1 2 3 4Network Working Group L. Howard 5Internet-Draft PADL Software 6Obsoletes: 2307 (if approved) H. Chu, Ed. 7Intended status: Informational Symas Corp. 8Expires: February 10, 2010 August 9, 2009 9 10 11 An Approach for Using LDAP as a Network Information Service 12 draft-howard-rfc2307bis-02.txt 13 14Status of this Memo 15 16 This Internet-Draft is submitted to IETF in full conformance with the 17 provisions of BCP 78 and BCP 79. 18 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 23 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet-Drafts as reference 27 material or to cite them other than as "work in progress." 28 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt. 31 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 34 35 This Internet-Draft will expire on February 10, 2010. 36 37Copyright Notice 38 39 Copyright (c) 2009 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 41 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents in effect on the date of 44 publication of this document (http://trustee.ietf.org/license-info). 45 Please review these documents carefully, as they describe your rights 46 and restrictions with respect to this document. 47 48 49 50 51 52 53 54 55Howard & Chu Expires February 10, 2010 [Page 1] 56 57Internet-Draft LDAP NameService Schema August 2009 58 59 60Abstract 61 62 This document describes a mechanism for mapping entities related to 63 TCP/IP and the UNIX system [UNIX] into [X.500] entries so that they 64 may be resolved with the Lightweight Directory Access Protocol 65 [RFC4511]. A set of attribute types and object classes are proposed, 66 along with specific guidelines for interpreting them. The intention 67 is to assist the deployment of LDAP as an organizational nameservice. 68 No proposed solutions are intended as standards for the Internet. 69 Rather, it is hoped that a general consensus will emerge as to the 70 appropriate solution to such problems, leading eventually to the 71 adoption of standards. The proposed mechanism has already been 72 implemented with some success. 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111Howard & Chu Expires February 10, 2010 [Page 2] 112 113Internet-Draft LDAP NameService Schema August 2009 114 115 1161. Background and Motivation 117 118 The UNIX (R) operating system, and its derivatives (specifically, 119 those which support TCP/IP and conform to the X/Open Single UNIX 120 specification [UNIX]) require a means of looking up entities, by 121 matching them against search criteria or by enumeration. (Other 122 operating systems that support TCP/IP may provide some means of 123 resolving some of these entities. This schema is applicable to those 124 environments also.) 125 126 These entities include users, groups, IP services (which map names to 127 IP ports and protocols, and vice versa), IP protocols (which map 128 names to IP protocol numbers and vice versa), RPCs (which map names 129 to ONC Remote Procedure Call [RFC1057] numbers and vice versa), NIS 130 netgroups, booting information (boot parameters and MAC address 131 mappings), filesystem mounts, IP hosts and networks. 132 133 Resolution requests are made through a set of C functions, provided 134 in the UNIX system's C library. For example, the UNIX system utility 135 "ls", which enumerates the contents of a filesystem directory, uses 136 the C library function getpwuid() in order to map user IDs to login 137 names. Once the request is made, it is resolved using a 138 "nameservice" which is supported by the client library. The 139 nameservice may be, at its simplest, a collection of files in the 140 local filesystem which are opened and searched by the C library. 141 Other common nameservices include the Network Information Service 142 (NIS) and the Domain Name System (DNS) [RFC1034]. (The latter is 143 typically used for resolving hosts, services and networks.) Both 144 these nameservices have the advantage of being distributed and thus 145 permitting a common set of entities to be shared amongst many 146 clients. 147 148 LDAP is a distributed, hierarchical directory service access protocol 149 which is used to access repositories of users and other network- 150 related entities. Because LDAP is often not tightly integrated with 151 the host operating system, information such as users may need to be 152 kept both in LDAP and in an operating system supported nameservice 153 such as NIS. By using LDAP as the primary means of resolving these 154 entities, these redundancy issues are minimized and the scalability 155 of LDAP can be exploited. (By comparison, NIS services based on flat 156 files do not have the scalability or extensibility of LDAP or X.500.) 157 158 The object classes and attributes defined below are suitable for 159 representing the aforementioned entities in a form compatible with 160 LDAP and X.500 directory services. 161 162 163 164 165 166 167Howard & Chu Expires February 10, 2010 [Page 3] 168 169Internet-Draft LDAP NameService Schema August 2009 170 171 1722. General Issues 173 1742.1. Terminology 175 176 The key words "MUST", "SHOULD", and "MAY" used in this document are 177 to be interpreted as described in [RFC2119]. 178 179 For the purposes of this document, the term "nameservice" refers to a 180 service, such as NIS or flat files, that is used by the operating 181 system to resolve entities within a single, local naming context. 182 Contrast this with a "directory service" such as LDAP, which supports 183 extensible schema and multiple naming contexts. 184 185 The term "NIS-related entities" broadly refers to entities which are 186 typically resolved using the Network Information Service. (NIS was 187 previously known as YP.) Deploying LDAP for resolving these entities 188 does not imply that NIS be used, as a gateway or otherwise. In 189 particular, the host and network classes are generically applicable, 190 and may be implemented on any system that wishes to use LDAP or X.500 191 for host and network resolution. 192 193 The "DUA" (directory user agent) refers to the LDAP client querying 194 these entities, such as an LDAP to NIS gateway or the C library. The 195 "client" refers to the application which ultimately makes use of the 196 information returned by the resolution. It is irrelevant whether the 197 DUA and the client reside within the same address space. The act of 198 the DUA making this information to the client is termed 199 "republishing". 200 201 To avoid confusion, the term "login name" refers to the user's login 202 name (being the value of the uid attribute) and the term "user ID" 203 refers to the user's integer identification number (being the value 204 of the uidNumber attribute). 205 206 The phrases "resolving an entity" and "resolution of entities" refer 207 respectively to enumerating NIS-related entities of a given type, and 208 matching them against a given search criterion. One or more entities 209 are returned as a result of successful "resolutions" (a "match" 210 operation will only return one entity). 211 212 The use of the term UNIX does not confer upon this schema the 213 endorsement of owners of the UNIX trademark. Where necessary, the 214 term "TCP/IP entity" is used to refer to protocols, services, hosts, 215 and networks, and the term "UNIX entity" to its complement. (The 216 former category does not mandate the host operating system supporting 217 the interfaces required for resolving UNIX entities.) 218 219 The OIDs defined below are derived from iso(1) org(3) dod(6) 220 221 222 223Howard & Chu Expires February 10, 2010 [Page 4] 224 225Internet-Draft LDAP NameService Schema August 2009 226 227 228 internet(1) directory(1) nisSchema(1) 229 2302.2. Schema 231 232 The attributes and classes defined in this document are summarized 233 below. 234 2352.2.1. Attributes 236 237 The following attributes are defined in this document: 238 239 uidNumber 240 gidNumber 241 gecos 242 homeDirectory 243 loginShell 244 shadowLastChange 245 shadowMin 246 shadowMax 247 shadowWarning 248 shadowInactive 249 shadowExpire 250 shadowFlag 251 memberUid 252 memberNisNetgroup 253 nisNetgroupTriple 254 ipServicePort 255 ipServiceProtocol 256 ipProtocolNumber 257 oncRpcNumber 258 ipHostNumber 259 ipNetworkNumber 260 ipNetmaskNumber 261 macAddress 262 bootParameter 263 bootFile 264 nisMapName 265 nisMapEntry 266 nisPublicKey 267 nisSecretKey 268 nisDomain 269 automountMapName 270 automountKey 271 automountInformation 272 273 Additionally, some of the attributes defined in [RFC4519] and 274 [RFC3112] are required. 275 276 277 278 279Howard & Chu Expires February 10, 2010 [Page 5] 280 281Internet-Draft LDAP NameService Schema August 2009 282 283 2842.2.2. Attribute Option 285 286 Centralizing a name service in LDAP allows heterogeneous systems to 287 obtain their information from a single place. However in some cases, 288 this information cannot be used uniformly on all of the client 289 systems. These attribute options are defined to allow system- 290 specific values to be used where necessary. The options are defined 291 as the following: 292 293 host-<hostname> 294 hostos-<ostype> 295 296 where hostname is a string representing the name of a specific 297 machine, and ostype is a string representing a particular operating 298 system. 299 300 For example, a user named "Babs Jensen" may have a different home 301 directory on different machines. This could be represented as: 302 303 homeDirectory: /home/babsj 304 homeDirectory;hostos-sunos: /export/home/bjensen 305 homeDirectory;host-babshost: /home/root 306 307 These attribute options follow sub-typing semantics. If a DUA 308 requests an attribute to be returned in a search operation, and does 309 not specify an option, all subtypes of that attribute are returned. 310 3112.2.3. Object Classes 312 313 The following object classes are defined in this document: 314 315 posixAccount 316 shadowAccount 317 posixGroup 318 ipService 319 ipProtocol 320 oncRpc 321 ipHost 322 ipNetwork 323 nisNetgroup 324 nisMap 325 nisObject 326 ieee802Device 327 bootableDevice 328 nisKeyObject 329 nisDomainObject 330 automountMap 331 automount 332 333 334 335Howard & Chu Expires February 10, 2010 [Page 6] 336 337Internet-Draft LDAP NameService Schema August 2009 338 339 340 Additionally, some of the attributes defined in [RFC4519] are 341 required. 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391Howard & Chu Expires February 10, 2010 [Page 7] 392 393Internet-Draft LDAP NameService Schema August 2009 394 395 3963. Attribute Definitions 397 398 This section contains attribute definitions to be implemented by DUAs 399 supporting this schema: 400 401 ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' 402 DESC 'An integer uniquely identifying a user in an 403 administrative domain' 404 EQUALITY integerMatch 405 ORDERING integerOrderingMatch 406 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 407 SINGLE-VALUE ) 408 409 410 ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' 411 DESC 'An integer uniquely identifying a group in an 412 administrative domain' 413 EQUALITY integerMatch 414 ORDERING integerOrderingMatch 415 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 416 SINGLE-VALUE ) 417 418 419 ( 1.3.6.1.1.1.1.2 NAME 'gecos' 420 DESC 'The GECOS field; the common name' 421 EQUALITY caseIgnoreMatch 422 SUBSTRINGS caseIgnoreSubstringsMatch 423 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 424 SINGLE-VALUE ) 425 426 427 ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' 428 DESC 'The absolute path to the home directory' 429 EQUALITY caseExactIA5Match 430 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 431 SINGLE-VALUE ) 432 433 434 ( 1.3.6.1.1.1.1.4 NAME 'loginShell' 435 DESC 'The path to the login shell' 436 EQUALITY caseExactIA5Match 437 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 438 SINGLE-VALUE ) 439 440 441 442 443 444 445 446 447Howard & Chu Expires February 10, 2010 [Page 8] 448 449Internet-Draft LDAP NameService Schema August 2009 450 451 452 ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' 453 EQUALITY integerMatch 454 ORDERING integerOrderingMatch 455 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 456 SINGLE-VALUE ) 457 458 459 ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' 460 EQUALITY integerMatch 461 ORDERING integerOrderingMatch 462 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 463 SINGLE-VALUE ) 464 465 466 ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' 467 EQUALITY integerMatch 468 ORDERING integerOrderingMatch 469 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 470 SINGLE-VALUE ) 471 472 473 ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' 474 EQUALITY integerMatch 475 ORDERING integerOrderingMatch 476 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 477 SINGLE-VALUE ) 478 479 480 ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' 481 EQUALITY integerMatch 482 ORDERING integerOrderingMatch 483 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 484 SINGLE-VALUE ) 485 486 487 ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' 488 EQUALITY integerMatch 489 ORDERING integerOrderingMatch 490 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 491 SINGLE-VALUE ) 492 493 494 ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' 495 EQUALITY integerMatch 496 ORDERING integerOrderingMatch 497 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 498 SINGLE-VALUE ) 499 500 501 502 503Howard & Chu Expires February 10, 2010 [Page 9] 504 505Internet-Draft LDAP NameService Schema August 2009 506 507 508 ( 1.3.6.1.1.1.1.12 NAME 'memberUid' 509 EQUALITY caseExactMatch 510 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 511 512 513 ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' 514 EQUALITY caseExactMatch 515 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 516 517 518 ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' 519 DESC 'Netgroup triple' 520 EQUALITY caseIgnoreMatch 521 SUBSTRINGS caseIgnoreSubstringsMatch 522 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 523 524 525 ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' 526 DESC 'Service port number' 527 EQUALITY integerMatch 528 ORDERING integerOrderingMatch 529 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 530 SINGLE-VALUE ) 531 532 533 ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' 534 DESC 'Service protocol name' 535 EQUALITY caseIgnoreMatch 536 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 537 538 539 ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' 540 DESC 'IP protocol number' 541 EQUALITY integerMatch 542 ORDERING integerOrderingMatch 543 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 544 SINGLE-VALUE ) 545 546 547 ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' 548 DESC 'ONC RPC number' 549 EQUALITY integerMatch 550 ORDERING integerOrderingMatch 551 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 552 SINGLE-VALUE ) 553 554 555 556 557 558 559Howard & Chu Expires February 10, 2010 [Page 10] 560 561Internet-Draft LDAP NameService Schema August 2009 562 563 564 ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' 565 DESC 'IPv4 addresses as a dotted decimal omitting leading 566 zeros or IPv6 addresses as defined in RFC2373' 567 EQUALITY caseIgnoreIA5Match 568 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 569 570 571 ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' 572 DESC 'IP network omitting leading zeros, eg. 192.168' 573 EQUALITY caseIgnoreIA5Match 574 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 575 SINGLE-VALUE ) 576 577 578 ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' 579 DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0' 580 EQUALITY caseIgnoreIA5Match 581 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 582 SINGLE-VALUE ) 583 584 585 ( 1.3.6.1.1.1.1.22 NAME 'macAddress' 586 DESC 'MAC address in maximal, colon separated hex 587 notation, eg. 00:00:92:90:ee:e2' 588 EQUALITY caseIgnoreIA5Match 589 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 590 591 592 ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' 593 DESC 'rpc.bootparamd parameter' 594 EQUALITY caseExactIA5Match 595 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 596 597 598 ( 1.3.6.1.1.1.1.24 NAME 'bootFile' 599 DESC 'Boot image name' 600 EQUALITY caseExactIA5Match 601 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 602 603 604 ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' 605 DESC 'Name of a generic NIS map' 606 EQUALITY caseIgnoreMatch 607 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} ) 608 609 610 611 612 613 614 615Howard & Chu Expires February 10, 2010 [Page 11] 616 617Internet-Draft LDAP NameService Schema August 2009 618 619 620 ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' 621 DESC 'A generic NIS entry' 622 EQUALITY caseExactMatch 623 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} 624 SINGLE-VALUE ) 625 626 627 ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' 628 DESC 'NIS public key' 629 EQUALITY octetStringMatch 630 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 631 SINGLE-VALUE ) 632 633 634 ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' 635 DESC 'NIS secret key' 636 EQUALITY octetStringMatch 637 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 638 SINGLE-VALUE ) 639 640 641 ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' 642 DESC 'NIS domain' 643 EQUALITY caseIgnoreIA5Match 644 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) 645 646 647 ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' 648 DESC 'automount Map Name' 649 EQUALITY caseExactMatch 650 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 651 SINGLE-VALUE ) 652 653 654 ( 1.3.6.1.1.1.1.32 NAME 'automountKey' 655 DESC 'Automount Key value' 656 EQUALITY caseExactMatch 657 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 658 SINGLE-VALUE ) 659 660 661 ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' 662 DESC 'Automount information' 663 EQUALITY caseExactMatch 664 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 665 SINGLE-VALUE ) 666 667 668 669 670 671Howard & Chu Expires February 10, 2010 [Page 12] 672 673Internet-Draft LDAP NameService Schema August 2009 674 675 6764. Class Definitions 677 678 This section contains class definitions to be implemented by DUAs 679 supporting the schema. 680 681 Various schema for mail routing and delivery using LDAP directories 682 have been proposed, and as such this document does not consider 683 schema for representing mail aliases or distribution lists. 684 685 ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY 686 DESC 'Abstraction of an account with POSIX attributes' 687 MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) 688 MAY ( authPassword $ userPassword $ loginShell $ gecos $ 689 description ) ) 690 691 692 ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY 693 DESC 'Additional attributes for shadow passwords' 694 MUST uid 695 MAY ( authPassword $ userPassword $ description $ 696 shadowLastChange $ shadowMin $ shadowMax $ 697 shadowWarning $ shadowInactive $ 698 shadowExpire $ shadowFlag ) ) 699 700 701 ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY 702 DESC 'Abstraction of a group of accounts' 703 MUST gidNumber 704 MAY ( authPassword $ userPassword $ memberUid $ 705 description ) ) 706 707 708 ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL 709 DESC 'Abstraction an Internet Protocol service. 710 Maps an IP port and protocol (such as tcp or udp) 711 to one or more names; the distinguished value of 712 the cn attribute denotes the service's canonical 713 name' 714 MUST ( cn $ ipServicePort $ ipServiceProtocol ) 715 MAY description ) 716 717 718 ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL 719 DESC 'Abstraction of an IP protocol. Maps a protocol number 720 to one or more names. The distinguished value of the cn 721 attribute denotes the protocol canonical name' 722 MUST ( cn $ ipProtocolNumber ) 723 MAY description ) 724 725 726 727Howard & Chu Expires February 10, 2010 [Page 13] 728 729Internet-Draft LDAP NameService Schema August 2009 730 731 732 ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL 733 DESC 'Abstraction of an Open Network Computing (ONC) 734 [RFC1057] Remote Procedure Call (RPC) binding. 735 This class maps an ONC RPC number to a name. 736 The distinguished value of the cn attribute denotes 737 the RPC service canonical name' 738 MUST ( cn $ oncRpcNumber ) 739 MAY description ) 740 741 742 ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY 743 DESC 'Abstraction of a host, an IP device. The distinguished 744 value of the cn attribute denotes the host's canonical 745 name. Device SHOULD be used as a structural class' 746 MUST ( cn $ ipHostNumber ) 747 MAY ( authPassword $ userPassword $ l $ description $ 748 manager ) ) 749 750 751 ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL 752 DESC 'Abstraction of a network. The distinguished value of 753 the cn attribute denotes the network canonical name' 754 MUST ipNetworkNumber 755 MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) 756 757 758 ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL 759 DESC 'Abstraction of a netgroup. May refer to other 760 netgroups' 761 MUST cn 762 MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) 763 764 765 ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL 766 DESC 'A generic abstraction of a NIS map' 767 MUST nisMapName 768 MAY description ) 769 770 771 ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL 772 DESC 'An entry in a NIS map' 773 MUST ( cn $ nisMapEntry $ nisMapName ) 774 775 776 ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY 777 DESC 'A device with a MAC address; device SHOULD be 778 used as a structural class' 779 MAY macAddress ) 780 781 782 783Howard & Chu Expires February 10, 2010 [Page 14] 784 785Internet-Draft LDAP NameService Schema August 2009 786 787 788 ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY 789 DESC 'A device with boot parameters; device SHOULD be 790 used as a structural class' 791 MAY ( bootFile $ bootParameter ) ) 792 793 794 ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY 795 DESC 'An object with a public and secret key' 796 MUST ( cn $ nisPublicKey $ nisSecretKey ) 797 MAY ( uidNumber $ description ) ) 798 799 800 ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY 801 DESC 'Associates a NIS domain with a naming context' 802 MUST nisDomain ) 803 804 805 ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL 806 MUST ( automountMapName ) 807 MAY description ) 808 809 810 ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL 811 DESC 'Automount information' 812 MUST ( automountKey $ automountInformation ) 813 MAY description ) 814 815 816 ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL 817 DESC 'A group with members (DNs)' 818 MUST cn 819 MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ 820 description $ member ) ) 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839Howard & Chu Expires February 10, 2010 [Page 15] 840 841Internet-Draft LDAP NameService Schema August 2009 842 843 8445. Implementation Details 845 8465.1. Suggested Resolution Methods 847 848 The preferred means of directing a client application (one using the 849 shared services of the C library) to use LDAP as its information 850 source for the functions listed in Appendix B is to modify the source 851 code to directly query LDAP. As the source to commercial C libraries 852 and applications is rarely available to the end-user, one could 853 emulate a supported nameservice (such as NIS). (This is also an 854 appropriate opportunity to perform caching of entries across process 855 address spaces.) In the case of NIS, reference implementations are 856 widely available and the RPC interface is well known. 857 858 The means by which the operating system is directed to use LDAP is 859 implementation dependent. For example, some operating systems and C 860 libraries support end-user extensible resolvers using dynamically 861 loadable libraries and a nameservice "switch" (NSS). The means in 862 which the DUA locates LDAP servers is also implementation dependent. 863 8645.2. Interpreting User and Group Entries 865 866 User and group resolution is initiated by the functions prefixed by 867 getpw and getgr respectively. The uid attribute contains the user's 868 login name. The cn attribute, in posixGroup entries, contains the 869 group's name. This document preserves the use of the uid attribute 870 even though, being a naming attribute, its syntax is case 871 insensitive. This may cause a problem with existing deployments 872 where there exist login names differing only in case. If DUAs 873 support attribute mapping, a different attribute MAY be used to 874 represent users' login names. 875 876 The account object class provides a convenient structural class for 877 posixAccount, and SHOULD be used where additional attributes are not 878 required. Likewise, the groupOfMembers object class SHOULD be used 879 for groups. (The groupOfUniqueNames object class is deprecated and 880 SHOULD NOT be used.) 881 882 It is suggested that uid and cn are used as the naming attribute for 883 posixAccount and posixGroup entries, respectively. Group members may 884 either be login names (values of memberUid) or distinguished names 885 (values of member). In the latter case, the distinguished name must 886 be mapped to one or more login names by examining the name's RDN or, 887 if it is not distinguished by uid, performing a base search on the DN 888 with a filter of "(objectclass=*)". DUAs MAY wish to cache DN to 889 login name mappings. The DUA MAY traverse nested groups. 890 891 An account's GECOS field is preferably determined by a value of the 892 893 894 895Howard & Chu Expires February 10, 2010 [Page 16] 896 897Internet-Draft LDAP NameService Schema August 2009 898 899 900 gecos attribute. If no gecos attribute exists, the value of the cn 901 attribute MUST be used. (The existence of the gecos attribute allows 902 information embedded in the GECOS field, such as a user's telephone 903 number, to be returned to the client without overloading the cn 904 attribute. It also accommodates directories where the common name 905 does not contain the user's full name.) 906 9075.2.1. Using Attribute Options 908 909 Some posixAccount attributes may be accompanied by options 910 (Section 2.2.2) identifying particular hosts or operating system 911 types. The attribute with a hostos option matching the operating 912 system of the DUA SHOULD be used in preference to an attribute 913 without any associated options. The attribute with a host option 914 matching the hostname of the DUA SHOULD be used in preference to any 915 other attribute. 916 9175.2.2. Authentication Considerations 918 9195.2.2.1. Using Password Values 920 921 When authenticating using a NIS to LDAP gateway or using NSS, a 922 lookup is performed to retrieve the password attribute and the value 923 is used in the DUA to authenticate a user. This approach to 924 authentication is deprecated, as it requires that read access to the 925 password attribute be granted across a network. 926 927 An entry of class posixAccount, posixGroup, or shadowAccount without 928 an authPassword or userPassword attribute MUST NOT be used for 929 authentication. In this case the client SHOULD be returned a non- 930 matchable password such as "x". 931 932 If userPassword is used, its values MUST be represented by the 933 following syntax: 934 935 passwordvalue = schemeprefix hashedpasswd 936 schemeprefix = "{" scheme "}" 937 scheme = "crypt" / "md5" / "sha" / "ssha" / altscheme 938 altscheme = "x-" keystring 939 hashedpasswd = hashed password 940 941 The hashed password contains a plaintext key hashed using the 942 algorithm scheme. If the schema is "sha", the hashed password is the 943 base64 encoding of the SHA-1 digest of the plaintext password. 944 945 userPassword values which do not adhere to this syntax MUST NOT be 946 used for authentication. The DUA MUST iterate through the values of 947 the attribute until a value matching the above syntax is found. Only 948 949 950 951Howard & Chu Expires February 10, 2010 [Page 17] 952 953Internet-Draft LDAP NameService Schema August 2009 954 955 956 if hashedpassword is an empty string does the user have no password. 957 DUAs are not required to consider hashing schemes which the client 958 will not recognize; in most cases, it may be sufficient to consider 959 only "crypt". 960 961 DUA MAY use the authPassword attribute instead of userPassword, 962 defined in [RFC3112]. The DUA MUST iterate the values of the 963 authPassword attribute until a value whose scheme is CRYPT is found. 964 The DUA MAY iterate through the values of the userPassword attribute, 965 using the syntax defined here, until a value whose scheme is CRYPT is 966 found. If no conforming value is found, the client MUST be returned 967 a non-matchable password such as "x". Authentication using schemes 968 other than CRYPT is, although advisable, beyond the scope of this 969 document 970 971 Below is an example of an authPassword attribute: 972 973 authPassword: CRYPT$X5/DBrWPOQQaI 974 975 Below is an example of a (deprecated) userPassword attribute: 976 977 userPassword: {CRYPT}X5/DBrWPOQQaI 978 979 A DUA MAY utilize the attributes in the shadowAccount class to 980 provide shadow password service (getspnam() and getspent()). In such 981 cases, the DUA MUST NOT make use of the userPassword attribute for 982 getpwnam() et al, and MUST return a non-matchable password (such as 983 "x") to the client instead. 984 9855.2.2.2. Using LDAP Bind 986 987 The preferred method for authenticating users with LDAP is to perform 988 an LDAP Bind operation with the user's name and password. In this 989 case the method the DSA uses to store and verify the password is 990 completely internal to the DSA and not of any concern to the DUA. 991 992 Likewise, using the shadowAccount attributes requires the DUA to 993 handle password policy enforcement. However the policies expressed 994 in the shadowAccount are limited in scope, and not uniformly 995 applicable to all the systems that will be using LDAP. 996 997 The preferred method is to leave password policy enforcement to the 998 DSA, so that it will be uniformly enforced across all of the various 999 systems that rely on the directory. This enforcement occurs 1000 implicitly when authenticating using LDAP Bind if the DSA supports 1001 the LDAP password policy [I-D.behera-ldap-password-policy] 1002 mechanisms. 1003 1004 1005 1006 1007Howard & Chu Expires February 10, 2010 [Page 18] 1008 1009Internet-Draft LDAP NameService Schema August 2009 1010 1011 1012 The means in which authentication in the DUA is configured is 1013 implementation dependent. Typically it is accomplished using [PAM]. 1014 Further details of authentication are beyond the scope of this 1015 document. 1016 10175.2.3. Naming Considerations 1018 1019 On UNIX systems, users and groups reside in separate name spaces and 1020 it is common for the same name to be used by both a user and a group. 1021 Since they are in separate name spaces there is no ambiguity and no 1022 conflict. However, when integrating a name service into LDAP the 1023 directory may be used with other systems besides UNIX and its 1024 derivatives. In particular, the Microsoft Windows operating system 1025 may also use LDAP for its own name service. In Windows, users and 1026 groups reside in a single name space and so one cannot use the same 1027 name for both a user and a group. 1028 1029 Conflicts in naming conventions may arise in other deployments as 1030 well, and should be carefully taken into account when migrating from 1031 other naming services into LDAP. 1032 10335.3. Interpreting Hosts and Networks 1034 1035 The ipHostNumber and ipNetworkNumber attributes are defined in 1036 preference to dNSRecord (defined in [RFC1279]), in order to simplify 1037 the DUA's role in interpreting entries in the directory. A dNSRecord 1038 expresses a complete resource record, including time to live and 1039 class data, which is extraneous to this schema. 1040 1041 Additionally, the ipHost and ipNetwork classes permit a host or 1042 network (respectively) and all its aliases to be represented by a 1043 single entry in the directory. This is not necessarily possible if a 1044 DNS resource record is mapped directly to an LDAP entry. 1045 Implementations that wish to use LDAP to master DNS zone information 1046 are not precluded from doing so, and may simply avoid the ipHost and 1047 ipNetwork classes. 1048 1049 This document redefines, although not exclusively, the ipNetwork 1050 class defined in [RFC1279], in order to achieve consistent naming 1051 with ipHost. The ipNetworkNumber attribute is also used in the 1052 siteContact object class [ROSE]. 1053 1054 The authPassword and userPassword attributes are included in ipHost 1055 such that hosts MAY be treated as authentication principals. The 1056 treatment of these attributes and inherent caveats considered in 1057 Section 5.2 apply here also. 1058 1059 The trailing zeros in a network address MUST be omitted. CIDR-style 1060 1061 1062 1063Howard & Chu Expires February 10, 2010 [Page 19] 1064 1065Internet-Draft LDAP NameService Schema August 2009 1066 1067 1068 network addresses (eg. 192.168.1/24) MAY be used. Leading zeros MUST 1069 be removed from all components of an IPv6 address string as defined 1070 by [RFC2373], section 2.2, item 1. The IPv6 address string MUST be 1071 further normalized by following the "::" syntax as defined in 1072 [RFC2373], section 2.2, item 2. In addition, "::" MUST be used to 1073 replace the longest string of zero bits. If there are two or more 1074 longest strings of zero bits, then the first string MUST be replaced. 1075 In addition, the syntax defined by [RFC2373], section 2.2, item 3 1076 MUST NOT be used. IPv4 addresses MUST be represented by the IPv4 1077 dotted decimal string syntax. 1078 1079 For example the following address: 1080 1081 1080:0000:0:0:08:800:200C:417A 1082 FF01:0:0:0:0:0:01 1083 0:0:0:0:0:0:0:0001 1084 0:0:0:0:0:0:0:0 1085 1086 MUST be normalized as: 1087 1088 1080::8:800:200C:417A 1089 FF01::101 1090 0::1 1091 :: 1092 10935.4. Interpreting Other Entities 1094 1095 In general, a one-to-one mapping between entities and LDAP entries is 1096 proposed, in that each entity has exactly one representation in the 1097 DIT. In some cases this is not feasible; for example, a service 1098 which is represented in more than one protocol domain. Consider the 1099 following entry: 1100 1101 dn: cn=domain,ou=services,dc=aja,dc=com 1102 objectClass: top 1103 objectClass: ipService 1104 cn: domain 1105 cn: nameserver 1106 ipServicePort: 53 1107 ipServiceProtocol: tcp 1108 ipServiceProtocol: udp 1109 1110 This entry MUST map to the following two (2) services entities: 1111 1112 domain 53/tcp nameserver 1113 domain 53/udp nameserver 1114 1115 While the above two entities may be represented as separate LDAP 1116 1117 1118 1119Howard & Chu Expires February 10, 2010 [Page 20] 1120 1121Internet-Draft LDAP NameService Schema August 2009 1122 1123 1124 entities, with different distinguished names (such as cn=domain+ 1125 ipServiceProtocol=tcp, ... and cn=domain+ipServiceProtocol=udp, ...) 1126 it is convenient to represent them as a single entry. If a service 1127 is represented in multiple protocol domains with different ports, 1128 then multiple entries are required; multi-valued RDNs MAY be used to 1129 distinguish them.) 1130 1131 With the exception of authPassword and userPassword values, empty 1132 values (consisting of a zero length string) are returned by the DUA 1133 to the client. The DUA MUST reject any entries which do not conform 1134 to the schema (missing mandatory attributes). Non-conforming entries 1135 SHOULD be ignored while enumerating entries. 1136 1137 The nisDomainObject object class is provided to associate a NIS 1138 domain with a naming context. A DUA would retrieve the NIS domain 1139 name from a configuration file and enumerate the naming contexts 1140 served by an LDAP server, searching each naming context for 1141 (nisDomain=%s). The first matching entry that is found MAY be used 1142 as a search base for configuration profile information or for entries 1143 themselves. For example, the following example shows an association 1144 between the NIS domain "nis.aja.com" and the naming context 1145 "dc=aja,dc=com": 1146 1147 dn: dc=aja,dc=com 1148 objectClass: top 1149 objectClass: domain 1150 objectClass: nisDomainObject 1151 dc: aja 1152 nisDomain: nis.aja.com 1153 1154 The nisObject object class MAY be used as a generic means of 1155 representing NIS entities. Its use is not encouraged; where support 1156 for entities not described in this schema is desired, an appropriate 1157 schema should be devised. Implementers are strongly advised to 1158 support end-user extensible mappings between NIS entities and object 1159 classes. (Where the nisObject class is used, the nisMapName 1160 attribute MAY be used as a RDN.) The nisObject class might be used 1161 to represent automount information. 1162 11635.5. Canonicalizing entries with multi-valued naming attributes 1164 1165 For entities such as hosts, services, networks, protocols, and RPCs, 1166 where there may be one or more aliases, the respective entry's 1167 relative distinguished name SHOULD be used to determine the canonical 1168 name. Any other values for the same attribute are used as aliases. 1169 For example, the service described in Section 5.4 has the canonical 1170 name "domain" and exactly one alias, "nameserver". 1171 1172 1173 1174 1175Howard & Chu Expires February 10, 2010 [Page 21] 1176 1177Internet-Draft LDAP NameService Schema August 2009 1178 1179 1180 The schema in this document generally only defines one attribute per 1181 class which is suitable for distinguishing an entity (excluding any 1182 attributes with integer syntax; it is assumed that entries will be 1183 distinguished on name). Usually, this is the common name (cn) 1184 attribute. This aids the DUA in determining the canonical name of an 1185 entity, as it can examine the value of the relative distinguished 1186 name. Aliases are thus any values of the distinguishing attribute 1187 (such as cn) which do not match the canonical name of the entity. 1188 1189 In the event that a different attribute is used to distinguish the 1190 entry, as may be the case where these object classes are used as 1191 auxiliary classes, the entry's canonical name may not be present in 1192 the RDN. In this case, the DUA MUST choose one of the non- 1193 distinguished values to represent the entity's canonical name. As 1194 the directory server guarantees no ordering of attribute values, it 1195 may not be possible to distinguish an entry deterministically. This 1196 ambiguity SHOULD NOT be resolved by mapping one directory entry into 1197 multiple entities. 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231Howard & Chu Expires February 10, 2010 [Page 22] 1232 1233Internet-Draft LDAP NameService Schema August 2009 1234 1235 12366. Implementation Focus 1237 1238 Gateways between NIS and LDAP have been developed by PADL Software 1239 and Sun Microsystems. They both support this schema. 1240 1241 An open source implementation of the C library resolution code has 1242 been written and is available from PADL Software. It supports C 1243 libraries on GNU, BSD, AIX, and Solaris operating systems. PADL have 1244 also made available a set of scripts for migrating flat files into a 1245 form suitable for loading into an LDAP server. Another open source 1246 implementation of the C library code is available from the OpenLDAP 1247 Project. 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287Howard & Chu Expires February 10, 2010 [Page 23] 1288 1289Internet-Draft LDAP NameService Schema August 2009 1290 1291 12927. Security Considerations 1293 1294 The entirety of related security considerations are outside the scope 1295 of this document. It is noted that making passwords encrypted with a 1296 widely understood hash function (such as crypt()) available to non- 1297 privileged users is dangerous because it exposes them to dictionary 1298 and brute-force attacks. This is proposed only for compatibility 1299 with existing UNIX system implementations. Sites where security is 1300 critical SHOULD consider using a strong authentication service for 1301 user authentication. 1302 1303 Alternatively, the encrypted password could be made available only to 1304 a subset of privileged DUAs, which would provide "shadow" password 1305 service to client applications. This may be difficult to enforce. 1306 1307 Because the schema represents operating system-level entities, access 1308 to these entities SHOULD be granted on a discretionary basis. (There 1309 is little point in restricting access to data which will be 1310 republished without restriction, however.) It is particularly 1311 important that only administrators can modify entries defined in this 1312 schema, with the exception of allowing a principal to change their 1313 password (which MAY be done on behalf of the user by a client bound 1314 as a superior principal, such that password restrictions MAY be 1315 enforced). For example, if a user were allowed to change the value 1316 of their uidNumber attribute, they could subvert security by 1317 equivalencing their account with the superuser account. 1318 1319 A subtree of the DIT which is to be republished by a DUA (such as a 1320 NIS gateway) SHOULD be within the same administrative domain that the 1321 republishing DUA represents. (For example, principals outside an 1322 organization, while conceivably part of the DIT, should not be 1323 considered with the same degree of authority as those within the 1324 organization.) 1325 1326 Finally, care should be exercised with integer attributes of a 1327 sensitive nature (particularly the uidNumber and gidNumber 1328 attributes) which contain zero-length values. DUAs MAY treat such 1329 values as corresponding to the "nobody" or "nogroup" user and group, 1330 respectively. 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343Howard & Chu Expires February 10, 2010 [Page 24] 1344 1345Internet-Draft LDAP NameService Schema August 2009 1346 1347 13488. Acknowledgements 1349 1350 Thanks to Bob Joslin of the Hewlett Packard Company, and to all those 1351 that helped with this document's predecessor, RFC 2307. 1352 1353 UNIX is a registered trademark of The Open Group. 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399Howard & Chu Expires February 10, 2010 [Page 25] 1400 1401Internet-Draft LDAP NameService Schema August 2009 1402 1403 14049. References 1405 1406 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 1407 STD 13, RFC 1034, November 1987. 1408 1409 [RFC1057] Sun Microsystems, Inc., "RPC: Remote Procedure Call 1410 Protocol specification: Version 2", RFC 1057, June 1988. 1411 1412 [RFC1279] Hardcastle-Kille, S., "X.500 and Domains", RFC 1279, 1413 November 1991. 1414 1415 [RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing 1416 Architecture", RFC 2373, July 1998. 1417 1418 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1419 Requirement Levels", BCP 14, RFC 2119, March 1997. 1420 1421 [RFC4511] Sermersheim, J., "Lightweight Directory Access Protocol 1422 (LDAP): The Protocol", RFC 4511, June 2006. 1423 1424 [RFC4515] Smith, M. and T. Howes, "Lightweight Directory Access 1425 Protocol (LDAP): String Representation of Search Filters", 1426 RFC 4515, June 2006. 1427 1428 [RFC4519] Sciberras, A., "Lightweight Directory Access Protocol 1429 (LDAP): Schema for User Applications", RFC 4519, 1430 June 2006. 1431 1432 [RFC3112] Zeilenga, K., "LDAP Authentication Password Schema", 1433 RFC 3112, May 2001. 1434 1435 [I-D.behera-ldap-password-policy] 1436 Sermersheim, J., Poitou, L., and H. Chu, "Password Policy 1437 for LDAP Directories", 1438 draft-behera-ldap-password-policy-10 (work in progress), 1439 August 2009. 1440 1441 [ROSE] Rose, M., "The Little Black Book: Mail Bonding with OSI 1442 Directory Services", ISBN 0-13-683210-5, 2001. 1443 1444 [X.500] ISO/IEC JTC 1/SC21, "Information Processing Systems - Open 1445 Systems Interconnection - The Directory: Overview of 1446 Concepts, Models and Service", 1988. 1447 1448 [UNIX] Institute of Electrical and Electronics Engineers and The 1449 Open Group, "IEEE Std 1003.1, 2004 Edition, Single UNIX 1450 Specification Version 3", IEEE Standard 1003.1, 2004. 1451 1452 1453 1454 1455Howard & Chu Expires February 10, 2010 [Page 26] 1456 1457Internet-Draft LDAP NameService Schema August 2009 1458 1459 1460 [PAM] Samar, V. and R. Schemers, "Unified Login with Pluggable 1461 Authentication Modules (PAM)", OSF RFC 86.0, October 1995. 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511Howard & Chu Expires February 10, 2010 [Page 27] 1512 1513Internet-Draft LDAP NameService Schema August 2009 1514 1515 1516Appendix A. Example Entries 1517 1518 The examples described in this section are provided to illustrate the 1519 schema described in this draft. They are not meant to be exhaustive. 1520 1521 The following entry is an example of the posixAccount class: 1522 1523 dn: uid=lester,ou=people,dc=aja,dc=com 1524 objectClass: top 1525 objectClass: account 1526 objectClass: posixAccount 1527 uid: lester 1528 cn: Lester the Nightfly 1529 gecos: Lester 1530 uidNumber: 10 1531 gidNumber: 10 1532 loginShell: /bin/csh 1533 userPassword: {crypt}$X5/DBrWPOQQaI 1534 homeDirectory: /home/lester 1535 1536 This corresponds to the UNIX system password file entry: 1537 1538 lester:X5/DBrWPOQQaI:10:10:Lester:/home/lester:/bin/sh 1539 1540 The following entry is an example of the ipHost class: 1541 1542 dn: cn=josie.aja.com,ou=hosts,dc=aja,dc=com 1543 objectClass: top 1544 objectClass: device 1545 objectClass: ipHost 1546 objectClass: bootableDevice 1547 objectClass: ieee802Device 1548 cn: josie.aja.com 1549 cn: www.aja.com 1550 ipHostNumber: 10.0.0.1 1551 macAddress: 00:00:92:90:ee:e2 1552 bootFile: mach 1553 bootParameter: root=dan.aja.com:/nfsroot/peg 1554 bootParameter: swap=dan.aja.com:/nfsswap/peg 1555 bootParameter: dump=dan.aja.com:/nfsdump/peg 1556 1557 This entry represents the host canonically josie.aja.com, also known 1558 as www.aja.com. The Ethernet address and four boot parameters are 1559 also specified. 1560 1561 An example of the nisNetgroup class: 1562 1563 1564 1565 1566 1567Howard & Chu Expires February 10, 2010 [Page 28] 1568 1569Internet-Draft LDAP NameService Schema August 2009 1570 1571 1572 dn: cn=nightfly,ou=netgroup,dc=aja,dc=com 1573 objectClass: top 1574 objectClass: nisNetgroup 1575 cn: nightfly 1576 nisNetgroupTriple: (charlemagne,peg,dunes.aja.com) 1577 nisNetgroupTriple: (lester,-,) 1578 memberNisNetgroup: kamakiriad 1579 1580 This entry represents the netgroup nightfly, which contains two 1581 triples (the user charlemagne, the host peg, and the domain 1582 dunes.aja.com; and, the user lester, no host, and any domain) and one 1583 netgroup (kamakiriad). 1584 1585 Finally, an example of the nisObject class: 1586 1587 dn: nisMapName=tracks,dc=dunes,dc=aja,dc=com 1588 objectClass: top 1589 objectClass: nisMap 1590 nisMapName: tracks 1591 1592 dn: cn=Maxine,nisMapName=tracks,dc=dunes,dc=aja,dc=com 1593 objectClass: top 1594 objectClass: nisObject 1595 cn: Maxine 1596 nisMapName: tracks 1597 nisMapEntry: Nightfly$4 1598 1599 This represents the NIS map tracks, and a single map entry. 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623Howard & Chu Expires February 10, 2010 [Page 29] 1624 1625Internet-Draft LDAP NameService Schema August 2009 1626 1627 1628Appendix B. Affected Library Functions 1629 1630 The following functions are typically found in the C libraries of 1631 most UNIX and POSIX compliant systems [UNIX]. An LDAP search filter 1632 string [RFC4515] which may be used to satisfy the function call is 1633 included alongside each function name. Parameters are denoted by %s 1634 and %d for string and integer arguments, respectively. Long lines 1635 are broken: 1636 1637 getpwnam() (&(objectClass=posixAccount)(uid=%s)) 1638 getpwuid() (&(objectClass=posixAccount)(uidNumber=%d)) 1639 getpwent() (objectClass=posixAccount) 1640 getspnam() (&(objectClass=shadowAccount)(uid=%s)) 1641 getspent() (objectClass=shadowAccount) 1642 1643 getgrnam() (&(objectClass=posixGroup)(cn=%s)) 1644 getgrgid() (&(objectClass=posixGroup)(gidNumber=%d)) 1645 getgrent() (objectClass=posixGroup) 1646 1647 getservbyname() (&(objectClass=ipService)(cn=%s) 1648 (ipServiceProtocol=%s)) 1649 getservbyport() (&(objectClass=ipService)(ipServicePort=%d) 1650 (ipServiceProtocol=%s)) 1651 getservent() (objectClass=ipService) 1652 1653 getrpcbyname() (&(objectClass=oncRpc)(cn=%s)) 1654 getrpcbynumber() (&(objectClass=oncRpc)(oncRpcNumber=%d)) 1655 getrpcent() (objectClass=oncRpc) 1656 1657 getprotobyname() (&(objectClass=ipProtocol)(cn=%s)) 1658 getprotobynumber() (&(objectClass=ipProtocol) 1659 (ipProtocolNumber=%d)) 1660 getprotoent() (objectClass=ipProtocol) 1661 1662 gethostbyname() (&(objectClass=ipHost)(cn=%s)) 1663 gethostbyaddr() (&(objectClass=ipHost)(ipHostNumber=%s)) 1664 gethostent() (objectClass=ipHost) 1665 1666 getnetbyname() (&(objectClass=ipNetwork)(cn=%s)) 1667 getnetbyaddr() (&(objectClass=ipNetwork)(ipNetworkNumber=%s)) 1668 getnetent() (objectClass=ipNetwork) 1669 1670 setnetgrent() (&(objectClass=nisNetgroup)(cn=%s)) 1671 getpublickey() (&(objectClass=nisKeyObject)(...)) 1672 1673 1674 1675 1676 1677 1678 1679Howard & Chu Expires February 10, 2010 [Page 30] 1680 1681Internet-Draft LDAP NameService Schema August 2009 1682 1683 1684Appendix C. Suggested DIT structure 1685 1686 The cn attribute is typically used to name entities. The 1687 ipHostNumber, ipNetworkNumber, and ipServiceProtocol attributes are 1688 also naming attributes, such that multi-valued RDNs may be used to 1689 distinguish between, for example, different interfaces of a 1690 multihomed host. 1691 1692 The following DIT structure MAY be used for deploying this schema. 1693 It is not required that DC-naming be used, but it is encouraged: 1694 1695 Naming context ObjectClass 1696 ============================================================ 1697 ou=people,dc=... posixAccount 1698 shadowAcount 1699 ou=group,dc=... posixGroup 1700 ou=services,dc=... ipService 1701 ou=protocols,dc=... ipProtocol 1702 ou=rpc,dc=... oncRpc 1703 ou=hosts,dc=... ipHost 1704 ou=ethers,dc=... ieee802Device 1705 bootableDevice 1706 ou=networks,dc=... ipNetwork 1707 ou=netgroup,dc=... nisNetgroup 1708 nisMapName=...,dc=... nisObject 1709 automountMapName=...,dc=... automountMap 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735Howard & Chu Expires February 10, 2010 [Page 31] 1736 1737Internet-Draft LDAP NameService Schema August 2009 1738 1739 1740Authors' Addresses 1741 1742 Luke Howard 1743 PADL Software Pty. Ltd. 1744 PO Box 59 1745 Central Park, Vic 3145 1746 AU 1747 1748 Email: lukeh@padl.com 1749 1750 1751 Howard Chu (editor) 1752 Symas Corp. 1753 18740 Oxnard Street, Suite 313A 1754 Tarzana, California 91356 1755 US 1756 1757 Phone: +1 818 757-7087 1758 Email: hyc@symas.com 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791Howard & Chu Expires February 10, 2010 [Page 32] 1792 1793