INTERNET-DRAFT                                    Kurt D. Zeilenga
Intended Category: Standard Track                 OpenLDAP Foundation
Date: 22 April 2002                               Steven Legg
Expires in six months                             Adacel Technologies


                            Subentries in LDAP
                  <draft-zeilenga-ldap-subentry-04.txt>


Status of this Memo

  This document is an Internet-Draft and is in full conformance with all
  provisions of Section 10 of RFC2026.

  This document is intended to be, after appropriate review and
  revision, submitted to the RFC Editor as a Standard Track document.
  Distribution of this memo is unlimited.  Technical discussion of this
  document will take place on the IETF LDAP Extension Working Group
  mailing list <ietf-ldapext@netscape.com>.  Please send editorial
  comments directly to the author <Kurt@OpenLDAP.org>.

  Internet-Drafts are working documents of the Internet Engineering Task
  Force (IETF), its areas, and its working groups.  Note that other
  groups may also distribute working documents as Internet-Drafts.
  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time.  It is inappropriate to use Internet-Drafts as reference
  material or to cite them other than as ``work in progress.''

  The list of current Internet-Drafts can be accessed at
  <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
  Internet-Draft Shadow Directories can be accessed at
  <http://www.ietf.org/shadow.html>.

  Copyright 2002, The Internet Society.  All Rights Reserved.

  Please see the Copyright section near the end of this document for
  more information.


Abstract

  In X.500 directories, subentries are special entries used to hold
  information associated with a subtree or subtree refinement.  This
  document adapts X.500 subentries mechanisms for use with Lightweight
  Directory Access Protocol (LDAP).




Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 1]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


Conventions

  Schema definitions are provided using LDAP description formats
  [RFC2252].  Definitions provided here are formatted (line wrapped) for
  readability.

  Protocol elements are described using ASN.1 [X.680].  The term
  "BER-encoded" means the element is to be encoded using the Basic
  Encoding Rules [X.690] under the restrictions detailed in Section 5.1
  of [RFC2251].

  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
  document are to be interpreted as described in BCP 14 [RFC2119].


1. Overview

  From [X.501]:
      A subentry is a special kind of entry immediately subordinate to
      an administrative point.  It contains attributes that pertain to a
      subtree (or subtree refinement) associated with its administrative
      point.  The subentries and their administrative point are part of
      the same naming context.

      A single subentry may serve all or several aspects of
      administrative authority.  Alternatively, a specific aspect of
      administrative authority may be handled through one or more of its
      own subentries.

  Subentries in Lightweight Directory Access Protocol (LDAP) [LDAPTS]
  SHALL behave in accordance with X.501 unless noted otherwise in this
  specification.

  In absence of the subentries control (detailed in Section 3),
  subentries SHALL NOT be considered in one-level and subtree scope
  search operations.  For all other operations, including base scope
  search operations, subentries SHALL be considered.


2. Subentry Schema

2.1. Subtree Specification Syntax

  The Subtree Specification syntax provides a general purpose mechanism
  for the specification of a subset of entries in a subtree of the
  Directory Information Tree (DIT).  A subtree begins at some base entry
  and includes the subordinates of that entry down to some identified



Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 2]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


  lower boundary, possibly extending to the leaf entries.  A subtree
  specification is always used within a context or scope which
  implicitly determines the bounds of the subtree.  For example, the
  scope of a subtree specification for a subschema administrative area
  does not include the subtrees of any subordinate administrative point
  entries for subschema administration.  Where a subtree specification
  does not identify a contiguous subset of the entries within a single
  subtree the collection is termed a subtree refinement.

  This syntax corresponds to the SubtreeSpecification ASN.1 type
  described in [X.501], Section 11.3.  This ASN.1 data type definition
  is reproduced here for completeness.

    SubtreeSpecification ::= SEQUENCE {
        base                [0] LocalName DEFAULT { },
                                COMPONENTS OF ChopSpecification,
        specificationFilter [4] Refinement OPTIONAL }


    LocalName ::= RDNSequence

    ChopSpecification ::= SEQUENCE {
        specificExclusions  [1] SET OF CHOICE {
                                chopBefore [0] LocalName,
                                chopAfter [1] LocalName } OPTIONAL,
        minimum             [2] BaseDistance DEFAULT 0,
        maximum             [3] BaseDistance OPTIONAL}

    BaseDistance ::= INTEGER (0 .. MAX)

    Refinement ::= CHOICE {
        item                [0] OBJECT-CLASS.&id,
        and                 [1] SET OF Refinement,
        or                  [2] SET OF Refinement,
        not                 [3] Refinement }

  The components of SubtreeSpecification are: base, which identifies the
  base entry of the subtree or subtree refinement, and
  specificExclusions, minimum, maximum and specificationFilter, which
  then reduce the set of subordinate entries of the base entry.  The
  subtree or subtree refinement contains all the entries within scope
  that are not excluded by any of the components of the subtree
  specification.  When all of the components of SubtreeSpecification are
  absent (i.e. when a value of the Subtree Specification syntax is the
  empty sequence, {}), the subtree so specified implicitly includes all
  the entries within scope.

  Any particular use of this mechanism MAY impose limitations or



Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 3]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


  constraints on the components of SubtreeSpecification.

  The LDAP syntax specification is:

      ( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' )

  The native LDAP encoding of values of this syntax is defined by the
  Generic String Encoding Rules [GSER].   Appendix A provides an
  equivalent ABNF for this syntax.


2.1.1. Base

  The base component of SubtreeSpecification nominates the base entry of
  the subtree or subtree refinement.  The base entry may be an entry
  which is subordinate to the root entry of the scope in which the
  subtree specification is used, in which case the base component
  contains a sequence of RDNs relative to the root entry of the scope,
  or may be the root entry of the scope itself (the default), in which
  case the base component is absent or contains an empty sequence of
  RDNs.

  Entries that are not subordinates of the base entry are excluded from
  the subtree or subtree refinement.


2.1.2. Specific Exclusions

  The specificExclusions component of a ChopSpecification is a list of
  exclusions that specify entries and their subordinates to be excluded
  from the the subtree or subtree refinement.  The entry is specified by
  a sequence of RDNs relative to the base entry (i.e.  a LocalName).
  Each exclusion is of either the chopBefore or chopAfter form.  If the
  chopBefore form is used then the specified entry and its subordinates
  are excluded from the subtree or subtree refinement.  If the chopAfter
  form is used then only the subordinates of the specified entry are
  excluded from the subtree or subtree refinement.


2.1.3. Minimum and Maximum

  The minimum and maximum components of a ChopSpecification allow the
  exclusion of entries based on their depth in the DIT.

  Entries that are less than the minimum number of RDN arcs below the
  base entry are excluded from the subtree or subtree refinement.  A
  minimum value of zero (the default) corresponds to the base entry.




Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 4]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


  Entries that are more than the maximum number of RDN arcs below the
  base entry are excluded from the subtree or subtree refinement.  An
  absent maximum component indicates that there is no upper limit on the
  number of RDN arcs below the base entry for entries in the subtree or
  subtree refinement.

2.1.4. Specification Filter

  The specificationFilter component is a boolean expression of
  assertions about the values of the objectClass attribute of the base
  entry and its subordinates.  A Refinement assertion item evaluates to
  true for an entry if that entry's objectClass attribute contains the
  OID nominated in the assertion.  Entries for which the overall filter
  evaluates to false are excluded from the subtree refinement.  If the
  specificationFilter is absent then no entries are excluded from the
  subtree or subtree refinement because of their objectClass attribute
  values.


2.2. Administrative Role Attribute Type

  The Administrative Model defined in [X.501], clause 10 requires that
  administrative entries contain an administrativeRole attribute to
  indicate that the associated administrative area is concerned with one
  or more administrative roles.

  The administrativeRole operational attribute is specified as follows:

      ( 2.5.18.5 NAME 'administrativeRole'
          EQUALITY objectIdentifierMatch
          USAGE directoryOperation
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

  The possible values of this attribute defined in X.501 are:

       OID            NAME
       --------  -------------------------------
      2.5.23.1   autonomousArea
      2.5.23.2   accessControlSpecificArea
      2.5.23.3   accessControlInnerArea
      2.5.23.4   subschemaAdminSpecificArea
      2.5.23.5   collectiveAttributeSpecificArea
      2.5.23.6   collectiveAttributeInnerArea

  Other values may be defined in other specifications.  Names associated
  with each administrative role are Object Identifier Descriptors
  [LDAPIANA].




Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 5]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


  The administrativeRole operational attribute is also used to regulate
  the subentries permitted to be subordinate to an administrative entry.
  A subentry not of a class permitted by the administrativeRole
  attribute cannot be subordinate to the administrative entry.


2.3. Subtree Specification Attribute Type

  The subtreeSpecification operational attribute is defined as follows:

      ( 2.5.18.6 NAME 'subtreeSpecification'
          SINGLE-VALUE
          USAGE directoryOperation
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.45 )

  This attribute is present in all subentries.  See [X.501], clause 10.
  Values of the subtreeSpecification attribute nominate collections of
  entries within the DIT for one or more aspects of administrative
  authority.


2.4. Subentry Object Class

  The subentry object class is a structural object class.

      ( 2.5.20.0 NAME 'subentry'
          SUP top STRUCTURAL
          MUST ( cn $ subtreeSpecification ) )


3. Subentries Control

  The subentries control MAY be sent with a searchRequest to control the
  visibility of entries and subentries which are within scope.
  Non-visible entries or subentries are not returned in response to the
  request.

  The subentries control is an LDAP Control whose controlType is
  1.3.6.1.4.1.4203.1.10.1, criticality is TRUE or FALSE (hence absent),
  and controlValue contains a BER-encoded BOOLEAN indicating visibility.
  A controlValue containing the value TRUE indicates that subentries are
  visible and normal entries are not.  A controlValue containing the
  value FALSE indicates that normal entries are visible and subentries
  are not.

  Note that TRUE visibility has the three octet encoding { 01 01 FF }
  and FALSE visibility has the three octet encoding { 01 01 00 }.




Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 6]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


  The controlValue SHALL NOT be absent.

  In absence of this control, subentries are not visible to singleLevel
  and wholeSubtree scope Search requests but are visible to baseObject
  scope Search requests.

  There is no corresponding response control.

  This control is not appropriate for non-Search operations.


4. Security Considerations

  Subentries often hold administrative information or other sensitive
  information and should be protected from unauthorized access and
  disclosure as described in [RFC2829][RFC2830].

  General LDAP [LDAPTS] security considerations also apply.


5. Acknowledgment

  This document is based on engineering done by IETF LDUP and LDAPext
  Working Groups including "LDAP Subentry Schema" by Ed Reed.  This
  document also borrows from a number of ITU documents including X.501.


6. Authors' Addresses

  Kurt D. Zeilenga
  OpenLDAP Foundation

  Email: Kurt@OpenLDAP.org

  Steven Legg
  Adacel Technologies Ltd.
  405-409 Ferntree Gully Road
  Mount Waverley, Victoria 3149
  AUSTRALIA

  Phone: +61 3 9451 2107
    Fax: +61 3 9541 2121
  EMail: steven.legg@adacel.com.au


7. Normative References

  [X.501]     ITU-T, "The Directory -- Models," X.501, 1993.



Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 7]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


  [X.680]     ITU-T, "Abstract Syntax Notation One (ASN.1) -
              Specification of Basic Notation", X.680, 1994.

  [X.690]     ITU-T, "Specification of ASN.1 encoding rules:  Basic,
              Canonical, and Distinguished Encoding Rules", X.690, 1994.

  [RFC2119]   S. Bradner, "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14 (was RFC 2119), March 1997.

  [RFC2251]   M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
              Protocol (v3)", RFC 2251, December 1997.

  [RFC2252]   M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
              Directory Access Protocol (v3):  Attribute Syntax
              Definitions", RFC 2252, December 1997.

  [RFC2829]   M. Wahl, H. Alvestrand, J. Hodges, R. Morgan,
              "Authentication Methods for LDAP", RFC 2829, May 2000

  [RFC2830]   J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory
              Access Protocol (v3): Extension for Transport Layer
              Security", RFC 2830, May 2000.

  [LDAPTS]    J. Hodges, R.L. Morgan, "Lightweight Directory Access
              Protocol (v3): Technical Specification",
              draft-ietf-ldapbis-ldapv3-ts-xx.txt, a work in progress.

  [GSER] S. Legg, "Generic String Encoding Rules for ASN.1 Types",
              draft-legg-ldapext-gser--xx.txt, a work in progress.

  [LDAPIANA]  K. Zeilenga, "IANA Considerations for LDAP", draft-ietf-
              ldapbis-xx.txt, a work in progress.


8. Informative References

  [RFC2234]   D. Crocker, P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 2234, November 1997.

  [GCE]       S. Legg, "Common Elements of GSER Encodings",
              draft-legg-ldap-gser-abnf-xx.txt, a work in progress.


A. Subtree Specification ABNF

  This appendix is non-normative.

  The LDAP-specific native string encoding for the Subtree Specification



Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 8]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


  syntax is specified by the Generic String Encoding Rules [GSER].  The
  ABNF [RFC2234] in this appendix for this syntax is provided only as a
  convenience and is equivalent to the encoding specified by the
  application of [GSER].  Since the SubtreeSpecification ASN.1 type may
  be extended in future editions of [X.501], the provided ABNF should be
  regarded as a snapshot in time.  The native LDAP encoding for any
  extension to the SubtreeSpecification ASN.1 type can be determined
  from [GSER].

  In the event that there is a discrepancy between this ABNF and the
  encoding determined by [GSER], [GSER] is to be taken as definitive.

    SubtreeSpecification = "{"    [ sp base ]
                              [ sep sp specificExclusions ]
                              [ sep sp minimum ]
                              [ sep sp maximum ]
                              [ sep sp specificationFilter ]
                                    sp "}"

    base                = id-base                msp LocalName
    specificExclusions  = id-specificExclusions  msp SpecificExclusions
    minimum             = id-minimum             msp BaseDistance
    maximum             = id-maximum             msp BaseDistance
    specificationFilter = id-specificationFilter msp Refinement

    id-base                = %x62.61.73.65 ; "base"
    id-specificExclusions  = %x73.70.65.63.69.66.69.63.45.78.63.6C.75.73
                                %x69.6F.6E.73 ; "specificExclusions"
    id-minimum             = %x6D.69.6E.69.6D.75.6D ; "minimum"
    id-maximum             = %x6D.61.78.69.6D.75.6D ; "maximum"
    id-specificationFilter = %x73.70.65.63.69.66.69.63.61.74.69.6F.6E.46
                                %x69.6C.74.65.72 ; "specificationFilter"

    SpecificExclusions = "{" sp SpecificExclusion
                            *( "," sp SpecificExclusion ) sp "}"
    SpecificExclusion  = chopBefore / chopAfter
    chopBefore         = id-chopBefore ":" LocalName
    chopAfter          = id-chopAfter  ":" LocalName
    id-chopBefore      = %x63.68.6F.70.42.65.66.6F.72.65 ; "chopBefore"
    id-chopAfter       = %x63.68.6F.70.41.66.74.65.72    ; "chopAfter"

    Refinement  = item / and / or / not
    item        = id-item ":" OBJECT-IDENTIFIER
    and         = id-and  ":" Refinements
    or          = id-or   ":" Refinements
    not         = id-not  ":" Refinement
    Refinements = "{" [ sp Refinement
                     *( "," sp Refinement ) ] sp "}"



Zeilenga             draft-zeilenga-ldap-subentry-04            [Page 9]


INTERNET-DRAFT             Subentries in LDAP              22 April 2002


    id-item     = %x69.74.65.6D ; "item"
    id-and      = %x61.6E.64    ; "and"
    id-or       = %x6F.72       ; "or"
    id-not      = %x6E.6F.74    ; "not"

    BaseDistance = INTEGER

  The <sp>, <msp>, <sep>, <INTEGER>, <OBJECT-IDENTIFIER> and <LocalName>
  rules are defined in [GCE].


Copyright 2002, The Internet Society.  All Rights Reserved.

  This document and translations of it may be copied and furnished to
  others, and derivative works that comment on or otherwise explain it
  or assist in its implementation may be prepared, copied, published and
  distributed, in whole or in part, without restriction of any kind,
  provided that the above copyright notice and this paragraph are
  included on all such copies and derivative works.  However, this
  document itself may not be modified in any way, such as by removing
  the copyright notice or references to the Internet Society or other
  Internet organizations, except as needed for the  purpose of
  developing Internet standards in which case the procedures for
  copyrights defined in the Internet Standards process must be followed,
  or as required to translate it into languages other than English.

  The limited permissions granted above are perpetual and will not be
  revoked by the Internet Society or its successors or assigns.

  This document and the information contained herein is provided on an
  "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
  ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
















Zeilenga             draft-zeilenga-ldap-subentry-04           [Page 10]