1# OpenLDAP X.509 PMI schema 2# OpenLDAP: pkg/ldap/servers/slapd/schema/pmi.schema,v 1.1.2.3 2010/04/13 20:23:49 kurt Exp 3## This work is part of OpenLDAP Software <http://www.openldap.org/>. 4## 5## Copyright 1998-2010 The OpenLDAP Foundation. 6## All rights reserved. 7## 8## Redistribution and use in source and binary forms, with or without 9## modification, are permitted only as authorized by the OpenLDAP 10## Public License. 11## 12## A copy of this license is available in the file LICENSE in the 13## top-level directory of the distribution or, alternatively, at 14## <http://www.OpenLDAP.org/license.html>. 15# 16## Portions Copyright (C) The Internet Society (1997-2006). 17## All Rights Reserved. 18## 19## This document and translations of it may be copied and furnished to 20## others, and derivative works that comment on or otherwise explain it 21## or assist in its implementation may be prepared, copied, published 22## and distributed, in whole or in part, without restriction of any 23## kind, provided that the above copyright notice and this paragraph are 24## included on all such copies and derivative works. However, this 25## document itself may not be modified in any way, such as by removing 26## the copyright notice or references to the Internet Society or other 27## Internet organizations, except as needed for the purpose of 28## developing Internet standards in which case the procedures for 29## copyrights defined in the Internet Standards process must be 30## followed, or as required to translate it into languages other than 31## English. 32## 33## The limited permissions granted above are perpetual and will not be 34## revoked by the Internet Society or its successors or assigns. 
35## 36## This document and the information contained herein is provided on an 37## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 38## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 39## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 40## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 41## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 42 43# 44# 45# Includes LDAPv3 schema items from: 46# ITU X.509 (08/2005) 47# 48## X.509 (08/2005) pp. 120-121 49## 50## -- object identifier assignments -- 51## -- object classes -- 52## id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24} 53## id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25} 54## id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26} 55## id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27} 56## id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32} 57## id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33} 58## id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34} 59## -- directory attributes -- 60## id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58} 61## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59} 62## id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61} 63## id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62} 64## id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63} 65## id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71} 66## id-at-role OBJECT IDENTIFIER ::= {id-at 72} 67## id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73} 68## id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74} 69## id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75} 70## id-at-xMLPprotPrivPolicy OBJECT IDENTIFIER ::= {id-at 76} 71## -- attribute certificate extensions -- 72## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38} 73## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39} 74## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41} 
75## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42} 76## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43} 77## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48} 78## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49} 79## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50} 80## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52} 81## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55} 82## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56} 83## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57} 84## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61} 85## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62} 86## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64} 87## -- PMI matching rules -- 88## id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42} 89## id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45} 90## id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46} 91## id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53} 92## id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54} 93## id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55} 94## id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56} 95## id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57} 96## id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58} 97## id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59} 98## id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61} 99## id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66} 100## id-mr-indirectIssuerMatch OBJECT IDENTIFIER ::= {id-mr 67} 101## 102## 103## X.509 (08/2005) pp. 
71, 86-89 104## 105## 14.4.1 Role attribute 106## role ATTRIBUTE ::= { 107## WITH SYNTAX RoleSyntax 108## ID id-at-role } 109## RoleSyntax ::= SEQUENCE { 110## roleAuthority [0] GeneralNames OPTIONAL, 111## roleName [1] GeneralName } 112## 113## 14.5 XML privilege information attribute 114## xmlPrivilegeInfo ATTRIBUTE ::= { 115## WITH SYNTAX UTF8String -- contains XML-encoded privilege information 116## ID id-at-xMLPrivilegeInfo } 117## 118## 17.1 PMI directory object classes 119## 120## 17.1.1 PMI user object class 121## pmiUser OBJECT-CLASS ::= { 122## -- a PMI user (i.e., a "holder") 123## SUBCLASS OF {top} 124## KIND auxiliary 125## MAY CONTAIN {attributeCertificateAttribute} 126## ID id-oc-pmiUser } 127## 128## 17.1.2 PMI AA object class 129## pmiAA OBJECT-CLASS ::= { 130## -- a PMI AA 131## SUBCLASS OF {top} 132## KIND auxiliary 133## MAY CONTAIN {aACertificate | 134## attributeCertificateRevocationList | 135## attributeAuthorityRevocationList} 136## ID id-oc-pmiAA } 137## 138## 17.1.3 PMI SOA object class 139## pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority 140## SUBCLASS OF {top} 141## KIND auxiliary 142## MAY CONTAIN {attributeCertificateRevocationList | 143## attributeAuthorityRevocationList | 144## attributeDescriptorCertificate} 145## ID id-oc-pmiSOA } 146## 147## 17.1.4 Attribute certificate CRL distribution point object class 148## attCertCRLDistributionPt OBJECT-CLASS ::= { 149## SUBCLASS OF {top} 150## KIND auxiliary 151## MAY CONTAIN { attributeCertificateRevocationList | 152## attributeAuthorityRevocationList } 153## ID id-oc-attCertCRLDistributionPts } 154## 155## 17.1.5 PMI delegation path 156## pmiDelegationPath OBJECT-CLASS ::= { 157## SUBCLASS OF {top} 158## KIND auxiliary 159## MAY CONTAIN { delegationPath } 160## ID id-oc-pmiDelegationPath } 161## 162## 17.1.6 Privilege policy object class 163## privilegePolicy OBJECT-CLASS ::= { 164## SUBCLASS OF {top} 165## KIND auxiliary 166## MAY CONTAIN {privPolicy } 167## ID 
id-oc-privilegePolicy } 168## 169## 17.1.7 Protected privilege policy object class 170## protectedPrivilegePolicy OBJECT-CLASS ::= { 171## SUBCLASS OF {top} 172## KIND auxiliary 173## MAY CONTAIN {protPrivPolicy } 174## ID id-oc-protectedPrivilegePolicy } 175## 176## 17.2 PMI Directory attributes 177## 178## 17.2.1 Attribute certificate attribute 179## attributeCertificateAttribute ATTRIBUTE ::= { 180## WITH SYNTAX AttributeCertificate 181## EQUALITY MATCHING RULE attributeCertificateExactMatch 182## ID id-at-attributeCertificate } 183## 184## 17.2.2 AA certificate attribute 185## aACertificate ATTRIBUTE ::= { 186## WITH SYNTAX AttributeCertificate 187## EQUALITY MATCHING RULE attributeCertificateExactMatch 188## ID id-at-aACertificate } 189## 190## 17.2.3 Attribute descriptor certificate attribute 191## attributeDescriptorCertificate ATTRIBUTE ::= { 192## WITH SYNTAX AttributeCertificate 193## EQUALITY MATCHING RULE attributeCertificateExactMatch 194## ID id-at-attributeDescriptorCertificate } 195## 196## 17.2.4 Attribute certificate revocation list attribute 197## attributeCertificateRevocationList ATTRIBUTE ::= { 198## WITH SYNTAX CertificateList 199## EQUALITY MATCHING RULE certificateListExactMatch 200## ID id-at-attributeCertificateRevocationList} 201## 202## 17.2.5 AA certificate revocation list attribute 203## attributeAuthorityRevocationList ATTRIBUTE ::= { 204## WITH SYNTAX CertificateList 205## EQUALITY MATCHING RULE certificateListExactMatch 206## ID id-at-attributeAuthorityRevocationList } 207## 208## 17.2.6 Delegation path attribute 209## delegationPath ATTRIBUTE ::= { 210## WITH SYNTAX AttCertPath 211## ID id-at-delegationPath } 212## AttCertPath ::= SEQUENCE OF AttributeCertificate 213## 214## 17.2.7 Privilege policy attribute 215## privPolicy ATTRIBUTE ::= { 216## WITH SYNTAX PolicySyntax 217## ID id-at-privPolicy } 218## 219## 17.2.8 Protected privilege policy attribute 220## protPrivPolicy ATTRIBUTE ::= { 221## WITH SYNTAX AttributeCertificate 
## EQUALITY MATCHING RULE attributeCertificateExactMatch
## ID id-at-protPrivPolicy }
##
## 17.2.9 XML Protected privilege policy attribute
## xmlPrivPolicy ATTRIBUTE ::= {
## WITH SYNTAX UTF8String -- contains XML-encoded privilege policy information
## ID id-at-xMLPprotPrivPolicy }
##

## -- object identifier assignments --
## The "objectidentifier NAME OID" macros below are the only place the
## numeric OIDs live; the attributeType/objectClass definitions later in
## this file refer to them by name.  2.5.6.N and 2.5.4.N are the
## joint-iso-itu-t {id-oc N} / {id-at N} values quoted from the ITU text
## above, so they are stable, registered identifiers.
## -- object classes --
objectidentifier id-oc-pmiUser 2.5.6.24
objectidentifier id-oc-pmiAA 2.5.6.25
objectidentifier id-oc-pmiSOA 2.5.6.26
objectidentifier id-oc-attCertCRLDistributionPts 2.5.6.27
objectidentifier id-oc-privilegePolicy 2.5.6.32
objectidentifier id-oc-pmiDelegationPath 2.5.6.33
objectidentifier id-oc-protectedPrivilegePolicy 2.5.6.34
## -- directory attributes --
objectidentifier id-at-attributeCertificate 2.5.4.58
objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59
objectidentifier id-at-aACertificate 2.5.4.61
objectidentifier id-at-attributeDescriptorCertificate 2.5.4.62
objectidentifier id-at-attributeAuthorityRevocationList 2.5.4.63
objectidentifier id-at-privPolicy 2.5.4.71
objectidentifier id-at-role 2.5.4.72
objectidentifier id-at-delegationPath 2.5.4.73
objectidentifier id-at-protPrivPolicy 2.5.4.74
objectidentifier id-at-xMLPrivilegeInfo 2.5.4.75
objectidentifier id-at-xMLPprotPrivPolicy 2.5.4.76
## -- attribute certificate extensions --
## Listed for reference only: no macro is declared for these and nothing
## in this file uses them.  They identify extensions carried inside the
## DER-encoded attribute certificate, which the directory stores but does
## not parse.
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
## Of these, only attributeCertificateExactMatch is referenced by an
## EQUALITY clause below.  No matchingRule directive defines it in this
## file, so the rule has to come from slapd's built-in schema --
## NOTE(review): confirm the server build in use actually provides it,
## otherwise the attributeType definitions that name it will not load.
objectidentifier id-mr 2.5.13
objectidentifier id-mr-attributeCertificateMatch id-mr:42
objectidentifier id-mr-attributeCertificateExactMatch id-mr:45
objectidentifier id-mr-holderIssuerMatch id-mr:46
objectidentifier id-mr-authAttIdMatch id-mr:53
objectidentifier id-mr-roleSpecCertIdMatch id-mr:54
objectidentifier id-mr-basicAttConstraintsMatch id-mr:55
objectidentifier id-mr-delegatedNameConstraintsMatch id-mr:56
objectidentifier id-mr-timeSpecMatch id-mr:57
objectidentifier id-mr-attDescriptorMatch id-mr:58
objectidentifier id-mr-acceptableCertPoliciesMatch id-mr:59
objectidentifier id-mr-delegationPathMatch id-mr:61
objectidentifier id-mr-sOAIdentifierMatch id-mr:66
objectidentifier id-mr-indirectIssuerMatch id-mr:67
## -- syntaxes --
## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP
## to this work in progress
## Because the 4203.666.* arc is explicitly "work in progress", the
## syntax OIDs under it may change between releases; clients and other
## servers should not hardcode them.  CertificateList is the exception:
## 1.3.6.1.4.1.1466.115.121.1.9 is the standard, registered LDAP
## Certificate List syntax.
objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9
objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
objectidentifier PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5
objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
# NOTE: OIDs from <draft-ietf-pkix-ldap-schema-02.txt> (expired)
# Kept commented out for reference only.  Do not enable both sets: a
# macro name can be bound to one OID, and data written under one OID is
# not found by clients asking for the other.
#objectidentifier AttributeCertificate 1.2.826.0.1.3344810.7.5
#objectidentifier AttCertPath 1.2.826.0.1.3344810.7.10
#objectidentifier PolicySyntax 1.2.826.0.1.3344810.7.17
#objectidentifier RoleSyntax 1.2.826.0.1.3344810.7.13
##
## Substitute syntaxes
##
## AttCertPath
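## The three syntaxes below are declared with X-SUBST pointing at
## Directory String (1.3.6.1.4.1.1466.115.121.1.15).  Per slapd.conf(5),
## slapd then handles values of these syntaxes as Directory String; it
## does not decode or check the ASN.1 structure named in the DESC.  That
## is why every attribute using them carries the "use ;binary" hint, and
## it means the directory performs no validation of attribute
## certificates, delegation paths or policies: they are opaque blobs
## that the relying party must DER-decode and signature-check itself.
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4
	NAME 'AttCertPath'
	DESC 'X.509 PMI attribute certificate path: SEQUENCE OF AttributeCertificate'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## PolicySyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5
	NAME 'PolicySyntax'
	DESC 'X.509 PMI policy syntax'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## RoleSyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6
	NAME 'RoleSyntax'
	DESC 'X.509 PMI role syntax'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## X.509 (08/2005) pp. 71, 86-89
##
## 14.4.1 Role attribute
## No EQUALITY rule: role values cannot be selected with an equality
## filter, only read back and decoded by the client.
attributeType ( id-at-role
	NAME 'role'
	DESC 'X.509 Role attribute, use ;binary'
	SYNTAX RoleSyntax )
##
## 14.5 XML privilege information attribute
## -- contains XML-encoded privilege information
## Plain Directory String: slapd checks only that the value is a valid
## string, not that it is well-formed XML or a valid privilege document.
attributeType ( id-at-xMLPrivilegeInfo
	NAME 'xmlPrivilegeInfo'
	DESC 'X.509 XML privilege information attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.2 PMI Directory attributes
##
## The three AttributeCertificate-valued attributes below share the
## attributeCertificateExactMatch EQUALITY rule, which is not defined in
## this file (no matchingRule directive) -- NOTE(review): it is expected
## to be built into slapd; confirm for the build in use.
##
## 17.2.1 Attribute certificate attribute
attributeType ( id-at-attributeCertificate
	NAME 'attributeCertificateAttribute'
	DESC 'X.509 Attribute certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.2 AA certificate attribute
attributeType ( id-at-aACertificate
	NAME 'aACertificate'
	DESC 'X.509 AA certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.3 Attribute descriptor certificate attribute
attributeType ( id-at-attributeDescriptorCertificate
	NAME 'attributeDescriptorCertificate'
	DESC 'X.509 Attribute descriptor certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.4 Attribute certificate revocation list attribute
## X-EQUALITY only records the intended rule; no EQUALITY is in force,
## so these CRLs cannot be located with an equality filter.  A relying
## party doing revocation checks must fetch the attribute and parse the
## CertificateList itself.
attributeType ( id-at-attributeCertificateRevocationList
	NAME 'attributeCertificateRevocationList'
	DESC 'X.509 Attribute certificate revocation list attribute, use ;binary'
	SYNTAX CertificateList
	X-EQUALITY 'certificateListExactMatch, not implemented yet' )
##
## 17.2.5 AA certificate revocation list attribute
## Same caveat as 17.2.4: no effective EQUALITY rule.
attributeType ( id-at-attributeAuthorityRevocationList
	NAME 'attributeAuthorityRevocationList'
	DESC 'X.509 AA certificate revocation list attribute, use ;binary'
	SYNTAX CertificateList
	X-EQUALITY 'certificateListExactMatch, not implemented yet' )
##
## 17.2.6 Delegation path attribute
## A stored delegation path is not validated here (see the X-SUBST note
## above); the chain must be verified by the consumer.
attributeType ( id-at-delegationPath
	NAME 'delegationPath'
	DESC 'X.509 Delegation path attribute, use ;binary'
	SYNTAX AttCertPath )
## AttCertPath ::= SEQUENCE OF AttributeCertificate
##
## 17.2.7 Privilege policy attribute
attributeType ( id-at-privPolicy
	NAME 'privPolicy'
	DESC 'X.509 Privilege policy attribute, use ;binary'
	SYNTAX PolicySyntax )
##
## 17.2.8 Protected privilege policy attribute
## "Protected" refers to the policy being wrapped in an attribute
## certificate by the issuer; the directory itself adds no protection.
attributeType ( id-at-protPrivPolicy
	NAME 'protPrivPolicy'
	DESC 'X.509 Protected privilege policy attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
##
## 17.2.9 XML Protected privilege policy attribute
## -- contains XML-encoded privilege policy information
## Plain Directory String, as for xmlPrivilegeInfo: no XML or policy
## validation server-side.
attributeType ( id-at-xMLPprotPrivPolicy
	NAME 'xmlPrivPolicy'
	DESC 'X.509 XML Protected privilege policy attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.1 PMI directory object classes
##
## All classes below are AUXILIARY and only make the PMI attributes
## permissible on an entry.  Schema does not restrict who may write
## them: unless slapd ACLs limit write access to attributeCertificate-,
## aACertificate-, revocation-list- and policy-valued attributes, any
## principal with write access to the entry can publish a forged AC,
## CRL or policy.  Relying parties must still verify issuer signatures
## rather than trust the directory as a source of authority.
##
## 17.1.1 PMI user object class
## -- a PMI user (i.e., a "holder")
objectClass ( id-oc-pmiUser
	NAME 'pmiUser'
	DESC 'X.509 PMI user object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateAttribute ) )
##
## 17.1.2 PMI AA object class
## -- a PMI AA
objectClass ( id-oc-pmiAA
	NAME 'pmiAA'
	DESC 'X.509 PMI AA object class'
	SUP top
	AUXILIARY
	MAY ( aACertificate $
		attributeCertificateRevocationList $
		attributeAuthorityRevocationList
	) )
##
## 17.1.3 PMI SOA object class
## -- a PMI Source of Authority
objectClass ( id-oc-pmiSOA
	NAME 'pmiSOA'
	DESC 'X.509 PMI SOA object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateRevocationList $
		attributeAuthorityRevocationList $
		attributeDescriptorCertificate
	) )
##
## 17.1.4 Attribute certificate CRL distribution point object class
## NAME is singular ('attCertCRLDistributionPt') while the OID macro is
## plural (id-oc-attCertCRLDistributionPts); both follow the ITU text
## and are intentional.
objectClass ( id-oc-attCertCRLDistributionPts
	NAME 'attCertCRLDistributionPt'
	DESC 'X.509 Attribute certificate CRL distribution point object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateRevocationList $
		attributeAuthorityRevocationList
	) )
##
## 17.1.5 PMI delegation path
objectClass ( id-oc-pmiDelegationPath
	NAME 'pmiDelegationPath'
	DESC 'X.509 PMI delegation path'
	SUP top
	AUXILIARY
	MAY ( delegationPath ) )
##
## 17.1.6 Privilege policy object class
objectClass ( id-oc-privilegePolicy
	NAME 'privilegePolicy'
	DESC 'X.509 Privilege policy object class'
	SUP top
	AUXILIARY
	MAY ( privPolicy ) )
##
## 17.1.7 Protected privilege policy object class
objectClass ( id-oc-protectedPrivilegePolicy
	NAME 'protectedPrivilegePolicy'
	DESC 'X.509 Protected privilege policy object class'
	SUP top
	AUXILIARY
	MAY ( protPrivPolicy ) )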