Network Working Group K. Zeilenga
Request for Comments: 4527 OpenLDAP Foundation
Category: Standards Track June 2006
Network Working Group K. Zeilenga
Request for Comments: 4527 OpenLDAP Foundation
Category: Standards Track June 2006
Lightweight Directory Access Protocol (LDAP) Read Entry Controls
轻型目录访问协议(LDAP)读取条目控件
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2006).
版权所有(C)互联网协会(2006年)。
Abstract
摘要
This document specifies an extension to the Lightweight Directory Access Protocol (LDAP) to allow the client to read the target entry of an update operation. The client may request to read the entry before and/or after the modifications are applied. These reads are done as an atomic part of the update operation.
本文档指定了轻量级目录访问协议(LDAP)的扩展,以允许客户端读取更新操作的目标条目。客户可以在应用修改之前和/或之后请求读取条目。这些读取作为更新操作的原子部分完成。
Table of Contents
目录
1. Background and Intent of Use ....................................2
2. Terminology .....................................................2
3. Read Entry Controls .............................................3
3.1. The Pre-Read Controls ......................................3
3.2. The Post-Read Controls .....................................3
4. Interaction with Other Controls .................................4
5. Security Considerations .........................................4
6. IANA Considerations .............................................5
6.1. Object Identifier ..........................................5
6.2. LDAP Protocol Mechanisms ...................................5
7. Acknowledgement .................................................5
8. References ......................................................6
8.1. Normative References .......................................6
8.2. Informative References .....................................7
1. Background and Intent of Use ....................................2
2. Terminology .....................................................2
3. Read Entry Controls .............................................3
3.1. The Pre-Read Controls ......................................3
3.2. The Post-Read Controls .....................................3
4. Interaction with Other Controls .................................4
5. Security Considerations .........................................4
6. IANA Considerations .............................................5
6.1. Object Identifier ..........................................5
6.2. LDAP Protocol Mechanisms ...................................5
7. Acknowledgement .................................................5
8. References ......................................................6
8.1. Normative References .......................................6
8.2. Informative References .....................................7
This document specifies an extension to the Lightweight Directory Access Protocol (LDAP) [RFC4510] to allow the client to read the target entry of an update operation (e.g., Add, Delete, Modify, ModifyDN). The extension utilizes controls [RFC4511] attached to update requests to request and return copies of the target entry. One request control, called the Pre-Read request control, indicates that a copy of the entry before application of update is to be returned. Another control, called the Post-Read request control, indicates that a copy of the entry after application of the update is to be returned. Each request control has a corresponding response control used to return the entry.
本文档指定了轻量级目录访问协议(LDAP)[RFC4510]的扩展,以允许客户端读取更新操作的目标条目(例如,添加、删除、修改、修改DN)。扩展利用附加到更新请求的控件[RFC4511]来请求和返回目标条目的副本。一个称为预读请求控件的请求控件指示在应用更新之前返回条目的副本。另一个控件称为读后请求控件,指示在应用更新后返回条目的副本。每个请求控件都有一个用于返回条目的相应响应控件。
To ensure proper isolation, the controls are processed as an atomic part of the update operation.
为了确保适当的隔离,控件作为更新操作的原子部分进行处理。
The functionality offered by these controls is based upon similar functionality in the X.500 Directory Access Protocol (DAP) [X.511].
这些控件提供的功能基于X.500目录访问协议(DAP)[X.511]中的类似功能。
The Pre-Read controls may be used to obtain replaced or deleted values of modified attributes or a copy of the entry being deleted.
预读控件可用于获取已修改属性的替换或删除值或正在删除的条目的副本。
The Post-Read controls may be used to obtain values of operational attributes, such as the 'entryUUID' [RFC4530] and 'modifyTimestamp' [RFC4512] attributes, updated by the server as part of the update operation.
读取后控件可用于获取操作属性的值,例如“entryUUID”[RFC4530]和“modifyTimestamp”[RFC4512]属性,这些属性由服务器作为更新操作的一部分进行更新。
Protocol elements are described using ASN.1 [X.680] with implicit tags. The term "BER-encoded" means the element is to be encoded using the Basic Encoding Rules [X.690] under the restrictions detailed in Section 5.1 of [RFC4511].
协议元素使用带有隐式标记的ASN.1[X.680]进行描述。术语“BER编码”是指根据[RFC4511]第5.1节详述的限制,使用基本编码规则[X.690]对元素进行编码。
DN stands for Distinguished Name. DSA stands for Directory System Agent (i.e., a directory server). DSE stands for DSA-specific Entry.
DN代表可分辨名称。DSA代表目录系统代理(即目录服务器)。DSE代表DSA特定条目。
In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14 [RFC2119].
在本文件中,关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14[RFC2119]中的说明进行解释。
The Pre-Read request and response controls are identified by the 1.3.6.1.1.13.1 object identifier. Servers implementing these controls SHOULD publish 1.3.6.1.1.13.1 as a value of the 'supportedControl' [RFC4512] in their root DSE.
预读请求和响应控制由1.3.6.1.1.13.1对象标识符标识。实现这些控件的服务器应在其根DSE中将1.3.6.1.1.13.1作为“supportedControl”[RFC4512]的值发布。
The Pre-Read request control is a LDAP Control [RFC4511] whose controlType is 1.3.6.1.1.13.1 and whose controlValue is a BER-encoded AttributeSelection [RFC4511], as extended by [RFC3673]. The criticality may be TRUE or FALSE. This control is appropriate for the modifyRequest, delRequest, and modDNRequest LDAP messages.
预读请求控件是LDAP控件[RFC4511],其控制类型为1.3.6.1.1.13.1,其控制值为BER编码的属性选择[RFC4511],扩展为[RFC3673]。临界状态可能是真的,也可能是假的。此控件适用于modifyRequest、delRequest和modDNRequest LDAP消息。
The corresponding response control is a LDAP Control whose controlType is 1.3.6.1.1.13.1 and whose the controlValue, an OCTET STRING, contains a BER-encoded SearchResultEntry. The criticality may be TRUE or FALSE. This control is appropriate for the modifyResponse, delResponse, and modDNResponse LDAP messages with a resultCode of success (0).
相应的响应控件是一个LDAP控件,其controlType为1.3.6.1.1.13.1,其controlValue(八位字节字符串)包含一个BER编码的SearchResultEntry。临界状态可能是真的,也可能是假的。此控件适用于modifyResponse、delResponse和modDNResponse LDAP消息,其结果代码为成功(0)。
When the request control is attached to an appropriate update LDAP request, the control requests the return of a copy of the target entry prior to the application of the update. The AttributeSelection indicates, as discussed in [RFC4511][RFC3673], which attributes are requested to appear in the copy. The server is to return a SearchResultEntry containing, subject to access controls and other constraints, values of the requested attributes.
当请求控件附加到适当的更新LDAP请求时,该控件请求在应用更新之前返回目标条目的副本。如[RFC4511][RFC3673]中所述,属性选择指示请求在副本中显示哪些属性。服务器将返回一个SearchResulty,根据访问控制和其他约束,其中包含所请求属性的值。
The normal processing of the update operation and the processing of this control MUST be performed as one atomic action isolated from other update operations.
更新操作的正常处理和此控件的处理必须作为与其他更新操作隔离的一个原子操作来执行。
If the update operation fails (in either normal or control processing), no Pre-Read response control is provided.
如果更新操作失败(在正常或控制处理中),则不提供预读取响应控制。
The Post-Read request and response controls are identified by the 1.3.6.1.1.13.2 object identifier. Servers implementing these controls SHOULD publish 1.3.6.1.1.13.2 as a value of the 'supportedControl' [RFC4512] in their root DSE.
读取后请求和响应控制由1.3.6.1.1.13.2对象标识符标识。实现这些控件的服务器应在其根DSE中将1.3.6.1.1.13.2作为“supportedControl”[RFC4512]的值发布。
The Post-Read request control is a LDAP Control [RFC4511] whose controlType is 1.3.6.1.1.13.2 and whose controlValue, an OCTET STRING, contains a BER-encoded AttributeSelection [RFC4511], as extended by [RFC3673]. The criticality may be TRUE or FALSE. This
读后请求控件是LDAP控件[RFC4511],其controlType为1.3.6.1.1.13.2,其controlValue(八位字节字符串)包含BER编码的属性选择[RFC4511],扩展为[RFC3673]。临界状态可能是真的,也可能是假的。这
control is appropriate for the addRequest, modifyRequest, and modDNRequest LDAP messages.
控件适用于addRequest、modifyRequest和modDNRequest LDAP消息。
The corresponding response control is a LDAP Control whose controlType is 1.3.6.1.1.13.2 and whose controlValue is a BER-encoded SearchResultEntry. The criticality may be TRUE or FALSE. This control is appropriate for the addResponse, modifyResponse, and modDNResponse LDAP messages with a resultCode of success (0).
相应的响应控件是LDAP控件,其controlType为1.3.6.1.1.13.2,其controlValue为BER编码的SearchResultEntry。临界状态可能是真的,也可能是假的。此控件适用于结果代码为成功(0)的addResponse、modifyResponse和modDNResponse LDAP消息。
When the request control is attached to an appropriate update LDAP request, the control requests the return of a copy of the target entry after the application of the update. The AttributeSelection indicates, as discussed in [RFC4511][RFC3673], which attributes are requested to appear in the copy. The server is to return a SearchResultEntry containing, subject to access controls and other constraints, values of the requested attributes.
当请求控件附加到适当的更新LDAP请求时,该控件请求在应用更新后返回目标条目的副本。如[RFC4511][RFC3673]中所述,属性选择指示请求在副本中显示哪些属性。服务器将返回一个SearchResulty,根据访问控制和其他约束,其中包含所请求属性的值。
The normal processing of the update operation and the processing of this control MUST be performed as one atomic action isolated from other update operations.
更新操作的正常处理和此控件的处理必须作为与其他更新操作隔离的一个原子操作来执行。
If the update operation fails (in either normal or control processing), no Post-Read response control is provided.
如果更新操作失败(在正常或控制处理中),则不提供读取后响应控制。
The Pre-Read and Post-Read controls may be combined with each other and/or with a variety of other controls. When combined with the assertion control [RFC4528] and/or the manageDsaIT control [RFC3296], the semantics of each control included in the combination applies. The Pre-Read and Post-Read controls may be combined with other controls as detailed in other technical specifications.
预读取和后读取控件可以彼此组合和/或与各种其他控件组合。当与断言控件[RFC4528]和/或manageDsaIT控件[RFC3296]组合时,组合中包含的每个控件的语义适用。读前和读后控制可与其他技术规范中详述的其他控制结合使用。
The controls defined in this document extend update operations to support read capabilities. Servers MUST ensure that the client is authorized for reading of the information provided in this control and that the client is authorized to perform the requested directory update.
本文档中定义的控件扩展了更新操作以支持读取功能。服务器必须确保客户端有权读取此控件中提供的信息,并且客户端有权执行请求的目录更新。
Security considerations for the update operations [RFC4511] extended by this control, as well as general LDAP security considerations [RFC4510], generally apply to implementation and use of this extension
此控件扩展的更新操作[RFC4511]的安全注意事项以及一般LDAP安全注意事项[RFC4510]通常适用于此扩展的实现和使用
Registration of the following protocol values [RFC4520] have been completed by the IANA.
IANA已完成以下协议值[RFC4520]的注册。
The IANA has registered an LDAP Object Identifier to identify LDAP protocol elements defined in this document.
IANA已注册LDAP对象标识符,以标识本文档中定义的LDAP协议元素。
Subject: Request for LDAP Object Identifier Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Specification: RFC 4527
Author/Change Controller: IESG
Comments: Identifies the LDAP Read Entry Controls
Subject: Request for LDAP Object Identifier Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Specification: RFC 4527
Author/Change Controller: IESG
Comments: Identifies the LDAP Read Entry Controls
The IANA has registered the LDAP Protocol Mechanism described in this document.
IANA已经注册了本文档中描述的LDAP协议机制。
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: 1.3.6.1.1.13.1
Description: LDAP Pre-read Control
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Control
Specification: RFC 4527
Author/Change Controller: IESG
Comments: none
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: 1.3.6.1.1.13.1
Description: LDAP Pre-read Control
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Control
Specification: RFC 4527
Author/Change Controller: IESG
Comments: none
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: 1.3.6.1.1.13.2
Description: LDAP Post-read Control
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Control
Specification: RFC 4527
Author/Change Controller: IESG
Comments: none
Subject: Request for LDAP Protocol Mechanism Registration
Object Identifier: 1.3.6.1.1.13.2
Description: LDAP Post-read Control
Person & email address to contact for further information:
Kurt Zeilenga <kurt@openldap.org>
Usage: Control
Specification: RFC 4527
Author/Change Controller: IESG
Comments: none
The LDAP Pre-Read and Post-Read controls are modeled after similar capabilities offered in the DAP [X.511].
LDAP读前和读后控件是根据DAP[X.511]中提供的类似功能建模的。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC3296] Zeilenga, K., "Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories", RFC 3296, July 2002.
[RFC3296]Zeilenga,K.,“轻量级目录访问协议(LDAP)目录中的命名从属引用”,RFC3296,2002年7月。
[RFC3673] Zeilenga, K., "Lightweight Directory Access Protocol version 3 (LDAPv3): All Operational Attributes", RFC 3673, December 2003.
[RFC3673]Zeilenga,K.,“轻型目录访问协议版本3(LDAPv3):所有操作属性”,RFC 36732003年12月。
[RFC4510] Zeilenga, K., Ed, "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006.
[RFC4510]Zeilenga,K.,Ed,“轻量级目录访问协议(LDAP):技术规范路线图”,RFC45102006年6月。
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, June 2006.
[RFC4511]Sermersheim,J.,Ed.,“轻量级目录访问协议(LDAP):协议”,RFC4511,2006年6月。
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.
[RFC4512]Zeilenga,K.,“轻量级目录访问协议(LDAP):目录信息模型”,RFC4512,2006年6月。
[RFC4528] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP) Assertion Control", RFC 4528, June 2006.
[RFC4528]Zeilenga,K.,“轻量级目录访问协议(LDAP)断言控制”,RFC4528,2006年6月。
[X.680] International Telecommunication Union - Telecommunication Standardization Sector, "Abstract Syntax Notation One (ASN.1) - Specification of Basic Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
[X.680]国际电信联盟-电信标准化部门,“抽象语法符号1(ASN.1)-基本符号规范”,X.680(1997)(也称ISO/IEC 8824-1:1998)。
[X.690] International Telecommunication Union - Telecommunication Standardization Sector, "Specification of ASN.1 encoding rules: Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER)", X.690(1997) (also ISO/IEC 8825-1:1998).
[X.690]国际电信联盟-电信标准化部门,“ASN.1编码规则规范:基本编码规则(BER)、规范编码规则(CER)和区分编码规则(DER)”,X.690(1997)(另见ISO/IEC 8825-1:1998)。
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
[RFC4520]Zeilenga,K.,“轻量级目录访问协议(LDAP)的互联网分配号码管理局(IANA)注意事项”,BCP 64,RFC 4520,2006年6月。
[RFC4530] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP) EntryUUID Operational Attribute", RFC 4530, June 2006.
[RFC4530]Zeilenga,K.,“轻量级目录访问协议(LDAP)入口UUID操作属性”,RFC4530,2006年6月。
[X.511] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Abstract Service Definition", X.511(1993) (also ISO/IEC 9594-3:1993).
[X.511]国际电信联盟-电信标准化部门,“目录:抽象服务定义”,X.511(1993)(也称ISO/IEC 9594-3:1993)。
Author's Address
作者地址
Kurt D. Zeilenga OpenLDAP Foundation
库尔特D.Zeeliga OpenLDAP基金会
EMail: Kurt@OpenLDAP.org
EMail: Kurt@OpenLDAP.org
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2006).
版权所有(C)互联网协会(2006年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
RFC编辑器功能的资金由IETF行政支持活动(IASA)提供。