[Search] [pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 rfc2251                         
Network Working Group                                            M. Wahl
INTERNET-DRAFT                                       Critical Angle Inc.
Obsoletes: RFC 1777, RFC 1798                                   T. Howes
                                           Netscape Communications Corp.
                                                                S. Kille
                                                        ISODE Consortium
Expires in six months from                                30 August 1996
Intended Category: Standards Track


                  Lightweight Directory Access Protocol (v3)
                  <draft-ietf-asid-ldapv3-protocol-02.txt>


Table of Contents - see end of document.

1.  Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas, and
   its working groups.  Note that other groups may also distribute working
   documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing  contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

2.  Abstract

   The protocol described in this document is designed to provide access
   to directories supporting the X.500 models, while not incurring the
   resource requirements of the X.500 Directory Access Protocol (DAP). This
   protocol is specifically targeted at management applications and browser
   applications that provide read/write interactive access to directories.
   When used with a directory supporting the X.500 protocols, it is
   intended to be a complement to the X.500 DAP.

   Key aspects of this version of LDAP are:

   - All protocol elements of LDAP (RFC 1777) and CLDAP (RFC 1798) are
     supported.

   - Protocol elements are carried directly over TCP or other transport,
     bypassing much of the session/presentation overhead.  Connectionless
     transport (UDP) is also supported for efficient lookup operations.

   - Most protocol data elements can be encoded as ordinary strings
     (e.g., Distinguished Names).

   - New features have been added to enable more powerful clients, such as
     the abilities to retrieve attribute values in binary or search results
     in pages.

Wahl, Howes, Kille                                                [Page 1]


INTERNET-DRAFT                     LDAP                          August 1996

   - Important features of X.500(1993) and X.500(1997) are included.

   - Referrals to other servers may be returned.

   - The protocol may be extended to support bilaterally-defined
     operations.

   - Several session controls may be requested by the client.

3.  Models

   Interest in X.500 [1] directory technologies in the Internet has lead to
   efforts to reduce the high "cost of entry" associated with use of these
   technologies.  This document continues the efforts to define directory
   protocol alternatives: it updates the LDAP [2] protocol specification,
   adding support for new features, including some support for connecting
   to X.500 services that implement the 1993 or 1997 edition protocols.

3.1. Protocol Model

   The general model adopted by this protocol is one of clients
   performing protocol operations against servers. In this model, a
   client transmits a protocol request describing the operation to be
   performed to a server, which is then responsible for performing
   the necessary operation(s) in the directory. Upon completion of
   the operation(s), the server returns a response containing any results or
   errors to the requesting client.

   In keeping with the goal of easing the costs associated with use of
   the directory, it is an objective of this protocol to minimize the
   complexity of clients so as to facilitate widespread deployment of
   applications capable of utilizing the directory.

   Note that, although servers are required to return responses whenever
   such responses are defined in the protocol, there is no requirement
   for synchronous behavior on the part of either clients or servers.
   Requests and responses for multiple operations may be exchanged
   between a client and server in any order, provided the client
   eventually receives a response for every request that requires one.

   In LDAP versions 1 and 2, no provision was made for protocol servers
   returning referrals to clients.  However, for improved performance and
   distribution this version of the protocol permits servers to return to
   clients referrals to other servers if requested.  This allows servers,
   if requested by clients, to offload the work of contacting other servers
   to progress operations.

   Clients may also request that no referrals be returned, in which case
   the server must ensure that the operation is performed against the
   directory, or else return an error.  This is the default.

   Note that this protocol can be mapped to a strict subset of the
   X.500(1997) directory abstract service, so it can be cleanly provided
   by the DAP.  However there is not a one-to-one mapping between LDAP
   protocol operations and DAP operations: server implementations
   acting as a gateway to X.500 directories may need to make multiple DAP
   requests to perform extended operations.

Wahl, Howes, Kille                                                [Page 2]


INTERNET-DRAFT                     LDAP                          August 1996
3.2. Data Model

   This section provides a brief introduction to the X.500 data model, as
   used by LDAP.

   The LDAP protocol assumes there are one or more servers which jointly
   provide access to a Directory Information Tree.  The tree is made up of
   entries.  Entries have names: one or more values from the entry itself
   form its relative distinguished name, which must be unique among all
   its siblings.  The concatenation of the relative distinguished names
   of the line of entries from a particular entry to an immediate
   subordinate of the root of the tree forms that entry's Distinguished
   Name, which is unique in the tree.  An example of a Distinguished Name is

   CN=Steve Kille, O=ISODE Consortium, C=GB

   Entries consist of a set of attributes.  An attribute is a type with
   one or more associated values.  The attribute type, identified by a
   short descriptive name and an OID (object identifier), governs the
   maximum number of values permissible for an attribute of that type
   in an entry, the syntax to which the values must conform, the types
   of matching which can be performed on values of that attribute, and
   other functions.

   An example of an attribute is "mail". There may be one or more values
   of this attribute, they must be IA5 strings, and they are case
   insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").

   Some servers may hold cache or shadow copies of entries, which can be
   used to answer search and comparison queries, but will return referrals
   or contact other servers if modification operations are requested.

3.2.1 Attributes of Entries

   Each entry must have an objectClass attribute.  The objectClass
   attribute specifies the object classes of an entry, which along with
   the system and user schema determine the permitted attributes of an entry.
   Values of this attribute may be modified by clients, but the objectClass
   attribute cannot be removed.  Servers may restrict the modifications of
   this attribute to  prevent the basic structural class of the entry from
   being changed (e.g. one cannot change a person into a country).

   Servers should not permit clients to add attributes to an entry unless
   those attributes are permitted by the object class definitions, the user
   schema controlling that entry (specified in the subschema subentry), or
   are operational attributes known to that server and used for
   administrative purposes.  Note that there is a particular objectClass
   'extensibleObject' defined in [5] which permits all user attributes.

   Entries may contain, among others, the following operational attributes,
   defined in [5], which if present should not be modifiable by clients:

   - creatorsName: the Distinguished Name of the user who added this entry
     to the directory.
   - createTimestamp: the time this entry was added to the directory.
   - modifiersName: the Distinguished Name of the user who last modified
     this entry.
   - modifyTimestamp: the time this entry was last modified.

Wahl, Howes, Kille                                                [Page 3]


INTERNET-DRAFT                     LDAP                          August 1996
   - subschemaSubentry:  the Distinguished Name of the subschema subentry
     which controls the schema for this entry.
   - entryName: the Distinguished Name of the entry.

   Servers may implement other operational attributes.  Servers which
   also make use of X.500(1993) protocols should provide support
   for the attributes defined in X.501, including administrativeRole and
   dseType.  Some servers may permit the retrieval of subschema attributes
   directly from user entries.

3.2.2 Subschema Subentry

   A server may provide access to one or more subschema subentries to
   permit clients to interrogate the schema which is in force for entries
   in the directory.

   A server which masters entries and permits clients to modify these
   entries must implement and provide access to these subschema subentries,
   so that its clients may discover the attributes and object classes which
   are permitted to be present. It is strongly recommended that all other
   servers implement subschema subentries as well.

   The following four attributes, defined in [6] with string representations
   in [5], must be present in all subschema subentries:

   - CN: this attribute should be used to form the RDN of the subschema
     subentry.
   - objectClass: the attribute should have at least the values "top" and
     "subschema".
   - objectClasses: each value of this attribute specifies an object class
     known to the server.
   - attributeTypes: each value of this attribute specifies an attribute
     type known to the server.

   Other operational attributes may be present in subschema subentries,
   in particular dseType, subtreeSpecification, ditStructureRules, nameForms,
   ditContentRules, matchingRules, matchingRuleUse, createTimestamp,
   creatorsName, modifyTimestamp, modifiersName, entryName, as described in
   [6].

   Clients must only retrieve these attributes from a subentry by requesting
   them by name in a baseObject search of the subentry.

3.3. Relationship to X.500

   This document defines LDAP in terms of X.500 as an X.500 access
   mechanism.  An LDAP server should act in accordance with the
   X.500(1993) series of ITU Recommendations when providing the service.
   However, it is not required that an LDAP server make use of any X.500
   protocols in providing this service, e.g. LDAP can be mapped onto any
   other directory system so long as the X.500 data and service model as
   used in LDAP is not violated in the LDAP interface.







Wahl, Howes, Kille                                                [Page 4]


INTERNET-DRAFT                     LDAP                          August 1996

3.4. Server-specific Data Requirements

   An LDAP server must provide information about itself and other
   information that is specific to each server.  This is represented as a
   number of attributes located in the root DSE (DSA-Specific Entry),
   which is named with the zero-length LDAPDN.  These attributes
   should be retrievable if a client performs a base object search of the
   root, however they are subject to access control restrictions.
   They should not be included if the client performs a subtree search
   starting from the root.  The server may, but need not, allow the client to
   modify these attributes.

   The following attributes of the root DSE are defined in section 5.1.3 of
   [5].  Additional attributes may be defined in later documents.

   - administratorAddress: a URL containing address of administrator.
   - currentTime: the current time.
   - serverName: the Distinguished Name of the server.
   - certificationPath: the server's certificate path.
   - namingContexts: naming contexts held in the server.
   - subschemaSubentry: subschema subentries known by this server.
   - altServer: alternative servers in case this one is later unavailable.
   - supportedExtension: list of supported extensions.

   If the server does not master or shadow entries and does not know the
   locations of schema information, the subschemaSubentry attribute should
   not be present in the root DSE.  If the server holds master or shadow
   copies of directory entries under one or more schema rules, there may be
   any number of values of the subschemaSubentry attribute in the root DSE.

4.  Elements of Protocol

   The LDAP protocol is described using Abstract Syntax Notation 1 [3]. It
   is typically transferred using a subset of the Basic Encoding Rules.
   In order to support future extensions to this protocol, clients and
   servers should ignore elements of SEQUENCEs whose tags they do not
   recognize.

   Note that unlike X.500, each change to the LDAP protocol other than through
   the extension mechanisms will have a different version number.  A client
   may indicate the version it supports as part of the bind request,
   described in section 4.1.2.  If a client has not sent a bind, the server
   should assume that version 3 is supported in the client (since version 2
   required that the client bind first).

4.1. Common Elements

   This section describes the LDAPMessage envelope PDU format, as well as
   data type definitions which are used in the protocol operations.

4.1.1. Message Envelope

   For the purposes of protocol exchanges, all protocol operations are
   encapsulated in a common envelope, the LDAPMessage, which is defined
   as follows:



Wahl, Howes, Kille                                                [Page 5]


INTERNET-DRAFT                     LDAP                          August 1996
        LDAPMessage ::= SEQUENCE {
                messageID       MessageID,
                cldapUserName   LDAPDN OPTIONAL,
                protocolOp      CHOICE {
                        bindRequest     BindRequest,
                        bindResponse    BindResponse,
                        unbindRequest   UnbindRequest,
                        searchRequest   SearchRequest,
                        searchResEntry  SearchResultEntry,
                        searchResDone   SearchResultDone,
                        searchResRef    SearchResultReference,
                        searchResFull   SearchResultFull,
                        modifyRequest   ModifyRequest,
                        modifyResponse  ModifyResponse,
                        addRequest      AddRequest,
                        addResponse     AddResponse,
                        delRequest      DelRequest,
                        delResponse     DelResponse,
                        modDNRequest    ModifyDNRequest,
                        modDNResponse   ModifyDNResponse,
                        compareRequest  CompareRequest,
                        compareResponse CompareResponse,
                        abandonRequest  AbandonRequest,
                        sessionRequest  SessionRequest,
                        sessionResponse SessionResponse,
                        resumeRequest   ResumeRequest,
                        resumeError     ResumeError,
                        extendedReq     ExtendedRequest,
                        extendedResp    ExtendedResponse } }

        MessageID ::= INTEGER (0 .. maxInt)

        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

   The function of the LDAPMessage is to provide an envelope containing
   common fields required in all protocol exchanges. At this time the
   only common fields are the message ID and cldapUserName.

   The message ID value must be echoed in all LDAPMessage envelopes
   encapsulating responses corresponding to the request contained in
   the LDAPMessage in which the message ID value was originally used.

   The message ID is required to have a value different from the values of
   any other requests outstanding in the LDAP session of which this
   message is a part.  A client must not send a second request with the same
   message ID as another request if the first request is outstanding.
   If it does so, the behavior is undefined.  Typically a client will
   increment a counter for each request.

   For all requests except for a search with a pageSizeLimit, the message ID
   is outstanding until the client receives the final response for that
   operation.

   For searchRequest with a pageSize limit, if the client did not receive a
   SearchResultDone for that search indicating all results were received,
   the message ID is outstanding until after the operation is abandoned.



Wahl, Howes, Kille                                                [Page 6]


INTERNET-DRAFT                     LDAP                          August 1996

   A client must not reuse the message id of an abandonRequest or the
   abandoned operation until it has received a response from the server for
   another request invoked subsequent to the abandonRequest, as the
   abandonRequest itself does not have a response.

   The cldapUserName identifies the requesting user for this message. It
   is only present for backwards compatability with RFC 1798, if this
   LDAPMessage is carried in a connectionless transport protocol, such as UDP.
   Its significance is equivalent to a bind with a zero-length password.
   When the LDAP session is carried in a connection-oriented transport
   protocol this field must be absent.  LDAPv3 client implementors should not
   use this field in connectionless requests, but instead concatenate a bind
   request with the other operations in the request.  Concatenation and
   connectionless transport are described in section 5.1.3.

4.1.2. String Types

   The LDAPString is a notational convenience to indicate that, although
   strings of LDAPString type encode as OCTET STRING types, the Unicode
   [15] character set is used, encoded following the UTF-8 algorithm [16].
   Note that in the UTF-8 algorithm, characters which are the same as
   ASCII (0000 through 007F) are represented as that same ASCII character
   in a single byte.  The other byte values are used to form a variable-
   length encoding of an arbitrary Unicode character.

        LDAPString ::= OCTET STRING

   The LDAPOID is a notational convenience to indicate that the permitted
   value of this string is a dotted-decimal representation of an OBJECT
   IDENTIFIER.

        LDAPOID ::= OCTET STRING

   For example,
        1.3.6.1.4.1.1466.1.2.3

4.1.3. Distinguished Name and Relative Distinguished Name

   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
   representation of a Distinguished Name and a Relative Distinguished
   Name after encoding according to the specification in [4], such that

        <distinguished-name> ::= <name>

        <relative-distinguished-name> ::= <name-component>

   where <name> and <name-component> are as defined in [4].

        LDAPDN ::= LDAPString

        RelativeLDAPDN ::= LDAPString







Wahl, Howes, Kille                                                [Page 7]


INTERNET-DRAFT                     LDAP                          August 1996

4.1.4. Attribute Type and Description

   An AttributeType takes on as its value the textual string associated
   with that AttributeType in its specification.  This string must begin
   with a letter, and only contain ASCII letters and digit characters.
   If this string is not known, the AttributeType should take the ASCII
   representation of its OBJECT IDENTIFIER, as decimal digits with
   components separated by periods, e.g., "2.5.4.10". The attribute type
   strings which are used in this version of LDAP are described in [5].

        AttributeType ::= LDAPString

   An AttributeDescription is a superset of the definition of the
   AttributeType.  It has the same ASN.1 definition, but allows additional
   options to be specified.

        AttributeDescription ::= LDAPString

   A value of AttributeDescription is based on the following BNF:

        <AttributeDescription> ::= <AttributeType> [ ";" <options> ]

        <options> ::= <option> | <option> ";" <options>

        <option> ::= <language-option> | <binary-option>

        <language-option> ::= "lang=" <lang-code>

        <lang-code> ::= <printable-ascii>  -- as defined in [17]

        <binary-option> ::= "binary"

   If the "binary" option is present, this overrides any string-based
   encoding representation defined for that attribute in [5].  Instead the
   attribute is to be transferred as a DER-encoded binary value [11].

   If the "lang=" option is present, this associates a natural language
   with values for that attribute.  The binary and language tags may both
   be present in an AttributeDescription.  The format and use of language
   tags in LDAP is defined in [17].  (The language tag has no effect on the
   character set encoding for string representations of DirectoryString
   syntax values; UTF-8 is always used).

   Examples of valid AttributeDescription:

        CN
        givenName;lang=en-US
        CN;lang=ja-JP-kanji
        CN;lang=ja-JP-roman
        userCertificate;binary
        1.3.6.1.4.1.1466.99.98.97;binary







Wahl, Howes, Kille                                                [Page 8]


INTERNET-DRAFT                     LDAP                          August 1996

   The data type "AttributeDescriptionList" describes a list of 0 or more
   attribute types.  (A list of zero elements has special significance in
   the Search request.)

        AttributeDescriptionList ::= SEQUENCE OF
                AttributeDescription


4.1.5. Attribute Value

   A field of type AttributeValue takes on as its value either an octet string
   encoding of a AttributeValue data type, or an OCTET STRING containing
   a DER-encoded binary value, depending on whether the "binary" option is
   present in the companion AttributeDescription to this AttributeValue.

   The definition of string encodings for different syntaxes and types may
   be found in companions to this document, in particular [5].

        AttributeValue ::= OCTET STRING

   Note that there is no defined limit on the size of this encoding; thus
   PDUs including multi-megabyte attributes (e.g. photographs) may be
   returned. If the client has limited memory or storage capabilities it
   may wish to set the attrSizeLimit session control before invoking a
   search operation.

   Clients and server implementors should be aware that attributes whose
   type names they do not recognize may have an arbitrary and non-printable
   syntax.  Implementations should not either simply display or attempt to
   decode as DER a value if its syntax is not known.  The implementation
   may attempt to discover the subschema subentry and retrieve the value of
   attributeTypes from it.

4.1.6. Attribute Value Assertion

   The AttributeValueAssertion type definition is similar to the one in
   the X.500 directory standards.  It contains an attribute description
   and a equality matching assertion suitable for that type.

        AttributeValueAssertion ::= SEQUENCE {
                attributeDesc   AttributeDescription,
                assertionValue  AssertionValue }

        AssertionValue ::= OCTET STRING

   If the "binary" option is present in attributeDesc, this signals to the
   server that the assertionValue is a binary DER encoding of the assertion
   value.

   For all the string-valued user attributes described in [5], the assertion
   value syntax is the same as the value syntax.  Note however that the
   assertion syntax may be different than the value syntax for operational
   attributes or for non-equality matching rules.





Wahl, Howes, Kille                                                [Page 9]


INTERNET-DRAFT                     LDAP                          August 1996

4.1.7. Attribute

   An attribute consists of a type and one or more values of that type.
   (Though attributes must have at least one value when stored, due to
   access control restrictions the set may be empty when transferred
   in protocol.  This is described in section 4.5.2, concerning the
   PartialAttributeList type.)

        Attribute ::= SEQUENCE {
                type    AttributeDescription,
                vals    SET OF AttributeValue }

4.1.8. Matching Rule Identifier

   An X.501(1993) Matching Rule is identified in the LDAP protocol by the
   ASCII representation of its OBJECT IDENTIFIER, either as one of the
   strings given in [5], or as decimal digits with components separated by
   periods, e.g. "caseIgnoreIA5Match" or "1.3.6.1.4.1.453.33.33".

        MatchingRuleId ::= LDAPString

4.1.9. Result Message

   The LDAPResult is the construct used in this protocol to return
   success or failure indications from servers to clients. In response
   to various requests, servers will return responses containing fields
   of type LDAPResult to indicate the final status of a protocol
   operation request.






























Wahl, Howes, Kille                                                [Page 10]


INTERNET-DRAFT                     LDAP                          August 1996

        LDAPResult ::= SEQUENCE {
                resultCode      ENUMERATED {
                             success                      (0),
                             operationsError              (1),
                             protocolError                (2),
                             timeLimitExceeded            (3),
                             sizeLimitExceeded            (4),
                             compareFalse                 (5),
                             compareTrue                  (6),

                             authMethodNotSupported       (7),
                             strongAuthRequired           (8),
                                        -- 9 reserved --
                             referral                     (10),  -- new
                             adminLimitExceeded           (11),  -- new
                             unavailableCriticalExtension (12),  -- new
                                        -- 13-15 unused --
                             noSuchAttribute              (16),
                             undefinedAttributeType       (17),
                             inappropriateMatching        (18),
                             constraintViolation          (19),
                             attributeOrValueExists       (20),
                             invalidAttributeSyntax       (21),
                                        -- 22-31 unused --
                             noSuchObject                 (32),
                             aliasProblem                 (33),
                             invalidDNSyntax              (34),
                             -- 35 reserved for undefined isLeaf --
                             aliasDereferencingProblem    (36),
                                        -- 37-47 unused --
                             inappropriateAuthentication  (48),
                             invalidCredentials           (49),
                             insufficientAccessRights     (50),
                             busy                         (51),
                             unavailable                  (52),
                             unwillingToPerform           (53),
                             loopDetect                   (54),
                                        -- 55-63 unused --
                             namingViolation              (64),
                             objectClassViolation         (65),
                             notAllowedOnNonLeaf          (66),
                             notAllowedOnRDN              (67),
                             entryAlreadyExists           (68),
                             objectClassModsProhibited    (69),
                             resultsTooLarge              (70), -- cl only
                             affectsMultipleDSAs          (71), -- new
                                        -- 72-79 unused --
                             other                        (80) },
                             -- 81-90 reserved for APIs --
                matchedDN       LDAPDN,
                errorMessage    LDAPString,
                referral        [3] Referral OPTIONAL }






Wahl, Howes, Kille                                                [Page 11]


INTERNET-DRAFT                     LDAP                          August 1996

   The errorMessage field of this construct may, at the servers option,
   be used to return a string containing a textual, human-readable
   error diagnostic. As this error diagnostic is not standardized,
   implementations should not rely on the values returned.  If the server
   chooses not to return a textual diagnostic, the errorMessage field of
   the LDAPResult type should contain a zero length string.

   For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax
   and aliasDereferencingProblem, the matchedDN field is set to
   the name of the lowest entry (object or alias) in the DIT that was
   matched.  If no aliases were dereferenced while attempting to locate
   the entry, this will be a truncated form of the name provided.
   The matchedDN field should be set to a NULL DN (a zero length
   string) with all other result codes.

4.1.10. Referral

   The referral field is present in an LDAPResult if the
   LDAPResult.resultCode field value is referral, and absent with all other
   result codes.  It contains a reference to another server (or set of
   servers) which may be accessed via LDAP or other protocols.
   At least one LDAPURL must be present in the Reference.

        Referral ::= SEQUENCE OF LDAPURL

        LDAPURL ::= LDAPString  -- limited to characters permitted in URLs

   The client may contact any of the listed URLs [14] of servers to
   continue the request. Each server in the list must be capable of
   processing the operation and presenting a consistent view of the DIT to
   the client. (The mechanisms for how servers achieve this are outside
   the scope of this document.)

   URLs for servers implementing the LDAP protocol are written according
   to [9].  If an alias was dereferenced, the dn part of the URL should
   be present, with the new target object name.  If this is present,
   the client should use this name in its next request, otherwise it
   should use the same name as in the original request.  Some servers
   (e.g. participating in distributed indexing) may change the filter
   in a referral for a search operation.  If the filter part of the URL is
   present in an LDAPURL, the client should use this filter in its next
   request, otherwise it should use the same filter as it used for that
   search.

   Note that UTF-8 characters appearing in a DN or search filter may not
   be legal for URLs (e.g. spaces) and must be escaped using the % method
   in RFC 1738.

   Other kinds of URLs may be returned so long as the operation could be
   performed using that protocol, and the client has indicated (in a session
   control) that it could support that protocol.

   If the client has not indicated that it is capable of handling referrals,
   the server should attempt to progress the referral on behalf of the client.
   Only if it fails to do so may it return a referral, and the URLs in this
   referral must be of the LDAP form.


Wahl, Howes, Kille                                                [Page 12]


INTERNET-DRAFT                     LDAP                          August 1996

4.2.  Bind Operation

   The function of the Bind Operation is to allow authentication information
   to be exchanged between the client and server.

   The Bind Request is defined as follows:

        BindRequest ::= [APPLICATION 0] SEQUENCE {
                version                 INTEGER (1 .. 127),
                name                    LDAPDN,
                authentication          AuthenticationChoice }

        AuthenticationChoice ::= CHOICE {
                simple                  [0] OCTET STRING,
                                         -- 1 and 2 reserved
                sasl                    [3] SaslCredentials }

        SaslCredentials ::= SEQUENCE {
                mechanism               LDAPString,
                credentials             OCTET STRING }

   Parameters of the Bind Request are:

   - version: A version number indicating the version of the protocol to
     be used in this protocol session.  This document describes version
     3 of the LDAP protocol.  Note that there is no version negotiation,
     and the client should just set this parameter to the version it
     desires.  The client may request version 2, in which case the server
     must implement only the protocol as described in [2], and not
     return any v3-specific result codes or protocol fields.

   - name: The name of the directory object that the client wishes to
     bind as.  This field may take on a null value (a zero length
     string) for the purposes of anonymous binds, when authentication
     has been performed at a lower layer, or when using SASL credentials
     with a mechanism that includes the LDAPDN in the credentials.

   - authentication: information used to authenticate the name, if any,
     provided in the Bind Request.

   Upon receipt of a Bind Request, a protocol server will authenticate
   the requesting client, if necessary.  The server will then return a
   Bind Response to the client indicating the status of the authentication.

4.2.1. Sequencing of the Bind Request

   For some authentication mechanisms, it may be necessary for the client
   to invoke the BindRequest multiple times.  If at any stage the client
   wishes to abort the bind process it should drop the underlying
   connection.  Clients must not invoke operations between two Bind requests
   made as part of a multi-stage bind.







Wahl, Howes, Kille                                                [Page 13]


INTERNET-DRAFT                     LDAP                          August 1996

   Unlike LDAP v2, the client need not send a Bind Request in the first
   PDU of the connection.  The client may request any operations and the
   server should treat these as unauthenticated (or authentication may have
   already occured at a lower layer).  If the server requires that the
   client bind first, the server should reject any request other than
   binding or unbinding with the "operationsError" result. If the
   client did not bind before sending a request and receives an
   operationsError, it should close the connection, reopen it and begin
   again by first sending a PDU with a Bind Request.  This will aid in
   interoperating with LDAPv2 servers.

   Clients may send multiple bind requests on an association to change
   their credentials. A subsequent bind process has the effect of abandoning
   all search, compare and resume operations outstanding.
   Authentication or controls from earlier binds are subsequently ignored, and
   so if the bind fails, the connection will be treated as anonymous.
   Clients should resend their session controls if needed after rebinding,
   as session controls may be reset to defaults by servers.

4.2.2 Authentication and Other Security Services

   The simple authentication option provides minimal authentication
   facilities, with the contents of the authentication field consisting
   only of a cleartext password.  Note that the use of cleartext passwords
   is not recommended over open networks when there is no authentication or
   encryption being performed by a lower layer; see the "Security
   Considerations section".

   If no authentication is to be performed, or has been performed at a
   lower layer, then the simple authentication option should be chosen,
   and the password be of zero length.  (This is often done by LDAPv2
   clients.)

   The sasl choice allows for any mechanism defined for use with SASL [18]
   or listed in Appendix B to be used.  The mechanism field contains the
   name of the mechanism.  The credentials field contains the arbitrary data
   used for authentication, inside an OCTET STRING wrapper.  Note that unlike
   some Internet application protocols where SASL is used, LDAP is not
   text-based, thus no base64 transformations are performed on the credentials.

   If any SASL-based integrity or confidentiality services are enabled, they
   take effect following the transmission by the server and reception by
   the client of the final BindResponse with resultCode success.

4.2.3. Bind Response

   The Bind Response is defined as follows.

        BindResponse ::= [APPLICATION 1] SEQUENCE {
             COMPONENTS OF LDAPResult,
             supportedVersion   [5] INTEGER (1..127) OPTIONAL,
             serverURL          [6] LDAPURL OPTIONAL,
             serverCreds        [7] AuthenticationChoice OPTIONAL }

   A BindResponse consists simply of an indication from the server of
   the status of the client's request for authentication.


Wahl, Howes, Kille                                                [Page 14]


INTERNET-DRAFT                     LDAP                          August 1996

   If the bind was successful, the resultCode will be success,
   otherwise it will be one of:

                operationsError
                protocolError
                authMethodNotSupported
                strongAuthRequired
                referral
                inappropriateAuthentication
                invalidCredentials
                unavailable
                unavailableCriticalExtension

   If the client receives a BindResponse response where the resultCode was
   protocolError and the supportedVersion field is absent, it should close
   the connection as the server will be unwilling to accept further
   operations.  (This is for compatability with earlier versions of LDAP.)

   The serverURL contains the URL of this LDAP server, if it wishes to
   provide an "authoritative" URL for itself.  Typically this will be a
   URL of the "ldap:" type, indicating the official host name, and the
   name part of the URL will contain the encoded name of the server itself.
   The serverCreds are used as part of a SASL-defined bind mechanism; to
   allow the client to authenticate the server to which it is communicating,
   or to perform "challenge-response" authentication.  If the client
   bound with the password choice, or the SASL mechanism does not require
   the server to return information to the client, then this field is not
   to be included in the result.

   The supportedVersion field contains the minimum of the version supplied
   by the client in the BindRequest and the highest version of LDAP supported
   in the server.  If the client and server both implement the protocol
   described in this document it will have the value 3.  This field
   should be absent when responding to a version 2 or earlier client.

4.3.  Unbind Operation

   The function of the Unbind Operation is to terminate a protocol
   session.  The Unbind Operation is defined as follows:

        UnbindRequest ::= [APPLICATION 2] NULL

   The Unbind Operation has no response defined. Upon transmission of an
   UnbindRequest, a protocol client may assume that the protocol session
   is terminated. Upon receipt of an UnbindRequest, a protocol server
   may assume that the requesting client has terminated the session and
   that all outstanding requests may be discarded, and may close the
   connection.  All session controls will be forgotten and search result
   caches will be cleared when a connection closes.

4.4.  Session Control Operation

        SessionRequest ::= [APPLICATION 17] Controls

        SessionResponse ::= [APPLICATION 18] SEQUENCE {
                COMPONENTS OF LDAPResult,
                unsupportedCtls         [12] SEQUENCE OF LDAPString }

Wahl, Howes, Kille                                                [Page 15]


INTERNET-DRAFT                     LDAP                          August 1996

        Controls ::= SEQUENCE OF SEQUENCE {
                controlType             LDAPString,
                criticality             BOOLEAN DEFAULT FALSE,
                controlValue            OCTET STRING }

   Session Controls are requests made by the client which affect its
   interaction with the server. Controls are not saved after a session
   unbinds or disconnects abruptly, and do not affect other sessions to
   this or other servers. Session controls do not affect operations which
   have already been requested on this connection, e.g. if the client sends
   a search request and subsequently sends a sessionControlRequest while the
   server is in the middle of sending responses, the session controls which
   were in force when the search operation began should continue to apply
   for all the results of that search.

   Session controls are not cumulative, and a session request will
   override all session controls which were set by a previous request.
   If a control was set on a previous request and was not mentioned in
   a subsequent request, it will be reset by the server to its default
   value.  (This permits session controls, such as supportedProtocol, to
   have multiple values.)

   If the server is not capable of setting one or more requested controls,
   it should set as many as possible.  If any of the controls which the
   server could not set are marked as critical, it should return the
   unavailableCriticalExtension error.

   The controlType field must either be a string defined in this section,
   or a dotted-decimal representation of an OBJECT IDENTIFIER.  This will
   aid in preventing conflicts between privately-defined control extensions.
   String names are case insensitive.

   The following controls have been defined:
       - attrSizeLimit
       - dontUseCopy
       - usePartialCopy
       - referringServer
       - chainingProhibited
       - supportedProtocol
       - useAliasOnUpdate
       - manageDsaIT
       - preferredLanguage

   The attrSizeLimit control may be critical or non-critical at the client's
   request.  The value field contains either an empty string, implying no
   limit, or a string representation of a positive integer, e.g. "10000".
   The default if this control is not present is that there is no limit.
   The attrSizeLimit number is a size in bytes of the largest encoded value
   which the client is capable of processing.  Servers should not return
   attribute values in a search response which are larger than this size.
   (If attribute values are excluded because of this control, the
   incompleteEntry field should be set to TRUE in the SearchResultEntry).

   The dontUseCopy control may be critical or non-critical at the client's
   request.  The value field contains either "TRUE" or "FALSE".  To aid
   interoperability with LDAPv2 clients, the default if this control is
   not set is "FALSE".  This control only affects the Search and Compare
   operations.
Wahl, Howes, Kille                                                [Page 16]


INTERNET-DRAFT                     LDAP                          August 1996

   The usePartialCopy control may be critical or non-critical at the client's
   request.  The value field contains either "TRUE" or "FALSE".  To aid
   interoperability with LDAPv2 clients, the default if this control is
   not set is "FALSE".  This control only affects the Search and Compare
   operations when dontUseCopy is "FALSE".  If present and set to "TRUE",
   then if a contacted server holds at least one requested attribute or
   at least one subtype of a requested attribute type in an entry, that
   entry may be used to satisfy the request, even if not all the requested
   attributes are in the shadowed copy.  If FALSE the server must not
   return attributes from a shadow copy of an entry unless none of the
   requested attributes were excluded from the shadow copy.  (How servers
   replicate information and configure shadowing is outside the scope of
   this specification.)

   The referringServer control is always non-critical.  The value field
   contains the URL of another server which referred an operation to this
   server.  This control should only be present if the connection is being
   made only to process a referral.  If the connection will be held open to
   handle referrals from multiple servers this control should be omitted.
   There is no protocol effect of this control; it is used to assist in
   tracing knowledge inconsistencies in the distributed directory.

   The chainingProhibited control may be critical or non-critical at the
   client's request.  The value should be either "TRUE" or "FALSE".  To aid
   interoperability with LDAPv2 clients, the default if this control is not
   set is "FALSE".  If this control is present and set to "TRUE", the
   server should not contact any other servers as part of processing
   operations requested by this client, if it would be possible to instead
   return to the client a referral.   If the server is a gateway to X.500,
   and DAP is not a supported client referral protocol (see next paragraph),
   the server should set the chainingProhibited service control on any DAP
   or DSP requests it makes.

   The supportedProtocol control is always non-critical.  The field is
   a string name of a protocol which the client implements.  The name of
   the protocol may be "ldap", "cldap", "dap", any IANA-assigned protocol
   name or URL mechanism, or "*" to indicate that any type of referral may
   be returned.  If this control is present, a server should return a
   referral, rather than itself chain to another server using one of the
   indicated protocol.  This control may be present multiple times in a
   session control if the client wishes to name multiple protocols it
   supports.

   If the supportedProtocol control is absent and the server is capable of
   contacting other servers, then it should return not return results with
   referrals, as described in 4.1.10, or SearchResultContinuation, as
   described in 4.5.3.  If however the server is not capable of contacting
   other servers, it may return a referral or continuation containing a URL
   of type "LDAP".

   It is recommended that clients, as a minimum, support LDAP referrals,
   and set the supportedProtocol control to be "ldap".






Wahl, Howes, Kille                                                [Page 17]


INTERNET-DRAFT                     LDAP                          August 1996

   The useAliasOnUpdate control may be critical or non-critical at the
   client's request.  The value should be either "TRUE" or "FALSE".  To
   aid interoperability with LDAPv2 clients, the default if this control
   is not set is "FALSE".  If present and set to TRUE, the server should
   permit alias names to be used as components of a Distinguished Name in
   Add, Modify and Delete operations.  If the server is a gateway to X.500,
   it should set the useAliasOnUpdate critical extension on any DAP/DSP
   AddEntry, ModifyEntry and RemoveEntry requests it makes if this
   control is "TRUE".

   The manageDsaIT control is always critical.  The value should be either
   "TRUE" or "FALSE".  The default, if this control is not set, is "FALSE".
   This control affects the name resolution behavior of the server to
   permit a manager to read and modify knowledge references and other
   X.500 server-specific attributes.  If the server is a gateway to
   X.500, it should set the manageDsaIT critical extension, as well as the
   appropriate common arguments, on any DAP/DSP requests it makes, based on
   this control.

   The preferredLanguage control is always non-critical.  The use of this
   control and its impact on the directory is defined in [17].  The default
   if this control is not set, is that there is no preferred language.

4.5.  Search Operation

   The Search Operation allows a client to request that a search be
   performed on its behalf by a server.

4.5.1. Search Request

   The Search Request is defined as follows:

        SearchRequest ::= [APPLICATION 3] SEQUENCE {
                baseObject      LDAPDN,
                scope           ENUMERATED {
                        baseObject              (0),
                        singleLevel             (1),
                        wholeSubtree            (2) },
                derefAliases    ENUMERATED {
                        neverDerefAliases       (0),
                        derefInSearching        (1),
                        derefFindingBaseObj     (2),
                        derefAlways             (3) },
                sizeLimit       INTEGER (0 .. maxInt),
                timeLimit       INTEGER (0 .. maxInt),
                typesOnly       BOOLEAN,
                filter          Filter,
                attributes      AttributeDescriptionList,
                pageSizeLimit   [0] INTEGER OPTIONAL,
                sortKeys        [1] SortKeyList OPTIONAL }


        SortKeyList ::= SEQUENCE OF SEQUENCE {
                attributeType   AttributeType,
                orderingRule    [0] MatchingRuleId OPTIONAL,
                reverseOrder    [1] BOOLEAN DEFAULT FALSE }


Wahl, Howes, Kille                                                [Page 18]


INTERNET-DRAFT                     LDAP                          August 1996

        Filter ::= CHOICE {
                and             [0] SET OF Filter,
                or              [1] SET OF Filter,
                not             [2] Filter,
                equalityMatch   [3] AttributeValueAssertion,
                substrings      [4] SubstringFilter,
                greaterOrEqual  [5] AttributeValueAssertion,
                lessOrEqual     [6] AttributeValueAssertion,
                present         [7] AttributeType,
                approxMatch     [8] AttributeValueAssertion,
                extensibleMatch [9] MatchingRuleAssertion }

        SubstringFilter ::= SEQUENCE {
                type            AttributeDescription,
                -- at least one must be present
                substrings      SEQUENCE OF CHOICE {
                        initial [0] LDAPString,
                        any     [1] LDAPString,
                        final   [2] LDAPString } }

        MatchingRuleAssertion ::= SEQUENCE {
                matchingRule    [1] MatchingRuleId OPTIONAL,
                type            [2] AttributeType OPTIONAL,
                matchValue      [3] AssertionValue,
                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

   Parameters of the Search Request are:

   - baseObject: An LDAPDN that is the base object entry relative to
     which the search is to be performed.

   - scope: An indicator of the scope of the search to be performed. The
     semantics of the possible values of this field are identical to the
     semantics of the scope field in the X.511 Search Operation.

   - derefAliases: An indicator as to how alias objects should be
     handled in searching.  The semantics of the possible values of
     this field are:

             neverDerefAliases: do not dereference aliases in searching
             or in locating the base object of the search;

             derefInSearching: dereference aliases in subordinates of
             the base object in searching, but not in locating the
             base object of the search;

             derefFindingBaseObject: dereference aliases in locating
             the base object of the search, but not when searching
             subordinates of the base object;

             derefAlways: dereference aliases both in searching and in
             locating the base object of the search.

   - sizelimit: A sizelimit that restricts the maximum number of entries
     to be returned as a result of the search. A value of 0 in this
     field indicates that no sizelimit restrictions are in effect for
     the search.

Wahl, Howes, Kille                                                [Page 19]


INTERNET-DRAFT                     LDAP                          August 1996

   - timelimit: A timelimit that restricts the maximum time (in seconds)
     allowed for a search. A value of 0 in this field indicates that no
     timelimit restrictions are in effect for the search.

   - typesOnly: An indicator as to whether search results should contain
     both attribute types and values, or just attribute types.  Setting
     this field to TRUE causes only attribute types (no values) to be
     returned.  Setting this field to FALSE causes both attribute types
     and values to be returned.

   - filter: A filter that defines the conditions that must be fulfilled
     in order for the search to match a given entry.  The 'and', 'or' and
     'not' choices may be used to form boolean combinations of filters.  At
     least one filter element must be present in an 'and' or 'or'
     choice.  The others match against individual attribute values of
     entries in the scope of the search.

     The extensibleMatch is new in this version of LDAP.  If the
     matchingRule field is absent, the type field must be present, and
     the equality match is performed for that type.  If the type field is
     absent and matchingRule is present, the matchValue is compared
     against all attributes in an entry which support that matchingRule,
     and the matchingRule determines the syntax for the assertion value.
     If the type field is present and matchingRule is present, the
     matchingRule must be one permitted for use with that type.
     If the dnAttributes field is set to TRUE, the match is applied
     against all the attributes in an entry's distinguished name as
     well.  (Editors note: The dnAttributes field is present so that there
     does not need to be multiple versions of generic matching rules such as
     wordMatch, one to apply to entries and another to apply to entries and
     dn attributes as well).

   - attributes: A list of the attributes from each entry found as a
     result of the search to be returned. An empty list signifies that
     all user attributes from each entry found in the search are to be
     returned, as does the special attribute description string "*". (the
     latter technique allows the client to request all user attributes
     along with selected operational attributes).  If the client does not
     want any attributes returned, it can request only the attribute with
     OID "1.1".  Attributes should be named at most once in the list, and
     are returned at most once in an entry.

     Client implementors should note that even if all user attributes are
     requested, some attributes of the entry may not be included in search
     results due to access control restrictions.  Furthermore, servers
     will not return operational attributes, such as modifyRights or
     attributeTypes, unless they are listed by name, since there may be
     extremely large number of values for certain operational attributes.
     (A list of operational attributes for use in LDAP is given in [5].)

   - pageSizeLimit: if present, then if more entries are to be returned than
     the pageSizeLimit, the server should return only as many as this limit
     before returning the SearchResultDone response.  It must cache all of
     the resulting entries from this search, at least until the next
     (non-resume) operation is invoked.  The server may cache all the
     results for as long as the lifetime of the association, although if
     server resources are limited it may clear the cache after the next
     (non-resume) operation is invoked.
Wahl, Howes, Kille                                                [Page 20]


INTERNET-DRAFT                     LDAP                          August 1996

     If a pageSizeLimit was set and reached during the search, the client
     will be able to request more of the entries using the ResumeRequest,
     and the cached results can be cleared by the client sending the Abandon
     operation for this search message id. If the same or fewer entries than
     this limit are to be returned, the server should return all the entries
     and the SearchResultDone response, and need not cache the result. The
     pageSizeLimit does not affect SearchResultReference responses, of which
     any number may be returned by the server.

     If operating over connectionless data transport, the client must not
     set this field.

   - sortKeys: If this field is present, then it specifies one or more
     attribute types and matching rules, and the returned entries should
     be sorted in order based on these types.  If the reverseOrder field is
     set to TRUE, then the entries will be presented in reverse sorted
     order.

     If the server does not recognize any of the attribute types, or the
     ordering rule associated with an attribute type is not applicable, or
     none of the attributes in the search responses are of these types,
     then the sortKeys field is not used and result entries are returned
     in random order.

     If the server does not support sorting with the requested attributes
     or matching rules, then it must return only protocolError (which is what
     an LDAPv2 server would return), undefinedAttributeType or
     inappropriateMatching and no searchResultEntry or
     searchResultReference responses.

   If the client includes the attribute type name 'modifyRights' in the
   search request attribute type list when performing a baseObject search,
   then the server should return the modifyRights attribute as part of
   the response attributes for that entry.  The value of this attribute
   is described in section 6.2.2.1 of [5], and corresponds to the X.511(93)
   ModifyRights field of the ReadResponse.

   Note that an X.500 "list"-like operation can be emulated by the client
   requesting a one-level LDAP search operation with a filter checking for
   the existence of the objectClass attribute, and that an X.500 "read"-like
   operation can be emulated by a base object LDAP search operation with
   the same filter.  A server which provides a gateway to X.500 is not
   required to use the Read or List operations, although it may choose to
   do so.

   If the search filter includes an equality match of the objectClass
   attribute and the value "subentry", then if the server is converting
   to an X.500 protocol, the subentries service control should be set.

4.5.2. Search Result

   The results of the search attempted by the server upon receipt of a
   Search Request are returned in Search Responses, which are LDAP
   messages containing either SearchResultEntry, SearchResultReference,
   SearchResultDone or SearchResultFull data types.



Wahl, Howes, Kille                                                [Page 21]


INTERNET-DRAFT                     LDAP                          August 1996

        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
                objectName      LDAPDN,
                attributes      PartialAttributeList }

        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
                type    AttributeDescription,
                vals    SET OF AttributeValue }
        -- implementors should note that the PartialAttributeList may have
        -- zero elements (if none of the attributes of that entry were
        -- requested, or could be returned), and that the vals set may also
        -- have zero elements (if types only was requested, or all the values
        -- exceeded the attribute size limit or were excluded because of
        -- access control).

        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
        -- at least one LDAPURL element must be present

        SearchResultDone ::= [APPLICATION 5] SEQUENCE {
           COMPONENTS OF LDAPResult,
           totalCount [8] INTEGER OPTIONAL }

        SearchResultFull ::= SEQUENCE OF CHOICE {
                        entry           SearchResultEntry,
                        reference       SearchResultReference,
                        resultCode      SearchResultDone }

   Upon receipt of a Search Request, a server will perform the necessary
   search of the DIT.

   If the LDAP session is operating over a connection-oriented transport
   such as TCP, the server will return to the client a sequence of
   responses in separate LDAP messages.  There may be zero or more
   responses containing SearchResultEntry, one for each entry found
   during the search.  There may also be zero or more responses
   containing SearchResultReference, one for each area not explored by
   this server during the search.  The SearchResultEntry and
   SearchResultReferences may come in any order. Following all the
   SearchResultReference responses and all SearchResultEntry responses up
   to a pageSizeLimit (if any), the server will return a response containing
   the SearchResultDone, which contains an indication of success, or
   detailing any errors that have occurred.

   If the LDAP session is operating over a connectionless transport such
   as UDP, the server will return to the client only one response to the
   search, an LDAPMessage containing a SearchResultFull data type.  All (if
   any) but the last element of the SEQUENCE OF must be of the
   SearchResultEntry or SearchResultReference types, and the last must be of
   the SearchResultDone type.

   The SearchResultFull is never returned over a connection-oriented
   transport.







Wahl, Howes, Kille                                                [Page 22]


INTERNET-DRAFT                     LDAP                          August 1996

   Each entry returned in a SearchResultEntry will contain all attributes,
   complete with associated values if necessary, as specified in the
   attributes field of the Search Request.  Return of attributes is subject
   to access control and other administrative policy.  Some attributes may
   be returned in DER-encoded binary format (indicated by the
   AttributeDescription in the response having the binary option present),
   or in a language-specific subtype (indicated by the AttributeDescription
   in the response having the language option present).

   The following are not strictly attributes of an entry (or a subentry),
   but may appear in the result list if requested.

    - entryName. This operational attribute is maintained by the server and
      appears to be present in each entry.  The value of this attribute
      is the distinguished name of the entry from which it is read.  It
      is expected that the client would retrieve this attribute in binary.

    - modifyRights. Each value is the encoding of an element of modifyRights.
      The attribute is specific to the particular search operation and
      the requestor, and must not be cached or replicated.'

    - incompleteEntry.  This attribute's value is TRUE if one or more
      attributes are not present in the PartialAttributeList, because their
      size would have exceeded the attribute size limit, or if a partial
      shadow copy of the entry was used to satisfy the request and some
      requested attributes are not returned.  It is never set just because
      typesOnly was set to TRUE, or because a requested attribute was not
      present in the (master) entry.

    - fromEntry.  The server may return this attribute's value as FALSE if it
      is known that the search is based upon a shadow or cached copy of the
      entry, and may return it as TRUE if the server masters the entry.

   In a SearchResultEntry, as an encoding optimization, the value of the
   objectName LDAP DN may use a trailing '*' character to refer to the
   baseObject of the corresponding searchRequest.  For example, if the
   baseObject is specified as "o=UofM, c=US", then the following
   objectName LDAPDNs in a response would have the indicated meanings

          objectName returned   actual LDAPDN denoted
          ____________________________________________________
          "*"                   "o=UofM, c=US"
          "cn=Babs Jensen, *"   "cn=Babs Jensen, o=UofM, c=US"

   If the pageSizeLimit field was present, the server must number the
   entries which match the search, and must indicate the
   total number of entries which match the search in the field totalCount
   of the SearchResultDone. The total count would either be the same as
   or greater than the number of SearchResultEntry responses returned at
   this time.  If it is greater, then the server did not return all the
   responses because the pageSizeLimit was reached, and the server must
   cache all the resulting entries.  If it is the same, then the server did
   not exceed the pageSizeLimit, and the server need not cache the responses.

   When the search result exceeded the pageSizeLimit, all matching entries
   are cached (including those for which SearchResultEntry was returned),
   and the server must not clear the cache until an operation other than a
   ResumeRequest for this search is received.
Wahl, Howes, Kille                                                [Page 23]


INTERNET-DRAFT                     LDAP                          August 1996

4.5.3. Continuation References in the Search Result

   If the server was able to locate the entry referred to by the
   baseObject but was unable to search all the entries in the scope at
   and under the baseObject, the server may return one or more
   SearchResultReference, each containing a reference to another set of
   servers for continuing the operation.  The server should return at most
   one SearchResultReference for a new subordinate base object with a
   particular scope and filter.  A server must not return a
   SearchResultReference if it has not located the baseObject and
   thus has not searched any entries; in this case it should return a
   SearchResultDone containing a referral resultCode.

   The SearchResultReference is of the same data type as the Referral.
   A URL in a SearchResultReference may only be included if the client has
   indicated (in the session controls) that it is able to handle that
   protocol.  If the client has not indicated any protocols which the
   server could use to return in a SearchResultReference, the server must
   itself process the entire search.  If the server could not contact
   all other servers, it may return one or more SearchResultReference for
   unexplored subtrees, and must indicate also that only partial results were
   returned by setting the resultCode in the SearchResultDone to be something
   other than success, such as timeLimitExceeded.

   URLs for servers implementing the LDAP protocol are written according
   to [9].  The dn part must be present in the URL, with the new target
   object name.  The client must use this name in its next request.
   Some servers (e.g. participating in distributed indexing) may change
   the filter.  If the filter part of the URL is present in an LDAP URL,
   the client should use this filter in its next request, otherwise it
   should use the same filter as it used for that search.

   Other kinds of URLs may be returned so long as the operation could be
   performed using that protocol, and the client has indicated (in a
   session control) that it is able to handle that protocol.

   The name of an unexplored subtree in a SearchResultReference need not be
   subordinate to the base object if an alias was dereferenced, however it
   should not be a prefix of the base object, otherwise the client will
   loop.  (Client implementations must detect loops; see section 6.2.)

   Note: the "X.500 Non-Specific Subordinate Reference" is not permitted in
   LDAP.  Servers must not return multiple SearchResultReference for the same
   subtree, and any one of (not all of) the servers listed in a
   SearchResultReference may be contacted to perform the entire search in a
   particular subtree.

4.5.3.1 Example

   For example, suppose the contacted server (hosta) holds the entry
   "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW".  It knows that either
   LDAP-capable servers (hostb) or (hostc) hold "OU=People,O=MNN,C=WW" (one
   is the master and the other server a shadow), and that LDAP-capable
   server (hostd) holds the subtree "OU=Roles,O=MNN,C=WW".  If a subtree
   search of "O=MNN,C=WW" is requested to the contacted server in which
   chainingProhibited is set and referrals are permitted, and the filter is
   objectClass=*, the server may return the following responses:

Wahl, Howes, Kille                                                [Page 24]


INTERNET-DRAFT                     LDAP                          August 1996

     SearchResultEntry for O=MNN,C=WW
     SearchResultEntry for CN=Manager,O=MNN,C=WW
     SearchResultReference {
       ldap://hostb/OU=People,O=MNN,C=WW
       ldap://hostc/OU=People,O=MNN,C=WW
     }
     SearchResultReference {
       ldap://hostd/OU=Roles,O=MNN,C=WW
     }
     SearchResultDone (entries = 2)

   Client implementors should note that when following a
   SearchResultReference, additional SearchResultReference may be
   generated.  Continuing the example, if the client contacted the
   server (hostb) and issued the search for the subtree
   "OU=People,O=MNN,C=WW", the server might respond as follows:

     SearchResultEntry for OU=People,O=MNN,C=WW
     SearchResultReference {
      ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
     }
     SearchResultReference {
      ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
     }

4.6.  Resume Search Operation

   The Resume Search Operation is used in conjunction with a Search
   operation which was previously issued on this association.

        ResumeRequest ::= [APPLICATION 20] SEQUENCE {
                searchRequestID         [0] MessageID,
                startAtEntry            [1] INTEGER,
                entriesToReturn         [2] INTEGER }

   The SearchRequest must have been made with the pageSizeLimit
   field present, and the server must not have returned all the results
   at the time of the search, or indicated a resultCode in the
   SearchResultDone other than success, timeLimitExceeded,
   sizeLimitExceeded or adminLimitExcceded.

   A Search which is still in progress (the final SearchResultDone has not
   been returned) or has been abandoned cannot be resumed.

   The searchRequestID field must contain the value of messageID which the
   client used for the original search operation.

   Entries in a result are always numbered starting from 1.

   The startAtEntry number may be any number greater than 0, and the sum of
   startAtEntry and entriesToReturn must not be greater than one plus the
   value of totalCount returned by the server for this search.

   The client may request that the server retransmit entries which it had
   already sent as responses for the search, e.g. by setting startAtEntry
   to "1" and entriesToReturn to be the same as totalCount, all the entries
   will be transmitted.

Wahl, Howes, Kille                                                [Page 25]


INTERNET-DRAFT                     LDAP                          August 1996

   The server will respond to the ResumeRequest with either a ResumeError,
   or with a series of SearchResultEntry responses and a SearchResultDone
   response.  The ResumeError is returned if the server detected a
   problem with the ResumeRequest, such as an invalid searchRequestID, or if
   the server has cleared the cache and cannot resume that search, or if
   the Directory Information Tree has changed such that the search would no
   longer return the same results. The SearchResultEntry and SearchResultDone
   responses from a ResumeRequest have the Message ID of the ResumeRequest,
   not of the original SearchRequest.

   Any SearchResultReferences are returned at the the time of the original
   search, and none returned by a resume operation.

        ResumeError ::= [APPLICATION 21] LDAPResult

   An example of using Resume is as follows:

            CLIENT                              SERVER

            1,SearchRequest (pageSizeLimit=2)
                                  -->
                                                (search matches 5 entries)
                                                1,SearchResultEntry  (1 of 5)
                                  <--
                                                1,SearchResultEntry  (2 of 5)
                                  <--
                                                1,SearchResultDone (5)
                                  <--

            2,ResumeRequest (search id 1, startAtEntry 3, entriesToReturn 3)
                                  -->
                                                2,SearchResultEntry (3 of 5)
                                  <--
                                                2,SearchResultEntry (4 of 5)
                                  <--
                                                2,SearchResultEntry (5 of 5)
                                  <--

                                  <--           2,SearchResultDone (5)

            3,AbandonRequest (id 1)
                                  -->
                                                (search cache cleared)

4.7.  Modify Operation

   The Modify Operation allows a client to request that a modification
   of the DIB be performed on its behalf by a server.  The Modify
   Request is defined as follows:

        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
                object          LDAPDN,
                modification    SEQUENCE OF SEQUENCE {
                        operation       ENUMERATED {
                                                add     (0),
                                                delete  (1),
                                                replace (2) },
                        modification    AttributeTypeAndValues } }
Wahl, Howes, Kille                                                [Page 26]


INTERNET-DRAFT                     LDAP                          August 1996

        AttributeTypeAndValues ::= SEQUENCE {
                type    AttributeDescription,
                vals    SET OF AttributeValue }

   Parameters of the Modify Request are:

   - object: The object to be modified. The value of this field should
     name the object to be modified.  The server will not perform any
     alias dereferencing in determining the object to be modified unless
     the useAliasOnUpdate session control is set to TRUE.

   - A list of modifications to be performed on the entry to be modified.
     The entire list of entry modifications should be performed
     in the order they are listed, as a single atomic operation.  While
     individual modifications may violate the directory schema, the
     resulting entry after the entire list of modifications is performed
     must conform to the requirements of the directory schema. The
     values that may be taken on by the 'operation' field in each
     modification construct have the following semantics respectively:

             add: add values listed to the given attribute, creating
             the attribute if necessary;

             delete: delete values listed from the given attribute,
             removing the entire attribute if no values are listed, or
             if all current values of the attribute are listed for
             deletion;

             replace: replace all existing values of the given attribute
             with the new values listed, creating the attribute if it
             did not already exist.  A replace with no value should delete
             the entire attribute.

   The result of the modify attempted by the server upon receipt of a
   Modify Request is returned in a Modify Response, defined as follows:

        ModifyResponse ::= [APPLICATION 7] LDAPResult

   Upon receipt of a Modify Request, a server will perform the necessary
   modifications to the DIB.

   The server will return to the client a single Modify Response
   indicating either the successful completion of the DIB modification,
   or the reason that the modification failed. Note that due to the
   requirement for atomicity in applying the list of modifications in
   the Modify Request, the client may expect that no modifications of
   the DIB have been performed if the Modify Response received indicates
   any sort of error, and that all requested modifications have been
   performed if the Modify Response indicates successful completion of
   the Modify Operation.  If the connection fails, whether the modification
   occurred or not is indeterminate.

   Note that due to the simplifications made in LDAP, there is not a direct
   mapping of the modifications in an LDAP ModifyRequest onto the
   EntryModifications of a a DAP ModifyEntry operation, and different
   implementations of LDAP-DAP gateways may use different means of
   representing the change.  The final effect of the operations on the
   entry will be identical.
Wahl, Howes, Kille                                                [Page 27]


INTERNET-DRAFT                     LDAP                          August 1996

4.8.  Add Operation

   The Add Operation allows a client to request the addition of an entry
   into the directory. The Add Request is defined as follows:

        AddRequest ::= [APPLICATION 8] SEQUENCE {
                entry           LDAPDN,
                attributes      AttributeList }

        AttributeList ::= SEQUENCE OF SEQUENCE {
                type    AttributeDescription,
                vals    SET OF AttributeValue }

   Parameters of the Add Request are:

   - entry: the Distinguished Name of the entry to be added. Note that
     all components of the name except for the last RDN component must
     exist for the add to succeed.  Note also that the server will not
     dereference any aliases in locating the entry to be added (unless
     the useAliasOnUpdate session control is TRUE), and that there are
     never any entries subordinate to an alias entry.

   - attributes: the list of attributes that make up the content of the
     entry being added.  Clients must included distinguished values in
     this list.

   The result of the add attempted by the server upon receipt of a Add
   Request is returned in the Add Response, defined as follows:

        AddResponse ::= [APPLICATION 9] LDAPResult

   Upon receipt of an Add Request, a server will attempt to perform the
   add requested. The result of the add attempt will be returned to the
   client in the Add Response.

4.9.  Delete Operation

   The Delete Operation allows a client to request the removal of an
   entry from the directory. The Delete Request is defined as follows:

        DelRequest ::= [APPLICATION 10] LDAPDN

   The Delete Request consists of the Distinguished Name of the
   entry to be deleted. Note that the server will not dereference aliases
   while resolving the name of the target entry to be removed, unless
   the useAliasOnUpdate session control is TRUE.

   The result of the delete attempted by the server upon receipt of a
   Delete Request is returned in the Delete Response, defined as follows:

        DelResponse ::= [APPLICATION 11] LDAPResult

   Upon receipt of a Delete Request, a server will attempt to perform
   the entry removal requested. The result of the delete attempt will be
   returned to the client in the Delete Response. Note that only leaf
   objects (with no subordinates) may be deleted with this operation.


Wahl, Howes, Kille                                                [Page 28]


INTERNET-DRAFT                     LDAP                          August 1996

4.10.  Modify DN Operation

   The Modify DN Operation allows a client to change the last component
   of the name of an entry in the directory, or to move a subtree of
   entries to a new location in the directory.  The Modify DN Request is
   defined as follows:

        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
                entry           LDAPDN,
                newrdn          RelativeLDAPDN,
                deleteoldrdn    BOOLEAN,
                newSuperior     [0] LDAPDN OPTIONAL }

   Parameters of the Modify DN Request are:

   - entry: the name of the entry to be changed.

   - newrdn: the RDN that will form the last component of the new name.

   - deleteoldrdn: a boolean parameter that controls whether the old RDN
     attribute values should be retained as attributes of the entry or
     deleted from the entry.

   - newSuperior: if present, this is the name of the entry which
     becomes the immediate superior of the existing entry.

   The result of the name change attempted by the server upon receipt of
   a Modify DN Request is returned in the Modify DN Response, defined
   as follows:

        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

   Upon receipt of a Modify RDN Request, a server will attempt to
   perform the name change. The result of the name change attempt will
   be returned to the client in the Modify DN Response. The attributes
   that make up the old RDN are deleted from the entry, or kept,
   depending on the setting of the deleteoldrdn parameter.

   Note that X.500 restricts the ModifyDN operation to only affect entries
   that are contained within a single server.  If the LDAP server is mapped
   onto DAP, then this restriction will apply, and the resultCode
   affectsMultipleDSAs will be returned.  In general clients should not
   expect to be able to perform arbitrary movements of entries and subtrees.

4.11.  Compare Operation

   The Compare Operation allows a client to compare an assertion
   provided with an entry in the directory. The Compare Request is
   defined as follows:

        CompareRequest ::= [APPLICATION 14] SEQUENCE {
                entry           LDAPDN,
                ava             AttributeValueAssertion }

   Parameters of the Compare Request are:

   - entry: the name of the entry to be compared with.

Wahl, Howes, Kille                                                [Page 29]


INTERNET-DRAFT                     LDAP                          August 1996

   - ava: the assertion with which an attribute in the entry is to be
     compared.

   The result of the compare attempted by the server upon receipt of a
   Compare Request is returned in the Compare Response, defined as
   follows:

        CompareResponse ::= [APPLICATION 15] SEQUENCE {
           COMPONENTS OF LDAPResult,
           matchedSubtype [9] AttributeType OPTIONAL }

   When the resultCode is compareTrue the matchedSubtype field is
   permitted to contain the type name of the attribute whose value
   matched the ava in the Compare operation.  Servers which do not
   implement attribute hierarchies will omit this element.

   Upon receipt of a Compare Request, a server will attempt to perform
   the requested comparison. The result of the comparison will be
   returned to the client in the Compare Response. Note that errors and
   the result of comparison are all returned in the same construct.

   Note that some directory systems may establish access controls which
   permit the values of certain attributes (such as userPassword) to be
   compared but not read.  In a search result, it may be that an attribute
   of that type would be returned, but with an empty set of values.

4.12.  Abandon Operation

   The function of the Abandon Operation is to allow a client to request
   that the server abandon an outstanding operation.  The Abandon
   Request is defined as follows:

        AbandonRequest ::= [APPLICATION 16] MessageID

   The MessageID must be that of a Search, Resume or Compare operation
   which was requested earlier during this association.  Other types of
   operations cannot be abandoned.

   (The abandon request itself has its own message id.  This is distinct
    from the id of the earlier operation being abandoned.)

   There is no response defined in the Abandon Operation. Upon
   transmission of an Abandon Operation, a client may expect that the
   operation identified by the Message ID in the Abandon Request has
   been abandoned. In the event that a server receives an Abandon
   Request on a Search or Resume Operation in the midst of transmitting
   responses to the search, that server should cease transmitting entry
   responses to the abandoned request immediately. Of course, the server
   must ensure that only properly encoded LDAPMessages are transmitted.

   Clients must not send abandon requests for the same operation multiple
   times.  Servers must discard abandon requests for message ids it does
   not recognize, for operations which cannot be abandoned, and for
   operations which have already been abandoned.




Wahl, Howes, Kille                                                [Page 30]


INTERNET-DRAFT                     LDAP                          August 1996

   If the MessageID is for a Search operation in which pageSizeLimit was
   set, the abandon will clear the results from the server's cache.
   Abandoning a Resume operation does not clear the cache, it just stops
   the server from sending responses.

4.13.  Extended Operation

   It may be desirable in some communities to define additional operations
   for services not available in this protocol, for instance digitally
   signed operations and results.  Thus an extension mechanism has been
   added in this version of LDAP.

   The extended operation allows clients to make requests and receive
   responses with predefined syntaxes and semantics.  These may be
   defined in RFCs or be private to particular implementations.  Each
   operation should have a unique OBJECT IDENTIFIER assigned to it.

        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
                requestName      [0] LDAPOID,
                requestValue     [1] OCTET STRING }

   The requestName is a dotted-decimal representation of the
   OBJECT IDENTIFIER corresponding to the request.
   The requestValue is information in a form defined by that request,
   encapsulated inside an OCTET STRING.

   The server will respond to this with an LDAPMessage containing the
   ExtendedResponse.

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
                COMPONENTS OF LDAPResult,
                responseName     [10] LDAPOID OPTIONAL,
                response         [11] OCTET STRING OPTIONAL }

   If the server does not recognize the operation name, it should return
   only the standard response fields, containing the protocolError result
   code.

5.  Protocol Element Encodings and Transfer

   For compatibility with the existing LDAP v2 and CLDAP protocols, four
   underlying services are defined here.  However an LDAP server need not
   implement all of them.

5.1.  Mapping Onto BER-based Transport Services

   This protocol is designed to run over connection-oriented, reliable
   transports, with all 8 bits in an octet being significant in the data
   stream.

   The protocol elements of LDAP are encoded for exchange using the
   Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
   high overhead involved in using certain elements of the BER, the
   following additional restrictions are placed on BER-encodings of LDAP
   protocol elements:

   (1) Only the definite form of length encoding will be used.

Wahl, Howes, Kille                                                [Page 31]


INTERNET-DRAFT                     LDAP                          August 1996

   (2) BIT STRINGs and OCTET STRINGs will be encoded in the primitive form
       only.

   (3) If the value of a BOOLEAN type is true, the encoding should have
       its contents octets set to hex "FF".

   (4) If a value of a type is its default value, it should be absent.
       Only some BOOLEAN and INTEGER types have default values in this
       protocol definition.


   These restrictions do not apply to ASN.1 types encapsulated inside of
   OCTET STRINGs, such as attribute values, unless otherwise noted.

5.1.1.  Transmission Control Protocol (TCP)

   The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
   Server implementations running over the TCP should provide a protocol
   listener on port 389.

5.1.2.  Connection Oriented Transport Service (COTS)

   The connection is established.  No special use of T-Connect is made.
   Each LDAPMessage PDU is mapped directly onto T-Data.

5.1.3.  User Datagram Protocol (UDP)

   The LDAPMessage PDUs are mapped directly onto UDP datagrams.  A datagram
   may contain one or more concatenated requests.  Only one response datagram
   is returned, containing all the responses concatenated together. The only
   operations which the client may request are sessionRequest, searchRequest,
   compareRequest and extendedReq.  The server may return sessionResponse,
   searchResFull, compareResponse and extendedResp.  If any of the requests in
   an incoming datagram generates an error (a result other than success,
   compareTrue or compareFalse), the server should ignore any following
   requests in that datagram.

   Server implementations running over the UDP should provide a protocol
   listener on port 389.

5.1.4.  Secure Socket Layer over TCP (SSL)

   LDAP is an application protocol which may be carried inside of an
   Secure Sockets Layer connection [19]. After establishing the SSL
   connection over TCP, the LDAPMessage PDUs are mapped directly onto
   the bytestream.  Server implementations running over SSL/TCP should
   provide a protocol listener on port 636.

   Note: it is expected that future versions of this document may reference
   an IETF specification for equivalent security services, should one
   become available.







Wahl, Howes, Kille                                                [Page 32]


INTERNET-DRAFT                     LDAP                          August 1996

6.  Implementation Guidelines

6.1.  Server Implementations

   The server should be capable of recognizing all the mandatory attribute
   type names and implement the syntaxes specified in [5].  Servers may also
   recognize additional attribute type names.

6.2.  Client Implementations

   For simple lookup applications using the connectionless transport
   protocol UDP, use of a retry algorithm with multiple servers similar
   to that commonly used in DNS stub resolver implementations is
   recommended.  The location of a CLDAP server or servers may be better
   specified using IP addresses (simple or broadcast) rather than names
   that must first be looked up in another directory such as DNS.

6.2.1. Loop Detection

   Clients which request referrals should ensure that they do not loop
   between servers. They must not progress a referral or reference in a
   subtree search where the new name is a superior of the name requested.
   They must not repeatedly contact the same server twice with the same
   target entry name.   Some clients may be using a counter that is
   incremented each time referral handling is handled for an operation,
   and these kind of clients must be able to handle a DIT with up to ten
   layers of naming contexts between the root and a leaf entry.

7.  Security Considerations

   When used with a connection-oriented transport, this version of the
   protocol provides facilities for the LDAP v2 authentication mechanism,
   simple authentication using a cleartext password, as well as any SASL
   mechanism [18].

   It is also permitted that the server can return its credentials to the
   client, if it chooses to do so.

   This document also defines a mapping of LDAP over the Secure Sockets
   Layer (SSL), which can provide strong authentication, integrity and
   privacy of the connection.

   Use of cleartext password is strongly discouraged where the underlying
   transport service cannot guarantee confidentiality.  A password hashing
   mechanism is given in Appendix B.

   When used with SASL, it should be noted that the name field of the
   BindRequest is not protected against modification.  Thus if there is a
   client name (LDAPDN) agreed through the negotiation of the credentials,
   it must take precedence over any value in the unprotected name field.








Wahl, Howes, Kille                                                [Page 33]


INTERNET-DRAFT                     LDAP                          August 1996

   When used with the connectionless transport, no security services are
   available.  There has been some discussion about the desirability of
   authentication with connectionless LDAP requests.  This might take the
   form of a clear text password (which would go against the current IAB
   drive to remove such things from protocols) or some arbitrary
   credentials.  It is felt that, in general, authentication would incur
   sufficient overhead to negate the advantages of the connectionless
   basis of LDAP. If an application requires authenticated access to the
   directory then connectionless LDAP is not an appropriate protocol.

8.  Acknowledgements

   This document is an update to RFC 1777, by Wengyik Yeong, Tim
   Howes, and Steve Kille.  It also includes material from RFC 1798, by
   Alan Young. Design ideas included in this document are based on those
   discussed in ASID and other IETF Working Groups.  The contributions of
   individuals in these working groups is gratefully acknowledged.

9.  Bibliography

   [1] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models and
       Service",  1993.

   [2] W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access
       Protocol", RFC 1777, March 1995.

   [3] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
       Specification of Basic Notation", 1994.

   [4] S. Kille, M. Wahl, "A UTF-8 String Representation of Distinguished
       Names", INTERNET-DRAFT <draft-ietf-asid-ldapv3-dn-00.txt>.
       August 1996.

   [5] M. Wahl, A. Coulbeck, T. Howes, S. Kille, W. Yeong, C. Robbins,
       "Lightweight X.500 Directory Access Protocol Standard and Pilot
       Attribute Definitions", INTERNET-DRAFT
       <draft-ietf-asid-ldapv3-attributes-02.txt>, August 1996.

   [6] ITU-T Rec. X.501, "The Directory: Models", 1993.

   [7] ITU-T Rec. X.520, "The Directory: Selected Attribute Types", 1993.

   [9] T. Howes, M. Smith, "An LDAP URL Format", RFC 1959, June 1996.

   [10] ITU-T Rec. X.518, "The Directory: Procedures for Distributed
        Operation", 1993.

   [11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic,
        Canonical, and Distinguished Encoding Rules", 1994.

   [12] ITU-T Rec. X.509, "The Directory: Authentication Framework",
        1993.

   [13] ITU-T Rec. X.511, "The Directory: Abstract Service Definition", 1993.

   [14] T. Berners-Lee, L. Masinter, M. McCahill, "Uniform Resource
        Locators (URL)", RFC 1738, Dec. 1994.

Wahl, Howes, Kille                                                [Page 34]


INTERNET-DRAFT                     LDAP                          August 1996

   [15] Universal Multiple-Octet Coded Character Set (UCS) - Architecture
        and Basic Multilingual Plane, ISO/IEC 10646-1 : 1993.

   [16] M. Davis, UTF-8, (WG2 N1036) DAM for ISO/IEC 10646-1.

   [17] M. Wahl, T. Howes, "LDAP Use of Language Indications",
        INTERNET-DRAFT <draft-ietf-asid-ldapv3-lang-00.txt"> August 1996.

   [18] J. Meyers, "Simple Authentication and Security Layer",
        INTERNET-DRAFT <draft-myers-auth-sasl-04.txt>, July 1996.

   [19] A. Freier, P. Karlton, P. Kocher, "The SSL Protocol Version 3.0",
        INTERNET-DRAFT <draft-freier-ssl-version3-01.txt>, March 1996.


10.  Authors' Address

       Mark Wahl
       Critical Angle Inc.
       4815 W Braker Lane #502-385
       Austin, TX 78759
       USA

       EMail:  M.Wahl@critical-angle.com


       Tim Howes
       Netscape Communications Corp.
       501 E. Middlefield Rd.
       Mountain View, CA 94043
       USA

       Phone:  +1 415 254-1900
       EMail:   howes@netscape.com

       Steve Kille
       ISODE Consortium
       The Dome, The Square
       Richmond
       TW9 1DT
       UK

       Phone:  +44-181-332-9091
       EMail:  S.Kille@isode.com


Appendix A - Complete ASN.1 Definition

        Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
        IMPLICIT TAGS ::=

        BEGIN






Wahl, Howes, Kille                                                [Page 35]


INTERNET-DRAFT                     LDAP                          August 1996

        LDAPMessage ::= SEQUENCE {
                messageID       MessageID,
                cldapUserName   LDAPDN OPTIONAL,
                protocolOp      CHOICE {
                        bindRequest     BindRequest,
                        bindResponse    BindResponse,
                        unbindRequest   UnbindRequest,
                        searchRequest   SearchRequest,
                        searchResEntry  SearchResultEntry,
                        searchResDone   SearchResultDone,
                        searchResRef    SearchResultReference,
                        searchResFull   SearchResultFull,
                        modifyRequest   ModifyRequest,
                        modifyResponse  ModifyResponse,
                        addRequest      AddRequest,
                        addResponse     AddResponse,
                        delRequest      DelRequest,
                        delResponse     DelResponse,
                        modDNRequest    ModifyDNRequest,
                        modDNResponse   ModifyDNResponse,
                        compareRequest  CompareRequest,
                        compareResponse CompareResponse,
                        abandonRequest  AbandonRequest,
                        sessionRequest  SessionRequest,
                        sessionResponse SessionResponse,
                        resumeRequest   ResumeRequest,
                        resumeError     ResumeError,
                        extendedReq     ExtendedRequest,
                        extendedResp    ExtendedResponse } }

        MessageID ::= INTEGER (0 .. maxInt)

        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

        LDAPString ::= OCTET STRING

        LDAPOID ::= OCTET STRING

        LDAPDN ::= LDAPString

        RelativeLDAPDN ::= LDAPString

        AttributeType ::= LDAPString

        AttributeDescription ::= LDAPString

        AttributeDescriptionList ::= SEQUENCE OF
                AttributeDescription


        AttributeValue ::= OCTET STRING

        AttributeValueAssertion ::= SEQUENCE {
                attributeDesc   AttributeDescription,
                assertionValue  AssertionValue }

        AssertionValue ::= OCTET STRING

Wahl, Howes, Kille                                                [Page 36]


INTERNET-DRAFT                     LDAP                          August 1996

        Attribute ::= SEQUENCE {
                type    AttributeDescription,
                vals    SET OF AttributeValue }

        MatchingRuleId ::= LDAPString

        LDAPResult ::= SEQUENCE {
                resultCode      ENUMERATED {
                             success                      (0),
                             operationsError              (1),
                             protocolError                (2),
                             timeLimitExceeded            (3),
                             sizeLimitExceeded            (4),
                             compareFalse                 (5),
                             compareTrue                  (6),

                             authMethodNotSupported       (7),
                             strongAuthRequired           (8),
                                        -- 9 reserved --
                             referral                     (10),  -- new
                             adminLimitExceeded           (11),  -- new
                             unavailableCriticalExtension (12),  -- new
                                        -- 13-15 unused --
                             noSuchAttribute              (16),
                             undefinedAttributeType       (17),
                             inappropriateMatching        (18),
                             constraintViolation          (19),
                             attributeOrValueExists       (20),
                             invalidAttributeSyntax       (21),
                                        -- 22-31 unused --
                             noSuchObject                 (32),
                             aliasProblem                 (33),
                             invalidDNSyntax              (34),
                             -- 35 reserved for undefined isLeaf --
                             aliasDereferencingProblem    (36),
                                        -- 37-47 unused --
                             inappropriateAuthentication  (48),
                             invalidCredentials           (49),
                             insufficientAccessRights     (50),
                             busy                         (51),
                             unavailable                  (52),
                             unwillingToPerform           (53),
                             loopDetect                   (54),
                                        -- 55-63 unused --
                             namingViolation              (64),
                             objectClassViolation         (65),
                             notAllowedOnNonLeaf          (66),
                             notAllowedOnRDN              (67),
                             entryAlreadyExists           (68),
                             objectClassModsProhibited    (69),
                             resultsTooLarge              (70), -- cl only
                             affectsMultipleDSAs          (71), -- new
                                        -- 72-79 unused --
                             other                        (80) },
                             -- 81-90 reserved for APIs --
                matchedDN       LDAPDN,
                errorMessage    LDAPString,
                referral        [3] Referral OPTIONAL }
Wahl, Howes, Kille                                                [Page 37]


INTERNET-DRAFT                     LDAP                          August 1996

        Referral ::= SEQUENCE OF LDAPURL

        LDAPURL ::= LDAPString  -- limited to characters permitted in URLs

        BindRequest ::= [APPLICATION 0] SEQUENCE {
                version                 INTEGER (1 .. 127),
                name                    LDAPDN,
                authentication          AuthenticationChoice }

        AuthenticationChoice ::= CHOICE {
                simple                  [0] OCTET STRING,
                                         -- 1 and 2 reserved
                sasl                    [3] SaslCredentials }

        SaslCredentials ::= SEQUENCE {
                mechanism               LDAPString,
                credentials             OCTET STRING }

        BindResponse ::= [APPLICATION 1] SEQUENCE {
             COMPONENTS OF LDAPResult,
             supportedVersion   [5] INTEGER (1..127) OPTIONAL,
             serverURL          [6] LDAPURL OPTIONAL,
             serverCreds        [7] AuthenticationChoice OPTIONAL }

        UnbindRequest ::= [APPLICATION 2] NULL

        SessionRequest ::= [APPLICATION 17] Controls

        SessionResponse ::= [APPLICATION 18] SEQUENCE {
                COMPONENTS OF LDAPResult,
                unsupportedCtls         [12] SEQUENCE OF LDAPString }

        Controls ::= SEQUENCE OF SEQUENCE {
                controlType             LDAPString,
                criticality             BOOLEAN DEFAULT FALSE,
                controlValue            OCTET STRING }

        SearchRequest ::= [APPLICATION 3] SEQUENCE {
                baseObject      LDAPDN,
                scope           ENUMERATED {
                        baseObject              (0),
                        singleLevel             (1),
                        wholeSubtree            (2) },
                derefAliases    ENUMERATED {
                        neverDerefAliases       (0),
                        derefInSearching        (1),
                        derefFindingBaseObj     (2),
                        derefAlways             (3) },
                sizeLimit       INTEGER (0 .. maxInt),
                timeLimit       INTEGER (0 .. maxInt),
                typesOnly       BOOLEAN,
                filter          Filter,
                attributes      AttributeDescriptionList,
                pageSizeLimit   [0] INTEGER OPTIONAL,
                sortKeys        [1] SortKeyList OPTIONAL }



Wahl, Howes, Kille                                                [Page 38]


INTERNET-DRAFT                     LDAP                          August 1996

        SortKeyList ::= SEQUENCE OF SEQUENCE {
                attributeType   AttributeType,
                orderingRule    [0] MatchingRuleId OPTIONAL,
                reverseOrder    [1] BOOLEAN DEFAULT FALSE }

        Filter ::= CHOICE {
                and             [0] SET OF Filter,
                or              [1] SET OF Filter,
                not             [2] Filter,
                equalityMatch   [3] AttributeValueAssertion,
                substrings      [4] SubstringFilter,
                greaterOrEqual  [5] AttributeValueAssertion,
                lessOrEqual     [6] AttributeValueAssertion,
                present         [7] AttributeType,
                approxMatch     [8] AttributeValueAssertion,
                extensibleMatch [9] MatchingRuleAssertion }

        SubstringFilter ::= SEQUENCE {
                type            AttributeDescription,
                -- at least one must be present
                substrings      SEQUENCE OF CHOICE {
                        initial [0] LDAPString,
                        any     [1] LDAPString,
                        final   [2] LDAPString } }

        MatchingRuleAssertion ::= SEQUENCE {
                matchingRule    [1] MatchingRuleId OPTIONAL,
                type            [2] AttributeType OPTIONAL,
                matchValue      [3] AssertionValue,
                dnAttributes    [4] BOOLEAN DEFAULT FALSE }


        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
                objectName      LDAPDN,
                attributes      PartialAttributeList }

        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
                type    AttributeDescription,
                vals    SET OF AttributeValue }
        -- implementors should note that the PartialAttributeList may have
        -- zero elements (if none of the attributes of that entry were
        -- requested, or could be returned), and that the vals set may also
        -- have zero elements (if types only was requested, or all the values
        -- exceeded the attribute size limit or were excluded because of
        -- access control).

        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
        -- at least one LDAPURL element must be present

        SearchResultDone ::= [APPLICATION 5] SEQUENCE {
           COMPONENTS OF LDAPResult,
           totalCount [8] INTEGER OPTIONAL }

        SearchResultFull ::= SEQUENCE OF CHOICE {
                        entry           SearchResultEntry,
                        reference       SearchResultReference,
                        resultCode      SearchResultDone }

Wahl, Howes, Kille                                                [Page 39]


INTERNET-DRAFT                     LDAP                          August 1996

        ResumeRequest ::= [APPLICATION 20] SEQUENCE {
                searchRequestID         [0] MessageID,
                startAtEntry            [1] INTEGER,
                entriesToReturn         [2] INTEGER }


        ResumeError ::= [APPLICATION 21] LDAPResult

        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
                object          LDAPDN,
                modification    SEQUENCE OF SEQUENCE {
                        operation       ENUMERATED {
                                                add     (0),
                                                delete  (1),
                                                replace (2) },
                        modification    AttributeTypeAndValues } }

        AttributeTypeAndValues ::= SEQUENCE {
                type    AttributeDescription,
                vals    SET OF AttributeValue }

        ModifyResponse ::= [APPLICATION 7] LDAPResult

        AddRequest ::= [APPLICATION 8] SEQUENCE {
                entry           LDAPDN,
                attributes      AttributeList }

        AttributeList ::= SEQUENCE OF SEQUENCE {
                type    AttributeDescription,
                vals    SET OF AttributeValue }


        AddResponse ::= [APPLICATION 9] LDAPResult

        DelRequest ::= [APPLICATION 10] LDAPDN

        DelResponse ::= [APPLICATION 11] LDAPResult

        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
                entry           LDAPDN,
                newrdn          RelativeLDAPDN,
                deleteoldrdn    BOOLEAN,
                newSuperior     [0] LDAPDN OPTIONAL }

        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

        CompareRequest ::= [APPLICATION 14] SEQUENCE {
                entry           LDAPDN,
                ava             AttributeValueAssertion }


        CompareResponse ::= [APPLICATION 15] SEQUENCE {
           COMPONENTS OF LDAPResult,
           matchedSubtype [9] AttributeType OPTIONAL }

        AbandonRequest ::= [APPLICATION 16] MessageID


Wahl, Howes, Kille                                                [Page 40]


INTERNET-DRAFT                     LDAP                          August 1996

        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
                requestName      [0] LDAPOID,
                requestValue     [1] OCTET STRING }

        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
                COMPONENTS OF LDAPResult,
                responseName     [10] LDAPOID OPTIONAL,
                response         [11] OCTET STRING OPTIONAL }


        -- not part of LDAP core protocol, see Appendix B --

        ProtectedPassword ::= SEQUENCE {
                time1                   [0] UTCTime OPTIONAL,
                time2                   [1] UTCTime OPTIONAL,
                random1                 [2] BIT STRING OPTIONAL,
                random2                 [3] BIT STRING OPTIONAL,
                protected               [4] OCTET STRING }

        StrongCredentials ::= SEQUENCE {
                certification-path      [0] AF.CertificationPath OPTIONAL,
                bind-token              [1] DAS.Token }


        END

Appendix B - X.500 Authentication Mechanisms

   This Appendix defines two SASL authentication mechanisms which may
   be used with LDAP.  These mechanisms are only for authentication, they
   have no effect on the protocol encodings and are not designed to
   provide integrity or confidentiality services.

   If an implementation supports these elements, then the following
   additional encoding restrictions apply tor these elements:

   (5) UTC Times should be encoded with the "Z" suffix, not as a local time.

   (6) Unused bits in the final octet of the encoding of a BIT STRING
       value, if there are any, should always be set to zero.

B.1. X.511-Protected

   The "X.511-Protected" authentication mechanism allows a hash of the
   password, combined optionally with the current time and random
   numbers, to be sent to the server.  The protected field contains the hash
   value.  This prevents a password from being carried in the clear.

   The mechanism field is set to the string "X.511-Protected", and the
   credentials field contain the DER encoding of a value of the following
   ASN.1 type:

        ProtectedPassword ::= SEQUENCE {
                time1                   [0] UTCTime OPTIONAL,
                time2                   [1] UTCTime OPTIONAL,
                random1                 [2] BIT STRING OPTIONAL,
                random2                 [3] BIT STRING OPTIONAL,
                protected               [4] OCTET STRING }
Wahl, Howes, Kille                                                [Page 41]


INTERNET-DRAFT                     LDAP                          August 1996

   The use of the time1, time2, random1, random2 and protected fields are
   as defined in ITU-T Rec. X.509 [12] and the functional profile for X.500
   for the environment in which this authentication mechanism is to be used.

   The name field of the BindRequest must be a nonempty string when this
   mechanism is being used to authenticate the client.  Note that this
   security mechanism is not intended to protect against attackers
   modifying the bind name field or other protocol elements.

B.2. X.511-Strong

   Strong authentication to the directory can be accomplished using the
   "X.511-Strong".

   The mechanism field is set to the string "X.511-Strong", and the
   credentials field set to a DER-encoding of a value of the following
   ASN.1 type:

        StrongCredentials ::= SEQUENCE {
                certification-path      [0] AF.CertificationPath OPTIONAL,
                bind-token              [1] DAS.Token }

   The ASN.1 type "CertificationPath" is defined in [12], and the ASN.1
   type "Token" is defined in [13].

   When the credentials are being used to authenticate the client, it is
   recommended that the certification-path field be present, which will
   contain minimally the client's certificate. If the certification-path
   field is supplied, then the name field of the BindRequest must be an
   empty string, and the server will obtain the name of the client from
   the subject field of the certification-path userCertificate.

   It is recommended for interoperability that if the server's or client's
   certificates contain RSA public keys, the PKCS md5WithRSAEncryption
   (1.2.840.113549.1.1.4) algorithm should be used.

Table of Contents

   1.  Status of this Memo ....................................  1
   2.  Abstract ...............................................  1
   3.  Models .................................................  2
   3.1. Protocol Model ........................................  2
   3.2. Data Model ............................................  3
   3.2.1 Attributes of Entries ................................  3
   3.2.2 Subschema Subentry ...................................  4
   3.3. Relationship to X.500 .................................  4
   3.4. Server-specific Data Requirements .....................  5
   4.  Elements of Protocol ...................................  5
   4.1. Common Elements .......................................  5
   4.1.1. Message Envelope ....................................  5
   4.1.2. String Types ........................................  7
   4.1.3. Distinguished Name and Relative Distinguished Name ..  7
   4.1.4. Attribute Type and Description ......................  8
   4.1.5. Attribute Value .....................................  9
   4.1.6. Attribute Value Assertion ...........................  9
   4.1.7. Attribute ........................................... 10
   4.1.8. Matching Rule Identifier ............................ 10
   4.1.9. Result Message ...................................... 10
Wahl, Howes, Kille                                                [Page 42]


INTERNET-DRAFT                     LDAP                          August 1996

   4.1.10. Referral ........................................... 12
   4.2.  Bind Operation ....................................... 13
   4.2.1. Sequencing of the Bind Request ...................... 13
   4.2.2 Authentication and Other Security Services ........... 14
   4.2.3. Bind Response ....................................... 14
   4.3.  Unbind Operation ..................................... 15
   4.4.  Session Control Operation ............................ 15
   4.5.  Search Operation ..................................... 18
   4.5.1. Search Request ...................................... 18
   4.5.2. Search Result ....................................... 21
   4.5.3. Continuation References in the Search Result ........ 24
   4.5.3.1 Example ............................................ 24
   4.6.  Resume Search Operation .............................. 25
   4.7.  Modify Operation ..................................... 26
   4.8.  Add Operation ........................................ 28
   4.9.  Delete Operation ..................................... 28
   4.10.  Modify DN Operation ................................. 29
   4.11.  Compare Operation ................................... 29
   4.12.  Abandon Operation ................................... 30
   4.13.  Extended Operation .................................. 31
   5.  Protocol Element Encodings and Transfer ................ 31
   5.1.  Mapping Onto BER-based Transport Services ............ 31
   5.1.1.  Transmission Control Protocol (TCP) ................ 32
   5.1.2.  Connection Oriented Transport Service (COTS) ....... 32
   5.1.3.  User Datagram Protocol (UDP) ....................... 32
   5.1.4.  Secure Socket Layer over TCP (SSL) ................. 32
   6.  Implementation Guidelines .............................. 32
   6.1.  Server Implementations ............................... 32
   6.2.  Client Implementations ............................... 32
   6.2.1. Loop Detection ...................................... 32
   7.  Security Considerations ................................ 33
   8.  Acknowledgements ....................................... 34
   9.  Bibliography ........................................... 34
   10.  Authors' Address ...................................... 35
   Appendix A - Complete ASN.1 Definition ..................... 35
   Appendix B - X.500 Authentication Mechanisms ............... 41
   B.1. X.511-Protected ....................................... 41
   B.2. X.511-Strong .......................................... 42


<draft-ietf-asid-ldapv3-protocol-02.txt> Expires: March 2, 1997






Wahl, Howes, Kille                                                [Page 43]