it is a lightweight protocol for accessing directory services,
specifically {{TERM:X.500}}-based directory services. LDAP runs
over {{TERM:TCP}}/{{TERM:IP}} or other connection oriented transfer
-services. The nitty-gritty details of LDAP are defined in
-{{REF:RFC2251}} "The Lightweight Directory Access Protocol (v3)"
-and other documents comprising the technical specification
-{{REF:RFC3377}}. This section gives an overview of LDAP from a
+services. LDAP is an {{ORG:IETF}} Standard Track protocol and is
+specified as detailed in "Lightweight Directory Access Protocol
+(LDAP) Technical Specification Road Map" {{REF:RFC4510}}.
+
+This section gives an overview of LDAP from a
user's perspective.
{{What kind of information can be stored in the directory?}} The
entry for Barbara Jensen in the Internet naming example above has
an RDN of {{EX:uid=babs}} and a DN of
{{EX:uid=babs,ou=People,dc=example,dc=com}}. The full DN format
-is described in {{REF:RFC2253}}, "Lightweight Directory Access
-Protocol (v3): UTF-8 String Representation of Distinguished Names."
+is described in {{REF:RFC4514}}, "LDAP: String Representation of
+Distinguished Names."
{{How is the information accessed?}} LDAP defines operations for
interrogating and updating the directory. Operations are provided
A template is a prototype for generating LDAP search requests.
Templates are described by a prototype search filter and a list of
attributes which are required in queries generated from the template.
-The representation for prototype filter is similar to RFC 2254,
+The representation for prototype filter is similar to {{REF:RFC4515}},
except that the assertion values are missing. Examples of prototype
filters are: (sn=),(&(sn=)(givenname=)) which are instantiated by
search filters (sn=Doe) and (&(sn=Doe)(givenname=John)) respectively.
OpenLDAP clients and servers are capable of authenticating via the
{{TERM[expand]SASL}} ({{TERM:SASL}}) framework, which is detailed
-in {{REF:RFC2222}}. This chapter describes how to make use of
+in {{REF:RFC4422}}. This chapter describes how to make use of
SASL in OpenLDAP.
There are several industry standard authentication mechanisms that
The {{attributetype}} directive is used to define a new attribute
type. The directive uses the same Attribute Type Description
-(as defined in {{REF:RFC2252}}) used by the attributeTypes
+(as defined in {{REF:RFC4512}}) used by the attributeTypes
attribute found in the subschema subentry, e.g.:
-E: attributetype <{{REF:RFC2252}} Attribute Type Description>
+E: attributetype <{{REF:RFC4512}} Attribute Type Description>
where Attribute Type Description is defined by the following
{{TERM:BNF}}:
The {{objectclasses}} directive is used to define a new object
class. The directive uses the same Object Class Description
-(as defined in {{REF:RFC2252}}) used by the objectClasses
+(as defined in {{REF:RFC4512}}) used by the objectClasses
attribute found in the subschema subentry, e.g.:
-E: objectclass <{{REF:RFC2252}} Object Class Description>
+E: objectclass <{{REF:RFC4512}} Object Class Description>
where Object Class Description is defined by the following
{{TERM:BNF}}:
!if 0
H2: Transferring Schema
-Since the {{slapd.conf}}(5) schema directives use {{REF:RFC2252}}
+Since the {{slapd.conf}}(5) schema directives use {{REF:RFC4512}}
format values, you can extract schema elements published by
any LDAPv3 server and easily construct directives for use with
{{slapd}}(8).
objectClass.
-H4: olcAttributeTypes: <{{REF:RFC2252}} Attribute Type Description>
+H4: olcAttributeTypes: <{{REF:RFC4512}} Attribute Type Description>
This directive defines an attribute type.
Please see the {{SECT:Schema Specification}} chapter
for information regarding how to use this directive.
-H4: olcObjectClasses: <{{REF:RFC2252}} Object Class Description>
+H4: olcObjectClasses: <{{REF:RFC4512}} Object Class Description>
This directive defines an object class.
Please see the {{SECT:Schema Specification}} chapter for
> olcRootPW: secret
-It is also permissible to provide a hash of the password in RFC 2307
-form. {{slappasswd}}(8) may be used to generate the password hash.
+It is also permissible to provide a hash of the password in
+{{REF:RFC2307}} form. {{slappasswd}}(8) may be used to generate
+the password hash.
\Example:
discussed further in this document.) The third form is used to
select entries which are within the requested scope of DN. The
<DN> is a string representation of the Distinguished Name, as
-described in {{REF:RFC2253}}.
+described in {{REF:RFC4514}}.
The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
or {{EX:children}}. Where {{EX:base}} matches only the entry with
> to filter=<ldap filter>
where <ldap filter> is a string representation of an LDAP
-search filter, as described in {{REF:RFC2254}}. For example:
+search filter, as described in {{REF:RFC4515}}. For example:
> to filter=(objectClass=person)
both authenticated and anonymous users read access.
-H4: attributetype <{{REF:RFC2252}} Attribute Type Description>
+H4: attributetype <{{REF:RFC4512}} Attribute Type Description>
This directive defines an attribute type.
Please see the {{SECT:Schema Specification}} chapter
E: loglevel 256
-H4: objectclass <{{REF:RFC2252}} Object Class Description>
+H4: objectclass <{{REF:RFC4512}} Object Class Description>
This directive defines an object class.
Please see the {{SECT:Schema Specification}} chapter for
> rootpw secret
-It is also permissible to provide hash of the password in RFC 2307
+It is also permissible to provide hash of the password in {{REF:RFC2307}}
form. {{slappasswd}}(8) may be used to generate the password hash.
\Example:
discussed further in this document.) The third form is used to
select entries which are within the requested scope of DN. The
<DN> is a string representation of the Distinguished Name, as
-described in {{REF:RFC2253}}.
+described in {{REF:RFC4514}}.
The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
or {{EX:children}}. Where {{EX:base}} matches only the entry with
> to filter=<ldap filter>
where <ldap filter> is a string representation of an LDAP
-search filter, as described in {{REF:RFC2254}}. For example:
+search filter, as described in {{REF:RFC4515}}. For example:
> to filter=(objectClass=person)
{{TERM[expand]TLS}} ({{TERM:TLS}}) framework to provide
integrity and confidentiality protections and to support
LDAP authentication using the {{TERM:SASL}} EXTERNAL mechanism.
+TLS is defined in {{REF:RFC4346}}.
H2: TLS Certificates
to name the server, and the {{EX:CN}} must carry the server's
fully qualified domain name. Additional alias names and wildcards
may be present in the {{EX:subjectAltName}} certificate extension.
-More details on server certificate names are in {{REF:RFC2830}}.
+More details on server certificate names are in {{REF:RFC4513}}.
H3: Client Certificates
!block references; data
Reference|Status|Document|Jump
RFC2079|PS|Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifers|http://www.rfc-editor.org/rfc/rfc2079.txt
-RFC2222|PS|Simple Authentication and Security Layer|http://www.rfc-editor.org/rfc/rfc2222.txt
-RFC2251|PS|Lightweight Directory Access Protocol (v3)|http://www.rfc-editor.org/rfc/rfc2251.txt
-RFC2252|PS|LDAPv3: Attribute Syntax Definitions|http://www.rfc-editor.org/rfc/rfc2252.txt
-RFC2253|PS|LDAPv3: UTF-8 String Representation of Distinguished Names|http://www.rfc-editor.org/rfc/rfc2253.txt
-RFC2254|PS|The String Representation of LDAP Search Filters|http://www.rfc-editor.org/rfc/rfc2254.txt
-RFC2255|PS|The LDAP URL Format|http://www.rfc-editor.org/rfc/rfc2255.txt
-RFC2256|PS|A Summary of the X.500(96) User Schema for use with LDAPv3|http://www.rfc-editor.org/rfc/rfc2256.txt
RFC2296|PS|Use of Language Codes in LDAP|http://www.rfc-editor.org/rfc/rfc2296.txt
+RFC2307|X|An Approach for Using LDAP as a Network Information Service|http://www.rfc-editor.org/rfc/rfc2307.txt
RFC2798|INFO|Definition of the inetOrgPerson LDAP Object Class|http://www.rfc-editor.org/rfc/rfc2798.txt
-RFC2829|PS|Authentication Methods for LDAP|http://www.rfc-editor.org/rfc/rfc2829.txt
-RFC2830|PS|LDAPv3: Extension for Transport Layer Security|http://www.rfc-editor.org/rfc/rfc2830.txt
RFC2831|PS|Using Digest Authentication as a SASL Mechanism|http://www.rfc-editor.org/rfc/rfc2831.txt
RFC2849|PS|The LDAP Data Interchange Format|http://www.rfc-editor.org/rfc/rfc2849.txt
RFC3088|X|OpenLDAP Root Service|http://www.rfc-editor.org/rfc/rfc3088.txt
RFC3296|PS|Named Subordinate References in LDAP|http://www.rfc-editor.org/rfc/rfc3296.txt
-RFC3377|PS|Lightweight Directory Access Protocol (v3): Technical Specification|http://www.rfc-editor.org/rfc/rfc3377.txt
-RFC3383|BCP|Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)|http://www.rfc-editor.org/rfc/rfc3383.txt
RFC3384|INFO|Lightweight Directory Access Protocol (version 3) Replication Requirements|http://www.rfc-editor.org/rfc/rfc3384.txt
RFC3494|INFO|Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status|http://www.rfc-editor.org/rfc/rfc3494.txt
RFC4013|PS|SASLprep: Stringprep Profile for User Names and Passwords
+RFC4346|PS|The Transport Layer Security (TLS) Protocol, Version 1.1|http://www.rfc-editor.org/rfc/rfc4346.txt
+RFC4422|PS|Simple Authentication and Security Layer (SASL)|http://www.rfc-editor.org/rfc/rfc4422.txt
+RFC4510|PS|Lightweight Directory Access Protocol (LDAP) Technical Specification Roadmap|http://www.rfc-editor.org/rfc/rfc4510.txt
+RFC4511|PS|Lightweight Directory Access Protocol (LDAP): The Protocol|http://www.rfc-editor.org/rfc/rfc4512.txt
+RFC4512|PS|Lightweight Directory Access Protocol (LDAP): Directory Information Models|http://www.rfc-editor.org/rfc/rfc4512.txt
+RFC4513|PS|Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms|http://www.rfc-editor.org/rfc/rfc4513.txt
+RFC4514|PS|Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names|http://www.rfc-editor.org/rfc/rfc4514.txt
+RFC4515|PS|Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters|http://www.rfc-editor.org/rfc/rfc4515.txt
+RFC4516|PS|Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator|http://www.rfc-editor.org/rfc/rfc4516.txt
+RFC4517|PS|Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules|http://www.rfc-editor.org/rfc/rfc4517.txt
+RFC4518|PS|Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation|http://www.rfc-editor.org/rfc/rfc4518.txt
+RFC4519|PS|Lightweight Directory Access Protocol (LDAP): Schema for User Applications|http://www.rfc-editor.org/rfc/rfc4519.txt
!endblock
opens a connection to an LDAP server, binds, and deletes one or more
entries. If one or more \fIDN\fP arguments are provided, entries with
those Distinguished Names are deleted. Each \fIDN\fP should be provided
-using the LDAPv3 string representation as defined in RFC 2253.
+using the LDAPv3 string representation as defined in RFC 4514.
If no \fIdn\fP arguments
are provided, a list of DNs is read from standard input (or from
\fIfile\fP if the -f flag is used).
.B ldapsearch
opens a connection to an LDAP server, binds, and performs a search
using specified parameters. The \fIfilter\fP should conform to
-the string representation for search filters as defined in RFC 2254.
+the string representation for search filters as defined in RFC 4515.
If not provided, the default filter, (objectClass=*), is used.
.LP
If
General extensions:
.nf
- [!]assert=<filter> (an RFC 2254 Filter)
+ [!]assert=<filter> (an RFC 4515 Filter)
[!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
[!]manageDSAit
[!]noop
.fi
.SH DESCRIPTION
.LP
-The Lightweight Directory Access Protocol (LDAP) (RFC 3377) provides
+The Lightweight Directory Access Protocol (LDAP) (RFC 4510) provides
access to X.500 directory services. These services may be stand\-alone
or part of a distributed directory service. This client API supports
-LDAP over TCP (RFC2251), LDAP over TLS/SSL, and LDAP over IPC (UNIX
-domain sockets). This API supports SASL (RFC2829) and Start TLS
-(RFC2830) as well as a number of protocol extensions. This API is
+LDAP over TCP (RFC 4511), LDAP over TLS/SSL, and LDAP over IPC (UNIX
+domain sockets). This API supports SASL (RFC 4513) and Start TLS
+(RFC 4513) as well as a number of protocol extensions. This API is
loosely based upon IETF/LDAPEXT C LDAP API draft specification, a (orphaned)
work in progress.
.LP
.BR ldap_err2string (3).
.SH LDAP versions
This library supports version 3 of the Lightweight Directory Access
-Protocol (LDAPv3) as defined in RFC 3377. It also supports a variant
+Protocol (LDAPv3) as defined in RFC 4510. It also supports a variant
of version 2 of LDAP as defined by U-Mich LDAP and, to some degree,
-RFC 1777. Version 2 (all variants) should be viewed as obsolete.
+RFC 1777. Version 2 (all variants) are considered obsolete.
Version 3 should be used instead.
.LP
For backwards compatibility reasons, the library defaults to version 2.
encoded Unicode (version 3.2).
.LP
Distinguished names (DN) (and relative distinguished names (RDN) to
-be passed to the LDAP routines should conform to RFC 2253 UTF\-8
+be passed to the LDAP routines should conform to RFC 4514 UTF\-8
string representation.
.LP
Search filters to be passed to the search routines are to be
-constructed by hand and should conform to RFC 2254 UTF\-8
+constructed by hand and should conform to RFC 4515 UTF\-8
string representation.
.LP
LDAP URL are to be passed to routines are expected to conform
-to RFC 2255 syntax. The
+to RFC 4516 format. The
.BR ldap_url (3)
routines can be used to work with LDAP URLs.
.SH DISPLAYING RESULTS
.BR ldap_open (3),
.BR ldap_set_option (3),
.BR ldap_url_parse (3)
-.B RFC 2222
-(http://www.ietf.org),
+.B RFC 4422
+(http://www.rfc-editor.org),
.B Cyrus SASL
(http://asg.web.cmu.edu/sasl/)
.SH ACKNOWLEDGEMENTS
These routines allow LDAP entry names (Distinguished Names, or DNs)
to be obtained, parsed, converted to a user-friendly form, and tested.
A DN has the form described in
-RFC 2253 "Lightweight Directory Access Protocol (v3):
-UTF-8 String Representation of Distinguished Names".
+RFC 4414 "Lightweight Directory Access Protocol (LDAP):
+String Representation of Distinguished Names".
.LP
The
.B ldap_get_dn()
or
.B LDAP_AVA_BINARY,
the latter meaning that the value is BER/DER encoded and thus must
-be represented as, quoting from RFC 2253, " ... an
+be represented as, quoting from RFC 4514, " ... an
octothorpe character ('#' ASCII 35) followed by the hexadecimal
representation of each of the bytes of the BER encoding of the X.500
AttributeValue."
LDAP_DN_FORMAT_DCE
.fi
-which defines what DN syntax is expected (according to RFC 2253,
+which defines what DN syntax is expected (according to RFC 4514,
RFC 1779 and DCE, respectively).
The format can be \fIOR\fPed to the flags
.LP
int code;
.SH DESCRIPTION
These routines are used to parse schema definitions in the syntax
-defined in RFC 2252 into structs and handle these structs. These
+defined in RFC 4512 into structs and handle these structs. These
routines handle four kinds of definitions: syntaxes, matching rules,
attribute types and object classes. For each definition kind, four
routines are provided.
.LP
.B ldap_str2xxx()
-takes a definition in RFC 2252 format in argument
+takes a definition in RFC 4512 format in argument
.IR s
as a NUL-terminated string and returns, if possible, a pointer to a
newly allocated struct of the appropriate kind. The caller is
syntax recognized. The following values are defined:
.TP
.B LDAP_SCHEMA_ALLOW_NONE
-strict parsing according to RFC 2252.
+strict parsing according to RFC 4512.
.TP
.B LDAP_SCHEMA_ALLOW_NO_OID
permit definitions that do not contain an initial OID.
.LP
Routines
.B ldap_xxx2str()
-return a string representation in the format described by RFC 2252 of
+return a string representation in the format described by RFC 4512 of
the struct passed in the argument. The string is a newly allocated
string that must be freed by the caller. These routines may return
NULL if no memory can be allocated for the string.
.LP
The '~=' construct is used to specify approximate matching. The
representation for <attributetype> and <attributevalue> are as
-described in RFC
2254. In addition, <attributevalue> can be a single *
+described in RFC
4515. In addition, <attributevalue> can be a single *
to achieve an attribute existence test, or can contain text and *'s
interspersed to achieve substring matching.
.LP
attribute. The filter "(mail=*@terminator.rs.itd.umich.edu)" will find
any entries that have a mail attribute ending in the specified string.
To put parentheses in a filter, escape them with a backslash '\\'
-character. See RFC 2254 for a more complete description of allowable
+character. See RFC 4515 for a more complete description of allowable
filters.
.LP
\fIAttrs\fP is a null-terminated array of attribute types to return
ldap_free_urldesc( LDAPURLDesc *ludp )
.SH DESCRIPTION
These routines support the use of LDAP URLs (Uniform Resource Locators)
-as detailed in RFC 2255. LDAP URLs look like this:
+as detailed in RFC 4516. LDAP URLs look like this:
.nf
\fBldap://\fP\fIhostport\fP\fB/\fP\fIdn\fP[\fB?\fP\fIattrs\fP[\fB?\fP\fIscope\fP[\fB?\fP\fIfilter\fP[\fB?\fP\fIexts\fP]]]]
.SH SEE ALSO
.BR ldap (3)
.LP
-.B The LDAP URL Format, RFC 2255,
+.B LDAP: Uniform Resource Locator, RFC 4516,
Tim Howes and Mark Smith, December 1997.
.SH ACKNOWLEDGEMENTS
.B OpenLDAP
.B search
operation when the
.B manageDSAit
-control (RFC3296) is used, otherwise for every operation a referral,
+control (RFC 3296) is used, otherwise for every operation a referral,
whenever appropriate, or an error is returned.
Currently, there is no means to condition the returning of the referral
by means of ACLs; no access control is implemented, except for
.LP
The statement
.B filter=<ldapfilter>
-selects the entries based on a valid LDAP filter as described in RFC 2254.
+selects the entries based on a valid LDAP filter as described in RFC 4515.
A filter of
.B (objectClass=*)
is implied if no
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
-RFC 2251 reserves options beginning with `x-' for private experiments.
-Other options should be registered with IANA, see RFC 3383 section 3.4.
+RFC 4520 reserves options beginning with `x-' for private experiments.
+Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
.HP
[NO\-USER\-MODIFICATION]\
[USAGE\ <attributeUsage>]\ )"
.RS
-Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
[MAY\ <oids>]\
[NOT\ <oids>]\ )"
.RS
-Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
[{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
[MUST\ <oids>] [MAY\ <oids>] )"
.RS
-Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the object class OID.
(See the
.B
A template is defined by a filter string and an index identifying a set of
attributes. The \fBtemplate string\fP for a query can be obtained by
-removing assertion values from the RFC 2254 representation of its search
+removing assertion values from the RFC 4515 representation of its search
filter. A query belongs to a template if its template string and set of
projected attributes correspond to a cacheable template.
Examples of template strings are \fB(mail=)\fP, \fB(|(sn=)(cn=))\fP,
time=
.RS 4
-generalizedTimeString as specified in section 6.14 of [RFC2252]
+GeneralizedTime as specified in section 3.3.13 of [RFC4517]
.RE
.P
.RS 4
This is the string representation of the dotted-decimal OID that
defines the syntax used to store the password. numericoid is
-described in section 4.1 of [RFC2252].
+described in section 1.4 of [RFC4512].
.RE
-length = numericstring
+length = NumericString
.RS 4
-The number of octets in the data. numericstring is described in
-section 4.1 of [RFC2252].
+The number of octets in the data. NumericString is described in
+section 3.3.23 of [RFC4517].
.RE
data =
into a command.
.SH LIMITATIONS
The practice storing hashed passwords in userPassword violates
-Standard Track (RFC 2256) schema specifications and may hinder
+Standard Track (RFC 4519) schema specifications and may hinder
interoperability. A new attribute type, authPassword, to hold
hashed passwords has been defined (RFC 3112), but is not yet
implemented in
.BR slapd (8)
.BR slapd.conf (5)
.B RFC 2307
-.B RFC 2256
+.B RFC 4519
.B RFC 3112
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
projects / openldap / commitdiff