ASID Working Group                                             Y. Yaacovi
INTERNET-DRAFT                                                  Microsoft
                                                                  M. Wahl
                                                      Critical Angle Inc.
                                                                K. Settle
                                                              T. Genovese

Expires in six months from                              10 September 1996
Intended Category: Standards Track

                   Lightweight Directory Access Protocol:
                  Extensions for Dynamic Directory Services

1. Status of this Memo

This document is a proposal for extending an Internet-Draft. Internet-
Drafts  Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups.  Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is expected that inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

To learn the proposed extensions current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing  contained in this memo will eventually
be folded into the LDAP V3 draft. Internet-Drafts Shadow
Directories on (US East Coast), (Europe), (US West Coast), or (Pacific Rim).

2. Abstract

This document defines the requirements for dynamic directory services
and specifies the format of request and response extended operations for
supporting client-server interoperation in a dynamic directories

The Lightweight Directory Access Protocol (LDAP) [1] supports
lightweight access to static directory services, allowing relatively
fast search and update access. Static directory services store
information about people that persists in its accuracy and value over
a long period of time.

Dynamic directory services are different in that they store information
about people that only persists in its accuracy and value while people
are online. Though the protocol operations and attributes used by
dynamic  directory services are similar to the ones used for static
directory services, clients that are bound to a dynamic directory
service need to periodically refresh their presence at the server to
keep directory entries from getting stale in the presence of client
application crashes.

A flow control mechanism from the server is also described that allows
a server to inform clients how often they should refresh their presence. A

precursor of this mechanism was previously described in [2].

3. Extensions for dynamic directory services Requirements

The main extension we propose protocol extensions must allow accessing dynamic directories in a
standard LDAP manner, to add is allow clients to access static and dynamic
directories in the ability same way.

By nature of dynamic directories, entries are not persistent and clients
may go away gracefully or not. The proposed extensions must offer a
way for the client server to
refresh its presence tell if entries are still valid, and to do this in a
way that will scale for a relatively large number of users. There also
must be a mechanism for clients to reestablish their entry with the
server. This refresh is achieved by
sending Refresh requests from the client

Finally, to allow clients to broadly use the server. The server
can control the rate dynamic extensions, they
need to be registered as standard LDAP extended operations.

4. Description of these Approach

The Lightweight Directory Access Protocol (LDAP) [1] permits additional
operation requests and their frequency by sending
refresh responses.

We propose responses to add Refresh as an LDAP V3 protocol operation, as follows:

   LDAPMessage ::= SEQUENCE {
           messageID       MessageID,
           cldapUserName   LDAPDN OPTIONAL,
           protocolOp      CHOICE {
                   <Currently defined LDAP V3 operations>
                   refreshRequest   RefreshRequest,
                   refreshResponse  RefreshResponse } }

We expect be added to the protocol. The
support for dynamic directories takes advantage of these protocol operations to be connectionless LDAP

3.1. Refresh Request

Refresh is establish
a protocol operation sent by a client mechanism to tell the server that

the client support dynamic directories which is still alive and fully integrated
with LDAP.

A dynamic entry is an object in the directory entry tree which has a time-to-live
associated with it.  This time-to-live is set when the entry is created.
The time-to-live is automatically decremented, and when it expires the
dynamic entry disappears.  By invoking the refresh extended operation
(defined below) to re-set the time-to-live, a client can cause the entry
to remain present a while longer.

A dynamic entry is created by including the objectClass value given in
section 6 in the list of attributes when adding an entry. This method
is subject to standard access control restrictions.

The extended operation covered here, allows a client to refresh a
dynamic entry by invoking at intervals refresh operations containing
that entry's name.  Dynamic entries will be treated the same as
non-dynamic entries when processing search, compare, add, delete,
modify and modifydn operations.  However if clients stop sending
refresh operations for an entry, then the server will automatically
and without notification remove that entry from the directory.
This removal will be treated the same as if the client had issued a
delete operation on that entry.

There is no way to change a static entry into a dynamic one and vice-
versa. If the client is using Modify with an objectClass of dynamicObject
on a static entry, the server must return a service error either
"objectClassModsProhibited" (if the server does not allow objectClass

modifications at all) or "objectClassViolation" (if the server does allow
objectClass modifications in general).

A dynamic entry may be removed by the client using the delete operation.
This operation will be subject to access control restrictions.

A non-dynamic entry cannot be added subordinate to a dynamic entry: the
server must return an appropriate update or service error if this is

5. Protocol Additions

5.1 Refresh Request

Refresh is a protocol operation sent by a client to tell the server that
the client is still alive and the directory entry is still accurate and
valuable. The client sends a Refresh request periodically based on the
value of the client refresh period (CRP). The server can request that
the client change this value. As long as the client sends server receives a Refresh
request within the CRP,the timeout period, the directory entry is guaranteed
to persist on the server.

   RefreshRequest ::= SEQUENCE  {
           version         INTEGER (1 .. 127)
           clientID        INTEGER       } }

Parameters of the Refresh request are:

- version: The value of this field Clients implementors should be aware that
since the intervening network between the LDAP protocol version.
- clientID: A client identifier. When and server is
unreliable, a Refresh request arrives at packet may be delayed or lost while in
transit.  If this occurs, the
server, entry may disappear, and the server client will use the clientID
need to quickly find detect this and re-add the entry.

A client may request this operation by transmitting an LDAP PDU containing
an ExtendedRequest. An LDAP ExtendedRequest is defined as follows:

         ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
                 requestName             [0] LDAPOID,
                 requestValue            [1] OCTET STRING }

The requestName field must be set to the string

The requestValue field will contain as a value the DER-encoding of the
following ASN.1 data type:

        SEQUENCE {
                entryName  [0] LDAPDN,
                requestTtl [1] INTEGER

The entryName field is the UTF-8 string representation of the name of the
dynamic entry [3].  This entry must already exist.

The requestTtl is a time in seconds (between 1 and 31557600) that the
client requests that the entry exists in the directory before it is
automatically removed. Servers are not required to accept this value
and might return a different TTL value to the client. Clients must be

able to use this server-dictated value as their CRP.

5.2 Refresh Response

If a server implements this extension, then when the request is made it
will return an LDAP PDU containing an ExtendedResponse. An LDAP
ExtendedResponse is defined as follows:

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
                responseName            [0] LDAPOID OPTIONAL,
                response                [1] OCTET STRING OPTIONAL,
                standardResponse        [2] LDAPResult }

The responseName field contains the same string as that present in the

The response field will contain as a value the DER-encoding of the
following ASN.1 data type:

        SEQUENCE {
                responseTtl [1] INTEGER

The responseTtl field is the time in seconds which the server chooses
to have as the time-to-live field for that entry.  It must not be any
smaller than that which the client requested, and it may be larger.

If the operation was successful, the errorCode field in the
standardResponse part of an ExtendedResponse will be set to success.

In case of an error, the responseTtl field will have the value 0,
and the errorCode field will contain an appropriate value, as follows:
If the entry named by entryName could not be located, the errorCode
field will contain "noSuchObject".
If the entry is not dynamic, the errorCode field will contain
If the requestor does not have permission to refresh the entry,
the errorCode field will contain "insufficientAccessRights".
If the requestTtl field is too large, the errorCode field will contain

If a server does not implement this extension, it will return an LDAP
PDU containing an ExtendedResponse, which contains only the
standardResponse element (the responseName and response elements
will be absent).  The LDAPResult element will indicate the protocolError
result code.

This request is permitted to be invoked when LDAP is carried by a
connectionless transport.

When using a connection-oriented transport, there is no requirement that
this operation be on the same particular connection as any other.  A client record

may open multiple connections, or close and update it. then reopen a connection.

6. Schema Additions

All dynamic entries must have the dynamicObject value in their
objectClass attribute. This object class is defined as follows
(using the ObjectClassDescription notation of [2]):

( NAME 'dynamicObject'
  DESC 'This class, if present in an entry, indicates that this entry has
        a limited lifetime and may disappear automatically when its
        time-to-live has reached 0.  There are no mandatory attributes of
        this class, however if the client has not supplied a value for
        the entryTtl attribute, the server will provide one.'

Furthermore, the dynamic entry must have the following operational
attribute. It is described using the AttributeTypeDescription notation
of [2]:

( NAME 'entryTtl'
  DESC 'This operational attribute is maintained by the server and appears
        to be present in every dynamic entry.  The attribute is not present
        when the entry does not contain the dynamicObject object class.
        The value of this attribute is the time in seconds that the entry
        will continue to exist before it disappears from the directory.
        In the absence of intervening refresh operations, the values
        returned by reading the attribute in two successive searches
        are guaranteed to be nonincreasing.  The cldapUserName provided with the Refresh request could serve as smallest permissible value
        is 0, indicating that the
sending client's identifier. entry may disappear without warning.
        The DN attribute is guaranteed to marked NO-USER-MODIFICATION since it may only be unique, but can
consume substantial bandwidth for such a frequent request
        changed using the refresh operation.'

7. Client and it might Server Requirements

7.1 Client Requirements

Once a dynamic entry has been created, clients are responsible for
invoking the refresh extended operation, in order to keep that entry
present in the directory.

Clients must not expect that the entry will be quickly accessible at present in the server. We propose DIT after
it has timed out, however it must not either require that the server
assign client identifiers to clients. This can be done as a return value

remove the Add request. The server implementation is required entry immediately (some servers may only process timing out
entries at intervals). If the client wishes to ensure that the entry
does not exist it should issue a RemoveRequest for that entry.

Initially, a client identifier is unique. The server may optionally use this
value needs to know how often it should send refresh
requests to quickly locate the client record in Refresh requests. The client will

specify this server. This value is defined as the clientID in refresh calls.

The initial CRP value will be (Client Refresh

Period) and is set by the server through based on the AddResponse.

Upon any Refresh request from a client, entryTtl. Since the server may respond with
AddRequest is left unchanged and is not modified in this proposal to
return this value, a
new CRP value through client must issue a Refresh response.

Note extended operation
immediately after an Add that the server might assign created a separate Time-To-Live (TTL) value
client at the server. dynamic entry. The TTL should always be higher than the client

3.2. Refresh

By sending a Refresh response, will return the server acknowledges CRP (in responseTtl) to the receipt of a
Refresh request, and can optionally dictate client.

Clients must not refresh dynamic entries which they have not created.

Clients should always be ready to handle the client case in which their entry
timed out. In such a lower or
higher CRP value. This will cause the client to send more frequent or
less frequent Refresh request messages, respectively. A Refresh response

is required.

   refreshResponse ::= SEQUENCE {
          LDAPResult      LDAPResult,
          newCRP          INTEGER (1 .. 32767) } }

Parameters of case, the Refresh response are:

- newCRP: The period of time, in minutes, that operation will fail with
an error code such as noSuchObject, and the client is guaranteed expected to
re-create its entry.

Clients should be registered prepared to experience refresh operations failing
with protocolError, even though the add and available at any previous refresh
requests succeeded. This might happen if a proxy between the server without sending Refresh

If client
and the server cannot find the client, it will respond with goes down, and another proxy is used which does not
support the
of compareFalse. This will be an indication Refresh extended operation.

7.2 Server Requirements

Servers are responsible for removing dynamic entries when they time out.
Server are not required to do this immediately.

Servers must enforce the client structural rules listed in above section 4.

Servers must ensure that it needs
to re-establish its presence at the server.

3.3 Modification to AddResponse

Refresh requests need operational attribute described in section 6
is present in dynamic entries.

Servers are permitted to send check the clientID as part authentication of the request. The client ID is assigned by the server invoking
a refresh extended operation, and will be sent to only permit the operation if it
matches that of the client which created the dynamic entry. Servers may
permit anonymous users to refresh entries.

Servers may require that a client which attempts to create a dynamic entry
have remove permission for that entry.

Servers which implement this extension must have the OBJECT
IDENTIFIERs, described above in section 5 for the AddResponse.This requires request and response,
present as values of the following change supportedExtension field in the AddResponse.

   AddResponse ::= SEQUENCE {
          LDAPResult      LDAPResult,
          clientID        INTEGER OPTIONAL,
          CRP             INTEGER (1 .. 32767) OPTIONAL  } }

4. root DSE.  They
must also have as values in the attributeTypes and objectClasses attributes
of their subschema subentries, the AttributeTypeDescription and
ObjectClassDescription from section 6.

8. Implementation issues


8.1 Storage of dynamic information

Dynamic information is expected to change very often. In addition,
Refresh requests are expected to arrive at the server very often.
Disk-based databases that static directory services often use are

likely  inappropriate for storing dynamic information. We expect recommend
that server implementations to store the dynamic attributes in memory
sufficient to avoid paging.

If the LDAP static server and the LDAP dynamic server are separate,
we expect each of these servers to store all the attributes in the
appropriate storage mechanism (either memory-based or disk-based).
However, if the same server stores both static and dynamic attributes,
we expect that the client will tell the server that the set of
attributes it adds or modifies entries in a request is dynamic or static.
This can be achieved by using one attribute (objectClass) to tell
the server if the list of attributes is dynamic or static. A new
objectClass for real time object (RTObject) can be used for that.

4.2 Transport protocol memory sufficient
to avoid paging. This is not a requirement.

We expect refresh requests and responses LDAP servers to be a connectionless able to store static and dynamic entries.
If an LDAP
protocoloperations over UDP.

Using UDP can reduce the load on the server but can also introduce
problems. If a Refresh request is lost, does not support dynamic entries, it is possible that by the
time should respond
with an error code such as objectClassViolation

8.2 Client refresh behavior

In some cases, the client times out waiting for the response and resends might not get a Refresh response. This
may happen as a result of a server crash after receiving the Refresh
request, the TTL of the directory entry on TCP/IP socket timing out in the server may expire,
causing connection case, or
the server to remove UDP packet getting lost in the entry. Servers should maintain a
TTL value for directory entries that connection-less case.

It is somewhat higher than the

client's CRP. In recommended that in such a case, the Refresh request that the client will
resend because of retry the
Refresh operation immediately, and if this Refresh request does
not get a lost response is redundant, but harmless.

4.3 Allocation of client IDs

Client IDs are allocated by the server. The typical server can allocate
increasing numbers to clients to guarantee uniqueness. The server might
also use some part of the client ID to allow as well, it will resort to quickly find the
client record at the server. For example, part of the client ID might
be the pointer to the client record its original Refresh
cycle, i.e. send a Refresh request at the server, which could allow
direct access to the record by the server.

5. its Client Refresh Period

9. Localization

The are no localization issues for Refresh.

6. this extended operation.

10. Security Considerations

There are no security

Security issues for Refresh.

7. Acknowledgments

Robert Carney, Tony Genovese, Max Morris and William Lai had a
part are not addressed in this proposal.

8. document. Please note, though,
that anonymous clients are able to refresh entries which they did not

11. Acknowledgements

Design ideas included in this document are based on those
discussed in ASID and other IETF Working Groups.

12. Authors Addresses

       Yoram Yaacovi
       One Microsoft way
       Redmond, WA 98052

       Phone:  +1 206-936-9629

       Mark Wahl
       Critical Angle Inc.
       4815 W. Braker Lane #502-385
       Austin, TX 78759


       Kent Settle
       One Microsoft way
       Redmond, WA 98052

       Phone:  +1 206-936-3027


       Tony Genovese
       One Microsoft way
       Redmond, WA 98052

       Phone:  +1 206-703-0852

13. Bibliography

[1] M.Wahl, W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access Protocol
    (Version 3)". INTERNET DRAFT <draft-ietf-asid-ldapv3-protocol-01.txt>

[2] R. Williams, "User Location Service". <draft-williams-uls-00.txt> M.Wahl, A.Coulbeck, T. Howes, S. Kille, "Lightweight Directory Access
    Protocol Standard and Pilot Attributes". INTERNET DRAFT

[3] M.Wahl, S.Kille, "Lightweight Directory Access Protocol UTF-8 String
    Representation of Distinguished Names". INTERNET DRAFT

Expires on 10 March 1996.