INTERNET-DRAFT                                          Kurt D. Zeilenga
Intended Category: Experimental                      OpenLDAP Foundation
Expires in six months                                   27 February 2006

             The LDAP Manage Directory Information Tree Control
                   <draft-zeilenga-ldap-managedit-00.txt>
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor for publication as an
Experimental document. Distribution of this memo is unlimited.
Technical discussion of this document will take place on the IETF LDAP
Extensions mailing list <ldapext@ietf.org>. Please send editorial
comments directly to the author <Kurt@OpenLDAP.org>.

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware have
been or will be disclosed, and any of which he or she becomes aware
will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

Copyright (C) The Internet Society (2006). All Rights Reserved.

Please see the Full Copyright section near the end of this document
Zeilenga                 LDAP Manage DIT Control                [Page 1]

INTERNET-DRAFT        draft-zeilenga-ldap-managedit-00  27 February 2006
This document defines the Lightweight Directory Access Protocol (LDAP)
Manage Directory Information Tree (DIT) Control, which allows a
directory user agent (a client) to request that the directory service
temporarily relax enforcement of constraints of the X.500 models.
1. Background and Intended Use

Directory servers accessible via the Lightweight Directory Access
Protocol (LDAP) [Roadmap] are expected to act in accordance with the
X.500 series of ITU-T Recommendations. In particular, servers are
expected to ensure the X.500 data and service models are not violated.

An LDAP server is expected to prevent modification of the structural
object class of an object [Models]. That is, the X.500 models do not
allow a 'person' object to be transformed into an
'organizationalPerson' object through modification of the object.
Instead, the 'person' object must be deleted and then a new
'organizationalPerson' object created in its place. This approach,
aside from being inconvenient, is problematic for a number of reasons.
First, as LDAP does not have a standardized method for performing the
two operations in a single transaction, the intermediate directory
state (after the delete, before the add) is visible to other clients,
which may lead to undesirable client behavior. Second, attributes
such as entryUUID [entryUUID] will reflect that the object was replaced,
An LDAP server is expected to prevent clients from modifying values of
NO-USER-MODIFICATION attributes [Models]. For instance, a client is
not allowed to assign or modify the value of the entryUUID attribute.
However, where an administrator is restoring a previously existing
object, for instance when repartitioning data between directory
servers or when migrating from one vendor's server product to another,
it may be desirable to allow the client to assign or modify the value
of the entryUUID attribute.

This document specifies the Manage Directory Information Tree (DIT)
control. The Manage DIT control may be attached to LDAP requests that
update the DIT to request that DIT restrictions be temporarily relaxed
during the performance of the requested DIT update. The server is,
however, to ensure the resulting directory state is valid.

It is expected that use of this extension will be restricted by
administrative and/or access controls. It is intended to be used by
directory administrators.
This extension is considered experimental as it is not yet clear
whether it adequately addresses directory administrators' needs for
flexible mechanisms for managing directory objects. It is hoped that
after a suitable amount of time, either this extension or a suitable
replacement will be standardized.

Protocol elements are described using ASN.1 [X.680] with implicit
tags. The term "BER-encoded" means the element is to be encoded using
the Basic Encoding Rules [X.690] under the restrictions detailed in
Section 5.2 of [Protocol].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].

DSA stands for Directory System Agent, a server. DSE stands for DSA-
2. The Manage DIT Control

The Manage DIT control is an LDAP Control [Protocol] whose controlType
is IANA-ASSIGNED-OID, controlValue is empty, and the criticality of

There is no corresponding response control.

The control is appropriate for all LDAP update requests, including
add, delete, modify, and modifyDN (rename) [Protocol].

The presence of the Manage DIT control in an LDAP update request
indicates that the server is to temporarily relax X.500 model
constraints during performance of the directory update.

The server may restrict use of this control and/or limit the extent of
the relaxation provided based upon local policy or other factors.

The server is obligated to ensure the resulting directory state is
consistent with the X.500 models. For instance, the server is to
ensure that values of attributes conform to the attribute's value
syntax.

It is noted that while this extension may be used to add or modify
objects in a manner which violates the controlling subschema, the
presence of such objects in the DIT is not inconsistent with the X.500
models. For instance, an object created prior to establishment of a
DIT content rule may contain an attribute now precluded by the current
controlling DIT Content Rule.

Servers implementing this technical specification SHOULD publish the
object identifier IANA-ASSIGNED-OID as a value of the
'supportedControl' attribute [Models] in their root DSE. A server MAY
choose to advertise this extension only when the client is authorized
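As an added example (not part of the draft), the following Python
encodes and decodes the LDAP Control element that would carry the Manage
DIT control, using the Control ASN.1 from [Protocol]. Since the draft's
controlType is the placeholder IANA-ASSIGNED-OID, the code uses an
assumed stand-in from the 2.999 example arc; the function names are
likewise assumptions. It shows two points a server implementer has to
get right: LDAPOID is an OCTET STRING holding the dotted-decimal text
(not an ASN.1 OBJECT IDENTIFIER), and a criticality of FALSE is
expressed by omission because the BER restrictions of [Protocol] forbid
encoding DEFAULT values. The decoder also rejects a Manage DIT control
that arrives with a controlValue, which Section 2 defines as empty.

```python
"""Added example, not from the draft: BER encoding/decoding of

    Control ::= SEQUENCE {
         controlType     LDAPOID,
         criticality     BOOLEAN DEFAULT FALSE,
         controlValue    OCTET STRING OPTIONAL }
"""

MANAGE_DIT_OID = "2.999.1"   # PLACEHOLDER for IANA-ASSIGNED-OID (assumption)


def _ber_length(n: int) -> bytes:
    """Definite-length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(content)) + content


def encode_control(control_type: str, criticality: bool = False,
                   control_value: bytes = None) -> bytes:
    # LDAPOID is an OCTET STRING of the dotted-decimal text; no base-128 arcs.
    body = _tlv(0x04, control_type.encode("ascii"))
    if criticality:
        # DEFAULT FALSE must not be encoded under [Protocol]'s BER restrictions,
        # so FALSE is simply absent and only TRUE is written out.
        body += _tlv(0x01, b"\xff")
    if control_value is not None:
        body += _tlv(0x04, control_value)
    return _tlv(0x30, body)


def encode_manage_dit_control(criticality: bool = False) -> bytes:
    """Section 2: controlValue is empty, so only controlType (and criticality) appear."""
    return encode_control(MANAGE_DIT_OID, criticality)


def encode_controls(controls: list) -> bytes:
    """LDAPMessage's `controls [0] Controls OPTIONAL`, implicitly tagged: 0xA0."""
    return _tlv(0xA0, b"".join(controls))


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def decode_controls(buf: bytes) -> list:
    """Parse a Controls element into dicts with controlType/criticality/controlValue."""
    tag, seq, end = _read_tlv(buf, 0)
    if tag != 0xA0 or end != len(buf):
        raise ValueError("not a Controls element")
    out, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("control is not a SEQUENCE")
        ctl = {"controlType": None, "criticality": False, "controlValue": None}
        t, oid, p = _read_tlv(body, 0)
        if t != 0x04:
            raise ValueError("controlType must be an OCTET STRING")
        ctl["controlType"] = oid.decode("ascii")
        if p < len(body) and body[p] == 0x01:            # optional BOOLEAN
            t, b, p = _read_tlv(body, p)
            ctl["criticality"] = b != b"\x00"
        if p < len(body):                                 # optional OCTET STRING
            t, v, p = _read_tlv(body, p)
            if t != 0x04:
                raise ValueError("controlValue must be an OCTET STRING")
            ctl["controlValue"] = v
        if p != len(body):
            raise ValueError("trailing octets in control")
        out.append(ctl)
    return out


def find_manage_dit(buf: bytes):
    """Return the Manage DIT control from an encoded Controls element, or None.
    A Manage DIT control carrying a controlValue is malformed per Section 2."""
    for ctl in decode_controls(buf):
        if ctl["controlType"] == MANAGE_DIT_OID:
            if ctl["controlValue"] is not None:
                raise ValueError("Manage DIT control must not carry a controlValue")
            return ctl
    return None
```

A server would run find_manage_dit over the controls of each update
request and, when it returns a control, apply the relaxations of
Section 3 subject to the access-control policy Section 4 calls for.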
3.1. Object metamorphism

In absence of this control, an attempt to modify an object's
'objectClass' in a manner which causes a change in the structural
object class of the object would normally lead to an
objectClassModsProhibited error [Protocol]. The presence of the
Manage DIT control in the modify request requests that the change be
allowed, if the server is willing and able to allow the change in the
structural object class of the object.

For instance, to change an 'organization' object into an
'organizationalUnit' object, a client could issue the following LDAP

    dn: o=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: modify
    delete: objectClass
    objectClass: organization
    -
    add: objectClass
    objectClass: organizationalUnit
    -

In this case, the server is expected to either effect the requested
change in the structural object class, including updating of the value
of the structural object class, or fail the operation.
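As an added example (not from the draft), this Python sketches how a
server might compute an entry's structural object class from its
'objectClass' values and decide a Modify of 'objectClass' with and
without the Manage DIT control. The mini schema and the function names
are assumptions constructed for illustration; the result code names are
those of [Protocol]. Note that with the control the server still refuses
a set of values that names two unrelated structural classes, since the
resulting state would not be valid, and that it updates the derived
'structuralObjectClass' value itself rather than letting the client set
it.

```python
"""Added example, not from the draft: structural object class changes (3.1)."""

# object class name -> (kind, direct superior); constructed mini schema (assumption)
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "organization": ("STRUCTURAL", "top"),
    "organizationalUnit": ("STRUCTURAL", "top"),
}


def superior_chain(name: str) -> list:
    """The class itself followed by its superiors up to 'top'."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name][1]
    return chain


def structural_object_class(object_classes) -> str:
    """The most subordinate structural class named in 'objectClass'.
    The X.500 models require all structural values to lie on one chain."""
    structural = [c for c in object_classes if SCHEMA[c][0] == "STRUCTURAL"]
    if not structural:
        raise ValueError("no structural object class")
    for candidate in structural:
        if set(structural) <= set(superior_chain(candidate)):
            return candidate
    raise ValueError("structural classes do not form a single chain")


def modify_object_class(entry: dict, new_values: list, manage_dit: bool = False):
    """Return (resultCode, entry) for a Modify replacing the 'objectClass' values.
    The input entry is left untouched; a new dict is returned on success."""
    try:
        new_structural = structural_object_class(new_values)
    except (ValueError, KeyError):
        # Never relaxed: the resulting state must still be a valid object.
        return "objectClassViolation", entry
    if new_structural != entry["structuralObjectClass"] and not manage_dit:
        return "objectClassModsProhibited", entry   # the normal error (3.1)
    # With the control, effect the change and refresh the derived
    # 'structuralObjectClass' value (which Section 3.6 says clients may not set).
    updated = dict(entry, objectClass=list(new_values),
                   structuralObjectClass=new_structural)
    return "success", updated
```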
3.2. Inactive Attribute Types

In absence of the Manage DIT control, an attempt to add or modify
values of an attribute whose type has been marked inactive in the
controlling subschema (its attribute type description contains the
OBSOLETE field) [Models] normally results in a failure.
In the presence of the Manage DIT control, the server performs the
update operation as if the attribute's type is marked active in the
controlling subschema (its attribute type description does not contain
3.3. DIT Content Rules

In absence of the Manage DIT control, an attempt to include the name
(or OID) of an auxiliary class in an object's 'objectClass' which is
not allowed by the controlling DIT Content Rule would be disallowed
[Models]. Additionally, an attempt to add values of an attribute not
allowed (or explicitly precluded) by the DIT Content Rule would fail.

In presence of the Manage DIT control, the server performs the update
operation as if the controlling DIT Content Rule allowed any and all
known auxiliary classes to be present and allowed any and all known
attributes to be present (and precluded no attributes).

3.4. DIT Structure Rules and Name Forms

In absence of the Manage DIT control, the service enforces DIT
structure rules and name form requirements of the controlling

In the presence of the Manage DIT control, the server performs the
update operation ignoring all DIT structure rules and name forms in
the controlling subschema.

3.5. Modification of Nonconformant Objects

It is also noted that in absence of this control, modification of an
object which presently violates the controlling subschema will fail
unless the modification would result in the object conforming to the
controlling subschema. That is, modifications of a non-conformant
object should result in a conformant object.

In the presence of this control, modifications of a non-conformant
object need not result in a conformant object.
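As an added example (not from the draft) covering Sections 3.2 through
3.5 together, the following Python is a toy subschema checker that
reports the violations an update would hit, with the relaxations applied
when the Manage DIT control is present: OBSOLETE attribute types are
treated as active (3.2), the DIT content rule is treated as permitting
every known auxiliary class and attribute and precluding none (3.3),
name forms are ignored (3.4), and a non-conformant result is accepted
(3.5). Unknown object classes and attribute types still fail in both
cases, since the server must keep the resulting state valid. The schema
tables, content rule, name form and function names are constructed
assumptions; only the relaxation rules come from the draft.

```python
"""Added example, not from the draft: subschema checks relaxed by the control."""

# attribute type name -> marked OBSOLETE in the controlling subschema? (constructed)
ATTRIBUTE_TYPES = {"objectClass": False, "ou": False, "description": False,
                   "telephoneNumber": False, "telexNumber": True,
                   "uid": False, "seeAlso": False, "labeledURI": False}

# object class name -> (kind, attributes the class permits) (constructed)
OBJECT_CLASSES = {
    "organizationalUnit": ("STRUCTURAL",
                           {"ou", "description", "telephoneNumber", "telexNumber"}),
    "uidObject": ("AUXILIARY", {"uid"}),
    "labeledURIObject": ("AUXILIARY", {"labeledURI"}),
}

# DIT content rule and name form governing organizationalUnit entries (constructed)
CONTENT_RULES = {"organizationalUnit": {"aux": {"uidObject"},
                                        "may": {"seeAlso"},
                                        "not": {"telephoneNumber"}}}
NAME_FORMS = {"organizationalUnit": {"ou"}}


def violations(dn: str, entry: dict, changed: set, manage_dit: bool) -> list:
    """(resultCode, reason) pairs for the object `entry` an update would leave
    behind; `changed` names the attributes the update adds or modifies."""
    found = []
    classes = entry.get("objectClass", [])
    unknown = [c for c in classes if c not in OBJECT_CLASSES]
    if unknown:
        return [("objectClassViolation", f"unknown object class {c}") for c in unknown]
    structural = [c for c in classes if OBJECT_CLASSES[c][0] == "STRUCTURAL"]
    if len(structural) != 1:
        return [("objectClassViolation", "exactly one structural object class is required")]
    soc = structural[0]
    rule = CONTENT_RULES.get(soc, {"aux": set(), "may": set(), "not": set()})

    if manage_dit:
        # 3.3: as if the content rule allowed every known auxiliary class and
        # every known attribute, and precluded nothing.
        allowed_aux, allowed_attrs, precluded = set(OBJECT_CLASSES), set(ATTRIBUTE_TYPES), set()
    else:
        allowed_aux = rule["aux"]
        allowed_attrs = {"objectClass"} | rule["may"]
        for c in classes:
            allowed_attrs |= OBJECT_CLASSES[c][1]
        precluded = rule["not"]

    for c in classes:
        if OBJECT_CLASSES[c][0] == "AUXILIARY" and c not in allowed_aux:
            found.append(("objectClassViolation",
                          f"auxiliary class {c} not allowed by the DIT content rule"))
    for attr in entry:
        if attr not in ATTRIBUTE_TYPES:
            found.append(("undefinedAttributeType", f"unknown attribute type {attr}"))
        elif attr in precluded:
            found.append(("objectClassViolation",
                          f"attribute {attr} precluded by the DIT content rule"))
        elif attr not in allowed_attrs:
            found.append(("objectClassViolation",
                          f"attribute {attr} not allowed for the object's classes"))
        elif attr in changed and ATTRIBUTE_TYPES[attr] and not manage_dit:
            found.append(("constraintViolation", f"attribute type {attr} is OBSOLETE"))  # 3.2
    rdn_attr = dn.split(",")[0].split("=")[0].strip()
    if not manage_dit and soc in NAME_FORMS and rdn_attr not in NAME_FORMS[soc]:
        found.append(("namingViolation", f"RDN attribute {rdn_attr} violates the name form"))  # 3.4
    return found


def update_result(dn: str, entry: dict, changed: set, manage_dit: bool = False) -> str:
    """Result code for the update: without the control the object must end up
    conformant (3.5); with it, only the non-relaxable checks can fail."""
    found = violations(dn, entry, changed, manage_dit)
    return found[0][0] if found else "success"
```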
3.6. NO-USER-MODIFICATION attribute modification

In absence of this control, an attempt to modify values of a
NO-USER-MODIFICATION attribute would normally lead to a
constraintViolation or other appropriate error [Protocol]. The
presence of the Manage DIT control in the update request requests that
the modification be allowed.
Relaxation of the NO-USER-MODIFICATION constraint is not appropriate
for some operational attribute types. For instance, as the value of
'structuralObjectClass' is derived from the values of the
'objectClass' attribute, the 'structuralObjectClass' attribute type's
NO-USER-MODIFICATION constraint MUST NOT be relaxed. To effect a
change in the 'structuralObjectClass' value, values of 'objectClass'
should be changed as discussed in Section 3.1. Other attributes for
which the NO-USER-MODIFICATION constraint should not be relaxed
include 'entryDN' [EntryDN], 'subschemaSubentry' [Models], and
'collectiveAttributeSubentries' [RFC3671].

The subsections of this section discuss modification of various
operational attributes where their NO-USER-MODIFICATION constraint may
be relaxed. Future documents may specify where NO-USER-MODIFICATION
constraints on other operational attributes may be relaxed. In absence
of a document detailing that the NO-USER-MODIFICATION constraint on a
particular operational attribute may be relaxed, implementors SHOULD
assume relaxation of the constraint is not appropriate for that
To provide a value for the 'entryUUID' attribute on entry creation,
the client should issue an LDAP Add request with a Manage DIT control
providing the desired value. For instance:

    dn: ou=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: add
    objectClass: organizationalUnit
    ou: Unit
    entryUUID: 597ae2f6-16a6-1027-98f4-d28b5365dc14

In this case, the server is either to add the entry using the
provided 'entryUUID' value or fail the request.

To provide a replacement value for the 'entryUUID' after entry
creation, the client should issue an LDAP Modify request with a
Manage DIT control including an appropriate change. For instance:

    dn: ou=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: modify
    replace: entryUUID
    entryUUID: 597ae2f6-16a6-1027-98f4-d28b5365dc14
    -
In this case, the server is either to replace the 'entryUUID' value
as requested or fail the request.

3.2.2. createTimestamp

To provide a value for the 'createTimestamp' attribute on entry
creation, the client should issue an LDAP Add request with a Manage
DIT control providing the desired 'createTimestamp' value. For

    dn: ou=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: add
    objectClass: organizationalUnit
    ou: Unit
    createTimestamp: 20060101000000Z

In this case, the server is either to add the entry using the
provided 'createTimestamp' value or fail the request.

To provide a replacement value for the 'createTimestamp' after
entry creation, the client should issue an LDAP Modify request with
a Manage DIT control including an appropriate change. For instance:

    dn: ou=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: modify
    replace: createTimestamp
    createTimestamp: 20060101000000Z
    -

In this case, the server is either to replace the 'createTimestamp'
value as requested or fail the request.

The server should ensure the requested 'createTimestamp' value is
appropriate. In particular, it should fail the request if the
requested 'createTimestamp' value is in the future or is greater
than the value of the 'modifyTimestamp' attribute.
3.2.3. modifyTimestamp

To provide a value for the 'modifyTimestamp' attribute on entry
creation, the client should issue an LDAP Add request with a Manage
DIT control providing the desired 'modifyTimestamp' value. For

    dn: ou=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: add
    objectClass: organizationalUnit
    ou: Unit
    modifyTimestamp: 20060101000000Z

In this case, the server is either to add the entry using
the provided 'modifyTimestamp' value or fail the request.

To provide a replacement value for the 'modifyTimestamp' after
entry creation, the client should issue an LDAP Modify
request with a Manage DIT control including an appropriate
change. For instance:

    dn: ou=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: modify
    replace: modifyTimestamp
    modifyTimestamp: 20060101000000Z
    -

In this case, the server is either to replace the 'modifyTimestamp'
value as requested or fail the request.

The server should ensure the requested 'modifyTimestamp' value is
appropriate. In particular, it should fail the request if the
requested 'modifyTimestamp' value is in the future or is less than
the value of the 'createTimestamp' attribute.
3.2.3. creatorsName and modifiersName

To provide a value for the 'creatorsName' and/or 'modifiersName'
attribute on entry creation, the client should issue an LDAP Add
request with a Manage DIT control providing the desired values.

    dn: ou=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: add
    objectClass: organizationalUnit
    ou: Unit
    creatorsName: cn=Jane Doe,dc=example,dc=net
    modifiersName: cn=Jane Doe,dc=example,dc=net

In this case, the server is either to add the entry using
the provided values or fail the request.

To provide replacement values after entry creation for either of
the 'creatorsName' or 'modifiersName' attributes or both, the
client should issue an LDAP Modify request with a Manage DIT control
including the appropriate changes. For instance:

    dn: ou=Unit,dc=example,dc=net
    control: IANA-ASSIGNED-OID
    changetype: modify
    replace: creatorsName
    creatorsName: cn=Jane Doe,dc=example,dc=net
    -
    replace: modifiersName
    modifiersName: cn=Jane Doe,dc=example,dc=net
    -

In this case, the server is either to replace the provided
values as requested or fail the request.
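As an added example (not from the draft) for Section 3.6 and its
subsections on 'entryUUID', 'createTimestamp', 'modifyTimestamp',
'creatorsName' and 'modifiersName', the following Python is the
server-side policy a Modify of NO-USER-MODIFICATION attributes would
pass through. The two attribute lists come from the draft: the
attributes whose constraint the subsections allow to be relaxed, and the
attributes whose constraint MUST NOT be relaxed. Everything else is an
assumption: the function names, the single-valued dict representation of
an entry, the reference clock (the draft's own date, used so the
"in the future" checks are reproducible) and the minimal GeneralizedTime
and DN syntax checks. It implements the draft's default that an
attribute no document has cleared for relaxation is not relaxed, and the
timestamp ordering rules of the createTimestamp and modifyTimestamp
subsections.

```python
"""Added example, not from the draft: relaxing NO-USER-MODIFICATION (3.6)."""
import re
from datetime import datetime, timezone

# Operational attributes the draft's subsections allow to be relaxed.
RELAXABLE = {"entryUUID", "createTimestamp", "modifyTimestamp",
             "creatorsName", "modifiersName"}
# Attributes whose constraint MUST NOT / should not be relaxed (Section 3.6).
NEVER_RELAXED = {"structuralObjectClass", "entryDN", "subschemaSubentry",
                 "collectiveAttributeSubentries"}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed reference clock (the draft's date) so the examples are reproducible.
REFERENCE_NOW = datetime(2006, 2, 27, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Minimal GeneralizedTime parser for the YYYYMMDDHHMMSSZ form the draft uses."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _looks_like_dn(value: str) -> bool:
    return "=" in value.split(",")[0]


def check_nousermod_update(entry: dict, changes: dict, manage_dit: bool,
                           now: datetime = REFERENCE_NOW) -> str:
    """LDAP result code name for a Modify that replaces NO-USER-MODIFICATION values.

    entry   -- current attribute values (single-valued, as strings)
    changes -- attribute name -> requested replacement value
    """
    for attr in changes:
        if attr in NEVER_RELAXED or attr not in RELAXABLE:
            # 3.6: absent a document saying otherwise, assume relaxation is
            # not appropriate for this operational attribute.
            return "constraintViolation"
    if not manage_dit:
        return "constraintViolation"   # no control: the usual error applies

    merged = {**entry, **changes}      # the state the update would produce
    if "entryUUID" in changes and not UUID_RE.match(changes["entryUUID"]):
        return "invalidAttributeSyntax"
    for attr in ("creatorsName", "modifiersName"):
        if attr in changes and not _looks_like_dn(changes[attr]):
            return "invalidAttributeSyntax"
    try:
        ct = parse_generalized_time(merged["createTimestamp"]) if "createTimestamp" in merged else None
        mt = parse_generalized_time(merged["modifyTimestamp"]) if "modifyTimestamp" in merged else None
    except ValueError:
        return "invalidAttributeSyntax"
    if "createTimestamp" in changes and (ct > now or (mt is not None and ct > mt)):
        return "constraintViolation"   # not in the future, not after modifyTimestamp
    if "modifyTimestamp" in changes and (mt > now or (ct is not None and mt < ct)):
        return "constraintViolation"   # not in the future, not before createTimestamp
    return "success"
```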
4. Security Considerations

Use of this extension should be subject to appropriate administrative
and access controls. Use of this mechanism is intended to be
restricted to directory administrators.

Security considerations for the base operations [Protocol] extended
by this control, as well as general LDAP security considerations
[Roadmap], generally apply to implementation and use of this
5. IANA Considerations

5.1. Object Identifier

It is requested that IANA assign an LDAP Object Identifier [BCP64bis]
to identify the LDAP Manage DIT Control defined in this document.

    Subject: Request for LDAP Object Identifier Registration
    Person & email address to contact for further information:
        Kurt Zeilenga <kurt@OpenLDAP.org>
    Specification: RFC XXXX
    Author/Change Controller: Kurt Zeilenga <kurt@openldap.org>
    Comments: Identifies the LDAP Manage DIT Control
5.2. LDAP Protocol Mechanism

Registration of this protocol mechanism [BCP64bis] is requested.

    Subject: Request for LDAP Protocol Mechanism Registration
    Object Identifier: IANA-ASSIGNED-OID
    Description: Manage DIT Control
    Person & email address to contact for further information:
        Kurt Zeilenga <kurt@openldap.org>
    Specification: RFC XXXX
    Author/Change Controller: Kurt Zeilenga <kurt@openldap.org>

Email: Kurt@OpenLDAP.org

[[Note to the RFC Editor: please replace the citation tags used in
referencing Internet-Drafts with tags of the form RFCnnnn where
7.1. Normative References

[RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14 (also RFC 2119), March 1997.

[Roadmap]     Zeilenga, K. (editor), "LDAP: Technical Specification
              Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
              progress.

[Models]      Zeilenga, K. (editor), "LDAP: Directory Information
              Models", draft-ietf-ldapbis-models-xx.txt, a work in
              progress.

7.2. Informative References

[BCP64bis]    Zeilenga, K., "IANA Considerations for LDAP",
              draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.

[EntryUUID]   Zeilenga, K., "The LDAP EntryUUID Operational
              Attribute", draft-zeilenga-ldap-uuid-xx.txt, a work in
              progress.

[RFC2849]     Good, G., "The LDAP Data Interchange Format (LDIF) -
              Technical Specification", RFC 2849, June 2000.
Intellectual Property Rights

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be found
in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this specification
can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.