📄 rfc2307.txt
字号:
RFC 2307 Using LDAP as a Network Information Service March 1998 omitting leading zeros' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' SINGLE-VALUE ) ( nisSchema.1.21 NAME 'ipNetmaskNumber' DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0, omitting leading zeros' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' SINGLE-VALUE ) ( nisSchema.1.22 NAME 'macAddress' DESC 'MAC address in maximal, colon separated hex notation, eg. 00:00:92:90:ee:e2' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' ) ( nisSchema.1.23 NAME 'bootParameter' DESC 'rpc.bootparamd parameter' SYNTAX 'bootParameterSyntax' ) ( nisSchema.1.24 NAME 'bootFile' DESC 'Boot image name' EQUALITY caseExactIA5Match SYNTAX 'IA5String' ) ( nisSchema.1.26 NAME 'nisMapName' SUP name ) ( nisSchema.1.27 NAME 'nisMapEntry' EQUALITY caseExactIA5Match SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 'IA5String{1024}' SINGLE-VALUE )4. Class definitions This section contains class definitions to be implemented by DUAs supporting the schema. The rfc822MailGroup object class MAY be used to represent a mail group for the purpose of alias expansion. Several alternative schemes for mail routing and delivery using LDAP directories, which are outside the scope of this document. ( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )Howard Experimental [Page 8]
RFC 2307 Using LDAP as a Network Information Service March 1998 ( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY DESC 'Additional attributes for shadow passwords' MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) ) ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) ( nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL DESC 'Abstraction an Internet Protocol service. Maps an IP port and protocol (such as tcp or udp) to one or more names; the distinguished value of the cn attribute denotes the service's canonical name' MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY ( description ) ) ( nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL DESC 'Abstraction of an IP protocol. Maps a protocol number to one or more names. The distinguished value of the cn attribute denotes the protocol's canonical name' MUST ( cn $ ipProtocolNumber $ description ) MAY description ) ( nisSchema.2.5 NAME 'oncRpc' SUP top STRUCTURAL DESC 'Abstraction of an Open Network Computing (ONC) [RFC1057] Remote Procedure Call (RPC) binding. This class maps an ONC RPC number to a name. The distinguished value of the cn attribute denotes the RPC service's canonical name' MUST ( cn $ oncRpcNumber $ description ) MAY description ) ( nisSchema.2.6 NAME 'ipHost' SUP top AUXILIARY DESC 'Abstraction of a host, an IP device. The distinguished value of the cn attribute denotes the host's canonical name. Device SHOULD be used as a structural class' MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) ) ( nisSchema.2.7 NAME 'ipNetwork' SUP top STRUCTURAL DESC 'Abstraction of a network. The distinguished value of the cn attribute denotes the network's canonical name'Howard Experimental [Page 9]
RFC 2307 Using LDAP as a Network Information Service March 1998 MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) ) ( nisSchema.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL DESC 'Abstraction of a netgroup. May refer to other netgroups' MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) ( nisSchema.2.09 NAME 'nisMap' SUP top STRUCTURAL DESC 'A generic abstraction of a NIS map' MUST nisMapName MAY description ) ( nisSchema.2.10 NAME 'nisObject' SUP top STRUCTURAL DESC 'An entry in a NIS map' MUST ( cn $ nisMapEntry $ nisMapName ) MAY description ) ( nisSchema.2.11 NAME 'ieee802Device' SUP top AUXILIARY DESC 'A device with a MAC address; device SHOULD be used as a structural class' MAY macAddress ) ( nisSchema.2.12 NAME 'bootableDevice' SUP top AUXILIARY DESC 'A device with boot parameters; device SHOULD be used as a structural class' MAY ( bootFile $ bootParameter ) )5. Implementation details5.1. Suggested resolution methods The preferred means of directing a client application (one using the shared services of the C library) to use LDAP as its information source for the functions listed in 5.2 is to modify the source code to directly query LDAP. As the source to commercial C libraries and applications is rarely available to the end-user, one could emulate a supported nameservice (such as NIS). (This is also an appropriate opportunity to perform caching of entries across process address spaces.) In the case of NIS, reference implementations are widely available and the RPC interface is well known. The means by which the operating system is directed to use LDAP is implementation dependent. For example, some operating systems and C libraries support end-user extensible resolvers using dynamically loadable libraries and a nameservice "switch". The means in which the DUA locates LDAP servers is also implementation dependent.Howard Experimental [Page 10]
RFC 2307 Using LDAP as a Network Information Service March 19985.2. Affected library functions The following functions are typically found in the C libraries of most UNIX and POSIX compliant systems. An LDAP search filter [RFC2254] which may be used to satisfy the function call is included alongside each function name. Parameters are denoted by %s and %d for string and integer arguments, respectively. Long lines are broken. getpwnam() (&(objectClass=posixAccount)(uid=%s)) getpwuid() (&(objectClass=posixAccount) (uidNumber=%d)) getpwent() (objectClass=posixAccount) getspnam() (&(objectClass=shadowAccount)(uid=%s)) getspent() (objectClass=shadowAccount) getgrnam() (&(objectClass=posixGroup)(cn=%s)) getgrgid() (&(objectClass=posixGroup) (gidNumber=%d)) getgrent() (objectClass=posixGroup) getservbyname() (&(objectClass=ipService) (cn=%s)(ipServiceProtocol=%s)) getservbyport() (&(objectClass=ipService) (ipServicePort=%d) (ipServiceProtocol=%s)) getservent() (objectClass=ipService) getrpcbyname() (&(objectClass=oncRpc)(cn=%s)) getrpcbynumber() (&(objectClass=oncRpc)(oncRpcNumber=%d)) getrpcent() (objectClass=oncRpc) getprotobyname() (&(objectClass=ipProtocol)(cn=%s)) getprotobynumber() (&(objectClass=ipProtocol) (ipProtocolNumber=%d)) getprotoent() (objectClass=ipProtocol) gethostbyname() (&(objectClass=ipHost)(cn=%s)) gethostbyaddr() (&(objectClass=ipHost)(ipHostNumber=%s)) gethostent() (objectClass=ipHost) getnetbyname() (&(objectClass=ipNetwork)(cn=%s)) getnetbyaddr() (&(objectClass=ipNetwork) (ipNetworkNumber=%s)) getnetent() (objectClass=ipNetwork) setnetgrent() (&(objectClass=nisNetgroup)(cn=%s))Howard Experimental [Page 11]
RFC 2307 Using LDAP as a Network Information Service March 19985.3. Interpreting user and group entries User and group resolution is initiated by the functions prefixed by getpw and getgr respectively. The uid attribute contains the user's login name. The cn attribute, in posixGroup entries, contains the group's name. The account object class provides a convenient structural class for posixAccount, and SHOULD be used where additional attributes are not required. It is suggested that uid and cn are used as the RDN attribute type for posixAccount and posixGroup entries, respectively. An account's GECOS field is preferably determined by a value of the gecos attribute. If no gecos attribute exists, the value of the cn attribute MUST be used. (The existence of the gecos attribute allows information embedded in the GECOS field, such as a user's telephone number, to be returned to the client without overloading the cn attribute. It also accommodates directories where the common name does not contain the user's full name.) An entry of class posixAccount, posixGroup, or shadowAccount without a userPassword attribute MUST NOT be used for authentication. The client should be returned a non-matchable password such as "x". userPassword values MUST be represented by following syntax: passwordvalue = schemeprefix encryptedpassword schemeprefix = "{" scheme "}" scheme = "crypt" / "md5" / "sha" / altscheme altscheme = "x-" keystring encryptedpassword = encrypted password The encrypted password contains of a plaintext key hashed using the algorithm scheme. userPassword values which do not adhere to this syntax MUST NOT be used for authentication. The DUA MUST iterate through the values of the attribute until a value matching the above syntax is found. Only if encryptedpassword is an empty string does the user have no password. DUAs are not required to consider encryption schemes which the client will not recognize; in most cases, it may be sufficient to consider only "crypt". Below is an example of a userPassword attribute: userPassword: {crypt}X5/DBrWPOQQaIHoward Experimental [Page 12]
RFC 2307 Using LDAP as a Network Information Service March 1998 A future standard may specify LDAP v3 attribute descriptions to represent hashed userPasswords, as noted below. This schema MUST NOT be used with LDAP v2 DUAs and DSAs. attributetype = attributename sep attributeoption attributename = "userPassword" sep = ";" attributeoption = schemeclass "-" scheme schemeclass = "hash" / altschemeclass scheme = "crypt" / "md5" / "sha" / altscheme altschemeclass = "x-" keystring altscheme = keystring Below is an example of a userPassword attribute, represented with an LDAP v3 attribute description: userPassword;hash-crypt: X5/DBrWPOQQaI A DUA MAY utilise the attributes in the shadowAccount class to provide shadow password service (getspnam() and getspent()). In such cases, the DUA MUST NOT make use of the userPassword attribute for getpwnam() et al, and MUST return a non-matchable password (such as "x") to the client instead.5.4. Interpreting hosts and networks The ipHostNumber and ipNetworkNumber attributes are defined in preference to dNSRecord (defined in [RFC1279]), in order to simplify the DUA's role in interpreting entries in the directory. A dNSRecord expresses a complete resource record, including time to live and class data, which is extraneous to this schema. Additionally, the ipHost and ipNetwork classes permit a host or network (respectively) and all its aliases to be represented by a single entry in the directory. This is not necessarily possible if a DNS resource record is mapped directly to an LDAP entry. Implementations that wish to use LDAP to master DNS zone information are not precluded from doing so, and may simply avoid the ipHost and ipNetwork classes. This document redefines, although not exclusively, the ipNetwork class defined in [RFC1279], in order to achieve consistent naming with ipHost. The ipNetworkNumber attribute is also used in the siteContact object class [ROSE].Howard Experimental [Page 13]
RFC 2307 Using LDAP as a Network Information Service March 1998 The trailing zeros in a network address MUST be omitted. CIDR-style network addresses (eg. 192.168.1/24) MAY be used. Hosts with IPv6 addresses MUST be written in their "preferred" form as defined in section 2.2.1 of [RFC1884], such that all components of the address are indicated and leading zeros are omitted. This provides a consistent means of resolving ipHosts by address.5.5. Interpreting other entities In general, a one-to-one mapping between entities and LDAP entries is proposed, in that each entity has exactly one representation in the DIT. In some cases this is not feasible; for example, a service which is represented in more than one protocol domain. Consider the following entry: dn: cn=domain, dc=aja, dc=com cn: domain cn: nameserver objectClass: top objectClass: ipService ipServicePort: 53 ipServiceProtocol: tcp ipServiceProtocol: udp This entry MUST map to the following two (2) services entities: domain 53/tcp nameserver domain 53/udp nameserver While the above two entities may be represented as separate LDAP entities, with different distinguished names (such as cn=domain+ipServiceProtocol=tcp, ... and cn=domain+ipServiceProtocol=udp, ...) it is convenient to represent them as a single entry. (If a service is represented in multiple protocol domains with different ports, then multiple entries are required; multivalued RDNs may be used to distinguish them.) With the exception of userPassword values, which are parsed according to the syntax considered in section 5.2, any empty values (consisting of a zero length string) are returned by the DUA to the client. The DUA MUST reject any entries which do not conform to the schema (missing mandatory attributes). Non-conforming entries SHOULD be ignored while enumerating entries. The nisObject object class MAY be used as a generic means of representing NIS entities. Its use is not encouraged; where support for entities not described in this schema is desired, an appropriateHoward Experimental [Page 14]
RFC 2307 Using LDAP as a Network Information Service March 1998⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -