mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
676 lines
26 KiB
Plaintext
676 lines
26 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group Y. Yaacovi
|
||
Request for Comments: 2589 Microsoft
|
||
Category: Standards Track M. Wahl
|
||
Innosoft International, Inc.
|
||
T. Genovese
|
||
Microsoft
|
||
May 1999
|
||
|
||
|
||
Lightweight Directory Access Protocol (v3):
|
||
Extensions for Dynamic Directory Services
|
||
|
||
Status of this Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (1999). All Rights Reserved.
|
||
|
||
1. Abstract
|
||
|
||
This document defines the requirements for dynamic directory services
|
||
and specifies the format of request and response extended operations
|
||
for supporting client-server interoperation in a dynamic directories
|
||
environment.
|
||
|
||
The Lightweight Directory Access Protocol (LDAP) [1] supports
|
||
lightweight access to static directory services, allowing relatively
|
||
fast search and update access. Static directory services store
|
||
information about people that persists in its accuracy and value over
|
||
a long period of time.
|
||
|
||
Dynamic directory services are different in that they store
|
||
information that only persists in its accuracy and value when it is
|
||
being periodically refreshed. This information is stored as dynamic
|
||
entries in the directory. A typical use will be a client or a person
|
||
that is either online - in which case it has an entry in the
|
||
directory, or is offline - in which case its entry disappears from
|
||
the directory. Though the protocol operations and attributes used by
|
||
dynamic directory services are similar to the ones used for static
|
||
directory services, clients that store dynamic information in the
|
||
directory need to periodically refresh this information, in order to
|
||
prevent it from disappearing. If dynamic entries are not refreshed
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 1]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
within a given timeout, they will be removed from the directory. For
|
||
example, this will happen if the client that set them goes offline.
|
||
|
||
A flow control mechanism from the server is also described that
|
||
allows a server to inform clients how often they should refresh their
|
||
presence.
|
||
|
||
2. Requirements
|
||
|
||
The protocol extensions must allow accessing dynamic information in a
|
||
directory in a standard LDAP manner, to allow clients to access
|
||
static and dynamic information in the same way.
|
||
|
||
By definition, dynamic entries are not persistent and clients may go
|
||
away gracefully or not. The proposed extensions must offer a way for
|
||
a server to tell if entries are still valid, and to do this in a way
|
||
that is scalable. There also must be a mechanism for clients to
|
||
reestablish their entry with the server.
|
||
|
||
There must be a way for clients to find out, in a standard LDAP
|
||
manner, if servers support the dynamic extensions.
|
||
|
||
Finally, to allow clients to broadly use the dynamic extensions, the
|
||
extensions need to be registered as standard LDAP extended
|
||
operations.
|
||
|
||
3. Description of Approach
|
||
|
||
The Lightweight Directory Access Protocol (LDAP) [1] permits
|
||
additional operation requests and responses to be added to the
|
||
protocol. This proposal takes advantage of these to support
|
||
directories which contain dynamic information in a manner which is
|
||
fully integrated with LDAP.
|
||
|
||
The approach described in this proposal defines dynamic entries in
|
||
order to allow implementing directories with dynamic information. An
|
||
implementation of dynamic directories, must be able to support
|
||
dynamic directory entries.
|
||
|
||
3.1. Dynamic Entries and the dynamicObject object class
|
||
|
||
A dynamic entry is an object in the directory tree which has a time-
|
||
to-live associated with it. This time-to-live is set when the entry
|
||
is created. The time-to-live is automatically decremented, and when
|
||
it expires the dynamic entry disappears. By invoking the refresh
|
||
extended operation (defined below) to re-set the time-to-live, a
|
||
client can cause the entry to remain present a while longer.
|
||
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 2]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
A dynamic entry is created by including the objectClass value given
|
||
in section 5 in the list of attributes when adding an entry. This
|
||
method is subject to standard access control restrictions.
|
||
|
||
The extended operation covered here, allows a client to refresh a
|
||
dynamic entry by invoking, at intervals, refresh operations
|
||
containing that entry's name. Dynamic entries will be treated the
|
||
same as non-dynamic entries when processing search, compare, add,
|
||
delete, modify and modifyDN operations. However if clients stop
|
||
sending refresh operations for an entry, then the server will
|
||
automatically and without notification remove that entry from the
|
||
directory. This removal will be treated the same as if the entry had
|
||
been deleted by an LDAP protocol operation.
|
||
|
||
There is no way to change a static entry into a dynamic one and
|
||
vice-versa. If the client is using Modify with an objectClass of
|
||
dynamicObject on a static entry, the server must return a service
|
||
error either "objectClassModsProhibited" (if the server does not
|
||
allow objectClass modifications at all) or "objectClassViolation" (if
|
||
the server does allow objectClass modifications in general).
|
||
|
||
A dynamic entry may be removed by the client using the delete
|
||
operation. This operation will be subject to access control
|
||
restrictions.
|
||
|
||
A non-dynamic entry cannot be added subordinate to a dynamic entry:
|
||
the server must return an appropriate update or service error if this
|
||
is attempted.
|
||
|
||
The support of dynamic attributes of an otherwise static object, are
|
||
outside the scope of this document.
|
||
|
||
3.2 Dynamic meetings (conferences)
|
||
|
||
The way dynamicObject is defined, it has a time-to-live associated
|
||
with it, and that's about it. Though the most common dynamic object
|
||
is a person object, there is no specific type associated with the
|
||
dynamicObject as defined here. By the use of the dynamic object's
|
||
attributes, one can make this object represent practically anything.
|
||
|
||
Specifically, Meetings (conferences) can be represented by dynamic
|
||
objects. While full-featured meeting support requires special
|
||
semantics and handling by the server (and is not in the scope of this
|
||
document), the extensions described here, provide basic meetings
|
||
support. A meeting object can be refreshed by the meeting
|
||
participants, and when it is not, the meeting entry disappears. The
|
||
one meeting type that is naturally supported by the dynamic
|
||
extensions is creator-owned meeting.
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 3]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
3.2.1 Creator-owned meetings
|
||
|
||
Creator-owned meetings are created by a client that sets the time-
|
||
to-live attribute for the entry, and it is this client's
|
||
responsibility to refresh the meeting entry, so that it will not
|
||
disappear. Others might join the meeting, by modifying the
|
||
appropriate attribute, but they are not allowed to refresh the entry.
|
||
When the client that created the entry goes away, it can delete the
|
||
meeting entry, or it might disappear when its time-to-live expires.
|
||
This is consistent with the common model for dynamicObject as
|
||
described above.
|
||
|
||
4. Protocol Additions
|
||
|
||
4.1 Refresh Request
|
||
|
||
Refresh is a protocol operation sent by a client to tell the server
|
||
that the client is still alive and the dynamic directory entry is
|
||
still accurate and valuable. The client sends a Refresh request
|
||
periodically based on the value of the client refresh period (CRP).
|
||
The server can request that the client change this value. As long as
|
||
the server receives a Refresh request within the timeout period, the
|
||
directory entry is guaranteed to persist on the server. Client
|
||
implementers should be aware that since the intervening network
|
||
between the client and server is unreliable, a Refresh request packet
|
||
may be delayed or lost while in transit. If this occurs, the entry
|
||
may disappear, and the client will need to detect this and re-add the
|
||
entry.
|
||
|
||
A client may request this operation by transmitting an LDAP PDU
|
||
containing an ExtendedRequest. An LDAP ExtendedRequest is defined as
|
||
follows:
|
||
|
||
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
|
||
requestName [0] LDAPOID,
|
||
requestValue [1] OCTET STRING OPTIONAL }
|
||
|
||
The requestName field must be set to the string
|
||
"1.3.6.1.4.1.1466.101.119.1".
|
||
|
||
The requestValue field will contain as a value the DER-encoding of
|
||
the following ASN.1 data type:
|
||
|
||
SEQUENCE {
|
||
entryName [0] LDAPDN,
|
||
requestTtl [1] INTEGER
|
||
}
|
||
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 4]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
The entryName field is the UTF-8 string representation of the name of
|
||
the dynamic entry [3]. This entry must already exist.
|
||
|
||
The requestTtl is a time in seconds (between 1 and 31557600) that the
|
||
client requests that the entry exists in the directory before being
|
||
automatically removed. Servers are not required to accept this value
|
||
and might return a different TTL value to the client. Clients must
|
||
be able to use this server-dictated value as their CRP.
|
||
|
||
4.2 Refresh Response
|
||
|
||
If a server implements this extension, then when the request is made
|
||
it will return an LDAP PDU containing an ExtendedResponse. An LDAP
|
||
ExtendedResponse is defined as follows:
|
||
|
||
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
|
||
COMPONENTS OF LDAPResult,
|
||
responseName [10] LDAPOID OPTIONAL,
|
||
response [11] OCTET STRING OPTIONAL }
|
||
|
||
The responseName field contains the same string as that present in
|
||
the request.
|
||
|
||
The response field will contain as a value the DER-encoding of the
|
||
following ASN.1 data type:
|
||
|
||
SEQUENCE {
|
||
responseTtl [1] INTEGER
|
||
}
|
||
|
||
The responseTtl field is the time in seconds which the server chooses
|
||
to have as the time-to-live field for that entry. It must not be any
|
||
smaller than that which the client requested, and it may be larger.
|
||
However, to allow servers to maintain a relatively accurate
|
||
directory, and to prevent clients from abusing the dynamic
|
||
extensions, servers are permitted to shorten a client-requested
|
||
time-to-live value, down to a minimum of 86400 seconds (one day).
|
||
|
||
If the operation was successful, the errorCode field in the
|
||
standardResponse part of an ExtendedResponse will be set to success.
|
||
|
||
In case of an error, the responseTtl field will have the value 0, and
|
||
the errorCode field will contain an appropriate value, as follows: If
|
||
the entry named by entryName could not be located, the errorCode
|
||
field will contain "noSuchObject". If the entry is not dynamic, the
|
||
errorCode field will contain "objectClassViolation". If the
|
||
requester does not have permission to refresh the entry, the
|
||
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 5]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
errorCode field will contain "insufficientAccessRights". If the
|
||
requestTtl field is too large, the errorCode field will contain
|
||
"sizeLimitExceeded".
|
||
|
||
If a server does not implement this extension, it will return an LDAP
|
||
PDU containing an ExtendedResponse, which contains only the
|
||
standardResponse element (the responseName and response elements will
|
||
be absent). The LDAPResult element will indicate the protocolError
|
||
result code.
|
||
|
||
This request is permitted to be invoked when LDAP is carried by a
|
||
connectionless transport.
|
||
|
||
When using a connection-oriented transport, there is no requirement
|
||
that this operation be on the same particular connection as any
|
||
other. A client may open multiple connections, or close and then
|
||
reopen a connection.
|
||
|
||
4.3 X.500/DAP Modify(97)
|
||
|
||
X.500/DAP servers can map the Refresh request and response operations
|
||
into the X.500/DAP Modify(97) operation.
|
||
|
||
5. Schema Additions
|
||
|
||
All dynamic entries must have the dynamicObject value in their
|
||
objectClass attribute. This object class is defined as follows
|
||
(using the ObjectClassDescription notation of [2]):
|
||
|
||
( 1.3.6.1.4.1.1466.101.119.2 NAME 'dynamicObject'
|
||
DESC 'This class, if present in an entry, indicates that this entry
|
||
has a limited lifetime and may disappear automatically when
|
||
its time-to-live has reached 0. There are no mandatory
|
||
attributes of this class, however if the client has not
|
||
supplied a value for the entryTtl attribute, the server will
|
||
provide one.'
|
||
SUP top AUXILIARY )
|
||
|
||
Furthermore, the dynamic entry must have the following operational
|
||
attribute. It is described using the AttributeTypeDescription
|
||
notation of [2]:
|
||
|
||
( 1.3.6.1.4.1.1466.101.119.3 NAME 'entryTtl'
|
||
DESC 'This operational attribute is maintained by the server and
|
||
appears to be present in every dynamic entry. The attribute
|
||
is not present when the entry does not contain the
|
||
dynamicObject object class. The value of this attribute is
|
||
the time in seconds that the entry will continue to exist
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 6]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
before disappearing from the directory. In the absence of
|
||
intervening refresh operations, the values returned by
|
||
reading the attribute in two successive searches are
|
||
guaranteed to be nonincreasing. The smallest permissible
|
||
value is 0, indicating that the entry may disappear without
|
||
warning. The attribute is marked NO-USER-MODIFICATION since
|
||
it may only be changed using the refresh operation.'
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
|
||
NO-USER-MODIFICATION USAGE dSAOperation )
|
||
|
||
To allow servers to support dynamic entries in only a part of the
|
||
DIT, the following operational attribute is defined. It is
|
||
described using the AttributeTypeDescription notation of [2]:
|
||
|
||
( 1.3.6.1.4.1.1466.101.119.4 NAME 'dynamicSubtrees'
|
||
DESC 'This operational attribute is maintained by the server and is
|
||
present in the Root DSE, if the server supports the dynamic
|
||
extensions described in this memo. The attribute contains a
|
||
list of all the subtrees in this directory for which the
|
||
server supports the dynamic extensions.'
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION
|
||
USAGE dSAOperation )
|
||
|
||
6. Client and Server Requirements
|
||
|
||
6.1 Client Requirements
|
||
|
||
Clients can find out if a server supports the dynamic extensions by
|
||
checking the supportedExtension field in the root DSE, to see if the
|
||
OBJECT IDENTIFIER described in section 4 is present. Since servers
|
||
may select to support the dynamic extensions in only some of the
|
||
subtrees of the DIT, clients must check the dynamicSubtrees
|
||
operational attribute in the root DSE to find out if the dynamic
|
||
extensions are supported on a specific subtree.
|
||
|
||
Once a dynamic entry has been created, clients are responsible for
|
||
invoking the refresh extended operation, in order to keep that entry
|
||
present in the directory.
|
||
|
||
Clients must not expect that a dynamic entry will be present in the
|
||
DIT after it has timed out, however it must not require that the
|
||
server remove the entry immediately (some servers may only process
|
||
timing out entries at intervals). If the client wishes to ensure the
|
||
entry does not exist it should issue a RemoveRequest for that entry.
|
||
|
||
Initially, a client needs to know how often it should send refresh
|
||
requests to the server. This value is defined as the CRP (Client
|
||
Refresh Period) and is set by the server based on the entryTtl.
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 7]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
Since the LDAP AddRequest operation is left unchanged and is not
|
||
modified in this proposal to return this value, a client must issue a
|
||
Refresh extended operation immediately after an Add that created a
|
||
dynamic entry. The Refresh Response will return the CRP (in
|
||
responseTtl) to the client.
|
||
|
||
Clients must not issue the refresh request for dynamic entries which
|
||
they have not created. If an anonymous client attempts to do so, a
|
||
server is permitted to return insufficientAccessRights (50) in the
|
||
RefreshResponse, enforcing the client to bind first. Please note that
|
||
servers which allow anonymous clients to create and refresh dynamic
|
||
entries will not be able to enforce the above.
|
||
|
||
Clients should always be ready to handle the case in which their
|
||
entry timed out. In such a case, the Refresh operation will fail
|
||
with an error code such as noSuchObject, and the client is expected
|
||
to re-create its entry.
|
||
|
||
Clients should be prepared to experience refresh operations failing
|
||
with protocolError, even though the add and any previous refresh
|
||
requests succeeded. This might happen if a proxy between the client
|
||
and the server goes down, and another proxy is used which does not
|
||
support the Refresh extended operation.
|
||
|
||
6.2 Server Requirements
|
||
|
||
Servers are responsible for removing dynamic entries when they time
|
||
out. Servers are not required to do this immediately.
|
||
|
||
Servers must enforce the structural rules listed in above section 3.
|
||
|
||
Servers must ensure that the operational attribute described in
|
||
section 5 is present in dynamic entries
|
||
|
||
Servers may permit anonymous users to refresh entries. However, to
|
||
eliminate the possibility of a malicious use of the Refresh
|
||
operation, servers may require the refreshing client to bind first. A
|
||
server implementation can achieve this by presenting ACLs on the
|
||
entryTtl attribute, and returning insufficientAccessRights (50) in
|
||
the RefreshResponse, if the client is not allowed to refresh the
|
||
entry. Doing this, though, might have performance implications on the
|
||
server and might impact the server's scalability.
|
||
|
||
Servers may require that a client which attempts to create a dynamic
|
||
entry have a remove permission for that entry.
|
||
|
||
Servers which implement the dynamic extensions must have the OBJECT
|
||
IDENTIFIER, described above in section 4 for the request and
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 8]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
response, present as a value of the supportedExtension field in the
|
||
root DSE. They must also have as values in the attributeTypes and
|
||
objectClasses attributes of their subschema subentries, the
|
||
AttributeTypeDescription and ObjectClassDescription from section 5.
|
||
|
||
Servers can limit the support of the dynamic extensions to only some
|
||
of the subtrees in the DIT. Servers indicate for which subtrees they
|
||
support the extensions, by specifying the OIDs for the supported
|
||
subtrees in the dynamicSubtrees attribute described in section 5. If
|
||
a server supports the dynamic extensions for all naming contexts it
|
||
holds, the dynamicSubtrees attribute may be absent.
|
||
|
||
7. Implementation issues
|
||
|
||
7.1 Storage of dynamic information
|
||
|
||
Dynamic information is expected to change very often. In addition,
|
||
Refresh requests are expected to arrive at the server very often.
|
||
Disk-based databases that static directory services often use are
|
||
likely inappropriate for storing dynamic information. We recommend
|
||
that server implementations store dynamic entries in memory
|
||
sufficient to avoid paging. This is not a requirement.
|
||
|
||
We expect LDAP servers to be able to store static and dynamic
|
||
entries. If an LDAP server does not support dynamic entries, it
|
||
should respond with an error code such as objectClassViolation.
|
||
|
||
7.2 Client refresh behavior
|
||
|
||
In some cases, the client might not get a Refresh response. This may
|
||
happen as a result of a server crash after receiving the Refresh
|
||
request, the TCP/IP socket timing out in the connection case, or the
|
||
UDP packet getting lost in the connection-less case.
|
||
|
||
It is recommended that in such a case, the client will retry the
|
||
Refresh operation immediately, and if this Refresh request does not
|
||
get a response as well, it will resort to its original Refresh cycle,
|
||
i.e. send a Refresh request at its Client Refresh Period (CRP).
|
||
|
||
7.3 Configuration of refresh times
|
||
|
||
We recommend that servers will provide administrators with the
|
||
ability to configure the default client refresh period (CRP), and
|
||
also a minimum and maximum CRP values. This, together with allowing
|
||
administrators to request that the server will not change the CRP
|
||
dynamically, will allow administrators to set CRP values which will
|
||
enforce a low refresh traffic, or - on the other extreme, an highly
|
||
up-to-date directory.
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 9]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
8. Replication
|
||
|
||
Replication is only partially addressed in this memo. There is a
|
||
separate effort in progress at the IETF on replication of static and
|
||
dynamic directories.
|
||
|
||
it is allowed to replicate a dynamic entry or a static entry with
|
||
dynamic attributes. Since the entryTtl is expressed as a relative
|
||
time (how many seconds till the entry will expire), replicating it
|
||
means that the replicated entry will be "off" by the replication
|
||
time.
|
||
|
||
9. Localization
|
||
|
||
The are no localization issues for this extended operation.
|
||
|
||
10. Security Considerations
|
||
|
||
Standard LDAP security rules and support apply for the extensions
|
||
described in this document, and there are no special security issues
|
||
for these extensions. Please note, though, that servers may permit
|
||
anonymous clients to refresh entries which they did not create.
|
||
Servers are also permitted to control a refresh access to an entry by
|
||
requiring clients to bind before issuing a RefreshRequest. This will
|
||
have implications on the server performance and scalability.
|
||
|
||
Also, Care should be taken in making use of information obtained from
|
||
directory servers that has been supplied by client, as it may now be
|
||
out of date. In many networks, for example, IP addresses are
|
||
automatically assigned when a host connects to the network, and may
|
||
be reassigned if that host later disconnects. An IP address obtained
|
||
from the directory may no longer be assigned to the host that placed
|
||
the address in the directory. This issue is not specific to LDAP or
|
||
dynamic directories.
|
||
|
||
11. Acknowledgments
|
||
|
||
Design ideas included in this document are based on those discussed
|
||
in ASID and other IETF Working Groups.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 10]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
12. Authors' Addresses
|
||
|
||
Yoram Yaacovi
|
||
Microsoft
|
||
One Microsoft way
|
||
Redmond, WA 98052
|
||
USA
|
||
|
||
Phone: +1 206-936-9629
|
||
EMail: yoramy@microsoft.com
|
||
|
||
|
||
Mark Wahl
|
||
Innosoft International, Inc.
|
||
8911 Capital of Texas Hwy #4140
|
||
Austin, TX 78759
|
||
USA
|
||
|
||
Email: M.Wahl@innosoft.com
|
||
|
||
|
||
Tony Genovese
|
||
Microsoft
|
||
One Microsoft way
|
||
Redmond, WA 98052
|
||
USA
|
||
|
||
Phone: +1 206-703-0852
|
||
EMail: tonyg@microsoft.com
|
||
|
||
13. Bibliography
|
||
|
||
[1] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access
|
||
Protocol (Version 3)", RFC 2251, December 1997.
|
||
|
||
[2] Wahl, M. Coulbeck, A., Howes, T. and S. Kille, "Lightweight
|
||
Directory Access Protocol (v3): Attribute Syntax Definitions",
|
||
RFC 2252, December 1997.
|
||
|
||
[3] Wahl, M. and S. Kille, "Lightweight Directory Access Protocol
|
||
(v3): UTF-8 String Representation of Distinguished Names", RFC
|
||
2253, December 1997.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 11]
|
||
|
||
RFC 2589 LDAPv3 Extensions for Dynamic Directory Services May 1999
|
||
|
||
|
||
14. Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (1999). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published
|
||
and distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph are
|
||
included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Acknowledgement
|
||
|
||
Funding for the RFC Editor function is currently provided by the
|
||
Internet Society.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Yaacovi, et al. Standards Track [Page 12]
|
||
|