mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
452 lines
17 KiB
Plaintext
452 lines
17 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group R. Harrison
|
|||
|
Request for Comments: 3771 Novell, Inc.
|
|||
|
Updates: 2251 K. Zeilenga
|
|||
|
Category: Standards Track OpenLDAP Foundation
|
|||
|
April 2004
|
|||
|
|
|||
|
|
|||
|
The Lightweight Directory Access Protocol (LDAP)
|
|||
|
Intermediate Response Message
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This document specifies an Internet standards track protocol for the
|
|||
|
Internet community, and requests discussion and suggestions for
|
|||
|
improvements. Please refer to the current edition of the "Internet
|
|||
|
Official Protocol Standards" (STD 1) for the standardization state
|
|||
|
and status of this protocol. Distribution of this memo is unlimited.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document defines and describes the IntermediateResponse message,
|
|||
|
a general mechanism for defining single-request/multiple-response
|
|||
|
operations in Lightweight Directory Access Protocol (LDAP). The
|
|||
|
IntermediateResponse message is defined in such a way that the
|
|||
|
protocol behavior of existing LDAP operations is maintained. This
|
|||
|
message is intended to be used in conjunction with the LDAP
|
|||
|
ExtendedRequest and ExtendedResponse to define new single-
|
|||
|
request/multiple-response operations or in conjunction with a control
|
|||
|
when extending existing LDAP operations in a way that requires them
|
|||
|
to return intermediate response information.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Harrison & Zeilenga Standards Track [Page 1]
|
|||
|
|
|||
|
RFC 3771 LDAP Intermediate Response April 2004
|
|||
|
|
|||
|
|
|||
|
1. Introduction
|
|||
|
|
|||
|
The Lightweight Directory Access Protocol (LDAP), version 3 [RFC3377]
|
|||
|
is an extensible protocol. Extended operations ([RFC2251] Section
|
|||
|
4.12) are defined to allow for the addition of operations to LDAP,
|
|||
|
without requiring revisions of the protocol. Similarly, controls
|
|||
|
([RFC2251] Section 4.1.12) are defined to extend or modify the
|
|||
|
behavior of existing LDAP operations.
|
|||
|
|
|||
|
LDAP is a client-request/server-response based protocol. With the
|
|||
|
exception of the search operation, the entire response to an
|
|||
|
operation request is returned in a single protocol data unit (i.e.,
|
|||
|
LDAP message). While this single-request/single-response paradigm is
|
|||
|
sufficient for many operations (including all but one of those
|
|||
|
currently defined by [RFC3377]), both intuition and practical
|
|||
|
experience validate the notion that it is insufficient for others.
|
|||
|
|
|||
|
For example, the LDAP delete operation could be extended via a
|
|||
|
subtree control to mean that an entire subtree is to be deleted. A
|
|||
|
subtree delete operation needs to return continuation references
|
|||
|
based upon subordinate knowledge information contained in the server
|
|||
|
so that the client can complete the operation. Returning references
|
|||
|
as they are found, instead of with the final result, allows the
|
|||
|
client to perform the operation more efficiently because it does not
|
|||
|
have to wait for the final result to get this continuation reference
|
|||
|
information.
|
|||
|
|
|||
|
Similarly, an engineer might choose to design the subtree delete
|
|||
|
operation as an extended operation of its own rather than using a
|
|||
|
subtree control in conjunction with the delete operation. Once
|
|||
|
again, the same continuation reference information is needed by the
|
|||
|
client to complete the operation, and sending the continuation
|
|||
|
references as they are found would allow the client to perform the
|
|||
|
operation more efficiently.
|
|||
|
|
|||
|
Operations that are completed in stages or that progress through
|
|||
|
various states as they are completed might want to send intermediate
|
|||
|
responses to the client, thereby informing it of the status of the
|
|||
|
operation. For example, an LDAP implementation might define an
|
|||
|
extended operation to create a new replica of an administrative area
|
|||
|
on a server, and the operation is completed in three stages: (1)
|
|||
|
begin creation of replica, (2) send replica data to server, (3)
|
|||
|
replica creation complete. Intermediate messages might be sent from
|
|||
|
the server to the client at the beginning of each stage with the
|
|||
|
final response for the extended operation being sent after stage (3)
|
|||
|
is complete.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Harrison & Zeilenga Standards Track [Page 2]
|
|||
|
|
|||
|
RFC 3771 LDAP Intermediate Response April 2004
|
|||
|
|
|||
|
|
|||
|
As LDAP [RFC3377] is currently defined, there is no general LDAP
|
|||
|
message type that can be used to return intermediate results. A
|
|||
|
single, reusable LDAP message for carrying intermediate response
|
|||
|
information is desired to avoid repeated modification of the
|
|||
|
protocol. Although the ExtendedResponse message is defined in LDAP,
|
|||
|
it is defined to be the one and only response message to an
|
|||
|
ExtendedRequest message ([RFC2251] Section 4.12), for unsolicited
|
|||
|
notifications ([RFC2251] Section 4.4), and to return intermediate
|
|||
|
responses for the search operation ([RFC3377] Section 4.5.2, also see
|
|||
|
Section 5 below). The adaptation of ExtendedResponse as a general
|
|||
|
intermediate response mechanism would be problematic. In particular,
|
|||
|
existing APIs would likely have to be redesigned. It is believed
|
|||
|
(based upon operational experience) that the addition of a new
|
|||
|
message to carry intermediate result information is easier to
|
|||
|
implement and is less likely to cause interoperability problems with
|
|||
|
existing deployed implementations.
|
|||
|
|
|||
|
This document defines and describes the LDAP IntermediateResponse
|
|||
|
message. This message is intended to be used in conjunction with
|
|||
|
ExtendedRequest and ExtendedResponse to define new single-
|
|||
|
request/multiple-response operations or in conjunction with a control
|
|||
|
when extending existing LDAP operations in a way that requires them
|
|||
|
to return intermediate response information.
|
|||
|
|
|||
|
It is intended that the definitions and descriptions of extended
|
|||
|
operations and controls using the IntermediateResponse message will
|
|||
|
define the circumstances in which an IntermediateResponse message can
|
|||
|
be sent by a server and the associated meaning of the
|
|||
|
IntermediateResponse message sent in a particular circumstance.
|
|||
|
Similarly, it is intended that clients will explicitly solicit
|
|||
|
IntermediateResponse messages by issuing operations that specifically
|
|||
|
call for their return.
|
|||
|
|
|||
|
The LDAP Content Sync Operation [ZEILENGA] demonstrates one use of
|
|||
|
LDAP Intermediate Response messages.
|
|||
|
|
|||
|
2. Conventions used in this document
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in [RFC2119].
|
|||
|
|
|||
|
The term "request control" is used to describe a control that is
|
|||
|
included in an LDAP request message sent from an LDAP client to an
|
|||
|
LDAP server.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Harrison & Zeilenga Standards Track [Page 3]
|
|||
|
|
|||
|
RFC 3771 LDAP Intermediate Response April 2004
|
|||
|
|
|||
|
|
|||
|
3. The IntermediateResponse Message
|
|||
|
|
|||
|
This document extends the protocolOp CHOICE of LDAPMessage ([RFC2251]
|
|||
|
Section 4.1.1) to include the field:
|
|||
|
|
|||
|
intermediateResponse IntermediateResponse
|
|||
|
|
|||
|
where IntermediateResponse is defined as:
|
|||
|
|
|||
|
IntermediateResponse ::= [APPLICATION 25] SEQUENCE {
|
|||
|
responseName [0] LDAPOID OPTIONAL,
|
|||
|
responseValue [1] OCTET STRING OPTIONAL }
|
|||
|
|
|||
|
IntermediateResponse messages SHALL NOT be returned to the client
|
|||
|
unless the client issues a request that specifically solicits their
|
|||
|
return. This document defines two forms of solicitation: extended
|
|||
|
operation and request control.
|
|||
|
|
|||
|
Although the responseName and responseValue are optional in some
|
|||
|
circumstances, IntermediateResponse messages usually have a
|
|||
|
predefined responseName and a responseValue. The value of the
|
|||
|
responseName (if present), the syntax of the responseValue (if
|
|||
|
present) and the semantics associated with a particular
|
|||
|
IntermediateResponse message MUST be specified in documents
|
|||
|
describing the extended operation or request control that uses them.
|
|||
|
Sections 3.1 and 3.2 describe additional requirements for the
|
|||
|
inclusion of responseName and responseValue in IntermediateResponse
|
|||
|
messages.
|
|||
|
|
|||
|
3.1. Usage with LDAP ExtendedRequest and ExtendedResponse
|
|||
|
|
|||
|
A single-request/multiple-response operation may be defined using a
|
|||
|
single ExtendedRequest message to solicit zero or more
|
|||
|
IntermediateResponse messages, of one or more kinds, followed by an
|
|||
|
ExtendedResponse message.
|
|||
|
|
|||
|
An extended operation that defines the return of multiple kinds of
|
|||
|
IntermediateResponse messages MUST provide and document a mechanism
|
|||
|
for the client to distinguish the kind of IntermediateResponse
|
|||
|
message being sent. This SHALL be accomplished by using different
|
|||
|
responseName values for each type of IntermediateResponse message
|
|||
|
associated with the extended operation or by including identifying
|
|||
|
information in the responseValue of each type of IntermediateResponse
|
|||
|
message associated with the extended operation.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Harrison & Zeilenga Standards Track [Page 4]
|
|||
|
|
|||
|
RFC 3771 LDAP Intermediate Response April 2004
|
|||
|
|
|||
|
|
|||
|
3.2. Usage with LDAP Request Controls
|
|||
|
|
|||
|
Any LDAP operation may be extended by the addition of one or more
|
|||
|
controls ([RFC2251] Section 4.1.12). A control's semantics may
|
|||
|
include the return of zero or more IntermediateResponse messages
|
|||
|
prior to returning the final result code for the operation. One or
|
|||
|
more kinds of IntermediateResponse messages may be sent in response
|
|||
|
to a request control.
|
|||
|
|
|||
|
All IntermediateResponse messages associated with request controls
|
|||
|
SHALL include a responseName. This requirement ensures that the
|
|||
|
client can correctly identify the source of IntermediateResponse
|
|||
|
messages when:
|
|||
|
|
|||
|
a) two or more controls using IntermediateResponse messages are
|
|||
|
included in a request for any LDAP operation or
|
|||
|
|
|||
|
b) one or more controls using IntermediateResponse messages are
|
|||
|
included in a request with an LDAP extended operation that uses
|
|||
|
IntermediateResponse messages.
|
|||
|
|
|||
|
A request control that defines the return of multiple kinds of
|
|||
|
IntermediateResponse messages MUST provide and document a mechanism
|
|||
|
for the client to distinguish the kind of IntermediateResponse
|
|||
|
message being sent. This SHALL be accomplished by using different
|
|||
|
responseName values for each type of IntermediateResponse message
|
|||
|
associated with the request control or by including identifying
|
|||
|
information in the responseValue of each type of IntermediateResponse
|
|||
|
message associated with the request control.
|
|||
|
|
|||
|
4. Advertising Support for IntermediateResponse Messages
|
|||
|
|
|||
|
Because IntermediateResponse messages are associated with extended
|
|||
|
operations or controls and LDAP provides a means for advertising the
|
|||
|
extended operations and controls supported by a server (using the
|
|||
|
supportedExtension ([RFC2252] Section 5.2.3) and supportedControl
|
|||
|
([RFC2252] Section 5.2.4) attributes of the root DSE), there is no
|
|||
|
need for a separate means of advertising support for intermediate
|
|||
|
response messages.
|
|||
|
|
|||
|
5. Use of IntermediateResponse and ExtendedResponse with Search
|
|||
|
|
|||
|
It is noted that ExtendedResponse messages may be sent in response to
|
|||
|
LDAP search operations with controls ([RFC2251] Section 4.5.2). This
|
|||
|
use of ExtendedResponse messages SHOULD be viewed as deprecated, in
|
|||
|
favor of use of the IntermediateResponse messages.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Harrison & Zeilenga Standards Track [Page 5]
|
|||
|
|
|||
|
RFC 3771 LDAP Intermediate Response April 2004
|
|||
|
|
|||
|
|
|||
|
6. Security Considerations
|
|||
|
|
|||
|
This document describes an enhancement to LDAP. All security
|
|||
|
considerations of [RFC3377] apply to this document; however, it does
|
|||
|
not introduce any new security considerations to LDAP.
|
|||
|
|
|||
|
Security considerations specific to each extension using this
|
|||
|
protocol mechanism shall be discussed in the technical specification
|
|||
|
detailing the extension.
|
|||
|
|
|||
|
7. IANA Considerations
|
|||
|
|
|||
|
Registration of the following value has been completed [RFC3383].
|
|||
|
|
|||
|
7.1. LDAP Message Type
|
|||
|
|
|||
|
The IANA has registered an LDAP Message Type (25) to identify the
|
|||
|
LDAP IntermediateResponse message as defined in section 3 of this
|
|||
|
document.
|
|||
|
|
|||
|
The following registration template is suggested:
|
|||
|
|
|||
|
Subject: Request for LDAP Message Type Registration
|
|||
|
Person & email address to contact for further information:
|
|||
|
Roger Harrison <roger_harrison@novell.com>
|
|||
|
Specification: RFC3771
|
|||
|
Author/Change Controller: IESG
|
|||
|
Comments: Identifies the LDAP IntermediateResponse Message
|
|||
|
|
|||
|
8. Acknowledgments
|
|||
|
|
|||
|
The authors would like to acknowledge the members of the IETF LDAP
|
|||
|
Extensions (ldapext) working group mail list who responded to the
|
|||
|
suggestion that a multiple-response paradigm might be useful for LDAP
|
|||
|
extended requests. Special thanks to two individuals: David Wilbur
|
|||
|
who first introduced the idea on the working group list, and Thomas
|
|||
|
Salter, who succinctly summarized the group's discussion.
|
|||
|
|
|||
|
9. References
|
|||
|
|
|||
|
9.1. Normative References
|
|||
|
|
|||
|
[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
|
|||
|
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
|
|||
|
Access Protocol (v3)", RFC 2251, December 1997.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Harrison & Zeilenga Standards Track [Page 6]
|
|||
|
|
|||
|
RFC 3771 LDAP Intermediate Response April 2004
|
|||
|
|
|||
|
|
|||
|
[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
|
|||
|
"Lightweight Directory Access Protocol (v3): Attribute
|
|||
|
Syntax Definitions", RFC 2252, December 1997.
|
|||
|
|
|||
|
[RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
|
|||
|
Protocol (v3): Technical Specification", RFC 3377,
|
|||
|
September 2002.
|
|||
|
|
|||
|
[RFC3383] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
|
|||
|
Considerations for the Lightweight Directory Access
|
|||
|
Protocol (LDAP)", BCP 64, RFC 3383, September 2002.
|
|||
|
|
|||
|
9.2. Informative References
|
|||
|
|
|||
|
[ZEILENGA] Zeilenga, K., "LDAP Content Synchronization Operation",
|
|||
|
Work in Progress, February 2004.
|
|||
|
|
|||
|
10. Authors' Addresses
|
|||
|
|
|||
|
Roger Harrison
|
|||
|
Novell, Inc.
|
|||
|
1800 S. Novell Place
|
|||
|
Provo, UT 84606
|
|||
|
|
|||
|
Phone: +1 801 861 2642
|
|||
|
EMail: roger_harrison@novell.com
|
|||
|
|
|||
|
|
|||
|
Kurt D. Zeilenga
|
|||
|
OpenLDAP Foundation
|
|||
|
|
|||
|
EMail: Kurt@OpenLDAP.org
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Harrison & Zeilenga Standards Track [Page 7]
|
|||
|
|
|||
|
RFC 3771 LDAP Intermediate Response April 2004
|
|||
|
|
|||
|
|
|||
|
11. Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2004). This document is subject
|
|||
|
to the rights, licenses and restrictions contained in BCP 78, and
|
|||
|
except as set forth therein, the authors retain all their rights.
|
|||
|
|
|||
|
This document and the information contained herein are provided on an
|
|||
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
|||
|
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
|||
|
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|||
|
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|||
|
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|||
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
Intellectual Property
|
|||
|
|
|||
|
The IETF takes no position regarding the validity or scope of any
|
|||
|
Intellectual Property Rights or other rights that might be claimed to
|
|||
|
pertain to the implementation or use of the technology described in
|
|||
|
this document or the extent to which any license under such rights
|
|||
|
might or might not be available; nor does it represent that it has
|
|||
|
made any independent effort to identify any such rights. Information
|
|||
|
on the procedures with respect to rights in RFC documents can be
|
|||
|
found in BCP 78 and BCP 79.
|
|||
|
|
|||
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|||
|
assurances of licenses to be made available, or the result of an
|
|||
|
attempt made to obtain a general license or permission for the use of
|
|||
|
such proprietary rights by implementers or users of this
|
|||
|
specification can be obtained from the IETF on-line IPR repository at
|
|||
|
http://www.ietf.org/ipr.
|
|||
|
|
|||
|
The IETF invites any interested party to bring to its attention any
|
|||
|
copyrights, patents or patent applications, or other proprietary
|
|||
|
rights that may cover technology that may be required to implement
|
|||
|
this standard. Please address the information to the IETF at ietf-
|
|||
|
ipr@ietf.org.
|
|||
|
|
|||
|
Acknowledgement
|
|||
|
|
|||
|
Funding for the RFC Editor function is currently provided by the
|
|||
|
Internet Society.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Harrison & Zeilenga Standards Track [Page 8]
|
|||
|
|