Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

   1
   2
   3
   4
   5
   6
   7
   8
   9
  10
  11
  12
  13
  14
  15
  16
  17
  18
  19
  20
  21
  22
  23
  24
  25
  26
  27
  28
  29
  30
  31
  32
  33
  34
  35
  36
  37
  38
  39
  40
  41
  42
  43
  44
  45
  46
  47
  48
  49
  50
  51
  52
  53
  54
  55
  56
  57
  58
  59
  60
  61
  62
  63
  64
  65
  66
  67
  68
  69
  70
  71
  72
  73
  74
  75
  76
  77
  78
  79
  80
  81
  82
  83
  84
  85
  86
  87
  88
  89
  90
  91
  92
  93
  94
  95
  96
  97
  98
  99
 100
 101
 102
 103
 104
 105
 106
 107
 108
 109
 110
 111
 112
 113
 114
 115
 116
 117
 118
 119
 120
 121
 122
 123
 124
 125
 126
 127
 128
 129
 130
 131
 132
 133
 134
 135
 136
 137
 138
 139
 140
 141
 142
 143
 144
 145
 146
 147
 148
 149
 150
 151
 152
 153
 154
 155
 156
 157
 158
 159
 160
 161
 162
 163
 164
 165
 166
 167
 168
 169
 170
 171
 172
 173
 174
 175
 176
 177
 178
 179
 180
 181
 182
 183
 184
 185
 186
 187
 188
 189
 190
 191
 192
 193
 194
 195
 196
 197
 198
 199
 200
 201
 202
 203
 204
 205
 206
 207
 208
 209
 210
 211
 212
 213
 214
 215
 216
 217
 218
 219
 220
 221
 222
 223
 224
 225
 226
 227
 228
 229
 230
 231
 232
 233
 234
 235
 236
 237
 238
 239
 240
 241
 242
 243
 244
 245
 246
 247
 248
 249
 250
 251
 252
 253
 254
 255
 256
 257
 258
 259
 260
 261
 262
 263
 264
 265
 266
 267
 268
 269
 270
 271
 272
 273
 274
 275
 276
 277
 278
 279
 280
 281
 282
 283
 284
 285
 286
 287
 288
 289
 290
 291
 292
 293
 294
 295
 296
 297
 298
 299
 300
 301
 302
 303
 304
 305
 306
 307
 308
 309
 310
 311
 312
 313
 314
 315
 316
 317
 318
 319
 320
 321
 322
 323
 324
 325
 326
 327
 328
 329
 330
 331
 332
 333
 334
 335
 336
 337
 338
 339
 340
 341
 342
 343
 344
 345
 346
 347
 348
 349
 350
 351
 352
 353
 354
 355
 356
 357
 358
 359
 360
 361
 362
 363
 364
 365
 366
 367
 368
 369
 370
 371
 372
 373
 374
 375
 376
 377
 378
 379
 380
 381
 382
 383
 384
 385
 386
 387
 388
 389
 390
 391
 392
 393
 394
 395
 396
 397
 398
 399
 400
 401
 402
 403
 404
 405
 406
 407
 408
 409
 410
 411
 412
 413
 414
 415
 416
 417
 418
 419
 420
 421
 422
 423
 424
 425
 426
 427
 428
 429
 430
 431
 432
 433
 434
 435
 436
 437
 438
 439
 440
 441
 442
 443
 444
 445
 446
 447
 448
 449
 450
 451
 452
 453
 454
 455
 456
 457
 458
 459
 460
 461
 462
 463
 464
 465
 466
 467
 468
 469
 470
 471
 472
 473
 474
 475
 476
 477
 478
 479
 480
 481
 482
 483
 484
 485
 486
 487
 488
 489
 490
 491
 492
 493
 494
 495
 496
 497
 498
 499
 500
 501
 502
 503
 504
 505
 506
 507
 508
 509
 510
 511
 512
 513
 514
 515
 516
 517
 518
 519
 520
 521
 522
 523
 524
 525
 526
 527
 528
 529
 530
 531
 532
 533
 534
 535
 536
 537
 538
 539
 540
 541
 542
 543
 544
 545
 546
 547
 548
 549
 550
 551
 552
 553
 554
 555
 556
 557
 558
 559
 560
 561
 562
 563
 564
 565
 566
 567
 568
 569
 570
 571
 572
 573
 574
 575
 576
 577
 578
 579
 580
 581
 582
 583
 584
 585
 586
 587
 588
 589
 590
 591
 592
 593
 594
 595
 596
 597
 598
 599
 600
 601
 602
 603
 604
 605
 606
 607
 608
 609
 610
 611
 612
 613
 614
 615
 616
 617
 618
 619
 620
 621
 622
 623
 624
 625
 626
 627
 628
 629
 630
 631
 632
 633
 634
 635
 636
 637
 638
 639
 640
 641
 642
 643
 644
 645
 646
 647
 648
 649
 650
 651
 652
 653
 654
 655
 656
 657
 658
 659
 660
 661
 662
 663
 664
 665
 666
 667
 668
 669
 670
 671
 672
 673
 674
 675
 676
 677
 678
 679
 680
 681
 682
 683
 684
 685
 686
 687
 688
 689
 690
 691
 692
 693
 694
 695
 696
 697
 698
 699
 700
 701
 702
 703
 704
 705
 706
 707
 708
 709
 710
 711
 712
 713
 714
 715
 716
 717
 718
 719
 720
 721
 722
 723
 724
 725
 726
 727
 728
 729
 730
 731
 732
 733
 734
 735
 736
 737
 738
 739
 740
 741
 742
 743
 744
 745
 746
 747
 748
 749
 750
 751
 752
 753
 754
 755
 756
 757
 758
 759
 760
 761
 762
 763
 764
 765
 766
 767
 768
 769
 770
 771
 772
 773
 774
 775
 776
 777
 778
 779
 780
 781
 782
 783
 784
 785
 786
 787
 788
 789
 790
 791
 792
 793
 794
 795
 796
 797
 798
 799
 800
 801
 802
 803
 804
 805
 806
 807
 808
 809
 810
 811
 812
 813
 814
 815
 816
 817
 818
 819
 820
 821
 822
 823
 824
 825
 826
 827
 828
 829
 830
 831
 832
 833
 834
 835
 836
 837
 838
 839
 840
 841
 842
 843
 844
 845
 846
 847
 848
 849
 850
 851
 852
 853
 854
 855
 856
 857
 858
 859
 860
 861
 862
 863
 864
 865
 866
 867
 868
 869
 870
 871
 872
 873
 874
 875
 876
 877
 878
 879
 880
 881
 882
 883
 884
 885
 886
 887
 888
 889
 890
 891
 892
 893
 894
 895
 896
 897
 898
 899
 900
 901
 902
 903
 904
 905
 906
 907
 908
 909
 910
 911
 912
 913
 914
 915
 916
 917
 918
 919
 920
 921
 922
 923
 924
 925
 926
 927
 928
 929
 930
 931
 932
 933
 934
 935
 936
 937
 938
 939
 940
 941
 942
 943
 944
 945
 946
 947
 948
 949
 950
 951
 952
 953
 954
 955
 956
 957
 958
 959
 960
 961
 962
 963
 964
 965
 966
 967
 968
 969
 970
 971
 972
 973
 974
 975
 976
 977
 978
 979
 980
 981
 982
 983
 984
 985
 986
 987
 988
 989
 990
 991
 992
 993
 994
 995
 996
 997
 998
 999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419






Network Working Group                                       J. Strassner
Request for Comments: 3703                        Intelliden Corporation
Category: Standards Track                                       B. Moore
                                                         IBM Corporation
                                                                R. Moats
                                                    Lemur Networks, Inc.
                                                             E. Ellesson
                                                           February 2004


    Policy Core Lightweight Directory Access Protocol (LDAP) Schema

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document defines a mapping of the Policy Core Information Model
   to a form that can be implemented in a directory that uses
   Lightweight Directory Access Protocol (LDAP) as its access protocol.
   This model defines two hierarchies of object classes: structural
   classes representing information for representing and controlling
   policy data as specified in RFC 3060, and relationship classes that
   indicate how instances of the structural classes are related to each
   other.  Classes are also added to the LDAP schema to improve the
   performance of a client's interactions with an LDAP server when the
   client is retrieving large amounts of policy-related information.
   These classes exist only to optimize LDAP retrievals: there are no
   classes in the information model that correspond to them.

Table of Contents

   1.  Introduction .................................................  2
   2.  The Policy Core Information Model ............................  4
   3.  Inheritance Hierarchy for the PCLS ...........................  5
   4.  General Discussion of Mapping the Information Model to LDAP ..  6
       4.1.  Summary of Class and Association Mappings ..............  7
       4.2.  Usage of DIT Content and Structure Rules and Name Forms.  9
       4.3.  Naming Attributes in the PCLS .......................... 10



Strassner, et al.           Standards Track                     [Page 1]

RFC 3703                Policy Core LDAP Schema            February 2004


       4.4.  Rule-Specific and Reusable Conditions and Actions ...... 11
       4.5.  Location and Retrieval of Policy Objects in the
             Directory .............................................. 16
             4.5.1.  Aliases and Other DIT-Optimization Techniques .. 19
   5.  Class Definitions ............................................ 19
       5.1.  The Abstract Class "pcimPolicy" ........................ 21
       5.2.  The Three Policy Group Classes ......................... 22
       5.3.  The Three Policy Rule Classes .......................... 23
       5.4.  The Class pcimRuleConditionAssociation ................. 30
       5.5.  The Class pcimRuleValidityAssociation .................. 32
       5.6.  The Class pcimRuleActionAssociation .................... 34
       5.7.  The Auxiliary Class pcimConditionAuxClass .............. 36
       5.8.  The Auxiliary Class pcimTPCAuxClass .................... 36
       5.9.  The Auxiliary Class pcimConditionVendorAuxClass ........ 40
       5.10. The Auxiliary Class pcimActionAuxClass ................. 41
       5.11. The Auxiliary Class pcimActionVendorAuxClass ........... 42
       5.12. The Class pcimPolicyInstance ........................... 43
       5.13. The Auxiliary Class pcimElementAuxClass ................ 44
       5.14. The Three Policy Repository Classes .................... 45
       5.15. The Auxiliary Class pcimSubtreesPtrAuxClass ............ 46
       5.16. The Auxiliary Class pcimGroupContainmentAuxClass ....... 48
       5.17. The Auxiliary Class pcimRuleContainmentAuxClass ........ 49
   6.  Extending the Classes Defined in This Document ............... 50
       6.1.  Subclassing pcimConditionAuxClass and pcimActionAuxClass 50
       6.2.  Using the Vendor Policy Attributes ..................... 50
       6.3.  Using Time Validity Periods ............................ 51
   7.  Security Considerations ...................................... 51
   8.  IANA Considerations .......................................... 53
       8.1.  Object Identifiers ..................................... 53
       8.2.  Object Identifier Descriptors .......................... 53
   9.  Acknowledgments .............................................. 56
   10. Appendix:  Constructing the Value of orderedCIMKeys .......... 57
   11. References ................................................... 58
       11.1. Normative References ................................... 58
       11.2. Informative References ................................. 59
   12. Authors' Addresses ........................................... 60
   13. Full Copyright Statement ..................................... 61

1.  Introduction

   This document takes as its starting point the object-oriented
   information model for representing information for representing and
   controlling policy data as specified in [1].  Lightweight Directory
   Access Protocol (LDAP) [2] implementers, please note that the use of
   the term "policy" in this document does not refer to the use of the
   term "policy" as defined in X.501 [4].  Rather, the use of the term
   "policy" throughout this document is defined as follows:




Strassner, et al.           Standards Track                     [Page 2]

RFC 3703                Policy Core LDAP Schema            February 2004


      Policy is defined as a set of rules to administer, manage, and
      control access to network resources.

   This work is currently under joint development in the IETF's Policy
   Framework working group and in the Policy working group of the
   Distributed Management Task Force (DMTF).  This model defines two
   hierarchies of object classes: structural classes representing policy
   information and control of policies, and relationship classes that
   indicate how instances of the structural classes are related to each
   other.  In general, both of these class hierarchies will need to be
   mapped to a particular data store.

   This document defines the mapping of these information model classes
   to a directory that uses LDAP as its access protocol.  Two types of
   mappings are involved:

      -  For the structural classes in the information model, the
         mapping is basically one-for-one: information model classes map
         to LDAP classes, information model properties map to LDAP
         attributes.

      -  For the relationship classes in the information model,
         different mappings are possible.  In this document, the Policy
         Core Information Model's (PCIM's) relationship classes and
         their properties are mapped in three ways: to LDAP auxiliary
         classes, to attributes representing distinguished name (DN)
         references, and to superior-subordinate relationships in the
         Directory Information Tree (DIT).

   Implementations that use an LDAP directory as their policy repository
   and want to implement policy information according to RFC 3060 [1]
   SHALL use the LDAP schema defined in this document, or a schema that
   subclasses from the schema defined in this document.  The use of the
   information model defined in reference [1] as the starting point
   enables the inheritance and the relationship class hierarchies to be
   extensible, such that other types of policy repositories, such as
   relational databases, can also use this information.

   This document fits into the overall framework for representing,
   deploying, and managing policies being developed by the Policy
   Framework Working Group.

   The LDAP schema described in this document uses the prefix "pcim" to
   identify its classes and attributes.  It consists of ten very general
   classes: pcimPolicy (an abstract class), three policy group classes
   (pcimGroup, pcimGroupAuxClass, and pcimGroupInstance), three policy
   rule classes (pcimRule, pcimRuleAuxClass, and pcimRuleInstance), and
   three special auxiliary classes (pcimConditionAuxClass,



Strassner, et al.           Standards Track                     [Page 3]

RFC 3703                Policy Core LDAP Schema            February 2004


   pcimTPCAuxClass, and pcimActionAuxClass).  (Note that the
   PolicyTimePeriodCondition auxiliary class defined in [1] would
   normally have been named pcimTimePeriodConditionAuxClass, but this
   name is too long for some directories.  Therefore, we have
   abbreviated this name to be pcimTPCAuxClass).

   The mapping for the PCIM classes pcimGroup and pcimRule is designed
   to be as flexible as possible.  Three classes are defined for these
   two PCIM classes.  First, an abstract superclass is defined that
   contains all required properties of each PCIM class.  Then, both an
   auxiliary class as well as a structural class are derived from the
   abstract superclass.  This provides maximum flexibility for the
   developer.

   The schema also contains two less general classes:
   pcimConditionVendorAuxClass and pcimActionVendorAuxClass.  To achieve
   the mapping of the information model's relationships, the schema also
   contains two auxiliary classes: pcimGroupContainmentAuxClass and
   pcimRuleContainmentAuxClass.  Capturing the distinction between
   rule-specific and reusable policy conditions and policy actions
   introduces seven other classes: pcimRuleConditionAssociation,
   pcimRuleValidityAssociation, pcimRuleActionAssociation,
   pcimPolicyInstance, and three policy repository classes
   (pcimRepository, pcimRepositoryAuxClass, and pcimRepositoryInstance).
   Finally, the schema includes two classes (pcimSubtreesPtrAuxClass and
   pcimElementAuxClass) for optimizing LDAP retrievals.  In all, the
   schema contains 23 classes.

   Within the context of this document, the term "PCLS" (Policy Core
   LDAP Schema) is used to refer to the LDAP class definitions that this
   document contains.  The term "PCIM" refers to classes defined in [1].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [10].

2.  The Policy Core Information Model

   This document contains an LDAP schema representing the classes
   defined in the companion document "Policy Core Information
   Model -- Version 1 Specification" [1].  Other documents may
   subsequently be produced, with mappings of this same PCIM to other
   storage technologies.  Since the detailed semantics of the PCIM
   classes appear only in [1], that document is a prerequisite for
   reading and understanding this document.






Strassner, et al.           Standards Track                     [Page 4]

RFC 3703                Policy Core LDAP Schema            February 2004


3.  Inheritance Hierarchy for the PCLS

   The following diagram illustrates the class hierarchy for the LDAP
   Classes defined in this document:

        top
         |
         +--dlm1ManagedElement (abstract)
         |   |
         |   +--pcimPolicy (abstract)
         |   |   |
         |   |   +--pcimGroup (abstract)
         |   |   |  |
         |   |   |  +--pcimGroupAuxClass (auxiliary)
         |   |   |  |
         |   |   |  +--pcimGroupInstance (structural)
         |   |   |
         |   |   +--pcimRule (abstract)
         |   |   |  |
         |   |   |  +--pcimRuleAuxClass (auxiliary)
         |   |   |  |
         |   |   |  +--pcimRuleInstance (structural)
         |   |   |
         |   |   +--pcimRuleConditionAssociation (structural)
         |   |   |
         |   |   +--pcimRuleValidityAssociation (structural)
         |   |   |
         |   |   +--pcimRuleActionAssociation (structural)
         |   |   |
         |   |   +--pcimPolicyInstance (structural)
         |   |   |
         |   |   +--pcimElementAuxClass (auxiliary)
         |   |
         |   +--dlm1ManagedSystemElement (abstract)
         |       |
         |       +--dlm1LogicalElement (abstract)
         |           |
         |           +--dlm1System (abstract)
         |               |
         |               +--dlm1AdminDomain (abstract)
         |                   |
         |                   +--pcimRepository (abstract)
         |                      |
         |                      +--pcimRepositoryAuxClass (auxiliary)







Strassner, et al.           Standards Track                     [Page 5]

RFC 3703                Policy Core LDAP Schema            February 2004


        top
         |                      |
         |                      +--pcimRepositoryInstance
         |                         (structural)
         |
         +--pcimConditionAuxClass (auxiliary)
         |   |
         |   +---pcimTPCAuxClass (auxiliary)
         |   |
         |   +---pcimConditionVendorAuxClass (auxiliary)
         |
         +--pcimActionAuxClass (auxiliary)
         |   |
         |   +---pcimActionVendorAuxClass (auxiliary)
         |
         +--pcimSubtreesPtrAuxClass (auxiliary)
         |
         +--pcimGroupContainmentAuxClass (auxiliary)
         |
         +--pcimRuleContainmentAuxClass (auxiliary)

         Figure 1.  LDAP Class Inheritance Hierarchy for the PCLS

4.  General Discussion of Mapping the Information Model to LDAP

   The classes described in Section 5 below contain certain
   optimizations for a directory that uses LDAP as its access protocol.
   One example of this is the use of auxiliary classes to represent some
   of the associations defined in the information model.  Other data
   stores might need to implement these associations differently.  A
   second example is the introduction of classes specifically designed
   to optimize retrieval of large amounts of policy-related data from a
   directory.  This section discusses some general topics related to the
   mapping from the information model to LDAP.

   The remainder of this section will discuss the following topics.
   Section 4.1 will discuss the strategy used in mapping the classes and
   associations defined in [1] to a form that can be represented in a
   directory that uses LDAP as its access protocol.  Section 4.2
   discusses DIT content and structure rules, as well as name forms.
   Section 4.3 describes the strategy used in defining naming attributes
   for the schema described in Section 5 of this document.  Section 4.4
   defines the strategy recommended for locating and retrieving
   PCIM-derived objects in the directory.







Strassner, et al.           Standards Track                     [Page 6]

RFC 3703                Policy Core LDAP Schema            February 2004


4.1.  Summary of Class and Association Mappings

   Fifteen of the classes in the PCLS come directly from the nine
   corresponding classes in the information model.  Note that names of
   classes begin with an upper case character in the information model
   (although for CIM in particular, case is not significant in class and
   property names), but with a lower case character in LDAP.  This is
   because although LDAP doesn't care, X.500 doesn't allow class names
   to begin with an uppercase character.  Note also that the prefix
   "pcim" is used to identify these LDAP classes.

      +---------------------------+-------------------------------+
      | Information Model         | LDAP Class(es)                |
      +---------------------------+-------------------------------+
      +---------------------------+-------------------------------+
      | Policy                    | pcimPolicy                    |
      +---------------------------+-------------------------------+
      | PolicyGroup               | pcimGroup                     |
      |                           |   pcimGroupAuxClass           |
      |                           |   pcimGroupInstance           |
      +---------------------------+-------------------------------+
      | PolicyRule                | pcimRule                      |
      |                           |   pcimRuleAuxClass            |
      |                           |   pcimRuleInstance            |
      +---------------------------+-------------------------------+
      | PolicyCondition           | pcimConditionAuxClass         |
      +---------------------------+-------------------------------+
      | PolicyAction              | pcimActionAuxClass            |
      +---------------------------+-------------------------------+
      | VendorPolicyCondition     | pcimConditionVendorAuxClass   |
      +---------------------------+-------------------------------+
      | VendorPolicyAction        | pcimActionVendorAuxClass      |
      +---------------------------+-------------------------------+
      | PolicyTimePeriodCondition | pcimTPCAuxClass               |
      +---------------------------+-------------------------------+
      | PolicyRepository          | pcimRepository                |
      |                           |   pcimRepositoryAuxClass      |
      |                           |   pcimRepositoryInstance      |
      +---------------------------+-------------------------------+

          Figure 2.  Mapping of Information Model Classes to LDAP

   The associations in the information model map to attributes that
   reference DNs (Distinguished Names) or to Directory Information Tree
   (DIT) containment (i.e., superior-subordinate relationships) in LDAP.
   Two of the attributes that reference DNs appear in auxiliary classes,
   which allow each of them to represent several relationships from the
   information model.



Strassner, et al.           Standards Track                     [Page 7]

RFC 3703                Policy Core LDAP Schema            February 2004


+----------------------------------+----------------------------------+
| Information Model Association     | LDAP Attribute / Class          |
+-----------------------------------+---------------------------------+
+-----------------------------------+---------------------------------+
| PolicyGroupInPolicyGroup          | pcimGroupsAuxContainedSet in    |
|                                   |  pcimGroupContainmentAuxClass   |
+-----------------------------------+---------------------------------+
| PolicyRuleInPolicyGroup           | pcimRulesAuxContainedSet in     |
|                                   |  pcimRuleContainmentAuxClass    |
+-----------------------------------+---------------------------------+
| PolicyConditionInPolicyRule       | DIT containment or              |
|                                   | pcimRuleConditionList in        |
|                                   |  pcimRule or                    |
|                                   | pcimConditionDN in              |
|                                   |  pcimRuleConditionAssociation   |
+-----------------------------------+---------------------------------+
| PolicyActionInPolicyRule          | DIT containment or              |
|                                   | pcimRuleActionList in           |
|                                   |  pcimRule or                    |
|                                   | pcimActionDN in                 |
|                                   |  pcimRuleActionAssociation      |
+-----------------------------------+---------------------------------+
| PolicyRuleValidityPeriod          | pcimRuleValidityPeriodList      |
|                                   |  in pcimRule or (if reusable)   |
|                                   |  referenced through the         |
|                                   | pcimTimePeriodConditionDN in    |
|                                   |  pcimRuleValidityAssociation    |
+-----------------------------------+---------------------------------+
| PolicyConditionInPolicyRepository | DIT containment                 |
+-----------------------------------+---------------------------------+
| PolicyActionInPolicyRepository    | DIT containment                 |
+-----------------------------------+---------------------------------+
| PolicyRepositoryInPolicyRepository| DIT containment                 |
+-----------------------------------+---------------------------------+

      Figure 3.  Mapping of Information Model Associations to LDAP

   Of the remaining classes in the PCLS, two (pcimElementAuxClass and
   pcimSubtreesPtrAuxClass) are included to make navigation through the
   DIT and retrieval of the entries found there more efficient.  This
   topic is discussed below in Section 4.5.

   The remaining four classes in the PCLS, pcimRuleConditionAssociation,
   pcimRuleValidityAssociation, pcimRuleActionAssociation, and
   pcimPolicyInstance, are all involved with the representation of
   policy conditions and policy actions in an LDAP directory.  This
   topic is discussed below in Section 4.4.




Strassner, et al.           Standards Track                     [Page 8]

RFC 3703                Policy Core LDAP Schema            February 2004


4.2.  Usage of DIT Content and Structure Rules and Name Forms

   There are three powerful tools that can be used to help define
   schemata. The first, DIT content rules, is a way of defining the
   content of an entry for a structural object class.  It can be used to
   specify the following characteristics of the entry:

      -  additional mandatory attributes that the entries are required
         to contain
      -  additional optional attributes the entries are allowed to
         contain
      -  the set of additional auxiliary object classes that these
         entries are allowed to be members of
      -  any optional attributes from the structural and auxiliary
         object class definitions that the entries are required to
         preclude

   DIT content rules are NOT mandatory for any structural object class.

   A DIT structure rule, together with a name form, controls the
   placement and naming of an entry within the scope of a subschema.
   Name forms define which attribute type(s) are required and are
   allowed to be used in forming the Relative Distinguished Names (RDNs)
   of entries.  DIT structure rules specify which entries are allowed to
   be superior to other entries, and hence control the way that RDNs are
   added together to make DNs.

   A name form specifies the following:

      -  the structural object class of the entries named by this name
         form
      -  attributes that are required to be used in forming the RDNs of
         these entries
      -  attributes that are allowed to be used in forming the RDNs of
         these entries
      -  an object identifier to uniquely identify this name form

   Note that name forms can only be specified for structural object
   classes.  However, every entry in the DIT must have a name form
   controlling it.

   Unfortunately, current LDAP servers vary quite a lot in their support
   of these features.  There are also three crucial implementation
   points that must be followed.  First, X.500 use of structure rules
   requires that a structural object class with no superior structure
   rule be a subschema administrative point.  This is exactly NOT what
   we want for policy information.  Second, when an auxiliary class is
   subclassed, if a content rule exists for the structural class that



Strassner, et al.           Standards Track                     [Page 9]

RFC 3703                Policy Core LDAP Schema            February 2004


   the auxiliary class refers to, then that content rule needs to be
   augmented.  Finally, most LDAP servers unfortunately do not support
   inheritance of structure and content rules.

   Given these concerns, DIT structure and content rules have been
   removed from the PCLS.  This is because, if included, they would be
   normative references and would require OIDs.  However, we don't want
   to lose the insight gained in building the structure and content
   rules of the previous version of the schema.  Therefore, we describe
   where such rules could be used in this schema, what they would
   control, and what their effect would be.

4.3.  Naming Attributes in the PCLS

   Instances in a directory are identified by distinguished names (DNs),
   which provide the same type of hierarchical organization that a file
   system provides in a computer system.  A distinguished name is a
   sequence of RDNs.  An RDN provides a unique identifier for an
   instance within the context of its immediate superior, in the same
   way that a filename provides a unique identifier for a file within
   the context of the folder in which it resides.

   To preserve maximum naming flexibility for policy administrators,
   three optional (i.e., "MAY") naming attributes have been defined.
   They are:

      -  Each of the structural classes defined in this schema has its
         own unique ("MAY") naming attribute.  Since the naming
         attributes are different, a policy administrator can, by using
         these attributes, guarantee that there will be no name
         collisions between instances of different classes, even if the
         same value is assigned to the instances' respective naming
         attributes.

      -  The LDAP attribute cn (corresponding to X.500's commonName) is
         included as a MAY attribute in the abstract class pcimPolicy,
         and thus by inheritance in all of its subclasses.  In X.500,
         commonName typically functions as an RDN attribute, for naming
         instances of many classes (e.g., X.500's person class).

      -  A special attribute is provided for implementations that expect
         to map between native CIM and LDAP representations of policy
         information.  This attribute, called orderedCimKeys, is defined
         in the class dlm1ManagedElement [6].  The value of this
         attribute is derived algorithmically from values that are
         already present in a CIM policy instance.  The normative
         reference for this algorithm is contained in [6].  See the
         appendix of this document for a description of the algorithm.



Strassner, et al.           Standards Track                    [Page 10]

RFC 3703                Policy Core LDAP Schema            February 2004


   Since any of these naming attributes MAY be used for naming an
   instance of a PCLS class, implementations MUST be able to accommodate
   instances named in any of these ways.

   Note that it is recommended that two or more of these attributes
   SHOULD NOT be used together to form a multi-part RDN, since support
   for multi-part RDNs is limited among existing directory
   implementations.

4.4.  Rule-Specific and Reusable Conditions and Actions

   The PCIM [1] distinguishes between two types of policy conditions and
   policy actions:  those associated with a single policy rule, and
   those that are reusable, in the sense that they may be associated
   with more than one policy rule.  While there is no inherent
   functional difference between a rule-specific condition or action and
   a reusable one, there is both a usage, as well as, an implementation
   difference between them.

   Defining a condition or action as reusable vs. rule-specific reflects
   a conscious decision on the part of the administrator in defining how
   they are used.  In addition, there are variations that reflect
   implementing rule-specific vs. reusable policy conditions and actions
   and how they are treated in a policy repository.  The major
   implementation differences between a rule-specific and a reusable
   condition or action are delineated below:

   1.  It is natural for a rule-specific condition or action to be
       removed from the policy repository at the same time the rule is.
       It is just the opposite for reusable conditions and actions.
       This is because the condition or action is conceptually attached
       to the rule in the rule-specific case, whereas it is referenced
       (e.g., pointed at) in the reusable case.  The persistence of a
       pcimRepository instance is independent of the persistence of a
       pcimRule instance.
   2.  Access permissions for a rule-specific condition or action are
       usually identical to those for the rule itself.  On the other
       hand, access permissions of reusable conditions and actions must
       be expressible without reference to a policy rule.
   3.  Rule-specific conditions and actions require fewer accesses,
       because the conditions and actions are "attached" to the rule.
       In contrast, reusable conditions and actions require more
       accesses, because each condition or action that is reusable
       requires a separate access.
   4.  Rule-specific conditions and actions are designed for use by a
       single rule.  As the number of rules that use the same
       rule-specific condition increase, subtle problems are created
       (the most obvious being how to keep the rule-specific conditions



Strassner, et al.           Standards Track                    [Page 11]

RFC 3703                Policy Core LDAP Schema            February 2004


       and actions updated to reflect the same value).  Reusable
       conditions and actions lend themselves for use by multiple
       independent rules.
   5.  Reusable conditions and actions offer an optimization when
       multiple rules are using the same condition or action.  This is
       because the reusable condition or action only needs be updated
       once, and by virtue of DN reference, the policy rules will be
       automatically updated.

   The preceding paragraph does not contain an exhaustive list of the
   ways in which reusable and rule-specific conditions should be treated
   differently.  Its purpose is merely to justify making a semantic
   distinction between rule-specific and reusable, and then reflecting
   this distinction in the policy repository itself.

   When the policy repository is realized in an LDAP-accessible
   directory, the distinction between rule-specific and reusable
   conditions and actions is realized via placement of auxiliary classes
   and via DIT containment.  Figure 4 illustrates a policy rule Rule1
   with one rule-specific condition CA and one rule-specific action AB.

                    +-----+
                    |Rule1|
                    |     |
              +-----|-   -|-----+
              |     +-----+     |
              |       * *       |
              |       * *       |
              |    **** ****    |
              |    *       *    |
              v    *       *    v
            +--------+   +--------+
            | CA+ca  |   | AB+ab  |
            +--------+   +--------+


                          +------------------------------+
                          |LEGEND:                       |
                          |  ***** DIT containment       |
                          |    +   auxiliary attachment  |
                          |  ----> DN reference          |
                          +------------------------------+

           Figure 4  Rule-Specific Policy Conditions and Actions







Strassner, et al.           Standards Track                    [Page 12]

RFC 3703                Policy Core LDAP Schema            February 2004


   Because the condition and action are specific to Rule1, the auxiliary
   classes ca and ab that represent them are attached, respectively, to
   the structural classes CA and AB.  These structural classes represent
   not the condition ca and action ab themselves, but rather the
   associations between Rule1 and ca, and between Rule1 and ab.

   As Figure 4 illustrates, Rule1 contains DN references to the
   structural classes CA and AB that appear below it in the DIT.  At
   first glance it might appear that these DN references are
   unnecessary, since a subtree search below Rule1 would find all of the
   structural classes representing the associations between Rule1 and
   its conditions and actions.  Relying only on a subtree search,
   though, runs the risk of missing conditions or actions that should
   have appeared in the subtree, but for some reason did not, or of
   finding conditions or actions that were inadvertently placed in the
   subtree, or that should have been removed from the subtree, but for
   some reason were not.  Implementation experience has suggested that
   many (but not all) of these risks are eliminated.

   However, it must be noted that this comes at a price.  The use of DN
   references, as shown in Figure 4 above, thwarts inheritance of access
   control information as well as existence dependency information.  It
   also is subject to referential integrity considerations.  Therefore,
   it is being included as an option for the designer.

   Figure 5 illustrates a second way of representing rule-specific
   conditions and actions in an LDAP-accessible directory: attachment of
   the auxiliary classes directly to the instance representing the
   policy rule.  When all of the conditions and actions are attached to
   a policy rule in this way, the rule is termed a "simple" policy rule.
   When conditions and actions are not attached directly to a policy
   rule, the rule is termed a "complex" policy rule.

                    +-----------+
                    |Rule1+ca+ab|
                    |           |
                    +-----------+

                          +------------------------------+
                          |LEGEND:                       |
                          |    +   auxiliary attachment  |
                          +------------------------------+

                      Figure 5.  A Simple Policy Rule







Strassner, et al.           Standards Track                    [Page 13]

RFC 3703                Policy Core LDAP Schema            February 2004


   The simple/complex distinction for a policy rule is not all or
   nothing.  A policy rule may have its conditions attached to itself
   and its actions attached to other entries, or it may have its actions
   attached to itself and its conditions attached to other entries.
   However, it SHALL NOT have either its conditions or its actions
   attached both to itself and to other entries, with one exception:  a
   policy rule may reference its validity periods with the
   pcimRuleValidityPeriodList attribute, but have its other conditions
   attached to itself.

   The tradeoffs between simple and complex policy rules are between the
   efficiency of simple rules and the flexibility and greater potential
   for reuse of complex rules.  With a simple policy rule, the semantic
   options are limited:

   -   All conditions are ANDed together.  This combination can be
       represented in two ways in the Disjunctive Normal Form (DNF)/
       Conjunctive Normal Form (CNF) (please see [1] for definitions of
       these terms) expressions characteristic of policy conditions:  as
       a DNF expression with a single AND group, or as a CNF expression
       with multiple single-condition OR groups.  The first of these is
       arbitrarily chosen as the representation for the ANDed conditions
       in a simple policy rule.

   -   If multiple actions are included, no order can be specified for
       them.

   If a policy administrator needs to combine conditions in some other
   way, or if there is a set of actions that must be ordered, then the
   only option is to use a complex policy rule.

   Finally, Figure 6 illustrates the same policy rule Rule1, but this
   time its condition and action are reusable.  The association classes
   CA and AB are still present, and they are still DIT contained under
   Rule1.  But rather than having the auxiliary classes ca and ab
   attached directly to the association classes CA and AB, each now
   contains DN references to other entries to which these auxiliary
   classes are attached.  These other entries, CIA and AIB, are DIT
   contained under RepositoryX, which is an instance of the class
   pcimRepository.  Because they are named under an instance of
   pcimRepository, ca and ab are clearly identified as reusable.










Strassner, et al.           Standards Track                    [Page 14]

RFC 3703                Policy Core LDAP Schema            February 2004


                   +-----+             +-------------+
                   |Rule1|             | RepositoryX |
                 +-|-   -|--+          |             |
                 | +-----+  |          +-------------+
                 |   * *    |             *       *
                 |   * *    |             *       *
                 | *** **** |             *       *
                 | *      * v             *       *
                 | *     +---+            *       *
                 | *     |AB |         +------+   *
                 v *     |  -|-------->|AIB+ab|   *
                +---+    +---+         +------+   *
                |CA |                         +------+
                |  -|------------------------>|CIA+ca|
                +---+                         +------+

                          +------------------------------+
                          |LEGEND:                       |
                          |  ***** DIT containment       |
                          |    +   auxiliary attachment  |
                          |  ----> DN reference          |
                          +------------------------------+

             Figure 6.  Reusable Policy Conditions and Actions

   The classes pcimConditionAuxClass and pcimActionAuxClass do not
   themselves represent actual conditions and actions:  these are
   introduced in their subclasses.  What pcimConditionAuxClass and
   pcimActionAuxClass do introduce are the semantics of being a policy
   condition or a policy action.  These are the semantics that all the
   subclasses of pcimConditionAuxClass and pcimActionAuxClass inherit.
   Among these semantics are those of representing either a
   rule-specific or a reusable policy condition or policy action.

   In order to preserve the ability to represent a rule-specific or a
   reusable condition or action, as well as a simple policy rule, all
   the subclasses of pcimConditionAuxClass and pcimActionAuxClass MUST
   also be auxiliary classes.













Strassner, et al.           Standards Track                    [Page 15]

RFC 3703                Policy Core LDAP Schema            February 2004


4.5.  Location and Retrieval of Policy Objects in the Directory

   When a Policy Decision Point (PDP) goes to an LDAP directory to
   retrieve the policy object instances relevant to the Policy
   Enforcement Points (PEPs) it serves, it is faced with two related
   problems:

   -   How does it locate and retrieve the directory entries that apply
       to its PEPs?  These entries may include instances of the PCLS
       classes, instances of domain-specific subclasses of these
       classes, and instances of other classes modeling such resources
       as user groups, interfaces, and address ranges.

   -   How does it retrieve the directory entries it needs in an
       efficient manner, so that retrieval of policy information from
       the directory does not become a roadblock to scalability?  There
       are two facets to this efficiency:  retrieving only the relevant
       directory entries, and retrieving these entries using as few LDAP
       calls as possible.

   The placement of objects in the Directory Information Tree (DIT)
   involves considerations other than how the policy-related objects
   will be retrieved by a PDP.  Consequently, all that the PCLS can do
   is to provide a "toolkit" of classes to assist the policy
   administrator as the DIT is being designed and built.  A PDP SHOULD
   be able to take advantage of any tools that the policy administrator
   is able to build into the DIT, but it MUST be able to use a less
   efficient means of retrieval if that is all it has available to it.

   The basic idea behind the LDAP optimization classes is a simple one:
   make it possible for a PDP to retrieve all the policy-related objects
   it needs, and only those objects, using as few LDAP calls as
   possible.  An important assumption underlying this approach is that
   the policy administrator has sufficient control over the underlying
   DIT structure to define subtrees for storing policy information.  If
   the policy administrator does not have this level of control over DIT
   structure, a PDP can still retrieve the policy-related objects it
   needs individually.  But it will require more LDAP access operations
   to do the retrieval in this way.  Figure 7 illustrates how LDAP
   optimization is accomplished.











Strassner, et al.           Standards Track                    [Page 16]

RFC 3703                Policy Core LDAP Schema            February 2004


                       +-----+
      ---------------->|  A  |
      DN reference to  |     |    DN references to subtrees   +---+
      starting object  +-----+    +-------------------------->| C |
                       |  o--+----+         +---+             +---+
                       |  o--+------------->| B |            /     \
                       +-----+              +---+           /       \
                      /       \            /     \         /   ...   \
                     /         \          /       \
                    /           \        /   ...   \

      Figure 7.  Using the pcimSubtreesPtrAuxClass to Locate Policies

   The PDP is configured initially with a DN reference to some entry in
   the DIT.  The structural class of this entry is not important; the
   PDP is interested only in the pcimSubtreesPtrAuxClass attached to it.
   This auxiliary class contains a multi-valued attribute with DN
   references to objects that anchor subtrees containing policy-related
   objects of interest to the PDP.  Since pcimSubtreesPtrAuxClass is an
   auxiliary class, it can be attached to an entry that the PDP would
   need to access anyway - perhaps an entry containing initial
   configuration settings for the PDP, or for a PEP that uses the PDP.

   Once it has retrieved the DN references, the PDP will direct to each
   of the objects identified by them an LDAP request that all entries in
   its subtree be evaluated against the selection criteria specified in
   the request.  The LDAP-enabled directory then returns all entries in
   that subtree that satisfy the specified criteria.

   The selection criteria always specify that object class="pcimPolicy".
   Since all classes representing policy rules, policy conditions, and
   policy actions, both in the PCLS and in any domain-specific schema
   derived from it, are subclasses of the abstract class policy, this
   criterion evaluates to TRUE for all instances of these classes.  To
   accommodate special cases where a PDP needs to retrieve objects that
   are not inherently policy-related (for example, an IP address range
   object referenced by a subclass of pcimActionAuxClass representing
   the DHCP action "assign from this address range"), the auxiliary
   class pcimElementAuxClass can be used to "tag" an entry, so that it
   will be found by the selection criterion "object class=pcimPolicy".

   The approach described in the preceding paragraph will not work for
   certain directory implementations, because these implementations do
   not support matching of auxiliary classes in the objectClass
   attribute.  For environments where these implementations are expected
   to be present, the "tagging" of entries as relevant to policy can be





Strassner, et al.           Standards Track                    [Page 17]

RFC 3703                Policy Core LDAP Schema            February 2004


   accomplished by inserting the special value "POLICY" into the list of
   values contained in the pcimKeywords attribute (provided by the
   pcimPolicy class).

   If a PDP needs only a subset of the policy-related objects in the
   indicated subtrees, then it can be configured with additional
   selection criteria based on the pcimKeywords attribute defined in the
   pcimPolicy class.  This attribute supports both standardized and
   administrator- defined values.  For example, a PDP could be
   configured to request only those policy-related objects containing
   the keywords "DHCP" and "Eastern US".

   To optimize what is expected to be a typical case, the initial
   request from the client includes not only the object to which its
   "seed" DN references, but also the subtree contained under this
   object.  The filter for searching this subtree is whatever the client
   is going to use later to search the other subtrees:  object
   class="pcimPolicy" or the presence of the keyword "POLICY", and/or
   presence of a more specific value of pcimKeywords (e.g., "QoS Edge
   Policy").

   Returning to the example in Figure 7, we see that in the best case, a
   PDP can get all the policy-related objects it needs, and only those
   objects, with exactly three LDAP requests:  one to its starting
   object A to get the references to B and C, as well as the
   policy-related objects it needs from the subtree under A, and then
   one each to B and C to get all the policy-related objects that pass
   the selection criteria with which it was configured.  Once it has
   retrieved all of these objects, the PDP can then traverse their
   various DN references locally to understand the semantic
   relationships among them.  The PDP should also be prepared to find a
   reference to another subtree attached to any of the objects it
   retrieves, and to follow this reference first, before it follows any
   of the semantically significant references it has received.  This
   recursion permits a structured approach to identifying related
   policies.  In Figure 7, for example, if the subtree under B includes
   departmental policies and the one under C includes divisional
   policies, then there might be a reference from the subtree under C to
   an object D that roots the subtree of corporate-level policies.

   A PDP SHOULD understand the pcimSubtreesPtrAuxClass class, SHOULD be
   capable of retrieving and processing the entries in the subtrees it
   references, and SHOULD be capable of doing all of this recursively.
   The same requirements apply to any other entity needing to retrieve
   policy information from the directory.  Thus, a Policy Management
   Tool that retrieves policy entries from the directory in order to
   perform validation and conflict detection SHOULD also understand and
   be capable of using the pcimSubtreesPtrAuxClass.  All of these



Strassner, et al.           Standards Track                    [Page 18]

RFC 3703                Policy Core LDAP Schema            February 2004


   requirements are "SHOULD"s rather than "MUST"s because an LDAP client
   that doesn't implement them can still access and retrieve the
   directory entries it needs.  The process of doing so will just be
   less efficient than it would have been if the client had implemented
   these optimizations.

   When it is serving as a tool for creating policy entries in the
   directory, a Policy Management Tool SHOULD support creation of
   pcimSubtreesPtrAuxClass entries and their references to object
   instances.

4.5.1.  Aliases and Other DIT-Optimization Techniques

   Additional flexibility in DIT structure is available to the policy
   administrator via LDAP aliasing and other techniques.  Previous
   versions of this document have used aliases.  However, because
   aliases are experimental, the use of aliases has been removed from
   this version of this document.  This is because the IETF has yet to
   produce a specification on how aliases are represented in the
   directory or how server implementations are to process aliases.

5.  Class Definitions

   The semantics for the policy information classes that are to be
   mapped directly from the information model to an LDAP representation
   are detailed in [1].  Consequently, all that this document presents
   for these classes is the specification for how to do the mapping from
   the information model (which is independent of repository type and
   access protocol) to a form that can be accessed using LDAP.  Remember
   that some new classes needed to be created (that were not part of
   [1]) to implement the LDAP mapping.  These new LDAP-only classes are
   fully documented in this document.

   The formal language for specifying the classes, attributes, and DIT
   structure and content rules is that defined in reference [3].  If
   your implementation does not support auxiliary class inheritance, you
   will have to list auxiliary classes in content rules explicitly or
   define them in another (implementation-specific) way.

   The following notes apply to this section in its entirety.

   Note 1: in the following definitions, the class and attribute
   definitions follow RFC 2252 [3] but they are line-wrapped to enhance
   human readability.

   Note 2: where applicable, the possibilities for specifying DIT
   structure and content rules are noted.  However, care must be taken
   in specifying DIT structure rules.  This is because X.501 [4] states



Strassner, et al.           Standards Track                    [Page 19]

RFC 3703                Policy Core LDAP Schema            February 2004


   that an entry may only exist in the DIT as a subordinate to another
   superior entry (the superior) if a DIT structure rule exists in the
   governing subschema which:

   1)  indicates a name form for the structural object class of the
       subordinate entry, and
   2)  either includes the entry's superior structure rule as a possible
       superior structure rule, or
   3)  does not specify a superior structure rule.

   If this last case (3) applies, then the entry is defined to be a
   subschema administrative point.  This is not what is desired.
   Therefore, care must be taken in defining structure rules, and in
   particular, they must be locally augmented.

   Note 3: Wherever possible, both an equality and a substring matching
   rule are defined for a particular attribute (as well as an ordering
   match rule to enable sorting of matching results).  This provides two
   different choices for the developer for maximum flexibility.

   For example, consider the pcimRoles attribute (section 5.3).  Suppose
   that a PEP has reported that it is interested in pcimRules for three
   roles R1, R2, and R3.  If the goal is to minimize queries, then the
   PDP can supply three substring filters containing the three role
   names.

   These queries will return all of the pcimRules that apply to the PEP,
   but they may also get some that do not apply (e.g., ones that contain
   one of the roles R1, R2, or R3 and one or more other roles present in
   a role-combination [1]).

   Another strategy would be for the PDP to use only equality filters.
   This approach eliminates the extraneous replies, but it requires the
   PDP to explicitly build the desired role-combinations itself.  It
   also requires extra queries.  Note that this approach is practical
   only because the role names in a role combination are required to
   appear in alphabetical order.

   Note 4: in the following definitions, note that all LDAP matching
   rules are defined in [3] and in [9].  The corresponding X.500
   matching rules are defined in [8].

   Note 5: some of the following attribute definitions specify
   additional constraints on various data types (e.g., this integer has
   values that are valid  from 1..10).  Text has been added to instruct
   servers and applications what to do if a value outside of this range





Strassner, et al.           Standards Track                    [Page 20]

RFC 3703                Policy Core LDAP Schema            February 2004


   is encountered.  In all cases, if a constraint is violated, then the
   policy rule SHOULD be treated as being disabled, meaning that
   execution of the policy rule SHOULD be stopped.

5.1.  The Abstract Class pcimPolicy

   The abstract class pcimPolicy is a direct mapping of the abstract
   class Policy from the PCIM.  The class value "pcimPolicy" is also
   used as the mechanism for identifying policy-related instances in the
   Directory Information Tree.  An instance of any class may be "tagged"
   with this class value by attaching to it the auxiliary class
   pcimElementAuxClass.  Since pcimPolicy is derived from the class
   dlm1ManagedElement defined in reference [6], this specification has a
   normative dependency on that element of reference [6].

   The class definition is as follows:

       ( 1.3.6.1.1.6.1.1 NAME 'pcimPolicy'
         DESC 'An abstract class that is the base class for all classes
               that describe policy-related instances.'
         SUP dlm1ManagedElement
         ABSTRACT
         MAY ( cn $ dlmCaption $ dlmDescription $ orderedCimKeys $
               pcimKeywords )
       )

   The attribute cn is defined in RFC 2256 [7].  The dlmCaption,
   dlmDescription, and orderedCimKeys attributes are defined in [6].

   The pcimKeywords attribute is a multi-valued attribute that contains
   a set of keywords to assist directory clients in locating the policy
   objects identified by these keywords.  It is defined as follows:

       ( 1.3.6.1.1.6.2.3 NAME 'pcimKeywords'
              DESC 'A set of keywords to assist directory clients in
                    locating the policy objects applicable to them.'
              EQUALITY caseIgnoreMatch
              ORDERING caseIgnoreOrderingMatch
              SUBSTR caseIgnoreSubstringsMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       )










Strassner, et al.           Standards Track                    [Page 21]

RFC 3703                Policy Core LDAP Schema            February 2004


5.2.  The Three Policy Group Classes

   PCIM [1] defines the PolicyGroup class to serve as a generalized
   aggregation mechanism, enabling PolicyRules and/or PolicyGroups to be
   aggregated together.  PCLS maps this class into three LDAP classes,
   called pcimGroup, pcimGroupAuxClass, and pcimGroupInstance.  This is
   done in order to provide maximum flexibility for the DIT designer.

   The class definitions for the three policy group classes are listed
   below.  These class definitions do not include attributes to realize
   the PolicyRuleInPolicyGroup and PolicyGroupInPolicyGroup associations
   from the PCIM.  This is because a pcimGroup object refers to
   instances of pcimGroup and pcimRule via, respectively, the attribute
   pcimGroupsAuxContainedSet in the pcimGroupContainmentAuxClass object
   class and the attribute pcimRulesAuxContainedSet in the
   pcimRuleContainmentAuxClass object class.

   To maximize flexibility, the pcimGroup class is defined as abstract.
   The subclass pcimGroupAuxClass provides for auxiliary attachment to
   another entry, while the structural subclass pcimGroupInstance is
   available to represent a policy group as a standalone entry.

   The class definitions are as follows.  First, the definition of the
   abstract class pcimGroup:

       ( 1.3.6.1.1.6.1.2 NAME 'pcimGroup'
              DESC 'A container for a set of related pcimRules and/or
                    a set of related pcimGroups.'
              SUP pcimPolicy
              ABSTRACT
              MAY ( pcimGroupName )
       )

   The one attribute of pcimGroup is pcimGroupName.  This attribute is
   used to define a user-friendly name of this policy group, and may be
   used as a naming attribute if desired.  It is defined as follows:

       ( 1.3.6.1.1.6.2.4 NAME 'pcimGroupName'
              DESC 'The user-friendly name of this policy group.'
              EQUALITY caseIgnoreMatch
              ORDERING caseIgnoreOrderingMatch
              SUBSTR caseIgnoreSubstringsMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
              SINGLE-VALUE
       )






Strassner, et al.           Standards Track                    [Page 22]

RFC 3703                Policy Core LDAP Schema            February 2004


   The two subclasses of pcimGroup are defined as follows.  The class
   pcimGroupAuxClass is an auxiliary class that can be used to collect a
   set of related pcimRule and/or pcimGroup classes.  It is defined as
   follows:

       ( 1.3.6.1.1.6.1.3 NAME 'pcimGroupAuxClass'
              DESC 'An auxiliary class that collects a set of related
                    pcimRule and/or pcimGroup entries.'
              SUP pcimGroup
              AUXILIARY
       )

   The class pcimGroupInstance is a structural class that can be used to
   collect a set of related pcimRule and/or pcimGroup classes.  It is
   defined as follows:

       ( 1.3.6.1.1.6.1.4 NAME 'pcimGroupInstance'
              DESC 'A structural class that collects a set of related
                    pcimRule and/or pcimGroup entries.'
              SUP pcimGroup
              STRUCTURAL
       )

   A DIT content rule could be written to enable an instance of
   pcimGroupInstance to have attached to it either references to one or
   more policy groups (using pcimGroupContainmentAuxClass) or references
   to one or more policy rules (using pcimRuleContainmentAuxClass).
   This would be used to formalize the semantics of the PolicyGroup
   class [1].  Since these semantics do not include specifying any
   properties of the PolicyGroup class, the content rule would not need
   to specify any attributes.

   Similarly, three separate DIT structure rules could be written, each
   of which would refer to a specific name form that identified one of
   the three possible naming attributes (i.e., pcimGroupName, cn, and
   orderedCIMKeys) for the pcimGroup object class.  This structure rule
   SHOULD include a superiorStructureRule (see Note 2 at the beginning
   of section 5).  The three name forms referenced by the three
   structure rules would each define one of the three naming attributes.

5.3.  The Three Policy Rule Classes

   The information model defines a PolicyRule class to represent the "If
   Condition then Action" semantics associated with processing policy
   information.  For maximum flexibility, the PCLS maps this class into
   three LDAP classes.





Strassner, et al.           Standards Track                    [Page 23]

RFC 3703                Policy Core LDAP Schema            February 2004


   To maximize flexibility, the pcimRule class is defined as abstract.
   The subclass pcimRuleAuxClass provides for auxiliary attachment to
   another entry, while the structural subclass pcimRuleInstance is
   available to represent a policy rule as a standalone entry.

   The conditions and actions associated with a policy rule are modeled,
   respectively, with auxiliary subclasses of the auxiliary classes
   pcimConditionAuxClass and pcimActionAuxClass.  Each of these
   auxiliary subclasses is attached to an instance of one of three
   structural classes.  A subclass of pcimConditionAuxClass is attached
   to an instance of pcimRuleInstance, to an instance of
   pcimRuleConditionAssociation, or to an instance of
   pcimPolicyInstance.  Similarly, a subclass of pcimActionAuxClass is
   attached to an instance of pcimRuleInstance, to an instance of
   pcimRuleActionAssociation, or to an instance of pcimPolicyInstance.

   The pcimRuleValidityPeriodList attribute (defined below) realizes the
   PolicyRuleValidityPeriod association defined in the PCIM.  Since this
   association has no additional properties besides those that tie the
   association to its associated objects, this association can be
   realized by simply using an attribute.  Thus, the
   pcimRuleValidityPeriodList attribute is simply a multi-valued
   attribute that provides an unordered set of DN references to one or
   more instances of the pcimTPCAuxClass, indicating when the policy
   rule is scheduled to be active and when it is scheduled to be
   inactive.  A policy rule is scheduled to be active if it is active
   according to AT LEAST ONE of the pcimTPCAuxClass instances referenced
   by this attribute.

   The PolicyConditionInPolicyRule and PolicyActionInPolicyRule
   associations, however, do have additional attributes.  The
   association PolicyActionInPolicyRule defines an integer attribute to
   sequence the actions, and the association PolicyConditionInPolicyRule
   has both an integer attribute to group the condition terms as well as
   a Boolean property to specify whether a condition is to be negated.

   In the PCLS, these additional association attributes are represented
   as attributes of two classes introduced specifically to model these
   associations.  These classes are the pcimRuleConditionAssociation
   class and the pcimRuleActionAssociation class, which are defined in
   Sections 5.4 and 5.5, respectively.  Thus, they do not appear as
   attributes of the class pcimRule.  Instead, the pcimRuleConditionList
   and pcimRuleActionList attributes can be used to reference these
   classes.







Strassner, et al.           Standards Track                    [Page 24]

RFC 3703                Policy Core LDAP Schema            February 2004


   The class definitions for the three pcimRule classes are as follows.

   The abstract class pcimRule is a base class for representing the "If
   Condition then Action" semantics associated with a policy rule.  It
   is defined as follows:

     ( 1.3.6.1.1.6.1.5 NAME 'pcimRule'
            DESC 'The base class for representing the "If Condition
                  then Action" semantics associated with a policy rule.'
            SUP pcimPolicy
            ABSTRACT
            MAY ( pcimRuleName $ pcimRuleEnabled $
                  pcimRuleConditionListType $ pcimRuleConditionList $
                  pcimRuleActionList $ pcimRuleValidityPeriodList $
                  pcimRuleUsage $ pcimRulePriority $
                  pcimRuleMandatory $ pcimRuleSequencedActions $
                  pcimRoles )
     )

   The PCIM [1] defines seven properties for the PolicyRule class.  The
   PCLS defines eleven attributes for the pcimRule class, which is the
   LDAP equivalent of the PolicyRule class.  Of these eleven attributes,
   seven are mapped directly from corresponding properties in PCIM's
   PolicyRule class.  The remaining four attributes are a class-specific
   optional naming attribute, and three attributes used to realize the
   three associations that the pcimRule class participates in.

   The pcimRuleName attribute is used as a user-friendly name of this
   policy rule, and can also serve as the class-specific optional naming
   attribute.  It is defined as follows:

        ( 1.3.6.1.1.6.2.5 NAME 'pcimRuleName'
               DESC 'The user-friendly name of this policy rule.'
               EQUALITY caseIgnoreMatch
               ORDERING caseIgnoreOrderingMatch
               SUBSTR caseIgnoreSubstringsMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
               SINGLE-VALUE
        )

   The pcimRuleEnabled attribute is an integer enumeration indicating
   whether a policy rule is administratively enabled (value=1),
   administratively disabled (value=2), or enabled for debug (value=3).
   It is defined as follows:

        ( 1.3.6.1.1.6.2.6 NAME 'pcimRuleEnabled'
               DESC 'An integer indicating whether a policy rule is
                     administratively enabled (value=1), disabled



Strassner, et al.           Standards Track                    [Page 25]

RFC 3703                Policy Core LDAP Schema            February 2004


                     (value=2), or enabled for debug (value=3).'
               EQUALITY integerMatch
               ORDERING integerOrderingMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
               SINGLE-VALUE
        )

   Note: All other values for the pcimRuleEnabled attribute are
   considered errors, and the administrator SHOULD treat this rule as
   being disabled if an invalid value is found.

   The pcimRuleConditionListType attribute is used to indicate whether
   the list of policy conditions associated with this policy rule is in
   disjunctive normal form (DNF, value=1) or conjunctive normal form
   (CNF, value=2).  It is defined as follows:

     ( 1.3.6.1.1.6.2.7 NAME 'pcimRuleConditionListType'
            DESC 'A value of 1 means that this policy rule is in
                  disjunctive normal form; a value of 2 means that this
                  policy rule is in conjunctive normal form.'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
     )

   Note: any value other than 1 or 2 for the pcimRuleConditionListType
   attribute is considered an error.  Administrators SHOULD treat this
   rule as being disabled if an invalid value is found, since it is
   unclear how to structure the condition list.

   The pcimRuleConditionList attribute is a multi-valued attribute that
   is used to realize the policyRuleInPolicyCondition association
   defined in [1].  It contains a set of DNs of
   pcimRuleConditionAssociation entries representing associations
   between this policy rule and its conditions.  No order is implied.
   It is defined as follows:

     ( 1.3.6.1.1.6.2.8 NAME 'pcimRuleConditionList'
            DESC 'Unordered set of DNs of pcimRuleConditionAssociation
                  entries representing associations between this policy
                  rule and its conditions.'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )






Strassner, et al.           Standards Track                    [Page 26]

RFC 3703                Policy Core LDAP Schema            February 2004


   The pcimRuleActionList attribute is a multi-valued attribute that is
   used to realize the policyRuleInPolicyAction association defined in
   [1].  It contains a set of DNs of pcimRuleActionAssociation entries
   representing associations between this policy rule and its actions.
   No order is implied.  It is defined as follows:

     ( 1.3.6.1.1.6.2.9 NAME 'pcimRuleActionList'
            DESC 'Unordered set of DNs of pcimRuleActionAssociation
                  entries representing associations between this policy
                  rule and its actions.'
           EQUALITY distinguishedNameMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

   The pcimRuleValidityPeriodList attribute is a multi-valued attribute
   that is used to realize the pcimRuleValidityPeriod association that
   is defined in [1].  It contains a set of DNs of
   pcimRuleValidityAssociation entries that determine when the pcimRule
   is scheduled to be active or inactive.  No order is implied.  It is
   defined as follows:

     ( 1.3.6.1.1.6.2.10 NAME 'pcimRuleValidityPeriodList'
            DESC 'Unordered set of DNs of pcimRuleValidityAssociation
                  entries that determine when the pcimRule is scheduled
                  to be active or inactive.'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

   The pcimRuleUsage attribute is a free-form string providing
   guidelines on how this policy should be used.  It is defined as
   follows:

     ( 1.3.6.1.1.6.2.11 NAME 'pcimRuleUsage'
            DESC 'This attribute is a free-form sting providing
                  guidelines on how this policy should be used.'
            EQUALITY caseIgnoreMatch
            ORDERING caseIgnoreOrderingMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE
     )









Strassner, et al.           Standards Track                    [Page 27]

RFC 3703                Policy Core LDAP Schema            February 2004


   The pcimRulePriority attribute is a non-negative integer that is used
   to prioritize this pcimRule relative to other pcimRules.  A larger
   value indicates a higher priority.  It is defined as follows:

     ( 1.3.6.1.1.6.2.12 NAME 'pcimRulePriority'
            DESC 'A non-negative integer for prioritizing this
                  pcimRule relative to other pcimRules.  A larger
                  value indicates a higher priority.'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
     )

   Note: if the value of the pcimRulePriority field is 0, then it SHOULD
   be treated as "don't care".  On the other hand, if the value is
   negative, then it SHOULD be treated as an error and Administrators
   SHOULD treat this rule as being disabled.

   The pcimRuleMandatory attribute is a Boolean attribute that, if TRUE,
   indicates that for this policy rule, the evaluation of its conditions
   and execution of its actions (if the condition is satisfied) is
   required.  If it is FALSE, then the evaluation of its conditions and
   execution of its actions (if the condition is satisfied) is not
   required.  This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.13 NAME 'pcimRuleMandatory'
            DESC 'If TRUE, indicates that for this policy rule, the
                  evaluation of its conditions and execution of its
                  actions (if the condition is satisfied) is required.'
            EQUALITY booleanMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
            SINGLE-VALUE
     )

   The pcimRuleSequencedActions attribute is an integer enumeration that
   is used to indicate that the ordering of actions defined by the
   pcimActionOrder attribute is either  mandatory(value=1),
   recommended(value=2), or dontCare(value=3).  It is defined as
   follows:

     ( 1.3.6.1.1.6.2.14 NAME 'pcimRuleSequencedActions'
            DESC 'An integer enumeration indicating that the ordering of
                  actions defined by the pcimActionOrder attribute is
                  mandatory(1), recommended(2), or dontCare(3).'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch




Strassner, et al.           Standards Track                    [Page 28]

RFC 3703                Policy Core LDAP Schema            February 2004


            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
     )

   Note: if the value of pcimRulesSequencedActions field is not one of
   these three values, then Administrators SHOULD treat this rule as
   being disabled.

   The pcimRoles attribute represents the policyRoles property of [1].
   Each value of this attribute represents a role-combination, which is
   a string of the form:
       <RoleName>[&&<RoleName>]* where the individual role names appear
   in alphabetical order according to the collating sequence for UCS-2.
   This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.15 NAME 'pcimRoles'
            DESC 'Each value of this attribute represents a role-
                  combination.'
            EQUALITY caseIgnoreMatch
            ORDERING caseIgnoreOrderingMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     )

   Note: if the value of the pcimRoles attribute does not conform to the
   format "<RoleName>[&&<RoleName>]*" (see Section 6.3.7 of [1]), then
   this attribute is malformed and its policy rule SHOULD be treated as
   being disabled.

   The two subclasses of the pcimRule class are defined as follows.
   First, the pcimRuleAuxClass is an auxiliary class for representing
   the "If Condition then Action" semantics associated with a policy
   rule.  Its class definition is as follows:

     ( 1.3.6.1.1.6.1.6 NAME 'pcimRuleAuxClass'
            DESC 'An auxiliary class for representing the "If Condition
                 then Action" semantics associated with a policy rule.'
            SUP pcimRule
            AUXILIARY
     )

   The pcimRuleInstance is a structural class for representing the "If
   Condition then Action" semantics associated with a policy rule.  Its
   class definition is as follows:

     ( 1.3.6.1.1.6.1.7 NAME 'pcimRuleInstance'
            DESC 'A structural class for representing the "If Condition
                 then Action" semantics associated with a policy rule.'



Strassner, et al.           Standards Track                    [Page 29]

RFC 3703                Policy Core LDAP Schema            February 2004


            SUP pcimRule
            STRUCTURAL
     )

   A DIT content rule could be written to enable an instance of
   pcimRuleInstance to have attached to it either references to one or
   more policy conditions (using pcimConditionAuxClass) or references to
   one or more policy actions (using pcimActionAuxClass).  This would be
   used to formalize the semantics of the PolicyRule class [1].  Since
   these semantics do not include specifying any properties of the
   PolicyRule class, the content rule would not need to specify any
   attributes.

   Similarly, three separate DIT structure rules could be written, each
   of which would refer to a specific name form that identified one of
   its three possible naming attributes (i.e., pcimRuleName, cn, and
   orderedCIMKeys).  This structure rule SHOULD include a
   superiorStructureRule (see Note 2 at the beginning of section 5).
   The three name forms referenced by the three structure rules would
   each define one of the three naming attributes.

5.4.  The Class pcimRuleConditionAssociation

   This class contains attributes to represent the properties of the
   PCIM's PolicyConditionInPolicyRule association.  Instances of this
   class are related to an instance of pcimRule via DIT containment.
   The policy conditions themselves are represented by auxiliary
   subclasses of the auxiliary class pcimConditionAuxClass.  These
   auxiliary classes are attached directly to instances of
   pcimRuleConditionAssociation for rule-specific policy conditions.
   For a reusable policy condition, the policyCondition auxiliary
   subclass is attached to an instance of the class pcimPolicyInstance
   (which is presumably associated with a pcimRepository by DIT
   containment), and the policyConditionDN attribute (of this class) is
   used to reference the reusable policyCondition instance.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.8 NAME 'pcimRuleConditionAssociation'
            DESC 'This class contains attributes characterizing the
                  relationship between a policy rule and one of its
                  policy conditions.'
            SUP pcimPolicy
            MUST ( pcimConditionGroupNumber $ pcimConditionNegated )
            MAY ( pcimConditionName $ pcimConditionDN )
     )





Strassner, et al.           Standards Track                    [Page 30]

RFC 3703                Policy Core LDAP Schema            February 2004


   The attributes of this class are defined as follows.

   The pcimConditionGroupNumber attribute is a non-negative integer.  It
   is used to identify the group to which the condition referenced by
   this association is assigned.  This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.16
            NAME 'pcimConditionGroupNumber'
            DESC 'The number of the group to which a policy condition
                  belongs.  This is used to form the DNF or CNF
                  expression associated with a policy rule.'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
     )

   Note that this number is non-negative.  A negative value for this
   attribute is invalid, and any policy rule that refers to an invalid
   entry SHOULD be treated as being disabled.

   The pcimConditionNegated attribute is a Boolean attribute that
   indicates whether this policy condition is to be negated or not.  If
   it is TRUE (FALSE), it indicates that a policy condition IS (IS NOT)
   negated in the DNF or CNF expression associated with a policy rule.
   This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.17
            NAME 'pcimConditionNegated'
            DESC 'If TRUE (FALSE), it indicates that a policy condition
                  IS (IS NOT) negated in the DNF or CNF expression
                  associated with a policy rule.'
            EQUALITY booleanMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
            SINGLE-VALUE
     )

   The pcimConditionName is a user-friendly name for identifying this
   policy condition, and may be used as a naming attribute if desired.
   This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.18
            NAME 'pcimConditionName'
            DESC 'A user-friendly name for a policy condition.'
            EQUALITY caseIgnoreMatch
            ORDERING caseIgnoreOrderingMatch
            SUBSTR caseIgnoreSubstringsMatch




Strassner, et al.           Standards Track                    [Page 31]

RFC 3703                Policy Core LDAP Schema            February 2004


            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE
     )

   The pcimConditionDN attribute is a DN that references an instance of
   a reusable policy condition.  This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.19
            NAME 'pcimConditionDN'
            DESC 'A DN that references an instance of a reusable policy
                  condition.'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE
     )

   A DIT content rule could be written to enable an instance of
   pcimRuleConditionAssociation to have attached to it an instance of
   the auxiliary class pcimConditionAuxClass, or one of its subclasses.
   This would be used to formalize the semantics of the
   PolicyConditionInPolicyRule association.  Specifically, this would be
   used to represent a rule-specific policy condition [1].
   Similarly, three separate DIT structure rules could be written.  Each
   of these DIT structure rules would refer to a specific name form that
   defined two important semantics.  First, each name form would
   identify one of the three possible naming attributes (i.e.,
   pcimConditionName, cn, and orderedCIMKeys) for the
   pcimRuleConditionAssociation object class.  Second, each name form
   would require that an instance of the pcimRuleConditionAssociation
   class have as its superior an instance of the pcimRule class.  This
   structure rule SHOULD also include a superiorStructureRule (see Note
   2 at the beginning of section 5).

5.5.  The Class pcimRuleValidityAssociation

   The policyRuleValidityPeriod aggregation is mapped to the PCLS
   pcimRuleValidityAssociation class.  This class represents the
   scheduled activation and deactivation of a policy rule by binding the
   definition of times that the policy is active to the policy rule
   itself.  The "scheduled" times are either identified through an
   attached auxiliary class pcimTPCAuxClass, or are referenced through
   its pcimTimePeriodConditionDN attribute.

   This class is defined as follows:

     ( 1.3.6.1.1.6.1.9 NAME 'pcimRuleValidityAssociation'
           DESC 'This defines the scheduled activation or deactivation
                 of a policy rule.'



Strassner, et al.           Standards Track                    [Page 32]

RFC 3703                Policy Core LDAP Schema            February 2004


           SUP pcimPolicy
           STRUCTURAL
           MAY ( pcimValidityConditionName $ pcimTimePeriodConditionDN )
     )

   The attributes of this class are defined as follows:

   The pcimValidityConditionName attribute is used to define a
   user-friendly name of this condition, and may be used as a naming
   attribute if desired.  This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.20
            NAME 'pcimValidityConditionName'
            DESC 'A user-friendly name for identifying an instance of
                  a pcimRuleValidityAssociation entry.'
            EQUALITY caseIgnoreMatch
            ORDERING caseIgnoreOrderingMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE
     )

   The pcimTimePeriodConditionDN attribute is a DN that references a
   reusable time period condition.  It is defined as follows:

     ( 1.3.6.1.1.6.2.21
            NAME 'pcimTimePeriodConditionDN'
             DESC 'A reference to a reusable policy time period
                   condition.'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE
     )

   A DIT content rule could be written to enable an instance of
   pcimRuleValidityAssociation to have attached to it an instance of the
   auxiliary class pcimTPCAuxClass, or one of its subclasses.  This
   would be used to formalize the semantics of the
   PolicyRuleValidityPeriod aggregation [1].

   Similarly, three separate DIT structure rules could be written.  Each
   of these DIT structure rules would refer to a specific name form that
   defined two important semantics.  First, each name form would
   identify one of the three possible naming attributes (i.e.,
   pcimValidityConditionName, cn, and orderedCIMKeys) for the
   pcimRuleValidityAssociation object class.  Second, each name form
   would require that an instance of the pcimRuleValidityAssociation
   class have as its superior an instance of the pcimRule class.  This



Strassner, et al.           Standards Track                    [Page 33]

RFC 3703                Policy Core LDAP Schema            February 2004


   structure rule SHOULD also include a superiorStructureRule (see Note
   2 at the beginning of section 5).

5.6.  The Class pcimRuleActionAssociation

   This class contains an attribute to represent the one property of the
   PCIM PolicyActionInPolicyRule association, ActionOrder.  This
   property is used to specify an order for executing the actions
   associated with a policy rule.  Instances of this class are related
   to an instance of pcimRule via DIT containment.  The actions
   themselves are represented by auxiliary subclasses of the auxiliary
   class pcimActionAuxClass.

   These auxiliary classes are attached directly to instances of
   pcimRuleActionAssociation for rule-specific policy actions.  For a
   reusable policy action, the pcimAction auxiliary subclass is attached
   to an instance of the class pcimPolicyInstance (which is presumably
   associated with a pcimRepository by DIT containment), and the
   pcimActionDN attribute (of this class) is used to reference the
   reusable pcimCondition instance.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.10 NAME 'pcimRuleActionAssociation'
            DESC 'This class contains attributes characterizing the
                  relationship between a policy rule and one of its
                  policy actions.'
            SUP pcimPolicy
            MUST ( pcimActionOrder )
            MAY ( pcimActionName $ pcimActionDN )
     )

   The pcimActionName attribute is used to define a user-friendly name
   of this action, and may be used as a naming attribute if desired.
   This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.22
            NAME 'pcimActionName'
            DESC 'A user-friendly name for a policy action.'
            EQUALITY caseIgnoreMatch
            ORDERING caseIgnoreOrderingMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE
     )






Strassner, et al.           Standards Track                    [Page 34]

RFC 3703                Policy Core LDAP Schema            February 2004


   The pcimActionOrder attribute is an unsigned integer that is used to
   indicate the relative position of an action in a sequence of actions
   that are associated with a given policy rule.  When this number is
   positive, it indicates a place in the sequence of actions to be
   performed, with smaller values indicating earlier positions in the
   sequence.  If the value is zero, then this indicates that the order
   is irrelevant.  Note that if two or more actions have the same
   non-zero value, they may be performed in any order as long as they
   are each performed in the correct place in the overall sequence of
   actions.  This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.23
            NAME 'pcimActionOrder'
            DESC 'An integer indicating the relative order of an action
                  in the context of a policy rule.'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
     )

   Note: if the value of the pcimActionOrder field is negative, then it
   SHOULD be treated as an error and any policy rule that refers to such
   an entry SHOULD be treated as being disabled.

   The pcimActionDN attribute is a DN that references a reusable policy
   action.  It is defined as follows:

     ( 1.3.6.1.1.6.2.24
            NAME 'pcimActionDN'
            DESC 'A DN that references a reusable policy action.'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE
     )

   A DIT content rule could be written to enable an instance of
   pcimRuleActionAssociation to have attached to it an instance of the
   auxiliary class pcimActionAuxClass, or one of its subclasses.  This
   would be used to formalize the semantics of the
   PolicyActionInPolicyRule association.  Specifically, this would be
   used to represent a rule-specific policy action [1].

   Similarly, three separate DIT structure rules could be written.  Each
   of these DIT structure rules would refer to a specific name form that
   defined two important semantics.  First, each name form would
   identify one of the three possible naming attributes (i.e.,
   pcimActionName, cn, and orderedCIMKeys) for the



Strassner, et al.           Standards Track                    [Page 35]

RFC 3703                Policy Core LDAP Schema            February 2004


   pcimRuleActionAssociation object class.  Second, each name form would
   require that an instance of the pcimRuleActionAssociation class have
   as its superior an instance of the pcimRule class.  This structure
   rule should also include a superiorStructureRule (see Note 2 at the
   beginning of section 5).

5.7.  The Auxiliary Class pcimConditionAuxClass

   The purpose of a policy condition is to determine whether or not the
   set of actions (contained in the pcimRule that the condition applies
   to) should be executed or not.  This class defines the basic
   organizational semantics of a policy condition, as specified in [1].
   Subclasses of this auxiliary class can be attached to instances of
   three other classes in the PCLS.  When a subclass of this class is
   attached to an instance of pcimRuleConditionAssociation, or to an
   instance of pcimRule, it represents a rule-specific policy condition.
   When a subclass of this class is attached to an instance of
   pcimPolicyInstance, it represents a reusable policy condition.

   Since all of the classes to which subclasses of this auxiliary class
   may be attached are derived from the pcimPolicy class, the attributes
   of pcimPolicy will already be defined for the entries to which these
   subclasses attach.  Thus, this class is derived directly from "top".

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.11 NAME 'pcimConditionAuxClass'
            DESC 'A class representing a condition to be evaluated in
                  conjunction with a policy rule.'
            SUP top
            AUXILIARY
     )

5.8.  The Auxiliary Class pcimTPCAuxClass

   The PCIM defines a time period class, PolicyTimePeriodCondition, to
   provide a means of representing the time periods during which a
   policy rule is valid, i.e., active.  It also defines an aggregation,
   PolicyRuleValidityPeriod, so that time periods can be associated with
   a PolicyRule.  The LDAP mapping also provides two classes, one for
   the time condition itself, and one for the aggregation.

   In the PCIM, the time period class is named
   PolicyTimePeriodCondition. However, the resulting name of the
   auxiliary class in this mapping (pcimTimePeriodConditionAuxClass)
   exceeds the length of a name that some directories can store.
   Therefore, the name has been shortened to pcimTPCAuxClass.




Strassner, et al.           Standards Track                    [Page 36]

RFC 3703                Policy Core LDAP Schema            February 2004


   The class definition is as follows:

     ( 1.3.6.1.1.6.1.12 NAME 'pcimTPCAuxClass'
            DESC 'This provides the capability of enabling or disabling
                  a policy rule according to a predetermined schedule.'
            SUP pcimConditionAuxClass
            AUXILIARY
            MAY ( pcimTPCTime $ pcimTPCMonthOfYearMask $
                  pcimTPCDayOfMonthMask $ pcimTPCDayOfWeekMask $
                  pcimTPCTimeOfDayMask $ pcimTPCLocalOrUtcTime )
     )

   The attributes of the pcimTPCAuxClass are defined as follows.

   The pcimTPCTime attribute represents the time period that a policy
   rule is enabled for.  This attribute is defined as a string in [1]
   with a special format which defines a time period with a starting
   date and an ending date separated by a forward slash ("/"), as
   follows:

       yyyymmddThhmmss/yyyymmddThhmmss

   where the first date and time may be replaced with the string
   "THISANDPRIOR" or the second date and time may be replaced with the
   string "THISANDFUTURE".  This attribute is defined as follows:

        ( 1.3.6.1.1.6.2.25
               NAME 'pcimTPCTime'
               DESC 'The start and end times on which a policy rule is
                     valid.'
               EQUALITY caseIgnoreMatch
               ORDERING caseIgnoreOrderingMatch
               SUBSTR caseIgnoreSubstringsMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
               SINGLE-VALUE
        )

   The value of this attribute SHOULD be checked against its defined
   format ("yyyymmddThhmmss/yyyymmddThhmmss", where the first and second
   date strings may be replaced with the strings "THISANDPRIOR" and
   "THISANDFUTURE").  If the value of this attribute does not conform to
   this syntax, then this SHOULD be considered an error and the policy
   rule SHOULD be treated as being disabled.

   The next four attributes (pcimTPCMonthOfYearMask,
   pcimTPCDayOfMonthMask, pcimTPCDayOfWeekMask, and
   pcimTPCTimeOfDayMask) are all defined as octet strings in [1].
   However, the semantics of each of these attributes are contained in



Strassner, et al.           Standards Track                    [Page 37]

RFC 3703                Policy Core LDAP Schema            February 2004


   bit strings of various fixed lengths.  Therefore, the PCLS uses a
   syntax of Bit String to represent each of them.  The definition of
   these four attributes are as follows.

   The pcimTPCMonthOfYearMask attribute defines a 12-bit mask
   identifying the months of the year in which a policy rule is valid.
   The format is a bit string of length 12, representing the months of
   the year from January through December.  The definition of this
   attribute is as follows:

     ( 1.3.6.1.1.6.2.26
            NAME 'pcimTPCMonthOfYearMask'
            DESC 'This identifies the valid months of the year for a
                  policy rule using a 12-bit string that represents the
                  months of the year from January through December.'
            EQUALITY bitStringMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
            SINGLE-VALUE
     )

   The value of this attribute SHOULD be checked against its defined
   format.  If the value of this attribute does not conform to this
   syntax, then this SHOULD be considered an error and the policy rule
   SHOULD be treated as being disabled.

   The pcimTPCMonthOfDayMask attribute defines a mask identifying the
   days of the month on which a policy rule is valid.  The format is a
   bit string of length 62.  The first 31 positions represent the days
   of the month in ascending order, from day 1 to day 31.  The next 31
   positions represent the days of the month in descending order, from
   the last day to the day 31 days from the end.  The definition of this
   attribute is as follows:

     ( 1.3.6.1.1.6.2.27
            NAME 'pcimTPCDayOfMonthMask'
            DESC 'This identifies the valid days of the month for a
                  policy rule using a 62-bit string. The first 31
                  positions represent the days of the month in ascending
                  order, and the next 31 positions represent the days of
                  the month in descending order.'
            EQUALITY bitStringMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
            SINGLE-VALUE
     )







Strassner, et al.           Standards Track                    [Page 38]

RFC 3703                Policy Core LDAP Schema            February 2004


   The value of this attribute SHOULD be checked against its defined
   format.  If the value of this attribute does not conform to this
   syntax, then this SHOULD be considered an error and the policy rule
   SHOULD be treated as being disabled.

   The pcimTPCDayOfWeekMask attribute defines a mask identifying the
   days of the week on which a policy rule is valid.  The format is a
   bit string of length 7, representing the days of the week from Sunday
   through Saturday.  The definition of this attribute is as follows:

     ( 1.3.6.1.1.6.2.28
            NAME 'pcimTPCDayOfWeekMask'
            DESC 'This identifies the valid days of the week for a
                  policy rule using a 7-bit string. This represents
                  the days of the week from Sunday through Saturday.'
            EQUALITY bitStringMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
            SINGLE-VALUE
     )

   The value of this attribute SHOULD be checked against its defined
   format.  If the value of this attribute does not conform to this
   syntax, then this SHOULD be considered an error and the policy rule
   SHOULD be treated as being disabled.

   The pcimTPCTimeOfDayMask attribute defines the range of times at
   which a policy rule is valid.  If the second time is earlier than the
   first, then the interval spans midnight.  The format of the string is
   Thhmmss/Thhmmss.  The definition of this attribute is as follows:

     ( 1.3.6.1.1.6.2.29
            NAME 'pcimTPCTimeOfDayMask'
            DESC 'This identifies the valid range of times for a policy
                  using the format Thhmmss/Thhmmss.'
            EQUALITY caseIgnoreMatch
            ORDERING caseIgnoreOrderingMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
            SINGLE-VALUE
     )

   The value of this attribute SHOULD be checked against its defined
   format.  If the value of this attribute does not conform to this
   syntax, then this SHOULD be considered an error and the policy rule
   SHOULD be treated as being disabled.






Strassner, et al.           Standards Track                    [Page 39]

RFC 3703                Policy Core LDAP Schema            February 2004


   Finally, the pcimTPCLocalOrUtcTime attribute is used to choose
   between local or UTC time representation.  This is mapped as a simple
   integer syntax, with the value of 1 representing local time and the
   value of 2 representing UTC time.  The definition of this attribute
   is as follows:

     ( 1.3.6.1.1.6.2.30
            NAME 'pcimTPCLocalOrUtcTime'
            DESC 'This defines whether the times in this instance
                  represent local (value=1) times or UTC (value=2)
                  times.'
            EQUALITY integerMatch
            ORDERING integerOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE
     )

   Note: if the value of the pcimTPCLocalOrUtcTime is not 1 or 2, then
   this SHOULD be considered an error and the policy rule SHOULD be
   disabled. If the attribute is not present at all, then all times are
   interpreted as if it were present with the value 2, that is, UTC
   time.

5.9.  The Auxiliary Class pcimConditionVendorAuxClass

   This class provides a general extension mechanism for representing
   policy conditions that have not been modeled with specific
   properties. Instead, its two properties are used to define the
   content and format of the condition, as explained below.  This class
   is intended for vendor-specific extensions that are not amenable to
   using pcimCondition; standardized extensions SHOULD NOT use this
   class.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.13 NAME 'pcimConditionVendorAuxClass'
            DESC 'A class that defines a registered means to describe a
                  policy condition.'
            SUP pcimConditionAuxClass
            AUXILIARY
            MAY ( pcimVendorConstraintData $
                 pcimVendorConstraintEncoding )
     )

   The pcimVendorConstraintData attribute is a multi-valued attribute.
   It provides a general mechanism for representing policy conditions
   that have not been modeled as specific attributes.  This information
   is encoded in a set of octet strings.  The format of the octet



Strassner, et al.           Standards Track                    [Page 40]

RFC 3703                Policy Core LDAP Schema            February 2004


   strings is identified by the OID stored in the
   pcimVendorConstraintEncoding attribute.  This attribute is defined as
   follows:

     ( 1.3.6.1.1.6.2.31
            NAME 'pcimVendorConstraintData'
            DESC 'Mechanism for representing constraints that have not
                  been modeled as specific attributes.  Their format is
                  identified by the OID stored in the attribute
                  pcimVendorConstraintEncoding.'
            EQUALITY octetStringMatch
            ORDERING octetStringOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     )

   The pcimVendorConstraintEncoding attribute is used to identify the
   format and semantics for the pcimVendorConstraintData attribute.
   This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.32
            NAME 'pcimVendorConstraintEncoding'
            DESC 'An OID identifying the format and semantics for the
                  pcimVendorConstraintData for this instance.'
            EQUALITY objectIdentifierMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
            SINGLE-VALUE
     )

5.10.  The Auxiliary Class pcimActionAuxClass

   The purpose of a policy action is to execute one or more operations
   that will affect network traffic and/or systems, devices, etc. in
   order to achieve a desired policy state.  This class is used to
   represent an action to be performed as a result of a policy rule
   whose condition clause was satisfied.

   Subclasses of this auxiliary class can be attached to instances of
   three other classes in the PCLS.  When a subclass of this class is
   attached to an instance of pcimRuleActionAssociation, or to an
   instance of pcimRule, it represents a rule-specific policy action.
   When a subclass of this class is attached to an instance of
   pcimPolicyInstance, it represents a reusable policy action.

   Since all of the classes to which subclasses of this auxiliary class
   may be attached are derived from the pcimPolicy class, the attributes
   of the pcimPolicy class will already be defined for the entries to
   which these subclasses attach.  Thus, this class is derived directly
   from "top".



Strassner, et al.           Standards Track                    [Page 41]

RFC 3703                Policy Core LDAP Schema            February 2004


   The class definition is as follows:

     ( 1.3.6.1.1.6.1.14 NAME 'pcimActionAuxClass'
            DESC 'A class representing an action to be performed as a
                  result of a policy rule.'
            SUP top
            AUXILIARY
     )

5.11.  The Auxiliary Class pcimActionVendorAuxClass

   The purpose of this class is to provide a general extension mechanism
   for representing policy actions that have not been modeled with
   specific properties.  Instead, its two properties are used to define
   the content and format of the action, as explained below.

   As its name suggests, this class is intended for vendor-specific
   extensions that are not amenable to using the standard pcimAction
   class.  Standardized extensions SHOULD NOT use this class.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.15 NAME 'pcimActionVendorAuxClass'
            DESC 'A class that defines a registered means to describe a
                  policy action.'
            SUP pcimActionAuxClass
            AUXILIARY
            MAY ( pcimVendorActionData $ pcimVendorActionEncoding )
     )

   The pcimVendorActionData attribute is a multi-valued attribute.  It
   provides a general mechanism for representing policy actions that
   have not been modeled as specific attributes.  This information is
   encoded in a set of octet strings.  The format of the octet strings
   is identified by the OID stored in the pcimVendorActionEncoding
   attribute.  This attribute is defined as follows:

     ( 1.3.6.1.1.6.2.33
            NAME 'pcimVendorActionData'
            DESC ' Mechanism for representing policy actions that have
                   not been modeled as specific attributes.  Their
                   format is identified by the OID stored in the
                   attribute pcimVendorActionEncoding.'
            EQUALITY octetStringMatch
            ORDERING octetStringOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     )




Strassner, et al.           Standards Track                    [Page 42]

RFC 3703                Policy Core LDAP Schema            February 2004


   The pcimVendorActionEncoding attribute is used to identify the format
   and semantics for the pcimVendorActionData attribute.  This attribute
   is defined as follows:

     ( 1.3.6.1.1.6.2.34
            NAME 'pcimVendorActionEncoding'
            DESC 'An OID identifying the format and semantics for the
                  pcimVendorActionData attribute of this instance.'
            EQUALITY objectIdentifierMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
            SINGLE-VALUE
     )

5.12.  The Class pcimPolicyInstance

   This class is not defined in the PCIM.  Its role is to serve as a
   structural class to which auxiliary classes representing policy
   information are attached when the information is reusable.  For
   auxiliary classes representing policy conditions and policy actions,
   there are alternative structural classes that may be used.  See
   Section 4.4 for a complete discussion of reusable policy conditions
   and actions, and of the role that this class plays in how they are
   represented.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.16 NAME 'pcimPolicyInstance'
            DESC 'A structural class to which aux classes containing
                  reusable policy information can be attached.'
            SUP pcimPolicy
            MAY ( pcimPolicyInstanceName )
     )

   The pcimPolicyInstanceName attribute is used to define a
   user-friendly name of this class, and may be used as a naming
   attribute if desired.  It is defined as follows:

     ( 1.3.6.1.1.6.2.35 NAME 'pcimPolicyInstanceName'
            DESC 'The user-friendly name of this policy instance.'
            EQUALITY caseIgnoreMatch
            ORDERING caseIgnoreOrderingMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE
     )






Strassner, et al.           Standards Track                    [Page 43]

RFC 3703                Policy Core LDAP Schema            February 2004


   A DIT content rule could be written to enable an instance of
   pcimPolicyInstance to have attached to it either instances of one or
   more of the auxiliary object classes pcimConditionAuxClass and
   pcimActionAuxClass.  Since these semantics do not include specifying
   any properties, the content rule would not need to specify any
   attributes.  Note that other content rules could be defined to enable
   other policy-related auxiliary classes to be attached to
   pcimPolicyInstance.

   Similarly, three separate DIT structure rules could be written.  Each
   of these DIT structure rules would refer to a specific name form that
   defined two important semantics.  First, each name form would
   identify one of the three possible naming attributes (i.e.,
   pcimPolicyInstanceName, cn, and orderedCIMKeys) for this object
   class.  Second, each name form would require that an instance of the
   pcimPolicyInstance class have as its superior an instance of the
   pcimRepository class.  This structure rule SHOULD also include a
   superiorStructureRule (see Note 2 at the beginning of section 5).

5.13.  The Auxiliary Class pcimElementAuxClass

   This class introduces no additional attributes, beyond those defined
   in the class pcimPolicy from which it is derived.  Its role is to
   "tag" an instance of a class defined outside the realm of policy
   information as represented by PCIM as being nevertheless relevant to
   a policy specification.  This tagging can potentially take place at
   two levels:

   -   Every instance to which pcimElementAuxClass is attached becomes
       an instance of the class pcimPolicy, since pcimElementAuxClass is
       a subclass of pcimPolicy.  Searching for object
       class="pcimPolicy" will return the instance.  (As noted earlier,
       this approach does NOT work for some directory implementations.
       To accommodate these implementations, policy-related entries
       SHOULD be tagged with the pcimKeyword "POLICY".)

   -   With the pcimKeywords attribute that it inherits from pcimPolicy,
       an instance to which pcimElementAuxClass is attached can be
       tagged as being relevant to a particular type or category of
       policy information, using standard keywords,
       administrator-defined keywords, or both.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.17 NAME 'pcimElementAuxClass'
            DESC 'An auxiliary class used to tag instances of classes
                  defined outside the realm of policy as relevant to a
                  particular policy specification.'



Strassner, et al.           Standards Track                    [Page 44]

RFC 3703                Policy Core LDAP Schema            February 2004


            SUP pcimPolicy
            AUXILIARY
     )

5.14.  The Three Policy Repository Classes

   These classes provide a container for reusable policy information,
   such as reusable policy conditions and/or reusable policy actions.
   This document is concerned with mapping just the properties that
   appear in these classes.  Conceptually, this may be thought of as a
   special location in the DIT where policy information may reside.
   Since pcimRepository is derived from the class dlm1AdminDomain
   defined in reference [6], this specification has a normative
   dependency on that element of reference [6] (as well as on its entire
   derivation hierarchy, which also appears in reference [6]).  To
   maximize flexibility, the pcimRepository class is defined as
   abstract.  A subclass pcimRepositoryAuxClass provides for auxiliary
   attachment to another entry, while a structural subclass
   pcimRepositoryInstance is available to represent a policy repository
   as a standalone entry.

   The definition for the pcimRepository class is as follows:

     ( 1.3.6.1.1.6.1.18 NAME 'pcimRepository'
            DESC 'A container for reusable policy information.'
            SUP dlm1AdminDomain
            ABSTRACT
            MAY ( pcimRepositoryName )
     )

   The pcimRepositoryName attribute is used to define a user-friendly
   name of this class, and may be used as a naming attribute if desired.
   It is defined as follows:

     ( 1.3.6.1.1.6.2.36 NAME 'pcimRepositoryName'
            DESC 'The user-friendly name of this policy repository.'
            EQUALITY caseIgnoreMatch
            ORDERING caseIgnoreOrderingMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE
     )









Strassner, et al.           Standards Track                    [Page 45]

RFC 3703                Policy Core LDAP Schema            February 2004


   The two subclasses of pcimRepository are defined as follows.  First,
   the pcimRepositoryAuxClass is an auxiliary class that can be used to
   aggregate reusable policy information.  It is defined as follows:

     ( 1.3.6.1.1.6.1.19 NAME 'pcimRepositoryAuxClass'
            DESC 'An auxiliary class that can be used to aggregate
                  reusable policy information.'
            SUP pcimRepository
            AUXILIARY
     )

   In cases where structural classes are needed instead of an auxiliary
   class, the pcimRepositoryInstance class is a structural class that
   can be used to aggregate reusable policy information.  It is defined
   as follows:

     ( 1.3.6.1.1.6.1.20 NAME 'pcimRepositoryInstance'
            DESC 'A structural class that can be used to aggregate
                  reusable policy information.'
            SUP pcimRepository
            STRUCTURAL
     )

   Three separate DIT structure rules could be written for this class.
   Each of these DIT structure rules would refer to a specific name form
   that enabled an instance of the pcimRepository class to be named
   under any superior using one of the three possible naming attributes
   (i.e., pcimRepositoryName, cn, and orderedCIMKeys).  This structure
   rule SHOULD also include a superiorStructureRule (see Note 2 at the
   beginning of section 5).

5.15.  The Auxiliary Class pcimSubtreesPtrAuxClass

   This auxiliary class provides a single, multi-valued attribute that
   references a set of objects that are at the root of DIT subtrees
   containing policy-related information.  By attaching this attribute
   to instances of various other classes, a policy administrator has a
   flexible way of providing an entry point into the directory that
   allows a client to locate and retrieve the policy information
   relevant to it.

   It is intended that these entries are placed in the DIT such that
   well-known DNs can be used to reference a well-known structural entry
   that has the pcimSubtreesPtrAuxClass attached to it.  In effect, this
   defines a set of entry points.  Each of these entry points can
   contain and/or reference all related policy entries for





Strassner, et al.           Standards Track                    [Page 46]

RFC 3703                Policy Core LDAP Schema            February 2004


   any well-known policy domains.  The pcimSubtreesPtrAuxClass functions
   as a tag to identify portions of the DIT that contain policy
   information.

   This object does not provide the semantic linkages between individual
   policy objects, such as those between a policy group and the policy
   rules that belong to it.  Its only role is to enable efficient bulk
   retrieval of policy-related objects, as described in Section 4.5.

   Once the objects have been retrieved, a directory client can
   determine the semantic linkages by following references contained in
   multi-valued attributes, such as pcimRulesAuxContainedSet.

   Since policy-related objects will often be included in the DIT
   subtree beneath an object to which this auxiliary class is attached,
   a client SHOULD request the policy-related objects from the subtree
   under the object with these references at the same time that it
   requests the references themselves.

   Since clients are expected to behave in this way, the policy
   administrator SHOULD make sure that this subtree does not contain so
   many objects unrelated to policy that an initial search done in this
   way results in a performance problem.  The pcimSubtreesPtrAuxClass
   SHOULD NOT be attached to the partition root for a large directory
   partition containing a relatively few number of policy-related
   objects along with a large number of objects unrelated to policy
   (again, "policy" here refers to the PCIM, not the X.501, definition
   and use of "policy").  A better approach would be to introduce a
   container object immediately below the partition root, attach
   pcimSubtreesPtrAuxClass to this container object, and then place all
   of the policy-related objects in that subtree.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.21 NAME 'pcimSubtreesPtrAuxClass'
            DESC 'An auxiliary class providing DN references to roots of
                  DIT subtrees containing policy-related objects.'
            SUP top
            AUXILIARY
            MAY ( pcimSubtreesAuxContainedSet )
     )










Strassner, et al.           Standards Track                    [Page 47]

RFC 3703                Policy Core LDAP Schema            February 2004


   The attribute pcimSubtreesAuxContainedSet provides an unordered set
   of DN references to instances of one or more objects under which
   policy-related information is present.  The objects referenced may or
   may not themselves contain policy-related information.  The attribute
   definition is as follows:

     ( 1.3.6.1.1.6.2.37
            NAME 'pcimSubtreesAuxContainedSet'
            DESC 'DNs of objects that serve as roots for DIT subtrees
                  containing policy-related objects.'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

   Note that the cn attribute does NOT need to be defined for this
   class. This is because an auxiliary class is used as a means to
   collect common attributes and treat them as properties of an object.
   A good analogy is a #include file, except that since an auxiliary
   class is a class, all the benefits of a class (e.g., inheritance) can
   be applied to an auxiliary class.

5.16.  The Auxiliary Class pcimGroupContainmentAuxClass

   This auxiliary class provides a single, multi-valued attribute that
   references a set of pcimGroups.  By attaching this attribute to
   instances of various other classes, a policy administrator has a
   flexible way of providing an entry point into the directory that
   allows a client to locate and retrieve the pcimGroups relevant to it.

   As is the case with pcimRules, a policy administrator might have
   several different references to a pcimGroup in the overall directory
   structure. The pcimGroupContainmentAuxClass is the mechanism that
   makes it possible for the policy administrator to define all these
   different references.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.22 NAME 'pcimGroupContainmentAuxClass'
            DESC 'An auxiliary class used to bind pcimGroups to an
                  appropriate container object.'
            SUP top
            AUXILIARY
            MAY ( pcimGroupsAuxContainedSet )
     )







Strassner, et al.           Standards Track                    [Page 48]

RFC 3703                Policy Core LDAP Schema            February 2004


   The attribute pcimGroupsAuxContainedSet provides an unordered set of
   references to instances of one or more pcimGroups associated with the
   instance of a structural class to which this attribute has been
   appended.

   The attribute definition is as follows:

     ( 1.3.6.1.1.6.2.38
            NAME 'pcimGroupsAuxContainedSet'
            DESC 'DNs of pcimGroups associated in some way with the
                  instance to which this attribute has been appended.'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

   Note that the cn attribute does NOT have to be defined for this class
   for the same reasons as those given for the pcimSubtreesPtrAuxClass
   in section 5.15.

5.17.  The Auxiliary Class pcimRuleContainmentAuxClass

   This auxiliary class provides a single, multi-valued attribute that
   references a set of pcimRules.  By attaching this attribute to
   instances of various other classes, a policy administrator has a
   flexible way of providing an entry point into the directory that
   allows a client to locate and retrieve the pcimRules relevant to it.

   A policy administrator might have several different references to a
   pcimRule in the overall directory structure.  For example, there
   might be references to all pcimRules for traffic originating in a
   particular subnet from a directory entry that represents that subnet.
   At the same time, there might be references to all pcimRules related
   to a particular DiffServ setting from an instance of a pcimGroup
   explicitly introduced as a container for DiffServ-related pcimRules.
   The pcimRuleContainmentAuxClass is the mechanism that makes it
   possible for the policy administrator to define all these separate
   references.

   The class definition is as follows:

     ( 1.3.6.1.1.6.1.23 NAME 'pcimRuleContainmentAuxClass'
            DESC 'An auxiliary class used to bind pcimRules to an
                  appropriate container object.'
            SUP top
            AUXILIARY
            MAY ( pcimRulesAuxContainedSet )
     )




Strassner, et al.           Standards Track                    [Page 49]

RFC 3703                Policy Core LDAP Schema            February 2004


   The attribute pcimRulesAuxContainedSet provides an unordered set of
   references to one or more instances of pcimRules associated with the
   instance of a structural class to which this attribute has been
   appended.  The attribute definition is as follows:

     ( 1.3.6.1.1.6.2.39
            NAME 'pcimRulesAuxContainedSet'
            DESC 'DNs of pcimRules associated in some way with the
                  instance to which this attribute has been appended.'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

   The cn attribute does NOT have to be defined for this class for the
   same reasons as those given for the pcimSubtreesPtrAuxClass in
   section 5.15.

6.  Extending the Classes Defined in This Document

   The following subsections provide general guidance on how to create a
   domain-specific schema derived from this document, discuss how the
   vendor classes in the PCLS should be used, and explain how
   policyTimePeriodConditions are related to other policy conditions.

6.1.  Subclassing pcimConditionAuxClass and pcimActionAuxClass

   In Section 4.4, there is a discussion of how, by representing policy
   conditions and policy actions as auxiliary classes in a schema, the
   flexibility is retained to instantiate a particular condition or
   action as either rule-specific or reusable.  This flexibility is lost
   if a condition or action class is defined as structural rather than
   auxiliary.  For standardized schemata, this document specifies that
   domain-specific information MUST be expressed in auxiliary subclasses
   of pcimConditionAuxClass and pcimActionAuxClass.  It is RECOMMENDED
   that non-standardized schemata follow this practice as well.

6.2.  Using the Vendor Policy Attributes

   As discussed Section 5.9, the attributes pcimVendorConstraintData and
   pcimVendorConstraintEncoding are included in the
   pcimConditionVendorAuxClass to provide a mechanism for representing
   vendor-specific policy conditions that are not amenable to being
   represented with the pcimCondition class (or its subclasses).  The
   attributes pcimVendorActionData and pcimVendorActionEncoding in the
   pcimActionVendorAuxClass class play the same role with respect to
   actions.  This enables interoperability between different vendors who
   could not otherwise interoperate.




Strassner, et al.           Standards Track                    [Page 50]

RFC 3703                Policy Core LDAP Schema            February 2004


   For example, imagine a network composed of access devices from vendor
   A, edge and core devices from vendor B, and a policy server from
   vendor C. It is desirable for this policy server to be able to
   configure and manage all of the devices from vendors A and B.
   Unfortunately, these devices will in general have little in common
   (e.g., different mechanisms, different ways for controlling those
   mechanisms, different operating systems, different commands, and so
   forth).  The extension conditions provide a way for vendor-specific
   commands to be encoded as octet strings, so that a single policy
   server can commonly manage devices from different vendors.

6.3.  Using Time Validity Periods

   Time validity periods are defined as an auxiliary subclass of
   pcimConditionAuxClass, called pcimTPCAuxClass.  This is to allow
   their inclusion in the AND/OR condition definitions for a pcimRule.
   Care should be taken not to subclass pcimTPCAuxClass to add
   domain-specific condition properties.

   For example, it would be incorrect to add IPsec- or QoS-specific
   condition properties to the pcimTPCAuxClass class, just because IPsec
   or QoS includes time in its condition definition.  The correct
   subclassing would be to create IPsec or QoS-specific subclasses of
   pcimConditionAuxClass and then combine instances of these
   domain-specific condition classes with the appropriate validity
   period criteria.  This is accomplished using the AND/OR association
   capabilities for policy conditions in pcimRules.

7.  Security Considerations

   The PCLS, presented in this document, provides a mapping of the
   object-oriented model for describing policy information (PCIM) into a
   data model that forms the basic framework for describing the
   structure of policy data, in the case where the policy repository
   takes the form of an LDAP-accessible directory.

   PCLS is not intended to represent any particular system design or
   implementation.  PCLS is not directly useable in a real world system,
   without the discipline-specific mappings that are works in progress
   in the Policy Framework Working Group of the IETF.

   These other derivative documents, which use PCIM and its
   discipline-specific extensions as a base, will need to convey more
   specific security considerations (refer to RFC 3060 for more
   information.)






Strassner, et al.           Standards Track                    [Page 51]

RFC 3703                Policy Core LDAP Schema            February 2004


   The reason that PCLS, as defined here, is not representative of any
   real-world system, is that its object classes were designed to be
   independent of any specific discipline, or policy domain.  For
   example, DiffServ and IPsec represent two different policy domains.
   Each document that extends PCIM to one of these domains will derive
   subclasses from the classes and relationships defined in PCIM, in
   order to represent extensions of a generic model to cover specific
   technical domains.

   PCIM-derived documents will thus subclass the PCIM classes into
   classes specific to each technical policy domain (QOS, IPsec, etc.),
   which will, in turn, be mapped, to directory-specific schemata
   consistent with the PCLS documented here.

   Even though discipline-specific security requirements are not
   appropriate for PCLS, specific security requirements MUST be defined
   for each operational real-world application of PCIM.  Just as there
   will be a wide range of operational, real-world systems using PCIM,
   there will also be a wide range of security requirements for these
   systems.  Some operational, real-world systems that are deployed
   using PCLS may have extensive security requirements that impact
   nearly all object classes utilized by such a system, while other
   systems' security requirements might have very little impact.

   The derivative documents, discussed above, will create the context
   for applying operational, real-world, system-level security
   requirements against the various models that derive from PCIM,
   consistent with PCLS.

   In some real-world scenarios, the values associated with certain
   properties, within certain instantiated object classes, may represent
   information associated with scarce, and/or costly (and therefore
   valuable) resources.  It may be the case that these values must not
   be disclosed to, or manipulated by, unauthorized parties.

   Since this document forms the basis for the representation of a
   policy data model in a specific format (an LDAP-accessible
   directory), it is herein appropriate to reference the data
   model-specific tools and mechanisms that are available for achieving
   the authentication and authorization implicit in a requirement that
   restricts read and/or read- write access to these values stored in a
   directory.









Strassner, et al.           Standards Track                    [Page 52]

RFC 3703                Policy Core LDAP Schema            February 2004


   General LDAP security considerations apply, as documented in RFC 3377
   [2]. LDAP-specific authentication and authorization tools and
   mechanisms are found in the following standards track documents,
   which are appropriate for application to the management of security
   applied to policy data models stored in an LDAP-accessible directory:

     -   RFC 2829 (Authentication Methods for LDAP)
     -   RFC 2830 (Lightweight Directory Access Protocol (v3): Extension
         for Transport Layer Security)

   Any identified security requirements that are not dealt with in the
   appropriate discipline-specific information model documents, or in
   this document, MUST be dealt with in the derivative data model
   documents which are specific to each discipline.

8.  IANA Considerations

   Refer to RFC 3383, "Internet Assigned Numbers Authority (IANA)
   Considerations for the Lightweight Directory Access Protocol (LDAP)"
   [16].

8.1.  Object Identifiers

   The IANA has registered an LDAP Object Identifier for use in this
   technical specification according to the following template:

   Subject: Request for LDAP OID Registration
   Person & email address to contact for further information:
      Bob Moore (remoore@us.ibm.com)
   Specification: RFC 3703
   Author/Change Controller: IESG
   Comments:
      The assigned OID will be used as a base for identifying
      a number of schema elements defined in this document.

   IANA has assigned an OID of 1.3.6.1.1.6 with the name of pcimSchema
   to this registration as recorded in the following registry:

      http://www.iana.org/assignments/smi-numbers

8.2.  Object Identifier Descriptors

   The IANA has registered the LDAP Descriptors used in this technical
   specification as detailed in the following template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment



Strassner, et al.           Standards Track                    [Page 53]

RFC 3703                Policy Core LDAP Schema            February 2004


   Person & email address to contact for further information:
      Bob Moore (remoore@us.ibm.com)
   Usage: see comment
   Specification: RFC 3703
   Author/Change Controller: IESG
   Comments:

   The following descriptors have been added:

   NAME                            Type    OID
   --------------                  ----    ------------
   pcimPolicy                      O       1.3.6.1.1.6.1.1
   pcimGroup                       O       1.3.6.1.1.6.1.2
   pcimGroupAuxClass               O       1.3.6.1.1.6.1.3
   pcimGroupInstance               O       1.3.6.1.1.6.1.4
   pcimRule                        O       1.3.6.1.1.6.1.5
   pcimRuleAuxClass                O       1.3.6.1.1.6.1.6
   pcimRuleInstance                O       1.3.6.1.1.6.1.7
   pcimRuleConditionAssociation    O       1.3.6.1.1.6.1.8
   pcimRuleValidityAssociation     O       1.3.6.1.1.6.1.9
   pcimRuleActionAssociation       O       1.3.6.1.1.6.1.10
   pcimConditionAuxClass           O       1.3.6.1.1.6.1.11
   pcimTPCAuxClass                 O       1.3.6.1.1.6.1.12
   pcimConditionVendorAuxClass     O       1.3.6.1.1.6.1.13
   pcimActionAuxClass              O       1.3.6.1.1.6.1.14
   pcimActionVendorAuxClass        O       1.3.6.1.1.6.1.15
   pcimPolicyInstance              O       1.3.6.1.1.6.1.16
   pcimElementAuxClass             O       1.3.6.1.1.6.1.17
   pcimRepository                  O       1.3.6.1.1.6.1.18
   pcimRepositoryAuxClass          O       1.3.6.1.1.6.1.19
   pcimRepositoryInstance          O       1.3.6.1.1.6.1.20
   pcimSubtreesPtrAuxClass         O       1.3.6.1.1.6.1.21
   pcimGroupContainmentAuxClass    O       1.3.6.1.1.6.1.22
   pcimRuleContainmentAuxClass     O       1.3.6.1.1.6.1.23
   pcimKeywords                    A       1.3.6.1.1.6.2.3
   pcimGroupName                   A       1.3.6.1.1.6.2.4
   pcimRuleName                    A       1.3.6.1.1.6.2.5
   pcimRuleEnabled                 A       1.3.6.1.1.6.2.6
   pcimRuleConditionListType       A       1.3.6.1.1.6.2.7
   pcimRuleConditionList           A       1.3.6.1.1.6.2.8
   pcimRuleActionList              A       1.3.6.1.1.6.2.9
   pcimRuleValidityPeriodList      A       1.3.6.1.1.6.2.10
   pcimRuleUsage                   A       1.3.6.1.1.6.2.11
   pcimRulePriority                A       1.3.6.1.1.6.2.12
   pcimRuleMandatory               A       1.3.6.1.1.6.2.13
   pcimRuleSequencedActions        A       1.3.6.1.1.6.2.14
   pcimRoles                       A       1.3.6.1.1.6.2.15
   pcimConditionGroupNumber        A       1.3.6.1.1.6.2.16



Strassner, et al.           Standards Track                    [Page 54]

RFC 3703                Policy Core LDAP Schema            February 2004


   NAME                            Type    OID
   --------------                  ----    ------------
   pcimConditionNegated            A       1.3.6.1.1.6.2.17
   pcimConditionName               A       1.3.6.1.1.6.2.18
   pcimConditionDN                 A       1.3.6.1.1.6.2.19
   pcimValidityConditionName       A       1.3.6.1.1.6.2.20
   pcimTimePeriodConditionDN       A       1.3.6.1.1.6.2.21
   pcimActionName                  A       1.3.6.1.1.6.2.22
   pcimActionOrder                 A       1.3.6.1.1.6.2.23
   pcimActionDN                    A       1.3.6.1.1.6.2.24
   pcimTPCTime                     A       1.3.6.1.1.6.2.25
   pcimTPCMonthOfYearMask          A       1.3.6.1.1.6.2.26
   pcimTPCDayOfMonthMask           A       1.3.6.1.1.6.2.27
   pcimTPCDayOfWeekMask            A       1.3.6.1.1.6.2.28
   pcimTPCTimeOfDayMask            A       1.3.6.1.1.6.2.29
   pcimTPCLocalOrUtcTime           A       1.3.6.1.1.6.2.30
   pcimVendorConstraintData        A       1.3.6.1.1.6.2.31
   pcimVendorConstraintEncoding    A       1.3.6.1.1.6.2.32
   pcimVendorActionData            A       1.3.6.1.1.6.2.33
   pcimVendorActionEncoding        A       1.3.6.1.1.6.2.34
   pcimPolicyInstanceName          A       1.3.6.1.1.6.2.35
   pcimRepositoryName              A       1.3.6.1.1.6.2.36
   pcimSubtreesAuxContainedSet     A       1.3.6.1.1.6.2.37
   pcimGroupsAuxContainedSet       A       1.3.6.1.1.6.2.38
   pcimRulesAuxContainedSet        A       1.3.6.1.1.6.2.39

   where Type A is Attribute, Type O is ObjectClass

   These assignments are recorded in the following registry:

      http://www.iana.org/assignments/ldap-parameters




















Strassner, et al.           Standards Track                    [Page 55]

RFC 3703                Policy Core LDAP Schema            February 2004


9.  Acknowledgments

   We would like to thank Kurt Zeilenga, Roland Hedburg, and Steven Legg
   for doing a review of this document and making many helpful
   suggestions and corrections.

   Several of the policy classes in this model first appeared in early
   IETF drafts on IPsec policy and QoS policy.  The authors of these
   drafts were Partha Bhattacharya, Rob Adams, William Dixon, Roy
   Pereira, Raju Rajan, Jean-Christophe Martin, Sanjay Kamat, Michael
   See, Rajiv Chaudhury, Dinesh Verma, George Powers, and Raj Yavatkar.

   This document is closely aligned with the work being done in the
   Distributed Management Task Force (DMTF) Policy and Networks working
   groups.  We would especially like to thank Lee Rafalow, Glenn Waters,
   David Black, Michael Richardson, Mark Stevens, David Jones, Hugh
   Mahon, Yoram Snir, and Yoram Ramberg for their helpful comments.


































Strassner, et al.           Standards Track                    [Page 56]

RFC 3703                Policy Core LDAP Schema            February 2004


10.  Appendix:  Constructing the Value of orderedCIMKeys

   This appendix is non-normative, and is included in this document as a
   guide to implementers that wish to exchange information between CIM
   schemata and LDAP schemata.

   Within a CIM name space, the naming is basically flat; all instances
   are identified by the values of their key properties, and each
   combination of key values must be unique.  A limited form of
   hierarchical naming is available in CIM, however, by using weak
   associations: since a weak association involves propagation of key
   properties and their values from the superior object to the
   subordinate one, the subordinate object can be thought of as being
   named "under" the superior object.  Once they have been propagated,
   however, propagated key properties and their values function in
   exactly the same way that native key properties and their values do
   in identifying a CIM instance.

   The CIM mapping document [6] introduces a special attribute,
   orderedCIMKeys, to help map from the CIM_ManagedElement class to the
   LDAP class dlm1ManagedElement.  This attribute SHOULD only be used in
   an environment where it is necessary to map between an
   LDAP-accessible directory and a CIM repository.  For an LDAP
   environment, other LDAP naming attributes are defined (i.e., cn and a
   class-specific naming attribute) that SHOULD be used instead.

   The role of orderedCIMKeys is to represent the information necessary
   to correlate an entry in an LDAP-accessible directory with an
   instance in a CIM name space.  Depending on how naming of CIM-related
   entries is handled in an LDAP directory, the value of orderedCIMKeys
   represents one of two things:

     - If the DIT hierarchy does not mirror the "weakness hierarchy" of
       the CIM name space, then orderedCIMKeys represents all the
       keys of the CIM instance, both native and propagated.
     - If the DIT hierarchy does mirror the "weakness hierarchy" of the
       CIM name space, then orderedCIMKeys may represent either all the
       keys of the instance, or only the native keys.

   Regardless of which of these alternatives is taken, the syntax of
   orderedCIMKeys is the same - a DirectoryString of the form

       <className>.<key>=<value>[,<key>=<value>]*

   where the <key>=<value> elements are ordered by the names of the key
   properties, according to the collating sequence for US ASCII.  The
   only spaces allowed in the DirectoryString are those that fall within
   a <value> element.  As with alphabetizing the key properties, the



Strassner, et al.           Standards Track                    [Page 57]

RFC 3703                Policy Core LDAP Schema            February 2004


   goal of suppressing the spaces is once again to make the results of
   string operations predictable.

   The values of the <value> elements are derived from the various CIM
   syntaxes according to a grammar specified in [5].

11.  References

11.1.  Normative References

   [1]   Moore, B., Ellesson,E., Strassner, J. and A. Westerinen "Policy
         Core Information Model -- Version 1 Specification", RFC 3060,
         February 2001.

   [2]   Hodges, J. and R. Morgan, "Lightweight Directory Access
         Protocol (v3): Technical Specification", RFC 3377, September
         2002.

   [3]   Wahl, M., Coulbeck, A., Howes,T. and S. Kille, "Lightweight
         Directory Access Protocol (v3): Attribute Syntax Definitions",
         RFC 2252, December 1997.

   [4]   The Directory: Models.  ITU-T Recommendation X.501, 2001.

   [5]   Distributed Management Task Force, Inc., "Common Information
         Model (CIM) Specification", Version 2.2, June 14, 1999.  This
         document is available on the following DMTF web page:
         http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf

   [6]   Distributed Management Task Force, Inc., "DMTF LDAP Schema for
         the CIM v2.5 Core Information Model", April 15, 2002.  This
         document is available on the following DMTF web page:
         http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf

   [7]   Wahl, M., "A Summary of the X.500(96) User Schema for use with
         LDAPv3", RFC 2256, December 1997.

   [8]   The Directory: Selected Attribute Types.  ITU-T Recommendation
         X.520, 2001.

   [9]   Zeilenga, K., Ed., "Lightweight Directory Access Protocol
         (LDAP): Additional Matching Rules", RFC 3698, February 2004.

   [10]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.






Strassner, et al.           Standards Track                    [Page 58]

RFC 3703                Policy Core LDAP Schema            February 2004


11.2.  Informative References

   [11]  Hovey, R. and S. Bradner, "The Organizations Involved in the
         IETF Standards Process", BCP 11, RFC 2028, October 1996.

   [12]  Strassner, J., policy architecture BOF presentation, 42nd IETF
         Meeting, Chicago, Illinois, October 1998.  Minutes of this BOF
         are available at the following location:
         http://www.ietf.org/proceedings/98aug/index.html.

   [13]  Yavatkar, R., Guerin, R. and D. Pendarakis, "A Framework for
         Policy-based Admission Control", RFC 2753, January 2000.

   [14]  Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan,
         "Authentication Methods for LDAP", RFC 2829, May 2000

   [15]  Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory
         Access Protocol (v3): Extension for Transport Layer Security",
         RFC 2830, May 2000.

   [16]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
         Considerations for the Lightweight Directory Access Protocol
         (LDAP)", BCP 64, RFC 3383, September 2002.




























Strassner, et al.           Standards Track                    [Page 59]

RFC 3703                Policy Core LDAP Schema            February 2004


12.  Authors' Addresses

   John Strassner
   Intelliden Corporation
   90 South Cascade Avenue
   Colorado Springs, CO  80903

   Phone: +1.719.785.0648
   Fax:   +1.719.785.0644
   EMail: john.strassner@intelliden.com


   Bob Moore
   IBM Corporation
   P. O. Box 12195, BRQA/B501/G206
   3039 Cornwallis Rd.
   Research Triangle Park, NC  27709-2195

   Phone: +1 919-254-4436
   Fax:   +1 919-254-6243
   EMail: remoore@us.ibm.com


   Ryan Moats
   Lemur Networks, Inc.
   15621 Drexel Circle
   Omaha, NE 68135

   Phone: +1-402-894-9456
   EMail: rmoats@lemurnetworks.net


   Ed Ellesson
   3026 Carriage Trail
   Hillsborough, NC 27278

   Phone: +1 919-644-3977
   EMail: ellesson@mindspring.com













Strassner, et al.           Standards Track                    [Page 60]

RFC 3703                Policy Core LDAP Schema            February 2004


13.  Full Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78 and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology
   described in this document or the extent to which any license
   under such rights might or might not be available; nor does it
   represent that it has made any independent effort to identify any
   such rights.  Information on the procedures with respect to
   rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights that may cover technology that may be required
   to implement this standard.  Please address the information to the
   IETF at ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.









Strassner, et al.           Standards Track                    [Page 61]