Network Working Group                                        D. Chadwick
Request for Comments: 3876                         University of Salford
Category: Standards Track                                      S. Mullan
                                                        Sun Microsystems
                                                          September 2004
        
Network Working Group                                        D. Chadwick
Request for Comments: 3876                         University of Salford
Category: Standards Track                                      S. Mullan
                                                        Sun Microsystems
                                                          September 2004
        

Returning Matched Values with the Lightweight Directory Access Protocol version 3 (LDAPv3)

返回与轻型目录访问协议版本3(LDAPv3)匹配的值

Status of this Memo

本备忘录的状况

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2004).

版权所有(C)互联网协会(2004年)。

Abstract

摘要

This document describes a control for the Lightweight Directory Access Protocol version 3 that is used to return a subset of attribute values from an entry. Specifically, only those values that match a "values return" filter. Without support for this control, a client must retrieve all of an attribute's values and search for specific values locally.

本文档描述了轻量级目录访问协议版本3的控件,该控件用于从条目返回属性值的子集。具体来说,只有那些与“值返回”过滤器匹配的值。如果不支持此控件,客户端必须检索属性的所有值并在本地搜索特定值。

1. Introduction
1. 介绍

When reading an attribute from an entry using the Lightweight Directory Access Protocol version 3 (LDAPv3) [2], it is normally only possible to read either the attribute type, or the attribute type and all its values. It is not possible to selectively read just a few of the attribute values. If an attribute holds many values, for example, the userCertificate attribute, or the subschema publishing operational attributes objectClasses and attributeTypes [3], then it may be desirable for the user to be able to selectively retrieve a subset of the values, specifically, those attribute values that match some user defined selection criteria. Without the control specified in this document, a client must read all of the attribute's values and filter out the unwanted values, necessitating the client to implement the matching rules. It also requires the client to

使用轻型目录访问协议版本3(LDAPv3)[2]从条目中读取属性时,通常只能读取属性类型或属性类型及其所有值。仅选择性地读取几个属性值是不可能的。如果一个属性包含许多值,例如userCertificate属性或subschema publishing operational attributes ObjectClass和AttributeType[3],则用户可能希望能够有选择地检索值的子集,具体而言,与某些用户定义的选择条件匹配的属性值。如果没有此文档中指定的控件,客户端必须读取属性的所有值并过滤掉不需要的值,这就需要客户端实现匹配规则。它还要求客户机

potentially read and process many irrelevant values, which can be inefficient if the values are large or complex, or there are many values stored per attribute.

可能会读取和处理许多不相关的值,如果这些值很大或很复杂,或者每个属性存储了许多值,则效率可能会很低。

This document specifies an LDAPv3 control to enable a user to return only those values that matched (i.e., returned TRUE to) one or more elements of a newly defined "values return" filter. This control can be especially useful when used in conjunction with extensible matching rules that match on one or more components of complex binary attribute values.

本文档指定一个LDAPv3控件,使用户能够仅返回与新定义的“值返回”筛选器的一个或多个元素匹配(即返回TRUE)的值。当与匹配复杂二进制属性值的一个或多个组件的可扩展匹配规则结合使用时,此控件尤其有用。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [4].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14、RFC 2119[4]中的描述进行解释。

2. The valuesReturnFilter Control
2. 值返回过滤器控件

The valuesReturnFilter control is either critical or non-critical as determined by the user. It only has meaning for the Search operation, and SHOULD only be added to the Search operation by the client. If the server supports the control and it is present on a Search operation, the server MUST obey the control, regardless of the value of the criticality flag.

valuesReturnFilter控件由用户确定为关键或非关键。它仅对搜索操作有意义,并且只能由客户端添加到搜索操作中。如果服务器支持该控件,并且该控件出现在搜索操作中,则服务器必须遵守该控件,而不考虑临界性标志的值。

If the control is marked as critical, and either the server does not support the control or the control is applied to an operation other than Search, the server MUST return an unavailableCriticalExtension error. If the control is not marked as critical, and either the server does not support the control or the control is applied to an operation other than Search, then the server MUST ignore the control.

如果控件被标记为关键,并且服务器不支持该控件,或者该控件应用于搜索以外的操作,则服务器必须返回不可用的CriticalExtension错误。如果该控件未标记为关键控件,并且服务器不支持该控件,或者该控件应用于搜索以外的操作,则服务器必须忽略该控件。

The object identifier for this control is 1.2.826.0.1.3344810.2.3.

此控件的对象标识符为1.2.826.0.1.3344810.2.3。

The controlValue is an OCTET STRING, whose value is the BER encoding [6], as per Section 5.1 of RFC 2251 [2], of a value of the ASN.1 [5] type ValuesReturnFilter.

根据RFC 2251[2]第5.1节的规定,controlValue是一个八位字符串,其值是ASN.1[5]类型值返回过滤器值的BER编码[6]。

           ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
        
           ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
        
           SimpleFilterItem ::= CHOICE {
                   equalityMatch   [3] AttributeValueAssertion,
                   substrings      [4] SubstringFilter,
                   greaterOrEqual  [5] AttributeValueAssertion,
                   lessOrEqual     [6] AttributeValueAssertion,
                   present         [7] AttributeDescription,
                   approxMatch     [8] AttributeValueAssertion,
                   extensibleMatch [9] SimpleMatchingAssertion }
        
           SimpleFilterItem ::= CHOICE {
                   equalityMatch   [3] AttributeValueAssertion,
                   substrings      [4] SubstringFilter,
                   greaterOrEqual  [5] AttributeValueAssertion,
                   lessOrEqual     [6] AttributeValueAssertion,
                   present         [7] AttributeDescription,
                   approxMatch     [8] AttributeValueAssertion,
                   extensibleMatch [9] SimpleMatchingAssertion }
        
            SimpleMatchingAssertion ::= SEQUENCE {
                   matchingRule    [1] MatchingRuleId OPTIONAL,
                   type            [2] AttributeDescription OPTIONAL,
   --- at least one of the above must be present
                   matchValue      [3] AssertionValue}
        
            SimpleMatchingAssertion ::= SEQUENCE {
                   matchingRule    [1] MatchingRuleId OPTIONAL,
                   type            [2] AttributeDescription OPTIONAL,
   --- at least one of the above must be present
                   matchValue      [3] AssertionValue}
        

All the above data types have their standard meanings as defined in [2].

上述所有数据类型均具有[2]中定义的标准含义。

If the server supports this control, the server MUST make use of the control as follows:

如果服务器支持此控件,则服务器必须按如下方式使用该控件:

1) The Search Filter is first executed in order to determine which entries satisfy the Search criteria (these are the filtered entries). The control has no impact on this step.

1) 首先执行搜索过滤器,以确定哪些条目满足搜索条件(这些是过滤的条目)。控件对此步骤没有影响。

2) If the typesOnly parameter of the Search Request is TRUE, the control has no effect and the Search Request is processed as if the control had not been specified.

2) 如果搜索请求的typesOnly参数为TRUE,则控件无效,搜索请求的处理方式与未指定控件的处理方式相同。

3) If the attributes parameter of the Search Request consists of a list containing only the attribute with OID "1.1" (specifying that no attributes are to be returned), the control has no effect and the Search Request is processed as if the control had not been specified.

3) 如果搜索请求的attributes参数包含一个仅包含OID为“1.1”(指定不返回任何属性)的属性的列表,则控件无效,搜索请求的处理方式与未指定控件的处理方式相同。

4) For each attribute listed in the attributes parameter of the Search Request, the server MUST apply the control as follows to each entry in the set of filtered entries:

4) 对于搜索请求的attributes参数中列出的每个属性,服务器必须对筛选项集中的每个项应用如下控制:

i) Every attribute value that evaluates TRUE against one or more elements of the ValuesReturnFilter is placed in the corresponding SearchResultEntry.

i) 针对ValuesReturnFilter的一个或多个元素计算为TRUE的每个属性值都放置在相应的SearchResultEntry中。

ii) Every attribute value that evaluates FALSE or undefined against all elements of the ValuesReturnFilter is not placed in the corresponding SearchResultEntry. An attribute that has no values selected is returned with an empty set of values.

ii)针对ValuesReturnFilter的所有元素计算FALSE或undefined的每个属性值都不会放置在相应的SearchResultEntry中。未选择值的属性将返回一组空值。

Note. If the AttributeDescriptionList (see [2]) is empty or comprises "*", then the control MUST be applied against every user attribute. If the AttributeDescriptionList contains a "+", then the control MUST be applied against every operational attribute.

笔记如果AttributeDescriptionList(请参见[2])为空或包含“*”,则必须对每个用户属性应用控件。如果AttributeDescriptionList包含“+”,则必须对每个操作属性应用控件。

3. Relationship to X.500
3. 与X.500的关系

The control is a superset of the matchedValuesOnly (MVO) boolean of the X.500 Directory Access Protocol (DAP) [8] Search argument, as amended in the latest version [9]. Close examination of the matchedValuesOnly boolean by the LDAP Extensions (LDAPEXT) Working Group revealed ambiguities and complexities in the MVO boolean that could not easily be resolved. For example, it was not clear if the MVO boolean governed only those attribute values that contributed to the overall truth of the filter, or all of the attribute values, even if the filter item containing the attribute was evaluated as false. For this reason the LDAPEXT group decided to replace the MVO boolean with a simple filter that removes any uncertainty as to whether an attribute value has been selected or not.

该控件是X.500目录访问协议(DAP)[8]搜索参数的matchedValuesOnly(MVO)布尔值的超集,在最新版本[9]中进行了修订。LDAP扩展(LDAPEXT)工作组对matchedValuesOnly boolean进行了仔细检查,发现MVO boolean中存在不易解决的模糊性和复杂性。例如,不清楚MVO布尔值是否只管理那些对过滤器的整体真实性有贡献的属性值,或者所有属性值,即使包含该属性的过滤器项被计算为false也是如此。出于这个原因,LDAPEXT小组决定用一个简单的过滤器替换MVO布尔值,该过滤器可以消除关于是否选择了属性值的任何不确定性。

4. Relationship to other LDAP Controls
4. 与其他LDAP控件的关系

The purpose of this control is to select zero, one, or more attribute values from each requested attribute in a filtered entry, and to discard the remainder. Once the attribute values have been discarded by this control, they MUST NOT be re-instated into the Search results by other controls.

此控件的目的是从筛选条目中的每个请求属性中选择零、一个或多个属性值,并放弃其余属性值。此控件放弃属性值后,其他控件不得将其重新恢复到搜索结果中。

This control acts independently of other LDAP controls such as server side sorting [13] and duplicate entries [10]. However, there might be interactions between this control and other controls so that a different set of Search Result Entries are returned, or the entries are returned in a different order, depending upon the sequencing of this control and other controls in the LDAP request. For example, with server side sorting, if sorting is done first, and value return filtering second, the set of Search Results may appear to be in the wrong order since the value filtering may remove the attribute values upon which the ordering was done. (The sorting document specifies that entries without any sort key attribute values should be treated as coming after all other attribute values.) Similarly with duplicate entries, if duplication is performed before value filtering, the set of Search Result Entries may contain identical duplicate entries, each with an empty set of attribute values, because the value filtering removed the attribute values that were used to duplicate the results.

此控件独立于其他LDAP控件,如服务器端排序[13]和重复条目[10]。但是,此控件与其他控件之间可能存在交互,因此会返回一组不同的搜索结果条目,或者以不同的顺序返回条目,具体取决于此控件和LDAP请求中其他控件的顺序。例如,对于服务器端排序,如果先进行排序,然后进行值返回筛选,则搜索结果集的顺序可能错误,因为值筛选可能会删除进行排序所依据的属性值。(排序文档规定,没有任何排序键属性值的条目应被视为位于所有其他属性值之后。)同样,对于重复条目,如果在值筛选之前执行重复,则搜索结果条目集可能包含相同的重复条目,每个条目都有一组空的属性值,因为值筛选删除了用于复制结果的属性值。

For these reasons, the ValuesReturnFilter control in a SearchRequest SHOULD precede other controls that affect the number and ordering of SearchResultEntrys.

由于这些原因,SearchRequest中的ValuesReturnFilter控件应优先于影响SearchResulty数量和顺序的其他控件。

5. Examples
5. 例子

All entries are provided in an LDAP Data Interchange Format (LDIF)[11].

所有条目均以LDAP数据交换格式(LDIF)[11]提供。

The string representation of the valuesReturnFilter in the examples below uses the following ABNF [15] notation:

下面示例中valuesReturnFilter的字符串表示法使用以下ABNF[15]表示法:

   valuesReturnFilter = "(" 1*simpleFilterItem ")"
   simpleFilterItem = "(" item ")"
        
   valuesReturnFilter = "(" 1*simpleFilterItem ")"
   simpleFilterItem = "(" item ")"
        

where item is as defined below (adapted from RFC2254 [14]).

其中项目定义如下(改编自RFC2254[14])。

      item         = simple / present / substring / extensible
      simple       = attr filtertype value
      filtertype   = equal / approx / greater / less
      equal        = "="
      approx       = "~="
      greater      = ">="
      less         = "<="
      extensible   = attr [":" matchingrule] ":=" value
                     / ":" matchingrule ":=" value
      present      = attr "=*"
      substring    = attr "=" [initial] any [final]
      initial      = value
      any          = "*" *(value "*")
      final        = value
      attr         = AttributeDescription from Section 4.1.5 of [1]
      matchingrule = MatchingRuleId from Section 4.1.9 of [1]
      value        = AttributeValue from Section 4.1.6 of [1]
        
      item         = simple / present / substring / extensible
      simple       = attr filtertype value
      filtertype   = equal / approx / greater / less
      equal        = "="
      approx       = "~="
      greater      = ">="
      less         = "<="
      extensible   = attr [":" matchingrule] ":=" value
                     / ":" matchingrule ":=" value
      present      = attr "=*"
      substring    = attr "=" [initial] any [final]
      initial      = value
      any          = "*" *(value "*")
      final        = value
      attr         = AttributeDescription from Section 4.1.5 of [1]
      matchingrule = MatchingRuleId from Section 4.1.9 of [1]
      value        = AttributeValue from Section 4.1.6 of [1]
        

1) The first example shows how the control can be set to return all attribute values from one attribute type (e.g., telephoneNumber) and a subset of values from another attribute type (e.g., mail).

1) 第一个示例显示如何将控件设置为返回一种属性类型(例如电话号码)的所有属性值和另一种属性类型(例如邮件)的值子集。

The entries below represent organizationalPerson object classes located somewhere beneath the distinguished name dc=ac,dc=uk.

下面的条目表示位于可分辨名称dc=ac、dc=uk下方的organizationalPerson对象类。

   dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
   cn: Sean Mullan
   sn: Mullan
   objectClass: organizationalPerson
   objectClass: person
   objectClass: inetOrgPerson
   mail: sean.mullan@hotmail.com
   mail: mullan@east.sun.com
   telephoneNumber: + 781 442 0926
   telephoneNumber: 555-9999
        
   dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
   cn: Sean Mullan
   sn: Mullan
   objectClass: organizationalPerson
   objectClass: person
   objectClass: inetOrgPerson
   mail: sean.mullan@hotmail.com
   mail: mullan@east.sun.com
   telephoneNumber: + 781 442 0926
   telephoneNumber: 555-9999
        
   dn: cn=David Chadwick,ou=isi,o=salford,dc=ac,dc=uk
   cn: David Chadwick
   sn: Chadwick
   objectClass: organizationalPerson
   objectClass: person
   objectClass: inetOrgPerson
   mail: d.w.chadwick@salford.ac.uk
        
   dn: cn=David Chadwick,ou=isi,o=salford,dc=ac,dc=uk
   cn: David Chadwick
   sn: Chadwick
   objectClass: organizationalPerson
   objectClass: person
   objectClass: inetOrgPerson
   mail: d.w.chadwick@salford.ac.uk
        

An LDAP search operation is specified with a baseObject set to the DN of the search base (i.e., dc=ac,dc=uk), a subtree scope, a filter set to (sn=mullan), and the list of attributes to be returned set to "mail,telephoneNumber" or "*". In addition, a ValuesReturnFilter control is set to ((mail=*hotmail.com)(telephoneNumber=*)).

指定LDAP搜索操作时,将baseObject设置为搜索库的DN(即dc=ac,dc=uk)、子树作用域、过滤器设置为(sn=mullan),并将要返回的属性列表设置为“mail,telephoneNumber”或“*”。此外,ValuesReturnFilter控件设置为((mail=*hotmail.com)(电话号码=*))。

The search results returned by the server would consist of the following entry:

服务器返回的搜索结果将包含以下条目:

   dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
   mail: sean.mullan@hotmail.com
   telephoneNumber: + 781 442 0926
   telephoneNumber: 555-9999
        
   dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
   mail: sean.mullan@hotmail.com
   telephoneNumber: + 781 442 0926
   telephoneNumber: 555-9999
        

Note that the control has no effect on the values returned for the "telephoneNumber" attribute (all of the values are returned), since the control specified that all values should be returned.

请注意,该控件对“电话号码”属性返回的值没有影响(返回所有值),因为该控件指定应返回所有值。

2) The second example shows how one might retrieve a single attribute type subschema definition for the "gunk" attribute with OID 1.2.3.4.5 from the subschema subentry.

2) 第二个示例显示了如何从子模式子条目中检索OID为1.2.3.4.5的“gunk”属性的单个属性类型子模式定义。

Assume the subschema subentry is held below the root entry with DN cn=subschema subentry,o=myorg and this holds an attributeTypes operational attribute holding the descriptions of the 35 attributes known to this server (each description is held as a single attribute value of the attributeTypes attribute).

假设子模式子项保存在根项下,DN cn=subschema subentry,o=myorg,这保存了一个AttributeType操作属性,该属性保存了该服务器已知的35个属性的描述(每个描述作为AttributeType属性的单个属性值保存)。

dn: cn=subschema subentry,o=myorg cn: subschema subentry objectClass: subschema attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name ) attributeTypes: ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE ) attributeTypes: ( 2.5.4.0 NAME 'objectClass' EQUALITY obj ectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY gen eralizedTimeMatch ORDERING generalizedTimeOrderingMatch SYN TAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) attributeTypes: ( 2.5.21.6 NAME 'objectClasses' EQUALITY obj

dn:cn=subschema subentry,o=myorg cn:subschema subentry objectClass:subschema attributeType:(2.5.4.3 NAME'cn'SUP NAME)attributeType:(2.5.4.6 NAME'c'SUP NAME SINGLE-VALUE)attributeType:(2.5.4.0 NAME'objectClass'EQUALITY ObjectIdentifierMatch语法1.3.6.1.4.1.1.1466.115.121.1.38)attributeType:(2.5.18.2名称'modifyTimestamp'相等一般时间匹配排序一般时间排序匹配SYN TAX 1.3.6.1.4.1.1466.115.121.1.24单值无用户修改使用目录操作)属性类型:(2.5.21.6名称'objectClasses'相等对象

ectIdentifierFirstComponentMatch SYNTAX 1.3. 6.1.4.1.1466.115.121.1.37 USAGE directoryOperation ) attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMat ch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3. 6.1.4.1.1466.115.121.1.44{64} ) attributeTypes: ( 2.5.21.5 NAME 'attributeTypes' EQUALITY obj ectIdentifierFirstComponentMatch SYNTAX 1.3. 6.1.4.1.1466.115.121.1.3 USAGE directoryOperation )

eCIdentifierFirstComponentMatch语法1.3。6.1.4.1.1466.115.121.1.37使用目录操作)AttributeType:(1.2.3.4.5名称'gunk'相等caseIgnoreMat ch SUBSTR CaseIgnoreSubstrings匹配语法1.3.6.1.4.1.1466.115.121.1.44{64})AttributeType:(2.5.21.5名称'AttributeType'相等对象ObjectIdentifierFirstComponentMatch语法1.3.6.1.4.1.1466.115.121.1.3用法目录操作)

plus another 28 - you get the idea.

再加上28个,你就明白了。

The user creates an LDAP search operation with a baseObject set to cn=subschema subentry,o=myorg, a scope of base, a filter set to (objectClass=subschema), the list of attributes to be returned set to "attributeTypes", and the ValuesReturnFilter set to ((attributeTypes=1.2.3.4.5))

用户创建一个LDAP搜索操作,其中baseObject设置为cn=subschema子条目,o=myorg,base范围,过滤器设置为(objectClass=subschema),要返回的属性列表设置为“AttributeType”,ValuesReturnFilter设置为((AttributeType=1.2.3.4.5))

The search result returned by the server would consist of the following entry:

服务器返回的搜索结果将包含以下条目:

   dn: cn=subschema subentry,o=myorg
   attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMat
    ch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.
    6.1.4.1.1466.115.121.1.44{64} )
        
   dn: cn=subschema subentry,o=myorg
   attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMat
    ch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.
    6.1.4.1.1466.115.121.1.44{64} )
        

3) The final example shows how the control can be used to match on a userCertificate attribute value. Note that this example requires the LDAP server to support the certificateExactMatch matching rule defined in [12] as the EQUALITY matching rule for userCertificate.

3) 最后一个示例显示如何使用控件匹配userCertificate属性值。请注意,此示例要求LDAP服务器支持[12]中定义的certificateExactMatch匹配规则作为userCertificate的相等匹配规则。

The entry below represents a pkiUser object class stored in the directory.

下面的条目表示存储在目录中的pkiUser对象类。

   dn: cn=David Chadwick,ou=people,o=University of Salford,c=gb
   cn: David Chadwick
   objectClass: person
   objectClass: organizationalPerson
   objectClass: pkiUser
   objectClass: inetOrgPerson
   sn: Chadwick
   mail: d.w.chadwick@salford.ac.uk
   userCertificate;binary: {binary representation of a certificate with
   a serial number of 2468 issued by o=truetrust ltd,c=gb}
   userCertificate;binary: {binary representation of certificate with a
   serial number of 1357 issued by o=truetrust ltd,c=gb}
   userCertificate;binary: {binary representation of certificate with a
   serial number of 1234 issued by dc=certsRus,dc=com}
        
   dn: cn=David Chadwick,ou=people,o=University of Salford,c=gb
   cn: David Chadwick
   objectClass: person
   objectClass: organizationalPerson
   objectClass: pkiUser
   objectClass: inetOrgPerson
   sn: Chadwick
   mail: d.w.chadwick@salford.ac.uk
   userCertificate;binary: {binary representation of a certificate with
   a serial number of 2468 issued by o=truetrust ltd,c=gb}
   userCertificate;binary: {binary representation of certificate with a
   serial number of 1357 issued by o=truetrust ltd,c=gb}
   userCertificate;binary: {binary representation of certificate with a
   serial number of 1234 issued by dc=certsRus,dc=com}
        

An LDAP search operation is specified with a baseObject set to o=University of Salford,c=gb, a subtree scope, a filter set to (sn=chadwick), and the list of attributes to be returned set to "userCertificate;binary". In addition, a ValuesReturnFilter control is set to ((userCertificate=1357$o=truetrust ltd,c=gb)).

指定LDAP搜索操作时,baseObject设置为o=University of Salford,c=gb,子树作用域,筛选器设置为(sn=chadwick),要返回的属性列表设置为“userCertificate;binary”。此外,ValuesReturnFilter控件设置为((userCertificate=1357$o=truetrust ltd,c=gb))。

The search result returned by the server would consist of the following entry:

服务器返回的搜索结果将包含以下条目:

   dn: cn=David Chadwick,ou=people,o=University of Salford,c=gb
   userCertificate;binary: {binary representation of certificate with a
   serial number of 1357 issued by o=truetrust ltd,c=gb}
        
   dn: cn=David Chadwick,ou=people,o=University of Salford,c=gb
   userCertificate;binary: {binary representation of certificate with a
   serial number of 1357 issued by o=truetrust ltd,c=gb}
        
6. Security Considerations
6. 安全考虑

This document does not primarily discuss security issues.

本文档主要不讨论安全问题。

Note however that attribute values MUST only be returned if the access controls applied by the LDAP server allow them to be returned, and in this respect the effect of the ValuesReturnFilter control is of no consequence.

但是,请注意,只有当LDAP服务器应用的访问控制允许返回属性值时,才必须返回属性值,在这方面,ValuesReturnFilter控件的效果无关紧要。

Note that the ValuesReturnFilter control may have a positive effect on the deployment of public key infrastructures. Certain PKI operations, like searching for specific certificates, become more scalable, and more practical when combined with X.509 certificate matching rules at the server, since the control avoids the downloading of potentially large numbers of irrelevant certificates which would have to be processed and filtered locally (which in some cases is very difficult to perform).

请注意,值ReturnFilter控件可能会对公钥基础结构的部署产生积极影响。某些PKI操作(如搜索特定证书)与服务器上的X.509证书匹配规则结合使用时,会变得更具可扩展性和实用性,因为该控件可避免下载大量可能需要本地处理和过滤的不相关证书(在某些情况下很难执行)。

7. IANA Considerations
7. IANA考虑

The Matched Values control as an LDAP Protocol Mechanism [7] has been registered as follows:

匹配值控件作为LDAP协议机制[7]已注册如下:

Subject: Request for LDAP Protocol Mechanism Registration

主题:请求LDAP协议机制注册

      Object Identifier: 1.2.826.0.1.3344810.2.3
      Description: Matched Values Control
      Person & email address to contact for further information:
        David Chadwick <d.w.chadwick@salford.ac.uk>
      Usage: Control
      Specification: RFC3876
      Author/Change Controller: IESG
      Comments: none
        
      Object Identifier: 1.2.826.0.1.3344810.2.3
      Description: Matched Values Control
      Person & email address to contact for further information:
        David Chadwick <d.w.chadwick@salford.ac.uk>
      Usage: Control
      Specification: RFC3876
      Author/Change Controller: IESG
      Comments: none
        

This document uses the OID 1.2.826.0.1.3344810.2.3 to identify the matchedValues control described here. This OID was assigned by TrueTrust Ltd, under its BSI assigned English/Welsh Registered Company number [16].

本文档使用OID 1.2.826.0.1.3344810.2.3标识此处描述的匹配值控件。该OID由TrueTrust Ltd根据其BSI指定的英国/威尔士注册公司编号[16]进行转让。

8. Acknowledgements
8. 致谢

The authors would like to thank members of the LDAPExt list for their constructive comments on earlier versions of this document, and in particular to Harald Alvestrand who first suggested having an attribute return filter and Bruce Greenblatt who first proposed a syntax for this control.

作者要感谢LDAPExt列表的成员对本文档早期版本的建设性意见,特别是Harald Alvestrand,他首先建议使用属性返回过滤器,Bruce Greenblatt,他首先提出了此控件的语法。

9. References
9. 工具书类
9.1. Normative References
9.1. 规范性引用文件

[1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996.

[1] Bradner,S.,“互联网标准过程——第3版”,BCP 9,RFC 2026,1996年10月。

[2] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access Protocol (w3)", RFC 2251, December 1997.

[2] Wahl,M.,Howes,T.,和S.Kille,“轻量级目录访问协议(w3)”,RFC 2251,1997年12月。

[3] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.

[3] Wahl,M.,Coulbeck,A.,Howes,T.,和S.Kille,“轻量级目录访问协议(v3):属性语法定义”,RFC2252,1997年12月。

[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[4] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[5] ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998, Information Technology - Abstract Syntax Notation One (ASN.1): Specification of Basic Notation

[5] ITU-T建议X.680(1997)| ISO/IEC 8824-1:1998,信息技术-抽象语法符号1(ASN.1):基本符号规范

[6] ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1,2,3:1998 Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)

[6] ITU-T建议X.690(1997)| ISO/IEC 8825-1,2,3:1998信息技术-ASN.1编码规则:基本编码规则(BER)、规范编码规则(CER)和区分编码规则(DER)规范

[7] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 3383, September 2002.

[7] Zeilenga,K.,“轻量级目录访问协议(LDAP)的互联网分配号码管理局(IANA)注意事项”,BCP 64,RFC 3383,2002年9月。

9.2. Informative References
9.2. 资料性引用

[8] ITU-T Rec. X.511, "The Directory: Abstract Service Definition", 1993.

[8] ITU-T Rec.X.511,“目录:抽象服务定义”,1993年。

[9] ISO/IEC 9594 / ITU-T Rec X.511 (2001) The Directory: Abstract Service Definition.

[9] ISO/IEC 9594/ITU-T Rec X.511(2001)目录:抽象服务定义。

[10] Sermersheim, J., "LDAP Control for a Duplicate Entry Representation of Search Results", Work in Progress, October 2000.

[10] Sermersheim,J.,“搜索结果重复条目表示的LDAP控制”,正在进行的工作,2000年10月。

[11] Good, G., "The LDAP Data Interchange Format (LDIF) - Technical Specification", RFC 2849, June 2000.

[11] Good,G.,“LDAP数据交换格式(LDIF)-技术规范”,RFC 28492000年6月。

[12] Chadwick, D. and S.Legg, "Internet X.509 Public Key Infrastructure - Additional LDAP Schema for PKIs", Work in Progress, June 2002

[12] Chadwick,D.和S.Legg,“Internet X.509公钥基础设施-PKI的附加LDAP模式”,正在进行的工作,2002年6月

[13] Howes, T., Wahl, M., and A. Anantha, "LDAP Control Extension for Server Side Sorting of Search Results", RFC 2891, August 2000.

[13] Howes,T.,Wahl,M.,和A.Anantha,“用于搜索结果服务器端排序的LDAP控制扩展”,RFC 28912000年8月。

[14] Howes, T., "The String Representation of LDAP Search Filters", RFC 2254, December 1997.

[14] Howes,T.,“LDAP搜索过滤器的字符串表示”,RFC 2254,1997年12月。

[15] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.

[15] Crocker,D.和P.Overell,“语法规范的扩充BNF:ABNF”,RFC 2234,1997年11月。

[16] BRITISH STANDARD BS 7453 Part 1. Procedures for UK Registration for Open System Standards Part 1: Procedures for the UK Name Registration Authority.

[16] 英国标准BS 7453第1部分。开放系统标准的英国注册程序第1部分:英国名称注册机构的程序。

10. Authors' Addresses
10. 作者地址

David Chadwick IS Institute University of Salford Salford M5 4WT England

David Chadwick研究所索尔福德大学索尔福德M5 4WT英格兰

   Phone: +44 161 295 5351
   EMail: d.w.chadwick@salford.ac.uk
        
   Phone: +44 161 295 5351
   EMail: d.w.chadwick@salford.ac.uk
        

Sean Mullan Sun Microsystems One Network Drive Burlington, MA 01803 USA

美国马萨诸塞州伯灵顿市肖恩·穆兰太阳微系统一号网络驱动器01803

   EMail: sean.mullan@sun.com
        
   EMail: sean.mullan@sun.com
        
11. Full Copyright Statement
11. 完整版权声明

Copyright (C) The Internet Society (2004).

版权所有(C)互联网协会(2004年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息是按“原样”提供的,贡献者、其代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关IETF文件中权利的IETF程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。