rfc1487.txt

Network Working Group                                           W. Yeong
Request for Comments: 1487             Performance Systems International
                                                                T. Howes
                                                  University of Michigan
                                                                S. Kille
                                                        ISODE Consortium
                                                               July 1993


              X.500 Lightweight Directory Access Protocol

Status of this Memo

   This RFC specifies an IAB standards track protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "IAB Official Protocol
   Standards" for the standardization state and status of this protocol.
   Distribution of this memo is unlimited.

Abstract

   The protocol described in this document is designed to provide access
   to the Directory while not incurring the resource requirements of the
   Directory Access Protocol (DAP). This protocol is specifically
   targeted at simple management applications and browser applications
   that provide simple read/write interactive access to the Directory,
   and is intended to be a complement to the DAP itself.

   Key aspects of LDAP are:

   - Protocol elements are carried directly over TCP or other transport,
     bypassing much of the session/presentation overhead.

   - Many protocol data elements are encoded as ordinary strings (e.g.,
     Distinguished Names).

   - A lightweight BER encoding is used to encode all protocol elements.

1.  History

   The tremendous interest in X.500 [1,2] technology in the Internet has
   led to efforts to reduce the high "cost of entry" associated with
   use of the technology, such as the Directory Assistance Service [3]
   and DIXIE [4]. While efforts such as these have met with success,
   they have been solutions based on particular implementations and as
   such have limited applicability.  This document continues the efforts
   to define Directory protocol alternatives but departs from previous
   efforts in that it consciously avoids dependence on particular

Yeong, Howes & Kille                                            [Page 1]

RFC 1487                       X.500 LDAP                      July 1993

   implementations.

2.  Protocol Model

   The general model adopted by this protocol is one of clients
   performing protocol operations against servers. In this model, this
   is accomplished by a client transmitting a protocol request
   describing the operation to be performed to a server, which is then
   responsible for performing the necessary operations on the Directory.
   Upon completion of the necessary operations, the server returns a
   response containing any results or errors to the requesting client.
   In keeping with the goal of easing the costs associated with use of
   the Directory, it is an objective of this protocol to minimize the
   complexity of clients so as to facilitate widespread deployment of
   applications capable of utilizing the Directory.

   Note that, although servers are required to return responses whenever
   such responses are defined in the protocol, there is no requirement
   for synchronous behavior on the part of either client or server
   implementations: requests and responses for multiple operations may
   be exchanged by clients and servers in any order, as long as clients
   eventually receive a response for every request that requires one.

   Consistent with the model of servers performing protocol operations
   on behalf of clients, it is also to be noted that protocol servers
   are expected to handle referrals without resorting to the return of
   such referrals to the client. This protocol makes no provisions for
   the return of referrals to clients, as the model is one of servers
   ensuring the performance of all necessary operations in the
   Directory, with only final results or errors being returned by
   servers to clients.

   Note that this protocol can be mapped to a strict subset of the
   directory abstract service, so it can be cleanly provided by the DAP.

3.  Mapping Onto Transport Services

   This protocol is designed to run over connection-oriented, reliable
   transports, with all 8 bits in an octet being significant in the data
   stream.  Specifications for two underlying services are defined here,
   though others are also possible.

3.1.  Transmission Control Protocol (TCP)

   The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
   Server implementations running over the TCP should provide a protocol
   listener on port 389.

3.2.  Connection Oriented Transport Service (COTS)

   The connection is established.  No special use of T-Connect
   is made.  Each LDAPMessage PDU is mapped directly onto T-Data.

4.  Elements of Protocol

   For the purposes of protocol exchanges, all protocol operations are
   encapsulated in a common envelope, the LDAPMessage, which is defined
   as follows:

     LDAPMessage ::=
         SEQUENCE {
              messageID      MessageID,
              protocolOp     CHOICE {
                                  bindRequest         BindRequest,
                                  bindResponse        BindResponse,
                                  unbindRequest       UnbindRequest,
                                  searchRequest       SearchRequest,
                                  searchResponse      SearchResponse,
                                  modifyRequest       ModifyRequest,
                                  modifyResponse      ModifyResponse,
                                  addRequest          AddRequest,
                                  addResponse         AddResponse,
                                  delRequest          DelRequest,
                                  delResponse         DelResponse,
                                  modifyRDNRequest    ModifyRDNRequest,
                                  modifyRDNResponse   ModifyRDNResponse,
                                  compareDNRequest    CompareRequest,
                                  compareDNResponse   CompareResponse,
                                  abandonRequest      AbandonRequest
                             }
         }

     MessageID ::= INTEGER (0 .. MaxInt)

   The function of the LDAPMessage is to provide an envelope containing
   common fields required in all protocol exchanges. At this time the
   only common field is a message ID, which is required to have a value
   different from the values of any other requests outstanding in the
   LDAP session of which this message is a part.

   The message ID value must be echoed in all LDAPMessage envelopes
   encapsulating responses corresponding to the request contained in the
   LDAPMessage in which the message ID value was originally used.

   In addition to the LDAPMessage defined above, the following
   definitions are also used in defining protocol operations:

     IA5String ::= OCTET STRING

   The IA5String is a notational convenience to indicate that, although
   strings of IA5String type encode as OCTET STRING types, the legal
   character set in such strings is limited to the IA5 character set.

     LDAPDN ::= IA5String

     RelativeLDAPDN ::= IA5String

   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
   representation of a Distinguished Name and a Relative Distinguished
   Name after encoding according to the specification in [5], such that

     <distinguished-name> ::= <name>

     <relative-distinguished-name> ::= <name-component>

   where <name> and <name-component> are as defined in [5].

     AttributeValueAssertion ::=
         SEQUENCE {
              attributeType       AttributeType,
              attributeValue      AttributeValue
         }

   The AttributeValueAssertion type definition is similar to the one in
   the Directory standards.

     AttributeType ::= IA5String

     AttributeValue ::= OCTET STRING

   An AttributeType value takes on as its value the textual string
   associated with that AttributeType in the Directory standards. For
   example, the AttributeType 'organizationName' with object identifier
   2.5.4.10 is represented as an AttributeType in this protocol by the
   string "organizationName".  In the event that a protocol
   implementation encounters an Attribute Type with which it cannot
   associate a textual string, an ASCII string encoding of the object
   identifier associated with the Attribute Type may be substituted.
   For example, the organizationName AttributeType may be represented by
   the ASCII string "2.5.4.10" if a protocol implementation is unable to
   associate the string "organizationName" with it.

   A field of type AttributeValue takes on as its value an octet string
   encoding of a Directory AttributeValue type. The definition of these
   string encodings for different Directory AttributeValue types may be
   found in companions to this document that define the encodings of
   various attribute syntaxes such as [6].

     LDAPResult ::=
         SEQUENCE {
             resultCode    ENUMERATED {
                             success                      (0),
                             operationsError              (1),
                             protocolError                (2),
                             timeLimitExceeded            (3),
                             sizeLimitExceeded            (4),
                             compareFalse                 (5),
                             compareTrue                  (6),
                             authMethodNotSupported       (7),
                             strongAuthRequired           (8),
                             noSuchAttribute              (16),
                             undefinedAttributeType       (17),
                             inappropriateMatching        (18),
                             constraintViolation          (19),
                             attributeOrValueExists       (20),
                             invalidAttributeSyntax       (21),
                             noSuchObject                 (32),
                             aliasProblem                 (33),
                             invalidDNSyntax              (34),
                             isLeaf                       (35),
                             aliasDereferencingProblem    (36),
                             inappropriateAuthentication  (48),
                             invalidCredentials           (49),
                             insufficientAccessRights     (50),
                             busy                         (51),
                             unavailable                  (52),
                             unwillingToPerform           (53),
                             loopDetect                   (54),
                             namingViolation              (64),
                             objectClassViolation         (65),
                             notAllowedOnNonLeaf          (66),
                             notAllowedOnRDN              (67),
                             entryAlreadyExists           (68),
                             objectClassModsProhibited    (69),
                             other                        (80)
                           },
             matchedDN     LDAPDN,
             errorMessage  IA5String
         }

   The LDAPResult is the construct used in this protocol to return
   success or failure indications from servers to clients. In response
   to various requests, servers will return responses containing fields
   of type LDAPResult to indicate the final status of a protocol
   operation request.  The errorMessage field of this construct may, at
   the server's option, be used to return an ASCII string containing a
   textual, human-readable error diagnostic. As this error diagnostic is
   not standardized, implementations should not rely on the values
   returned.  If the server chooses not to return a textual diagnostic,
   the errorMessage field of the LDAPResult type should contain a zero
   length string.

   For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax,
   isLeaf, and aliasDereferencingProblem, the matchedDN field is set to
   the name of the lowest entry (object or alias) in the DIT that was
   matched and is a truncated form of the name provided or, if an alias
   has been dereferenced, of the resulting name.  The matchedDN field
   should be set to NULL DN (a zero length string) in all other cases.

4.1.  Bind Operation

   The function of the Bind Operation is to initiate a protocol session
   between a client and a server, and to allow the authentication of the
   client to the server. The Bind Operation must be the first operation
   request received by a server from a client in a protocol session.
   The Bind Request is defined as follows:

     BindRequest ::=
         [APPLICATION 0] SEQUENCE {
                             version   INTEGER (1 .. 127),
                             name      LDAPDN,
                             authentication CHOICE {
                                  simple        [0] OCTET STRING,
                                  krbv42LDAP    [1] OCTET STRING,
                                  krbv42DSA     [2] OCTET STRING
                             }
         }

   Parameters of the Bind Request are:

   - version: A version number indicating the version of the protocol to
     be used in this protocol session.  This document describes version
     2 of the LDAP protocol.  Note that there is no version negotiation,
     and the client should just set this parameter to the version it
     desires.

   - name: The name of the Directory object that the client wishes to
     bind as.  This field may take on a null value (a zero length
     string) for the purposes of anonymous binds.

   - authentication: information used to authenticate the name, if any,
     provided in the Bind Request. The "simple" authentication option
     provides minimal authentication facilities, with the contents of
     the authentication field consisting only of a cleartext password.
     This option should also be used when unauthenticated or anonymous
     binds are to be performed, with the field containing a zero length
     string in such cases. Kerberos version 4 [7] authentication to the
     LDAP server and the DSA is accomplished by using the "krbv42LDAP"
     and "krbv42DSA" authentication options, respectively.  Note that
     though they are referred to as separate entities here, there is no
     requirement these two entities be distinct (i.e., a DSA could speak
     LDAP directly).  Two separate authentication options are provided
     to support all implementations.  Each octet string should contain
     the Kerberos ticket (e.g., as returned by krb_mk_req()) for the
     appropriate service.  The suggested service name for authentication
     to the LDAP server is "ldapserver".  The suggested service name for
     authentication to the DSA is "x500dsa".  In both cases, the
     suggested instance name for the service is the name of the host
     on which the service is running.  Of course, the actual service
     names and instances will depend on what is entered in the local
     Kerberos principal database.

   The Bind Operation requires a response, the Bind Response, which is
   defined as:

     BindResponse ::= [APPLICATION 1] LDAPResult

   A Bind Response consists simply of an indication from the server of
   the status of the client's request for the initiation of a protocol
   session.

   Upon receipt of a Bind Request, a protocol server will authenticate
   the requesting client if necessary, and attempt to set up a protocol
   session with that client. The server will then return a Bind Response
   to the client indicating the status of the session setup request.

4.2.  Unbind Operation

   The function of the Unbind Operation is to terminate a protocol
   session.  The Unbind Operation is defined as follows:

     UnbindRequest ::= [APPLICATION 2] NULL

   The Unbind Operation has no response defined. Upon transmission of an
   UnbindRequest, a protocol client may assume that the protocol session
   is terminated. Upon receipt of an UnbindRequest, a protocol server
   may assume that the requesting client has terminated the session and
   that all outstanding requests may be discarded.
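
Added example, not part of RFC 1487: a decoder for the BindRequest envelope of section 4.1 that reports which authentication choice a captured PDU carries, so a monitor can tell an anonymous bind from a "simple" bind that puts a cleartext password on the wire. It assumes definite-length BER with implicit tags (so "simple" encodes as tag 0x80); the function names are hypothetical and the DN and password are constructed sample values.

```python
# Added example (not from RFC 1487): build and decode a BindRequest PDU.
# Assumes definite-length BER and implicit tags, so simple [0] is tag 0x80.
AUTH = {0x80: "simple", 0x81: "krbv42LDAP", 0x82: "krbv42DSA"}

def tlv(tag, value):
    """Encode one element; short-form length only, enough for the samples."""
    if len(value) > 127:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode one element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def build_bind(msg_id, name, auth_tag, cred, version=2):
    """Encode LDAPMessage { messageID, [APPLICATION 0] BindRequest }."""
    op = tlv(0x02, bytes([version])) + tlv(0x04, name.encode("ascii")) + tlv(auth_tag, cred)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def parse_bind(pdu):
    """Decode an LDAPMessage holding a BindRequest and classify its credentials."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("not exactly one LDAPMessage SEQUENCE")
    t_id, msg_id, pos = read_tlv(body, 0)
    t_op, op, pos = read_tlv(body, pos)
    if t_id != 0x02 or t_op != 0x60 or pos != len(body):
        raise ValueError("expected messageID followed by [APPLICATION 0]")
    t_ver, ver, p = read_tlv(op, 0)
    t_name, name, p = read_tlv(op, p)
    t_auth, cred, p = read_tlv(op, p)
    if (t_ver, t_name) != (0x02, 0x04) or t_auth not in AUTH or p != len(op):
        raise ValueError("malformed BindRequest")
    simple = AUTH[t_auth] == "simple"
    return {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(ver, "big"),
            "name": name.decode("ascii"), "method": AUTH[t_auth],
            "anonymous": simple and not name and not cred,
            "cleartext_password": simple and bool(cred)}

# Constructed samples: an authenticated simple bind and an anonymous bind.
AUTHED = build_bind(1, "CN=Example User, O=Example Org, C=US", 0x80, b"constructed-pw")
ANON = build_bind(2, "", 0x80, b"")
```

parse_bind(AUTHED) reports cleartext_password as True and parse_bind(ANON) reports anonymous as True; a truncated or over-long PDU raises ValueError instead of being read past its declared length.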
