idnits 2.17.1 

draft-ietf-asid-ldapv3-protocol-02.txt:
  ** The Abstract section seems to be numbered


  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in
     this document.

     Expected boilerplate is as follows today (2024-04-24) according to
     https://trustee.ietf.org/license-info :

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.a:
        This Internet-Draft is submitted in full conformance with the provisions
        of BCP 78 and BCP 79.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2:
        Copyright (c) 2024 IETF Trust and the persons identified as the document
        authors.  All rights reserved.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3:
        This document is subject to BCP 78 and the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info) in effect on the date of
        publication of this document.  Please review these documents
        carefully, as they describe your rights and restrictions with
        respect to this document.  Code Components extracted from this
        document must include Simplified BSD License text as described in
        Section 4.e of the Trust Legal Provisions and are provided
        without warranty as described in the Simplified BSD License.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 

  == The page length should not exceed 58 lines per page, but there was 42
     longer pages, the longest (page 2) being 61 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.
     (A line matching the expected section header was found, but with an
    unexpected indentation:
     '                scope           ENUMERATED {' )

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 324 instances of too long lines in the document, the longest
     one being 7 characters in excess of 72.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 286: '...      cldapUserName   LDAPDN OPTIONAL,...'
     RFC 2119 keyword, line 578: '...                referral        [3] Referral OPTIONAL }...'
     RFC 2119 keyword, line 739: '...             supportedVersion   [5] INTEGER (1..127) OPTIONAL,...'
     RFC 2119 keyword, line 740: '...             serverURL          [6] LDAPURL OPTIONAL,...'
     RFC 2119 keyword, line 741: '...             serverCreds        [7] AuthenticationChoice OPTIONAL }...'
     (35 more instances...)

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  -- The draft header indicates that this document obsoletes RFC1798, but the
     abstract doesn't seem to directly say this.  It does mention RFC1798
     though, so this could be OK.

  -- The draft header indicates that this document obsoletes RFC1777, but the
     abstract doesn't seem to directly say this.  It does mention RFC1777
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 28 has weird spacing: '...listing  conta...'

  == Line 155 has weird spacing: '...bute to  preve...'

  == Line 1236 has weird spacing: '...eturned   actu...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (30 August 1996) is 10099 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? '1' on line 2285 looks like a reference

  -- Missing reference section? '2' on line 2261 looks like a reference

  -- Missing reference section? '5' on line 2109 looks like a reference

  -- Missing reference section? '6' on line 2110 looks like a reference

  -- Missing reference section? '3' on line 2262 looks like a reference

  -- Missing reference section? '15' on line 1878 looks like a reference

  -- Missing reference section? '16' on line 1881 looks like a reference

  -- Missing reference section? '4' on line 2263 looks like a reference

  -- Missing reference section? '17' on line 1883 looks like a reference

  -- Missing reference section? '11' on line 2215 looks like a reference

  -- Missing reference section? '14' on line 1875 looks like a reference

  -- Missing reference section? '9' on line 2205 looks like a reference

  -- Missing reference section? 'APPLICATION 0' on line 2046 looks like a
     reference

  -- Missing reference section? '0' on line 2284 looks like a reference

  -- Missing reference section? '18' on line 1886 looks like a reference

  -- Missing reference section? 'APPLICATION 1' on line 2060 looks like a
     reference

  -- Missing reference section? '7' on line 2111 looks like a reference

  -- Missing reference section? 'APPLICATION 2' on line 2066 looks like a
     reference

  -- Missing reference section? 'APPLICATION 17' on line 2068 looks like a
     reference

  -- Missing reference section? 'APPLICATION 18' on line 2070 looks like a
     reference

  -- Missing reference section? '12' on line 2287 looks like a reference

  -- Missing reference section? 'APPLICATION 3' on line 2079 looks like a
     reference

  -- Missing reference section? '8' on line 2148 looks like a reference

  -- Missing reference section? 'APPLICATION 4' on line 2129 looks like a
     reference

  -- Missing reference section? 'APPLICATION 19' on line 2143 looks like a
     reference

  -- Missing reference section? 'APPLICATION 5' on line 2146 looks like a
     reference

  -- Missing reference section? 'APPLICATION 20' on line 2155 looks like a
     reference

  -- Missing reference section? 'APPLICATION 21' on line 2160 looks like a
     reference

  -- Missing reference section? 'APPLICATION 6' on line 2162 looks like a
     reference

  -- Missing reference section? 'APPLICATION 7' on line 2175 looks like a
     reference

  -- Missing reference section? 'APPLICATION 8' on line 2177 looks like a
     reference

  -- Missing reference section? 'APPLICATION 9' on line 2185 looks like a
     reference

  -- Missing reference section? 'APPLICATION 10' on line 2187 looks like a
     reference

  -- Missing reference section? 'APPLICATION 11' on line 2189 looks like a
     reference

  -- Missing reference section? 'APPLICATION 12' on line 2191 looks like a
     reference

  -- Missing reference section? 'APPLICATION 13' on line 2197 looks like a
     reference

  -- Missing reference section? 'APPLICATION 14' on line 2199 looks like a
     reference

  -- Missing reference section? 'APPLICATION 15' on line 2203 looks like a
     reference

  -- Missing reference section? 'APPLICATION 16' on line 2207 looks like a
     reference

  -- Missing reference section? 'APPLICATION 23' on line 2208 looks like a
     reference

  -- Missing reference section? 'APPLICATION 24' on line 2212 looks like a
     reference

  -- Missing reference section? '10' on line 2214 looks like a reference

  -- Missing reference section? '19' on line 1889 looks like a reference

  -- Missing reference section? '13' on line 2288 looks like a reference


     Summary: 10 errors (**), 0 flaws (~~), 5 warnings (==), 48 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	Network Working Group                                            M. Wahl
2	INTERNET-DRAFT                                       Critical Angle Inc.
3	Obsoletes: RFC 1777, RFC 1798                                   T. Howes
4	                                           Netscape Communications Corp.
5	                                                                S. Kille
6	                                                        ISODE Consortium
7	Expires in six months from                                30 August 1996
8	Intended Category: Standards Track

10	                  Lightweight Directory Access Protocol (v3)
11	                  <draft-ietf-asid-ldapv3-protocol-02.txt>

13	Table of Contents - see end of document.

15	1.  Status of this Memo

17	   This document is an Internet-Draft.  Internet-Drafts are working
18	   documents of the Internet Engineering Task Force (IETF), its areas, and
19	   its working groups.  Note that other groups may also distribute working
20	   documents as Internet-Drafts.

22	   Internet-Drafts are draft documents valid for a maximum of six months
23	   and may be updated, replaced, or obsoleted by other documents at any
24	   time.  It is inappropriate to use Internet-Drafts as reference material
25	   or to cite them other than as "work in progress."

27	   To learn the current status of any Internet-Draft, please check the
28	   "1id-abstracts.txt" listing  contained in the Internet-Drafts Shadow
29	   Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
30	   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

32	2.  Abstract

34	   The protocol described in this document is designed to provide access
35	   to directories supporting the X.500 models, while not incurring the
36	   resource requirements of the X.500 Directory Access Protocol (DAP). This
37	   protocol is specifically targeted at management applications and browser
38	   applications that provide read/write interactive access to directories.
39	   When used with a directory supporting the X.500 protocols, it is
40	   intended to be a complement to the X.500 DAP.

42	   Key aspects of this version of LDAP are:

44	   - All protocol elements of LDAP (RFC 1777) and CLDAP (RFC 1798) are
45	     supported.

47	   - Protocol elements are carried directly over TCP or other transport,
48	     bypassing much of the session/presentation overhead.  Connectionless
49	     transport (UDP) is also supported for efficient lookup operations.

51	   - Most protocol data elements can be encoded as ordinary strings
52	     (e.g., Distinguished Names).

54	   - New features have been added to enable more powerful clients, such as
55	     the abilities to retrieve attribute values in binary or search results
56	     in pages.

58	   - Important features of X.500(1993) and X.500(1997) are included.

60	   - Referrals to other servers may be returned.

62	   - The protocol may be extended to support bilaterally-defined
63	     operations.

65	   - Several session controls may be requested by the client.

67	3.  Models

69	   Interest in X.500 [1] directory technologies in the Internet has lead to
70	   efforts to reduce the high "cost of entry" associated with use of these
71	   technologies.  This document continues the efforts to define directory
72	   protocol alternatives: it updates the LDAP [2] protocol specification,
73	   adding support for new features, including some support for connecting
74	   to X.500 services that implement the 1993 or 1997 edition protocols.

76	3.1. Protocol Model

78	   The general model adopted by this protocol is one of clients
79	   performing protocol operations against servers. In this model, a
80	   client transmits a protocol request describing the operation to be
81	   performed to a server, which is then responsible for performing
82	   the necessary operation(s) in the directory. Upon completion of
83	   the operation(s), the server returns a response containing any results or
84	   errors to the requesting client.

86	   In keeping with the goal of easing the costs associated with use of
87	   the directory, it is an objective of this protocol to minimize the
88	   complexity of clients so as to facilitate widespread deployment of
89	   applications capable of utilizing the directory.

91	   Note that, although servers are required to return responses whenever
92	   such responses are defined in the protocol, there is no requirement
93	   for synchronous behavior on the part of either clients or servers.
94	   Requests and responses for multiple operations may be exchanged
95	   between a client and server in any order, provided the client
96	   eventually receives a response for every request that requires one.

98	   In LDAP versions 1 and 2, no provision was made for protocol servers
99	   returning referrals to clients.  However, for improved performance and
100	   distribution this version of the protocol permits servers to return to
101	   clients referrals to other servers if requested.  This allows servers,
102	   if requested by clients, to offload the work of contacting other servers
103	   to progress operations.

105	   Clients may also request that no referrals be returned, in which case
106	   the server must ensure that the operation is performed against the
107	   directory, or else return an error.  This is the default.

109	   Note that this protocol can be mapped to a strict subset of the
110	   X.500(1997) directory abstract service, so it can be cleanly provided
111	   by the DAP.  However there is not a one-to-one mapping between LDAP
112	   protocol operations and DAP operations: server implementations
113	   acting as a gateway to X.500 directories may need to make multiple DAP
114	   requests to perform extended operations.

116	3.2. Data Model

118	   This section provides a brief introduction to the X.500 data model, as
119	   used by LDAP.

121	   The LDAP protocol assumes there are one or more servers which jointly
122	   provide access to a Directory Information Tree.  The tree is made up of
123	   entries.  Entries have names: one or more values from the entry itself
124	   form its relative distinguished name, which must be unique among all
125	   its siblings.  The concatenation of the relative distinguished names
126	   of the line of entries from a particular entry to an immediate
127	   subordinate of the root of the tree forms that entry's Distinguished
128	   Name, which is unique in the tree.  An example of a Distinguished Name is

130	   CN=Steve Kille, O=ISODE Consortium, C=GB

132	   Entries consist of a set of attributes.  An attribute is a type with
133	   one or more associated values.  The attribute type, identified by a
134	   short descriptive name and an OID (object identifier), governs the
135	   maximum number of values permissible for an attribute of that type
136	   in an entry, the syntax to which the values must conform, the types
137	   of matching which can be performed on values of that attribute, and
138	   other functions.

140	   An example of an attribute is "mail". There may be one or more values
141	   of this attribute, they must be IA5 strings, and they are case
142	   insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").

144	   Some servers may hold cache or shadow copies of entries, which can be
145	   used to answer search and comparison queries, but will return referrals
146	   or contact other servers if modification operations are requested.

148	3.2.1 Attributes of Entries

150	   Each entry must have an objectClass attribute.  The objectClass
151	   attribute specifies the object classes of an entry, which along with
152	   the system and user schema determine the permitted attributes of an entry.
153	   Values of this attribute may be modified by clients, but the objectClass
154	   attribute cannot be removed.  Servers may restrict the modifications of
155	   this attribute to  prevent the basic structural class of the entry from
156	   being changed (e.g. one cannot change a person into a country).

158	   Servers should not permit clients to add attributes to an entry unless
159	   those attributes are permitted by the object class definitions, the user
160	   schema controlling that entry (specified in the subschema subentry), or
161	   are operational attributes known to that server and used for
162	   administrative purposes.  Note that there is a particular objectClass
163	   'extensibleObject' defined in [5] which permits all user attributes.

165	   Entries may contain, among others, the following operational attributes,
166	   defined in [5], which if present should not be modifiable by clients:

168	   - creatorsName: the Distinguished Name of the user who added this entry
169	     to the directory.
170	   - createTimestamp: the time this entry was added to the directory.
171	   - modifiersName: the Distinguished Name of the user who last modified
172	     this entry.
173	   - modifyTimestamp: the time this entry was last modified.

175	   - subschemaSubentry:  the Distinguished Name of the subschema subentry
176	     which controls the schema for this entry.
177	   - entryName: the Distinguished Name of the entry.

179	   Servers may implement other operational attributes.  Servers which
180	   also make use of X.500(1993) protocols should provide support
181	   for the attributes defined in X.501, including administrativeRole and
182	   dseType.  Some servers may permit the retrieval of subschema attributes
183	   directly from user entries.

185	3.2.2 Subschema Subentry

187	   A server may provide access to one or more subschema subentries to
188	   permit clients to interrogate the schema which is in force for entries
189	   in the directory.

191	   A server which masters entries and permits clients to modify these
192	   entries must implement and provide access to these subschema subentries,
193	   so that its clients may discover the attributes and object classes which
194	   are permitted to be present. It is strongly recommended that all other
195	   servers implement subschema subentries as well.

197	   The following four attributes, defined in [6] with string representations
198	   in [5], must be present in all subschema subentries:

200	   - CN: this attribute should be used to form the RDN of the subschema
201	     subentry.
202	   - objectClass: the attribute should have at least the values "top" and
203	     "subschema".
204	   - objectClasses: each value of this attribute specifies an object class
205	     known to the server.
206	   - attributeTypes: each value of this attribute specifies an attribute
207	     type known to the server.

209	   Other operational attributes may be present in subschema subentries,
210	   in particular dseType, subtreeSpecification, ditStructureRules, nameForms,
211	   ditContentRules, matchingRules, matchingRuleUse, createTimestamp,
212	   creatorsName, modifyTimestamp, modifiersName, entryName, as described in
213	   [6].

215	   Clients must only retrieve these attributes from a subentry by requesting
216	   them by name in a baseObject search of the subentry.

218	3.3. Relationship to X.500

220	   This document defines LDAP in terms of X.500 as an X.500 access
221	   mechanism.  An LDAP server should act in accordance with the
222	   X.500(1993) series of ITU Recommendations when providing the service.
223	   However, it is not required that an LDAP server make use of any X.500
224	   protocols in providing this service, e.g. LDAP can be mapped onto any
225	   other directory system so long as the X.500 data and service model as
226	   used in LDAP is not violated in the LDAP interface.

228	3.4. Server-specific Data Requirements

230	   An LDAP server must provide information about itself and other
231	   information that is specific to each server.  This is represented as a
232	   number of attributes located in the root DSE (DSA-Specific Entry),
233	   which is named with the zero-length LDAPDN.  These attributes
234	   should be retrievable if a client performs a base object search of the
235	   root, however they are subject to access control restrictions.
236	   They should not be included if the client performs a subtree search
237	   starting from the root.  The server may, but need not, allow the client to
238	   modify these attributes.

240	   The following attributes of the root DSE are defined in section 5.1.3 of
241	   [5].  Additional attributes may be defined in later documents.

243	   - administratorAddress: a URL containing address of administrator.
244	   - currentTime: the current time.
245	   - serverName: the Distinguished Name of the server.
246	   - certificationPath: the server's certificate path.
247	   - namingContexts: naming contexts held in the server.
248	   - subschemaSubentry: subschema subentries known by this server.
249	   - altServer: alternative servers in case this one is later unavailable.
250	   - supportedExtension: list of supported extensions.

252	   If the server does not master or shadow entries and does not know the
253	   locations of schema information, the subschemaSubentry attribute should
254	   not be present in the root DSE.  If the server holds master or shadow
255	   copies of directory entries under one or more schema rules, there may be
256	   any number of values of the subschemaSubentry attribute in the root DSE.

258	4.  Elements of Protocol

260	   The LDAP protocol is described using Abstract Syntax Notation 1 [3]. It
261	   is typically transferred using a subset of the Basic Encoding Rules.
262	   In order to support future extensions to this protocol, clients and
263	   servers should ignore elements of SEQUENCEs whose tags they do not
264	   recognize.

266	   Note that unlike X.500, each change to the LDAP protocol other than through
267	   the extension mechanisms will have a different version number.  A client
268	   may indicate the version it supports as part of the bind request,
269	   described in section 4.1.2.  If a client has not sent a bind, the server
270	   should assume that version 3 is supported in the client (since version 2
271	   required that the client bind first).

273	4.1. Common Elements

275	   This section describes the LDAPMessage envelope PDU format, as well as
276	   data type definitions which are used in the protocol operations.

278	4.1.1. Message Envelope

280	   For the purposes of protocol exchanges, all protocol operations are
281	   encapsulated in a common envelope, the LDAPMessage, which is defined
282	   as follows:

284	        LDAPMessage ::= SEQUENCE {
285	                messageID       MessageID,
286	                cldapUserName   LDAPDN OPTIONAL,
287	                protocolOp      CHOICE {
288	                        bindRequest     BindRequest,
289	                        bindResponse    BindResponse,
290	                        unbindRequest   UnbindRequest,
291	                        searchRequest   SearchRequest,
292	                        searchResEntry  SearchResultEntry,
293	                        searchResDone   SearchResultDone,
294	                        searchResRef    SearchResultReference,
295	                        searchResFull   SearchResultFull,
296	                        modifyRequest   ModifyRequest,
297	                        modifyResponse  ModifyResponse,
298	                        addRequest      AddRequest,
299	                        addResponse     AddResponse,
300	                        delRequest      DelRequest,
301	                        delResponse     DelResponse,
302	                        modDNRequest    ModifyDNRequest,
303	                        modDNResponse   ModifyDNResponse,
304	                        compareRequest  CompareRequest,
305	                        compareResponse CompareResponse,
306	                        abandonRequest  AbandonRequest,
307	                        sessionRequest  SessionRequest,
308	                        sessionResponse SessionResponse,
309	                        resumeRequest   ResumeRequest,
310	                        resumeError     ResumeError,
311	                        extendedReq     ExtendedRequest,
312	                        extendedResp    ExtendedResponse } }

314	        MessageID ::= INTEGER (0 .. maxInt)

316	        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

318	   The function of the LDAPMessage is to provide an envelope containing
319	   common fields required in all protocol exchanges. At this time the
320	   only common fields are the message ID and cldapUserName.

322	   The message ID value must be echoed in all LDAPMessage envelopes
323	   encapsulating responses corresponding to the request contained in
324	   the LDAPMessage in which the message ID value was originally used.

326	   The message ID is required to have a value different from the values of
327	   any other requests outstanding in the LDAP session of which this
328	   message is a part.  A client must not send a second request with the same
329	   message ID as another request if the first request is outstanding.
330	   If it does so, the behavior is undefined.  Typically a client will
331	   increment a counter for each request.

333	   For all requests except for a search with a pageSizeLimit, the message ID
334	   is outstanding until the client receives the final response for that
335	   operation.

337	   For searchRequest with a pageSize limit, if the client did not receive a
338	   SearchResultDone for that search indicating all results were received,
339	   the message ID is outstanding until after the operation is abandoned.

341	   A client must not reuse the message id of an abandonRequest or the
342	   abandoned operation until it has received a response from the server for
343	   another request invoked subsequent to the abandonRequest, as the
344	   abandonRequest itself does not have a response.

346	   The cldapUserName identifies the requesting user for this message. It
347	   is only present for backwards compatability with RFC 1798, if this
348	   LDAPMessage is carried in a connectionless transport protocol, such as UDP.
349	   Its significance is equivalent to a bind with a zero-length password.
350	   When the LDAP session is carried in a connection-oriented transport
351	   protocol this field must be absent.  LDAPv3 client implementors should not
352	   use this field in connectionless requests, but instead concatenate a bind
353	   request with the other operations in the request.  Concatenation and
354	   connectionless transport are described in section 5.1.3.

356	4.1.2. String Types

358	   The LDAPString is a notational convenience to indicate that, although
359	   strings of LDAPString type encode as OCTET STRING types, the Unicode
360	   [15] character set is used, encoded following the UTF-8 algorithm [16].
361	   Note that in the UTF-8 algorithm, characters which are the same as
362	   ASCII (0000 through 007F) are represented as that same ASCII character
363	   in a single byte.  The other byte values are used to form a variable-
364	   length encoding of an arbitrary Unicode character.

366	        LDAPString ::= OCTET STRING

368	   The LDAPOID is a notational convenience to indicate that the permitted
369	   value of this string is a dotted-decimal representation of an OBJECT
370	   IDENTIFIER.

372	        LDAPOID ::= OCTET STRING

374	   For example,
375	        1.3.6.1.4.1.1466.1.2.3

377	4.1.3. Distinguished Name and Relative Distinguished Name

379	   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
380	   representation of a Distinguished Name and a Relative Distinguished
381	   Name after encoding according to the specification in [4], such that

383	        <distinguished-name> ::= <name>

385	        <relative-distinguished-name> ::= <name-component>

387	   where <name> and <name-component> are as defined in [4].

389	        LDAPDN ::= LDAPString

391	        RelativeLDAPDN ::= LDAPString

393	4.1.4. Attribute Type and Description

395	   An AttributeType takes on as its value the textual string associated
396	   with that AttributeType in its specification.  This string must begin
397	   with a letter, and only contain ASCII letters and digit characters.
398	   If this string is not known, the AttributeType should take the ASCII
399	   representation of its OBJECT IDENTIFIER, as decimal digits with
400	   components separated by periods, e.g., "2.5.4.10". The attribute type
401	   strings which are used in this version of LDAP are described in [5].

403	        AttributeType ::= LDAPString

405	   An AttributeDescription is a superset of the definition of the
406	   AttributeType.  It has the same ASN.1 definition, but allows additional
407	   options to be specified.

409	        AttributeDescription ::= LDAPString

411	   A value of AttributeDescription is based on the following BNF:

413	        <AttributeDescription> ::= <AttributeType> [ ";" <options> ]

415	        <options> ::= <option> | <option> ";" <options>

417	        <option> ::= <language-option> | <binary-option>

419	        <language-option> ::= "lang=" <lang-code>

421	        <lang-code> ::= <printable-ascii>  -- as defined in [17]

423	        <binary-option> ::= "binary"

425	   If the "binary" option is present, this overrides any string-based
426	   encoding representation defined for that attribute in [5].  Instead the
427	   attribute is to be transferred as a DER-encoded binary value [11].

429	   If the "lang=" option is present, this associates a natural language
430	   with values for that attribute.  The binary and language tags may both
431	   be present in an AttributeDescription.  The format and use of language
432	   tags in LDAP is defined in [17].  (The language tag has no effect on the
433	   character set encoding for string representations of DirectoryString
434	   syntax values; UTF-8 is always used).

436	   Examples of valid AttributeDescription:

438	        CN
439	        givenName;lang=en-US
440	        CN;lang=ja-JP-kanji
441	        CN;lang=ja-JP-roman
442	        userCertificate;binary
443	        1.3.6.1.4.1.1466.99.98.97;binary

445	   The data type "AttributeDescriptionList" describes a list of 0 or more
446	   attribute types.  (A list of zero elements has special significance in
447	   the Search request.)

449	        AttributeDescriptionList ::= SEQUENCE OF
450	                AttributeDescription

452	4.1.5. Attribute Value

454	   A field of type AttributeValue takes on as its value either an octet string
455	   encoding of a AttributeValue data type, or an OCTET STRING containing
456	   a DER-encoded binary value, depending on whether the "binary" option is
457	   present in the companion AttributeDescription to this AttributeValue.

459	   The definition of string encodings for different syntaxes and types may
460	   be found in companions to this document, in particular [5].

462	        AttributeValue ::= OCTET STRING

464	   Note that there is no defined limit on the size of this encoding; thus
465	   PDUs including multi-megabyte attributes (e.g. photographs) may be
466	   returned. If the client has limited memory or storage capabilities it
467	   may wish to set the attrSizeLimit session control before invoking a
468	   search operation.

470	   Clients and server implementors should be aware that attributes whose
471	   type names they do not recognize may have an arbitrary and non-printable
472	   syntax.  Implementations should not either simply display or attempt to
473	   decode as DER a value if its syntax is not known.  The implementation
474	   may attempt to discover the subschema subentry and retrieve the value of
475	   attributeTypes from it.

477	4.1.6. Attribute Value Assertion

479	   The AttributeValueAssertion type definition is similar to the one in
480	   the X.500 directory standards.  It contains an attribute description
481	   and a equality matching assertion suitable for that type.

483	        AttributeValueAssertion ::= SEQUENCE {
484	                attributeDesc   AttributeDescription,
485	                assertionValue  AssertionValue }

487	        AssertionValue ::= OCTET STRING

489	   If the "binary" option is present in attributeDesc, this signals to the
490	   server that the assertionValue is a binary DER encoding of the assertion
491	   value.

493	   For all the string-valued user attributes described in [5], the assertion
494	   value syntax is the same as the value syntax.  Note however that the
495	   assertion syntax may be different than the value syntax for operational
496	   attributes or for non-equality matching rules.

498	4.1.7. Attribute

500	   An attribute consists of a type and one or more values of that type.
501	   (Though attributes must have at least one value when stored, due to
502	   access control restrictions the set may be empty when transferred
503	   in protocol.  This is described in section 4.5.2, concerning the
504	   PartialAttributeList type.)

506	        Attribute ::= SEQUENCE {
507	                type    AttributeDescription,
508	                vals    SET OF AttributeValue }

510	4.1.8. Matching Rule Identifier

512	   An X.501(1993) Matching Rule is identified in the LDAP protocol by the
513	   ASCII representation of its OBJECT IDENTIFIER, either as one of the
514	   strings given in [5], or as decimal digits with components separated by
515	   periods, e.g. "caseIgnoreIA5Match" or "1.3.6.1.4.1.453.33.33".

517	        MatchingRuleId ::= LDAPString

519	4.1.9. Result Message

521	   The LDAPResult is the construct used in this protocol to return
522	   success or failure indications from servers to clients. In response
523	   to various requests, servers will return responses containing fields
524	   of type LDAPResult to indicate the final status of a protocol
525	   operation request.

527	        LDAPResult ::= SEQUENCE {
528	                resultCode      ENUMERATED {
529	                             success                      (0),
530	                             operationsError              (1),
531	                             protocolError                (2),
532	                             timeLimitExceeded            (3),
533	                             sizeLimitExceeded            (4),
534	                             compareFalse                 (5),
535	                             compareTrue                  (6),

537	                             authMethodNotSupported       (7),
538	                             strongAuthRequired           (8),
539	                                        -- 9 reserved --
540	                             referral                     (10),  -- new
541	                             adminLimitExceeded           (11),  -- new
542	                             unavailableCriticalExtension (12),  -- new
543	                                        -- 13-15 unused --
544	                             noSuchAttribute              (16),
545	                             undefinedAttributeType       (17),
546	                             inappropriateMatching        (18),
547	                             constraintViolation          (19),
548	                             attributeOrValueExists       (20),
549	                             invalidAttributeSyntax       (21),
550	                                        -- 22-31 unused --
551	                             noSuchObject                 (32),
552	                             aliasProblem                 (33),
553	                             invalidDNSyntax              (34),
554	                             -- 35 reserved for undefined isLeaf --
555	                             aliasDereferencingProblem    (36),
556	                                        -- 37-47 unused --
557	                             inappropriateAuthentication  (48),
558	                             invalidCredentials           (49),
559	                             insufficientAccessRights     (50),
560	                             busy                         (51),
561	                             unavailable                  (52),
562	                             unwillingToPerform           (53),
563	                             loopDetect                   (54),
564	                                        -- 55-63 unused --
565	                             namingViolation              (64),
566	                             objectClassViolation         (65),
567	                             notAllowedOnNonLeaf          (66),
568	                             notAllowedOnRDN              (67),
569	                             entryAlreadyExists           (68),
570	                             objectClassModsProhibited    (69),
571	                             resultsTooLarge              (70), -- cl only
572	                             affectsMultipleDSAs          (71), -- new
573	                                        -- 72-79 unused --
574	                             other                        (80) },
575	                             -- 81-90 reserved for APIs --
576	                matchedDN       LDAPDN,
577	                errorMessage    LDAPString,
578	                referral        [3] Referral OPTIONAL }

580	   The errorMessage field of this construct may, at the servers option,
581	   be used to return a string containing a textual, human-readable
582	   error diagnostic. As this error diagnostic is not standardized,
583	   implementations should not rely on the values returned.  If the server
584	   chooses not to return a textual diagnostic, the errorMessage field of
585	   the LDAPResult type should contain a zero length string.

587	   For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax
588	   and aliasDereferencingProblem, the matchedDN field is set to
589	   the name of the lowest entry (object or alias) in the DIT that was
590	   matched.  If no aliases were dereferenced while attempting to locate
591	   the entry, this will be a truncated form of the name provided.
592	   The matchedDN field should be set to a NULL DN (a zero length
593	   string) with all other result codes.

595	4.1.10. Referral

597	   The referral field is present in an LDAPResult if the
598	   LDAPResult.resultCode field value is referral, and absent with all other
599	   result codes.  It contains a reference to another server (or set of
600	   servers) which may be accessed via LDAP or other protocols.
601	   At least one LDAPURL must be present in the Reference.

603	        Referral ::= SEQUENCE OF LDAPURL

605	        LDAPURL ::= LDAPString  -- limited to characters permitted in URLs

607	   The client may contact any of the listed URLs [14] of servers to
608	   continue the request. Each server in the list must be capable of
609	   processing the operation and presenting a consistent view of the DIT to
610	   the client. (The mechanisms for how servers achieve this are outside
611	   the scope of this document.)

613	   URLs for servers implementing the LDAP protocol are written according
614	   to [9].  If an alias was dereferenced, the dn part of the URL should
615	   be present, with the new target object name.  If this is present,
616	   the client should use this name in its next request, otherwise it
617	   should use the same name as in the original request.  Some servers
618	   (e.g. participating in distributed indexing) may change the filter
619	   in a referral for a search operation.  If the filter part of the URL is
620	   present in an LDAPURL, the client should use this filter in its next
621	   request, otherwise it should use the same filter as it used for that
622	   search.

624	   Note that UTF-8 characters appearing in a DN or search filter may not
625	   be legal for URLs (e.g. spaces) and must be escaped using the % method
626	   in RFC 1738.

628	   Other kinds of URLs may be returned so long as the operation could be
629	   performed using that protocol, and the client has indicated (in a session
630	   control) that it could support that protocol.

632	   If the client has not indicated that it is capable of handling referrals,
633	   the server should attempt to progress the referral on behalf of the client.
634	   Only if it fails to do so may it return a referral, and the URLs in this
635	   referral must be of the LDAP form.

637	4.2.  Bind Operation

639	   The function of the Bind Operation is to allow authentication information
640	   to be exchanged between the client and server.

642	   The Bind Request is defined as follows:

644	        BindRequest ::= [APPLICATION 0] SEQUENCE {
645	                version                 INTEGER (1 .. 127),
646	                name                    LDAPDN,
647	                authentication          AuthenticationChoice }

649	        AuthenticationChoice ::= CHOICE {
650	                simple                  [0] OCTET STRING,
651	                                         -- 1 and 2 reserved
652	                sasl                    [3] SaslCredentials }

654	        SaslCredentials ::= SEQUENCE {
655	                mechanism               LDAPString,
656	                credentials             OCTET STRING }

658	   Parameters of the Bind Request are:

660	   - version: A version number indicating the version of the protocol to
661	     be used in this protocol session.  This document describes version
662	     3 of the LDAP protocol.  Note that there is no version negotiation,
663	     and the client should just set this parameter to the version it
664	     desires.  The client may request version 2, in which case the server
665	     must implement only the protocol as described in [2], and not
666	     return any v3-specific result codes or protocol fields.

668	   - name: The name of the directory object that the client wishes to
669	     bind as.  This field may take on a null value (a zero length
670	     string) for the purposes of anonymous binds, when authentication
671	     has been performed at a lower layer, or when using SASL credentials
672	     with a mechanism that includes the LDAPDN in the credentials.

674	   - authentication: information used to authenticate the name, if any,
675	     provided in the Bind Request.

677	   Upon receipt of a Bind Request, a protocol server will authenticate
678	   the requesting client, if necessary.  The server will then return a
679	   Bind Response to the client indicating the status of the authentication.

681	4.2.1. Sequencing of the Bind Request

683	   For some authentication mechanisms, it may be necessary for the client
684	   to invoke the BindRequest multiple times.  If at any stage the client
685	   wishes to abort the bind process it should drop the underlying
686	   connection.  Clients must not invoke operations between two Bind requests
687	   made as part of a multi-stage bind.

689	   Unlike LDAP v2, the client need not send a Bind Request in the first
690	   PDU of the connection.  The client may request any operations and the
691	   server should treat these as unauthenticated (or authentication may have
692	   already occured at a lower layer).  If the server requires that the
693	   client bind first, the server should reject any request other than
694	   binding or unbinding with the "operationsError" result. If the
695	   client did not bind before sending a request and receives an
696	   operationsError, it should close the connection, reopen it and begin
697	   again by first sending a PDU with a Bind Request.  This will aid in
698	   interoperating with LDAPv2 servers.

700	   Clients may send multiple bind requests on an association to change
701	   their credentials. A subsequent bind process has the effect of abandoning
702	   all search, compare and resume operations outstanding.
703	   Authentication or controls from earlier binds are subsequently ignored, and
704	   so if the bind fails, the connection will be treated as anonymous.
705	   Clients should resend their session controls if needed after rebinding,
706	   as session controls may be reset to defaults by servers.

708	4.2.2 Authentication and Other Security Services

710	   The simple authentication option provides minimal authentication
711	   facilities, with the contents of the authentication field consisting
712	   only of a cleartext password.  Note that the use of cleartext passwords
713	   is not recommended over open networks when there is no authentication or
714	   encryption being performed by a lower layer; see the "Security
715	   Considerations section".

717	   If no authentication is to be performed, or has been performed at a
718	   lower layer, then the simple authentication option should be chosen,
719	   and the password be of zero length.  (This is often done by LDAPv2
720	   clients.)

722	   The sasl choice allows for any mechanism defined for use with SASL [18]
723	   or listed in Appendix B to be used.  The mechanism field contains the
724	   name of the mechanism.  The credentials field contains the arbitrary data
725	   used for authentication, inside an OCTET STRING wrapper.  Note that unlike
726	   some Internet application protocols where SASL is used, LDAP is not
727	   text-based, thus no base64 transformations are performed on the credentials.

729	   If any SASL-based integrity or confidentiality services are enabled, they
730	   take effect following the transmission by the server and reception by
731	   the client of the final BindResponse with resultCode success.

733	4.2.3. Bind Response

735	   The Bind Response is defined as follows.

737	        BindResponse ::= [APPLICATION 1] SEQUENCE {
738	             COMPONENTS OF LDAPResult,
739	             supportedVersion   [5] INTEGER (1..127) OPTIONAL,
740	             serverURL          [6] LDAPURL OPTIONAL,
741	             serverCreds        [7] AuthenticationChoice OPTIONAL }

743	   A BindResponse consists simply of an indication from the server of
744	   the status of the client's request for authentication.

746	   If the bind was successful, the resultCode will be success,
747	   otherwise it will be one of:

749	                operationsError
750	                protocolError
751	                authMethodNotSupported
752	                strongAuthRequired
753	                referral
754	                inappropriateAuthentication
755	                invalidCredentials
756	                unavailable
757	                unavailableCriticalExtension

759	   If the client receives a BindResponse response where the resultCode was
760	   protocolError and the supportedVersion field is absent, it should close
761	   the connection as the server will be unwilling to accept further
762	   operations.  (This is for compatability with earlier versions of LDAP.)

764	   The serverURL contains the URL of this LDAP server, if it wishes to
765	   provide an "authoritative" URL for itself.  Typically this will be a
766	   URL of the "ldap:" type, indicating the official host name, and the
767	   name part of the URL will contain the encoded name of the server itself.
768	   The serverCreds are used as part of a SASL-defined bind mechanism; to
769	   allow the client to authenticate the server to which it is communicating,
770	   or to perform "challenge-response" authentication.  If the client
771	   bound with the password choice, or the SASL mechanism does not require
772	   the server to return information to the client, then this field is not
773	   to be included in the result.

775	   The supportedVersion field contains the minimum of the version supplied
776	   by the client in the BindRequest and the highest version of LDAP supported
777	   in the server.  If the client and server both implement the protocol
778	   described in this document it will have the value 3.  This field
779	   should be absent when responding to a version 2 or earlier client.

781	4.3.  Unbind Operation

783	   The function of the Unbind Operation is to terminate a protocol
784	   session.  The Unbind Operation is defined as follows:

786	        UnbindRequest ::= [APPLICATION 2] NULL

788	   The Unbind Operation has no response defined. Upon transmission of an
789	   UnbindRequest, a protocol client may assume that the protocol session
790	   is terminated. Upon receipt of an UnbindRequest, a protocol server
791	   may assume that the requesting client has terminated the session and
792	   that all outstanding requests may be discarded, and may close the
793	   connection.  All session controls will be forgotten and search result
794	   caches will be cleared when a connection closes.

796	4.4.  Session Control Operation

798	        SessionRequest ::= [APPLICATION 17] Controls

800	        SessionResponse ::= [APPLICATION 18] SEQUENCE {
801	                COMPONENTS OF LDAPResult,
802	                unsupportedCtls         [12] SEQUENCE OF LDAPString }

804	        Controls ::= SEQUENCE OF SEQUENCE {
805	                controlType             LDAPString,
806	                criticality             BOOLEAN DEFAULT FALSE,
807	                controlValue            OCTET STRING }

809	   Session Controls are requests made by the client which affect its
810	   interaction with the server. Controls are not saved after a session
811	   unbinds or disconnects abruptly, and do not affect other sessions to
812	   this or other servers. Session controls do not affect operations which
813	   have already been requested on this connection, e.g. if the client sends
814	   a search request and subsequently sends a sessionControlRequest while the
815	   server is in the middle of sending responses, the session controls which
816	   were in force when the search operation began should continue to apply
817	   for all the results of that search.

819	   Session controls are not cumulative, and a session request will
820	   override all session controls which were set by a previous request.
821	   If a control was set on a previous request and was not mentioned in
822	   a subsequent request, it will be reset by the server to its default
823	   value.  (This permits session controls, such as supportedProtocol, to
824	   have multiple values.)

826	   If the server is not capable of setting one or more requested controls,
827	   it should set as many as possible.  If any of the controls which the
828	   server could not set are marked as critical, it should return the
829	   unavailableCriticalExtension error.

831	   The controlType field must either be a string defined in this section,
832	   or a dotted-decimal representation of an OBJECT IDENTIFIER.  This will
833	   aid in preventing conflicts between privately-defined control extensions.
834	   String names are case insensitive.

836	   The following controls have been defined:
837	       - attrSizeLimit
838	       - dontUseCopy
839	       - usePartialCopy
840	       - referringServer
841	       - chainingProhibited
842	       - supportedProtocol
843	       - useAliasOnUpdate
844	       - manageDsaIT
845	       - preferredLanguage

847	   The attrSizeLimit control may be critical or non-critical at the client's
848	   request.  The value field contains either an empty string, implying no
849	   limit, or a string representation of a positive integer, e.g. "10000".
850	   The default if this control is not present is that there is no limit.
851	   The attrSizeLimit number is a size in bytes of the largest encoded value
852	   which the client is capable of processing.  Servers should not return
853	   attribute values in a search response which are larger than this size.
854	   (If attribute values are excluded because of this control, the
855	   incompleteEntry field should be set to TRUE in the SearchResultEntry).

857	   The dontUseCopy control may be critical or non-critical at the client's
858	   request.  The value field contains either "TRUE" or "FALSE".  To aid
859	   interoperability with LDAPv2 clients, the default if this control is
860	   not set is "FALSE".  This control only affects the Search and Compare
861	   operations.

863	   The usePartialCopy control may be critical or non-critical at the client's
864	   request.  The value field contains either "TRUE" or "FALSE".  To aid
865	   interoperability with LDAPv2 clients, the default if this control is
866	   not set is "FALSE".  This control only affects the Search and Compare
867	   operations when dontUseCopy is "FALSE".  If present and set to "TRUE",
868	   then if a contacted server holds at least one requested attribute or
869	   at least one subtype of a requested attribute type in an entry, that
870	   entry may be used to satisfy the request, even if not all the requested
871	   attributes are in the shadowed copy.  If FALSE the server must not
872	   return attributes from a shadow copy of an entry unless none of the
873	   requested attributes were excluded from the shadow copy.  (How servers
874	   replicate information and configure shadowing is outside the scope of
875	   this specification.)

877	   The referringServer control is always non-critical.  The value field
878	   contains the URL of another server which referred an operation to this
879	   server.  This control should only be present if the connection is being
880	   made only to process a referral.  If the connection will be held open to
881	   handle referrals from multiple servers this control should be omitted.
882	   There is no protocol effect of this control; it is used to assist in
883	   tracing knowledge inconsistencies in the distributed directory.

885	   The chainingProhibited control may be critical or non-critical at the
886	   client's request.  The value should be either "TRUE" or "FALSE".  To aid
887	   interoperability with LDAPv2 clients, the default if this control is not
888	   set is "FALSE".  If this control is present and set to "TRUE", the
889	   server should not contact any other servers as part of processing
890	   operations requested by this client, if it would be possible to instead
891	   return to the client a referral.   If the server is a gateway to X.500,
892	   and DAP is not a supported client referral protocol (see next paragraph),
893	   the server should set the chainingProhibited service control on any DAP
894	   or DSP requests it makes.

896	   The supportedProtocol control is always non-critical.  The field is
897	   a string name of a protocol which the client implements.  The name of
898	   the protocol may be "ldap", "cldap", "dap", any IANA-assigned protocol
899	   name or URL mechanism, or "*" to indicate that any type of referral may
900	   be returned.  If this control is present, a server should return a
901	   referral, rather than itself chain to another server using one of the
902	   indicated protocol.  This control may be present multiple times in a
903	   session control if the client wishes to name multiple protocols it
904	   supports.

906	   If the supportedProtocol control is absent and the server is capable of
907	   contacting other servers, then it should return not return results with
908	   referrals, as described in 4.1.10, or SearchResultContinuation, as
909	   described in 4.5.3.  If however the server is not capable of contacting
910	   other servers, it may return a referral or continuation containing a URL
911	   of type "LDAP".

913	   It is recommended that clients, as a minimum, support LDAP referrals,
914	   and set the supportedProtocol control to be "ldap".

916	   The useAliasOnUpdate control may be critical or non-critical at the
917	   client's request.  The value should be either "TRUE" or "FALSE".  To
918	   aid interoperability with LDAPv2 clients, the default if this control
919	   is not set is "FALSE".  If present and set to TRUE, the server should
920	   permit alias names to be used as components of a Distinguished Name in
921	   Add, Modify and Delete operations.  If the server is a gateway to X.500,
922	   it should set the useAliasOnUpdate critical extension on any DAP/DSP
923	   AddEntry, ModifyEntry and RemoveEntry requests it makes if this
924	   control is "TRUE".

926	   The manageDsaIT control is always critical.  The value should be either
927	   "TRUE" or "FALSE".  The default, if this control is not set, is "FALSE".
928	   This control affects the name resolution behavior of the server to
929	   permit a manager to read and modify knowledge references and other
930	   X.500 server-specific attributes.  If the server is a gateway to
931	   X.500, it should set the manageDsaIT critical extension, as well as the
932	   appropriate common arguments, on any DAP/DSP requests it makes, based on
933	   this control.

935	   The preferredLanguage control is always non-critical.  The use of this
936	   control and its impact on the directory is defined in [17].  The default
937	   if this control is not set, is that there is no preferred language.

939	4.5.  Search Operation

941	   The Search Operation allows a client to request that a search be
942	   performed on its behalf by a server.

944	4.5.1. Search Request

946	   The Search Request is defined as follows:

948	        SearchRequest ::= [APPLICATION 3] SEQUENCE {
949	                baseObject      LDAPDN,
950	                scope           ENUMERATED {
951	                        baseObject              (0),
952	                        singleLevel             (1),
953	                        wholeSubtree            (2) },
954	                derefAliases    ENUMERATED {
955	                        neverDerefAliases       (0),
956	                        derefInSearching        (1),
957	                        derefFindingBaseObj     (2),
958	                        derefAlways             (3) },
959	                sizeLimit       INTEGER (0 .. maxInt),
960	                timeLimit       INTEGER (0 .. maxInt),
961	                typesOnly       BOOLEAN,
962	                filter          Filter,
963	                attributes      AttributeDescriptionList,
964	                pageSizeLimit   [0] INTEGER OPTIONAL,
965	                sortKeys        [1] SortKeyList OPTIONAL }

967	        SortKeyList ::= SEQUENCE OF SEQUENCE {
968	                attributeType   AttributeType,
969	                orderingRule    [0] MatchingRuleId OPTIONAL,
970	                reverseOrder    [1] BOOLEAN DEFAULT FALSE }

972	        Filter ::= CHOICE {
973	                and             [0] SET OF Filter,
974	                or              [1] SET OF Filter,
975	                not             [2] Filter,
976	                equalityMatch   [3] AttributeValueAssertion,
977	                substrings      [4] SubstringFilter,
978	                greaterOrEqual  [5] AttributeValueAssertion,
979	                lessOrEqual     [6] AttributeValueAssertion,
980	                present         [7] AttributeType,
981	                approxMatch     [8] AttributeValueAssertion,
982	                extensibleMatch [9] MatchingRuleAssertion }

984	        SubstringFilter ::= SEQUENCE {
985	                type            AttributeDescription,
986	                -- at least one must be present
987	                substrings      SEQUENCE OF CHOICE {
988	                        initial [0] LDAPString,
989	                        any     [1] LDAPString,
990	                        final   [2] LDAPString } }

992	        MatchingRuleAssertion ::= SEQUENCE {
993	                matchingRule    [1] MatchingRuleId OPTIONAL,
994	                type            [2] AttributeType OPTIONAL,
995	                matchValue      [3] AssertionValue,
996	                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

998	   Parameters of the Search Request are:

1000	   - baseObject: An LDAPDN that is the base object entry relative to
1001	     which the search is to be performed.

1003	   - scope: An indicator of the scope of the search to be performed. The
1004	     semantics of the possible values of this field are identical to the
1005	     semantics of the scope field in the X.511 Search Operation.

1007	   - derefAliases: An indicator as to how alias objects should be
1008	     handled in searching.  The semantics of the possible values of
1009	     this field are:

1011	             neverDerefAliases: do not dereference aliases in searching
1012	             or in locating the base object of the search;

1014	             derefInSearching: dereference aliases in subordinates of
1015	             the base object in searching, but not in locating the
1016	             base object of the search;

1018	             derefFindingBaseObject: dereference aliases in locating
1019	             the base object of the search, but not when searching
1020	             subordinates of the base object;

1022	             derefAlways: dereference aliases both in searching and in
1023	             locating the base object of the search.

1025	   - sizelimit: A sizelimit that restricts the maximum number of entries
1026	     to be returned as a result of the search. A value of 0 in this
1027	     field indicates that no sizelimit restrictions are in effect for
1028	     the search.

1030	   - timelimit: A timelimit that restricts the maximum time (in seconds)
1031	     allowed for a search. A value of 0 in this field indicates that no
1032	     timelimit restrictions are in effect for the search.

1034	   - typesOnly: An indicator as to whether search results should contain
1035	     both attribute types and values, or just attribute types.  Setting
1036	     this field to TRUE causes only attribute types (no values) to be
1037	     returned.  Setting this field to FALSE causes both attribute types
1038	     and values to be returned.

1040	   - filter: A filter that defines the conditions that must be fulfilled
1041	     in order for the search to match a given entry.  The 'and', 'or' and
1042	     'not' choices may be used to form boolean combinations of filters.  At
1043	     least one filter element must be present in an 'and' or 'or'
1044	     choice.  The others match against individual attribute values of
1045	     entries in the scope of the search.

1047	     The extensibleMatch is new in this version of LDAP.  If the
1048	     matchingRule field is absent, the type field must be present, and
1049	     the equality match is performed for that type.  If the type field is
1050	     absent and matchingRule is present, the matchValue is compared
1051	     against all attributes in an entry which support that matchingRule,
1052	     and the matchingRule determines the syntax for the assertion value.
1053	     If the type field is present and matchingRule is present, the
1054	     matchingRule must be one permitted for use with that type.
1055	     If the dnAttributes field is set to TRUE, the match is applied
1056	     against all the attributes in an entry's distinguished name as
1057	     well.  (Editors note: The dnAttributes field is present so that there
1058	     does not need to be multiple versions of generic matching rules such as
1059	     wordMatch, one to apply to entries and another to apply to entries and
1060	     dn attributes as well).

1062	   - attributes: A list of the attributes from each entry found as a
1063	     result of the search to be returned. An empty list signifies that
1064	     all user attributes from each entry found in the search are to be
1065	     returned, as does the special attribute description string "*". (the
1066	     latter technique allows the client to request all user attributes
1067	     along with selected operational attributes).  If the client does not
1068	     want any attributes returned, it can request only the attribute with
1069	     OID "1.1".  Attributes should be named at most once in the list, and
1070	     are returned at most once in an entry.

1072	     Client implementors should note that even if all user attributes are
1073	     requested, some attributes of the entry may not be included in search
1074	     results due to access control restrictions.  Furthermore, servers
1075	     will not return operational attributes, such as modifyRights or
1076	     attributeTypes, unless they are listed by name, since there may be
1077	     extremely large number of values for certain operational attributes.
1078	     (A list of operational attributes for use in LDAP is given in [5].)

1080	   - pageSizeLimit: if present, then if more entries are to be returned than
1081	     the pageSizeLimit, the server should return only as many as this limit
1082	     before returning the SearchResultDone response.  It must cache all of
1083	     the resulting entries from this search, at least until the next
1084	     (non-resume) operation is invoked.  The server may cache all the
1085	     results for as long as the lifetime of the association, although if
1086	     server resources are limited it may clear the cache after the next
1087	     (non-resume) operation is invoked.

1089	     If a pageSizeLimit was set and reached during the search, the client
1090	     will be able to request more of the entries using the ResumeRequest,
1091	     and the cached results can be cleared by the client sending the Abandon
1092	     operation for this search message id. If the same or fewer entries than
1093	     this limit are to be returned, the server should return all the entries
1094	     and the SearchResultDone response, and need not cache the result. The
1095	     pageSizeLimit does not affect SearchResultReference responses, of which
1096	     any number may be returned by the server.

1098	     If operating over connectionless data transport, the client must not
1099	     set this field.

1101	   - sortKeys: If this field is present, then it specifies one or more
1102	     attribute types and matching rules, and the returned entries should
1103	     be sorted in order based on these types.  If the reverseOrder field is
1104	     set to TRUE, then the entries will be presented in reverse sorted
1105	     order.

1107	     If the server does not recognize any of the attribute types, or the
1108	     ordering rule associated with an attribute type is not applicable, or
1109	     none of the attributes in the search responses are of these types,
1110	     then the sortKeys field is not used and result entries are returned
1111	     in random order.

1113	     If the server does not support sorting with the requested attributes
1114	     or matching rules, then it must return only protocolError (which is what
1115	     an LDAPv2 server would return), undefinedAttributeType or
1116	     inappropriateMatching and no searchResultEntry or
1117	     searchResultReference responses.

1119	   If the client includes the attribute type name 'modifyRights' in the
1120	   search request attribute type list when performing a baseObject search,
1121	   then the server should return the modifyRights attribute as part of
1122	   the response attributes for that entry.  The value of this attribute
1123	   is described in section 6.2.2.1 of [5], and corresponds to the X.511(93)
1124	   ModifyRights field of the ReadResponse.

1126	   Note that an X.500 "list"-like operation can be emulated by the client
1127	   requesting a one-level LDAP search operation with a filter checking for
1128	   the existence of the objectClass attribute, and that an X.500 "read"-like
1129	   operation can be emulated by a base object LDAP search operation with
1130	   the same filter.  A server which provides a gateway to X.500 is not
1131	   required to use the Read or List operations, although it may choose to
1132	   do so.

1134	   If the search filter includes an equality match of the objectClass
1135	   attribute and the value "subentry", then if the server is converting
1136	   to an X.500 protocol, the subentries service control should be set.

1138	4.5.2. Search Result

1140	   The results of the search attempted by the server upon receipt of a
1141	   Search Request are returned in Search Responses, which are LDAP
1142	   messages containing either SearchResultEntry, SearchResultReference,
1143	   SearchResultDone or SearchResultFull data types.

1145	        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
1146	                objectName      LDAPDN,
1147	                attributes      PartialAttributeList }

1149	        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
1150	                type    AttributeDescription,
1151	                vals    SET OF AttributeValue }
1152	        -- implementors should note that the PartialAttributeList may have
1153	        -- zero elements (if none of the attributes of that entry were
1154	        -- requested, or could be returned), and that the vals set may also
1155	        -- have zero elements (if types only was requested, or all the values
1156	        -- exceeded the attribute size limit or were excluded because of
1157	        -- access control).

1159	        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
1160	        -- at least one LDAPURL element must be present

1162	        SearchResultDone ::= [APPLICATION 5] SEQUENCE {
1163	           COMPONENTS OF LDAPResult,
1164	           totalCount [8] INTEGER OPTIONAL }

1166	        SearchResultFull ::= SEQUENCE OF CHOICE {
1167	                        entry           SearchResultEntry,
1168	                        reference       SearchResultReference,
1169	                        resultCode      SearchResultDone }

1171	   Upon receipt of a Search Request, a server will perform the necessary
1172	   search of the DIT.

1174	   If the LDAP session is operating over a connection-oriented transport
1175	   such as TCP, the server will return to the client a sequence of
1176	   responses in separate LDAP messages.  There may be zero or more
1177	   responses containing SearchResultEntry, one for each entry found
1178	   during the search.  There may also be zero or more responses
1179	   containing SearchResultReference, one for each area not explored by
1180	   this server during the search.  The SearchResultEntry and
1181	   SearchResultReferences may come in any order. Following all the
1182	   SearchResultReference responses and all SearchResultEntry responses up
1183	   to a pageSizeLimit (if any), the server will return a response containing
1184	   the SearchResultDone, which contains an indication of success, or
1185	   detailing any errors that have occurred.

1187	   If the LDAP session is operating over a connectionless transport such
1188	   as UDP, the server will return to the client only one response to the
1189	   search, an LDAPMessage containing a SearchResultFull data type.  All (if
1190	   any) but the last element of the SEQUENCE OF must be of the
1191	   SearchResultEntry or SearchResultReference types, and the last must be of
1192	   the SearchResultDone type.

1194	   The SearchResultFull is never returned over a connection-oriented
1195	   transport.

1197	   Each entry returned in a SearchResultEntry will contain all attributes,
1198	   complete with associated values if necessary, as specified in the
1199	   attributes field of the Search Request.  Return of attributes is subject
1200	   to access control and other administrative policy.  Some attributes may
1201	   be returned in DER-encoded binary format (indicated by the
1202	   AttributeDescription in the response having the binary option present),
1203	   or in a language-specific subtype (indicated by the AttributeDescription
1204	   in the response having the language option present).

1206	   The following are not strictly attributes of an entry (or a subentry),
1207	   but may appear in the result list if requested.

1209	    - entryName. This operational attribute is maintained by the server and
1210	      appears to be present in each entry.  The value of this attribute
1211	      is the distinguished name of the entry from which it is read.  It
1212	      is expected that the client would retrieve this attribute in binary.

1214	    - modifyRights. Each value is the encoding of an element of modifyRights.
1215	      The attribute is specific to the particular search operation and
1216	      the requestor, and must not be cached or replicated.'

1218	    - incompleteEntry.  This attribute's value is TRUE if one or more
1219	      attributes are not present in the PartialAttributeList, because their
1220	      size would have exceeded the attribute size limit, or if a partial
1221	      shadow copy of the entry was used to satisfy the request and some
1222	      requested attributes are not returned.  It is never set just because
1223	      typesOnly was set to TRUE, or because a requested attribute was not
1224	      present in the (master) entry.

1226	    - fromEntry.  The server may return this attribute's value as FALSE if it
1227	      is known that the search is based upon a shadow or cached copy of the
1228	      entry, and may return it as TRUE if the server masters the entry.

1230	   In a SearchResultEntry, as an encoding optimization, the value of the
1231	   objectName LDAP DN may use a trailing '*' character to refer to the
1232	   baseObject of the corresponding searchRequest.  For example, if the
1233	   baseObject is specified as "o=UofM, c=US", then the following
1234	   objectName LDAPDNs in a response would have the indicated meanings

1236	          objectName returned   actual LDAPDN denoted
1237	          ____________________________________________________
1238	          "*"                   "o=UofM, c=US"
1239	          "cn=Babs Jensen, *"   "cn=Babs Jensen, o=UofM, c=US"

1241	   If the pageSizeLimit field was present, the server must number the
1242	   entries which match the search, and must indicate the
1243	   total number of entries which match the search in the field totalCount
1244	   of the SearchResultDone. The total count would either be the same as
1245	   or greater than the number of SearchResultEntry responses returned at
1246	   this time.  If it is greater, then the server did not return all the
1247	   responses because the pageSizeLimit was reached, and the server must
1248	   cache all the resulting entries.  If it is the same, then the server did
1249	   not exceed the pageSizeLimit, and the server need not cache the responses.

1251	   When the search result exceeded the pageSizeLimit, all matching entries
1252	   are cached (including those for which SearchResultEntry was returned),
1253	   and the server must not clear the cache until an operation other than a
1254	   ResumeRequest for this search is received.

1256	4.5.3. Continuation References in the Search Result

1258	   If the server was able to locate the entry referred to by the
1259	   baseObject but was unable to search all the entries in the scope at
1260	   and under the baseObject, the server may return one or more
1261	   SearchResultReference, each containing a reference to another set of
1262	   servers for continuing the operation.  The server should return at most
1263	   one SearchResultReference for a new subordinate base object with a
1264	   particular scope and filter.  A server must not return a
1265	   SearchResultReference if it has not located the baseObject and
1266	   thus has not searched any entries; in this case it should return a
1267	   SearchResultDone containing a referral resultCode.

1269	   The SearchResultReference is of the same data type as the Referral.
1270	   A URL in a SearchResultReference may only be included if the client has
1271	   indicated (in the session controls) that it is able to handle that
1272	   protocol.  If the client has not indicated any protocols which the
1273	   server could use to return in a SearchResultReference, the server must
1274	   itself process the entire search.  If the server could not contact
1275	   all other servers, it may return one or more SearchResultReference for
1276	   unexplored subtrees, and must indicate also that only partial results were
1277	   returned by setting the resultCode in the SearchResultDone to be something
1278	   other than success, such as timeLimitExceeded.

1280	   URLs for servers implementing the LDAP protocol are written according
1281	   to [9].  The dn part must be present in the URL, with the new target
1282	   object name.  The client must use this name in its next request.
1283	   Some servers (e.g. participating in distributed indexing) may change
1284	   the filter.  If the filter part of the URL is present in an LDAP URL,
1285	   the client should use this filter in its next request, otherwise it
1286	   should use the same filter as it used for that search.

1288	   Other kinds of URLs may be returned so long as the operation could be
1289	   performed using that protocol, and the client has indicated (in a
1290	   session control) that it is able to handle that protocol.

1292	   The name of an unexplored subtree in a SearchResultReference need not be
1293	   subordinate to the base object if an alias was dereferenced, however it
1294	   should not be a prefix of the base object, otherwise the client will
1295	   loop.  (Client implementations must detect loops; see section 6.2.)

1297	   Note: the "X.500 Non-Specific Subordinate Reference" is not permitted in
1298	   LDAP.  Servers must not return multiple SearchResultReference for the same
1299	   subtree, and any one of (not all of) the servers listed in a
1300	   SearchResultReference may be contacted to perform the entire search in a
1301	   particular subtree.

1303	4.5.3.1 Example

1305	   For example, suppose the contacted server (hosta) holds the entry
1306	   "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW".  It knows that either
1307	   LDAP-capable servers (hostb) or (hostc) hold "OU=People,O=MNN,C=WW" (one
1308	   is the master and the other server a shadow), and that LDAP-capable
1309	   server (hostd) holds the subtree "OU=Roles,O=MNN,C=WW".  If a subtree
1310	   search of "O=MNN,C=WW" is requested to the contacted server in which
1311	   chainingProhibited is set and referrals are permitted, and the filter is
1312	   objectClass=*, the server may return the following responses:

1314	     SearchResultEntry for O=MNN,C=WW
1315	     SearchResultEntry for CN=Manager,O=MNN,C=WW
1316	     SearchResultReference {
1317	       ldap://hostb/OU=People,O=MNN,C=WW
1318	       ldap://hostc/OU=People,O=MNN,C=WW
1319	     }
1320	     SearchResultReference {
1321	       ldap://hostd/OU=Roles,O=MNN,C=WW
1322	     }
1323	     SearchResultDone (entries = 2)

1325	   Client implementors should note that when following a
1326	   SearchResultReference, additional SearchResultReference may be
1327	   generated.  Continuing the example, if the client contacted the
1328	   server (hostb) and issued the search for the subtree
1329	   "OU=People,O=MNN,C=WW", the server might respond as follows:

1331	     SearchResultEntry for OU=People,O=MNN,C=WW
1332	     SearchResultReference {
1333	      ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
1334	     }
1335	     SearchResultReference {
1336	      ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
1337	     }

1339	4.6.  Resume Search Operation

1341	   The Resume Search Operation is used in conjunction with a Search
1342	   operation which was previously issued on this association.

1344	        ResumeRequest ::= [APPLICATION 20] SEQUENCE {
1345	                searchRequestID         [0] MessageID,
1346	                startAtEntry            [1] INTEGER,
1347	                entriesToReturn         [2] INTEGER }

1349	   The SearchRequest must have been made with the pageSizeLimit
1350	   field present, and the server must not have returned all the results
1351	   at the time of the search, or indicated a resultCode in the
1352	   SearchResultDone other than success, timeLimitExceeded,
1353	   sizeLimitExceeded or adminLimitExcceded.

1355	   A Search which is still in progress (the final SearchResultDone has not
1356	   been returned) or has been abandoned cannot be resumed.

1358	   The searchRequestID field must contain the value of messageID which the
1359	   client used for the original search operation.

1361	   Entries in a result are always numbered starting from 1.

1363	   The startAtEntry number may be any number greater than 0, and the sum of
1364	   startAtEntry and entriesToReturn must not be greater than one plus the
1365	   value of totalCount returned by the server for this search.

1367	   The client may request that the server retransmit entries which it had
1368	   already sent as responses for the search, e.g. by setting startAtEntry
1369	   to "1" and entriesToReturn to be the same as totalCount, all the entries
1370	   will be transmitted.

1372	   The server will respond to the ResumeRequest with either a ResumeError,
1373	   or with a series of SearchResultEntry responses and a SearchResultDone
1374	   response.  The ResumeError is returned if the server detected a
1375	   problem with the ResumeRequest, such as an invalid searchRequestID, or if
1376	   the server has cleared the cache and cannot resume that search, or if
1377	   the Directory Information Tree has changed such that the search would no
1378	   longer return the same results. The SearchResultEntry and SearchResultDone
1379	   responses from a ResumeRequest have the Message ID of the ResumeRequest,
1380	   not of the original SearchRequest.

1382	   Any SearchResultReferences are returned at the the time of the original
1383	   search, and none returned by a resume operation.

1385	        ResumeError ::= [APPLICATION 21] LDAPResult

1387	   An example of using Resume is as follows:

1389	            CLIENT                              SERVER

1391	            1,SearchRequest (pageSizeLimit=2)
1392	                                  -->
1393	                                                (search matches 5 entries)
1394	                                                1,SearchResultEntry  (1 of 5)
1395	                                  <--
1396	                                                1,SearchResultEntry  (2 of 5)
1397	                                  <--
1398	                                                1,SearchResultDone (5)
1399	                                  <--

1401	            2,ResumeRequest (search id 1, startAtEntry 3, entriesToReturn 3)
1402	                                  -->
1403	                                                2,SearchResultEntry (3 of 5)
1404	                                  <--
1405	                                                2,SearchResultEntry (4 of 5)
1406	                                  <--
1407	                                                2,SearchResultEntry (5 of 5)
1408	                                  <--

1410	                                  <--           2,SearchResultDone (5)

1412	            3,AbandonRequest (id 1)
1413	                                  -->
1414	                                                (search cache cleared)

1416	4.7.  Modify Operation

1418	   The Modify Operation allows a client to request that a modification
1419	   of the DIB be performed on its behalf by a server.  The Modify
1420	   Request is defined as follows:

1422	        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
1423	                object          LDAPDN,
1424	                modification    SEQUENCE OF SEQUENCE {
1425	                        operation       ENUMERATED {
1426	                                                add     (0),
1427	                                                delete  (1),
1428	                                                replace (2) },
1429	                        modification    AttributeTypeAndValues } }

1431	        AttributeTypeAndValues ::= SEQUENCE {
1432	                type    AttributeDescription,
1433	                vals    SET OF AttributeValue }

1435	   Parameters of the Modify Request are:

1437	   - object: The object to be modified. The value of this field should
1438	     name the object to be modified.  The server will not perform any
1439	     alias dereferencing in determining the object to be modified unless
1440	     the useAliasOnUpdate session control is set to TRUE.

1442	   - A list of modifications to be performed on the entry to be modified.
1443	     The entire list of entry modifications should be performed
1444	     in the order they are listed, as a single atomic operation.  While
1445	     individual modifications may violate the directory schema, the
1446	     resulting entry after the entire list of modifications is performed
1447	     must conform to the requirements of the directory schema. The
1448	     values that may be taken on by the 'operation' field in each
1449	     modification construct have the following semantics respectively:

1451	             add: add values listed to the given attribute, creating
1452	             the attribute if necessary;

1454	             delete: delete values listed from the given attribute,
1455	             removing the entire attribute if no values are listed, or
1456	             if all current values of the attribute are listed for
1457	             deletion;

1459	             replace: replace all existing values of the given attribute
1460	             with the new values listed, creating the attribute if it
1461	             did not already exist.  A replace with no value should delete
1462	             the entire attribute.

1464	   The result of the modify attempted by the server upon receipt of a
1465	   Modify Request is returned in a Modify Response, defined as follows:

1467	        ModifyResponse ::= [APPLICATION 7] LDAPResult

1469	   Upon receipt of a Modify Request, a server will perform the necessary
1470	   modifications to the DIB.

1472	   The server will return to the client a single Modify Response
1473	   indicating either the successful completion of the DIB modification,
1474	   or the reason that the modification failed. Note that due to the
1475	   requirement for atomicity in applying the list of modifications in
1476	   the Modify Request, the client may expect that no modifications of
1477	   the DIB have been performed if the Modify Response received indicates
1478	   any sort of error, and that all requested modifications have been
1479	   performed if the Modify Response indicates successful completion of
1480	   the Modify Operation.  If the connection fails, whether the modification
1481	   occurred or not is indeterminate.

1483	   Note that due to the simplifications made in LDAP, there is not a direct
1484	   mapping of the modifications in an LDAP ModifyRequest onto the
1485	   EntryModifications of a a DAP ModifyEntry operation, and different
1486	   implementations of LDAP-DAP gateways may use different means of
1487	   representing the change.  The final effect of the operations on the
1488	   entry will be identical.

1490	4.8.  Add Operation

1492	   The Add Operation allows a client to request the addition of an entry
1493	   into the directory. The Add Request is defined as follows:

1495	        AddRequest ::= [APPLICATION 8] SEQUENCE {
1496	                entry           LDAPDN,
1497	                attributes      AttributeList }

1499	        AttributeList ::= SEQUENCE OF SEQUENCE {
1500	                type    AttributeDescription,
1501	                vals    SET OF AttributeValue }

1503	   Parameters of the Add Request are:

1505	   - entry: the Distinguished Name of the entry to be added. Note that
1506	     all components of the name except for the last RDN component must
1507	     exist for the add to succeed.  Note also that the server will not
1508	     dereference any aliases in locating the entry to be added (unless
1509	     the useAliasOnUpdate session control is TRUE), and that there are
1510	     never any entries subordinate to an alias entry.

1512	   - attributes: the list of attributes that make up the content of the
1513	     entry being added.  Clients must included distinguished values in
1514	     this list.

1516	   The result of the add attempted by the server upon receipt of a Add
1517	   Request is returned in the Add Response, defined as follows:

1519	        AddResponse ::= [APPLICATION 9] LDAPResult

1521	   Upon receipt of an Add Request, a server will attempt to perform the
1522	   add requested. The result of the add attempt will be returned to the
1523	   client in the Add Response.

1525	4.9.  Delete Operation

1527	   The Delete Operation allows a client to request the removal of an
1528	   entry from the directory. The Delete Request is defined as follows:

1530	        DelRequest ::= [APPLICATION 10] LDAPDN

1532	   The Delete Request consists of the Distinguished Name of the
1533	   entry to be deleted. Note that the server will not dereference aliases
1534	   while resolving the name of the target entry to be removed, unless
1535	   the useAliasOnUpdate session control is TRUE.

1537	   The result of the delete attempted by the server upon receipt of a
1538	   Delete Request is returned in the Delete Response, defined as follows:

1540	        DelResponse ::= [APPLICATION 11] LDAPResult

1542	   Upon receipt of a Delete Request, a server will attempt to perform
1543	   the entry removal requested. The result of the delete attempt will be
1544	   returned to the client in the Delete Response. Note that only leaf
1545	   objects (with no subordinates) may be deleted with this operation.

1547	4.10.  Modify DN Operation

1549	   The Modify DN Operation allows a client to change the last component
1550	   of the name of an entry in the directory, or to move a subtree of
1551	   entries to a new location in the directory.  The Modify DN Request is
1552	   defined as follows:

1554	        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
1555	                entry           LDAPDN,
1556	                newrdn          RelativeLDAPDN,
1557	                deleteoldrdn    BOOLEAN,
1558	                newSuperior     [0] LDAPDN OPTIONAL }

1560	   Parameters of the Modify DN Request are:

1562	   - entry: the name of the entry to be changed.

1564	   - newrdn: the RDN that will form the last component of the new name.

1566	   - deleteoldrdn: a boolean parameter that controls whether the old RDN
1567	     attribute values should be retained as attributes of the entry or
1568	     deleted from the entry.

1570	   - newSuperior: if present, this is the name of the entry which
1571	     becomes the immediate superior of the existing entry.

1573	   The result of the name change attempted by the server upon receipt of
1574	   a Modify DN Request is returned in the Modify DN Response, defined
1575	   as follows:

1577	        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

1579	   Upon receipt of a Modify RDN Request, a server will attempt to
1580	   perform the name change. The result of the name change attempt will
1581	   be returned to the client in the Modify DN Response. The attributes
1582	   that make up the old RDN are deleted from the entry, or kept,
1583	   depending on the setting of the deleteoldrdn parameter.

1585	   Note that X.500 restricts the ModifyDN operation to only affect entries
1586	   that are contained within a single server.  If the LDAP server is mapped
1587	   onto DAP, then this restriction will apply, and the resultCode
1588	   affectsMultipleDSAs will be returned.  In general clients should not
1589	   expect to be able to perform arbitrary movements of entries and subtrees.

1591	4.11.  Compare Operation

1593	   The Compare Operation allows a client to compare an assertion
1594	   provided with an entry in the directory. The Compare Request is
1595	   defined as follows:

1597	        CompareRequest ::= [APPLICATION 14] SEQUENCE {
1598	                entry           LDAPDN,
1599	                ava             AttributeValueAssertion }

1601	   Parameters of the Compare Request are:

1603	   - entry: the name of the entry to be compared with.

1605	   - ava: the assertion with which an attribute in the entry is to be
1606	     compared.

1608	   The result of the compare attempted by the server upon receipt of a
1609	   Compare Request is returned in the Compare Response, defined as
1610	   follows:

1612	        CompareResponse ::= [APPLICATION 15] SEQUENCE {
1613	           COMPONENTS OF LDAPResult,
1614	           matchedSubtype [9] AttributeType OPTIONAL }

1616	   When the resultCode is compareTrue the matchedSubtype field is
1617	   permitted to contain the type name of the attribute whose value
1618	   matched the ava in the Compare operation.  Servers which do not
1619	   implement attribute hierarchies will omit this element.

1621	   Upon receipt of a Compare Request, a server will attempt to perform
1622	   the requested comparison. The result of the comparison will be
1623	   returned to the client in the Compare Response. Note that errors and
1624	   the result of comparison are all returned in the same construct.

1626	   Note that some directory systems may establish access controls which
1627	   permit the values of certain attributes (such as userPassword) to be
1628	   compared but not read.  In a search result, it may be that an attribute
1629	   of that type would be returned, but with an empty set of values.

1631	4.12.  Abandon Operation

1633	   The function of the Abandon Operation is to allow a client to request
1634	   that the server abandon an outstanding operation.  The Abandon
1635	   Request is defined as follows:

1637	        AbandonRequest ::= [APPLICATION 16] MessageID

1639	   The MessageID must be that of a Search, Resume or Compare operation
1640	   which was requested earlier during this association.  Other types of
1641	   operations cannot be abandoned.

1643	   (The abandon request itself has its own message id.  This is distinct
1644	    from the id of the earlier operation being abandoned.)

1646	   There is no response defined in the Abandon Operation. Upon
1647	   transmission of an Abandon Operation, a client may expect that the
1648	   operation identified by the Message ID in the Abandon Request has
1649	   been abandoned. In the event that a server receives an Abandon
1650	   Request on a Search or Resume Operation in the midst of transmitting
1651	   responses to the search, that server should cease transmitting entry
1652	   responses to the abandoned request immediately. Of course, the server
1653	   must ensure that only properly encoded LDAPMessages are transmitted.

1655	   Clients must not send abandon requests for the same operation multiple
1656	   times.  Servers must discard abandon requests for message ids it does
1657	   not recognize, for operations which cannot be abandoned, and for
1658	   operations which have already been abandoned.

1660	   If the MessageID is for a Search operation in which pageSizeLimit was
1661	   set, the abandon will clear the results from the server's cache.
1662	   Abandoning a Resume operation does not clear the cache, it just stops
1663	   the server from sending responses.

1665	4.13.  Extended Operation

1667	   It may be desirable in some communities to define additional operations
1668	   for services not available in this protocol, for instance digitally
1669	   signed operations and results.  Thus an extension mechanism has been
1670	   added in this version of LDAP.

1672	   The extended operation allows clients to make requests and receive
1673	   responses with predefined syntaxes and semantics.  These may be
1674	   defined in RFCs or be private to particular implementations.  Each
1675	   operation should have a unique OBJECT IDENTIFIER assigned to it.

1677	        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
1678	                requestName      [0] LDAPOID,
1679	                requestValue     [1] OCTET STRING }

1681	   The requestName is a dotted-decimal representation of the
1682	   OBJECT IDENTIFIER corresponding to the request.
1683	   The requestValue is information in a form defined by that request,
1684	   encapsulated inside an OCTET STRING.

1686	   The server will respond to this with an LDAPMessage containing the
1687	   ExtendedResponse.

1689	        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
1690	                COMPONENTS OF LDAPResult,
1691	                responseName     [10] LDAPOID OPTIONAL,
1692	                response         [11] OCTET STRING OPTIONAL }

1694	   If the server does not recognize the operation name, it should return
1695	   only the standard response fields, containing the protocolError result
1696	   code.

1698	5.  Protocol Element Encodings and Transfer

1700	   For compatibility with the existing LDAP v2 and CLDAP protocols, four
1701	   underlying services are defined here.  However an LDAP server need not
1702	   implement all of them.

1704	5.1.  Mapping Onto BER-based Transport Services

1706	   This protocol is designed to run over connection-oriented, reliable
1707	   transports, with all 8 bits in an octet being significant in the data
1708	   stream.

1710	   The protocol elements of LDAP are encoded for exchange using the
1711	   Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
1712	   high overhead involved in using certain elements of the BER, the
1713	   following additional restrictions are placed on BER-encodings of LDAP
1714	   protocol elements:

1716	   (1) Only the definite form of length encoding will be used.

1718	   (2) BIT STRINGs and OCTET STRINGs will be encoded in the primitive form
1719	       only.

1721	   (3) If the value of a BOOLEAN type is true, the encoding should have
1722	       its contents octets set to hex "FF".

1724	   (4) If a value of a type is its default value, it should be absent.
1725	       Only some BOOLEAN and INTEGER types have default values in this
1726	       protocol definition.

1728	   These restrictions do not apply to ASN.1 types encapsulated inside of
1729	   OCTET STRINGs, such as attribute values, unless otherwise noted.

1731	5.1.1.  Transmission Control Protocol (TCP)

1733	   The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
1734	   Server implementations running over the TCP should provide a protocol
1735	   listener on port 389.

1737	5.1.2.  Connection Oriented Transport Service (COTS)

1739	   The connection is established.  No special use of T-Connect is made.
1740	   Each LDAPMessage PDU is mapped directly onto T-Data.

1742	5.1.3.  User Datagram Protocol (UDP)

1744	   The LDAPMessage PDUs are mapped directly onto UDP datagrams.  A datagram
1745	   may contain one or more concatenated requests.  Only one response datagram
1746	   is returned, containing all the responses concatenated together. The only
1747	   operations which the client may request are sessionRequest, searchRequest,
1748	   compareRequest and extendedReq.  The server may return sessionResponse,
1749	   searchResFull, compareResponse and extendedResp.  If any of the requests in
1750	   an incoming datagram generates an error (a result other than success,
1751	   compareTrue or compareFalse), the server should ignore any following
1752	   requests in that datagram.

1754	   Server implementations running over the UDP should provide a protocol
1755	   listener on port 389.

1757	5.1.4.  Secure Socket Layer over TCP (SSL)

1759	   LDAP is an application protocol which may be carried inside of an
1760	   Secure Sockets Layer connection [19]. After establishing the SSL
1761	   connection over TCP, the LDAPMessage PDUs are mapped directly onto
1762	   the bytestream.  Server implementations running over SSL/TCP should
1763	   provide a protocol listener on port 636.

1765	   Note: it is expected that future versions of this document may reference
1766	   an IETF specification for equivalent security services, should one
1767	   become available.

1769	6.  Implementation Guidelines

1771	6.1.  Server Implementations

1773	   The server should be capable of recognizing all the mandatory attribute
1774	   type names and implement the syntaxes specified in [5].  Servers may also
1775	   recognize additional attribute type names.

1777	6.2.  Client Implementations

1779	   For simple lookup applications using the connectionless transport
1780	   protocol UDP, use of a retry algorithm with multiple servers similar
1781	   to that commonly used in DNS stub resolver implementations is
1782	   recommended.  The location of a CLDAP server or servers may be better
1783	   specified using IP addresses (simple or broadcast) rather than names
1784	   that must first be looked up in another directory such as DNS.

1786	6.2.1. Loop Detection

1788	   Clients which request referrals should ensure that they do not loop
1789	   between servers. They must not progress a referral or reference in a
1790	   subtree search where the new name is a superior of the name requested.
1791	   They must not repeatedly contact the same server twice with the same
1792	   target entry name.   Some clients may be using a counter that is
1793	   incremented each time referral handling is handled for an operation,
1794	   and these kind of clients must be able to handle a DIT with up to ten
1795	   layers of naming contexts between the root and a leaf entry.

1797	7.  Security Considerations

1799	   When used with a connection-oriented transport, this version of the
1800	   protocol provides facilities for the LDAP v2 authentication mechanism,
1801	   simple authentication using a cleartext password, as well as any SASL
1802	   mechanism [18].

1804	   It is also permitted that the server can return its credentials to the
1805	   client, if it chooses to do so.

1807	   This document also defines a mapping of LDAP over the Secure Sockets
1808	   Layer (SSL), which can provide strong authentication, integrity and
1809	   privacy of the connection.

1811	   Use of cleartext password is strongly discouraged where the underlying
1812	   transport service cannot guarantee confidentiality.  A password hashing
1813	   mechanism is given in Appendix B.

1815	   When used with SASL, it should be noted that the name field of the
1816	   BindRequest is not protected against modification.  Thus if there is a
1817	   client name (LDAPDN) agreed through the negotiation of the credentials,
1818	   it must take precedence over any value in the unprotected name field.

1820	   When used with the connectionless transport, no security services are
1821	   available.  There has been some discussion about the desirability of
1822	   authentication with connectionless LDAP requests.  This might take the
1823	   form of a clear text password (which would go against the current IAB
1824	   drive to remove such things from protocols) or some arbitrary
1825	   credentials.  It is felt that, in general, authentication would incur
1826	   sufficient overhead to negate the advantages of the connectionless
1827	   basis of LDAP. If an application requires authenticated access to the
1828	   directory then connectionless LDAP is not an appropriate protocol.

1830	8.  Acknowledgements

1832	   This document is an update to RFC 1777, by Wengyik Yeong, Tim
1833	   Howes, and Steve Kille.  It also includes material from RFC 1798, by
1834	   Alan Young. Design ideas included in this document are based on those
1835	   discussed in ASID and other IETF Working Groups.  The contributions of
1836	   individuals in these working groups is gratefully acknowledged.

1838	9.  Bibliography

1840	   [1] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models and
1841	       Service",  1993.

1843	   [2] W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access
1844	       Protocol", RFC 1777, March 1995.

1846	   [3] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
1847	       Specification of Basic Notation", 1994.

1849	   [4] S. Kille, M. Wahl, "A UTF-8 String Representation of Distinguished
1850	       Names", INTERNET-DRAFT <draft-ietf-asid-ldapv3-dn-00.txt>.
1851	       August 1996.

1853	   [5] M. Wahl, A. Coulbeck, T. Howes, S. Kille, W. Yeong, C. Robbins,
1854	       "Lightweight X.500 Directory Access Protocol Standard and Pilot
1855	       Attribute Definitions", INTERNET-DRAFT
1856	       <draft-ietf-asid-ldapv3-attributes-02.txt>, August 1996.

1858	   [6] ITU-T Rec. X.501, "The Directory: Models", 1993.

1860	   [7] ITU-T Rec. X.520, "The Directory: Selected Attribute Types", 1993.

1862	   [9] T. Howes, M. Smith, "An LDAP URL Format", RFC 1959, June 1996.

1864	   [10] ITU-T Rec. X.518, "The Directory: Procedures for Distributed
1865	        Operation", 1993.

1867	   [11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic,
1868	        Canonical, and Distinguished Encoding Rules", 1994.

1870	   [12] ITU-T Rec. X.509, "The Directory: Authentication Framework",
1871	        1993.

1873	   [13] ITU-T Rec. X.511, "The Directory: Abstract Service Definition", 1993.

1875	   [14] T. Berners-Lee, L. Masinter, M. McCahill, "Uniform Resource
1876	        Locators (URL)", RFC 1738, Dec. 1994.

1878	   [15] Universal Multiple-Octet Coded Character Set (UCS) - Architecture
1879	        and Basic Multilingual Plane, ISO/IEC 10646-1 : 1993.

1881	   [16] M. Davis, UTF-8, (WG2 N1036) DAM for ISO/IEC 10646-1.

1883	   [17] M. Wahl, T. Howes, "LDAP Use of Language Indications",
1884	        INTERNET-DRAFT <draft-ietf-asid-ldapv3-lang-00.txt"> August 1996.

1886	   [18] J. Meyers, "Simple Authentication and Security Layer",
1887	        INTERNET-DRAFT <draft-myers-auth-sasl-04.txt>, July 1996.

1889	   [19] A. Freier, P. Karlton, P. Kocher, "The SSL Protocol Version 3.0",
1890	        INTERNET-DRAFT <draft-freier-ssl-version3-01.txt>, March 1996.

1892	10.  Authors' Address

1894	       Mark Wahl
1895	       Critical Angle Inc.
1896	       4815 W Braker Lane #502-385
1897	       Austin, TX 78759
1898	       USA

1900	       EMail:  M.Wahl@critical-angle.com

1902	       Tim Howes
1903	       Netscape Communications Corp.
1904	       501 E. Middlefield Rd.
1905	       Mountain View, CA 94043
1906	       USA

1908	       Phone:  +1 415 254-1900
1909	       EMail:   howes@netscape.com

1911	       Steve Kille
1912	       ISODE Consortium
1913	       The Dome, The Square
1914	       Richmond
1915	       TW9 1DT
1916	       UK

1918	       Phone:  +44-181-332-9091
1919	       EMail:  S.Kille@isode.com

1921	Appendix A - Complete ASN.1 Definition

1923	        Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
1924	        IMPLICIT TAGS ::=

1926	        BEGIN
1927	        LDAPMessage ::= SEQUENCE {
1928	                messageID       MessageID,
1929	                cldapUserName   LDAPDN OPTIONAL,
1930	                protocolOp      CHOICE {
1931	                        bindRequest     BindRequest,
1932	                        bindResponse    BindResponse,
1933	                        unbindRequest   UnbindRequest,
1934	                        searchRequest   SearchRequest,
1935	                        searchResEntry  SearchResultEntry,
1936	                        searchResDone   SearchResultDone,
1937	                        searchResRef    SearchResultReference,
1938	                        searchResFull   SearchResultFull,
1939	                        modifyRequest   ModifyRequest,
1940	                        modifyResponse  ModifyResponse,
1941	                        addRequest      AddRequest,
1942	                        addResponse     AddResponse,
1943	                        delRequest      DelRequest,
1944	                        delResponse     DelResponse,
1945	                        modDNRequest    ModifyDNRequest,
1946	                        modDNResponse   ModifyDNResponse,
1947	                        compareRequest  CompareRequest,
1948	                        compareResponse CompareResponse,
1949	                        abandonRequest  AbandonRequest,
1950	                        sessionRequest  SessionRequest,
1951	                        sessionResponse SessionResponse,
1952	                        resumeRequest   ResumeRequest,
1953	                        resumeError     ResumeError,
1954	                        extendedReq     ExtendedRequest,
1955	                        extendedResp    ExtendedResponse } }

1957	        MessageID ::= INTEGER (0 .. maxInt)

1959	        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

1961	        LDAPString ::= OCTET STRING

1963	        LDAPOID ::= OCTET STRING

1965	        LDAPDN ::= LDAPString

1967	        RelativeLDAPDN ::= LDAPString

1969	        AttributeType ::= LDAPString

1971	        AttributeDescription ::= LDAPString

1973	        AttributeDescriptionList ::= SEQUENCE OF
1974	                AttributeDescription

1976	        AttributeValue ::= OCTET STRING

1978	        AttributeValueAssertion ::= SEQUENCE {
1979	                attributeDesc   AttributeDescription,
1980	                assertionValue  AssertionValue }

1982	        AssertionValue ::= OCTET STRING
1983	        Attribute ::= SEQUENCE {
1984	                type    AttributeDescription,
1985	                vals    SET OF AttributeValue }

1987	        MatchingRuleId ::= LDAPString

1989	        LDAPResult ::= SEQUENCE {
1990	                resultCode      ENUMERATED {
1991	                             success                      (0),
1992	                             operationsError              (1),
1993	                             protocolError                (2),
1994	                             timeLimitExceeded            (3),
1995	                             sizeLimitExceeded            (4),
1996	                             compareFalse                 (5),
1997	                             compareTrue                  (6),

1999	                             authMethodNotSupported       (7),
2000	                             strongAuthRequired           (8),
2001	                                        -- 9 reserved --
2002	                             referral                     (10),  -- new
2003	                             adminLimitExceeded           (11),  -- new
2004	                             unavailableCriticalExtension (12),  -- new
2005	                                        -- 13-15 unused --
2006	                             noSuchAttribute              (16),
2007	                             undefinedAttributeType       (17),
2008	                             inappropriateMatching        (18),
2009	                             constraintViolation          (19),
2010	                             attributeOrValueExists       (20),
2011	                             invalidAttributeSyntax       (21),
2012	                                        -- 22-31 unused --
2013	                             noSuchObject                 (32),
2014	                             aliasProblem                 (33),
2015	                             invalidDNSyntax              (34),
2016	                             -- 35 reserved for undefined isLeaf --
2017	                             aliasDereferencingProblem    (36),
2018	                                        -- 37-47 unused --
2019	                             inappropriateAuthentication  (48),
2020	                             invalidCredentials           (49),
2021	                             insufficientAccessRights     (50),
2022	                             busy                         (51),
2023	                             unavailable                  (52),
2024	                             unwillingToPerform           (53),
2025	                             loopDetect                   (54),
2026	                                        -- 55-63 unused --
2027	                             namingViolation              (64),
2028	                             objectClassViolation         (65),
2029	                             notAllowedOnNonLeaf          (66),
2030	                             notAllowedOnRDN              (67),
2031	                             entryAlreadyExists           (68),
2032	                             objectClassModsProhibited    (69),
2033	                             resultsTooLarge              (70), -- cl only
2034	                             affectsMultipleDSAs          (71), -- new
2035	                                        -- 72-79 unused --
2036	                             other                        (80) },
2037	                             -- 81-90 reserved for APIs --
2038	                matchedDN       LDAPDN,
2039	                errorMessage    LDAPString,
2040	                referral        [3] Referral OPTIONAL }

2042	        Referral ::= SEQUENCE OF LDAPURL

2044	        LDAPURL ::= LDAPString  -- limited to characters permitted in URLs

2046	        BindRequest ::= [APPLICATION 0] SEQUENCE {
2047	                version                 INTEGER (1 .. 127),
2048	                name                    LDAPDN,
2049	                authentication          AuthenticationChoice }

2051	        AuthenticationChoice ::= CHOICE {
2052	                simple                  [0] OCTET STRING,
2053	                                         -- 1 and 2 reserved
2054	                sasl                    [3] SaslCredentials }

2056	        SaslCredentials ::= SEQUENCE {
2057	                mechanism               LDAPString,
2058	                credentials             OCTET STRING }

2060	        BindResponse ::= [APPLICATION 1] SEQUENCE {
2061	             COMPONENTS OF LDAPResult,
2062	             supportedVersion   [5] INTEGER (1..127) OPTIONAL,
2063	             serverURL          [6] LDAPURL OPTIONAL,
2064	             serverCreds        [7] AuthenticationChoice OPTIONAL }

2066	        UnbindRequest ::= [APPLICATION 2] NULL

2068	        SessionRequest ::= [APPLICATION 17] Controls

2070	        SessionResponse ::= [APPLICATION 18] SEQUENCE {
2071	                COMPONENTS OF LDAPResult,
2072	                unsupportedCtls         [12] SEQUENCE OF LDAPString }

2074	        Controls ::= SEQUENCE OF SEQUENCE {
2075	                controlType             LDAPString,
2076	                criticality             BOOLEAN DEFAULT FALSE,
2077	                controlValue            OCTET STRING }

2079	        SearchRequest ::= [APPLICATION 3] SEQUENCE {
2080	                baseObject      LDAPDN,
2081	                scope           ENUMERATED {
2082	                        baseObject              (0),
2083	                        singleLevel             (1),
2084	                        wholeSubtree            (2) },
2085	                derefAliases    ENUMERATED {
2086	                        neverDerefAliases       (0),
2087	                        derefInSearching        (1),
2088	                        derefFindingBaseObj     (2),
2089	                        derefAlways             (3) },
2090	                sizeLimit       INTEGER (0 .. maxInt),
2091	                timeLimit       INTEGER (0 .. maxInt),
2092	                typesOnly       BOOLEAN,
2093	                filter          Filter,
2094	                attributes      AttributeDescriptionList,
2095	                pageSizeLimit   [0] INTEGER OPTIONAL,
2096	                sortKeys        [1] SortKeyList OPTIONAL }

2098	        SortKeyList ::= SEQUENCE OF SEQUENCE {
2099	                attributeType   AttributeType,
2100	                orderingRule    [0] MatchingRuleId OPTIONAL,
2101	                reverseOrder    [1] BOOLEAN DEFAULT FALSE }

2103	        Filter ::= CHOICE {
2104	                and             [0] SET OF Filter,
2105	                or              [1] SET OF Filter,
2106	                not             [2] Filter,
2107	                equalityMatch   [3] AttributeValueAssertion,
2108	                substrings      [4] SubstringFilter,
2109	                greaterOrEqual  [5] AttributeValueAssertion,
2110	                lessOrEqual     [6] AttributeValueAssertion,
2111	                present         [7] AttributeType,
2112	                approxMatch     [8] AttributeValueAssertion,
2113	                extensibleMatch [9] MatchingRuleAssertion }

2115	        SubstringFilter ::= SEQUENCE {
2116	                type            AttributeDescription,
2117	                -- at least one must be present
2118	                substrings      SEQUENCE OF CHOICE {
2119	                        initial [0] LDAPString,
2120	                        any     [1] LDAPString,
2121	                        final   [2] LDAPString } }

2123	        MatchingRuleAssertion ::= SEQUENCE {
2124	                matchingRule    [1] MatchingRuleId OPTIONAL,
2125	                type            [2] AttributeType OPTIONAL,
2126	                matchValue      [3] AssertionValue,
2127	                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

2129	        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
2130	                objectName      LDAPDN,
2131	                attributes      PartialAttributeList }

2133	        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
2134	                type    AttributeDescription,
2135	                vals    SET OF AttributeValue }
2136	        -- implementors should note that the PartialAttributeList may have
2137	        -- zero elements (if none of the attributes of that entry were
2138	        -- requested, or could be returned), and that the vals set may also
2139	        -- have zero elements (if types only was requested, or all the values
2140	        -- exceeded the attribute size limit or were excluded because of
2141	        -- access control).

2143	        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
2144	        -- at least one LDAPURL element must be present

2146	        SearchResultDone ::= [APPLICATION 5] SEQUENCE {
2147	           COMPONENTS OF LDAPResult,
2148	           totalCount [8] INTEGER OPTIONAL }

2150	        SearchResultFull ::= SEQUENCE OF CHOICE {
2151	                        entry           SearchResultEntry,
2152	                        reference       SearchResultReference,
2153	                        resultCode      SearchResultDone }

2155	        ResumeRequest ::= [APPLICATION 20] SEQUENCE {
2156	                searchRequestID         [0] MessageID,
2157	                startAtEntry            [1] INTEGER,
2158	                entriesToReturn         [2] INTEGER }

2160	        ResumeError ::= [APPLICATION 21] LDAPResult

2162	        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
2163	                object          LDAPDN,
2164	                modification    SEQUENCE OF SEQUENCE {
2165	                        operation       ENUMERATED {
2166	                                                add     (0),
2167	                                                delete  (1),
2168	                                                replace (2) },
2169	                        modification    AttributeTypeAndValues } }

2171	        AttributeTypeAndValues ::= SEQUENCE {
2172	                type    AttributeDescription,
2173	                vals    SET OF AttributeValue }

2175	        ModifyResponse ::= [APPLICATION 7] LDAPResult

2177	        AddRequest ::= [APPLICATION 8] SEQUENCE {
2178	                entry           LDAPDN,
2179	                attributes      AttributeList }

2181	        AttributeList ::= SEQUENCE OF SEQUENCE {
2182	                type    AttributeDescription,
2183	                vals    SET OF AttributeValue }

2185	        AddResponse ::= [APPLICATION 9] LDAPResult

2187	        DelRequest ::= [APPLICATION 10] LDAPDN

2189	        DelResponse ::= [APPLICATION 11] LDAPResult

2191	        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
2192	                entry           LDAPDN,
2193	                newrdn          RelativeLDAPDN,
2194	                deleteoldrdn    BOOLEAN,
2195	                newSuperior     [0] LDAPDN OPTIONAL }

2197	        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

2199	        CompareRequest ::= [APPLICATION 14] SEQUENCE {
2200	                entry           LDAPDN,
2201	                ava             AttributeValueAssertion }

2203	        CompareResponse ::= [APPLICATION 15] SEQUENCE {
2204	           COMPONENTS OF LDAPResult,
2205	           matchedSubtype [9] AttributeType OPTIONAL }

2207	        AbandonRequest ::= [APPLICATION 16] MessageID
2208	        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
2209	                requestName      [0] LDAPOID,
2210	                requestValue     [1] OCTET STRING }

2212	        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
2213	                COMPONENTS OF LDAPResult,
2214	                responseName     [10] LDAPOID OPTIONAL,
2215	                response         [11] OCTET STRING OPTIONAL }

2217	        -- not part of LDAP core protocol, see Appendix B --

2219	        ProtectedPassword ::= SEQUENCE {
2220	                time1                   [0] UTCTime OPTIONAL,
2221	                time2                   [1] UTCTime OPTIONAL,
2222	                random1                 [2] BIT STRING OPTIONAL,
2223	                random2                 [3] BIT STRING OPTIONAL,
2224	                protected               [4] OCTET STRING }

2226	        StrongCredentials ::= SEQUENCE {
2227	                certification-path      [0] AF.CertificationPath OPTIONAL,
2228	                bind-token              [1] DAS.Token }

2230	        END

2232	Appendix B - X.500 Authentication Mechanisms

2234	   This Appendix defines two SASL authentication mechanisms which may
2235	   be used with LDAP.  These mechanisms are only for authentication, they
2236	   have no effect on the protocol encodings and are not designed to
2237	   provide integrity or confidentiality services.

2239	   If an implementation supports these elements, then the following
2240	   additional encoding restrictions apply tor these elements:

2242	   (5) UTC Times should be encoded with the "Z" suffix, not as a local time.

2244	   (6) Unused bits in the final octet of the encoding of a BIT STRING
2245	       value, if there are any, should always be set to zero.

2247	B.1. X.511-Protected

2249	   The "X.511-Protected" authentication mechanism allows a hash of the
2250	   password, combined optionally with the current time and random
2251	   numbers, to be sent to the server.  The protected field contains the hash
2252	   value.  This prevents a password from being carried in the clear.

2254	   The mechanism field is set to the string "X.511-Protected", and the
2255	   credentials field contain the DER encoding of a value of the following
2256	   ASN.1 type:

2258	        ProtectedPassword ::= SEQUENCE {
2259	                time1                   [0] UTCTime OPTIONAL,
2260	                time2                   [1] UTCTime OPTIONAL,
2261	                random1                 [2] BIT STRING OPTIONAL,
2262	                random2                 [3] BIT STRING OPTIONAL,
2263	                protected               [4] OCTET STRING }

2265	   The use of the time1, time2, random1, random2 and protected fields are
2266	   as defined in ITU-T Rec. X.509 [12] and the functional profile for X.500
2267	   for the environment in which this authentication mechanism is to be used.

2269	   The name field of the BindRequest must be a nonempty string when this
2270	   mechanism is being used to authenticate the client.  Note that this
2271	   security mechanism is not intended to protect against attackers
2272	   modifying the bind name field or other protocol elements.

2274	B.2. X.511-Strong

2276	   Strong authentication to the directory can be accomplished using the
2277	   "X.511-Strong".

2279	   The mechanism field is set to the string "X.511-Strong", and the
2280	   credentials field set to a DER-encoding of a value of the following
2281	   ASN.1 type:

2283	        StrongCredentials ::= SEQUENCE {
2284	                certification-path      [0] AF.CertificationPath OPTIONAL,
2285	                bind-token              [1] DAS.Token }

2287	   The ASN.1 type "CertificationPath" is defined in [12], and the ASN.1
2288	   type "Token" is defined in [13].

2290	   When the credentials are being used to authenticate the client, it is
2291	   recommended that the certification-path field be present, which will
2292	   contain minimally the client's certificate. If the certification-path
2293	   field is supplied, then the name field of the BindRequest must be an
2294	   empty string, and the server will obtain the name of the client from
2295	   the subject field of the certification-path userCertificate.

2297	   It is recommended for interoperability that if the server's or client's
2298	   certificates contain RSA public keys, the PKCS md5WithRSAEncryption
2299	   (1.2.840.113549.1.1.4) algorithm should be used.

2301	Table of Contents

2303	   1.  Status of this Memo ....................................  1
2304	   2.  Abstract ...............................................  1
2305	   3.  Models .................................................  2
2306	   3.1. Protocol Model ........................................  2
2307	   3.2. Data Model ............................................  3
2308	   3.2.1 Attributes of Entries ................................  3
2309	   3.2.2 Subschema Subentry ...................................  4
2310	   3.3. Relationship to X.500 .................................  4
2311	   3.4. Server-specific Data Requirements .....................  5
2312	   4.  Elements of Protocol ...................................  5
2313	   4.1. Common Elements .......................................  5
2314	   4.1.1. Message Envelope ....................................  5
2315	   4.1.2. String Types ........................................  7
2316	   4.1.3. Distinguished Name and Relative Distinguished Name ..  7
2317	   4.1.4. Attribute Type and Description ......................  8
2318	   4.1.5. Attribute Value .....................................  9
2319	   4.1.6. Attribute Value Assertion ...........................  9
2320	   4.1.7. Attribute ........................................... 10
2321	   4.1.8. Matching Rule Identifier ............................ 10
2322	   4.1.9. Result Message ...................................... 10
2323	   4.1.10. Referral ........................................... 12
2324	   4.2.  Bind Operation ....................................... 13
2325	   4.2.1. Sequencing of the Bind Request ...................... 13
2326	   4.2.2 Authentication and Other Security Services ........... 14
2327	   4.2.3. Bind Response ....................................... 14
2328	   4.3.  Unbind Operation ..................................... 15
2329	   4.4.  Session Control Operation ............................ 15
2330	   4.5.  Search Operation ..................................... 18
2331	   4.5.1. Search Request ...................................... 18
2332	   4.5.2. Search Result ....................................... 21
2333	   4.5.3. Continuation References in the Search Result ........ 24
2334	   4.5.3.1 Example ............................................ 24
2335	   4.6.  Resume Search Operation .............................. 25
2336	   4.7.  Modify Operation ..................................... 26
2337	   4.8.  Add Operation ........................................ 28
2338	   4.9.  Delete Operation ..................................... 28
2339	   4.10.  Modify DN Operation ................................. 29
2340	   4.11.  Compare Operation ................................... 29
2341	   4.12.  Abandon Operation ................................... 30
2342	   4.13.  Extended Operation .................................. 31
2343	   5.  Protocol Element Encodings and Transfer ................ 31
2344	   5.1.  Mapping Onto BER-based Transport Services ............ 31
2345	   5.1.1.  Transmission Control Protocol (TCP) ................ 32
2346	   5.1.2.  Connection Oriented Transport Service (COTS) ....... 32
2347	   5.1.3.  User Datagram Protocol (UDP) ....................... 32
2348	   5.1.4.  Secure Socket Layer over TCP (SSL) ................. 32
2349	   6.  Implementation Guidelines .............................. 32
2350	   6.1.  Server Implementations ............................... 32
2351	   6.2.  Client Implementations ............................... 32
2352	   6.2.1. Loop Detection ...................................... 32
2353	   7.  Security Considerations ................................ 33
2354	   8.  Acknowledgements ....................................... 34
2355	   9.  Bibliography ........................................... 34
2356	   10.  Authors' Address ...................................... 35
2357	   Appendix A - Complete ASN.1 Definition ..................... 35
2358	   Appendix B - X.500 Authentication Mechanisms ............... 41
2359	   B.1. X.511-Protected ....................................... 41
2360	   B.2. X.511-Strong .......................................... 42

2362	<draft-ietf-asid-ldapv3-protocol-02.txt> Expires: March 2, 1997