mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-24 13:24:56 +08:00
676 lines
24 KiB
Plaintext
676 lines
24 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group D. Chadwick
|
|||
|
Request for Comments: 3876 University of Salford
|
|||
|
Category: Standards Track S. Mullan
|
|||
|
Sun Microsystems
|
|||
|
September 2004
|
|||
|
|
|||
|
|
|||
|
Returning Matched Values with the
|
|||
|
Lightweight Directory Access Protocol version 3 (LDAPv3)
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This document specifies an Internet standards track protocol for the
|
|||
|
Internet community, and requests discussion and suggestions for
|
|||
|
improvements. Please refer to the current edition of the "Internet
|
|||
|
Official Protocol Standards" (STD 1) for the standardization state
|
|||
|
and status of this protocol. Distribution of this memo is unlimited.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2004).
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document describes a control for the Lightweight Directory
|
|||
|
Access Protocol version 3 that is used to return a subset of
|
|||
|
attribute values from an entry. Specifically, only those values that
|
|||
|
match a "values return" filter. Without support for this control, a
|
|||
|
client must retrieve all of an attribute's values and search for
|
|||
|
specific values locally.
|
|||
|
|
|||
|
1. Introduction
|
|||
|
|
|||
|
When reading an attribute from an entry using the Lightweight
|
|||
|
Directory Access Protocol version 3 (LDAPv3) [2], it is normally only
|
|||
|
possible to read either the attribute type, or the attribute type and
|
|||
|
all its values. It is not possible to selectively read just a few of
|
|||
|
the attribute values. If an attribute holds many values, for
|
|||
|
example, the userCertificate attribute, or the subschema publishing
|
|||
|
operational attributes objectClasses and attributeTypes [3], then it
|
|||
|
may be desirable for the user to be able to selectively retrieve a
|
|||
|
subset of the values, specifically, those attribute values that match
|
|||
|
some user defined selection criteria. Without the control specified
|
|||
|
in this document, a client must read all of the attribute's values
|
|||
|
and filter out the unwanted values, necessitating the client to
|
|||
|
implement the matching rules. It also requires the client to
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 1]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
potentially read and process many irrelevant values, which can be
|
|||
|
inefficient if the values are large or complex, or there are many
|
|||
|
values stored per attribute.
|
|||
|
|
|||
|
This document specifies an LDAPv3 control to enable a user to return
|
|||
|
only those values that matched (i.e., returned TRUE to) one or more
|
|||
|
elements of a newly defined "values return" filter. This control can
|
|||
|
be especially useful when used in conjunction with extensible
|
|||
|
matching rules that match on one or more components of complex binary
|
|||
|
attribute values.
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in BCP 14, RFC 2119 [4].
|
|||
|
|
|||
|
2. The valuesReturnFilter Control
|
|||
|
|
|||
|
The valuesReturnFilter control is either critical or non-critical as
|
|||
|
determined by the user. It only has meaning for the Search
|
|||
|
operation, and SHOULD only be added to the Search operation by the
|
|||
|
client. If the server supports the control and it is present on a
|
|||
|
Search operation, the server MUST obey the control, regardless of the
|
|||
|
value of the criticality flag.
|
|||
|
|
|||
|
If the control is marked as critical, and either the server does not
|
|||
|
support the control or the control is applied to an operation other
|
|||
|
than Search, the server MUST return an unavailableCriticalExtension
|
|||
|
error. If the control is not marked as critical, and either the
|
|||
|
server does not support the control or the control is applied to an
|
|||
|
operation other than Search, then the server MUST ignore the control.
|
|||
|
|
|||
|
The object identifier for this control is 1.2.826.0.1.3344810.2.3.
|
|||
|
|
|||
|
The controlValue is an OCTET STRING, whose value is the BER encoding
|
|||
|
[6], as per Section 5.1 of RFC 2251 [2], of a value of the ASN.1 [5]
|
|||
|
type ValuesReturnFilter.
|
|||
|
|
|||
|
ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
|
|||
|
|
|||
|
SimpleFilterItem ::= CHOICE {
|
|||
|
equalityMatch [3] AttributeValueAssertion,
|
|||
|
substrings [4] SubstringFilter,
|
|||
|
greaterOrEqual [5] AttributeValueAssertion,
|
|||
|
lessOrEqual [6] AttributeValueAssertion,
|
|||
|
present [7] AttributeDescription,
|
|||
|
approxMatch [8] AttributeValueAssertion,
|
|||
|
extensibleMatch [9] SimpleMatchingAssertion }
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 2]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
SimpleMatchingAssertion ::= SEQUENCE {
|
|||
|
matchingRule [1] MatchingRuleId OPTIONAL,
|
|||
|
type [2] AttributeDescription OPTIONAL,
|
|||
|
--- at least one of the above must be present
|
|||
|
matchValue [3] AssertionValue}
|
|||
|
|
|||
|
All the above data types have their standard meanings as defined in
|
|||
|
[2].
|
|||
|
|
|||
|
If the server supports this control, the server MUST make use of the
|
|||
|
control as follows:
|
|||
|
|
|||
|
1) The Search Filter is first executed in order to determine which
|
|||
|
entries satisfy the Search criteria (these are the filtered
|
|||
|
entries). The control has no impact on this step.
|
|||
|
|
|||
|
2) If the typesOnly parameter of the Search Request is TRUE, the
|
|||
|
control has no effect and the Search Request is processed as if
|
|||
|
the control had not been specified.
|
|||
|
|
|||
|
3) If the attributes parameter of the Search Request consists of a
|
|||
|
list containing only the attribute with OID "1.1" (specifying that
|
|||
|
no attributes are to be returned), the control has no effect and
|
|||
|
the Search Request is processed as if the control had not been
|
|||
|
specified.
|
|||
|
|
|||
|
4) For each attribute listed in the attributes parameter of the
|
|||
|
Search Request, the server MUST apply the control as follows to
|
|||
|
each entry in the set of filtered entries:
|
|||
|
|
|||
|
i) Every attribute value that evaluates TRUE against one or more
|
|||
|
elements of the ValuesReturnFilter is placed in the
|
|||
|
corresponding SearchResultEntry.
|
|||
|
|
|||
|
ii) Every attribute value that evaluates FALSE or undefined
|
|||
|
against all elements of the ValuesReturnFilter is not placed
|
|||
|
in the corresponding SearchResultEntry. An attribute that has
|
|||
|
no values selected is returned with an empty set of values.
|
|||
|
|
|||
|
Note. If the AttributeDescriptionList (see [2]) is empty or
|
|||
|
comprises "*", then the control MUST be applied against every user
|
|||
|
attribute. If the AttributeDescriptionList contains a "+", then the
|
|||
|
control MUST be applied against every operational attribute.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 3]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
3. Relationship to X.500
|
|||
|
|
|||
|
The control is a superset of the matchedValuesOnly (MVO) boolean of
|
|||
|
the X.500 Directory Access Protocol (DAP) [8] Search argument, as
|
|||
|
amended in the latest version [9]. Close examination of the
|
|||
|
matchedValuesOnly boolean by the LDAP Extensions (LDAPEXT) Working
|
|||
|
Group revealed ambiguities and complexities in the MVO boolean that
|
|||
|
could not easily be resolved. For example, it was not clear if the
|
|||
|
MVO boolean governed only those attribute values that contributed to
|
|||
|
the overall truth of the filter, or all of the attribute values, even
|
|||
|
if the filter item containing the attribute was evaluated as false.
|
|||
|
For this reason the LDAPEXT group decided to replace the MVO boolean
|
|||
|
with a simple filter that removes any uncertainty as to whether an
|
|||
|
attribute value has been selected or not.
|
|||
|
|
|||
|
4. Relationship to other LDAP Controls
|
|||
|
|
|||
|
The purpose of this control is to select zero, one, or more attribute
|
|||
|
values from each requested attribute in a filtered entry, and to
|
|||
|
discard the remainder. Once the attribute values have been discarded
|
|||
|
by this control, they MUST NOT be re-instated into the Search results
|
|||
|
by other controls.
|
|||
|
|
|||
|
This control acts independently of other LDAP controls such as server
|
|||
|
side sorting [13] and duplicate entries [10]. However, there might
|
|||
|
be interactions between this control and other controls so that a
|
|||
|
different set of Search Result Entries are returned, or the entries
|
|||
|
are returned in a different order, depending upon the sequencing of
|
|||
|
this control and other controls in the LDAP request. For example,
|
|||
|
with server side sorting, if sorting is done first, and value return
|
|||
|
filtering second, the set of Search Results may appear to be in the
|
|||
|
wrong order since the value filtering may remove the attribute values
|
|||
|
upon which the ordering was done. (The sorting document specifies
|
|||
|
that entries without any sort key attribute values should be treated
|
|||
|
as coming after all other attribute values.) Similarly with
|
|||
|
duplicate entries, if duplication is performed before value
|
|||
|
filtering, the set of Search Result Entries may contain identical
|
|||
|
duplicate entries, each with an empty set of attribute values,
|
|||
|
because the value filtering removed the attribute values that were
|
|||
|
used to duplicate the results.
|
|||
|
|
|||
|
For these reasons, the ValuesReturnFilter control in a SearchRequest
|
|||
|
SHOULD precede other controls that affect the number and ordering of
|
|||
|
SearchResultEntrys.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 4]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
5. Examples
|
|||
|
|
|||
|
All entries are provided in an LDAP Data Interchange Format
|
|||
|
(LDIF)[11].
|
|||
|
|
|||
|
The string representation of the valuesReturnFilter in the examples
|
|||
|
below uses the following ABNF [15] notation:
|
|||
|
|
|||
|
valuesReturnFilter = "(" 1*simpleFilterItem ")"
|
|||
|
simpleFilterItem = "(" item ")"
|
|||
|
|
|||
|
where item is as defined below (adapted from RFC2254 [14]).
|
|||
|
|
|||
|
item = simple / present / substring / extensible
|
|||
|
simple = attr filtertype value
|
|||
|
filtertype = equal / approx / greater / less
|
|||
|
equal = "="
|
|||
|
approx = "~="
|
|||
|
greater = ">="
|
|||
|
less = "<="
|
|||
|
extensible = attr [":" matchingrule] ":=" value
|
|||
|
/ ":" matchingrule ":=" value
|
|||
|
present = attr "=*"
|
|||
|
substring = attr "=" [initial] any [final]
|
|||
|
initial = value
|
|||
|
any = "*" *(value "*")
|
|||
|
final = value
|
|||
|
attr = AttributeDescription from Section 4.1.5 of [1]
|
|||
|
matchingrule = MatchingRuleId from Section 4.1.9 of [1]
|
|||
|
value = AttributeValue from Section 4.1.6 of [1]
|
|||
|
|
|||
|
1) The first example shows how the control can be set to return all
|
|||
|
attribute values from one attribute type (e.g., telephoneNumber)
|
|||
|
and a subset of values from another attribute type (e.g., mail).
|
|||
|
|
|||
|
The entries below represent organizationalPerson object classes
|
|||
|
located somewhere beneath the distinguished name dc=ac,dc=uk.
|
|||
|
|
|||
|
dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
|
|||
|
cn: Sean Mullan
|
|||
|
sn: Mullan
|
|||
|
objectClass: organizationalPerson
|
|||
|
objectClass: person
|
|||
|
objectClass: inetOrgPerson
|
|||
|
mail: sean.mullan@hotmail.com
|
|||
|
mail: mullan@east.sun.com
|
|||
|
telephoneNumber: + 781 442 0926
|
|||
|
telephoneNumber: 555-9999
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 5]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
dn: cn=David Chadwick,ou=isi,o=salford,dc=ac,dc=uk
|
|||
|
cn: David Chadwick
|
|||
|
sn: Chadwick
|
|||
|
objectClass: organizationalPerson
|
|||
|
objectClass: person
|
|||
|
objectClass: inetOrgPerson
|
|||
|
mail: d.w.chadwick@salford.ac.uk
|
|||
|
|
|||
|
An LDAP search operation is specified with a baseObject set to the DN
|
|||
|
of the search base (i.e., dc=ac,dc=uk), a subtree scope, a filter set
|
|||
|
to (sn=mullan), and the list of attributes to be returned set to
|
|||
|
"mail,telephoneNumber" or "*". In addition, a ValuesReturnFilter
|
|||
|
control is set to ((mail=*hotmail.com)(telephoneNumber=*)).
|
|||
|
|
|||
|
The search results returned by the server would consist of the
|
|||
|
following entry:
|
|||
|
|
|||
|
dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
|
|||
|
mail: sean.mullan@hotmail.com
|
|||
|
telephoneNumber: + 781 442 0926
|
|||
|
telephoneNumber: 555-9999
|
|||
|
|
|||
|
Note that the control has no effect on the values returned for the
|
|||
|
"telephoneNumber" attribute (all of the values are returned), since
|
|||
|
the control specified that all values should be returned.
|
|||
|
|
|||
|
2) The second example shows how one might retrieve a single attribute
|
|||
|
type subschema definition for the "gunk" attribute with OID
|
|||
|
1.2.3.4.5 from the subschema subentry.
|
|||
|
|
|||
|
Assume the subschema subentry is held below the root entry with DN
|
|||
|
cn=subschema subentry,o=myorg and this holds an attributeTypes
|
|||
|
operational attribute holding the descriptions of the 35 attributes
|
|||
|
known to this server (each description is held as a single attribute
|
|||
|
value of the attributeTypes attribute).
|
|||
|
|
|||
|
dn: cn=subschema subentry,o=myorg
|
|||
|
cn: subschema subentry
|
|||
|
objectClass: subschema
|
|||
|
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name )
|
|||
|
attributeTypes: ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
|
|||
|
attributeTypes: ( 2.5.4.0 NAME 'objectClass' EQUALITY obj
|
|||
|
ectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
|
|||
|
attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY gen
|
|||
|
eralizedTimeMatch ORDERING generalizedTimeOrderingMatch SYN
|
|||
|
TAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-
|
|||
|
MODIFICATION USAGE directoryOperation )
|
|||
|
attributeTypes: ( 2.5.21.6 NAME 'objectClasses' EQUALITY obj
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 6]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
ectIdentifierFirstComponentMatch SYNTAX 1.3.
|
|||
|
6.1.4.1.1466.115.121.1.37 USAGE directoryOperation )
|
|||
|
attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMat
|
|||
|
ch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.
|
|||
|
6.1.4.1.1466.115.121.1.44{64} )
|
|||
|
attributeTypes: ( 2.5.21.5 NAME 'attributeTypes' EQUALITY obj
|
|||
|
ectIdentifierFirstComponentMatch SYNTAX 1.3.
|
|||
|
6.1.4.1.1466.115.121.1.3 USAGE directoryOperation )
|
|||
|
|
|||
|
plus another 28 - you get the idea.
|
|||
|
|
|||
|
The user creates an LDAP search operation with a baseObject set to
|
|||
|
cn=subschema subentry,o=myorg, a scope of base, a filter set to
|
|||
|
(objectClass=subschema), the list of attributes to be returned set to
|
|||
|
"attributeTypes", and the ValuesReturnFilter set to
|
|||
|
((attributeTypes=1.2.3.4.5))
|
|||
|
|
|||
|
The search result returned by the server would consist of the
|
|||
|
following entry:
|
|||
|
|
|||
|
dn: cn=subschema subentry,o=myorg
|
|||
|
attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMat
|
|||
|
ch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.
|
|||
|
6.1.4.1.1466.115.121.1.44{64} )
|
|||
|
|
|||
|
3) The final example shows how the control can be used to match on a
|
|||
|
userCertificate attribute value. Note that this example requires
|
|||
|
the LDAP server to support the certificateExactMatch matching rule
|
|||
|
defined in [12] as the EQUALITY matching rule for userCertificate.
|
|||
|
|
|||
|
The entry below represents a pkiUser object class stored in the
|
|||
|
directory.
|
|||
|
|
|||
|
dn: cn=David Chadwick,ou=people,o=University of Salford,c=gb
|
|||
|
cn: David Chadwick
|
|||
|
objectClass: person
|
|||
|
objectClass: organizationalPerson
|
|||
|
objectClass: pkiUser
|
|||
|
objectClass: inetOrgPerson
|
|||
|
sn: Chadwick
|
|||
|
mail: d.w.chadwick@salford.ac.uk
|
|||
|
userCertificate;binary: {binary representation of a certificate with
|
|||
|
a serial number of 2468 issued by o=truetrust ltd,c=gb}
|
|||
|
userCertificate;binary: {binary representation of certificate with a
|
|||
|
serial number of 1357 issued by o=truetrust ltd,c=gb}
|
|||
|
userCertificate;binary: {binary representation of certificate with a
|
|||
|
serial number of 1234 issued by dc=certsRus,dc=com}
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 7]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
An LDAP search operation is specified with a baseObject set to
|
|||
|
o=University of Salford,c=gb, a subtree scope, a filter set to
|
|||
|
(sn=chadwick), and the list of attributes to be returned set to
|
|||
|
"userCertificate;binary". In addition, a ValuesReturnFilter control
|
|||
|
is set to ((userCertificate=1357$o=truetrust ltd,c=gb)).
|
|||
|
|
|||
|
The search result returned by the server would consist of the
|
|||
|
following entry:
|
|||
|
|
|||
|
dn: cn=David Chadwick,ou=people,o=University of Salford,c=gb
|
|||
|
userCertificate;binary: {binary representation of certificate with a
|
|||
|
serial number of 1357 issued by o=truetrust ltd,c=gb}
|
|||
|
|
|||
|
6. Security Considerations
|
|||
|
|
|||
|
This document does not primarily discuss security issues.
|
|||
|
|
|||
|
Note however that attribute values MUST only be returned if the
|
|||
|
access controls applied by the LDAP server allow them to be returned,
|
|||
|
and in this respect the effect of the ValuesReturnFilter control is
|
|||
|
of no consequence.
|
|||
|
|
|||
|
Note that the ValuesReturnFilter control may have a positive effect
|
|||
|
on the deployment of public key infrastructures. Certain PKI
|
|||
|
operations, like searching for specific certificates, become more
|
|||
|
scalable, and more practical when combined with X.509 certificate
|
|||
|
matching rules at the server, since the control avoids the
|
|||
|
downloading of potentially large numbers of irrelevant certificates
|
|||
|
which would have to be processed and filtered locally (which in some
|
|||
|
cases is very difficult to perform).
|
|||
|
|
|||
|
7. IANA Considerations
|
|||
|
|
|||
|
The Matched Values control as an LDAP Protocol Mechanism [7] has been
|
|||
|
registered as follows:
|
|||
|
|
|||
|
Subject: Request for LDAP Protocol Mechanism Registration
|
|||
|
|
|||
|
Object Identifier: 1.2.826.0.1.3344810.2.3
|
|||
|
Description: Matched Values Control
|
|||
|
Person & email address to contact for further information:
|
|||
|
David Chadwick <d.w.chadwick@salford.ac.uk>
|
|||
|
Usage: Control
|
|||
|
Specification: RFC3876
|
|||
|
Author/Change Controller: IESG
|
|||
|
Comments: none
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 8]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
This document uses the OID 1.2.826.0.1.3344810.2.3 to identify the
|
|||
|
matchedValues control described here. This OID was assigned by
|
|||
|
TrueTrust Ltd, under its BSI assigned English/Welsh Registered
|
|||
|
Company number [16].
|
|||
|
|
|||
|
8. Acknowledgements
|
|||
|
|
|||
|
The authors would like to thank members of the LDAPExt list for their
|
|||
|
constructive comments on earlier versions of this document, and in
|
|||
|
particular to Harald Alvestrand who first suggested having an
|
|||
|
attribute return filter and Bruce Greenblatt who first proposed a
|
|||
|
syntax for this control.
|
|||
|
|
|||
|
9. References
|
|||
|
|
|||
|
9.1. Normative References
|
|||
|
|
|||
|
[1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
|
|||
|
9, RFC 2026, October 1996.
|
|||
|
|
|||
|
[2] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
|
|||
|
Protocol (w3)", RFC 2251, December 1997.
|
|||
|
|
|||
|
[3] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
|
|||
|
Directory Access Protocol (v3): Attribute Syntax Definitions",
|
|||
|
RFC 2252, December 1997.
|
|||
|
|
|||
|
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
|||
|
Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
[5] ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998,
|
|||
|
Information Technology - Abstract Syntax Notation One (ASN.1):
|
|||
|
Specification of Basic Notation
|
|||
|
|
|||
|
[6] ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1,2,3:1998
|
|||
|
Information technology - ASN.1 encoding rules: Specification of
|
|||
|
Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and
|
|||
|
Distinguished Encoding Rules (DER)
|
|||
|
|
|||
|
[7] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
|
|||
|
Considerations for the Lightweight Directory Access Protocol
|
|||
|
(LDAP)", BCP 64, RFC 3383, September 2002.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 9]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
9.2. Informative References
|
|||
|
|
|||
|
[8] ITU-T Rec. X.511, "The Directory: Abstract Service Definition",
|
|||
|
1993.
|
|||
|
|
|||
|
[9] ISO/IEC 9594 / ITU-T Rec X.511 (2001) The Directory: Abstract
|
|||
|
Service Definition.
|
|||
|
|
|||
|
[10] Sermersheim, J., "LDAP Control for a Duplicate Entry
|
|||
|
Representation of Search Results", Work in Progress, October
|
|||
|
2000.
|
|||
|
|
|||
|
[11] Good, G., "The LDAP Data Interchange Format (LDIF) - Technical
|
|||
|
Specification", RFC 2849, June 2000.
|
|||
|
|
|||
|
[12] Chadwick, D. and S.Legg, "Internet X.509 Public Key
|
|||
|
Infrastructure - Additional LDAP Schema for PKIs", Work in
|
|||
|
Progress, June 2002
|
|||
|
|
|||
|
[13] Howes, T., Wahl, M., and A. Anantha, "LDAP Control Extension for
|
|||
|
Server Side Sorting of Search Results", RFC 2891, August 2000.
|
|||
|
|
|||
|
[14] Howes, T., "The String Representation of LDAP Search Filters",
|
|||
|
RFC 2254, December 1997.
|
|||
|
|
|||
|
[15] Crocker, D. and P. Overell, "Augmented BNF for Syntax
|
|||
|
Specifications: ABNF", RFC 2234, November 1997.
|
|||
|
|
|||
|
[16] BRITISH STANDARD BS 7453 Part 1. Procedures for UK Registration
|
|||
|
for Open System Standards Part 1: Procedures for the UK Name
|
|||
|
Registration Authority.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 10]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
10. Authors' Addresses
|
|||
|
|
|||
|
David Chadwick
|
|||
|
IS Institute
|
|||
|
University of Salford
|
|||
|
Salford M5 4WT
|
|||
|
England
|
|||
|
|
|||
|
Phone: +44 161 295 5351
|
|||
|
EMail: d.w.chadwick@salford.ac.uk
|
|||
|
|
|||
|
|
|||
|
Sean Mullan
|
|||
|
Sun Microsystems
|
|||
|
One Network Drive
|
|||
|
Burlington, MA 01803
|
|||
|
USA
|
|||
|
|
|||
|
EMail: sean.mullan@sun.com
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 11]
|
|||
|
|
|||
|
RFC 3876 Returning Matched Values with LDAPv3 September 2004
|
|||
|
|
|||
|
|
|||
|
11. Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2004).
|
|||
|
|
|||
|
This document is subject to the rights, licenses and restrictions
|
|||
|
contained in BCP 78, and except as set forth therein, the authors
|
|||
|
retain all their rights.
|
|||
|
|
|||
|
This document and the information contained herein are provided on an
|
|||
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE
|
|||
|
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
|
|||
|
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
|
|||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
|
|||
|
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|||
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
Intellectual Property
|
|||
|
|
|||
|
The IETF takes no position regarding the validity or scope of any
|
|||
|
Intellectual Property Rights or other rights that might be claimed to
|
|||
|
pertain to the implementation or use of the technology described in
|
|||
|
this document or the extent to which any license under such rights
|
|||
|
might or might not be available; nor does it represent that it has
|
|||
|
made any independent effort to identify any such rights. Information
|
|||
|
on the IETF's procedures with respect to rights in IETF Documents can
|
|||
|
be found in BCP 78 and BCP 79.
|
|||
|
|
|||
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|||
|
assurances of licenses to be made available, or the result of an
|
|||
|
attempt made to obtain a general license or permission for the use of
|
|||
|
such proprietary rights by implementers or users of this
|
|||
|
specification can be obtained from the IETF on-line IPR repository at
|
|||
|
http://www.ietf.org/ipr.
|
|||
|
|
|||
|
The IETF invites any interested party to bring to its attention any
|
|||
|
copyrights, patents or patent applications, or other proprietary
|
|||
|
rights that may cover technology that may be required to implement
|
|||
|
this standard. Please address the information to the IETF at ietf-
|
|||
|
ipr@ietf.org.
|
|||
|
|
|||
|
Acknowledgement
|
|||
|
|
|||
|
Funding for the RFC Editor function is currently provided by the
|
|||
|
Internet Society.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Chadwick & Mullan Standards Track [Page 12]
|
|||
|
|