mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
900 lines
34 KiB
Plaintext
900 lines
34 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group K. Zeilenga
|
||
Request for Comments: 4521 OpenLDAP Foundation
|
||
BCP: 118 June 2006
|
||
Category: Best Current Practice
|
||
|
||
|
||
Considerations for
|
||
Lightweight Directory Access Protocol (LDAP) Extensions
|
||
|
||
Status of This Memo
|
||
|
||
This document specifies an Internet Best Current Practices for the
|
||
Internet Community, and requests discussion and suggestions for
|
||
improvements. Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
Abstract
|
||
|
||
The Lightweight Directory Access Protocol (LDAP) is extensible. It
|
||
provides mechanisms for adding new operations, extending existing
|
||
operations, and expanding user and system schemas. This document
|
||
discusses considerations for designers of LDAP extensions.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 1]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
Table of Contents
|
||
|
||
1. Introduction ....................................................3
|
||
1.1. Terminology ................................................3
|
||
2. General Considerations ..........................................4
|
||
2.1. Scope of Extension .........................................4
|
||
2.2. Interaction between extensions .............................4
|
||
2.3. Discovery Mechanism ........................................4
|
||
2.4. Internationalization Considerations ........................5
|
||
2.5. Use of the Basic Encoding Rules ............................5
|
||
2.6. Use of Formal Languages ....................................5
|
||
2.7. Examples ...................................................5
|
||
2.8. Registration of Protocol Values ............................5
|
||
3. LDAP Operation Extensions .......................................6
|
||
3.1. Controls ...................................................6
|
||
3.1.1. Extending Bind Operation with Controls ..............6
|
||
3.1.2. Extending the Start TLS Operation with Controls .....7
|
||
3.1.3. Extending the Search Operation with Controls ........7
|
||
3.1.4. Extending the Update Operations with Controls .......8
|
||
3.1.5. Extending the Responseless Operations with Controls..8
|
||
3.2. Extended Operations ........................................8
|
||
3.3. Intermediate Responses .....................................8
|
||
3.4. Unsolicited Notifications ..................................9
|
||
4. Extending the LDAP ASN.1 Definition .............................9
|
||
4.1. Result Codes ...............................................9
|
||
4.2. LDAP Message Types .........................................9
|
||
4.3. Authentication Methods ....................................10
|
||
4.4. General ASN.1 Extensibility ...............................10
|
||
5. Schema Extensions ..............................................10
|
||
5.1. LDAP Syntaxes .............................................11
|
||
5.2. Matching Rules ............................................11
|
||
5.3. Attribute Types ...........................................12
|
||
5.4. Object Classes ............................................12
|
||
6. Other Extension Mechanisms .....................................12
|
||
6.1. Attribute Description Options .............................12
|
||
6.2. Authorization Identities ..................................12
|
||
6.3. LDAP URL Extensions .......................................12
|
||
7. Security Considerations ........................................12
|
||
8. Acknowledgements ...............................................13
|
||
9. References .....................................................13
|
||
9.1. Normative References ......................................13
|
||
9.2. Informative References ....................................15
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 2]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
1. Introduction
|
||
|
||
The Lightweight Directory Access Protocol (LDAP) [RFC4510] is an
|
||
extensible protocol.
|
||
|
||
LDAP allows for new operations to be added and for existing
|
||
operations to be enhanced [RFC4511].
|
||
|
||
LDAP allows additional schema to be defined [RFC4512][RFC4517]. This
|
||
can include additional object classes, attribute types, matching
|
||
rules, additional syntaxes, and other elements of schema. LDAP
|
||
provides an ability to extend attribute types with options [RFC4512].
|
||
|
||
LDAP supports a Simple Authentication and Security Layer (SASL)
|
||
authentication method [RFC4511][RFC4513]. SASL [RFC4422] is
|
||
extensible. LDAP may be extended to support additional
|
||
authentication methods [RFC4511].
|
||
|
||
LDAP supports establishment of Transport Layer Security (TLS)
|
||
[RFC4511][RFC4513]. TLS [RFC4346] is extensible.
|
||
|
||
LDAP has an extensible Uniform Resource Locator (URL) format
|
||
[RFC4516].
|
||
|
||
Lastly, LDAP allows for certain extensions to the protocol's Abstract
|
||
Syntax Notation - One (ASN.1) [X.680] definition to be made. This
|
||
facilitates a wide range of protocol enhancements, for example, new
|
||
result codes needed to support extensions to be added through
|
||
extension of the protocol's ASN.1 definition.
|
||
|
||
This document describes practices that engineers should consider when
|
||
designing extensions to LDAP.
|
||
|
||
1.1. Terminology
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in BCP 14 [RFC2119]. In
|
||
this document, "the specification", as used by BCP 14, RFC 2119,
|
||
refers to the engineering of LDAP extensions.
|
||
|
||
The term "Request Control" refers to a control attached to a client-
|
||
generated message sent to a server. The term "Response Control"
|
||
refers to a control attached to a server-generated message sent to a
|
||
client.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 3]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
DIT stands for Directory Information Tree.
|
||
DSA stands for Directory System Agent, a server.
|
||
DSE stands for DSA-Specific Entry.
|
||
DUA stands for Directory User Agent, a client.
|
||
DN stands for Distinguished Name.
|
||
|
||
2. General Considerations
|
||
|
||
2.1. Scope of Extension
|
||
|
||
Mutually agreeing peers may, within the confines of an extension,
|
||
agree to significant changes in protocol semantics. However,
|
||
designers MUST consider the impact of an extension upon protocol
|
||
peers that have not agreed to implement or otherwise recognize and
|
||
support the extension. Extensions MUST be "truly optional"
|
||
[RFC2119].
|
||
|
||
2.2. Interaction between extensions
|
||
|
||
Designers SHOULD consider how extensions they engineer interact with
|
||
other extensions.
|
||
|
||
Designers SHOULD consider the extensibility of extensions they
|
||
specify. Extensions to LDAP SHOULD themselves be extensible.
|
||
|
||
Except where it is stated otherwise, extensibility is implied.
|
||
|
||
2.3. Discovery Mechanism
|
||
|
||
Extensions SHOULD provide adequate discovery mechanisms.
|
||
|
||
As LDAP design is based upon the client-request/server-response
|
||
paradigm, the general discovery approach is for the client to
|
||
discover the capabilities of the server before utilizing a particular
|
||
extension. Commonly, this discovery involves querying the root DSE
|
||
and/or other DSEs for operational information associated with the
|
||
extension. LDAP provides no mechanism for a server to discover the
|
||
capabilities of a client.
|
||
|
||
The 'supportedControl' attribute [RFC4512] is used to advertise
|
||
supported controls. The 'supportedExtension' attribute [RFC4512] is
|
||
used to advertise supported extended operations. The
|
||
'supportedFeatures' attribute [RFC4512] is used to advertise
|
||
features. Other root DSE attributes MAY be defined to advertise
|
||
other capabilities.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 4]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
2.4. Internationalization Considerations
|
||
|
||
LDAP is designed to support the full Unicode [Unicode] repertory of
|
||
characters. Extensions SHOULD avoid unnecessarily restricting
|
||
applications to subsets of Unicode (e.g., Basic Multilingual Plane,
|
||
ISO 8859-1, ASCII, Printable String).
|
||
|
||
LDAP Language Tag options [RFC3866] provide a mechanism for tagging
|
||
text (and other) values with language information. Extensions that
|
||
define attribute types SHOULD allow use of language tags with these
|
||
attributes.
|
||
|
||
2.5. Use of the Basic Encoding Rules
|
||
|
||
Numerous elements of LDAP are described using ASN.1 [X.680] and are
|
||
encoded using a particular subset [Protocol, Section 5.2] of the
|
||
Basic Encoding Rules (BER) [X.690]. To allow reuse of
|
||
parsers/generators used in implementing the LDAP "core" technical
|
||
specification [RFC4510], it is RECOMMENDED that extension elements
|
||
(e.g., extension specific contents of controlValue, requestValue,
|
||
responseValue fields) described by ASN.1 and encoded using BER be
|
||
subjected to the restrictions of [Protocol, Section 5.2].
|
||
|
||
2.6. Use of Formal Languages
|
||
|
||
Formal languages SHOULD be used in specifications in accordance with
|
||
IESG guidelines [FORMAL].
|
||
|
||
2.7. Examples
|
||
|
||
Example DN strings SHOULD conform to the syntax defined in [RFC4518].
|
||
Example LDAP filter strings SHOULD conform to the syntax defined in
|
||
[RFC4515]. Example LDAP URLs SHOULD conform to the syntax defined in
|
||
[RFC4516]. Entries SHOULD be represented using LDIF [RFC2849].
|
||
|
||
2.8. Registration of Protocol Values
|
||
|
||
Designers SHALL register protocol values of their LDAP extensions in
|
||
accordance with BCP 64, RFC 4520 [RFC4520]. Specifications that
|
||
create new extensible protocol elements SHALL extend existing
|
||
registries or establish new registries for values of these elements
|
||
in accordance with BCP 64, RFC 4520 [RFC4520] and BCP 26, RFC 2434
|
||
[RFC2434].
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 5]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
3. LDAP Operation Extensions
|
||
|
||
Extensions SHOULD use controls in defining extensions that complement
|
||
existing operations. Where the extension to be defined does not
|
||
complement an existing operation, designers SHOULD consider defining
|
||
an extended operation instead.
|
||
|
||
For example, a subtree delete operation could be designed as either
|
||
an extension of the delete operation or as a new operation. As the
|
||
feature complements the existing delete operation, use of the control
|
||
mechanism to extend the delete operation is likely more appropriate.
|
||
|
||
As a counter (and contrived) example, a locate services operation (an
|
||
operation that would return for a DN a set of LDAP URLs to services
|
||
that may hold the entry named by this DN) could be designed as either
|
||
a search operation or a new operation. As the feature doesn't
|
||
complement the search operation (e.g., the operation is not contrived
|
||
to search for entries held in the Directory Information Tree), it is
|
||
likely more appropriate to define a new operation using the extended
|
||
operation mechanism.
|
||
|
||
3.1. Controls
|
||
|
||
Controls [Protocol, Section 4.1.11] are the RECOMMENDED mechanism for
|
||
extending existing operations. The existing operation can be a base
|
||
operation defined in [RFC4511] (e.g., search, modify) , an extended
|
||
operation (e.g., Start TLS [RFC4511], Password Modify [RFC3062]), or
|
||
an operation defined as an extension to a base or extended operation.
|
||
|
||
Extensions SHOULD NOT return Response controls unless the server has
|
||
specific knowledge that the client can make use of the control.
|
||
Generally, the client requests the return of a particular response
|
||
control by providing a related request control.
|
||
|
||
An existing operation MAY be extended to return IntermediateResponse
|
||
messages [Protocol, Section 4.13].
|
||
|
||
Specifications of controls SHALL NOT attach additional semantics to
|
||
the criticality of controls beyond those defined in [Protocol,
|
||
Section 4.1.11]. A specification MAY mandate the criticality take on
|
||
a particular value (e.g., TRUE or FALSE), where appropriate.
|
||
|
||
3.1.1. Extending Bind Operation with Controls
|
||
|
||
Controls attached to the request and response messages of a Bind
|
||
Operation [RFC4511] are not protected by any security layers
|
||
established by that Bind operation.
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 6]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
Specifications detailing controls extending the Bind operation SHALL
|
||
detail that the Bind negotiated security layers do not protect the
|
||
information contained in these controls and SHALL detail how the
|
||
information in these controls is protected or why the information
|
||
does not need protection.
|
||
|
||
It is RECOMMENDED that designers consider alternative mechanisms for
|
||
providing the function. For example, an extended operation issued
|
||
subsequent to the Bind operation (hence, protected by the security
|
||
layers negotiated by the Bind operation) might be used to provide the
|
||
desired function.
|
||
|
||
Additionally, designers of Bind control extensions MUST also consider
|
||
how the controls' semantics interact with individual steps of a
|
||
multi-step Bind operation. Note that some steps are optional and
|
||
thus may require special attention in the design.
|
||
|
||
3.1.2. Extending the Start TLS Operation with Controls
|
||
|
||
Controls attached to the request and response messages of a Start TLS
|
||
Operation [RFC4511] are not protected by the security layers
|
||
established by the Start TLS operation.
|
||
|
||
Specifications detailing controls extending the Start TLS operation
|
||
SHALL detail that the Start TLS negotiated security layers do not
|
||
protect the information contained in these controls and SHALL detail
|
||
how the information in these controls is protected or why the
|
||
information does not need protection.
|
||
|
||
It is RECOMMENDED that designers consider alternative mechanisms for
|
||
providing the function. For example, an extended operation issued
|
||
subsequent to the Start TLS operation (hence, protected by the
|
||
security layers negotiated by the Start TLS operation) might be used
|
||
to provided the desired function.
|
||
|
||
3.1.3. Extending the Search Operation with Controls
|
||
|
||
The Search operation processing has two distinct phases:
|
||
|
||
- finding the base object; and
|
||
|
||
- searching for objects at or under that base object.
|
||
|
||
Specifications of controls extending the Search Operation should
|
||
clearly state in which phase(s) the control's semantics apply.
|
||
Semantics of controls that are not specific to the Search Operation
|
||
SHOULD apply in the finding phase.
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 7]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
3.1.4. Extending the Update Operations with Controls
|
||
|
||
Update operations have properties of atomicity, consistency,
|
||
isolation, and durability ([ACID]).
|
||
|
||
- atomicity: All or none of the DIT changes requested are made.
|
||
|
||
- consistency: The resulting DIT state must be conform to schema
|
||
and other constraints.
|
||
|
||
- isolation: Intermediate states are not exposed.
|
||
|
||
- durability: The resulting DIT state is preserved until
|
||
subsequently updated.
|
||
|
||
When defining a control that requests additional (or other) DIT
|
||
changes be made to the DIT, these additional changes SHOULD NOT be
|
||
treated as part of a separate transaction. The specification MUST be
|
||
clear as to whether the additional DIT changes are part of the same
|
||
or a separate transaction as the DIT changes expressed in the request
|
||
of the base operation.
|
||
|
||
When defining a control that requests additional (or other) DIT
|
||
changes be made to the DIT, the specification MUST be clear as to the
|
||
order in which these and the base changes are to be applied to the
|
||
DIT.
|
||
|
||
3.1.5. Extending the Responseless Operations with Controls
|
||
|
||
The Abandon and Unbind operations do not include a response message.
|
||
For this reason, specifications for controls designed to be attached
|
||
to Abandon and Unbind requests SHOULD mandate that the control's
|
||
criticality be FALSE.
|
||
|
||
3.2. Extended Operations
|
||
|
||
Extended Operations [Protocol, Section 4.12] are the RECOMMENDED
|
||
mechanism for defining new operations. An extended operation
|
||
consists of an ExtendedRequest message, zero or more
|
||
IntermediateResponse messages, and an ExtendedResponse message.
|
||
|
||
3.3. Intermediate Responses
|
||
|
||
Extensions SHALL use IntermediateResponse messages instead of
|
||
ExtendedResponse messages to return intermediate results.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 8]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
3.4. Unsolicited Notifications
|
||
|
||
Unsolicited notifications [Protocol, Section 4.4] offer a capability
|
||
for the server to notify the client of events not associated with the
|
||
operation currently being processed.
|
||
|
||
Extensions SHOULD be designed such that unsolicited notifications are
|
||
not returned unless the server has specific knowledge that the client
|
||
can make use of the notification. Generally, the client requests the
|
||
return of a particular unsolicited notification by performing a
|
||
related extended operation.
|
||
|
||
For example, a time hack extension could be designed to return
|
||
unsolicited notifications at regular intervals that were enabled by
|
||
an extended operation (which possibly specified the desired
|
||
interval).
|
||
|
||
4. Extending the LDAP ASN.1 Definition
|
||
|
||
LDAP allows limited extension [Protocol, Section 4] of the LDAP ASN.1
|
||
definition [Protocol, Appendix B] to be made.
|
||
|
||
4.1. Result Codes
|
||
|
||
Extensions that specify new operations or enhance existing operations
|
||
often need to define new result codes. The extension SHOULD be
|
||
designed such that a client has a reasonably clear indication of the
|
||
nature of the successful or non-successful result.
|
||
|
||
Extensions SHOULD use existing result codes to indicate conditions
|
||
that are consistent with the intended meaning [RFC4511][X.511] of
|
||
these codes. Extensions MAY introduce new result codes [RFC4520]
|
||
where no existing result code provides an adequate indication of the
|
||
nature of the result.
|
||
|
||
Extensions SHALL NOT disallow or otherwise restrict the return of
|
||
general service result codes, especially those reporting a protocol,
|
||
service, or security problem, or indicating that the server is unable
|
||
or unwilling to complete the operation.
|
||
|
||
4.2. LDAP Message Types
|
||
|
||
While extensions can specify new types of LDAP messages by extending
|
||
the protocolOp CHOICE of the LDAPMessage SEQUENCE, this is generally
|
||
unnecessary and inappropriate. Existing operation extension
|
||
mechanisms (e.g., extended operations, unsolicited notifications, and
|
||
intermediate responses) SHOULD be used instead. However, there may
|
||
be cases where an extension does not fit well into these mechanisms.
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 9]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
In such cases, a new extension mechanism SHOULD be defined that can
|
||
be used by multiple extensions that have similar needs.
|
||
|
||
4.3. Authentication Methods
|
||
|
||
The Bind operation currently supports two authentication methods,
|
||
simple and SASL. SASL [RFC4422] is an extensible authentication
|
||
framework used by multiple application-level protocols (e.g., BEEP,
|
||
IMAP, SMTP). It is RECOMMENDED that new authentication processes be
|
||
defined as SASL mechanisms. New LDAP authentication methods MAY be
|
||
added to support new authentication frameworks.
|
||
|
||
The Bind operation's primary function is to establish the LDAP
|
||
association [RFC4513]. No other operation SHALL be defined (or
|
||
extended) to establish the LDAP association. However, other
|
||
operations MAY be defined to establish other security associations
|
||
(e.g., IPsec).
|
||
|
||
4.4. General ASN.1 Extensibility
|
||
|
||
Section 4 of [RFC4511] states the following:
|
||
|
||
In order to support future extensions to this protocol,
|
||
extensibility is implied where it is allowed per ASN.1 (i.e.,
|
||
sequence, set, choice, and enumerated types are extensible). In
|
||
addition, ellipses (...) have been supplied in ASN.1 types that
|
||
are explicitly extensible as discussed in [RFC4520]. Because of
|
||
the implied extensibility, clients and servers MUST (unless
|
||
otherwise specified) ignore trailing SEQUENCE components whose
|
||
tags they do not recognize.
|
||
|
||
Designers SHOULD avoid introducing extensions that rely on
|
||
unsuspecting implementations to ignore trailing components of
|
||
SEQUENCE whose tags they do not recognize.
|
||
|
||
5. Schema Extensions
|
||
|
||
Extensions defining LDAP schema elements SHALL provide schema
|
||
definitions conforming with syntaxes defined in [Models, Section
|
||
4.1]. While provided definitions MAY be reformatted (line wrapped)
|
||
for readability, this SHALL be noted in the specification.
|
||
|
||
For definitions that allow a NAME field, new schema elements SHOULD
|
||
provide one and only one name. The name SHOULD be short.
|
||
|
||
Each schema definition allows a DESC field. The DESC field, if
|
||
provided, SHOULD contain a short descriptive phrase. The DESC field
|
||
MUST be regarded as informational. That is, the specification MUST
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 10]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
be written such that its interpretation is the same with and without
|
||
the provided DESC fields.
|
||
|
||
The extension SHALL NOT mandate that implementations provide the same
|
||
DESC field in the schema they publish. Implementors MAY replace or
|
||
remove the DESC field.
|
||
|
||
Published schema elements SHALL NOT be redefined. Replacement schema
|
||
elements (new OIDs, new NAMEs) SHOULD be defined as needed.
|
||
|
||
Schema designers SHOULD reuse existing schema elements, where
|
||
appropriate. However, any reuse MUST not alter the semantics of the
|
||
element.
|
||
|
||
5.1. LDAP Syntaxes
|
||
|
||
Each LDAP syntax [RFC4517] is defined in terms of ASN.1 [X.680].
|
||
Each extension detailing an LDAP syntax MUST specify the ASN.1 data
|
||
definition associated with the syntax. A distinct LDAP syntax SHOULD
|
||
be created for each distinct ASN.1 data definition (including
|
||
constraints).
|
||
|
||
Each LDAP syntax SHOULD have a string encoding defined for it. It is
|
||
RECOMMENDED that this string encoding be restricted to UTF-8
|
||
[RFC3629] encoded Unicode [Unicode] characters. Use of Generic
|
||
String Encoding Rules (GSER) [RFC3641][RFC3642] or other generic
|
||
string encoding rules to provide string encodings for complex ASN.1
|
||
data definitions is RECOMMENDED. Otherwise, it is RECOMMENDED that
|
||
the string encoding be described using a formal language (e.g., ABNF
|
||
[RFC4234]). Formal languages SHOULD be used in specifications in
|
||
accordance with IESG guidelines [FORMAL].
|
||
|
||
If no string encoding is defined, the extension SHALL specify how the
|
||
transfer encoding is to be indicated. Generally, the extension
|
||
SHOULD mandate use of binary or other transfer encoding option.
|
||
|
||
5.2. Matching Rules
|
||
|
||
Three basic kinds of matching rules (e.g., EQUALITY, ORDERING, and
|
||
SUBSTRING) may be associated with an attribute type. In addition,
|
||
LDAP provides an extensible matching rule mechanism.
|
||
|
||
The matching rule specification SHOULD detail which kind of matching
|
||
rule it is and SHOULD describe which kinds of values it can be used
|
||
with.
|
||
|
||
In addition to requirements stated in the LDAP technical
|
||
specification, equality matching rules SHOULD be commutative.
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 11]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
5.3. Attribute Types
|
||
|
||
Designers SHOULD carefully consider how the structure of values is to
|
||
be restricted. Designers SHOULD consider that servers will only
|
||
enforce constraints of the attribute's syntax. That is, an attribute
|
||
intended to hold URIs, but that has directoryString syntax, is not
|
||
restricted to values that are URIs.
|
||
|
||
Designers SHOULD carefully consider which matching rules, if any, are
|
||
appropriate for the attribute type. Matching rules specified for an
|
||
attribute type MUST be compatible with the attribute type's syntax.
|
||
|
||
Extensions specifying operational attributes MUST detail how servers
|
||
are to maintain and/or utilize values of each operational attribute.
|
||
|
||
5.4. Object Classes
|
||
|
||
Designers SHOULD carefully consider whether each attribute of an
|
||
object class is required ("MUST") or allowed ("MAY").
|
||
|
||
Extensions specifying object classes that allow (or require)
|
||
operational attributes MUST specify how servers are to maintain
|
||
and/or utilize entries belonging to these object classes.
|
||
|
||
6. Other Extension Mechanisms
|
||
|
||
6.1. Attribute Description Options
|
||
|
||
Each option is identified by a string of letters, numbers, and
|
||
hyphens. This string SHOULD be short.
|
||
|
||
6.2. Authorization Identities
|
||
|
||
Extensions interacting with authorization identities SHALL support
|
||
the LDAP authzId format [RFC4513]. The authzId format is extensible.
|
||
|
||
6.3. LDAP URL Extensions
|
||
|
||
LDAP URL extensions are identified by a short string, a descriptor.
|
||
Like other descriptors, the string SHOULD be short.
|
||
|
||
7. Security Considerations
|
||
|
||
LDAP does not place undue restrictions on the kinds of extensions
|
||
that can be implemented. While this document attempts to outline
|
||
some specific issues that designers need to consider, it is not (and
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 12]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
cannot be) all encompassing. Designers MUST do their own evaluations
|
||
of the security considerations applicable to their extensions.
|
||
|
||
Designers MUST NOT assume that the LDAP "core" technical
|
||
specification [RFC4510] adequately addresses the specific concerns
|
||
surrounding their extensions or assume that their extensions have no
|
||
specific concerns.
|
||
|
||
Extension specifications, however, SHOULD note whether security
|
||
considerations specific to the feature they are extending, as well as
|
||
general LDAP security considerations, apply to the extension.
|
||
|
||
8. Acknowledgements
|
||
|
||
The author thanks the IETF LDAP community for their thoughtful
|
||
comments.
|
||
|
||
This work builds upon "LDAP Extension Style Guide" [GUIDE] by Bruce
|
||
Greenblatt.
|
||
|
||
9. References
|
||
|
||
9.1. Normative References
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
|
||
IANA Considerations Section in RFCs", BCP 26, RFC 2434,
|
||
October 1998.
|
||
|
||
[RFC2849] Good, G., "The LDAP Data Interchange Format (LDIF) -
|
||
Technical Specification", RFC 2849, June 2000.
|
||
|
||
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
|
||
10646", STD 63, RFC 3629, November 2003.
|
||
|
||
[RFC3641] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1
|
||
Types", RFC 3641, October 2003.
|
||
|
||
[RFC3642] Legg, S., "Common Elements of Generic String Encoding
|
||
Rules (GSER) Encodings", RFC 3642, October 2003.
|
||
|
||
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
|
||
(LDAP): Directory Information Models", RFC 4512, June
|
||
2006.
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 13]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
[RFC3866] Zeilenga, K., Ed., "Language Tags and Ranges in the
|
||
Lightweight Directory Access Protocol (LDAP)", RFC 3866,
|
||
July 2004.
|
||
|
||
[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
|
||
Specifications: ABNF", RFC 4234, October 2005.
|
||
|
||
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
|
||
(LDAP): Technical Specification Road Map", RFC 4510, June
|
||
2006.
|
||
|
||
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
|
||
Protocol (LDAP): The Protocol", RFC 4511, June 2006.
|
||
|
||
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
|
||
(LDAP): Directory Information Models", RFC 4512, June
|
||
2006.
|
||
|
||
[RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
|
||
(LDAP): Authentication Methods and Security Mechanisms",
|
||
RFC 4513, June 2006.
|
||
|
||
[RFC4515] Smith, M., Ed. and T. Howes, "Lightweight Directory Access
|
||
Protocol (LDAP): String Representation of Search Filters",
|
||
RFC 4515, June 2006.
|
||
|
||
[RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory Access
|
||
Protocol (LDAP): Uniform Resource Locator", RFC 4516, June
|
||
2006.
|
||
|
||
[RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
|
||
(LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006.
|
||
|
||
[RFC4518] Zeilenga, K., "Lightweight Directory Access Protocol
|
||
(LDAP): String Representation of Distinguished Names", RFC
|
||
4518, June 2006.
|
||
|
||
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
|
||
Considerations for the Lightweight Directory Access
|
||
Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
|
||
|
||
[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
|
||
Authentication and Security Layer (SASL)", RFC 4422, June
|
||
2006.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 14]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
[Unicode] The Unicode Consortium, "The Unicode Standard, Version
|
||
3.2.0" is defined by "The Unicode Standard, Version 3.0"
|
||
(Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
|
||
as amended by the "Unicode Standard Annex #27: Unicode
|
||
3.1" (http://www.unicode.org/reports/tr27/) and by the
|
||
"Unicode Standard Annex #28: Unicode 3.2"
|
||
(http://www.unicode.org/reports/tr28/).
|
||
|
||
[FORMAL] IESG, "Guidelines for the use of formal languages in IETF
|
||
specifications",
|
||
<http://www.ietf.org/IESG/STATEMENTS/pseudo-code-in-
|
||
specs.txt>, 2001.
|
||
|
||
[X.511] International Telecommunication Union - Telecommunication
|
||
Standardization Sector, "The Directory: Abstract Service
|
||
Definition", X.511(1993) (also ISO/IEC 9594-3:1993).
|
||
|
||
[X.680] International Telecommunication Union - Telecommunication
|
||
Standardization Sector, "Abstract Syntax Notation One
|
||
(ASN.1) - Specification of Basic Notation", X.680(2002)
|
||
(also ISO/IEC 8824-1:2002).
|
||
|
||
[X.690] International Telecommunication Union - Telecommunication
|
||
Standardization Sector, "Specification of ASN.1 encoding
|
||
rules: Basic Encoding Rules (BER), Canonical Encoding
|
||
Rules (CER), and Distinguished Encoding Rules (DER)",
|
||
X.690(2002) (also ISO/IEC 8825-1:2002).
|
||
|
||
9.2. Informative References
|
||
|
||
[ACID] Section 4 of ISO/IEC 10026-1:1992.
|
||
|
||
[GUIDE] Greenblatt, B., "LDAP Extension Style Guide", Work in
|
||
Progress.
|
||
|
||
[RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation",
|
||
RFC 3062, February 2001.
|
||
|
||
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
|
||
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
|
||
|
||
Author's Address
|
||
|
||
Kurt D. Zeilenga
|
||
OpenLDAP Foundation
|
||
|
||
EMail: Kurt@OpenLDAP.org
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 15]
|
||
|
||
RFC 4521 LDAP Extensions June 2006
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
This document is subject to the rights, licenses and restrictions
|
||
contained in BCP 78, and except as set forth therein, the authors
|
||
retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Intellectual Property
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be
|
||
found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
Acknowledgement
|
||
|
||
Funding for the RFC Editor function is provided by the IETF
|
||
Administrative Support Activity (IASA).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Zeilenga Best Current Practice [Page 16]
|
||
|