WDIFF

draft-ietf-asid-ldapv3-protocol-02.txt --> draft-ietf-asid-ldapv3-protocol-03.txt

Network Working Group M. Wahl
INTERNET-DRAFT Critical Angle Inc.
Obsoletes:
Replaces: RFC 1777, RFC 1798 T. Howes
Netscape Communications Corp.
S. Kille
ISODE Consortium
Expires in six months from 30 August 22 October 1996
Intended Category: Standards Track

Lightweight Directory Access Protocol (v3)
<draft-ietf-asid-ldapv3-protocol-02.txt>
<draft-ietf-asid-ldapv3-protocol-03.txt>

Table of Contents - see end of document.

1. Status of this Memo

This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

2. Abstract

The protocol described in this document is designed to provide access
to directories supporting the X.500 models, while not incurring the
resource requirements of the X.500 Directory Access Protocol (DAP). This
protocol is specifically targeted at management applications and browser
applications that provide read/write interactive access to directories.
When used with a directory supporting the X.500 protocols, it is
intended to be a complement to the X.500 DAP.

Key aspects of this version of LDAP are:

- All protocol elements of LDAP (RFC 1777) and CLDAP (RFC 1798) are
supported.

- Protocol elements are carried directly over TCP or other transport,
bypassing much of the session/presentation overhead. Connectionless
transport (UDP) is also supported for efficient lookup operations.

- Most protocol data elements can be encoded as ordinary strings
(e.g., Distinguished Names).

Wahl, Howes & Kille [Page 1]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

- New features have been added to enable more powerful clients, added, such as the abilities to retrieve
attribute values in binary or search results in pages.

Wahl, Howes, Kille [Page 1]

INTERNET-DRAFT LDAP August 1996

- Important features of X.500(1993) and X.500(1997) are included.

- Referrals to other servers may can be returned.

- The protocol may can be extended to support bilaterally-defined
operations.

- Several session controls may be requested by the client.

3. Models

Interest in X.500 [1] directory technologies in the Internet has lead to
efforts to reduce the high "cost of entry" associated with use of these
technologies. This document continues the efforts to define directory
protocol alternatives: it updates the LDAP [2] protocol specification,
adding support for new features, including some support for connecting
to X.500 services that implement the 1993 or 1997 edition protocols.

3.1. Protocol Model

The general model adopted by this protocol is one of clients
performing protocol operations against servers. In this model, a
client transmits a protocol request describing the operation to be
performed to a server, which is then responsible for performing
the necessary operation(s) in the directory. Upon completion of
the operation(s), the server returns a response containing any results or
errors to the requesting client.

In keeping with the goal of easing the costs associated with use of
the directory, it is an objective of this protocol to minimize the
complexity of clients so as to facilitate widespread deployment of
applications capable of utilizing the directory.

Note that, although servers are required to return responses whenever
such responses are defined in the protocol, there is no requirement
for synchronous behavior on the part of either clients or servers.
Requests and responses for multiple operations may be exchanged
between a client and server in any order, provided the client
eventually receives a response for every request that requires one.

In LDAP versions 1 and 2, no provision was made for protocol servers
returning referrals to clients. However, for improved performance and
distribution this version of the protocol permits servers to return to
clients referrals to other servers if requested. This allows servers,
if requested by clients, to offload the work of contacting other servers
to progress operations.

Clients may also request that no referrals be returned, in which case
the server must ensure that the operation is performed against the
directory, or else return an error. This is the default.

Wahl, Howes & Kille [Page 2]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

Note that this protocol can be mapped to a strict subset of the
X.500(1997) directory abstract service, so it can be cleanly provided
by the DAP. However there is not a one-to-one mapping between LDAP
protocol operations and DAP operations: server implementations
acting as a gateway to X.500 directories may need to make multiple DAP
requests to perform extended operations.

Wahl, Howes, Kille [Page 2]

INTERNET-DRAFT LDAP August 1996

3.2. Data Model

This section provides a brief introduction to the X.500 data model, as
used by LDAP.

The LDAP protocol assumes there are one or more servers which jointly
provide access to a Directory Information Tree. Tree (DIT). The tree is made up
of entries. Entries have names: one or more values from the entry itself
form its relative distinguished name, name (RDN), which must be unique among all
its siblings. The concatenation of the relative distinguished names
of the line of entries from a particular entry to an immediate
subordinate of the root of the tree forms that entry's Distinguished
Name,
Name (DN), which is unique in the tree. An example of a Distinguished
Name is

CN=Steve Kille, O=ISODE Consortium, C=GB

Some servers may hold cache or shadow copies of entries, which can be
used to answer search and comparison queries, but will return referrals
or contact other servers if modification operations are requested.

The largest collection of entries, starting an entry that is mastered by
a particular server, and all its subordinates and their subordinates,
down to an entry which is mastered by a different server, is termed a
naming context. For example, in the following sample DIT, one server
might master only the entry C=GB, and another server master both the
entries O=Foo,C=US and O=Bar,C=US. Each of these entries are in a separate
naming context. The root of the DIT is not an entry and not part of any
naming context.

(ROOT)
|
C=GB
/------------/ \--------------\
O=Foo O=Bar

3.2.1 Attributes of Entries

Entries consist of a set of attributes. An attribute is a type with
one or more associated values. The attribute type, identified by a
short descriptive name and an OID (object identifier), governs the
maximum number of values permissible for an attribute of that type
in an entry, the syntax to which the values must conform, the types
of matching which can be performed on values of that attribute, and
other functions.

Wahl, Howes & Kille [Page 3]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

An example of an attribute is "mail". There may be one or more values
of this attribute, they must be IA5 strings, and they are case
insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").

3.2.1 Attributes of Entries

Each entry must have an objectClass attribute. The objectClass
attribute specifies the object classes of an entry, which along with
the system and user schema determine the permitted attributes of an entry.
Values of this attribute may be modified by clients, but the objectClass
attribute cannot be removed. Servers may restrict the modifications of
this attribute to prevent the basic structural class of the entry from
being changed (e.g. one cannot change a person into a country).

Servers should not permit clients to add attributes to an entry unless
those attributes

A small number of attributes, termed operational attributes, are permitted used by
servers for administering the object class definitions, the user
schema controlling that entry (specified in the subschema subentry), directory system itself. They are not
returned in search results unless they were explicitly requested by name.
Attributes which are not operational, such as "mail", will have their
schema and syntax constraints enforced by servers, but servers will
generally not make use of their values.

Servers must not permit clients to add attributes to an entry unless
those attributes are permitted by the object class definitions, the
schema controlling that entry (specified in the subschema subentry - see
below), or are operational attributes known to that server and used for
administrative purposes. Note that there is a particular objectClass
'extensibleObject' defined in [5] which permits all user attributes. attributes
to be present in an entry.

Entries may contain, among others, the following operational attributes,
defined in [5], which if present should [5]. These attributes are maintained automatically by the
server are not be modifiable by clients:

- creatorsName: the Distinguished Name of the user who added this entry
to the directory.
- createTimestamp: the time this entry was added to the directory.
- modifiersName: the Distinguished Name of the user who last modified
this entry.
- modifyTimestamp: the time this entry was last modified.

Wahl, Howes, Kille [Page 3]

INTERNET-DRAFT LDAP August 1996
- subschemaSubentry: the Distinguished Name of the subschema subentry
which controls the schema for this entry.
- entryName: the Distinguished Name of the entry.

Servers may implement other operational attributes. Servers which
also make use of X.500(1993) protocols should will provide support for more of
the attributes defined in X.501, including administrativeRole and dseType.
Some servers may permit the retrieval of subschema attributes directly
from user entries.

3.2.2 Subschema Subentry

A subentry is a special kind of entry which is used by servers and holds
attributes for administering the directory system. Subentries are defined
in clause 11.6 of X.501 [6]. Subschema subentries are used for
administering information about the directory schema, in particular the
object classes and attribute types supported by directory servers.

Wahl, Howes & Kille [Page 4]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

A server may provide access to one or more subschema subentries to
permit clients to interrogate the schema which is in force for entries
in the directory.

A server which masters entries and permits clients to modify these
entries must implement and provide access to these subschema subentries,
so that its clients may discover the attributes and object classes which
are permitted to be present. It is strongly recommended that all other
servers implement subschema subentries as well.

The following four attributes, defined in [6] with string representations
in [5], must be present in all subschema subentries:

- CN: this attribute should must be used to form the RDN of the subschema
subentry.
- objectClass: the attribute should must have at least the values "top" and
"subschema".
- objectClasses: each value of this attribute specifies an object class
known to the server.
- attributeTypes: each value of this attribute specifies an attribute
type known to the server.

Other operational attributes may be present in subschema subentries,
in particular dseType, subtreeSpecification, ditStructureRules, nameForms,
ditContentRules, matchingRules, matchingRuleUse, createTimestamp,
creatorsName, modifyTimestamp, modifiersName, entryName, as described in
[6].

Clients must only retrieve these attributes from a subentry by requesting
them by name in a baseObject search of the subentry.

3.3. Relationship to X.500

This document defines LDAP in terms of X.500 as an X.500 access
mechanism. An LDAP server should must act in accordance with the
X.500(1993) series of ITU Recommendations when providing the service.
However, it is not required that an LDAP server make use of any X.500
protocols in providing this service, e.g. LDAP can be mapped onto any
other directory system so long as the X.500 data and service model as
used in LDAP is not violated in the LDAP interface.

Wahl, Howes, Kille [Page 4]

INTERNET-DRAFT LDAP August 1996

3.4. Server-specific Data Requirements

An LDAP server must provide information about itself and other
information that is specific to each server. This is represented as a
number of attributes located in the root DSE (DSA-Specific Entry),
which is named with the zero-length LDAPDN. These attributes
should be
are retrievable if a client performs a base object search of the
root, however they are subject to access control restrictions.
They should must not be included if the client performs a subtree search
starting from the root. The server may, but need not, Servers in general will not allow the client clients to
modify these attributes.

Wahl, Howes & Kille [Page 5]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

The following attributes of the root DSE are defined in section 5.1.3 of
[5]. Additional attributes may be defined in later documents.

- administratorAddress: a URL containing address of administrator.
- currentTime: the current time.
- serverName: the Distinguished Name of the server.
- certificationPath: the server's certificate path.
- namingContexts: naming contexts held in the server.
- subschemaSubentry: subschema subentries known by this server.
- altServer: alternative servers in case this one is later unavailable.
- supportedExtension: list of supported extensions. extended operations.
- supportedControl: list of supported session controls.

If the server does not master or shadow entries and does not know the
locations of schema information, the subschemaSubentry attribute should must
not be present in the root DSE. If the server holds master or shadow
copies of directory entries under one or more schema rules, there may be
any number of values of the subschemaSubentry attribute in the root DSE.

4. Elements of Protocol

The LDAP protocol is described using Abstract Syntax Notation 1 [3]. It
is typically transferred using a subset of the Basic Encoding Rules.
In order to support future extensions to this protocol, clients and
servers should must ignore elements of SEQUENCEs whose tags they do not
recognize.

Note that unlike X.500, each change to the LDAP protocol other than through
the extension mechanisms will have a different version number. A client
may
will indicate the version it supports as part of the bind request,
described in section 4.1.2. If a client has not sent a bind, the server
should
MUST assume that version 3 is supported in the client (since version 2
required that the client bind first).

4.1. Common Elements

This section describes the LDAPMessage envelope PDU format, as well as
data type definitions which are used in the protocol operations.

4.1.1. Message Envelope

For the purposes of protocol exchanges, all protocol operations are
encapsulated in a common envelope, the LDAPMessage, which is defined
as follows:

Wahl, Howes, Howes & Kille [Page 5] 6]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

LDAPMessage ::= SEQUENCE {
messageID MessageID,
cldapUserName LDAPDN OPTIONAL,
protocolOp CHOICE {
bindRequest BindRequest,
bindResponse BindResponse,
unbindRequest UnbindRequest,
searchRequest SearchRequest,
searchResEntry SearchResultEntry,
searchResDone SearchResultDone,
searchResRef SearchResultReference,
searchResFull SearchResultFull,
modifyRequest ModifyRequest,
modifyResponse ModifyResponse,
addRequest AddRequest,
addResponse AddResponse,
delRequest DelRequest,
delResponse DelResponse,
modDNRequest ModifyDNRequest,
modDNResponse ModifyDNResponse,
compareRequest CompareRequest,
compareResponse CompareResponse,
abandonRequest AbandonRequest,
sessionRequest SessionRequest,
sessionResponse SessionResponse,
resumeRequest ResumeRequest,
resumeError ResumeError,
extendedReq ExtendedRequest,
extendedResp ExtendedResponse } }

MessageID ::= INTEGER (0 .. maxInt)

maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

The function of the LDAPMessage is to provide an envelope containing
common fields required in all protocol exchanges. At this time the
only common fields are the message ID and cldapUserName.

The message ID value must be echoed in all

All LDAPMessage envelopes encapsulating responses corresponding to contain the messageID
value of the request contained in
the LDAPMessage in which the message ID value was originally used. LDAPMessage.

The message ID is required to have a value different from the values of
any other requests outstanding in the LDAP session of which this
message is a part. A client must not send a second request with the same
message ID as another request if the first request is outstanding.
If it does so, the behavior is undefined. Typically a client will
increment a counter for each request.

For all requests except for a search with a pageSizeLimit, search, unbind and abandon, the message ID is
outstanding until the client receives the final response for that operation.

For searchRequest with a pageSize limit, if the client did searchRequest which has not receive a
SearchResultDone for that search indicating all results were received, been abandoned, the message ID is
outstanding until after the operation SearchResultDone for that search is abandoned. received.

Wahl, Howes, Howes & Kille [Page 6] 7]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

A client must not reuse the message id of an abandonRequest or the
abandoned operation until it has received a response from the server for
another request invoked subsequent to the abandonRequest, as the
abandonRequest itself does not have a response.

The cldapUserName identifies the requesting user for this message. It
is only present for backwards compatability compatibility with RFC 1798, if this
LDAPMessage is carried in a connectionless transport protocol, such as UDP.
Its significance is equivalent to a bind with a zero-length password.
When the LDAP session is carried in a connection-oriented transport
protocol this field must be absent. LDAPv3 client implementors should must not
use this field in connectionless requests, but instead concatenate a bind
request with the other operations in the request. Concatenation and
connectionless transport are described in section 5.1.3.

4.1.2. String Types

The LDAPString is a notational convenience to indicate that, although
strings of LDAPString type encode as OCTET STRING types, the Unicode ISO 10646
[15] character set (a superset of Unicode) is used, encoded following the
UTF-8 algorithm [16]. Note that in the UTF-8 algorithm, characters which
are the same as ASCII (0000 through 007F) are represented as that same
ASCII character in a single byte. The other byte values are used to form
a variable-
length variable-length encoding of an arbitrary Unicode character.

LDAPString ::= OCTET STRING

The LDAPOID is a notational convenience to indicate that the permitted
value of this string is a dotted-decimal representation of an OBJECT
IDENTIFIER.

LDAPOID ::= OCTET STRING

For example,
1.3.6.1.4.1.1466.1.2.3

4.1.3. Distinguished Name and Relative Distinguished Name

An LDAPDN and a RelativeLDAPDN are respectively defined to be the
representation of a Distinguished Name and a Relative Distinguished
Name after encoding according to the specification in [4], such that

<distinguished-name> ::= <name>

<relative-distinguished-name> ::= <name-component>

where <name> and <name-component> are as defined in [4].

LDAPDN ::= LDAPString

RelativeLDAPDN ::= LDAPString

Only Attribute Types can be present in a relative distinguished name
component; the options of Attribute Descriptions (next section) must
not be used in specifying distinguished names.

Wahl, Howes, Howes & Kille [Page 7] 8]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

4.1.4. Attribute Type and Description

An AttributeType takes on as its value the textual string associated
with that AttributeType in its specification. This string must begin
with a letter, and only contain ASCII letters and digit characters.
If this string is not known, the AttributeType should will take the ASCII
representation of its OBJECT IDENTIFIER, as decimal digits with
components separated by periods, e.g., "2.5.4.10". The attribute type
strings which are used in this version of LDAP are described in [5].
They are case insensitive.

AttributeType ::= LDAPString

An AttributeDescription is a superset of the definition of the
AttributeType. It has the same ASN.1 definition, but allows additional
options to be specified. They are also case insensitive.

AttributeDescription ::= LDAPString

A value of AttributeDescription is based on the following BNF:

<AttributeDescription> ::= <AttributeType> [ ";" <options> ]

<language-option> ::= "lang=" <lang-code>

<lang-code> ::= <printable-ascii> -- as defined in [17]

<binary-option> ::= "binary"

<dynamic-option> ::= "dynamic"

If the "binary" option is present, this overrides any string-based
encoding representation defined for that attribute in [5]. Instead the
attribute is to be transferred as a DER-encoded an encoded binary value [11].

If the "lang=" option is present, this associates a natural language
with values for that attribute. The binary and language tags options may both
be present in an AttributeDescription. The format and use of language
tags in LDAP is defined in [17].
(The language tag code has no effect on the character set encoding for string
representations of DirectoryString syntax values; UTF-8 is always used).

If the "dynamic" option is present, this implies that the values are not
permanent parts of the directory entry and may disappear unexpectedly.

Wahl, Howes & Kille [Page 9]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

Examples of valid AttributeDescription:

CN
givenName;lang=en-US
CN;lang=ja-JP-kanji
CN;lang=ja-JP-roman
CN;lang=ja-JP-romaji
userCertificate;binary
1.3.6.1.4.1.1466.99.98.97;binary

Wahl, Howes, Kille [Page 8]

INTERNET-DRAFT LDAP August 1996
1.3.6.1.4.1.1466.99.98.97;binary;dynamic

An AttributeDescription with one or more options is treated as a subtype of
the attribute without any options. Options are never exclusive and may be
listed in any order. Not all options are applicable not every attribute,
however.

For example, if a client requests a "description" attribute, the server
may return an attribute "description;lang=fr". However if the client
requests a "description;lang=en", the server must not return "description"
or "description;lang=fr", but may return "description;lang=en;dynamic".

Later documents may define additional options.

The data type "AttributeDescriptionList" describes a list of 0 or more
attribute types. (A list of zero elements has special significance in
the Search request.)

AttributeDescriptionList ::= SEQUENCE OF
AttributeDescription

4.1.5. Attribute Value

A field of type AttributeValue takes on as its value either an octet string
encoding of a AttributeValue data type, or an OCTET STRING containing
a DER-encoded
an encoded binary value, depending on whether the "binary" option is
present in the companion AttributeDescription to this AttributeValue.

The definition of string encodings for different syntaxes and types may
be found in companions to this document, in particular [5].

AttributeValue ::= OCTET STRING

Note that there is no defined limit on the size of this encoding; thus
PDUs including multi-megabyte attributes (e.g. photographs) may be
returned. If the client has limited memory or storage capabilities it
may wish to set the attrSizeLimit session control before invoking a
search operation.

Clients and server implementors should be aware that attributes whose
type names they do not recognize may have an arbitrary and non-printable
syntax. Implementations should must not either simply display or attempt to
decode as DER ASN.1 a value if its syntax is not known. The implementation
may attempt to discover the subschema subentry and retrieve the value of
attributeTypes from it.

4.1.6. Attribute Value Assertion

The AttributeValueAssertion type definition is similar to

Wahl, Howes & Kille [Page 10]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

4.1.6. Attribute Value Assertion

The AttributeValueAssertion type definition is similar to the one in
the X.500 directory standards. It contains an attribute description
and a equality matching assertion suitable for that type.

AttributeValueAssertion ::= SEQUENCE {
attributeDesc AttributeDescription,
assertionValue AssertionValue }

AssertionValue ::= OCTET STRING

If the "binary" option is present in attributeDesc, this signals to the
server that the assertionValue is a binary DER encoding of the assertion
value.

For all the string-valued user attributes described in [5], the assertion
value syntax is the same as the value syntax. Note however that the
assertion syntax may be different than the value syntax for operational
attributes or for non-equality matching rules.

Wahl, Howes, Kille [Page 9]

INTERNET-DRAFT LDAP August 1996

4.1.7. Attribute

An attribute consists of a type and one or more values of that type.
(Though attributes must have at least one value when stored, due to
access control restrictions the set may be empty when transferred
in protocol. This is described in section 4.5.2, concerning the
PartialAttributeList type.)

Attribute ::= SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }

4.1.8. Matching Rule Identifier

An X.501(1993) Matching Rule is identified in the LDAP protocol by the
ASCII representation of its OBJECT IDENTIFIER, either as one of the
strings given in [5], or as decimal digits with components separated by
periods, e.g. "caseIgnoreIA5Match" or "1.3.6.1.4.1.453.33.33".

MatchingRuleId ::= LDAPString

4.1.9. Result Message

The LDAPResult is the construct used in this protocol to return
success or failure indications from servers to clients. In response
to various requests, servers will return responses containing fields
of type LDAPResult to indicate the final status of a protocol
operation request.

Wahl, Howes, Howes & Kille [Page 10] 11]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

LDAPResult ::= SEQUENCE {
resultCode ENUMERATED {
success (0),
operationsError (1),
protocolError (2),
timeLimitExceeded (3),
sizeLimitExceeded (4),
compareFalse (5),
compareTrue (6),

authMethodNotSupported (7),
strongAuthRequired (8),
-- 9 reserved --
referral (10), -- new
adminLimitExceeded (11), -- new
unavailableCriticalExtension (12), -- new
-- 13-15 unused --
noSuchAttribute (16),
undefinedAttributeType (17),
inappropriateMatching (18),
constraintViolation (19),
attributeOrValueExists (20),
invalidAttributeSyntax (21),
-- 22-31 unused --
noSuchObject (32),
aliasProblem (33),
invalidDNSyntax (34),
-- 35 reserved for undefined isLeaf --
aliasDereferencingProblem (36),
-- 37-47 unused --
inappropriateAuthentication (48),
invalidCredentials (49),
insufficientAccessRights (50),
busy (51),
unavailable (52),
unwillingToPerform (53),
loopDetect (54),
-- 55-63 unused --
namingViolation (64),
objectClassViolation (65),
notAllowedOnNonLeaf (66),
notAllowedOnRDN (67),
entryAlreadyExists (68),
objectClassModsProhibited (69),
resultsTooLarge (70), -- cl only
affectsMultipleDSAs (71), -- new
-- 72-79 unused --
other (80) },
-- 81-90 reserved for APIs --
matchedDN LDAPDN,
errorMessage LDAPString,
referral [3] Referral OPTIONAL }

Wahl, Howes, Howes & Kille [Page 11] 12]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

All the result codes with the exception of success, compareFalse and
compareTrue are to be treated as meaning the operation could not be
completed in its entirety. If a client receives a result code which
is not listed above, it is to be treated as an unknown error condition.

The errorMessage field of this construct may, at the servers option,
be used to return a string containing a textual, human-readable
error diagnostic. As this error diagnostic is not standardized,
implementations should must not rely on the values returned. If the server
chooses not to return a textual diagnostic, the errorMessage field of
the LDAPResult type should must contain a zero length string.

For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax
and aliasDereferencingProblem, the matchedDN field is set to
the name of the lowest entry (object or alias) in the DIT that was
matched. If no aliases were dereferenced while attempting to locate
the entry, this will be a truncated form of the name provided.
The matchedDN field should is to be set to a NULL DN (a zero length
string) with all other result codes.

4.1.10. Referral

The referral field is present in an LDAPResult if the
LDAPResult.resultCode field value is referral, and absent with all other
result codes. It contains a reference to another server (or set of
servers) which may be accessed via LDAP or other protocols.
At least one LDAPURL must be present in the Reference.

Referral ::= SEQUENCE OF LDAPURL

LDAPURL ::= LDAPString -- limited to characters permitted in URLs

The client may contact any of the listed URLs [14] of servers to
continue the request. Each server in the list must be capable of
processing the operation and presenting a consistent view of the DIT to
the client. (The mechanisms for how servers achieve this are outside
the scope of this document.)

URLs for servers implementing the LDAP protocol are written according
to [9]. If an alias was dereferenced, the dn part of the URL should must
be present, with the new target object name. If this is present,
the client should must use this name in its next request, otherwise request to progress this search,
and if it
should is not present the client will use the same name as in the
original request. Some servers (e.g. participating in distributed indexing)
may change the filter in a referral for a search operation. If the filter
part of the URL is present in an LDAPURL, the client should must use this filter
in its next
request, otherwise request to progress this search, and if it should is not present the
client use the same filter as it used for that search.

Note that UTF-8 characters appearing in a DN or search filter may not
be legal for URLs (e.g. spaces) and must be escaped using the % method
in RFC 1738.

Wahl, Howes & Kille [Page 13]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

Other kinds of URLs may be returned so long as the operation could be
performed using that protocol, and the client has indicated (in a session
control) that it could support that protocol.

If the client has not indicated that it is capable of handling referrals,
the server should must attempt to progress the referral on behalf of the client.
Only if it fails to do so may it return a referral, and the URLs in this
referral must be of the LDAP form.

Wahl, Howes, Kille [Page 12]

INTERNET-DRAFT LDAP August 1996

4.2. Bind Operation

The function of the Bind Operation is to allow authentication information
to be exchanged between the client and server.

The Bind Request is defined as follows:

BindRequest ::= [APPLICATION 0] SEQUENCE {
version INTEGER (1 .. 127),
name LDAPDN,
authentication AuthenticationChoice }

AuthenticationChoice ::= CHOICE {
simple [0] OCTET STRING,
-- 1 and 2 reserved
sasl [3] SaslCredentials }

SaslCredentials ::= SEQUENCE {
mechanism LDAPString,
credentials OCTET STRING }

Parameters of the Bind Request are:

- version: A version number indicating the version of the protocol to
be used in this protocol session. This document describes version
3 of the LDAP protocol. Note that there is no version negotiation,
and the client should just set this parameter to the version it
desires. The client may request version 2, in which case the server
must implement only the protocol as described in [2], and not
return any v3-specific result codes or protocol fields.

- name: The name of the directory object that the client wishes to
bind as. This field may take on a null value (a zero length
string) for the purposes of anonymous binds, when authentication
has been performed at a lower layer, or when using SASL credentials
with a mechanism that includes the LDAPDN in the credentials.

- authentication: information used to authenticate the name, if any,
provided in the Bind Request.

Upon receipt of a Bind Request, a protocol server will authenticate
the requesting client, if necessary. The server will then return a
Bind Response to the client indicating the status of the authentication.

Wahl, Howes & Kille [Page 14]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

4.2.1. Sequencing of the Bind Request

For some authentication mechanisms, it may be necessary for the client
to invoke the BindRequest multiple times. If at any stage the client
wishes to abort the bind process it should drop the underlying
connection. Clients must not invoke operations between two Bind requests
made as part of a multi-stage bind.

Wahl, Howes, Kille [Page 13]

INTERNET-DRAFT LDAP August 1996

Unlike LDAP v2, the client need not send a Bind Request in the first
PDU of the connection. The client may request any operations and the
server should must treat these as unauthenticated (or (unless authentication may have has
already occured occurred at a lower layer). If the server requires that the
client bind first, the server should must reject any request other than
binding or unbinding with the "operationsError" result. If the
client did not bind before sending a request and receives an
operationsError, it should must close the connection, reopen it and begin
again by first sending a PDU with a Bind Request. This will aid in
interoperating with LDAPv2 servers. servers implementing other versions of LDAP.

Clients may send multiple bind requests on an association to change
their credentials. A subsequent bind process has the effect of abandoning
all search, compare search and resume compare operations outstanding.
Authentication or controls from earlier binds are subsequently ignored, and
so if the bind fails, the connection will be treated as anonymous.
Clients should must resend their session controls if needed after rebinding,
as session controls may be reset to defaults by servers.

4.2.2 Authentication and Other Security Services

The simple authentication option provides minimal authentication
facilities, with the contents of the authentication field consisting
only of a cleartext password. Note that the use of cleartext passwords
is not recommended over open networks when there is no authentication or
encryption being performed by a lower layer; see the "Security
Considerations section".
Considerations" section.

If no authentication is to be performed, or has been performed at a
lower layer, then the simple authentication option should be chosen,
and the password be of zero length. (This is often done by LDAPv2
clients.)

The sasl choice allows for any mechanism defined for use with SASL [18] [17]
or listed in Appendix B to be used. The mechanism field contains the
name of the mechanism. The credentials field contains the arbitrary data
used for authentication, inside an OCTET STRING wrapper. Note that unlike
some Internet application protocols where SASL is used, LDAP is not
text-based, thus no base64 transformations are performed on the credentials.

If any SASL-based integrity or confidentiality services are enabled, they
take effect following the transmission by the server and reception by
the client of the final BindResponse with resultCode success.

Wahl, Howes & Kille [Page 15]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

4.2.3. Bind Response

The Bind Response is defined as follows.

BindResponse ::= [APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
supportedVersion [5] INTEGER (1..127) OPTIONAL,
serverURL [6] LDAPURL OPTIONAL,
serverCreds [7] AuthenticationChoice OPTIONAL }

A BindResponse consists simply of an indication from the server of
the status of the client's request for authentication.

Wahl, Howes, Kille [Page 14]

INTERNET-DRAFT LDAP August 1996

If the bind was successful, the resultCode will be success,
otherwise it will be one of:

operationsError
protocolError
authMethodNotSupported
strongAuthRequired
referral
inappropriateAuthentication
invalidCredentials
unavailable
unavailableCriticalExtension

If the client receives a BindResponse response where the resultCode was
protocolError and the supportedVersion field is absent, it should must close
the connection as the server will be unwilling to accept further
operations. (This is for compatability compatibility with earlier versions of LDAP.)

The serverURL contains the URL of this LDAP server, if it wishes to
provide an "authoritative" URL for itself. Typically this will be a
URL of the "ldap:" type, indicating the official host name, and the
name part of the URL will contain the encoded name of the server itself.
The serverCreds are used as part of a SASL-defined bind mechanism; to
allow the client to authenticate the server to which it is communicating,
or to perform "challenge-response" authentication. If the client
bound with the password choice, or the SASL mechanism does not require
the server to return information to the client, then this field is not
to be included in the result.

The supportedVersion field contains the minimum of the version supplied
by the client in the BindRequest and the highest version of LDAP supported
in the server. If the client and server both implement the protocol
described in this document it will have the value 3. This field
should
will be absent when responding to a version 2 or earlier client.

Wahl, Howes & Kille [Page 16]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

4.3. Unbind Operation

The function of the Unbind Operation is to terminate a protocol
session. The Unbind Operation is defined as follows:

UnbindRequest ::= [APPLICATION 2] NULL

The Unbind Operation has no response defined. Upon transmission of an
UnbindRequest, a protocol client may assume that the protocol session
is terminated. Upon receipt of an UnbindRequest, a protocol server
may assume that the requesting client has terminated the session and
that all outstanding requests may be discarded, and may close the
connection. All session controls will be forgotten and search result
caches will be cleared when a connection closes.

4.4. Session Control Operation

SessionRequest ::= [APPLICATION 17] Controls

SessionResponse ::= [APPLICATION 18] SEQUENCE {
COMPONENTS OF LDAPResult,
unsupportedCtls [12] SEQUENCE OF LDAPString }

Wahl, Howes, Kille [Page 15]

INTERNET-DRAFT LDAP August 1996

Controls ::= SEQUENCE OF SEQUENCE {
controlType LDAPString,
criticality BOOLEAN DEFAULT FALSE,
controlValue OCTET STRING }

Session Controls are requests made by the client which affect its
interaction with the server. Controls are not saved after a session
unbinds or disconnects abruptly, and do not affect other sessions to
this or other servers. Session controls do not affect operations which
have already been requested on this connection, e.g. if the client sends
a search request and subsequently sends a sessionControlRequest while the
server is in the middle of sending responses, the session controls which
were in force when the search operation began should continue to still apply for all the
results of that search. search until the SearchResultDone is returned.

Session controls are not cumulative, and a session request will
override all session controls which were set by a previous request.
If a control was set on a previous request and was not mentioned in
a subsequent request, it will be reset by the server to its default
value. (This permits session controls, such as supportedProtocol, to
have multiple values.)

If the server is not capable of setting one or more requested controls,
it should set as many as possible. If any of the controls which the
server could not set are marked as critical, it should must return the
unavailableCriticalExtension error.

The controlType field must either be a string defined in this section,
or a dotted-decimal representation of an OBJECT IDENTIFIER. This will
aid in preventing conflicts between privately-defined control extensions.
String names are case insensitive.

Wahl, Howes & Kille [Page 17]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

The following controls have been defined:
-

NAME CRITICAL? VALUE CONTAINS DEFAULT
=================== ================ =============== =============
attrSizeLimit
- clients option integer no limit
dontUseCopy
- clients option boolean FALSE
usePartialCopy
- clients option boolean FALSE
referringServer
- non-critical URL none
chainingProhibited
- clients option boolean FALSE
supportedProtocol
- non-critical protocol name none
useAliasOnUpdate
- clients option boolean FALSE
manageDsaIT
- critical boolean FALSE
preferredLanguage non-critical string no preference

The attrSizeLimit control may be critical or non-critical at the client's
request. The value field contains either an empty string, implying no
limit, or a string representation of a positive integer, e.g. "10000".
The default if this control is not present is that there is no limit.
The attrSizeLimit number is a size in bytes of the largest encoded value
which the client is capable of processing. Servers should not return
attribute values in a search response which are larger than this size.
(If attribute values are excluded because of this control, the
incompleteEntry field should attribute must be set to present with the value TRUE in the
SearchResultEntry).

The dontUseCopy control may be critical or non-critical at the client's
request. The value field contains either "TRUE" or "FALSE". To aid
interoperability with LDAPv2 clients, the
The default if this control is not set is "FALSE". This control only
affects the Search and Compare operations.
Wahl, Howes, Kille [Page 16]

INTERNET-DRAFT LDAP August 1996 If present and set to "TRUE",
servers should not make use of information from cached or shadowed
copies of entries in these operations. This control overrides any
setting of the usePartialCopy control.

The usePartialCopy control may be critical or non-critical at the client's
request. The value field contains either "TRUE" or "FALSE". To aid
interoperability with LDAPv2 clients, the
The default if this control is not set is "FALSE". This control only
affects the Search and Compare
operations when dontUseCopy operations. If the dontUsecopy control is "FALSE".
set to "TRUE", this control is ignored. If usePartialCopy is present and
set to "TRUE", then if a contacted server holds at least one requested attribute in a
shadow or
at least one subtype cached copy of a requested attribute type in an entry, then that entry may be used to satisfy
the request, even if not all the requested attributes are in the shadowed
copy. If FALSE this control is "FALSE" and dontUseCopy is also "FALSE", the
server must not return attributes from a an incomplete shadow copy of an
entry unless none of the requested attributes or their subtypes were
excluded from the shadow copy. (How servers replicate information and
configure shadowing is outside the scope of this specification.)

The referringServer control is always non-critical. The value field
contains the URL of another server which referred an operation to this
server. This control should must only be present if the connection is being
made only to process a referral. If the connection will be held open to
handle referrals from multiple servers this control should must be omitted.
There is no protocol effect of this control; it is used to assist in
tracing knowledge inconsistencies in the distributed directory.

Wahl, Howes & Kille [Page 18]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

The chainingProhibited control may be critical or non-critical at the
client's request. The value should must be either "TRUE" or "FALSE". To aid
interoperability with LDAPv2 clients, the default if this control is not
set is "FALSE". If this control is present and set to "TRUE", the
server should must not contact any other servers as part of processing operations
requested by this client, if it would be possible to instead
return to the client a referral. If the server is a gateway to X.500,
and DAP is not a supported client referral protocol (see next paragraph),
the server should must set the chainingProhibited service control on any DAP
or DSP requests it makes.

The supportedProtocol control is always non-critical. The field is
a string name of a protocol which the client implements. The name of
the protocol may be "ldap", "cldap", "dap", any IANA-assigned protocol
name or URL mechanism, or "*" to indicate that any type of referral may
be returned. If this control is present, a server should must return a
referral, rather than itself chain to another server using one of the
indicated protocol. This control may be present multiple times in a
session control if the client wishes to name multiple protocols it
supports.

If the supportedProtocol control is absent and the server is capable of
contacting other servers, then it should return must not return results with
referrals, as described in 4.1.10, or SearchResultContinuation, as
described in 4.5.3. If however 4.5.3, unless the server is not capable of contacting
other servers, in which case it may return a referral or continuation
containing a URL of type "LDAP".

It is recommended that clients, as a minimum, support LDAP referrals,
and set the supportedProtocol control to be "ldap".

Wahl, Howes, Kille [Page 17]

INTERNET-DRAFT LDAP August 1996

The useAliasOnUpdate control may be critical or non-critical at the
client's request. The value should must be either "TRUE" or "FALSE". To
aid interoperability with LDAPv2 clients, the default if this control
is not set is "FALSE". If present and set to TRUE, the server should must
permit alias names to be used as components of a Distinguished Name in
Add, Modify and Delete operations. If the server is a gateway to X.500,
it should must set the useAliasOnUpdate critical extension on any DAP/DSP
AddEntry, ModifyEntry and RemoveEntry requests it makes if this
control is "TRUE". This control does not affect the ModifyDN operation,
which only allows Distinguished Names to be provided.

The manageDsaIT control is always critical. The value should must be either
"TRUE" or "FALSE". The default, if this control is not set, is "FALSE".
This control affects the name resolution behavior of the server to
permit a manager to read and modify knowledge references and other
X.500 server-specific attributes. If the server is a gateway to
X.500, it should must set the manageDsaIT critical extension, as well as the
appropriate common arguments, on any DAP/DSP requests it makes, based on
this control.

The preferredLanguage control is always non-critical.

Wahl, Howes & Kille [Page 19]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

The preferredLanguage control is always non-critical. The use of this
control and its impact on the directory is will be defined in [17]. future drafts.
The default if this control is not set, is that there is no preferred
language.

4.5. Search Operation

The Search Operation allows a client to request that a search be
performed on its behalf by a server. This can be used to read attributes
from a single entry, or a whole subtree of entries.

4.5.1. Search Request

The Search Request is defined as follows:

SearchRequest ::= [APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2) },
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3) },
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
typesOnly BOOLEAN,
filter Filter,
attributes AttributeDescriptionList,
pageSizeLimit [0] INTEGER OPTIONAL,
sortKeys [1] SortKeyList OPTIONAL,
prevSearchId [2] MessageID OPTIONAL,
startLocation [3] INTEGER OPTIONAL }

SortKeyList ::= SEQUENCE OF SEQUENCE {
attributeType AttributeType,
orderingRule [0] MatchingRuleId OPTIONAL,
reverseOrder [1] BOOLEAN DEFAULT FALSE }

Wahl, Howes, Kille [Page 18]

INTERNET-DRAFT LDAP August 1996

Filter ::= CHOICE {
and [0] SET OF Filter,
or [1] SET OF Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeType,
approxMatch [8] AttributeValueAssertion,
extensibleMatch [9] MatchingRuleAssertion }

Wahl, Howes & Kille [Page 20]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

SubstringFilter ::= SEQUENCE {
type AttributeDescription,
-- at least one must be present
substrings SEQUENCE OF CHOICE {
initial [0] LDAPString,
any [1] LDAPString,
final [2] LDAPString } }

MatchingRuleAssertion ::= SEQUENCE {
matchingRule [1] MatchingRuleId OPTIONAL,
type [2] AttributeType OPTIONAL,
matchValue [3] AssertionValue,
dnAttributes [4] BOOLEAN DEFAULT FALSE }

Parameters of the Search Request are:

- baseObject: An LDAPDN that is the base object entry relative to
which the search is to be performed.

- scope: An indicator of the scope of the search to be performed. The
semantics of the possible values of this field are identical to the
semantics of the scope field in the X.511 Search Operation.

- derefAliases: An indicator as to how alias objects should are to be be
handled in searching. The semantics of the possible values of
this field are:

neverDerefAliases: do not dereference aliases in searching
or in locating the base object of the search;

derefInSearching: dereference aliases in subordinates of
the base object in searching, but not in locating the
base object of the search;

derefFindingBaseObject: dereference aliases in locating
the base object of the search, but not when searching
subordinates of the base object;

derefAlways: dereference aliases both in searching and in
locating the base object of the search.

- sizelimit: A sizelimit that restricts the maximum number of entries
to be returned as a result of the search. A value of 0 in this
field indicates that no sizelimit restrictions are in effect for
the search.

Wahl, Howes, Kille [Page 19]

INTERNET-DRAFT LDAP August 1996

- timelimit: A timelimit that restricts the maximum time (in seconds)
allowed for a search. A value of 0 in this field indicates that no
timelimit restrictions are in effect for the search.

- typesOnly: An indicator as to whether search results should will contain
both attribute types and values, or just attribute types. Setting
this field to TRUE causes only attribute types (no values) to be
returned. Setting this field to FALSE causes both attribute types
and values to be returned.

Wahl, Howes & Kille [Page 21]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

- filter: A filter that defines the conditions that must be fulfilled
in order for the search to match a given entry. The 'and', 'or' and
'not' choices may be used to form boolean combinations of filters. At
least one filter element must be present in an 'and' or 'or'
choice. The others match against individual attribute values of
entries in the scope of the search.

The extensibleMatch is new in this version of LDAP. If the
matchingRule field is absent, the type field must be present, and
the equality match is performed for that type. If the type field is
absent and matchingRule is present, the matchValue is compared
against all attributes in an entry which support that matchingRule,
and the matchingRule determines the syntax for the assertion value.
If the type field is present and matchingRule is present, the
matchingRule must be one permitted for use with that type.
If the dnAttributes field is set to TRUE, the match is applied
against all the attributes in an entry's distinguished name as
well. (Editors note: The dnAttributes field is present so that there
does not need to be multiple versions of generic matching rules such as
wordMatch, one to apply to entries and another to apply to entries and
dn attributes as well).

- attributes: A list of the attributes from each entry found as a
result of the search to be returned. An empty list signifies that
all user attributes from each entry found in the search are to be
returned, as does the special attribute description string "*". (the
latter technique allows the client to request all user attributes
along with selected operational attributes). If the client does not
want any attributes returned, it can request only the attribute with
OID "1.1". Attributes should must be named at most once in the list, and
are returned at most once in an entry.

Client implementors should note that even if all user attributes are
requested, some attributes of the entry may not be included in search
results due to access control restrictions. Furthermore, servers
will not return operational attributes, such as modifyRights or
attributeTypes, unless they are listed by name, since there may be
extremely large number of values for certain operational attributes.
(A list of operational attributes for use in LDAP is given in [5].)

- pageSizeLimit: if present, then if more entries are to be returned than
the pageSizeLimit, the server should must return only as many as this limit
before returning the SearchResultDone response. It must cache all of
the resulting entries from this search, at least until the next
(non-resume) operation is invoked. The server may cache all the
results for as long as the lifetime of the association, although if
server resources are limited it may clear the cache after the next
(non-resume) operation is invoked.
Wahl, Howes, Kille [Page 20]

INTERNET-DRAFT LDAP August 1996

If a pageSizeLimit was set and reached during the search, the client
will be able to request more of the entries using the ResumeRequest,
and the cached results can be cleared by the client sending the Abandon
operation for this search message id. If the same or fewer
entries than this limit are to be returned, the server should must return all
the entries and the SearchResultDone response, and need not cache the result. response.

The pageSizeLimit does not affect SearchResultReference responses, which
are not counted as entries and of which any number may be returned by the
server.

If operating over connectionless data transport, the client must not
set this field.

- sortKeys:

Wahl, Howes & Kille [Page 22]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

If this field is present, then it specifies one or more
attribute types and matching rules, a pageSizeLimit was set and reached during the returned entries should search, the client
will be sorted in order able to request more of the entries using a subsequent
SearchRequest with the prevSearchId field present.

It is strongly recommended that clients include the sortKeys field when
including this field.

- sortKeys: If this field is present, then it specifies one or more
attribute types and matching rules, and the returned entries must
be sorted in order based on these types. If the reverseOrder field is
set to TRUE, then the entries will be presented in reverse sorted
order.

Only if the server does not recognize any of the attribute types, or the
ordering rule associated with an attribute type is not applicable, or
none of the attributes in the search responses are of these types,
then the sortKeys field is not used and result entries are returned
in random order.

If the server does not support sorting with the requested attributes
or matching rules, then it must return only protocolError (which is what
an LDAPv2 server would return), undefinedAttributeType or
inappropriateMatching and no searchResultEntry or
searchResultReference responses.

If the client includes the attribute type name 'modifyRights' sortKeys field is absent, there is no defined order for returning
entries in the
search request attribute type list when performing a baseObject search,
then search result.

- prevSearchId: If this field is present, this informs the server should return that,
with possibly the modifyRights attribute as part exception of the response attributes for that entry. The value of the startLocation field,
this attribute request is described in section 6.2.2.1 of [5], and corresponds identical to a searchRequest made previously on this
association. If the X.511(93)
ModifyRights field of the ReadResponse.

Note that an X.500 "list"-like operation can be emulated by server does not recognize this as the client
requesting message id
of a one-level LDAP previous search operation with a filter checking for
the existence of the objectClass attribute, operation, it must silently ignore this field and that an X.500 "read"-like
operation can be emulated by a base object LDAP
perform this search operation with as normal. The client must ensure that all fields,
other than startLocation, are the same filter. A server which provides a gateway to X.500 is not
required to use as in the Read or List operations, although it may choose to
do so.

If earlier search,
otherwise the search filter includes an equality match of the objectClass
attribute and the value "subentry", then if the server is converting
to an X.500 protocol, the subentries service control should be set.

4.5.2. Search Result

The results contents of the entries returned from this search attempted by the server upon receipt of a
Search Request are returned in Search Responses, which not
defined. If clients are LDAP
messages containing either SearchResultEntry, SearchResultReference,
SearchResultDone or SearchResultFull data types.

Wahl, Howes, Kille [Page 21]

INTERNET-DRAFT LDAP August 1996

SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes PartialAttributeList }

PartialAttributeList ::= SEQUENCE OF SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }
-- implementors should note that performing the PartialAttributeList may have
-- zero elements (if none of same search more than twice on an
association, then the attributes prevSearchId field of that entry were
-- requested, or could be returned), and that the vals set may also
-- have zero elements (if types only was requested, or all but the values
-- exceeded the attribute size limit or were excluded because of
-- access control).

SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
-- at least one LDAPURL element must be present

SearchResultDone ::= [APPLICATION 5] SEQUENCE {
COMPONENTS OF LDAPResult,
totalCount [8] INTEGER OPTIONAL }

SearchResultFull ::= SEQUENCE OF CHOICE {
entry SearchResultEntry,
reference SearchResultReference,
resultCode SearchResultDone }

Upon receipt of a Search Request, a server will perform the necessary first search of the DIT.

If the LDAP session is operating over a connection-oriented transport
such as TCP, the server will return to
must contain the client a sequence messageID of
responses in separate LDAP messages. There may be zero or more
responses containing SearchResultEntry, one for each entry found
during the that first search. There

- startLocation: this field may also be zero or more responses
containing SearchResultReference, one for each area not explored by
this server during present if the search. The SearchResultEntry pageSizeLimit is
present. After filtering and
SearchResultReferences may come in any order. Following all selecting the
SearchResultReference responses and all SearchResultEntry responses up entries to be returned in
a pageSizeLimit (if any), search, the server will discard this many entries before starting
to return a response containing
the SearchResultDone, which contains an indication of success, or
detailing any errors that have occurred.

If the LDAP session SearchResultEntry responses. Thus setting startLocation 0 is operating over a connectionless transport such
as UDP,
the server will return to same as not including a startLocation field. If the client only one response to the
search, an LDAPMessage containing a SearchResultFull data type. All (if
any) but sends a
value of startLocation which is larger than the last element number of entries in the SEQUENCE OF must be
result, the server will only return any of the
SearchResultEntry or SearchResultReference types,
responses, and then the last must be of SearchResultDone response. (The server should
indicate in the SearchResultDone type.

The SearchResultFull is never returned over a connection-oriented
transport. value of totalCount which the client
may use to make a better choice of startLocation in a subsequent search).

The startLocation does not affect SearchResultReference responses, which
are not counted as entries.

Wahl, Howes, Howes & Kille [Page 22] 23]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

Each entry returned

It is strongly recommended that clients include the sortKeys field when
including this field.

If the client includes the attribute type name 'modifyRights' in the
search request attribute type list when performing a SearchResultEntry will contain all attributes,
complete with associated values if necessary, as specified in baseObject search,
then the
attributes field of server may return the Search Request. Return modifyRights attribute as part of
the response attributes for that entry. The value of this attribute
is subject
to access control described in section 6.2.2.1 of [5], and other administrative policy. Some attributes may corresponds to the X.511(93)
ModifyRights field of the ReadResponse.

Note that an X.500 "list"-like operation can be returned in DER-encoded binary format (indicated emulated by the
AttributeDescription in client
requesting a one-level LDAP search operation with a filter checking for
the response having existence of the binary option present),
or in a language-specific subtype (indicated objectClass attribute, and that an X.500 "read"-like
operation can be emulated by a base object LDAP search operation with
the AttributeDescription
in same filter. A server which provides a gateway to X.500 is not
required to use the response having Read or List operations, although it may choose to
do so.

If the language option present).

The following are not strictly attributes of search filter includes an entry (or a subentry),
but may appear in equality match of the result list if requested.

- entryName. This operational objectClass
attribute is maintained by and the value "subentry", then if the server and
appears is converting
to an X.500 protocol, the subentries service control must be present in each entry. set.
Thus clients must not search for both subentries and ordinary entries
with a single search operation.

4.5.2. Search Result

The value results of this attribute
is the distinguished name of search attempted by the entry from server upon receipt of a
Search Request are returned in Search Responses, which it is read. It
is expected are LDAP
messages containing either SearchResultEntry, SearchResultReference,
SearchResultDone or SearchResultFull data types.

SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes PartialAttributeList }

PartialAttributeList ::= SEQUENCE OF SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }
-- implementors should note that the client would retrieve this attribute in binary.

- modifyRights. Each value is the encoding of an element PartialAttributeList may have
-- zero elements (if none of modifyRights.
The attribute is specific to the particular search operation attributes of that entry were
-- requested, or could be returned), and that the requestor, and must not be cached or replicated.'

- incompleteEntry. This attribute's value is TRUE if one vals set may also
-- have zero elements (if types only was requested, or more
attributes are not present in all the PartialAttributeList, because their
size would have values
-- exceeded the attribute size limit, limit or if a partial
shadow copy were excluded because of the
-- access control).

SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
-- at least one LDAPURL element must be present

SearchResultDone ::= [APPLICATION 5] SEQUENCE {
COMPONENTS OF LDAPResult,
totalCount [8] INTEGER OPTIONAL }

Wahl, Howes & Kille [Page 24]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

SearchResultFull ::= SEQUENCE OF CHOICE {
entry was used to satisfy the request and some
requested attributes are not returned. It is never set just because
typesOnly was set to TRUE, or because SearchResultEntry,
reference SearchResultReference,
resultCode SearchResultDone }

Upon receipt of a Search Request, a requested attribute was not
present in the (master) entry.

- fromEntry. The server may return this attribute's value as FALSE if it
is known that will perform the necessary
search is based upon a shadow or cached copy of the
entry, and may return it DIT.

If the LDAP session is operating over a connection-oriented transport
such as TRUE if TCP, the server masters will return to the entry.

In client a SearchResultEntry, as an encoding optimization, the value sequence of the
objectName
responses in separate LDAP DN messages. There may use a trailing '*' character to refer to be zero or more
responses containing SearchResultEntry, one for each entry found
during the
baseObject of search. There may also be zero or more responses
containing SearchResultReference, one for each area not explored by
this server during the corresponding searchRequest. For example, if search. The SearchResultEntry and
SearchResultReferences may come in any order. Following all the
baseObject is specified as "o=UofM, c=US", then
SearchResultReference responses and all SearchResultEntry responses up
to a pageSizeLimit (if any), the following
objectName LDAPDNs in server will return a response would have containing
the indicated meanings

objectName returned actual LDAPDN denoted
____________________________________________________
"*" "o=UofM, c=US"
"cn=Babs Jensen, *" "cn=Babs Jensen, o=UofM, c=US" SearchResultDone, which contains an indication of success, or
detailing any errors that have occurred.

If the pageSizeLimit field was present, LDAP session is operating over a connectionless transport such
as UDP, the server must number will return to the
entries which match client only one response to the
search, and an LDAPMessage containing a SearchResultFull data type. All (if
any) but the last element of the SEQUENCE OF must indicate be of the
total number
SearchResultEntry or SearchResultReference types, and the last must be of entries which match
the search SearchResultDone type.

The SearchResultFull is never returned over a connection-oriented
transport.

Each entry returned in a SearchResultEntry will contain all attributes,
complete with associated values if necessary, as specified in the
attributes field totalCount of the SearchResultDone. The total count would either Search Request. Return of attributes is subject
to access control and other administrative policy. Some attributes may
be returned in binary format (indicated by the same as AttributeDescription in the
response having the binary option present), or greater than in a language-specific
subtype (indicated by the number of SearchResultEntry responses returned at
this time. If it is greater, then AttributeDescription in the server did response having the
language option present).

The following are not return all strictly attributes of an entry (or a subentry),
but may appear in the
responses because result list if requested.

- entryName. This operational attribute is maintained by the pageSizeLimit was reached, server and
appears to be present in each entry. The value of this attribute
is the server must
cache all distinguished name of the resulting entries. If entry from which it is read. It
is expected that the same, then the server did
not exceed the pageSizeLimit, client would request and the server need not cache would return
this attribute in binary.

- modifyRights. Each value is the responses.

When encoding of an element of modifyRights.
The attribute is specific to the particular search result exceeded the pageSizeLimit, all matching entries
are cached (including those for which SearchResultEntry was returned), operation and
the server requestor, and must not clear the cache until an operation other than a
ResumeRequest for this search is received. be cached or replicated.

Wahl, Howes, Howes & Kille [Page 23] 25]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

4.5.3. Continuation References in the Search Result

If the server was able to locate the entry referred to by the
baseObject but was unable to search all the entries in the scope at
and under the baseObject, the server may return

- incompleteEntry. This attribute's value is TRUE if one or more
SearchResultReference, each containing a reference to another set of
servers for continuing the operation. The server should return at most
one SearchResultReference for a new subordinate base object with a
particular scope and filter. A server must not return a
SearchResultReference if it has not located the baseObject and
thus has
attributes are not searched any entries; present in this case it should return a
SearchResultDone containing a referral resultCode.

The SearchResultReference is of the same data type as the Referral.
A URL in a SearchResultReference may only be included if PartialAttributeList, because their
size would have exceeded the client has
indicated (in attribute size limit, or if a partial
shadow copy of the session controls) that it is able entry was used to handle that
protocol. If satisfy the client has request and some
requested attributes are not indicated any protocols which the
server could use returned. It is never set just because
typesOnly was set to return in TRUE, or because a SearchResultReference, the server must
itself process the entire search. If requested attribute was not
actually present in the entry.

- fromEntry. The server could not contact
all other servers, it may return one this attribute's value as FALSE if it
is known that the search is based upon a shadow or more SearchResultReference for
unexplored subtrees, cached copy of the
entry, and must indicate also that only partial results were
returned by setting may return it as TRUE if the resultCode in server masters the SearchResultDone to be something
other than success, such entry.

In a SearchResultEntry, as timeLimitExceeded.

URLs for servers implementing an encoding optimization, the LDAP protocol are written according value of the
objectName LDAPDN may have a trailing '*' character to refer to [9]. The dn part must be present in the URL, with
baseObject of the new target
object name. The client must use this name in its next request.
Some servers (e.g. participating corresponding searchRequest. For example, if the
baseObject is specified as "o=UofM, c=US", then the following objectName
LDAPDNs in distributed indexing) may change a response would have the filter. indicated meanings

objectName returned actual LDAPDN denoted
____________________________________________________
"*" "o=UofM, c=US"
"cn=Babs Jensen, *" "cn=Babs Jensen, o=UofM, c=US"

If the filter part of pageSizeLimit field was present, the URL is present in an LDAP URL, server may indicate the client should use this total
number of entries which could have matched the search filter in its next request, otherwise it
should use the same filter as it used for that search.

Other kinds field
totalCount of URLs may be returned so long as the operation could SearchResultDone. The total count would be
performed using that protocol, and the client has indicated (in a
session control) that same or
greater than the number of SearchResultEntry responses returned at this
time. If it is able to handle that protocol.

The name of an unexplored subtree in a SearchResultReference need greater, then the server did not be
subordinate to return all the base object if an alias responses
because the pageSizeLimit was dereferenced, however it
should reached. This field is not be a prefix of affected by any
requested startLocation field. Client implementors should note that
subsequent search requests with the base object, otherwise same fields may return a different value
for totalCount if the client will
loop. (Client implementations DIT is being modified by other users. The totalCount
field must detect loops; see section 6.2.)

Note: be absent if the "X.500 Non-Specific Subordinate Reference" is pageSizeLimit field was not permitted included in
LDAP. the
request.

Servers must should not return multiple SearchResultReference for the same
subtree, and any one of (not all of) the servers listed in resultCode sizeLimitExceeded merely because
a
SearchResultReference may be contacted to perform the entire search pageSizeLimit was reached.

4.5.3. Continuation References in a
particular subtree.

4.5.3.1 Example

For example, suppose the contacted Search Result

If the server (hosta) holds was able to locate the entry
"O=MNN,C=WW" and referred to by the entry "CN=Manager,O=MNN,C=WW". It knows that either
LDAP-capable servers (hostb) or (hostc) hold "OU=People,O=MNN,C=WW" (one
is
baseObject but was unable to search all the master and entries in the other server a shadow), scope at
and that LDAP-capable
server (hostd) holds under the subtree "OU=Roles,O=MNN,C=WW". If baseObject, the server may return one or more
SearchResultReference, each containing a subtree
search of "O=MNN,C=WW" is requested reference to another set of
servers for continuing the contacted operation. The server in which
chainingProhibited is set and referrals are permitted, must return at most
one SearchResultReference for a new subordinate base object with a
particular scope and the filter is
objectClass=*, the filter. A server may must not return a
SearchResultReference if it has not located the following responses: baseObject and
thus has not searched any entries; in this case it would return a
SearchResultDone containing a referral resultCode.

Wahl, Howes, Howes & Kille [Page 24] 26]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

SearchResultEntry for O=MNN,C=WW
SearchResultEntry for CN=Manager,O=MNN,C=WW
SearchResultReference {
ldap://hostb/OU=People,O=MNN,C=WW
ldap://hostc/OU=People,O=MNN,C=WW
}

The SearchResultReference {
ldap://hostd/OU=Roles,O=MNN,C=WW
}
SearchResultDone (entries = 2)

Client implementors should note that when following is of the same data type as the Referral.
A URL in a
SearchResultReference, additional SearchResultReference may only be
generated. Continuing the example, included if the client contacted the
server (hostb) and issued the search for the subtree
"OU=People,O=MNN,C=WW", has
indicated (in the server might respond as follows:

SearchResultEntry for OU=People,O=MNN,C=WW
SearchResultReference {
ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
}
SearchResultReference {
ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
}

4.6. Resume Search Operation

The Resume Search Operation session controls) that it is used in conjunction with a Search
operation which was previously issued on this association.

ResumeRequest ::= [APPLICATION 20] SEQUENCE {
searchRequestID [0] MessageID,
startAtEntry [1] INTEGER,
entriesToReturn [2] INTEGER }

The SearchRequest must have been made with able to handle that
protocol. If the client has not indicated any protocols which the pageSizeLimit
field present, and
server could use to return in a SearchResultReference, the server must
itself process the entire search. If the server could not have returned contact
all the other servers, it may return one or more SearchResultReference for
unexplored subtrees, and must indicate also that only partial results
at the time of were
returned by setting the search, or indicated a resultCode in the SearchResultDone to be something
other than success, timeLimitExceeded,
sizeLimitExceeded or adminLimitExcceded.

A Search which is still in progress (the final SearchResultDone has not
been returned) or has been abandoned cannot such as timeLimitExceeded.

URLs for servers implementing the LDAP protocol are written according
to [9]. The dn part must be resumed. present in the URL, with the new target
object name. The searchRequestID field client must contain use this name in its next request.
Some servers (e.g. participating in distributed indexing) may change
the value filter. If the filter part of messageID which the URL is present in an LDAP URL,
the client must use this filter in its next request to progress this
search, and if the filter is absent the client will use the same filter as
it used for the original search operation.

Entries in a result are always numbered starting from 1.

The startAtEntry number that search.

Other kinds of URLs may be any number greater than 0, returned so long as the operation could be
performed using that protocol, and the sum client has indicated (in a
session control) that it is able to handle that protocol.

The name of
startAtEntry and entriesToReturn must an unexplored subtree in a SearchResultReference need not be greater than one plus
subordinate to the
value base object if an alias was dereferenced, however it
must not be a prefix of totalCount returned by the server for this search.

The base object, otherwise the client may request that will
loop. (Client implementations must detect loops; see section 6.2.)

Note: the server retransmit entries which it had
already sent as responses "X.500 Non-Specific Subordinate Reference" is not permitted in
LDAP. Servers must not return multiple SearchResultReference for the search, e.g. by setting startAtEntry
to "1" and entriesToReturn to be the same as totalCount,
subtree, and any one of (not all of) the entries
will servers listed in a
SearchResultReference may be transmitted.

Wahl, Howes, Kille [Page 25]

INTERNET-DRAFT LDAP August 1996

The server will respond contacted to perform the ResumeRequest with either a ResumeError,
or with entire search in a series of SearchResultEntry responses
particular subtree.

4.5.3.1. Example

For example, suppose the contacted server (hosta) holds the entry
"O=MNN,C=WW" and a SearchResultDone
response. The ResumeError the entry "CN=Manager,O=MNN,C=WW". It knows that either
LDAP-capable servers (hostb) or (hostc) hold "OU=People,O=MNN,C=WW" (one
is returned if the master and the other server detected a
problem with shadow), and that LDAP-capable
server (hostd) holds the ResumeRequest, such as an invalid searchRequestID, or if subtree "OU=Roles,O=MNN,C=WW". If a subtree
search of "O=MNN,C=WW" is requested to the contacted server has cleared the cache in which
chainingProhibited is set and referrals are permitted, and cannot resume that search, or if the Directory Information Tree has changed such that filter is
objectClass=*, the search would no
longer server may return the same results. The following responses:

Wahl, Howes & Kille [Page 27]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

SearchResultEntry and for O=MNN,C=WW
SearchResultEntry for CN=Manager,O=MNN,C=WW
SearchResultReference {
ldap://hostb/OU=People,O=MNN,C=WW
ldap://hostc/OU=People,O=MNN,C=WW
}
SearchResultReference {
ldap://hostd/OU=Roles,O=MNN,C=WW
}
SearchResultDone
responses from (entries = 2)

Client implementors should note that when following a ResumeRequest have the Message ID of
SearchResultReference, additional SearchResultReference may be
generated. Continuing the ResumeRequest,
not of example, if the original SearchRequest.

Any SearchResultReferences are returned at client contacted the
server (hostb) and issued the time of search for the original
search, and none returned by a resume operation.

ResumeError ::= [APPLICATION 21] LDAPResult

An example of using Resume is subtree
"OU=People,O=MNN,C=WW", the server might respond as follows:

CLIENT SERVER

1,SearchRequest (pageSizeLimit=2)
-->
(search matches 5 entries)
1,SearchResultEntry (1 of 5)
<--
1,SearchResultEntry (2 of 5)
<--
1,SearchResultDone (5)
<--

2,ResumeRequest (search id 1, startAtEntry 3, entriesToReturn 3)
-->
2,SearchResultEntry (3 of 5)
<--
2,SearchResultEntry (4 of 5)
<--
2,SearchResultEntry (5 of 5)
<--

<-- 2,SearchResultDone (5)

3,AbandonRequest (id 1)
-->
(search cache cleared)

4.7.

SearchResultEntry for OU=People,O=MNN,C=WW
SearchResultReference {
ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
}
SearchResultReference {
ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
}

4.6. Modify Operation

The Modify Operation allows a client to request that a modification
of the DIB an entry be performed on its behalf by a server. The Modify
Request is defined as follows:

ModifyRequest ::= [APPLICATION 6] SEQUENCE {
object LDAPDN,
modification SEQUENCE OF SEQUENCE {
operation ENUMERATED {
add (0),
delete (1),
replace (2) },
modification AttributeTypeAndValues } }
Wahl, Howes, Kille [Page 26]

INTERNET-DRAFT LDAP August 1996

AttributeTypeAndValues ::= SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }

Parameters of the Modify Request are:

- object: The object to be modified. The value of this field should
name contains the object
DN of the entry to be modified. The server will not perform any
alias dereferencing in determining the object to be modified unless
the useAliasOnUpdate session control is set to TRUE.

Wahl, Howes & Kille [Page 28]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

- A list of modifications to be performed on the entry to be modified.
The entire list of entry modifications should must be performed
in the order they are listed, as a single atomic operation. While
individual modifications may violate the directory schema, the
resulting entry after the entire list of modifications is performed
must conform to the requirements of the directory schema. The
values that may be taken on by the 'operation' field in each
modification construct have the following semantics respectively:

add: add values listed to the given attribute, creating
the attribute if necessary;

delete: delete values listed from the given attribute,
removing the entire attribute if no values are listed, or
if all current values of the attribute are listed for
deletion;

replace: replace all existing values of the given attribute
with the new values listed, creating the attribute if it
did not already exist. A replace with no value should will delete
the entire attribute.

The result of the modify attempted by the server upon receipt of a
Modify Request is returned in a Modify Response, defined as follows:

ModifyResponse ::= [APPLICATION 7] LDAPResult

Upon receipt of a Modify Request, a server will perform the necessary
modifications to the DIB. DIT.

The server will return to the client a single Modify Response
indicating either the successful completion of the DIB DIT modification,
or the reason that the modification failed. Note that due to the
requirement for atomicity in applying the list of modifications in
the Modify Request, the client may expect that no modifications of
the DIB DIT have been performed if the Modify Response received indicates
any sort of error, and that all requested modifications have been
performed if the Modify Response indicates successful completion of
the Modify Operation. If the connection fails, whether the modification
occurred or not is indeterminate.

Note that due to the simplifications made in LDAP, there is not a direct
mapping of the modifications in an LDAP ModifyRequest onto the
EntryModifications of a a DAP ModifyEntry operation, and different
implementations of LDAP-DAP gateways may use different means of
representing the change. The final effect of the operations on the
entry will be identical.

Wahl, Howes, Howes & Kille [Page 27] 29]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

4.8.

4.7. Add Operation

The Add Operation allows a client to request the addition of an entry
into the directory. The Add Request is defined as follows:

AddRequest ::= [APPLICATION 8] SEQUENCE {
entry LDAPDN,
attributes AttributeList }

AttributeList ::= SEQUENCE OF SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }

Parameters of the Add Request are:

- entry: the Distinguished Name of the entry to be added. Note that
all components of the name except for the last RDN component must
exist for the add to succeed. Note also that the server will not
dereference any aliases in locating the entry to be added (unless
the useAliasOnUpdate session control is TRUE), and that there are
never any entries subordinate to an alias entry.

- attributes: the list of attributes that make up the content of the
entry being added. Clients must included distinguished values in
this list.

The result of the add attempted by the server upon receipt of a Add
Request is returned in the Add Response, defined as follows:

AddResponse ::= [APPLICATION 9] LDAPResult

Upon receipt of an Add Request, a server will attempt to perform the
add requested. The result of the add attempt will be returned to the
client in the Add Response.

4.9.

4.8. Delete Operation

The Delete Operation allows a client to request the removal of an
entry from the directory. The Delete Request is defined as follows:

DelRequest ::= [APPLICATION 10] LDAPDN

The Delete Request consists of the Distinguished Name of the
entry to be deleted. Note that the server will not dereference aliases
while resolving the name of the target entry to be removed, unless
the useAliasOnUpdate session control is TRUE.

The result of the delete attempted by the server upon receipt of a
Delete Request is returned in the Delete Response, defined as follows:

DelResponse ::= [APPLICATION 11] LDAPResult

Wahl, Howes & Kille [Page 30]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

Upon receipt of a Delete Request, a server will attempt to perform
the entry removal requested. The result of the delete attempt will be
returned to the client in the Delete Response. Note that only leaf
objects (with no subordinates) may be deleted with this operation.

Wahl, Howes, Kille [Page 28]

INTERNET-DRAFT LDAP August 1996

4.10.

4.9. Modify DN Operation

The Modify DN Operation allows a client to change the last component
of the name of an entry in the directory, or to move a subtree of
entries to a new location in the directory. The Modify DN Request is
defined as follows:

ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
entry LDAPDN,
newrdn RelativeLDAPDN,
deleteoldrdn BOOLEAN,
newSuperior [0] LDAPDN OPTIONAL }

Parameters of the Modify DN Request are:

- entry: the name of the entry to be changed.

- newrdn: the RDN that will form the last component of the new name.

- deleteoldrdn: a boolean parameter that controls whether the old RDN
attribute values should is to be retained as attributes of the entry entry, or
deleted from the entry.

- newSuperior: if present, this is the name of the entry which
becomes the immediate superior of the existing entry.

The result of the name change attempted by the server upon receipt of
a Modify DN Request is returned in the Modify DN Response, defined
as follows:

ModifyDNResponse ::= [APPLICATION 13] LDAPResult

Upon receipt of a Modify RDN Request, ModifyDNRequest, a server will attempt to
perform the name change. The result of the name change attempt will
be returned to the client in the Modify DN Response. The attributes
that make up the old RDN are deleted from the entry, or kept,
depending on the setting of the deleteoldrdn parameter.

Note that X.500 restricts the ModifyDN operation to only affect entries
that are contained within a single server. If the LDAP server is mapped
onto DAP, then this restriction will apply, and the resultCode
affectsMultipleDSAs will be returned. In general clients should must not
expect to be able to perform arbitrary movements of entries and subtrees.

4.11.

Wahl, Howes & Kille [Page 31]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

4.10. Compare Operation

The Compare Operation allows a client to compare an assertion
provided with an entry in the directory. The Compare Request is
defined as follows:

CompareRequest ::= [APPLICATION 14] SEQUENCE {
entry LDAPDN,
ava AttributeValueAssertion }

Parameters of the Compare Request are:

- entry: the name of the entry to be compared with.

Wahl, Howes, Kille [Page 29]

INTERNET-DRAFT LDAP August 1996

- ava: the assertion with which an attribute in the entry is to be
compared.

The result of the compare attempted by the server upon receipt of a
Compare Request is returned in the Compare Response, defined as
follows:

CompareResponse ::= [APPLICATION 15] SEQUENCE {
COMPONENTS OF LDAPResult,
matchedSubtype [9] AttributeType AttributeDescription OPTIONAL }

When the resultCode is compareTrue the matchedSubtype field is
permitted to contain the type name of the attribute whose value
matched the ava in the Compare operation. Servers which do not
implement attribute hierarchies will omit this element.

Upon receipt of a Compare Request, a server will attempt to perform
the requested comparison. The result of the comparison will be
returned to the client in the Compare Response. Note that errors and
the result of comparison are all returned in the same construct.

Note that some directory systems may establish access controls which
permit the values of certain attributes (such as userPassword) to be
compared but not read. In a search result, it may be that an attribute
of that type would be returned, but with an empty set of values.

4.12.

4.11. Abandon Operation

The function of the Abandon Operation is to allow a client to request
that the server abandon an outstanding operation. The Abandon
Request is defined as follows:

AbandonRequest ::= [APPLICATION 16] MessageID

The MessageID must be that of a Search, Resume Search or Compare operation
which was requested earlier during this association. Other types of
operations cannot be abandoned.

(The abandon request itself has its own message id. This is distinct
from the id of the earlier operation being abandoned.)

Wahl, Howes & Kille [Page 32]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

There is no response defined in the Abandon Operation. Upon
transmission of an Abandon Operation, a client may expect that the
operation identified by the Message ID in the Abandon Request has
been abandoned. In the event that a server receives an Abandon
Request on a Search or Resume Operation in the midst of transmitting
responses to the search, that server should must cease transmitting entry
responses to the abandoned request immediately. Of course, the server
must ensure that only properly encoded LDAPMessages are transmitted.

Clients must not send abandon requests for the same operation multiple
times. Servers must discard abandon requests for message ids it does
not recognize, for operations which cannot be abandoned, and for
operations which have already been abandoned.

Wahl, Howes, Kille [Page 30]

INTERNET-DRAFT LDAP August 1996

If the MessageID is for a Search operation in which pageSizeLimit was
set, the abandon will clear the results from the server's cache.
Abandoning a Resume the same operation multiple
times. Servers must discard abandon requests for message ids it does
not clear the cache, it just stops
the server from sending responses.

4.13. recognize, for operations which cannot be abandoned, and for
operations which have already been abandoned.

4.12. Extended Operation

It may be desirable in some communities to define additional operations
for services not available in this protocol, for instance digitally
signed operations and results. Thus an extension mechanism has been
added in this version of LDAP.

The extended operation allows clients to make requests and receive
responses with predefined syntaxes and semantics. These may be
defined in RFCs or be private to particular implementations. Each
operation should must have a unique OBJECT IDENTIFIER assigned to it.

ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
requestName [0] LDAPOID,
requestValue [1] OCTET STRING }

The requestName is a dotted-decimal representation of the
OBJECT IDENTIFIER corresponding to the request.
The requestValue is information in a form defined by that request,
encapsulated inside an OCTET STRING.

The server will respond to this with an LDAPMessage containing the
ExtendedResponse.

ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
COMPONENTS OF LDAPResult,
responseName [10] LDAPOID OPTIONAL,
response [11] OCTET STRING OPTIONAL }

If the server does not recognize the operation name, it should must return
only the standard response fields, containing the protocolError result
code.

5. Protocol Element Encodings and Transfer

For compatibility with the existing LDAP v2 and CLDAP protocols, four

Four underlying services are defined here. However an LDAP server need not At a minimum, clients and
servers must implement all the mapping of them. LDAP over TCP described in 5.1.1.

Wahl, Howes & Kille [Page 33]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

5.1. Mapping Onto BER-based Transport Services

This protocol is designed to run over connection-oriented, reliable
transports, with all 8 bits in an octet being significant in the data
stream.

The protocol elements of LDAP are encoded for exchange using the
Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
high overhead involved in using certain elements of the BER, the
following additional restrictions are placed on BER-encodings of LDAP
protocol elements:

(1) Only the definite form of length encoding will be used.

Wahl, Howes, Kille [Page 31]

INTERNET-DRAFT LDAP August 1996

(2) BIT STRINGs and OCTET STRINGs will be encoded in the primitive form only.

(3) If the value of a BOOLEAN type is true, the encoding should must have
its contents octets set to hex "FF".

(4) If a value of a type is its default value, it should must be absent.
Only some BOOLEAN and INTEGER types have default values in this
protocol definition.

These restrictions do not apply to ASN.1 types encapsulated inside of
OCTET STRINGs, such as attribute values, unless otherwise noted.

5.1.1. Transmission Control Protocol (TCP)

The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
Server implementations running over the TCP should provide a protocol
listener on port the assigned port, 389.

5.1.2. Connection Oriented Transport Service (COTS)

The connection is established. No special use of T-Connect is made.
Each LDAPMessage PDU is mapped directly onto T-Data.

5.1.3. User Datagram Protocol (UDP)

The LDAPMessage PDUs are mapped directly onto UDP datagrams. A datagram
may contain one or more concatenated requests. Only one response datagram
is returned, containing all the responses concatenated together. The only
operations which the client may request are sessionRequest, searchRequest,
compareRequest and extendedReq. The server may return sessionResponse,
searchResFull, compareResponse and extendedResp. If any of the requests in
an incoming datagram generates an error (a result other than success,
compareTrue or compareFalse), the server should ignore any following
requests in that datagram.

Server implementations running over the UDP should provide a protocol
listener on port the assigned port, 389.

Wahl, Howes & Kille [Page 34]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

5.1.4. Secure Socket Layer over TCP (SSL)

LDAP is an application protocol which may be carried inside of an
Secure Sockets Layer connection [19]. [8]. After establishing the SSL
connection over TCP, the LDAPMessage PDUs are mapped directly onto
the bytestream. Server implementations running over SSL/TCP should
provide a protocol listener on the assigned port for LDAP-SSL, port 636.

Note: it is expected that future versions of this document may reference
an IETF specification for equivalent transport layer security services,
should one become available.

Wahl, Howes, Kille [Page 32]

INTERNET-DRAFT LDAP August 1996

6. Implementation Guidelines

6.1. Server Implementations

The server should must be capable of recognizing all the mandatory attribute
type names and implement the syntaxes specified in [5]. Servers may also
recognize additional attribute type names.

6.2. Client Implementations

6.2.1. CLDAP Retry

For simple lookup applications using the connectionless transport
protocol UDP, use of a retry algorithm with multiple servers similar
to that commonly used in DNS stub resolver implementations is
recommended. The location of a CLDAP server or servers may be better
specified using IP addresses (simple or broadcast) rather than names
that must first be looked up in another directory such as DNS.

6.2.1.

6.2.2. Loop Detection

Clients which request referrals should must ensure that they do not loop
between servers. They must not progress a referral or reference in a
subtree search where the new name is a superior of the name requested.
They must not repeatedly contact the same server twice with the same
target entry name. Some clients may be using a counter that is
incremented each time referral handling is handled for an operation,
and these kind of clients must be able to handle a DIT with up to ten
layers of naming contexts between the root and a leaf entry.

7. Security Considerations

When used with a connection-oriented transport, this version of the
protocol provides facilities for the LDAP v2 authentication mechanism,
simple authentication using a cleartext password, as well as any SASL
mechanism [18]. [17].

It is also permitted that the server can return its credentials to the
client, if it chooses to do so.

Wahl, Howes & Kille [Page 35]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

This document also defines a mapping of LDAP over the Secure Sockets
Layer (SSL), which can provide strong authentication, integrity and
privacy of the connection.

Use of cleartext password is strongly discouraged where the underlying
transport service cannot guarantee confidentiality. A password hashing
mechanism is given in Appendix B.

When used with SASL, it should be noted that the name field of the
BindRequest is not protected against modification. Thus if there is a
client name (LDAPDN) agreed through the negotiation of the credentials,
it must take precedence over any value in the unprotected name field.

Wahl, Howes, Kille [Page 33]

INTERNET-DRAFT LDAP August 1996

When used with the connectionless transport, no security services are
available. There has been some discussion about the desirability of
authentication with connectionless LDAP requests. This might take the
form of a clear text password (which would go against the current IAB
drive to remove such things from protocols) or some arbitrary
credentials. It is felt that, in general, authentication would incur
sufficient overhead to negate the advantages of the connectionless
basis of LDAP. If an application requires authenticated access to the
directory then connectionless LDAP is not an appropriate protocol.

8. Acknowledgements

This document is an update to RFC 1777, by Wengyik Yeong, Tim
Howes, and Steve Kille. It also includes material from RFC 1798, by
Alan Young. Design ideas included in this document are based on those
discussed in ASID and other IETF Working Groups. The contributions of
individuals in these working groups is gratefully acknowledged.

9. Bibliography

[1] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models and
Service", 1993.

[2] W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access
Protocol", RFC 1777, March 1995.

[3] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
Specification of Basic Notation", 1994.

[4] S. Kille, M. Wahl, "A UTF-8 String Representation of Distinguished
Names", INTERNET-DRAFT <draft-ietf-asid-ldapv3-dn-00.txt>.
August 1996.

[5] M. Wahl, A. Coulbeck, T. Howes, S. Kille, W. Yeong, C. Robbins,
"Lightweight X.500 Directory Access Protocol Standard and Pilot
Attribute Definitions", INTERNET-DRAFT
<draft-ietf-asid-ldapv3-attributes-02.txt>, August 1996.

[6] ITU-T Rec. X.501, "The Directory: Models", 1993.

[7] ITU-T Rec. X.520, "The Directory: Selected Attribute Types", 1993.

Wahl, Howes & Kille [Page 36]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

[8] A. Freier, P. Karlton, P. Kocher, "The SSL Protocol Version 3.0",
INTERNET-DRAFT <draft-freier-ssl-version3-01.txt>, March 1996.

[9] T. Howes, M. Smith, "An LDAP URL Format", RFC 1959, June 1996.

[10] ITU-T Rec. X.518, "The Directory: Procedures for Distributed
Operation", 1993.

[11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic,
Canonical, and Distinguished Encoding Rules", 1994.

[12] ITU-T Rec. X.509, "The Directory: Authentication Framework",
1993.

[13] ITU-T Rec. X.511, "The Directory: Abstract Service Definition", 1993.

[14] T. Berners-Lee, L. Masinter, M. McCahill, "Uniform Resource
Locators (URL)", RFC 1738, Dec. 1994.

Wahl, Howes, Kille [Page 34]

INTERNET-DRAFT LDAP August 1996

[15] Universal Multiple-Octet Coded Character Set (UCS) - Architecture
and Basic Multilingual Plane, ISO/IEC 10646-1 : 1993.

[16] M. Davis, UTF-8, (WG2 N1036) DAM for ISO/IEC 10646-1.

[17] M. Wahl, T. Howes, "LDAP Use of Language Indications",
INTERNET-DRAFT <draft-ietf-asid-ldapv3-lang-00.txt"> August 1996.

[18] J. Meyers, "Simple Authentication and Security Layer",
INTERNET-DRAFT <draft-myers-auth-sasl-04.txt>, July 1996.

[19] A. Freier, P. Karlton, P. Kocher, "The SSL Protocol Version 3.0",
INTERNET-DRAFT <draft-freier-ssl-version3-01.txt>, March 1996.

10. Authors' Address

Mark Wahl
Critical Angle Inc.
4815 W Braker Lane #502-385
Austin, TX 78759
USA

EMail: M.Wahl@critical-angle.com

Tim Howes
Netscape Communications Corp.
501 E. Middlefield Rd.
Mountain View, CA 94043
USA

Phone: +1 415 254-1900
EMail: howes@netscape.com

Wahl, Howes & Kille [Page 37]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

Steve Kille
ISODE Consortium
The Dome, The Square
Richmond
TW9 1DT
UK

Phone: +44-181-332-9091
EMail: S.Kille@isode.com

Appendix A - Complete ASN.1 Definition

Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
IMPLICIT TAGS ::=

BEGIN

Wahl, Howes, Kille [Page 35]

INTERNET-DRAFT LDAP August 1996 ASN.1 Definition

Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
IMPLICIT TAGS ::=

BEGIN

MessageID ::= INTEGER (0 .. maxInt)

maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

LDAPString ::= OCTET STRING

LDAPOID ::= OCTET STRING

Wahl, Howes & Kille [Page 38]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

LDAPDN ::= LDAPString

RelativeLDAPDN ::= LDAPString

AttributeType ::= LDAPString

AttributeDescription ::= LDAPString

AttributeDescriptionList ::= SEQUENCE OF
AttributeDescription

AttributeValue ::= OCTET STRING

AttributeValueAssertion ::= SEQUENCE {
attributeDesc AttributeDescription,
assertionValue AssertionValue }

AssertionValue ::= OCTET STRING

Wahl, Howes, Kille [Page 36]

INTERNET-DRAFT LDAP August 1996

Attribute ::= SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }

MatchingRuleId ::= LDAPString

Wahl, Howes & Kille [Page 39]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

LDAPResult ::= SEQUENCE {
resultCode ENUMERATED {
success (0),
operationsError (1),
protocolError (2),
timeLimitExceeded (3),
sizeLimitExceeded (4),
compareFalse (5),
compareTrue (6),

INTERNET-DRAFT LDAP August 1996

Referral ::= SEQUENCE OF LDAPURL

Wahl, Howes & Kille [Page 40]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

LDAPURL ::= LDAPString -- limited to characters permitted in URLs

BindRequest ::= [APPLICATION 0] SEQUENCE {
version INTEGER (1 .. 127),
name LDAPDN,
authentication AuthenticationChoice }

AuthenticationChoice ::= CHOICE {
simple [0] OCTET STRING,
-- 1 and 2 reserved
sasl [3] SaslCredentials }

SaslCredentials ::= SEQUENCE {
mechanism LDAPString,
credentials OCTET STRING }

BindResponse ::= [APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
supportedVersion [5] INTEGER (1..127) OPTIONAL,
serverURL [6] LDAPURL OPTIONAL,
serverCreds [7] AuthenticationChoice OPTIONAL }

UnbindRequest ::= [APPLICATION 2] NULL

SessionRequest ::= [APPLICATION 17] Controls

SessionResponse ::= [APPLICATION 18] SEQUENCE {
COMPONENTS OF LDAPResult,
unsupportedCtls [12] SEQUENCE OF LDAPString }

Controls ::= SEQUENCE OF SEQUENCE {
controlType LDAPString,
criticality BOOLEAN DEFAULT FALSE,
controlValue OCTET STRING }

Wahl, Howes, Howes & Kille [Page 38] 41]

INTERNET-DRAFT LDAP August Lightweight Directory Access Protocol (v3) October 1996

SortKeyList ::= SEQUENCE OF SEQUENCE {
attributeType AttributeType,
orderingRule [0] MatchingRuleId OPTIONAL,
reverseOrder [1] BOOLEAN DEFAULT FALSE }

SubstringFilter ::= SEQUENCE {
type AttributeDescription,
-- at least one must be present
substrings SEQUENCE OF CHOICE {
initial [0] LDAPString,
any [1] LDAPString,
final [2] LDAPString } }

MatchingRuleAssertion ::= SEQUENCE {
matchingRule [1] MatchingRuleId OPTIONAL,
type [2] AttributeType OPTIONAL,
matchValue [3] AssertionValue,
dnAttributes [4] BOOLEAN DEFAULT FALSE }

SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes PartialAttributeList }

PartialAttributeList ::= SEQUENCE OF SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }
-- implementors should note that the PartialAttributeList may have
-- zero elements (if none of the attributes of that entry were
-- requested, or could be returned), and that the vals set may also
-- have zero elements (if types only was requested, or all the values
-- exceeded the attribute size limit or were excluded because of
-- access control).

SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
-- at least one LDAPURL element must be present

SearchResultDone ::= [APPLICATION 5] SEQUENCE {
COMPONENTS OF LDAPResult,
totalCount [8] INTEGER OPTIONAL }

Wahl, Howes & Kille [Page 42]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

SearchResultFull ::= SEQUENCE OF CHOICE {
entry SearchResultEntry,
reference SearchResultReference,
resultCode SearchResultDone }

Wahl, Howes, Kille [Page 39]

INTERNET-DRAFT LDAP August 1996

ResumeRequest ::= [APPLICATION 20] SEQUENCE {
searchRequestID [0] MessageID,
startAtEntry [1] INTEGER,
entriesToReturn [2] INTEGER }

ResumeError ::= [APPLICATION 21] LDAPResult

ModifyRequest ::= [APPLICATION 6] SEQUENCE {
object LDAPDN,
modification SEQUENCE OF SEQUENCE {
operation ENUMERATED {
add (0),
delete (1),
replace (2) },
modification AttributeTypeAndValues } }

AttributeTypeAndValues ::= SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }

ModifyResponse ::= [APPLICATION 7] LDAPResult

AddRequest ::= [APPLICATION 8] SEQUENCE {
entry LDAPDN,
attributes AttributeList }

AttributeList ::= SEQUENCE OF SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }

AddResponse ::= [APPLICATION 9] LDAPResult

DelRequest ::= [APPLICATION 10] LDAPDN

DelResponse ::= [APPLICATION 11] LDAPResult

ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
entry LDAPDN,
newrdn RelativeLDAPDN,
deleteoldrdn BOOLEAN,
newSuperior [0] LDAPDN OPTIONAL }

ModifyDNResponse ::= [APPLICATION 13] LDAPResult

CompareRequest ::= [APPLICATION 14] SEQUENCE {
entry LDAPDN,
ava AttributeValueAssertion }

CompareResponse ::= [APPLICATION 15] SEQUENCE {
COMPONENTS OF LDAPResult,
matchedSubtype [9] AttributeType AttributeDescription OPTIONAL }

AbandonRequest ::= [APPLICATION 16] MessageID

Wahl, Howes, Kille [Page 40]

INTERNET-DRAFT LDAP August 1996

ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
requestName [0] LDAPOID,
requestValue [1] OCTET STRING }

Wahl, Howes & Kille [Page 43]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
COMPONENTS OF LDAPResult,
responseName [10] LDAPOID OPTIONAL,
response [11] OCTET STRING OPTIONAL }

-- not part of LDAP core protocol, see Appendix B --

ProtectedPassword ::= SEQUENCE {
time1 [0] UTCTime OPTIONAL,
time2 [1] UTCTime OPTIONAL,
random1 [2] BIT STRING OPTIONAL,
random2 [3] BIT STRING OPTIONAL,
protected
algorithmIdentifier [4] OCTET LDAPOID,
encipheredPassword [5] BIT STRING }

StrongCredentials ::= SEQUENCE {
certification-path [0] AF.CertificationPath OPTIONAL,
bind-token [1] DAS.Token }

END

Appendix B - X.500 Authentication Mechanisms

This Appendix defines two SASL authentication mechanisms which may
be used with LDAP. These mechanisms are only for authentication, they
have no effect on the protocol encodings protocol encodings and are not designed to
provide integrity or confidentiality services.

If an implementation supports these elements, then the following
additional encoding restrictions apply to these elements:

- BIT STRING values are to be encoded in primitive form only. Unused bits
in the final octet of the encoding of a BIT STRING value, if there are
any, should always be set to zero.

- UTC Times must be encoded with the "Z" suffix, not as a local time.

The client may include one of these mechanisms and its credential in the
BindRequest. The server will return a BindResponse of either:
- success, and the serverCreds field absent, implying that the server
successfully authenticated the client but is not returning any
authentication information about the server,
- success, and are not designed to
provide integrity or confidentiality services.

If an implementation supports these elements, then the following
additional encoding restrictions apply tor these elements:

(5) UTC Times should be encoded serverCreds field present, with the "Z" suffix, not same mechanism
as a local time.

(6) Unused bits in that requested by the final octet client, and the credentials of the encoding server
itself,
- any of a BIT STRING
value, if there are any, should always be set to zero. the resultCodes listen in 4.2.3, with the serverCreds field
absent, indicating that the server did not successfully authenticate
the client or another problem occurred.

Wahl, Howes & Kille [Page 44]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

B.1. X.511-Protected

The "X.511-Protected" authentication mechanism allows a hash of the
password, combined optionally with the current time and random
numbers, to be sent to or returned from the server. The protected field
contains the hash value. This prevents a password from being carried in
the clear.

The mechanism field is set to the string "X.511-Protected", and the
credentials field contain the DER encoding of a value of the following
ASN.1 type:

INTERNET-DRAFT LDAP August 1996

The use of the time1, time2, random1, random2 and protected encryptedPassword fields
are as defined in ITU-T Rec. X.509 [12] and the functional profile for X.500
for the environment in which this authentication mechanism is to be used.

The name field of the BindRequest must be a nonempty string when this
mechanism is being used to authenticate the client. Note that this
security mechanism is not intended to protect against attackers
modifying the bind name field or other protocol elements.

B.2. X.511-Strong

Strong authentication to the directory can be accomplished using the
"X.511-Strong".

The mechanism field is set to the string "X.511-Strong", and the
credentials field set to a DER-encoding of a value of the following
ASN.1 type:

StrongCredentials ::= SEQUENCE {
certification-path [0] AF.CertificationPath OPTIONAL,
bind-token [1] DAS.Token }

The ASN.1 type "CertificationPath" is defined in [12], and the ASN.1
type "Token" is defined in [13].

When the credentials are being used to authenticate the client, it is
recommended that the certification-path field be present, which will
contain minimally the client's certificate. If the certification-path
field is supplied, then the name field of the BindRequest must be an
empty string, and the server will obtain the name of the client from
the subject field of the certification-path userCertificate.

Wahl, Howes & Kille [Page 45]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

It is recommended for interoperability that if the server's or client's
certificates contain RSA public keys, the PKCS md5WithRSAEncryption
(1.2.840.113549.1.1.4) algorithm should be used.

Table of Contents

1. Status of this Memo .................................... 1
2. Abstract ............................................... 1
3. Models ................................................. 2
3.1. Protocol Model ........................................ 2
3.2. Data Model ............................................ 3
3.2.1 Attributes of Entries ................................ 3
3.2.2 Subschema Subentry ................................... 4
3.3. Relationship to X.500 ................................. 4 5
3.4. Server-specific Data Requirements ..................... 5
4. Elements of Protocol ................................... 5 6
4.1. Common Elements ....................................... 5 6
4.1.1. Message Envelope .................................... 5 6
4.1.2. String Types ........................................ 7 8
4.1.3. Distinguished Name and Relative Distinguished Name .. 7 8
4.1.4. Attribute Type and Description ...................... 8 9
4.1.5. Attribute Value ..................................... 9 10
4.1.6. Attribute Value Assertion ........................... 9 11
4.1.7. Attribute ........................................... 10 11
4.1.8. Matching Rule Identifier ............................ 10 11
4.1.9. Result Message ...................................... 10
Wahl, Howes, Kille [Page 42]

INTERNET-DRAFT LDAP August 1996 11
4.1.10. Referral ........................................... 12 13
4.2. Bind Operation ....................................... 13 14
4.2.1. Sequencing of the Bind Request ...................... 13 15
4.2.2 Authentication and Other Security Services ........... 14 15
4.2.3. Bind Response ....................................... 14 16
4.3. Unbind Operation ..................................... 15 17
4.4. Session Control Operation ............................ 15 17
4.5. Search Operation ..................................... 18 20
4.5.1. Search Request ...................................... 18 20
4.5.2. Search Result ....................................... 21 24
4.5.3. Continuation References in the Search Result ........ 24
4.5.3.1 26
4.5.3.1. Example ............................................ 24 ........................................... 27
4.6. Resume Search Operation .............................. 25
4.7. Modify Operation ..................................... 26
4.8. 28
4.7. Add Operation ........................................ 28
4.9. 30
4.8. Delete Operation ..................................... 28
4.10. 30
4.9. Modify DN Operation ................................. 29
4.11. .................................. 31
4.10. Compare Operation ................................... 29
4.12. 32
4.11. Abandon Operation ................................... 30
4.13. 32
4.12. Extended Operation .................................. 31 33
5. Protocol Element Encodings and Transfer ................ 31 33
5.1. Mapping Onto BER-based Transport Services ............ 31 34
5.1.1. Transmission Control Protocol (TCP) ................ 32 34
5.1.2. Connection Oriented Transport Service (COTS) ....... 32 34
5.1.3. User Datagram Protocol (UDP) ....................... 32 34
5.1.4. Secure Socket Layer over TCP (SSL) ................. 32 35
6. Implementation Guidelines .............................. 32 35
6.1. Server Implementations ............................... 32 35

Wahl, Howes & Kille [Page 46]

INTERNET-DRAFT Lightweight Directory Access Protocol (v3) October 1996

6.2. Client Implementations ............................... 32 35
6.2.1. CLDAP Retry ......................................... 35
6.2.2. Loop Detection ...................................... 32 35
7. Security Considerations ................................ 33 35
8. Acknowledgements ....................................... 34 36
9. Bibliography ........................................... 34 36
10. Authors' Address ...................................... 35 37
Appendix A - Complete ASN.1 Definition ..................... 35 38
Appendix B - X.500 Authentication Mechanisms ............... 41 44
B.1. X.511-Protected ....................................... 41 45
B.2. X.511-Strong .......................................... 42

<draft-ietf-asid-ldapv3-protocol-02.txt> 45

<draft-ietf-asid-ldapv3-protocol-03.txt> Expires: March 2, April 5, 1997

Wahl, Howes, Kille [Page 43] 47]

----