-rw-r--r--  source4/ldap_server/devdocs/Index          10
-rw-r--r--  source4/ldap_server/devdocs/rfc1777.txt  1235
-rw-r--r--  source4/ldap_server/devdocs/rfc1779.txt   451
-rw-r--r--  source4/ldap_server/devdocs/rfc2251.txt  2803
-rw-r--r--  source4/ldap_server/devdocs/rfc2252.txt  1795
-rw-r--r--  source4/ldap_server/devdocs/rfc2253.txt   563
-rw-r--r--  source4/ldap_server/devdocs/rfc2254.txt   451
-rw-r--r--  source4/ldap_server/devdocs/rfc2255.txt   563
-rw-r--r--  source4/ldap_server/devdocs/rfc2256.txt  1123
9 files changed, 1 insertions, 8993 deletions
diff --git a/source4/ldap_server/devdocs/Index b/source4/ldap_server/devdocs/Index
index 6a83af13ac..3be797ea5b 100644
--- a/source4/ldap_server/devdocs/Index
+++ b/source4/ldap_server/devdocs/Index
@@ -1,13 +1,4 @@
-RFC 1777 - Lightweight Directory Access Protocol
-RFC 1778 - The String Representation of Standard Attribute Syntaxes
-RFC 1779 - A String Representation of Distinguished Names
RFC 1823 - The LDAP Application Program Interface
-RFC 2251 - Lightweight Directory Access Protocol (v3)
-RFC 2252 - LDAPv3: Attribute Syntax Definitions
-RFC 2253 - LDAPv3: UTF-8 String Representation of Distinguished Names
-RFC 2254 - The String Representation of LDAP Search Filters
-RFC 2255 - The LDAP URL Format
-RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3
RFC 2307 - An Approach for Using LDAP as a Network Information Service
RFC 2696 - LDAP Control Extension for Simple Paged Results Manipulation
RFC 2849 - The LDAP Data Interchange Format (LDIF) - Technical Specification
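Review bot: this hunk drops nine Index entries (RFC 1777, 1778, 1779 and 2251 through 2256) while the diffstat deletes only eight files (rfc1777.txt, rfc1779.txt and rfc2251.txt through rfc2256.txt); there is no matching removal of an rfc1778.txt. Either that file was never checked in, in which case the line `-RFC 1778 - The String Representation of Standard Attribute Syntaxes` is a stale entry and the removal is correct, or the file is being left behind in devdocs; please confirm which before merging so the Index and the directory contents stay in sync.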
@@ -17,3 +8,4 @@ RFC 3296 - Named Subordinate References in LDAP Directories
Expired but used Draft:
ldapext-ldapv3-vlv-04: LDAP Extensions for Scrolling View Browsing of Search Results
+RFC 4510
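Review bot: the added line `+RFC 4510` breaks the file's `RFC NNNN - Title` convention and lands under the `Expired but used Draft:` heading instead of in the RFC list at the top, where the entries it supersedes were removed. Suggest moving it above that heading and giving it its title, `RFC 4510 - Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map`; since 4510 is only the road map for the LDAPv3 series, it would also help readers of this Index to list the individual companion RFCs the server is meant to follow, in the same format as the other entries.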
diff --git a/source4/ldap_server/devdocs/rfc1777.txt b/source4/ldap_server/devdocs/rfc1777.txt
deleted file mode 100644
index f5593e72a2..0000000000
--- a/source4/ldap_server/devdocs/rfc1777.txt
+++ /dev/null
@@ -1,1235 +0,0 @@
-
-
-
-
-
-
-Network Working Group W. Yeong
-Request for Comments: 1777 Performance Systems International
-Obsoletes: 1487 T. Howes
-Category: Standards Track University of Michigan
- S. Kille
- ISODE Consortium
- March 1995
-
-
- Lightweight Directory Access Protocol
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- The protocol described in this document is designed to provide access
- to the X.500 Directory while not incurring the resource requirements
- of the Directory Access Protocol (DAP). This protocol is specifically
- targeted at simple management applications and browser applications
- that provide simple read/write interactive access to the X.500
- Directory, and is intended to be a complement to the DAP itself.
-
- Key aspects of LDAP are:
-
- - Protocol elements are carried directly over TCP or other transport,
- bypassing much of the session/presentation overhead.
-
- - Many protocol data elements are encoding as ordinary strings (e.g.,
- Distinguished Names).
-
- - A lightweight BER encoding is used to encode all protocol elements.
-
-1. History
-
- The tremendous interest in X.500 [1,2] technology in the Internet has
- lead to efforts to reduce the high "cost of entry" associated with
- use of the technology, such as the Directory Assistance Service [3]
- and DIXIE [4]. While efforts such as these have met with success,
- they have been solutions based on particular implementations and as
- such have limited applicability. This document continues the efforts
- to define Directory protocol alternatives but departs from previous
- efforts in that it consciously avoids dependence on particular
-
-
-
-Yeong, Howes & Kille [Page 1]
-
-RFC 1777 LDAP March 1995
-
-
- implementations.
-
-2. Protocol Model
-
- The general model adopted by this protocol is one of clients
- performing protocol operations against servers. In this model, this
- is accomplished by a client transmitting a protocol request
- describing the operation to be performed to a server, which is then
- responsible for performing the necessary operations on the Directory.
- Upon completion of the necessary operations, the server returns a
- response containing any results or errors to the requesting client.
- In keeping with the goal of easing the costs associated with use of
- the Directory, it is an objective of this protocol to minimize the
- complexity of clients so as to facilitate widespread deployment of
- applications capable of utilizing the Directory.
-
- Note that, although servers are required to return responses whenever
- such responses are defined in the protocol, there is no requirement
- for synchronous behavior on the part of either client or server
- implementations: requests and responses for multiple operations may
- be exchanged by client and servers in any order, as long as clients
- eventually receive a response for every request that requires one.
-
- Consistent with the model of servers performing protocol operations
- on behalf of clients, it is also to be noted that protocol servers
- are expected to handle referrals without resorting to the return of
- such referrals to the client. This protocol makes no provisions for
- the return of referrals to clients, as the model is one of servers
- ensuring the performance of all necessary operations in the
- Directory, with only final results or errors being returned by
- servers to clients.
-
- Note that this protocol can be mapped to a strict subset of the
- directory abstract service, so it can be cleanly provided by the DAP.
-
-3. Mapping Onto Transport Services
-
- This protocol is designed to run over connection-oriented, reliable
- transports, with all 8 bits in an octet being significant in the data
- stream. Specifications for two underlying services are defined here,
- though others are also possible.
-
-3.1. Transmission Control Protocol (TCP)
-
- The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
- Server implementations running over the TCP should provide a protocol
- listener on port 389.
-
-
-
-
-Yeong, Howes & Kille [Page 2]
-
-RFC 1777 LDAP March 1995
-
-
-3.2. Connection Oriented Transport Service (COTS)
-
- The connection is established. No special use of T-Connect is made.
- Each LDAPMessage PDU is mapped directly onto T-Data.
-
-4. Elements of Protocol
-
- For the purposes of protocol exchanges, all protocol operations are
- encapsulated in a common envelope, the LDAPMessage, which is defined
- as follows:
-
- LDAPMessage ::=
- SEQUENCE {
- messageID MessageID,
- protocolOp CHOICE {
- bindRequest BindRequest,
- bindResponse BindResponse,
- unbindRequest UnbindRequest,
- searchRequest SearchRequest,
- searchResponse SearchResponse,
- modifyRequest ModifyRequest,
- modifyResponse ModifyResponse,
- addRequest AddRequest,
- addResponse AddResponse,
- delRequest DelRequest,
- delResponse DelResponse,
- modifyRDNRequest ModifyRDNRequest,
- modifyRDNResponse ModifyRDNResponse,
- compareDNRequest CompareRequest,
- compareDNResponse CompareResponse,
- abandonRequest AbandonRequest
- }
- }
-
- MessageID ::= INTEGER (0 .. maxInt)
-
- The function of the LDAPMessage is to provide an envelope containing
- common fields required in all protocol exchanges. At this time the
- only common field is a message ID, which is required to have a value
- different from the values of any other requests outstanding in the
- LDAP session of which this message is a part.
-
- The message ID value must be echoed in all LDAPMessage envelopes
- encapsulting responses corresponding to the request contained in the
- LDAPMessage in which the message ID value was originally used.
-
- In addition to the LDAPMessage defined above, the following
- definitions are also used in defining protocol operations:
-
-
-
-Yeong, Howes & Kille [Page 3]
-
-RFC 1777 LDAP March 1995
-
-
- LDAPString ::= OCTET STRING
-
- The LDAPString is a notational convenience to indicate that, although
- strings of LDAPString type encode as OCTET STRING types, the legal
- character set in such strings is limited to the IA5 character set.
-
- LDAPDN ::= LDAPString
-
- RelativeLDAPDN ::= LDAPString
-
- An LDAPDN and a RelativeLDAPDN are respectively defined to be the
- representation of a Distinguished Name and a Relative Distinguished
- Name after encoding according to the specification in [5], such that
-
- <distinguished-name> ::= <name>
-
- <relative-distinguished-name> ::= <name-component>
-
- where <name> and <name-component> are as defined in [5].
-
- AttributeValueAssertion ::=
- SEQUENCE {
- attributeType AttributeType,
- attributeValue AttributeValue
- }
-
- The AttributeValueAssertion type definition is similar to the one in
- the X.500 Directory standards.
-
- AttributeType ::= LDAPString
-
- AttributeValue ::= OCTET STRING
-
- An AttributeType value takes on as its value the textual string
- associated with that AttributeType in the X.500 Directory standards.
- For example, the AttributeType 'organizationName' with object
- identifier 2.5.4.10 is represented as an AttributeType in this
- protocol by the string "organizationName". In the event that a
- protocol implementation encounters an Attribute Type with which it
- cannot associate a textual string, an ASCII string encoding of the
- object identifier associated with the Attribute Type may be
- subsitituted. For example, the organizationName AttributeType may be
- represented by the ASCII string "2.5.4.10" if a protocol
- implementation is unable to associate the string "organizationName"
- with it.
-
-
-
-
-
-
-Yeong, Howes & Kille [Page 4]
-
-RFC 1777 LDAP March 1995
-
-
- A field of type AttributeValue takes on as its value an octet string
- encoding of a Directory AttributeValue type. The definition of these
- string encodings for different Directory AttributeValue types may be
- found in companions to this document that define the encodings of
- various attribute syntaxes such as [6].
-
- LDAPResult ::=
- SEQUENCE {
- resultCode ENUMERATED {
- success (0),
- operationsError (1),
- protocolError (2),
- timeLimitExceeded (3),
- sizeLimitExceeded (4),
- compareFalse (5),
- compareTrue (6),
- authMethodNotSupported (7),
- strongAuthRequired (8),
- noSuchAttribute (16),
- undefinedAttributeType (17),
- inappropriateMatching (18),
- constraintViolation (19),
- attributeOrValueExists (20),
- invalidAttributeSyntax (21),
- noSuchObject (32),
- aliasProblem (33),
- invalidDNSyntax (34),
- isLeaf (35),
- aliasDereferencingProblem (36),
- inappropriateAuthentication (48),
- invalidCredentials (49),
- insufficientAccessRights (50),
- busy (51),
- unavailable (52),
- unwillingToPerform (53),
- loopDetect (54),
- namingViolation (64),
- objectClassViolation (65),
- notAllowedOnNonLeaf (66),
- notAllowedOnRDN (67),
- entryAlreadyExists (68),
- objectClassModsProhibited (69),
- other (80)
- },
- matchedDN LDAPDN,
- errorMessage LDAPString
- }
-
-
-
-
-Yeong, Howes & Kille [Page 5]
-
-RFC 1777 LDAP March 1995
-
-
- The LDAPResult is the construct used in this protocol to return
- success or failure indications from servers to clients. In response
- to various requests, servers will return responses containing fields
- of type LDAPResult to indicate the final status of a protocol
- operation request. The errorMessage field of this construct may, at
- the servers option, be used to return an ASCII string containing a
- textual, human-readable error diagnostic. As this error diagnostic is
- not standardized, implementations should not rely on the values
- returned. If the server chooses not to return a textual diagnostic,
- the errorMessage field of the LDAPResult type should contain a zero
- length string.
-
- For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax,
- isLeaf, and aliasDereferencingProblem, the matchedDN field is set to
- the name of the lowest entry (object or alias) in the DIT that was
- matched and is a truncated form of the name provided or, if an alias
- has been dereferenced, of the resulting name. The matchedDN field
- should be set to NULL DN (a zero length string) in all other cases.
-
-4.1. Bind Operation
-
- The function of the Bind Operation is to initiate a protocol session
- between a client and a server, and to allow the authentication of the
- client to the server. The Bind Operation must be the first operation
- request received by a server from a client in a protocol session.
- The Bind Request is defined as follows:
-
- BindRequest ::=
- [APPLICATION 0] SEQUENCE {
- version INTEGER (1 .. 127),
- name LDAPDN,
- authentication CHOICE {
- simple [0] OCTET STRING,
- krbv42LDAP [1] OCTET STRING,
- krbv42DSA [2] OCTET STRING
- }
- }
-
- Parameters of the Bind Request are:
-
- - version: A version number indicating the version of the protocol to
- be used in this protocol session. This document describes version
- 2 of the LDAP protocol. Note that there is no version negotiation,
- and the client should just set this parameter to the version it
- desires.
-
-
-
-
-
-
-Yeong, Howes & Kille [Page 6]
-
-RFC 1777 LDAP March 1995
-
-
- - name: The name of the Directory object that the client wishes to
- bind as. This field may take on a null value (a zero length
- string) for the purposes of anonymous binds.
-
- - authentication: information used to authenticate the name, if any,
- provided in the Bind Request. The "simple" authentication option
- provides minimal authentication facilities, with the contents of
- the authentication field consisting only of a cleartext password.
- This option should also be used when unauthenticated or anonymous
- binds are to be performed, with the field containing a zero length
- string in such cases. Kerberos version 4 [7] authentication to the
- LDAP server and the DSA is accomplished by using the "krbv42LDAP"
- and "krbv42DSA" authentication options, respectively. Note that
- though they are referred to as separate entities here, there is no
- requirement these two entities be distinct (i.e., a DSA could speak
- LDAP directly). Two separate authentication options are provided
- to support all implementations. Each octet string should contain
- the kerberos ticket (e.g., as returned by krb_mk_req()) for the
- appropriate service. The suggested service name for authentication
- to the LDAP server is "ldapserver". The suggested service name for
- authentication to the DSA is "x500dsa". In both cases, the
- suggested instance name for the service is the name of the host on
- which the service is running. Of course, the actual service names
- and instances will depend on what is entered in the local kerberos
- principle database.
-
- The Bind Operation requires a response, the Bind Response, which is
- defined as:
-
- BindResponse ::= [APPLICATION 1] LDAPResult
-
- A Bind Response consists simply of an indication from the server of
- the status of the client's request for the initiation of a protocol
- session.
-
- Upon receipt of a Bind Request, a protocol server will authenticate
- the requesting client if necessary, and attempt to set up a protocol
- session with that client. The server will then return a Bind Response
- to the client indicating the status of the session setup request.
-
-4.2. Unbind Operation
-
- The function of the Unbind Operation is to terminate a protocol
- session. The Unbind Operation is defined as follows:
-
- UnbindRequest ::= [APPLICATION 2] NULL
-
-
-
-
-
-Yeong, Howes & Kille [Page 7]
-
-RFC 1777 LDAP March 1995
-
-
- The Unbind Operation has no response defined. Upon transmission of an
- UnbindRequest, a protocol client may assume that the protocol session
- is terminated. Upon receipt of an UnbindRequest, a protocol server
- may assume that the requesting client has terminated the session and
- that all outstanding requests may be discarded.
-
-4.3. Search Operation
-
- The Search Operation allows a client to request that a search be
- performed on its behalf by a server. The Search Request is defined as
- follows:
-
- SearchRequest ::=
- [APPLICATION 3] SEQUENCE {
- baseObject LDAPDN,
- scope ENUMERATED {
- baseObject (0),
- singleLevel (1),
- wholeSubtree (2)
- },
- derefAliases ENUMERATED {
- neverDerefAliases (0),
- derefInSearching (1),
- derefFindingBaseObj (2),
- derefAlways (3)
- },
- sizeLimit INTEGER (0 .. maxInt),
- timeLimit INTEGER (0 .. maxInt),
- attrsOnly BOOLEAN,
- filter Filter,
- attributes SEQUENCE OF AttributeType
- }
-
- Filter ::=
- CHOICE {
- and [0] SET OF Filter,
- or [1] SET OF Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeType,
- approxMatch [8] AttributeValueAssertion
- }
-
- SubstringFilter
- SEQUENCE {
-
-
-
-Yeong, Howes & Kille [Page 8]
-
-RFC 1777 LDAP March 1995
-
-
- type AttributeType,
- SEQUENCE OF CHOICE {
- initial [0] LDAPString,
- any [1] LDAPString,
- final [2] LDAPString
- }
- }
-
- Parameters of the Search Request are:
-
- - baseObject: An LDAPDN that is the base object entry relative to
- which the search is to be performed.
-
- - scope: An indicator of the scope of the search to be performed. The
- semantics of the possible values of this field are identical to the
- semantics of the scope field in the Directory Search Operation.
-
- - derefAliases: An indicator as to how alias objects should be
- handled in searching. The semantics of the possible values of
- this field are, in order of increasing value:
-
- neverDerefAliases: do not dereference aliases in searching
- or in locating the base object of the search;
-
- derefInSearching: dereference aliases in subordinates of
- the base object in searching, but not in locating the
- base object of the search;
-
- derefFindingBaseObject: dereference aliases in locating
- the base object of the search, but not when searching
- subordinates of the base object;
-
- derefAlways: dereference aliases both in searching and in
- locating the base object of the search.
-
- - sizelimit: A sizelimit that restricts the maximum number of entries
- to be returned as a result of the search. A value of 0 in this
- field indicates that no sizelimit restrictions are in effect for
- the search.
-
- - timelimit: A timelimit that restricts the maximum time (in seconds)
- allowed for a search. A value of 0 in this field indicates that no
- timelimit restrictions are in effect for the search.
-
- - attrsOnly: An indicator as to whether search results should contain
- both attribute types and values, or just attribute types. Setting
- this field to TRUE causes only attribute types (no values) to be
- returned. Setting this field to FALSE causes both attribute types
-
-
-
-Yeong, Howes & Kille [Page 9]
-
-RFC 1777 LDAP March 1995
-
-
- and values to be returned.
-
- - filter: A filter that defines the conditions that must be fulfilled
- in order for the search to match a given entry.
-
- - attributes: A list of the attributes from each entry found as a
- result of the search to be returned. An empty list signifies that
- all attributes from each entry found in the search are to be
- returned.
-
- The results of the search attempted by the server upon receipt of a
- Search Request are returned in Search Responses, defined as follows:
-
- Search Response ::=
- CHOICE {
- entry [APPLICATION 4] SEQUENCE {
- objectName LDAPDN,
- attributes SEQUENCE OF SEQUENCE {
- AttributeType,
- SET OF AttributeValue
- }
- },
- resultCode [APPLICATION 5] LDAPResult
- }
-
- Upon receipt of a Search Request, a server will perform the necessary
- search of the DIT.
-
- The server will return to the client a sequence of responses
- comprised of:
-
- - Zero or more Search Responses each consisting of an entry found
- during the search; with the response sequence terminated by
-
- - A single Search Response containing an indication of success, or
- detailing any errors that have occurred.
-
- Each entry returned will contain all attributes, complete with
- associated values if necessary, as specified in the 'attributes'
- field of the Search Request.
-
- Note that an X.500 "list" operation can be emulated by a one-level
- LDAP search operation with a filter checking for the existence of the
- objectClass attribute, and that an X.500 "read" operation can be
- emulated by a base object LDAP search operation with the same filter.
-
-
-
-
-
-
-Yeong, Howes & Kille [Page 10]
-
-RFC 1777 LDAP March 1995
-
-
-4.4. Modify Operation
-
- The Modify Operation allows a client to request that a modification
- of the DIB be performed on its behalf by a server. The Modify
- Request is defined as follows:
-
-ModifyRequest ::=
- [APPLICATION 6] SEQUENCE {
- object LDAPDN,
- modification SEQUENCE OF SEQUENCE {
- operation ENUMERATED {
- add (0),
- delete (1),
- replace (2)
- },
- modification SEQUENCE {
- type AttributeType,
- values SET OF
- AttributeValue
- }
- }
- }
-
- Parameters of the Modify Request are:
-
- - object: The object to be modified. The value of this field should
- name the object to be modified after all aliases have been
- dereferenced. The server will not perform any alias dereferencing
- in determining the object to be modified.
-
- - A list of modifications to be performed on the entry to be modified.
- The entire list of entry modifications should be performed
- in the order they are listed, as a single atomic operation. While
- individual modifications may violate the Directory schema, the
- resulting entry after the entire list of modifications is performed
- must conform to the requirements of the Directory schema. The
- values that may be taken on by the 'operation' field in each
- modification construct have the following semantics respectively:
-
- add: add values listed to the given attribute, creating
- the attribute if necessary;
-
- delete: delete values listed from the given attribute,
-
- removing the entire attribute if no values are listed, or
- if all current values of the attribute are listed for
- deletion;
-
-
-
-
-Yeong, Howes & Kille [Page 11]
-
-RFC 1777 LDAP March 1995
-
-
- replace: replace existing values of the given attribute
- with the new values listed, creating the attribute if
- necessary.
-
- The result of the modify attempted by the server upon receipt of a
- Modify Request is returned in a Modify Response, defined as follows:
-
- ModifyResponse ::= [APPLICATION 7] LDAPResult
-
- Upon receipt of a Modify Request, a server will perform the necessary
- modifications to the DIB.
-
- The server will return to the client a single Modify Response
- indicating either the successful completion of the DIB modification,
- or the reason that the modification failed. Note that due to the
- requirement for atomicity in applying the list of modifications in
- the Modify Request, the client may expect that no modifications of
- the DIB have been performed if the Modify Response received indicates
- any sort of error, and that all requested modifications have been
- performed if the Modify Response indicates successful completion of
- the Modify Operation.
-
-4.5. Add Operation
-
- The Add Operation allows a client to request the addition of an entry
- into the Directory. The Add Request is defined as follows:
-
- AddRequest ::=
- [APPLICATION 8] SEQUENCE {
- entry LDAPDN,
- attrs SEQUENCE OF SEQUENCE {
- type AttributeType,
- values SET OF AttributeValue
- }
- }
-
- Parameters of the Add Request are:
-
- - entry: the Distinguished Name of the entry to be added. Note that
- all components of the name except for the last RDN component must
- exist for the add to succeed.
-
- - attrs: the list of attributes that make up the content of the entry
- being added.
-
- The result of the add attempted by the server upon receipt of a Add
- Request is returned in the Add Response, defined as follows:
-
-
-
-
-Yeong, Howes & Kille [Page 12]
-
-RFC 1777 LDAP March 1995
-
-
- AddResponse ::= [APPLICATION 9] LDAPResult
-
- Upon receipt of an Add Request, a server will attempt to perform the
- add requested. The result of the add attempt will be returned to the
- client in the Add Response.
-
-4.6. Delete Operation
-
- The Delete Operation allows a client to request the removal of an
- entry from the Directory. The Delete Request is defined as follows:
-
- DelRequest ::= [APPLICATION 10] LDAPDN
-
- The Delete Request consists only of the Distinguished Name of the
- entry to be deleted. The result of the delete attempted by the
- server upon receipt of a Delete Request is returned in the Delete
- Response, defined as follows:
-
- DelResponse ::= [APPLICATION 11] LDAPResult
-
- Upon receipt of a Delete Request, a server will attempt to perform
- the entry removal requested. The result of the delete attempt will be
- returned to the client in the Delete Response. Note that only leaf
- objects may be deleted with this operation.
-
-4.7. Modify RDN Operation
-
- The Modify RDN Operation allows a client to change the last component
- of the name of an entry in the Directory. The Modify RDN Request is
- defined as follows:
-
- ModifyRDNRequest ::=
- [APPLICATION 12] SEQUENCE {
- entry LDAPDN,
- newrdn RelativeLDAPDN,
- deleteoldrdn BOOLEAN
- }
-
- Parameters of the Modify RDN Request are:
-
- - entry: the name of the entry to be changed.
-
- - newrdn: the RDN that will form the last component of the new name.
-
- - deleteoldrdn: a boolean parameter that controls whether the old RDN
- attribute values should be retained as attributes of the entry or
- deleted from the entry.
-
-
-
-
-Yeong, Howes & Kille [Page 13]
-
-RFC 1777 LDAP March 1995
-
-
- The result of the name change attempted by the server upon receipt of
- a Modify RDN Request is returned in the Modify RDN Response, defined
- as follows:
-
- ModifyRDNResponse ::= [APPLICATION 13] LDAPResult
-
- Upon receipt of a Modify RDN Request, a server will attempt to
- perform the name change. The result of the name change attempt will
- be returned to the client in the Modify RDN Response. The attributes
- that make up the old RDN are deleted from the entry, or kept,
- depending on the setting of the deleteoldrdn parameter.
-
-4.8. Compare Operation
-
- The Compare Operation allows a client to compare an assertion
- provided with an entry in the Directory. The Compare Request is
- defined as follows:
-
- CompareRequest ::=
- [APPLICATION 14] SEQUENCE {
- entry LDAPDN,
- ava AttributeValueAssertion
- }
-
- Parameters of the Compare Request are:
-
- - entry: the name of the entry to be compared with.
-
- - ava: the assertion with which the entry is to be compared.
-
- The result of the compare attempted by the server upon receipt of a
- Compare Request is returned in the Compare Response, defined as
- follows:
-
- CompareResponse ::= [APPLICATION 15] LDAPResult
-
- Upon receipt of a Compare Request, a server will attempt to perform
- the requested comparison. The result of the comparison will be
- returned to the client in the Compare Response. Note that errors and
- the result of comparison are all returned in the same construct.
-
-6.9. Abandon Operation
-
- The function of the Abandon Operation is to allow a client to request
- that the server abandon an outstanding operation. The Abandon
- Request is defined as follows:
-
- AbandonRequest ::= [APPLICATION 16] MessageID
-
-
-
-Yeong, Howes & Kille [Page 14]
-
-RFC 1777 LDAP March 1995
-
-
- There is no response defined in the Abandon Operation. Upon
- transmission of an Abandon Operation, a client may expect that the
- operation identityfied by the Message ID in the Abandon Request has
- been abandoned. In the event that a server receives an Abandon
- Request on a Search Operation in the midst of transmitting responses
- to that search, that server should cease transmitting responses to
- the abandoned search immediately.
-
-5. Protocol Element Encodings
-
- The protocol elements of LDAP are encoded for exchange using the
- Basic Encoding Rules (BER) [12] of ASN.1 [11]. However, due to the
- high overhead involved in using certain elements of the BER, the
- following additional restrictions are placed on BER-encodings of LDAP
- protocol elements:
-
- (1) Only the definite form of length encoding will be used.
-
- (2) Bitstrings and octet strings and all character string types
- will be encoded in the primitive form only.
-
-6. Security Considerations
-
- This version of the protocol provides facilities only for simple
- authentication using a cleartext password, and for kerberos version 4
- authentication. Future versions of LDAP will likely include support
- for other authentication methods.
-
-7. Bibliography
-
- [1] The Directory: Overview of Concepts, Models and Service. CCITT
- Recommendation X.500, 1988.
-
- [2] Information Processing Systems -- Open Systems Interconnection --
- The Directory: Overview of Concepts, Models and Service. ISO/IEC
- JTC 1/SC21; International Standard 9594-1, 1988
-
- [3] Rose, M., "Directory Assistance Service", RFC 1202, Performance
- Systems International, Inc., February 1991.
-
- [4] Howes, T., Smith, M., and B. Beecher, "DIXIE Protocol
- Specification, RFC 1249, University of Michigan, August 1991.
-
- [5] Kille, S., "A String Representation of Distinguished Names", RFC
- 1779, ISODE Consortium, March 1995.
-
-
-
-
-
-
-Yeong, Howes & Kille [Page 15]
-
-RFC 1777 LDAP March 1995
-
-
- [6] Howes, T., Kille, S., Yeong, W., and C. Robbins, "Lightweight
- Directory Access Protocol", RFC 1488, University of Michigan,
- ISODE Consortium, Performance Systems International, NeXor Ltd.,
- July 1993.
-
- [7] Kerberos Authentication and Authorization System. S.P. Miller,
- B.C. Neuman, J.I. Schiller, J.H. Saltzer; MIT Project Athena
- Documentation Section E.2.1, December 1987.
-
- [8] The Directory: Models. CCITT Recommendation X.501 ISO/IEC JTC
- 1/SC21; International Standard 9594-2, 1988.
-
- [10] The Directory: Abstract Service Definition. CCITT Recommendation
- X.511, ISO/IEC JTC 1/SC21; International Standard 9594-3, 1988.
-
- [11] Specification of Abstract Syntax Notation One (ASN.1). CCITT
- Recommendation X.208, 1988.
-
- [12] Specification of Basic Encoding Rules for Abstract Syntax
- Notation One (ASN.1). CCITT Recommendation X.209, 1988.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Yeong, Howes & Kille [Page 16]
-
-RFC 1777 LDAP March 1995
-
-
-10. Authors' Addresses
-
- Wengyik Yeong
- PSI Inc.
- 510 Huntmar Park Drive
- Herndon, VA 22070
- USA
-
- Phone: +1 703-450-8001
- EMail: yeongw@psilink.com
-
-
- Tim Howes
- University of Michigan
- ITD Research Systems
- 535 W William St.
- Ann Arbor, MI 48103-4943
- USA
-
- Phone: +1 313 747-4454
- EMail: tim@umich.edu
-
-
- Steve Kille
- ISODE Consortium
- PO Box 505
- London
- SW11 1DX
- UK
-
- Phone: +44-71-223-4062
- EMail: S.Kille@isode.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Yeong, Howes & Kille [Page 17]
-
-RFC 1777 LDAP March 1995
-
-
-Appendix A - Complete ASN.1 Definition
-
-Lightweight-Directory-Access-Protocol DEFINITIONS IMPLICIT TAGS ::=
-
-BEGIN
-
-LDAPMessage ::=
- SEQUENCE {
- messageID MessageID,
- -- unique id in request,
- -- to be echoed in response(s)
- protocolOp CHOICE {
- searchRequest SearchRequest,
- searchResponse SearchResponse,
- modifyRequest ModifyRequest,
- modifyResponse ModifyResponse,
- addRequest AddRequest,
- addResponse AddResponse,
- delRequest DelRequest,
- delResponse DelResponse,
- modifyDNRequest ModifyDNRequest,
- modifyDNResponse ModifyDNResponse,
- compareDNRequest CompareRequest,
- compareDNResponse CompareResponse,
- bindRequest BindRequest,
- bindResponse BindResponse,
- abandonRequest AbandonRequest,
- unbindRequest UnbindRequest
- }
- }
-
-BindRequest ::=
- [APPLICATION 0] SEQUENCE {
- version INTEGER (1 .. 127),
- -- current version is 2
- name LDAPDN,
- -- null name implies an anonymous bind
- authentication CHOICE {
- simple [0] OCTET STRING,
- -- a zero length octet string
- -- implies an unauthenticated
- -- bind.
- krbv42LDAP [1] OCTET STRING,
- krbv42DSA [2] OCTET STRING
- -- values as returned by
- -- krb_mk_req()
- -- Other values in later versions
- -- of this protocol.
-
-
-
-Yeong, Howes & Kille [Page 18]
-
-RFC 1777 LDAP March 1995
-
-
- }
- }
-
-BindResponse ::= [APPLICATION 1] LDAPResult
-
-UnbindRequest ::= [APPLICATION 2] NULL
-
-SearchRequest ::=
- [APPLICATION 3] SEQUENCE {
- baseObject LDAPDN,
- scope ENUMERATED {
- baseObject (0),
- singleLevel (1),
- wholeSubtree (2)
- },
- derefAliases ENUMERATED {
- neverDerefAliases (0),
- derefInSearching (1),
- derefFindingBaseObj (2),
- alwaysDerefAliases (3)
- },
- sizeLimit INTEGER (0 .. maxInt),
- -- value of 0 implies no sizelimit
- timeLimit INTEGER (0 .. maxInt),
- -- value of 0 implies no timelimit
- attrsOnly BOOLEAN,
- -- TRUE, if only attributes (without values)
- -- to be returned.
- filter Filter,
- attributes SEQUENCE OF AttributeType
- }
-
-SearchResponse ::=
- CHOICE {
- entry [APPLICATION 4] SEQUENCE {
- objectName LDAPDN,
- attributes SEQUENCE OF SEQUENCE {
- AttributeType,
- SET OF
- AttributeValue
- }
- },
- resultCode [APPLICATION 5] LDAPResult
- }
-
-ModifyRequest ::=
- [APPLICATION 6] SEQUENCE {
- object LDAPDN,
-
-
-
-Yeong, Howes & Kille [Page 19]
-
-RFC 1777 LDAP March 1995
-
-
- modifications SEQUENCE OF SEQUENCE {
- operation ENUMERATED {
- add (0),
- delete (1),
- replace (2)
- },
- modification SEQUENCE {
- type AttributeType,
- values SET OF
- AttributeValue
- }
- }
- }
-
-
-ModifyResponse ::= [APPLICATION 7] LDAPResult
-
-AddRequest ::=
- [APPLICATION 8] SEQUENCE {
- entry LDAPDN,
- attrs SEQUENCE OF SEQUENCE {
- type AttributeType,
- values SET OF AttributeValue
- }
- }
-
-AddResponse ::= [APPLICATION 9] LDAPResult
-
-DelRequest ::= [APPLICATION 10] LDAPDN
-
-DelResponse ::= [APPLICATION 11] LDAPResult
-
-ModifyRDNRequest ::=
- [APPLICATION 12] SEQUENCE {
- entry LDAPDN,
- newrdn RelativeLDAPDN -- old RDN always deleted
- }
-
-ModifyRDNResponse ::= [APPLICATION 13] LDAPResult
-
-CompareRequest ::=
- [APPLICATION 14] SEQUENCE {
- entry LDAPDN,
- ava AttributeValueAssertion
- }
-
-CompareResponse ::= [APPLICATION 15] LDAPResult
-
-
-
-
-Yeong, Howes & Kille [Page 20]
-
-RFC 1777 LDAP March 1995
-
-
-AbandonRequest ::= [APPLICATION 16] MessageID
-
-MessageID ::= INTEGER (0 .. maxInt)
-
-LDAPDN ::= LDAPString
-
-RelativeLDAPDN ::= LDAPString
-
-Filter ::=
- CHOICE {
- and [0] SET OF Filter,
- or [1] SET OF Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeType,
- approxMatch [8] AttributeValueAssertion
- }
-
-LDAPResult ::=
- SEQUENCE {
- resultCode ENUMERATED {
- success (0),
- operationsError (1),
- protocolError (2),
- timeLimitExceeded (3),
- sizeLimitExceeded (4),
- compareFalse (5),
- compareTrue (6),
- authMethodNotSupported (7),
- strongAuthRequired (8),
- noSuchAttribute (16),
- undefinedAttributeType (17),
- inappropriateMatching (18),
- constraintViolation (19),
- attributeOrValueExists (20),
- invalidAttributeSyntax (21),
- noSuchObject (32),
- aliasProblem (33),
- invalidDNSyntax (34),
- isLeaf (35),
- aliasDereferencingProblem (36),
- inappropriateAuthentication (48),
- invalidCredentials (49),
- insufficientAccessRights (50),
- busy (51),
-
-
-
-Yeong, Howes & Kille [Page 21]
-
-RFC 1777 LDAP March 1995
-
-
- unavailable (52),
- unwillingToPerform (53),
- loopDetect (54),
- namingViolation (64),
- objectClassViolation (65),
- notAllowedOnNonLeaf (66),
- notAllowedOnRDN (67),
- entryAlreadyExists (68),
- objectClassModsProhibited (69),
- other (80)
- },
- matchedDN LDAPDN,
- errorMessage LDAPString
- }
-
-AttributeType ::= LDAPString
- -- text name of the attribute, or dotted
- -- OID representation
-
-AttributeValue ::= OCTET STRING
-
-AttributeValueAssertion ::=
- SEQUENCE {
- attributeType AttributeType,
- attributeValue AttributeValue
- }
-
-SubstringFilter ::=
- SEQUENCE {
- type AttributeType,
- SEQUENCE OF CHOICE {
- initial [0] LDAPString,
- any [1] LDAPString,
- final [2] LDAPString
- }
- }
-
-LDAPString ::= OCTET STRING
-
-maxInt INTEGER ::= 65535
-END
-
-
-
-
-
-
-
-
-
-
-Yeong, Howes & Kille [Page 22]
-
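Review bot: Removing this file drops the only in-tree copy of the LDAPv2 definitions that the server still has to interoperate with, in particular the BindRequest shape (version INTEGER (1 .. 127), a zero-length simple OCTET STRING meaning an unauthenticated bind, the krbv42LDAP/krbv42DSA choices) and the LDAPResult code enumeration and maxInt ::= 65535 in Appendix A; any comments in source4/ldap_server that cite RFC 1777 by section or page for these values should be re-pointed at the published RFC text or its LDAPv3 successor so the "zero length octet string implies an unauthenticated bind" rule, which the bind handler must keep treating as anonymous rather than as a valid password, stays traceable.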
diff --git a/source4/ldap_server/devdocs/rfc1779.txt b/source4/ldap_server/devdocs/rfc1779.txt
deleted file mode 100644
index a487e9e788..0000000000
--- a/source4/ldap_server/devdocs/rfc1779.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Kille
-Request for Comments: 1779 ISODE Consortium
-Obsoletes: 1485 March 1995
-Category: Standards Track
-
-
- A String Representation of Distinguished Names
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- The OSI Directory uses distinguished names as the primary keys to
- entries in the directory. Distinguished Names are encoded in ASN.1.
- When a distinguished name is communicated between to users not using
- a directory protocol (e.g., in a mail message), there is a need to
- have a user-oriented string representation of distinguished name.
- This specification defines a string format for representing names,
- which is designed to give a clean representation of commonly used
- names, whilst being able to represent any distinguished name.
-
-Table of Contents
-
- 1. Why a notation is needed ................................... 2
- 2. A notation for Distinguished Name .......................... 2
- 2.1 Goals ................................................ 2
- 2.2 Informal definition .................................. 2
- 2.3 Formal definition .................................... 4
- 3. Examples ................................................... 6
- 4. Acknowledgements ........................................... 7
- 5. References ................................................. 7
- 6. Security Considerations .................................... 8
- 7. Author's Address ........................................... 8
-
-
-
-
-
-
-
-
-
-
-
-
-Kille [Page 1]
-
-RFC 1779 DN Representation March 1995
-
-
-1. Why a notation is needed
-
- Many OSI Applications make use of Distinguished Names (DN) as defined
- in the OSI Directory, commonly known as X.500 [1]. This
- specification assumes familiarity with X.500, and the concept of
- Distinguished Name. It is important to have a common format to be
- able to unambiguously represent a distinguished name. This might be
- done to represent a directory name on a business card or in an email
- message. There is a need for a format to support human to human
- communication, which must be string based (not ASN.1) and user
- oriented. This notation is targeted towards a general user oriented
- system, and in particular to represent the names of humans. Other
- syntaxes may be more appropriate for other uses of the directory.
- For example, the OSF Syntax may be more appropriate for some system
- oriented uses. (The OSF Syntax uses "/" as a separator, and forms
- names in a manner intended to resemble UNIX filenames).
-
-2. A notation for Distinguished Name
-
-2.1 Goals
-
- The following goals are laid out:
-
- o To provide an unambiguous representation of a distinguished name
-
- o To be an intuitive format for the majority of names
-
- o To be fully general, and able to represent any distinguished name
-
- o To be amenable to a number of different layouts to achieve an
- attractive representation.
-
- o To give a clear representation of the contents of the
- distinguished name
-
-2.2 Informal definition
-
- This notation is designed to be convenient for common forms of name.
- Some examples are given. The author's directory distinguished name
- would be written:
-
- CN=Steve Kille,
- O=ISODE Consortium, C=GB
-
-
-
-
-
-
-
-
-Kille [Page 2]
-
-RFC 1779 DN Representation March 1995
-
-
- This may be folded, perhaps to display in multi-column format. For
- example:
-
- CN=Steve Kille,
- O=ISODE Consortium,
- C=GB
-
- Another name might be:
-
- CN=Christian Huitema, O=INRIA, C=FR
-
- Semicolon (";") may be used as an alternate separator. The
- separators may be mixed, but this usage is discouraged.
-
- CN=Christian Huitema; O=INRIA; C=FR
-
- In running text, this would be written as <CN=Christian Huitema;
- O=INRIA; C=FR>. Another example, shows how different attribute types
- are handled:
-
- CN=James Hacker,
- L=Basingstoke,
- O=Widget Inc,
- C=GB
-
- Here is an example of a multi-valued Relative Distinguished Name,
- where the namespace is flat within an organisation, and department is
- used to disambiguate certain names:
-
- OU=Sales + CN=J. Smith, O=Widget Inc., C=US
-
- The final examples show both methods quoting of a comma in an
- Organisation name:
-
- CN=L. Eagle, O="Sue, Grabbit and Runn", C=GB
-
- CN=L. Eagle, O=Sue\, Grabbit and Runn, C=GB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kille [Page 3]
-
-RFC 1779 DN Representation March 1995
-
-
-2.3 Formal definition
-
- A formal definition can now be given. The structure is specified in
- a BNF grammar in Figure 1. This BNF uses the grammar defined in RFC
- 822, with the terminals enclosed in <> [2]. This definition is in an
- abstract character set, and so may be written in any character set
- supporting the explicitly defined special characters. The quoting
- mechanism is used for the following cases:
-
- o Strings containing ",", "+", "=" or """ , <CR>, "<",
- ">", "#", or ";".
-
- o Strings with leading or trailing spaces
-
- o Strings containing consecutive spaces
-
- There is an escape mechanism from the normal user oriented form, so
- that this syntax may be used to print any valid distinguished name.
- This is ugly. It is expected to be used only in pathological cases.
- There are two parts to this mechanism:
-
- 1. Attributes types are represented in a (big-endian) dotted
- notation. (e.g., OID.2.6.53).
-
- 2. Attribute values are represented in hexadecimal (e.g. #0A56CF).
- Each pair of hex digits defines an octet, which is the ASN.1 Basic
- Encoding Rules value of the Attribute Value.
-
- The keyword specification is optional in the BNF, but mandatory for
- this specification. This is so that the same BNF may be used for the
- related specification on User Friendly Naming [5]. When this
- specification is followed, the attribute type keywords must always be
- present.
-
- A list of valid keywords for well known attribute types used in
- naming is given in Table 1. Keywords may contain spaces, but shall
- not have leading or trailing spaces. This is a list of keywords
- which must be supported. These are chosen because they appear in
- common forms of name, and can do so in a place which does not
- correspond to the default schema used. A register of valid keywords
- is maintained by the IANA.
-
-
-
-
-
-
-
-
-
-
-Kille [Page 4]
-
-RFC 1779 DN Representation March 1995
-
-
- <name> ::= <name-component> ( <spaced-separator> )
- | <name-component> <spaced-separator> <name>
-
- <spaced-separator> ::= <optional-space>
- <separator>
- <optional-space>
-
- <separator> ::= "," | ";"
-
- <optional-space> ::= ( <CR> ) *( " " )
-
- <name-component> ::= <attribute>
- | <attribute> <optional-space> "+"
- <optional-space> <name-component>
-
- <attribute> ::= <string>
- | <key> <optional-space> "=" <optional-space> <string>
-
- <key> ::= 1*( <keychar> ) | "OID." <oid> | "oid." <oid>
- <keychar> ::= letters, numbers, and space
-
- <oid> ::= <digitstring> | <digitstring> "." <oid>
- <digitstring> ::= 1*<digit>
- <digit> ::= digits 0-9
-
- <string> ::= *( <stringchar> | <pair> )
- | '"' *( <stringchar> | <special> | <pair> ) '"'
- | "#" <hex>
-
-
- <special> ::= "," | "=" | <CR> | "+" | "<" | ">"
- | "#" | ";"
-
- <pair> ::= "\" ( <special> | "\" | '"')
- <stringchar> ::= any character except <special> or "\" or '"'
-
-
- <hex> ::= 2*<hexchar>
- <hexchar> ::= 0-9, a-f, A-F
-
-
-
- Figure 1: BNF Grammar for Distinguished Name
-
-
-
-
-
-
-
-
-Kille [Page 5]
-
-RFC 1779 DN Representation March 1995
-
-
- Key Attribute (X.520 keys)
- ------------------------------
- CN CommonName
- L LocalityName
- ST StateOrProvinceName
- O OrganizationName
- OU OrganizationalUnitName
- C CountryName
- STREET StreetAddress
-
-
- Table 1: Standardised Keywords
-
-
- Only string type attributes are considered, but other attribute
- syntaxes could be supported locally (e.g., by use of the syntexes
- defined in [3].) It is assumed that the interface will translate
- from the supplied string into an appropriate Directory String
- encoding. The "+" notation is used to specify multi-component RDNs.
- In this case, the types for attributes in the RDN must be explicit.
-
- The name is presented/input in a little-endian order (most
- significant component last). When an address is written in a context
- where there is a need to delimit the entire address (e.g., in free
- text), it is recommended that the delimiters <> are used. The
- terminator > is a special in the notation to facilitate this
- delimitation.
-
-3. Examples
-
- This section gives a few examples of distinguished names written
- using this notation:
-
- CN=Marshall T. Rose, O=Dover Beach Consulting, L=Santa Clara,
- ST=California, C=US
-
- CN=FTAM Service, CN=Bells, OU=Computer Science,
- O=University College London, C=GB
-
- CN=Markus Kuhn, O=University of Erlangen, C=DE
-
- CN=Steve Kille,
- O=ISODE Consortium,
- C=GB
-
-
-
-
-
-
-
-Kille [Page 6]
-
-RFC 1779 DN Representation March 1995
-
-
- CN=Steve Kille ,
-
- O = ISODE Consortium,
- C=GB
-
- CN=Steve Kille, O=ISODE Consortium, C=GB
-
-4. Acknowledgements
-
- This work was based on research work done at University College
- London [4], and evolved by the IETF OSI-DS WG.
-
- Input for this version of the document was received from: Allan
- Cargille (University of Wisconsin); John Dale (COS); Philip Gladstone
- (Onsett); John Hawthorne (US Air Force); Roland Hedberg (University
- of Umea); Kipp Hickman (Mosaic Communications Corp.) Markus Kuhn
- (University of Erlangen); Elisabeth Roudier (E3X); Mark Wahl (ISODE
- Consortium).
-
-5. References
-
- [1] The Directory --- overview of concepts, models and services,
- 1993. CCITT X.500 Series Recommendations.
-
- [2] Crocker, D., "Standard of the Format of ARPA-Internet Text
- Messages", STD 11, RFC 822, University of Delaware, August 1982.
-
- [3] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory Access
- Protocol", RFC 1777, Performance Systems International,
- University of Michigan, ISODE Consortium, March 1995.
-
- [4] S.E. Kille. Using the OSI directory to achieve user friendly
- naming. Research Note RN/20/29, Department of Computer Science,
- University College London, February 1990.
-
- [5] Kille, S., "Using the OSI Directory to Achieve User Friendly
- Naming", RFC 1781, ISODE Consortium, March 1995.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kille [Page 7]
-
-RFC 1779 DN Representation March 1995
-
-
-6. Security Considerations
-
- Security issues are not discussed in this memo.
-
-7. Author's Address
-
- Steve Kille
- ISODE Consortium
- The Dome
- The Square
- Richmond, Surrey
- TW9 1DT
- England
-
- Phone: +44-181-332-9091
- EMail: S.Kille@ISODE.COM
-
- DN: CN=Steve Kille,
- O=ISODE Consortium, C=GB
-
- UFN: S. Kille,
- ISODE Consortium, GB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kille [Page 8]
-
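Review bot: This deletion removes the in-tree statement of the DN quoting grammar (Figure 1: <special> ::= "," | "=" | <CR> | "+" | "<" | ">" | "#" | ";", escaped either via <pair> ::= "\" ( <special> | "\" | '"' ), by double-quoting the whole string, or as a "#" <hex> BER value); since the server's DN parser must keep treating exactly these characters as delimiters and unescaping them consistently when comparing names, the commit should name the current specification it now relies on (RFC 1779 is obsoleted by RFC 2253, itself superseded by RFC 4514, which drops the ";" separator and the quoted-string form) so the escaping rules the code implements remain documented somewhere in the tree.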
diff --git a/source4/ldap_server/devdocs/rfc2251.txt b/source4/ldap_server/devdocs/rfc2251.txt
deleted file mode 100644
index 88844cbf38..0000000000
--- a/source4/ldap_server/devdocs/rfc2251.txt
+++ /dev/null
@@ -1,2803 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Wahl
-Request for Comments: 2251 Critical Angle Inc.
-Category: Standards Track T. Howes
- Netscape Communications Corp.
- S. Kille
- Isode Limited
- December 1997
-
-
- Lightweight Directory Access Protocol (v3)
-
-1. Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
-IESG Note
-
- This document describes a directory access protocol that provides
- both read and update access. Update access requires secure
- authentication, but this document does not mandate implementation of
- any satisfactory authentication mechanisms.
-
- In accordance with RFC 2026, section 4.4.1, this specification is
- being approved by IESG as a Proposed Standard despite this
- limitation, for the following reasons:
-
- a. to encourage implementation and interoperability testing of
- these protocols (with or without update access) before they
- are deployed, and
-
- b. to encourage deployment and use of these protocols in read-only
- applications. (e.g. applications where LDAPv3 is used as
- a query language for directories which are updated by some
- secure mechanism other than LDAP), and
-
- c. to avoid delaying the advancement and deployment of other Internet
- standards-track protocols which require the ability to query, but
- not update, LDAPv3 directory servers.
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 1]
-
-RFC 2251 LDAPv3 December 1997
-
-
- Readers are hereby warned that until mandatory authentication
- mechanisms are standardized, clients and servers written according to
- this specification which make use of update functionality are
- UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
- IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
-
- Implementors are hereby discouraged from deploying LDAPv3 clients or
- servers which implement the update functionality, until a Proposed
- Standard for mandatory authentication in LDAPv3 has been approved and
- published as an RFC.
-
-Table of Contents
-
- 1. Status of this Memo .................................... 1
- Copyright Notice ....................................... 1
- IESG Note .............................................. 1
- 2. Abstract ............................................... 3
- 3. Models ................................................. 4
- 3.1. Protocol Model ........................................ 4
- 3.2. Data Model ............................................ 5
- 3.2.1. Attributes of Entries ............................... 5
- 3.2.2. Subschema Entries and Subentries .................... 7
- 3.3. Relationship to X.500 ................................. 8
- 3.4. Server-specific Data Requirements ..................... 8
- 4. Elements of Protocol ................................... 9
- 4.1. Common Elements ....................................... 9
- 4.1.1. Message Envelope .................................... 9
- 4.1.1.1. Message ID ........................................ 11
- 4.1.2. String Types ........................................ 11
- 4.1.3. Distinguished Name and Relative Distinguished Name .. 11
- 4.1.4. Attribute Type ...................................... 12
- 4.1.5. Attribute Description ............................... 13
- 4.1.5.1. Binary Option ..................................... 14
- 4.1.6. Attribute Value ..................................... 14
- 4.1.7. Attribute Value Assertion ........................... 15
- 4.1.8. Attribute ........................................... 15
- 4.1.9. Matching Rule Identifier ............................ 15
- 4.1.10. Result Message ..................................... 16
- 4.1.11. Referral ........................................... 18
- 4.1.12. Controls ........................................... 19
- 4.2. Bind Operation ........................................ 20
- 4.2.1. Sequencing of the Bind Request ...................... 21
- 4.2.2. Authentication and Other Security Services .......... 22
- 4.2.3. Bind Response ....................................... 23
- 4.3. Unbind Operation ...................................... 24
- 4.4. Unsolicited Notification .............................. 24
- 4.4.1. Notice of Disconnection ............................. 24
- 4.5. Search Operation ...................................... 25
-
-
-
-Wahl, et. al. Standards Track [Page 2]
-
-RFC 2251 LDAPv3 December 1997
-
-
- 4.5.1. Search Request ...................................... 25
- 4.5.2. Search Result ....................................... 29
- 4.5.3. Continuation References in the Search Result ........ 31
- 4.5.3.1. Example ........................................... 31
- 4.6. Modify Operation ...................................... 32
- 4.7. Add Operation ......................................... 34
- 4.8. Delete Operation ...................................... 35
- 4.9. Modify DN Operation ................................... 36
- 4.10. Compare Operation .................................... 37
- 4.11. Abandon Operation .................................... 38
- 4.12. Extended Operation ................................... 38
- 5. Protocol Element Encodings and Transfer ................ 39
- 5.1. Mapping Onto BER-based Transport Services ............. 39
- 5.2. Transfer Protocols .................................... 40
- 5.2.1. Transmission Control Protocol (TCP) ................. 40
- 6. Implementation Guidelines .............................. 40
- 6.1. Server Implementations ................................ 40
- 6.2. Client Implementations ................................ 40
- 7. Security Considerations ................................ 41
- 8. Acknowledgements ....................................... 41
- 9. Bibliography ........................................... 41
- 10. Authors' Addresses ..................................... 42
- Appendix A - Complete ASN.1 Definition ..................... 44
- Full Copyright Statement ................................... 50
-
-2. Abstract
-
- The protocol described in this document is designed to provide access
- to directories supporting the X.500 models, while not incurring the
- resource requirements of the X.500 Directory Access Protocol (DAP).
- This protocol is specifically targeted at management applications and
- browser applications that provide read/write interactive access to
- directories. When used with a directory supporting the X.500
- protocols, it is intended to be a complement to the X.500 DAP.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document
- are to be interpreted as described in RFC 2119 [10].
-
- Key aspects of this version of LDAP are:
-
- - All protocol elements of LDAPv2 (RFC 1777) are supported. The
- protocol is carried directly over TCP or other transport, bypassing
- much of the session/presentation overhead of X.500 DAP.
-
- - Most protocol data elements can be encoded as ordinary strings
- (e.g., Distinguished Names).
-
-
-
-
-Wahl, et. al. Standards Track [Page 3]
-
-RFC 2251 LDAPv3 December 1997
-
-
- - Referrals to other servers may be returned.
-
- - SASL mechanisms may be used with LDAP to provide association
- security services.
-
- - Attribute values and Distinguished Names have been
- internationalized through the use of the ISO 10646 character set.
-
- - The protocol can be extended to support new operations, and
- controls may be used to extend existing operations.
-
- - Schema is published in the directory for use by clients.
-
-3. Models
-
- Interest in X.500 [1] directory technologies in the Internet has led
- to efforts to reduce the high cost of entry associated with use of
- these technologies. This document continues the efforts to define
- directory protocol alternatives, updating the LDAP [2] protocol
- specification.
-
-3.1. Protocol Model
-
- The general model adopted by this protocol is one of clients
- performing protocol operations against servers. In this model, a
- client transmits a protocol request describing the operation to be
- performed to a server. The server is then responsible for performing
- the necessary operation(s) in the directory. Upon completion of the
- operation(s), the server returns a response containing any results or
- errors to the requesting client.
-
- In keeping with the goal of easing the costs associated with use of
- the directory, it is an objective of this protocol to minimize the
- complexity of clients so as to facilitate widespread deployment of
- applications capable of using the directory.
-
- Note that although servers are required to return responses whenever
- such responses are defined in the protocol, there is no requirement
- for synchronous behavior on the part of either clients or servers.
- Requests and responses for multiple operations may be exchanged
- between a client and server in any order, provided the client
- eventually receives a response for every request that requires one.
-
- In LDAP versions 1 and 2, no provision was made for protocol servers
- returning referrals to clients. However, for improved performance
- and distribution this version of the protocol permits servers to
- return to clients referrals to other servers. This allows servers to
- offload the work of contacting other servers to progress operations.
-
-
-
-Wahl, et. al. Standards Track [Page 4]
-
-RFC 2251 LDAPv3 December 1997
-
-
- Note that the core protocol operations defined in this document can
- be mapped to a strict subset of the X.500(1997) directory abstract
- service, so it can be cleanly provided by the DAP. However there is
- not a one-to-one mapping between LDAP protocol operations and DAP
- operations: server implementations acting as a gateway to X.500
- directories may need to make multiple DAP requests.
-
-3.2. Data Model
-
- This section provides a brief introduction to the X.500 data model,
- as used by LDAP.
-
- The LDAP protocol assumes there are one or more servers which jointly
- provide access to a Directory Information Tree (DIT). The tree is
- made up of entries. Entries have names: one or more attribute values
- from the entry form its relative distinguished name (RDN), which MUST
- be unique among all its siblings. The concatenation of the relative
- distinguished names of the sequence of entries from a particular
- entry to an immediate subordinate of the root of the tree forms that
- entry's Distinguished Name (DN), which is unique in the tree. An
- example of a Distinguished Name is
-
- CN=Steve Kille, O=Isode Limited, C=GB
-
- Some servers may hold cache or shadow copies of entries, which can be
- used to answer search and comparison queries, but will return
- referrals or contact other servers if modification operations are
- requested.
-
- Servers which perform caching or shadowing MUST ensure that they do
- not violate any access control constraints placed on the data by the
- originating server.
-
- The largest collection of entries, starting at an entry that is
- mastered by a particular server, and including all its subordinates
- and their subordinates, down to the entries which are mastered by
- different servers, is termed a naming context. The root of the DIT
- is a DSA-specific Entry (DSE) and not part of any naming context:
- each server has different attribute values in the root DSE. (DSA is
- an X.500 term for the directory server).
-
-3.2.1. Attributes of Entries
-
- Entries consist of a set of attributes. An attribute is a type with
- one or more associated values. The attribute type is identified by a
- short descriptive name and an OID (object identifier). The attribute
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 5]
-
-RFC 2251 LDAPv3 December 1997
-
-
- type governs whether there can be more than one value of an attribute
- of that type in an entry, the syntax to which the values must
- conform, the kinds of matching which can be performed on values of
- that attribute, and other functions.
-
- An example of an attribute is "mail". There may be one or more values
- of this attribute, they must be IA5 (ASCII) strings, and they are
- case insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").
-
- Schema is the collection of attribute type definitions, object class
- definitions and other information which a server uses to determine
- how to match a filter or attribute value assertion (in a compare
- operation) against the attributes of an entry, and whether to permit
- add and modify operations. The definition of schema for use with
- LDAP is given in [5] and [6]. Additional schema elements may be
- defined in other documents.
-
- Each entry MUST have an objectClass attribute. The objectClass
- attribute specifies the object classes of an entry, which along with
- the system and user schema determine the permitted attributes of an
- entry. Values of this attribute may be modified by clients, but the
- objectClass attribute cannot be removed. Servers may restrict the
- modifications of this attribute to prevent the basic structural class
- of the entry from being changed (e.g. one cannot change a person into
- a country). When creating an entry or adding an objectClass value to
- an entry, all superclasses of the named classes are implicitly added
- as well if not already present, and the client must supply values for
- any mandatory attributes of new superclasses.
-
- Some attributes, termed operational attributes, are used by servers
- for administering the directory system itself. They are not returned
- in search results unless explicitly requested by name. Attributes
- which are not operational, such as "mail", will have their schema and
- syntax constraints enforced by servers, but servers will generally
- not make use of their values.
-
- Servers MUST NOT permit clients to add attributes to an entry unless
- those attributes are permitted by the object class definitions, the
- schema controlling that entry (specified in the subschema - see
- below), or are operational attributes known to that server and used
- for administrative purposes. Note that there is a particular
- objectClass 'extensibleObject' defined in [5] which permits all user
- attributes to be present in an entry.
-
- Entries MAY contain, among others, the following operational
- attributes, defined in [5]. These attributes are maintained
- automatically by the server and are not modifiable by clients:
-
-
-
-
-Wahl, et. al. Standards Track [Page 6]
-
-RFC 2251 LDAPv3 December 1997
-
-
- - creatorsName: the Distinguished Name of the user who added this
- entry to the directory.
-
- - createTimestamp: the time this entry was added to the directory.
-
- - modifiersName: the Distinguished Name of the user who last modified
- this entry.
-
- - modifyTimestamp: the time this entry was last modified.
-
- - subschemaSubentry: the Distinguished Name of the subschema entry
- (or subentry) which controls the schema for this entry.
-
-3.2.2. Subschema Entries and Subentries
-
- Subschema entries are used for administering information about the
- directory schema, in particular the object classes and attribute
- types supported by directory servers. A single subschema entry
- contains all schema definitions used by entries in a particular part
- of the directory tree.
-
- Servers which follow X.500(93) models SHOULD implement subschema
- using the X.500 subschema mechanisms, and so these subschemas are not
- ordinary entries. LDAP clients SHOULD NOT assume that servers
- implement any of the other aspects of X.500 subschema. A server
- which masters entries and permits clients to modify these entries
- MUST implement and provide access to these subschema entries, so that
- its clients may discover the attributes and object classes which are
- permitted to be present. It is strongly recommended that all other
- servers implement this as well.
-
- The following four attributes MUST be present in all subschema
- entries:
-
- - cn: this attribute MUST be used to form the RDN of the subschema
- entry.
-
- - objectClass: the attribute MUST have at least the values "top" and
- "subschema".
-
- - objectClasses: each value of this attribute specifies an object
- class known to the server.
-
- - attributeTypes: each value of this attribute specifies an attribute
- type known to the server.
-
- These are defined in [5]. Other attributes MAY be present in
- subschema entries, to reflect additional supported capabilities.
-
-
-
-Wahl, et. al. Standards Track [Page 7]
-
-RFC 2251 LDAPv3 December 1997
-
-
- These include matchingRules, matchingRuleUse, dITStructureRules,
- dITContentRules, nameForms and ldapSyntaxes.
-
- Servers SHOULD provide the attributes createTimestamp and
- modifyTimestamp in subschema entries, in order to allow clients to
- maintain their caches of schema information.
-
- Clients MUST only retrieve attributes from a subschema entry by
- requesting a base object search of the entry, where the search filter
- is "(objectClass=subschema)". (This will allow LDAPv3 servers which
- gateway to X.500(93) to detect that subentry information is being
- requested.)
-
-3.3. Relationship to X.500
-
- This document defines LDAP in terms of X.500 as an X.500 access
- mechanism. An LDAP server MUST act in accordance with the
- X.500(1993) series of ITU recommendations when providing the service.
- However, it is not required that an LDAP server make use of any X.500
- protocols in providing this service, e.g. LDAP can be mapped onto any
- other directory system so long as the X.500 data and service model as
- used in LDAP is not violated in the LDAP interface.
-
-3.4. Server-specific Data Requirements
-
- An LDAP server MUST provide information about itself and other
- information that is specific to each server. This is represented as
- a group of attributes located in the root DSE (DSA-Specific Entry),
- which is named with the zero-length LDAPDN. These attributes are
- retrievable if a client performs a base object search of the root
- with filter "(objectClass=*)", however they are subject to access
- control restrictions. The root DSE MUST NOT be included if the
- client performs a subtree search starting from the root.
-
- Servers may allow clients to modify these attributes.
-
- The following attributes of the root DSE are defined in section 5 of
- [5]. Additional attributes may be defined in other documents.
-
- - namingContexts: naming contexts held in the server. Naming contexts
- are defined in section 17 of X.501 [6].
-
- - subschemaSubentry: subschema entries (or subentries) known by this
- server.
-
- - altServer: alternative servers in case this one is later
- unavailable.
-
-
-
-
-Wahl, et. al. Standards Track [Page 8]
-
-RFC 2251 LDAPv3 December 1997
-
-
- - supportedExtension: list of supported extended operations.
-
- - supportedControl: list of supported controls.
-
- - supportedSASLMechanisms: list of supported SASL security features.
-
- - supportedLDAPVersion: LDAP versions implemented by the server.
-
- If the server does not master entries and does not know the locations
- of schema information, the subschemaSubentry attribute is not present
- in the root DSE. If the server masters directory entries under one
- or more schema rules, there may be any number of values of the
- subschemaSubentry attribute in the root DSE.
-
-4. Elements of Protocol
-
- The LDAP protocol is described using Abstract Syntax Notation 1
- (ASN.1) [3], and is typically transferred using a subset of ASN.1
- Basic Encoding Rules [11]. In order to support future extensions to
- this protocol, clients and servers MUST ignore elements of SEQUENCE
- encodings whose tags they do not recognize.
-
- Note that unlike X.500, each change to the LDAP protocol other than
- through the extension mechanisms will have a different version
- number. A client will indicate the version it supports as part of
- the bind request, described in section 4.2. If a client has not sent
- a bind, the server MUST assume that version 3 is supported in the
- client (since version 2 required that the client bind first).
-
- Clients may determine the protocol version a server supports by
- reading the supportedLDAPVersion attribute from the root DSE. Servers
- which implement version 3 or later versions MUST provide this
- attribute. Servers which only implement version 2 may not provide
- this attribute.
-
-4.1. Common Elements
-
- This section describes the LDAPMessage envelope PDU (Protocol Data
- Unit) format, as well as data type definitions which are used in the
- protocol operations.
-
-4.1.1. Message Envelope
-
- For the purposes of protocol exchanges, all protocol operations are
- encapsulated in a common envelope, the LDAPMessage, which is defined
- as follows:
-
- LDAPMessage ::= SEQUENCE {
-
-
-
-Wahl, et. al. Standards Track [Page 9]
-
-RFC 2251 LDAPv3 December 1997
-
-
- messageID MessageID,
- protocolOp CHOICE {
- bindRequest BindRequest,
- bindResponse BindResponse,
- unbindRequest UnbindRequest,
- searchRequest SearchRequest,
- searchResEntry SearchResultEntry,
- searchResDone SearchResultDone,
- searchResRef SearchResultReference,
- modifyRequest ModifyRequest,
- modifyResponse ModifyResponse,
- addRequest AddRequest,
- addResponse AddResponse,
- delRequest DelRequest,
- delResponse DelResponse,
- modDNRequest ModifyDNRequest,
- modDNResponse ModifyDNResponse,
- compareRequest CompareRequest,
- compareResponse CompareResponse,
- abandonRequest AbandonRequest,
- extendedReq ExtendedRequest,
- extendedResp ExtendedResponse },
- controls [0] Controls OPTIONAL }
-
- MessageID ::= INTEGER (0 .. maxInt)
-
- maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
-
- The function of the LDAPMessage is to provide an envelope containing
- common fields required in all protocol exchanges. At this time the
- only common fields are the message ID and the controls.
-
- If the server receives a PDU from the client in which the LDAPMessage
- SEQUENCE tag cannot be recognized, the messageID cannot be parsed,
- the tag of the protocolOp is not recognized as a request, or the
- encoding structures or lengths of data fields are found to be
- incorrect, then the server MUST return the notice of disconnection
- described in section 4.4.1, with resultCode protocolError, and
- immediately close the connection. In other cases that the server
- cannot parse the request received by the client, the server MUST
- return an appropriate response to the request, with the resultCode
- set to protocolError.
-
- If the client receives a PDU from the server which cannot be parsed,
- the client may discard the PDU, or may abruptly close the connection.
-
- The ASN.1 type Controls is defined in section 4.1.12.
-
-
-
-
-Wahl, et. al. Standards Track [Page 10]
-
-RFC 2251 LDAPv3 December 1997
-
-
-4.1.1.1. Message ID
-
- All LDAPMessage envelopes encapsulating responses contain the
- messageID value of the corresponding request LDAPMessage.
-
- The message ID of a request MUST have a value different from the
- values of any other requests outstanding in the LDAP session of which
- this message is a part.
-
- A client MUST NOT send a second request with the same message ID as
- an earlier request on the same connection if the client has not
- received the final response from the earlier request. Otherwise the
- behavior is undefined. Typical clients increment a counter for each
- request.
-
- A client MUST NOT reuse the message id of an abandonRequest or of the
- abandoned operation until it has received a response from the server
- for another request invoked subsequent to the abandonRequest, as the
- abandonRequest itself does not have a response.
-
-4.1.2. String Types
-
- The LDAPString is a notational convenience to indicate that, although
- strings of LDAPString type encode as OCTET STRING types, the ISO
- 10646 [13] character set (a superset of Unicode) is used, encoded
- following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm
- characters which are the same as ASCII (0x0000 through 0x007F) are
- represented as that same ASCII character in a single byte. The other
- byte values are used to form a variable-length encoding of an
- arbitrary character.
-
- LDAPString ::= OCTET STRING
-
- The LDAPOID is a notational convenience to indicate that the
- permitted value of this string is a (UTF-8 encoded) dotted-decimal
- representation of an OBJECT IDENTIFIER.
-
- LDAPOID ::= OCTET STRING
-
- For example,
-
- 1.3.6.1.4.1.1466.1.2.3
-
-4.1.3. Distinguished Name and Relative Distinguished Name
-
- An LDAPDN and a RelativeLDAPDN are respectively defined to be the
- representation of a Distinguished Name and a Relative Distinguished
- Name after encoding according to the specification in [4], such that
-
-
-
-Wahl, et. al. Standards Track [Page 11]
-
-RFC 2251 LDAPv3 December 1997
-
-
- <distinguished-name> ::= <name>
-
- <relative-distinguished-name> ::= <name-component>
-
- where <name> and <name-component> are as defined in [4].
-
- LDAPDN ::= LDAPString
-
- RelativeLDAPDN ::= LDAPString
-
- Only Attribute Types can be present in a relative distinguished name
- component; the options of Attribute Descriptions (next section) MUST
- NOT be used in specifying distinguished names.
-
-4.1.4. Attribute Type
-
- An AttributeType takes on as its value the textual string associated
- with that AttributeType in its specification.
-
- AttributeType ::= LDAPString
-
- Each attribute type has a unique OBJECT IDENTIFIER which has been
- assigned to it. This identifier may be written as decimal digits
- with components separated by periods, e.g. "2.5.4.10".
-
- A specification may also assign one or more textual names for an
- attribute type. These names MUST begin with a letter, and only
- contain ASCII letters, digit characters and hyphens. They are case
- insensitive. (These ASCII characters are identical to ISO 10646
- characters whose UTF-8 encoding is a single byte between 0x00 and
- 0x7F.)
-
- If the server has a textual name for an attribute type, it MUST use a
- textual name for attributes returned in search results. The dotted-
- decimal OBJECT IDENTIFIER is only used if there is no textual name
- for an attribute type.
-
- Attribute type textual names are non-unique, as two different
- specifications (neither in standards track RFCs) may choose the same
- name.
-
- A server which masters or shadows entries SHOULD list all the
- attribute types it supports in the subschema entries, using the
- attributeTypes attribute. Servers which support an open-ended set of
- attributes SHOULD include at least the attributeTypes value for the
- 'objectClass' attribute. Clients MAY retrieve the attributeTypes
- value from subschema entries in order to obtain the OBJECT IDENTIFIER
- and other information associated with attribute types.
-
-
-
-Wahl, et. al. Standards Track [Page 12]
-
-RFC 2251 LDAPv3 December 1997
-
-
- Some attribute type names which are used in this version of LDAP are
- described in [5]. Servers may implement additional attribute types.
-
-4.1.5. Attribute Description
-
- An AttributeDescription is a superset of the definition of the
- AttributeType. It has the same ASN.1 definition, but allows
- additional options to be specified. They are also case insensitive.
-
- AttributeDescription ::= LDAPString
-
- A value of AttributeDescription is based on the following BNF:
-
- <AttributeDescription> ::= <AttributeType> [ ";" <options> ]
-
- <options> ::= <option> | <option> ";" <options>
-
- <option> ::= <opt-char> <opt-char>*
-
- <opt-char> ::= ASCII-equivalent letters, numbers and hyphen
-
- Examples of valid AttributeDescription:
-
- cn
- userCertificate;binary
-
- One option, "binary", is defined in this document. Additional
- options may be defined in IETF standards-track and experimental RFCs.
- Options beginning with "x-" are reserved for private experiments.
- Any option could be associated with any AttributeType, although not
- all combinations may be supported by a server.
-
- An AttributeDescription with one or more options is treated as a
- subtype of the attribute type without any options. Options present
- in an AttributeDescription are never mutually exclusive.
- Implementations MUST generate the <options> list sorted in ascending
- order, and servers MUST treat any two AttributeDescription with the
- same AttributeType and options as equivalent. A server will treat an
- AttributeDescription with any options it does not implement as an
- unrecognized attribute type.
-
- The data type "AttributeDescriptionList" describes a list of 0 or
- more attribute types. (A list of zero elements has special
- significance in the Search request.)
-
- AttributeDescriptionList ::= SEQUENCE OF
- AttributeDescription
-
-
-
-
-Wahl, et. al. Standards Track [Page 13]
-
-RFC 2251 LDAPv3 December 1997
-
-
-4.1.5.1. Binary Option
-
- If the "binary" option is present in an AttributeDescription, it
- overrides any string-based encoding representation defined for that
- attribute in [5]. Instead the attribute is to be transferred as a
- binary value encoded using the Basic Encoding Rules [11]. The syntax
- of the binary value is an ASN.1 data type definition which is
- referenced by the "SYNTAX" part of the attribute type definition.
-
- The presence or absence of the "binary" option only affects the
- transfer of attribute values in protocol; servers store any
- particular attribute in a single format. If a client requests that a
- server return an attribute in the binary format, but the server
- cannot generate that format, the server MUST treat this attribute
- type as an unrecognized attribute type. Similarly, clients MUST NOT
- expect servers to return an attribute in binary format if the client
- requested that attribute by name without the binary option.
-
- This option is intended to be used with attributes whose syntax is a
- complex ASN.1 data type, and the structure of values of that type is
- needed by clients. Examples of this kind of syntax are "Certificate"
- and "CertificateList".
-
-4.1.6. Attribute Value
-
- A field of type AttributeValue takes on as its value either a string
- encoding of a AttributeValue data type, or an OCTET STRING containing
- an encoded binary value, depending on whether the "binary" option is
- present in the companion AttributeDescription to this AttributeValue.
-
- The definition of string encodings for different syntaxes and types
- may be found in other documents, and in particular [5].
-
- AttributeValue ::= OCTET STRING
-
- Note that there is no defined limit on the size of this encoding;
- thus protocol values may include multi-megabyte attributes (e.g.
- photographs).
-
- Attributes may be defined which have arbitrary and non-printable
- syntax. Implementations MUST NEITHER simply display nor attempt to
- decode as ASN.1 a value if its syntax is not known. The
- implementation may attempt to discover the subschema of the source
- entry, and retrieve the values of attributeTypes from it.
-
- Clients MUST NOT send attribute values in a request which are not
- valid according to the syntax defined for the attributes.
-
-
-
-
-Wahl, et. al. Standards Track [Page 14]
-
-RFC 2251 LDAPv3 December 1997
-
-
-4.1.7. Attribute Value Assertion
-
- The AttributeValueAssertion type definition is similar to the one in
- the X.500 directory standards. It contains an attribute description
- and a matching rule assertion value suitable for that type.
-
- AttributeValueAssertion ::= SEQUENCE {
- attributeDesc AttributeDescription,
- assertionValue AssertionValue }
-
- AssertionValue ::= OCTET STRING
-
- If the "binary" option is present in attributeDesc, this signals to
- the server that the assertionValue is a binary encoding of the
- assertion value.
-
- For all the string-valued user attributes described in [5], the
- assertion value syntax is the same as the value syntax. Clients may
- use attribute values as assertion values in compare requests and
- search filters.
-
- Note however that the assertion syntax may be different from the
- value syntax for other attributes or for non-equality matching rules.
- These may have an assertion syntax which contains only part of the
- value. See section 20.2.1.8 of X.501 [6] for examples.
-
-4.1.8. Attribute
-
- An attribute consists of a type and one or more values of that type.
- (Though attributes MUST have at least one value when stored, due to
- access control restrictions the set may be empty when transferred in
- protocol. This is described in section 4.5.2, concerning the
- PartialAttributeList type.)
-
- Attribute ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
-
- Each attribute value is distinct in the set (no duplicates). The
- order of attribute values within the vals set is undefined and
- implementation-dependent, and MUST NOT be relied upon.
-
-4.1.9. Matching Rule Identifier
-
- A matching rule is a means of expressing how a server should compare
- an AssertionValue received in a search filter with an abstract data
- value. The matching rule defines the syntax of the assertion value
- and the process to be performed in the server.
-
-
-
-Wahl, et. al. Standards Track [Page 15]
-
-RFC 2251 LDAPv3 December 1997
-
-
- An X.501(1993) Matching Rule is identified in the LDAP protocol by
- the printable representation of its OBJECT IDENTIFIER, either as one
- of the strings given in [5], or as decimal digits with components
- separated by periods, e.g. "caseIgnoreIA5Match" or
- "1.3.6.1.4.1.453.33.33".
-
- MatchingRuleId ::= LDAPString
-
- Servers which support matching rules for use in the extensibleMatch
- search filter MUST list the matching rules they implement in
- subschema entries, using the matchingRules attributes. The server
- SHOULD also list there, using the matchingRuleUse attribute, the
- attribute types with which each matching rule can be used. More
- information is given in section 4.4 of [5].
-
-4.1.10. Result Message
-
- The LDAPResult is the construct used in this protocol to return
- success or failure indications from servers to clients. In response
- to various requests servers will return responses containing fields
- of type LDAPResult to indicate the final status of a protocol
- operation request.
-
- LDAPResult ::= SEQUENCE {
- resultCode ENUMERATED {
- success (0),
- operationsError (1),
- protocolError (2),
- timeLimitExceeded (3),
- sizeLimitExceeded (4),
- compareFalse (5),
- compareTrue (6),
-
- authMethodNotSupported (7),
- strongAuthRequired (8),
- -- 9 reserved --
- referral (10), -- new
- adminLimitExceeded (11), -- new
- unavailableCriticalExtension (12), -- new
- confidentialityRequired (13), -- new
- saslBindInProgress (14), -- new
- noSuchAttribute (16),
- undefinedAttributeType (17),
- inappropriateMatching (18),
- constraintViolation (19),
- attributeOrValueExists (20),
- invalidAttributeSyntax (21),
- -- 22-31 unused --
-
-
-
-Wahl, et. al. Standards Track [Page 16]
-
-RFC 2251 LDAPv3 December 1997
-
-
- noSuchObject (32),
- aliasProblem (33),
- invalidDNSyntax (34),
- -- 35 reserved for undefined isLeaf --
- aliasDereferencingProblem (36),
- -- 37-47 unused --
- inappropriateAuthentication (48),
- invalidCredentials (49),
- insufficientAccessRights (50),
- busy (51),
- unavailable (52),
- unwillingToPerform (53),
- loopDetect (54),
- -- 55-63 unused --
- namingViolation (64),
- objectClassViolation (65),
- notAllowedOnNonLeaf (66),
- notAllowedOnRDN (67),
- entryAlreadyExists (68),
- objectClassModsProhibited (69),
- -- 70 reserved for CLDAP --
- affectsMultipleDSAs (71), -- new
- -- 72-79 unused --
- other (80) },
- -- 81-90 reserved for APIs --
- matchedDN LDAPDN,
- errorMessage LDAPString,
- referral [3] Referral OPTIONAL }
-
- All the result codes with the exception of success, compareFalse and
- compareTrue are to be treated as meaning the operation could not be
- completed in its entirety.
-
- Most of the result codes are based on problem indications from X.511
- error data types. Result codes from 16 to 21 indicate an
- AttributeProblem, codes 32, 33, 34 and 36 indicate a NameProblem,
- codes 48, 49 and 50 indicate a SecurityProblem, codes 51 to 54
- indicate a ServiceProblem, and codes 64 to 69 and 71 indicates an
- UpdateProblem.
-
- If a client receives a result code which is not listed above, it is
- to be treated as an unknown error condition.
-
- The errorMessage field of this construct may, at the server's option,
- be used to return a string containing a textual, human-readable
- (terminal control and page formatting characters should be avoided)
- error diagnostic. As this error diagnostic is not standardized,
-
-
-
-
-Wahl, et. al. Standards Track [Page 17]
-
-RFC 2251 LDAPv3 December 1997
-
-
- implementations MUST NOT rely on the values returned. If the server
- chooses not to return a textual diagnostic, the errorMessage field of
- the LDAPResult type MUST contain a zero length string.
-
- For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
- aliasDereferencingProblem, the matchedDN field is set to the name of
- the lowest entry (object or alias) in the directory that was matched.
- If no aliases were dereferenced while attempting to locate the entry,
- this will be a truncated form of the name provided, or if aliases
- were dereferenced, of the resulting name, as defined in section 12.5
- of X.511 [8]. The matchedDN field is to be set to a zero length
- string with all other result codes.
-
-4.1.11. Referral
-
- The referral error indicates that the contacted server does not hold
- the target entry of the request. The referral field is present in an
- LDAPResult if the LDAPResult.resultCode field value is referral, and
- absent with all other result codes. It contains a reference to
- another server (or set of servers) which may be accessed via LDAP or
- other protocols. Referrals can be returned in response to any
- operation request (except unbind and abandon which do not have
- responses). At least one URL MUST be present in the Referral.
-
- The referral is not returned for a singleLevel or wholeSubtree search
- in which the search scope spans multiple naming contexts, and several
- different servers would need to be contacted to complete the
- operation. Instead, continuation references, described in section
- 4.5.3, are returned.
-
- Referral ::= SEQUENCE OF LDAPURL -- one or more
-
- LDAPURL ::= LDAPString -- limited to characters permitted in URLs
-
- If the client wishes to progress the operation, it MUST follow the
- referral by contacting any one of servers. All the URLs MUST be
- equally capable of being used to progress the operation. (The
- mechanisms for how this is achieved by multiple servers are outside
- the scope of this document.)
-
- URLs for servers implementing the LDAP protocol are written according
- to [9]. If an alias was dereferenced, the <dn> part of the URL MUST
- be present, with the new target object name. If the <dn> part is
- present, the client MUST use this name in its next request to
- progress the operation, and if it is not present the client will use
- the same name as in the original request. Some servers (e.g.
- participating in distributed indexing) may provide a different filter
- in a referral for a search operation. If the filter part of the URL
-
-
-
-Wahl, et. al. Standards Track [Page 18]
-
-RFC 2251 LDAPv3 December 1997
-
-
- is present in an LDAPURL, the client MUST use this filter in its next
- request to progress this search, and if it is not present the client
- MUST use the same filter as it used for that search. Other aspects
- of the new request may be the same or different as the request which
- generated the referral.
-
- Note that UTF-8 characters appearing in a DN or search filter may not
- be legal for URLs (e.g. spaces) and MUST be escaped using the %
- method in RFC 1738 [7].
-
- Other kinds of URLs may be returned, so long as the operation could
- be performed using that protocol.
-
-4.1.12. Controls
-
- A control is a way to specify extension information. Controls which
- are sent as part of a request apply only to that request and are not
- saved.
-
- Controls ::= SEQUENCE OF Control
-
- Control ::= SEQUENCE {
- controlType LDAPOID,
- criticality BOOLEAN DEFAULT FALSE,
- controlValue OCTET STRING OPTIONAL }
-
- The controlType field MUST be a UTF-8 encoded dotted-decimal
- representation of an OBJECT IDENTIFIER which uniquely identifies the
- control. This prevents conflicts between control names.
-
- The criticality field is either TRUE or FALSE.
-
- If the server recognizes the control type and it is appropriate for
- the operation, the server will make use of the control when
- performing the operation.
-
- If the server does not recognize the control type and the criticality
- field is TRUE, the server MUST NOT perform the operation, and MUST
- instead return the resultCode unsupportedCriticalExtension.
-
- If the control is not appropriate for the operation and criticality
- field is TRUE, the server MUST NOT perform the operation, and MUST
- instead return the resultCode unsupportedCriticalExtension.
-
- If the control is unrecognized or inappropriate but the criticality
- field is FALSE, the server MUST ignore the control.
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 19]
-
-RFC 2251 LDAPv3 December 1997
-
-
- The controlValue contains any information associated with the
- control, and its format is defined for the control. The server MUST
- be prepared to handle arbitrary contents of the controlValue octet
- string, including zero bytes. It is absent only if there is no value
- information which is associated with a control of its type.
-
- This document does not define any controls. Controls may be defined
- in other documents. The definition of a control consists of:
-
- - the OBJECT IDENTIFIER assigned to the control,
-
- - whether the control is always noncritical, always critical, or
- critical at the client's option,
-
- - the format of the controlValue contents of the control.
-
- Servers list the controls which they recognize in the
- supportedControl attribute in the root DSE.
-
-4.2. Bind Operation
-
- The function of the Bind Operation is to allow authentication
- information to be exchanged between the client and server.
-
- The Bind Request is defined as follows:
-
- BindRequest ::= [APPLICATION 0] SEQUENCE {
- version INTEGER (1 .. 127),
- name LDAPDN,
- authentication AuthenticationChoice }
-
- AuthenticationChoice ::= CHOICE {
- simple [0] OCTET STRING,
- -- 1 and 2 reserved
- sasl [3] SaslCredentials }
-
- SaslCredentials ::= SEQUENCE {
- mechanism LDAPString,
- credentials OCTET STRING OPTIONAL }
-
- Parameters of the Bind Request are:
-
- - version: A version number indicating the version of the protocol to
- be used in this protocol session. This document describes version
- 3 of the LDAP protocol. Note that there is no version negotiation,
- and the client just sets this parameter to the version it desires.
- If the client requests protocol version 2, a server that supports
- the version 2 protocol as described in [2] will not return any v3-
-
-
-
-Wahl, et. al. Standards Track [Page 20]
-
-RFC 2251 LDAPv3 December 1997
-
-
- specific protocol fields. (Note that not all LDAP servers will
- support protocol version 2, since they may be unable to generate
- the attribute syntaxes associated with version 2.)
-
- - name: The name of the directory object that the client wishes to
- bind as. This field may take on a null value (a zero length
- string) for the purposes of anonymous binds, when authentication
- has been performed at a lower layer, or when using SASL credentials
- with a mechanism that includes the LDAPDN in the credentials.
-
- - authentication: information used to authenticate the name, if any,
- provided in the Bind Request.
-
- Upon receipt of a Bind Request, a protocol server will authenticate
- the requesting client, if necessary. The server will then return a
- Bind Response to the client indicating the status of the
- authentication.
-
- Authorization is the use of this authentication information when
- performing operations. Authorization MAY be affected by factors
- outside of the LDAP Bind request, such as lower layer security
- services.
-
-4.2.1. Sequencing of the Bind Request
-
- For some SASL authentication mechanisms, it may be necessary for the
- client to invoke the BindRequest multiple times. If at any stage the
- client wishes to abort the bind process it MAY unbind and then drop
- the underlying connection. Clients MUST NOT invoke operations
- between two Bind requests made as part of a multi-stage bind.
-
- A client may abort a SASL bind negotiation by sending a BindRequest
- with a different value in the mechanism field of SaslCredentials, or
- an AuthenticationChoice other than sasl.
-
- If the client sends a BindRequest with the sasl mechanism field as an
- empty string, the server MUST return a BindResponse with
- authMethodNotSupported as the resultCode. This will allow clients to
- abort a negotiation if it wishes to try again with the same SASL
- mechanism.
-
- Unlike LDAP v2, the client need not send a Bind Request in the first
- PDU of the connection. The client may request any operations and the
- server MUST treat these as unauthenticated. If the server requires
- that the client bind before browsing or modifying the directory, the
- server MAY reject a request other than binding, unbinding or an
- extended request with the "operationsError" result.
-
-
-
-
-Wahl, et. al. Standards Track [Page 21]
-
-RFC 2251 LDAPv3 December 1997
-
-
- If the client did not bind before sending a request and receives an
- operationsError, it may then send a Bind Request. If this also fails
- or the client chooses not to bind on the existing connection, it will
- close the connection, reopen it and begin again by first sending a
- PDU with a Bind Request. This will aid in interoperating with
- servers implementing other versions of LDAP.
-
- Clients MAY send multiple bind requests on a connection to change
- their credentials. A subsequent bind process has the effect of
- abandoning all operations outstanding on the connection. (This
- simplifies server implementation.) Authentication from earlier binds
- are subsequently ignored, and so if the bind fails, the connection
- will be treated as anonymous. If a SASL transfer encryption or
- integrity mechanism has been negotiated, and that mechanism does not
- support the changing of credentials from one identity to another,
- then the client MUST instead establish a new connection.
-
-4.2.2. Authentication and Other Security Services
-
- The simple authentication option provides minimal authentication
- facilities, with the contents of the authentication field consisting
- only of a cleartext password. Note that the use of cleartext
- passwords is not recommended over open networks when there is no
- authentication or encryption being performed by a lower layer; see
- the "Security Considerations" section.
-
- If no authentication is to be performed, then the simple
- authentication option MUST be chosen, and the password be of zero
- length. (This is often done by LDAPv2 clients.) Typically the DN is
- also of zero length.
-
- The sasl choice allows for any mechanism defined for use with SASL
- [12]. The mechanism field contains the name of the mechanism. The
- credentials field contains the arbitrary data used for
- authentication, inside an OCTET STRING wrapper. Note that unlike
- some Internet application protocols where SASL is used, LDAP is not
- text-based, thus no base64 transformations are performed on the
- credentials.
-
- If any SASL-based integrity or confidentiality services are enabled,
- they take effect following the transmission by the server and
- reception by the client of the final BindResponse with resultCode
- success.
-
- The client can request that the server use authentication information
- from a lower layer protocol by using the SASL EXTERNAL mechanism.
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 22]
-
-RFC 2251 LDAPv3 December 1997
-
-
-4.2.3. Bind Response
-
- The Bind Response is defined as follows.
-
- BindResponse ::= [APPLICATION 1] SEQUENCE {
- COMPONENTS OF LDAPResult,
- serverSaslCreds [7] OCTET STRING OPTIONAL }
-
- BindResponse consists simply of an indication from the server of he
- status of the client's request for authentication.
-
- f the bind was successful, the resultCode will be success, therwise
- it will be one of:
-
- - operationsError: server encountered an internal error,
-
- - protocolError: unrecognized version number or incorrect PDU
- structure,
-
- - authMethodNotSupported: unrecognized SASL mechanism name,
-
- - strongAuthRequired: the server requires authentication be
- performed with a SASL mechanism,
-
- - referral: this server cannot accept this bind and the client
- should try another,
-
- - saslBindInProgress: the server requires the client to send a
- new bind request, with the same sasl mechanism, to continue the
- authentication process,
-
- - inappropriateAuthentication: the server requires the client
- which had attempted to bind anonymously or without supplying
- credentials to provide some form of credentials,
-
- - invalidCredentials: the wrong password was supplied or the SASL
- credentials could not be processed,
-
- - unavailable: the server is shutting down.
-
- If the server does not support the client's requested protocol
- version, it MUST set the resultCode to protocolError.
-
- If the client receives a BindResponse response where the resultCode
- was protocolError, it MUST close the connection as the server will be
- unwilling to accept further operations. (This is for compatibility
- with earlier versions of LDAP, in which the bind was always the first
- operation, and there was no negotiation.)
-
-
-
-Wahl, et. al. Standards Track [Page 23]
-
-RFC 2251 LDAPv3 December 1997
-
-
- The serverSaslCreds are used as part of a SASL-defined bind mechanism
- to allow the client to authenticate the server to which it is
- communicating, or to perform "challenge-response" authentication. If
- the client bound with the password choice, or the SASL mechanism does
- not require the server to return information to the client, then this
- field is not to be included in the result.
-
-4.3. Unbind Operation
-
- The function of the Unbind Operation is to terminate a protocol
- session. The Unbind Operation is defined as follows:
-
- UnbindRequest ::= [APPLICATION 2] NULL
-
- The Unbind Operation has no response defined. Upon transmission of an
- UnbindRequest, a protocol client may assume that the protocol session
- is terminated. Upon receipt of an UnbindRequest, a protocol server
- may assume that the requesting client has terminated the session and
- that all outstanding requests may be discarded, and may close the
- connection.
-
-4.4. Unsolicited Notification
-
- An unsolicited notification is an LDAPMessage sent from the server to
- the client which is not in response to any LDAPMessage received by
- the server. It is used to signal an extraordinary condition in the
- server or in the connection between the client and the server. The
- notification is of an advisory nature, and the server will not expect
- any response to be returned from the client.
-
- The unsolicited notification is structured as an LDAPMessage in which
- the messageID is 0 and protocolOp is of the extendedResp form. The
- responseName field of the ExtendedResponse is present. The LDAPOID
- value MUST be unique for this notification, and not be used in any
- other situation.
-
- One unsolicited notification is defined in this document.
-
-4.4.1. Notice of Disconnection
-
- This notification may be used by the server to advise the client that
- the server is about to close the connection due to an error
- condition. Note that this notification is NOT a response to an
- unbind requested by the client: the server MUST follow the procedures
- of section 4.3. This notification is intended to assist clients in
- distinguishing between an error condition and a transient network
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 24]
-
-RFC 2251 LDAPv3 December 1997
-
-
- failure. As with a connection close due to network failure, the
- client MUST NOT assume that any outstanding requests which modified
- the directory have succeeded or failed.
-
- The responseName is 1.3.6.1.4.1.1466.20036, the response field is
- absent, and the resultCode is used to indicate the reason for the
- disconnection.
-
- The following resultCode values are to be used in this notification:
-
- - protocolError: The server has received data from the client in
- which
- the LDAPMessage structure could not be parsed.
-
- - strongAuthRequired: The server has detected that an established
- underlying security association protecting communication between
- the client and server has unexpectedly failed or been compromised.
-
- - unavailable: This server will stop accepting new connections and
- operations on all existing connections, and be unavailable for an
- extended period of time. The client may make use of an alternative
- server.
-
- After sending this notice, the server MUST close the connection.
- After receiving this notice, the client MUST NOT transmit any further
- on the connection, and may abruptly close the connection.
-
-4.5. Search Operation
-
- The Search Operation allows a client to request that a search be
- performed on its behalf by a server. This can be used to read
- attributes from a single entry, from entries immediately below a
- particular entry, or a whole subtree of entries.
-
-4.5.1. Search Request
-
- The Search Request is defined as follows:
-
- SearchRequest ::= [APPLICATION 3] SEQUENCE {
- baseObject LDAPDN,
- scope ENUMERATED {
- baseObject (0),
- singleLevel (1),
- wholeSubtree (2) },
- derefAliases ENUMERATED {
- neverDerefAliases (0),
- derefInSearching (1),
- derefFindingBaseObj (2),
-
-
-
-Wahl, et. al. Standards Track [Page 25]
-
-RFC 2251 LDAPv3 December 1997
-
-
- derefAlways (3) },
- sizeLimit INTEGER (0 .. maxInt),
- timeLimit INTEGER (0 .. maxInt),
- typesOnly BOOLEAN,
- filter Filter,
- attributes AttributeDescriptionList }
-
- Filter ::= CHOICE {
- and [0] SET OF Filter,
- or [1] SET OF Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeDescription,
- approxMatch [8] AttributeValueAssertion,
- extensibleMatch [9] MatchingRuleAssertion }
-
- SubstringFilter ::= SEQUENCE {
- type AttributeDescription,
- -- at least one must be present
- substrings SEQUENCE OF CHOICE {
- initial [0] LDAPString,
- any [1] LDAPString,
- final [2] LDAPString } }
-
- MatchingRuleAssertion ::= SEQUENCE {
- matchingRule [1] MatchingRuleId OPTIONAL,
- type [2] AttributeDescription OPTIONAL,
- matchValue [3] AssertionValue,
- dnAttributes [4] BOOLEAN DEFAULT FALSE }
-
- Parameters of the Search Request are:
-
- - baseObject: An LDAPDN that is the base object entry relative to
- which the search is to be performed.
-
- - scope: An indicator of the scope of the search to be performed. The
- semantics of the possible values of this field are identical to the
- semantics of the scope field in the X.511 Search Operation.
-
- - derefAliases: An indicator as to how alias objects (as defined in
- X.501) are to be handled in searching. The semantics of the
- possible values of this field are:
-
- neverDerefAliases: do not dereference aliases in searching
- or in locating the base object of the search;
-
-
-
-Wahl, et. al. Standards Track [Page 26]
-
-RFC 2251 LDAPv3 December 1997
-
-
- derefInSearching: dereference aliases in subordinates of
- the base object in searching, but not in locating the
- base object of the search;
-
- derefFindingBaseObj: dereference aliases in locating
- the base object of the search, but not when searching
- subordinates of the base object;
-
- derefAlways: dereference aliases both in searching and in
- locating the base object of the search.
-
- - sizelimit: A sizelimit that restricts the maximum number of entries
- to be returned as a result of the search. A value of 0 in this
- field indicates that no client-requested sizelimit restrictions are
- in effect for the search. Servers may enforce a maximum number of
- entries to return.
-
- - timelimit: A timelimit that restricts the maximum time (in seconds)
- allowed for a search. A value of 0 in this field indicates that no
- client-requested timelimit restrictions are in effect for the
- search.
-
- - typesOnly: An indicator as to whether search results will contain
- both attribute types and values, or just attribute types. Setting
- this field to TRUE causes only attribute types (no values) to be
- returned. Setting this field to FALSE causes both attribute types
- and values to be returned.
-
- - filter: A filter that defines the conditions that must be fulfilled
- in order for the search to match a given entry.
-
- The 'and', 'or' and 'not' choices can be used to form combinations of
- filters. At least one filter element MUST be present in an 'and' or
- 'or' choice. The others match against individual attribute values of
- entries in the scope of the search. (Implementor's note: the 'not'
- filter is an example of a tagged choice in an implicitly-tagged
- module. In BER this is treated as if the tag was explicit.)
-
- A server MUST evaluate filters according to the three-valued logic
- of X.511(93) section 7.8.1. In summary, a filter is evaluated to
- either "TRUE", "FALSE" or "Undefined". If the filter evaluates
- to TRUE for a particular entry, then the attributes of that entry
- are returned as part of the search result (subject to any applicable
- access control restrictions). If the filter evaluates to FALSE or
- Undefined, then the entry is ignored for the search.
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 27]
-
-RFC 2251 LDAPv3 December 1997
-
-
- A filter of the "and" choice is TRUE if all the filters in the SET
- OF evaluate to TRUE, FALSE if at least one filter is FALSE, and
- otherwise Undefined. A filter of the "or" choice is FALSE if all
- of the filters in the SET OF evaluate to FALSE, TRUE if at least
- one filter is TRUE, and Undefined otherwise. A filter of the "not"
- choice is TRUE if the filter being negated is FALSE, FALSE if it is
- TRUE, and Undefined if it is Undefined.
-
- The present match evaluates to TRUE where there is an attribute or
- subtype of the specified attribute description present in an entry,
- and FALSE otherwise (including a presence test with an unrecognized
- attribute description.)
-
- The extensibleMatch is new in this version of LDAP. If the
- matchingRule field is absent, the type field MUST be present, and
- the equality match is performed for that type. If the type field is
- absent and matchingRule is present, the matchValue is compared
- against all attributes in an entry which support that matchingRule,
- and the matchingRule determines the syntax for the assertion value
- (the filter item evaluates to TRUE if it matches with at least
- one attribute in the entry, FALSE if it does not match any attribute
- in the entry, and Undefined if the matchingRule is not recognized
- or the assertionValue cannot be parsed.) If the type field is
- present and matchingRule is present, the matchingRule MUST be one
- permitted for use with that type, otherwise the filter item is
- undefined. If the dnAttributes field is set to TRUE, the match is
- applied against all the attributes in an entry's distinguished name
- as well, and also evaluates to TRUE if there is at least one
- attribute in the distinguished name for which the filter item
- evaluates to TRUE. (Editors note: The dnAttributes field is present
- so that there does not need to be multiple versions of generic
- matching rules such as for word matching, one to apply to entries
- and another to apply to entries and dn attributes as well).
-
- A filter item evaluates to Undefined when the server would not
- be able to determine whether the assertion value matches an
- entry. If an attribute description in an equalityMatch, substrings,
- greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch
- filter is not recognized by the server, a matching rule id in the
- extensibleMatch is not recognized by the server, the assertion
- value cannot be parsed, or the type of filtering requested is not
- implemented, then the filter is Undefined. Thus for example if a
- server did not recognize the attribute type shoeSize, a filter of
- (shoeSize=*) would evaluate to FALSE, and the filters (shoeSize=12),
- (shoeSize>=12) and (shoeSize<=12) would evaluate to Undefined.
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 28]
-
-RFC 2251 LDAPv3 December 1997
-
-
- Servers MUST NOT return errors if attribute descriptions or matching
- rule ids are not recognized, or assertion values cannot be parsed.
- More details of filter processing are given in section 7.8 of X.511
- [8].
-
- - attributes: A list of the attributes to be returned from each entry
- which matches the search filter. There are two special values which
- may be used: an empty list with no attributes, and the attribute
- description string "*". Both of these signify that all user
- attributes are to be returned. (The "*" allows the client to
- request all user attributes in addition to specific operational
- attributes).
-
- Attributes MUST be named at most once in the list, and are returned
- at most once in an entry. If there are attribute descriptions in
- the list which are not recognized, they are ignored by the server.
-
- If the client does not want any attributes returned, it can specify
- a list containing only the attribute with OID "1.1". This OID was
- chosen arbitrarily and does not correspond to any attribute in use.
-
- Client implementors should note that even if all user attributes are
- requested, some attributes of the entry may not be included in
- search results due to access control or other restrictions.
- Furthermore, servers will not return operational attributes, such
- as objectClasses or attributeTypes, unless they are listed by name,
- since there may be extremely large number of values for certain
- operational attributes. (A list of operational attributes for use
- in LDAP is given in [5].)
-
- Note that an X.500 "list"-like operation can be emulated by the client
- requesting a one-level LDAP search operation with a filter checking
- for the existence of the objectClass attribute, and that an X.500
- "read"-like operation can be emulated by a base object LDAP search
- operation with the same filter. A server which provides a gateway to
- X.500 is not required to use the Read or List operations, although it
- may choose to do so, and if it does must provide the same semantics
- as the X.500 search operation.
-
-4.5.2. Search Result
-
- The results of the search attempted by the server upon receipt of a
- Search Request are returned in Search Responses, which are LDAP
- messages containing either SearchResultEntry, SearchResultReference,
- ExtendedResponse or SearchResultDone data types.
-
- SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
- objectName LDAPDN,
-
-
-
-Wahl, et. al. Standards Track [Page 29]
-
-RFC 2251 LDAPv3 December 1997
-
-
- attributes PartialAttributeList }
-
- PartialAttributeList ::= SEQUENCE OF SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
- -- implementors should note that the PartialAttributeList may
- -- have zero elements (if none of the attributes of that entry
- -- were requested, or could be returned), and that the vals set
- -- may also have zero elements (if types only was requested, or
- -- all values were excluded from the result.)
-
- SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
- -- at least one LDAPURL element must be present
-
- SearchResultDone ::= [APPLICATION 5] LDAPResult
-
- Upon receipt of a Search Request, a server will perform the necessary
- search of the DIT.
-
- If the LDAP session is operating over a connection-oriented transport
- such as TCP, the server will return to the client a sequence of
- responses in separate LDAP messages. There may be zero or more
- responses containing SearchResultEntry, one for each entry found
- during the search. There may also be zero or more responses
- containing SearchResultReference, one for each area not explored by
- this server during the search. The SearchResultEntry and
- SearchResultReference PDUs may come in any order. Following all the
- SearchResultReference responses and all SearchResultEntry responses
- to be returned by the server, the server will return a response
- containing the SearchResultDone, which contains an indication of
- success, or detailing any errors that have occurred.
-
- Each entry returned in a SearchResultEntry will contain all
- attributes, complete with associated values if necessary, as
- specified in the attributes field of the Search Request. Return of
- attributes is subject to access control and other administrative
- policy. Some attributes may be returned in binary format (indicated
- by the AttributeDescription in the response having the binary option
- present).
-
- Some attributes may be constructed by the server and appear in a
- SearchResultEntry attribute list, although they are not stored
- attributes of an entry. Clients MUST NOT assume that all attributes
- can be modified, even if permitted by access control.
-
- LDAPMessage responses of the ExtendedResponse form are reserved for
- returning information associated with a control requested by the
- client. These may be defined in future versions of this document.
-
-
-
-Wahl, et. al. Standards Track [Page 30]
-
-RFC 2251 LDAPv3 December 1997
-
-
-4.5.3. Continuation References in the Search Result
-
- If the server was able to locate the entry referred to by the
- baseObject but was unable to search all the entries in the scope at
- and under the baseObject, the server may return one or more
- SearchResultReference, each containing a reference to another set of
- servers for continuing the operation. A server MUST NOT return any
- SearchResultReference if it has not located the baseObject and
- thus has not searched any entries; in this case it would return a
- SearchResultDone containing a referral resultCode.
-
- In the absence of indexing information provided to a server from
- servers holding subordinate naming contexts, SearchResultReference
- responses are not affected by search filters and are always returned
- when in scope.
-
- The SearchResultReference is of the same data type as the Referral.
- URLs for servers implementing the LDAP protocol are written according
- to [9]. The <dn> part MUST be present in the URL, with the new target
- object name. The client MUST use this name in its next request.
- Some servers (e.g. part of a distributed index exchange system) may
- provide a different filter in the URLs of the SearchResultReference.
- If the filter part of the URL is present in an LDAP URL, the client
- MUST use the new filter in its next request to progress the search,
- and if the filter part is absent the client will use again the same
- filter. Other aspects of the new search request may be the same or
- different as the search which generated the continuation references.
-
- Other kinds of URLs may be returned so long as the operation could be
- performed using that protocol.
-
- The name of an unexplored subtree in a SearchResultReference need not
- be subordinate to the base object.
-
- In order to complete the search, the client MUST issue a new search
- operation for each SearchResultReference that is returned. Note that
- the abandon operation described in section 4.11 applies only to a
- particular operation sent on a connection between a client and server,
- and if the client has multiple outstanding search operations to
- different servers, it MUST abandon each operation individually.
-
-4.5.3.1. Example
-
- For example, suppose the contacted server (hosta) holds the entry
- "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW". It knows that
- either LDAP-capable servers (hostb) or (hostc) hold
- "OU=People,O=MNN,C=WW" (one is the master and the other server a
-
-
-
-
-Wahl, et. al. Standards Track [Page 31]
-
-RFC 2251 LDAPv3 December 1997
-
-
- shadow), and that LDAP-capable server (hostd) holds the subtree
- "OU=Roles,O=MNN,C=WW". If a subtree search of "O=MNN,C=WW" is
- requested to the contacted server, it may return the following:
-
- SearchResultEntry for O=MNN,C=WW
- SearchResultEntry for CN=Manager,O=MNN,C=WW
- SearchResultReference {
- ldap://hostb/OU=People,O=MNN,C=WW
- ldap://hostc/OU=People,O=MNN,C=WW
- }
- SearchResultReference {
- ldap://hostd/OU=Roles,O=MNN,C=WW
- }
- SearchResultDone (success)
-
- Client implementors should note that when following a
- SearchResultReference, additional SearchResultReference may be
- generated. Continuing the example, if the client contacted the
- server (hostb) and issued the search for the subtree
- "OU=People,O=MNN,C=WW", the server might respond as follows:
-
- SearchResultEntry for OU=People,O=MNN,C=WW
- SearchResultReference {
- ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
- }
- SearchResultReference {
- ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
- }
- SearchResultDone (success)
-
- If the contacted server does not hold the base object for the search,
- then it will return a referral to the client. For example, if the
- client requests a subtree search of "O=XYZ,C=US" to hosta, the server
- may return only a SearchResultDone containing a referral.
-
- SearchResultDone (referral) {
- ldap://hostg/
- }
-
-4.6. Modify Operation
-
- The Modify Operation allows a client to request that a modification
- of an entry be performed on its behalf by a server. The Modify
- Request is defined as follows:
-
- ModifyRequest ::= [APPLICATION 6] SEQUENCE {
- object LDAPDN,
- modification SEQUENCE OF SEQUENCE {
-
-
-
-Wahl, et. al. Standards Track [Page 32]
-
-RFC 2251 LDAPv3 December 1997
-
-
- operation ENUMERATED {
- add (0),
- delete (1),
- replace (2) },
- modification AttributeTypeAndValues } }
-
- AttributeTypeAndValues ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
-
- Parameters of the Modify Request are:
-
- - object: The object to be modified. The value of this field contains
- the DN of the entry to be modified. The server will not perform
- any alias dereferencing in determining the object to be modified.
-
- - modification: A list of modifications to be performed on the entry.
- The entire list of entry modifications MUST be performed
- in the order they are listed, as a single atomic operation. While
- individual modifications may violate the directory schema, the
- resulting entry after the entire list of modifications is performed
- MUST conform to the requirements of the directory schema. The
- values that may be taken on by the 'operation' field in each
- modification construct have the following semantics respectively:
-
- add: add values listed to the given attribute, creating
- the attribute if necessary;
-
- delete: delete values listed from the given attribute,
- removing the entire attribute if no values are listed, or
- if all current values of the attribute are listed for
- deletion;
-
- replace: replace all existing values of the given attribute
- with the new values listed, creating the attribute if it
- did not already exist. A replace with no value will delete
- the entire attribute if it exists, and is ignored if the
- attribute does not exist.
-
- The result of the modify attempted by the server upon receipt of a
- Modify Request is returned in a Modify Response, defined as follows:
-
- ModifyResponse ::= [APPLICATION 7] LDAPResult
-
- Upon receipt of a Modify Request, a server will perform the necessary
- modifications to the DIT.
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 33]
-
-RFC 2251 LDAPv3 December 1997
-
-
- The server will return to the client a single Modify Response
- indicating either the successful completion of the DIT modification,
- or the reason that the modification failed. Note that due to the
- requirement for atomicity in applying the list of modifications in
- the Modify Request, the client may expect that no modifications of
- the DIT have been performed if the Modify Response received indicates
- any sort of error, and that all requested modifications have been
- performed if the Modify Response indicates successful completion of
- the Modify Operation. If the connection fails, whether the
- modification occurred or not is indeterminate.
-
- The Modify Operation cannot be used to remove from an entry any of
- its distinguished values, those values which form the entry's
- relative distinguished name. An attempt to do so will result in the
- server returning the error notAllowedOnRDN. The Modify DN Operation
- described in section 4.9 is used to rename an entry.
-
- If an equality match filter has not been defined for an attribute type,
- clients MUST NOT attempt to delete individual values of that attribute
- from an entry using the "delete" form of a modification, and MUST
- instead use the "replace" form.
-
- Note that due to the simplifications made in LDAP, there is not a
- direct mapping of the modifications in an LDAP ModifyRequest onto the
- EntryModifications of a DAP ModifyEntry operation, and different
- implementations of LDAP-DAP gateways may use different means of
- representing the change. If successful, the final effect of the
- operations on the entry MUST be identical.
-
-4.7. Add Operation
-
- The Add Operation allows a client to request the addition of an entry
- into the directory. The Add Request is defined as follows:
-
- AddRequest ::= [APPLICATION 8] SEQUENCE {
- entry LDAPDN,
- attributes AttributeList }
-
- AttributeList ::= SEQUENCE OF SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
-
- Parameters of the Add Request are:
-
- - entry: the Distinguished Name of the entry to be added. Note that
- the server will not dereference any aliases in locating the entry
- to be added.
-
-
-
-
-Wahl, et. al. Standards Track [Page 34]
-
-RFC 2251 LDAPv3 December 1997
-
-
- - attributes: the list of attributes that make up the content of the
- entry being added. Clients MUST include distinguished values
- (those forming the entry's own RDN) in this list, the objectClass
- attribute, and values of any mandatory attributes of the listed
- object classes. Clients MUST NOT supply the createTimestamp or
- creatorsName attributes, since these will be generated
- automatically by the server.
-
- The entry named in the entry field of the AddRequest MUST NOT exist
- for the AddRequest to succeed. The parent of the entry to be added
- MUST exist. For example, if the client attempted to add
- "CN=JS,O=Foo,C=US", the "O=Foo,C=US" entry did not exist, and the
- "C=US" entry did exist, then the server would return the error
- noSuchObject with the matchedDN field containing "C=US". If the
- parent entry exists but is not in a naming context held by the
- server, the server SHOULD return a referral to the server holding the
- parent entry.
-
- Servers implementations SHOULD NOT restrict where entries can be
- located in the directory. Some servers MAY allow the administrator
- to restrict the classes of entries which can be added to the
- directory.
-
- Upon receipt of an Add Request, a server will attempt to perform the
- add requested. The result of the add attempt will be returned to the
- client in the Add Response, defined as follows:
-
- AddResponse ::= [APPLICATION 9] LDAPResult
-
- A response of success indicates that the new entry is present in the
- directory.
-
-4.8. Delete Operation
-
- The Delete Operation allows a client to request the removal of an
- entry from the directory. The Delete Request is defined as follows:
-
- DelRequest ::= [APPLICATION 10] LDAPDN
-
- The Delete Request consists of the Distinguished Name of the entry to
- be deleted. Note that the server will not dereference aliases while
- resolving the name of the target entry to be removed, and that only
- leaf entries (those with no subordinate entries) can be deleted with
- this operation.
-
- The result of the delete attempted by the server upon receipt of a
- Delete Request is returned in the Delete Response, defined as
- follows:
-
-
-
-Wahl, et. al. Standards Track [Page 35]
-
-RFC 2251 LDAPv3 December 1997
-
-
- DelResponse ::= [APPLICATION 11] LDAPResult
-
- Upon receipt of a Delete Request, a server will attempt to perform
- the entry removal requested. The result of the delete attempt will be
- returned to the client in the Delete Response.
-
-4.9. Modify DN Operation
-
- The Modify DN Operation allows a client to change the leftmost (least
- significant) component of the name of an entry in the directory, or
- to move a subtree of entries to a new location in the directory. The
- Modify DN Request is defined as follows:
-
- ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
- entry LDAPDN,
- newrdn RelativeLDAPDN,
- deleteoldrdn BOOLEAN,
- newSuperior [0] LDAPDN OPTIONAL }
-
- Parameters of the Modify DN Request are:
-
- - entry: the Distinguished Name of the entry to be changed. This
- entry may or may not have subordinate entries.
-
- - newrdn: the RDN that will form the leftmost component of the new
- name of the entry.
-
- - deleteoldrdn: a boolean parameter that controls whether the old RDN
- attribute values are to be retained as attributes of the entry, or
- deleted from the entry.
-
- - newSuperior: if present, this is the Distinguished Name of the entry
- which becomes the immediate superior of the existing entry.
-
- The result of the name change attempted by the server upon receipt of
- a Modify DN Request is returned in the Modify DN Response, defined
- as follows:
-
- ModifyDNResponse ::= [APPLICATION 13] LDAPResult
-
- Upon receipt of a ModifyDNRequest, a server will attempt to
- perform the name change. The result of the name change attempt will
- be returned to the client in the Modify DN Response.
-
- For example, if the entry named in the "entry" parameter was
- "cn=John Smith,c=US", the newrdn parameter was "cn=John Cougar Smith",
- and the newSuperior parameter was absent, then this operation would
-
-
-
-
-Wahl, et. al. Standards Track [Page 36]
-
-RFC 2251 LDAPv3 December 1997
-
-
- attempt to rename the entry to be "cn=John Cougar Smith,c=US". If
- there was already an entry with that name, the operation would fail
- with error code entryAlreadyExists.
-
- If the deleteoldrdn parameter is TRUE, the values forming the old
- RDN are deleted from the entry. If the deleteoldrdn parameter is
- FALSE, the values forming the old RDN will be retained as
- non-distinguished attribute values of the entry. The server may
- not perform the operation and return an error code if the setting of
- the deleteoldrdn parameter would cause a schema inconsistency in the
- entry.
-
- Note that X.500 restricts the ModifyDN operation to only affect
- entries that are contained within a single server. If the LDAP
- server is mapped onto DAP, then this restriction will apply, and the
- resultCode affectsMultipleDSAs will be returned if this error
- occurred. In general clients MUST NOT expect to be able to perform
- arbitrary movements of entries and subtrees between servers.
-
-4.10. Compare Operation
-
- The Compare Operation allows a client to compare an assertion
- provided with an entry in the directory. The Compare Request is
- defined as follows:
-
- CompareRequest ::= [APPLICATION 14] SEQUENCE {
- entry LDAPDN,
- ava AttributeValueAssertion }
-
- Parameters of the Compare Request are:
-
- - entry: the name of the entry to be compared with.
-
- - ava: the assertion with which an attribute in the entry is to be
- compared.
-
- The result of the compare attempted by the server upon receipt of a
- Compare Request is returned in the Compare Response, defined as
- follows:
-
- CompareResponse ::= [APPLICATION 15] LDAPResult
-
- Upon receipt of a Compare Request, a server will attempt to perform
- the requested comparison. The result of the comparison will be
- returned to the client in the Compare Response. Note that errors and
- the result of comparison are all returned in the same construct.
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 37]
-
-RFC 2251 LDAPv3 December 1997
-
-
- Note that some directory systems may establish access controls which
- permit the values of certain attributes (such as userPassword) to be
- compared but not read. In a search result, it may be that an
- attribute of that type would be returned, but with an empty set of
- values.
-
-4.11. Abandon Operation
-
- The function of the Abandon Operation is to allow a client to request
- that the server abandon an outstanding operation. The Abandon
- Request is defined as follows:
-
- AbandonRequest ::= [APPLICATION 16] MessageID
-
- The MessageID MUST be that of a an operation which was requested
- earlier in this connection.
-
- (The abandon request itself has its own message id. This is distinct
- from the id of the earlier operation being abandoned.)
-
- There is no response defined in the Abandon Operation. Upon
- transmission of an Abandon Operation, a client may expect that the
- operation identified by the Message ID in the Abandon Request has
- been abandoned. In the event that a server receives an Abandon
- Request on a Search Operation in the midst of transmitting responses
- to the search, that server MUST cease transmitting entry responses to
- the abandoned request immediately, and MUST NOT send the
- SearchResponseDone. Of course, the server MUST ensure that only
- properly encoded LDAPMessage PDUs are transmitted.
-
- Clients MUST NOT send abandon requests for the same operation
- multiple times, and MUST also be prepared to receive results from
- operations it has abandoned (since these may have been in transit
- when the abandon was requested).
-
- Servers MUST discard abandon requests for message IDs they do not
- recognize, for operations which cannot be abandoned, and for
- operations which have already been abandoned.
-
-4.12. Extended Operation
-
- An extension mechanism has been added in this version of LDAP, in
- order to allow additional operations to be defined for services not
- available elsewhere in this protocol, for instance digitally signed
- operations and results.
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 38]
-
-RFC 2251 LDAPv3 December 1997
-
-
- The extended operation allows clients to make requests and receive
- responses with predefined syntaxes and semantics. These may be
- defined in RFCs or be private to particular implementations. Each
- request MUST have a unique OBJECT IDENTIFIER assigned to it.
-
- ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
- requestName [0] LDAPOID,
- requestValue [1] OCTET STRING OPTIONAL }
-
- The requestName is a dotted-decimal representation of the OBJECT
- IDENTIFIER corresponding to the request. The requestValue is
- information in a form defined by that request, encapsulated inside an
- OCTET STRING.
-
- The server will respond to this with an LDAPMessage containing the
- ExtendedResponse.
-
- ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
- COMPONENTS OF LDAPResult,
- responseName [10] LDAPOID OPTIONAL,
- response [11] OCTET STRING OPTIONAL }
-
- If the server does not recognize the request name, it MUST return
- only the response fields from LDAPResult, containing the
- protocolError result code.
-
-5. Protocol Element Encodings and Transfer
-
- One underlying service is defined here. Clients and servers SHOULD
- implement the mapping of LDAP over TCP described in 5.2.1.
-
-5.1. Mapping Onto BER-based Transport Services
-
- The protocol elements of LDAP are encoded for exchange using the
- Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
- high overhead involved in using certain elements of the BER, the
- following additional restrictions are placed on BER-encodings of LDAP
- protocol elements:
-
- (1) Only the definite form of length encoding will be used.
-
- (2) OCTET STRING values will be encoded in the primitive form only.
-
- (3) If the value of a BOOLEAN type is true, the encoding MUST have
- its contents octets set to hex "FF".
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 39]
-
-RFC 2251 LDAPv3 December 1997
-
-
- (4) If a value of a type is its default value, it MUST be absent.
- Only some BOOLEAN and INTEGER types have default values in this
- protocol definition.
-
- These restrictions do not apply to ASN.1 types encapsulated inside of
- OCTET STRING values, such as attribute values, unless otherwise
- noted.
-
-5.2. Transfer Protocols
-
- This protocol is designed to run over connection-oriented, reliable
- transports, with all 8 bits in an octet being significant in the data
- stream.
-
-5.2.1. Transmission Control Protocol (TCP)
-
- The LDAPMessage PDUs are mapped directly onto the TCP bytestream. It
- is recommended that server implementations running over the TCP MAY
- provide a protocol listener on the assigned port, 389. Servers may
- instead provide a listener on a different port number. Clients MUST
- support contacting servers on any valid TCP port.
-
-6. Implementation Guidelines
-
- This document describes an Internet protocol.
-
-6.1. Server Implementations
-
- The server MUST be capable of recognizing all the mandatory attribute
- type names and implement the syntaxes specified in [5]. Servers MAY
- also recognize additional attribute type names.
-
-6.2. Client Implementations
-
- Clients which request referrals MUST ensure that they do not loop
- between servers. They MUST NOT repeatedly contact the same server for
- the same request with the same target entry name, scope and filter.
- Some clients may be using a counter that is incremented each time
- referral handling occurs for an operation, and these kinds of clients
- MUST be able to handle a DIT with at least ten layers of naming
- contexts between the root and a leaf entry.
-
- In the absence of prior agreements with servers, clients SHOULD NOT
- assume that servers support any particular schemas beyond those
- referenced in section 6.1. Different schemas can have different
- attribute types with the same names. The client can retrieve the
- subschema entries referenced by the subschemaSubentry attribute in
- the server's root DSE or in entries held by the server.
-
-
-
-Wahl, et. al. Standards Track [Page 40]
-
-RFC 2251 LDAPv3 December 1997
-
-
-7. Security Considerations
-
- When used with a connection-oriented transport, this version of the
- protocol provides facilities for the LDAP v2 authentication
- mechanism, simple authentication using a cleartext password, as well
- as any SASL mechanism [12]. SASL allows for integrity and privacy
- services to be negotiated.
-
- It is also permitted that the server can return its credentials to
- the client, if it chooses to do so.
-
- Use of cleartext password is strongly discouraged where the
- underlying transport service cannot guarantee confidentiality and may
- result in disclosure of the password to unauthorized parties.
-
- When used with SASL, it should be noted that the name field of the
- BindRequest is not protected against modification. Thus if the
- distinguished name of the client (an LDAPDN) is agreed through the
- negotiation of the credentials, it takes precedence over any value in
- the unprotected name field.
-
- Implementations which cache attributes and entries obtained via LDAP
- MUST ensure that access controls are maintained if that information
- is to be provided to multiple clients, since servers may have access
- control policies which prevent the return of entries or attributes in
- search results except to particular authenticated clients. For
- example, caches could serve result information only to the client
- whose request caused it to be cache.
-
-8. Acknowledgements
-
- This document is an update to RFC 1777, by Wengyik Yeong, Tim Howes,
- and Steve Kille. Design ideas included in this document are based on
- those discussed in ASID and other IETF Working Groups. The
- contributions of individuals in these working groups is gratefully
- acknowledged.
-
-9. Bibliography
-
- [1] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models
- and Service", 1993.
-
- [2] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory Access
- Protocol", RFC 1777, March 1995.
-
- [3] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
- Specification of Basic Notation", 1994.
-
-
-
-
-Wahl, et. al. Standards Track [Page 41]
-
-RFC 2251 LDAPv3 December 1997
-
-
- [4] Kille, S., Wahl, M., and T. Howes, "Lightweight Directory Access
- Protocol (v3): UTF-8 String Representation of Distinguished
- Names", RFC 2253, December 1997.
-
- [5] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
- Directory Access Protocol (v3): Attribute Syntax Definitions",
- RFC 2252, December 1997.
-
- [6] ITU-T Rec. X.501, "The Directory: Models", 1993.
-
- [7] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
- Resource Locators (URL)", RFC 1738, December 1994.
-
- [8] ITU-T Rec. X.511, "The Directory: Abstract Service Definition",
- 1993.
-
- [9] Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
- December 1997.
-
- [10] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", RFC 2119, March 1997.
-
- [11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic,
- Canonical, and Distinguished Encoding Rules", 1994.
-
- [12] Meyers, J., "Simple Authentication and Security Layer",
- RFC 2222, October 1997.
-
- [13] Universal Multiple-Octet Coded Character Set (UCS) -
- Architecture and Basic Multilingual Plane, ISO/IEC 10646-1 :
- 1993.
-
- [14] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
- 10646", RFC 2044, October 1996.
-
-10. Authors' Addresses
-
- Mark Wahl
- Critical Angle Inc.
- 4815 W Braker Lane #502-385
- Austin, TX 78759
- USA
-
- Phone: +1 512 372-3160
- EMail: M.Wahl@critical-angle.com
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 42]
-
-RFC 2251 LDAPv3 December 1997
-
-
- Tim Howes
- Netscape Communications Corp.
- 501 E. Middlefield Rd., MS MV068
- Mountain View, CA 94043
- USA
-
- Phone: +1 650 937-3419
- EMail: howes@netscape.com
-
- Steve Kille
- Isode Limited
- The Dome, The Square
- Richmond
- TW9 1DT
- UK
-
- Phone: +44-181-332-9091
- EMail: S.Kille@isode.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 43]
-
-RFC 2251 LDAPv3 December 1997
-
-
-Appendix A - Complete ASN.1 Definition
-
- Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
- IMPLICIT TAGS ::=
-
- BEGIN
-
- LDAPMessage ::= SEQUENCE {
- messageID MessageID,
- protocolOp CHOICE {
- bindRequest BindRequest,
- bindResponse BindResponse,
- unbindRequest UnbindRequest,
- searchRequest SearchRequest,
- searchResEntry SearchResultEntry,
- searchResDone SearchResultDone,
- searchResRef SearchResultReference,
- modifyRequest ModifyRequest,
- modifyResponse ModifyResponse,
- addRequest AddRequest,
- addResponse AddResponse,
- delRequest DelRequest,
- delResponse DelResponse,
- modDNRequest ModifyDNRequest,
- modDNResponse ModifyDNResponse,
- compareRequest CompareRequest,
- compareResponse CompareResponse,
- abandonRequest AbandonRequest,
- extendedReq ExtendedRequest,
- extendedResp ExtendedResponse },
- controls [0] Controls OPTIONAL }
-
- MessageID ::= INTEGER (0 .. maxInt)
-
- maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
-
- LDAPString ::= OCTET STRING
-
- LDAPOID ::= OCTET STRING
-
- LDAPDN ::= LDAPString
-
- RelativeLDAPDN ::= LDAPString
-
- AttributeType ::= LDAPString
-
- AttributeDescription ::= LDAPString
-
-
-
-
-Wahl, et. al. Standards Track [Page 44]
-
-RFC 2251 LDAPv3 December 1997
-
-
- AttributeDescriptionList ::= SEQUENCE OF
- AttributeDescription
-
- AttributeValue ::= OCTET STRING
-
- AttributeValueAssertion ::= SEQUENCE {
- attributeDesc AttributeDescription,
- assertionValue AssertionValue }
-
- AssertionValue ::= OCTET STRING
-
- Attribute ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
-
- MatchingRuleId ::= LDAPString
-
- LDAPResult ::= SEQUENCE {
- resultCode ENUMERATED {
- success (0),
- operationsError (1),
- protocolError (2),
- timeLimitExceeded (3),
- sizeLimitExceeded (4),
- compareFalse (5),
- compareTrue (6),
- authMethodNotSupported (7),
- strongAuthRequired (8),
- -- 9 reserved --
- referral (10), -- new
- adminLimitExceeded (11), -- new
- unavailableCriticalExtension (12), -- new
- confidentialityRequired (13), -- new
- saslBindInProgress (14), -- new
- noSuchAttribute (16),
- undefinedAttributeType (17),
- inappropriateMatching (18),
- constraintViolation (19),
- attributeOrValueExists (20),
- invalidAttributeSyntax (21),
- -- 22-31 unused --
- noSuchObject (32),
- aliasProblem (33),
- invalidDNSyntax (34),
- -- 35 reserved for undefined isLeaf --
- aliasDereferencingProblem (36),
- -- 37-47 unused --
- inappropriateAuthentication (48),
-
-
-
-Wahl, et. al. Standards Track [Page 45]
-
-RFC 2251 LDAPv3 December 1997
-
-
- invalidCredentials (49),
- insufficientAccessRights (50),
- busy (51),
- unavailable (52),
- unwillingToPerform (53),
- loopDetect (54),
- -- 55-63 unused --
- namingViolation (64),
- objectClassViolation (65),
- notAllowedOnNonLeaf (66),
- notAllowedOnRDN (67),
- entryAlreadyExists (68),
- objectClassModsProhibited (69),
- -- 70 reserved for CLDAP --
- affectsMultipleDSAs (71), -- new
- -- 72-79 unused --
- other (80) },
- -- 81-90 reserved for APIs --
- matchedDN LDAPDN,
- errorMessage LDAPString,
- referral [3] Referral OPTIONAL }
-
- Referral ::= SEQUENCE OF LDAPURL
-
- LDAPURL ::= LDAPString -- limited to characters permitted in URLs
-
- Controls ::= SEQUENCE OF Control
-
- Control ::= SEQUENCE {
- controlType LDAPOID,
- criticality BOOLEAN DEFAULT FALSE,
- controlValue OCTET STRING OPTIONAL }
-
- BindRequest ::= [APPLICATION 0] SEQUENCE {
- version INTEGER (1 .. 127),
- name LDAPDN,
- authentication AuthenticationChoice }
-
- AuthenticationChoice ::= CHOICE {
- simple [0] OCTET STRING,
- -- 1 and 2 reserved
- sasl [3] SaslCredentials }
-
- SaslCredentials ::= SEQUENCE {
- mechanism LDAPString,
- credentials OCTET STRING OPTIONAL }
-
- BindResponse ::= [APPLICATION 1] SEQUENCE {
-
-
-
-Wahl, et. al. Standards Track [Page 46]
-
-RFC 2251 LDAPv3 December 1997
-
-
- COMPONENTS OF LDAPResult,
- serverSaslCreds [7] OCTET STRING OPTIONAL }
-
- UnbindRequest ::= [APPLICATION 2] NULL
-
- SearchRequest ::= [APPLICATION 3] SEQUENCE {
- baseObject LDAPDN,
- scope ENUMERATED {
- baseObject (0),
- singleLevel (1),
- wholeSubtree (2) },
- derefAliases ENUMERATED {
- neverDerefAliases (0),
- derefInSearching (1),
- derefFindingBaseObj (2),
- derefAlways (3) },
- sizeLimit INTEGER (0 .. maxInt),
- timeLimit INTEGER (0 .. maxInt),
- typesOnly BOOLEAN,
- filter Filter,
- attributes AttributeDescriptionList }
-
- Filter ::= CHOICE {
- and [0] SET OF Filter,
- or [1] SET OF Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeDescription,
- approxMatch [8] AttributeValueAssertion,
- extensibleMatch [9] MatchingRuleAssertion }
-
- SubstringFilter ::= SEQUENCE {
- type AttributeDescription,
- -- at least one must be present
- substrings SEQUENCE OF CHOICE {
- initial [0] LDAPString,
- any [1] LDAPString,
- final [2] LDAPString } }
-
- MatchingRuleAssertion ::= SEQUENCE {
- matchingRule [1] MatchingRuleId OPTIONAL,
- type [2] AttributeDescription OPTIONAL,
- matchValue [3] AssertionValue,
- dnAttributes [4] BOOLEAN DEFAULT FALSE }
-
-
-
-
-Wahl, et. al. Standards Track [Page 47]
-
-RFC 2251 LDAPv3 December 1997
-
-
- SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
- objectName LDAPDN,
- attributes PartialAttributeList }
-
- PartialAttributeList ::= SEQUENCE OF SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
-
- SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
-
- SearchResultDone ::= [APPLICATION 5] LDAPResult
-
- ModifyRequest ::= [APPLICATION 6] SEQUENCE {
- object LDAPDN,
- modification SEQUENCE OF SEQUENCE {
- operation ENUMERATED {
- add (0),
- delete (1),
- replace (2) },
- modification AttributeTypeAndValues } }
-
- AttributeTypeAndValues ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
-
- ModifyResponse ::= [APPLICATION 7] LDAPResult
-
- AddRequest ::= [APPLICATION 8] SEQUENCE {
- entry LDAPDN,
- attributes AttributeList }
-
- AttributeList ::= SEQUENCE OF SEQUENCE {
- type AttributeDescription,
- vals SET OF AttributeValue }
-
- AddResponse ::= [APPLICATION 9] LDAPResult
-
- DelRequest ::= [APPLICATION 10] LDAPDN
-
- DelResponse ::= [APPLICATION 11] LDAPResult
-
- ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
- entry LDAPDN,
- newrdn RelativeLDAPDN,
- deleteoldrdn BOOLEAN,
- newSuperior [0] LDAPDN OPTIONAL }
-
- ModifyDNResponse ::= [APPLICATION 13] LDAPResult
-
-
-
-Wahl, et. al. Standards Track [Page 48]
-
-RFC 2251 LDAPv3 December 1997
-
-
- CompareRequest ::= [APPLICATION 14] SEQUENCE {
- entry LDAPDN,
- ava AttributeValueAssertion }
-
- CompareResponse ::= [APPLICATION 15] LDAPResult
-
- AbandonRequest ::= [APPLICATION 16] MessageID
-
- ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
- requestName [0] LDAPOID,
- requestValue [1] OCTET STRING OPTIONAL }
-
- ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
- COMPONENTS OF LDAPResult,
- responseName [10] LDAPOID OPTIONAL,
- response [11] OCTET STRING OPTIONAL }
-
- END
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 49]
-
-RFC 2251 LDAPv3 December 1997
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 50]
-
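Review bot: this hunk removes rfc2251.txt in full without any successor text being added to devdocs in the same change, which leaves the LDAP server tree with no offline copy of the material an implementer of this code most needs from it: Appendix A (the complete ASN.1 module from `LDAPMessage ::= SEQUENCE {` through `END`, including the full `resultCode` enumeration and the `[APPLICATION n]` tags for every request and response), the BER restrictions in section 5.1 (definite length only, primitive OCTET STRING, BOOLEAN TRUE encoded as 0xFF, defaulted values absent) that a decoder has to enforce, and the section 7 Security Considerations (cleartext simple bind discouraged without transport confidentiality, the unprotected `name` field in a SASL BindRequest being overridden by the negotiated identity, access control on cached entries). If the point of the deletion is to replace the obsolete RFC with its successor, check that successor's text in alongside this deletion and state in the commit message which document supersedes RFC 2251; if the point is only to drop third-party text from the tree, note that the Full Copyright Statement at the end of the file permits unmodified redistribution, so the reason should be recorded so nobody re-adds it later.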
diff --git a/source4/ldap_server/devdocs/rfc2252.txt b/source4/ldap_server/devdocs/rfc2252.txt
deleted file mode 100644
index 5a72b7768a..0000000000
--- a/source4/ldap_server/devdocs/rfc2252.txt
+++ /dev/null
@@ -1,1795 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Wahl
-Request for Comments: 2252 Critical Angle Inc.
-Category: Standards Track A. Coulbeck
- Isode Inc.
- T. Howes
- Netscape Communications Corp.
- S. Kille
- Isode Limited
- December 1997
-
-
- Lightweight Directory Access Protocol (v3):
- Attribute Syntax Definitions
-
-1. Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
-IESG Note
-
- This document describes a directory access protocol that provides
- both read and update access. Update access requires secure
- authentication, but this document does not mandate implementation of
- any satisfactory authentication mechanisms.
-
- In accordance with RFC 2026, section 4.4.1, this specification is
- being approved by IESG as a Proposed Standard despite this
- limitation, for the following reasons:
-
- a. to encourage implementation and interoperability testing of
- these protocols (with or without update access) before they
- are deployed, and
-
- b. to encourage deployment and use of these protocols in read-only
- applications. (e.g. applications where LDAPv3 is used as
- a query language for directories which are updated by some
- secure mechanism other than LDAP), and
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 1]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- c. to avoid delaying the advancement and deployment of other Internet
- standards-track protocols which require the ability to query, but
- not update, LDAPv3 directory servers.
-
- Readers are hereby warned that until mandatory authentication
- mechanisms are standardized, clients and servers written according to
- this specification which make use of update functionality are
- UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
- IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
-
- Implementors are hereby discouraged from deploying LDAPv3 clients or
- servers which implement the update functionality, until a Proposed
- Standard for mandatory authentication in LDAPv3 has been approved and
- published as an RFC.
-
-2. Abstract
-
- The Lightweight Directory Access Protocol (LDAP) [1] requires that
- the contents of AttributeValue fields in protocol elements be octet
- strings. This document defines a set of syntaxes for LDAPv3, and the
- rules by which attribute values of these syntaxes are represented as
- octet strings for transmission in the LDAP protocol. The syntaxes
- defined in this document are referenced by this and other documents
- that define attribute types. This document also defines the set of
- attribute types which LDAP servers should support.
-
-3. Overview
-
- This document defines the framework for developing schemas for
- directories accessible via the Lightweight Directory Access Protocol.
-
- Schema is the collection of attribute type definitions, object class
- definitions and other information which a server uses to determine
- how to match a filter or attribute value assertion (in a compare
- operation) against the attributes of an entry, and whether to permit
- add and modify operations.
-
- Section 4 states the general requirements and notations for attribute
- types, object classes, syntax and matching rule definitions.
-
- Section 5 lists attributes, section 6 syntaxes and section 7 object
- classes.
-
- Additional documents define schemas for representing real-world
- objects as directory entries.
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 2]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-4. General Issues
-
- This document describes encodings used in an Internet protocol.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [4].
-
- Attribute Type and Object Class definitions are written in a string
- representation of the AttributeTypeDescription and
- ObjectClassDescription data types defined in X.501(93) [3].
- Implementors are strongly advised to first read the description of
- how schema is represented in X.500 before reading the rest of this
- document.
-
-4.1. Common Encoding Aspects
-
- For the purposes of defining the encoding rules for attribute
- syntaxes, the following BNF definitions will be used. They are based
- on the BNF styles of RFC 822 [13].
-
- a = "a" / "b" / "c" / "d" / "e" / "f" / "g" / "h" / "i" /
- "j" / "k" / "l" / "m" / "n" / "o" / "p" / "q" / "r" /
- "s" / "t" / "u" / "v" / "w" / "x" / "y" / "z" / "A" /
- "B" / "C" / "D" / "E" / "F" / "G" / "H" / "I" / "J" /
- "K" / "L" / "M" / "N" / "O" / "P" / "Q" / "R" / "S" /
- "T" / "U" / "V" / "W" / "X" / "Y" / "Z"
-
- d = "0" / "1" / "2" / "3" / "4" /
- "5" / "6" / "7" / "8" / "9"
-
- hex-digit = d / "a" / "b" / "c" / "d" / "e" / "f" /
- "A" / "B" / "C" / "D" / "E" / "F"
-
- k = a / d / "-" / ";"
-
- p = a / d / """ / "(" / ")" / "+" / "," /
- "-" / "." / "/" / ":" / "?" / " "
-
- letterstring = 1*a
-
- numericstring = 1*d
-
- anhstring = 1*k
-
- keystring = a [ anhstring ]
-
- printablestring = 1*p
-
-
-
-Wahl, et. al. Standards Track [Page 3]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- space = 1*" "
-
- whsp = [ space ]
-
- utf8 = <any sequence of octets formed from the UTF-8 [9]
- transformation of a character from ISO10646 [10]>
-
- dstring = 1*utf8
-
- qdstring = whsp "'" dstring "'" whsp
-
- qdstringlist = [ qdstring *( qdstring ) ]
-
- qdstrings = qdstring / ( whsp "(" qdstringlist ")" whsp )
-
- In the following BNF for the string representation of OBJECT
- IDENTIFIERs, descr is the syntactic representation of an object
- descriptor, which consists of letters and digits, starting with a
- letter. An OBJECT IDENTIFIER in the numericoid format should not
- have leading zeroes (e.g. "0.9.3" is permitted but "0.09.3" should
- not be generated).
-
- When encoding 'oid' elements in a value, the descr encoding option
- SHOULD be used in preference to the numericoid. An object descriptor
- is a more readable alias for a number OBJECT IDENTIFIER, and these
- (where assigned and known by the implementation) SHOULD be used in
- preference to numeric oids to the greatest extent possible. Examples
- of object descriptors in LDAP are attribute type, object class and
- matching rule names.
-
- oid = descr / numericoid
-
- descr = keystring
-
- numericoid = numericstring *( "." numericstring )
-
- woid = whsp oid whsp
-
- ; set of oids of either form
- oids = woid / ( "(" oidlist ")" )
-
- oidlist = woid *( "$" woid )
-
- ; object descriptors used as schema element names
- qdescrs = qdescr / ( whsp "(" qdescrlist ")" whsp )
-
- qdescrlist = [ qdescr *( qdescr ) ]
-
-
-
-
-Wahl, et. al. Standards Track [Page 4]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- qdescr = whsp "'" descr "'" whsp
-
-4.2. Attribute Types
-
- The attribute types are described by sample values for the subschema
- "attributeTypes" attribute, which is written in the
- AttributeTypeDescription syntax. While lines have been folded for
- readability, the values transferred in protocol would not contain
- newlines.
-
- The AttributeTypeDescription is encoded according to the following
- BNF, and the productions for oid, qdescrs and qdstring are given in
- section 4.1. Implementors should note that future versions of this
- document may have expanded this BNF to include additional terms.
- Terms which begin with the characters "X-" are reserved for private
- experiments, and MUST be followed by a <qdstrings>.
-
- AttributeTypeDescription = "(" whsp
- numericoid whsp ; AttributeType identifier
- [ "NAME" qdescrs ] ; name used in AttributeType
- [ "DESC" qdstring ] ; description
- [ "OBSOLETE" whsp ]
- [ "SUP" woid ] ; derived from this other
- ; AttributeType
- [ "EQUALITY" woid ; Matching Rule name
- [ "ORDERING" woid ; Matching Rule name
- [ "SUBSTR" woid ] ; Matching Rule name
- [ "SYNTAX" whsp noidlen whsp ] ; see section 4.3
- [ "SINGLE-VALUE" whsp ] ; default multi-valued
- [ "COLLECTIVE" whsp ] ; default not collective
- [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
- [ "USAGE" whsp AttributeUsage ]; default userApplications
- whsp ")"
-
- AttributeUsage =
- "userApplications" /
- "directoryOperation" /
- "distributedOperation" / ; DSA-shared
- "dSAOperation" ; DSA-specific, value depends on server
-
- Servers are not required to provide the same or any text in the
- description part of the subschema values they maintain. Servers
- SHOULD provide at least one of the "SUP" and "SYNTAX" fields for each
- AttributeTypeDescription.
-
- Servers MUST implement all the attribute types referenced in sections
- 5.1, 5.2 and 5.3.
-
-
-
-
-Wahl, et. al. Standards Track [Page 5]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- Servers MAY recognize additional names and attributes not listed in
- this document, and if they do so, MUST publish the definitions of the
- types in the attributeTypes attribute of their subschema entries.
-
- Schema developers MUST NOT create attribute definitions whose names
- conflict with attributes defined for use with LDAP in existing
- standards-track RFCs.
-
- An AttributeDescription can be used as the value in a NAME part of an
- AttributeTypeDescription. Note that these are case insensitive.
-
- Note that the AttributeTypeDescription does not list the matching
- rules which can can be used with that attribute type in an
- extensibleMatch search filter. This is done using the
- matchingRuleUse attribute described in section 4.5.
-
- This document refines the schema description of X.501 by requiring
- that the syntax field in an AttributeTypeDescription be a string
- representation of an OBJECT IDENTIFIER for the LDAP string syntax
- definition, and an optional indication of the maximum length of a
- value of this attribute (defined in section 4.3.2).
-
-4.3. Syntaxes
-
- This section defines general requirements for LDAP attribute value
- syntax encodings. All documents defining attribute syntax encodings
- for use with LDAP are expected to conform to these requirements.
-
- The encoding rules defined for a given attribute syntax must produce
- octet strings. To the greatest extent possible, encoded octet
- strings should be usable in their native encoded form for display
- purposes. In particular, encoding rules for attribute syntaxes
- defining non-binary values should produce strings that can be
- displayed with little or no translation by clients implementing LDAP.
- There are a few cases (e.g. audio) however, when it is not sensible
- to produce a printable representation, and clients MUST NOT assume
- that an unrecognized syntax is a string representation.
-
- In encodings where an arbitrary string, not a Distinguished Name, is
- used as part of a larger production, and other than as part of a
- Distinguished Name, a backslash quoting mechanism is used to escape
- the following separator symbol character (such as "'", "$" or "#") if
- it should occur in that string. The backslash is followed by a pair
- of hexadecimal digits representing the next character. A backslash
- itself in the string which forms part of a larger syntax is always
- transmitted as '\5C' or '\5c'. An example is given in section 6.27.
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 6]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- Syntaxes are also defined for matching rules whose assertion value
- syntax is different from the attribute value syntax.
-
-4.3.1 Binary Transfer of Values
-
- This encoding format is used if the binary encoding is requested by
- the client for an attribute, or if the attribute syntax name is
- "1.3.6.1.4.1.1466.115.121.1.5". The contents of the LDAP
- AttributeValue or AssertionValue field is a BER-encoded instance of
- the attribute value or a matching rule assertion value ASN.1 data
- type as defined for use with X.500. (The first byte inside the OCTET
- STRING wrapper is a tag octet. However, the OCTET STRING is still
- encoded in primitive form.)
-
- All servers MUST implement this form for both generating attribute
- values in search responses, and parsing attribute values in add,
- compare and modify requests, if the attribute type is recognized and
- the attribute syntax name is that of Binary. Clients which request
- that all attributes be returned from entries MUST be prepared to
- receive values in binary (e.g. userCertificate;binary), and SHOULD
- NOT simply display binary or unrecognized values to users.
-
-4.3.2. Syntax Object Identifiers
-
- Syntaxes for use with LDAP are named by OBJECT IDENTIFIERs, which are
- dotted-decimal strings. These are not intended to be displayed to
- users.
-
- noidlen = numericoid [ "{" len "}" ]
-
- len = numericstring
-
- The following table lists some of the syntaxes that have been defined
- for LDAP thus far. The H-R column suggests whether a value in that
- syntax would likely be a human readable string. Clients and servers
- need not implement all the syntaxes listed here, and MAY implement
- other syntaxes.
-
- Other documents may define additional syntaxes. However, the
- definition of additional arbitrary syntaxes is strongly deprecated
- since it will hinder interoperability: today's client and server
- implementations generally do not have the ability to dynamically
- recognize new syntaxes. In most cases attributes will be defined
- with the syntax for directory strings.
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 7]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- Value being represented H-R OBJECT IDENTIFIER
- =================================================================
- ACI Item N 1.3.6.1.4.1.1466.115.121.1.1
- Access Point Y 1.3.6.1.4.1.1466.115.121.1.2
- Attribute Type Description Y 1.3.6.1.4.1.1466.115.121.1.3
- Audio N 1.3.6.1.4.1.1466.115.121.1.4
- Binary N 1.3.6.1.4.1.1466.115.121.1.5
- Bit String Y 1.3.6.1.4.1.1466.115.121.1.6
- Boolean Y 1.3.6.1.4.1.1466.115.121.1.7
- Certificate N 1.3.6.1.4.1.1466.115.121.1.8
- Certificate List N 1.3.6.1.4.1.1466.115.121.1.9
- Certificate Pair N 1.3.6.1.4.1.1466.115.121.1.10
- Country String Y 1.3.6.1.4.1.1466.115.121.1.11
- DN Y 1.3.6.1.4.1.1466.115.121.1.12
- Data Quality Syntax Y 1.3.6.1.4.1.1466.115.121.1.13
- Delivery Method Y 1.3.6.1.4.1.1466.115.121.1.14
- Directory String Y 1.3.6.1.4.1.1466.115.121.1.15
- DIT Content Rule Description Y 1.3.6.1.4.1.1466.115.121.1.16
- DIT Structure Rule Description Y 1.3.6.1.4.1.1466.115.121.1.17
- DL Submit Permission Y 1.3.6.1.4.1.1466.115.121.1.18
- DSA Quality Syntax Y 1.3.6.1.4.1.1466.115.121.1.19
- DSE Type Y 1.3.6.1.4.1.1466.115.121.1.20
- Enhanced Guide Y 1.3.6.1.4.1.1466.115.121.1.21
- Facsimile Telephone Number Y 1.3.6.1.4.1.1466.115.121.1.22
- Fax N 1.3.6.1.4.1.1466.115.121.1.23
- Generalized Time Y 1.3.6.1.4.1.1466.115.121.1.24
- Guide Y 1.3.6.1.4.1.1466.115.121.1.25
- IA5 String Y 1.3.6.1.4.1.1466.115.121.1.26
- INTEGER Y 1.3.6.1.4.1.1466.115.121.1.27
- JPEG N 1.3.6.1.4.1.1466.115.121.1.28
- LDAP Syntax Description Y 1.3.6.1.4.1.1466.115.121.1.54
- LDAP Schema Definition Y 1.3.6.1.4.1.1466.115.121.1.56
- LDAP Schema Description Y 1.3.6.1.4.1.1466.115.121.1.57
- Master And Shadow Access Points Y 1.3.6.1.4.1.1466.115.121.1.29
- Matching Rule Description Y 1.3.6.1.4.1.1466.115.121.1.30
- Matching Rule Use Description Y 1.3.6.1.4.1.1466.115.121.1.31
- Mail Preference Y 1.3.6.1.4.1.1466.115.121.1.32
- MHS OR Address Y 1.3.6.1.4.1.1466.115.121.1.33
- Modify Rights Y 1.3.6.1.4.1.1466.115.121.1.55
- Name And Optional UID Y 1.3.6.1.4.1.1466.115.121.1.34
- Name Form Description Y 1.3.6.1.4.1.1466.115.121.1.35
- Numeric String Y 1.3.6.1.4.1.1466.115.121.1.36
- Object Class Description Y 1.3.6.1.4.1.1466.115.121.1.37
- Octet String Y 1.3.6.1.4.1.1466.115.121.1.40
- OID Y 1.3.6.1.4.1.1466.115.121.1.38
- Other Mailbox Y 1.3.6.1.4.1.1466.115.121.1.39
- Postal Address Y 1.3.6.1.4.1.1466.115.121.1.41
- Protocol Information Y 1.3.6.1.4.1.1466.115.121.1.42
-
-
-
-Wahl, et. al. Standards Track [Page 8]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- Presentation Address Y 1.3.6.1.4.1.1466.115.121.1.43
- Printable String Y 1.3.6.1.4.1.1466.115.121.1.44
- Substring Assertion Y 1.3.6.1.4.1.1466.115.121.1.58
- Subtree Specification Y 1.3.6.1.4.1.1466.115.121.1.45
- Supplier Information Y 1.3.6.1.4.1.1466.115.121.1.46
- Supplier Or Consumer Y 1.3.6.1.4.1.1466.115.121.1.47
- Supplier And Consumer Y 1.3.6.1.4.1.1466.115.121.1.48
- Supported Algorithm N 1.3.6.1.4.1.1466.115.121.1.49
- Telephone Number Y 1.3.6.1.4.1.1466.115.121.1.50
- Teletex Terminal Identifier Y 1.3.6.1.4.1.1466.115.121.1.51
- Telex Number Y 1.3.6.1.4.1.1466.115.121.1.52
- UTC Time Y 1.3.6.1.4.1.1466.115.121.1.53
-
- A suggested minimum upper bound on the number of characters in value
- with a string-based syntax, or the number of bytes in a value for all
- other syntaxes, may be indicated by appending this bound count inside
- of curly braces following the syntax name's OBJECT IDENTIFIER in an
- Attribute Type Description. This bound is not part of the syntax
- name itself. For instance, "1.3.6.4.1.1466.0{64}" suggests that
- server implementations should allow a string to be 64 characters
- long, although they may allow longer strings. Note that a single
- character of the Directory String syntax may be encoded in more than
- one byte since UTF-8 is a variable-length encoding.
-
-4.3.3. Syntax Description
-
- The following BNF may be used to associate a short description with a
- syntax OBJECT IDENTIFIER. Implementors should note that future
- versions of this document may expand this definition to include
- additional terms. Terms whose identifier begins with "X-" are
- reserved for private experiments, and MUST be followed by a
- <qdstrings>.
-
- SyntaxDescription = "(" whsp
- numericoid whsp
- [ "DESC" qdstring ]
- whsp ")"
-
-4.4. Object Classes
-
- The format for representation of object classes is defined in X.501
- [3]. In general every entry will contain an abstract class ("top" or
- "alias"), at least one structural object class, and zero or more
- auxiliary object classes. Whether an object class is abstract,
- structural or auxiliary is defined when the object class identifier
- is assigned. An object class definition should not be changed
- without having a new identifier assigned to it.
-
-
-
-
-Wahl, et. al. Standards Track [Page 9]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- Object class descriptions are written according to the following BNF.
- Implementors should note that future versions of this document may
- expand this definition to include additional terms. Terms whose
- identifier begins with "X-" are reserved for private experiments, and
- MUST be followed by a <qdstrings> encoding.
-
- ObjectClassDescription = "(" whsp
- numericoid whsp ; ObjectClass identifier
- [ "NAME" qdescrs ]
- [ "DESC" qdstring ]
- [ "OBSOLETE" whsp ]
- [ "SUP" oids ] ; Superior ObjectClasses
- [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
- ; default structural
- [ "MUST" oids ] ; AttributeTypes
- [ "MAY" oids ] ; AttributeTypes
- whsp ")"
-
- These are described as sample values for the subschema
- "objectClasses" attribute for a server which implements the LDAP
- schema. While lines have been folded for readability, the values
- transferred in protocol would not contain newlines.
-
- Servers SHOULD implement all the object classes referenced in section
- 7, except for extensibleObject, which is optional. Servers MAY
- implement additional object classes not listed in this document, and
- if they do so, MUST publish the definitions of the classes in the
- objectClasses attribute of their subschema entries.
-
- Schema developers MUST NOT create object class definitions whose
- names conflict with attributes defined for use with LDAP in existing
- standards-track RFCs.
-
-4.5. Matching Rules
-
- Matching rules are used by servers to compare attribute values
- against assertion values when performing Search and Compare
- operations. They are also used to identify the value to be added or
- deleted when modifying entries, and are used when comparing a
- purported distinguished name with the name of an entry.
-
- Most of the attributes given in this document will have an equality
- matching rule defined.
-
- Matching rule descriptions are written according to the following
- BNF. Implementors should note that future versions of this document
- may have expanded this BNF to include additional terms. Terms whose
- identifier begins with "X-" are reserved for private experiments, and
-
-
-
-Wahl, et. al. Standards Track [Page 10]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- MUST be followed by a <qdstrings> encoding.
-
- MatchingRuleDescription = "(" whsp
- numericoid whsp ; MatchingRule identifier
- [ "NAME" qdescrs ]
- [ "DESC" qdstring ]
- [ "OBSOLETE" whsp ]
- "SYNTAX" numericoid
- whsp ")"
-
- Values of the matchingRuleUse list the attributes which are suitable
- for use with an extensible matching rule.
-
- MatchingRuleUseDescription = "(" whsp
- numericoid whsp ; MatchingRule identifier
- [ "NAME" qdescrs ]
- [ "DESC" qdstring ]
- [ "OBSOLETE" ]
- "APPLIES" oids ; AttributeType identifiers
- whsp ")"
-
- Servers which support matching rules and the extensibleMatch SHOULD
- implement all the matching rules in section 8.
-
- Servers MAY implement additional matching rules not listed in this
- document, and if they do so, MUST publish the definitions of the
- matching rules in the matchingRules attribute of their subschema
- entries. If the server supports the extensibleMatch, then the server
- MUST publish the relationship between the matching rules and
- attributes in the matchingRuleUse attribute.
-
- For example, a server which implements a privately-defined matching
- rule for performing sound-alike matches on Directory String-valued
- attributes would include the following in the subschema entry
- (1.2.3.4.5 is an example, the OID of an actual matching rule would be
- different):
-
- matchingRule: ( 1.2.3.4.5 NAME 'soundAlikeMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- If this matching rule could be used with the attributes 2.5.4.41 and
- 2.5.4.15, the following would also be present:
-
- matchingRuleUse: ( 1.2.3.4.5 APPLIES (2.5.4.41 $ 2.5.4.15) )
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 11]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- A client could then make use of this matching rule by sending a
- search operation in which the filter is of the extensibleMatch
- choice, the matchingRule field is "soundAlikeMatch", and the type
- field is "2.5.4.41" or "2.5.4.15".
-
-5. Attribute Types
-
- All LDAP server implementations MUST recognize the attribute types
- defined in this section.
-
- Servers SHOULD also recognize all the attributes from section 5 of
- [12].
-
-5.1. Standard Operational Attributes
-
- Servers MUST maintain values of these attributes in accordance with
- the definitions in X.501(93).
-
-5.1.1. createTimestamp
-
- This attribute SHOULD appear in entries which were created using the
- Add operation.
-
- ( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
-
-5.1.2. modifyTimestamp
-
- This attribute SHOULD appear in entries which have been modified
- using the Modify operation.
-
- ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
-
-5.1.3. creatorsName
-
- This attribute SHOULD appear in entries which were created using the
- Add operation.
-
- ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 12]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-5.1.4. modifiersName
-
- This attribute SHOULD appear in entries which have been modified
- using the Modify operation.
-
- ( 2.5.18.4 NAME 'modifiersName' EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
-
-5.1.5. subschemaSubentry
-
- The value of this attribute is the name of a subschema entry (or
- subentry if the server is based on X.500(93)) in which the server
- makes available attributes specifying the schema.
-
- ( 2.5.18.10 NAME 'subschemaSubentry'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION
- SINGLE-VALUE USAGE directoryOperation )
-
-5.1.6. attributeTypes
-
- This attribute is typically located in the subschema entry.
-
- ( 2.5.21.5 NAME 'attributeTypes'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.3 USAGE directoryOperation )
-
-5.1.7. objectClasses
-
- This attribute is typically located in the subschema entry.
-
- ( 2.5.21.6 NAME 'objectClasses'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.37 USAGE directoryOperation )
-
-5.1.8. matchingRules
-
- This attribute is typically located in the subschema entry.
-
- ( 2.5.21.4 NAME 'matchingRules'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.30 USAGE directoryOperation )
-
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 13]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-5.1.9. matchingRuleUse
-
- This attribute is typically located in the subschema entry.
-
- ( 2.5.21.8 NAME 'matchingRuleUse'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.31 USAGE directoryOperation )
-
-5.2. LDAP Operational Attributes
-
- These attributes are only present in the root DSE (see [1] and [3]).
-
- Servers MUST recognize these attribute names, but it is not required
- that a server provide values for these attributes, when the attribute
- corresponds to a feature which the server does not implement.
-
-5.2.1. namingContexts
-
- The values of this attribute correspond to naming contexts which this
- server masters or shadows. If the server does not master any
- information (e.g. it is an LDAP gateway to a public X.500 directory)
- this attribute will be absent. If the server believes it contains
- the entire directory, the attribute will have a single value, and
- that value will be the empty string (indicating the null DN of the
- root). This attribute will allow a client to choose suitable base
- objects for searching when it has contacted a server.
-
- ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation )
-
-5.2.2. altServer
-
- The values of this attribute are URLs of other servers which may be
- contacted when this server becomes unavailable. If the server does
- not know of any other servers which could be used this attribute will
- be absent. Clients may cache this information in case their preferred
- LDAP server later becomes unavailable.
-
- ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE dSAOperation )
-
-5.2.3. supportedExtension
-
- The values of this attribute are OBJECT IDENTIFIERs identifying the
- supported extended operations which the server supports.
-
- If the server does not support any extensions this attribute will be
- absent.
-
-
-
-Wahl, et. al. Standards Track [Page 14]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )
-
-5.2.4. supportedControl
-
- The values of this attribute are the OBJECT IDENTIFIERs identifying
- controls which the server supports. If the server does not support
- any controls, this attribute will be absent.
-
- ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )
-
-5.2.5. supportedSASLMechanisms
-
- The values of this attribute are the names of supported SASL
- mechanisms which the server supports. If the server does not support
- any mechanisms this attribute will be absent.
-
- ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE dSAOperation )
-
-5.2.6. supportedLDAPVersion
-
- The values of this attribute are the versions of the LDAP protocol
- which the server implements.
-
- ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 USAGE dSAOperation )
-
-5.3. LDAP Subschema Attribute
-
- This attribute is typically located in the subschema entry.
-
-5.3.1. ldapSyntaxes
-
- Servers MAY use this attribute to list the syntaxes which are
- implemented. Each value corresponds to one syntax.
-
- ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.54 USAGE directoryOperation )
-
-5.4. X.500 Subschema attributes
-
- These attributes are located in the subschema entry. All servers
- SHOULD recognize their name, although typically only X.500 servers
- will implement their functionality.
-
-
-
-
-Wahl, et. al. Standards Track [Page 15]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-5.4.1. dITStructureRules
-
- ( 2.5.21.1 NAME 'dITStructureRules' EQUALITY integerFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.17 USAGE directoryOperation )
-
-5.4.2. nameForms
-
- ( 2.5.21.7 NAME 'nameForms'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.35 USAGE directoryOperation )
-
-5.4.3. ditContentRules
-
- ( 2.5.21.2 NAME 'dITContentRules'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.16 USAGE directoryOperation )
-
-6. Syntaxes
-
- Servers SHOULD recognize all the syntaxes described in this section.
-
-6.1. Attribute Type Description
-
- ( 1.3.6.1.4.1.1466.115.121.1.3 DESC 'Attribute Type Description' )
-
- Values in this syntax are encoded according to the BNF given at the
- start of section 4.2. For example,
-
- ( 2.5.4.0 NAME 'objectClass'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
-6.2. Binary
-
- ( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' )
-
- Values in this syntax are encoded as described in section 4.3.1.
-
-6.3. Bit String
-
- ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )
-
- Values in this syntax are encoded according to the following BNF:
-
- bitstring = "'" *binary-digit "'B"
-
- binary-digit = "0" / "1"
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 16]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- Example:
-
- '0101111101'B
-
-6.4. Boolean
-
- ( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )
-
- Values in this syntax are encoded according to the following BNF:
-
- boolean = "TRUE" / "FALSE"
-
- Boolean values have an encoding of "TRUE" if they are logically true,
- and have an encoding of "FALSE" otherwise.
-
-6.5. Certificate
-
- ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' )
-
- Because of the changes from X.509(1988) and X.509(1993) and
- additional changes to the ASN.1 definition to support certificate
- extensions, no string representation is defined, and values in this
- syntax MUST only be transferred using the binary encoding, by
- requesting or returning the attributes with descriptions
- "userCertificate;binary" or "caCertificate;binary". The BNF notation
- in RFC 1778 for "User Certificate" is not recommended to be used.
-
-6.6. Certificate List
-
- ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' )
-
- Because of the incompatibility of the X.509(1988) and X.509(1993)
- definitions of revocation lists, values in this syntax MUST only be
- transferred using a binary encoding, by requesting or returning the
- attributes with descriptions "certificateRevocationList;binary" or
- "authorityRevocationList;binary". The BNF notation in RFC 1778 for
- "Authority Revocation List" is not recommended to be used.
-
-6.7. Certificate Pair
-
- ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' )
-
- Because the Certificate is being carried in binary, values in this
- syntax MUST only be transferred using a binary encoding, by
- requesting or returning the attribute description
- "crossCertificatePair;binary". The BNF notation in RFC 1778 for
- "Certificate Pair" is not recommended to be used.
-
-
-
-
-Wahl, et. al. Standards Track [Page 17]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-6.8. Country String
-
- ( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )
-
- A value in this syntax is encoded the same as a value of Directory
- String syntax. Note that this syntax is limited to values of exactly
- two printable string characters, as listed in ISO 3166 [14].
-
- CountryString = p p
-
- Example:
- US
-
-6.9. DN
-
- ( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'DN' )
-
- Values in the Distinguished Name syntax are encoded to have the
- representation defined in [5]. Note that this representation is not
- reversible to an ASN.1 encoding used in X.500 for Distinguished
- Names, as the CHOICE of any DirectoryString element in an RDN is no
- longer known.
-
- Examples (from [5]):
- CN=Steve Kille,O=Isode Limited,C=GB
- OU=Sales+CN=J. Smith,O=Widget Inc.,C=US
- CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB
- CN=Before\0DAfter,O=Test,C=GB
- 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB
- SN=Lu\C4\8Di\C4\87
-
-6.10. Directory String
-
- ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )
-
- A string in this syntax is encoded in the UTF-8 form of ISO 10646 (a
- superset of Unicode). Servers and clients MUST be prepared to
- receive encodings of arbitrary Unicode characters, including
- characters not presently assigned to any character set.
-
- For characters in the PrintableString form, the value is encoded as
- the string value itself.
-
- If it is of the TeletexString form, then the characters are
- transliterated to their equivalents in UniversalString, and encoded
- in UTF-8 [9].
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 18]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- If it is of the UniversalString or BMPString forms [10], UTF-8 is
- used to encode them.
-
- Note: the form of DirectoryString is not indicated in protocol unless
- the attribute value is carried in binary. Servers which convert to
- DAP MUST choose an appropriate form. Servers MUST NOT reject values
- merely because they contain legal Unicode characters outside of the
- range of printable ASCII.
-
- Example:
-
- This is a string of DirectoryString containing #!%#@
-
-6.11. DIT Content Rule Description
-
- ( 1.3.6.1.4.1.1466.115.121.1.16 DESC 'DIT Content Rule Description' )
-
- Values in this syntax are encoded according to the following BNF.
- Implementors should note that future versions of this document may
- have expanded this BNF to include additional terms.
-
-
- DITContentRuleDescription = "("
- numericoid ; Structural ObjectClass identifier
- [ "NAME" qdescrs ]
- [ "DESC" qdstring ]
- [ "OBSOLETE" ]
- [ "AUX" oids ] ; Auxiliary ObjectClasses
- [ "MUST" oids ] ; AttributeType identifiers
- [ "MAY" oids ] ; AttributeType identifiers
- [ "NOT" oids ] ; AttributeType identifiers
- ")"
-
-6.12. Facsimile Telephone Number
-
-
- ( 1.3.6.1.4.1.1466.115.121.1.22 DESC 'Facsimile Telephone Number' )
-
- Values in this syntax are encoded according to the following BNF:
-
- fax-number = printablestring [ "$" faxparameters ]
-
- faxparameters = faxparm / ( faxparm "$" faxparameters )
-
- faxparm = "twoDimensional" / "fineResolution" /
- "unlimitedLength" /
- "b4Length" / "a3Width" / "b4Width" / "uncompressed"
-
-
-
-
-Wahl, et. al. Standards Track [Page 19]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- In the above, the first printablestring is the telephone number,
- based on E.123 [15], and the faxparm tokens represent fax parameters.
-
-6.13. Fax
-
- ( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' )
-
- Values in this syntax are encoded as if they were octet strings
- containing Group 3 Fax images as defined in [7].
-
-6.14. Generalized Time
-
- ( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'Generalized Time' )
-
- Values in this syntax are encoded as printable strings, represented
- as specified in X.208. Note that the time zone must be specified.
- It is strongly recommended that GMT time be used. For example,
-
- 199412161032Z
-
-6.15. IA5 String
-
- ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' )
-
- The encoding of a value in this syntax is the string value itself.
-
-6.16. INTEGER
-
- ( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'INTEGER' )
-
- Values in this syntax are encoded as the decimal representation of
- their values, with each decimal digit represented by the its
- character equivalent. So the number 1321 is represented by the
- character string "1321".
-
-6.17. JPEG
-
- ( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' )
-
- Values in this syntax are encoded as strings containing JPEG images
- in the JPEG File Interchange Format (JFIF), as described in [8].
-
-6.18. Matching Rule Description
-
- ( 1.3.6.1.4.1.1466.115.121.1.30 DESC 'Matching Rule Description' )
-
- Values of type matchingRules are encoded as strings according to the
- BNF given in section 4.5.
-
-
-
-Wahl, et. al. Standards Track [Page 20]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-6.19. Matching Rule Use Description
-
- ( 1.3.6.1.4.1.1466.115.121.1.31 DESC 'Matching Rule Use Description'
- )
-
- Values of type matchingRuleUse are encoded as strings according to
- the BNF given in section 4.5.
-
-6.20. MHS OR Address
-
- ( 1.3.6.1.4.1.1466.115.121.1.33 DESC 'MHS OR Address' )
-
- Values in this syntax are encoded as strings, according to the format
- defined in [11].
-
-6.21. Name And Optional UID
-
- ( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )
-
- Values in this syntax are encoded according to the following BNF:
-
- NameAndOptionalUID = DistinguishedName [ "#" bitstring ]
-
- Although the '#' character may occur in a string representation of a
- distinguished name, no additional special quoting is done. This
- syntax has been added subsequent to RFC 1778.
-
- Example:
-
- 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB#'0101'B
-
-6.22. Name Form Description
-
- ( 1.3.6.1.4.1.1466.115.121.1.35 DESC 'Name Form Description' )
-
- Values in this syntax are encoded according to the following BNF.
- Implementors should note that future versions of this document may
- have expanded this BNF to include additional terms.
-
- NameFormDescription = "(" whsp
- numericoid whsp ; NameForm identifier
- [ "NAME" qdescrs ]
- [ "DESC" qdstring ]
- [ "OBSOLETE" whsp ]
- "OC" woid ; Structural ObjectClass
- "MUST" oids ; AttributeTypes
- [ "MAY" oids ] ; AttributeTypes
- whsp ")"
-
-
-
-Wahl, et. al. Standards Track [Page 21]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-6.23. Numeric String
-
- ( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )
-
- The encoding of a string in this syntax is the string value itself.
- Example:
-
- 1997
-
-6.24. Object Class Description
-
- ( 1.3.6.1.4.1.1466.115.121.1.37 DESC 'Object Class Description' )
-
- Values in this syntax are encoded according to the BNF in section
- 4.4.
-
-6.25. OID
-
- ( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' )
-
- Values in the Object Identifier syntax are encoded according to
- the BNF in section 4.1 for "oid".
-
- Example:
-
- 1.2.3.4
- cn
-
-6.26. Other Mailbox
-
- ( 1.3.6.1.4.1.1466.115.121.1.39 DESC 'Other Mailbox' )
-
- Values in this syntax are encoded according to the following BNF:
-
- otherMailbox = mailbox-type "$" mailbox
-
- mailbox-type = printablestring
-
- mailbox = <an encoded IA5 String>
-
- In the above, mailbox-type represents the type of mail system in
- which the mailbox resides, for example "MCIMail"; and mailbox is the
- actual mailbox in the mail system defined by mailbox-type.
-
-6.27. Postal Address
-
- ( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )
-
-
-
-
-Wahl, et. al. Standards Track [Page 22]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- Values in this syntax are encoded according to the following BNF:
-
- postal-address = dstring *( "$" dstring )
-
- In the above, each dstring component of a postal address value is
- encoded as a value of type Directory String syntax. Backslashes and
- dollar characters, if they occur in the component, are quoted as
- described in section 4.3. Many servers limit the postal address to
- six lines of up to thirty characters.
-
- Example:
-
- 1234 Main St.$Anytown, CA 12345$USA
- \241,000,000 Sweepstakes$PO Box 1000000$Anytown, CA 12345$USA
-
-6.28. Presentation Address
-
- ( 1.3.6.1.4.1.1466.115.121.1.43 DESC 'Presentation Address' )
-
- Values in this syntax are encoded with the representation described
- in RFC 1278 [6].
-
-6.29. Printable String
-
- ( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' )
-
- The encoding of a value in this syntax is the string value itself.
- PrintableString is limited to the characters in production p of
- section 4.1.
-
- Example:
-
- This is a PrintableString
-
-6.30. Telephone Number
-
- ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' )
-
- Values in this syntax are encoded as if they were Printable String
- types. Telephone numbers are recommended in X.520 to be in
- international form, as described in E.123 [15].
-
- Example:
-
- +1 512 305 0280
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 23]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-6.31. UTC Time
-
- ( 1.3.6.1.4.1.1466.115.121.1.53 DESC 'UTC Time' )
-
- Values in this syntax are encoded as if they were printable strings
- with the strings containing a UTCTime value. This is historical; new
- attribute definitions SHOULD use GeneralizedTime instead.
-
-6.32. LDAP Syntax Description
-
- ( 1.3.6.1.4.1.1466.115.121.1.54 DESC 'LDAP Syntax Description' )
-
- Values in this syntax are encoded according to the BNF in section
- 4.3.3.
-
-6.33. DIT Structure Rule Description
-
- ( 1.3.6.1.4.1.1466.115.121.1.17 DESC 'DIT Structure Rule Description'
- )
-
- Values with this syntax are encoded according to the following BNF:
-
- DITStructureRuleDescription = "(" whsp
- ruleidentifier whsp ; DITStructureRule identifier
- [ "NAME" qdescrs ]
- [ "DESC" qdstring ]
- [ "OBSOLETE" whsp ]
- "FORM" woid whsp ; NameForm
- [ "SUP" ruleidentifiers whsp ] ; superior DITStructureRules
- ")"
-
- ruleidentifier = integer
-
- ruleidentifiers = ruleidentifier |
- "(" whsp ruleidentifierlist whsp ")"
-
- ruleidentifierlist = [ ruleidentifier *( ruleidentifier ) ]
-
-7. Object Classes
-
- Servers SHOULD recognize all the names of standard classes from
- section 7 of [12].
-
-7.1. Extensible Object Class
-
- The extensibleObject object class, if present in an entry, permits
- that entry to optionally hold any attribute. The MAY attribute list
- of this class is implicitly the set of all attributes.
-
-
-
-Wahl, et. al. Standards Track [Page 24]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
- SUP top AUXILIARY )
-
- The mandatory attributes of the other object classes of this entry
- are still required to be present.
-
- Note that not all servers will implement this object class, and those
- which do not will reject requests to add entries which contain this
- object class, or modify an entry to add this object class.
-
-7.2. subschema
-
- This object class is used in the subschema entry.
-
- ( 2.5.20.1 NAME 'subschema' AUXILIARY
- MAY ( dITStructureRules $ nameForms $ ditContentRules $
- objectClasses $ attributeTypes $ matchingRules $
- matchingRuleUse ) )
-
- The ldapSyntaxes operational attribute may also be present in
- subschema entries.
-
-8. Matching Rules
-
- Servers which implement the extensibleMatch filter SHOULD allow all
- the matching rules listed in this section to be used in the
- extensibleMatch. In general these servers SHOULD allow matching
- rules to be used with all attribute types known to the server, when
- the assertion syntax of the matching rule is the same as the value
- syntax of the attribute.
-
- Servers MAY implement additional matching rules.
-
-8.1. Matching Rules used in Equality Filters
-
- Servers SHOULD be capable of performing the following matching rules.
-
- For all these rules, the assertion syntax is the same as the value
- syntax.
-
- ( 2.5.13.0 NAME 'objectIdentifierMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
- If the client supplies a filter using an objectIdentifierMatch whose
- matchValue oid is in the "descr" form, and the oid is not recognized
- by the server, then the filter is Undefined.
-
- ( 2.5.13.1 NAME 'distinguishedNameMatch'
-
-
-
-Wahl, et. al. Standards Track [Page 25]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
- ( 2.5.13.2 NAME 'caseIgnoreMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- ( 2.5.13.8 NAME 'numericStringMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
-
- ( 2.5.13.11 NAME 'caseIgnoreListMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-
- ( 2.5.13.14 NAME 'integerMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- ( 2.5.13.16 NAME 'bitStringMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
-
- ( 2.5.13.20 NAME 'telephoneNumberMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
- ( 2.5.13.22 NAME 'presentationAddressMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 )
-
- ( 2.5.13.23 NAME 'uniqueMemberMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
-
- ( 2.5.13.24 NAME 'protocolInformationMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
-
- ( 2.5.13.27 NAME 'generalizedTimeMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- When performing the caseIgnoreMatch, caseIgnoreListMatch,
- telephoneNumberMatch, caseExactIA5Match and caseIgnoreIA5Match,
- multiple adjoining whitespace characters are treated the same as an
- individual space, and leading and trailing whitespace is ignored.
-
- Clients MUST NOT assume that servers are capable of transliteration
- of Unicode values.
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 26]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-8.2. Matching Rules used in Inequality Filters
-
- Servers SHOULD be capable of performing the following matching rules,
- which are used in greaterOrEqual and lessOrEqual filters.
-
- ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- The sort ordering for a caseIgnoreOrderingMatch is implementation-
- dependent.
-
-8.3. Syntax and Matching Rules used in Substring Filters
-
- The Substring Assertion syntax is used only as the syntax of
- assertion values in the extensible match. It is not used as the
- syntax of attributes, or in the substring filter.
-
- ( 1.3.6.1.4.1.1466.115.121.1.58 DESC 'Substring Assertion' )
-
- The Substring Assertion is encoded according to the following BNF:
-
- substring = [initial] any [final]
- initial = value
- any = "*" *(value "*")
- final = value
-
- The <value> production is UTF-8 encoded string. Should the backslash
- or asterix characters be present in a production of <value>, they are
- quoted as described in section 4.3.
-
- Servers SHOULD be capable of performing the following matching rules,
- which are used in substring filters.
-
- ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
- ( 2.5.13.21 NAME 'telephoneNumberSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
- ( 2.5.13.10 NAME 'numericStringSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 27]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-8.4. Matching Rules for Subschema Attributes
-
- Servers which allow subschema entries to be modified by clients MUST
- support the following matching rules, as they are the equality
- matching rules for several of the subschema attributes.
-
- ( 2.5.13.29 NAME 'integerFirstComponentMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
- Implementors should note that the assertion syntax of these matching
- rules, an INTEGER or OID, is different from the value syntax of
- attributes for which this is the equality matching rule.
-
- If the client supplies an extensible filter using an
- objectIdentifierFirstComponentMatch whose matchValue is in the
- "descr" form, and the OID is not recognized by the server, then the
- filter is Undefined.
-
-9. Security Considerations
-
-9.1. Disclosure
-
- Attributes of directory entries are used to provide descriptive
- information about the real-world objects they represent, which can be
- people, organizations or devices. Most countries have privacy laws
- regarding the publication of information about people.
-
-9.2. Use of Attribute Values in Security Applications
-
- The transformations of an AttributeValue value from its X.501 form to
- an LDAP string representation are not always reversible back to the
- same BER or DER form. An example of a situation which requires the
- DER form of a distinguished name is the verification of an X.509
- certificate.
-
- For example, a distinguished name consisting of one RDN with one AVA,
- in which the type is commonName and the value is of the TeletexString
- choice with the letters 'Sam' would be represented in LDAP as the
- string CN=Sam. Another distinguished name in which the value is
- still 'Sam' but of the PrintableString choice would have the same
- representation CN=Sam.
-
- Applications which require the reconstruction of the DER form of the
- value SHOULD NOT use the string representation of attribute syntaxes
- when converting a value to LDAP format. Instead it SHOULD use the
-
-
-
-Wahl, et. al. Standards Track [Page 28]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
- Binary syntax.
-
-10. Acknowledgements
-
- This document is based substantially on RFC 1778, written by Tim
- Howes, Steve Kille, Wengyik Yeong and Colin Robbins.
-
- Many of the attribute syntax encodings defined in this and related
- documents are adapted from those used in the QUIPU and the IC R3
- X.500 implementations. The contributions of the authors of both these
- implementations in the specification of syntaxes are gratefully
- acknowledged.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 29]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-11. Authors' Addresses
-
- Mark Wahl
- Critical Angle Inc.
- 4815 West Braker Lane #502-385
- Austin, TX 78759
- USA
-
- Phone: +1 512 372-3160
- EMail: M.Wahl@critical-angle.com
-
- Andy Coulbeck
- Isode Inc.
- 9390 Research Blvd Suite 305
- Austin, TX 78759
- USA
-
- Phone: +1 512 231-8993
- EMail: A.Coulbeck@isode.com
-
- Tim Howes
- Netscape Communications Corp.
- 501 E. Middlefield Rd, MS MV068
- Mountain View, CA 94043
- USA
-
- Phone: +1 650 937-3419
- EMail: howes@netscape.com
-
- Steve Kille
- Isode Limited
- The Dome, The Square
- Richmond
- TW9 1DT
- UK
-
- Phone: +44-181-332-9091
- EMail: S.Kille@isode.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 30]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-12. Bibliography
-
- [1] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, December 1997.
-
- [2] The Directory: Selected Attribute Types. ITU-T Recommendation
- X.520, 1993.
-
- [3] The Directory: Models. ITU-T Recommendation X.501, 1993.
-
- [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", RFC 2119, March 1997.
-
- [5] Wahl, M., Kille, S., and T. Howes, "Lightweight Directory Access
- Protocol (v3): UTF-8 String Representation of
- Distinguished Names", RFC 2253, December 1997.
-
- [6] Kille, S., "A String Representation for Presentation Addresses",
- RFC 1278, November 1991.
-
- [7] Terminal Equipment and Protocols for Telematic Services -
- Standardization of Group 3 facsimile apparatus for document
- transmission. CCITT, Recommendation T.4.
-
- [8] JPEG File Interchange Format (Version 1.02). Eric Hamilton,
- C-Cube Microsystems, Milpitas, CA, September 1, 1992.
-
- [9] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
- 10646", RFC 2044, October 1996.
-
- [10] Universal Multiple-Octet Coded Character Set (UCS) -
- Architecture and Basic Multilingual Plane, ISO/IEC 10646-1 :
- 1993 (With amendments).
-
- [11] Hardcastle-Kille, S., "Mapping between X.400(1988) / ISO 10021
- and RFC 822", RFC 1327, May 1992.
-
- [12] Wahl, M., "A Summary of the X.500(96) User Schema for use
- with LDAPv3", RFC 2256, December 1997.
-
- [13] Crocker, D., "Standard of the Format of ARPA-Internet Text
- Messages", STD 11, RFC 822, August 1982.
-
- [14] ISO 3166, "Codes for the representation of names of countries".
-
- [15] ITU-T Rec. E.123, Notation for national and international
- telephone numbers, 1988.
-
-
-
-
-Wahl, et. al. Standards Track [Page 31]
-
-RFC 2252 LADPv3 Attributes December 1997
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl, et. al. Standards Track [Page 32]
-
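Review bot: deleting the rest of rfc2252.txt also drops the one security-relevant passage in the file, section 9.2 "Use of Attribute Values in Security Applications" (the lines from "The transformations of an AttributeValue value from its X.501 form" to "Binary syntax."), which records that the LDAP string form of a value is not reversible to the same BER/DER encoding and that anything needing DER, such as X.509 certificate verification, must use the Binary syntax rather than the string representation. The same hunk removes matching-rule semantics a server has to honour when it evaluates filters: for caseIgnoreMatch, caseIgnoreListMatch, telephoneNumberMatch, caseExactIA5Match and caseIgnoreIA5Match "multiple adjoining whitespace characters are treated the same as an individual space, and leading and trailing whitespace is ignored", and an objectIdentifierMatch or objectIdentifierFirstComponentMatch whose "descr" value the server does not recognise makes the filter Undefined, not false. Removing the local copy is fine provided the successor document is reachable from the devdocs index; make sure the pointer kept there carries a title and not only a number, and grep the ldap_server sources for "2252" section references in comments so they are retargeted rather than left dangling.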
diff --git a/source4/ldap_server/devdocs/rfc2253.txt b/source4/ldap_server/devdocs/rfc2253.txt
deleted file mode 100644
index a7439eed77..0000000000
--- a/source4/ldap_server/devdocs/rfc2253.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Wahl
-Request for Comments: 2253 Critical Angle Inc.
-Obsoletes: 1779 S. Kille
-Category: Standards Track Isode Ltd.
- T. Howes
- Netscape Communications Corp.
- December 1997
-
-
- Lightweight Directory Access Protocol (v3):
- UTF-8 String Representation of Distinguished Names
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
-IESG Note
-
- This document describes a directory access protocol that provides
- both read and update access. Update access requires secure
- authentication, but this document does not mandate implementation of
- any satisfactory authentication mechanisms.
-
- In accordance with RFC 2026, section 4.4.1, this specification is
- being approved by IESG as a Proposed Standard despite this
- limitation, for the following reasons:
-
- a. to encourage implementation and interoperability testing of
- these protocols (with or without update access) before they
- are deployed, and
-
- b. to encourage deployment and use of these protocols in read-only
- applications. (e.g. applications where LDAPv3 is used as
- a query language for directories which are updated by some
- secure mechanism other than LDAP), and
-
- c. to avoid delaying the advancement and deployment of other Internet
- standards-track protocols which require the ability to query, but
- not update, LDAPv3 directory servers.
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 1]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
- Readers are hereby warned that until mandatory authentication
- mechanisms are standardized, clients and servers written according to
- this specification which make use of update functionality are
- UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
- IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
-
- Implementors are hereby discouraged from deploying LDAPv3 clients or
- servers which implement the update functionality, until a Proposed
- Standard for mandatory authentication in LDAPv3 has been approved and
- published as an RFC.
-
-Abstract
-
- The X.500 Directory uses distinguished names as the primary keys to
- entries in the directory. Distinguished Names are encoded in ASN.1
- in the X.500 Directory protocols. In the Lightweight Directory
- Access Protocol, a string representation of distinguished names is
- transferred. This specification defines the string format for
- representing names, which is designed to give a clean representation
- of commonly used distinguished names, while being able to represent
- any distinguished name.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [6].
-
-1. Background
-
- This specification assumes familiarity with X.500 [1], and the
- concept of Distinguished Name. It is important to have a common
- format to be able to unambiguously represent a distinguished name.
- The primary goal of this specification is ease of encoding and
- decoding. A secondary goal is to have names that are human readable.
- It is not expected that LDAP clients with a human user interface
- would display these strings directly to the user, but would most
- likely be performing translations (such as expressing attribute type
- names in one of the local national languages).
-
-2. Converting DistinguishedName from ASN.1 to a String
-
- In X.501 [2] the ASN.1 structure of distinguished name is defined as:
-
- DistinguishedName ::= RDNSequence
-
- RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-
-
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 2]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
- RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
- AttributeTypeAndValue
-
- AttributeTypeAndValue ::= SEQUENCE {
- type AttributeType,
- value AttributeValue }
-
- The following sections define the algorithm for converting from an
- ASN.1 structured representation to a UTF-8 string representation.
-
-2.1. Converting the RDNSequence
-
- If the RDNSequence is an empty sequence, the result is the empty or
- zero length string.
-
- Otherwise, the output consists of the string encodings of each
- RelativeDistinguishedName in the RDNSequence (according to 2.2),
- starting with the last element of the sequence and moving backwards
- toward the first.
-
- The encodings of adjoining RelativeDistinguishedNames are separated
- by a comma character (',' ASCII 44).
-
-2.2. Converting RelativeDistinguishedName
-
- When converting from an ASN.1 RelativeDistinguishedName to a string,
- the output consists of the string encodings of each
- AttributeTypeAndValue (according to 2.3), in any order.
-
- Where there is a multi-valued RDN, the outputs from adjoining
- AttributeTypeAndValues are separated by a plus ('+' ASCII 43)
- character.
-
-2.3. Converting AttributeTypeAndValue
-
- The AttributeTypeAndValue is encoded as the string representation of
- the AttributeType, followed by an equals character ('=' ASCII 61),
- followed by the string representation of the AttributeValue. The
- encoding of the AttributeValue is given in section 2.4.
-
- If the AttributeType is in a published table of attribute types
- associated with LDAP [4], then the type name string from that table
- is used, otherwise it is encoded as the dotted-decimal encoding of
- the AttributeType's OBJECT IDENTIFIER. The dotted-decimal notation is
- described in [3]. As an example, strings for a few of the attribute
- types frequently seen in RDNs include:
-
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 3]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
- String X.500 AttributeType
- ------------------------------
- CN commonName
- L localityName
- ST stateOrProvinceName
- O organizationName
- OU organizationalUnitName
- C countryName
- STREET streetAddress
- DC domainComponent
- UID userid
-
-2.4. Converting an AttributeValue from ASN.1 to a String
-
- If the AttributeValue is of a type which does not have a string
- representation defined for it, then it is simply encoded as an
- octothorpe character ('#' ASCII 35) followed by the hexadecimal
- representation of each of the bytes of the BER encoding of the X.500
- AttributeValue. This form SHOULD be used if the AttributeType is of
- the dotted-decimal form.
-
- Otherwise, if the AttributeValue is of a type which has a string
- representation, the value is converted first to a UTF-8 string
- according to its syntax specification (see for example section 6 of
- [4]).
-
- If the UTF-8 string does not have any of the following characters
- which need escaping, then that string can be used as the string
- representation of the value.
-
- o a space or "#" character occurring at the beginning of the
- string
-
- o a space character occurring at the end of the string
-
- o one of the characters ",", "+", """, "\", "<", ">" or ";"
-
- Implementations MAY escape other characters.
-
- If a character to be escaped is one of the list shown above, then it
- is prefixed by a backslash ('\' ASCII 92).
-
- Otherwise the character to be escaped is replaced by a backslash and
- two hex digits, which form a single byte in the code of the
- character.
-
- Examples of the escaping mechanism are shown in section 5.
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 4]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
-3. Parsing a String back to a Distinguished Name
-
- The structure of the string is specified in a BNF grammar, based on
- the grammar defined in RFC 822 [5]. Server implementations parsing a
- DN string generated by an LDAPv2 client MUST also accept (and ignore)
- the variants given in section 4 of this document.
-
-distinguishedName = [name] ; may be empty string
-
-name = name-component *("," name-component)
-
-name-component = attributeTypeAndValue *("+" attributeTypeAndValue)
-
-attributeTypeAndValue = attributeType "=" attributeValue
-
-attributeType = (ALPHA 1*keychar) / oid
-keychar = ALPHA / DIGIT / "-"
-
-oid = 1*DIGIT *("." 1*DIGIT)
-
-attributeValue = string
-
-string = *( stringchar / pair )
- / "#" hexstring
- / QUOTATION *( quotechar / pair ) QUOTATION ; only from v2
-
-quotechar = <any character except "\" or QUOTATION >
-
-special = "," / "=" / "+" / "<" / ">" / "#" / ";"
-
-pair = "\" ( special / "\" / QUOTATION / hexpair )
-stringchar = <any character except one of special, "\" or QUOTATION >
-
-hexstring = 1*hexpair
-hexpair = hexchar hexchar
-
-hexchar = DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
- / "a" / "b" / "c" / "d" / "e" / "f"
-
-ALPHA = <any ASCII alphabetic character>
- ; (decimal 65-90 and 97-122)
-DIGIT = <any ASCII decimal digit> ; (decimal 48-57)
-QUOTATION = <the ASCII double quotation mark character '"' decimal 34>
-
-
-
-
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 5]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
-4. Relationship with RFC 1779 and LDAPv2
-
- The syntax given in this document is more restrictive than the syntax
- in RFC 1779. Implementations parsing a string generated by an LDAPv2
- client MUST accept the syntax of RFC 1779. Implementations MUST NOT,
- however, generate any of the RFC 1779 encodings which are not
- described above in section 2.
-
- Implementations MUST allow a semicolon character to be used instead
- of a comma to separate RDNs in a distinguished name, and MUST also
- allow whitespace characters to be present on either side of the comma
- or semicolon. The whitespace characters are ignored, and the
- semicolon replaced with a comma.
-
- Implementations MUST allow an oid in the attribute type to be
- prefixed by one of the character strings "oid." or "OID.".
-
- Implementations MUST allow for space (' ' ASCII 32) characters to be
- present between name-component and ',', between attributeTypeAndValue
- and '+', between attributeType and '=', and between '=' and
- attributeValue. These space characters are ignored when parsing.
-
- Implementations MUST allow a value to be surrounded by quote ('"'
- ASCII 34) characters, which are not part of the value. Inside the
- quoted value, the following characters can occur without any
- escaping:
-
- ",", "=", "+", "<", ">", "#" and ";"
-
-5. Examples
-
- This notation is designed to be convenient for common forms of name.
- This section gives a few examples of distinguished names written
- using this notation. First is a name containing three relative
- distinguished names (RDNs):
-
- CN=Steve Kille,O=Isode Limited,C=GB
-
- Here is an example name containing three RDNs, in which the first RDN
- is multi-valued:
-
- OU=Sales+CN=J. Smith,O=Widget Inc.,C=US
-
- This example shows the method of quoting of a comma in an
- organization name:
-
- CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 6]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
- An example name in which a value contains a carriage return
- character:
-
- CN=Before\0DAfter,O=Test,C=GB
-
- An example name in which an RDN was of an unrecognized type. The
- value is the BER encoding of an OCTET STRING containing two bytes
- 0x48 and 0x69.
-
- 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB
-
- Finally, an example of an RDN surname value consisting of 5 letters:
-
- Unicode Letter Description 10646 code UTF-8 Quoted
- =============================== ========== ====== =======
- LATIN CAPITAL LETTER L U0000004C 0x4C L
- LATIN SMALL LETTER U U00000075 0x75 u
- LATIN SMALL LETTER C WITH CARON U0000010D 0xC48D \C4\8D
- LATIN SMALL LETTER I U00000069 0x69 i
- LATIN SMALL LETTER C WITH ACUTE U00000107 0xC487 \C4\87
-
- Could be written in printable ASCII (useful for debugging purposes):
-
- SN=Lu\C4\8Di\C4\87
-
-6. References
-
- [1] The Directory -- overview of concepts, models and services.
- ITU-T Rec. X.500(1993).
-
- [2] The Directory -- Models. ITU-T Rec. X.501(1993).
-
- [3] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory
- Access Protocol (v3)", RFC 2251, December 1997.
-
- [4] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight
- Directory Access Protocol (v3): Attribute Syntax Definitions",
- RFC 2252, December 1997.
-
- [5] Crocker, D., "Standard of the Format of ARPA-Internet Text
- Messages", STD 11, RFC 822, August 1982.
-
- [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", RFC 2119.
-
-
-
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 7]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
-7. Security Considerations
-
-7.1. Disclosure
-
- Distinguished Names typically consist of descriptive information
- about the entries they name, which can be people, organizations,
- devices or other real-world objects. This frequently includes some
- of the following kinds of information:
-
- - the common name of the object (i.e. a person's full name)
- - an email or TCP/IP address
- - its physical location (country, locality, city, street address)
- - organizational attributes (such as department name or affiliation)
-
- Most countries have privacy laws regarding the publication of
- information about people.
-
-7.2. Use of Distinguished Names in Security Applications
-
- The transformations of an AttributeValue value from its X.501 form to
- an LDAP string representation are not always reversible back to the
- same BER or DER form. An example of a situation which requires the
- DER form of a distinguished name is the verification of an X.509
- certificate.
-
- For example, a distinguished name consisting of one RDN with one AVA,
- in which the type is commonName and the value is of the TeletexString
- choice with the letters 'Sam' would be represented in LDAP as the
- string CN=Sam. Another distinguished name in which the value is
- still 'Sam' but of the PrintableString choice would have the same
- representation CN=Sam.
-
- Applications which require the reconstruction of the DER form of the
- value SHOULD NOT use the string representation of attribute syntaxes
- when converting a distinguished name to the LDAP format. Instead,
- they SHOULD use the hexadecimal form prefixed by the octothorpe ('#')
- as described in the first paragraph of section 2.4.
-
-8. Authors' Addresses
-
- Mark Wahl
- Critical Angle Inc.
- 4815 W. Braker Lane #502-385
- Austin, TX 78759
- USA
-
- EMail: M.Wahl@critical-angle.com
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 8]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
- Steve Kille
- Isode Ltd.
- The Dome
- The Square
- Richmond, Surrey
- TW9 1DT
- England
-
- Phone: +44-181-332-9091
- EMail: S.Kille@ISODE.COM
-
-
- Tim Howes
- Netscape Communications Corp.
- 501 E. Middlefield Rd, MS MV068
- Mountain View, CA 94043
- USA
-
- Phone: +1 650 937-3419
- EMail: howes@netscape.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 9]
-
-RFC 2253 LADPv3 Distinguished Names December 1997
-
-
-9. Full Copyright Statement
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl, et. al. Proposed Standard [Page 10]
-
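Review bot: with rfc2253.txt gone, the tree no longer carries the DN string rules the server's DN parser must implement, and several of them are security-relevant. Section 2.4 requires escaping of a leading space or "#", a trailing space, and any of ",", "+", """, "\", "<", ">" or ";", and in the section 3 grammar an unescaped "," or "+" is an RDN or AVA separator, so a value that is not escaped changes the structure of the name. Section 4 lists LDAPv2 forms a server MUST still accept (";" as separator, whitespace around separators, "oid."/"OID." prefixes, and quoted values in which ",", "=", "+", "<", ">", "#" and ";" appear unescaped), which is extra parser surface that is easy to get wrong. Section 7.2 notes that a DN needed in DER for X.509 verification should be carried in the "#" hex form of section 2.4 rather than as a string, because a TeletexString "Sam" and a PrintableString "Sam" both flatten to CN=Sam. Before this lands, confirm the successor reference is recorded in the devdocs index with a title, and update any comments in the DN parsing code that cite RFC 2253 section numbers.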
diff --git a/source4/ldap_server/devdocs/rfc2254.txt b/source4/ldap_server/devdocs/rfc2254.txt
deleted file mode 100644
index 323fdb00b7..0000000000
--- a/source4/ldap_server/devdocs/rfc2254.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group T. Howes
-Request for Comments: 2254 Netscape Communications Corp.
-Category: Standards Track December 1997
-
-
- The String Representation of LDAP Search Filters
-
-1. Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
-IESG Note
-
- This document describes a directory access protocol that provides
- both read and update access. Update access requires secure
- authentication, but this document does not mandate implementation of
- any satisfactory authentication mechanisms.
-
- In accordance with RFC 2026, section 4.4.1, this specification is
- being approved by IESG as a Proposed Standard despite this
- limitation, for the following reasons:
-
- a. to encourage implementation and interoperability testing of
- these protocols (with or without update access) before they
- are deployed, and
-
- b. to encourage deployment and use of these protocols in read-only
- applications. (e.g. applications where LDAPv3 is used as
- a query language for directories which are updated by some
- secure mechanism other than LDAP), and
-
- c. to avoid delaying the advancement and deployment of other Internet
- standards-track protocols which require the ability to query, but
- not update, LDAPv3 directory servers.
-
-
-
-
-
-
-
-
-
-Howes Standards Track [Page 1]
-
-RFC 2254 String Representation of LDAP December 1997
-
-
- Readers are hereby warned that until mandatory authentication
- mechanisms are standardized, clients and servers written according to
- this specification which make use of update functionality are
- UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
- IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
-
- Implementors are hereby discouraged from deploying LDAPv3 clients or
- servers which implement the update functionality, until a Proposed
- Standard for mandatory authentication in LDAPv3 has been approved and
- published as an RFC.
-
-2. Abstract
-
- The Lightweight Directory Access Protocol (LDAP) [1] defines a
- network representation of a search filter transmitted to an LDAP
- server. Some applications may find it useful to have a common way of
- representing these search filters in a human-readable form. This
- document defines a human-readable string format for representing LDAP
- search filters.
-
- This document replaces RFC 1960, extending the string LDAP filter
- definition to include support for LDAP version 3 extended match
- filters, and including support for representing the full range of
- possible LDAP search filters.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howes Standards Track [Page 2]
-
-RFC 2254 String Representation of LDAP December 1997
-
-
-3. LDAP Search Filter Definition
-
- An LDAPv3 search filter is defined in Section 4.5.1 of [1] as
- follows:
-
- Filter ::= CHOICE {
- and [0] SET OF Filter,
- or [1] SET OF Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeDescription,
- approxMatch [8] AttributeValueAssertion,
- extensibleMatch [9] MatchingRuleAssertion
- }
-
- SubstringFilter ::= SEQUENCE {
- type AttributeDescription,
- SEQUENCE OF CHOICE {
- initial [0] LDAPString,
- any [1] LDAPString,
- final [2] LDAPString
- }
- }
-
- AttributeValueAssertion ::= SEQUENCE {
- attributeDesc AttributeDescription,
- attributeValue AttributeValue
- }
-
- MatchingRuleAssertion ::= SEQUENCE {
- matchingRule [1] MatchingRuleID OPTIONAL,
- type [2] AttributeDescription OPTIONAL,
- matchValue [3] AssertionValue,
- dnAttributes [4] BOOLEAN DEFAULT FALSE
- }
-
- AttributeDescription ::= LDAPString
-
- AttributeValue ::= OCTET STRING
-
- MatchingRuleID ::= LDAPString
-
- AssertionValue ::= OCTET STRING
-
- LDAPString ::= OCTET STRING
-
-
-
-Howes Standards Track [Page 3]
-
-RFC 2254 String Representation of LDAP December 1997
-
-
- where the LDAPString above is limited to the UTF-8 encoding of the
- ISO 10646 character set [4]. The AttributeDescription is a string
- representation of the attribute description and is defined in [1].
- The AttributeValue and AssertionValue OCTET STRING have the form
- defined in [2]. The Filter is encoded for transmission over a
- network using the Basic Encoding Rules defined in [3], with
- simplifications described in [1].
-
-4. String Search Filter Definition
-
- The string representation of an LDAP search filter is defined by the
- following grammar, following the ABNF notation defined in [5]. The
- filter format uses a prefix notation.
-
- filter = "(" filtercomp ")"
- filtercomp = and / or / not / item
- and = "&" filterlist
- or = "|" filterlist
- not = "!" filter
- filterlist = 1*filter
- item = simple / present / substring / extensible
- simple = attr filtertype value
- filtertype = equal / approx / greater / less
- equal = "="
- approx = "~="
- greater = ">="
- less = "<="
- extensible = attr [":dn"] [":" matchingrule] ":=" value
- / [":dn"] ":" matchingrule ":=" value
- present = attr "=*"
- substring = attr "=" [initial] any [final]
- initial = value
- any = "*" *(value "*")
- final = value
- attr = AttributeDescription from Section 4.1.5 of [1]
- matchingrule = MatchingRuleId from Section 4.1.9 of [1]
- value = AttributeValue from Section 4.1.6 of [1]
-
- The attr, matchingrule, and value constructs are as described in the
- corresponding section of [1] given above.
-
-
-
-
-
-
-
-
-
-
-
-Howes Standards Track [Page 4]
-
-RFC 2254 String Representation of LDAP December 1997
-
-
- If a value should contain any of the following characters
-
- Character ASCII value
- ---------------------------
- * 0x2a
- ( 0x28
- ) 0x29
- \ 0x5c
- NUL 0x00
-
- the character must be encoded as the backslash '\' character (ASCII
- 0x5c) followed by the two hexadecimal digits representing the ASCII
- value of the encoded character. The case of the two hexadecimal
- digits is not significant.
-
- This simple escaping mechanism eliminates filter-parsing ambiguities
- and allows any filter that can be represented in LDAP to be
- represented as a NUL-terminated string. Other characters besides the
- ones listed above may be escaped using this mechanism, for example,
- non-printing characters.
-
- For example, the filter checking whether the "cn" attribute contained
- a value with the character "*" anywhere in it would be represented as
- "(cn=*\2a*)".
-
- Note that although both the substring and present productions in the
- grammar above can produce the "attr=*" construct, this construct is
- used only to denote a presence filter.
-
-5. Examples
-
- This section gives a few examples of search filters written using
- this notation.
-
- (cn=Babs Jensen)
- (!(cn=Tim Howes))
- (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
- (o=univ*of*mich*)
-
- The following examples illustrate the use of extensible matching.
-
- (cn:1.2.3.4.5:=Fred Flintstone)
- (sn:dn:2.4.6.8.10:=Barney Rubble)
- (o:dn:=Ace Industry)
- (:dn:2.4.6.8.10:=Dino)
-
-
-
-
-
-
-Howes Standards Track [Page 5]
-
-RFC 2254 String Representation of LDAP December 1997
-
-
- The second example illustrates the use of the ":dn" notation to
- indicate that matching rule "2.4.6.8.10" should be used when making
- comparisons, and that the attributes of an entry's distinguished name
- should be considered part of the entry when evaluating the match.
-
- The third example denotes an equality match, except that DN
- components should be considered part of the entry when doing the
- match.
-
- The fourth example is a filter that should be applied to any
- attribute supporting the matching rule given (since the attr has been
- left off). Attributes supporting the matching rule contained in the
- DN should also be considered.
-
- The following examples illustrate the use of the escaping mechanism.
-
- (o=Parens R Us \28for all your parenthetical needs\29)
- (cn=*\2A*)
- (filename=C:\5cMyFile)
- (bin=\00\00\00\04)
- (sn=Lu\c4\8di\c4\87)
-
- The first example shows the use of the escaping mechanism to
- represent parenthesis characters. The second shows how to represent a
- "*" in a value, preventing it from being interpreted as a substring
- indicator. The third illustrates the escaping of the backslash
- character.
-
- The fourth example shows a filter searching for the four-byte value
- 0x00000004, illustrating the use of the escaping mechanism to
- represent arbitrary data, including NUL characters.
-
- The final example illustrates the use of the escaping mechanism to
- represent various non-ASCII UTF-8 characters.
-
-6. Security Considerations
-
- This memo describes a string representation of LDAP search filters.
- While the representation itself has no known security implications,
- LDAP search filters do. They are interpreted by LDAP servers to
- select entries from which data is retrieved. LDAP servers should
- take care to protect the data they maintain from unauthorized access.
-
-
-
-
-
-
-
-
-
-Howes Standards Track [Page 6]
-
-RFC 2254 String Representation of LDAP December 1997
-
-
-7. References
-
- [1] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, December 1997.
-
- [2] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
- Directory Access Protocol (v3): Attribute Syntax Definitions", RFC
- 2252, December 1997.
-
- [3] Specification of ASN.1 encoding rules: Basic, Canonical, and
- Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994.
-
- [4] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
- 10646", RFC 2044, October 1996.
-
- [5] Crocker, D., "Standard for the Format of ARPA Internet Text
- Messages", STD 11, RFC 822, August 1982.
-
-8. Author's Address
-
- Tim Howes
- Netscape Communications Corp.
- 501 E. Middlefield Road
- Mountain View, CA 94043
- USA
-
- Phone: +1 415 937-3419
- EMail: howes@netscape.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howes Standards Track [Page 7]
-
-RFC 2254 String Representation of LDAP December 1997
-
-
-9. Full Copyright Statement
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howes Standards Track [Page 8]
-
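Review bot: deleting rfc2254.txt removes the only in-tree copy of the filter-escaping rules (section 4: `*`, `(`, `)`, `\` and NUL must be written as `\` followed by two hex digits, case-insensitive, e.g. `(cn=*\2a*)`), which is exactly the behaviour the server's filter parser and its tests have to match; the commit message should say where the current version of the search-filter string-representation spec is to be found so a reviewer of the parser still has a normative reference. Also confirm that nothing else under source4/ldap_server/devdocs still lists or links RFC 2254 after this file is gone.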
diff --git a/source4/ldap_server/devdocs/rfc2255.txt b/source4/ldap_server/devdocs/rfc2255.txt
deleted file mode 100644
index a03567154e..0000000000
--- a/source4/ldap_server/devdocs/rfc2255.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group T. Howes
-Request for Comments: 2255 M. Smith
-Category: Standards Track Netscape Communications Corp.
- December 1997
-
-
- The LDAP URL Format
-
-1. Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
-IESG NOTE
-
- This document describes a directory access protocol that provides
- both read and update access. Update access requires secure
- authentication, but this document does not mandate implementation of
- any satisfactory authentication mechanisms.
-
- In accordance with RFC 2026, section 4.4.1, this specification is
- being approved by IESG as a Proposed Standard despite this
- limitation, for the following reasons:
-
- a. to encourage implementation and interoperability testing of
- these protocols (with or without update access) before they
- are deployed, and
-
- b. to encourage deployment and use of these protocols in read-only
- applications. (e.g. applications where LDAPv3 is used as
- a query language for directories which are updated by some
- secure mechanism other than LDAP), and
-
- c. to avoid delaying the advancement and deployment of other Internet
- standards-track protocols which require the ability to query, but
- not update, LDAPv3 directory servers.
-
-
-
-
-
-
-
-
-Howes & Smith Standards Track [Page 1]
-
-RFC 2255 LDAP URL Format December 1997
-
-
- Readers are hereby warned that until mandatory authentication
- mechanisms are standardized, clients and servers written according to
- this specification which make use of update functionality are
- UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
- IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
-
- Implementors are hereby discouraged from deploying LDAPv3 clients or
- servers which implement the update functionality, until a Proposed
- Standard for mandatory authentication in LDAPv3 has been approved and
- published as an RFC.
-
-2. Abstract
-
- LDAP is the Lightweight Directory Access Protocol, defined in [1],
- [2] and [3]. This document describes a format for an LDAP Uniform
- Resource Locator. The format describes an LDAP search operation to
- perform to retrieve information from an LDAP directory. This document
- replaces RFC 1959. It updates the LDAP URL format for version 3 of
- LDAP and clarifies how LDAP URLs are resolved. This document also
- defines an extension mechanism for LDAP URLs, so that future
- documents can extend their functionality, for example, to provide
- access to new LDAPv3 extensions as they are defined.
-
- The key words "MUST", "MAY", and "SHOULD" used in this document are
- to be interpreted as described in [6].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howes & Smith Standards Track [Page 2]
-
-RFC 2255 LDAP URL Format December 1997
-
-
-3. URL Definition
-
- An LDAP URL begins with the protocol prefix "ldap" and is defined by
- the following grammar.
-
- ldapurl = scheme "://" [hostport] ["/"
- [dn ["?" [attributes] ["?" [scope]
- ["?" [filter] ["?" extensions]]]]]]
- scheme = "ldap"
- attributes = attrdesc *("," attrdesc)
- scope = "base" / "one" / "sub"
- dn = distinguishedName from Section 3 of [1]
- hostport = hostport from Section 5 of RFC 1738 [5]
- attrdesc = AttributeDescription from Section 4.1.5 of [2]
- filter = filter from Section 4 of [4]
- extensions = extension *("," extension)
- extension = ["!"] extype ["=" exvalue]
- extype = token / xtoken
- exvalue = LDAPString from section 4.1.2 of [2]
- token = oid from section 4.1 of [3]
- xtoken = ("X-" / "x-") token
-
- The "ldap" prefix indicates an entry or entries residing in the LDAP
- server running on the given hostname at the given portnumber. The
- default LDAP port is TCP port 389. If no hostport is given, the
- client must have some apriori knowledge of an appropriate LDAP server
- to contact.
-
- The dn is an LDAP Distinguished Name using the string format
- described in [1]. It identifies the base object of the LDAP search.
-
- ldapurl = scheme "://" [hostport] ["/"
- [dn ["?" [attributes] ["?" [scope]
- ["?" [filter] ["?" extensions]]]]]]
- scheme = "ldap"
- attributes = attrdesc *("," attrdesc)
- scope = "base" / "one" / "sub"
- dn = distinguishedName from Section 3 of [1]
- hostport = hostport from Section 5 of RFC 1738 [5]
- attrdesc = AttributeDescription from Section 4.1.5 of [2]
- filter = filter from Section 4 of [4]
- extensions = extension *("," extension)
- extension = ["!"] extype ["=" exvalue]
- extype = token / xtoken
- exvalue = LDAPString from section 4.1.2 of [2]
- token = oid from section 4.1 of [3]
- xtoken = ("X-" / "x-") token
-
-
-
-
-Howes & Smith Standards Track [Page 3]
-
-RFC 2255 LDAP URL Format December 1997
-
-
- The "ldap" prefix indicates an entry or entries residing in the LDAP
- server running on the given hostname at the given portnumber. The
- default LDAP port is TCP port 389. If no hostport is given, the
- client must have some apriori knowledge of an appropriate LDAP server
- to contact.
-
- The dn is an LDAP Distinguished Name using the string format
- described in [1]. It identifies the base object of the LDAP search.
-
- The attributes construct is used to indicate which attributes should
- be returned from the entry or entries. Individual attrdesc names are
- as defined for AttributeDescription in [2]. If the attributes part
- is omitted, all user attributes of the entry or entries should be
- requested (e.g., by setting the attributes field
- AttributeDescriptionList in the LDAP search request to a NULL list,
- or (in LDAPv3) by requesting the special attribute name "*").
-
- The scope construct is used to specify the scope of the search to
- perform in the given LDAP server. The allowable scopes are "base"
- for a base object search, "one" for a one-level search, or "sub" for
- a subtree search. If scope is omitted, a scope of "base" is assumed.
-
- The filter is used to specify the search filter to apply to entries
- within the specified scope during the search. It has the format
- specified in [4]. If filter is omitted, a filter of
- "(objectClass=*)" is assumed.
-
- The extensions construct provides the LDAP URL with an extensibility
- mechanism, allowing the capabilities of the URL to be extended in the
- future. Extensions are a simple comma-separated list of type=value
- pairs, where the =value portion MAY be omitted for options not
- requiring it. Each type=value pair is a separate extension. These
- LDAP URL extensions are not necessarily related to any of the LDAPv3
- extension mechanisms. Extensions may be supported or unsupported by
- the client resolving the URL. An extension prefixed with a '!'
- character (ASCII 33) is critical. An extension not prefixed with a '
- !' character is non-critical.
-
- If an extension is supported by the client, the client MUST obey the
- extension if the extension is critical. The client SHOULD obey
- supported extensions that are non-critical.
-
- If an extension is unsupported by the client, the client MUST NOT
- process the URL if the extension is critical. If an unsupported
- extension is non-critical, the client MUST ignore the extension.
-
-
-
-
-
-
-Howes & Smith Standards Track [Page 4]
-
-RFC 2255 LDAP URL Format December 1997
-
-
- If a critical extension cannot be processed successfully by the
- client, the client MUST NOT process the URL. If a non-critical
- extension cannot be processed successfully by the client, the client
- SHOULD ignore the extension.
-
- Extension types prefixed by "X-" or "x-" are reserved for use in
- bilateral agreements between communicating parties. Other extension
- types MUST be defined in this document, or in other standards-track
- documents.
-
- One LDAP URL extension is defined in this document in the next
- section. Other documents or a future version of this document MAY
- define other extensions.
-
- Note that any URL-illegal characters (e.g., spaces), URL special
- characters (as defined in section 2.2 of RFC 1738) and the reserved
- character '?' (ASCII 63) occurring inside a dn, filter, or other
- element of an LDAP URL MUST be escaped using the % method described
- in RFC 1738 [5]. If a comma character ',' occurs inside an extension
- value, the character MUST also be escaped using the % method.
-
-4. The Bindname Extension
-
- This section defines an LDAP URL extension for representing the
- distinguished name for a client to use when authenticating to an LDAP
- directory during resolution of an LDAP URL. Clients MAY implement
- this extension.
-
- The extension type is "bindname". The extension value is the
- distinguished name of the directory entry to authenticate as, in the
- same form as described for dn in the grammar above. The dn may be the
- NULL string to specify unauthenticated access. The extension may be
- either critical (prefixed with a '!' character) or non-critical (not
- prefixed with a '!' character).
-
- If the bindname extension is critical, the client resolving the URL
- MUST authenticate to the directory using the given distinguished name
- and an appropriate authentication method. Note that for a NULL
- distinguished name, no bind MAY be required to obtain anonymous
- access to the directory. If the extension is non-critical, the client
- MAY bind to the directory using the given distinguished name.
-
-5. URL Processing
-
- This section describes how an LDAP URL SHOULD be resolved by a
- client.
-
-
-
-
-
-Howes & Smith Standards Track [Page 5]
-
-RFC 2255 LDAP URL Format December 1997
-
-
- First, the client obtains a connection to the LDAP server referenced
- in the URL, or an LDAP server of the client's choice if no LDAP
- server is explicitly referenced. This connection MAY be opened
- specifically for the purpose of resolving the URL or the client MAY
- reuse an already open connection. The connection MAY provide
- confidentiality, integrity, or other services, e.g., using TLS. Use
- of security services is at the client's discretion if not specified
- in the URL.
-
- Next, the client authenticates itself to the LDAP server. This step
- is optional, unless the URL contains a critical bindname extension
- with a non-NULL value. If a bindname extension is given, the client
- proceeds according to the section above.
-
- If a bindname extension is not specified, the client MAY bind to the
- directory using a appropriate dn and authentication method of its own
- choosing (including NULL authentication).
-
- Next, the client performs the LDAP search operation specified in the
- URL. Additional fields in the LDAP protocol search request, such as
- sizelimit, timelimit, deref, and anything else not specified or
- defaulted in the URL specification, MAY be set at the client's
- discretion.
-
- Once the search has completed, the client MAY close the connection to
- the LDAP server, or the client MAY keep the connection open for
- future use.
-
-6. Examples
-
- The following are some example LDAP URLs using the format defined
- above. The first example is an LDAP URL referring to the University
- of Michigan entry, available from an LDAP server of the client's
- choosing:
-
- ldap:///o=University%20of%20Michigan,c=US
-
- The next example is an LDAP URL referring to the University of
- Michigan entry in a particular ldap server:
-
- ldap://ldap.itd.umich.edu/o=University%20of%20Michigan,c=US
-
- Both of these URLs correspond to a base object search of the
- "o=University of Michigan, c=US" entry using a filter of
- "(objectclass=*)", requesting all attributes.
-
- The next example is an LDAP URL referring to only the postalAddress
- attribute of the University of Michigan entry:
-
-
-
-Howes & Smith Standards Track [Page 6]
-
-RFC 2255 LDAP URL Format December 1997
-
-
- ldap://ldap.itd.umich.edu/o=University%20of%20Michigan,
- c=US?postalAddress
-
- The corresponding LDAP search operation is the same as in the
- previous example, except that only the postalAddress attribute is
- requested.
-
- The next example is an LDAP URL referring to the set of entries found
- by querying the given LDAP server on port 6666 and doing a subtree
- search of the University of Michigan for any entry with a common name
- of "Babs Jensen", retrieving all attributes:
-
- ldap://host.com:6666/o=University%20of%20Michigan,
- c=US??sub?(cn=Babs%20Jensen)
-
- The next example is an LDAP URL referring to all children of the c=GB
- entry:
-
- ldap://ldap.itd.umich.edu/c=GB?objectClass?one
-
- The objectClass attribute is requested to be returned along with the
- entries, and the default filter of "(objectclass=*)" is used.
-
- The next example is an LDAP URL to retrieve the mail attribute for
- the LDAP entry named "o=Question?,c=US" is given below, illustrating
- the use of the escaping mechanism on the reserved character '?'.
-
- ldap://ldap.question.com/o=Question%3f,c=US?mail
-
- The next example illustrates the interaction between LDAP and URL
- quoting mechanisms.
-
- ldap://ldap.netscape.com/o=Babsco,c=US??(int=%5c00%5c00%5c00%5c04)
-
- The filter in this example uses the LDAP escaping mechanism of \ to
- encode three zero or null bytes in the value. In LDAP, the filter
- would be written as (int=\00\00\00\04). Because the \ character must
- be escaped in a URL, the \'s are escaped as %5c in the URL encoding.
-
- The final example shows the use of the bindname extension to specify
- the dn a client should use for authentication when resolving the URL.
-
- ldap:///??sub??bindname=cn=Manager%2co=Foo
- ldap:///??sub??!bindname=cn=Manager%2co=Foo
-
- The two URLs are the same, except that the second one marks the
- bindname extension as critical. Notice the use of the % encoding
- method to encode the comma in the distinguished name value in the
-
-
-
-Howes & Smith Standards Track [Page 7]
-
-RFC 2255 LDAP URL Format December 1997
-
-
- bindname extension.
-
-7. Security Considerations
-
- General URL security considerations discussed in [5] are relevant for
- LDAP URLs.
-
- The use of security mechanisms when processing LDAP URLs requires
- particular care, since clients may encounter many different servers
- via URLs, and since URLs are likely to be processed automatically,
- without user intervention. A client SHOULD have a user-configurable
- policy about which servers to connect to using which security
- mechanisms, and SHOULD NOT make connections that are inconsistent
- with this policy.
-
- Sending authentication information, no matter the mechanism, may
- violate a user's privacy requirements. In the absence of specific
- policy permitting authentication information to be sent to a server,
- a client should use an anonymous connection. (Note that clients
- conforming to previous LDAP URL specifications, where all connections
- are anonymous and unprotected, are consistent with this
- specification; they simply have the default security policy.)
-
- Some authentication methods, in particular reusable passwords sent to
- the server, may reveal easily-abused information to the remote server
- or to eavesdroppers in transit, and should not be used in URL
- processing unless explicitly permitted by policy. Confirmation by
- the human user of the use of authentication information is
- appropriate in many circumstances. Use of strong authentication
- methods that do not reveal sensitive information is much preferred.
-
- The LDAP URL format allows the specification of an arbitrary LDAP
- search operation to be performed when evaluating the LDAP URL.
- Following an LDAP URL may cause unexpected results, for example, the
- retrieval of large amounts of data, the initiation of a long-lived
- search, etc. The security implications of resolving an LDAP URL are
- the same as those of resolving an LDAP search query.
-
-8. Acknowledgements
-
- The LDAP URL format was originally defined at the University of
- Michigan. This material is based upon work supported by the National
- Science Foundation under Grant No. NCR-9416667. The support of both
- the University of Michigan and the National Science Foundation is
- gratefully acknowledged.
-
-
-
-
-
-
-Howes & Smith Standards Track [Page 8]
-
-RFC 2255 LDAP URL Format December 1997
-
-
- Several people have made valuable comments on this document. In
- particular RL "Bob" Morgan and Mark Wahl deserve special thanks for
- their contributions.
-
-9. References
-
- [1] Wahl, M., Kille, S., and T. Howes, "Lightweight Directory Access
- Protocol (v3): UTF-8 String Representation of Distinguished Names",
- RFC 2253, December 1997.
-
- [2] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, December 1997.
-
- [3] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight
- Directory Access Protocol (v3): Attribute Syntax Definitions", RFC
- 2252, December 1997.
-
- [4] Howes, T., "A String Representation of LDAP Search Filters", RFC
- 2254, December 1997.
-
- [5] Berners-Lee, T., Masinter, L. and M. McCahill, "Uniform Resource
- Locators (URL)," RFC 1738, December 1994.
-
- [6] Bradner, S., "Key Words for use in RFCs to Indicate Requirement
- Levels," RFC 2119, March 1997.
-
-Authors' Addresses
-
- Tim Howes
- Netscape Communications Corp.
- 501 E. Middlefield Rd.
- Mountain View, CA 94043
- USA
-
- Phone: +1 415 937-3419
- EMail: howes@netscape.com
-
-
- Mark Smith
- Netscape Communications Corp.
- 501 E. Middlefield Rd.
- Mountain View, CA 94043
- USA
-
- Phone: +1 415 937-3477
- EMail: mcs@netscape.com
-
-
-
-
-
-Howes & Smith Standards Track [Page 9]
-
-RFC 2255 LDAP URL Format December 1997
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howes & Smith Standards Track [Page 10]
-
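Review bot: same concern as for rfc2254.txt: this deletion takes out the LDAP URL grammar and the two-layer escaping rules (section 3 and the `(int=%5c00%5c00%5c00%5c04)` example, where `\` is first LDAP-escaped and then `%`-escaped, and `?` and `,` inside a dn or extension value must be `%`-escaped), which any referral or URL handling in the server has to implement; point the devdocs index at the document that obsoletes RFC 2255 rather than dropping the reference silently. Note that the deleted copy carried the grammar block and the two paragraphs after it twice (pages 3 and 4), so a fresh copy of the spec is a better local reference than restoring this file would be.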
diff --git a/source4/ldap_server/devdocs/rfc2256.txt b/source4/ldap_server/devdocs/rfc2256.txt
deleted file mode 100644
index 69706f65a6..0000000000
--- a/source4/ldap_server/devdocs/rfc2256.txt
+++ /dev/null
@@ -1,1123 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Wahl
-Request for Comments: 2256 Critical Angle Inc.
-Category: Standards Track December 1997
-
-
- A Summary of the X.500(96) User Schema for use with LDAPv3
-
-1. Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
-IESG Note
-
- This document describes a directory access protocol that provides
- both read and update access. Update access requires secure
- authentication, but this document does not mandate implementation of
- any satisfactory authentication mechanisms.
-
- In accordance with RFC 2026, section 4.4.1, this specification is
- being approved by IESG as a Proposed Standard despite this
- limitation, for the following reasons:
-
- a. to encourage implementation and interoperability testing of
- these protocols (with or without update access) before they
- are deployed, and
-
- b. to encourage deployment and use of these protocols in read-only
- applications. (e.g. applications where LDAPv3 is used as
- a query language for directories which are updated by some
- secure mechanism other than LDAP), and
-
- c. to avoid delaying the advancement and deployment of other Internet
- standards-track protocols which require the ability to query, but
- not update, LDAPv3 directory servers.
-
- Readers are hereby warned that until mandatory authentication
- mechanisms are standardized, clients and servers written according to
- this specification which make use of update functionality are
- UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
- IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
-
-
-
-Wahl Standards Track [Page 1]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
- Implementors are hereby discouraged from deploying LDAPv3 clients or
- servers which implement the update functionality, until a Proposed
- Standard for mandatory authentication in LDAPv3 has been approved and
- published as an RFC.
-
-2. Abstract
-
- This document provides an overview of the attribute types and object
- classes defined by the ISO and ITU-T committees in the X.500
- documents, in particular those intended for use by directory clients.
- This is the most widely used schema for LDAP/X.500 directories, and
- many other schema definitions for white pages objects use it as a
- basis. This document does not cover attributes used for the
- administration of X.500 directory servers, nor does it include
- attributes defined by other ISO/ITU-T documents.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [6].
-
-3. General Issues
-
- This document references syntaxes given in section 6 of this document
- and section 6 of [1]. Matching rules are listed in section 8 of this
- document and section 8 of [1].
-
- The attribute type and object class definitions are written using the
- BNF form of AttributeTypeDescription and ObjectClassDescription given
- in [1]. Lines have been folded for readability.
-
-4. Source
-
- The schema definitions in this document are based on those found in
- X.500 [2],[3],[4],[5], and updates to these documents, specifically:
-
- Sections Source
- ============ ============
- 5.1 - 5.2 X.501(93)
- 5.3 - 5.36 X.520(88)
- 5.37 - 5.41 X.509(93)
- 5.42 - 5.52 X.520(93)
- 5.53 - 5.54 X.509(96)
- 5.55 X.520(96)
- 6.1 RFC 1274
- 6.2 (new syntax)
- 6.3 - 6.6 RFC 1274
- 7.1 - 7.2 X.501(93)
- 7.3 - 7.18 X.521(93)
-
-
-
-Wahl Standards Track [Page 2]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
- 7.19 - 7.21 X.509(96)
- 7.22 X.521(96)
-
- Some attribute names are different from those found in X.520(93).
-
- Three new attributes supportedAlgorithms, deltaRevocationList and
- dmdName, and the objectClass dmd, are defined in the X.500(96)
- documents.
-
-5. Attribute Types
-
- An LDAP server implementation SHOULD recognize the attribute types
- described in this section.
-
-5.1. objectClass
-
- The values of the objectClass attribute describe the kind of object
- which an entry represents. The objectClass attribute is present in
- every entry, with at least two values. One of the values is either
- "top" or "alias".
-
- ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
-5.2. aliasedObjectName
-
- The aliasedObjectName attribute is used by the directory service if
- the entry containing this attribute is an alias.
-
- ( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
-
-5.3. knowledgeInformation
-
- This attribute is no longer used.
-
- ( 2.5.4.2 NAME 'knowledgeInformation' EQUALITY caseIgnoreMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
-
-5.4. cn
-
- This is the X.500 commonName attribute, which contains a name of an
- object. If the object corresponds to a person, it is typically the
- person's full name.
-
- ( 2.5.4.3 NAME 'cn' SUP name )
-
-
-
-
-
-Wahl Standards Track [Page 3]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-5.5. sn
-
- This is the X.500 surname attribute, which contains the family name
- of a person.
-
- ( 2.5.4.4 NAME 'sn' SUP name )
-
-5.6. serialNumber
-
- This attribute contains the serial number of a device.
-
- ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
-
-5.7. c
-
- This attribute contains a two-letter ISO 3166 country code
- (countryName).
-
- ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
-
-5.8. l
-
- This attribute contains the name of a locality, such as a city,
- county or other geographic region (localityName).
-
- ( 2.5.4.7 NAME 'l' SUP name )
-
-5.9. st
-
- This attribute contains the full name of a state or province
- (stateOrProvinceName).
-
- ( 2.5.4.8 NAME 'st' SUP name )
-
-5.10. street
-
- This attribute contains the physical address of the object to which
- the entry corresponds, such as an address for package delivery
- (streetAddress).
-
- ( 2.5.4.9 NAME 'street' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
-
-
-
-
-
-
-Wahl Standards Track [Page 4]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-5.11. o
-
- This attribute contains the name of an organization
- (organizationName).
-
- ( 2.5.4.10 NAME 'o' SUP name )
-
-5.12. ou
-
- This attribute contains the name of an organizational unit
- (organizationalUnitName).
-
- ( 2.5.4.11 NAME 'ou' SUP name )
-
-5.13. title
-
- This attribute contains the title, such as "Vice President", of a
- person in their organizational context. The "personalTitle"
- attribute would be used for a person's title independent of their job
- function.
-
- ( 2.5.4.12 NAME 'title' SUP name )
-
-5.14. description
-
- This attribute contains a human-readable description of the object.
-
- ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
-
-5.15. searchGuide
-
- This attribute is for use by X.500 clients in constructing search
- filters. It is obsoleted by enhancedSearchGuide, described below in
- 5.48.
-
- ( 2.5.4.14 NAME 'searchGuide'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
-
-5.16. businessCategory
-
- This attribute describes the kind of business performed by an
- organization.
-
- ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
-
-
-
-Wahl Standards Track [Page 5]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-5.17. postalAddress
-
- ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch
- SUBSTR caseIgnoreListSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-
-5.18. postalCode
-
- ( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
-
-5.19. postOfficeBox
-
- ( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
-
-5.20. physicalDeliveryOfficeName
-
- ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
-
-5.21. telephoneNumber
-
- ( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
-
-5.22. telexNumber
-
- ( 2.5.4.21 NAME 'telexNumber'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
-
-5.23. teletexTerminalIdentifier
-
- ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
-
-5.24. facsimileTelephoneNumber
-
- ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
-
-
-
-
-
-
-
-Wahl Standards Track [Page 6]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-5.25. x121Address
-
- ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch
- SUBSTR numericStringSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
-
-5.26. internationaliSDNNumber
-
- ( 2.5.4.25 NAME 'internationaliSDNNumber' EQUALITY numericStringMatch
- SUBSTR numericStringSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
-
-5.27. registeredAddress
-
- This attribute holds a postal address suitable for reception of
- telegrams or expedited documents, where it is necessary to have the
- recipient accept delivery.
-
- ( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-
-5.28. destinationIndicator
-
- This attribute is used for the telegram service.
-
- ( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
-
-5.29. preferredDeliveryMethod
-
- ( 2.5.4.28 NAME 'preferredDeliveryMethod'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
- SINGLE-VALUE )
-
-5.30. presentationAddress
-
- This attribute contains an OSI presentation address.
-
- ( 2.5.4.29 NAME 'presentationAddress'
- EQUALITY presentationAddressMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
- SINGLE-VALUE )
-
-
-
-
-
-
-
-
-Wahl Standards Track [Page 7]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-5.31. supportedApplicationContext
-
- This attribute contains the identifiers of OSI application contexts.
-
- ( 2.5.4.30 NAME 'supportedApplicationContext'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
-5.32. member
-
- ( 2.5.4.31 NAME 'member' SUP distinguishedName )
-
-5.33. owner
-
- ( 2.5.4.32 NAME 'owner' SUP distinguishedName )
-
-5.34. roleOccupant
-
- ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName )
-
-5.35. seeAlso
-
- ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName )
-
-5.36. userPassword
-
- ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
-
- Passwords are stored using an Octet String syntax and are not
- encrypted. Transfer of cleartext passwords are strongly discouraged
- where the underlying transport service cannot guarantee
- confidentiality and may result in disclosure of the password to
- unauthorized parties.
-
-5.37. userCertificate
-
- This attribute is to be stored and requested in the binary form, as
- 'userCertificate;binary'.
-
- ( 2.5.4.36 NAME 'userCertificate'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
-
-5.38. cACertificate
-
- This attribute is to be stored and requested in the binary form, as
- 'cACertificate;binary'.
-
-
-
-
-Wahl Standards Track [Page 8]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
- ( 2.5.4.37 NAME 'cACertificate'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
-
-5.39. authorityRevocationList
-
- This attribute is to be stored and requested in the binary form, as
- 'authorityRevocationList;binary'.
-
- ( 2.5.4.38 NAME 'authorityRevocationList'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
-
-5.40. certificateRevocationList
-
- This attribute is to be stored and requested in the binary form, as
- 'certificateRevocationList;binary'.
-
- ( 2.5.4.39 NAME 'certificateRevocationList'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
-
-5.41. crossCertificatePair
-
- This attribute is to be stored and requested in the binary form, as
- 'crossCertificatePair;binary'.
-
- ( 2.5.4.40 NAME 'crossCertificatePair'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
-
-5.42. name
-
- The name attribute type is the attribute supertype from which string
- attribute types typically used for naming may be formed. It is
- unlikely that values of this type itself will occur in an entry. LDAP
- server implementations which do not support attribute subtyping need
- not recognize this attribute in requests. Client implementations
- MUST NOT assume that LDAP servers are capable of performing attribute
- subtyping.
-
- ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
-
-5.43. givenName
-
- The givenName attribute is used to hold the part of a person's name
- which is not their surname nor middle name.
-
- ( 2.5.4.42 NAME 'givenName' SUP name )
-
-
-
-
-Wahl Standards Track [Page 9]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-5.44. initials
-
- The initials attribute contains the initials of some or all of an
- individuals names, but not the surname(s).
-
- ( 2.5.4.43 NAME 'initials' SUP name )
-
-5.45. generationQualifier
-
- The generationQualifier attribute contains the part of the name which
- typically is the suffix, as in "IIIrd".
-
- ( 2.5.4.44 NAME 'generationQualifier' SUP name )
-
-5.46. x500UniqueIdentifier
-
- The x500UniqueIdentifier attribute is used to distinguish between
- objects when a distinguished name has been reused. This is a
- different attribute type from both the "uid" and "uniqueIdentifier"
- types.
-
- ( 2.5.4.45 NAME 'x500UniqueIdentifier' EQUALITY bitStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
-
-5.47. dnQualifier
-
- The dnQualifier attribute type specifies disambiguating information
- to add to the relative distinguished name of an entry. It is
- intended for use when merging data from multiple sources in order to
- prevent conflicts between entries which would otherwise have the same
- name. It is recommended that the value of the dnQualifier attribute
- be the same for all entries from a particular source.
-
- ( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch
- ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
-
-5.48. enhancedSearchGuide
-
- This attribute is for use by X.500 clients in constructing search
- filters.
-
- ( 2.5.4.47 NAME 'enhancedSearchGuide'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
-
-
-
-
-
-
-
-Wahl Standards Track [Page 10]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-5.49. protocolInformation
-
- This attribute is used in conjunction with the presentationAddress
- attribute, to provide additional information to the OSI network
- service.
-
- ( 2.5.4.48 NAME 'protocolInformation'
- EQUALITY protocolInformationMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
-
-5.50. distinguishedName
-
- This attribute type is not used as the name of the object itself, but
- it is instead a base type from which attributes with DN syntax
- inherit.
-
- It is unlikely that values of this type itself will occur in an
- entry. LDAP server implementations which do not support attribute
- subtyping need not recognize this attribute in requests. Client
- implementations MUST NOT assume that LDAP servers are capable of
- performing attribute subtyping.
-
- ( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-5.51. uniqueMember
-
- ( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
-
-5.52. houseIdentifier
-
- This attribute is used to identify a building within a location.
-
- ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
-
-5.53. supportedAlgorithms
-
- This attribute is to be stored and requested in the binary form, as
- 'supportedAlgorithms;binary'.
-
- ( 2.5.4.52 NAME 'supportedAlgorithms'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
-
-
-
-
-
-
-Wahl Standards Track [Page 11]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-5.54. deltaRevocationList
-
- This attribute is to be stored and requested in the binary form, as
- 'deltaRevocationList;binary'.
-
- ( 2.5.4.53 NAME 'deltaRevocationList'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
-
-5.55. dmdName
-
- The value of this attribute specifies a directory management domain
- (DMD), the administrative authority which operates the directory
- server.
-
- ( 2.5.4.54 NAME 'dmdName' SUP name )
-
-6. Syntaxes
-
- Servers SHOULD recognize the syntaxes defined in this section. Each
- syntax begins with a sample value of the ldapSyntaxes attribute which
- defines the OBJECT IDENTIFIER of the syntax. The descriptions of
- syntax names are not carried in protocol, and are not guaranteed to
- be unique.
-
-6.1. Delivery Method
-
- ( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' )
-
- Values in this syntax are encoded according to the following BNF:
-
- delivery-value = pdm / ( pdm whsp "$" whsp delivery-value )
-
- pdm = "any" / "mhs" / "physical" / "telex" / "teletex" /
- "g3fax" / "g4fax" / "ia5" / "videotex" / "telephone"
-
- Example:
-
- telephone
-
-6.2. Enhanced Guide
-
- ( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' )
-
- Values in this syntax are encoded according to the following BNF:
-
- EnhancedGuide = woid whsp "#" whsp criteria whsp "#" whsp subset
-
- subset = "baseobject" / "oneLevel" / "wholeSubtree"
-
-
-
-Wahl Standards Track [Page 12]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
- The criteria production is defined in the Guide syntax below. This
- syntax has been added subsequent to RFC 1778.
-
- Example:
-
- person#(sn)#oneLevel
-
-6.3. Guide
-
- ( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' )
-
- Values in this syntax are encoded according to the following BNF:
-
- guide-value = [ object-class "#" ] criteria
-
- object-class = woid
-
- criteria = criteria-item / criteria-set / ( "!" criteria )
-
- criteria-set = ( [ "(" ] criteria "&" criteria-set [ ")" ] ) /
- ( [ "(" ] criteria "|" criteria-set [ ")" ] )
-
- criteria-item = [ "(" ] attributetype "$" match-type [ ")" ]
-
- match-type = "EQ" / "SUBSTR" / "GE" / "LE" / "APPROX"
-
- This syntax should not be used for defining new attributes.
-
-6.4. Octet String
-
- ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' )
-
- Values in this syntax are encoded as octet strings.
-
-
- Example:
-
- secret
-
-6.5. Teletex Terminal Identifier
-
- ( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' )
-
- Values in this syntax are encoded according to the following BNF:
-
- teletex-id = ttx-term 0*("$" ttx-param)
-
- ttx-term = printablestring
-
-
-
-Wahl Standards Track [Page 13]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
- ttx-param = ttx-key ":" ttx-value
-
- ttx-key = "graphic" / "control" / "misc" / "page" / "private"
-
- ttx-value = octetstring
-
- In the above, the first printablestring is the encoding of the first
- portion of the teletex terminal identifier to be encoded, and the
- subsequent 0 or more octetstrings are subsequent portions of the
- teletex terminal identifier.
-
-6.6. Telex Number
-
- ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )
-
- Values in this syntax are encoded according to the following BNF:
-
- telex-number = actual-number "$" country "$" answerback
-
- actual-number = printablestring
-
- country = printablestring
-
- answerback = printablestring
-
- In the above, actual-number is the syntactic representation of the
- number portion of the TELEX number being encoded, country is the
- TELEX country code, and answerback is the answerback code of a TELEX
- terminal.
-
-6.7. Supported Algorithm
-
- ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' )
-
- No printable representation of values of the supportedAlgorithms
- attribute is defined in this document. Clients which wish to store
- and retrieve this attribute MUST use "supportedAlgorithms;binary", in
- which the value is transferred as a binary encoding.
-
-7. Object Classes
-
- LDAP servers MUST recognize the object classes "top" and "subschema".
- LDAP servers SHOULD recognize all the other object classes listed
- here as values of the objectClass attribute.
-
-7.1. top
-
- ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
-
-
-
-Wahl Standards Track [Page 14]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-7.2. alias
-
- ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )
-
-7.3. country
-
- ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c
- MAY ( searchGuide $ description ) )
-
-7.4. locality
-
- ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL
- MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
-
-7.5. organization
-
- ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o
- MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
- x121Address $ registeredAddress $ destinationIndicator $
- preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
- telephoneNumber $ internationaliSDNNumber $
- facsimileTelephoneNumber $
- street $ postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ st $ l $ description ) )
-
-7.6. organizationalUnit
-
- ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou
- MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
- x121Address $ registeredAddress $ destinationIndicator $
- preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
- telephoneNumber $ internationaliSDNNumber $
- facsimileTelephoneNumber $
- street $ postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ st $ l $ description ) )
-
-7.7. person
-
- ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
- MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
-
-7.8. organizationalPerson
-
- ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
- MAY ( title $ x121Address $ registeredAddress $
- destinationIndicator $
- preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
- telephoneNumber $ internationaliSDNNumber $
-
-
-
-Wahl Standards Track [Page 15]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
- facsimileTelephoneNumber $
- street $ postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ ou $ st $ l ) )
-
-7.9. organizationalRole
-
- ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
- MAY ( x121Address $ registeredAddress $ destinationIndicator $
- preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
- telephoneNumber $ internationaliSDNNumber $
- facsimileTelephoneNumber $
- seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
- postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
-
-7.10. groupOfNames
-
- ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )
- MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
-
-7.11. residentialPerson
-
- ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l
- MAY ( businessCategory $ x121Address $ registeredAddress $
- destinationIndicator $ preferredDeliveryMethod $ telexNumber $
- teletexTerminalIdentifier $ telephoneNumber $
- internationaliSDNNumber $
- facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
- postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ st $ l ) )
-
-7.12. applicationProcess
-
- ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn
- MAY ( seeAlso $ ou $ l $ description ) )
-
-7.13. applicationEntity
-
- ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL
- MUST ( presentationAddress $ cn )
- MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
- description ) )
-
-7.14. dSA
-
- ( 2.5.6.13 NAME 'dSA' SUP applicationEntity STRUCTURAL
- MAY knowledgeInformation )
-
-
-
-
-Wahl Standards Track [Page 16]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-7.15. device
-
- ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn
- MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
-
-7.16. strongAuthenticationUser
-
- ( 2.5.6.15 NAME 'strongAuthenticationUser' SUP top AUXILIARY
- MUST userCertificate )
-
-7.17. certificationAuthority
-
- ( 2.5.6.16 NAME 'certificationAuthority' SUP top AUXILIARY
- MUST ( authorityRevocationList $ certificateRevocationList $
- cACertificate ) MAY crossCertificatePair )
-
-7.18. groupOfUniqueNames
-
- ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL
- MUST ( uniqueMember $ cn )
- MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
-
-7.19. userSecurityInformation
-
- ( 2.5.6.18 NAME 'userSecurityInformation' SUP top AUXILIARY
- MAY ( supportedAlgorithms ) )
-
-7.20. certificationAuthority-V2
-
- ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP
- certificationAuthority
- AUXILIARY MAY ( deltaRevocationList ) )
-
-7.21. cRLDistributionPoint
-
- ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL
- MUST ( cn ) MAY ( certificateRevocationList $
- authorityRevocationList $
- deltaRevocationList ) )
-
-7.22. dmd
-
- ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName )
- MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
- x121Address $ registeredAddress $ destinationIndicator $
- preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
- telephoneNumber $ internationaliSDNNumber $
- facsimileTelephoneNumber $
-
-
-
-Wahl Standards Track [Page 17]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
- street $ postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ st $ l $ description ) )
-
-8. Matching Rules
-
- Servers MAY implement additional matching rules.
-
-8.1. octetStringMatch
-
- Servers which implement the extensibleMatch filter SHOULD allow the
- matching rule listed in this section to be used in the
- extensibleMatch. In general these servers SHOULD allow matching
- rules to be used with all attribute types known to the server, when
- the assertion syntax of the matching rule is the same as the value
- syntax of the attribute.
-
- ( 2.5.13.17 NAME 'octetStringMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
-9. Security Considerations
-
- Attributes of directory entries are used to provide descriptive
- information about the real-world objects they represent, which can be
- people, organizations or devices. Most countries have privacy laws
- regarding the publication of information about people.
-
- Transfer of cleartext passwords are strongly discouraged where the
- underlying transport service cannot guarantee confidentiality and may
- result in disclosure of the password to unauthorized parties.
-
-10. Acknowledgements
-
- The definitions on which this document have been developed by
- committees for telecommunications and international standards. No
- new attribute definitions have been added. The syntax definitions
- are based on the ISODE "QUIPU" implementation of X.500.
-
-11. Bibliography
-
- [1] Wahl, M., Coulbeck, A., Howes, T., and S. Kille,
- "Lightweight X.500 Directory Access Protocol (v3): Attribute
- Syntax Definitions", RFC 2252, December 1997.
-
- [2] The Directory: Models. ITU-T Recommendation X.501, 1996.
-
- [3] The Directory: Authentication Framework. ITU-T Recommendation
- X.509, 1996.
-
-
-
-
-Wahl Standards Track [Page 18]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
- [4] The Directory: Selected Attribute Types. ITU-T Recommendation
- X.520, 1996.
-
- [5] The Directory: Selected Object Classes. ITU-T Recommendation
- X.521, 1996.
-
- [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", RFC 2119, March 1997.
-
-12. Author's Address
-
- Mark Wahl
- Critical Angle Inc.
- 4815 West Braker Lane #502-385
- Austin, TX 78759
- USA
-
- Phone: +1 512 372 3160
- EMail: M.Wahl@critical-angle.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl Standards Track [Page 19]
-
-RFC 2256 LDAPv3 Schema December 1997
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wahl Standards Track [Page 20]
-
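Review bot: this hunk deletes the only in-tree copy of the normative schema text (section 5 attribute types such as objectClass, cn, sn, userPassword and the ";binary" certificate and CRL attributes in 5.37-5.41 and 5.53-5.54; section 7 object classes such as top, person, groupOfNames and certificationAuthority) without saying where the definitions should now be read from, so the commit message should name the successor document or state that the text is being dropped as obsolete. The removal also takes out the two places that document the userPassword handling, 5.36 and section 9 (values stored unencrypted in Octet String syntax, cleartext transfer discouraged where the transport cannot guarantee confidentiality); make sure that caveat stays reachable from whatever reference replaces this file, since it is the one security constraint a server implementing this schema has to honour.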