米葫芦网

RFC3088 - OpenLDAP Root Service An experimental LDAP referral service

热度:15℃ 发布时间:2025-03-18 14:33:05

Network Working Group K. Zeilenga
Request for Comments: 3088 OpenLDAP Foundation
Category: EXPerimental April 2001
OpenLDAP Root Service
An experimental LDAP referral service
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
The OpenLDAP Project is operating an experimental LDAP (Lightweight
Directory Access Protocol) referral service known as the "OpenLDAP
Root Service". The automated system generates referrals based upon
service location information published in DNS SRV RRs (Domain Name
System location of services resource records). This document
describes this service.
1. Background
LDAP [RFC2251] directories use a hierarchical naming scheme inherited
from X.500 [X500]. Traditionally, X.500 deployments have used a
geo-political naming scheme (e.g., CN=Jane
Doe,OU=Engineering,O=Example,ST=CA,C=US). However, registration
infrastrUCture and location services in many portions of the naming
hierarchical are inadequate or nonexistent.
The construction of a global directory requires a robust registration
infrastructure and location service. Use of Internet domain-based
naming [RFC2247] (e.g., UID=jdoe,DC=eng,DC=example,DC=net) allows
LDAP directory services to leverage the existing DNS [RFC1034]
registration infrastructure and DNS SRV [RFC2782] resource records
can be used to locate services [LOCATE].
1.1. The Glue
Most existing LDAP implementations do not support location of
directory services using DNS SRV resource records. However, most
servers support generation of referrals to "superior" server(s).
This service provides a "root" LDAP service which servers may use as
their superior referral service.
Client may also use the service directly to locate services
associated with an arbitrary Distinguished Name [RFC2253] within the
domain based hierarchy.
Notice:
The mechanisms used by service are experimental. The descriptions
provided by this document are not definitive. Definitive
mechanisms shall be published in a Standard Track document(s).
2. Generating Referrals based upon DNS SRV RRs
This service returns referrals generated from DNS SRV resource
records [RFC2782].
2.1. DN to Domain Name Mapping
The service maps a DN [RFC2253] to a fully qualified domain name
using the following algorithm:
domain = null;
foreach RDN left-to-right // [1]
{
if not multi-valued RDN and
RDN.type == domainComponent
{
if ( domain == null domain == "." )
{ // start
domain = "";
}
else
{ // append separator
domain .= ".";
}
if ( RDN.value == "." )
{ // root
domain = ".";
}
else
{ // append domainComponent
domain .= RDN.value;
}
continue;
}
domain = null;
}
Examples:
Distinguished Name Domain
----------------------------- ------------
DC=example,DC=net example.net
UID=jdoe,DC=example,DC=net example.net
DC=. . [2]
DC=example,DC=net,DC=. . [3]
DC=example,DC=.,DC=net net [4]
DC=example.net example.net [5]
CN=Jane Doe,O=example,C=US null
UID=jdoe,DC=example,C=US null
DC=example,O=example,DC=net net
DC=example+O=example,DC=net net
DC=example,C=US+DC=net null
Notes:
0) A later incarnation will use a Standard Track mechanism.
1) A later incarnation of this service may use a right-to-left
algorithm.
2) RFC2247 does not state how one can map the domain representing
the root of the domain tree to a DN. We suggest the root of the
domain tree be mapped to "DC=." and that this be reversable.
3) RFC2247 states that domain "example.net" should be mapped to the
DN "DC=example,DC=net", not to "DC=example,DC=net,DC=.". As it is
not our intent to introduce or support an alternative domain to DN
mapping, the algorithm ignores domainComponents to the left of
"DC=.".
4) RFC2247 states that domain "example.net" should be mapped to the
DN "DC=example,DC=net", not to "DC=example,DC=.,DC=net". As it is
not our intent to introduce or support an alternative domain to DN
mapping, the algorithm ignores domainComponents to the left of
"DC=." and "DC=." itself if further domainComponents are found to
the right.
5) RFC2247 states that value of an DC attribute type is a domain
component. It should not contain multiple domain components. A
later incarnation of this service may map this domain to null or
be coded to return invalid DN error.
If the domain is null or ".", the service aborts further processing
and returns noSuchObject. Later incarnation of this service may
abort processing if the resulting domain is a top-level domain.
2.2. Locating LDAP services
The root service locates services associated with a given fully
qualified domain name by querying the Domain Name System for LDAP SRV
resource records. For the domain example.net, the service would do a
issue a SRV query for the domain "_ldap._tcp.example.net". A
successful query will return one or more resource records of the
form:
_ldap._tcp.example.net. IN SRV 0 0 389 ldap.example.net.
If no LDAP SRV resource records are returned or any DNS error occurs,
the service aborts further processing and returns noSuchObject.
Later incarnations of this service will better handle transient
errors.
2.3. Constructing an LDAP Referrals
For each DNS SRV resource record returned for the domain, a LDAP URL
[RFC2255] is constructed. For the above resource record, the URL
would be:
ldap://ldap.example.net:389/
These URLs are then returned in the referral. The URLs are currently
returned in resolver order. That is, the server itself does not make
use of priority or weight information in the SRV resource records. A
later incarnation of this service may.
3. Protocol Operations
This section describes how the service performs basic LDAP
operations. The service supports operations extended through certain
controls as described in a later section.
3.1. Basic Operations
Basic (add, compare, delete, modify, rename, search) operations
return a referral result if the target (or base) DN can be mapped to
a set of LDAP URLs as described above. Otherwise a noSuchObject
response or other appropriate response is returned.
3.2. Bind Operation
The service accepts "anonymous" bind specifying version 2 or version
3 of the protocol. All other bind requests will return a non-
successful resultCode. In particular, clients which submit clear
text credentials will be sent an unwillingToPerform resultCode with a
cautionary text regarding providing passWords to strangers.
As this service is read-only, LDAPv3 authentication [RFC2829] is not
supported.
3.3. Unbind Operations
Upon receipt of an unbind request, the server abandons all
outstanding requests made by client and disconnects.
3.4. Extended Operations
The service currently does recognize any extended operation. Later
incarnations of the service may support Start TLS [RFC2830] and other
operations.
3.5. Update Operations
A later incarnation of this service may return unwillingToPerform for
all update operations as this is an unauthenticated service.
4. Controls
The service supports the ManageDSAit control. Unsupported controls
are serviced per RFC2251.
4.1. ManageDSAit Control
The server recognizes and honors the ManageDSAit control [NAMEDREF]
provided with operations.
If DNS location information is available for the base DN itself, the
service will return unwillingToPerform for non-search operations.
For search operations, an entry will be returned if within scope and
matches the provided filter. For example:
c: searchRequest {
base="DC=example,DC=net"
scope=base
filter=(objectClass=*)
ManageDSAit
}
s: searchEntry {
dn: DC=example,DC=net
objectClass: referral
objectClass: extensibleObject
dc: example
ref: ldap://ldap.example.net:389/
associatedDomain: example.net
}
s: searchResult {
success
}
If DNS location information is available for the DC portion of a
subordinate entry, the service will return noSuchObject with the
matchedDN set to the DC portion of the base for search and update
operations.
c: searchRequest {
base="CN=subordinate,DC=example,DC=net"
scope=base
filter=(objectClass=*)
ManageDSAit
}
s: searchResult {
noSuchObject
matchedDN="DC=example,DC=net"
}
5. Using the Service
Servers may be configured to refer superior requests to
<ldap://root.openldap.org:389>.
Though clients may use the service directly, this is not encouraged.
Clients should use a local service and only use this service when
referred to it.
The service supports LDAPv3 and LDAPv2+ [LDAPv2+] clients over
TCP/IPv4. Future incarnations of this service may support TCP/IPv6
or other transport/internet protocols.
6. Lessons Learned
6.1. Scaling / Reliability
This service currently runs on a single host. This host and
associated network resources are not yet exhausted. If they do
become exhausted, we believe we can easily scale to meet the demand
through common distributed load balancing technics. The service can
also easily be duplicated locally.
6.2. Protocol interoperability
This service has able avoided known interoperability issues in
supporting variants of LDAP.
6.2.1. LDAPv3
The server implements all features of LDAPv3 [RFC2251] necessary to
provide the service.
6.2.2. LDAPv2
LDAPv2 [RFC1777] does not support the return of referrals and hence
may not be referred to this service. Though a LDAPv2 client could
connect and issue requests to this service, the client would treat
any referral returned to it as an unknown error.
6.2.3. LDAPv2+
LDAPv2+ [LDAPv2+] provides a number of extensions to LDAPv2,
including referrals. LDAPv2+, like LDAPv3, does not require a bind
operation before issuing of other operations. As the referral
representation differ between LDAPv2+ and LDAPv3, the service returns
LDAPv3 referrals in this case. However, as commonly deployed LDAPv2+
clients issue bind requests (for compatibility with LDAPv2 servers),
this has not generated any interoperability issues (yet).
A future incarnation of this service may drop support for LDAPv2+
(and LDAPv2).
6.2.4. CLDAP
CLDAP [RFC1798] does not support the return of referrals and hence is
not supported.
7. Security Considerations
This service provides information to "anonymous" clients. This
information is derived from the public directories, namely the Domain
Name System.
The use of authentication would require clients to disclose
information to the service. This would be an unnecessary invasion of
privacy.
The lack of encryption allows eavesdropping upon client requests and
responses. A later incarnation of this service may support
encryption (such as via Start TLS [RFC2830]).
Information integrity protection is not provided by the service. The
service is subject to varies forms of DNS spoofing and attacks. LDAP
session or operation integrity would provide false sense of security
concerning the integrity of DNS information. A later incarnation of
this service may support DNSSEC and provide integrity protection (via
SASL, TLS, or IPSEC).
The service is subject to a variety of denial of service attacks.
The service is capable of blocking access by a number of factors.
This capability have yet to be used and likely would be ineffective
in preventing sophisticated attacks. Later incarnations of this
service will likely need better protection from such attacks.
8. Conclusions
DNS is good glue. By leveraging of the Domain Name System, global
LDAP directories may be built without requiring a protocol specific
registration infrastructures.
In addition, use of DNS service location allows global directories to
be built "ad hoc". That is, anyone with a domain name can
participate. There is no requirement that the superior domain
participate.
9. Additional Information
Additional information about the OpenLDAP Project and the OpenLDAP
Root Service can be found at <http://www.openldap.org/>.
10. Author"s Address
Kurt Zeilenga
OpenLDAP Foundation
EMail: kurt@openldap.org
11. Acknowledgments
Internet hosting for this experiment is provided by the Internet
Software Consortium <http://www.isc.org/>. Computing resources were
provided by Net Boolean Incorporated <http://www.boolean.net/>. This
experiment would not have been possible without the contributions of
numerous volunteers of the open source community. Mechanisms
described in this document are based upon those introduced in
[RFC2247] and [LOCATE].
References
[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
STD 13, RFC1034, November 1987.
[RFC1777] Yeong, W., Howes, T. and S. Kille, "Lightweight Directory
Access Protocol", RFC1777, March 1995.
[RFC1798] Young, A., "Connection-less Lightweight Directory Access
Protocol", RFC1798, June 1995.
[RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC2119, March 1997.
[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S.
Sataluri, "Using Domains in LDAP/X.500 Distinguished
Names", RFC2247, January 1998.
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC2251, December 1997.
[RFC2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory
Access Protocol (v3): UTF-8 String Representation of
Distinguished Names", RFC2253, December 1997.
[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC2255,
December 1997.
[RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC2782,
February 2000.
[RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan,
"Authentication Methods for LDAP", RFC2829, May 2000.
[RFC2830] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory
Access Protocol (v3): Extension for Transport Layer
Security", RFC2830, May 2000.
[LOCATE] IETF LDAPext WG, "Discovering LDAP Services with DNS",
Work in Progress.
[LDAPv2+] University of Michigan LDAP Team, "Referrals within the
LDAPv2 Protocol", August 1996.
[NAMEDREF] Zeilenga, K. (editor), "Named Subordinate References in
LDAP Directories", Work in Progress.
[X500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
Models and Service", 1993.
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFCEditor function is currently provided by the
Internet Society.

网友评论
评论
发 布

更多软件教程
  • 软件教程推荐
更多+
Greenfoot设置中文的方法

Greenfoot设置中文的方法

Greenfoot是一款简单易用的Java开发环境,该软件界面清爽简约,既可以作为一个开发框使用,也能够作为集成开发环境使用,操作起来十分简单。这款软件支持多种语言,但是默认的语言是英文,因此将该软件下载到电脑上的时候,会发现软件的界面语言是英文版本的,这对于英语基础较差的朋友来说,使用这款软件就会...

07-05

Egret UI Editor修改快捷键的方法

Egret UI Editor修改快捷键的方法

Egret UI Editor是一款开源的2D游戏开发代码编辑软件,其主要功能是针对Egret项目中的Exml皮肤文件进行可视化编辑,功能十分强大。我们在使用这款软件的过程中,可以将一些常用操作设置快捷键,这样就可以简化编程,从而提高代码编辑的工作效率。但是这款软件在日常生活中使用得不多,并且专业性...

07-05

KittenCode新建项目的方法

KittenCode新建项目的方法

KittenCode是一款十分专业的编程软件,该软件给用户提供了可视化的操作界面,支持Python语言的编程开发以及第三方库管理,并且提供了很多实用的工具,功能十分强大。我们在使用这款软件进行编程开发的过程中,最基本、最常做的操作就是新建项目,因此我们很有必要掌握新建项目的方法。但是这款软件的专业性...

07-05

Thonny设置中文的方法

Thonny设置中文的方法

Thonny是一款十分专业的Python编辑软件,该软件界面清爽简单,给用户提供了丰富的编程工具,具备代码补全、语法错误显示等功能,非常的适合新手使用。该软件还支持多种语言,所以在下载这款软件的时候,有时候下载到电脑中的软件是英文版本的,这对于英语基础较差的小伙伴来说,使用这款软件就会变得十分困难,...

07-05

最新软件下载