Network Working Group                                        K. Zeilenga
Request for Comments: 3296                           OpenLDAP Foundation
Category: Standards Track                                      July 2002

Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

This document details schema and protocol elements for representing and managing named subordinate references in Lightweight Directory Access Protocol (LDAP) Directories.

Conventions

Schema definitions are provided using LDAPv3 description formats [RFC2252]. Definitions provided here are formatted (line wrapped) for readability.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" used in this document are to be interpreted as described in BCP 14 [RFC2119].

1. Background and Intended Usage

The broadening of interest in LDAP (Lightweight Directory Access Protocol) [RFC2251] directories beyond their use as front ends to X.500 [X.500] directories has created a need to represent knowledge information in a more general way. Knowledge information is information about one or more servers maintained in another server, used to link servers and services together.

This document details schema and protocol elements for representing and manipulating named subordinate references in LDAP directories. A referral object is used to hold subordinate reference information in the directory. These referral objects hold one or more URIs [RFC2396] contained in values of the ref attribute type and are used to generate protocol referrals and continuations.

A control, ManageDsaIT, is defined to allow manipulation of referral and other special objects as normal objects. As the name of the control implies, it is intended to be analogous to the ManageDsaIT service option described in X.511(97) [X.511].

Other forms of knowledge information are not detailed by this document. These forms may be described in subsequent documents.

This document details subordinate referral processing requirements for servers. This document does not describe protocol syntax and semantics. This is detailed in RFC 2251 [RFC2251].

This document does not detail use of subordinate knowledge references to support replicated environments nor distributed operations (e.g., chaining of operations from one server to other servers).

2. Schema

2.1. The referral Object Class

A referral object is a directory entry whose structural object class is (or is derived from) the referral object class.

      ( 2.16.840.1.113730.3.2.6 NAME 'referral'
          DESC 'named subordinate reference object'
          STRUCTURAL
          MUST ref )

The referral object class is a structural object class used to represent a subordinate reference in the directory. The referral object class SHOULD be used in conjunction with the extensibleObject object class to support the naming attributes used in the entry's Distinguished Name (DN) [RFC2253].

Referral objects are normally instantiated at DSEs immediately subordinate to object entries within a naming context held by the DSA. Referral objects are analogous to X.500 subordinate knowledge (subr) DSEs [X.501].

In the presence of a ManageDsaIT control, referral objects are treated as normal entries as described in section 3. Note that the ref attribute is operational and will only be returned in a search entry response when requested.

In the absence of a ManageDsaIT control, the content of referral objects is used to construct referrals and search references as described in Section 4 and, as such, the referral entries are not themselves visible to clients.

2.2. The ref Attribute Type

      ( 2.16.840.1.113730.3.1.34 NAME 'ref'
          DESC 'named reference - a labeledURI'
          EQUALITY caseExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
          USAGE distributedOperation )

The ref attribute type has directoryString syntax and is case sensitive. The ref attribute is multi-valued. Values placed in the attribute MUST conform to the specification given for the labeledURI attribute [RFC2079]. The labeledURI specification defines a format that is a URI, optionally followed by whitespace and a label. This document does not make use of the label portion of the syntax. Future documents MAY enable new functionality by imposing additional structure on the label portion of the syntax as it appears in the ref attribute.

If the URI contained in a ref attribute value refers to an LDAP [RFC2251] server, it MUST be in the form of an LDAP URL [RFC2255]. The LDAP URL SHOULD NOT contain an explicit scope specifier, filter, attribute description list, or any extensions. The LDAP URL SHOULD contain a non-empty DN. The handling of LDAP URLs with absent or empty DN parts or with explicit scope specifier is not defined by this specification.

Other URI schemes MAY be used so long as all operations returning referrals based upon the value could be performed. This document does not detail use of non-LDAP URIs. This is left to future specifications.

The referential integrity of the URI SHOULD NOT be validated by the server holding or returning the URI (whether as a value of the attribute or as part of a referral result or search reference response).

When returning a referral result or search continuation, the server MUST NOT return the separator or label portions of the attribute values as part of the reference. When the attribute contains multiple values, the URI part of each value is used to construct the referral result or search continuation.

The ref attribute values SHOULD NOT be used as a relative name-component of an entry's DN [RFC2253].

This document uses the ref attribute in conjunction with the referral object class to represent subordinate references. The ref attribute may be used for other purposes as defined by other documents.

3. The ManageDsaIT Control

The client may provide the ManageDsaIT control with an operation to indicate that the operation is intended to manage objects within the DSA (server) Information Tree. The control causes DSA-specific entries (DSEs), regardless of type, to be treated as normal entries allowing clients to interrogate and update these entries using LDAP operations.

A client MAY specify the following control when issuing an add, compare, delete, modify, modifyDN, search request or an extended operation for which the control is defined.

The control type is 2.16.840.1.113730.3.4.2. The control criticality may be TRUE or, if FALSE, absent. The control value is absent.

When the control is present in the request, the server SHALL NOT generate a referral or continuation reference based upon information held in referral objects and instead SHALL treat the referral object as a normal entry. The server, however, is still free to return referrals for other reasons. When not present, referral objects SHALL be handled as described above.

The control MAY cause other objects to be treated as normal entries as defined by subsequent documents.
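As an added illustration, not part of this RFC and not code from any LDAP implementation, the following Python encodes and decodes the ManageDsaIT control as it travels in the controls field of an LDAPMessage. The ASN.1 shape comes from RFC 2251 section 4.1.12: Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }, where LDAPOID is an OCTET STRING carrying the dotted-decimal text rather than an ASN.1 OBJECT IDENTIFIER. The bytes it produces are constructed here for the example; the decoder also enforces this section's rule that the control carries no value.

```python
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"   # control type from section 3


def ber_len(n):
    """BER definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def encode_control(oid, criticality=False, value=None):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }.  LDAPOID is an OCTET STRING holding the
    dotted-decimal text (RFC 2251), so no base-128 OID arithmetic is involved.
    A FALSE criticality is left out, matching 'may be TRUE or, if FALSE, absent'."""
    out = tlv(0x04, oid.encode("ascii"))
    if criticality:
        out += tlv(0x01, b"\xff")
    if value is not None:
        out += tlv(0x04, value)
    return tlv(0x30, out)


def encode_controls(*controls):
    """The LDAPMessage field 'controls [0] Controls OPTIONAL': context tag [0],
    constructed (0xA0), wrapping the SEQUENCE OF Control."""
    return tlv(0xA0, b"".join(controls))


def read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_controls(buf):
    """Parse a [0] Controls field into [(oid, criticality, value), ...].
    Accepts an explicitly encoded FALSE criticality (BER allows it) and rejects a
    ManageDsaIT control that carries a value, which section 3 says is absent."""
    tag, seq, _ = read_tlv(buf, 0)
    if tag != 0xA0:
        raise ValueError("expected controls [0], got tag 0x%02x" % tag)
    controls, pos = [], 0
    while pos < len(seq):
        tag, ctl, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Control must be a SEQUENCE")
        tag, oid, p = read_tlv(ctl, 0)
        if tag != 0x04:
            raise ValueError("controlType must be an OCTET STRING")
        oid, crit, value = oid.decode("ascii"), False, None
        if p < len(ctl) and ctl[p] == 0x01:
            _, b, p = read_tlv(ctl, p)
            crit = b != b"\x00"
        if p < len(ctl) and ctl[p] == 0x04:
            _, value, p = read_tlv(ctl, p)
        if p != len(ctl):
            raise ValueError("trailing bytes inside Control")
        if oid == MANAGE_DSA_IT and value is not None:
            raise ValueError("ManageDsaIT control must not carry a value")
        controls.append((oid, crit, value))
    return controls


def manage_dsa_it_requested(controls_field):
    """Server-side decision from section 3: when the control is present the request
    treats referral objects as normal entries and no referral is built from 'ref'."""
    return any(oid == MANAGE_DSA_IT for oid, _, _ in decode_controls(controls_field))


if __name__ == "__main__":
    field = encode_controls(encode_control(MANAGE_DSA_IT, criticality=True))
    print(field.hex())
    print(manage_dsa_it_requested(field))
```

A server that finds the control in a request simply skips the referral-generation steps of sections 4 and 5 for that request. The decoder above only recognises ManageDsaIT; a real server must still reject any control type it does not recognise whose criticality is TRUE with unavailableCriticalExtension, as RFC 2251 requires, so "treat as normal entry" never happens by accident because an unknown critical control was ignored.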

4. Named Subordinate References

A named subordinate reference is constructed by instantiating a referral object in the referencing server with ref attribute values which point to the corresponding subtree maintained in the referenced server. In general, the name of the referral object is the same as the referenced object and this referenced object is a context prefix [X.501].

That is, if server A holds "DC=example,DC=net" and server B holds "DC=sub,DC=example,DC=net", server A may contain a referral object named "DC=sub,DC=example,DC=net" which contains a ref attribute with value of "ldap://B/DC=sub,DC=example,DC=net".

      dn: DC=sub,DC=example,DC=net
      dc: sub
      ref: ldap://B/DC=sub,DC=example,DC=net
      objectClass: referral
      objectClass: extensibleObject

Typically the DN of the referral object and the DN of the object in the referenced server are the same.

If the ref attribute has multiple values, all the DNs contained within the LDAP URLs SHOULD be equivalent. Administrators SHOULD avoid configuring naming loops using referrals.

Named references MUST be treated as normal entries if the request includes the ManageDsaIT control as described in section 3.

5. Scenarios

The following sections contain specifications of how referral objects should be used in different scenarios followed by examples that illustrate that usage. The scenarios described here consist of referral object handling when finding the target of a non-search operation, when finding the base of a search operation, and when generating search references. Lastly, other operation processing considerations are presented.

It is to be noted that, in this document, a search operation is conceptually divided into two distinct, sequential phases: (1) finding the base object where the search is to begin, and (2) performing the search itself. The first phase is similar to, but not the same as, finding the target of a non-search operation.

It should also be noted that the ref attribute may have multiple values and, where these sections refer to a single ref attribute value, multiple ref attribute values may be substituted and SHOULD be processed and returned (in any order) as a group in a referral or search reference in the same way as described for a single ref attribute value.

Search references returned for a given request may be returned in any order.

5.1. Example Configuration

For example, suppose the contacted server (hosta) holds the entry "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW" and the following referral objects:

      dn: OU=People,O=MNN,C=WW
      ou: People
      ref: ldap://hostb/OU=People,O=MNN,C=WW
      ref: ldap://hostc/OU=People,O=MNN,C=WW
      objectClass: referral
      objectClass: extensibleObject

      dn: OU=Roles,O=MNN,C=WW
      ou: Roles
      ref: ldap://hostd/OU=Roles,O=MNN,C=WW
      objectClass: referral
      objectClass: extensibleObject

The first referral object provides the server with the knowledge that subtree "OU=People,O=MNN,C=WW" is held by hostb and hostc (e.g., one is the master and the other a shadow). The second referral object provides the server with the knowledge that the subtree "OU=Roles,O=MNN,C=WW" is held by hostd.

Also, in the context of this document, the "nearest naming context" means the deepest context which the object is within. That is, if the object is within multiple naming contexts, the nearest naming context is the one which is subordinate to all other naming contexts the object is within.

5.2. Target Object Considerations

This section details referral handling for add, compare, delete, modify, and modify DN operations. If the client requests any of these operations, there are four cases that the server must handle with respect to the target object.

The DN part MUST be modified such that it refers to the appropriate target in the referenced server (as detailed below). Even where the DN to be returned is the same as the target DN, the DN part SHOULD NOT be trimmed.

In cases where the URI to be returned is an LDAP URL, the server SHOULD trim any present scope, filter, or attribute list from the URI before returning it. Critical extensions MUST NOT be trimmed or modified.

Case 1: The target object is not held by the server and is not within or subordinate to any naming context nor subordinate to any referral object held by the server.

The server SHOULD process the request normally as appropriate for a non-existent base which is not within any naming context of the server (generally return noSuchObject or a referral based upon superior knowledge reference information). This document does not detail management or processing of superior knowledge reference information.

Case 2: The target object is held by the server and is a referral object.

The server SHOULD return the URI value contained in the ref attribute of the referral object appropriately modified as described above.

Example: If the client issues a modify request for the target object of "OU=People,O=MNN,C=WW", the server will return:

         ModifyResponse (referral) {
             ldap://hostb/OU=People,O=MNN,C=WW
             ldap://hostc/OU=People,O=MNN,C=WW
         }

Case 3: The target object is not held by the server, but the nearest naming context contains no referral object which the target object is subordinate to.

If the nearest naming context contains no referral object which the target is subordinate to, the server SHOULD process the request as appropriate for a nonexistent target (generally return noSuchObject).

Case 4: The target object is not held by the server, but the nearest naming context contains a referral object which the target object is subordinate to.

If a client requests an operation for which the target object is not held by the server and the nearest naming context contains a referral object which the target object is subordinate to, the server SHOULD return a referral response constructed from the URI portion of the ref value of the referral object.

Example: If the client issues an add request where the target object has a DN of "CN=Manager,OU=Roles,O=MNN,C=WW", the server will return:

         AddResponse (referral) {
             ldap://hostd/CN=Manager,OU=Roles,O=MNN,C=WW
         }

Note that the DN part of the LDAP URL is modified such that it refers to the appropriate entry in the referenced server.

5.3. Base Object Considerations

This section details referral handling for base object processing within search operations. Like target object considerations for non-search operations, there are the four cases.

In cases where the URI to be returned is an LDAP URL, the server MUST provide an explicit scope specifier in the LDAP URL prior to returning it. In addition, the DN part MUST be modified such that it refers to the appropriate target in the referenced server (as detailed below).

If alias dereferencing was necessary in finding the referral object, the DN part of the URI MUST be replaced with the base DN as modified by the alias dereferencing such that the returned URL refers to the new target object per [RFC2251, 4.1.11].

Critical extensions MUST NOT be trimmed nor modified.

Case 1: The base object is not held by the server and is not within nor subordinate to any naming context held by the server.

The server SHOULD process the request normally as appropriate for a non-existent base which is not within any naming context of the server (generally return a superior referral or noSuchObject). This document does not detail management or processing of superior knowledge references.

Case 2: The base object is held by the server and is a referral object.

The server SHOULD return the URI value contained in the ref attribute of the referral object appropriately modified as described above.

Example: If the client issues a subtree search in which the base object is "OU=Roles,O=MNN,C=WW", the server will return

         SearchResultDone (referral) {
             ldap://hostd/OU=Roles,O=MNN,C=WW??sub
         }

If the client were to issue a base or oneLevel search instead of subtree, the returned LDAP URL would explicitly specify "base" or "one", respectively, instead of "sub".

Case 3: The base object is not held by the server, but the nearest naming context contains no referral object which the base object is subordinate to.

If the nearest naming context contains no referral object which the base is subordinate to, the request SHOULD be processed normally as appropriate for a nonexistent base (generally return noSuchObject).

Case 4: The base object is not held by the server, but the nearest naming context contains a referral object which the base object is subordinate to.

If a client requests a search for which the base object is not held by the server and the nearest naming context contains a referral object which the base object is subordinate to, the server SHOULD return a referral response which is constructed from the URI portion of the ref value of the referral object.

Example: If the client issues a base search request for "CN=Manager,OU=Roles,O=MNN,C=WW", the server will return

         SearchResultDone (referral) {
             ldap://hostd/CN=Manager,OU=Roles,O=MNN,C=WW??base
         }

If the client were to issue a subtree or oneLevel search instead of base, the returned LDAP URL would explicitly specify "sub" or "one", respectively, instead of "base".

Note that the DN part of the LDAP URL is modified such that it refers to the appropriate entry in the referenced server.

5.4. Search Continuation Considerations

For search operations, once the base object has been found and determined not to be a referral object, the search may progress. Any entry matching the filter and scope of the search which is not a referral object is returned to the client normally as described in [RFC2251].

For each referral object within the requested scope, regardless of the search filter, the server SHOULD return a SearchResultReference which is constructed from the URI component of values of the ref attribute. If the URI component is not an LDAP URL, it should be returned as is. If the LDAP URL's DN part is absent or empty, the DN part must be modified to contain the DN of the referral object. If the URI component is an LDAP URL, the URI SHOULD be modified to add an explicit scope specifier.

Subtree Example:

If a client requests a subtree search of "O=MNN,C=WW", then in addition to any entries within scope which match the filter, hosta will also return two search references as the two referral objects are within scope. One possible response might be:

          SearchEntry for O=MNN,C=WW
          SearchResultReference {
              ldap://hostb/OU=People,O=MNN,C=WW??sub
              ldap://hostc/OU=People,O=MNN,C=WW??sub
          }
          SearchEntry for CN=Manager,O=MNN,C=WW
          SearchResultReference {
              ldap://hostd/OU=Roles,O=MNN,C=WW??sub
          }
          SearchResultDone (success)

One Level Example:

If a client requests a one level search of "O=MNN,C=WW" then, in addition to any entries one level below the "O=MNN,C=WW" entry matching the filter, the server will also return two search references as the two referral objects are within scope. One possible sequence is shown:

          SearchResultReference {
              ldap://hostb/OU=People,O=MNN,C=WW??base
              ldap://hostc/OU=People,O=MNN,C=WW??base
          }
          SearchEntry for CN=Manager,O=MNN,C=WW
          SearchResultReference {
              ldap://hostd/OU=Roles,O=MNN,C=WW??base
          }
          SearchResultDone (success)

Note: Unlike the examples in Section 4.5.3.1 of RFC 2251, the LDAP URLs returned with the SearchResultReference messages contain, as required by this specification, an explicit scope specifier.
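The four cases of sections 5.2 and 5.3, the search-continuation rule of section 5.4 and the ref value constraints of section 2.2, worked through in Python as an added example that is neither part of this RFC nor code from any LDAP server. It models hosta from section 5.1 with constructed data (hostb, hostc and hostd are the hypothetical hosts of that section; the DN comparison is a simplified stand-in for RFC 2253 matching and does not cope with escaped commas inside attribute values).

```python
from dataclasses import dataclass

def parse_ldap_url(url):
    """ldap://host[:port]/dn[?attrs[?scope[?filter[?exts]]]] (RFC 2255) ->
    (hostport, dn, attrs, scope, filter, exts); absent parts come back as ''."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = url[len("ldap://"):].partition("/")
    return (hostport, *(path.split("?", 4) + [""] * 5)[:5])

def check_ref_value(value):
    """Section 2.2 checks on one 'ref' value: the labeledURI label after the first
    whitespace is ignored; an LDAP URL should have a non-empty DN and no attribute
    list, scope, filter or extensions.  Returns (uri, list_of_problems)."""
    uri, problems = value.split(None, 1)[0], []
    if uri.lower().startswith("ldap://"):
        _, dn, attrs, scope, flt, exts = parse_ldap_url(uri)
        problems += ["empty DN"] if not dn else []
        named = (("attribute list", attrs), ("scope", scope), ("filter", flt), ("extensions", exts))
        problems += ["explicit " + name for name, part in named if part]
    return uri, problems

def norm_dn(dn):
    """Comparison key (trim + case-fold per RDN); a stand-in for RFC 2253 matching
    that ignores escaped commas inside values."""
    return ",".join(c.strip().lower() for c in dn.split(","))

def is_subordinate(dn, ancestor):
    d, a = norm_dn(dn), norm_dn(ancestor)
    return d != a and d.endswith("," + a)

def depth(dn):
    return norm_dn(dn).count(",")

@dataclass
class Server:
    contexts: list   # naming contexts held by this server
    entries: list    # DNs of ordinary entries
    referrals: dict  # referral object DN -> list of 'ref' values

    def locate(self, dn):
        """Four cases of sections 5.2/5.3 -> (case, referral_object_dn); case 0 = held here."""
        key = norm_dn(dn)
        for r in self.referrals:
            if norm_dn(r) == key:
                return 2, r                      # dn names a referral object
        if key in map(norm_dn, self.entries):
            return 0, None
        if not any(is_subordinate(dn, c) or norm_dn(c) == key for c in self.contexts):
            return 1, None                       # outside every naming context held here
        below = [r for r in self.referrals if is_subordinate(dn, r)]
        return (4, max(below, key=depth)) if below else (3, None)

    def referral_urls(self, referral_dn, target_dn, scope=None):
        """Referral result (5.2, scope=None) or search-base referral (5.3, scope set):
        DN part rewritten to target_dn, attrs/scope/filter trimmed, critical ('!')
        extensions kept, non-LDAP URIs passed through untouched."""
        urls = []
        for value in self.referrals[referral_dn]:
            uri, _ = check_ref_value(value)      # drops any labeledURI label
            if not uri.lower().startswith("ldap://"):
                urls.append(uri)
                continue
            hostport, dn, _a, _s, _f, exts = parse_ldap_url(uri)
            n = depth(target_dn) - depth(referral_dn)   # RDNs below the referral object
            prefix = ",".join(target_dn.split(",")[:n] + [""]) if n > 0 else ""
            critical = ",".join(e for e in exts.split(",") if e.startswith("!"))
            parts = [prefix + (dn or referral_dn), "", scope or "", "", critical]
            while len(parts) > 1 and not parts[-1]:
                parts.pop()                      # no trailing '?' separators
            urls.append("ldap://%s/%s" % (hostport, "?".join(parts)))
        return urls

    def search_references(self, base_dn, scope):
        """SearchResultReference groups (5.4): one group per referral object inside the
        scope, each URL given an explicit scope: 'sub' for subtree, 'base' for oneLevel."""
        groups = []
        for r in self.referrals:
            if scope == "sub":
                in_scope = is_subordinate(r, base_dn)
            else:                                # "one": the referral object's parent is the base
                in_scope = norm_dn(r).partition(",")[2] == norm_dn(base_dn)
            if in_scope:
                groups.append(self.referral_urls(r, r, "sub" if scope == "sub" else "base"))
        return groups

# Constructed data: hosta from section 5.1 (hypothetical hosts, not a real deployment).
HOSTA = Server(
    contexts=["O=MNN,C=WW"],
    entries=["O=MNN,C=WW", "CN=Manager,O=MNN,C=WW"],
    referrals={
        "OU=People,O=MNN,C=WW": ["ldap://hostb/OU=People,O=MNN,C=WW",
                                 "ldap://hostc/OU=People,O=MNN,C=WW"],
        "OU=Roles,O=MNN,C=WW": ["ldap://hostd/OU=Roles,O=MNN,C=WW"],
    },
)
```

HOSTA.locate("CN=Manager,OU=Roles,O=MNN,C=WW") yields case 4 with the Roles referral object, and referral_urls with that target rewrites the DN part exactly as the AddResponse example in section 5.2 shows; passing scope="base" produces the SearchResultDone URL of section 5.3, and search_references("O=MNN,C=WW", "one") returns the ??base references of the one-level example. check_ref_value is the write-time check a practitioner wants: a stored value that already carries "??sub" breaks the SHOULD of section 2.2 and its scope would be silently trimmed or overwritten on the way out, so it is better rejected when the referral object is created than discovered in client behaviour later.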

5.6. Other Considerations

This section details processing considerations for other operations.

5.6.1 Bind

Servers SHOULD NOT return referral result code if the bind name (or authentication identity or authorization identity) is (or is subordinate to) a referral object but MAY use the knowledge information to process the bind request (such as in support of a future distributed operation specification). Where the server makes no use of the knowledge information, the server processes the request normally as appropriate for a non-existent authentication or authorization identity (e.g., return invalidCredentials).

5.6.2 Modify DN

If the newSuperior is a referral object or is subordinate to a referral object, the server SHOULD return affectsMultipleDSAs. If the newRDN already exists but is a referral object, the server SHOULD return affectsMultipleDSAs instead of entryAlreadyExists.

6. Security Considerations

This document defines mechanisms that can be used to tie LDAP (and other) servers together. The information used to tie services together should be protected from unauthorized modification. A client that follows a referral typically opens a new connection to the host named in the URL and may re-authenticate there, so a party able to write ref values can steer clients, and possibly their credentials, to a server of its choosing; access control on the ref attribute and on referral objects (including requests carrying the ManageDsaIT control, which exposes them as ordinary entries) should be set accordingly. If the server topology information is not public information, it should be protected from unauthorized disclosure as well.

7. Acknowledgments

This document borrows heavily from previous work by IETF LDAPext Working Group. In particular, this document is based upon "Named Referral in LDAP Directories" (an expired Internet Draft) by Christopher Lukas, Tim Howes, Michael Roszkowski, Mark C. Smith, and Mark Wahl.

8. Normative References

[RFC2079] Smith, M., "Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs)", RFC 2079, January 1997.

[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.

[RFC2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC 2253, December 1997.

[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255, December 1997.

[RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998.

[X.501] ITU-T, "The Directory: Models", X.501, 1993.

9. Informative References

[X.500] ITU-T, "The Directory: Overview of Concepts, Models, and Services", X.500, 1993.

[X.511] ITU-T, "The Directory: Abstract Service Definition", X.511, 1997.

10. Author's Address

Kurt D. Zeilenga
OpenLDAP Foundation

EMail: Kurt@OpenLDAP.org

11. Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.