Network Working Group                                        K. Zeilenga
Request for Comments: 3088                           OpenLDAP Foundation
Category: Experimental                                        April 2001
        
Network Working Group                                        K. Zeilenga
Request for Comments: 3088                           OpenLDAP Foundation
Category: Experimental                                        April 2001
        

OpenLDAP Root Service An experimental LDAP referral service

OpenLDAP根服务是一个实验性的LDAP引用服务

Status of this Memo

本备忘录的状况

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

这份备忘录为互联网社区定义了一个实验性协议。它没有规定任何类型的互联网标准。要求进行讨论并提出改进建议。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2001). All Rights Reserved.

版权所有(C)互联网协会(2001年)。版权所有。

Abstract

摘要

The OpenLDAP Project is operating an experimental LDAP (Lightweight Directory Access Protocol) referral service known as the "OpenLDAP Root Service". The automated system generates referrals based upon service location information published in DNS SRV RRs (Domain Name System location of services resource records). This document describes this service.

OpenLDAP项目正在运行一个实验性的LDAP(轻量级目录访问协议)引用服务,称为“OpenLDAP根服务”。自动系统根据DNS SRV RRs(服务资源记录的域名系统位置)中发布的服务位置信息生成转介。本文档介绍此服务。

1. Background
1. 出身背景

LDAP [RFC2251] directories use a hierarchical naming scheme inherited from X.500 [X500]. Traditionally, X.500 deployments have used a geo-political naming scheme (e.g., CN=Jane Doe,OU=Engineering,O=Example,ST=CA,C=US). However, registration infrastructure and location services in many portions of the naming hierarchical are inadequate or nonexistent.

LDAP[RFC2251]目录使用从X.500[X500]继承的分层命名方案。传统上,X.500部署使用地理政治命名方案(例如,CN=Jane Doe,OU=Engineering,O=Example,ST=CA,C=US)。然而,在命名层次结构的许多部分中,注册基础设施和位置服务不足或不存在。

The construction of a global directory requires a robust registration infrastructure and location service. Use of Internet domain-based naming [RFC2247] (e.g., UID=jdoe,DC=eng,DC=example,DC=net) allows LDAP directory services to leverage the existing DNS [RFC1034] registration infrastructure and DNS SRV [RFC2782] resource records can be used to locate services [LOCATE].

全球目录的构建需要强大的注册基础设施和位置服务。使用基于Internet域的命名[RFC2247](例如,UID=jdoe,DC=eng,DC=example,DC=net)允许LDAP目录服务利用现有的DNS[RFC1034]注册基础架构,DNS SRV[RFC2782]资源记录可用于定位服务[locate]。

1.1. The Glue
1.1. 胶水

Most existing LDAP implementations do not support location of directory services using DNS SRV resource records. However, most servers support generation of referrals to "superior" server(s). This service provides a "root" LDAP service which servers may use as their superior referral service.

大多数现有的LDAP实现不支持使用DNS SRV资源记录定位目录服务。但是,大多数服务器支持生成对“上级”服务器的推荐。此服务提供一个“根”LDAP服务,服务器可以将其用作其上级参考服务。

Client may also use the service directly to locate services associated with an arbitrary Distinguished Name [RFC2253] within the domain based hierarchy.

客户端还可以直接使用该服务来定位与基于域的层次结构中的任意可分辨名称[RFC2253]关联的服务。

Notice: The mechanisms used by service are experimental. The descriptions provided by this document are not definitive. Definitive mechanisms shall be published in a Standard Track document(s).

注意:服务使用的机制是实验性的。本文件提供的说明不具有决定性。最终机制应在标准跟踪文件中公布。

2. Generating Referrals based upon DNS SRV RRs
2. 基于DNS SRV RRs生成转介

This service returns referrals generated from DNS SRV resource records [RFC2782].

此服务返回从DNS SRV资源记录[RFC2782]生成的引用。

2.1. DN to Domain Name Mapping
2.1. DN到域名映射

The service maps a DN [RFC2253] to a fully qualified domain name using the following algorithm:

该服务使用以下算法将DN[RFC2253]映射到完全限定的域名:

       domain = null;
       foreach RDN left-to-right        // [1]
        
       domain = null;
       foreach RDN left-to-right        // [1]
        
       {
           if not multi-valued RDN and
               RDN.type == domainComponent
           {
               if ( domain == null || domain == "." )
               {   // start
                   domain = "";
               }
               else
               {   // append separator
                   domain .= ".";
               }
        
       {
           if not multi-valued RDN and
               RDN.type == domainComponent
           {
               if ( domain == null || domain == "." )
               {   // start
                   domain = "";
               }
               else
               {   // append separator
                   domain .= ".";
               }
        
               if ( RDN.value == "."  )
               {   // root
                   domain = ".";
               }
               else
        
               if ( RDN.value == "."  )
               {   // root
                   domain = ".";
               }
               else
        
               {   // append domainComponent
                   domain .= RDN.value;
               }
               continue;
           }
           domain = null;
       }
        
               {   // append domainComponent
                   domain .= RDN.value;
               }
               continue;
           }
           domain = null;
       }
        

Examples:

示例:

       Distinguished Name              Domain
       -----------------------------   ------------
       DC=example,DC=net               example.net
       UID=jdoe,DC=example,DC=net      example.net
       DC=.                            .            [2]
       DC=example,DC=net,DC=.          .            [3]
       DC=example,DC=.,DC=net          net          [4]
       DC=example.net                  example.net  [5]
       CN=Jane Doe,O=example,C=US      null
       UID=jdoe,DC=example,C=US        null
       DC=example,O=example,DC=net     net
       DC=example+O=example,DC=net     net
       DC=example,C=US+DC=net          null
        
       Distinguished Name              Domain
       -----------------------------   ------------
       DC=example,DC=net               example.net
       UID=jdoe,DC=example,DC=net      example.net
       DC=.                            .            [2]
       DC=example,DC=net,DC=.          .            [3]
       DC=example,DC=.,DC=net          net          [4]
       DC=example.net                  example.net  [5]
       CN=Jane Doe,O=example,C=US      null
       UID=jdoe,DC=example,C=US        null
       DC=example,O=example,DC=net     net
       DC=example+O=example,DC=net     net
       DC=example,C=US+DC=net          null
        

Notes:

笔记:

0) A later incarnation will use a Standard Track mechanism.

0) 稍后的化身将使用标准的跟踪机制。

1) A later incarnation of this service may use a right-to-left algorithm.

1) 此服务的后续版本可能会使用从右向左的算法。

2) RFC 2247 does not state how one can map the domain representing the root of the domain tree to a DN. We suggest the root of the domain tree be mapped to "DC=." and that this be reversable.

2) RFC 2247没有说明如何将表示域树根的域映射到DN。我们建议将域树的根映射到“DC=”,并且这是可逆的。

3) RFC 2247 states that domain "example.net" should be mapped to the DN "DC=example,DC=net", not to "DC=example,DC=net,DC=.". As it is not our intent to introduce or support an alternative domain to DN mapping, the algorithm ignores domainComponents to the left of "DC=.".

3) RFC 2247声明域“example.net”应该映射到DN“DC=example,DC=net”,而不是“DC=example,DC=net,DC=”。由于我们无意引入或支持域到DN的替代映射,因此该算法忽略了“DC=”左侧的domainComponents。

4) RFC 2247 states that domain "example.net" should be mapped to the DN "DC=example,DC=net", not to "DC=example,DC=.,DC=net". As it is not our intent to introduce or support an alternative domain to DN mapping, the algorithm ignores domainComponents to the left of "DC=." and "DC=." itself if further domainComponents are found to the right.

4) RFC 2247声明域“example.net”应该映射到DN“DC=example,DC=net”,而不是“DC=example,DC=,DC=net”。由于我们无意引入或支持另一种域到DN的映射,因此如果在右侧找到更多的域组件,该算法将忽略“DC=”和“DC=”左侧的域组件本身。

5) RFC 2247 states that value of an DC attribute type is a domain component. It should not contain multiple domain components. A later incarnation of this service may map this domain to null or be coded to return invalid DN error.

5) RFC 2247声明DC属性类型的值是域组件。它不应该包含多个域组件。此服务的后续版本可能会将此域映射为null,或对其进行编码以返回无效的DN错误。

If the domain is null or ".", the service aborts further processing and returns noSuchObject. Later incarnation of this service may abort processing if the resulting domain is a top-level domain.

如果域为null或“.”,服务将中止进一步处理并返回noSuchObject。如果生成的域是顶级域,则此服务的后续体现可能会中止处理。

2.2. Locating LDAP services
2.2. 查找LDAP服务

The root service locates services associated with a given fully qualified domain name by querying the Domain Name System for LDAP SRV resource records. For the domain example.net, the service would do a issue a SRV query for the domain "_ldap._tcp.example.net". A successful query will return one or more resource records of the form:

根服务通过查询域名系统中的LDAP SRV资源记录来定位与给定完全限定域名关联的服务。对于域example.net,服务将为域“\u ldap.\u tcp.example.net”发出一个SRV查询。成功的查询将返回表单的一个或多个资源记录:

_ldap._tcp.example.net. IN SRV 0 0 389 ldap.example.net.

_ldap.\u tcp.example.net。在SRV 0 389 ldap.example.net中。

If no LDAP SRV resource records are returned or any DNS error occurs, the service aborts further processing and returns noSuchObject. Later incarnations of this service will better handle transient errors.

如果未返回LDAP SRV资源记录或发生任何DNS错误,服务将中止进一步处理并返回noSuchObject。此服务的后续版本将更好地处理暂时性错误。

2.3. Constructing an LDAP Referrals
2.3. 构造LDAP引用

For each DNS SRV resource record returned for the domain, a LDAP URL [RFC2255] is constructed. For the above resource record, the URL would be:

对于为域返回的每个DNS SRV资源记录,将构造LDAP URL[RFC2255]。对于上述资源记录,URL应为:

     ldap://ldap.example.net:389/
        
     ldap://ldap.example.net:389/
        

These URLs are then returned in the referral. The URLs are currently returned in resolver order. That is, the server itself does not make use of priority or weight information in the SRV resource records. A later incarnation of this service may.

然后,这些URL将在引用中返回。URL当前以解析程序顺序返回。也就是说,服务器本身不使用SRV资源记录中的优先级或权重信息。这项服务的稍后化身可能会出现。

3. Protocol Operations
3. 协议操作

This section describes how the service performs basic LDAP operations. The service supports operations extended through certain controls as described in a later section.

本节介绍服务如何执行基本LDAP操作。该服务支持通过某些控件扩展的操作,如下文所述。

3.1. Basic Operations
3.1. 基本操作

Basic (add, compare, delete, modify, rename, search) operations return a referral result if the target (or base) DN can be mapped to a set of LDAP URLs as described above. Otherwise a noSuchObject response or other appropriate response is returned.

如果目标(或基本)DN可以如上所述映射到一组LDAP URL,则基本(添加、比较、删除、修改、重命名、搜索)操作将返回引用结果。否则将返回noSuchObject响应或其他适当的响应。

3.2. Bind Operation
3.2. 绑定操作

The service accepts "anonymous" bind specifying version 2 or version 3 of the protocol. All other bind requests will return a non-successful resultCode. In particular, clients which submit clear text credentials will be sent an unwillingToPerform resultCode with a cautionary text regarding providing passwords to strangers.

该服务接受指定协议版本2或版本3的“匿名”绑定。所有其他绑定请求将返回一个不成功的resultCode。特别是,提交明文凭据的客户端将被发送一个不情愿的操作结果代码,其中包含关于向陌生人提供密码的警告文本。

As this service is read-only, LDAPv3 authentication [RFC2829] is not supported.

由于此服务是只读的,因此不支持LDAPv3身份验证[RFC2829]。

3.3. Unbind Operations
3.3. 解绑作业

Upon receipt of an unbind request, the server abandons all outstanding requests made by client and disconnects.

在收到解除绑定请求后,服务器将放弃客户端发出的所有未完成请求并断开连接。

3.4. Extended Operations
3.4. 扩展操作

The service currently does recognize any extended operation. Later incarnations of the service may support Start TLS [RFC2830] and other operations.

该服务当前无法识别任何扩展操作。服务的后续版本可能支持启动TLS[RFC2830]和其他操作。

3.5. Update Operations
3.5. 更新操作

A later incarnation of this service may return unwillingToPerform for all update operations as this is an unauthenticated service.

此服务的后续版本可能会返回所有更新操作的不情愿操作,因为这是一个未经验证的服务。

4. Controls
4. 控制

The service supports the ManageDSAit control. Unsupported controls are serviced per RFC 2251.

该服务支持ManageDSAit控件。不支持的控件按照RFC 2251进行维护。

4.1. ManageDSAit Control
4.1. ManageDSAit控制

The server recognizes and honors the ManageDSAit control [NAMEDREF] provided with operations.

服务器识别并尊重随操作提供的ManageDSAit控件[NAMEDREF]。

If DNS location information is available for the base DN itself, the service will return unwillingToPerform for non-search operations. For search operations, an entry will be returned if within scope and matches the provided filter. For example:

如果基本DN本身的DNS位置信息可用,则服务将返回非搜索操作的不愿意操作。对于搜索操作,如果在范围内并且与提供的筛选器匹配,则将返回一个条目。例如:

       c: searchRequest {
           base="DC=example,DC=net"
           scope=base
           filter=(objectClass=*)
           ManageDSAit
       }
        
       c: searchRequest {
           base="DC=example,DC=net"
           scope=base
           filter=(objectClass=*)
           ManageDSAit
       }
        
       s: searchEntry {
           dn: DC=example,DC=net
           objectClass: referral
           objectClass: extensibleObject
           dc: example
           ref: ldap://ldap.example.net:389/
           associatedDomain: example.net
       }
       s: searchResult {
           success
       }
        
       s: searchEntry {
           dn: DC=example,DC=net
           objectClass: referral
           objectClass: extensibleObject
           dc: example
           ref: ldap://ldap.example.net:389/
           associatedDomain: example.net
       }
       s: searchResult {
           success
       }
        

If DNS location information is available for the DC portion of a subordinate entry, the service will return noSuchObject with the matchedDN set to the DC portion of the base for search and update operations.

如果DNS位置信息可用于从属条目的DC部分,则服务将返回noSuchObject,并将matchedDN设置为基本条目的DC部分,以进行搜索和更新操作。

       c: searchRequest {
           base="CN=subordinate,DC=example,DC=net"
           scope=base
           filter=(objectClass=*)
           ManageDSAit
       }
        
       c: searchRequest {
           base="CN=subordinate,DC=example,DC=net"
           scope=base
           filter=(objectClass=*)
           ManageDSAit
       }
        
       s: searchResult {
           noSuchObject
           matchedDN="DC=example,DC=net"
       }
        
       s: searchResult {
           noSuchObject
           matchedDN="DC=example,DC=net"
       }
        
5. Using the Service
5. 使用服务

Servers may be configured to refer superior requests to <ldap://root.openldap.org:389>.

服务器可以配置为将上级请求提交给<ldap://root.openldap.org:389>.

Though clients may use the service directly, this is not encouraged. Clients should use a local service and only use this service when referred to it.

虽然客户可以直接使用该服务,但不鼓励这样做。客户端应使用本地服务,并且仅在引用该服务时才使用该服务。

The service supports LDAPv3 and LDAPv2+ [LDAPv2+] clients over TCP/IPv4. Future incarnations of this service may support TCP/IPv6 or other transport/internet protocols.

该服务通过TCP/IPv4支持LDAPv3和LDAPv2+[LDAPv2+]客户端。此服务的未来版本可能支持TCP/IPv6或其他传输/互联网协议。

6. Lessons Learned
6. 经验教训
6.1. Scaling / Reliability
6.1. 缩放/可靠性

This service currently runs on a single host. This host and associated network resources are not yet exhausted. If they do become exhausted, we believe we can easily scale to meet the demand through common distributed load balancing technics. The service can also easily be duplicated locally.

此服务当前在单个主机上运行。此主机和关联的网络资源尚未用尽。如果他们真的精疲力竭了,我们相信我们可以通过通用的分布式负载平衡技术轻松扩展以满足需求。该服务也可以轻松地在本地复制。

6.2. Protocol interoperability
6.2. 协议互操作性

This service has able avoided known interoperability issues in supporting variants of LDAP.

该服务在支持LDAP变体时避免了已知的互操作性问题。

6.2.1. LDAPv3
6.2.1. LDAPv3

The server implements all features of LDAPv3 [RFC2251] necessary to provide the service.

服务器实现了提供服务所需的LDAPv3[RFC2251]的所有功能。

6.2.2. LDAPv2
6.2.2. LDAPv2

LDAPv2 [RFC1777] does not support the return of referrals and hence may not be referred to this service. Though a LDAPv2 client could connect and issue requests to this service, the client would treat any referral returned to it as an unknown error.

LDAPv2[RFC1777]不支持返回转介,因此可能不会被转介到此服务。虽然LDAPv2客户端可以连接并向该服务发出请求,但客户端会将返回给它的任何引用视为未知错误。

6.2.3. LDAPv2+
6.2.3. LDAPv2+

LDAPv2+ [LDAPv2+] provides a number of extensions to LDAPv2, including referrals. LDAPv2+, like LDAPv3, does not require a bind operation before issuing of other operations. As the referral representation differ between LDAPv2+ and LDAPv3, the service returns LDAPv3 referrals in this case. However, as commonly deployed LDAPv2+ clients issue bind requests (for compatibility with LDAPv2 servers), this has not generated any interoperability issues (yet).

LDAPv2+[LDAPv2+]为LDAPv2提供了许多扩展,包括转介。LDAPv2+与LDAPv3一样,在发出其他操作之前不需要绑定操作。由于LDAPv2+和LDAPv3之间的引用表示不同,因此在这种情况下,服务返回LDAPv3引用。但是,由于通常部署的LDAPv2+客户端会发出绑定请求(为了与LDAPv2服务器兼容),因此尚未产生任何互操作性问题(目前)。

A future incarnation of this service may drop support for LDAPv2+ (and LDAPv2).

此服务的未来版本可能会放弃对LDAPv2+(和LDAPv2)的支持。

6.2.4. CLDAP
6.2.4. CLDAP

CLDAP [RFC1798] does not support the return of referrals and hence is not supported.

CLDAP[RFC1798]不支持返回推荐,因此不受支持。

7. Security Considerations
7. 安全考虑

This service provides information to "anonymous" clients. This information is derived from the public directories, namely the Domain Name System.

此服务向“匿名”客户端提供信息。此信息来自公共目录,即域名系统。

The use of authentication would require clients to disclose information to the service. This would be an unnecessary invasion of privacy.

使用身份验证将要求客户端向服务披露信息。这将是对隐私的不必要侵犯。

The lack of encryption allows eavesdropping upon client requests and responses. A later incarnation of this service may support encryption (such as via Start TLS [RFC2830]).

由于缺少加密,因此可以窃听客户端请求和响应。此服务的后续版本可能支持加密(例如通过Start TLS[RFC2830])。

Information integrity protection is not provided by the service. The service is subject to varies forms of DNS spoofing and attacks. LDAP session or operation integrity would provide false sense of security concerning the integrity of DNS information. A later incarnation of this service may support DNSSEC and provide integrity protection (via SASL, TLS, or IPSEC).

该服务不提供信息完整性保护。该服务受到各种形式的DNS欺骗和攻击。LDAP会话或操作完整性将提供有关DNS信息完整性的错误安全感。此服务的后续版本可能支持DNSSEC并提供完整性保护(通过SASL、TLS或IPSEC)。

The service is subject to a variety of denial of service attacks. The service is capable of blocking access by a number of factors. This capability have yet to be used and likely would be ineffective in preventing sophisticated attacks. Later incarnations of this service will likely need better protection from such attacks.

该服务受到各种拒绝服务攻击。该服务能够通过多种因素阻止访问。这一能力尚未被使用,可能无法有效防止复杂的攻击。此服务的后续版本可能需要更好的保护,以防此类攻击。

8. Conclusions
8. 结论

DNS is good glue. By leveraging of the Domain Name System, global LDAP directories may be built without requiring a protocol specific registration infrastructures.

DNS是很好的粘合剂。通过利用域名系统,可以构建全局LDAP目录,而无需特定于协议的注册基础设施。

In addition, use of DNS service location allows global directories to be built "ad hoc". That is, anyone with a domain name can participate. There is no requirement that the superior domain participate.

此外,DNS服务位置的使用允许“临时”构建全局目录。也就是说,任何拥有域名的人都可以参与。不要求上级域参与。

9. Additional Information
9. 补充资料

Additional information about the OpenLDAP Project and the OpenLDAP Root Service can be found at <http://www.openldap.org/>.

有关OpenLDAP项目和OpenLDAP根服务的更多信息,请访问<http://www.openldap.org/>.

10. Author's Address
10. 作者地址

Kurt Zeilenga OpenLDAP Foundation

库尔特泽伦加OpenLDAP基金会

   EMail: kurt@openldap.org
        
   EMail: kurt@openldap.org
        
11. Acknowledgments
11. 致谢

Internet hosting for this experiment is provided by the Internet Software Consortium <http://www.isc.org/>. Computing resources were provided by Net Boolean Incorporated <http://www.boolean.net/>. This experiment would not have been possible without the contributions of numerous volunteers of the open source community. Mechanisms described in this document are based upon those introduced in [RFC2247] and [LOCATE].

本实验的互联网托管由互联网软件联盟提供<http://www.isc.org/>. 计算资源由净布尔公司提供<http://www.boolean.net/>. 如果没有开源社区众多志愿者的贡献,这个实验是不可能的。本文件中描述的机制基于[RFC2247]和[LOCATE]中介绍的机制。

References

工具书类

[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", STD 13, RFC 1034, November 1987.

[RFC1034]Mockapetris,P.,“域名-概念和设施”,STD 13,RFC 1034,1987年11月。

[RFC1777] Yeong, W., Howes, T. and S. Kille, "Lightweight Directory Access Protocol", RFC 1777, March 1995.

[RFC1777]Yeong,W.,Howes,T.和S.Kille,“轻量级目录访问协议”,RFC 17771995年3月。

[RFC1798] Young, A., "Connection-less Lightweight Directory Access Protocol", RFC 1798, June 1995.

[RFC1798]杨,A.,“无连接轻型目录访问协议”,RFC17981995年6月。

[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. Sataluri, "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, January 1998.

[RFC2247]Kille,S.,Wahl,M.,Grimstad,A.,Huber,R.和S.Sataluri,“在LDAP/X.500可分辨名称中使用域”,RFC 2247,1998年1月。

[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[RFC2251]Wahl,M.,Howes,T.和S.Kille,“轻量级目录访问协议(v3)”,RFC 2251,1997年12月。

[RFC2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC 2253, December 1997.

[RFC2253]Wahl,M.,Kille,S.和T.Howes,“轻量级目录访问协议(v3):可分辨名称的UTF-8字符串表示”,RFC 2253,1997年12月。

[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255, December 1997.

[RFC2255]Howes,T.和M.Smith,“LDAP URL格式”,RFC2255,1997年12月。

[RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000.

[RFC2782]Gulbrandsen,A.,Vixie,P.和L.Esibov,“用于指定服务位置(DNS SRV)的DNS RR”,RFC 2782,2000年2月。

[RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan, "Authentication Methods for LDAP", RFC 2829, May 2000.

[RFC2829]Wahl,M.,Alvestrand,H.,Hodges,J.和R.Morgan,“LDAP的身份验证方法”,RFC 28292000年5月。

[RFC2830] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security", RFC 2830, May 2000.

[RFC2830]Hodges,J.,Morgan,R.和M.Wahl,“轻量级目录访问协议(v3):传输层安全扩展”,RFC 28302000年5月。

[LOCATE] IETF LDAPext WG, "Discovering LDAP Services with DNS", Work in Progress.

[定位]IETF LDAPext工作组,“使用DNS发现LDAP服务”,工作正在进行中。

[LDAPv2+] University of Michigan LDAP Team, "Referrals within the LDAPv2 Protocol", August 1996.

[LDAPv2+]密歇根大学LDAP团队,1996年8月“LDAPv2协议内的推荐”。

[NAMEDREF] Zeilenga, K. (editor), "Named Subordinate References in LDAP Directories", Work in Progress.

[NAMEDREF]Zeilenga,K.(编辑),“LDAP目录中的命名从属引用”,正在进行中。

[X500] ITU-T Rec. X.500, "The Directory: Overview of Concepts, Models and Service", 1993.

[X500]ITU-T Rec.X.500,“目录:概念、模型和服务概述”,1993年。

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2001). All Rights Reserved.

版权所有(C)互联网协会(2001年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。