# OpenLDAP X.509 PMI schema
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (1997-2006).
## All Rights Reserved.
##
## This document and translations of it may be copied and furnished to
## others, and derivative works that comment on or otherwise explain it
## or assist in its implementation may be prepared, copied, published
## and distributed, in whole or in part, without restriction of any
## kind, provided that the above copyright notice and this paragraph are
## included on all such copies and derivative works. However, this
## document itself may not be modified in any way, such as by removing
## the copyright notice or references to the Internet Society or other
## Internet organizations, except as needed for the purpose of
## developing Internet standards in which case the procedures for
## copyrights defined in the Internet Standards process must be
## followed, or as required to translate it into languages other than
## English.
##
## The limited permissions granted above are perpetual and will not be
## revoked by the Internet Society or its successors or assigns.
##
## This document and the information contained herein is provided on an
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
## Includes LDAPv3 schema items from:
# ITU X.509 (08/2005)
#
## X.509 (08/2005) pp. 120-121
##
## -- object identifier assignments --
## -- object classes --
## id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24}
## id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25}
## id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26}
## id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27}
## id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32}
## id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33}
## id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34}
## -- directory attributes --
## id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
## id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61}
## id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62}
## id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63}
## id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71}
## id-at-role OBJECT IDENTIFIER ::= {id-at 72}
## id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73}
## id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74}
## id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75}
## id-at-xMLPprotPrivPolicy OBJECT IDENTIFIER ::= {id-at 76}
## -- attribute certificate extensions --
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
## id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
## id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45}
## id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46}
## id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53}
## id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54}
## id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55}
## id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56}
## id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57}
## id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58}
## id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59}
## id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61}
## id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66}
## id-mr-indirectIssuerMatch OBJECT IDENTIFIER ::= {id-mr 67}
##
##
## X.509 (08/2005) pp. 71, 86-89
##
## 14.4.1 Role attribute
## role ATTRIBUTE ::= {
##	WITH SYNTAX RoleSyntax
##	ID id-at-role }
## RoleSyntax ::= SEQUENCE {
##	roleAuthority [0] GeneralNames OPTIONAL,
##	roleName [1] GeneralName }
##
## 14.5 XML privilege information attribute
## xmlPrivilegeInfo ATTRIBUTE ::= {
##	WITH SYNTAX UTF8String -- contains XML-encoded privilege information
##	ID id-at-xMLPrivilegeInfo }
##
## 17.1 PMI directory object classes
##
## 17.1.1 PMI user object class
## pmiUser OBJECT-CLASS ::= {
##	-- a PMI user (i.e., a "holder")
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {attributeCertificateAttribute}
##	ID id-oc-pmiUser }
##
## 17.1.2 PMI AA object class
## pmiAA OBJECT-CLASS ::= {
##	-- a PMI AA
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {aACertificate |
##		attributeCertificateRevocationList |
##		attributeAuthorityRevocationList}
##	ID id-oc-pmiAA }
##
## 17.1.3 PMI SOA object class
## pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {attributeCertificateRevocationList |
##		attributeAuthorityRevocationList |
##		attributeDescriptorCertificate}
##	ID id-oc-pmiSOA }
##
## 17.1.4 Attribute certificate CRL distribution point object class
## attCertCRLDistributionPt OBJECT-CLASS ::= {
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN { attributeCertificateRevocationList |
##		attributeAuthorityRevocationList }
##	ID id-oc-attCertCRLDistributionPts }
##
## 17.1.5 PMI delegation path
## pmiDelegationPath OBJECT-CLASS ::= {
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN { delegationPath }
##	ID id-oc-pmiDelegationPath }
##
## 17.1.6 Privilege policy object class
## privilegePolicy OBJECT-CLASS ::= {
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {privPolicy }
##	ID id-oc-privilegePolicy }
##
## 17.1.7 Protected privilege policy object class
## protectedPrivilegePolicy OBJECT-CLASS ::= {
##	SUBCLASS OF {top}
##	KIND auxiliary
##	MAY CONTAIN {protPrivPolicy }
##	ID id-oc-protectedPrivilegePolicy }
##
## 17.2 PMI Directory attributes
##
## 17.2.1 Attribute certificate attribute
## attributeCertificateAttribute ATTRIBUTE ::= {
##	WITH SYNTAX AttributeCertificate
##	EQUALITY MATCHING RULE attributeCertificateExactMatch
##	ID id-at-attributeCertificate }
##
## 17.2.2 AA certificate attribute
## aACertificate ATTRIBUTE ::= {
##	WITH SYNTAX AttributeCertificate
##	EQUALITY MATCHING RULE attributeCertificateExactMatch
##	ID id-at-aACertificate }
##
## 17.2.3 Attribute descriptor certificate attribute
## attributeDescriptorCertificate ATTRIBUTE ::= {
##	WITH SYNTAX AttributeCertificate
##	EQUALITY MATCHING RULE attributeCertificateExactMatch
##	ID id-at-attributeDescriptorCertificate }
##
## 17.2.4 Attribute certificate revocation list attribute
## attributeCertificateRevocationList ATTRIBUTE ::= {
##	WITH SYNTAX CertificateList
##	EQUALITY MATCHING RULE certificateListExactMatch
##	ID id-at-attributeCertificateRevocationList}
##
## 17.2.5 AA certificate revocation list attribute
## attributeAuthorityRevocationList ATTRIBUTE ::= {
##	WITH SYNTAX CertificateList
##	EQUALITY MATCHING RULE certificateListExactMatch
##	ID id-at-attributeAuthorityRevocationList }
##
## 17.2.6 Delegation path attribute
## delegationPath ATTRIBUTE ::= {
##	WITH SYNTAX AttCertPath
##	ID id-at-delegationPath }
## AttCertPath ::= SEQUENCE OF AttributeCertificate
##
## 17.2.7 Privilege policy attribute
## privPolicy ATTRIBUTE ::= {
##	WITH SYNTAX PolicySyntax
##	ID id-at-privPolicy }
##
## 17.2.8 Protected privilege policy attribute
## protPrivPolicy ATTRIBUTE ::= {
##	WITH SYNTAX AttributeCertificate
##	EQUALITY MATCHING RULE attributeCertificateExactMatch
##	ID id-at-protPrivPolicy }
##
## 17.2.9 XML Protected privilege policy attribute
## xmlPrivPolicy ATTRIBUTE ::= {
##	WITH SYNTAX UTF8String -- contains XML-encoded privilege policy information
##	ID id-at-xMLPprotPrivPolicy }
##
## -- object identifier assignments --
## -- object classes --
objectidentifier id-oc-pmiUser 2.5.6.24
objectidentifier id-oc-pmiAA 2.5.6.25
objectidentifier id-oc-pmiSOA 2.5.6.26
objectidentifier id-oc-attCertCRLDistributionPts 2.5.6.27
objectidentifier id-oc-privilegePolicy 2.5.6.32
objectidentifier id-oc-pmiDelegationPath 2.5.6.33
objectidentifier id-oc-protectedPrivilegePolicy 2.5.6.34
## -- directory attributes --
objectidentifier id-at-attributeCertificate 2.5.4.58
objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59
objectidentifier id-at-aACertificate 2.5.4.61
objectidentifier id-at-attributeDescriptorCertificate 2.5.4.62
objectidentifier id-at-attributeAuthorityRevocationList 2.5.4.63
objectidentifier id-at-privPolicy 2.5.4.71
objectidentifier id-at-role 2.5.4.72
objectidentifier id-at-delegationPath 2.5.4.73
objectidentifier id-at-protPrivPolicy 2.5.4.74
objectidentifier id-at-xMLPrivilegeInfo 2.5.4.75
objectidentifier id-at-xMLPprotPrivPolicy 2.5.4.76
## -- attribute certificate extensions --
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
objectidentifier id-mr 2.5.13
objectidentifier id-mr-attributeCertificateMatch id-mr:42
objectidentifier id-mr-attributeCertificateExactMatch id-mr:45
objectidentifier id-mr-holderIssuerMatch id-mr:46
objectidentifier id-mr-authAttIdMatch id-mr:53
objectidentifier id-mr-roleSpecCertIdMatch id-mr:54
objectidentifier id-mr-basicAttConstraintsMatch id-mr:55
objectidentifier id-mr-delegatedNameConstraintsMatch id-mr:56
objectidentifier id-mr-timeSpecMatch id-mr:57
objectidentifier id-mr-attDescriptorMatch id-mr:58
objectidentifier id-mr-acceptableCertPoliciesMatch id-mr:59
objectidentifier id-mr-delegationPathMatch id-mr:61
objectidentifier id-mr-sOAIdentifierMatch id-mr:66
objectidentifier id-mr-indirectIssuerMatch id-mr:67
## -- syntaxes --
## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP
## to this work in progress
objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9
objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
objectidentifier PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5
objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
# NOTE: OIDs from <draft-ietf-pkix-ldap-schema-02.txt> (expired)
#objectidentifier AttributeCertificate 1.2.826.0.1.3344810.7.5
#objectidentifier AttCertPath 1.2.826.0.1.3344810.7.10
#objectidentifier PolicySyntax 1.2.826.0.1.3344810.7.17
#objectidentifier RoleSyntax 1.2.826.0.1.3344810.7.13
##
## Substitute syntaxes
##
## AttCertPath
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4
	NAME 'AttCertPath'
	DESC 'X.509 PMI attribute certificate path: SEQUENCE OF AttributeCertificate'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## PolicySyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5
	NAME 'PolicySyntax'
	DESC 'X.509 PMI policy syntax'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## RoleSyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6
	NAME 'RoleSyntax'
	DESC 'X.509 PMI role syntax'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## X.509 (08/2005) pp. 71, 86-89
##
## 14.4.1 Role attribute
attributeType ( id-at-role
	NAME 'role'
	DESC 'X.509 Role attribute, use ;binary'
	SYNTAX RoleSyntax )
##
## 14.5 XML privilege information attribute
## -- contains XML-encoded privilege information
attributeType ( id-at-xMLPrivilegeInfo
	NAME 'xmlPrivilegeInfo'
	DESC 'X.509 XML privilege information attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.2 PMI Directory attributes
##
## 17.2.1 Attribute certificate attribute
attributeType ( id-at-attributeCertificate
	NAME 'attributeCertificateAttribute'
	DESC 'X.509 Attribute certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.2 AA certificate attribute
attributeType ( id-at-aACertificate
	NAME 'aACertificate'
	DESC 'X.509 AA certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.3 Attribute descriptor certificate attribute
attributeType ( id-at-attributeDescriptorCertificate
	NAME 'attributeDescriptorCertificate'
	DESC 'X.509 Attribute descriptor certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.4 Attribute certificate revocation list attribute
attributeType ( id-at-attributeCertificateRevocationList
	NAME 'attributeCertificateRevocationList'
	DESC 'X.509 Attribute certificate revocation list attribute, use ;binary'
	SYNTAX CertificateList
	X-EQUALITY 'certificateListExactMatch, not implemented yet' )
##
## 17.2.5 AA certificate revocation list attribute
attributeType ( id-at-attributeAuthorityRevocationList
	NAME 'attributeAuthorityRevocationList'
	DESC 'X.509 AA certificate revocation list attribute, use ;binary'
	SYNTAX CertificateList
	X-EQUALITY 'certificateListExactMatch, not implemented yet' )
##
## 17.2.6 Delegation path attribute
attributeType ( id-at-delegationPath
	NAME 'delegationPath'
	DESC 'X.509 Delegation path attribute, use ;binary'
	SYNTAX AttCertPath )
## AttCertPath ::= SEQUENCE OF AttributeCertificate
##
## 17.2.7 Privilege policy attribute
attributeType ( id-at-privPolicy
	NAME 'privPolicy'
	DESC 'X.509 Privilege policy attribute, use ;binary'
	SYNTAX PolicySyntax )
##
## 17.2.8 Protected privilege policy attribute
attributeType ( id-at-protPrivPolicy
	NAME 'protPrivPolicy'
	DESC 'X.509 Protected privilege policy attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.9 XML Protected privilege policy attribute
## -- contains XML-encoded privilege policy information
attributeType ( id-at-xMLPprotPrivPolicy
	NAME 'xmlPrivPolicy'
	DESC 'X.509 XML Protected privilege policy attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.1 PMI directory object classes
##
## 17.1.1 PMI user object class
## -- a PMI user (i.e., a "holder")
objectClass ( id-oc-pmiUser
	NAME 'pmiUser'
	DESC 'X.509 PMI user object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateAttribute ) )
##
## 17.1.2 PMI AA object class
## -- a PMI AA
objectClass ( id-oc-pmiAA
	NAME 'pmiAA'
	DESC 'X.509 PMI AA object class'
	SUP top
	AUXILIARY
	MAY ( aACertificate $
		attributeCertificateRevocationList $
		attributeAuthorityRevocationList
	) )
##
## 17.1.3 PMI SOA object class
## -- a PMI Source of Authority
objectClass ( id-oc-pmiSOA
	NAME 'pmiSOA'
	DESC 'X.509 PMI SOA object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateRevocationList $
		attributeAuthorityRevocationList $
		attributeDescriptorCertificate
	) )
##
## 17.1.4 Attribute certificate CRL distribution point object class
objectClass ( id-oc-attCertCRLDistributionPts
	NAME 'attCertCRLDistributionPt'
	DESC 'X.509 Attribute certificate CRL distribution point object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateRevocationList $
		attributeAuthorityRevocationList
	) )
##
## 17.1.5 PMI delegation path
objectClass ( id-oc-pmiDelegationPath
	NAME 'pmiDelegationPath'
	DESC 'X.509 PMI delegation path'
	SUP top
	AUXILIARY
	MAY ( delegationPath ) )
##
## 17.1.6 Privilege policy object class
objectClass ( id-oc-privilegePolicy
	NAME 'privilegePolicy'
	DESC 'X.509 Privilege policy object class'
	SUP top
	AUXILIARY
	MAY ( privPolicy ) )
##
## 17.1.7 Protected privilege policy object class
objectClass ( id-oc-protectedPrivilegePolicy
	NAME 'protectedPrivilegePolicy'
	DESC 'X.509 Protected privilege policy object class'
	SUP top
	AUXILIARY
	MAY ( protPrivPolicy ) )
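Two properties of this schema matter to anyone who relies on a PMI directory for authorization decisions: the AttCertPath, PolicySyntax and RoleSyntax syntaxes are declared with X-SUBST to Directory String (1.3.6.1.4.1.1466.115.121.1.15), so slapd stores role, delegationPath and privPolicy values without any ASN.1 validation, and the two CRL attributes carry only an X-EQUALITY note because certificateListExactMatch is not implemented, so no equality filter or duplicate-value check applies to them. The following added example (not OpenLDAP code) expands the file's objectidentifier macros the way slapd does (`name` or `name:suffix`), joins slapd.conf continuation lines, and reports, per attribute type, the resolved OIDs, the syntax slapd actually stores and which of those two caveats apply. The embedded SCHEMA string is a constructed excerpt of the directives above; the function names and the rule that a matching rule's macro is named `id-mr-<ruleName>` are this example's own assumptions.

```python
"""Expand OpenLDAP objectidentifier macros and lint a PMI schema excerpt (added example)."""
import re
from typing import Dict, List, Optional

# Constructed excerpt of the pmi.schema directives, embedded so this runs offline.
SCHEMA = """\
objectidentifier id-at-attributeCertificate 2.5.4.58
objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59
objectidentifier id-at-role 2.5.4.72
objectidentifier id-at-delegationPath 2.5.4.73
objectidentifier id-mr 2.5.13
objectidentifier id-mr-attributeCertificateExactMatch id-mr:45
objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9
objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4
    NAME 'AttCertPath'
    X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6
    NAME 'RoleSyntax'
    X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
attributeType ( id-at-role
    NAME 'role'
    SYNTAX RoleSyntax )
attributeType ( id-at-attributeCertificate
    NAME 'attributeCertificateAttribute'
    SYNTAX AttributeCertificate
    EQUALITY attributeCertificateExactMatch )
attributeType ( id-at-attributeCertificateRevocationList
    NAME 'attributeCertificateRevocationList'
    SYNTAX CertificateList
    X-EQUALITY 'certificateListExactMatch, not implemented yet' )
attributeType ( id-at-delegationPath
    NAME 'delegationPath'
    SYNTAX AttCertPath )
"""


def join_continuations(text: str) -> List[str]:
    """slapd.conf rule: a line beginning with whitespace continues the previous line."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def resolve(ref: str, macros: Dict[str, str]) -> str:
    """Expand `name` or `name:suffix` via the macro table; numeric OIDs pass through."""
    if re.fullmatch(r"\d+(\.\d+)+", ref):
        return ref
    name, _, suffix = ref.partition(":")
    if name not in macros:
        raise ValueError(f"unresolved OID macro {name!r} in {ref!r}")
    return macros[name] + (f".{suffix}" if suffix else "")


def parse_macros(lines: List[str]) -> Dict[str, str]:
    """Build the macro table from `objectidentifier <name> <value>` directives, in file order."""
    macros: Dict[str, str] = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "objectidentifier":
            macros[parts[1]] = resolve(parts[2], macros)
    return macros


def parse_definitions(lines: List[str], kind: str) -> List[Dict[str, Optional[str]]]:
    """Extract OID, NAME, SYNTAX, EQUALITY and X-SUBST from `<kind> ( ... )` directives."""
    defs: List[Dict[str, Optional[str]]] = []
    for line in lines:
        m = re.match(rf"{kind}\s*\(\s*(\S+)\s+(.*)\)\s*$", line, re.I)
        if not m:
            continue
        body = m.group(2)

        def field(key: str) -> Optional[str]:
            # the lookbehind keeps EQUALITY from matching inside X-EQUALITY
            f = re.search(rf"(?<![\w-]){key}\s+'?([^'\s]+)'?", body)
            return f.group(1) if f else None

        defs.append({"oid": m.group(1), "name": field("NAME"), "syntax": field("SYNTAX"),
                     "equality": field("EQUALITY"), "x_subst": field("X-SUBST")})
    return defs


def lint(text: str) -> Dict[str, Dict[str, object]]:
    """Per attribute type: resolved OIDs, the syntax slapd really stores, and warnings."""
    lines = join_continuations(text)
    macros = parse_macros(lines)
    # declared syntax OID -> substitute syntax OID (X-SUBST), i.e. what slapd validates against
    subst = {resolve(str(s["oid"]), macros): s["x_subst"]
             for s in parse_definitions(lines, "ldapsyntax") if s["x_subst"]}
    report: Dict[str, Dict[str, object]] = {}
    for a in parse_definitions(lines, "attributeType"):
        syntax = resolve(str(a["syntax"]), macros)  # assumes every attributeType has SYNTAX
        eq = a["equality"]
        warnings = []
        if syntax in subst:
            warnings.append(f"syntax substituted by {subst[syntax]}: values are not ASN.1-validated")
        if eq is None:
            warnings.append("no EQUALITY rule: equality filters and duplicate-value checks unavailable")
        report[str(a["name"])] = {
            "oid": resolve(str(a["oid"]), macros),
            "syntax": syntax,
            "stored_as": subst.get(syntax, syntax),
            "substituted": syntax in subst,
            "equality": eq,
            # assumption: this file names each matching-rule macro id-mr-<ruleName>
            "equality_oid": macros.get(f"id-mr-{eq}") if eq else None,
            "warnings": warnings,
        }
    return report


if __name__ == "__main__":
    for name, info in lint(SCHEMA).items():
        print(f"{name} ({info['oid']}) stored as {info['stored_as']}")
        for w in info["warnings"]:
            print(f"  WARNING: {w}")
```

Running it against the full pmi.schema (paste the directives into SCHEMA or read the file) flags role, delegationPath and privPolicy as stored under Directory String, and the two revocation-list attributes as lacking an equality rule. The practical consequence is that the directory enforces nothing about the content of those values: any consumer that builds an authorization decision from them must parse and verify the attribute certificates and CRLs itself, after fetching them with the `;binary` transfer option the DESC strings call for.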