Network Working Group                                        K. Zeilenga
Request for Comments: 3672                           OpenLDAP Foundation
Category: Standards Track                                        S. Legg
                                                     Adacel Technologies
                                                           December 2003
        
Network Working Group                                        K. Zeilenga
Request for Comments: 3672                           OpenLDAP Foundation
Category: Standards Track                                        S. Legg
                                                     Adacel Technologies
                                                           December 2003
        

Subentries in the Lightweight Directory Access Protocol (LDAP)

轻量级目录访问协议(LDAP)中的子项

Status of this Memo

本备忘录的状况

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2003). All Rights Reserved.

版权所有(C)互联网协会(2003年)。版权所有。

Abstract

摘要

In X.500 directories, subentries are special entries used to hold information associated with a subtree or subtree refinement. This document adapts X.500 subentries mechanisms for use with the Lightweight Directory Access Protocol (LDAP).

在X.500目录中,子条目是用于保存与子树或子树细化相关联的信息的特殊条目。本文档调整了X.500子条目机制,以便与轻量级目录访问协议(LDAP)一起使用。

1. Overview
1. 概述

From [X.501]:

从[X.501]:

A subentry is a special kind of entry immediately subordinate to an administrative point. It contains attributes that pertain to a subtree (or subtree refinement) associated with its administrative point. The subentries and their administrative point are part of the same naming context.

子条目是直接从属于管理点的一种特殊条目。它包含与管理点关联的子树(或子树细化)相关的属性。子条目及其管理点是同一命名上下文的一部分。

A single subentry may serve all or several aspects of administrative authority. Alternatively, a specific aspect of administrative authority may be handled through one or more of its own subentries.

一个分项可以服务于行政权力的所有或几个方面。或者,可以通过一个或多个子条目处理行政权力的特定方面。

Subentries in the Lightweight Directory Access Protocol (LDAP) [RFC3377] SHALL behave in accordance with X.501 unless noted otherwise in this specification.

除非本规范中另有说明,否则轻型目录访问协议(LDAP)[RFC3377]中的子项的行为应符合X.501。

In absence of the subentries control (detailed in Section 3), subentries SHALL NOT be considered in one-level and subtree scope search operations. For all other operations, including base scope search operations, subentries SHALL be considered.

在缺乏子条目控制的情况下(详见第3节),在一级和子树范围搜索操作中不应考虑子条目。对于所有其他操作,包括基本范围搜索操作,应考虑子项。

1.1. Conventions
1.1. 习俗

Schema definitions are provided using LDAP description formats [RFC2252]. Definitions provided here are formatted (line wrapped) for readability.

模式定义使用LDAP描述格式[RFC2252]提供。为了便于阅读,这里提供的定义是格式化的(换行)。

Protocol elements are described using ASN.1 [X.680]. The term "BER-encoded" means the element is to be encoded using the Basic Encoding Rules [X.690] under the restrictions detailed in Section 5.1 of [RFC2251].

协议元素使用ASN.1[X.680]进行描述。术语“BER编码”是指根据[RFC2251]第5.1节详述的限制,使用基本编码规则[X.690]对元素进行编码。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14[RFC2119]中所述进行解释。

2. Subentry Schema
2. 子项模式
2.1. Subtree Specification Syntax
2.1. 子树规范语法

The Subtree Specification syntax provides a general purpose mechanism for the specification of a subset of entries in a subtree of the Directory Information Tree (DIT). A subtree begins at some base entry and includes the subordinates of that entry down to some identified lower boundary, possibly extending to the leaf entries. A subtree specification is always used within a context or scope which implicitly determines the bounds of the subtree. For example, the scope of a subtree specification for a subschema administrative area does not include the subtrees of any subordinate administrative point entries for subschema administration. Where a subtree specification does not identify a contiguous subset of the entries within a single subtree the collection is termed a subtree refinement.

子树规范语法提供了一种通用机制,用于规范目录信息树(DIT)子树中的条目子集。子树从某个基本条目开始,包括该条目的下级,直至某个已确定的下边界,可能延伸到叶条目。子树规范总是在隐式确定子树边界的上下文或范围内使用。例如,子模式管理区域的子树规范的范围不包括子模式管理的任何下级管理点条目的子树。如果子树规范未标识单个子树中的条目的连续子集,则该集合称为子树细化。

This syntax corresponds to the SubtreeSpecification ASN.1 type described in [X.501], Section 11.3. This ASN.1 data type definition is reproduced here for completeness.

此语法对应于[X.501]第11.3节中描述的子树规范ASN.1类型。为了完整起见,这里复制了ASN.1数据类型定义。

     SubtreeSpecification ::= SEQUENCE {
         base                [0] LocalName DEFAULT { },
                                 COMPONENTS OF ChopSpecification,
         specificationFilter [4] Refinement OPTIONAL }
        
     SubtreeSpecification ::= SEQUENCE {
         base                [0] LocalName DEFAULT { },
                                 COMPONENTS OF ChopSpecification,
         specificationFilter [4] Refinement OPTIONAL }
        
     LocalName ::= RDNSequence
        
     LocalName ::= RDNSequence
        
     ChopSpecification ::= SEQUENCE {
         specificExclusions  [1] SET OF CHOICE {
                                 chopBefore [0] LocalName,
                                 chopAfter [1] LocalName } OPTIONAL,
         minimum             [2] BaseDistance DEFAULT 0,
         maximum             [3] BaseDistance OPTIONAL }
        
     ChopSpecification ::= SEQUENCE {
         specificExclusions  [1] SET OF CHOICE {
                                 chopBefore [0] LocalName,
                                 chopAfter [1] LocalName } OPTIONAL,
         minimum             [2] BaseDistance DEFAULT 0,
         maximum             [3] BaseDistance OPTIONAL }
        
     BaseDistance ::= INTEGER (0 .. MAX)
        
     BaseDistance ::= INTEGER (0 .. MAX)
        
     Refinement ::= CHOICE {
         item                [0] OBJECT-CLASS.&id,
         and                 [1] SET OF Refinement,
         or                  [2] SET OF Refinement,
         not                 [3] Refinement }
        
     Refinement ::= CHOICE {
         item                [0] OBJECT-CLASS.&id,
         and                 [1] SET OF Refinement,
         or                  [2] SET OF Refinement,
         not                 [3] Refinement }
        

The components of SubtreeSpecification are: base, which identifies the base entry of the subtree or subtree refinement, and specificExclusions, minimum, maximum and specificationFilter, which then reduce the set of subordinate entries of the base entry. The subtree or subtree refinement contains all the entries within scope that are not excluded by any of the components of the subtree specification. When all of the components of SubtreeSpecification are absent (i.e., when a value of the Subtree Specification syntax is the empty sequence, {}), the specified subtree implicitly includes all the entries within scope.

子树指定的组件包括:base,用于标识子树或子树细化的基本条目;SpecificExclutions、minimum、maximum和specificationFilter,用于减少基本条目的从属条目集。子树或子树细化包含范围内未被子树规范的任何组件排除的所有条目。当子树规范的所有组件都不存在时(即,子树规范语法的值为空序列{}),指定的子树隐式地包含范围内的所有条目。

Any particular use of this mechanism MAY impose limitations or constraints on the components of SubtreeSpecification.

此机制的任何特定使用都可能对子树指定的组件施加限制或约束。

The LDAP syntax specification is:

LDAP语法规范是:

( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' )

(1.3.6.1.4.1.1466.115.121.1.45描述“子树规范”)

The LDAP-specific encoding of values of this syntax is defined by the Generic String Encoding Rules [RFC3641]. Appendix A provides an equivalent Augmented Backus-Naur Form (ABNF) [RFC2234] for this syntax.

此语法值的LDAP特定编码由通用字符串编码规则[RFC3641]定义。附录A为该语法提供了一个等效的扩展巴科斯诺尔形式(ABNF)[RFC2234]。

2.1.1. Base
2.1.1. 基础

The base component of SubtreeSpecification nominates the base entry of the subtree or subtree refinement. The base entry may be an entry which is subordinate to the root entry of the scope in which the subtree specification is used, in which case the base component contains a sequence of Relative Distinguished Names (RDNs) relative to the root entry of the scope, or may be the root entry of the scope itself (the default), in which case the base component is absent or contains an empty sequence of RDNs.

子树指定的基本组件指定子树或子树细化的基本条目。基本条目可以是从属于使用子树规范的范围的根条目的条目,在这种情况下,基本组件包含相对于范围的根条目的相对可分辨名称(RDN)序列,或者可以是范围本身的根条目(默认),在这种情况下,基本组件不存在或包含空的RDN序列。

Entries that are not subordinates of the base entry are excluded from the subtree or subtree refinement.

子树或子树精化将排除不是基本项的从属项的项。

2.1.2. Specific Exclusions
2.1.2. 具体排除

The specificExclusions component of a ChopSpecification is a list of exclusions that specify entries and their subordinates to be excluded from the subtree or subtree refinement. The entry is specified by a sequence of RDNs relative to the base entry (i.e., a LocalName). Each exclusion is of either the chopBefore or chopAfter form. If the chopBefore form is used then the specified entry and its subordinates are excluded from the subtree or subtree refinement. If the chopAfter form is used then only the subordinates of the specified entry are excluded from the subtree or subtree refinement.

ChopSpecification的SpecificExclutions组件是一个排除列表,用于指定要从子树或子树细化中排除的条目及其从属项。该条目由相对于基本条目(即LocalName)的RDN序列指定。每一项除外条款均为“之前盖章”或“之后盖章”形式。如果使用chopBefore表单,则指定的条目及其从属条目将从子树或子树细化中排除。如果使用chopAfter表单,则子树或子树细化中仅排除指定条目的从属项。

2.1.3. Minimum and Maximum
2.1.3. 最小值和最大值

The minimum and maximum components of a ChopSpecification allow the exclusion of entries based on their depth in the DIT.

ChopSpecification的最小和最大组件允许根据条目在DIT中的深度排除条目。

Entries that are less than the minimum number of RDN arcs below the base entry are excluded from the subtree or subtree refinement. A minimum value of zero (the default) corresponds to the base entry.

在子树或子树细化中,将排除低于基本项的最小RDN弧数的项。最小值零(默认值)对应于基本条目。

Entries that are more than the maximum number of RDN arcs below the base entry are excluded from the subtree or subtree refinement. An absent maximum component indicates that there is no upper limit on the number of RDN arcs below the base entry for entries in the subtree or subtree refinement.

超过基本项下最大RDN弧数的项将从子树或子树细化中排除。缺少最大值组件表示子树或子树细化中的条目的基本条目下方的RDN弧数没有上限。

2.1.4. Specification Filter
2.1.4. 规格过滤器

The specificationFilter component is a boolean expression of assertions about the values of the objectClass attribute of the base entry and its subordinates. A Refinement assertion item evaluates to true for an entry if that entry's objectClass attribute contains the OID nominated in the assertion. Entries for which the overall filter evaluates to false are excluded from the subtree refinement. If the specificationFilter is absent then no entries are excluded from the subtree or subtree refinement because of their objectClass attribute values.

specificationFilter组件是一个布尔表达式,用于断言基本项及其从属项的objectClass属性的值。如果条目的objectClass属性包含在断言中指定的OID,则优化断言项对该条目的计算结果为true。整个筛选器计算为false的条目将从子树细化中排除。如果缺少specificationFilter,则不会因为条目的objectClass属性值而将其排除在子树或子树细化之外。

2.2. Administrative Role Attribute Type
2.2. 管理角色属性类型

The Administrative Model defined in [X.501], clause 10 requires that administrative entries contain an administrativeRole attribute to indicate that the associated administrative area is concerned with one or more administrative roles.

[X.501]第10条中定义的管理模型要求管理条目包含AdministrativeOLE属性,以指示关联的管理区域涉及一个或多个管理角色。

The administrativeRole operational attribute is specified as follows:

AdministrativeOLE操作属性指定如下:

( 2.5.18.5 NAME 'administrativeRole' EQUALITY objectIdentifierMatch USAGE directoryOperation SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

(2.5.18.5名称'AdministrativeOLE'相等对象标识符匹配用法目录操作语法1.3.6.1.4.1.1466.115.121.1.38)

The possible values of this attribute defined in X.501 are:

X.501中定义的该属性的可能值为:

        OID            NAME
        --------  -------------------------------
       2.5.23.1   autonomousArea
       2.5.23.2   accessControlSpecificArea
       2.5.23.3   accessControlInnerArea
       2.5.23.4   subschemaAdminSpecificArea
       2.5.23.5   collectiveAttributeSpecificArea
       2.5.23.6   collectiveAttributeInnerArea
        
        OID            NAME
        --------  -------------------------------
       2.5.23.1   autonomousArea
       2.5.23.2   accessControlSpecificArea
       2.5.23.3   accessControlInnerArea
       2.5.23.4   subschemaAdminSpecificArea
       2.5.23.5   collectiveAttributeSpecificArea
       2.5.23.6   collectiveAttributeInnerArea
        

Other values may be defined in other specifications. Names associated with each administrative role are Object Identifier Descriptors [RFC3383].

其他值可在其他规范中定义。与每个管理角色关联的名称是对象标识符描述符[RFC3383]。

The administrativeRole operational attribute is also used to regulate the subentries permitted to be subordinate to an administrative entry. A subentry not of a class permitted by the administrativeRole attribute cannot be subordinate to the administrative entry.

AdministrativeOLE操作属性还用于调节允许从属于管理条目的子条目。不属于AdministrativeOLE属性允许的类的子项不能从属于该管理项。

2.3. Subtree Specification Attribute Type
2.3. 子树规范属性类型

The subtreeSpecification operational attribute is defined as follows:

SubtreesSpecification操作属性定义如下:

( 2.5.18.6 NAME 'subtreeSpecification' SINGLE-VALUE USAGE directoryOperation SYNTAX 1.3.6.1.4.1.1466.115.121.1.45 )

(2.5.18.6名称“子树指定”单值使用目录操作语法1.3.6.1.4.1.1466.115.121.1.45)

This attribute is present in all subentries. See [X.501], clause 10. Values of the subtreeSpecification attribute nominate collections of entries within the DIT for one or more aspects of administrative authority.

此属性存在于所有子项中。见[X.501],第10条。SubtreesSpecification属性的值指定DIT中管理权限的一个或多个方面的条目集合。

2.4. Subentry Object Class
2.4. 子项对象类

The subentry object class is a structural object class.

子条目对象类是一个结构对象类。

( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )

(2.5.17.0名称“子条目”辅助结构必须(cn$子树规范))

3. Subentries Control
3. 子项控制

The subentries control MAY be sent with a searchRequest to control the visibility of entries and subentries which are within scope. Non-visible entries or subentries are not returned in response to the request.

子条目控件可以与searchRequest一起发送,以控制范围内条目和子条目的可见性。不可见的条目或子条目不会在响应请求时返回。

The subentries control is an LDAP Control whose controlType is 1.3.6.1.4.1.4203.1.10.1, criticality is TRUE or FALSE (hence absent), and controlValue contains a BER-encoded BOOLEAN indicating visibility. A controlValue containing the value TRUE indicates that subentries are visible and normal entries are not. A controlValue containing the value FALSE indicates that normal entries are visible and subentries are not.

子条目控件是一个LDAP控件,其controlType为1.3.6.1.4.1.4203.1.10.1,临界性为真或假(因此不存在),controlValue包含一个指示可见性的BER编码布尔值。包含值TRUE的controlValue表示子项可见,而普通项不可见。包含值FALSE的controlValue表示正常条目可见,子条目不可见。

Note that TRUE visibility has the three octet encoding { 01 01 FF } and FALSE visibility has the three octet encoding { 01 01 00 }.

请注意,真实可见性具有三个八位组编码{01 01 FF},而虚假可见性具有三个八位组编码{01 01 00}。

The controlValue SHALL NOT be absent.

不得缺少控制值。

In absence of this control, subentries are not visible to singleLevel and wholeSubtree scope Search requests but are visible to baseObject scope Search requests.

在缺少此控件的情况下,子项对单级和整子树范围搜索请求不可见,但对baseObject范围搜索请求可见。

There is no corresponding response control.

没有相应的响应控制。

This control is not appropriate for non-Search operations.

此控件不适用于非搜索操作。

4. Security Considerations
4. 安全考虑

Subentries often hold administrative information or other sensitive information and should be protected from unauthorized access and disclosure as described in [RFC2829][RFC2830].

子条目通常包含管理信息或其他敏感信息,应按照[RFC2829][RFC2830]中的说明进行保护,防止未经授权的访问和披露。

General LDAP [RFC3377] security considerations also apply.

一般LDAP[RFC3377]安全注意事项也适用。

5. IANA Considerations
5. IANA考虑
5.1. Descriptors
5.1. 描述符

The IANA has registered the LDAP descriptors detailed in this technical specification. The following registration template is suggested:

IANA已经注册了本技术规范中详述的LDAP描述符。建议使用以下注册模板:

Subject: Request for LDAP Descriptor Registration Descriptor (short name): see comment Object Identifier: see comment Person & email address to contact for further information: Kurt Zeilenga <kurt@OpenLDAP.org> Usage: see comment Specification: RFC3672 Author/Change Controller: IESG Comments:

主题:请求LDAP描述符注册描述符(简称):请参阅注释对象标识符:请参阅注释联系人和电子邮件地址以获取更多信息:Kurt Zeilenga<kurt@OpenLDAP.org>用法:请参阅注释规范:RFC3672作者/更改控制器:IESG注释:

         NAME                            Type OID
         ------------------------        ---- --------
         accessControlInnerArea          R    2.5.23.3
         accessControlSpecificArea       R    2.5.23.2
         administrativeRole              A    2.5.18.5
         autonomousArea                  R    2.5.23.1
         collectiveAttributeInnerArea    R    2.5.23.6
         collectiveAttributeSpecificArea R    2.5.23.5
         subentry                        O    2.5.17.0
         subschemaAdminSpecificArea      R    2.5.23.4
         subtreeSpecification            A    2.5.18.6
        
         NAME                            Type OID
         ------------------------        ---- --------
         accessControlInnerArea          R    2.5.23.3
         accessControlSpecificArea       R    2.5.23.2
         administrativeRole              A    2.5.18.5
         autonomousArea                  R    2.5.23.1
         collectiveAttributeInnerArea    R    2.5.23.6
         collectiveAttributeSpecificArea R    2.5.23.5
         subentry                        O    2.5.17.0
         subschemaAdminSpecificArea      R    2.5.23.4
         subtreeSpecification            A    2.5.18.6
        

where Type A is Attribute, Type O is ObjectClass, and Type R is Administrative Role.

其中,类型A是属性,类型O是对象类,类型R是管理角色。

5.2. Object Identifiers
5.2. 对象标识符

This document uses the OID 1.3.6.1.4.1.4203.1.10.1 to identify an LDAP protocol element defined herein. This OID was assigned [ASSIGN] by OpenLDAP Foundation, under its IANA-assigned private enterprise allocation [PRIVATE], for use in this specification.

本文档使用OID 1.3.6.1.4.1.4203.1.10.1来标识此处定义的LDAP协议元素。此OID由OpenLDAP基金会指派(赋值),在其IANA分配的私有企业分配(私有)下,用于本规范中。

Other OIDs which appear in this document were either assigned by the ISO/IEC Joint Technical Committee 1 - Subcommittee 6 to identify elements of X.500 schema or assigned in RFC 2252 for the use described here.

本文件中出现的其他OID由ISO/IEC联合技术委员会1-第6小组委员会指定,以识别X.500模式的元素,或在RFC 2252中指定,用于此处所述的用途。

5.3. Protocol Mechanisms
5.3. 协议机制

The IANA has registered the LDAP protocol mechanisms [RFC3383] detailed in this specification.

IANA已经注册了本规范中详述的LDAP协议机制[RFC3383]。

Subject: Request for LDAP Protocol Mechanism Registration

主题:请求LDAP协议机制注册

Description: Subentries

说明:分项

   Person & email address to contact for further information:
        Kurt Zeilenga <kurt@openldap.org>
        
   Person & email address to contact for further information:
        Kurt Zeilenga <kurt@openldap.org>
        

Usage: Control

用法:对照

Specification: RFC3672

规格:RFC3672

Author/Change Controller: IESG

作者/变更控制员:IESG

Comments: none

评论:无

6. Acknowledgment
6. 致谢

This document is based on engineering done by IETF LDUP and LDAPext Working Groups including "LDAP Subentry Schema" by Ed Reed. This document also borrows from a number of ITU documents including X.501.

本文档基于IETF LDUP和LDAPext工作组完成的工程,包括Ed Reed的“LDAP子项模式”。本文件还借鉴了许多国际电联文件,包括X.501。

7. Intellectual Property Statement
7. 知识产权声明

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涉及实施本标准所需技术的专有权利。请将信息发送给IETF执行董事。

A. Subtree Specification ABNF

A.子树规范ABNF

This appendix is non-normative.

本附录为非规范性附录。

The LDAP-specific string encoding for the Subtree Specification syntax is specified by the Generic String Encoding Rules [RFC3641]. The ABNF [RFC2234] in this appendix for this syntax is provided only as a convenience and is equivalent to the encoding specified by the application of [RFC3641]. Since the SubtreeSpecification ASN.1 type may be extended in future editions of [X.501], the provided ABNF should be regarded as a snapshot in time. The LDAP-specific encoding for any extension to the SubtreeSpecification ASN.1 type can be determined from [RFC3641].

子树规范语法的LDAP特定字符串编码由通用字符串编码规则[RFC3641]指定。本附录中用于此语法的ABNF[RFC2234]仅为方便起见提供,等同于[RFC3641]应用程序指定的编码。由于子树规范ASN.1类型可能会在[X.501]的未来版本中进行扩展,因此提供的ABNF应及时视为快照。子树指定ASN.1类型的任何扩展的LDAP特定编码可以从[RFC3641]中确定。

In the event that there is a discrepancy between this ABNF and the encoding determined by [RFC3641], [RFC3641] is to be taken as definitive.

如果此ABNF与[RFC3641]确定的编码之间存在差异,则将[RFC3641]视为最终编码。

   SubtreeSpecification = "{"    [ sp ss-base ]
                             [ sep sp ss-specificExclusions ]
                             [ sep sp ss-minimum ]
                             [ sep sp ss-maximum ]
                             [ sep sp ss-specificationFilter ]
                                   sp "}"
        
   SubtreeSpecification = "{"    [ sp ss-base ]
                             [ sep sp ss-specificExclusions ]
                             [ sep sp ss-minimum ]
                             [ sep sp ss-maximum ]
                             [ sep sp ss-specificationFilter ]
                                   sp "}"
        

ss-base = id-base msp LocalName ss-specificExclusions = id-specificExclusions msp SpecificExclusions ss-minimum = id-minimum msp BaseDistance ss-maximum = id-maximum msp BaseDistance ss-specificationFilter = id-specificationFilter msp Refinement

ss base=id base msp LocalName ss SpecificExclutions=id SpecificExclutions msp SpecificExclutions ss minimum=id minimum msp BaseDistance ss maximum=id maximum msp BaseDistance ss specificationFilter=id specificationFilter msp优化

   id-base                = %x62.61.73.65 ; "base"
   id-specificExclusions  = %x73.70.65.63.69.66.69.63.45.78.63.6C.75.73
                               %x69.6F.6E.73 ; "specificExclusions"
   id-minimum             = %x6D.69.6E.69.6D.75.6D ; "minimum"
   id-maximum             = %x6D.61.78.69.6D.75.6D ; "maximum"
   id-specificationFilter = %x73.70.65.63.69.66.69.63.61.74.69.6F.6E.46
                               %x69.6C.74.65.72 ; "specificationFilter"
        
   id-base                = %x62.61.73.65 ; "base"
   id-specificExclusions  = %x73.70.65.63.69.66.69.63.45.78.63.6C.75.73
                               %x69.6F.6E.73 ; "specificExclusions"
   id-minimum             = %x6D.69.6E.69.6D.75.6D ; "minimum"
   id-maximum             = %x6D.61.78.69.6D.75.6D ; "maximum"
   id-specificationFilter = %x73.70.65.63.69.66.69.63.61.74.69.6F.6E.46
                               %x69.6C.74.65.72 ; "specificationFilter"
        
   SpecificExclusions = "{" [ sp SpecificExclusion
                           *( "," sp SpecificExclusion ) ] sp "}"
   SpecificExclusion  = chopBefore / chopAfter
   chopBefore         = id-chopBefore ":" LocalName
   chopAfter          = id-chopAfter  ":" LocalName
   id-chopBefore      = %x63.68.6F.70.42.65.66.6F.72.65 ; "chopBefore"
   id-chopAfter       = %x63.68.6F.70.41.66.74.65.72    ; "chopAfter"
        
   SpecificExclusions = "{" [ sp SpecificExclusion
                           *( "," sp SpecificExclusion ) ] sp "}"
   SpecificExclusion  = chopBefore / chopAfter
   chopBefore         = id-chopBefore ":" LocalName
   chopAfter          = id-chopAfter  ":" LocalName
   id-chopBefore      = %x63.68.6F.70.42.65.66.6F.72.65 ; "chopBefore"
   id-chopAfter       = %x63.68.6F.70.41.66.74.65.72    ; "chopAfter"
        
   Refinement  = item / and / or / not
   item        = id-item ":" OBJECT-IDENTIFIER
   and         = id-and  ":" Refinements
   or          = id-or   ":" Refinements
   not         = id-not  ":" Refinement
   Refinements = "{" [ sp Refinement
                    *( "," sp Refinement ) ] sp "}"
   id-item     = %x69.74.65.6D ; "item"
   id-and      = %x61.6E.64    ; "and"
   id-or       = %x6F.72       ; "or"
   id-not      = %x6E.6F.74    ; "not"
        
   Refinement  = item / and / or / not
   item        = id-item ":" OBJECT-IDENTIFIER
   and         = id-and  ":" Refinements
   or          = id-or   ":" Refinements
   not         = id-not  ":" Refinement
   Refinements = "{" [ sp Refinement
                    *( "," sp Refinement ) ] sp "}"
   id-item     = %x69.74.65.6D ; "item"
   id-and      = %x61.6E.64    ; "and"
   id-or       = %x6F.72       ; "or"
   id-not      = %x6E.6F.74    ; "not"
        
   BaseDistance = INTEGER-0-MAX
        
   BaseDistance = INTEGER-0-MAX
        

The <sp>, <msp>, <sep>, <INTEGER>, <INTEGER-0-MAX>, <OBJECT-IDENTIFIER> and <LocalName> rules are defined in [RFC3642].

[RFC3642]中定义了<sp>、<msp>、<sep>、<INTEGER>、<INTEGER-0-MAX>、<OBJECT-IDENTIFIER>和<LocalName>规则。

Normative References

规范性引用文件

[X.501] ITU-T, "The Directory -- Models," X.501, 1993.

[X.501]ITU-T,“目录——模型”,X.5011993。

[X.680] ITU-T, "Abstract Syntax Notation One (ASN.1) - Specification of Basic Notation", X.680, 1994.

[X.680]ITU-T,“抽象语法符号一(ASN.1)-基本符号规范”,X.680,1994年。

[X.690] ITU-T, "Specification of ASN.1 encoding rules: Basic, Canonical, and Distinguished Encoding Rules", X.690, 1994.

[X.690]ITU-T,“ASN.1编码规则规范:基本、规范和区分编码规则”,X.690,1994年。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[RFC2251]Wahl,M.,Howes,T.和S.Kille,“轻量级目录访问协议(v3)”,RFC 2251,1997年12月。

[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.

[RFC2252]Wahl,M.,Coulbeck,A.,Howes,T.和S.Kille,“轻量级目录访问协议(v3):属性语法定义”,RFC2252,1997年12月。

[RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan, "Authentication Methods for LDAP", RFC 2829, May 2000.

[RFC2829]Wahl,M.,Alvestrand,H.,Hodges,J.和R.Morgan,“LDAP的身份验证方法”,RFC 28292000年5月。

[RFC2830] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security", RFC 2830, May 2000.

[RFC2830]Hodges,J.,Morgan,R.和M.Wahl,“轻量级目录访问协议(v3):传输层安全扩展”,RFC 28302000年5月。

[RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access Protocol (v3): Technical Specification", RFC 3377, September 2002.

[RFC3377]Hodges,J.和R.Morgan,“轻量级目录访问协议(v3):技术规范”,RFC 3377,2002年9月。

[RFC3383] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", RFC 3383, September 2002.

[RFC3383]Zeilenga,K.,“轻量级目录访问协议(LDAP)的互联网分配号码管理局(IANA)注意事项”,RFC 3383,2002年9月。

[RFC3641] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1 Types", RFC 3641, October 2003.

[RFC3641]Legg,S.“ASN.1类型的通用字符串编码规则(GSER)”,RFC 3641,2003年10月。

Informative References

资料性引用

[RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.

[RFC2234]Crocker,D.和P.Overell,“语法规范的扩充BNF:ABNF”,RFC 2234,1997年11月。

[RFC3642] Legg, S., "Common Elements of Generic String Encoding Rules (GSER) Encodings", RFC 3642, October 2003.

[RFC3642]Legg,S.,“通用字符串编码规则(GSER)编码的公共元素”,RFC 3642,2003年10月。

   [ASSIGN]    OpenLDAP Foundation, "OpenLDAP OID Delegations",
               http://www.openldap.org/foundation/oid-delegate.txt
        
   [ASSIGN]    OpenLDAP Foundation, "OpenLDAP OID Delegations",
               http://www.openldap.org/foundation/oid-delegate.txt
        
   [PRIVATE]   IANA, "Private Enterprise Numbers",
               http://www.iana.org/assignments/enterprise-numbers
        
   [PRIVATE]   IANA, "Private Enterprise Numbers",
               http://www.iana.org/assignments/enterprise-numbers
        

Authors' Addresses

作者地址

Kurt D. Zeilenga OpenLDAP Foundation

库尔特D.Zeeliga OpenLDAP基金会

   EMail: Kurt@OpenLDAP.org
        
   EMail: Kurt@OpenLDAP.org
        

Steven Legg Adacel Technologies Ltd. 250 Bay Street Brighton, Victoria 3186 AUSTRALIA

Steven Legg Adacel Technologies Ltd.澳大利亚维多利亚州布莱顿湾街250号,邮编:3186

   Phone: +61 3 8530 7710
   Fax:   +61 3 8530 7888
   EMail: steven.legg@adacel.com.au
        
   Phone: +61 3 8530 7710
   Fax:   +61 3 8530 7888
   EMail: steven.legg@adacel.com.au
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2003). All Rights Reserved.

版权所有(C)互联网协会(2003年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。