Network Working Group                                          L. Howard
Request for Comments: 2307                        Independent Consultant
Category: Experimental                                        March 1998
        

An Approach for Using LDAP as a Network Information Service


Status of this Memo


This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.


Copyright Notice


Copyright (C) The Internet Society (1998). All Rights Reserved.


Abstract


This document describes an experimental mechanism for mapping entities related to TCP/IP and the UNIX system into X.500 [X500] entries so that they may be resolved with the Lightweight Directory Access Protocol [RFC2251]. A set of attribute types and object classes are proposed, along with specific guidelines for interpreting them.


The intention is to assist the deployment of LDAP as an organizational nameservice. No proposed solutions are intended as standards for the Internet. Rather, it is hoped that a general consensus will emerge as to the appropriate solution to such problems, leading eventually to the adoption of standards. The proposed mechanism has already been implemented with some success.


1. Background and Motivation

The UNIX (R) operating system, and its derivatives (specifically, those which support TCP/IP and conform to the X/Open Single UNIX specification [XOPEN]) require a means of looking up entities, by matching them against search criteria or by enumeration. (Other operating systems that support TCP/IP may provide some means of resolving some of these entities. This schema is applicable to those environments also.)


These entities include users, groups, IP services (which map names to IP ports and protocols, and vice versa), IP protocols (which map names to IP protocol numbers and vice versa), RPCs (which map names to ONC Remote Procedure Call [RFC1057] numbers and vice versa), NIS netgroups, booting information (boot parameters and MAC address mappings), filesystem mounts, IP hosts and networks, and RFC822 mail aliases.

Resolution requests are made through a set of C functions, provided in the UNIX system's C library. For example, the UNIX system utility "ls", which enumerates the contents of a filesystem directory, uses the C library function getpwuid() in order to map user IDs to login names. Once the request is made, it is resolved using a "nameservice" which is supported by the client library. The nameservice may be, at its simplest, a collection of files in the local filesystem which are opened and searched by the C library. Other common nameservices include the Network Information Service (NIS) and the Domain Name System (DNS). (The latter is typically used for resolving hosts, services and networks.) Both these nameservices have the advantage of being distributed and thus permitting a common set of entities to be shared amongst many clients.


LDAP is a distributed, hierarchical directory service access protocol which is used to access repositories of users and other network-related entities. Because LDAP is often not tightly integrated with the host operating system, information such as users may need to be kept both in LDAP and in an operating system supported nameservice such as NIS. By using LDAP as the primary means of resolving these entities, these redundancy issues are minimized and the scalability of LDAP can be exploited. (By comparison, NIS services based on flat files do not have the scalability or extensibility of LDAP or X.500.)

The object classes and attributes defined below are suitable for representing the aforementioned entities in a form compatible with LDAP and X.500 directory services.


2. General Issues
2.1. Terminology

The key words "MUST", "SHOULD", and "MAY" used in this document are to be interpreted as described in [RFC2119].


For the purposes of this document, the term "nameservice" refers to a service, such as NIS or flat files, that is used by the operating system to resolve entities within a single, local naming context. Contrast this with a "directory service" such as LDAP, which supports extensible schema and multiple naming contexts.


The term "NIS-related entities" broadly refers to entities which are typically resolved using the Network Information Service. (NIS was previously known as YP.) Deploying LDAP for resolving these entities does not imply that NIS be used, as a gateway or otherwise. In particular, the host and network classes are generically applicable, and may be implemented on any system that wishes to use LDAP or X.500 for host and network resolution.


The "DUA" (directory user agent) refers to the LDAP client querying these entities, such as an LDAP to NIS gateway or the C library. The "client" refers to the application which ultimately makes use of the information returned by the resolution. It is irrelevant whether the DUA and the client reside within the same address space. The act of the DUA making this information available to the client is termed "republishing".

To avoid confusion, the term "login name" refers to the user's login name (being the value of the uid attribute) and the term "user ID" refers to the user's integer identification number (being the value of the uidNumber attribute).

The phrases "resolving an entity" and "resolution of entities" refer respectively to enumerating NIS-related entities of a given type, and matching them against a given search criterion. One or more entities are returned as a result of successful "resolutions" (a "match" operation will only return one entity).


The use of the term UNIX does not confer upon this schema the endorsement of owners of the UNIX trademark. Where necessary, the term "TCP/IP entity" is used to refer to protocols, services, hosts, and networks, and the term "UNIX entity" to its complement. (The former category does not mandate the host operating system supporting the interfaces required for resolving UNIX entities.)


The OIDs defined below are derived from iso(1) org(3) dod(6) internet(1) directory(1) nisSchema(1).


2.2. Attributes

The attributes and classes defined in this document are summarized below.


The following attributes are defined in this document:


        uidNumber gidNumber gecos homeDirectory loginShell
        shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
        shadowExpire shadowFlag memberUid memberNisNetgroup nisNetgroupTriple
        ipServicePort ipServiceProtocol ipProtocolNumber oncRpcNumber
        ipHostNumber ipNetworkNumber ipNetmaskNumber macAddress
        bootParameter bootFile nisMapName nisMapEntry

Additionally, some of the attributes defined in [RFC2256] are required.


2.3. Object classes

The following object classes are defined in this document:


posixAccount shadowAccount posixGroup ipService ipProtocol oncRpc ipHost ipNetwork nisNetgroup nisMap nisObject ieee802Device bootableDevice


Additionally, some of the classes defined in [RFC2256] are required.


2.4. Syntax definitions

The following syntax definitions [RFC2252] are used by this schema. The nisNetgroupTripleSyntax represents NIS netgroup triples:


( nisSchema.0.0 NAME 'nisNetgroupTripleSyntax' DESC 'NIS netgroup triple' )


Values in this syntax are represented by the following:


        nisnetgrouptriple = "(" hostname "," username "," domainname ")"
        hostname          = "" / "-" / keystring
        username          = "" / "-" / keystring
        domainname        = "" / "-" / keystring
        

X.500 servers may use the following representation of the above syntax:


        nisNetgroupTripleSyntax ::= SEQUENCE {
         hostname  [0] IA5String OPTIONAL,
         username  [1] IA5String OPTIONAL,
         domainname  [2] IA5String OPTIONAL
        }
        

The bootParameterSyntax syntax represents boot parameters:


( nisSchema.0.1 NAME 'bootParameterSyntax' DESC 'Boot parameter' )


where:


        bootparameter     = key "=" server ":" path
        key               = keystring
        server            = keystring
        path              = keystring
        

X.500 servers may use the following representation of the above syntax:


        bootParameterSyntax ::= SEQUENCE {
         key     IA5String,
         server  IA5String,
         path    IA5String
        }
        

Values adhering to these syntaxes are encoded as strings by LDAP servers.

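The two string grammars above are what a DUA actually has to parse when it reads nisNetgroupTriple and bootParameter values back out of the directory. The following is an added example, not code from this RFC or any of its implementations: a strict parser for both syntaxes, plus the netgroup(5) matching rule (an empty field is a wildcard, "-" matches nothing) that a DUA applies when it evaluates a triple. Two assumptions are the example's own: it relaxes the RFC 2252 keystring to accept "." in host names and "/" in paths, since real values need them, and all sample values are constructed.

```python
"""
Parser for the RFC 2307 section 2.4 string syntaxes nisNetgroupTriple and
bootParameter. Added example, not code from the RFC. The patterns relax the
RFC 2252 keystring (letters, digits, hyphen) to also allow "." in host names
and "/" in paths; that relaxation is an assumption of this example.
"""
import re
from typing import NamedTuple, Optional


class NetgroupTriple(NamedTuple):
    # None is an empty field, which NIS treats as a wildcard; "-" is a
    # field that matches nothing (netgroup(5) semantics).
    hostname: Optional[str]
    username: Optional[str]
    domainname: Optional[str]


class BootParameter(NamedTuple):
    key: str
    server: str
    path: str


# hostname / username / domainname = "" / "-" / keystring
_FIELD = r"(-|[A-Za-z][A-Za-z0-9.-]*)?"
_TRIPLE_RE = re.compile(r"^\(" + _FIELD + "," + _FIELD + "," + _FIELD + r"\)$")

# bootparameter = key "=" server ":" path
_BOOTPARAM_RE = re.compile(
    r"^([A-Za-z][A-Za-z0-9-]*)=([A-Za-z][A-Za-z0-9.-]*):([A-Za-z0-9./_-]+)$"
)


def parse_netgroup_triple(value: str) -> NetgroupTriple:
    """Parse "(host,user,domain)" exactly as the ABNF allows; no whitespace."""
    m = _TRIPLE_RE.match(value)
    if m is None:
        raise ValueError(f"not a nisNetgroupTriple: {value!r}")
    return NetgroupTriple(*m.groups())  # an empty optional field yields None


def format_netgroup_triple(t: NetgroupTriple) -> str:
    """Inverse of parse_netgroup_triple, for writing a value back to LDAP."""
    return "(%s,%s,%s)" % tuple("" if f is None else f for f in t)


def triple_matches(t: NetgroupTriple, host: str, user: str, domain: str) -> bool:
    """Apply netgroup(5) matching: empty = any, "-" = never, otherwise exact."""
    def field_ok(pattern: Optional[str], actual: str) -> bool:
        if pattern is None:
            return True
        if pattern == "-":
            return False
        return pattern == actual
    return (field_ok(t.hostname, host)
            and field_ok(t.username, user)
            and field_ok(t.domainname, domain))


def parse_boot_parameter(value: str) -> BootParameter:
    """Parse "key=server:path" for the bootParameter attribute."""
    m = _BOOTPARAM_RE.match(value)
    if m is None:
        raise ValueError(f"not a bootParameter: {value!r}")
    return BootParameter(*m.groups())


if __name__ == "__main__":
    # Constructed sample values, not taken from the RFC.
    for v in ("(host1,,-)", "(,jdoe,)", "(build42,jdoe,example)"):
        t = parse_netgroup_triple(v)
        print(v, "->", t, "matches host1/jdoe/example:",
              triple_matches(t, "host1", "jdoe", "example"))
    print(parse_boot_parameter("root=fileserver:/export/root/client1"))
```

A DUA that accepts values outside these grammars (whitespace, unbalanced parentheses, a missing field) ends up republishing malformed netgroup or bootparams entries to every client; rejecting them at parse time, as above, keeps a bad directory entry from becoming a bad line in a map.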

3. Attribute definitions

This section contains attribute definitions to be implemented by DUAs supporting this schema.


( nisSchema.1.0 NAME 'uidNumber' DESC 'An integer uniquely identifying a user in an administrative domain' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.1 NAME 'gidNumber' DESC 'An integer uniquely identifying a group in an administrative domain' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.2 NAME 'gecos' DESC 'The GECOS field; the common name' EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5SubstringsMatch SYNTAX 'IA5String' SINGLE-VALUE )


( nisSchema.1.3 NAME 'homeDirectory' DESC 'The absolute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE )


( nisSchema.1.4 NAME 'loginShell' DESC 'The path to the login shell' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE )


( nisSchema.1.5 NAME 'shadowLastChange' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.6 NAME 'shadowMin' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.7 NAME 'shadowMax' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.8 NAME 'shadowWarning' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.9 NAME 'shadowInactive' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )

( nisSchema.1.10 NAME 'shadowExpire' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.11 NAME 'shadowFlag' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 'IA5String' )


( nisSchema.1.13 NAME 'memberNisNetgroup' EQUALITY caseExactIA5Match SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 'IA5String' )


( nisSchema.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' SYNTAX 'nisNetgroupTripleSyntax' )


( nisSchema.1.15 NAME 'ipServicePort' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.16 NAME 'ipServiceProtocol' SUP name )


( nisSchema.1.17 NAME 'ipProtocolNumber' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.18 NAME 'oncRpcNumber' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )


( nisSchema.1.19 NAME 'ipHostNumber' DESC 'IP address as a dotted decimal, eg. 192.168.1.1, omitting leading zeros' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' )


( nisSchema.1.20 NAME 'ipNetworkNumber' DESC 'IP network as a dotted decimal, eg. 192.168, omitting leading zeros' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' SINGLE-VALUE )

( nisSchema.1.21 NAME 'ipNetmaskNumber' DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0, omitting leading zeros' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' SINGLE-VALUE )


        ( nisSchema.1.22 NAME 'macAddress'
          DESC 'MAC address in maximal, colon separated hex
                notation, eg. 00:00:92:90:ee:e2'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 'IA5String{128}' )
        

( nisSchema.1.23 NAME 'bootParameter' DESC 'rpc.bootparamd parameter' SYNTAX 'bootParameterSyntax' )


( nisSchema.1.24 NAME 'bootFile' DESC 'Boot image name' EQUALITY caseExactIA5Match SYNTAX 'IA5String' )


( nisSchema.1.26 NAME 'nisMapName' SUP name )


( nisSchema.1.27 NAME 'nisMapEntry' EQUALITY caseExactIA5Match SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 'IA5String{1024}' SINGLE-VALUE )


4. Class definitions

This section contains class definitions to be implemented by DUAs supporting the schema.


The rfc822MailGroup object class MAY be used to represent a mail group for the purpose of alias expansion. Several alternative schemes for mail routing and delivery using LDAP directories exist; they are outside the scope of this document.

( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )


( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY DESC 'Additional attributes for shadow passwords' MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) )

( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )


( nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL DESC 'Abstraction an Internet Protocol service. Maps an IP port and protocol (such as tcp or udp) to one or more names; the distinguished value of the cn attribute denotes the service's canonical name' MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY ( description ) )


( nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL DESC 'Abstraction of an IP protocol. Maps a protocol number to one or more names. The distinguished value of the cn attribute denotes the protocol's canonical name' MUST ( cn $ ipProtocolNumber $ description ) MAY description )


( nisSchema.2.5 NAME 'oncRpc' SUP top STRUCTURAL DESC 'Abstraction of an Open Network Computing (ONC) [RFC1057] Remote Procedure Call (RPC) binding. This class maps an ONC RPC number to a name. The distinguished value of the cn attribute denotes the RPC service's canonical name' MUST ( cn $ oncRpcNumber $ description ) MAY description )


( nisSchema.2.6 NAME 'ipHost' SUP top AUXILIARY DESC 'Abstraction of a host, an IP device. The distinguished value of the cn attribute denotes the host's canonical name. Device SHOULD be used as a structural class' MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) )

( nisSchema.2.7 NAME 'ipNetwork' SUP top STRUCTURAL DESC 'Abstraction of a network. The distinguished value of the cn attribute denotes the network's canonical name' MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) )

( nisSchema.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL DESC 'Abstraction of a netgroup. May refer to other netgroups' MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )


( nisSchema.2.09 NAME 'nisMap' SUP top STRUCTURAL DESC 'A generic abstraction of a NIS map' MUST nisMapName MAY description )


( nisSchema.2.10 NAME 'nisObject' SUP top STRUCTURAL DESC 'An entry in a NIS map' MUST ( cn $ nisMapEntry $ nisMapName ) MAY description )


( nisSchema.2.11 NAME 'ieee802Device' SUP top AUXILIARY DESC 'A device with a MAC address; device SHOULD be used as a structural class' MAY macAddress )


( nisSchema.2.12 NAME 'bootableDevice' SUP top AUXILIARY DESC 'A device with boot parameters; device SHOULD be used as a structural class' MAY ( bootFile $ bootParameter ) )


5. Implementation details
5.1. Suggested resolution methods

The preferred means of directing a client application (one using the shared services of the C library) to use LDAP as its information source for the functions listed in 5.2 is to modify the source code to directly query LDAP. As the source to commercial C libraries and applications is rarely available to the end-user, one could emulate a supported nameservice (such as NIS). (This is also an appropriate opportunity to perform caching of entries across process address spaces.) In the case of NIS, reference implementations are widely available and the RPC interface is well known.


The means by which the operating system is directed to use LDAP is implementation dependent. For example, some operating systems and C libraries support end-user extensible resolvers using dynamically loadable libraries and a nameservice "switch". The means in which the DUA locates LDAP servers is also implementation dependent.


5.2. Affected library functions

The following functions are typically found in the C libraries of most UNIX and POSIX compliant systems. An LDAP search filter [RFC2254] which may be used to satisfy the function call is included alongside each function name. Parameters are denoted by %s and %d for string and integer arguments, respectively. Long lines are broken.


        getpwnam()              (&(objectClass=posixAccount)(uid=%s))
        getpwuid()              (&(objectClass=posixAccount)
                                (uidNumber=%d))
        getpwent()              (objectClass=posixAccount)
        
        getspnam()              (&(objectClass=shadowAccount)(uid=%s))
        getspent()              (objectClass=shadowAccount)
        
        getgrnam()              (&(objectClass=posixGroup)(cn=%s))
        getgrgid()              (&(objectClass=posixGroup)
                                (gidNumber=%d))
        getgrent()              (objectClass=posixGroup)
        
        getservbyname()         (&(objectClass=ipService)
                                (cn=%s)(ipServiceProtocol=%s))
        getservbyport()         (&(objectClass=ipService)
                                (ipServicePort=%d)
                                (ipServiceProtocol=%s))
        getservent()            (objectClass=ipService)
        
        getrpcbyname()          (&(objectClass=oncRpc)(cn=%s))
        getrpcbynumber()        (&(objectClass=oncRpc)(oncRpcNumber=%d))
        getrpcent()             (objectClass=oncRpc)
        
        getprotobyname()        (&(objectClass=ipProtocol)(cn=%s))
        getprotobynumber()      (&(objectClass=ipProtocol)
                                (ipProtocolNumber=%d))
        getprotoent()           (objectClass=ipProtocol)
        
        gethostbyname()         (&(objectClass=ipHost)(cn=%s))
        gethostbyaddr()         (&(objectClass=ipHost)(ipHostNumber=%s))
        gethostent()            (objectClass=ipHost)
        
        getnetbyname()          (&(objectClass=ipNetwork)(cn=%s))
        getnetbyaddr()          (&(objectClass=ipNetwork)
                                (ipNetworkNumber=%s))
        getnetent()             (objectClass=ipNetwork)
        
        setnetgrent()           (&(objectClass=nisNetgroup)(cn=%s))
        
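The templates above leave the %s and %d parameters to the DUA, and that is where a practitioner has to be careful: the string argument to getpwnam(), gethostbyname() or getservbyname() is typically whatever the calling process passed in, and spliced into the filter unescaped a login name such as "*)(uid=*" turns a single-account lookup into an enumeration of every posixAccount. The following added example, not code from this RFC or from any implementation of it, fills the 5.2 templates with string arguments escaped as RFC 2254 section 4 requires and with integer arguments that must already be integers. The FILTERS table repeats the 5.2 templates verbatim; the hostile sample login name is constructed.

```python
"""
Builds the RFC 2307 section 5.2 search filters with their %s / %d parameters
filled in safely. Added example, not code from the RFC: templates are copied
from 5.2, the escaping follows RFC 2254 section 4, in which "*", "(", ")",
backslash and NUL inside an assertion value are written \\2a, \\28, \\29,
\\5c and \\00. Integer parameters must arrive as Python ints.
"""
import re

FILTERS = {
    "getpwnam": "(&(objectClass=posixAccount)(uid=%s))",
    "getpwuid": "(&(objectClass=posixAccount)(uidNumber=%d))",
    "getpwent": "(objectClass=posixAccount)",
    "getspnam": "(&(objectClass=shadowAccount)(uid=%s))",
    "getspent": "(objectClass=shadowAccount)",
    "getgrnam": "(&(objectClass=posixGroup)(cn=%s))",
    "getgrgid": "(&(objectClass=posixGroup)(gidNumber=%d))",
    "getgrent": "(objectClass=posixGroup)",
    "getservbyname": "(&(objectClass=ipService)(cn=%s)(ipServiceProtocol=%s))",
    "getservbyport": "(&(objectClass=ipService)(ipServicePort=%d)(ipServiceProtocol=%s))",
    "getservent": "(objectClass=ipService)",
    "getrpcbyname": "(&(objectClass=oncRpc)(cn=%s))",
    "getrpcbynumber": "(&(objectClass=oncRpc)(oncRpcNumber=%d))",
    "getrpcent": "(objectClass=oncRpc)",
    "getprotobyname": "(&(objectClass=ipProtocol)(cn=%s))",
    "getprotobynumber": "(&(objectClass=ipProtocol)(ipProtocolNumber=%d))",
    "getprotoent": "(objectClass=ipProtocol)",
    "gethostbyname": "(&(objectClass=ipHost)(cn=%s))",
    "gethostbyaddr": "(&(objectClass=ipHost)(ipHostNumber=%s))",
    "gethostent": "(objectClass=ipHost)",
    "getnetbyname": "(&(objectClass=ipNetwork)(cn=%s))",
    "getnetbyaddr": "(&(objectClass=ipNetwork)(ipNetworkNumber=%s))",
    "getnetent": "(objectClass=ipNetwork)",
    "setnetgrent": "(&(objectClass=nisNetgroup)(cn=%s))",
}

# RFC 2254 section 4: characters that are special inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string before it is used as an assertion value in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(func: str, *args) -> str:
    """Instantiate the 5.2 template for `func`; %s is escaped, %d must be an int."""
    pieces = re.split(r"(%[sd])", FILTERS[func])
    expected = sum(1 for p in pieces if p in ("%s", "%d"))
    if expected != len(args):
        raise ValueError(f"{func} takes {expected} argument(s), got {len(args)}")
    remaining = list(args)
    out = []
    for piece in pieces:
        if piece == "%s":
            arg = remaining.pop(0)
            if not isinstance(arg, str):
                raise TypeError(f"{func}: string parameter expected")
            out.append(escape_filter_value(arg))
        elif piece == "%d":
            arg = remaining.pop(0)
            # bool is a subclass of int; reject it along with strings like "1)(uid=root"
            if isinstance(arg, bool) or not isinstance(arg, int):
                raise TypeError(f"{func}: integer parameter expected")
            out.append(str(arg))
        else:
            out.append(piece)
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs, including a hostile login name.
    print(build_filter("getpwnam", "jdoe"))
    print(build_filter("getpwnam", "*)(uid=*"))
    print(build_filter("getservbyname", "ssh", "tcp"))
```

The escaping is applied per character, so a backslash in the input becomes \5c before any escape sequence is emitted and cannot be used to smuggle one in; the %d path refuses anything that is not already an int rather than converting, which is what stops a string of digits followed by ")(uid=root" from reaching the filter.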
5.3. Interpreting user and group entries

User and group resolution is initiated by the functions prefixed by getpw and getgr respectively. The uid attribute contains the user's login name. The cn attribute, in posixGroup entries, contains the group's name.


The account object class provides a convenient structural class for posixAccount, and SHOULD be used where additional attributes are not required.


It is suggested that uid and cn are used as the RDN attribute type for posixAccount and posixGroup entries, respectively.


An account's GECOS field is preferably determined by a value of the gecos attribute. If no gecos attribute exists, the value of the cn attribute MUST be used. (The existence of the gecos attribute allows information embedded in the GECOS field, such as a user's telephone number, to be returned to the client without overloading the cn attribute. It also accommodates directories where the common name does not contain the user's full name.)


An entry of class posixAccount, posixGroup, or shadowAccount without a userPassword attribute MUST NOT be used for authentication. The client should be returned a non-matchable password such as "x".


userPassword values MUST be represented by following syntax:


        passwordvalue          = schemeprefix encryptedpassword
        schemeprefix           = "{" scheme "}"
        scheme                 = "crypt" / "md5" / "sha" / altscheme
        altscheme              = "x-" keystring
        encryptedpassword      = encrypted password
        

The encrypted password consists of a plaintext key hashed using the algorithm named by the scheme.

userPassword values which do not adhere to this syntax MUST NOT be used for authentication. The DUA MUST iterate through the values of the attribute until a value matching the above syntax is found. Only if encryptedpassword is an empty string does the user have no password. DUAs are not required to consider encryption schemes which the client will not recognize; in most cases, it may be sufficient to consider only "crypt".


Below is an example of a userPassword attribute:


                    userPassword: {crypt}X5/DBrWPOQQaI
        

A future standard may specify LDAP v3 attribute descriptions to represent hashed userPasswords, as noted below. This schema MUST NOT be used with LDAP v2 DUAs and DSAs.


        attributetype           = attributename sep attributeoption
        attributename           = "userPassword"
        sep                     = ";"
        attributeoption         = schemeclass "-" scheme
        schemeclass             = "hash" / altschemeclass
        scheme                  = "crypt" / "md5" / "sha" / altscheme
        altschemeclass          = "x-" keystring
        altscheme               = keystring
        

Below is an example of a userPassword attribute, represented with an LDAP v3 attribute description:

           userPassword;hash-crypt: X5/DBrWPOQQaI
        

A DUA MAY utilise the attributes in the shadowAccount class to provide shadow password service (getspnam() and getspent()). In such cases, the DUA MUST NOT make use of the userPassword attribute for getpwnam() et al, and MUST return a non-matchable password (such as "x") to the client instead.

5.4. Interpreting hosts and networks

The ipHostNumber and ipNetworkNumber attributes are defined in preference to dNSRecord (defined in [RFC1279]), in order to simplify the DUA's role in interpreting entries in the directory. A dNSRecord expresses a complete resource record, including time to live and class data, which is extraneous to this schema.

Additionally, the ipHost and ipNetwork classes permit a host or network (respectively) and all its aliases to be represented by a single entry in the directory. This is not necessarily possible if a DNS resource record is mapped directly to an LDAP entry. Implementations that wish to use LDAP to master DNS zone information are not precluded from doing so, and may simply avoid the ipHost and ipNetwork classes.

This document redefines, although not exclusively, the ipNetwork class defined in [RFC1279], in order to achieve consistent naming with ipHost. The ipNetworkNumber attribute is also used in the siteContact object class [ROSE].

The trailing zeros in a network address MUST be omitted. CIDR-style network addresses (e.g. 192.168.1/24) MAY be used.

Hosts with IPv6 addresses MUST be written in their "preferred" form as defined in section 2.2.1 of [RFC1884], such that all components of the address are indicated and leading zeros are omitted. This provides a consistent means of resolving ipHosts by address.
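As an added illustration of the canonical forms this section requires (not code from the memo or from the implementations it mentions), the helpers below strip trailing zero octets from an ipNetworkNumber while keeping an optional CIDR suffix, and render IPv6 ipHostNumber values in the RFC 1884 preferred form with all eight groups present and leading zeros dropped. Lowercase hex digits are an assumption of this example; compare values case-insensitively.

```python
import ipaddress


def ip_network_number(network):
    """Canonical ipNetworkNumber (section 5.4): trailing zero octets MUST be
    omitted; a CIDR prefix length such as "/24" MAY follow and is kept as given."""
    address, sep, prefix = network.partition("/")
    octets = address.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 network address: " + network)
    # Drop trailing zero octets, but always keep at least one octet.
    while len(octets) > 1 and octets[-1] == "0":
        octets.pop()
    return ".".join(octets) + (sep + prefix if sep else "")


def ip_host_number(address):
    """Canonical ipHostNumber. IPv4 is returned as a plain dotted quad; IPv6 is
    written in the RFC 1884 section 2.2.1 "preferred" form x:x:x:x:x:x:x:x:
    every group present, no "::" compression, leading zeros omitted.
    Hex digits are lowercase here (an assumption of this example; RFC 1884's
    examples use uppercase, so callers should compare case-insensitively)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return str(ip)
    groups = ip.exploded.split(":")                 # 8 groups, 4 hex digits each
    return ":".join(format(int(g, 16), "x") for g in groups)


def host_number_matches(stored, query):
    """A DUA resolving an ipHost by address canonicalises the query the same way
    the directory value was written, so a plain equality match suffices."""
    return ip_host_number(stored).lower() == ip_host_number(query).lower()
```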

5.5. Interpreting other entities

In general, a one-to-one mapping between entities and LDAP entries is proposed, in that each entity has exactly one representation in the DIT. In some cases this is not feasible; for example, a service which is represented in more than one protocol domain. Consider the following entry:

           dn: cn=domain, dc=aja, dc=com
           cn: domain
           cn: nameserver
           objectClass: top
           objectClass: ipService
           ipServicePort: 53
           ipServiceProtocol: tcp
           ipServiceProtocol: udp
        

This entry MUST map to the following two (2) services entities:

           domain 53/tcp nameserver
           domain 53/udp nameserver

While the above two entities may be represented as separate LDAP entities, with different distinguished names (such as cn=domain+ipServiceProtocol=tcp, ... and cn=domain+ipServiceProtocol=udp, ...) it is convenient to represent them as a single entry. (If a service is represented in multiple protocol domains with different ports, then multiple entries are required; multivalued RDNs may be used to distinguish them.)

With the exception of userPassword values, which are parsed according to the syntax considered in section 5.2, any empty values (consisting of a zero length string) are returned by the DUA to the client. The DUA MUST reject any entries which do not conform to the schema (missing mandatory attributes). Non-conforming entries SHOULD be ignored while enumerating entries.

The nisObject object class MAY be used as a generic means of representing NIS entities. Its use is not encouraged; where support for entities not described in this schema is desired, an appropriate schema should be devised. Implementors are strongly advised to support end-user extensible mappings between NIS entities and object classes. (Where the nisObject class is used, the nisMapName attribute may be used as an RDN.)

5.6. Canonicalizing entries with multi-valued naming attributes

For entities such as hosts, services, networks, protocols, and RPCs, where there may be one or more aliases, the respective entry's relative distinguished name SHOULD be used to determine the canonical name. Any other values for the same attribute are used as aliases. For example, the service described in section 5.5 has the canonical name "domain" and exactly one alias, "nameserver".

The schema in this document generally only defines one attribute per class which is suitable for distinguishing an entity (excluding any attributes with integer syntax; it is assumed that entries will be distinguished on name). Usually, this is the common name (cn) attribute. This aids the DUA in determining the canonical name of an entity, as it can examine the value of the relative distinguished name. Aliases are thus any values of the distinguishing attribute (such as cn) which do not match the canonical name of the entity.

In the event that a different attribute is used to distinguish the entry, as may be the case where these object classes are used as auxiliary classes, the entry's canonical name may not be present in the RDN. In this case, the DUA MUST choose one of the non-distinguished values to represent the entity's canonical name. As the directory server guarantees no ordering of attribute values, it may not be possible to distinguish an entry deterministically. This ambiguity SHOULD NOT be resolved by mapping one directory entry into multiple entities.
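The following is an added example (not code from the memo or from any implementation it mentions) of how a DUA could apply sections 5.5 and 5.6 together: take the canonical name from the entry's RDN, treat the remaining cn values as aliases, expand one ipService entry into one services entity per ipServiceProtocol value, and ignore entries lacking mandatory attributes while enumerating. Entries are modelled as plain dicts of attribute type to value list with the DN under "dn"; that representation is an assumption of the example.

```python
def rdn_value(dn, attr_type):
    """Value of attr_type in the first RDN of dn, or None if that RDN does not
    carry it. Handles multivalued RDNs such as cn=domain+ipServiceProtocol=tcp."""
    first_rdn = dn.split(",", 1)[0]
    for ava in first_rdn.split("+"):
        name, _, value = ava.partition("=")
        if name.strip().lower() == attr_type.lower():
            return value.strip()
    return None


def canonical_and_aliases(entry, attr_type="cn"):
    """Section 5.6: the RDN value is the canonical name; the other values of the
    same attribute are aliases. When the naming attribute is absent from the RDN
    (auxiliary-class case) one value is chosen; the entity is never split in two."""
    values = entry.get(attr_type, [])
    if not values:
        raise ValueError("no %s values" % attr_type)
    canonical = rdn_value(entry["dn"], attr_type)
    if canonical is None or canonical.lower() not in (v.lower() for v in values):
        canonical = values[0]          # the server guarantees no ordering; pick one
    aliases = [v for v in values if v.lower() != canonical.lower()]
    return canonical, aliases


def service_entities(entry):
    """Section 5.5: one ipService entry yields one services entity per
    ipServiceProtocol value, as (name, port, protocol, aliases) tuples."""
    if "ipService" not in entry.get("objectClass", []):
        raise ValueError("not an ipService entry")
    for required in ("cn", "ipServicePort", "ipServiceProtocol"):
        if not entry.get(required):
            raise ValueError("missing mandatory attribute " + required)
    name, aliases = canonical_and_aliases(entry)
    port = int(entry["ipServicePort"][0])
    return [(name, port, proto, aliases) for proto in entry["ipServiceProtocol"]]


def services_lines(entry):
    """Render the entities in services(5) layout, e.g. 'domain 53/tcp nameserver'."""
    return [" ".join([name, "%d/%s" % (port, proto)] + aliases)
            for name, port, proto, aliases in service_entities(entry)]


def enumerate_services(entries):
    """getservent()-style enumeration: a non-conforming entry is skipped rather
    than aborting the whole listing, as section 5.5 recommends."""
    lines = []
    for entry in entries:
        try:
            lines.extend(services_lines(entry))
        except ValueError:
            continue
    return lines


# The entry from section 5.5, as a dict (constructed for this example).
DOMAIN_ENTRY = {
    "dn": "cn=domain, dc=aja, dc=com",
    "cn": ["domain", "nameserver"],
    "objectClass": ["top", "ipService"],
    "ipServicePort": ["53"],
    "ipServiceProtocol": ["tcp", "udp"],
}
```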

6. Implementation focus

A NIS server which uses LDAP instead of local files has been developed which supports the schema defined in this document.

A reference implementation of the C library resolution code has been written for the Free Software Foundation. It may support other C libraries which support the Name Service Switch (NSS) or the Information Retrieval Service (IRS).

The author has made available a freely distributable set of scripts which parses local databases such as /etc/passwd and /etc/hosts into a form suitable for loading into an LDAP server.

7. Security Considerations

The entirety of related security considerations is outside the scope of this document. It is noted that making passwords encrypted with a widely understood hash function (such as crypt()) available to non-privileged users is dangerous because it exposes them to dictionary and brute-force attacks. This is proposed only for compatibility with existing UNIX system implementations. Sites where security is critical SHOULD consider using a strong authentication service for user authentication.

Alternatively, the encrypted password could be made available only to a subset of privileged DUAs, which would provide "shadow" password service to client applications. This may be difficult to enforce.

Because the schema represents operating system-level entities, access to these entities SHOULD be granted on a discretionary basis. (There is little point in restricting access to data which will be republished without restriction, however.) It is particularly important that only administrators can modify entries defined in this schema, with the exception of allowing a principal to change their password (which may be done on behalf of the user by a client bound as a superior principal, such that password restrictions may be enforced). For example, if a user were allowed to change the value of their uidNumber attribute, they could subvert security by equivalencing their account with the superuser account.

A subtree of the DIT which is to be republished by a DUA (such as a NIS gateway) SHOULD be within the same administrative domain that the republishing DUA represents. (For example, principals outside an organization, while conceivably part of the DIT, should not be considered with the same degree of authority as those within the organization.)

Finally, care should be exercised with integer attributes of a sensitive nature (particularly the uidNumber and gidNumber attributes) which contain zero-length values. DUAs MAY treat such values as corresponding to the "nobody" or "nogroup" user and group, respectively.

8. Acknowledgements

Thanks to Leif Hedstrom of Netscape Communications Corporation, Michael Grant and Rosanna Lee of Sun Microsystems Inc., Ed Reed of Novell Inc., and Mark Wahl of Critical Angle Inc. for their valuable contributions to the development of this schema. Thanks to Andrew Josey of The Open Group for clarifying the use of the UNIX trademark, and to Tim Howes and Peter J. Cherny for their support.

UNIX is a registered trademark of The Open Group.

9. References

[RFC1057] Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol Specification Version 2", RFC 1057, June 1988.

[RFC1279] Kille, S., "X.500 and Domains", RFC 1279, November 1991.

[RFC1884] Hinden, R., and S. Deering, "IP Version 6 Addressing Architecture", RFC 1884, December 1995.

[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[RFC2252] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.

[RFC2254] Howes, T., "The String Representation of LDAP Search Filters", RFC 2254, December 1997.

[RFC2256] Wahl, M., "A Summary of the X.500(96) User Schema for use with LDAPv3", RFC 2256, December 1997.

[ROSE] M. T. Rose, "The Little Black Book: Mail Bonding with OSI Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc., 1992.

[X500] "Information Processing Systems - Open Systems Interconnection - The Directory: Overview of Concepts, Models and Service", ISO/IEC JTC 1/SC21, International Standard 9594-1, 1988.

[XOPEN] ISO/IEC 9945-1:1990, Information Technology - Portable Operating Systems Interface (POSIX) - Part 1: Systems Application Programming Interface (API) [C Language]

10. Author's Address

   Luke Howard
   PO Box 59
   Central Park Vic 3145
   Australia

   EMail: lukeh@xedoc.com
        

A. Example entries

The examples described in this section are provided to illustrate the schema described in this memo. They are not meant to be exhaustive.

The following entry is an example of the posixAccount class:

           dn: uid=lester, dc=aja, dc=com
           objectClass: top
           objectClass: account
           objectClass: posixAccount
           uid: lester
           cn: Lester the Nightfly
           userPassword: {crypt}X5/DBrWPOQQaI
           gecos: Lester
           loginShell: /bin/csh
           uidNumber: 10
           gidNumber: 10
           homeDirectory: /home/lester
        

This corresponds to the UNIX system password file entry:

        lester:X5/DBrWPOQQaI:10:10:Lester:/home/lester:/bin/sh
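An added example (not the memo's own code, nor from the implementations in section 6) that ties together the userPassword value syntax and LDAP v3 attribute-description form of section 5.2, the shadowAccount rule that getpwnam() receives a non-matchable "x", the zero-length uidNumber/gidNumber handling of section 7, and the posixAccount-to-passwd mapping shown just above. Entries are modelled as dicts of attribute type to value list; the choice of 65534 for nobody/nogroup and of cn as a stand-in for a missing gecos are assumptions of the example, not something the memo specifies.

```python
import re

# Section 5.2 value syntax: passwordvalue = "{" scheme "}" encryptedpassword
VALUE_RE = re.compile(r"^\{(crypt|md5|sha|x-[A-Za-z0-9-]+)\}(.*)$", re.I)
# LDAP v3 attribute description form: userPassword;hash-<scheme>
DESC_RE = re.compile(r"^userPassword;(hash|x-[A-Za-z0-9-]+)-([A-Za-z0-9-]+)$", re.I)

NON_MATCHABLE = "x"             # what getpwnam() sees when no usable hash is published
NOBODY, NOGROUP = 65534, 65534  # conventional ids; an assumption, not from the memo


def parse_password(attr_type, value):
    """Return (scheme, encryptedpassword), or None when the value follows neither
    syntax; such values MUST NOT be used for authentication."""
    if attr_type.lower() == "userpassword":
        m = VALUE_RE.match(value)
        return (m.group(1).lower(), m.group(2)) if m else None
    m = DESC_RE.match(attr_type)
    if m and m.group(1).lower() == "hash":
        return m.group(2).lower(), value
    return None


def select_password(entry, recognized=("crypt",), shadow=False):
    """Password field for a passwd-style record. entry maps attribute type to a
    list of values. With shadow=True the DUA serves getspnam() from shadowAccount
    and MUST NOT hand userPassword to getpwnam(), so "x" is returned."""
    if shadow:
        return NON_MATCHABLE
    for attr_type, values in entry.items():
        for value in values:
            parsed = parse_password(attr_type, value)
            if parsed is None:
                continue                   # malformed value: keep iterating
            scheme, encrypted = parsed
            if scheme in recognized:
                return encrypted           # "" means the user has no password
    return NON_MATCHABLE                   # nothing usable: cannot authenticate


def int_field(entry, attr_type, fallback):
    """Section 7: a zero-length uidNumber/gidNumber MAY map to nobody/nogroup."""
    values = entry.get(attr_type, [])
    return fallback if not values or values[0] == "" else int(values[0])


def passwd_line(entry, shadow=False):
    """Render a posixAccount entry as the passwd(5) line appendix A shows by hand.
    cn stands in for a missing gecos (an assumption of this example)."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("not a posixAccount entry")
    for required in ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"):
        if required not in entry:
            raise ValueError("missing mandatory attribute " + required)
    first = lambda a: entry.get(a, [""])[0]
    return ":".join([first("uid"), select_password(entry, shadow=shadow),
                     str(int_field(entry, "uidNumber", NOBODY)),
                     str(int_field(entry, "gidNumber", NOGROUP)),
                     first("gecos") or first("cn"),
                     first("homeDirectory"), first("loginShell")])


# The posixAccount entry from appendix A, as a dict (constructed for this example).
LESTER = {
    "objectClass": ["top", "account", "posixAccount"],
    "uid": ["lester"], "cn": ["Lester the Nightfly"],
    "userPassword": ["{crypt}X5/DBrWPOQQaI"], "gecos": ["Lester"],
    "loginShell": ["/bin/csh"], "uidNumber": ["10"], "gidNumber": ["10"],
    "homeDirectory": ["/home/lester"],
}
```

The rendered line uses the entry's loginShell value, so it ends in /bin/csh.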
        

The following entry is an example of the ipHost class:

           dn: cn=peg.aja.com, dc=aja, dc=com
           objectClass: top
           objectClass: device
           objectClass: ipHost
           objectClass: bootableDevice
           objectClass: ieee802Device
           cn: peg.aja.com
           cn: www.aja.com
           ipHostNumber: 10.0.0.1
           macAddress: 00:00:92:90:ee:e2
           bootFile: mach
           bootParameter: root=fs:/nfsroot/peg
           bootParameter: swap=fs:/nfsswap/peg
           bootParameter: dump=fs:/nfsdump/peg
        

This entry represents the host canonically peg.aja.com, also known as www.aja.com. The Ethernet address and four boot parameters are also specified.

An example of the nisNetgroup class:

           dn: cn=nightfly, dc=aja, dc=com
           objectClass: top
           objectClass: nisNetgroup
           cn: nightfly
           nisNetgroupTriple: (charlemagne,peg,dunes.aja.com)
           nisNetgroupTriple: (lester,-,)
           memberNisNetgroup: kamakiriad
        

This entry represents the netgroup nightfly, which contains two triples (the user charlemagne, the host peg, and the domain dunes.aja.com; and, the user lester, no host, and any domain) and one netgroup (kamakiriad).

Finally, an example of the nisObject class:

           dn: nisMapName=tracks, dc=dunes, dc=aja, dc=com
           objectClass: top
           objectClass: nisMap
           nisMapName: tracks
        
           dn: cn=Maxine, nisMapName=tracks, dc=dunes, dc=aja, dc=com
           objectClass: top
           objectClass: nisObject
           cn: Maxine
           nisMapName: tracks
           nisMapEntry: Nightfly$4
        

This entry represents the NIS map tracks, and a single map entry.

Full Copyright Statement

Copyright (C) The Internet Society (1998). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
