Network Working Group                                          M. Smith
Request for Comments: 2798                      Netscape Communications
Category: Informational                                      April 2000


           Definition of the inetOrgPerson LDAP Object Class

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   While the X.500 standards define many useful attribute types [X520]
   and object classes [X521], they do not define a person object class
   that meets the requirements found in today's Internet and Intranet
   directory service deployments.  We define a new object class called
   inetOrgPerson for use in LDAP and X.500 directory services that
   extends the X.521 standard organizationalPerson class to meet these
   needs.

Smith                        Informational                      [Page 1]

RFC 2798          The LDAP inetOrgPerson Object Class         April 2000

Table of Contents

   1.     Background and Intended Usage
   2.     New Attribute Types Used in the inetOrgPerson Object Class
   2.1.      Vehicle license or registration plate
   2.2.      Department number
   2.3.      Display Name
   2.4.      Employee Number
   2.5.      Employee Type
   2.6.      JPEG Photograph
   2.7.      Preferred Language
   2.8.      User S/MIME Certificate
   2.9.      User PKCS #12
   3.     Definition of the inetOrgPerson Object Class
   4.     Example of an inetOrgPerson Entry
   5.     Security Considerations
   6.     Acknowledgments
   7.     Bibliography
   8.     Author's Address
   9.     Appendix A - inetOrgPerson Schema Summary
   9.1.     Attribute Types
   9.1.1.      New attribute types that are defined in this document
   9.1.2.      Attribute types from RFC 2256
   9.1.3.      Attribute types from RFC 1274
   9.1.4.      Attribute type from RFC 2079
   9.2.     Syntaxes
   9.2.1.      Syntaxes from RFC 2252
   9.2.2.      Syntaxes from RFC 2256
   9.3.     Matching Rules
   9.3.1.      Matching rules from RFC 2252
   9.3.2.      Matching rule from RFC 2256
   9.3.3.      Additional matching rules from X.520
   9.3.4.      Matching rules not defined in any referenced document
   10.    Full Copyright Statement

1.  Background and Intended Usage

   The inetOrgPerson object class is a general purpose object class that
   holds attributes about people.  The attributes it holds were chosen
   to accommodate information requirements found in typical Internet and
   Intranet directory service deployments.  The inetOrgPerson object
   class is designed to be used within directory services based on the
   LDAP [RFC2251] and the X.500 family of protocols, and it should be
   useful in other contexts as well.  There is no requirement for
   directory services implementors to use the inetOrgPerson object
   class; it is simply presented as a well-documented class that
   implementors can choose to use if they find it useful.

   The attribute type and object class definitions in this document are
   written using the BNF form of AttributeTypeDescription and
   ObjectClassDescription given in [RFC2252].  In some cases lines have
   been folded for readability.

   Attributes that are referenced but not defined in this document are
   included in one of the following documents:

      The COSINE and Internet X.500 Schema [RFC1274]

      Definition of an X.500 Attribute Type and an Object Class to Hold
      Uniform Resource Identifiers (URIs) [RFC2079]

      A Summary of the X.500(96) User Schema for use with LDAPv3
      [RFC2256]

   See Appendix A for a summary of the attribute types, associated
   syntaxes, and matching rules used in this document.

2.  New Attribute Types Used in the inetOrgPerson Object Class

2.1.  Vehicle license or registration plate.

   This multivalued field is used to record the values of the license or
   registration plate associated with an individual.

    ( 2.16.840.1.113730.3.1.1 NAME 'carLicense'
      DESC 'vehicle license or registration plate'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

2.2.  Department number

   Code for department to which a person belongs.  This can also be
   strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).

    ( 2.16.840.1.113730.3.1.2
      NAME 'departmentNumber'
      DESC 'identifies a department within an organization'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

2.3.  Display Name

   When displaying an entry, especially within a one-line summary list,
   it is useful to be able to identify a name to be used.  Since other
   attribute types such as 'cn' are multivalued, an additional attribute
   type is needed.  Display name is defined for this purpose.

  ( 2.16.840.1.113730.3.1.241
    NAME 'displayName'
    DESC 'preferred name of a person to be used when displaying entries'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

2.4.  Employee Number

   Numeric or alphanumeric identifier assigned to a person, typically
   based on order of hire or association with an organization.  Single
   valued.

    ( 2.16.840.1.113730.3.1.3
      NAME 'employeeNumber'
      DESC 'numerically identifies an employee within an organization'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE )

2.5.  Employee Type

   Used to identify the employer to employee relationship.  Typical
   values used will be "Contractor", "Employee", "Intern", "Temp",
   "External", and "Unknown" but any value may be used.

    ( 2.16.840.1.113730.3.1.4
      NAME 'employeeType'
      DESC 'type of employment for a person'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

2.6.  JPEG Photograph

   Used to store one or more images of a person using the JPEG File
   Interchange Format [JFIF].

    ( 0.9.2342.19200300.100.1.60
      NAME 'jpegPhoto'
      DESC 'a JPEG image'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

   Note that the jpegPhoto attribute type was defined for use in the
   Internet X.500 pilots but no referencable definition for it could be
   located.

2.7.  Preferred Language

   Used to indicate an individual's preferred written or spoken
   language.  This is useful for international correspondence or human-
   computer interaction.  Values for this attribute type MUST conform to
   the definition of the Accept-Language header field defined in
   [RFC2068] with one exception:  the sequence "Accept-Language" ":"
   should be omitted.  This is a single valued attribute type.

    ( 2.16.840.1.113730.3.1.39
      NAME 'preferredLanguage'
      DESC 'preferred written or spoken language for a person'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE )

2.8.  User S/MIME Certificate

   A PKCS#7 [RFC2315] SignedData, where the content that is signed is
   ignored by consumers of userSMIMECertificate values.  It is
   recommended that values have a `contentType' of data with an absent
   `content' field.  Values of this attribute contain a person's entire
   certificate chain and an smimeCapabilities field [RFC2633] that at a
   minimum describes their SMIME algorithm capabilities.  Values for
   this attribute are to be stored and requested in binary form, as
   'userSMIMECertificate;binary'.  If available, this attribute is
   preferred over the userCertificate attribute for S/MIME applications.

    ( 2.16.840.1.113730.3.1.40
      NAME 'userSMIMECertificate'
      DESC 'PKCS#7 SignedData used to support S/MIME'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

2.9.  User PKCS #12

   PKCS #12 [PKCS12] provides a format for exchange of personal identity
   information.  When such information is stored in a directory service,
   the userPKCS12 attribute should be used. This attribute is to be
   stored and requested in binary form, as 'userPKCS12;binary'.  The
   attribute values are PFX PDUs stored as binary data.

( 2.16.840.1.113730.3.1.216
  NAME 'userPKCS12'
  DESC 'PKCS #12 PFX PDU for exchange of personal identity information'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

3.  Definition of the inetOrgPerson Object Class

   The inetOrgPerson represents people who are associated with an
   organization in some way.  It is a structural class and is derived
   from the organizationalPerson class which is defined in X.521 [X521].

( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
    SUP organizationalPerson
    STRUCTURAL
    MAY (
        audio $ businessCategory $ carLicense $ departmentNumber $
        displayName $ employeeNumber $ employeeType $ givenName $
        homePhone $ homePostalAddress $ initials $ jpegPhoto $
        labeledURI $ mail $ manager $ mobile $ o $ pager $
        photo $ roomNumber $ secretary $ uid $ userCertificate $
        x500uniqueIdentifier $ preferredLanguage $
        userSMIMECertificate $ userPKCS12
    )
)

   For reference, we list the following additional attribute types that
   are part of the inetOrgPerson object class.  These attribute types
   are inherited from organizationalPerson (which in turn is derived
   from the person object class):

    MUST (
        cn $ objectClass $ sn
    )

    MAY (
        description $ destinationIndicator $ facsimileTelephoneNumber $
        internationaliSDNNumber $ l $ ou $ physicalDeliveryOfficeName $
        postalAddress $ postalCode $ postOfficeBox $
        preferredDeliveryMethod $ registeredAddress $ seeAlso $
        st $ street $ telephoneNumber $ teletexTerminalIdentifier $
        telexNumber $ title $ userPassword $ x121Address
    )

4.  Example of an inetOrgPerson Entry

   The following example is expressed using the LDIF notation defined in
   [LDIF].

   version: 1
   dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
   objectClass: top
   objectClass: person
   objectClass: organizationalPerson
   objectClass: inetOrgPerson
   cn: Barbara Jensen
   cn: Babs Jensen
   displayName: Babs Jensen
   sn: Jensen
   givenName: Barbara
   initials: BJJ
   title: manager, product development
   uid: bjensen
   mail: bjensen@siroe.com
   telephoneNumber: +1 408 555 1862
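
The schema rules in sections 2 and 3 can be checked mechanically before an entry is written to a directory. The following Python sketch is an added example, not part of RFC 2798: it validates one LDIF entry against the MUST, MAY, SINGLE-VALUE and ';binary' rules quoted above. The function names, the sample entry and the 'shoeSize' attribute are assumptions made for illustration, and only plain "attr: value" and "attr:: base64" lines are handled.

```python
# Attribute names copied from sections 2 and 3 above, lowercased for matching.
MUST = {"cn", "objectclass", "sn"}
MAY = {a.lower() for a in """audio businessCategory carLicense departmentNumber
    displayName employeeNumber employeeType givenName homePhone homePostalAddress
    initials jpegPhoto labeledURI mail manager mobile o pager photo roomNumber
    secretary uid userCertificate x500uniqueIdentifier preferredLanguage
    userSMIMECertificate userPKCS12 description destinationIndicator l ou st
    facsimileTelephoneNumber internationaliSDNNumber physicalDeliveryOfficeName
    postalAddress postalCode postOfficeBox preferredDeliveryMethod seeAlso street
    registeredAddress telephoneNumber teletexTerminalIdentifier telexNumber title
    userPassword x121Address""".split()}
SINGLE_VALUE = {"displayname", "employeenumber", "preferredlanguage"}
BINARY_ONLY = {"usersmimecertificate", "userpkcs12"}  # sections 2.8 and 2.9

def parse_entry(ldif):
    """Map each attribute description (lowercased) to its list of values."""
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    attrs = {}
    for line in unfolded.splitlines():
        if line.strip() and not line.startswith(("#", "version:", "dn:")):
            desc, _, value = line.partition(":")
            attrs.setdefault(desc.strip().lower(), []).append(value.lstrip(": "))
    return attrs

def validate(ldif):
    """List every way the entry departs from the inetOrgPerson definition."""
    attrs, problems = parse_entry(ldif), []
    if "inetorgperson" not in {v.lower() for v in attrs.get("objectclass", [])}:
        problems.append("objectClass inetOrgPerson is missing")
    for desc, values in attrs.items():
        name, *options = desc.split(";")  # e.g. 'userpkcs12;binary'
        if name not in MUST | MAY:
            problems.append(f"{name}: not allowed by inetOrgPerson")
        if name in SINGLE_VALUE and len(values) > 1:
            problems.append(f"{name}: SINGLE-VALUE but has {len(values)} values")
        if name in BINARY_ONLY and "binary" not in options:
            problems.append(f"{name}: must be stored as '{name};binary'")
    present = {desc.split(";")[0] for desc in attrs}
    return problems + [f"{m}: required attribute missing" for m in sorted(MUST - present)]

# Constructed sample: a cut-down section 4 entry with four deliberate defects
# (shoeSize is a made-up attribute; the base64 value is a dummy).
SAMPLE = """\
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: inetOrgPerson
cn: Barbara Jensen
displayName: Babs Jensen
displayName: Barbara J.
shoeSize: 7
userPKCS12:: TUlJQg==
"""
```

Calling validate(SAMPLE) reports the duplicated displayName, the unknown attribute, the missing ';binary' option and the missing sn.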
