mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-30 13:30:57 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update to rev 04

Browse Source
This commit is contained in:
Kurt Zeilenga 2001-08-01 05:40:10 +00:00
parent 3a1b634ee2
commit e83281bff3
1 changed files with 129 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

196
doc/drafts/draft-zeilenga-ldapv3bis-opattrs-xx.txt
View File

@ -1,13 +1,21 @@
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation
Expires: 29 December 2000 29 June 2000
Expires: 1 October 2001 1 April 2001
Updates: RFC 2251
LDAPv3: All Operational Attributes
<draft-zeilenga-ldapv3bis-opattrs-00.txt>
<draft-zeilenga-ldapv3bis-opattrs-06.txt>
1. Status of this Memo
1. Status of this Memo
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.
@ -15,7 +23,7 @@ Expires: 29 December 2000 29 June 2000
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extension Working Group
document will take place on the IETF LDAP Extensions Working Group
mailing list <ietf-ldapext@netscape.com>. Please send editorial
comments directly to the author <Kurt@OpenLDAP.org>.
@ -31,32 +39,32 @@ Expires: 29 December 2000 29 June 2000
http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft
Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
Copyright 2000, The Internet Society. All Rights Reserved.
Copyright 2001, The Internet Society. All Rights Reserved.
Please see the Copyright section near the end of this document for
more information.
2. Overview
2. Overview
X.500 provides a mechanism for clients to request all operational
attributes be returned with entries provided in response to a search
operation. LDAP [RFC2251] does not provide a similar mechanism to
clients to request the return of operational attributes. The lack of
such a mechanisms hinders discovery of operational attributes present
in an entry.
X.500 [X.500] provides a mechanism for clients to request all
operational attributes be returned with entries provided in response
to a search operation. This mechanism is often used by clients to
discover which operational attributes are present in an entry. LDAP
[RFC2251] does not provide a similar mechanism to clients.
Zeilenga [Page 1]
Zeilenga LDAP All Op Attrs [Page 1]
INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-06 1 April 2001
This document defines a simple mechanism which clients may use to
request all operation attributes. This document updates RFC 2251 as
detailed below.
request the return of all operation attributes. The mechanism is
designed for use with existing general purpose LDAP clients (including
web browsers which support LDAP URLs). This document updates the
LDAPv3 technical specification as detailed below.
The key words ``MUST'', ``MUST NOT'', ``REQUIRED'', ``SHALL'', ``SHALL
NOT'', ``SHOULD'', ``SHOULD NOT'', ``RECOMMENDED'', and ``MAY'' in
@ -64,7 +72,7 @@ INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
[RFC2119].
3. Changes to RFC 2251
3. Changes to LDAP version 3
This document updates RFC 2251 as follows:
@ -100,16 +108,16 @@ INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
signifies that all user attributes are to be returned. An
attribute list containing the attribute description string "*"
signifies that all user attributes are to be returned. An
Zeilenga LDAP All Op Attrs [Page 2]
INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-06 1 April 2001
attribute list containing the attribute description string "+"
signifies that all operational attributes are to be returned.
Zeilenga [Page 2]
INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
(The "*" allows the client to request all user attributes in
addition to any requested operational attributes. The "+" allows
the client to request all operational attributes in addition to
@ -129,44 +137,81 @@ INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
is replaced with:
Client implementors should note that results may not include all
requested attributes due to access controls or other restrictions.
In addition, client implementors should request types only be
returned when discovering operational attributes as certain
operational attributes may have extremely large number of values.
Furthermore, servers will not return operational attributes, such
as objectClasses or attributeTypes, unless they are requested,
since there may be extremely large number of values for certain
operational attributes. (A list of operational attributes for use
in LDAP is given in [5].)
as objectClasses or attributeTypes, unless they are requested (by
name or by "+"), since there may be extremely large number of
values for certain operational attributes. (A list of operational
attributes for use in LDAP is given in [5].) Clients should also
note that certain operational attributes may be returned only if
requested by name.
5. Interoperability Considerations
5. Interoperability Considerations
The addition of this mechanism to LDAPv3 is not believed to cause
significant interoperability problems. A server which does not
support the "+" should ignore the attribute description per RFC 2251,
section 4.5.1 and only return the attributes for the attribute
descriptions strings they do recognize. From the client's
perspective, this is one possible "other restriction" noted above.
This mechanism is specifically designed to allow users to request all
operational attributes using existing LDAP clients. In particular,
the mechanism is designed to be compatible with existing general
purpose LDAP clients includes web browsers which support LDAP URLs
[RFC 2255].
The addition of this mechanism to LDAPv3 is believed not to cause any
significant interoperability issues (this has been confirmed through
testing). Servers which have yet to implement this specification
should ignore the "+" as an unrecognized attribute description per
[RFC 2251, Section 4.5.1]. From the client's perspective, a server
which does not return all operational attributes when "+" is requested
should be viewed as having other restrictions.
It is also noted that this mechanism is believed to require no
modification of existing LDAP SDKs.
5. Security Considerations
Zeilenga LDAP All Op Attrs [Page 3]
INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-06 1 April 2001
6. Security Considerations
This document provides a mechanism which clients may use to discover
operational attributes. Access controls should be used to restrict
access to operational attributes per local policy.
operational attributes. Those relying on security by obscurity should
implement appropriate access controls to restricts access to
operational attributes per local policy.
6. Copyright
7. Bibliography
[RFC2219] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (v3)", RFC 2251, December 1997.
[RFC2255] T. Howes and M. Smith, "The LDAP URL Format", RFC 2255,
December 1997.
[X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
Models and Service", 1993.
8. Acknowledgment
The "+" mechanism is believed to have been first suggested by Bruce
Greenblatt in a November 1998 post to the IETF LDAPext Working Group
mailing list.
Zeilenga [Page 3]
INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
9. Author's Address
Kurt D. Zeilenga
OpenLDAP Foundation
<Kurt@OpenLDAP.org>
Copyright 2000, The Internet Society. All Rights Reserved.
10. Full Copyright
Copyright 2001, The Internet Society. All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
@ -175,6 +220,14 @@ INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
Zeilenga LDAP All Op Attrs [Page 4]
INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-06 1 April 2001
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
@ -191,24 +244,6 @@ INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
7. Bibliography
[RFC2219] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight
Directory Access Protocol (v3)", RFC 2251,
December 1997.
[X.500] ITU-T Rec. X.500, "The Directory: Overview of
Concepts, Models and Service", 1993.
8. Author's Address
Kurt D. Zeilenga
OpenLDAP Foundation
<Kurt@OpenLDAP.org>
@ -217,5 +252,32 @@ INTERNET-DRAFT draft-zeilenga-ldapv3bis-opattrs-00 13 June 2000
Zeilenga [Page 4]
Zeilenga LDAP All Op Attrs [Page 5]