Internet Draft                                           M. R. Bannister
<draft-bannister-dbis-hosts-04.txt>                Prose Consulting Ltd.
Category: Informational                                   March 11, 2014
Expires September 12, 2014

                 Directory-Based Information Services:
                      Hosts, Networks and Services

Status of this Memo

   Distribution of this memo is unlimited.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 12, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.







Bannister, Mark R.     Expires September 12, 2014               [Page 1]


Internet Draft     DBIS Hosts, Networks and Services      March 11, 2014


Abstract

   This document extends Directory-Based Information Services (DBIS)
   described in [draft-bannister-dbis-mapping-00] to support hosts,
   networks, netmasks, protocols, rpc and services databases.

   The database schemas SHALL be backwards compatible with the Network
   Information Service [NIS] but stored within [X.500] entries so that
   they may be resolved with the Lightweight Directory Access Protocol
   [RFC4510].

   A hosts database maps hostnames to IP addresses, networks map network
   names to network numbers, netmasks map network numbers to netmasks,
   protocols map network protocol names to protocol numbers, rpc maps
   Remote Procedure Call [RFC1057] program names to RPC program numbers
   and services map network service names to port numbers and protocols.

   This document describes configuration maps [draft-bannister-dbis-
   mapping-00] for hosts, networks, protocols, rpc and services, and
   database entries referenced by those maps.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED" and "MAY" in this document are
   to be interpreted as described in [RFC2119].

Table of Contents

   1. Configuration Maps  . . . . . . . . . . . . . . . . . . . . . .  4
     1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.2. Example Configuration Map Entries . . . . . . . . . . . . .  5
   2. Database  . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     2.1. hosts . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
       2.1.1. Definition  . . . . . . . . . . . . . . . . . . . . . .  5
       2.1.2. Object Classes  . . . . . . . . . . . . . . . . . . . .  5
         2.1.2.1. Introduction  . . . . . . . . . . . . . . . . . . .  5
         2.1.2.2. dbisHostConfig  . . . . . . . . . . . . . . . . . .  5
         2.1.2.3. ipHostObject  . . . . . . . . . . . . . . . . . . .  6
         2.1.2.4. ipv4HostObject  . . . . . . . . . . . . . . . . . .  6
         2.1.2.5. ipv6HostObject  . . . . . . . . . . . . . . . . . .  6
       2.1.3. Attributes  . . . . . . . . . . . . . . . . . . . . . .  6
         2.1.3.1. rn  . . . . . . . . . . . . . . . . . . . . . . . .  6
         2.1.3.2. authPassword  . . . . . . . . . . . . . . . . . . .  7
         2.1.3.3. userPassword  . . . . . . . . . . . . . . . . . . .  7
         2.1.3.4. exactNetgroup . . . . . . . . . . . . . . . . . . .  7
         2.1.3.5. automountUseMap . . . . . . . . . . . . . . . . . .  7
         2.1.3.6. ipv4Address . . . . . . . . . . . . . . . . . . . .  7
         2.1.3.7. ipv6Address . . . . . . . . . . . . . . . . . . . .  8
       2.1.4. Example Host Entry  . . . . . . . . . . . . . . . . . .  8

     2.2. networks  . . . . . . . . . . . . . . . . . . . . . . . . .  9
       2.2.1. Definition  . . . . . . . . . . . . . . . . . . . . . .  9
       2.2.2. Object Classes  . . . . . . . . . . . . . . . . . . . .  9
         2.2.2.1. Introduction  . . . . . . . . . . . . . . . . . . .  9
         2.2.2.2. dbisNetworkConfig . . . . . . . . . . . . . . . . .  9
         2.2.2.3. ipNetworkObject . . . . . . . . . . . . . . . . . .  9
       2.2.3. Attributes  . . . . . . . . . . . . . . . . . . . . . . 10
         2.2.3.1. en  . . . . . . . . . . . . . . . . . . . . . . . . 10
         2.2.3.2. ipNetworkNumber . . . . . . . . . . . . . . . . . . 10
         2.2.3.3. ipNetmaskNumber . . . . . . . . . . . . . . . . . . 10
       2.2.4. Example Network Entry . . . . . . . . . . . . . . . . . 10
     2.3. protocols . . . . . . . . . . . . . . . . . . . . . . . . . 11
       2.3.1. Definition  . . . . . . . . . . . . . . . . . . . . . . 11
       2.3.2. Object Classes  . . . . . . . . . . . . . . . . . . . . 11
         2.3.2.1. Introduction  . . . . . . . . . . . . . . . . . . . 11
         2.3.2.2. dbisProtocolConfig  . . . . . . . . . . . . . . . . 11
         2.3.2.3. ipProtocolObject  . . . . . . . . . . . . . . . . . 12
       2.3.3. Attributes  . . . . . . . . . . . . . . . . . . . . . . 12
         2.3.3.1. en  . . . . . . . . . . . . . . . . . . . . . . . . 12
         2.3.3.2. ipProtocolNumber  . . . . . . . . . . . . . . . . . 12
       2.3.4. Example Protocol Entry  . . . . . . . . . . . . . . . . 12
     2.4. rpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
       2.4.1. Definition  . . . . . . . . . . . . . . . . . . . . . . 13
       2.4.2. Object Classes  . . . . . . . . . . . . . . . . . . . . 13
         2.4.2.1. Introduction  . . . . . . . . . . . . . . . . . . . 13
         2.4.2.2. dbisRpcConfig . . . . . . . . . . . . . . . . . . . 13
         2.4.2.3. rpcObject . . . . . . . . . . . . . . . . . . . . . 13
       2.4.3. Attributes  . . . . . . . . . . . . . . . . . . . . . . 14
         2.4.3.1. en  . . . . . . . . . . . . . . . . . . . . . . . . 14
         2.4.3.2. rpcNumber . . . . . . . . . . . . . . . . . . . . . 14
       2.4.4. Example RPC Entry . . . . . . . . . . . . . . . . . . . 14
     2.5. services  . . . . . . . . . . . . . . . . . . . . . . . . . 14
       2.5.1. Definition  . . . . . . . . . . . . . . . . . . . . . . 15
       2.5.2. Object Classes  . . . . . . . . . . . . . . . . . . . . 15
         2.5.2.1. Introduction  . . . . . . . . . . . . . . . . . . . 15
         2.5.2.2. dbisServiceConfig . . . . . . . . . . . . . . . . . 15
         2.5.2.3. ipServiceObject . . . . . . . . . . . . . . . . . . 15
       2.5.3. Attributes  . . . . . . . . . . . . . . . . . . . . . . 15
         2.5.3.1. en  . . . . . . . . . . . . . . . . . . . . . . . . 16
         2.5.3.2. ipPortNumber  . . . . . . . . . . . . . . . . . . . 16
         2.5.3.3. ipProtocolName  . . . . . . . . . . . . . . . . . . 16
       2.5.4. Example Service Entry . . . . . . . . . . . . . . . . . 16
   3. Common Attributes . . . . . . . . . . . . . . . . . . . . . . . 17
     3.1. Definition  . . . . . . . . . . . . . . . . . . . . . . . . 17
     3.2. description . . . . . . . . . . . . . . . . . . . . . . . . 17
     3.3. manager . . . . . . . . . . . . . . . . . . . . . . . . . . 17
     3.4. l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
     3.5. disableObject . . . . . . . . . . . . . . . . . . . . . . . 17

   4. Attribute Syntax  . . . . . . . . . . . . . . . . . . . . . . . 18
   5. Implementation Notes  . . . . . . . . . . . . . . . . . . . . . 18
     5.1. NIS Compatible Field Mapping  . . . . . . . . . . . . . . . 18
       5.1.1. Introduction  . . . . . . . . . . . . . . . . . . . . . 18
       5.1.2. hosts . . . . . . . . . . . . . . . . . . . . . . . . . 18
       5.1.3. networks  . . . . . . . . . . . . . . . . . . . . . . . 19
       5.1.4. netmasks  . . . . . . . . . . . . . . . . . . . . . . . 19
       5.1.5. protocols . . . . . . . . . . . . . . . . . . . . . . . 19
       5.1.6. rpc . . . . . . . . . . . . . . . . . . . . . . . . . . 19
       5.1.7. services  . . . . . . . . . . . . . . . . . . . . . . . 20
     5.2. Common Search Filters . . . . . . . . . . . . . . . . . . . 20
       5.2.1. Search Parameters . . . . . . . . . . . . . . . . . . . 20
       5.2.2. Find Configuration Map for Domain . . . . . . . . . . . 21
       5.2.3. List All Entries  . . . . . . . . . . . . . . . . . . . 21
       5.2.4. Find Specific Entry . . . . . . . . . . . . . . . . . . 21
       5.2.5. Find Host by Address  . . . . . . . . . . . . . . . . . 22
       5.2.6. Find Network by Address . . . . . . . . . . . . . . . . 22
       5.2.7. Find Protocol by Number . . . . . . . . . . . . . . . . 22
       5.2.8. Find RPC by Number  . . . . . . . . . . . . . . . . . . 22
       5.2.9. Find Service by Name and Protocol . . . . . . . . . . . 22
       5.2.10. Find Service by Port and Protocol  . . . . . . . . . . 22
   6. Security Considerations . . . . . . . . . . . . . . . . . . . . 23
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 23
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 24
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 24


1. Configuration Maps

1.1. Scope

   All databases described in this document use the standard
   configuration maps defined in [draft-bannister-dbis-mapping-00],
   section 3.

   Additionally, dbisMapConfig entries for the databases described in
   this document SHALL have assigned the object classes described below.
   It is RECOMMENDED that the dbisMapConfig entry for each of these
   databases have the dbisMapFilter attribute set according to the
   following table:

     --------------------------------------------------------------
     Database   Configuration Class   dbisMapFilter
     --------------------------------------------------------------
     hosts      dbisHostConfig        objectClass=ipHostObject
     networks   dbisNetworkConfig     objectClass=ipNetworkObject
     protocols  dbisProtocolConfig    objectClass=ipProtocolObject
     rpc        dbisRpcConfig         objectClass=rpcObject
     services   dbisServiceConfig     objectClass=ipServiceObject
     --------------------------------------------------------------

1.2. Example Configuration Map Entries

   The following gives an example of a configuration map entry for a
   hosts database:

       dn: cn=hosts,en=sales.corp,ou=domain-mappings,o=infra
       objectClass: top
       objectClass: dbisMapConfig
       objectClass: dbisHostConfig
       cn: hosts
       dbisMapDN: cn=hosts,ou=dbis,o=infra
       dbisMapFilter: objectClass=ipHostObject
       profileTTL: 900
       description: Primary hosts database

2. Database

2.1. hosts

2.1.1. Definition

   A hosts database contains the following fields:

   - IPv4 or IPv6 address.

   - Canonical host name.

   - Aliases.

   The information that makes up a database entry is obtained from the
   attributes described in the following sections.

2.1.2. Object Classes

2.1.2.1. Introduction

   A dbisMapConfig entry for a hosts database SHALL be assigned the
   object class dbisHostConfig.

   A host entry SHALL be defined by an LDAP entry with the object class
   ipv4HostObject or ipv6HostObject for IPv4 and IPv6 addresses
   respectively.

2.1.2.2. dbisHostConfig

   The dbisHostConfig class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.15 NAME 'dbisHostConfig'
         DESC 'DBIS hosts configuration map'
         SUP dbisMapConfig STRUCTURAL )

2.1.2.3. ipHostObject

   The ipHostObject class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.16 NAME 'ipHostObject'
         DESC 'An IP address and associated host name'
         SUP top ABSTRACT
         MUST rn
         MAY ( authPassword $ userPassword $ exactNetgroup $
               description $ manager $ l $ automountUseMap $
               disableObject ) )

   This class is an abstract class and is not to be used directly. The
   ipv4HostObject or ipv6HostObject classes must be used instead.

2.1.2.4. ipv4HostObject

   The ipv4HostObject class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.17 NAME 'ipv4HostObject'
         DESC 'An IPv4 address'
         SUP ipHostObject STRUCTURAL
         MUST ipv4Address )

2.1.2.5. ipv6HostObject

   The ipv6HostObject class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.18 NAME 'ipv6HostObject'
         DESC 'An IPv6 address'
         SUP ipHostObject STRUCTURAL
         MUST ipv6Address )

2.1.3. Attributes

2.1.3.1. rn

   The fully-qualified canonical name of the host is stored in the LDAP
   attribute rn which is defined in [draft-bannister-dbis-mapping-00].
   The rn attribute MUST be associated with an ipHostObject entry and
   SHALL form the RDN.

   If required, alias entries may be defined according to section 2.6 of
   [RFC4512] and as permitted by section 1.2 of [draft-bannister-dbis-
   mapping-00].

2.1.3.2. authPassword

   An encrypted password may be stored in the authPassword attribute,
   which is defined in section 2.5 of [RFC3112] and MAY be assigned to
   an ipHostObject entry.  All notes regarding the use of the
   authPassword attribute in section 2.1.3.7 of [draft-bannister-dbis-
   passwd-01] apply equally to this document.

2.1.3.3. userPassword

   For compatibility, an encrypted password may alternatively be stored
   in the userPassword attribute, which is defined in section 2.41 of
   [RFC4519] and MAY be assigned to an ipHostObject entry.  All notes
   regarding the use of the userPassword attribute in section 2.1.3.8 of
   [draft-bannister-dbis-passwd-01] apply equally to this document.

2.1.3.4. exactNetgroup

   The netgroup membership of the host can be expressed by providing
   netgroup names in one or more exactNetgroup attributes, defined in
   [draft-bannister-dbis-netgroup-00], which MAY be assigned to an
   ipHostObject entry.

   This attribute is provided as an alternative mechanism to using the
   netgroupHost attribute on the netgroupObject entry.

   The DUA SHALL validate that a netgroup referenced by this attribute
   exists and is enabled.  If the netgroup is not defined, or if it has
   been disabled with the disableObject attribute, then it SHALL NOT be
   included in the response to the client.

2.1.3.5. automountUseMap

   One or more automounter map names, identifying maps with the object
   class automountMapObject, are given in the automountUseMap attribute,
   which is defined in section 3.1.1 of [draft-bannister-dbis-
   automounter-01] and MAY be assigned to an ipHostObject entry.

   Automounter map entries associated with host entries define a list of
   additional paths that the automounter should manage on this host.

2.1.3.6. ipv4Address

   The IPv4 address in dotted decimal format is stored in the
   ipv4Address attribute which MUST be associated with an ipv4HostObject
   entry:

       attributetype ( 1.3.6.1.4.1.23780.219.2.27 NAME 'ipv4Address'
         DESC 'An IPv4 address in dotted decimal format'
         EQUALITY caseIgnoreIA5Match SINGLE-VALUE
         SUBSTR caseIgnoreIA5SubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{15} )

2.1.3.7. ipv6Address

   The IPv6 address [RFC2373] is stored in the ipv6Address attribute
   that MUST be associated with an ipv6HostObject entry:

       attributetype ( 1.3.6.1.4.1.23780.219.2.28 NAME 'ipv6Address'
         DESC 'An IPv6 address [RFC2373]'
         EQUALITY caseIgnoreIA5Match SINGLE-VALUE
         SUBSTR caseIgnoreIA5SubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{45} )

2.1.4. Example Host Entry

   The following is an example of an ipv4HostObject entry in LDIF format
   [RFC2849]:

       dn: rn=picard,ou=hosts,o=infra
       objectClass: top
       objectClass: ipHostObject
       objectClass: ipv4HostObject
       rn: picard
       ipv4Address: 10.11.12.13
       exactNetgroup: enterprise
       exactNetgroup: federation

   The following is an example of an ipv6HostObject entry:

       dn: rn=picard-hive,ou=hosts,o=infra
       objectClass: top
       objectClass: ipHostObject
       objectClass: ipv6HostObject
       rn: picard-hive
       ipv6Address: 0:1:2:3:4:5:6:7
       exactNetgroup: collective

   The following is an example of a host alias entry:

       dn: rn=picard-eth0,ou=hosts,o=infra
       objectClass: top
       objectClass: alias
       objectClass: extensibleObject
       rn: picard-eth0
       aliasedObjectName: rn=picard,ou=hosts,o=infra

2.2. networks

2.2.1. Definition

   A networks database contains the following fields:

   - Network name.

   - IP network number.

   - Aliases.

   The NIS netmasks map additionally contains the IP network mask.

   The information that makes up a database entry is obtained from the
   attributes described in the following sections.

2.2.2. Object Classes

2.2.2.1. Introduction

   A dbisMapConfig entry for a networks database SHALL be assigned the
   object class dbisNetworkConfig.

   A network entry SHALL be defined by an LDAP entry with the object
   class ipNetworkObject.

2.2.2.2. dbisNetworkConfig

   The dbisNetworkConfig class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.19 NAME 'dbisNetworkConfig'
         DESC 'DBIS networks configuration map'
         SUP dbisMapConfig STRUCTURAL )

2.2.2.3. ipNetworkObject

   The ipNetworkObject class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.20 NAME 'ipNetworkObject'
         DESC 'An IP network entry'
         SUP top STRUCTURAL
         MUST ipNetworkNumber
         MAY ( en $ ipNetmaskNumber $ description $ manager $
               l $ disableObject ) )

2.2.3. Attributes

2.2.3.1. en

   The name of the network is stored in the LDAP attribute en which is
   defined in [draft-bannister-dbis-mapping-00].  The en attribute MAY
   be associated with an ipNetworkObject entry, and if provided SHALL
   form the RDN.

   If required, alias entries may be defined according to section 2.6 of
   [RFC4512] and as permitted by section 1.2 of [draft-bannister-dbis-
   mapping-00].

2.2.3.2. ipNetworkNumber

   The IP network address in dotted decimal format is stored in the
   ipNetworkNumber attribute which MUST be associated with an
   ipNetworkObject entry:

       attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
         DESC 'IP network as a dotted decimal, eg. 192.168,
               omitting leading zeros'
         EQUALITY caseIgnoreIA5Match
         SUBSTR caseIgnoreIA5SubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

   If the en attribute is not provided, then the ipNetworkNumber SHALL
   form the RDN.

2.2.3.3. ipNetmaskNumber

   The IP netmask address in dotted decimal format is stored in the
   ipNetmaskNumber attribute which MAY be associated with an
   ipNetworkObject entry:

       attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
         DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
               omitting leading zeros'
         EQUALITY caseIgnoreIA5Match
         SUBSTR caseIgnoreIA5SubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

2.2.4. Example Network Entry

   The following is an example of an ipNetworkObject entry in LDIF
   format [RFC2849]:

       dn: en=lab,ou=networks,o=infra
       objectClass: top
       objectClass: ipNetworkObject
       en: lab
       ipNetworkNumber: 10.23.10
       ipNetmaskNumber: 255.255.255.0

   The following is an example of a network alias entry:

       dn: en=testnet,ou=networks,o=infra
       objectClass: top
       objectClass: alias
       objectClass: extensibleObject
       en: testnet
       aliasedObjectName: en=lab,ou=networks,o=infra
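   Added example, not part of the draft: the following Python expands an
   ipNetworkNumber value (written with trailing zero octets omitted, as
   10.23.10 above), combines it with ipNetmaskNumber, and answers the
   question the NIS netmasks map exists for, namely which network an
   address belongs to.  Falling back to a classful mask when
   ipNetmaskNumber is absent is this example's assumption, not a rule of
   the draft.

```python
import ipaddress

# Constructed sample entries in the shape of section 2.2.4 (attribute
# name -> value); the second one carries no ipNetmaskNumber.
NETWORK_ENTRIES = [
    {"en": "lab", "ipNetworkNumber": "10.23.10",
     "ipNetmaskNumber": "255.255.255.0"},
    {"en": "legacy", "ipNetworkNumber": "172.16"},
]


def expand_network_number(value):
    """Expand an ipNetworkNumber value to a full IPv4 address.

    The attribute is a dotted decimal with trailing zero octets omitted
    ("10.23.10" means 10.23.10.0).  Every octet is validated before the
    value is padded, because it arrives from the directory as a free-form
    IA5 String and must not be trusted blindly."""
    octets = value.strip().split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("bad ipNetworkNumber: %r" % value)
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError("bad octet in ipNetworkNumber: %r" % value)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Address(".".join(octets))


def classful_netmask(address):
    """Classful default mask, used here (an assumption of this example,
    not a rule in the draft) when an entry has no ipNetmaskNumber."""
    first_octet = int(address) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def network_from_entry(entry):
    """Build an IPv4Network from an ipNetworkObject entry.

    strict=True rejects a network number with host bits set under the
    given mask (e.g. 10.23.10.5 with 255.255.255.0), which would
    otherwise silently describe a different network than the one stored."""
    number = expand_network_number(entry["ipNetworkNumber"])
    mask = entry.get("ipNetmaskNumber") or classful_netmask(number)
    return ipaddress.IPv4Network((number, mask), strict=True)


def network_cidr(entry):
    """CIDR string for an entry, e.g. '10.23.10.0/24'."""
    return str(network_from_entry(entry))


def find_network_for_address(entries, address):
    """Return the en of the entry whose network contains address, or
    None.  The most specific (longest prefix) match wins."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for entry in entries:
        net = network_from_entry(entry)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (entry.get("en"), net.prefixlen)
    return best[0] if best else None
```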

2.3. protocols

2.3.1. Definition

   A protocols database contains the following fields:

   - Protocol name.

   - Protocol number.

   - Aliases.

   The information that makes up a database entry is obtained from the
   attributes described in the following sections.

2.3.2. Object Classes

2.3.2.1. Introduction

   A dbisMapConfig entry for a protocols database SHALL be assigned the
   object class dbisProtocolConfig.

   A protocol entry SHALL be defined by an LDAP entry with the object
   class ipProtocolObject.

2.3.2.2. dbisProtocolConfig

   The dbisProtocolConfig class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.21 NAME 'dbisProtocolConfig'
         DESC 'DBIS protocols configuration map'
         SUP dbisMapConfig STRUCTURAL )

2.3.2.3. ipProtocolObject

   The ipProtocolObject class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.22 NAME 'ipProtocolObject'
         DESC 'An IP protocol entry'
         SUP top STRUCTURAL
         MUST ( en $ ipProtocolNumber )
         MAY ( description $ manager $ disableObject ) )

2.3.3. Attributes

2.3.3.1. en

   The name of the protocol is stored in the LDAP attribute en which is
   defined in [draft-bannister-dbis-mapping-00].  The en attribute MUST
   be associated with an ipProtocolObject entry and SHALL form the RDN.

   If required, alias entries may be defined according to section 2.6 of
   [RFC4512] and as permitted by section 1.2 of [draft-bannister-dbis-
   mapping-00].

2.3.3.2. ipProtocolNumber

   The IP protocol number is stored in the ipProtocolNumber attribute
   which MUST be associated with an ipProtocolObject entry:

       attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
         DESC 'IP protocol number'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

2.3.4. Example Protocol Entry

   The following is an example of an ipProtocolObject entry in LDIF
   format [RFC2849]:

       dn: en=ip,ou=protocols,o=infra
       objectClass: top
       objectClass: ipProtocolObject
       en: ip
       ipProtocolNumber: 0

   The following is an example of a protocol alias entry:

       dn: en=IP,ou=protocols,o=infra
       objectClass: top
       objectClass: alias
       objectClass: extensibleObject
       en: IP
       aliasedObjectName: en=ip,ou=protocols,o=infra

2.4. rpc

2.4.1. Definition

   An RPC database contains the following fields:

   - RPC program name.

   - RPC program number.

   - Aliases.

   The information that makes up a database entry is obtained from the
   attributes described in the following sections.

2.4.2. Object Classes

2.4.2.1. Introduction

   A dbisMapConfig entry for an rpc database SHALL be assigned the
   object class dbisRpcConfig.

   An RPC entry SHALL be defined by an LDAP entry with the object class
   rpcObject.

2.4.2.2. dbisRpcConfig

   The dbisRpcConfig class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.23 NAME 'dbisRpcConfig'
         DESC 'DBIS rpc configuration map'
         SUP dbisMapConfig STRUCTURAL )

2.4.2.3. rpcObject

   The rpcObject class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.24 NAME 'rpcObject'
         DESC 'An rpc entry [RFC1057]'
         SUP top STRUCTURAL
         MUST ( en $ rpcNumber )
         MAY ( description $ manager $ disableObject ) )

2.4.3. Attributes

2.4.3.1. en

   The name of the RPC program is stored in the LDAP attribute en which
   is defined in [draft-bannister-dbis-mapping-00].  The en attribute
   MUST be associated with an rpcObject entry and SHALL form the RDN.

   If required, alias entries may be defined according to section 2.6 of
   [RFC4512] and as permitted by section 1.2 of [draft-bannister-dbis-
   mapping-00].

2.4.3.2. rpcNumber

   The RPC program number is stored in the rpcNumber attribute which
   MUST be associated with an rpcObject entry:

       attributetype ( 1.3.6.1.4.1.23780.219.2.29 NAME 'rpcNumber'
         DESC 'RPC program number [RFC1057]'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

2.4.4. Example RPC Entry

   The following is an example of an rpcObject entry in LDIF format
   [RFC2849]:

       dn: en=rpcbind,ou=rpc,o=infra
       objectClass: top
       objectClass: rpcObject
       en: rpcbind
       rpcNumber: 100000

   The following is an example of an RPC alias entry:

       dn: en=portmap,ou=rpc,o=infra
       objectClass: top
       objectClass: alias
       objectClass: extensibleObject
       en: portmap
       aliasedObjectName: en=rpcbind,ou=rpc,o=infra

2.5. services

2.5.1. Definition

   A services database contains the following fields:

   - Service name.

   - Port number and protocol name.

   - Aliases.

   The information that makes up a database entry is obtained from the
   attributes described in the following sections.

   The RDN may consist of just the en attribute.  However, where an
   entry cannot be uniquely identified because another service uses the
   same service name and port number but a different protocol name, a
   multi-valued RDN [RFC4512] SHALL be used instead.  An example may be
   found in section 2.5.4 below.

2.5.2. Object Classes

2.5.2.1. Introduction

   A dbisMapConfig entry for a services database SHALL be assigned the
   object class dbisServiceConfig.

   A service entry SHALL be defined by an LDAP entry with the object
   class ipServiceObject.

2.5.2.2. dbisServiceConfig

   The dbisServiceConfig class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.25 NAME 'dbisServiceConfig'
         DESC 'DBIS services configuration map'
         SUP dbisMapConfig STRUCTURAL )

2.5.2.3. ipServiceObject

   The ipServiceObject class is defined as follows:

       objectclass ( 1.3.6.1.4.1.23780.219.1.26 NAME 'ipServiceObject'
         DESC 'An IP service entry'
         SUP top STRUCTURAL
         MUST ( en $ ipPortNumber $ ipProtocolName )
         MAY ( description $ manager $ disableObject ) )

2.5.3. Attributes

2.5.3.1. en

   The name of the service is stored in the LDAP attribute en which is
   defined in [draft-bannister-dbis-mapping-00].  The en attribute MUST
   be associated with an ipServiceObject entry and SHALL form the RDN,
   except where noted in section 2.5.1 above.

   If required, alias entries may be defined according to section 2.6 of
   [RFC4512] and as permitted by section 1.2 of [draft-bannister-dbis-
   mapping-00].

2.5.3.2. ipPortNumber

   The IP port number is stored in the ipPortNumber attribute which MUST
   be associated with an ipServiceObject entry:

       attributetype ( 1.3.6.1.1.1.1.15
         NAME ( 'ipPortNumber' 'ipServicePort' )
         DESC 'IP port number'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

2.5.3.3. ipProtocolName

   The IP service protocol name is stored in the ipProtocolName
   attribute which MUST be associated with an ipServiceObject entry:

       attributetype ( 1.3.6.1.4.1.23780.219.2.30 NAME 'ipProtocolName'
         DESC 'IP protocol name'
         EQUALITY caseExactMatch SINGLE-VALUE
         SUBSTR caseExactSubstringsMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The ipProtocolName may form part of a multi-valued RDN as discussed
   in section 2.5.1 above.

2.5.4. Example Service Entry

   The following is an example of an ipServiceObject entry in LDIF
   format [RFC2849]:

       dn: en=smtp,ou=services,o=infra
       objectClass: top
       objectClass: ipServiceObject
       en: smtp
       ipPortNumber: 25
       ipProtocolName: tcp

   The following is an example of a service alias entry:

       dn: en=mail,ou=services,o=infra
       objectClass: top
       objectClass: alias
       objectClass: extensibleObject
       en: mail
       aliasedObjectName: en=smtp,ou=services,o=infra

   The following is an example of two service entries that need
   multi-valued RDNs:

       dn: en=rpcbind+ipProtocolName=udp,ou=services,o=infra
       objectClass: top
       objectClass: ipServiceObject
       en: rpcbind
       ipPortNumber: 111
       ipProtocolName: udp

       dn: en=rpcbind+ipProtocolName=tcp,ou=services,o=infra
       objectClass: top
       objectClass: ipServiceObject
       en: rpcbind
       ipPortNumber: 111
       ipProtocolName: tcp

3. Common Attributes

3.1. Definition

   This document makes use of the common attributes defined below.

3.2. description

   The description attribute MAY be associated with an entry to provide
   an arbitrary description of the entry.

3.3. manager

   The manager attribute MAY be associated with an entry to provide one
   or more DNs of the individuals, groups or systems that are
   responsible for maintaining the entry.

3.4. l

   The l attribute MAY be associated with an entry to provide details of
   locality.

3.5. disableObject

   An entry MAY be disabled by setting the disableObject attribute
   [draft-bannister-dbis-mapping-00] to TRUE.  If an entry is disabled,
   then the DUA SHALL behave as if the entry does not exist. The DUA MAY
   optionally provide a separate mechanism for listing disabled entries,
   but they MUST be clearly marked as disabled so that no confusion can
   arise.

4. Attribute Syntax

   The following syntaxes are used by the attributes defined in this
   document:

   -----------------------------------------------------------
   Syntax OID                     Value             Reference
   -----------------------------------------------------------
   1.3.6.1.4.1.1466.115.121.1.15  Directory String  [RFC4517]
   1.3.6.1.4.1.1466.115.121.1.26  IA5 String        [RFC4517]
   1.3.6.1.4.1.1466.115.121.1.27  Integer           [RFC4517]
   -----------------------------------------------------------

5. Implementation Notes

5.1. NIS Compatible Field Mapping

5.1.1. Introduction

   All fields that are required to generate NIS-compatible space-
   separated hosts, networks, netmasks, protocols, rpc or services
   database formats exist in this schema and can be mapped to attribute
   types using common ABNF productions described in [draft-bannister-
   dbis-netgroup-00], section 1.2.

   These are described for each database in the following sections.

5.1.2. hosts

   The NIS-compatible hosts database fields are mapped as follows:

         ipaddr      = ipv4Address / ipv6Address
         hostname    = rn
         alias       = rn           ; derived, see below

         hosts-entry = ipaddr SPACE hostname *(SPACE alias)

   In the hosts mappings above:

   - alias is derived from the rn attribute used with entries that
     reference this one via aliasedObjectName.

5.1.3. networks

   The NIS-compatible networks database fields are mapped as follows:

         network-name   = en
         network-number = ipNetworkNumber
         alias          = en       ; derived, see below

         networks-entry = network-name SPACE network-number
                              *(SPACE alias)

   In the networks mappings above:

   - alias is derived from the en attribute used with entries that
     reference this one via aliasedObjectName.

5.1.4. netmasks

   The NIS-compatible netmasks database fields are mapped as follows:

         network-number = ipNetworkNumber
         netmask        = ipNetmaskNumber

         netmasks-entry = network-number SPACE netmask

5.1.5. protocols

   The NIS-compatible protocols database fields are mapped as follows:

         proto-name     = en
         proto-number   = ipProtocolNumber
         alias          = en       ; derived, see below

         protocols-entry = proto-name SPACE proto-number *(SPACE alias)

   In the protocols mappings above:

   - alias is derived from the en attribute used with entries that
     reference this one via aliasedObjectName.

5.1.6. rpc

   The NIS-compatible rpc database fields are mapped as follows:

         rpc-name       = en
         rpc-number     = rpcNumber
         alias          = en       ; derived, see below

         rpc-entry = rpc-name SPACE rpc-number *(SPACE alias)

   In the rpc mappings above:

   - alias is derived from the en attribute used with entries that
     reference this one via aliasedObjectName.

5.1.7. services

   The NIS-compatible services database fields are mapped as follows:

         service-name     = en
         service-port     = ipPortNumber
         service-protocol = ipProtocolName
         alias            = en     ; derived, see below

         services-entry = service-name SPACE service-port SLASH
                               service-protocol *(SPACE alias)

   In the services mappings above:

   - alias is derived from the en attribute used with entries that
     reference this one via aliasedObjectName.
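   The following added example (not code from the draft or from any DBIS
   implementation) shows the field mappings of sections 5.1.2 and 5.1.7
   applied by a DUA: it parses the LDIF entries of section 2.5.4 together
   with constructed host entries, derives the alias column from entries
   that reference a target via aliasedObjectName, and drops entries whose
   disableObject is TRUE as section 3.5 requires.  The host object class
   name ipHostObject and the host entries themselves are assumptions;
   objectClass: top is omitted from the sample for brevity.  Only the
   LDIF subset used in the draft's examples is parsed (one "attr: value"
   per line, entries separated by a blank line).

```python
"""NIS-compatible hosts and services lines from DBIS LDIF entries.

Added example (not the draft's code): applies the 5.1.2 and 5.1.7 field
mappings, derives aliases via aliasedObjectName and honours disableObject.
Parses only the LDIF subset used in the draft's examples.
"""
from collections import defaultdict

# Constructed sample: the 2.5.4 service entries (objectClass: top omitted)
# plus invented host entries; ipHostObject is an assumed class name.
SAMPLE_LDIF = """\
dn: en=smtp,ou=services,o=infra
objectClass: ipServiceObject
en: smtp
ipPortNumber: 25
ipProtocolName: tcp

dn: en=mail,ou=services,o=infra
objectClass: alias
objectClass: extensibleObject
en: mail
aliasedObjectName: en=smtp,ou=services,o=infra

dn: en=rpcbind+ipProtocolName=udp,ou=services,o=infra
objectClass: ipServiceObject
en: rpcbind
ipPortNumber: 111
ipProtocolName: udp

dn: rn=mailhost,ou=hosts,o=infra
objectClass: ipHostObject
rn: mailhost
ipv4Address: 192.0.2.25
ipv6Address: 2001:db8::19

dn: rn=mx,ou=hosts,o=infra
objectClass: alias
objectClass: extensibleObject
rn: mx
aliasedObjectName: rn=mailhost,ou=hosts,o=infra

dn: rn=oldmx,ou=hosts,o=infra
objectClass: alias
objectClass: extensibleObject
rn: oldmx
aliasedObjectName: rn=mailhost,ou=hosts,o=infra
disableObject: TRUE
"""


def parse_ldif(text):
    """Entries as dicts of lowercased attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")  # first ':' only, so IPv6 values survive
            entry[attr.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries


def is_enabled(entry):
    """Section 3.5: the DUA treats disableObject=TRUE as non-existent."""
    return entry.get("disableobject", ["FALSE"])[0].upper() != "TRUE"


def norm_dn(dn):
    """Enough DN normalisation for these samples; RFC 4514 has the full rules."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def alias_index(entries, name_attr):
    """Target DN -> names (rn or en) of enabled alias entries pointing at it."""
    index = defaultdict(list)
    for e in entries:
        if is_enabled(e) and name_attr in e:
            for target in e.get("aliasedobjectname", []):
                index[norm_dn(target)].extend(e[name_attr])
    return index


def primary(entries, key_attr, name_attr):
    """Enabled, non-alias entries carrying key_attr, each with its alias names."""
    aliases = alias_index(entries, name_attr)
    for e in entries:
        if is_enabled(e) and key_attr in e and "aliasedobjectname" not in e:
            yield e, [e[name_attr][0]] + aliases.get(norm_dn(e["dn"][0]), [])


def hosts_lines(entries):
    """hosts-entry = ipaddr SPACE hostname *(SPACE alias); one line per address."""
    return [" ".join([addr] + names)
            for e, names in primary(entries, "rn", "rn")
            for addr in e.get("ipv4address", []) + e.get("ipv6address", [])]


def services_lines(entries):
    """services-entry = name SPACE port SLASH protocol *(SPACE alias)"""
    return ["%s %s/%s" % (names[0], e["ipportnumber"][0], e["ipprotocolname"][0])
            + "".join(" " + a for a in names[1:])
            for e, names in primary(entries, "ipportnumber", "en")]
```

   Run against SAMPLE_LDIF, hosts_lines yields one line per address of
   mailhost with "mx" as its alias, while the disabled "oldmx" alias
   entry contributes nothing; services_lines yields "smtp 25/tcp mail"
   and "rpcbind 111/udp".  A real DUA would obtain the entries through
   the search filters of section 5.2 rather than from an LDIF file, and
   would have to match DNs under the full RFC 4514 rules.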

5.2. Common Search Filters

5.2.1. Search Parameters

   This section provides example LDAP search filters [RFC4515] for
   obtaining database entries with commonly used input criteria.

   To simplify the examples, all databases are assumed to have been
   defined with only a single configuration map entry (dbisMapConfig).
   However, [draft-bannister-dbis-mapping-00] permits multiple such
   entries, so an implementation must support this, increasing the
   number of search operations as necessary to locate all of the
   database entries in scope.

   The base DN used in the search operations described in this section
   comes from the dbisMapDN attribute assigned to the dbisMapConfig
   entry. Note that a dbisMapConfig entry may have more than one of
   these.

   Where it appears in search filters below, the text "dbisMapFilter"
   refers to the value assigned to the attribute of the same name in the
   corresponding dbisMapConfig entry.  Note that each database has
   different dbisMapConfig entries.  Attribute names used in these
   search filters may be modified by the dbisMapAttr attribute assigned
   to the dbisMapConfig entry.

5.2.2. Find Configuration Map for Domain

   To locate the configuration map for a given DBIS domain, search for
   entries underneath the dbisDomainObject entry [draft-bannister-dbis-
   mapping-00].

   Hosts maps can be found with the following search filter:

         (&(objectClass=dbisHostConfig)(!(disableObject=TRUE)))

   Networks maps can be found with:

         (&(objectClass=dbisNetworkConfig)(!(disableObject=TRUE)))

   Protocols maps can be found with:

         (&(objectClass=dbisProtocolConfig)(!(disableObject=TRUE)))

   RPC maps can be found with:

         (&(objectClass=dbisRpcConfig)(!(disableObject=TRUE)))

   Services maps can be found with:

         (&(objectClass=dbisServiceConfig)(!(disableObject=TRUE)))

5.2.3. List All Entries

   Entries for a given database are enumerated by applying the
   dbisMapFilter as follows:

         (&(dbisMapFilter)(!(disableObject=TRUE)))

   This filter returns all enabled entries.

5.2.4. Find Specific Entry

   If a hosts entry is known by "name", its definition is located using
   the following search filter:

         (&(dbisMapFilter)(!(disableObject=TRUE))(rn=name))

   If a networks, protocols, rpc or services entry is known by "name",
   its definition is located using the following search filter:

         (&(dbisMapFilter)(!(disableObject=TRUE))(en=name))

5.2.5. Find Host by Address

   If a hosts entry has an IPv4 address "ipv4", its definition is
   located using the following search filter:

         (&(dbisMapFilter)(!(disableObject=TRUE))(ipv4Address=ipv4))

   If a hosts entry has an IPv6 address "ipv6", it may be located using:

         (&(dbisMapFilter)(!(disableObject=TRUE))(ipv6Address=ipv6))

5.2.6. Find Network by Address

   To locate a networks entry by its address "netip", use the following
   search filter:

         (&(dbisMapFilter)(!(disableObject=TRUE))
             (ipNetworkNumber=netip))

5.2.7. Find Protocol by Number

   Given the IP protocol number "protonum", the following search filter
   will locate the associated protocols entry:

         (&(dbisMapFilter)(!(disableObject=TRUE))
             (ipProtocolNumber=protonum))

5.2.8. Find RPC by Number

   To locate an rpc entry by its program number "rpcnum", use the
   following search filter:

         (&(dbisMapFilter)(!(disableObject=TRUE))(rpcNumber=rpcnum))

5.2.9. Find Service by Name and Protocol

   To find the services entry for a given service name "servname" and
   protocol "servproto", the following search filter may be used:

         (&(dbisMapFilter)(!(disableObject=TRUE))
             (en=servname)(ipProtocolName=servproto))

5.2.10. Find Service by Port and Protocol

   To find the services entry for a given service port "servport" and
   protocol "servproto", the following search filter may be used:

         (&(dbisMapFilter)(!(disableObject=TRUE))
             (ipPortNumber=servport)(ipProtocolName=servproto))
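   The filters of sections 5.2.2 to 5.2.10 substitute lookup keys such
   as "name", "ipv4" or "servport" into the filter string.  When those
   keys come from a resolver caller, a DUA should insert them as escaped
   assertion values [RFC4515] so that a key containing "*", "(", ")" or
   "\" cannot change the structure of the filter or turn an equality
   match into a substring match.  The following added example (not the
   draft's code) builds every filter in this section that way.  It
   assumes the dbisMapFilter value is stored without its outer
   parentheses, e.g. "objectClass=ipServiceObject", and the object class
   name ipHostObject used for the hosts map is an assumption.

```python
"""Section 5.2 search filters, built with RFC 4515 value escaping.

Added example, not the draft's code.  It assumes a dbisMapFilter value is
stored without outer parentheses (e.g. "objectClass=ipServiceObject") and
wraps it; a value that already starts with "(" is used as-is.
"""

# Constructed dbisMapFilter values.  ipServiceObject is defined in 2.5;
# ipHostObject is an assumed name for the hosts object class.
HOSTS_MAP_FILTER = "objectClass=ipHostObject"
SERVICES_MAP_FILTER = "objectClass=ipServiceObject"

ENABLED_ONLY = "(!(disableObject=TRUE))"   # section 3.5, applied in every filter


def escape_filter_value(value):
    """RFC 4515 section 3: encode '\\', '*', '(', ')' and NUL as \\XX so a
    caller-supplied lookup key cannot alter the filter's structure or
    turn an equality match into a wildcard (substring) match."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(map_filter, criteria=()):
    """(&(dbisMapFilter)(!(disableObject=TRUE))(attr=value)...).

    criteria: (attribute, value) pairs.  Attribute names come from the
    schema (or from dbisMapAttr), never from input; values are escaped."""
    if not map_filter.startswith("("):
        map_filter = "(%s)" % map_filter
    parts = [map_filter, ENABLED_ONLY]
    parts += ["(%s=%s)" % (a, escape_filter_value(str(v))) for a, v in criteria]
    return "(&%s)" % "".join(parts)


def config_map_filter(config_class):            # 5.2.2, e.g. "dbisHostConfig"
    return "(&(objectClass=%s)%s)" % (config_class, ENABLED_ONLY)


def list_all(map_filter):                        # 5.2.3
    return build_filter(map_filter)


def find_host_by_name(map_filter, name):         # 5.2.4, hosts key on rn
    return build_filter(map_filter, [("rn", name)])


def find_by_name(map_filter, name):              # 5.2.4, other databases key on en
    return build_filter(map_filter, [("en", name)])


def find_host_by_address(map_filter, address):   # 5.2.5
    attr = "ipv6Address" if ":" in address else "ipv4Address"
    return build_filter(map_filter, [(attr, address)])


def find_network_by_address(map_filter, netip):  # 5.2.6
    return build_filter(map_filter, [("ipNetworkNumber", netip)])


def find_protocol_by_number(map_filter, num):    # 5.2.7
    return build_filter(map_filter, [("ipProtocolNumber", int(num))])


def find_rpc_by_number(map_filter, num):         # 5.2.8
    return build_filter(map_filter, [("rpcNumber", int(num))])


def find_service_by_name(map_filter, name, proto):   # 5.2.9
    return build_filter(map_filter, [("en", name), ("ipProtocolName", proto)])


def find_service_by_port(map_filter, port, proto):   # 5.2.10
    return build_filter(map_filter,
                        [("ipPortNumber", int(port)), ("ipProtocolName", proto)])


if __name__ == "__main__":
    print(find_service_by_name(SERVICES_MAP_FILTER, "smtp", "tcp"))
    # A lookup key containing filter metacharacters stays a literal value:
    print(find_host_by_name(HOSTS_MAP_FILTER, "*)(rn=*"))
```

   The numeric lookups convert their key with int() so that a
   non-numeric value is rejected before it reaches the directory, and
   every filter carries the (!(disableObject=TRUE)) term so that
   disabled entries never reach the caller.  Where dbisMapAttr renames
   an attribute (section 5.2.1), the attribute name passed to
   build_filter must be the renamed one; the escaping applies only to
   the value.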

6. Security Considerations

   The security considerations discussed in [draft-bannister-dbis-
   mapping-00] and [draft-bannister-dbis-passwd-01] apply equally to
   this document.

7.  References

7.1.  Normative References

   [RFC1057]  Sun Microsystems, Inc., "RPC: Remote Procedure Call
              Protocol Specification: Version 2", RFC 1057, June 1988.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2373]  Hinden, R. and Deering, S., "IP Version 6 Addressing
              Architecture", RFC 2373, July 1998.

   [RFC2849]  Good, G., "The LDAP Data Interchange Format (LDIF) -
              Technical Specification", RFC 2849, June 2000.

   [RFC3112]  Zeilenga, K., "LDAP Authentication Password Schema", RFC
              3112, May 2001.

   [RFC4510]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Technical Specification Road Map", RFC 4510, June
              2006.

   [RFC4512]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.

   [RFC4515]  Smith, M., Ed., and T. Howes, "Lightweight Directory
              Access Protocol (LDAP): String Representation of Search
              Filters", RFC 4515, June 2006.

   [RFC4517]  Legg, S., Ed., "Lightweight Directory Access Protocol
              (LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006.

   [RFC4519]  Sciberras, A., Ed., "Lightweight Directory Access Protocol
              (LDAP): Schema for User Applications", RFC 4519, June
              2006.

   [draft-bannister-dbis-mapping-00]  Bannister, M. R., "Directory-Based
              Information Services: Mapping Objects", draft-bannister-
              dbis-mapping-00.txt, August 2013.

   [draft-bannister-dbis-netgroup-00]  Bannister, M. R., "Directory-
              Based Information Services: Netgroups and Netservices",
              draft-bannister-dbis-netgroups-00.txt, August 2013.

   [draft-bannister-dbis-passwd-01]  Bannister, M. R., "Directory-Based
              Information Services: Users and Groups", draft-bannister-
              dbis-passwd-01.txt, September 2013.

   [draft-bannister-dbis-automounter-01]  Bannister, M. R., "Directory-
              Based Information Services: Automounter", draft-bannister-
              dbis-automounter-01.txt, September 2013.

7.2.  Informative References

   [X.500]  Weider, C. and J. Reynolds, "Executive Introduction to
              Directory Services Using the X.500 Protocol", FYI 13, RFC
              1308, March 1992.

   [NIS]  Wikipedia, "Network Information Service", <http://
              en.wikipedia.org/wiki/Network_Information_Service>.

Author's Address

   Mark R. Bannister
   Prose Consulting Ltd.
   73 Claygate Lane
   Esher, Surrey, KT10 0BQ
   United Kingdom

   Tel: +44 7764 604316
   EMail: dbis@proseconsulting.co.uk
