One document matched: draft-zeilenga-ldapbis-vd-00.txt
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Informational OpenLDAP Foundation
Expires: 7 May 2001 7 November 2000
Lightweight Directory Access Protocol: version differences
draft-zeilenga-ldapbis-vd-00
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as an Informational document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Revision (Proposed) Working
Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please send
editorial comments directly to the author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft
Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
Copyright 2000, The Internet Society. All Rights Reserved.
Please see the Copyright section near the end of this document for
more information.
1. Overview
This document details differences between Lightweight Directory Access
Protocol versions 2 [RFC1777] and 3 [RFC2251].
There has been is significant interest within the community to develop
applications which implement both LDAPv2 and LDAPv3. These are
referred to as dual implementations in this document. This discusses
issues specific to dual implementations.
Zeilenga [Page 1]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000
2. X.500 Issues
LDAPv2 is defined in terms of X.500(1988) series of ITU
Recommendations whereas LDAPv3 is defined in terms of the X.500(1993)
series.
2.1. Directory Strings
The X.520(1988) directoryString is defined as:
DirectoryString { INTEGER : maxSize } ::= CHOICE {
teletexString TeletexString (SIZE (1..maxSize)),
printableString PrintableString (SIZE (1..maxSize)) }
LDAPv2 requires [RFC2252] that the encoding of values of the
directoryString syntax is the string value itself. As each choice was
a subset of the T.61, the transferred value is restricted to T.61.
A choice of universalString was added in the X.500(1993). LDAPv2
implementations which support this choice should transliterate values
to T.61.
LDAPv3 requires that values of directoryString syntax be encoded as
ISO 10646-1 UTF-8 strings. DirectoryString values of teletexString
choice must be transliterated.
A dual implementation must be able transliterate strings between ISO
10646-1 and T.61 or restrict strings to IA5 (which is a subset of both
ISO 10646-1 and T.61).
2.2. Attribute type
X.500(1988) makes no distinction between user, operational, and
collective attributes whereas X.500(1993) does. Hence, LDAPv2 makes
no distinction whereas LDAPv3 does.
For example, a LDAPv2 search request with an empty attribute list
returns all attributes whereas LDAPv3 only returns all user
attributes. LDAPv3 only returns operational attributes unless
specifically requested, whereas LDAPv2 has no such restriction.
X.500(1993) also states that a search "request for a particular
attribute is always treated as a request for the attribute and all
subtypes of that attribute (except for requests processed by
1988-edition systems)". LDAPv2 does not support subtyping whereas
LDAPv3 does (though it is optional).
Zeilenga [Page 2]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000
2.3. Object Classes
X.500(1988) makes no distinction between structural, auxiliary, and
abstract object classes whereas X.500(1993) does. Hence, LDAPv2 makes
no distinction whereas LDAPv3 does.
2.3. ExtensibleMatch
X.500(1993) introduces extensible matching. LDAPv2 does not support
extensible matching, LDAPv3 does.
3. Protocol elements
LDAPv3 supports all protocol elements of LDAPv2. LDAPv3, besides
defining additional protocol elements, alters the syntax and semantics
of existing protocol elements.
3.1. LDAPString
The LDAPString is a notational convenience to indicate that, although
strings of LDAPString type encode as OCTET STRING types, the legal
character set in such strings is restricted. LDAPv2 restricts
LDAPString to IA5 (ASCII) characters. LDAPv3 restricts LDAPString to
UTF-8 encoded ISO 10646-1 characters. The change to UTF-8 allows
strings to be internationalized.
For example, an LDAPv3 server can provide localized errorMessage
textual error diagnostic using non-IA5 characters. LDAPv2 is
restricted errorMessages to IA5.
A number of protocol fields are restricted by LDAPString. In most
cases, this is not problematic for dual implementations as LDAPv3
restricts these fields to IA5 subset of UTF-8 by other means. For
instance, attributeType which is an LDAPString is specifically
restricted to a subset of IA5.
There is however one case in which is quite problematic for dual
implementations, Distinguished Names.
3.2. Distinguished Names
DNs are restricted to IA5 when transferred by LDAPv2 and are
restricted to UTF-8 when transferred by LDAPv3 as DNs.
Zeilenga [Page 3]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000
LDAPv2 DN syntax does not support escaping of arbitrary characters
within values. The BER encoding mechanism must be used for all
attribute values contain any non-IA5 characters.
LDAPv3 DN syntax supports escaping of arbitrary characters.
LDAPv2 and LDAPv3 special character escaping requirements are
different.
LDAPv2 set of valid "keywords" is different from the set defined for
LDAPv3.
LDAPv2 and LDAPv3 DNs use incompatible mechanisms for specifying
attribute types by OIDs.
RFC 2253, Section 4 details additional requirements for LDAPv2
implementations. However, these requirements are too restrictive as
they disallow encoding of DN in a number of cases (such as when OIDs
must be used). The requirements also do not account for the fact that
encodings produced per RFC2253, Section 2 may not be transferable in
an LDAPv2 LDAPString or may contain elements (such as hex pair
escaping) not allowed by RFC 1779 grammar.
A dual implementation should:
- parse and generate LDAPv2 DNs per RFC 1779,
- parse and generate LDAPv3 DNs per RFC 2253,
- convert between LDAPv2 and LDAPv3 DN representations by though
intermediate conversion to the DNs BER encoding.
3.4. AttributeDescription
LDAPv3 supports AttributeDescriptions, LDAPv2 doesn't. An LDAPv2
implementation has no mechanism to transfer attribute types with
options.
3.5. AttributeDescriptionList
LDAPv2 has no special "*" to indicate transfer of all user attributes
(see section 2). An LDAPv2 client requesting "*" should expect a
protocolError to be returned.
3.6. ExtensibleMatch
LDAPv3 Filter supports a choice of extensibleMatch. An LDAPv2
doesn't. A LDAPv2 implementation would likely treat an unknown filter
Zeilenga [Page 4]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000
choice as a protocol error.
3.7. Empty 'or' and 'and' filters sets
LDAPv3 requires 'and' and 'or' filter sets to be non-empty. Though
LDAPv2 does not explicitly require filter sets to be non-empty,
support for non-empty sets is implied by the statement that an X.500
"read" operation can be emulated by a base object LDAP search
operation with the same filter. That is, X.500(1988) supports 'and'
and 'or' empty filters sets. However, as defined filter string
representation cannot represent an empty filter set, support for empty
filter sets cannot be presumed to be present.
3.8. LDAPResult
LDAPv3 extends LDAPResult to allow additional resultCode values and
the inclusion of an optional referral field. LDAPv3 also requires
that unknown result codes be treated as unknown error condition
LDAPv2 does not have any such requirement.
3.9. Unrecognized Tags
LDAPv3 implementations must ignore elements of SEQUENCE encodings
whose tags they do not recognize. LDAPv2 does not have any such
requirement. A LDAPv2 implementation will likely treat an
unrecognized as protocol error.
3.10. Controls
LDAPv3 introduces Controls which may alter the behavior of operations.
LDAPv2 does not support Controls. A LDAPv2 implementation will likely
treat a control as a protocol error.
3.11. New LDAP Message Types
LDAPv3 introduces three new LDAP PDU choices: extended requests,
extended responses, and search reference responses. LDAPv2 does not
support these new PDUs and likely will treat such as a protocol error.
4. Protocol Semantics
This section details semantical differences in the protocols.
Zeilenga [Page 5]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000
4.1. Bind Operation
This section will describe Bind operation issues.
4.2. Search Operation
This section will describe Search operation issues.
4.3. Modify Operation
LDAPv3 alters the semantics of the Modify/replace. In LDAPv2, a
replace with no values commonly results in a protocolError. In
LDAPv3, a replace with no values is treated as a delete with no values
excepting no error is generated if the attribute doesn't exist.
4.4. Modify DN Operation
This section will describe Modify DN/RDN operation issues.
4.5. Unsolicited Notifications
LDAPv2 implementations do not support Unsolicited Notifications. A
dual implementation should avoid returning an Unsolicited Notification
unless a request has been received and this request is not a LDAPv2
bind request.
5. Protocol Encoding
LDAPv3 places additional restrictions on the BER encoding of protocol
elements.
6. Schema
LDAPv2 and LDAPv3 utilize dramatically different schema.
6.1 Syntaxes
6.1.1. Common Syntax Encodings
An number of BNF definitions differ between LDAPv2 and LDAPv3.
Zeilenga [Page 6]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000
LDAPv3 allows ";" in the production k whereas LDAPv2 does not.
Production k is used by production anhstring.
LDAPv3 allows """ in the production p whereas LDAPv2 does not. LDAPv2
allows "'" in the production p whereas LDAPv3 does not. Production p
is used by production printablestring.
The differences in these productions affects the specification of many
common syntaxes. A dual implement must ensure produces values which
are consistent with the syntax restrictions of the protocol in use.
6.1.2. Object Identifier Syntax
LDAPv2 and LDAPv3 use different string representations for object
identifier (OIDs) syntax. LDAPv2 defines an OID to be:
oid = <descr> / <descr> '.' <numericoid> / <numericoid>
whereas LDAPv3 defines an OID to be:
oid = descr / numericoid
Note the LDAPv3 eliminates one of the LDAPv3 forms.
For example in LDAPv2, in encoding the object identifier representing
an organizationName, the descriptor "organizationName" is preferable
to "ds.4.10", which is in turn preferable to the string "2.5.4.10".
For example in LDAPv3, in encoding the object identifier representing
an organization name (o), the descriptor "o" is preferred to the
string "2.5.4.20.
A dual implementation must ensure it does not produce the eliminated
form when using LDAPv3.
6.1.3. Distinguished Name Syntax
The issues discussed in Section 3.2 generally apply to values of
Distinguished Name syntax.
6.1.4. Certificate and related syntaxes
LDAPv2 defines a string representation for X.509 certificates,
revocation lists, and other related syntaxes. LDAPv3 does not use
these string representation and instead requires ";binary" transfer of
Zeilenga [Page 7]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000
such values. LDAPv2 does not support ";binary" transfer.
Dual implementations must be prepared to recognize and generate the
encoding required by the protocol.
6.2. Attribute Types
LDAPv2, in general, uses X.500 names such as commonName and
organizationalName. LDAPv3 uses short names such as cn and o. Dual
implementations should use attribute names appropriate for the the
current protocol.
7. Other version differences
This section will discuss (when written) other version differences.
8. Security Considerations
LDAPv3 supports SASL [RFC2829] and TLS [RFC2830]. LDAPv2 does not
offer integrity or confidentiality services. LDAPv2 Kerberos bind
choices are not widely nor consistently implemented. Use of LDAPv3
security features is RECOMMENDED when updating the directory or
accessing sensitive information.
9. Liberties taken
Dual implementations of LDAPv2 and LDAPv3 have taken significant
liberties to support both protocols. The most common liberties take
are to apply the restrictions of one protocol to both (while ignoring
the restrictions of one protocol). For example, it is common for dual
implementations to ignore the LDAPv2 LDAPString IA5 restriction and/or
the LDAPv2 directoryString T.61 restriction.
10. Summary
There are numerous differences between LDAPv2 and LDAPv3 which make in
difficult for an application to properly support both protocols. In
addition, any application which implements LDAPv2 as specified is
likely not to interoperate well due to the large deployment of non-
conforming LDAPv2 implementations. The value of applications which
properly implement both LDAPv2 and LDAPv3. There is little value in
not adhere to specifications. Hence, it is recommended that
applications only implement LDAPv3.
Zeilenga [Page 8]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000
Copyright 2000, The Internet Society. All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Zeilenga [Page 9]
| PAFTECH AB 2003-2026 | 2026-04-23 04:17:14 |