idnits 2.17.1 

draft-ietf-ldapbis-protocol-00.txt:
  ** The Abstract section seems to be numbered


  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == There is 1 instance of lines with non-ascii characters in the document.

  == The page length should not exceed 58 lines per page, but there was 5
     longer pages, the longest (page 3) being 59 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.
     (A line matching the expected section header was found, but with an
    unexpected indentation:
     '                scope           ENUMERATED {' )

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([RFC1777], [RFC2119]), which
     it shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     RFC 2119 keyword, line 227: '...e distinguished name (RDN), which MUST...'
     RFC 2119 keyword, line 241: '...ing or shadowing MUST ensure that they...'
     RFC 2119 keyword, line 275: '...   Each entry MUST have an objectClass...'
     RFC 2119 keyword, line 296: '...   Servers MUST NOT permit clients to ...'
     RFC 2119 keyword, line 304: '...   Entries MAY contain, among others, ...'
     (172 more instances...)

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The exact meaning of the all-uppercase expression 'MAY NOT' is not
     defined in RFC 2119.  If it is intended as a requirements expression, it
     should be rewritten using one of the combinations defined in RFC 2119;
     otherwise it should not be all-uppercase.

  == The expression 'MAY NOT', while looking like RFC 2119 requirements text,
     is not defined in RFC 2119, and should not be used.  Consider using 'MUST
     NOT' instead (if that is what you mean).
     
     Found 'MAY NOT' in this paragraph:
     
     - Remove "typically" from "and is typically transferred" in the
     first paragraph. - Change "MUST ignore elements of SEQUENCE encodings
     whose tags they do not recognize" to "MUST ignore tagged elements of
     SEQUENCE encodings that they do not recognize" in the first paragraph. -
     Add "See Section 5.1 for information on mapping the LDAP protocol to
     BER." to the first paragraph. - Change "version 3 " to "version 3 or
     later" in the second paragraph. - Change "protocol version" to "protocol
     versions" in the third paragraph. - Change "version 2 may not provide
     this attribute." to "version 2 MAY NOT provide this attribute, or a root
     DSE." in the third paragraph.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 2001) is 8500 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'RFC2026' on line 13 looks like a reference

  -- Missing reference section? 'RFC2119' on line 2066 looks like a reference

  -- Missing reference section? 'RFC1777' on line 2055 looks like a reference

  -- Missing reference section? 'RFC2252' on line 2500 looks like a reference

  -- Missing reference section? '0' on line 2369 looks like a reference

  -- Missing reference section? 'ISO10646' on line 532 looks like a reference

  -- Missing reference section? 'RFC2044' on line 2063 looks like a reference

  -- Missing reference section? 'RFC2253' on line 2079 looks like a reference

  -- Missing reference section? '5' on line 2498 looks like a reference

  -- Missing reference section? '3' on line 2305 looks like a reference

  -- Missing reference section? 'RFC2255' on line 2083 looks like a reference

  -- Missing reference section? 'RFC2396' on line 2086 looks like a reference

  -- Missing reference section? 'APPLICATION 0' on line 2242 looks like a
     reference

  -- Missing reference section? 'RFC2222' on line 2069 looks like a reference

  -- Missing reference section? 'APPLICATION 1' on line 2256 looks like a
     reference

  -- Missing reference section? '7' on line 2290 looks like a reference

  -- Missing reference section? 'APPLICATION 2' on line 2260 looks like a
     reference

  -- Missing reference section? 'APPLICATION 3' on line 2262 looks like a
     reference

  -- Missing reference section? '1' on line 2370 looks like a reference

  -- Missing reference section? '2' on line 2304 looks like a reference

  -- Missing reference section? '4' on line 2306 looks like a reference

  -- Missing reference section? '6' on line 2289 looks like a reference

  -- Missing reference section? '8' on line 2291 looks like a reference

  -- Missing reference section? '9' on line 2292 looks like a reference

  -- Missing reference section? 'APPLICATION 4' on line 2308 looks like a
     reference

  -- Missing reference section? 'APPLICATION 19' on line 2316 looks like a
     reference

  -- Missing reference section? 'APPLICATION 5' on line 2318 looks like a
     reference

  -- Missing reference section? 'APPLICATION 6' on line 2320 looks like a
     reference

  -- Missing reference section? 'APPLICATION 7' on line 2336 looks like a
     reference

  -- Missing reference section? 'APPLICATION 8' on line 2338 looks like a
     reference

  -- Missing reference section? 'APPLICATION 9' on line 2346 looks like a
     reference

  -- Missing reference section? 'APPLICATION 10' on line 2348 looks like a
     reference

  -- Missing reference section? 'APPLICATION 11' on line 2350 looks like a
     reference

  -- Missing reference section? 'APPLICATION 12' on line 2352 looks like a
     reference

  -- Missing reference section? 'APPLICATION 13' on line 2358 looks like a
     reference

  -- Missing reference section? 'APPLICATION 14' on line 2360 looks like a
     reference

  -- Missing reference section? 'APPLICATION 15' on line 2364 looks like a
     reference

  -- Missing reference section? 'APPLICATION 16' on line 2366 looks like a
     reference

  -- Missing reference section? 'APPLICATION 23' on line 2368 looks like a
     reference

  -- Missing reference section? 'APPLICATION 24' on line 2372 looks like a
     reference

  -- Missing reference section? '10' on line 2374 looks like a reference

  -- Missing reference section? '11' on line 2375 looks like a reference

  -- Missing reference section? 'RFC1823' on line 2058 looks like a reference

  -- Missing reference section? 'RFC2234' on line 2072 looks like a reference

  -- Missing reference section? 'RFC2829' on line 2705 looks like a reference

  -- Missing reference section? 'RFC2830' on line 2699 looks like a reference

  -- Missing reference section? 'RFC 1823' on line 2504 looks like a reference


     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 50 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Internet-Draft                                           J. Sermersheim
3	Intended Category: Standard Track                           Novell, Inc
4	Document: draft-ietf-ldapbis-protocol-00.txt               January 2001
5	Obsoletes: RFC 2251

7	                Lightweight Directory Access Protocol (v3)

9	1. Status of this Memo

11	   This document is an Internet-Draft and is in full conformance with
12	   all provisions of Section 10 of [RFC2026].

14	   Internet-Drafts are working documents of the Internet Engineering
15	   Task Force (IETF), its areas, and its working groups. Note that other
16	   groups may also distribute working documents as Internet-Drafts.
17	   Internet-Drafts are draft documents valid for a maximum of six months
18	   and may be updated, replaced, or obsoleted by other documents at any
19	   time. It is inappropriate to use Internet-Drafts as reference
20	   material or to cite them other than as "work in progress."

22	   The list of current Internet-Drafts can be accessed at
23	   http://www.ietf.org/ietf/1id-abstracts.txt

25	   The list of Internet-Draft Shadow Directories can be accessed at
26	   http://www.ietf.org/shadow.html.

28	   Distribution of this memo is unlimited. Technical discussion of this
29	   document will take place on the IETF LDAP Revision Working Group
30	   (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please send
31	   editorial comments directly to the editor <jimse@novell.com>.

33	Table of Contents

35	   1. Status of this Memo..............................................1
36	   2. Abstract.........................................................3
37	   3. Models...........................................................4
38	   3.1. Protocol Model.................................................4
39	   3.2. Data Model.....................................................4
40	   3.2.1. Attributes of Entries........................................5
41	   3.2.2. Subschema Entries and Subentries.............................6
42	   3.3. Relationship to X.500..........................................7
43	   3.4. Server-specific Data Requirements..............................7
44	   4. Elements of Protocol.............................................8
45	   4.1. Common Elements................................................8
46	   4.1.1. Message Envelope.............................................9
47	   4.1.1.1. Message ID................................................10
48	   4.1.2. String Types................................................10
49	   4.1.3. Distinguished Name and Relative Distinguished Name..........10
50	   4.1.4. Attribute Type..............................................11
51	   4.1.5. Attribute Description.......................................12
52	   4.1.5.1. Binary Option.............................................12
53	   4.1.6. Attribute Value.............................................13
54	              Lightweight Directory Access Protocol Version 3

56	   4.1.7. Attribute Value Assertion...................................13
57	   4.1.8. Attribute...................................................14
58	   4.1.9. Matching Rule Identifier....................................14
59	   4.1.10. Result Message.............................................14
60	   4.1.11. Referral...................................................16
61	   4.1.12. Controls...................................................17
62	   4.2. Bind Operation................................................18
63	   4.2.1. Sequencing of the Bind Request..............................19
64	   4.2.2. Authentication and Other Security Services..................20
65	   4.2.3. Bind Response...............................................20
66	   4.3. Unbind Operation..............................................21
67	   4.4. Unsolicited Notification......................................22
68	   4.4.1. Notice of Disconnection.....................................22
69	   4.5. Search Operation..............................................23
70	   4.5.1. Search Request..............................................23
71	   4.5.2. Search Result...............................................26
72	   4.5.3. Continuation References in the Search Result................28
73	   4.6. Modify Operation..............................................29
74	   4.7. Add Operation.................................................31
75	   4.8. Delete Operation..............................................32
76	   4.9. Modify DN Operation...........................................32
77	   4.10. Compare Operation............................................33
78	   4.11. Abandon Operation............................................34
79	   4.12. Extended Operation...........................................34
80	   5. Protocol Element Encodings and Transfer.........................35
81	   5.1. Mapping Onto BER-based Transport Services.....................35
82	   5.2. Transfer Protocols............................................36
83	   5.2.1. Transmission Control Protocol (TCP).........................36
84	   6. Implementation Guidelines.......................................36
85	   6.1. Server Implementations........................................36
86	   6.2. Client Implementations........................................36
87	   7. Security Considerations.........................................36
88	   8. Acknowledgements................................................37
89	   9. Bibliography....................................................37
90	   10. Editor's Address...............................................38
91	   Appendix A - Complete ASN.1 Definition.............................39
92	   Appendix B - Change History........................................44
93	   Changes made to RFC 2251:..........................................44
94	   B.1 Editorial......................................................44
95	   B.2 Section 1......................................................44
96	   B.3 Section 9......................................................44
97	   Appendix C - Outstanding Work Items................................44
98	   C.1 Integrate result codes draft...................................44
99	   C.2 Section 3.1....................................................44
100	   C.3 Section 4......................................................44
101	   C.4 Section 4.1.1..................................................44
102	   C.5 Section 4.1.1.1................................................45
103	   C.6 Section 4.1.2..................................................45
104	   C.7 Section 4.1.4..................................................45
105	   C.8 Section 4.1.5..................................................45
106	   C.9 Section 4.1.5.1................................................45
107	   C.10 Section 4.1.6.................................................45
108	   C.11 Section 4.1.7.................................................46
109	   C.12 Section 4.1.8.................................................46
110	              Lightweight Directory Access Protocol Version 3

112	   C.13 Section 4.1.11................................................46
113	   C.14 Section 4.1.12................................................46
114	   C.15 Section 4.2...................................................46
115	   C.16 Section 4.2.1.................................................47
116	   C.17 Section 4.2.2.................................................47
117	   C.18 Section 4.2.3.................................................47
118	   C.19 Section 4.3...................................................47
119	   C.20 Section 4.4...................................................47
120	   C.21 Section 4.5.1.................................................47
121	   C.22 Section 4.5.2.................................................48
122	   C.23 Section 4.5.3.................................................48
123	   C.24 Section 4.5.3.1...............................................48
124	   C.25 Section 4.6...................................................48
125	   C.26 Section 4.7...................................................48
126	   C.27 Section 4.10..................................................49
127	   C.28 Section 4.11..................................................49
128	   C.29 Section 4.12..................................................49
129	   C.30 Section 5.1...................................................49
130	   C.31 Section 5.2.1.................................................49
131	   C.32 Section 6.1...................................................49
132	   C.33 Section 7.....................................................49
133	   C.34 Section 8.....................................................50
134	   C.36 Various sections..............................................50

136	2. Abstract

138	   The protocol described in this document is designed to provide access
139	   to directories supporting the [X.500] models, while not incurring the
140	   resource requirements of the X.500 Directory Access Protocol (DAP).
141	   This protocol is specifically targeted at management applications and
142	   browser applications that provide read/write interactive access to
143	   directories. When used with a directory supporting the X.500
144	   protocols, it is intended to be a complement to the X.500 DAP.

146	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
147	   "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are
148	   to be interpreted as described in [RFC2119].

150	   Key aspects of this version of LDAP are:

152	   - All protocol elements of LDAPv2 [RFC1777] are supported. The
153	     protocol is carried directly over TCP or other transport,
154	     bypassing much of the session/presentation overhead of X.500 DAP.

156	   - Most protocol data elements can be encoded as ordinary strings
157	     (e.g., Distinguished Names).

159	   - Referrals to other servers may be returned.

161	   - SASL mechanisms may be used with LDAP to provide association
162	     security services.

164	   - Attribute values and Distinguished Names have been
165	     internationalized through the use of the ISO 10646 character set.

167	              Lightweight Directory Access Protocol Version 3

169	   - The protocol can be extended to support new operations, and
170	     controls may be used to extend existing operations.

172	   - Schema is published in the directory to be used by clients.

174	3. Models

176	   Interest in X.500 directory technologies in the Internet has led to
177	   efforts to reduce the high cost of entry associated with use of these
178	   technologies. This document continues the efforts to define directory
179	   protocol alternatives, updating the LDAPv2 protocol specification.

181	3.1. Protocol Model

183	   The general model adopted by this protocol is one of clients
184	   performing protocol operations against servers. In this model, a
185	   client transmits a protocol request describing the operation to be
186	   performed to a server. The server is then responsible for performing
187	   the necessary operation(s) in the directory. Upon completion of the
188	   operation(s), the server returns a response containing any results or
189	   errors to the requesting client.

191	   In keeping with the goal of easing the costs associated with use of
192	   the directory, it is an objective of this protocol to minimize the
193	   complexity of clients so as to facilitate widespread deployment of
194	   applications capable of using the directory.

196	   Note that although servers are required to return responses whenever
197	   such responses are defined in the protocol, there is no requirement
198	   for synchronous behavior on the part of either clients or servers.
199	   Requests and responses for multiple operations may be exchanged
200	   between a client and server in any order, provided the client
201	   eventually receives a response for every request that requires one.

203	   In LDAP versions 1 and 2, no provision was made for protocol servers
204	   returning referrals to clients. However, for improved performance and
205	   distribution, this version of the protocol permits servers to return
206	   to clients, referrals to other servers. This allows servers to
207	   offload the work of contacting other servers to progress operations.

209	   Note that the core protocol operations defined in this document can
210	   be mapped to a strict subset of the X.500(1997) directory abstract
211	   service, so it can be cleanly provided by the DAP. However there is
212	   not a one-to-one mapping between LDAP protocol operations and DAP
213	   operations: server implementations acting as a gateway to X.500
214	   directories may need to make multiple DAP requests.

216	<Editor's Note: Sections 3.2 through 3.4 have not been updated>
217	3.2. Data Model

219	   This section provides a brief introduction to the X.500 data model,
220	   as used by LDAP.

222	              Lightweight Directory Access Protocol Version 3

224	   The LDAP protocol assumes there are one or more servers which jointly
225	   provide access to a Directory Information Tree (DIT). The tree is
226	   made up of entries. Entries have names: one or more attribute values
227	   from the entry form its relative distinguished name (RDN), which MUST
228	   be unique among all its siblings. The concatenation of the relative
229	   distinguished names of the sequence of entries from a particular
230	   entry to an immediate subordinate of the root of the tree forms that
231	   entry's Distinguished Name (DN), which is unique in the tree. An
232	   example of a Distinguished Name is:

234	   CN=Steve Kille, O=Isode Limited, C=GB

236	   Some servers may hold cache or shadow copies of entries, which can be
237	   used to answer search and comparison queries, but will return
238	   referrals or contact other servers if modification operations are
239	   requested.

241	   Servers that perform caching or shadowing MUST ensure that they do
242	   not violate any access control constraints placed on the data by the
243	   originating server.

245	   The largest collection of entries, starting at an entry that is
246	   mastered by a particular server, and including all its subordinates
247	   and their subordinates, down to the entries which are mastered by
248	   different servers, is termed a naming context. The root of the DIT is
249	   a DSA-specific Entry (DSE) and not part of any naming context: each
250	   server has different attribute values in the root DSE. (DSA is an
251	   X.500 term for the directory server).

253	3.2.1. Attributes of Entries

255	   Entries consist of a set of attributes. An attribute is a type with
256	   one or more associated values. The attribute type is identified by a
257	   short descriptive name and an OID (object identifier). The attribute
258	   type governs whether there can be more than one value of an attribute
259	   of that type in an entry, the syntax to which the values must
260	   conform, the kinds of matching which can be performed on values of
261	   that attribute, and other functions.

263	   An example of an attribute is "mail". There may be one or more values
264	   of this attribute, they must be IA5 (ASCII) strings, and they are
265	   case insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").

267	   Schema is the collection of attribute type definitions, object class
268	   definitions and other information which a server uses to determine
269	   how to match a filter or attribute value assertion (in a compare
270	   operation) against the attributes of an entry, and whether to permit
271	   add and modify operations. The definition of schema for use with LDAP
272	   is given in [RFC2252] and [X.501]. Additional schema elements may be
273	   defined in other documents.

275	   Each entry MUST have an objectClass attribute. The objectClass
276	   attribute specifies the object classes of an entry, which along with
277	   the system and user schema determine the permitted attributes of an
278	              Lightweight Directory Access Protocol Version 3

280	   entry. Values of this attribute may be modified by clients, but the
281	   objectClass attribute cannot be removed. Servers may restrict the
282	   modifications of this attribute to prevent the basic structural class
283	   of the entry from being changed (e.g. one cannot change a person into
284	   a country). When creating an entry or adding an objectClass value to
285	   an entry, all superclasses of the named classes are implicitly added
286	   as well if not already present, and the client must supply values for
287	   any mandatory attributes of new superclasses.

289	   Some attributes, termed operational attributes, are used by servers
290	   for administering the directory system itself. They are not returned
291	   in search results unless explicitly requested by name. Attributes
292	   which are not operational, such as "mail", will have their schema and
293	   syntax constraints enforced by servers, but servers will generally
294	   not make use of their values.

296	   Servers MUST NOT permit clients to add attributes to an entry unless
297	   those attributes are permitted by the object class definitions, the
298	   schema controlling that entry (specified in the subschema � see
299	   below), or are operational attributes known to that server and used
300	   for administrative purposes. Note that there is a particular
301	   objectClass 'extensibleObject' defined in [RFC2252] which permits all
302	   user attributes to be present in an entry.

304	   Entries MAY contain, among others, the following operational
305	   attributes, defined in [RFC2252]. These attributes are maintained
306	   automatically by the server and are not modifiable by clients:

308	   - creatorsName: the Distinguished Name of the user who added this
309	     entry to the directory.

311	   - createTimestamp: the time this entry was added to the directory.

313	   - modifiersName: the Distinguished Name of the user who last
314	     modified this entry.

316	   - modifyTimestamp: the time this entry was last modified.

318	   - subschemaSubentry: the Distinguished Name of the subschema entry
319	     (or subentry) which controls the schema for this entry.

321	3.2.2. Subschema Entries and Subentries

323	   Subschema entries are used for administering information about the
324	   directory schema, in particular the object classes and attribute
325	   types supported by directory servers. A single subschema entry
326	   contains all schema definitions used by entries in a particular part
327	   of the directory tree.

329	   Servers which follow X.500(93) models SHOULD implement subschema
330	   using the X.500 subschema mechanisms, and so these subschemas are not
331	   ordinary entries. LDAP clients SHOULD NOT assume that servers
332	   implement any of the other aspects of X.500 subschema. A server which
333	   masters entries and permits clients to modify these entries MUST
334	              Lightweight Directory Access Protocol Version 3

336	   implement and provide access to these subschema entries, so that its
337	   clients may discover the attributes and object classes which are
338	   permitted to be present. It is strongly recommended that all other
339	   servers implement this as well.

341	   The following four attributes MUST be present in all subschema
342	   entries:

344	   - cn: this attribute MUST be used to form the RDN of the subschema
345	     entry.

347	   - objectClass: the attribute MUST have at least the values "top" and
348	     "subschema".

350	   - objectClasses: each value of this attribute specifies an object
351	     class known to the server.

353	   - attributeTypes: each value of this attribute specifies an
354	     attribute type known to the server.

356	   These are defined in [RFC2252]. Other attributes MAY be present in
357	   subschema entries, to reflect additional supported capabilities.

359	   These include matchingRules, matchingRuleUse, dITStructureRules,
360	   dITContentRules, nameForms and ldapSyntaxes.

362	   Servers SHOULD provide the attributes createTimestamp and
363	   modifyTimestamp in subschema entries, in order to allow clients to
364	   maintain their caches of schema information.

366	   Clients MUST only retrieve attributes from a subschema entry by
367	   requesting a base object search of the entry, where the search filter
368	   is "(objectClass=subschema)". This will allow LDAPv3 servers which
369	   gateway to X.500(93) to detect that subentry information is being
370	   requested.

372	3.3. Relationship to X.500

374	   This document defines LDAP in terms of X.500 as an X.500 access
375	   mechanism. An LDAP server MUST act in accordance with the X.500(1993)
376	   series of ITU recommendations when providing the service. However, it
377	   is not required that an LDAP server make use of any X.500 protocols
378	   in providing this service, e.g. LDAP can be mapped onto any other
379	   directory system so long as the X.500 data and service model as used
380	   in LDAP is not violated in the LDAP interface.

382	3.4. Server-specific Data Requirements

384	   An LDAP server MUST provide information about itself and other
385	   information that is specific to each server. This is represented as a
386	   group of attributes located in the root DSE (DSA-Specific Entry),
387	   which is named with the zero-length LDAPDN. These attributes are
388	   retrievable if a client performs a base object search of the root
389	   with filter "(objectClass=*)", however they are subject to access
390	              Lightweight Directory Access Protocol Version 3

392	   control restrictions. The root DSE MUST NOT be included if the client
393	   performs a subtree search starting from the root.

395	   Servers may allow clients to modify these attributes.

397	   The following attributes of the root DSE are defined in section 5 of
398	   [RFC2252]. Additional attributes may be defined in other documents.

400	   - namingContexts: naming contexts held in the server. Naming
401	     contexts are defined in section 17 of [X.501].

403	   - subschemaSubentry: subschema entries (or subentries) known by this
404	     server.

406	   - altServer: alternative servers in case this one is later
407	     unavailable.

409	   - supportedExtension: list of supported extended operations.

411	   - supportedControl: list of supported controls.

413	   - supportedSASLMechanisms: list of supported SASL security features.

415	   - supportedLDAPVersion: LDAP versions implemented by the server.

417	   If the server does not master entries and does not know the locations
418	   of schema information, the subschemaSubentry attribute is not present
419	   in the root DSE. If the server masters directory entries under one or
420	   more schema rules, there may be any number of values of the
421	   subschemaSubentry attribute in the root DSE.

423	4. Elements of Protocol

425	   The LDAP protocol is described using Abstract Syntax Notation 1
426	   (ASN.1) [X.680], and is typically transferred using a subset of ASN.1
427	   Basic Encoding Rules [X.690] In order to support future extensions to
428	   this protocol, clients and servers MUST ignore elements of SEQUENCE
429	   encodings whose tags they do not recognize.

431	   Note that unlike X.500, each change to the LDAP protocol other than
432	   through the extension mechanisms will have a different version
433	   number. A client will indicate the version it supports as part of the
434	   bind request, described in section 4.2. If a client has not sent a
435	   bind, the server MUST assume that version 3 is supported in the
436	   client (since version 2 required that the client bind first).

438	   Clients may determine the protocol version a server supports by
439	   reading the supportedLDAPVersion attribute from the root DSE. Servers
440	   which implement version 3 or later versions MUST provide this
441	   attribute. Servers which only implement version 2 may not provide
442	   this attribute.

444	4.1. Common Elements
445	              Lightweight Directory Access Protocol Version 3

447	   This section describes the LDAPMessage envelope PDU (Protocol Data
448	   Unit) format, as well as data type definitions, which are used in the
449	   protocol operations.

451	4.1.1. Message Envelope

453	   For the purposes of protocol exchanges, all protocol operations are
454	   encapsulated in a common envelope, the LDAPMessage, which is defined
455	   as follows:

457	        LDAPMessage ::= SEQUENCE {
458	                messageID       MessageID,
459	                protocolOp      CHOICE {
460	                        bindRequest     BindRequest,
461	                        bindResponse    BindResponse,
462	                        unbindRequest   UnbindRequest,
463	                        searchRequest   SearchRequest,
464	                        searchResEntry  SearchResultEntry,
465	                        searchResDone   SearchResultDone,
466	                        searchResRef    SearchResultReference,
467	                        modifyRequest   ModifyRequest,
468	                        modifyResponse  ModifyResponse,
469	                        addRequest      AddRequest,
470	                        addResponse     AddResponse,
471	                        delRequest      DelRequest,
472	                        delResponse     DelResponse,
473	                        modDNRequest    ModifyDNRequest,
474	                        modDNResponse   ModifyDNResponse,
475	                        compareRequest  CompareRequest,
476	                        compareResponse CompareResponse,
477	                        abandonRequest  AbandonRequest,
478	                        extendedReq     ExtendedRequest,
479	                        extendedResp    ExtendedResponse },
480	                controls        [0] Controls OPTIONAL }

482	        MessageID ::= INTEGER (0 .. maxInt)

484	        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

486	   The function of the LDAPMessage is to provide an envelope containing
487	   common fields required in all protocol exchanges. At this time the
488	   only common fields are the message ID and the controls.

490	   If the server receives a PDU from the client in which the LDAPMessage
491	   SEQUENCE tag cannot be recognized, the messageID cannot be parsed,
492	   the tag of the protocolOp is not recognized as a request, or the
493	   encoding structures or lengths of data fields are found to be
494	   incorrect, then the server MUST return the notice of disconnection
495	   described in section 4.4.1, with resultCode protocolError, and
496	   immediately close the connection. In other cases that the server
497	   cannot parse the request received by the client, the server MUST
498	   return an appropriate response to the request, with the resultCode
499	   set to protocolError.

501	              Lightweight Directory Access Protocol Version 3

503	   If the client receives a PDU from the server, which cannot be parsed,
504	   the client may discard the PDU, or may abruptly close the connection.

506	   The ASN.1 type Controls is defined in section 4.1.12.

508	4.1.1.1. Message ID

510	   All LDAPMessage envelopes encapsulating responses contain the
511	   messageID value of the corresponding request LDAPMessage.

513	   The message ID of a request MUST have a value different from the
514	   values of any other requests outstanding in the LDAP session of which
515	   this message is a part.

517	   A client MUST NOT send a second request with the same message ID as
518	   an earlier request on the same connection if the client has not
519	   received the final response from the earlier request. Otherwise the
520	   behavior is undefined. Typical clients increment a counter for each
521	   request.

523	   A client MUST NOT reuse the message id of an abandonRequest of the
524	   abandoned operation until it has received a response from the server
525	   for another request invoked subsequent to the abandonRequest, as the
526	   abandonRequest itself does not have a response.

528	4.1.2. String Types

530	   The LDAPString is a notational convenience to indicate that, although
531	   strings of LDAPString type encode as OCTET STRING types, the
532	   [ISO10646] character set (a superset of Unicode) is used, encoded
533	   following the UTF-8 algorithm [RFC2044]. Note that in the UTF-8
534	   algorithm characters which are the same as ASCII (0x0000 through
535	   0x007F) are represented as that same ASCII character in a single
536	   byte. The other byte values are used to form a variable-length
537	   encoding of an arbitrary character.

539	        LDAPString ::= OCTET STRING

541	   The LDAPOID is a notational convenience to indicate that the
542	   permitted value of this string is a (UTF-8 encoded) dotted-decimal
543	   representation of an OBJECT IDENTIFIER.

545	        LDAPOID ::= OCTET STRING

547	   For example,

549	        1.3.6.1.4.1.1466.1.2.3

551	4.1.3. Distinguished Name and Relative Distinguished Name

553	   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
554	   representation of a Distinguished Name and a Relative Distinguished
555	   Name after encoding according to the specification in [RFC2253], such
556	   that:

558	              Lightweight Directory Access Protocol Version 3

560	        distinguished-name = name

562	        relative-distinguished-name = name-component

564	   where name and name-component are as defined in [RFC2253].

566	        LDAPDN ::= LDAPString

568	        RelativeLDAPDN ::= LDAPString

570	   Only Attribute Types can be present in a relative distinguished name
571	   component--the options of Attribute Descriptions (next section) MUST
572	   NOT be used in specifying distinguished names.

574	4.1.4. Attribute Type

576	   An AttributeType takes on as its value the textual string associated
577	   with that AttributeType in its specification.

579	        AttributeType ::= LDAPString

581	   Each attribute type has a unique OBJECT IDENTIFIER which has been
582	   assigned to it. This identifier may be written as decimal digits with
583	   components separated by periods, e.g. "2.5.4.10".

585	   A specification may also assign one or more textual names for an
586	   attribute type. These names MUST begin with a letter, and only
587	   contain ASCII letters, digit characters and hyphens. They are case
588	   insensitive. These ASCII characters are identical to ISO 10646
589	   characters whose UTF-8 encoding is a single byte between 0x00 and
590	   0x7F.

592	   If the server has a textual name for an attribute type, it MUST use a
593	   textual name for attributes returned in search results. The dotted-
594	   decimal OBJECT IDENTIFIER is only used if there is no textual name
595	   for an attribute type.

597	   Attribute type textual names are non-unique, as two different
598	   specifications (neither in standards track RFCs) may choose the same
599	   name.

601	   A server which masters or shadows entries SHOULD list all the
602	   attribute types it supports in the subschema entries, using the
603	   attributeTypes attribute. Servers which support an open-ended set of
604	   attributes SHOULD include at least the attributeTypes value for the
605	   'objectClass' attribute. Clients MAY retrieve the attributeTypes
606	   value from subschema entries in order to obtain the OBJECT IDENTIFIER
607	   and other information associated with attribute types.

609	   Some attribute type names which are used in this version of LDAP are
610	   described in [RFC2252]. Servers may implement additional attribute
611	   types.

613	              Lightweight Directory Access Protocol Version 3

615	4.1.5. Attribute Description

617	   An AttributeDescription is a superset of the definition of the
618	   AttributeType. It has the same ASN.1 definition, but allows
619	   additional options to be specified. They are also case insensitive.

621	        AttributeDescription ::= LDAPString

623	   A value of AttributeDescription is based on the following BNF:

625	        <AttributeDescription> ::= <AttributeType> [ ";" <options> ]

627	        <options>  ::= <option> | <option> ";" <options>

629	        <option>   ::= <opt-char> <opt-char>*

631	        <opt-char> ::=  ASCII-equivalent letters, numbers and hyphen

633	   Examples of valid AttributeDescription:

635	        cn
636	        userCertificate;binary

638	   One option, "binary", is defined in this document. Additional options
639	   may be defined in IETF standards-track and experimental RFCs. Options
640	   beginning with "x-" are reserved for private experiments. Any option
641	   could be associated with any AttributeType, although not all
642	   combinations may be supported by a server.

644	   An AttributeDescription with one or more options is treated as a
645	   subtype of the attribute type without any options. Options present in
646	   an AttributeDescription are never mutually exclusive. Implementations
647	   MUST generate the <options> list sorted in ascending order, and
648	   servers MUST treat any two AttributeDescription with the same
649	   AttributeType and options as equivalent. A server will treat an
650	   AttributeDescription with any options it does not implement as an
651	   unrecognized attribute type.

653	   The data type "AttributeDescriptionList" describes a list of 0 or
654	   more attribute types. (A list of zero elements has special
655	   significance in the Search request.)

657	        AttributeDescriptionList ::= SEQUENCE OF
658	                AttributeDescription

660	4.1.5.1. Binary Option

662	   If the "binary" option is present in an AttributeDescription, it
663	   overrides any string-based encoding representation defined for that
664	   attribute in [RFC2252]. Instead the attribute is to be transferred as
665	   a binary value encoded using the Basic Encoding Rules [X.690]. The
666	   syntax of the binary value is an ASN.1 data type definition which is
667	   referenced by the "SYNTAX" part of the attribute type definition.

669	              Lightweight Directory Access Protocol Version 3

671	   The presence or absence of the "binary" option only affects the
672	   transfer of attribute values in protocol; servers store any
673	   particular attribute in a single format. If a client requests that a
674	   server return an attribute in the binary format, but the server
675	   cannot generate that format, the server MUST treat this attribute
676	   type as an unrecognized attribute type. Similarly, clients MUST NOT
677	   expect servers to return an attribute in binary format if the client
678	   requested that attribute by name without the binary option.

680	   This option is intended to be used with attributes whose syntax is a
681	   complex ASN.1 data type, and the structure of values of that type is
682	   needed by clients. Examples of this kind of syntax are "Certificate"
683	   and "CertificateList".

685	4.1.6. Attribute Value

687	   A field of type AttributeValue takes on as its value either a string
688	   encoding of a AttributeValue data type, or an OCTET STRING containing
689	   an encoded binary value, depending on whether the "binary" option is
690	   present in the companion AttributeDescription to this AttributeValue.

692	   The definition of string encodings for different syntaxes and types
693	   may be found in other documents, and in particular [RFC2252].

695	        AttributeValue ::= OCTET STRING

697	   Note that there is no defined limit on the size of this encoding;
698	   thus protocol values may include multi-megabyte attributes (e.g.
699	   photographs).

701	   Attributes may be defined which have arbitrary and non-printable
702	   syntax. Implementations MUST NEITHER simply display nor attempt to
703	   decode as ASN.1 a value if its syntax is not known. The
704	   implementation may attempt to discover the subschema of the source
705	   entry, and retrieve the values of attributeTypes from it.

707	   Clients MUST NOT send attribute values in a request which are not
708	   valid according to the syntax defined for the attributes.

710	4.1.7. Attribute Value Assertion

712	   The AttributeValueAssertion type definition is similar to the one in
713	   the X.500 directory standards. It contains an attribute description
714	   and a matching rule assertion value suitable for that type.

716	        AttributeValueAssertion ::= SEQUENCE {
717	                attributeDesc   AttributeDescription,
718	                assertionValue  AssertionValue }

720	        AssertionValue ::= OCTET STRING

722	   If the "binary" option is present in attributeDesc, this signals to
723	   the server that the assertionValue is a binary encoding of the
724	   assertion value.

726	              Lightweight Directory Access Protocol Version 3

728	   For all the string-valued user attributes described in [5], the
729	   assertion value syntax is the same as the value syntax. Clients may
730	   use attribute values as assertion values in compare requests and
731	   search filters.

733	   Note however that the assertion syntax may be different from the
734	   value syntax for other attributes or for non-equality matching rules.
735	   These may have an assertion syntax which contains only part of the
736	   value. See section 20.2.1.8 of [X.501] for examples.

738	4.1.8. Attribute

740	   An attribute consists of a type and one or more values of that type.
741	   (Though attributes MUST have at least one value when stored, due to
742	   access control restrictions the set may be empty when transferred in
743	   protocol. This is described in section 4.5.2, concerning the
744	   PartialAttributeList type.)

746	        Attribute ::= SEQUENCE {
747	                type    AttributeDescription,
748	                vals    SET OF AttributeValue }

750	   Each attribute value is distinct in the set (no duplicates). The
751	   order of attribute values within the vals set is undefined and
752	   implementation-dependent, and MUST NOT be relied upon.

754	4.1.9. Matching Rule Identifier

756	   A matching rule is a means of expressing how a server should compare
757	   an AssertionValue received in a search filter with an abstract data
758	   value. The matching rule defines the syntax of the assertion value
759	   and the process to be performed in the server.

761	   An X.501 (1993) Matching Rule is identified in the LDAP protocol by
762	   the printable representation of its OBJECT IDENTIFIER, either as one
763	   of the strings given in [RFC2252], or as decimal digits with
764	   components separated by periods, e.g. "caseIgnoreIA5Match" or
765	   "1.3.6.1.4.1.453.33.33".

767	        MatchingRuleId ::= LDAPString

769	   Servers which support matching rules for use in the extensibleMatch
770	   search filter MUST list the matching rules they implement in
771	   subschema entries, using the matchingRules attributes. The server
772	   SHOULD also list there, using the matchingRuleUse attribute, the
773	   attribute types with which each matching rule can be used. More
774	   information is given in section 4.4 of [RFC2252].

776	4.1.10. Result Message

778	   The LDAPResult is the construct used in this protocol to return
779	   success or failure indications from servers to clients. In response
780	   to various requests, servers will return responses containing fields
781	              Lightweight Directory Access Protocol Version 3

783	   of type LDAPResult to indicate the final status of a protocol
784	   operation request.

786	        LDAPResult ::= SEQUENCE {
787	                resultCode      ENUMERATED {
788	                        success                      (0),
789	                        operationsError              (1),
790	                        protocolError                (2),
791	                        timeLimitExceeded            (3),
792	                        sizeLimitExceeded            (4),
793	                        compareFalse                 (5),
794	                        compareTrue                  (6),
795	                        authMethodNotSupported       (7),
796	                        strongAuthRequired           (8),
797	                                        -- 9 reserved --
798	                        referral                     (10),  -- new
799	                        adminLimitExceeded           (11),  -- new
800	                        unavailableCriticalExtension (12),  -- new
801	                        confidentialityRequired      (13),  -- new
802	                        saslBindInProgress           (14),  -- new
803	                        noSuchAttribute              (16),
804	                        undefinedAttributeType       (17),
805	                        inappropriateMatching        (18),
806	                        constraintViolation          (19),
807	                        attributeOrValueExists       (20),
808	                        invalidAttributeSyntax       (21),
809	                                        -- 22-31 unused --
810	                        noSuchObject                 (32),
811	                        aliasProblem                 (33),
812	                        invalidDNSyntax              (34),
813	                        -- 35 reserved for undefined isLeaf --
814	                        aliasDereferencingProblem    (36),
815	                                        -- 37-47 unused --
816	                        inappropriateAuthentication  (48),
817	                        invalidCredentials           (49),
818	                        insufficientAccessRights     (50),
819	                        busy                         (51),
820	                        unavailable                  (52),
821	                        unwillingToPerform           (53),
822	                        loopDetect                   (54),
823	                                        -- 55-63 unused --
824	                        namingViolation              (64),
825	                        objectClassViolation         (65),
826	                        notAllowedOnNonLeaf          (66),
827	                        notAllowedOnRDN              (67),
828	                        entryAlreadyExists           (68),
829	                        objectClassModsProhibited    (69),
830	                                -- 70 reserved for CLDAP --
831	                        affectsMultipleDSAs          (71), -- new
832	                                        -- 72-79 unused --
833	                        other                        (80) },
834	                        -- 81-90 reserved for APIs --
835	                matchedDN       LDAPDN,
836	                errorMessage    LDAPString,

838	              Lightweight Directory Access Protocol Version 3

840	                referral        [3] Referral OPTIONAL }

842	   All the result codes with the exception of success, compareFalse and
843	   compareTrue are to be treated as meaning the operation could not be
844	   completed in its entirety.

846	   Most of the result codes are based on problem indications from X.511
847	   error data types. Result codes from 16 to 21 indicate an
848	   AttributeProblem, codes 32, 33, 34 and 36 indicate a NameProblem,
849	   codes 48, 49 and 50 indicate a SecurityProblem, codes 51 to 54
850	   indicate a ServiceProblem, and codes 64 to 69 and 71 indicates an
851	   UpdateProblem.

853	   If a client receives a result code which is not listed above, it is
854	   to be treated as an unknown error condition.

856	   The errorMessage field of this construct may, at the server's option,
857	   be used to return a string containing a textual, human-readable
858	   (terminal control and page formatting characters should be avoided)
859	   error diagnostic. As this error diagnostic is not standardized,
860	   implementations MUST NOT rely on the values returned. If the server
861	   chooses not to return a textual diagnostic, the errorMessage field of
862	   the LDAPResult type MUST contain a zero length string.

864	   For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
865	   aliasDereferencingProblem, the matchedDN field is set to the name of
866	   the lowest entry (object or alias) in the directory that was matched.
867	   If no aliases were dereferenced while attempting to locate the entry,
868	   this will be a truncated form of the name provided, or if aliases
869	   were dereferenced, of the resulting name, as defined in section 12.5
870	   of [X.511]. The matchedDN field is to be set to a zero length string
871	   with all other result codes.

873	4.1.11. Referral

875	   The referral result code indicates that the contacted server does not
876	   hold the target entry of the request. The referral field is present
877	   in an LDAPResult if the LDAPResult.resultCode field value is
878	   referral, and absent with all other result codes. It contains a
879	   reference to another server (or set of servers) which may be accessed
880	   via LDAP or other protocols. Referrals can be returned in response to
881	   any operation request (except unbind and abandon which do not have
882	   responses). At least one URL MUST be present in the Referral.

884	   The referral is not returned for a singleLevel or wholeSubtree search
885	   in which the search scope spans multiple naming contexts, and several
886	   different servers would need to be contacted to complete the
887	   operation. Instead, continuation references, described in section
888	   4.5.3, are returned.

890	        Referral ::= SEQUENCE OF LDAPURL  -- one or more

892	        LDAPURL ::= LDAPString -- limited to characters permitted in
893	                               -- URLs

895	              Lightweight Directory Access Protocol Version 3

897	   If the client wishes to progress the operation, it MUST follow the
898	   referral by contacting any one of servers. All the URLs MUST be
899	   equally capable of being used to progress the operation. (The
900	   mechanisms for how this is achieved by multiple servers are outside
901	   the scope of this document.)

903	   URLs for servers implementing the LDAP protocol are written according
904	   to [RFC2255]. If an alias was dereferenced, the <dn> part of the URL
905	   MUST be present, with the new target object name. If the <dn> part is
906	   present, the client MUST use this name in its next request to
907	   progress the operation, and if it is not present the client will use
908	   the same name as in the original request. Some servers (e.g.
909	   participating in distributed indexing) may provide a different filter
910	   in a referral for a search operation. If the filter part of the URL
911	   is present in an LDAPURL, the client MUST use this filter in its next
912	   request to progress this search, and if it is not present the client
913	   MUST use the same filter as it used for that search. Other aspects of
914	   the new request may be the same or different as the request which
915	   generated the referral.

917	   Note that UTF-8 characters appearing in a DN or search filter may not
918	   be legal for URLs (e.g. spaces) and MUST be escaped using the %
919	   method in [RFC2396].

921	   Other kinds of URLs may be returned, so long as the operation could
922	   be performed using that protocol.

924	4.1.12. Controls

926	   A control is a way to specify extension information. Controls which
927	   are sent as part of a request apply only to that request and are not
928	   saved.

930	        Controls ::= SEQUENCE OF Control

932	        Control ::= SEQUENCE {
933	                controlType             LDAPOID,
934	                criticality             BOOLEAN DEFAULT FALSE,
935	                controlValue            OCTET STRING OPTIONAL }

937	   The controlType field MUST be a UTF-8 encoded dotted-decimal
938	   representation of an OBJECT IDENTIFIER which uniquely identifies the
939	   control. This prevents conflicts between control names.

941	   The criticality field is either TRUE or FALSE.

943	   If the server recognizes the control type and it is appropriate for
944	   the operation, the server will make use of the control when
945	   performing the operation.

947	   If the server does not recognize the control type and the criticality
948	   field is TRUE, the server MUST NOT perform the operation, and MUST
949	   instead return the resultCode unavailableCriticalExtension.

951	              Lightweight Directory Access Protocol Version 3

953	   If the control is not appropriate for the operation and criticality
954	   field is TRUE, the server MUST NOT perform the operation, and MUST
955	   instead return the resultCode unavailableCriticalExtension.

957	   If the control is unrecognized or inappropriate but the criticality
958	   field is FALSE, the server MUST ignore the control.

960	   The controlValue contains any information associated with the
961	   control, and its format is defined for the control. The server MUST
962	   be prepared to handle arbitrary contents of the controlValue octet
963	   string, including zero bytes. It is absent only if there is no value
964	   information which is associated with a control of its type.

966	   This document does not define any controls. Controls may be defined
967	   in other documents. The definition of a control consists of:

969	   - the OBJECT IDENTIFIER assigned to the control,

971	   - whether the control is always noncritical, always critical, or
972	     critical at the client's option,

974	   - the format of the controlValue contents of the control.

976	   Servers list the controls which they recognize in the
977	   supportedControl attribute in the root DSE.

979	4.2. Bind Operation

981	   The function of the Bind Operation is to allow authentication
982	   information to be exchanged between the client and server.

984	   The Bind Request is defined as follows:

986	        BindRequest ::= [APPLICATION 0] SEQUENCE {
987	                version                 INTEGER (1 .. 127),
988	                name                    LDAPDN,
989	                authentication          AuthenticationChoice }

991	        AuthenticationChoice ::= CHOICE {
992	                simple                  [0] OCTET STRING,
993	                                         -- 1 and 2 reserved
994	                sasl                    [3] SaslCredentials }

996	        SaslCredentials ::= SEQUENCE {
997	                mechanism               LDAPString,
998	                credentials             OCTET STRING OPTIONAL }

1000	   Parameters of the Bind Request are:

1002	   - version: A version number indicating the version of the protocol
1003	     to be used in this protocol session. This document describes
1004	     version 3 of the LDAP protocol. Note that there is no version
1005	     negotiation, and the client just sets this parameter to the
1006	              Lightweight Directory Access Protocol Version 3

1008	     version it desires. If the client requests protocol version 2, a
1009	     server that supports the version 2 protocol as described in
1010	     [RFC1777] will not return any v3-specific protocol fields. (Note
1011	     that not all LDAP servers will support protocol version 2, since
1012	     they may be unable to generate the attribute syntaxes associated
1013	     with version 2.)

1015	   - name: The name of the directory object that the client wishes to
1016	        bind as. This field may take on a null value (a zero length
1017	        string) for the purposes of anonymous binds, when
1018	        authentication has been performed at a lower layer, or when
1019	        using SASL credentials with a mechanism that includes the
1020	        LDAPDN in the credentials.

1022	   - authentication: information used to authenticate the name, if any,
1023	     provided in the Bind Request.

1025	   Upon receipt of a Bind Request, a protocol server will authenticate
1026	   the requesting client, if necessary. The server will then return a
1027	   Bind Response to the client indicating the status of the
1028	   authentication.

1030	   Authorization is the use of this authentication information when
1031	   performing operations. Authorization MAY be affected by factors
1032	   outside of the LDAP Bind request, such as lower layer security
1033	   services.

1035	4.2.1. Sequencing of the Bind Request

1037	   For some SASL authentication mechanisms, it may be necessary for the
1038	   client to invoke the BindRequest multiple times. If at any stage the
1039	   client wishes to abort the bind process it MAY unbind and then drop
1040	   the underlying connection. Clients MUST NOT invoke operations between
1041	   two Bind requests made as part of a multi-stage bind.

1043	   A client may abort a SASL bind negotiation by sending a BindRequest
1044	   with a different value in the mechanism field of SaslCredentials, or
1045	   an AuthenticationChoice other than sasl.

1047	   If the client sends a BindRequest with the sasl mechanism field as an
1048	   empty string, the server MUST return a BindResponse with
1049	   authMethodNotSupported as the resultCode. This will allow clients to
1050	   abort a negotiation if it wishes to try again with the same SASL
1051	   mechanism.

1053	   Unlike LDAP v2, the client need not send a Bind Request in the first
1054	   PDU of the connection. The client may request any operations and the
1055	   server MUST treat these as unauthenticated. If the server requires
1056	   that the client bind before browsing or modifying the directory, the
1057	   server MAY reject a request other than binding, unbinding or an
1058	   extended request with the "operationsError" result.

1060	   If the client did not bind before sending a request and receives an
1061	   operationsError, it may then send a Bind Request. If this also fails
1062	              Lightweight Directory Access Protocol Version 3

1064	   or the client chooses not to bind on the existing connection, it will
1065	   close the connection, reopen it and begin again by first sending a
1066	   PDU with a Bind Request. This will aid in interoperating with servers
1067	   implementing other versions of LDAP.

1069	   Clients MAY send multiple bind requests on a connection to change
1070	   their credentials. A subsequent bind process has the effect of
1071	   abandoning all operations outstanding on the connection. (This
1072	   simplifies server implementation.) Authentication from earlier binds
1073	   are subsequently ignored, and so if the bind fails, the connection
1074	   will be treated as anonymous. If a SASL transfer encryption or
1075	   integrity mechanism has been negotiated, and that mechanism does not
1076	   support the changing of credentials from one identity to another,
1077	   then the client MUST instead establish a new connection.

1079	4.2.2. Authentication and Other Security Services

1081	   The simple authentication option provides minimal authentication
1082	   facilities, with the contents of the authentication field consisting
1083	   only of a cleartext password. Note that the use of cleartext
1084	   passwords is not recommended over open networks when there is no
1085	   authentication or encryption being performed by a lower layer; see
1086	   the "Security Considerations" section.

1088	   If no authentication is to be performed, then the simple
1089	   authentication option MUST be chosen, and the password be of zero
1090	   length. (This is often done by LDAPv2 clients.) Typically the DN is
1091	   also of zero length.

1093	   The sasl choice allows for any mechanism defined for use with SASL
1094	   [RFC2222]. The mechanism field contains the name of the mechanism.
1095	   The credentials field contains the arbitrary data used for
1096	   authentication, inside an OCTET STRING wrapper. Note that unlike some
1097	   Internet application protocols where SASL is used, LDAP is not text-
1098	   based, thus no base64 transformations are performed on the
1099	   credentials.

1101	   If any SASL-based integrity or confidentiality services are enabled,
1102	   they take effect following the transmission by the server and
1103	   reception by the client of the final BindResponse with resultCode
1104	   success.

1106	   The client can request that the server use authentication information
1107	   from a lower layer protocol by using the SASL EXTERNAL mechanism.

1109	4.2.3. Bind Response

1111	   The Bind Response is defined as follows.

1113	        BindResponse ::= [APPLICATION 1] SEQUENCE {
1114	             COMPONENTS OF LDAPResult,
1115	             serverSaslCreds    [7] OCTET STRING OPTIONAL }
1116	              Lightweight Directory Access Protocol Version 3

1118	   BindResponse consists simply of an indication from the server of the
1119	   status of the client's request for authentication.

1121	   If the bind was successful, the resultCode will be success, otherwise
1122	   it will be one of:

1124	   - operationsError: server encountered an internal error.

1126	   - protocolError: unrecognized version number or incorrect PDU
1127	     structure.

1129	   - authMethodNotSupported: unrecognized SASL mechanism name.

1131	   - strongAuthRequired: the server requires authentication be
1132	     performed with a SASL mechanism.

1134	   - referral: this server cannot accept this bind and the client
1135	     should try another.

1137	   - saslBindInProgress: the server requires the client to send a new
1138	     bind request, with the same sasl mechanism, to continue the
1139	     authentication process.

1141	   - inappropriateAuthentication: the server requires the client which
1142	     had attempted to bind anonymously or without supplying credentials
1143	     to provide some form of credentials.

1145	   - invalidCredentials: the wrong password was supplied or the SASL
1146	     credentials could not be processed.

1148	   - unavailable: the server is shutting down.

1150	   If the server does not support the client's requested protocol
1151	   version, it MUST set the resultCode to protocolError.

1153	   If the client receives a BindResponse response where the resultCode
1154	   was protocolError, it MUST close the connection as the server will be
1155	   unwilling to accept further operations. (This is for compatibility
1156	   with earlier versions of LDAP, in which the bind was always the first
1157	   operation, and there was no negotiation.)

1159	   The serverSaslCreds are used as part of a SASL-defined bind mechanism
1160	   to allow the client to authenticate the server to which it is
1161	   communicating, or to perform "challenge-response" authentication. If
1162	   the client bound with the password choice, or the SASL mechanism does
1163	   not require the server to return information to the client, then this
1164	   field is not to be included in the result.

1166	4.3. Unbind Operation

1168	   The function of the Unbind Operation is to terminate a protocol
1169	   session. The Unbind Operation is defined as follows:

1171	        UnbindRequest ::= [APPLICATION 2] NULL
1172	              Lightweight Directory Access Protocol Version 3

1174	   The Unbind Operation has no response defined. Upon transmission of an
1175	   UnbindRequest, a protocol client may assume that the protocol session
1176	   is terminated. Upon receipt of an UnbindRequest, a protocol server
1177	   may assume that the requesting client has terminated the session and
1178	   that all outstanding requests may be discarded, and may close the
1179	   connection.

1181	4.4. Unsolicited Notification

1183	   An unsolicited notification is an LDAPMessage sent from the server to
1184	   the client which is not in response to any LDAPMessage received by
1185	   the server. It is used to signal an extraordinary condition in the
1186	   server or in the connection between the client and the server. The
1187	   notification is of an advisory nature, and the server will not expect
1188	   any response to be returned from the client.

1190	   The unsolicited notification is structured as an LDAPMessage in which
1191	   the messageID is 0 and protocolOp is of the extendedResp form. The
1192	   responseName field of the ExtendedResponse is present. The LDAPOID
1193	   value MUST be unique for this notification, and not be used in any
1194	   other situation.

1196	   One unsolicited notification is defined in this document.

1198	4.4.1. Notice of Disconnection

1200	   This notification may be used by the server to advise the client that
1201	   the server is about to close the connection due to an error
1202	   condition. Note that this notification is NOT a response to an unbind
1203	   requested by the client: the server MUST follow the procedures of
1204	   section 4.3. This notification is intended to assist clients in
1205	   distinguishing between an error condition and a transient network
1206	   failure. As with a connection close due to network failure, the
1207	   client MUST NOT assume that any outstanding requests which modified
1208	   the directory have succeeded or failed.

1210	   The responseName is 1.3.6.1.4.1.1466.20036, the response field is
1211	   absent, and the resultCode is used to indicate the reason for the
1212	   disconnection.

1214	   The following resultCode values are to be used in this notification:

1216	   - protocolError: The server has received data from the client in
1217	     which the LDAPMessage structure could not be parsed.

1219	   - strongAuthRequired: The server has detected that an established
1220	     underlying security association protecting communication between
1221	     the client and server has unexpectedly failed or been compromised.

1223	   - unavailable: This server will stop accepting new connections and
1224	     operations on all existing connections, and be unavailable for an
1225	     extended period of time. The client may make use of an alternative
1226	     server.

1228	              Lightweight Directory Access Protocol Version 3

1230	   After sending this notice, the server MUST close the connection.
1231	   After receiving this notice, the client MUST NOT transmit any further
1232	   on the connection, and may abruptly close the connection.

1234	4.5. Search Operation

1236	   The Search Operation allows a client to request that a search be
1237	   performed on its behalf by a server. This can be used to read
1238	   attributes from a single entry, from entries immediately below a
1239	   particular entry, or a whole subtree of entries.

1241	4.5.1. Search Request

1243	   The Search Request is defined as follows:

1245	        SearchRequest ::= [APPLICATION 3] SEQUENCE {
1246	                baseObject      LDAPDN,
1247	                scope           ENUMERATED {
1248	                        baseObject              (0),
1249	                        singleLevel             (1),
1250	                        wholeSubtree            (2) },
1251	                derefAliases    ENUMERATED {
1252	                        neverDerefAliases       (0),
1253	                        derefInSearching        (1),
1254	                        derefFindingBaseObj     (2),
1255	                        derefAlways             (3) },
1256	                sizeLimit       INTEGER (0 .. maxInt),
1257	                timeLimit       INTEGER (0 .. maxInt),
1258	                typesOnly       BOOLEAN,
1259	                filter          Filter,
1260	                attributes      AttributeDescriptionList }

1262	        Filter ::= CHOICE {
1263	                and             [0] SET OF Filter,
1264	                or              [1] SET OF Filter,
1265	                not             [2] Filter,
1266	                equalityMatch   [3] AttributeValueAssertion,
1267	                substrings      [4] SubstringFilter,
1268	                greaterOrEqual  [5] AttributeValueAssertion,
1269	                lessOrEqual     [6] AttributeValueAssertion,
1270	                present         [7] AttributeDescription,
1271	                approxMatch     [8] AttributeValueAssertion,
1272	                extensibleMatch [9] MatchingRuleAssertion }

1274	        SubstringFilter ::= SEQUENCE {
1275	                type            AttributeDescription,
1276	                -- at least one must be present
1277	                substrings      SEQUENCE OF CHOICE {
1278	                        initial [0] LDAPString,
1279	                        any     [1] LDAPString,
1280	                        final   [2] LDAPString } }

1282	        MatchingRuleAssertion ::= SEQUENCE {
1283	              Lightweight Directory Access Protocol Version 3

1285	                matchingRule    [1] MatchingRuleId OPTIONAL,
1286	                type            [2] AttributeDescription OPTIONAL,
1287	                matchValue      [3] AssertionValue,
1288	                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

1290	   Parameters of the Search Request are:

1292	   - baseObject: An LDAPDN that is the base object entry relative to
1293	     which the search is to be performed.

1295	   - scope: An indicator of the scope of the search to be performed.
1296	     The semantics of the possible values of this field are identical
1297	     to the semantics of the scope field in the X.511 Search Operation.

1299	   - derefAliases: An indicator as to how alias objects (as defined in
1300	     X.501) are to be handled in searching. The semantics of the
1301	     possible values of this field are:

1303	             neverDerefAliases: do not dereference aliases in searching
1304	             or in locating the base object of the search;

1306	             derefInSearching: dereference aliases in subordinates of
1307	             the base object in searching, but not in locating the base
1308	             object of the search;

1310	             derefFindingBaseObj: dereference aliases in locating the
1311	             base object of the search, but not when searching
1312	             subordinates of the base object;

1314	             derefAlways: dereference aliases both in searching and in
1315	             locating the base object of the search.

1317	   - sizeLimit: A size limit that restricts the maximum number of
1318	     entries to be returned as a result of the search. A value of 0 in
1319	     this field indicates that no client-requested size limit
1320	     restrictions are in effect for the search. Servers may enforce a
1321	     maximum number of entries to return.

1323	   - timeLimit: A time limit that restricts the maximum time (in
1324	     seconds) allowed for a search. A value of 0 in this field
1325	     indicates that no client-requested time limit restrictions are in
1326	     effect for the search.

1328	   - typesOnly: An indicator as to whether search results will contain
1329	     both attribute types and values, or just attribute types. Setting
1330	     this field to TRUE causes only attribute types (no values) to be
1331	     returned. Setting this field to FALSE causes both attribute types
1332	     and values to be returned.

1334	   - filter: A filter that defines the conditions that must be
1335	     fulfilled in order for the search to match a given entry.

1337	     The 'and', 'or' and 'not' choices can be used to form combinations
1338	     of filters. At least one filter element MUST be present in an
1339	              Lightweight Directory Access Protocol Version 3

1341	     'and' or 'or' choice. The others match against individual
1342	     attribute values of entries in the scope of the search.
1343	     (Implementor's note: the 'not' filter is an example of a tagged
1344	     choice in an implicitly-tagged module. In BER this is treated as
1345	     if the tag was explicit.)

1347	     A server MUST evaluate filters according to the three-valued logic
1348	     of X.511 (1993) section 7.8.1. In summary, a filter is evaluated
1349	     to either "TRUE", "FALSE" or "Undefined". If the filter evaluates
1350	     to TRUE for a particular entry, then the attributes of that entry
1351	     are returned as part of the search result (subject to any
1352	     applicable access control restrictions). If the filter evaluates
1353	     to FALSE or Undefined, then the entry is ignored for the search.

1355	     A filter of the "and" choice is TRUE if all the filters in the SET
1356	     OF evaluate to TRUE, FALSE if at least one filter is FALSE, and
1357	     otherwise Undefined. A filter of the "or" choice is FALSE if all
1358	     of the filters in the SET OF evaluate to FALSE, TRUE if at least
1359	     one filter is TRUE, and Undefined otherwise. A filter of the "not"
1360	     choice is TRUE if the filter being negated is FALSE, FALSE if it
1361	     is TRUE, and Undefined if it is Undefined.

1363	     The present match evaluates to TRUE where there is an attribute or
1364	     subtype of the specified attribute description present in an
1365	     entry, and FALSE otherwise (including a presence test with an
1366	     unrecognized attribute description.)

1368	     The extensibleMatch is new in this version of LDAP. If the
1369	     matchingRule field is absent, the type field MUST be present, and
1370	     the equality match is performed for that type. If the type field
1371	     is absent and matchingRule is present, the matchValue is compared
1372	     against all attributes in an entry which support that
1373	     matchingRule, and the matchingRule determines the syntax for the
1374	     assertion value (the filter item evaluates to TRUE if it matches
1375	     with at least one attribute in the entry, FALSE if it does not
1376	     match any attribute in the entry, and Undefined if the
1377	     matchingRule is not recognized or the assertionValue cannot be
1378	     parsed.) If the type field is present and matchingRule is present,
1379	     the matchingRule MUST be one permitted for use with that type,
1380	     otherwise the filter item is undefined. If the dnAttributes field
1381	     is set to TRUE, the match is applied against all the attributes in
1382	     an entry's distinguished name as well, and also evaluates to TRUE
1383	     if there is at least one attribute in the distinguished name for
1384	     which the filter item evaluates to TRUE. (Editors note: The
1385	     dnAttributes field is present so that there does not need to be
1386	     multiple versions of generic matching rules such as for word
1387	     matching, one to apply to entries and another to apply to entries
1388	     and dn attributes as well).

1390	     A filter item evaluates to Undefined when the server would not be
1391	     able to determine whether the assertion value matches an entry. If
1392	     an attribute description in an equalityMatch, substrings,
1393	     greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch filter
1394	     is not recognized by the server, a matching rule id in the
1395	              Lightweight Directory Access Protocol Version 3

1397	     extensibleMatch is not recognized by the server, the assertion
1398	     value cannot be parsed, or the type of filtering requested is not
1399	     implemented, then the filter is Undefined. Thus for example if a
1400	     server did not recognize the attribute type shoeSize, a filter of
1401	     (shoeSize=*) would evaluate to FALSE, and the filters
1402	     (shoeSize=12), (shoeSize>=12) and (shoeSize<=12) would evaluate to
1403	     Undefined.

1405	     Servers MUST NOT return errors if attribute descriptions or
1406	     matching rule ids are not recognized, or assertion values cannot
1407	     be parsed. More details of filter processing are given in section
1408	     7.8 of [X.511].

1410	   - attributes: A list of the attributes to be returned from each
1411	     entry which matches the search filter. There are two special
1412	     values which may be used: an empty list with no attributes, and
1413	     the attribute description string "*".  Both of these signify that
1414	     all user attributes are to be returned.  (The "*" allows the
1415	     client to request all user attributes in addition to specific
1416	     operational attributes).

1418	     Attributes MUST be named at most once in the list, and are
1419	     returned at most once in an entry. If there are attribute
1420	     descriptions in the list which are not recognized, they are
1421	     ignored by the server.

1423	     If the client does not want any attributes returned, it can
1424	     specify a list containing only the attribute with OID "1.1". This
1425	     OID was chosen arbitrarily and does not correspond to any
1426	     attribute in use.

1428	     Client implementors should note that even if all user attributes
1429	     are requested, some attributes of the entry may not be included in
1430	     search results due to access controls or other restrictions.
1431	     Furthermore, servers will not return operational attributes, such
1432	     as objectClasses or attributeTypes, unless they are listed by
1433	     name, since there may be extremely large number of values for
1434	     certain operational attributes. (A list of operational attributes
1435	     for use in LDAP is given in [RFC2252].)

1437	   Note that an X.500 "list"-like operation can be emulated by the
1438	   client requesting a one-level LDAP search operation with a filter
1439	   checking for the existence of the objectClass attribute, and that an
1440	   X.500 "read"-like operation can be emulated by a base object LDAP
1441	   search operation with the same filter. A server which provides a
1442	   gateway to X.500 is not required to use the Read or List operations,
1443	   although it may choose to do so, and if it does must provide the same
1444	   semantics as the X.500 search operation.

1446	4.5.2. Search Result

1448	   The results of the search attempted by the server upon receipt of a
1449	   Search Request are returned in Search Responses, which are LDAP
1450	              Lightweight Directory Access Protocol Version 3

1452	   messages containing either SearchResultEntry, SearchResultReference,
1453	   ExtendedResponse or SearchResultDone data types.

1455	        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
1456	                objectName      LDAPDN,
1457	                attributes      PartialAttributeList }

1459	        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
1460	                type    AttributeDescription,
1461	                vals    SET OF AttributeValue }
1462	        -- implementors should note that the PartialAttributeList may
1463	        -- have zero elements (if none of the attributes of that entry
1464	        -- were requested, or could be returned), and that the vals set
1465	        -- may also have zero elements (if types only was requested, or
1466	        -- all values were excluded from the result.)

1468	        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
1469	        -- at least one LDAPURL element must be present

1471	        SearchResultDone ::= [APPLICATION 5] LDAPResult

1473	   Upon receipt of a Search Request, a server will perform the necessary
1474	   search of the DIT.

1476	   If the LDAP session is operating over a connection-oriented transport
1477	   such as TCP, the server will return to the client a sequence of
1478	   responses in separate LDAP messages. There may be zero or more
1479	   responses containing SearchResultEntry, one for each entry found
1480	   during the search. There may also be zero or more responses
1481	   containing SearchResultReference, one for each area not explored by
1482	   this server during the search. The SearchResultEntry and
1483	   SearchResultReference PDUs may come in any order. Following all the
1484	   SearchResultReference responses and all SearchResultEntry responses
1485	   to be returned by the server, the server will return a response
1486	   containing the SearchResultDone, which contains an indication of
1487	   success, or detailing any errors that have occurred.

1489	   Each entry returned in a SearchResultEntry will contain all
1490	   attributes, complete with associated values if necessary, as
1491	   specified in the attributes field of the Search Request. Return of
1492	   attributes is subject to access control and other administrative
1493	   policy. Some attributes may be returned in binary format (indicated
1494	   by the AttributeDescription in the response having the binary option
1495	   present).

1497	   Some attributes may be constructed by the server and appear in a
1498	   SearchResultEntry attribute list, although they are not stored
1499	   attributes of an entry. Clients MUST NOT assume that all attributes
1500	   can be modified, even if permitted by access control.

1502	   LDAPMessage responses of the ExtendedResponse form are reserved for
1503	   returning information associated with a control requested by the
1504	   client. These may be defined in future versions of this document.

1506	              Lightweight Directory Access Protocol Version 3

1508	4.5.3. Continuation References in the Search Result

1510	   If the server was able to locate the entry referred to by the
1511	   baseObject but was unable to search all the entries in the scope at
1512	   and under the baseObject, the server may return one or more
1513	   SearchResultReference entries, each containing a reference to another
1514	   set of servers for continuing the operation. A server MUST NOT return
1515	   any SearchResultReference if it has not located the baseObject and
1516	   thus has not searched any entries; in this case it would return a
1517	   SearchResultDone containing a referral resultCode.

1519	   In the absence of indexing information provided to a server from
1520	   servers holding subordinate naming contexts, SearchResultReference
1521	   responses are not affected by search filters and are always returned
1522	   when in scope.

1524	   The SearchResultReference is of the same data type as the Referral.
1525	   URLs for servers implementing the LDAP protocol are written according
1526	   to [RFC2255]. The <dn> part MUST be present in the URL, with the new
1527	   target object name. The client MUST use this name in its next
1528	   request. Some servers (e.g. part of a distributed index exchange
1529	   system) may provide a different filter in the URLs of the
1530	   SearchResultReference. If the filter part of the URL is present in an
1531	   LDAP URL, the client MUST use the new filter in its next request to
1532	   progress the search, and if the filter part is absent the client will
1533	   use again the same filter. Other aspects of the new search request
1534	   may be the same or different as the search which generated the
1535	   continuation references.
1536	   Other kinds of URLs may be returned so long as the operation could be
1537	   performed using that protocol.

1539	   The name of an unexplored subtree in a SearchResultReference need not
1540	   be subordinate to the base object.

1542	   In order to complete the search, the client MUST issue a new search
1543	   operation for each SearchResultReference that is returned. Note that
1544	   the abandon operation described in section 4.11 applies only to a
1545	   particular operation sent on a connection between a client and
1546	   server, and if the client has multiple outstanding search operations
1547	   to different servers, it MUST abandon each operation individually.

1549	   4.5.3.1. Example

1551	   For example, suppose the contacted server (hosta) holds the entry
1552	   "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW". It knows that
1553	   either LDAP-capable servers (hostb) or (hostc) hold
1554	   "OU=People,O=MNN,C=WW" (one is the master and the other server a
1555	   shadow), and that LDAP-capable server (hostd) holds the subtree
1556	   "OU=Roles,O=MNN,C=WW". If a subtree search of "O=MNN,C=WW" is
1557	   requested to the contacted server, it may return the following:

1559	     SearchResultEntry for O=MNN,C=WW
1560	     SearchResultEntry for CN=Manager,O=MNN,C=WW
1561	     SearchResultReference {
1562	              Lightweight Directory Access Protocol Version 3

1564	       ldap://hostb/OU=People,O=MNN,C=WW
1565	       ldap://hostc/OU=People,O=MNN,C=WW
1566	     }
1567	     SearchResultReference {
1568	       ldap://hostd/OU=Roles,O=MNN,C=WW
1569	     }
1570	     SearchResultDone (success)

1572	   Client implementors should note that when following a
1573	   SearchResultReference, additional SearchResultReference may be
1574	   generated. Continuing the example, if the client contacted the server
1575	   (hostb) and issued the search for the subtree "OU=People,O=MNN,C=WW",
1576	   the server might respond as follows:

1578	     SearchResultEntry for OU=People,O=MNN,C=WW
1579	     SearchResultReference {
1580	       ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
1581	     }
1582	     SearchResultReference {
1583	       ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
1584	     }
1585	     SearchResultDone (success)

1587	   If the contacted server does not hold the base object for the search,
1588	   then it will return a referral to the client. For example, if the
1589	   client requests a subtree search of "O=XYZ,C=US" to hosta, the server
1590	   may return only a SearchResultDone containing a referral.

1592	     SearchResultDone (referral) {
1593	       ldap://hostg/
1594	     }

1596	4.6. Modify Operation

1598	   The Modify Operation allows a client to request that a modification
1599	   of an entry be performed on its behalf by a server. The Modify
1600	   Request is defined as follows:

1602	        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
1603	                object          LDAPDN,
1604	                modification    SEQUENCE OF SEQUENCE {
1605	                        operation       ENUMERATED {
1606	                                                add     (0),
1607	                                                delete  (1),
1608	                                                replace (2) },
1609	                        modification    AttributeTypeAndValues } }

1611	        AttributeTypeAndValues ::= SEQUENCE {
1612	                type    AttributeDescription,
1613	                vals    SET OF AttributeValue }

1615	   Parameters of the Modify Request are:

1617	              Lightweight Directory Access Protocol Version 3

1619	   - object: The object to be modified. The value of this field
1620	     contains the DN of the entry to be modified. The server will not
1621	     perform any alias dereferencing in determining the object to be
1622	     modified.

1624	   - modification: A list of modifications to be performed on the
1625	     entry. The entire list of entry modifications MUST be performed in
1626	     the order they are listed, as a single atomic operation. While
1627	     individual modifications may violate the directory schema, the
1628	     resulting entry after the entire list of modifications is
1629	     performed MUST conform to the requirements of the directory
1630	     schema. The values that may be taken on by the 'operation' field
1631	     in each modification construct have the following semantics
1632	     respectively:

1634	             add: add values listed to the given attribute, creating the
1635	             attribute if necessary;

1637	             delete: delete values listed from the given attribute,
1638	             removing the entire attribute if no values are listed, or
1639	             if all current values of the attribute are listed for
1640	             deletion;

1642	             replace: replace all existing values of the given attribute
1643	             with the new values listed, creating the attribute if it
1644	             did not already exist. A replace with no value will delete
1645	             the entire attribute if it exists, and is ignored if the
1646	             attribute does not exist.

1648	   The result of the modify attempted by the server upon receipt of a
1649	   Modify Request is returned in a Modify Response, defined as follows:

1651	        ModifyResponse ::= [APPLICATION 7] LDAPResult

1653	   Upon receipt of a Modify Request, a server will perform the necessary
1654	   modifications to the DIT.

1656	   The server will return to the client a single Modify Response
1657	   indicating either the successful completion of the DIT modification,
1658	   or the reason that the modification failed. Note that due to the
1659	   requirement for atomicity in applying the list of modifications in
1660	   the Modify Request, the client may expect that no modifications of
1661	   the DIT have been performed if the Modify Response received indicates
1662	   any sort of error, and that all requested modifications have been
1663	   performed if the Modify Response indicates successful completion of
1664	   the Modify Operation. If the connection fails, whether the
1665	   modification occurred or not is indeterminate.

1667	   The Modify Operation cannot be used to remove from an entry any of
1668	   its distinguished values, those values which form the entry's
1669	   relative distinguished name. An attempt to do so will result in the
1670	   server returning the error notAllowedOnRDN. The Modify DN Operation
1671	   described in section 4.9 is used to rename an entry.

1673	              Lightweight Directory Access Protocol Version 3

1675	   If an equality match filter has not been defined for an attribute
1676	   type, clients MUST NOT attempt to delete individual values of that
1677	   attribute from an entry using the "delete" form of a modification,
1678	   and MUST instead use the "replace" form.

1680	   Note that due to the simplifications made in LDAP, there is not a
1681	   direct mapping of the modifications in an LDAP ModifyRequest onto the
1682	   EntryModifications of a DAP ModifyEntry operation, and different
1683	   implementations of LDAP-DAP gateways may use different means of
1684	   representing the change. If successful, the final effect of the
1685	   operations on the entry MUST be identical.

1687	4.7. Add Operation

1689	   The Add Operation allows a client to request the addition of an entry
1690	   into the directory. The Add Request is defined as follows:

1692	        AddRequest ::= [APPLICATION 8] SEQUENCE {
1693	                entry           LDAPDN,
1694	                attributes      AttributeList }

1696	        AttributeList ::= SEQUENCE OF SEQUENCE {
1697	                type    AttributeDescription,
1698	                vals    SET OF AttributeValue }

1700	   Parameters of the Add Request are:

1702	   - entry: the Distinguished Name of the entry to be added. Note that
1703	     the server will not dereference any aliases in locating the entry
1704	     to be added.

1706	   - attributes: the list of attributes that make up the content of the
1707	     entry being added. Clients MUST include distinguished values
1708	     (those forming the entry's own RDN) in this list, the objectClass
1709	     attribute, and values of any mandatory attributes of the listed
1710	     object classes. Clients MUST NOT supply the createTimestamp or
1711	     creatorsName attributes, since these will be generated
1712	     automatically by the server.

1714	   The entry named in the entry field of the AddRequest MUST NOT exist
1715	   for the AddRequest to succeed. The parent of the entry to be added
1716	   MUST exist. For example, if the client attempted to add
1717	   "CN=JS,O=Foo,C=US", the "O=Foo,C=US" entry did not exist, and the
1718	   "C=US" entry did exist, then the server would return the error
1719	   noSuchObject with the matchedDN field containing "C=US". If the
1720	   parent entry exists but is not in a naming context held by the
1721	   server, the server SHOULD return a referral to the server holding the
1722	   parent entry.

1724	   Servers implementations SHOULD NOT restrict where entries can be
1725	   located in the directory. Some servers MAY allow the administrator to
1726	   restrict the classes of entries which can be added to the directory.

1728	              Lightweight Directory Access Protocol Version 3

1730	   Upon receipt of an Add Request, a server will attempt to perform the
1731	   add requested. The result of the add attempt will be returned to the
1732	   client in the Add Response, defined as follows:

1734	        AddResponse ::= [APPLICATION 9] LDAPResult

1736	   A response of success indicates that the new entry is present in the
1737	   directory.

1739	4.8. Delete Operation

1741	   The Delete Operation allows a client to request the removal of an
1742	   entry from the directory. The Delete Request is defined as follows:

1744	        DelRequest ::= [APPLICATION 10] LDAPDN

1746	   The Delete Request consists of the Distinguished Name of the entry to
1747	   be deleted. Note that the server will not dereference aliases while
1748	   resolving the name of the target entry to be removed, and that only
1749	   leaf entries (those with no subordinate entries) can be deleted with
1750	   this operation.

1752	   The result of the delete attempted by the server upon receipt of a
1753	   Delete Request is returned in the Delete Response, defined as
1754	   follows:

1756	        DelResponse ::= [APPLICATION 11] LDAPResult

1758	   Upon receipt of a Delete Request, a server will attempt to perform
1759	   the entry removal requested. The result of the delete attempt will be
1760	   returned to the client in the Delete Response.

1762	4.9. Modify DN Operation

1764	   The Modify DN Operation allows a client to change the leftmost (least
1765	   significant) component of the name of an entry in the directory, or
1766	   to move a subtree of entries to a new location in the directory. The
1767	   Modify DN Request is defined as follows:

1769	        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
1770	                entry           LDAPDN,
1771	                newrdn          RelativeLDAPDN,
1772	                deleteoldrdn    BOOLEAN,
1773	                newSuperior     [0] LDAPDN OPTIONAL }

1775	   Parameters of the Modify DN Request are:

1777	   - entry: the Distinguished Name of the entry to be changed. This
1778	     entry may or may not have subordinate entries.

1780	   - newrdn: the RDN that will form the leftmost component of the new
1781	     name of the entry.

1783	              Lightweight Directory Access Protocol Version 3

1785	   - deleteoldrdn: a boolean parameter that controls whether the old
1786	     RDN attribute values are to be retained as attributes of the
1787	     entry, or deleted from the entry.

1789	   - newSuperior: if present, this is the Distinguished Name of the
1790	     entry which becomes the immediate superior of the existing entry.

1792	   The result of the name change attempted by the server upon receipt of
1793	   a Modify DN Request is returned in the Modify DN Response, defined as
1794	   follows:

1796	        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

1798	   Upon receipt of a ModifyDNRequest, a server will attempt to perform
1799	   the name change. The result of the name change attempt will be
1800	   returned to the client in the Modify DN Response.

1802	   For example, if the entry named in the "entry" parameter was "cn=John
1803	   Smith,c=US", the newrdn parameter was "cn=John Cougar Smith", and the
1804	   newSuperior parameter was absent, then this operation would attempt
1805	   to rename the entry to be "cn=John Cougar Smith,c=US". If there was
1806	   already an entry with that name, the operation would fail with error
1807	   code entryAlreadyExists.

1809	   If the deleteoldrdn parameter is TRUE, the values forming the old RDN
1810	   are deleted from the entry. If the deleteoldrdn parameter is FALSE,
1811	   the values forming the old RDN will be retained as non-distinguished
1812	   attribute values of the entry. The server may not perform the
1813	   operation and return an error code if the setting of the deleteoldrdn
1814	   parameter would cause a schema inconsistency in the entry.

1816	   Note that X.500 restricts the ModifyDN operation to only affect
1817	   entries that are contained within a single server. If the LDAP server
1818	   is mapped onto DAP, then this restriction will apply, and the
1819	   resultCode affectsMultipleDSAs will be returned if this error
1820	   occurred. In general clients MUST NOT expect to be able to perform
1821	   arbitrary movements of entries and subtrees between servers.

1823	4.10. Compare Operation

1825	   The Compare Operation allows a client to compare an assertion
1826	   provided with an entry in the directory. The Compare Request is
1827	   defined as follows:

1829	        CompareRequest ::= [APPLICATION 14] SEQUENCE {
1830	                entry           LDAPDN,
1831	                ava             AttributeValueAssertion }

1833	   Parameters of the Compare Request are:

1835	   - entry: the name of the entry to be compared with.

1837	   - ava: the assertion with which an attribute in the entry is to be
1838	     compared.

1840	              Lightweight Directory Access Protocol Version 3

1842	   The result of the compare attempted by the server upon receipt of a
1843	   Compare Request is returned in the Compare Response, defined as
1844	   follows:

1846	        CompareResponse ::= [APPLICATION 15] LDAPResult

1848	   Upon receipt of a Compare Request, a server will attempt to perform
1849	   the requested comparison. The result of the comparison will be
1850	   returned to the client in the Compare Response. Note that errors and
1851	   the result of comparison are all returned in the same construct.

1853	   Note that some directory systems may establish access controls which
1854	   permit the values of certain attributes (such as userPassword) to be
1855	   compared but not read. In a search result, it may be that an
1856	   attribute of that type would be returned, but with an empty set of
1857	   values.

1859	4.11. Abandon Operation

1861	   The function of the Abandon Operation is to allow a client to request
1862	   that the server abandon an outstanding operation. The Abandon Request
1863	   is defined as follows:

1865	        AbandonRequest ::= [APPLICATION 16] MessageID

1867	   The MessageID MUST be that of a an operation which was requested
1868	   earlier in this connection.

1870	   (The abandon request itself has its own message id. This is distinct
1871	   from the id of the earlier operation being abandoned.)

1873	   There is no response defined in the Abandon Operation. Upon
1874	   transmission of an Abandon Operation, a client may expect that the
1875	   operation identified by the Message ID in the Abandon Request has
1876	   been abandoned. In the event that a server receives an Abandon
1877	   Request on a Search Operation in the midst of transmitting responses
1878	   to the search, that server MUST cease transmitting entry responses to
1879	   the abandoned request immediately, and MUST NOT send the
1880	   SearchResponseDone. Of course, the server MUST ensure that only
1881	   properly encoded LDAPMessage PDUs are transmitted.

1883	   Clients MUST NOT send abandon requests for the same operation
1884	   multiple times, and MUST also be prepared to receive results from
1885	   operations it has abandoned (since these may have been in transit
1886	   when the abandon was requested).

1888	   Servers MUST discard abandon requests for message IDs they do not
1889	   recognize, for operations which cannot be abandoned, and for
1890	   operations which have already been abandoned.

1892	4.12. Extended Operation
1893	              Lightweight Directory Access Protocol Version 3

1895	   An extension mechanism has been added in this version of LDAP, in
1896	   order to allow additional operations to be defined for services not
1897	   available elsewhere in this protocol, for instance digitally signed
1898	   operations and results.

1900	   The extended operation allows clients to make requests and receive
1901	   responses with predefined syntaxes and semantics. These may be
1902	   defined in RFCs or be private to particular implementations. Each
1903	   request MUST have a unique OBJECT IDENTIFIER assigned to it.

1905	        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
1906	                requestName      [0] LDAPOID,
1907	                requestValue     [1] OCTET STRING OPTIONAL }

1909	   The requestName is a dotted-decimal representation of the OBJECT
1910	   IDENTIFIER corresponding to the request. The requestValue is
1911	   information in a form defined by that request, encapsulated inside an
1912	   OCTET STRING.

1914	   The server will respond to this with an LDAPMessage containing the
1915	   ExtendedResponse.

1917	        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
1918	                COMPONENTS OF LDAPResult,
1919	                responseName     [10] LDAPOID OPTIONAL,
1920	                response         [11] OCTET STRING OPTIONAL }

1922	   If the server does not recognize the request name, it MUST return
1923	   only the response fields from LDAPResult, containing the
1924	   protocolError result code.

1926	5. Protocol Element Encodings and Transfer

1928	   One underlying service is defined here. Clients and servers SHOULD
1929	   implement the mapping of LDAP over TCP described in 5.2.1.

1931	5.1. Mapping Onto BER-based Transport Services

1933	   The protocol elements of LDAP are encoded for exchange using the
1934	   Basic Encoding Rules (BER) [X.690] of ASN.1 [X.680]. However, due to
1935	   the high overhead involved in using certain elements of the BER, the
1936	   following additional restrictions are placed on BER-encodings of LDAP
1937	   protocol elements:

1939	   (1) Only the definite form of length encoding will be used.

1941	   (2) OCTET STRING values will be encoded in the primitive form only.

1943	   (3) If the value of a BOOLEAN type is true, the encoding MUST have
1944	       its contents octets set to hex "FF".

1946	   (4) If a value of a type is its default value, it MUST be absent.
1947	       Only some BOOLEAN and INTEGER types have default values in this
1948	       protocol definition.

1950	              Lightweight Directory Access Protocol Version 3

1952	   These restrictions do not apply to ASN.1 types encapsulated inside of
1953	   OCTET STRING values, such as attribute values, unless otherwise
1954	   noted.

1956	5.2. Transfer Protocols

1958	   This protocol is designed to run over connection-oriented, reliable
1959	   transports, with all 8 bits in an octet being significant in the data
1960	   stream.

1962	5.2.1. Transmission Control Protocol (TCP)

1964	   The LDAPMessage PDUs are mapped directly onto the TCP bytestream. It
1965	   is recommended that server implementations running over the TCP MAY
1966	   provide a protocol listener on the assigned port, 389. Servers may
1967	   instead provide a listener on a different port number. Clients MUST
1968	   support contacting servers on any valid TCP port.

1970	6. Implementation Guidelines

1972	   This document describes an Internet protocol.

1974	6.1. Server Implementations

1976	   The server MUST be capable of recognizing all the mandatory attribute
1977	   type names and implement the syntaxes specified in [RFC2252. Servers
1978	   MAY also recognize additional attribute type names.

1980	6.2. Client Implementations

1982	   Clients which request referrals MUST ensure that they do not loop
1983	   between servers. They MUST NOT repeatedly contact the same server for
1984	   the same request with the same target entry name, scope and filter.
1985	   Some clients may be using a counter that is incremented each time
1986	   referral handling occurs for an operation, and these kinds of clients
1987	   MUST be able to handle a DIT with at least ten layers of naming
1988	   contexts between the root and a leaf entry.

1990	   In the absence of prior agreements with servers, clients SHOULD NOT
1991	   assume that servers support any particular schemas beyond those
1992	   referenced in section 6.1. Different schemas can have different
1993	   attribute types with the same names. The client can retrieve the
1994	   subschema entries referenced by the subschemaSubentry attribute in
1995	   the server's root DSE or in entries held by the server.

1997	7. Security Considerations

1999	   When used with a connection-oriented transport, this version of the
2000	   protocol provides facilities for the LDAP v2 authentication
2001	   mechanism, simple authentication using a cleartext password, as well
2002	   as any SASL mechanism [RFC2222]. SASL allows for integrity and
2003	   privacy services to be negotiated.

2005	              Lightweight Directory Access Protocol Version 3

2007	   It is also permitted that the server can return its credentials to
2008	   the client, if it chooses to do so.

2010	   Use of cleartext password is strongly discouraged where the
2011	   underlying transport service cannot guarantee confidentiality and may
2012	   result in disclosure of the password to unauthorized parties.

2014	   When used with SASL, it should be noted that the name field of the
2015	   BindRequest is not protected against modification. Thus if the
2016	   distinguished name of the client (an LDAPDN) is agreed through the
2017	   negotiation of the credentials, it takes precedence over any value in
2018	   the unprotected name field.

2020	   Implementations which cache attributes and entries obtained via LDAP
2021	   MUST ensure that access controls are maintained if that information
2022	   is to be provided to multiple clients, since servers may have access
2023	   control policies which prevent the return of entries or attributes in
2024	   search results except to particular authenticated clients. For
2025	   example, caches could serve result information only to the client
2026	   whose request caused it to be cache.

2028	8. Acknowledgements

2030	   This document is an update to RFC 2251, by Mark Wahl, Tim Howes, and
2031	   Steve Kille. Their work along with the input of individuals of the
2032	   IETF LDAPEXT, LDUP, LDAPBIS, and other Working Groups is gratefully
2033	   acknowledged.

2035	9. Bibliography

2037	   [ISO10646]Universal Multiple-Octet Coded Character Set (UCS) -
2038	             Architecture and Basic Multilingual Plane, ISO/IEC 10646-1
2039	             : 1993.

2041	   [X.500]   ITU-T Rec. X.500, "The Directory: Overview of Concepts,
2042	             Models and Service", 1993.

2044	   [X.501]   ITU-T Rec. X.501, "The Directory: Models", 1993.

2046	   [X.511]   ITU-T Rec. X.511, "The Directory: Abstract Service
2047	             Definition", 1993.

2049	   [X.680]   ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
2050	             Specification of Basic Notation", 1994.

2052	   [X.690]   ITU-T Rec. X.690, "Specification of ASN.1 encoding rules:
2053	             Basic, Canonical, and Distinguished Encoding Rules", 1994.

2055	   [RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory
2056	             Access Protocol", RFC 1777, March 1995.

2058	   [RFC1823] Howes, T., and M. Smith, "The LDAP Application Program
2059	             Interface", RFC 1823, August 1995.

2061	              Lightweight Directory Access Protocol Version 3

2063	   [RFC2044] Yergeau, F., "UTF-8, a transformation format of Unicode
2064	             and ISO 10646", RFC 2044, October 1996.

2066	   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
2067	             Requirement Levels", RFC 2119, March 1997.

2069	   [RFC2222] Meyers, J., "Simple Authentication and Security Layer",
2070	             RFC 2222, October 1997.

2072	   [RFC2234] Crocker, D., and P. Overell, "Augmented BNF for Syntax
2073	             Specifications: ABNF", RFC 2234, November 1997.

2075	   [RFC2252] Wahl, M., Coulbeck, A., Howes, T., and S. Kille,
2076	             "Lightweight Directory Access Protocol (v3): Attribute
2077	             Syntax Definitions", RFC 2252, December 1997.

2079	   [RFC2253] Kille, S., Wahl, M., and T. Howes, "Lightweight Directory
2080	             Access Protocol (v3): UTF-8 String Representation of
2081	             Distinguished Names", RFC 2253, December 1997.

2083	   [RFC2255] Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
2084	             December 1997.

2086	   [RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter Uniform
2087	             Resource Identifiers (URI): Generic Syntax", RFC 2396,
2088	             August 1998.

2090	   [RFC2829] Wahl, M., Alvestrand, H., Hodges, J., and R. Morgan,
2091	             "Authentication Methods for LDAP", RFC 2829, May 2000

2093	   [RFC2830] Hodges, J., Morgan, R., and M. Wahl "Lightweight Directory
2094	             Access Protocol (v3): Extension for Transport Layer
2095	             Security", RFC 2830, May 2000

2097	10. Editor's Address

2099	   Jim Sermersheim
2100	   Novell, Inc.
2101	   1800 South Novell Place
2102	   Provo, Utah 84606, USA
2103	   jimse@novell.com
2104	   +1 801 861-3088
2105	              Lightweight Directory Access Protocol Version 3

2107	Appendix A - Complete ASN.1 Definition

2109	        Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
2110	        IMPLICIT TAGS ::=

2112	        BEGIN

2114	        LDAPMessage ::= SEQUENCE {
2115	                messageID       MessageID,
2116	                protocolOp      CHOICE {
2117	                        bindRequest     BindRequest,
2118	                        bindResponse    BindResponse,
2119	                        unbindRequest   UnbindRequest,
2120	                        searchRequest   SearchRequest,
2121	                        searchResEntry  SearchResultEntry,
2122	                        searchResDone   SearchResultDone,
2123	                        searchResRef    SearchResultReference,
2124	                        modifyRequest   ModifyRequest,
2125	                        modifyResponse  ModifyResponse,
2126	                        addRequest      AddRequest,
2127	                        addResponse     AddResponse,
2128	                        delRequest      DelRequest,
2129	                        delResponse     DelResponse,
2130	                        modDNRequest    ModifyDNRequest,
2131	                        modDNResponse   ModifyDNResponse,
2132	                        compareRequest  CompareRequest,
2133	                        compareResponse CompareResponse,
2134	                        abandonRequest  AbandonRequest,
2135	                        extendedReq     ExtendedRequest,
2136	                        extendedResp    ExtendedResponse },
2137	                 controls       [0] Controls OPTIONAL }

2139	        MessageID ::= INTEGER (0 .. maxInt)

2141	        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

2143	        LDAPString ::= OCTET STRING

2145	        LDAPOID ::= OCTET STRING

2147	        LDAPDN ::= LDAPString

2149	        RelativeLDAPDN ::= LDAPString

2151	        AttributeType ::= LDAPString

2153	        AttributeDescription ::= LDAPString

2155	        AttributeDescriptionList ::= SEQUENCE OF
2156	                AttributeDescription

2158	        AttributeValue ::= OCTET STRING

2160	        AttributeValueAssertion ::= SEQUENCE {
2161	              Lightweight Directory Access Protocol Version 3

2163	                attributeDesc   AttributeDescription,
2164	                assertionValue  AssertionValue }

2166	        AssertionValue ::= OCTET STRING

2168	        Attribute ::= SEQUENCE {
2169	                type    AttributeDescription,
2170	                vals    SET OF AttributeValue }

2172	        MatchingRuleId ::= LDAPString

2174	        LDAPResult ::= SEQUENCE {
2175	                resultCode      ENUMERATED {
2176	                             success                      (0),
2177	                             operationsError              (1),
2178	                             protocolError                (2),
2179	                             timeLimitExceeded            (3),
2180	                             sizeLimitExceeded            (4),
2181	                             compareFalse                 (5),
2182	                             compareTrue                  (6),
2183	                             authMethodNotSupported       (7),
2184	                             strongAuthRequired           (8),
2185	                                        -- 9 reserved --
2186	                             referral                     (10),  -- new
2187	                             adminLimitExceeded           (11),  -- new
2188	                             unavailableCriticalExtension (12),  -- new
2189	                             confidentialityRequired      (13),  -- new
2190	                             saslBindInProgress           (14),  -- new
2191	                             noSuchAttribute              (16),
2192	                             undefinedAttributeType       (17),
2193	                             inappropriateMatching        (18),
2194	                             constraintViolation          (19),
2195	                             attributeOrValueExists       (20),
2196	                             invalidAttributeSyntax       (21),
2197	                                        -- 22-31 unused --
2198	                             noSuchObject                 (32),
2199	                             aliasProblem                 (33),
2200	                             invalidDNSyntax              (34),
2201	                             -- 35 reserved for undefined isLeaf --
2202	                             aliasDereferencingProblem    (36),
2203	                                        -- 37-47 unused --
2204	                             inappropriateAuthentication  (48),
2205	                             invalidCredentials           (49),
2206	                             insufficientAccessRights     (50),
2207	                             busy                         (51),
2208	                             unavailable                  (52),
2209	                             unwillingToPerform           (53),
2210	                             loopDetect                   (54),
2211	                                        -- 55-63 unused --
2212	                             namingViolation              (64),
2213	                             objectClassViolation         (65),
2214	                             notAllowedOnNonLeaf          (66),
2215	                             notAllowedOnRDN              (67),
2216	                             entryAlreadyExists           (68),

2218	              Lightweight Directory Access Protocol Version 3

2220	                             objectClassModsProhibited    (69),
2221	                                        -- 70 reserved for CLDAP --
2222	                             affectsMultipleDSAs          (71), -- new
2223	                                        -- 72-79 unused --
2224	                             other                        (80) },
2225	                             -- 81-90 reserved for APIs --
2226	                matchedDN       LDAPDN,
2227	                errorMessage    LDAPString,
2228	                referral        [3] Referral OPTIONAL }

2230	        Referral ::= SEQUENCE OF LDAPURL

2232	        LDAPURL ::= LDAPString -- limited to characters permitted in
2233	                               -- URLs

2235	        Controls ::= SEQUENCE OF Control

2237	        Control ::= SEQUENCE {
2238	                controlType             LDAPOID,
2239	                criticality             BOOLEAN DEFAULT FALSE,
2240	                controlValue            OCTET STRING OPTIONAL }

2242	        BindRequest ::= [APPLICATION 0] SEQUENCE {
2243	                version                 INTEGER (1 .. 127),
2244	                name                    LDAPDN,
2245	                authentication          AuthenticationChoice }

2247	        AuthenticationChoice ::= CHOICE {
2248	                simple                  [0] OCTET STRING,
2249	                                         -- 1 and 2 reserved
2250	                sasl                    [3] SaslCredentials }

2252	        SaslCredentials ::= SEQUENCE {
2253	                mechanism               LDAPString,
2254	                credentials             OCTET STRING OPTIONAL }

2256	        BindResponse ::= [APPLICATION 1] SEQUENCE {
2257	             COMPONENTS OF LDAPResult,
2258	             serverSaslCreds    [7] OCTET STRING OPTIONAL }

2260	        UnbindRequest ::= [APPLICATION 2] NULL

2262	        SearchRequest ::= [APPLICATION 3] SEQUENCE {
2263	                baseObject      LDAPDN,
2264	                scope           ENUMERATED {
2265	                        baseObject              (0),
2266	                        singleLevel             (1),
2267	                        wholeSubtree            (2) },
2268	                derefAliases    ENUMERATED {
2269	                        neverDerefAliases       (0),
2270	                        derefInSearching        (1),
2271	                        derefFindingBaseObj     (2),
2272	                        derefAlways             (3) },
2273	                sizeLimit       INTEGER (0 .. maxInt),

2275	              Lightweight Directory Access Protocol Version 3

2277	                timeLimit       INTEGER (0 .. maxInt),
2278	                typesOnly       BOOLEAN,
2279	                filter          Filter,
2280	                attributes      AttributeDescriptionList }

2282	        Filter ::= CHOICE {
2283	                and             [0] SET OF Filter,
2284	                or              [1] SET OF Filter,
2285	                not             [2] Filter,
2286	                equalityMatch   [3] AttributeValueAssertion,
2287	                substrings      [4] SubstringFilter,
2288	                greaterOrEqual  [5] AttributeValueAssertion,
2289	                lessOrEqual     [6] AttributeValueAssertion,
2290	                present         [7] AttributeDescription,
2291	                approxMatch     [8] AttributeValueAssertion,
2292	                extensibleMatch [9] MatchingRuleAssertion }

2294	        SubstringFilter ::= SEQUENCE {
2295	                type            AttributeDescription,
2296	                -- at least one must be present
2297	                substrings      SEQUENCE OF CHOICE {
2298	                        initial [0] LDAPString,
2299	                        any     [1] LDAPString,
2300	                        final   [2] LDAPString } }

2302	        MatchingRuleAssertion ::= SEQUENCE {
2303	                matchingRule    [1] MatchingRuleId OPTIONAL,
2304	                type            [2] AttributeDescription OPTIONAL,
2305	                matchValue      [3] AssertionValue,
2306	                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

2308	        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
2309	                objectName      LDAPDN,
2310	                attributes      PartialAttributeList }

2312	        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
2313	                type    AttributeDescription,
2314	                vals    SET OF AttributeValue }

2316	        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL

2318	        SearchResultDone ::= [APPLICATION 5] LDAPResult

2320	        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
2321	                object          LDAPDN,
2322	                modification    SEQUENCE OF SEQUENCE {
2323	                        operation       ENUMERATED {
2324	                                                add     (0),
2325	                                                delete  (1),
2326	                                                replace (2) },
2327	                        modification    AttributeTypeAndValues } }

2329	        AttributeTypeAndValues ::= SEQUENCE {
2330	                type    AttributeDescription,

2332	              Lightweight Directory Access Protocol Version 3

2334	                vals    SET OF AttributeValue }

2336	        ModifyResponse ::= [APPLICATION 7] LDAPResult

2338	        AddRequest ::= [APPLICATION 8] SEQUENCE {
2339	                entry           LDAPDN,
2340	                attributes      AttributeList }

2342	        AttributeList ::= SEQUENCE OF SEQUENCE {
2343	                type    AttributeDescription,
2344	                vals    SET OF AttributeValue }

2346	        AddResponse ::= [APPLICATION 9] LDAPResult

2348	        DelRequest ::= [APPLICATION 10] LDAPDN

2350	        DelResponse ::= [APPLICATION 11] LDAPResult

2352	        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
2353	                entry           LDAPDN,
2354	                newrdn          RelativeLDAPDN,
2355	                deleteoldrdn    BOOLEAN,
2356	                newSuperior     [0] LDAPDN OPTIONAL }

2358	        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

2360	        CompareRequest ::= [APPLICATION 14] SEQUENCE {
2361	                entry           LDAPDN,
2362	                ava             AttributeValueAssertion }

2364	        CompareResponse ::= [APPLICATION 15] LDAPResult

2366	        AbandonRequest ::= [APPLICATION 16] MessageID

2368	        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
2369	                requestName      [0] LDAPOID,
2370	                requestValue     [1] OCTET STRING OPTIONAL }

2372	        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
2373	                COMPONENTS OF LDAPResult,
2374	                responseName     [10] LDAPOID OPTIONAL,
2375	                response         [11] OCTET STRING OPTIONAL }

2377	        END
2378	              Lightweight Directory Access Protocol Version 3

2380	Appendix B - Change History
2381	Changes made to RFC 2251:

2383	B.1 Editorial

2385	   - Bibliography References: Changed all bibliography references to
2386	     use a long name form for readability.
2387	   - Changed occurrences of "unsupportedCriticalExtension"
2388	     "unavailableCriticalExtension"
2389	   - Fixed a small number of misspellings (mostly dropped letters).

2391	B.2 Section 1

2393	   - Removed IESG note.

2395	B.3 Section 9

2397	   - Added references to RFCs 1823, 2234, 2829 and 2830.

2399	Appendix C - Outstanding Work Items

2401	C.1 Integrate result codes draft.

2403	   The result codes draft should be reconciled with this draft.
2404	   Operation-specific instructions will reside with operations while the
2405	   error-specific sections will be added as an appendix.

2407	C.2 Section 3.1

2409	   - Add "This also increases the complexity of clients in this
2410	     version." to fourth paragraph.

2412	C.3 Section 4

2414	   - Remove "typically" from "and is typically transferred" in the
2415	     first paragraph.
2416	   - Change "MUST ignore elements of SEQUENCE encodings whose tags they
2417	     do not recognize" to "MUST ignore tagged elements of SEQUENCE
2418	     encodings that they do not recognize" in the first paragraph.
2419	   - Add "See Section 5.1 for information on mapping the LDAP protocol
2420	     to BER." to the first paragraph.
2421	   - Change "version 3 " to "version 3 or later" in the second
2422	     paragraph.
2423	   - Change "protocol version" to "protocol versions" in the third
2424	     paragraph.
2425	   - Change "version 2 may not provide this attribute." to "version 2
2426	     MAY NOT provide this attribute, or a root DSE." in the third
2427	     paragraph.

2429	C.4 Section 4.1.1

2431	   - Change "the client may discard the PDU, or may abruptly close the
2432	     connection." to "the client MAY discard the PDU, or MAY abruptly
2433	     close the connection." in the fourth paragraph.

2435	              Lightweight Directory Access Protocol Version 3

2437	C.5 Section 4.1.1.1

2439	   - Add "If an unsolicited notification as described in section 4.4 is
2440	     sent from a server, the messageID value MUST be zero." to first
2441	     paragraph.
2442	   - Change "MUST have a value different" to "MUST have a non-zero
2443	     value different" in the second paragraph.
2444	   - Remove "or of the abandoned operation until it has received a
2445	     response from the server for another request invoked subsequent to
2446	     the abandonRequest," from the fourth paragraph as this imposes
2447	     synchronous behavior on the server.

2449	C.6 Section 4.1.2

2451	   - Add ABNF for the textual representation of LDAPOID.

2453	C.7 Section 4.1.4

2455	   - Change "This identifier may be written as decimal digits with
2456	     components separated by periods, e.g. "2.5.4.10"" to "may be
2457	     written as defined by ldapOID in section 4.1.2" in the second
2458	     paragraph.
2459	   - Add "Note that due to the restriction above, and due to this
2460	     allowance, servers MUST ensure that, within a controlling
2461	     subschema, no two attributes be named the same." to the fifth
2462	     paragraph.
2463	   - Resolve issue on list with the subject "Attribute Type character
2464	     set".

2466	C.8 Section 4.1.5

2468	   - Change "A server may treat" to "A server MUST treat" in the second
2469	     to last paragraph.
2470	   - Change "A server MUST treat an AttributeDescription with any
2471	     options it does not implement as an unrecognized attribute type."
2472	     to "A server MUST treat an AttributeDescription with any options
2473	     it does not implement or support as an unrecognized attribute
2474	     type." in the second to last paragraph.
2475	   - Clarify the statement "An AttributeDescription with one or more
2476	     options is treated as a subtype of the attribute type without any
2477	     options". There is an unresolved thread titles "RFC 2596
2478	     questions" on the ietf-ldapext list regarding this.

2480	C.9 Section 4.1.5.1

2482	   - Add "Servers SHOULD only return attributes with printable string
2483	     representations as binary when clients request binary transfer."
2484	     to the second paragraph.
2485	   - Clarify whether the "binary" attribute type option is to be
2486	     treated as a subtype.

2488	C.10 Section 4.1.6
2489	              Lightweight Directory Access Protocol Version 3

2491	   - Add something like "or the attribute syntax is Binary" to
2492	     "depending on whether the "binary" option is present" in first
2493	     paragraph.

2495	C.11 Section 4.1.7

2497	   - Change "For all the string-valued user attributes described in
2498	     [5], the assertion value syntax is the same as the value syntax."
2499	     to "The assertion value syntax for all attributes using human-
2500	     readable syntaxes as described in [RFC2252] is the same as the
2501	     value syntax unless otherwise noted (an example being
2502	     objectIdentifierFirstComponentMatch)." in the third paragraph.
2503	   - Add a fourth paragraph: "Servers SHOULD NOT generate codes 81-90
2504	     as these are reserved for use by historical APIs [RFC 1823].
2505	     Later API specifications SHOULD avoid using the resultCode
2506	     enumeration to represent anything other than a protocol result
2507	     indication."

2509	C.12 Section 4.1.8

2511	   - Change "when transferred in protocol" to "when transferred from
2512	     the server to the client" in the first paragraph.

2514	C.13 Section 4.1.11

2516	   - Resolve the intent of "All the URLs MUST be equally capable of
2517	     being used to progress the operation" This is being discussed as
2518	     "Following referrals" on the list.
2519	   - Change "The referral error" to "The referral result code" in the
2520	     first paragraph.
2521	   - Change "It contains a reference to another server (or set of
2522	     servers)" to "It contains one or more references to one or more
2523	     servers or services" in the first paragraph.
2524	   - Add "after locating the target entry" to the first paragraph.

2526	C.14 Section 4.1.12

2528	   - Change "The server MUST be prepared" to "The client and server
2529	     MUST be prepared" in the eighth paragraph
2530	   - Clarify whether or not a client should ignore the criticality
2531	     field.
2532	   - Specify how unbind and abandon are to handle an unknown or
2533	     inappropriate critical control.
2534	   - Specify whether or not servers are to advertise the OIDs of known
2535	     response controls.

2537	C.15 Section 4.2

2539	   - Resolve anonymous vs. unauthenticated connections. See "anonymous
2540	     binds" on list.
2541	   -Change "LDAPDN" to "identity" in the definition of the name field.
2542	   -Rework definition of the name field to enumerate empty password and
2543	    name combinations. <Needs more work following discussion on list>
2544	              Lightweight Directory Access Protocol Version 3

2546	C.16 Section 4.2.1

2548	   - Change "unauthenticated" to "anonymous" in the fourth paragraph.
2549	   - Resolve the meaning of "no authentication" in first paragraph. See
2550	     "Clarification of "authentication"" on list.
2551	   - Needs to be fixed after resolving issue in C.8

2553	C.17 Section 4.2.2

2555	   - Change "Typically the DN is also of zero length." to "The name
2556	     field SHOULD also be zero length and, if provided, MUST be ignored
2557	     by the server." in the second paragraph. <This needs further
2558	     resolution on the list.>
2559	   - Add "(anonymous bind)" to second paragraph. <Needs to be
2560	     reconciled with work done to 4.2>
2561	   - Add "as the authentication identity" to second paragraph.

2563	C.18 Section 4.2.3

2565	   - Change "If the bind was successful, the resultCode will be
2566	     success, otherwise it will be one of" to "If the bind was
2567	     successful, the resultCode will be success, otherwise it MAY be
2568	     one of" in the third paragraph. <May need further refinement when
2569	     reconciled with resultCode draft>.
2570	   - Change "operationsError" to "other" as a result code.
2571	   - Change "If the client bound with the password choice" to "If the
2572	     client bound with the simple choice" in the last paragraph.

2574	C.19 Section 4.3

2576	   - Change "a protocol client may assume that the protocol session is
2577	     terminated and MAY close the connection." to "a protocol client
2578	     MUST assume that the protocol session is terminated and MAY close
2579	     the connection." in the second paragraph.
2580	   - Change "a protocol server may assume" to "a protocol server MUST
2581	     assume" in the second paragraph.
2582	   - Change "and may close the connection" to "and MUST close the
2583	     connection" in the second paragraph.

2585	C.20 Section 4.4

2587	   - Change "One unsolicited notification is defined" to "One
2588	     unsolicited notification (Notice of Disconnection) is defined" in
2589	     the third paragraph.
2590	   - Add "other than Notice of Disconnection" in the third paragraph.
2591	   - Add "Servers SHOULD NOT assume LDAPv3 clients understand or
2592	     recognize unsolicited notifications or unsolicited controls other
2593	     than Notice of Disconnection defined below.  Servers SHOULD avoid
2594	     sending unsolicited notifications unless they know (by related
2595	     request or other means) that the client can make use of the
2596	     notification." as a fourth paragraph.

2598	C.21 Section 4.5.1
2599	              Lightweight Directory Access Protocol Version 3

2601	   - Make sure the use of "subordinates" in the derefInSearching
2602	     definition is correct. See "derefInSearching" on list.
2603	   - Change "checking for the existence of the objectClass attribute"
2604	     to "checking for the presence of the objectClass attribute" in the
2605	     last paragraph.

2607	C.22 Section 4.5.2

2609	   - Change "Following all the SearchResultReference responses and all
2610	     SearchResultEntry responses to be returned by the server" to
2611	     "Following all the SearchResultReference responses,
2612	     SearchResultEntry responses, and ExtendedResponses to be returned
2613	     by the server" in the third paragraph.
2614	   - Add "associated with a search operation" to the sixth paragraph.
2615	   - Same problem as in C.5.

2617	C.23 Section 4.5.3

2619	   - Add "Similarly, a server MUST NOT return a SearchResultReference
2620	     when the scope of the search is baseObject. If a client receives
2621	     such a SearchResultReference it MUST interpret is as a protocol
2622	     error and MUST NOT follow it." to the first paragraph.
2623	   - Add "If the scope part of the LDAP URL is present, the client MUST
2624	     use the new scope in its next request to progress the search. If
2625	     the scope part is absent the client MUST use subtree scope to
2626	     complete subtree searches and base scope to complete one level
2627	     searches." to the third paragraph.
2628	   - Remove "different" from "outstanding search operations to
2629	     different servers," in the fifth paragraph as they may be to the
2630	     same server.

2632	C.24 Section 4.5.3.1

2634	   - Change examples to use dc naming.

2636	C.25 Section 4.6

2638	   - Resolve the meaning of "and is ignored if the attribute does not
2639	     exist". See "modify: "non-existent attribute"" on the list.
2640	   - Change "clients MUST NOT attempt to delete" to "clients MUST NOT
2641	     attempt to add or delete" in the second to last paragraph.
2642	   - Change "using the "delete" form" to "using the "add" or "delete"
2643	     form" in the second to last paragraph.

2645	C.26 Section 4.7

2647	   - Change "Clients MUST NOT supply the createTimestamp or
2648	     creatorsName attributes, since these will be generated
2649	     automatically by the server." to "Clients MUST NOT supply NO-USER-
2650	     MODIFICATION attributes such as createTimestamp or creatorsName
2651	     attributes, since these are provided by the server." in the
2652	     definition of the attributes field.
2653	   - Change examples to use dc naming.

2655	              Lightweight Directory Access Protocol Version 3

2657	   - Clarify the paragraph that talks about structure rules. See
2658	     "discussing structure rules" on the list.

2660	C.27 Section 4.10

2662	   - Specify what happens when the attr is missing vs. attr isn't in
2663	     schema. Also what happens if there's no equality matching rule.

2665	C.28 Section 4.11

2667	   - Change "has been" to "will be" in the fourth paragraph.
2668	   - Change "(since these may have been in transit when the abandon was
2669	     requested)." to "(since these may either have been in transit when
2670	     the abandon was requested, or are not able to be abandoned)." in
2671	     the fifth paragraph.
2672	   - Add "Abandon and Unbind operations are not able to be abandoned.
2673	     Other operations, in particular update operations, or operations
2674	     that have been chained, may not be abandonable (or immediately
2675	     abandonable)." as the sixth paragraph.

2677	C.29 Section 4.12

2679	   - Change "digitally signed operations and results" to "for instance
2680	     StartTLS [RFC2830]"

2682	C.30 Section 5.1

2684	   - Add "control and extended operation values" to last paragraph. See
2685	     "LBER (BER Restrictions)" on list.

2687	C.31 Section 5.2.1

2689	   - Add "using the BER-based described in section 5.1".

2691	C.32 Section 6.1

2693	   - Add "that are used by those attributes" to the first paragraph.
2694	   - Add "Servers which support update operations MUST, and other
2695	     servers SHOULD, support strong authentication mechanisms described
2696	     in [RFC2829]." as a second paragraph.
2697	   - Add "Servers which provide access to sensitive information MUST,
2698	     and other servers SHOULD support privacy protections such as those
2699	     described in [RFC2829] and [RFC2830]." as a third paragraph.

2701	C.33 Section 7

2703	   - Add "Servers which support update operations MUST, and other
2704	     servers SHOULD, support strong authentication mechanisms described
2705	     in [RFC2829]." as a fourth paragraph.
2706	   - Add "In order to automatically follow referrals, clients may need
2707	     to hold authentication secrets. This poses significant privacy and
2708	     security concerns and SHOULD be avoided." as a sixth paragraph.
2709	   - Add "This document provides a mechanism which clients may use to
2710	     discover operational attributes. Those relying on security by
2711	              Lightweight Directory Access Protocol Version 3

2713	     obscurity should implement appropriate access controls to
2714	     restricts access to operational attributes per local policy." as
2715	     an eighth paragraph.

2717	C.34 Section 8

2719	   - Update section to reflect that this updates RFC 2251.

2721	C.36 Various sections

2723	   - State that alias dereferencing is not to be done for bind, moddn
2724	     and compare. See "When to not deref aliases" on list.

2726	              Lightweight Directory Access Protocol Version 3

2728	   Full Copyright Statement

2730	   Copyright (C) The Internet Society (2000). All Rights Reserved.

2732	   This document and translations of it may be copied and furnished to
2733	   others, and derivative works that comment on or otherwise explain it
2734	   or assist in its implementation may be prepared, copied, published
2735	   and distributed, in whole or in part, without restriction of any
2736	   kind, provided that the above copyright notice and this paragraph are
2737	   included on all such copies and derivative works. However, this
2738	   document itself may not be modified in any way, such as by removing
2739	   the copyright notice or references to the Internet Society or other
2740	   Internet organizations, except as needed for the purpose of
2741	   developing Internet standards in which case the procedures for
2742	   copyrights defined in the Internet Standards process must be
2743	   followed, or as required to translate it into languages other than
2744	   English.

2746	   The limited permissions granted above are perpetual and will not be
2747	   revoked by the Internet Society or its successors or assigns.

2749	   This document and the information contained herein is provided on an
2750	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
2751	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
2752	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
2753	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
2754	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.