rfc4511.txt
Network Working Group                                J. Sermersheim, Ed.
Request for Comments: 4511                                  Novell, Inc.
Obsoletes: 2251, 2830, 3771                                    June 2006
Category: Standards Track

      Lightweight Directory Access Protocol (LDAP): The Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes the protocol elements, along with their
   semantics and encodings, of the Lightweight Directory Access Protocol
   (LDAP).  LDAP provides access to distributed directory services that
   act in accordance with X.500 data and service models.  These protocol
   elements are based on those described in the X.500 Directory Access
   Protocol (DAP).

Table of Contents

   1. Introduction ....................................................3
      1.1. Relationship to Other LDAP Specifications ..................3
   2. Conventions .....................................................3
   3. Protocol Model ..................................................4
      3.1. Operation and LDAP Message Layer Relationship ..............5
   4. Elements of Protocol ............................................5
      4.1. Common Elements ............................................5
           4.1.1. Message Envelope ....................................6
           4.1.2. String Types ........................................7
           4.1.3. Distinguished Name and Relative Distinguished Name ..8
           4.1.4. Attribute Descriptions ..............................8
           4.1.5. Attribute Value .....................................8
           4.1.6. Attribute Value Assertion ...........................9
           4.1.7. Attribute and PartialAttribute ......................9
           4.1.8. Matching Rule Identifier ...........................10
           4.1.9. Result Message .....................................10
           4.1.10. Referral ..........................................12

Sermersheim                 Standards Track                     [Page 1]

RFC 4511                         LDAPv3                        June 2006

           4.1.11. Controls ..........................................14
      4.2. Bind Operation ............................................16
           4.2.1. Processing of the Bind Request .....................17
           4.2.2. Bind Response ......................................18
      4.3. Unbind Operation ..........................................18
      4.4. Unsolicited Notification ..................................19
           4.4.1. Notice of Disconnection ............................19
      4.5. Search Operation ..........................................20
           4.5.1. Search Request .....................................20
           4.5.2. Search Result ......................................27
           4.5.3. Continuation References in the Search Result .......28
      4.6. Modify Operation ..........................................31
      4.7. Add Operation .............................................33
      4.8. Delete Operation ..........................................34
      4.9. Modify DN Operation .......................................34
      4.10. Compare Operation ........................................36
      4.11. Abandon Operation ........................................36
      4.12. Extended Operation .......................................37
      4.13. IntermediateResponse Message .............................39
           4.13.1. Usage with LDAP ExtendedRequest and
                   ExtendedResponse ..................................40
           4.13.2. Usage with LDAP Request Controls ..................40
      4.14. StartTLS Operation .......................................40
           4.14.1. StartTLS Request ..................................40
           4.14.2. StartTLS Response .................................41
           4.14.3. Removal of the TLS Layer ..........................41
   5. Protocol Encoding, Connection, and Transfer ....................42
      5.1. Protocol Encoding .........................................42
      5.2. Transmission Control Protocol (TCP) .......................43
      5.3. Termination of the LDAP session ...........................43
   6. Security Considerations ........................................43
   7. Acknowledgements ...............................................45
   8. Normative References ...........................................46
   9. Informative References .........................................48
   10. IANA Considerations ...........................................48
   Appendix A. LDAP Result Codes .....................................49
      A.1. Non-Error Result Codes ....................................49
      A.2. Result Codes ..............................................49
   Appendix B. Complete ASN.1 Definition .............................54
   Appendix C. Changes ...............................................60
      C.1. Changes Made to RFC 2251 ..................................60
      C.2. Changes Made to RFC 2830 ..................................66
      C.3. Changes Made to RFC 3771 ..................................66

1.  Introduction

   The Directory is "a collection of open systems cooperating to provide
   directory services" [X.500].  A directory user, which may be a human
   or other entity, accesses the Directory through a client (or
   Directory User Agent (DUA)).  The client, on behalf of the directory
   user, interacts with one or more servers (or Directory System Agents
   (DSA)).  Clients interact with servers using a directory access
   protocol.

   This document details the protocol elements of the Lightweight
   Directory Access Protocol (LDAP), along with their semantics.
   Following the description of protocol elements, it describes the way
   in which the protocol elements are encoded and transferred.

1.1.  Relationship to Other LDAP Specifications

   This document is an integral part of the LDAP Technical Specification
   [RFC4510], which obsoletes the previously defined LDAP technical
   specification, RFC 3377, in its entirety.

   This document, together with [RFC4510], [RFC4513], and [RFC4512],
   obsoletes RFC 2251 in its entirety.  Section 3.3 is obsoleted by
   [RFC4510].  Sections 4.2.1 (portions) and 4.2.2 are obsoleted by
   [RFC4513].  Sections 3.2, 3.4, 4.1.3 (last paragraph), 4.1.4, 4.1.5,
   4.1.5.1, 4.1.9 (last paragraph), 5.1, 6.1, and 6.2 (last paragraph)
   are obsoleted by [RFC4512].  The remainder of RFC 2251 is obsoleted
   by this document.  Appendix C.1 summarizes substantive changes in the
   remainder.

   This document obsoletes RFC 2830, Sections 2 and 4.  The remainder of
   RFC 2830 is obsoleted by [RFC4513].  Appendix C.2 summarizes
   substantive changes to the remaining sections.

   This document also obsoletes RFC 3771 in its entirety.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are
   to be interpreted as described in [RFC2119].

   Character names in this document use the notation for code points and
   names from the Unicode Standard [Unicode].  For example, the letter
   "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.

   Note: a glossary of terms used in Unicode can be found in [Glossary].
   Information on the Unicode character encoding model can be found in
   [CharModel].

   The term "transport connection" refers to the underlying transport
   services used to carry the protocol exchange, as well as associations
   established by these services.

   The term "TLS layer" refers to Transport Layer Security (TLS)
   services used in providing security services, as well as associations
   established by these services.

   The term "SASL layer" refers to Simple Authentication and Security
   Layer (SASL) services used in providing security services, as well as
   associations established by these services.

   The term "LDAP message layer" refers to the LDAP Message Protocol
   Data Unit (PDU) services used in providing directory services, as
   well as associations established by these services.

   The term "LDAP session" refers to combined services (transport
   connection, TLS layer, SASL layer, LDAP message layer) and their
   associations.

   See the table in Section 5 for an illustration of these four terms.

3.  Protocol Model

   The general model adopted by this protocol is one of clients
   performing protocol operations against servers.  In this model, a
   client transmits a protocol request describing the operation to be
   performed to a server.  The server is then responsible for performing
   the necessary operation(s) in the Directory.  Upon completion of an
   operation, the server typically returns a response containing
   appropriate data to the requesting client.

   Protocol operations are generally independent of one another.  Each
   operation is processed as an atomic action, leaving the directory in
   a consistent state.

   Although servers are required to return responses whenever such
   responses are defined in the protocol, there is no requirement for
   synchronous behavior on the part of either clients or servers.
   Requests and responses for multiple operations generally may be
   exchanged between a client and server in any order.  If required,
   synchronous behavior may be controlled by client applications.

   The core protocol operations defined in this document can be mapped
   to a subset of the X.500 (1993) Directory Abstract Service [X.511].
   However, there is not a one-to-one mapping between LDAP operations
   and X.500 Directory Access Protocol (DAP) operations.  Server
   implementations acting as a gateway to X.500 directories may need to
   make multiple DAP requests to service a single LDAP request.

3.1.  Operation and LDAP Message Layer Relationship

   Protocol operations are exchanged at the LDAP message layer.  When
   the transport connection is closed, any uncompleted operations at the
   LDAP message layer are abandoned (when possible) or are completed
   without transmission of the response (when abandoning them is not
   possible).  Also, when the transport connection is closed, the client
   MUST NOT assume that any uncompleted update operations have succeeded
   or failed.

4.  Elements of Protocol

   The protocol is described using Abstract Syntax Notation One
   ([ASN.1]) and is transferred using a subset of ASN.1 Basic Encoding
   Rules ([BER]).  Section 5 specifies how the protocol elements are
   encoded and transferred.

   In order to support future extensions to this protocol, extensibility
   is implied where it is allowed per ASN.1 (i.e., sequence, set,
   choice, and enumerated types are extensible).  In addition, ellipses
   (...) have been supplied in ASN.1 types that are explicitly
   extensible as discussed in [RFC4520].  Because of the implied
   extensibility, clients and servers MUST (unless otherwise specified)
   ignore trailing SEQUENCE components whose tags they do not recognize.

   Changes to the protocol other than through the extension mechanisms
   described here require a different version number.  A client
   indicates the version it is using as part of the BindRequest,
   described in Section 4.2.  If a client has not sent a Bind, the
   server MUST assume the client is using version 3 or later.

   Clients may attempt to determine the protocol versions a server
   supports by reading the 'supportedLDAPVersion' attribute from the
   root DSE (DSA-Specific Entry) [RFC4512].

4.1.  Common Elements

   This section describes the LDAPMessage envelope Protocol Data Unit
   (PDU) format, as well as data type definitions, which are used in the
   protocol operations.

4.1.1.  Message Envelope

   For the purposes of protocol exchanges, all protocol operations are
   encapsulated in a common envelope, the LDAPMessage, which is defined
   as follows:

        LDAPMessage ::= SEQUENCE {
             messageID       MessageID,
             protocolOp      CHOICE {
                  bindRequest           BindRequest,
                  bindResponse          BindResponse,
                  unbindRequest         UnbindRequest,
                  searchRequest         SearchRequest,
                  searchResEntry        SearchResultEntry,
                  searchResDone         SearchResultDone,
                  searchResRef          SearchResultReference,
                  modifyRequest         ModifyRequest,
                  modifyResponse        ModifyResponse,
                  addRequest            AddRequest,
                  addResponse           AddResponse,
                  delRequest            DelRequest,
                  delResponse           DelResponse,
                  modDNRequest          ModifyDNRequest,
                  modDNResponse         ModifyDNResponse,
                  compareRequest        CompareRequest,
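The LDAPMessage envelope above (cut off on this page) is the unit every LDAP PDU is wrapped in, and Section 4 requires that trailing SEQUENCE components with unrecognised tags be ignored. The following Python decoder for just that envelope is an added example, not code from RFC 4511 or any LDAP implementation: it checks every BER length against the buffer before slicing, rejects indefinite-length encodings, validates the messageID range and protocolOp tag, and skips unknown trailing components instead of failing. The [APPLICATION n] tag numbers and the maxInt bound are taken from the RFC's full ASN.1 (Appendix B), which this page does not reproduce; all sample bytes are constructed.

```python
# Added example, not RFC 4511 code: bounds-checked BER decoding of the LDAPMessage
# envelope. Tag numbers are from the RFC's Appendix B (not on this page).
PROTOCOL_OPS = {0: "bindRequest", 1: "bindResponse", 2: "unbindRequest",
                3: "searchRequest", 4: "searchResEntry", 5: "searchResDone",
                6: "modifyRequest", 7: "modifyResponse", 8: "addRequest",
                9: "addResponse", 10: "delRequest", 11: "delResponse",
                12: "modDNRequest", 13: "modDNResponse", 14: "compareRequest",
                15: "compareResponse", 16: "abandonRequest", 19: "searchResRef",
                23: "extendedReq", 24: "extendedResp", 25: "intermediateResponse"}
MAX_INT = 2147483647  # MessageID ::= INTEGER (0 .. maxInt)
def read_tlv(buf, pos):
    """One definite-length BER element with a single-byte tag (LDAP tag numbers
    are all < 31). Lengths are checked before slicing, never trusted."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                                   # short-form length
        length = first
    else:                                              # long form; 0x80 = indefinite
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length %d overruns buffer" % length)
    return tag, buf[pos:pos + length], pos + length
def decode_ldap_message(buf):
    """Decode one whole LDAPMessage: messageID, protocolOp name, raw op payload,
    raw controls ([0] = tag 0xA0) and a count of unrecognised trailing tags."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):                 # exactly one SEQUENCE
        raise ValueError("LDAPMessage must be a single SEQUENCE")
    tag, raw_id, pos = read_tlv(body, 0)
    message_id = int.from_bytes(raw_id, "big", signed=True) if raw_id else -1
    if tag != 0x02 or not 0 <= message_id <= MAX_INT:
        raise ValueError("messageID must be INTEGER (0 .. maxInt)")
    tag, payload, pos = read_tlv(body, pos)
    if (tag & 0xC0) != 0x40 or (tag & 0x1F) not in PROTOCOL_OPS:
        raise ValueError("protocolOp tag 0x%02x is not an LDAP operation" % tag)
    msg = {"messageID": message_id, "protocolOp": PROTOCOL_OPS[tag & 0x1F],
           "payload": payload, "controls": None, "ignored": 0}
    while pos < len(body):                             # trailing components
        tag, value, pos = read_tlv(body, pos)
        if tag == 0xA0 and msg["controls"] is None:
            msg["controls"] = value
        else:
            msg["ignored"] += 1                        # Section 4: ignore, not fatal
    return msg
# Constructed sample: messageID 7, UnbindRequest, then an unknown [5] element.
SAMPLE = bytes.fromhex("30 08 02 01 07 42 00 85 01 ff")
```

The decoder stops at the envelope; the operation payload and the raw controls are returned undecoded for the per-operation parsers that later sections define.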
