--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
+ <!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
+ <!ENTITY rfc822 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.0822.xml'>
+ <!ENTITY rfc2222 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2222.xml'>
+ <!ENTITY rfc2251 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2251.xml'>
+ <!ENTITY rfc2252 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2252.xml'>
+ <!ENTITY rfc2254 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2254.xml'>
+ <!ENTITY rfc2255 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2255.xml'>
+ <!ENTITY rfc3377 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3377.xml'>
+ <!ENTITY rfc3383 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3383.xml'>
+
+]>
+<?xml-stylesheet type='text/xsl' href='http://www.greenbytes.de/tech/webdav/rfc2629.xslt' ?>
+<?rfc toc="yes" ?>
+<?rfc tocdepth="2" ?>
+<?rfc tocindent="no" ?>
+<?rfc symrefs="yes" ?>
+<?rfc sortrefs="yes"?>
+<?rfc iprnotified="no" ?>
+<?rfc strict="yes" ?>
+<rfc ipr="full3978" docName="draft-chu-ldap-xordered-00.txt">
+ <front>
+ <title abbrev="LDAP Ordering Extension">Ordered Entries and Values in LDAP</title>
+ <author initials="H" fullname="Howard Chu" surname="Chu">
+ <organization>Symas Corp.</organization>
+ <address>
+ <postal>
+ <street>18740 Oxnard Street, Suite 313A</street>
+ <city>Tarzana</city>
+ <region>California</region>
+ <code>91356</code>
+ <country>USA</country>
+ </postal>
+ <phone>+1 818 757-7087</phone>
+ <email>hyc@symas.com</email>
+ </address>
+ </author>
+ <date year="2006" month="May"/>
+ <abstract>
+ <t>As LDAP is used more extensively for managing various
+kinds of data, one often encounters a need to preserve both the
+ordering and the content of data, despite the inherently unordered
+structure of entries and attribute values in the directory. This
+document describes a scheme to attach ordering information to
+attributes in a directory so that the ordering may be
+preserved and propagated to other LDAP applications.</t>
+ </abstract>
+ </front>
+
+ <middle>
+
+ <section title="Introduction">
+ <t>Information in LDAP directories is usually handled by
+applications in the form of ordered lists, which tends to encourage
+application developers to
+assume they are maintained as such, i.e., it is assumed that information
+stored in a particular order will always be retrieved and presented in
+that same order. The fact that directory attributes actually store sets of
+values, which are inherently unordered, often causes grief to users
+migrating their data into LDAP. Similar concerns arise over the order
+in which entries themselves are stored and retrieved from the directory.</t>
+ <t>This document describes a schema extension that may be
+used in LDAP attribute definitions to store ordering information along
+with the attribute values, so that the ordering can be recovered when
+retrieved by an LDAP client. The extension also provides automated
+management of this ordering information to ease manipulation of the
+ordered values.</t>
+ </section>
+
+ <section title="Conventions">
+ <t>Imperative keywords defined in <xref target="RFC2119"/> are used
+in this document, and carry the meanings described there.</t>
+ </section>
+
+ <section title="Ordering Extension">
+ <section title="Overview">
+ <t>The "X-ORDERED" schema extension is added to an
+AttributeTypeDescription to signify the use of this ordering mechanism. The
+extension has two variants, selected by either the 'VALUES' or 'SIBLINGS'
+qdstrings. In general this extension is only compatible with AttributeTypes
+that have a string-oriented syntax.</t>
+ <t>The "X-ORDERED 'VALUES'" extension is used with multi-valued
+attributes to maintain the order of multiple values of a given attribute.
+For example, this feature is useful for storing data such as access control
+rules, which must be evaluated in a specific order. If the access control
+information is stored in a multi-valued attribute without a means of
+preserving the the order of the rules, the access control rules cannot be
+evaluated properly. As the use of LDAP to store security policy and access
+control information becomes more prevalent, the necessity of this feature
+continues to grow.</t>
+ <t>
+The "X-ORDERED 'SIBLINGS'" extension is used with single-valued attributes
+to maintain the order of all the onelevel children of a parent entry. That is,
+ordering will be maintained for all the child entries whose RDNs are all of
+the same AttributeType. The motivation for this feature is much the same
+as for the 'VALUES' feature. Sometimes the information with the ordering
+dependency is too complex or highly structured to be conveniently stored
+in values of a multi-valued attribute. For example, one could store a
+prioritized list of servers as a set of separate entries, each entry
+containing separate attributes for a URL, a set of authentication
+credentials, and various other parameters. Using the 'SIBLINGS' feature
+with the attribute in the entries' RDNs would ensure that when obtaining
+the list of these entries, the list is returned in the intended order.
+ </t>
+ </section>
+ <section title="Encoding">
+ <t>Ordering information is encoded by prepending a value's ordinal
+index to each value, enclosed in braces. The following BNF specifies the
+encoding. It uses elements defined in <xref target="RFC2252"/>.
+ <list style="empty">
+ <t>d = "0" / "1" / "2" / "3" / "4" / "5" / "6" / "7" / "8" / "9"</t>
+ <t>numericstring = 1*d</t>
+ <t>ordering-prefix = "{" numericstring "}"</t>
+ <t>value = <any sequence of octets></t>
+ <t>ordered-value = ordering-prefix value</t>
+ </list></t>
+ <t>The ordinals are zero-based and increment by one for each value.</t>
+ <t>Note that when storing ordered-values into the directory, the
+ordering-prefix can usually be omitted as it will be generated automatically.
+But if the original value already begins with a sequence of characters in
+the form of an ordering-prefix, then an ordering-prefix must always be
+provided with that value, otherwise the value will be processed and
+stored incorrectly.</t>
+ <t>Using this extension on an attribute requires that ordering-prefix
+is a legal value of the LDAP syntax of that attribute.</t>
+ </section>
+ <section title="Ordering Properties">
+ <t>Since the ordering-prefix is stored with the attribute values,
+it will be propagated to any clients or servers that access the data.</t>
+ <t>Servers implementing this scheme SHOULD sort the values according
+to their ordering-prefix before returning them in search results.</t>
+ <t>The presence of the ordering extension alters the matching rules
+that apply to the attribute:
+ <list>
+ <t>When presented with an AssertionValue that does not have an
+ordering-prefix, the ordering-prefix in the AttributeValue is ignored.</t>
+ <t>When presented with an AssertionValue that consists solely of an
+ordering-prefix, only the ordering-prefix of the AttributeValue is compared;
+the remainder of the value is ignored.</t>
+ <t>When presented with an AssertionValue containing both the
+ordering-prefix and a value, both components are compared to determine a match.</t>
+ </list></t>
+ <t>A side effect of these properties is that even attributes that
+normally would have no equality matching rule can be matched by an
+ordering-prefix.</t>
+ <t>The ordering-prefix may also be used in Modification requests to
+specify which values to delete, and in which position values should be added.
+When processing deletions and insertions, all of the ordinals are recounted
+after each individual modification.</t>
+ <t>If a value being added does not have
+an ordering-prefix, it is simply appended to the list and the appropriate
+ordering-prefix is automatically generated. Likewise if an ordering-prefix
+is provided that is greater than or equal to the number of existing values.</t>
+ <t>See the examples in the next section.</t>
+ </section>
+ </section>
+ <section title="Examples">
+ <section title="Sample Schema">
+ <t>This schema is used for all of the examples:</t>
+ <t>( EXAMPLE_AT.1 NAME 'olcDatabase'<vspace/>
+ EQUALITY caseIgnoreMatch<vspace/>
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15<vspace/>
+ SINGLE-VALUE X-ORDERED 'SIBLINGS' )</t>
+ <t>( EXAMPLE_AT.2 NAME 'olcSuffix'<vspace/>
+ EQUALITY distinguishedNameMatch<vspace/>
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12<vspace/>
+ X-ORDERED 'VALUES' )</t>
+ <t>( EXAMPLE_OC.1 NAME 'olcDatabaseConfig' <vspace/>
+ SUP top STRUCTURAL<vspace/>
+ MAY ( olcDatabase $ olcSuffix ) )</t>
+ </section>
+ <section title="Ordered Values">
+ <t>Given this entry:</t>
+ <t>dn: olcDatabase={1}bdb,cn=config<vspace/>
+ olcDatabase: {1}bdb<vspace/>
+ objectClass: olcDatabaseConfig<vspace/>
+ olcSuffix: {0}dc=example,dc=com<vspace/>
+ olcSuffix: {1}o=example.com<vspace/>
+ olcSuffix: {2}o=The Example Company<vspace/>
+ olcSuffix: {3}o=example,c=us</t>
+
+ <t>We can perform these Modify operations:
+ <list style="numbers">
+
+ <t>dn: olcDatabase={1}bdb,cn=config<vspace/>
+ changetype: modify<vspace/>
+ delete: olcSuffix<vspace/>
+ olcSuffix: {0}<vspace/>
+ -<vspace/>
+ This operation deletes the first olcSuffix, regardless of its
+ value. All other values are bumped up one position. The olcSuffix
+ attribute will end up containing:<vspace/>
+ olcSuffix: {0}o=example.com<vspace/>
+ olcSuffix: {1}o=The Example Company<vspace/>
+ olcSuffix: {2}o=example,c=us</t>
+
+ <t>Starting from the original entry, we could issue this change
+ instead:<vspace/>
+ delete: olcSuffix<vspace/>
+ olcSuffix: o=example.com<vspace/>
+ -<vspace/>
+ This operation deletes the olcSuffix that matches the value,
+ regardless of its ordering-prefix. The olcSuffix attribute will contain:<vspace/>
+ olcSuffix: {0}dc=example,dc=com<vspace/>
+ olcSuffix: {1}o=The Example Company<vspace/>
+ olcSuffix: {2}o=example,c=us</t>
+
+ <t>Again, starting from the original entry, we could issue this
+ change:<vspace/>
+ delete: olcSuffix<vspace/>
+ olcSuffix: {2}o=The Example Company<vspace/>
+ -<vspace/>
+ Here both the ordering-prefix and the value must match, otherwise
+ the Modify would fail with noSuchAttribute. In this case the
+ olcSuffix attribute results in:<vspace/>
+ olcSuffix: {0}dc=example,dc=com<vspace/>
+ olcSuffix: {1}o=example.com<vspace/>
+ olcSuffix: {2}o=example,c=us</t>
+
+ <t>Adding a new value without an ordering-prefix simply appends:<vspace/>
+ add: olcSuffix<vspace/>
+ olcSuffix: o=example.org<vspace/>
+ -<vspace/>
+ The resulting attribute would be:<vspace/>
+ olcSuffix: {0}dc=example,dc=com<vspace/>
+ olcSuffix: {1}o=example.com<vspace/>
+ olcSuffix: {2}o=The Example Company<vspace/>
+ olcSuffix: {3}o=example,c=us<vspace/>
+ olcSuffix: {4}o=example.org</t>
+
+ <t>Adding a new value with an ordering-prefix inserts into the
+ specified position:<vspace/>
+ add: olcSuffix<vspace/>
+ olcSuffix: {0}o=example.org<vspace/>
+ -<vspace/>
+ The resulting attribute would be:<vspace/>
+ olcSuffix: {0}o=example.org<vspace/>
+ olcSuffix: {1}dc=example,dc=com<vspace/>
+ olcSuffix: {2}o=example.com<vspace/>
+ olcSuffix: {3}o=The Example Company<vspace/>
+ olcSuffix: {4}o=example,c=us</t>
+
+ <t>Modifying multiple values in one operation:<vspace/>
+ add: olcSuffix<vspace/>
+ olcSuffix: {0}ou=Dis,o=example.com<vspace/>
+ olcSuffix: {0}ou=Dat,o=example,com<vspace/>
+ -<vspace/>
+ delete: olcSuffix:<vspace/>
+ olcSuffix: {2}<vspace/>
+ olcSuffix: {1}<vspace/>
+ -<vspace/>
+ The resulting attribute would be:<vspace/>
+ olcSuffix: {0}ou=Dat,o=example,com<vspace/>
+ olcSuffix: {1}dc=example,dc=com<vspace/>
+ olcSuffix: {2}o=example.com<vspace/>
+ olcSuffix: {3}o=The Example Company<vspace/>
+ olcSuffix: {4}o=example,c=us</t>
+
+ <t>If the Adds and Deletes in the previous example were done
+ in the opposite order:<vspace/>
+ delete: olcSuffix:<vspace/>
+ olcSuffix: {2}<vspace/>
+ olcSuffix: {1}<vspace/>
+ -<vspace/>
+ add: olcSuffix<vspace/>
+ olcSuffix: {0}ou=Dis,o=example.com<vspace/>
+ olcSuffix: {0}ou=Dat,o=example,com<vspace/>
+ -<vspace/>
+ The result would be:<vspace/>
+ olcSuffix: {0}ou=Dat,o=example,com<vspace/>
+ olcSuffix: {1}ou=Dis,o=example.com<vspace/>
+ olcSuffix: {2}o=example.org<vspace/>
+ olcSuffix: {3}o=The Example Company<vspace/>
+ olcSuffix: {4}o=example,c=us</t>
+ </list>
+
+ </t>
+ <t>Note that matching against an ordering-prefix can also
+ be done in Compare operations and Search filters. E.g.,
+ the filter "(olcSuffix={4})" would match all entries with
+ at least 5 olcSuffix values.</t>
+ </section>
+ <section title="Ordered Siblings">
+ <t>The rules for Ordered Siblings are basically the same
+as for Ordered Values, except instead of working primarily with the Modify
+request, the operations of interest here are Add, Delete, and ModRDN.</t>
+ <t>Given these entries:</t>
+ <t>dn: olcDatabase={0}config,cn=config<vspace/>
+ olcDatabase: {0}config<vspace/>
+ objectClass: olcDatabaseConfig<vspace/>
+ olcSuffix: {0}cn=config</t>
+
+ <t>dn: olcDatabase={1}bdb,cn=config<vspace/>
+ olcDatabase: {1}bdb<vspace/>
+ objectClass: olcDatabaseConfig<vspace/>
+ olcSuffix: {0}dc=example,dc=com</t>
+
+ <t>We can perform these operations:
+ <list style="numbers">
+ <t>Add a new entry with no ordering-prefix:<vspace/>
+ dn: olcDatabase=hdb,cn=config<vspace/>
+ changetype: add<vspace/>
+ olcDatabase: hdb<vspace/>
+ objectClass: olcDatabaseConfig<vspace/>
+ olcSuffix: {0}dc=example,dc=org<vspace/>
+ The resulting entry will be:<vspace/>
+ dn: olcDatabase={2}hdb,cn=config<vspace/>
+ olcDatabase: {2}hdb<vspace/>
+ objectClass: olcDatabaseConfig<vspace/>
+ olcSuffix: {0}dc=example,dc=org</t>
+
+ <t>Continuing on with these three entries, we can add another
+ entry with a specific ordering-prefix:<vspace/>
+ dn: olcDatabase={1}ldif,cn=config<vspace/>
+ changetype: add<vspace/>
+ olcDatabase: {1}ldif<vspace/>
+ objectClass: olcDatabaseConfig<vspace/>
+ olcSuffix: {0}o=example.com<vspace/>
+ <vspace/>This would give us four entries, whose DNs are:
+ <list style="empty">
+ <t>dn: olcDatabase={0}config,cn=config</t>
+ <t>dn: olcDatabase={1}ldif,cn=config</t>
+ <t>dn: olcDatabase={2}bdb,cn=config</t>
+ <t>dn: olcDatabase={3}hdb,cn=config</t>
+ </list>
+ </t>
+
+ <t>Issuing a ModRDN request will cause multiple entries to
+ be renamed:<vspace/>
+ dn: olcDatabase={1}ldif,cn=config<vspace/>
+ changetype: modrdn<vspace/>
+ newrdn: olcDatabase={99}ldif<vspace/>
+ deleteoldrdn: 1<vspace/>
+ <vspace/>The resulting entries would be named:
+ <list style="empty">
+ <t>dn: olcDatabase={0}config,cn=config</t>
+ <t>dn: olcDatabase={1}bdb,cn=config</t>
+ <t>dn: olcDatabase={2}hdb,cn=config</t>
+ <t>dn: olcDatabase={3}ldif,cn=config</t>
+ </list>
+ </t>
+
+ <t>As may be expected, a Delete request will also rename the
+ remaining entries:<vspace/>
+ dn: olcDatabase={1}bdb,cn=config<vspace/>
+ changetype: delete<vspace/>
+ <vspace/>The remaining entries would be named:
+ <list style="empty">
+ <t>dn: olcDatabase={0}config,cn=config</t>
+ <t>dn: olcDatabase={1}hdb,cn=config</t>
+ <t>dn: olcDatabase={2}ldif,cn=config</t>
+ </list>
+ </t>
+ </list>
+ </t>
+ </section>
+
+ </section>
+ <section title="Security Considerations">
+ <t>General LDAP security considerations <xref target="RFC3377"/>
+ apply.</t>
+ </section>
+ </middle>
+
+ <back>
+ <references title="Normative References">
+ &rfc2119;
+ &rfc2252;
+ &rfc3377;
+ &rfc3383;
+ <reference anchor="X680">
+ <front>
+ <title>Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
+ <author>
+ <organization>International Telecommunications Union</organization>
+ </author>
+ <date month="July" year="2002"/>
+ </front>
+ <seriesInfo name="ITU-T" value="Recommendation X.680"/>
+ </reference>
+ </references>
+
+ <section title="IANA Considerations">
+ <t>In accordance with <xref target="RFC3383"/> (what needs to be done here?) . We probably need an OID for advertising in supportedFeatures.
+ </t>
+
+ </section>
+ </back>
+</rfc>