[Search] [txt|pdfized|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]
Versions: 00 01 02 03 04 05 06 07 08                                    
                                                    Ed Reed
                                        Reed-Matthews, Inc.
                                           November 5, 2000

LDAP Subentry Schema

1. Status of this Memo

This document is an Internet-Draft and is in full
conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet
Engineering Task Force (IETF), its areas, and its working
groups. Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by
other documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other
than as "work in progress."

The list of current Internet-Drafts can be accessed at

The list of Internet-Draft Shadow Directories can be
accessed at http://www.ietf.org/shadow.html.

This Internet-Draft expires on May 5, 2001.

2. Abstract

This document describes an object class called ldapSubEntry
which MAY be used to indicate operations and management
related entries in the directory, called LDAP Subentries.
To control the visibility of entries of type ldapSubEntry,
a control, ldapSubentriesControl, is also defined.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
and  "OPTIONAL" in this document are to be interpreted as
described in RFC 2119 [RFC2119]. The sections below
reiterate these definitions and include some additional

Reed                                               [Page 1]

                    Expires May 5, 2001

INTERNET-DRAFT                              5 November 2000
                   LDAP Subentry Schema

3. Definition

3.1 ldapSubEntry Class

( 2.16.840.1.113719. NAME 'ldapSubEntry'
   DESC 'LDAP Subentry class, version 1'
     MAY ( cn ) )

The class ldapSubEntry is intended to be used as a super-
class when defining other structural classes to be used
as LDAP Subentries, and as the structural class to which
Auxiliary classes may be added for application specific
subentry information.  Where possible, the use of Auxiliary
classes to extend ldapSubEntries is strongly preferred.

The presence of ldapSubEntry in the list of super-classes
of an entry in the directory makes that entry an LDAP
Subentry.  Object classes derived from ldapSubEntry are
themselves considered ldapSubEntry classes, for the purpose
of this discussion.

LDAP Subentries MAY be named by their commonName attribute
[LDAPv3].  Other naming attributes are also permitted.

LDAP Subentries MAY be containers, unlike their [X.501]

LDAP Subentries MAY be contained by, and will usually be
located in the directory information tree immediately
subordinate to, administrative points and/or naming
contexts.  Further (unlike X.500 subentries), LDAP
Subentries MAY be contained by other LDAP Subentries (the
way organizational units may be contained by other
organizational units).  Deep nestings of LDAP Subentries
are discouraged, but not prohibited.

3.2 LdapSubentriesControl

This control is included in the searchRequest message as
part of the controls field of the LDAPMessage, as defined
in Section 4.1.12 of [RFC2251].

The controlType is set to "TBD". The criticality MAY be set
to either TRUE or FALSE.  The controlValue is absent.

Reed                                               [Page 2]

                    Expires May 5, 2001

INTERNET-DRAFT                              5 November 2000
                   LDAP Subentry Schema

There is no corresponding response control defined.

LDAP Subentries SHOULD be treated as "operational objects"
in much the same way that "operational attributes" are not
regularly provided in search results and read operations
when only user attributes are requested).

In [X.511] a ServiceControl option is used to govern the
visibility of X.500 subentries.  The subentry
ServiceControl option is a specific bit of a bitstring
that, when set to TRUE in the common arguments of an X.500
Search or List operation, indicates that the operation is
to access ONLY the subentries found in the context of the
list or search.  In fact, normal entries are explicitly NOT
returned in the result of a list or search operation when
the X.500 subentries ServiceControl is set.  Entries which
are not subentries may still be referenced in the base
object of list and search operations where the subentries
control is set.  The [X.511] subentries ServiceControl has
no meaning for operations other than Search and List (i.e.,
Read, Modify, Delete, etc.).

The ldapSubentriesControl is defined for LDAP to signal to
LDAP Search operations that LDAP Subentries are to be
included in the return set of entries for the Search (with
scopes other than baseObject), provided other Search
criteria (scope, filter) are satisfied.

For Search operations with a scope value of baseObject, the
presence or absence of the ldapSubentriesControl MUST be
ignored.  Specifically, baseObject searches applied to
ldapSubEntry entries MUST be evaluated as if the
ldapSubentriesControl is present, even if it is not.

In addition, LDAP servers SHOULD implement the following
special handling of ldapSubEntry entries: search operations
which include a filter "objectclass=ldapSubEntry" MUST
include entries derived from the ldapSubEntry class in the
scope of their operations.  This alternative method of
requesting the operation to be applied to entries of
ldapSubEntry class is intuitive, and is specified to
maintain consistency with previous versions of this

Reed                                               [Page 3]

                    Expires May 5, 2001

INTERNET-DRAFT                              5 November 2000
                   LDAP Subentry Schema

4. Security Considerations

LDAP Subentries will frequently be used to hold data which
reflects either the actual or intended behavior of the
directory service.  As such, permission to read such
entries MAY need to be restricted to authorized users.
More importantly, IF a directory service treats the
information in an LDAP Subentry as the authoritative source
of policy to be used to control the behavior of the
directory, then permission to create, modify, or delete
such entries MUST be carefully restricted to authorized

5. References

[LDAPv3] S. Kille, M. Wahl, and T. Howes, "Lightweight
Directory Access Protocol (v3)", RFC 2251, December 1997

[X.501] ITU-T Rec. X.501, "The Directory: Models", 1993 and
subsequent versions

[X.511] ITU-T Rec. X.501, "The Directory: Abstract Service
Definition", 1993 and subsequent versions.

6. Copyright Notice

Copyright (C) The Internet Society (2000). All Rights

This document and translations of it may be copied and
furnished to others, and derivative works that comment on
or otherwise explain it or assist in its implementation may
be prepared, copied, published and distributed, in whole or
in part, without restriction of any kind, provided that the
above copyright notice and this paragraph are included on
all such copies and derivative works. However, this
document itself may not be modified in any way, such as by
removing the copyright notice or references to the Internet
Society or other Internet organizations, except as needed
for the purpose of developing Internet standards in which
case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to
translate it into languages other than English.

Reed                                               [Page 4]

                    Expires May 5, 2001

INTERNET-DRAFT                              5 November 2000
                   LDAP Subentry Schema

The limited permissions granted above are perpetual and
will not be revoked by the Internet Society or its
successors or assigns.

This document and the information contained herein is
provided on an "AS IS" basis and THE INTERNET SOCIETY AND

7. Acknowledgements

The use of subEntry object class to store Replica and
Replication Agreement information is due primarily to the
lucid explanation by Mark Wahl, (then of Innosoft), of how
they could be used and extended.

The IETF takes no position regarding the validity or scope
of any intellectual property or other rights that might be
claimed to pertain to the implementation or use of the
technology described in this document or the extent to
which any license under such rights might or might not be
available; neither does it represent that it has made any
effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track
and standards-related documentation can be found in BCP-11.
Copies of claims of rights made available for publication
and any assurances of licenses to be made available, or the
result of an attempt made to obtain a general license or
permission for the use of such proprietary rights by
implementers or users of this specification can be obtained
from the IETF Secretariat.

The IETF invites any interested party to bring to its
attention any copyrights, patents or patent applications,
or other proprietary rights which may cover technology that
may be required to practice this standard. Please address
the information to the IETF Executive Director.

8. Author's Address

     Edwards E. Reed
     Reed-Matthews, Inc.
     1064 E 140 North

Reed                                               [Page 5]

                    Expires May 5, 2001

INTERNET-DRAFT                              5 November 2000
                   LDAP Subentry Schema

     Lindon, UT  84042
     E-mail: eer@oncalldba.com

     LDUP Mailing List: ietf-ldup@imc.org
     LDAPEXT Mailing List: ietf-ldapext@netscape.com

Reed                                               [Page 6]

                    Expires May 5, 2001