rfc4516.txt

samba最新软件

   a client should use an anonymous LDAP session.  (Note that clients
   conforming to previous LDAP URL specifications, where all LDAP
   sessions are anonymous and unprotected, are consistent with this
   specification; they simply have the default security policy.)  Simply
   opening a transport connection to another server may violate some
   users' privacy requirements, so clients should provide the user with
   a way to control URL processing.

   Some authentication methods, in particular, reusable passwords sent
   to the server, may reveal easily-abused information to the remote
   server or to eavesdroppers in transit and should not be used in URL
   processing unless they are explicitly permitted by policy.
   Confirmation by the human user of the use of authentication
   information is appropriate in many circumstances.  Use of strong
   authentication methods that do not reveal sensitive information is
   much preferred.  If the URL represents a referral for an update
   operation, strong authentication methods SHOULD be used.  Please
   refer to the Security Considerations section of [RFC4513] for more
   information.

   The LDAP URL format allows the specification of an arbitrary LDAP
   search operation to be performed when evaluating the LDAP URL.
   Following an LDAP URL may cause unexpected results, for example, the
   retrieval of large amounts of data or the initiation of a long-lived



Smith & Howes               Standards Track                     [Page 8]

RFC 4516             LDAP: Uniform Resource Locator            June 2006


   search.  The security implications of resolving an LDAP URL are the
   same as those of resolving an LDAP search query.

6.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC4234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 4234, October 2005.

   [RFC4510]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Technical Specification Road Map", RFC 4510, June
              2006.

   [RFC4511]  Sermersheim, J., Ed., "Lightweight Directory Access
              Protocol (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.

   [RFC4513]  Harrison, R., Ed., "Lightweight Directory Access Protocol
              (LDAP): Authentication Methods and Security Mechanisms",
              RFC 4513, June 2006.

   [RFC4514]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): String Representation of Distinguished Names", RFC
              4514, June 2006.

   [RFC4515]  Smith, M. Ed. and T. Howes, "Lightweight Directory Access
              Protocol (LDAP): String Representation of Search Filters",
              RFC 4515, June 2006.











Smith & Howes               Standards Track                     [Page 9]

RFC 4516             LDAP: Uniform Resource Locator            June 2006


7.  Informative References

   [RFC2396]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 2396,
              August 1998.

   [RFC4520]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access
              Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

8.  Acknowledgements

   The LDAP URL format was originally defined at the University of
   Michigan.  This material is based upon work supported by the National
   Science Foundation under Grant No. NCR-9416667.  The support of both
   the University of Michigan and the National Science Foundation is
   gratefully acknowledged.

   This document obsoletes RFC 2255 by Tim Howes and Mark Smith.
   Changes included in this revised specification are based upon
   discussions among the authors, discussions within the LDAP (v3)
   Revision Working Group (ldapbis), and discussions within other IETF
   Working Groups.  The contributions of individuals in these working
   groups is gratefully acknowledged.  Several people in particular have
   made valuable comments on this document: RL "Bob" Morgan, Mark Wahl,
   Kurt Zeilenga, Jim Sermersheim, and Hallvard Furuseth deserve special
   thanks for their contributions.
























Smith & Howes               Standards Track                    [Page 10]

RFC 4516             LDAP: Uniform Resource Locator            June 2006


Appendix A: Changes Since RFC 2255

A.1.  Technical Changes

   The following technical changes were made to the contents of the "URL
   Definition" section:

   Revised all of the ABNF to use common productions from [RFC4512].

   Replaced references to [RFC2396] with a reference to [RFC3986] (this
   allows literal IPv6 addresses to be used inside the <host> portion of
   the URL, and a note was added to remind the reader of this
   enhancement).  Referencing [RFC3986] required changes to the ABNF and
   text so that productions that are no longer defined by [RFC3986] are
   not used.  For example, <hostport> is not defined by [RFC3986] so it
   has been replaced with host [COLON port].  Note that [RFC3986]
   includes new definitions for the "Reserved" and "Unreserved" sets of
   characters, and the net result is that the following two additional
   characters should be percent-encoded when they appear anywhere in the
   data used to construct an LDAP URL: "[" and "]" (these two characters
   were first added to the Reserved set by RFC 2732).

   Changed the definition of <attrdesc> to refer to <attributeSelector>
   from [RFC4511].  This allows the use of "*" in the <attrdesc> part of
   the URL.  It is believed that existing implementations of RFC 2255
   already support this.

   Avoided use of <prose-val> (bracketed-string) productions in the
   <dn>, <host>, <attrdesc>, and <exvalue> rules.

   Changed the ABNF for <ldapurl> to group the <dn> component with the
   preceding <SLASH>.

   Changed the <extype> rule to be an <oid> from [RFC4512].

   Changed the text about extension types so it references [RFC4520].
   Reordered rules to more closely follow the order in which the
   elements appear in the URL.

   "Bindname Extension": removed due to lack of known implementations.

A.2.  Editorial Changes

   Changed document title to include "LDAP:" prefix.

   IESG Note: removed note about lack of satisfactory mandatory
   authentication mechanisms.




Smith & Howes               Standards Track                    [Page 11]

RFC 4516             LDAP: Uniform Resource Locator            June 2006


   "Status of this Memo" section: updated boilerplate to match current
   I-D guidelines.

   "Abstract" section: separated from introductory material.

   "Table of Contents" and "Intellectual Property" sections: added.

   "Introduction" section: new section; separated from the Abstract.
   Changed the text indicate that RFC 2255 is replaced by this document
   (instead of RFC 1959).  Added text to indicate that LDAP URLs are
   used for references and referrals.  Fixed typo (replaced the nonsense
   phrase "to perform to retrieve" with "used to retrieve").  Added a
   note to let the reader know that not all of the parameters of the
   LDAP search operation described in [RFC4511] can be expressed using
   this format.

   "URL Definition" section: removed second copy of <ldapurl> grammar
   and following two paragraphs (editorial error in RFC 2255).  Fixed
   line break within '!' sequence.  Reformatted the ABNF to improve
   readability by aligning comments and adding some blank lines.
   Replaced "residing in the LDAP server" with "accessible from the LDAP
   server" in the sentence immediately following the ABNF.  Removed the
   sentence "Individual attrdesc names are as defined for
   AttributeDescription in [RFC4511]."  because [RFC4511]'s
   <attributeSelector> is now used directly in the ABNF.  Reworded last
   paragraph to clarify which characters must be percent-encoded.  Added
   text to indicate that LDAP URLs are used for references and
   referrals.  Added text that refers to the ABNF from RFC 4234.
   Clarified and strengthened the requirements with respect to
   processing of URLs that contain implemented and not implemented
   extensions (the approach now closely matches that specified in
   [RFC4511] for LDAP controls).

   "Defaults for Fields of the LDAP URL" section: added; formed by
   moving text about defaults out of the "URL Definition" section.
   Replaced direct reference to the attribute name "*" with a reference
   to the special <alluserattrs> selector "*" defined in [RFC4511].

   "URL Processing" section: removed.

   "Examples" section: Modified examples to use example.com and
   example.net hostnames.  Added missing '?' to the LDAP URL example
   whose filter contains three null bytes.  Removed space after one
   comma within a DN.  Revised the bindname example to use e-bindname.
   Changed the name of an attribute used in one example from "int" to
   "four-octet" to avoid potential confusion.  Added an example that
   demonstrates the interaction between DN escaping and URL percent-
   encoding.  Added some examples to show URL equivalence with respect



Smith & Howes               Standards Track                    [Page 12]

RFC 4516             LDAP: Uniform Resource Locator            June 2006


   to the <dn> portion of the URL.  Used uppercase in some examples to
   remind the reader that some tokens are case-insensitive.

   "Security Considerations" section: Added a note about connection
   reuse.  Added a note about using strong authentication methods for
   updates.  Added a reference to [RFC4513].  Added note that simply
   opening a connection may violate some users' privacy requirements.
   Adopted the working group's revised LDAP terminology specification by
   replacing the word "connection" with "LDAP session" or "LDAP
   connection" as appropriate.

   "Acknowledgements" section: added statement that this document
   obsoletes RFC 2255.  Added Kurt Zeilenga, Jim Sermersheim, and
   Hallvard Furuseth.

   "Normative References" section: renamed from "References" per new RFC
   guidelines.  Changed from [1] style to [RFC4511] style throughout the
   document.  Added references to RFC 4234 and RFC 3629.  Updated all
   RFC 1738 references to point to the appropriate sections within
   [RFC3986].  Updated the LDAP references to refer to LDAPBis WG
   documents.  Removed the reference to the LDAP Attribute Syntaxes
   document and added references to the [RFC4513], [RFC4520], and
   [RFC4510] documents.

   "Informative References" section: added.

   Header and "Authors' Addresses" sections: added "editor" next to Mark
   Smith's name.  Updated affiliation and contact information.

   Copyright: updated the year.

   Throughout the document: surrounded the names of all ABNF productions
   with "<" and ">" where they are used in descriptive text.


















Smith & Howes               Standards Track                    [Page 13]

RFC 4516             LDAP: Uniform Resource Locator            June 2006


Authors' Addresses

   Mark Smith, Editor
   Pearl Crescent, LLC
   447 Marlpool Dr.
   Saline, MI 48176
   USA

   Phone: +1 734 944-2856
   EMail: mcs@pearlcrescent.com


   Tim Howes
   Opsware, Inc.
   599 N. Mathilda Ave.
   Sunnyvale, CA 94085
   USA

   Phone: +1 408 744-7509
   EMail: howes@opsware.com































Smith & Howes               Standards Track                    [Page 14]

RFC 4516             LDAP: Uniform Resource Locator            June 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).







Smith & Howes               Standards Track                    [Page 15]