LDAP in the Solaris Operating Environment: Deploying Secure Directory Services

To locate the specifics of protocols such as LDAP v3, look at RFCs and Internet Drafts. RFC stands for Request for Comments: each distinct version of an Internet standards-related specification is published as part of the Request for Comments (RFC) document series. This archival series is the official publication channel for Internet standards documents and other publications of the Internet community.

The sites below do not list all the RFCs defining a particular standard; some are classified as Experimental, Informational, Historic, or Early (before the IETF standards track). Most RFCs start off as Internet Drafts before being approved as RFCs. When you are searching for a particular RFC or Internet Draft, you will find that it is available at mirrored sites all over the world.

The following sites are not complete but can be used as a starting place for locating your favorite (and most useful) RFCs:

http://www.rfc-editor.org/rfcsearch.html

http://www.ietf.org/rfc/rfc.html

http://src.doc.ic.ac.uk/computing/internet/rfc/

ftp://src.doc.ic.ac.uk/computing/internet/rfc/

http://info.internet.isi.edu:80/in-notes/rfc/files/

ftp://ds.internic.net/rfc/

For example, if you want to access a particular RFC and you know the specific RFC number, say, RFC 2251, you would type 2251 in the box provided. If you do not know the RFC number, use the URL in the following example to locate the RFC you are interested in.

http://www.rfc-editor.org/rfcsearch.htm

This Web site enables you to specify the RFC number and other information such as the Title. You can enter the word LDAP and, assuming you have set the maximum number of entries returned high enough, all the LDAP-related RFCs will be returned. Be aware that if you search for an Internet Draft and you are unable to find it, it does not mean that the draft does not exist! You may need to refine your search: try searching for the same draft with a higher number.

Life Cycle of an RFC

The first step toward publication of an RFC is publication of the document as an Internet Draft. Internet Drafts are working documents of the IETF, its areas, and its working groups (their file names sometimes end in ietf-workinggroupname). Today, many LDAP-related drafts are individual submissions and they do not have an ietf extension.

Once an Internet Draft has been submitted, it has a life span of six months; after that time the Internet Draft expires. Expiration means either that a new draft is submitted (which typically means that a new draft is issued with a higher sequential number) or that the Internet Draft has expired and is no longer available. When an Internet Draft expires, it is deleted. Sometimes, you receive a date and timestamp with the information that a particular Internet Draft was deleted.

When the document reaches consensus of the Internet community, it is published as an RFC. RFCs can be of different types, such as the Standards Track RFCs, which include the Proposed Standard, Draft Standard, and Standard. Not all documents are published in the Standards Track; it is also possible to have documents published as Historical, Experimental, or Informational; these are not Internet Standards.

You can also find Internet Drafts at these sites:

IETF: ftp://ftp.ietf.org/internet-drafts/

Africa: ftp.is.co.za

Canada: ftp.normos.org

Sweden: ftp.nordu.net

Switzerland: ftp://sunsite.cnlab-switch.ch

Italy: ftp.nic.it

Pacific Rim: munnari.oz.au

US West Coast: ftp.isi.edu

South America: ftp.ietf.rnp.br

LDAP RFCs and Internet Drafts

This section lists some of the LDAP RFCs and provides a sample of LDAP Internet Drafts.

LDAP RFCs

RFC 1823: The C LDAP Application Program Interface

RFC 1823 defines the old LDAPv2 interface. This RFC will eventually be replaced by a document that is currently an Internet Draft. This Internet Draft defines the LDAPv3 extensions to the C API for accessing LDAP.

Status: INFORMATIONAL

RFC 2247: Using Domains in LDAP/X.500 Distinguished Names

This document defines an algorithm by which a name registered with the Internet Domain Name System (DNS) can be represented as an LDAP distinguished name.

Status: PROPOSED STANDARD

RFC 2251: Lightweight Directory Access Protocol (v3)

This is the main RFC for LDAPv3 and defines the protocol operations, data representation, and data organization.

Status: PROPOSED STANDARD

RFC 2252: Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions

LDAP transmits most attribute values as strings, rather than as binary structures. For example, the number 4,000 is transmitted as "4000". This document defines the standard attribute type representations and specifies how attribute values are compared for each standard type during a search operation.

Status: PROPOSED STANDARD

RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names

Each entry in an LDAP directory is uniquely identified by its distinguished name (DN), represented as a string. This document defines the syntax and structure of these names.

Status: PROPOSED STANDARD

RFC 2254: The String Representation of LDAP Search Filters

The basic LDAPv3 RFC (RFC 2251) defines a binary format for search expressions passed from a client to a server. However, users of clients compose and submit search requests in an easily readable and printable string format, which is defined in RFC 2254.

Status: PROPOSED STANDARD
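The two string conventions just described, the RFC 2247 mapping of a DNS name to a dc= distinguished name and the RFC 2254 rule that the characters `*`, `(`, `)`, `\` and NUL inside a filter value are written as a backslash followed by two hex digits, are small enough to implement directly. The following is an added example, not code from the book, showing both; the function names are the example's own.

```python
"""RFC 2247 domain-to-DN mapping and RFC 2254 filter-value escaping (added example)."""
import re

# DNS label syntax: letters, digits and hyphens, no leading or trailing hyphen.
_DNS_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
# Attribute description (e.g. "uid", "cn") or a dotted numeric OID.
_ATTRIBUTE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

# RFC 2254 section 4: these characters are replaced by \ plus two hex digits.
_FILTER_ESCAPES = {
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\\": r"\5c",
    "\x00": r"\00",
}


def domain_to_dn(domain: str) -> str:
    """Map a DNS name to a DN of dc= components, one per label (RFC 2247).

    'ldap.example.com' becomes 'dc=ldap,dc=example,dc=com'.
    """
    labels = domain.rstrip(".").split(".")
    for label in labels:
        if not _DNS_LABEL.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return ",".join(f"dc={label}" for label in labels)


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside an RFC 2254 filter string."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build '(attribute=value)' with the value escaped per RFC 2254.

    Escaping the value keeps any filter metacharacters it contains as literal
    text, so the attribute and value given here are the only ones searched.
    """
    if not _ATTRIBUTE.match(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


if __name__ == "__main__":
    # Constructed sample input, not taken from any real directory.
    print(domain_to_dn("ldap.example.com"))
    print(equality_filter("cn", "Smith (Engineering)"))
    print(equality_filter("uid", "jdoe*"))
```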

RFC 2255: The LDAP URL Format

RFC 2255 defines the URL format for expressing an LDAP search. You can enter an LDAP URL in many browsers to perform an LDAP search.

Status: PROPOSED STANDARD

RFC 2256: A Summary of the X.500(96) User Schema for Use with LDAPv3

Where possible, LDAP leverages the schema standardization work of X.500, rather than inventing new standards for schema information. This document defines standard attributes for representing a person in an LDAP entry. These attributes are based on the X.500 standard.

Status: PROPOSED STANDARD

RFC 2307: An Approach for Using LDAP as a Network Information Service

This document describes an experimental mechanism for mapping entities related to TCP/IP and the UNIX system into X.500 entries so that they can be resolved with the LDAP protocol.

Status: EXPERIMENTAL

RFC 2589: LDAPv3 Extensions for Dynamic Directory Services

This document defines extended operations to support dynamic (short-lived) directory data storage.

Status: PROPOSED STANDARD

RFC 2596: Use of Language Codes in LDAP

This document describes how language codes as defined in RFC 1766 are carried in LDAP and are to be interpreted by LDAP servers.

Status: PROPOSED STANDARD

RFC 2696: LDAP Control Extension for Simple Paged Results Manipulation

This document describes an LDAPv3 control extension for simple paging of search results. This control extension allows a client to control the rate at which an LDAP server returns the results of an LDAP search operation.

Status: INFORMATIONAL

RFC 2713: Schema for Representing Java Objects in an LDAP Directory

This document defines the schema for representing Java objects in an LDAP (v3) directory.

Status: INFORMATIONAL

RFC 2714: Schema for Representing CORBA Object References in an LDAP Directory

This document defines the schema for representing CORBA object references in an LDAP (v3) directory.

Status: INFORMATIONAL

RFC 2739: Calendar Attributes for vCard and LDAP

This document describes a mechanism to locate (URI) an individual user's calendar and free/busy time.

Status: PROPOSED STANDARD

RFC 2798: Definition of the inetOrgPerson LDAP Object Class

This document defines a person object class that meets the requirements found in today's Internet and Intranet directory service deployments.

Status: INFORMATIONAL

RFC 2829: Authentication Methods for LDAP

This document specifies particular combinations of security mechanisms which are required and recommended in LDAP implementations.

Status: PROPOSED STANDARD

RFC 2830: Lightweight Directory Access Protocol (v3) Extension for Transport Layer Security

This document defines the Start Transport Layer Security (TLS) Operation for LDAP [LDAPv3, TLS]. This operation provides for TLS establishment in an LDAP association and is defined in terms of an LDAP extended request.

Status: PROPOSED STANDARD

RFC 2849: The LDAP Data Interchange Format (LDIF) - Technical Specification

This document specifies an Internet standards track protocol for the Internet community and requests discussion and suggestions for improvements.

Status: PROPOSED STANDARD

RFC 2891: LDAP Control Extension for Server Side Sorting of Search Results

This document describes two LDAP v3 control extensions for server side sorting of search results. These controls allow a client to specify the attribute types and matching rules a server should use when returning the results to an LDAP search request. The sort controls allow a server to return a result code for the sorting of the results that is independent of the result code returned for the search operation.

Status: PROPOSED STANDARD

RFC 3045: Storing Vendor Information in the LDAP root DSE

This document specifies two Lightweight Directory Access Protocol (LDAP) attributes, vendorName and vendorVersion, that may be included in the root DSA-specific Entry (DSE) to advertise vendor-specific information. These two attributes supplement the attributes defined in section 3.4 of RFC 2251. The information held in these attributes MAY be used for display and informational purposes and must not be used for feature advertisement or discovery.

Status: INFORMATIONAL

RFC 3296: Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories

This RFC describes schema and protocol elements for representing and managing named subordinate references in Lightweight Directory Access Protocol (LDAP) Directories.

Status: PROPOSED STANDARD

RFC 3377: Lightweight Directory Access Protocol (v3): Technical Specification

This document specifies the set of RFCs comprising the Lightweight Directory Access Protocol Version 3 (LDAPv3), and addresses an IESG Note attached to RFCs 2251 through 2256.

Status: PROPOSED STANDARD

LDAP Internet Drafts

Internet Drafts have a set path that they follow every six months. When you start looking at Internet Drafts, you will be amazed by the number of available drafts that are related to LDAP.

LDAPbis is a newly created working group whose charter is to move LDAP v3 to a Standard, by reissuing the LDAP v3 RFCs and resolving ambiguities.

The LDAPEXT (LDAP Extension) working group is just as important as the LDUP working group; it provides LDAP v3 with a standard access control model for the representation and semantics of access control information.

The LDUP (LDAP Duplication/Replication/Update Protocols) working group is a working group for LDAP users. This working group is finishing up, and is in the process of publishing most of its work as INFORMATIONAL and EXPERIMENTAL, implying that this working group will not define a standard for LDAP server replication.

Controls and Extended Operations

Persistent Search: A Simple LDAP Change Notification Mechanism (draft-ietf-ldapext-psearch-03.txt)

This document defines two controls that extend the LDAP v3 search operation to provide a simple mechanism by which an LDAP client can receive notification of changes that occur in an LDAP server. The mechanism is designed to be very flexible yet easy for clients and servers to implement. Since the IETF is likely to pursue a different, more comprehensive solution in this area, this document will eventually be published with Informational status in order to document an existing practice.

LDAP Extensions for Scrolling View Browsing of Search Results (draft-ietf-ldapext-ldapv3-vlv-09.txt)

This document describes a Virtual List View (vlv) control extension for the LDAP Search operation. This control is designed to allow the "virtual list box" feature, common in existing commercial email address book applications, to be supported efficiently by LDAP servers. LDAP servers' inability to support this client feature is a significant impediment to LDAP replacing proprietary protocols in commercial email systems. The control allows a client to specify that the server return, for a given LDAP search with associated sort keys, a contiguous subset of the search result set. This subset is specified in terms of offsets into the ordered list, or in terms of a greater than or equal comparison value.

LDAP Control for a Duplicate Entry Representation of Search Results (draft-ietf-ldapext-ldapv3-dupent-04.txt)

This document describes a Duplicate Entry Representation control extension for the LDAP Search operation. By using the control with an LDAP search, a client requests that the server return separate entries for each value held in the specified attributes. For instance, if a specified attribute of an entry holds multiple values, the search operation will return multiple instances of that entry, each instance holding a separate single value in that attribute.

Returning Matched Values with LDAP v3 (draft-ietf-ldapext-matchedval-02.txt)

This document describes a control for LDAP v3 that is used to return a subset of attribute values from an entry, specifically, only those values that match a "values return" filter. Without support for this control, a client must retrieve all of an attribute's values and search for specific values locally.

A Taxonomy of Methods for LDAP Clients Finding Servers (draft-ietf-ldapext-ldap-taxonomy-02.txt)

There are several different methods for an LDAP client to find an LDAP server. This draft discusses these methods and provides pointers for interested parties to learn more about implementing a particular method.

Discovering LDAP Services with DNS (draft-ietf-ldapext-locate-03.txt)

This document specifies a method for discovering LDAP servers using information in the Domain Name System.

Authentication and Security

X.509 Authentication SASL Mechanism (draft-ietf-ldapext-x509-sasl-03.txt)

This document defines a SASL authentication mechanism based on X.509 strong authentication, providing two-way authentication. This mechanism is only for authentication and has no effect on the protocol encodings and is not designed to provide integrity or confidentiality services.

Information and X.500 Documents

A great deal of the LDAP standards are based on the standards model of X.500. As you may have noticed, the LDAP standards documentation is freely available on the Internet today. This is not the case for the basic X.500 documentation. If you are interested in gaining access to this documentation, you must purchase it from the International Telecommunication Union (ITU) or the International Organization for Standardization (ISO). Here is the location from which the X.500 documentation may be purchased:

http://www.itu.int/itudoc/itu-t/rec/x/x500up/

The following list of documents has been taken from the book Understanding X.500: The Directory by David Chadwick.

  • The Directory (CCITT REC. X.500-X.521 ISO/IEC Standard 9594:1993)

  • X.500: Overview of Concepts, Models and Services

  • X.501: Models

  • X.509: Authentication Framework

  • X.511: Abstract Service Definition

  • X.518: Procedures for Distributed Operations

  • X.519: Protocol Specifications

  • X.520: Selected Attribute Types

  • X.521: Selected Object Classes

  • X.525: Replication

The North American Directory Forum (NADF) Documents (April 1993)

  • SD-0: NADF Standing Documents: A Brief Overview

  • SD-1: Terms of Reference

  • SD-2: Program Plan

  • SD-3: Service Description

  • SD-4: The Directory Schema

  • SD-5: An X.500 Naming Scheme for National DIT Subtrees and Its Application for C=CA and C=US

  • SD-6: Guidelines on Naming and Subtrees

  • SD-7: Mapping the North American DIT onto Directory Management Domains

  • SD-8: The Experimental Pilot Plan

  • SD-9: Charter, Procedure, and Operations of the Central Administration for NADF

  • SD-10: Security and Privacy: Policy and Services

  • SD-11: Directory Security: Mechanisms and Practicality

  • SD-12: Registry of ADDMD Names

EWOS Directory Functional Standards

  • A/711 (A/DI1): Directory Access, published as ENV 41 210 (also published as ISP 10615 parts 1 and 2)

  • A/712 (A/DI2): Directory System Protocol, published as ENV 41 212 (also published as ISP 10615 parts 3 and 4)

  • A/713 (A/DI32): Dynamic Behavior of DSAs for Distributed Operations, published as ENV 41 215 (also published as ISP 10615 part 6)

  • A/714 (A/DI31): Directory User Agents Distributed Operation, published as ENV 41 217 (also published as ISP 10615 part 5)

  • Q/511 (F/DI11): Common Directory Use, published as ENV 41 512 (also published as ISP 10616; see also ISO/IEC PDISP)

  • Q/512 (F/DI2): Directory Data Definitions: Directory Use by MHS

  • Q/513 (F/DI3): Directory Data Definitions: FTAM Use of the Directory (to be published as ISP 11190)

  • ETG XXX: Introduction to Directory Profiles (final draft)

  • ETG 017: Error Handling in the OSI Directory (final draft, May 1992)

  • ETG XXX: Security Architecture for the Directory (fifth draft in 1992)

Joint ISO Standards and CCITT Recommendations

  • ISO/IEC 8824:1988 CCITT X.208: Specification of Abstract Syntax Notation One (ASN.1)

  • ISO/IEC 8824-2 DIS (1993) CCITT X.208-2: Abstract Syntax Notation One (ASN.1): Information Object Specification

  • ISO/IEC 8825-1 CCITT X.209-1: Part 1: Basic Encoding Rules (BER)

  • ISO/IEC 8825-3 DIS (1993) CCITT X.209-3: Part 3: Distinguished Encoding Rules

  • ISO/IEC 9072-1 CCITT X.219: Remote Operations Model, Notation and Service Definition

  • ISO 8649:1988 CCITT X.217: Service Definition for the Association Control Service Element

Other ISO Documents

  • ISO/IEC JTC 1/SC21 N6063: Use of Object Identifiers to Access Directory Information (May 1991)

  • ISO 3166:1988: Codes for the Representation of Names of Countries

  • ISO IS 10162/3: Documentation Search and Retrieve Service Definition/Protocol Specification

  • ISO 6523:1984: Data Interchange Structure for the Identification of Organizations

  • ISO/IEC 10646-1:1993 (E): Information Technology: Universal Multiple-Octet Coded Character Set (UCS)

  • ISO/IEC PDISP 10616: International Standardized Profile FDI11: Directory Data Definitions: Common Directory Use (February 1993)
