rfc1777.txt

著名的RFC文档,其中有一些文档是已经翻译成中文的的.

Network Working Group                                           W. Yeong
Request for Comments: 1777             Performance Systems International
Obsoletes: 1487                                                 T. Howes
Category: Standards Track                         University of Michigan
                                                                S. Kille
                                                        ISODE Consortium
                                                              March 1995


                 Lightweight Directory Access Protocol

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   The protocol described in this document is designed to provide access
   to the X.500 Directory while not incurring the resource requirements
   of the Directory Access Protocol (DAP). This protocol is specifically
   targeted at simple management applications and browser applications
   that provide simple read/write interactive access to the X.500
   Directory, and is intended to be a complement to the DAP itself.

   Key aspects of LDAP are:

   - Protocol elements are carried directly over TCP or other transport,
     bypassing much of the session/presentation overhead.

   - Many protocol data elements are encoding as ordinary strings (e.g.,
     Distinguished Names).

   - A lightweight BER encoding is used to encode all protocol elements.

1.  History

   The tremendous interest in X.500 [1,2] technology in the Internet has
   lead to efforts to reduce the high "cost of entry" associated with
   use of the technology, such as the Directory Assistance Service [3]
   and DIXIE [4]. While efforts such as these have met with success,
   they have been solutions based on particular implementations and as
   such have limited applicability.  This document continues the efforts
   to define Directory protocol alternatives but departs from previous
   efforts in that it consciously avoids dependence on particular



Yeong, Howes & Kille                                            [Page 1]

RFC 1777                          LDAP                        March 1995


   implementations.

2.  Protocol Model

   The general model adopted by this protocol is one of clients
   performing protocol operations against servers. In this model, this
   is accomplished by a client transmitting a protocol request
   describing the operation to be performed to a server, which is then
   responsible for performing the necessary operations on the Directory.
   Upon completion of the necessary operations, the server returns a
   response containing any results or errors to the requesting client.
   In keeping with the goal of easing the costs associated with use of
   the Directory, it is an objective of this protocol to minimize the
   complexity of clients so as to facilitate widespread deployment of
   applications capable of utilizing the Directory.

   Note that, although servers are required to return responses whenever
   such responses are defined in the protocol, there is no requirement
   for synchronous behavior on the part of either client or server
   implementations: requests and responses for multiple operations may
   be exchanged by client and servers in any order, as long as clients
   eventually receive a response for every request that requires one.

   Consistent with the model of servers performing protocol operations
   on behalf of clients, it is also to be noted that protocol servers
   are expected to handle referrals without resorting to the return of
   such referrals to the client. This protocol makes no provisions for
   the return of referrals to clients, as the model is one of servers
   ensuring the performance of all necessary operations in the
   Directory, with only final results or errors being returned by
   servers to clients.

   Note that this protocol can be mapped to a strict subset of the
   directory abstract service, so it can be cleanly provided by the DAP.

3.  Mapping Onto Transport Services

   This protocol is designed to run over connection-oriented, reliable
   transports, with all 8 bits in an octet being significant in the data
   stream.  Specifications for two underlying services are defined here,
   though others are also possible.

3.1.  Transmission Control Protocol (TCP)

   The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
   Server implementations running over the TCP should provide a protocol
   listener on port 389.




Yeong, Howes & Kille                                            [Page 2]

RFC 1777                          LDAP                        March 1995


3.2.  Connection Oriented Transport Service (COTS)

   The connection is established.  No special use of T-Connect is made.
   Each LDAPMessage PDU is mapped directly onto T-Data.

4.  Elements of Protocol

   For the purposes of protocol exchanges, all protocol operations are
   encapsulated in a common envelope, the LDAPMessage, which is defined
   as follows:

     LDAPMessage ::=
         SEQUENCE {
              messageID      MessageID,
              protocolOp     CHOICE {
                                  bindRequest         BindRequest,
                                  bindResponse        BindResponse,
                                  unbindRequest       UnbindRequest,
                                  searchRequest       SearchRequest,
                                  searchResponse      SearchResponse,
                                  modifyRequest       ModifyRequest,
                                  modifyResponse      ModifyResponse,
                                  addRequest          AddRequest,
                                  addResponse         AddResponse,
                                  delRequest          DelRequest,
                                  delResponse         DelResponse,
                                  modifyRDNRequest    ModifyRDNRequest,
                                  modifyRDNResponse   ModifyRDNResponse,
                                  compareDNRequest    CompareRequest,
                                  compareDNResponse   CompareResponse,
                                  abandonRequest      AbandonRequest
                             }
         }

     MessageID ::= INTEGER (0 .. maxInt)

   The function of the LDAPMessage is to provide an envelope containing
   common fields required in all protocol exchanges. At this time the
   only common field is a message ID, which is required to have a value
   different from the values of any other requests outstanding in the
   LDAP session of which this message is a part.

   The message ID value must be echoed in all LDAPMessage envelopes
   encapsulting responses corresponding to the request contained in the
   LDAPMessage in which the message ID value was originally used.

   In addition to the LDAPMessage defined above, the following
   definitions are also used in defining protocol operations:



Yeong, Howes & Kille                                            [Page 3]

RFC 1777                          LDAP                        March 1995


     LDAPString ::= OCTET STRING

   The LDAPString is a notational convenience to indicate that, although
   strings of LDAPString type encode as OCTET STRING types, the legal
   character set in such strings is limited to the IA5 character set.

     LDAPDN ::= LDAPString

     RelativeLDAPDN ::= LDAPString

   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
   representation of a Distinguished Name and a Relative Distinguished
   Name after encoding according to the specification in [5], such that

     <distinguished-name> ::= <name>

     <relative-distinguished-name> ::= <name-component>

   where <name> and <name-component> are as defined in [5].

     AttributeValueAssertion ::=
         SEQUENCE {
              attributeType       AttributeType,
              attributeValue      AttributeValue
         }

   The AttributeValueAssertion type definition  is similar to the one in
   the X.500 Directory standards.

     AttributeType ::= LDAPString

     AttributeValue ::= OCTET STRING

   An AttributeType value takes on as its value the textual string
   associated with that AttributeType in the X.500 Directory standards.
   For example, the AttributeType 'organizationName' with object
   identifier 2.5.4.10 is represented as an AttributeType in this
   protocol by the string "organizationName".  In the event that a
   protocol implementation encounters an Attribute Type with which it
   cannot associate a textual string, an ASCII string encoding of the
   object identifier associated with the Attribute Type may be
   subsitituted.  For example, the organizationName AttributeType may be
   represented by the ASCII string "2.5.4.10" if a protocol
   implementation is unable to associate the string "organizationName"
   with it.






Yeong, Howes & Kille                                            [Page 4]

RFC 1777                          LDAP                        March 1995


   A field of type AttributeValue takes on as its value an octet string
   encoding of a Directory AttributeValue type. The definition of these
   string encodings for different Directory AttributeValue types may be
   found in companions to this document that define the encodings of
   various attribute syntaxes such as [6].

     LDAPResult ::=
         SEQUENCE {
             resultCode    ENUMERATED {
                             success                      (0),
                             operationsError              (1),
                             protocolError                (2),
                             timeLimitExceeded            (3),
                             sizeLimitExceeded            (4),
                             compareFalse                 (5),
                             compareTrue                  (6),
                             authMethodNotSupported       (7),
                             strongAuthRequired           (8),
                             noSuchAttribute              (16),
                             undefinedAttributeType       (17),
                             inappropriateMatching        (18),
                             constraintViolation          (19),
                             attributeOrValueExists       (20),
                             invalidAttributeSyntax       (21),
                             noSuchObject                 (32),
                             aliasProblem                 (33),
                             invalidDNSyntax              (34),
                             isLeaf                       (35),
                             aliasDereferencingProblem    (36),
                             inappropriateAuthentication  (48),
                             invalidCredentials           (49),
                             insufficientAccessRights     (50),
                             busy                         (51),
                             unavailable                  (52),
                             unwillingToPerform           (53),
                             loopDetect                   (54),
                             namingViolation              (64),
                             objectClassViolation         (65),
                             notAllowedOnNonLeaf          (66),
                             notAllowedOnRDN              (67),
                             entryAlreadyExists           (68),
                             objectClassModsProhibited    (69),
                             other                        (80)
                           },
             matchedDN     LDAPDN,
             errorMessage  LDAPString
         }




Yeong, Howes & Kille                                            [Page 5]

RFC 1777                          LDAP                        March 1995


   The LDAPResult is the construct used in this protocol to return
   success or failure indications from servers to clients. In response
   to various requests, servers will return responses containing fields
   of type LDAPResult to indicate the final status of a protocol
   operation request.  The errorMessage field of this construct may, at
   the servers option, be used to return an ASCII string containing a
   textual, human-readable error diagnostic. As this error diagnostic is
   not standardized, implementations should not rely on the values
   returned.  If the server chooses not to return a textual diagnostic,
   the errorMessage field of the LDAPResult type should contain a zero
   length string.

   For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax,
   isLeaf, and aliasDereferencingProblem, the matchedDN field is set to
   the name of the lowest entry (object or alias) in the DIT that was
   matched and is a truncated form of the name provided or, if an alias
   has been dereferenced, of the resulting name.  The matchedDN field
   should be set to NULL DN (a zero length string) in all other cases.

4.1.  Bind Operation

   The function of the Bind Operation is to initiate a protocol session
   between a client and a server, and to allow the authentication of the
   client to the server. The Bind Operation must be the first operation
   request received by a server from a client in a protocol session.
   The Bind Request is defined as follows:

     BindRequest ::=
         [APPLICATION 0] SEQUENCE {
                             version   INTEGER (1 .. 127),
                             name      LDAPDN,
                             authentication CHOICE {
                                  simple        [0] OCTET STRING,
                                  krbv42LDAP    [1] OCTET STRING,
                                  krbv42DSA     [2] OCTET STRING
                             }
         }

   Parameters of the Bind Request are:

   - version: A version number indicating the version of the protocol to
     be used in this protocol session.  This document describes version
     2 of the LDAP protocol.  Note that there is no version negotiation,
     and the client should just set this parameter to the version it
     desires.






Yeong, Howes & Kille                                            [Page 6]

RFC 1777                          LDAP                        March 1995


   - name: The name of the Directory object that the client wishes to
     bind as.  This field may take on a null value (a zero length
     string) for the purposes of anonymous binds.

   - authentication: information used to authenticate the name, if any,
     provided in the Bind Request. The "simple" authentication option
     provides minimal authentication facilities, with the contents of
     the authentication field consisting only of a cleartext password.
     This option should also be used when unauthenticated or anonymous
     binds are to be performed, with the field containing a zero length
     string in such cases. Kerberos version 4 [7] authentication to the
     LDAP server and the DSA is accomplished by using the "krbv42LDAP"
     and "krbv42DSA" authentication options, respectively.  Note that
     though they are referred to as separate entities here, there is no
     requirement these two entities be distinct (i.e., a DSA could speak
     LDAP directly).  Two separate authentication options are provided
     to support all implementations.  Each octet string should contain
     the kerberos ticket (e.g., as returned by krb_mk_req()) for the
     appropriate service.  The suggested service name for authentication
     to the LDAP server is "ldapserver".  The suggested service name for
     authentication to the DSA is "x500dsa".  In both cases, the
     suggested instance name for the service is the name of the host on
     which the service is running.  Of course, the actual service names
     and instances will depend on what is entered in the local kerberos
     principle database.

   The Bind Operation requires a response, the Bind Response, which is
   defined as:

     BindResponse ::= [APPLICATION 1] LDAPResult

   A Bind Response consists simply of an indication from the server of
   the status of the client's request for the initiation of a protocol
   session.

   Upon receipt of a Bind Request, a protocol server will authenticate
   the requesting client if necessary, and attempt to set up a protocol
   session with that client. The server will then return a Bind Response
   to the client indicating the status of the session setup request.

4.2.  Unbind Operation

   The function of the Unbind Operation is to terminate a protocol
   session.  The Unbind Operation is defined as follows:

     UnbindRequest ::= [APPLICATION 2] NULL





Yeong, Howes & Kille                                            [Page 7]

RFC 1777                          LDAP                        March 1995


   The Unbind Operation has no response defined. Upon transmission of an
   UnbindRequest, a protocol client may assume that the protocol session
   is terminated. Upon receipt of an UnbindRequest, a protocol server
   may assume that the requesting client has terminated the session and
   that all outstanding requests may be discarded.

4.3.  Search Operation

   The Search Operation allows a client to request that a search be
   performed on its behalf by a server. The Search Request is defined as
   follows:

     SearchRequest ::=
         [APPLICATION 3] SEQUENCE {