
Directory: LDAP Features for Certification
Copyright © 2003 The Open Group

LDAP Features

This section lists the features of LDAP v3 as defined in IETF RFC 3377.

For the purposes of this analysis, a feature is: "a capability provided by directories to clients through the LDAP protocol".

IETF RFC 3377 itself describes no LDAP features, but it references eight other RFCs which, together with IETF RFC 3377, make up the specification of the Lightweight Directory Access Protocol, Version 3 (LDAP v3). Those RFCs, each of which is cited in the feature lists below, are:

IETF RFC 2251 (the protocol)
IETF RFC 2252 (attribute syntax definitions)
IETF RFC 2253 (UTF-8 string representation of distinguished names)
IETF RFC 2254 (string representation of search filters)
IETF RFC 2255 (the LDAP URL format)
IETF RFC 2256 (summary of the X.500(96) user schema for use with LDAP v3)
IETF RFC 2829 (authentication methods for LDAP)
IETF RFC 2830 (extension for Transport Layer Security)

The features listed in this section are confined to those described in the above RFCs. There are other RFCs that describe extensions to LDAP v3. As of November 2002, these are:

The inclusion in profiles of features defined in RFCs that are not referenced by IETF RFC 3377 is for further study.

The features are listed below by feature group.

Certain aspects of some features are not completely described by the RFCs, and the feature descriptions include substantive additions to the RFC provisions. These cases are indicated by the word "Here" in the "Specified" column of the list.

Publication

Feature: RootDSE - LDAP v3
Description: The server maintains a supportedLDAPVersion attribute in the root DSE that identifies the LDAP versions it implements; these include LDAP v3.
Specified: IETF RFC 2251 §3.4
Profile: Standard

Feature: RootDSE - Controls
Description: The server maintains a supportedControl attribute in the root DSE that identifies the controls it supports.
Specified: IETF RFC 2251 §3.4
Profile: Standard

Feature: RootDSE - Extensions
Description: The server maintains a supportedExtension attribute in the root DSE that identifies the extended operations it supports.
Specified: IETF RFC 2251 §3.4
Profile: Standard

Feature: RootDSE - Schema
Description: The server maintains in the root DSE a namingContexts attribute that identifies the naming contexts held in the server and a subschemaSubentry attribute that identifies the subschema entries known to the server.
Specified: IETF RFC 2251 §3.4
Profile: Standard

Feature: RootDSE - Alt Server
Description: The server maintains an altServer attribute in the root DSE that identifies alternative servers that may be used when it is unavailable.
Specified: IETF RFC 2251 §3.4
Profile: Standard

Feature: RootDSE - Supported SASL Mechanisms
Description: The server maintains a supportedSASLMechanisms attribute in the root DSE that identifies the SASL mechanisms it supports.
Specified: IETF RFC 2251 §3.4
Profile: Standard
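The root DSE attributes above are what a client can read before it binds, and they are the first thing a certification test client checks. The following Python is an added example, not part of this document or of any server product: it parses a root DSE entry in LDIF form and maps its contents onto the feature names used in these lists. The entry it parses is constructed, and the grouping of rows into the Base, Standard and Advanced profiles is this example's own reading of the Profile column (Standard = the six root DSE rows; Advanced = those plus Start TLS, EXTERNAL and DIGEST-MD5 advertised).

```python
"""Map a root DSE onto the feature rows of the Publication list.

Added example; not code from the certification document or from any LDAP server.
The sample entry is constructed, and the profile mapping is this example's own."""
from __future__ import annotations

import base64

START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # Start TLS extended operation, RFC 2830 section 2.1

# Constructed sample of what a base-scope search of "" with filter (objectClass=*) might
# return when the attributes below are requested by name (RFC 2251 section 3.4).
SAMPLE_ROOT_DSE = """\
dn:
objectClass: top
supportedLDAPVersion: 2
supportedLDAPVersion: 3
namingContexts: o=example
subschemaSubentry: cn=subschema
supportedControl: 2.16.840.1.113730.3.4.2
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
altServer: ldap://ldap2.example.com/
"""

# Rows of the Publication list, and rows elsewhere on this page that the root DSE advertises.
STANDARD_ROWS = ("RootDSE - LDAP v3", "RootDSE - Controls", "RootDSE - Extensions",
                 "RootDSE - Schema", "RootDSE - Alt Server", "RootDSE - Supported SASL Mechanisms")
ADVANCED_ROWS = ("Transport Security - startTLS", "External SASL mechanism", "SASL Bind - Digest-MD5")


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {attribute name (lower-cased): [values]}.
    Handles folded continuation lines (leading space) and base64 ('::') values."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]              # continuation: one leading space is dropped
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry: dict[str, list[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def assess_root_dse(entry: dict[str, list[str]]) -> dict[str, bool]:
    """True for each feature row whose evidence is present in the root DSE."""
    def values(attr: str) -> list[str]:
        return entry.get(attr.lower(), [])
    mechanisms = {m.upper() for m in values("supportedSASLMechanisms")}
    return {
        "RootDSE - LDAP v3": "3" in values("supportedLDAPVersion"),
        "RootDSE - Controls": bool(values("supportedControl")),
        "RootDSE - Extensions": bool(values("supportedExtension")),
        "RootDSE - Schema": bool(values("namingContexts")) and bool(values("subschemaSubentry")),
        "RootDSE - Alt Server": bool(values("altServer")),
        "RootDSE - Supported SASL Mechanisms": bool(values("supportedSASLMechanisms")),
        "Transport Security - startTLS": START_TLS_OID in values("supportedExtension"),
        "External SASL mechanism": "EXTERNAL" in mechanisms,
        "SASL Bind - Digest-MD5": "DIGEST-MD5" in mechanisms,
    }


def advertised_profile(findings: dict[str, bool]) -> str:
    """Highest profile whose root-DSE-visible rows are all advertised (this example's mapping)."""
    if not all(findings[row] for row in STANDARD_ROWS):
        return "Base"
    if not all(findings[row] for row in ADVANCED_ROWS):
        return "Standard"
    return "Advanced"


if __name__ == "__main__":
    result = assess_root_dse(parse_ldif_entry(SAMPLE_ROOT_DSE))
    for row, present in result.items():
        print(f"{row:40s} {'advertised' if present else 'absent'}")
    print("profile from root DSE:", advertised_profile(result))
```

An advertised capability is not a working one: the root DSE tells a test client which rows to exercise, and the rows themselves (a Start TLS exchange, an EXTERNAL bind, and so on) still have to be driven against the server.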

Connection

Feature: Client-Server Communication
Description: When a client transmits a protocol request describing an operation to be performed, the server performs the necessary operation(s) in the directory and, on completion, returns a response containing any results or errors to the requesting client.
Specified: IETF RFC 2251 §3.1
Profile: Base

Feature: TCP as the transporting protocol
Description: The server implements a mapping of LDAP over TCP in which LDAPMessage PDUs are mapped directly onto the TCP byte stream, and provides a protocol listener for this mode of operation on IP port 389 (it may also provide listeners on other ports).
Specified: Here; IETF RFC 2251 §5.2.1
Profile: Base

Feature: SSL over TCP as the transporting protocol
Description: The server implements a mapping of LDAP over SSL over TCP in which LDAPMessage PDUs are mapped directly onto the SSL byte stream, and provides a protocol listener for this mode of operation on IP port 636 (it may also provide listeners on other ports). None of the RFCs that make up LDAP v3 defines this mapping.
Specified: Here
Profile: Base

Feature: Transport Security - startTLS
Description: The server allows a client to perform a Start TLS extended operation, and negotiates Transport Layer Security (TLS) on the existing connection as a result.
Specified: IETF RFC 2830 §2, §2.1, §2.2, §2.3, §3, §3.1, §3.2, §3.3, §3.4, §3.5, §4, §4.1, §4.2, §5, §5.1, §5.1.1, §5.2
Profile: Advanced

Feature: Notice of Disconnection
Description: The server uses a Notice of Disconnection unsolicited notification to advise a client that it is about to close the connection.
Specified: IETF RFC 2251 §4.4.1
Profile: Standard

Authentication

Feature: Anonymous Simple Bind
Description: The server accepts a simple bind request in which the password is of zero length, and treats the client as anonymously authenticated. It also treats a client that has not bound successfully as anonymously authenticated.
Specified: IETF RFC 2251 §4.2, §4.2.2, §4.2.3, §4.3; IETF RFC 2829 §4, §5, §5.1
Profile: Base

Feature: Anonymous Bind over SSL
Description: The server accepts a simple bind request over an SSL connection in which the password is of zero length, and treats the client as anonymously authenticated. It also treats a client connected by SSL that has not bound successfully as anonymously authenticated.
Specified: Here; IETF RFC 2251 §4, §4.2, §4.2.2, §4.2.3, §4.3
Profile: Base

Feature: Anonymous Bind after START TLS
Description: The server treats a client that has negotiated TLS by means of Start TLS but has not bound as anonymously authenticated, until the client binds with the SASL EXTERNAL mechanism to have the identity in its TLS client certificate recognized.
Specified: IETF RFC 2829 §4, §5, §5.2, §10
Profile: Advanced

Feature: Authenticated Simple Bind
Description: The server accepts a simple bind request whose authentication field carries a password, and authenticates the client by that password. On a plain TCP connection the password crosses the network in the clear; the two rows that follow cover the protected variants.
Specified: IETF RFC 2251 §4.2, §4.2.2, §4.2.3, §4.3
Profile: Base

Feature: Simple Bind with Password exchange over SSL
Description: The server accepts a simple bind request over an SSL connection whose authentication field carries a password, and authenticates the client by that password.
Specified: Here; IETF RFC 2251 §4.2, §4.2.2, §4.2.3, §4.3
Profile: Base

Feature: Simple Bind with Password exchange after START TLS
Description: The server negotiates TLS following a Start TLS request, then accepts a simple bind request whose authentication field carries a password, and authenticates the client by that password.
Specified: IETF RFC 2829 §4, §6, §6.2, §10
Profile: Advanced

Feature: SASL Bind
Description: The server accepts a SASL bind request and authenticates the client by the SASL credentials it carries.
Specified: IETF RFC 2251 §4.2, §4.2.1, §4.2.2, §4.2.3, §4.3; IETF RFC 2829 §4, §9, §11
Profile: Advanced

Feature: Certificate-based authentication with TLS
Description: The server negotiates TLS following a Start TLS request, and authenticates the client by the client's TLS certificate.
Specified: IETF RFC 2829 §4, §7, §7.1, §10; IETF RFC 2830 §5.1.2, §5.1.2.1, §5.1.2.2, §5.1.2.3
Profile: Advanced

Feature: External SASL mechanism
Description: The server accepts a SASL bind request specifying the EXTERNAL mechanism and authenticates the client by identity information already established by a lower-layer protocol (for example, a TLS client certificate).
Specified: IETF RFC 2251 §4.2.2; IETF RFC 2829 §4, §8
Profile: Advanced

Feature: SASL Bind - Digest-MD5
Description: The server accepts a SASL bind request specifying the DIGEST-MD5 mechanism and authenticates the client by that mechanism.
Specified: IETF RFC 2829 §4, §6, §6.1
Profile: Advanced

Conversion

Feature: Distinguished Name
Description: The server correctly encodes and decodes the protocol representation of distinguished names.
Specified: IETF RFC 2251 §4.1.3; IETF RFC 2253 §2, §2.1, §5
Profile: Base

Feature: Relative Distinguished Name
Description: The server correctly encodes and decodes the protocol representation of relative distinguished names, including the escaping of special characters in attribute values.
Specified: IETF RFC 2253 §2.2, §2.3, §2.4, §5
Profile: Base

Feature: Parsing
Description: The server correctly parses string representations of distinguished names.
Specified: IETF RFC 2253 §3, §5
Profile: Base

Feature: Relationship with LDAP v2
Description: The server accepts, but does not generate, certain distinguished name string forms that were legal under LDAP v2 (IETF RFC 1779) but are not generated under LDAP v3.
Specified: IETF RFC 2253 §4, §5
Profile: Base
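The four Conversion rows above describe one parser and one generator: the IETF RFC 2253 string form of a distinguished name, its escaping rules for special characters, and the LDAP v2 forms that must still be accepted on input. The Python below is an added example, not code from this document or from any server; it implements those rules and shows why the escaping in IETF RFC 2253 §2.4 matters to anyone who builds a DN from user-supplied text. The RFC 2253 §5 examples are used as inputs; the "tainted" value is constructed.

```python
"""RFC 2253 distinguished name strings: parse, escape, generate.

Added example; not code from the certification document or from any LDAP implementation.
Implements the section 2 string form, the section 2.4 escaping rules, the section 3 parser
and the section 4 compatibility forms (';' separator, quoted values) that are accepted
on input but never generated."""
from __future__ import annotations

import re

_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|(?:[Oo][Ii][Dd]\.)?\d+(?:\.\d+)*)$")
_SPECIAL = ',+"\\<>;'     # must be escaped inside a value (section 2.4)
_SEPARATORS = ",;+"       # ',' and '+' per section 2; ';' accepted per section 4


def escape_value(value: str) -> str:
    """Escape an attribute value for embedding in a DN string (section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ch == "\x7f":        # control characters: hex-escape each octet
            out.append("".join("\\%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: list[list[tuple[str, str]]]) -> str:
    """Generate the section 2 string form; multi-valued RDNs are joined with '+'."""
    return ",".join("+".join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in rdns)


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Parse a DN string into RDNs, each a list of (type, value) pairs.
    Malformed input raises ValueError rather than being guessed at."""
    rdns: list[list[tuple[str, str]]] = []
    rdn: list[tuple[str, str]] = []
    if not dn.strip():
        return rdns                                  # the empty DN names the root DSE
    i, n = 0, len(dn)
    while True:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"attribute type without '=' at offset {i}")
        typ = dn[i:eq].strip()
        if not _TYPE_RE.match(typ):
            raise ValueError(f"bad attribute type {typ!r}")
        i = eq + 1
        while i < n and dn[i] == " ":                # unescaped leading spaces are not value
            i += 1
        raw, keep = bytearray(), 0                   # keep: bytes up to the last significant one
        if i < n and dn[i] == "#":                   # hex-encoded BER value: kept verbatim
            end = i + 1
            while end < n and dn[end] not in _SEPARATORS:
                end += 1
            text = dn[i:end].rstrip()
            if not re.fullmatch(r"#(?:[0-9A-Fa-f]{2})+", text):
                raise ValueError(f"bad hex-encoded value {text!r}")
            raw += text.encode(); keep = len(raw); i = end
        elif i < n and dn[i] == '"':                 # RFC 1779 quoted value (section 4)
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == "\\" and i + 1 < n:
                    raw += dn[i + 1].encode(); i += 2
                else:
                    raw += dn[i].encode(); i += 1
            if i >= n:
                raise ValueError("unterminated quoted value")
            i += 1; keep = len(raw)
            while i < n and dn[i] == " ":
                i += 1
        else:
            while i < n and dn[i] not in _SEPARATORS:
                ch = dn[i]
                if ch == "\\":
                    nxt = dn[i + 1:i + 2]
                    if nxt and nxt in _SPECIAL + " #=":
                        raw += nxt.encode(); i += 2
                    elif re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                        raw.append(int(dn[i + 1:i + 3], 16)); i += 3   # one escaped octet
                    else:
                        raise ValueError(f"bad escape at offset {i}")
                    keep = len(raw)
                else:
                    raw += ch.encode(); i += 1
                    if ch != " ":                    # unescaped trailing spaces are dropped
                        keep = len(raw)
        rdn.append((typ, bytes(raw[:keep]).decode("utf-8")))
        if i >= n:
            rdns.append(rdn)
            return rdns
        sep, i = dn[i], i + 1
        if sep not in _SEPARATORS:
            raise ValueError(f"unexpected {sep!r} at offset {i - 1}")
        if sep != "+":
            rdns.append(rdn)
            rdn = []
```

Concatenating `"cn=" + name + ",ou=people,o=example"` with an unescaped name such as `bob,ou=admins` yields a four-RDN name under a different parent; passing the name through `escape_value` first keeps it a single `cn` value, which is the whole point of the §2.4 rules.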

Retrieval

Feature: Search
Description: The server accepts search requests and performs the requested search operations.
Specified: IETF RFC 2251 §4.5, §4.5.1, §4.5.2
Profile: Base

Feature: Ability to dereference alias
Description: The server supports alias objects and correctly handles references to them in search requests.
Specified: IETF RFC 2251 §4.5.1
Profile: Standard

Feature: Operational Attributes Retrieval
Description: The server returns operational attributes when a search request explicitly requests them.
Specified: IETF RFC 2251 §3.4
Profile: Standard

Feature: Compare
Description: The server accepts compare requests and performs the requested compare operations.
Specified: IETF RFC 2251 §4.10
Profile: Base

Storage and Update

Feature: Add
Description: The server accepts add requests and performs the requested add operations.
Specified: IETF RFC 2251 §4.7
Profile: Base

Feature: Delete
Description: The server accepts delete requests and performs the requested delete operations.
Specified: IETF RFC 2251 §4.8
Profile: Base

Feature: Modify (Add, Delete, Replace)
Description: The server accepts modify requests and performs the requested modify operations, including additions, deletions, and replacements.
Specified: IETF RFC 2251 §4.6
Profile: Base

Feature: ModifyDN - Rename a Leaf Entry
Description: The server accepts modify DN requests to rename leaf entries and performs the requested leaf rename operations.
Specified: IETF RFC 2251 §4.9
Profile: Base

Feature: ModifyDN - Move a Leaf Entry to a New Parent
Description: The server accepts modify DN requests to move leaf entries to new parents and performs the requested leaf move operations.
Specified: IETF RFC 2251 §4.9
Profile: Base

Feature: ModifyDN - Move a Renamed Leaf Entry to a New Parent
Description: The server accepts modify DN requests to rename leaf entries and move them to new parents, and performs the requested leaf rename and move operations.
Specified: IETF RFC 2251 §4.9
Profile: Base

Feature: ModifyDN - Move Subtree of Entries
Description: The server accepts modify DN requests to move subtrees of entries to new parents and performs the requested move subtree operations.
Specified: IETF RFC 2251 §4.9
Profile: Advanced

Feature: ModifyDN - Move a Renamed Subtree of Entries to a New Parent
Description: The server accepts modify DN requests to rename subtrees of entries and move them to new parents, and performs the requested rename and move subtree operations.
Specified: IETF RFC 2251 §4.9
Profile: Advanced

Protocol

Feature: BER
Description: The server correctly encodes and decodes protocol elements using ASN.1 BER, subject to the restrictions LDAP places on BER (for example, only the definite form of length encoding is used).
Specified: IETF RFC 2251 §5.1
Profile: Base

Feature: Simple Common Elements
Description: The server correctly encodes, decodes, and processes the simple common elements of LDAPMessage envelope PDUs (message envelope and ID, string types, attribute types, descriptions and values, matching rule identifiers, and result messages).
Specified: IETF RFC 2251 §4, §4.1, §4.1.1, §4.1.1.1, §4.1.2, §4.1.4, §4.1.5, §4.1.5.1, §4.1.6, §4.1.7, §4.1.8, §4.1.9, §5
Profile: Base

Feature: Controls
Description: The server correctly encodes, decodes, and processes the Controls element of LDAPMessage envelope PDUs.
Specified: IETF RFC 2251 §4.1.11
Profile: Standard

Feature: Extended Operations
Description: The server accepts Extended Operation requests and performs any extended operations that it recognizes.
Specified: IETF RFC 2251 §4.12
Profile: Standard

Feature: Unsolicited Notification
Description: The server sends unsolicited notifications to signal extraordinary conditions in the server or in the connection between the client and the server.
Specified: IETF RFC 2251 §4.4
Profile: Standard

Feature: Abandon
Description: The server accepts abandon requests and performs the requested abandon operations.
Specified: IETF RFC 2251 §4.11
Profile: Base

Feature: Referral
Description: The server can return referrals to enable requested operations to be performed by other servers.
Specified: IETF RFC 2251 §4.1.10; IETF RFC 2254 §3, §4, §5; IETF RFC 2255 §3, §4, §6
Profile: Standard

Feature: Continuation References
Description: The server can return continuation references to enable requested operations to be continued by other servers.
Specified: IETF RFC 2251 §4.5.3, §4.5.3.1
Profile: Standard
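The Connection, Authentication and Protocol lists describe the same few messages from different angles: a BindRequest (simple or SASL), the Start TLS ExtendedRequest, and the BindResponse carrying a result code, all encoded in restricted BER inside an LDAPMessage envelope. The Python below is an added example, not code from this document or from any LDAP implementation; it encodes and decodes exactly those messages from the ASN.1 in IETF RFC 2251 §4, assuming the §5.1 restrictions (definite-length encoding only, single-octet tags) and omitting controls. The classifier flags the case the Anonymous Simple Bind row implies: a zero-length password is anonymous whether or not a name was supplied, so an application that equates "bind succeeded" with "user authenticated" must reject empty passwords itself. The sample messages in the usage are constructed.

```python
"""Restricted BER for LDAP v3 bind and Start TLS messages.

Added example; not code from the certification document or from any LDAP implementation.
Assumes the ASN.1 of RFC 2251 section 4 and the section 5.1 restrictions: definite-length
encoding only, single-octet tags, and no controls on the LDAPMessage."""
from __future__ import annotations

TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
APP_BIND_REQUEST = 0x60       # [APPLICATION 0]  BindRequest      (RFC 2251 section 4.2)
APP_BIND_RESPONSE = 0x61      # [APPLICATION 1]  BindResponse     (RFC 2251 section 4.2.3)
APP_EXTENDED_REQUEST = 0x77   # [APPLICATION 23] ExtendedRequest  (RFC 2251 section 4.12)
CTX_SIMPLE = 0x80             # AuthenticationChoice simple [0] OCTET STRING (primitive)
CTX_SASL = 0xA3               # AuthenticationChoice sasl [3] SaslCredentials (constructed)
CTX_REQUEST_NAME = 0x80       # ExtendedRequest requestName [0] LDAPOID
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 2830 section 2.1

def ber_len(n: int) -> bytes:
    """Definite length: one octet below 128, else 0x80|count followed by the length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int, tag: int = TAG_INTEGER) -> bytes:
    """INTEGER or ENUMERATED: two's complement in the minimal number of octets."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }."""
    return tlv(TAG_SEQUENCE, ber_int(message_id) + protocol_op)

def simple_bind_request(message_id: int, name: str, password: bytes) -> bytes:
    """BindRequest { version 3, name LDAPDN, authentication simple [0] password }."""
    op = ber_int(3) + tlv(TAG_OCTET_STRING, name.encode()) + tlv(CTX_SIMPLE, password)
    return ldap_message(message_id, tlv(APP_BIND_REQUEST, op))

def sasl_bind_request(message_id: int, mechanism: str, credentials: bytes | None = None) -> bytes:
    """BindRequest with sasl [3] { mechanism, credentials OPTIONAL }; EXTERNAL sends none."""
    sasl = tlv(TAG_OCTET_STRING, mechanism.encode())
    if credentials is not None:
        sasl += tlv(TAG_OCTET_STRING, credentials)
    op = ber_int(3) + tlv(TAG_OCTET_STRING, b"") + tlv(CTX_SASL, sasl)
    return ldap_message(message_id, tlv(APP_BIND_REQUEST, op))

def start_tls_request(message_id: int) -> bytes:
    """ExtendedRequest { requestName = Start TLS OID }, no requestValue (RFC 2830 section 2.1)."""
    return ldap_message(message_id, tlv(APP_EXTENDED_REQUEST, tlv(CTX_REQUEST_NAME, START_TLS_OID)))

def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode the element at pos into (tag, contents, next position); never reads past buf."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")   # indefinite form is not LDAP
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("element length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg: bytes) -> dict:
    """Parse a BindRequest and report how RFC 2251 section 4.2.2 has the server treat it:
    an empty simple password is anonymous even with a name present ("unauthenticated")."""
    tag, body, end = read_tlv(msg)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != APP_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    if auth_tag == CTX_SIMPLE:
        kind = "simple" if cred else ("anonymous" if not name else "unauthenticated")
    elif auth_tag == CTX_SASL:
        kind = "sasl:" + read_tlv(cred)[1].decode()   # first SaslCredentials element: mechanism
    else:
        raise ValueError(f"unknown AuthenticationChoice tag {auth_tag:#x}")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(version, "big", signed=True),
            "name": name.decode(), "kind": kind}

def bind_result_code(msg: bytes) -> int:
    """resultCode of a BindResponse: 0 success, 14 saslBindInProgress, 49 invalidCredentials."""
    _, body, _ = read_tlv(msg)
    _, _, pos = read_tlv(body)                        # skip messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != APP_BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, _ = read_tlv(op)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big", signed=True)

if __name__ == "__main__":
    for m in (simple_bind_request(1, "", b""), simple_bind_request(2, "cn=alice,o=example", b""),
              simple_bind_request(3, "cn=alice,o=example", b"s3cret"), sasl_bind_request(4, "EXTERNAL")):
        print(m.hex(), classify_bind(m)["kind"])
    print(start_tls_request(5).hex())
```

The anonymous bind encodes to the familiar 14 bytes `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, and the Start TLS request to 31 bytes carrying the OID as an IA5-style octet string; both are useful fixed patterns when reading a capture of an LDAP session. `read_tlv` refuses indefinite lengths and lengths that run past the buffer, which is the check a decoder needs before trusting any length octet that came off the wire.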

Organization

Feature: Data Model
Description: Each entry must have an objectClass attribute. The objectClass attribute specifies the object classes of an entry, which along with the system and user schema determine the permitted attributes of the entry. Values of this attribute may be modified by clients, but the objectClass attribute cannot be removed. Servers may restrict the modifications of this attribute to prevent the basic structural class of the entry from being changed (for example, one cannot change a person into a country). When creating an entry or adding an objectClass value to an entry, all superclasses of the named classes are implicitly added as well if not already present, and the client must supply values for any mandatory attributes of new superclasses.
Specified: IETF RFC 2251 §3.2
Profile: Base

Feature: Definition of Object Classes
Description: The server associates entries with object classes in accordance with the X.500 model.
Specified: IETF RFC 2251 §3.2.1; IETF RFC 2252 §4.4
Profile: Base

Feature: Definition of Attributes
Description: The server's entries have attributes in accordance with the X.500 model. The server supports entries, each of which consists of a set of attributes; an attribute is a type with one or more associated values.
Specified: IETF RFC 2251 §3.2.1, §6.1; IETF RFC 2252 §4.2, §4.3, §4.3.1, §4.3.2
Profile: Base

Feature: Definition of Matching Rules
Description: The server supports matching rules in accordance with the X.500 model.
Specified: IETF RFC 2252 §4.5
Profile: Base

Feature: Object Classes
Description: The server recognizes the following object classes listed in IETF RFC 2252, Section 7 and IETF RFC 2256, Section 7 as values of the objectClass attribute: extensibleObject, subschema, top, alias, country, locality, organization, organizationalUnit, person, organizationalPerson, organizationalRole, groupOfNames, residentialPerson, device, and groupOfUniqueNames.
Specified: Here; IETF RFC 2252 §7, §7.1, §7.2; IETF RFC 2256 §7, §7.1, §7.2, §7.3, §7.4, §7.5, §7.6, §7.7, §7.8, §7.9, §7.10, §7.11, §7.15, §7.18
Profile: Standard

Feature: Attribute Types
Description: The server recognizes the following attribute types listed in IETF RFC 2256, Section 5: objectClass, aliasedObjectName, cn, sn, serialNumber, c, l, st, street, o, ou, title, description, searchGuide, businessCategory, postalAddress, postalCode, postOfficeBox, physicalDeliveryOfficeName, telephoneNumber, telexNumber, teletexTerminalIdentifier, facsimileTelephoneNumber, x121Address, internationaliSDNNumber, registeredAddress, destinationIndicator, preferredDeliveryMethod, supportedApplicationContext, member, owner, roleOccupant, seeAlso, userPassword, name, givenName, initials, generationQualifier, x500UniqueIdentifier, dnQualifier, enhancedSearchGuide, distinguishedName, uniqueMember, and houseIdentifier.
Specified: Here; IETF RFC 2252 §5; IETF RFC 2256 §5, §5.1, §5.2, §5.4, §5.5, §5.6, §5.7, §5.8, §5.9, §5.10, §5.11, §5.12, §5.13, §5.14, §5.15, §5.16, §5.17, §5.18, §5.19, §5.20, §5.21, §5.22, §5.23, §5.24, §5.25, §5.26, §5.27, §5.28, §5.29, §5.31, §5.32, §5.33, §5.34, §5.35, §5.36, §5.42, §5.43, §5.44, §5.45, §5.46, §5.47, §5.48, §5.50, §5.51, §5.52
Profile: Standard

Feature: Operational Attributes
Description: The server implements and maintains the values of operational attributes.
Specified: IETF RFC 2251 §3.2.1; IETF RFC 2252 §5, §5.1, §5.1.1, §5.1.2, §5.1.3, §5.1.4, §5.1.5, §5.1.6, §5.1.7, §5.1.8, §5.1.9, §5.2, §5.2.1, §5.2.2, §5.2.3, §5.2.4, §5.2.5, §5.2.6, §5.3, §5.3.1, §5.4, §5.4.1, §5.4.2, §5.4.3
Profile: Standard

Feature: Syntaxes
Description: The server recognizes the following syntaxes listed in IETF RFC 2252, Section 6 and IETF RFC 2256, Section 6: Attribute Type Description, Bit String, Boolean, Country String, DN, Directory String, DIT Content Rule Description, Facsimile Telephone Number, Fax, Generalized Time, IA5 String, INTEGER, JPEG, Matching Rule Description, Matching Rule Use Description, Name And Optional UID, Name Form Description, Numeric String, Object Class Description, OID, Other Mailbox, Postal Address, Printable String, Telephone Number, UTC Time, LDAP Syntax Description, DIT Structure Rule Description, Delivery Method, Enhanced Guide, Guide, Octet String, Teletex Terminal Identifier, and Telex Number.
Specified: IETF RFC 2252 §6, §6.1, §6.3, §6.4, §6.8, §6.9, §6.10, §6.11, §6.12, §6.13, §6.14, §6.15, §6.16, §6.17, §6.18, §6.19, §6.21, §6.22, §6.23, §6.24, §6.25, §6.26, §6.27, §6.29, §6.30, §6.31, §6.32, §6.33; IETF RFC 2256 §6, §6.1, §6.2, §6.3, §6.4, §6.5, §6.6
Profile: Standard

Feature: Matching Rules (Extensible Match)
Description: The server supports the extensibleMatch search filter and the matching rules defined in IETF RFC 2252, Section 8 and IETF RFC 2256, Section 8.
Specified: IETF RFC 2251 §4.1.8; IETF RFC 2252 §8, §8.2, §8.3, §8.4; IETF RFC 2256 §8, §8.1
Profile: Advanced

Feature: Subschema Entries and Subentries
Description: The server implements subschema entries and subentries.
Specified: IETF RFC 2251 §3.2.2
Profile: Standard
