rfc4514.txt

samba最新软件

Network Working Group                                   K. Zeilenga, Ed.
Request for Comments: 4514                           OpenLDAP Foundation
Obsoletes: 2253                                                June 2006
Category: Standards Track


             Lightweight Directory Access Protocol (LDAP):
              String Representation of Distinguished Names

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The X.500 Directory uses distinguished names (DNs) as primary keys to
   entries in the directory.  This document defines the string
   representation used in the Lightweight Directory Access Protocol
   (LDAP) to transfer distinguished names.  The string representation is
   designed to give a clean representation of commonly used
   distinguished names, while being able to represent any distinguished
   name.

1.  Background and Intended Usage

   In X.500-based directory systems [X.500], including those accessed
   using the Lightweight Directory Access Protocol (LDAP) [RFC4510],
   distinguished names (DNs) are used to unambiguously refer to
   directory entries [X.501][RFC4512].

   The structure of a DN [X.501] is described in terms of ASN.1 [X.680].
   In the X.500 Directory Access Protocol [X.511] (and other ITU-defined
   directory protocols), DNs are encoded using the Basic Encoding Rules
   (BER) [X.690].  In LDAP, DNs are represented in the string form
   described in this document.

   It is important to have a common format to be able to unambiguously
   represent a distinguished name.  The primary goal of this
   specification is ease of encoding and decoding.  A secondary goal is
   to have names that are human readable.  It is not expected that LDAP



Zeilenga                    Standards Track                     [Page 1]

RFC 4514               LDAP: Distinguished Names               June 2006


   implementations with a human user interface would display these
   strings directly to the user, but that they would most likely be
   performing translations (such as expressing attribute type names in
   the local national language).

   This document defines the string representation of Distinguished
   Names used in LDAP [RFC4511][RFC4517].  Section 2 details the
   RECOMMENDED algorithm for converting a DN from its ASN.1 structured
   representation to a string.  Section 3 details how to convert a DN
   from a string to an ASN.1 structured representation.

   While other documents may define other algorithms for converting a DN
   from its ASN.1 structured representation to a string, all algorithms
   MUST produce strings that adhere to the requirements of Section 3.

   This document does not define a canonical string representation for
   DNs.  Comparison of DNs for equality is to be performed in accordance
   with the distinguishedNameMatch matching rule [RFC4517].

   This document is a integral part of the LDAP technical specification
   [RFC4510], which obsoletes the previously defined LDAP technical
   specification, RFC 3377, in its entirety.  This document obsoletes
   RFC 2253.  Changes since RFC 2253 are summarized in Appendix B.

   This specification assumes familiarity with X.500 [X.500] and the
   concept of Distinguished Name [X.501][RFC4512].

1.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119].

   Character names in this document use the notation for code points and
   names from the Unicode Standard [Unicode].  For example, the letter
   "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.

   Note: a glossary of terms used in Unicode can be found in [Glossary].
   Information on the Unicode character encoding model can be found in
   [CharModel].











Zeilenga                    Standards Track                     [Page 2]

RFC 4514               LDAP: Distinguished Names               June 2006


2.  Converting DistinguishedName from ASN.1 to a String

   X.501 [X.501] defines the ASN.1 [X.680] structure of distinguished
   name.  The following is a variant provided for discussion purposes.

      DistinguishedName ::= RDNSequence

      RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

      RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
          AttributeTypeAndValue

      AttributeTypeAndValue ::= SEQUENCE {
          type  AttributeType,
          value AttributeValue }

   This section defines the RECOMMENDED algorithm for converting a
   distinguished name from an ASN.1-structured representation to a UTF-8
   [RFC3629] encoded Unicode [Unicode] character string representation.
   Other documents may describe other algorithms for converting a
   distinguished name to a string, but only strings that conform to the
   grammar defined in Section 3 SHALL be produced by LDAP
   implementations.

2.1.  Converting the RDNSequence

   If the RDNSequence is an empty sequence, the result is the empty or
   zero-length string.

   Otherwise, the output consists of the string encodings of each
   RelativeDistinguishedName in the RDNSequence (according to Section
   2.2), starting with the last element of the sequence and moving
   backwards toward the first.

   The encodings of adjoining RelativeDistinguishedNames are separated
   by a comma (',' U+002C) character.

2.2.  Converting RelativeDistinguishedName

   When converting from an ASN.1 RelativeDistinguishedName to a string,
   the output consists of the string encodings of each
   AttributeTypeAndValue (according to Section 2.3), in any order.

   Where there is a multi-valued RDN, the outputs from adjoining
   AttributeTypeAndValues are separated by a plus sign ('+' U+002B)
   character.





Zeilenga                    Standards Track                     [Page 3]

RFC 4514               LDAP: Distinguished Names               June 2006


2.3.  Converting AttributeTypeAndValue

   The AttributeTypeAndValue is encoded as the string representation of
   the AttributeType, followed by an equals sign ('=' U+003D) character,
   followed by the string representation of the AttributeValue.  The
   encoding of the AttributeValue is given in Section 2.4.

   If the AttributeType is defined to have a short name (descriptor)
   [RFC4512] and that short name is known to be registered [REGISTRY]
   [RFC4520] as identifying the AttributeType, that short name, a
   <descr>, is used.  Otherwise the AttributeType is encoded as the
   dotted-decimal encoding, a <numericoid>, of its OBJECT IDENTIFIER.
   The <descr> and <numericoid> are defined in [RFC4512].

   Implementations are not expected to dynamically update their
   knowledge of registered short names.  However, implementations SHOULD
   provide a mechanism to allow their knowledge of registered short
   names to be updated.

2.4.  Converting an AttributeValue from ASN.1 to a String

   If the AttributeType is of the dotted-decimal form, the
   AttributeValue is represented by an number sign ('#' U+0023)
   character followed by the hexadecimal encoding of each of the octets
   of the BER encoding of the X.500 AttributeValue.  This form is also
   used when the syntax of the AttributeValue does not have an LDAP-
   specific ([RFC4517], Section 3.1) string encoding defined for it, or
   the LDAP-specific string encoding is not restricted to UTF-8-encoded
   Unicode characters.  This form may also be used in other cases, such
   as when a reversible string representation is desired (see Section
   5.2).

   Otherwise, if the AttributeValue is of a syntax that has a LDAP-
   specific string encoding, the value is converted first to a UTF-8-
   encoded Unicode string according to its syntax specification (see
   [RFC4517], Section 3.3, for examples).  If that UTF-8-encoded Unicode
   string does not have any of the following characters that need
   escaping, then that string can be used as the string representation
   of the value.

      - a space (' ' U+0020) or number sign ('#' U+0023) occurring at
        the beginning of the string;

      - a space (' ' U+0020) character occurring at the end of the
        string;






Zeilenga                    Standards Track                     [Page 4]

RFC 4514               LDAP: Distinguished Names               June 2006


      - one of the characters '"', '+', ',', ';', '<', '>',  or '\'
        (U+0022, U+002B, U+002C, U+003B, U+003C, U+003E, or U+005C,
        respectively);

      - the null (U+0000) character.

   Other characters may be escaped.

   Each octet of the character to be escaped is replaced by a backslash
   and two hex digits, which form a single octet in the code of the
   character.  Alternatively, if and only if the character to be escaped
   is one of

      ' ', '"', '#', '+', ',', ';', '<', '=', '>', or '\'
      (U+0020, U+0022, U+0023, U+002B, U+002C, U+003B,
       U+003C, U+003D, U+003E, U+005C, respectively)

   it can be prefixed by a backslash ('\' U+005C).

   Examples of the escaping mechanism are shown in Section 4.

3.  Parsing a String Back to a Distinguished Name

   The string representation of Distinguished Names is restricted to
   UTF-8 [RFC3629] encoded Unicode [Unicode] characters.  The structure
   of this string representation is specified using the following
   Augmented BNF [RFC4234] grammar:

      distinguishedName = [ relativeDistinguishedName
          *( COMMA relativeDistinguishedName ) ]
      relativeDistinguishedName = attributeTypeAndValue
          *( PLUS attributeTypeAndValue )
      attributeTypeAndValue = attributeType EQUALS attributeValue
      attributeType = descr / numericoid
      attributeValue = string / hexstring

      ; The following characters are to be escaped when they appear
      ; in the value to be encoded: ESC, one of <escaped>, leading
      ; SHARP or SPACE, trailing SPACE, and NULL.
      string =   [ ( leadchar / pair ) [ *( stringchar / pair )
         ( trailchar / pair ) ] ]

      leadchar = LUTF1 / UTFMB
      LUTF1 = %x01-1F / %x21 / %x24-2A / %x2D-3A /
         %x3D / %x3F-5B / %x5D-7F

      trailchar  = TUTF1 / UTFMB
      TUTF1 = %x01-1F / %x21 / %x23-2A / %x2D-3A /



Zeilenga                    Standards Track                     [Page 5]