📄 rfc1777.txt
字号:
baseObject LDAPDN, scope ENUMERATED { baseObject (0), singleLevel (1), wholeSubtree (2) }, derefAliases ENUMERATED { neverDerefAliases (0), derefInSearching (1), derefFindingBaseObj (2), derefAlways (3) }, sizeLimit INTEGER (0 .. maxInt), timeLimit INTEGER (0 .. maxInt), attrsOnly BOOLEAN, filter Filter, attributes SEQUENCE OF AttributeType } Filter ::= CHOICE { and [0] SET OF Filter, or [1] SET OF Filter, not [2] Filter, equalityMatch [3] AttributeValueAssertion, substrings [4] SubstringFilter, greaterOrEqual [5] AttributeValueAssertion, lessOrEqual [6] AttributeValueAssertion, present [7] AttributeType, approxMatch [8] AttributeValueAssertion } SubstringFilter SEQUENCE {Yeong, Howes & Kille [Page 8]
RFC 1777 LDAP March 1995 type AttributeType, SEQUENCE OF CHOICE { initial [0] LDAPString, any [1] LDAPString, final [2] LDAPString } } Parameters of the Search Request are: - baseObject: An LDAPDN that is the base object entry relative to which the search is to be performed. - scope: An indicator of the scope of the search to be performed. The semantics of the possible values of this field are identical to the semantics of the scope field in the Directory Search Operation. - derefAliases: An indicator as to how alias objects should be handled in searching. The semantics of the possible values of this field are, in order of increasing value: neverDerefAliases: do not dereference aliases in searching or in locating the base object of the search; derefInSearching: dereference aliases in subordinates of the base object in searching, but not in locating the base object of the search; derefFindingBaseObject: dereference aliases in locating the base object of the search, but not when searching subordinates of the base object; derefAlways: dereference aliases both in searching and in locating the base object of the search. - sizelimit: A sizelimit that restricts the maximum number of entries to be returned as a result of the search. A value of 0 in this field indicates that no sizelimit restrictions are in effect for the search. - timelimit: A timelimit that restricts the maximum time (in seconds) allowed for a search. A value of 0 in this field indicates that no timelimit restrictions are in effect for the search. - attrsOnly: An indicator as to whether search results should contain both attribute types and values, or just attribute types. Setting this field to TRUE causes only attribute types (no values) to be returned. Setting this field to FALSE causes both attribute typesYeong, Howes & Kille [Page 9]
RFC 1777 LDAP March 1995 and values to be returned. - filter: A filter that defines the conditions that must be fulfilled in order for the search to match a given entry. - attributes: A list of the attributes from each entry found as a result of the search to be returned. An empty list signifies that all attributes from each entry found in the search are to be returned. The results of the search attempted by the server upon receipt of a Search Request are returned in Search Responses, defined as follows: Search Response ::= CHOICE { entry [APPLICATION 4] SEQUENCE { objectName LDAPDN, attributes SEQUENCE OF SEQUENCE { AttributeType, SET OF AttributeValue } }, resultCode [APPLICATION 5] LDAPResult } Upon receipt of a Search Request, a server will perform the necessary search of the DIT. The server will return to the client a sequence of responses comprised of: - Zero or more Search Responses each consisting of an entry found during the search; with the response sequence terminated by - A single Search Response containing an indication of success, or detailing any errors that have occurred. Each entry returned will contain all attributes, complete with associated values if necessary, as specified in the 'attributes' field of the Search Request. Note that an X.500 "list" operation can be emulated by a one-level LDAP search operation with a filter checking for the existence of the objectClass attribute, and that an X.500 "read" operation can be emulated by a base object LDAP search operation with the same filter.Yeong, Howes & Kille [Page 10]
RFC 1777 LDAP March 19954.4. Modify Operation The Modify Operation allows a client to request that a modification of the DIB be performed on its behalf by a server. The Modify Request is defined as follows:ModifyRequest ::= [APPLICATION 6] SEQUENCE { object LDAPDN, modification SEQUENCE OF SEQUENCE { operation ENUMERATED { add (0), delete (1), replace (2) }, modification SEQUENCE { type AttributeType, values SET OF AttributeValue } } } Parameters of the Modify Request are: - object: The object to be modified. The value of this field should name the object to be modified after all aliases have been dereferenced. The server will not perform any alias dereferencing in determining the object to be modified. - A list of modifications to be performed on the entry to be modified. The entire list of entry modifications should be performed in the order they are listed, as a single atomic operation. While individual modifications may violate the Directory schema, the resulting entry after the entire list of modifications is performed must conform to the requirements of the Directory schema. The values that may be taken on by the 'operation' field in each modification construct have the following semantics respectively: add: add values listed to the given attribute, creating the attribute if necessary; delete: delete values listed from the given attribute, removing the entire attribute if no values are listed, or if all current values of the attribute are listed for deletion;Yeong, Howes & Kille [Page 11]
RFC 1777 LDAP March 1995 replace: replace existing values of the given attribute with the new values listed, creating the attribute if necessary. The result of the modify attempted by the server upon receipt of a Modify Request is returned in a Modify Response, defined as follows: ModifyResponse ::= [APPLICATION 7] LDAPResult Upon receipt of a Modify Request, a server will perform the necessary modifications to the DIB. The server will return to the client a single Modify Response indicating either the successful completion of the DIB modification, or the reason that the modification failed. Note that due to the requirement for atomicity in applying the list of modifications in the Modify Request, the client may expect that no modifications of the DIB have been performed if the Modify Response received indicates any sort of error, and that all requested modifications have been performed if the Modify Response indicates successful completion of the Modify Operation.4.5. Add Operation The Add Operation allows a client to request the addition of an entry into the Directory. The Add Request is defined as follows: AddRequest ::= [APPLICATION 8] SEQUENCE { entry LDAPDN, attrs SEQUENCE OF SEQUENCE { type AttributeType, values SET OF AttributeValue } } Parameters of the Add Request are: - entry: the Distinguished Name of the entry to be added. Note that all components of the name except for the last RDN component must exist for the add to succeed. - attrs: the list of attributes that make up the content of the entry being added. The result of the add attempted by the server upon receipt of a Add Request is returned in the Add Response, defined as follows:Yeong, Howes & Kille [Page 12]
RFC 1777 LDAP March 1995 AddResponse ::= [APPLICATION 9] LDAPResult Upon receipt of an Add Request, a server will attempt to perform the add requested. The result of the add attempt will be returned to the client in the Add Response.4.6. Delete Operation The Delete Operation allows a client to request the removal of an entry from the Directory. The Delete Request is defined as follows: DelRequest ::= [APPLICATION 10] LDAPDN The Delete Request consists only of the Distinguished Name of the entry to be deleted. The result of the delete attempted by the server upon receipt of a Delete Request is returned in the Delete Response, defined as follows: DelResponse ::= [APPLICATION 11] LDAPResult Upon receipt of a Delete Request, a server will attempt to perform the entry removal requested. The result of the delete attempt will be returned to the client in the Delete Response. Note that only leaf objects may be deleted with this operation.4.7. Modify RDN Operation The Modify RDN Operation allows a client to change the last component of the name of an entry in the Directory. The Modify RDN Request is defined as follows: ModifyRDNRequest ::= [APPLICATION 12] SEQUENCE { entry LDAPDN, newrdn RelativeLDAPDN, deleteoldrdn BOOLEAN } Parameters of the Modify RDN Request are: - entry: the name of the entry to be changed. - newrdn: the RDN that will form the last component of the new name. - deleteoldrdn: a boolean parameter that controls whether the old RDN attribute values should be retained as attributes of the entry or deleted from the entry.Yeong, Howes & Kille [Page 13]
RFC 1777 LDAP March 1995 The result of the name change attempted by the server upon receipt of a Modify RDN Request is returned in the Modify RDN Response, defined as follows: ModifyRDNResponse ::= [APPLICATION 13] LDAPResult Upon receipt of a Modify RDN Request, a server will attempt to perform the name change. The result of the name change attempt will be returned to the client in the Modify RDN Response. The attributes that make up the old RDN are deleted from the entry, or kept, depending on the setting of the deleteoldrdn parameter.4.8. Compare Operation The Compare Operation allows a client to compare an assertion provided with an entry in the Directory. The Compare Request is defined as follows: CompareRequest ::= [APPLICATION 14] SEQUENCE { entry LDAPDN, ava AttributeValueAssertion } Parameters of the Compare Request are: - entry: the name of the entry to be compared with. - ava: the assertion with which the entry is to be compared. The result of the compare attempted by the server upon receipt of a Compare Request is returned in the Compare Response, defined as follows: CompareResponse ::= [APPLICATION 15] LDAPResult Upon receipt of a Compare Request, a server will attempt to perform the requested comparison. The result of the comparison will be returned to the client in the Compare Response. Note that errors and the result of comparison are all returned in the same construct.6.9. Abandon Operation The function of the Abandon Operation is to allow a client to request that the server abandon an outstanding operation. The Abandon Request is defined as follows: AbandonRequest ::= [APPLICATION 16] MessageIDYeong, Howes & Kille [Page 14]
RFC 1777 LDAP March 1995 There is no response defined in the Abandon Operation. Upon transmission of an Abandon Operation, a client may expect that the operation identityfied by the Message ID in the Abandon Request has been abandoned. In the event that a server receives an Abandon Request on a Search Operation in the midst of transmitting responses to that search, that server should cease transmitting responses to the abandoned search immediately.5. Protocol Element Encodings The protocol elements of LDAP are encoded for exchange using the Basic Encoding Rules (BER) [12] of ASN.1 [11]. However, due to the high overhead involved in using certain elements of the BER, the following additional restrictions are placed on BER-encodings of LDAP protocol elements: (1) Only the definite form of length encoding will be used. (2) Bitstrings and octet strings and all character string types will be encoded in the primitive form only.6. Security Considerations This version of the protocol provides facilities only for simple authentication using a cleartext password, and for kerberos version 4 authentication. Future versions of LDAP will likely include support for other authentication methods.7. Bibliography [1] The Directory: Overview of Concepts, Models and Service. CCITT Recommendation X.500, 1988. [2] Information Processing Systems -- Open Systems Interconnection --⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -