home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Internet Info 1997 December
/
Internet_Info_CD-ROM_Walnut_Creek_December_1997.iso
/
drafts
/
draft_ietf_a_c
/
draft-ietf-asid-nis-schema-01.txt
< prev
next >
Wrap
Text File
|
1997-06-05
|
42KB
|
1,137 lines
Application Working Group L. Howard
INTERNET-DRAFT Independent Consultant
Expires in six months from 4 June 1997
Intended Category: Experimental
An Approach for Using LDAP as a Network Information Service
<draft-ietf-asid-nis-schema-01.txt>
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or made obsolete by
other documents at any time. It is not appropriate to use Internet-
Drafts as reference material or to cite them other than as a "working
draft" or "work in progress".
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim).
Distribution of this document is unlimited.
Abstract
This document describes an experimental mechanism for mapping POSIX
[13] and TCP/IP network-related entities into X.500 entries so that
they may be resolved with the Lightweight Directory Access Protocol
[1]. A set of attribute types and object classes are proposed, along
with specific guidelines for interpreting them.
The intention is to assist the deployment of LDAP as an
organizational nameservice. No proposed solutions are intended as
standards for the Internet. Rather, it is hoped that a general
consensus will emerge as to the appropriate solution to such
problems, leading eventually to the adoption of standards. The
proposed mechanism has already been implemented with some success.
Howard [Page 1]
Internet Draft NIS X.500 schema 4 June 1997
1. Background and Motivation
The Unix operating system, and its derivatives (specifically, those
which support TCP/IP and conform to the POSIX XPG.4 specification)
require a means of looking up entities, by matching them against
search criteria or by enumeration. (Other operating systems that
support TCP/IP may provide some means of resolving some of these
entities. This schema applies to those environments also.)
These entities include users, groups, IP services (which map names to
IP ports and protocols, and vice versa), IP protocols (which map
names to IP protocol numbers and vice versa), RPCs (which map names
to ONC Remote Procedure Call [12] numbers and vice versa), NIS
netgroups, booting information (boot parameters and MAC address
mappings), filesystem mounts, IP hosts and networks, and RFC822 mail
aliases.
Resolution requests are made through a set of C functions, provided
in the Unix C library. For example, the Unix command line tool 'ls',
which enumerates the contents of a filesystem directory, uses the C
library function getpwuid(3c) in order to map user IDs to login
names. Once the request is made, it is resolved using a 'nameservice'
which is supported by the client library. The nameservice may be, at
its simplest, a collection of files in the local filesystem which are
opened and searched by the C library. Other common nameservices
include the Network Information Service (NIS) and the Domain Name
System (DNS). (The latter is typically only used for resolving hosts
and networks.) Both these nameservices have the advantage of being
distributed and thus permitting a common set of entities to be shared
amongst many clients.
LDAP is a distributed, hierarchical directory service access protocol
which is used to access repositories of users and other network-
related entities. Because LDAP is usually not tightly integrated with
the operating system, information such as users needs to be kept both
in LDAP and in an operating system supported nameservice such as NIS.
By using LDAP as the the primary means of resolving these entities,
these redundancy issues are minimized and the scalability of LDAP can
be exploited. (By comparison, NIS services based on flat files do not
have the scalability or extensibility of LDAP or X.500.)
"In general, it is advantageous for different network
applications and services to refer to the directory for
user account information, rather than each service keeping
its own collection of user account records, which requires
the network administrator to separately create or destroy
user entities, passwords, etc., in many different systems
each time a user joins or leaves the organization." [4]
Howard [Page 2]
Internet Draft NIS X.500 schema 4 June 1997
The object classes and attributes defined below are suitable for
representing the aforementioned entities in a form compatible with
LDAP and X.500 directory services. While the schema is by no means
deemed to be authoritative, it is considered desirable to have a
single, open schema rather than the proliferation of multiple
proprietary schema. This document is one step towards such a schema.
2. General Issues
2.1. Terminology
In this document, the term 'NIS-related entities' is used rather
loosely to refer to those entities (described in the previous
section) which are typically repesented in the Network Information
Service. (NIS was previously known as Yellow Pages, or YP.) It should
not be inferred from this that deploying LDAP for resolving such
entities requires NIS to be used (as a gateway or otherwise). The
host and network classes are generically applicable, and may be
implemented on operating systems other than Unix that wish to use
LDAP to resolve these entities.
The 'DUA' (directory user agent) refers to the LDAP client querying
these entities, such as an LDAP to NIS gateway or the C library. The
'client' refers to the application which ultimately makes use of the
information returned by the resolution. It is irrelevant whether the
DUA and the client reside within the same address space. The act of
the DUA making this information to the client is termed
'republishing'.
To avoid confusion, the term 'login name' refers to the user's login
name (being the value of the uid attribute) and the term 'user ID'
refers to he user's integer identification number (being the value of
the posixUidNumber attribute). The term 'principal' is used to
distinguish accounts that may be used for authentication from those
that are not.
The term 'nameservice' refers to a service, such as NIS or flat
files, that is used by the operating system to resolve entities
within a single, local naming context. Contrast this with a
'directory service' such as LDAP, which support extensible schema and
multiple naming contexts.
The phrase 'resolving an entity' or 'resolution of entities' refers
to enumerating NIS-related entities of a given type, or matching them
against a given search criterion. One or more entities are returned
as a result of successful 'resolutions' (a 'match' operation will
only return one entity).
Howard [Page 3]
Internet Draft NIS X.500 schema 4 June 1997
Note that the use of the attribute and class prefix 'posix' does not
confer any endorsement of this schema by the POSIX standards body.
The prefix was chosen as a more appropriate prefix than 'unix', the
other suitable candidate. Where necessary, the term 'POSIX entity'
is used to refer to users and groups; the term 'TCP/IP entity' is
used to refer to protocols, services, hosts, and networks. (The
latter category does not mandate the host operating system supporting
the interfaces required for resolving POSIX entities.) NIS netgroups,
ONC RPC binding information, and mounts fall outside these
categories.
2.2. Attributes
The attributes and classes defined in this document are summarized
below. The reader is referred to [2] for the BFN for attribute type
definitions.
The following attributes are defined in this document:
posixUidNumber
posixPrimaryGidNumber
posixGidNumber
posixGecos
posixHomeDirectory
posixShell
shadowLastChange
shadowMin
shadowMax
shadowWarn
shadowInactive
shadowExpire
shadowFlag
memberUid
memberNISNetgroup
memberHost
ipServicePort
ipServiceProtocol
ipProtocolNumber
oNCRPCNumber
mountOption
mountType
mountDirectory
mountDumpFrequency
mountPassNo
ipHostNumber
ipNetworkNumber
ipNetmaskNumber
macAddress
Howard [Page 4]
Internet Draft NIS X.500 schema 4 June 1997
bootParameter
bootFile
nISDomain
Additionally, the attributes defined in [2] and [9] are imported.
2.3. Object classes
The reader is referred to [2] for the BFN for object class
definition.
The following object classes are defined in this document:
posixAccount
posixGroup
ipService
ipProtocol
oNCRPC
mount
ipHost
ipNetwork
nISNetgroup
Additionally, the classes defined in [2] and [9] are imported.
3. Attribute definitions
This section contains attribute definitions which must be implemented
by DUAs supporting the schema.
( TBD.0.0 NAME 'posixUidNumber'
DESC 'An integer uniquely identifying a user in an
administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.1 NAME 'posixPrimaryGidNumber'
DESC 'An integer uniquely identifying a group in an
administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.2 NAME 'posixGidNumber'
DESC 'An integer uniquely identifying a group in an
administrative domain'
EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.3 NAME 'posixGecos'
DESC 'The GECOS field (the user's full name et al)'
EQUALITY caseIgnoreIA5Match
Howard [Page 5]
Internet Draft NIS X.500 schema 4 June 1997
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.4 NAME 'posixHomeDirectory'
DESC 'The absolute path of the user's home directory'
EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.5 NAME 'posixShell'
DESC 'The absolute path of the user's shell'
EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.6 NAME 'shadowLastChange' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.7 NAME 'shadowMin' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.8 NAME 'shadowMax' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.9 NAME 'shadowWarn' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.10 NAME 'shadowInactive' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.11 NAME 'shadowExpire' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.12 NAME 'shadowFlag' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.13 NAME 'memberUid' EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String{128}' )
( TBD.0.14 NAME 'memberNISNetgroup' EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' )
( TBD.0.15 NAME 'memberHost' EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' )
( TBD.0.16 NAME 'ipServicePort' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
Howard [Page 6]
Internet Draft NIS X.500 schema 4 June 1997
( TBD.0.17 NAME 'ipServiceProtocol' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' )
( TBD.0.18 NAME 'ipProtocolNumber' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.19 NAME 'oNCRPCNumber' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.20 NAME 'mountOption' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' )
( TBD.0.21 NAME 'mountType' EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.22 NAME 'mountDirectory' EQUALITY caseExactIA5Match
SYNTAX 'IA5String' SINGLE-VALUE )
( TBD.0.23 NAME 'mountDumpFrequency' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.24 NAME 'mountPassNo' EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
( TBD.0.25 NAME 'ipHostNumber'
DESC 'IP address in dotted decimal notation, eg. 192.168.1.1'
EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' )
( TBD.0.26 NAME 'ipNetworkNumber'
DESC 'IP address in dotted decimal notation, eg. 192.168'
EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' )
( TBD.0.27 NAME 'ipNetmaskNumber'
DESC 'IP address in dotted decimal notation, eg. 255.255.255.0'
EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' )
( TBD.0.28 NAME 'macAddress'
DESC 'MAC address in colon-separated hex notation, for
example 0:0:92:90:ee:e2'
EQUALITY caseIgnoreIA5Match
SYNTAX 'IA5String{128}' )
( TBD.0.29 NAME 'bootParameter'
DESC 'rpc.bootparamd parameter; informal syntax is key=value'
EQUALITY caseExactIA5Match
Howard [Page 7]
Internet Draft NIS X.500 schema 4 June 1997
SYNTAX 'IA5String' )
( TBD.0.30 NAME 'bootFile' EQUALITY caseExactIA5Match
STRINGS caseExactSubstringsIA5Match SYNTAX 'IA5String' )
( TBD.0.31 NAME 'nISDomain' EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX 'IA5String' )
4. Class definitions
This section contains class definitions which must be implemented by
DUAs supporting the schema.
The definitions under the OID 2.5.6 are imported. The rfc822MailGroup
object class may used to represent a mail group for the purpose of
alias expansion. (Several alternative schemes for mail routing and
delivery using LDAP directories have been proposed [4]; these issues
will not be considered in detail here.)
( TBD.1.0 NAME 'posixAccount' SUP top STRUCTURAL
DESC 'Abstraction of an account.
The uid attribute is the account's login name.'
MUST ( cn $ uid $ posixUidNumber $
posixPrimaryGidNumber $ posixHomeDirectory )
MAY ( userPassword $ posixShell $ posixGecos $
shadowLastChange $ shadowMin $ shadowMax $
shadowWarn $ shadowInactive $ shadowExpire $
shadowFlag ) )
( TBD.1.1 NAME 'posixGroup' SUP top STRUCTURAL
DESC 'Abstraction of a group of accounts.'
MUST ( cn $ posixGidNumber ) MAY ( groupPassword $ memberUid ) )
( TBD.1.2 NAME 'ipService' SUP top STRUCTURAL
DESC 'Abstraction an Internet Protocol service. Maps an IP
port and protocol (eg. tcp or udp) to one or more names.
The distinguished value of the cn attribute denotes the
service's canonical name.'
MUST ( cn $ ipServicePort $ ipServiceProtocol ) )
( TBD.1.3 NAME 'ipProtocol' SUP top STRUCTURAL
DESC 'Abstraction of an IP protocol. Maps a protocol number to
one or more names. The distinguished value of the cn
attribute denotes the protocol's canonical name.'
MUST ( cn $ ipProtocolNumber ) )
Howard [Page 8]
Internet Draft NIS X.500 schema 4 June 1997
( TBD.1.4 NAME 'oNCRPC' SUP top STRUCTURAL
DESC 'Abstraction of an Open Network Computing (ONC) [12]
Remote Procedure Call (RPC) binding. Maps an ONC RPC
number to a name. The distinguished value of the cn
attribute denotes the RPC service's canonical name.'
MUST ( cn $ oNCRPCNumber ) )
( TBD.1.5 NAME 'mount' SUP top STRUCTURAL
DESC 'Abstraction of a filesystem mount.'
MUST ( cn $ mountDirectory $ mountType )
MAY ( mountOption $ mountDumpFrequency $ mountPassNo ) )
( TBD.1.6 NAME 'ipHost' SUP domainRelatedObject STRUCTURAL
DESC 'Abstraction of a host. The schema defined in [3] is used
to denote the canonical hostname, by mapping the
distinguished name into a DNS domain name.
The associatedDomain attribute is used for
interrogating the DIT, and as such must contain values
for the host's canonical name and its aliases.'
MUST ( dc $ ipHostNumber )
MAY ( macAddress $ bootParameter $ bootFile $
l $ description $ manager ) )
( TBD.1.7 NAME 'ipNetwork' SUP domainRelatedObject
STRUCTURAL
DESC 'Abstraction of a network.'
MUST ( dc $ ipNetworkNumber )
MAY ( ipNetmaskNumber $ l $ description $ manager ) )
( TBD.1.8 NAME 'nISNetgroup' SUP top STRUCTURAL
DESC 'Abstraction of a netgroup. May refer to other netgroups.'
MUST cn
MAY ( memberUid $ memberHost $ memberNISNetgroup $ nISDomain ) )
5. Implementation details
5.1. Resolution methods
The ideal means of directing a client application (one using the
shared services of the C library) to use LDAP as its information
source for the functions listed in 5.2 is to modify the source code
to directly query LDAP. As the source code to commercial C libraries
and applications is rarely available to the end-user, it is
acceptable to emulate a supported nameservice (such as NIS) and
modify the resolution code to use LDAP. (This is also an appropriate
opportunity to perform caching of entries across client address
Howard [Page 9]
Internet Draft NIS X.500 schema 4 June 1997
spaces.) In the case of NIS, reference implementations are widely
available and the client-server RPC interface is well known. Some
operating systems and C libraries support end-user extensible
resolvers using dynamically loadable libraries and a nameservice
"switch". In any case, the precise means by which the operating
system is directed to use LDAP is not at issue; this is left to the
implementor to decide.
5.2. Affected resolver calls
The following entry points are found in the C libraries of most Unix
and POSIX compliant systems. An LDAP search filter [5] which may be
used to satisfy the function call is included alongside each function
name, with printf(3s) format notation used to denote the function
parameter(s), if any. Note that the POSIX specification does not
define the enumeration routines (such as getpwent(3c)); however, the
filters are included here for completeness. With the exception of
getmntent(3c), those functions in section 3c of Unix manual pages
relate to POSIX entities, and those in section 3n relate to TCP/IP
entities. Long lines are broken with the '\' character.
getpwnam(3c) (&(objectClass=posixAccount)(uid=%s))
getpwuid(3c) (&(objectClass=posixAccount)\
(posixUidNumber=%d))
getpwent(3c) (objectClass=posixAccount)
getgrnam(3c) (&(objectClass=posixGroup)(cn=%s))
getgrgid(3c) (&(objectClass=posixGroup)\
(posixGidNumber=%d))
getgrent(3c) (objectClass=posixGroup)
getservbyname(3n) (&(objectClass=ipService)\
(&(cn=%s)(ipServiceProtocol=%s)))
getservbyport(3n) (&(objectClass=ipService)\
(&(ipServicePort=%d)\
(ipServiceProtocol=%s)))
getservent(3n) (objectClass=ipService)
getrpcbyname(3n) (&(objectClass=oNCRPC)(cn=%s))
getrpcbynumber(3n) (&(objectClass=oNCRPC)(oNCRPCNumber=%d))
getrpcent(3n) (objectClass=oNCRPC)
getprotobyname(3n) (&(objectClass=ipProtocol)(cn=%s))
getprotobynumber(3n) (&(objectClass=ipProtocol)\
(ipProtocolNumber=%d))
getprotoent(3n) (objectClass=ipProtocol)
gethostbyname(3n) (&(objectClass=ipHost)\
Howard [Page 10]
Internet Draft NIS X.500 schema 4 June 1997
(associatedDomain=%s))
gethostbyaddr(3n) (&(objectClass=ipHost)(ipHostNumber=%s))
gethostent(3n) (objectClass=ipHost)
getnetbyname(3n) (&(objectClass=ipNetwork)\
(associatedDomain=%s))
getnetbyaddr(3n) (&(objectClass=ipNetwork)\
(ipNetworkNumber=%s))
getnetent(3n) (objectClass=ipNetwork)
getnetgrent(3n) (objectClass=nISNetgroup)
getaliasbyname(3n) (&(objectClass=rfc822MailGroup)(cn=%s))
getaliasent(3n) (objectClass=rfc822MailGroup)
getmntent(3c) (objectClass=mount)
5.3. Interpreting user and group entries
User and group resolution is initiated by the functions prefixed by
getpw and getgr respectively. A user's login name is denoted by the
value of the uid attribute (which will typically be used as a
relative distinguished name); a group's name is denoted by a value of
the cn attribute.
An account's GECOS field is preferably determined by a value of the
posixGecos attribute. If no posixGecos attribute exists, the value of
the cn attribute must be used. (The existence of the posixGecos
attribute allows attributes embedded in the GECOS field, such as a
user's telephone number, to be returned to the client without
overloading the cn attribute.)
An entry of class posixAccount without a userPassword attribute must
be denied the opportunity to authenticate. For example, the client
may be returned a non-matchable password such as "*" by the DUA.
A user which is a member of a posixGroup which has no groupPassword
attribute must not be allowed to authenticate themself as a member of
that group, unless the user's posixPrimaryGidNumber attribute implies
a user has the same group ID (in which case the operating system may
determine this implicitly).
userPassword and groupPassword values must be represented by
following BNF syntax:
<passwordValue> ::= <encryptionSchemePrefix> <encryptedPassword>
<encryptionSchemePrefix> ::= '{' <encryptionScheme> '}'
Howard [Page 11]
Internet Draft NIS X.500 schema 4 June 1997
<encryptionScheme> ::= 'crypt'
<encryptedPassword> ::= encrypted password
(where the encrypted password consists of a plaintext key encrypted
using crypt(3) with a two-character random salt)
Operating systems which support different one way encoding functions
may choose a different encryptionScheme; crypt(3) is only considered
here.
userPassword and groupPassword values which do not adhere to the BNF
above must not be used for authentication. (The DUA must iterate
through the values of the attribute until a value matching the above
BNF is found.) Only if encryptedPassword is an empty string does the
user have no password.
A DUA may make use of the attributes prefixed by shadow in order to
provide shadow password service (getspnam(3c) and getspent(3c)). In
such cases, the DUA must not make use of the userPassword attribute
for getpwnam(3c) et al, and must return a non-matchable password
(such as "x") to the client instead.
5.4. Interpreting hosts and networks
The means for representing DNS [6] domains in LDAP distinguished
names described in [3] and [9] is used in part to represent TCP/IP
hosts and networks in LDAP.
Potentially contentious is the use of the ipHostNumber attribute
instead of the dNSRecord attribute. The rationale is that, in order
to minimize the responsibility placed on the DUA, attribute values
ought to directly contain the information they seek to represent.
This contrasts with, for example, a dNSRecord value which expresses a
complete DNS resource record including time to live and class data.
While dNSRecords are suitable for building a DNS gateway to LDAP
(which may ultimately fulfill the purpose of resolving hosts), this
information is extraneous to performing host lookups directly with
LDAP.
Additionally, it is considered more appropriate for an entity, and
all its aliases, to be represented by a single entry in the DIT,
which is not always possible when a DNS resource record is mapped
directly to an LDAP entry.
This document redefines (although not to the extent of excluding the
existing definition) the ipNetwork class defined in [3], for naming
consistency with ipHost. The ipNetworkNumber attribute is also used
Howard [Page 12]
Internet Draft NIS X.500 schema 4 June 1997
in the siteContact object class [14]. (The trailing zeros in a
network address should be omitted.)
If an entry of class ipHost or ipNetwork belongs to a naming context
denoted by relative distinguished names (RDNs) [10] of attribute type
dc (domainComponent), then the distinguished name (DN) is transformed
into a domain name system (DNS) suffix by concatenating each RDN
value with a period ('.').
For example, an entry of class ipHost with a DN of dc=foo, dc=bar,
dc=edu or dc=foo, dc=bar, dc=edu, o=Internet is parsed into the host
name foo.bar.edu. If the naming context is does not contain 'dc'
values, a non-qualified host name is returned. For organizations
which wish to use existing X.500 container classes to form their
context (ie. organization and organizationalUnit) the RDN components
of incorrect type are skipped by the DUA in determining the domain
name. As such, a DN of dc=foo, dc=bar, dc=edu, o=Ace Industry, c=US
may be parsed as foo.bar.edu. As this may be considered a naming
violation, this document does not specifically endorse this.
5.5. Interpreting other entities
In general, a one-to-one mapping between entities and LDAP entries is
proposed, in that each entity has exactly one representation in the
DIT. In some cases this is not feasible; for example, a service which
is represented in more than one protocol domain. Consider the
following entry:
dn: cn=domain, dc=aceindustry, dc=com
cn: domain
cn: nameserver
objectClass: top
objectClass: ipService
ipServicePort: 53
ipServiceProtocol: tcp
ipServiceProtocol: udp
This entry would map to the following two (2) services entities:
domain 53/tcp nameserver
domain 53/udp nameserver
While the above two entities could have been equally represented as
separate LDAP entities, with different distinguished names (such as
cn=domain+ipServiceProtocol=tcp, ... and
cn=domain+ipServiceProtocol=udp, ...) it is considered that
representing them as a single entry is more convenient.
Howard [Page 13]
Internet Draft NIS X.500 schema 4 June 1997
The mount class represents mount entities as they would be found
directly in /etc/fstab. Granted, this information is used primarily
at boot time when access to non-local nameservices may be restricted.
It may be considered useful to use LDAP to represent the
configuration data for automount daemons; such a schema is outside
the scope of this document. (However, the DUA may hint to the client
that certain information is to be used by the automounter using the
mountOption attribute.)
With the exception of userPassword and groupPassword values, which
must be parsed according to the BNF considered in section 5.2, any
empty values (those that consist of a zero length string) are
returned by the DUA to the client. The client may not make sense of
them, but this situation is no different to parsing files which
contain empty fields. (By contrast, the DUA must reject any entries
which do not conform to the schema, ie. are missing certain mandatory
attributes.)
5.6. Canonicalizing entries with multi-valued naming attributes
For entities such as services, protocols, and RPCs, where there may
be one or more aliases, the respective entry's relative distinguished
name is used to form the canonical name. Any other values for the
same attribute are used as aliases. For example, the service
described in section 5.5 has the canonical name 'domain' and exactly
one alias, 'nameserver'.
The schema in this document generally only defines one attribute per
class which is suitable for distinguishing an entity (excluding any
attributes with integer syntax; it is assumed that entries will be
distinguished based on name). Usually, this is the common name (cn)
attribute. (For users, either the cn or uid attributes may be used
to canonicalize an entry. For hosts and networks, the entire
distinguished name is considered, as per section 5.4.) This fact aids
the DUA in determining the canonical name of an entity: it can simply
examine the value of the relative distinguished name. Aliases are
thus any values of the distinguishing attribute (such as cn) which do
not match the canonical name of the entity.
In the event that a different attribute is used to distinguish the
entry, as may be the case with conforming entries that belong to
additional object classes, it is possible that the entity's canonical
name cannot be deduced from the RDN. In this situation, the DUA must
choose one of the non-distinguished values to represent the entity's
canonical name. Because the directory server guarantees no ordering
of attribute values, attempting to distinguish an entry in a
deterministic fashion may require the DUA to maintain a mapping
between entries' DNs and their canonical names as considered by the
Howard [Page 14]
Internet Draft NIS X.500 schema 4 June 1997
DUA. This document does not require this, nor does it advocate that
such situations be resolved by mapping one DIT entry into multiple
entities.
6. Implementation focus
A NIS to LDAP gateway daemon has been developed which supports the
schema defined in this document. A set of extensions to a particular
implementation of the Mach operating system has also been developed,
which sidesteps NIS and uses LDAP directly.
Work is underway to develop a freely available (under the GNU General
Library Public License) reference implementation of the C library
resolution code that supports LDAP using the draft schema. The code
will be compatible with the Free Software Foundation's GNU C library
and other C libraries which support the Name Service Switch (NSS).
The alias lookup functions referred to in section 5.2 are presently
available only in the GNU C library, and (albeit with different
names) in the C library of one commercial Unix vendor. It is
anticipated that the mail transport agent (MTA) will typically
consult LDAP or NIS directly instead of using the C library; however,
support for the suggested library calls is encouraged.
The author has made available a freely distributable set of Perl
scripts for parsing configuration files such as /etc/passwd and
/etc/hosts and generating LDIF data suitable for preparing an LDIF
database. It would be a relatively trivial effort to write utilities
to export LDIF data to flat files, such that information stored in an
LDAP-compatible directory service could be regularly dumped into NIS
maps or flat files.
7. Security considerations
The entirety of related security considerations are outside the scope
of this document. However, it should be noted that making passwords
encrypted with a widely understood one way function (such as
crypt(3)) available to non-privileged users is potentially dangerous
because it exposes them to dictionary and brute-force attacks. It is
proposed only for compatibility with existing Unix implementations.
Sites where security is critical may consider using Kerberos or
another authentication service for logins. A variation on this is to
authenticate to an LDAP server by binding over an encrypted
connection (such as SSL [8]).
Alternatively, the encrypted password could be made available only to
a subset of privileged DUAs, which would provide 'shadow' password
service to client applications.
Howard [Page 15]
Internet Draft NIS X.500 schema 4 June 1997
Because the schema represents operating system-level entities, access
to these entities should be granted on a discretionary basis. (That
said, there is little point in restricting access to data which will
be republished without restriction, eg. by a NIS server.) It is
particularly important that only administrators can modify entries
defined in this schema, with the exception of allowing a principal to
change their password (which may be done on behalf of the user by a
client bound as a superior principal, such that password restrictions
may be enforced). For example, if a user were allowed to change the
value of their posixUidNumber attribute, they could subvert security
by equivalencing their account with the root account.
A subtree of the DIT which is to be republished by a DUA (such as a
NIS gateway) should be within the same administrative domain that the
republishing DUA represents. (For example, principals outside an
organization, while conceivably part of the DIT, should not be
considered with the same degree of authority as those within the
organization.)
8. Acknowledgements
Thanks to Leif Hedstrom of Netscape Communications Corporation and
Mark Wahl of Critical Angle Inc. for their contributions to the
development of this schema.
9. References
[1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (Version 3)", INTERNET-DRAFT <draft-ietf-asid-ldapv3-
protocol-03.txt>, October 1996.
[2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol: Standard and Pilot Attribute Definitions", INTERNET-
DRAFT <draft-ietf-asid-ldapv3-attributes-03.txt>, October 1996.
[3] S. Kille, "X.500 and Domains", RFC 1279, November 1991.
[4] H. Lachman, "LDAP-based Routing of SMTP Messages: Approach Used
by Netscape", INTERNET-DRAFT <draft-ietf-asid-email-routing-ns-
00.txt>, March 1997.
[5] T. Howes, "A String Representation of LDAP Search Filters",
INTERNET-DRAFT <draft-ietf-asid-ldapv3-filter-00.txt>, March
1997. See also [10].
[6] P. Mockapetris, "Domain names - concepts and facilities", RFC
1034, November 1987.
Howard [Page 16]
Internet Draft NIS X.500 schema 4 June 1997
[7] "Information Processing Systems - Open Systems Interconnection -
The Directory: Overview of Concepts, Models and Service",
ISO/IEC JTC 1/SC21, International Standard 9594-1, 1988.
[8] A. O. Freier, P. Karlton, P. Kocher, "The SSL Protocol, Version
3.0", INTERNET-DRAFT <draft-ietf-tls-ssl-version3-00.txt>
November 1996.
[9] S. Kille, M. Wahl, "An Approach for Using Domains in LDAP
Distinguished Names", INTERNET-DRAFT <draft-ietf-asid-ldap-
domains-00.txt>, July 1996.
[10] S. Kille, "A String Representation of Distinguished Names", RFC
1779, March 1995.
[11] G. Good, "The LDAP Data Interchange Format (LDIF)", INTERNET-
DRAFT <draft-ietf-asid-ldif-00.txt>, November 1996.
[12] Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol
Specification Version 2", RFC 1057, June 1988.
[13] ISO/IEC 9945-1:1990, Information Technology - Portable Operating
Systems Interface (POSIX) - Part 1: Systems Application
Programming Interface (API) [C Language]
[14] M. T. Rose, "The Little Black Book: Mail Bonding with OSI
Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc.,
1992.
10. Author's Address
Luke Howard
PO Box 59
Central Park Vic 3145
Australia
Email: lukeh@xedoc.com
A. Example entries
The examples described in this section are provided to illustrate the
schema described in this draft. They do not purport to be a
authoritative reference. Entries are presented in LDIF notation [11].
The following entry is an example of the posixAccount class:
dn: uid=lukeh, dc=aceindustry, dc=com
cn: Luke Howard
Howard [Page 17]
Internet Draft NIS X.500 schema 4 June 1997
objectClass: top
objectClass: person
objectClass: posixAccount
sn: Howard
telephoneNumber: +61 3 9428 0788
uid: lukeh
userPassword: {crypt}X5/DBrWPOQQaI
posixGecos: Luke Howard
posixShell: /bin/csh
posixUidNumber: 10
posixPrimaryGidNumber: 10
posixHomeDirectory: /home/lukeh
This corresponds the Unix password file entry:
lukeh:X5/DBrWPOQQaI:10:10:Luke Howard:/home/lukeh:/bin/sh
Note that the userPassword value is parsed into a password suitable
for matching with crypt(3). Attributes such as telephoneNumber and sn
(which belong to classes other than posixAccount), are not used in
determining the corresponding password file entry but may be useful
to other LDAP clients. (In most cases, entries of class posixAccount
will also inherit from person or organizationalPerson.)
The following entry is an example of the ipHost class:
dn: dc=yoyo, dc=aceindustry, dc=com
dc: yoyo
objectClass: top
objectClass: ipHost
objectClass: domainRelatedObject
associatedDomain: yoyo.aceindustry.com
associatedDomain: www.aceindustry.com
ipHostNumber: 10.0.0.1
macAddress: 0:0:92:90:ee:e2
bootFile: unix
bootParameter: root=fs:/nfsroot/yoyo
bootParameter: swap=fs:/nfsswap/yoyo
bootParameter: dump=fs:/nfsdump/yoyo
This entry represents the host yoyo.aceindustry.com, also known as
www.aceindustry.com. Note that the associatedDomain values are used
in searching for the entry, but the distinguished name is parsed to
determine the host's canonical name. The MAC address, boot image, and
two boot parameters are also specified in this entry. (Thus, the NIS
maps prefixed by 'hosts', 'ethers', and 'bootparams' could all be
derived from similar entries.)
Howard [Page 18]
Internet Draft NIS X.500 schema 4 June 1997
An example of the nISNetgroup class:
dn: cn=nightfly, dc=aceindustry, dc=com
cn: nightfly
objectClass: top
objectClass: nISNetgroup
memberUid: lukeh
memberUid: fagen
memberHost: yoyo.aceindustry.com
nISDomain: yp.aceindustry.com
This entry represents the netgroup 'nightfly' which contains the
users lukeh and fagen, and the host yoyo.aceindustry.com; and which
belongs to the NIS domain yp.aceindustry.com.
Finally, an example of the ipProtocol class:
dn: cn=tcp, dc=aceindustry, dc=com
objectClass: top
objectClass: ipProtocol
cn: tcp
cn: TCP
ipProtocolNumber: 6
This entry represents the protocol named 'tcp' whose protocol number
is 6.
Howard [Page 19]