Skip to content
Snippets Groups Projects
draft-joslin-config-schema-xx.txt 59.1 KiB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000



Application Working Group                                      M. Ansari
INTERNET-DRAFT                                    Sun Microsystems, Inc.
Expires Febuary 2003                                           L. Howard
                                                 PADL Software Pty. Ltd.
                                                         B. Joslin [ed.]
                                                 Hewlett-Packard Company

                                                    September 15th, 2003
Intended Category: Informational


                 A Configuration Schema for LDAP Based
                         Directory User Agents
                  <draft-joslin-config-schema-07.txt>


Status of this Memo

     This memo provides information for the Internet community.  This
     memo does not specify an Internet standard of any kind.  Distribu-
     tion of this memo is unlimited.

     This document is an Internet-Draft and is in full conformance with
     all provisions of Section 10 of RFC2026.

     This document is an Internet-Draft. Internet-Drafts are working
     documents of the Internet Engineering Task Force (IETF), its areas,
     and its working groups. Note that other groups may also distribute
     working documents as Internet-Drafts.

     Internet-Drafts are draft documents valid for a maximum of six
     months.  Internet-Drafts may be updated, replaced, or made obsolete
     by other documents at any time. It is not appropriate to use
     Internet-Drafts as reference material or to cite them other than as
     a "working draft" or "work in progress".

     To learn the current status of any Internet-Draft, please check the
     1id-abstracts.txt listing contained in the Internet-Drafts Shadow
     Directories on ds.internic.net (US East Coast), nic.nordu.net
     (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
     Rim).

     Distribution of this document is unlimited.

Abstract

     This document describes a mechanism for global configuration of
     similar directory user agents.  This document defines a schema for



Joslin                                                         [Page 1]

Internet-Draft          DUA Configuration Schema            October 2002


     configuration of these DUAs that may be discovered using the Light-
     weight Directory Access Protocol in RFC 2251[17].  A set of attri-
     bute types and an objectclass are proposed, along with specific
     guidelines for interpreting them.  A significant feature of the
     global configuration policy for DUAs is a mechanism that allows
     DUAs to re-configure their schema to that of the end user's
     environment.  This configuration is achieved through attribute and
     objectclass mapping.  This document is intended to be a skeleton
     for future documents that describe configuration of specific DUA
     services.


1.  Background & Motivation

     The LDAP protocol has brought about a new and nearly ubiquitous
     acceptance of the directory server.  Many new client applications
     (DUAs) are being created that use LDAP directories for many dif-
     ferent services.  And although the LDAP protocol has eased the
     development of these applications, some challenges still exist for
     both developers and directory administrators.

     The authors of this document are implementers of DUAs described by
     RFC 2307 [14].  In developing these agents, we felt there are
     several issues that still need to be addressed to ease the deploy-
     ment and configuration of a large network of these DUAs.

     One of these challenges stems from the lack of a utopian schema.  A
     utopian schema would be one that every application developer could
     agree upon and that would support every application.  Unfortunately
     today, many DUAs define their own schema (like RFC 2307 vs.
     Microsoft's Services for Unix [13]) containing similar attributes,
     but with different attribute names.  This can lead to data redun-
     dancy within directory entries and give directory administrators
     unwanted challenges, updating schemas and synchronizing data.

     So, one goal of this document is to eliminate data redundancy by
     having DUAs configure themselves to the schema of the deployed
     directory, instead of forcing it's own schema on the directory.

     Another goal of this document is to provide the DUA with enough
     configuration information so that it can discover how to retrieve
     its data in the directory, such as what locations to search in the
     directory tree.

     Finally, this document intends to describe a configuration method
     for DUAs that can be shared among many DUAs, on various platforms,
     providing as such, a configuration profile, the purpose is to cen-
     tralize and simplify management of DUAs.



Joslin                                                         [Page 2]

Internet-Draft          DUA Configuration Schema            October 2002


     This document is intended to provide the skeleton framework for
     future drafts, which will describe the individual implementation
     details for the particular services provided by that DUA.  The
     authors of this document plan to develop such a document for the
     Network Information Service DUA, described by RFC 2307 or its suc-
     cessor.

     We expect that as DUAs take advantage of this configuration scheme,
     each DUA will require additional configuration parameters, not
     specified by this document.  Thus, we would expect that new auxili-
     ary object classes, containing new configuration attributes will be
     created, and then joined with the structural class defined by this
     document to create a configuration profile for a particular DUA
     service.  And that by joining various auxiliary objectclasses for
     different DUA services, that configuration of various DUA services
     can be controlled by a single configuration profile entry.


2.  General Issues

     The schema defined by this document is defined under the "DUA Con-
     figuration Schema."  This schema is derived from the OID: iso (1)
     org (3) dod (6) internet (1) private (4) enterprises (1) Hewlett-
     Packard Company (11) directory (1) LDAP-UX Integration Project (3)
     DUA Configuration Schema (1).  This OID is represented in this
     document by the keystring "DUAConfSchemaOID"
     (1.3.6.1.4.1.11.1.3.1).

2.1 Terminology

     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
     "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in
     this document are to be interpreted as described in RFC 2119 [15].

2.2 Attributes

     The attributes and classes defined in this document are summarized
     below.

     The following attributes are defined in this document:

          preferredServerList
          defaultServerList
          defaultSearchBase
          defaultSearchScope
          authenticationMethod
          credentialLevel
          serviceSearchDescriptor



Joslin                                                         [Page 3]

Internet-Draft          DUA Configuration Schema            October 2002


          serviceCredentialLevel
          serviceAuthenticationMethod
          attributeMap
          objectclassMap
          searchTimeLimit
          bindTimeLimit
          followReferrals
          dereferenceAliases
          profileTTL

2.3 Object Classes

     The following object class is defined in this document:

          DUAConfigProfile

2.4 Syntax Definitions

     The following syntax definitions are used throughout this document.
     This document does not define new syntaxes that must be supported
     by the directory server.  The string encoding used by the attri-
     butes defined in this document can be found section 5.

          keystring                 as defined by RFC 2252 [2]
          descr                     as defined by RFC 2252 section 4.1
          a                         as defined by RFC 2252 section 4.1
          d                         as defined by RFC 2252 section 4.1
          space                     as defined by RFC 2252 section 4.1
          whsp                      as defined by RFC 2252 section 4.1
          base                      as defined by RFC 2253 [3]
          DistinguishedName         as defined by RFC 2253 section 2
          RelativeDistinguishedName as defined by RFC 2253 section 2
          scope                     as defined by RFC 2255 [5]
          IPv4address               as defined by RFC 2396 [9]
          hostport                  as defined by RFC 2396 section 3.2.2
          port                      as defined by RFC 2396 section 3.2.2
          ipv6reference             as defined by RFC 2732 [10]
          host                      as defined by RFC 2732 section 3
          serviceID                 = keystring


3.  Attribute Definitions

     This section contains attribute definitions to be used by DUAs when
     discovering their configuration.

          ( DUAConfSchemaOID.1.0 NAME 'defaultServerList'
            DESC 'Default LDAP server host address used by a DUA'



Joslin                                                         [Page 4]

Internet-Draft          DUA Configuration Schema            October 2002


            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.1 NAME 'defaultSearchBase'
            DESC 'Default LDAP base DN used by a DUA'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.2 NAME 'preferredServerList'
            DESC 'Preferred LDAP server host addresses to be used by a
            DUA'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.3 NAME 'searchTimeLimit'
            DESC 'Maximum time in seconds a DUA should allow for a
            search to complete'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.4 NAME 'bindTimeLimit'
            DESC 'Maximum time in seconds a DUA should allow for the
            bind operation to complete'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.5 NAME 'followReferrals'
            DESC 'Tells DUA if it should follow referrals
            returned by a DSA search result'
            EQUALITY booleanMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.16 NAME 'dereferenceAliases'
            DESC 'Tells DUA if it should dereference aliases'
            EQUALITY booleanMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.6 NAME 'authenticationMethod'
            DESC 'A keystring which identifies the type of
            authentication method used to contact the DSA'
            EQUALITY caseIgnoreMatch



Joslin                                                         [Page 5]

Internet-Draft          DUA Configuration Schema            October 2002


            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.7 NAME 'profileTTL'
            DESC 'Time to live, in seconds, before a client DUA
            should re-read this configuration profile'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.14 NAME 'serviceSearchDescriptor'
            DESC 'LDAP search descriptor list used by a DUA'
            EQUALITY caseExactMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

          ( DUAConfSchemaOID.1.9 NAME 'attributeMap'
            DESC 'Attribute mappings used by a DUA'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

          ( DUAConfSchemaOID.1.10 NAME 'credentialLevel'
            DESC 'Identifies type of credentials a DUA should
            use when binding to the LDAP server'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.11 NAME 'objectclassMap'
            DESC 'Objectclass mappings used by a DUA'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

          ( DUAConfSchemaOID.1.12 NAME 'defaultSearchScope'
            DESC 'Default search scope used by a DUA'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
            SINGLE-VALUE )

          ( DUAConfSchemaOID.1.13 NAME 'serviceCredentialLevel'
            DESC 'Identifies type of credentials a DUA
            should use when binding to the LDAP server for a
            specific service'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

          ( DUAConfSchemaOID.1.15 NAME 'serviceAuthenticationMethod'
            DESC 'Authentication method used by a service of the DUA'
            EQUALITY caseIgnoreMatch



Joslin                                                         [Page 6]

Internet-Draft          DUA Configuration Schema            October 2002


            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


4.  Class Definition

     The objectclass below is constructed from the attributes defined in
     3, with the exception of the cn attribute, which is defined in RFC
     2256 [8].  cn is used to represent the name of the DUA configura-
     tion profile.

        ( DUAConfSchemaOID.2.5 NAME 'DUAConfigProfile'
          SUP top STRUCTURAL
          DESC 'Abstraction of a base configuration for a DUA'
          MUST ( cn )
          MAY ( defaultServerList $ preferredServerList $
                defaultSearchBase $ defaultSearchScope $
                searchTimeLimit $ bindTimeLimit $
                credentialLevel $ authenticationMethod $
                followReferrals $ dereferenceAliases $
                serviceSearchDescriptor $ serviceCredentialLevel $
                serviceAuthenticationMethod $ objectclassMap $
                attributeMap $ profileTTL ) )


5.  Implementation Details

5.1.1 Interpreting the preferredServerList attribute

     Interpretation:

          As described by the syntax, the preferredServerList parameter
          is a white-space separated list of server addresses and asso-
          ciated port numbers.  When the DUA needs to contact a DSA, the
          DUA MUST first attempt to contact one of the servers listed in
          the preferredServerList attribute.  The DUA MUST contact the
          DSA specified by the first server address in the list.  If
          that DSA is unavailable, the remaining DSAs MUST be queried in
          the order provided until a connection is established with a
          DSA.  Once a connection with a DSA is established, the DUA
          SHOULD NOT attempt to establish a connection with the remain-
          ing DSAs.

          If the DUA is unable to contact any of the DSAs specified by
          the preferredServerList, the defaultServerList attribute MUST
          be examined, as described in 5.1.2.  The servers identified by
          the preferredServerList MUST be contacted before attempting to
          contact any of the servers specified by the defaultServerList.




Joslin                                                         [Page 7]

Internet-Draft          DUA Configuration Schema            October 2002


     Syntax:

          serverList       = host *(space [host])

     Default Value:

          The preferredServerList attribute does not have a default
          value.  Instead a DUA MUST examine the defaultServerList
          attribute.

     Other attribute notes:

          This attribute is used in conjunction with the defaultServer-
          List attribute.  Please see section 5.1.2 for additional
          implementation notes.  Determining how the DUA should query
          the DSAs also depends on the additional configuration attri-
          butes, credentialLevel, serviceCredentialLevel, bindTimeLimit,
          serviceAuthenticationMethod and authenticationMethod.  Please
          review section 5.2 for details on how a Posix DUA should prop-
          erly bind to a DSA.

     Example:

          preferredServerList: 1.2.3.4 ldap1.mycorp.com ldap2:1389
            [1080::8:800:200C:417A]:1389

5.1.2 Interpreting the defaultServerList attribute

     Interpretation:

          The defaultServerList attribute MUST only be examined if the
          preferredServerList attribute is not provided, or the DUA is
          unable to establish a connection with one of the DSAs speci-
          fied by the preferredServerList.

          If more than one address is provided, the DUA may choose to
          either accept the order provided, or choose to create its own
          order, based on what the DUA determines is the "best" order of
          servers to query.  For example, the DUA may choose to examine
          the server list and choose to query the DSAs in order based on
          the "closest" server or the server with the least amount of
          "load." Interpretation of the "best" server order is entirely
          up to the DUA, and not part of this document.

          Once the order of server addresses is determined, the DUA con-
          tacts the DSA specified by the first server address in the
          list.  If that DSA is unavailable, the remaining DSAs SHOULD
          be queried until an available DSA is found or no more DSAs are



Joslin                                                         [Page 8]

Internet-Draft          DUA Configuration Schema            October 2002


          available.  If a server address or port is invalid, the DUA
          SHOULD proceed to the next server address as described just
          above.

     Syntax:

          serverList       = host *(space [host])

     Default Value:

          If a defaultServerList attribute is not provided, the DUA
          should xxx attempt to contact the same DSA that provided the
          configuration profile entry itself.  The default DSA is con-
          tacted only if the preferredServerList attribute is also not
          provided.

     Other attribute notes:

          This attribute is used in conjunction with the preferredSer-
          verList attribute.  Please see section 5.1.1 for additional
          implementation notes.  Determining how the DUA should query
          the DSAs also depends on the additional configuration attri-
          butes, credentialLevel, serviceCredentialLevel, bindTimeLimit,
          serviceAuthenticationMethod and authenticationMethod.  Please
          review section 5.2 for details on how a DUA should properly
          contact a DSA.

     Example:

          defaultServerList: 1.2.3.4 ldap1.mycorp.com ldap2:1389
            [1080::8:800:200C:417A]:1389

5.1.3 Interpreting the defaultSearchBase attribute

     Interpretation:

          When a DUA needs to search the DSA for information, this
          attribute provides the "base" for the search.  This parameter
          can be overridden or appended by the serviceSearchDescriptor
          attribute.  See section 5.1.6.

     Syntax:

          Defined by OID 1.3.6.1.4.1.1466.115.121.1.12

     Default Value:

          There is no default value for the defaultSearchBase.  A DUA



Joslin                                                         [Page 9]

Internet-Draft          DUA Configuration Schema            October 2002


          MAY define its own method for determining the search base, if
          the defaultSearchBase is not provided.

     Other attribute notes:

          This attribute is used in conjunction with the serviceSear-
          chDescriptor attribute.  See section 5.1.6.

     Example:

          defaultSearchBase: dc=mycompany,dc=com

5.1.4 Interpreting the authenticationMethod attribute

     Interpretation:

          The authenticationMethod attribute defines an ordered list of
          LDAP bind methods to be used when attempting to contact a
          DSA[1].   The serviceAuthenticationMethod overrides this value
          for a particular service (see 5.1.15.)  Each method MUST be
          attempted in the order provided by the attribute, until a suc-
          cessful LDAP bind is performed ("none" is assumed to always be
          successful.) However the DUA MAY skip over one or more
          methods.  See section 5.2 for more information.

            none   - The DUA does not perform an LDAP bind.
            simple - The DUA performs an LDAP simple bind.
            sasl   - The DUA performs an LDAP SASL bind using the
                     specified SASL mechanism and options.
            tls    - The DUA performs an LDAP StartTLS operation
                     followed by the specified bind method (for more
                     information refer to section 5.1 of RFC 2830 [12]).

     Syntax:

          authMethod      = method *(";" method)
          method          = none | simple | sasl | tls
          none            = "none"
          simple          = "simple"
          sasl            = "sasl/" saslmech [ ":" sasloption ]
          sasloption      = "auth-conf" | "auth-int"
          tls             = "tls:" (none | simple | sasl)
          saslmech        = SASL mechanism name as defined in
                            RFC 2222[7], section 3

          Note: Although multiple authentication methods may be speci-
          fied in the syntax, at most one of each type is allowed.




Joslin                                                        [Page 10]

Internet-Draft          DUA Configuration Schema            October 2002


     Default Value:

          If the authenticationMethod or serviceAuthenticationMethod
          (for that particular service) attributes are not provided, the
          DUA MAY choose to bind to the DSA using any method defined by
          the DUA.  However, if either authenticationMethod or servi-
          ceAuthenticationMethod are provided, the DUA MUST only use the
          methods specified.

     Other attribute notes:

          When using TLS, the string "tls:sasl/EXTERNAL" implies that
          two way authentication is to be performed.  Any other TLS
          authentication method implies one way (DSA side credential)
          authentication.

          Determining how the DUA should bind to the DSAs also depends
          on the additional configuration attributes, credentialLevel,
          serviceCredentialLevel, serviceAuthenticationMethod and
          bindTimeLimit.  Please review section 5.2 for details on how
          to properly bind to a DSA.

     Example:

          authenticationMethod: tls:simple;sasl/DIGEST-MD5
          (see [11])

5.1.5 Interpreting the credentialLevel attribute

     Interpretation:

          The credentialLevel attribute defines what type(s) of
          credential(s) the DUA SHOULD use when contacting the DSA.  The
          serviceCredentialLevel overrides this value for a particular
          service (5.1.16.)  The credentialLevel can contain more than
          one credential type, separated by white space.

          anonymous - The DUA SHOULD NOT use a credential when binding
          to the DSA.

          proxy - The DUA SHOULD use a known proxy identity when binding
          to the DSA.  A proxy identity is a specific credential that
          was created to represent the DUA.  This document does not
          define how the proxy user should be created, or how the DUA
          should determine what the proxy user's credential is.  This
          functionality is up to each implementation.

          self - When the DUA is acting on behalf of a "real user" the



Joslin                                                        [Page 11]

Internet-Draft          DUA Configuration Schema            October 2002


          DUA SHOULD attempt to bind to the DSA as that user.  The DUA
          SHOULD map the user's identity to a credential used in the
          directory.

          If the credentialLevel contains more than one credential type,
          the DUA MUST use the credential types in the order specified.
          However, the DUA MAY skip over one or more credential types.
          As soon as the DUA is able to successfully bind to the DSA,
          the DUA SHOULD NOT attempt to bind using the remaining creden-
          tial types.

     Syntax:

          credentialLevel   = level *(space level)
          level             = self | proxy | anonymous
          self              = "self"
          proxy             = "proxy"
          anonymous         = "anonymous"

          Note: Although multiple credential levels may be specified in
          the syntax, at most one of each type is allowed.  Refer to
          implementation notes in section 5.2 for additional syntax
          requirements for the credentialLevel attribute.

     Default Value:

          If the credentialLevel attribute is not defined, the DUA
          SHOULD NOT use a credential when binding to the DSA (also
          known as anonymous.)

     Other attribute notes:

          Determining how the DUA should bind to the DSAs also depends
          on the additional configuration attributes, authentication-
          Method, serviceAuthenticationMethod, serviceCredentialLevel
          and bindTimeLimit.  Please review section 5.2 for details on
          how to properly bind to a DSA.

     Example:

          credentialLevel: proxy anonymous

5.1.6 Interpreting the serviceSearchDescriptor attribute

     Interpretation:

          The serviceSearchDescriptor attribute defines how and where a
          DUA SHOULD search for information for a particular service.



Joslin                                                        [Page 12]

Internet-Draft          DUA Configuration Schema            October 2002


          The serviceSearchDescriptor contains a serviceID, followed by
          one or more base-scope-filter triples.  These base-scope-
          filter triples are used to define searches only for the
          specific service.  Multiple base-scope-filters allow the DUA
          to search for data in multiple locations of the DIT.  Although
          this syntax is very similar to the LDAP URL[6], this draft
          requires the ability to supply multiple hosts as part of the
          configuration of the DSA.  In addition, an ordered list of
          search descritors is required, which can not be specified by
          the LDAP URL.

          In addition to the triples, serviceSearchDescriptor might also
          contain the DN of an entry that will contain an alternate pro-
          file.  The DSA SHOULD re-evaluate the alternate profile and
          perform searches as specified by that profile.

          If the base, as defined in the serviceSearchDescriptor, is
          followed by the "," (ASCII 0x2C) character, this base is known
          as a relative base.  This relative base may be constructed of
          one or more RDN components.  The DUA MUST define the search
          base by appending the relative base with the defaultSear-
          chBase.

     Syntax:

          serviceSearchList = serviceID ":" serviceSearchDesc
                              *(";" serviceSearchDesc)
          serviceSearchDesc = confReferral | searchDescriptor
          searchDescriptor  = [base] ["?" [scope] ["?" [filter]]]
          confReferral      = "ref:" DistinguishedName
          base              = DistinguishedName |
                              RelativeBaseName
          RelativeBaseName  = 1*(RelativeDistinguishedName ",")
          filter            = UTF-8 encoded string

          If the base or filter contains the ";" (ASCII 0x3B) "?" (ASCII
          0x3F) """ (ASCII 0x22) or "\" (ASCII 0x5C) characters, those
          characters MUST be escaped (preceded with the "\" character.)
          Alternately the DN may be surrounded by quotes (ASCII 0x22.)
          Refer to RFC 2253, section 4.  If the base or filter are sur-
          rounded by quotes, only the """ character needs to be escaped.
          Any character that is preceded by the "\" character, which
          does not need to be escaped results in both "\" character and
          the character itself.

          The usage and syntax of the filter string MUST be defined by
          the DUA service.  A suggested syntax would be that as defined
          by RFC 2254.



Joslin                                                        [Page 13]

Internet-Draft          DUA Configuration Schema            October 2002


          If a DUA is performing a search for a particular service,
          which has a serviceSearchDescriptor defined, the DUA MUST set
          the base, scope and filter as defined.  Each base-scope-filter
          triple represents a single LDAP search operation.  If multiple
          base-scope-filter triples are provided in the serviceSear-
          chDescriptor, the DUA SHOULD perform multiple search requests
          and in that case it MUST be in the order specified by the ser-
          viceSearchDescriptor.

          FYI: Service search descriptors do not exactly follow the LDAP
          URL syntax [5].  The reasoning for this difference is to
          separate the host name(s) from the filter.  This allows the
          DUA to have a more flexible solution in choosing its provider.

     Default Values:

          If a serviceSearchDescriptor, or an element their-of, is not
          defined for a particular service, the DUA SHOULD create the
          base, scope and filter as follows:

            base   - Same as the defaultSearchBase or as
                     defined by the DUA service.
            scope  - Same as the defaultSearchScope or as
                     defined by the DUA service.
            filter - Use defaults as defined by DUAs service.

          If the defaultSearchBase or defaultSearchScope are not
          defined, then the DUA service may use its own default.


     Other attribute notes:

          If a serviceSearchDescriptor exists for a given service, the
          service MUST use at least one base-scope-filter triple in per-
          forming searches.  It SHOULD perform multiple searches per
          service if multiple base-scope-filter triples are defined for
          that service.

          The details of how the "filter" is interpreted by each DUA's
          service is defined by that service.  This means the filter is
          NOT REQUIRED to be a legal LDAP filter [4].  Furthermore,
          determining how attribute and objectclass mapping affects that
          search filter MUST be defined by the service.  I.E. The DUA
          SHOULD specify if the filter has been assumed to already have
          been mapped, or if it is expected that mapping would be
          applied to the filter.  In general practice, implementation
          and usability suggests that attribute and objectclass mapping
          (sections 5.1.7 and 5.1.13) SHOULD NOT be applied to the



Joslin                                                        [Page 14]

Internet-Draft          DUA Configuration Schema            October 2002


          filter defined in the serviceSearchDescriptor.

          It is assumed the serviceID is unique to a given service
          within the scope of any DUA that might use the given profile.

     Example:

          defaultSearchBase: dc=mycompany,dc=com

          serviceSearchDescriptor: email:ou=people,ou=org1,?
           one;ou=contractor,?one;
           ref:cn=profile,dc=mycompany,dc=com

          In this example, the DUA MUST search in
          "ou=people,ou=org1,dc=mycompany,dc=com" first.  The DUA then
          SHOULD search in "ou=contractor,dc=mycompany,dc=com", and
          finally it SHOULD search other locations as specified in the
          profile described at "cn=profile,dc=mycompany,dc=com".  For
          more examples, see section 9.


5.1.7 Interpreting the attributeMap attribute

     Interpretation:

          A DUA SHOULD perform attribute mapping for all LDAP operations
          performed for a service that has an attributeMap entry.
          Because attribute mapping is specific to each service within
          the DUA, a "serviceID" is required as part of the attributeMap
          syntax.  I.E. not all DUA services should necessarily perform
          the same attribute mapping.

          Attribute mapping in general is expected be used to map attri-
          butes of similar syntaxes as specified by the service sup-
          ported by the DUA.  However, a DUA is NOT REQUIRED to verify
          syntaxes of mapped attributes.  If the DUA does discover that
          the syntax of the mapped attribute does not match that of the
          original attribute, the DUA MAY perform translation between
          the original syntax and the new syntax.  When DUAs do support
          attribute value translation, the list of capabable transla-
          tions SHOULD be documented in a description of the DUA ser-
          vice.

     Syntax:

          attributeMap      = serviceID ":" origAttribute "="
                              attributes
          origAttribute     = attribute



Joslin                                                        [Page 15]

Internet-Draft          DUA Configuration Schema            October 2002


          attributes        = wattribute *( space wattribute )
          wattribute        = whsp newAttribute whsp
          newAttribute      = descr | "*NULL*"
          attribute         = descr

          Values of the origAttribute are defined by and SHOULD be docu-
          mented for the DUA service, as a list of known supported
          attributes.

     Default Value:

          By default, attributes that are used by a DUA service are not
          mapped unless mapped by the attributeMap attributes.  The DUA
          MUST NOT map an attribute unless it is explicitly defined by
          an attributeMap attribute.

     Other attribute notes:

          When an attribute is mapped to the special keystring "*NULL*",
          the DUA SHOULD NOT request that attribute from the DSA, when
          performing a search or compare request.  If the DUA is also
          capable of performing modification on the DSA, the DUA SHOULD
          NOT attempt to modify any attribute which has been mapped to
          "*NULL*".

          It is assumed the serviceID is unique to a given service
          within the scope of the DSA.

          A DUA SHOULD support attribute mapping.  If it does, the fol-
          lowing additional rules apply:

          1) The list of attributes that are allowed to be mapped SHOULD
          defined by and documented for the service.

          2) Any supported translation of mapping from attributes of
          dissimilar syntax SHOULD also be defined and documented.

          3) If an attribute may be mapped to multiple attributes the
          DSA SHOULD define a syntax or usage statement for how the new
          attribute value will be evaluated.  Furthermore, the resulting
          translated syntax of the combined attributes MUST be the same
          as the attribute being mapped.

          4) A DUA MUST support mapping of attributes using the attri-
          bute OID.  It SHOULD support attribute mapping based on the
          attribute name.

          5) It is recommended that attribute mapping not be applied to



Joslin                                                        [Page 16]

Internet-Draft          DUA Configuration Schema            October 2002


          parents of the target entries.

          6) Attribute mapping is not recursive.  In other words, if an
          attribute has been mapped to a target attribute, that new tar-
          get attribute MUST NOT be mapped to a third attribute.

          7) A given attribute MUST only be mapped once for a given ser-
          vice.


     Example:

          Suppose a DUA is acting on behalf of an email service.  By
          default the "email" service uses the "mail", "cn" and "sn"
          attributes to discover mail addresses.  However, the email
          service has been deployed in an environment that uses "employ-
          eeName" instead of "cn."  And also instead of using the "mail"
          attribute for email addresses, the "email" attribute is used
          for that purpose.  In this case, the attribute "cn" can be
          mapped to "employeeName," allowing the DUA to perform searches
          using the "employeeName" attribute as part of the search
          filter, instead of "cn".  And "mail" can be mapped to "email"
          when attempting to retrieve the email address.  This mapping
          is performed by adding the attributeMap attributes to the con-
          figuration profile entry as follows (represented in LDIF[18]):

          attributeMap: email:cn=employeeName
          attributeMap: email:mail=email

          As described above, the DUA MAY also map a single attribute to
          multiple attributes.  When mapping a single attribute to more
          than one attribute, the new syntax or usage of the mapped
          attribute must be intrinsically defined by the DUAs service.

          attributeMap: email:cn=firstName lastName

          In the above example, the DUA creates the new value by gen-
          erating space separated string using the values of the mapped
          attributes.  In this case, a special mapping must be defined
          so that a proper search filter can be created.  For further
          information on this example, please refer to section 9.

          Another possibility for multiple attribute mapping might come
          in when constructing returned attributes.  For example,
          perhaps all email addresses are of a guaranteed syntax of
          "uid@domain".  And in this example, the uid and domain are
          separate attributes in the directory.  The email service may
          define that if the "mail" attribute is mapped to two different



Joslin                                                        [Page 17]

Internet-Draft          DUA Configuration Schema            October 2002


          attributes, it will construct the email address as a concate-
          nation of the uid and domain attributes, placing the "@" char-
          acter between them.

          attributeMap: email:mail=uid domain


5.1.8 Interpreting the searchTimeLimit attribute

     Interpretation:

          The searchTimeLimit attribute defines the maximum time, in
          seconds, that a DUA SHOULD allow to perform a search request.

     Syntax:

          Defined by OID 1.3.6.1.4.1.1466.115.121.1.27.

     Default Value:

          If the searchTimeLimit attribute is not defined or is zero,
          the search time limit is not enforced by the DUA.

     Other attribute notes:

          This time limit only includes the amount of time required to
          perform the LDAP search operation.  If other operations are
          required, those operations do not need to be considered part
          of the search time.  See bindTimeLimit for the LDAP bind
          operation.

5.1.9 Interpreting the bindTimeLimit attribute

     Interpretation:

          The bindTimeLimit attribute defines the maximum time, in
          seconds, that a DUA SHOULD allow to perform an LDAP bind
          request against each server on the preferredServerList or
          defaultServerList.

     Syntax:

          Defined by OID 1.3.6.1.4.1.1466.115.121.1.27.

     Default Value: