rfc4511.txt

samba最新软件

   Clients may send multiple Bind requests to change the authentication
   and/or security associations or to complete a multi-stage Bind
   process.  Authentication from earlier binds is subsequently ignored.

   For some SASL authentication mechanisms, it may be necessary for the
   client to invoke the BindRequest multiple times ([RFC4513], Section
   5.2).  Clients MUST NOT invoke operations between two Bind requests
   made as part of a multi-stage Bind.

   A client may abort a SASL bind negotiation by sending a BindRequest
   with a different value in the mechanism field of SaslCredentials, or
   an AuthenticationChoice other than sasl.








Sermersheim                 Standards Track                    [Page 17]

RFC 4511                         LDAPv3                        June 2006


   If the client sends a BindRequest with the sasl mechanism field as an
   empty string, the server MUST return a BindResponse with the
   resultCode set to authMethodNotSupported.  This will allow the client
   to abort a negotiation if it wishes to try again with the same SASL
   mechanism.

4.2.2.  Bind Response

   The Bind response is defined as follows.

        BindResponse ::= [APPLICATION 1] SEQUENCE {
             COMPONENTS OF LDAPResult,
             serverSaslCreds    [7] OCTET STRING OPTIONAL }

   BindResponse consists simply of an indication from the server of the
   status of the client's request for authentication.

   A successful Bind operation is indicated by a BindResponse with a
   resultCode set to success.  Otherwise, an appropriate result code is
   set in the BindResponse.  For BindResponse, the protocolError result
   code may be used to indicate that the version number supplied by the
   client is unsupported.

   If the client receives a BindResponse where the resultCode is set to
   protocolError, it is to assume that the server does not support this
   version of LDAP.  While the client may be able proceed with another
   version of this protocol (which may or may not require closing and
   re-establishing the transport connection), how to proceed with
   another version of this protocol is beyond the scope of this
   document.  Clients that are unable or unwilling to proceed SHOULD
   terminate the LDAP session.

   The serverSaslCreds field is used as part of a SASL-defined bind
   mechanism to allow the client to authenticate the server to which it
   is communicating, or to perform "challenge-response" authentication.
   If the client bound with the simple choice, or the SASL mechanism
   does not require the server to return information to the client, then
   this field SHALL NOT be included in the BindResponse.

4.3.  Unbind Operation

   The function of the Unbind operation is to terminate an LDAP session.
   The Unbind operation is not the antithesis of the Bind operation as
   the name implies.  The naming of these operations are historical.
   The Unbind operation should be thought of as the "quit" operation.






Sermersheim                 Standards Track                    [Page 18]

RFC 4511                         LDAPv3                        June 2006


   The Unbind operation is defined as follows:

        UnbindRequest ::= [APPLICATION 2] NULL

   The client, upon transmission of the UnbindRequest, and the server,
   upon receipt of the UnbindRequest, are to gracefully terminate the
   LDAP session as described in Section 5.3.  Uncompleted operations are
   handled as specified in Section 3.1.

4.4.  Unsolicited Notification

   An unsolicited notification is an LDAPMessage sent from the server to
   the client that is not in response to any LDAPMessage received by the
   server.  It is used to signal an extraordinary condition in the
   server or in the LDAP session between the client and the server.  The
   notification is of an advisory nature, and the server will not expect
   any response to be returned from the client.

   The unsolicited notification is structured as an LDAPMessage in which
   the messageID is zero and protocolOp is set to the extendedResp
   choice using the ExtendedResponse type (See Section 4.12).  The
   responseName field of the ExtendedResponse always contains an LDAPOID
   that is unique for this notification.

   One unsolicited notification (Notice of Disconnection) is defined in
   this document.  The specification of an unsolicited notification
   consists of:

   - the OBJECT IDENTIFIER assigned to the notification (to be specified
     in the responseName,

   - the format of the contents of the responseValue (if any),

   - the circumstances which will cause the notification to be sent, and

   - the semantics of the message.

4.4.1.  Notice of Disconnection

   This notification may be used by the server to advise the client that
   the server is about to terminate the LDAP session on its own
   initiative.  This notification is intended to assist clients in
   distinguishing between an exceptional server condition and a
   transient network failure.  Note that this notification is not a
   response to an Unbind requested by the client.  Uncompleted
   operations are handled as specified in Section 3.1.





Sermersheim                 Standards Track                    [Page 19]

RFC 4511                         LDAPv3                        June 2006


   The responseName is 1.3.6.1.4.1.1466.20036, the responseValue field
   is absent, and the resultCode is used to indicate the reason for the
   disconnection.  When the strongerAuthRequired resultCode is returned
   with this message, it indicates that the server has detected that an
   established security association between the client and server has
   unexpectedly failed or been compromised.

   Upon transmission of the Notice of Disconnection, the server
   gracefully terminates the LDAP session as described in Section 5.3.

4.5.  Search Operation

   The Search operation is used to request a server to return, subject
   to access controls and other restrictions, a set of entries matching
   a complex search criterion.  This can be used to read attributes from
   a single entry, from entries immediately subordinate to a particular
   entry, or from a whole subtree of entries.

4.5.1.  Search Request

   The Search request is defined as follows:

        SearchRequest ::= [APPLICATION 3] SEQUENCE {
             baseObject      LDAPDN,
             scope           ENUMERATED {
                  baseObject              (0),
                  singleLevel             (1),
                  wholeSubtree            (2),
                  ...  },
             derefAliases    ENUMERATED {
                  neverDerefAliases       (0),
                  derefInSearching        (1),
                  derefFindingBaseObj     (2),
                  derefAlways             (3) },
             sizeLimit       INTEGER (0 ..  maxInt),
             timeLimit       INTEGER (0 ..  maxInt),
             typesOnly       BOOLEAN,
             filter          Filter,
             attributes      AttributeSelection }

        AttributeSelection ::= SEQUENCE OF selector LDAPString
                        -- The LDAPString is constrained to
                        -- <attributeSelector> in Section 4.5.1.8

        Filter ::= CHOICE {
             and             [0] SET SIZE (1..MAX) OF filter Filter,
             or              [1] SET SIZE (1..MAX) OF filter Filter,
             not             [2] Filter,



Sermersheim                 Standards Track                    [Page 20]

RFC 4511                         LDAPv3                        June 2006


             equalityMatch   [3] AttributeValueAssertion,
             substrings      [4] SubstringFilter,
             greaterOrEqual  [5] AttributeValueAssertion,
             lessOrEqual     [6] AttributeValueAssertion,
             present         [7] AttributeDescription,
             approxMatch     [8] AttributeValueAssertion,
             extensibleMatch [9] MatchingRuleAssertion,
             ...  }

        SubstringFilter ::= SEQUENCE {
             type           AttributeDescription,
             substrings     SEQUENCE SIZE (1..MAX) OF substring CHOICE {
                  initial [0] AssertionValue,  -- can occur at most once
                  any     [1] AssertionValue,
                  final   [2] AssertionValue } -- can occur at most once
             }

        MatchingRuleAssertion ::= SEQUENCE {
             matchingRule    [1] MatchingRuleId OPTIONAL,
             type            [2] AttributeDescription OPTIONAL,
             matchValue      [3] AssertionValue,
             dnAttributes    [4] BOOLEAN DEFAULT FALSE }

   Note that an X.500 "list"-like operation can be emulated by the
   client requesting a singleLevel Search operation with a filter
   checking for the presence of the 'objectClass' attribute, and that an
   X.500 "read"-like operation can be emulated by a baseObject Search
   operation with the same filter.  A server that provides a gateway to
   X.500 is not required to use the Read or List operations, although it
   may choose to do so, and if it does, it must provide the same
   semantics as the X.500 Search operation.

4.5.1.1.  SearchRequest.baseObject

   The name of the base object entry (or possibly the root) relative to
   which the Search is to be performed.

4.5.1.2.  SearchRequest.scope

   Specifies the scope of the Search to be performed.  The semantics (as
   described in [X.511]) of the defined values of this field are:

      baseObject: The scope is constrained to the entry named by
      baseObject.

      singleLevel: The scope is constrained to the immediate
      subordinates of the entry named by baseObject.




Sermersheim                 Standards Track                    [Page 21]

RFC 4511                         LDAPv3                        June 2006


      wholeSubtree: The scope is constrained to the entry named by
      baseObject and to all its subordinates.

4.5.1.3.  SearchRequest.derefAliases

   An indicator as to whether or not alias entries (as defined in
   [RFC4512]) are to be dereferenced during stages of the Search
   operation.

   The act of dereferencing an alias includes recursively dereferencing
   aliases that refer to aliases.

   Servers MUST detect looping while dereferencing aliases in order to
   prevent denial-of-service attacks of this nature.

   The semantics of the defined values of this field are:

      neverDerefAliases: Do not dereference aliases in searching or in
      locating the base object of the Search.

      derefInSearching: While searching subordinates of the base object,
      dereference any alias within the search scope.  Dereferenced
      objects become the vertices of further search scopes where the
      Search operation is also applied.  If the search scope is
      wholeSubtree, the Search continues in the subtree(s) of any
      dereferenced object.  If the search scope is singleLevel, the
      search is applied to any dereferenced objects and is not applied
      to their subordinates.  Servers SHOULD eliminate duplicate entries
      that arise due to alias dereferencing while searching.

      derefFindingBaseObj: Dereference aliases in locating the base
      object of the Search, but not when searching subordinates of the
      base object.

      derefAlways: Dereference aliases both in searching and in locating
      the base object of the Search.

4.5.1.4.  SearchRequest.sizeLimit

   A size limit that restricts the maximum number of entries to be
   returned as a result of the Search.  A value of zero in this field
   indicates that no client-requested size limit restrictions are in
   effect for the Search.  Servers may also enforce a maximum number of
   entries to return.







Sermersheim                 Standards Track                    [Page 22]

RFC 4511                         LDAPv3                        June 2006


4.5.1.5.  SearchRequest.timeLimit

   A time limit that restricts the maximum time (in seconds) allowed for
   a Search.  A value of zero in this field indicates that no client-
   requested time limit restrictions are in effect for the Search.
   Servers may also enforce a maximum time limit for the Search.