mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
508 lines
18 KiB
Plaintext
508 lines
18 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group A. Young
|
|||
|
Request for Comments: 1798 ISODE Consortium
|
|||
|
Category: Standards Track June 1995
|
|||
|
|
|||
|
|
|||
|
Connection-less Lightweight Directory Access Protocol
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This document specifies an Internet standards track protocol for the
|
|||
|
Internet community, and requests discussion and suggestions for
|
|||
|
improvements. Please refer to the current edition of the "Internet
|
|||
|
Official Protocol Standards" (STD 1) for the standardization state
|
|||
|
and status of this protocol. Distribution of this memo is unlimited.
|
|||
|
|
|||
|
X.500
|
|||
|
|
|||
|
The protocol described in this document is designed to provide access
|
|||
|
to the Directory while not incurring the resource requirements of the
|
|||
|
Directory Access Protocol (DAP) [3]. In particular, it is aimed at
|
|||
|
avoiding the elapsed time that is associated with connection-oriented
|
|||
|
communication and it facilitates use of the Directory in a manner
|
|||
|
analagous to the DNS [5,6]. It is specifically targeted at simple
|
|||
|
lookup applications that require to read a small number of attribute
|
|||
|
values from a single entry. It is intended to be a complement to DAP
|
|||
|
and LDAP [4]. The protocol specification draws heavily on that of
|
|||
|
LDAP.
|
|||
|
|
|||
|
1. Background
|
|||
|
|
|||
|
The Directory can be used as a repository for many kinds of
|
|||
|
information. The full power of DAP is unnecessary for applications
|
|||
|
that require simple read access to a few attribute values.
|
|||
|
Applications addressing is a good example of this type of use where
|
|||
|
an application entity needs to determine the Presentation Address
|
|||
|
(PA) of a peer entity given that peer's Application Entity Title
|
|||
|
(AET). If the AET is a Directory Name (DN) then the required result
|
|||
|
can be obtained from the PA attribute of the Directory entry
|
|||
|
identified by the AET. This is very similar to DNS.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 1]
|
|||
|
|
|||
|
RFC 1798 CLDAP June 1995
|
|||
|
|
|||
|
|
|||
|
Use of DAP to achieve this functionality involves a significant
|
|||
|
number of network exchanges:
|
|||
|
|
|||
|
___________________________________________________________
|
|||
|
|_#_|______Client_(DUA)________DAP________Server_(DSA)_____|
|
|||
|
| 1| N-Connect.request -> |
|
|||
|
| 2| <- N-Connect.response |
|
|||
|
| 3| T-Connect.request -> |
|
|||
|
| 4| <- T-Connect.response |
|
|||
|
| | S-Connect.request, |
|
|||
|
| | P-Connect.request, |
|
|||
|
| | A-Associate.request, |
|
|||
|
| 5| DAP-Bind.request -> |
|
|||
|
| | S-Connect.response, |
|
|||
|
| | P-Connect.response, |
|
|||
|
| | A-Associate.response, |
|
|||
|
| 6| <- DAP-Bind.response |
|
|||
|
| 7| DAP-Read.request -> |
|
|||
|
| 8| <- DAP-Read.response |
|
|||
|
| | S-Release.request, |
|
|||
|
| | P-Release.request, |
|
|||
|
| | A-Release.request, |
|
|||
|
| 9| DAP-Unbind.request -> |
|
|||
|
| | S-Release.response, |
|
|||
|
| | P-Release.response, |
|
|||
|
| | A-Release.response, |
|
|||
|
| 10| <- DAP-Unbind.response |
|
|||
|
| | T-Disconnect.request, |
|
|||
|
| 11| N-Disconnect.request -> |
|
|||
|
| | T-Disconnect.response,|
|
|||
|
| 12| <- N-Disconnect.response |
|
|||
|
|___|______________________________________________________|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 2]
|
|||
|
|
|||
|
RFC 1798 CLDAP June 1995
|
|||
|
|
|||
|
|
|||
|
This is 10 packets before the application can continue, given that it
|
|||
|
can probably do so after issuing the T-Disconnect.request. (Some
|
|||
|
minor variations arise depending upon the class of Network and
|
|||
|
Transport service that is being used; for example use of TP4 over
|
|||
|
CLNS reduces the packet count by two.) LDAP is no better in the case
|
|||
|
where the LDAP server uses full DAP to communicate with the
|
|||
|
Directory:
|
|||
|
|
|||
|
____________________________________________________________________
|
|||
|
|__#_|___Client_____LDAP_____LDAP_server______DAP_________DSA_______|
|
|||
|
| 1 | TCP SYN -> |
|
|||
|
| 2 | <- TCP SYN ACK |
|
|||
|
| 3 | BindReq -> |
|
|||
|
| 4 | N-Connect.req -> |
|
|||
|
| 5 | <- N-Connect.res |
|
|||
|
| 6 | T-Connect.req -> |
|
|||
|
| 7 | <- T-Connect.res |
|
|||
|
| 8 | DAP-Bind.req -> |
|
|||
|
| 9 | <- DAP-Bind.res |
|
|||
|
| 10 | <- BindRes |
|
|||
|
| 11 | SearchReq -> |
|
|||
|
| 12 | DAP-Search.req -> |
|
|||
|
| 13 | <- DAP-Search.res |
|
|||
|
| 14 | <- SearchRes |
|
|||
|
| 15 | TCP FIN -> |
|
|||
|
| 16 | DAP-Unbind.req -> |
|
|||
|
| 17 | <- DAP-Unbind.res |
|
|||
|
| 18 | N-Disconnect.req -> |
|
|||
|
| 19 | <- N-Disconnect.res|
|
|||
|
|____|______________________________________________________________|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 3]
|
|||
|
|
|||
|
RFC 1798 CLDAP June 1995
|
|||
|
|
|||
|
|
|||
|
Here there are 14 packets before the application can continue. Even
|
|||
|
if the LDAP server is on the same host as the DSA (so packet delay is
|
|||
|
negligible), or if the DSA supports LDAP directly, then there are
|
|||
|
still 6 packets.
|
|||
|
|
|||
|
____________________________________
|
|||
|
| #| Client LDAP LDAP server|
|
|||
|
|__|________________________________|
|
|||
|
| 1| TCP SYN -> |
|
|||
|
| 2| <- TCP SYN ACK|
|
|||
|
| 3| BindReq -> |
|
|||
|
| 4| <- BindRes |
|
|||
|
| 5| SearchReq -> |
|
|||
|
|_6|_______________<-____SearchRes__|
|
|||
|
|
|||
|
|
|||
|
This protocol provides for simple access to the Directory where the
|
|||
|
delays inherent in the above exchanges are unacceptable and where the
|
|||
|
additional functionality provided by connection-mode operation is not
|
|||
|
required.
|
|||
|
|
|||
|
2. Protocol Model
|
|||
|
|
|||
|
CLDAP is based directly on LDAP [4] and inherits many of the key
|
|||
|
aspects of the LDAP protocol:
|
|||
|
|
|||
|
- - Many protocol data elements are encoding as ordinary strings
|
|||
|
(e.g., Distinguished Names).
|
|||
|
|
|||
|
- - A lightweight BER encoding is used to encode all protocol
|
|||
|
elements.
|
|||
|
|
|||
|
It is different to LDAP in that:
|
|||
|
|
|||
|
- - Protocol elements are carried directly over UDP or other
|
|||
|
connection-less transport, bypassing much of the
|
|||
|
session/presentation overhead and that of connections (LDAP uses
|
|||
|
a connection-mode transport service).
|
|||
|
|
|||
|
- - A restricted set of operations is available.
|
|||
|
|
|||
|
The definitions of most protocol elements are inherited from LDAP.
|
|||
|
|
|||
|
The general model adopted by this protocol is one of clients
|
|||
|
performing protocol operations against servers. In this model, this
|
|||
|
is accomplished by a client transmitting a protocol request
|
|||
|
describing the operation to be performed to a server, which is then
|
|||
|
responsible for performing the necessary operations on the Directory.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 4]
|
|||
|
|
|||
|
RFC 1798 CLDAP June 1995
|
|||
|
|
|||
|
|
|||
|
Upon completion of the necessary operations, the server returns a
|
|||
|
response containing any results or errors to the requesting client.
|
|||
|
|
|||
|
Note that, although servers are required to return responses whenever
|
|||
|
such responses are defined in the protocol, there is no requirement
|
|||
|
for synchronous behaviour on the part of either client or server
|
|||
|
implementations: requests and responses for multiple operations may
|
|||
|
be exchanged by client and servers in any order, as long as servers
|
|||
|
eventually send a response for every request that requires one.
|
|||
|
|
|||
|
Also, because the protocol is implemented over a connection-less
|
|||
|
transport service clients must be prepared for either requests or
|
|||
|
responses to be lost. Clients should use a retry mechanism with
|
|||
|
timeouts in order to achieve the desired level of reliability. For
|
|||
|
example, a client might send off a request and wait for two seconds.
|
|||
|
If no reply is forthcoming, the request is sent again and the client
|
|||
|
waits four seconds. If there is still no reply, the client sends it
|
|||
|
again and waits eight seconds, and so on, until some maximun time.
|
|||
|
Such algorithms are widely used in other datagram-based protocol
|
|||
|
implementations, such as the DNS. It is not appropriate to mandate a
|
|||
|
specific algorithm as this will depend upon the requirments and
|
|||
|
operational environment of individual CLDAP client implementations.
|
|||
|
|
|||
|
It is not required that a client abandon any requests to which no
|
|||
|
response has been received and for which a reply is no longer
|
|||
|
required (because the request has been timed out), but they may do
|
|||
|
so.
|
|||
|
|
|||
|
Consistent with the model of servers performing protocol operations
|
|||
|
on behalf of clients, it is also to be noted that protocol servers
|
|||
|
are expected to handle referrals without resorting to the return of
|
|||
|
such referrals to the client. This protocol makes no provisions for
|
|||
|
the return of referrals to clients, as the model is one of servers
|
|||
|
ensuring the performance of all necessary operations in the
|
|||
|
Directory, with only final results or errors being returned by
|
|||
|
servers to clients.
|
|||
|
|
|||
|
Note that this protocol can be mapped to a strict subset of the
|
|||
|
Directory abstract service, so it can be cleanly provided by the DAP.
|
|||
|
|
|||
|
3. Mapping Onto Transport Services
|
|||
|
|
|||
|
This protocol is designed to run over connection-less transports,
|
|||
|
with all 8 bits in an octet being significant in the data stream.
|
|||
|
Specifications for two underlying services are defined here, though
|
|||
|
others are also possible.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 5]
|
|||
|
|
|||
|
RFC 1798 CLDAP June 1995
|
|||
|
|
|||
|
|
|||
|
3.1. User Datagram Protocol (UDP)
|
|||
|
|
|||
|
The CLDAPMessage PDUs are mapped directly onto UDP datagrams. Only
|
|||
|
one request may be sent in a single datagram. Only one response may
|
|||
|
be sent in a single datagram. Server implementations running over
|
|||
|
the UDP should provide a protocol listener on port 389.
|
|||
|
|
|||
|
3.2. Connection-less Transport Service (CLTS)
|
|||
|
|
|||
|
Each LDAPMessage PDU is mapped directly onto T-Unit-Data.
|
|||
|
|
|||
|
4. Elements of Protocol
|
|||
|
|
|||
|
CLDAP messages are defined by the following ASN.1:
|
|||
|
|
|||
|
CLDAPMessage ::= SEQUENCE {
|
|||
|
messageID MessageID,
|
|||
|
user LDAPDN, -- on request only --
|
|||
|
protocolOp CHOICE {
|
|||
|
searchRequest SearchRequest,
|
|||
|
searchResponse SEQUENCE OF
|
|||
|
SearchResponse,
|
|||
|
abandonRequest AbandonRequest
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
where MessageID, LDAPDN, SearchRequest, SearchResponse and
|
|||
|
AbandonRequest are defined in the LDAP protocol.
|
|||
|
|
|||
|
The 'user' element is supplied only on requests (it should be zero
|
|||
|
length and is ignored in responses). It may be used for logging
|
|||
|
purposes but it is not required that a CLDAP server implementation
|
|||
|
apply any particular semantics to this field.
|
|||
|
|
|||
|
Editorial note:
|
|||
|
There has been some discussion about the desirability of
|
|||
|
authentication with CLDAP requests and the addition of the fields
|
|||
|
necessary to support this. This might take the form of a clear
|
|||
|
text password (which would go against the current IAB drive to
|
|||
|
remove such things from protocols) or some arbitrary credentials.
|
|||
|
Such a field is not included. It is felt that, in general,
|
|||
|
authentication would incur sufficient overhead to negate the
|
|||
|
advantages of the connectionless basis of CLDAP. If an
|
|||
|
application requires authenticated access to the Directory then
|
|||
|
CLDAP is not an appropriate protocol.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 6]
|
|||
|
|
|||
|
RFC 1798 CLDAP June 1995
|
|||
|
|
|||
|
|
|||
|
Within a searchResponse all but the last SearchResponse has choice
|
|||
|
'entry' and the last SearchResponse has choice 'resultCode'. Within
|
|||
|
a searchResponse, as an encoding optimisation, the value of the
|
|||
|
objectName LDAP DN may use a trailing '*' character to refer to the
|
|||
|
baseObject of the corresponding searchRequest. For example, if the
|
|||
|
baseObject is specified as "o=UofM, c=US", then the following
|
|||
|
objectName LDAPDNs in a response would have the indicated meanings
|
|||
|
|
|||
|
objectName returned actual LDAPDN denoted
|
|||
|
____________________________________________________
|
|||
|
"*" "o=UofM, c=US"
|
|||
|
"cn=Babs Jensen, *" "cn=Babs Jensen, o=UofM, c=US"
|
|||
|
|
|||
|
4.1. Errors
|
|||
|
|
|||
|
The following error code is added to the LDAPResult.resultCode
|
|||
|
enumeration of [4]:
|
|||
|
|
|||
|
resultsTooLarge (70),
|
|||
|
|
|||
|
This error is returned when the LDAPMessage PDU containing the
|
|||
|
results of an operation are too large to be sent in a single
|
|||
|
datagram.
|
|||
|
|
|||
|
4.2. Example
|
|||
|
|
|||
|
A simple lookup can be performed in 4 packets. This is reduced to 2
|
|||
|
if either the DSA implements the CLDAP protocol, the CLDAP server has
|
|||
|
a cache of the desired results, or the CLDAP server and DSA are co-
|
|||
|
located such that there is insignificant delay between them.
|
|||
|
|
|||
|
_______________________________________________________________
|
|||
|
|_#|___Client_____CLDAP____CLDAP_server____DAP________DSA______|
|
|||
|
| 1| SearchReq -> |
|
|||
|
| 2| DAP-Search.req -> |
|
|||
|
| 3| <- DAP-Search.res|
|
|||
|
| 4| <- SearchRes |
|
|||
|
|__|___________________________________________________________|
|
|||
|
|
|||
|
5. Implementation Considerations
|
|||
|
|
|||
|
The following subsections provide guidance on the implementation of
|
|||
|
clients and servers using the CLDAP protocol.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 7]
|
|||
|
|
|||
|
RFC 1798 CLDAP June 1995
|
|||
|
|
|||
|
|
|||
|
5.1. Server Implementations
|
|||
|
|
|||
|
Given that the goal of this protocol is to minimise the elapsed time
|
|||
|
between making a Directory request and receiving the response, a
|
|||
|
server which uses DAP to access the directory should use techniques
|
|||
|
that assist in this.
|
|||
|
|
|||
|
- - A server should remain bound to the Directory during reasonably
|
|||
|
long idle periods or should remain bound permanently.
|
|||
|
|
|||
|
- - Cacheing of results is highly desirable but this must be
|
|||
|
tempered by the need to provide up-to-date results given the
|
|||
|
lack of a cache invalidation protocol in DAP (either implicit
|
|||
|
via timers or explicit) and the lack of a dontUseCopy service
|
|||
|
control in the protocol.
|
|||
|
|
|||
|
Of course these issues are irrelevant if the CLDAP protocol is
|
|||
|
directly supported by a DSA.
|
|||
|
|
|||
|
5.2. Client Implementations
|
|||
|
|
|||
|
For simple lookup applications, use of a retry algorithm with
|
|||
|
multiple servers similar to that commonly used in DNS stub resolver
|
|||
|
implementations is recommended. The location of a CLDAP server or
|
|||
|
servers may be better specified using IP addresses (simple or
|
|||
|
broadcast) rather than names that must first be looked up in another
|
|||
|
directory such as DNS.
|
|||
|
|
|||
|
6. Security Considerations
|
|||
|
|
|||
|
This protocol provides no facilities for authentication. It is
|
|||
|
expected that servers will bind to the Directory either anonymously
|
|||
|
or using simple authentication without a password.
|
|||
|
|
|||
|
7. Bibliography
|
|||
|
|
|||
|
[1] The Directory: Overview of Concepts, Models and Service. CCITT
|
|||
|
Recommendation X.500, 1988.
|
|||
|
|
|||
|
[2] The Directory: Models. CCITT Recommendation X.501 ISO/IEC JTC
|
|||
|
1/SC21; International Standard 9594-2, 1988.
|
|||
|
|
|||
|
[3] The Directory: Abstract Service Definition. CCITT Recommendation
|
|||
|
X.511, ISO/IEC JTC 1/SC21; International Standard 9594-3, 1988.
|
|||
|
|
|||
|
[4] Yeong, W., Howes, T., and S. Kille, "X.500 Lightweight Directory
|
|||
|
Access Protocol", RFC 1487, Performance Systems International,
|
|||
|
University of Michigan, ISODE Consortium, July 1993.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 8]
|
|||
|
|
|||
|
RFC 1798 CLDAP June 1995
|
|||
|
|
|||
|
|
|||
|
[5] Mockapetris, P., "Domain Names - Implementation and
|
|||
|
Specification", STD 13, RFC 1035, USC/Information Sciences
|
|||
|
Institute, November 1987.
|
|||
|
|
|||
|
[6] Mockapetris, P., "Domain Names - Concepts and Facilities", STD
|
|||
|
13, RFC 1034, USC/Information Sciences Institute, November 1987.
|
|||
|
|
|||
|
8. Acknowledgements
|
|||
|
|
|||
|
Many thanks to Tim Howes and Steve Kille for their detailed comments
|
|||
|
and to other members of the working group.
|
|||
|
|
|||
|
This work was initiated by the Union Bank of Switzerland.
|
|||
|
|
|||
|
9. Author's Address
|
|||
|
|
|||
|
Alan Young
|
|||
|
ISODE Consortium
|
|||
|
The Dome, The Square
|
|||
|
RICHMOND
|
|||
|
GB - TW9 1DT
|
|||
|
|
|||
|
Phone: +44 81 332 9091
|
|||
|
EMail: A.Young@isode.com
|
|||
|
X.400: i=A; s=Young; o=ISODE Consortium; p=ISODE; a=MAILNET; c=FI
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Young Standards Track [Page 9]
|
|||
|
|