File: rfc1487.txt

package info (click to toggle)
doc-rfc 20181229-2
  • links: PTS, VCS
  • area: non-free
  • in suites: buster
  • size: 570,944 kB
  • sloc: xml: 285,646; sh: 107; python: 90; perl: 42; makefile: 14
file content (1179 lines) | stat: -rw-r--r-- 44,950 bytes parent folder | download | duplicates (8)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179






Network Working Group                                           W. Yeong
Request for Comments: 1487             Performance Systems International
                                                                T. Howes
                                                  University of Michigan
                                                                S. Kille
                                                        ISODE Consortium
                                                               July 1993


              X.500 Lightweight Directory Access Protocol

Status of this Memo

   This RFC specifies an IAB standards track protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "IAB Official Protocol
   Standards" for the standardization state and status of this protocol.
   Distribution of this memo is unlimited.

Abstract

   The protocol described in this document is designed to provide access
   to the Directory while not incurring the resource requirements of the
   Directory Access Protocol (DAP). This protocol is specifically
   targeted at simple management applications and browser applications
   that provide simple read/write interactive access to the Directory,
   and is intended to be a complement to the DAP itself.

   Key aspects of LDAP are:

   - Protocol elements are carried directly over TCP or other transport,
     bypassing much of the session/presentation overhead.

   - Many protocol data elements are encoding as ordinary strings (e.g.,
     Distinguished Names).

   - A lightweight BER encoding is used to encode all protocol elements.

1.  History

   The tremendous interest in X.500 [1,2] technology in the Internet has
   lead to efforts to reduce the high "cost of entry" associated with
   use of the technology, such as the Directory Assistance Service [3]
   and DIXIE [4]. While efforts such as these have met with success,
   they have been solutions based on particular implementations and as
   such have limited applicability.  This document continues the efforts
   to define Directory protocol alternatives but departs from previous
   efforts in that it consciously avoids dependence on particular



Yeong, Howes & Kille                                            [Page 1]

RFC 1487                       X.500 LDAP                      July 1993


   implementations.

2.  Protocol Model

   The general model adopted by this protocol is one of clients
   performing protocol operations against servers. In this model, this
   is accomplished by a client transmitting a protocol request
   describing the operation to be performed to a server, which is then
   responsible for performing the necessary operations on the Directory.
   Upon completion of the necessary operations, the server returns a
   response containing any results or errors to the requesting client.
   In keeping with the goal of easing the costs associated with use of
   the Directory, it is an objective of this protocol to minimize the
   complexity of clients so as to facilitate widespread deployment of
   applications capable of utilizing the Directory.

   Note that, although servers are required to return responses whenever
   such responses are defined in the protocol, there is no requirement
   for synchronous behavior on the part of either client or server
   implementations: requests and responses for multiple operations may
   be exchanged by client and servers in any order, as long as clients
   eventually receive a response for every request that requires one.

   Consistent with the model of servers performing protocol operations
   on behalf of clients, it is also to be noted that protocol servers
   are expected to handle referrals without resorting to the return of
   such referrals to the client. This protocol makes no provisions for
   the return of referrals to clients, as the model is one of servers
   ensuring the performance of all necessary operations in the
   Directory, with only final results or errors being returned by
   servers to clients.

   Note that this protocol can be mapped to a strict subset of the
   directory abstract service, so it can be cleanly provided by the DAP.

3.  Mapping Onto Transport Services

   This protocol is designed to run over connection-oriented, reliable
   transports, with all 8 bits in an octet being significant in the data
   stream.  Specifications for two underlying services are defined here,
   though others are also possible.

3.1.  Transmission Control Protocol (TCP)

   The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
   Server implementations running over the TCP should provide a protocol
   listener on port 389.




Yeong, Howes & Kille                                            [Page 2]

RFC 1487                       X.500 LDAP                      July 1993


3.2.  Connection Oriented Transport Service (COTS)

   The connection is established.  No special special use of T-Connect
   is made.  Each LDAPMessage PDU is mapped directly onto T-Data.

4.  Elements of Protocol

   For the purposes of protocol exchanges, all protocol operations are
   encapsulated in a common envelope, the LDAPMessage, which is defined
   as follows:

     LDAPMessage ::=
         SEQUENCE {
              messageID      MessageID,
              protocolOp     CHOICE {
                                  bindRequest         BindRequest,
                                  bindResponse        BindResponse,
                                  unbindRequest       UnbindRequest
                                  searchRequest       SearchRequest,
                                  searchResponse      SearchResponse,
                                  modifyRequest       ModifyRequest,
                                  modifyResponse      ModifyResponse,
                                  addRequest          AddRequest,
                                  addResponse         AddResponse,
                                  delRequest          DelRequest,
                                  delResponse         DelResponse,
                                  modifyRDNRequest    ModifyRDNRequest,
                                  modifyRDNResponse   ModifyRDNResponse,
                                  compareDNRequest    CompareRequest,
                                  compareDNResponse   CompareResponse,
                                  abandonRequest      AbandonRequest
                             }
         }

     MessageID ::= INTEGER (0 .. MaxInt)

   The function of the LDAPMessage is to provide an envelope containing
   common fields required in all protocol exchanges. At this time the
   only common field is a message ID, which is required to have a value
   different from the values of any other requests outstanding in the
   LDAP session of which this message is a part.

   The message ID value must be echoed in all LDAPMessage envelopes
   encapsulting responses corresponding to the request contained in the
   LDAPMessage in which the message ID value was originally used.

   In addition to the LDAPMessage defined above, the following
   definitions are also used in defining protocol operations:



Yeong, Howes & Kille                                            [Page 3]

RFC 1487                       X.500 LDAP                      July 1993


     IA5String ::= OCTET STRING

   The IA5String is a notational convenience to indicate that, although
   strings of IA5String type encode as OCTET STRING types, the legal
   character set in such strings is limited to the IA5 character set.

     LDAPDN ::= IA5String

     RelativeLDAPDN ::= IA5String

   An LDAPDN and a RelativeLDAPDN are respectively defined to be the
   representation of a Distinguished Name and a Relative Distinguished
   Name after encoding according to the specification in [5], such that

     <distinguished-name> ::= <name>

     <relative-distinguished-name> ::= <name-component>

   where <name> and <name-component> are as defined in [5].

     AttributeValueAssertion ::=
         SEQUENCE {
              attributeType       AttributeType
              attributeValue      AttributeValue
         }

   The AttributeValueAssertion type definition  is similar to the one in
   the Directory standards.

     AttributeType ::= IA5String

     AttributeValue ::= OCTET STRING

   An AttributeType value takes on as its value the textual string
   associated with that AttributeType in the Directory standards. For
   example, the AttributeType 'organizationName' with object identifier
   2.5.4.10 is represented as an AttributeType in this protocol by the
   string "organizationName".  In the event that a protocol
   implementation encounters an Attribute Type with which it cannot
   associate a textual string, an ASCII string encoding of the object
   identifier associated with the Attribute Type may be subsitituted.
   For example, the organizationName AttributeType may be represented by
   the ASCII string "2.5.4.10" if a protocol implementation is unable to
   associate the string "organizationName" with it.

   A field of type AttributeValue takes on as its value an octet string
   encoding of a Directory AttributeValue type. The definition of these
   string encodings for different Directory AttributeValue types may be



Yeong, Howes & Kille                                            [Page 4]

RFC 1487                       X.500 LDAP                      July 1993


   found in companions to this document that define the encodings of
   various attribute syntaxes such as [6].

     LDAPResult ::=
         SEQUENCE {
             resultCode    ENUMERATED {
                             success                      (0),
                             operationsError              (1),
                             protocolError                (2),
                             timeLimitExceeded            (3),
                             sizeLimitExceeded            (4),
                             compareFalse                 (5),
                             compareTrue                  (6),
                             authMethodNotSupported       (7),
                             strongAuthRequired           (8),
                             noSuchAttribute              (16),
                             undefinedAttributeType       (17),
                             inappropriateMatching        (18),
                             constraintViolation          (19),
                             attributeOrValueExists       (20),
                             invalidAttributeSyntax       (21),
                             noSuchObject                 (32),
                             aliasProblem                 (33),
                             invalidDNSyntax              (34),
                             isLeaf                       (35),
                             aliasDereferencingProblem    (36),
                             inappropriateAuthentication  (48),
                             invalidCredentials           (49),
                             insufficientAccessRights     (50),
                             busy                         (51),
                             unavailable                  (52),
                             unwillingToPerform           (53),
                             loopDetect                   (54),
                             namingViolation              (64),
                             objectClassViolation         (65),
                             notAllowedOnNonLeaf          (66),
                             notAllowedOnRDN              (67),
                             entryAlreadyExists           (68),
                             objectClassModsProhibited    (69),
                             other                        (80)
                           },
             matchedDN     LDAPDN,
             errorMessage  IA5String
         }

   The LDAPResult is the construct used in this protocol to return
   success or failure indications from servers to clients. In response
   to various requests, servers will return responses containing fields



Yeong, Howes & Kille                                            [Page 5]

RFC 1487                       X.500 LDAP                      July 1993


   of type LDAPResult to indicate the final status of a protocol
   operation request.  The errorMessage field of this construct may, at
   the servers option, be used to return an ASCII string containing a
   textual, human-readable error diagnostic. As this error diagnostic is
   not standardized, implementations should not rely on the values
   returned.  If the server chooses not to return a textual diagnostic,
   the errorMessage field of the LDAPResult type should contain a zero
   length string.

   For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax,
   isLeaf, and aliasDereferencingProblem, the matchedDN field is set to
   the name of the lowest entry (object or alias) in the DIT that was
   matched and is a truncated form of the name provided or, if an alias
   has been dereferenced, of the resulting name.  The matchedDN field
   should be set to NULL DN (a zero length string) in all other cases.

4.1.  Bind Operation

   The function of the Bind Operation is to initiate a protocol session
   between a client and a server, and to allow the authentication of the
   client to the server. The Bind Operation must be the first operation
   request received by a server from a client in a protocol session.
   The Bind Request is defined as follows:

     BindRequest ::=
         [APPLICATION 0] SEQUENCE {
                             version   INTEGER (1 .. 127),
                             name      LDAPDN,
                             authentication CHOICE {
                                  simple        [0] OCTET STRING,
                                  krbv42LDAP    [1] OCTET STRING,
                                  krbv42DSA     [2] OCTET STRING
                             }
         }

   Parameters of the Bind Request are:

   - version: A version number indicating the version of the protocol to
     be used in this protocol session.  This document describes version
     2 of the LDAP protocol.  Note that there is no version negotiation,
     and the client should just set this parameter to the version it
     desires.

   - name: The name of the Directory object that the client wishes to
     bind as.  This field may take on a null value (a zero length
     string) for the purposes of anonymous binds.

   - authentication: information used to authenticate the name, if any,



Yeong, Howes & Kille                                            [Page 6]

RFC 1487                       X.500 LDAP                      July 1993


     provided in the Bind Request. The "simple" authentication option
     provides minimal authentication facilities, with the contents of
     the authentication field consisting only of a cleartext password.
     This option should also be used when unauthenticated or anonymous
     binds are to be performed, with the field containing a zero length
     string in such cases. Kerberos version 4 [7] authentication to the
     LDAP server and the DSA is accomplished by using the "krbv42LDAP"
     and "krbv42DSA" authentication options, respectively.  Note that
     though they are referred to as separate entities here, there is no
     requirement these two entities be distinct (i.e., a DSA could speak
     LDAP directly).  Two separate authentication options are provided
     to support all implementations.  Each octet string should contain
     the kerberos ticket (e.g., as returned by krb_mk_req()) for the
     appropriate service.  The suggested service name for authentication
     to the LDAP server is "ldapserver".  The suggested service name for
     authentication to the DSA is "x500dsa".  In both cases, the
     suggested instance name for the service is the name of the host
     on which the service is running.  Of course, the actual service
     names and instances will depend on what is entered in the local
     kerberos principle database.

   The Bind Operation requires a response, the Bind Response, which is
   defined as:

     BindResponse ::= [APPLICATION 1] LDAPResult

   A Bind Response consists simply of an indication from the server of
   the status of the client's request for the initiation of a protocol
   session.

   Upon receipt of a Bind Request, a protocol server will authenticate
   the requesting client if necessary, and attempt to set up a protocol
   session with that client. The server will then return a Bind Response
   to the client indicating the status of the session setup request.

4.2.  Unbind Operation

   The function of the Unbind Operation is to terminate a protocol
   session.  The Unbind Operation is defined as follows:

     UnbindRequest ::= [APPLICATION 2] NULL

   The Unbind Operation has no response defined. Upon transmission of an
   UnbindRequest, a protocol client may assume that the protocol session
   is terminated. Upon receipt of an UnbindRequest, a protocol server
   may assume that the requesting client has terminated the session and
   that all outstanding requests may be discarded.




Yeong, Howes & Kille                                            [Page 7]

RFC 1487                       X.500 LDAP                      July 1993


4.3.  Search Operation

   The Search Operation allows a client to request that a search be
   performed on its behalf by a server. The Search Request is defined as
   follows:

     SearchRequest ::=
         [APPLICATION 3] SEQUENCE {
             baseObject    LDAPDN,
             scope         ENUMERATED {
                                baseObject            (0),
                                singleLevel           (1),
                                wholeSubtree          (2)
                           },
             derefAliases  ENUMERATED {
                                        neverDerefAliases     (0),
                                        derefInSearching      (1),
                                        derefFindingBaseObj   (2),
                                        derefAlways           (3)
                                   },
             sizeLimit     INTEGER (0 .. MaxInt),
             timeLimit     INTEGER (0 .. MaxInt),
             attrsOnly     BOOLEAN,
             filter        Filter,
             attributes    SEQUENCE OF AttributeType
     }

     Filter ::=
         CHOICE {
             and                [0] SET OF Filter,
             or                 [1] SET OF Filter,
             not                [2] Filter,
             equalityMatch      [3] AttributeValueAssertion,
             substrings         [4] SubstringFilter,
             greaterOrEqual     [5] AttributeValueAssertion,
             lessOrEqual        [6] AttributeValueAssertion,
             present            [7] AttributeType,
             approxMatch        [8] AttributeValueAssertion
         }

     SubstringFilter
         SEQUENCE {
             type               AttributeType,
             SEQUENCE OF CHOICE {
                 initial        [0] IA5String,
                 any            [1] IA5String,
                 final          [2] IA5String
             }



Yeong, Howes & Kille                                            [Page 8]

RFC 1487                       X.500 LDAP                      July 1993


         }

   Parameters of the Search Request are:

   - baseObject: An LDAPDN that is the base object entry relative to
     which the search is to be performed.

   - scope: An indicator of the scope of the search to be performed. The
     semantics of the possible values of this field are identical to the
     semantics of the scope field in the Directory Search Operation.

   - derefAliases: An indicator as to how alias objects should be handled
     in searching.  The semantics of the possible values of this
     field are, in order of increasing value:

             neverDerefAliases: do not dereference aliases in searching
             or in locating the base object of the search;

             derefInSearching: dereference aliases in subordinates of
             the base object in searching, but not in locating the
             base object of the search;

             derefFindingBaseObject: dereference aliases in locating
             the base object of the search, but not when searching
             subordinates of the base object;

             derefAlways: dereference aliases both in searching and in
             locating the base object of the search.

   - sizelimit: A sizelimit that restricts the maximum number of entries
     to be returned as a result of the search. A value of 0 in this
     field indicates that no sizelimit restrictions are in effect for
     the search.

   - timelimit: A timelimit that restricts the maximum time (in seconds)
     allowed for a search. A value of 0 in this field indicates that no
     timelimit restrictions are in effect for the search.

   - attrsOnly: An indicator as to whether search results should contain
     both attribute types and values, or just attribute types.  Setting
     this field to TRUE causes only attribute types (no values) to be
     returned.  Setting this field to FALSE causes both attribute types
     and values to be returned.

   - filter: A filter that defines the conditions that must be fulfilled
     in order for the search to match a given entry.

   - attributes: A list of the attributes from each entry found as a



Yeong, Howes & Kille                                            [Page 9]

RFC 1487                       X.500 LDAP                      July 1993


     result of the search to be returned. An empty list signifies that
     all attributes from each entry found in the search are to be
     returned.

   The results of the search attempted by the server upon receipt of a
   Search Request are returned in Search Responses, defined as follows:

 Search Response ::=
     CHOICE {
          entry          [APPLICATION 4] SEQUENCE {
                              objectName     LDAPDN,
                              attributes     SEQUENCE OF SEQUENCE {
                                                  AttributeType,
                                                  SET OF AttributeValue
                                             }
                         },
          resultCode     [APPLICATION 5] LDAPResult
      }

   Upon receipt of a Search Request, a server will perform the necessary
   search of the DIT.

   The server will return to the client a sequence of responses
   comprised of:

   - Zero or more Search Responses each consisting of an entry found
     during the search; with the response sequence terminated by

   - A single Search Response containing an indication of success, or
     detailing any errors that have occurred.

   Each entry returned will contain all attributes, complete with
   associated values if necessary, as specified in the 'attributes'
   field of the Search Request.

   Note that an X.500 "list" operation can be emulated by a one-level
   LDAP search operation with a filter checking for the existence of the
   objectClass attribute, and that an X.500 "read" operation can be
   emulated by a base object LDAP search operation with the same filter.

4.4.  Modify Operation

   The Modify Operation allows a client to request that a modification
   of the DIB be performed on its behalf by a server.  The Modify
   Request is defined as follows:






Yeong, Howes & Kille                                           [Page 10]

RFC 1487                       X.500 LDAP                      July 1993


 ModifyRequest ::=
     [APPLICATION 6] SEQUENCE {
          object         LDAPDN,
          modification   SEQUENCE OF SEQUENCE {
                              operation      ENUMERATED {
                                                  add       (0),
                                                  delete    (1),
                                                  replace   (2)
                                             },
                              modification   SEQUENCE {
                                                type    AttributeType,
                                                values  SET OF
                                                          AttributeValue
                                             }
                         }
     }

   Parameters of the Modify Request are:

   - object: The object to be modified. The value of this field should
     name the object to be modified after all aliases have been
     dereferenced. The server will not perform any alias dereferencing in
     determining the object to be modified.

   - A list of modifications to be performed on the entry to be modified.
     The entire list of entry modifications should be performed
     in the order they are listed, as a single atomic operation.  While
     individual modifications may violate the Directory schema, the
     resulting entry after the entire list of modifications is performed
     must conform to the requirements of the Directory schema. The
     values that may be taken on by the 'operation' field in each
     modification construct have the following semantics respectively:

             add: add values listed to the given attribute, creating
             the attribute if necessary;

             delete: delete values listed from the given attribute,
             removing the entire attribute if no values are listed, or
             if all current values of the attribute are listed for
             deletion;

             replace: replace existing values of the given attribute
             with the new values listed, creating the attribute if
             necessary.

   The result of the modify attempted by the server upon receipt of a
   Modify Request is returned in a Modify Response, defined as follows:




Yeong, Howes & Kille                                           [Page 11]

RFC 1487                       X.500 LDAP                      July 1993


     ModifyResponse ::= [APPLICATION 7] LDAPResult

   Upon receipt of a Modify Request, a server will perform the necessary
   modifications to the DIB.

   The server will return to the client a single Modify Response
   indicating either the successful completion of the DIB modification,
   or the reason that the modification failed. Note that due to the
   requirement for atomicity in applying the list of modifications in
   the Modify Request, the client may expect that no modifications of
   the DIB have been performed if the Modify Response received indicates
   any sort of error, and that all requested modifications have been
   performed if the Modify Response indicates successful completion of
   the Modify Operation.

4.5.  Add Operation

   The Add Operation allows a client to request the addition of an entry
   into the Directory. The Add Request is defined as follows:

     AddRequest ::=
         [APPLICATION 8] SEQUENCE {
              entry          LDAPDN,
              attrs          SEQUENCE OF SEQUENCE {
                                  type          AttributeType,
                                  values        SET OF AttributeValue
                             }
         }

   Parameters of the Add Request are:

   - entry: the Distinguished Name of the entry to be added. Note that
     all components of the name except for the last RDN component must
     exist for the add to succeed.

   - attrs: the list of attributes that make up the content of the entry
     being added.

   The result of the add attempted by the server upon receipt of a Add
   Request is returned in the Add Response, defined as follows:

     AddResponse ::= [APPLICATION 9] LDAPResult

   Upon receipt of an Add Request, a server will attempt to perform the
   add requested. The result of the add attempt will be returned to the
   client in the Add Response.





Yeong, Howes & Kille                                           [Page 12]

RFC 1487                       X.500 LDAP                      July 1993


4.6.  Delete Operation

   The Delete Operation allows a client to request the removal of an
   entry from the Directory. The Delete Request is defined as follows:

     DelRequest ::= [APPLICATION 10] LDAPDN

   The Delete Request consists only of the Distinguished Name of the
   entry to be deleted.  The result of the delete attempted by the
   server upon receipt of a Delete Request is returned in the Delete
   Response, defined as follows:

     DelResponse ::= [APPLICATION 11] LDAPResult

   Upon receipt of a Delete Request, a server will attempt to perform
   the entry removal requested. The result of the delete attempt will be
   returned to the client in the Delete Response. Note that only leaf
   objects may be deleted with this operation.

4.7.  Modify RDN Operation

   The Modify RDN Operation allows a client to change the last component
   of the name of an entry in the Directory. The Modify RDN Request is
   defined as follows:

     ModifyRDNRequest ::=
         [APPLICATION 12] SEQUENCE {
              entry          LDAPDN,
              newrdn         RelativeLDAPDN
         }

   Parameters of the Modify RDN Request are:

   - entry: the name of the entry to be changed.

   - newrdn: the RDN that will form the last component of the new name.

   The result of the name change attempted by the server upon receipt of
   a Modify RDN Request is returned in the Modify RDN Response, defined
   as follows:

     ModifyRDNResponse ::= [APPLICATION 13] LDAPResult

   Upon receipt of a Modify RDN Request, a server will attempt to
   perform the name change. The result of the name change attempt will
   be returned to the client in the Modify RDN Response. The attributes
   that make up the old RDN are deleted from the entry.




Yeong, Howes & Kille                                           [Page 13]

RFC 1487                       X.500 LDAP                      July 1993


4.8.  Compare Operation

   The Compare Operation allows a client to compare an assertion
   provided with an entry in the Directory. The Compare Request is
   defined as follows:

     CompareRequest ::=
         [APPLICATION 14] SEQUENCE {
              entry          LDAPDN,
              ava            AttributeValueAssertion
         }

   Parameters of the Compare Request are:

   - entry: the name of the entry to be compared with.

   - ava: the assertion with which the entry is to be compared.

   The result of the compare attempted by the server upon receipt of a
   Compare Request is returned in the Compare Response, defined as
   follows:

     CompareResponse ::= [APPLICATION 15] LDAPResult

   Upon receipt of a Compare Request, a server will attempt to perform
   the requested comparison. The result of the comparison will be
   returned to the client in the Compare Response. Note that errors and
   the result of comparison are all returned in the same construct.

4.9.  Abandon Operation

   The function of the Abandon Operation is to allow a client to request
   that the server abandon an outstanding operation.  The Abandon
   Request is defined as follows:

     AbandonRequest ::= [APPLICATION 16] MessageID

   There is no response defined in the Abandon Operation. Upon
   transmission of an Abandon Operation, a client may expect that the
   operation identified by the Message ID in the Abandon Request has
   been abandoned. In the event that a server receives an Abandon
   Request on a Search Operation in the midst of transmitting responses
   to that search, that server should cease transmitting responses to
   the abandoned search immediately.







Yeong, Howes & Kille                                           [Page 14]

RFC 1487                       X.500 LDAP                      July 1993


5.  Protocol Element Encodings

   The protocol elements of LDAP are encoded for exchange using the
   Basic Encoding Rules (BER) [11] of ASN.1 [10]. However, due to the
   high overhead involved in using certain elements of the BER, the
   following additional restrictions are placed on BER-encodings of LDAP
   protocol elements:

   (1)  Only the definite form of length encoding will be used.

   (2)  Bitstrings and octet strings will be encoded in the primitive form
        only.

6.  Security Considerations

   This version of the protocol provides facilities only for simple
   authentication using a cleartext password, and for kerberos version 4
   authentication.  Future versions of LDAP will likely include support
   for other authentication methods.

7.  Bibliography

   [1] The Directory: Overview of Concepts, Models and Service.  CCITT
       Recommendation X.500, 1988.

   [2] Information Processing Systems -- Open Systems Interconnection --
       The Directory: Overview of Concepts, Models and Service.  ISO/IEC
       JTC 1/SC21; International Standard 9594-1, 1988.

   [3] Rose, M., "Directory Assistance Service", RFC 1202, Performance
       Systems International, Inc., February 1991.

   [4] Howes, R., Smith, M., and B. Beecher, "DIXIE Protocol
       Specification", RFC 1249, University of Michigan, August 1991.

   [5] Kille, S., "A String Representation of Distinguished Names", RFC
       1485, ISODE Consortium, July 1993.

   [6] Howes, T., Kille, S., Yeong, W., and C. Robbins, "The String
       Representation of Standard Attribute Syntaxes", RFC 1488,
       University of Michigan, ISODE Consortium, Performance Systems
       International, NeXor Ltd., July 1993.

   [7] Kerberos Authentication and Authorization System.  S.P. Miller,
       B.C. Neuman, J.I. Schiller, J.H. Saltzer; MIT Project Athena
       Documentation Section E.2.1, December 1987.





Yeong, Howes & Kille                                           [Page 15]

RFC 1487                       X.500 LDAP                      July 1993


   [8] The Directory: Models.  CCITT Recommendation X.501 ISO/IEC JTC
       1/SC21; International Standard 9594-2, 1988.

   [9] The Directory: Abstract Service Definition.  CCITT Recommendation
       X.511, ISO/IEC JTC 1/SC21; International Standard 9594-3, 1988.

  [10] Specification of Abstract Syntax Notation One (ASN.1).  CCITT
       Recommendation X.208, 1988.

  [11] Specification of Basic Encoding Rules for Abstract Syntax
       Notation One (ASN.1).  CCITT Recommendation X.209, 1988.

9.  Security Considerations

   Security issues are not discussed in this memo.

9.  Authors' Addresses

   Wengyik Yeong
   PSI, Inc.
   510 Huntmar Park Drive
   Herndon, VA 22070
   USA

   Phone: +1 703-450-8001
   EMail: yeongw@psilink.com


   Tim Howes
   University of Michigan
   ITD Research Systems
   535 W William St.
   Ann Arbor, MI 48103-4943
   USA

   Phone: +1 313 747-4454
   EMail: tim@umich.edu


   Steve Kille
   ISODE Consortium
   PO Box 505
   London
   SW11 1DX
   UK

   Phone: +44-71-223-4062
   EMail: S.Kille@isode.com



Yeong, Howes & Kille                                           [Page 16]

RFC 1487                       X.500 LDAP                      July 1993


Appendix A

                         Complete ASN.1 Definition

Lightweight-Directory-Access-Protocol DEFINITIONS ::=

IMPLICIT TAGS

BEGIN

LDAPMessage ::=
    SEQUENCE {
         messageID      MessageID,
                        -- unique id in request,
                        -- to be echoed in response(s)
         protocolOp     CHOICE {
                             searchRequest       SearchRequest,
                             searchResponse      SearchResponse,
                             modifyRequest       ModifyRequest,
                             modifyResponse      ModifyResponse,
                             addRequest          AddRequest,
                             addResponse         AddResponse,
                             delRequest          DelRequest,
                             delResponse         DelResponse,
                             modifyDNRequest     ModifyDNRequest,
                             modifyDNResponse    ModifyDNResponse,
                             compareDNRequest    CompareRequest,
                             compareDNResponse   CompareResponse,
                             bindRequest         BindRequest,
                             bindResponse        BindResponse,
                             abandonRequest      AbandonRequest,
                             unbindRequest       UnbindRequest
                        }
    }

BindRequest ::=
    [APPLICATION 0] SEQUENCE {
         version        INTEGER (1 .. 127),
                        -- current version is 2
         name           LDAPDN,
                        -- null name implies an anonymous bind
         authentication CHOICE {
                             simple        [0] OCTET STRING,
                                       -- a zero length octet string
                                       -- implies an unauthenticated
                                       -- bind.
                             krbv42LDAP    [1] OCTET STRING,
                             krbv42DSA     [2] OCTET STRING



Yeong, Howes & Kille                                           [Page 17]

RFC 1487                       X.500 LDAP                      July 1993


                                       -- values as returned by
                                       -- krb_mk_req()
                                       -- Other values in later
                                       -- versions of this protocol.
                        }
    }

BindResponse ::= [APPLICATION 1] LDAPResult

UnbindRequest ::= [APPLICATION 2] NULL

SearchRequest ::=
    [APPLICATION 3] SEQUENCE {
         baseObject     LDAPDN,
         scope          ENUMERATED {
                             baseObject            (0),
                             singleLevel           (1),
                             wholeSubtree          (2)
                        },
         derefAliases   ENUMERATED {
                             neverDerefAliases     (0),
                             derefInSearching      (1),
                             derefFindingBaseObj   (2),
                             alwaysDerefAliases    (3)
                        },
         sizeLimit      INTEGER (0 .. MaxInt),
                        -- value of 0 implies no sizelimit
         timeLimit      INTEGER (0 .. MaxInt),
                        -- value of 0 implies no timelimit
         attrsOnly     BOOLEAN,
                        -- TRUE, if only attributes (without values)
                        -- to be returned.
         filter         Filter,
         attributes     SEQUENCE OF AttributeType
    }

SearchResponse ::=
    CHOICE {
         entry          [APPLICATION 4] SEQUENCE {
                             objectName     LDAPDN,
                             attributes     SEQUENCE OF SEQUENCE {
                                              AttributeType,
                                              SET OF
                                                AttributeValue
                                            }
                        },
         resultCode     [APPLICATION 5] LDAPResult
    }



Yeong, Howes & Kille                                           [Page 18]

RFC 1487                       X.500 LDAP                      July 1993


ModifyRequest ::=
    [APPLICATION 6] SEQUENCE {
         object         LDAPDN,
         modifications  SEQUENCE OF SEQUENCE {
                             operation     ENUMERATED {
                                             add      (0),
                                             delete   (1),
                                             replace  (2)
                                           },
                             modification  SEQUENCE {
                                             type     AttributeType,
                                             values   SET OF
                                                        AttributeValue
                                           }
                        }
    }


ModifyResponse ::= [APPLICATION 7] LDAPResult

AddRequest ::=
    [APPLICATION 8] SEQUENCE {
         entry          LDAPDN,
         attrs          SEQUENCE OF SEQUENCE {
                             type          AttributeType,
                             values        SET OF AttributeValue
                        }
    }

AddResponse ::= [APPLICATION 9] LDAPResult

DelRequest ::= [APPLICATION 10] LDAPDN

DelResponse ::= [APPLICATION 11] LDAPResult

ModifyRDNRequest ::=
    [APPLICATION 12] SEQUENCE {
         entry          LDAPDN,
         newrdn         RelativeLDAPDN -- old RDN always deleted
    }

ModifyRDNResponse ::= [APPLICATION 13] LDAPResult

CompareRequest ::=
    [APPLICATION 14] SEQUENCE {
         entry          LDAPDN,
         ava            AttributeValueAssertion
    }



Yeong, Howes & Kille                                           [Page 19]

RFC 1487                       X.500 LDAP                      July 1993


CompareResponse ::= [APPLICATION 15] LDAPResult

AbandonRequest ::= [APPLICATION 16] MessageID

MessageID ::= INTEGER (0 .. MaxInt)

LDAPDN ::= IA5String

RelativeLDAPDN ::= IA5String

Filter ::=
    CHOICE {
        and            [0] SET OF Filter,
        or             [1] SET OF Filter,
        not            [2] Filter,
        equalityMatch  [3] AttributeValueAssertion,
        substrings     [4] SubstringFilter,
        greaterOrEqual [5] AttributeValueAssertion,
        lessOrEqual    [6] AttributeValueAssertion,
        present        [7] AttributeType,
        approxMatch    [8] AttributeValueAssertion
    }

LDAPResult ::=
    SEQUENCE {
        resultCode    ENUMERATED {
                        success                      (0),
                        operationsError              (1),
                        protocolError                (2),
                        timeLimitExceeded            (3),
                        sizeLimitExceeded            (4),
                        compareFalse                 (5),
                        compareTrue                  (6),
                        authMethodNotSupported       (7),
                        strongAuthRequired           (8),
                        noSuchAttribute              (16),
                        undefinedAttributeType       (17),
                        inappropriateMatching        (18),
                        constraintViolation          (19),
                        attributeOrValueExists       (20),
                        invalidAttributeSyntax       (21),
                        noSuchObject                 (32),
                        aliasProblem                 (33),
                        invalidDNSyntax              (34),
                        isLeaf                       (35),
                        aliasDereferencingProblem    (36),
                        inappropriateAuthentication  (48),
                        invalidCredentials           (49),



Yeong, Howes & Kille                                           [Page 20]

RFC 1487                       X.500 LDAP                      July 1993


                        insufficientAccessRights     (50),
                        busy                         (51),
                        unavailable                  (52),
                        unwillingToPerform           (53),
                        loopDetect                   (54),
                        namingViolation              (64),
                        objectClassViolation         (65),
                        notAllowedOnNonLeaf          (66),
                        notAllowedOnRDN              (67),
                        entryAlreadyExists           (68),
                        objectClassModsProhibited    (69),
                        other                        (80)
                      },
        matchedDN     LDAPDN,
        errorMessage  IA5String
    }

AttributeType ::= IA5String
                -- text name of the attribute, or dotted
                -- OID representation

AttributeValue ::= OCTET STRING

AttributeValueAssertion ::=
    SEQUENCE {
        attributeType        AttributeType,
        attributeValue       AttributeValue
    }

SubstringFilter
    SEQUENCE {
        type               AttributeType,
        SEQUENCE OF CHOICE {
          initial          [0] IA5String,
          any              [1] IA5String,
          final            [2] IA5String
      }
    }

IA5String ::= OCTET STRING

MaxInt ::= 65535
END








Yeong, Howes & Kille                                           [Page 21]