mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-18 11:05:48 +08:00
Code Issues Packages Projects Releases Wiki Activity

Suck in latest docs

Browse Source
This commit is contained in:
Kurt Zeilenga 2004-04-15 02:20:53 +00:00
parent 79e6c6afc9
commit 59f542d6e7
8 changed files with 8465 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1961
doc/drafts/draft-behera-ldap-password-policy-xx.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1680
doc/drafts/draft-joslin-config-schema-xx.txt Normal file
View File

File diff suppressed because it is too large Load Diff

406
doc/drafts/draft-sermersheim-ldap-chaining-xx.txt Normal file
View File

@ -0,0 +1,406 @@
Internet Draft J. Sermersheim
Personal Submission R. Harrison
Intended Category: Standard Track Novell, Inc
Document: draft-sermersheim-ldap-chaining-02.txt Feb 2004
LDAP Control to Specify Chaining Behavior
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extensions Working Group
mailing list <ldapext@ietf.org>. Editorial comments may be sent to
the author <jimse@novell.com>.
Abstract
This document describes a Lightweight Directory Access Protocol
(LDAP) request control that allows specification of chaining behavior
for LDAP operations. By using the control with various LDAP
operations, a directory client (DUA), or directory server (DSA)
specifies whether or not a DSA or secondary DSA chains operations to
other DSAs or returns referrals and/or search result references to
the client.
1. Introduction
Many directory servers have the ability through the use of various
mechanisms to participate in a distributed directory model. A
distributed directory is one where the DIT is distributed over
multiple DSAs. One operation completion mechanism used by DSAs in a
distributed directory is chaining. Chaining is defined in [X.518],
and is the act of one DSA communicating a directory operation that
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 1
LDAP Control to Specify Chaining Behavior
originated from a DUA to another DSA in a distributed directory.
Contrast this with the act of passing referrals (4.1.11 of [RFC2251])
and SearchResultReferences (4.5.2 of [RFC2251]) back to the client.
Chaining may happen during the name resolution part of an operation
or during other parts of operations like search which apply to a
number of entries in a subtree.
This document does not attempt to define the distributed directory
model, nor does it attempt to define the manner in which DSAs chain
requests. This document defines a request control that the client can
use to specify whether parts of an operation should or should not be
chained.
2. Conventions
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
used in this document carry the meanings described in [RFC2119].
The term chaining may apply to uni-chaining as well as multi-chaining
(see [X.518]) depending on the capabilities and configuration of the
DSAs.
3. The Control
Support for the control is advertised by the presence of its
controlType in the supportedControl attribute of a server's root DSE.
This control MAY be included in any LDAP request operation except
abandon, unbind, and StartTLS as part of the controls field of the
LDAPMessage, as defined in Section 4.1.12 of [RFC2251]:
The controlType is set to <IANA-ASSIGNED-OID.1>. The criticality MAY
be set to either TRUE or FALSE. The controlValue is an OCTET STRING,
whose value is the following ChainingBehavior type, BER encoded
following the rules in Section 5.1 of [RFC2251]:
ChainingBehavior ::= SEQUENCE {
resolveBehavior Behavior OPTIONAL,
continuationBehavior Behavior OPTIONAL }
Behavior :: = ENUMERATED {
chainingPreferred (0),
chainingRequired (1),
referralsPreferred (2),
referralsRequired (3) }
resolveBehavior instructs the DSA what to do when a referral is
encountered during the local name resolution part of an operation. If
this field is not specified, other policy dictates the DSA's
behavior.
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 2
LDAP Control to Specify Chaining Behavior
continuationBehavior instructs the DSA what to do when a referral is
encountered after the name resolution part of an operation has
completed. This scenario occurs during search operations, and may
occur during yet to be defined future operations. If this field is
not specified, other policy dictates the DSA's behavior.
Behavior specifies whether the DSA should chain the operation or
return referrals when a target object is held by a remote service.
chainingPreferred indicates that the preference is that
chaining, rather than referrals, be used to provide the service.
When this value is set, the server attempts to chain the request
but if it can't it returns referrals.
chainingRequired indicates that chaining is to be used rather
than referrals to service the request. When this value is set,
the server MUST NOT return referrals. It either chains the
request or fails.
referralsPreferred indicates that the client wishes to receive
referrals rather than allow the server to chain the operation.
When this value is set, the server return referrals and search
references when possible, but may chain the operation otherwise.
referralsRequired indicates that chaining is prohibited. When
this value is set, the server MUST NOT chain the request to
other DSAs. Instead it returns referrals as necessary, or fails.
The following list assigns meanings to some of the result codes that
may occur due to this control being present:
- chainingRequired (IANA-ASSIGNED-1) Unable to process without
chaining.
- cannotChain (IANA-ASSIGNED-2) Unable to chain the request.
4. Notes to Implementors
<todo: add some>
4.1 Unbind and Abandon
Clients MUST NOT include the ChainingBehavior control with an Abandon
operation or an Unbind operation. Servers MUST ignore any chaining
control on the abandon and unbind requests. Servers that chain
operation are responsible to keep track of where an operation was
chained to for the purposes of unbind and abandon.
4.2 StartTLS
This operation cannot be chained because the TLS handshake protocol
does not allow man-in-the-middle attacks.
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 3
LDAP Control to Specify Chaining Behavior
5. Relationship with other Extensions
This control MAY be used with other controls or with extended
operations. When it is used with other controls or with extended
operations not listed here, server behavior is undefined unless
otherwise specified.
5.1 Relationship with ManageDsaIT
When this control is used along with the ManageDsaIT control, the
resolveBehavior value is evaluated. If resolveBehavior is such that
chaining is allowed, the DSA is allowed to chain the operation as
necessary until the last RDN is found.
For example: DSA1 holds the naming context <dc=net> and a subordinate
reference to <dc=example,dc=net>, DSA2 holds the naming context
<dc=example,dc=net> and a subordinate reference to
<dc=hostc,dc=example,dc=net>.
A modify operation accompanied by the ManageDsaIT control alone is
sent to DSA1. The base object of the modify operation is set to
<dc=hostc,dc=example,dc=net>. Since DSA1 does not hold the
<dc=hostc,dc=example,dc=net> IT DSE, a referral is returned for
<dc=example,dc=net>.
Next, the same modify operation is accompanied by both the
ManageDsaIT and the ChainingBehavior control where the
ChainingBehavior.resolveBehavior is set to chainingPreferred. In this
case, DSA1 chains to DSA2 when it encounters <dc=example,dc=net> and
DSA2 continues the operation. Since DSA2 holds the IT DSE
<dc=hostc,dc=example,dc=net>, the resolve portion completes, and the
rest of the operation proceeds.
6. Security Considerations
Because this control directs a DSA to chain requests to other DSAs,
it may be used in a denial of service attack. Implementers should be
cognizant of this possibility.
This control may be used to allow access to hosts and portions of the
DIT not normally available to clients. Servers supporting this
control should provide sufficient policy to prevent unwanted
occurrences of this.
7. IANA Considerations
Registration of the following values is requested [RFC3383].
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 4
LDAP Control to Specify Chaining Behavior
7.1. Object Identifiers
It is requested that IANA register upon Standards Action an LDAP
Object Identifier in identifying the protocol elements defined in
this technical specification. The following registration template is
suggested:
Subject: Request for LDAP OID Registration
Person & email address to contact for further information:
Jim Sermersheim
jimse@novell.com
Specification: RFCXXXX
Author/Change Controller: IESG
Comments:
One delegation will be made under the assigned OID:
IANA-ASSIGNED-OID.1 Chaining Behavior Request Control
7.2. LDAP Protocol Mechanism
It is requested that IANA register upon Standards Action the LDAP
protocol mechanism described in this document. The following
registration template is suggested:
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: IANA-ASSIGNED-OID.1
Description: Chaining Behavior Request Control
Person & email address to contact for further information:
Jim Sermersheim
jimse@novell.com
Usage: Control
Specification: RFCXXXX
Author/Change Controller: IESG
Comments: none
7.3. LDAP Result Codes
It is requested that IANA register upon Standards Action the LDAP
result codes:
chainingRequired (IANA-ASSIGNED-1)
cannotChain (IANA-ASSIGNED-2)
The following registration template is suggested:
Subject: LDAP Result Code Registration
Person & email address to contact for further information:
Jim Sermersheim
jimse@novell.com
Result Code Name: chainingRequired
Result Code Name: cannotChain
Specification: RFCXXXX
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 5
LDAP Control to Specify Chaining Behavior
Author/Change Controller: IESG
Comments: request consecutive result codes be assigned
8. Normative References
[X.518]
ITU-T Rec. X.511, "The Directory: Abstract Service Definition", 1993.
[RFC2119]
Bradner, Scott, "Key Words for use in RFCs to Indicate Requirement
Levels", Internet Draft, March 1997.
Available as RFC2119.
[RFC2251]
Wahl, M, S. Kille and T. Howes, "Lightweight Directory Access
Protocol (v3)", Internet Standard, December, 1997.
Available as RFC2251.
9. Authors' Addresses
Jim Sermersheim
Novell, Inc.
1800 South Novell Place
Provo, Utah 84606, USA
jimse@novell.com
+1 801 861-3088
Roger Harrison
Novell, Inc.
1800 South Novell Place
Provo, Utah 84606, USA
rharrison@novell.com
+1 801 861-2642
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 6
LDAP Control to Specify Chaining Behavior
Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made
to obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification
can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain
it or assist in its implementation may be prepared, copied,
published and distributed, in whole or in part, without restriction
of any kind, provided that the above copyright notice and this
paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such
as by removing the copyright notice or references to the Internet
Society or other Internet organizations, except as needed for the
purpose of developing Internet standards in which case the
procedures for copyrights defined in the Internet Standards process
must be followed, or as required to translate it into languages
other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Sermersheim, Harrison Internet-Draft - Exp. Aug 2004 Page 7

451
doc/drafts/draft-zeilenga-ldap-readentry-xx.txt Normal file
View File

@ -0,0 +1,451 @@
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
Expires in six months 26 October 2003
LDAP Read Entry Controls
<draft-zeilenga-ldap-readentry-01.txt>
1. Status of this Memo
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extensions mailing list
<ldapext@ietf.org>. Please send editorial comments directly to the
author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
Copyright (C) The Internet Society (2003). All Rights Reserved.
Please see the Full Copyright section near the end of this document
for more information.
Abstract
This specification describes controls which can be attached to a
Lightweight Directory Access Protocol (LDAP) update request to obtain
copies of the target entry before and/or after the requested update is
applied.
Zeilenga LDAP Read Entry Controls [Page 1]
INTERNET-DRAFT draft-zeilenga-ldap-readentry-01 26 October 2003
1. Background and Intent of Use
This specification describes controls [RFC2251] which can be attached
to Lightweight Directory Access Protocol (LDAP) [RFC3377] update
requests to request and return copies of the target entry. One
request control, called the Pre-Read request control, indicates that a
copy of the entry before application of update is to be returned.
Another control, called the Post-Read request control, indicates that
a copy of the entry after application of the update is to be returned.
Each request control has a corresponding response control used to
return the entry.
The functionality offered by these controls is based upon similar
functionality in the X.500 Directory Access Protocol (DAP) [X.511].
The Pre-Read controls may be used to obtain replaced or deleted values
of modified attributes or a copy of the entry being deleted.
The Post-Read controls may be used to obtain values of operational
attributes, such as the 'entryUUID' [EntryUUID] and 'modifytimestamp'
[RFC2252] attributes, updated by the server as part of the update
operation.
2. Terminology
Protocol elements are described using ASN.1 [X.680] with implicit
tags. The term "BER-encoded" means the element is to be encoded using
the Basic Encoding Rules [X.690] under the restrictions detailed in
Section 5.1 of [RFC2251].
DN stands for Distinguished Name.
DSA stands for Directory System Agent (i.e., a directory server).
DSE stands for DSA-specific Entry.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
3. Read Entry Controls
3.1. The Pre-Read Controls
The Pre-Read request and response controls are identified by the
IANA-ASSIGNED-OID.1 object identifier. Servers implementing these
controls SHOULD publish IANA-ASSIGNED-OID.1 as a value of the
'supportedControl' [RFC2252] in their root DSE.
Zeilenga LDAP Read Entry Controls [Page 2]
INTERNET-DRAFT draft-zeilenga-ldap-readentry-01 26 October 2003
The Pre-Read request control is an LDAP Control [RFC2251] whose
controlType is IANA-ASSIGNED-OID.1 and controlValue is a BER-encoded
AttributeDescriptionList [RFC2251]. The criticality may be TRUE or
FALSE. This control is appropriate for the modifyRequest, delRequest,
and modDNRequest LDAP messages.
The corresponding response control is a LDAP Control whose controlType
is IANA-ASSIGNED-OID.1 and the controlValue, an OCTET STRING, contains
a BER-encoded SearchResultEntry. The criticality may be TRUE or
FALSE. This control is appropriate for the modifyResponse,
delResponse, and modDNResponse LDAP messages with a resultCode of
success (0).
When the request control is attached to an appropriate update LDAP
request, the control requests the return of a copy of target entry
prior to the application of the update. The AttributeDescriptionList
indicates which attributes are requested to appear in the copy. There
are two special AttributeDescriptions which may be included in the
list, "*" and "+". "*" requests all user attributes. "+" requests
all operational attributes. If the list is empty, all user attributes
are requested. If the list contains an unrecognized attribute type,
that type is simply ignored. If all attribute types are unrecognized,
no attributes are to be returned. The server is to return a
SearchResultEntry containing, subject to access controls and other
constraints, values of the requested attributes.
The normal processing of the update operation and the processing of
this control MUST be performed as one atomic action isolated from
other update operations.
If the update operation fails, no response control is provided.
3.2. The Post-Read Controls
The Post-Read request and response controls are identified by the
IANA-ASSIGNED-OID.2 object identifier. Servers implementing these
controls SHOULD publish IANA-ASSIGNED-OID.2 as a value of the
'supportedControl' [RFC2252] in their root DSE.
The Post-Read request control is an LDAP Control [RFC2251] whose
controlType is IANA-ASSIGNED-OID.2 and controlValue, an OCTET STRING,
contains a BER-encoded AttributeDescriptionList [RFC2251]. The
criticality may be TRUE or FALSE. This control is appropriate for the
addRequest, modifyRequest, and modDNRequest LDAP messages.
The corresponding response control is a LDAP Control whose controlType
is IANA-ASSIGNED-OID.2 and controlValue is a BER-encoded
Zeilenga LDAP Read Entry Controls [Page 3]
INTERNET-DRAFT draft-zeilenga-ldap-readentry-01 26 October 2003
SearchResultEntry. The criticality may be TRUE or FALSE. This
control is appropriate for the addResponse, modifyResponse, and
modDNResponse LDAP messages with a resultCode of success (0).
When the request control is attached to an appropriate update LDAP
request, the control requests the return of a copy of target entry
after the application of the update. The AttributeDescriptionList
indicates which attributes are requested to appear in the copy. There
are two special AttributeDescriptions which may be included in the
list, "*" and "+". "*" requests all user attributes. "+" requests
all operational attributes. If the list is empty, all user attributes
are requested. If the list contains an unrecognized attribute type,
that type is simply ignored. If all attribute types are unrecognized,
no attributes are to be returned. The server is to return a
SearchResultEntry containing, subject to access controls and other
constraints, values of the requested attributes.
The normal processing of the update operation and the processing of
this control MUST be performed as one atomic action isolated from
other update operations.
If the update operation fails, no response control is provided.
4. Interaction with other controls
The Pre- and Post-Read controls may be combined with each other and/or
with a variety of other controls. When combined with the assertion
control [ASSERT], the manageDsaIT control [RFC3296], and/or the proxy
authorization control [PROXYAUTH], the semantics of each control
included in the combination apply. The Pre- and Post-Read controls
may be combined with other controls as detailed in other technical
specifications.
5. Security Considerations
The controls defined in this document extend update operations to
support read capabilities. Servers MUST ensure that the client is
authorized both for reading of the information provided in this
control in addition to ensuring the client is authorized to perform
the requested directory update.
Implementors of this (or any) LDAP extension should be familiar with
general LDAP security considerations [RFC3377].
6. IANA Considerations
Zeilenga LDAP Read Entry Controls [Page 4]
INTERNET-DRAFT draft-zeilenga-ldap-readentry-01 26 October 2003
Registration of the following protocol values [RFC3383] is requested.
6.1. Object Identifier
It is requested that IANA register an LDAP Object Identifier to
identify LDAP protocol elements defined in this document.
Subject: Request for LDAP Object Identifier Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Specification: RFC XXXX
Author/Change Controller: IESG
Comments:
Identifies the LDAP Read Entry Controls
6.2. LDAP Protocol Mechanisms
It is requested that IANA register the LDAP Protocol Mechanism
described in this document.
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: IANA-ASSIGNED-OID.1
Description: LDAP Pre-read Control
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Control
Specification: RFC XXXX
Author/Change Controller: IESG
Comments: none
in 2
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: IANA-ASSIGNED-OID.2
Description: LDAP Post-read Control
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Control
Specification: RFC XXXX
Author/Change Controller: IESG
Comments: none
in 2
7. Acknowledgment
The LDAP Pre- and Post-Read controls are modeled after similar
Zeilenga LDAP Read Entry Controls [Page 5]
INTERNET-DRAFT draft-zeilenga-ldap-readentry-01 26 October 2003
capabilities offered in the DAP [X.511].
8. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
[RFC2251] Wahl, M., T. Howes and S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.
[RFC2252] Wahl, M., A. Coulbeck, T. Howes, and S. Kille,
"Lightweight Directory Access Protocol (v3): Attribute
Syntax Definitions", RFC 2252, December 1997.
[RFC2830] Hodges, J., R. Morgan, and M. Wahl, "Lightweight
Directory Access Protocol (v3): Extension for Transport
Layer Security", RFC 2830, May 2000.
[RFC3296] Zeilenga, K., "Named Subordinate References in
Lightweight Directory Access Protocol (LDAP)
Directories", RFC 3296, July 2002.
[RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
Protocol (v3): Technical Specification", RFC 3377,
September 2002.
[X.680] International Telecommunication Union -
Telecommunication Standardization Sector, "Abstract
Syntax Notation One (ASN.1) - Specification of Basic
Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
[X.690] International Telecommunication Union -
Telecommunication Standardization Sector, "Specification
of ASN.1 encoding rules: Basic Encoding Rules (BER),
Canonical Encoding Rules (CER), and Distinguished
Encoding Rules (DER)", X.690(1997) (also ISO/IEC
8825-1:1998).
[PROXYAUTH] Weltman, R., "LDAP Proxy Authentication Control", draft-
weltman-ldapv3-proxy-xx.txt, a work in progress.
[ASSERT] Zeilenga, K., "LDAP Assertion Control",
draft-zeilenga-ldap-assert-xx.txt, a work in progress.
9. Informative References
Zeilenga LDAP Read Entry Controls [Page 6]
INTERNET-DRAFT draft-zeilenga-ldap-readentry-01 26 October 2003
[RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
(also RFC 3383), September 2002.
[X.511] International Telecommunication Union -
Telecommunication Standardization Sector, "The
Directory: Abstract Service Definition", X.511(1993).
[EntryUUID] Zeilenga, K., "The LDAP EntryUUID Operational
Attribute", draft-zeilenga-ldap-uuid-xx.txt, a work in
progress.
10. Author's Address
Kurt D. Zeilenga
OpenLDAP Foundation
<Kurt@OpenLDAP.org>
Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such proprietary
rights by implementors or users of this specification can be obtained
from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright
Copyright (C) The Internet Society (2003). All Rights Reserved.
Zeilenga LDAP Read Entry Controls [Page 7]
INTERNET-DRAFT draft-zeilenga-ldap-readentry-01 26 October 2003
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
Zeilenga LDAP Read Entry Controls [Page 8]

339
doc/drafts/draft-zeilenga-ldap-turn-xx.txt Normal file
View File

@ -0,0 +1,339 @@
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Experimental OpenLDAP Foundation
Expires in six months 8 February 2004
LDAP Turn Operation
<draft-zeilenga-ldap-turn-00.txt>
1. Status of this Memo
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor for publication as an
Experimental document. Distribution of this memo is unlimited.
Technical discussion of this document will take place on the IETF LDAP
Extensions mailing list <ldapext@ietf.org>. Please send editorial
comments directly to the author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.
Copyright (C) The Internet Society (2004). All Rights Reserved.
Please see the Full Copyright section near the end of this document
for more information.
Abstract
This specification describes a Lightweight Directory Access Protocol
(LDAP) extended operation to reverse (or "turn") the roles of client
and server for subsequent protocol exchanges in the session.
Zeilenga LDAP Turn Op [Page 1]
INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
1. Background and Intent of Use
The Lightweight Directory Access Protocol (LDAP) [RFC3377] is a client
/ server protocol which typically operates over reliable octet stream
transports such as the Transport Control Protocol (TCP). Generally,
the client initiates the stream by connecting to the server's listener
at some well-known address.
There are cases where it is desirable for the server to initiate the
stream. While it certainly is possible to write a technical
specification detailing how to implement server-initiated LDAP
sessions, this would requiring designing new authentication and other
security features to support server-initiated LDAP sessions.
This document instead introduces an operation, the Turn operation,
which may be used to reverse the client / server roles of the
protocol peers. This allows the initiating protocol peer to be server
(after reversal).
As an additional feature, the Turn operation may be used to allow both
peers to act in both roles. This is useful where both peers are
directory servers which desire to issue, as LDAP clients, operations
against the other. This may be useful in replicated environments.
This operation is intended to used between protocol peers which have
established a mutual agreement, by means outside of the protocol,
which requires reversal of client / server roles or both peers to act
both as client and server.
1.1 Terminology
Protocol elements are described using ASN.1 [X.680] with implicit
tags. The term "BER-encoded" means the element is to be encoded using
the Basic Encoding Rules [X.690] under the restrictions detailed in
Section 5.1 of [RFC2251].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
2. Turn Operation
The Turn operation is defined as a LDAP Extended Operation [RFC2251,
Section 4.12] identified by the IANA-ASSIGNED-OID. The function of
the Turn Operation is to request that the client / server roles be
reversed, or, optionally to request that both protocol peers to be
Zeilenga LDAP Turn Op [Page 2]
INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
able to act both as client and server.
2.1. Turn Request
The Turn request is an ExtendedRequest with the requestName field
containing the IANA-ASSIGNED-OID and a requestValue field is a
BER-encoded turnValue:
turnValue ::= SEQUENCE {
mutual BOOLEAN DEFAULT FALSE,
identifier LDAPString,
}
A TRUE value of the mutual field indicates a request to allow both
peers to act both as client and server while a FALSE value indicates a
request to reserve the client and server roles.
The value of the identifier field is a locally-defined policy
identifier (typicallly associated with a mutual agreement for which
this turn is be executed as part of). This policy identifier is
called the turn indicator.
2.2. Turn Response
A Turn response is an ExtendedResponse where the responseName and
response fields are absent. A resultCode of success is returned if
and only if the responder is willing and able to turn the session as
requested. Otherwise, a different resultCode is returned.
3. Security Considerations
It is generally recommended that before issuing the Turn operation the
protocol peers:
- establish each other identities through appropriate authentication
mechanism,
- establish appropriate data integrity, data confidentiality, and
other protections,
- establish an LDAP association between the initiating peer and the
responding peer.
And upon successful completion of turn:
- establish an LDAP association in reverse.
That is, for peer A connecting to peer B listening and where TLS and
Zeilenga LDAP Turn Op [Page 3]
INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
SASL/EXTERNAL were to be used, the sequence of operations would be:
A->B: StartTLS
A->B: Bind(SASL,EXTERNAL)
A->B: Turn
B->A: Bind(SASL,EXTERNAL)
4. IANA Considerations
Registration of the following values [RFC3383] is requested.
4.1. Object Identifier
It is requested that IANA assign an LDAP Object Identifier to identify
the LDAP Turn Operation as defined in this document.
Subject: Request for LDAP Object Identifier Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Specification: RFC XXXX
Author/Change Controller: Author
Comments:
Identifies the LDAP Turn Operation
4.2. LDAP Protocol Mechanism
It is requested that IANA register the LDAP Protocol Mechanism
described in this document.
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: IANA-ASSIGNED-OID
Description: LDAP Turn Operation
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Extended Operation
Specification: RFC XXXX
Author/Change Controller: Author
Comments: none
5. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14 (also RFC 2119), March 1997.
Zeilenga LDAP Turn Op [Page 4]
INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
[RFC2251] Wahl, M., T. Howes and S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.
[RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
Protocol (v3): Technical Specification", RFC 3377,
September 2002.
[X.680] International Telecommunication Union -
Telecommunication Standardization Sector, "Abstract
Syntax Notation One (ASN.1) - Specification of Basic
Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
[X.690] International Telecommunication Union -
Telecommunication Standardization Sector, "Specification
of ASN.1 encoding rules: Basic Encoding Rules (BER),
Canonical Encoding Rules (CER), and Distinguished
Encoding Rules (DER)", X.690(1997) (also ISO/IEC
8825-1:1998).
6. Informative References
[RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
(also RFC 3383), September 2002.
7. Author's Address
Kurt D. Zeilenga
OpenLDAP Foundation
Email: Kurt@OpenLDAP.org
Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such proprietary
Zeilenga LDAP Turn Op [Page 5]
INTERNET-DRAFT draft-zeilenga-ldap-turn-00 8 February 2004
rights by implementors or users of this specification can be obtained
from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
Zeilenga LDAP Turn Op [Page 6]

397
doc/man/man5/slapd.conf.5
View File

@ -284,195 +284,6 @@ feature. The default is 0.
.B include <filename>
Read additional configuration information from the given file before
continuing with the next line of the current file.
.TP
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
The argument
.B who
can be any of
.RS
.RS
.TP
anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
.RE
with
.RS
.TP
<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
.RE
The term
.B anonymous
matches all unauthenticated clients.
The term
.B users
matches all authenticated clients;
otherwise an
.B exact
dn pattern is assumed unless otherwise specified by qualifying
the (optional) key string
.B dn
with
.B exact
or
.B base
(which are synonyms), to require an exact match; with
.BR onelevel ,
to require exactly one level of depth match; with
.BR subtree ,
to allow any level of depth match, including the exact match; with
.BR children ,
to allow any level of depth match, not including the exact match;
.BR regex
explicitly requires the (default) match based on regular expression
pattern, as detailed in
.BR regex (7).
Finally,
.B anonymous
matches unbound operations; the
.B pattern
field is ignored.
The same behavior is obtained by using the
.B anonymous
form of the
.B who
clause.
The term
.BR group ,
with the optional objectClass
.B oc
and attributeType
.B at
fields, followed by
.BR pattern ,
sets the limits for any DN listed in the values of the
.B at
attribute (default
.BR member )
of the
.B oc
group objectClass (default
.BR groupOfNames )
whose DN exactly matches
.BR pattern .
The currently supported limits are
.B size
and
.BR time .
The syntax for time limits is
.BR time[.{soft|hard}]=<integer> ,
where
.BR integer
is the number of seconds slapd will spend answering a search request.
If no time limit is explicitly requested by the client, the
.BR soft
limit is used; if the requested time limit exceeds the
.BR hard
limit, an
.I \"Administrative limit exceeded\"
is returned.
If the
.BR hard
limit is set to 0 or to the keyword
.IR soft ,
the soft limit is used in either case; if it is set to
.I -1
or to the keyword
.IR none ,
no hard limit is enforced.
Explicit requests for time limits smaller or equal to the
.BR hard
limit are honored.
If no flag is set, the value is assigned to the
.BR soft
limit, and the
.BR hard
limit is set to zero, to preserve the original behavior.
The syntax for size limits is
.BR size[.{soft|hard|unchecked}]=<integer> ,
where
.BR integer
is the maximum number of entries slapd will return answering a search
request.
If no size limit is explicitly requested by the client, the
.BR soft
limit is used; if the requested size limit exceeds the
.BR hard
limit, an
.I \"Administrative limit exceeded\"
is returned.
If the
.BR hard
limit is set to 0 or to the keyword
.IR soft ,
the soft limit is used in either case; if it is set to
.I -1
or to the keyword
.IR none ,
no hard limit is enforced.
Explicit requests for size limits smaller or equal to the
.BR hard
limit are honored.
The
.BR unchecked
flag sets a limit on the number of candidates a search request is allowed
to examine.
If the selected candidates exceed the
.BR unchecked
limit, the search will abort with
.IR \"Unwilling to perform\" .
If it is set to
.I -1
or to the keyword
.IR none ,
no limit is applied (the default).
If it is set to
.IR disable ,
the search is not even performed; this can be used to disallow searches
for a specific set of users.
If no flag is set, the value is assigned to the
.BR soft
limit, and the
.BR hard
limit is set to zero, to preserve the original behavior.
In case of no match, the global limits are used.
The default values are the same of
.B sizelimit
and
.BR timelimit ;
no limit is set on
.BR unchecked .
If
.B pagedResults
control is defined, additional size limits may be enforced; the syntax is
.BR size.pr={<integer>|noEstimate|disabled|none} ,
where
.B integer
is the max page size if no explicit limit is set; the keyword
.I noEstimate
inhibits the server to return an estimate of the total number
of entries that will be returned; the keyword
.I disabled
disables the control; the keyword
.I none
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|none}
allows to set a limit on the total number of entries that a pagedResults
control allows to return.
By default it is unlimited, which is indicated by the keyword
.IR none .
When set,
.B integer
is the max number of entries that the whole search with pagedResults control
can return.
.RE
.\"-- NEW_LOGGING option --
.\".TP
.\".B logfile <filename>
@ -1148,6 +959,214 @@ will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
createTimestamp attributes for entries. By default, lastmod is on.
.TP
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
The argument
.B who
can be any of
.RS
.RS
.TP
anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
.RE
with
.RS
.TP
<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
.RE
The term
.B anonymous
matches all unauthenticated clients.
The term
.B users
matches all authenticated clients;
otherwise an
.B exact
dn pattern is assumed unless otherwise specified by qualifying
the (optional) key string
.B dn
with
.B exact
or
.B base
(which are synonyms), to require an exact match; with
.BR onelevel ,
to require exactly one level of depth match; with
.BR subtree ,
to allow any level of depth match, including the exact match; with
.BR children ,
to allow any level of depth match, not including the exact match;
.BR regex
explicitly requires the (default) match based on regular expression
pattern, as detailed in
.BR regex (7).
Finally,
.B anonymous
matches unbound operations; the
.B pattern
field is ignored.
The same behavior is obtained by using the
.B anonymous
form of the
.B who
clause.
The term
.BR group ,
with the optional objectClass
.B oc
and attributeType
.B at
fields, followed by
.BR pattern ,
sets the limits for any DN listed in the values of the
.B at
attribute (default
.BR member )
of the
.B oc
group objectClass (default
.BR groupOfNames )
whose DN exactly matches
.BR pattern .
The currently supported limits are
.B size
and
.BR time .
The syntax for time limits is
.BR time[.{soft|hard}]=<integer> ,
where
.BR integer
is the number of seconds slapd will spend answering a search request.
If no time limit is explicitly requested by the client, the
.BR soft
limit is used; if the requested time limit exceeds the
.BR hard
limit, an
.I \"Administrative limit exceeded\"
error is returned.
If the
.BR hard
limit is set to 0 or to the keyword
.IR soft ,
the soft limit is used in either case; if it is set to
.I -1
or to the keyword
.IR none ,
no hard limit is enforced.
Explicit requests for time limits smaller or equal to the
.BR hard
limit are honored.
If no flag is set, the value is assigned to the
.BR soft
limit, and the
.BR hard
limit is set to zero, to preserve the original behavior.
The syntax for size limits is
.BR size[.{soft|hard|unchecked}]=<integer> ,
where
.BR integer
is the maximum number of entries slapd will return answering a search
request.
If no size limit is explicitly requested by the client, the
.BR soft
limit is used; if the requested size limit exceeds the
.BR hard
limit, an
.I \"Administrative limit exceeded\"
error is returned.
If the
.BR hard
limit is set to 0 or to the keyword
.IR soft ,
the soft limit is used in either case; if it is set to
.I -1
or to the keyword
.IR none ,
no hard limit is enforced.
Explicit requests for size limits smaller or equal to the
.BR hard
limit are honored.
The
.BR unchecked
flag sets a limit on the number of candidates a search request is allowed
to examine.
If the selected candidates exceed the
.BR unchecked
limit, the search will abort with
.IR \"Unwilling to perform\" .
If it is set to
.I -1
or to the keyword
.IR none ,
no limit is applied (the default).
If it is set to
.IR disable ,
the search is not even performed; this can be used to disallow searches
for a specific set of users.
If no flag is set, the value is assigned to the
.BR soft
limit, and the
.BR hard
limit is set to zero, to preserve the original behavior.
In case of no match, the global limits are used.
The default values are the same of
.B sizelimit
and
.BR timelimit ;
no limit is set on
.BR unchecked .
If
.B pagedResults
control is requested, the
.B hard
size limit is used by default, because the request of a specific page size
is considered as an explicit request for a limitation on the number
of entries to be returned.
However, the size limit applies to the total count of entries returned within
the search, and not to a single page.
Additional size limits may be enforced; the syntax is
.BR size.pr={<integer>|noEstimate|disabled|none} ,
where
.B integer
is the max page size if no explicit limit is set; the keyword
.I noEstimate
inhibits the server to return an estimate of the total number
of entries that will be returned; the keyword
.I disabled
disables the control, i.e. no paged results can be returned; the keyword
.I none
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|none}
allows to set a limit on the total number of entries that a pagedResults
control allows to return.
By default it is set to the
.B hard
limit.
When set,
.B integer
is the max number of entries that the whole search with pagedResults control
can return.
Use
.B none
to allow unlimited number of entries to be returned, i.e. to use
pagedResults as a means to allow clients to circumvent size limitations
on regular searches.
Note that the total number of entries returned when the pagedResults control
is requested cannot exceed the
.B hard
size limit of regular searches unless extended by the
.B prtotal
switch.
.RE
.TP
.B maxderefdepth <depth>
Specifies the maximum number of aliases to dereference when trying to
resolve an entry, used to avoid infinite alias loops. The default is 1.

1
doc/rfc/INDEX
View File

@ -39,6 +39,7 @@ rfc3673.txt LDAPv3: All Operational Attributes (PS)
rfc3674.txt Feature Discovery in LDAP (PS)
rfc3687.txt LDAP Component Matching Rules (PS)
rfc3698.txt LDAP: Additional Matching Rules (PS)
rfc3703.txt LDAP: Schema for Policy Core (PS)
rfc3712.txt LDAP: Schema for Printer Services (I)
rfc3727.txt ASN.1 Module for LDAP Component Matching Rules (PS)

3419
doc/rfc/rfc3703.txt Normal file
View File

File diff suppressed because it is too large Load Diff