From b86111fe83f531629c0d76584ea7217ac6fbffef Mon Sep 17 00:00:00 2001
From: Simo Sorce <idra@samba.org>
Date: Sat, 16 Jul 2005 16:12:14 +0000
Subject: r8514: add docs (This used to be commit
 876f0a095b8aa7060c62f91fc5715af1f1432e8b)

---
 source4/ldap_server/devdocs/rfc2251.txt | 2803 +++++++++++++++++++++++++++++++
 1 file changed, 2803 insertions(+)
 create mode 100644 source4/ldap_server/devdocs/rfc2251.txt

(limited to 'source4/ldap_server/devdocs')

diff --git a/source4/ldap_server/devdocs/rfc2251.txt b/source4/ldap_server/devdocs/rfc2251.txt
new file mode 100644
index 0000000000..88844cbf38
--- /dev/null
+++ b/source4/ldap_server/devdocs/rfc2251.txt
@@ -0,0 +1,2803 @@
+
+
+
+
+
+
+Network Working Group                                            M. Wahl
+Request for Comments: 2251                           Critical Angle Inc.
+Category: Standards Track                                       T. Howes
+                                           Netscape Communications Corp.
+                                                                S. Kille
+                                                           Isode Limited
+                                                           December 1997
+
+
+               Lightweight Directory Access Protocol (v3)
+
+1. Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (1997).  All Rights Reserved.
+
+IESG Note
+
+   This document describes a directory access protocol that provides
+   both read and update access.  Update access requires secure
+   authentication, but this document does not mandate implementation of
+   any satisfactory authentication mechanisms.
+
+   In accordance with RFC 2026, section 4.4.1, this specification is
+   being approved by IESG as a Proposed Standard despite this
+   limitation, for the following reasons:
+
+   a. to encourage implementation and interoperability testing of
+      these protocols (with or without update access) before they
+      are deployed, and
+
+   b. to encourage deployment and use of these protocols in read-only
+      applications.  (e.g. applications where LDAPv3 is used as
+      a query language for directories which are updated by some
+      secure mechanism other than LDAP), and
+
+   c. to avoid delaying the advancement and deployment of other Internet
+      standards-track protocols which require the ability to query, but
+      not update, LDAPv3 directory servers.
+
+
+
+
+
+Wahl, et. al.               Standards Track                     [Page 1]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   Readers are hereby warned that until mandatory authentication
+   mechanisms are standardized, clients and servers written according to
+   this specification which make use of update functionality are
+   UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
+   IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
+
+   Implementors are hereby discouraged from deploying LDAPv3 clients or
+   servers which implement the update functionality, until a Proposed
+   Standard for mandatory authentication in LDAPv3 has been approved and
+   published as an RFC.
+
+Table of Contents
+
+   1.  Status of this Memo ....................................  1
+       Copyright Notice .......................................  1
+       IESG Note ..............................................  1
+   2.  Abstract ...............................................  3
+   3.  Models .................................................  4
+   3.1. Protocol Model ........................................  4
+   3.2. Data Model ............................................  5
+   3.2.1. Attributes of Entries ...............................  5
+   3.2.2. Subschema Entries and Subentries ....................  7
+   3.3. Relationship to X.500 .................................  8
+   3.4. Server-specific Data Requirements .....................  8
+   4.  Elements of Protocol ...................................  9
+   4.1. Common Elements .......................................  9
+   4.1.1. Message Envelope ....................................  9
+   4.1.1.1. Message ID ........................................ 11
+   4.1.2. String Types ........................................ 11
+   4.1.3. Distinguished Name and Relative Distinguished Name .. 11
+   4.1.4. Attribute Type ...................................... 12
+   4.1.5. Attribute Description ............................... 13
+   4.1.5.1. Binary Option ..................................... 14
+   4.1.6. Attribute Value ..................................... 14
+   4.1.7. Attribute Value Assertion ........................... 15
+   4.1.8. Attribute ........................................... 15
+   4.1.9. Matching Rule Identifier ............................ 15
+   4.1.10. Result Message ..................................... 16
+   4.1.11. Referral ........................................... 18
+   4.1.12. Controls ........................................... 19
+   4.2. Bind Operation ........................................ 20
+   4.2.1. Sequencing of the Bind Request ...................... 21
+   4.2.2. Authentication and Other Security Services .......... 22
+   4.2.3. Bind Response ....................................... 23
+   4.3. Unbind Operation ...................................... 24
+   4.4. Unsolicited Notification .............................. 24
+   4.4.1. Notice of Disconnection ............................. 24
+   4.5. Search Operation ...................................... 25
+
+
+
+Wahl, et. al.               Standards Track                     [Page 2]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   4.5.1. Search Request ...................................... 25
+   4.5.2. Search Result ....................................... 29
+   4.5.3. Continuation References in the Search Result ........ 31
+   4.5.3.1. Example ........................................... 31
+   4.6. Modify Operation ...................................... 32
+   4.7. Add Operation ......................................... 34
+   4.8. Delete Operation ...................................... 35
+   4.9. Modify DN Operation ................................... 36
+   4.10. Compare Operation .................................... 37
+   4.11. Abandon Operation .................................... 38
+   4.12. Extended Operation ................................... 38
+   5.  Protocol Element Encodings and Transfer ................ 39
+   5.1. Mapping Onto BER-based Transport Services ............. 39
+   5.2. Transfer Protocols .................................... 40
+   5.2.1. Transmission Control Protocol (TCP) ................. 40
+   6.  Implementation Guidelines .............................. 40
+   6.1. Server Implementations ................................ 40
+   6.2. Client Implementations ................................ 40
+   7.  Security Considerations ................................ 41
+   8.  Acknowledgements ....................................... 41
+   9.  Bibliography ........................................... 41
+   10. Authors' Addresses ..................................... 42
+   Appendix A - Complete ASN.1 Definition ..................... 44
+   Full Copyright Statement ................................... 50
+
+2.  Abstract
+
+   The protocol described in this document is designed to provide access
+   to directories supporting the X.500 models, while not incurring the
+   resource requirements of the X.500 Directory Access Protocol (DAP).
+   This protocol is specifically targeted at management applications and
+   browser applications that provide read/write interactive access to
+   directories. When used with a directory supporting the X.500
+   protocols, it is intended to be a complement to the X.500 DAP.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  and "MAY" in this document
+   are to be interpreted as described in RFC 2119 [10].
+
+   Key aspects of this version of LDAP are:
+
+   - All protocol elements of LDAPv2 (RFC 1777) are supported. The
+     protocol is carried directly over TCP or other transport, bypassing
+     much of the session/presentation overhead of X.500 DAP.
+
+   - Most protocol data elements can be encoded as ordinary strings
+     (e.g., Distinguished Names).
+
+
+
+
+Wahl, et. al.               Standards Track                     [Page 3]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   - Referrals to other servers may be returned.
+
+   - SASL mechanisms may be used with LDAP to provide association
+     security services.
+
+   - Attribute values and Distinguished Names have been
+     internationalized through the use of the ISO 10646 character set.
+
+   - The protocol can be extended to support new operations, and
+     controls may be used to extend existing operations.
+
+   - Schema is published in the directory for use by clients.
+
+3.  Models
+
+   Interest in X.500 [1] directory technologies in the Internet has led
+   to efforts to reduce the high cost of entry associated with use of
+   these technologies.  This document continues the efforts to define
+   directory protocol alternatives, updating the LDAP [2] protocol
+   specification.
+
+3.1. Protocol Model
+
+   The general model adopted by this protocol is one of clients
+   performing protocol operations against servers. In this model, a
+   client transmits a protocol request describing the operation to be
+   performed to a server. The server is then responsible for performing
+   the necessary operation(s) in the directory. Upon completion of the
+   operation(s), the server returns a response containing any results or
+   errors to the requesting client.
+
+   In keeping with the goal of easing the costs associated with use of
+   the directory, it is an objective of this protocol to minimize the
+   complexity of clients so as to facilitate widespread deployment of
+   applications capable of using the directory.
+
+   Note that although servers are required to return responses whenever
+   such responses are defined in the protocol, there is no requirement
+   for synchronous behavior on the part of either clients or servers.
+   Requests and responses for multiple operations may be exchanged
+   between a client and server in any order, provided the client
+   eventually receives a response for every request that requires one.
+
+   In LDAP versions 1 and 2, no provision was made for protocol servers
+   returning referrals to clients.  However, for improved performance
+   and distribution this version of the protocol permits servers to
+   return to clients referrals to other servers.  This allows servers to
+   offload the work of contacting other servers to progress operations.
+
+
+
+Wahl, et. al.               Standards Track                     [Page 4]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   Note that the core protocol operations defined in this document can
+   be mapped to a strict subset of the X.500(1997) directory abstract
+   service, so it can be cleanly provided by the DAP.  However there is
+   not a one-to-one mapping between LDAP protocol operations and DAP
+   operations: server implementations acting as a gateway to X.500
+   directories may need to make multiple DAP requests.
+
+3.2. Data Model
+
+   This section provides a brief introduction to the X.500 data model,
+   as used by LDAP.
+
+   The LDAP protocol assumes there are one or more servers which jointly
+   provide access to a Directory Information Tree (DIT).  The tree is
+   made up of entries.  Entries have names: one or more attribute values
+   from the entry form its relative distinguished name (RDN), which MUST
+   be unique among all its siblings.  The concatenation of the relative
+   distinguished names of the sequence of entries from a particular
+   entry to an immediate subordinate of the root of the tree forms that
+   entry's Distinguished Name (DN), which is unique in the tree.  An
+   example of a Distinguished Name is
+
+   CN=Steve Kille, O=Isode Limited, C=GB
+
+   Some servers may hold cache or shadow copies of entries, which can be
+   used to answer search and comparison queries, but will return
+   referrals or contact other servers if modification operations are
+   requested.
+
+   Servers which perform caching or shadowing MUST ensure that they do
+   not violate any access control constraints placed on the data by the
+   originating server.
+
+   The largest collection of entries, starting at an entry that is
+   mastered by a particular server, and including all its subordinates
+   and their subordinates, down to the entries which are mastered by
+   different servers, is termed a naming context.  The root of the DIT
+   is a DSA-specific Entry (DSE) and not part of any naming context:
+   each server has different attribute values in the root DSE.  (DSA is
+   an X.500 term for the directory server).
+
+3.2.1. Attributes of Entries
+
+   Entries consist of a set of attributes.  An attribute is a type with
+   one or more associated values.  The attribute type is identified by a
+   short descriptive name and an OID (object identifier). The attribute
+
+
+
+
+
+Wahl, et. al.               Standards Track                     [Page 5]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   type governs whether there can be more than one value of an attribute
+   of that type in an entry, the syntax to which the values must
+   conform, the kinds of matching which can be performed on values of
+   that attribute, and other functions.
+
+   An example of an attribute is "mail". There may be one or more values
+   of this attribute, they must be IA5 (ASCII) strings, and they are
+   case insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").
+
+   Schema is the collection of attribute type definitions, object class
+   definitions and other information which a server uses to determine
+   how to match a filter or attribute value assertion (in a compare
+   operation) against the attributes of an entry, and whether to permit
+   add and modify operations.  The definition of schema for use with
+   LDAP is given in [5] and [6].  Additional schema elements may be
+   defined in other documents.
+
+   Each entry MUST have an objectClass attribute.  The objectClass
+   attribute specifies the object classes of an entry, which along with
+   the system and user schema determine the permitted attributes of an
+   entry.  Values of this attribute may be modified by clients, but the
+   objectClass attribute cannot be removed.  Servers may restrict the
+   modifications of this attribute to prevent the basic structural class
+   of the entry from being changed (e.g. one cannot change a person into
+   a country).  When creating an entry or adding an objectClass value to
+   an entry, all superclasses of the named classes are implicitly added
+   as well if not already present, and the client must supply values for
+   any mandatory attributes of new superclasses.
+
+   Some attributes, termed operational attributes, are used by servers
+   for administering the directory system itself.  They are not returned
+   in search results unless explicitly requested by name.  Attributes
+   which are not operational, such as "mail", will have their schema and
+   syntax constraints enforced by servers, but servers will generally
+   not make use of their values.
+
+   Servers MUST NOT permit clients to add attributes to an entry unless
+   those attributes are permitted by the object class definitions, the
+   schema controlling that entry (specified in the subschema - see
+   below), or are operational attributes known to that server and used
+   for administrative purposes.  Note that there is a particular
+   objectClass 'extensibleObject' defined in [5] which permits all user
+   attributes to be present in an entry.
+
+   Entries MAY contain, among others, the following operational
+   attributes, defined in [5]. These attributes are maintained
+   automatically by the server and are not modifiable by clients:
+
+
+
+
+Wahl, et. al.               Standards Track                     [Page 6]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   - creatorsName: the Distinguished Name of the user who added this
+     entry to the directory.
+
+   - createTimestamp: the time this entry was added to the directory.
+
+   - modifiersName: the Distinguished Name of the user who last modified
+     this entry.
+
+   - modifyTimestamp: the time this entry was last modified.
+
+   - subschemaSubentry:  the Distinguished Name of the subschema entry
+     (or subentry) which controls the schema for this entry.
+
+3.2.2. Subschema Entries and Subentries
+
+   Subschema entries are used for administering information about the
+   directory schema, in particular the object classes and attribute
+   types supported by directory servers.  A single subschema entry
+   contains all schema definitions used by entries in a particular part
+   of the directory tree.
+
+   Servers which follow X.500(93) models SHOULD implement subschema
+   using the X.500 subschema mechanisms, and so these subschemas are not
+   ordinary entries.  LDAP clients SHOULD NOT assume that servers
+   implement any of the other aspects of X.500 subschema.  A server
+   which masters entries and permits clients to modify these entries
+   MUST implement and provide access to these subschema entries, so that
+   its clients may discover the attributes and object classes which are
+   permitted to be present. It is strongly recommended that all other
+   servers implement this as well.
+
+   The following four attributes MUST be present in all subschema
+   entries:
+
+   - cn: this attribute MUST be used to form the RDN of the subschema
+     entry.
+
+   - objectClass: the attribute MUST have at least the values "top" and
+     "subschema".
+
+   - objectClasses: each value of this attribute specifies an object
+     class known to the server.
+
+   - attributeTypes: each value of this attribute specifies an attribute
+     type known to the server.
+
+   These are defined in [5]. Other attributes MAY be present in
+   subschema entries, to reflect additional supported capabilities.
+
+
+
+Wahl, et. al.               Standards Track                     [Page 7]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   These include matchingRules, matchingRuleUse, dITStructureRules,
+   dITContentRules, nameForms and ldapSyntaxes.
+
+   Servers SHOULD provide the attributes createTimestamp and
+   modifyTimestamp in subschema entries, in order to allow clients to
+   maintain their caches of schema information.
+
+   Clients MUST only retrieve attributes from a subschema entry by
+   requesting a base object search of the entry, where the search filter
+   is "(objectClass=subschema)". (This will allow LDAPv3 servers which
+   gateway to X.500(93) to detect that subentry information is being
+   requested.)
+
+3.3. Relationship to X.500
+
+   This document defines LDAP in terms of X.500 as an X.500 access
+   mechanism.  An LDAP server MUST act in accordance with the
+   X.500(1993) series of ITU recommendations when providing the service.
+   However, it is not required that an LDAP server make use of any X.500
+   protocols in providing this service, e.g. LDAP can be mapped onto any
+   other directory system so long as the X.500 data and service model as
+   used in LDAP is not violated in the LDAP interface.
+
+3.4. Server-specific Data Requirements
+
+   An LDAP server MUST provide information about itself and other
+   information that is specific to each server.  This is represented as
+   a group of attributes located in the root DSE (DSA-Specific Entry),
+   which is named with the zero-length LDAPDN.  These attributes are
+   retrievable if a client performs a base object search of the root
+   with filter "(objectClass=*)", however they are subject to access
+   control restrictions.  The root DSE MUST NOT be included if the
+   client performs a subtree search starting from the root.
+
+   Servers may allow clients to modify these attributes.
+
+   The following attributes of the root DSE are defined in section 5 of
+   [5].  Additional attributes may be defined in other documents.
+
+   - namingContexts: naming contexts held in the server. Naming contexts
+     are defined in section 17 of X.501 [6].
+
+   - subschemaSubentry: subschema entries (or subentries) known by this
+     server.
+
+   - altServer: alternative servers in case this one is later
+     unavailable.
+
+
+
+
+Wahl, et. al.               Standards Track                     [Page 8]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   - supportedExtension: list of supported extended operations.
+
+   - supportedControl: list of supported controls.
+
+   - supportedSASLMechanisms: list of supported SASL security features.
+
+   - supportedLDAPVersion: LDAP versions implemented by the server.
+
+   If the server does not master entries and does not know the locations
+   of schema information, the subschemaSubentry attribute is not present
+   in the root DSE.  If the server masters directory entries under one
+   or more schema rules, there may be any number of values of the
+   subschemaSubentry attribute in the root DSE.
+
+4.  Elements of Protocol
+
+   The LDAP protocol is described using Abstract Syntax Notation 1
+   (ASN.1) [3], and is typically transferred using a subset of ASN.1
+   Basic Encoding Rules [11]. In order to support future extensions to
+   this protocol, clients and servers MUST ignore elements of SEQUENCE
+   encodings whose tags they do not recognize.
+
+   Note that unlike X.500, each change to the LDAP protocol other than
+   through the extension mechanisms will have a different version
+   number.  A client will indicate the version it supports as part of
+   the bind request, described in section 4.2.  If a client has not sent
+   a bind, the server MUST assume that version 3 is supported in the
+   client (since version 2 required that the client bind first).
+
+   Clients may determine the protocol version a server supports by
+   reading the supportedLDAPVersion attribute from the root DSE. Servers
+   which implement version 3 or later versions MUST provide this
+   attribute.  Servers which only implement version 2 may not provide
+   this attribute.
+
+4.1. Common Elements
+
+   This section describes the LDAPMessage envelope PDU (Protocol Data
+   Unit) format, as well as data type definitions which are used in the
+   protocol operations.
+
+4.1.1. Message Envelope
+
+   For the purposes of protocol exchanges, all protocol operations are
+   encapsulated in a common envelope, the LDAPMessage, which is defined
+   as follows:
+
+        LDAPMessage ::= SEQUENCE {
+
+
+
+Wahl, et. al.               Standards Track                     [Page 9]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+                messageID       MessageID,
+                protocolOp      CHOICE {
+                        bindRequest     BindRequest,
+                        bindResponse    BindResponse,
+                        unbindRequest   UnbindRequest,
+                        searchRequest   SearchRequest,
+                        searchResEntry  SearchResultEntry,
+                        searchResDone   SearchResultDone,
+                        searchResRef    SearchResultReference,
+                        modifyRequest   ModifyRequest,
+                        modifyResponse  ModifyResponse,
+                        addRequest      AddRequest,
+                        addResponse     AddResponse,
+                        delRequest      DelRequest,
+                        delResponse     DelResponse,
+                        modDNRequest    ModifyDNRequest,
+                        modDNResponse   ModifyDNResponse,
+                        compareRequest  CompareRequest,
+                        compareResponse CompareResponse,
+                        abandonRequest  AbandonRequest,
+                        extendedReq     ExtendedRequest,
+                        extendedResp    ExtendedResponse },
+                 controls       [0] Controls OPTIONAL }
+
+        MessageID ::= INTEGER (0 .. maxInt)
+
+        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
+
+   The function of the LDAPMessage is to provide an envelope containing
+   common fields required in all protocol exchanges. At this time the
+   only common fields are the message ID and the controls.
+
+   If the server receives a PDU from the client in which the LDAPMessage
+   SEQUENCE tag cannot be recognized, the messageID cannot be parsed,
+   the tag of the protocolOp is not recognized as a request, or the
+   encoding structures or lengths of data fields are found to be
+   incorrect, then the server MUST return the notice of disconnection
+   described in section 4.4.1, with resultCode protocolError, and
+   immediately close the connection. In other cases that the server
+   cannot parse the request received by the client, the server MUST
+   return an appropriate response to the request, with the resultCode
+   set to protocolError.
+
+   If the client receives a PDU from the server which cannot be parsed,
+   the client may discard the PDU, or may abruptly close the connection.
+
+   The ASN.1 type Controls is defined in section 4.1.12.
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 10]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+4.1.1.1. Message ID
+
+   All LDAPMessage envelopes encapsulating responses contain the
+   messageID value of the corresponding request LDAPMessage.
+
+   The message ID of a request MUST have a value different from the
+   values of any other requests outstanding in the LDAP session of which
+   this message is a part.
+
+   A client MUST NOT send a second request with the same message ID as
+   an earlier request on the same connection if the client has not
+   received the final response from the earlier request.  Otherwise the
+   behavior is undefined.  Typical clients increment a counter for each
+   request.
+
+   A client MUST NOT reuse the message id of an abandonRequest or of the
+   abandoned operation until it has received a response from the server
+   for another request invoked subsequent to the abandonRequest, as the
+   abandonRequest itself does not have a response.
+
+4.1.2. String Types
+
+   The LDAPString is a notational convenience to indicate that, although
+   strings of LDAPString type encode as OCTET STRING types, the ISO
+   10646 [13] character set (a superset of Unicode) is used, encoded
+   following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm
+   characters which are the same as ASCII (0x0000 through 0x007F) are
+   represented as that same ASCII character in a single byte.  The other
+   byte values are used to form a variable-length encoding of an
+   arbitrary character.
+
+        LDAPString ::= OCTET STRING
+
+   The LDAPOID is a notational convenience to indicate that the
+   permitted value of this string is a (UTF-8 encoded) dotted-decimal
+   representation of an OBJECT IDENTIFIER.
+
+        LDAPOID ::= OCTET STRING
+
+   For example,
+
+        1.3.6.1.4.1.1466.1.2.3
+
+4.1.3. Distinguished Name and Relative Distinguished Name
+
+   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
+   representation of a Distinguished Name and a Relative Distinguished
+   Name after encoding according to the specification in [4], such that
+
+
+
+Wahl, et. al.               Standards Track                    [Page 11]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+        <distinguished-name> ::= <name>
+
+        <relative-distinguished-name> ::= <name-component>
+
+   where <name> and <name-component> are as defined in [4].
+
+        LDAPDN ::= LDAPString
+
+        RelativeLDAPDN ::= LDAPString
+
+   Only Attribute Types can be present in a relative distinguished name
+   component; the options of Attribute Descriptions (next section) MUST
+   NOT be used in specifying distinguished names.
+
+4.1.4. Attribute Type
+
+   An AttributeType takes on as its value the textual string associated
+   with that AttributeType in its specification.
+
+        AttributeType ::= LDAPString
+
+   Each attribute type has a unique OBJECT IDENTIFIER which has been
+   assigned to it.  This identifier may be written as decimal digits
+   with components separated by periods, e.g. "2.5.4.10".
+
+   A specification may also assign one or more textual names for an
+   attribute type.  These names MUST begin with a letter, and only
+   contain ASCII letters, digit characters and hyphens.  They are case
+   insensitive.  (These ASCII characters are identical to ISO 10646
+   characters whose UTF-8 encoding is a single byte between 0x00 and
+   0x7F.)
+
+   If the server has a textual name for an attribute type, it MUST use a
+   textual name for attributes returned in search results.  The dotted-
+   decimal OBJECT IDENTIFIER is only used if there is no textual name
+   for an attribute type.
+
+   Attribute type textual names are non-unique, as two different
+   specifications (neither in standards track RFCs) may choose the same
+   name.
+
+   A server which masters or shadows entries SHOULD list all the
+   attribute types it supports in the subschema entries, using the
+   attributeTypes attribute.  Servers which support an open-ended set of
+   attributes SHOULD include at least the attributeTypes value for the
+   'objectClass' attribute. Clients MAY retrieve the attributeTypes
+   value from subschema entries in order to obtain the OBJECT IDENTIFIER
+   and other information associated with attribute types.
+
+
+
+Wahl, et. al.               Standards Track                    [Page 12]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   Some attribute type names which are used in this version of LDAP are
+   described in [5].  Servers may implement additional attribute types.
+
+4.1.5. Attribute Description
+
+   An AttributeDescription is a superset of the definition of the
+   AttributeType.  It has the same ASN.1 definition, but allows
+   additional options to be specified.  They are also case insensitive.
+
+        AttributeDescription ::= LDAPString
+
+   A value of AttributeDescription is based on the following BNF:
+
+        <AttributeDescription> ::= <AttributeType> [ ";" <options> ]
+
+        <options>  ::= <option> | <option> ";" <options>
+
+        <option>   ::= <opt-char> <opt-char>*
+
+        <opt-char> ::=  ASCII-equivalent letters, numbers and hyphen
+
+   Examples of valid AttributeDescription:
+
+        cn
+        userCertificate;binary
+
+   One option, "binary", is defined in this document.  Additional
+   options may be defined in IETF standards-track and experimental RFCs.
+   Options beginning with "x-" are reserved for private experiments.
+   Any option could be associated with any AttributeType, although not
+   all combinations may be supported by a server.
+
+   An AttributeDescription with one or more options is treated as a
+   subtype of the attribute type without any options.  Options present
+   in an AttributeDescription are never mutually exclusive.
+   Implementations MUST generate the <options> list sorted in ascending
+   order, and servers MUST treat any two AttributeDescription with the
+   same AttributeType and options as equivalent.  A server will treat an
+   AttributeDescription with any options it does not implement as an
+   unrecognized attribute type.
+
+   The data type "AttributeDescriptionList" describes a list of 0 or
+   more attribute types.  (A list of zero elements has special
+   significance in the Search request.)
+
+        AttributeDescriptionList ::= SEQUENCE OF
+                AttributeDescription
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 13]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+4.1.5.1. Binary Option
+
+   If the "binary" option is present in an AttributeDescription, it
+   overrides any string-based encoding representation defined for that
+   attribute in [5]. Instead the attribute is to be transferred as a
+   binary value encoded using the Basic Encoding Rules [11].  The syntax
+   of the binary value is an ASN.1 data type definition which is
+   referenced by the "SYNTAX" part of the attribute type definition.
+
+   The presence or absence of the "binary" option only affects the
+   transfer of attribute values in protocol; servers store any
+   particular attribute in a single format.  If a client requests that a
+   server return an attribute in the binary format, but the server
+   cannot generate that format, the server MUST treat this attribute
+   type as an unrecognized attribute type.  Similarly, clients MUST NOT
+   expect servers to return an attribute in binary format if the client
+   requested that attribute by name without the binary option.
+
+   This option is intended to be used with attributes whose syntax is a
+   complex ASN.1 data type, and the structure of values of that type is
+   needed by clients.  Examples of this kind of syntax are "Certificate"
+   and "CertificateList".
+
+4.1.6. Attribute Value
+
+   A field of type AttributeValue takes on as its value either a string
+   encoding of a AttributeValue data type, or an OCTET STRING containing
+   an encoded binary value, depending on whether the "binary" option is
+   present in the companion AttributeDescription to this AttributeValue.
+
+   The definition of string encodings for different syntaxes and types
+   may be found in other documents, and in particular [5].
+
+        AttributeValue ::= OCTET STRING
+
+   Note that there is no defined limit on the size of this encoding;
+   thus protocol values may include multi-megabyte attributes (e.g.
+   photographs).
+
+   Attributes may be defined which have arbitrary and non-printable
+   syntax.  Implementations MUST NEITHER simply display nor attempt to
+   decode as ASN.1 a value if its syntax is not known.  The
+   implementation may attempt to discover the subschema of the source
+   entry, and retrieve the values of attributeTypes from it.
+
+   Clients MUST NOT send attribute values in a request which are not
+   valid according to the syntax defined for the attributes.
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 14]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+4.1.7. Attribute Value Assertion
+
+   The AttributeValueAssertion type definition is similar to the one in
+   the X.500 directory standards.  It contains an attribute description
+   and a matching rule assertion value suitable for that type.
+
+        AttributeValueAssertion ::= SEQUENCE {
+                attributeDesc   AttributeDescription,
+                assertionValue  AssertionValue }
+
+        AssertionValue ::= OCTET STRING
+
+   If the "binary" option is present in attributeDesc, this signals to
+   the server that the assertionValue is a binary encoding of the
+   assertion value.
+
+   For all the string-valued user attributes described in [5], the
+   assertion value syntax is the same as the value syntax.  Clients may
+   use attribute values as assertion values in compare requests and
+   search filters.
+
+   Note however that the assertion syntax may be different from the
+   value syntax for other attributes or for non-equality matching rules.
+   These may have an assertion syntax which contains only part of the
+   value.  See section 20.2.1.8 of X.501 [6] for examples.
+
+4.1.8. Attribute
+
+   An attribute consists of a type and one or more values of that type.
+   (Though attributes MUST have at least one value when stored, due to
+   access control restrictions the set may be empty when transferred in
+   protocol.  This is described in section 4.5.2, concerning the
+   PartialAttributeList type.)
+
+        Attribute ::= SEQUENCE {
+                type    AttributeDescription,
+                vals    SET OF AttributeValue }
+
+   Each attribute value is distinct in the set (no duplicates).  The
+   order of attribute values within the vals set is undefined and
+   implementation-dependent, and MUST NOT be relied upon.
+
+4.1.9. Matching Rule Identifier
+
+   A matching rule is a means of expressing how a server should compare
+   an AssertionValue received in a search filter with an abstract data
+   value.  The matching rule defines the syntax of the assertion value
+   and the process to be performed in the server.
+
+
+
+Wahl, et. al.               Standards Track                    [Page 15]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   An X.501(1993) Matching Rule is identified in the LDAP protocol by
+   the printable representation of its OBJECT IDENTIFIER, either as one
+   of the strings given in [5], or as decimal digits with components
+   separated by periods, e.g. "caseIgnoreIA5Match" or
+   "1.3.6.1.4.1.453.33.33".
+
+        MatchingRuleId ::= LDAPString
+
+   Servers which support matching rules for use in the extensibleMatch
+   search filter MUST list the matching rules they implement in
+   subschema entries, using the matchingRules attributes.  The server
+   SHOULD also list there, using the matchingRuleUse attribute, the
+   attribute types with which each matching rule can be used.  More
+   information is given in section 4.4 of [5].
+
+4.1.10. Result Message
+
+   The LDAPResult is the construct used in this protocol to return
+   success or failure indications from servers to clients. In response
+   to various requests servers will return responses containing fields
+   of type LDAPResult to indicate the final status of a protocol
+   operation request.
+
+        LDAPResult ::= SEQUENCE {
+                resultCode      ENUMERATED {
+                             success                      (0),
+                             operationsError              (1),
+                             protocolError                (2),
+                             timeLimitExceeded            (3),
+                             sizeLimitExceeded            (4),
+                             compareFalse                 (5),
+                             compareTrue                  (6),
+
+                             authMethodNotSupported       (7),
+                             strongAuthRequired           (8),
+                                        -- 9 reserved --
+                             referral                     (10),  -- new
+                             adminLimitExceeded           (11),  -- new
+                             unavailableCriticalExtension (12),  -- new
+                             confidentialityRequired      (13),  -- new
+                             saslBindInProgress           (14),  -- new
+                             noSuchAttribute              (16),
+                             undefinedAttributeType       (17),
+                             inappropriateMatching        (18),
+                             constraintViolation          (19),
+                             attributeOrValueExists       (20),
+                             invalidAttributeSyntax       (21),
+                                        -- 22-31 unused --
+
+
+
+Wahl, et. al.               Standards Track                    [Page 16]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+                             noSuchObject                 (32),
+                             aliasProblem                 (33),
+                             invalidDNSyntax              (34),
+                             -- 35 reserved for undefined isLeaf --
+                             aliasDereferencingProblem    (36),
+                                        -- 37-47 unused --
+                             inappropriateAuthentication  (48),
+                             invalidCredentials           (49),
+                             insufficientAccessRights     (50),
+                             busy                         (51),
+                             unavailable                  (52),
+                             unwillingToPerform           (53),
+                             loopDetect                   (54),
+                                        -- 55-63 unused --
+                             namingViolation              (64),
+                             objectClassViolation         (65),
+                             notAllowedOnNonLeaf          (66),
+                             notAllowedOnRDN              (67),
+                             entryAlreadyExists           (68),
+                             objectClassModsProhibited    (69),
+                                        -- 70 reserved for CLDAP --
+                             affectsMultipleDSAs          (71), -- new
+                                        -- 72-79 unused --
+                             other                        (80) },
+                             -- 81-90 reserved for APIs --
+                matchedDN       LDAPDN,
+                errorMessage    LDAPString,
+                referral        [3] Referral OPTIONAL }
+
+   All the result codes with the exception of success, compareFalse and
+   compareTrue are to be treated as meaning the operation could not be
+   completed in its entirety.
+
+   Most of the result codes are based on problem indications from X.511
+   error data types.  Result codes from 16 to 21 indicate an
+   AttributeProblem, codes 32, 33, 34 and 36 indicate a NameProblem,
+   codes 48, 49 and 50 indicate a SecurityProblem, codes 51 to 54
+   indicate a ServiceProblem, and codes 64 to 69 and 71 indicates an
+   UpdateProblem.
+
+   If a client receives a result code which is not listed above, it is
+   to be treated as an unknown error condition.
+
+   The errorMessage field of this construct may, at the server's option,
+   be used to return a string containing a textual, human-readable
+   (terminal control and page formatting characters should be avoided)
+   error diagnostic. As this error diagnostic is not standardized,
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 17]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   implementations MUST NOT rely on the values returned.  If the server
+   chooses not to return a textual diagnostic, the errorMessage field of
+   the LDAPResult type MUST contain a zero length string.
+
+   For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
+   aliasDereferencingProblem, the matchedDN field is set to the name of
+   the lowest entry (object or alias) in the directory that was matched.
+   If no aliases were dereferenced while attempting to locate the entry,
+   this will be a truncated form of the name provided, or if aliases
+   were dereferenced, of the resulting name, as defined in section 12.5
+   of X.511 [8]. The matchedDN field is to be set to a zero length
+   string with all other result codes.
+
+4.1.11. Referral
+
+   The referral error indicates that the contacted server does not hold
+   the target entry of the request.  The referral field is present in an
+   LDAPResult if the LDAPResult.resultCode field value is referral, and
+   absent with all other result codes.  It contains a reference to
+   another server (or set of servers) which may be accessed via LDAP or
+   other protocols.  Referrals can be returned in response to any
+   operation request (except unbind and abandon which do not have
+   responses). At least one URL MUST be present in the Referral.
+
+   The referral is not returned for a singleLevel or wholeSubtree search
+   in which the search scope spans multiple naming contexts, and several
+   different servers would need to be contacted to complete the
+   operation. Instead, continuation references, described in section
+   4.5.3, are returned.
+
+        Referral ::= SEQUENCE OF LDAPURL  -- one or more
+
+        LDAPURL ::= LDAPString -- limited to characters permitted in URLs
+
+   If the client wishes to progress the operation, it MUST follow the
+   referral by contacting any one of servers.  All the URLs MUST be
+   equally capable of being used to progress the operation.  (The
+   mechanisms for how this is achieved by multiple servers are outside
+   the scope of this document.)
+
+   URLs for servers implementing the LDAP protocol are written according
+   to [9].  If an alias was dereferenced, the <dn> part of the URL MUST
+   be present, with the new target object name.  If the <dn> part is
+   present, the client MUST use this name in its next request to
+   progress the operation, and if it is not present the client will use
+   the same name as in the original request.  Some servers (e.g.
+   participating in distributed indexing) may provide a different filter
+   in a referral for a search operation.  If the filter part of the URL
+
+
+
+Wahl, et. al.               Standards Track                    [Page 18]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   is present in an LDAPURL, the client MUST use this filter in its next
+   request to progress this search, and if it is not present the client
+   MUST use the same filter as it used for that search.  Other aspects
+   of the new request may be the same or different as the request which
+   generated the referral.
+
+   Note that UTF-8 characters appearing in a DN or search filter may not
+   be legal for URLs (e.g. spaces) and MUST be escaped using the %
+   method in RFC 1738 [7].
+
+   Other kinds of URLs may be returned, so long as the operation could
+   be performed using that protocol.
+
+4.1.12. Controls
+
+   A control is a way to specify extension information. Controls which
+   are sent as part of a request apply only to that request and are not
+   saved.
+
+        Controls ::= SEQUENCE OF Control
+
+        Control ::= SEQUENCE {
+                controlType             LDAPOID,
+                criticality             BOOLEAN DEFAULT FALSE,
+                controlValue            OCTET STRING OPTIONAL }
+
+   The controlType field MUST be a UTF-8 encoded dotted-decimal
+   representation of an OBJECT IDENTIFIER which uniquely identifies the
+   control.  This prevents conflicts between control names.
+
+   The criticality field is either TRUE or FALSE.
+
+   If the server recognizes the control type and it is appropriate for
+   the operation, the server will make use of the control when
+   performing the operation.
+
+   If the server does not recognize the control type and the criticality
+   field is TRUE, the server MUST NOT perform the operation, and MUST
+   instead return the resultCode unsupportedCriticalExtension.
+
+   If the control is not appropriate for the operation and criticality
+   field is TRUE, the server MUST NOT perform the operation, and MUST
+   instead return the resultCode unsupportedCriticalExtension.
+
+   If the control is unrecognized or inappropriate but the criticality
+   field is FALSE, the server MUST ignore the control.
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 19]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   The controlValue contains any information associated with the
+   control, and its format is defined for the control.  The server MUST
+   be prepared to handle arbitrary contents of the controlValue octet
+   string, including zero bytes.  It is absent only if there is no value
+   information which is associated with a control of its type.
+
+   This document does not define any controls.  Controls may be defined
+   in other documents.  The definition of a control consists of:
+
+     - the OBJECT IDENTIFIER assigned to the control,
+
+     - whether the control is always noncritical, always critical, or
+       critical at the client's option,
+
+     - the format of the controlValue contents of the control.
+
+   Servers list the controls which they recognize in the
+   supportedControl attribute in the root DSE.
+
+4.2. Bind Operation
+
+   The function of the Bind Operation is to allow authentication
+   information to be exchanged between the client and server.
+
+   The Bind Request is defined as follows:
+
+        BindRequest ::= [APPLICATION 0] SEQUENCE {
+                version                 INTEGER (1 .. 127),
+                name                    LDAPDN,
+                authentication          AuthenticationChoice }
+
+        AuthenticationChoice ::= CHOICE {
+                simple                  [0] OCTET STRING,
+                                         -- 1 and 2 reserved
+                sasl                    [3] SaslCredentials }
+
+        SaslCredentials ::= SEQUENCE {
+                mechanism               LDAPString,
+                credentials             OCTET STRING OPTIONAL }
+
+   Parameters of the Bind Request are:
+
+   - version: A version number indicating the version of the protocol to
+     be used in this protocol session.  This document describes version
+     3 of the LDAP protocol.  Note that there is no version negotiation,
+     and the client just sets this parameter to the version it desires.
+     If the client requests protocol version 2, a server that supports
+     the version 2 protocol as described in [2] will not return any v3-
+
+
+
+Wahl, et. al.               Standards Track                    [Page 20]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+     specific protocol fields.  (Note that not all LDAP servers will
+     support protocol version 2, since they may be unable to generate
+     the attribute syntaxes associated with version 2.)
+
+   - name: The name of the directory object that the client wishes to
+     bind as.  This field may take on a null value (a zero length
+     string) for the purposes of anonymous binds, when authentication
+     has been performed at a lower layer, or when using SASL credentials
+     with a mechanism that includes the LDAPDN in the credentials.
+
+   - authentication: information used to authenticate the name, if any,
+     provided in the Bind Request.
+
+   Upon receipt of a Bind Request, a protocol server will authenticate
+   the requesting client, if necessary.  The server will then return a
+   Bind Response to the client indicating the status of the
+   authentication.
+
+   Authorization is the use of this authentication information when
+   performing operations.  Authorization MAY be affected by factors
+   outside of the LDAP Bind request, such as lower layer security
+   services.
+
+4.2.1. Sequencing of the Bind Request
+
+   For some SASL authentication mechanisms, it may be necessary for the
+   client to invoke the BindRequest multiple times.  If at any stage the
+   client wishes to abort the bind process it MAY unbind and then drop
+   the underlying connection.  Clients MUST NOT invoke operations
+   between two Bind requests made as part of a multi-stage bind.
+
+   A client may abort a SASL bind negotiation by sending a BindRequest
+   with a different value in the mechanism field of SaslCredentials, or
+   an AuthenticationChoice other than sasl.
+
+   If the client sends a BindRequest with the sasl mechanism field as an
+   empty string, the server MUST return a BindResponse with
+   authMethodNotSupported as the resultCode.  This will allow clients to
+   abort a negotiation if it wishes to try again with the same SASL
+   mechanism.
+
+   Unlike LDAP v2, the client need not send a Bind Request in the first
+   PDU of the connection.  The client may request any operations and the
+   server MUST treat these as unauthenticated. If the server requires
+   that the client bind before browsing or modifying the directory, the
+   server MAY reject a request other than binding, unbinding or an
+   extended request with the "operationsError" result.
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 21]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   If the client did not bind before sending a request and receives an
+   operationsError, it may then send a Bind Request.  If this also fails
+   or the client chooses not to bind on the existing connection, it will
+   close the connection, reopen it and begin again by first sending a
+   PDU with a Bind Request.  This will aid in interoperating with
+   servers implementing other versions of LDAP.
+
+   Clients MAY send multiple bind requests on a connection to change
+   their credentials.  A subsequent bind process has the effect of
+   abandoning all operations outstanding on the connection.  (This
+   simplifies server implementation.)  Authentication from earlier binds
+   are subsequently ignored, and so if the bind fails, the connection
+   will be treated as anonymous. If a SASL transfer encryption or
+   integrity mechanism has been negotiated, and that mechanism does not
+   support the changing of credentials from one identity to another,
+   then the client MUST instead establish a new connection.
+
+4.2.2. Authentication and Other Security Services
+
+   The simple authentication option provides minimal authentication
+   facilities, with the contents of the authentication field consisting
+   only of a cleartext password.  Note that the use of cleartext
+   passwords is not recommended over open networks when there is no
+   authentication or encryption being performed by a lower layer; see
+   the "Security Considerations" section.
+
+   If no authentication is to be performed, then the simple
+   authentication option MUST be chosen, and the password be of zero
+   length.  (This is often done by LDAPv2 clients.)  Typically the DN is
+   also of zero length.
+
+   The sasl choice allows for any mechanism defined for use with SASL
+   [12].  The mechanism field contains the name of the mechanism.  The
+   credentials field contains the arbitrary data used for
+   authentication, inside an OCTET STRING wrapper.  Note that unlike
+   some Internet application protocols where SASL is used, LDAP is not
+   text-based, thus no base64 transformations are performed on the
+   credentials.
+
+   If any SASL-based integrity or confidentiality services are enabled,
+   they take effect following the transmission by the server and
+   reception by the client of the final BindResponse with resultCode
+   success.
+
+   The client can request that the server use authentication information
+   from a lower layer protocol by using the SASL EXTERNAL mechanism.
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 22]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+4.2.3. Bind Response
+
+   The Bind Response is defined as follows.
+
+        BindResponse ::= [APPLICATION 1] SEQUENCE {
+             COMPONENTS OF LDAPResult,
+             serverSaslCreds    [7] OCTET STRING OPTIONAL }
+
+    BindResponse consists simply of an indication from the server of he
+   status of the client's request for authentication.
+
+   f the bind was successful, the resultCode will be success, therwise
+   it will be one of:
+
+   - operationsError: server encountered an internal error,
+
+   - protocolError: unrecognized version number or incorrect PDU
+     structure,
+
+   - authMethodNotSupported: unrecognized SASL mechanism name,
+
+   - strongAuthRequired: the server requires authentication be
+     performed with a SASL mechanism,
+
+   - referral: this server cannot accept this bind and the client
+     should try another,
+
+   - saslBindInProgress: the server requires the client to send a
+     new bind request, with the same sasl mechanism, to continue the
+     authentication process,
+
+   - inappropriateAuthentication: the server requires the client
+     which had attempted to bind anonymously or without supplying
+     credentials to provide some form of credentials,
+
+   - invalidCredentials: the wrong password was supplied or the SASL
+     credentials could not be processed,
+
+   - unavailable: the server is shutting down.
+
+   If the server does not support the client's requested protocol
+   version, it MUST set the resultCode to protocolError.
+
+   If the client receives a BindResponse response where the resultCode
+   was protocolError, it MUST close the connection as the server will be
+   unwilling to accept further operations.  (This is for compatibility
+   with earlier versions of LDAP, in which the bind was always the first
+   operation, and there was no negotiation.)
+
+
+
+Wahl, et. al.               Standards Track                    [Page 23]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   The serverSaslCreds are used as part of a SASL-defined bind mechanism
+   to allow the client to authenticate the server to which it is
+   communicating, or to perform "challenge-response" authentication. If
+   the client bound with the password choice, or the SASL mechanism does
+   not require the server to return information to the client, then this
+   field is not to be included in the result.
+
+4.3. Unbind Operation
+
+   The function of the Unbind Operation is to terminate a protocol
+   session.  The Unbind Operation is defined as follows:
+
+        UnbindRequest ::= [APPLICATION 2] NULL
+
+   The Unbind Operation has no response defined. Upon transmission of an
+   UnbindRequest, a protocol client may assume that the protocol session
+   is terminated. Upon receipt of an UnbindRequest, a protocol server
+   may assume that the requesting client has terminated the session and
+   that all outstanding requests may be discarded, and may close the
+   connection.
+
+4.4. Unsolicited Notification
+
+   An unsolicited notification is an LDAPMessage sent from the server to
+   the client which is not in response to any LDAPMessage received by
+   the server. It is used to signal an extraordinary condition in the
+   server or in the connection between the client and the server.  The
+   notification is of an advisory nature, and the server will not expect
+   any response to be returned from the client.
+
+   The unsolicited notification is structured as an LDAPMessage in which
+   the messageID is 0 and protocolOp is of the extendedResp form.  The
+   responseName field of the ExtendedResponse is present. The LDAPOID
+   value MUST be unique for this notification, and not be used in any
+   other situation.
+
+   One unsolicited notification is defined in this document.
+
+4.4.1. Notice of Disconnection
+
+   This notification may be used by the server to advise the client that
+   the server is about to close the connection due to an error
+   condition.  Note that this notification is NOT a response to an
+   unbind requested by the client: the server MUST follow the procedures
+   of section 4.3. This notification is intended to assist clients in
+   distinguishing between an error condition and a transient network
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 24]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   failure.  As with a connection close due to network failure, the
+   client MUST NOT assume that any outstanding requests which modified
+   the directory have succeeded or failed.
+
+   The responseName is 1.3.6.1.4.1.1466.20036, the response field is
+   absent, and the resultCode is used to indicate the reason for the
+   disconnection.
+
+   The following resultCode values are to be used in this notification:
+
+   - protocolError: The server has received data from the client in
+   which
+     the LDAPMessage structure could not be parsed.
+
+   - strongAuthRequired: The server has detected that an established
+     underlying security association protecting communication between
+     the client and server has unexpectedly failed or been compromised.
+
+   - unavailable: This server will stop accepting new connections and
+     operations on all existing connections, and be unavailable for an
+     extended period of time.  The client may make use of an alternative
+     server.
+
+   After sending this notice, the server MUST close the connection.
+   After receiving this notice, the client MUST NOT transmit any further
+   on the connection, and may abruptly close the connection.
+
+4.5. Search Operation
+
+   The Search Operation allows a client to request that a search be
+   performed on its behalf by a server.  This can be used to read
+   attributes from a single entry, from entries immediately below a
+   particular entry, or a whole subtree of entries.
+
+4.5.1. Search Request
+
+   The Search Request is defined as follows:
+
+        SearchRequest ::= [APPLICATION 3] SEQUENCE {
+                baseObject      LDAPDN,
+                scope           ENUMERATED {
+                        baseObject              (0),
+                        singleLevel             (1),
+                        wholeSubtree            (2) },
+                derefAliases    ENUMERATED {
+                        neverDerefAliases       (0),
+                        derefInSearching        (1),
+                        derefFindingBaseObj     (2),
+
+
+
+Wahl, et. al.               Standards Track                    [Page 25]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+                        derefAlways             (3) },
+                sizeLimit       INTEGER (0 .. maxInt),
+                timeLimit       INTEGER (0 .. maxInt),
+                typesOnly       BOOLEAN,
+                filter          Filter,
+                attributes      AttributeDescriptionList }
+
+        Filter ::= CHOICE {
+                and             [0] SET OF Filter,
+                or              [1] SET OF Filter,
+                not             [2] Filter,
+                equalityMatch   [3] AttributeValueAssertion,
+                substrings      [4] SubstringFilter,
+                greaterOrEqual  [5] AttributeValueAssertion,
+                lessOrEqual     [6] AttributeValueAssertion,
+                present         [7] AttributeDescription,
+                approxMatch     [8] AttributeValueAssertion,
+                extensibleMatch [9] MatchingRuleAssertion }
+
+        SubstringFilter ::= SEQUENCE {
+                type            AttributeDescription,
+                -- at least one must be present
+                substrings      SEQUENCE OF CHOICE {
+                        initial [0] LDAPString,
+                        any     [1] LDAPString,
+                        final   [2] LDAPString } }
+
+        MatchingRuleAssertion ::= SEQUENCE {
+                matchingRule    [1] MatchingRuleId OPTIONAL,
+                type            [2] AttributeDescription OPTIONAL,
+                matchValue      [3] AssertionValue,
+                dnAttributes    [4] BOOLEAN DEFAULT FALSE }
+
+   Parameters of the Search Request are:
+
+   - baseObject: An LDAPDN that is the base object entry relative to
+     which the search is to be performed.
+
+   - scope: An indicator of the scope of the search to be performed. The
+     semantics of the possible values of this field are identical to the
+     semantics of the scope field in the X.511 Search Operation.
+
+   - derefAliases: An indicator as to how alias objects (as defined in
+     X.501) are to be handled in searching.  The semantics of the
+     possible values of this field are:
+
+             neverDerefAliases: do not dereference aliases in searching
+             or in locating the base object of the search;
+
+
+
+Wahl, et. al.               Standards Track                    [Page 26]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+             derefInSearching: dereference aliases in subordinates of
+             the base object in searching, but not in locating the
+             base object of the search;
+
+             derefFindingBaseObj: dereference aliases in locating
+             the base object of the search, but not when searching
+             subordinates of the base object;
+
+             derefAlways: dereference aliases both in searching and in
+             locating the base object of the search.
+
+   - sizelimit: A sizelimit that restricts the maximum number of entries
+     to be returned as a result of the search. A value of 0 in this
+     field indicates that no client-requested sizelimit restrictions are
+     in effect for the search.  Servers may enforce a maximum number of
+     entries to return.
+
+   - timelimit: A timelimit that restricts the maximum time (in seconds)
+     allowed for a search. A value of 0 in this field indicates that no
+     client-requested timelimit restrictions are in effect for the
+     search.
+
+   - typesOnly: An indicator as to whether search results will contain
+     both attribute types and values, or just attribute types.  Setting
+     this field to TRUE causes only attribute types (no values) to be
+     returned.  Setting this field to FALSE causes both attribute types
+     and values to be returned.
+
+   - filter: A filter that defines the conditions that must be fulfilled
+     in order for the search to match a given entry.
+
+     The 'and', 'or' and 'not' choices can be used to form combinations of
+     filters. At least one filter element MUST be present in an 'and' or
+     'or' choice.  The others match against individual attribute values of
+     entries in the scope of the search.  (Implementor's note: the 'not'
+     filter is an example of a tagged choice in an implicitly-tagged
+     module.  In BER this is treated as if the tag was explicit.)
+
+     A server MUST evaluate filters according to the three-valued logic
+     of X.511(93) section 7.8.1.  In summary, a filter is evaluated to
+     either "TRUE", "FALSE" or "Undefined".  If the filter evaluates
+     to TRUE for a particular entry, then the attributes of that entry
+     are returned as part of the search result (subject to any applicable
+     access control restrictions). If the filter evaluates to FALSE or
+     Undefined, then the entry is ignored for the search.
+
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 27]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+     A filter of the "and" choice is TRUE if all the filters in the SET
+     OF evaluate to TRUE, FALSE if at least one filter is FALSE, and
+     otherwise Undefined.  A filter of the "or" choice is FALSE if all
+     of the filters in the SET OF evaluate to FALSE, TRUE if at least
+     one filter is TRUE, and Undefined otherwise.  A filter of the "not"
+     choice is TRUE if the filter being negated is FALSE, FALSE if it is
+     TRUE, and Undefined if it is Undefined.
+
+     The present match evaluates to TRUE where there is an attribute or
+     subtype of the specified attribute description present in an entry,
+     and FALSE otherwise (including a presence test with an unrecognized
+     attribute description.)
+
+     The extensibleMatch is new in this version of LDAP.  If the
+     matchingRule field is absent, the type field MUST be present, and
+     the equality match is performed for that type.  If the type field is
+     absent and matchingRule is present, the matchValue is compared
+     against all attributes in an entry which support that matchingRule,
+     and the matchingRule determines the syntax for the assertion value
+     (the filter item evaluates to TRUE if it matches with at least
+     one attribute in the entry, FALSE if it does not match any attribute
+     in the entry, and Undefined if the matchingRule is not recognized
+     or the assertionValue cannot be parsed.)  If the type field is
+     present and matchingRule is present, the matchingRule MUST be one
+     permitted for use with that type, otherwise the filter item is
+     undefined.  If the dnAttributes field is set to TRUE, the match is
+     applied against all the attributes in an entry's distinguished name
+     as well, and also evaluates to TRUE if there is at least one
+     attribute in the distinguished name for which the filter item
+     evaluates to TRUE.  (Editors note: The dnAttributes field is present
+     so that there does not need to be multiple versions of generic
+     matching rules such as for word matching, one to apply to entries
+     and another to apply to entries and dn attributes as well).
+
+     A filter item evaluates to Undefined when the server would not
+     be able to determine whether the assertion value matches an
+     entry.  If an attribute description in an equalityMatch, substrings,
+     greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch
+     filter is not recognized by the server, a matching rule id in the
+     extensibleMatch is not recognized by the server, the assertion
+     value cannot be parsed, or the type of filtering requested is not
+     implemented, then the filter is Undefined.  Thus for example if a
+     server did not recognize the attribute type shoeSize, a filter of
+     (shoeSize=*) would evaluate to FALSE, and the filters (shoeSize=12),
+     (shoeSize>=12) and (shoeSize<=12) would evaluate to Undefined.
+
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 28]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+     Servers MUST NOT return errors if attribute descriptions or matching
+     rule ids are not recognized, or assertion values cannot be parsed.
+     More details of filter processing are given in section 7.8 of X.511
+     [8].
+
+   - attributes: A list of the attributes to be returned from each entry
+     which matches the search filter. There are two special values which
+     may be used: an empty list with no attributes, and the attribute
+     description string "*".  Both of these signify that all user
+     attributes are to be returned.  (The "*" allows the client to
+     request all user attributes in addition to specific operational
+     attributes).
+
+     Attributes MUST be named at most once in the list, and are returned
+     at most once in an entry.   If there are attribute descriptions in
+     the list which are not recognized, they are ignored by the server.
+
+     If the client does not want any attributes returned, it can specify
+     a list containing only the attribute with OID "1.1".  This OID was
+     chosen arbitrarily and does not correspond to any attribute in use.
+
+     Client implementors should note that even if all user attributes are
+     requested, some attributes of the entry may not be included in
+     search results due to access control or other restrictions.
+     Furthermore, servers will not return operational attributes, such
+     as objectClasses or attributeTypes, unless they are listed by name,
+     since there may be extremely large number of values for certain
+     operational attributes. (A list of operational attributes for use
+     in LDAP is given in [5].)
+
+   Note that an X.500 "list"-like operation can be emulated by the client
+   requesting a one-level LDAP search operation with a filter checking
+   for the existence of the objectClass attribute, and that an X.500
+   "read"-like operation can be emulated by a base object LDAP search
+   operation with the same filter.  A server which provides a gateway to
+   X.500 is not required to use the Read or List operations, although it
+   may choose to do so, and if it does must provide the same semantics
+   as the X.500 search operation.
+
+4.5.2. Search Result
+
+   The results of the search attempted by the server upon receipt of a
+   Search Request are returned in Search Responses, which are LDAP
+   messages containing either SearchResultEntry, SearchResultReference,
+   ExtendedResponse or SearchResultDone data types.
+
+        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
+                objectName      LDAPDN,
+
+
+
+Wahl, et. al.               Standards Track                    [Page 29]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+                attributes      PartialAttributeList }
+
+        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
+                type    AttributeDescription,
+                vals    SET OF AttributeValue }
+        -- implementors should note that the PartialAttributeList may
+        -- have zero elements (if none of the attributes of that entry
+        -- were requested, or could be returned), and that the vals set
+        -- may also have zero elements (if types only was requested, or
+        -- all values were excluded from the result.)
+
+        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
+        -- at least one LDAPURL element must be present
+
+        SearchResultDone ::= [APPLICATION 5] LDAPResult
+
+   Upon receipt of a Search Request, a server will perform the necessary
+   search of the DIT.
+
+   If the LDAP session is operating over a connection-oriented transport
+   such as TCP, the server will return to the client a sequence of
+   responses in separate LDAP messages.  There may be zero or more
+   responses containing SearchResultEntry, one for each entry found
+   during the search.  There may also be zero or more responses
+   containing SearchResultReference, one for each area not explored by
+   this server during the search.  The SearchResultEntry and
+   SearchResultReference PDUs may come in any order. Following all the
+   SearchResultReference responses and all SearchResultEntry responses
+   to be returned by the server, the server will return a response
+   containing the SearchResultDone, which contains an indication of
+   success, or detailing any errors that have occurred.
+
+   Each entry returned in a SearchResultEntry will contain all
+   attributes, complete with associated values if necessary, as
+   specified in the attributes field of the Search Request.  Return of
+   attributes is subject to access control and other administrative
+   policy.  Some attributes may be returned in binary format (indicated
+   by the AttributeDescription in the response having the binary option
+   present).
+
+   Some attributes may be constructed by the server and appear in a
+   SearchResultEntry attribute list, although they are not stored
+   attributes of an entry. Clients MUST NOT assume that all attributes
+   can be modified, even if permitted by access control.
+
+   LDAPMessage responses of the ExtendedResponse form are reserved for
+   returning information associated with a control requested by the
+   client.  These may be defined in future versions of this document.
+
+
+
+Wahl, et. al.               Standards Track                    [Page 30]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+4.5.3. Continuation References in the Search Result
+
+   If the server was able to locate the entry referred to by the
+   baseObject but was unable to search all the entries in the scope at
+   and under the baseObject, the server may return one or more
+   SearchResultReference, each containing a reference to another set of
+   servers for continuing the operation.  A server MUST NOT return any
+   SearchResultReference if it has not located the baseObject and
+   thus has not searched any entries; in this case it would return a
+   SearchResultDone containing a referral resultCode.
+
+   In the absence of indexing information provided to a server from
+   servers holding subordinate naming contexts, SearchResultReference
+   responses are not affected by search filters and are always returned
+   when in scope.
+
+   The SearchResultReference is of the same data type as the Referral.
+   URLs for servers implementing the LDAP protocol are written according
+   to [9].  The <dn> part MUST be present in the URL, with the new target
+   object name.  The client MUST use this name in its next request.
+   Some servers (e.g. part of a distributed index exchange system) may
+   provide a different filter in the URLs of the SearchResultReference.
+   If the filter part of the URL is present in an LDAP URL, the client
+   MUST use the new filter in its next request to progress the search,
+   and if the filter part is absent the client will use again the same
+   filter.  Other aspects of the new search request may be the same or
+   different as the search which generated the continuation references.
+
+   Other kinds of URLs may be returned so long as the operation could be
+   performed using that protocol.
+
+   The name of an unexplored subtree in a SearchResultReference need not
+   be subordinate to the base object.
+
+   In order to complete the search, the client MUST issue a new search
+   operation for each SearchResultReference that is returned.  Note that
+   the abandon operation described in section 4.11 applies only to a
+   particular operation sent on a connection between a client and server,
+   and if the client has multiple outstanding search operations to
+   different servers, it MUST abandon each operation individually.
+
+4.5.3.1. Example
+
+   For example, suppose the contacted server (hosta) holds the entry
+   "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW".  It knows that
+   either LDAP-capable servers (hostb) or (hostc) hold
+   "OU=People,O=MNN,C=WW" (one is the master and the other server a
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 31]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   shadow), and that LDAP-capable server (hostd) holds the subtree
+   "OU=Roles,O=MNN,C=WW".  If a subtree search of "O=MNN,C=WW" is
+   requested to the contacted server, it may return the following:
+
+     SearchResultEntry for O=MNN,C=WW
+     SearchResultEntry for CN=Manager,O=MNN,C=WW
+     SearchResultReference {
+       ldap://hostb/OU=People,O=MNN,C=WW
+       ldap://hostc/OU=People,O=MNN,C=WW
+     }
+     SearchResultReference {
+       ldap://hostd/OU=Roles,O=MNN,C=WW
+     }
+     SearchResultDone (success)
+
+   Client implementors should note that when following a
+   SearchResultReference, additional SearchResultReference may be
+   generated.  Continuing the example, if the client contacted the
+   server (hostb) and issued the search for the subtree
+   "OU=People,O=MNN,C=WW", the server might respond as follows:
+
+     SearchResultEntry for OU=People,O=MNN,C=WW
+     SearchResultReference {
+      ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
+     }
+     SearchResultReference {
+      ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
+     }
+     SearchResultDone (success)
+
+   If the contacted server does not hold the base object for the search,
+   then it will return a referral to the client.  For example, if the
+   client requests a subtree search of "O=XYZ,C=US" to hosta, the server
+   may return only a SearchResultDone containing a referral.
+
+     SearchResultDone (referral) {
+       ldap://hostg/
+     }
+
+4.6. Modify Operation
+
+   The Modify Operation allows a client to request that a modification
+   of an entry be performed on its behalf by a server.  The Modify
+   Request is defined as follows:
+
+        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
+                object          LDAPDN,
+                modification    SEQUENCE OF SEQUENCE {
+
+
+
+Wahl, et. al.               Standards Track                    [Page 32]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+                        operation       ENUMERATED {
+                                                add     (0),
+                                                delete  (1),
+                                                replace (2) },
+                        modification    AttributeTypeAndValues } }
+
+        AttributeTypeAndValues ::= SEQUENCE {
+                type    AttributeDescription,
+                vals    SET OF AttributeValue }
+
+   Parameters of the Modify Request are:
+
+   - object: The object to be modified. The value of this field contains
+     the DN of the entry to be modified.  The server will not perform
+     any alias dereferencing in determining the object to be modified.
+
+   - modification: A list of modifications to be performed on the entry.
+     The entire list of entry modifications MUST be performed
+     in the order they are listed, as a single atomic operation.  While
+     individual modifications may violate the directory schema, the
+     resulting entry after the entire list of modifications is performed
+     MUST conform to the requirements of the directory schema. The
+     values that may be taken on by the 'operation' field in each
+     modification construct have the following semantics respectively:
+
+             add: add values listed to the given attribute, creating
+             the attribute if necessary;
+
+             delete: delete values listed from the given attribute,
+             removing the entire attribute if no values are listed, or
+             if all current values of the attribute are listed for
+             deletion;
+
+             replace: replace all existing values of the given attribute
+             with the new values listed, creating the attribute if it
+             did not already exist.  A replace with no value will delete
+             the entire attribute if it exists, and is ignored if the
+             attribute does not exist.
+
+   The result of the modify attempted by the server upon receipt of a
+   Modify Request is returned in a Modify Response, defined as follows:
+
+        ModifyResponse ::= [APPLICATION 7] LDAPResult
+
+   Upon receipt of a Modify Request, a server will perform the necessary
+   modifications to the DIT.
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 33]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   The server will return to the client a single Modify Response
+   indicating either the successful completion of the DIT modification,
+   or the reason that the modification failed. Note that due to the
+   requirement for atomicity in applying the list of modifications in
+   the Modify Request, the client may expect that no modifications of
+   the DIT have been performed if the Modify Response received indicates
+   any sort of error, and that all requested modifications have been
+   performed if the Modify Response indicates successful completion of
+   the Modify Operation.  If the connection fails, whether the
+   modification occurred or not is indeterminate.
+
+   The Modify Operation cannot be used to remove from an entry any of
+   its distinguished values, those values which form the entry's
+   relative distinguished name.  An attempt to do so will result in the
+   server returning the error notAllowedOnRDN.  The Modify DN Operation
+   described in section 4.9 is used to rename an entry.
+
+   If an equality match filter has not been defined for an attribute type,
+   clients MUST NOT attempt to delete individual values of that attribute
+   from an entry using the "delete" form of a modification, and MUST
+   instead use the "replace" form.
+
+   Note that due to the simplifications made in LDAP, there is not a
+   direct mapping of the modifications in an LDAP ModifyRequest onto the
+   EntryModifications of a DAP ModifyEntry operation, and different
+   implementations of LDAP-DAP gateways may use different means of
+   representing the change.  If successful, the final effect of the
+   operations on the entry MUST be identical.
+
+4.7. Add Operation
+
+   The Add Operation allows a client to request the addition of an entry
+   into the directory. The Add Request is defined as follows:
+
+        AddRequest ::= [APPLICATION 8] SEQUENCE {
+                entry           LDAPDN,
+                attributes      AttributeList }
+
+        AttributeList ::= SEQUENCE OF SEQUENCE {
+                type    AttributeDescription,
+                vals    SET OF AttributeValue }
+
+   Parameters of the Add Request are:
+
+   - entry: the Distinguished Name of the entry to be added. Note that
+     the server will not dereference any aliases in locating the entry
+     to be added.
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 34]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   - attributes: the list of attributes that make up the content of the
+     entry being added.  Clients MUST include distinguished values
+     (those forming the entry's own RDN) in this list, the objectClass
+     attribute, and values of any mandatory attributes of the listed
+     object classes.  Clients MUST NOT supply the createTimestamp or
+     creatorsName attributes, since these will be generated
+     automatically by the server.
+
+   The entry named in the entry field of the AddRequest MUST NOT exist
+   for the AddRequest to succeed.  The parent of the entry to be added
+   MUST exist.  For example, if the client attempted to add
+   "CN=JS,O=Foo,C=US", the "O=Foo,C=US" entry did not exist, and the
+   "C=US" entry did exist, then the server would return the error
+   noSuchObject with the matchedDN field containing "C=US".  If the
+   parent entry exists but is not in a naming context held by the
+   server, the server SHOULD return a referral to the server holding the
+   parent entry.
+
+   Servers implementations SHOULD NOT restrict where entries can be
+   located in the directory.  Some servers MAY allow the administrator
+   to restrict the classes of entries which can be added to the
+   directory.
+
+   Upon receipt of an Add Request, a server will attempt to perform the
+   add requested.  The result of the add attempt will be returned to the
+   client in the Add Response, defined as follows:
+
+        AddResponse ::= [APPLICATION 9] LDAPResult
+
+   A response of success indicates that the new entry is present in the
+   directory.
+
+4.8. Delete Operation
+
+   The Delete Operation allows a client to request the removal of an
+   entry from the directory. The Delete Request is defined as follows:
+
+        DelRequest ::= [APPLICATION 10] LDAPDN
+
+   The Delete Request consists of the Distinguished Name of the entry to
+   be deleted. Note that the server will not dereference aliases while
+   resolving the name of the target entry to be removed, and that only
+   leaf entries (those with no subordinate entries) can be deleted with
+   this operation.
+
+   The result of the delete attempted by the server upon receipt of a
+   Delete Request is returned in the Delete Response, defined as
+   follows:
+
+
+
+Wahl, et. al.               Standards Track                    [Page 35]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+        DelResponse ::= [APPLICATION 11] LDAPResult
+
+   Upon receipt of a Delete Request, a server will attempt to perform
+   the entry removal requested. The result of the delete attempt will be
+   returned to the client in the Delete Response.
+
+4.9. Modify DN Operation
+
+   The Modify DN Operation allows a client to change the leftmost (least
+   significant) component of the name of an entry in the directory, or
+   to move a subtree of entries to a new location in the directory.  The
+   Modify DN Request is defined as follows:
+
+        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
+                entry           LDAPDN,
+                newrdn          RelativeLDAPDN,
+                deleteoldrdn    BOOLEAN,
+                newSuperior     [0] LDAPDN OPTIONAL }
+
+   Parameters of the Modify DN Request are:
+
+   - entry: the Distinguished Name of the entry to be changed.  This
+     entry may or may not have subordinate entries.
+
+   - newrdn: the RDN that will form the leftmost component of the new
+     name of the entry.
+
+   - deleteoldrdn: a boolean parameter that controls whether the old RDN
+     attribute values are to be retained as attributes of the entry, or
+     deleted from the entry.
+
+   - newSuperior: if present, this is the Distinguished Name of the entry
+     which becomes the immediate superior of the existing entry.
+
+   The result of the name change attempted by the server upon receipt of
+   a Modify DN Request is returned in the Modify DN Response, defined
+   as follows:
+
+        ModifyDNResponse ::= [APPLICATION 13] LDAPResult
+
+   Upon receipt of a ModifyDNRequest, a server will attempt to
+   perform the name change. The result of the name change attempt will
+   be returned to the client in the Modify DN Response.
+
+   For example, if the entry named in the "entry" parameter was
+   "cn=John Smith,c=US", the newrdn parameter was "cn=John Cougar Smith",
+   and the newSuperior parameter was absent, then this operation would
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 36]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   attempt to rename the entry to be "cn=John Cougar Smith,c=US".  If
+   there was already an entry with that name, the operation would fail
+   with error code entryAlreadyExists.
+
+   If the deleteoldrdn parameter is TRUE, the values forming the old
+   RDN are deleted from the entry.  If the deleteoldrdn parameter is
+   FALSE, the values forming the old RDN will be retained as
+   non-distinguished attribute values of the entry.  The server may
+   not perform the operation and return an error code if the setting of
+   the deleteoldrdn parameter would cause a schema inconsistency in the
+   entry.
+
+   Note that X.500 restricts the ModifyDN operation to only affect
+   entries that are contained within a single server.  If the LDAP
+   server is mapped onto DAP, then this restriction will apply, and the
+   resultCode affectsMultipleDSAs will be returned if this error
+   occurred.  In general clients MUST NOT expect to be able to perform
+   arbitrary movements of entries and subtrees between servers.
+
+4.10. Compare Operation
+
+   The Compare Operation allows a client to compare an assertion
+   provided with an entry in the directory. The Compare Request is
+   defined as follows:
+
+        CompareRequest ::= [APPLICATION 14] SEQUENCE {
+                entry           LDAPDN,
+                ava             AttributeValueAssertion }
+
+   Parameters of the Compare Request are:
+
+   - entry: the name of the entry to be compared with.
+
+   - ava: the assertion with which an attribute in the entry is to be
+     compared.
+
+   The result of the compare attempted by the server upon receipt of a
+   Compare Request is returned in the Compare Response, defined as
+   follows:
+
+        CompareResponse ::= [APPLICATION 15] LDAPResult
+
+   Upon receipt of a Compare Request, a server will attempt to perform
+   the requested comparison. The result of the comparison will be
+   returned to the client in the Compare Response. Note that errors and
+   the result of comparison are all returned in the same construct.
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 37]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   Note that some directory systems may establish access controls which
+   permit the values of certain attributes (such as userPassword) to be
+   compared but not read.  In a search result, it may be that an
+   attribute of that type would be returned, but with an empty set of
+   values.
+
+4.11. Abandon Operation
+
+   The function of the Abandon Operation is to allow a client to request
+   that the server abandon an outstanding operation.  The Abandon
+   Request is defined as follows:
+
+        AbandonRequest ::= [APPLICATION 16] MessageID
+
+   The MessageID MUST be that of a an operation which was requested
+   earlier in this connection.
+
+   (The abandon request itself has its own message id.  This is distinct
+    from the id of the earlier operation being abandoned.)
+
+   There is no response defined in the Abandon Operation. Upon
+   transmission of an Abandon Operation, a client may expect that the
+   operation identified by the Message ID in the Abandon Request has
+   been abandoned. In the event that a server receives an Abandon
+   Request on a Search Operation in the midst of transmitting responses
+   to the search, that server MUST cease transmitting entry responses to
+   the abandoned request immediately, and MUST NOT send the
+   SearchResponseDone.  Of course, the server MUST ensure that only
+   properly encoded LDAPMessage PDUs are transmitted.
+
+   Clients MUST NOT send abandon requests for the same operation
+   multiple times, and MUST also be prepared to receive results from
+   operations it has abandoned (since these may have been in transit
+   when the abandon was requested).
+
+   Servers MUST discard abandon requests for message IDs they do not
+   recognize, for operations which cannot be abandoned, and for
+   operations which have already been abandoned.
+
+4.12. Extended Operation
+
+   An extension mechanism has been added in this version of LDAP, in
+   order to allow additional operations to be defined for services not
+   available elsewhere in this protocol, for instance digitally signed
+   operations and results.
+
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 38]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   The extended operation allows clients to make requests and receive
+   responses with predefined syntaxes and semantics.  These may be
+   defined in RFCs or be private to particular implementations.  Each
+   request MUST have a unique OBJECT IDENTIFIER assigned to it.
+
+        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
+                requestName      [0] LDAPOID,
+                requestValue     [1] OCTET STRING OPTIONAL }
+
+   The requestName is a dotted-decimal representation of the OBJECT
+   IDENTIFIER corresponding to the request. The requestValue is
+   information in a form defined by that request, encapsulated inside an
+   OCTET STRING.
+
+   The server will respond to this with an LDAPMessage containing the
+   ExtendedResponse.
+
+        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
+                COMPONENTS OF LDAPResult,
+                responseName     [10] LDAPOID OPTIONAL,
+                response         [11] OCTET STRING OPTIONAL }
+
+   If the server does not recognize the request name, it MUST return
+   only the response fields from LDAPResult, containing the
+   protocolError result code.
+
+5.  Protocol Element Encodings and Transfer
+
+   One underlying service is defined here.  Clients and servers SHOULD
+   implement the mapping of LDAP over TCP described in 5.2.1.
+
+5.1. Mapping Onto BER-based Transport Services
+
+   The protocol elements of LDAP are encoded for exchange using the
+   Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
+   high overhead involved in using certain elements of the BER, the
+   following additional restrictions are placed on BER-encodings of LDAP
+   protocol elements:
+
+   (1) Only the definite form of length encoding will be used.
+
+   (2) OCTET STRING values will be encoded in the primitive form only.
+
+   (3) If the value of a BOOLEAN type is true, the encoding MUST have
+       its contents octets set to hex "FF".
+
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 39]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   (4) If a value of a type is its default value, it MUST be absent.
+       Only some BOOLEAN and INTEGER types have default values in this
+       protocol definition.
+
+   These restrictions do not apply to ASN.1 types encapsulated inside of
+   OCTET STRING values, such as attribute values, unless otherwise
+   noted.
+
+5.2. Transfer Protocols
+
+   This protocol is designed to run over connection-oriented, reliable
+   transports, with all 8 bits in an octet being significant in the data
+   stream.
+
+5.2.1. Transmission Control Protocol (TCP)
+
+   The LDAPMessage PDUs are mapped directly onto the TCP bytestream.  It
+   is recommended that server implementations running over the TCP MAY
+   provide a protocol listener on the assigned port, 389.  Servers may
+   instead provide a listener on a different port number. Clients MUST
+   support contacting servers on any valid TCP port.
+
+6.  Implementation Guidelines
+
+   This document describes an Internet protocol.
+
+6.1. Server Implementations
+
+   The server MUST be capable of recognizing all the mandatory attribute
+   type names and implement the syntaxes specified in [5].  Servers MAY
+   also recognize additional attribute type names.
+
+6.2. Client Implementations
+
+   Clients which request referrals MUST ensure that they do not loop
+   between servers. They MUST NOT repeatedly contact the same server for
+   the same request with the same target entry name, scope and filter.
+   Some clients may be using a counter that is incremented each time
+   referral handling occurs for an operation, and these kinds of clients
+   MUST be able to handle a DIT with at least ten layers of naming
+   contexts between the root and a leaf entry.
+
+   In the absence of prior agreements with servers, clients SHOULD NOT
+   assume that servers support any particular schemas beyond those
+   referenced in section 6.1. Different schemas can have different
+   attribute types with the same names.  The client can retrieve the
+   subschema entries referenced by the subschemaSubentry attribute in
+   the server's root DSE or in entries held by the server.
+
+
+
+Wahl, et. al.               Standards Track                    [Page 40]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+7.  Security Considerations
+
+   When used with a connection-oriented transport, this version of the
+   protocol provides facilities for the LDAP v2 authentication
+   mechanism, simple authentication using a cleartext password, as well
+   as any SASL mechanism [12].  SASL allows for integrity and privacy
+   services to be negotiated.
+
+   It is also permitted that the server can return its credentials to
+   the client, if it chooses to do so.
+
+   Use of cleartext password is strongly discouraged where the
+   underlying transport service cannot guarantee confidentiality and may
+   result in disclosure of the password to unauthorized parties.
+
+   When used with SASL, it should be noted that the name field of the
+   BindRequest is not protected against modification.  Thus if the
+   distinguished name of the client (an LDAPDN) is agreed through the
+   negotiation of the credentials, it takes precedence over any value in
+   the unprotected name field.
+
+   Implementations which cache attributes and entries obtained via LDAP
+   MUST ensure that access controls are maintained if that information
+   is to be provided to multiple clients, since servers may have access
+   control policies which prevent the return of entries or attributes in
+   search results except to particular authenticated clients.  For
+   example, caches could serve result information only to the client
+   whose request caused it to be cache.
+
+8.  Acknowledgements
+
+   This document is an update to RFC 1777, by Wengyik Yeong, Tim Howes,
+   and Steve Kille.  Design ideas included in this document are based on
+   those discussed in ASID and other IETF Working Groups.  The
+   contributions of individuals in these working groups is gratefully
+   acknowledged.
+
+9.  Bibliography
+
+   [1] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models
+       and Service",  1993.
+
+   [2] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory Access
+       Protocol", RFC 1777, March 1995.
+
+   [3] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
+       Specification of Basic Notation", 1994.
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 41]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   [4] Kille, S., Wahl, M., and T. Howes, "Lightweight Directory Access
+       Protocol (v3): UTF-8 String Representation of Distinguished
+       Names", RFC 2253, December 1997.
+
+   [5] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
+       Directory Access Protocol (v3): Attribute Syntax Definitions",
+       RFC 2252, December 1997.
+
+   [6] ITU-T Rec. X.501, "The Directory: Models", 1993.
+
+   [7] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
+       Resource  Locators (URL)", RFC 1738, December 1994.
+
+   [8] ITU-T Rec. X.511, "The Directory: Abstract Service Definition",
+       1993.
+
+   [9] Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
+       December 1997.
+
+   [10] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", RFC 2119, March 1997.
+
+   [11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic,
+        Canonical, and Distinguished Encoding Rules", 1994.
+
+   [12] Meyers, J., "Simple Authentication and Security Layer",
+        RFC 2222, October 1997.
+
+   [13] Universal Multiple-Octet Coded Character Set (UCS) -
+        Architecture and Basic Multilingual Plane, ISO/IEC 10646-1 :
+        1993.
+
+   [14] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
+        10646", RFC 2044, October 1996.
+
+10. Authors' Addresses
+
+   Mark Wahl
+   Critical Angle Inc.
+   4815 W Braker Lane #502-385
+   Austin, TX 78759
+   USA
+
+   Phone:  +1 512 372-3160
+   EMail:  M.Wahl@critical-angle.com
+
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 42]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+   Tim Howes
+   Netscape Communications Corp.
+   501 E. Middlefield Rd., MS MV068
+   Mountain View, CA 94043
+   USA
+
+   Phone:  +1 650 937-3419
+   EMail:   howes@netscape.com
+
+   Steve Kille
+   Isode Limited
+   The Dome, The Square
+   Richmond
+   TW9 1DT
+   UK
+
+   Phone:  +44-181-332-9091
+   EMail:  S.Kille@isode.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 43]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+Appendix A - Complete ASN.1 Definition
+
+        Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
+        IMPLICIT TAGS ::=
+
+        BEGIN
+
+        LDAPMessage ::= SEQUENCE {
+                messageID       MessageID,
+                protocolOp      CHOICE {
+                        bindRequest     BindRequest,
+                        bindResponse    BindResponse,
+                        unbindRequest   UnbindRequest,
+                        searchRequest   SearchRequest,
+                        searchResEntry  SearchResultEntry,
+                        searchResDone   SearchResultDone,
+                        searchResRef    SearchResultReference,
+                        modifyRequest   ModifyRequest,
+                        modifyResponse  ModifyResponse,
+                        addRequest      AddRequest,
+                        addResponse     AddResponse,
+                        delRequest      DelRequest,
+                        delResponse     DelResponse,
+                        modDNRequest    ModifyDNRequest,
+                        modDNResponse   ModifyDNResponse,
+                        compareRequest  CompareRequest,
+                        compareResponse CompareResponse,
+                        abandonRequest  AbandonRequest,
+                        extendedReq     ExtendedRequest,
+                        extendedResp    ExtendedResponse },
+                 controls       [0] Controls OPTIONAL }
+
+        MessageID ::= INTEGER (0 .. maxInt)
+
+        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
+
+        LDAPString ::= OCTET STRING
+
+        LDAPOID ::= OCTET STRING
+
+        LDAPDN ::= LDAPString
+
+        RelativeLDAPDN ::= LDAPString
+
+        AttributeType ::= LDAPString
+
+        AttributeDescription ::= LDAPString
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 44]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+        AttributeDescriptionList ::= SEQUENCE OF
+                AttributeDescription
+
+        AttributeValue ::= OCTET STRING
+
+        AttributeValueAssertion ::= SEQUENCE {
+                attributeDesc   AttributeDescription,
+                assertionValue  AssertionValue }
+
+        AssertionValue ::= OCTET STRING
+
+        Attribute ::= SEQUENCE {
+                type    AttributeDescription,
+                vals    SET OF AttributeValue }
+
+        MatchingRuleId ::= LDAPString
+
+        LDAPResult ::= SEQUENCE {
+                resultCode      ENUMERATED {
+                             success                      (0),
+                             operationsError              (1),
+                             protocolError                (2),
+                             timeLimitExceeded            (3),
+                             sizeLimitExceeded            (4),
+                             compareFalse                 (5),
+                             compareTrue                  (6),
+                             authMethodNotSupported       (7),
+                             strongAuthRequired           (8),
+                                        -- 9 reserved --
+                             referral                     (10),  -- new
+                             adminLimitExceeded           (11),  -- new
+                             unavailableCriticalExtension (12),  -- new
+                             confidentialityRequired      (13),  -- new
+                             saslBindInProgress           (14),  -- new
+                             noSuchAttribute              (16),
+                             undefinedAttributeType       (17),
+                             inappropriateMatching        (18),
+                             constraintViolation          (19),
+                             attributeOrValueExists       (20),
+                             invalidAttributeSyntax       (21),
+                                        -- 22-31 unused --
+                             noSuchObject                 (32),
+                             aliasProblem                 (33),
+                             invalidDNSyntax              (34),
+                             -- 35 reserved for undefined isLeaf --
+                             aliasDereferencingProblem    (36),
+                                        -- 37-47 unused --
+                             inappropriateAuthentication  (48),
+
+
+
+Wahl, et. al.               Standards Track                    [Page 45]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+                             invalidCredentials           (49),
+                             insufficientAccessRights     (50),
+                             busy                         (51),
+                             unavailable                  (52),
+                             unwillingToPerform           (53),
+                             loopDetect                   (54),
+                                        -- 55-63 unused --
+                             namingViolation              (64),
+                             objectClassViolation         (65),
+                             notAllowedOnNonLeaf          (66),
+                             notAllowedOnRDN              (67),
+                             entryAlreadyExists           (68),
+                             objectClassModsProhibited    (69),
+                                        -- 70 reserved for CLDAP --
+                             affectsMultipleDSAs          (71), -- new
+                                        -- 72-79 unused --
+                             other                        (80) },
+                             -- 81-90 reserved for APIs --
+                matchedDN       LDAPDN,
+                errorMessage    LDAPString,
+                referral        [3] Referral OPTIONAL }
+
+        Referral ::= SEQUENCE OF LDAPURL
+
+        LDAPURL ::= LDAPString -- limited to characters permitted in URLs
+
+        Controls ::= SEQUENCE OF Control
+
+        Control ::= SEQUENCE {
+                controlType             LDAPOID,
+                criticality             BOOLEAN DEFAULT FALSE,
+                controlValue            OCTET STRING OPTIONAL }
+
+        BindRequest ::= [APPLICATION 0] SEQUENCE {
+                version                 INTEGER (1 .. 127),
+                name                    LDAPDN,
+                authentication          AuthenticationChoice }
+
+        AuthenticationChoice ::= CHOICE {
+                simple                  [0] OCTET STRING,
+                                         -- 1 and 2 reserved
+                sasl                    [3] SaslCredentials }
+
+        SaslCredentials ::= SEQUENCE {
+                mechanism               LDAPString,
+                credentials             OCTET STRING OPTIONAL }
+
+        BindResponse ::= [APPLICATION 1] SEQUENCE {
+
+
+
+Wahl, et. al.               Standards Track                    [Page 46]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+             COMPONENTS OF LDAPResult,
+             serverSaslCreds    [7] OCTET STRING OPTIONAL }
+
+        UnbindRequest ::= [APPLICATION 2] NULL
+
+        SearchRequest ::= [APPLICATION 3] SEQUENCE {
+                baseObject      LDAPDN,
+                scope           ENUMERATED {
+                        baseObject              (0),
+                        singleLevel             (1),
+                        wholeSubtree            (2) },
+                derefAliases    ENUMERATED {
+                        neverDerefAliases       (0),
+                        derefInSearching        (1),
+                        derefFindingBaseObj     (2),
+                        derefAlways             (3) },
+                sizeLimit       INTEGER (0 .. maxInt),
+                timeLimit       INTEGER (0 .. maxInt),
+                typesOnly       BOOLEAN,
+                filter          Filter,
+                attributes      AttributeDescriptionList }
+
+        Filter ::= CHOICE {
+                and             [0] SET OF Filter,
+                or              [1] SET OF Filter,
+                not             [2] Filter,
+                equalityMatch   [3] AttributeValueAssertion,
+                substrings      [4] SubstringFilter,
+                greaterOrEqual  [5] AttributeValueAssertion,
+                lessOrEqual     [6] AttributeValueAssertion,
+                present         [7] AttributeDescription,
+                approxMatch     [8] AttributeValueAssertion,
+                extensibleMatch [9] MatchingRuleAssertion }
+
+        SubstringFilter ::= SEQUENCE {
+                type            AttributeDescription,
+                -- at least one must be present
+                substrings      SEQUENCE OF CHOICE {
+                        initial [0] LDAPString,
+                        any     [1] LDAPString,
+                        final   [2] LDAPString } }
+
+        MatchingRuleAssertion ::= SEQUENCE {
+                matchingRule    [1] MatchingRuleId OPTIONAL,
+                type            [2] AttributeDescription OPTIONAL,
+                matchValue      [3] AssertionValue,
+                dnAttributes    [4] BOOLEAN DEFAULT FALSE }
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 47]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
+                objectName      LDAPDN,
+                attributes      PartialAttributeList }
+
+        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
+                type    AttributeDescription,
+                vals    SET OF AttributeValue }
+
+        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
+
+        SearchResultDone ::= [APPLICATION 5] LDAPResult
+
+        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
+                object          LDAPDN,
+                modification    SEQUENCE OF SEQUENCE {
+                        operation       ENUMERATED {
+                                                add     (0),
+                                                delete  (1),
+                                                replace (2) },
+                        modification    AttributeTypeAndValues } }
+
+        AttributeTypeAndValues ::= SEQUENCE {
+                type    AttributeDescription,
+                vals    SET OF AttributeValue }
+
+        ModifyResponse ::= [APPLICATION 7] LDAPResult
+
+        AddRequest ::= [APPLICATION 8] SEQUENCE {
+                entry           LDAPDN,
+                attributes      AttributeList }
+
+        AttributeList ::= SEQUENCE OF SEQUENCE {
+                type    AttributeDescription,
+                vals    SET OF AttributeValue }
+
+        AddResponse ::= [APPLICATION 9] LDAPResult
+
+        DelRequest ::= [APPLICATION 10] LDAPDN
+
+        DelResponse ::= [APPLICATION 11] LDAPResult
+
+        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
+                entry           LDAPDN,
+                newrdn          RelativeLDAPDN,
+                deleteoldrdn    BOOLEAN,
+                newSuperior     [0] LDAPDN OPTIONAL }
+
+        ModifyDNResponse ::= [APPLICATION 13] LDAPResult
+
+
+
+Wahl, et. al.               Standards Track                    [Page 48]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+        CompareRequest ::= [APPLICATION 14] SEQUENCE {
+                entry           LDAPDN,
+                ava             AttributeValueAssertion }
+
+        CompareResponse ::= [APPLICATION 15] LDAPResult
+
+        AbandonRequest ::= [APPLICATION 16] MessageID
+
+        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
+                requestName      [0] LDAPOID,
+                requestValue     [1] OCTET STRING OPTIONAL }
+
+        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
+                COMPONENTS OF LDAPResult,
+                responseName     [10] LDAPOID OPTIONAL,
+                response         [11] OCTET STRING OPTIONAL }
+
+        END
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 49]
+
+RFC 2251                         LDAPv3                    December 1997
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (1997).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wahl, et. al.               Standards Track                    [Page 50]
+
-- 
cgit