idnits 2.17.1 

draft-ietf-asid-ldapv3-protocol-06.txt:
  ** The Abstract section seems to be numbered


  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in
     this document.

     Expected boilerplate is as follows today (2024-04-26) according to
     https://trustee.ietf.org/license-info :

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.a:
        This Internet-Draft is submitted in full conformance with the provisions
        of BCP 78 and BCP 79.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2:
        Copyright (c) 2024 IETF Trust and the persons identified as the document
        authors.  All rights reserved.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3:
        This document is subject to BCP 78 and the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info) in effect on the date of
        publication of this document.  Please review these documents
        carefully, as they describe your rights and restrictions with
        respect to this document.  Code Components extracted from this
        document must include Simplified BSD License text as described in
        Section 4.e of the Trust Legal Provisions and are provided
        without warranty as described in the Simplified BSD License.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 

  == The page length should not exceed 58 lines per page, but there was 42
     longer pages, the longest (page 2) being 60 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 55 instances of too long lines in the document, the longest
     one being 2 characters in excess of 72.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 115: '...e distinguished name (RDN), which MUST...'
     RFC 2119 keyword, line 129: '...ing or shadowing MUST ensure that they...'
     RFC 2119 keyword, line 163: '...   Each entry MUST have an objectClass...'
     RFC 2119 keyword, line 182: '...   Servers MUST NOT permit clients to ...'
     RFC 2119 keyword, line 190: '...   Entries MAY contain, among others, ...'
     (132 more instances...)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 28 has weird spacing: '...listing  conta...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (11 July 1997) is 9786 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? '1' on line 2150 looks like a reference

  -- Missing reference section? '2' on line 2088 looks like a reference

  -- Missing reference section? '5' on line 2072 looks like a reference

  -- Missing reference section? '6' on line 2073 looks like a reference

  -- Missing reference section? '3' on line 2089 looks like a reference

  -- Missing reference section? '11' on line 2155 looks like a reference

  -- Missing reference section? '0' on line 2149 looks like a reference

  -- Missing reference section? '13' on line 1863 looks like a reference

  -- Missing reference section? '14' on line 1866 looks like a reference

  -- Missing reference section? '4' on line 2090 looks like a reference

  -- Missing reference section? '15' on line 1869 looks like a reference

  -- Missing reference section? '7' on line 2074 looks like a reference

  -- Missing reference section? '9' on line 2076 looks like a reference

  -- Missing reference section? 'APPLICATION 0' on line 2030 looks like a
     reference

  -- Missing reference section? '12' on line 1860 looks like a reference

  -- Missing reference section? '8' on line 2075 looks like a reference

  -- Missing reference section? 'APPLICATION 1' on line 2044 looks like a
     reference

  -- Missing reference section? 'APPLICATION 2' on line 2048 looks like a
     reference

  -- Missing reference section? 'APPLICATION 3' on line 2049 looks like a
     reference

  -- Missing reference section? 'APPLICATION 4' on line 2092 looks like a
     reference

  -- Missing reference section? 'APPLICATION 19' on line 2100 looks like a
     reference

  -- Missing reference section? 'APPLICATION 5' on line 2102 looks like a
     reference

  -- Missing reference section? 'APPLICATION 6' on line 2103 looks like a
     reference

  -- Missing reference section? 'APPLICATION 7' on line 2116 looks like a
     reference

  -- Missing reference section? 'APPLICATION 8' on line 2118 looks like a
     reference

  -- Missing reference section? 'APPLICATION 9' on line 2126 looks like a
     reference

  -- Missing reference section? 'APPLICATION 10' on line 2128 looks like a
     reference

  -- Missing reference section? 'APPLICATION 11' on line 2130 looks like a
     reference

  -- Missing reference section? 'APPLICATION 12' on line 2132 looks like a
     reference

  -- Missing reference section? 'APPLICATION 13' on line 2138 looks like a
     reference

  -- Missing reference section? 'APPLICATION 14' on line 2140 looks like a
     reference

  -- Missing reference section? 'APPLICATION 15' on line 2144 looks like a
     reference

  -- Missing reference section? 'APPLICATION 16' on line 2146 looks like a
     reference

  -- Missing reference section? 'APPLICATION 23' on line 2148 looks like a
     reference

  -- Missing reference section? 'APPLICATION 24' on line 2152 looks like a
     reference

  -- Missing reference section? '10' on line 2154 looks like a reference


     Summary: 9 errors (**), 0 flaws (~~), 2 warnings (==), 38 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	Network Working Group                                            M. Wahl
2	INTERNET-DRAFT                                       Critical Angle Inc.
3	Replaces: RFC 1777                                              T. Howes
4	                                           Netscape Communications Corp.
5	                                                                S. Kille
6	                                                           Isode Limited
7	Expires in six months from                                  11 July 1997
8	Intended Category: Standards Track

10	                  Lightweight Directory Access Protocol (v3)
11	                  <draft-ietf-asid-ldapv3-protocol-06.txt>

13	Table of Contents - see end of document.

15	1.  Status of this Memo

17	   This document is an Internet-Draft.  Internet-Drafts are working
18	   documents of the Internet Engineering Task Force (IETF), its areas, and
19	   its working groups.  Note that other groups may also distribute working
20	   documents as Internet-Drafts.

22	   Internet-Drafts are draft documents valid for a maximum of six months
23	   and may be updated, replaced, or obsoleted by other documents at any
24	   time.  It is inappropriate to use Internet-Drafts as reference material
25	   or to cite them other than as "work in progress."

27	   To learn the current status of any Internet-Draft, please check the
28	   "1id-abstracts.txt" listing  contained in the Internet-Drafts Shadow
29	   Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
30	   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

32	2.  Abstract

34	   The protocol described in this document is designed to provide access
35	   to directories supporting the X.500 models, while not incurring the
36	   resource requirements of the X.500 Directory Access Protocol (DAP).
37	   This protocol is specifically targeted at management applications and
38	   browser applications that provide read/write interactive access to
39	   directories. When used with a directory supporting the X.500
40	   protocols, it is intended to be a complement to the X.500 DAP.

42	   Key aspects of this version of LDAP are:

44	   - All protocol elements of LDAPv2 (RFC 1777) are supported. The
45	     protocol is carried directly over TCP or other transport, bypassing
46	     much of the session/presentation overhead of X.500 DAP.

48	   - Most protocol data elements can be encoded as ordinary strings
49	     (e.g., Distinguished Names).

51	   - Referrals to other servers may be returned.

53	   - SASL and TLS mechanisms may be used with LDAP to provide association
54	     security services.

56	   - Attribute values and Distinguished Names have been internationalized
57	     through the use of the ISO 10646 character set.

59	   - The protocol can be extended to support new operations, and controls
60	     may be used to extend existing operations.

62	   - Schema is published in the directory for use by clients.

64	3.  Models

66	   Interest in X.500 [1] directory technologies in the Internet has led
67	   to efforts to reduce the high cost of entry associated with use of
68	   these technologies.  This document continues the efforts to define
69	   directory protocol alternatives, updating the LDAP [2] protocol
70	   specification.

72	3.1. Protocol Model

74	   The general model adopted by this protocol is one of clients
75	   performing protocol operations against servers. In this model, a
76	   client transmits a protocol request describing the operation to be
77	   performed to a server. The server is then responsible for performing
78	   the necessary operation(s) in the directory. Upon completion of
79	   the operation(s), the server returns a response containing any results
80	   or errors to the requesting client.

82	   In keeping with the goal of easing the costs associated with use of
83	   the directory, it is an objective of this protocol to minimize the
84	   complexity of clients so as to facilitate widespread deployment of
85	   applications capable of using the directory.

87	   Note that although servers are required to return responses whenever
88	   such responses are defined in the protocol, there is no requirement
89	   for synchronous behavior on the part of either clients or servers.
90	   Requests and responses for multiple operations may be exchanged
91	   between a client and server in any order, provided the client
92	   eventually receives a response for every request that requires one.

94	   In LDAP versions 1 and 2, no provision was made for protocol servers
95	   returning referrals to clients.  However, for improved performance and
96	   distribution this version of the protocol permits servers to return to
97	   clients referrals to other servers.  This allows servers to offload
98	   the work of contacting other servers to progress operations.

100	   Note that the core protocol operations defined in this document can be
101	   mapped to a strict subset of the X.500(1997) directory abstract
102	   service, so it can be cleanly provided by the DAP.  However there is
103	   not a one-to-one mapping between LDAP protocol operations and DAP
104	   operations: server implementations acting as a gateway to X.500
105	   directories may need to make multiple DAP requests.

107	3.2. Data Model

109	   This section provides a brief introduction to the X.500 data model, as
110	   used by LDAP.

112	   The LDAP protocol assumes there are one or more servers which jointly
113	   provide access to a Directory Information Tree (DIT).  The tree is
114	   made up of entries.  Entries have names: one or more attribute values
115	   from the entry form its relative distinguished name (RDN), which MUST
116	   be unique among all its siblings.  The concatenation of the relative
117	   distinguished names of the sequence of entries from a particular
118	   entry to an immediate subordinate of the root of the tree forms that
119	   entry's Distinguished Name (DN), which is unique in the tree.  An
120	   example of a Distinguished Name is

122	   CN=Steve Kille, O=Isode Limited, C=GB

124	   Some servers may hold cache or shadow copies of entries, which can be
125	   used to answer search and comparison queries, but will return
126	   referrals or contact other servers if modification operations are
127	   requested.

129	   Servers which perform caching or shadowing MUST ensure that they do
130	   not violate any access control constraints placed on the data by the
131	   originating server.

133	   The largest collection of entries, starting at an entry that is
134	   mastered by a particular server, and including all its subordinates
135	   and their subordinates, down to the entries which are mastered by
136	   different servers, is termed a naming context.  The root of the DIT
137	   is a DSA-specific Entry (DSE) and not part of any naming context:
138	   each server has different attribute values in the root DSE.  (DSA is
139	   an X.500 term for the directory server).

141	3.2.1. Attributes of Entries

143	   Entries consist of a set of attributes.  An attribute is a type with
144	   one or more associated values.  The attribute type is identified by a
145	   short descriptive name and an OID (object identifier). The attribute
146	   type governs whether there can be more than one value of an
147	   attribute of that type in an entry, the syntax to which the values
148	   must conform, the kinds of matching which can be performed on values
149	   of that attribute, and other functions.

151	   An example of an attribute is "mail". There may be one or more values
152	   of this attribute, they must be IA5 (ASCII) strings, and they are
153	   case insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").

155	   Schema is the collection of attribute type definitions, object class
156	   definitions and other information which a server uses to determine
157	   how to match a filter or attribute value assertion (in a compare
158	   operation) against the attributes of an entry, and whether to permit
159	   add and modify operations.  The definition of schema for use with
160	   LDAP is given in [5] and [6].  Additional schema elements may be
161	   defined in other documents.

163	   Each entry MUST have an objectClass attribute.  The objectClass
164	   attribute specifies the object classes of an entry, which along with
165	   the system and user schema determine the permitted attributes of an
166	   entry.  Values of this attribute may be modified by clients, but the
167	   objectClass attribute cannot be removed.  Servers may restrict the
168	   modifications of this attribute to prevent the basic structural
169	   class of the entry from being changed (e.g. one cannot change a
170	   person into a country).  When creating an entry or adding an
171	   objectClass value to an entry, all superclasses of the named classes
172	   are implicitly added as well if not already present, and the client
173	   must supply values for any mandatory attributes of new superclasses.

175	   Some attributes, termed operational attributes, are used by servers
176	   for administering the directory system itself.  They are not returned
177	   in search results unless explicitly requested by name.  Attributes
178	   which are not operational, such as "mail", will have their schema and
179	   syntax constraints enforced by servers, but servers will generally
180	   not make use of their values.

182	   Servers MUST NOT permit clients to add attributes to an entry unless
183	   those attributes are permitted by the object class definitions, the
184	   schema controlling that entry (specified in the subschema - see
185	   below), or are operational attributes known to that server and used
186	   for administrative purposes.  Note that there is a particular
187	   objectClass 'extensibleObject' defined in [5] which permits all user
188	   attributes to be present in an entry.

190	   Entries MAY contain, among others, the following operational
191	   attributes, defined in [5]. These attributes are maintained
192	   automatically by the server and are not modifiable by clients:

194	   - creatorsName: the Distinguished Name of the user who added this
195	     entry to the directory.

197	   - createTimestamp: the time this entry was added to the directory.

199	   - modifiersName: the Distinguished Name of the user who last modified
200	     this entry.

202	   - modifyTimestamp: the time this entry was last modified.

204	   - subschemaSubentry:  the Distinguished Name of the subschema entry
205	     (or subentry) which controls the schema for this entry.

207	3.2.2. Subschema Entries and Subentries

209	   Subschema entries are used for administering information about the
210	   directory schema, in particular the object classes and attribute types
211	   supported by directory servers.  A single subschema entry contains
212	   all schema definitions used by entries in a particular part of the
213	   directory tree.

215	   Servers which follow X.500(93) models SHOULD implement subschema
216	   using the X.500 subschema mechanisms, and so these subschemas are not
217	   ordinary entries.  LDAP clients SHOULD NOT assume that servers
218	   implement any of the other aspects of X.500 subschema.
219	   A server which masters entries and permits clients to modify these
220	   entries MUST implement and provide access to these subschema entries,
221	   so that its clients may discover the attributes and object classes
222	   which are permitted to be present. It is strongly recommended that
223	   all other servers implement this as well.

225	   The following four attributes MUST be present in all subschema
226	   entries:

228	   - cn: this attribute MUST be used to form the RDN of the subschema
229	     entry.

231	   - objectClass: the attribute MUST have at least the values "top" and
232	     "subschema".

234	   - objectClasses: each value of this attribute specifies an object
235	     class known to the server.

237	   - attributeTypes: each value of this attribute specifies an attribute
238	     type known to the server.

240	   These are defined in [5]. Other attributes MAY be present in subschema
241	   entries, to reflect additional supported capabilities. These include
242	   matchingRules, matchingRuleUse, dITStructureRules, dITContentRules,
243	   nameForms and ldapSyntaxes.

245	   Servers SHOULD provide the attributes createTimestamp and
246	   modifyTimestamp in subschema entries, in order to allow clients to
247	   maintain their caches of schema information.

249	   Clients MUST only retrieve attributes from a subschema entry by
250	   requesting a base object search of the entry, where the search filter
251	   is "(objectClass=subschema)". (This will allow LDAPv3 servers which
252	   gateway to X.500(93) to detect that subentry information is being
253	   requested.)

255	3.3. Relationship to X.500

257	   This document defines LDAP in terms of X.500 as an X.500 access
258	   mechanism.  An LDAP server MUST act in accordance with the
259	   X.500(1993) series of ITU recommendations when providing the service.
260	   However, it is not required that an LDAP server make use of any X.500
261	   protocols in providing this service, e.g. LDAP can be mapped onto any
262	   other directory system so long as the X.500 data and service model as
263	   used in LDAP is not violated in the LDAP interface.

265	3.4. Server-specific Data Requirements

267	   An LDAP server MUST provide information about itself and other
268	   information that is specific to each server.  This is represented as
269	   a group of attributes located in the root DSE (DSA-Specific Entry),
270	   which is named with the zero-length LDAPDN.  These attributes
271	   are retrievable if a client performs a base object search of the
272	   root with filter "(objectClass=*)", however they are subject to
273	   access control restrictions.
274	   The root DSE MUST NOT be included if the client performs a subtree
275	   search starting from the root.

277	   Servers may allow clients to modify these attributes.

279	   The following attributes of the root DSE are defined in section 5
280	   of [5].  Additional attributes may be defined in other documents.

282	   - namingContexts: naming contexts held in the server. Naming contexts
283	     are defined in section 17 of X.501 [6].

285	   - subschemaSubentry: subschema entries (or subentries) known by this
286	     server.

288	   - altServer: alternative servers in case this one is later
289	     unavailable.

291	   - supportedExtension: list of supported extended operations.

293	   - supportedControl: list of supported controls.

295	   - supportedSASLMechanisms: list of supported SASL security features.

297	   - supportedLDAPVersion: LDAP versions implemented by the server.

299	   If the server does not master entries and does not know the locations
300	   of schema information, the subschemaSubentry attribute is not present
301	   in the root DSE.  If the server masters directory entries under one or
302	   more schema rules, there may be any number of values of the
303	   subschemaSubentry attribute in the root DSE.

305	4.  Elements of Protocol

307	   The LDAP protocol is described using Abstract Syntax Notation 1
308	   (ASN.1) [3], and is typically transferred using a subset of ASN.1
309	   Basic Encoding Rules [11]. In order to support future extensions to
310	   this protocol, clients and servers MUST ignore elements of SEQUENCEs
311	   whose tags they do not recognize.

313	   Note that unlike X.500, each change to the LDAP protocol other than
314	   through the extension mechanisms will have a different version
315	   number.  A client will indicate the version it supports as part of
316	   the bind request, described in section 4.2.  If a client has not sent
317	   a bind, the server MUST assume that version 3 is supported in the
318	   client (since version 2 required that the client bind first).

320	   Clients may determine the protocol version a server supports by
321	   reading the supportedLDAPVersion attribute from the root DSE.
322	   Servers which implement version 3 or later versions MUST provide this
323	   attribute.  Servers which only implement version 2 may not provide
324	   this attribute.

326	4.1. Common Elements

328	   This section describes the LDAPMessage envelope PDU (Protocol Data
329	   Unit) format, as well as data type definitions which are used in the
330	   protocol operations.

332	4.1.1. Message Envelope

334	   For the purposes of protocol exchanges, all protocol operations are
335	   encapsulated in a common envelope, the LDAPMessage, which is defined
336	   as follows:

338	        LDAPMessage ::= SEQUENCE {
339	                messageID       MessageID,
340	                protocolOp      CHOICE {
341	                        bindRequest     BindRequest,
342	                        bindResponse    BindResponse,
343	                        unbindRequest   UnbindRequest,
344	                        searchRequest   SearchRequest,
345	                        searchResEntry  SearchResultEntry,
346	                        searchResDone   SearchResultDone,
347	                        searchResRef    SearchResultReference,
348	                        modifyRequest   ModifyRequest,
349	                        modifyResponse  ModifyResponse,
350	                        addRequest      AddRequest,
351	                        addResponse     AddResponse,
352	                        delRequest      DelRequest,
353	                        delResponse     DelResponse,
354	                        modDNRequest    ModifyDNRequest,
355	                        modDNResponse   ModifyDNResponse,
356	                        compareRequest  CompareRequest,
357	                        compareResponse CompareResponse,
358	                        abandonRequest  AbandonRequest,
359	                        extendedReq     ExtendedRequest,
360	                        extendedResp    ExtendedResponse },
361	                 controls       [0] Controls OPTIONAL }

363	        MessageID ::= INTEGER (0 .. maxInt)

365	        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

367	   The function of the LDAPMessage is to provide an envelope containing
368	   common fields required in all protocol exchanges. At this time the
369	   only common fields are the message ID and the controls.

371	   If the server receives a PDU from the client in which the LDAPMessage
372	   SEQUENCE tag cannot be recognized, the messageID cannot be parsed,
373	   the tag of the protocolOp is not recognized as a request, or the
374	   encoding structures or lengths of data fields are found to be
375	   incorrect, then the server MUST return the notice of disconnection
376	   described in section 4.4.1, with resultCode protocolError, and
377	   immediately close the connection. In other cases that the server
378	   cannot parse the request received by the client, the server MUST
379	   return an appropriate response to the request, with the resultCode
380	   set to protocolError.

382	   If the client receives a PDU from the server which cannot be parsed,
383	   the client may discard the PDU, or may abruptly close the connection.

385	   The ASN.1 type Controls is defined in section 4.1.12.

387	4.1.1.1. Message ID

389	   All LDAPMessage envelopes encapsulating responses contain the
390	   messageID value of the corresponding request LDAPMessage.

392	   The message ID of a request MUST have a value different from the
393	   values of any other requests outstanding in the LDAP session of which
394	   this message is a part.

396	   A client MUST NOT send a second request with the same message ID as
397	   an earlier request on the same connection if the client has not
398	   received the final response from the earlier request.  Otherwise the
399	   behavior is undefined.  Typical clients increment a counter for each
400	   request.

402	   A client MUST NOT reuse the message id of an abandonRequest or of the
403	   abandoned operation until it has received a response from the server
404	   for another request invoked subsequent to the abandonRequest, as the
405	   abandonRequest itself does not have a response.

407	4.1.2. String Types

409	   The LDAPString is a notational convenience to indicate that, although
410	   strings of LDAPString type encode as OCTET STRING types, the ISO 10646
411	   [13] character set (a superset of Unicode) is used, encoded following
412	   the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm characters
413	   which are the same as ASCII (0x0000 through 0x007F) are represented
414	   as that same ASCII character in a single byte.  The other byte values
415	   are used to form a variable-length encoding of an arbitrary character.

417	        LDAPString ::= OCTET STRING

419	   The LDAPOID is a notational convenience to indicate that the permitted
420	   value of this string is a (UTF-8 encoded) dotted-decimal
421	   representation of an OBJECT IDENTIFIER.

423	        LDAPOID ::= OCTET STRING

425	   For example,

427	        1.3.6.1.4.1.1466.1.2.3

429	4.1.3. Distinguished Name and Relative Distinguished Name

431	   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
432	   representation of a Distinguished Name and a Relative Distinguished
433	   Name after encoding according to the specification in [4], such that

435	        <distinguished-name> ::= <name>

437	        <relative-distinguished-name> ::= <name-component>

439	   where <name> and <name-component> are as defined in [4].

441	        LDAPDN ::= LDAPString

443	        RelativeLDAPDN ::= LDAPString

445	   Only Attribute Types can be present in a relative distinguished name
446	   component; the options of Attribute Descriptions (next section)
447	   MUST NOT be used in specifying distinguished names.

449	4.1.4. Attribute Type

451	   An AttributeType takes on as its value the textual string associated
452	   with that AttributeType in its specification.

454	        AttributeType ::= LDAPString

456	   Each attribute type has a unique OBJECT IDENTIFIER which has been
457	   assigned to it.  This identifier may be written as decimal digits
458	   with components separated by periods, e.g. "2.5.4.10".

460	   A specification may also assign one or more textual names for an
461	   attribute type.  These names MUST begin with a letter, and only
462	   contain ASCII letters, digit characters and hyphens.  They are case
463	   insensitive.  (These ASCII characters are identical to ISO 10646
464	   characters whose UTF-8 encoding is a single byte between 0x00 and
465	   0x7F.)

467	   If the server has a textual name for an attribute type, it MUST use
468	   that name for attributes returned in search results.  The dotted-
469	   decimal OBJECT IDENTIFIER is only used if there is no textual name
470	   for an attribute type.

472	   Attribute type names are non-unique, as two different specifications
473	   (neither in standards track RFCs) may choose the same name.

475	   A server which masters or shadows entries SHOULD list all the
476	   attribute types it supports in the subschema entries, using the
477	   attributeTypes attribute.  Servers which support an open-ended set of
478	   attributes SHOULD include at least the attributeTypes value for the
479	   'objectClass' attribute. Clients MAY retrieve the attributeTypes
480	   value from subschema entries in order to obtain the OBJECT IDENTIFIER
481	   and other information associated with attribute types.

483	   Some attribute type names which are used in this version of LDAP are
484	   described in [5].  Servers may implement additional attribute types.

486	4.1.5. Attribute Description

488	   An AttributeDescription is a superset of the definition of the
489	   AttributeType.  It has the same ASN.1 definition, but allows
490	   additional options to be specified.  They are also case insensitive.

492	        AttributeDescription ::= LDAPString

494	   A value of AttributeDescription is based on the following BNF:

496	        <AttributeDescription> ::= <AttributeType> [ ";" <options> ]

498	        <options> ::= <option> | <option> ";" <options>

500	        <option> ::= <opt-char> <opt-char>*

502	        <opt-char> ::=  ASCII-equivalent letters, numbers and hyphen

504	   Examples of valid AttributeDescription:

506	        cn
507	        userCertificate;binary

509	   One option, "binary", is defined in this document.  Additional
510	   documents may define other options.

512	   An AttributeDescription with one or more options is treated as a
513	   subtype of the attribute type without any options.  Options present
514	   in an AttributeDescription are never mutually exclusive.
515	   Implementations should generate the <options> list sorted in
516	   ascending order, and servers MUST treat any two AttributeDescription
517	   with the same AttributeType and options as equivalent.  A server will
518	   treat an AttributeDescription with any options it does not implement
519	   as an unrecognized attribute type.

521	   The data type "AttributeDescriptionList" describes a list of 0 or
522	   more attribute types.  (A list of zero elements has special
523	   significance in the Search request.)

525	        AttributeDescriptionList ::= SEQUENCE OF
526	                AttributeDescription

528	4.1.5.1. Binary Option

530	   If the "binary" option is present in an AttributeDescription, it
531	   overrides any string-based encoding representation defined for that
532	   attribute in [5]. Instead the attribute is to be transferred as a
533	   binary value encoded using the Basic Encoding Rules [11].  The syntax
534	   of the binary value is an ASN.1 data type definition which is
535	   referenced by the "SYNTAX" part of the attribute type definition.

537	   The presence or absence of the "binary" option only affects the
538	   transfer of attribute values in protocol; servers store any
539	   particular attribute in a single format.  If a client requests that a
540	   server return an attribute in the binary format, but the server
541	   cannot generate that format, the server MUST treat this attribute
542	   type as an unrecognized attribute type.  Similarly, clients MUST NOT
543	   expect servers to return an attribute in binary format if the client
544	   requested that attribute by name without the binary option.

546	   This option is intended to be used with attributes whose syntax is a
547	   complex ASN.1 data type, and the structure of values of that type is
548	   needed by clients.  Examples of this kind of syntax are "Certificate"
549	   and "CertificateList".

551	4.1.6. Attribute Value

553	   A field of type AttributeValue takes on as its value either a string
554	   encoding of a AttributeValue data type, or an OCTET STRING containing
555	   an encoded binary value, depending on whether the "binary" option is
556	   present in the companion AttributeDescription to this AttributeValue.

558	   The definition of string encodings for different syntaxes and types
559	   may be found in other documents, and in particular [5].

561	        AttributeValue ::= OCTET STRING

563	   Note that there is no defined limit on the size of this encoding;
564	   thus protocol values may include multi-megabyte attributes (e.g.
565	   photographs).

567	   Attributes may be defined which have arbitrary and non-printable
568	   syntax.  Implementations MUST NEITHER simply display nor attempt to
569	   decode as ASN.1 a value if its syntax is not known.  The
570	   implementation may attempt to discover the subschema of the source
571	   entry, and retrieve the values of attributeTypes from it.

573	4.1.7. Attribute Value Assertion

575	   The AttributeValueAssertion type definition is similar to the one in
576	   the X.500 directory standards.  It contains an attribute description
577	   and a matching rule assertion value suitable for that type.

579	        AttributeValueAssertion ::= SEQUENCE {
580	                attributeDesc   AttributeDescription,
581	                assertionValue  AssertionValue }

583	        AssertionValue ::= OCTET STRING

585	   If the "binary" option is present in attributeDesc, this signals to
586	   the server that the assertionValue is a binary encoding of the
587	   assertion value.

589	   For all the string-valued user attributes described in [5], the
590	   assertion value syntax is the same as the value syntax.  Clients may
591	   use attribute values as assertion values in compare requests and
592	   search filters.

594	   Note however that the assertion syntax may be different from the value
595	   syntax for other attributes or for non-equality matching rules.
596	   These may have an assertion syntax which contains only part of the
597	   value.  See section 20.2.1.8 of X.501 [6] for examples.

599	4.1.8. Attribute

601	   An attribute consists of a type and one or more values of that type.
602	   (Though attributes MUST have at least one value when stored, due to
603	   access control restrictions the set may be empty when transferred
604	   in protocol.  This is described in section 4.5.2, concerning the
605	   PartialAttributeList type.)

607	        Attribute ::= SEQUENCE {
608	                type    AttributeDescription,
609	                vals    SET OF AttributeValue }

611	   Each attribute value is distinct in the set (no duplicates).  The
612	   order of attribute values within the vals set is undefined and
613	   implementation-dependent, and MUST NOT be relied upon.

615	4.1.9. Matching Rule Identifier

617	   A matching rule is a means of expressing how a server should compare
618	   an AssertionValue receive in a search filter with an abstract data
619	   value.  The matching rule defines the syntax of the assertion value
620	   and the process to be performed in the server.

622	   An X.501(1993) Matching Rule is identified in the LDAP protocol by the
623	   printable representation of its OBJECT IDENTIFIER, either as one of
624	   the strings given in [5], or as decimal digits with components
625	   separated by periods, e.g. "caseIgnoreIA5Match" or
626	   "1.3.6.1.4.1.453.33.33".

628	        MatchingRuleId ::= LDAPString

630	   Servers which support matching rules for use in the extensibleMatch
631	   search filter MUST list the matching rules they implement in
632	   subschema entries, using the matchingRules attributes.  The server
633	   SHOULD also list there, using the matchingRuleUse attribute, the
634	   attribute types with which each matching rule can be used.  More
635	   information is given in section 4.4 of [5].

637	4.1.10. Result Message

639	   The LDAPResult is the construct used in this protocol to return
640	   success or failure indications from servers to clients. In response
641	   to various requests servers will return responses containing fields
642	   of type LDAPResult to indicate the final status of a protocol
643	   operation request.

645	        LDAPResult ::= SEQUENCE {
646	                resultCode      ENUMERATED {
647	                             success                      (0),
648	                             operationsError              (1),
649	                             protocolError                (2),
650	                             timeLimitExceeded            (3),
651	                             sizeLimitExceeded            (4),
652	                             compareFalse                 (5),
653	                             compareTrue                  (6),

655	                             authMethodNotSupported       (7),
656	                             strongAuthRequired           (8),
657	                                        -- 9 reserved --
658	                             referral                     (10),  -- new
659	                             adminLimitExceeded           (11),  -- new
660	                             unavailableCriticalExtension (12),  -- new
661	                             confidentialityRequired      (13),  -- new
662	                                        -- 14-15 unused --
663	                             noSuchAttribute              (16),
664	                             undefinedAttributeType       (17),
665	                             inappropriateMatching        (18),
666	                             constraintViolation          (19),
667	                             attributeOrValueExists       (20),
668	                             invalidAttributeSyntax       (21),
669	                                        -- 22-31 unused --
670	                             noSuchObject                 (32),
671	                             aliasProblem                 (33),
672	                             invalidDNSyntax              (34),
673	                             -- 35 reserved for undefined isLeaf --
674	                             aliasDereferencingProblem    (36),
675	                                        -- 37-47 unused --
676	                             inappropriateAuthentication  (48),
677	                             invalidCredentials           (49),
678	                             insufficientAccessRights     (50),
679	                             busy                         (51),
680	                             unavailable                  (52),
681	                             unwillingToPerform           (53),
682	                             loopDetect                   (54),
683	                                        -- 55-63 unused --

685	                             namingViolation              (64),
686	                             objectClassViolation         (65),
687	                             notAllowedOnNonLeaf          (66),
688	                             notAllowedOnRDN              (67),
689	                             entryAlreadyExists           (68),
690	                             objectClassModsProhibited    (69),
691	                                        -- 70 reserved for CLDAP --
692	                             affectsMultipleDSAs          (71), -- new
693	                                        -- 72-79 unused --
694	                             other                        (80) },
695	                             -- 81-90 reserved for APIs --
696	                matchedDN       LDAPDN,
697	                errorMessage    LDAPString,
698	                referral        [3] Referral OPTIONAL }

700	   All the result codes with the exception of success, compareFalse and
701	   compareTrue are to be treated as meaning the operation could not be
702	   completed in its entirety.

704	   Most of the result codes are based on problem indications from X.511
705	   error data types.  Result codes from 16 to 21 indicate an
706	   AttributeProblem, codes 32, 33, 34 and 36 indicate a NameProblem,
707	   codes 48, 49 and 50 indicate a SecurityProblem, codes 51 to 54
708	   indicate a ServiceProblem, and codes 64 to 69 and 71 indicates an
709	   UpdateProblem.

711	   If a client receives a result code which is not listed above, it is
712	   to be treated as an unknown error condition.

714	   The errorMessage field of this construct may, at the server's option,
715	   be used to return a string containing a textual, human-readable
716	   (terminal control and page formatting characters should be avoided)
717	   error diagnostic. As this error diagnostic is not standardized,
718	   implementations MUST NOT rely on the values returned.  If the server
719	   chooses not to return a textual diagnostic, the errorMessage field of
720	   the LDAPResult type MUST contain a zero length string.

722	   For result codes of noSuchObject, aliasProblem, invalidDNSyntax
723	   and aliasDereferencingProblem, the matchedDN field is set to
724	   the name of the lowest entry (object or alias) in the directory that
725	   was matched.  If no aliases were dereferenced while attempting to
726	   locate the entry, this will be a truncated form of the name provided,
727	   or if aliases were dereferenced, of the resulting name, as defined in
728	   section 12.5 of X.511 [15]. The matchedDN field is to be set to a
729	   zero length string with all other result codes.

731	4.1.11. Referral

733	   The referral field is present in an LDAPResult if the
734	   LDAPResult.resultCode field value is referral, and absent with all
735	   other result codes.  It contains a reference to another server (or
736	   set of servers) which may be accessed via LDAP or other protocols.
737	   Referrals can be returned in responses to any operation request
738	   (except unbind and abandon which do not have responses). At least one
739	   LDAPURL MUST be present in the reference.

741	        Referral ::= SEQUENCE OF LDAPURL

743	        LDAPURL ::= LDAPString -- limited to characters permitted in URLs

745	   The client MUST contact one of the listed URLs [7] of servers to
746	   continue the request. Each server in the list MUST be capable of
747	   processing the operation and presenting a consistent view of the
748	   directory to the client, so the client may choose any URL in the
749	   list. (The mechanisms for how servers achieve this are outside the
750	   scope of this document.)

752	   URLs for servers implementing the LDAP protocol are written according
753	   to [9].  If an alias was dereferenced, the <dn> part of the URL MUST
754	   be present, with the new target object name.  If this is present,
755	   the client MUST use this name in its next request to progress the
756	   operation, and if it is not present the client will use the same name
757	   as in the original request.  Some servers (e.g. participating in
758	   distributed indexing) may provide an different filter in a referral
759	   for a search operation.  If the filter part of the URL is present in
760	   an LDAPURL, the client MUST use this filter in its next request to
761	   progress this search, and if it is not present the client MUST use
762	   the same filter as it used for that search.

764	   Note that UTF-8 characters appearing in a DN or search filter may not
765	   be legal for URLs (e.g. spaces) and MUST be escaped using the % method
766	   in RFC 1738.

768	   Other kinds of URLs may be returned, so long as the operation could be
769	   performed using that protocol.

771	4.1.12. Controls

773	   A control is a way to specify extension information. Controls which
774	   are sent as part of a request apply only to that request and are not
775	   saved.

777	        Controls ::= SEQUENCE OF Control

779	        Control ::= SEQUENCE {
780	                controlType             LDAPOID,
781	                criticality             BOOLEAN DEFAULT FALSE,
782	                controlValue            OCTET STRING OPTIONAL }

784	   The controlType field MUST be a UTF-8 encoded dotted-decimal
785	   representation of an OBJECT IDENTIFIER which uniquely identifies the
786	   control.  This prevents conflicts between control names.

788	   The criticality field is either TRUE or FALSE.

790	   If the server recognizes the control type and it is appropriate for
791	   the operation, the server will make use of the control when
792	   performing the operation.

794	   If the server does not recognize the control type and the criticality
795	   field is TRUE, the server MUST NOT perform the operation, and MUST
796	   instead return the resultCode unsupportedCriticalExtension.

798	   If the control is not appropriate for the operation and criticality
799	   field is TRUE, the server MUST NOT perform the operation, and MUST
800	   instead return the resultCode unsupportedCriticalExtension.

802	   If the control is unrecognized or inappropriate but the criticality
803	   field is FALSE, the server MUST ignore the control.

805	   The controlValue contains any information associated with the control,
806	   and its format is defined for the control.  The server MUST be
807	   prepared to handle arbitrary contents of the controlValue octet
808	   string, including zero bytes.  It is absent only if there is no value
809	   information which is associated with a control of its type.

811	   This document does not define any controls.  Controls may be defined
812	   in other documents.  The definition of a control consists of:

814	     - the OBJECT IDENTIFIER assigned to the control,

816	     - whether the control is always noncritical, always critical, or
817	       critical at the client's option,

819	     - the format of the controlValue contents of the control.

821	   Servers list the controls which they recognize in the supportedControl
822	   attribute in the root DSE.

824	4.2. Bind Operation

826	   The function of the Bind Operation is to allow authentication
827	   information to be exchanged between the client and server.

829	   The Bind Request is defined as follows:

831	        BindRequest ::= [APPLICATION 0] SEQUENCE {
832	                version                 INTEGER (1 .. 127),
833	                name                    LDAPDN,
834	                authentication          AuthenticationChoice }

836	        AuthenticationChoice ::= CHOICE {
837	                simple                  [0] OCTET STRING,
838	                                         -- 1 and 2 reserved
839	                sasl                    [3] SaslCredentials }

841	        SaslCredentials ::= SEQUENCE {
842	                mechanism               LDAPString,
843	                credentials             OCTET STRING OPTIONAL }

845	   Parameters of the Bind Request are:

847	   - version: A version number indicating the version of the protocol to
848	     be used in this protocol session.  This document describes version
849	     3 of the LDAP protocol.  Note that there is no version negotiation,
850	     and the client just sets this parameter to the version it desires.
851	     If the client requests protocol version 2, a server that supports
852	     the version 2 protocol as described in [2] will not return any
853	     v3-specific protocol fields.  (Note that not all LDAP servers will
854	     support protocol version 2, since they may be unable to generate
855	     the attribute syntaxes associated with version 2.)

857	   - name: The name of the directory object that the client wishes to
858	     bind as.  This field may take on a null value (a zero length
859	     string) for the purposes of anonymous binds, when authentication
860	     has been performed at a lower layer, or when using SASL credentials
861	     with a mechanism that includes the LDAPDN in the credentials.

863	   - authentication: information used to authenticate the name, if any,
864	     provided in the Bind Request.

866	   Upon receipt of a Bind Request, a protocol server will authenticate
867	   the requesting client, if necessary.  The server will then return a
868	   Bind Response to the client indicating the status of the
869	   authentication.

871	   Authorization is the use of this authentication information when
872	   performing operations.  Authorization MAY be affected by factors
873	   outside of the LDAP Bind request, such as lower layer security
874	   services.

876	4.2.1. Sequencing of the Bind Request

878	   For some SASL authentication mechanisms, it may be necessary for the
879	   client to invoke the BindRequest multiple times.  If at any stage the
880	   client wishes to abort the bind process it MAY unbind and then drop
881	   the underlying connection.  Clients MUST NOT invoke operations
882	   between two Bind requests made as part of a multi-stage bind.

884	   A client may abort a SASL bind negotiation by sending a BindRequest
885	   with a different value in the mechanism field of SaslCredentials,
886	   or an AuthenticationChoice other than sasl.

888	   If the client sends a BindRequest with the sasl mechanism field as
889	   an empty string, the server MUST return a BindResponse with
890	   authMethodNotSupported as the resultCode.  This will allow clients
891	   to abort a negotiation if it wishes to try again with the same SASL
892	   mechanism.

894	   Unlike LDAP v2, the client need not send a Bind Request in the first
895	   PDU of the connection.  The client may request any operations and the
896	   server MUST treat these as unauthenticated. If the server requires
897	   that the client bind before browsing or modifying the directory, the
898	   server MAY reject a request other than binding, unbinding or an
899	   extended request with the "operationsError" result.

901	   If the client did not bind before sending a request and receives an
902	   operationsError, it may then send a Bind Request.  If this also fails
903	   or the client chooses not to bind on the existing connection, it will
904	   close the connection, reopen it and begin again by first sending a PDU
905	   with a Bind Request.  This will aid in interoperating with servers
906	   implementing other versions of LDAP.

908	   Clients MAY send multiple bind requests on a connection to change
909	   their credentials.  A subsequent bind process has the effect of
910	   abandoning all operations outstanding on the connection.  (This
911	   simplifies server implementation.)  Authentication from earlier binds
912	   are subsequently ignored, and so if the bind fails, the connection
913	   will be treated as anonymous. If a SASL transfer encryption or
914	   integrity mechanism has been negotiated, and that mechanism does not
915	   support the changing of credentials from one identity to another,
916	   then the client MUST instead establish a new connection.

918	4.2.2. Authentication and Other Security Services

920	   The simple authentication option provides minimal authentication
921	   facilities, with the contents of the authentication field consisting
922	   only of a cleartext password.  Note that the use of cleartext
923	   passwords is not recommended over open networks when there is no
924	   authentication or encryption being performed by a lower layer; see
925	   the "Security Considerations" section.

927	   If no authentication is to be performed, then the simple
928	   authentication option MUST be chosen, and the password be of zero
929	   length.  (This is often done by LDAPv2 clients.)  Typically the
930	   DN is also of zero length.

932	   The sasl choice allows for any mechanism defined for use with SASL
933	   [12].  The mechanism field contains the name of the mechanism.  The
934	   credentials field contains the arbitrary data used for authentication,
935	   inside an OCTET STRING wrapper.  Note that unlike some Internet
936	   application protocols where SASL is used, LDAP is not text-based,
937	   thus no base64 transformations are performed on the credentials.

939	   If any SASL-based integrity or confidentiality services are enabled,
940	   they take effect following the transmission by the server and
941	   reception by the client of the final BindResponse with resultCode
942	   success.

944	   The client can request that the server use authentication information
945	   from a lower layer protocol, such as TLS [8], by using the SASL
946	   EXTERNAL mechanism.

948	4.2.3. Bind Response

950	   The Bind Response is defined as follows.

952	        BindResponse ::= [APPLICATION 1] SEQUENCE {
953	             COMPONENTS OF LDAPResult,
954	             serverSaslCreds    [7] OCTET STRING OPTIONAL }

956	   A BindResponse consists simply of an indication from the server of
957	   the status of the client's request for authentication.

959	   If the bind was successful, the resultCode will be success,
960	   otherwise it will be one of:

962	    - operationsError: server encountered an internal error,

964	    - protocolError: unrecognized version number or incorrect PDU
965	      structure,

967	    - authMethodNotSupported: unrecognized SASL mechanism name,

969	    - strongAuthRequired: the server requires authentication be
970	      performed with a SASL mechanism,

972	    - referral: this server cannot accept this bind and the client
973	      should try another,

975	    - inappropriateAuthentication: the server requires the client
976	      which had attempted to bind anonymously or without supplying
977	      credentials to provide some form of credentials,

979	    - invalidCredentials: the wrong password was supplied or the SASL
980	      credentials could not be processed,

982	    - unavailable: the server is shutting down.

984	   If the server does not support the client's requested protocol
985	   version, it MUST set the resultCode to protocolError.

987	   If the client receives a BindResponse response where the resultCode
988	   was protocolError, it MUST close the connection as the server will be
989	   unwilling to accept further operations.  (This is for compatibility
990	   with earlier versions of LDAP, in which the bind was always the first
991	   operation, and there was no negotiation.)

993	   The serverSaslCreds are used as part of a SASL-defined bind mechanism
994	   to allow the client to authenticate the server to which it is
995	   communicating, or to perform "challenge-response" authentication.
996	   If the client bound with the password choice, or the SASL mechanism
997	   does not require the server to return information to the client, then
998	   this field is not to be included in the result.

1000	4.3. Unbind Operation

1002	   The function of the Unbind Operation is to terminate a protocol
1003	   session.  The Unbind Operation is defined as follows:

1005	        UnbindRequest ::= [APPLICATION 2] NULL

1007	   The Unbind Operation has no response defined. Upon transmission of an
1008	   UnbindRequest, a protocol client may assume that the protocol session
1009	   is terminated. Upon receipt of an UnbindRequest, a protocol server
1010	   may assume that the requesting client has terminated the session and
1011	   that all outstanding requests may be discarded, and may close the
1012	   connection.

1014	4.4. Unsolicited Notification

1016	   An unsolicited notification is an LDAPMessage sent from the server to
1017	   the client which is not in response to any LDAPMessage received by
1018	   the server. It is used to signal an extraordinary condition in the
1019	   server or in the connection between the client and the server.  The
1020	   notification is of an advisory nature, and the server will not expect
1021	   any response to be returned from the client.

1023	   The unsolicited notification is structured as an LDAPMessage in which
1024	   the messageID is 0 and protocolOp is of the extendedResp form.  The
1025	   responseName field of the ExtendedResponse is present. The LDAPOID
1026	   value MUST be unique for this notification, and not be used in any
1027	   other situation.

1029	   One unsolicited notification is defined in this document.

1031	4.4.1. Notice of Disconnection

1033	   This notification may be used by the server to advise the client that
1034	   the server is about to close the connection due to an error condition.
1035	   Note that this notification is NOT a response to an unbind requested
1036	   by the client: the server MUST follow the procedures of section 4.3.
1037	   This notification is intended to assist clients in distinguishing
1038	   between an error condition and a transient network failure.  As with
1039	   a connection close due to network failure, the client MUST NOT assume
1040	   that any outstanding requests which modified the directory have
1041	   succeeded or failed.

1043	   The responseName is 1.3.6.1.4.1.1466.20036, the response field is
1044	   absent, and the resultCode is used to indicate the reason for the
1045	   disconnection.

1047	   The following resultCode values are to be used in this notification:

1049	   - protocolError: The server has received data from the client in which
1050	     the LDAPMessage structure could not be parsed.

1052	   - strongAuthRequired: The server has detected that an established
1053	     underlying security association protecting communication between the
1054	     client and server has unexpectedly failed or been compromised.

1056	   - unavailable: This server will stop accepting new connections and
1057	     operations on all existing connections, and be unavailable for an
1058	     extended period of time.  The client may make use of an alternative
1059	     server.

1061	   After sending this notice, the server MUST close the connection.
1062	   After receiving this notice, the client MUST NOT transmit any further
1063	   on the connection, and may abruptly close the connection.

1065	4.5. Search Operation

1067	   The Search Operation allows a client to request that a search be
1068	   performed on its behalf by a server.  This can be used to read
1069	   attributes from a single entry, from entries immediately below a
1070	   particular entry, or a whole subtree of entries.

1072	4.5.1. Search Request

1074	   The Search Request is defined as follows:

1076	        SearchRequest ::= [APPLICATION 3] SEQUENCE {
1077	                baseObject      LDAPDN,
1078	                scope           ENUMERATED {
1079	                        baseObject              (0),
1080	                        singleLevel             (1),
1081	                        wholeSubtree            (2) },
1082	                derefAliases    ENUMERATED {
1083	                        neverDerefAliases       (0),
1084	                        derefInSearching        (1),
1085	                        derefFindingBaseObj     (2),
1086	                        derefAlways             (3) },
1087	                sizeLimit       INTEGER (0 .. maxInt),
1088	                timeLimit       INTEGER (0 .. maxInt),
1089	                typesOnly       BOOLEAN,
1090	                filter          Filter,
1091	                attributes      AttributeDescriptionList }

1093	        Filter ::= CHOICE {
1094	                and             [0] SET OF Filter,
1095	                or              [1] SET OF Filter,
1096	                not             [2] Filter,
1097	                equalityMatch   [3] AttributeValueAssertion,
1098	                substrings      [4] SubstringFilter,
1099	                greaterOrEqual  [5] AttributeValueAssertion,
1100	                lessOrEqual     [6] AttributeValueAssertion,
1101	                present         [7] AttributeDescription,
1102	                approxMatch     [8] AttributeValueAssertion,
1103	                extensibleMatch [9] MatchingRuleAssertion }

1105	        SubstringFilter ::= SEQUENCE {
1106	                type            AttributeDescription,
1107	                -- at least one must be present
1108	                substrings      SEQUENCE OF CHOICE {
1109	                        initial [0] LDAPString,
1110	                        any     [1] LDAPString,
1111	                        final   [2] LDAPString } }

1113	        MatchingRuleAssertion ::= SEQUENCE {
1114	                matchingRule    [1] MatchingRuleId OPTIONAL,
1115	                type            [2] AttributeDescription OPTIONAL,
1116	                matchValue      [3] AssertionValue,
1117	                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

1119	   Parameters of the Search Request are:

1121	   - baseObject: An LDAPDN that is the base object entry relative to
1122	     which the search is to be performed.

1124	   - scope: An indicator of the scope of the search to be performed. The
1125	     semantics of the possible values of this field are identical to the
1126	     semantics of the scope field in the X.511 Search Operation.
1127	   - derefAliases: An indicator as to how alias objects (as defined in
1128	     X.501) are to be handled in searching.  The semantics of the
1129	     possible values of this field are:

1131	             neverDerefAliases: do not dereference aliases in searching
1132	             or in locating the base object of the search;

1134	             derefInSearching: dereference aliases in subordinates of
1135	             the base object in searching, but not in locating the
1136	             base object of the search;

1138	             derefFindingBaseObj: dereference aliases in locating
1139	             the base object of the search, but not when searching
1140	             subordinates of the base object;

1142	             derefAlways: dereference aliases both in searching and in
1143	             locating the base object of the search.

1145	   - sizelimit: A sizelimit that restricts the maximum number of entries
1146	     to be returned as a result of the search. A value of 0 in this
1147	     field indicates that no client-requested sizelimit restrictions are
1148	     in effect for the search.  Servers may enforce a maximum number of
1149	     entries to return.

1151	   - timelimit: A timelimit that restricts the maximum time (in seconds)
1152	     allowed for a search. A value of 0 in this field indicates that no
1153	     client-requested timelimit restrictions are in effect for the
1154	     search.

1156	   - typesOnly: An indicator as to whether search results will contain
1157	     both attribute types and values, or just attribute types.  Setting
1158	     this field to TRUE causes only attribute types (no values) to be
1159	     returned.  Setting this field to FALSE causes both attribute types
1160	     and values to be returned.

1162	   - filter: A filter that defines the conditions that must be fulfilled
1163	     in order for the search to match a given entry.  The 'and', 'or' and
1164	     'not' choices may be used to form combinations of filters.
1165	     At least one filter element MUST be present in an 'and' or 'or'
1166	     choice.  The others match against individual attribute values of
1167	     entries in the scope of the search.

1169	     (Implementor's note: the 'not' filter is an example of a tagged
1170	      choice in an implicitly-tagged module.  In BER this is treated as
1171	      if the tag was explicit.)

1173	     A server MUST evaluate filters according to the three-valued logic
1174	     of X.511(93) section 7.8.1.  In summary, a filter is evaluated to
1175	     either "TRUE", "FALSE" or "Undefined".  If the filter evaluates
1176	     to TRUE for a particular entry, then the attributes of that entry
1177	     are returned as part of the search result. If the filter evaluates
1178	     to FALSE or Undefined, then the entry is ignored for the search.

1180	     A filter of the "and" choice is TRUE if all the filters in the SET
1181	     OF evaluate to TRUE, FALSE if at least one filter is FALSE, and
1182	     otherwise Undefined.  A filter of the "or" choice is FALSE if all
1183	     of the filters in the SET OF evaluate to FALSE, TRUE if at least
1184	     one filter is TRUE, and Undefined otherwise.  A filter of the "not"
1185	     choice is TRUE if the filter being negated is FALSE, FALSE if it is
1186	     TRUE, and Undefined if it is Undefined.

1188	     The present match evaluates to TRUE where there is an attribute or
1189	     subtype of the specified attribute description present in an entry,
1190	     and FALSE otherwise (including a presence test with an unrecognized
1191	     attribute description.) The present match only evaluates to
1192	     Undefined if access controls in the server prevent this filter
1193	     evaluation.

1195	     The extensibleMatch is new in this version of LDAP.  If the
1196	     matchingRule field is absent, the type field MUST be present, and
1197	     the equality match is performed for that type.  If the type field is
1198	     absent and matchingRule is present, the matchValue is compared
1199	     against all attributes in an entry which support that matchingRule,
1200	     and the matchingRule determines the syntax for the assertion value.
1201	     If the type field is present and matchingRule is present, the
1202	     matchingRule MUST be one permitted for use with that type.
1203	     If the dnAttributes field is set to TRUE, the match is applied
1204	     against all the attributes in an entry's distinguished name as
1205	     well.  (Editors note: The dnAttributes field is present so that
1206	     there does not need to be multiple versions of generic matching
1207	     rules such as wordMatch, one to apply to entries and another to
1208	     apply to entries and dn attributes as well).

1210	     If an attribute description in an equalityMatch, substrings,
1211	     greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch
1212	     filter is not recognized by the server, a matching rule id in the
1213	     extensibleMatch is not recognized by the server, or the type of
1214	     filtering requested is not implemented, then the filter is
1215	     Undefined.  Thus for example if a server did not recognize the
1216	     attribute type shoeSize, a filter of (shoeSize=*) would evaluate
1217	     to FALSE, and the filters (shoeSize=12), (shoeSize>=12) and
1218	     (shoeSize<=12) would evaluate to Undefined.

1220	     A server may return the error inappropriateMatching if it does not
1221	     permit a particular form of matching (e.g. substrings match on an
1222	     integer value). Servers may return the error invalidAttributeSyntax
1223	     if the value part of a search filter is improperly specified.
1224	     Servers do not return errors if attribute descriptions or matching
1225	     rule ids are not recognized.  More details of filter processing are
1226	     given in section 7.8 of X.511 [15].

1228	   - attributes: A list of the attributes from each entry found as a
1229	     result of the search to be returned. An empty list signifies that
1230	     all user attributes from each entry found in the search are to be
1231	     returned, as does the special attribute description string "*". (the
1232	     latter technique allows the client to request all user attributes
1233	     along with selected operational attributes).  If the client does not
1234	     want any attributes returned, it can request only the attribute with
1235	     OID "1.1" (this OID is arbitrary).  Attributes MUST be named at
1236	     most once in the list, and are returned at most once in an entry.

1238	     Servers MUST ignore requests for unrecognized attribute types.  If
1239	     no attributes specified by the client are recognized, then no
1240	     attributes will be included in the result entries.

1242	     Client implementors should note that even if all user attributes are
1243	     requested, some attributes of the entry may not be included in
1244	     search results due to access control or other restrictions.
1245	     Furthermore, servers will not return operational attributes, such
1246	     as objectClasses or attributeTypes, unless they are listed by name,
1247	     since there may be extremely large number of values for certain
1248	     operational attributes. (A list of operational attributes for use
1249	     in LDAP is given in [5].)

1251	   Note that an X.500 "list"-like operation can be emulated by the client
1252	   requesting a one-level LDAP search operation with a filter checking
1253	   for the existence of the objectClass attribute, and that an X.500
1254	   "read"-like operation can be emulated by a base object LDAP search
1255	   operation with the same filter.  A server which provides a gateway to
1256	   X.500 is not required to use the Read or List operations, although it
1257	   may choose to do so.

1259	4.5.2. Search Result

1261	   The results of the search attempted by the server upon receipt of a
1262	   Search Request are returned in Search Responses, which are LDAP
1263	   messages containing either SearchResultEntry, SearchResultReference,
1264	   ExtendedResponse or SearchResultDone data types.

1266	        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
1267	                objectName      LDAPDN,
1268	                attributes      PartialAttributeList }

1270	        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
1271	                type    AttributeDescription,
1272	                vals    SET OF AttributeValue }
1273	        -- implementors should note that the PartialAttributeList may
1274	        -- have zero elements (if none of the attributes of that entry
1275	        -- were requested, or could be returned), and that the vals set
1276	        -- may also have zero elements (if types only was requested, or
1277	        -- all values were excluded from the result.)

1279	        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
1280	        -- at least one LDAPURL element must be present

1282	        SearchResultDone ::= [APPLICATION 5] LDAPResult

1284	   Upon receipt of a Search Request, a server will perform the necessary
1285	   search of the DIT.

1287	   If the LDAP session is operating over a connection-oriented transport
1288	   such as TCP, the server will return to the client a sequence of
1289	   responses in separate LDAP messages.  There may be zero or more
1290	   responses containing SearchResultEntry, one for each entry found
1291	   during the search.  There may also be zero or more responses
1292	   containing SearchResultReference, one for each area not explored by
1293	   this server during the search.  The SearchResultEntry and
1294	   SearchResultReference PDUs may come in any order. Following all the
1295	   SearchResultReference responses and all SearchResultEntry responses
1296	   to be returned by the server, the server will return a response
1297	   containing the SearchResultDone, which contains an indication of
1298	   success, or detailing any errors that have occurred.

1300	   Each entry returned in a SearchResultEntry will contain all
1301	   attributes, complete with associated values if necessary, as
1302	   specified in the attributes field of the Search Request.  Return of
1303	   attributes is subject to access control and other administrative
1304	   policy.  Some attributes may be returned in binary format (indicated
1305	   by the AttributeDescription in the response having the binary option
1306	   present).

1308	   Some attributes may be constructed by the server and appear in a
1309	   SearchResultEntry attribute list, although they are not stored
1310	   attributes of an entry. Clients MUST NOT assume that all attributes
1311	   can be modified, even if permitted by access control.

1313	   Response LDAPMessages of the ExtendedResponse form are reserved for
1314	   returning information associated with a control requested by the
1315	   client.  These may be defined in future versions of this document.

1317	4.5.3. Continuation References in the Search Result

1319	   If the server was able to locate the entry referred to by the
1320	   baseObject but was unable to search all the entries in the scope at
1321	   and under the baseObject, the server may return one or more
1322	   SearchResultReference, each containing a reference to another set of
1323	   servers for continuing the operation.  The server will return
1324	   a SearchResultReference for each new base object with a
1325	   particular scope and filter.  A server MUST NOT return any
1326	   SearchResultReference if it has not located the baseObject and
1327	   thus has not searched any entries; in this case it would return a
1328	   SearchResultDone containing a referral resultCode.

1330	   The SearchResultReference is of the same data type as the Referral.
1331	   URLs for servers implementing the LDAP protocol are written according
1332	   to [9].  The <dn> part MUST be present in the URL, with the new target
1333	   object name.  The client MUST use this name in its next request.
1334	   Some servers (e.g. part of a distributed index exchange system) may
1335	   provide a different filter in the URLs of the SearchResultReference.
1336	   If the filter part of the URL is present in an LDAP URL, the client
1337	   MUST use the new filter in its next request to progress the search,
1338	   and if the filter part is absent the client will use again the filter
1339	   from the original search.

1341	   Other kinds of URLs may be returned so long as the operation could be
1342	   performed using that protocol.

1344	   The name of an unexplored subtree in a SearchResultReference need not
1345	   be subordinate to the base object.

1347	   In order to complete the search, the client MUST issue a new search
1348	   operation for each SearchResultReference that is returned.  Note that
1349	   the abandon operation described in section 4.11 applies only to a
1350	   particular operation sent on a connection between a client and server,
1351	   and if the client has multiple outstanding search operations to
1352	   different servers, it MUST abandon each operation individually.

1354	4.5.3.1. Example

1356	   For example, suppose the contacted server (hosta) holds the entry
1357	   "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW".  It knows that
1358	   either LDAP-capable servers (hostb) or (hostc) hold
1359	   "OU=People,O=MNN,C=WW" (one is the master and the other server a
1360	   shadow), and that LDAP-capable server (hostd) holds the subtree
1361	   "OU=Roles,O=MNN,C=WW".  If a subtree search of "O=MNN,C=WW" is
1362	   requested to the contacted server, the server may return the
1363	   following responses:

1365	     SearchResultEntry for O=MNN,C=WW
1366	     SearchResultEntry for CN=Manager,O=MNN,C=WW
1367	     SearchResultReference {
1368	       ldap://hostb/OU=People,O=MNN,C=WW
1369	       ldap://hostc/OU=People,O=MNN,C=WW
1370	     }
1371	     SearchResultReference {
1372	       ldap://hostd/OU=Roles,O=MNN,C=WW
1373	     }
1374	     SearchResultDone (success)

1376	   Client implementors should note that when following a
1377	   SearchResultReference, additional SearchResultReference may be
1378	   generated.  Continuing the example, if the client contacted the
1379	   server (hostb) and issued the search for the subtree
1380	   "OU=People,O=MNN,C=WW", the server might respond as follows:

1382	     SearchResultEntry for OU=People,O=MNN,C=WW
1383	     SearchResultReference {
1384	      ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
1385	     }
1386	     SearchResultReference {
1387	      ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
1388	     }
1389	     SearchResultDone (success)

1391	   If the contacted server does not hold the base object for the search,
1392	   then it will return a referral to the client.  For example, if the
1393	   client requests a subtree search of "O=XYZ,C=US" to hosta, the server
1394	   may return only a SearchResultDone containing a referral.

1396	     SearchResultDone (referral) {
1397	       ldap://hostg/O=XYZ,C=US
1398	     }

1400	4.6. Modify Operation

1402	   The Modify Operation allows a client to request that a modification
1403	   of an entry be performed on its behalf by a server.  The Modify
1404	   Request is defined as follows:

1406	        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
1407	                object          LDAPDN,
1408	                modification    SEQUENCE OF SEQUENCE {
1409	                        operation       ENUMERATED {
1410	                                                add     (0),
1411	                                                delete  (1),
1412	                                                replace (2) },
1413	                        modification    AttributeTypeAndValues } }

1415	        AttributeTypeAndValues ::= SEQUENCE {
1416	                type    AttributeDescription,
1417	                vals    SET OF AttributeValue }

1419	   Parameters of the Modify Request are:

1421	   - object: The object to be modified. The value of this field contains
1422	     the DN of the entry to be modified.  The server will not perform
1423	     any alias dereferencing in determining the object to be modified.

1425	   - modification: A list of modifications to be performed on the entry.
1426	     The entire list of entry modifications MUST be performed
1427	     in the order they are listed, as a single atomic operation.  While
1428	     individual modifications may violate the directory schema, the
1429	     resulting entry after the entire list of modifications is performed
1430	     MUST conform to the requirements of the directory schema. The
1431	     values that may be taken on by the 'operation' field in each
1432	     modification construct have the following semantics respectively:

1434	             add: add values listed to the given attribute, creating
1435	             the attribute if necessary;

1437	             delete: delete values listed from the given attribute,
1438	             removing the entire attribute if no values are listed, or
1439	             if all current values of the attribute are listed for
1440	             deletion;

1442	             replace: replace all existing values of the given attribute
1443	             with the new values listed, creating the attribute if it
1444	             did not already exist.  A replace with no value will delete
1445	             the entire attribute.

1447	   The result of the modify attempted by the server upon receipt of a
1448	   Modify Request is returned in a Modify Response, defined as follows:

1450	        ModifyResponse ::= [APPLICATION 7] LDAPResult
1451	   Upon receipt of a Modify Request, a server will perform the necessary
1452	   modifications to the DIT.

1454	   The server will return to the client a single Modify Response
1455	   indicating either the successful completion of the DIT modification,
1456	   or the reason that the modification failed. Note that due to the
1457	   requirement for atomicity in applying the list of modifications in
1458	   the Modify Request, the client may expect that no modifications of
1459	   the DIT have been performed if the Modify Response received indicates
1460	   any sort of error, and that all requested modifications have been
1461	   performed if the Modify Response indicates successful completion of
1462	   the Modify Operation.  If the connection fails, whether the
1463	   modification occurred or not is indeterminate.

1465	   The Modify Operation cannot be used to remove from an entry any of
1466	   its distinguished values, those values which form the entry's
1467	   relative distinguished name.  An attempt to do so will result in the
1468	   server returning the error notAllowedOnRDN.  The Modify DN Operation
1469	   described in section 4.9 is used to rename an entry.

1471	   Note that due to the simplifications made in LDAP, there is not a
1472	   direct mapping of the modifications in an LDAP ModifyRequest onto the
1473	   EntryModifications of a DAP ModifyEntry operation, and different
1474	   implementations of LDAP-DAP gateways may use different means of
1475	   representing the change.  If successful, the final effect of the
1476	   operations on the entry MUST be identical.

1478	4.7. Add Operation

1480	   The Add Operation allows a client to request the addition of an entry
1481	   into the directory. The Add Request is defined as follows:

1483	        AddRequest ::= [APPLICATION 8] SEQUENCE {
1484	                entry           LDAPDN,
1485	                attributes      AttributeList }

1487	        AttributeList ::= SEQUENCE OF SEQUENCE {
1488	                type    AttributeDescription,
1489	                vals    SET OF AttributeValue }

1491	   Parameters of the Add Request are:

1493	   - entry: the Distinguished Name of the entry to be added. Note that
1494	     the server will not dereference any aliases in locating the entry
1495	     to be added.

1497	   - attributes: the list of attributes that make up the content of the
1498	     entry being added.  Clients MUST include distinguished values (those
1499	     forming the entry's own RDN) in this list, the objectClass
1500	     attribute, and values of any mandatory attributes of the listed
1501	     object classes.  Clients MUST NOT supply the createTimestamp or
1502	     creatorsName attributes, since these will be generated
1503	     automatically by the server.

1505	   The entry named in the entry field of the AddRequest MUST NOT exist
1506	   for the AddRequest to succeed.  The parent of the entry to be added
1507	   MUST exist.  For example, if the client attempted to add
1508	   "CN=JS,O=Foo,C=US", the "O=Foo,C=US" entry did not exist, and the
1509	   "C=US" entry did exist, then the server would return the error
1510	   noSuchObject with the matchedDN field containing "C=US".  If the
1511	   parent entry exists but is not in a naming context held by the
1512	   server, the server SHOULD return a referral to the server holding
1513	   the parent entry.

1515	   Servers implementations SHOULD NOT restrict where entries can be
1516	   located in the directory.  Some servers MAY allow the administrator to
1517	   restrict the classes of entries which can be added to the directory.

1519	   Upon receipt of an Add Request, a server will attempt to perform the
1520	   add requested.  The result of the add attempt will be returned to the
1521	   client in the Add Response.

1523	   The result of the add attempted by the server upon receipt of a Add
1524	   Request is returned in the Add Response, defined as follows:

1526	        AddResponse ::= [APPLICATION 9] LDAPResult

1528	   A response of success indicates that the new entry is present in the
1529	   directory.

1531	4.8. Delete Operation

1533	   The Delete Operation allows a client to request the removal of an
1534	   entry from the directory. The Delete Request is defined as follows:

1536	        DelRequest ::= [APPLICATION 10] LDAPDN

1538	   The Delete Request consists of the Distinguished Name of the
1539	   entry to be deleted. Note that the server will not dereference
1540	   aliases while resolving the name of the target entry to be removed,
1541	   and that only leaf entries (those with no subordinate entries) may be
1542	   deleted with this operation.

1544	   The result of the delete attempted by the server upon receipt of a
1545	   Delete Request is returned in the Delete Response, defined as follows:

1547	        DelResponse ::= [APPLICATION 11] LDAPResult

1549	   Upon receipt of a Delete Request, a server will attempt to perform
1550	   the entry removal requested. The result of the delete attempt will be
1551	   returned to the client in the Delete Response.

1553	4.9. Modify DN Operation

1555	   The Modify DN Operation allows a client to change the leftmost
1556	   (least significant) component of the name of an entry in the
1557	   directory, or to move a subtree of entries to a new location in the
1558	   directory.  The Modify DN Request is defined as follows:

1560	        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
1561	                entry           LDAPDN,
1562	                newrdn          RelativeLDAPDN,
1563	                deleteoldrdn    BOOLEAN,
1564	                newSuperior     [0] LDAPDN OPTIONAL }

1566	   Parameters of the Modify DN Request are:

1568	   - entry: the Distinguished Name of the entry to be changed.  This
1569	     entry may or may not have subordinate entries.

1571	   - newrdn: the RDN that will form the leftmost component of the new
1572	     name of the entry.

1574	   - deleteoldrdn: a boolean parameter that controls whether the old RDN
1575	     attribute values are to be retained as attributes of the entry, or
1576	     deleted from the entry.

1578	   - newSuperior: if present, this is the Distinguished Name of the entry
1579	     which becomes the immediate superior of the existing entry.

1581	   The result of the name change attempted by the server upon receipt of
1582	   a Modify DN Request is returned in the Modify DN Response, defined
1583	   as follows:

1585	        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

1587	   Upon receipt of a ModifyDNRequest, a server will attempt to
1588	   perform the name change. The result of the name change attempt will
1589	   be returned to the client in the Modify DN Response.

1591	   For example, if the entry named in the "entry" parameter was
1592	   "cn=John Smith,c=US", the newrdn parameter was "cn=John Cougar Smith",
1593	   and the newSuperior parameter was absent, then this operation would
1594	   attempt to rename the entry to be "cn=John Cougar Smith,c=US".  If
1595	   there was already an entry with that name, the operation would fail
1596	   with error code entryAlreadyExists.

1598	   If the deleteoldrdn parameter is TRUE, the values forming the old
1599	   RDN are deleted from the entry.  If the deleteoldrdn parameter is
1600	   FALSE, the values forming the old RDN will be retained as
1601	   non-distinguished attribute values of the entry.  The server may
1602	   not perform the operation and return an error code if the setting of
1603	   the deleteoldrdn parameter would cause a schema inconsistency in the
1604	   entry.

1606	   Note that X.500 restricts the ModifyDN operation to only affect
1607	   entries that are contained within a single server.  If the LDAP
1608	   server is mapped onto DAP, then this restriction will apply, and the
1609	   resultCode affectsMultipleDSAs will be returned if this error
1610	   occurred.  In general clients MUST NOT expect to be able to perform
1611	   arbitrary movements of entries and subtrees between servers.

1613	4.10. Compare Operation

1615	   The Compare Operation allows a client to compare an assertion
1616	   provided with an entry in the directory. The Compare Request is
1617	   defined as follows:

1619	        CompareRequest ::= [APPLICATION 14] SEQUENCE {
1620	                entry           LDAPDN,
1621	                ava             AttributeValueAssertion }

1623	   Parameters of the Compare Request are:

1625	   - entry: the name of the entry to be compared with.

1627	   - ava: the assertion with which an attribute in the entry is to be
1628	     compared.

1630	   The result of the compare attempted by the server upon receipt of a
1631	   Compare Request is returned in the Compare Response, defined as
1632	   follows:

1634	        CompareResponse ::= [APPLICATION 15] LDAPResult

1636	   Upon receipt of a Compare Request, a server will attempt to perform
1637	   the requested comparison. The result of the comparison will be
1638	   returned to the client in the Compare Response. Note that errors and
1639	   the result of comparison are all returned in the same construct.

1641	   Note that some directory systems may establish access controls which
1642	   permit the values of certain attributes (such as userPassword) to be
1643	   compared but not read.  In a search result, it may be that an
1644	   attribute of that type would be returned, but with an empty set of
1645	   values.

1647	4.11. Abandon Operation

1649	   The function of the Abandon Operation is to allow a client to request
1650	   that the server abandon an outstanding operation.  The Abandon
1651	   Request is defined as follows:

1653	        AbandonRequest ::= [APPLICATION 16] MessageID

1655	   The MessageID MUST be that of a an operation which was requested
1656	   earlier in this connection.

1658	   (The abandon request itself has its own message id.  This is distinct
1659	    from the id of the earlier operation being abandoned.)

1661	   There is no response defined in the Abandon Operation. Upon
1662	   transmission of an Abandon Operation, a client may expect that the
1663	   operation identified by the Message ID in the Abandon Request has
1664	   been abandoned. In the event that a server receives an Abandon
1665	   Request on a Search Operation in the midst of transmitting
1666	   responses to the search, that server MUST cease transmitting entry
1667	   responses to the abandoned request immediately, and MUST NOT send the
1668	   SearchResponseDone.  Of course, the server MUST ensure that only
1669	   properly encoded LDAPMessage PDUs are transmitted.

1671	   Clients MUST NOT send abandon requests for the same operation multiple
1672	   times, and MUST also be prepared to receive results from operations it
1673	   has abandoned (since these may have been in transit when the abandon
1674	   was requested).

1676	   Servers MUST discard abandon requests for message IDs they do not
1677	   recognize, for operations which cannot be abandoned, and for
1678	   operations which have already been abandoned.

1680	4.12. Extended Operation

1682	   An extension mechanism has been added in this version of LDAP, in
1683	   order to allow additional operations to be defined for services not
1684	   available elsewhere in this protocol, for instance digitally signed
1685	   operations and results.

1687	   The extended operation allows clients to make requests and receive
1688	   responses with predefined syntaxes and semantics.  These may be
1689	   defined in RFCs or be private to particular implementations.  Each
1690	   request MUST have a unique OBJECT IDENTIFIER assigned to it.

1692	        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
1693	                requestName      [0] LDAPOID,
1694	                requestValue     [1] OCTET STRING OPTIONAL }

1696	   The requestName is a dotted-decimal representation of the
1697	   OBJECT IDENTIFIER corresponding to the request.
1698	   The requestValue is information in a form defined by that request,
1699	   encapsulated inside an OCTET STRING.

1701	   The server will respond to this with an LDAPMessage containing the
1702	   ExtendedResponse.

1704	        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
1705	                COMPONENTS OF LDAPResult,
1706	                responseName     [10] LDAPOID OPTIONAL,
1707	                response         [11] OCTET STRING OPTIONAL }

1709	   If the server does not recognize the request name, it MUST return
1710	   only the response fields from LDAPResult, containing the
1711	   protocolError result code.

1713	5.  Protocol Element Encodings and Transfer

1715	   One underlying service is defined here.  Clients and servers SHOULD
1716	   implement the mapping of LDAP over TCP described in 5.2.1.

1718	5.1. Mapping Onto BER-based Transport Services

1720	   The protocol elements of LDAP are encoded for exchange using the
1721	   Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
1722	   high overhead involved in using certain elements of the BER, the
1723	   following additional restrictions are placed on BER-encodings of LDAP
1724	   protocol elements:

1726	   (1) Only the definite form of length encoding will be used.

1728	   (2) OCTET STRINGs will be encoded in the primitive form only.

1730	   (3) If the value of a BOOLEAN type is true, the encoding MUST have
1731	       its contents octets set to hex "FF".

1733	   (4) If a value of a type is its default value, it MUST be absent.
1734	       Only some BOOLEAN and INTEGER types have default values in this
1735	       protocol definition.

1737	   These restrictions do not apply to ASN.1 types encapsulated inside of
1738	   OCTET STRINGs, such as attribute values, unless otherwise noted.

1740	5.2. Transfer Protocols

1742	   This protocol is designed to run over connection-oriented, reliable
1743	   transports, with all 8 bits in an octet being significant in the data
1744	   stream.

1746	5.2.1. Transmission Control Protocol (TCP)

1748	   The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
1749	   It is recommended that server implementations running over the TCP MAY
1750	   provide a protocol listener on the assigned port, 389.  Servers may
1751	   instead provide a listener on a different port number. Clients MUST
1752	   support contacting servers on any valid TCP port.

1754	6.  Implementation Guidelines

1756	   This document describes an Internet protocol. Terms are defined in
1757	   [10].

1759	6.1. Server Implementations

1761	   The server MUST be capable of recognizing all the mandatory attribute
1762	   type names and implement the syntaxes specified in [5].  Servers MAY
1763	   also recognize additional attribute type names.

1765	6.2. Client Implementations

1767	   Clients which request referrals MUST ensure that they do not loop
1768	   between servers. They MUST NOT repeatedly contact the same server
1769	   for the same request with the same target entry name, scope and
1770	   filter.  Some clients may be using a counter that is incremented
1771	   each time referral handling occurs for an operation, and these
1772	   kinds of clients MUST be able to handle a DIT with at least ten
1773	   layers of naming contexts between the root and a leaf entry.

1775	   In the absence of prior agreements with servers, clients SHOULD NOT
1776	   assume that servers support any particular schemas beyond those
1777	   referenced in section 6.1. Different schemas can have different
1778	   attribute types with the same names.  The client can retrieve
1779	   the subschema entries referenced by the subschemaSubentry attribute
1780	   in the server's root DSE or in entries held by the server.

1782	7.  Security Considerations

1784	   When used with a connection-oriented transport, this version of the
1785	   protocol provides facilities for the LDAP v2 authentication mechanism,
1786	   simple authentication using a cleartext password, as well as any SASL
1787	   mechanism [12].  SASL allows for integrity and privacy services to be
1788	   negotiated.

1790	   It is also permitted that the server can return its credentials to the
1791	   client, if it chooses to do so.

1793	   An extension document [8] defines how LDAP can be used with the
1794	   Transport Layer Security (TLS) services, which can provide strong
1795	   authentication, integrity and privacy of the association.

1797	   Use of cleartext password is strongly discouraged where the underlying
1798	   transport service cannot guarantee confidentiality and may result in
1799	   disclosure of the password to unauthorized parties.

1801	   When used with SASL, it should be noted that the name field of the
1802	   BindRequest is not protected against modification.  Thus if the
1803	   distinguished name of the client (an LDAPDN) is agreed through the
1804	   negotiation of the credentials, it takes precedence over any value in
1805	   the unprotected name field.

1807	   Implementations which cache attributes and entries obtained via LDAP
1808	   MUST ensure that access controls are maintained if that information is
1809	   to be provided to multiple clients, since servers may have access
1810	   control policies which prevent the return of entries or attributes in
1811	   search results except to particular authenticated clients.  For
1812	   example, caches could serve result information only to the client
1813	   whose request caused it to be cache.

1815	8.  Acknowledgements

1817	   This document is an update to RFC 1777, by Wengyik Yeong, Tim
1818	   Howes, and Steve Kille.  Design ideas included in this document are
1819	   based on those discussed in ASID and other IETF Working Groups.  The
1820	   contributions of individuals in these working groups is gratefully
1821	   acknowledged.

1823	9.  Bibliography

1825	   [1] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models and
1826	       Service",  1993.

1828	   [2] W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access
1829	       Protocol", RFC 1777, March 1995.

1831	   [3] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
1832	       Specification of Basic Notation", 1994.

1834	   [4] S. Kille, M. Wahl, "A UTF-8 String Representation of Distinguished
1835	       Names", INTERNET-DRAFT <draft-ietf-asid-ldapv3-dn-03.txt>.

1837	   [5] M. Wahl, A. Coulbeck, T. Howes, S. Kille, W. Yeong, C. Robbins,
1838	       "Lightweight Directory Access Protocol Attribute Syntax
1839	       Definitions", INTERNET-DRAFT
1840	       <draft-ietf-asid-ldapv3-attributes-06.txt>, July 1997.

1842	   [6] ITU-T Rec. X.501, "The Directory: Models", 1993.

1844	   [7] T. Berners-Lee, L. Masinter, M. McCahill, "Uniform Resource
1845	        Locators (URL)", RFC 1738, Dec. 1994.

1847	   [8] J. Hodges, B. Morgan, M. Wahl, "Lightweight Directory Access
1848	       Protocol (v3) Extension for Transport Layer Security",
1849	       INTERNET-DRAFT <draft-ietf-asid-ldapv3-tls-01.txt>, June 1997.

1851	   [9] T. Howes, M. Smith, "The LDAP URL Format", INTERNET-DRAFT
1852	       <draft-ietf-asid-ldapv3-url-02.txt>, May 1997.

1854	   [10] S. Bradner, "Key words for use in RFCs to Indicate Requirement
1855	        Levels", RFC 2119.

1857	   [11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic,
1858	        Canonical, and Distinguished Encoding Rules", 1994.

1860	   [12] J. Meyers, "Simple Authentication and Security Layer",
1861	        INTERNET-DRAFT <draft-myers-auth-sasl-11.txt>.

1863	   [13] Universal Multiple-Octet Coded Character Set (UCS) - Architecture
1864	        and Basic Multilingual Plane, ISO/IEC 10646-1 : 1993.

1866	   [14] F. Yergeau, "UTF-8, a transformation format of Unicode and ISO
1867	        10646", RFC 2044, October 1996.

1869	   [15] ITU-T Rec. X.511, "The Directory: Abstract Service Definition",
1870	        1993.

1872	10. Authors' Address

1874	       Mark Wahl
1875	       Critical Angle Inc.
1876	       4815 W Braker Lane #502-385
1877	       Austin, TX 78759
1878	       USA

1880	       Phone:  +1 512 372-3160
1881	       EMail:  M.Wahl@critical-angle.com

1883	       Tim Howes
1884	       Netscape Communications Corp.
1885	       501 E. Middlefield Rd.
1886	       Mountain View, CA 94043
1887	       USA

1889	       Phone:  +1 415 254-1900
1890	       EMail:   howes@netscape.com
1891	       Steve Kille
1892	       Isode Limited
1893	       The Dome, The Square
1894	       Richmond
1895	       TW9 1DT
1896	       UK

1898	       Phone:  +44-181-332-9091
1899	       EMail:  S.Kille@isode.com

1901	Appendix A - Complete ASN.1 Definition

1903	        Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
1904	        IMPLICIT TAGS ::=

1906	        BEGIN

1908	        LDAPMessage ::= SEQUENCE {
1909	                messageID       MessageID,
1910	                protocolOp      CHOICE {
1911	                        bindRequest     BindRequest,
1912	                        bindResponse    BindResponse,
1913	                        unbindRequest   UnbindRequest,
1914	                        searchRequest   SearchRequest,
1915	                        searchResEntry  SearchResultEntry,
1916	                        searchResDone   SearchResultDone,
1917	                        searchResRef    SearchResultReference,
1918	                        modifyRequest   ModifyRequest,
1919	                        modifyResponse  ModifyResponse,
1920	                        addRequest      AddRequest,
1921	                        addResponse     AddResponse,
1922	                        delRequest      DelRequest,
1923	                        delResponse     DelResponse,
1924	                        modDNRequest    ModifyDNRequest,
1925	                        modDNResponse   ModifyDNResponse,
1926	                        compareRequest  CompareRequest,
1927	                        compareResponse CompareResponse,
1928	                        abandonRequest  AbandonRequest,
1929	                        extendedReq     ExtendedRequest,
1930	                        extendedResp    ExtendedResponse },
1931	                 controls       [0] Controls OPTIONAL }

1933	        MessageID ::= INTEGER (0 .. maxInt)

1935	        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

1937	        LDAPString ::= OCTET STRING

1939	        LDAPOID ::= OCTET STRING

1941	        LDAPDN ::= LDAPString

1943	        RelativeLDAPDN ::= LDAPString

1945	        AttributeType ::= LDAPString
1946	        AttributeDescription ::= LDAPString

1948	        AttributeDescriptionList ::= SEQUENCE OF
1949	                AttributeDescription

1951	        AttributeValue ::= OCTET STRING

1953	        AttributeValueAssertion ::= SEQUENCE {
1954	                attributeDesc   AttributeDescription,
1955	                assertionValue  AssertionValue }

1957	        AssertionValue ::= OCTET STRING

1959	        Attribute ::= SEQUENCE {
1960	                type    AttributeDescription,
1961	                vals    SET OF AttributeValue }

1963	        MatchingRuleId ::= LDAPString

1965	        LDAPResult ::= SEQUENCE {
1966	                resultCode      ENUMERATED {
1967	                             success                      (0),
1968	                             operationsError              (1),
1969	                             protocolError                (2),
1970	                             timeLimitExceeded            (3),
1971	                             sizeLimitExceeded            (4),
1972	                             compareFalse                 (5),
1973	                             compareTrue                  (6),
1974	                             authMethodNotSupported       (7),
1975	                             strongAuthRequired           (8),
1976	                                        -- 9 reserved --
1977	                             referral                     (10),  -- new
1978	                             adminLimitExceeded           (11),  -- new
1979	                             unavailableCriticalExtension (12),  -- new
1980	                             confidentialityRequired      (13),  -- new
1981	                                        -- 14-15 unused --
1982	                             noSuchAttribute              (16),
1983	                             undefinedAttributeType       (17),
1984	                             inappropriateMatching        (18),
1985	                             constraintViolation          (19),
1986	                             attributeOrValueExists       (20),
1987	                             invalidAttributeSyntax       (21),
1988	                                        -- 22-31 unused --
1989	                             noSuchObject                 (32),
1990	                             aliasProblem                 (33),
1991	                             invalidDNSyntax              (34),
1992	                             -- 35 reserved for undefined isLeaf --
1993	                             aliasDereferencingProblem    (36),
1994	                                        -- 37-47 unused --

1996	                             inappropriateAuthentication  (48),
1997	                             invalidCredentials           (49),
1998	                             insufficientAccessRights     (50),
1999	                             busy                         (51),
2000	                             unavailable                  (52),
2001	                             unwillingToPerform           (53),
2002	                             loopDetect                   (54),
2003	                                        -- 55-63 unused --
2004	                             namingViolation              (64),
2005	                             objectClassViolation         (65),
2006	                             notAllowedOnNonLeaf          (66),
2007	                             notAllowedOnRDN              (67),
2008	                             entryAlreadyExists           (68),
2009	                             objectClassModsProhibited    (69),
2010	                                        -- 70 reserved for CLDAP --
2011	                             affectsMultipleDSAs          (71), -- new
2012	                                        -- 72-79 unused --
2013	                             other                        (80) },
2014	                             -- 81-90 reserved for APIs --
2015	                matchedDN       LDAPDN,
2016	                errorMessage    LDAPString,
2017	                referral        [3] Referral OPTIONAL }

2019	        Referral ::= SEQUENCE OF LDAPURL

2021	        LDAPURL ::= LDAPString -- limited to characters permitted in URLs

2023	        Controls ::= SEQUENCE OF Control

2025	        Control ::= SEQUENCE {
2026	                controlType             LDAPOID,
2027	                criticality             BOOLEAN DEFAULT FALSE,
2028	                controlValue            OCTET STRING OPTIONAL }

2030	        BindRequest ::= [APPLICATION 0] SEQUENCE {
2031	                version                 INTEGER (1 .. 127),
2032	                name                    LDAPDN,
2033	                authentication          AuthenticationChoice }

2035	        AuthenticationChoice ::= CHOICE {
2036	                simple                  [0] OCTET STRING,
2037	                                         -- 1 and 2 reserved
2038	                sasl                    [3] SaslCredentials }

2040	        SaslCredentials ::= SEQUENCE {
2041	                mechanism               LDAPString,
2042	                credentials             OCTET STRING OPTIONAL }

2044	        BindResponse ::= [APPLICATION 1] SEQUENCE {
2045	             COMPONENTS OF LDAPResult,
2046	             serverSaslCreds    [7] OCTET STRING OPTIONAL }

2048	        UnbindRequest ::= [APPLICATION 2] NULL
2049	        SearchRequest ::= [APPLICATION 3] SEQUENCE {
2050	                baseObject      LDAPDN,
2051	                scope           ENUMERATED {
2052	                        baseObject              (0),
2053	                        singleLevel             (1),
2054	                        wholeSubtree            (2) },
2055	                derefAliases    ENUMERATED {
2056	                        neverDerefAliases       (0),
2057	                        derefInSearching        (1),
2058	                        derefFindingBaseObj     (2),
2059	                        derefAlways             (3) },
2060	                sizeLimit       INTEGER (0 .. maxInt),
2061	                timeLimit       INTEGER (0 .. maxInt),
2062	                typesOnly       BOOLEAN,
2063	                filter          Filter,
2064	                attributes      AttributeDescriptionList }

2066	        Filter ::= CHOICE {
2067	                and             [0] SET OF Filter,
2068	                or              [1] SET OF Filter,
2069	                not             [2] Filter,
2070	                equalityMatch   [3] AttributeValueAssertion,
2071	                substrings      [4] SubstringFilter,
2072	                greaterOrEqual  [5] AttributeValueAssertion,
2073	                lessOrEqual     [6] AttributeValueAssertion,
2074	                present         [7] AttributeDescription,
2075	                approxMatch     [8] AttributeValueAssertion,
2076	                extensibleMatch [9] MatchingRuleAssertion }

2078	        SubstringFilter ::= SEQUENCE {
2079	                type            AttributeDescription,
2080	                -- at least one must be present
2081	                substrings      SEQUENCE OF CHOICE {
2082	                        initial [0] LDAPString,
2083	                        any     [1] LDAPString,
2084	                        final   [2] LDAPString } }

2086	        MatchingRuleAssertion ::= SEQUENCE {
2087	                matchingRule    [1] MatchingRuleId OPTIONAL,
2088	                type            [2] AttributeDescription OPTIONAL,
2089	                matchValue      [3] AssertionValue,
2090	                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

2092	        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
2093	                objectName      LDAPDN,
2094	                attributes      PartialAttributeList }

2096	        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
2097	                type    AttributeDescription,
2098	                vals    SET OF AttributeValue }

2100	        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL

2102	        SearchResultDone ::= [APPLICATION 5] LDAPResult
2103	        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
2104	                object          LDAPDN,
2105	                modification    SEQUENCE OF SEQUENCE {
2106	                        operation       ENUMERATED {
2107	                                                add     (0),
2108	                                                delete  (1),
2109	                                                replace (2) },
2110	                        modification    AttributeTypeAndValues } }

2112	        AttributeTypeAndValues ::= SEQUENCE {
2113	                type    AttributeDescription,
2114	                vals    SET OF AttributeValue }

2116	        ModifyResponse ::= [APPLICATION 7] LDAPResult

2118	        AddRequest ::= [APPLICATION 8] SEQUENCE {
2119	                entry           LDAPDN,
2120	                attributes      AttributeList }

2122	        AttributeList ::= SEQUENCE OF SEQUENCE {
2123	                type    AttributeDescription,
2124	                vals    SET OF AttributeValue }

2126	        AddResponse ::= [APPLICATION 9] LDAPResult

2128	        DelRequest ::= [APPLICATION 10] LDAPDN

2130	        DelResponse ::= [APPLICATION 11] LDAPResult

2132	        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
2133	                entry           LDAPDN,
2134	                newrdn          RelativeLDAPDN,
2135	                deleteoldrdn    BOOLEAN,
2136	                newSuperior     [0] LDAPDN OPTIONAL }

2138	        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

2140	        CompareRequest ::= [APPLICATION 14] SEQUENCE {
2141	                entry           LDAPDN,
2142	                ava             AttributeValueAssertion }

2144	        CompareResponse ::= [APPLICATION 15] LDAPResult

2146	        AbandonRequest ::= [APPLICATION 16] MessageID

2148	        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
2149	                requestName      [0] LDAPOID,
2150	                requestValue     [1] OCTET STRING OPTIONAL }

2152	        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
2153	                COMPONENTS OF LDAPResult,
2154	                responseName     [10] LDAPOID OPTIONAL,
2155	                response         [11] OCTET STRING OPTIONAL }

2157	        END

2159	Table of Contents

2161	1.  Status of this Memo .................................... 1
2162	2.  Abstract ............................................... 1
2163	3.  Models ................................................. 2
2164	3.1. Protocol Model ........................................ 2
2165	3.2. Data Model ............................................ 3
2166	3.2.1. Attributes of Entries ............................... 3
2167	3.2.2. Subschema Entries and Subentries .................... 4
2168	3.3. Relationship to X.500 ................................. 5
2169	3.4. Server-specific Data Requirements ..................... 6
2170	4.  Elements of Protocol ................................... 6
2171	4.1. Common Elements ....................................... 7
2172	4.1.1. Message Envelope .................................... 7
2173	4.1.1.1. Message ID ........................................ 8
2174	4.1.2. String Types ........................................ 8
2175	4.1.3. Distinguished Name and Relative Distinguished Name .. 9
2176	4.1.4. Attribute Type ...................................... 9
2177	4.1.5. Attribute Description ............................... 10
2178	4.1.5.1. Binary Option ..................................... 11
2179	4.1.6. Attribute Value ..................................... 11
2180	4.1.7. Attribute Value Assertion ........................... 11
2181	4.1.8. Attribute ........................................... 12
2182	4.1.9. Matching Rule Identifier ............................ 12
2183	4.1.10. Result Message ..................................... 13
2184	4.1.11. Referral ........................................... 14
2185	4.1.12. Controls ........................................... 15
2186	4.2. Bind Operation ........................................ 16
2187	4.2.1. Sequencing of the Bind Request ...................... 17
2188	4.2.2. Authentication and Other Security Services .......... 18
2189	4.2.3. Bind Response ....................................... 19
2190	4.3. Unbind Operation ...................................... 19
2191	4.4. Unsolicited Notification .............................. 20
2192	4.4.1. Notice of Disconnection ............................. 20
2193	4.5. Search Operation ...................................... 21
2194	4.5.1. Search Request ...................................... 21
2195	4.5.2. Search Result ....................................... 25
2196	4.5.3. Continuation References in the Search Result ........ 26
2197	4.5.3.1. Example ........................................... 26
2198	4.6. Modify Operation ...................................... 27
2199	4.7. Add Operation ......................................... 29
2200	4.8. Delete Operation ...................................... 30
2201	4.9. Modify DN Operation ................................... 30
2202	4.10. Compare Operation .................................... 31
2203	4.11. Abandon Operation .................................... 32
2204	4.12. Extended Operation ................................... 33
2205	5.  Protocol Element Encodings and Transfer ................ 33
2206	5.1. Mapping Onto BER-based Transport Services ............. 33
2207	5.2. Transfer Protocols .................................... 34
2208	5.2.1. Transmission Control Protocol (TCP) ................. 34
2209	6.  Implementation Guidelines .............................. 34
2210	6.1. Server Implementations ................................ 34
2211	6.2. Client Implementations ................................ 34
2212	7.  Security Considerations ................................ 35
2213	8.  Acknowledgements ....................................... 35
2214	9.  Bibliography ........................................... 35
2215	10. Authors' Address ....................................... 36
2216	Appendix A - Complete ASN.1 Definition ..................... 37