Application Working Group L. Howard INTERNET-DRAFT Xedoc Software Development Expires in six months Intended Category: Experimental April 1997 An Approach for Using LDAP as a Network Information Service Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months. Internet-Drafts may be updated, replaced, or made obsolete by other documents at any time. It is not appropriate to use Internet- Drafts as reference material or to cite them other than as a "working draft" or "work in progress". To learn the current status of any Internet-Draft, please check the 1id-abstracts.txt listing contained in the Internet-Drafts Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). Distribution of this document is unlimited. Abstract This document describes an experimental mechanism for mapping POSIX [13] and TCP/IP network-related entities into X.500 entries so that they may be resolved with the Lightweight Directory Access Protocol [1]. A set of attribute types and object classes are proposed, along with specific guidelines for interpreting them. The intention is to assist the deployment of LDAP as an organizational nameservice. No proposed solutions are intended as standards for the Internet. Rather, it is hoped that a general consensus will emerge as to the appropriate solution to such problems, leading eventually to the adoption of standards. The proposed mechanism has already been implemented with some success. Howard [Page 1] Internet Draft NIS X.500 schema 16 April 1997 1. Background and Motivation The UNIX operating system, and its derivatives (in this context, those which support TCP/IP and conform to the POSIX XPG.4 specification) require a means of resolving entities, by matching them against search criteria or by enumeration. These entities include users, groups, IP services, (which map names to IP ports and protocols, and vice versa) IP protocols, (which map names to IP protocol numbers and vice versa) RPCs, (which map names to ONC Remote Procedure Call [12] numbers and vice versa) NIS netgroups, booting information (boot parameters and MAC address mappings), filesystem mounts, IP hosts and networks, and RFC822 mail aliases. Resolution requests are made through a set of C functions, provided in the Unix C library. For example, the Unix command line tool 'ls', which enumerates the contents of a filesystem directory, uses the C library function getpwuid(3c) in order to map user IDs to login names. Once the request is made, it is resolved using a 'nameservice' which is supported by the client library. The nameservice may be, at its simplest, a collection of files in the local filesystem which are opened and searched by the C library. Other common nameservices include the Network Information Service (NIS) and the Domain Name System (DNS). (The latter is typically only used for resolving hosts and networks.) Both these nameservices have the advantage of being distributed and thus permitting a common set of entities to be shared amongst many clients. LDAP is a distributed, hierarchical directory service access protocol which is used to access repositories of users and other network- related entities. Because LDAP is usually not tightly integrated with the operating system, information such as users needs to be kept both in LDAP and in an operating system supported nameservice such as NIS. By using LDAP as the the primary means of resolving these entities, these redundancy issues are minimized and the scalability of LDAP can be exploited. (By comparison, NIS services based on flat files do not have the scalability or extensibility of LDAP or X.500.) "In general, it is advantageous for different network applications and services to refer to the directory for user account information, rather than each service keeping its own collection of user account records, which requires the network administrator to separately create or destroy user entities, passwords, etc., in many different systems each time a user joins or leaves the organization." [4] The object classes and attributes defined below are suitable for Howard [Page 2] Internet Draft NIS X.500 schema 16 April 1997 representing the aforementioned entities in a form compatible with LDAP and X.500 directory services. While the schema is by no means deemed to be authoritative, it is considered desirable to have a single, open schema rather than the proliferation of multiple proprietary schema. This document is one step towards such a schema. 2. General Issues 2.1. Terminology In this document, the term 'NIS-related entities' is used rather loosely to refer to those entities (described in the previous section) which are typically repesented in the Network Information Service. (NIS was previously known as Yellow Pages, or YP.) It should not be inferred from this that deploying LDAP for resolving such entities requires NIS to be used (as a gateway or otherwise). The 'DUA' (directory user agent) refers to the LDAP client querying these entities, such as an LDAP to NIS gateway or the C library. The 'client' refers to the application which ultimately makes use of the information returned by the resolution. It is irrelevant whether the DUA and the client reside within the same address space. The act of the DUA making this information to the client is termed 'republishing'. To avoid confusion, the term 'login name' refers to the user's login name (being the value of the uid attribute) and the term 'user ID' refers to he user's integer identification number (being the value of the posixUidNumber attribute). The term 'principal' is used to distinguish accounts that may be used for authentication from those that are not. The term 'nameservice' refers to a service, such as NIS or flat files, that is used by the operating system to resolve entities within a single, local naming context. Contrast this with a 'directory service' such as LDAP, which support extensible schema and multiple naming contexts. The phrase 'resolving an entity' or 'resolution of entities' refers to enumerating NIS-related entities of a given type, or matching them against a given search criterion. One or more entities are returned as a result of successful 'resolutions' (a 'match' operation will only return one entity). Note that the use of the attribute and class prefix 'posix' does not confer any endorsement of this schema by the POSIX standards body. The prefix was chosen as a more appropriate prefix than 'unix', the other suitable candidate. Where necessary, the term 'POSIX entity' Howard [Page 3] Internet Draft NIS X.500 schema 16 April 1997 is used to refer to users and groups and the term 'TCP/IP entity' is used to refer to protocols, services, hosts, networks, NIS netgroups, and RPCs. (Hence the set of 'NIS-related entities' is the union of the former two categories.) It is acknowledged that shadow passwords are not defined in POSIX. 2.2. Attributes The attributes and classes defined in this document are summarized below. The reader is referred to [2] for the BFN for attribute type definitions. The following attributes are defined in this document: posixUidNumber posixPrimaryGidNumber posixGidNumber posixGecos posixHomeDirectory posixShell posixShadowLastChange posixShadowMin posixShadowMax posixShadowWarn posixShadowInactive posixShadowExpire posixShadowFlag memberUid memberNISNetgroup memberHost ipServicePort ipServiceProtocol ipProtocolNumber oNCRPCNumber mountOption mountType mountDirectory mountDumpFrequency mountPassNo ipHostNumber ipNetworkNumber ipNetmaskNumber macAddress bootParameter bootFile hostVendor hostModel hostOS Howard [Page 4] Internet Draft NIS X.500 schema 16 April 1997 hostFunction nISDomain Additionally, the attributes defined in [2] and [9] are imported. 2.3. Object classes The reader is referred to [2] for the BFN for object class definition. The following object classes are defined in this document: posixAccount posixGroup ipService ipProtocol oNCRPC mount ipHost ipNetwork nISNetgroup Additionally, the classes defined in [2] and [9] are imported. 3. Attribute definitions This section contains attribute definitions which must be implemented by DUAs supporting the schema. ( TBD.0.0 NAME 'posixUidNumber' DESC 'An integer uniquely identifying a user in an administrative domain' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.1 NAME 'posixPrimaryGidNumber' DESC 'An integer uniquely identifying a group in an administrative domain' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.2 NAME 'posixGidNumber' DESC 'An integer uniquely identifying a group in an administrative domain' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.3 NAME 'posixGecos' DESC 'GECOS password field' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) Howard [Page 5] Internet Draft NIS X.500 schema 16 April 1997 ( TBD.0.4 NAME 'posixHomeDirectory' DESC 'The absolute path of the user's home directory' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( TBD.0.5 NAME 'posixShell' DESC 'The absolute path of the user's shell' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( TBD.0.6 NAME 'posixShadowLastChange' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.7 NAME 'posixShadowMin' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.8 NAME 'posixShadowMax' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.9 NAME 'posixShadowWarn' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.10 NAME 'posixShadowInactive' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.11 NAME 'posixShadowExpire' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.12 NAME 'posixShadowFlag' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.13 NAME 'memberUid' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' ) ( TBD.0.14 NAME 'memberNISNetgroup' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' ) ( TBD.0.15 NAME 'memberHost' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' ) ( TBD.0.16 NAME 'ipServicePort' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.17 NAME 'ipServiceProtocol' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' ) ( TBD.0.18 NAME 'ipProtocolNumber' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) Howard [Page 6] Internet Draft NIS X.500 schema 16 April 1997 ( TBD.0.19 NAME 'oNCRPCNumber' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.20 NAME 'mountOption' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' ) ( TBD.0.21 NAME 'mountType' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( TBD.0.22 NAME 'mountDirectory' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( TBD.0.23 NAME 'mountDumpFrequency' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.24 NAME 'mountPassNo' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( TBD.0.25 NAME 'ipHostNumber' DESC 'IP address in dotted decimal notation, eg. 192.168.1.1' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' ) ( TBD.0.26 NAME 'ipNetworkNumber' DESC 'IP address in dotted decimal notation, eg. 192.168' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' ) ( TBD.0.27 NAME 'ipNetmaskNumber' DESC 'IP address in dotted decimal notation, eg. 255.255.255.0' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' ) ( TBD.0.28 NAME 'macAddress' DESC 'MAC address in colon-separated hex notation, for example 0:0:92:90:ee:e2' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' ) ( TBD.0.29 NAME 'bootParameter' DESC 'rpc.bootparamd parameter; informal syntax is key=value' EQUALITY caseExactIA5Match SYNTAX 'IA5String' ) ( TBD.0.30 NAME 'bootFile' EQUALITY caseExactIA5Match STRINGS caseExactSubstringsIA5Match SYNTAX 'IA5String' ) ( TBD.0.31 NAME 'hostVendor' EQUALITY caseIgnoreIA5Match Howard [Page 7] Internet Draft NIS X.500 schema 16 April 1997 SYNTAX 'IA5String' ) ( TBD.0.32 NAME 'hostModel' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' ) ( TBD.0.33 NAME 'hostOS' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' ) ( TBD.0.34 NAME 'hostFunction' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' ) ( TBD.0.35 NAME 'nISDomain' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' ) 4. Class definitions This section contains class definitions which must be implemented by DUAs supporting the schema. The definitions under the OID 2.5.6 are imported. The rfc822MailGroup object class is used to represent a mail group for the purpose of alias expansion. (An alternative schema for aliases, proposed in [4], is not considered here.) ( TBD.1.0 NAME 'posixAccount' SUP top STRUCTURAL DESC 'Abstraction of an account. The uid attribute represents the account's login name.' MUST ( cn $ uid $ posixUidNumber $ posixPrimaryGidNumber $ posixHomeDirectory ) MAY ( userPassword $ posixShell $ posixGecos $ posixShadowLastChange $ posixShadowMin $ posixShadowMax $ posixShadowWarn $ posixShadowInactive $ posixShadowExpire $ posixShadowFlag ) ) ( TBD.1.1 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts.' MUST ( cn $ posixGidNumber ) MAY ( groupPassword $ memberUid ) ) ( TBD.1.2 NAME 'ipService' SUP top STRUCTURAL DESC 'Abstraction an Internet Protocol service. Maps an IP port and protocol (eg. tcp or udp) to one or more names. The distinguished value of the cn attribute denotes the service's canonical name.' MUST ( cn $ ipServicePort $ ipServiceProtocol ) ) Howard [Page 8] Internet Draft NIS X.500 schema 16 April 1997 ( TBD.1.3 NAME 'ipProtocol' SUP top STRUCTURAL DESC 'Abstraction of an IP protocol. Maps a protocol number to one or more names. The distinguished value of the cn attribute denotes the protocol's canonical name.' MUST ( cn $ ipProtocolNumber ) ) ( TBD.1.4 NAME 'oNCRPC' SUP top STRUCTURAL DESC 'Abstraction of an Open Network Computing (ONC) [12] Remote Procedure Call (RPC) service. Maps an ONC RPC number to a name. The distinguished value of the cn attribute denotes the RPC service's canonical name.' MUST ( cn $ oNCRPCNumber ) ) ( TBD.1.5 NAME 'mount' SUP top STRUCTURAL DESC 'Abstraction of a filesystem mount.' MUST ( cn $ mountDirectory $ mountType ) MAY ( mountOption $ mountDumpFrequency $ mountPassNo ) ) ( TBD.1.6 NAME 'ipHost' SUP domainRelatedObject STRUCTURAL DESC 'Abstraction of a host. The schema defined in [3] is used to denote the canonical hostname, by mapping the distinguished name into a DNS domain name. The associatedDomain attribute is used for interrogating the DIT, and as such must contain values for the host's canonical name and its aliases.' MUST ( dc $ ipHostNumber ) MAY ( macAddress $ bootParameter $ bootFile $ hostVendor $ hostModel $ hostOS $ hostFunction ) ) ( TBD.1.7 NAME 'ipNetwork' SUP domainRelatedObject STRUCTURAL DESC 'Abstraction of a network.' MUST ( dc $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ manager $ locality $ description ) ) ( TBD.1.8 NAME 'nISNetgroup' SUP top STRUCTURAL DESC 'Abstraction of a netgroup. May reference other netgroups.' MUST cn MAY ( memberUid $ memberHost $ memberNISNetgroup $ nISDomain ) ) 5. Implementation details 5.1. Resolution methods The ideal means of directing a client application (one using the shared services of the C library) to use LDAP as its information Howard [Page 9] Internet Draft NIS X.500 schema 16 April 1997 source for the functions listed in 5.2 is to modify the source code to directly query LDAP. As the source code to commercial C libraries and applications is rarely available to the end-user, it is acceptable to emulate a supported nameservice (such as NIS) and modify the resolution code to use LDAP. (This is also an appropriate opportunity to perform caching of entries across client address spaces.) In the case of NIS, reference implementations are widely available and the client-server RPC interface is well known. Some operating systems and C libraries support end-user extensible resolvers using dynamically loadable libraries and a nameservice "switch". In any case, the precise means by which the operating system is directed to use LDAP is not at issue; this is left to the implementor to decide. 5.2. Affected resolver calls The following entry points are found in the C libraries of most Unix and POSIX compliant systems. An LDAP search filter [5] which may be used to satisfy the function call is included alongside each function name, with printf(3s) format notation used to denote the function parameter(s), if any. Note that the POSIX specification does not define the enumeration routines (such as getpwent(3c)); however, the filters are included here for completeness. With the exception of getmntent(3c), those functions in section 3c of Unix manual pages relate to POSIX entities, and those in section 3n relate to TCP/IP entities. Long lines are broken with the '\' character. getpwnam(3c) (&(objectClass=posixAccount)(uid=%s)) getpwuid(3c) (&(objectClass=posixAccount)\ (posixUidNumber=%d)) getpwent(3c) (objectClass=posixAccount) getgrnam(3c) (&(objectClass=posixGroup)(cn=%s)) getgrgid(3c) (&(objectClass=posixGroup)\ (posixGidNumber=%d)) getgrent(3c) (objectClass=posixGroup) getservbyname(3n) (&(objectClass=ipService)\ (&(cn=%s)(ipServiceProtocol=%s))) getservbyport(3n) (&(objectClass=ipService)\ (&(ipServicePort=%d)\ (ipServiceProtocol=%s))) getservent(3n) (objectClass=ipService) getrpcbyname(3n) (&(objectClass=oNCRPC)(cn=%s)) getrpcbynumber(3n) (&(objectClass=oNCRPC)(oNCRPCNumber=%d)) getrpcent(3n) (objectClass=oNCRPC) Howard [Page 10] Internet Draft NIS X.500 schema 16 April 1997 getprotobyname(3n) (&(objectClass=ipProtocol)(cn=%s)) getprotobynumber(3n) (&(objectClass=ipProtocol)\ (ipProtocolNumber=%d)) getprotoent(3n) (objectClass=ipProtocol) gethostbyname(3n) (&(objectClass=ipHost)\ (associatedDomain=%s)) gethostbyaddr(3n) (&(objectClass=ipHost)(ipHostNumber=%s)) gethostent(3n) (objectClass=ipHost) getnetbyname(3n) (&(objectClass=ipNetwork)\ (associatedDomain=%s)) getnetbyaddr(3n) (&(objectClass=ipNetwork)\ (ipNetworkNumber=%s)) getnetent(3n) (objectClass=ipNetwork) getnetgrent(3n) (objectClass=nISNetgroup) getaliasbyname(3n) (&(objectClass=rfc822MailGroup)(cn=%s)) getaliasent(3n) (objectClass=rfc822MailGroup) getmntent(3c) (objectClass=mount) 5.3. Interpreting user and group entries User and group resolution is initiated by the functions prefixed by getpw and getgr respectively. A user's login name is denoted by the value of the uid attribute (which will typically be used as a relative distinguished name); a group's name is denoted by a value of the cn attribute. A user's GECOS field is preferentially determined by a value of the posixGecos attribute. If no posixGecos attribute exists, the value of the cn attribute must be used. (The existence of the posixGecos attribute allows attributes embedded in the GECOS field, such as a user's telephone number, to be returned to the client without overloading the cn attribute.) An entry of class posixAccount without a userPassword attribute must be denied the opportunity to authenticate. For example, the client may be returned a non-matchable password such as "*" by the DUA. A user which is a member of a posixGroup which has no groupPassword attribute must not be allowed to authenticate themself as a member of that group, unless the user's posixPrimaryGidNumber attribute implies a user has the same group ID (in which case the operating system may determine this implicitly). Howard [Page 11] Internet Draft NIS X.500 schema 16 April 1997 userPassword and groupPassword values must be represented by following BNF syntax: ::= ::= '{' '}' ::= 'crypt' ::= encrypted password (where the encrypted password consists of a plaintext key encrypted using crypt(3) with a two-character random salt) Operating systems which support different one way encoding functions may choose a different encryptionScheme, such as 'md5'; crypt(3) is only considered here. userPassword and groupPassword values which do not adhere to the BNF above must not be used for authentication. (The DUA must iterate through the values of the attribute until a value matching the above BNF is found.) Only if encryptedPassword is an empty string does the user have no password. A DUA may make use of the attributes prefixed by posixShadow in order to provide shadow password service (getspnam(3c) and getspent(3c)). In such cases, the DUA must not make use of the userPassword attribute for getpwnam(3c) et al, and must return a non-matchable password (such as "x") to the client instead. 5.4. Interpreting hosts and networks The means for representing DNS [6] domains in LDAP distinguished names described in [3] and [9] is used in part to represent NIS hosts and networks in LDAP. A potential point of contention is the use of the ipHostNumber attribute instead of the aRecord or dNSRecord attributes. The rationale is that, in order to minimize the responsibility placed on the DUA, attribute values ought to directly contain the information they seek to represent. This contrasts with, for example, a dNSRecord value which expresses a complete DNS resource record including time to live and class data. While dNSRecords, aRecords, etc may be suitable for building a DNS gateway to LDAP, (which may ultimately fulfill the purpose of resolving hosts) this information is extraneous to performing host lookups directly with LDAP. Additionally, it is considered more appropriate for an entity, and all its aliases, to be represented by a single entry in the DIT, Howard [Page 12] Internet Draft NIS X.500 schema 16 April 1997 which is not always possible when a DNS resource record is mapped directly to an LDAP entry. This document redefines (although not to the extent of excluding the existing definition) the ipNetwork class defined in [3], for naming consistency with ipHost. If an entry of class ipHost or ipNetwork belongs to a naming context denoted by relative distinguished names (RDNs) [10] of attribute type dc (domainComponent), then the distinguished name (DN) is transformed into a domain name system (DNS) suffix by concatenating each RDN value with a period ('.'). For example, an entry of class ipHost with a DN of dc=foo, dc=bar, dc=edu or dc=foo, dc=bar, dc=edu, o=Internet is parsed into the host name foo.bar.edu. If the naming context is does not contain 'dc' values, a non-qualified host name is returned. For organizations which wish to use existing X.500 container classes to form their context (ie. organization and organizationalUnit) the RDN components of incorrect type are skipped by the DUA in determining the domain name. As such, a DN of dc=foo, dc=bar, dc=edu, o=Xedoc Software Development, c=US may be parsed as foo.bar.edu. As this may be considered a naming violation, this document does not specifically endorse this. 5.5. Interpreting other entities In general, a one-to-one mapping between entities and LDAP entries is proposed, in that each entity has exactly one representation in the DIT. In some cases this is not feasible; for example, a service which is represented in more than one protocol domain. Consider the following entry: dn: cn=domain, o=Xedoc Software Development, c=US cn: domain cn: nameserver objectClass: top objectClass: ipService ipServicePort: 53 ipServiceProtocol: tcp ipServiceProtocol: udp This entry would map to the following two (2) services entities: domain 53/tcp nameserver domain 53/udp nameserver While the above two entities could have been equally represented as Howard [Page 13] Internet Draft NIS X.500 schema 16 April 1997 separate LDAP entities, with different distinguished names (such as cn=domain, ou=tcp, ... and cn=domain, ou=udp, ...) it is considered that representing them as a single entry is more convenient. The mount class represents mount entities as they would be found directly in /etc/fstab. Granted, this information is used primarily at boot time when access to non-local nameservices may be restricted. It may be considered useful to use LDAP to represent the configuration data for automount daemons; such a schema is outside the scope of this document. (However, the DUA may hint to the client that certain information is to be used by the automounter using the mountOption attribute.) With the exception of userPassword and groupPassword values, which must be parsed according to the BNF considered in section 5.2, any empty values (those that consist of a zero length string) are returned by the DUA to the client. The client may not make sense of them, but this situation is no different to parsing files which contain empty fields. (By contrast, the DUA must reject any entries which do not conform to the schema, ie. are missing certain required attributes.) 5.6. Canonicalizing entries with multi-valued naming attributes For entities such as services, protocols, and RPCs, where there may be one or more aliases, the respective entry's relative distinguished name is used to form the canonical name. Any other values for the same attribute are used as aliases. For example, the service described in section 5.5 has the canonical name 'domain' and exactly one alias, 'nameserver'. The schema in this document generally only defines one attribute per class which is suitable for distinguishing an entity (excluding any attributes with integer syntax; it is assumed that entries will be distinguished based on name). Usually, this is the common name (cn) attribute. (For users, either the cn or uid attributes may be used to canonicalize an entry. For hosts and networks, the entire distinguished name is considered, as per section 5.4.) This fact aids the DUA in determining the canonical name of an entity: it can simply examine the value of the relative distinguished name. Aliases are thus any values of the distinguishing attribute (such as cn) which do not match the canonical name of the entity. In the event that a different attribute is used to distinguish the entry, as may be the case with conforming entries that belong to additional object classes, it is possible that the entity's canonical name cannot be deduced from the RDN. In this situation, the DUA must choose one of the non-distinguished values to represent the entity's Howard [Page 14] Internet Draft NIS X.500 schema 16 April 1997 canonical name. Because the directory server guarantees no ordering of attribute values, attempting to distinguish an entry in a deterministic fashion may require the DUA to maintain a mapping between entries' DNs and their canonical names as considered by the DUA. This document does not require this, nor does it advocate that such situations be resolved by mapping one DIT entry into multiple entities. 6. Implementation focus A NIS to LDAP gateway daemon has been developed which supports the schema defined in this document. A set of extensions to a particular implementation of the BSD operating system has also been developed, which sidesteps NIS and uses LDAP directly. Work is underway to develop a freely available (under the GNU General Library Public License) reference implementation of the C library resolution code that supports LDAP using the draft schema. The code will be compatible with the Free Software Foundation's GNU C library and other C libraries which support the Name Service Switch (NSS). The alias lookup functions referred to in section 5.2 are presently available only in the GNU C library, and (albeit with different names) in the C library of one commercial Unix vendor. It is anticipated that the mail transport agent (MTA) will typically consult LDAP or NIS directly instead of using the C library; however, support for the suggested library calls is encouraged. The author has made available a freely distributable set of Perl scripts for parsing configuration files such as /etc/passwd and /etc/hosts and generating LDIF data suitable for preparing an LDIF database. It would be a relatively trivial effort to write utilities to export LDIF data to flat files, such that information stored in an LDAP-compatible directory service could be regularly dumped into NIS maps or flat files. 7. Security considerations The entirety of related security considerations are outside the scope of this document. However, it should be noted that making passwords encrypted with a widely understood one way function (such as crypt(3)) available to non-privileged users is potentially dangerous because it exposes them to dictionary and brute-force attacks. It is proposed only for compatibility with existing Unix implementations. Sites where security is critical may consider using Kerberos or another authentication service for logins. A variation on this is to authenticate to an LDAP server over an encrypted connection (such as SSL [8]) without performing a search. Howard [Page 15] Internet Draft NIS X.500 schema 16 April 1997 Alternatively, the encrypted password could be made available only to a subset of privileged DUAs, which would provide 'shadow' password service to client applications. Because the schema represents operating system-level entities, access to these entities should be granted on a discretionary basis. (That said, there is little point in restricting access to data which will be republished without restriction, eg. by a NIS server.) It is particularly important that only administrators can modify entries defined in this schema, with the exception of allowing a principal to change their password (which may be done on behalf of the user by a client bound as a superior principal, such that password restrictions may be enforced). For example, if a user were allowed to change the value of their posixUidNumber attribute, they could subvert security by equivalencing their account with the root account. A subtree of the DIT which is to be republished by a DUA (such as a NIS gateway) should be within the same administrative domain that the republishing DUA represents. (For example, principals outside an organisation, while conceivably part of the DIT, should not be considered with the same degree of authority as those within the organisation.) 8. References [1] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol (Version 3)", INTERNET-DRAFT , October 1996. [2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol: Standard and Pilot Attribute Definitions", INTERNET- DRAFT , October 1996. [3] S. Kille, "X.500 and Domains", RFC 1279, November 1991. [4] H. Lachman, "LDAP-based Routing of SMTP Messages: Approach Used by Netscape", INTERNET-DRAFT , March 1997. [5] T. Howes, "A String Representation of LDAP Search Filters", INTERNET-DRAFT , March 1997. See also [10]. [6] P. Mockapetris, "Domain names - concepts and facilities", RFC 1034, November 1987. [7] "Information Processing Systems - Open Systems Interconnection - The Directory: Overview of Concepts, Models and Service", Howard [Page 16] Internet Draft NIS X.500 schema 16 April 1997 ISO/IEC JTC 1/SC21, International Standard 9594-1, 1988. [8] A. O. Freier, P. Karlton, P. Kocher, "The SSL Protocol, Version 3.0", INTERNET-DRAFT November 1996. [9] S. Kille, M. Wahl, "An Approach for Using Domains in LDAP Distinguished Names", INTERNET-DRAFT , July 1996. [10] S. Kille, "A String Representation of Distinguished Names", RFC 1779, March 1995. [11] G. Good, "The LDAP Data Interchange Format (LDIF)", INTERNET- DRAFT , November 1996. [12] Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol Specification Version 2", RFC 1057, June 1988. [13] ISO/IEC 9945-1:1990, Information Technology - Portable Operating Systems Interface (POSIX) - Part 1: Systems Application Programming Interface (API) [C Language] 9. Author's Address Luke Howard Xedoc Software Development Inc PO Box 33015 Los Gatos, CA 95031 USA Phone: +61-3-9428-0788 Fax: +61-3-9428-0786 Email: lukeh@xedoc.com A. Example entries The examples described in this section are provided to illustrate the schema described in this draft. They do not purport to be a authoritative reference. Entries are presented in LDIF notation [11]. The following entry is an example of the posixAccount class: dn: uid=lukeh, o=Xedoc Software Development, c=US cn: Luke Howard objectClass: top objectClass: person objectClass: posixAccount Howard [Page 17] Internet Draft NIS X.500 schema 16 April 1997 sn: Howard telephoneNumber: +61 3 9428 0788 uid: lukeh userPassword: {crypt}X5/DBrWPOQQaI posixGecos: Luke Howard posixShell: /bin/csh posixUidNumber: 10 posixPrimaryGidNumber: 10 posixHomeDirectory: /home/lukeh This corresponds the Unix password file entry: lukeh:X5/DBrWPOQQaI:10:10:Luke Howard:/home/lukeh:/bin/sh Note that the userPassword value is parsed into a password suitable for matching with crypt(3). Attributes such as telephoneNumber and sn (which belong to classes other than posixAccount), are not used in determining the corresponding password file entry but may be useful to other LDAP clients. (In most cases, entries of class posixAccount will also inherit from person or organizationalPerson.) The following entry is an example of the ipHost class: dn: dc=grualdo, dc=xedoc, dc=com, o=Internet dc: grualdo objectClass: top objectClass: ipHost objectClass: domainRelatedObject associatedDomain: grualdo.xedoc.com associatedDomain: www.xedoc.com ipHostNumber: 10.0.0.1 macAddress: 0:0:92:90:ee:e2 bootFile: unix bootParameter: root=fs:/nfsroot/grualdo bootParameter: swap=fs:/nfsswap/grualdo bootParameter: dump=fs:/nfsdump/grualdo This entry represents the host grualdo.xedoc.com, also known as www.xedoc.com. Note that the associatedDomain values are used in searching for the entry, but the distinguished name is parsed to determine the host's canonical name. The MAC address, boot image, and two boot parameters are also specified in this entry. (Thus, the NIS maps prefixed by 'hosts', 'ethers', and 'bootparams' could all be derived from similar entries.) An example of the nISNetgroup class: Howard [Page 18] Internet Draft NIS X.500 schema 16 April 1997 dn: cn=nightfly, o=Xedoc Software Development, c=US cn: nightfly objectClass: top objectClass: nISNetgroup memberUid: lukeh memberUid: fagen memberHost: grualdo.xedoc.com nISDomain: nis.xedoc.com This entry represents the netgroup 'nightfly' which contains the users lukeh and fagen, and the host grualdo.xedoc.com; and which belongs to the NIS domain nis.xedoc.com. Finally, an example of the ipProtocol class: dn: cn=tcp, o=Xedoc Software Development, c=US objectClass: top objectClass: ipProtocol cn: tcp cn: TCP ipProtocolNumber: 6 This entry represents the protocol named 'tcp' whose protocol number is 6. Howard [Page 19]