LDAP documents
Tim Howes <tim@terminator.rs.itd.umich.edu> Thu, 10 November 1994 21:05 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa10483; 10 Nov 94 16:05 EST
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa10475; 10 Nov 94 16:05 EST
Received: from haig.cs.ucl.ac.uk by CNRI.Reston.VA.US id aa15813; 10 Nov 94 16:04 EST
Received: from bells.cs.ucl.ac.uk by haig.cs.ucl.ac.uk with local SMTP id <g.04575-0@haig.cs.ucl.ac.uk>; Thu, 10 Nov 1994 20:37:37 +0000
Received: from terminator.rs.itd.umich.edu by bells.cs.ucl.ac.uk with Internet SMTP id <g.24554-0@bells.cs.ucl.ac.uk>; Thu, 10 Nov 1994 20:36:36 +0000
Received: from terminator.rs.itd.umich.edu by terminator.rs.itd.umich.edu (8.6.9/2.3) with SMTP id PAA19127; Thu, 10 Nov 1994 15:36:30 -0500
Message-Id: <199411102036.PAA19127@terminator.rs.itd.umich.edu>
Reply-To: osi-ds@cs.ucl.ac.uk
To: osi-ds@cs.ucl.ac.uk
cc: ietf-asid@umich.edu
Subject: LDAP documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0"
Date: Thu, 10 Nov 1994 15:36:30 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Tim Howes <tim@terminator.rs.itd.umich.edu>
Ooops. Here are the docs. -- Tim
Network Working Group Wengyik Yeong
INTERNET-DRAFT Performance Systems International
Tim Howes
University of Michigan
Steve Kille
ISODE Consortium
Lightweight Directory Access Protocol
1. Status of this Memo
This draft document will be submitted to the RFC Editor as a standards
document. Distribution of this memo is unlimited. Please send comments
to the authors, or the discussion group <osi-ds@cs.ucl.ac.uk>.
This document is an Internet-Draft. Internet-Drafts are working docu-
ments of the Internet Engineering Task Force (IETF), its areas, and its
working groups. Note that other groups may also distribute working
documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
2. Abstract
The protocol described in this document is designed to provide access to
the X.500 Directory while not incurring the resource requirements of the
Directory Access Protocol (DAP). This protocol is specifically targeted
at simple management applications and browser applications that provide
simple read/write interactive access to the X.500 Directory, and is
intended to be a complement to the DAP itself.
Key aspects of LDAP are
- Protocol elements are carried directly over TCP or other transport,
bypassing much of the session/presentation overhead.
- Many protocol data elements are encoding as ordinary strings (e.g.,
Expires 4/1/95 [Page 1]
LDAP July 1993
Distinguished Names).
- A lightweight BER encoding is used to encode all protocol elements.
3. History
The tremendous interest in X.500 [1,2] technology in the Internet has
lead to efforts to reduce the high ``cost of entry'' associated with use
of the technology, such as the Directory Assistance Service [3] and
DIXIE [4]. While efforts such as these have met with success, they have
been solutions based on particular implementations and as such have lim-
ited applicability. This document continues the efforts to define
Directory protocol alternatives but departs from previous efforts in
that it consciously avoids dependence on particular implementations.
4. Protocol Model
The general model adopted by this protocol is one of clients performing
protocol operations against servers. In this model, this is accomplished
by a client transmitting a protocol request describing the operation to
be performed to a server, which is then responsible for performing the
necessary operations on the Directory. Upon completion of the necessary
operations, the server returns a response containing any results or
errors to the requesting client. In keeping with the goal of easing the
costs associated with use of the Directory, it is an objective of this
protocol to minimize the complexity of clients so as to facilitate
widespread deployment of applications capable of utilizing the Direc-
tory.
Note that, although servers are required to return responses whenever
such responses are defined in the protocol, there is no requirement for
synchronous behavior on the part of either client or server implementa-
tions: requests and responses for multiple operations may be exchanged
by client and servers in any order, as long as clients eventually
receive a response for every request that requires one.
Consistent with the model of servers performing protocol operations on
behalf of clients, it is also to be noted that protocol servers are
expected to handle referrals without resorting to the return of such
referrals to the client. This protocol makes no provisions for the
return of referrals to clients, as the model is one of servers ensuring
the performance of all necessary operations in the Directory, with only
final results or errors being returned by servers to clients.
Note that this protocol can be mapped to a strict subset of the direc-
tory abstract service, so it can be cleanly provided by the DAP.
Expires 4/1/95 [Page 2]
LDAP July 1993
5. Mapping Onto Transport Services
This protocol is designed to run over connection-oriented, reliable
transports, with all 8 bits in an octet being significant in the data
stream. Specifications for two underlying services are defined here,
though others are also possible.
5.1. Transmission Control Protocol (TCP)
The LDAPMessage PDUs are mapped directly onto the TCP bytestream.
Server implementations running over the TCP should provide a protocol
listener on port 389.
5.2. Connection Oriented Transport Service (COTS)
The connection is established. No special use of T-Connect is made.
Each LDAPMessage PDU is mapped directly onto T-Data.
6. Elements of Protocol
For the purposes of protocol exchanges, all protocol operations are
encapsulated in a common envelope, the LDAPMessage, which is defined as
follows:
LDAPMessage ::=
SEQUENCE {
messageID MessageID,
protocolOp CHOICE {
bindRequest BindRequest,
bindResponse BindResponse,
unbindRequest UnbindRequest,
searchRequest SearchRequest,
searchResponse SearchResponse,
modifyRequest ModifyRequest,
modifyResponse ModifyResponse,
addRequest AddRequest,
addResponse AddResponse,
delRequest DelRequest,
delResponse DelResponse,
modifyRDNRequest ModifyRDNRequest,
modifyRDNResponse ModifyRDNResponse,
compareDNRequest CompareRequest,
compareDNResponse CompareResponse,
abandonRequest AbandonRequest
}
}
MessageID ::= INTEGER (0 .. maxInt)
Expires 4/1/95 [Page 3]
LDAP July 1993
The function of the LDAPMessage is to provide an envelope containing
common fields required in all protocol exchanges. At this time the only
common field is a message ID, which is required to have a value dif-
ferent from the values of any other requests outstanding in the LDAP
session of which this message is a part.
The message ID value must be echoed in all LDAPMessage envelopes encap-
sulting responses corresponding to the request contained in the LDAPMes-
sage in which the message ID value was originally used.
In addition to the LDAPMessage defined above, the following definitions
are also used in defining protocol operations:
LDAPString ::= OCTET STRING
The LDAPString is a notational convenience to indicate that, although
strings of LDAPString type encode as OCTET STRING types, the legal char-
acter set in such strings is limited to the IA5 character set.
LDAPDN ::= LDAPString
RelativeLDAPDN ::= LDAPString
An LDAPDN and a RelativeLDAPDN are respectively defined to be the
representation of a Distinguished Name and a Relative Distinguished Name
after encoding according to the specification in [5], such that
<distinguished-name> ::= <name>
<relative-distinguished-name> ::= <name-component>
where <name> and <name-component> are as defined in [5].
AttributeValueAssertion ::=
SEQUENCE {
attributeType AttributeType,
attributeValue AttributeValue
}
The AttributeValueAssertion type definition is similar to the one in
the X.500 Directory standards.
AttributeType ::= LDAPString
AttributeValue ::= OCTET STRING
Expires 4/1/95 [Page 4]
LDAP July 1993
An AttributeType value takes on as its value the textual string associ-
ated with that AttributeType in the X.500 Directory standards. For
example, the AttributeType 'organizationName' with object identifier
2.5.4.10 is represented as an AttributeType in this protocol by the
string ``organizationName''. In the event that a protocol implementa-
tion encounters an Attribute Type with which it cannot associate a tex-
tual string, an ASCII string encoding of the object identifier associ-
ated with the Attribute Type may be subsitituted. For example, the
organizationName AttributeType may be represented by the ASCII string
"2.5.4.10" if a protocol implementation is unable to associate the
string ``organizationName'' with it.
A field of type AttributeValue takes on as its value an octet string
encoding of a Directory AttributeValue type. The definition of these
string encodings for different Directory AttributeValue types may be
found in companions to this document that define the encodings of vari-
ous attribute syntaxes such as [6].
LDAPResult ::=
SEQUENCE {
resultCode ENUMERATED {
success (0),
operationsError (1),
protocolError (2),
timeLimitExceeded (3),
sizeLimitExceeded (4),
compareFalse (5),
compareTrue (6),
authMethodNotSupported (7),
strongAuthRequired (8),
noSuchAttribute (16),
undefinedAttributeType (17),
inappropriateMatching (18),
constraintViolation (19),
attributeOrValueExists (20),
invalidAttributeSyntax (21),
noSuchObject (32),
aliasProblem (33),
invalidDNSyntax (34),
isLeaf (35),
aliasDereferencingProblem (36),
inappropriateAuthentication (48),
invalidCredentials (49),
insufficientAccessRights (50),
busy (51),
unavailable (52),
unwillingToPerform (53),
loopDetect (54),
Expires 4/1/95 [Page 5]
LDAP July 1993
namingViolation (64),
objectClassViolation (65),
notAllowedOnNonLeaf (66),
notAllowedOnRDN (67),
entryAlreadyExists (68),
objectClassModsProhibited (69),
other (80)
},
matchedDN LDAPDN,
errorMessage LDAPString
}
The LDAPResult is the construct used in this protocol to return success
or failure indications from servers to clients. In response to various
requests, servers will return responses containing fields of type
LDAPResult to indicate the final status of a protocol operation request.
The errorMessage field of this construct may, at the servers option, be
used to return an ASCII string containing a textual, human-readable
error diagnostic. As this error diagnostic is not standardized, imple-
mentations should not rely on the values returned. If the server
chooses not to return a textual diagnostic, the errorMessage field of
the LDAPResult type should contain a zero length string.
For resultCodes of noSuchObject, aliasProblem, invalidDNSyntax, isLeaf,
and aliasDereferencingProblem, the matchedDN field is set to the name of
the lowest entry (object or alias) in the DIT that was matched and is a
truncated form of the name provided or, if an alias has been derefer-
enced, of the resulting name. The matchedDN field should be set to NULL
DN (a zero length string) in all other cases.
6.1. Bind Operation
The function of the Bind Operation is to initiate a protocol session
between a client and a server, and to allow the authentication of the
client to the server. The Bind Operation must be the first operation
request received by a server from a client in a protocol session. The
Bind Request is defined as follows:
BindRequest ::=
[APPLICATION 0] SEQUENCE {
version INTEGER (1 .. 127),
name LDAPDN,
authentication CHOICE {
simple [0] OCTET STRING,
krbv42LDAP [1] OCTET STRING,
krbv42DSA [2] OCTET STRING
}
}
Expires 4/1/95 [Page 6]
LDAP July 1993
Parameters of the Bind Request are:
- version: A version number indicating the version of the protocol to
be used in this protocol session. This document describes version
2 of the LDAP protocol. Note that there is no version negotiation,
and the client should just set this parameter to the version it
desires.
- name: The name of the Directory object that the client wishes to
bind as. This field may take on a null value (a zero length
string) for the purposes of anonymous binds.
- authentication: information used to authenticate the name, if any,
provided in the Bind Request. The ``simple'' authentication option
provides minimal authentication facilities, with the contents of
the authentication field consisting only of a cleartext password.
This option should also be used when unauthenticated or anonymous
binds are to be performed, with the field containing a zero length
string in such cases. Kerberos version 4 [7] authentication to the
LDAP server and the DSA is accomplished by using the ``krbv42LDAP''
and ``krbv42DSA'' authentication options, respectively. Note that
though they are referred to as separate entities here, there is no
requirement these two entities be distinct (i.e., a DSA could speak
LDAP directly). Two separate authentication options are provided
to support all implementations. Each octet string should contain
the kerberos ticket (e.g., as returned by krb_mk_req()) for the
appropriate service. The suggested service name for authentication
to the LDAP server is "ldapserver". The suggested service name for
authentication to the DSA is "x500dsa". In both cases, the sug-
gested instance name for the service is the name of the host on
which the service is running. Of course, the actual service names
and instances will depend on what is entered in the local kerberos
principle database.
The Bind Operation requires a response, the Bind Response, which is
defined as:
BindResponse ::= [APPLICATION 1] LDAPResult
A Bind Response consists simply of an indication from the server of the
status of the client's request for the initiation of a protocol session.
Upon receipt of a Bind Request, a protocol server will authenticate the
requesting client if necessary, and attempt to set up a protocol session
with that client. The server will then return a Bind Response to the
client indicating the status of the session setup request.
Expires 4/1/95 [Page 7]
LDAP July 1993
6.2. Unbind Operation
The function of the Unbind Operation is to terminate a protocol session.
The Unbind Operation is defined as follows:
UnbindRequest ::= [APPLICATION 2] NULL
The Unbind Operation has no response defined. Upon transmission of an
UnbindRequest, a protocol client may assume that the protocol session is
terminated. Upon receipt of an UnbindRequest, a protocol server may
assume that the requesting client has terminated the session and that
all outstanding requests may be discarded.
6.3. Search Operation
The Search Operation allows a client to request that a search be per-
formed on its behalf by a server. The Search Request is defined as fol-
lows:
SearchRequest ::=
[APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2)
},
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3)
},
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
attrsOnly BOOLEAN,
filter Filter,
attributes SEQUENCE OF AttributeType
}
Filter ::=
CHOICE {
and [0] SET OF Filter,
or [1] SET OF Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
Expires 4/1/95 [Page 8]
LDAP July 1993
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeType,
approxMatch [8] AttributeValueAssertion
}
SubstringFilter
SEQUENCE {
type AttributeType,
SEQUENCE OF CHOICE {
initial [0] LDAPString,
any [1] LDAPString,
final [2] LDAPString
}
}
Parameters of the Search Request are:
- baseObject: An LDAPDN that is the base object entry relative to
which the search is to be performed.
- scope: An indicator of the scope of the search to be performed. The
semantics of the possible values of this field are identical to the
semantics of the scope field in the Directory Search Operation.
- derefAliases: An indicator as to how alias objects should be han-
dled in searching. The semantics of the possible values of this
field are, in order of increasing value:
neverDerefAliases: do not dereference aliases in search-
ing or in locating the base object of the search;
derefInSearching: dereference aliases in subordinates of
the base object in searching, but not in locating the
base object of the search;
derefFindingBaseObject: dereference aliases in locating
the base object of the search, but not when searching
subordinates of the base object;
derefAlways: dereference aliases both in searching and in
locating the base object of the search.
- sizelimit: A sizelimit that restricts the maximum number of entries
to be returned as a result of the search. A value of 0 in this
field indicates that no sizelimit restrictions are in effect for
the search.
- timelimit: A timelimit that restricts the maximum time (in seconds)
Expires 4/1/95 [Page 9]
LDAP July 1993
allowed for a search. A value of 0 in this field indicates that no
timelimit restrictions are in effect for the search.
- attrsOnly: An indicator as to whether search results should contain
both attribute types and values, or just attribute types. Setting
this field to TRUE causes only attribute types (no values) to be
returned. Setting this field to FALSE causes both attribute types
and values to be returned.
- filter: A filter that defines the conditions that must be fulfilled
in order for the search to match a given entry.
- attributes: A list of the attributes from each entry found as a
result of the search to be returned. An empty list signifies that
all attributes from each entry found in the search are to be
returned.
The results of the search attempted by the server upon receipt of a
Search Request are returned in Search Responses, defined as follows:
Search Response ::=
CHOICE {
entry [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes SEQUENCE OF SEQUENCE {
AttributeType,
SET OF AttributeValue
}
},
resultCode [APPLICATION 5] LDAPResult
}
Upon receipt of a Search Request, a server will perform the necessary
search of the DIT.
The server will return to the client a sequence of responses comprised
of:
- Zero or more Search Responses each consisting of an entry found
during the search; with the response sequence terminated by
- A single Search Response containing an indication of success, or
detailing any errors that have occurred.
Each entry returned will contain all attributes, complete with associ-
ated values if necessary, as specified in the 'attributes' field of the
Search Request.
Expires 4/1/95 [Page 10]
LDAP July 1993
Note that an X.500 ``list'' operation can be emulated by a one-level
LDAP search operation with a filter checking for the existence of the
objectClass attribute, and that an X.500 ``read'' operation can be emu-
lated by a base object LDAP search operation with the same filter.
6.4. Modify Operation
The Modify Operation allows a client to request that a modification of
the DIB be performed on its behalf by a server. The Modify Request is
defined as follows:
ModifyRequest ::=
[APPLICATION 6] SEQUENCE {
object LDAPDN,
modification SEQUENCE OF SEQUENCE {
operation ENUMERATED {
add (0),
delete (1),
replace (2)
},
modification SEQUENCE {
type AttributeType,
values SET OF
AttributeValue
}
}
}
Parameters of the Modify Request are:
- object: The object to be modified. The value of this field should
name the object to be modified after all aliases have been derefer-
enced. The server will not perform any alias dereferencing in
determining the object to be modified.
- A list of modifications to be performed on the entry to be modi-
fied. The entire list of entry modifications should be performed
in the order they are listed, as a single atomic operation. While
individual modifications may violate the Directory schema, the
resulting entry after the entire list of modifications is performed
must conform to the requirements of the Directory schema. The
values that may be taken on by the 'operation' field in each modif-
ication construct have the following semantics respectively:-
add: add values listed to the given attribute, creating
the attribute if necessary;
delete: delete values listed from the given attribute,
Expires 4/1/95 [Page 11]
LDAP July 1993
removing the entire attribute if no values are listed, or
if all current values of the attribute are listed for
deletion;
replace: replace existing values of the given attribute
with the new values listed, creating the attribute if
necessary.
The result of the modify attempted by the server upon receipt of a
Modify Request is returned in a Modify Response, defined as follows:
ModifyResponse ::= [APPLICATION 7] LDAPResult
Upon receipt of a Modify Request, a server will perform the necessary
modifications to the DIB.
The server will return to the client a single Modify Response indicating
either the successful completion of the DIB modification, or the reason
that the modification failed. Note that due to the requirement for atom-
icity in applying the list of modifications in the Modify Request, the
client may expect that no modifications of the DIB have been performed
if the Modify Response received indicates any sort of error, and that
all requested modifications have been performed if the Modify Response
indicates successful completion of the Modify Operation.
6.5. Add Operation
The Add Operation allows a client to request the addition of an entry
into the Directory. The Add Request is defined as follows:
AddRequest ::=
[APPLICATION 8] SEQUENCE {
entry LDAPDN,
attrs SEQUENCE OF SEQUENCE {
type AttributeType,
values SET OF AttributeValue
}
}
Parameters of the Add Request are:
- entry: the Distinguished Name of the entry to be added. Note that
all components of the name except for the last RDN component must
exist for the add to succeed.
- attrs: the list of attributes that make up the content of the entry
being added.
Expires 4/1/95 [Page 12]
LDAP July 1993
The result of the add attempted by the server upon receipt of a Add
Request is returned in the Add Response, defined as follows:
AddResponse ::= [APPLICATION 9] LDAPResult
Upon receipt of an Add Request, a server will attempt to perform the add
requested. The result of the add attempt will be returned to the client
in the Add Response.
6.6. Delete Operation
The Delete Operation allows a client to request the removal of an entry
from the Directory. The Delete Request is defined as follows:
DelRequest ::= [APPLICATION 10] LDAPDN
The Delete Request consists only of the Distinguished Name of the entry
to be deleted. The result of the delete attempted by the server upon
receipt of a Delete Request is returned in the Delete Response, defined
as follows:
DelResponse ::= [APPLICATION 11] LDAPResult
Upon receipt of a Delete Request, a server will attempt to perform the
entry removal requested. The result of the delete attempt will be
returned to the client in the Delete Response. Note that only leaf
objects may be deleted with this operation.
6.7. Modify RDN Operation
The Modify RDN Operation allows a client to change the last component of
the name of an entry in the Directory. The Modify RDN Request is defined
as follows:
ModifyRDNRequest ::=
[APPLICATION 12] SEQUENCE {
entry LDAPDN,
newrdn RelativeLDAPDN,
deleteoldrdn BOOLEAN
}
Parameters of the Modify RDN Request are:
- entry: the name of the entry to be changed.
- newrdn: the RDN that will form the last component of the new name.
- deleteoldrdn: a boolean parameter that controls whether the old RDN
Expires 4/1/95 [Page 13]
LDAP July 1993
attribute values should be retained as attributes of the entry or
deleted from the entry.
The result of the name change attempted by the server upon receipt of a
Modify RDN Request is returned in the Modify RDN Response, defined as
follows:
ModifyRDNResponse ::= [APPLICATION 13] LDAPResult
Upon receipt of a Modify RDN Request, a server will attempt to perform
the name change. The result of the name change attempt will be returned
to the client in the Modify RDN Response. The attributes that make up
the old RDN are deleted from the entry, or kept, depending on the set-
ting of the deleteoldrdn parameter.
6.8. Compare Operation
The Compare Operation allows a client to compare an assertion provided
with an entry in the Directory. The Compare Request is defined as fol-
lows:
CompareRequest ::=
[APPLICATION 14] SEQUENCE {
entry LDAPDN,
ava AttributeValueAssertion
}
Parameters of the Compare Request are:
- entry: the name of the entry to be compared with.
- ava: the assertion with which the entry is to be compared.
The result of the compare attempted by the server upon receipt of a Com-
pare Request is returned in the Compare Response, defined as follows:
CompareResponse ::= [APPLICATION 15] LDAPResult
Upon receipt of a Compare Request, a server will attempt to perform the
requested comparison. The result of the comparison will be returned to
the client in the Compare Response. Note that errors and the result of
comparison are all returned in the same construct.
6.9. Abandon Operation
The function of the Abandon Operation is to allow a client to request
that the server abandon an outstanding operation. The Abandon Request
is defined as follows:
Expires 4/1/95 [Page 14]
LDAP July 1993
AbandonRequest ::= [APPLICATION 16] MessageID
There is no response defined in the Abandon Operation. Upon transmission
of an Abandon Operation, a client may expect that the operation identi-
fied by the Message ID in the Abandon Request has been abandoned. In the
event that a server receives an Abandon Request on a Search Operation in
the midst of transmitting responses to that search, that server should
cease transmitting responses to the abandoned search immediately.
7. Protocol Element Encodings
The protocol elements of LDAP are encoded for exchange using the Basic
Encoding Rules (BER) [12] of ASN.1 [11]. However, due to the high over-
head involved in using certain elements of the BER, the following addi-
tional restrictions are placed on BER-encodings of LDAP protocol ele-
ments:
(1) Only the definite form of length encoding will be used.
(2) Bitstrings and octet strings and all character string types will be
encoded in the primitive form only.
8. Security Considerations
This version of the protocol provides facilities only for simple authen-
tication using a cleartext password, and for kerberos version 4 authen-
tication. Future versions of LDAP will likely include support for other
authentication methods.
9. Bibliography
[1] The Directory: Overview of Concepts, Models and Service. CCITT
Recommendation X.500, 1988
[2] Information Processing Systems -- Open Systems Interconnection --
The Directory: Overview of Concepts, Models and Service. ISO/IEC
JTC 1/SC21; International Standard 9594-1, 1988
[3] Directory Assistance Service. M.T. Rose; RFC 1202, February 1991.
[4] DIXIE protocol specification. T. Howes, M. Smith, B. Beecher; RFC
1249, August 1991.
[5] A String Representation of Distinguished Names. Steve Kille; RFC
XXXX
[6] The String Representation of Standard Attribute Syntaxes. T.
Howes, S. Kille, W. Yeong, C.J. Robbins; RFC 1488
Expires 4/1/95 [Page 15]
LDAP July 1993
[7] Kerberos Authentication and Authorization System. S.P. Miller,
B.C. Neuman, J.I. Schiller, J.H. Saltzer; MIT Project Athena Docu-
mentation Section E.2.1, December 1987
[8] The Directory: Models. CCITT Recommendation X.501 ISO/IEC JTC
1/SC21; International Standard 9594-2, 1988
[10] The Directory: Abstract Service Definition. CCITT Recommendation
X.511, ISO/IEC JTC 1/SC21; International Standard 9594-3, 1988
[11] Specification of Abstract Syntax Notation One (ASN.1). CCITT
Recommendation X.208, 1988.
[12] Specification of Basic Encoding Rules for Abstract Syntax Notation
One (ASN.1). CCITT Recommendation X.209, 1988.
10. Author's Addresses
Wengyik Yeong
PSI Inc.
510 Huntmar Park Drive
Herndon, VA 22070
USA
+1 703-450-8001
yeongw@psilink.com
Tim Howes
University of Michigan
ITD Research Systems
535 W William St.
Ann Arbor, MI 48103-4943
USA
+1 313 747-4454
tim@umich.edu
Steve Kille
ISODE Consortium
PO Box 505
London
SW11 1DX
UK
+44-71-223-4062
S.Kille@isode.com
Expires 4/1/95 [Page 16]
LDAP July 1993
Appendix A
Complete ASN.1 Definition
Lightweight-Directory-Access-Protocol DEFINITIONS IMPLICIT TAGS ::=
BEGIN
LDAPMessage ::=
SEQUENCE {
messageID MessageID,
-- unique id in request,
-- to be echoed in response(s)
protocolOp CHOICE {
searchRequest SearchRequest,
searchResponse SearchResponse,
modifyRequest ModifyRequest,
modifyResponse ModifyResponse,
addRequest AddRequest,
addResponse AddResponse,
delRequest DelRequest,
delResponse DelResponse,
modifyDNRequest ModifyDNRequest,
modifyDNResponse ModifyDNResponse,
compareDNRequest CompareRequest,
compareDNResponse CompareResponse,
bindRequest BindRequest,
bindResponse BindResponse,
abandonRequest AbandonRequest,
unbindRequest UnbindRequest
}
}
BindRequest ::=
[APPLICATION 0] SEQUENCE {
version INTEGER (1 .. 127),
-- current version is 2
name LDAPDN,
-- null name implies an anonymous bind
authentication CHOICE {
simple [0] OCTET STRING,
-- a zero length octet string
-- implies an unauthenticated
-- bind.
krbv42LDAP [1] OCTET STRING,
krbv42DSA [2] OCTET STRING
-- values as returned by krb_mk_req()
Expires 4/1/95 [Page 17]
LDAP July 1993
-- Other values in later versions
-- of this protocol.
}
}
BindResponse ::= [APPLICATION 1] LDAPResult
UnbindRequest ::= [APPLICATION 2] NULL
SearchRequest ::=
[APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2)
},
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
alwaysDerefAliases (3)
},
sizeLimit INTEGER (0 .. maxInt),
-- value of 0 implies no sizelimit
timeLimit INTEGER (0 .. maxInt),
-- value of 0 implies no timelimit
attrsOnly BOOLEAN,
-- TRUE, if only attributes (without values)
-- to be returned.
filter Filter,
attributes SEQUENCE OF AttributeType
}
SearchResponse ::=
CHOICE {
entry [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes SEQUENCE OF SEQUENCE {
AttributeType,
SET OF
AttributeValue
}
},
resultCode [APPLICATION 5] LDAPResult
}
ModifyRequest ::=
Expires 4/1/95 [Page 18]
LDAP July 1993
[APPLICATION 6] SEQUENCE {
object LDAPDN,
modifications SEQUENCE OF SEQUENCE {
operation ENUMERATED {
add (0),
delete (1),
replace (2)
},
modification SEQUENCE {
type AttributeType,
values SET OF
AttributeValue
}
}
}
ModifyResponse ::= [APPLICATION 7] LDAPResult
AddRequest ::=
[APPLICATION 8] SEQUENCE {
entry LDAPDN,
attrs SEQUENCE OF SEQUENCE {
type AttributeType,
values SET OF AttributeValue
}
}
AddResponse ::= [APPLICATION 9] LDAPResult
DelRequest ::= [APPLICATION 10] LDAPDN
DelResponse ::= [APPLICATION 11] LDAPResult
ModifyRDNRequest ::=
[APPLICATION 12] SEQUENCE {
entry LDAPDN,
newrdn RelativeLDAPDN -- old RDN always deleted
}
ModifyRDNResponse ::= [APPLICATION 13] LDAPResult
CompareRequest ::=
[APPLICATION 14] SEQUENCE {
entry LDAPDN,
ava AttributeValueAssertion
}
Expires 4/1/95 [Page 19]
LDAP July 1993
CompareResponse ::= [APPLICATION 15] LDAPResult
AbandonRequest ::= [APPLICATION 16] MessageID
MessageID ::= INTEGER (0 .. maxInt)
LDAPDN ::= LDAPString
RelativeLDAPDN ::= LDAPString
Filter ::=
CHOICE {
and [0] SET OF Filter,
or [1] SET OF Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeType,
approxMatch [8] AttributeValueAssertion
}
LDAPResult ::=
SEQUENCE {
resultCode ENUMERATED {
success (0),
operationsError (1),
protocolError (2),
timeLimitExceeded (3),
sizeLimitExceeded (4),
compareFalse (5),
compareTrue (6),
authMethodNotSupported (7),
strongAuthRequired (8),
noSuchAttribute (16),
undefinedAttributeType (17),
inappropriateMatching (18),
constraintViolation (19),
attributeOrValueExists (20),
invalidAttributeSyntax (21),
noSuchObject (32),
aliasProblem (33),
invalidDNSyntax (34),
isLeaf (35),
aliasDereferencingProblem (36),
inappropriateAuthentication (48),
invalidCredentials (49),
Expires 4/1/95 [Page 20]
LDAP July 1993
insufficientAccessRights (50),
busy (51),
unavailable (52),
unwillingToPerform (53),
loopDetect (54),
namingViolation (64),
objectClassViolation (65),
notAllowedOnNonLeaf (66),
notAllowedOnRDN (67),
entryAlreadyExists (68),
objectClassModsProhibited (69),
other (80)
},
matchedDN LDAPDN,
errorMessage LDAPString
}
AttributeType ::= LDAPString
-- text name of the attribute, or dotted
-- OID representation
AttributeValue ::= OCTET STRING
AttributeValueAssertion ::=
SEQUENCE {
attributeType AttributeType,
attributeValue AttributeValue
}
SubstringFilter ::=
SEQUENCE {
type AttributeType,
SEQUENCE OF CHOICE {
initial [0] LDAPString,
any [1] LDAPString,
final [2] LDAPString
}
}
LDAPString ::= OCTET STRING
maxInt INTEGER ::= 65535
END
Expires 4/1/95 [Page 21]
Network Working Group Tim Howes
INTERNET-DRAFT University of Michigan
Steve Kille
ISODE Consortium
Wengyik Yeong
Performance Systems International
Colin Robbins
NeXor Ltd.
The String Representation of Standard Attribute Syntaxes
1. Status of this Memo
This draft document will be submitted to the RFC Editor as a standards
document. Distribution of this memo is unlimited. Please send comments
to the authors, or the discussion group <osi-ds@cs.ucl.ac.uk>.
This document is an Internet-Draft. Internet-Drafts are working docu-
ments of the Internet Engineering Task Force (IETF), its areas, and its
working groups. Note that other groups may also distribute working
documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
2. Abstract
The Lightweight Directory Access Protocol (LDAP) [9] requires that the
contents of AttributeValue fields in protocol elements be octet strings.
This document defines the requirements that must be satisfied by encod-
ing rules used to render X.500 Directory attribute syntaxes into a form
suitable for use in the LDAP, then goes on to define the encoding rules
for the standard set of attribute syntaxes defined in [1,2] and [3].
3. Attribute Syntax Encoding Requirements.
This section defines general requirements for lightweight directory pro-
tocol attribute syntax encodings. All documents defining attribute
Expires 4/1/95 [Page 1]
Syntax Encoding July 1993
syntax encodings for use by the lightweight directory protocols are
expected to conform to these requirements.
The encoding rules defined for a given attribute syntax must produce
octet strings. To the greatest extent possible, encoded octet strings
should be usable in their native encoded form for display purposes. In
particular, encoding rules for attribute syntaxes defining non-binary
values should produce strings that can be displayed with little or no
translation by clients implementing the lightweight directory protocols.
4. Standard Attribute Syntax Encodings
For the purposes of defining the encoding rules for the standard attri-
bute syntaxes, the following auxiliary BNF definitions will be used:
<a> ::= 'a' | 'b' | 'c' | 'd' | 'e' | 'f' | 'g' | 'h' | 'i' |
'j' | 'k' | 'l' | 'm' | 'n' | 'o' | 'p' | 'q' | 'r' |
's' | 't' | 'u' | 'v' | 'w' | 'x' | 'y' | 'z' | 'A' |
'B' | 'C' | 'D' | 'E' | 'F' | 'G' | 'H' | 'I' | 'J' |
'K' | 'L' | 'M' | 'N' | 'O' | 'P' | 'Q' | 'R' | 'S' |
'T' | 'U' | 'V' | 'W' | 'X' | 'Y' | 'Z'
<d> ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9'
<hex-digit> ::= <d> | 'a' | 'b' | 'c' | 'd' | 'e' | 'f' |
'A' | 'B' | 'C' | 'D' | 'E' | 'F'
<k> ::= <a> | <d> | '-'
<p> ::= <a> | <d> | ''' | '(' | ')' | '+' | ',' | '-' | '.' |
'/' | ':' | '?' | ' '
<CRLF> ::= The ASCII newline character with hexadecimal value 0x0A
<letterstring> ::= <a> | <a> <letterstring>
<numericstring> ::= <d> | <d> <numericstring>
<keystring> ::= <a> | <a> <anhstring>
<anhstring> ::= <k> | <k> <anhstring>
<printablestring> ::= <p> | <p> <printablestring>
<space> ::= ' ' | ' ' <space>
Expires 4/1/95 [Page 2]
Syntax Encoding July 1993
4.1. Undefined
Values of type Undefined are encoded as if they were values of type
Octet String, with the string value being the BER-encoded version of the
value.
4.2. Case Ignore String
A string of type caseIgnoreStringSyntax is encoded as the string value
itself.
4.3. Case Exact String
The encoding of a string of type caseExactStringSyntax is the string
value itself.
4.4. Printable String
The encoding of a string of type printableStringSyntax is the string
value itself.
4.5. Numeric String
The encoding of a string of type numericStringSyntax is the string value
itself.
4.6. Octet String
The encoding of a string of type octetStringSyntax is the string value
itself.
4.7. Case Ignore IA5 String
The encoding of a string of type caseIgnoreIA5String is the string value
itself.
4.8. IA5 String
The encoding of a string of type iA5StringSyntax is the string value
itself.
4.9. T61 String
The encoding of a string of type t61StringSyntax is the string value
itself.
Expires 4/1/95 [Page 3]
Syntax Encoding July 1993
4.10. Case Ignore List
Values of type caseIgnoreListSyntax are encoded according to the follow-
ing BNF:
<caseignorelist> ::= <caseignorestring> |
<caseignorestring> '$' <caseignorelist>
<caseignorestring> ::= a string encoded according to the rules for Case
Ignore String as above.
4.11. Case Exact List
Values of type caseExactListSyntax are encoded according to the follow-
ing BNF:
<caseexactlist> ::= <caseexactstring> |
<caseexactstring> '$' <caseexactlist>
<caseexactstring> ::= a string encoded according to the rules for Case
Exact String as above.
4.12. Distinguished Name
Values of type distinguishedNameSyntax are encoded to have the represen-
tation defined in [5].
4.13. Boolean
Values of type booleanSyntax are encoded according to the following BNF:
<boolean> ::= "TRUE" | "FALSE"
Boolean values have an encoding of "TRUE" if they are logically true,
and have an encoding of "FALSE" otherwise.
4.14. Integer
Values of type integerSyntax are encoded as the decimal representation
of their values, with each decimal digit represented by the its charac-
ter equivalent. So the digit 1 is represented by the character '1', the
digit 2 is represented by the character '2' and so on.
4.15. Object Identifier
Values of type objectIdentifierSyntax are encoded according to the
Expires 4/1/95 [Page 4]
Syntax Encoding July 1993
following BNF:
<oid> ::= <descr> | <descr> '.' <numericoid> | <numericoid>
<descr> ::= <keystring>
<numericoid> ::= <numericstring> | <numericstring> '.' <numericoid>
In the above BNF, <descr> is the syntactic representation of an object
descriptor. When encoding values of type objectIdentifierSyntax, the
first encoding option should be used in preference to the second, which
should be used in preference to the third wherever possible. That is, in
encoding object identifiers, object descriptors (where assigned and
known by the implementation) should be used in preference to numeric
oids to the greatest extent possible. For example, in encoding the
object identifier representing an organizationName, the descriptor
``organizationName'' is preferable to ``ds.4.10'', which is in turn
preferable to the string ``2.5.4.10''.
4.16. Telephone Number
Values of type telephoneNumberSyntax are encoded as if they were Print-
able String types.
4.17. Telex Number
Values of type telexNumberSyntax are encoded according to the following
BNF:
<telex-number> ::= <actual-number> '$' <country> '$' <answerback>
<actual-number> ::= <printablestring>
<country> ::= <printablestring>
<answerback> ::= <printablestring>
In the above, <actual-number> is the syntactic representation of the number
portion of the TELEX number being encoded, <country> is the TELEX
country code, and <answerback> is the answerback code of a TELEX terminal.
4.18. Teletex Terminal Identifier
Values of type teletexTerminalIdentifier are encoded according to the
following BNF:
<teletex-id> ::= <printablestring> 0*('$' <ttx-parm>)
Expires 4/1/95 [Page 5]
Syntax Encoding July 1993
<ttx-param> ::= <ttx-key> ':' <ttx-value>
<ttx-key> ::= 'graphic' | 'control' | 'misc' | 'page' | 'private'
<ttx-value> ::= <octetstring>
In the above, the first <printablestring> is the encoding of the first
portion of the teletex terminal identifier to be encoded, and the subse-
quent 0 or more <printablestrings> are subsequent portions of the
teletex terminal identifier.
4.19. Facsimile Telephone Number
Values of type FacsimileTelephoneNumber are encoded according to the
following BNF:
<fax-number> ::= <printablestring> [ '$' <faxparameters> ]
<faxparameters> ::= <faxparm> | <faxparm> '$' <faxparameters>
<faxparm> ::= 'twoDimensional' | 'fineResolution' | 'unlimitedLength' |
'b4Length' | 'a3Width' | 'b4Width' | 'uncompressed'
In the above, the first <printablestring> is the actual fax number, and
the <faxparm> tokens represent fax parameters.
4.20. Presentation Address
Values of type PresentationAddress are encoded to have the representa-
tion described in [6].
4.21. UTC Time
Values of type uTCTimeSyntax are encoded as if they were Printable
Strings with the strings containing a UTCTime value.
4.22. Guide (search guide)
Values of type Guide, such as values of the searchGuide attribute, are
encoded according to the following BNF:
<guide-value> ::= [ <object-class> '#' ] <criteria>
<object-class> ::= an encoded value of type objectIdentifierSyntax
<criteria> ::= <criteria-item> | <criteria-set> | '!' <criteria>
<criteria-set> ::= [ '(' ] <criteria> '&' <criteria-set> [ ')' ] |
Expires 4/1/95 [Page 6]
Syntax Encoding July 1993
[ '(' ] <criteria> '|' <criteria-set> [ ')' ]
<criteria-item> ::= [ '(' ] <attributetype> '$' <match-type> [ ')' ]
<match-type> ::= "EQ" | "SUBSTR" | "GE" | "LE" | "APPROX"
4.23. Postal Address
Values of type PostalAddress are encoded according to the following BNF:
<postal-address> ::= <t61string> | <t61string> '$' <postal-address>
In the above, each <t61string> component of a postal address value is
encoded as a value of type t61StringSyntax.
4.24. User Password
Values of type userPasswordSyntax are encoded as if they were of type
octetStringSyntax.
4.25. User Certificate
Values of type userCertificate are encoded according to the following
BNF:
<certificate> ::= <version> '#' <serial> '#' <signature-algorithm-id>
'#' <issuer> '#' <validity> '#' <subject>
'#' <public-key-info> '#' <encrypted-sign-value>
<version> ::= <integervalue>
<serial> ::= <integervalue>
<signature-algorithm-id> ::= <algorithm-id>
<issuer> ::= an encoded Distinguished Name
<validity> ::= <not-before-time> '#' <not-after-time>
<not-before-time> ::= <utc-time>
<not-after-time> ::= <utc-time>
<algorithm-parameters> ::= <null> | <integervalue> |
'{ASN}' <hex-string>
<subject> ::= an encoded Distinguished Name
Expires 4/1/95 [Page 7]
Syntax Encoding July 1993
<public-key-info> ::= <algorithm-id> '#' <encrypted-sign-value>
<encrypted-sign-value> ::= <hex-string> | <hex-string> '-' <d>
<algorithm-id> ::= <oid> '#' <algorithm-parameters>
<utc-time> ::= an encoded UTCTime value
<hex-string> ::= <hex-digit> | <hex-digit> <hex-string>
4.26. CA Certificate
Values of type cACertificate are encoded as if the values were of type
userCertificate.
4.27. Authority Revocation List
Values of type authorityRevocationList are encoded according to the fol-
lowing BNF:
<certificate-list> ::= <signature-algorithm-id> '#' <issuer> '#' <utc-time>
[ '#' <revoked-certificates> ]
'#' <signature-algorithm-id>
'#' <encrypted-sign-value>
<revoked-certificates> ::= 1*( '#' <revoked-certificate> )
<signature-algorithm-id> '#' <encrypted-sign-value>
<revoked-certificate> ::= <signature-algorithm-id> '#' <issuer> '#'
<serial> '#' <utc-time>
The syntactic components <signature-algorithm-id>, <issuer>,
<encrypted-sign-value>, <utc-time>, <subject> and <serial> have the same
definitions as in the BNF for the userCertificate attribute syntax.
4.28. Certificate Revocation List
Values of type certificateRevocationList are encoded as if the values
were of type authorityRevocationList.
4.29. Cross Certificate Pair
Values of type crossCertificatePair are encoded according to the follow-
ing BNF:
<certificate-pair> ::= <forward> '#' <reverse>
| <forward>
Expires 4/1/95 [Page 8]
Syntax Encoding July 1993
| <reverse>
<forward> ::= 'forward:' <certificate>
<reverse> ::= 'reverse:' <certificate>
The syntactic component <certificate> has the same definition as in the
BNF for the userCertificate attribute syntax.
4.30. Delivery Method
Values of type deliveryMethod are encoded according to the following
BNF:
<delivery-value> ::= <pdm> | <pdm> '$' <delivery-value>
<pdm> ::= 'any' | 'mhs' | 'physical' | 'telex' | 'teletex' |
'g3fax' | 'g4fax' | 'ia5' | 'videotex' | 'telephone'
4.31. Other Mailbox
Values of the type otherMailboxSyntax are encoded according to the fol-
lowing BNF:
<otherMailbox> ::= <mailbox-type> '$' <mailbox>
<mailbox-type> ::= an encoded Printable String
<mailbox> ::= an encoded IA5 String
In the above, <mailbox-type> represents the type of mail system in which
the mailbox resides, for example "Internet" or "MCIMail"; and <mailbox>
is the actual mailbox in the mail system defined by <mailbox-type>.
4.32. Mail Preference
Values of type mailPreferenceOption are encoded according to the follow-
ing BNF:
<mail-preference> ::= "NO-LISTS" | "ANY-LIST" | "PROFESSIONAL-LISTS"
4.33. MHS OR Address
Values of type MHS OR Address are encoded as strings, according to the
format defined in [10].
Expires 4/1/95 [Page 9]
Syntax Encoding July 1993
4.34. Distribution List Submit Permission
Values of type DLSubmitPermission are encoded as strings, according to
the following BNF:
<dlsubmit-perm> ::= <dlgroup_label> ':' <dlgroup-value>
| <dl-label> ':' <dl-value>
<dlgroup-label> ::= 'group_member'
<dlgroup-value> ::= <name>
<name> ::= an encoded Distinguished Name
<dl-label> ::= 'individual' | 'dl_member' | 'pattern'
<dl-value> ::= <orname>
<orname> ::= <address> '#' <dn>
| <address>
<address> ::= <add-label> ':' <oraddress>
<dn> ::= <dn-label> ':' <name>
<add-label> = 'X400'
<dn-label> = 'X500'
where <oraddress> is as defined in RFC 1327.
4.35. Photo
Values of type Photo are encoded as if they were octet strings contain-
ing JPEG images in the JPEG File Interchange Format (JFIF), as described
in [8].
4.36. Fax
Values of type Fax are encoded as if they were octet strings containing
Group 3 Fax images as defined in [7].
5. Security Considerations
Security considerations are not discussed in this document.
Expires 4/1/95 [Page 10]
Syntax Encoding July 1993
6. Acknowledgements
Many of the attribute syntax encodings defined in this document are
adapted from those used in the QUIPU X.500 implementation. The contribu-
tions of the authors of the QUIPU implementation in the specification of
the QUIPU syntaxes [4] are gratefully acknowledged.
7. Bibliography
[1] The Directory: Selected Attribute Syntaxes. CCITT, Recommendation
X.520
[2] Information Processing Systems -- Open Systems Interconnection --
The Directory: Selected Attribute Syntaxes
[3] The COSINE and Internet X.500 Schema. Paul Barker, Steve Kille;
Request for Comment (RFC) 1274
[4] The ISO Development Environment: User's Manual -- Volume 5: QUIPU.
Colin Robbins, Stephen E. Kille
[5] A String Representation of Distinguished Names. Steve Kille, RFC
1485
[6] A String Representation for Presentation Addresses. Steve Kille;
Request for Comment (RFC) 1278
[7] Terminal Equipment and Protocols for Telematic Services - Standard-
ization of Group 3 facsimile apparatus for document transmission.
CCITT, Recommendation T.4
[8] JPEG File Interchange Format (Version 1.02). Eric Hamilton, C-Cube
Microsystems, Milpitas, CA, September 1, 1992
[9] Lightweight Directory Access Protocol. Wengyik Yeong, Tim Howes,
Steve Kille, Request for Comment (RFC) 1488
[10] Mapping between X.400 and RFC-822 Message Bodies. H. Alvestrand,
S. Kille, R. Miles, M. Rose, S. Thompson, Request for Comment
(RFC) 1495
8. Author's Addresses
Tim Howes
University of Michigan
ITD Research Systems
535 W William St.
Ann Arbor, MI 48103-4943
Expires 4/1/95 [Page 11]
Syntax Encoding July 1993
USA
+1 313 747-4454
tim@umich.edu
Steve Kille
ISODE Consortium
PO Box 505
London
SW11 1DX
UK
+44-71-223-4062
S.Kille@isode.com
Wengyik Yeong
PSI Inc.
510 Huntmar Park Drive
Herndon, VA 22070
USA
+1 703-450-8001
yeongw@psilink.com
Colin Robbins
NeXor Ltd
University Park
Nottingham
NG7 2RD
UK
Expires 4/1/95 [Page 12]
- LDAP documents Tim Howes
- Re: LDAP documents Henri Altarac