rfc3088.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 620 行 · 第 1/2 页
TXT
620 行
c: searchRequest {
base="CN=subordinate,DC=example,DC=net"
scope=base
filter=(objectClass=*)
ManageDSAit
}
s: searchResult {
noSuchObject
matchedDN="DC=example,DC=net"
}
5. Using the Service
Servers may be configured to refer superior requests to
<ldap://root.openldap.org:389>.
Though clients may use the service directly, this is not encouraged.
Clients should use a local service and only use this service when
referred to it.
The service supports LDAPv3 and LDAPv2+ [LDAPv2+] clients over
TCP/IPv4. Future incarnations of this service may support TCP/IPv6
or other transport/internet protocols.
Zeilenga Experimental [Page 6]
RFC 3088 OpenLDAP Root Service April 2001
6. Lessons Learned
6.1. Scaling / Reliability
This service currently runs on a single host. This host and
associated network resources are not yet exhausted. If they do
become exhausted, we believe we can easily scale to meet the demand
through common distributed load balancing technics. The service can
also easily be duplicated locally.
6.2. Protocol interoperability
This service has able avoided known interoperability issues in
supporting variants of LDAP.
6.2.1. LDAPv3
The server implements all features of LDAPv3 [RFC2251] necessary to
provide the service.
6.2.2. LDAPv2
LDAPv2 [RFC1777] does not support the return of referrals and hence
may not be referred to this service. Though a LDAPv2 client could
connect and issue requests to this service, the client would treat
any referral returned to it as an unknown error.
6.2.3. LDAPv2+
LDAPv2+ [LDAPv2+] provides a number of extensions to LDAPv2,
including referrals. LDAPv2+, like LDAPv3, does not require a bind
operation before issuing of other operations. As the referral
representation differ between LDAPv2+ and LDAPv3, the service returns
LDAPv3 referrals in this case. However, as commonly deployed LDAPv2+
clients issue bind requests (for compatibility with LDAPv2 servers),
this has not generated any interoperability issues (yet).
A future incarnation of this service may drop support for LDAPv2+
(and LDAPv2).
6.2.4. CLDAP
CLDAP [RFC1798] does not support the return of referrals and hence is
not supported.
Zeilenga Experimental [Page 7]
RFC 3088 OpenLDAP Root Service April 2001
7. Security Considerations
This service provides information to "anonymous" clients. This
information is derived from the public directories, namely the Domain
Name System.
The use of authentication would require clients to disclose
information to the service. This would be an unnecessary invasion of
privacy.
The lack of encryption allows eavesdropping upon client requests and
responses. A later incarnation of this service may support
encryption (such as via Start TLS [RFC2830]).
Information integrity protection is not provided by the service. The
service is subject to varies forms of DNS spoofing and attacks. LDAP
session or operation integrity would provide false sense of security
concerning the integrity of DNS information. A later incarnation of
this service may support DNSSEC and provide integrity protection (via
SASL, TLS, or IPSEC).
The service is subject to a variety of denial of service attacks.
The service is capable of blocking access by a number of factors.
This capability have yet to be used and likely would be ineffective
in preventing sophisticated attacks. Later incarnations of this
service will likely need better protection from such attacks.
8. Conclusions
DNS is good glue. By leveraging of the Domain Name System, global
LDAP directories may be built without requiring a protocol specific
registration infrastructures.
In addition, use of DNS service location allows global directories to
be built "ad hoc". That is, anyone with a domain name can
participate. There is no requirement that the superior domain
participate.
9. Additional Information
Additional information about the OpenLDAP Project and the OpenLDAP
Root Service can be found at <http://www.openldap.org/>.
Zeilenga Experimental [Page 8]
RFC 3088 OpenLDAP Root Service April 2001
10. Author's Address
Kurt Zeilenga
OpenLDAP Foundation
EMail: kurt@openldap.org
11. Acknowledgments
Internet hosting for this experiment is provided by the Internet
Software Consortium <http://www.isc.org/>. Computing resources were
provided by Net Boolean Incorporated <http://www.boolean.net/>. This
experiment would not have been possible without the contributions of
numerous volunteers of the open source community. Mechanisms
described in this document are based upon those introduced in
[RFC2247] and [LOCATE].
References
[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
STD 13, RFC 1034, November 1987.
[RFC1777] Yeong, W., Howes, T. and S. Kille, "Lightweight Directory
Access Protocol", RFC 1777, March 1995.
[RFC1798] Young, A., "Connection-less Lightweight Directory Access
Protocol", RFC 1798, June 1995.
[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S.
Sataluri, "Using Domains in LDAP/X.500 Distinguished
Names", RFC 2247, January 1998.
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.
[RFC2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory
Access Protocol (v3): UTF-8 String Representation of
Distinguished Names", RFC 2253, December 1997.
[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255,
December 1997.
[RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
Zeilenga Experimental [Page 9]
RFC 3088 OpenLDAP Root Service April 2001
[RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan,
"Authentication Methods for LDAP", RFC 2829, May 2000.
[RFC2830] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory
Access Protocol (v3): Extension for Transport Layer
Security", RFC 2830, May 2000.
[LOCATE] IETF LDAPext WG, "Discovering LDAP Services with DNS",
Work in Progress.
[LDAPv2+] University of Michigan LDAP Team, "Referrals within the
LDAPv2 Protocol", August 1996.
[NAMEDREF] Zeilenga, K. (editor), "Named Subordinate References in
LDAP Directories", Work in Progress.
[X500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
Models and Service", 1993.
Zeilenga Experimental [Page 10]
RFC 3088 OpenLDAP Root Service April 2001
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Zeilenga Experimental [Page 11]
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?