Network Working Group                                            M. Wahl
INTERNET-DRAFT                                          ISODE Consortium
Obsoletes: RFC 1777, RFC 1798                                   T. Howes
                                                  University of Michigan
                                                                S. Kille
                                                        ISODE Consortium
Expires in six months from                              23 February 1996
Intended Category: Standards Track


                  Lightweight Directory Access Protocol (v3)
                  <draft-ietf-asid-ldapv3-protocol-00.txt>



1.  Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas, and
   its working groups.  Note that other groups may also distribute working
   documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing  contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

2.  Abstract

   The protocol described in this document is designed to provide access
   to X.500 Directories while not incurring the resource requirements
   of the Directory Access Protocol (DAP). This protocol is specifically
   targeted at management applications and browser applications that
   provide read/write interactive access to the X.500 Directory, and
   is intended to be a complement to the DAP itself.

   Key aspects of this version of LDAP are:

   - All protocol elements of LDAP (RFC 1777) and CLDAP (RFC 1798) are
     supported.

   - Protocol elements are carried directly over TCP or other transport,
     bypassing much of the session/presentation overhead.  Connectionless
     transport (UDP) is also supported for efficient lookup operations.

   - If desired, many protocol data elements can be encoded as ordinary
     strings (e.g., Distinguished Names).

   - Important parameters of X.500(1993) DAP can be used.

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   - Referrals to other servers may be returned.

   - The protocol may be extended to support bilaterally-defined
     operations.

   - Several of the service controls may be requested by the client.

3.  Models

   Interest in X.500 [1] technology in the Internet has lead to
   efforts to reduce the high "cost of entry" associated with use of the
   technology.  This document continues the efforts to define Directory
   protocol alternatives: it builds heavily on the LDAP [2] protocol
   specification, and allows support for additional X.500(1993) features.

3.1. Protocol Model

   The general model adopted by this protocol is one of clients
   performing protocol operations against servers. In this model, this
   is accomplished by a client transmitting a protocol request
   describing the operation to be performed to a server, which is then
   responsible for performing the necessary operations on the Directory.
   Upon completion of the necessary operations, the server returns a
   response containing any results or errors to the requesting client.
   In keeping with the goal of easing the costs associated with use of
   the Directory, it is an objective of this protocol to minimize the
   complexity of clients so as to facilitate widespread deployment of
   applications capable of utilizing the Directory.

   Note that, although servers are required to return responses whenever
   such responses are defined in the protocol, there is no requirement
   for synchronous behavior on the part of either client or server
   implementations: requests and responses for multiple operations may
   be exchanged by client and servers in any order, as long as clients
   eventually receive a response for every request that requires one.

   In LDAP versions 1 and 2, no provision was made for protocol servers
   returning referrals to clients.  However, for improved performance and
   distribution this version of the protocol permits servers to return to
   clients referrals to other servers if requested.
   Clients may also request that no referrals be returned, in
   which case the server must ensure that the operation is performed
   against the Directory, or else return an error.

   Note that this protocol can be mapped to a strict subset of the
   directory abstract service, so it can be cleanly provided by the DAP.
   However there is not a one-to-one mapping between LDAP protocol
   operations and DAP operations: some server implementations may need to
   make multiple DAP requests to perform extended operations.

3.2. Data Model

   This section provides a brief introduction to the X.500 data model, as
   used by LDAP.  Schema rules and other features are not described here.


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   The LDAP protocol assumes there is one or more servers which jointly
   provide access to a Directory Information Tree.  The tree is made up of
   entries.  Entries have names: one or more values from the entry itself
   form its relative distinguished name, which must be unique among all
   its siblings.  The concatenation of the relative distinguished names
   of entries, starting from the immediate subordinate of the unnamed
   root of the tree and continuing to a specific entry form's that entry's
   Distinguished Name, which is unique in the tree.  An example of a
   Distinguished Name is
                <CN=Mark Wahl, O=ISODE Consortium, C=GB>

   Entries consist of a set of attributes.  An attribute is a type with
   one or more values associated with that type.  The attribute type is
   an OID (object identifier) which governs the maximum number of values
   permissible for that type in an entry, and the syntax to which the
   values must conform.
   An example of an attribute type is "rfc822Mailbox": the values of this
   attribute must be IA5 strings.

   All the attributes of an entry are mastered together in a single
   server.  Shadow or cached copies of entries may be held in other
   servers, but these cannot be updated directly by users.

3.3. Relationship to X.500

   This document defines LDAP in terms of X.500 as an X.500 access
   mechanism.  An LDAP server should act in accordance with the
   X.500(1993) series of ITU Recommendations when providing the service.
   However, it is not required that an LDAP server make use of any X.500
   protocols in providing this service: e.g. LDAP can be mapped onto any
   other Directory system so long as the X.500 data and service model is
   supported in the LDAP interface.

3.4. Additional server data requirements

   An LDAP server must provide a number of attributes in the root DSE,
   that which is named with the zero-length LDAPDN.  These attributes
   should be retrievable if a client performs a base object search of the
   root.  They should not be included if the client performs a subtree
   search starting from the root.  The server need not allow the client
   to modify these attributes.

   The attributes are as follows:

   - administratorAddress
   This attribute's value is a string containing the RFC 822 address
   of the LDAP server's human administrator.  This information may be of
   use when tracking down problems in a distributed directory.


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   - currentTime
   This attribute's value is a string containing a UTCTime character
   value.  This attribute need only be present if the server supports
   strong or protected simple authentication.  Otherwise if the server
   does not know the current time this attribute should not be present.
   The client may wish to use this field to detect whether a strong or
   protected bind would fail because the client and server clocks are
   not sufficiently synchronized.  Clients should not use this time field
   for setting their own system clock.

   - binaryName
   This attribute's value is the binary ASN.1 encoding of the server's
   Distinguished Name.  If the server does not have a Distinguished Name
   it will not be able to accept strong authentication, and this attribute
   should be absent.

   - path
   This attribute contains a binary encoding of the AF.CertificationPath
   data type, with the certificate path for the server.  If the server
   does not have a certificate path this attribute should be absent.

   - context
   The values of this attribute are the string representations of
   Distinguished Names.  Each value corresponds to a naming context which
   this server masters or shadows.  If the server does not master any
   information (e.g. it is an LDAP gateway to a public X.500 Directory)
   this attribute should be absent.  If the server believes it contains
   the entire Directory, the attribute should have a single value, and
   that value should be the empty string (indicating the null DN of the
   root).

   - altLdapServer
   The values of this attribute are URLs of other LDAP servers which
   may be contacted when this server becomes unavailable.  If the server
   does not know of any other LDAP servers which could be used this
   attribute should be absent.  Clients should cache this information in
   case their preferred LDAP server later becomes unavailable.

   - altX500Server
   The values of this attribute are encoded with the AccessPoint93
   syntax.  They are the access points of X.500 DSAs which could be
   contacted when this server becomes unavailable.  If this server does
   not know of any X.500 DSAs this attribute should be absent.  Clients
   which support DAP should cache this information in case their
   preferred LDAP server later becomes unavailable.

   - supportedExtension
   The values of this attribute are the string representations of
   OBJECT IDENTIFIERs, in the dotted decimal form.  Each value is the
   name of an extended request which this server supports (see section
   4.11).  If the server does not support any extended operations this
   attribute should be absent.

   The ASN.1 type DistinguishedName is defined in [6], and the type
   CertificationPath is defined in [12]. They are included in Appendix B
   for reference.

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

4.  Elements of Protocol

   The LDAP protocol is described using Abstract Syntax Notation 1 [3]. It
   is typically transferred using a subset of the Basic Encoding Rules.
   In order to support future extensions to this protocol, clients and
   servers should ignore elements of SEQUENCEs whose tags they do not
   recognize.

4.1. Common Elements

   This section describes the LDAPMessage envelope PDU format, as well as
   data type definitions which are used in the protocol operations.

4.1.1. Message Envelope

   For the purposes of protocol exchanges, all protocol operations are
   encapsulated in a common envelope, the LDAPMessage, which is defined
   as follows:

        LDAPMessage ::= SEQUENCE {
                messageID       MessageID,
                cldapUserName   LDAPDN OPTIONAL,
                protocolOp      CHOICE {
                        bindRequest     BindRequest,
                        bindRespBasic   BindResponseBasic,
                        bindRespExtd    BindResponseExtended,
                        unbindRequest   UnbindRequest,
                        searchRequest   SearchRequest,
                        searchResEntry  SearchResultEntry,
                        searchResDone   SearchResultDone,
                        searchResRef    SearchResultReference,
                        searchResFull   SearchResultFull,
                        modifyRequest   ModifyRequest,
                        modifyResponse  ModifyResponse,
                        addRequest      AddRequest,
                        addResponse     AddResponse,
                        delRequest      DelRequest,
                        delResponse     DelResponse,
                        modDNRequest    ModifyDNRequest,
                        modDNResponse   ModifyDNResponse,
                        compareRequest  CompareRequest,
                        compareResponse CompareResponse,
                        abandonRequest  AbandonRequest,
                        extendedReq     ExtendedRequest,
                        extendedResp    ExtendedResponse } }

        MessageID ::= INTEGER (0 .. maxInt )

        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
        -- later may be extended to 9223372036854775807 (2^^63 - 1) --

   The function of the LDAPMessage is to provide an envelope containing
   common fields required in all protocol exchanges. At this time the
   only common fields are the message ID and cldapUserName.

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   The message ID is required to have a value different from the values of
   any other requests outstanding in the LDAP session of which this
   message is a part.  Typically a client may increment a counter for each
   request. The message ID value must be echoed in all LDAPMessage
   envelopes encapsulating responses corresponding to the request
   contained in the LDAPMessage in which the message ID value was
   originally used.

   The cldapUserName identifies the requesting user for this message. It
   is only present if this LDAPMessage is carried in a connectionless
   transport protocol, such as UDP.  This is described in section 5.1.3.
   When the LDAP session is carried in a connection-oriented transport
   protocol this field must be absent.

4.1.2. String

   The LDAPString is a notational convenience to indicate that, although
   strings of LDAPString type encode as OCTET STRING types, the legal
   character set in such strings is limited to the IA5 character set.

        LDAPString ::= OCTET STRING

4.1.3. Distinguished Name and Relative Distinguished Name

   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
   representation of a Distinguished Name and a Relative Distinguished
   Name after encoding according to the specification in [4], such that

        <distinguished-name> ::= <name>

        <relative-distinguished-name> ::= <name-component>

   where <name> and <name-component> are as defined in [4].

        LDAPDN ::= LDAPString

        RelativeLDAPDN ::= LDAPString

4.1.4. Attribute Type

   An AttributeType takes on as its value the textual string associated
   with that AttributeType in its specification.  If this string is not
   known, the AttributeType should take the ASCII representation of its
   OBJECT IDENTIFIER, as decimal digits with components separated by
   periods, e.g. "2.5.4.10". The attribute type strings which must be
   supported are described in section [5].

        AttributeType ::= LDAPString

   This data type describes a list of 0 or more attribute types.  Clients
   and servers should be prepared to accept a list of many hundreds of
   attribute types.

        AttributeTypeList ::= SEQUENCE SIZE (0..maxInt) OF AttributeType


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

4.1.5. Attribute Value

   A field of type AttributeValue takes on as its value an octet string
   encoding of a Directory AttributeValue type. The definition of these
   string encodings for different Directory AttributeValue types may be
   found in companions to this document that define the encodings of
   various attribute syntaxes such as [5].

        AttributeValue ::= OCTET STRING

   Note that there is no defined limit on the size of this encoding; thus
   PDUs including multi-megabyte photograph attributes may be returned. If
   the client has limited memory or storage capabilities it may wish to
   set the attrSizeLimit field when invoking a search operation.

4.1.6. Attribute Value Assertion

   The AttributeValueAssertion type definition is similar to the one in
   the X.500 Directory standards.  It contains an attribute type and a
   equality matching assertion suitable for that type.

        AttributeValueAssertion ::= SEQUENCE {
                attributeType   AttributeType,
                assertionValue  AssertionValue }

        AssertionValue ::= OCTET STRING

   For all the standard attributes, the assertion value syntax is the
   same as the value syntax.

4.1.7. Attribute

   An attribute consists of a type and one or more values of that type.

        Attribute ::= SEQUENCE {
                type    AttributeType,
                vals    SET SIZE (1..maxInt) OF AttributeValue }

   Clients and servers should be prepared to accept attributes with
   many hundreds of values.

4.1.8. Matching Rule Identifier

   An X.501(1993) Matching Rule is identified in the LDAP protocol by the
   ASCII representation of its OBJECT IDENTIFIER, as decimal digits with
   components separated by periods, e.g. "1.3.6.1.4.1.453.33.33".

        MatchingRuleId ::= LDAPString

4.1.9. Result Message

   The LDAPResult is the construct used in this protocol to return
   success or failure indications from servers to clients. In response
   to various requests, servers will return responses containing fields
   of type LDAPResult to indicate the final status of a protocol
   operation request.

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

        LDAPResult ::= SEQUENCE {
                resultCode      ENUMERATED {
                             success                      (0),
                             operationsError              (1),
                             protocolError                (2),
                             timeLimitExceeded            (3),
                             sizeLimitExceeded            (4),
                             compareFalse                 (5),
                             compareTrue                  (6),
                             authMethodNotSupported       (7),
                             strongAuthRequired           (8),
                                        -- 9 reserved --
                             referral                     (10),  -- new
                             adminLimitExceeded           (11),  -- new
                             unavailableCriticalExtension (12),  -- new
                                        -- 14-15 unused --
                             noSuchAttribute              (16),
                             undefinedAttributeType       (17),
                             inappropriateMatching        (18),
                             constraintViolation          (19),
                             attributeOrValueExists       (20),
                             invalidAttributeSyntax       (21),
                                        -- 22-31 unused --
                             noSuchObject                 (32),
                             aliasProblem                 (33),
                             invalidDNSyntax              (34),
                             isLeaf                       (35),
                             aliasDereferencingProblem    (36),
                                        -- 37-47 unused --
                             inappropriateAuthentication  (48),
                             invalidCredentials           (49),
                             insufficientAccessRights     (50),
                             busy                         (51),
                             unavailable                  (52),
                             unwillingToPerform           (53),
                             loopDetect                   (54),
                                        -- 55-63 unused --
                             namingViolation              (64),
                             objectClassViolation         (65),
                             notAllowedOnNonLeaf          (66),
                             notAllowedOnRDN              (67),
                             entryAlreadyExists           (68),
                             objectClassModsProhibited    (69),
                             resultsTooLarge              (70), -- cl only
                             affectsMultipleDSAs          (71), -- new
                                        -- 72-79 unused --
                             other                        (80) },
                matchedDN       LDAPDN,
                errorMessage    LDAPString (SIZE (0..maxInt)),
                referral        [3] Referral OPTIONAL,
                matchedSubtype  [4] AttributeType OPTIONAL }


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   The errorMessage field of this construct may, at the servers option,
   be used to return an ASCII string containing a textual, human-readable
   error diagnostic. As this error diagnostic is not standardized,
   implementations should not rely on the values returned.  If the server
   chooses not to return a textual diagnostic, the errorMessage field of
   the LDAPResult type should contain a zero length string.

   For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax,
   isLeaf, and aliasDereferencingProblem, the matchedDN field is set to
   the name of the lowest entry (object or alias) in the DIT that was
   matched and is a truncated form of the name provided or, if an alias
   has been dereferenced, of the resulting name in a Search or Compare
   result.  The matchedDN field should be set to a NULL DN (a zero length
   string) in all other cases.

   When the resultCode is compareTrue or compareFalse the matchedSubtype
   field will contain the type name of the attribute whose value matched
   the ava in the Compare operation.

4.1.10. Referral

   The referral field is present in an LDAPResult if the
   LDAPResult.resultCode field value is referral.  It contains a reference
   to another server (or set of servers) which may be accessed via LDAP
   or other protocols.

        Referral ::= SEQUENCE {
                servers         [0] SET SIZE (1..maxInt) OF LDAPURL }

   The servers field contains a list of URLs of servers, and each must be
   capable of processing the operation and presenting a consistent view
   to clients.  URLs for servers implementing the LDAP protocol are
   written according to [9].

        LDAPURL ::= LDAPString

   The ASN.1 type Exclusions is defined in [10], and is included in
   Appendix B for reference.  The server should place its own URL in the
   referringServer field, as this information may be useful for tracing
   referral loops and inconsistencies.

4.2.  Bind Operation

   The function of the Bind Operation is to initiate a protocol session
   between a client and a server, and to allow the authentication of the
   client to the server. The Bind Request is defined as follows:


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

        BindRequest ::= [APPLICATION 0] SEQUENCE {
                version                 INTEGER (1 .. 127),
                name                    LDAPDN,
                authentication          AuthenticationChoice,
                serviceControls         [7] Controls OPTIONAL }

        AuthenticationChoice ::= CHOICE {
                simple                  [1] OCTET STRING,
                krbv42LDAP              [2] OCTET STRING,
                krbv42DSA               [3] OCTET STRING,
                protected               [4] ProtectedPassword,
                strong                  [5] StrongCredentials,
                nonstandard             [6] NonstandardCredentials }

        ProtectedPassword ::= SEQUENCE {
                time1                   [0] UTCTime OPTIONAL,
                time2                   [1] UTCTime OPTIONAL,
                random1                 [2] BIT STRING OPTIONAL,
                random2                 [3] BIT STRING OPTIONAL,
                protected               [4] OCTET STRING }

        StrongCredentials ::= SEQUENCE {
                certification-path      [0] AF.CertificationPath OPTIONAL,
                bind-token              [1] DAS.Token }

        NonstandardCredentials ::= SEQUENCE {
                authMechanism           [0] LDAPString,
                authToken               [1] OCTET STRING }

        Controls ::= SEQUENCE SIZE (1..maxInt) OF SEQUENCE {
                criticality             [0] BOOLEAN DEFAULT FALSE,
                control                 ServiceControl }

        ServiceControl ::= CHOICE {
                referringServer         [0] LDAPURL,
                chainingProhibited      [1] BOOLEAN,
                scopeOfReferral         [2] ENUMERATED {
                                                any(-1),
                                                dmd(0),
                                                country(1) },
                referToLDAPServers      [3] BOOLEAN,
                referToDAPServers       [4] BOOLEAN,
                preferredSyntax         [5] SyntaxEncoding,
                extendedControl         [6] ExtendedControl }

        SyntaxEncoding ::= SEQUENCE {
                attributeType           [0] AttributeType,
                encodingPreference      [1] SyntaxName  }

        SyntaxName ::= LDAPString

        ExtendedControl ::= SEQUENCE {
                controlName             [0] LDAPString,
                controlValue            [1] OCTET STRING }


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   Parameters of the Bind Request are:

   - version: A version number indicating the version of the protocol to
     be used in this protocol session.  This document describes version
     3 of the LDAP protocol.  Note that there is no version negotiation,
     and the client should just set this parameter to the version it
     desires.  The client may request version 2, in which case the server
     should implement only the protocol as described in [2], by NOT
     returning:
        - BindResponseExtended in response to this request,
        - result codes referral, adminLimitExceeded,
          unavailableCriticalExtension,
          resultsTooLarge or affectsMultipleDSAs,
        - referral or matchedSubtype in LDAPResult,
        - fromEntry in SearchResultEntry,
        - SearchResultReference in response to searches.

   - name: The name of the Directory object that the client wishes to
     bind as.  This field may take on a null value (a zero length
     string) for the purposes of anonymous binds.

   - authentication: information used to authenticate the name, if any,
     provided in the Bind Request.

   - serviceControls: additional requests the client may make about the
     protocol.

   Upon receipt of a Bind Request, a protocol server will authenticate
   the requesting client if necessary, and attempt to set up a protocol
   session with that client. The server will then return a Bind Response
   to the client indicating the status of the session setup request.

   Unlike LDAP v2, the client need not send a Bind Request in the first
   PDU of the connection.  The client may request any operations and the
   server should treat these as unauthenticated.  If the server requires
   that the client bind first, the server should reject any request other
   that binding or unbinding with the "operationsError" result. If the
   client did not bind before sending a request and receives an
   operationsError, it should close the connection, reopen it and begin
   again by first sending a PDU with a Bind Request.  This will aid in
   interoperating with LDAPv2 servers.

   Clients should not send more than one Bind Request on a connection.

4.2.1 Authentication

   The "simple" authentication option provides minimal authentication
   facilities, with the contents of the authentication field consisting
   only of a cleartext password.  This option should also be used when
   unauthenticated or anonymous binds are to be performed, with the field
   containing a zero length string in such cases.


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   Kerberos version 4 [14] authentication to the LDAP server and the DSA
   is accomplished by using the krbv42LDAP and krbv42DSA authentication
   options, respectively.  Note that though they are referred to as
   separate entities here, there is no requirement these two entities be
   distinct (i.e., a DSA could speak LDAP directly).  Two separate
   authentication options are provided to support all implementations.
   Each octet string should contain the kerberos ticket (e.g., as
   returned by krb_mk_req()) for the appropriate service.  The suggested
   service name for authentication to the LDAP server is "ldapserver".
   The suggested service name for authentication to the DSA is "x500dsa".
   In both cases, the suggested instance name for the service is the name
   of the host on which the service is running.  Of course, the actual
   service names and instances will depend on what is entered in the
   local kerberos principle database.

   The ProtectedPassword authentication option allows a hash of the
   password, combined optionally with the current time and a random
   number, to be sent to the DSA.  The protected field contains the hash
   value.

   Strong authentication to the Directory can be accomplished using the
   strong credentials option.  The ASN.1 type "CertificationPath" is
   defined in [12], and the ASN.1 type "Token" is defined in [13].  They
   are included in Appendix B for Reference.

   Nonstandard authentication to the Directory can be performed using the
   nonstandard credentials option.  The authMechanism must be the
   dotted-decimal printable representation of an OBJECT IDENTIFIER of that
   authentication mechanism: for interoperability the full decimal format
   must be used.  The authToken is arbitrary information of a form
   defined by that authentication mechanism, encoded in an OCTET STRING.

4.2.1.1.  Strong Credentials Signature Algorithm

   It is recommended for interoperability that if strong authentication
   is to be performed, then if the server's or client's certificates
   contain RSA public keys the PKCS md5WithRSAEncryption
   (1.2.840.113549.1.1.4) algorithm should be used.

4.2.2. Service Controls

   Service Controls are requests made by the client which affect its
   interaction with the server. Controls are not saved after a session
   unbinds or disconnects abruptly, and do not affect other sessions to
   this or other servers.

   If the server is not capable of setting one or more requested controls,
   it should set as many as possible.  If any of the controls which the
   server could not set are marked as critical, it should return the
   unavailableCriticalExtension error.

   The referringServer control is non-critical.  This field contains the URL
   of another server which referred an operation to this server.  This control
   should only be present if the connection is being made only to process a
   referral.  If the connection will be held open to handle referrals from
   other servers this control should be omitted.

   If the chainingProhibited field is set to TRUE, the server set the
   chainingProhibited service control on any DAP requests it makes.  If
   the referToLDAPServers or returnToDAPServers fields are set to TRUE,
   the server should return referrals to clients.  Otherwise if neither
   of these are set to TRUE the server should itself follow referrals.

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   If the referToLDAPServers field is set to TRUE, the server is permitted
   by the client to return referrals to other LDAP servers.

   If the referToDAPServers field is set to TRUE, the server is permitted
   by the client to return referrals to other X.500 servers which accept
   incoming DAP associations.

   The preferredSyntax fields control how the server should in Search
   Responses return values of attributes, and how it should interpret
   values presented in Compare, Add and Modify arguments.  The attribute
   field is the attribute whose syntax preference is being noted, if the
   field is a zero length string the preference applies to all attributes.
   The following encodingPref values have been defined:
   - The zero-length empty string corresponds to the default syntax for
     the server.  It may be binary, readable or something else for each
     attribute.

   - The string "binary" requests that the binary BER encoding be used for
     the selected (or all) attributes.  Note that Attribute Types, as
     well as distinguished names transferred as protocol elements (not as
     attribute values) are still carried in string representations.

   - The string "readable" requests that printable encodings be used for
     the selected attributes, and that IA5 character sets be used where
     possible.  If the attribute field is of zero length this requests the
     server to encode unrecognized attributes using the "Readable"
     default encoding.

   Subsequent documents may define additional encoding preference values
   to support internationalization.

   The extendedControl is used to exchange bilaterally-defined information
   from a client to a server.  The controlName must be the dotted-decimal
   printable representation of an OBJECT IDENTIFIER of that control: for
   interoperability the full decimal format must be used.  The
   controlValue is arbitrary information of a form defined by that
   control, encoded in an OCTET STRING.

4.2.3. Bind Response

   The Bind Response will be one of the following, either
   BindResponseBasic or BindResponseExtended.

        BindResponseBasic ::= [APPLICATION 1] LDAPResult

   A BindResponseBasic consists simply of an indication from the server of
   the status of the client's request for the initiation of a protocol
   session.  If the bind was successful, the resultCode will be success,
   otherwise it will be one of:


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

                operationsError
                protocolError
                authMethodNotSupported
                strongAuthRequired
                referral
                inappropriateAuthentication
                invalidCredentials
                unavailable

   If the client receives a BindResponseBasic response where the
   resultCode was not success, it should close the connection as the
   server will be unwilling to accept further operations.

   A BindResponseExtended will only be returned if the bind was successful
   and additional information is to be returned to the client.

        BindResponseExtended ::= [APPLICATION 17] SEQUENCE {
                serverURL       [0] LDAPURL,
                serverCreds     AuthenticationChoice }

   The serverURL contains the URL of this LDAP server.  The serverCreds
   allows the client to authenticate the server to which it is
   communicating.

4.3.  Unbind Operation

   The function of the Unbind Operation is to terminate a protocol
   session.  The Unbind Operation is defined as follows:

        UnbindRequest ::= [APPLICATION 2] NULL

   The Unbind Operation has no response defined. Upon transmission of an
   UnbindRequest, a protocol client may assume that the protocol session
   is terminated. Upon receipt of an UnbindRequest, a protocol server
   may assume that the requesting client has terminated the session and
   that all outstanding requests may be discarded.

4.4.  Search Operation

   The Search Operation allows a client to request that a search be
   performed on its behalf by a server. The Search Request is defined as
   follows:

        SearchRequest ::= [APPLICATION 3] SEQUENCE {
                baseObject      LDAPDN,
                scope           ENUMERATED {
                        baseObject              (0),
                        singleLevel             (1),
                        wholeSubtree            (2) },
                derefAliases    ENUMERATED {
                        neverDerefAliases       (0),
                        derefInSearching        (1),
                        derefFindingBaseObj     (2),
                        derefAlways             (3) },
                sizeLimit       INTEGER (0 .. maxInt),
                timeLimit       INTEGER (0 .. maxInt),


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

                typesOnly       BOOLEAN,
                filter          Filter,
                attributes      AttributeTypeList,
                matchedOnly     [0] BOOLEAN DEFAULT FALSE,
                sortKeys        [1] SortKeyList OPTIONAL,
                reverseSort     [2] BOOLEAN DEFAULT FALSE,
                modifyRightsReq [3] BOOLEAN DEFAULT FALSE,
                extraAttributes [4] BOOLEAN DEFAULT FALSE,
                attrSizeLimit   [5] INTEGER OPTIONAL,
                subentries      [6] BOOLEAN DEFAULT FALSE,
                dontUseCopy     [7] BOOLEAN DEFAULT FALSE }

        SortKeyList ::= SEQUENCE SIZE (1..maxInt) OF SEQUENCE {
                attributeType   AttributeType,
                orderingRule    [0] MatchingRuleId OPTIONAL,
                startFrom       [1] AssertionValue OPTIONAL,
                endWith         [2] AssertionValue OPTIONAL }

        Filter ::= CHOICE {
                and             [0] SET SIZE (1..maxInt) OF Filter,
                or              [1] SET SIZE (1..maxInt) OF Filter,
                not             [2] Filter,
                equalityMatch   [3] AttributeValueAssertion,
                substrings      [4] SubstringFilter,
                greaterOrEqual  [5] AttributeValueAssertion,
                lessOrEqual     [6] AttributeValueAssertion,
                present         [7] AttributeType,
                approxMatch     [8] AttributeValueAssertion,
                extensibleMatch [9] MatchingRuleAssertion }

        SubstringFilter ::= SEQUENCE {
                type            AttributeType,
                substrings      SEQUENCE SIZE (1..maxInt) OF CHOICE {
                        initial [0] LDAPString,
                        any     [1] LDAPString,
                        final   [2] LDAPString } }

        MatchingRuleAssertion ::= SEQUENCE {
                matchingRules   [1] SET SIZE (0..maxInt) OF MatchingRuleId,
                type            [2] AttributeType,
                matchValue      [3] AssertionValue,
                dnAttributes    [4] BOOLEAN }

   Parameters of the Search Request are:

   - baseObject: An LDAPDN that is the base object entry relative to
     which the search is to be performed.

   - scope: An indicator of the scope of the search to be performed. The
     semantics of the possible values of this field are identical to the
     semantics of the scope field in the Directory Search Operation.

   - derefAliases: An indicator as to how alias objects should be
     handled in searching.  The semantics of the possible values of
     this field are:

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

             neverDerefAliases: do not dereference aliases in searching
             or in locating the base object of the search;

             derefInSearching: dereference aliases in subordinates of
             the base object in searching, but not in locating the
             base object of the search;

             derefFindingBaseObject: dereference aliases in locating
             the base object of the search, but not when searching
             subordinates of the base object;

             derefAlways: dereference aliases both in searching and in
             locating the base object of the search.

   - sizelimit: A sizelimit that restricts the maximum number of entries
     to be returned as a result of the search. A value of 0 in this
     field indicates that no sizelimit restrictions are in effect for
     the search.

   - timelimit: A timelimit that restricts the maximum time (in seconds)
     allowed for a search. A value of 0 in this field indicates that no
     timelimit restrictions are in effect for the search.

   - typesOnly: An indicator as to whether search results should contain
     both attribute types and values, or just attribute types.  Setting
     this field to TRUE causes only attribute types (no values) to be
     returned.  Setting this field to FALSE causes both attribute types
     and values to be returned.

   - filter: A filter that defines the conditions that must be fulfilled
     in order for the search to match a given entry.  The and, or and not
     choices may be used to form boolean combinations of filters.

   - attributes: A list of the attributes from each entry found as a
     result of the search to be returned. An empty list signifies that
     all attributes from each entry found in the search are to be
     returned.

   - matchedOnly: If this field is set to TRUE, then in search results if
     there are multivalued attributes where some but not all of the values
     contributed to the search filter returning TRUE via filters other
     than equality or present, then the values which did not contribute
     are not returned in the entry attribute list.

   - sortKeys: If this field is present, then it specifies one or more
     attribute types and matching rules, and the returned entries should
     be sorted in order based on these types.

     The startFrom and endWith assertion values specify a range of entries
     which are to be returned. If an entry matches a specified sortKey but
     with a value before the startFrom assertion or after the endWith
     assertion, that entry is not returned as a result.


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

     If the server does not recognize any of the attribute types, or the
     ordering rule associated with an attribute type is not applicable, or
     none of the attributes in the search responses are of these types,
     then the sortKeys field is ignored and result entries are returned
     in random order.

     Support for this field is optional, and clients should expect that
     not all servers will implement result sorting.

   - reverseSort: If this field is set to TRUE and the sortKeys field is
     also present, then the entries will be presented in reverse sorted
     order.

   - modifyRightsReq: If this field is set to TRUE and the scope field is
     set to baseObject, then the client requests that the modification
     rights for the entry be included in the search result.  Support for
     this field is optional, and clients should expect that not all
     servers will implement returning modify rights.

   - extraAttributes: If this field is present and set to TRUE then
     all operational attributes are requested to be returned as well.
     Note that specific operational attributes may instead be listed in
     the attributes field. Servers are permitted to ignore extraAttributes
     if returning this information is prohibited by security policy.
     Clients should note that many operational attributes are not
     modifiable.

   - attrSizeLimit: If this field is present, then if the size in bytes
     of an attribute and all its values which would be returned in a
     result entry exceeds this size in bytes, then the attribute is not
     included in the result and the incompleteEntry field is set to TRUE.

   - subentries: if present and set to TRUE, the server should ignore
     ordinary entries and only perform the search against subentries.  If
     the server not support subentries and this field is TRUE it should
     not do any searching, and either return an error (protocolError) or
     an empty result.

   - dontUseCopy: if present and set to TRUE, only the server which holds
     the master copy of the entry is permitted to perform the filtering
     and attribute selection.

   The results of the search attempted by the server upon receipt of a
   Search Request are returned in Search Responses, which are LDAP
   messages containing either SearchResultEntry, SearchResultReference,
   SearchResultDone or SearchResultFull data types.

        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
                objectName      LDAPDN,
                attributes      PartialAttributeList,
                modifyRights    [2] ModifyRights OPTIONAL,
                incompleteEntry [3] BOOLEAN DEFAULT FALSE,
                fromEntry       [4] BOOLEAN DEFAULT FALSE }

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

        PartialAttributeList ::= SEQUENCE SIZE (0..maxInt) OF SEQUENCE {
                type    AttributeType,
                vals    SET SIZE (0..maxInt) OF AttributeValue }

        SearchResultReference ::= [APPLICATION 18] Referral

        SearchResultDone ::= [APPLICATION 5] LDAPResult

        SearchResultFull ::= SEQUENCE SIZE (1..maxInt) OF CHOICE {
                        entry           SearchResultEntry,
                        reference       SearchResultReference,
                        resultCode      SearchResultDone }

        ModifyRights ::= SEQUENCE {
                entryRemove     BOOLEAN,
                entryModifyDN   BOOLEAN,
                attrRights      SET SIZE (0..maxInt) OF SEQUENCE {
                                        type            AttributeType,
                                        grantAdd        BOOLEAN,
                                        grantRemove     BOOLEAN } }

   Upon receipt of a Search Request, a server will perform the necessary
   search of the DIT.

   If the LDAP session is operating over a connection-oriented transport
   such as TCP, the server will return to the client a sequence of
   responses in separate LDAP messages.  There may be zero or more
   responses containing SearchResultEntry, one for each entry found
   during the search.  There may also be zero or more responses
   containing SearchResultReference, one for each area not explored by
   this server during the search.  There must always be a final response
   containing the SearchResultDone, which contains an indication of
   success, or detailing any errors that have occurred.

   If the LDAP session is operating over a connectionless transport such
   as UDP, the server will return to the client only one response, a
   LDAPMessage containing a SearchResultFull data type.  All if any but
   the last element of the SEQUENCE OF must be of the SearchResultEntry
   type, and the last must be of the SearchResultDone type.

   Each entry returned in a SearchResultEntry will contain all attributes,
   complete with associated values if necessary, as specified in the
   attributes field of the Search Request.

   In a SearchResultEntry, as an encoding optimisation, the value of the
   objectName LDAP DN may use a trailing '*' character to refer to the
   baseObject of the corresponding searchRequest.  For example, if the
   baseObject is specified as "o=UofM, c=US", then the following
   objectName LDAPDNs in a response would have the indicated meanings

          objectName returned   actual LDAPDN denoted
          ____________________________________________________
          "*"                   "o=UofM, c=US"
          "cn=Babs Jensen, *"   "cn=Babs Jensen, o=UofM, c=US"


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   If (and only if) the modifyRightsReq field was present in the Search
   Request may the server also include the ModifyRights field in the
   entry. This field details the operations which are expected to succeed
   if requested by that user later in this session.  The server need not
   guarantee that these permissions will be granted, however it should
   avoid suggesting permissions that are not currently granted.  If no
   information is available the server should not include the
   modifyRights field in the response.

   The incompleteEntry flag is set if one or more attributes are not
   present in the PartialAttributeList, because their size would have
   exceeded the attribute size limit.  It is never set if typesOnly was
   set to TRUE.

   The server may set the fromEntry field in a SearchResult entry to TRUE
   if it is known that the search is not based upon a shadow or cached
   copy of the entry, but that the source of entry data has been directly
   contacted.

   If the server was able to locate the entry referred to by the
   baseObject but was unable to search all the entries in the scope at
   and under the baseObject, the server may return one or more
   SearchResultReference, each containing a reference to another LDAP or
   to an X.500 server for continuing the operation.  The server should
   return at most one SearchResultReference for a subtree.  A server must
   not return a SearchResultReference if it has located the baseObject
   and thus has not searched any entries; in this case it should return a
   SearchResultDone containing a referral resultCode and the
   continuationReference.

   Note that an X.500 "list" operation can be emulated by a one-level
   LDAP search operation with a filter checking for the existence of the
   objectClass attribute, and that an X.500 "read" operation can be
   emulated by a base object LDAP search operation with the same filter.

4.5.  Modify Operation

   The Modify Operation allows a client to request that a modification
   of the DIB be performed on its behalf by a server.  The Modify
   Request is defined as follows:

        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
                object          LDAPDN,
                modification    SEQUENCE SIZE (1..maxInt) OF SEQUENCE {
                        operation       ENUMERATED {
                                                add     (0),
                                                delete  (1),
                                                replace (2) },
                        modification    Attribute } }

   Parameters of the Modify Request are:

   - object: The object to be modified. The value of this field should
     name the object to be modified.  The server will not perform any
     alias dereferencing in determining the object to be modified.

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   - A list of modifications to be performed on the entry to be modified.
     The entire list of entry modifications should be performed
     in the order they are listed, as a single atomic operation.  While
     individual modifications may violate the Directory schema, the
     resulting entry after the entire list of modifications is performed
     must conform to the requirements of the Directory schema. The
     values that may be taken on by the 'operation' field in each
     modification construct have the following semantics respectively:

             add: add values listed to the given attribute, creating
             the attribute if necessary;

             delete: delete values listed from the given attribute,
             removing the entire attribute if no values are listed, or
             if all current values of the attribute are listed for
             deletion;

             replace: replace existing values of the given attribute
             with the new values listed, creating the attribute if
             necessary.

   The result of the modify attempted by the server upon receipt of a
   Modify Request is returned in a Modify Response, defined as follows:

        ModifyResponse ::= [APPLICATION 7] LDAPResult

   Upon receipt of a Modify Request, a server will perform the necessary
   modifications to the DIB.

   The server will return to the client a single Modify Response
   indicating either the successful completion of the DIB modification,
   or the reason that the modification failed. Note that due to the
   requirement for atomicity in applying the list of modifications in
   the Modify Request, the client may expect that no modifications of
   the DIB have been performed if the Modify Response received indicates
   any sort of error, and that all requested modifications have been
   performed if the Modify Response indicates successful completion of
   the Modify Operation.

4.6.  Add Operation

   The Add Operation allows a client to request the addition of an entry
   into the Directory. The Add Request is defined as follows:

        AddRequest ::= [APPLICATION 8] SEQUENCE {
                entry           LDAPDN,
                attributes      AttributeList }

        AttributeList ::= SEQUENCE SIZE (1..maxInt) OF SEQUENCE {
                type    AttributeType,
                vals    SET SIZE (1..maxInt) OF AttributeValue }


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   Parameters of the Add Request are:

   - entry: the Distinguished Name of the entry to be added. Note that
     all components of the name except for the last RDN component must
     exist for the add to succeed.  Note also that the server will not
     dereference any aliases in locating the entry to be added, and that
     there are never any entries subordinate to an alias entry.

   - attributes: the list of attributes that make up the content of the
     entry being added.

   The result of the add attempted by the server upon receipt of a Add
   Request is returned in the Add Response, defined as follows:

        AddResponse ::= [APPLICATION 9] LDAPResult

   Upon receipt of an Add Request, a server will attempt to perform the
   add requested. The result of the add attempt will be returned to the
   client in the Add Response.

4.7.  Delete Operation

   The Delete Operation allows a client to request the removal of an
   entry from the Directory. The Delete Request is defined as follows:

        DelRequest ::= [APPLICATION 10] LDAPDN

   The Delete Request consists of the Distinguished Name of the
   entry to be deleted. Note that the server will not dereference aliases
   while resolving the name of the target entry to be removed.

   The result of the delete attempted by the server upon receipt of a
   Delete Request is returned in the Delete Response, defined as follows:

        DelResponse ::= [APPLICATION 11] LDAPResult

   Upon receipt of a Delete Request, a server will attempt to perform
   the entry removal requested. The result of the delete attempt will be
   returned to the client in the Delete Response. Note that only leaf
   objects may be deleted with this operation.

4.8.  Modify DN Operation

   The Modify DN Operation allows a client to change the last component
   of the name of an entry in the Directory, or to move a subtree of
   entries to a new location in the Directory.  The Modify DN Request is
   defined as follows:

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
                entry           LDAPDN,
                newrdn          RelativeLDAPDN,
                deleteoldrdn    BOOLEAN,
                newSuperior     [0] LDAPDN OPTIONAL }

   Parameters of the Modify DN Request are:

   - entry: the name of the entry to be changed.

   - newrdn: the RDN that will form the last component of the new name.

   - deleteoldrdn: a boolean parameter that controls whether the old RDN
     attribute values should be retained as attributes of the entry or
     deleted from the entry.

   - newSuperior: if present, this is the name of another entry which
     should be the superior of the subtree in the entry field.

   The result of the name change attempted by the server upon receipt of
   a Modify DN Request is returned in the Modify DN Response, defined
   as follows:

        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

   Upon receipt of a Modify RDN Request, a server will attempt to
   perform the name change. The result of the name change attempt will
   be returned to the client in the Modify DN Response. The attributes
   that make up the old RDN are deleted from the entry, or kept,
   depending on the setting of the deleteoldrdn parameter.

4.9.  Compare Operation

   The Compare Operation allows a client to compare an assertion
   provided with an entry in the Directory. The Compare Request is
   defined as follows:

        CompareRequest ::= [APPLICATION 14] SEQUENCE {
                entry           LDAPDN,
                ava             AttributeValueAssertion,
                timeLimit       [0] INTEGER (0 .. maxInt) OPTIONAL,
                dontUseCopy     [1] BOOLEAN DEFAULT FALSE }

   Parameters of the Compare Request are:

   - entry: the name of the entry to be compared with.

   - ava: the assertion with which an attribute in the entry is to be
     compared.


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   - timeLimit: the maximum time in seconds the server should spend in
     handling this operation.

   - dontUseCopy: if present and set to TRUE, only the server which holds
     the master copy of the entry is permitted to return the compareTrue
     or compareFalse results.

   The result of the compare attempted by the server upon receipt of a
   Compare Request is returned in the Compare Response, defined as
   follows:

        CompareResponse ::= [APPLICATION 15] LDAPResult

   Upon receipt of a Compare Request, a server will attempt to perform
   the requested comparison. The result of the comparison will be
   returned to the client in the Compare Response. Note that errors and
   the result of comparison are all returned in the same construct.

   This operation is defined for backwards compatability with earlier
   versions of LDAP.  Any new clients written should not use the
   comparison operation, but instead should use the search operation,
   with scope set to baseObject and filter containing one element, an
   equality match.  Note that different results will be returned than
   from the comparison operation: in search if the filter match is
   successful, the entry will be returned, and if the attribute
   value is not present, no entries will be returned.

4.10.  Abandon Operation

   The function of the Abandon Operation is to allow a client to request
   that the server abandon an outstanding operation.  The Abandon
   Request is defined as follows:

        AbandonRequest ::= [APPLICATION 16] MessageID

   The MessageID must be that of a Search or Compare operation which was
   requested earlier during this association.  Other types of operations
   cannot be abandoned.

   There is no response defined in the Abandon Operation. Upon
   transmission of an Abandon Operation, a client may expect that the
   operation identified by the Message ID in the Abandon Request has
   been abandoned. In the event that a server receives an Abandon
   Request on a Search Operation in the midst of transmitting responses
   to that search, that server should cease transmitting entry responses
   to the abandoned search immediately.



INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

4.11 Extended Operation

   The following operation allows clients to make requests of forms not
   defined in this document.  The requestName is a dotted-decimal
   representation of the OBJECT IDENTIFIER corresponding to the request.
   The requestValue is information in a form defined by that request,
   encapsulated inside an OCTET STRING.

        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
                requestName             [0] LDAPString,
                requestValue            [1] OCTET STRING }

   The server will respond to this with an LDAPMessage containing the
   ExtendedResponse.

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
                response                [0] OCTET STRING OPTIONAL,
                standardResponse        [1] LDAPResult }

    If the server does not recognize the operation name, it should return
    only the standardResponse, containing the protocolError result code.

5.  Protocol Element Encodings and Transfer

   The protocol elements of LDAP are encoded for exchange using the
   Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
   high overhead involved in using certain elements of the BER, the
   following additional restrictions are placed on BER-encodings of LDAP
   protocol elements:

   (1) Only the definite form of length encoding will be used.

   (2) Bitstrings and octet strings and all character string types
       will be encoded in the primitive form only.

   (3) UTC Times should be encoded with the "Z" suffix, not as a local
       time.

   (4) If the value of a BOOLEAN type is true, the encoding should have
       its contents octets set to hex "FF".

   (5) The components of a SET type, currently only DO.AccessPoint, should
       be encoded in ascending order of tag value.

   (6) Unused bits in the final octet of the encoding of a BIT STRING
       value, if there are any, should always be set to zero.

   (7) If a value of a type is its default value, it should be absent.
       Only BOOLEAN and ENUMERATED types have default values.

   These restrictions do not apply to ASN.1 types encapsulated inside of
   OCTET STRINGs.


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

5.1.  Mapping Onto Transport Services

   This protocol is designed to run over connection-oriented, reliable
   transports, with all 8 bits in an octet being significant in the data
   stream.  For compatibility with the existing LDAP v2 and CLDAP
   protocols, three underlying services are defined here.  However an
   LDAP server need not implement all three.  Separate documents may
   define other mappings, such as to a MIME Content-type for use in
   messaging and WWW.

5.1.1.  Transmission Control Protocol (TCP)

   The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
   Server implementations running over the TCP should provide a protocol
   listener on port 389.

5.1.2.  Connection Oriented Transport Service (COTS)

   The connection is established.  No special use of T-Connect is made.
   Each LDAPMessage PDU is mapped directly onto T-Data.

5.1.3.  User Datagram Protocol (UDP)

   The LDAPMessage PDUs are mapped directly onto UDP datagrams.  Only
   one request may be sent in a single datagram. Only one response may
   be sent in a single datagram.  Server implementations running over
   the UDP should provide a protocol listener on port 389.

   The only operations which the client may request are searchRequest and
   abandonRequest.  The server may only respond with the searchResultFull.

6.  Implementation Guidelines

6.1.  Server Implementations

   The server should be capable of recognizing all the attribute type
   names and implement the syntaxes specified in [5].  Servers may also
   recognize additional attribute type names.

   In order to prevent confusion, the server should respond with the OID
   form for the "uniqueIdentifier" standard and pilot attribute.

6.2.  Client Implementations

   As there is a conflict of names, the client must not request the
   "uniqueIdentifier" attribute.  Instead it should use the OID form.

   For simple lookup applications using the connectionless transport
   protocol UDP, use of a retry algorithm with multiple servers similar
   to that commonly used in DNS stub resolver implementations is
   recommended.  The location of a CLDAP server or servers may be better
   specified using IP addresses (simple or broadcast) rather than names
   that must first be looked up in another directory such as DNS.


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   Servers will not dereference aliases encountered when performing an
   Add, Delete or Modify operation.  If an alias was encountered an error
   will be returned.  The client must retry the operation with an updated
   target entry name.  Note that multiple aliases may be encounted while
   resolving the entry's true name.

7.  Security Considerations

   When used with a connection-oriented transport, this version of the
   protocol provides facilities for the LDAP v2 authentication mechanisms:
   simple authentication using a cleartext password and kerberos version 4
   authentication.  It also provides for two other authentication
   mechanisms as described in X.511: transfer of a hash of the client's
   password, and strong authentication based on the private key of the
   client.

   When used with the connectionless transport, no security services are
   available.  There has been some discussion about the desirability of
   authentication with connectionless LDAP requests.  This might take the
   form of a clear text password (which would go against the current IAB
   drive to remove such things from protocols) or some arbitrary
   credentials.  It is felt that, in general, authentication would incur
   sufficient overhead to negate the advantages of the connectionless
   basis of CLDAP. If an application requires authenticated access to the
   Directory then CLDAP is not an appropriate protocol.

8.  Acknowledgements

   This document is based heavily on RFC 1777, by Wengyik Yeong, Tim
   Howes, and Steve Kille.  It also includes material from RFC 1798, by
   Alan Young. Design ideas included in this document are based on those
   discussed in ASID and other IETF Working Groups.

9.  Bibliography

   [1] The Directory: Overview of Concepts, Models and Service.  ITU-T
       Recommendation X.500, 1993.

   [2] W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access
       Protocol", RFC 1777, March 1995.

   [3] Specification of Abstract Syntax Notation One (ASN.1).  CCITT
       Recommendation X.208, 1988.

   [4] S. Kille, "A String Representation of Distinguished Names", RFC
       1779, March 1995.

   [5] M. Wahl, A. Coulbeck, T. Howes, S. Kille, W. Yeong, C. Robbins,
       "Lightweight X.500 Directory Access Protocol Standard and Pilot
       Attribute Definitions", <draft-ietf-asid-ldapv3-attributes-00.txt>,
       February 1996.

   [6] The Directory: Models. ITU-T Recommendation X.501, 1993.

   [7] The Directory: Selected Attribute Types. ITU-T Recommendation
       X.520, 1993.

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

   [9] T. Howes, M. Smith, An LDAP URL Format, December 1995,
       <draft-ietf-asid-ldap-format-03.txt>

   [10] The Directory: Procedures for Distributed Operation.  ITU-T
        Recommendation X.518, 1993.

   [11] Specification of Basic Encoding Rules for Abstract Syntax
        Notation One (ASN.1).  CCITT Recommendation X.209, 1988.

   [12] The Directory: Authentication Framework. ITU-T Recommendation
        X.509, 1993.

   [13] The Directory: Abstract Service Definition.  ITU-T Recommendation
        X.511, 1993.

   [14] Kerberos Authentication and Authorization System.  S.P. Miller,
        B.C. Neuman, J.I. Schiller, J.H. Saltzer; MIT Project Athena
        Documentation Section E.2.1, December 1987.

10.  Authors' Address

       Mark Wahl
       ISODE Consortium Inc.
       3925 West Braker Lane, Suite 333
       Austin, TX 78759
       USA

       Phone:  +1 512-305-0280
       EMail:  M.Wahl@isode.com


       Tim Howes
       University of Michigan
       ITD Research Systems
       535 W William St.
       Ann Arbor, MI 48103-4943
       USA

       Phone:  +1 313 747-4454
       EMail:   tim@umich.edu

       Steve Kille
       ISODE Consortium
       The Dome, The Square
       Richmond
       TW9 1DT
       UK

       Phone:  +44-181-332-9091
       EMail:  S.Kille@isode.com


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

Appendix A - Complete ASN.1 Definition

   In the IMPORTS statement the "AF" module refers to X.509(1993),
   and the "DAS" module to X.511(1993).

        Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
        IMPLICIT TAGS ::=

        BEGIN

        IMPORTS CertificationPath FROM AF
                Token FROM DAS;


        LDAPMessage ::= SEQUENCE {
                messageID       MessageID,
                cldapUserName   LDAPDN OPTIONAL,
                protocolOp      CHOICE {
                        bindRequest     BindRequest,
                        bindRespBasic   BindResponseBasic,
                        bindRespExtd    BindResponseExtended,
                        unbindRequest   UnbindRequest,
                        searchRequest   SearchRequest,
                        searchResEntry  SearchResultEntry,
                        searchResDone   SearchResultDone,
                        searchResRef    SearchResultReference,
                        searchResFull   SearchResultFull,
                        modifyRequest   ModifyRequest,
                        modifyResponse  ModifyResponse,
                        addRequest      AddRequest,
                        addResponse     AddResponse,
                        delRequest      DelRequest,
                        delResponse     DelResponse,
                        modDNRequest    ModifyDNRequest,
                        modDNResponse   ModifyDNResponse,
                        compareRequest  CompareRequest,
                        compareResponse CompareResponse,
                        abandonRequest  AbandonRequest,
                        extendedReq     ExtendedRequest,
                        extendedResp    ExtendedResponse } }


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

        MessageID ::= INTEGER (0 .. maxInt )

        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
        -- later may be extended to 9223372036854775807 (2^^63 - 1) --

        LDAPString ::= OCTET STRING

        LDAPDN ::= LDAPString

        RelativeLDAPDN ::= LDAPString

        AttributeType ::= LDAPString

        AttributeTypeList ::= SEQUENCE SIZE (0..maxInt) OF AttributeType

        AttributeValue ::= OCTET STRING

        AttributeValueAssertion ::= SEQUENCE {
                attributeType   AttributeType,
                assertionValue  AssertionValue }

        AssertionValue ::= OCTET STRING

        Attribute ::= SEQUENCE {
                type    AttributeType,
                vals    SET SIZE (1..maxInt) OF AttributeValue }

        MatchingRuleId ::= LDAPString

        LDAPResult ::= SEQUENCE {
                resultCode      ENUMERATED {
                             success                      (0),
                             operationsError              (1),
                             protocolError                (2),
                             timeLimitExceeded            (3),
                             sizeLimitExceeded            (4),
                             compareFalse                 (5),
                             compareTrue                  (6),
                             authMethodNotSupported       (7),
                             strongAuthRequired           (8),
                                        -- 9 reserved --
                             referral                     (10),  -- new
                             adminLimitExceeded           (11),  -- new
                             unavailableCriticalExtension (12),  -- new
                                        -- 14-15 unused --
                             noSuchAttribute              (16),
                             undefinedAttributeType       (17),
                             inappropriateMatching        (18),
                             constraintViolation          (19),
                             attributeOrValueExists       (20),
                             invalidAttributeSyntax       (21),
                                        -- 22-31 unused --
                             noSuchObject                 (32),
                             aliasProblem                 (33),
                             invalidDNSyntax              (34),
                             isLeaf                       (35),
                             aliasDereferencingProblem    (36),

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

                                        -- 37-47 unused --
                             inappropriateAuthentication  (48),
                             invalidCredentials           (49),
                             insufficientAccessRights     (50),
                             busy                         (51),
                             unavailable                  (52),
                             unwillingToPerform           (53),
                             loopDetect                   (54),
                                        -- 55-63 unused --
                             namingViolation              (64),
                             objectClassViolation         (65),
                             notAllowedOnNonLeaf          (66),
                             notAllowedOnRDN              (67),
                             entryAlreadyExists           (68),
                             objectClassModsProhibited    (69),
                             resultsTooLarge              (70), -- cl only
                             affectsMultipleDSAs          (71), -- new
                                        -- 72-79 unused --
                             other                        (80) },
                matchedDN       LDAPDN,
                errorMessage    LDAPString (SIZE (0..maxInt)),
                referral        [3] Referral OPTIONAL,
                matchedSubtype  [4] AttributeType OPTIONAL }

        Referral ::= SEQUENCE {
                servers         [0] SET SIZE (1..maxInt) OF LDAPURL }

        LDAPURL ::= OCTET STRING

        BindRequest ::= [APPLICATION 0] SEQUENCE {
                version                 INTEGER (1 .. 127),
                name                    LDAPDN,
                authentication          AuthenticationChoice,
                serviceControls         [7] Controls OPTIONAL }

        AuthenticationChoice ::= CHOICE {
                simple                  [1] OCTET STRING,
                krbv42LDAP              [2] OCTET STRING,
                krbv42DSA               [3] OCTET STRING,
                protected               [4] ProtectedPassword,
                strong                  [5] StrongCredentials,
                nonstandard             [6] NonstandardCredentials }


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

        ProtectedPassword ::= SEQUENCE {
                time1                   [0] UTCTime OPTIONAL,
                time2                   [1] UTCTime OPTIONAL,
                random1                 [2] BIT STRING OPTIONAL,
                random2                 [3] BIT STRING OPTIONAL,
                protected               [4] OCTET STRING }

        StrongCredentials ::= SEQUENCE {
                certification-path      [0] AF.CertificationPath OPTIONAL,
                bind-token              [1] DAS.Token }

        NonstandardCredentials ::= SEQUENCE {
                authMechanism           [0] LDAPString,
                authToken               [1] OCTET STRING }

        Controls ::= SEQUENCE SIZE (1..maxInt) OF SEQUENCE {
                criticality             [0] BOOLEAN DEFAULT FALSE,
                control                 ServiceControl }

        ServiceControl ::= CHOICE {
                referringServer         [0] LDAPURL,
                chainingProhibited      [1] BOOLEAN,
                scopeOfReferral         [2] ENUMERATED {
                                                any(-1),
                                                dmd(0),
                                                country(1) },
                referToLDAPServers      [3] BOOLEAN,
                referToDAPServers       [4] BOOLEAN,
                preferredSyntax         [5] SyntaxEncoding,
                extendedControl         [6] ExtendedControl }

        SyntaxEncoding ::= SEQUENCE {
                attributeType           [0] AttributeType,
                encodingPreference      [1] SyntaxName  }

        SyntaxName ::= LDAPString

        ExtendedControl ::= SEQUENCE {
                controlName             [0] LDAPString,
                controlValue            [1] OCTET STRING }

        BindResponseBasic ::= [APPLICATION 1] LDAPResult

        BindResponseExtended ::= [APPLICATION 17] SEQUENCE {
                serverURL       [0] LDAPURL,
                serverCreds     AuthenticationChoice }

        UnbindRequest ::= [APPLICATION 2] NULL

        SearchRequest ::= [APPLICATION 3] SEQUENCE {
                baseObject      LDAPDN,
                scope           ENUMERATED {
                        baseObject              (0),
                        singleLevel             (1),
                        wholeSubtree            (2) },

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

                derefAliases    ENUMERATED {
                        neverDerefAliases       (0),
                        derefInSearching        (1),
                        derefFindingBaseObj     (2),
                        derefAlways             (3) },
                sizeLimit       INTEGER (0 .. maxInt),
                timeLimit       INTEGER (0 .. maxInt),
                typesOnly       BOOLEAN,
                filter          Filter,
                attributes      AttributeTypeList,
                matchedOnly     [0] BOOLEAN DEFAULT FALSE,
                sortKeys        [1] SortKeyList OPTIONAL,
                reverseSort     [2] BOOLEAN DEFAULT FALSE,
                modifyRightsReq [3] BOOLEAN DEFAULT FALSE,
                extraAttributes [4] BOOLEAN DEFAULT FALSE,
                attrSizeLimit   [5] INTEGER OPTIONAL,
                subentries      [6] BOOLEAN DEFAULT FALSE,
                dontUseCopy     [7] BOOLEAN DEFAULT FALSE }

        SortKeyList ::= SEQUENCE SIZE (1..maxInt) OF SEQUENCE {
                attributeType   AttributeType,
                orderingRule    [0] MatchingRuleId OPTIONAL,
                startFrom       [1] AssertionValue OPTIONAL,
                endWith         [2] AssertionValue OPTIONAL }

        Filter ::= CHOICE {
                and             [0] SET SIZE (1..maxInt) OF Filter,
                or              [1] SET SIZE (1..maxInt) OF Filter,
                not             [2] Filter,
                equalityMatch   [3] AttributeValueAssertion,
                substrings      [4] SubstringFilter,
                greaterOrEqual  [5] AttributeValueAssertion,
                lessOrEqual     [6] AttributeValueAssertion,
                present         [7] AttributeType,
                approxMatch     [8] AttributeValueAssertion,
                extensibleMatch [9] MatchingRuleAssertion }

        SubstringFilter ::= SEQUENCE {
                type            AttributeType,
                substrings      SEQUENCE SIZE (1..maxInt) OF CHOICE {
                        initial [0] LDAPString,
                        any     [1] LDAPString,
                        final   [2] LDAPString } }

        MatchingRuleAssertion ::= SEQUENCE {
                matchingRules   [1] SET SIZE (0..maxInt) OF MatchingRuleId,
                type            [2] AttributeType,
                matchValue      [3] AssertionValue,
                dnAttributes    [4] BOOLEAN }

        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
                objectName      LDAPDN,
                attributes      PartialAttributeList,
                modifyRights    [2] ModifyRights OPTIONAL,
                incompleteEntry [3] BOOLEAN DEFAULT FALSE,
                fromEntry       [4] BOOLEAN DEFAULT FALSE }

INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

        PartialAttributeList ::= SEQUENCE SIZE (0..maxInt) OF SEQUENCE {
                type    AttributeType,
                vals    SET SIZE (0..maxInt) OF AttributeValue }

        SearchResultReference ::= [APPLICATION 18] Referral

        SearchResultDone ::= [APPLICATION 5] LDAPResult

        SearchResultFull ::= SEQUENCE SIZE (1..maxInt) OF CHOICE {
                        entry           SearchResultEntry,
                        reference       SearchResultReference,
                        resultCode      SearchResultDone }

        ModifyRights ::= SEQUENCE {
                entryRemove     BOOLEAN,
                entryModifyDN   BOOLEAN,
                attrRights      SET SIZE (0..maxInt) OF SEQUENCE {
                                        type            AttributeType,
                                        grantAdd        BOOLEAN,
                                        grantRemove     BOOLEAN } }

        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
                object          LDAPDN,
                modification    SEQUENCE SIZE (1..maxInt) OF SEQUENCE {
                        operation       ENUMERATED {
                                                add     (0),
                                                delete  (1),
                                                replace (2) },
                        modification    Attribute } }

        ModifyResponse ::= [APPLICATION 7] LDAPResult

        AddRequest ::= [APPLICATION 8] SEQUENCE {
                entry           LDAPDN,
                attributes      AttributeList }

        AttributeList ::= SEQUENCE SIZE (1..maxInt) OF SEQUENCE {
                type    AttributeType,
                vals    SET SIZE (1..maxInt) OF AttributeValue }

        AddResponse ::= [APPLICATION 9] LDAPResult

        DelRequest ::= [APPLICATION 10] LDAPDN

        DelResponse ::= [APPLICATION 11] LDAPResult


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
                entry           LDAPDN,
                newrdn          RelativeLDAPDN,
                deleteoldrdn    BOOLEAN,
                newSuperior     [0] LDAPDN OPTIONAL }

        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

        CompareRequest ::= [APPLICATION 14] SEQUENCE {
                entry           LDAPDN,
                ava             AttributeValueAssertion,
                timeLimit       [0] INTEGER (0 .. maxInt) OPTIONAL,
                dontUseCopy     [1] BOOLEAN DEFAULT FALSE }

        CompareResponse ::= [APPLICATION 15] LDAPResult

        AbandonRequest ::= [APPLICATION 16] MessageID

        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
                requestName             [0] LDAPString,
                requestValue            [1] OCTET STRING }

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
                response                [0] OCTET STRING OPTIONAL,
                standardResponse        [1] LDAPResult }


        END

Appendix B - Imported ASN.1 Definitions

   Note that the types described here are distinct from those defined in
   the body of this document.


INTERNET-DRAFT Lightweight Directory Access Protocol    19 February 1996

B.1. Types from X.509(1993) "Authentication Framework"

   The type "Certificate" is defined in X.509(1993).  It it strongly
   recommended that clients and server implementations which support
   certificates implement the draft addendums to X.509 which provide
   certificate extensions.

        AlgorithmIdentifier ::= SEQUENCE {
                algorithm  OBJECT IDENTIFIER,
                parameters ANY OPTIONAL }

        CertificatePair ::= SEQUENCE {
                forward [0] Certificate OPTIONAL,
                reverse [1] Certificate OPTIONAL
                        -- at least one of the pair shall be present -- }

        CertificationPath ::= SEQUENCE {
                userCertificate         Certificate,
                theCACertificates       SEQUENCE OF CertificatePair
                                                OPTIONAL }

B.2. Types from X.511(1993) "Directory Abstract Syntax"

   The type "DistinguishedName" is defined in X.501(1993).  It is the
   ASN.1 encoding, not a string encoding.

        Token ::= SIGNED { SEQUENCE {
                algorithm       [0] AlgorithmIdentifier,
                name            [1] DistinguishedName,
                time            [2] UTCTime,
                random          [3] BIT STRING } }