This section lists the features of LDAP v3 as defined in IETF RFC 3377.
For the purposes of this analysis, a feature is: "a capability provided by directories to clients through the LDAP protocol".
IETF RFC 3377 itself describes no LDAP features, but it references eight other RFCs which, together with IETF RFC 3377, make up the specification of the Lightweight Directory Access Protocol, Version 3 (LDAP v3). Those RFCs are IETF RFC 2251, IETF RFC 2252, IETF RFC 2253, IETF RFC 2254, IETF RFC 2255, IETF RFC 2256, IETF RFC 2829 and IETF RFC 2830.
The features listed in this section are confined to those described in the above RFCs. There are other RFCs that describe extensions to LDAP v3. As of November 2002, these are:
The inclusion in profiles of features defined in RFCs that are not referenced by IETF RFC 3377 is for further study.
The features are listed below by feature group.
Certain aspects of some features are not completely described by the RFCs, and the feature descriptions include substantive additions to the RFC provisions. These cases are indicated by the word "Here" in the "Specified" column of the list.
Feature | Description | Specified | Profile |
---|---|---|---|
RootDSE - LDAP v3 | The server maintains a supportedLDAPVersion attribute in the root DSE that identifies the LDAP versions that it implements. These include LDAP v3. | IETF RFC 2251 §3.4 | Standard |
RootDSE - Controls | The server maintains a supportedControl attribute in the root DSE that identifies its supported controls. | IETF RFC 2251 §3.4 | Standard |
RootDSE - Extensions | The server maintains a supportedExtension attribute in the root DSE that identifies its supported extended operations. | IETF RFC 2251 §3.4 | Standard |
RootDSE - Schema | The server maintains in the root DSE a namingContexts attribute that identifies the naming contexts held in the server and a subschemaSubentry attribute that identifies the subschema entries known by the server. | IETF RFC 2251 §3.4 | Standard |
RootDSE - Alt Server | The server maintains an altServer attribute in the root DSE that identifies alternative servers that may be used when it is unavailable. | IETF RFC 2251 §3.4 | Standard |
RootDSE - Supported SASL Mechanisms | The server maintains a supportedSASLMechanisms attribute in the root DSE that identifies the SASL mechanisms it supports. | IETF RFC 2251 §3.4 | Standard |
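The root DSE attributes listed above are the first thing a client, or an assessor, reads from a server. The following Python is added here as an illustration; it is not text from the RFCs or code from any directory product. It parses a constructed LDIF rendering of a root DSE (the sample values are invented for the example) and derives a capability summary: whether LDAP v3 is offered, whether the Start TLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 2830 §2.1) is advertised, which SASL mechanisms are on offer, and which naming contexts and alternative servers are published. Treating PLAIN and LOGIN as cleartext mechanisms that need transport protection is the example's own classification.

```python
"""Parse a root DSE (as returned by a base-scope search of the empty DN) and
derive a capability summary from the attributes RFC 2251 §3.4 defines.

Added illustration. SAMPLE_ROOT_DSE is constructed sample output, not a
capture from any real server.
"""
from __future__ import annotations

# OID of the Start TLS extended operation, fixed by RFC 2830 §2.1
START_TLS_OID = "1.3.6.1.4.1.1466.20037"
# SASL mechanisms that carry a reusable secret in the clear unless TLS is active
# (the example's own classification)
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}

SAMPLE_ROOT_DSE = """\
dn:
objectClass: top
namingContexts: dc=example,dc=com
subschemaSubentry: cn=Subschema
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedControl: 1.2.840.113556.1.4.319
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
altServer: ldap://ldap2.example.com/
"""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {attribute: [values]}.

    Handles the two LDIF features a root DSE read needs: multi-valued
    attributes and folded continuation lines (a line starting with one
    space). Attribute names are case-insensitive in LDAP, so they are
    lower-cased here.
    """
    attrs: dict[str, list[str]] = {}
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw.strip():
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def assess_root_dse(attrs: dict[str, list[str]]) -> dict[str, object]:
    """Summarise the RFC 2251 §3.4 root DSE attributes and flag weak points."""
    versions = {int(v) for v in attrs.get("supportedldapversion", [])}
    sasl = set(attrs.get("supportedsaslmechanisms", []))
    start_tls = START_TLS_OID in attrs.get("supportedextension", [])
    findings: list[str] = []
    if 3 not in versions:
        findings.append("server does not advertise LDAP v3")
    if 2 in versions:
        findings.append("LDAP v2 still advertised (v2 has neither Start TLS nor SASL)")
    if not start_tls:
        findings.append("Start TLS extended operation not advertised")
    weak = sorted(sasl & CLEARTEXT_SASL)
    if weak:
        findings.append(f"cleartext SASL mechanisms offered: {', '.join(weak)}")
    return {
        "ldap_versions": sorted(versions),
        "start_tls": start_tls,
        "sasl_mechanisms": sorted(sasl),
        "naming_contexts": attrs.get("namingcontexts", []),
        "alt_servers": attrs.get("altserver", []),
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess_root_dse(parse_ldif_entry(SAMPLE_ROOT_DSE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run this against a real server, replace SAMPLE_ROOT_DSE with the LDIF from a base-scope search of the empty DN that names these attributes explicitly; they are operational attributes and are not returned unless requested by name.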
Feature | Description | Specified | Profile |
---|---|---|---|
Client-Server Communication | When a client transmits a protocol request describing an operation to be performed to the server, the server performs the necessary operation(s) in the directory and, upon completion of the operation(s), returns a response containing any results or errors to the requesting client. | IETF RFC 2251 §3.1 | Base |
TCP as the transporting protocol | The server implements a mapping of LDAP over TCP in which the LDAPMessage PDUs are mapped directly onto the TCP byte stream, and provides a protocol listener for this mode of operation on TCP port 389 (it may also provide listeners on other ports). | Here; IETF RFC 2251 §5.2.1 | Base |
SSL over TCP as the transporting protocol | The server implements a mapping of LDAP over SSL over TCP in which the LDAPMessage PDUs are mapped directly onto the SSL byte stream, and provides a protocol listener for this mode of operation on TCP port 636 (servers may also provide listeners on other ports). | Here | Base |
Transport Security - Start TLS | The server allows a client to perform a Start TLS operation, and negotiates Transport Layer Security (TLS) as a result. | IETF RFC 2830 §2–§2.3, §3–§3.5, §4–§4.2, §5, §5.1, §5.1.1, §5.2 | Advanced |
Notice of Disconnection | The server uses a Notice of Disconnection notification to advise a client that it is about to close the connection. | IETF RFC 2251 §4.4.1 | Standard |
Feature | Description | Specified | Profile |
---|---|---|---|
Anonymous Simple Bind | The server accepts a simple bind request where the password is of zero length, and treats the client as being anonymously authenticated. It also treats a client that has not bound successfully as anonymously authenticated. | IETF RFC 2251 §4.2, §4.2.2, §4.2.3, §4.3; IETF RFC 2829 §4, §5, §5.1 | Base |
Anonymous Bind over SSL | The server accepts a simple bind request over an SSL connection where the password is of zero length, and treats the client as being anonymously authenticated. It also treats a client connected by SSL that has not bound successfully as anonymously authenticated. | Here; IETF RFC 2251 §4, §4.2, §4.2.2, §4.2.3, §4.3 | Base |
Anonymous Bind after Start TLS | The server treats a client that has invoked TLS via Start TLS but has not bound as anonymously authenticated, until the client binds with the SASL EXTERNAL mechanism to have its TLS client certificate recognized as its identity. | IETF RFC 2829 §4, §5, §5.2, §10 | Advanced |
Authenticated Simple Bind | The server accepts a simple bind request with the contents of the authentication field consisting of a password, and authenticates the client by that password. | IETF RFC 2251 §4.2, §4.2.2, §4.2.3, §4.3 | Base |
Simple Bind with Password exchange over SSL | The server accepts a simple bind request over an SSL connection with the contents of the authentication field consisting of a password, and authenticates the client by that password. | Here; IETF RFC 2251 §4.2, §4.2.2, §4.2.3, §4.3 | Base |
Simple Bind with Password exchange after Start TLS | The server negotiates TLS following a Start TLS request, and then accepts a simple bind request with the contents of the authentication field consisting of a password, and authenticates the client by that password. | IETF RFC 2829 §4, §6, §6.2, §10 | Advanced |
SASL Bind | The server accepts a SASL bind request and authenticates the client by the SASL credentials. | IETF RFC 2251 §4.2, §4.2.1, §4.2.2, §4.2.3, §4.3; IETF RFC 2829 §4, §9, §11 | Advanced |
Certificate-based authentication with TLS | The server negotiates TLS following a Start TLS request, and authenticates the client by the user's TLS certificate. | IETF RFC 2829 §4, §7, §7.1, §10; IETF RFC 2830 §5.1.2, §5.1.2.1, §5.1.2.2, §5.1.2.3 | Advanced |
External SASL mechanism | The server accepts a SASL bind request specifying the SASL EXTERNAL mechanism and authenticates the client by identity information established by a lower-layer protocol (for example, a TLS client certificate). | IETF RFC 2251 §4.2.2; IETF RFC 2829 §4, §8 | Advanced |
SASL Bind - DIGEST-MD5 | The server accepts a SASL bind request specifying the DIGEST-MD5 mechanism and authenticates the client by the DIGEST-MD5 mechanism. | IETF RFC 2829 §4, §6, §6.1 | Advanced |
Feature | Description | Specified | Profile |
---|---|---|---|
Distinguished Name | The server correctly encodes and decodes protocol representations of distinguished names. | IETF RFC 2251 §4.1.3; IETF RFC 2253 §2, §2.1, §5 | Base |
Relative Distinguished Name | The server correctly encodes and decodes protocol representations of relative distinguished names. | IETF RFC 2253 §2.2, §2.3, §2.4, §5 | Base |
Parsing | The server correctly parses string representations of distinguished names. | IETF RFC 2253 §3, §5 | Base |
Relationship with LDAP v2 | The server accepts but does not generate certain protocol constructs that are legal in LDAP v2 but not in LDAP v3. | IETF RFC 2253 §4, §5 | Base |
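The four features above all turn on the RFC 2253 string form of a DN: the separators `,` and `+`, backslash escapes for special characters, `\XX` hex pairs for arbitrary UTF-8 bytes, and the LDAP v2 forms (`;` as a separator, quoted values) that a v3 server must accept but not generate. The Python below is an added example, not code from the RFCs or from any directory product. It parses the string form as RFC 2253 §3 describes, using the RFC 2253 §5 examples as inputs, and escapes values per §2.4. The `naive_user_dn` and `user_dn` helpers and the `ou=people,dc=example,dc=com` base are the example's own constructions; they show why escaping matters: an unescaped name containing `,ou=admins` adds an RDN to the DN, while the escaped form stays a single RDN value.

```python
"""RFC 2253 distinguished-name string handling: a parser for the string form
and an escaper for building RDN values from untrusted input.

Added illustration, not code from the RFCs or from any directory product.
The inputs exercised in the tests are the RFC 2253 §5 examples plus
constructed strings.
"""
from __future__ import annotations
import re

# Characters that take a backslash inside a value (RFC 2253 §2.4 and its grammar).
SPECIAL = set(',=+<>#;"\\')
HEX = set("0123456789abcdefABCDEF")
# attributeType is a keystring (ALPHA then ALPHA/DIGIT/"-") or a dotted-decimal OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot add, split or alter RDNs."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):          # leading/trailing space
            out.append("\\ ")
        elif ord(ch) < 0x20:                         # control chars as \XX pairs
            out.append("".join("\\%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Parse a DN into RDNs; each RDN is a list of (type, value) pairs, more than
    one when joined by '+'. ';' separators and quoted values are accepted because
    RFC 2253 §4 requires a v3 implementation to accept these LDAP v2 forms."""
    rdns: list[list[tuple[str, str]]] = []
    rdn: list[tuple[str, str]] = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"no '=' in RDN starting at offset {i}")
        atype = dn[i:eq].strip()
        if not ATTR_TYPE.match(atype):
            raise ValueError(f"bad attribute type {atype!r}")
        i = eq + 1
        while i < n and dn[i] == " ":               # unescaped leading spaces
            i += 1
        buf, keep, quoted = bytearray(), 0, False
        if i < n and dn[i] == '"':
            quoted, i = True, i + 1
        while i < n:
            ch = dn[i]
            if ch == "\\":
                pair = dn[i + 1:i + 3]
                if len(pair) == 2 and set(pair) <= HEX:
                    buf.append(int(pair, 16)); i += 3   # \XX: one raw byte
                elif i + 1 < n:
                    buf.extend(dn[i + 1].encode("utf-8")); i += 2
                else:
                    raise ValueError("dangling backslash")
                keep = len(buf)
            elif quoted and ch == '"':
                quoted, i = False, i + 1
            elif not quoted and ch in ",;+":
                break
            else:
                buf.extend(ch.encode("utf-8")); i += 1
                if ch != " " or quoted:
                    keep = len(buf)
        if quoted:
            raise ValueError("unterminated quoted value")
        del buf[keep:]                               # drop unescaped trailing spaces
        rdn.append((atype, buf.decode("utf-8")))     # a value starting with '#' is BER hex; kept verbatim
        while i < n and dn[i] == " ":
            i += 1
        if i < n:
            sep, i = dn[i], i + 1
            while i < n and dn[i] == " ":
                i += 1
            if sep in ",;":
                rdns.append(rdn); rdn = []
            if i == n:
                raise ValueError("trailing separator")
    if rdn:
        rdns.append(rdn)
    return rdns


def naive_user_dn(cn: str) -> str:
    """Unsafe: interpolates an untrusted name straight into a DN (constructed base)."""
    return f"cn={cn},ou=people,dc=example,dc=com"


def user_dn(cn: str) -> str:
    """Safe: the name is escaped, so it stays inside one RDN value."""
    return f"cn={escape_rdn_value(cn)},ou=people,dc=example,dc=com"
```

Note that the parser decodes `\XX` pairs to raw bytes and only then decodes UTF-8, which is what makes `SN=Lu\C4\8Di\C4\87` (an RFC 2253 §5 example) come out as the intended name rather than four stray characters.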
Feature | Description | Specified | Profile |
---|---|---|---|
Search | The server accepts search requests and performs the requested search operations. | IETF RFC 2251 §4.5, §4.5.1, §4.5.2 | Base |
Ability to dereference alias | The server supports alias objects and correctly handles references to them in search requests. | IETF RFC 2251 §4.5.1 | Standard |
Operational Attributes Retrieval | The server returns operational attributes in response to appropriate search requests. | IETF RFC 2251 §3.4 | Standard |
Compare | The server accepts compare requests and performs the requested compare operations. | IETF RFC 2251 §4.10 | Base |
Feature | Description | Specified | Profile |
---|---|---|---|
Add | The server accepts add requests and performs the requested add operations. | IETF RFC 2251 §4.7 | Base |
Delete | The server accepts delete requests and performs the requested delete operations. | IETF RFC 2251 §4.8 | Base |
Modify (Add, Delete, Replace) | The server accepts modify requests and performs the requested modify operations, including additions, deletions, and replacements. | IETF RFC 2251 §4.6 | Base |
ModifyDN - Rename a Leaf Entry | The server accepts modify DN requests to rename leaf entries and performs the requested leaf rename operations. | IETF RFC 2251 §4.9 | Base |
ModifyDN - Move a Leaf Entry to a New Parent | The server accepts modify DN requests to move leaf entries to new parents and performs the requested leaf move operations. | IETF RFC 2251 §4.9 | Base |
ModifyDN - Move a Renamed Leaf Entry to a New Parent | The server accepts modify DN requests to rename leaf entries and move them to new parents and performs the requested leaf rename and move operations. | IETF RFC 2251 §4.9 | Base |
ModifyDN - Move Subtree of Entries | The server accepts modify DN requests to move subtrees of entries to new parents and performs the requested move subtree operations. | IETF RFC 2251 §4.9 | Advanced |
ModifyDN - Move a Renamed Subtree of Entries to a New Parent | The server accepts modify DN requests to rename subtrees of entries and move them to new parents and performs the requested rename and move subtree operations. | IETF RFC 2251 §4.9 | Advanced |
Feature | Description | Specified | Profile |
---|---|---|---|
BER | The server correctly encodes and decodes protocol elements using ASN.1 BER as required by LDAP. | IETF RFC 2251 §5.1 | Base |
Simple Common Elements | The server correctly encodes, decodes, and processes the simple common elements of LDAPMessage envelope PDUs. | IETF RFC 2251 §4, §4.1, §4.1.1, §4.1.1.1, §4.1.2, §4.1.4, §4.1.5, §4.1.5.1, §4.1.6, §4.1.7, §4.1.8, §4.1.10, §5 | Base |
Controls | The server correctly encodes, decodes, and processes Controls elements of LDAPMessage envelope PDUs. | IETF RFC 2251 §4.1.12 | Standard |
Extended Operations | The server accepts Extended Operations requests and performs any extended operations that it recognizes. | IETF RFC 2251 §4.12 | Standard |
Unsolicited Notification | The server sends unsolicited notifications to signal extraordinary conditions in the server or in the connection between the client and the server. | IETF RFC 2251 §4.4 | Standard |
Abandon | The server accepts abandon requests and performs the requested abandon operations. | IETF RFC 2251 §4.11 | Base |
Referral | The server can return referrals to enable requested operations to be performed by other servers. | IETF RFC 2251 §4.1.11; IETF RFC 2254 §3, §4, §5; IETF RFC 2255 §3, §4, §6 | Standard |
Continuation References | The server can return continuation references to enable requested operations to be continued by other servers. | IETF RFC 2251 §4.5.3, §4.5.3.1 | Standard |
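The BER, Simple Common Elements and Extended Operations rows above, together with the Anonymous Simple Bind, Authenticated Simple Bind, SASL Bind and Start TLS features in the authentication table, are easiest to understand from the bytes on the wire. The Python below is an added example written from the ASN.1 in RFC 2251 §4.1, §4.2 and §4.12 and RFC 2830 §2.1; it is not code from the RFCs or from any LDAP implementation. It encodes the LDAPMessage envelope with the definite-length BER that RFC 2251 §5.1 requires, builds the anonymous simple bind, a password simple bind, a SASL bind and a Start TLS ExtendedRequest, and then decodes a captured PDU the way a passive observer of an unprotected port 389 session would. The DN `cn=admin,dc=example,dc=com` and the password `secret` are constructed sample values; the point is that a simple bind carries the password as plain octets, which is why the profile pairs it with SSL or Start TLS.

```python
"""Minimal ASN.1 BER encoder/decoder for the LDAP v3 bind and Start TLS PDUs
(RFC 2251 §4.1, §4.2, §4.12, §5.1; RFC 2830 §2.1).

Added illustration built from the RFC ASN.1, not code from any LDAP
implementation. Sample DN and password below are constructed.
"""
from __future__ import annotations

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 2830 §2.1


def ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise.
    RFC 2251 §5.1 allows only the definite form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, ber_int(message_id) + protocol_op)


def bind_request_simple(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    authentication CHOICE { simple [0] OCTET STRING } }.
    Empty dn and empty password is the anonymous simple bind (RFC 2251 §4.2)."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(message_id, tlv(0x60, op))


def bind_request_sasl(message_id: int, mechanism: str,
                      credentials: bytes | None = None) -> bytes:
    """authentication CHOICE { sasl [3] SaslCredentials }
    SaslCredentials ::= SEQUENCE { mechanism LDAPString,
                                   credentials OCTET STRING OPTIONAL }"""
    sasl = tlv(0x04, mechanism.encode())
    if credentials is not None:
        sasl += tlv(0x04, credentials)
    op = ber_int(3) + tlv(0x04, b"") + tlv(0xA3, sasl)
    return ldap_message(message_id, tlv(0x60, op))


def start_tls_request(message_id: int) -> bytes:
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }"""
    return ldap_message(message_id, tlv(0x77, tlv(0x80, START_TLS_OID)))


def ber_decode(data: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode one TLV at pos -> (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    if pos + length > len(data):
        raise ValueError("truncated PDU")
    return tag, data[pos:pos + length], pos + length


def sniff_simple_bind(pdu: bytes) -> tuple[str, str] | None:
    """Return (dn, password) if pdu is a simple BindRequest, else None.
    This is what a passive observer of an unencrypted session recovers."""
    tag, msg, _ = ber_decode(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = ber_decode(msg)              # messageID
    tag, op, _ = ber_decode(msg, pos)
    if tag != 0x60:
        return None                          # not a BindRequest
    _, _, pos = ber_decode(op)               # version
    _, dn, pos = ber_decode(op, pos)         # name
    tag, cred, _ = ber_decode(op, pos)       # authentication choice
    if tag != 0x80:
        return None                          # SASL: no password in the PDU itself
    return dn.decode(), cred.decode()


if __name__ == "__main__":
    print(bind_request_simple(1, "", "").hex())                        # anonymous bind
    pdu = bind_request_simple(2, "cn=admin,dc=example,dc=com", "secret")
    print(pdu.hex())
    print(sniff_simple_bind(pdu))
    print(start_tls_request(3).hex())
```

The anonymous bind encodes to the well-known 14 bytes `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`; the zero-length `04 00` name and `80 00` password are exactly the "password of zero length" the Anonymous Simple Bind feature describes.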
Feature | Description | Specified | Profile |
---|---|---|---|
Data Model | Each entry must have an objectClass attribute. The objectClass attribute specifies the object classes of an entry, which along with the system and user schema determine the permitted attributes of an entry. Values of this attribute may be modified by clients, but the objectClass attribute cannot be removed. Servers may restrict the modifications of this attribute to prevent the basic structural class of the entry from being changed (for example, one cannot change a person into a country). When creating an entry or adding an objectClass value to an entry, all superclasses of the named classes are implicitly added as well if not already present, and the client must supply values for any mandatory attributes of new superclasses. | IETF RFC 2251 §3.2 | Base |
Definition of Object Classes | The server associates entries with object classes in accordance with the X.500 model. | IETF RFC 2251 §3.2.1; IETF RFC 2252 §4.4 | Base |
Definition of Attributes | The server's entries have attributes in accordance with the X.500 model. The server supports entries, each of which consists of a set of attributes. An attribute is a type with one or more associated values. | IETF RFC 2251 §3.2.1, §6.1; IETF RFC 2252 §4.2, §4.3, §4.3.1, §4.3.2 | Base |
Definition of Matching Rules | The server supports matching rules in accordance with the X.500 model. | IETF RFC 2252 §4.5 | Base |
Object Classes | The server recognizes the following object classes listed in IETF RFC 2252, Section 7 and IETF RFC 2256, Section 7 as values of the objectClass attribute: extensibleObject, subschema, top, alias, country, locality, organization, organizationalUnit, person, organizationalPerson, organizationalRole, groupOfNames, residentialPerson, device, and groupOfUniqueNames. | Here; IETF RFC 2252 §7, §7.1, §7.2; IETF RFC 2256 §7, §7.1–§7.11, §7.15, §7.18 | Standard |
Attribute Types | The server recognizes the following attribute types listed in IETF RFC 2256, Section 5: objectClass, aliasedObjectName, cn, sn, serialNumber, c, l, st, street, o, ou, title, description, searchGuide, businessCategory, postalAddress, postalCode, postOfficeBox, physicalDeliveryOfficeName, telephoneNumber, telexNumber, teletexTerminalIdentifier, facsimileTelephoneNumber, x121Address, internationaliSDNNumber, registeredAddress, destinationIndicator, preferredDeliveryMethod, supportedApplicationContext, member, owner, roleOccupant, seeAlso, userPassword, name, givenName, initials, generationQualifier, x500UniqueIdentifier, dnQualifier, enhancedSearchGuide, distinguishedName, uniqueMember, and houseIdentifier. | Here; IETF RFC 2252 §5; IETF RFC 2256 §5, §5.1, §5.2, §5.4–§5.29, §5.31–§5.36, §5.42–§5.48, §5.50–§5.52 | Standard |
Operational Attributes | The server implements and maintains the values of operational attributes. | IETF RFC 2251 §3.2.1; IETF RFC 2252 §5, §5.1–§5.1.9, §5.2–§5.2.6, §5.3, §5.3.1, §5.4–§5.4.3 | Standard |
Syntaxes | The server recognizes the following syntaxes listed in IETF RFC 2252, Section 6 and IETF RFC 2256, Section 6: Attribute Type Description, Bit String, Boolean, Country String, DN, Directory String, DIT Content Rule Description, Facsimile Telephone Number, Fax, Generalized Time, IA5 String, INTEGER, JPEG, Matching Rule Description, Matching Rule Use Description, Name And Optional UID, Name Form Description, Numeric String, Object Class Description, OID, Other Mailbox, Postal Address, Printable String, Telephone Number, UTC Time, LDAP Syntax Description, DIT Structure Rule Description, Delivery Method, Enhanced Guide, Guide, Octet String, Teletex Terminal Identifier, and Telex Number. | IETF RFC 2252 §6, §6.1, §6.3, §6.4, §6.8–§6.19, §6.21–§6.27, §6.29–§6.33; IETF RFC 2256 §6, §6.1–§6.6 | Standard |
Matching Rules (Extensible Match) | The server supports the extensibleMatch search filter and the extensibleMatch matching rules that are defined in IETF RFC 2256, Section 8. | IETF RFC 2251 §4.1.9; IETF RFC 2252 §8, §8.2, §8.3, §8.4; IETF RFC 2256 §8, §8.1 | Advanced |
Subschema Entries and Subentries | The server implements subschema entries and subentries. | IETF RFC 2251 §3.2.2 | Standard |
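The Data Model row above states two rules that a client submitting an Add has to respect: every superclass of a named objectClass value is implicitly part of the entry, and the mandatory (MUST) attributes of those superclasses have to be supplied or the server rejects the entry. The Python below is an added example, not code from the RFCs or from any directory product. It parses ObjectClassDescription strings in the RFC 2252 §4.4 syntax, computes the superclass closure, and validates a candidate entry against the MUST and MAY lists before it is sent. The embedded definitions are those of `top`, `person`, `organizationalPerson` and `groupOfNames` from RFC 2256 §7, with the long `organizationalPerson` MAY list shortened for the example (noted in the code); the sample entries are constructed.

```python
"""Object-class schema handling per RFC 2251 §3.2 and RFC 2252 §4.4: parse
ObjectClassDescription strings, expand superclasses, check MUST/MAY.

Added illustration, not code from the RFCs or from any directory server.
Definitions below follow RFC 2256 §7; the organizationalPerson MAY list is
shortened for the example. Sample entries are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

RFC2256_SUBSET = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL "
    "MAY ( title $ ou $ st $ l $ street $ postalAddress $ postalCode ) )",  # MAY shortened
    "( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) "
    "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )",
]

# tokens of the RFC 2252 §4.1 description syntax: parens, '$', quoted strings, words
TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")


@dataclass
class ObjectClass:
    oid: str
    names: list[str]
    sup: list[str]
    kind: str          # ABSTRACT, STRUCTURAL or AUXILIARY
    must: list[str]
    may: list[str]


def parse_object_class(desc: str) -> ObjectClass:
    """Parse one ObjectClassDescription (RFC 2252 §4.4)."""
    toks = TOKEN.findall(desc)
    if not toks or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be parenthesised")
    oid, i = toks[1], 2
    names, sup, must, may, kind = [], [], [], [], "STRUCTURAL"

    def oids() -> list[str]:
        """woid or '(' oidlist ')' where oidlist items are separated by '$'."""
        nonlocal i
        if toks[i] != "(":
            i += 1
            return [toks[i - 1]]
        i += 1
        out = []
        while toks[i] != ")":
            if toks[i] != "$":
                out.append(toks[i])
            i += 1
        i += 1
        return out

    while i < len(toks) - 1:
        kw = toks[i].upper(); i += 1
        if kw == "NAME":
            names = [t.strip("'") for t in oids()]
        elif kw == "DESC":
            i += 1                                  # skip the qdstring
        elif kw == "OBSOLETE":
            pass
        elif kw == "SUP":
            sup = oids()
        elif kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            kind = kw
        elif kw == "MUST":
            must = oids()
        elif kw == "MAY":
            may = oids()
        else:
            raise ValueError(f"unexpected token {kw!r}")
    return ObjectClass(oid, names, sup, kind, must, may)


class Schema:
    def __init__(self, descriptions: list[str]):
        self.by_name: dict[str, ObjectClass] = {}
        for d in descriptions:
            oc = parse_object_class(d)
            for n in oc.names:
                self.by_name[n.lower()] = oc

    def closure(self, classes: list[str]) -> list[str]:
        """Named classes plus every superclass: what RFC 2251 §3.2 says the
        server implicitly adds to objectClass on Add."""
        seen: list[str] = []
        stack = list(classes)
        while stack:
            oc = self.by_name.get(stack.pop().lower())
            if oc is None:
                raise ValueError("unknown object class")
            if oc.names[0] not in seen:
                seen.append(oc.names[0])
                stack.extend(oc.sup)
        return seen

    def validate_add(self, entry: dict[str, list[str]]) -> tuple[list[str], list[str]]:
        """Return (effective object classes, problems) for a candidate Add."""
        classes = self.closure(entry.get("objectClass", []))
        problems: list[str] = []
        if not any(self.by_name[c.lower()].kind == "STRUCTURAL" for c in classes):
            problems.append("no structural object class")
        present = {k.lower() for k, v in entry.items() if v}
        allowed = {"objectclass"}
        for c in classes:
            oc = self.by_name[c.lower()]
            for attr in oc.must:
                if attr.lower() not in present:
                    problems.append(f"missing mandatory attribute {attr} (required by {oc.names[0]})")
            allowed.update(a.lower() for a in oc.must + oc.may)
        for attr in sorted(present - allowed):
            problems.append(f"attribute {attr} not permitted by {classes}")
        return classes, problems


if __name__ == "__main__":
    schema = Schema(RFC2256_SUBSET)
    entry = {"objectClass": ["organizationalPerson"], "cn": ["Jane Doe"], "title": ["Engineer"]}
    print(schema.validate_add(entry))
```

The first sample entry names only `organizationalPerson`, yet the check reports `sn` as missing: that attribute is mandatory in `person`, which the superclass closure pulls in, exactly the case the Data Model row describes.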