<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc4510 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4510.xml'>
<!ENTITY rfc4511 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4511.xml'>
<!ENTITY rfc4512 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4512.xml'>
<!ENTITY rfc4517 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4517.xml'>
<rfc category="std" ipr="full3978" docName="draft-masarati-ldap-deref-00.txt">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<title abbrev='LDAP Deref'>LDAP Dereference Control</title>
<author initials='P.' surname="Masarati" fullname='Pierangelo Masarati'>
<organization abbrev='Politecnico di Milano'>
<street>Dipartimento di Ingegneria Aerospaziale</street>
<street>via La Masa 34</street>
<phone>+39 02 2399 8309</phone>
<facsimile>+39 02 2399 8334</facsimile>
<email>ando@OpenLDAP.org</email>
<uri>http://www.aero.polimi.it/masarati/</uri>
<author initials="H.Y." surname="Chu" fullname="Howard Y. Chu">
<organization abbrev="Symas Corp.">
<street>18740 Oxnard St., Suite 313A</street>
<region>California</region>
<country>USA</country>
<phone>+1 818 757-7087</phone>
<email>hyc@symas.com</email>
<uri>http://www.symas.com/</uri>
This document describes the Dereference Control for LDAP.
This control is intended to provide a concise means to collect
extra information related to cross-links present in entries
returned as part of search responses.
<section title="Background and Intended Use">
Cross-links between entries are often used to describe relationships
To exploit the uniqueness of entry naming, these links are usually
represented by the distinguished name (DN) of the linked entries.
In many cases, DUAs need to collect information about linked entries.
This requires explicitly dereferencing each linked entry in order to
collect the desired attributes, resulting in the need to perform a
specific sequence of search operations, using the links as search base,
with a SearchRequest.scope of baseObject <xref target="RFC4511" />.
This document describes an LDAP Control <xref target="RFC4511" />
that allows a DUA to request the DSA to return specific attributes
of linked entries along with the link, under the assumption that
the DSA can perform this operation more efficiently
than the DUA could by performing the complete sequence
of required search operations itself.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in <xref target="RFC2119" />.
<section title="The LDAP Dereference Control">
<section title="Control Semantics">
This control allows specifying a dereference attribute and a set
of attributes to be dereferenced, as illustrated
in <xref target="control_request" />.
The dereference attribute's syntax MUST be 1.3.6.1.4.1.1466.115.121.1.12
(DN) <xref target="RFC4517" />.
Each value of the dereference attribute in a SearchResultEntry SHOULD
result in dereferencing the corresponding entry, collecting the values
of the attributes to be dereferenced, and returning them as part
of the control value in the SearchResultEntry response, in the format
detailed in <xref target="control_response" />.
The control value may contain dereference attribute values without any
dereferenced attribute values, as detailed in
<xref target="control_response" />.
The control semantics do not specify whether this is a consequence
of a dangling link or of the application of access restrictions
on the values of the attributes to be dereferenced.
Attribute description hierarchy <xref target="RFC4512" /> SHALL NOT
be exploited when collecting the values of the attributes
On the contrary, all of the attribute descriptions in an attribute
hierarchy SHOULD be treated as distinct and unrelated descriptions.
This control is only appropriate for the search operation
<xref target="RFC4511" />.
The semantics of the criticality field are specified in
<xref target="RFC4511" />.
In detail, the criticality of the control determines whether the control
will or will not be used, and if it will not be used, whether the operation
will continue without returning the control in the response, or fail,
returning unavailableCriticalExtension.
If the control is appropriate for an operation and, for any reason,
it cannot be applied in its entirety to a single SearchResultEntry response,
it MUST NOT be applied to that specific SearchResultEntry response,
without affecting its application to any subsequent SearchResultEntry
Servers implementing this technical specification SHOULD publish
the object identifier deref-oid (IANA assigned;
see <xref target="iana_considerations" />) as a value
of the 'supportedControl' attribute <xref target="RFC4512" />
This control is entirely unrelated to alias dereferencing
<xref target="RFC4511" />.
<section anchor="control_request" title="Control Request">
The control type is deref-oid (IANA assigned;
see <xref target="iana_considerations" />).
The specification of the Dereference Control request is:
controlValue ::= SEQUENCE OF derefSpec DerefSpec
DerefSpec ::= SEQUENCE {
derefAttr AttributeDescription, -- with DN syntax
attributes AttributeList }
AttributeList ::= SEQUENCE OF attr AttributeDescription
Each derefSpec.derefAttr MUST be unique within controlValue.
<section anchor="control_response" title="Control Response">
The control type is deref-oid (IANA assigned;
see <xref target="iana_considerations" />).
The specification of the Dereference Control response is:
controlValue ::= SEQUENCE OF derefRes DerefRes
DerefRes ::= SEQUENCE {
derefAttr AttributeDescription,
attrVals [0] PartialAttributeList OPTIONAL }
PartialAttributeList ::= SEQUENCE OF
partialAttribute PartialAttribute
PartialAttribute is defined in <xref target="RFC4511" />;
the definition is reported here for clarity:
PartialAttribute ::= SEQUENCE {
type AttributeDescription,
vals SET OF value AttributeValue }
If partialAttribute.vals is empty, the corresponding partialAttribute
If all partialAttribute.vals in attrVals are empty, that derefRes.attrVals
<section title="Examples">
dn: cn=Howard Chu,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
dn: cn=Pierangelo Masarati,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: Pierangelo Masarati
dn: cn=Test Group,ou=groups,dc=example,dc=org
objectClass: groupOfNames
member: cn=Howard Chu,ou=people,dc=example,dc=org
member: cn=Pierangelo Masarati,ou=people,dc=example,dc=org
A search could be performed with a Dereference request control value
and the "cn=Test Group" entry would be returned with the response control
{ { member, cn=Howard Chu,ou=people,dc=example,dc=org,
{ { uid, [hyc] } } },
{ member, cn=Pierangelo Masarati,ou=people,dc=example,dc=org,
{ { uid, [ando] } } } }
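As an added example, not part of this draft or of OpenLDAP's implementation, the following Python builds the BER encoding of the request control value used in this example (derefAttr member, attribute uid) and decodes a response control value of the form shown above, so the request and response formats of the two preceding sections can be checked byte by byte. It assumes implicit tagging for attrVals [0] as in the LDAP PDU module, that derefVal is an OCTET STRING carrying the linked entry's DN (its type is not stated on this page), and the sample_response bytes are constructed here: the second link deliberately carries no attrVals, as a dangling link or an access restriction would produce.

```python
def tlv(tag, body):
    # BER TLV with definite-form length: short form below 128 octets, long form otherwise
    n = len(body)
    long = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(long)]) + long) + body

def octets(s):  # OCTET STRING for AttributeDescription / LDAPDN / AttributeValue
    return tlv(0x04, s.encode())

def encode_deref_request(specs):
    # controlValue ::= SEQUENCE OF DerefSpec { derefAttr, AttributeList };
    # specs is a list of (derefAttr, [attr, ...]) pairs
    return tlv(0x30, b"".join(
        tlv(0x30, octets(d) + tlv(0x30, b"".join(map(octets, attrs))))
        for d, attrs in specs))

def parse_tlv(buf, pos=0):
    # Returns (tag, contents, next position); rejects the indefinite form
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    if pos + n + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos + n:pos + n + length], pos + n + length

def children(body, pos=0):  # yield (tag, contents) of a constructed element's members
    while pos < len(body):
        tag, contents, pos = parse_tlv(body, pos)
        yield tag, contents

def decode_deref_response(value):
    # DerefRes ::= SEQUENCE { derefAttr, derefVal, attrVals [0] OPTIONAL };
    # derefVal is assumed to be an OCTET STRING carrying the linked entry's DN
    results = []
    for _, res in children(parse_tlv(value)[1]):
        parts, attrs = list(children(res)), {}
        if len(parts) > 2 and parts[2][0] == 0xA0:  # [0] context tag, constructed
            for _, pa in children(parts[2][1]):
                (_, name), (_, vals) = children(pa)
                attrs[name.decode()] = [v.decode() for _, v in children(vals)]
        results.append((parts[0][1].decode(), parts[1][1].decode(), attrs))
    return results

def sample_response():
    # Constructed response value: first link dereferenced, second one without attrVals
    hyc = tlv(0xA0, tlv(0x30, octets("uid") + tlv(0x31, octets("hyc"))))
    return tlv(0x30, tlv(0x30, octets("member") + octets("cn=Howard Chu,ou=people,dc=example,dc=org") + hyc)
                   + tlv(0x30, octets("member") + octets("cn=Pierangelo Masarati,ou=people,dc=example,dc=org")))
```

A decoder used by a DUA should treat the second entry exactly as the Security Considerations describe: the DN is present because the client could read the member value, and nothing more follows from it.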
<section title="Implementation Notes">
This LDAP extension is currently implemented in OpenLDAP software
using the temporary OID 1.3.6.1.4.1.4203.666.5.16 under OpenLDAP's
experimental OID arc.
<section title="Security Considerations">
The control result MUST NOT disclose information the client's identity
could not have accessed by performing the related search operations.
The presence of a derefRes.derefVal in the response control, with
no derefRes.attrVals, implies neither the existence of nor any
access privilege to the corresponding entry.
It is merely a consequence of the read access the client's identity has
on the corresponding value of the derefRes.derefAttr that would be returned
as part of the attributes of a SearchResultEntry response
<xref target="RFC4511" />.
Security considerations described in documents listed in
<xref target="RFC4510" /> apply.
<section anchor="iana_considerations" title="IANA Considerations">
<section title="Object Identifier Registration">
It is requested that IANA register upon Standards Action an LDAP
Object Identifier for use in this technical specification.
Subject: Request for LDAP OID Registration
Person &amp; email address to contact for further information:
Pierangelo Masarati &lt;ando@OpenLDAP.org&gt;
Author/Change Controller: IESG
Identifies the LDAP Dereference Control request
<section title="Acknowledgments">
<references title='Normative References'>