解析LDAP的Schema（v3）

2. Abstract

   This document provides an overview of the attribute types and object classes defined by the ISO and ITU-T committees in the X.500 documents, in particular those intended for use by directory clients. This is the most widely used schema for LDAP/X.500 directories, and many other schema definitions for white pages objects use it as a basis. This document does not cover attributes used for the administration of X.500 directory servers, nor does it include attributes defined by other ISO/ITU-T documents.

5. Attribute Types

   An LDAP server implementation SHOULD recognize the attribute types described in this section.
   (LDAP服务器的实现应该可以识别下面列出的属性类型)

5.1. objectClass

   The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either "top" or "alias".
   objectClass属性描述了实体所表现的对象类型。objectClass存在于任意实体中，并且至少包含两个属性值，其中的一个值必须是top
或者alias。

5.2. aliasedObjectName

   The aliasedObjectName attribute is used by the directory service if the entry containing this attribute is an alias.
   如果包含这个属性的实体是alias的话，那么目录服务就使用aliasedObjectName。

5.3. knowledgeInformation

   This attribute is no longer used.
   这个属性已经不再使用。

5.4. cn

   This is the X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the
   person's full name.
   cn是X.500的commonName属性。包含一个对象的名字，如果对象是person的时候，cn经常代表用户的全名，如：黄晓明。

5.5. sn

   This is the X.500 surname attribute, which contains the family name of a person.
   sn是X.500的surname属性，保存了person的family name，如：赵。

5.6. serialNumber

   This attribute contains the serial number of a device.
   serialNumber保存了一个设备的序列号。

5.7. c

   This attribute contains a two-letter ISO 3166 country code (countryName).
   c保存了一个两位数字的ISO国家代码(countryName)

5.8. l

   This attribute contains the name of a locality, such as a city, county or other geographic region (localityName).
   l属性保存了地域名称，例如城市，乡镇或者其他的地理区域(localityName)

5.9. st

   This attribute contains the full name of a state or province (stateOrProvinceName).
   st属性保存了州或者省的全名(stateOrProvinceName)

5.10. street

   This attribute contains the physical address of the object to which the entry corresponds, such as an address for package delivery (streetAddress).
   street属性保存了实体对应的对象的物理地址，例如包裹的邮寄地址。(streetAddress)

5.11. o

   This attribute contains the name of an organization (organizationName).
   o属性保存了组织的名字。(organizationName)。（可代表一个公司）

5.12. ou

   This attribute contains the name of an organizational unit (organizationalUnitName).
   ou属性保存了组织单元的名称(organizationalUnitName)。(可代表公司的一个部门)

5.13. title

   This attribute contains the title, such as "Vice President", of person in their organizational context. The "personalTitle" attribute would be used for a person's title independent of their job function.
   title属性保存了person在组织体系中的头衔，例如”Vice President”，personTitle属性用于person的头衔独立于他们的工作范畴。（可代表职位）

5.14. description

   This attribute contains a human-readable description of the object.
   description属性保存了对象的一个易于理解的描述。

5.15. searchGuide

   This attribute is for use by X.500 clients in constructing search filters. It is obsoleted by enhancedSearchGuide, described below in 5.48.
   searchGuide属性是由X.500客户端用来构造检索过滤器的。它由enhancedSearchGuide属性代替了。

5.16. businessCategory

   This attribute describes the kind of business performed by anorganization.
   businessCategory属性描述了一个组织的商业类型。

5.17. postalAddress
   邮寄地址属性。

5.18. postalCode
   邮政编码属性

5.19. postOfficeBox
   邮箱属性

5.20. physicalDeliveryOfficeName

   ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

5.21. telephoneNumber
   电话号码属性

5.22. telexNumber
   电报号码属性

5.23. teletexTerminalIdentifier
   电报终端标识符

5.24. facsimileTelephoneNumber
   传真机号码。

5.25. x121Address

   ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch
     SUBSTR numericStringSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )

5.26. internationaliSDNNumber

   ( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch
     SUBSTR numericStringSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )

5.27. registeredAddress

  This attribute holds a postal address suitable for reception of telegrams or expedited documents, where it is necessary to have the recipient accept delivery.
   registeredAddress属性保留一个适合接收电报或者加快文件的邮寄地址，这个地址必须有接受者接受投递。

5.28. destinationIndicator

   This attribute is used for the telegram service.
   destinationIndicator属性被使用于电报服务。

5.29. preferredDeliveryMethod

    ( 2.5.4.28 NAME 'preferredDeliveryMethod'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
      SINGLE-VALUE )

5.30. presentationAddress

   This attribute contains an OSI presentation address.
   这个属性保存了一个OSI地址。

5.31. supportedApplicationContext

   This attribute contains the identifiers of OSI application contexts.
   supportedApplicationContext属性保存了OSI应用程序标识符。

5.32. member

    ( 2.5.4.31 NAME 'member' SUP distinguishedName )

5.33. owner

    ( 2.5.4.32 NAME 'owner' SUP distinguishedName )

5.34. roleOccupant

    ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName )

5.35. seeAlso

    ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )

5.36. userPassword

    ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

   Passwords are stored using an Octet String syntax and are not encrypted. Transfer of cleartext passwords are strongly discouraged where the underlying transport service cannot guarantee confidentiality and may result in disclosure of the password to unauthorized parties.
   密码使用8位字节的字符串进行明文存储。

5.37. userCertificate

   This attribute is to be stored and requested in the binary form, as 'userCertificate;binary'.
   userCertificate属性通过二进制方式存储和请求，例如”userCertificate;binary”.

5.38. cACertificate

   This attribute is to be stored and requested in the binary form, as 'cACertificate;binary'.
cACertificate属性通过二进制方式存储和请求，例如”cACertificate;binary”.

5.39. authorityRevocationList

   This attribute is to be stored and requested in the binary form, as 'authorityRevocationList;binary'.
   authorityRevocationList属性通过二进制方式存储和请求，例如" authorityRevocationList;binary”.

5.40. certificateRevocationList

   This attribute is to be stored and requested in the binary form, as 'certificateRevocationList;binary'.

5.41. crossCertificatePair

   This attribute is to be stored and requested in the binary form, as 'crossCertificatePair;binary'.

5.42. name

   The name attribute type is the attribute supertype from which string attribute types typically used for naming may be formed. It is unlikely that values of this type itself will occur in an entry. LDAP server implementations which do not support attribute subtyping need not recognize this attribute in requests.   Client implementations MUST NOT assume that LDAP servers are capable of performing attribute subtyping.
    ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

5.43. givenName

   The givenName attribute is used to hold the part of a person's name which is not their surname nor middle name.
   givenName属性用来表示person的部分名字，既不是surname也不是middlename。

5.44. initials

   The initials attribute contains the initials of some or all of an individuals names, but not the surname(s).
   initials属性包含了一个人的名字中的一些或者全部首字母，但不是surname(s)。

5.45. generationQualifier

   The generationQualifier attribute contains the part of the name which typically is the suffix, as in “IIIrd”.

5.46. x500UniqueIdentifier

   The x500UniqueIdentifier attribute is used to distinguish between objects when a distinguished name has been reused. This is a different attribute type from both the “uid” and “uniqueIdentifier” types.

5.47. dnQualifier

   The dnQualifier attribute type specifies disambiguating information to add to the relative distinguished name of an entry. It is intended for use when merging data from multiple sources in order to prevent conflicts between entries which would otherwise have the same name. It is recommended that the value of the dnQualifier attribute be the same for all entries from a particular source.

    ( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )

5.48. enhancedSearchGuide

   This attribute is for use by X.500 clients in constructing search filters.
   enhancedSearchGuide属性由X.500客户端用来构造检索过滤器。

5.49. protocolInformation

   This attribute is used in conjunction with the presentationAddress attribute, to provide additional information to the OSI network service.
   protocolInformation属性用来和presentationAddress属性联合使用，提供OSI网络服务的其他信息。

5.50. distinguishedName

   This attribute type is not used as the name of the object itself, but it is instead a base type from which attributes with DN syntax inherit.

   It is unlikely that values of this type itself will occur in an entry. LDAP server implementations which do not support attribute subtyping need not recognize this attribute in requests.   Client implementations MUST NOT assume that LDAP servers are capable of performing attribute subtyping.

    ( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

5.51. uniqueMember
   唯一的成员。

5.52. houseIdentifier

   This attribute is used to identify a building within a location.

    ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

5.53. supportedAlgorithms

   This attribute is to be stored and requested in the binary form, as 'supportedAlgorithms;binary'.
   supportedAlgorithms属性包含了支持的算法。

5.54. deltaRevocationList

   This attribute is to be stored and requested in the binary form, as 'deltaRevocationList;binary'.

    ( 2.5.4.53 NAME 'deltaRevocationList'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

5.55. dmdName

   The value of this attribute specifies a directory management domain (DMD), the administrative authority which operates the directory server.

    ( 2.5.4.54 NAME 'dmdName' SUP name )

7. Object Classes

   LDAP servers MUST recognize the object classes “top” and “subschema”.
   LDAP servers SHOULD recognize all the other object classes listed
   here as values of the objectClass attribute.
   LDAP服务器必须能够识别top和subschema这两个object class。LDAP服务器应该可以识别其他的object class。
7.1. top

   ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
7.2. alias

   ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )

7.3. country

   ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c
     MAY ( searchGuide $ description ) )

7.4. locality

   ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL
     MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )

7.5. organization

   ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o
     MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
     x121Address $ registeredAddress $ destinationIndicator $
     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
     telephoneNumber $ internationaliSDNNumber $
     facsimileTelephoneNumber $
     street $ postOfficeBox $ postalCode $ postalAddress $
     physicalDeliveryOfficeName $ st $ l $ description ) )

7.6. organizationalUnit

   ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou
     MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
     x121Address $ registeredAddress $ destinationIndicator $
     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
     telephoneNumber $ internationaliSDNNumber $
     facsimileTelephoneNumber $
     street $ postOfficeBox $ postalCode $ postalAddress $
     physicalDeliveryOfficeName $ st $ l $ description ) )

7.7. person

   ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
     MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

7.8. organizationalPerson

   ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
     MAY ( title $ x121Address $ registeredAddress $
     destinationIndicator $
     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
     telephoneNumber $ internationaliSDNNumber $
     facsimileTelephoneNumber $
     street $ postOfficeBox $ postalCode $ postalAddress $
     physicalDeliveryOfficeName $ ou $ st $ l ) )

7.9. organizationalRole

   ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
     MAY ( x121Address $ registeredAddress $ destinationIndicator $
     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
     telephoneNumber $ internationaliSDNNumber $
     facsimileTelephoneNumber $
     seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
     postOfficeBox $ postalCode $ postalAddress $
     physicalDeliveryOfficeName $ ou $ st $ l $ description ) )

7.10. groupOfNames

   ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )
     MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

7.11. residentialPerson

   ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l
     MAY ( businessCategory $ x121Address $ registeredAddress $
     destinationIndicator $ preferredDeliveryMethod $ telexNumber $
     teletexTerminalIdentifier $ telephoneNumber $
     internationaliSDNNumber $
     facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
     postOfficeBox $ postalCode $ postalAddress $
     physicalDeliveryOfficeName $ st $ l ) )

7.12. applicationProcess

   ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn
     MAY ( seeAlso $ ou $ l $ description ) )

7.13. applicationEntity

   ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL
     MUST ( presentationAddress $ cn )
     MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
     description ) )

7.14. dSA

   ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL
     MAY knowledgeInformation )

7.15. device

   ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn
     MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )

7.16. strongAuthenticationUser

   ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY
     MUST userCertificate )

7.17. certificationAuthority

   ( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY
     MUST ( authorityRevocationList $ certificateRevocationList $
     cACertificate ) MAY crossCertificatePair )

7.18. groupOfUniqueNames

   ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL
     MUST ( uniqueMember $ cn )
     MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

7.19. userSecurityInformation

   ( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY
     MAY ( supportedAlgorithms ) )

7.20. certificationAuthority-V2

   ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP
     certificationAuthority
     AUXILIARY MAY ( deltaRevocationList ) )

7.21. cRLDistributionPoint

   ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL
     MUST ( cn ) MAY ( certificateRevocationList $
     authorityRevocationList $
     deltaRevocationList ) )

7.22. dmd

   ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName )
     MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
     x121Address $ registeredAddress $ destinationIndicator $
     preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
     telephoneNumber $ internationaliSDNNumber $
     facsimileTelephoneNumber $
     street $ postOfficeBox $ postalCode $ postalAddress $
     physicalDeliveryOfficeName $ st $ l $ description ) )


本文来自CSDN博客，转载请标明出处：http://blog.csdn.net/njchenyi/archive/2008/01/16/2046963.aspx