mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
1684 lines
69 KiB
Plaintext
1684 lines
69 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group R. Megginson, Ed.
|
|||
|
Request for Comments: 3928 Netscape Communications Corp.
|
|||
|
Category: Standards Track M. Smith
|
|||
|
Pearl Crescent, LLC
|
|||
|
O. Natkovich
|
|||
|
Yahoo
|
|||
|
J. Parham
|
|||
|
Microsoft Corporation
|
|||
|
October 2004
|
|||
|
|
|||
|
|
|||
|
Lightweight Directory Access Protocol (LDAP)
|
|||
|
Client Update Protocol (LCUP)
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This document specifies an Internet standards track protocol for the
|
|||
|
Internet community, and requests discussion and suggestions for
|
|||
|
improvements. Please refer to the current edition of the "Internet
|
|||
|
Official Protocol Standards" (STD 1) for the standardization state
|
|||
|
and status of this protocol. Distribution of this memo is unlimited.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2004).
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document defines the Lightweight Directory Access Protocol
|
|||
|
(LDAP) Client Update Protocol (LCUP). The protocol is intended to
|
|||
|
allow an LDAP client to synchronize with the content of a directory
|
|||
|
information tree (DIT) stored by an LDAP server and to be notified
|
|||
|
about the changes to that content.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 1]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
Table of Contents
|
|||
|
|
|||
|
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
|||
|
2. Applicability. . . . . . . . . . . . . . . . . . . . . . . . . 4
|
|||
|
3. Specification of Protocol Elements . . . . . . . . . . . . . . 5
|
|||
|
3.1. ASN.1 Considerations . . . . . . . . . . . . . . . . . . 5
|
|||
|
3.2. Universally Unique Identifiers . . . . . . . . . . . . . 5
|
|||
|
3.3. LCUP Scheme and LCUP Cookie. . . . . . . . . . . . . . . 5
|
|||
|
3.4. LCUP Context . . . . . . . . . . . . . . . . . . . . . . 6
|
|||
|
3.5. Additional LDAP Result Codes defined by LCUP . . . . . . 6
|
|||
|
3.6. Sync Request Control . . . . . . . . . . . . . . . . . . 7
|
|||
|
3.7. Sync Update Control. . . . . . . . . . . . . . . . . . . 7
|
|||
|
3.8. Sync Done Control. . . . . . . . . . . . . . . . . . . . 8
|
|||
|
4. Protocol Usage and Flow. . . . . . . . . . . . . . . . . . . . 8
|
|||
|
4.1. LCUP Search Requests . . . . . . . . . . . . . . . . . . 8
|
|||
|
4.1.1. Initial Synchronization and Full Resync . . . . . 9
|
|||
|
4.1.2. Incremental or Update Synchronization . . . . . . 10
|
|||
|
4.1.3. Persistent Only . . . . . . . . . . . . . . . . . 10
|
|||
|
4.2. LCUP Search Responses. . . . . . . . . . . . . . . . . . 10
|
|||
|
4.2.1. Sync Update Informational Responses . . . . . . . 11
|
|||
|
4.2.2. Cookie Return Frequency . . . . . . . . . . . . . 11
|
|||
|
4.2.3. Definition of an Entry That Has Entered the
|
|||
|
Result Set. . . . . . . . . . . . . . . . . . . . 12
|
|||
|
4.2.4. Definition of an Entry That Has Changed . . . . . 13
|
|||
|
4.2.5. Definition of an Entry That Has Left the
|
|||
|
Result Set. . . . . . . . . . . . . . . . . . . . 13
|
|||
|
4.2.6. Results For Entries Present in the Result Set . . 14
|
|||
|
4.2.7. Results For Entries That Have Left the Result
|
|||
|
Set . . . . . . . . . . . . . . . . . . . . . . . 14
|
|||
|
4.3. Responses Requiring Special Consideration . . . . . . . . 15
|
|||
|
4.3.1. Returning Results During the Persistent Phase . . 15
|
|||
|
4.3.2. No Mixing of Sync Phase with Persist Phase. . . . 16
|
|||
|
4.3.3. Returning Updated Results During the Sync Phase . 16
|
|||
|
4.3.4. Operational Attributes and Administrative
|
|||
|
Entries . . . . . . . . . . . . . . . . . . . . . 16
|
|||
|
4.3.5. Virtual Attributes. . . . . . . . . . . . . . . . 17
|
|||
|
4.3.6. Modify DN and Delete Operations Applied to
|
|||
|
Subtrees. . . . . . . . . . . . . . . . . . . . . 17
|
|||
|
4.3.7. Convergence Guarantees. . . . . . . . . . . . . . 18
|
|||
|
4.4. LCUP Search Termination. . . . . . . . . . . . . . . . . 18
|
|||
|
4.4.1. Server Initiated Termination. . . . . . . . . . . 18
|
|||
|
4.4.2. Client Initiated Termination. . . . . . . . . . . 19
|
|||
|
4.5. Size and Time Limits . . . . . . . . . . . . . . . . . . 19
|
|||
|
4.6. Operations on the Same Connection. . . . . . . . . . . . 19
|
|||
|
4.7. Interactions with Other Controls . . . . . . . . . . . . 19
|
|||
|
4.8. Replication Considerations . . . . . . . . . . . . . . . 20
|
|||
|
5. Client Side Considerations . . . . . . . . . . . . . . . . . . 20
|
|||
|
5.1. Using Cookies with Different Search Criteria . . . . . . 20
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 2]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
5.2. Renaming the Base Object . . . . . . . . . . . . . . . . 20
|
|||
|
5.3. Use of Persistent Searches With Respect to Resources . . 21
|
|||
|
5.4. Continuation References to Other LCUP Contexts . . . . . 21
|
|||
|
5.5. Referral Handling. . . . . . . . . . . . . . . . . . . . 21
|
|||
|
5.6. Multiple Copies of Same Entry During Sync Phase. . . . . 21
|
|||
|
5.7. Handling Server Out of Resources Condition . . . . . . . 21
|
|||
|
6. Server Implementation Considerations . . . . . . . . . . . . . 22
|
|||
|
6.1. Server Support for UUIDs . . . . . . . . . . . . . . . . 22
|
|||
|
6.2. Example of Using an RUV as the Cookie Value. . . . . . . 22
|
|||
|
6.3. Cookie Support Issues. . . . . . . . . . . . . . . . . . 22
|
|||
|
6.3.1. Support for Multiple Cookie Schemes . . . . . . . 22
|
|||
|
6.3.2. Information Contained in the Cookie . . . . . . . 23
|
|||
|
6.4. Persist Phase Response Time. . . . . . . . . . . . . . . 23
|
|||
|
6.5. Scaling Considerations . . . . . . . . . . . . . . . . . 23
|
|||
|
6.6. Alias Dereferencing. . . . . . . . . . . . . . . . . . . 24
|
|||
|
7. Synchronizing Heterogeneous Data Stores. . . . . . . . . . . . 24
|
|||
|
8. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 24
|
|||
|
9. Security Considerations. . . . . . . . . . . . . . . . . . . . 24
|
|||
|
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
|
|||
|
10.1. Normative References . . . . . . . . . . . . . . . . . . 25
|
|||
|
10.2. Informative References . . . . . . . . . . . . . . . . . 26
|
|||
|
11. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 26
|
|||
|
Appendix - Features Left Out of LCUP . . . . . . . . . . . . . . . 27
|
|||
|
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29
|
|||
|
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 30
|
|||
|
|
|||
|
1. Overview
|
|||
|
|
|||
|
The LCUP protocol is intended to allow LDAP clients to synchronize
|
|||
|
with the content stored by LDAP servers.
|
|||
|
|
|||
|
The problem areas addressed by the protocol include:
|
|||
|
|
|||
|
- Mobile clients that maintain a local read-only copy of the
|
|||
|
directory data. While off-line, the client uses the local copy of
|
|||
|
the data. When the client connects to the network, it
|
|||
|
synchronizes with the current directory content and can optionally
|
|||
|
receive notification about the changes that occur while it is on-
|
|||
|
line. For example, a mail client can maintain a local copy of the
|
|||
|
corporate address book that it synchronizes with the master copy
|
|||
|
whenever the client is connected to the corporate network.
|
|||
|
|
|||
|
- Applications intending to synchronize heterogeneous data stores.
|
|||
|
A meta directory application, for instance, would periodically
|
|||
|
retrieve a list of modified entries from the directory, construct
|
|||
|
the changes and apply them to a foreign data store.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 3]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
- Clients that need to take certain actions when a directory entry
|
|||
|
is modified. For instance, an electronic mail repository may want
|
|||
|
to perform a "create mailbox" task when a new person entry is
|
|||
|
added to an LDAP directory and a "delete mailbox" task when a
|
|||
|
person entry is removed.
|
|||
|
|
|||
|
The problem areas not being considered:
|
|||
|
|
|||
|
- Directory server to directory server synchronization. The IETF is
|
|||
|
developing a LDAP replication protocol, called LDUP [RFC3384],
|
|||
|
which is specifically designed to address this problem area.
|
|||
|
|
|||
|
There are currently several protocols in use for LDAP client server
|
|||
|
synchronization. While each protocol addresses the needs of a
|
|||
|
particular group of clients (e.g., on-line clients or off-line
|
|||
|
clients), none satisfies the requirements of all clients in the
|
|||
|
target group. For instance, a mobile client that was off-line and
|
|||
|
wants to become up to date with the server and stay up to date while
|
|||
|
connected can't be easily supported by any of the existing protocols.
|
|||
|
|
|||
|
LCUP is designed such that the server does not need to maintain state
|
|||
|
information specific to individual clients. The server may need to
|
|||
|
maintain additional state information about attribute modifications,
|
|||
|
deleted entries, and moved/renamed entries. The clients are
|
|||
|
responsible for storing the information about how up to date they are
|
|||
|
with respect to the server's content. LCUP design avoids the need
|
|||
|
for LCUP-specific update agreements to be made between client and
|
|||
|
server prior to LCUP use. The client decides when and from where to
|
|||
|
retrieve the changes. LCUP design requires clients to initiate the
|
|||
|
update session and "pull" the changes from server.
|
|||
|
|
|||
|
LCUP operations are subject to administrative and access control
|
|||
|
policies enforced by the server.
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in BCP 14, RFC 2119
|
|||
|
[RFC2119].
|
|||
|
|
|||
|
2. Applicability
|
|||
|
|
|||
|
LCUP will work best if the following conditions are met:
|
|||
|
|
|||
|
1) The server stores some degree of historical state or change
|
|||
|
information to reduce the amount of wire traffic required for
|
|||
|
incremental synchronizations. The optimal balance between server
|
|||
|
state and wire traffic varies amongst implementations and usage
|
|||
|
scenarios, and is therefore left in the hands of implementers.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 4]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
2) The client cannot be assumed to understand the physical
|
|||
|
information model (virtual attributes, operational attributes,
|
|||
|
subentries, etc.) implemented by the server. Optimizations would
|
|||
|
be possible if such assumptions could be made.
|
|||
|
|
|||
|
3) Meta data changes and renames and deletions of large subtrees are
|
|||
|
very infrequent. LCUP makes these assumptions in order to reduce
|
|||
|
client complexity required to deal with these special operations,
|
|||
|
though when they do occur they may result in a large number of
|
|||
|
incremental update messages or a full resync.
|
|||
|
|
|||
|
3. Specification of Protocol Elements
|
|||
|
|
|||
|
The following sections define the new elements required to use this
|
|||
|
protocol.
|
|||
|
|
|||
|
3.1. ASN.1 Considerations
|
|||
|
|
|||
|
Protocol elements are described using ASN.1 [X.680]. The term "BER-
|
|||
|
encoded" means the element is to be encoded using the Basic Encoding
|
|||
|
Rules [X.690] under the restrictions detailed in Section 5.1 of
|
|||
|
[RFC2251]. All ASN.1 in this document uses implicit tags.
|
|||
|
|
|||
|
3.2. Universally Unique Identifiers
|
|||
|
|
|||
|
Distinguished names can change, so are therefore unreliable as
|
|||
|
identifiers. A Universally Unique Identifier (or UUID for short)
|
|||
|
MUST be used to uniquely identify entries used with LCUP. The UUID
|
|||
|
is part of the Sync Update control value (see below) returned with
|
|||
|
each search result. The server SHOULD provide the UUID as a single
|
|||
|
valued operational attribute of the entry (e.g., "entryUUID"). We
|
|||
|
RECOMMEND that the server provides a way to do efficient (i.e.,
|
|||
|
indexed) searches for values of UUID, e.g., by using a search filter
|
|||
|
like (entryUUID=<some UUID value>) to quickly search for and retrieve
|
|||
|
an entry based on its UUID. Servers SHOULD use a UUID format as
|
|||
|
specified in [UUID]. The UUID used by LCUP is a value of the
|
|||
|
following ASN.1 type:
|
|||
|
|
|||
|
LCUPUUID ::= OCTET STRING
|
|||
|
|
|||
|
3.3. LCUP Scheme and LCUP Cookie
|
|||
|
|
|||
|
The LCUP protocol uses a cookie to hold the state of the client's
|
|||
|
data with respect to the server's data. Each cookie format is
|
|||
|
uniquely identified by its scheme. The LCUP Scheme is a value of the
|
|||
|
following ASN.1 type:
|
|||
|
|
|||
|
LCUPScheme ::= LDAPOID
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 5]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
This is the OID which identifies the format of the LCUP Cookie value.
|
|||
|
The scheme OID, as all object identifiers, MUST be unique for a given
|
|||
|
cookie scheme. The cookie value may be opaque or it may be exposed
|
|||
|
to LCUP clients. For cookie schemes that expose their value, the
|
|||
|
preferred form of documentation is an RFC. It is expected that there
|
|||
|
will be one or more standards track cookie schemes where the value
|
|||
|
format is exposed and described in detail.
|
|||
|
|
|||
|
The LCUP Cookie is a value of the following ASN.1 type:
|
|||
|
|
|||
|
LCUPCookie ::= OCTET STRING
|
|||
|
|
|||
|
This is the actual data describing the state of the client's data.
|
|||
|
This value may be opaque, or its value may have some well-known
|
|||
|
format, depending on the scheme.
|
|||
|
|
|||
|
Further uses of the LCUP Cookie value are described below.
|
|||
|
|
|||
|
3.4. LCUP Context
|
|||
|
|
|||
|
A part of the DIT which is enabled for LCUP is referred to as an LCUP
|
|||
|
Context. A server may support one or more LCUP Contexts. For
|
|||
|
example, a server with two naming contexts may support LCUP in one
|
|||
|
naming context but not the other, or support different LCUP cookie
|
|||
|
schemes in each naming context. Each LCUP Context MAY use a
|
|||
|
different cookie scheme. An LCUP search will not cross an LCUP
|
|||
|
Context boundary, but will instead return a SearchResultReference
|
|||
|
message, with the LDAP URL specifying the same host and port as
|
|||
|
currently being searched, and with the baseDN set to the baseDN of
|
|||
|
the new LCUP Context. The client is then responsible for issuing
|
|||
|
another search using the new baseDN, and possibly a different cookie
|
|||
|
if that LCUP Context uses a different cookie. The client is
|
|||
|
responsible for maintaining a mapping of the LDAP URL to its
|
|||
|
corresponding cookie.
|
|||
|
|
|||
|
3.5. Additional LDAP Result Codes defined by LCUP
|
|||
|
|
|||
|
Implementations of this specification SHALL recognize the following
|
|||
|
additional resultCode values. The LDAP result code names and numbers
|
|||
|
defined in the following table have been assigned by IANA per RFC
|
|||
|
3383 [RFC3383].
|
|||
|
|
|||
|
lcupResourcesExhausted (113) the server is running out of resources
|
|||
|
lcupSecurityViolation (114) the client is suspected of malicious
|
|||
|
actions
|
|||
|
lcupInvalidData (115) invalid scheme or cookie was supplied
|
|||
|
by the client
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 6]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
lcupUnsupportedScheme (116) The cookie scheme is a valid OID but
|
|||
|
is not supported by this server
|
|||
|
lcupReloadRequired (117) indicates that client data needs to be
|
|||
|
reinitialized. This reason is
|
|||
|
returned if the server does not
|
|||
|
contain sufficient information to
|
|||
|
synchronize the client or if the
|
|||
|
server's data was reloaded since the
|
|||
|
last synchronization session
|
|||
|
|
|||
|
The uses of these codes are described below.
|
|||
|
|
|||
|
3.6. Sync Request Control
|
|||
|
|
|||
|
The Sync Request Control is an LDAP Control [RFC2251, Section 4.1.2]
|
|||
|
where the controlType is the object identifier 1.3.6.1.1.7.1 and the
|
|||
|
controlValue, an OCTET STRING, contains a BER-encoded
|
|||
|
syncRequestControlValue.
|
|||
|
|
|||
|
syncRequestControlValue ::= SEQUENCE {
|
|||
|
updateType ENUMERATED {
|
|||
|
syncOnly (0),
|
|||
|
syncAndPersist (1),
|
|||
|
persistOnly (2) },
|
|||
|
sendCookieInterval [0] INTEGER OPTIONAL,
|
|||
|
scheme [1] LCUPScheme OPTIONAL,
|
|||
|
cookie [2] LCUPCookie OPTIONAL
|
|||
|
}
|
|||
|
|
|||
|
sendCookieInterval - the server SHOULD send the cookie back in the
|
|||
|
Sync Update control value (defined below) for every
|
|||
|
sendCookieInterval number of SearchResultEntry and
|
|||
|
SearchResultReference PDUs returned to the client. For example, if
|
|||
|
the value is 5, the server SHOULD send the cookie back in the Sync
|
|||
|
Update control value for every 5 search results returned to the
|
|||
|
client. If this value is absent, zero or less than zero, the server
|
|||
|
chooses the interval.
|
|||
|
|
|||
|
The Sync Request Control is only applicable to the searchRequest
|
|||
|
message. Use of this control is described below.
|
|||
|
|
|||
|
3.7. Sync Update Control
|
|||
|
|
|||
|
The Sync Update Control is an LDAP Control [RFC2251, Section 4.1.2]
|
|||
|
where the controlType is the object identifier 1.3.6.1.1.7.2 and the
|
|||
|
controlValue, an OCTET STRING, contains a BER-encoded
|
|||
|
syncUpdateControlValue.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 7]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
syncUpdateControlValue ::= SEQUENCE {
|
|||
|
stateUpdate BOOLEAN,
|
|||
|
entryUUID [0] LCUPUUID OPTIONAL, -- REQUIRED for entries --
|
|||
|
UUIDAttribute [1] AttributeType OPTIONAL,
|
|||
|
entryLeftSet [2] BOOLEAN,
|
|||
|
persistPhase [3] BOOLEAN,
|
|||
|
scheme [4] LCUPScheme OPTIONAL,
|
|||
|
cookie [5] LCUPCookie OPTIONAL
|
|||
|
}
|
|||
|
|
|||
|
The field UUIDAttribute contains the name or OID of the attribute
|
|||
|
that the client should use to perform searches for entries based on
|
|||
|
the UUID. The client should be able to use it in an equality search
|
|||
|
filter, e.g., "(<uuid attribute>=<entry UUID value>)" and should be
|
|||
|
able to use it in the attribute list of the search request to return
|
|||
|
its value. The UUIDAttribute field may be omitted if the server does
|
|||
|
not support searching on the UUID values.
|
|||
|
|
|||
|
The Sync Update Control is only applicable to SearchResultEntry and
|
|||
|
SearchResultReference messages. Although entryUUID is OPTIONAL, it
|
|||
|
MUST be used with SearchResultEntry messages. Use of this control is
|
|||
|
described below.
|
|||
|
|
|||
|
3.8. Sync Done Control
|
|||
|
|
|||
|
The Sync Done Control is an LDAP Control [RFC2251, Section 4.1.2]
|
|||
|
where the controlType is the object identifier 1.3.6.1.1.7.3 and the
|
|||
|
controlValue contains a BER-encoded syncDoneValue.
|
|||
|
|
|||
|
syncDoneValue ::= SEQUENCE {
|
|||
|
scheme [0] LCUPScheme OPTIONAL,
|
|||
|
cookie [1] LCUPCookie OPTIONAL
|
|||
|
}
|
|||
|
|
|||
|
The Sync Done Control is only applicable to SearchResultDone message.
|
|||
|
Use of this control is described below.
|
|||
|
|
|||
|
4. Protocol Usage and Flow
|
|||
|
|
|||
|
4.1. LCUP Search Requests
|
|||
|
|
|||
|
A client initiates a synchronization or persistent search session
|
|||
|
with a server by attaching a Sync Request control to an LDAP
|
|||
|
searchRequest message. The search specification determines the part
|
|||
|
of the directory information tree (DIT) the client wishes to
|
|||
|
synchronize with, the set of attributes it is interested in and the
|
|||
|
amount of data the client is willing to receive. The Sync Request
|
|||
|
control contains the client's request specification.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 8]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
If there is an error condition, the server MUST immediately return a
|
|||
|
SearchResultDone message with the resultCode set to an error code.
|
|||
|
This table maps a condition to its corresponding behavior and
|
|||
|
resultCode.
|
|||
|
|
|||
|
Condition Behavior or resultCode
|
|||
|
|
|||
|
Sync Request Control is not Server behaves as [RFC2251, Section
|
|||
|
supported 4.1.2] - specifically, if the
|
|||
|
criticality of the control is FALSE,
|
|||
|
the server will process the request
|
|||
|
as a normal search request
|
|||
|
|
|||
|
Scheme is not supported lcupUnsupportedScheme
|
|||
|
|
|||
|
A control value field is lcupInvalidData
|
|||
|
invalid (e.g., illegal
|
|||
|
updateType, or the scheme is
|
|||
|
not a valid OID, or the cookie
|
|||
|
is invalid)
|
|||
|
|
|||
|
Server is running out of lcupResourcesExhausted
|
|||
|
resources
|
|||
|
|
|||
|
Server suspects client of lcupSecurityViolation
|
|||
|
malicious behavior (frequent
|
|||
|
connects/disconnects, etc.)
|
|||
|
|
|||
|
The server cannot bring the lcupReloadRequired
|
|||
|
client up to date (server data
|
|||
|
has been reloaded, or other
|
|||
|
changes prevent
|
|||
|
convergence)
|
|||
|
|
|||
|
4.1.1. Initial Synchronization and Full Resync
|
|||
|
|
|||
|
For an initial synchronization or full resync, the fields of the Sync
|
|||
|
Request control MUST be specified as follows:
|
|||
|
|
|||
|
updateType - MUST be set to syncOnly or syncAndPersist
|
|||
|
sendCookieInterval - MAY be set
|
|||
|
scheme - MAY be set - if set, the server MUST use this
|
|||
|
specified scheme or return lcupUnsupportedScheme
|
|||
|
(see above) - if not set, the server MAY use any
|
|||
|
scheme it supports.
|
|||
|
cookie - MUST NOT be set
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 9]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
If the request was successful, the client will receive results as
|
|||
|
described in the section "LCUP Search Responses" below.
|
|||
|
|
|||
|
4.1.2. Incremental or Update Synchronization
|
|||
|
|
|||
|
For an incremental or update synchronization, the fields of the Sync
|
|||
|
Request control MUST be specified as follows:
|
|||
|
|
|||
|
updateType - MUST be set to syncOnly or syncAndPersist
|
|||
|
sendCookieInterval - MAY be set
|
|||
|
scheme - MUST be set
|
|||
|
cookie - MUST be set
|
|||
|
|
|||
|
The client SHOULD always use the latest cookie it received from the
|
|||
|
server.
|
|||
|
|
|||
|
If the request was successful, the client will receive results as
|
|||
|
described in the section "LCUP Search Responses" below.
|
|||
|
|
|||
|
4.1.3. Persistent Only
|
|||
|
|
|||
|
For persistent only search request, the fields of the Sync Request
|
|||
|
MUST be specified as follows:
|
|||
|
|
|||
|
updateType - MUST be set to persistOnly
|
|||
|
sendCookieInterval - MAY be set
|
|||
|
scheme - MAY be set - if set, the server MUST use this
|
|||
|
specified scheme or return
|
|||
|
lcupUnsupportedScheme (see above) - if not set,
|
|||
|
the server MAY use any scheme it supports.
|
|||
|
cookie - MAY be set, but the server MUST ignore it
|
|||
|
|
|||
|
If the request was successful, the client will receive results as
|
|||
|
described in the section "LCUP Search Responses" below.
|
|||
|
|
|||
|
4.2. LCUP Search Responses
|
|||
|
|
|||
|
In response to the client's LCUP request, the server returns zero or
|
|||
|
more SearchResultEntry or SearchResultReference PDUs that fit the
|
|||
|
client's specification, followed by a SearchResultDone PDU. The
|
|||
|
behavior is as specified in [RFC2251 Section 4.5]. Each
|
|||
|
SearchResultEntry or SearchResultReference PDU also contains a Sync
|
|||
|
Update control that describes the LCUP state of the returned entry.
|
|||
|
The SearchResultDone PDU contains a Sync Done control. The following
|
|||
|
sections specify behaviors in addition to [RFC2251 Section 4.5].
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 10]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
4.2.1 Sync Update Informational Responses
|
|||
|
|
|||
|
The server may use the Sync Update control to return information not
|
|||
|
related to a particular entry. It MAY do this at any time to return
|
|||
|
a cookie to the client, or to inform the client that the sync phase
|
|||
|
of a syncAndPersist search is complete and the persist phase has
|
|||
|
begun. It MAY do this during the persist phase even though no entry
|
|||
|
has changed that would have normally triggered a response. In order
|
|||
|
to do this, it is REQUIRED to return the following:
|
|||
|
|
|||
|
- A SearchResultEntry PDU with the objectName field set to the DN of
|
|||
|
the baseObject of the search request and with an empty attribute
|
|||
|
list.
|
|||
|
|
|||
|
- A Sync Update control value with the fields set to the following:
|
|||
|
|
|||
|
stateUpdate - MUST be set to TRUE
|
|||
|
entryUUID - SHOULD be set to the UUID of the baseObject of the
|
|||
|
search request
|
|||
|
entryLeftSet - MUST be set to FALSE
|
|||
|
persistPhase - MUST be FALSE if the search is in the sync phase of a
|
|||
|
request, and MUST be TRUE if the search is in the
|
|||
|
persist phase
|
|||
|
UUIDAttribute - SHOULD only be set if this is either the first result
|
|||
|
returned or if the attribute has changed
|
|||
|
scheme - MUST be set if the cookie is set and the cookie
|
|||
|
format has changed; otherwise, it MAY be omitted
|
|||
|
cookie - SHOULD be set
|
|||
|
|
|||
|
If the server merely wants to return a cookie to the client, it
|
|||
|
should return as above with the cookie field set.
|
|||
|
|
|||
|
During a syncAndPersist request, the server MUST return (as above)
|
|||
|
immediately after the last entry of the sync phase has been sent and
|
|||
|
before the first entry of the persist phase has been sent. In this
|
|||
|
case, the persistPhase field MUST be set to TRUE. This allows the
|
|||
|
client to know that the sync phase is complete and the persist phase
|
|||
|
is starting.
|
|||
|
|
|||
|
4.2.2 Cookie Return Frequency
|
|||
|
|
|||
|
The cookie field of the Sync Update control value MAY be set in any
|
|||
|
returned result, during both the sync phase and the persist phase.
|
|||
|
The server should return the cookie to the client often enough for
|
|||
|
the client to resync in a reasonable period of time in case the
|
|||
|
search is disconnected or otherwise terminated. The
|
|||
|
sendCookieInterval field in the Sync Request control is a suggestion
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 11]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
to the server of how often to return the cookie in the Sync Update
|
|||
|
control. The server SHOULD respect this value.
|
|||
|
|
|||
|
The scheme field of the Sync Update control value MUST be set if the
|
|||
|
cookie is set and the cookie format has changed; otherwise, it MAY be
|
|||
|
omitted.
|
|||
|
|
|||
|
Some clients may have unreliable connections, for example, a wireless
|
|||
|
device or a WAN connection. These clients may want to insure that
|
|||
|
the cookie is returned often in the Sync Update control value, so
|
|||
|
that if they have to reconnect, they do not have to process many
|
|||
|
redundant entries. These clients should set the sendCookieInterval
|
|||
|
in the Sync Request control value to a low number, perhaps even 1.
|
|||
|
Some clients may have a limited bandwidth connection, and may not
|
|||
|
want to receive the cookie very often, or even at all (however, the
|
|||
|
cookie is always sent back in the Sync Done control value upon
|
|||
|
successful completion). These clients should set the
|
|||
|
sendCookieInterval in the Sync Request control value to a high
|
|||
|
number.
|
|||
|
|
|||
|
A reasonable behavior of the server is to return the cookie only when
|
|||
|
data in the LCUP context has changed, even if the client has
|
|||
|
specified a frequent sendCookieInterval. If nothing has changed, the
|
|||
|
server can probably save some bandwidth by not returning the cookie.
|
|||
|
|
|||
|
4.2.3. Definition of an Entry That Has Entered the Result Set
|
|||
|
|
|||
|
An entry SHALL BE considered to have entered the client's search
|
|||
|
result set if one of the following conditions is met:
|
|||
|
|
|||
|
- During the sync phase for an incremental sync operation, the entry
|
|||
|
is present in the search result set but was not present before;
|
|||
|
this can be due to the entry being added via an LDAP Add
|
|||
|
operation, or by the entry being moved into the result set by an
|
|||
|
LDAP Modify DN operation, or by some modification to the entry
|
|||
|
that causes it to enter the result set (e.g., adding an attribute
|
|||
|
value that matches the clients search filter), or by some meta-
|
|||
|
data change that causes the entry to enter the result set (e.g.,
|
|||
|
relaxing of some access control that permits the entry to be
|
|||
|
visible to the client).
|
|||
|
|
|||
|
- During the persist phase for a persistent search operation, the
|
|||
|
entry enters the search result set; this can be due to the entry
|
|||
|
being added via an LDAP Add operation, or by the entry being moved
|
|||
|
into the result set by an LDAP Modify DN operation, or by some
|
|||
|
modification to the entry that causes it to enter the result set
|
|||
|
(e.g., adding an attribute value that matches the clients search
|
|||
|
filter), or by some meta-data change that causes the entry to
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 12]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
enter the result set (e.g., relaxing of some access control that
|
|||
|
permits the entry to be visible to the client).
|
|||
|
|
|||
|
4.2.4. Definition of an Entry That Has Changed
|
|||
|
|
|||
|
An entry SHALL BE considered to be changed if one or more of the
|
|||
|
attributes in the attribute list in the search request have been
|
|||
|
modified. For example, if the search request listed the attributes
|
|||
|
"cn sn uid", and there is an entry in the client's search result set
|
|||
|
with the "cn" attribute that has been modified, the entry is
|
|||
|
considered to be modified. The modification may be due to an LDAP
|
|||
|
Modify operation or by some change to the meta-data for the entry
|
|||
|
(e.g., virtual attributes) that causes some change to the value of
|
|||
|
the specified attributes.
|
|||
|
|
|||
|
The converse of this is that an entry SHALL NOT BE considered to be
|
|||
|
changed if none of the attributes in the attribute list of the search
|
|||
|
request are modified attributes of the entry. For example, if the
|
|||
|
search request listed the attributes "cn sn uid", and there is an
|
|||
|
entry in the client's search result set with the "foo" attribute that
|
|||
|
has been modified, and none of the "cn" or "sn" or "uid" attributes
|
|||
|
have been modified, the entry is NOT considered to be changed.
|
|||
|
|
|||
|
4.2.5. Definition of an Entry That Has Left the Result Set
|
|||
|
|
|||
|
An entry SHALL BE considered to have left the client's search result
|
|||
|
set if one of the following conditions is met:
|
|||
|
|
|||
|
- During the sync phase for an incremental sync operation, the entry
|
|||
|
is not present in the search result set but was present before;
|
|||
|
this can be due to the entry being deleted via an LDAP Delete
|
|||
|
operation, or by the entry leaving the result set via an LDAP
|
|||
|
Modify DN operation, or by some modification to the entry that
|
|||
|
causes it to leave the result set (e.g., changing/removing an
|
|||
|
attribute value so that it no longer matches the client's search
|
|||
|
filter), or by some meta-data change that causes the entry to
|
|||
|
leave the result set (e.g., adding of some access control that
|
|||
|
denies the entry to be visible to the client).
|
|||
|
|
|||
|
- During the persist phase for a persistent search operation, the
|
|||
|
entry leaves the search result set; this can be due to the entry
|
|||
|
being deleted via an LDAP Delete operation, or by the entry
|
|||
|
leaving the result set via an LDAP Modify DN operation, or by some
|
|||
|
modification to the entry that causes it to leave the result set
|
|||
|
(e.g., changing/removing an attribute value so that it no longer
|
|||
|
matches the client's search filter), or by some meta-data change
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 13]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
that causes the entry to leave the result set (e.g., adding of
|
|||
|
some access control that denies the entry to be visible to the
|
|||
|
client).
|
|||
|
|
|||
|
4.2.6. Results For Entries Present in the Result Set
|
|||
|
|
|||
|
An entry SHOULD be returned as present under the following
|
|||
|
conditions:
|
|||
|
|
|||
|
- The request is an initial synchronization or full resync request
|
|||
|
and the entry is present in the client's search result set
|
|||
|
|
|||
|
- The request is an incremental synchronization and the entry has
|
|||
|
changed or entered the result set since the last sync
|
|||
|
|
|||
|
- The search is in the persist phase and the entry enters the result
|
|||
|
set or changes
|
|||
|
|
|||
|
For a SearchResultEntry return, the fields of the Sync Update control
|
|||
|
value MUST be set as follows:
|
|||
|
|
|||
|
stateUpdate - MUST be set to FALSE
|
|||
|
entryUUID - MUST be set to the UUID of the entry
|
|||
|
entryLeftSet - MUST be set to FALSE
|
|||
|
persistPhase - MUST be set to FALSE if during the sync phase or TRUE
|
|||
|
if during the persist phase
|
|||
|
UUIDAttribute - SHOULD only be set if this is either the first result
|
|||
|
returned or if the attribute has changed
|
|||
|
scheme - as above
|
|||
|
cookie - as above
|
|||
|
|
|||
|
The searchResultReference return will look the same, except that the
|
|||
|
entryUUID is not required. If it is specified, it MUST contain the
|
|||
|
UUID of the DSE holding the reference knowledge.
|
|||
|
|
|||
|
4.2.7. Results For Entries That Have Left the Result Set
|
|||
|
|
|||
|
An entry SHOULD be returned as having left the result set under the
|
|||
|
following conditions:
|
|||
|
|
|||
|
- The request is an incremental synchronization during the sync
|
|||
|
phase and the entry has left the result set
|
|||
|
|
|||
|
- The search is in the persist phase and the entry has left the
|
|||
|
result set
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 14]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
- The entry has left the result set as a result of an LDAP Delete or
|
|||
|
LDAP Modify DN operation against the entry itself (i.e., not as a
|
|||
|
result of an operation against its parent or ancestor)
|
|||
|
|
|||
|
For a SearchResultEntry return where the entry has left the result
|
|||
|
set, the fields of the Sync Update control value MUST be set as
|
|||
|
follows:
|
|||
|
|
|||
|
stateUpdate - MUST be set to FALSE
|
|||
|
entryUUID - MUST be set to the UUID of the entry that left the
|
|||
|
result set
|
|||
|
entryLeftSet - MUST be set to TRUE
|
|||
|
persistPhase - MUST be set to FALSE if during the sync phase or TRUE
|
|||
|
if during the persist phase
|
|||
|
UUIDAttribute - SHOULD only be set if this is either the first result
|
|||
|
returned or if the attribute has changed
|
|||
|
scheme - as above
|
|||
|
cookie - as above
|
|||
|
|
|||
|
The searchResultReference return will look the same, except that the
|
|||
|
entryUUID is not required. If it is specified, it MUST contain the
|
|||
|
UUID of the DSE holding the reference knowledge.
|
|||
|
|
|||
|
Some server implementations keep track of deleted entries using a
|
|||
|
tombstone - a hidden entry that keeps track of the state, but not all
|
|||
|
of the data, of an entry that has been deleted. In this case, the
|
|||
|
tombstone may not contain all of the original attributes of the
|
|||
|
entry, and therefore it may be impossible for the server to determine
|
|||
|
if an entry should be removed from the result set based on the
|
|||
|
attributes in the client's search request. Servers SHOULD keep
|
|||
|
enough information about the attributes in the deleted entries to
|
|||
|
determine if an entry should be removed from the result set. Since
|
|||
|
this may not be possible, the server MAY return an entry as having
|
|||
|
left the result set even if it is not or never was in the client's
|
|||
|
result set. Clients MUST ignore these notifications.
|
|||
|
|
|||
|
4.3. Responses Requiring Special Consideration
|
|||
|
|
|||
|
The following sections describe special handling that may be required
|
|||
|
when returning results.
|
|||
|
|
|||
|
4.3.1. Returning Results During the Persistent Phase
|
|||
|
|
|||
|
During the persistent phase, the server SHOULD return the changed
|
|||
|
entries to the client as quickly as possible.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 15]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
4.3.2. No Mixing of Sync Phase with Persist Phase
|
|||
|
|
|||
|
During a sync phase, the server MUST NOT return any entries with the
|
|||
|
persistPhase flag set to TRUE, and during the persist phase, all
|
|||
|
entries returned MUST have the persistPhase flag set to TRUE. The
|
|||
|
server MUST NOT mix and match sync phase entries with persist phase
|
|||
|
entries. If there are any sync phase entries to return, they MUST be
|
|||
|
returned before any persist phase entries are returned.
|
|||
|
|
|||
|
4.3.3. Returning Updated Results During the Sync Phase
|
|||
|
|
|||
|
There may be updates to the entries in the result set of a sync phase
|
|||
|
search during the actual search operation. If the DSA is under a
|
|||
|
heavy update load, and it attempts to send all of those updated
|
|||
|
entries to the client in addition to the other updates it was already
|
|||
|
planning to send for the sync phase, the server may never get to the
|
|||
|
end of the sync phase. Therefore, it is left up to the discretion of
|
|||
|
the server implementation to decide when the client is "in sync" -
|
|||
|
that is, when to end a syncOnly request, or when to send the Sync
|
|||
|
Update Informational Response between the sync phase and the persist
|
|||
|
phase of a syncAndPersist request. The server MAY send the same
|
|||
|
entry multiple times during the sync phase if the entry changes
|
|||
|
during the sync phase.
|
|||
|
|
|||
|
A reasonable behavior is for the server to generate a cookie based on
|
|||
|
the server state at the time the client initiated the LCUP request,
|
|||
|
and only send entries up to that point during the sync phase. Entries
|
|||
|
updated after that point will be returned only during the persist
|
|||
|
phase of a syncAndPersist request, or only upon an incremental
|
|||
|
synchronization.
|
|||
|
|
|||
|
4.3.4. Operational Attributes and Administrative Entries
|
|||
|
|
|||
|
An operational attribute SHOULD be returned if it is specified in the
|
|||
|
attributes list and would normally be returned as subject to the
|
|||
|
constraints of [RFC2251 Section 4.5]. If the server does not support
|
|||
|
syncing of operational attributes, the server MUST return a
|
|||
|
SearchResultDone message with a resultCode of unwillingToPerform.
|
|||
|
|
|||
|
LDAP Subentries [RFC3672] SHOULD be returned if they would normally
|
|||
|
be returned by the search request. If the server does not support
|
|||
|
syncing of LDAP Subentries, and the server can determine from the
|
|||
|
search request that the client has requested LDAP Subentries to be
|
|||
|
returned (e.g., search control or search filter), the server MUST
|
|||
|
return a SearchResultDone message with a resultCode of
|
|||
|
unwillingToPerform. Otherwise, the server MAY simply omit returning
|
|||
|
LDAP Subentries.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 16]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
4.3.5. Virtual Attributes
|
|||
|
|
|||
|
An entry may have attributes whose presence in the entry, or presence
|
|||
|
of values of the attribute, is generated on the fly, possibly by some
|
|||
|
mechanism outside of the entry, elsewhere in the DIT. An example of
|
|||
|
this is collective attributes [RFC3671]. These attributes shall be
|
|||
|
referred to in this document as virtual attributes.
|
|||
|
|
|||
|
LCUP treats these attributes the same way as normal, non-virtual
|
|||
|
attributes. A virtual attribute SHOULD be returned if it is
|
|||
|
specified in the attributes list and would normally be returned as
|
|||
|
subject to the constraints of [RFC2251 Section 4.5]. If the server
|
|||
|
does not support syncing of virtual attributes, the server MUST
|
|||
|
return a SearchResultDone message with a resultCode of
|
|||
|
unwillingToPerform.
|
|||
|
|
|||
|
One consequence of this is that if you change the definition of a
|
|||
|
virtual attribute such that it makes the value of that attribute
|
|||
|
change in many entries in the client's search scope, this means that
|
|||
|
a server may have to return many entries to the client as a result of
|
|||
|
that one change. It is not anticipated that this will be a frequent
|
|||
|
occurrence, and the server has the option to simply force the client
|
|||
|
to resync if necessary.
|
|||
|
|
|||
|
It is also possible that a future LDAP control will allow the client
|
|||
|
to request only virtual or only non-virtual attributes.
|
|||
|
|
|||
|
4.3.6. Modify DN and Delete Operations Applied to Subtrees
|
|||
|
|
|||
|
There is a special case where a Modify DN or a Delete operation is
|
|||
|
applied to the base entry of a subtree, and either that base entry or
|
|||
|
entries in the subtree are within the scope of an LCUP search
|
|||
|
request. In this case, all of the entries in the subtree are
|
|||
|
implicitly renamed or removed.
|
|||
|
|
|||
|
In either of these cases, the server MUST do one of the following:
|
|||
|
|
|||
|
- treat all of these entries as having been renamed or removed and
|
|||
|
return each entry to the client as such
|
|||
|
|
|||
|
- decide that this would be prohibitively expensive, and force the
|
|||
|
client to resync
|
|||
|
|
|||
|
If the search base object has been renamed, and the client has
|
|||
|
received a noSuchObject as the result of a search request, the client
|
|||
|
MAY use the entryUUID and UUIDAttribute to locate the new DN that is
|
|||
|
the result of the modify DN operation.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 17]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
4.3.7. Convergence Guarantees
|
|||
|
|
|||
|
If at any time during an LCUP search, either during the sync phase or
|
|||
|
the persist phase, the server determines that it cannot guarantee
|
|||
|
that it can bring the client's copy of the data to eventual
|
|||
|
convergence, it SHOULD immediately terminate the LCUP search request
|
|||
|
and return a SearchResultDone message with a resultCode of
|
|||
|
lcupReloadRequired. This can also happen at the beginning of an
|
|||
|
incremental synchronization request, if the client presents a cookie
|
|||
|
that is out of date or otherwise unable to be processed. The client
|
|||
|
should then issue an initial synchronization request.
|
|||
|
|
|||
|
This can happen, for example, if the data on the server is reloaded,
|
|||
|
or if there has been some change to the meta-data that makes it
|
|||
|
impossible for the server to determine if a particular entry should
|
|||
|
or should not be part of the search result set, or if the meta-data
|
|||
|
change makes it too resource intensive for the server to calculate
|
|||
|
the proper result set.
|
|||
|
|
|||
|
The server can also return lcupReloadRequired if it determines that
|
|||
|
it would be more efficient for the client to perform a reload, for
|
|||
|
example, if too many entries have changed and a simple reload would
|
|||
|
be much faster.
|
|||
|
|
|||
|
4.4. LCUP Search Termination
|
|||
|
|
|||
|
4.4.1. Server Initiated Termination
|
|||
|
|
|||
|
When the server has successfully finished processing the client's
|
|||
|
request, it attaches a Sync Done control to the SearchResultDone
|
|||
|
message and sends it to the client. However, if the SearchResultDone
|
|||
|
message contains a resultCode that is not success or canceled, the
|
|||
|
Sync Done control MAY be omitted. Although the LCUP cookie is
|
|||
|
OPTIONAL in the Sync Done control value, it MUST be set if the
|
|||
|
SearchResultDone resultCode is success or canceled. The server
|
|||
|
SHOULD also set the cookie if the resultCode is
|
|||
|
lcupResourcesExhausted, timeLimitExceeded, sizeLimitExceeded, or
|
|||
|
adminLimitExceeded. This allows the client to more easily resync
|
|||
|
later. If some error occurred, either an LDAP search error (e.g.,
|
|||
|
insufficientAccessRights) or an LCUP error (e.g.,
|
|||
|
lcupUnsupportedScheme), the cookie MAY be omitted. If the cookie is
|
|||
|
set, the scheme MUST be set also if the cookie format has changed,
|
|||
|
otherwise, it MAY be omitted.
|
|||
|
|
|||
|
If server resources become tight, the server can terminate one or
|
|||
|
more search operations by sending a SearchResultDone message to the
|
|||
|
client(s) with a resultCode of lcupResourcesExhausted. The server
|
|||
|
SHOULD attach a Sync Done control with the cookie set. A server side
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 18]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
policy is used to decide which searches to terminate. This can also
|
|||
|
be used as a security mechanism to disconnect clients that are
|
|||
|
suspected of malicious actions, but if the server can infer that the
|
|||
|
client is malicious, the server SHOULD return lcupSecurityViolation
|
|||
|
instead.
|
|||
|
|
|||
|
4.4.2. Client Initiated Termination
|
|||
|
|
|||
|
If the client needs to terminate the synchronization process and it
|
|||
|
wishes to obtain the cookie that represents the current state of its
|
|||
|
data, it issues an LDAP Cancel operation [RFC3909]. The server
|
|||
|
responds immediately with a LDAP Cancel response [RFC3909]. The
|
|||
|
server MAY send any pending SearchResultEntry or
|
|||
|
SearchResultReference PDUs if the server cannot easily abort or
|
|||
|
remove those search results from its outgoing queue. The server
|
|||
|
SHOULD send as few of these remaining messages as possible. Finally,
|
|||
|
the server sends the message SearchResultDone with the Sync Done
|
|||
|
control attached. If the search was successful up to that point, the
|
|||
|
resultCode field of the SearchResultDone message MUST be canceled
|
|||
|
[RFC3909], and the cookie MUST be set in the Sync Done control. If
|
|||
|
there is an error condition, the server MAY return as described in
|
|||
|
section 4.4.1 above, or MAY return as described in [RFC3909].
|
|||
|
|
|||
|
If the client is not interested in the state information, it can
|
|||
|
simply abandon the search operation or disconnect from the server.
|
|||
|
|
|||
|
4.5. Size and Time Limits
|
|||
|
|
|||
|
The server SHALL support size and time limits as specified in
|
|||
|
[RFC2251, Section 5]. The server SHOULD ensure that if the operation
|
|||
|
is terminated due to these conditions, the cookie is sent back to the
|
|||
|
client.
|
|||
|
|
|||
|
4.6. Operations on the Same Connection
|
|||
|
|
|||
|
It is permissible for the client to issue other LDAP operations on
|
|||
|
the connection used by the protocol. Since each LDAP
|
|||
|
request/response carries a message id there will be no ambiguity
|
|||
|
about which PDU belongs to which operation. By sharing the
|
|||
|
connection among multiple operations, the server will be able to
|
|||
|
conserve its resources.
|
|||
|
|
|||
|
4.7. Interactions with Other Controls
|
|||
|
|
|||
|
LCUP defines neither restrictions nor guarantees about the ability to
|
|||
|
use the controls defined in this document in conjunction with other
|
|||
|
LDAP controls, except for the following: A server MAY ignore non-
|
|||
|
critical controls supplied with the LCUP control. A server MAY
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 19]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
ignore an LCUP defined control if it is non-critical and it is
|
|||
|
supplied with other critical controls. If a server receives a
|
|||
|
critical LCUP control with another critical control, and the server
|
|||
|
does not support both controls at the same time, the server SHOULD
|
|||
|
return unavailableCriticalExtension.
|
|||
|
|
|||
|
It is up to the server implementation to determine if the server
|
|||
|
supports controls such as the Sort or VLV or similar controls that
|
|||
|
change the order of the entries sent to the client. But note that it
|
|||
|
may be difficult or impossible for a server to perform an incremental
|
|||
|
synchronization in the presence of such controls, since the cookie
|
|||
|
will typically be based off a change number, or Change Sequence
|
|||
|
Number (CSN), or timestamp, or some criteria other than an
|
|||
|
alphabetical order.
|
|||
|
|
|||
|
4.8. Replication Considerations
|
|||
|
|
|||
|
Use of an LCUP cookie with multiple DSAs in a replicated environment
|
|||
|
is not defined by LCUP. An implementation of LCUP may support
|
|||
|
continuation of an LCUP session with another DSA holding a replica of
|
|||
|
the LCUP context. Clients MAY submit cookies returned by one DSA to
|
|||
|
a different DSA; it is up to the server to determine if a cookie is
|
|||
|
one they recognize or not and to return an appropriate result code if
|
|||
|
not.
|
|||
|
|
|||
|
5. Client Side Considerations
|
|||
|
|
|||
|
5.1. Using Cookies with Different Search Criteria
|
|||
|
|
|||
|
The cookie received from the server after a synchronization session
|
|||
|
SHOULD only be used with the same search specification as the search
|
|||
|
that generated the cookie. Some servers MAY allow the cookie to be
|
|||
|
used with a more restrictive search specification than the search
|
|||
|
that generated the cookie. If the server does not support the
|
|||
|
cookie, it MUST return lcupInvalidCookie. This is because the client
|
|||
|
can end up with an incomplete data store otherwise. A more
|
|||
|
restrictive search specification is one that would generate a subset
|
|||
|
of the data produced by the original search specification.
|
|||
|
|
|||
|
5.2. Renaming the Base Object
|
|||
|
|
|||
|
Because an LCUP client specifies the area of the tree with which it
|
|||
|
wishes to synchronize through the standard LDAP search specification,
|
|||
|
the client can be returned noSuchObject error if the root of the
|
|||
|
synchronization area was renamed between the synchronization sessions
|
|||
|
or during a synchronization session. If this condition occurs, the
|
|||
|
client can attempt to locate the root by using the root's UUID saved
|
|||
|
in client's local data store. It then can repeat the synchronization
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 20]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
request using the new search base. In general, a client can detect
|
|||
|
that an entry was renamed and apply the changes received to the right
|
|||
|
entry by using the UUID rather than DN based addressing.
|
|||
|
|
|||
|
5.3. Use of Persistent Searches With Respect to Resources
|
|||
|
|
|||
|
Each active persistent operation requires that an open TCP connection
|
|||
|
be maintained between an LDAP client and an LDAP server that might
|
|||
|
not otherwise be kept open. Therefore, client implementors are
|
|||
|
encouraged to avoid using persistent operations for non-essential
|
|||
|
tasks and to close idle LDAP connections as soon as practical. The
|
|||
|
server may close connections if server resources become tight.
|
|||
|
|
|||
|
5.4. Continuation References to Other LCUP Contexts
|
|||
|
|
|||
|
The client MAY receive a continuation reference
|
|||
|
(SearchResultReference [RFC2251 SECTION 4.5.3]) if the search request
|
|||
|
spans multiple parts of the DIT, some of which may require a
|
|||
|
different LCUP cookie, some of which may not even be managed by LCUP.
|
|||
|
The client SHOULD maintain a cache of the LDAP URLs returned in the
|
|||
|
continuation references and the cookies associated with them. The
|
|||
|
client is responsible for performing another LCUP search to follow
|
|||
|
the references, and SHOULD use the cookie corresponding to the LDAP
|
|||
|
URL for that reference (if it has a cookie).
|
|||
|
|
|||
|
5.5. Referral Handling
|
|||
|
|
|||
|
The client may receive a referral (Referral [RFC2251 SECTION 4.1.11])
|
|||
|
when the search base is a subordinate reference, and this will end
|
|||
|
the operation.
|
|||
|
|
|||
|
5.6. Multiple Copies of Same Entry During Sync Phase
|
|||
|
|
|||
|
The server MAY send the same entry multiple times during a sync phase
|
|||
|
if the entry changes during the sync phase. The client SHOULD use
|
|||
|
the last sent copy of the entry as the current one.
|
|||
|
|
|||
|
5.7. Handling Server Out of Resources Condition
|
|||
|
|
|||
|
If the client receives an lcupResourcesExhausted or
|
|||
|
lcupSecurityViolation resultCode, the client SHOULD wait at least 5
|
|||
|
seconds before attempting another operation. It is RECOMMENDED that
|
|||
|
the client use an exponential backoff strategy, but different clients
|
|||
|
may want to use different backoff strategies.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 21]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
6. Server Implementation Considerations
|
|||
|
|
|||
|
6.1. Server Support for UUIDs
|
|||
|
|
|||
|
Servers MUST support UUIDs. UUIDs are required in the Sync Update
|
|||
|
control. Additionally, server implementers SHOULD make the UUID
|
|||
|
values for the entries available as an attribute of the entry, and
|
|||
|
provide indexing or other mechanisms to allow clients to search for
|
|||
|
an entry using the UUID attribute in the search filter. The
|
|||
|
syncUpdate control provides a field UUIDAttribute to allow the server
|
|||
|
to let the client know the name or OID of the attribute to use to
|
|||
|
search for an entry by UUID.
|
|||
|
|
|||
|
6.2. Example of Using an RUV as the Cookie Value
|
|||
|
|
|||
|
By design, the protocol supports multiple cookie schemes. This is to
|
|||
|
allow different implementations the flexibility of storing any
|
|||
|
information applicable to their environment. A reasonable
|
|||
|
implementation for an LDUP compliant server would be to use the
|
|||
|
Replica Update Vector (RUV). For each master, RUV contains the
|
|||
|
largest CSN seen from this master. In addition, RUV implemented by
|
|||
|
some directory servers (not yet in LDUP) contains replica generation
|
|||
|
- an opaque string that identifies the replica's data store. The
|
|||
|
replica generation value changes whenever the replica's data is
|
|||
|
reloaded. Replica generation is intended to signal the
|
|||
|
replication/synchronization peers that the replica's data was
|
|||
|
reloaded and that all other replicas need to be reinitialized. RUV
|
|||
|
satisfies the three most important properties of the cookie: (1) it
|
|||
|
uniquely identifies the state of client's data, (2) it can be used to
|
|||
|
synchronize with multiple servers, and (3) it can be used to detect
|
|||
|
that the server's data was reloaded. If RUV is used as the cookie,
|
|||
|
entries last modified by a particular master must be sent to the
|
|||
|
client in the order of their last modified CSN. This ordering
|
|||
|
guarantees that the RUV can be updated after each entry is sent.
|
|||
|
|
|||
|
6.3. Cookie Support Issues
|
|||
|
|
|||
|
6.3.1. Support for Multiple Cookie Schemes
|
|||
|
|
|||
|
A server may support one or more LCUP cookie schemes. It is expected
|
|||
|
that schemes will be published along with their OIDs as RFCs. The
|
|||
|
server's DIT may be partitioned into different sections which may
|
|||
|
have different cookies associated with them. For example, some
|
|||
|
servers may use some sort of replication mechanism to support LCUP.
|
|||
|
If so, the DIT may be partitioned into multiple replicas. A client
|
|||
|
may send an LCUP search request that spans multiple replicas. Some
|
|||
|
parts of the DIT spanned by the search request scope may support LCUP
|
|||
|
and some may not. The server MUST send a SearchResultReference
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 22]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
[RFC2251, SECTION 4.5.3] when the LCUP Context for a returned entry
|
|||
|
changes. The server SHOULD send all references to other LCUP
|
|||
|
Contexts in the search scope first, in order to allow the clients to
|
|||
|
process these searches in parallel. The LDAP URL(s) returned MUST
|
|||
|
contain the DN(s) of the base of another section of the DIT (however
|
|||
|
the server implementation has partitioned the DIT). The client will
|
|||
|
then issue another LCUP search using the LDAP URL returned. Each
|
|||
|
section of the DIT MAY require a different cookie value, so the
|
|||
|
client SHOULD maintain a cache, mapping the different LDAP URL values
|
|||
|
to different cookies. If the cookie changes, the scheme may change
|
|||
|
as well, but the cookie scheme MUST be the same within a given LCUP
|
|||
|
Context.
|
|||
|
|
|||
|
6.3.2. Information Contained in the Cookie
|
|||
|
|
|||
|
The cookie must contain enough information to allow the server to
|
|||
|
determine whether the cookie can be safely used with the search
|
|||
|
specification it is attached to. As discussed earlier in the
|
|||
|
document, the cookie SHOULD only be used with the search
|
|||
|
specification that is equal to the one for which the cookie was
|
|||
|
generated, but some servers MAY support using a cookie with a search
|
|||
|
specification that is more restrictive than the one used to generate
|
|||
|
the cookie.
|
|||
|
|
|||
|
6.4. Persist Phase Response Time
|
|||
|
|
|||
|
The specification makes no guarantees about how soon a server should
|
|||
|
send notification of a changed entry to the client during the persist
|
|||
|
phase. This is intentional as any specific maximum delay would be
|
|||
|
impossible to meet in a distributed directory service implementation.
|
|||
|
Server implementers are encouraged to minimize the delay before
|
|||
|
sending notifications to ensure that clients' needs for timeliness of
|
|||
|
change notification are met.
|
|||
|
|
|||
|
6.5. Scaling Considerations
|
|||
|
|
|||
|
Implementers of servers that support the mechanism described in this
|
|||
|
document should ensure that their implementation scales well as the
|
|||
|
number of active persistent operations and the number of changes made
|
|||
|
in the directory increases. Server implementers are also encouraged
|
|||
|
to support a large number of client connections if they need to
|
|||
|
support large numbers of persistent operations.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 23]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
6.6. Alias Dereferencing
|
|||
|
|
|||
|
LCUP design does not consider issues associated with alias
|
|||
|
dereferencing in search. Clients MUST specify derefAliases as either
|
|||
|
neverDerefAliases or derefFindingBaseObj. Servers are to return
|
|||
|
protocolError if the client specifies either derefInSearching or
|
|||
|
derefAlways.
|
|||
|
|
|||
|
7. Synchronizing Heterogeneous Data Stores
|
|||
|
|
|||
|
Clients, like a meta directory join engine, synchronizing multiple
|
|||
|
writable data stores, will only work correctly if each piece of
|
|||
|
information comes from a single authoritative data source. In a
|
|||
|
replicated environment, an LCUP Context should employ the same
|
|||
|
conflict resolution scheme across all its replicas. This is because
|
|||
|
different systems have different notions of time and different update
|
|||
|
resolution procedures. As a result, a change applied on one system
|
|||
|
can be discarded by the other, thus preventing the data stores from
|
|||
|
converging.
|
|||
|
|
|||
|
8. IANA Considerations
|
|||
|
|
|||
|
This document lists several values that have been registered by the
|
|||
|
IANA. The following LDAP result codes have been assigned by IANA as
|
|||
|
described in section 3.6 of [RFC3383]:
|
|||
|
|
|||
|
lcupResourcesExhausted 113
|
|||
|
lcupSecurityViolation 114
|
|||
|
lcupInvalidData 115
|
|||
|
lcupUnsupportedScheme 116
|
|||
|
lcupReloadRequired 117
|
|||
|
|
|||
|
The three controls defined in this document have been registered as
|
|||
|
LDAP Protocol Mechanisms as described in section 3.2 of [RFC3383].
|
|||
|
One OID, 1.3.6.1.1.7, has been assigned by IANA as described in
|
|||
|
section 3.1 of [RFC3383]. The OIDs for the controls defined in this
|
|||
|
document are derived as follows from the one assigned by IANA:
|
|||
|
|
|||
|
LCUP Sync Request Control 1.3.6.1.1.7.1
|
|||
|
LCUP Sync Update Control 1.3.6.1.1.7.2
|
|||
|
LCUP Sync Done Control 1.3.6.1.1.7.3
|
|||
|
|
|||
|
9. Security Considerations
|
|||
|
|
|||
|
In some situations, it may be important to prevent general exposure
|
|||
|
of information about changes that occur in an LDAP server. Therefore,
|
|||
|
servers that implement the mechanism described in this document
|
|||
|
SHOULD provide a means to enforce access control on the entries
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 24]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
returned and MAY also provide specific access control mechanisms to
|
|||
|
control the use of the controls and extended operations defined in
|
|||
|
this document.
|
|||
|
|
|||
|
As with normal LDAP search requests, a malicious client can initiate
|
|||
|
a large number of persistent search requests in an attempt to consume
|
|||
|
all available server resources and deny service to legitimate
|
|||
|
clients. The protocol provides the means to stop malicious clients
|
|||
|
by disconnecting them from the server. The servers that implement
|
|||
|
the mechanism SHOULD provide the means to detect the malicious
|
|||
|
clients. In addition, the servers SHOULD provide the means to limit
|
|||
|
the number of resources that can be consumed by a single client.
|
|||
|
|
|||
|
10. References
|
|||
|
|
|||
|
10.1. Normative References
|
|||
|
|
|||
|
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
|||
|
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
[RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight
|
|||
|
Directory Access Protocol (v3)", RFC 2251, December
|
|||
|
1997.
|
|||
|
|
|||
|
[RFC3383] Zeilenga, K., "Internet Assigned Numbers Authority
|
|||
|
(IANA) Considerations for Lightweight Directory Access
|
|||
|
Protocol (LDAP)", BCP 64, RFC 3383, September 2002.
|
|||
|
|
|||
|
[RFC3909] Zeilenga, K., "Lightweight Directory Access Protocol
|
|||
|
(LDAP) Cancel Operation", RFC 3909, October 2004.
|
|||
|
|
|||
|
[X.680] ITU-T, "Abstract Syntax Notation One (ASN.1) -
|
|||
|
Specification of Basic Notation", X.680, 1994.
|
|||
|
|
|||
|
[X.690] ITU-T, "Specification of ASN.1 encoding rules: Basic,
|
|||
|
Canonical, and Distinguished Encoding Rules", X.690,
|
|||
|
1994.
|
|||
|
|
|||
|
[UUID] International Organization for Standardization (ISO),
|
|||
|
"Information technology - Open Systems Interconnection -
|
|||
|
Remote Procedure Call", ISO/IEC 11578:1996.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 25]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
10.2. Informative References
|
|||
|
|
|||
|
[RFC3384] Stokes, E., Weiser, R., Moats, R., and R. Huber,
|
|||
|
"Lightweight Directory Access Protocol (version 3)
|
|||
|
Replication Requirements", RFC 3384, October 2002.
|
|||
|
|
|||
|
[RFC3671] Zeilenga, K., "Collective Attributes in the Lightweight
|
|||
|
Directory Access Protocol (LDAP)", RFC 3671, December
|
|||
|
2003.
|
|||
|
|
|||
|
[RFC3672] Zeilenga, K. and S. Legg, "Subentries in the Lightweight
|
|||
|
Directory Access Protocol (LDAP)", RFC 3672, December
|
|||
|
2003.
|
|||
|
|
|||
|
11. Acknowledgments
|
|||
|
|
|||
|
The LCUP protocol is based in part on the Persistent Search Change
|
|||
|
Notification Mechanism defined by Mark Smith, Gordon Good, Tim Howes,
|
|||
|
and Rob Weltman, the LDAPv3 Triggered Search Control defined by Mark
|
|||
|
Wahl, and the LDAP Control for Directory Synchronization defined by
|
|||
|
Michael Armijo. The members of the IETF LDUP working group made
|
|||
|
significant contributions to this document.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 26]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
Appendix - Features Left Out of LCUP
|
|||
|
|
|||
|
There are several features present in other protocols or considered
|
|||
|
useful by clients that are currently not included in the protocol
|
|||
|
primarily because they are difficult to implement on the server.
|
|||
|
These features are briefly discussed in this section.
|
|||
|
|
|||
|
Triggered Search Change Type
|
|||
|
|
|||
|
This feature is present in the Triggered Search specification. A
|
|||
|
flag is attached to each entry returned to the client indicating the
|
|||
|
reason why this entry is returned. The possible reasons from the
|
|||
|
document are:
|
|||
|
|
|||
|
- notChange: the entry existed in the directory and matched the
|
|||
|
search at the time the operation is being performed,
|
|||
|
|
|||
|
- enteredSet: the entry entered the result,
|
|||
|
|
|||
|
- leftSet: the entry left the result,
|
|||
|
|
|||
|
- modified: the entry was part of the result set, was modified or
|
|||
|
renamed, and still is in the result set.
|
|||
|
|
|||
|
The leftSet feature is particularly useful because it indicates to
|
|||
|
the client that an entry is no longer within the client's search
|
|||
|
specification and the client can remove the associated data from its
|
|||
|
data store. Ironically, this feature is the hardest to implement on
|
|||
|
the server because the server does not keep track of the client's
|
|||
|
state and has no easy way of telling which entries moved out of scope
|
|||
|
between synchronization sessions with the client. A compromise could
|
|||
|
be reached by only providing this feature for the operations that
|
|||
|
occur while the client is connected to the server. This is easier to
|
|||
|
accomplish because the decision about the change type can be made
|
|||
|
based only on the change without need for any historical information.
|
|||
|
This, however, would add complexity to the protocol.
|
|||
|
|
|||
|
Persistent Search Change Type
|
|||
|
|
|||
|
This feature is present in the Persistent Search specification.
|
|||
|
Persistent search has the notion of changeTypes. The client
|
|||
|
specifies which type of updates will cause entries to be returned,
|
|||
|
and optionally whether the server tags each returned entry with the
|
|||
|
type of change that caused that entry to be returned.
|
|||
|
|
|||
|
For LCUP, the intention is full synchronization, not partial. Each
|
|||
|
entry returned by an LCUP search will have some change associated
|
|||
|
with it that may concern the client. The client may have to have a
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 27]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
local index of entries by DN or UUID to determine if the entry has
|
|||
|
been added or just modified. It is easy for clients to determine if
|
|||
|
the entry has been deleted because the entryLeftSet value of the Sync
|
|||
|
Update control will be TRUE.
|
|||
|
|
|||
|
Sending Changes
|
|||
|
|
|||
|
Some earlier synchronization protocols sent the client(s) only the
|
|||
|
modified attributes of the entry rather than the entire entry. While
|
|||
|
this approach can significantly reduce the amount of data returned to
|
|||
|
the client, it has several disadvantages. First, unless a separate
|
|||
|
mechanism (like the change type described above) is used to notify
|
|||
|
the client about entries moving into the search scope, sending only
|
|||
|
the changes can result in the client having an incomplete version of
|
|||
|
the data. Let's consider an example. An attribute of an entry is
|
|||
|
modified. As a result of the change, the entry enters the scope of
|
|||
|
the client's search. If only the changes are sent, the client would
|
|||
|
never see the initial data of the entry. Second, this feature is
|
|||
|
hard to implement since the server might not contain sufficient
|
|||
|
information to construct the changes based solely on the server's
|
|||
|
state and the client's cookie. On the other hand, this feature can
|
|||
|
be easily implemented by the client assuming that the client has the
|
|||
|
previous version of the data and can perform value by value
|
|||
|
comparisons.
|
|||
|
|
|||
|
Data Size Limits
|
|||
|
|
|||
|
Some earlier synchronization protocols allowed clients to control the
|
|||
|
amount of data sent to them in the search response. This feature was
|
|||
|
intended to allow clients with limited resources to process
|
|||
|
synchronization data in batches. However, an LDAP search operation
|
|||
|
already provides the means for the client to specify the size limit
|
|||
|
by setting the sizeLimit field in the SearchRequest to the maximum
|
|||
|
number of entries the client is willing to receive. While the
|
|||
|
granularity is not the same, the assumption is that regular LDAP
|
|||
|
clients that can deal with the limitations of the LDAP protocol will
|
|||
|
implement LCUP.
|
|||
|
|
|||
|
Data Ordering
|
|||
|
|
|||
|
Some earlier synchronization protocols allowed a client to specify
|
|||
|
that parent entries should be sent before the children for add
|
|||
|
operations and children entries sent before their parents during
|
|||
|
delete operations. This ordering helps clients to maintain a
|
|||
|
hierarchical view of the data in their data store. While possibly
|
|||
|
useful, this feature is relatively hard to implement and is expensive
|
|||
|
to perform.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 28]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
Authors' Addresses
|
|||
|
|
|||
|
Rich Megginson
|
|||
|
Netscape Communications Corp., an America Online company.
|
|||
|
360 W. Caribbean Drive
|
|||
|
Sunnyvale, CA 94089
|
|||
|
USA
|
|||
|
|
|||
|
Phone: +1 505 797-7762
|
|||
|
EMail: rmegginson0224@aol.com
|
|||
|
|
|||
|
|
|||
|
Olga Natkovich
|
|||
|
Yahoo, Inc.
|
|||
|
701 First Ave.
|
|||
|
Sunnyvale, CA 94089
|
|||
|
USA
|
|||
|
|
|||
|
Phone: +1 408 349-6153
|
|||
|
EMail: olgan@yahoo-inc.com
|
|||
|
|
|||
|
|
|||
|
Mark Smith
|
|||
|
Pearl Crescent, LLC
|
|||
|
447 Marlpool Drive
|
|||
|
Saline, MI 48176
|
|||
|
USA
|
|||
|
|
|||
|
Phone: +1 734 944-2856
|
|||
|
EMail: mcs@pearlcrescent.com
|
|||
|
|
|||
|
|
|||
|
Jeff Parham
|
|||
|
Microsoft Corporation
|
|||
|
One Microsoft Way
|
|||
|
Redmond, WA 98052-6399
|
|||
|
USA
|
|||
|
|
|||
|
Phone: +1 425 882-8080
|
|||
|
EMail: jeffparh@microsoft.com
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 29]
|
|||
|
|
|||
|
RFC 3928 LDAP Client Update Protocol October 2004
|
|||
|
|
|||
|
|
|||
|
Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2004).
|
|||
|
|
|||
|
This document is subject to the rights, licenses and restrictions
|
|||
|
contained in BCP 78, and at www.rfc-editor.org, and except as set
|
|||
|
forth therein, the authors retain all their rights.
|
|||
|
|
|||
|
This document and the information contained herein are provided on an
|
|||
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
|||
|
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
|||
|
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|||
|
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|||
|
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|||
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
Intellectual Property
|
|||
|
|
|||
|
The IETF takes no position regarding the validity or scope of any
|
|||
|
Intellectual Property Rights or other rights that might be claimed to
|
|||
|
pertain to the implementation or use of the technology described in
|
|||
|
this document or the extent to which any license under such rights
|
|||
|
might or might not be available; nor does it represent that it has
|
|||
|
made any independent effort to identify any such rights. Information
|
|||
|
on the ISOC's procedures with respect to rights in ISOC Documents can
|
|||
|
be found in BCP 78 and BCP 79.
|
|||
|
|
|||
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|||
|
assurances of licenses to be made available, or the result of an
|
|||
|
attempt made to obtain a general license or permission for the use of
|
|||
|
such proprietary rights by implementers or users of this
|
|||
|
specification can be obtained from the IETF on-line IPR repository at
|
|||
|
http://www.ietf.org/ipr.
|
|||
|
|
|||
|
The IETF invites any interested party to bring to its attention any
|
|||
|
copyrights, patents or patent applications, or other proprietary
|
|||
|
rights that may cover technology that may be required to implement
|
|||
|
this standard. Please address the information to the IETF at ietf-
|
|||
|
ipr@ietf.org.
|
|||
|
|
|||
|
Acknowledgement
|
|||
|
|
|||
|
Funding for the RFC Editor function is currently provided by the
|
|||
|
Internet Society.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Megginson, et al. Standards Track [Page 30]
|
|||
|
|