mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
450 lines
14 KiB
Plaintext
450 lines
14 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Change Record Object Class Definition Gordon Good
|
|||
|
INTERNET-DRAFT Netscape Communications
|
|||
|
11 March 1998
|
|||
|
|
|||
|
Definition of an Object Class to Hold LDAP Change Records
|
|||
|
Filename: draft-good-ldap-changelog-00.txt
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This document is an Internet-Draft. Internet-Drafts are working
|
|||
|
documents of the Internet Engineering Task Force (IETF), its
|
|||
|
areas, and its working groups. Note that other groups may also
|
|||
|
distribute working documents as Internet-Drafts.
|
|||
|
|
|||
|
Internet-Drafts are draft documents valid for a maximum of six
|
|||
|
months and may be updated, replaced, or obsoleted by other
|
|||
|
documents at any time. It is inappropriate to use Internet-
|
|||
|
Drafts as reference material or to cite them other than as
|
|||
|
``work in progress.''
|
|||
|
|
|||
|
To learn the current status of any Internet-Draft, please check
|
|||
|
the ``1id-abstracts.txt'' listing contained in the Internet-
|
|||
|
Drafts Shadow Directories on ds.internic.net (US East Coast),
|
|||
|
nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
|
|||
|
munnari.oz.au (Pacific Rim).
|
|||
|
|
|||
|
This Internet Draft expires October 1st, 1998.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
In order to support more flexible replication methods, it is
|
|||
|
desirable to specify some manner in which an LDAP client may retrieve
|
|||
|
a set of changes which have been applied to an LDAP server's
|
|||
|
database. The client, which may be another LDAP server, may then
|
|||
|
choose to update its own replicated copy of the data. This document
|
|||
|
specifies an object class which may be used to represent changes
|
|||
|
applied to an LDAP server. It also specifies a method for
|
|||
|
discovering the location of the container object which holds these
|
|||
|
change records, so that clients and servers have a common rendezvous
|
|||
|
point for this information.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Background and Intended Usage
|
|||
|
|
|||
|
This document describes an objectclass which can be used to represent
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Good March 11, 1998 [Page 1]
|
|||
|
|
|||
|
INTERNET-DRAFT Change Record Object Class 11 March 1998
|
|||
|
|
|||
|
|
|||
|
changes which have been applied to a directory server. It also
|
|||
|
suggests a common location for a container which holds these objects.
|
|||
|
A client may update its local copy of directory information by
|
|||
|
reading the entries within this container, and applying the changes
|
|||
|
to its local database.
|
|||
|
|
|||
|
The key words "MUST", "MAY", and "SHOULD" used in this document are
|
|||
|
to be interpreted as described in [3].
|
|||
|
|
|||
|
New Attribute Types Used in the changeLogEntry Object Class
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.1.5
|
|||
|
NAME 'changeNumber'
|
|||
|
DESC 'a number which uniquely identifies a change made to a
|
|||
|
directory entry'
|
|||
|
SYNTAX 'INTEGER'
|
|||
|
EQUALITY 'integerMatch'
|
|||
|
ORDERING 'integerOrderingMatch' )
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.1.6
|
|||
|
NAME 'targetDN'
|
|||
|
DESC 'the DN of the entry which was modified'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 'DN' )
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.1.7
|
|||
|
NAME 'changeType'
|
|||
|
DESC 'the type of change made to an entry'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
SYNTAX 'DirectoryString' )
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.1.8
|
|||
|
NAME 'changes'
|
|||
|
DESC 'a set of changes to apply to an entry'
|
|||
|
SYNTAX 'OctetString' )
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.1.9
|
|||
|
NAME 'newRDN'
|
|||
|
DESC 'the new RDN of an entry which is the target of a
|
|||
|
modrdn operation'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 'DN' )
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.1.10
|
|||
|
NAME 'deleteOldRDN'
|
|||
|
DESC 'a flag which indicates if the old RDN should be retained
|
|||
|
as an attribute of the entry'
|
|||
|
EQUALITY booleanMatch
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Good March 11, 1998 [Page 2]
|
|||
|
|
|||
|
INTERNET-DRAFT Change Record Object Class 11 March 1998
|
|||
|
|
|||
|
|
|||
|
SYNTAX 'BOOLEAN' )
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.1.11
|
|||
|
NAME 'newSuperior'
|
|||
|
DESC 'the new parent of an entry which is the target of a
|
|||
|
moddn operation'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 'DN' )
|
|||
|
|
|||
|
|
|||
|
Schema Definition of the changeLogEntry Object Class
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.2.1
|
|||
|
NAME 'changeLogEntry'
|
|||
|
SUP top
|
|||
|
STRUCTURAL
|
|||
|
MUST (
|
|||
|
changeNumber $ targetDN $ changeType
|
|||
|
)
|
|||
|
MAY (
|
|||
|
changes $ newRDN $ deleteOldRDN $ newSuperior
|
|||
|
)
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Discussion of changeLogEntry Attributes:
|
|||
|
|
|||
|
changeNumber: the change number, as assigned by the supplier. This
|
|||
|
integer MUST strictly increase as new entries are added, and must
|
|||
|
always be unique within a given server. Syntax: INTEGER
|
|||
|
|
|||
|
targetdn: the distinguished name of the entry which was added,
|
|||
|
modified or deleted. In the case of a modrdn operation, the targetdn
|
|||
|
gives the DN of the entry before it was modified. Syntax: DN
|
|||
|
|
|||
|
changeType: the type of change. One of: "add", "delete", "modify",
|
|||
|
"modrdn". Later RFCs may define additional values for changeType.
|
|||
|
Syntax: DirectoryString
|
|||
|
|
|||
|
changes: the changes which were made to the directory server. These
|
|||
|
changes are in LDIF format, which is described in [1].
|
|||
|
Syntax: OctetString
|
|||
|
|
|||
|
newRDN: the new RDN (Relative Distinguished Name) of the entry, if the
|
|||
|
changeType is "modrdn". If the changeType attribute does not have the
|
|||
|
value "modrdn", then there should be no values contained in the newRDN
|
|||
|
attribute.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Good March 11, 1998 [Page 3]
|
|||
|
|
|||
|
INTERNET-DRAFT Change Record Object Class 11 March 1998
|
|||
|
|
|||
|
|
|||
|
Syntax: DN
|
|||
|
|
|||
|
deleteOldRDN: a flag which tells whether the old RDN of the entry
|
|||
|
should be retained as a distinguished attribute of the entry, or
|
|||
|
should be deleted. A value of "FALSE" indicates that the RDN should be
|
|||
|
retained as a distinguished attribute, and a value of "TRUE" indicates
|
|||
|
that it should not be retained as a distinguished attribute of the
|
|||
|
entry. If any value other than "TRUE" or "FALSE" is contained in the
|
|||
|
deleteOldRDN attribute, or if the deleteOldRDN contains multiple
|
|||
|
values, the RDN should be retained as a distinguished attribute (that
|
|||
|
is, "FALSE" is the default if no values are present, or if illegal
|
|||
|
values are present).
|
|||
|
Syntax: BOOLEAN
|
|||
|
|
|||
|
newSuperior: if present, gives the name of the entry which
|
|||
|
becomes the immediate superior of the existing entry. This optional
|
|||
|
attribute reflects LDAPv3 functionality, and MUST NOT be generated
|
|||
|
by LDAPv2 servers [2].
|
|||
|
Syntax: DN
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Discussion of the changeLogEntry object class
|
|||
|
|
|||
|
The changeLogEntry object class is used to represent changes made to a
|
|||
|
directory server. The set of changes made to a directory server, then,
|
|||
|
is given by the ordered set of all entries within the changelog
|
|||
|
container, ordered by changeNumber.
|
|||
|
|
|||
|
A client may synchronize its local copy of a remote directory server's
|
|||
|
contents by searching the remote server's changelog container for any
|
|||
|
entries where the changenumber is greater than or equal to the last
|
|||
|
change previously retrieved from that server. If the entry with the
|
|||
|
changenumber matching the last change retrieved is not returned in the
|
|||
|
search results, then the server's changelog has been trimmed. The
|
|||
|
client must then fall back to reading the entire directory to bring its
|
|||
|
copy in sync with the server's.
|
|||
|
|
|||
|
Assuming that the client has successfully retrieved one or more changelog
|
|||
|
entries from the server, it can then use the information contained in each
|
|||
|
entry to update the corresponding entry (named by the targetDN attribute)
|
|||
|
in its local copy of the database.
|
|||
|
|
|||
|
Note that, due to access control restrictions, the client is not guaranteed
|
|||
|
read access to the "changes" attribute. If the client discovers that the
|
|||
|
"changes" attribute has no values, then it must read the entry given by
|
|||
|
the targetDN attribute, possibly only retrieving attributes it deems
|
|||
|
"interesting". However, in the case of delete and modrdn operations, there
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Good March 11, 1998 [Page 4]
|
|||
|
|
|||
|
INTERNET-DRAFT Change Record Object Class 11 March 1998
|
|||
|
|
|||
|
|
|||
|
is never a "changes" attribute, so it is never necessary to read the target
|
|||
|
entry in these cases.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Examples of the changeLogEntry object class
|
|||
|
|
|||
|
In each example below, the "changes" attribute is shown in plain text,
|
|||
|
with embedded newlines. This is done for clarity. It is intended that
|
|||
|
newlines be stored in the entry literally, not encoded in any way.
|
|||
|
If a "changes" attribute value is stored in an LDIF file, it must
|
|||
|
base-64 encoded.
|
|||
|
|
|||
|
Example 1: A changeLogEntry representing the addition of a
|
|||
|
new entry to the directory
|
|||
|
|
|||
|
dn: changenumber=1923, cn=changelog
|
|||
|
changenumber: 1923
|
|||
|
targetdn: cn=Barbara Jensen, ou=Accounting, o=Ace Industry, c=US
|
|||
|
changetype: add
|
|||
|
changes: cn: Barbara Jensen\ncn: Babs Jensen\nsn: Jensen\n
|
|||
|
givenname: Barbara\ntelephonenumber: +1 212 555-1212\nmail: babs@ace.com\n
|
|||
|
objectclass: top\nobjectclass: person\nobjectclass: organizationalPerson\n
|
|||
|
objectclass: inetOrgPerson
|
|||
|
|
|||
|
Example 2: A changeLogEntry representing the deletion of an entry
|
|||
|
from the directory
|
|||
|
|
|||
|
dn: changenumber=2933, cn=changelog
|
|||
|
changenumber: 2933
|
|||
|
targetdn: cn=Gern Jensen, ou=Product Testing, o=Ace Industry, c=US
|
|||
|
changetype: delete
|
|||
|
|
|||
|
Example 3: A changeLogEntry representing the modification of an entry
|
|||
|
in the directory
|
|||
|
|
|||
|
dn: changenumber=5883, cn=changelog
|
|||
|
changenumber: 5883
|
|||
|
targetdn: cn=Bjorn Jensen, ou=Product Development, o=Ace Industry, c=US
|
|||
|
changetype: modify
|
|||
|
changes: delete: telephonenumber\ntelephonenumber: 1212\n-\n
|
|||
|
add: telephonenumber\ntelephonenumber: +1 212 555 1212\n-
|
|||
|
|
|||
|
Example 4: A changeLogEntry representing a modrdn operation performed
|
|||
|
on an entry in the directory
|
|||
|
|
|||
|
dn: changenumber=10042, cn=changelog
|
|||
|
changenumber: 10042
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Good March 11, 1998 [Page 5]
|
|||
|
|
|||
|
INTERNET-DRAFT Change Record Object Class 11 March 1998
|
|||
|
|
|||
|
|
|||
|
targetdn: cn=Bjorn Jensen, ou=Product Development, o=Ace Industry, c=US
|
|||
|
changetype: modrdn
|
|||
|
newrdn: cn=Bjorn J Jensen
|
|||
|
deleteoldrdn: FALSE
|
|||
|
|
|||
|
|
|||
|
Location of the container containing changeLogEntry objects
|
|||
|
|
|||
|
For LDAPv3 servers, the location of the container which holds
|
|||
|
changeLogEntry objects is obtained by reading the "changeLog" attribute
|
|||
|
of a server's root DSE. For example, if the container's root is
|
|||
|
"cn=changelog", then the root DSE must have an attribute named
|
|||
|
"changeLog" with the value "cn=changelog".
|
|||
|
|
|||
|
The "changelog" attribute is defined as follows:
|
|||
|
|
|||
|
( 2.16.840.1.113730.3.1.35
|
|||
|
NAME 'changelog'
|
|||
|
DESC 'the distinguished name of the entry which contains
|
|||
|
the set of entries comprising this server's changelog'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 'DN'
|
|||
|
)
|
|||
|
|
|||
|
For LDAPv2 servers, the name of the changelog container must be
|
|||
|
"cn=changelog".
|
|||
|
|
|||
|
|
|||
|
Differences from previous versions of this document
|
|||
|
|
|||
|
Differences between draft-ietf-asid-changelog-00.txt and
|
|||
|
draft-ietf-asid-changelog-01.txt
|
|||
|
|
|||
|
1) Fixed a deficiency in the syntax of the changeNumber attribute. The
|
|||
|
attribute now has INTEGER syntax, with appropriate matching and
|
|||
|
ordering rules defined.
|
|||
|
|
|||
|
2) Removed unneeded substring matching rules from the changeType and
|
|||
|
deleteOldRDN attribute definitions.
|
|||
|
|
|||
|
3) Made use of MAY, SHOULD, etc. consistent with RFC 2119.
|
|||
|
|
|||
|
4) Renamed document (now an individual submission).
|
|||
|
|
|||
|
5) Changed syntax of "changes" attribute from "Binary" to "OctetString".
|
|||
|
|
|||
|
6) Removed references to X.500 supplier and consumer-initiated
|
|||
|
replication.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Good March 11, 1998 [Page 6]
|
|||
|
|
|||
|
INTERNET-DRAFT Change Record Object Class 11 March 1998
|
|||
|
|
|||
|
|
|||
|
7) Updated references to current drafts/proposed standards documents.
|
|||
|
|
|||
|
Security Considerations
|
|||
|
|
|||
|
Servers implementing this scheme MUST NOT allow the "changes"
|
|||
|
attribute to be generally readable. The "changes" attribute contains
|
|||
|
all modifications made to an entry, and some changes may contain
|
|||
|
sensitive data, e.g. passwords.
|
|||
|
|
|||
|
If a server does allow read access on the "changes: attribute to a
|
|||
|
particular bound DN, then that DN should be trusted. For example, two
|
|||
|
cooperating servers may exchange the password for some DN which is
|
|||
|
granted read access to the "changes" attribute of the changeLog. This
|
|||
|
would allow one server to retrieve changes and apply them directly to
|
|||
|
its database.
|
|||
|
|
|||
|
In situations where the "changes" attribute is not readable by a client,
|
|||
|
that client may still use the entries in the changeLog to construct a
|
|||
|
list of entry DNs which are known to have changed since the last time
|
|||
|
the client synchronized. The client may then read each of those entries,
|
|||
|
subject to whatever access control is in effect on the server,
|
|||
|
and update its local copy of each entry.
|
|||
|
|
|||
|
Servers implementing this scheme should disallow write access to the
|
|||
|
changelog container object and all entries contained within.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Acknowledgements
|
|||
|
|
|||
|
This material is based in part upon work supported by the National
|
|||
|
Science Foundation under Grant No. NCR-9416667.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
References
|
|||
|
|
|||
|
[1] Good, G., "The LDAP Data Interchange Format", INTERNET-DRAFT
|
|||
|
draft-good-ldap-ldif-03.txt, Netscape Communications Corp., March 1997,
|
|||
|
<URL:ftp://ftp.ietf.org/internet-drafts/draft-good-ldap-ldif-03.txt>
|
|||
|
|
|||
|
[2] Wahl, M., Howes, T., Kille, S., "Lightweight Directory Access
|
|||
|
Protocol (v3)", RFC 2251 Critical Angle, Inc., Netscape Communications Corp.,
|
|||
|
ISODE Consortium, July, 1997,
|
|||
|
<URL:ftp://ftp.isi.edu/in-notes/rfc2251.txt>
|
|||
|
|
|||
|
[3] S. Bradner, "Key Words for use in RFCs to Indicate Requirement
|
|||
|
Levels", Harvard University, RFC 2119, March 1997,
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Good March 11, 1998 [Page 7]
|
|||
|
|
|||
|
INTERNET-DRAFT Change Record Object Class 11 March 1998
|
|||
|
|
|||
|
|
|||
|
<URL:http://ds.internic.net/rfc/rfc2119.txt>
|
|||
|
|
|||
|
|
|||
|
Author's Address
|
|||
|
|
|||
|
Gordon Good
|
|||
|
Netscape Communications Corp.
|
|||
|
501 E. Middlefield Rd.
|
|||
|
Mailstop MV068
|
|||
|
Mountain View, CA 94043, USA
|
|||
|
Phone: +1 415 937-3825
|
|||
|
EMail: ggood@netscape.com
|
|||
|
|
|||
|
This Internet Draft expires October 1st, 1998.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Good March 11, 1998 [Page 8]
|
|||
|
|