One document matched: draft-zeilenga-ldapbis-vd-01.txt
Differences from draft-zeilenga-ldapbis-vd-00.txt
INTERNET-DRAFT Kurt D. Zeilenga
Intended Category: Informational OpenLDAP Foundation
Expires: 4 August 2001 4 February 2001
Lightweight Directory Access Protocol: version differences
draft-zeilenga-ldapbis-vd-01
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.
This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as an Informational document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Revision (Proposed) Working
Group (LDAPbis) mailing list <ietf-ldapbis@openldap.org>. Please send
editorial comments directly to the author <Kurt@OpenLDAP.org>.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft
Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
Copyright 2001, The Internet Society. All Rights Reserved.
Please see the Copyright section near the end of this document for
more information.
1. Overview
This document details differences between Lightweight Directory Access
Protocol versions 2 [RFC1777] and 3 [RFC2251].
There has been significant interest within the community to develop
applications which implement both LDAPv2 and LDAPv3. These are
referred to as "dual" implementations in this document. This
discusses issues specific to dual implementations.
Zeilenga [Page 1]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
2. X.500 Issues
LDAPv2 is defined in terms of X.500(1988) series of ITU
Recommendations whereas LDAPv3 is defined in terms of the X.500(1993)
series.
2.1. Directory Strings
The X.520(1988) directoryString is defined as:
DirectoryString { INTEGER : maxSize } ::= CHOICE {
teletexString TeletexString (SIZE (1..maxSize)),
printableString PrintableString (SIZE (1..maxSize)) }
LDAPv2 requires that the encoding of values of the directoryString
syntax is the string value itself [RFC1778]. As each choice was a
subset of the T.61, the transferred value is restricted to T.61.
A choice of universalString was added in the X.500(1993). LDAPv2
implementations which support this choice should transliterate values
to T.61.
LDAPv3 requires that values of directoryString syntax be encoded as
ISO 10646-1 UTF-8 strings [RFC2252]. DirectoryString values of
teletexString choice must be transliterated.
A dual implementation must be able transliterate strings between ISO
10646-1 and T.61 or restrict strings to IA5 (which is a subset of both
ISO 10646-1 and T.61).
2.2. Attribute type
X.500(1988) makes no distinction between user, operational, and
collective attributes whereas X.500(1993) does. Hence, LDAPv2 makes
no distinction whereas LDAPv3 does.
For example, a LDAPv2 search request with an empty attribute list
returns all attributes whereas LDAPv3 only returns all user
attributes. LDAPv3 only returns operational attributes unless
specifically requested, whereas LDAPv2 has no such restriction.
X.500(1993) also states that a search "request for a particular
attribute is always treated as a request for the attribute and all
subtypes of that attribute (except for requests processed by
1988-edition systems)". LDAPv2 does not support subtyping whereas
LDAPv3 does (though it is optional).
Zeilenga [Page 2]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
2.3. Object Classes
X.500(1988) makes no distinction between structural, auxiliary, and
abstract object classes whereas X.500(1993) does. Hence, LDAPv2 makes
no distinction whereas LDAPv3 does.
2.3. ExtensibleMatch
X.500(1993) introduces extensible matching. LDAPv2 does not support
extensible matching, LDAPv3 does.
3. Protocol elements
LDAPv3 supports all protocol elements of LDAPv2. LDAPv3, besides
defining additional protocol elements, alters the syntax and semantics
of existing protocol elements.
3.1. LDAPString
The LDAPString is a notational convenience to indicate that, although
strings of LDAPString type encode as OCTET STRING types, the legal
character set in such strings is restricted. LDAPv2 restricts
LDAPString to IA5 (ASCII) characters. LDAPv3 restricts LDAPString to
UTF-8 encoded ISO 10646-1 characters. The change to UTF-8 allows
internationalized strings.
For example, an LDAPv3 server can provide localized errorMessage
textual error diagnostic using non-IA5 characters. LDAPv2 is
restricted errorMessages to IA5.
A number of protocol fields are restricted by LDAPString. In most
cases, this is not problematic for dual implementations as LDAPv3
restricts these fields to IA5 subset of UTF-8 by other means. For
instance, attributeType which is an LDAPString is specifically
restricted to a subset of IA5.
3.2. Distinguished Names
DNs are restricted to IA5 when transferred by LDAPv2 and are
restricted to UTF-8 when transferred by LDAPv3 as DNs.
LDAPv2 DN [RFC1779] syntax does not support escaping of arbitrary
characters within values. The BER encoding mechanism must be used for
all attribute values contain any non-IA5 characters.
Zeilenga [Page 3]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
LDAPv3 DN [RFC2253] syntax supports escaping of arbitrary characters.
LDAPv2 and LDAPv3 special character escaping requirements are
different.
LDAPv2 set of valid "keywords" is different from the set defined for
LDAPv3.
LDAPv2 and LDAPv3 DNs use incompatible mechanisms for specifying
attribute types by OIDs.
RFC 2253, Section 4 details additional requirements for LDAPv2
implementations. However, these requirements are too restrictive as
they disallow encoding of a DN in a number of cases (such as when OIDs
must be used). The requirements also do not account for the fact that
encodings produced per RFC 2253, Section 2 may not be transferable in
an LDAPv2 LDAPString or may contain elements (such as hex pair
escaping) not allowed by RFC 1779 grammar.
A dual implementation should:
- parse and generate LDAPv2 DNs per RFC 1779,
- parse and generate LDAPv3 DNs per RFC 2253,
- convert between LDAPv2 and LDAPv3 DN representations by though
intermediate conversion to the DNs BER encoding.
The latter may be complicated due to differences between X.500(1988)
and X.500(1993) ASN.1 definitions.
3.4. AttributeDescription
LDAPv3 supports AttributeDescription options, LDAPv2 does not. An
LDAPv2 implementation has no mechanism to transfer attribute types
with options including the binary transfer and language tag options.
LDAPv3 requires certain attributes to be transferred using ";binary".
LDAPv2 requires these attributes to be transferred using their string
encoding. A dual server should be prepared to convert between a
syntax's string and binary encodings. It should be noted that certain
syntaxes, such as certificate, have protocol specific requirements
which restrict possible conversions.
LDAPv2 has no mechanism to support attribute descriptions containing
language tags. Applications requiring use of language tags should use
LDAPv3 and [RFC2596].
3.5. AttributeDescriptionList
Zeilenga [Page 4]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
LDAPv2 has no special "*" to indicate transfer of all user attributes
(see section 2). An LDAPv2 client requesting "*" should expect a
protocolError to be returned.
3.6. ExtensibleMatch
LDAPv3 Filter supports a choice of extensibleMatch. An LDAPv2 does
not. A LDAPv2 implementation would likely treat an unknown filter
choice as a protocol error.
3.7. Empty 'or' and 'and' filters sets
LDAPv3 requires 'and' and 'or' filter sets to be non-empty. LDAPv2
does not explicitly require filter sets to be non-empty and support
for non-empty sets is implied by the statement that an X.500 "read"
operation can be emulated by a base object LDAP search operation with
the same filter. As X.500(1988) supports 'and' and 'or' empty filters
sets, it is reasonable to expect some LDAPv2 servers may also support
filters with empty 'and' and 'or' sets. However, as defined filter
string representation cannot represent an empty filter set, support
for empty filter sets cannot be presumed to be present. Dual
implementations should avoid empty 'or' and 'and' filter sets.
3.8. LDAPResult
LDAPv3 extends LDAPResult to allow additional resultCode values and
the inclusion of an optional referral field. LDAPv3 also requires
that unknown result codes be treated as unknown error condition
LDAPv2 does not have any such requirement.
3.9. Unrecognized Tags
LDAPv3 implementations must ignore elements of SEQUENCE encodings
whose tags they do not recognize. LDAPv2 does not have any such
requirement. A LDAPv2 implementation will likely treat an
unrecognized as protocol error.
3.10. Controls
LDAPv3 introduces Controls which may alter the behavior of operations.
LDAPv2 does not support Controls. A LDAPv2 implementation will likely
treat a control as a protocol error.
Zeilenga [Page 5]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
3.11. New LDAP Message Types
LDAPv3 introduces three new LDAP PDU choices: extended requests,
extended responses, and search reference responses. LDAPv2 does not
support these new PDUs and likely will treat such as a protocol error.
4. Protocol Semantics
This section details semantical differences in the protocols.
4.1. Bind Operation
Per RFC 1777, The LDAPv2 Bind operation is used to initiate a session.
It must be the first operation and cannot be used subsequently.
However, many LDAPv2 implementations do not requre use of the Bind
operation to initiate a session. A dual implementation MUST treat a
session without an initial Bind operation as LDAPv3. This may result
in interoperability problems with clients which do not strictly adhere
to the LDAPv2 specifications.
4.2. Search Operation
LDAPv3 search operation can return in addition to entries, references
and extended responses. LDAPv2 search operation can only entries. A
dual server implementation should be prepared to chain requests to
other servers.
4.3. Modify Operation
LDAPv3 alters the semantics of the Modify/replace. In LDAPv2, a
replace with no values commonly results in a protocolError. In
LDAPv3, a replace with no values is treated as a delete with no values
excepting no error is generated if the attribute does not exist.
4.4. Unsolicited Notifications
LDAPv2 implementations do not support Unsolicited Notifications. A
dual implementation should avoid returning an Unsolicited Notification
unless a request has been received and this request is not a LDAPv2
bind request.
5. Protocol Encoding
Zeilenga [Page 6]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
LDAPv3 places additional restrictions on the BER encoding of protocol
elements.
6. Schema
LDAPv2 and LDAPv3 schema is dramatically different.
6.1 Syntaxes
6.1.1. Common Syntax Encodings
An number of BNF definitions differ between LDAPv2 and LDAPv3.
LDAPv3 allows ";" in the production k whereas LDAPv2 does not.
Production k is used by production anhstring.
LDAPv3 allows """ in the production p whereas LDAPv2 does not. LDAPv2
allows "'" in the production p whereas LDAPv3 does not. Production p
is used by production printablestring.
The differences in these productions affects the specification of many
common syntaxes. A dual implementation must ensure produces values
which are consistent with the syntax restrictions of the protocol in
use.
6.1.2. Object Identifier Syntax
LDAPv2 and LDAPv3 use different string representations for object
identifier (OIDs) syntax. LDAPv2 defines an OID to be:
oid = <descr> / <descr> '.' <numericoid> / <numericoid>
whereas LDAPv3 defines an OID to be:
oid = descr / numericoid
LDAPv3 eliminates the mixed descr-numeric form.
In LDAPv2, when encoding the object identifier representing an
organizationName, the descriptor "organizationName" is preferable to
"ds.4.10", which is in turn preferable to the string "2.5.4.10".
In LDAPv3, when encoding the object identifier representing an
organization name (o), the descriptor "o" is preferred to the string
"2.5.4.20.
Zeilenga [Page 7]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
A dual implementation must ensure it does not produce the eliminated
form when using LDAPv3. Also note that LDAPv2 and LDAPv3 often use
different descriptors for some schema elements.
6.1.3. Distinguished Name Syntax
The issues discussed in Section 3.2 generally apply to values of
Distinguished Name syntax.
6.1.4. Certificate and related syntaxes
LDAPv2 defines a string representation for X.509 certificates,
revocation lists, and other related syntaxes. LDAPv3 does not use
these string representation and instead requires ";binary" transfer of
such values. LDAPv2 does not support ";binary" transfer.
Dual implementations must be prepared to recognize and generate the
encoding required by the protocol.
6.2. Attribute Types
LDAPv2, in general, uses X.500 names such as commonName and
organizationalName. LDAPv3 uses short names such as cn and o. Dual
implementations should use attribute names appropriate for the
protocol session.
7. Other Version Differences
Many LDAP applications use LDIF as an intermediate format. LDIFv1
[RFC2849] is designed specifically for LDAPv3. LDIFv0 [SLAPD] was
designed for LDAPv2, but often used with LDAPv3. Neither format
provides any information regarding which the protocol version
associated with the presented data.
8. Liberties Taken
Dual implementations of LDAPv2 and LDAPv3 have taken significant
liberties to support both protocols. The most common liberties taken
are to apply the restrictions of one protocol to the other. For
example, it is common for dual implementations to ignore the LDAPv2
LDAPString IA5 restriction and/or the LDAPv2 directoryString T.61
restriction.
Zeilenga [Page 8]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
9. Security Considerations
LDAPv3 supports SASL [RFC2829] and TLS [RFC2830]. LDAPv2 does not
offer integrity or confidentiality services. LDAPv2 Kerberos bind
choices are not widely nor consistently implemented. Use of LDAPv3
with appropriate privacy protections MUST be used when updating the
directory.
10. Summary
There are numerous differences between LDAPv2 and LDAPv3 which make it
very difficult for an application to properly support both protocols.
11. References
[X.500] "The Directory -- Overview of Concepts, Models and
Services," ITU-T Rec. X.500(1993).
[X.501] "The Directory -- Models," ITU-T Rec. X.501(1993).
[X.511] "The Directory: Abstract Service Definition", ITU-T Rec.
X.511(1993).
[RFC1777] W. Yeong, T. Howes, and S. Kille, "Lightweight Directory
Access Protocol", RFC 1777, March 1995.
[RFC1778] T. Howes, S. Kille, W. Yeong, C. Robbins, "The String
Representation of Standard Attribute Syntaxes", RFC 1778,
March 1995.
[RFC1779] S. Kille, "A String Representation of Distinguished Names",
RFC 1779, March 1995.
[RFC1960] T. Howes, "A String Representation of LDAP Search Filters",
RFC 1960, June 1996.
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119.
[RFC2234] D. Crocker, P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[RFC2279] F. Yergeau, "UTF-8, a transformation format of ISO 10646",
RFC 2279, January 1998.
[RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Zeilenga [Page 9]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
Protocol (v3)", RFC 2251, December 1997.
[RFC2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
Directory Access Protocol (v3): Attribute Syntax
Definitions", RFC 2252, December 1997.
[RFC2253] M. Wahl, S. Kille, T. Howes, "Lightweight Directory Access
Protocol (v3): UTF-8 String Representation of Distinguished
Names", RFC 2253, December 1997.
[RFC2254] T. Howes, "A String Representation of LDAP Search Filters",
RFC 2254, December 1997.
[RFC2255] T. Howes, M. Smith, "The LDAP URL Format", RFC 2255,
December, 1997.
[RFC2256] M. Wahl, "A Summary of the X.500(96) User Schema for use
with LDAPv3", RFC 2256, December 1997.
[RFC2829] M. Wahl, H. Alvestrand, J. Hodges, RL "Bob" Morgan,
"Authentication Methods for LDAP", RFC 2829, June 2000.
[RFC2830] J. Hodges, R. Morgan, and M. Wahl, "Lightweight Directory
Access Protocol (v3): Extension for Transport Layer
Security", RFC 2830, May 2000.
[SLAPD] The SLAPD and SLURPD Administrators Guide. University of
Michigan, April 1996. <URL:
http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/>
Copyright 2001, The Internet Society. All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
Zeilenga [Page 10]
INTERNET-DRAFT draft-zeilenga-ldapbis-vd-01 4 February 2001
This document and the information contained herein is provided on an
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Zeilenga [Page 11]
| PAFTECH AB 2003-2026 | 2026-04-23 04:11:40 |