#----------------------------------------------------------------------
#
# papi.schema v: 20041231.1
#
# The PAPI Authentication and Authorization Framework
#
# RedIRIS 2001-2005
#
#----------------------------------------------------------------------
#
#
# Changelog
#
# 20041231 - Add new attribute papiSiteAccess
#
# 20031128 - Changes to minimize schema clashes:
#            papiSite and papiGroup have been left as structural, while
#            papiUser is now declared auxiliary.
#            Specific utility classes (papiSiteAux, papiGroupAux, and
#            papiUserStr) have been defined to support all other cases
#
#----------------------------------------------------------------------
#
# This is release 2.1 of the schema
#
# Reviewer notes on this file as a whole:
#  - Several attribute types are declared with SUP labeledURI or SUP name.
#    Those supertypes are not defined here, so the schema that provides
#    them must already be loaded when this file is read (confirm against
#    the directory server's schema load order).
#  - Every object class below allows the entry to name the sites a user
#    or group may reach (papiSiteId) and the assertion text sent to a site
#    (papiAssertion / papiQualifiedAssertion). These values therefore
#    drive authorization decisions; write access to them in the directory
#    should be restricted accordingly. The schema itself cannot enforce
#    that.
#
#----------------------------------------------------------------------
# Attribute types for site definitions
# These attributes model the required parameters that PAPI needs for
# generating the access tokens to a site.
#----------------------------------------------------------------------
#
# Point of Access
attributetype ( 1.3.6.1.4.1.7547.4.2.2.1
	NAME 'papiSitePoA'
	SUP labeledURI )

# URI for requesting tokens to the Point of Access
attributetype ( 1.3.6.1.4.1.7547.4.2.2.2
	NAME 'papiSiteAuth'
	SUP labeledURI )

# URI for initially requesting the contents at the Point of Access
# (added 20041231; OID .12 is out of sequence with its neighbours
# because it was assigned last)
attributetype ( 1.3.6.1.4.1.7547.4.2.2.12
	NAME 'papiSiteAccess'
	SUP labeledURI )

# Location at the PoA for this site
attributetype ( 1.3.6.1.4.1.7547.4.2.2.3
	NAME 'papiSiteLocation'
	SUP labeledURI )

# Time to live for the tokens requested to the PoA for this site.
# Syntax 1.3.6.1.4.1.1466.115.121.1.27 is INTEGER; the schema places no
# lower or upper bound on the value, so a zero, negative or very large
# TTL is accepted by the directory. Whatever issues the tokens must
# apply its own limits — confirm this in the PAPI code that reads it.
attributetype ( 1.3.6.1.4.1.7547.4.2.2.4
	NAME 'papiSiteTtl'
	DESC 'TTL of access to this resource'
	EQUALITY integerMatch
	SINGLE-VALUE
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# Service identifier at the PoA for this site
attributetype ( 1.3.6.1.4.1.7547.4.2.2.5
	NAME 'papiSiteService'
	SUP name )

# Identifier for papiSite objects.
# Matched case-insensitively (caseIgnoreMatch / caseIgnoreSubstringsMatch),
# so two site entries whose ids differ only in case collide on lookup.
attributetype ( 1.3.6.1.4.1.7547.4.2.2.6
	NAME 'papiSiteId'
	DESC 'Site name'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# URL to be used for indicating request acceptance at the PoA for this site
attributetype ( 1.3.6.1.4.1.7547.4.2.2.8
	NAME 'papiSiteAcceptURL'
	SUP labeledURI )

# URL to be used for indicating request rejection at the PoA for this site
attributetype ( 1.3.6.1.4.1.7547.4.2.2.9
	NAME 'papiSiteRejectURL'
	SUP labeledURI )

# Format of the assertion on user attributes to be sent to the PoA for this
# site if no group/user specific definition exists.
# Stored as a Directory String and compared exactly; the schema does not
# constrain the assertion format in any way, so its grammar is defined
# only by the code that consumes it.
attributetype ( 1.3.6.1.4.1.7547.4.2.2.10
	NAME 'papiAssertion'
	DESC 'User assertion for this site'
	EQUALITY caseExactMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE )

#----------------------------------------------------------------------
# Attribute types for user/group definitions
#----------------------------------------------------------------------
#
# Identifier for papiGroup objects (case-insensitive, like papiSiteId)
attributetype ( 1.3.6.1.4.1.7547.4.2.2.7
	NAME 'papiGroupId'
	DESC 'Group name'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Format of the assertion on user attributes to be sent to a PoA identified
# in the qualifying part of the attribute. These attributes store pairs
# 'siteID assertionFormat', where siteID must correspond to one papiSiteId
# and assertionFormat describes the assertion to be used for that site.
# The separator of both parts is made of any number of whitespace characters
# (spaces or tabs).
#
# Two things the directory cannot check for this attribute:
#  - that the siteID part actually names an existing papiSiteId value
#    (no referential integrity); a stale or mistyped siteID is stored
#    silently and must be detected by the application.
#  - case: papiSiteId is matched case-insensitively, but this whole
#    value is matched with caseExactMatch. Code that splits the value
#    and compares the siteID part should use the same case-insensitive
#    rule as papiSiteId, or a lookup may miss a site that does exist.
attributetype ( 1.3.6.1.4.1.7547.4.2.2.11
	NAME 'papiQualifiedAssertion'
	DESC 'User assertion to use for the identified site'
	EQUALITY caseExactMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#----------------------------------------------------------------------
# Object classes
#----------------------------------------------------------------------
# A papiSite object models an information resource that must be accessed
# using the PAPI protocol.
# MUST: identity, TTL, service name, PoA, location and token-request URI.
# MAY:  accept/reject URLs, the default assertion, and the content URI.
#
objectclass ( 1.3.6.1.4.1.7547.4.2.1.1
	NAME 'papiSite'
	DESC 'Resource protected with PAPI'
	SUP top STRUCTURAL
	MUST ( papiSiteId $ papiSiteTtl $ papiSiteService $ papiSitePoA $ papiSiteLocation $ papiSiteAuth )
	MAY ( description $ papiSiteAcceptURL $ papiSiteRejectURL $ papiAssertion $ papiSiteAccess ) )
#
# An ad-hoc class for making non-structural use of papiSite.
# Same MUST/MAY lists as papiSite; keep the two in sync when editing.
objectclass ( 1.3.6.1.4.1.7547.4.2.1.4
	NAME 'papiSiteAux'
	DESC 'Resource protected with PAPI'
	SUP top AUXILIARY
	MUST ( papiSiteId $ papiSiteTtl $ papiSiteService $ papiSitePoA $ papiSiteLocation $ papiSiteAuth )
	MAY ( description $ papiSiteAcceptURL $ papiSiteRejectURL $ papiAssertion $ papiSiteAccess ) )

# A papiGroup object models a group of users with similar characteristics.
# It has a set of associated papiSites that users in the group have access to.
# Only the group id is required; the site list (papiSiteId) and the
# per-site assertions (papiQualifiedAssertion) are optional and
# multi-valued.
#
objectclass ( 1.3.6.1.4.1.7547.4.2.1.2
	NAME 'papiGroup'
	DESC 'Group of PAPI users'
	SUP top STRUCTURAL
	MUST ( papiGroupId )
	MAY ( papiSiteId $ description $ papiQualifiedAssertion ) )
#
# An ad-hoc class for making non-structural use of papiGroup.
# Same MUST/MAY lists as papiGroup; keep the two in sync when editing.
objectclass ( 1.3.6.1.4.1.7547.4.2.1.5
	NAME 'papiGroupAux'
	DESC 'Group of PAPI users'
	SUP top AUXILIARY
	MUST ( papiGroupId )
	MAY ( papiSiteId $ description $ papiQualifiedAssertion ) )

# A papiUser models an individual and her/his access rights to resources
# protected by the PAPI protocol. It may have a set of papiSites the user
# has access to, and/or a set of papiGroups the user belongs to.
# Every attribute is MAY, so an entry carrying this class may hold no
# PAPI data at all; membership in the class alone does not grant access
# to anything, and consumers should treat a missing papiSiteId/papiGroupId
# as "no rights" rather than as an error.
#
objectclass ( 1.3.6.1.4.1.7547.4.2.1.3
	NAME 'papiUser'
	DESC 'User of PAPI services'
	SUP top AUXILIARY
	MAY ( papiGroupId $ papiSiteId $ papiQualifiedAssertion ) )
#
# An ad-hoc class for making structural use of papiUser.
# Same MAY list as papiUser; keep the two in sync when editing.
objectclass ( 1.3.6.1.4.1.7547.4.2.1.6
	NAME 'papiUserStr'
	DESC 'User of PAPI services'
	SUP top STRUCTURAL
	MAY ( papiGroupId $ papiSiteId $ papiQualifiedAssertion ) )