diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4511.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4511.txt')
-rw-r--r-- | doc/rfc/rfc4511.txt | 3811 |
1 files changed, 3811 insertions, 0 deletions
diff --git a/doc/rfc/rfc4511.txt b/doc/rfc/rfc4511.txt new file mode 100644 index 0000000..8041f30 --- /dev/null +++ b/doc/rfc/rfc4511.txt @@ -0,0 +1,3811 @@ + + + + + + +Network Working Group J. Sermersheim, Ed. +Request for Comments: 4511 Novell, Inc. +Obsoletes: 2251, 2830, 3771 June 2006 +Category: Standards Track + + + Lightweight Directory Access Protocol (LDAP): The Protocol + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document describes the protocol elements, along with their + semantics and encodings, of the Lightweight Directory Access Protocol + (LDAP). LDAP provides access to distributed directory services that + act in accordance with X.500 data and service models. These protocol + elements are based on those described in the X.500 Directory Access + Protocol (DAP). + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Relationship to Other LDAP Specifications ..................3 + 2. Conventions .....................................................3 + 3. Protocol Model ..................................................4 + 3.1. Operation and LDAP Message Layer Relationship ..............5 + 4. Elements of Protocol ............................................5 + 4.1. Common Elements ............................................5 + 4.1.1. Message Envelope ....................................6 + 4.1.2. String Types ........................................7 + 4.1.3. Distinguished Name and Relative Distinguished Name ..8 + 4.1.4. Attribute Descriptions ..............................8 + 4.1.5. Attribute Value .....................................8 + 4.1.6. Attribute Value Assertion ...........................9 + 4.1.7. Attribute and PartialAttribute ......................9 + 4.1.8. Matching Rule Identifier ...........................10 + 4.1.9. Result Message .....................................10 + 4.1.10. Referral ..........................................12 + + + +Sermersheim Standards Track [Page 1] + +RFC 4511 LDAPv3 June 2006 + + + 4.1.11. Controls ..........................................14 + 4.2. Bind Operation ............................................16 + 4.2.1. Processing of the Bind Request .....................17 + 4.2.2. Bind Response ......................................18 + 4.3. Unbind Operation ..........................................18 + 4.4. Unsolicited Notification ..................................19 + 4.4.1. Notice of Disconnection ............................19 + 4.5. Search Operation ..........................................20 + 4.5.1. Search Request .....................................20 + 4.5.2. Search Result ......................................27 + 4.5.3. Continuation References in the Search Result .......28 + 4.6. Modify Operation ..........................................31 + 4.7. Add Operation .............................................33 + 4.8. Delete Operation ..........................................34 + 4.9. Modify DN Operation .......................................34 + 4.10. Compare Operation ........................................36 + 4.11. Abandon Operation ........................................36 + 4.12. Extended Operation .......................................37 + 4.13. IntermediateResponse Message .............................39 + 4.13.1. Usage with LDAP ExtendedRequest and + ExtendedResponse ..................................40 + 4.13.2. Usage with LDAP Request Controls ..................40 + 4.14. StartTLS Operation .......................................40 + 4.14.1. StartTLS Request ..................................40 + 4.14.2. StartTLS Response .................................41 + 4.14.3. Removal of the TLS Layer ..........................41 + 5. Protocol Encoding, Connection, and Transfer ....................42 + 5.1. Protocol Encoding .........................................42 + 5.2. Transmission Control Protocol (TCP) .......................43 + 5.3. Termination of the LDAP session ...........................43 + 6. Security Considerations ........................................43 + 7. Acknowledgements ...............................................45 + 8. Normative References ...........................................46 + 9. Informative References .........................................48 + 10. IANA Considerations ...........................................48 + Appendix A. LDAP Result Codes .....................................49 + A.1. Non-Error Result Codes ....................................49 + A.2. Result Codes ..............................................49 + Appendix B. Complete ASN.1 Definition .............................54 + Appendix C. Changes ...............................................60 + C.1. Changes Made to RFC 2251 ..................................60 + C.2. Changes Made to RFC 2830 ..................................66 + C.3. Changes Made to RFC 3771 ..................................66 + + + + + + + + +Sermersheim Standards Track [Page 2] + +RFC 4511 LDAPv3 June 2006 + + +1. Introduction + + The Directory is "a collection of open systems cooperating to provide + directory services" [X.500]. A directory user, which may be a human + or other entity, accesses the Directory through a client (or + Directory User Agent (DUA)). The client, on behalf of the directory + user, interacts with one or more servers (or Directory System Agents + (DSA)). Clients interact with servers using a directory access + protocol. + + This document details the protocol elements of the Lightweight + Directory Access Protocol (LDAP), along with their semantics. + Following the description of protocol elements, it describes the way + in which the protocol elements are encoded and transferred. + +1.1. Relationship to Other LDAP Specifications + + This document is an integral part of the LDAP Technical Specification + [RFC4510], which obsoletes the previously defined LDAP technical + specification, RFC 3377, in its entirety. + + This document, together with [RFC4510], [RFC4513], and [RFC4512], + obsoletes RFC 2251 in its entirety. Section 3.3 is obsoleted by + [RFC4510]. Sections 4.2.1 (portions) and 4.2.2 are obsoleted by + [RFC4513]. Sections 3.2, 3.4, 4.1.3 (last paragraph), 4.1.4, 4.1.5, + 4.1.5.1, 4.1.9 (last paragraph), 5.1, 6.1, and 6.2 (last paragraph) + are obsoleted by [RFC4512]. The remainder of RFC 2251 is obsoleted + by this document. Appendix C.1 summarizes substantive changes in the + remainder. + + This document obsoletes RFC 2830, Sections 2 and 4. The remainder of + RFC 2830 is obsoleted by [RFC4513]. Appendix C.2 summarizes + substantive changes to the remaining sections. + + This document also obsoletes RFC 3771 in entirety. + +2. Conventions + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are + to be interpreted as described in [RFC2119]. + + Character names in this document use the notation for code points and + names from the Unicode Standard [Unicode]. For example, the letter + "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>. + + + + + + +Sermersheim Standards Track [Page 3] + +RFC 4511 LDAPv3 June 2006 + + + Note: a glossary of terms used in Unicode can be found in [Glossary]. + Information on the Unicode character encoding model can be found in + [CharModel]. + + The term "transport connection" refers to the underlying transport + services used to carry the protocol exchange, as well as associations + established by these services. + + The term "TLS layer" refers to Transport Layer Security (TLS) + services used in providing security services, as well as associations + established by these services. + + The term "SASL layer" refers to Simply Authentication and Security + Layer (SASL) services used in providing security services, as well as + associations established by these services. + + The term "LDAP message layer" refers to the LDAP Message Protocol + Data Unit (PDU) services used in providing directory services, as + well as associations established by these services. + + The term "LDAP session" refers to combined services (transport + connection, TLS layer, SASL layer, LDAP message layer) and their + associations. + + See the table in Section 5 for an illustration of these four terms. + +3. Protocol Model + + The general model adopted by this protocol is one of clients + performing protocol operations against servers. In this model, a + client transmits a protocol request describing the operation to be + performed to a server. The server is then responsible for performing + the necessary operation(s) in the Directory. Upon completion of an + operation, the server typically returns a response containing + appropriate data to the requesting client. + + Protocol operations are generally independent of one another. Each + operation is processed as an atomic action, leaving the directory in + a consistent state. + + Although servers are required to return responses whenever such + responses are defined in the protocol, there is no requirement for + synchronous behavior on the part of either clients or servers. + Requests and responses for multiple operations generally may be + exchanged between a client and server in any order. If required, + synchronous behavior may be controlled by client applications. + + + + + +Sermersheim Standards Track [Page 4] + +RFC 4511 LDAPv3 June 2006 + + + The core protocol operations defined in this document can be mapped + to a subset of the X.500 (1993) Directory Abstract Service [X.511]. + However, there is not a one-to-one mapping between LDAP operations + and X.500 Directory Access Protocol (DAP) operations. Server + implementations acting as a gateway to X.500 directories may need to + make multiple DAP requests to service a single LDAP request. + +3.1. Operation and LDAP Message Layer Relationship + + Protocol operations are exchanged at the LDAP message layer. When + the transport connection is closed, any uncompleted operations at the + LDAP message layer are abandoned (when possible) or are completed + without transmission of the response (when abandoning them is not + possible). Also, when the transport connection is closed, the client + MUST NOT assume that any uncompleted update operations have succeeded + or failed. + +4. Elements of Protocol + + The protocol is described using Abstract Syntax Notation One + ([ASN.1]) and is transferred using a subset of ASN.1 Basic Encoding + Rules ([BER]). Section 5 specifies how the protocol elements are + encoded and transferred. + + In order to support future extensions to this protocol, extensibility + is implied where it is allowed per ASN.1 (i.e., sequence, set, + choice, and enumerated types are extensible). In addition, ellipses + (...) have been supplied in ASN.1 types that are explicitly + extensible as discussed in [RFC4520]. Because of the implied + extensibility, clients and servers MUST (unless otherwise specified) + ignore trailing SEQUENCE components whose tags they do not recognize. + + Changes to the protocol other than through the extension mechanisms + described here require a different version number. A client + indicates the version it is using as part of the BindRequest, + described in Section 4.2. If a client has not sent a Bind, the + server MUST assume the client is using version 3 or later. + + Clients may attempt to determine the protocol versions a server + supports by reading the 'supportedLDAPVersion' attribute from the + root DSE (DSA-Specific Entry) [RFC4512]. + +4.1. Common Elements + + This section describes the LDAPMessage envelope Protocol Data Unit + (PDU) format, as well as data type definitions, which are used in the + protocol operations. + + + + +Sermersheim Standards Track [Page 5] + +RFC 4511 LDAPv3 June 2006 + + +4.1.1. Message Envelope + + For the purposes of protocol exchanges, all protocol operations are + encapsulated in a common envelope, the LDAPMessage, which is defined + as follows: + + LDAPMessage ::= SEQUENCE { + messageID MessageID, + protocolOp CHOICE { + bindRequest BindRequest, + bindResponse BindResponse, + unbindRequest UnbindRequest, + searchRequest SearchRequest, + searchResEntry SearchResultEntry, + searchResDone SearchResultDone, + searchResRef SearchResultReference, + modifyRequest ModifyRequest, + modifyResponse ModifyResponse, + addRequest AddRequest, + addResponse AddResponse, + delRequest DelRequest, + delResponse DelResponse, + modDNRequest ModifyDNRequest, + modDNResponse ModifyDNResponse, + compareRequest CompareRequest, + compareResponse CompareResponse, + abandonRequest AbandonRequest, + extendedReq ExtendedRequest, + extendedResp ExtendedResponse, + ..., + intermediateResponse IntermediateResponse }, + controls [0] Controls OPTIONAL } + + MessageID ::= INTEGER (0 .. maxInt) + + maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) -- + + The ASN.1 type Controls is defined in Section 4.1.11. + + The function of the LDAPMessage is to provide an envelope containing + common fields required in all protocol exchanges. At this time, the + only common fields are the messageID and the controls. + + If the server receives an LDAPMessage from the client in which the + LDAPMessage SEQUENCE tag cannot be recognized, the messageID cannot + be parsed, the tag of the protocolOp is not recognized as a request, + or the encoding structures or lengths of data fields are found to be + incorrect, then the server SHOULD return the Notice of Disconnection + + + +Sermersheim Standards Track [Page 6] + +RFC 4511 LDAPv3 June 2006 + + + described in Section 4.4.1, with the resultCode set to protocolError, + and MUST immediately terminate the LDAP session as described in + Section 5.3. + + In other cases where the client or server cannot parse an LDAP PDU, + it SHOULD abruptly terminate the LDAP session (Section 5.3) where + further communication (including providing notice) would be + pernicious. Otherwise, server implementations MUST return an + appropriate response to the request, with the resultCode set to + protocolError. + +4.1.1.1. MessageID + + All LDAPMessage envelopes encapsulating responses contain the + messageID value of the corresponding request LDAPMessage. + + The messageID of a request MUST have a non-zero value different from + the messageID of any other request in progress in the same LDAP + session. The zero value is reserved for the unsolicited notification + message. + + Typical clients increment a counter for each request. + + A client MUST NOT send a request with the same messageID as an + earlier request in the same LDAP session unless it can be determined + that the server is no longer servicing the earlier request (e.g., + after the final response is received, or a subsequent Bind + completes). Otherwise, the behavior is undefined. For this purpose, + note that Abandon and successfully abandoned operations do not send + responses. + +4.1.2. String Types + + The LDAPString is a notational convenience to indicate that, although + strings of LDAPString type encode as ASN.1 OCTET STRING types, the + [ISO10646] character set (a superset of [Unicode]) is used, encoded + following the UTF-8 [RFC3629] algorithm. Note that Unicode + characters U+0000 through U+007F are the same as ASCII 0 through 127, + respectively, and have the same single octet UTF-8 encoding. Other + Unicode characters have a multiple octet UTF-8 encoding. + + LDAPString ::= OCTET STRING -- UTF-8 encoded, + -- [ISO10646] characters + + The LDAPOID is a notational convenience to indicate that the + permitted value of this string is a (UTF-8 encoded) dotted-decimal + representation of an OBJECT IDENTIFIER. Although an LDAPOID is + + + + +Sermersheim Standards Track [Page 7] + +RFC 4511 LDAPv3 June 2006 + + + encoded as an OCTET STRING, values are limited to the definition of + <numericoid> given in Section 1.4 of [RFC4512]. + + LDAPOID ::= OCTET STRING -- Constrained to <numericoid> + -- [RFC4512] + + For example, + + 1.3.6.1.4.1.1466.1.2.3 + +4.1.3. Distinguished Name and Relative Distinguished Name + + An LDAPDN is defined to be the representation of a Distinguished Name + (DN) after encoding according to the specification in [RFC4514]. + + LDAPDN ::= LDAPString + -- Constrained to <distinguishedName> [RFC4514] + + A RelativeLDAPDN is defined to be the representation of a Relative + Distinguished Name (RDN) after encoding according to the + specification in [RFC4514]. + + RelativeLDAPDN ::= LDAPString + -- Constrained to <name-component> [RFC4514] + +4.1.4. Attribute Descriptions + + The definition and encoding rules for attribute descriptions are + defined in Section 2.5 of [RFC4512]. Briefly, an attribute + description is an attribute type and zero or more options. + + AttributeDescription ::= LDAPString + -- Constrained to <attributedescription> + -- [RFC4512] + +4.1.5. Attribute Value + + A field of type AttributeValue is an OCTET STRING containing an + encoded attribute value. The attribute value is encoded according to + the LDAP-specific encoding definition of its corresponding syntax. + The LDAP-specific encoding definitions for different syntaxes and + attribute types may be found in other documents and in particular + [RFC4517]. + + AttributeValue ::= OCTET STRING + + + + + + +Sermersheim Standards Track [Page 8] + +RFC 4511 LDAPv3 June 2006 + + + Note that there is no defined limit on the size of this encoding; + thus, protocol values may include multi-megabyte attribute values + (e.g., photographs). + + Attribute values may be defined that have arbitrary and non-printable + syntax. Implementations MUST NOT display or attempt to decode an + attribute value if its syntax is not known. The implementation may + attempt to discover the subschema of the source entry and to retrieve + the descriptions of 'attributeTypes' from it [RFC4512]. + + Clients MUST only send attribute values in a request that are valid + according to the syntax defined for the attributes. + +4.1.6. Attribute Value Assertion + + The AttributeValueAssertion (AVA) type definition is similar to the + one in the X.500 Directory standards. It contains an attribute + description and a matching rule ([RFC4512], Section 4.1.3) assertion + value suitable for that type. Elements of this type are typically + used to assert that the value in assertionValue matches a value of an + attribute. + + AttributeValueAssertion ::= SEQUENCE { + attributeDesc AttributeDescription, + assertionValue AssertionValue } + + AssertionValue ::= OCTET STRING + + The syntax of the AssertionValue depends on the context of the LDAP + operation being performed. For example, the syntax of the EQUALITY + matching rule for an attribute is used when performing a Compare + operation. Often this is the same syntax used for values of the + attribute type, but in some cases the assertion syntax differs from + the value syntax. See objectIdentiferFirstComponentMatch in + [RFC4517] for an example. + +4.1.7. Attribute and PartialAttribute + + Attributes and partial attributes consist of an attribute description + and attribute values. A PartialAttribute allows zero values, while + Attribute requires at least one value. + + PartialAttribute ::= SEQUENCE { + type AttributeDescription, + vals SET OF value AttributeValue } + + + + + + +Sermersheim Standards Track [Page 9] + +RFC 4511 LDAPv3 June 2006 + + + Attribute ::= PartialAttribute(WITH COMPONENTS { + ..., + vals (SIZE(1..MAX))}) + + No two of the attribute values may be equivalent as described by + Section 2.2 of [RFC4512]. The set of attribute values is unordered. + Implementations MUST NOT rely upon the ordering being repeatable. + +4.1.8. Matching Rule Identifier + + Matching rules are defined in Section 4.1.3 of [RFC4512]. A matching + rule is identified in the protocol by the printable representation of + either its <numericoid> or one of its short name descriptors + [RFC4512], e.g., 'caseIgnoreMatch' or '2.5.13.2'. + + MatchingRuleId ::= LDAPString + +4.1.9. Result Message + + The LDAPResult is the construct used in this protocol to return + success or failure indications from servers to clients. To various + requests, servers will return responses containing the elements found + in LDAPResult to indicate the final status of the protocol operation + request. + + LDAPResult ::= SEQUENCE { + resultCode ENUMERATED { + success (0), + operationsError (1), + protocolError (2), + timeLimitExceeded (3), + sizeLimitExceeded (4), + compareFalse (5), + compareTrue (6), + authMethodNotSupported (7), + strongerAuthRequired (8), + -- 9 reserved -- + referral (10), + adminLimitExceeded (11), + unavailableCriticalExtension (12), + confidentialityRequired (13), + saslBindInProgress (14), + noSuchAttribute (16), + undefinedAttributeType (17), + inappropriateMatching (18), + constraintViolation (19), + attributeOrValueExists (20), + invalidAttributeSyntax (21), + + + +Sermersheim Standards Track [Page 10] + +RFC 4511 LDAPv3 June 2006 + + + -- 22-31 unused -- + noSuchObject (32), + aliasProblem (33), + invalidDNSyntax (34), + -- 35 reserved for undefined isLeaf -- + aliasDereferencingProblem (36), + -- 37-47 unused -- + inappropriateAuthentication (48), + invalidCredentials (49), + insufficientAccessRights (50), + busy (51), + unavailable (52), + unwillingToPerform (53), + loopDetect (54), + -- 55-63 unused -- + namingViolation (64), + objectClassViolation (65), + notAllowedOnNonLeaf (66), + notAllowedOnRDN (67), + entryAlreadyExists (68), + objectClassModsProhibited (69), + -- 70 reserved for CLDAP -- + affectsMultipleDSAs (71), + -- 72-79 unused -- + other (80), + ... }, + matchedDN LDAPDN, + diagnosticMessage LDAPString, + referral [3] Referral OPTIONAL } + + The resultCode enumeration is extensible as defined in Section 3.8 of + [RFC4520]. The meanings of the listed result codes are given in + Appendix A. If a server detects multiple errors for an operation, + only one result code is returned. The server should return the + result code that best indicates the nature of the error encountered. + Servers may return substituted result codes to prevent unauthorized + disclosures. + + The diagnosticMessage field of this construct may, at the server's + option, be used to return a string containing a textual, human- + readable diagnostic message (terminal control and page formatting + characters should be avoided). As this diagnostic message is not + standardized, implementations MUST NOT rely on the values returned. + Diagnostic messages typically supplement the resultCode with + additional information. If the server chooses not to return a + textual diagnostic, the diagnosticMessage field MUST be empty. + + + + + +Sermersheim Standards Track [Page 11] + +RFC 4511 LDAPv3 June 2006 + + + For certain result codes (typically, but not restricted to + noSuchObject, aliasProblem, invalidDNSyntax, and + aliasDereferencingProblem), the matchedDN field is set (subject to + access controls) to the name of the last entry (object or alias) used + in finding the target (or base) object. This will be a truncated + form of the provided name or, if an alias was dereferenced while + attempting to locate the entry, of the resulting name. Otherwise, + the matchedDN field is empty. + +4.1.10. Referral + + The referral result code indicates that the contacted server cannot + or will not perform the operation and that one or more other servers + may be able to. Reasons for this include: + + - The target entry of the request is not held locally, but the server + has knowledge of its possible existence elsewhere. + + - The operation is restricted on this server -- perhaps due to a + read-only copy of an entry to be modified. + + The referral field is present in an LDAPResult if the resultCode is + set to referral, and it is absent with all other result codes. It + contains one or more references to one or more servers or services + that may be accessed via LDAP or other protocols. Referrals can be + returned in response to any operation request (except Unbind and + Abandon, which do not have responses). At least one URI MUST be + present in the Referral. + + During a Search operation, after the baseObject is located, and + entries are being evaluated, the referral is not returned. Instead, + continuation references, described in Section 4.5.3, are returned + when other servers would need to be contacted to complete the + operation. + + Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI + + URI ::= LDAPString -- limited to characters permitted in + -- URIs + + If the client wishes to progress the operation, it contacts one of + the supported services found in the referral. If multiple URIs are + present, the client assumes that any supported URI may be used to + progress the operation. + + Clients that follow referrals MUST ensure that they do not loop + between servers. They MUST NOT repeatedly contact the same server + for the same request with the same parameters. Some clients use a + + + +Sermersheim Standards Track [Page 12] + +RFC 4511 LDAPv3 June 2006 + + + counter that is incremented each time referral handling occurs for an + operation, and these kinds of clients MUST be able to handle at least + ten nested referrals while progressing the operation. + + A URI for a server implementing LDAP and accessible via TCP/IP (v4 or + v6) [RFC793][RFC791] is written as an LDAP URL according to + [RFC4516]. + + Referral values that are LDAP URLs follow these rules: + + - If an alias was dereferenced, the <dn> part of the LDAP URL MUST be + present, with the new target object name. + + - It is RECOMMENDED that the <dn> part be present to avoid ambiguity. + + - If the <dn> part is present, the client uses this name in its next + request to progress the operation, and if it is not present the + client uses the same name as in the original request. + + - Some servers (e.g., participating in distributed indexing) may + provide a different filter in a URL of a referral for a Search + operation. + + - If the <filter> part of the LDAP URL is present, the client uses + this filter in its next request to progress this Search, and if it + is not present the client uses the same filter as it used for that + Search. + + - For Search, it is RECOMMENDED that the <scope> part be present to + avoid ambiguity. + + - If the <scope> part is missing, the scope of the original Search is + used by the client to progress the operation. + + - Other aspects of the new request may be the same as or different + from the request that generated the referral. + + Other kinds of URIs may be returned. The syntax and semantics of + such URIs is left to future specifications. Clients may ignore URIs + that they do not support. + + UTF-8 encoded characters appearing in the string representation of a + DN, search filter, or other fields of the referral value may not be + legal for URIs (e.g., spaces) and MUST be escaped using the % method + in [RFC3986]. + + + + + + +Sermersheim Standards Track [Page 13] + +RFC 4511 LDAPv3 June 2006 + + +4.1.11. Controls + + Controls provide a mechanism whereby the semantics and arguments of + existing LDAP operations may be extended. One or more controls may + be attached to a single LDAP message. A control only affects the + semantics of the message it is attached to. + + Controls sent by clients are termed 'request controls', and those + sent by servers are termed 'response controls'. + + Controls ::= SEQUENCE OF control Control + + Control ::= SEQUENCE { + controlType LDAPOID, + criticality BOOLEAN DEFAULT FALSE, + controlValue OCTET STRING OPTIONAL } + + The controlType field is the dotted-decimal representation of an + OBJECT IDENTIFIER that uniquely identifies the control. This + provides unambiguous naming of controls. Often, response control(s) + solicited by a request control share controlType values with the + request control. + + The criticality field only has meaning in controls attached to + request messages (except UnbindRequest). For controls attached to + response messages and the UnbindRequest, the criticality field SHOULD + be FALSE, and MUST be ignored by the receiving protocol peer. A + value of TRUE indicates that it is unacceptable to perform the + operation without applying the semantics of the control. + Specifically, the criticality field is applied as follows: + + - If the server does not recognize the control type, determines that + it is not appropriate for the operation, or is otherwise unwilling + to perform the operation with the control, and if the criticality + field is TRUE, the server MUST NOT perform the operation, and for + operations that have a response message, it MUST return with the + resultCode set to unavailableCriticalExtension. + + - If the server does not recognize the control type, determines that + it is not appropriate for the operation, or is otherwise unwilling + to perform the operation with the control, and if the criticality + field is FALSE, the server MUST ignore the control. + + - Regardless of criticality, if a control is applied to an + operation, it is applied consistently and impartially to the + entire operation. + + + + + +Sermersheim Standards Track [Page 14] + +RFC 4511 LDAPv3 June 2006 + + + The controlValue may contain information associated with the + controlType. Its format is defined by the specification of the + control. Implementations MUST be prepared to handle arbitrary + contents of the controlValue octet string, including zero bytes. It + is absent only if there is no value information that is associated + with a control of its type. When a controlValue is defined in terms + of ASN.1, and BER-encoded according to Section 5.1, it also follows + the extensibility rules in Section 4. + + Servers list the controlType of request controls they recognize in + the 'supportedControl' attribute in the root DSE (Section 5.1 of + [RFC4512]). + + Controls SHOULD NOT be combined unless the semantics of the + combination has been specified. The semantics of control + combinations, if specified, are generally found in the control + specification most recently published. When a combination of + controls is encountered whose semantics are invalid, not specified + (or not known), the message is considered not well-formed; thus, the + operation fails with protocolError. Controls with a criticality of + FALSE may be ignored in order to arrive at a valid combination. + Additionally, unless order-dependent semantics are given in a + specification, the order of a combination of controls in the SEQUENCE + is ignored. Where the order is to be ignored but cannot be ignored + by the server, the message is considered not well-formed, and the + operation fails with protocolError. Again, controls with a + criticality of FALSE may be ignored in order to arrive at a valid + combination. + + This document does not specify any controls. Controls may be + specified in other documents. Documents detailing control extensions + are to provide for each control: + + - the OBJECT IDENTIFIER assigned to the control, + + - direction as to what value the sender should provide for the + criticality field (note: the semantics of the criticality field are + defined above should not be altered by the control's + specification), + + - whether the controlValue field is present, and if so, the format of + its contents, + + - the semantics of the control, and + + - optionally, semantics regarding the combination of the control with + other controls. + + + + +Sermersheim Standards Track [Page 15] + +RFC 4511 LDAPv3 June 2006 + + +4.2. Bind Operation + + The function of the Bind operation is to allow authentication + information to be exchanged between the client and server. The Bind + operation should be thought of as the "authenticate" operation. + Operational, authentication, and security-related semantics of this + operation are given in [RFC4513]. + + The Bind request is defined as follows: + + BindRequest ::= [APPLICATION 0] SEQUENCE { + version INTEGER (1 .. 127), + name LDAPDN, + authentication AuthenticationChoice } + + AuthenticationChoice ::= CHOICE { + simple [0] OCTET STRING, + -- 1 and 2 reserved + sasl [3] SaslCredentials, + ... } + + SaslCredentials ::= SEQUENCE { + mechanism LDAPString, + credentials OCTET STRING OPTIONAL } + + Fields of the BindRequest are: + + - version: A version number indicating the version of the protocol to + be used at the LDAP message layer. This document describes version + 3 of the protocol. There is no version negotiation. The client + sets this field to the version it desires. If the server does not + support the specified version, it MUST respond with a BindResponse + where the resultCode is set to protocolError. + + - name: If not empty, the name of the Directory object that the + client wishes to bind as. This field may take on a null value (a + zero-length string) for the purposes of anonymous binds ([RFC4513], + Section 5.1) or when using SASL [RFC4422] authentication + ([RFC4513], Section 5.2). Where the server attempts to locate the + named object, it SHALL NOT perform alias dereferencing. + + - authentication: Information used in authentication. This type is + extensible as defined in Section 3.7 of [RFC4520]. Servers that do + not support a choice supplied by a client return a BindResponse + with the resultCode set to authMethodNotSupported. + + + + + + +Sermersheim Standards Track [Page 16] + +RFC 4511 LDAPv3 June 2006 + + + Textual passwords (consisting of a character sequence with a known + character set and encoding) transferred to the server using the + simple AuthenticationChoice SHALL be transferred as UTF-8 [RFC3629] + encoded [Unicode]. Prior to transfer, clients SHOULD prepare text + passwords as "query" strings by applying the SASLprep [RFC4013] + profile of the stringprep [RFC3454] algorithm. Passwords + consisting of other data (such as random octets) MUST NOT be + altered. The determination of whether a password is textual is a + local client matter. + +4.2.1. Processing of the Bind Request + + Before processing a BindRequest, all uncompleted operations MUST + either complete or be abandoned. The server may either wait for the + uncompleted operations to complete, or abandon them. The server then + proceeds to authenticate the client in either a single-step or + multi-step Bind process. Each step requires the server to return a + BindResponse to indicate the status of authentication. + + After sending a BindRequest, clients MUST NOT send further LDAP PDUs + until receiving the BindResponse. Similarly, servers SHOULD NOT + process or respond to requests received while processing a + BindRequest. + + If the client did not bind before sending a request and receives an + operationsError to that request, it may then send a BindRequest. If + this also fails or the client chooses not to bind on the existing + LDAP session, it may terminate the LDAP session, re-establish it, and + begin again by first sending a BindRequest. This will aid in + interoperating with servers implementing other versions of LDAP. + + Clients may send multiple Bind requests to change the authentication + and/or security associations or to complete a multi-stage Bind + process. Authentication from earlier binds is subsequently ignored. + + For some SASL authentication mechanisms, it may be necessary for the + client to invoke the BindRequest multiple times ([RFC4513], Section + 5.2). Clients MUST NOT invoke operations between two Bind requests + made as part of a multi-stage Bind. + + A client may abort a SASL bind negotiation by sending a BindRequest + with a different value in the mechanism field of SaslCredentials, or + an AuthenticationChoice other than sasl. + + + + + + + + +Sermersheim Standards Track [Page 17] + +RFC 4511 LDAPv3 June 2006 + + + If the client sends a BindRequest with the sasl mechanism field as an + empty string, the server MUST return a BindResponse with the + resultCode set to authMethodNotSupported. This will allow the client + to abort a negotiation if it wishes to try again with the same SASL + mechanism. + +4.2.2. Bind Response + + The Bind response is defined as follows. + + BindResponse ::= [APPLICATION 1] SEQUENCE { + COMPONENTS OF LDAPResult, + serverSaslCreds [7] OCTET STRING OPTIONAL } + + BindResponse consists simply of an indication from the server of the + status of the client's request for authentication. + + A successful Bind operation is indicated by a BindResponse with a + resultCode set to success. Otherwise, an appropriate result code is + set in the BindResponse. For BindResponse, the protocolError result + code may be used to indicate that the version number supplied by the + client is unsupported. + + If the client receives a BindResponse where the resultCode is set to + protocolError, it is to assume that the server does not support this + version of LDAP. While the client may be able proceed with another + version of this protocol (which may or may not require closing and + re-establishing the transport connection), how to proceed with + another version of this protocol is beyond the scope of this + document. Clients that are unable or unwilling to proceed SHOULD + terminate the LDAP session. + + The serverSaslCreds field is used as part of a SASL-defined bind + mechanism to allow the client to authenticate the server to which it + is communicating, or to perform "challenge-response" authentication. + If the client bound with the simple choice, or the SASL mechanism + does not require the server to return information to the client, then + this field SHALL NOT be included in the BindResponse. + +4.3. Unbind Operation + + The function of the Unbind operation is to terminate an LDAP session. + The Unbind operation is not the antithesis of the Bind operation as + the name implies. The naming of these operations are historical. + The Unbind operation should be thought of as the "quit" operation. + + + + + + +Sermersheim Standards Track [Page 18] + +RFC 4511 LDAPv3 June 2006 + + + The Unbind operation is defined as follows: + + UnbindRequest ::= [APPLICATION 2] NULL + + The client, upon transmission of the UnbindRequest, and the server, + upon receipt of the UnbindRequest, are to gracefully terminate the + LDAP session as described in Section 5.3. Uncompleted operations are + handled as specified in Section 3.1. + +4.4. Unsolicited Notification + + An unsolicited notification is an LDAPMessage sent from the server to + the client that is not in response to any LDAPMessage received by the + server. It is used to signal an extraordinary condition in the + server or in the LDAP session between the client and the server. The + notification is of an advisory nature, and the server will not expect + any response to be returned from the client. + + The unsolicited notification is structured as an LDAPMessage in which + the messageID is zero and protocolOp is set to the extendedResp + choice using the ExtendedResponse type (See Section 4.12). The + responseName field of the ExtendedResponse always contains an LDAPOID + that is unique for this notification. + + One unsolicited notification (Notice of Disconnection) is defined in + this document. The specification of an unsolicited notification + consists of: + + - the OBJECT IDENTIFIER assigned to the notification (to be specified + in the responseName, + + - the format of the contents of the responseValue (if any), + + - the circumstances which will cause the notification to be sent, and + + - the semantics of the message. + +4.4.1. Notice of Disconnection + + This notification may be used by the server to advise the client that + the server is about to terminate the LDAP session on its own + initiative. This notification is intended to assist clients in + distinguishing between an exceptional server condition and a + transient network failure. Note that this notification is not a + response to an Unbind requested by the client. Uncompleted + operations are handled as specified in Section 3.1. + + + + + +Sermersheim Standards Track [Page 19] + +RFC 4511 LDAPv3 June 2006 + + + The responseName is 1.3.6.1.4.1.1466.20036, the responseValue field + is absent, and the resultCode is used to indicate the reason for the + disconnection. When the strongerAuthRequired resultCode is returned + with this message, it indicates that the server has detected that an + established security association between the client and server has + unexpectedly failed or been compromised. + + Upon transmission of the Notice of Disconnection, the server + gracefully terminates the LDAP session as described in Section 5.3. + +4.5. Search Operation + + The Search operation is used to request a server to return, subject + to access controls and other restrictions, a set of entries matching + a complex search criterion. This can be used to read attributes from + a single entry, from entries immediately subordinate to a particular + entry, or from a whole subtree of entries. + +4.5.1. Search Request + + The Search request is defined as follows: + + SearchRequest ::= [APPLICATION 3] SEQUENCE { + baseObject LDAPDN, + scope ENUMERATED { + baseObject (0), + singleLevel (1), + wholeSubtree (2), + ... }, + derefAliases ENUMERATED { + neverDerefAliases (0), + derefInSearching (1), + derefFindingBaseObj (2), + derefAlways (3) }, + sizeLimit INTEGER (0 .. maxInt), + timeLimit INTEGER (0 .. maxInt), + typesOnly BOOLEAN, + filter Filter, + attributes AttributeSelection } + + AttributeSelection ::= SEQUENCE OF selector LDAPString + -- The LDAPString is constrained to + -- <attributeSelector> in Section 4.5.1.8 + + Filter ::= CHOICE { + and [0] SET SIZE (1..MAX) OF filter Filter, + or [1] SET SIZE (1..MAX) OF filter Filter, + not [2] Filter, + + + +Sermersheim Standards Track [Page 20] + +RFC 4511 LDAPv3 June 2006 + + + equalityMatch [3] AttributeValueAssertion, + substrings [4] SubstringFilter, + greaterOrEqual [5] AttributeValueAssertion, + lessOrEqual [6] AttributeValueAssertion, + present [7] AttributeDescription, + approxMatch [8] AttributeValueAssertion, + extensibleMatch [9] MatchingRuleAssertion, + ... } + + SubstringFilter ::= SEQUENCE { + type AttributeDescription, + substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE { + initial [0] AssertionValue, -- can occur at most once + any [1] AssertionValue, + final [2] AssertionValue } -- can occur at most once + } + + MatchingRuleAssertion ::= SEQUENCE { + matchingRule [1] MatchingRuleId OPTIONAL, + type [2] AttributeDescription OPTIONAL, + matchValue [3] AssertionValue, + dnAttributes [4] BOOLEAN DEFAULT FALSE } + + Note that an X.500 "list"-like operation can be emulated by the + client requesting a singleLevel Search operation with a filter + checking for the presence of the 'objectClass' attribute, and that an + X.500 "read"-like operation can be emulated by a baseObject Search + operation with the same filter. A server that provides a gateway to + X.500 is not required to use the Read or List operations, although it + may choose to do so, and if it does, it must provide the same + semantics as the X.500 Search operation. + +4.5.1.1. SearchRequest.baseObject + + The name of the base object entry (or possibly the root) relative to + which the Search is to be performed. + +4.5.1.2. SearchRequest.scope + + Specifies the scope of the Search to be performed. The semantics (as + described in [X.511]) of the defined values of this field are: + + baseObject: The scope is constrained to the entry named by + baseObject. + + singleLevel: The scope is constrained to the immediate + subordinates of the entry named by baseObject. + + + + +Sermersheim Standards Track [Page 21] + +RFC 4511 LDAPv3 June 2006 + + + wholeSubtree: The scope is constrained to the entry named by + baseObject and to all its subordinates. + +4.5.1.3. SearchRequest.derefAliases + + An indicator as to whether or not alias entries (as defined in + [RFC4512]) are to be dereferenced during stages of the Search + operation. + + The act of dereferencing an alias includes recursively dereferencing + aliases that refer to aliases. + + Servers MUST detect looping while dereferencing aliases in order to + prevent denial-of-service attacks of this nature. + + The semantics of the defined values of this field are: + + neverDerefAliases: Do not dereference aliases in searching or in + locating the base object of the Search. + + derefInSearching: While searching subordinates of the base object, + dereference any alias within the search scope. Dereferenced + objects become the vertices of further search scopes where the + Search operation is also applied. If the search scope is + wholeSubtree, the Search continues in the subtree(s) of any + dereferenced object. If the search scope is singleLevel, the + search is applied to any dereferenced objects and is not applied + to their subordinates. Servers SHOULD eliminate duplicate entries + that arise due to alias dereferencing while searching. + + derefFindingBaseObj: Dereference aliases in locating the base + object of the Search, but not when searching subordinates of the + base object. + + derefAlways: Dereference aliases both in searching and in locating + the base object of the Search. + +4.5.1.4. SearchRequest.sizeLimit + + A size limit that restricts the maximum number of entries to be + returned as a result of the Search. A value of zero in this field + indicates that no client-requested size limit restrictions are in + effect for the Search. Servers may also enforce a maximum number of + entries to return. + + + + + + + +Sermersheim Standards Track [Page 22] + +RFC 4511 LDAPv3 June 2006 + + +4.5.1.5. SearchRequest.timeLimit + + A time limit that restricts the maximum time (in seconds) allowed for + a Search. A value of zero in this field indicates that no client- + requested time limit restrictions are in effect for the Search. + Servers may also enforce a maximum time limit for the Search. + +4.5.1.6. SearchRequest.typesOnly + + An indicator as to whether Search results are to contain both + attribute descriptions and values, or just attribute descriptions. + Setting this field to TRUE causes only attribute descriptions (and + not values) to be returned. Setting this field to FALSE causes both + attribute descriptions and values to be returned. + +4.5.1.7. SearchRequest.filter + + A filter that defines the conditions that must be fulfilled in order + for the Search to match a given entry. + + The 'and', 'or', and 'not' choices can be used to form combinations + of filters. At least one filter element MUST be present in an 'and' + or 'or' choice. The others match against individual attribute values + of entries in the scope of the Search. (Implementor's note: the + 'not' filter is an example of a tagged choice in an implicitly-tagged + module. In BER this is treated as if the tag were explicit.) + + A server MUST evaluate filters according to the three-valued logic of + [X.511] (1993), Clause 7.8.1. In summary, a filter is evaluated to + "TRUE", "FALSE", or "Undefined". If the filter evaluates to TRUE for + a particular entry, then the attributes of that entry are returned as + part of the Search result (subject to any applicable access control + restrictions). If the filter evaluates to FALSE or Undefined, then + the entry is ignored for the Search. + + A filter of the "and" choice is TRUE if all the filters in the SET OF + evaluate to TRUE, FALSE if at least one filter is FALSE, and + Undefined otherwise. A filter of the "or" choice is FALSE if all the + filters in the SET OF evaluate to FALSE, TRUE if at least one filter + is TRUE, and Undefined otherwise. A filter of the 'not' choice is + TRUE if the filter being negated is FALSE, FALSE if it is TRUE, and + Undefined if it is Undefined. + + A filter item evaluates to Undefined when the server would not be + able to determine whether the assertion value matches an entry. + Examples include: + + + + + +Sermersheim Standards Track [Page 23] + +RFC 4511 LDAPv3 June 2006 + + + - An attribute description in an equalityMatch, substrings, + greaterOrEqual, lessOrEqual, approxMatch, or extensibleMatch filter + is not recognized by the server. + + - The attribute type does not define the appropriate matching rule. + + - A MatchingRuleId in the extensibleMatch is not recognized by the + server or is not valid for the attribute type. + + - The type of filtering requested is not implemented. + + - The assertion value is invalid. + + For example, if a server did not recognize the attribute type + shoeSize, the filters (shoeSize=*), (shoeSize=12), (shoeSize>=12), + and (shoeSize<=12) would each evaluate to Undefined. + + Servers MUST NOT return errors if attribute descriptions or matching + rule ids are not recognized, assertion values are invalid, or the + assertion syntax is not supported. More details of filter processing + are given in Clause 7.8 of [X.511]. + +4.5.1.7.1. SearchRequest.filter.equalityMatch + + The matching rule for an equalityMatch filter is defined by the + EQUALITY matching rule for the attribute type or subtype. The filter + is TRUE when the EQUALITY rule returns TRUE as applied to the + attribute or subtype and the asserted value. + +4.5.1.7.2. SearchRequest.filter.substrings + + There SHALL be at most one 'initial' and at most one 'final' in the + 'substrings' of a SubstringFilter. If 'initial' is present, it SHALL + be the first element of 'substrings'. If 'final' is present, it + SHALL be the last element of 'substrings'. + + The matching rule for an AssertionValue in a substrings filter item + is defined by the SUBSTR matching rule for the attribute type or + subtype. The filter is TRUE when the SUBSTR rule returns TRUE as + applied to the attribute or subtype and the asserted value. + + Note that the AssertionValue in a substrings filter item conforms to + the assertion syntax of the EQUALITY matching rule for the attribute + type rather than to the assertion syntax of the SUBSTR matching rule + for the attribute type. Conceptually, the entire SubstringFilter is + converted into an assertion value of the substrings matching rule + prior to applying the rule. + + + + +Sermersheim Standards Track [Page 24] + +RFC 4511 LDAPv3 June 2006 + + +4.5.1.7.3. SearchRequest.filter.greaterOrEqual + + The matching rule for a greaterOrEqual filter is defined by the + ORDERING matching rule for the attribute type or subtype. The filter + is TRUE when the ORDERING rule returns FALSE as applied to the + attribute or subtype and the asserted value. + +4.5.1.7.4. SearchRequest.filter.lessOrEqual + + The matching rules for a lessOrEqual filter are defined by the + ORDERING and EQUALITY matching rules for the attribute type or + subtype. The filter is TRUE when either the ORDERING or EQUALITY + rule returns TRUE as applied to the attribute or subtype and the + asserted value. + +4.5.1.7.5. SearchRequest.filter.present + + A present filter is TRUE when there is an attribute or subtype of the + specified attribute description present in an entry, FALSE when no + attribute or subtype of the specified attribute description is + present in an entry, and Undefined otherwise. + +4.5.1.7.6. SearchRequest.filter.approxMatch + + An approxMatch filter is TRUE when there is a value of the attribute + type or subtype for which some locally-defined approximate matching + algorithm (e.g., spelling variations, phonetic match, etc.) returns + TRUE. If a value matches for equality, it also satisfies an + approximate match. If approximate matching is not supported for the + attribute, this filter item should be treated as an equalityMatch. + +4.5.1.7.7. SearchRequest.filter.extensibleMatch + + The fields of the extensibleMatch filter item are evaluated as + follows: + + - If the matchingRule field is absent, the type field MUST be + present, and an equality match is performed for that type. + + - If the type field is absent and the matchingRule is present, the + matchValue is compared against all attributes in an entry that + support that matchingRule. + + - If the type field is present and the matchingRule is present, the + matchValue is compared against the specified attribute type and its + subtypes. + + + + + +Sermersheim Standards Track [Page 25] + +RFC 4511 LDAPv3 June 2006 + + + - If the dnAttributes field is set to TRUE, the match is additionally + applied against all the AttributeValueAssertions in an entry's + distinguished name, and it evaluates to TRUE if there is at least + one attribute or subtype in the distinguished name for which the + filter item evaluates to TRUE. The dnAttributes field is present + to alleviate the need for multiple versions of generic matching + rules (such as word matching), where one applies to entries and + another applies to entries and DN attributes as well. + + The matchingRule used for evaluation determines the syntax for the + assertion value. Once the matchingRule and attribute(s) have been + determined, the filter item evaluates to TRUE if it matches at least + one attribute type or subtype in the entry, FALSE if it does not + match any attribute type or subtype in the entry, and Undefined if + the matchingRule is not recognized, the matchingRule is unsuitable + for use with the specified type, or the assertionValue is invalid. + +4.5.1.8. SearchRequest.attributes + + A selection list of the attributes to be returned from each entry + that matches the search filter. Attributes that are subtypes of + listed attributes are implicitly included. LDAPString values of this + field are constrained to the following Augmented Backus-Naur Form + (ABNF) [RFC4234]: + + attributeSelector = attributedescription / selectorspecial + + selectorspecial = noattrs / alluserattrs + + noattrs = %x31.2E.31 ; "1.1" + + alluserattrs = %x2A ; asterisk ("*") + + The <attributedescription> production is defined in Section 2.5 of + [RFC4512]. + + There are three special cases that may appear in the attributes + selection list: + + 1. An empty list with no attributes requests the return of all + user attributes. + + 2. A list containing "*" (with zero or more attribute + descriptions) requests the return of all user attributes in + addition to other listed (operational) attributes. + + + + + + +Sermersheim Standards Track [Page 26] + +RFC 4511 LDAPv3 June 2006 + + + 3. A list containing only the OID "1.1" indicates that no + attributes are to be returned. If "1.1" is provided with other + attributeSelector values, the "1.1" attributeSelector is + ignored. This OID was chosen because it does not (and can not) + correspond to any attribute in use. + + Client implementors should note that even if all user attributes are + requested, some attributes and/or attribute values of the entry may + not be included in Search results due to access controls or other + restrictions. Furthermore, servers will not return operational + attributes, such as objectClasses or attributeTypes, unless they are + listed by name. Operational attributes are described in [RFC4512]. + + Attributes are returned at most once in an entry. If an attribute + description is named more than once in the list, the subsequent names + are ignored. If an attribute description in the list is not + recognized, it is ignored by the server. + +4.5.2. Search Result + + The results of the Search operation are returned as zero or more + SearchResultEntry and/or SearchResultReference messages, followed by + a single SearchResultDone message. + + SearchResultEntry ::= [APPLICATION 4] SEQUENCE { + objectName LDAPDN, + attributes PartialAttributeList } + + PartialAttributeList ::= SEQUENCE OF + partialAttribute PartialAttribute + + SearchResultReference ::= [APPLICATION 19] SEQUENCE + SIZE (1..MAX) OF uri URI + + SearchResultDone ::= [APPLICATION 5] LDAPResult + + Each SearchResultEntry represents an entry found during the Search. + Each SearchResultReference represents an area not yet explored during + the Search. The SearchResultEntry and SearchResultReference messages + may come in any order. Following all the SearchResultReference and + SearchResultEntry responses, the server returns a SearchResultDone + response, which contains an indication of success or details any + errors that have occurred. + + Each entry returned in a SearchResultEntry will contain all + appropriate attributes as specified in the attributes field of the + Search Request, subject to access control and other administrative + policy. Note that the PartialAttributeList may hold zero elements. + + + +Sermersheim Standards Track [Page 27] + +RFC 4511 LDAPv3 June 2006 + + + This may happen when none of the attributes of an entry were + requested or could be returned. Note also that the partialAttribute + vals set may hold zero elements. This may happen when typesOnly is + requested, access controls prevent the return of values, or other + reasons. + + Some attributes may be constructed by the server and appear in a + SearchResultEntry attribute list, although they are not stored + attributes of an entry. Clients SHOULD NOT assume that all + attributes can be modified, even if this is permitted by access + control. + + If the server's schema defines short names [RFC4512] for an attribute + type, then the server SHOULD use one of those names in attribute + descriptions for that attribute type (in preference to using the + <numericoid> [RFC4512] format of the attribute type's object + identifier). The server SHOULD NOT use the short name if that name + is known by the server to be ambiguous, or if it is otherwise likely + to cause interoperability problems. + +4.5.3. Continuation References in the Search Result + + If the server was able to locate the entry referred to by the + baseObject but was unable or unwilling to search one or more non- + local entries, the server may return one or more + SearchResultReference messages, each containing a reference to + another set of servers for continuing the operation. A server MUST + NOT return any SearchResultReference messages if it has not located + the baseObject and thus has not searched any entries. In this case, + it would return a SearchResultDone containing either a referral or + noSuchObject result code (depending on the server's knowledge of the + entry named in the baseObject). + + If a server holds a copy or partial copy of the subordinate naming + context (Section 5 of [RFC4512]), it may use the search filter to + determine whether or not to return a SearchResultReference response. + Otherwise, SearchResultReference responses are always returned when + in scope. + + The SearchResultReference is of the same data type as the Referral. + + If the client wishes to progress the Search, it issues a new Search + operation for each SearchResultReference that is returned. If + multiple URIs are present, the client assumes that any supported URI + may be used to progress the operation. + + + + + + +Sermersheim Standards Track [Page 28] + +RFC 4511 LDAPv3 June 2006 + + + Clients that follow search continuation references MUST ensure that + they do not loop between servers. They MUST NOT repeatedly contact + the same server for the same request with the same parameters. Some + clients use a counter that is incremented each time search result + reference handling occurs for an operation, and these kinds of + clients MUST be able to handle at least ten nested referrals while + progressing the operation. + + Note that the Abandon operation described in Section 4.11 applies + only to a particular operation sent at the LDAP message layer between + a client and server. The client must individually abandon subsequent + Search operations it wishes to. + + A URI for a server implementing LDAP and accessible via TCP/IP (v4 or + v6) [RFC793][RFC791] is written as an LDAP URL according to + [RFC4516]. + + SearchResultReference values that are LDAP URLs follow these rules: + + - The <dn> part of the LDAP URL MUST be present, with the new target + object name. The client uses this name when following the + reference. + + - Some servers (e.g., participating in distributed indexing) may + provide a different filter in the LDAP URL. + + - If the <filter> part of the LDAP URL is present, the client uses + this filter in its next request to progress this Search, and if it + is not present the client uses the same filter as it used for that + Search. + + - If the originating search scope was singleLevel, the <scope> part + of the LDAP URL will be "base". + + - It is RECOMMENDED that the <scope> part be present to avoid + ambiguity. In the absence of a <scope> part, the scope of the + original Search request is assumed. + + - Other aspects of the new Search request may be the same as or + different from the Search request that generated the + SearchResultReference. + + - The name of an unexplored subtree in a SearchResultReference need + not be subordinate to the base object. + + Other kinds of URIs may be returned. The syntax and semantics of + such URIs is left to future specifications. Clients may ignore URIs + that they do not support. + + + +Sermersheim Standards Track [Page 29] + +RFC 4511 LDAPv3 June 2006 + + + UTF-8-encoded characters appearing in the string representation of a + DN, search filter, or other fields of the referral value may not be + legal for URIs (e.g., spaces) and MUST be escaped using the % method + in [RFC3986]. + +4.5.3.1. Examples + + For example, suppose the contacted server (hosta) holds the entry + <DC=Example,DC=NET> and the entry <CN=Manager,DC=Example,DC=NET>. It + knows that both LDAP servers (hostb) and (hostc) hold + <OU=People,DC=Example,DC=NET> (one is the master and the other server + a shadow), and that LDAP-capable server (hostd) holds the subtree + <OU=Roles,DC=Example,DC=NET>. If a wholeSubtree Search of + <DC=Example,DC=NET> is requested to the contacted server, it may + return the following: + + SearchResultEntry for DC=Example,DC=NET + SearchResultEntry for CN=Manager,DC=Example,DC=NET + SearchResultReference { + ldap://hostb/OU=People,DC=Example,DC=NET??sub + ldap://hostc/OU=People,DC=Example,DC=NET??sub } + SearchResultReference { + ldap://hostd/OU=Roles,DC=Example,DC=NET??sub } + SearchResultDone (success) + + Client implementors should note that when following a + SearchResultReference, additional SearchResultReference may be + generated. Continuing the example, if the client contacted the + server (hostb) and issued the Search request for the subtree + <OU=People,DC=Example,DC=NET>, the server might respond as follows: + + SearchResultEntry for OU=People,DC=Example,DC=NET + SearchResultReference { + ldap://hoste/OU=Managers,OU=People,DC=Example,DC=NET??sub } + SearchResultReference { + ldap://hostf/OU=Consultants,OU=People,DC=Example,DC=NET??sub } + SearchResultDone (success) + + Similarly, if a singleLevel Search of <DC=Example,DC=NET> is + requested to the contacted server, it may return the following: + + SearchResultEntry for CN=Manager,DC=Example,DC=NET + SearchResultReference { + ldap://hostb/OU=People,DC=Example,DC=NET??base + ldap://hostc/OU=People,DC=Example,DC=NET??base } + SearchResultReference { + ldap://hostd/OU=Roles,DC=Example,DC=NET??base } + SearchResultDone (success) + + + +Sermersheim Standards Track [Page 30] + +RFC 4511 LDAPv3 June 2006 + + + If the contacted server does not hold the base object for the Search, + but has knowledge of its possible location, then it may return a + referral to the client. In this case, if the client requests a + subtree Search of <DC=Example,DC=ORG> to hosta, the server returns a + SearchResultDone containing a referral. + + SearchResultDone (referral) { + ldap://hostg/DC=Example,DC=ORG??sub } + +4.6. Modify Operation + + The Modify operation allows a client to request that a modification + of an entry be performed on its behalf by a server. The Modify + Request is defined as follows: + + ModifyRequest ::= [APPLICATION 6] SEQUENCE { + object LDAPDN, + changes SEQUENCE OF change SEQUENCE { + operation ENUMERATED { + add (0), + delete (1), + replace (2), + ... }, + modification PartialAttribute } } + + Fields of the Modify Request are: + + - object: The value of this field contains the name of the entry to + be modified. The server SHALL NOT perform any alias dereferencing + in determining the object to be modified. + + - changes: A list of modifications to be performed on the entry. The + entire list of modifications MUST be performed in the order they + are listed as a single atomic operation. While individual + modifications may violate certain aspects of the directory schema + (such as the object class definition and Directory Information Tree + (DIT) content rule), the resulting entry after the entire list of + modifications is performed MUST conform to the requirements of the + directory model and controlling schema [RFC4512]. + + - operation: Used to specify the type of modification being + performed. Each operation type acts on the following + modification. The values of this field have the following + semantics, respectively: + + add: add values listed to the modification attribute, + creating the attribute if necessary. + + + + +Sermersheim Standards Track [Page 31] + +RFC 4511 LDAPv3 June 2006 + + + delete: delete values listed from the modification attribute. + If no values are listed, or if all current values of the + attribute are listed, the entire attribute is removed. + + replace: replace all existing values of the modification + attribute with the new values listed, creating the attribute + if it did not already exist. A replace with no value will + delete the entire attribute if it exists, and it is ignored + if the attribute does not exist. + + - modification: A PartialAttribute (which may have an empty SET + of vals) used to hold the attribute type or attribute type and + values being modified. + + Upon receipt of a Modify Request, the server attempts to perform the + necessary modifications to the DIT and returns the result in a Modify + Response, defined as follows: + + ModifyResponse ::= [APPLICATION 7] LDAPResult + + The server will return to the client a single Modify Response + indicating either the successful completion of the DIT modification, + or the reason that the modification failed. Due to the requirement + for atomicity in applying the list of modifications in the Modify + Request, the client may expect that no modifications of the DIT have + been performed if the Modify Response received indicates any sort of + error, and that all requested modifications have been performed if + the Modify Response indicates successful completion of the Modify + operation. Whether or not the modification was applied cannot be + determined by the client if the Modify Response was not received + (e.g., the LDAP session was terminated or the Modify operation was + abandoned). + + Servers MUST ensure that entries conform to user and system schema + rules or other data model constraints. The Modify operation cannot + be used to remove from an entry any of its distinguished values, + i.e., those values which form the entry's relative distinguished + name. An attempt to do so will result in the server returning the + notAllowedOnRDN result code. The Modify DN operation described in + Section 4.9 is used to rename an entry. + + For attribute types that specify no equality matching, the rules in + Section 2.5.1 of [RFC4512] are followed. + + Note that due to the simplifications made in LDAP, there is not a + direct mapping of the changes in an LDAP ModifyRequest onto the + changes of a DAP ModifyEntry operation, and different implementations + + + + +Sermersheim Standards Track [Page 32] + +RFC 4511 LDAPv3 June 2006 + + + of LDAP-DAP gateways may use different means of representing the + change. If successful, the final effect of the operations on the + entry MUST be identical. + +4.7. Add Operation + + The Add operation allows a client to request the addition of an entry + into the Directory. The Add Request is defined as follows: + + AddRequest ::= [APPLICATION 8] SEQUENCE { + entry LDAPDN, + attributes AttributeList } + + AttributeList ::= SEQUENCE OF attribute Attribute + + Fields of the Add Request are: + + - entry: the name of the entry to be added. The server SHALL NOT + dereference any aliases in locating the entry to be added. + + - attributes: the list of attributes that, along with those from the + RDN, make up the content of the entry being added. Clients MAY or + MAY NOT include the RDN attribute(s) in this list. Clients MUST + NOT supply NO-USER-MODIFICATION attributes such as the + createTimestamp or creatorsName attributes, since the server + maintains these automatically. + + Servers MUST ensure that entries conform to user and system schema + rules or other data model constraints. For attribute types that + specify no equality matching, the rules in Section 2.5.1 of [RFC4512] + are followed (this applies to the naming attribute in addition to any + multi-valued attributes being added). + + The entry named in the entry field of the AddRequest MUST NOT exist + for the AddRequest to succeed. The immediate superior (parent) of an + object or alias entry to be added MUST exist. For example, if the + client attempted to add <CN=JS,DC=Example,DC=NET>, the + <DC=Example,DC=NET> entry did not exist, and the <DC=NET> entry did + exist, then the server would return the noSuchObject result code with + the matchedDN field containing <DC=NET>. + + Upon receipt of an Add Request, a server will attempt to add the + requested entry. The result of the Add attempt will be returned to + the client in the Add Response, defined as follows: + + AddResponse ::= [APPLICATION 9] LDAPResult + + + + + +Sermersheim Standards Track [Page 33] + +RFC 4511 LDAPv3 June 2006 + + + A response of success indicates that the new entry has been added to + the Directory. + +4.8. Delete Operation + + The Delete operation allows a client to request the removal of an + entry from the Directory. The Delete Request is defined as follows: + + DelRequest ::= [APPLICATION 10] LDAPDN + + The Delete Request consists of the name of the entry to be deleted. + The server SHALL NOT dereference aliases while resolving the name of + the target entry to be removed. + + Only leaf entries (those with no subordinate entries) can be deleted + with this operation. + + Upon receipt of a Delete Request, a server will attempt to perform + the entry removal requested and return the result in the Delete + Response defined as follows: + + DelResponse ::= [APPLICATION 11] LDAPResult + +4.9. Modify DN Operation + + The Modify DN operation allows a client to change the Relative + Distinguished Name (RDN) of an entry in the Directory and/or to move + a subtree of entries to a new location in the Directory. The Modify + DN Request is defined as follows: + + ModifyDNRequest ::= [APPLICATION 12] SEQUENCE { + entry LDAPDN, + newrdn RelativeLDAPDN, + deleteoldrdn BOOLEAN, + newSuperior [0] LDAPDN OPTIONAL } + + Fields of the Modify DN Request are: + + - entry: the name of the entry to be changed. This entry may or may + not have subordinate entries. + + - newrdn: the new RDN of the entry. The value of the old RDN is + supplied when moving the entry to a new superior without changing + its RDN. Attribute values of the new RDN not matching any + attribute value of the entry are added to the entry, and an + appropriate error is returned if this fails. + + + + + +Sermersheim Standards Track [Page 34] + +RFC 4511 LDAPv3 June 2006 + + + - deleteoldrdn: a boolean field that controls whether the old RDN + attribute values are to be retained as attributes of the entry or + deleted from the entry. + + - newSuperior: if present, this is the name of an existing object + entry that becomes the immediate superior (parent) of the + existing entry. + + The server SHALL NOT dereference any aliases in locating the objects + named in entry or newSuperior. + + Upon receipt of a ModifyDNRequest, a server will attempt to perform + the name change and return the result in the Modify DN Response, + defined as follows: + + ModifyDNResponse ::= [APPLICATION 13] LDAPResult + + For example, if the entry named in the entry field was <cn=John + Smith,c=US>, the newrdn field was <cn=John Cougar Smith>, and the + newSuperior field was absent, then this operation would attempt to + rename the entry as <cn=John Cougar Smith,c=US>. If there was + already an entry with that name, the operation would fail with the + entryAlreadyExists result code. + + Servers MUST ensure that entries conform to user and system schema + rules or other data model constraints. For attribute types that + specify no equality matching, the rules in Section 2.5.1 of [RFC4512] + are followed (this pertains to newrdn and deleteoldrdn). + + The object named in newSuperior MUST exist. For example, if the + client attempted to add <CN=JS,DC=Example,DC=NET>, the + <DC=Example,DC=NET> entry did not exist, and the <DC=NET> entry did + exist, then the server would return the noSuchObject result code with + the matchedDN field containing <DC=NET>. + + If the deleteoldrdn field is TRUE, the attribute values forming the + old RDN (but not the new RDN) are deleted from the entry. If the + deleteoldrdn field is FALSE, the attribute values forming the old RDN + will be retained as non-distinguished attribute values of the entry. + + Note that X.500 restricts the ModifyDN operation to affect only + entries that are contained within a single server. If the LDAP + server is mapped onto DAP, then this restriction will apply, and the + affectsMultipleDSAs result code will be returned if this error + occurred. In general, clients MUST NOT expect to be able to perform + arbitrary movements of entries and subtrees between servers or + between naming contexts. + + + + +Sermersheim Standards Track [Page 35] + +RFC 4511 LDAPv3 June 2006 + + +4.10. Compare Operation + + The Compare operation allows a client to compare an assertion value + with the values of a particular attribute in a particular entry in + the Directory. The Compare Request is defined as follows: + + CompareRequest ::= [APPLICATION 14] SEQUENCE { + entry LDAPDN, + ava AttributeValueAssertion } + + Fields of the Compare Request are: + + - entry: the name of the entry to be compared. The server SHALL NOT + dereference any aliases in locating the entry to be compared. + + - ava: holds the attribute value assertion to be compared. + + Upon receipt of a Compare Request, a server will attempt to perform + the requested comparison and return the result in the Compare + Response, defined as follows: + + CompareResponse ::= [APPLICATION 15] LDAPResult + + The resultCode is set to compareTrue, compareFalse, or an appropriate + error. compareTrue indicates that the assertion value in the ava + field matches a value of the attribute or subtype according to the + attribute's EQUALITY matching rule. compareFalse indicates that the + assertion value in the ava field and the values of the attribute or + subtype did not match. Other result codes indicate either that the + result of the comparison was Undefined (Section 4.5.1.7), or that + some error occurred. + + Note that some directory systems may establish access controls that + permit the values of certain attributes (such as userPassword) to be + compared but not interrogated by other means. + +4.11. Abandon Operation + + The function of the Abandon operation is to allow a client to request + that the server abandon an uncompleted operation. The Abandon + Request is defined as follows: + + AbandonRequest ::= [APPLICATION 16] MessageID + + The MessageID is that of an operation that was requested earlier at + this LDAP message layer. The Abandon request itself has its own + MessageID. This is distinct from the MessageID of the earlier + operation being abandoned. + + + +Sermersheim Standards Track [Page 36] + +RFC 4511 LDAPv3 June 2006 + + + There is no response defined in the Abandon operation. Upon receipt + of an AbandonRequest, the server MAY abandon the operation identified + by the MessageID. Since the client cannot tell the difference + between a successfully abandoned operation and an uncompleted + operation, the application of the Abandon operation is limited to + uses where the client does not require an indication of its outcome. + + Abandon, Bind, Unbind, and StartTLS operations cannot be abandoned. + + In the event that a server receives an Abandon Request on a Search + operation in the midst of transmitting responses to the Search, that + server MUST cease transmitting entry responses to the abandoned + request immediately, and it MUST NOT send the SearchResultDone. Of + course, the server MUST ensure that only properly encoded LDAPMessage + PDUs are transmitted. + + The ability to abandon other (particularly update) operations is at + the discretion of the server. + + Clients should not send Abandon requests for the same operation + multiple times, and they MUST also be prepared to receive results + from operations they have abandoned (since these might have been in + transit when the Abandon was requested or might not be able to be + abandoned). + + Servers MUST discard Abandon requests for messageIDs they do not + recognize, for operations that cannot be abandoned, and for + operations that have already been abandoned. + +4.12. Extended Operation + + The Extended operation allows additional operations to be defined for + services not already available in the protocol; for example, to Add + operations to install transport layer security (see Section 4.14). + + The Extended operation allows clients to make requests and receive + responses with predefined syntaxes and semantics. These may be + defined in RFCs or be private to particular implementations. + + Each Extended operation consists of an Extended request and an + Extended response. + + ExtendedRequest ::= [APPLICATION 23] SEQUENCE { + requestName [0] LDAPOID, + requestValue [1] OCTET STRING OPTIONAL } + + + + + + +Sermersheim Standards Track [Page 37] + +RFC 4511 LDAPv3 June 2006 + + + The requestName is a dotted-decimal representation of the unique + OBJECT IDENTIFIER corresponding to the request. The requestValue is + information in a form defined by that request, encapsulated inside an + OCTET STRING. + + The server will respond to this with an LDAPMessage containing an + ExtendedResponse. + + ExtendedResponse ::= [APPLICATION 24] SEQUENCE { + COMPONENTS OF LDAPResult, + responseName [10] LDAPOID OPTIONAL, + responseValue [11] OCTET STRING OPTIONAL } + + The responseName field, when present, contains an LDAPOID that is + unique for this extended operation or response. This field is + optional (even when the extension specification defines an LDAPOID + for use in this field). The field will be absent whenever the server + is unable or unwilling to determine the appropriate LDAPOID to + return, for instance, when the requestName cannot be parsed or its + value is not recognized. + + Where the requestName is not recognized, the server returns + protocolError. (The server may return protocolError in other cases.) + + The requestValue and responseValue fields contain information + associated with the operation. The format of these fields is defined + by the specification of the Extended operation. Implementations MUST + be prepared to handle arbitrary contents of these fields, including + zero bytes. Values that are defined in terms of ASN.1 and BER- + encoded according to Section 5.1 also follow the extensibility rules + in Section 4. + + Servers list the requestName of Extended Requests they recognize in + the 'supportedExtension' attribute in the root DSE (Section 5.1 of + [RFC4512]). + + Extended operations may be specified in other documents. The + specification of an Extended operation consists of: + + - the OBJECT IDENTIFIER assigned to the requestName, + + - the OBJECT IDENTIFIER (if any) assigned to the responseName (note + that the same OBJECT IDENTIFIER may be used for both the + requestName and responseName), + + + + + + + +Sermersheim Standards Track [Page 38] + +RFC 4511 LDAPv3 June 2006 + + + - the format of the contents of the requestValue and responseValue + (if any), and + + - the semantics of the operation. + +4.13. IntermediateResponse Message + + While the Search operation provides a mechanism to return multiple + response messages for a single Search request, other operations, by + nature, do not provide for multiple response messages. + + The IntermediateResponse message provides a general mechanism for + defining single-request/multiple-response operations in LDAP. This + message is intended to be used in conjunction with the Extended + operation to define new single-request/multiple-response operations + or in conjunction with a control when extending existing LDAP + operations in a way that requires them to return Intermediate + response information. + + It is intended that the definitions and descriptions of Extended + operations and controls that make use of the IntermediateResponse + message will define the circumstances when an IntermediateResponse + message can be sent by a server and the associated meaning of an + IntermediateResponse message sent in a particular circumstance. + + IntermediateResponse ::= [APPLICATION 25] SEQUENCE { + responseName [0] LDAPOID OPTIONAL, + responseValue [1] OCTET STRING OPTIONAL } + + IntermediateResponse messages SHALL NOT be returned to the client + unless the client issues a request that specifically solicits their + return. This document defines two forms of solicitation: Extended + operation and request control. IntermediateResponse messages are + specified in documents describing the manner in which they are + solicited (i.e., in the Extended operation or request control + specification that uses them). These specifications include: + + - the OBJECT IDENTIFIER (if any) assigned to the responseName, + + - the format of the contents of the responseValue (if any), and + + - the semantics associated with the IntermediateResponse message. + + Extensions that allow the return of multiple types of + IntermediateResponse messages SHALL identify those types using unique + responseName values (note that one of these may specify no value). + + + + + +Sermersheim Standards Track [Page 39] + +RFC 4511 LDAPv3 June 2006 + + + Sections 4.13.1 and 4.13.2 describe additional requirements on the + inclusion of responseName and responseValue in IntermediateResponse + messages. + +4.13.1. Usage with LDAP ExtendedRequest and ExtendedResponse + + A single-request/multiple-response operation may be defined using a + single ExtendedRequest message to solicit zero or more + IntermediateResponse messages of one or more kinds, followed by an + ExtendedResponse message. + +4.13.2. Usage with LDAP Request Controls + + A control's semantics may include the return of zero or more + IntermediateResponse messages prior to returning the final result + code for the operation. One or more kinds of IntermediateResponse + messages may be sent in response to a request control. + + All IntermediateResponse messages associated with request controls + SHALL include a responseName. This requirement ensures that the + client can correctly identify the source of IntermediateResponse + messages when: + + - two or more controls using IntermediateResponse messages are + included in a request for any LDAP operation or + + - one or more controls using IntermediateResponse messages are + included in a request with an LDAP Extended operation that uses + IntermediateResponse messages. + +4.14. StartTLS Operation + + The Start Transport Layer Security (StartTLS) operation's purpose is + to initiate installation of a TLS layer. The StartTLS operation is + defined using the Extended operation mechanism described in Section + 4.12. + +4.14.1. StartTLS Request + + A client requests TLS establishment by transmitting a StartTLS + request message to the server. The StartTLS request is defined in + terms of an ExtendedRequest. The requestName is + "1.3.6.1.4.1.1466.20037", and the requestValue field is always + absent. + + + + + + + +Sermersheim Standards Track [Page 40] + +RFC 4511 LDAPv3 June 2006 + + + The client MUST NOT send any LDAP PDUs at this LDAP message layer + following this request until it receives a StartTLS Extended response + and, in the case of a successful response, completes TLS + negotiations. + + Detected sequencing problems (particularly those detailed in Section + 3.1.1 of [RFC4513]) result in the resultCode being set to + operationsError. + + If the server does not support TLS (whether by design or by current + configuration), it returns with the resultCode set to protocolError + as described in Section 4.12. + +4.14.2. StartTLS Response + + When a StartTLS request is received, servers supporting the operation + MUST return a StartTLS response message to the requestor. The + responseName is "1.3.6.1.4.1.1466.20037" when provided (see Section + 4.12). The responseValue is always absent. + + If the server is willing and able to negotiate TLS, it returns the + StartTLS response with the resultCode set to success. Upon client + receipt of a successful StartTLS response, protocol peers may + commence with TLS negotiation as discussed in Section 3 of [RFC4513]. + + If the server is otherwise unwilling or unable to perform this + operation, the server is to return an appropriate result code + indicating the nature of the problem. For example, if the TLS + subsystem is not presently available, the server may indicate this by + returning with the resultCode set to unavailable. In cases where a + non-success result code is returned, the LDAP session is left without + a TLS layer. + +4.14.3. Removal of the TLS Layer + + Either the client or server MAY remove the TLS layer and leave the + LDAP message layer intact by sending and receiving a TLS closure + alert. + + The initiating protocol peer sends the TLS closure alert and MUST + wait until it receives a TLS closure alert from the other peer before + sending further LDAP PDUs. + + When a protocol peer receives the initial TLS closure alert, it may + choose to allow the LDAP message layer to remain intact. In this + case, it MUST immediately transmit a TLS closure alert. Following + this, it MAY send and receive LDAP PDUs. + + + + +Sermersheim Standards Track [Page 41] + +RFC 4511 LDAPv3 June 2006 + + + Protocol peers MAY terminate the LDAP session after sending or + receiving a TLS closure alert. + +5. Protocol Encoding, Connection, and Transfer + + This protocol is designed to run over connection-oriented, reliable + transports, where the data stream is divided into octets (8-bit + units), with each octet and each bit being significant. + + One underlying service, LDAP over TCP, is defined in Section 5.2. + This service is generally applicable to applications providing or + consuming X.500-based directory services on the Internet. This + specification was generally written with the TCP mapping in mind. + Specifications detailing other mappings may encounter various + obstacles. + + Implementations of LDAP over TCP MUST implement the mapping as + described in Section 5.2. + + This table illustrates the relationship among the different layers + involved in an exchange between two protocol peers: + + +----------------------+ + | LDAP message layer | + +----------------------+ > LDAP PDUs + +----------------------+ < data + | SASL layer | + +----------------------+ > SASL-protected data + +----------------------+ < data + | TLS layer | + Application +----------------------+ > TLS-protected data + ------------+----------------------+ < data + Transport | transport connection | + +----------------------+ + +5.1. Protocol Encoding + + The protocol elements of LDAP SHALL be encoded for exchange using the + Basic Encoding Rules [BER] of [ASN.1] with the following + restrictions: + + - Only the definite form of length encoding is used. + + - OCTET STRING values are encoded in the primitive form only. + + - If the value of a BOOLEAN type is true, the encoding of the value + octet is set to hex "FF". + + + + +Sermersheim Standards Track [Page 42] + +RFC 4511 LDAPv3 June 2006 + + + - If a value of a type is its default value, it is absent. Only some + BOOLEAN and INTEGER types have default values in this protocol + definition. + + These restrictions are meant to ease the overhead of encoding and + decoding certain elements in BER. + + These restrictions do not apply to ASN.1 types encapsulated inside of + OCTET STRING values, such as attribute values, unless otherwise + stated. + +5.2. Transmission Control Protocol (TCP) + + The encoded LDAPMessage PDUs are mapped directly onto the TCP + [RFC793] bytestream using the BER-based encoding described in Section + 5.1. It is recommended that server implementations running over the + TCP provide a protocol listener on the Internet Assigned Numbers + Authority (IANA)-assigned LDAP port, 389 [PortReg]. Servers may + instead provide a listener on a different port number. Clients MUST + support contacting servers on any valid TCP port. + +5.3. Termination of the LDAP session + + Termination of the LDAP session is typically initiated by the client + sending an UnbindRequest (Section 4.3), or by the server sending a + Notice of Disconnection (Section 4.4.1). In these cases, each + protocol peer gracefully terminates the LDAP session by ceasing + exchanges at the LDAP message layer, tearing down any SASL layer, + tearing down any TLS layer, and closing the transport connection. + + A protocol peer may determine that the continuation of any + communication would be pernicious, and in this case, it may abruptly + terminate the session by ceasing communication and closing the + transport connection. + + In either case, when the LDAP session is terminated, uncompleted + operations are handled as specified in Section 3.1. + +6. Security Considerations + + This version of the protocol provides facilities for simple + authentication using a cleartext password, as well as any SASL + [RFC4422] mechanism. Installing SASL and/or TLS layers can provide + integrity and other data security services. + + It is also permitted that the server can return its credentials to + the client, if it chooses to do so. + + + + +Sermersheim Standards Track [Page 43] + +RFC 4511 LDAPv3 June 2006 + + + Use of cleartext password is strongly discouraged where the + underlying transport service cannot guarantee confidentiality and may + result in disclosure of the password to unauthorized parties. + + Servers are encouraged to prevent directory modifications by clients + that have authenticated anonymously [RFC4513]. + + Security considerations for authentication methods, SASL mechanisms, + and TLS are described in [RFC4513]. + + Note that SASL authentication exchanges do not provide data + confidentiality or integrity protection for the version or name + fields of the BindRequest or the resultCode, diagnosticMessage, or + referral fields of the BindResponse, nor for any information + contained in controls attached to Bind requests or responses. Thus, + information contained in these fields SHOULD NOT be relied on unless + it is otherwise protected (such as by establishing protections at the + transport layer). + + Implementors should note that various security factors (including + authentication and authorization information and data security + services) may change during the course of the LDAP session or even + during the performance of a particular operation. For instance, + credentials could expire, authorization identities or access controls + could change, or the underlying security layer(s) could be replaced + or terminated. Implementations should be robust in the handling of + changing security factors. + + In some cases, it may be appropriate to continue the operation even + in light of security factor changes. For instance, it may be + appropriate to continue an Abandon operation regardless of the + change, or to continue an operation when the change upgraded (or + maintained) the security factor. In other cases, it may be + appropriate to fail or alter the processing of the operation. For + instance, if confidential protections were removed, it would be + appropriate either to fail a request to return sensitive data or, + minimally, to exclude the return of sensitive data. + + Implementations that cache attributes and entries obtained via LDAP + MUST ensure that access controls are maintained if that information + is to be provided to multiple clients, since servers may have access + control policies that prevent the return of entries or attributes in + Search results except to particular authenticated clients. For + example, caches could serve result information only to the client + whose request caused it to be in the cache. + + + + + + +Sermersheim Standards Track [Page 44] + +RFC 4511 LDAPv3 June 2006 + + + Servers may return referrals or Search result references that + redirect clients to peer servers. It is possible for a rogue + application to inject such referrals into the data stream in an + attempt to redirect a client to a rogue server. Clients are advised + to be aware of this and possibly reject referrals when + confidentiality measures are not in place. Clients are advised to + reject referrals from the StartTLS operation. + + The matchedDN and diagnosticMessage fields, as well as some + resultCode values (e.g., attributeOrValueExists and + entryAlreadyExists), could disclose the presence or absence of + specific data in the directory that is subject to access and other + administrative controls. Server implementations should restrict + access to protected information equally under both normal and error + conditions. + + Protocol peers MUST be prepared to handle invalid and arbitrary- + length protocol encodings. Invalid protocol encodings include: BER + encoding exceptions, format string and UTF-8 encoding exceptions, + overflow exceptions, integer value exceptions, and binary mode on/off + flag exceptions. The LDAPv3 PROTOS [PROTOS-LDAP] test suite provides + excellent examples of these exceptions and test cases used to + discover flaws. + + In the event that a protocol peer senses an attack that in its nature + could cause damage due to further communication at any layer in the + LDAP session, the protocol peer should abruptly terminate the LDAP + session as described in Section 5.3. + +7. Acknowledgements + + This document is based on RFC 2251 by Mark Wahl, Tim Howes, and Steve + Kille. RFC 2251 was a product of the IETF ASID Working Group. + + It is also based on RFC 2830 by Jeff Hodges, RL "Bob" Morgan, and + Mark Wahl. RFC 2830 was a product of the IETF LDAPEXT Working Group. + + It is also based on RFC 3771 by Roger Harrison and Kurt Zeilenga. + RFC 3771 was an individual submission to the IETF. + + This document is a product of the IETF LDAPBIS Working Group. + Significant contributors of technical review and content include Kurt + Zeilenga, Steven Legg, and Hallvard Furuseth. + + + + + + + + +Sermersheim Standards Track [Page 45] + +RFC 4511 LDAPv3 June 2006 + + +8. Normative References + + [ASN.1] ITU-T Recommendation X.680 (07/2002) | ISO/IEC 8824- + 1:2002 "Information Technology - Abstract Syntax + Notation One (ASN.1): Specification of basic notation". + + [BER] ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002, + "Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), Canonical + Encoding Rules (CER) and Distinguished Encoding Rules + (DER)", 2002. + + [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) - + Architecture and Basic Multilingual Plane, ISO/IEC + 10646-1 : 1993. + + [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, + September 1981. + + [RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC + 793, September 1981. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3454] Hoffman P. and M. Blanchet, "Preparation of + Internationalized Strings ('stringprep')", RFC 3454, + December 2002. + + [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO + 10646", STD 63, RFC 3629, November 2003. + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, + "Uniform Resource Identifier (URI): Generic Syntax", + STD 66, RFC 3986, January 2005. + + [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User + Names and Passwords", RFC 4013, February 2005. + + [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", RFC 4234, October 2005. + + [RFC4346] Dierks, T. and E. Rescorla, "The TLS Protocol Version + 1.1", RFC 4346, March 2006. + + [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple + Authentication and Security Layer (SASL)", RFC 4422, + June 2006. + + + +Sermersheim Standards Track [Page 46] + +RFC 4511 LDAPv3 June 2006 + + + [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access + Protocol (LDAP): Technical Specification Road Map", RFC + 4510, June 2006. + + [RFC4512] Zeilenga, K., Lightweight Directory Access Protocol + (LDAP): Directory Information Models", RFC 4512, June + 2006. + + [RFC4513] Harrison, R., Ed., "Lightweight Directory Access + Protocol (LDAP): Authentication Methods and Security + Mechanisms", RFC 4513, June 2006. + + [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access + Protocol (LDAP): String Representation of Distinguished + Names", RFC 4514, June 2006. + + [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory + Access Protocol (LDAP): Uniform Resource Locator", RFC + 4516, June 2006. + + [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol + (LDAP): Syntaxes and Matching Rules", RFC 4517, June + 2006. + + [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority + (IANA) Considerations for the Lightweight Directory + Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006. + + [Unicode] The Unicode Consortium, "The Unicode Standard, Version + 3.2.0" is defined by "The Unicode Standard, Version + 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201- + 61633-5), as amended by the "Unicode Standard Annex + #27: Unicode 3.1" + (http://www.unicode.org/reports/tr27/) and by the + "Unicode Standard Annex #28: Unicode 3.2" + (http://www.unicode.org/reports/tr28/). + + [X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts, + Models and Service", 1993. + + [X.511] ITU-T Rec. X.511, "The Directory: Abstract Service + Definition", 1993. + + + + + + + + + +Sermersheim Standards Track [Page 47] + +RFC 4511 LDAPv3 June 2006 + + +9. Informative References + + [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report + #17, Character Encoding Model", UTR17, + <http://www.unicode.org/unicode/reports/tr17/>, August + 2000. + + [Glossary] The Unicode Consortium, "Unicode Glossary", + <http://www.unicode.org/glossary/>. + + [PortReg] IANA, "Port Numbers", + <http://www.iana.org/assignments/port-numbers>. + + [PROTOS-LDAP] University of Oulu, "PROTOS Test-Suite: c06-ldapv3" + <http://www.ee.oulu.fi/research/ouspg/protos/testing/ + c06/ldapv3/>. + +10. IANA Considerations + + The Internet Assigned Numbers Authority (IANA) has updated the LDAP + result code registry to indicate that this document provides the + definitive technical specification for result codes 0-36, 48-54, 64- + 70, 80-90. It is also noted that one resultCode value + (strongAuthRequired) has been renamed (to strongerAuthRequired). + + The IANA has also updated the LDAP Protocol Mechanism registry to + indicate that this document and [RFC4513] provides the definitive + technical specification for the StartTLS (1.3.6.1.4.1.1466.20037) + Extended operation. + + IANA has assigned LDAP Object Identifier 18 [RFC4520] to identify the + ASN.1 module defined in this document. + + Subject: Request for LDAP Object Identifier Registration + Person & email address to contact for further information: + Jim Sermersheim <jimse@novell.com> + Specification: RFC 4511 + Author/Change Controller: IESG + Comments: + Identifies the LDAP ASN.1 module + + + + + + + + + + + +Sermersheim Standards Track [Page 48] + +RFC 4511 LDAPv3 June 2006 + + +Appendix A. LDAP Result Codes + + This normative appendix details additional considerations regarding + LDAP result codes and provides a brief, general description of each + LDAP result code enumerated in Section 4.1.9. + + Additional result codes MAY be defined for use with extensions + [RFC4520]. Client implementations SHALL treat any result code that + they do not recognize as an unknown error condition. + + The descriptions provided here do not fully account for result code + substitutions used to prevent unauthorized disclosures (such as + substitution of noSuchObject for insufficientAccessRights, or + invalidCredentials for insufficientAccessRights). + +A.1. Non-Error Result Codes + + These result codes (called "non-error" result codes) do not indicate + an error condition: + + success (0), + compareFalse (5), + compareTrue (6), + referral (10), and + saslBindInProgress (14). + + The success, compareTrue, and compareFalse result codes indicate + successful completion (and, hence, are referred to as "successful" + result codes). + + The referral and saslBindInProgress result codes indicate the client + needs to take additional action to complete the operation. + +A.2. Result Codes + + Existing LDAP result codes are described as follows: + + success (0) + Indicates the successful completion of an operation. Note: + this code is not used with the Compare operation. See + compareFalse (5) and compareTrue (6). + + + + + + + + + + +Sermersheim Standards Track [Page 49] + +RFC 4511 LDAPv3 June 2006 + + + operationsError (1) + Indicates that the operation is not properly sequenced with + relation to other operations (of same or different type). + + For example, this code is returned if the client attempts to + StartTLS [RFC4346] while there are other uncompleted operations + or if a TLS layer was already installed. + + protocolError (2) + Indicates the server received data that is not well-formed. + + For Bind operation only, this code is also used to indicate + that the server does not support the requested protocol + version. + + For Extended operations only, this code is also used to + indicate that the server does not support (by design or + configuration) the Extended operation associated with the + requestName. + + For request operations specifying multiple controls, this may + be used to indicate that the server cannot ignore the order + of the controls as specified, or that the combination of the + specified controls is invalid or unspecified. + + timeLimitExceeded (3) + Indicates that the time limit specified by the client was + exceeded before the operation could be completed. + + sizeLimitExceeded (4) + Indicates that the size limit specified by the client was + exceeded before the operation could be completed. + + compareFalse (5) + Indicates that the Compare operation has successfully + completed and the assertion has evaluated to FALSE or + Undefined. + + compareTrue (6) + Indicates that the Compare operation has successfully + completed and the assertion has evaluated to TRUE. + + authMethodNotSupported (7) + Indicates that the authentication method or mechanism is not + supported. + + + + + + +Sermersheim Standards Track [Page 50] + +RFC 4511 LDAPv3 June 2006 + + + strongerAuthRequired (8) + Indicates the server requires strong(er) authentication in + order to complete the operation. + + When used with the Notice of Disconnection operation, this + code indicates that the server has detected that an + established security association between the client and + server has unexpectedly failed or been compromised. + + referral (10) + Indicates that a referral needs to be chased to complete the + operation (see Section 4.1.10). + + adminLimitExceeded (11) + Indicates that an administrative limit has been exceeded. + + unavailableCriticalExtension (12) + Indicates a critical control is unrecognized (see Section + 4.1.11). + + confidentialityRequired (13) + Indicates that data confidentiality protections are required. + + saslBindInProgress (14) + Indicates the server requires the client to send a new bind + request, with the same SASL mechanism, to continue the + authentication process (see Section 4.2). + + noSuchAttribute (16) + Indicates that the named entry does not contain the specified + attribute or attribute value. + + undefinedAttributeType (17) + Indicates that a request field contains an unrecognized + attribute description. + + inappropriateMatching (18) + Indicates that an attempt was made (e.g., in an assertion) to + use a matching rule not defined for the attribute type + concerned. + + constraintViolation (19) + Indicates that the client supplied an attribute value that + does not conform to the constraints placed upon it by the + data model. + + For example, this code is returned when multiple values are + supplied to an attribute that has a SINGLE-VALUE constraint. + + + +Sermersheim Standards Track [Page 51] + +RFC 4511 LDAPv3 June 2006 + + + attributeOrValueExists (20) + Indicates that the client supplied an attribute or value to + be added to an entry, but the attribute or value already + exists. + + invalidAttributeSyntax (21) + Indicates that a purported attribute value does not conform + to the syntax of the attribute. + + noSuchObject (32) + Indicates that the object does not exist in the DIT. + + aliasProblem (33) + Indicates that an alias problem has occurred. For example, + the code may used to indicate an alias has been dereferenced + that names no object. + + invalidDNSyntax (34) + Indicates that an LDAPDN or RelativeLDAPDN field (e.g., search + base, target entry, ModifyDN newrdn, etc.) of a request does + not conform to the required syntax or contains attribute + values that do not conform to the syntax of the attribute's + type. + + aliasDereferencingProblem (36) + Indicates that a problem occurred while dereferencing an + alias. Typically, an alias was encountered in a situation + where it was not allowed or where access was denied. + + inappropriateAuthentication (48) + Indicates the server requires the client that had attempted + to bind anonymously or without supplying credentials to + provide some form of credentials. + + invalidCredentials (49) + Indicates that the provided credentials (e.g., the user's name + and password) are invalid. + + insufficientAccessRights (50) + Indicates that the client does not have sufficient access + rights to perform the operation. + + busy (51) + Indicates that the server is too busy to service the + operation. + + + + + + +Sermersheim Standards Track [Page 52] + +RFC 4511 LDAPv3 June 2006 + + + unavailable (52) + Indicates that the server is shutting down or a subsystem + necessary to complete the operation is offline. + + unwillingToPerform (53) + Indicates that the server is unwilling to perform the + operation. + + loopDetect (54) + Indicates that the server has detected an internal loop (e.g., + while dereferencing aliases or chaining an operation). + + namingViolation (64) + Indicates that the entry's name violates naming restrictions. + + objectClassViolation (65) + Indicates that the entry violates object class restrictions. + + notAllowedOnNonLeaf (66) + Indicates that the operation is inappropriately acting upon a + non-leaf entry. + + notAllowedOnRDN (67) + Indicates that the operation is inappropriately attempting to + remove a value that forms the entry's relative distinguished + name. + + entryAlreadyExists (68) + Indicates that the request cannot be fulfilled (added, moved, + or renamed) as the target entry already exists. + + objectClassModsProhibited (69) + Indicates that an attempt to modify the object class(es) of + an entry's 'objectClass' attribute is prohibited. + + For example, this code is returned when a client attempts to + modify the structural object class of an entry. + + affectsMultipleDSAs (71) + Indicates that the operation cannot be performed as it would + affect multiple servers (DSAs). + + other (80) + Indicates the server has encountered an internal error. + + + + + + + +Sermersheim Standards Track [Page 53] + +RFC 4511 LDAPv3 June 2006 + + +Appendix B. Complete ASN.1 Definition + + This appendix is normative. + + Lightweight-Directory-Access-Protocol-V3 {1 3 6 1 1 18} + -- Copyright (C) The Internet Society (2006). This version of + -- this ASN.1 module is part of RFC 4511; see the RFC itself + -- for full legal notices. + DEFINITIONS + IMPLICIT TAGS + EXTENSIBILITY IMPLIED ::= + + BEGIN + + LDAPMessage ::= SEQUENCE { + messageID MessageID, + protocolOp CHOICE { + bindRequest BindRequest, + bindResponse BindResponse, + unbindRequest UnbindRequest, + searchRequest SearchRequest, + searchResEntry SearchResultEntry, + searchResDone SearchResultDone, + searchResRef SearchResultReference, + modifyRequest ModifyRequest, + modifyResponse ModifyResponse, + addRequest AddRequest, + addResponse AddResponse, + delRequest DelRequest, + delResponse DelResponse, + modDNRequest ModifyDNRequest, + modDNResponse ModifyDNResponse, + compareRequest CompareRequest, + compareResponse CompareResponse, + abandonRequest AbandonRequest, + extendedReq ExtendedRequest, + extendedResp ExtendedResponse, + ..., + intermediateResponse IntermediateResponse }, + controls [0] Controls OPTIONAL } + + MessageID ::= INTEGER (0 .. maxInt) + + maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) -- + + LDAPString ::= OCTET STRING -- UTF-8 encoded, + -- [ISO10646] characters + + + + +Sermersheim Standards Track [Page 54] + +RFC 4511 LDAPv3 June 2006 + + + LDAPOID ::= OCTET STRING -- Constrained to <numericoid> + -- [RFC4512] + + LDAPDN ::= LDAPString -- Constrained to <distinguishedName> + -- [RFC4514] + + RelativeLDAPDN ::= LDAPString -- Constrained to <name-component> + -- [RFC4514] + + AttributeDescription ::= LDAPString + -- Constrained to <attributedescription> + -- [RFC4512] + + AttributeValue ::= OCTET STRING + + AttributeValueAssertion ::= SEQUENCE { + attributeDesc AttributeDescription, + assertionValue AssertionValue } + + AssertionValue ::= OCTET STRING + + PartialAttribute ::= SEQUENCE { + type AttributeDescription, + vals SET OF value AttributeValue } + + Attribute ::= PartialAttribute(WITH COMPONENTS { + ..., + vals (SIZE(1..MAX))}) + + MatchingRuleId ::= LDAPString + + LDAPResult ::= SEQUENCE { + resultCode ENUMERATED { + success (0), + operationsError (1), + protocolError (2), + timeLimitExceeded (3), + sizeLimitExceeded (4), + compareFalse (5), + compareTrue (6), + authMethodNotSupported (7), + strongerAuthRequired (8), + -- 9 reserved -- + referral (10), + adminLimitExceeded (11), + unavailableCriticalExtension (12), + confidentialityRequired (13), + saslBindInProgress (14), + + + +Sermersheim Standards Track [Page 55] + +RFC 4511 LDAPv3 June 2006 + + + noSuchAttribute (16), + undefinedAttributeType (17), + inappropriateMatching (18), + constraintViolation (19), + attributeOrValueExists (20), + invalidAttributeSyntax (21), + -- 22-31 unused -- + noSuchObject (32), + aliasProblem (33), + invalidDNSyntax (34), + -- 35 reserved for undefined isLeaf -- + aliasDereferencingProblem (36), + -- 37-47 unused -- + inappropriateAuthentication (48), + invalidCredentials (49), + insufficientAccessRights (50), + busy (51), + unavailable (52), + unwillingToPerform (53), + loopDetect (54), + -- 55-63 unused -- + namingViolation (64), + objectClassViolation (65), + notAllowedOnNonLeaf (66), + notAllowedOnRDN (67), + entryAlreadyExists (68), + objectClassModsProhibited (69), + -- 70 reserved for CLDAP -- + affectsMultipleDSAs (71), + -- 72-79 unused -- + other (80), + ... }, + matchedDN LDAPDN, + diagnosticMessage LDAPString, + referral [3] Referral OPTIONAL } + + Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI + + URI ::= LDAPString -- limited to characters permitted in + -- URIs + + Controls ::= SEQUENCE OF control Control + + Control ::= SEQUENCE { + controlType LDAPOID, + criticality BOOLEAN DEFAULT FALSE, + controlValue OCTET STRING OPTIONAL } + + + + +Sermersheim Standards Track [Page 56] + +RFC 4511 LDAPv3 June 2006 + + + BindRequest ::= [APPLICATION 0] SEQUENCE { + version INTEGER (1 .. 127), + name LDAPDN, + authentication AuthenticationChoice } + + AuthenticationChoice ::= CHOICE { + simple [0] OCTET STRING, + -- 1 and 2 reserved + sasl [3] SaslCredentials, + ... } + + SaslCredentials ::= SEQUENCE { + mechanism LDAPString, + credentials OCTET STRING OPTIONAL } + + BindResponse ::= [APPLICATION 1] SEQUENCE { + COMPONENTS OF LDAPResult, + serverSaslCreds [7] OCTET STRING OPTIONAL } + + UnbindRequest ::= [APPLICATION 2] NULL + + SearchRequest ::= [APPLICATION 3] SEQUENCE { + baseObject LDAPDN, + scope ENUMERATED { + baseObject (0), + singleLevel (1), + wholeSubtree (2), + ... }, + derefAliases ENUMERATED { + neverDerefAliases (0), + derefInSearching (1), + derefFindingBaseObj (2), + derefAlways (3) }, + sizeLimit INTEGER (0 .. maxInt), + timeLimit INTEGER (0 .. maxInt), + typesOnly BOOLEAN, + filter Filter, + attributes AttributeSelection } + + AttributeSelection ::= SEQUENCE OF selector LDAPString + -- The LDAPString is constrained to + -- <attributeSelector> in Section 4.5.1.8 + + Filter ::= CHOICE { + and [0] SET SIZE (1..MAX) OF filter Filter, + or [1] SET SIZE (1..MAX) OF filter Filter, + not [2] Filter, + equalityMatch [3] AttributeValueAssertion, + + + +Sermersheim Standards Track [Page 57] + +RFC 4511 LDAPv3 June 2006 + + + substrings [4] SubstringFilter, + greaterOrEqual [5] AttributeValueAssertion, + lessOrEqual [6] AttributeValueAssertion, + present [7] AttributeDescription, + approxMatch [8] AttributeValueAssertion, + extensibleMatch [9] MatchingRuleAssertion, + ... } + + SubstringFilter ::= SEQUENCE { + type AttributeDescription, + substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE { + initial [0] AssertionValue, -- can occur at most once + any [1] AssertionValue, + final [2] AssertionValue } -- can occur at most once + } + + MatchingRuleAssertion ::= SEQUENCE { + matchingRule [1] MatchingRuleId OPTIONAL, + type [2] AttributeDescription OPTIONAL, + matchValue [3] AssertionValue, + dnAttributes [4] BOOLEAN DEFAULT FALSE } + + SearchResultEntry ::= [APPLICATION 4] SEQUENCE { + objectName LDAPDN, + attributes PartialAttributeList } + + PartialAttributeList ::= SEQUENCE OF + partialAttribute PartialAttribute + + SearchResultReference ::= [APPLICATION 19] SEQUENCE + SIZE (1..MAX) OF uri URI + + SearchResultDone ::= [APPLICATION 5] LDAPResult + + ModifyRequest ::= [APPLICATION 6] SEQUENCE { + object LDAPDN, + changes SEQUENCE OF change SEQUENCE { + operation ENUMERATED { + add (0), + delete (1), + replace (2), + ... }, + modification PartialAttribute } } + + ModifyResponse ::= [APPLICATION 7] LDAPResult + + + + + + +Sermersheim Standards Track [Page 58] + +RFC 4511 LDAPv3 June 2006 + + + AddRequest ::= [APPLICATION 8] SEQUENCE { + entry LDAPDN, + attributes AttributeList } + + AttributeList ::= SEQUENCE OF attribute Attribute + + AddResponse ::= [APPLICATION 9] LDAPResult + + DelRequest ::= [APPLICATION 10] LDAPDN + + DelResponse ::= [APPLICATION 11] LDAPResult + + ModifyDNRequest ::= [APPLICATION 12] SEQUENCE { + entry LDAPDN, + newrdn RelativeLDAPDN, + deleteoldrdn BOOLEAN, + newSuperior [0] LDAPDN OPTIONAL } + + ModifyDNResponse ::= [APPLICATION 13] LDAPResult + + CompareRequest ::= [APPLICATION 14] SEQUENCE { + entry LDAPDN, + ava AttributeValueAssertion } + + CompareResponse ::= [APPLICATION 15] LDAPResult + + AbandonRequest ::= [APPLICATION 16] MessageID + + ExtendedRequest ::= [APPLICATION 23] SEQUENCE { + requestName [0] LDAPOID, + requestValue [1] OCTET STRING OPTIONAL } + + ExtendedResponse ::= [APPLICATION 24] SEQUENCE { + COMPONENTS OF LDAPResult, + responseName [10] LDAPOID OPTIONAL, + responseValue [11] OCTET STRING OPTIONAL } + + IntermediateResponse ::= [APPLICATION 25] SEQUENCE { + responseName [0] LDAPOID OPTIONAL, + responseValue [1] OCTET STRING OPTIONAL } + + END + + + + + + + + + +Sermersheim Standards Track [Page 59] + +RFC 4511 LDAPv3 June 2006 + + +Appendix C. Changes + + This appendix is non-normative. + + This appendix summarizes substantive changes made to RFC 2251, RFC + 2830, and RFC 3771. + +C.1. Changes Made to RFC 2251 + + This section summarizes the substantive changes made to Sections 1, + 2, 3.1, and 4, and the remainder of RFC 2251. Readers should + consult [RFC4512] and [RFC4513] for summaries of changes to other + sections. + +C.1.1. Section 1 (Status of this Memo) + + - Removed IESG note. Post publication of RFC 2251, mandatory LDAP + authentication mechanisms have been standardized which are + sufficient to remove this note. See [RFC4513] for authentication + mechanisms. + +C.1.2. Section 3.1 (Protocol Model) and others + + - Removed notes giving history between LDAP v1, v2, and v3. Instead, + added sufficient language so that this document can stand on its + own. + +C.1.3. Section 4 (Elements of Protocol) + + - Clarified where the extensibility features of ASN.1 apply to the + protocol. This change affected various ASN.1 types by the + inclusion of ellipses (...) to certain elements. + - Removed the requirement that servers that implement version 3 or + later MUST provide the 'supportedLDAPVersion' attribute. This + statement provided no interoperability advantages. + +C.1.4. Section 4.1.1 (Message Envelope) + + - There was a mandatory requirement for the server to return a + Notice of Disconnection and drop the transport connection when a + PDU is malformed in a certain way. This has been updated such that + the server SHOULD return the Notice of Disconnection, and it MUST + terminate the LDAP Session. + +C.1.5. Section 4.1.1.1 (Message ID) + + - Required that the messageID of requests MUST be non-zero as the + zero is reserved for Notice of Disconnection. + + + +Sermersheim Standards Track [Page 60] + +RFC 4511 LDAPv3 June 2006 + + + - Specified when it is and isn't appropriate to return an already + used messageID. RFC 2251 accidentally imposed synchronous server + behavior in its wording of this. + +C.1.6. Section 4.1.2 (String Types) + + - Stated that LDAPOID is constrained to <numericoid> from [RFC4512]. + +C.1.7. Section 4.1.5.1 (Binary Option) and others + + - Removed the Binary Option from the specification. There are + numerous interoperability problems associated with this method of + alternate attribute type encoding. Work to specify a suitable + replacement is ongoing. + +C.1.8. Section 4.1.8 (Attribute) + + - Combined the definitions of PartialAttribute and Attribute here, + and defined Attribute in terms of PartialAttribute. + +C.1.9. Section 4.1.10 (Result Message) + + - Renamed "errorMessage" to "diagnosticMessage" as it is allowed to + be sent for non-error results. + - Moved some language into Appendix A, and referred the reader there. + - Allowed matchedDN to be present for other result codes than those + listed in RFC 2251. + - Renamed the code "strongAuthRequired" to "strongerAuthRequired" to + clarify that this code may often be returned to indicate that a + stronger authentication is needed to perform a given operation. + +C.1.10. Section 4.1.11 (Referral) + + - Defined referrals in terms of URIs rather than URLs. + - Removed the requirement that all referral URIs MUST be equally + capable of progressing the operation. The statement was ambiguous + and provided no instructions on how to carry it out. + - Added the requirement that clients MUST NOT loop between servers. + - Clarified the instructions for using LDAPURLs in referrals, and in + doing so added a recommendation that the scope part be present. + - Removed imperatives which required clients to use URLs in specific + ways to progress an operation. These did nothing for + interoperability. + + + + + + + + +Sermersheim Standards Track [Page 61] + +RFC 4511 LDAPv3 June 2006 + + +C.1.11. Section 4.1.12 (Controls) + + - Specified how control values defined in terms of ASN.1 are to be + encoded. + - Noted that the criticality field is only applied to request + messages (except UnbindRequest), and must be ignored when present + on response messages and UnbindRequest. + - Specified that non-critical controls may be ignored at the + server's discretion. There was confusion in the original wording + which led some to believe that recognized controls may not be + ignored as long as they were associated with a proper request. + - Added language regarding combinations of controls and the ordering + of controls on a message. + - Specified that when the semantics of the combination of controls + is undefined or unknown, it results in a protocolError. + - Changed "The server MUST be prepared" to "Implementations MUST be + prepared" in paragraph 8 to reflect that both client and server + implementations must be able to handle this (as both parse + controls). + +C.1.12. Section 4.2 (Bind Operation) + + - Mandated that servers return protocolError when the version is not + supported. + - Disambiguated behavior when the simple authentication is used, the + name is empty, and the password is non-empty. + - Required servers to not dereference aliases for Bind. This was + added for consistency with other operations and to help ensure + data consistency. + - Required that textual passwords be transferred as UTF-8 encoded + Unicode, and added recommendations on string preparation. This was + to help ensure interoperability of passwords being sent from + different clients. + +C.1.13. Section 4.2.1 (Sequencing of the Bind Request) + + - This section was largely reorganized for readability, and language + was added to clarify the authentication state of failed and + abandoned Bind operations. + - Removed: "If a SASL transfer encryption or integrity mechanism has + been negotiated, that mechanism does not support the changing of + credentials from one identity to another, then the client MUST + instead establish a new connection." + If there are dependencies between multiple negotiations of a + particular SASL mechanism, the technical specification for that + SASL mechanism details how applications are to deal with them. + LDAP should not require any special handling. + - Dropped MUST imperative in paragraph 3 to align with [RFC2119]. + + + +Sermersheim Standards Track [Page 62] + +RFC 4511 LDAPv3 June 2006 + + + - Mandated that clients not send non-Bind operations while a Bind is + in progress, and suggested that servers not process them if they + are received. This is needed to ensure proper sequencing of the + Bind in relationship to other operations. + +C.1.14. Section 4.2.3 (Bind Response) + + - Moved most error-related text to Appendix A, and added text + regarding certain errors used in conjunction with the Bind + operation. + - Prohibited the server from specifying serverSaslCreds when not + appropriate. + +C.1.15. Section 4.3 (Unbind Operation) + + - Specified that both peers are to cease transmission and terminate + the LDAP session for the Unbind operation. + +C.1.16. Section 4.4 (Unsolicited Notification) + + - Added instructions for future specifications of Unsolicited + Notifications. + +C.1.17. Section 4.5.1 (Search Request) + + - SearchRequest attributes is now defined as an AttributeSelection + type rather than AttributeDescriptionList, and an ABNF is + provided. + - SearchRequest attributes may contain duplicate attribute + descriptions. This was previously prohibited. Now servers are + instructed to ignore subsequent names when they are duplicated. + This was relaxed in order to allow different short names and also + OIDs to be requested for an attribute. + - The present search filter now evaluates to Undefined when the + specified attribute is not known to the server. It used to + evaluate to FALSE, which caused behavior inconsistent with what + most would expect, especially when the 'not' operator was used. + - The Filter choice SubstringFilter substrings type is now defined + with a lower bound of 1. + - The SubstringFilter substrings 'initial, 'any', and 'final' types + are now AssertionValue rather than LDAPString. Also, added + imperatives stating that 'initial' (if present) must be listed + first, and 'final' (if present) must be listed last. + - Disambiguated the semantics of the derefAliases choices. There was + question as to whether derefInSearching applied to the base object + in a wholeSubtree Search. + - Added instructions for equalityMatch, substrings, greaterOrEqual, + lessOrEqual, and approxMatch. + + + +Sermersheim Standards Track [Page 63] + +RFC 4511 LDAPv3 June 2006 + + + +C.1.18. Section 4.5.2 (Search Result) + + - Recommended that servers not use attribute short names when it + knows they are ambiguous or may cause interoperability problems. + - Removed all mention of ExtendedResponse due to lack of + implementation. + +C.1.19. Section 4.5.3 (Continuation References in the Search Result) + + - Made changes similar to those made to Section 4.1.11. + +C.1.20. Section 4.5.3.1 (Example) + + - Fixed examples to adhere to changes made to Section 4.5.3. + +C.1.21. Section 4.6 (Modify Operation) + + - Replaced AttributeTypeAndValues with Attribute as they are + equivalent. + - Specified the types of modification changes that might + temporarily violate schema. Some readers were under the impression + that any temporary schema violation was allowed. + +C.1.22. Section 4.7 (Add Operation) + + - Aligned Add operation with X.511 in that the attributes of the RDN + are used in conjunction with the listed attributes to create the + entry. Previously, Add required that the distinguished values be + present in the listed attributes. + - Removed requirement that the objectClass attribute MUST be + specified as some DSE types do not require this attribute. + Instead, generic wording was added, requiring the added entry to + adhere to the data model. + - Removed recommendation regarding placement of objects. This is + covered in the data model document. + +C.1.23. Section 4.9 (Modify DN Operation) + + - Required servers to not dereference aliases for Modify DN. This + was added for consistency with other operations and to help ensure + data consistency. + - Allow Modify DN to fail when moving between naming contexts. + - Specified what happens when the attributes of the newrdn are not + present on the entry. + + + + + + +Sermersheim Standards Track [Page 64] + +RFC 4511 LDAPv3 June 2006 + + +C.1.24. Section 4.10 (Compare Operation) + + - Specified that compareFalse means that the Compare took place and + the result is false. There was confusion that led people to + believe that an Undefined match resulted in compareFalse. + - Required servers to not dereference aliases for Compare. This was + added for consistency with other operations and to help ensure + data consistency. + +C.1.25. Section 4.11 (Abandon Operation) + + - Explained that since Abandon returns no response, clients should + not use it if they need to know the outcome. + - Specified that Abandon and Unbind cannot be abandoned. + +C.1.26. Section 4.12 (Extended Operation) + + - Specified how values of Extended operations defined in terms of + ASN.1 are to be encoded. + - Added instructions on what Extended operation specifications + consist of. + - Added a recommendation that servers advertise supported Extended + operations. + +C.1.27. Section 5.2 (Transfer Protocols) + + - Moved referral-specific instructions into referral-related + sections. + +C.1.28. Section 7 (Security Considerations) + + - Reworded notes regarding SASL not protecting certain aspects of + the LDAP Bind messages. + - Noted that Servers are encouraged to prevent directory + modifications by clients that have authenticated anonymously + [RFC4513]. + - Added a note regarding the possibility of changes to security + factors (authentication, authorization, and data confidentiality). + - Warned against following referrals that may have been injected in + the data stream. + - Noted that servers should protect information equally, whether in + an error condition or not, and mentioned matchedDN, + diagnosticMessage, and resultCodes specifically. + - Added a note regarding malformed and long encodings. + + + + + + + +Sermersheim Standards Track [Page 65] + +RFC 4511 LDAPv3 June 2006 + + +C.1.29. Appendix A (Complete ASN.1 Definition) + + - Added "EXTENSIBILITY IMPLIED" to ASN.1 definition. + - Removed AttributeType. It is not used. + +C.2. Changes Made to RFC 2830 + + This section summarizes the substantive changes made to Sections of + RFC 2830. Readers should consult [RFC4513] for summaries of changes + to other sections. + +C.2.1. Section 2.3 (Response other than "success") + + - Removed wording indicating that referrals can be returned from + StartTLS. + - Removed requirement that only a narrow set of result codes can be + returned. Some result codes are required in certain scenarios, but + any other may be returned if appropriate. + - Removed requirement that the ExtendedResponse.responseName MUST be + present. There are circumstances where this is impossible, and + requiring this is at odds with language in Section 4.12. + +C.2.1. Section 4 (Closing a TLS Connection) + + - Reworded most of this section to align with definitions of the + LDAP protocol layers. + - Removed instructions on abrupt closure as this is covered in other + areas of the document (specifically, Section 5.3) + +C.3. Changes Made to RFC 3771 + + - Rewrote to fit into this document. In general, semantics were + preserved. Supporting and background language seen as redundant + due to its presence in this document was omitted. + + - Specified that Intermediate responses to a request may be of + different types, and one of the response types may be specified to + have no response value. + + + + + + + + + + + + + +Sermersheim Standards Track [Page 66] + +RFC 4511 LDAPv3 June 2006 + + +Editor's Address + + Jim Sermersheim + Novell, Inc. + 1800 South Novell Place + Provo, Utah 84606, USA + + Phone: +1 801 861-3088 + EMail: jimse@novell.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Sermersheim Standards Track [Page 67] + +RFC 4511 LDAPv3 June 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Sermersheim Standards Track [Page 68] + |