mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
2804 lines
112 KiB
Plaintext
2804 lines
112 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group M. Wahl
|
||
Request for Comments: 2251 Critical Angle Inc.
|
||
Category: Standards Track T. Howes
|
||
Netscape Communications Corp.
|
||
S. Kille
|
||
Isode Limited
|
||
December 1997
|
||
|
||
|
||
Lightweight Directory Access Protocol (v3)
|
||
|
||
1. Status of this Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (1997). All Rights Reserved.
|
||
|
||
IESG Note
|
||
|
||
This document describes a directory access protocol that provides
|
||
both read and update access. Update access requires secure
|
||
authentication, but this document does not mandate implementation of
|
||
any satisfactory authentication mechanisms.
|
||
|
||
In accordance with RFC 2026, section 4.4.1, this specification is
|
||
being approved by IESG as a Proposed Standard despite this
|
||
limitation, for the following reasons:
|
||
|
||
a. to encourage implementation and interoperability testing of
|
||
these protocols (with or without update access) before they
|
||
are deployed, and
|
||
|
||
b. to encourage deployment and use of these protocols in read-only
|
||
applications. (e.g. applications where LDAPv3 is used as
|
||
a query language for directories which are updated by some
|
||
secure mechanism other than LDAP), and
|
||
|
||
c. to avoid delaying the advancement and deployment of other Internet
|
||
standards-track protocols which require the ability to query, but
|
||
not update, LDAPv3 directory servers.
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 1]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
Readers are hereby warned that until mandatory authentication
|
||
mechanisms are standardized, clients and servers written according to
|
||
this specification which make use of update functionality are
|
||
UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
|
||
IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
|
||
|
||
Implementors are hereby discouraged from deploying LDAPv3 clients or
|
||
servers which implement the update functionality, until a Proposed
|
||
Standard for mandatory authentication in LDAPv3 has been approved and
|
||
published as an RFC.
|
||
|
||
Table of Contents
|
||
|
||
1. Status of this Memo .................................... 1
|
||
Copyright Notice ....................................... 1
|
||
IESG Note .............................................. 1
|
||
2. Abstract ............................................... 3
|
||
3. Models ................................................. 4
|
||
3.1. Protocol Model ........................................ 4
|
||
3.2. Data Model ............................................ 5
|
||
3.2.1. Attributes of Entries ............................... 5
|
||
3.2.2. Subschema Entries and Subentries .................... 7
|
||
3.3. Relationship to X.500 ................................. 8
|
||
3.4. Server-specific Data Requirements ..................... 8
|
||
4. Elements of Protocol ................................... 9
|
||
4.1. Common Elements ....................................... 9
|
||
4.1.1. Message Envelope .................................... 9
|
||
4.1.1.1. Message ID ........................................ 11
|
||
4.1.2. String Types ........................................ 11
|
||
4.1.3. Distinguished Name and Relative Distinguished Name .. 11
|
||
4.1.4. Attribute Type ...................................... 12
|
||
4.1.5. Attribute Description ............................... 13
|
||
4.1.5.1. Binary Option ..................................... 14
|
||
4.1.6. Attribute Value ..................................... 14
|
||
4.1.7. Attribute Value Assertion ........................... 15
|
||
4.1.8. Attribute ........................................... 15
|
||
4.1.9. Matching Rule Identifier ............................ 15
|
||
4.1.10. Result Message ..................................... 16
|
||
4.1.11. Referral ........................................... 18
|
||
4.1.12. Controls ........................................... 19
|
||
4.2. Bind Operation ........................................ 20
|
||
4.2.1. Sequencing of the Bind Request ...................... 21
|
||
4.2.2. Authentication and Other Security Services .......... 22
|
||
4.2.3. Bind Response ....................................... 23
|
||
4.3. Unbind Operation ...................................... 24
|
||
4.4. Unsolicited Notification .............................. 24
|
||
4.4.1. Notice of Disconnection ............................. 24
|
||
4.5. Search Operation ...................................... 25
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 2]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
4.5.1. Search Request ...................................... 25
|
||
4.5.2. Search Result ....................................... 29
|
||
4.5.3. Continuation References in the Search Result ........ 31
|
||
4.5.3.1. Example ........................................... 31
|
||
4.6. Modify Operation ...................................... 32
|
||
4.7. Add Operation ......................................... 34
|
||
4.8. Delete Operation ...................................... 35
|
||
4.9. Modify DN Operation ................................... 36
|
||
4.10. Compare Operation .................................... 37
|
||
4.11. Abandon Operation .................................... 38
|
||
4.12. Extended Operation ................................... 38
|
||
5. Protocol Element Encodings and Transfer ................ 39
|
||
5.1. Mapping Onto BER-based Transport Services ............. 39
|
||
5.2. Transfer Protocols .................................... 40
|
||
5.2.1. Transmission Control Protocol (TCP) ................. 40
|
||
6. Implementation Guidelines .............................. 40
|
||
6.1. Server Implementations ................................ 40
|
||
6.2. Client Implementations ................................ 40
|
||
7. Security Considerations ................................ 41
|
||
8. Acknowledgements ....................................... 41
|
||
9. Bibliography ........................................... 41
|
||
10. Authors' Addresses ..................................... 42
|
||
Appendix A - Complete ASN.1 Definition ..................... 44
|
||
Full Copyright Statement ................................... 50
|
||
|
||
2. Abstract
|
||
|
||
The protocol described in this document is designed to provide access
|
||
to directories supporting the X.500 models, while not incurring the
|
||
resource requirements of the X.500 Directory Access Protocol (DAP).
|
||
This protocol is specifically targeted at management applications and
|
||
browser applications that provide read/write interactive access to
|
||
directories. When used with a directory supporting the X.500
|
||
protocols, it is intended to be a complement to the X.500 DAP.
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document
|
||
are to be interpreted as described in RFC 2119 [10].
|
||
|
||
Key aspects of this version of LDAP are:
|
||
|
||
- All protocol elements of LDAPv2 (RFC 1777) are supported. The
|
||
protocol is carried directly over TCP or other transport, bypassing
|
||
much of the session/presentation overhead of X.500 DAP.
|
||
|
||
- Most protocol data elements can be encoded as ordinary strings
|
||
(e.g., Distinguished Names).
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 3]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
- Referrals to other servers may be returned.
|
||
|
||
- SASL mechanisms may be used with LDAP to provide association
|
||
security services.
|
||
|
||
- Attribute values and Distinguished Names have been
|
||
internationalized through the use of the ISO 10646 character set.
|
||
|
||
- The protocol can be extended to support new operations, and
|
||
controls may be used to extend existing operations.
|
||
|
||
- Schema is published in the directory for use by clients.
|
||
|
||
3. Models
|
||
|
||
Interest in X.500 [1] directory technologies in the Internet has led
|
||
to efforts to reduce the high cost of entry associated with use of
|
||
these technologies. This document continues the efforts to define
|
||
directory protocol alternatives, updating the LDAP [2] protocol
|
||
specification.
|
||
|
||
3.1. Protocol Model
|
||
|
||
The general model adopted by this protocol is one of clients
|
||
performing protocol operations against servers. In this model, a
|
||
client transmits a protocol request describing the operation to be
|
||
performed to a server. The server is then responsible for performing
|
||
the necessary operation(s) in the directory. Upon completion of the
|
||
operation(s), the server returns a response containing any results or
|
||
errors to the requesting client.
|
||
|
||
In keeping with the goal of easing the costs associated with use of
|
||
the directory, it is an objective of this protocol to minimize the
|
||
complexity of clients so as to facilitate widespread deployment of
|
||
applications capable of using the directory.
|
||
|
||
Note that although servers are required to return responses whenever
|
||
such responses are defined in the protocol, there is no requirement
|
||
for synchronous behavior on the part of either clients or servers.
|
||
Requests and responses for multiple operations may be exchanged
|
||
between a client and server in any order, provided the client
|
||
eventually receives a response for every request that requires one.
|
||
|
||
In LDAP versions 1 and 2, no provision was made for protocol servers
|
||
returning referrals to clients. However, for improved performance
|
||
and distribution this version of the protocol permits servers to
|
||
return to clients referrals to other servers. This allows servers to
|
||
offload the work of contacting other servers to progress operations.
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 4]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
Note that the core protocol operations defined in this document can
|
||
be mapped to a strict subset of the X.500(1997) directory abstract
|
||
service, so it can be cleanly provided by the DAP. However there is
|
||
not a one-to-one mapping between LDAP protocol operations and DAP
|
||
operations: server implementations acting as a gateway to X.500
|
||
directories may need to make multiple DAP requests.
|
||
|
||
3.2. Data Model
|
||
|
||
This section provides a brief introduction to the X.500 data model,
|
||
as used by LDAP.
|
||
|
||
The LDAP protocol assumes there are one or more servers which jointly
|
||
provide access to a Directory Information Tree (DIT). The tree is
|
||
made up of entries. Entries have names: one or more attribute values
|
||
from the entry form its relative distinguished name (RDN), which MUST
|
||
be unique among all its siblings. The concatenation of the relative
|
||
distinguished names of the sequence of entries from a particular
|
||
entry to an immediate subordinate of the root of the tree forms that
|
||
entry's Distinguished Name (DN), which is unique in the tree. An
|
||
example of a Distinguished Name is
|
||
|
||
CN=Steve Kille, O=Isode Limited, C=GB
|
||
|
||
Some servers may hold cache or shadow copies of entries, which can be
|
||
used to answer search and comparison queries, but will return
|
||
referrals or contact other servers if modification operations are
|
||
requested.
|
||
|
||
Servers which perform caching or shadowing MUST ensure that they do
|
||
not violate any access control constraints placed on the data by the
|
||
originating server.
|
||
|
||
The largest collection of entries, starting at an entry that is
|
||
mastered by a particular server, and including all its subordinates
|
||
and their subordinates, down to the entries which are mastered by
|
||
different servers, is termed a naming context. The root of the DIT
|
||
is a DSA-specific Entry (DSE) and not part of any naming context:
|
||
each server has different attribute values in the root DSE. (DSA is
|
||
an X.500 term for the directory server).
|
||
|
||
3.2.1. Attributes of Entries
|
||
|
||
Entries consist of a set of attributes. An attribute is a type with
|
||
one or more associated values. The attribute type is identified by a
|
||
short descriptive name and an OID (object identifier). The attribute
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 5]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
type governs whether there can be more than one value of an attribute
|
||
of that type in an entry, the syntax to which the values must
|
||
conform, the kinds of matching which can be performed on values of
|
||
that attribute, and other functions.
|
||
|
||
An example of an attribute is "mail". There may be one or more values
|
||
of this attribute, they must be IA5 (ASCII) strings, and they are
|
||
case insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").
|
||
|
||
Schema is the collection of attribute type definitions, object class
|
||
definitions and other information which a server uses to determine
|
||
how to match a filter or attribute value assertion (in a compare
|
||
operation) against the attributes of an entry, and whether to permit
|
||
add and modify operations. The definition of schema for use with
|
||
LDAP is given in [5] and [6]. Additional schema elements may be
|
||
defined in other documents.
|
||
|
||
Each entry MUST have an objectClass attribute. The objectClass
|
||
attribute specifies the object classes of an entry, which along with
|
||
the system and user schema determine the permitted attributes of an
|
||
entry. Values of this attribute may be modified by clients, but the
|
||
objectClass attribute cannot be removed. Servers may restrict the
|
||
modifications of this attribute to prevent the basic structural class
|
||
of the entry from being changed (e.g. one cannot change a person into
|
||
a country). When creating an entry or adding an objectClass value to
|
||
an entry, all superclasses of the named classes are implicitly added
|
||
as well if not already present, and the client must supply values for
|
||
any mandatory attributes of new superclasses.
|
||
|
||
Some attributes, termed operational attributes, are used by servers
|
||
for administering the directory system itself. They are not returned
|
||
in search results unless explicitly requested by name. Attributes
|
||
which are not operational, such as "mail", will have their schema and
|
||
syntax constraints enforced by servers, but servers will generally
|
||
not make use of their values.
|
||
|
||
Servers MUST NOT permit clients to add attributes to an entry unless
|
||
those attributes are permitted by the object class definitions, the
|
||
schema controlling that entry (specified in the subschema - see
|
||
below), or are operational attributes known to that server and used
|
||
for administrative purposes. Note that there is a particular
|
||
objectClass 'extensibleObject' defined in [5] which permits all user
|
||
attributes to be present in an entry.
|
||
|
||
Entries MAY contain, among others, the following operational
|
||
attributes, defined in [5]. These attributes are maintained
|
||
automatically by the server and are not modifiable by clients:
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 6]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
- creatorsName: the Distinguished Name of the user who added this
|
||
entry to the directory.
|
||
|
||
- createTimestamp: the time this entry was added to the directory.
|
||
|
||
- modifiersName: the Distinguished Name of the user who last modified
|
||
this entry.
|
||
|
||
- modifyTimestamp: the time this entry was last modified.
|
||
|
||
- subschemaSubentry: the Distinguished Name of the subschema entry
|
||
(or subentry) which controls the schema for this entry.
|
||
|
||
3.2.2. Subschema Entries and Subentries
|
||
|
||
Subschema entries are used for administering information about the
|
||
directory schema, in particular the object classes and attribute
|
||
types supported by directory servers. A single subschema entry
|
||
contains all schema definitions used by entries in a particular part
|
||
of the directory tree.
|
||
|
||
Servers which follow X.500(93) models SHOULD implement subschema
|
||
using the X.500 subschema mechanisms, and so these subschemas are not
|
||
ordinary entries. LDAP clients SHOULD NOT assume that servers
|
||
implement any of the other aspects of X.500 subschema. A server
|
||
which masters entries and permits clients to modify these entries
|
||
MUST implement and provide access to these subschema entries, so that
|
||
its clients may discover the attributes and object classes which are
|
||
permitted to be present. It is strongly recommended that all other
|
||
servers implement this as well.
|
||
|
||
The following four attributes MUST be present in all subschema
|
||
entries:
|
||
|
||
- cn: this attribute MUST be used to form the RDN of the subschema
|
||
entry.
|
||
|
||
- objectClass: the attribute MUST have at least the values "top" and
|
||
"subschema".
|
||
|
||
- objectClasses: each value of this attribute specifies an object
|
||
class known to the server.
|
||
|
||
- attributeTypes: each value of this attribute specifies an attribute
|
||
type known to the server.
|
||
|
||
These are defined in [5]. Other attributes MAY be present in
|
||
subschema entries, to reflect additional supported capabilities.
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 7]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
These include matchingRules, matchingRuleUse, dITStructureRules,
|
||
dITContentRules, nameForms and ldapSyntaxes.
|
||
|
||
Servers SHOULD provide the attributes createTimestamp and
|
||
modifyTimestamp in subschema entries, in order to allow clients to
|
||
maintain their caches of schema information.
|
||
|
||
Clients MUST only retrieve attributes from a subschema entry by
|
||
requesting a base object search of the entry, where the search filter
|
||
is "(objectClass=subschema)". (This will allow LDAPv3 servers which
|
||
gateway to X.500(93) to detect that subentry information is being
|
||
requested.)
|
||
|
||
3.3. Relationship to X.500
|
||
|
||
This document defines LDAP in terms of X.500 as an X.500 access
|
||
mechanism. An LDAP server MUST act in accordance with the
|
||
X.500(1993) series of ITU recommendations when providing the service.
|
||
However, it is not required that an LDAP server make use of any X.500
|
||
protocols in providing this service, e.g. LDAP can be mapped onto any
|
||
other directory system so long as the X.500 data and service model as
|
||
used in LDAP is not violated in the LDAP interface.
|
||
|
||
3.4. Server-specific Data Requirements
|
||
|
||
An LDAP server MUST provide information about itself and other
|
||
information that is specific to each server. This is represented as
|
||
a group of attributes located in the root DSE (DSA-Specific Entry),
|
||
which is named with the zero-length LDAPDN. These attributes are
|
||
retrievable if a client performs a base object search of the root
|
||
with filter "(objectClass=*)", however they are subject to access
|
||
control restrictions. The root DSE MUST NOT be included if the
|
||
client performs a subtree search starting from the root.
|
||
|
||
Servers may allow clients to modify these attributes.
|
||
|
||
The following attributes of the root DSE are defined in section 5 of
|
||
[5]. Additional attributes may be defined in other documents.
|
||
|
||
- namingContexts: naming contexts held in the server. Naming contexts
|
||
are defined in section 17 of X.501 [6].
|
||
|
||
- subschemaSubentry: subschema entries (or subentries) known by this
|
||
server.
|
||
|
||
- altServer: alternative servers in case this one is later
|
||
unavailable.
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 8]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
- supportedExtension: list of supported extended operations.
|
||
|
||
- supportedControl: list of supported controls.
|
||
|
||
- supportedSASLMechanisms: list of supported SASL security features.
|
||
|
||
- supportedLDAPVersion: LDAP versions implemented by the server.
|
||
|
||
If the server does not master entries and does not know the locations
|
||
of schema information, the subschemaSubentry attribute is not present
|
||
in the root DSE. If the server masters directory entries under one
|
||
or more schema rules, there may be any number of values of the
|
||
subschemaSubentry attribute in the root DSE.
|
||
|
||
4. Elements of Protocol
|
||
|
||
The LDAP protocol is described using Abstract Syntax Notation 1
|
||
(ASN.1) [3], and is typically transferred using a subset of ASN.1
|
||
Basic Encoding Rules [11]. In order to support future extensions to
|
||
this protocol, clients and servers MUST ignore elements of SEQUENCE
|
||
encodings whose tags they do not recognize.
|
||
|
||
Note that unlike X.500, each change to the LDAP protocol other than
|
||
through the extension mechanisms will have a different version
|
||
number. A client will indicate the version it supports as part of
|
||
the bind request, described in section 4.2. If a client has not sent
|
||
a bind, the server MUST assume that version 3 is supported in the
|
||
client (since version 2 required that the client bind first).
|
||
|
||
Clients may determine the protocol version a server supports by
|
||
reading the supportedLDAPVersion attribute from the root DSE. Servers
|
||
which implement version 3 or later versions MUST provide this
|
||
attribute. Servers which only implement version 2 may not provide
|
||
this attribute.
|
||
|
||
4.1. Common Elements
|
||
|
||
This section describes the LDAPMessage envelope PDU (Protocol Data
|
||
Unit) format, as well as data type definitions which are used in the
|
||
protocol operations.
|
||
|
||
4.1.1. Message Envelope
|
||
|
||
For the purposes of protocol exchanges, all protocol operations are
|
||
encapsulated in a common envelope, the LDAPMessage, which is defined
|
||
as follows:
|
||
|
||
LDAPMessage ::= SEQUENCE {
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 9]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
messageID MessageID,
|
||
protocolOp CHOICE {
|
||
bindRequest BindRequest,
|
||
bindResponse BindResponse,
|
||
unbindRequest UnbindRequest,
|
||
searchRequest SearchRequest,
|
||
searchResEntry SearchResultEntry,
|
||
searchResDone SearchResultDone,
|
||
searchResRef SearchResultReference,
|
||
modifyRequest ModifyRequest,
|
||
modifyResponse ModifyResponse,
|
||
addRequest AddRequest,
|
||
addResponse AddResponse,
|
||
delRequest DelRequest,
|
||
delResponse DelResponse,
|
||
modDNRequest ModifyDNRequest,
|
||
modDNResponse ModifyDNResponse,
|
||
compareRequest CompareRequest,
|
||
compareResponse CompareResponse,
|
||
abandonRequest AbandonRequest,
|
||
extendedReq ExtendedRequest,
|
||
extendedResp ExtendedResponse },
|
||
controls [0] Controls OPTIONAL }
|
||
|
||
MessageID ::= INTEGER (0 .. maxInt)
|
||
|
||
maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
|
||
|
||
The function of the LDAPMessage is to provide an envelope containing
|
||
common fields required in all protocol exchanges. At this time the
|
||
only common fields are the message ID and the controls.
|
||
|
||
If the server receives a PDU from the client in which the LDAPMessage
|
||
SEQUENCE tag cannot be recognized, the messageID cannot be parsed,
|
||
the tag of the protocolOp is not recognized as a request, or the
|
||
encoding structures or lengths of data fields are found to be
|
||
incorrect, then the server MUST return the notice of disconnection
|
||
described in section 4.4.1, with resultCode protocolError, and
|
||
immediately close the connection. In other cases that the server
|
||
cannot parse the request received by the client, the server MUST
|
||
return an appropriate response to the request, with the resultCode
|
||
set to protocolError.
|
||
|
||
If the client receives a PDU from the server which cannot be parsed,
|
||
the client may discard the PDU, or may abruptly close the connection.
|
||
|
||
The ASN.1 type Controls is defined in section 4.1.12.
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 10]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
4.1.1.1. Message ID
|
||
|
||
All LDAPMessage envelopes encapsulating responses contain the
|
||
messageID value of the corresponding request LDAPMessage.
|
||
|
||
The message ID of a request MUST have a value different from the
|
||
values of any other requests outstanding in the LDAP session of which
|
||
this message is a part.
|
||
|
||
A client MUST NOT send a second request with the same message ID as
|
||
an earlier request on the same connection if the client has not
|
||
received the final response from the earlier request. Otherwise the
|
||
behavior is undefined. Typical clients increment a counter for each
|
||
request.
|
||
|
||
A client MUST NOT reuse the message id of an abandonRequest or of the
|
||
abandoned operation until it has received a response from the server
|
||
for another request invoked subsequent to the abandonRequest, as the
|
||
abandonRequest itself does not have a response.
|
||
|
||
4.1.2. String Types
|
||
|
||
The LDAPString is a notational convenience to indicate that, although
|
||
strings of LDAPString type encode as OCTET STRING types, the ISO
|
||
10646 [13] character set (a superset of Unicode) is used, encoded
|
||
following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm
|
||
characters which are the same as ASCII (0x0000 through 0x007F) are
|
||
represented as that same ASCII character in a single byte. The other
|
||
byte values are used to form a variable-length encoding of an
|
||
arbitrary character.
|
||
|
||
LDAPString ::= OCTET STRING
|
||
|
||
The LDAPOID is a notational convenience to indicate that the
|
||
permitted value of this string is a (UTF-8 encoded) dotted-decimal
|
||
representation of an OBJECT IDENTIFIER.
|
||
|
||
LDAPOID ::= OCTET STRING
|
||
|
||
For example,
|
||
|
||
1.3.6.1.4.1.1466.1.2.3
|
||
|
||
4.1.3. Distinguished Name and Relative Distinguished Name
|
||
|
||
An LDAPDN and a RelativeLDAPDN are respectively defined to be the
|
||
representation of a Distinguished Name and a Relative Distinguished
|
||
Name after encoding according to the specification in [4], such that
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 11]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
<distinguished-name> ::= <name>
|
||
|
||
<relative-distinguished-name> ::= <name-component>
|
||
|
||
where <name> and <name-component> are as defined in [4].
|
||
|
||
LDAPDN ::= LDAPString
|
||
|
||
RelativeLDAPDN ::= LDAPString
|
||
|
||
Only Attribute Types can be present in a relative distinguished name
|
||
component; the options of Attribute Descriptions (next section) MUST
|
||
NOT be used in specifying distinguished names.
|
||
|
||
4.1.4. Attribute Type
|
||
|
||
An AttributeType takes on as its value the textual string associated
|
||
with that AttributeType in its specification.
|
||
|
||
AttributeType ::= LDAPString
|
||
|
||
Each attribute type has a unique OBJECT IDENTIFIER which has been
|
||
assigned to it. This identifier may be written as decimal digits
|
||
with components separated by periods, e.g. "2.5.4.10".
|
||
|
||
A specification may also assign one or more textual names for an
|
||
attribute type. These names MUST begin with a letter, and only
|
||
contain ASCII letters, digit characters and hyphens. They are case
|
||
insensitive. (These ASCII characters are identical to ISO 10646
|
||
characters whose UTF-8 encoding is a single byte between 0x00 and
|
||
0x7F.)
|
||
|
||
If the server has a textual name for an attribute type, it MUST use a
|
||
textual name for attributes returned in search results. The dotted-
|
||
decimal OBJECT IDENTIFIER is only used if there is no textual name
|
||
for an attribute type.
|
||
|
||
Attribute type textual names are non-unique, as two different
|
||
specifications (neither in standards track RFCs) may choose the same
|
||
name.
|
||
|
||
A server which masters or shadows entries SHOULD list all the
|
||
attribute types it supports in the subschema entries, using the
|
||
attributeTypes attribute. Servers which support an open-ended set of
|
||
attributes SHOULD include at least the attributeTypes value for the
|
||
'objectClass' attribute. Clients MAY retrieve the attributeTypes
|
||
value from subschema entries in order to obtain the OBJECT IDENTIFIER
|
||
and other information associated with attribute types.
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 12]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
Some attribute type names which are used in this version of LDAP are
|
||
described in [5]. Servers may implement additional attribute types.
|
||
|
||
4.1.5. Attribute Description
|
||
|
||
An AttributeDescription is a superset of the definition of the
|
||
AttributeType. It has the same ASN.1 definition, but allows
|
||
additional options to be specified. They are also case insensitive.
|
||
|
||
AttributeDescription ::= LDAPString
|
||
|
||
A value of AttributeDescription is based on the following BNF:
|
||
|
||
<AttributeDescription> ::= <AttributeType> [ ";" <options> ]
|
||
|
||
<options> ::= <option> | <option> ";" <options>
|
||
|
||
<option> ::= <opt-char> <opt-char>*
|
||
|
||
<opt-char> ::= ASCII-equivalent letters, numbers and hyphen
|
||
|
||
Examples of valid AttributeDescription:
|
||
|
||
cn
|
||
userCertificate;binary
|
||
|
||
One option, "binary", is defined in this document. Additional
|
||
options may be defined in IETF standards-track and experimental RFCs.
|
||
Options beginning with "x-" are reserved for private experiments.
|
||
Any option could be associated with any AttributeType, although not
|
||
all combinations may be supported by a server.
|
||
|
||
An AttributeDescription with one or more options is treated as a
|
||
subtype of the attribute type without any options. Options present
|
||
in an AttributeDescription are never mutually exclusive.
|
||
Implementations MUST generate the <options> list sorted in ascending
|
||
order, and servers MUST treat any two AttributeDescription with the
|
||
same AttributeType and options as equivalent. A server will treat an
|
||
AttributeDescription with any options it does not implement as an
|
||
unrecognized attribute type.
|
||
|
||
The data type "AttributeDescriptionList" describes a list of 0 or
|
||
more attribute types. (A list of zero elements has special
|
||
significance in the Search request.)
|
||
|
||
AttributeDescriptionList ::= SEQUENCE OF
|
||
AttributeDescription
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 13]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
4.1.5.1. Binary Option
|
||
|
||
If the "binary" option is present in an AttributeDescription, it
|
||
overrides any string-based encoding representation defined for that
|
||
attribute in [5]. Instead the attribute is to be transferred as a
|
||
binary value encoded using the Basic Encoding Rules [11]. The syntax
|
||
of the binary value is an ASN.1 data type definition which is
|
||
referenced by the "SYNTAX" part of the attribute type definition.
|
||
|
||
The presence or absence of the "binary" option only affects the
|
||
transfer of attribute values in protocol; servers store any
|
||
particular attribute in a single format. If a client requests that a
|
||
server return an attribute in the binary format, but the server
|
||
cannot generate that format, the server MUST treat this attribute
|
||
type as an unrecognized attribute type. Similarly, clients MUST NOT
|
||
expect servers to return an attribute in binary format if the client
|
||
requested that attribute by name without the binary option.
|
||
|
||
This option is intended to be used with attributes whose syntax is a
|
||
complex ASN.1 data type, and the structure of values of that type is
|
||
needed by clients. Examples of this kind of syntax are "Certificate"
|
||
and "CertificateList".
|
||
|
||
4.1.6. Attribute Value
|
||
|
||
A field of type AttributeValue takes on as its value either a string
|
||
encoding of a AttributeValue data type, or an OCTET STRING containing
|
||
an encoded binary value, depending on whether the "binary" option is
|
||
present in the companion AttributeDescription to this AttributeValue.
|
||
|
||
The definition of string encodings for different syntaxes and types
|
||
may be found in other documents, and in particular [5].
|
||
|
||
AttributeValue ::= OCTET STRING
|
||
|
||
Note that there is no defined limit on the size of this encoding;
|
||
thus protocol values may include multi-megabyte attributes (e.g.
|
||
photographs).
|
||
|
||
Attributes may be defined which have arbitrary and non-printable
|
||
syntax. Implementations MUST NEITHER simply display nor attempt to
|
||
decode as ASN.1 a value if its syntax is not known. The
|
||
implementation may attempt to discover the subschema of the source
|
||
entry, and retrieve the values of attributeTypes from it.
|
||
|
||
Clients MUST NOT send attribute values in a request which are not
|
||
valid according to the syntax defined for the attributes.
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 14]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
4.1.7. Attribute Value Assertion
|
||
|
||
The AttributeValueAssertion type definition is similar to the one in
|
||
the X.500 directory standards. It contains an attribute description
|
||
and a matching rule assertion value suitable for that type.
|
||
|
||
AttributeValueAssertion ::= SEQUENCE {
|
||
attributeDesc AttributeDescription,
|
||
assertionValue AssertionValue }
|
||
|
||
AssertionValue ::= OCTET STRING
|
||
|
||
If the "binary" option is present in attributeDesc, this signals to
|
||
the server that the assertionValue is a binary encoding of the
|
||
assertion value.
|
||
|
||
For all the string-valued user attributes described in [5], the
|
||
assertion value syntax is the same as the value syntax. Clients may
|
||
use attribute values as assertion values in compare requests and
|
||
search filters.
|
||
|
||
Note however that the assertion syntax may be different from the
|
||
value syntax for other attributes or for non-equality matching rules.
|
||
These may have an assertion syntax which contains only part of the
|
||
value. See section 20.2.1.8 of X.501 [6] for examples.
|
||
|
||
4.1.8. Attribute
|
||
|
||
An attribute consists of a type and one or more values of that type.
|
||
(Though attributes MUST have at least one value when stored, due to
|
||
access control restrictions the set may be empty when transferred in
|
||
protocol. This is described in section 4.5.2, concerning the
|
||
PartialAttributeList type.)
|
||
|
||
Attribute ::= SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
Each attribute value is distinct in the set (no duplicates). The
|
||
order of attribute values within the vals set is undefined and
|
||
implementation-dependent, and MUST NOT be relied upon.
|
||
|
||
4.1.9. Matching Rule Identifier
|
||
|
||
A matching rule is a means of expressing how a server should compare
|
||
an AssertionValue received in a search filter with an abstract data
|
||
value. The matching rule defines the syntax of the assertion value
|
||
and the process to be performed in the server.
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 15]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
An X.501(1993) Matching Rule is identified in the LDAP protocol by
|
||
the printable representation of its OBJECT IDENTIFIER, either as one
|
||
of the strings given in [5], or as decimal digits with components
|
||
separated by periods, e.g. "caseIgnoreIA5Match" or
|
||
"1.3.6.1.4.1.453.33.33".
|
||
|
||
MatchingRuleId ::= LDAPString
|
||
|
||
Servers which support matching rules for use in the extensibleMatch
|
||
search filter MUST list the matching rules they implement in
|
||
subschema entries, using the matchingRules attributes. The server
|
||
SHOULD also list there, using the matchingRuleUse attribute, the
|
||
attribute types with which each matching rule can be used. More
|
||
information is given in section 4.4 of [5].
|
||
|
||
4.1.10. Result Message
|
||
|
||
The LDAPResult is the construct used in this protocol to return
|
||
success or failure indications from servers to clients. In response
|
||
to various requests servers will return responses containing fields
|
||
of type LDAPResult to indicate the final status of a protocol
|
||
operation request.
|
||
|
||
LDAPResult ::= SEQUENCE {
|
||
resultCode ENUMERATED {
|
||
success (0),
|
||
operationsError (1),
|
||
protocolError (2),
|
||
timeLimitExceeded (3),
|
||
sizeLimitExceeded (4),
|
||
compareFalse (5),
|
||
compareTrue (6),
|
||
|
||
authMethodNotSupported (7),
|
||
strongAuthRequired (8),
|
||
-- 9 reserved --
|
||
referral (10), -- new
|
||
adminLimitExceeded (11), -- new
|
||
unavailableCriticalExtension (12), -- new
|
||
confidentialityRequired (13), -- new
|
||
saslBindInProgress (14), -- new
|
||
noSuchAttribute (16),
|
||
undefinedAttributeType (17),
|
||
inappropriateMatching (18),
|
||
constraintViolation (19),
|
||
attributeOrValueExists (20),
|
||
invalidAttributeSyntax (21),
|
||
-- 22-31 unused --
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 16]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
noSuchObject (32),
|
||
aliasProblem (33),
|
||
invalidDNSyntax (34),
|
||
-- 35 reserved for undefined isLeaf --
|
||
aliasDereferencingProblem (36),
|
||
-- 37-47 unused --
|
||
inappropriateAuthentication (48),
|
||
invalidCredentials (49),
|
||
insufficientAccessRights (50),
|
||
busy (51),
|
||
unavailable (52),
|
||
unwillingToPerform (53),
|
||
loopDetect (54),
|
||
-- 55-63 unused --
|
||
namingViolation (64),
|
||
objectClassViolation (65),
|
||
notAllowedOnNonLeaf (66),
|
||
notAllowedOnRDN (67),
|
||
entryAlreadyExists (68),
|
||
objectClassModsProhibited (69),
|
||
-- 70 reserved for CLDAP --
|
||
affectsMultipleDSAs (71), -- new
|
||
-- 72-79 unused --
|
||
other (80) },
|
||
-- 81-90 reserved for APIs --
|
||
matchedDN LDAPDN,
|
||
errorMessage LDAPString,
|
||
referral [3] Referral OPTIONAL }
|
||
|
||
All the result codes with the exception of success, compareFalse and
|
||
compareTrue are to be treated as meaning the operation could not be
|
||
completed in its entirety.
|
||
|
||
Most of the result codes are based on problem indications from X.511
|
||
error data types. Result codes from 16 to 21 indicate an
|
||
AttributeProblem, codes 32, 33, 34 and 36 indicate a NameProblem,
|
||
codes 48, 49 and 50 indicate a SecurityProblem, codes 51 to 54
|
||
indicate a ServiceProblem, and codes 64 to 69 and 71 indicates an
|
||
UpdateProblem.
|
||
|
||
If a client receives a result code which is not listed above, it is
|
||
to be treated as an unknown error condition.
|
||
|
||
The errorMessage field of this construct may, at the server's option,
|
||
be used to return a string containing a textual, human-readable
|
||
(terminal control and page formatting characters should be avoided)
|
||
error diagnostic. As this error diagnostic is not standardized,
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 17]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
implementations MUST NOT rely on the values returned. If the server
|
||
chooses not to return a textual diagnostic, the errorMessage field of
|
||
the LDAPResult type MUST contain a zero length string.
|
||
|
||
For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
|
||
aliasDereferencingProblem, the matchedDN field is set to the name of
|
||
the lowest entry (object or alias) in the directory that was matched.
|
||
If no aliases were dereferenced while attempting to locate the entry,
|
||
this will be a truncated form of the name provided, or if aliases
|
||
were dereferenced, of the resulting name, as defined in section 12.5
|
||
of X.511 [8]. The matchedDN field is to be set to a zero length
|
||
string with all other result codes.
|
||
|
||
4.1.11. Referral
|
||
|
||
The referral error indicates that the contacted server does not hold
|
||
the target entry of the request. The referral field is present in an
|
||
LDAPResult if the LDAPResult.resultCode field value is referral, and
|
||
absent with all other result codes. It contains a reference to
|
||
another server (or set of servers) which may be accessed via LDAP or
|
||
other protocols. Referrals can be returned in response to any
|
||
operation request (except unbind and abandon which do not have
|
||
responses). At least one URL MUST be present in the Referral.
|
||
|
||
The referral is not returned for a singleLevel or wholeSubtree search
|
||
in which the search scope spans multiple naming contexts, and several
|
||
different servers would need to be contacted to complete the
|
||
operation. Instead, continuation references, described in section
|
||
4.5.3, are returned.
|
||
|
||
Referral ::= SEQUENCE OF LDAPURL -- one or more
|
||
|
||
LDAPURL ::= LDAPString -- limited to characters permitted in URLs
|
||
|
||
If the client wishes to progress the operation, it MUST follow the
|
||
referral by contacting any one of servers. All the URLs MUST be
|
||
equally capable of being used to progress the operation. (The
|
||
mechanisms for how this is achieved by multiple servers are outside
|
||
the scope of this document.)
|
||
|
||
URLs for servers implementing the LDAP protocol are written according
|
||
to [9]. If an alias was dereferenced, the <dn> part of the URL MUST
|
||
be present, with the new target object name. If the <dn> part is
|
||
present, the client MUST use this name in its next request to
|
||
progress the operation, and if it is not present the client will use
|
||
the same name as in the original request. Some servers (e.g.
|
||
participating in distributed indexing) may provide a different filter
|
||
in a referral for a search operation. If the filter part of the URL
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 18]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
is present in an LDAPURL, the client MUST use this filter in its next
|
||
request to progress this search, and if it is not present the client
|
||
MUST use the same filter as it used for that search. Other aspects
|
||
of the new request may be the same or different as the request which
|
||
generated the referral.
|
||
|
||
Note that UTF-8 characters appearing in a DN or search filter may not
|
||
be legal for URLs (e.g. spaces) and MUST be escaped using the %
|
||
method in RFC 1738 [7].
|
||
|
||
Other kinds of URLs may be returned, so long as the operation could
|
||
be performed using that protocol.
|
||
|
||
4.1.12. Controls
|
||
|
||
A control is a way to specify extension information. Controls which
|
||
are sent as part of a request apply only to that request and are not
|
||
saved.
|
||
|
||
Controls ::= SEQUENCE OF Control
|
||
|
||
Control ::= SEQUENCE {
|
||
controlType LDAPOID,
|
||
criticality BOOLEAN DEFAULT FALSE,
|
||
controlValue OCTET STRING OPTIONAL }
|
||
|
||
The controlType field MUST be a UTF-8 encoded dotted-decimal
|
||
representation of an OBJECT IDENTIFIER which uniquely identifies the
|
||
control. This prevents conflicts between control names.
|
||
|
||
The criticality field is either TRUE or FALSE.
|
||
|
||
If the server recognizes the control type and it is appropriate for
|
||
the operation, the server will make use of the control when
|
||
performing the operation.
|
||
|
||
If the server does not recognize the control type and the criticality
|
||
field is TRUE, the server MUST NOT perform the operation, and MUST
|
||
instead return the resultCode unsupportedCriticalExtension.
|
||
|
||
If the control is not appropriate for the operation and criticality
|
||
field is TRUE, the server MUST NOT perform the operation, and MUST
|
||
instead return the resultCode unsupportedCriticalExtension.
|
||
|
||
If the control is unrecognized or inappropriate but the criticality
|
||
field is FALSE, the server MUST ignore the control.
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 19]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
The controlValue contains any information associated with the
|
||
control, and its format is defined for the control. The server MUST
|
||
be prepared to handle arbitrary contents of the controlValue octet
|
||
string, including zero bytes. It is absent only if there is no value
|
||
information which is associated with a control of its type.
|
||
|
||
This document does not define any controls. Controls may be defined
|
||
in other documents. The definition of a control consists of:
|
||
|
||
- the OBJECT IDENTIFIER assigned to the control,
|
||
|
||
- whether the control is always noncritical, always critical, or
|
||
critical at the client's option,
|
||
|
||
- the format of the controlValue contents of the control.
|
||
|
||
Servers list the controls which they recognize in the
|
||
supportedControl attribute in the root DSE.
|
||
|
||
4.2. Bind Operation
|
||
|
||
The function of the Bind Operation is to allow authentication
|
||
information to be exchanged between the client and server.
|
||
|
||
The Bind Request is defined as follows:
|
||
|
||
BindRequest ::= [APPLICATION 0] SEQUENCE {
|
||
version INTEGER (1 .. 127),
|
||
name LDAPDN,
|
||
authentication AuthenticationChoice }
|
||
|
||
AuthenticationChoice ::= CHOICE {
|
||
simple [0] OCTET STRING,
|
||
-- 1 and 2 reserved
|
||
sasl [3] SaslCredentials }
|
||
|
||
SaslCredentials ::= SEQUENCE {
|
||
mechanism LDAPString,
|
||
credentials OCTET STRING OPTIONAL }
|
||
|
||
Parameters of the Bind Request are:
|
||
|
||
- version: A version number indicating the version of the protocol to
|
||
be used in this protocol session. This document describes version
|
||
3 of the LDAP protocol. Note that there is no version negotiation,
|
||
and the client just sets this parameter to the version it desires.
|
||
If the client requests protocol version 2, a server that supports
|
||
the version 2 protocol as described in [2] will not return any v3-
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 20]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
specific protocol fields. (Note that not all LDAP servers will
|
||
support protocol version 2, since they may be unable to generate
|
||
the attribute syntaxes associated with version 2.)
|
||
|
||
- name: The name of the directory object that the client wishes to
|
||
bind as. This field may take on a null value (a zero length
|
||
string) for the purposes of anonymous binds, when authentication
|
||
has been performed at a lower layer, or when using SASL credentials
|
||
with a mechanism that includes the LDAPDN in the credentials.
|
||
|
||
- authentication: information used to authenticate the name, if any,
|
||
provided in the Bind Request.
|
||
|
||
Upon receipt of a Bind Request, a protocol server will authenticate
|
||
the requesting client, if necessary. The server will then return a
|
||
Bind Response to the client indicating the status of the
|
||
authentication.
|
||
|
||
Authorization is the use of this authentication information when
|
||
performing operations. Authorization MAY be affected by factors
|
||
outside of the LDAP Bind request, such as lower layer security
|
||
services.
|
||
|
||
4.2.1. Sequencing of the Bind Request
|
||
|
||
For some SASL authentication mechanisms, it may be necessary for the
|
||
client to invoke the BindRequest multiple times. If at any stage the
|
||
client wishes to abort the bind process it MAY unbind and then drop
|
||
the underlying connection. Clients MUST NOT invoke operations
|
||
between two Bind requests made as part of a multi-stage bind.
|
||
|
||
A client may abort a SASL bind negotiation by sending a BindRequest
|
||
with a different value in the mechanism field of SaslCredentials, or
|
||
an AuthenticationChoice other than sasl.
|
||
|
||
If the client sends a BindRequest with the sasl mechanism field as an
|
||
empty string, the server MUST return a BindResponse with
|
||
authMethodNotSupported as the resultCode. This will allow clients to
|
||
abort a negotiation if it wishes to try again with the same SASL
|
||
mechanism.
|
||
|
||
Unlike LDAP v2, the client need not send a Bind Request in the first
|
||
PDU of the connection. The client may request any operations and the
|
||
server MUST treat these as unauthenticated. If the server requires
|
||
that the client bind before browsing or modifying the directory, the
|
||
server MAY reject a request other than binding, unbinding or an
|
||
extended request with the "operationsError" result.
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 21]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
If the client did not bind before sending a request and receives an
|
||
operationsError, it may then send a Bind Request. If this also fails
|
||
or the client chooses not to bind on the existing connection, it will
|
||
close the connection, reopen it and begin again by first sending a
|
||
PDU with a Bind Request. This will aid in interoperating with
|
||
servers implementing other versions of LDAP.
|
||
|
||
Clients MAY send multiple bind requests on a connection to change
|
||
their credentials. A subsequent bind process has the effect of
|
||
abandoning all operations outstanding on the connection. (This
|
||
simplifies server implementation.) Authentication from earlier binds
|
||
are subsequently ignored, and so if the bind fails, the connection
|
||
will be treated as anonymous. If a SASL transfer encryption or
|
||
integrity mechanism has been negotiated, and that mechanism does not
|
||
support the changing of credentials from one identity to another,
|
||
then the client MUST instead establish a new connection.
|
||
|
||
4.2.2. Authentication and Other Security Services
|
||
|
||
The simple authentication option provides minimal authentication
|
||
facilities, with the contents of the authentication field consisting
|
||
only of a cleartext password. Note that the use of cleartext
|
||
passwords is not recommended over open networks when there is no
|
||
authentication or encryption being performed by a lower layer; see
|
||
the "Security Considerations" section.
|
||
|
||
If no authentication is to be performed, then the simple
|
||
authentication option MUST be chosen, and the password be of zero
|
||
length. (This is often done by LDAPv2 clients.) Typically the DN is
|
||
also of zero length.
|
||
|
||
The sasl choice allows for any mechanism defined for use with SASL
|
||
[12]. The mechanism field contains the name of the mechanism. The
|
||
credentials field contains the arbitrary data used for
|
||
authentication, inside an OCTET STRING wrapper. Note that unlike
|
||
some Internet application protocols where SASL is used, LDAP is not
|
||
text-based, thus no base64 transformations are performed on the
|
||
credentials.
|
||
|
||
If any SASL-based integrity or confidentiality services are enabled,
|
||
they take effect following the transmission by the server and
|
||
reception by the client of the final BindResponse with resultCode
|
||
success.
|
||
|
||
The client can request that the server use authentication information
|
||
from a lower layer protocol by using the SASL EXTERNAL mechanism.
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 22]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
4.2.3. Bind Response
|
||
|
||
The Bind Response is defined as follows.
|
||
|
||
BindResponse ::= [APPLICATION 1] SEQUENCE {
|
||
COMPONENTS OF LDAPResult,
|
||
serverSaslCreds [7] OCTET STRING OPTIONAL }
|
||
|
||
BindResponse consists simply of an indication from the server of he
|
||
status of the client's request for authentication.
|
||
|
||
f the bind was successful, the resultCode will be success, therwise
|
||
it will be one of:
|
||
|
||
- operationsError: server encountered an internal error,
|
||
|
||
- protocolError: unrecognized version number or incorrect PDU
|
||
structure,
|
||
|
||
- authMethodNotSupported: unrecognized SASL mechanism name,
|
||
|
||
- strongAuthRequired: the server requires authentication be
|
||
performed with a SASL mechanism,
|
||
|
||
- referral: this server cannot accept this bind and the client
|
||
should try another,
|
||
|
||
- saslBindInProgress: the server requires the client to send a
|
||
new bind request, with the same sasl mechanism, to continue the
|
||
authentication process,
|
||
|
||
- inappropriateAuthentication: the server requires the client
|
||
which had attempted to bind anonymously or without supplying
|
||
credentials to provide some form of credentials,
|
||
|
||
- invalidCredentials: the wrong password was supplied or the SASL
|
||
credentials could not be processed,
|
||
|
||
- unavailable: the server is shutting down.
|
||
|
||
If the server does not support the client's requested protocol
|
||
version, it MUST set the resultCode to protocolError.
|
||
|
||
If the client receives a BindResponse response where the resultCode
|
||
was protocolError, it MUST close the connection as the server will be
|
||
unwilling to accept further operations. (This is for compatibility
|
||
with earlier versions of LDAP, in which the bind was always the first
|
||
operation, and there was no negotiation.)
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 23]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
The serverSaslCreds are used as part of a SASL-defined bind mechanism
|
||
to allow the client to authenticate the server to which it is
|
||
communicating, or to perform "challenge-response" authentication. If
|
||
the client bound with the password choice, or the SASL mechanism does
|
||
not require the server to return information to the client, then this
|
||
field is not to be included in the result.
|
||
|
||
4.3. Unbind Operation
|
||
|
||
The function of the Unbind Operation is to terminate a protocol
|
||
session. The Unbind Operation is defined as follows:
|
||
|
||
UnbindRequest ::= [APPLICATION 2] NULL
|
||
|
||
The Unbind Operation has no response defined. Upon transmission of an
|
||
UnbindRequest, a protocol client may assume that the protocol session
|
||
is terminated. Upon receipt of an UnbindRequest, a protocol server
|
||
may assume that the requesting client has terminated the session and
|
||
that all outstanding requests may be discarded, and may close the
|
||
connection.
|
||
|
||
4.4. Unsolicited Notification
|
||
|
||
An unsolicited notification is an LDAPMessage sent from the server to
|
||
the client which is not in response to any LDAPMessage received by
|
||
the server. It is used to signal an extraordinary condition in the
|
||
server or in the connection between the client and the server. The
|
||
notification is of an advisory nature, and the server will not expect
|
||
any response to be returned from the client.
|
||
|
||
The unsolicited notification is structured as an LDAPMessage in which
|
||
the messageID is 0 and protocolOp is of the extendedResp form. The
|
||
responseName field of the ExtendedResponse is present. The LDAPOID
|
||
value MUST be unique for this notification, and not be used in any
|
||
other situation.
|
||
|
||
One unsolicited notification is defined in this document.
|
||
|
||
4.4.1. Notice of Disconnection
|
||
|
||
This notification may be used by the server to advise the client that
|
||
the server is about to close the connection due to an error
|
||
condition. Note that this notification is NOT a response to an
|
||
unbind requested by the client: the server MUST follow the procedures
|
||
of section 4.3. This notification is intended to assist clients in
|
||
distinguishing between an error condition and a transient network
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 24]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
failure. As with a connection close due to network failure, the
|
||
client MUST NOT assume that any outstanding requests which modified
|
||
the directory have succeeded or failed.
|
||
|
||
The responseName is 1.3.6.1.4.1.1466.20036, the response field is
|
||
absent, and the resultCode is used to indicate the reason for the
|
||
disconnection.
|
||
|
||
The following resultCode values are to be used in this notification:
|
||
|
||
- protocolError: The server has received data from the client in
|
||
which
|
||
the LDAPMessage structure could not be parsed.
|
||
|
||
- strongAuthRequired: The server has detected that an established
|
||
underlying security association protecting communication between
|
||
the client and server has unexpectedly failed or been compromised.
|
||
|
||
- unavailable: This server will stop accepting new connections and
|
||
operations on all existing connections, and be unavailable for an
|
||
extended period of time. The client may make use of an alternative
|
||
server.
|
||
|
||
After sending this notice, the server MUST close the connection.
|
||
After receiving this notice, the client MUST NOT transmit any further
|
||
on the connection, and may abruptly close the connection.
|
||
|
||
4.5. Search Operation
|
||
|
||
The Search Operation allows a client to request that a search be
|
||
performed on its behalf by a server. This can be used to read
|
||
attributes from a single entry, from entries immediately below a
|
||
particular entry, or a whole subtree of entries.
|
||
|
||
4.5.1. Search Request
|
||
|
||
The Search Request is defined as follows:
|
||
|
||
SearchRequest ::= [APPLICATION 3] SEQUENCE {
|
||
baseObject LDAPDN,
|
||
scope ENUMERATED {
|
||
baseObject (0),
|
||
singleLevel (1),
|
||
wholeSubtree (2) },
|
||
derefAliases ENUMERATED {
|
||
neverDerefAliases (0),
|
||
derefInSearching (1),
|
||
derefFindingBaseObj (2),
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 25]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
derefAlways (3) },
|
||
sizeLimit INTEGER (0 .. maxInt),
|
||
timeLimit INTEGER (0 .. maxInt),
|
||
typesOnly BOOLEAN,
|
||
filter Filter,
|
||
attributes AttributeDescriptionList }
|
||
|
||
Filter ::= CHOICE {
|
||
and [0] SET OF Filter,
|
||
or [1] SET OF Filter,
|
||
not [2] Filter,
|
||
equalityMatch [3] AttributeValueAssertion,
|
||
substrings [4] SubstringFilter,
|
||
greaterOrEqual [5] AttributeValueAssertion,
|
||
lessOrEqual [6] AttributeValueAssertion,
|
||
present [7] AttributeDescription,
|
||
approxMatch [8] AttributeValueAssertion,
|
||
extensibleMatch [9] MatchingRuleAssertion }
|
||
|
||
SubstringFilter ::= SEQUENCE {
|
||
type AttributeDescription,
|
||
-- at least one must be present
|
||
substrings SEQUENCE OF CHOICE {
|
||
initial [0] LDAPString,
|
||
any [1] LDAPString,
|
||
final [2] LDAPString } }
|
||
|
||
MatchingRuleAssertion ::= SEQUENCE {
|
||
matchingRule [1] MatchingRuleId OPTIONAL,
|
||
type [2] AttributeDescription OPTIONAL,
|
||
matchValue [3] AssertionValue,
|
||
dnAttributes [4] BOOLEAN DEFAULT FALSE }
|
||
|
||
Parameters of the Search Request are:
|
||
|
||
- baseObject: An LDAPDN that is the base object entry relative to
|
||
which the search is to be performed.
|
||
|
||
- scope: An indicator of the scope of the search to be performed. The
|
||
semantics of the possible values of this field are identical to the
|
||
semantics of the scope field in the X.511 Search Operation.
|
||
|
||
- derefAliases: An indicator as to how alias objects (as defined in
|
||
X.501) are to be handled in searching. The semantics of the
|
||
possible values of this field are:
|
||
|
||
neverDerefAliases: do not dereference aliases in searching
|
||
or in locating the base object of the search;
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 26]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
derefInSearching: dereference aliases in subordinates of
|
||
the base object in searching, but not in locating the
|
||
base object of the search;
|
||
|
||
derefFindingBaseObj: dereference aliases in locating
|
||
the base object of the search, but not when searching
|
||
subordinates of the base object;
|
||
|
||
derefAlways: dereference aliases both in searching and in
|
||
locating the base object of the search.
|
||
|
||
- sizelimit: A sizelimit that restricts the maximum number of entries
|
||
to be returned as a result of the search. A value of 0 in this
|
||
field indicates that no client-requested sizelimit restrictions are
|
||
in effect for the search. Servers may enforce a maximum number of
|
||
entries to return.
|
||
|
||
- timelimit: A timelimit that restricts the maximum time (in seconds)
|
||
allowed for a search. A value of 0 in this field indicates that no
|
||
client-requested timelimit restrictions are in effect for the
|
||
search.
|
||
|
||
- typesOnly: An indicator as to whether search results will contain
|
||
both attribute types and values, or just attribute types. Setting
|
||
this field to TRUE causes only attribute types (no values) to be
|
||
returned. Setting this field to FALSE causes both attribute types
|
||
and values to be returned.
|
||
|
||
- filter: A filter that defines the conditions that must be fulfilled
|
||
in order for the search to match a given entry.
|
||
|
||
The 'and', 'or' and 'not' choices can be used to form combinations of
|
||
filters. At least one filter element MUST be present in an 'and' or
|
||
'or' choice. The others match against individual attribute values of
|
||
entries in the scope of the search. (Implementor's note: the 'not'
|
||
filter is an example of a tagged choice in an implicitly-tagged
|
||
module. In BER this is treated as if the tag was explicit.)
|
||
|
||
A server MUST evaluate filters according to the three-valued logic
|
||
of X.511(93) section 7.8.1. In summary, a filter is evaluated to
|
||
either "TRUE", "FALSE" or "Undefined". If the filter evaluates
|
||
to TRUE for a particular entry, then the attributes of that entry
|
||
are returned as part of the search result (subject to any applicable
|
||
access control restrictions). If the filter evaluates to FALSE or
|
||
Undefined, then the entry is ignored for the search.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 27]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
A filter of the "and" choice is TRUE if all the filters in the SET
|
||
OF evaluate to TRUE, FALSE if at least one filter is FALSE, and
|
||
otherwise Undefined. A filter of the "or" choice is FALSE if all
|
||
of the filters in the SET OF evaluate to FALSE, TRUE if at least
|
||
one filter is TRUE, and Undefined otherwise. A filter of the "not"
|
||
choice is TRUE if the filter being negated is FALSE, FALSE if it is
|
||
TRUE, and Undefined if it is Undefined.
|
||
|
||
The present match evaluates to TRUE where there is an attribute or
|
||
subtype of the specified attribute description present in an entry,
|
||
and FALSE otherwise (including a presence test with an unrecognized
|
||
attribute description.)
|
||
|
||
The extensibleMatch is new in this version of LDAP. If the
|
||
matchingRule field is absent, the type field MUST be present, and
|
||
the equality match is performed for that type. If the type field is
|
||
absent and matchingRule is present, the matchValue is compared
|
||
against all attributes in an entry which support that matchingRule,
|
||
and the matchingRule determines the syntax for the assertion value
|
||
(the filter item evaluates to TRUE if it matches with at least
|
||
one attribute in the entry, FALSE if it does not match any attribute
|
||
in the entry, and Undefined if the matchingRule is not recognized
|
||
or the assertionValue cannot be parsed.) If the type field is
|
||
present and matchingRule is present, the matchingRule MUST be one
|
||
permitted for use with that type, otherwise the filter item is
|
||
undefined. If the dnAttributes field is set to TRUE, the match is
|
||
applied against all the attributes in an entry's distinguished name
|
||
as well, and also evaluates to TRUE if there is at least one
|
||
attribute in the distinguished name for which the filter item
|
||
evaluates to TRUE. (Editors note: The dnAttributes field is present
|
||
so that there does not need to be multiple versions of generic
|
||
matching rules such as for word matching, one to apply to entries
|
||
and another to apply to entries and dn attributes as well).
|
||
|
||
A filter item evaluates to Undefined when the server would not
|
||
be able to determine whether the assertion value matches an
|
||
entry. If an attribute description in an equalityMatch, substrings,
|
||
greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch
|
||
filter is not recognized by the server, a matching rule id in the
|
||
extensibleMatch is not recognized by the server, the assertion
|
||
value cannot be parsed, or the type of filtering requested is not
|
||
implemented, then the filter is Undefined. Thus for example if a
|
||
server did not recognize the attribute type shoeSize, a filter of
|
||
(shoeSize=*) would evaluate to FALSE, and the filters (shoeSize=12),
|
||
(shoeSize>=12) and (shoeSize<=12) would evaluate to Undefined.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 28]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
Servers MUST NOT return errors if attribute descriptions or matching
|
||
rule ids are not recognized, or assertion values cannot be parsed.
|
||
More details of filter processing are given in section 7.8 of X.511
|
||
[8].
|
||
|
||
- attributes: A list of the attributes to be returned from each entry
|
||
which matches the search filter. There are two special values which
|
||
may be used: an empty list with no attributes, and the attribute
|
||
description string "*". Both of these signify that all user
|
||
attributes are to be returned. (The "*" allows the client to
|
||
request all user attributes in addition to specific operational
|
||
attributes).
|
||
|
||
Attributes MUST be named at most once in the list, and are returned
|
||
at most once in an entry. If there are attribute descriptions in
|
||
the list which are not recognized, they are ignored by the server.
|
||
|
||
If the client does not want any attributes returned, it can specify
|
||
a list containing only the attribute with OID "1.1". This OID was
|
||
chosen arbitrarily and does not correspond to any attribute in use.
|
||
|
||
Client implementors should note that even if all user attributes are
|
||
requested, some attributes of the entry may not be included in
|
||
search results due to access control or other restrictions.
|
||
Furthermore, servers will not return operational attributes, such
|
||
as objectClasses or attributeTypes, unless they are listed by name,
|
||
since there may be extremely large number of values for certain
|
||
operational attributes. (A list of operational attributes for use
|
||
in LDAP is given in [5].)
|
||
|
||
Note that an X.500 "list"-like operation can be emulated by the client
|
||
requesting a one-level LDAP search operation with a filter checking
|
||
for the existence of the objectClass attribute, and that an X.500
|
||
"read"-like operation can be emulated by a base object LDAP search
|
||
operation with the same filter. A server which provides a gateway to
|
||
X.500 is not required to use the Read or List operations, although it
|
||
may choose to do so, and if it does must provide the same semantics
|
||
as the X.500 search operation.
|
||
|
||
4.5.2. Search Result
|
||
|
||
The results of the search attempted by the server upon receipt of a
|
||
Search Request are returned in Search Responses, which are LDAP
|
||
messages containing either SearchResultEntry, SearchResultReference,
|
||
ExtendedResponse or SearchResultDone data types.
|
||
|
||
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
|
||
objectName LDAPDN,
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 29]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
attributes PartialAttributeList }
|
||
|
||
PartialAttributeList ::= SEQUENCE OF SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
-- implementors should note that the PartialAttributeList may
|
||
-- have zero elements (if none of the attributes of that entry
|
||
-- were requested, or could be returned), and that the vals set
|
||
-- may also have zero elements (if types only was requested, or
|
||
-- all values were excluded from the result.)
|
||
|
||
SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
|
||
-- at least one LDAPURL element must be present
|
||
|
||
SearchResultDone ::= [APPLICATION 5] LDAPResult
|
||
|
||
Upon receipt of a Search Request, a server will perform the necessary
|
||
search of the DIT.
|
||
|
||
If the LDAP session is operating over a connection-oriented transport
|
||
such as TCP, the server will return to the client a sequence of
|
||
responses in separate LDAP messages. There may be zero or more
|
||
responses containing SearchResultEntry, one for each entry found
|
||
during the search. There may also be zero or more responses
|
||
containing SearchResultReference, one for each area not explored by
|
||
this server during the search. The SearchResultEntry and
|
||
SearchResultReference PDUs may come in any order. Following all the
|
||
SearchResultReference responses and all SearchResultEntry responses
|
||
to be returned by the server, the server will return a response
|
||
containing the SearchResultDone, which contains an indication of
|
||
success, or detailing any errors that have occurred.
|
||
|
||
Each entry returned in a SearchResultEntry will contain all
|
||
attributes, complete with associated values if necessary, as
|
||
specified in the attributes field of the Search Request. Return of
|
||
attributes is subject to access control and other administrative
|
||
policy. Some attributes may be returned in binary format (indicated
|
||
by the AttributeDescription in the response having the binary option
|
||
present).
|
||
|
||
Some attributes may be constructed by the server and appear in a
|
||
SearchResultEntry attribute list, although they are not stored
|
||
attributes of an entry. Clients MUST NOT assume that all attributes
|
||
can be modified, even if permitted by access control.
|
||
|
||
LDAPMessage responses of the ExtendedResponse form are reserved for
|
||
returning information associated with a control requested by the
|
||
client. These may be defined in future versions of this document.
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 30]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
4.5.3. Continuation References in the Search Result
|
||
|
||
If the server was able to locate the entry referred to by the
|
||
baseObject but was unable to search all the entries in the scope at
|
||
and under the baseObject, the server may return one or more
|
||
SearchResultReference, each containing a reference to another set of
|
||
servers for continuing the operation. A server MUST NOT return any
|
||
SearchResultReference if it has not located the baseObject and
|
||
thus has not searched any entries; in this case it would return a
|
||
SearchResultDone containing a referral resultCode.
|
||
|
||
In the absence of indexing information provided to a server from
|
||
servers holding subordinate naming contexts, SearchResultReference
|
||
responses are not affected by search filters and are always returned
|
||
when in scope.
|
||
|
||
The SearchResultReference is of the same data type as the Referral.
|
||
URLs for servers implementing the LDAP protocol are written according
|
||
to [9]. The <dn> part MUST be present in the URL, with the new target
|
||
object name. The client MUST use this name in its next request.
|
||
Some servers (e.g. part of a distributed index exchange system) may
|
||
provide a different filter in the URLs of the SearchResultReference.
|
||
If the filter part of the URL is present in an LDAP URL, the client
|
||
MUST use the new filter in its next request to progress the search,
|
||
and if the filter part is absent the client will use again the same
|
||
filter. Other aspects of the new search request may be the same or
|
||
different as the search which generated the continuation references.
|
||
|
||
Other kinds of URLs may be returned so long as the operation could be
|
||
performed using that protocol.
|
||
|
||
The name of an unexplored subtree in a SearchResultReference need not
|
||
be subordinate to the base object.
|
||
|
||
In order to complete the search, the client MUST issue a new search
|
||
operation for each SearchResultReference that is returned. Note that
|
||
the abandon operation described in section 4.11 applies only to a
|
||
particular operation sent on a connection between a client and server,
|
||
and if the client has multiple outstanding search operations to
|
||
different servers, it MUST abandon each operation individually.
|
||
|
||
4.5.3.1. Example
|
||
|
||
For example, suppose the contacted server (hosta) holds the entry
|
||
"O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW". It knows that
|
||
either LDAP-capable servers (hostb) or (hostc) hold
|
||
"OU=People,O=MNN,C=WW" (one is the master and the other server a
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 31]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
shadow), and that LDAP-capable server (hostd) holds the subtree
|
||
"OU=Roles,O=MNN,C=WW". If a subtree search of "O=MNN,C=WW" is
|
||
requested to the contacted server, it may return the following:
|
||
|
||
SearchResultEntry for O=MNN,C=WW
|
||
SearchResultEntry for CN=Manager,O=MNN,C=WW
|
||
SearchResultReference {
|
||
ldap://hostb/OU=People,O=MNN,C=WW
|
||
ldap://hostc/OU=People,O=MNN,C=WW
|
||
}
|
||
SearchResultReference {
|
||
ldap://hostd/OU=Roles,O=MNN,C=WW
|
||
}
|
||
SearchResultDone (success)
|
||
|
||
Client implementors should note that when following a
|
||
SearchResultReference, additional SearchResultReference may be
|
||
generated. Continuing the example, if the client contacted the
|
||
server (hostb) and issued the search for the subtree
|
||
"OU=People,O=MNN,C=WW", the server might respond as follows:
|
||
|
||
SearchResultEntry for OU=People,O=MNN,C=WW
|
||
SearchResultReference {
|
||
ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
|
||
}
|
||
SearchResultReference {
|
||
ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
|
||
}
|
||
SearchResultDone (success)
|
||
|
||
If the contacted server does not hold the base object for the search,
|
||
then it will return a referral to the client. For example, if the
|
||
client requests a subtree search of "O=XYZ,C=US" to hosta, the server
|
||
may return only a SearchResultDone containing a referral.
|
||
|
||
SearchResultDone (referral) {
|
||
ldap://hostg/
|
||
}
|
||
|
||
4.6. Modify Operation
|
||
|
||
The Modify Operation allows a client to request that a modification
|
||
of an entry be performed on its behalf by a server. The Modify
|
||
Request is defined as follows:
|
||
|
||
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
|
||
object LDAPDN,
|
||
modification SEQUENCE OF SEQUENCE {
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 32]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
operation ENUMERATED {
|
||
add (0),
|
||
delete (1),
|
||
replace (2) },
|
||
modification AttributeTypeAndValues } }
|
||
|
||
AttributeTypeAndValues ::= SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
Parameters of the Modify Request are:
|
||
|
||
- object: The object to be modified. The value of this field contains
|
||
the DN of the entry to be modified. The server will not perform
|
||
any alias dereferencing in determining the object to be modified.
|
||
|
||
- modification: A list of modifications to be performed on the entry.
|
||
The entire list of entry modifications MUST be performed
|
||
in the order they are listed, as a single atomic operation. While
|
||
individual modifications may violate the directory schema, the
|
||
resulting entry after the entire list of modifications is performed
|
||
MUST conform to the requirements of the directory schema. The
|
||
values that may be taken on by the 'operation' field in each
|
||
modification construct have the following semantics respectively:
|
||
|
||
add: add values listed to the given attribute, creating
|
||
the attribute if necessary;
|
||
|
||
delete: delete values listed from the given attribute,
|
||
removing the entire attribute if no values are listed, or
|
||
if all current values of the attribute are listed for
|
||
deletion;
|
||
|
||
replace: replace all existing values of the given attribute
|
||
with the new values listed, creating the attribute if it
|
||
did not already exist. A replace with no value will delete
|
||
the entire attribute if it exists, and is ignored if the
|
||
attribute does not exist.
|
||
|
||
The result of the modify attempted by the server upon receipt of a
|
||
Modify Request is returned in a Modify Response, defined as follows:
|
||
|
||
ModifyResponse ::= [APPLICATION 7] LDAPResult
|
||
|
||
Upon receipt of a Modify Request, a server will perform the necessary
|
||
modifications to the DIT.
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 33]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
The server will return to the client a single Modify Response
|
||
indicating either the successful completion of the DIT modification,
|
||
or the reason that the modification failed. Note that due to the
|
||
requirement for atomicity in applying the list of modifications in
|
||
the Modify Request, the client may expect that no modifications of
|
||
the DIT have been performed if the Modify Response received indicates
|
||
any sort of error, and that all requested modifications have been
|
||
performed if the Modify Response indicates successful completion of
|
||
the Modify Operation. If the connection fails, whether the
|
||
modification occurred or not is indeterminate.
|
||
|
||
The Modify Operation cannot be used to remove from an entry any of
|
||
its distinguished values, those values which form the entry's
|
||
relative distinguished name. An attempt to do so will result in the
|
||
server returning the error notAllowedOnRDN. The Modify DN Operation
|
||
described in section 4.9 is used to rename an entry.
|
||
|
||
If an equality match filter has not been defined for an attribute type,
|
||
clients MUST NOT attempt to delete individual values of that attribute
|
||
from an entry using the "delete" form of a modification, and MUST
|
||
instead use the "replace" form.
|
||
|
||
Note that due to the simplifications made in LDAP, there is not a
|
||
direct mapping of the modifications in an LDAP ModifyRequest onto the
|
||
EntryModifications of a DAP ModifyEntry operation, and different
|
||
implementations of LDAP-DAP gateways may use different means of
|
||
representing the change. If successful, the final effect of the
|
||
operations on the entry MUST be identical.
|
||
|
||
4.7. Add Operation
|
||
|
||
The Add Operation allows a client to request the addition of an entry
|
||
into the directory. The Add Request is defined as follows:
|
||
|
||
AddRequest ::= [APPLICATION 8] SEQUENCE {
|
||
entry LDAPDN,
|
||
attributes AttributeList }
|
||
|
||
AttributeList ::= SEQUENCE OF SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
Parameters of the Add Request are:
|
||
|
||
- entry: the Distinguished Name of the entry to be added. Note that
|
||
the server will not dereference any aliases in locating the entry
|
||
to be added.
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 34]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
- attributes: the list of attributes that make up the content of the
|
||
entry being added. Clients MUST include distinguished values
|
||
(those forming the entry's own RDN) in this list, the objectClass
|
||
attribute, and values of any mandatory attributes of the listed
|
||
object classes. Clients MUST NOT supply the createTimestamp or
|
||
creatorsName attributes, since these will be generated
|
||
automatically by the server.
|
||
|
||
The entry named in the entry field of the AddRequest MUST NOT exist
|
||
for the AddRequest to succeed. The parent of the entry to be added
|
||
MUST exist. For example, if the client attempted to add
|
||
"CN=JS,O=Foo,C=US", the "O=Foo,C=US" entry did not exist, and the
|
||
"C=US" entry did exist, then the server would return the error
|
||
noSuchObject with the matchedDN field containing "C=US". If the
|
||
parent entry exists but is not in a naming context held by the
|
||
server, the server SHOULD return a referral to the server holding the
|
||
parent entry.
|
||
|
||
Servers implementations SHOULD NOT restrict where entries can be
|
||
located in the directory. Some servers MAY allow the administrator
|
||
to restrict the classes of entries which can be added to the
|
||
directory.
|
||
|
||
Upon receipt of an Add Request, a server will attempt to perform the
|
||
add requested. The result of the add attempt will be returned to the
|
||
client in the Add Response, defined as follows:
|
||
|
||
AddResponse ::= [APPLICATION 9] LDAPResult
|
||
|
||
A response of success indicates that the new entry is present in the
|
||
directory.
|
||
|
||
4.8. Delete Operation
|
||
|
||
The Delete Operation allows a client to request the removal of an
|
||
entry from the directory. The Delete Request is defined as follows:
|
||
|
||
DelRequest ::= [APPLICATION 10] LDAPDN
|
||
|
||
The Delete Request consists of the Distinguished Name of the entry to
|
||
be deleted. Note that the server will not dereference aliases while
|
||
resolving the name of the target entry to be removed, and that only
|
||
leaf entries (those with no subordinate entries) can be deleted with
|
||
this operation.
|
||
|
||
The result of the delete attempted by the server upon receipt of a
|
||
Delete Request is returned in the Delete Response, defined as
|
||
follows:
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 35]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
DelResponse ::= [APPLICATION 11] LDAPResult
|
||
|
||
Upon receipt of a Delete Request, a server will attempt to perform
|
||
the entry removal requested. The result of the delete attempt will be
|
||
returned to the client in the Delete Response.
|
||
|
||
4.9. Modify DN Operation
|
||
|
||
The Modify DN Operation allows a client to change the leftmost (least
|
||
significant) component of the name of an entry in the directory, or
|
||
to move a subtree of entries to a new location in the directory. The
|
||
Modify DN Request is defined as follows:
|
||
|
||
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
|
||
entry LDAPDN,
|
||
newrdn RelativeLDAPDN,
|
||
deleteoldrdn BOOLEAN,
|
||
newSuperior [0] LDAPDN OPTIONAL }
|
||
|
||
Parameters of the Modify DN Request are:
|
||
|
||
- entry: the Distinguished Name of the entry to be changed. This
|
||
entry may or may not have subordinate entries.
|
||
|
||
- newrdn: the RDN that will form the leftmost component of the new
|
||
name of the entry.
|
||
|
||
- deleteoldrdn: a boolean parameter that controls whether the old RDN
|
||
attribute values are to be retained as attributes of the entry, or
|
||
deleted from the entry.
|
||
|
||
- newSuperior: if present, this is the Distinguished Name of the entry
|
||
which becomes the immediate superior of the existing entry.
|
||
|
||
The result of the name change attempted by the server upon receipt of
|
||
a Modify DN Request is returned in the Modify DN Response, defined
|
||
as follows:
|
||
|
||
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
|
||
|
||
Upon receipt of a ModifyDNRequest, a server will attempt to
|
||
perform the name change. The result of the name change attempt will
|
||
be returned to the client in the Modify DN Response.
|
||
|
||
For example, if the entry named in the "entry" parameter was
|
||
"cn=John Smith,c=US", the newrdn parameter was "cn=John Cougar Smith",
|
||
and the newSuperior parameter was absent, then this operation would
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 36]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
attempt to rename the entry to be "cn=John Cougar Smith,c=US". If
|
||
there was already an entry with that name, the operation would fail
|
||
with error code entryAlreadyExists.
|
||
|
||
If the deleteoldrdn parameter is TRUE, the values forming the old
|
||
RDN are deleted from the entry. If the deleteoldrdn parameter is
|
||
FALSE, the values forming the old RDN will be retained as
|
||
non-distinguished attribute values of the entry. The server may
|
||
not perform the operation and return an error code if the setting of
|
||
the deleteoldrdn parameter would cause a schema inconsistency in the
|
||
entry.
|
||
|
||
Note that X.500 restricts the ModifyDN operation to only affect
|
||
entries that are contained within a single server. If the LDAP
|
||
server is mapped onto DAP, then this restriction will apply, and the
|
||
resultCode affectsMultipleDSAs will be returned if this error
|
||
occurred. In general clients MUST NOT expect to be able to perform
|
||
arbitrary movements of entries and subtrees between servers.
|
||
|
||
4.10. Compare Operation
|
||
|
||
The Compare Operation allows a client to compare an assertion
|
||
provided with an entry in the directory. The Compare Request is
|
||
defined as follows:
|
||
|
||
CompareRequest ::= [APPLICATION 14] SEQUENCE {
|
||
entry LDAPDN,
|
||
ava AttributeValueAssertion }
|
||
|
||
Parameters of the Compare Request are:
|
||
|
||
- entry: the name of the entry to be compared with.
|
||
|
||
- ava: the assertion with which an attribute in the entry is to be
|
||
compared.
|
||
|
||
The result of the compare attempted by the server upon receipt of a
|
||
Compare Request is returned in the Compare Response, defined as
|
||
follows:
|
||
|
||
CompareResponse ::= [APPLICATION 15] LDAPResult
|
||
|
||
Upon receipt of a Compare Request, a server will attempt to perform
|
||
the requested comparison. The result of the comparison will be
|
||
returned to the client in the Compare Response. Note that errors and
|
||
the result of comparison are all returned in the same construct.
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 37]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
Note that some directory systems may establish access controls which
|
||
permit the values of certain attributes (such as userPassword) to be
|
||
compared but not read. In a search result, it may be that an
|
||
attribute of that type would be returned, but with an empty set of
|
||
values.
|
||
|
||
4.11. Abandon Operation
|
||
|
||
The function of the Abandon Operation is to allow a client to request
|
||
that the server abandon an outstanding operation. The Abandon
|
||
Request is defined as follows:
|
||
|
||
AbandonRequest ::= [APPLICATION 16] MessageID
|
||
|
||
The MessageID MUST be that of a an operation which was requested
|
||
earlier in this connection.
|
||
|
||
(The abandon request itself has its own message id. This is distinct
|
||
from the id of the earlier operation being abandoned.)
|
||
|
||
There is no response defined in the Abandon Operation. Upon
|
||
transmission of an Abandon Operation, a client may expect that the
|
||
operation identified by the Message ID in the Abandon Request has
|
||
been abandoned. In the event that a server receives an Abandon
|
||
Request on a Search Operation in the midst of transmitting responses
|
||
to the search, that server MUST cease transmitting entry responses to
|
||
the abandoned request immediately, and MUST NOT send the
|
||
SearchResponseDone. Of course, the server MUST ensure that only
|
||
properly encoded LDAPMessage PDUs are transmitted.
|
||
|
||
Clients MUST NOT send abandon requests for the same operation
|
||
multiple times, and MUST also be prepared to receive results from
|
||
operations it has abandoned (since these may have been in transit
|
||
when the abandon was requested).
|
||
|
||
Servers MUST discard abandon requests for message IDs they do not
|
||
recognize, for operations which cannot be abandoned, and for
|
||
operations which have already been abandoned.
|
||
|
||
4.12. Extended Operation
|
||
|
||
An extension mechanism has been added in this version of LDAP, in
|
||
order to allow additional operations to be defined for services not
|
||
available elsewhere in this protocol, for instance digitally signed
|
||
operations and results.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 38]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
The extended operation allows clients to make requests and receive
|
||
responses with predefined syntaxes and semantics. These may be
|
||
defined in RFCs or be private to particular implementations. Each
|
||
request MUST have a unique OBJECT IDENTIFIER assigned to it.
|
||
|
||
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
|
||
requestName [0] LDAPOID,
|
||
requestValue [1] OCTET STRING OPTIONAL }
|
||
|
||
The requestName is a dotted-decimal representation of the OBJECT
|
||
IDENTIFIER corresponding to the request. The requestValue is
|
||
information in a form defined by that request, encapsulated inside an
|
||
OCTET STRING.
|
||
|
||
The server will respond to this with an LDAPMessage containing the
|
||
ExtendedResponse.
|
||
|
||
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
|
||
COMPONENTS OF LDAPResult,
|
||
responseName [10] LDAPOID OPTIONAL,
|
||
response [11] OCTET STRING OPTIONAL }
|
||
|
||
If the server does not recognize the request name, it MUST return
|
||
only the response fields from LDAPResult, containing the
|
||
protocolError result code.
|
||
|
||
5. Protocol Element Encodings and Transfer
|
||
|
||
One underlying service is defined here. Clients and servers SHOULD
|
||
implement the mapping of LDAP over TCP described in 5.2.1.
|
||
|
||
5.1. Mapping Onto BER-based Transport Services
|
||
|
||
The protocol elements of LDAP are encoded for exchange using the
|
||
Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
|
||
high overhead involved in using certain elements of the BER, the
|
||
following additional restrictions are placed on BER-encodings of LDAP
|
||
protocol elements:
|
||
|
||
(1) Only the definite form of length encoding will be used.
|
||
|
||
(2) OCTET STRING values will be encoded in the primitive form only.
|
||
|
||
(3) If the value of a BOOLEAN type is true, the encoding MUST have
|
||
its contents octets set to hex "FF".
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 39]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
(4) If a value of a type is its default value, it MUST be absent.
|
||
Only some BOOLEAN and INTEGER types have default values in this
|
||
protocol definition.
|
||
|
||
These restrictions do not apply to ASN.1 types encapsulated inside of
|
||
OCTET STRING values, such as attribute values, unless otherwise
|
||
noted.
|
||
|
||
5.2. Transfer Protocols
|
||
|
||
This protocol is designed to run over connection-oriented, reliable
|
||
transports, with all 8 bits in an octet being significant in the data
|
||
stream.
|
||
|
||
5.2.1. Transmission Control Protocol (TCP)
|
||
|
||
The LDAPMessage PDUs are mapped directly onto the TCP bytestream. It
|
||
is recommended that server implementations running over the TCP MAY
|
||
provide a protocol listener on the assigned port, 389. Servers may
|
||
instead provide a listener on a different port number. Clients MUST
|
||
support contacting servers on any valid TCP port.
|
||
|
||
6. Implementation Guidelines
|
||
|
||
This document describes an Internet protocol.
|
||
|
||
6.1. Server Implementations
|
||
|
||
The server MUST be capable of recognizing all the mandatory attribute
|
||
type names and implement the syntaxes specified in [5]. Servers MAY
|
||
also recognize additional attribute type names.
|
||
|
||
6.2. Client Implementations
|
||
|
||
Clients which request referrals MUST ensure that they do not loop
|
||
between servers. They MUST NOT repeatedly contact the same server for
|
||
the same request with the same target entry name, scope and filter.
|
||
Some clients may be using a counter that is incremented each time
|
||
referral handling occurs for an operation, and these kinds of clients
|
||
MUST be able to handle a DIT with at least ten layers of naming
|
||
contexts between the root and a leaf entry.
|
||
|
||
In the absence of prior agreements with servers, clients SHOULD NOT
|
||
assume that servers support any particular schemas beyond those
|
||
referenced in section 6.1. Different schemas can have different
|
||
attribute types with the same names. The client can retrieve the
|
||
subschema entries referenced by the subschemaSubentry attribute in
|
||
the server's root DSE or in entries held by the server.
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 40]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
7. Security Considerations
|
||
|
||
When used with a connection-oriented transport, this version of the
|
||
protocol provides facilities for the LDAP v2 authentication
|
||
mechanism, simple authentication using a cleartext password, as well
|
||
as any SASL mechanism [12]. SASL allows for integrity and privacy
|
||
services to be negotiated.
|
||
|
||
It is also permitted that the server can return its credentials to
|
||
the client, if it chooses to do so.
|
||
|
||
Use of cleartext password is strongly discouraged where the
|
||
underlying transport service cannot guarantee confidentiality and may
|
||
result in disclosure of the password to unauthorized parties.
|
||
|
||
When used with SASL, it should be noted that the name field of the
|
||
BindRequest is not protected against modification. Thus if the
|
||
distinguished name of the client (an LDAPDN) is agreed through the
|
||
negotiation of the credentials, it takes precedence over any value in
|
||
the unprotected name field.
|
||
|
||
Implementations which cache attributes and entries obtained via LDAP
|
||
MUST ensure that access controls are maintained if that information
|
||
is to be provided to multiple clients, since servers may have access
|
||
control policies which prevent the return of entries or attributes in
|
||
search results except to particular authenticated clients. For
|
||
example, caches could serve result information only to the client
|
||
whose request caused it to be cache.
|
||
|
||
8. Acknowledgements
|
||
|
||
This document is an update to RFC 1777, by Wengyik Yeong, Tim Howes,
|
||
and Steve Kille. Design ideas included in this document are based on
|
||
those discussed in ASID and other IETF Working Groups. The
|
||
contributions of individuals in these working groups is gratefully
|
||
acknowledged.
|
||
|
||
9. Bibliography
|
||
|
||
[1] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models
|
||
and Service", 1993.
|
||
|
||
[2] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory Access
|
||
Protocol", RFC 1777, March 1995.
|
||
|
||
[3] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
|
||
Specification of Basic Notation", 1994.
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 41]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
[4] Kille, S., Wahl, M., and T. Howes, "Lightweight Directory Access
|
||
Protocol (v3): UTF-8 String Representation of Distinguished
|
||
Names", RFC 2253, December 1997.
|
||
|
||
[5] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
|
||
Directory Access Protocol (v3): Attribute Syntax Definitions",
|
||
RFC 2252, December 1997.
|
||
|
||
[6] ITU-T Rec. X.501, "The Directory: Models", 1993.
|
||
|
||
[7] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
|
||
Resource Locators (URL)", RFC 1738, December 1994.
|
||
|
||
[8] ITU-T Rec. X.511, "The Directory: Abstract Service Definition",
|
||
1993.
|
||
|
||
[9] Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
|
||
December 1997.
|
||
|
||
[10] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
||
Levels", RFC 2119, March 1997.
|
||
|
||
[11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic,
|
||
Canonical, and Distinguished Encoding Rules", 1994.
|
||
|
||
[12] Meyers, J., "Simple Authentication and Security Layer",
|
||
RFC 2222, October 1997.
|
||
|
||
[13] Universal Multiple-Octet Coded Character Set (UCS) -
|
||
Architecture and Basic Multilingual Plane, ISO/IEC 10646-1 :
|
||
1993.
|
||
|
||
[14] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
|
||
10646", RFC 2044, October 1996.
|
||
|
||
10. Authors' Addresses
|
||
|
||
Mark Wahl
|
||
Critical Angle Inc.
|
||
4815 W Braker Lane #502-385
|
||
Austin, TX 78759
|
||
USA
|
||
|
||
Phone: +1 512 372-3160
|
||
EMail: M.Wahl@critical-angle.com
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 42]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
Tim Howes
|
||
Netscape Communications Corp.
|
||
501 E. Middlefield Rd., MS MV068
|
||
Mountain View, CA 94043
|
||
USA
|
||
|
||
Phone: +1 650 937-3419
|
||
EMail: howes@netscape.com
|
||
|
||
Steve Kille
|
||
Isode Limited
|
||
The Dome, The Square
|
||
Richmond
|
||
TW9 1DT
|
||
UK
|
||
|
||
Phone: +44-181-332-9091
|
||
EMail: S.Kille@isode.com
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 43]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
Appendix A - Complete ASN.1 Definition
|
||
|
||
Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
|
||
IMPLICIT TAGS ::=
|
||
|
||
BEGIN
|
||
|
||
LDAPMessage ::= SEQUENCE {
|
||
messageID MessageID,
|
||
protocolOp CHOICE {
|
||
bindRequest BindRequest,
|
||
bindResponse BindResponse,
|
||
unbindRequest UnbindRequest,
|
||
searchRequest SearchRequest,
|
||
searchResEntry SearchResultEntry,
|
||
searchResDone SearchResultDone,
|
||
searchResRef SearchResultReference,
|
||
modifyRequest ModifyRequest,
|
||
modifyResponse ModifyResponse,
|
||
addRequest AddRequest,
|
||
addResponse AddResponse,
|
||
delRequest DelRequest,
|
||
delResponse DelResponse,
|
||
modDNRequest ModifyDNRequest,
|
||
modDNResponse ModifyDNResponse,
|
||
compareRequest CompareRequest,
|
||
compareResponse CompareResponse,
|
||
abandonRequest AbandonRequest,
|
||
extendedReq ExtendedRequest,
|
||
extendedResp ExtendedResponse },
|
||
controls [0] Controls OPTIONAL }
|
||
|
||
MessageID ::= INTEGER (0 .. maxInt)
|
||
|
||
maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
|
||
|
||
LDAPString ::= OCTET STRING
|
||
|
||
LDAPOID ::= OCTET STRING
|
||
|
||
LDAPDN ::= LDAPString
|
||
|
||
RelativeLDAPDN ::= LDAPString
|
||
|
||
AttributeType ::= LDAPString
|
||
|
||
AttributeDescription ::= LDAPString
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 44]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
AttributeDescriptionList ::= SEQUENCE OF
|
||
AttributeDescription
|
||
|
||
AttributeValue ::= OCTET STRING
|
||
|
||
AttributeValueAssertion ::= SEQUENCE {
|
||
attributeDesc AttributeDescription,
|
||
assertionValue AssertionValue }
|
||
|
||
AssertionValue ::= OCTET STRING
|
||
|
||
Attribute ::= SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
MatchingRuleId ::= LDAPString
|
||
|
||
LDAPResult ::= SEQUENCE {
|
||
resultCode ENUMERATED {
|
||
success (0),
|
||
operationsError (1),
|
||
protocolError (2),
|
||
timeLimitExceeded (3),
|
||
sizeLimitExceeded (4),
|
||
compareFalse (5),
|
||
compareTrue (6),
|
||
authMethodNotSupported (7),
|
||
strongAuthRequired (8),
|
||
-- 9 reserved --
|
||
referral (10), -- new
|
||
adminLimitExceeded (11), -- new
|
||
unavailableCriticalExtension (12), -- new
|
||
confidentialityRequired (13), -- new
|
||
saslBindInProgress (14), -- new
|
||
noSuchAttribute (16),
|
||
undefinedAttributeType (17),
|
||
inappropriateMatching (18),
|
||
constraintViolation (19),
|
||
attributeOrValueExists (20),
|
||
invalidAttributeSyntax (21),
|
||
-- 22-31 unused --
|
||
noSuchObject (32),
|
||
aliasProblem (33),
|
||
invalidDNSyntax (34),
|
||
-- 35 reserved for undefined isLeaf --
|
||
aliasDereferencingProblem (36),
|
||
-- 37-47 unused --
|
||
inappropriateAuthentication (48),
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 45]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
invalidCredentials (49),
|
||
insufficientAccessRights (50),
|
||
busy (51),
|
||
unavailable (52),
|
||
unwillingToPerform (53),
|
||
loopDetect (54),
|
||
-- 55-63 unused --
|
||
namingViolation (64),
|
||
objectClassViolation (65),
|
||
notAllowedOnNonLeaf (66),
|
||
notAllowedOnRDN (67),
|
||
entryAlreadyExists (68),
|
||
objectClassModsProhibited (69),
|
||
-- 70 reserved for CLDAP --
|
||
affectsMultipleDSAs (71), -- new
|
||
-- 72-79 unused --
|
||
other (80) },
|
||
-- 81-90 reserved for APIs --
|
||
matchedDN LDAPDN,
|
||
errorMessage LDAPString,
|
||
referral [3] Referral OPTIONAL }
|
||
|
||
Referral ::= SEQUENCE OF LDAPURL
|
||
|
||
LDAPURL ::= LDAPString -- limited to characters permitted in URLs
|
||
|
||
Controls ::= SEQUENCE OF Control
|
||
|
||
Control ::= SEQUENCE {
|
||
controlType LDAPOID,
|
||
criticality BOOLEAN DEFAULT FALSE,
|
||
controlValue OCTET STRING OPTIONAL }
|
||
|
||
BindRequest ::= [APPLICATION 0] SEQUENCE {
|
||
version INTEGER (1 .. 127),
|
||
name LDAPDN,
|
||
authentication AuthenticationChoice }
|
||
|
||
AuthenticationChoice ::= CHOICE {
|
||
simple [0] OCTET STRING,
|
||
-- 1 and 2 reserved
|
||
sasl [3] SaslCredentials }
|
||
|
||
SaslCredentials ::= SEQUENCE {
|
||
mechanism LDAPString,
|
||
credentials OCTET STRING OPTIONAL }
|
||
|
||
BindResponse ::= [APPLICATION 1] SEQUENCE {
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 46]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
COMPONENTS OF LDAPResult,
|
||
serverSaslCreds [7] OCTET STRING OPTIONAL }
|
||
|
||
UnbindRequest ::= [APPLICATION 2] NULL
|
||
|
||
SearchRequest ::= [APPLICATION 3] SEQUENCE {
|
||
baseObject LDAPDN,
|
||
scope ENUMERATED {
|
||
baseObject (0),
|
||
singleLevel (1),
|
||
wholeSubtree (2) },
|
||
derefAliases ENUMERATED {
|
||
neverDerefAliases (0),
|
||
derefInSearching (1),
|
||
derefFindingBaseObj (2),
|
||
derefAlways (3) },
|
||
sizeLimit INTEGER (0 .. maxInt),
|
||
timeLimit INTEGER (0 .. maxInt),
|
||
typesOnly BOOLEAN,
|
||
filter Filter,
|
||
attributes AttributeDescriptionList }
|
||
|
||
Filter ::= CHOICE {
|
||
and [0] SET OF Filter,
|
||
or [1] SET OF Filter,
|
||
not [2] Filter,
|
||
equalityMatch [3] AttributeValueAssertion,
|
||
substrings [4] SubstringFilter,
|
||
greaterOrEqual [5] AttributeValueAssertion,
|
||
lessOrEqual [6] AttributeValueAssertion,
|
||
present [7] AttributeDescription,
|
||
approxMatch [8] AttributeValueAssertion,
|
||
extensibleMatch [9] MatchingRuleAssertion }
|
||
|
||
SubstringFilter ::= SEQUENCE {
|
||
type AttributeDescription,
|
||
-- at least one must be present
|
||
substrings SEQUENCE OF CHOICE {
|
||
initial [0] LDAPString,
|
||
any [1] LDAPString,
|
||
final [2] LDAPString } }
|
||
|
||
MatchingRuleAssertion ::= SEQUENCE {
|
||
matchingRule [1] MatchingRuleId OPTIONAL,
|
||
type [2] AttributeDescription OPTIONAL,
|
||
matchValue [3] AssertionValue,
|
||
dnAttributes [4] BOOLEAN DEFAULT FALSE }
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 47]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
|
||
objectName LDAPDN,
|
||
attributes PartialAttributeList }
|
||
|
||
PartialAttributeList ::= SEQUENCE OF SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
|
||
|
||
SearchResultDone ::= [APPLICATION 5] LDAPResult
|
||
|
||
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
|
||
object LDAPDN,
|
||
modification SEQUENCE OF SEQUENCE {
|
||
operation ENUMERATED {
|
||
add (0),
|
||
delete (1),
|
||
replace (2) },
|
||
modification AttributeTypeAndValues } }
|
||
|
||
AttributeTypeAndValues ::= SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
ModifyResponse ::= [APPLICATION 7] LDAPResult
|
||
|
||
AddRequest ::= [APPLICATION 8] SEQUENCE {
|
||
entry LDAPDN,
|
||
attributes AttributeList }
|
||
|
||
AttributeList ::= SEQUENCE OF SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
AddResponse ::= [APPLICATION 9] LDAPResult
|
||
|
||
DelRequest ::= [APPLICATION 10] LDAPDN
|
||
|
||
DelResponse ::= [APPLICATION 11] LDAPResult
|
||
|
||
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
|
||
entry LDAPDN,
|
||
newrdn RelativeLDAPDN,
|
||
deleteoldrdn BOOLEAN,
|
||
newSuperior [0] LDAPDN OPTIONAL }
|
||
|
||
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 48]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
CompareRequest ::= [APPLICATION 14] SEQUENCE {
|
||
entry LDAPDN,
|
||
ava AttributeValueAssertion }
|
||
|
||
CompareResponse ::= [APPLICATION 15] LDAPResult
|
||
|
||
AbandonRequest ::= [APPLICATION 16] MessageID
|
||
|
||
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
|
||
requestName [0] LDAPOID,
|
||
requestValue [1] OCTET STRING OPTIONAL }
|
||
|
||
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
|
||
COMPONENTS OF LDAPResult,
|
||
responseName [10] LDAPOID OPTIONAL,
|
||
response [11] OCTET STRING OPTIONAL }
|
||
|
||
END
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 49]
|
||
|
||
RFC 2251 LDAPv3 December 1997
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (1997). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published
|
||
and distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph are
|
||
included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Wahl, et. al. Standards Track [Page 50]
|
||
|