1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
|
Network Working Group K. Zeilenga
Request for Comments: 4533 OpenLDAP Foundation
Category: Experimental J.H. Choi
IBM Corporation
June 2006
The Lightweight Directory Access Protocol (LDAP)
Content Synchronization Operation
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
IESG Note
The IESG notes that this work was originally discussed in the LDUP
working group. The group came to consensus on a different approach,
documented in RFC 3928; that document is on the standards track and
should be reviewed by those considering implementation of this
proposal.
Abstract
This specification describes the Lightweight Directory Access
Protocol (LDAP) Content Synchronization Operation. The operation
allows a client to maintain a copy of a fragment of the Directory
Information Tree (DIT). It supports both polling for changes and
listening for changes. The operation is defined as an extension of
the LDAP Search Operation.
Zeilenga & Choi Experimental [Page 1]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Table of Contents
1. Introduction ....................................................3
1.1. Background .................................................3
1.2. Intended Usage .............................................4
1.3. Overview ...................................................5
1.4. Conventions ................................................8
2. Elements of the Sync Operation ..................................8
2.1. Common ASN.1 Elements ......................................9
2.2. Sync Request Control .......................................9
2.3. Sync State Control ........................................10
2.4. Sync Done Control .........................................10
2.5. Sync Info Message .........................................11
2.6. Sync Result Codes .........................................11
3. Content Synchronization ........................................11
3.1. Synchronization Session ...................................12
3.2. Content Determination .....................................12
3.3. refreshOnly Mode ..........................................13
3.4. refreshAndPersist Mode ....................................16
3.5. Search Request Parameters .................................17
3.6. objectName ................................................18
3.7. Canceling the Sync Operation ..............................19
3.8. Refresh Required ..........................................19
3.9. Chattiness Considerations .................................20
3.10. Operation Multiplexing ...................................21
4. Meta Information Considerations ................................22
4.1. Entry DN ..................................................22
4.2. Operational Attributes ....................................22
4.3. Collective Attributes .....................................23
4.4. Access and Other Administrative Controls ..................23
5. Interaction with Other Controls ................................23
5.1. ManageDsaIT Control .......................................24
5.2. Subentries Control ........................................24
6. Shadowing Considerations .......................................24
7. Security Considerations ........................................25
8. IANA Considerations ............................................26
8.1. Object Identifier .........................................26
8.2. LDAP Protocol Mechanism ...................................26
8.3. LDAP Result Codes .........................................26
9. Acknowledgements ...............................................26
10. Normative References ..........................................27
11. Informative References ........................................28
Appendix A. CSN-based Implementation Considerations ..............29
Zeilenga & Choi Experimental [Page 2]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
1. Introduction
The Lightweight Directory Access Protocol (LDAP) [RFC4510] provides a
mechanism, the search operation [RFC4511], that allows a client to
request directory content matching a complex set of assertions and to
request that the server return this content, subject to access
control and other restrictions, to the client. However, LDAP does
not provide (despite the introduction of numerous extensions in this
area) an effective and efficient mechanism for maintaining
synchronized copies of directory content. This document introduces a
new mechanism specifically designed to meet the content
synchronization requirements of sophisticated directory applications.
This document defines the LDAP Content Synchronization Operation, or
Sync Operation for short, which allows a client to maintain a
synchronized copy of a fragment of a Directory Information Tree
(DIT). The Sync Operation is defined as a set of controls and other
protocol elements that extend the Search Operation.
1.1. Background
Over the years, a number of content synchronization approaches have
been suggested for use in LDAP directory services. These approaches
are inadequate for one or more of the following reasons:
- failure to ensure a reasonable level of convergence;
- failure to detect that convergence cannot be achieved (without
reload);
- require pre-arranged synchronization agreements;
- require the server to maintain histories of past changes to DIT
content and/or meta information;
- require the server to maintain synchronization state on a per-
client basis; and/or
- are overly chatty.
The Sync Operation provides eventual convergence of synchronized
content when possible and, when not, notification that a full reload
is required.
The Sync Operation does not require pre-arranged synchronization
agreements.
Zeilenga & Choi Experimental [Page 3]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
The Sync Operation does not require that servers maintain or use any
history of past changes to the DIT or to meta information. However,
servers may maintain and use histories (e.g., change logs,
tombstones, DIT snapshots) to reduce the number of messages generated
and to reduce their size. As it is not always feasible to maintain
and use histories, the operation may be implemented using purely
(current) state-based approaches. The Sync Operation allows use of
either the state-based approach or the history-based approach on an
operation-by-operation basis to balance the size of history and the
amount of traffic. The Sync Operation also allows the combined use
of the state-based and the history-based approaches.
The Sync Operation does not require that servers maintain
synchronization state on a per-client basis. However, servers may
maintain and use per-client state information to reduce the number of
messages generated and the size of such messages.
A synchronization mechanism can be considered overly chatty when
synchronization traffic is not reasonably bounded. The Sync
Operation traffic is bounded by the size of updated (or new) entries
and the number of unchanged entries in the content. The operation is
designed to avoid full content exchanges, even when the history
information available to the server is insufficient to determine the
client's state. The operation is also designed to avoid transmission
of out-of-content history information, as its size is not bounded by
the content and it is not always feasible to transmit such history
information due to security reasons.
This document includes a number of non-normative appendices providing
additional information to server implementors.
1.2. Intended Usage
The Sync Operation is intended to be used in applications requiring
eventually-convergent content synchronization. Upon completion of
each synchronization stage of the operation, all information to
construct a synchronized client copy of the content has been provided
to the client or the client has been notified that a complete content
reload is necessary. Except for transient inconsistencies due to
concurrent operation (or other) processing at the server, the client
copy is an accurate reflection of the content held by the server.
Transient inconsistencies will be resolved by subsequent
synchronization operations.
Zeilenga & Choi Experimental [Page 4]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Possible uses include the following:
- White page service applications may use the Sync Operation to
maintain a current copy of a DIT fragment, for example, a mail
user agent that uses the sync operation to maintain a local
copy of an enterprise address book.
- Meta-information engines may use the Sync Operation to maintain
a copy of a DIT fragment.
- Caching proxy services may use the Sync Operation to maintain a
coherent content cache.
- Lightweight master-slave replication between heterogeneous
directory servers. For example, the Sync Operation can be used
by a slave server to maintain a shadow copy of a DIT fragment.
(Note: The International Telephone Union (ITU) has defined the
X.500 Directory [X.500] Information Shadowing Protocol (DISP)
[X.525], which may be used for master-slave replication between
directory servers. Other experimental LDAP replication
protocols also exist.)
This protocol is not intended to be used in applications requiring
transactional data consistency.
As this protocol transfers all visible values of entries belonging to
the content upon change instead of change deltas, this protocol is
not appropriate for bandwidth-challenged applications or deployments.
1.3. Overview
This section provides an overview of basic ways the Sync Operation
can be used to maintain a synchronized client copy of a DIT fragment.
- Polling for changes: refreshOnly mode
- Listening for changes: refreshAndPersist mode
1.3.1. Polling for Changes (refreshOnly)
To obtain its initial client copy, the client issues a Sync request:
a search request with the Sync Request Control with mode set to
refreshOnly. The server, much like it would with a normal search
operation, returns (subject to access controls and other
restrictions) the content matching the search criteria (baseObject,
scope, filter, attributes). Additionally, with each entry returned,
the server provides a Sync State Control indicating state add. This
control contains the Universally Unique Identifier (UUID) [UUID] of
Zeilenga & Choi Experimental [Page 5]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
the entry [RFC4530]. Unlike the Distinguished Name (DN), which may
change over time, an entry's UUID is stable. The initial content is
followed by a SearchResultDone with a Sync Done Control. The Sync
Done Control provides a syncCookie. The syncCookie represents
session state.
To poll for updates to the client copy, the client reissues the Sync
Operation with the syncCookie previously returned. The server, much
as it would with a normal search operation, determines which content
would be returned as if the operation were a normal search operation.
However, using the syncCookie as an indicator of what content the
client was sent previously, the server sends copies of entries that
have changed with a Sync State Control indicating state add. For
each changed entry, all (modified or unmodified) attributes belonging
to the content are sent.
The server may perform either or both of the two distinct
synchronization phases that are distinguished by how to synchronize
entries deleted from the content: the present and the delete phases.
When the server uses a single phase for the refresh stage, each phase
is marked as ended by a SearchResultDone with a Sync Done Control. A
present phase is identified by a FALSE refreshDeletes value in the
Sync Done Control. A delete phase is identified by a TRUE
refreshDeletes value. The present phase may be followed by a delete
phase. The two phases are delimited by a refreshPresent Sync Info
Message having a FALSE refreshDone value. In the case that both the
phases are used, the present phase is used to bring the client copy
up to the state at which the subsequent delete phase can begin.
In the present phase, the server sends an empty entry (i.e., no
attributes) with a Sync State Control indicating state present for
each unchanged entry.
The delete phase may be used when the server can reliably determine
which entries in the prior client copy are no longer present in the
content and the number of such entries is less than or equal to the
number of unchanged entries. In the delete mode, the server sends an
empty entry with a Sync State Control indicating state delete for
each entry that is no longer in the content, instead of returning an
empty entry with state present for each present entry.
The server may send syncIdSet Sync Info Messages containing the set
of UUIDs of either unchanged present entries or deleted entries,
instead of sending multiple individual messages. If refreshDeletes
of syncIdSet is set to FALSE, the UUIDs of unchanged present entries
are contained in the syncUUIDs set; if refreshDeletes of syncIdSet is
set to TRUE, the UUIDs of the entries no longer present in the
content are contained in the syncUUIDs set. An optional cookie can
Zeilenga & Choi Experimental [Page 6]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
be included in the syncIdSet to represent the state of the content
after synchronizing the presence or the absence of the entries
contained in the syncUUIDs set.
The synchronized copy of the DIT fragment is constructed by the
client.
If refreshDeletes of syncDoneValue is FALSE, the new copy includes
all changed entries returned by the reissued Sync Operation, as well
as all unchanged entries identified as being present by the reissued
Sync Operation, but whose content is provided by the previous Sync
Operation. The unchanged entries not identified as being present are
deleted from the client content. They had been either deleted,
moved, or otherwise scoped-out from the content.
If refreshDeletes of syncDoneValue is TRUE, the new copy includes all
changed entries returned by the reissued Sync Operation, as well as
all other entries of the previous copy except for those that are
identified as having been deleted from the content.
The client can, at some later time, re-poll for changes to this
synchronized client copy.
1.3.2. Listening for Changes (refreshAndPersist)
Polling for changes can be expensive in terms of server, client, and
network resources. The refreshAndPersist mode allows for active
updates of changed entries in the content.
By selecting the refreshAndPersist mode, the client requests that the
server send updates of entries that are changed after the initial
refresh content is determined. Instead of sending a SearchResultDone
Message as in polling, the server sends a Sync Info Message to the
client indicating that the refresh stage is complete and then enters
the persist stage. After receipt of this Sync Info Message, the
client will construct a synchronized copy as described in Section
1.3.1.
The server may then send change notifications as the result of the
original Sync search request, which now remains persistent in the
server. For entries to be added to the returned content, the server
sends a SearchResultEntry (with attributes) with a Sync State Control
indicating state add. For entries to be deleted from the content,
the server sends a SearchResultEntry containing no attributes and a
Sync State Control indicating state delete. For entries to be
modified in the return content, the server sends a SearchResultEntry
(with attributes) with a Sync State Control indicating state modify.
Zeilenga & Choi Experimental [Page 7]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Upon modification of an entry, all (modified or unmodified)
attributes belonging to the content are sent.
Note that renaming an entry of the DIT may cause an add state change
where the entry is renamed into the content, a delete state change
where the entry is renamed out of the content, and a modify state
change where the entry remains in the content. Also note that a
modification of an entry of the DIT may cause an add, delete, or
modify state change to the content.
Upon receipt of a change notification, the client updates its copy of
the content.
If the server desires to update the syncCookie during the persist
stage, it may include the syncCookie in any Sync State Control or
Sync Info Message returned.
The operation persists until canceled [RFC3909] by the client or
terminated by the server. A Sync Done Control shall be attached to
SearchResultDone Message to provide a new syncCookie.
1.4. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
Protocol elements are described using ASN.1 [X.680] with implicit
tags. The term "BER-encoded" means the element is to be encoded
using the Basic Encoding Rules [X.690] under the restrictions
detailed in Section 5.1 of [RFC4511].
2. Elements of the Sync Operation
The Sync Operation is defined as an extension to the LDAP Search
Operation [RFC4511] where the directory user agent (DUA or client)
submits a SearchRequest Message with a Sync Request Control and the
directory system agent (DSA or server) responds with zero or more
SearchResultEntry Messages, each with a Sync State Control; zero or
more SearchResultReference Messages, each with a Sync State Control;
zero or more Sync Info Intermediate Response Messages; and a
SearchResultDone Message with a Sync Done Control.
To allow clients to discover support for this operation, servers
implementing this operation SHOULD publish 1.3.6.1.4.1.4203.1.9.1.1
as a value of the 'supportedControl' attribute [RFC4512] of the root
DSA-specific entry (DSE). A server MAY choose to advertise this
extension only when the client is authorized to use it.
Zeilenga & Choi Experimental [Page 8]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
2.1. Common ASN.1 Elements
2.1.1. syncUUID
The syncUUID data type is an OCTET STRING holding a 128-bit
(16-octet) Universally Unique Identifier (UUID) [UUID].
syncUUID ::= OCTET STRING (SIZE(16))
-- constrained to UUID
2.1.2. syncCookie
The syncCookie is a notational convenience to indicate that, while
the syncCookie type is encoded as an OCTET STRING, its value is an
opaque value containing information about the synchronization session
and its state. Generally, the session information would include a
hash of the operation parameters that the server requires not be
changed and the synchronization state information would include a
commit (log) sequence number, a change sequence number, or a time
stamp. For convenience of description, the term "no cookie" refers
either to a null cookie or to a cookie with pre-initialized
synchronization state.
syncCookie ::= OCTET STRING
2.2. Sync Request Control
The Sync Request Control is an LDAP Control [RFC4511] where the
controlType is the object identifier 1.3.6.1.4.1.4203.1.9.1.1 and the
controlValue, an OCTET STRING, contains a BER-encoded
syncRequestValue. The criticality field is either TRUE or FALSE.
syncRequestValue ::= SEQUENCE {
mode ENUMERATED {
-- 0 unused
refreshOnly (1),
-- 2 reserved
refreshAndPersist (3)
},
cookie syncCookie OPTIONAL,
reloadHint BOOLEAN DEFAULT FALSE
}
The Sync Request Control is only applicable to the SearchRequest
Message.
Zeilenga & Choi Experimental [Page 9]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
2.3. Sync State Control
The Sync State Control is an LDAP Control [RFC4511] where the
controlType is the object identifier 1.3.6.1.4.1.4203.1.9.1.2 and the
controlValue, an OCTET STRING, contains a BER-encoded syncStateValue.
The criticality is FALSE.
syncStateValue ::= SEQUENCE {
state ENUMERATED {
present (0),
add (1),
modify (2),
delete (3)
},
entryUUID syncUUID,
cookie syncCookie OPTIONAL
}
The Sync State Control is only applicable to SearchResultEntry and
SearchResultReference Messages.
2.4. Sync Done Control
The Sync Done Control is an LDAP Control [RFC4511] where the
controlType is the object identifier 1.3.6.1.4.1.4203.1.9.1.3 and the
controlValue contains a BER-encoded syncDoneValue. The criticality
is FALSE (and hence absent).
syncDoneValue ::= SEQUENCE {
cookie syncCookie OPTIONAL,
refreshDeletes BOOLEAN DEFAULT FALSE
}
The Sync Done Control is only applicable to the SearchResultDone
Message.
Zeilenga & Choi Experimental [Page 10]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
2.5. Sync Info Message
The Sync Info Message is an LDAP Intermediate Response Message
[RFC4511] where responseName is the object identifier
1.3.6.1.4.1.4203.1.9.1.4 and responseValue contains a BER-encoded
syncInfoValue. The criticality is FALSE (and hence absent).
syncInfoValue ::= CHOICE {
newcookie [0] syncCookie,
refreshDelete [1] SEQUENCE {
cookie syncCookie OPTIONAL,
refreshDone BOOLEAN DEFAULT TRUE
},
refreshPresent [2] SEQUENCE {
cookie syncCookie OPTIONAL,
refreshDone BOOLEAN DEFAULT TRUE
},
syncIdSet [3] SEQUENCE {
cookie syncCookie OPTIONAL,
refreshDeletes BOOLEAN DEFAULT FALSE,
syncUUIDs SET OF syncUUID
}
}
2.6. Sync Result Codes
The following LDAP resultCode [RFC4511] is defined:
e-syncRefreshRequired (4096)
3. Content Synchronization
The Sync Operation is invoked when the client sends a SearchRequest
Message with a Sync Request Control.
The absence of a cookie or an initialized synchronization state in a
cookie indicates a request for initial content, while the presence of
a cookie representing a state of a client copy indicates a request
for a content update. Synchronization Sessions are discussed in
Section 3.1. Content Determination is discussed in Section 3.2.
The mode is either refreshOnly or refreshAndPersist. The refreshOnly
and refreshAndPersist modes are discussed in Sections 3.3 and 3.4,
respectively. The refreshOnly mode consists only of a refresh stage,
while the refreshAndPersist mode consists of a refresh stage and a
subsequent persist stage.
Zeilenga & Choi Experimental [Page 11]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
3.1. Synchronization Session
A sequence of Sync Operations where the last cookie returned by the
server for one operation is provided by the client in the next
operation is said to belong to the same Synchronization Session.
The client MUST specify the same content-controlling parameters (see
Section 3.5) in each Search Request of the session. The client
SHOULD also issue each Sync request of a session under the same
authentication and authorization associations with equivalent
integrity and protections. If the server does not recognize the
request cookie or the request is made under different associations or
non-equivalent protections, the server SHALL return the initial
content as if no cookie had been provided or return an empty content
with the e-syncRefreshRequired LDAP result code. The decision
between the return of the initial content and the return of the empty
content with the e-syncRefreshRequired result code MAY be based on
reloadHint in the Sync Request Control from the client. If the
server recognizes the request cookie as representing empty or initial
synchronization state of the client copy, the server SHALL return the
initial content.
A Synchronization Session may span multiple LDAP sessions between the
client and the server. The client SHOULD issue each Sync request of
a session to the same server. (Note: Shadowing considerations are
discussed in Section 6.)
3.2. Content Determination
The content to be provided is determined by parameters of the Search
Request, as described in [RFC4511], and possibly other controls. The
same content parameters SHOULD be used in each Sync request of a
session. If different content is requested and the server is
unwilling or unable to process the request, the server SHALL return
the initial content as if no cookie had been provided or return an
empty content with the e-syncRefreshRequired LDAP result code. The
decision between the return of the initial content and the return of
the empty content with the e-syncRefreshRequired result code MAY be
based on reloadHint in the Sync Request Control from the client.
The content may not necessarily include all entries or references
that would be returned by a normal search operation, nor, for those
entries included, all attributes returned by a normal search. When
the server is unwilling or unable to provide synchronization for any
attribute for a set of entries, the server MUST treat all filter
components matching against these attributes as Undefined and MUST
NOT return these attributes in SearchResultEntry responses.
Zeilenga & Choi Experimental [Page 12]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Servers SHOULD support synchronization for all non-collective user-
application attributes for all entries.
The server may also return continuation references to other servers
or to itself. The latter is allowed as the server may partition the
entries it holds into separate synchronization contexts.
The client may chase all or some of these continuations, each as a
separate content synchronization session.
3.3. refreshOnly Mode
A Sync request with mode refreshOnly and with no cookie is a poll for
initial content. A Sync request with mode refreshOnly and with a
cookie representing a synchronization state is a poll for content
update.
3.3.1. Initial Content Poll
Upon receipt of the request, the server provides the initial content
using a set of zero or more SearchResultEntry and
SearchResultReference Messages followed by a SearchResultDone
Message.
Each SearchResultEntry Message SHALL include a Sync State Control of
state add, an entryUUID containing the entry's UUID, and no cookie.
Each SearchResultReference Message SHALL include a Sync State Control
of state add, an entryUUID containing the UUID associated with the
reference (normally the UUID of the associated named referral
[RFC3296] object), and no cookie. The SearchResultDone Message SHALL
include a Sync Done Control having refreshDeletes set to FALSE.
A resultCode value of success indicates that the operation
successfully completed. Otherwise, the result code indicates the
nature of the failure. The server may return e-syncRefreshRequired
result code on the initial content poll if it is safe to do so when
it is unable to perform the operation due to various reasons.
reloadHint is set to FALSE in the SearchRequest Message requesting
the initial content poll.
If the operation is successful, a cookie representing the
synchronization state of the current client copy SHOULD be returned
for use in subsequent Sync Operations.
3.3.2. Content Update Poll
Upon receipt of the request, the server provides the content refresh
using a set of zero or more SearchResultEntry and
Zeilenga & Choi Experimental [Page 13]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
SearchResultReference Messages followed by a SearchResultDone
Message.
The server is REQUIRED to:
a) provide the sequence of messages necessary for eventual
convergence of the client's copy of the content to the server's
copy,
b) treat the request as an initial content request (e.g., ignore
the cookie or the synchronization state represented in the
cookie),
c) indicate that the incremental convergence is not possible by
returning e-syncRefreshRequired,
d) return a resultCode other than success or e-
syncRefreshRequired.
A Sync Operation may consist of a single present phase, a single
delete phase, or a present phase followed by a delete phase.
In each phase, for each entry or reference that has been added to the
content or been changed since the previous Sync Operation indicated
by the cookie, the server returns a SearchResultEntry or
SearchResultReference Message, respectively, each with a Sync State
Control consisting of state add, an entryUUID containing the UUID of
the entry or reference, and no cookie. Each SearchResultEntry
Message represents the current state of a changed entry. Each
SearchResultReference Message represents the current state of a
changed reference.
In the present phase, for each entry that has not been changed since
the previous Sync Operation, an empty SearchResultEntry is returned
whose objectName reflects the entry's current DN, whose attributes
field is empty, and whose Sync State Control consists of state
present, an entryUUID containing the UUID of the entry, and no
cookie. For each reference that has not been changed since the
previous Sync Operation, an empty SearchResultReference containing an
empty SEQUENCE OF LDAPURL is returned with a Sync State Control
consisting of state present, an entryUUID containing the UUID of the
entry, and no cookie. No messages are sent for entries or references
that are no longer in the content.
Multiple empty entries with a Sync State Control of state present
SHOULD be coalesced into one or more Sync Info Messages of syncIdSet
value with refreshDeletes set to FALSE. syncUUIDs contain a set of
UUIDs of the entries and references unchanged since the last Sync
Zeilenga & Choi Experimental [Page 14]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Operation. syncUUIDs may be empty. The Sync Info Message of
syncIdSet may contain a cookie to represent the state of the content
after performing the synchronization of the entries in the set.
In the delete phase, for each entry no longer in the content, the
server returns a SearchResultEntry whose objectName reflects a past
DN of the entry or is empty, whose attributes field is empty, and
whose Sync State Control consists of state delete, an entryUUID
containing the UUID of the deleted entry, and no cookie. For each
reference no longer in the content, a SearchResultReference
containing an empty SEQUENCE OF LDAPURL is returned with a Sync State
Control consisting of state delete, an entryUUID containing the UUID
of the deleted reference, and no cookie.
Multiple empty entries with a Sync State Control of state delete
SHOULD be coalesced into one or more Sync Info Messages of syncIdSet
value with refreshDeletes set to TRUE. syncUUIDs contain a set of
UUIDs of the entries and references that have been deleted from the
content since the last Sync Operation. syncUUIDs may be empty. The
Sync Info Message of syncIdSet may contain a cookie to represent the
state of the content after performing the synchronization of the
entries in the set.
When a present phase is followed by a delete phase, the two phases
are delimited by a Sync Info Message containing syncInfoValue of
refreshPresent, which may contain a cookie representing the state
after completing the present phase. The refreshPresent contains
refreshDone, which is always FALSE in the refreshOnly mode of Sync
Operation because it is followed by a delete phase.
If a Sync Operation consists of a single phase, each phase and hence
the Sync Operation are marked as ended by a SearchResultDone Message
with Sync Done Control, which SHOULD contain a cookie representing
the state of the content after completing the Sync Operation. The
Sync Done Control contains refreshDeletes, which is set to FALSE for
the present phase and set to TRUE for the delete phase.
If a Sync Operation consists of a present phase followed by a delete
phase, the Sync Operation is marked as ended at the end of the delete
phase by a SearchResultDone Message with Sync Done Control, which
SHOULD contain a cookie representing the state of the content after
completing the Sync Operation. The Sync Done Control contains
refreshDeletes, which is set to TRUE.
The client can specify whether it prefers to receive an initial
content by supplying reloadHint of TRUE or to receive a e-
syncRefreshRequired resultCode by supplying reloadHint of FALSE
(hence absent), in the case that the server determines that it is
Zeilenga & Choi Experimental [Page 15]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
impossible or inefficient to achieve the eventual convergence by
continuing the current incremental synchronization thread.
A resultCode value of success indicates that the operation is
successfully completed. A resultCode value of e-syncRefreshRequired
indicates that a full or partial refresh is needed. Otherwise, the
result code indicates the nature of failure. A cookie is provided in
the Sync Done Control for use in subsequent Sync Operations for
incremental synchronization.
3.4. refreshAndPersist Mode
A Sync request with mode refreshAndPersist asks for initial content
or content update (during the refresh stage) followed by change
notifications (during the persist stage).
3.4.1. refresh Stage
The content refresh is provided as described in Section 3.3, except
that the successful completion of content refresh is indicated by
sending a Sync Info Message of refreshDelete or refreshPresent with a
refreshDone value set to TRUE instead of a SearchResultDone Message
with resultCode success. A cookie SHOULD be returned in the Sync
Info Message to represent the state of the content after finishing
the refresh stage of the Sync Operation.
3.4.2. persist Stage
Change notifications are provided during the persist stage.
As updates are made to the DIT, the server notifies the client of
changes to the content. DIT updates may cause entries and references
to be added to the content, deleted from the content, or modified
within the content. DIT updates may also cause references to be
added, deleted, or modified within the content.
Where DIT updates cause an entry to be added to the content, the
server provides a SearchResultEntry Message that represents the entry
as it appears in the content. The message SHALL include a Sync State
Control with state of add, an entryUUID containing the entry's UUID,
and an optional cookie.
Where DIT updates cause a reference to be added to the content, the
server provides a SearchResultReference Message that represents the
reference in the content. The message SHALL include a Sync State
Control with state of add, an entryUUID containing the UUID
associated with the reference, and an optional cookie.
Zeilenga & Choi Experimental [Page 16]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Where DIT updates cause an entry to be modified within the content,
the server provides a SearchResultEntry Message that represents the
entry as it appears in the content. The message SHALL include a Sync
State Control with state of modify, an entryUUID containing the
entry's UUID, and an optional cookie.
Where DIT updates cause a reference to be modified within the
content, the server provides a SearchResultReference Message that
represents the reference in the content. The message SHALL include a
Sync State Control with state of modify, an entryUUID containing the
UUID associated with the reference, and an optional cookie.
Where DIT updates cause an entry to be deleted from the content, the
server provides a SearchResultEntry Message with no attributes. The
message SHALL include a Sync State Control with state of delete, an
entryUUID containing the entry's UUID, and an optional cookie.
Where DIT updates cause a reference to be deleted from the content,
the server provides a SearchResultReference Message with an empty
SEQUENCE OF LDAPURL. The message SHALL include a Sync State Control
with state of delete, an entryUUID containing the UUID associated
with the reference, and an optional cookie.
Multiple empty entries with a Sync State Control of state delete
SHOULD be coalesced into one or more Sync Info Messages of syncIdSet
value with refreshDeletes set to TRUE. syncUUIDs contain a set of
UUIDs of the entries and references that have been deleted from the
content. The Sync Info Message of syncIdSet may contain a cookie to
represent the state of the content after performing the
synchronization of the entries in the set.
With each of these messages, the server may provide a new cookie to
be used in subsequent Sync Operations. Additionally, the server may
also return Sync Info Messages of choice newCookie to provide a new
cookie. The client SHOULD use the newest (last) cookie it received
from the server in subsequent Sync Operations.
3.5. Search Request Parameters
As stated in Section 3.1, the client SHOULD specify the same
content-controlling parameters in each Search Request of the session.
All fields of the SearchRequest Message are considered content-
controlling parameters except for sizeLimit and timeLimit.
Zeilenga & Choi Experimental [Page 17]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
3.5.1. baseObject
As with the normal search operation, the refresh and persist stages
are not isolated from DIT changes. It is possible that the entry
referred to by the baseObject is deleted, renamed, or moved. It is
also possible that the alias object used in finding the entry
referred to by the baseObject is changed such that the baseObject
refers to a different entry.
If the DIT is updated during processing of the Sync Operation in a
manner that causes the baseObject no longer to refer to any entry or
in a manner that changes the entry the baseObject refers to, the
server SHALL return an appropriate non-success result code, such as
noSuchObject, aliasProblem, aliasDereferencingProblem, referral, or
e-syncRefreshRequired.
3.5.2. derefAliases
This operation does not support alias dereferencing during searching.
The client SHALL specify neverDerefAliases or derefFindingBaseObj for
the SearchRequest derefAliases parameter. The server SHALL treat
other values (e.g., derefInSearching, derefAlways) as protocol
errors.
3.5.3. sizeLimit
The sizeLimit applies only to entries (regardless of their state in
Sync State Control) returned during the refreshOnly operation or the
refresh stage of the refreshAndPersist operation.
3.5.4. timeLimit
For a refreshOnly Sync Operation, the timeLimit applies to the whole
operation. For a refreshAndPersist operation, the timeLimit applies
only to the refresh stage including the generation of the Sync Info
Message with a refreshDone value of TRUE.
3.5.5. filter
The client SHOULD avoid filter assertions that apply to the values of
the attributes likely to be considered by the server as ones holding
meta-information. See Section 4.
3.6. objectName
The Sync Operation uses entryUUID values provided in the Sync State
Control as the primary keys to entries. The client MUST use these
entryUUIDs to correlate synchronization messages.
Zeilenga & Choi Experimental [Page 18]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
In some circumstances, the DN returned may not reflect the entry's
current DN. In particular, when the entry is being deleted from the
content, the server may provide an empty DN if the server does not
wish to disclose the entry's current DN (or, if deleted from the DIT,
the entry's last DN).
Also note that the entry's DN may be viewed as meta information (see
Section 4.1).
3.7. Canceling the Sync Operation
Servers MUST implement the LDAP Cancel [RFC3909] Operation and
support cancellation of outstanding Sync Operations as described
here.
To cancel an outstanding Sync Operation, the client issues an LDAP
Cancel [RFC3909] Operation.
If at any time the server becomes unwilling or unable to continue
processing a Sync Operation, the server SHALL return a
SearchResultDone with a non-success resultCode indicating the reason
for the termination of the operation.
Whether the client or the server initiated the termination, the
server may provide a cookie in the Sync Done Control for use in
subsequent Sync Operations.
3.8. Refresh Required
In order to achieve the eventually-convergent synchronization, the
server may terminate the Sync Operation in the refresh or persist
stages by returning an e-syncRefreshRequired resultCode to the
client. If no cookie is provided, a full refresh is needed. If a
cookie representing a synchronization state is provided in this
response, an incremental refresh is needed.
To obtain a full refresh, the client then issues a new
synchronization request with no cookie. To obtain an incremental
reload, the client issues a new synchronization with the provided
cookie.
The server may choose to provide a full copy in the refresh stage
(e.g., ignore the cookie or the synchronization state represented in
the cookie) instead of providing an incremental refresh in order to
achieve the eventual convergence.
Zeilenga & Choi Experimental [Page 19]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
The decision between the return of the initial content and the return
of the e-syncRefreshRequired result code may be based on reloadHint
in the Sync Request Control from the client.
In the case of persist stage Sync, the server returns the resultCode
of e-syncRefreshRequired to the client to indicate that the client
needs to issue a new Sync Operation in order to obtain a synchronized
copy of the content. If no cookie is provided, a full refresh is
needed. If a cookie representing a synchronization state is
provided, an incremental refresh is needed.
The server may also return e-syncRefreshRequired if it determines
that a refresh would be more efficient than sending all the messages
required for convergence.
Note that the client may receive one or more of SearchResultEntry,
SearchResultReference, and/or Sync Info Messages before it receives a
SearchResultDone Message with the e-syncRefreshRequired result code.
3.9. Chattiness Considerations
The server MUST ensure that the number of entry messages generated to
refresh the client content does not exceed the number of entries
presently in the content. While there is no requirement for servers
to maintain history information, if the server has sufficient history
to allow it to reliably determine which entries in the prior client
copy are no longer present in the content and the number of such
entries is less than or equal to the number of unchanged entries, the
server SHOULD generate delete entry messages instead of present entry
messages (see Section 3.3.2).
When the amount of history information maintained in the server is
not enough for the clients to perform infrequent refreshOnly Sync
Operations, it is likely that the server has incomplete history
information (e.g., due to truncation) by the time those clients
connect again.
The server SHOULD NOT resort to full reload when the history
information is not enough to generate delete entry messages. The
server SHOULD generate either present entry messages only or present
entry messages followed by delete entry messages to bring the client
copy to the current state. In the latter case, the present entry
messages bring the client copy to a state covered by the history
information maintained in the server.
The server SHOULD maintain enough (current or historical) state
information (such as a context-wide last modify time stamp) to
determine if no changes were made in the context since the content
Zeilenga & Choi Experimental [Page 20]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
refresh was provided and, when no changes were made, generate zero
delete entry messages instead of present messages.
The server SHOULD NOT use the history information when its use does
not reduce the synchronization traffic or when its use can expose
sensitive information not allowed to be received by the client.
The server implementor should also consider chattiness issues that
span multiple Sync Operations of a session. As noted in Section 3.8,
the server may return e-syncRefreshRequired if it determines that a
reload would be more efficient than continuing under the current
operation. If reloadHint in the Sync Request is TRUE, the server may
initiate a reload without directing the client to request a reload.
The server SHOULD transfer a new cookie frequently to avoid having to
transfer information already provided to the client. Even where DIT
changes do not cause content synchronization changes to be
transferred, it may be advantageous to provide a new cookie using a
Sync Info Message. However, the server SHOULD avoid overloading the
client or network with Sync Info Messages.
During persist mode, the server SHOULD coalesce multiple outstanding
messages updating the same entry. The server MAY delay generation of
an entry update in anticipation of subsequent changes to that entry
that could be coalesced. The length of the delay should be long
enough to allow coalescing of update requests issued back to back but
short enough that the transient inconsistency induced by the delay is
corrected in a timely manner.
The server SHOULD use the syncIdSet Sync Info Message when there are
multiple delete or present messages to reduce the amount of
synchronization traffic.
Also note that there may be many clients interested in a particular
directory change, and that servers attempting to service all of these
at once may cause congestion on the network. The congestion issues
are magnified when the change requires a large transfer to each
interested client. Implementors and deployers of servers should take
steps to prevent and manage network congestion.
3.10. Operation Multiplexing
The LDAP protocol model [RFC4511] allows operations to be multiplexed
over a single LDAP session. Clients SHOULD NOT maintain multiple
LDAP sessions with the same server. Servers SHOULD ensure that
responses from concurrently processed operations are interleaved
fairly.
Zeilenga & Choi Experimental [Page 21]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Clients SHOULD combine Sync Operations whose result set is largely
overlapping. This avoids having to return multiple messages, once
for each overlapping session, for changes to entries in the overlap.
Clients SHOULD NOT combine Sync Operations whose result sets are
largely non-overlapping. This ensures that an event requiring an
e-syncRefreshRequired response can be limited to as few result sets
as possible.
4. Meta Information Considerations
4.1. Entry DN
As an entry's DN is constructed from its relative DN (RDN) and the
entry's parent's DN, it is often viewed as meta information.
While renaming or moving to a new superior causes the entry's DN to
change, that change SHOULD NOT, by itself, cause synchronization
messages to be sent for that entry. However, if the renaming or the
moving could cause the entry to be added or deleted from the content,
appropriate synchronization messages should be generated to indicate
this to the client.
When a server treats the entry's DN as meta information, the server
SHALL either
- evaluate all MatchingRuleAssertions [RFC4511] to TRUE if
matching a value of an attribute of the entry, otherwise
Undefined, or
- evaluate all MatchingRuleAssertion with dnAttributes of TRUE as
Undefined.
The latter choice is offered for ease of server implementation.
4.2. Operational Attributes
Where values of an operational attribute are determined by values not
held as part of the entry it appears in, the operational attribute
SHOULD NOT support synchronization of that operational attribute.
For example, in servers that implement the X.501 subschema model
[X.501], servers should not support synchronization of the
subschemaSubentry attribute as its value is determined by values held
and administrated in subschema subentries.
Zeilenga & Choi Experimental [Page 22]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
As a counter example, servers that implement aliases [RFC4512][X.501]
can support synchronization of the aliasedObjectName attribute as its
values are held and administrated as part of the alias entries.
Servers SHOULD support synchronization of the following operational
attributes: createTimestamp, modifyTimestamp, creatorsName,
modifiersName [RFC4512]. Servers MAY support synchronization of
other operational attributes.
4.3. Collective Attributes
A collective attribute is "a user attribute whose values are the same
for each member of an entry collection" [X.501]. Use of collective
attributes in LDAP is discussed in [RFC3671].
Modification of a collective attribute generally affects the content
of multiple entries, which are the members of the collection. It is
inefficient to include values of collective attributes visible in
entries of the collection, as a single modification of a collective
attribute requires transmission of multiple SearchResultEntry (one
for each entry of the collection that the modification affected).
Servers SHOULD NOT synchronize collective attributes appearing in
entries of any collection. Servers MAY support synchronization of
collective attributes appearing in collective attribute subentries.
4.4. Access and Other Administrative Controls
Entries are commonly subject to access and other administrative
Controls. While portions of the policy information governing a
particular entry may be held in the entry, policy information is
often held elsewhere (in superior entries, in subentries, in the root
DSE, in configuration files, etc.). Because of this, changes to
policy information make it difficult to ensure eventual convergence
during incremental synchronization.
Where it is impractical or infeasible to generate content changes
resulting from a change to policy information, servers may opt to
return e-syncRefreshRequired or to treat the Sync Operation as an
initial content request (e.g., ignore the cookie or the
synchronization state represented in the cookie).
5. Interaction with Other Controls
The Sync Operation may be used with:
- ManageDsaIT Control [RFC3296]
Zeilenga & Choi Experimental [Page 23]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
- Subentries Control [RFC3672]
as described below. The Sync Operation may be used with other LDAP
extensions as detailed in other documents.
5.1. ManageDsaIT Control
The ManageDsaIT Control [RFC3296] indicates that the operation acts
upon the DSA Information Tree and causes referral and other special
entries to be treated as object entries with respect to the
operation.
5.2. Subentries Control
The Subentries Control is used with the search operation "to control
the visibility of entries and subentries which are within scope"
[RFC3672]. When used with the Sync Operation, the subentries control
and other factors (search scope, filter, etc.) are used to determine
whether an entry or subentry appears in the content.
6. Shadowing Considerations
As noted in [RFC4511], some servers may hold shadow copies of entries
that can be used to answer search and comparison queries. Such
servers may also support content synchronization requests. This
section discusses considerations for implementors and deployers for
the implementation and deployment of the Sync operation in shadowed
directories.
While a client may know of multiple servers that are equally capable
of being used to obtain particular directory content from, a client
SHOULD NOT assume that each of these servers is equally capable of
continuing a content synchronization session. As stated in Section
3.1, the client SHOULD issue each Sync request of a Sync session to
the same server.
However, through domain naming or IP address redirection or other
techniques, multiple physical servers can be made to appear as one
logical server to a client. Only servers that are equally capable in
regards to their support for the Sync operation and that hold equally
complete copies of the entries should be made to appear as one
logical server. In particular, each physical server acting as one
logical server SHOULD be equally capable of continuing a content
synchronization based upon cookies provided by any of the other
physical servers without requiring a full reload. Because there is
no standard LDAP shadowing mechanism, the specification of how to
independently implement equally capable servers (as well as the
precise definition of "equally capable") is left to future documents.
Zeilenga & Choi Experimental [Page 24]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Note that it may be difficult for the server to reliably determine
what content was provided to the client by another server, especially
in the shadowing environments that allow shadowing events to be
coalesced. For these servers, the use of the delete phase discussed
in Section 3.3.2 may not be applicable.
7. Security Considerations
In order to maintain a synchronized copy of the content, a client is
to delete information from its copy of the content as described
above. However, the client may maintain knowledge of information
disclosed to it by the server separate from its copy of the content
used for synchronization. Management of this knowledge is beyond the
scope of this document. Servers should be careful not to disclose
information for content the client is not authorized to have
knowledge of and/or about.
While the information provided by a series of refreshOnly Sync
Operations is similar to that provided by a series of Search
Operations, persist stage may disclose additional information. A
client may be able to discern information about the particular
sequence of update operations that caused content change.
Implementors should take precautions against malicious cookie
content, including malformed cookies or valid cookies used with
different security associations and/or protections in an attempt to
obtain unauthorized access to information. Servers may include a
digital signature in the cookie to detect tampering.
The operation may be the target of direct denial-of-service attacks.
Implementors should provide safeguards to ensure the operation is not
abused. Servers may place access control or other restrictions upon
the use of this operation.
Note that even small updates to the directory may cause a significant
amount of traffic to be generated to clients using this operation. A
user could abuse its update privileges to mount an indirect denial of
service to these clients, other clients, and/or portions of the
network. Servers should provide safeguards to ensure that update
operations are not abused.
Implementors of this (or any) LDAP extension should be familiar with
general LDAP security considerations [RFC4510].
Zeilenga & Choi Experimental [Page 25]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
8. IANA Considerations
Registration of the following values have been completed by the IANA
[RFC4520].
8.1. Object Identifier
The OID arc 1.3.6.1.4.1.4203.1.9.1 was assigned [ASSIGN] by the
OpenLDAP Foundation, under its IANA-assigned private enterprise
allocation [PRIVATE], for use in this specification.
8.2. LDAP Protocol Mechanism
The IANA has registered the LDAP Protocol Mechanism described in this
document.
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: 1.3.6.1.4.1.4203.1.9.1.1
Description: LDAP Content Synchronization Control
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Control
Specification: RFC 4533
Author/Change Controller: Kurt D. Zeilenga, Jong Hyuk Choi
Comments: none
8.3. LDAP Result Codes
The IANA has registered the LDAP Result Code described in this
document.
Subject: LDAP Result Code Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Result Code Name: e-syncRefreshRequired (4096)
Specification: RFC 4533
Author/Change Controller: Kurt D. Zeilenga, Jong Hyuk Choi
Comments: none
9. Acknowledgements
This document borrows significantly from the LDAP Client Update
Protocol [RFC3928], a product of the IETF LDUP working group. This
document also benefited from Persistent Search [PSEARCH], Triggered
Search [TSEARCH], and Directory Synchronization [DIRSYNC] works.
This document also borrows from "Lightweight Directory Access
Protocol (v3)" [RFC2251].
Zeilenga & Choi Experimental [Page 26]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
10. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3296] Zeilenga, K., "Named Subordinate References in
Lightweight Directory Access Protocol (LDAP)
Directories", RFC 3296, July 2002.
[RFC3671] Zeilenga, K., "Collective Attributes in the Lightweight
Directory Access Protocol (LDAP)", RFC 3671, December
2003.
[RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory
Access Protocol (LDAP)", RFC 3672, December 2003.
[RFC3909] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP) Cancel Operation", RFC 3909, October 2004.
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
(LDAP): Technical Specification Road Map", RFC 4510, June
2006.
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
Protocol (LDAP): The Protocol", RFC 4511, June 2006.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512, June
2006.
[RFC4530] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP) entryUUID Operational Attribute", RFC 4530, June
2006.
[UUID] International Organization for Standardization (ISO),
"Information technology - Open Systems Interconnection -
Remote Procedure Call", ISO/IEC 11578:1996
[X.501] International Telecommunication Union - Telecommunication
Standardization Sector, "The Directory -- Models,"
X.501(1993) (also ISO/IEC 9594-2:1994).
[X.680] International Telecommunication Union - Telecommunication
Standardization Sector, "Abstract Syntax Notation One
(ASN.1) - Specification of Basic Notation", X.680(1997)
(also ISO/IEC 8824-1:1998).
Zeilenga & Choi Experimental [Page 27]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
[X.690] International Telecommunication Union - Telecommunication
Standardization Sector, "Specification of ASN.1 encoding
rules: Basic Encoding Rules (BER), Canonical Encoding
Rules (CER), and Distinguished Encoding Rules (DER)",
X.690(1997) (also ISO/IEC 8825-1:1998).
11. Informative References
[RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.
[RFC3928] Megginson, R., Ed., Smith, M., Natkovich, O., and J.
Parham, "Lightweight Directory Access Protocol (LDAP)
Client Update Protocol (LCUP)", RFC 3928, October 2004.
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
Considerations for the Lightweight Directory Access
Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
[PRIVATE] IANA, "Private Enterprise Numbers",
http://www.iana.org/assignments/enterprise-numbers.
[ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
http://www.openldap.org/foundation/oid-delegate.txt.
[X.500] International Telecommunication Union - Telecommunication
Standardization Sector, "The Directory -- Overview of
concepts, models and services," X.500(1993) (also ISO/IEC
9594-1:1994).
[X.525] International Telecommunication Union - Telecommunication
Standardization Sector, "The Directory: Replication",
X.525(1993).
[DIRSYNC] Armijo, M., "Microsoft LDAP Control for Directory
Synchronization", Work in Progress.
[PSEARCH] Smith, M., et al., "Persistent Search: A Simple LDAP
Change Notification Mechanism", Work in Progress.
[TSEARCH] Wahl, M., "LDAPv3 Triggered Search Control", Work in
Progress.
Zeilenga & Choi Experimental [Page 28]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Appendix A. CSN-based Implementation Considerations
This appendix is provided for informational purposes only; it is not
a normative part of the LDAP Content Synchronization Operation's
technical specification.
This appendix discusses LDAP Content Synchronization Operation server
implementation considerations associated with Change Sequence Number
based approaches.
Change Sequence Number based approaches are targeted for use in
servers that do not maintain history information (e.g., change logs,
state snapshots) about changes made to the Directory and hence, must
rely on current directory state and minimal synchronization state
information embedded in Sync Cookie. Servers that maintain history
information should consider other approaches that exploit the history
information.
A Change Sequence Number is effectively a time stamp that has
sufficient granularity to ensure that the precedence relationship in
time of two updates to the same object can be determined. Change
Sequence Numbers are not to be confused with Commit Sequence Numbers
or Commit Log Record Numbers. A Commit Sequence Number allows one to
determine how two commits (to the same object or different objects)
relate to each other in time. A Change Sequence Number associated
with different entries may be committed out of order. In the
remainder of this Appendix, the term CSN refers to a Change Sequence
Number.
In these approaches, the server not only maintains a CSN for each
directory entry (the entry CSN) but also maintains a value that we
will call the context CSN. The context CSN is the greatest committed
entry CSN that is not greater than any outstanding (uncommitted)
entry CSNs for all entries in a directory context. The values of
context CSN are used in syncCookie values as synchronization state
indicators.
As search operations are not isolated from individual directory
update operations and individual update operations cannot be assumed
to be serialized, one cannot assume that the returned content
incorporates each relevant change whose change sequence number is
less than or equal to the greatest entry CSN in the content. The
content incorporates all the relevant changes whose change sequence
numbers are less than or equal to context CSN before search
processing. The content may also incorporate any subset of the
changes whose change sequence number is greater than context CSN
before search processing but less than or equal to the context CSN
after search processing. The content does not incorporate any of the
Zeilenga & Choi Experimental [Page 29]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
changes whose CSN is greater than the context CSN after search
processing.
A simple server implementation could use the value of the context CSN
before search processing to indicate state. Such an implementation
would embed this value into each SyncCookie returned. We'll call
this the cookie CSN. When a refresh was requested, the server would
simply generate "update" messages for all entries in the content
whose CSN is greater than the supplied cookie CSN and generate
"present" messages for all other entries in the content. However, if
the current context CSN is the same as the cookie CSN, the server
should instead generate zero "updates" and zero "delete" messages and
indicate a refreshDeletes of TRUE, as the directory has not changed.
The implementation should also consider the impact of changes to meta
information, such as access controls, that affect content
determination. One approach is for the server to maintain a
context-wide meta information CSN or meta CSN. This meta CSN would
be updated whenever meta information affecting content determination
was changed. If the value of the meta CSN is greater than the cookie
CSN, the server should ignore the cookie and treat the request as an
initial request for content.
Additionally, servers may want to consider maintaining some per-
session history information to reduce the number of messages needed
to be transferred during incremental refreshes. Specifically, a
server could record information about entries as they leave the scope
of a disconnected sync session and later use this information to
generate delete messages instead of present messages.
When the history information is truncated, the CSN of the latest
truncated history information entry may be recorded as the truncated
CSN of the history information. The truncated CSN may be used to
determine whether a client copy can be covered by the history
information by comparing it to the synchronization state contained in
the cookie supplied by the client.
When there is a large number of sessions, it may make sense to
maintain such history only for the selected clients. Also, servers
taking this approach need to consider resource consumption issues to
ensure reasonable server operation and to protect against abuse. It
may be appropriate to restrict this mode of operation by policy.
Zeilenga & Choi Experimental [Page 30]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Authors' Addresses
Kurt D. Zeilenga
OpenLDAP Foundation
EMail: Kurt@OpenLDAP.org
Jong Hyuk Choi
IBM Corporation
EMail: jongchoi@us.ibm.com
Zeilenga & Choi Experimental [Page 31]
^L
RFC 4533 LDAP Content Synchronization Operation June 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78 and at www.rfc-editor.org/copyright.html, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Zeilenga & Choi Experimental [Page 32]
^L
|