Network Working Group                                        K. Zeilenga
Request for Comments: 4528                           OpenLDAP Foundation
Category: Standards Track                                      June 2006
        
Network Working Group                                        K. Zeilenga
Request for Comments: 4528                           OpenLDAP Foundation
Category: Standards Track                                      June 2006
        

Lightweight Directory Access Protocol (LDAP) Assertion Control

轻量级目录访问协议(LDAP)断言控制

Status of This Memo

关于下段备忘

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2006).

版权所有(C)互联网协会(2006年)。

Abstract

摘要

This document defines the Lightweight Directory Access Protocol (LDAP) Assertion Control, which allows a client to specify that a directory operation should only be processed if an assertion applied to the target entry of the operation is true. It can be used to construct "test and set", "test and clear", and other conditional operations.

本文档定义了轻量级目录访问协议(LDAP)断言控件,该控件允许客户端指定仅当应用于操作目标项的断言为true时才应处理目录操作。它可以用于构造“测试和设置”、“测试和清除”以及其他条件操作。

Table of Contents

目录

   1. Overview ........................................................2
   2. Terminology .....................................................2
   3. The Assertion Control ...........................................2
   4. Security Considerations .........................................3
   5. IANA Considerations .............................................4
      5.1. Object Identifier ..........................................4
      5.2. LDAP Protocol Mechanism ....................................4
      5.3. LDAP Result Code ...........................................4
   6. Acknowledgements ................................................5
   7. References ......................................................5
      7.1. Normative References .......................................5
      7.2. Informative References .....................................5
        
   1. Overview ........................................................2
   2. Terminology .....................................................2
   3. The Assertion Control ...........................................2
   4. Security Considerations .........................................3
   5. IANA Considerations .............................................4
      5.1. Object Identifier ..........................................4
      5.2. LDAP Protocol Mechanism ....................................4
      5.3. LDAP Result Code ...........................................4
   6. Acknowledgements ................................................5
   7. References ......................................................5
      7.1. Normative References .......................................5
      7.2. Informative References .....................................5
        
1. Overview
1. 概述

This document defines the Lightweight Directory Access Protocol (LDAP) [RFC4510] assertion control. The assertion control allows the client to specify a condition that must be true for the operation to be processed normally. Otherwise, the operation is not performed. For instance, the control can be used with the Modify operation [RFC4511] to perform atomic "test and set" and "test and clear" operations.

本文档定义了轻量级目录访问协议(LDAP)[RFC4510]断言控制。断言控件允许客户端指定一个条件,该条件必须为true才能正常处理操作。否则,不执行该操作。例如,该控件可以与修改操作[RFC4511]一起使用,以执行原子“测试和设置”以及“测试和清除”操作。

The control may be attached to any update operation to support conditional addition, deletion, modification, and renaming of the target object. The asserted condition is evaluated as an integral part the operation.

控件可以附加到任何更新操作,以支持有条件地添加、删除、修改和重命名目标对象。断言的条件作为操作的一个组成部分进行评估。

The control may also be used with the search operation. Here, the assertion is applied to the base object of the search before searching for objects that match the search scope and filter.

该控件也可用于搜索操作。在这里,在搜索与搜索范围和筛选器匹配的对象之前,断言将应用于搜索的基本对象。

The control may also be used with the compare operation. Here, it extends the compare operation to allow a more complex assertion.

该控件也可与比较操作一起使用。在这里,它扩展了比较操作以允许更复杂的断言。

2. Terminology
2. 术语

Protocol elements are described using ASN.1 [X.680] with implicit tags. The term "BER-encoded" means the element is to be encoded using the Basic Encoding Rules [X.690] under the restrictions detailed in Section 5.1 of [RFC4511].

协议元素使用带有隐式标记的ASN.1[X.680]进行描述。术语“BER编码”是指根据[RFC4511]第5.1节详述的限制,使用基本编码规则[X.690]对元素进行编码。

DSA stands for Directory System Agent (or server). DSE stands for DSA-specific Entry.

DSA代表目录系统代理(或服务器)。DSE代表DSA特定条目。

In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14 [RFC2119].

在本文件中,关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14[RFC2119]中的说明进行解释。

3. The Assertion Control
3. 断言控件

The assertion control is an LDAP Control [RFC4511] whose controlType is 1.3.6.1.1.12 and whose controlValue is a BER-encoded Filter [Protocol, Section 4.5.1]. The criticality may be TRUE or FALSE. There is no corresponding response control.

断言控件是LDAP控件[RFC4511],其controlType为1.3.6.1.1.12,其controlValue为BER编码的筛选器[协议,第4.5.1节]。临界状态可能是真的,也可能是假的。没有相应的响应控制。

The control is appropriate for both LDAP interrogation and update operations [RFC4511], including Add, Compare, Delete, Modify, ModifyDN (rename), and Search. It is inappropriate for Abandon, Bind, Unbind, and StartTLS operations.

该控件适用于LDAP查询和更新操作[RFC4511],包括添加、比较、删除、修改、修改DN(重命名)和搜索。它不适合放弃、绑定、解除绑定和启动TLS操作。

When the control is attached to an LDAP request, the processing of the request is conditional on the evaluation of the Filter as applied against the target of the operation. If the Filter evaluates to TRUE, then the request is processed normally. If the Filter evaluates to FALSE or Undefined, then assertionFailed (122) resultCode is returned, and no further processing is performed.

当控件附加到LDAP请求时,请求的处理取决于针对操作目标应用的过滤器的评估。如果筛选器的计算结果为TRUE,则请求将正常处理。如果筛选器的计算结果为FALSE或Undefined,则返回assertionFailed(122)resultCode,并且不执行进一步的处理。

For Add, Compare, and ModifyDN operations, the target is indicated by the entry field in the request. For Modify operations, the target is indicated by the object field. For Delete operations, the target is indicated by the DelRequest type. For Compare operations and all update operations, the evaluation of the assertion MUST be performed as an integral part of the operation. That is, the evaluation of the assertion and the normal processing of the operation SHALL be done as one atomic action.

对于添加、比较和修改DN操作,目标由请求中的输入字段指示。对于修改操作,目标由对象字段指示。对于删除操作,目标由DelRequest类型指示。对于比较操作和所有更新操作,断言的评估必须作为操作的一个组成部分执行。也就是说,断言的评估和操作的正常处理应作为一个原子操作来完成。

For Search operations, the target is indicated by the baseObject field, and the evaluation is done after "finding" but before "searching" [RFC4511]. Hence, no entries or continuations references are returned if the assertion fails.

对于搜索操作,目标由baseObject字段指示,评估在“查找”之后但在“搜索”之前完成[RFC4511]。因此,如果断言失败,则不会返回任何条目或continuations引用。

Servers implementing this technical specification SHOULD publish the object identifier 1.3.6.1.1.12 as a value of the 'supportedControl' attribute [RFC4512] in their root DSE. A server MAY choose to advertise this extension only when the client is authorized to use it.

实现本技术规范的服务器应在其根DSE中将对象标识符1.3.6.1.1.12作为“supportedControl”属性[RFC4512]的值发布。只有当客户机被授权使用此扩展时,服务器才可以选择公布此扩展。

Other documents may specify how this control applies to other LDAP operations. In doing so, they must state how the target entry is determined.

其他文档可能会指定此控件如何应用于其他LDAP操作。在执行此操作时,他们必须说明如何确定目标条目。

4. Security Considerations
4. 安全考虑

The filter may, like other components of the request, contain sensitive information. When it does, this information should be appropriately protected.

与请求的其他组件一样,筛选器可能包含敏感信息。如果确实如此,则应适当保护此信息。

As with any general assertion mechanism, the mechanism can be used to determine directory content. Hence, this mechanism SHOULD be subject to appropriate access controls.

与任何常规断言机制一样,该机制可用于确定目录内容。因此,该机制应受到适当的访问控制。

Some assertions may be very complex, requiring significant time and resources to evaluate. Hence, this mechanism SHOULD be subject to appropriate administrative controls.

有些断言可能非常复杂,需要大量时间和资源进行评估。因此,这一机制应受到适当的行政管制。

Security considerations for the base operations [RFC4511] extended by this control, as well as general LDAP security considerations [RFC4510], generally apply to implementation and use of this extension.

此控件扩展的基本操作[RFC4511]的安全注意事项以及一般LDAP安全注意事项[RFC4510]通常适用于此扩展的实现和使用。

5. IANA Considerations
5. IANA考虑
5.1. Object Identifier
5.1. 对象标识符

The IANA has assigned an LDAP Object Identifier [RFC4520] to identify the LDAP Assertion Control defined in this document.

IANA已分配LDAP对象标识符[RFC4520]来标识本文档中定义的LDAP断言控件。

       Subject: Request for LDAP Object Identifier Registration
       Person & email address to contact for further information:
           Kurt Zeilenga <kurt@OpenLDAP.org>
       Specification: RFC 4528
       Author/Change Controller: IESG
       Comments:
           Identifies the LDAP Assertion Control
        
       Subject: Request for LDAP Object Identifier Registration
       Person & email address to contact for further information:
           Kurt Zeilenga <kurt@OpenLDAP.org>
       Specification: RFC 4528
       Author/Change Controller: IESG
       Comments:
           Identifies the LDAP Assertion Control
        
5.2. LDAP Protocol Mechanism
5.2. LDAP协议机制

Registration of this protocol mechanism [RFC4520] is requested.

请求注册此协议机制[RFC4520]。

       Subject: Request for LDAP Protocol Mechanism Registration
       Object Identifier: 1.3.6.1.1.12
       Description: Assertion Control
       Person & email address to contact for further information:
           Kurt Zeilenga <kurt@openldap.org>
       Usage: Control
       Specification: RFC 4528
       Author/Change Controller: IESG
       Comments: none
        
       Subject: Request for LDAP Protocol Mechanism Registration
       Object Identifier: 1.3.6.1.1.12
       Description: Assertion Control
       Person & email address to contact for further information:
           Kurt Zeilenga <kurt@openldap.org>
       Usage: Control
       Specification: RFC 4528
       Author/Change Controller: IESG
       Comments: none
        
5.3. LDAP Result Code
5.3. LDAP结果代码

The IANA has assigned an LDAP Result Code [RFC4520] called 'assertionFailed' (122).

IANA分配了一个名为“断言失败”(122)的LDAP结果代码[RFC4520]。

       Subject: LDAP Result Code Registration
       Person & email address to contact for further information:
           Kurt Zeilenga <kurt@OpenLDAP.org>
       Result Code Name: assertionFailed
       Specification: RFC 4528
       Author/Change Controller: IESG
       Comments:  none
        
       Subject: LDAP Result Code Registration
       Person & email address to contact for further information:
           Kurt Zeilenga <kurt@OpenLDAP.org>
       Result Code Name: assertionFailed
       Specification: RFC 4528
       Author/Change Controller: IESG
       Comments:  none
        
6. Acknowledgements
6. 致谢

The assertion control concept is attributed to Morteza Ansari.

断言控制概念是由Morteza Ansari提出的。

7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006.

[RFC4510]Zeilenga,K.,Ed.“轻量级目录访问协议(LDAP):技术规范路线图”,RFC45102006年6月。

[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, June 2006.

[RFC4511]Sermersheim,J.,Ed.,“轻量级目录访问协议(LDAP):协议”,RFC4511,2006年6月。

[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.

[RFC4512]Zeilenga,K.,“轻量级目录访问协议(LDAP):目录信息模型”,RFC4512,2006年6月。

[X.680] International Telecommunication Union - Telecommunication Standardization Sector, "Abstract Syntax Notation One (ASN.1) - Specification of Basic Notation", X.680(2002) (also ISO/IEC 8824-1:2002).

[X.680]国际电信联盟-电信标准化部门,“抽象语法符号1(ASN.1)-基本符号规范”,X.680(2002)(也称ISO/IEC 8824-1:2002)。

[X.690] International Telecommunication Union - Telecommunication Standardization Sector, "Specification of ASN.1 encoding rules: Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER)", X.690(2002) (also ISO/IEC 8825-1:2002).

[X.690]国际电信联盟-电信标准化部门,“ASN.1编码规则规范:基本编码规则(BER)、规范编码规则(CER)和区分编码规则(DER)”,X.690(2002)(另见ISO/IEC 8825-1:2002)。

7.2. Informative References
7.2. 资料性引用

[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

[RFC4520]Zeilenga,K.,“轻量级目录访问协议(LDAP)的互联网分配号码管理局(IANA)注意事项”,BCP 64,RFC 4520,2006年6月。

Author's Address

作者地址

Kurt D. Zeilenga OpenLDAP Foundation

库尔特D.Zeeliga OpenLDAP基金会

   EMail: Kurt@OpenLDAP.org
        
   EMail: Kurt@OpenLDAP.org
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2006).

版权所有(C)互联网协会(2006年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).

RFC编辑器功能的资金由IETF行政支持活动(IASA)提供。