GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools

Problem, Formatting or Query -  Send Feedback

Was this page helpful?-10+1


rfc:rfc1487

Network Working Group W. Yeong Request for Comments: 1487 Performance Systems International

                                                              T. Howes
                                                University of Michigan
                                                              S. Kille
                                                      ISODE Consortium
                                                             July 1993
            X.500 Lightweight Directory Access Protocol

Status of this Memo

 This RFC specifies an IAB standards track protocol for the Internet
 community, and requests discussion and suggestions for improvements.
 Please refer to the current edition of the "IAB Official Protocol
 Standards" for the standardization state and status of this protocol.
 Distribution of this memo is unlimited.

Abstract

 The protocol described in this document is designed to provide access
 to the Directory while not incurring the resource requirements of the
 Directory Access Protocol (DAP). This protocol is specifically
 targeted at simple management applications and browser applications
 that provide simple read/write interactive access to the Directory,
 and is intended to be a complement to the DAP itself.
 Key aspects of LDAP are:
  1. Protocol elements are carried directly over TCP or other transport,

bypassing much of the session/presentation overhead.

  1. Many protocol data elements are encoding as ordinary strings (e.g.,

Distinguished Names).

  1. A lightweight BER encoding is used to encode all protocol elements.

1. History

 The tremendous interest in X.500 [1,2] technology in the Internet has
 lead to efforts to reduce the high "cost of entry" associated with
 use of the technology, such as the Directory Assistance Service [3]
 and DIXIE [4]. While efforts such as these have met with success,
 they have been solutions based on particular implementations and as
 such have limited applicability.  This document continues the efforts
 to define Directory protocol alternatives but departs from previous
 efforts in that it consciously avoids dependence on particular

Yeong, Howes & Kille [Page 1] RFC 1487 X.500 LDAP July 1993

 implementations.

2. Protocol Model

 The general model adopted by this protocol is one of clients
 performing protocol operations against servers. In this model, this
 is accomplished by a client transmitting a protocol request
 describing the operation to be performed to a server, which is then
 responsible for performing the necessary operations on the Directory.
 Upon completion of the necessary operations, the server returns a
 response containing any results or errors to the requesting client.
 In keeping with the goal of easing the costs associated with use of
 the Directory, it is an objective of this protocol to minimize the
 complexity of clients so as to facilitate widespread deployment of
 applications capable of utilizing the Directory.
 Note that, although servers are required to return responses whenever
 such responses are defined in the protocol, there is no requirement
 for synchronous behavior on the part of either client or server
 implementations: requests and responses for multiple operations may
 be exchanged by client and servers in any order, as long as clients
 eventually receive a response for every request that requires one.
 Consistent with the model of servers performing protocol operations
 on behalf of clients, it is also to be noted that protocol servers
 are expected to handle referrals without resorting to the return of
 such referrals to the client. This protocol makes no provisions for
 the return of referrals to clients, as the model is one of servers
 ensuring the performance of all necessary operations in the
 Directory, with only final results or errors being returned by
 servers to clients.
 Note that this protocol can be mapped to a strict subset of the
 directory abstract service, so it can be cleanly provided by the DAP.

3. Mapping Onto Transport Services

 This protocol is designed to run over connection-oriented, reliable
 transports, with all 8 bits in an octet being significant in the data
 stream.  Specifications for two underlying services are defined here,
 though others are also possible.

3.1. Transmission Control Protocol (TCP)

 The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
 Server implementations running over the TCP should provide a protocol
 listener on port 389.

Yeong, Howes & Kille [Page 2] RFC 1487 X.500 LDAP July 1993

3.2. Connection Oriented Transport Service (COTS)

 The connection is established.  No special special use of T-Connect
 is made.  Each LDAPMessage PDU is mapped directly onto T-Data.

4. Elements of Protocol

 For the purposes of protocol exchanges, all protocol operations are
 encapsulated in a common envelope, the LDAPMessage, which is defined
 as follows:
   LDAPMessage ::=
       SEQUENCE {
            messageID      MessageID,
            protocolOp     CHOICE {
                                bindRequest         BindRequest,
                                bindResponse        BindResponse,
                                unbindRequest       UnbindRequest
                                searchRequest       SearchRequest,
                                searchResponse      SearchResponse,
                                modifyRequest       ModifyRequest,
                                modifyResponse      ModifyResponse,
                                addRequest          AddRequest,
                                addResponse         AddResponse,
                                delRequest          DelRequest,
                                delResponse         DelResponse,
                                modifyRDNRequest    ModifyRDNRequest,
                                modifyRDNResponse   ModifyRDNResponse,
                                compareDNRequest    CompareRequest,
                                compareDNResponse   CompareResponse,
                                abandonRequest      AbandonRequest
                           }
       }
   MessageID ::= INTEGER (0 .. MaxInt)
 The function of the LDAPMessage is to provide an envelope containing
 common fields required in all protocol exchanges. At this time the
 only common field is a message ID, which is required to have a value
 different from the values of any other requests outstanding in the
 LDAP session of which this message is a part.
 The message ID value must be echoed in all LDAPMessage envelopes
 encapsulting responses corresponding to the request contained in the
 LDAPMessage in which the message ID value was originally used.
 In addition to the LDAPMessage defined above, the following
 definitions are also used in defining protocol operations:

Yeong, Howes & Kille [Page 3] RFC 1487 X.500 LDAP July 1993

   IA5String ::= OCTET STRING
 The IA5String is a notational convenience to indicate that, although
 strings of IA5String type encode as OCTET STRING types, the legal
 character set in such strings is limited to the IA5 character set.
   LDAPDN ::= IA5String
   RelativeLDAPDN ::= IA5String
 An LDAPDN and a RelativeLDAPDN are respectively defined to be the
 representation of a Distinguished Name and a Relative Distinguished
 Name after encoding according to the specification in [5], such that
   <distinguished-name> ::= <name>
   <relative-distinguished-name> ::= <name-component>
 where <name> and <name-component> are as defined in [5].
   AttributeValueAssertion ::=
       SEQUENCE {
            attributeType       AttributeType
            attributeValue      AttributeValue
       }
 The AttributeValueAssertion type definition  is similar to the one in
 the Directory standards.
   AttributeType ::= IA5String
   AttributeValue ::= OCTET STRING
 An AttributeType value takes on as its value the textual string
 associated with that AttributeType in the Directory standards. For
 example, the AttributeType 'organizationName' with object identifier
 2.5.4.10 is represented as an AttributeType in this protocol by the
 string "organizationName".  In the event that a protocol
 implementation encounters an Attribute Type with which it cannot
 associate a textual string, an ASCII string encoding of the object
 identifier associated with the Attribute Type may be subsitituted.
 For example, the organizationName AttributeType may be represented by
 the ASCII string "2.5.4.10" if a protocol implementation is unable to
 associate the string "organizationName" with it.
 A field of type AttributeValue takes on as its value an octet string
 encoding of a Directory AttributeValue type. The definition of these
 string encodings for different Directory AttributeValue types may be

Yeong, Howes & Kille [Page 4] RFC 1487 X.500 LDAP July 1993

 found in companions to this document that define the encodings of
 various attribute syntaxes such as [6].
   LDAPResult ::=
       SEQUENCE {
           resultCode    ENUMERATED {
                           success                      (0),
                           operationsError              (1),
                           protocolError                (2),
                           timeLimitExceeded            (3),
                           sizeLimitExceeded            (4),
                           compareFalse                 (5),
                           compareTrue                  (6),
                           authMethodNotSupported       (7),
                           strongAuthRequired           (8),
                           noSuchAttribute              (16),
                           undefinedAttributeType       (17),
                           inappropriateMatching        (18),
                           constraintViolation          (19),
                           attributeOrValueExists       (20),
                           invalidAttributeSyntax       (21),
                           noSuchObject                 (32),
                           aliasProblem                 (33),
                           invalidDNSyntax              (34),
                           isLeaf                       (35),
                           aliasDereferencingProblem    (36),
                           inappropriateAuthentication  (48),
                           invalidCredentials           (49),
                           insufficientAccessRights     (50),
                           busy                         (51),
                           unavailable                  (52),
                           unwillingToPerform           (53),
                           loopDetect                   (54),
                           namingViolation              (64),
                           objectClassViolation         (65),
                           notAllowedOnNonLeaf          (66),
                           notAllowedOnRDN              (67),
                           entryAlreadyExists           (68),
                           objectClassModsProhibited    (69),
                           other                        (80)
                         },
           matchedDN     LDAPDN,
           errorMessage  IA5String
       }
 The LDAPResult is the construct used in this protocol to return
 success or failure indications from servers to clients. In response
 to various requests, servers will return responses containing fields

Yeong, Howes & Kille [Page 5] RFC 1487 X.500 LDAP July 1993

 of type LDAPResult to indicate the final status of a protocol
 operation request.  The errorMessage field of this construct may, at
 the servers option, be used to return an ASCII string containing a
 textual, human-readable error diagnostic. As this error diagnostic is
 not standardized, implementations should not rely on the values
 returned.  If the server chooses not to return a textual diagnostic,
 the errorMessage field of the LDAPResult type should contain a zero
 length string.
 For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax,
 isLeaf, and aliasDereferencingProblem, the matchedDN field is set to
 the name of the lowest entry (object or alias) in the DIT that was
 matched and is a truncated form of the name provided or, if an alias
 has been dereferenced, of the resulting name.  The matchedDN field
 should be set to NULL DN (a zero length string) in all other cases.

4.1. Bind Operation

 The function of the Bind Operation is to initiate a protocol session
 between a client and a server, and to allow the authentication of the
 client to the server. The Bind Operation must be the first operation
 request received by a server from a client in a protocol session.
 The Bind Request is defined as follows:
   BindRequest ::=
       [APPLICATION 0] SEQUENCE {
                           version   INTEGER (1 .. 127),
                           name      LDAPDN,
                           authentication CHOICE {
                                simple        [0] OCTET STRING,
                                krbv42LDAP    [1] OCTET STRING,
                                krbv42DSA     [2] OCTET STRING
                           }
       }
 Parameters of the Bind Request are:
  1. version: A version number indicating the version of the protocol to

be used in this protocol session. This document describes version

   2 of the LDAP protocol.  Note that there is no version negotiation,
   and the client should just set this parameter to the version it
   desires.
  1. name: The name of the Directory object that the client wishes to

bind as. This field may take on a null value (a zero length

   string) for the purposes of anonymous binds.
  1. authentication: information used to authenticate the name, if any,

Yeong, Howes & Kille [Page 6] RFC 1487 X.500 LDAP July 1993

   provided in the Bind Request. The "simple" authentication option
   provides minimal authentication facilities, with the contents of
   the authentication field consisting only of a cleartext password.
   This option should also be used when unauthenticated or anonymous
   binds are to be performed, with the field containing a zero length
   string in such cases. Kerberos version 4 [7] authentication to the
   LDAP server and the DSA is accomplished by using the "krbv42LDAP"
   and "krbv42DSA" authentication options, respectively.  Note that
   though they are referred to as separate entities here, there is no
   requirement these two entities be distinct (i.e., a DSA could speak
   LDAP directly).  Two separate authentication options are provided
   to support all implementations.  Each octet string should contain
   the kerberos ticket (e.g., as returned by krb_mk_req()) for the
   appropriate service.  The suggested service name for authentication
   to the LDAP server is "ldapserver".  The suggested service name for
   authentication to the DSA is "x500dsa".  In both cases, the
   suggested instance name for the service is the name of the host
   on which the service is running.  Of course, the actual service
   names and instances will depend on what is entered in the local
   kerberos principle database.
 The Bind Operation requires a response, the Bind Response, which is
 defined as:
   BindResponse ::= [APPLICATION 1] LDAPResult
 A Bind Response consists simply of an indication from the server of
 the status of the client's request for the initiation of a protocol
 session.
 Upon receipt of a Bind Request, a protocol server will authenticate
 the requesting client if necessary, and attempt to set up a protocol
 session with that client. The server will then return a Bind Response
 to the client indicating the status of the session setup request.

4.2. Unbind Operation

 The function of the Unbind Operation is to terminate a protocol
 session.  The Unbind Operation is defined as follows:
   UnbindRequest ::= [APPLICATION 2] NULL
 The Unbind Operation has no response defined. Upon transmission of an
 UnbindRequest, a protocol client may assume that the protocol session
 is terminated. Upon receipt of an UnbindRequest, a protocol server
 may assume that the requesting client has terminated the session and
 that all outstanding requests may be discarded.

Yeong, Howes & Kille [Page 7] RFC 1487 X.500 LDAP July 1993

4.3. Search Operation

 The Search Operation allows a client to request that a search be
 performed on its behalf by a server. The Search Request is defined as
 follows:
   SearchRequest ::=
       [APPLICATION 3] SEQUENCE {
           baseObject    LDAPDN,
           scope         ENUMERATED {
                              baseObject            (0),
                              singleLevel           (1),
                              wholeSubtree          (2)
                         },
           derefAliases  ENUMERATED {
                                      neverDerefAliases     (0),
                                      derefInSearching      (1),
                                      derefFindingBaseObj   (2),
                                      derefAlways           (3)
                                 },
           sizeLimit     INTEGER (0 .. MaxInt),
           timeLimit     INTEGER (0 .. MaxInt),
           attrsOnly     BOOLEAN,
           filter        Filter,
           attributes    SEQUENCE OF AttributeType
   }
   Filter ::=
       CHOICE {
           and                [0] SET OF Filter,
           or                 [1] SET OF Filter,
           not                [2] Filter,
           equalityMatch      [3] AttributeValueAssertion,
           substrings         [4] SubstringFilter,
           greaterOrEqual     [5] AttributeValueAssertion,
           lessOrEqual        [6] AttributeValueAssertion,
           present            [7] AttributeType,
           approxMatch        [8] AttributeValueAssertion
       }
   SubstringFilter
       SEQUENCE {
           type               AttributeType,
           SEQUENCE OF CHOICE {
               initial        [0] IA5String,
               any            [1] IA5String,
               final          [2] IA5String
           }

Yeong, Howes & Kille [Page 8] RFC 1487 X.500 LDAP July 1993

       }
 Parameters of the Search Request are:
  1. baseObject: An LDAPDN that is the base object entry relative to

which the search is to be performed.

  1. scope: An indicator of the scope of the search to be performed. The

semantics of the possible values of this field are identical to the

   semantics of the scope field in the Directory Search Operation.
  1. derefAliases: An indicator as to how alias objects should be handled

in searching. The semantics of the possible values of this

   field are, in order of increasing value:
           neverDerefAliases: do not dereference aliases in searching
           or in locating the base object of the search;
           derefInSearching: dereference aliases in subordinates of
           the base object in searching, but not in locating the
           base object of the search;
           derefFindingBaseObject: dereference aliases in locating
           the base object of the search, but not when searching
           subordinates of the base object;
           derefAlways: dereference aliases both in searching and in
           locating the base object of the search.
  1. sizelimit: A sizelimit that restricts the maximum number of entries

to be returned as a result of the search. A value of 0 in this

   field indicates that no sizelimit restrictions are in effect for
   the search.
  1. timelimit: A timelimit that restricts the maximum time (in seconds)

allowed for a search. A value of 0 in this field indicates that no

   timelimit restrictions are in effect for the search.
  1. attrsOnly: An indicator as to whether search results should contain

both attribute types and values, or just attribute types. Setting

   this field to TRUE causes only attribute types (no values) to be
   returned.  Setting this field to FALSE causes both attribute types
   and values to be returned.
  1. filter: A filter that defines the conditions that must be fulfilled

in order for the search to match a given entry.

  1. attributes: A list of the attributes from each entry found as a

Yeong, Howes & Kille [Page 9] RFC 1487 X.500 LDAP July 1993

   result of the search to be returned. An empty list signifies that
   all attributes from each entry found in the search are to be
   returned.
 The results of the search attempted by the server upon receipt of a
 Search Request are returned in Search Responses, defined as follows:

Search Response ::=

   CHOICE {
        entry          [APPLICATION 4] SEQUENCE {
                            objectName     LDAPDN,
                            attributes     SEQUENCE OF SEQUENCE {
                                                AttributeType,
                                                SET OF AttributeValue
                                           }
                       },
        resultCode     [APPLICATION 5] LDAPResult
    }
 Upon receipt of a Search Request, a server will perform the necessary
 search of the DIT.
 The server will return to the client a sequence of responses
 comprised of:
  1. Zero or more Search Responses each consisting of an entry found

during the search; with the response sequence terminated by

  1. A single Search Response containing an indication of success, or

detailing any errors that have occurred.

 Each entry returned will contain all attributes, complete with
 associated values if necessary, as specified in the 'attributes'
 field of the Search Request.
 Note that an X.500 "list" operation can be emulated by a one-level
 LDAP search operation with a filter checking for the existence of the
 objectClass attribute, and that an X.500 "read" operation can be
 emulated by a base object LDAP search operation with the same filter.

4.4. Modify Operation

 The Modify Operation allows a client to request that a modification
 of the DIB be performed on its behalf by a server.  The Modify
 Request is defined as follows:

Yeong, Howes & Kille [Page 10] RFC 1487 X.500 LDAP July 1993

ModifyRequest ::=

   [APPLICATION 6] SEQUENCE {
        object         LDAPDN,
        modification   SEQUENCE OF SEQUENCE {
                            operation      ENUMERATED {
                                                add       (0),
                                                delete    (1),
                                                replace   (2)
                                           },
                            modification   SEQUENCE {
                                              type    AttributeType,
                                              values  SET OF
                                                        AttributeValue
                                           }
                       }
   }
 Parameters of the Modify Request are:
  1. object: The object to be modified. The value of this field should

name the object to be modified after all aliases have been

   dereferenced. The server will not perform any alias dereferencing in
   determining the object to be modified.
  1. A list of modifications to be performed on the entry to be modified.

The entire list of entry modifications should be performed

   in the order they are listed, as a single atomic operation.  While
   individual modifications may violate the Directory schema, the
   resulting entry after the entire list of modifications is performed
   must conform to the requirements of the Directory schema. The
   values that may be taken on by the 'operation' field in each
   modification construct have the following semantics respectively:
           add: add values listed to the given attribute, creating
           the attribute if necessary;
           delete: delete values listed from the given attribute,
           removing the entire attribute if no values are listed, or
           if all current values of the attribute are listed for
           deletion;
           replace: replace existing values of the given attribute
           with the new values listed, creating the attribute if
           necessary.
 The result of the modify attempted by the server upon receipt of a
 Modify Request is returned in a Modify Response, defined as follows:

Yeong, Howes & Kille [Page 11] RFC 1487 X.500 LDAP July 1993

   ModifyResponse ::= [APPLICATION 7] LDAPResult
 Upon receipt of a Modify Request, a server will perform the necessary
 modifications to the DIB.
 The server will return to the client a single Modify Response
 indicating either the successful completion of the DIB modification,
 or the reason that the modification failed. Note that due to the
 requirement for atomicity in applying the list of modifications in
 the Modify Request, the client may expect that no modifications of
 the DIB have been performed if the Modify Response received indicates
 any sort of error, and that all requested modifications have been
 performed if the Modify Response indicates successful completion of
 the Modify Operation.

4.5. Add Operation

 The Add Operation allows a client to request the addition of an entry
 into the Directory. The Add Request is defined as follows:
   AddRequest ::=
       [APPLICATION 8] SEQUENCE {
            entry          LDAPDN,
            attrs          SEQUENCE OF SEQUENCE {
                                type          AttributeType,
                                values        SET OF AttributeValue
                           }
       }
 Parameters of the Add Request are:
  1. entry: the Distinguished Name of the entry to be added. Note that

all components of the name except for the last RDN component must

   exist for the add to succeed.
  1. attrs: the list of attributes that make up the content of the entry

being added.

 The result of the add attempted by the server upon receipt of a Add
 Request is returned in the Add Response, defined as follows:
   AddResponse ::= [APPLICATION 9] LDAPResult
 Upon receipt of an Add Request, a server will attempt to perform the
 add requested. The result of the add attempt will be returned to the
 client in the Add Response.

Yeong, Howes & Kille [Page 12] RFC 1487 X.500 LDAP July 1993

4.6. Delete Operation

 The Delete Operation allows a client to request the removal of an
 entry from the Directory. The Delete Request is defined as follows:
   DelRequest ::= [APPLICATION 10] LDAPDN
 The Delete Request consists only of the Distinguished Name of the
 entry to be deleted.  The result of the delete attempted by the
 server upon receipt of a Delete Request is returned in the Delete
 Response, defined as follows:
   DelResponse ::= [APPLICATION 11] LDAPResult
 Upon receipt of a Delete Request, a server will attempt to perform
 the entry removal requested. The result of the delete attempt will be
 returned to the client in the Delete Response. Note that only leaf
 objects may be deleted with this operation.

4.7. Modify RDN Operation

 The Modify RDN Operation allows a client to change the last component
 of the name of an entry in the Directory. The Modify RDN Request is
 defined as follows:
   ModifyRDNRequest ::=
       [APPLICATION 12] SEQUENCE {
            entry          LDAPDN,
            newrdn         RelativeLDAPDN
       }
 Parameters of the Modify RDN Request are:
  1. entry: the name of the entry to be changed.
  1. newrdn: the RDN that will form the last component of the new name.
 The result of the name change attempted by the server upon receipt of
 a Modify RDN Request is returned in the Modify RDN Response, defined
 as follows:
   ModifyRDNResponse ::= [APPLICATION 13] LDAPResult
 Upon receipt of a Modify RDN Request, a server will attempt to
 perform the name change. The result of the name change attempt will
 be returned to the client in the Modify RDN Response. The attributes
 that make up the old RDN are deleted from the entry.

Yeong, Howes & Kille [Page 13] RFC 1487 X.500 LDAP July 1993

4.8. Compare Operation

 The Compare Operation allows a client to compare an assertion
 provided with an entry in the Directory. The Compare Request is
 defined as follows:
   CompareRequest ::=
       [APPLICATION 14] SEQUENCE {
            entry          LDAPDN,
            ava            AttributeValueAssertion
       }
 Parameters of the Compare Request are:
  1. entry: the name of the entry to be compared with.
  1. ava: the assertion with which the entry is to be compared.
 The result of the compare attempted by the server upon receipt of a
 Compare Request is returned in the Compare Response, defined as
 follows:
   CompareResponse ::= [APPLICATION 15] LDAPResult
 Upon receipt of a Compare Request, a server will attempt to perform
 the requested comparison. The result of the comparison will be
 returned to the client in the Compare Response. Note that errors and
 the result of comparison are all returned in the same construct.

4.9. Abandon Operation

 The function of the Abandon Operation is to allow a client to request
 that the server abandon an outstanding operation.  The Abandon
 Request is defined as follows:
   AbandonRequest ::= [APPLICATION 16] MessageID
 There is no response defined in the Abandon Operation. Upon
 transmission of an Abandon Operation, a client may expect that the
 operation identified by the Message ID in the Abandon Request has
 been abandoned. In the event that a server receives an Abandon
 Request on a Search Operation in the midst of transmitting responses
 to that search, that server should cease transmitting responses to
 the abandoned search immediately.

Yeong, Howes & Kille [Page 14] RFC 1487 X.500 LDAP July 1993

5. Protocol Element Encodings

 The protocol elements of LDAP are encoded for exchange using the
 Basic Encoding Rules (BER) [11] of ASN.1 [10]. However, due to the
 high overhead involved in using certain elements of the BER, the
 following additional restrictions are placed on BER-encodings of LDAP
 protocol elements:
 (1)  Only the definite form of length encoding will be used.
 (2)  Bitstrings and octet strings will be encoded in the primitive form
      only.

6. Security Considerations

 This version of the protocol provides facilities only for simple
 authentication using a cleartext password, and for kerberos version 4
 authentication.  Future versions of LDAP will likely include support
 for other authentication methods.

7. Bibliography

 [1] The Directory: Overview of Concepts, Models and Service.  CCITT
     Recommendation X.500, 1988.
 [2] Information Processing Systems -- Open Systems Interconnection --
     The Directory: Overview of Concepts, Models and Service.  ISO/IEC
     JTC 1/SC21; International Standard 9594-1, 1988.
 [3] Rose, M., "Directory Assistance Service", RFC 1202, Performance
     Systems International, Inc., February 1991.
 [4] Howes, R., Smith, M., and B. Beecher, "DIXIE Protocol
     Specification", RFC 1249, University of Michigan, August 1991.
 [5] Kille, S., "A String Representation of Distinguished Names", RFC
     1485, ISODE Consortium, July 1993.
 [6] Howes, T., Kille, S., Yeong, W., and C. Robbins, "The String
     Representation of Standard Attribute Syntaxes", RFC 1488,
     University of Michigan, ISODE Consortium, Performance Systems
     International, NeXor Ltd., July 1993.
 [7] Kerberos Authentication and Authorization System.  S.P. Miller,
     B.C. Neuman, J.I. Schiller, J.H. Saltzer; MIT Project Athena
     Documentation Section E.2.1, December 1987.

Yeong, Howes & Kille [Page 15] RFC 1487 X.500 LDAP July 1993

 [8] The Directory: Models.  CCITT Recommendation X.501 ISO/IEC JTC
     1/SC21; International Standard 9594-2, 1988.
 [9] The Directory: Abstract Service Definition.  CCITT Recommendation
     X.511, ISO/IEC JTC 1/SC21; International Standard 9594-3, 1988.
[10] Specification of Abstract Syntax Notation One (ASN.1).  CCITT
     Recommendation X.208, 1988.
[11] Specification of Basic Encoding Rules for Abstract Syntax
     Notation One (ASN.1).  CCITT Recommendation X.209, 1988.

9. Security Considerations

 Security issues are not discussed in this memo.

9. Authors' Addresses

 Wengyik Yeong
 PSI, Inc.
 510 Huntmar Park Drive
 Herndon, VA 22070
 USA
 Phone: +1 703-450-8001
 EMail: yeongw@psilink.com
 Tim Howes
 University of Michigan
 ITD Research Systems
 535 W William St.
 Ann Arbor, MI 48103-4943
 USA
 Phone: +1 313 747-4454
 EMail: tim@umich.edu
 Steve Kille
 ISODE Consortium
 PO Box 505
 London
 SW11 1DX
 UK
 Phone: +44-71-223-4062
 EMail: S.Kille@isode.com

Yeong, Howes & Kille [Page 16] RFC 1487 X.500 LDAP July 1993

Appendix A

                       Complete ASN.1 Definition

Lightweight-Directory-Access-Protocol DEFINITIONS ::=

IMPLICIT TAGS

BEGIN

LDAPMessage ::=

  SEQUENCE {
       messageID      MessageID,
                      -- unique id in request,
                      -- to be echoed in response(s)
       protocolOp     CHOICE {
                           searchRequest       SearchRequest,
                           searchResponse      SearchResponse,
                           modifyRequest       ModifyRequest,
                           modifyResponse      ModifyResponse,
                           addRequest          AddRequest,
                           addResponse         AddResponse,
                           delRequest          DelRequest,
                           delResponse         DelResponse,
                           modifyDNRequest     ModifyDNRequest,
                           modifyDNResponse    ModifyDNResponse,
                           compareDNRequest    CompareRequest,
                           compareDNResponse   CompareResponse,
                           bindRequest         BindRequest,
                           bindResponse        BindResponse,
                           abandonRequest      AbandonRequest,
                           unbindRequest       UnbindRequest
                      }
  }

BindRequest ::=

  [APPLICATION 0] SEQUENCE {
       version        INTEGER (1 .. 127),
                      -- current version is 2
       name           LDAPDN,
                      -- null name implies an anonymous bind
       authentication CHOICE {
                           simple        [0] OCTET STRING,
                                     -- a zero length octet string
                                     -- implies an unauthenticated
                                     -- bind.
                           krbv42LDAP    [1] OCTET STRING,
                           krbv42DSA     [2] OCTET STRING

Yeong, Howes & Kille [Page 17] RFC 1487 X.500 LDAP July 1993

  1. - values as returned by
  2. - krb_mk_req()
  3. - Other values in later
  4. - versions of this protocol.

}

  }

BindResponse ::= [APPLICATION 1] LDAPResult

UnbindRequest ::= [APPLICATION 2] NULL

SearchRequest ::=

  [APPLICATION 3] SEQUENCE {
       baseObject     LDAPDN,
       scope          ENUMERATED {
                           baseObject            (0),
                           singleLevel           (1),
                           wholeSubtree          (2)
                      },
       derefAliases   ENUMERATED {
                           neverDerefAliases     (0),
                           derefInSearching      (1),
                           derefFindingBaseObj   (2),
                           alwaysDerefAliases    (3)
                      },
       sizeLimit      INTEGER (0 .. MaxInt),
                      -- value of 0 implies no sizelimit
       timeLimit      INTEGER (0 .. MaxInt),
                      -- value of 0 implies no timelimit
       attrsOnly     BOOLEAN,
                      -- TRUE, if only attributes (without values)
                      -- to be returned.
       filter         Filter,
       attributes     SEQUENCE OF AttributeType
  }

SearchResponse ::=

  CHOICE {
       entry          [APPLICATION 4] SEQUENCE {
                           objectName     LDAPDN,
                           attributes     SEQUENCE OF SEQUENCE {
                                            AttributeType,
                                            SET OF
                                              AttributeValue
                                          }
                      },
       resultCode     [APPLICATION 5] LDAPResult
  }

Yeong, Howes & Kille [Page 18] RFC 1487 X.500 LDAP July 1993

ModifyRequest ::=

  [APPLICATION 6] SEQUENCE {
       object         LDAPDN,
       modifications  SEQUENCE OF SEQUENCE {
                           operation     ENUMERATED {
                                           add      (0),
                                           delete   (1),
                                           replace  (2)
                                         },
                           modification  SEQUENCE {
                                           type     AttributeType,
                                           values   SET OF
                                                      AttributeValue
                                         }
                      }
  }

ModifyResponse ::= [APPLICATION 7] LDAPResult

AddRequest ::=

  [APPLICATION 8] SEQUENCE {
       entry          LDAPDN,
       attrs          SEQUENCE OF SEQUENCE {
                           type          AttributeType,
                           values        SET OF AttributeValue
                      }
  }

AddResponse ::= [APPLICATION 9] LDAPResult

DelRequest ::= [APPLICATION 10] LDAPDN

DelResponse ::= [APPLICATION 11] LDAPResult

ModifyRDNRequest ::=

  [APPLICATION 12] SEQUENCE {
       entry          LDAPDN,
       newrdn         RelativeLDAPDN -- old RDN always deleted
  }

ModifyRDNResponse ::= [APPLICATION 13] LDAPResult

CompareRequest ::=

  [APPLICATION 14] SEQUENCE {
       entry          LDAPDN,
       ava            AttributeValueAssertion
  }

Yeong, Howes & Kille [Page 19] RFC 1487 X.500 LDAP July 1993

CompareResponse ::= [APPLICATION 15] LDAPResult

AbandonRequest ::= [APPLICATION 16] MessageID

MessageID ::= INTEGER (0 .. MaxInt)

LDAPDN ::= IA5String

RelativeLDAPDN ::= IA5String

Filter ::=

  CHOICE {
      and            [0] SET OF Filter,
      or             [1] SET OF Filter,
      not            [2] Filter,
      equalityMatch  [3] AttributeValueAssertion,
      substrings     [4] SubstringFilter,
      greaterOrEqual [5] AttributeValueAssertion,
      lessOrEqual    [6] AttributeValueAssertion,
      present        [7] AttributeType,
      approxMatch    [8] AttributeValueAssertion
  }

LDAPResult ::=

  SEQUENCE {
      resultCode    ENUMERATED {
                      success                      (0),
                      operationsError              (1),
                      protocolError                (2),
                      timeLimitExceeded            (3),
                      sizeLimitExceeded            (4),
                      compareFalse                 (5),
                      compareTrue                  (6),
                      authMethodNotSupported       (7),
                      strongAuthRequired           (8),
                      noSuchAttribute              (16),
                      undefinedAttributeType       (17),
                      inappropriateMatching        (18),
                      constraintViolation          (19),
                      attributeOrValueExists       (20),
                      invalidAttributeSyntax       (21),
                      noSuchObject                 (32),
                      aliasProblem                 (33),
                      invalidDNSyntax              (34),
                      isLeaf                       (35),
                      aliasDereferencingProblem    (36),
                      inappropriateAuthentication  (48),
                      invalidCredentials           (49),

Yeong, Howes & Kille [Page 20] RFC 1487 X.500 LDAP July 1993

                      insufficientAccessRights     (50),
                      busy                         (51),
                      unavailable                  (52),
                      unwillingToPerform           (53),
                      loopDetect                   (54),
                      namingViolation              (64),
                      objectClassViolation         (65),
                      notAllowedOnNonLeaf          (66),
                      notAllowedOnRDN              (67),
                      entryAlreadyExists           (68),
                      objectClassModsProhibited    (69),
                      other                        (80)
                    },
      matchedDN     LDAPDN,
      errorMessage  IA5String
  }

AttributeType ::= IA5String

  1. - text name of the attribute, or dotted
  2. - OID representation

AttributeValue ::= OCTET STRING

AttributeValueAssertion ::=

  SEQUENCE {
      attributeType        AttributeType,
      attributeValue       AttributeValue
  }

SubstringFilter

  SEQUENCE {
      type               AttributeType,
      SEQUENCE OF CHOICE {
        initial          [0] IA5String,
        any              [1] IA5String,
        final            [2] IA5String
    }
  }

IA5String ::= OCTET STRING

MaxInt ::= 65535 END

Yeong, Howes & Kille [Page 21]

/data/webs/external/dokuwiki/data/pages/rfc/rfc1487.txt · Last modified: 1993/07/28 21:09 (external edit)