Internet-Draft                                    D. Byrne, IBM
          LDAP Extensions WG                                L. Poitou, Sun
          Intended Category: Standards Track                E. Stokes, IBM
          Expires: 20 October 1998

           20 April 1998

                             Use of Aliases within LDAP
                          <draft-byrne-ldap-alias-00.txt>

          STATUS OF THIS MEMO

             This document is an Internet Draft. Internet Drafts are
             working documents of the Internet Engineering Task Force
             (IETF), its Areas, and its Working Groups. Note that other
             groups may also distribute working documents as Internet
             Drafts.

             Internet Drafts are draft documents valid for a maximum of six
             months. Internet Drafts may be updated, replaced, or obsoleted
             by other documents at any time. It is not appropriate to use
             Internet Drafts as reference material or to cite them other
             than as a "working draft" or "work in progress."

             To view the entire list of current Internet-Drafts, please
             check the "1id-abstracts.txt" listing contained in the
             Internet-Drafts Shadow Directories on ftp.is.co.za (Africa),
             ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern
             Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East
             Coast), or ftp.isi.edu (US West Coast).

             Comments and suggestions on this document are encouraged.
             Comments on this document should be sent to the  LDAPEXT
             working group discussion list:

                    ietf-ldapext@netscape.com

          ABSTRACT

             This document describes the suggested behavior for aliases for
             LDAPv3 and above to improve LDAP server interoperability .

             The key words "MUST", "SHOULD", and "MAY" used in this
             document are to be interpreted as described in [Bradner97].


          1. Objectives


             Aliases may be used within LDAP to reference entries anywhere
             within the directory tree. Conceptually, an alias is simply a
             pointer to the DIT entry it represents. It does not contain
             additional information about that entry; only the location of
             the entry.

             The behavior of the alias object within LDAP is not well-
             defined, both in creation of the alias object and the behavior
             when dereferencing the alias.

             For successful interoperability, the expected behavior of
             servers when encountering alias objects SHOULD be consistent.

             Additionally, it MUST be possible to use aliases without
             changing the LDAPv3 schema as defined in [Wahl] and without
             adding server-dependent data.


          2. Schema Definition


          2.1 Schema Expansion

             The alias objectclass definitions presented in the LDAPv3
             Schema [Wahl] are   the basis for aliasing within ldap. The
             alias objectclass is a Structural objectclass with a single
             required attribute; the single valued aliasObjectName.

             This definition of the alias objectclass does not allow for
             any attribute other than 'aliasedObjectName' to be used as the
             naming attribute within the RDN. The resulting dn for the
             alias object must therefore be of the form
             "aliasedObjectName=<dn>, <rdn>, <rdn>..."   This is not a
             user-friendly name for a directory entry, and quite possibly
             corrupts the naming hierarchy within the directory tree.

             In order to remain true the concept of an alias; that it is
             merely a pointer to another entry, an entry of objectclass
             alias SHOULD NOT be combined with any other objectclass. If
             multiple objectclasses are combined, it becomes possible to
             add information to the alias entry without violating the
             schema rules.

             While not explicitly specified as either a 'required' or
             'may', any naming attribute MUST be allowed to form the RDN of
             the alias. Restricting the possible naming attributes would
             potentially corrupt the hierarchy. For example, it would be
             impossible to distinguish between a person alias and an
             organisation alias.

          2.2 AliasObject Objectclass

             In order to create an alias object which can be appropriately
             named to that which it represents, the definition of the alias
             object MUST be expanded. A new objectclass must be defined
             which inherits from the current definition of alias but
             extends the attributes allowed within the RDN.

              ( 1.3.6.1.4.1.42.2.27.1.2.1
                 NAME      'aliasObject'
                 DESC      objectclass for all alias objects
                 SUP           'ALIAS'
                 MAY         *
              )

             The '*' allows any naming attribute to be used in forming the
             RDN of the object.

             For example, the following is a correct LDIF:
             dn: cn=John Doe, ou=myOrg, c=US
             objectclass: alias
             objectclass: aliasObject
             aliasedObjectName: cn=President, ou=myOrg, c=US
             cn: John Doe

             To prevent the alias from containing extra information about
             the object, the naming attribute SHOULD contain only a single
             value.

             For example, the following is  not a correct LDIF:
             dn: cn=John Doe, ou=myOrg, c=US
             objectclass: alias
             objectclass: aliasObject
             aliasedObjectName: cn=President, ou=myOrg, c=US
             cn: John Doe
             cn: Doe

             Similarly, the following would not be a correct LDIF file
             because it adds extra information to the alias object.

             dn: cn=John Doe, ou=myOrg, c=US
             objectclass: alias
             objectclass: aliasObject
             aliasedObjectName: cn=President, ou=myOrg, c=US
             cn: John Doe
             title: President

             The naming attribute used to form the RDN of the object SHOULD
             reflect the naming attribute of the referenced object.
             However, there are some cases where the naming attribute MAY
             be different.

             Within the X.501 [ITU-T], the attribute used to described the
             aliased object is 'aliasedEntryName'. Since the OID for
             'aliasedEntryName' and 'aliasedObjectName' are the same for
             both X.500 and LDAP, LDAP servers SHOULD treat the
             'aliasedEntryName' as a synonym for 'aliasedObjectName'.


          3. Alias Behavior

             In general alias objects SHOULD NOT be dereferenced during any
             operation other than search unless requested to do so by the
             client.

             Since an alias points to another section of the tree, it MUST
             NOT be possible to add an object under an alias object; alias
             objects MUST always be leaf nodes.

             During the dereferencing of aliases, a loop is detected if the
             server visits the same alias entry more than once. In this
             case a data integrity error has occurred and the server MUST
             return an error of 'aliasProblem'

             If an alias is dereferenced, and the resulting directory entry
             does not exists, a data integrity problem has occurred, and
             the server MUST return an  error code of
             'aliasDereferencingProblem'

             If the base entry for an ldapsearch is an alias, and alias
             dereferencing is set to either derefFindBaseObj, or
             derefAlways, the base entry MUST be dereferenced before the
             search is performed. The new base for the search will become
             the entry to which the alias resolves. The search is then
             performed.

             If multiple aliases are chained, the alias for the first
             object MUST resolve to the last entry in the chain. For
             example, A, B, and C are alias objects. If A points to B which
             points to C which points to D, A resolves to D when
             dereferencing the alias.

             If an alias is dereferenced as part of a search, the alias
             entry itself SHOULD NOT be returned as part of the search.

             If an alias matches the search filter, and dereferencing is
             set to 'searching' or 'always', the dereferenced object SHOULD
             be returned, even if it does not match the filter.

             If the alias is not dereferenced during the search, and it
             matches the filter, then it SHOULD be returned within the
             search result.

             Each directory object matching a filter SHOULD be returned
             only once during a search. If an entry is found twice because
             of aliases pointing to a part of the tree already searched,
             the entry SHOULD NOT be returned to the client a second time.

          4. Scenarios

             Using the following LDIF, the scenarios would return the
             expected information as follows:

             dn: c=myCountry
             c: myCountry
             objectclass: country

             dn: ou=Area1, c=myCountry
             ou: Area1
             aliasedObjectName: o=myCorporation, c=myCountry
             objectclass: alias
             objectclass:aliasObject

             dn: o=myCorporation, c=myCountry
             ou: myCorporation
             objectclass:organization

             dn: cn=President, o=myCorporation, c=myCountry
             cn: President
             aliasObjectName:  cn=John Doe, o=myCorporation, c=myCountry
             objectclass: alias
             objectclass: aliasObject

             dn: cn=John Doe, o=myCorporation, c=myCountry
             cn: John Doe
             objectclass: person


                      c = myCountry
                     /            |
              ou = Area1 ----->  o = myCorporation
                                  |               \
                             cn=President --->  cn = John Doe

             Performing a base search of 'ou = Area1, c=myCountry' with a
             filter of 'objectclass=aliasObject'
             NeverDerefAlias would return 'ou=Area1, c=myCountry'
             DerefFinding would return 'cn=President, o=myCorporation,
             c=myCountry'
             DerefSearching would return 'o=myCorporation,
             c=myCountry'
             DerefAlways would return 'cn=John Doe, o=myCorporation,
             c=myCountry'

             Performing a one level search of 'c=myCountry' with a filter
             of 'ou = * '
             NeverDerefAlias would return  'ou=Area1, c=myCountry'
             DerefFinding would return  'ou=Area1, c=myCountry'
             DerefSearching would return 'o=myCorporation,
             c=myCountry'
             DerefAlways would return ' o=myCorporation, c=myCountry'

             Performing a full tree search of 'c=myCountry' with a filter
             of ' cn = President '
             NeverDerefAlias would return  'cn=President, o=myCorporation,
             c=myCountry'
             DerefFinding would return  'cn=President, o=myCorporation,
             c=myCountry'
             DerefSearching would return 'cn=John Doe, o=myCorporation,
             c=myCountry'
             DerefAlways would return 'cn=John Doe, o=myCorporation,
             c=myCountry'


          6. Security Considerations

             Permissions to dereferencing an alias, adding, deleting or
             returning alias entries are decided by the directory server's
             ACL administration policy.


          7. References

             [LDAPv3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory
             Access Protocol (v3)", RFC 2251, December 1997.

             [Whal] M.Wahl, A, Coulbeck, T. Howes, S. Kille, "Lightweight
             Directory Access Protocol (v3)": Attribute Syntax Definitions,
             RFC 2252, December 1997.

             [Bradner97] Bradner, Scott, "Key Words for use in RFCs to
             Indicate Requirement Levels", RFC 2119.

             [ITU-T] ITU-T Rec. X.501, "The Directory: Models", 1993


          AUTHOR(S) ADDRESS


              Debbie Byrne
              IBM
              11400 Burnet Rd
              Austin, TX 78758
              USA
              mail-to: djbyrne@us.ibm.com
              phone: +1 512 838 1930

              Ludovic Poitou
              Sun Microsystems
              32, Chemin du vieux Chene
              38240 Meylan
              France
              Phone: +33.(0)4.76.41.42.12
              email: ludovic.poitou@france.sun.com

              Ellen Stokes
              IBM
              11400 Burnet Rd
              Austin, TX 78758
              USA
              mail-to: stokes@austin.ibm.com
              phone: +1 512 838 3725