upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-24 00:29:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

draft rev 1.

Browse source
This commit is contained in:
Kurt Zeilenga 1999-11-22 01:18:28 +00:00
parent a1a5f9752c
commit eeecbd0ea1
1 changed files with 95 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

134
doc/drafts/draft-ietf-ldup-subentry-xx.txt
View file

@ -1,8 +1,8 @@
INTERNET-DRAFT
draft-ietf-ldup-subentry-00.txt
draft-ietf-ldup-subentry-01.txt
Ed Reed
Novell, Inc.
August 15, 1999
August 29, 1999
LDAP Subentry Schema
@ -27,14 +27,15 @@ http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft expires on January 9, 1999.
This Internet-Draft expires on February 29, 1999.
2. Abstract
This document describes an object class called lDAPsubEntry which MAY
This document describes an object class called ldapSubEntry which MAY
be used to indicate operations and management related entries in the
directory, called LDAP Subentries.
directory, called LDAP Subentries. This version of this document is
updated with an assigned OID for the ldapSubEntry object class.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
@ -47,35 +48,34 @@ ones.
Reed [Page 1]
Expires January 15, 2000
Expires February 29, 2000
INTERNET-DRAFT 15 August 1999
INTERNET-DRAFT 29 August 1999
LDAP Subentry Schema
3. Definition
3.1 LDAPsubEntry Class
3.1 ldapSubEntry Class
( 1.3.6.1.4.1.1466.115.121.1.?? NAME 'LDAPsubEntry'
DESC 'LDAP Subentry class, named by cn'
( 2.16.840.1.113719.2.142.6.1.1 NAME 'ldapSubEntry'
DESC 'LDAP Subentry class, version 1'
SUP top STRUCTURAL
MUST ( cn ) )
The class lDAPsubEntry is intended to be used as a super class when
The class ldapSubEntry is intended to be used as a super class when
defining other structural classes to be used as LDAP Subentries. The
presence of lDAPsubEntry in the list of super-classes of an entry in
presence of ldapSubEntry in the list of super-classes of an entry in
the directory makes that entry an LDAP Subentry. Object classes
derived from lDAPsubEntry are themselves considered lDAPsubEntry
derived from ldapSubEntry are themselves considered ldapSubEntry
classes, for the purpose of this discussion.
LDAP Subentries MAY be named by their commonName attribute [LDAPv3].
Other naming attributes are also permitted.
LDAP Subentries MAY be containers, unlike their [X.500] counterparts.
LDAP Subentries MAY be containers, unlike their [X.501] counterparts.
LDAP Subentries MAY be contained by, and will usually be located in
the directory information tree immediately subordinate to,
@ -90,27 +90,39 @@ same way that "operational attributes" are not regularly provided in
search results and read operations when only user attributes are
requested).
NOTE: No special treatment of LDAP Subentries by applications is
required, but it might be worth considering creating an LDAPv3 control
to indicate when LDAP Subentries are desired to be returned (subject
to access controls and search filters, of course) for LDAP search
LDAP servers SHOULD implement the following special handling of
ldapSubEntry entries:
a) search operations which include a matching criteria
"objectclass=ldapSubEntry" MUST include entries derived from the
ldapSubEntry class in the scope of their operations;
b) search operations which do not include a matching criteria
"objectclass=ldapSubEntry" MUST IGNORE entries derived from the
ldapSubEntry class, and exclude them from the scope of their
operations.
Reed [Page 2]
Expires February 29, 2000
INTERNET-DRAFT 29 August 1999
LDAP Subentry Schema
The combination of SHOULD and MUST in the special handling
instructions, above, are meant to convey this: Servers SHOULD support
this special handling, and if they do they MUST do it as described,
and not some other way.
4. Security Considerations
LDAP Subentries will frequently be used to hold data which reflects
either the actual or intended behavior of the directory service. As
such, permission to read such entries MAY need to be restricted to
Reed [Page 2]
Expires January 15, 2000
INTERNET-DRAFT 15 August 1999
LDAP Subentry Schema
authorized users. More importantly, IF a directory service treats the
information in an LDAP Subentry as the authoritative source of policy
to be used to control the behavior of the directory, then permission
@ -124,10 +136,10 @@ to authorized administrators.
[LDUPINFO] _ E. Reed, "LDUP Replication Information Model", draft-
ietf-ldup-infomod-01.txt
[LDAPv3] Kille, S., Wahl, M., and T. Howes, "Lightweight Directory
[LDAPv3] S. Kille, M. Wahl, and T. Howes, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997
[X.500] ITU-T Rec. X.501, "The Directory: Models", 1993
[X.501] ITU-T Rec. X.501, "The Directory: Models", 1993
@ -148,6 +160,14 @@ Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.
Reed [Page 3]
Expires February 29, 2000
INTERNET-DRAFT 29 August 1999
LDAP Subentry Schema
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
@ -159,14 +179,6 @@ WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
Reed [Page 3]
Expires January 15, 2000
INTERNET-DRAFT 15 August 1999
LDAP Subentry Schema
7. Acknowledgements
The use of subEntry object class to store Replica and Replication
@ -203,6 +215,14 @@ Director.
USA
E-mail: Ed_Reed@Novell.com
Reed [Page 4]
Expires February 29, 2000
INTERNET-DRAFT 29 August 1999
LDAP Subentry Schema
LDUP Mailing List: ietf-ldup@imc.org
@ -216,5 +236,41 @@ Director.
Reed [Page 4]
Expires January 15, 2000
Reed [Page 5]
Expires February 29, 2000