summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorSimo Sorce <idra@samba.org>2005-07-16 16:12:14 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:29:33 -0500
commitb86111fe83f531629c0d76584ea7217ac6fbffef (patch)
treede3d7e31eddeee744401d0ba617f2d6397eed71a /source4
parent24bef4a4bb8d8831d8deb8cd6691f8526af47f4e (diff)
downloadsamba-b86111fe83f531629c0d76584ea7217ac6fbffef.tar.gz
samba-b86111fe83f531629c0d76584ea7217ac6fbffef.tar.bz2
samba-b86111fe83f531629c0d76584ea7217ac6fbffef.zip
r8514: add docs
(This used to be commit 876f0a095b8aa7060c62f91fc5715af1f1432e8b)
Diffstat (limited to 'source4')
-rw-r--r--source4/ldap_server/devdocs/rfc2251.txt2803
1 files changed, 2803 insertions, 0 deletions
diff --git a/source4/ldap_server/devdocs/rfc2251.txt b/source4/ldap_server/devdocs/rfc2251.txt
new file mode 100644
index 0000000000..88844cbf38
--- /dev/null
+++ b/source4/ldap_server/devdocs/rfc2251.txt
@@ -0,0 +1,2803 @@
+
+
+
+
+
+
+Network Working Group M. Wahl
+Request for Comments: 2251 Critical Angle Inc.
+Category: Standards Track T. Howes
+ Netscape Communications Corp.
+ S. Kille
+ Isode Limited
+ December 1997
+
+
+ Lightweight Directory Access Protocol (v3)
+
+1. Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1997). All Rights Reserved.
+
+IESG Note
+
+ This document describes a directory access protocol that provides
+ both read and update access. Update access requires secure
+ authentication, but this document does not mandate implementation of
+ any satisfactory authentication mechanisms.
+
+ In accordance with RFC 2026, section 4.4.1, this specification is
+ being approved by IESG as a Proposed Standard despite this
+ limitation, for the following reasons:
+
+ a. to encourage implementation and interoperability testing of
+ these protocols (with or without update access) before they
+ are deployed, and
+
+ b. to encourage deployment and use of these protocols in read-only
+ applications. (e.g. applications where LDAPv3 is used as
+ a query language for directories which are updated by some
+ secure mechanism other than LDAP), and
+
+ c. to avoid delaying the advancement and deployment of other Internet
+ standards-track protocols which require the ability to query, but
+ not update, LDAPv3 directory servers.
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 1]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ Readers are hereby warned that until mandatory authentication
+ mechanisms are standardized, clients and servers written according to
+ this specification which make use of update functionality are
+ UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
+ IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
+
+ Implementors are hereby discouraged from deploying LDAPv3 clients or
+ servers which implement the update functionality, until a Proposed
+ Standard for mandatory authentication in LDAPv3 has been approved and
+ published as an RFC.
+
+Table of Contents
+
+ 1. Status of this Memo .................................... 1
+ Copyright Notice ....................................... 1
+ IESG Note .............................................. 1
+ 2. Abstract ............................................... 3
+ 3. Models ................................................. 4
+ 3.1. Protocol Model ........................................ 4
+ 3.2. Data Model ............................................ 5
+ 3.2.1. Attributes of Entries ............................... 5
+ 3.2.2. Subschema Entries and Subentries .................... 7
+ 3.3. Relationship to X.500 ................................. 8
+ 3.4. Server-specific Data Requirements ..................... 8
+ 4. Elements of Protocol ................................... 9
+ 4.1. Common Elements ....................................... 9
+ 4.1.1. Message Envelope .................................... 9
+ 4.1.1.1. Message ID ........................................ 11
+ 4.1.2. String Types ........................................ 11
+ 4.1.3. Distinguished Name and Relative Distinguished Name .. 11
+ 4.1.4. Attribute Type ...................................... 12
+ 4.1.5. Attribute Description ............................... 13
+ 4.1.5.1. Binary Option ..................................... 14
+ 4.1.6. Attribute Value ..................................... 14
+ 4.1.7. Attribute Value Assertion ........................... 15
+ 4.1.8. Attribute ........................................... 15
+ 4.1.9. Matching Rule Identifier ............................ 15
+ 4.1.10. Result Message ..................................... 16
+ 4.1.11. Referral ........................................... 18
+ 4.1.12. Controls ........................................... 19
+ 4.2. Bind Operation ........................................ 20
+ 4.2.1. Sequencing of the Bind Request ...................... 21
+ 4.2.2. Authentication and Other Security Services .......... 22
+ 4.2.3. Bind Response ....................................... 23
+ 4.3. Unbind Operation ...................................... 24
+ 4.4. Unsolicited Notification .............................. 24
+ 4.4.1. Notice of Disconnection ............................. 24
+ 4.5. Search Operation ...................................... 25
+
+
+
+Wahl, et. al. Standards Track [Page 2]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ 4.5.1. Search Request ...................................... 25
+ 4.5.2. Search Result ....................................... 29
+ 4.5.3. Continuation References in the Search Result ........ 31
+ 4.5.3.1. Example ........................................... 31
+ 4.6. Modify Operation ...................................... 32
+ 4.7. Add Operation ......................................... 34
+ 4.8. Delete Operation ...................................... 35
+ 4.9. Modify DN Operation ................................... 36
+ 4.10. Compare Operation .................................... 37
+ 4.11. Abandon Operation .................................... 38
+ 4.12. Extended Operation ................................... 38
+ 5. Protocol Element Encodings and Transfer ................ 39
+ 5.1. Mapping Onto BER-based Transport Services ............. 39
+ 5.2. Transfer Protocols .................................... 40
+ 5.2.1. Transmission Control Protocol (TCP) ................. 40
+ 6. Implementation Guidelines .............................. 40
+ 6.1. Server Implementations ................................ 40
+ 6.2. Client Implementations ................................ 40
+ 7. Security Considerations ................................ 41
+ 8. Acknowledgements ....................................... 41
+ 9. Bibliography ........................................... 41
+ 10. Authors' Addresses ..................................... 42
+ Appendix A - Complete ASN.1 Definition ..................... 44
+ Full Copyright Statement ................................... 50
+
+2. Abstract
+
+ The protocol described in this document is designed to provide access
+ to directories supporting the X.500 models, while not incurring the
+ resource requirements of the X.500 Directory Access Protocol (DAP).
+ This protocol is specifically targeted at management applications and
+ browser applications that provide read/write interactive access to
+ directories. When used with a directory supporting the X.500
+ protocols, it is intended to be a complement to the X.500 DAP.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document
+ are to be interpreted as described in RFC 2119 [10].
+
+ Key aspects of this version of LDAP are:
+
+ - All protocol elements of LDAPv2 (RFC 1777) are supported. The
+ protocol is carried directly over TCP or other transport, bypassing
+ much of the session/presentation overhead of X.500 DAP.
+
+ - Most protocol data elements can be encoded as ordinary strings
+ (e.g., Distinguished Names).
+
+
+
+
+Wahl, et. al. Standards Track [Page 3]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ - Referrals to other servers may be returned.
+
+ - SASL mechanisms may be used with LDAP to provide association
+ security services.
+
+ - Attribute values and Distinguished Names have been
+ internationalized through the use of the ISO 10646 character set.
+
+ - The protocol can be extended to support new operations, and
+ controls may be used to extend existing operations.
+
+ - Schema is published in the directory for use by clients.
+
+3. Models
+
+ Interest in X.500 [1] directory technologies in the Internet has led
+ to efforts to reduce the high cost of entry associated with use of
+ these technologies. This document continues the efforts to define
+ directory protocol alternatives, updating the LDAP [2] protocol
+ specification.
+
+3.1. Protocol Model
+
+ The general model adopted by this protocol is one of clients
+ performing protocol operations against servers. In this model, a
+ client transmits a protocol request describing the operation to be
+ performed to a server. The server is then responsible for performing
+ the necessary operation(s) in the directory. Upon completion of the
+ operation(s), the server returns a response containing any results or
+ errors to the requesting client.
+
+ In keeping with the goal of easing the costs associated with use of
+ the directory, it is an objective of this protocol to minimize the
+ complexity of clients so as to facilitate widespread deployment of
+ applications capable of using the directory.
+
+ Note that although servers are required to return responses whenever
+ such responses are defined in the protocol, there is no requirement
+ for synchronous behavior on the part of either clients or servers.
+ Requests and responses for multiple operations may be exchanged
+ between a client and server in any order, provided the client
+ eventually receives a response for every request that requires one.
+
+ In LDAP versions 1 and 2, no provision was made for protocol servers
+ returning referrals to clients. However, for improved performance
+ and distribution this version of the protocol permits servers to
+ return to clients referrals to other servers. This allows servers to
+ offload the work of contacting other servers to progress operations.
+
+
+
+Wahl, et. al. Standards Track [Page 4]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ Note that the core protocol operations defined in this document can
+ be mapped to a strict subset of the X.500(1997) directory abstract
+ service, so it can be cleanly provided by the DAP. However there is
+ not a one-to-one mapping between LDAP protocol operations and DAP
+ operations: server implementations acting as a gateway to X.500
+ directories may need to make multiple DAP requests.
+
+3.2. Data Model
+
+ This section provides a brief introduction to the X.500 data model,
+ as used by LDAP.
+
+ The LDAP protocol assumes there are one or more servers which jointly
+ provide access to a Directory Information Tree (DIT). The tree is
+ made up of entries. Entries have names: one or more attribute values
+ from the entry form its relative distinguished name (RDN), which MUST
+ be unique among all its siblings. The concatenation of the relative
+ distinguished names of the sequence of entries from a particular
+ entry to an immediate subordinate of the root of the tree forms that
+ entry's Distinguished Name (DN), which is unique in the tree. An
+ example of a Distinguished Name is
+
+ CN=Steve Kille, O=Isode Limited, C=GB
+
+ Some servers may hold cache or shadow copies of entries, which can be
+ used to answer search and comparison queries, but will return
+ referrals or contact other servers if modification operations are
+ requested.
+
+ Servers which perform caching or shadowing MUST ensure that they do
+ not violate any access control constraints placed on the data by the
+ originating server.
+
+ The largest collection of entries, starting at an entry that is
+ mastered by a particular server, and including all its subordinates
+ and their subordinates, down to the entries which are mastered by
+ different servers, is termed a naming context. The root of the DIT
+ is a DSA-specific Entry (DSE) and not part of any naming context:
+ each server has different attribute values in the root DSE. (DSA is
+ an X.500 term for the directory server).
+
+3.2.1. Attributes of Entries
+
+ Entries consist of a set of attributes. An attribute is a type with
+ one or more associated values. The attribute type is identified by a
+ short descriptive name and an OID (object identifier). The attribute
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 5]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ type governs whether there can be more than one value of an attribute
+ of that type in an entry, the syntax to which the values must
+ conform, the kinds of matching which can be performed on values of
+ that attribute, and other functions.
+
+ An example of an attribute is "mail". There may be one or more values
+ of this attribute, they must be IA5 (ASCII) strings, and they are
+ case insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").
+
+ Schema is the collection of attribute type definitions, object class
+ definitions and other information which a server uses to determine
+ how to match a filter or attribute value assertion (in a compare
+ operation) against the attributes of an entry, and whether to permit
+ add and modify operations. The definition of schema for use with
+ LDAP is given in [5] and [6]. Additional schema elements may be
+ defined in other documents.
+
+ Each entry MUST have an objectClass attribute. The objectClass
+ attribute specifies the object classes of an entry, which along with
+ the system and user schema determine the permitted attributes of an
+ entry. Values of this attribute may be modified by clients, but the
+ objectClass attribute cannot be removed. Servers may restrict the
+ modifications of this attribute to prevent the basic structural class
+ of the entry from being changed (e.g. one cannot change a person into
+ a country). When creating an entry or adding an objectClass value to
+ an entry, all superclasses of the named classes are implicitly added
+ as well if not already present, and the client must supply values for
+ any mandatory attributes of new superclasses.
+
+ Some attributes, termed operational attributes, are used by servers
+ for administering the directory system itself. They are not returned
+ in search results unless explicitly requested by name. Attributes
+ which are not operational, such as "mail", will have their schema and
+ syntax constraints enforced by servers, but servers will generally
+ not make use of their values.
+
+ Servers MUST NOT permit clients to add attributes to an entry unless
+ those attributes are permitted by the object class definitions, the
+ schema controlling that entry (specified in the subschema - see
+ below), or are operational attributes known to that server and used
+ for administrative purposes. Note that there is a particular
+ objectClass 'extensibleObject' defined in [5] which permits all user
+ attributes to be present in an entry.
+
+ Entries MAY contain, among others, the following operational
+ attributes, defined in [5]. These attributes are maintained
+ automatically by the server and are not modifiable by clients:
+
+
+
+
+Wahl, et. al. Standards Track [Page 6]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ - creatorsName: the Distinguished Name of the user who added this
+ entry to the directory.
+
+ - createTimestamp: the time this entry was added to the directory.
+
+ - modifiersName: the Distinguished Name of the user who last modified
+ this entry.
+
+ - modifyTimestamp: the time this entry was last modified.
+
+ - subschemaSubentry: the Distinguished Name of the subschema entry
+ (or subentry) which controls the schema for this entry.
+
+3.2.2. Subschema Entries and Subentries
+
+ Subschema entries are used for administering information about the
+ directory schema, in particular the object classes and attribute
+ types supported by directory servers. A single subschema entry
+ contains all schema definitions used by entries in a particular part
+ of the directory tree.
+
+ Servers which follow X.500(93) models SHOULD implement subschema
+ using the X.500 subschema mechanisms, and so these subschemas are not
+ ordinary entries. LDAP clients SHOULD NOT assume that servers
+ implement any of the other aspects of X.500 subschema. A server
+ which masters entries and permits clients to modify these entries
+ MUST implement and provide access to these subschema entries, so that
+ its clients may discover the attributes and object classes which are
+ permitted to be present. It is strongly recommended that all other
+ servers implement this as well.
+
+ The following four attributes MUST be present in all subschema
+ entries:
+
+ - cn: this attribute MUST be used to form the RDN of the subschema
+ entry.
+
+ - objectClass: the attribute MUST have at least the values "top" and
+ "subschema".
+
+ - objectClasses: each value of this attribute specifies an object
+ class known to the server.
+
+ - attributeTypes: each value of this attribute specifies an attribute
+ type known to the server.
+
+ These are defined in [5]. Other attributes MAY be present in
+ subschema entries, to reflect additional supported capabilities.
+
+
+
+Wahl, et. al. Standards Track [Page 7]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ These include matchingRules, matchingRuleUse, dITStructureRules,
+ dITContentRules, nameForms and ldapSyntaxes.
+
+ Servers SHOULD provide the attributes createTimestamp and
+ modifyTimestamp in subschema entries, in order to allow clients to
+ maintain their caches of schema information.
+
+ Clients MUST only retrieve attributes from a subschema entry by
+ requesting a base object search of the entry, where the search filter
+ is "(objectClass=subschema)". (This will allow LDAPv3 servers which
+ gateway to X.500(93) to detect that subentry information is being
+ requested.)
+
+3.3. Relationship to X.500
+
+ This document defines LDAP in terms of X.500 as an X.500 access
+ mechanism. An LDAP server MUST act in accordance with the
+ X.500(1993) series of ITU recommendations when providing the service.
+ However, it is not required that an LDAP server make use of any X.500
+ protocols in providing this service, e.g. LDAP can be mapped onto any
+ other directory system so long as the X.500 data and service model as
+ used in LDAP is not violated in the LDAP interface.
+
+3.4. Server-specific Data Requirements
+
+ An LDAP server MUST provide information about itself and other
+ information that is specific to each server. This is represented as
+ a group of attributes located in the root DSE (DSA-Specific Entry),
+ which is named with the zero-length LDAPDN. These attributes are
+ retrievable if a client performs a base object search of the root
+ with filter "(objectClass=*)", however they are subject to access
+ control restrictions. The root DSE MUST NOT be included if the
+ client performs a subtree search starting from the root.
+
+ Servers may allow clients to modify these attributes.
+
+ The following attributes of the root DSE are defined in section 5 of
+ [5]. Additional attributes may be defined in other documents.
+
+ - namingContexts: naming contexts held in the server. Naming contexts
+ are defined in section 17 of X.501 [6].
+
+ - subschemaSubentry: subschema entries (or subentries) known by this
+ server.
+
+ - altServer: alternative servers in case this one is later
+ unavailable.
+
+
+
+
+Wahl, et. al. Standards Track [Page 8]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ - supportedExtension: list of supported extended operations.
+
+ - supportedControl: list of supported controls.
+
+ - supportedSASLMechanisms: list of supported SASL security features.
+
+ - supportedLDAPVersion: LDAP versions implemented by the server.
+
+ If the server does not master entries and does not know the locations
+ of schema information, the subschemaSubentry attribute is not present
+ in the root DSE. If the server masters directory entries under one
+ or more schema rules, there may be any number of values of the
+ subschemaSubentry attribute in the root DSE.
+
+4. Elements of Protocol
+
+ The LDAP protocol is described using Abstract Syntax Notation 1
+ (ASN.1) [3], and is typically transferred using a subset of ASN.1
+ Basic Encoding Rules [11]. In order to support future extensions to
+ this protocol, clients and servers MUST ignore elements of SEQUENCE
+ encodings whose tags they do not recognize.
+
+ Note that unlike X.500, each change to the LDAP protocol other than
+ through the extension mechanisms will have a different version
+ number. A client will indicate the version it supports as part of
+ the bind request, described in section 4.2. If a client has not sent
+ a bind, the server MUST assume that version 3 is supported in the
+ client (since version 2 required that the client bind first).
+
+ Clients may determine the protocol version a server supports by
+ reading the supportedLDAPVersion attribute from the root DSE. Servers
+ which implement version 3 or later versions MUST provide this
+ attribute. Servers which only implement version 2 may not provide
+ this attribute.
+
+4.1. Common Elements
+
+ This section describes the LDAPMessage envelope PDU (Protocol Data
+ Unit) format, as well as data type definitions which are used in the
+ protocol operations.
+
+4.1.1. Message Envelope
+
+ For the purposes of protocol exchanges, all protocol operations are
+ encapsulated in a common envelope, the LDAPMessage, which is defined
+ as follows:
+
+ LDAPMessage ::= SEQUENCE {
+
+
+
+Wahl, et. al. Standards Track [Page 9]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ messageID MessageID,
+ protocolOp CHOICE {
+ bindRequest BindRequest,
+ bindResponse BindResponse,
+ unbindRequest UnbindRequest,
+ searchRequest SearchRequest,
+ searchResEntry SearchResultEntry,
+ searchResDone SearchResultDone,
+ searchResRef SearchResultReference,
+ modifyRequest ModifyRequest,
+ modifyResponse ModifyResponse,
+ addRequest AddRequest,
+ addResponse AddResponse,
+ delRequest DelRequest,
+ delResponse DelResponse,
+ modDNRequest ModifyDNRequest,
+ modDNResponse ModifyDNResponse,
+ compareRequest CompareRequest,
+ compareResponse CompareResponse,
+ abandonRequest AbandonRequest,
+ extendedReq ExtendedRequest,
+ extendedResp ExtendedResponse },
+ controls [0] Controls OPTIONAL }
+
+ MessageID ::= INTEGER (0 .. maxInt)
+
+ maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
+
+ The function of the LDAPMessage is to provide an envelope containing
+ common fields required in all protocol exchanges. At this time the
+ only common fields are the message ID and the controls.
+
+ If the server receives a PDU from the client in which the LDAPMessage
+ SEQUENCE tag cannot be recognized, the messageID cannot be parsed,
+ the tag of the protocolOp is not recognized as a request, or the
+ encoding structures or lengths of data fields are found to be
+ incorrect, then the server MUST return the notice of disconnection
+ described in section 4.4.1, with resultCode protocolError, and
+ immediately close the connection. In other cases that the server
+ cannot parse the request received by the client, the server MUST
+ return an appropriate response to the request, with the resultCode
+ set to protocolError.
+
+ If the client receives a PDU from the server which cannot be parsed,
+ the client may discard the PDU, or may abruptly close the connection.
+
+ The ASN.1 type Controls is defined in section 4.1.12.
+
+
+
+
+Wahl, et. al. Standards Track [Page 10]
+
+RFC 2251 LDAPv3 December 1997
+
+
+4.1.1.1. Message ID
+
+ All LDAPMessage envelopes encapsulating responses contain the
+ messageID value of the corresponding request LDAPMessage.
+
+ The message ID of a request MUST have a value different from the
+ values of any other requests outstanding in the LDAP session of which
+ this message is a part.
+
+ A client MUST NOT send a second request with the same message ID as
+ an earlier request on the same connection if the client has not
+ received the final response from the earlier request. Otherwise the
+ behavior is undefined. Typical clients increment a counter for each
+ request.
+
+ A client MUST NOT reuse the message id of an abandonRequest or of the
+ abandoned operation until it has received a response from the server
+ for another request invoked subsequent to the abandonRequest, as the
+ abandonRequest itself does not have a response.
+
+4.1.2. String Types
+
+ The LDAPString is a notational convenience to indicate that, although
+ strings of LDAPString type encode as OCTET STRING types, the ISO
+ 10646 [13] character set (a superset of Unicode) is used, encoded
+ following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm
+ characters which are the same as ASCII (0x0000 through 0x007F) are
+ represented as that same ASCII character in a single byte. The other
+ byte values are used to form a variable-length encoding of an
+ arbitrary character.
+
+ LDAPString ::= OCTET STRING
+
+ The LDAPOID is a notational convenience to indicate that the
+ permitted value of this string is a (UTF-8 encoded) dotted-decimal
+ representation of an OBJECT IDENTIFIER.
+
+ LDAPOID ::= OCTET STRING
+
+ For example,
+
+ 1.3.6.1.4.1.1466.1.2.3
+
+4.1.3. Distinguished Name and Relative Distinguished Name
+
+ An LDAPDN and a RelativeLDAPDN are respectively defined to be the
+ representation of a Distinguished Name and a Relative Distinguished
+ Name after encoding according to the specification in [4], such that
+
+
+
+Wahl, et. al. Standards Track [Page 11]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ <distinguished-name> ::= <name>
+
+ <relative-distinguished-name> ::= <name-component>
+
+ where <name> and <name-component> are as defined in [4].
+
+ LDAPDN ::= LDAPString
+
+ RelativeLDAPDN ::= LDAPString
+
+ Only Attribute Types can be present in a relative distinguished name
+ component; the options of Attribute Descriptions (next section) MUST
+ NOT be used in specifying distinguished names.
+
+4.1.4. Attribute Type
+
+ An AttributeType takes on as its value the textual string associated
+ with that AttributeType in its specification.
+
+ AttributeType ::= LDAPString
+
+ Each attribute type has a unique OBJECT IDENTIFIER which has been
+ assigned to it. This identifier may be written as decimal digits
+ with components separated by periods, e.g. "2.5.4.10".
+
+ A specification may also assign one or more textual names for an
+ attribute type. These names MUST begin with a letter, and only
+ contain ASCII letters, digit characters and hyphens. They are case
+ insensitive. (These ASCII characters are identical to ISO 10646
+ characters whose UTF-8 encoding is a single byte between 0x00 and
+ 0x7F.)
+
+ If the server has a textual name for an attribute type, it MUST use a
+ textual name for attributes returned in search results. The dotted-
+ decimal OBJECT IDENTIFIER is only used if there is no textual name
+ for an attribute type.
+
+ Attribute type textual names are non-unique, as two different
+ specifications (neither in standards track RFCs) may choose the same
+ name.
+
+ A server which masters or shadows entries SHOULD list all the
+ attribute types it supports in the subschema entries, using the
+ attributeTypes attribute. Servers which support an open-ended set of
+ attributes SHOULD include at least the attributeTypes value for the
+ 'objectClass' attribute. Clients MAY retrieve the attributeTypes
+ value from subschema entries in order to obtain the OBJECT IDENTIFIER
+ and other information associated with attribute types.
+
+
+
+Wahl, et. al. Standards Track [Page 12]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ Some attribute type names which are used in this version of LDAP are
+ described in [5]. Servers may implement additional attribute types.
+
+4.1.5. Attribute Description
+
+ An AttributeDescription is a superset of the definition of the
+ AttributeType. It has the same ASN.1 definition, but allows
+ additional options to be specified. They are also case insensitive.
+
+ AttributeDescription ::= LDAPString
+
+ A value of AttributeDescription is based on the following BNF:
+
+ <AttributeDescription> ::= <AttributeType> [ ";" <options> ]
+
+ <options> ::= <option> | <option> ";" <options>
+
+ <option> ::= <opt-char> <opt-char>*
+
+ <opt-char> ::= ASCII-equivalent letters, numbers and hyphen
+
+ Examples of valid AttributeDescription:
+
+ cn
+ userCertificate;binary
+
+ One option, "binary", is defined in this document. Additional
+ options may be defined in IETF standards-track and experimental RFCs.
+ Options beginning with "x-" are reserved for private experiments.
+ Any option could be associated with any AttributeType, although not
+ all combinations may be supported by a server.
+
+ An AttributeDescription with one or more options is treated as a
+ subtype of the attribute type without any options. Options present
+ in an AttributeDescription are never mutually exclusive.
+ Implementations MUST generate the <options> list sorted in ascending
+ order, and servers MUST treat any two AttributeDescription with the
+ same AttributeType and options as equivalent. A server will treat an
+ AttributeDescription with any options it does not implement as an
+ unrecognized attribute type.
+
+ The data type "AttributeDescriptionList" describes a list of 0 or
+ more attribute types. (A list of zero elements has special
+ significance in the Search request.)
+
+ AttributeDescriptionList ::= SEQUENCE OF
+ AttributeDescription
+
+
+
+
+Wahl, et. al. Standards Track [Page 13]
+
+RFC 2251 LDAPv3 December 1997
+
+
+4.1.5.1. Binary Option
+
+ If the "binary" option is present in an AttributeDescription, it
+ overrides any string-based encoding representation defined for that
+ attribute in [5]. Instead the attribute is to be transferred as a
+ binary value encoded using the Basic Encoding Rules [11]. The syntax
+ of the binary value is an ASN.1 data type definition which is
+ referenced by the "SYNTAX" part of the attribute type definition.
+
+ The presence or absence of the "binary" option only affects the
+ transfer of attribute values in protocol; servers store any
+ particular attribute in a single format. If a client requests that a
+ server return an attribute in the binary format, but the server
+ cannot generate that format, the server MUST treat this attribute
+ type as an unrecognized attribute type. Similarly, clients MUST NOT
+ expect servers to return an attribute in binary format if the client
+ requested that attribute by name without the binary option.
+
+ This option is intended to be used with attributes whose syntax is a
+ complex ASN.1 data type, and the structure of values of that type is
+ needed by clients. Examples of this kind of syntax are "Certificate"
+ and "CertificateList".
+
+4.1.6. Attribute Value
+
+ A field of type AttributeValue takes on as its value either a string
+ encoding of a AttributeValue data type, or an OCTET STRING containing
+ an encoded binary value, depending on whether the "binary" option is
+ present in the companion AttributeDescription to this AttributeValue.
+
+ The definition of string encodings for different syntaxes and types
+ may be found in other documents, and in particular [5].
+
+ AttributeValue ::= OCTET STRING
+
+ Note that there is no defined limit on the size of this encoding;
+ thus protocol values may include multi-megabyte attributes (e.g.
+ photographs).
+
+ Attributes may be defined which have arbitrary and non-printable
+ syntax. Implementations MUST NEITHER simply display nor attempt to
+ decode as ASN.1 a value if its syntax is not known. The
+ implementation may attempt to discover the subschema of the source
+ entry, and retrieve the values of attributeTypes from it.
+
+ Clients MUST NOT send attribute values in a request which are not
+ valid according to the syntax defined for the attributes.
+
+
+
+
+Wahl, et. al. Standards Track [Page 14]
+
+RFC 2251 LDAPv3 December 1997
+
+
+4.1.7. Attribute Value Assertion
+
+ The AttributeValueAssertion type definition is similar to the one in
+ the X.500 directory standards. It contains an attribute description
+ and a matching rule assertion value suitable for that type.
+
+ AttributeValueAssertion ::= SEQUENCE {
+ attributeDesc AttributeDescription,
+ assertionValue AssertionValue }
+
+ AssertionValue ::= OCTET STRING
+
+ If the "binary" option is present in attributeDesc, this signals to
+ the server that the assertionValue is a binary encoding of the
+ assertion value.
+
+ For all the string-valued user attributes described in [5], the
+ assertion value syntax is the same as the value syntax. Clients may
+ use attribute values as assertion values in compare requests and
+ search filters.
+
+ Note however that the assertion syntax may be different from the
+ value syntax for other attributes or for non-equality matching rules.
+ These may have an assertion syntax which contains only part of the
+ value. See section 20.2.1.8 of X.501 [6] for examples.
+
+4.1.8. Attribute
+
+ An attribute consists of a type and one or more values of that type.
+ (Though attributes MUST have at least one value when stored, due to
+ access control restrictions the set may be empty when transferred in
+ protocol. This is described in section 4.5.2, concerning the
+ PartialAttributeList type.)
+
+ Attribute ::= SEQUENCE {
+ type AttributeDescription,
+ vals SET OF AttributeValue }
+
+ Each attribute value is distinct in the set (no duplicates). The
+ order of attribute values within the vals set is undefined and
+ implementation-dependent, and MUST NOT be relied upon.
+
+4.1.9. Matching Rule Identifier
+
+ A matching rule is a means of expressing how a server should compare
+ an AssertionValue received in a search filter with an abstract data
+ value. The matching rule defines the syntax of the assertion value
+ and the process to be performed in the server.
+
+
+
+Wahl, et. al. Standards Track [Page 15]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ An X.501(1993) Matching Rule is identified in the LDAP protocol by
+ the printable representation of its OBJECT IDENTIFIER, either as one
+ of the strings given in [5], or as decimal digits with components
+ separated by periods, e.g. "caseIgnoreIA5Match" or
+ "1.3.6.1.4.1.453.33.33".
+
+ MatchingRuleId ::= LDAPString
+
+ Servers which support matching rules for use in the extensibleMatch
+ search filter MUST list the matching rules they implement in
+ subschema entries, using the matchingRules attributes. The server
+ SHOULD also list there, using the matchingRuleUse attribute, the
+ attribute types with which each matching rule can be used. More
+ information is given in section 4.4 of [5].
+
+4.1.10. Result Message
+
+ The LDAPResult is the construct used in this protocol to return
+ success or failure indications from servers to clients. In response
+ to various requests servers will return responses containing fields
+ of type LDAPResult to indicate the final status of a protocol
+ operation request.
+
+ LDAPResult ::= SEQUENCE {
+ resultCode ENUMERATED {
+ success (0),
+ operationsError (1),
+ protocolError (2),
+ timeLimitExceeded (3),
+ sizeLimitExceeded (4),
+ compareFalse (5),
+ compareTrue (6),
+
+ authMethodNotSupported (7),
+ strongAuthRequired (8),
+ -- 9 reserved --
+ referral (10), -- new
+ adminLimitExceeded (11), -- new
+ unavailableCriticalExtension (12), -- new
+ confidentialityRequired (13), -- new
+ saslBindInProgress (14), -- new
+ noSuchAttribute (16),
+ undefinedAttributeType (17),
+ inappropriateMatching (18),
+ constraintViolation (19),
+ attributeOrValueExists (20),
+ invalidAttributeSyntax (21),
+ -- 22-31 unused --
+
+
+
+Wahl, et. al. Standards Track [Page 16]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ noSuchObject (32),
+ aliasProblem (33),
+ invalidDNSyntax (34),
+ -- 35 reserved for undefined isLeaf --
+ aliasDereferencingProblem (36),
+ -- 37-47 unused --
+ inappropriateAuthentication (48),
+ invalidCredentials (49),
+ insufficientAccessRights (50),
+ busy (51),
+ unavailable (52),
+ unwillingToPerform (53),
+ loopDetect (54),
+ -- 55-63 unused --
+ namingViolation (64),
+ objectClassViolation (65),
+ notAllowedOnNonLeaf (66),
+ notAllowedOnRDN (67),
+ entryAlreadyExists (68),
+ objectClassModsProhibited (69),
+ -- 70 reserved for CLDAP --
+ affectsMultipleDSAs (71), -- new
+ -- 72-79 unused --
+ other (80) },
+ -- 81-90 reserved for APIs --
+ matchedDN LDAPDN,
+ errorMessage LDAPString,
+ referral [3] Referral OPTIONAL }
+
+ All the result codes with the exception of success, compareFalse and
+ compareTrue are to be treated as meaning the operation could not be
+ completed in its entirety.
+
+ Most of the result codes are based on problem indications from X.511
+ error data types. Result codes from 16 to 21 indicate an
+ AttributeProblem, codes 32, 33, 34 and 36 indicate a NameProblem,
+ codes 48, 49 and 50 indicate a SecurityProblem, codes 51 to 54
+ indicate a ServiceProblem, and codes 64 to 69 and 71 indicates an
+ UpdateProblem.
+
+ If a client receives a result code which is not listed above, it is
+ to be treated as an unknown error condition.
+
+ The errorMessage field of this construct may, at the server's option,
+ be used to return a string containing a textual, human-readable
+ (terminal control and page formatting characters should be avoided)
+ error diagnostic. As this error diagnostic is not standardized,
+
+
+
+
+Wahl, et. al. Standards Track [Page 17]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ implementations MUST NOT rely on the values returned. If the server
+ chooses not to return a textual diagnostic, the errorMessage field of
+ the LDAPResult type MUST contain a zero length string.
+
+ For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
+ aliasDereferencingProblem, the matchedDN field is set to the name of
+ the lowest entry (object or alias) in the directory that was matched.
+ If no aliases were dereferenced while attempting to locate the entry,
+ this will be a truncated form of the name provided, or if aliases
+ were dereferenced, of the resulting name, as defined in section 12.5
+ of X.511 [8]. The matchedDN field is to be set to a zero length
+ string with all other result codes.
+
+4.1.11. Referral
+
+ The referral error indicates that the contacted server does not hold
+ the target entry of the request. The referral field is present in an
+ LDAPResult if the LDAPResult.resultCode field value is referral, and
+ absent with all other result codes. It contains a reference to
+ another server (or set of servers) which may be accessed via LDAP or
+ other protocols. Referrals can be returned in response to any
+ operation request (except unbind and abandon which do not have
+ responses). At least one URL MUST be present in the Referral.
+
+ The referral is not returned for a singleLevel or wholeSubtree search
+ in which the search scope spans multiple naming contexts, and several
+ different servers would need to be contacted to complete the
+ operation. Instead, continuation references, described in section
+ 4.5.3, are returned.
+
+ Referral ::= SEQUENCE OF LDAPURL -- one or more
+
+ LDAPURL ::= LDAPString -- limited to characters permitted in URLs
+
+ If the client wishes to progress the operation, it MUST follow the
+ referral by contacting any one of servers. All the URLs MUST be
+ equally capable of being used to progress the operation. (The
+ mechanisms for how this is achieved by multiple servers are outside
+ the scope of this document.)
+
+ URLs for servers implementing the LDAP protocol are written according
+ to [9]. If an alias was dereferenced, the <dn> part of the URL MUST
+ be present, with the new target object name. If the <dn> part is
+ present, the client MUST use this name in its next request to
+ progress the operation, and if it is not present the client will use
+ the same name as in the original request. Some servers (e.g.
+ participating in distributed indexing) may provide a different filter
+ in a referral for a search operation. If the filter part of the URL
+
+
+
+Wahl, et. al. Standards Track [Page 18]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ is present in an LDAPURL, the client MUST use this filter in its next
+ request to progress this search, and if it is not present the client
+ MUST use the same filter as it used for that search. Other aspects
+ of the new request may be the same or different as the request which
+ generated the referral.
+
+ Note that UTF-8 characters appearing in a DN or search filter may not
+ be legal for URLs (e.g. spaces) and MUST be escaped using the %
+ method in RFC 1738 [7].
+
+ Other kinds of URLs may be returned, so long as the operation could
+ be performed using that protocol.
+
+4.1.12. Controls
+
+ A control is a way to specify extension information. Controls which
+ are sent as part of a request apply only to that request and are not
+ saved.
+
+ Controls ::= SEQUENCE OF Control
+
+ Control ::= SEQUENCE {
+ controlType LDAPOID,
+ criticality BOOLEAN DEFAULT FALSE,
+ controlValue OCTET STRING OPTIONAL }
+
+ The controlType field MUST be a UTF-8 encoded dotted-decimal
+ representation of an OBJECT IDENTIFIER which uniquely identifies the
+ control. This prevents conflicts between control names.
+
+ The criticality field is either TRUE or FALSE.
+
+ If the server recognizes the control type and it is appropriate for
+ the operation, the server will make use of the control when
+ performing the operation.
+
+ If the server does not recognize the control type and the criticality
+ field is TRUE, the server MUST NOT perform the operation, and MUST
+ instead return the resultCode unsupportedCriticalExtension.
+
+ If the control is not appropriate for the operation and criticality
+ field is TRUE, the server MUST NOT perform the operation, and MUST
+ instead return the resultCode unsupportedCriticalExtension.
+
+ If the control is unrecognized or inappropriate but the criticality
+ field is FALSE, the server MUST ignore the control.
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 19]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ The controlValue contains any information associated with the
+ control, and its format is defined for the control. The server MUST
+ be prepared to handle arbitrary contents of the controlValue octet
+ string, including zero bytes. It is absent only if there is no value
+ information which is associated with a control of its type.
+
+ This document does not define any controls. Controls may be defined
+ in other documents. The definition of a control consists of:
+
+ - the OBJECT IDENTIFIER assigned to the control,
+
+ - whether the control is always noncritical, always critical, or
+ critical at the client's option,
+
+ - the format of the controlValue contents of the control.
+
+ Servers list the controls which they recognize in the
+ supportedControl attribute in the root DSE.
+
+4.2. Bind Operation
+
+ The function of the Bind Operation is to allow authentication
+ information to be exchanged between the client and server.
+
+ The Bind Request is defined as follows:
+
+ BindRequest ::= [APPLICATION 0] SEQUENCE {
+ version INTEGER (1 .. 127),
+ name LDAPDN,
+ authentication AuthenticationChoice }
+
+ AuthenticationChoice ::= CHOICE {
+ simple [0] OCTET STRING,
+ -- 1 and 2 reserved
+ sasl [3] SaslCredentials }
+
+ SaslCredentials ::= SEQUENCE {
+ mechanism LDAPString,
+ credentials OCTET STRING OPTIONAL }
+
+ Parameters of the Bind Request are:
+
+ - version: A version number indicating the version of the protocol to
+ be used in this protocol session. This document describes version
+ 3 of the LDAP protocol. Note that there is no version negotiation,
+ and the client just sets this parameter to the version it desires.
+ If the client requests protocol version 2, a server that supports
+ the version 2 protocol as described in [2] will not return any v3-
+
+
+
+Wahl, et. al. Standards Track [Page 20]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ specific protocol fields. (Note that not all LDAP servers will
+ support protocol version 2, since they may be unable to generate
+ the attribute syntaxes associated with version 2.)
+
+ - name: The name of the directory object that the client wishes to
+ bind as. This field may take on a null value (a zero length
+ string) for the purposes of anonymous binds, when authentication
+ has been performed at a lower layer, or when using SASL credentials
+ with a mechanism that includes the LDAPDN in the credentials.
+
+ - authentication: information used to authenticate the name, if any,
+ provided in the Bind Request.
+
+ Upon receipt of a Bind Request, a protocol server will authenticate
+ the requesting client, if necessary. The server will then return a
+ Bind Response to the client indicating the status of the
+ authentication.
+
+ Authorization is the use of this authentication information when
+ performing operations. Authorization MAY be affected by factors
+ outside of the LDAP Bind request, such as lower layer security
+ services.
+
+4.2.1. Sequencing of the Bind Request
+
+ For some SASL authentication mechanisms, it may be necessary for the
+ client to invoke the BindRequest multiple times. If at any stage the
+ client wishes to abort the bind process it MAY unbind and then drop
+ the underlying connection. Clients MUST NOT invoke operations
+ between two Bind requests made as part of a multi-stage bind.
+
+ A client may abort a SASL bind negotiation by sending a BindRequest
+ with a different value in the mechanism field of SaslCredentials, or
+ an AuthenticationChoice other than sasl.
+
+ If the client sends a BindRequest with the sasl mechanism field as an
+ empty string, the server MUST return a BindResponse with
+ authMethodNotSupported as the resultCode. This will allow clients to
+ abort a negotiation if it wishes to try again with the same SASL
+ mechanism.
+
+ Unlike LDAP v2, the client need not send a Bind Request in the first
+ PDU of the connection. The client may request any operations and the
+ server MUST treat these as unauthenticated. If the server requires
+ that the client bind before browsing or modifying the directory, the
+ server MAY reject a request other than binding, unbinding or an
+ extended request with the "operationsError" result.
+
+
+
+
+Wahl, et. al. Standards Track [Page 21]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ If the client did not bind before sending a request and receives an
+ operationsError, it may then send a Bind Request. If this also fails
+ or the client chooses not to bind on the existing connection, it will
+ close the connection, reopen it and begin again by first sending a
+ PDU with a Bind Request. This will aid in interoperating with
+ servers implementing other versions of LDAP.
+
+ Clients MAY send multiple bind requests on a connection to change
+ their credentials. A subsequent bind process has the effect of
+ abandoning all operations outstanding on the connection. (This
+ simplifies server implementation.) Authentication from earlier binds
+ are subsequently ignored, and so if the bind fails, the connection
+ will be treated as anonymous. If a SASL transfer encryption or
+ integrity mechanism has been negotiated, and that mechanism does not
+ support the changing of credentials from one identity to another,
+ then the client MUST instead establish a new connection.
+
+4.2.2. Authentication and Other Security Services
+
+ The simple authentication option provides minimal authentication
+ facilities, with the contents of the authentication field consisting
+ only of a cleartext password. Note that the use of cleartext
+ passwords is not recommended over open networks when there is no
+ authentication or encryption being performed by a lower layer; see
+ the "Security Considerations" section.
+
+ If no authentication is to be performed, then the simple
+ authentication option MUST be chosen, and the password be of zero
+ length. (This is often done by LDAPv2 clients.) Typically the DN is
+ also of zero length.
+
+ The sasl choice allows for any mechanism defined for use with SASL
+ [12]. The mechanism field contains the name of the mechanism. The
+ credentials field contains the arbitrary data used for
+ authentication, inside an OCTET STRING wrapper. Note that unlike
+ some Internet application protocols where SASL is used, LDAP is not
+ text-based, thus no base64 transformations are performed on the
+ credentials.
+
+ If any SASL-based integrity or confidentiality services are enabled,
+ they take effect following the transmission by the server and
+ reception by the client of the final BindResponse with resultCode
+ success.
+
+ The client can request that the server use authentication information
+ from a lower layer protocol by using the SASL EXTERNAL mechanism.
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 22]
+
+RFC 2251 LDAPv3 December 1997
+
+
+4.2.3. Bind Response
+
+ The Bind Response is defined as follows.
+
+ BindResponse ::= [APPLICATION 1] SEQUENCE {
+ COMPONENTS OF LDAPResult,
+ serverSaslCreds [7] OCTET STRING OPTIONAL }
+
+ BindResponse consists simply of an indication from the server of he
+ status of the client's request for authentication.
+
+ f the bind was successful, the resultCode will be success, therwise
+ it will be one of:
+
+ - operationsError: server encountered an internal error,
+
+ - protocolError: unrecognized version number or incorrect PDU
+ structure,
+
+ - authMethodNotSupported: unrecognized SASL mechanism name,
+
+ - strongAuthRequired: the server requires authentication be
+ performed with a SASL mechanism,
+
+ - referral: this server cannot accept this bind and the client
+ should try another,
+
+ - saslBindInProgress: the server requires the client to send a
+ new bind request, with the same sasl mechanism, to continue the
+ authentication process,
+
+ - inappropriateAuthentication: the server requires the client
+ which had attempted to bind anonymously or without supplying
+ credentials to provide some form of credentials,
+
+ - invalidCredentials: the wrong password was supplied or the SASL
+ credentials could not be processed,
+
+ - unavailable: the server is shutting down.
+
+ If the server does not support the client's requested protocol
+ version, it MUST set the resultCode to protocolError.
+
+ If the client receives a BindResponse response where the resultCode
+ was protocolError, it MUST close the connection as the server will be
+ unwilling to accept further operations. (This is for compatibility
+ with earlier versions of LDAP, in which the bind was always the first
+ operation, and there was no negotiation.)
+
+
+
+Wahl, et. al. Standards Track [Page 23]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ The serverSaslCreds are used as part of a SASL-defined bind mechanism
+ to allow the client to authenticate the server to which it is
+ communicating, or to perform "challenge-response" authentication. If
+ the client bound with the password choice, or the SASL mechanism does
+ not require the server to return information to the client, then this
+ field is not to be included in the result.
+
+4.3. Unbind Operation
+
+ The function of the Unbind Operation is to terminate a protocol
+ session. The Unbind Operation is defined as follows:
+
+ UnbindRequest ::= [APPLICATION 2] NULL
+
+ The Unbind Operation has no response defined. Upon transmission of an
+ UnbindRequest, a protocol client may assume that the protocol session
+ is terminated. Upon receipt of an UnbindRequest, a protocol server
+ may assume that the requesting client has terminated the session and
+ that all outstanding requests may be discarded, and may close the
+ connection.
+
+4.4. Unsolicited Notification
+
+ An unsolicited notification is an LDAPMessage sent from the server to
+ the client which is not in response to any LDAPMessage received by
+ the server. It is used to signal an extraordinary condition in the
+ server or in the connection between the client and the server. The
+ notification is of an advisory nature, and the server will not expect
+ any response to be returned from the client.
+
+ The unsolicited notification is structured as an LDAPMessage in which
+ the messageID is 0 and protocolOp is of the extendedResp form. The
+ responseName field of the ExtendedResponse is present. The LDAPOID
+ value MUST be unique for this notification, and not be used in any
+ other situation.
+
+ One unsolicited notification is defined in this document.
+
+4.4.1. Notice of Disconnection
+
+ This notification may be used by the server to advise the client that
+ the server is about to close the connection due to an error
+ condition. Note that this notification is NOT a response to an
+ unbind requested by the client: the server MUST follow the procedures
+ of section 4.3. This notification is intended to assist clients in
+ distinguishing between an error condition and a transient network
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 24]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ failure. As with a connection close due to network failure, the
+ client MUST NOT assume that any outstanding requests which modified
+ the directory have succeeded or failed.
+
+ The responseName is 1.3.6.1.4.1.1466.20036, the response field is
+ absent, and the resultCode is used to indicate the reason for the
+ disconnection.
+
+ The following resultCode values are to be used in this notification:
+
+ - protocolError: The server has received data from the client in
+ which
+ the LDAPMessage structure could not be parsed.
+
+ - strongAuthRequired: The server has detected that an established
+ underlying security association protecting communication between
+ the client and server has unexpectedly failed or been compromised.
+
+ - unavailable: This server will stop accepting new connections and
+ operations on all existing connections, and be unavailable for an
+ extended period of time. The client may make use of an alternative
+ server.
+
+ After sending this notice, the server MUST close the connection.
+ After receiving this notice, the client MUST NOT transmit any further
+ on the connection, and may abruptly close the connection.
+
+4.5. Search Operation
+
+ The Search Operation allows a client to request that a search be
+ performed on its behalf by a server. This can be used to read
+ attributes from a single entry, from entries immediately below a
+ particular entry, or a whole subtree of entries.
+
+4.5.1. Search Request
+
+ The Search Request is defined as follows:
+
+ SearchRequest ::= [APPLICATION 3] SEQUENCE {
+ baseObject LDAPDN,
+ scope ENUMERATED {
+ baseObject (0),
+ singleLevel (1),
+ wholeSubtree (2) },
+ derefAliases ENUMERATED {
+ neverDerefAliases (0),
+ derefInSearching (1),
+ derefFindingBaseObj (2),
+
+
+
+Wahl, et. al. Standards Track [Page 25]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ derefAlways (3) },
+ sizeLimit INTEGER (0 .. maxInt),
+ timeLimit INTEGER (0 .. maxInt),
+ typesOnly BOOLEAN,
+ filter Filter,
+ attributes AttributeDescriptionList }
+
+ Filter ::= CHOICE {
+ and [0] SET OF Filter,
+ or [1] SET OF Filter,
+ not [2] Filter,
+ equalityMatch [3] AttributeValueAssertion,
+ substrings [4] SubstringFilter,
+ greaterOrEqual [5] AttributeValueAssertion,
+ lessOrEqual [6] AttributeValueAssertion,
+ present [7] AttributeDescription,
+ approxMatch [8] AttributeValueAssertion,
+ extensibleMatch [9] MatchingRuleAssertion }
+
+ SubstringFilter ::= SEQUENCE {
+ type AttributeDescription,
+ -- at least one must be present
+ substrings SEQUENCE OF CHOICE {
+ initial [0] LDAPString,
+ any [1] LDAPString,
+ final [2] LDAPString } }
+
+ MatchingRuleAssertion ::= SEQUENCE {
+ matchingRule [1] MatchingRuleId OPTIONAL,
+ type [2] AttributeDescription OPTIONAL,
+ matchValue [3] AssertionValue,
+ dnAttributes [4] BOOLEAN DEFAULT FALSE }
+
+ Parameters of the Search Request are:
+
+ - baseObject: An LDAPDN that is the base object entry relative to
+ which the search is to be performed.
+
+ - scope: An indicator of the scope of the search to be performed. The
+ semantics of the possible values of this field are identical to the
+ semantics of the scope field in the X.511 Search Operation.
+
+ - derefAliases: An indicator as to how alias objects (as defined in
+ X.501) are to be handled in searching. The semantics of the
+ possible values of this field are:
+
+ neverDerefAliases: do not dereference aliases in searching
+ or in locating the base object of the search;
+
+
+
+Wahl, et. al. Standards Track [Page 26]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ derefInSearching: dereference aliases in subordinates of
+ the base object in searching, but not in locating the
+ base object of the search;
+
+ derefFindingBaseObj: dereference aliases in locating
+ the base object of the search, but not when searching
+ subordinates of the base object;
+
+ derefAlways: dereference aliases both in searching and in
+ locating the base object of the search.
+
+ - sizelimit: A sizelimit that restricts the maximum number of entries
+ to be returned as a result of the search. A value of 0 in this
+ field indicates that no client-requested sizelimit restrictions are
+ in effect for the search. Servers may enforce a maximum number of
+ entries to return.
+
+ - timelimit: A timelimit that restricts the maximum time (in seconds)
+ allowed for a search. A value of 0 in this field indicates that no
+ client-requested timelimit restrictions are in effect for the
+ search.
+
+ - typesOnly: An indicator as to whether search results will contain
+ both attribute types and values, or just attribute types. Setting
+ this field to TRUE causes only attribute types (no values) to be
+ returned. Setting this field to FALSE causes both attribute types
+ and values to be returned.
+
+ - filter: A filter that defines the conditions that must be fulfilled
+ in order for the search to match a given entry.
+
+ The 'and', 'or' and 'not' choices can be used to form combinations of
+ filters. At least one filter element MUST be present in an 'and' or
+ 'or' choice. The others match against individual attribute values of
+ entries in the scope of the search. (Implementor's note: the 'not'
+ filter is an example of a tagged choice in an implicitly-tagged
+ module. In BER this is treated as if the tag was explicit.)
+
+ A server MUST evaluate filters according to the three-valued logic
+ of X.511(93) section 7.8.1. In summary, a filter is evaluated to
+ either "TRUE", "FALSE" or "Undefined". If the filter evaluates
+ to TRUE for a particular entry, then the attributes of that entry
+ are returned as part of the search result (subject to any applicable
+ access control restrictions). If the filter evaluates to FALSE or
+ Undefined, then the entry is ignored for the search.
+
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 27]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ A filter of the "and" choice is TRUE if all the filters in the SET
+ OF evaluate to TRUE, FALSE if at least one filter is FALSE, and
+ otherwise Undefined. A filter of the "or" choice is FALSE if all
+ of the filters in the SET OF evaluate to FALSE, TRUE if at least
+ one filter is TRUE, and Undefined otherwise. A filter of the "not"
+ choice is TRUE if the filter being negated is FALSE, FALSE if it is
+ TRUE, and Undefined if it is Undefined.
+
+ The present match evaluates to TRUE where there is an attribute or
+ subtype of the specified attribute description present in an entry,
+ and FALSE otherwise (including a presence test with an unrecognized
+ attribute description.)
+
+ The extensibleMatch is new in this version of LDAP. If the
+ matchingRule field is absent, the type field MUST be present, and
+ the equality match is performed for that type. If the type field is
+ absent and matchingRule is present, the matchValue is compared
+ against all attributes in an entry which support that matchingRule,
+ and the matchingRule determines the syntax for the assertion value
+ (the filter item evaluates to TRUE if it matches with at least
+ one attribute in the entry, FALSE if it does not match any attribute
+ in the entry, and Undefined if the matchingRule is not recognized
+ or the assertionValue cannot be parsed.) If the type field is
+ present and matchingRule is present, the matchingRule MUST be one
+ permitted for use with that type, otherwise the filter item is
+ undefined. If the dnAttributes field is set to TRUE, the match is
+ applied against all the attributes in an entry's distinguished name
+ as well, and also evaluates to TRUE if there is at least one
+ attribute in the distinguished name for which the filter item
+ evaluates to TRUE. (Editors note: The dnAttributes field is present
+ so that there does not need to be multiple versions of generic
+ matching rules such as for word matching, one to apply to entries
+ and another to apply to entries and dn attributes as well).
+
+ A filter item evaluates to Undefined when the server would not
+ be able to determine whether the assertion value matches an
+ entry. If an attribute description in an equalityMatch, substrings,
+ greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch
+ filter is not recognized by the server, a matching rule id in the
+ extensibleMatch is not recognized by the server, the assertion
+ value cannot be parsed, or the type of filtering requested is not
+ implemented, then the filter is Undefined. Thus for example if a
+ server did not recognize the attribute type shoeSize, a filter of
+ (shoeSize=*) would evaluate to FALSE, and the filters (shoeSize=12),
+ (shoeSize>=12) and (shoeSize<=12) would evaluate to Undefined.
+
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 28]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ Servers MUST NOT return errors if attribute descriptions or matching
+ rule ids are not recognized, or assertion values cannot be parsed.
+ More details of filter processing are given in section 7.8 of X.511
+ [8].
+
+ - attributes: A list of the attributes to be returned from each entry
+ which matches the search filter. There are two special values which
+ may be used: an empty list with no attributes, and the attribute
+ description string "*". Both of these signify that all user
+ attributes are to be returned. (The "*" allows the client to
+ request all user attributes in addition to specific operational
+ attributes).
+
+ Attributes MUST be named at most once in the list, and are returned
+ at most once in an entry. If there are attribute descriptions in
+ the list which are not recognized, they are ignored by the server.
+
+ If the client does not want any attributes returned, it can specify
+ a list containing only the attribute with OID "1.1". This OID was
+ chosen arbitrarily and does not correspond to any attribute in use.
+
+ Client implementors should note that even if all user attributes are
+ requested, some attributes of the entry may not be included in
+ search results due to access control or other restrictions.
+ Furthermore, servers will not return operational attributes, such
+ as objectClasses or attributeTypes, unless they are listed by name,
+ since there may be extremely large number of values for certain
+ operational attributes. (A list of operational attributes for use
+ in LDAP is given in [5].)
+
+ Note that an X.500 "list"-like operation can be emulated by the client
+ requesting a one-level LDAP search operation with a filter checking
+ for the existence of the objectClass attribute, and that an X.500
+ "read"-like operation can be emulated by a base object LDAP search
+ operation with the same filter. A server which provides a gateway to
+ X.500 is not required to use the Read or List operations, although it
+ may choose to do so, and if it does must provide the same semantics
+ as the X.500 search operation.
+
+4.5.2. Search Result
+
+ The results of the search attempted by the server upon receipt of a
+ Search Request are returned in Search Responses, which are LDAP
+ messages containing either SearchResultEntry, SearchResultReference,
+ ExtendedResponse or SearchResultDone data types.
+
+ SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
+ objectName LDAPDN,
+
+
+
+Wahl, et. al. Standards Track [Page 29]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ attributes PartialAttributeList }
+
+ PartialAttributeList ::= SEQUENCE OF SEQUENCE {
+ type AttributeDescription,
+ vals SET OF AttributeValue }
+ -- implementors should note that the PartialAttributeList may
+ -- have zero elements (if none of the attributes of that entry
+ -- were requested, or could be returned), and that the vals set
+ -- may also have zero elements (if types only was requested, or
+ -- all values were excluded from the result.)
+
+ SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
+ -- at least one LDAPURL element must be present
+
+ SearchResultDone ::= [APPLICATION 5] LDAPResult
+
+ Upon receipt of a Search Request, a server will perform the necessary
+ search of the DIT.
+
+ If the LDAP session is operating over a connection-oriented transport
+ such as TCP, the server will return to the client a sequence of
+ responses in separate LDAP messages. There may be zero or more
+ responses containing SearchResultEntry, one for each entry found
+ during the search. There may also be zero or more responses
+ containing SearchResultReference, one for each area not explored by
+ this server during the search. The SearchResultEntry and
+ SearchResultReference PDUs may come in any order. Following all the
+ SearchResultReference responses and all SearchResultEntry responses
+ to be returned by the server, the server will return a response
+ containing the SearchResultDone, which contains an indication of
+ success, or detailing any errors that have occurred.
+
+ Each entry returned in a SearchResultEntry will contain all
+ attributes, complete with associated values if necessary, as
+ specified in the attributes field of the Search Request. Return of
+ attributes is subject to access control and other administrative
+ policy. Some attributes may be returned in binary format (indicated
+ by the AttributeDescription in the response having the binary option
+ present).
+
+ Some attributes may be constructed by the server and appear in a
+ SearchResultEntry attribute list, although they are not stored
+ attributes of an entry. Clients MUST NOT assume that all attributes
+ can be modified, even if permitted by access control.
+
+ LDAPMessage responses of the ExtendedResponse form are reserved for
+ returning information associated with a control requested by the
+ client. These may be defined in future versions of this document.
+
+
+
+Wahl, et. al. Standards Track [Page 30]
+
+RFC 2251 LDAPv3 December 1997
+
+
+4.5.3. Continuation References in the Search Result
+
+ If the server was able to locate the entry referred to by the
+ baseObject but was unable to search all the entries in the scope at
+ and under the baseObject, the server may return one or more
+ SearchResultReference, each containing a reference to another set of
+ servers for continuing the operation. A server MUST NOT return any
+ SearchResultReference if it has not located the baseObject and
+ thus has not searched any entries; in this case it would return a
+ SearchResultDone containing a referral resultCode.
+
+ In the absence of indexing information provided to a server from
+ servers holding subordinate naming contexts, SearchResultReference
+ responses are not affected by search filters and are always returned
+ when in scope.
+
+ The SearchResultReference is of the same data type as the Referral.
+ URLs for servers implementing the LDAP protocol are written according
+ to [9]. The <dn> part MUST be present in the URL, with the new target
+ object name. The client MUST use this name in its next request.
+ Some servers (e.g. part of a distributed index exchange system) may
+ provide a different filter in the URLs of the SearchResultReference.
+ If the filter part of the URL is present in an LDAP URL, the client
+ MUST use the new filter in its next request to progress the search,
+ and if the filter part is absent the client will use again the same
+ filter. Other aspects of the new search request may be the same or
+ different as the search which generated the continuation references.
+
+ Other kinds of URLs may be returned so long as the operation could be
+ performed using that protocol.
+
+ The name of an unexplored subtree in a SearchResultReference need not
+ be subordinate to the base object.
+
+ In order to complete the search, the client MUST issue a new search
+ operation for each SearchResultReference that is returned. Note that
+ the abandon operation described in section 4.11 applies only to a
+ particular operation sent on a connection between a client and server,
+ and if the client has multiple outstanding search operations to
+ different servers, it MUST abandon each operation individually.
+
+4.5.3.1. Example
+
+ For example, suppose the contacted server (hosta) holds the entry
+ "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW". It knows that
+ either LDAP-capable servers (hostb) or (hostc) hold
+ "OU=People,O=MNN,C=WW" (one is the master and the other server a
+
+
+
+
+Wahl, et. al. Standards Track [Page 31]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ shadow), and that LDAP-capable server (hostd) holds the subtree
+ "OU=Roles,O=MNN,C=WW". If a subtree search of "O=MNN,C=WW" is
+ requested to the contacted server, it may return the following:
+
+ SearchResultEntry for O=MNN,C=WW
+ SearchResultEntry for CN=Manager,O=MNN,C=WW
+ SearchResultReference {
+ ldap://hostb/OU=People,O=MNN,C=WW
+ ldap://hostc/OU=People,O=MNN,C=WW
+ }
+ SearchResultReference {
+ ldap://hostd/OU=Roles,O=MNN,C=WW
+ }
+ SearchResultDone (success)
+
+ Client implementors should note that when following a
+ SearchResultReference, additional SearchResultReference may be
+ generated. Continuing the example, if the client contacted the
+ server (hostb) and issued the search for the subtree
+ "OU=People,O=MNN,C=WW", the server might respond as follows:
+
+ SearchResultEntry for OU=People,O=MNN,C=WW
+ SearchResultReference {
+ ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
+ }
+ SearchResultReference {
+ ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
+ }
+ SearchResultDone (success)
+
+ If the contacted server does not hold the base object for the search,
+ then it will return a referral to the client. For example, if the
+ client requests a subtree search of "O=XYZ,C=US" to hosta, the server
+ may return only a SearchResultDone containing a referral.
+
+ SearchResultDone (referral) {
+ ldap://hostg/
+ }
+
+4.6. Modify Operation
+
+ The Modify Operation allows a client to request that a modification
+ of an entry be performed on its behalf by a server. The Modify
+ Request is defined as follows:
+
+ ModifyRequest ::= [APPLICATION 6] SEQUENCE {
+ object LDAPDN,
+ modification SEQUENCE OF SEQUENCE {
+
+
+
+Wahl, et. al. Standards Track [Page 32]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ operation ENUMERATED {
+ add (0),
+ delete (1),
+ replace (2) },
+ modification AttributeTypeAndValues } }
+
+ AttributeTypeAndValues ::= SEQUENCE {
+ type AttributeDescription,
+ vals SET OF AttributeValue }
+
+ Parameters of the Modify Request are:
+
+ - object: The object to be modified. The value of this field contains
+ the DN of the entry to be modified. The server will not perform
+ any alias dereferencing in determining the object to be modified.
+
+ - modification: A list of modifications to be performed on the entry.
+ The entire list of entry modifications MUST be performed
+ in the order they are listed, as a single atomic operation. While
+ individual modifications may violate the directory schema, the
+ resulting entry after the entire list of modifications is performed
+ MUST conform to the requirements of the directory schema. The
+ values that may be taken on by the 'operation' field in each
+ modification construct have the following semantics respectively:
+
+ add: add values listed to the given attribute, creating
+ the attribute if necessary;
+
+ delete: delete values listed from the given attribute,
+ removing the entire attribute if no values are listed, or
+ if all current values of the attribute are listed for
+ deletion;
+
+ replace: replace all existing values of the given attribute
+ with the new values listed, creating the attribute if it
+ did not already exist. A replace with no value will delete
+ the entire attribute if it exists, and is ignored if the
+ attribute does not exist.
+
+ The result of the modify attempted by the server upon receipt of a
+ Modify Request is returned in a Modify Response, defined as follows:
+
+ ModifyResponse ::= [APPLICATION 7] LDAPResult
+
+ Upon receipt of a Modify Request, a server will perform the necessary
+ modifications to the DIT.
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 33]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ The server will return to the client a single Modify Response
+ indicating either the successful completion of the DIT modification,
+ or the reason that the modification failed. Note that due to the
+ requirement for atomicity in applying the list of modifications in
+ the Modify Request, the client may expect that no modifications of
+ the DIT have been performed if the Modify Response received indicates
+ any sort of error, and that all requested modifications have been
+ performed if the Modify Response indicates successful completion of
+ the Modify Operation. If the connection fails, whether the
+ modification occurred or not is indeterminate.
+
+ The Modify Operation cannot be used to remove from an entry any of
+ its distinguished values, those values which form the entry's
+ relative distinguished name. An attempt to do so will result in the
+ server returning the error notAllowedOnRDN. The Modify DN Operation
+ described in section 4.9 is used to rename an entry.
+
+ If an equality match filter has not been defined for an attribute type,
+ clients MUST NOT attempt to delete individual values of that attribute
+ from an entry using the "delete" form of a modification, and MUST
+ instead use the "replace" form.
+
+ Note that due to the simplifications made in LDAP, there is not a
+ direct mapping of the modifications in an LDAP ModifyRequest onto the
+ EntryModifications of a DAP ModifyEntry operation, and different
+ implementations of LDAP-DAP gateways may use different means of
+ representing the change. If successful, the final effect of the
+ operations on the entry MUST be identical.
+
+4.7. Add Operation
+
+ The Add Operation allows a client to request the addition of an entry
+ into the directory. The Add Request is defined as follows:
+
+ AddRequest ::= [APPLICATION 8] SEQUENCE {
+ entry LDAPDN,
+ attributes AttributeList }
+
+ AttributeList ::= SEQUENCE OF SEQUENCE {
+ type AttributeDescription,
+ vals SET OF AttributeValue }
+
+ Parameters of the Add Request are:
+
+ - entry: the Distinguished Name of the entry to be added. Note that
+ the server will not dereference any aliases in locating the entry
+ to be added.
+
+
+
+
+Wahl, et. al. Standards Track [Page 34]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ - attributes: the list of attributes that make up the content of the
+ entry being added. Clients MUST include distinguished values
+ (those forming the entry's own RDN) in this list, the objectClass
+ attribute, and values of any mandatory attributes of the listed
+ object classes. Clients MUST NOT supply the createTimestamp or
+ creatorsName attributes, since these will be generated
+ automatically by the server.
+
+ The entry named in the entry field of the AddRequest MUST NOT exist
+ for the AddRequest to succeed. The parent of the entry to be added
+ MUST exist. For example, if the client attempted to add
+ "CN=JS,O=Foo,C=US", the "O=Foo,C=US" entry did not exist, and the
+ "C=US" entry did exist, then the server would return the error
+ noSuchObject with the matchedDN field containing "C=US". If the
+ parent entry exists but is not in a naming context held by the
+ server, the server SHOULD return a referral to the server holding the
+ parent entry.
+
+ Servers implementations SHOULD NOT restrict where entries can be
+ located in the directory. Some servers MAY allow the administrator
+ to restrict the classes of entries which can be added to the
+ directory.
+
+ Upon receipt of an Add Request, a server will attempt to perform the
+ add requested. The result of the add attempt will be returned to the
+ client in the Add Response, defined as follows:
+
+ AddResponse ::= [APPLICATION 9] LDAPResult
+
+ A response of success indicates that the new entry is present in the
+ directory.
+
+4.8. Delete Operation
+
+ The Delete Operation allows a client to request the removal of an
+ entry from the directory. The Delete Request is defined as follows:
+
+ DelRequest ::= [APPLICATION 10] LDAPDN
+
+ The Delete Request consists of the Distinguished Name of the entry to
+ be deleted. Note that the server will not dereference aliases while
+ resolving the name of the target entry to be removed, and that only
+ leaf entries (those with no subordinate entries) can be deleted with
+ this operation.
+
+ The result of the delete attempted by the server upon receipt of a
+ Delete Request is returned in the Delete Response, defined as
+ follows:
+
+
+
+Wahl, et. al. Standards Track [Page 35]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ DelResponse ::= [APPLICATION 11] LDAPResult
+
+ Upon receipt of a Delete Request, a server will attempt to perform
+ the entry removal requested. The result of the delete attempt will be
+ returned to the client in the Delete Response.
+
+4.9. Modify DN Operation
+
+ The Modify DN Operation allows a client to change the leftmost (least
+ significant) component of the name of an entry in the directory, or
+ to move a subtree of entries to a new location in the directory. The
+ Modify DN Request is defined as follows:
+
+ ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
+ entry LDAPDN,
+ newrdn RelativeLDAPDN,
+ deleteoldrdn BOOLEAN,
+ newSuperior [0] LDAPDN OPTIONAL }
+
+ Parameters of the Modify DN Request are:
+
+ - entry: the Distinguished Name of the entry to be changed. This
+ entry may or may not have subordinate entries.
+
+ - newrdn: the RDN that will form the leftmost component of the new
+ name of the entry.
+
+ - deleteoldrdn: a boolean parameter that controls whether the old RDN
+ attribute values are to be retained as attributes of the entry, or
+ deleted from the entry.
+
+ - newSuperior: if present, this is the Distinguished Name of the entry
+ which becomes the immediate superior of the existing entry.
+
+ The result of the name change attempted by the server upon receipt of
+ a Modify DN Request is returned in the Modify DN Response, defined
+ as follows:
+
+ ModifyDNResponse ::= [APPLICATION 13] LDAPResult
+
+ Upon receipt of a ModifyDNRequest, a server will attempt to
+ perform the name change. The result of the name change attempt will
+ be returned to the client in the Modify DN Response.
+
+ For example, if the entry named in the "entry" parameter was
+ "cn=John Smith,c=US", the newrdn parameter was "cn=John Cougar Smith",
+ and the newSuperior parameter was absent, then this operation would
+
+
+
+
+Wahl, et. al. Standards Track [Page 36]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ attempt to rename the entry to be "cn=John Cougar Smith,c=US". If
+ there was already an entry with that name, the operation would fail
+ with error code entryAlreadyExists.
+
+ If the deleteoldrdn parameter is TRUE, the values forming the old
+ RDN are deleted from the entry. If the deleteoldrdn parameter is
+ FALSE, the values forming the old RDN will be retained as
+ non-distinguished attribute values of the entry. The server may
+ not perform the operation and return an error code if the setting of
+ the deleteoldrdn parameter would cause a schema inconsistency in the
+ entry.
+
+ Note that X.500 restricts the ModifyDN operation to only affect
+ entries that are contained within a single server. If the LDAP
+ server is mapped onto DAP, then this restriction will apply, and the
+ resultCode affectsMultipleDSAs will be returned if this error
+ occurred. In general clients MUST NOT expect to be able to perform
+ arbitrary movements of entries and subtrees between servers.
+
+4.10. Compare Operation
+
+ The Compare Operation allows a client to compare an assertion
+ provided with an entry in the directory. The Compare Request is
+ defined as follows:
+
+ CompareRequest ::= [APPLICATION 14] SEQUENCE {
+ entry LDAPDN,
+ ava AttributeValueAssertion }
+
+ Parameters of the Compare Request are:
+
+ - entry: the name of the entry to be compared with.
+
+ - ava: the assertion with which an attribute in the entry is to be
+ compared.
+
+ The result of the compare attempted by the server upon receipt of a
+ Compare Request is returned in the Compare Response, defined as
+ follows:
+
+ CompareResponse ::= [APPLICATION 15] LDAPResult
+
+ Upon receipt of a Compare Request, a server will attempt to perform
+ the requested comparison. The result of the comparison will be
+ returned to the client in the Compare Response. Note that errors and
+ the result of comparison are all returned in the same construct.
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 37]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ Note that some directory systems may establish access controls which
+ permit the values of certain attributes (such as userPassword) to be
+ compared but not read. In a search result, it may be that an
+ attribute of that type would be returned, but with an empty set of
+ values.
+
+4.11. Abandon Operation
+
+ The function of the Abandon Operation is to allow a client to request
+ that the server abandon an outstanding operation. The Abandon
+ Request is defined as follows:
+
+ AbandonRequest ::= [APPLICATION 16] MessageID
+
+ The MessageID MUST be that of a an operation which was requested
+ earlier in this connection.
+
+ (The abandon request itself has its own message id. This is distinct
+ from the id of the earlier operation being abandoned.)
+
+ There is no response defined in the Abandon Operation. Upon
+ transmission of an Abandon Operation, a client may expect that the
+ operation identified by the Message ID in the Abandon Request has
+ been abandoned. In the event that a server receives an Abandon
+ Request on a Search Operation in the midst of transmitting responses
+ to the search, that server MUST cease transmitting entry responses to
+ the abandoned request immediately, and MUST NOT send the
+ SearchResponseDone. Of course, the server MUST ensure that only
+ properly encoded LDAPMessage PDUs are transmitted.
+
+ Clients MUST NOT send abandon requests for the same operation
+ multiple times, and MUST also be prepared to receive results from
+ operations it has abandoned (since these may have been in transit
+ when the abandon was requested).
+
+ Servers MUST discard abandon requests for message IDs they do not
+ recognize, for operations which cannot be abandoned, and for
+ operations which have already been abandoned.
+
+4.12. Extended Operation
+
+ An extension mechanism has been added in this version of LDAP, in
+ order to allow additional operations to be defined for services not
+ available elsewhere in this protocol, for instance digitally signed
+ operations and results.
+
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 38]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ The extended operation allows clients to make requests and receive
+ responses with predefined syntaxes and semantics. These may be
+ defined in RFCs or be private to particular implementations. Each
+ request MUST have a unique OBJECT IDENTIFIER assigned to it.
+
+ ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
+ requestName [0] LDAPOID,
+ requestValue [1] OCTET STRING OPTIONAL }
+
+ The requestName is a dotted-decimal representation of the OBJECT
+ IDENTIFIER corresponding to the request. The requestValue is
+ information in a form defined by that request, encapsulated inside an
+ OCTET STRING.
+
+ The server will respond to this with an LDAPMessage containing the
+ ExtendedResponse.
+
+ ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
+ COMPONENTS OF LDAPResult,
+ responseName [10] LDAPOID OPTIONAL,
+ response [11] OCTET STRING OPTIONAL }
+
+ If the server does not recognize the request name, it MUST return
+ only the response fields from LDAPResult, containing the
+ protocolError result code.
+
+5. Protocol Element Encodings and Transfer
+
+ One underlying service is defined here. Clients and servers SHOULD
+ implement the mapping of LDAP over TCP described in 5.2.1.
+
+5.1. Mapping Onto BER-based Transport Services
+
+ The protocol elements of LDAP are encoded for exchange using the
+ Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
+ high overhead involved in using certain elements of the BER, the
+ following additional restrictions are placed on BER-encodings of LDAP
+ protocol elements:
+
+ (1) Only the definite form of length encoding will be used.
+
+ (2) OCTET STRING values will be encoded in the primitive form only.
+
+ (3) If the value of a BOOLEAN type is true, the encoding MUST have
+ its contents octets set to hex "FF".
+
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 39]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ (4) If a value of a type is its default value, it MUST be absent.
+ Only some BOOLEAN and INTEGER types have default values in this
+ protocol definition.
+
+ These restrictions do not apply to ASN.1 types encapsulated inside of
+ OCTET STRING values, such as attribute values, unless otherwise
+ noted.
+
+5.2. Transfer Protocols
+
+ This protocol is designed to run over connection-oriented, reliable
+ transports, with all 8 bits in an octet being significant in the data
+ stream.
+
+5.2.1. Transmission Control Protocol (TCP)
+
+ The LDAPMessage PDUs are mapped directly onto the TCP bytestream. It
+ is recommended that server implementations running over the TCP MAY
+ provide a protocol listener on the assigned port, 389. Servers may
+ instead provide a listener on a different port number. Clients MUST
+ support contacting servers on any valid TCP port.
+
+6. Implementation Guidelines
+
+ This document describes an Internet protocol.
+
+6.1. Server Implementations
+
+ The server MUST be capable of recognizing all the mandatory attribute
+ type names and implement the syntaxes specified in [5]. Servers MAY
+ also recognize additional attribute type names.
+
+6.2. Client Implementations
+
+ Clients which request referrals MUST ensure that they do not loop
+ between servers. They MUST NOT repeatedly contact the same server for
+ the same request with the same target entry name, scope and filter.
+ Some clients may be using a counter that is incremented each time
+ referral handling occurs for an operation, and these kinds of clients
+ MUST be able to handle a DIT with at least ten layers of naming
+ contexts between the root and a leaf entry.
+
+ In the absence of prior agreements with servers, clients SHOULD NOT
+ assume that servers support any particular schemas beyond those
+ referenced in section 6.1. Different schemas can have different
+ attribute types with the same names. The client can retrieve the
+ subschema entries referenced by the subschemaSubentry attribute in
+ the server's root DSE or in entries held by the server.
+
+
+
+Wahl, et. al. Standards Track [Page 40]
+
+RFC 2251 LDAPv3 December 1997
+
+
+7. Security Considerations
+
+ When used with a connection-oriented transport, this version of the
+ protocol provides facilities for the LDAP v2 authentication
+ mechanism, simple authentication using a cleartext password, as well
+ as any SASL mechanism [12]. SASL allows for integrity and privacy
+ services to be negotiated.
+
+ It is also permitted that the server can return its credentials to
+ the client, if it chooses to do so.
+
+ Use of cleartext password is strongly discouraged where the
+ underlying transport service cannot guarantee confidentiality and may
+ result in disclosure of the password to unauthorized parties.
+
+ When used with SASL, it should be noted that the name field of the
+ BindRequest is not protected against modification. Thus if the
+ distinguished name of the client (an LDAPDN) is agreed through the
+ negotiation of the credentials, it takes precedence over any value in
+ the unprotected name field.
+
+ Implementations which cache attributes and entries obtained via LDAP
+ MUST ensure that access controls are maintained if that information
+ is to be provided to multiple clients, since servers may have access
+ control policies which prevent the return of entries or attributes in
+ search results except to particular authenticated clients. For
+ example, caches could serve result information only to the client
+ whose request caused it to be cache.
+
+8. Acknowledgements
+
+ This document is an update to RFC 1777, by Wengyik Yeong, Tim Howes,
+ and Steve Kille. Design ideas included in this document are based on
+ those discussed in ASID and other IETF Working Groups. The
+ contributions of individuals in these working groups is gratefully
+ acknowledged.
+
+9. Bibliography
+
+ [1] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models
+ and Service", 1993.
+
+ [2] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory Access
+ Protocol", RFC 1777, March 1995.
+
+ [3] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
+ Specification of Basic Notation", 1994.
+
+
+
+
+Wahl, et. al. Standards Track [Page 41]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ [4] Kille, S., Wahl, M., and T. Howes, "Lightweight Directory Access
+ Protocol (v3): UTF-8 String Representation of Distinguished
+ Names", RFC 2253, December 1997.
+
+ [5] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
+ Directory Access Protocol (v3): Attribute Syntax Definitions",
+ RFC 2252, December 1997.
+
+ [6] ITU-T Rec. X.501, "The Directory: Models", 1993.
+
+ [7] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
+ Resource Locators (URL)", RFC 1738, December 1994.
+
+ [8] ITU-T Rec. X.511, "The Directory: Abstract Service Definition",
+ 1993.
+
+ [9] Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
+ December 1997.
+
+ [10] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", RFC 2119, March 1997.
+
+ [11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic,
+ Canonical, and Distinguished Encoding Rules", 1994.
+
+ [12] Meyers, J., "Simple Authentication and Security Layer",
+ RFC 2222, October 1997.
+
+ [13] Universal Multiple-Octet Coded Character Set (UCS) -
+ Architecture and Basic Multilingual Plane, ISO/IEC 10646-1 :
+ 1993.
+
+ [14] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
+ 10646", RFC 2044, October 1996.
+
+10. Authors' Addresses
+
+ Mark Wahl
+ Critical Angle Inc.
+ 4815 W Braker Lane #502-385
+ Austin, TX 78759
+ USA
+
+ Phone: +1 512 372-3160
+ EMail: M.Wahl@critical-angle.com
+
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 42]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ Tim Howes
+ Netscape Communications Corp.
+ 501 E. Middlefield Rd., MS MV068
+ Mountain View, CA 94043
+ USA
+
+ Phone: +1 650 937-3419
+ EMail: howes@netscape.com
+
+ Steve Kille
+ Isode Limited
+ The Dome, The Square
+ Richmond
+ TW9 1DT
+ UK
+
+ Phone: +44-181-332-9091
+ EMail: S.Kille@isode.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 43]
+
+RFC 2251 LDAPv3 December 1997
+
+
+Appendix A - Complete ASN.1 Definition
+
+ Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
+ IMPLICIT TAGS ::=
+
+ BEGIN
+
+ LDAPMessage ::= SEQUENCE {
+ messageID MessageID,
+ protocolOp CHOICE {
+ bindRequest BindRequest,
+ bindResponse BindResponse,
+ unbindRequest UnbindRequest,
+ searchRequest SearchRequest,
+ searchResEntry SearchResultEntry,
+ searchResDone SearchResultDone,
+ searchResRef SearchResultReference,
+ modifyRequest ModifyRequest,
+ modifyResponse ModifyResponse,
+ addRequest AddRequest,
+ addResponse AddResponse,
+ delRequest DelRequest,
+ delResponse DelResponse,
+ modDNRequest ModifyDNRequest,
+ modDNResponse ModifyDNResponse,
+ compareRequest CompareRequest,
+ compareResponse CompareResponse,
+ abandonRequest AbandonRequest,
+ extendedReq ExtendedRequest,
+ extendedResp ExtendedResponse },
+ controls [0] Controls OPTIONAL }
+
+ MessageID ::= INTEGER (0 .. maxInt)
+
+ maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
+
+ LDAPString ::= OCTET STRING
+
+ LDAPOID ::= OCTET STRING
+
+ LDAPDN ::= LDAPString
+
+ RelativeLDAPDN ::= LDAPString
+
+ AttributeType ::= LDAPString
+
+ AttributeDescription ::= LDAPString
+
+
+
+
+Wahl, et. al. Standards Track [Page 44]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ AttributeDescriptionList ::= SEQUENCE OF
+ AttributeDescription
+
+ AttributeValue ::= OCTET STRING
+
+ AttributeValueAssertion ::= SEQUENCE {
+ attributeDesc AttributeDescription,
+ assertionValue AssertionValue }
+
+ AssertionValue ::= OCTET STRING
+
+ Attribute ::= SEQUENCE {
+ type AttributeDescription,
+ vals SET OF AttributeValue }
+
+ MatchingRuleId ::= LDAPString
+
+ LDAPResult ::= SEQUENCE {
+ resultCode ENUMERATED {
+ success (0),
+ operationsError (1),
+ protocolError (2),
+ timeLimitExceeded (3),
+ sizeLimitExceeded (4),
+ compareFalse (5),
+ compareTrue (6),
+ authMethodNotSupported (7),
+ strongAuthRequired (8),
+ -- 9 reserved --
+ referral (10), -- new
+ adminLimitExceeded (11), -- new
+ unavailableCriticalExtension (12), -- new
+ confidentialityRequired (13), -- new
+ saslBindInProgress (14), -- new
+ noSuchAttribute (16),
+ undefinedAttributeType (17),
+ inappropriateMatching (18),
+ constraintViolation (19),
+ attributeOrValueExists (20),
+ invalidAttributeSyntax (21),
+ -- 22-31 unused --
+ noSuchObject (32),
+ aliasProblem (33),
+ invalidDNSyntax (34),
+ -- 35 reserved for undefined isLeaf --
+ aliasDereferencingProblem (36),
+ -- 37-47 unused --
+ inappropriateAuthentication (48),
+
+
+
+Wahl, et. al. Standards Track [Page 45]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ invalidCredentials (49),
+ insufficientAccessRights (50),
+ busy (51),
+ unavailable (52),
+ unwillingToPerform (53),
+ loopDetect (54),
+ -- 55-63 unused --
+ namingViolation (64),
+ objectClassViolation (65),
+ notAllowedOnNonLeaf (66),
+ notAllowedOnRDN (67),
+ entryAlreadyExists (68),
+ objectClassModsProhibited (69),
+ -- 70 reserved for CLDAP --
+ affectsMultipleDSAs (71), -- new
+ -- 72-79 unused --
+ other (80) },
+ -- 81-90 reserved for APIs --
+ matchedDN LDAPDN,
+ errorMessage LDAPString,
+ referral [3] Referral OPTIONAL }
+
+ Referral ::= SEQUENCE OF LDAPURL
+
+ LDAPURL ::= LDAPString -- limited to characters permitted in URLs
+
+ Controls ::= SEQUENCE OF Control
+
+ Control ::= SEQUENCE {
+ controlType LDAPOID,
+ criticality BOOLEAN DEFAULT FALSE,
+ controlValue OCTET STRING OPTIONAL }
+
+ BindRequest ::= [APPLICATION 0] SEQUENCE {
+ version INTEGER (1 .. 127),
+ name LDAPDN,
+ authentication AuthenticationChoice }
+
+ AuthenticationChoice ::= CHOICE {
+ simple [0] OCTET STRING,
+ -- 1 and 2 reserved
+ sasl [3] SaslCredentials }
+
+ SaslCredentials ::= SEQUENCE {
+ mechanism LDAPString,
+ credentials OCTET STRING OPTIONAL }
+
+ BindResponse ::= [APPLICATION 1] SEQUENCE {
+
+
+
+Wahl, et. al. Standards Track [Page 46]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ COMPONENTS OF LDAPResult,
+ serverSaslCreds [7] OCTET STRING OPTIONAL }
+
+ UnbindRequest ::= [APPLICATION 2] NULL
+
+ SearchRequest ::= [APPLICATION 3] SEQUENCE {
+ baseObject LDAPDN,
+ scope ENUMERATED {
+ baseObject (0),
+ singleLevel (1),
+ wholeSubtree (2) },
+ derefAliases ENUMERATED {
+ neverDerefAliases (0),
+ derefInSearching (1),
+ derefFindingBaseObj (2),
+ derefAlways (3) },
+ sizeLimit INTEGER (0 .. maxInt),
+ timeLimit INTEGER (0 .. maxInt),
+ typesOnly BOOLEAN,
+ filter Filter,
+ attributes AttributeDescriptionList }
+
+ Filter ::= CHOICE {
+ and [0] SET OF Filter,
+ or [1] SET OF Filter,
+ not [2] Filter,
+ equalityMatch [3] AttributeValueAssertion,
+ substrings [4] SubstringFilter,
+ greaterOrEqual [5] AttributeValueAssertion,
+ lessOrEqual [6] AttributeValueAssertion,
+ present [7] AttributeDescription,
+ approxMatch [8] AttributeValueAssertion,
+ extensibleMatch [9] MatchingRuleAssertion }
+
+ SubstringFilter ::= SEQUENCE {
+ type AttributeDescription,
+ -- at least one must be present
+ substrings SEQUENCE OF CHOICE {
+ initial [0] LDAPString,
+ any [1] LDAPString,
+ final [2] LDAPString } }
+
+ MatchingRuleAssertion ::= SEQUENCE {
+ matchingRule [1] MatchingRuleId OPTIONAL,
+ type [2] AttributeDescription OPTIONAL,
+ matchValue [3] AssertionValue,
+ dnAttributes [4] BOOLEAN DEFAULT FALSE }
+
+
+
+
+Wahl, et. al. Standards Track [Page 47]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
+ objectName LDAPDN,
+ attributes PartialAttributeList }
+
+ PartialAttributeList ::= SEQUENCE OF SEQUENCE {
+ type AttributeDescription,
+ vals SET OF AttributeValue }
+
+ SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
+
+ SearchResultDone ::= [APPLICATION 5] LDAPResult
+
+ ModifyRequest ::= [APPLICATION 6] SEQUENCE {
+ object LDAPDN,
+ modification SEQUENCE OF SEQUENCE {
+ operation ENUMERATED {
+ add (0),
+ delete (1),
+ replace (2) },
+ modification AttributeTypeAndValues } }
+
+ AttributeTypeAndValues ::= SEQUENCE {
+ type AttributeDescription,
+ vals SET OF AttributeValue }
+
+ ModifyResponse ::= [APPLICATION 7] LDAPResult
+
+ AddRequest ::= [APPLICATION 8] SEQUENCE {
+ entry LDAPDN,
+ attributes AttributeList }
+
+ AttributeList ::= SEQUENCE OF SEQUENCE {
+ type AttributeDescription,
+ vals SET OF AttributeValue }
+
+ AddResponse ::= [APPLICATION 9] LDAPResult
+
+ DelRequest ::= [APPLICATION 10] LDAPDN
+
+ DelResponse ::= [APPLICATION 11] LDAPResult
+
+ ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
+ entry LDAPDN,
+ newrdn RelativeLDAPDN,
+ deleteoldrdn BOOLEAN,
+ newSuperior [0] LDAPDN OPTIONAL }
+
+ ModifyDNResponse ::= [APPLICATION 13] LDAPResult
+
+
+
+Wahl, et. al. Standards Track [Page 48]
+
+RFC 2251 LDAPv3 December 1997
+
+
+ CompareRequest ::= [APPLICATION 14] SEQUENCE {
+ entry LDAPDN,
+ ava AttributeValueAssertion }
+
+ CompareResponse ::= [APPLICATION 15] LDAPResult
+
+ AbandonRequest ::= [APPLICATION 16] MessageID
+
+ ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
+ requestName [0] LDAPOID,
+ requestValue [1] OCTET STRING OPTIONAL }
+
+ ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
+ COMPONENTS OF LDAPResult,
+ responseName [10] LDAPOID OPTIONAL,
+ response [11] OCTET STRING OPTIONAL }
+
+ END
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 49]
+
+RFC 2251 LDAPv3 December 1997
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1997). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et. al. Standards Track [Page 50]
+