# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
# DUA schema from draft-joslin-config-schema (a work in progress)
# Contents of this file are subject to change (including deletion)
# without notice.
#
# Not recommended for production use!
# Use with extreme caution!
## Notes:
## - The matching rule for attributes followReferrals and dereferenceAliases
## has been changed to booleanMatch since their syntax is boolean
## - There was a typo in the name of the dereferenceAliases attributeType
## in the DUAConfigProfile objectClass definition
## - Credit goes to the original Authors
#
# Application Working Group M. Ansari
# INTERNET-DRAFT Sun Microsystems, Inc.
# Expires February 2003 L. Howard
# PADL Software Pty. Ltd.
# B. Joslin [ed.]
# Hewlett-Packard Company
#
# September 15th, 2003
# Intended Category: Informational
#
#
# A Configuration Schema for LDAP Based
# Directory User Agents
# <draft-joslin-config-schema-07.txt>
#
#Status of this Memo
#
# This memo provides information for the Internet community. This
# memo does not specify an Internet standard of any kind. Distribu-
# tion of this memo is unlimited.
#
# This document is an Internet-Draft and is in full conformance with
# all provisions of Section 10 of RFC2026.
#
# This document is an Internet-Draft. Internet-Drafts are working
# documents of the Internet Engineering Task Force (IETF), its areas,
# and its working groups. Note that other groups may also distribute
# working documents as Internet-Drafts.
#
# Internet-Drafts are draft documents valid for a maximum of six
# months. Internet-Drafts may be updated, replaced, or made obsolete
# by other documents at any time. It is not appropriate to use
# Internet-Drafts as reference material or to cite them other than as
# a "working draft" or "work in progress".
#
# To learn the current status of any Internet-Draft, please check the
# 1id-abstracts.txt listing contained in the Internet-Drafts Shadow
# Directories on ds.internic.net (US East Coast), nic.nordu.net
# (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
# Rim).
#
# Distribution of this document is unlimited.
#
#
# Abstract
#
# This document describes a mechanism for global configuration of
# similar directory user agents. This document defines a schema for
# configuration of these DUAs that may be discovered using the Light-
# weight Directory Access Protocol in RFC 2251[17]. A set of attri-
# bute types and an objectclass are proposed, along with specific
# guidelines for interpreting them. A significant feature of the
# global configuration policy for DUAs is a mechanism that allows
# DUAs to re-configure their schema to that of the end user's
# environment. This configuration is achieved through attribute and
# objectclass mapping. This document is intended to be a skeleton
# for future documents that describe configuration of specific DUA
# services.
#
#
# [trimmed]
#
#
# 2. General Issues
#
# The schema defined by this document is defined under the "DUA Con-
# figuration Schema." This schema is derived from the OID: iso (1)
# org (3) dod (6) internet (1) private (4) enterprises (1) Hewlett-
# Packard Company (11) directory (1) LDAP-UX Integration Project (3)
# DUA Configuration Schema (1). This OID is represented in this
# document by the keystring "DUAConfSchemaOID"
# (1.3.6.1.4.1.11.1.3.1).
# OID macro for this schema. Later definitions write DUAConfSchemaOID:<suffix>
# instead of the numeric OID; e.g. DUAConfSchemaOID:1.0 expands to
# 1.3.6.1.4.1.11.1.3.1.1.0. The arc is the one spelled out in section 2 above
# (HP / LDAP-UX Integration Project / DUA Configuration Schema).
objectidentifier DUAConfSchemaOID 1.3.6.1.4.1.11.1.3.1
#
# 2.2 Attributes
#
# The attributes and classes defined in this document are summarized
# below.
#
# The following attributes are defined in this document:
#
# preferredServerList
# defaultServerList
# defaultSearchBase
# defaultSearchScope
# authenticationMethod
# credentialLevel
# serviceSearchDescriptor
#
#
#
# Joslin [Page 3]
# Internet-Draft DUA Configuration Schema October 2002
#
#
# serviceCredentialLevel
# serviceAuthenticationMethod
# attributeMap
# objectclassMap
# searchTimeLimit
# bindTimeLimit
# followReferrals
# dereferenceAliases
# profileTTL
#
# 2.3 Object Classes
#
# The following object class is defined in this document:
#
# DUAConfigProfile
#
#
# defaultServerList (DUAConfSchemaOID:1.0)
# Host address of the LDAP server a DUA uses by default.
# Syntax: Directory String (1.3.6.1.4.1.1466.115.121.1.15), compared
# case-insensitively; SINGLE-VALUE.
# NOTE(review): a DUA that reads this profile connects to whatever host is
# stored here, so write access to DUAConfigProfile entries should be limited
# to directory administrators — confirm against the deployment's ACLs.
# Continuation lines of a definition must begin with whitespace; slapd's
# config parser joins them to the preceding line.
attributeType ( DUAConfSchemaOID:1.0 NAME 'defaultServerList'
	DESC 'Default LDAP server host address used by a DUA'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE )
# defaultSearchBase (DUAConfSchemaOID:1.1)
# Base DN a DUA searches under by default.
# Syntax: DN (1.3.6.1.4.1.1466.115.121.1.12), matched with
# distinguishedNameMatch so values are compared as DNs rather than as
# strings; SINGLE-VALUE.
attributeType ( DUAConfSchemaOID:1.1 NAME 'defaultSearchBase'
	DESC 'Default LDAP base DN used by a DUA'
	EQUALITY distinguishedNameMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
	SINGLE-VALUE )
# preferredServerList (DUAConfSchemaOID:1.2)
# Host addresses of the LDAP servers a DUA should prefer.
# Syntax: Directory String (1.3.6.1.4.1.1466.115.121.1.15), compared
# case-insensitively; SINGLE-VALUE (the list is held as one string value).
# The DESC string is wrapped across two continuation lines; the parser
# joins them, which is why the second line starts with whitespace.
# NOTE(review): like defaultServerList, this steers which host clients talk
# to — keep the entry writable only by administrators (verify in ACLs).
attributeType ( DUAConfSchemaOID:1.2 NAME 'preferredServerList'
	DESC 'Preferred LDAP server host addresses to be used by a
	DUA'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE )
# searchTimeLimit (DUAConfSchemaOID:1.3)
# Upper bound, in seconds, a DUA allows for a search to complete.
# Syntax: INTEGER (1.3.6.1.4.1.1466.115.121.1.27) with integerMatch;
# SINGLE-VALUE. Units and the behaviour on expiry are defined by the DUA,
# not by this schema.
attributeType ( DUAConfSchemaOID:1.3 NAME 'searchTimeLimit'
	DESC 'Maximum time in seconds a DUA should allow for a
	search to complete'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# bindTimeLimit (DUAConfSchemaOID:1.4)
# Upper bound, in seconds, a DUA allows for the bind operation to complete.
# Syntax: INTEGER (1.3.6.1.4.1.1466.115.121.1.27) with integerMatch;
# SINGLE-VALUE. Same shape as searchTimeLimit, applied to the bind step.
attributeType ( DUAConfSchemaOID:1.4 NAME 'bindTimeLimit'
	DESC 'Maximum time in seconds a DUA should allow for the
	bind operation to complete'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# followReferrals (DUAConfSchemaOID:1.5)
# Whether the DUA follows referrals returned in a DSA search result.
# Syntax: Boolean (1.3.6.1.4.1.1466.115.121.1.7). EQUALITY booleanMatch is
# the rule that fits that syntax; the file header notes it replaced the
# matching rule used in the draft. SINGLE-VALUE.
# NOTE(review): following referrals sends the DUA to servers named by the
# DSA's response, so the value interacts with the server lists above —
# which servers a client ends up contacting depends on both.
attributeType ( DUAConfSchemaOID:1.5 NAME 'followReferrals'
	DESC 'Tells DUA if it should follow referrals
	returned by a DSA search result'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )
# dereferenceAliases (DUAConfSchemaOID:1.16)
# Whether the DUA dereferences aliases.
# Syntax: Boolean (1.3.6.1.4.1.1466.115.121.1.7) with booleanMatch (see the
# header note on the matching-rule change); SINGLE-VALUE.
# The OID suffix is 1.16 even though the definition sits between 1.5 and
# 1.6 in this file; the arc number, not the file position, identifies it.
attributeType ( DUAConfSchemaOID:1.16 NAME 'dereferenceAliases'
	DESC 'Tells DUA if it should dereference aliases'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )
# authenticationMethod (DUAConfSchemaOID:1.6)
# Keystring naming the authentication method a DUA uses to contact the DSA.
# Syntax: Directory String (1.3.6.1.4.1.1466.115.121.1.15), compared
# case-insensitively; SINGLE-VALUE. The set of valid keystrings is not
# defined in this file.
# NOTE(review): the DUA selects its bind method from this value, so a change
# to the profile changes how every client that reads it authenticates.
# Restrict who may modify it and review changes — confirm against the
# deployment's ACLs and change process.
attributeType ( DUAConfSchemaOID:1.6 NAME 'authenticationMethod'
	DESC 'A keystring which identifies the type of
	authentication method used to contact the DSA'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE )
# profileTTL (DUAConfSchemaOID:1.7)
# Seconds a client DUA may use this profile before re-reading it.
# Syntax: INTEGER (1.3.6.1.4.1.1466.115.121.1.27) with integerMatch;
# SINGLE-VALUE.
# NOTE(review): this bounds how long a DUA keeps a cached copy of the
# profile, so a correction to the profile (e.g. a server-list change) is not
# seen by clients until their TTL elapses — presumably; exact caching
# behaviour is up to the DUA implementation.
attributeType ( DUAConfSchemaOID:1.7 NAME 'profileTTL'
	DESC 'Time to live, in seconds, before a client DUA
	should re-read this configuration profile'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# serviceSearchDescriptor (DUAConfSchemaOID:1.14)
# Search descriptors (base/scope/filter information) a DUA uses per service.
# Syntax: Directory String (1.3.6.1.4.1.1466.115.121.1.15). Unlike the other
# string-valued attributes in this file it uses caseExactMatch, so values
# are compared case-sensitively. No SINGLE-VALUE: multi-valued, one
# descriptor per value.
attributeType ( DUAConfSchemaOID:1.14 NAME 'serviceSearchDescriptor'
	DESC 'LDAP search descriptor list used by a DUA'
	EQUALITY caseExactMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# attributeMap (DUAConfSchemaOID:1.9)
# Attribute-name mappings a DUA applies so it can work against a deployment
# whose schema names differ from the ones it expects (the abstract above
# describes this re-configuration mechanism).
# Syntax: IA5 String (1.3.6.1.4.1.1466.115.121.1.26) with caseIgnoreIA5Match;
# multi-valued (no SINGLE-VALUE). The mapping value format is not defined
# in this file.
attributeType ( DUAConfSchemaOID:1.9 NAME 'attributeMap'
	DESC 'Attribute mappings used by a DUA'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# credentialLevel (DUAConfSchemaOID:1.10)
# Type of credentials a DUA should use when binding to the LDAP server.
# Syntax: IA5 String (1.3.6.1.4.1.1466.115.121.1.26) with caseIgnoreIA5Match;
# SINGLE-VALUE. Valid keywords are not enumerated in this file.
# NOTE(review): together with authenticationMethod this decides how clients
# bind; treat it as security-sensitive configuration and keep it writable
# only by administrators — confirm in the deployment's ACLs.
attributeType ( DUAConfSchemaOID:1.10 NAME 'credentialLevel'
	DESC 'Identifies type of credentials a DUA should
	use when binding to the LDAP server'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )
# objectclassMap (DUAConfSchemaOID:1.11)
# Objectclass-name mappings a DUA applies, the counterpart of attributeMap
# for object classes.
# Syntax: IA5 String (1.3.6.1.4.1.1466.115.121.1.26) with caseIgnoreIA5Match;
# multi-valued (no SINGLE-VALUE). Note the NAME is spelled 'objectclassMap'
# (lower-case "class"); the DUAConfigProfile MAY list below uses the same
# spelling.
attributeType ( DUAConfSchemaOID:1.11 NAME 'objectclassMap'
	DESC 'Objectclass mappings used by a DUA'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# defaultSearchScope (DUAConfSchemaOID:1.12)
# Search scope a DUA uses by default.
# Syntax: IA5 String (1.3.6.1.4.1.1466.115.121.1.26) with caseIgnoreIA5Match;
# SINGLE-VALUE. The accepted scope keywords are not listed in this file.
attributeType ( DUAConfSchemaOID:1.12 NAME 'defaultSearchScope'
	DESC 'Default search scope used by a DUA'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )
# serviceCredentialLevel (DUAConfSchemaOID:1.13)
# Per-service override of credentialLevel: the credential type a DUA uses
# when binding on behalf of a specific service.
# Syntax: IA5 String (1.3.6.1.4.1.1466.115.121.1.26) with caseIgnoreIA5Match;
# multi-valued (no SINGLE-VALUE), one value per service. The DESC string
# spans three continuation lines.
# NOTE(review): security-sensitive for the same reason as credentialLevel;
# restrict write access (confirm in ACLs).
attributeType ( DUAConfSchemaOID:1.13 NAME 'serviceCredentialLevel'
	DESC 'Identifies type of credentials a DUA
	should use when binding to the LDAP server for a
	specific service'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# serviceAuthenticationMethod (DUAConfSchemaOID:1.15)
# Per-service override of authenticationMethod.
# Syntax: Directory String (1.3.6.1.4.1.1466.115.121.1.15), compared
# case-insensitively; multi-valued (no SINGLE-VALUE), one value per service.
# NOTE(review): security-sensitive for the same reason as
# authenticationMethod; restrict write access (confirm in ACLs).
attributeType ( DUAConfSchemaOID:1.15 NAME 'serviceAuthenticationMethod'
	DESC 'Authentication method used by a service of the DUA'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
# 4. Class Definition
#
# The objectclass below is constructed from the attributes defined in
# 3, with the exception of the cn attribute, which is defined in RFC
# 2256 [8]. cn is used to represent the name of the DUA configura-
# tion profile.
#
# DUAConfigProfile (DUAConfSchemaOID:2.5): STRUCTURAL class, SUP top.
# MUST: cn, which names the profile (section 4 above). MAY: all sixteen
# attribute types defined earlier in this file; they must be defined before
# this class so the names resolve when slapd loads the schema. The MAY list
# spells dereferenceAliases exactly as the attributeType above does — the
# header notes the draft had a typo here.
# NOTE(review): an entry of this class tells a DUA which servers to contact,
# how to bind (authenticationMethod, credentialLevel and their per-service
# variants), whether to follow referrals and dereference aliases, and how
# long to cache the profile (profileTTL). Treat these entries as
# security-sensitive configuration: limit write access to administrators
# and review modifications. ACL policy lives outside this file — confirm
# in the slapd configuration.
objectClass ( DUAConfSchemaOID:2.5 NAME 'DUAConfigProfile'
	SUP top STRUCTURAL
	DESC 'Abstraction of a base configuration for a DUA'
	MUST ( cn )
	MAY ( defaultServerList $ preferredServerList $
	defaultSearchBase $ defaultSearchScope $
	searchTimeLimit $ bindTimeLimit $
	credentialLevel $ authenticationMethod $
	followReferrals $ dereferenceAliases $
	serviceSearchDescriptor $ serviceCredentialLevel $
	serviceAuthenticationMethod $ objectclassMap $
	attributeMap $ profileTTL ) )