howes, This document is based substantially on RFC 1778, written by Tim
Steve Kille, Wengyik Yeong and Colin Robbins. Howes, Steve Kille, Wengyik Yeong and Colin Robbins.
Many of the attribute syntax encodings defined in this document are Many of the attribute syntax encodings defined in this and
adapted from those used in the QUIPU and the IC R3 X.500 related documents are adapted from those used in the QUIPU and the
implementations. The contributions of the authors of both these IC R3 X.500 implementations. The contributions of the authors of both
implementations in the specification of syntaxes in this document are these implementations in the specification of syntaxes are gratefully
gratefully acknowledged. acknowledged.
11. Authors Addresses 11. Authors Addresses
Mark Wahl Mark Wahl
Critical Angle Inc. Critical Angle Inc.
4815 West Braker Lane #502-385 4815 West Braker Lane #502-385
Austin, TX 78759 Austin, TX 78759
USA USA
EMail: M.Wahl@critical-angle.com EMail: M.Wahl@critical-angle.com
skipping to change at line 838 skipping to change at line 1210
The Dome, The Square The Dome, The Square
Richmond Richmond
TW9 1DT TW9 1DT
UK UK
Phone: +44-181-332-9091 Phone: +44-181-332-9091
EMail: S.Kille@isode.com EMail: S.Kille@isode.com
12. Bibliography 12. Bibliography
[1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol [1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
(Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3-protocol-04.txt>, Protocol (Version 3)", INTERNET-DRAFT
March 1997. <draft-ietf-asid-ldapv3-protocol-05.txt>, June 1997.
[2] The Directory: Selected Attribute Types. ITU-T Recommendation [2] The Directory: Selected Attribute Types. ITU-T Recommendation
X.520, 1993. X.520, 1993.
[3] The Directory: Models. ITU-T Recommendation X.501, 1993. [3] The Directory: Models. ITU-T Recommendation X.501, 1993.
[4] S. Bradner, "Key words for use in RFCs to Indicate Requirement [4] S. Bradner, "Key words for use in RFCs to Indicate Requirement
Levels", INTERNET-DRAFT <draft-bradner-key-words-03.txt>. Levels", RFC 2119.
[5] M. Wahl, S. Kille, "A UTF-8 String Representation of Distinguished [5] M. Wahl, S. Kille, "A UTF-8 String Representation of
Names", INTERNET-DRAFT <draft-ietf-asid-ldapv3-dn-02.txt>, Distinguished Names", INTERNET-DRAFT
March 1997. <draft-ietf-asid-ldapv3-dn-03.txt>, April 1997.
[6] S. Kille, "A String Representation for Presentation Addresses", [6] S. Kille, "A String Representation for Presentation Addresses",
RFC 1278, University College London, November 1991. RFC 1278, University College London, November 1991.
[7] Terminal Equipment and Protocols for Telematic Services - [7] Terminal Equipment and Protocols for Telematic Services -
Standardization of Group 3 facsimile apparatus for document Standardization of Group 3 facsimile apparatus for document
transmission. CCITT, Recommendation T.4. transmission. CCITT, Recommendation T.4.
[8] JPEG File Interchange Format (Version 1.02). Eric Hamilton, [8] JPEG File Interchange Format (Version 1.02). Eric Hamilton,
C-Cube Microsystems, Milpitas, CA, September 1, 1992. C-Cube Microsystems, Milpitas, CA, September 1, 1992.
[9] F. Yergeau, "UTF-8, a transformation format of Unicode and ISO [9] F. Yergeau, "UTF-8, a transformation format of Unicode and ISO
10646", RFC 2044, October 1996. 10646", RFC 2044, October 1996.
[10] Universal Multiple-Octet Coded Character Set (UCS) - Architecture [10] Universal Multiple-Octet Coded Character Set (UCS) -
and Basic Multilingual Plane, ISO/IEC 10646-1 : 1993. Architecture and Basic Multilingual Plane, ISO/IEC 10646-1 :
1993 (With amendments).
[11] H. Alvestrand, S. Kille, R. Miles, M. Rose, S. Thompson, [11] S. Hardcastle-Kille, "Mapping between X.400(1988) / ISO 10021
"Mapping between X.400 and RFC-822 Message Bodies", RFC 1495, and RFC 822", RFC 1327, May 1992.
August 1993.
[12] M. Wahl, "X.500(93) User Schema for use with LDAP", [12] M. Wahl, "X.500(93) User Schema for use with LDAP",
INTERNET-DRAFT <draft-ietf-asid-ldapv3schema-x500-00.txt>, INTERNET-DRAFT <draft-ietf-asid-ldapv3schema-x500-01.txt>,
March 1997. June 1997.
[13] M. Wahl, "Pilot Internet Schema for use with LDAP", [13] D. Crocker, "Standard of the Format of ARPA-Internet Text
INTERNET-DRAFT <draft-ietf-asid-ldapv3schema-pilot-00.txt>, Messages", STD 11, RFC 822, August 1982.
March 1997.
<draft-ietf-asid-ldapv3-attributes-04.txt> <draft-ietf-asid-ldapv3-attributes-05.txt> Expires: November 1997
Expires: September 1997
 End of changes. 159 change blocks. 
408 lines changed or deleted 780 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/