Side-by-side diff of draft-ietf-ldapbis-protocol-29.txt and draft-ietf-ldapbis-protocol-30.txt; the text below follows the draft-30 column.

Internet-Draft                                   Editor: J. Sermersheim
Intended Category: Standard Track                           Novell, Inc
Document: draft-ietf-ldapbis-protocol-30.txt                   Feb 2005
Obsoletes: RFCs 2251, 2830, 3771

LDAP: The Protocol

Status of this Memo

This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
[...]
Protocol (DAP).

Lightweight Directory Access Protocol Version 3

Table of Contents
1. Introduction
1.1. Relationship to Other LDAP Specifications
2. Conventions
3. Protocol Model
3.1 Operation and LDAP Message Layer Relationship
4. Elements of Protocol
4.1. Common Elements
4.1.1. Message Envelope
4.1.2. String Types
4.1.3. Distinguished Name and Relative Distinguished Name
4.1.4. Attribute Descriptions
4.1.5. Attribute Value
4.1.6. Attribute Value Assertion
4.1.7. Attribute and PartialAttribute
4.1.8. Matching Rule Identifier
4.1.9. Result Message
4.1.10. Referral
4.1.11. Controls
4.2. Bind Operation
4.3. Unbind Operation
4.4. Unsolicited Notification
4.5. Search Operation
4.6. Modify Operation
4.7. Add Operation
4.8. Delete Operation
4.9. Modify DN Operation
4.10. Compare Operation
4.11. Abandon Operation
4.12. Extended Operation
4.13. IntermediateResponse Message
4.14. StartTLS Operation
5. Protocol Encoding, Connection, and Transfer
5.1. Protocol Encoding
5.2. Transmission Control Protocol (TCP)
5.3. Termination of the LDAP session
6. Security Considerations
7. Acknowledgements
8. Normative References
9. Informative References
10. IANA Considerations
11. Editor's Address
Appendix A - LDAP Result Codes
A.1 Non-Error Result Codes
A.2 Result Codes
Appendix B - Complete ASN.1 Definition
Appendix C - Changes
C.1 Changes made to RFC 2251:
C.2 Changes made to RFC 2830:
C.3 Changes made to RFC 3771:
1. Introduction

The Directory is "a collection of open systems cooperating to provide
directory services" [X.500]. A directory user, which may be a human
or other entity, accesses the Directory through a client (or
Directory User Agent (DUA)). The client, on behalf of the directory
user, interacts with one or more servers (or Directory System Agents
(DSA)). Clients interact with servers using a directory access
[...]
exchanged between a client and server in any order. If required,
synchronous behavior may be controlled by client applications.

The core protocol operations defined in this document can be mapped
to a subset of the X.500 (1993) Directory Abstract Service [X.511].
However, there is not a one-to-one mapping between LDAP operations and
X.500 Directory Access Protocol (DAP) operations. Server
implementations acting as a gateway to X.500 directories may need to
make multiple DAP requests to service a single LDAP request.
3.1 Operation and LDAP Message Layer Relationship
Protocol operations are exchanged at the LDAP message layer. When the
transport connection is closed, any uncompleted operations at the
LDAP message layer, when possible, are abandoned, and when not
possible, are completed without transmission of the response. Also,
when the transport connection is closed, the client MUST NOT assume
that any uncompleted update operations have succeeded or failed.
4. Elements of Protocol

The protocol is described using Abstract Syntax Notation One
[...]
This section describes the LDAPMessage envelope Protocol Data Unit
(PDU) format, as well as data type definitions, which are used in the
protocol operations.

4.1.1. Message Envelope

For the purposes of protocol exchanges, all protocol operations are
encapsulated in a common envelope, the LDAPMessage, which is defined
as follows:
LDAPMessage ::= SEQUENCE {
     messageID       MessageID,
     protocolOp      CHOICE {
          bindRequest           BindRequest,
          bindResponse          BindResponse,
          unbindRequest         UnbindRequest,
          searchRequest         SearchRequest,
          searchResEntry        SearchResultEntry,
          searchResDone         SearchResultDone,
          searchResRef          SearchResultReference,
          modifyRequest         ModifyRequest,
          modifyResponse        ModifyResponse,
          addRequest            AddRequest,
          addResponse           AddResponse,
          delRequest            DelRequest,
          delResponse           DelResponse,
          modDNRequest          ModifyDNRequest,
[...]
and MUST immediately terminate the LDAP session as described in
Section 5.3.

In other cases where the client or server cannot parse a PDU, it
SHOULD abruptly terminate the LDAP session (Section 5.3) where
further communication (including providing notice) would be
pernicious. Otherwise, server implementations MUST return an
appropriate response to the request, with the resultCode set to
protocolError.
4.1.1.1. Message ID

All LDAPMessage envelopes encapsulating responses contain the
messageID value of the corresponding request LDAPMessage.

The message ID of a request MUST have a non-zero value different from
the messageID of any other request in progress in the same LDAP
session. The zero value is reserved for the unsolicited notification
message.

Typical clients increment a counter for each request.

A client MUST NOT send a request with the same message ID as an
earlier request in the same LDAP session unless it can be determined
that the server is no longer servicing the earlier request (e.g.
after the final response is received, or a subsequent Bind
completes). Otherwise the behavior is undefined. For this purpose,
[...]
1.3.6.1.4.1.1466.1.2.3

4.1.3. Distinguished Name and Relative Distinguished Name

An LDAPDN is defined to be the representation of a Distinguished Name
(DN) after encoding according to the specification in [LDAPDN].

LDAPDN ::= LDAPString
     -- Constrained to <distinguishedName> [LDAPDN]

A RelativeLDAPDN is defined to be the representation of a Relative
Distinguished Name (RDN) after encoding according to the
specification in [LDAPDN].

RelativeLDAPDN ::= LDAPString
     -- Constrained to <name-component> [LDAPDN]

4.1.4. Attribute Descriptions

The definition and encoding rules for attribute descriptions are
defined in Section 2.5 of [Models]. Briefly, an attribute description
is an attribute type and zero or more options.

AttributeDescription ::= LDAPString
     -- Constrained to <attributedescription>
     -- [Models]
[...]
4.1.6. Attribute Value Assertion

The AttributeValueAssertion (AVA) type definition is similar to the
one in the X.500 Directory standards. It contains an attribute
description and a matching rule ([Models] Section 4.1.3) assertion
value suitable for that type. Elements of this type are typically
used to assert that the value in assertionValue matches a value of an
attribute.

AttributeValueAssertion ::= SEQUENCE {
     attributeDesc   AttributeDescription,
     assertionValue  AssertionValue }

AssertionValue ::= OCTET STRING

The syntax of the AssertionValue depends on the context of the LDAP
operation being performed. For example, the syntax of the EQUALITY
matching rule for an attribute is used when performing a Compare
operation. Often this is the same syntax used for values of the
attribute type, but in some cases the assertion syntax differs from
the value syntax. See objectIdentifierFirstComponentMatch in
[Syntaxes] for an example.

4.1.7. Attribute and PartialAttribute
[...]
MatchingRuleId ::= LDAPString

4.1.9. Result Message

The LDAPResult is the construct used in this protocol to return
success or failure indications from servers to clients. To various
requests, servers will return responses containing the elements found
in LDAPResult to indicate the final status of the protocol operation
request.

LDAPResult ::= SEQUENCE {
     resultCode         ENUMERATED {
          success                      (0),
          operationsError              (1),
          protocolError                (2),
          timeLimitExceeded            (3),
          sizeLimitExceeded            (4),
          compareFalse                 (5),
          compareTrue                  (6),
          authMethodNotSupported       (7),
          strongerAuthRequired         (8),
               -- 9 reserved --
          referral                     (10),
          adminLimitExceeded           (11),
          unavailableCriticalExtension (12),
          confidentialityRequired      (13),
          saslBindInProgress           (14),
          noSuchAttribute              (16),
[...]
          entryAlreadyExists           (68),
          objectClassModsProhibited    (69),
               -- 70 reserved for CLDAP --
          affectsMultipleDSAs          (71),
               -- 72-79 unused --
          other                        (80),
          ...  },
     matchedDN          LDAPDN,
     diagnosticMessage  LDAPString,
     referral           [3] Referral OPTIONAL }

The resultCode enumeration is extensible as defined in Section 3.6 of
[LDAPIANA]. The meanings of the listed result codes are given in
Appendix A. If a server detects multiple errors for an operation,
only one result code is returned. The server should return the result
code that best indicates the nature of the error encountered.

The diagnosticMessage field of this construct may, at the server's
option, be used to return a string containing a textual, human-
readable (terminal control and page formatting characters should be
avoided) diagnostic message. As this diagnostic message is not
standardized, implementations MUST NOT rely on the values returned.
Diagnostic messages typically supplement the resultCode with
additional information. If the server chooses not to return a textual
diagnostic, the diagnosticMessage field MUST be empty.

For certain result codes (typically, but not restricted to
noSuchObject, aliasProblem, invalidDNSyntax and
aliasDereferencingProblem), the matchedDN field is set (subject to
access controls) to the name of the last entry (object or alias) used
[...]
not have responses). At least one URI MUST be present in the
Referral.

During a Search operation, after the baseObject is located, and
entries are being evaluated, the referral is not returned. Instead,
continuation references, described in Section 4.5.3, are returned
when other servers would need to be contacted to complete the
operation.

Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI

URI ::= LDAPString     -- limited to characters permitted in
                       -- URIs

If the client wishes to progress the operation, it contacts one of
the supported services found in the referral. If multiple URIs are
present, the client assumes that any supported URI may be used to
progress the operation.

Clients that follow referrals MUST ensure that they do not loop
between servers. They MUST NOT repeatedly contact the same server for
the same request with the same parameters. Some clients use a counter
that is incremented each time referral handling occurs for an
operation, and these kinds of clients MUST be able to handle at least
ten nested referrals while progressing the operation.

A URI for a server implementing LDAP and accessible via [TCP]/[IP]
(v4 or v6) is written as an LDAP URL according to [LDAPURL].

Referral values which are LDAP URLs follow these rules:
[...]
- If the <scope> part is missing, the scope of the original Search
  is used by the client to progress the operation.

- Other aspects of the new request may be the same as or different
  from the request which generated the referral.

Other kinds of URIs may be returned. The syntax and semantics of such
URIs is left to future specifications. Clients may ignore URIs that
they do not support.

UTF-8 encoded characters appearing in the string representation of a
DN, search filter, or other fields of the referral value may not be
legal for URIs (e.g. spaces) and MUST be escaped using the % method
in [URI].
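The client-side referral rules of Section 4.1.10 as working code (an added example, not part of the draft): pick a supported URI, keep the original Search scope when the LDAP URL has no <scope> part, refuse to contact the same server again with the same request, and allow at least ten nested referrals. The SearchRequest fields, the ldap/ldaps scheme set and the rule that an LDAP URL without a <dn> part keeps the original base DN are this example's assumptions; the URL layout (host/dn?attrs?scope?filter) is that of [LDAPURL].

```python
"""Referral-following guard for an LDAP client (added example)."""
from dataclasses import dataclass, replace
from urllib.parse import urlsplit, unquote

MAX_REFERRAL_HOPS = 10                 # the draft requires handling at least ten
SUPPORTED_SCHEMES = {"ldap", "ldaps"}  # assumption: what this client can speak
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class SearchRequest:
    """The parameters that identify 'the same request' (hypothetical shape)."""
    host: str
    port: int
    base_dn: str
    scope: str          # "base", "one" or "sub"
    filter: str


class ReferralLoopError(Exception):
    """Following the referral would loop or exceed the hop limit."""


def request_from_referral(uris, current):
    """Build the next request from the first supported URI in the Referral.

    Returns None when no URI is supported (clients may ignore such URIs).
    """
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in SUPPORTED_SCHEMES:
            continue
        host = parts.hostname or current.host
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        # <dn> is percent-escaped (Section 4.1.10, last paragraph); decode it.
        # Assumption: a URL without a <dn> part keeps the current base DN.
        dn = unquote(parts.path[1:]) if len(parts.path) > 1 else current.base_dn
        # LDAP URL query: attributes?scope?filter?extensions
        query = parts.query.split("?") if parts.query else []
        scope = query[1] if len(query) > 1 and query[1] else current.scope
        return replace(current, host=host, port=port, base_dn=dn, scope=scope)
    return None


class ReferralChaser:
    """Tracks one operation across referrals and enforces the MUSTs."""

    def __init__(self, original):
        self.seen = {original}   # (server, parameters) already contacted
        self.hops = 0

    def next_request(self, referral_uris, current):
        nxt = request_from_referral(referral_uris, current)
        if nxt is None:
            return None          # nothing supported: caller gives up
        self.hops += 1
        if self.hops > MAX_REFERRAL_HOPS:
            raise ReferralLoopError("referral hop limit exceeded")
        if nxt in self.seen:     # same server, same request, same parameters
            raise ReferralLoopError(
                f"loop: {nxt.host}:{nxt.port} already asked for {nxt.base_dn}")
        self.seen.add(nxt)
        return nxt


if __name__ == "__main__":
    # Constructed sample: a referral that bounces back to a server already tried.
    orig = SearchRequest("ldap.example.com", 389, "dc=example,dc=com", "sub", "(cn=alice)")
    chaser = ReferralChaser(orig)
    hop1 = chaser.next_request(["ldap://ldap2.example.com/ou=people,dc=example,dc=com"], orig)
    print("hop 1 ->", hop1)
    try:
        chaser.next_request(["ldap://ldap2.example.com/ou=people,dc=example,dc=com"], hop1)
    except ReferralLoopError as err:
        print("refused:", err)
```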
4.1.11. Controls

Controls provide a mechanism whereby the semantics and arguments of
existing LDAP operations may be extended. One or more controls may be
attached to a single LDAP message. A control only affects the
semantics of the message it is attached to.

Controls sent by clients are termed 'request controls' and those sent
by servers are termed 'response controls'.

Controls ::= SEQUENCE OF control Control

Control ::= SEQUENCE {
     controlType             LDAPOID,
     criticality             BOOLEAN DEFAULT FALSE,
     controlValue            OCTET STRING OPTIONAL }
[...]
- If the server does not recognize the control type or it is not
  appropriate for the operation, and the criticality field is TRUE,
  the server MUST NOT perform the operation, and for operations that
  have a response message, MUST return with the resultCode set to
  unavailableCriticalExtension.

- If the server does not recognize the control type or it is not
  appropriate for the operation, and the criticality field is FALSE,
  the server MUST ignore the control.

The controlValue may contain information associated with the
controlType. Its format is defined by the specification of the
control. Implementations MUST be prepared to handle arbitrary
contents of the controlValue octet string, including zero bytes. It
is absent only if there is no value information which is associated
with a control of its type. When a controlValue is defined in terms
of ASN.1, and BER encoded according to Section 5.1, it also follows
the extensibility rules in Section 4.

Servers list the controlType of request controls they recognize in
the 'supportedControl' attribute in the root DSE (Section 5.1 of
[Models]).

Controls SHOULD NOT be combined unless the semantics of the
combination has been specified. The semantics of control
combinations, if specified, are generally found in the control
specification most recently published. When a combination of controls
is encountered whose semantics are invalid, not specified (or not
known), the message is considered to be not well-formed, thus the
operation fails with protocolError. Additionally, unless order-
dependent semantics are given in a specification, the order of a
combination of controls in the SEQUENCE is ignored. Where the order
is to be ignored but cannot be ignored by the server, the message is
skipping to change at line 742 skipping to change at line 740
with other controls. with other controls.
4.2. Bind Operation

The function of the Bind operation is to allow authentication
information to be exchanged between the client and server. The Bind
operation should be thought of as the "authenticate" operation.
Operational, authentication, and security-related semantics of this
operation are given in [AuthMeth].

The Bind request is defined as follows:

     BindRequest ::= [APPLICATION 0] SEQUENCE {
          version                 INTEGER (1 ..  127),
          name                    LDAPDN,
          authentication          AuthenticationChoice }

     AuthenticationChoice ::= CHOICE {
          simple                  [0] OCTET STRING,
                                  -- 1 and 2 reserved
          sasl                    [3] SaslCredentials,
          ...  }

     SaslCredentials ::= SEQUENCE {
          mechanism               LDAPString,
          credentials             OCTET STRING OPTIONAL }

Fields of the BindRequest are:

- version: A version number indicating the version of the protocol
  to be used at the LDAP message layer. This document describes
  version 3 of the protocol. There is no version negotiation. The

  Textual passwords (consisting of a character sequence with a known
  character set and encoding) transferred to the server using the
  simple AuthenticationChoice SHALL be transferred as [UTF-8]
  encoded [Unicode]. Prior to transfer, clients SHOULD prepare text
  passwords by applying the [SASLprep] profile of the [Stringprep]
  algorithm. Passwords consisting of other data (such as random
  octets) MUST NOT be altered. The determination of whether a
  password is textual is a local client matter.

4.2.1. Processing of the Bind Request

Before processing a BindRequest, all uncompleted operations MUST
either complete or be abandoned. The server may either wait for the
uncompleted operations to complete, or abandon them. The server then
proceeds to authenticate the client in either a single-step, or
multi-step Bind process. Each step requires the server to return a
BindResponse to indicate the status of authentication.

After sending a BindRequest, clients MUST NOT send further LDAP PDUs
until receiving the BindResponse. Similarly, servers SHOULD NOT
process or respond to requests received while processing a
BindRequest.

If the client did not bind before sending a request and receives an
operationsError to that request, it may then send a BindRequest. If
this also fails or the client chooses not to bind on the existing
LDAP session, it may terminate the LDAP session, re-establish it and
begin again by first sending a PDU with a BindRequest. This will aid
in interoperating with servers implementing other versions of LDAP.

Clients may send multiple Bind requests to change the authentication
and/or security associations or to complete a multi-stage Bind
process. Authentication from earlier binds is subsequently ignored.

For some SASL authentication mechanisms, it may be necessary for the
client to invoke the BindRequest multiple times ([AuthMeth] Section
8.2). Clients MUST NOT invoke operations between two Bind requests

The Bind response is defined as follows.

     BindResponse ::= [APPLICATION 1] SEQUENCE {
          COMPONENTS OF LDAPResult,
          serverSaslCreds    [7] OCTET STRING OPTIONAL }

BindResponse consists simply of an indication from the server of the
status of the client's request for authentication.

A successful Bind operation is indicated by a BindResponse with a
resultCode set to success. Otherwise, an appropriate result code is
set in the BindResponse. For BindResponse, the protocolError result
code may be used to indicate that the version number supplied by the
client is unsupported.

If the client receives a BindResponse where the resultCode is set to
protocolError, it is to assume that the server does not support this
version of LDAP. While the client may be able to proceed with another
version of this protocol (this may or may not require closing and re-
establishing the transport connection), how to proceed with another
version of this protocol is beyond the scope of this document.
Clients which are unable or unwilling to proceed SHOULD terminate the
LDAP session.

The serverSaslCreds field is used as part of a SASL-defined bind
mechanism to allow the client to authenticate the server to which it
is communicating, or to perform "challenge-response" authentication.
If the client bound with the simple choice, or the SASL mechanism
does not require the server to return information to the client, then
this field SHALL NOT be included in the BindResponse.
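As an added illustration of the BindRequest definition and of the version check a server answers with protocolError (example code, not part of the draft): a minimal BER encoder and decoder for a simple-choice BindRequest. The tag values are the standard BER identifier octets implied by the ASN.1 (an assumption, since the Section 5.1 encoding rules are not on this page), and prepare_password is a simplified stand-in for the [SASLprep] profile, not the full algorithm.

```python
import unicodedata

# BER identifier octets implied by the ASN.1 of Section 4.2 (an assumption
# about the Section 5.1 encoding rules, which this page does not reproduce).
TAG_SEQUENCE = 0x30       # universal SEQUENCE, constructed
TAG_INTEGER = 0x02        # universal INTEGER
TAG_OCTET_STRING = 0x04   # universal OCTET STRING (LDAPDN)
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] simple OCTET STRING, implicit, primitive
TAG_SASL_AUTH = 0xA3      # [3] SaslCredentials, implicit, constructed

def ber_length(n: int) -> bytes:
    """Definite-form length octets (LDAP never uses the indefinite form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER encoding (non-negative values)."""
    size = (value.bit_length() + 8) // 8
    return tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))

def prepare_password(password: str) -> bytes:
    """Client-side preparation of a textual password: a simplified stand-in
    for the [SASLprep] profile (NFKC normalisation plus rejection of
    category-C code points such as controls), then UTF-8 encoding.
    Non-textual passwords (random octets) must skip this step entirely."""
    normalised = unicodedata.normalize("NFKC", password)
    if any(unicodedata.category(ch).startswith("C") for ch in normalised):
        raise ValueError("prohibited code point in textual password")
    return normalised.encode("utf-8")

def encode_simple_bind(message_id: int, name: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { 3, name, simple password } }."""
    bind = (ber_integer(3)                                  # version 3
            + tlv(TAG_OCTET_STRING, name.encode("utf-8"))   # name LDAPDN
            + tlv(TAG_SIMPLE_AUTH, password))               # simple [0]
    return tlv(TAG_SEQUENCE,
               ber_integer(message_id) + tlv(TAG_BIND_REQUEST, bind))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the BER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is not permitted in LDAP")
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated PDU")
    return tag, content, pos + length

def decode_bind_request(pdu: bytes) -> dict:
    """Server-side parse of a BindRequest PDU, enforcing the ASN.1 constraint
    version INTEGER (1 .. 127) and the defined AuthenticationChoice tags
    (tags 1 and 2 are reserved and rejected)."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    tag, ver, pos = _read_tlv(bind, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if tag != TAG_INTEGER or not 1 <= version <= 127:
        raise ValueError("version outside INTEGER (1 .. 127)")
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag == TAG_SIMPLE_AUTH:
        auth = ("simple", cred)
    elif tag == TAG_SASL_AUTH:
        auth = ("sasl", cred)          # SaslCredentials left undecoded here
    else:
        raise ValueError("reserved or unknown AuthenticationChoice tag")
    return {"messageID": int.from_bytes(mid, "big", signed=True),
            "version": version, "name": name.decode("utf-8"), "auth": auth}

def version_result_code(request: dict) -> str:
    """BindResponse resultCode from a version-3-only server, before any
    credential check: protocolError signals an unsupported version."""
    return "success" if request["version"] == 3 else "protocolError"
```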
4.3. Unbind Operation

The function of the Unbind operation is to terminate an LDAP session.
The Unbind operation is not the antithesis of the Bind operation as
the name implies. The naming of these operations is historical. The
Unbind operation should be thought of as the "quit" operation.

4.4. Unsolicited Notification

An unsolicited notification is an LDAPMessage sent from the server to
the client which is not in response to any LDAPMessage received by
the server. It is used to signal an extraordinary condition in the
server or in the LDAP session between the client and the server. The
notification is of an advisory nature, and the server will not expect
any response to be returned from the client.

The unsolicited notification is structured as an LDAPMessage in which
the messageID is zero and protocolOp is set to the extendedResp
choice using the ExtendedResponse type (See Section 4.12). The
responseName field of the ExtendedResponse always contains an LDAPOID
which is unique for this notification.

One unsolicited notification (Notice of Disconnection) is defined in
this document. The specification of an unsolicited notification
consists of:

  specified in the responseName,
- the format of the contents of the responseValue (if any),
- the circumstances which will cause the notification to be sent,
  and
- the semantics of the message.

4.4.1. Notice of Disconnection

This notification may be used by the server to advise the client that
the server is about to terminate the LDAP session on its own
initiative. This notification is intended to assist clients in
distinguishing between an exceptional server condition and a
transient network failure. Note that this notification is not a
response to an Unbind requested by the client. Uncompleted operations
are handled as specified in Section 3.1.

The responseName is 1.3.6.1.4.1.1466.20036, the responseValue field
The Search operation is used to request a server to return, subject
to access controls and other restrictions, a set of entries matching
a complex search criterion. This can be used to read attributes from
a single entry, from entries immediately subordinate to a particular
entry, or a whole subtree of entries.

4.5.1. Search Request

The Search request is defined as follows:

     SearchRequest ::= [APPLICATION 3] SEQUENCE {
          baseObject      LDAPDN,
          scope           ENUMERATED {
               baseObject              (0),
               singleLevel             (1),
               wholeSubtree            (2),
               ...  },
          derefAliases    ENUMERATED {
               neverDerefAliases       (0),
               derefInSearching        (1),

               derefAlways             (3) },
          sizeLimit       INTEGER (0 ..  maxInt),
          timeLimit       INTEGER (0 ..  maxInt),
          typesOnly       BOOLEAN,
          filter          Filter,
          attributes      AttributeSelection }

     AttributeSelection ::= SEQUENCE OF selector LDAPString
          -- The LDAPString is constrained to
          -- <attributeSelector> in Section 4.5.1.7

     Filter ::= CHOICE {
          and             [0] SET SIZE (1..MAX) OF filter Filter,
          or              [1] SET SIZE (1..MAX) OF filter Filter,
          not             [2] Filter,
          equalityMatch   [3] AttributeValueAssertion,
          substrings      [4] SubstringFilter,
          greaterOrEqual  [5] AttributeValueAssertion,
          lessOrEqual     [6] AttributeValueAssertion,
          present         [7] AttributeDescription,

               initial [0] AssertionValue,  -- can occur at most once
               any     [1] AssertionValue,
               final   [2] AssertionValue } -- can occur at most once
          }

     MatchingRuleAssertion ::= SEQUENCE {
          matchingRule    [1] MatchingRuleId OPTIONAL,
          type            [2] AttributeDescription OPTIONAL,
          matchValue      [3] AssertionValue,
          dnAttributes    [4] BOOLEAN DEFAULT FALSE }

Note that an X.500 "list"-like operation can be emulated by the
client requesting a singleLevel Search operation with a filter
checking for the presence of the 'objectClass' attribute, and that an
X.500 "read"-like operation can be emulated by a baseObject Search
operation with the same filter. A server which provides a gateway to
X.500 is not required to use the Read or List operations, although it
may choose to do so, and if it does, it must provide the same
semantics as the X.500 Search operation.

Specifies the scope of the Search to be performed. The semantics (as
described in [X.511]) of the defined values of this field are:

     baseObject: The scope is constrained to the entry named by
     baseObject.

     singleLevel: The scope is constrained to the immediate
     subordinates of the entry named by baseObject.

     wholeSubtree: the scope is constrained to the entry named by the
     baseObject, and all its subordinates.

4.5.1.3 SearchRequest.derefAliases

An indicator as to whether or not alias entries (as defined in
[Models]) are to be dereferenced during stages of the Search
operation.

The act of dereferencing an alias includes recursively dereferencing
aliases which refer to aliases.

Servers MUST detect looping while dereferencing aliases in order to
prevent denial of service attacks of this nature.

The semantics of the defined values of this field are:

     neverDerefAliases: Do not dereference aliases in searching or in
     locating the base object of the Search.

     derefInSearching: While searching subordinates of the base object,
     dereference any alias within the search scope. Dereferenced
     objects become the vertices of further search scopes where the
     Search operation is also applied. If the search scope is
     wholeSubtree, the Search continues in the subtree(s) of any
     dereferenced object. If the search scope is singleLevel, the
     search is applied to any dereferenced objects, and is not applied
     to their subordinates. Servers SHOULD eliminate duplicate entries
     that arise due to alias dereferencing while searching.
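As an added example (not the draft's code) of the loop-detection requirement and of the derefInSearching semantics above: alias chains are followed with a visited set so a cycle is reported instead of recursed forever, dereferenced targets become new search vertices (with the subtree continued only for wholeSubtree), and duplicates produced by dereferencing are eliminated. The directory is a constructed toy, 'aliasedObjectName' is assumed as the attribute that names an alias's target, and dereferencing of the base object itself (derefFindingBaseObj) is left out.

```python
# Constructed toy directory (not from the draft): DN -> attributes. An alias
# entry names its target in 'aliasedObjectName' (assumed attribute name).
# Two aliases form a loop, one points at a real subtree, and one dangles.
DIRECTORY = {
    "dc=example,dc=net": {"objectclass": ["domain"]},
    "ou=people,dc=example,dc=net": {"objectclass": ["organizationalUnit"]},
    "cn=jane,ou=people,dc=example,dc=net": {"objectclass": ["person"]},
    "ou=staff,dc=example,dc=net": {
        "objectclass": ["alias"],
        "aliasedObjectName": "ou=people,dc=example,dc=net"},
    "cn=loop1,dc=example,dc=net": {
        "objectclass": ["alias"],
        "aliasedObjectName": "cn=loop2,dc=example,dc=net"},
    "cn=loop2,dc=example,dc=net": {
        "objectclass": ["alias"],
        "aliasedObjectName": "cn=loop1,dc=example,dc=net"},
    "cn=gone,dc=example,dc=net": {
        "objectclass": ["alias"],
        "aliasedObjectName": "cn=missing,dc=example,dc=net"},
}

def resolve(directory, dn):
    """Follow aliases from dn to a non-alias entry, recursively (aliases
    may refer to aliases). Returns ("ok", target), ("loop", dn) when the
    chain revisits an alias, or ("dangling", dn) when a target is absent.
    The visited set is the loop detection the draft requires of servers."""
    seen = set()
    while True:
        entry = directory.get(dn)
        if entry is None:
            return ("dangling", dn)
        if "aliasedObjectName" not in entry:
            return ("ok", dn)
        if dn in seen:
            return ("loop", dn)
        seen.add(dn)
        dn = entry["aliasedObjectName"]

def subordinates(directory, base):
    """Immediate subordinates of base (the toy DNs contain no escaped commas)."""
    suffix = "," + base.lower()
    return [dn for dn in directory
            if dn.lower().endswith(suffix)
            and "," not in dn.lower()[:-len(suffix)]]

def search_candidates(directory, base, scope, deref_in_searching, visited=None):
    """DNs examined below base for scope 'singleLevel' or 'wholeSubtree'
    (the base object itself, and derefFindingBaseObj, are left out). With
    derefInSearching an alias inside the scope is replaced by its target,
    which becomes a new vertex: for wholeSubtree the search continues
    below it, for singleLevel only the target itself is examined.
    Duplicates produced by dereferencing are eliminated via 'visited'."""
    if visited is None:
        visited = {base.lower()}
    found = []
    for dn in subordinates(directory, base):
        if deref_in_searching and "aliasedObjectName" in directory[dn]:
            status, dn = resolve(directory, dn)
            if status != "ok":
                continue   # looping or dangling alias: skip it rather than hang
        key = dn.lower()
        if key in visited:
            continue
        visited.add(key)
        found.append(dn)
        if scope == "wholeSubtree":
            found.extend(search_candidates(directory, dn, scope,
                                           deref_in_searching, visited))
    return found
```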
effect for the Search. Servers may also enforce a maximum number of
entries to return.

4.5.1.5 SearchRequest.timeLimit

A time limit that restricts the maximum time (in seconds) allowed for
a Search. A value of zero in this field indicates that no client-
requested time limit restrictions are in effect for the Search.
Servers may also enforce a maximum time limit for the Search.

4.5.1.6 SearchRequest.typesOnly

An indicator as to whether Search results are to contain both
attribute descriptions and values, or just attribute descriptions.
Setting this field to TRUE causes only attribute descriptions (no
values) to be returned. Setting this field to FALSE causes both
attribute descriptions and values to be returned.
4.5.1.7 SearchRequest.filter

A filter that defines the conditions that must be fulfilled in order
for the Search to match a given entry.

The 'and', 'or' and 'not' choices can be used to form combinations of
filters. At least one filter element MUST be present in an 'and' or
'or' choice. The others match against individual attribute values of
entries in the scope of the Search. (Implementor's note: the 'not'
filter is an example of a tagged choice in an implicitly-tagged

filter is not recognized by the server.
- The attribute type does not define the appropriate matching
  rule.
- A MatchingRuleId in the extensibleMatch is not recognized by
  the server or is not valid for the attribute type.
- The type of filtering requested is not implemented.
- The assertion value is invalid.

For example, if a server did not recognize the attribute type
shoeSize, a filter of (shoeSize=*) would evaluate to FALSE, and the
filters (shoeSize=12), (shoeSize>=12) and (shoeSize<=12) would each
evaluate to Undefined.

Servers MUST NOT return errors if attribute descriptions or matching
rule ids are not recognized, assertion values are invalid, or the
assertion syntax is not supported. More details of filter processing
are given in Clause 7.8 of [X.511].

4.5.1.7.4 SearchRequest.filter.lessOrEqual

The matching rule for the lessOrEqual filter item is defined by the
ORDERING matching rule for the attribute type.

4.5.1.7.5 SearchRequest.filter.present

The present match evaluates to TRUE where there is an attribute or
subtype of the specified attribute description present in an entry,
and FALSE otherwise (including a presence test with an unrecognized
attribute description).

4.5.1.7.6 SearchRequest.filter.approxMatch

An approxMatch filter item evaluates to TRUE when there is a value of
the attribute or subtype for which some locally-defined approximate
matching algorithm (e.g. spelling variations, phonetic match, etc.)
returns TRUE. If an item matches for equality, it also satisfies an
approximate match. If approximate matching is not supported for the
attribute, this filter item should be treated as an equalityMatch.

4.5.1.7.7 SearchRequest.filter.extensibleMatch

attribute in the entry, and Undefined if the matchingRule is not
recognized, the matchingRule is unsuitable for use with the specified
type, or the assertionValue is invalid.
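As an added example (not the draft's code) of the three-valued filter evaluation described in 4.5.1.7 through 4.5.1.7.7, including the shoeSize case: an unrecognized attribute type makes a present test FALSE but every other item Undefined, one FALSE decides an 'and' while one TRUE decides an 'or', 'not' of Undefined stays Undefined, and an entry is returned only on TRUE. SCHEMA and ENTRY are constructed, a case-insensitive string comparison stands in for the real EQUALITY/ORDERING/SUBSTR matching rules, approxMatch falls back to equality as 4.5.1.7.6 allows, and extensibleMatch is not modelled.

```python
TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "Undefined"

# Constructed sample schema (attribute types the server recognises) and entry;
# a case-insensitive string comparison stands in for the real matching rules.
SCHEMA = {"objectclass", "cn", "sn", "mail"}
ENTRY = {"objectclass": ["person"], "cn": ["Jane Doe"], "sn": ["Doe"]}

def _values(entry, schema, attr):
    """Lower-cased values of attr in entry, or None when the attribute type
    is not recognised by the server."""
    if attr.lower() not in schema:
        return None
    return [v.lower() for v in entry.get(attr.lower(), [])]

def _substring_match(value, initial, middles, final):
    """initial at the start, final at the end, each middle in order between."""
    initial, final = (initial or "").lower(), (final or "").lower()
    if len(value) < len(initial) + len(final):
        return False
    if not value.startswith(initial) or not value.endswith(final):
        return False
    pos, end = len(initial), len(value) - len(final)
    for part in middles:
        idx = value.find(part.lower(), pos, end)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True

def evaluate(filt, entry, schema):
    """Three-valued evaluation of a Filter given as a tuple:
    ('and'|'or', [filters]), ('not', filter), ('present', attr),
    ('substrings', attr, initial, [any, ...], final), or
    (kind, attr, assertion) for equalityMatch, greaterOrEqual,
    lessOrEqual and approxMatch (treated as equalityMatch here)."""
    kind = filt[0]
    if kind in ("and", "or"):
        results = [evaluate(f, entry, schema) for f in filt[1]]
        if not results:
            raise ValueError(f"'{kind}' needs at least one filter element")
        # One FALSE decides an 'and', one TRUE decides an 'or'; otherwise any
        # Undefined operand makes the combination Undefined.
        decisive, default = (FALSE, TRUE) if kind == "and" else (TRUE, FALSE)
        if decisive in results:
            return decisive
        return UNDEFINED if UNDEFINED in results else default
    if kind == "not":
        inner = evaluate(filt[1], entry, schema)
        return {TRUE: FALSE, FALSE: TRUE}.get(inner, UNDEFINED)
    vals = _values(entry, schema, filt[1])
    if kind == "present":
        return TRUE if vals else FALSE   # unrecognised type: FALSE, not Undefined
    if vals is None:
        return UNDEFINED                 # unrecognised type for any other item
    if kind == "substrings":
        hit = any(_substring_match(v, filt[2], filt[3], filt[4]) for v in vals)
    else:
        assertion = filt[2].lower()
        if kind in ("equalityMatch", "approxMatch"):
            hit = assertion in vals
        elif kind == "greaterOrEqual":
            hit = any(v >= assertion for v in vals)
        elif kind == "lessOrEqual":
            hit = any(v <= assertion for v in vals)
        else:
            raise ValueError(f"unsupported filter choice {kind!r}")
    return TRUE if hit else FALSE

def matches(filt, entry, schema):
    """A Search returns an entry only when the filter evaluates to TRUE."""
    return evaluate(filt, entry, schema) == TRUE
```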
4.5.1.7 SearchRequest.attributes 4.5.1.7 SearchRequest.attributes
A selection list of the attributes to be returned from each entry A selection list of the attributes to be returned from each entry
which matches the search filter. LDAPString values of this field are which matches the search filter. LDAPString values of this field are
constrained to the following Augmented Backus-Naur Form ([ABNF]): constrained to the following Augmented Backus-Naur Form ([ABNF]):
Lightweight Directory Access Protocol Version 3
attributeSelector = attributedescription / selectorspecial attributeSelector = attributedescription / selectorspecial
selectorspecial = noattrs / alluserattrs selectorspecial = noattrs / alluserattrs
Lightweight Directory Access Protocol Version 3
noattrs = %x31.2E.31 ; "1.1" noattrs = %x31.2E.31 ; "1.1"
alluserattrs = %x2A ; asterisk ("*") alluserattrs = %x2A ; asterisk ("*")
The <attributedescription> production is defined in Section 2.5 of The <attributedescription> production is defined in Section 2.5 of
[Models]. [Models].
There are three special cases which may appear in the attributes There are three special cases which may appear in the attributes
selection list: selection list:
skipping to change at line 1287 skipping to change at line 1288
4.5.2. Search Result 4.5.2. Search Result
The results of the Search operation are returned as zero or more The results of the Search operation are returned as zero or more
SearchResultEntry and/or SearchResultReference messages, followed by SearchResultEntry and/or SearchResultReference messages, followed by
a single SearchResultDone message. a single SearchResultDone message.
SearchResultEntry ::= [APPLICATION 4] SEQUENCE { SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN, objectName LDAPDN,
attributes PartialAttributeList } attributes PartialAttributeList }
Lightweight Directory Access Protocol Version 3
PartialAttributeList ::= SEQUENCE OF PartialAttributeList ::= SEQUENCE OF
partialAttribute PartialAttribute partialAttribute PartialAttribute
Lightweight Directory Access Protocol Version 3
SearchResultReference ::= [APPLICATION 19] SEQUENCE SearchResultReference ::= [APPLICATION 19] SEQUENCE
SIZE (1..MAX) OF uri URI SIZE (1..MAX) OF uri URI
SearchResultDone ::= [APPLICATION 5] LDAPResult SearchResultDone ::= [APPLICATION 5] LDAPResult
Each SearchResultEntry represents an entry found during the Search. Each SearchResultEntry represents an entry found during the Search.
Each SearchResultReference represents an area not yet explored during Each SearchResultReference represents an area not yet explored during
the Search. The SearchResultEntry and SearchResultReference PDUs may the Search. The SearchResultEntry and SearchResultReference PDUs may
come in any order. Following all the SearchResultReference and come in any order. Following all the SearchResultReference and
skipping to change at line 1447 skipping to change at line 1448
SearchResultEntry for OU=People,DC=Example,DC=NET
SearchResultReference {
        ldap://hoste/OU=Managers,OU=People,DC=Example,DC=NET??sub }
SearchResultReference {
        ldap://hostf/OU=Consultants,OU=People,DC=Example,DC=NET??sub }
SearchResultDone (success)
Similarly, if a singleLevel Search of <DC=Example,DC=NET> is
requested to the contacted server, it may return the following:
SearchResultEntry for CN=Manager,DC=Example,DC=NET
SearchResultReference {
        ldap://hostb/OU=People,DC=Example,DC=NET??base
        ldap://hostc/OU=People,DC=Example,DC=NET??base }
SearchResultReference {
        ldap://hostd/OU=Roles,DC=Example,DC=NET??base }
SearchResultDone (success)
If the contacted server does not hold the base object for the Search,
but has knowledge of its possible location, then it may return a
referral to the client. In this case, if the client requests a
subtree Search of <DC=Example,DC=ORG> to hosta, the server returns a
SearchResultDone containing a referral.
skipping to change at line 1502 skipping to change at line 1503
(such as the object class definition and DIT content rule), the
resulting entry after the entire list of modifications is
performed MUST conform to the requirements of the directory model
and controlling schema [Models].
- operation: Used to specify the type of modification being
performed. Each operation type acts on the following
modification. The values of this field have the following
semantics respectively:
add: add values listed to the modification attribute,
creating the attribute if necessary;
delete: delete values listed from the modification attribute.
If no values are listed, or if all current values of the
attribute are listed, the entire attribute is removed;
replace: replace all existing values of the modification
attribute with the new values listed, creating the attribute
if it did not already exist. A replace with no value will
delete the entire attribute if it exists, and is ignored if
the attribute does not exist.
skipping to change at line 1557 skipping to change at line 1559
For attribute types which specify no equality matching, the rules in
Section 2.5.1 of [Models] are followed.
Note that due to the simplifications made in LDAP, there is not a
direct mapping of the changes in an LDAP ModifyRequest onto the
changes of a DAP ModifyEntry operation, and different implementations
of LDAP-DAP gateways may use different means of representing the
change. If successful, the final effect of the operations on the
entry MUST be identical.
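The add, delete and replace semantics above, including the empty-value cases and the rule that conformance is judged only on the entry after the whole list has been applied, as an added Python example that is not code from the draft or from any LDAP server. It assumes a dict-of-lists entry model, compares values by exact equality rather than by the attribute's equality matching rule, parses only a single unescaped RDN, and treats an add with no values as a protocol error (an assumption; the text above does not cover that case).

```python
# Added example, not from the draft: applying a ModifyRequest change list to an
# entry with the Section 4.6 add/delete/replace semantics. An entry is a dict
# {attribute description: [values]}; the sample entry and changes are constructed.
from copy import deepcopy


class ModifyError(Exception):
    """The whole request fails; result_code names the LDAP result code returned."""

    def __init__(self, result_code, message):
        super().__init__(message)
        self.result_code = result_code


def rdn_of(dn):
    """(attribute, value) of the leading RDN. Simplified to one unescaped
    attribute=value component; the real grammar is in [LDAPDN]."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip(), value.strip()


def apply_one(entry, operation, attr, values):
    """Apply one modification in place. Values are compared by exact equality;
    a server would use the attribute type's equality matching rule."""
    current = entry.get(attr)
    if operation == "add":
        if not values:                      # assumption of this example: a protocol error
            raise ModifyError("protocolError", "add with no values for %s" % attr)
        dupes = [v for v in values if current and v in current]
        if dupes:
            raise ModifyError("attributeOrValueExists", "%s: %r" % (attr, dupes))
        entry[attr] = list(current or []) + list(values)   # creates the attribute if needed
    elif operation == "delete":
        if current is None:
            raise ModifyError("noSuchAttribute", "%s is absent" % attr)
        missing = [v for v in values if v not in current]
        if missing:
            raise ModifyError("noSuchAttribute", "%s: %r" % (attr, missing))
        remaining = [v for v in current if v not in values]
        if not values or not remaining:     # none listed, or every current value listed
            del entry[attr]                 # the entire attribute is removed
        else:
            entry[attr] = remaining
    elif operation == "replace":
        if values:
            entry[attr] = list(values)      # creates the attribute if it did not exist
        else:
            entry.pop(attr, None)           # deletes it if present, ignored otherwise
    else:
        raise ModifyError("protocolError", "unknown operation %r" % operation)


def modify(dn, entry, changes):
    """Apply the change list in order as a single atomic operation: the stored
    entry changes only if every modification succeeds and the final entry
    conforms. Conformance is not judged between modifications, so a delete
    followed by an add of the same attribute in one request is fine."""
    working = deepcopy(entry)
    for operation, attr, values in changes:
        apply_one(working, operation, attr, values)
    if not working.get("objectClass"):
        raise ModifyError("objectClassViolation", "entry has no objectClass")
    rdn_attr, rdn_value = rdn_of(dn)
    if rdn_value not in working.get(rdn_attr, []):
        raise ModifyError("notAllowedOnRDN", "RDN value %s=%s removed" % (rdn_attr, rdn_value))
    entry.clear()
    entry.update(working)                   # commit
    return entry


def result_of(dn, entry, changes):
    """Run modify() and report the resultCode name a ModifyResponse would carry."""
    try:
        modify(dn, entry, changes)
        return "success"
    except ModifyError as err:
        return err.result_code


SAMPLE_DN = "cn=John Smith,c=US"            # the DN used in the draft's Modify DN example


def sample_entry():
    return {"objectClass": ["person"], "cn": ["John Smith"], "sn": ["Smith"],
            "mail": ["jsmith@example.net", "john@example.net"]}


if __name__ == "__main__":
    entry = sample_entry()
    print(result_of(SAMPLE_DN, entry, [("delete", "mail", [])]), entry)
    entry = sample_entry()
    print(result_of(SAMPLE_DN, entry, [("delete", "cn", [])]))
    entry = sample_entry()
    print(result_of(SAMPLE_DN, entry, [("add", "description", ["x"]),
                                       ("delete", "nothere", [])]), entry)
```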
4.7. Add Operation
The Add operation allows a client to request the addition of an entry
into the Directory. The Add Request is defined as follows:
AddRequest ::= [APPLICATION 8] SEQUENCE {
        entry LDAPDN,
        attributes AttributeList }
AttributeList ::= SEQUENCE OF attribute Attribute
Fields of the Add Request are:
skipping to change at line 1664 skipping to change at line 1667
entry which becomes the immediate superior (parent) of the
existing entry.
The server SHALL NOT dereference any aliases in locating the objects
named in entry or newSuperior.
Upon receipt of a ModifyDNRequest, a server will attempt to perform
the name change and return the result in the Modify DN Response,
defined as follows:
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
For example, if the entry named in the entry field was <cn=John
Smith,c=US>, the newrdn field was <cn=John Cougar Smith>, and the
newSuperior field was absent, then this operation would attempt to
rename the entry to be <cn=John Cougar Smith,c=US>. If there was
already an entry with that name, the operation would fail with the
entryAlreadyExists result code.
Servers MUST ensure that entries conform to user and system schema
rules or other data model constraints. For attribute types which
specify no equality matching, the rules in Section 2.5.1 of [Models]
skipping to change at line 1927 skipping to change at line 1931
included in a request with an LDAP Extended operation that uses
IntermediateResponse messages.
4.14. StartTLS Operation
The Start Transport Layer Security (StartTLS) operation's purpose is
to initiate installation of a TLS layer. The StartTLS operation is
defined using the Extended operation mechanism described in Section
4.12.
4.14.1. StartTLS Request
A client requests TLS establishment by transmitting a StartTLS
request PDU to the server. The StartTLS request is defined in terms
of an ExtendedRequest. The requestName is "1.3.6.1.4.1.1466.20037",
and the requestValue field is always absent.
The client MUST NOT send any PDUs at this LDAP message layer
following this request until it receives a StartTLS Extended response
and, in the case of a successful response, completes TLS
negotiations.
Detected sequencing problems (particularly those detailed in Section
3.1.1 of [AuthMeth]) result in the resultCode being set to
skipping to change at line 1980 skipping to change at line 1984
alert.
The initiating protocol peer sends the TLS closure alert. If it
wishes to leave the LDAP message layer intact, it then MUST cease to
send further PDUs and MUST ignore any received LDAP PDUs until it
receives a TLS closure alert from the other peer.
Once the initiating protocol peer receives a TLS closure alert from
the other peer it MAY send and receive LDAP PDUs.
When a protocol peer receives the initial TLS closure alert, it may
choose to allow the LDAP message layer to remain intact. In this
case, it MUST immediately transmit a TLS closure alert. Following
this, it MAY send and receive LDAP PDUs.
Protocol peers MAY terminate the LDAP session after sending or
receiving a TLS closure alert.
After the TLS layer has been removed, the server MUST NOT send
responses to any request message received before the TLS closure
alert. Thus, clients wishing to receive responses to messages sent
while the TLS layer is intact MUST wait for those message responses
skipping to change at line 2027 skipping to change at line 2031
            +----------------------+ > LDAP PDUs
            +----------------------+ < data
            |      SASL layer      |
            +----------------------+ > SASL-protected data
            +----------------------+ < data
            |      TLS layer       |
Application +----------------------+ > TLS-protected data
------------+----------------------+ < data
  Transport | transport connection |
            +----------------------+
5.1. Protocol Encoding
The protocol elements of LDAP SHALL be encoded for exchange using the
Basic Encoding Rules [BER] of [ASN.1] with the following
restrictions:
- Only the definite form of length encoding is used.
- OCTET STRING values are encoded in the primitive form only.
- If the value of a BOOLEAN type is true, the encoding of the value
octet is set to hex "FF".
- If a value of a type is its default value, it is absent. Only some
BOOLEAN and INTEGER types have default values in this protocol
definition.
These restrictions are meant to ease the overhead of encoding and
skipping to change at line 2081 skipping to change at line 2084
TLS layer, and closing the transport connection.
A protocol peer may determine that the continuation of any
communication would be pernicious, and in this case may abruptly
terminate the session by ceasing communication and closing the
transport connection.
In either case, when the LDAP session is terminated, uncompleted
operations are handled as specified in Section 3.1.
6. Security Considerations
This version of the protocol provides facilities for simple
authentication using a cleartext password, as well as any [SASL]
mechanism. Installing SASL and/or TLS layers can provide integrity
and other data security services.
It is also permitted that the server can return its credentials to
the client, if it chooses to do so.
Use of cleartext password is strongly discouraged where the
underlying transport service cannot guarantee confidentiality and may
result in disclosure of the password to unauthorized parties.
Servers are encouraged to prevent directory modifications by clients
that have authenticated anonymously [AuthMeth].
skipping to change at line 2136 skipping to change at line 2139
whose request caused it to be in the cache.
Servers may return referrals or Search result references which
redirect clients to peer servers. It is possible for a rogue
application to inject such referrals into the data stream in an
attempt to redirect a client to a rogue server. Clients are advised
to be aware of this, and possibly reject referrals when
confidentiality measures are not in place. Clients are advised to
reject referrals from the StartTLS operation.
The matchedDN and diagnosticMessage fields, as well as some
resultCode values (e.g., attributeOrValueExists and
entryAlreadyExists), could disclose the presence or absence of
specific data in the directory which is subject to access and other
administrative controls. Server implementations should restrict
access to protected information equally under both normal and error
conditions.
Protocol peers MUST be prepared to handle invalid and arbitrary
length protocol encodings. Invalid protocol encodings include: BER
encoding exceptions, format string and UTF-8 encoding exceptions,
overflow exceptions, integer value exceptions, and binary mode on/off
flag exceptions. The LDAPv3 PROTOS [PROTOS-LDAP] test suite provides
excellent examples of these exceptions and test cases used to
discover flaws.
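The Section 5.1 encoding restrictions together with the requirement above to survive invalid and arbitrary-length encodings, as an added Python example that is not code from the draft or from any LDAP implementation: a strict BER reader that accepts only the definite length form and primitive OCTET STRINGs, compares every declared length with the octets actually present before slicing, validates UTF-8 in LDAPString fields, and decodes a SearchResultDone ([APPLICATION 5] LDAPResult) as the worked case. The sample PDUs are constructed by hand; the BOOLEAN "FF" rule and defaulted fields are not exercised because LDAPResult carries neither.

```python
# Added example, not from the draft: a strict BER reader that enforces the Section 5.1
# length and OCTET STRING restrictions and bounds-checks every length, so truncated or
# arbitrary-length input (Section 6) is rejected rather than over-read.
UNIVERSAL, APPLICATION, CONTEXT = 0, 1, 2


class BerError(ValueError):
    """An encoding the LDAP profile of BER does not permit (answer: protocolError)."""


def read_tlv(buf, pos=0):
    """Read one TLV at buf[pos] -> (tag_class, constructed, tag_number, value, next_pos)."""
    if len(buf) - pos < 2:
        raise BerError("truncated: identifier and length octets missing")
    ident, first = buf[pos], buf[pos + 1]
    pos += 2
    tag_class, constructed, tag_number = ident >> 6, bool(ident & 0x20), ident & 0x1F
    if tag_number == 0x1F:          # high tag number form: no LDAP tag needs it
        raise BerError("high tag number form rejected")
    if first == 0x80:
        raise BerError("indefinite length form not permitted (Section 5.1)")
    if first & 0x80:                # long definite form: first & 0x7F length octets follow
        n = first & 0x7F
        if n > 4 or n > len(buf) - pos:
            raise BerError("length field of %d octets rejected" % n)
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if length > len(buf) - pos:     # compare against what remains; never trust pos + length
        raise BerError("declared length %d exceeds %d remaining" % (length, len(buf) - pos))
    return tag_class, constructed, tag_number, buf[pos:pos + length], pos + length


def decode_integer(value):
    """INTEGER/ENUMERATED, limited to 0..maxInt (2^31 - 1) as this protocol requires."""
    number = int.from_bytes(value, "big", signed=True) if value else -1
    if len(value) > 4 or not 0 <= number <= 2147483647:
        raise BerError("INTEGER %r rejected" % value)
    return number


def decode_string(tlv):
    """LDAPString/LDAPDN: a primitive OCTET STRING holding valid UTF-8."""
    tag_class, constructed, tag_number, value = tlv[:4]
    if constructed or (tag_class, tag_number) != (UNIVERSAL, 4):
        raise BerError("expected a primitive OCTET STRING")
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        raise BerError("invalid UTF-8 in LDAPString")


def decode_search_result_done(pdu):
    """SearchResultDone ::= [APPLICATION 5] LDAPResult (implicit tagging)."""
    tag_class, constructed, tag_number, body, end = read_tlv(pdu)
    if (tag_class, constructed, tag_number) != (APPLICATION, True, 5) or end != len(pdu):
        raise BerError("not exactly one SearchResultDone PDU")
    tlv = read_tlv(body)
    if tlv[:3] != (UNIVERSAL, False, 10):
        raise BerError("resultCode must be a primitive ENUMERATED")
    result = {"resultCode": decode_integer(tlv[3]), "referral": []}
    tlv = read_tlv(body, tlv[4])
    result["matchedDN"] = decode_string(tlv)
    tlv = read_tlv(body, tlv[4])
    result["diagnosticMessage"] = decode_string(tlv)
    pos = tlv[4]
    if pos < len(body):             # referral [3] Referral OPTIONAL
        tag_class, constructed, tag_number, uris, pos = read_tlv(body, pos)
        if (tag_class, constructed, tag_number) != (CONTEXT, True, 3):
            raise BerError("unexpected element after diagnosticMessage")
        upos = 0
        while upos < len(uris):     # SEQUENCE SIZE (1..MAX) OF uri URI
            tlv = read_tlv(uris, upos)
            result["referral"].append(decode_string(tlv))
            upos = tlv[4]
        if not result["referral"]:
            raise BerError("Referral must hold at least one URI")
    if pos != len(body):
        raise BerError("trailing octets inside LDAPResult")
    return result


def is_rejected(pdu):
    """True if the reader refuses the PDU, i.e. a server would answer protocolError."""
    try:
        decode_search_result_done(pdu)
        return False
    except BerError:
        return True


# Constructed sample PDUs (not captured from any server).
GOOD_PDU = bytes.fromhex("65070a010004000400")                  # success, empty DN and message
REFERRAL_PDU = bytes.fromhex("65180a010a04000400a30f040d") + b"ldap://hostb/"
INDEFINITE_PDU = bytes.fromhex("65800a0100040004000000")        # indefinite length form
OVERLONG_PDU = bytes.fromhex("657f0a0100")                      # claims 127 octets, carries 3
BAD_UTF8_PDU = bytes.fromhex("65080a010004000401ff")            # diagnosticMessage not UTF-8
CONSTRUCTED_STR_PDU = bytes.fromhex("65090a0100240204000400")   # OCTET STRING in constructed form
```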
In the event that a protocol peer senses an attack which in its
nature could cause damage due to further communication at any layer
skipping to change at line 2187 skipping to change at line 2190
Specifications: ABNF", RFC 2234, November 1997.
[ASN.1] ITU-T Recommendation X.680 (07/2002) | ISO/IEC 8824-1:2002,
"Information Technology - Abstract Syntax Notation One
(ASN.1): Specification of basic notation", 2002.
[AuthMeth] Harrison, R., "LDAP: Authentication Methods and Connection
Level Security Mechanisms", draft-ietf-ldapbis-authmeth-
xx.txt, (a work in progress).
[BER] ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002,
"Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", 2002.
[IP] Postel, J., "Internet Protocol", STD5 and RFC 791,
September 1981.
[ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
Architecture and Basic Multilingual Plane, ISO/IEC 10646-1
: 1993.
[Keyword] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[LDAPDN] Zeilenga, K., "LDAP: String Representation of
Distinguished Names", draft-ietf-ldapbis-dn-xx.txt, (a
skipping to change at line 2241 skipping to change at line 2245
[Syntaxes] Legg, S., and K. Dally, "LDAP: Syntaxes and Matching
Rules", draft-ietf-ldapbis-syntaxes-xx.txt, (a work in
progress).
[TCP] Postel, J., "Transmission Control Protocol", STD7 and RFC
793, September 1981.
[TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.1",
draft-ietf-tls-rfc2246-bis-xx.txt, (a work in progress).
[Unicode] The Unicode Consortium, "The Unicode Standard, Version
3.2.0" is defined by "The Unicode Standard, Version 3.0"
(Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
as amended by the "Unicode Standard Annex #27: Unicode
3.1" (http://www.unicode.org/reports/tr27/) and by the
"Unicode Standard Annex #28: Unicode 3.2"
(http://www.unicode.org/reports/tr28/).
[URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 2396,
August 1998.
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD63 and RFC 3629, November 2003.
[X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
Models and Service", 1993.
skipping to change at line 2295 skipping to change at line 2299
It is requested that the Internet Assigned Numbers Authority (IANA)
update the LDAP result code registry to indicate that this document
provides the definitive technical specification for result codes
0-36, 48-54, 64-70, 80-90.
It is requested that the IANA update the LDAP Protocol Mechanism
registry to indicate that this document and [AuthMeth] provide the
definitive technical specification for the StartTLS
(1.3.6.1.4.1.1466.20037) Extended operation.
It is requested that the IANA update the occurrence of "RFC XXXX" in
Appendix B with this RFC number at publication.
11. Editor's Address
Jim Sermersheim
Novell, Inc.
1800 South Novell Place
Provo, Utah 84606, USA
jimse@novell.com
+1 801 861-3088
Appendix A - LDAP Result Codes
This normative appendix details additional considerations regarding
LDAP result codes and provides a brief, general description of each
skipping to change at line 2528 skipping to change at line 2531
notAllowedOnRDN (67)
        Indicates that the operation is inappropriately attempting to
        remove a value which forms the entry's relative distinguished
        name.
entryAlreadyExists (68)
        Indicates that the request cannot be fulfilled (added, moved,
        or renamed) as the target entry already exists.
objectClassModsProhibited (69)
        Indicates that an attempt to modify the object class(es) of
        an entry's 'objectClass' attribute is prohibited.
        For example, this code is returned when a client attempts to
        modify the structural object class of an entry.
affectsMultipleDSAs (71)
        Indicates that the operation cannot be performed as it would
        affect multiple servers (DSAs).
skipping to change at line 2598 skipping to change at line 2601
maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
LDAPString ::= OCTET STRING -- UTF-8 encoded,
                            -- [ISO10646] characters
LDAPOID ::= OCTET STRING -- Constrained to <numericoid> [Models]
LDAPDN ::= LDAPString -- Constrained to <distinguishedName>
                      -- [LDAPDN]
RelativeLDAPDN ::= LDAPString -- Constrained to <name-component>
                              -- [LDAPDN]
AttributeDescription ::= LDAPString
        -- Constrained to <attributedescription>
        -- [Models]
AttributeValue ::= OCTET STRING
AttributeValueAssertion ::= SEQUENCE {
        attributeDesc AttributeDescription,
skipping to change at line 2625 skipping to change at line 2627
PartialAttribute ::= SEQUENCE {
        type AttributeDescription,
        vals SET OF value AttributeValue }
Attribute ::= PartialAttribute(WITH COMPONENTS {
        ...,
        vals (SIZE(1..MAX))})
MatchingRuleId ::= LDAPString
LDAPResult ::= SEQUENCE {
        resultCode ENUMERATED {
                success (0),
                operationsError (1),
                protocolError (2),
                timeLimitExceeded (3),
                sizeLimitExceeded (4),
                compareFalse (5),
                compareTrue (6),
skipping to change at line 2656 skipping to change at line 2659
                constraintViolation (19),
                attributeOrValueExists (20),
                invalidAttributeSyntax (21),
                -- 22-31 unused --
                noSuchObject (32),
                aliasProblem (33),
                invalidDNSyntax (34),
                -- 35 reserved for undefined isLeaf --
                aliasDereferencingProblem (36),
                -- 37-47 unused --
                inappropriateAuthentication (48),
                invalidCredentials (49),
                insufficientAccessRights (50),
                busy (51),
                unavailable (52),
                unwillingToPerform (53),
                loopDetect (54),
                -- 55-63 unused --
                namingViolation (64),
                objectClassViolation (65),
skipping to change at line 2682 skipping to change at line 2683
                -- 70 reserved for CLDAP --
                affectsMultipleDSAs (71),
                -- 72-79 unused --
                other (80),
                ... },
        matchedDN LDAPDN,
        diagnosticMessage LDAPString,
        referral [3] Referral OPTIONAL }
Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI
URI ::= LDAPString -- limited to characters permitted in
                   -- URIs
Controls ::= SEQUENCE OF control Control
Control ::= SEQUENCE {
        controlType LDAPOID,
        criticality BOOLEAN DEFAULT FALSE,
        controlValue OCTET STRING OPTIONAL }
skipping to change at line 2711 skipping to change at line 2713
        sasl [3] SaslCredentials,
        ... }
SaslCredentials ::= SEQUENCE {
        mechanism LDAPString,
        credentials OCTET STRING OPTIONAL }
BindResponse ::= [APPLICATION 1] SEQUENCE {
        COMPONENTS OF LDAPResult,
        serverSaslCreds [7] OCTET STRING OPTIONAL }
UnbindRequest ::= [APPLICATION 2] NULL
SearchRequest ::= [APPLICATION 3] SEQUENCE {
        baseObject LDAPDN,
        scope ENUMERATED {
                baseObject (0),
                singleLevel (1),
                wholeSubtree (2),
                ... },
skipping to change at line 2736 skipping to change at line 2737
                derefAlways (3) },
        sizeLimit INTEGER (0 .. maxInt),
        timeLimit INTEGER (0 .. maxInt),
        typesOnly BOOLEAN,
        filter Filter,
        attributes AttributeSelection }
AttributeSelection ::= SEQUENCE OF selector LDAPString
        -- The LDAPString is constrained to
        -- <attributeSelector> in Section 4.5.1.7
Filter ::= CHOICE {
        and [0] SET SIZE (1..MAX) OF filter Filter,
        or [1] SET SIZE (1..MAX) OF filter Filter,
        not [2] Filter,
        equalityMatch [3] AttributeValueAssertion,
        substrings [4] SubstringFilter,
        greaterOrEqual [5] AttributeValueAssertion,
        lessOrEqual [6] AttributeValueAssertion,
        present [7] AttributeDescription,
skipping to change at line 2767 skipping to change at line 2769
MatchingRuleAssertion ::= SEQUENCE { MatchingRuleAssertion ::= SEQUENCE {
matchingRule [1] MatchingRuleId OPTIONAL, matchingRule [1] MatchingRuleId OPTIONAL,
type [2] AttributeDescription OPTIONAL, type [2] AttributeDescription OPTIONAL,
matchValue [3] AssertionValue, matchValue [3] AssertionValue,
dnAttributes [4] BOOLEAN DEFAULT FALSE } dnAttributes [4] BOOLEAN DEFAULT FALSE }
SearchResultEntry ::= [APPLICATION 4] SEQUENCE { SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN, objectName LDAPDN,
attributes PartialAttributeList } attributes PartialAttributeList }
Lightweight Directory Access Protocol Version 3
PartialAttributeList ::= SEQUENCE OF PartialAttributeList ::= SEQUENCE OF
partialAttribute PartialAttribute partialAttribute PartialAttribute
SearchResultReference ::= [APPLICATION 19] SEQUENCE SearchResultReference ::= [APPLICATION 19] SEQUENCE
SIZE (1..MAX) OF uri URI SIZE (1..MAX) OF uri URI
SearchResultDone ::= [APPLICATION 5] LDAPResult SearchResultDone ::= [APPLICATION 5] LDAPResult
ModifyRequest ::= [APPLICATION 6] SEQUENCE { ModifyRequest ::= [APPLICATION 6] SEQUENCE {
skipping to change at line 2792 skipping to change at line 2793
delete (1), delete (1),
replace (2), replace (2),
... }, ... },
modification PartialAttribute } } modification PartialAttribute } }
ModifyResponse ::= [APPLICATION 7] LDAPResult ModifyResponse ::= [APPLICATION 7] LDAPResult
AddRequest ::= [APPLICATION 8] SEQUENCE { AddRequest ::= [APPLICATION 8] SEQUENCE {
entry LDAPDN, entry LDAPDN,
attributes AttributeList } attributes AttributeList }
Lightweight Directory Access Protocol Version 3
AttributeList ::= SEQUENCE OF attribute Attribute AttributeList ::= SEQUENCE OF attribute Attribute
AddResponse ::= [APPLICATION 9] LDAPResult AddResponse ::= [APPLICATION 9] LDAPResult
DelRequest ::= [APPLICATION 10] LDAPDN DelRequest ::= [APPLICATION 10] LDAPDN
DelResponse ::= [APPLICATION 11] LDAPResult DelResponse ::= [APPLICATION 11] LDAPResult
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE { ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
skipping to change at line 2822 skipping to change at line 2824
CompareResponse ::= [APPLICATION 15] LDAPResult CompareResponse ::= [APPLICATION 15] LDAPResult
AbandonRequest ::= [APPLICATION 16] MessageID AbandonRequest ::= [APPLICATION 16] MessageID
ExtendedRequest ::= [APPLICATION 23] SEQUENCE { ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
requestName [0] LDAPOID, requestName [0] LDAPOID,
requestValue [1] OCTET STRING OPTIONAL } requestValue [1] OCTET STRING OPTIONAL }
ExtendedResponse ::= [APPLICATION 24] SEQUENCE { ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
Lightweight Directory Access Protocol Version 3
COMPONENTS OF LDAPResult, COMPONENTS OF LDAPResult,
responseName [10] LDAPOID OPTIONAL, responseName [10] LDAPOID OPTIONAL,
responseValue [11] OCTET STRING OPTIONAL } responseValue [11] OCTET STRING OPTIONAL }
IntermediateResponse ::= [APPLICATION 25] SEQUENCE { IntermediateResponse ::= [APPLICATION 25] SEQUENCE {
responseName [0] LDAPOID OPTIONAL, responseName [0] LDAPOID OPTIONAL,
responseValue [1] OCTET STRING OPTIONAL } responseValue [1] OCTET STRING OPTIONAL }
END END
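The productions above define the wire shape of a search, but not how the octets come out. The following is an added example, written for this page and not code from the draft or from any LDAP implementation, that BER-encodes the SearchRequest protocolOp (and the trivial UnbindRequest and AbandonRequest) from the ASN.1 shown here. It relies on the module being declared with IMPLICIT tags (stated at the top of the appendix, outside this excerpt), which is why a tagged alternative such as equalityMatch [3] AttributeValueAssertion is emitted under context tag 0xA3 instead of the SEQUENCE tag. The tuple notation for filters is this example's own; the derefAliases names other than derefAlways come from the full enumeration in the module; the LDAPMessage envelope (messageID, controls) is not produced. The security point it makes is that a Filter is a typed tree: an assertion value is one OCTET STRING, so input such as "*)(uid=*" that would rewrite a string-concatenated filter is carried as opaque data and yields exactly one equalityMatch node.

```python
"""BER encoding of the LDAPv3 SearchRequest protocolOp (added example).

The LDAP module uses IMPLICIT tags: a tagged CHOICE alternative or
SEQUENCE member takes the context-specific tag in place of its own
universal tag.  Only the protocolOp is produced here; the LDAPMessage
envelope defined elsewhere in the module is not shown.
"""
from __future__ import annotations

# Identifier-octet layout (X.690): class bits, constructed bit, tag number.
APPLICATION = 0x40
CONTEXT = 0x80
CONSTRUCTED = 0x20

# Universal tags used by a SearchRequest.
T_BOOLEAN, T_INTEGER, T_OCTET_STRING, T_ENUMERATED, T_SEQUENCE = 0x01, 0x02, 0x04, 0x0A, 0x30

SCOPE = {"baseObject": 0, "singleLevel": 1, "wholeSubtree": 2}
# derefAliases: only derefAlways (3) is visible in this excerpt; the other
# names are the full enumeration from the module (assumption stated in prose).
DEREF = {"neverDerefAliases": 0, "derefInSearching": 1, "derefFindingBaseObj": 2, "derefAlways": 3}


def ber_length(n: int) -> bytes:
    """Definite-form length: one octet below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_uint(value: int, tag: int = T_INTEGER) -> bytes:
    """Non-negative INTEGER/ENUMERATED in minimal two's-complement form;
    a leading 0x00 is added whenever the top bit would otherwise be set."""
    if value < 0:
        raise ValueError("LDAP integers here are constrained to 0..maxInt")
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_string(s: str | bytes, tag: int = T_OCTET_STRING) -> bytes:
    return tlv(tag, s if isinstance(s, bytes) else s.encode("utf-8"))


def encode_filter(f) -> bytes:
    """Filter ::= CHOICE, given as nested tuples (this example's notation):
        ("and", [f1, ...]) / ("or", [f1, ...]) / ("not", f)
        ("=", attr, value) / (">=", attr, value) / ("<=", attr, value)
        ("present", attr)
    The assertion value is a single OCTET STRING: bytes like "*)(uid=*"
    are data, never filter syntax."""
    kind = f[0]
    if kind in ("and", "or"):
        if not f[1]:
            raise ValueError("SET SIZE (1..MAX): and/or need at least one filter")
        tag = CONTEXT | CONSTRUCTED | (0 if kind == "and" else 1)
        return tlv(tag, b"".join(encode_filter(sub) for sub in f[1]))
    if kind == "not":
        return tlv(CONTEXT | CONSTRUCTED | 2, encode_filter(f[1]))
    if kind in ("=", ">=", "<="):
        tag = CONTEXT | CONSTRUCTED | {"=": 3, ">=": 5, "<=": 6}[kind]
        # AttributeValueAssertion ::= SEQUENCE { attributeDesc, assertionValue }
        return tlv(tag, ber_string(f[1]) + ber_string(f[2]))
    if kind == "present":
        return tlv(CONTEXT | 7, f[1].encode("utf-8"))
    raise ValueError(f"unsupported filter kind {kind!r}")


def encode_search_request(base: str, scope: str, filt, attributes=(), *,
                          deref: str = "neverDerefAliases", size_limit: int = 0,
                          time_limit: int = 0, types_only: bool = False) -> bytes:
    """SearchRequest ::= [APPLICATION 3] SEQUENCE { ... }  (tag 0x63)."""
    body = (
        ber_string(base)
        + ber_uint(SCOPE[scope], T_ENUMERATED)
        + ber_uint(DEREF[deref], T_ENUMERATED)
        + ber_uint(size_limit)
        + ber_uint(time_limit)
        + tlv(T_BOOLEAN, b"\xff" if types_only else b"\x00")
        + encode_filter(filt)
        # AttributeSelection ::= SEQUENCE OF LDAPString; the SEQUENCE is
        # always present, an empty one asks for all user attributes.
        + tlv(T_SEQUENCE, b"".join(ber_string(a) for a in attributes))
    )
    return tlv(APPLICATION | CONSTRUCTED | 3, body)


def encode_unbind_request() -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL: primitive, empty content."""
    return tlv(APPLICATION | 2, b"")


def encode_abandon_request(message_id: int) -> bytes:
    """AbandonRequest ::= [APPLICATION 16] MessageID (an INTEGER)."""
    return ber_uint(message_id, APPLICATION | 16)


if __name__ == "__main__":
    # Constructed input: a username that would break "(uid=%s)" built as a
    # string is just an opaque assertion value in the encoded tree.
    untrusted = "*)(uid=*"
    req = encode_search_request(
        "dc=example,dc=com", "wholeSubtree",
        ("and", [("present", "objectClass"), ("=", "uid", untrusted)]),
        ["cn", "mail"])
    print(req.hex())
```

The encoder refuses an empty and/or because the ASN.1 says SET SIZE (1..MAX); a decoder on the server side should reject the same thing rather than treat an empty conjunction as "match everything".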
[skipping to change at line 3036 (draft -29) / line 3036 (draft -30)]

   - Recommended that servers not use attribute short names when they
     know they are ambiguous or may cause interoperability problems.
   - Removed all mention of ExtendedResponse due to lack of
     implementation.

C.1.19 Section 4.5.3 (Continuation References in the Search Result)

   - Made changes similar to those made to Section 4.1.11.

C.1.20 Section 4.5.3.1 (Example)

   - Fixed examples to adhere to changes made to Section 4.5.3.

C.1.21 Section 4.6 (Modify Operation)

   - Replaced AttributeTypeAndValues with Attribute as they are
     equivalent.
   - Specified the types of modification changes which might
     temporarily violate schema. Some readers were under the impression
     that any temporary schema violation was allowed.

[skipping to change at line 3086 (draft -29) / line 3087 (draft -30)]

   - Required servers to not dereference aliases for Compare. This was
     added for consistency with other operations and to help ensure
     data consistency.

C.1.25 Section 4.11 (Abandon Operation)

   - Explained that since Abandon returns no response, clients should
     not use it if they need to know the outcome.
   - Specified that Abandon and Unbind cannot be abandoned.

C.1.26 Section 4.12 (Extended Operation)

   - Specified how values of Extended operations defined in terms of
     ASN.1 are to be encoded.
   - Added instructions on what Extended operation specifications
     consist of.
   - Added a recommendation that servers advertise supported Extended
     operations.

C.1.27 Section 5.2 (Transfer Protocols)

End of changes.

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/