2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
LDAPEXT Working Group J. Sermersheim
|
|
|
|
|
Internet Draft Novell, Inc
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Document: draft-ietf-ldapext-ldapv3-dupent-05.txt October 2000
|
|
|
|
|
Intended Category: Standard Track
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1. Status of this Memo
|
|
|
|
|
|
|
|
|
|
This document is an Internet-Draft and is in full conformance with
|
|
|
|
|
all provisions of Section 10 of RFC2026 [1].
|
|
|
|
|
|
|
|
|
|
Internet-Drafts are working documents of the Internet Engineering
|
|
|
|
|
Task Force (IETF), its areas, and its working groups. Note that
|
|
|
|
|
other groups may also distribute working documents as Internet-
|
|
|
|
|
Drafts. Internet-Drafts are draft documents valid for a maximum of
|
|
|
|
|
six months and may be updated, replaced, or obsoleted by other
|
|
|
|
|
documents at any time. It is inappropriate to use Internet- Drafts
|
|
|
|
|
as reference material or to cite them other than as "work in
|
|
|
|
|
progress."
|
|
|
|
|
|
|
|
|
|
The list of current Internet-Drafts can be accessed at
|
|
|
|
|
http://www.ietf.org/ietf/1id-abstracts.txt
|
|
|
|
|
|
|
|
|
|
The list of Internet-Draft Shadow Directories can be accessed at
|
|
|
|
|
http://www.ietf.org/shadow.html.
|
|
|
|
|
|
|
|
|
|
2. Abstract
|
|
|
|
|
|
|
|
|
|
This document describes a Duplicate Entry Representation control
|
|
|
|
|
extension for the LDAP Search operation. By using the control with
|
|
|
|
|
an LDAP search, a client requests that the server return separate
|
|
|
|
|
entries for each value held in the specified attributes. For
|
|
|
|
|
instance, if a specified attribute of an entry holds multiple
|
|
|
|
|
values, the search operation will return multiple instances of that
|
|
|
|
|
entry, each instance holding a separate single value in that
|
|
|
|
|
attribute.
|
|
|
|
|
|
|
|
|
|
3. Overview
|
|
|
|
|
|
|
|
|
|
The Server-Side Sorting control [SSS] allows the server to order
|
|
|
|
|
search result entries based on attribute values (sort keys). It
|
|
|
|
|
does not allow one to specify behavior when an attribute contains
|
|
|
|
|
multiple values. The default behavior, as outlined in 7.9 of
|
|
|
|
|
[X.511], is to use the smallest value as the sort key.
|
|
|
|
|
|
|
|
|
|
An application may need to produce an ordered list of entries,
|
|
|
|
|
sorted by a multi-valued attribute, where each attribute value is
|
|
|
|
|
represented in the list. In order to do this, a separate control is
|
|
|
|
|
needed which causes the set of entries to be expanded sufficiently
|
|
|
|
|
to represent each attribute value prior to sorting.
|
|
|
|
|
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Sermersheim Internet-Draft - Expires Apr 2001 Page 1
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This document describes controls, which allow duplicate entries in
|
|
|
|
|
the result set of search, where each entry represents a distinct
|
|
|
|
|
value of a given multiple valued attribute.
|
|
|
|
|
|
|
|
|
|
An example of this would be a sorted list of all telephone numbers
|
|
|
|
|
in an organization. Because any entry may have multiple telephone
|
|
|
|
|
numbers, and the list is to be sorted by telephone number, the list
|
|
|
|
|
must be able to contain duplicate entries, each with its own unique
|
|
|
|
|
telephone number.
|
|
|
|
|
|
|
|
|
|
Another example would be an application that needs to display an
|
|
|
|
|
ordered list of all members of a group. It would use this control
|
|
|
|
|
to create a result set of duplicate groupOfNames entries, each with
|
|
|
|
|
a single, unique value in its member attribute.
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
|
|
|
|
|
used in this document carry the meanings described in [RFC2119].
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
4. The Controls
|
|
|
|
|
|
|
|
|
|
Support for the controls is advertised by the presence of their OID
|
|
|
|
|
in the supportedControl attribute of a server's root DSE. The OID
|
|
|
|
|
for the request control is "2.16.840.1.113719.1.27.101.1" and the
|
|
|
|
|
OID for the response control is "2.16.840.1.113719.1.27.101.2".
|
|
|
|
|
|
|
|
|
|
4.1 Request Control
|
|
|
|
|
|
|
|
|
|
This control is included in the searchRequest message as part of the
|
|
|
|
|
controls field of the LDAPMessage, as defined in Section 4.1.12 of
|
2000-11-03 00:33:47 +08:00
|
|
|
|
[RFC2251].
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
The controlType is set to "2.16.840.1.113719.1.27.101.1". The
|
|
|
|
|
criticality MAY be set to either TRUE or FALSE. The controlValue is
|
|
|
|
|
an OCTET STRING, whose value is the BER encoding of the following
|
|
|
|
|
type:
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
DuplicateEntryRequest ::= SEQUENCE {
|
|
|
|
|
AttributeDescriptionList, -- from [RFC2251]
|
|
|
|
|
PartialApplicationAllowed BOOLEAN DEFAULT TRUE }
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
|
|
|
|
|
4.1.1 AttributeDescriptionList Semantics
|
|
|
|
|
|
|
|
|
|
The AttributeDescriptionList data type is described in 4.1.5 of
|
|
|
|
|
[RFC2251] and describes a list of 0 or more AttributeDescription
|
|
|
|
|
types as also described in 4.1.5 of [RFC2251]. Both definitions are
|
2000-06-19 05:51:37 +08:00
|
|
|
|
repeated here for convenience:
|
|
|
|
|
|
|
|
|
|
AttributeDescriptionList ::= SEQUENCE OF
|
|
|
|
|
AttributeDescription
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
AttributeDescription ::= LDAPString
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Sermersheim Internet-Draft - Expires Jan 2001 Page 2
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
A value of AttributeDescription is based on the following BNF:
|
|
|
|
|
|
|
|
|
|
attributeDescription = AttributeType [ ";" <options> ]
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
While processing a search request, a server implementation examines
|
|
|
|
|
this list. If a specified attribute or attribute subtype exists in
|
|
|
|
|
an entry to be returned by search, and that attribute holds multiple
|
|
|
|
|
values, the server treats the entry as if it were multiple,
|
|
|
|
|
duplicate entries -- the specified attributes each holding a single,
|
|
|
|
|
unique value from the original set of values of that attribute.
|
|
|
|
|
|
|
|
|
|
An AttributeDescription MUST only occur once in the list. If an
|
2000-06-19 05:51:37 +08:00
|
|
|
|
AttributeDescription is included in the DuplicateEntryRequest
|
2000-11-03 00:33:47 +08:00
|
|
|
|
multiple times, the server MUST return a protocolError error in the
|
|
|
|
|
DuplicateEntryResponseDone control.
|
|
|
|
|
|
|
|
|
|
Client implementations SHOULD NOT specify attribute type options
|
|
|
|
|
that indicate transfer encoding.
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
When two or more attribute types are specified by this control, the
|
|
|
|
|
number of duplicate entries is the combination of all values in each
|
|
|
|
|
attribute. Because of the potential complexity involved in servicing
|
|
|
|
|
multiple attribute types, server implementations MAY choose to
|
|
|
|
|
support a limited number of attribute types in the control.
|
|
|
|
|
|
|
|
|
|
There is a special case where either no attributes are specified, or
|
|
|
|
|
an attribute description value of "*" is specified. In this case,
|
|
|
|
|
all attributes are used. (The "*" allows the client to request all
|
|
|
|
|
user attributes in addition to specific operational attributes).
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
4.1.2 PartialApplicationAllowed Semantics
|
|
|
|
|
|
|
|
|
|
The PartialApplicationAllowed field is used to specify whether the
|
|
|
|
|
client will allow the server to apply this control to a subset of
|
|
|
|
|
the search result set. If TRUE, the server is free to arbitrarily
|
|
|
|
|
apply this control to no, any, or all search results. If FALSE, the
|
|
|
|
|
server MUST either apply the control to all search results or fail
|
|
|
|
|
to support the control at all.
|
|
|
|
|
|
|
|
|
|
Client implementations use the DuplicateSearchResult control to
|
|
|
|
|
discover which search results have been affected by this control
|
|
|
|
|
|
|
|
|
|
4.2 Response Controls
|
|
|
|
|
|
|
|
|
|
Two response controls are defined to provide feedback while the
|
|
|
|
|
search results are being processed; DuplicateSearchResult and
|
|
|
|
|
DuplicateEntryResponseDone.
|
|
|
|
|
|
|
|
|
|
The DuplicateSearchResult control is sent with all SearchResultEntry
|
|
|
|
|
operations that contain search results which have been modified by
|
|
|
|
|
the DuplicateEntryRequest control.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sermersheim Internet-Draft - Expires Jan 2001 Page 3
|
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The DuplicateEntryResponseDone control is sent with the
|
|
|
|
|
SearchResultDone operation in order to convey completion
|
|
|
|
|
information.
|
|
|
|
|
|
|
|
|
|
4.2.1 The DuplicateSearchResult control
|
|
|
|
|
|
|
|
|
|
This control is included in the SearchResultEntry message of any
|
|
|
|
|
search result that holds an entry that has been modified by the
|
|
|
|
|
DuplicateEntryRequest control as part of the controls field of the
|
|
|
|
|
LDAPMessage, as defined in Section 4.1.12 of [RFC2251]. This control
|
|
|
|
|
is absent on search results that are unaffected by
|
|
|
|
|
DuplicateEntryRequest control.
|
|
|
|
|
|
|
|
|
|
The controlType is set to "2.16.840.1.113719.1.27.101.2". The
|
|
|
|
|
criticality is ignored. The controlValue is not included.
|
|
|
|
|
|
|
|
|
|
4.2.2 The DuplicateEntryResponseDone control
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
This control is included in the searchResultDone message as part of
|
|
|
|
|
the controls field of the LDAPMessage, as defined in Section 4.1.12
|
2000-11-03 00:33:47 +08:00
|
|
|
|
of [RFC2251].
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
The controlType is set to "2.16.840.1.113719.1.27.101.3". The
|
|
|
|
|
criticality is ignored. The controlValue is an OCTET STRING, whose
|
|
|
|
|
value is the BER encoding of the following SEQUENCE:
|
|
|
|
|
|
|
|
|
|
DuplicateEntryResponseDone ::= SEQUENCE {
|
|
|
|
|
resultCode, -- From [RFC2251]
|
|
|
|
|
errorMessage [0] LDAPString OPTIONAL,
|
|
|
|
|
attributeType [1] AttributeDescription OPTIONAL }
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
A result field is provided here to allow feedback in the case where
|
|
|
|
|
the criticality of the request control is FALSE, and the server
|
|
|
|
|
could not process the control - yet it could complete the search
|
|
|
|
|
operation successfully. If the request control's criticality is
|
|
|
|
|
TRUE, and the server cannot process the control, the resultCode of
|
|
|
|
|
the LDAPResult is used to report the error.
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Though any result code that is defined in [RFC2251] MAY be returned
|
|
|
|
|
the following list assigns special meanings to certain result codes
|
|
|
|
|
when returned in this control:
|
|
|
|
|
|
|
|
|
|
- success: The control was successful.
|
|
|
|
|
- protocolError Invalid data in request control.
|
|
|
|
|
- timeLimitExceeded Time limit reached before attribute values
|
|
|
|
|
could be processed.
|
|
|
|
|
- sizeLimitExceeded Size limit reached as a result of this
|
|
|
|
|
control.
|
|
|
|
|
- adminLimitExceeded result set too large for server to handle.
|
|
|
|
|
- noSuchAttribute unrecognized attribute description.
|
|
|
|
|
- unwillingToPerform Server cannot process control.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sermersheim Internet-Draft - Expires Jan 2001 Page 4
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
errorMessage MAY be populated with a human-readable string in the
|
|
|
|
|
event of an erroneous result code.
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
attributeType MAY be set to the value of the first attribute type
|
|
|
|
|
specified by the DuplicateEntryRequest that was in error. The
|
|
|
|
|
client MUST ignore the attributeType field if the result is success.
|
|
|
|
|
|
|
|
|
|
5. Protocol Examples
|
|
|
|
|
|
|
|
|
|
5.1 Simple example
|
|
|
|
|
|
|
|
|
|
This example will show this control being used to produce a list of
|
2000-11-03 00:33:47 +08:00
|
|
|
|
all telephone numbers in the dc=example,dc=net container. Let's say
|
|
|
|
|
the following three entries exist in this container;
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User1,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
telephoneNumber: 555-0123
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
telephoneNumber: 555-8854
|
|
|
|
|
telephoneNumber: 555-4588
|
|
|
|
|
telephoneNumber: 555-5884
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User3,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
telephoneNumber: 555-9425
|
|
|
|
|
telephoneNumber: 555-7992
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
First an LDAP search is specified with a baseDN of
|
|
|
|
|
"dc=example,dc=net", subtree scope, filter set to
|
|
|
|
|
"telephoneNumber=*". A DuplicateEntryRequest control is attached to
|
|
|
|
|
the search, specifying "telephoneNumber" as the attribute
|
|
|
|
|
description, and the search request is sent to the server.
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
The set of search results returned by the server would then consist
|
|
|
|
|
of the following entries:
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User1,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
telephoneNumber: 555-0123
|
2000-11-03 00:33:47 +08:00
|
|
|
|
<no DuplicateSearchResult control sent with search result>
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
telephoneNumber: 555-8854
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
telephoneNumber: 555-4588
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
telephoneNumber: 555-5884
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User3,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
telephoneNumber: 555-9425
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User3,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Sermersheim Internet-Draft - Expires Jan 2001 Page 5
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
telephoneNumber: 555-7992
|
|
|
|
|
|
|
|
|
|
All but the first entry are accompanied by the DuplicateSearchResult
|
|
|
|
|
control when sent from the server.
|
|
|
|
|
|
2000-06-19 05:51:37 +08:00
|
|
|
|
Note that it is not necessary to use an attribute type in this
|
|
|
|
|
control that is specified in the search filter. This example only
|
|
|
|
|
does so, because the result was to obtain a list of telephone
|
|
|
|
|
numbers.
|
|
|
|
|
|
|
|
|
|
5.2 Specifying multiple attributes
|
|
|
|
|
|
|
|
|
|
A more complicated example involving multiple attributes will result
|
|
|
|
|
in more entries. If we assume these entries in the directory:
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User1,dc=example,dc=net
|
|
|
|
|
givenName: User1
|
|
|
|
|
mail: user1@example.net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
|
|
|
|
givenName: User2
|
|
|
|
|
givenName: User Two
|
|
|
|
|
mail: user2@example.net
|
|
|
|
|
mail: usertwo@example.net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
And both "mail" and "givenName" are specified as attribute types in
|
|
|
|
|
this control, the resulting set of entries would be this:
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User1,dc=example,dc=net
|
|
|
|
|
givenName: User1
|
|
|
|
|
mail: user1@example.net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
|
|
|
|
givenName: User2
|
|
|
|
|
mail: user2@example.net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
|
|
|
|
givenName: User2
|
|
|
|
|
mail: usertwo@example.net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
|
|
|
|
givenName: User Two
|
|
|
|
|
mail: user2@example.net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=User2,dc=example,dc=net
|
|
|
|
|
givenName: User Two
|
|
|
|
|
mail: usertwo@example.net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
5.3 Listing the members of a groupOfNames
|
|
|
|
|
|
|
|
|
|
This example shows how the controls can be used to turn a single
|
|
|
|
|
groupOfNames entry into multiple duplicate entries. Let<65>s say this
|
|
|
|
|
is our groupOfNames entry:
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Sermersheim Internet-Draft - Expires Jan 2001 Page 6
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=Administrators,dc=example,dc=net
|
|
|
|
|
cn: Administrators
|
|
|
|
|
member: cn=aBaker,dc=example,dc=net
|
|
|
|
|
member: cn=cDavis,dc=example,dc=net
|
|
|
|
|
member: cn=bChilds,dc=example,dc=net
|
|
|
|
|
member: cn=dEvans,dc=example,dc=net
|
|
|
|
|
|
|
|
|
|
We could set our search base to "cn=Administrators,dc=example,dc=net
|
|
|
|
|
", filter to "objectClass=*", use an object scope (to restrict it to
|
|
|
|
|
this entry) and send the duplicateEntryRequest control with "member"
|
|
|
|
|
as its attribute value. The resulting set would look like this:
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=Administrators,dc=example,dc=net
|
|
|
|
|
member: cn=aBaker,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=Administrators,dc=example,dc=net
|
|
|
|
|
member: cn=cDavis,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=Administrators,dc=example,dc=net
|
|
|
|
|
member: cn=bChilds,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
dn: cn=Administrators,dc=example,dc=net
|
|
|
|
|
member: cn=dEvans,dc=example,dc=net
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
This list can then be sorted by member and displayed (also by
|
|
|
|
|
member) in a list.
|
|
|
|
|
|
|
|
|
|
6 Relationship to other controls
|
|
|
|
|
|
|
|
|
|
This control is intended (but not limited) to be used with the
|
|
|
|
|
Server Side Sorting control [SSS]. By pairing this control with the
|
|
|
|
|
Server Side Sorting control, One can produce a set of entries,
|
|
|
|
|
sorted by attribute values, where each attribute value is
|
2000-11-03 00:33:47 +08:00
|
|
|
|
represented in the sorted set. Server implementations MUST ensure
|
2000-06-19 05:51:37 +08:00
|
|
|
|
that this control is processed before sorting the result of a
|
|
|
|
|
search, as this control alters the result set of search.
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
This control MAY also be used with the Virtual List View [VLV]
|
2000-06-19 05:51:37 +08:00
|
|
|
|
control (which has a dependency on the Server Side Sort control).
|
|
|
|
|
The nature of the dependency between the VLV control and the Sort
|
|
|
|
|
control is such that the Sorting takes place first. Because the sort
|
|
|
|
|
happens first, and because this control is processed before the sort
|
|
|
|
|
control, the impact of this control on the VLV control is minimal.
|
|
|
|
|
Some server implementations may need to carefully consider how to
|
|
|
|
|
handle the typedown functionality of the VLV control when paired
|
|
|
|
|
with this control. The details of this are heavily implementation
|
|
|
|
|
dependent and are beyond the scope of this document.
|
|
|
|
|
|
|
|
|
|
7. Notes for Implementers
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Both client and server implementations MUST be aware that using this
|
|
|
|
|
control could potentially result in a very large set of search
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Sermersheim Internet-Draft - Expires Jan 2001 Page 7
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
results. Servers MAY return an adminLimitExceeded result in the
|
|
|
|
|
response control due to inordinate consumption of resources. This
|
|
|
|
|
may be due to some a priori knowledge such as a server restriction
|
|
|
|
|
of the number of attribute types in the request control that it's
|
2000-06-19 05:51:37 +08:00
|
|
|
|
willing to service, or it may be due to the server attempting to
|
|
|
|
|
service the control and running out of resources.
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Client implementations MUST be aware that when using this control,
|
|
|
|
|
search entries returned will contain a subset of the values of any
|
2000-06-19 05:51:37 +08:00
|
|
|
|
specified attribute.
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
If this control is used in a chained environment, servers SHOULD NOT
|
|
|
|
|
pass this control to other servers. Instead they SHOULD gather
|
|
|
|
|
results and apply this control themselves.
|
|
|
|
|
|
|
|
|
|
8. Security Considerations
|
|
|
|
|
|
|
|
|
|
This control allows finer control of the result set returned by an
|
|
|
|
|
LDAP search operation and as such may be used in a denial of service
|
|
|
|
|
attack. See Section 7 for more information on how this is detected
|
|
|
|
|
and handled.
|
|
|
|
|
|
|
|
|
|
9. Acknowledgments
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
The author gratefully thanks the input and support of participants
|
|
|
|
|
of the LDAP-EXT working group.
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
10. References
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
[RFC2251]
|
2000-06-19 05:51:37 +08:00
|
|
|
|
Wahl, M, S. Kille and T. Howes, "Lightweight Directory Access
|
|
|
|
|
Protocol (v3)", Internet Standard, December, 1997.
|
|
|
|
|
Available as RFC2251.
|
|
|
|
|
|
|
|
|
|
[SSS]
|
|
|
|
|
Wahl, M, A. Herron and T. Howes, "LDAP Control Extension for Server
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Side Sorting of Search Results", Internet Draft, June, 2000.
|
|
|
|
|
Available as draft-ietf-ldapext-sorting-03.txt.
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
[VLV]
|
|
|
|
|
Boreham, D, Sermersheim, J, Anantha, A, Armijo, M, "LDAP Extensions
|
|
|
|
|
for Scrolling View Browsing of Search Results", Internet Draft,
|
2000-11-03 00:33:47 +08:00
|
|
|
|
April, 2000.
|
|
|
|
|
Available as draft-ietf-ldapext-ldapv3-vlv-04.txt.
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
[X.511]
|
|
|
|
|
ITU-T Rec. X.511, "The Directory: Abstract Service Definition",
|
|
|
|
|
1993.
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
[RFC2119]
|
2000-06-19 05:51:37 +08:00
|
|
|
|
Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement
|
|
|
|
|
Levels", Internet Draft, March, 1997.
|
|
|
|
|
Available as RFC2119.
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
Sermersheim Internet-Draft - Expires Jan 2001 Page 8
|
|
|
|
|
|
|
|
|
|
LDAP Control for a Duplicate Entry Representation of Search Results
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
11. Author's Address
|
2000-06-19 05:51:37 +08:00
|
|
|
|
|
|
|
|
|
Jim Sermersheim
|
|
|
|
|
Novell, Inc.
|
2000-11-03 00:33:47 +08:00
|
|
|
|
1800 South Novell Place
|
2000-06-19 05:51:37 +08:00
|
|
|
|
Provo, Utah 84606, USA
|
|
|
|
|
jimse@novell.com
|
|
|
|
|
+1 801 861-3088
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2000-11-03 00:33:47 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sermersheim Internet-Draft - Expires Jan 2001 Page 9
|
|
|
|
|
|