RFC 2256 Schema in LDAP v3

2. Abstract

 

   This document provides an overview of the attribute types and object classes defined by the ISO and ITU-T committees in the X.500 documents, in particular those intended for use by directory clients. This is the most widely used schema for LDAP/X.500 directories, and many other schema definitions for white pages objects use it as a basis. This document does not cover attributes used for the administration of X.500 directory servers, nor does it include attributes defined by other ISO/ITU-T documents.

 

5. Attribute Types

 

   An LDAP server implementation SHOULD recognize the attribute types described in this section.

   (LDAP服务器的实现应该可以识别下面列出的属性类型)

 

5.1. objectClass

 

   The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either "top" or "alias".

   objectClass属性描述了实体所表现的对象类型。objectClass存在于任意实体中，并且至少包含两个属性值，其中的一个值必须是top

或者alias。

 

5.2. aliasedObjectName

 

   The aliasedObjectName attribute is used by the directory service if the entry containing this attribute is an alias.

   如果包含这个属性的实体是alias的话，那么目录服务就使用aliasedObjectName。

 

5.3. knowledgeInformation

 

   This attribute is no longer used.

   这个属性已经不再使用。

 

5.4. cn

 

   This is the X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the

   person's full name.

   cn是X.500的commonName属性。包含一个对象的名字，如果对象是person的时候，cn经常代表用户的全名。

 

5.5. sn

 

   This is the X.500 surname attribute, which contains the family name of a person.

   sn是X.500的surname属性，保存了person的family name。

 

5.6. serialNumber

 

   This attribute contains the serial number of a device.

   serialNumber保存了一个设备的序列号。

 

5.7. c

 

   This attribute contains a two-letter ISO 3166 country code (countryName).

   c保存了一个两位数字的ISO国家代码(countryName)

 

5.8. l

 

   This attribute contains the name of a locality, such as a city, county or other geographic region (localityName).

   l属性保存了地域名称，例如城市，乡镇或者其他的地理区域(localityName)

 

5.9. st

 

   This attribute contains the full name of a state or province (stateOrProvinceName).

   st属性保存了州或者省的全名(stateOrProvinceName)

 

5.10. street

 

   This attribute contains the physical address of the object to which the entry corresponds, such as an address for package delivery (streetAddress).

   street属性保存了实体对应的对象的物理地址，例如包裹的邮寄地址。(streetAddress)

 

5.11. o

 

   This attribute contains the name of an organization (organizationName).

   o属性保存了组织的名字。(organizationName)

 

5.12. ou

 

   This attribute contains the name of an organizational unit (organizationalUnitName).

   ou属性保存了组织单元的名称(organizationalUnitName)

 

5.13. title

 

   This attribute contains the title, such as "Vice President", of person in their organizational context. The "personalTitle" attribute would be used for a person's title independent of their job function.

   title属性保存了person在组织体系中的头衔，例如”Vice President”，personTitle属性用于person的头衔独立于他们的工作范畴。

 

5.14. description

 

   This attribute contains a human-readable description of the object.

   description属性保存了对象的一个易于理解的描述。

 

5.15. searchGuide

 

   This attribute is for use by X.500 clients in constructing search filters. It is obsoleted by enhancedSearchGuide, described below in 5.48.

   searchGuide属性是由X.500客户端用来构造检索过滤器的。它由enhancedSearchGuide属性代替了。

 

5.16. businessCategory

 

   This attribute describes the kind of business performed by anorganization.

   businessCategory属性描述了一个组织的商业类型。

 

5.17. postalAddress

   邮寄地址属性。

 

5.18. postalCode

   邮政编码属性

 

5.19. postOfficeBox

   邮箱属性

 

5.20. physicalDeliveryOfficeName

 

   ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch

     SUBSTR caseIgnoreSubstringsMatch

     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

 

5.21. telephoneNumber

   电话号码属性

 

5.22. telexNumber

   电报号码属性

 

5.23. teletexTerminalIdentifier

   电报终端标识符

 

5.24. facsimileTelephoneNumber

   传真机号码。

 

5.25. x121Address

 

   ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch

     SUBSTR numericStringSubstringsMatch

     SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

 

5.26. internationaliSDNNumber

 

   ( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch

     SUBSTR numericStringSubstringsMatch

     SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

 

5.27. registeredAddress

 

  This attribute holds a postal address suitable for reception of telegrams or expedited documents, where it is necessary to have the recipient accept delivery.

   registeredAddress属性保留一个适合接收电报或者加快文件的邮寄地址，这个地址必须有接受者接受投递。

 

5.28. destinationIndicator

 

   This attribute is used for the telegram service.

   destinationIndicator属性被使用于电报服务。

 

5.29. preferredDeliveryMethod

 

    ( 2.5.4.28 NAME 'preferredDeliveryMethod'

      SYNTAX 1.3.6.1.4.1.1466.115.121.1.14

      SINGLE-VALUE )

 

5.30. presentationAddress

 

   This attribute contains an OSI presentation address.

   这个属性保存了一个OSI地址。

 

5.31. supportedApplicationContext

 

   This attribute contains the identifiers of OSI application contexts.

   supportedApplicationContext属性保存了OSI应用程序标识符。

 

5.32. member

 

    ( 2.5.4.31 NAME 'member' SUP distinguishedName )

 

5.33. owner

 

    ( 2.5.4.32 NAME 'owner' SUP distinguishedName )

 

5.34. roleOccupant

 

    ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName )

 

5.35. seeAlso

 

    ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )

 

5.36. userPassword

 

    ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch

      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

 

   Passwords are stored using an Octet String syntax and are not encrypted. Transfer of cleartext passwords are strongly discouraged where the underlying transport service cannot guarantee confidentiality and may result in disclosure of the password to unauthorized parties.

   密码使用8位字节的字符串进行明文存储。

5.37. userCertificate

 

   This attribute is to be stored and requested in the binary form, as 'userCertificate;binary'.

   userCertificate属性通过二进制方式存储和请求，例如”userCertificate;binary”.

 

5.38. cACertificate

 

   This attribute is to be stored and requested in the binary form, as 'cACertificate;binary'.

cACertificate属性通过二进制方式存储和请求，例如”cACertificate;binary”.

 

5.39. authorityRevocationList

 

   This attribute is to be stored and requested in the binary form, as 'authorityRevocationList;binary'.

   authorityRevocationList属性通过二进制方式存储和请求，例如" authorityRevocationList;binary”.

 

5.40. certificateRevocationList

 

   This attribute is to be stored and requested in the binary form, as 'certificateRevocationList;binary'.

 

5.41. crossCertificatePair

 

   This attribute is to be stored and requested in the binary form, as 'crossCertificatePair;binary'.

 

5.42. name

 

   The name attribute type is the attribute supertype from which string attribute types typically used for naming may be formed. It is unlikely that values of this type itself will occur in an entry. LDAP server implementations which do not support attribute subtyping need not recognize this attribute in requests.   Client implementations MUST NOT assume that LDAP servers are capable of performing attribute subtyping.

    ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch

      SUBSTR caseIgnoreSubstringsMatch

      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

 

5.43. givenName

 

   The givenName attribute is used to hold the part of a person's name which is not their surname nor middle name.

   givenName属性用来表示person的部分名字，既不是surname也不是middlename。

 

5.44. initials

 

   The initials attribute contains the initials of some or all of an individuals names, but not the surname(s).

   initials属性包含了一个人的名字中的一些或者全部首字母，但不是surname(s)。

 

5.45. generationQualifier

 

   The generationQualifier attribute contains the part of the name which typically is the suffix, as in “IIIrd”.

 

5.46. x500UniqueIdentifier

 

   The x500UniqueIdentifier attribute is used to distinguish between objects when a distinguished name has been reused. This is a different attribute type from both the “uid” and “uniqueIdentifier” types.

 

5.47. dnQualifier

 

   The dnQualifier attribute type specifies disambiguating information to add to the relative distinguished name of an entry. It is intended for use when merging data from multiple sources in order to prevent conflicts between entries which would otherwise have the same name. It is recommended that the value of the dnQualifier attribute be the same for all entries from a particular source.

 

    ( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch

      ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch

      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

 

5.48. enhancedSearchGuide

 

   This attribute is for use by X.500 clients in constructing search filters.

   enhancedSearchGuide属性由X.500客户端用来构造检索过滤器。

 

5.49. protocolInformation

 

   This attribute is used in conjunction with the presentationAddress attribute, to provide additional information to the OSI network service.

   protocolInformation属性用来和presentationAddress属性联合使用，提供OSI网络服务的其他信息。

 

5.50. distinguishedName

 

   This attribute type is not used as the name of the object itself, but it is instead a base type from which attributes with DN syntax inherit.

 

   It is unlikely that values of this type itself will occur in an entry. LDAP server implementations which do not support attribute subtyping need not recognize this attribute in requests.   Client implementations MUST NOT assume that LDAP servers are capable of performing attribute subtyping.

 

    ( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch

      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

 

5.51. uniqueMember

   唯一的成员。

 

5.52. houseIdentifier

 

   This attribute is used to identify a building within a location.

 

    ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch

      SUBSTR caseIgnoreSubstringsMatch

      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

 

5.53. supportedAlgorithms

 

   This attribute is to be stored and requested in the binary form, as 'supportedAlgorithms;binary'.

   supportedAlgorithms属性包含了支持的算法。

 

5.54. deltaRevocationList

 

   This attribute is to be stored and requested in the binary form, as 'deltaRevocationList;binary'.

 

    ( 2.5.4.53 NAME 'deltaRevocationList'

      SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

 

5.55. dmdName

 

   The value of this attribute specifies a directory management domain (DMD), the administrative authority which operates the directory server.

 

    ( 2.5.4.54 NAME 'dmdName' SUP name )

 

7. Object Classes

 

   LDAP servers MUST recognize the object classes “top” and “subschema”.

   LDAP servers SHOULD recognize all the other object classes listed

   here as values of the objectClass attribute.

   LDAP服务器必须能够识别top和subschema这两个object class。LDAP服务器应该可以识别其他的object class。

7.1. top

 

   ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

7.2. alias

 

   ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )

 

7.3. country

 

   ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c

     MAY ( searchGuide $ description ) )

 

7.4. locality

 

   ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL

     MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )

 

7.5. organization

 

   ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o

     MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $

     x121Address $ registeredAddress $ destinationIndicator $

     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $

     telephoneNumber $ internationaliSDNNumber $

     facsimileTelephoneNumber $

     street $ postOfficeBox $ postalCode $ postalAddress $

     physicalDeliveryOfficeName $ st $ l $ description ) )

 

7.6. organizationalUnit

 

   ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou

     MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $

     x121Address $ registeredAddress $ destinationIndicator $

     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $

     telephoneNumber $ internationaliSDNNumber $

     facsimileTelephoneNumber $

     street $ postOfficeBox $ postalCode $ postalAddress $

     physicalDeliveryOfficeName $ st $ l $ description ) )

 

7.7. person

 

   ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )

     MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

 

7.8. organizationalPerson

 

   ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL

     MAY ( title $ x121Address $ registeredAddress $

     destinationIndicator $

     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $

     telephoneNumber $ internationaliSDNNumber $

     facsimileTelephoneNumber $

     street $ postOfficeBox $ postalCode $ postalAddress $

     physicalDeliveryOfficeName $ ou $ st $ l ) )

 

7.9. organizationalRole

 

   ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn

     MAY ( x121Address $ registeredAddress $ destinationIndicator $

     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $

     telephoneNumber $ internationaliSDNNumber $

     facsimileTelephoneNumber $

     seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $

     postOfficeBox $ postalCode $ postalAddress $

     physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

 

7.10. groupOfNames

 

   ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )

     MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

 

7.11. residentialPerson

 

   ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l

     MAY ( businessCategory $ x121Address $ registeredAddress $

     destinationIndicator $ preferredDeliveryMethod $ telexNumber $

     teletexTerminalIdentifier $ telephoneNumber $

     internationaliSDNNumber $

     facsimileTelephoneNumber $ preferredDeliveryMethod $ street $

     postOfficeBox $ postalCode $ postalAddress $

     physicalDeliveryOfficeName $ st $ l ) )

 

7.12. applicationProcess

 

   ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn

     MAY ( seeAlso $ ou $ l $ description ) )

 

7.13. applicationEntity

 

   ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL

     MUST ( presentationAddress $ cn )

     MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $

     description ) )

 

7.14. dSA

 

   ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL

     MAY knowledgeInformation )

 

7.15. device

 

   ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn

     MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )

 

7.16. strongAuthenticationUser

 

   ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY

     MUST userCertificate )

 

7.17. certificationAuthority

 

   ( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY

     MUST ( authorityRevocationList $ certificateRevocationList $

     cACertificate ) MAY crossCertificatePair )

 

7.18. groupOfUniqueNames

 

   ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL

     MUST ( uniqueMember $ cn )

     MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

 

7.19. userSecurityInformation

 

   ( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY

     MAY ( supportedAlgorithms ) )

 

7.20. certificationAuthority-V2

 

   ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP

     certificationAuthority

     AUXILIARY MAY ( deltaRevocationList ) )

 

7.21. cRLDistributionPoint

 

   ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL

     MUST ( cn ) MAY ( certificateRevocationList $

     authorityRevocationList $

     deltaRevocationList ) )

 

7.22. dmd

 

   ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName )

     MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $

     x121Address $ registeredAddress $ destinationIndicator $

     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $

     telephoneNumber $ internationaliSDNNumber $

     facsimileTelephoneNumber $

     street $ postOfficeBox $ postalCode $ postalAddress $

     physicalDeliveryOfficeName $ st $ l $ description ) )