idnits 2.17.1 

draft-ietf-ldapbis-protocol-01.txt:
  ** The Abstract section seems to be numbered


  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == There is 1 instance of lines with non-ascii characters in the document.

  == The page length should not exceed 58 lines per page, but there was 5
     longer pages, the longest (page 3) being 59 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.
     (A line matching the expected section header was found, but with an
    unexpected indentation:
     '                scope           ENUMERATED {' )

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([RFC1777], [RFC2119]), which
     it shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     RFC 2119 keyword, line 227: '...e distinguished name (RDN), which MUST...'
     RFC 2119 keyword, line 241: '...ing or shadowing MUST ensure that they...'
     RFC 2119 keyword, line 277: '...   Each entry MUST have an objectClass...'
     RFC 2119 keyword, line 296: '...   Servers MUST NOT permit clients to ...'
     RFC 2119 keyword, line 304: '...   Entries MAY contain, among others, ...'
     (177 more instances...)

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The exact meaning of the all-uppercase expression 'MAY NOT' is not
     defined in RFC 2119.  If it is intended as a requirements expression, it
     should be rewritten using one of the combinations defined in RFC 2119;
     otherwise it should not be all-uppercase.

  == The expression 'MAY NOT', while looking like RFC 2119 requirements text,
     is not defined in RFC 2119, and should not be used.  Consider using 'MUST
     NOT' instead (if that is what you mean).
     
     Found 'MAY NOT' in this paragraph:
     
     - Remove "typically" from "and is typically transferred" in the
     first paragraph. - Change "MUST ignore elements of SEQUENCE encodings
     whose tags they do not recognize" to "MUST ignore tagged elements of
     SEQUENCE encodings that they do not recognize" in the first paragraph. -
     Add "See Section 5.1 for information on mapping the LDAP protocol to
     BER." to the first paragraph. - Change "version 3 " to "version 3 or
     later" in the second paragraph. - Change "protocol version" to "protocol
     versions" in the third paragraph. - Change "version 2 may not provide
     this attribute." to "version 2 MAY NOT provide this attribute, or a root
     DSE." in the third paragraph.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (February 2001) is 8464 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'RFC2026' on line 13 looks like a reference

  -- Missing reference section? 'RFC2119' on line 2080 looks like a reference

  -- Missing reference section? 'RFC1777' on line 2071 looks like a reference

  -- Missing reference section? 'RFC2252' on line 2558 looks like a reference

  -- Missing reference section? '0' on line 2386 looks like a reference

  -- Missing reference section? 'ISO10646' on line 533 looks like a reference

  -- Missing reference section? 'RFC2044' on line 2077 looks like a reference

  -- Missing reference section? 'RFC2253' on line 2093 looks like a reference

  -- Missing reference section? '5' on line 2556 looks like a reference

  -- Missing reference section? '3' on line 2322 looks like a reference

  -- Missing reference section? 'RFC2255' on line 2097 looks like a reference

  -- Missing reference section? 'RFC2396' on line 2100 looks like a reference

  -- Missing reference section? 'APPLICATION 0' on line 2259 looks like a
     reference

  -- Missing reference section? 'RFC2222' on line 2083 looks like a reference

  -- Missing reference section? 'APPLICATION 1' on line 2273 looks like a
     reference

  -- Missing reference section? '7' on line 2307 looks like a reference

  -- Missing reference section? 'APPLICATION 2' on line 2277 looks like a
     reference

  -- Missing reference section? 'APPLICATION 3' on line 2279 looks like a
     reference

  -- Missing reference section? '1' on line 2387 looks like a reference

  -- Missing reference section? '2' on line 2321 looks like a reference

  -- Missing reference section? '4' on line 2323 looks like a reference

  -- Missing reference section? '6' on line 2306 looks like a reference

  -- Missing reference section? '8' on line 2308 looks like a reference

  -- Missing reference section? '9' on line 2309 looks like a reference

  -- Missing reference section? 'APPLICATION 4' on line 2325 looks like a
     reference

  -- Missing reference section? 'APPLICATION 19' on line 2333 looks like a
     reference

  -- Missing reference section? 'APPLICATION 5' on line 2335 looks like a
     reference

  -- Missing reference section? 'APPLICATION 6' on line 2337 looks like a
     reference

  -- Missing reference section? 'APPLICATION 7' on line 2353 looks like a
     reference

  -- Missing reference section? 'APPLICATION 8' on line 2355 looks like a
     reference

  -- Missing reference section? 'APPLICATION 9' on line 2363 looks like a
     reference

  -- Missing reference section? 'APPLICATION 10' on line 2365 looks like a
     reference

  -- Missing reference section? 'APPLICATION 11' on line 2367 looks like a
     reference

  -- Missing reference section? 'APPLICATION 12' on line 2369 looks like a
     reference

  -- Missing reference section? 'APPLICATION 13' on line 2375 looks like a
     reference

  -- Missing reference section? 'APPLICATION 14' on line 2377 looks like a
     reference

  -- Missing reference section? 'APPLICATION 15' on line 2381 looks like a
     reference

  -- Missing reference section? 'APPLICATION 16' on line 2383 looks like a
     reference

  -- Missing reference section? 'APPLICATION 23' on line 2385 looks like a
     reference

  -- Missing reference section? 'APPLICATION 24' on line 2389 looks like a
     reference

  -- Missing reference section? '10' on line 2391 looks like a reference

  -- Missing reference section? '11' on line 2392 looks like a reference

  -- Missing reference section? 'RFC1823' on line 2074 looks like a reference

  -- Missing reference section? 'RFC2234' on line 2086 looks like a reference

  -- Missing reference section? 'RFC2829' on line 2768 looks like a reference

  -- Missing reference section? 'RFC2830' on line 2762 looks like a reference

  -- Missing reference section? 'RFC 1823' on line 2565 looks like a reference


     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 50 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Internet-Draft                                  Editor:  J. Sermersheim
3	Intended Category: Standard Track                           Novell, Inc
4	Document: draft-ietf-ldapbis-protocol-01.txt              February 2001
5	Obsoletes: RFC 2251

7	                Lightweight Directory Access Protocol (v3)

9	1. Status of this Memo

11	   This document is an Internet-Draft and is in full conformance with
12	   all provisions of Section 10 of [RFC2026].

14	   Internet-Drafts are working documents of the Internet Engineering
15	   Task Force (IETF), its areas, and its working groups. Note that other
16	   groups may also distribute working documents as Internet-Drafts.
17	   Internet-Drafts are draft documents valid for a maximum of six months
18	   and may be updated, replaced, or obsoleted by other documents at any
19	   time. It is inappropriate to use Internet-Drafts as reference
20	   material or to cite them other than as "work in progress."

22	   The list of current Internet-Drafts can be accessed at
23	   http://www.ietf.org/ietf/1id-abstracts.txt

25	   The list of Internet-Draft Shadow Directories can be accessed at
26	   http://www.ietf.org/shadow.html.

28	   Distribution of this memo is unlimited. Technical discussion of this
29	   document will take place on the IETF LDAP Revision Working Group
30	   (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please send
31	   editorial comments directly to the editor <jimse@novell.com>.

33	Table of Contents

35	   1. Status of this Memo..............................................1
36	   2. Abstract.........................................................3
37	   3. Models...........................................................4
38	   3.1. Protocol Model.................................................4
39	   3.2. Data Model.....................................................4
40	   3.2.1. Attributes of Entries........................................5
41	   3.2.2. Subschema Entries and Subentries.............................6
42	   3.3. Relationship to X.500..........................................7
43	   3.4. Server-specific Data Requirements..............................7
44	   4. Elements of Protocol.............................................8
45	   4.1. Common Elements................................................9
46	   4.1.1. Message Envelope.............................................9
47	   4.1.1.1. Message ID................................................10
48	   4.1.2. String Types................................................10
49	   4.1.3. Distinguished Name and Relative Distinguished Name..........10
50	   4.1.4. Attribute Type..............................................11
51	   4.1.5. Attribute Description.......................................12
52	   4.1.5.1. Binary Option.............................................12
53	   4.1.6. Attribute Value.............................................13
54	              Lightweight Directory Access Protocol Version 3

56	   4.1.7. Attribute Value Assertion...................................13
57	   4.1.8. Attribute...................................................14
58	   4.1.9. Matching Rule Identifier....................................14
59	   4.1.10. Result Message.............................................15
60	   4.1.11. Referral...................................................16
61	   4.1.12. Controls...................................................17
62	   4.2. Bind Operation................................................18
63	   4.2.1. Sequencing of the Bind Request..............................19
64	   4.2.2. Authentication and Other Security Services..................20
65	   4.2.3. Bind Response...............................................21
66	   4.3. Unbind Operation..............................................22
67	   4.4. Unsolicited Notification......................................22
68	   4.4.1. Notice of Disconnection.....................................22
69	   4.5. Search Operation..............................................23
70	   4.5.1. Search Request..............................................23
71	   4.5.2. Search Result...............................................27
72	   4.5.3. Continuation References in the Search Result................28
73	   4.6. Modify Operation..............................................29
74	   4.7. Add Operation.................................................31
75	   4.8. Delete Operation..............................................32
76	   4.9. Modify DN Operation...........................................32
77	   4.10. Compare Operation............................................33
78	   4.11. Abandon Operation............................................34
79	   4.12. Extended Operation...........................................35
80	   5. Protocol Element Encodings and Transfer.........................35
81	   5.1. Mapping Onto BER-based Transport Services.....................35
82	   5.2. Transfer Protocols............................................36
83	   5.2.1. Transmission Control Protocol (TCP).........................36
84	   6. Implementation Guidelines.......................................36
85	   6.1. Server Implementations........................................36
86	   6.2. Client Implementations........................................36
87	   7. Security Considerations.........................................37
88	   8. Acknowledgements................................................37
89	   9. Bibliography....................................................37
90	   10. Editor's Address...............................................38
91	   Appendix A - Complete ASN.1 Definition.............................40
92	   Appendix B - Change History........................................45
93	   Changes made to RFC 2251:..........................................45
94	   B.1 Editorial......................................................45
95	   B.2 Section 1......................................................45
96	   B.3 Section 9......................................................45
97	   B.4 Section 4.1.6..................................................45
98	   B.5 Section 4.1.7..................................................45
99	   B.6 Sections 4.2, 4.9, 4.10........................................45
100	   B.7 Sections 4.5 and Appendix A....................................46
101	   Appendix C - Outstanding Work Items................................46
102	   C.1 Integrate result codes draft...................................46
103	   C.2 Section 3.1....................................................46
104	   C.3 Section 4......................................................46
105	   C.4 Section 4.1.1..................................................46
106	   C.5 Section 4.1.1.1................................................46
107	   C.6 Section 4.1.2..................................................47
108	   C.7 Section 4.1.4..................................................47
109	   C.8 Section 4.1.5..................................................47
110	              Lightweight Directory Access Protocol Version 3

112	   C.9 Section 4.1.5.1................................................47
113	   C.11 Section 4.1.7.................................................47
114	   C.12 Section 4.1.8.................................................48
115	   C.13 Section 4.1.11................................................48
116	   C.14 Section 4.1.12................................................48
117	   C.15 Section 4.2...................................................48
118	   C.16 Section 4.2.1.................................................48
119	   C.17 Section 4.2.2.................................................48
120	   C.18 Section 4.2.3.................................................49
121	   C.19 Section 4.3...................................................49
122	   C.20 Section 4.4...................................................49
123	   C.21 Section 4.5.1.................................................49
124	   C.22 Section 4.5.2.................................................49
125	   C.23 Section 4.5.3.................................................50
126	   C.24 Section 4.5.3.1...............................................50
127	   C.25 Section 4.6...................................................50
128	   C.26 Section 4.7...................................................50
129	   C.27 Section 4.10..................................................50
130	   C.28 Section 4.11..................................................50
131	   C.29 Section 4.12..................................................51
132	   C.30 Section 5.1...................................................51
133	   C.31 Section 5.2.1.................................................51
134	   C.32 Section 6.1...................................................51
135	   C.33 Section 7.....................................................51

137	2. Abstract

139	   The protocol described in this document is designed to provide access
140	   to directories supporting the [X.500] models, while not incurring the
141	   resource requirements of the X.500 Directory Access Protocol (DAP).
142	   This protocol is specifically targeted at management applications and
143	   browser applications that provide read/write interactive access to
144	   directories. When used with a directory supporting the X.500
145	   protocols, it is intended to be a complement to the X.500 DAP.

147	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
148	   "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are
149	   to be interpreted as described in [RFC2119].

151	   Key aspects of this version of LDAP are:

153	   - All protocol elements of LDAPv2 [RFC1777] are supported. The
154	     protocol is carried directly over TCP or other transport,
155	     bypassing much of the session/presentation overhead of X.500 DAP.

157	   - Most protocol data elements can be encoded as ordinary strings
158	     (e.g., Distinguished Names).

160	   - Referrals to other servers may be returned.

162	   - SASL mechanisms may be used with LDAP to provide association
163	     security services.

165	              Lightweight Directory Access Protocol Version 3

167	   - Attribute values and Distinguished Names have been
168	     internationalized through the use of the ISO 10646 character set.

170	   - The protocol can be extended to support new operations, and
171	     controls may be used to extend existing operations.

173	   - Schema is published in the directory to be used by clients.

175	3. Models

177	   Interest in X.500 directory technologies in the Internet has led to
178	   efforts to reduce the high cost of entry associated with use of these
179	   technologies. This document continues the efforts to define directory
180	   protocol alternatives, updating the LDAPv2 protocol specification.

182	3.1. Protocol Model

184	   The general model adopted by this protocol is one of clients
185	   performing protocol operations against servers. In this model, a
186	   client transmits a protocol request describing the operation to be
187	   performed to a server. The server is then responsible for performing
188	   the necessary operation(s) in the directory. Upon completion of the
189	   operation(s), the server returns a response containing any results or
190	   errors to the requesting client.

192	   In keeping with the goal of easing the costs associated with use of
193	   the directory, it is an objective of this protocol to minimize the
194	   complexity of clients so as to facilitate widespread deployment of
195	   applications capable of using the directory.

197	   Note that although servers are required to return responses whenever
198	   such responses are defined in the protocol, there is no requirement
199	   for synchronous behavior on the part of either clients or servers.
200	   Requests and responses for multiple operations may be exchanged
201	   between a client and server in any order, provided the client
202	   eventually receives a response for every request that requires one.

204	   In LDAP versions 1 and 2, no provision was made for protocol servers
205	   returning referrals to clients. However, for improved performance and
206	   distribution, this version of the protocol permits servers to return
207	   to clients, referrals to other servers. This allows servers to
208	   offload the work of contacting other servers to progress operations.

210	   Note that the core protocol operations defined in this document can
211	   be mapped to a strict subset of the X.500(1997) directory abstract
212	   service, so it can be cleanly provided by the DAP. However there is
213	   not a one-to-one mapping between LDAP protocol operations and DAP
214	   operations: server implementations acting as a gateway to X.500
215	   directories may need to make multiple DAP requests.

217	<Editor's Note: Sections 3.2 through 3.4 have not been updated>
218	3.2. Data Model
219	              Lightweight Directory Access Protocol Version 3

221	   This section provides a brief introduction to the X.500 data model,
222	   as used by LDAP.

224	   The LDAP protocol assumes there are one or more servers which jointly
225	   provide access to a Directory Information Tree (DIT). The tree is
226	   made up of entries. Entries have names: one or more attribute values
227	   from the entry form its relative distinguished name (RDN), which MUST
228	   be unique among all its siblings. The concatenation of the relative
229	   distinguished names of the sequence of entries from a particular
230	   entry to an immediate subordinate of the root of the tree forms that
231	   entry's Distinguished Name (DN), which is unique in the tree. An
232	   example of a Distinguished Name is:

234	   CN=Steve Kille, O=Isode Limited, C=GB

236	   Some servers may hold cache or shadow copies of entries, which can be
237	   used to answer search and comparison queries, but will return
238	   referrals or contact other servers if modification operations are
239	   requested.

241	   Servers that perform caching or shadowing MUST ensure that they do
242	   not violate any access control constraints placed on the data by the
243	   originating server.

245	   The largest collection of entries, starting at an entry that is
246	   mastered by a particular server, and including all its subordinates
247	   and their subordinates, down to the entries which are mastered by
248	   different servers, is termed a naming context. The root of the DIT is
249	   a DSA-specific Entry (DSE) and not part of any naming context: each
250	   server has different attribute values in the root DSE. (DSA is an
251	   X.500 term for the directory server).

253	3.2.1. Attributes of Entries

255	   Entries consist of a set of attributes. An attribute is a type with
256	   one or more associated values. The attribute type is identified by a
257	   short descriptive name and an OID (object identifier). The attribute
258	   type governs whether there can be more than one value of an attribute
259	   of that type in an entry, the syntax to which the values must
260	   conform, the kinds of matching which can be performed on values of
261	   that attribute, and other functions.

263	   An example of an attribute is "mail". There may be one or more values
264	   of this attribute, they must be IA5 (ASCII) strings, and they are
265	   case insensitive (e.g. "foo@bar.com" will match "FOO@BAR.COM").

267	   Schema is the collection of attribute type definitions, object class
268	   definitions and other information which a server uses to determine
269	   how to match a filter or attribute value assertion (in a compare
270	   operation) against the attributes of an entry, and whether to permit
271	   add and modify operations. The definition of schema for use with LDAP
272	   is given in [RFC2252] and [X.501]. Additional schema elements may be
273	   defined in other documents.

275	              Lightweight Directory Access Protocol Version 3

277	   Each entry MUST have an objectClass attribute. The objectClass
278	   attribute specifies the object classes of an entry, which along with
279	   the system and user schema determine the permitted attributes of an
280	   entry. Values of this attribute may be modified by clients, but the
281	   objectClass attribute cannot be removed. Servers may restrict the
282	   modifications of this attribute to prevent the basic structural class
283	   of the entry from being changed (e.g. one cannot change a person into
284	   a country). When creating an entry or adding an objectClass value to
285	   an entry, all superclasses of the named classes are implicitly added
286	   as well if not already present, and the client must supply values for
287	   any mandatory attributes of new superclasses.

289	   Some attributes, termed operational attributes, are used by servers
290	   for administering the directory system itself. They are not returned
291	   in search results unless explicitly requested by name. Attributes
292	   which are not operational, such as "mail", will have their schema and
293	   syntax constraints enforced by servers, but servers will generally
294	   not make use of their values.

296	   Servers MUST NOT permit clients to add attributes to an entry unless
297	   those attributes are permitted by the object class definitions, the
298	   schema controlling that entry (specified in the subschema � see
299	   below), or are operational attributes known to that server and used
300	   for administrative purposes. Note that there is a particular
301	   objectClass 'extensibleObject' defined in [RFC2252] which permits all
302	   user attributes to be present in an entry.

304	   Entries MAY contain, among others, the following operational
305	   attributes, defined in [RFC2252]. These attributes are maintained
306	   automatically by the server and are not modifiable by clients:

308	   - creatorsName: the Distinguished Name of the user who added this
309	     entry to the directory.

311	   - createTimestamp: the time this entry was added to the directory.

313	   - modifiersName: the Distinguished Name of the user who last
314	     modified this entry.

316	   - modifyTimestamp: the time this entry was last modified.

318	   - subschemaSubentry: the Distinguished Name of the subschema entry
319	     (or subentry) which controls the schema for this entry.

321	3.2.2. Subschema Entries and Subentries

323	   Subschema entries are used for administering information about the
324	   directory schema, in particular the object classes and attribute
325	   types supported by directory servers. A single subschema entry
326	   contains all schema definitions used by entries in a particular part
327	   of the directory tree.

329	   Servers which follow X.500(93) models SHOULD implement subschema
330	   using the X.500 subschema mechanisms, and so these subschemas are not
331	              Lightweight Directory Access Protocol Version 3

333	   ordinary entries. LDAP clients SHOULD NOT assume that servers
334	   implement any of the other aspects of X.500 subschema. A server which
335	   masters entries and permits clients to modify these entries MUST
336	   implement and provide access to these subschema entries, so that its
337	   clients may discover the attributes and object classes which are
338	   permitted to be present. It is strongly recommended that all other
339	   servers implement this as well.

341	   The following four attributes MUST be present in all subschema
342	   entries:

344	   - cn: this attribute MUST be used to form the RDN of the subschema
345	     entry.

347	   - objectClass: the attribute MUST have at least the values "top" and
348	     "subschema".

350	   - objectClasses: each value of this attribute specifies an object
351	     class known to the server.

353	   - attributeTypes: each value of this attribute specifies an
354	     attribute type known to the server.

356	   These are defined in [RFC2252]. Other attributes MAY be present in
357	   subschema entries, to reflect additional supported capabilities.

359	   These include matchingRules, matchingRuleUse, dITStructureRules,
360	   dITContentRules, nameForms and ldapSyntaxes.

362	   Servers SHOULD provide the attributes createTimestamp and
363	   modifyTimestamp in subschema entries, in order to allow clients to
364	   maintain their caches of schema information.

366	   Clients MUST only retrieve attributes from a subschema entry by
367	   requesting a base object search of the entry, where the search filter
368	   is "(objectClass=subschema)". This will allow LDAPv3 servers which
369	   gateway to X.500(93) to detect that subentry information is being
370	   requested.

372	3.3. Relationship to X.500

374	   This document defines LDAP in terms of X.500 as an X.500 access
375	   mechanism. An LDAP server MUST act in accordance with the X.500(1993)
376	   series of ITU recommendations when providing the service. However, it
377	   is not required that an LDAP server make use of any X.500 protocols
378	   in providing this service, e.g. LDAP can be mapped onto any other
379	   directory system so long as the X.500 data and service model as used
380	   in LDAP is not violated in the LDAP interface.

382	3.4. Server-specific Data Requirements

384	   An LDAP server MUST provide information about itself and other
385	   information that is specific to each server. This is represented as a
386	   group of attributes located in the root DSE (DSA-Specific Entry),
387	              Lightweight Directory Access Protocol Version 3

389	   which is named with the zero-length LDAPDN. These attributes are
390	   retrievable if a client performs a base object search of the root
391	   with filter "(objectClass=*)", however they are subject to access
392	   control restrictions. The root DSE MUST NOT be included if the client
393	   performs a subtree search starting from the root.

395	   Servers may allow clients to modify these attributes.

397	   The following attributes of the root DSE are defined in section 5 of
398	   [RFC2252]. Additional attributes may be defined in other documents.

400	   - namingContexts: naming contexts held in the server. Naming
401	     contexts are defined in section 17 of [X.501].

403	   - subschemaSubentry: subschema entries (or subentries) known by this
404	     server.

406	   - altServer: alternative servers in case this one is later
407	     unavailable.

409	   - supportedExtension: list of supported extended operations.

411	   - supportedControl: list of supported controls.

413	   - supportedSASLMechanisms: list of supported SASL security features.

415	   - supportedLDAPVersion: LDAP versions implemented by the server.

417	   If the server does not master entries and does not know the locations
418	   of schema information, the subschemaSubentry attribute is not present
419	   in the root DSE. If the server masters directory entries under one or
420	   more schema rules, there may be any number of values of the
421	   subschemaSubentry attribute in the root DSE.

423	4. Elements of Protocol

425	   The LDAP protocol is described using Abstract Syntax Notation 1
426	   (ASN.1) [X.680], and is typically transferred using a subset of ASN.1
427	   Basic Encoding Rules [X.690] In order to support future extensions to
428	   this protocol, clients and servers MUST ignore elements of SEQUENCE
429	   encodings whose tags they do not recognize.

431	   Note that unlike X.500, each change to the LDAP protocol other than
432	   through the extension mechanisms will have a different version
433	   number. A client will indicate the version it supports as part of the
434	   bind request, described in section 4.2. If a client has not sent a
435	   bind, the server MUST assume that version 3 is supported in the
436	   client (since version 2 required that the client bind first).

438	   Clients may determine the protocol version a server supports by
439	   reading the supportedLDAPVersion attribute from the root DSE. Servers
440	   which implement version 3 or later versions MUST provide this
441	   attribute. Servers which only implement version 2 may not provide
442	   this attribute.

444	              Lightweight Directory Access Protocol Version 3

446	4.1. Common Elements

448	   This section describes the LDAPMessage envelope PDU (Protocol Data
449	   Unit) format, as well as data type definitions, which are used in the
450	   protocol operations.

452	4.1.1. Message Envelope

454	   For the purposes of protocol exchanges, all protocol operations are
455	   encapsulated in a common envelope, the LDAPMessage, which is defined
456	   as follows:

458	        LDAPMessage ::= SEQUENCE {
459	                messageID       MessageID,
460	                protocolOp      CHOICE {
461	                        bindRequest     BindRequest,
462	                        bindResponse    BindResponse,
463	                        unbindRequest   UnbindRequest,
464	                        searchRequest   SearchRequest,
465	                        searchResEntry  SearchResultEntry,
466	                        searchResDone   SearchResultDone,
467	                        searchResRef    SearchResultReference,
468	                        modifyRequest   ModifyRequest,
469	                        modifyResponse  ModifyResponse,
470	                        addRequest      AddRequest,
471	                        addResponse     AddResponse,
472	                        delRequest      DelRequest,
473	                        delResponse     DelResponse,
474	                        modDNRequest    ModifyDNRequest,
475	                        modDNResponse   ModifyDNResponse,
476	                        compareRequest  CompareRequest,
477	                        compareResponse CompareResponse,
478	                        abandonRequest  AbandonRequest,
479	                        extendedReq     ExtendedRequest,
480	                        extendedResp    ExtendedResponse },
481	                controls        [0] Controls OPTIONAL }

483	        MessageID ::= INTEGER (0 .. maxInt)

485	        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

487	   The function of the LDAPMessage is to provide an envelope containing
488	   common fields required in all protocol exchanges. At this time the
489	   only common fields are the message ID and the controls.

491	   If the server receives a PDU from the client in which the LDAPMessage
492	   SEQUENCE tag cannot be recognized, the messageID cannot be parsed,
493	   the tag of the protocolOp is not recognized as a request, or the
494	   encoding structures or lengths of data fields are found to be
495	   incorrect, then the server MUST return the notice of disconnection
496	   described in section 4.4.1, with resultCode protocolError, and
497	   immediately close the connection. In other cases that the server
498	   cannot parse the request received by the client, the server MUST
499	              Lightweight Directory Access Protocol Version 3

501	   return an appropriate response to the request, with the resultCode
502	   set to protocolError.

504	   If the client receives a PDU from the server, which cannot be parsed,
505	   the client may discard the PDU, or may abruptly close the connection.

507	   The ASN.1 type Controls is defined in section 4.1.12.

509	4.1.1.1. Message ID

511	   All LDAPMessage envelopes encapsulating responses contain the
512	   messageID value of the corresponding request LDAPMessage.

514	   The message ID of a request MUST have a value different from the
515	   values of any other requests outstanding in the LDAP session of which
516	   this message is a part.

518	   A client MUST NOT send a second request with the same message ID as
519	   an earlier request on the same connection if the client has not
520	   received the final response from the earlier request. Otherwise the
521	   behavior is undefined. Typical clients increment a counter for each
522	   request.

524	   A client MUST NOT reuse the message id of an abandonRequest of the
525	   abandoned operation until it has received a response from the server
526	   for another request invoked subsequent to the abandonRequest, as the
527	   abandonRequest itself does not have a response.

529	4.1.2. String Types

531	   The LDAPString is a notational convenience to indicate that, although
532	   strings of LDAPString type encode as OCTET STRING types, the
533	   [ISO10646] character set (a superset of Unicode) is used, encoded
534	   following the UTF-8 algorithm [RFC2044]. Note that in the UTF-8
535	   algorithm characters which are the same as ASCII (0x0000 through
536	   0x007F) are represented as that same ASCII character in a single
537	   byte. The other byte values are used to form a variable-length
538	   encoding of an arbitrary character.

540	        LDAPString ::= OCTET STRING

542	   The LDAPOID is a notational convenience to indicate that the
543	   permitted value of this string is a (UTF-8 encoded) dotted-decimal
544	   representation of an OBJECT IDENTIFIER.

546	        LDAPOID ::= OCTET STRING

548	   For example,

550	        1.3.6.1.4.1.1466.1.2.3

552	4.1.3. Distinguished Name and Relative Distinguished Name
553	              Lightweight Directory Access Protocol Version 3

555	   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
556	   representation of a Distinguished Name and a Relative Distinguished
557	   Name after encoding according to the specification in [RFC2253], such
558	   that:

560	        distinguished-name = name

562	        relative-distinguished-name = name-component

564	   where name and name-component are as defined in [RFC2253].

566	        LDAPDN ::= LDAPString

568	        RelativeLDAPDN ::= LDAPString

570	   Only Attribute Types can be present in a relative distinguished name
571	   component--the options of Attribute Descriptions (next section) MUST
572	   NOT be used in specifying distinguished names.

574	4.1.4. Attribute Type

576	   An AttributeType takes on as its value the textual string associated
577	   with that AttributeType in its specification.

579	        AttributeType ::= LDAPString

581	   Each attribute type has a unique OBJECT IDENTIFIER which has been
582	   assigned to it. This identifier may be written as decimal digits with
583	   components separated by periods, e.g. "2.5.4.10".

585	   A specification may also assign one or more textual names for an
586	   attribute type. These names MUST begin with a letter, and only
587	   contain ASCII letters, digit characters and hyphens. They are case
588	   insensitive. These ASCII characters are identical to ISO 10646
589	   characters whose UTF-8 encoding is a single byte between 0x00 and
590	   0x7F.

592	   If the server has a textual name for an attribute type, it MUST use a
593	   textual name for attributes returned in search results. The dotted-
594	   decimal OBJECT IDENTIFIER is only used if there is no textual name
595	   for an attribute type.

597	   Attribute type textual names are non-unique, as two different
598	   specifications (neither in standards track RFCs) may choose the same
599	   name.

601	   A server which masters or shadows entries SHOULD list all the
602	   attribute types it supports in the subschema entries, using the
603	   attributeTypes attribute. Servers which support an open-ended set of
604	   attributes SHOULD include at least the attributeTypes value for the
605	   'objectClass' attribute. Clients MAY retrieve the attributeTypes
606	   value from subschema entries in order to obtain the OBJECT IDENTIFIER
607	   and other information associated with attribute types.

609	              Lightweight Directory Access Protocol Version 3

611	   Some attribute type names which are used in this version of LDAP are
612	   described in [RFC2252]. Servers may implement additional attribute
613	   types.

615	4.1.5. Attribute Description

617	   An AttributeDescription is a superset of the definition of the
618	   AttributeType. It has the same ASN.1 definition, but allows
619	   additional options to be specified. They are also case insensitive.

621	        AttributeDescription ::= LDAPString

623	   A value of AttributeDescription is based on the following BNF:

625	        <AttributeDescription> ::= <AttributeType> [ ";" <options> ]

627	        <options>  ::= <option> | <option> ";" <options>

629	        <option>   ::= <opt-char> <opt-char>*

631	        <opt-char> ::=  ASCII-equivalent letters, numbers and hyphen

633	   Examples of valid AttributeDescription:

635	        cn
636	        userCertificate;binary

638	   One option, "binary", is defined in this document. Additional options
639	   may be defined in IETF standards-track and experimental RFCs. Options
640	   beginning with "x-" are reserved for private experiments. Any option
641	   could be associated with any AttributeType, although not all
642	   combinations may be supported by a server.

644	   An AttributeDescription with one or more options is treated as a
645	   subtype of the attribute type without any options. Options present in
646	   an AttributeDescription are never mutually exclusive. Implementations
647	   MUST generate the <options> list sorted in ascending order, and
648	   servers MUST treat any two AttributeDescription with the same
649	   AttributeType and options as equivalent. A server will treat an
650	   AttributeDescription with any options it does not implement as an
651	   unrecognized attribute type.

653	   The data type "AttributeDescriptionList" describes a list of 0 or
654	   more attribute types. (A list of zero elements has special
655	   significance in the Search request.)

657	        AttributeDescriptionList ::= SEQUENCE OF
658	                AttributeDescription

660	4.1.5.1. Binary Option

662	   If the "binary" option is present in an AttributeDescription, it
663	   overrides any string-based encoding representation defined for that
664	   attribute in [RFC2252]. Instead the attribute is to be transferred as
665	              Lightweight Directory Access Protocol Version 3

667	   a binary value encoded using the Basic Encoding Rules [X.690]. The
668	   syntax of the binary value is an ASN.1 data type definition which is
669	   referenced by the "SYNTAX" part of the attribute type definition.

671	   The presence or absence of the "binary" option only affects the
672	   transfer of attribute values in protocol; servers store any
673	   particular attribute in a single format. If a client requests that a
674	   server return an attribute in the binary format, but the server
675	   cannot generate that format, the server MUST treat this attribute
676	   type as an unrecognized attribute type. Similarly, clients MUST NOT
677	   expect servers to return an attribute in binary format if the client
678	   requested that attribute by name without the "binary" option.

680	   This option is intended to be used with attributes whose syntax is a
681	   complex ASN.1 data type, and the structure of values of that type is
682	   needed by clients. Examples of this kind of syntax are "Certificate"
683	   and "CertificateList".

685	4.1.6. Attribute Value

687	   A field of type AttributeValue is an OCTET STRING containing an
688	   encoded value of an AttributeValue data type. The value is string
689	   encoded unless an option specifying the transfer encoding is present
690	   in the companion AttributeDescription to this AttributeValue (e.g.
691	   "binary"). Multiple options specifying transfer encoding MUST NOT be
692	   present.

694	   The definition of string encodings for different syntaxes and types
695	   may be found in other documents, and in particular [RFC2252].

697	   At the time of this writing, there is only one AttributeDescription
698	   option used to specify transfer encoding--"binary", described in
699	   section 4.1.5.1.

701	        AttributeValue ::= OCTET STRING

703	   Note that there is no defined limit on the size of this encoding;
704	   thus protocol values may include multi-megabyte attributes (e.g.
705	   photographs).

707	   Attributes may be defined which have arbitrary and non-printable
708	   syntax. Implementations MUST NEITHER simply display nor attempt to
709	   decode as ASN.1 a value if its syntax is not known. The
710	   implementation may attempt to discover the subschema of the source
711	   entry, and retrieve the values of attributeTypes from it.

713	   Clients MUST NOT send attribute values in a request which are not
714	   valid according to the syntax defined for the attributes.

716	4.1.7. Attribute Value Assertion

718	   The AttributeValueAssertion type definition is similar to the one in
719	   the X.500 directory standards. It contains an attribute description
720	   and a matching rule assertion value suitable for that type.

722	              Lightweight Directory Access Protocol Version 3

724	        AttributeValueAssertion ::= SEQUENCE {
725	                attributeDesc   AttributeDescription,
726	                assertionValue  AssertionValue }

728	        AssertionValue ::= OCTET STRING

730	   If an option specifying the transfer encoding is present in
731	   attributeDesc, the assertionValue is encoded as specified by the
732	   option. For example, if the "binary" option is present in the
733	   attributeDesc, the AssertionValue is BER encoded.

735	   For all the string-valued user attributes described in [5], the
736	   assertion value syntax is the same as the value syntax. Clients may
737	   use attribute values as assertion values in compare requests and
738	   search filters.

740	   Note however that the assertion syntax may be different from the
741	   value syntax for other attributes or for non-equality matching rules.
742	   These may have an assertion syntax which contains only part of the
743	   value. See section 20.2.1.8 of [X.501] for examples.

745	4.1.8. Attribute

747	   An attribute consists of a type and one or more values of that type.
748	   (Though attributes MUST have at least one value when stored, due to
749	   access control restrictions the set may be empty when transferred in
750	   protocol. This is described in section 4.5.2, concerning the
751	   PartialAttributeList type.)

753	        Attribute ::= SEQUENCE {
754	                type    AttributeDescription,
755	                vals    SET OF AttributeValue }

757	   Each attribute value is distinct in the set (no duplicates). The
758	   order of attribute values within the vals set is undefined and
759	   implementation-dependent, and MUST NOT be relied upon.

761	4.1.9. Matching Rule Identifier

763	   A matching rule is a means of expressing how a server should compare
764	   an AssertionValue received in a search filter with an abstract data
765	   value. The matching rule defines the syntax of the assertion value
766	   and the process to be performed in the server.

768	   An X.501 (1993) Matching Rule is identified in the LDAP protocol by
769	   the printable representation of its OBJECT IDENTIFIER, either as one
770	   of the strings given in [RFC2252], or as decimal digits with
771	   components separated by periods, e.g. "caseIgnoreIA5Match" or
772	   "1.3.6.1.4.1.453.33.33".

774	        MatchingRuleId ::= LDAPString
775	              Lightweight Directory Access Protocol Version 3

777	   Servers which support matching rules for use in the extensibleMatch
778	   search filter MUST list the matching rules they implement in
779	   subschema entries, using the matchingRules attributes. The server
780	   SHOULD also list there, using the matchingRuleUse attribute, the
781	   attribute types with which each matching rule can be used. More
782	   information is given in section 4.4 of [RFC2252].

784	4.1.10. Result Message

786	   The LDAPResult is the construct used in this protocol to return
787	   success or failure indications from servers to clients. In response
788	   to various requests, servers will return responses containing fields
789	   of type LDAPResult to indicate the final status of a protocol
790	   operation request.

792	        LDAPResult ::= SEQUENCE {
793	                resultCode      ENUMERATED {
794	                        success                      (0),
795	                        operationsError              (1),
796	                        protocolError                (2),
797	                        timeLimitExceeded            (3),
798	                        sizeLimitExceeded            (4),
799	                        compareFalse                 (5),
800	                        compareTrue                  (6),
801	                        authMethodNotSupported       (7),
802	                        strongAuthRequired           (8),
803	                                        -- 9 reserved --
804	                        referral                     (10),  -- new
805	                        adminLimitExceeded           (11),  -- new
806	                        unavailableCriticalExtension (12),  -- new
807	                        confidentialityRequired      (13),  -- new
808	                        saslBindInProgress           (14),  -- new
809	                        noSuchAttribute              (16),
810	                        undefinedAttributeType       (17),
811	                        inappropriateMatching        (18),
812	                        constraintViolation          (19),
813	                        attributeOrValueExists       (20),
814	                        invalidAttributeSyntax       (21),
815	                                        -- 22-31 unused --
816	                        noSuchObject                 (32),
817	                        aliasProblem                 (33),
818	                        invalidDNSyntax              (34),
819	                        -- 35 reserved for undefined isLeaf --
820	                        aliasDereferencingProblem    (36),
821	                                        -- 37-47 unused --
822	                        inappropriateAuthentication  (48),
823	                        invalidCredentials           (49),
824	                        insufficientAccessRights     (50),
825	                        busy                         (51),
826	                        unavailable                  (52),
827	                        unwillingToPerform           (53),
828	                        loopDetect                   (54),
829	                                        -- 55-63 unused --
830	                        namingViolation              (64),

832	              Lightweight Directory Access Protocol Version 3

834	                        objectClassViolation         (65),
835	                        notAllowedOnNonLeaf          (66),
836	                        notAllowedOnRDN              (67),
837	                        entryAlreadyExists           (68),
838	                        objectClassModsProhibited    (69),
839	                                -- 70 reserved for CLDAP --
840	                        affectsMultipleDSAs          (71), -- new
841	                                        -- 72-79 unused --
842	                        other                        (80) },
843	                        -- 81-90 reserved for APIs --
844	                matchedDN       LDAPDN,
845	                errorMessage    LDAPString,
846	                referral        [3] Referral OPTIONAL }

848	   All the result codes with the exception of success, compareFalse and
849	   compareTrue are to be treated as meaning the operation could not be
850	   completed in its entirety.

852	   Most of the result codes are based on problem indications from X.511
853	   error data types. Result codes from 16 to 21 indicate an
854	   AttributeProblem, codes 32, 33, 34 and 36 indicate a NameProblem,
855	   codes 48, 49 and 50 indicate a SecurityProblem, codes 51 to 54
856	   indicate a ServiceProblem, and codes 64 to 69 and 71 indicates an
857	   UpdateProblem.

859	   If a client receives a result code which is not listed above, it is
860	   to be treated as an unknown error condition.

862	   The errorMessage field of this construct may, at the server's option,
863	   be used to return a string containing a textual, human-readable
864	   (terminal control and page formatting characters should be avoided)
865	   error diagnostic. As this error diagnostic is not standardized,
866	   implementations MUST NOT rely on the values returned. If the server
867	   chooses not to return a textual diagnostic, the errorMessage field of
868	   the LDAPResult type MUST contain a zero length string.

870	   For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
871	   aliasDereferencingProblem, the matchedDN field is set to the name of
872	   the lowest entry (object or alias) in the directory that was matched.
873	   If no aliases were dereferenced while attempting to locate the entry,
874	   this will be a truncated form of the name provided, or if aliases
875	   were dereferenced, of the resulting name, as defined in section 12.5
876	   of [X.511]. The matchedDN field is to be set to a zero length string
877	   with all other result codes.

879	4.1.11. Referral

881	   The referral result code indicates that the contacted server does not
882	   hold the target entry of the request. The referral field is present
883	   in an LDAPResult if the LDAPResult.resultCode field value is
884	   referral, and absent with all other result codes. It contains a
885	   reference to another server (or set of servers) which may be accessed
886	   via LDAP or other protocols. Referrals can be returned in response to
887	              Lightweight Directory Access Protocol Version 3

889	   any operation request (except unbind and abandon which do not have
890	   responses). At least one URL MUST be present in the Referral.

892	   The referral is not returned for a singleLevel or wholeSubtree search
893	   in which the search scope spans multiple naming contexts, and several
894	   different servers would need to be contacted to complete the
895	   operation. Instead, continuation references, described in section
896	   4.5.3, are returned.

898	        Referral ::= SEQUENCE OF LDAPURL  -- one or more

900	        LDAPURL ::= LDAPString -- limited to characters permitted in
901	                               -- URLs

903	   If the client wishes to progress the operation, it MUST follow the
904	   referral by contacting any one of servers. All the URLs MUST be
905	   equally capable of being used to progress the operation. (The
906	   mechanisms for how this is achieved by multiple servers are outside
907	   the scope of this document.)

909	   URLs for servers implementing the LDAP protocol are written according
910	   to [RFC2255]. If an alias was dereferenced, the <dn> part of the URL
911	   MUST be present, with the new target object name. If the <dn> part is
912	   present, the client MUST use this name in its next request to
913	   progress the operation, and if it is not present the client will use
914	   the same name as in the original request. Some servers (e.g.
915	   participating in distributed indexing) may provide a different filter
916	   in a referral for a search operation. If the filter part of the URL
917	   is present in an LDAPURL, the client MUST use this filter in its next
918	   request to progress this search, and if it is not present the client
919	   MUST use the same filter as it used for that search. Other aspects of
920	   the new request may be the same or different as the request which
921	   generated the referral.

923	   Note that UTF-8 characters appearing in a DN or search filter may not
924	   be legal for URLs (e.g. spaces) and MUST be escaped using the %
925	   method in [RFC2396].

927	   Other kinds of URLs may be returned, so long as the operation could
928	   be performed using that protocol.

930	4.1.12. Controls

932	   A control is a way to specify extension information. Controls which
933	   are sent as part of a request apply only to that request and are not
934	   saved.

936	        Controls ::= SEQUENCE OF Control

938	        Control ::= SEQUENCE {
939	                controlType             LDAPOID,
940	                criticality             BOOLEAN DEFAULT FALSE,
941	                controlValue            OCTET STRING OPTIONAL }

943	              Lightweight Directory Access Protocol Version 3

945	   The controlType field MUST be a UTF-8 encoded dotted-decimal
946	   representation of an OBJECT IDENTIFIER which uniquely identifies the
947	   control. This prevents conflicts between control names.

949	   The criticality field is either TRUE or FALSE.

951	   If the server recognizes the control type and it is appropriate for
952	   the operation, the server will make use of the control when
953	   performing the operation.

955	   If the server does not recognize the control type and the criticality
956	   field is TRUE, the server MUST NOT perform the operation, and MUST
957	   instead return the resultCode unavailableCriticalExtension.

959	   If the control is not appropriate for the operation and criticality
960	   field is TRUE, the server MUST NOT perform the operation, and MUST
961	   instead return the resultCode unavailableCriticalExtension.

963	   If the control is unrecognized or inappropriate but the criticality
964	   field is FALSE, the server MUST ignore the control.

966	   The controlValue contains any information associated with the
967	   control, and its format is defined for the control. The server MUST
968	   be prepared to handle arbitrary contents of the controlValue octet
969	   string, including zero bytes. It is absent only if there is no value
970	   information which is associated with a control of its type.

972	   This document does not define any controls. Controls may be defined
973	   in other documents. The definition of a control consists of:

975	   - the OBJECT IDENTIFIER assigned to the control,

977	   - whether the control is always noncritical, always critical, or
978	     critical at the client's option,

980	   - the format of the controlValue contents of the control.

982	   Servers list the controls which they recognize in the
983	   supportedControl attribute in the root DSE.

985	4.2. Bind Operation

987	   The function of the Bind Operation is to allow authentication
988	   information to be exchanged between the client and server.

990	   The Bind Request is defined as follows:

992	        BindRequest ::= [APPLICATION 0] SEQUENCE {
993	                version                 INTEGER (1 .. 127),
994	                name                    LDAPDN,
995	                authentication          AuthenticationChoice }

997	        AuthenticationChoice ::= CHOICE {
998	                simple                  [0] OCTET STRING,

1000	              Lightweight Directory Access Protocol Version 3

1002	                                         -- 1 and 2 reserved
1003	                sasl                    [3] SaslCredentials }

1005	        SaslCredentials ::= SEQUENCE {
1006	                mechanism               LDAPString,
1007	                credentials             OCTET STRING OPTIONAL }

1009	   Parameters of the Bind Request are:

1011	   - version: A version number indicating the version of the protocol
1012	     to be used in this protocol session. This document describes
1013	     version 3 of the LDAP protocol. Note that there is no version
1014	     negotiation, and the client just sets this parameter to the
1015	     version it desires. If the client requests protocol version 2, a
1016	     server that supports the version 2 protocol as described in
1017	     [RFC1777] will not return any v3-specific protocol fields. (Note
1018	     that not all LDAP servers will support protocol version 2, since
1019	     they may be unable to generate the attribute syntaxes associated
1020	     with version 2.)

1022	   - name: The name of the directory object that the client wishes to
1023	     bind as. This field may take on a null value (a zero length
1024	     string) for the purposes of anonymous binds, when authentication
1025	     has been performed at a lower layer, or when using SASL
1026	     credentials with a mechanism that includes the LDAPDN in the
1027	     credentials. Note that the server SHOULD NOT perform any alias
1028	     dereferencing in determining the object to bind as.

1030	   - authentication: information used to authenticate the name, if any,
1031	     provided in the Bind Request.

1033	   Upon receipt of a Bind Request, a protocol server will authenticate
1034	   the requesting client, if necessary. The server will then return a
1035	   Bind Response to the client indicating the status of the
1036	   authentication.

1038	   Authorization is the use of this authentication information when
1039	   performing operations. Authorization MAY be affected by factors
1040	   outside of the LDAP Bind request, such as lower layer security
1041	   services.

1043	4.2.1. Sequencing of the Bind Request

1045	   For some SASL authentication mechanisms, it may be necessary for the
1046	   client to invoke the BindRequest multiple times. If at any stage the
1047	   client wishes to abort the bind process it MAY unbind and then drop
1048	   the underlying connection. Clients MUST NOT invoke operations between
1049	   two Bind requests made as part of a multi-stage bind.

1051	   A client may abort a SASL bind negotiation by sending a BindRequest
1052	   with a different value in the mechanism field of SaslCredentials, or
1053	   an AuthenticationChoice other than sasl.

1055	              Lightweight Directory Access Protocol Version 3

1057	   If the client sends a BindRequest with the sasl mechanism field as an
1058	   empty string, the server MUST return a BindResponse with
1059	   authMethodNotSupported as the resultCode. This will allow clients to
1060	   abort a negotiation if it wishes to try again with the same SASL
1061	   mechanism.

1063	   Unlike LDAP v2, the client need not send a Bind Request in the first
1064	   PDU of the connection. The client may request any operations and the
1065	   server MUST treat these as unauthenticated. If the server requires
1066	   that the client bind before browsing or modifying the directory, the
1067	   server MAY reject a request other than binding, unbinding or an
1068	   extended request with the "operationsError" result.

1070	   If the client did not bind before sending a request and receives an
1071	   operationsError, it may then send a Bind Request. If this also fails
1072	   or the client chooses not to bind on the existing connection, it will
1073	   close the connection, reopen it and begin again by first sending a
1074	   PDU with a Bind Request. This will aid in interoperating with servers
1075	   implementing other versions of LDAP.

1077	   Clients MAY send multiple bind requests on a connection to change
1078	   their credentials. A subsequent bind process has the effect of
1079	   abandoning all operations outstanding on the connection. (This
1080	   simplifies server implementation.) Authentication from earlier binds
1081	   are subsequently ignored, and so if the bind fails, the connection
1082	   will be treated as anonymous. If a SASL transfer encryption or
1083	   integrity mechanism has been negotiated, and that mechanism does not
1084	   support the changing of credentials from one identity to another,
1085	   then the client MUST instead establish a new connection.

1087	4.2.2. Authentication and Other Security Services

1089	   The simple authentication option provides minimal authentication
1090	   facilities, with the contents of the authentication field consisting
1091	   only of a cleartext password. Note that the use of cleartext
1092	   passwords is not recommended over open networks when there is no
1093	   authentication or encryption being performed by a lower layer; see
1094	   the "Security Considerations" section.

1096	   If no authentication is to be performed, then the simple
1097	   authentication option MUST be chosen, and the password be of zero
1098	   length. (This is often done by LDAPv2 clients.) Typically the DN is
1099	   also of zero length.

1101	   The sasl choice allows for any mechanism defined for use with SASL
1102	   [RFC2222]. The mechanism field contains the name of the mechanism.
1103	   The credentials field contains the arbitrary data used for
1104	   authentication, inside an OCTET STRING wrapper. Note that unlike some
1105	   Internet application protocols where SASL is used, LDAP is not text-
1106	   based, thus no base64 transformations are performed on the
1107	   credentials.

1109	   If any SASL-based integrity or confidentiality services are enabled,
1110	   they take effect following the transmission by the server and
1111	              Lightweight Directory Access Protocol Version 3

1113	   reception by the client of the final BindResponse with resultCode
1114	   success.

1116	   The client can request that the server use authentication information
1117	   from a lower layer protocol by using the SASL EXTERNAL mechanism.

1119	4.2.3. Bind Response

1121	   The Bind Response is defined as follows.

1123	        BindResponse ::= [APPLICATION 1] SEQUENCE {
1124	             COMPONENTS OF LDAPResult,
1125	             serverSaslCreds    [7] OCTET STRING OPTIONAL }

1127	   BindResponse consists simply of an indication from the server of the
1128	   status of the client's request for authentication.

1130	   If the bind was successful, the resultCode will be success, otherwise
1131	   it will be one of:

1133	   - operationsError: server encountered an internal error.

1135	   - protocolError: unrecognized version number or incorrect PDU
1136	     structure.

1138	   - authMethodNotSupported: unrecognized SASL mechanism name.

1140	   - strongAuthRequired: the server requires authentication be
1141	     performed with a SASL mechanism.

1143	   - referral: this server cannot accept this bind and the client
1144	     should try another.

1146	   - saslBindInProgress: the server requires the client to send a new
1147	     bind request, with the same sasl mechanism, to continue the
1148	     authentication process.

1150	   - inappropriateAuthentication: the server requires the client which
1151	     had attempted to bind anonymously or without supplying credentials
1152	     to provide some form of credentials.

1154	   - invalidCredentials: the wrong password was supplied or the SASL
1155	     credentials could not be processed.

1157	   - unavailable: the server is shutting down.

1159	   If the server does not support the client's requested protocol
1160	   version, it MUST set the resultCode to protocolError.

1162	   If the client receives a BindResponse response where the resultCode
1163	   was protocolError, it MUST close the connection as the server will be
1164	   unwilling to accept further operations. (This is for compatibility
1165	   with earlier versions of LDAP, in which the bind was always the first
1166	   operation, and there was no negotiation.)
1167	              Lightweight Directory Access Protocol Version 3

1169	   The serverSaslCreds are used as part of a SASL-defined bind mechanism
1170	   to allow the client to authenticate the server to which it is
1171	   communicating, or to perform "challenge-response" authentication. If
1172	   the client bound with the password choice, or the SASL mechanism does
1173	   not require the server to return information to the client, then this
1174	   field is not to be included in the result.

1176	4.3. Unbind Operation

1178	   The function of the Unbind Operation is to terminate a protocol
1179	   session. The Unbind Operation is defined as follows:

1181	        UnbindRequest ::= [APPLICATION 2] NULL

1183	   The Unbind Operation has no response defined. Upon transmission of an
1184	   UnbindRequest, a protocol client may assume that the protocol session
1185	   is terminated. Upon receipt of an UnbindRequest, a protocol server
1186	   may assume that the requesting client has terminated the session and
1187	   that all outstanding requests may be discarded, and may close the
1188	   connection.

1190	4.4. Unsolicited Notification

1192	   An unsolicited notification is an LDAPMessage sent from the server to
1193	   the client which is not in response to any LDAPMessage received by
1194	   the server. It is used to signal an extraordinary condition in the
1195	   server or in the connection between the client and the server. The
1196	   notification is of an advisory nature, and the server will not expect
1197	   any response to be returned from the client.

1199	   The unsolicited notification is structured as an LDAPMessage in which
1200	   the messageID is 0 and protocolOp is of the extendedResp form. The
1201	   responseName field of the ExtendedResponse is present. The LDAPOID
1202	   value MUST be unique for this notification, and not be used in any
1203	   other situation.

1205	   One unsolicited notification is defined in this document.

1207	4.4.1. Notice of Disconnection

1209	   This notification may be used by the server to advise the client that
1210	   the server is about to close the connection due to an error
1211	   condition. Note that this notification is NOT a response to an unbind
1212	   requested by the client: the server MUST follow the procedures of
1213	   section 4.3. This notification is intended to assist clients in
1214	   distinguishing between an error condition and a transient network
1215	   failure. As with a connection close due to network failure, the
1216	   client MUST NOT assume that any outstanding requests which modified
1217	   the directory have succeeded or failed.

1219	   The responseName is 1.3.6.1.4.1.1466.20036, the response field is
1220	   absent, and the resultCode is used to indicate the reason for the
1221	   disconnection.

1223	              Lightweight Directory Access Protocol Version 3

1225	   The following resultCode values are to be used in this notification:

1227	   - protocolError: The server has received data from the client in
1228	     which the LDAPMessage structure could not be parsed.

1230	   - strongAuthRequired: The server has detected that an established
1231	     underlying security association protecting communication between
1232	     the client and server has unexpectedly failed or been compromised.

1234	   - unavailable: This server will stop accepting new connections and
1235	     operations on all existing connections, and be unavailable for an
1236	     extended period of time. The client may make use of an alternative
1237	     server.

1239	   After sending this notice, the server MUST close the connection.
1240	   After receiving this notice, the client MUST NOT transmit any further
1241	   on the connection, and may abruptly close the connection.

1243	4.5. Search Operation

1245	   The Search Operation allows a client to request that a search be
1246	   performed on its behalf by a server. This can be used to read
1247	   attributes from a single entry, from entries immediately below a
1248	   particular entry, or a whole subtree of entries.

1250	4.5.1. Search Request

1252	   The Search Request is defined as follows:

1254	        SearchRequest ::= [APPLICATION 3] SEQUENCE {
1255	                baseObject      LDAPDN,
1256	                scope           ENUMERATED {
1257	                        baseObject              (0),
1258	                        singleLevel             (1),
1259	                        wholeSubtree            (2) },
1260	                derefAliases    ENUMERATED {
1261	                        neverDerefAliases       (0),
1262	                        derefInSearching        (1),
1263	                        derefFindingBaseObj     (2),
1264	                        derefAlways             (3) },
1265	                sizeLimit       INTEGER (0 .. maxInt),
1266	                timeLimit       INTEGER (0 .. maxInt),
1267	                typesOnly       BOOLEAN,
1268	                filter          Filter,
1269	                attributes      AttributeDescriptionList }

1271	        Filter ::= CHOICE {
1272	                and             [0] SET OF Filter,
1273	                or              [1] SET OF Filter,
1274	                not             [2] Filter,
1275	                equalityMatch   [3] AttributeValueAssertion,
1276	                substrings      [4] SubstringFilter,
1277	                greaterOrEqual  [5] AttributeValueAssertion,

1279	              Lightweight Directory Access Protocol Version 3

1281	                lessOrEqual     [6] AttributeValueAssertion,
1282	                present         [7] AttributeDescription,
1283	                approxMatch     [8] AttributeValueAssertion,
1284	                extensibleMatch [9] MatchingRuleAssertion }

1286	        SubstringFilter ::= SEQUENCE {
1287	                type            AttributeDescription,
1288	                -- at least one must be present
1289	                substrings      SEQUENCE OF CHOICE {
1290	                        initial [0] AssertionValue,
1291	                        any     [1] AssertionValue,
1292	                        final   [2] AssertionValue } }

1294	        MatchingRuleAssertion ::= SEQUENCE {
1295	                matchingRule    [1] MatchingRuleId OPTIONAL,
1296	                type            [2] AttributeDescription OPTIONAL,
1297	                matchValue      [3] AssertionValue,
1298	                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

1300	   Parameters of the Search Request are:

1302	   - baseObject: An LDAPDN that is the base object entry relative to
1303	     which the search is to be performed.

1305	   - scope: An indicator of the scope of the search to be performed.
1306	     The semantics of the possible values of this field are identical
1307	     to the semantics of the scope field in the X.511 Search Operation.

1309	   - derefAliases: An indicator as to how alias objects (as defined in
1310	     X.501) are to be handled in searching. The semantics of the
1311	     possible values of this field are:

1313	             neverDerefAliases: do not dereference aliases in searching
1314	             or in locating the base object of the search;

1316	             derefInSearching: dereference aliases in subordinates of
1317	             the base object in searching, but not in locating the base
1318	             object of the search;

1320	             derefFindingBaseObj: dereference aliases in locating the
1321	             base object of the search, but not when searching
1322	             subordinates of the base object;

1324	             derefAlways: dereference aliases both in searching and in
1325	             locating the base object of the search.

1327	   - sizeLimit: A size limit that restricts the maximum number of
1328	     entries to be returned as a result of the search. A value of 0 in
1329	     this field indicates that no client-requested size limit
1330	     restrictions are in effect for the search. Servers may enforce a
1331	     maximum number of entries to return.

1333	   - timeLimit: A time limit that restricts the maximum time (in
1334	     seconds) allowed for a search. A value of 0 in this field
1335	              Lightweight Directory Access Protocol Version 3

1337	     indicates that no client-requested time limit restrictions are in
1338	     effect for the search.

1340	   - typesOnly: An indicator as to whether search results will contain
1341	     both attribute types and values, or just attribute types. Setting
1342	     this field to TRUE causes only attribute types (no values) to be
1343	     returned. Setting this field to FALSE causes both attribute types
1344	     and values to be returned.

1346	   - filter: A filter that defines the conditions that must be
1347	     fulfilled in order for the search to match a given entry.

1349	     The 'and', 'or' and 'not' choices can be used to form combinations
1350	     of filters. At least one filter element MUST be present in an
1351	     'and' or 'or' choice. The others match against individual
1352	     attribute values of entries in the scope of the search.
1353	     (Implementor's note: the 'not' filter is an example of a tagged
1354	     choice in an implicitly-tagged module. In BER this is treated as
1355	     if the tag was explicit.)

1357	     A server MUST evaluate filters according to the three-valued logic
1358	     of X.511 (1993) section 7.8.1. In summary, a filter is evaluated
1359	     to either "TRUE", "FALSE" or "Undefined". If the filter evaluates
1360	     to TRUE for a particular entry, then the attributes of that entry
1361	     are returned as part of the search result (subject to any
1362	     applicable access control restrictions). If the filter evaluates
1363	     to FALSE or Undefined, then the entry is ignored for the search.

1365	     A filter of the "and" choice is TRUE if all the filters in the SET
1366	     OF evaluate to TRUE, FALSE if at least one filter is FALSE, and
1367	     otherwise Undefined. A filter of the "or" choice is FALSE if all
1368	     of the filters in the SET OF evaluate to FALSE, TRUE if at least
1369	     one filter is TRUE, and Undefined otherwise. A filter of the "not"
1370	     choice is TRUE if the filter being negated is FALSE, FALSE if it
1371	     is TRUE, and Undefined if it is Undefined.

1373	     The present match evaluates to TRUE where there is an attribute or
1374	     subtype of the specified attribute description present in an
1375	     entry, and FALSE otherwise (including a presence test with an
1376	     unrecognized attribute description.)

1378	     The extensibleMatch is new in this version of LDAP. If the
1379	     matchingRule field is absent, the type field MUST be present, and
1380	     the equality match is performed for that type. If the type field
1381	     is absent and matchingRule is present, the matchValue is compared
1382	     against all attributes in an entry which support that
1383	     matchingRule, and the matchingRule determines the syntax for the
1384	     assertion value (the filter item evaluates to TRUE if it matches
1385	     with at least one attribute in the entry, FALSE if it does not
1386	     match any attribute in the entry, and Undefined if the
1387	     matchingRule is not recognized or the assertionValue cannot be
1388	     parsed.) If the type field is present and matchingRule is present,
1389	     the matchingRule MUST be one permitted for use with that type,
1390	     otherwise the filter item is undefined. If the dnAttributes field
1391	              Lightweight Directory Access Protocol Version 3

1393	     is set to TRUE, the match is applied against all the attributes in
1394	     an entry's distinguished name as well, and also evaluates to TRUE
1395	     if there is at least one attribute in the distinguished name for
1396	     which the filter item evaluates to TRUE. (Editors note: The
1397	     dnAttributes field is present so that there does not need to be
1398	     multiple versions of generic matching rules such as for word
1399	     matching, one to apply to entries and another to apply to entries
1400	     and dn attributes as well).

1402	     A filter item evaluates to Undefined when the server would not be
1403	     able to determine whether the assertion value matches an entry. If
1404	     an attribute description in an equalityMatch, substrings,
1405	     greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch filter
1406	     is not recognized by the server, a matching rule id in the
1407	     extensibleMatch is not recognized by the server, the assertion
1408	     value cannot be parsed, or the type of filtering requested is not
1409	     implemented, then the filter is Undefined. Thus for example if a
1410	     server did not recognize the attribute type shoeSize, a filter of
1411	     (shoeSize=*) would evaluate to FALSE, and the filters
1412	     (shoeSize=12), (shoeSize>=12) and (shoeSize<=12) would evaluate to
1413	     Undefined.

1415	     Servers MUST NOT return errors if attribute descriptions or
1416	     matching rule ids are not recognized, or assertion values cannot
1417	     be parsed. More details of filter processing are given in section
1418	     7.8 of [X.511].

1420	   - attributes: A list of the attributes to be returned from each
1421	     entry which matches the search filter. There are two special
1422	     values which may be used: an empty list with no attributes, and
1423	     the attribute description string "*".  Both of these signify that
1424	     all user attributes are to be returned.  (The "*" allows the
1425	     client to request all user attributes in addition to specific
1426	     operational attributes).

1428	     Attributes MUST be named at most once in the list, and are
1429	     returned at most once in an entry. If there are attribute
1430	     descriptions in the list which are not recognized, they are
1431	     ignored by the server.

1433	     If the client does not want any attributes returned, it can
1434	     specify a list containing only the attribute with OID "1.1". This
1435	     OID was chosen arbitrarily and does not correspond to any
1436	     attribute in use.

1438	     Client implementors should note that even if all user attributes
1439	     are requested, some attributes of the entry may not be included in
1440	     search results due to access controls or other restrictions.
1441	     Furthermore, servers will not return operational attributes, such
1442	     as objectClasses or attributeTypes, unless they are listed by
1443	     name, since there may be extremely large number of values for
1444	     certain operational attributes. (A list of operational attributes
1445	     for use in LDAP is given in [RFC2252].)
1446	              Lightweight Directory Access Protocol Version 3

1448	   Note that an X.500 "list"-like operation can be emulated by the
1449	   client requesting a one-level LDAP search operation with a filter
1450	   checking for the existence of the objectClass attribute, and that an
1451	   X.500 "read"-like operation can be emulated by a base object LDAP
1452	   search operation with the same filter. A server which provides a
1453	   gateway to X.500 is not required to use the Read or List operations,
1454	   although it may choose to do so, and if it does must provide the same
1455	   semantics as the X.500 search operation.

1457	4.5.2. Search Result

1459	   The results of the search attempted by the server upon receipt of a
1460	   Search Request are returned in Search Responses, which are LDAP
1461	   messages containing either SearchResultEntry, SearchResultReference,
1462	   ExtendedResponse or SearchResultDone data types.

1464	        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
1465	                objectName      LDAPDN,
1466	                attributes      PartialAttributeList }

1468	        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
1469	                type    AttributeDescription,
1470	                vals    SET OF AttributeValue }
1471	        -- implementors should note that the PartialAttributeList may
1472	        -- have zero elements (if none of the attributes of that entry
1473	        -- were requested, or could be returned), and that the vals set
1474	        -- may also have zero elements (if types only was requested, or
1475	        -- all values were excluded from the result.)

1477	        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
1478	        -- at least one LDAPURL element must be present

1480	        SearchResultDone ::= [APPLICATION 5] LDAPResult

1482	   Upon receipt of a Search Request, a server will perform the necessary
1483	   search of the DIT.

1485	   If the LDAP session is operating over a connection-oriented transport
1486	   such as TCP, the server will return to the client a sequence of
1487	   responses in separate LDAP messages. There may be zero or more
1488	   responses containing SearchResultEntry, one for each entry found
1489	   during the search. There may also be zero or more responses
1490	   containing SearchResultReference, one for each area not explored by
1491	   this server during the search. The SearchResultEntry and
1492	   SearchResultReference PDUs may come in any order. Following all the
1493	   SearchResultReference responses and all SearchResultEntry responses
1494	   to be returned by the server, the server will return a response
1495	   containing the SearchResultDone, which contains an indication of
1496	   success, or detailing any errors that have occurred.

1498	   Each entry returned in a SearchResultEntry will contain all
1499	   attributes, complete with associated values if necessary, as
1500	   specified in the attributes field of the Search Request. Return of
1501	   attributes is subject to access control and other administrative
1502	              Lightweight Directory Access Protocol Version 3

1504	   policy. Some attributes may be returned in binary format (indicated
1505	   by the AttributeDescription in the response having the "binary"
1506	   option present).

1508	   Some attributes may be constructed by the server and appear in a
1509	   SearchResultEntry attribute list, although they are not stored
1510	   attributes of an entry. Clients MUST NOT assume that all attributes
1511	   can be modified, even if permitted by access control.

1513	   LDAPMessage responses of the ExtendedResponse form are reserved for
1514	   returning information associated with a control requested by the
1515	   client. These may be defined in future versions of this document.

1517	4.5.3. Continuation References in the Search Result

1519	   If the server was able to locate the entry referred to by the
1520	   baseObject but was unable to search all the entries in the scope at
1521	   and under the baseObject, the server may return one or more
1522	   SearchResultReference entries, each containing a reference to another
1523	   set of servers for continuing the operation. A server MUST NOT return
1524	   any SearchResultReference if it has not located the baseObject and
1525	   thus has not searched any entries; in this case it would return a
1526	   SearchResultDone containing a referral resultCode.

1528	   In the absence of indexing information provided to a server from
1529	   servers holding subordinate naming contexts, SearchResultReference
1530	   responses are not affected by search filters and are always returned
1531	   when in scope.

1533	   The SearchResultReference is of the same data type as the Referral.
1534	   URLs for servers implementing the LDAP protocol are written according
1535	   to [RFC2255]. The <dn> part MUST be present in the URL, with the new
1536	   target object name. The client MUST use this name in its next
1537	   request. Some servers (e.g. part of a distributed index exchange
1538	   system) may provide a different filter in the URLs of the
1539	   SearchResultReference. If the filter part of the URL is present in an
1540	   LDAP URL, the client MUST use the new filter in its next request to
1541	   progress the search, and if the filter part is absent the client will
1542	   use again the same filter. Other aspects of the new search request
1543	   may be the same or different as the search which generated the
1544	   continuation references.
1545	   Other kinds of URLs may be returned so long as the operation could be
1546	   performed using that protocol.

1548	   The name of an unexplored subtree in a SearchResultReference need not
1549	   be subordinate to the base object.

1551	   In order to complete the search, the client MUST issue a new search
1552	   operation for each SearchResultReference that is returned. Note that
1553	   the abandon operation described in section 4.11 applies only to a
1554	   particular operation sent on a connection between a client and
1555	   server, and if the client has multiple outstanding search operations
1556	   to different servers, it MUST abandon each operation individually.

1558	              Lightweight Directory Access Protocol Version 3

1560	   4.5.3.1. Example

1562	   For example, suppose the contacted server (hosta) holds the entry
1563	   "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW". It knows that
1564	   either LDAP-capable servers (hostb) or (hostc) hold
1565	   "OU=People,O=MNN,C=WW" (one is the master and the other server a
1566	   shadow), and that LDAP-capable server (hostd) holds the subtree
1567	   "OU=Roles,O=MNN,C=WW". If a subtree search of "O=MNN,C=WW" is
1568	   requested to the contacted server, it may return the following:

1570	     SearchResultEntry for O=MNN,C=WW
1571	     SearchResultEntry for CN=Manager,O=MNN,C=WW
1572	     SearchResultReference {
1573	       ldap://hostb/OU=People,O=MNN,C=WW
1574	       ldap://hostc/OU=People,O=MNN,C=WW
1575	     }
1576	     SearchResultReference {
1577	       ldap://hostd/OU=Roles,O=MNN,C=WW
1578	     }
1579	     SearchResultDone (success)

1581	   Client implementors should note that when following a
1582	   SearchResultReference, additional SearchResultReference may be
1583	   generated. Continuing the example, if the client contacted the server
1584	   (hostb) and issued the search for the subtree "OU=People,O=MNN,C=WW",
1585	   the server might respond as follows:

1587	     SearchResultEntry for OU=People,O=MNN,C=WW
1588	     SearchResultReference {
1589	       ldap://hoste/OU=Managers,OU=People,O=MNN,C=WW
1590	     }
1591	     SearchResultReference {
1592	       ldap://hostf/OU=Consultants,OU=People,O=MNN,C=WW
1593	     }
1594	     SearchResultDone (success)

1596	   If the contacted server does not hold the base object for the search,
1597	   then it will return a referral to the client. For example, if the
1598	   client requests a subtree search of "O=XYZ,C=US" to hosta, the server
1599	   may return only a SearchResultDone containing a referral.

1601	     SearchResultDone (referral) {
1602	       ldap://hostg/
1603	     }

1605	4.6. Modify Operation

1607	   The Modify Operation allows a client to request that a modification
1608	   of an entry be performed on its behalf by a server. The Modify
1609	   Request is defined as follows:

1611	        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
1612	                object          LDAPDN,
1613	                modification    SEQUENCE OF SEQUENCE {

1615	              Lightweight Directory Access Protocol Version 3

1617	                        operation       ENUMERATED {
1618	                                                add     (0),
1619	                                                delete  (1),
1620	                                                replace (2) },
1621	                        modification    AttributeTypeAndValues } }

1623	        AttributeTypeAndValues ::= SEQUENCE {
1624	                type    AttributeDescription,
1625	                vals    SET OF AttributeValue }

1627	   Parameters of the Modify Request are:

1629	   - object: The object to be modified. The value of this field
1630	     contains the DN of the entry to be modified. The server will not
1631	     perform any alias dereferencing in determining the object to be
1632	     modified.

1634	   - modification: A list of modifications to be performed on the
1635	     entry. The entire list of entry modifications MUST be performed in
1636	     the order they are listed, as a single atomic operation. While
1637	     individual modifications may violate the directory schema, the
1638	     resulting entry after the entire list of modifications is
1639	     performed MUST conform to the requirements of the directory
1640	     schema. The values that may be taken on by the 'operation' field
1641	     in each modification construct have the following semantics
1642	     respectively:

1644	             add: add values listed to the given attribute, creating the
1645	             attribute if necessary;

1647	             delete: delete values listed from the given attribute,
1648	             removing the entire attribute if no values are listed, or
1649	             if all current values of the attribute are listed for
1650	             deletion;

1652	             replace: replace all existing values of the given attribute
1653	             with the new values listed, creating the attribute if it
1654	             did not already exist. A replace with no value will delete
1655	             the entire attribute if it exists, and is ignored if the
1656	             attribute does not exist.

1658	   The result of the modify attempted by the server upon receipt of a
1659	   Modify Request is returned in a Modify Response, defined as follows:

1661	        ModifyResponse ::= [APPLICATION 7] LDAPResult

1663	   Upon receipt of a Modify Request, a server will perform the necessary
1664	   modifications to the DIT.

1666	   The server will return to the client a single Modify Response
1667	   indicating either the successful completion of the DIT modification,
1668	   or the reason that the modification failed. Note that due to the
1669	   requirement for atomicity in applying the list of modifications in
1670	   the Modify Request, the client may expect that no modifications of
1671	              Lightweight Directory Access Protocol Version 3

1673	   the DIT have been performed if the Modify Response received indicates
1674	   any sort of error, and that all requested modifications have been
1675	   performed if the Modify Response indicates successful completion of
1676	   the Modify Operation. If the connection fails, whether the
1677	   modification occurred or not is indeterminate.

1679	   The Modify Operation cannot be used to remove from an entry any of
1680	   its distinguished values, those values which form the entry's
1681	   relative distinguished name. An attempt to do so will result in the
1682	   server returning the error notAllowedOnRDN. The Modify DN Operation
1683	   described in section 4.9 is used to rename an entry.

1685	   If an equality match filter has not been defined for an attribute
1686	   type, clients MUST NOT attempt to delete individual values of that
1687	   attribute from an entry using the "delete" form of a modification,
1688	   and MUST instead use the "replace" form.

1690	   Note that due to the simplifications made in LDAP, there is not a
1691	   direct mapping of the modifications in an LDAP ModifyRequest onto the
1692	   EntryModifications of a DAP ModifyEntry operation, and different
1693	   implementations of LDAP-DAP gateways may use different means of
1694	   representing the change. If successful, the final effect of the
1695	   operations on the entry MUST be identical.

1697	4.7. Add Operation

1699	   The Add Operation allows a client to request the addition of an entry
1700	   into the directory. The Add Request is defined as follows:

1702	        AddRequest ::= [APPLICATION 8] SEQUENCE {
1703	                entry           LDAPDN,
1704	                attributes      AttributeList }

1706	        AttributeList ::= SEQUENCE OF SEQUENCE {
1707	                type    AttributeDescription,
1708	                vals    SET OF AttributeValue }

1710	   Parameters of the Add Request are:

1712	   - entry: the Distinguished Name of the entry to be added. Note that
1713	     the server will not dereference any aliases in locating the entry
1714	     to be added.

1716	   - attributes: the list of attributes that make up the content of the
1717	     entry being added. Clients MUST include distinguished values
1718	     (those forming the entry's own RDN) in this list, the objectClass
1719	     attribute, and values of any mandatory attributes of the listed
1720	     object classes. Clients MUST NOT supply the createTimestamp or
1721	     creatorsName attributes, since these will be generated
1722	     automatically by the server.

1724	   The entry named in the entry field of the AddRequest MUST NOT exist
1725	   for the AddRequest to succeed. The parent of the entry to be added
1726	   MUST exist. For example, if the client attempted to add
1727	              Lightweight Directory Access Protocol Version 3

1729	   "CN=JS,O=Foo,C=US", the "O=Foo,C=US" entry did not exist, and the
1730	   "C=US" entry did exist, then the server would return the error
1731	   noSuchObject with the matchedDN field containing "C=US". If the
1732	   parent entry exists but is not in a naming context held by the
1733	   server, the server SHOULD return a referral to the server holding the
1734	   parent entry.

1736	   Servers implementations SHOULD NOT restrict where entries can be
1737	   located in the directory. Some servers MAY allow the administrator to
1738	   restrict the classes of entries which can be added to the directory.

1740	   Upon receipt of an Add Request, a server will attempt to perform the
1741	   add requested. The result of the add attempt will be returned to the
1742	   client in the Add Response, defined as follows:

1744	        AddResponse ::= [APPLICATION 9] LDAPResult

1746	   A response of success indicates that the new entry is present in the
1747	   directory.

1749	4.8. Delete Operation

1751	   The Delete Operation allows a client to request the removal of an
1752	   entry from the directory. The Delete Request is defined as follows:

1754	        DelRequest ::= [APPLICATION 10] LDAPDN

1756	   The Delete Request consists of the Distinguished Name of the entry to
1757	   be deleted. Note that the server will not dereference aliases while
1758	   resolving the name of the target entry to be removed, and that only
1759	   leaf entries (those with no subordinate entries) can be deleted with
1760	   this operation.

1762	   The result of the delete attempted by the server upon receipt of a
1763	   Delete Request is returned in the Delete Response, defined as
1764	   follows:

1766	        DelResponse ::= [APPLICATION 11] LDAPResult

1768	   Upon receipt of a Delete Request, a server will attempt to perform
1769	   the entry removal requested. The result of the delete attempt will be
1770	   returned to the client in the Delete Response.

1772	4.9. Modify DN Operation

1774	   The Modify DN Operation allows a client to change the leftmost (least
1775	   significant) component of the name of an entry in the directory, or
1776	   to move a subtree of entries to a new location in the directory. The
1777	   Modify DN Request is defined as follows:

1779	        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
1780	                entry           LDAPDN,
1781	                newrdn          RelativeLDAPDN,
1782	                deleteoldrdn    BOOLEAN,

1784	              Lightweight Directory Access Protocol Version 3

1786	                newSuperior     [0] LDAPDN OPTIONAL }

1788	   Parameters of the Modify DN Request are:

1790	   - entry: the Distinguished Name of the entry to be changed. This
1791	     entry may or may not have subordinate entries. Note that the
1792	     server will not dereference any aliases in locating the entry to
1793	     be changed.

1795	   - newrdn: the RDN that will form the leftmost component of the new
1796	     name of the entry.

1798	   - deleteoldrdn: a boolean parameter that controls whether the old
1799	     RDN attribute values are to be retained as attributes of the
1800	     entry, or deleted from the entry.

1802	   - newSuperior: if present, this is the Distinguished Name of the
1803	     entry which becomes the immediate superior of the existing entry.

1805	   The result of the name change attempted by the server upon receipt of
1806	   a Modify DN Request is returned in the Modify DN Response, defined as
1807	   follows:

1809	        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

1811	   Upon receipt of a ModifyDNRequest, a server will attempt to perform
1812	   the name change. The result of the name change attempt will be
1813	   returned to the client in the Modify DN Response.

1815	   For example, if the entry named in the "entry" parameter was "cn=John
1816	   Smith,c=US", the newrdn parameter was "cn=John Cougar Smith", and the
1817	   newSuperior parameter was absent, then this operation would attempt
1818	   to rename the entry to be "cn=John Cougar Smith,c=US". If there was
1819	   already an entry with that name, the operation would fail with error
1820	   code entryAlreadyExists.

1822	   If the deleteoldrdn parameter is TRUE, the values forming the old RDN
1823	   are deleted from the entry. If the deleteoldrdn parameter is FALSE,
1824	   the values forming the old RDN will be retained as non-distinguished
1825	   attribute values of the entry. The server may not perform the
1826	   operation and return an error code if the setting of the deleteoldrdn
1827	   parameter would cause a schema inconsistency in the entry.

1829	   Note that X.500 restricts the ModifyDN operation to only affect
1830	   entries that are contained within a single server. If the LDAP server
1831	   is mapped onto DAP, then this restriction will apply, and the
1832	   resultCode affectsMultipleDSAs will be returned if this error
1833	   occurred. In general clients MUST NOT expect to be able to perform
1834	   arbitrary movements of entries and subtrees between servers.

1836	4.10. Compare Operation
1837	              Lightweight Directory Access Protocol Version 3

1839	   The Compare Operation allows a client to compare an assertion
1840	   provided with an entry in the directory. The Compare Request is
1841	   defined as follows:

1843	        CompareRequest ::= [APPLICATION 14] SEQUENCE {
1844	                entry           LDAPDN,
1845	                ava             AttributeValueAssertion }

1847	   Parameters of the Compare Request are:

1849	   - entry: the name of the entry to be compared with. Note that the
1850	     server SHOULD NOT dereference any aliases in locating the entry to
1851	     be compared with.

1853	   - ava: the assertion with which an attribute in the entry is to be
1854	     compared.

1856	   The result of the compare attempted by the server upon receipt of a
1857	   Compare Request is returned in the Compare Response, defined as
1858	   follows:

1860	        CompareResponse ::= [APPLICATION 15] LDAPResult

1862	   Upon receipt of a Compare Request, a server will attempt to perform
1863	   the requested comparison. The result of the comparison will be
1864	   returned to the client in the Compare Response. Note that errors and
1865	   the result of comparison are all returned in the same construct.

1867	   Note that some directory systems may establish access controls which
1868	   permit the values of certain attributes (such as userPassword) to be
1869	   compared but not read. In a search result, it may be that an
1870	   attribute of that type would be returned, but with an empty set of
1871	   values.

1873	4.11. Abandon Operation

1875	   The function of the Abandon Operation is to allow a client to request
1876	   that the server abandon an outstanding operation. The Abandon Request
1877	   is defined as follows:

1879	        AbandonRequest ::= [APPLICATION 16] MessageID

1881	   The MessageID MUST be that of a an operation which was requested
1882	   earlier in this connection.

1884	   (The abandon request itself has its own message id. This is distinct
1885	   from the id of the earlier operation being abandoned.)

1887	   There is no response defined in the Abandon Operation. Upon
1888	   transmission of an Abandon Operation, a client may expect that the
1889	   operation identified by the Message ID in the Abandon Request has
1890	   been abandoned. In the event that a server receives an Abandon
1891	   Request on a Search Operation in the midst of transmitting responses
1892	   to the search, that server MUST cease transmitting entry responses to
1893	              Lightweight Directory Access Protocol Version 3

1895	   the abandoned request immediately, and MUST NOT send the
1896	   SearchResponseDone. Of course, the server MUST ensure that only
1897	   properly encoded LDAPMessage PDUs are transmitted.

1899	   Clients MUST NOT send abandon requests for the same operation
1900	   multiple times, and MUST also be prepared to receive results from
1901	   operations it has abandoned (since these may have been in transit
1902	   when the abandon was requested).

1904	   Servers MUST discard abandon requests for message IDs they do not
1905	   recognize, for operations which cannot be abandoned, and for
1906	   operations which have already been abandoned.

1908	4.12. Extended Operation

1910	   An extension mechanism has been added in this version of LDAP, in
1911	   order to allow additional operations to be defined for services not
1912	   available elsewhere in this protocol, for instance digitally signed
1913	   operations and results.

1915	   The extended operation allows clients to make requests and receive
1916	   responses with predefined syntaxes and semantics. These may be
1917	   defined in RFCs or be private to particular implementations. Each
1918	   request MUST have a unique OBJECT IDENTIFIER assigned to it.

1920	        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
1921	                requestName      [0] LDAPOID,
1922	                requestValue     [1] OCTET STRING OPTIONAL }

1924	   The requestName is a dotted-decimal representation of the OBJECT
1925	   IDENTIFIER corresponding to the request. The requestValue is
1926	   information in a form defined by that request, encapsulated inside an
1927	   OCTET STRING.

1929	   The server will respond to this with an LDAPMessage containing the
1930	   ExtendedResponse.

1932	        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
1933	                COMPONENTS OF LDAPResult,
1934	                responseName     [10] LDAPOID OPTIONAL,
1935	                response         [11] OCTET STRING OPTIONAL }

1937	   If the server does not recognize the request name, it MUST return
1938	   only the response fields from LDAPResult, containing the
1939	   protocolError result code.

1941	5. Protocol Element Encodings and Transfer

1943	   One underlying service is defined here. Clients and servers SHOULD
1944	   implement the mapping of LDAP over TCP described in 5.2.1.

1946	5.1. Mapping Onto BER-based Transport Services
1947	              Lightweight Directory Access Protocol Version 3

1949	   The protocol elements of LDAP are encoded for exchange using the
1950	   Basic Encoding Rules (BER) [X.690] of ASN.1 [X.680]. However, due to
1951	   the high overhead involved in using certain elements of the BER, the
1952	   following additional restrictions are placed on BER-encodings of LDAP
1953	   protocol elements:

1955	   (1) Only the definite form of length encoding will be used.

1957	   (2) OCTET STRING values will be encoded in the primitive form only.

1959	   (3) If the value of a BOOLEAN type is true, the encoding MUST have
1960	       its contents octets set to hex "FF".

1962	   (4) If a value of a type is its default value, it MUST be absent.
1963	       Only some BOOLEAN and INTEGER types have default values in this
1964	       protocol definition.

1966	   These restrictions do not apply to ASN.1 types encapsulated inside of
1967	   OCTET STRING values, such as attribute values, unless otherwise
1968	   noted.

1970	5.2. Transfer Protocols

1972	   This protocol is designed to run over connection-oriented, reliable
1973	   transports, with all 8 bits in an octet being significant in the data
1974	   stream.

1976	5.2.1. Transmission Control Protocol (TCP)

1978	   The LDAPMessage PDUs are mapped directly onto the TCP bytestream. It
1979	   is recommended that server implementations running over the TCP MAY
1980	   provide a protocol listener on the assigned port, 389. Servers may
1981	   instead provide a listener on a different port number. Clients MUST
1982	   support contacting servers on any valid TCP port.

1984	6. Implementation Guidelines

1986	   This document describes an Internet protocol.

1988	6.1. Server Implementations

1990	   The server MUST be capable of recognizing all the mandatory attribute
1991	   type names and implement the syntaxes specified in [RFC2252. Servers
1992	   MAY also recognize additional attribute type names.

1994	6.2. Client Implementations

1996	   Clients which request referrals MUST ensure that they do not loop
1997	   between servers. They MUST NOT repeatedly contact the same server for
1998	   the same request with the same target entry name, scope and filter.
1999	   Some clients may be using a counter that is incremented each time
2000	   referral handling occurs for an operation, and these kinds of clients
2001	   MUST be able to handle a DIT with at least ten layers of naming
2002	   contexts between the root and a leaf entry.

2004	              Lightweight Directory Access Protocol Version 3

2006	   In the absence of prior agreements with servers, clients SHOULD NOT
2007	   assume that servers support any particular schemas beyond those
2008	   referenced in section 6.1. Different schemas can have different
2009	   attribute types with the same names. The client can retrieve the
2010	   subschema entries referenced by the subschemaSubentry attribute in
2011	   the server's root DSE or in entries held by the server.

2013	7. Security Considerations

2015	   When used with a connection-oriented transport, this version of the
2016	   protocol provides facilities for the LDAP v2 authentication
2017	   mechanism, simple authentication using a cleartext password, as well
2018	   as any SASL mechanism [RFC2222]. SASL allows for integrity and
2019	   privacy services to be negotiated.

2021	   It is also permitted that the server can return its credentials to
2022	   the client, if it chooses to do so.

2024	   Use of cleartext password is strongly discouraged where the
2025	   underlying transport service cannot guarantee confidentiality and may
2026	   result in disclosure of the password to unauthorized parties.

2028	   When used with SASL, it should be noted that the name field of the
2029	   BindRequest is not protected against modification. Thus if the
2030	   distinguished name of the client (an LDAPDN) is agreed through the
2031	   negotiation of the credentials, it takes precedence over any value in
2032	   the unprotected name field.

2034	   Implementations which cache attributes and entries obtained via LDAP
2035	   MUST ensure that access controls are maintained if that information
2036	   is to be provided to multiple clients, since servers may have access
2037	   control policies which prevent the return of entries or attributes in
2038	   search results except to particular authenticated clients. For
2039	   example, caches could serve result information only to the client
2040	   whose request caused it to be cache.

2042	8. Acknowledgements

2044	   This document is an update to RFC 2251, by Mark Wahl, Tim Howes, and
2045	   Steve Kille. Their work along with the input of individuals of the
2046	   IETF LDAPEXT, LDUP, LDAPBIS, and other Working Groups is gratefully
2047	   acknowledged.

2049	9. Bibliography

2051	   [ISO10646]Universal Multiple-Octet Coded Character Set (UCS) -
2052	             Architecture and Basic Multilingual Plane, ISO/IEC 10646-1
2053	             : 1993.

2055	   [X.500]   ITU-T Rec. X.500, "The Directory: Overview of Concepts,
2056	             Models and Service", 1993.

2058	   [X.501]   ITU-T Rec. X.501, "The Directory: Models", 1993.

2060	              Lightweight Directory Access Protocol Version 3

2062	   [X.511]   ITU-T Rec. X.511, "The Directory: Abstract Service
2063	             Definition", 1993.

2065	   [X.680]   ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) -
2066	             Specification of Basic Notation", 1994.

2068	   [X.690]   ITU-T Rec. X.690, "Specification of ASN.1 encoding rules:
2069	             Basic, Canonical, and Distinguished Encoding Rules", 1994.

2071	   [RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory
2072	             Access Protocol", RFC 1777, March 1995.

2074	   [RFC1823] Howes, T., and M. Smith, "The LDAP Application Program
2075	             Interface", RFC 1823, August 1995.

2077	   [RFC2044] Yergeau, F., "UTF-8, a transformation format of Unicode
2078	             and ISO 10646", RFC 2044, October 1996.

2080	   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
2081	             Requirement Levels", RFC 2119, March 1997.

2083	   [RFC2222] Meyers, J., "Simple Authentication and Security Layer",
2084	             RFC 2222, October 1997.

2086	   [RFC2234] Crocker, D., and P. Overell, "Augmented BNF for Syntax
2087	             Specifications: ABNF", RFC 2234, November 1997.

2089	   [RFC2252] Wahl, M., Coulbeck, A., Howes, T., and S. Kille,
2090	             "Lightweight Directory Access Protocol (v3): Attribute
2091	             Syntax Definitions", RFC 2252, December 1997.

2093	   [RFC2253] Kille, S., Wahl, M., and T. Howes, "Lightweight Directory
2094	             Access Protocol (v3): UTF-8 String Representation of
2095	             Distinguished Names", RFC 2253, December 1997.

2097	   [RFC2255] Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
2098	             December 1997.

2100	   [RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter Uniform
2101	             Resource Identifiers (URI): Generic Syntax", RFC 2396,
2102	             August 1998.

2104	   [RFC2829] Wahl, M., Alvestrand, H., Hodges, J., and R. Morgan,
2105	             "Authentication Methods for LDAP", RFC 2829, May 2000

2107	   [RFC2830] Hodges, J., Morgan, R., and M. Wahl "Lightweight Directory
2108	             Access Protocol (v3): Extension for Transport Layer
2109	             Security", RFC 2830, May 2000

2111	10. Editor's Address

2113	   Jim Sermersheim
2114	   Novell, Inc.

2116	              Lightweight Directory Access Protocol Version 3

2118	   1800 South Novell Place
2119	   Provo, Utah 84606, USA
2120	   jimse@novell.com
2121	   +1 801 861-3088
2122	              Lightweight Directory Access Protocol Version 3

2124	Appendix A - Complete ASN.1 Definition

2126	        Lightweight-Directory-Access-Protocol-V3 DEFINITIONS
2127	        IMPLICIT TAGS ::=

2129	        BEGIN

2131	        LDAPMessage ::= SEQUENCE {
2132	                messageID       MessageID,
2133	                protocolOp      CHOICE {
2134	                        bindRequest     BindRequest,
2135	                        bindResponse    BindResponse,
2136	                        unbindRequest   UnbindRequest,
2137	                        searchRequest   SearchRequest,
2138	                        searchResEntry  SearchResultEntry,
2139	                        searchResDone   SearchResultDone,
2140	                        searchResRef    SearchResultReference,
2141	                        modifyRequest   ModifyRequest,
2142	                        modifyResponse  ModifyResponse,
2143	                        addRequest      AddRequest,
2144	                        addResponse     AddResponse,
2145	                        delRequest      DelRequest,
2146	                        delResponse     DelResponse,
2147	                        modDNRequest    ModifyDNRequest,
2148	                        modDNResponse   ModifyDNResponse,
2149	                        compareRequest  CompareRequest,
2150	                        compareResponse CompareResponse,
2151	                        abandonRequest  AbandonRequest,
2152	                        extendedReq     ExtendedRequest,
2153	                        extendedResp    ExtendedResponse },
2154	                 controls       [0] Controls OPTIONAL }

2156	        MessageID ::= INTEGER (0 .. maxInt)

2158	        maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

2160	        LDAPString ::= OCTET STRING

2162	        LDAPOID ::= OCTET STRING

2164	        LDAPDN ::= LDAPString

2166	        RelativeLDAPDN ::= LDAPString

2168	        AttributeType ::= LDAPString

2170	        AttributeDescription ::= LDAPString

2172	        AttributeDescriptionList ::= SEQUENCE OF
2173	                AttributeDescription

2175	        AttributeValue ::= OCTET STRING

2177	        AttributeValueAssertion ::= SEQUENCE {
2178	              Lightweight Directory Access Protocol Version 3

2180	                attributeDesc   AttributeDescription,
2181	                assertionValue  AssertionValue }

2183	        AssertionValue ::= OCTET STRING

2185	        Attribute ::= SEQUENCE {
2186	                type    AttributeDescription,
2187	                vals    SET OF AttributeValue }

2189	        MatchingRuleId ::= LDAPString

2191	        LDAPResult ::= SEQUENCE {
2192	                resultCode      ENUMERATED {
2193	                             success                      (0),
2194	                             operationsError              (1),
2195	                             protocolError                (2),
2196	                             timeLimitExceeded            (3),
2197	                             sizeLimitExceeded            (4),
2198	                             compareFalse                 (5),
2199	                             compareTrue                  (6),
2200	                             authMethodNotSupported       (7),
2201	                             strongAuthRequired           (8),
2202	                                        -- 9 reserved --
2203	                             referral                     (10),  -- new
2204	                             adminLimitExceeded           (11),  -- new
2205	                             unavailableCriticalExtension (12),  -- new
2206	                             confidentialityRequired      (13),  -- new
2207	                             saslBindInProgress           (14),  -- new
2208	                             noSuchAttribute              (16),
2209	                             undefinedAttributeType       (17),
2210	                             inappropriateMatching        (18),
2211	                             constraintViolation          (19),
2212	                             attributeOrValueExists       (20),
2213	                             invalidAttributeSyntax       (21),
2214	                                        -- 22-31 unused --
2215	                             noSuchObject                 (32),
2216	                             aliasProblem                 (33),
2217	                             invalidDNSyntax              (34),
2218	                             -- 35 reserved for undefined isLeaf --
2219	                             aliasDereferencingProblem    (36),
2220	                                        -- 37-47 unused --
2221	                             inappropriateAuthentication  (48),
2222	                             invalidCredentials           (49),
2223	                             insufficientAccessRights     (50),
2224	                             busy                         (51),
2225	                             unavailable                  (52),
2226	                             unwillingToPerform           (53),
2227	                             loopDetect                   (54),
2228	                                        -- 55-63 unused --
2229	                             namingViolation              (64),
2230	                             objectClassViolation         (65),
2231	                             notAllowedOnNonLeaf          (66),
2232	                             notAllowedOnRDN              (67),
2233	                             entryAlreadyExists           (68),

2235	              Lightweight Directory Access Protocol Version 3

2237	                             objectClassModsProhibited    (69),
2238	                                        -- 70 reserved for CLDAP --
2239	                             affectsMultipleDSAs          (71), -- new
2240	                                        -- 72-79 unused --
2241	                             other                        (80) },
2242	                             -- 81-90 reserved for APIs --
2243	                matchedDN       LDAPDN,
2244	                errorMessage    LDAPString,
2245	                referral        [3] Referral OPTIONAL }

2247	        Referral ::= SEQUENCE OF LDAPURL

2249	        LDAPURL ::= LDAPString -- limited to characters permitted in
2250	                               -- URLs

2252	        Controls ::= SEQUENCE OF Control

2254	        Control ::= SEQUENCE {
2255	                controlType             LDAPOID,
2256	                criticality             BOOLEAN DEFAULT FALSE,
2257	                controlValue            OCTET STRING OPTIONAL }

2259	        BindRequest ::= [APPLICATION 0] SEQUENCE {
2260	                version                 INTEGER (1 .. 127),
2261	                name                    LDAPDN,
2262	                authentication          AuthenticationChoice }

2264	        AuthenticationChoice ::= CHOICE {
2265	                simple                  [0] OCTET STRING,
2266	                                         -- 1 and 2 reserved
2267	                sasl                    [3] SaslCredentials }

2269	        SaslCredentials ::= SEQUENCE {
2270	                mechanism               LDAPString,
2271	                credentials             OCTET STRING OPTIONAL }

2273	        BindResponse ::= [APPLICATION 1] SEQUENCE {
2274	             COMPONENTS OF LDAPResult,
2275	             serverSaslCreds    [7] OCTET STRING OPTIONAL }

2277	        UnbindRequest ::= [APPLICATION 2] NULL

2279	        SearchRequest ::= [APPLICATION 3] SEQUENCE {
2280	                baseObject      LDAPDN,
2281	                scope           ENUMERATED {
2282	                        baseObject              (0),
2283	                        singleLevel             (1),
2284	                        wholeSubtree            (2) },
2285	                derefAliases    ENUMERATED {
2286	                        neverDerefAliases       (0),
2287	                        derefInSearching        (1),
2288	                        derefFindingBaseObj     (2),
2289	                        derefAlways             (3) },
2290	                sizeLimit       INTEGER (0 .. maxInt),

2292	              Lightweight Directory Access Protocol Version 3

2294	                timeLimit       INTEGER (0 .. maxInt),
2295	                typesOnly       BOOLEAN,
2296	                filter          Filter,
2297	                attributes      AttributeDescriptionList }

2299	        Filter ::= CHOICE {
2300	                and             [0] SET OF Filter,
2301	                or              [1] SET OF Filter,
2302	                not             [2] Filter,
2303	                equalityMatch   [3] AttributeValueAssertion,
2304	                substrings      [4] SubstringFilter,
2305	                greaterOrEqual  [5] AttributeValueAssertion,
2306	                lessOrEqual     [6] AttributeValueAssertion,
2307	                present         [7] AttributeDescription,
2308	                approxMatch     [8] AttributeValueAssertion,
2309	                extensibleMatch [9] MatchingRuleAssertion }

2311	        SubstringFilter ::= SEQUENCE {
2312	                type            AttributeDescription,
2313	                -- at least one must be present
2314	                substrings      SEQUENCE OF CHOICE {
2315	                        initial [0] AssertionValue,
2316	                        any     [1] AssertionValue,
2317	                        final   [2] AssertionValue } }

2319	        MatchingRuleAssertion ::= SEQUENCE {
2320	                matchingRule    [1] MatchingRuleId OPTIONAL,
2321	                type            [2] AttributeDescription OPTIONAL,
2322	                matchValue      [3] AssertionValue,
2323	                dnAttributes    [4] BOOLEAN DEFAULT FALSE }

2325	        SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
2326	                objectName      LDAPDN,
2327	                attributes      PartialAttributeList }

2329	        PartialAttributeList ::= SEQUENCE OF SEQUENCE {
2330	                type    AttributeDescription,
2331	                vals    SET OF AttributeValue }

2333	        SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL

2335	        SearchResultDone ::= [APPLICATION 5] LDAPResult

2337	        ModifyRequest ::= [APPLICATION 6] SEQUENCE {
2338	                object          LDAPDN,
2339	                modification    SEQUENCE OF SEQUENCE {
2340	                        operation       ENUMERATED {
2341	                                                add     (0),
2342	                                                delete  (1),
2343	                                                replace (2) },
2344	                        modification    AttributeTypeAndValues } }

2346	        AttributeTypeAndValues ::= SEQUENCE {
2347	                type    AttributeDescription,

2349	              Lightweight Directory Access Protocol Version 3

2351	                vals    SET OF AttributeValue }

2353	        ModifyResponse ::= [APPLICATION 7] LDAPResult

2355	        AddRequest ::= [APPLICATION 8] SEQUENCE {
2356	                entry           LDAPDN,
2357	                attributes      AttributeList }

2359	        AttributeList ::= SEQUENCE OF SEQUENCE {
2360	                type    AttributeDescription,
2361	                vals    SET OF AttributeValue }

2363	        AddResponse ::= [APPLICATION 9] LDAPResult

2365	        DelRequest ::= [APPLICATION 10] LDAPDN

2367	        DelResponse ::= [APPLICATION 11] LDAPResult

2369	        ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
2370	                entry           LDAPDN,
2371	                newrdn          RelativeLDAPDN,
2372	                deleteoldrdn    BOOLEAN,
2373	                newSuperior     [0] LDAPDN OPTIONAL }

2375	        ModifyDNResponse ::= [APPLICATION 13] LDAPResult

2377	        CompareRequest ::= [APPLICATION 14] SEQUENCE {
2378	                entry           LDAPDN,
2379	                ava             AttributeValueAssertion }

2381	        CompareResponse ::= [APPLICATION 15] LDAPResult

2383	        AbandonRequest ::= [APPLICATION 16] MessageID

2385	        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
2386	                requestName      [0] LDAPOID,
2387	                requestValue     [1] OCTET STRING OPTIONAL }

2389	        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
2390	                COMPONENTS OF LDAPResult,
2391	                responseName     [10] LDAPOID OPTIONAL,
2392	                response         [11] OCTET STRING OPTIONAL }

2394	        END
2395	              Lightweight Directory Access Protocol Version 3

2397	Appendix B - Change History

2399	Changes made to RFC 2251:

2401	B.1 Editorial

2403	   - Bibliography References: Changed all bibliography references to
2404	     use a long name form for readability.
2405	   - Changed occurrences of "unsupportedCriticalExtension"
2406	     "unavailableCriticalExtension"
2407	   - Fixed a small number of misspellings (mostly dropped letters).

2409	B.2 Section 1

2411	   - Removed IESG note.

2413	B.3 Section 9

2415	   - Added references to RFCs 1823, 2234, 2829 and 2830.

2417	Changes made to draft-ietf-ldapbis-protocol-00.txt:

2419	B.4 Section 4.1.6

2421	   - In the first paragraph, clarified what the contents of an
2422	     AttributeValue are. There was confusion regarding whether or not
2423	     an AttributeValue that is BER encoded (due to the "binary" option)
2424	     is to be wrapped in an extra OCTET STRING.
2425	   - To the first paragraph, added wording that doesn't restrict other
2426	     transfer encoding specifiers from being used. The previous wording
2427	     only allowed for the string encoding and the ;binary encoding.
2428	   - To the first paragraph, added a statement restricting multiple
2429	     options that specify transfer encoding from being present. This
2430	     was never specified in the previous version and was seen as a
2431	     potential interoperability problem.
2432	   - Added a third paragraph stating that the ;binary option is
2433	     currently the only option defined that specifies the transfer
2434	     encoding. This is for completeness.

2436	B.5 Section 4.1.7

2438	   - Generalized the second paragraph to read "If an option specifying
2439	     the transfer encoding is present in attributeDesc, the
2440	     AssertionValue is encoded as specified by the option...".
2441	     Previously, only the ;binary option was mentioned.

2443	B.6 Sections 4.2, 4.9, 4.10

2445	   - Added alias dereferencing specifications. In the case of modDN,
2446	     followed precedent set on other update operations (... alias is
2447	     not dereferenced...) In the case of bind and compare stated that
2448	     servers SHOULD NOT dereference aliases. Specifications were added
2449	     because they were missing from the previous version and caused
2450	              Lightweight Directory Access Protocol Version 3

2452	     interoperability problems. Concessions were made for bind and
2453	     compare (neither should have ever allowed alias dereferencing) by
2454	     using SHOULD NOT language, due to the behavior of some existing
2455	     implementations.

2457	B.7 Sections 4.5 and Appendix A

2459	   - Changed SubstringFilter.substrings.initial, any, and all from
2460	     LDAPString to AssertionValue. This was causing an incompatibility
2461	     with X.500 and confusion among other TS RFCs.

2463	Appendix C - Outstanding Work Items

2465	C.1 Integrate result codes draft.

2467	   The result codes draft should be reconciled with this draft.
2468	   Operation-specific instructions will reside with operations while the
2469	   error-specific sections will be added as an appendix.

2471	C.2 Section 3.1

2473	   - Add "This also increases the complexity of clients in this
2474	     version." to fourth paragraph.

2476	C.3 Section 4

2478	   - Remove "typically" from "and is typically transferred" in the
2479	     first paragraph.
2480	   - Change "MUST ignore elements of SEQUENCE encodings whose tags they
2481	     do not recognize" to "MUST ignore tagged elements of SEQUENCE
2482	     encodings that they do not recognize" in the first paragraph.
2483	   - Add "See Section 5.1 for information on mapping the LDAP protocol
2484	     to BER." to the first paragraph.
2485	   - Change "version 3 " to "version 3 or later" in the second
2486	     paragraph.
2487	   - Change "protocol version" to "protocol versions" in the third
2488	     paragraph.
2489	   - Change "version 2 may not provide this attribute." to "version 2
2490	     MAY NOT provide this attribute, or a root DSE." in the third
2491	     paragraph.

2493	C.4 Section 4.1.1

2495	   - Change "the client may discard the PDU, or may abruptly close the
2496	     connection." to "the client MAY discard the PDU, or MAY abruptly
2497	     close the connection." in the fourth paragraph.

2499	C.5 Section 4.1.1.1

2501	   - Add "If an unsolicited notification as described in section 4.4 is
2502	     sent from a server, the messageID value MUST be zero." to first
2503	     paragraph.
2504	   - Change "MUST have a value different" to "MUST have a non-zero
2505	     value different" in the second paragraph.

2507	              Lightweight Directory Access Protocol Version 3

2509	   - Remove "or of the abandoned operation until it has received a
2510	     response from the server for another request invoked subsequent to
2511	     the abandonRequest," from the fourth paragraph as this imposes
2512	     synchronous behavior on the server.

2514	C.6 Section 4.1.2

2516	   - Add ABNF for the textual representation of LDAPOID.

2518	C.7 Section 4.1.4

2520	   - Change "This identifier may be written as decimal digits with
2521	     components separated by periods, e.g. "2.5.4.10"" to "may be
2522	     written as defined by ldapOID in section 4.1.2" in the second
2523	     paragraph.
2524	   - Add "Note that due to the restriction above, and due to this
2525	     allowance, servers MUST ensure that, within a controlling
2526	     subschema, no two attributes be named the same." to the fifth
2527	     paragraph.
2528	   - Resolve issue on list with the subject "Attribute Type character
2529	     set".

2531	C.8 Section 4.1.5

2533	   - Change "A server may treat" to "A server MUST treat" in the second
2534	     to last paragraph.
2535	   - Change "A server MUST treat an AttributeDescription with any
2536	     options it does not implement as an unrecognized attribute type."
2537	     to "A server MUST treat an AttributeDescription with any options
2538	     it does not implement or support as an unrecognized attribute
2539	     type." in the second to last paragraph.
2540	   - Clarify the statement "An AttributeDescription with one or more
2541	     options is treated as a subtype of the attribute type without any
2542	     options". There is an unresolved thread titles "RFC 2596
2543	     questions" on the ietf-ldapext list regarding this.

2545	C.9 Section 4.1.5.1

2547	   - Add "Servers SHOULD only return attributes with printable string
2548	     representations as binary when clients request binary transfer."
2549	     to the second paragraph.
2550	   - Clarify whether the "binary" attribute type option is to be
2551	     treated as a subtype.

2553	C.11 Section 4.1.7

2555	   - Change "For all the string-valued user attributes described in
2556	     [5], the assertion value syntax is the same as the value syntax."
2557	     to "The assertion value syntax for all attributes using human-
2558	     readable syntaxes as described in [RFC2252] is the same as the
2559	     value syntax unless otherwise noted (an example being
2560	     objectIdentifierFirstComponentMatch)." in the third paragraph.

2562	              Lightweight Directory Access Protocol Version 3

2564	   - Add a fourth paragraph: "Servers SHOULD NOT generate codes 81-90
2565	     as these are reserved for use by historical APIs [RFC 1823].
2566	     Later API specifications SHOULD avoid using the resultCode
2567	     enumeration to represent anything other than a protocol result
2568	     indication."

2570	C.12 Section 4.1.8

2572	   - Change "when transferred in protocol" to "when transferred from
2573	     the server to the client" in the first paragraph.

2575	C.13 Section 4.1.11

2577	   - Resolve the intent of "All the URLs MUST be equally capable of
2578	     being used to progress the operation" This is being discussed as
2579	     "Following referrals" on the list.
2580	   - Change "The referral error" to "The referral result code" in the
2581	     first paragraph.
2582	   - Change "It contains a reference to another server (or set of
2583	     servers)" to "It contains one or more references to one or more
2584	     servers or services" in the first paragraph.
2585	   - Add "after locating the target entry" to the first paragraph.

2587	C.14 Section 4.1.12

2589	   - Change "The server MUST be prepared" to "The client and server
2590	     MUST be prepared" in the eighth paragraph
2591	   - Clarify whether or not a client should ignore the criticality
2592	     field.
2593	   - Specify how unbind and abandon are to handle an unknown or
2594	     inappropriate critical control.
2595	   - Specify whether or not servers are to advertise the OIDs of known
2596	     response controls.

2598	C.15 Section 4.2

2600	   - Resolve anonymous vs. unauthenticated connections. See "anonymous
2601	     binds" on list.
2602	   -Change "LDAPDN" to "identity" in the definition of the name field.
2603	   -Rework definition of the name field to enumerate empty password and
2604	    name combinations. <Needs more work following discussion on list>

2606	C.16 Section 4.2.1

2608	   - Change "unauthenticated" to "anonymous" in the fourth paragraph.
2609	   - Resolve the meaning of "no authentication" in first paragraph. See
2610	     "Clarification of "authentication"" on list.
2611	   - Needs to be fixed after resolving issue in C.8

2613	C.17 Section 4.2.2

2615	   - Change "Typically the DN is also of zero length." to "The name
2616	     field SHOULD also be zero length and, if provided, MUST be ignored
2617	              Lightweight Directory Access Protocol Version 3

2619	     by the server." in the second paragraph. <This needs further
2620	     resolution on the list.>
2621	   - Add "(anonymous bind)" to second paragraph. <Needs to be
2622	     reconciled with work done to 4.2>
2623	   - Add "as the authentication identity" to second paragraph.

2625	C.18 Section 4.2.3

2627	   - Change "If the bind was successful, the resultCode will be
2628	     success, otherwise it will be one of" to "If the bind was
2629	     successful, the resultCode will be success, otherwise it MAY be
2630	     one of" in the third paragraph. <May need further refinement when
2631	     reconciled with resultCode draft>.
2632	   - Change "operationsError" to "other" as a result code.
2633	   - Change "If the client bound with the password choice" to "If the
2634	     client bound with the simple choice" in the last paragraph.

2636	C.19 Section 4.3

2638	   - Change "a protocol client may assume that the protocol session is
2639	     terminated and MAY close the connection." to "a protocol client
2640	     MUST assume that the protocol session is terminated and MAY close
2641	     the connection." in the second paragraph.
2642	   - Change "a protocol server may assume" to "a protocol server MUST
2643	     assume" in the second paragraph.
2644	   - Change "and may close the connection" to "and MUST close the
2645	     connection" in the second paragraph.

2647	C.20 Section 4.4

2649	   - Change "One unsolicited notification is defined" to "One
2650	     unsolicited notification (Notice of Disconnection) is defined" in
2651	     the third paragraph.
2652	   - Add "other than Notice of Disconnection" in the third paragraph.
2653	   - Add "Servers SHOULD NOT assume LDAPv3 clients understand or
2654	     recognize unsolicited notifications or unsolicited controls other
2655	     than Notice of Disconnection defined below.  Servers SHOULD avoid
2656	     sending unsolicited notifications unless they know (by related
2657	     request or other means) that the client can make use of the
2658	     notification." as a fourth paragraph.

2660	C.21 Section 4.5.1

2662	   - Make sure the use of "subordinates" in the derefInSearching
2663	     definition is correct. See "derefInSearching" on list.
2664	   - Change "checking for the existence of the objectClass attribute"
2665	     to "checking for the presence of the objectClass attribute" in the
2666	     last paragraph.

2668	C.22 Section 4.5.2

2670	   - Change "Following all the SearchResultReference responses and all
2671	     SearchResultEntry responses to be returned by the server" to
2672	     "Following all the SearchResultReference responses,
2673	              Lightweight Directory Access Protocol Version 3

2675	     SearchResultEntry responses, and ExtendedResponses to be returned
2676	     by the server" in the third paragraph.
2677	   - Add "associated with a search operation" to the sixth paragraph.
2678	   - Same problem as in C.5.

2680	C.23 Section 4.5.3

2682	   - Add "Similarly, a server MUST NOT return a SearchResultReference
2683	     when the scope of the search is baseObject. If a client receives
2684	     such a SearchResultReference it MUST interpret is as a protocol
2685	     error and MUST NOT follow it." to the first paragraph.
2686	   - Add "If the scope part of the LDAP URL is present, the client MUST
2687	     use the new scope in its next request to progress the search. If
2688	     the scope part is absent the client MUST use subtree scope to
2689	     complete subtree searches and base scope to complete one level
2690	     searches." to the third paragraph.
2691	   - Remove "different" from "outstanding search operations to
2692	     different servers," in the fifth paragraph as they may be to the
2693	     same server.

2695	C.24 Section 4.5.3.1

2697	   - Change examples to use dc naming.

2699	C.25 Section 4.6

2701	   - Resolve the meaning of "and is ignored if the attribute does not
2702	     exist". See "modify: "non-existent attribute"" on the list.
2703	   - Change "clients MUST NOT attempt to delete" to "clients MUST NOT
2704	     attempt to add or delete" in the second to last paragraph.
2705	   - Change "using the "delete" form" to "using the "add" or "delete"
2706	     form" in the second to last paragraph.

2708	C.26 Section 4.7

2710	   - Change "Clients MUST NOT supply the createTimestamp or
2711	     creatorsName attributes, since these will be generated
2712	     automatically by the server." to "Clients MUST NOT supply NO-USER-
2713	     MODIFICATION attributes such as createTimestamp or creatorsName
2714	     attributes, since these are provided by the server." in the
2715	     definition of the attributes field.
2716	   - Change examples to use dc naming.
2717	   - Clarify the paragraph that talks about structure rules. See
2718	     "discussing structure rules" on the list.

2720	C.27 Section 4.10

2722	   - Specify what happens when the attr is missing vs. attr isn't in
2723	     schema. Also what happens if there's no equality matching rule.

2725	C.28 Section 4.11

2727	   - Change "has been" to "will be" in the fourth paragraph.

2729	              Lightweight Directory Access Protocol Version 3

2731	   - Change "(since these may have been in transit when the abandon was
2732	     requested)." to "(since these may either have been in transit when
2733	     the abandon was requested, or are not able to be abandoned)." in
2734	     the fifth paragraph.
2735	   - Add "Abandon and Unbind operations are not able to be abandoned.
2736	     Other operations, in particular update operations, or operations
2737	     that have been chained, may not be abandonable (or immediately
2738	     abandonable)." as the sixth paragraph.

2740	C.29 Section 4.12

2742	   - Change "digitally signed operations and results" to "for instance
2743	     StartTLS [RFC2830]"

2745	C.30 Section 5.1

2747	   - Add "control and extended operation values" to last paragraph. See
2748	     "LBER (BER Restrictions)" on list.

2750	C.31 Section 5.2.1

2752	   - Add "using the BER-based described in section 5.1".

2754	C.32 Section 6.1

2756	   - Add "that are used by those attributes" to the first paragraph.
2757	   - Add "Servers which support update operations MUST, and other
2758	     servers SHOULD, support strong authentication mechanisms described
2759	     in [RFC2829]." as a second paragraph.
2760	   - Add "Servers which provide access to sensitive information MUST,
2761	     and other servers SHOULD support privacy protections such as those
2762	     described in [RFC2829] and [RFC2830]." as a third paragraph.

2764	C.33 Section 7

2766	   - Add "Servers which support update operations MUST, and other
2767	     servers SHOULD, support strong authentication mechanisms described
2768	     in [RFC2829]." as a fourth paragraph.
2769	   - Add "In order to automatically follow referrals, clients may need
2770	     to hold authentication secrets. This poses significant privacy and
2771	     security concerns and SHOULD be avoided." as a sixth paragraph.
2772	   - Add "This document provides a mechanism which clients may use to
2773	     discover operational attributes. Those relying on security by
2774	     obscurity should implement appropriate access controls to
2775	     restricts access to operational attributes per local policy." as
2776	     an eighth paragraph.

2778	              Lightweight Directory Access Protocol Version 3

2780	   Full Copyright Statement

2782	   Copyright (C) The Internet Society (2000). All Rights Reserved.

2784	   This document and translations of it may be copied and furnished to
2785	   others, and derivative works that comment on or otherwise explain it
2786	   or assist in its implementation may be prepared, copied, published
2787	   and distributed, in whole or in part, without restriction of any
2788	   kind, provided that the above copyright notice and this paragraph are
2789	   included on all such copies and derivative works. However, this
2790	   document itself may not be modified in any way, such as by removing
2791	   the copyright notice or references to the Internet Society or other
2792	   Internet organizations, except as needed for the purpose of
2793	   developing Internet standards in which case the procedures for
2794	   copyrights defined in the Internet Standards process must be
2795	   followed, or as required to translate it into languages other than
2796	   English.

2798	   The limited permissions granted above are perpetual and will not be
2799	   revoked by the Internet Society or its successors or assigns.

2801	   This document and the information contained herein is provided on an
2802	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
2803	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
2804	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
2805	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
2806	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.