Network Working Group                                         Y. Yaacovi
Request for Comments: 2589                                     Microsoft
Category: Standards Track                                        M. Wahl
                                            Innosoft International, Inc.
                                                             T. Genovese
                                                               Microsoft
                                                                May 1999
        

Lightweight Directory Access Protocol (v3): Extensions for Dynamic Directory Services


Status of this Memo


This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.


Copyright Notice


Copyright (C) The Internet Society (1999). All Rights Reserved.


1. Abstract

This document defines the requirements for dynamic directory services and specifies the format of request and response extended operations for supporting client-server interoperation in a dynamic directories environment.


The Lightweight Directory Access Protocol (LDAP) [1] supports lightweight access to static directory services, allowing relatively fast search and update access. Static directory services store information about people that persists in its accuracy and value over a long period of time.


Dynamic directory services are different in that they store information that only persists in its accuracy and value when it is being periodically refreshed. This information is stored as dynamic entries in the directory. A typical use will be a client or a person that is either online - in which case it has an entry in the directory, or is offline - in which case its entry disappears from the directory. Though the protocol operations and attributes used by dynamic directory services are similar to the ones used for static directory services, clients that store dynamic information in the directory need to periodically refresh this information, in order to prevent it from disappearing. If dynamic entries are not refreshed within a given timeout, they will be removed from the directory. For example, this will happen if the client that set them goes offline.


A flow control mechanism from the server is also described that allows a server to inform clients how often they should refresh their presence.


2. Requirements

The protocol extensions must allow accessing dynamic information in a directory in a standard LDAP manner, to allow clients to access static and dynamic information in the same way.


By definition, dynamic entries are not persistent and clients may go away gracefully or not. The proposed extensions must offer a way for a server to tell if entries are still valid, and to do this in a way that is scalable. There also must be a mechanism for clients to reestablish their entry with the server.


There must be a way for clients to find out, in a standard LDAP manner, if servers support the dynamic extensions.


Finally, to allow clients to broadly use the dynamic extensions, the extensions need to be registered as standard LDAP extended operations.


3. Description of Approach

The Lightweight Directory Access Protocol (LDAP) [1] permits additional operation requests and responses to be added to the protocol. This proposal takes advantage of these to support directories which contain dynamic information in a manner which is fully integrated with LDAP.


The approach described in this proposal defines dynamic entries in order to allow implementing directories with dynamic information. An implementation of dynamic directories must be able to support dynamic directory entries.


3.1. Dynamic Entries and the dynamicObject object class

A dynamic entry is an object in the directory tree which has a time-to-live associated with it. This time-to-live is set when the entry is created. The time-to-live is automatically decremented, and when it expires the dynamic entry disappears. By invoking the refresh extended operation (defined below) to re-set the time-to-live, a client can cause the entry to remain present a while longer.


A dynamic entry is created by including the objectClass value given in section 5 in the list of attributes when adding an entry. This method is subject to standard access control restrictions.


The extended operation covered here allows a client to refresh a dynamic entry by invoking, at intervals, refresh operations containing that entry's name. Dynamic entries will be treated the same as non-dynamic entries when processing search, compare, add, delete, modify and modifyDN operations. However, if clients stop sending refresh operations for an entry, then the server will automatically and without notification remove that entry from the directory. This removal will be treated the same as if the entry had been deleted by an LDAP protocol operation.


There is no way to change a static entry into a dynamic one and vice-versa. If the client is using Modify with an objectClass of dynamicObject on a static entry, the server must return a service error either "objectClassModsProhibited" (if the server does not allow objectClass modifications at all) or "objectClassViolation" (if the server does allow objectClass modifications in general).


A dynamic entry may be removed by the client using the delete operation. This operation will be subject to access control restrictions.


A non-dynamic entry cannot be added subordinate to a dynamic entry: the server must return an appropriate update or service error if this is attempted.


Support for dynamic attributes of an otherwise static object is outside the scope of this document.


3.2 Dynamic meetings (conferences)

The way dynamicObject is defined, it has a time-to-live associated with it, and that's about it. Though the most common dynamic object is a person object, there is no specific type associated with the dynamicObject as defined here. By the use of the dynamic object's attributes, one can make this object represent practically anything.


Specifically, meetings (conferences) can be represented by dynamic objects. While full-featured meeting support requires special semantics and handling by the server (and is not in the scope of this document), the extensions described here provide basic meetings support. A meeting object can be refreshed by the meeting participants, and when it is not, the meeting entry disappears. The one meeting type that is naturally supported by the dynamic extensions is the creator-owned meeting.


3.2.1 Creator-owned meetings

Creator-owned meetings are created by a client that sets the time-to-live attribute for the entry, and it is this client's responsibility to refresh the meeting entry, so that it will not disappear. Others might join the meeting, by modifying the appropriate attribute, but they are not allowed to refresh the entry. When the client that created the entry goes away, it can delete the meeting entry, or it might disappear when its time-to-live expires. This is consistent with the common model for dynamicObject as described above.


4. Protocol Additions
4.1 Refresh Request

Refresh is a protocol operation sent by a client to tell the server that the client is still alive and the dynamic directory entry is still accurate and valuable. The client sends a Refresh request periodically based on the value of the client refresh period (CRP). The server can request that the client change this value. As long as the server receives a Refresh request within the timeout period, the directory entry is guaranteed to persist on the server. Client implementers should be aware that since the intervening network between the client and server is unreliable, a Refresh request packet may be delayed or lost while in transit. If this occurs, the entry may disappear, and the client will need to detect this and re-add the entry.


A client may request this operation by transmitting an LDAP PDU containing an ExtendedRequest. An LDAP ExtendedRequest is defined as follows:


         ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
                 requestName             [0] LDAPOID,
                 requestValue            [1] OCTET STRING OPTIONAL }
        

The requestName field must be set to the string "1.3.6.1.4.1.1466.101.119.1".


The requestValue field will contain as a value the DER-encoding of the following ASN.1 data type:


        SEQUENCE {
                entryName  [0] LDAPDN,
                requestTtl [1] INTEGER
        }
        

The entryName field is the UTF-8 string representation of the name of the dynamic entry [3]. This entry must already exist.


The requestTtl is a time in seconds (between 1 and 31557600) that the client requests that the entry exists in the directory before being automatically removed. Servers are not required to accept this value and might return a different TTL value to the client. Clients must be able to use this server-dictated value as their CRP.


4.2 Refresh Response

If a server implements this extension, then when the request is made it will return an LDAP PDU containing an ExtendedResponse. An LDAP ExtendedResponse is defined as follows:


       ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
               COMPONENTS OF LDAPResult,
               responseName     [10] LDAPOID OPTIONAL,
               response         [11] OCTET STRING OPTIONAL }
        

The responseName field contains the same string as that present in the request.


The response field will contain as a value the DER-encoding of the following ASN.1 data type:


        SEQUENCE {
                responseTtl [1] INTEGER
        }
        

The responseTtl field is the time in seconds which the server chooses to have as the time-to-live field for that entry. It must not be any smaller than that which the client requested, and it may be larger. However, to allow servers to maintain a relatively accurate directory, and to prevent clients from abusing the dynamic extensions, servers are permitted to shorten a client-requested time-to-live value, down to a minimum of 86400 seconds (one day).


If the operation was successful, the errorCode field in the standardResponse part of an ExtendedResponse will be set to success.


In case of an error, the responseTtl field will have the value 0, and the errorCode field will contain an appropriate value, as follows: If the entry named by entryName could not be located, the errorCode field will contain "noSuchObject". If the entry is not dynamic, the errorCode field will contain "objectClassViolation". If the requester does not have permission to refresh the entry, the errorCode field will contain "insufficientAccessRights". If the requestTtl field is too large, the errorCode field will contain "sizeLimitExceeded".


If a server does not implement this extension, it will return an LDAP PDU containing an ExtendedResponse, which contains only the standardResponse element (the responseName and response elements will be absent). The LDAPResult element will indicate the protocolError result code.


This request is permitted to be invoked when LDAP is carried by a connectionless transport.


When using a connection-oriented transport, there is no requirement that this operation be on the same particular connection as any other. A client may open multiple connections, or close and then reopen a connection.
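
The requestValue and response values defined in sections 4.1 and 4.2, encoded and decoded in Python as an added example (not code from the RFC). It assumes the context-specific tags [0] and [1] are IMPLICIT, as in the LDAPv3 ASN.1 module, so entryName carries tag 0x80 and the TTL integers tag 0x81; the decoders reject truncated input and trailing bytes, which is the check a server parsing a requestValue from an unauthenticated client needs.

```python
"""DER encoding and decoding of the RFC 2589 Refresh extended operation values.

Added example, not code from the RFC. Assumes the context-specific tags
[0] and [1] are IMPLICIT (as in the LDAPv3 ASN.1 module), so entryName is
tagged 0x80 and the TTL integers 0x81.
"""

REFRESH_OID = "1.3.6.1.4.1.1466.101.119.1"   # requestName / responseName (section 4.1)
MAX_REQUEST_TTL = 31557600                     # upper bound of requestTtl (section 4.1)
TAG_SEQUENCE, TAG_ENTRY_NAME, TAG_TTL = 0x30, 0x80, 0x81


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value):
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    if value < 0:
        raise ValueError("TTL values are never negative")
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def _read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; returns (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated TLV content")
    return tag, content, pos + length


def _read_sequence(data):
    """Unwrap the outer SEQUENCE and reject trailing bytes."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    return seq


def _expect(buf, pos, wanted):
    tag, content, pos = _read_tlv(buf, pos)
    if tag != wanted:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (wanted, tag))
    return content, pos


def encode_refresh_request(entry_name, request_ttl):
    """requestValue: SEQUENCE { entryName [0] LDAPDN, requestTtl [1] INTEGER }."""
    if not 1 <= request_ttl <= MAX_REQUEST_TTL:
        raise ValueError("requestTtl must be between 1 and %d" % MAX_REQUEST_TTL)
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_ENTRY_NAME, entry_name.encode("utf-8"))
                + _tlv(TAG_TTL, _der_integer(request_ttl)))


def decode_refresh_request(data):
    """Server side: returns (entry_name, request_ttl); raises ValueError if malformed."""
    seq = _read_sequence(data)
    dn, pos = _expect(seq, 0, TAG_ENTRY_NAME)
    ttl, pos = _expect(seq, pos, TAG_TTL)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return dn.decode("utf-8"), int.from_bytes(ttl, "big", signed=True)


def encode_refresh_response(response_ttl):
    """response: SEQUENCE { responseTtl [1] INTEGER }; 0 accompanies an error (section 4.2)."""
    return _tlv(TAG_SEQUENCE, _tlv(TAG_TTL, _der_integer(response_ttl)))


def decode_refresh_response(data):
    """Client side: returns responseTtl, the CRP the server dictates."""
    seq = _read_sequence(data)
    ttl, pos = _expect(seq, 0, TAG_TTL)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return int.from_bytes(ttl, "big", signed=True)
```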


4.3 X.500/DAP Modify(97)

X.500/DAP servers can map the Refresh request and response operations into the X.500/DAP Modify(97) operation.


5. Schema Additions

All dynamic entries must have the dynamicObject value in their objectClass attribute. This object class is defined as follows (using the ObjectClassDescription notation of [2]):


        ( 1.3.6.1.4.1.1466.101.119.2 NAME 'dynamicObject'
          DESC 'This class, if present in an entry, indicates that this
          entry has a limited lifetime and may disappear automatically
          when its time-to-live has reached 0. There are no mandatory
          attributes of this class, however if the client has not
          supplied a value for the entryTtl attribute, the server will
          provide one.'
          SUP top AUXILIARY )


Furthermore, the dynamic entry must have the following operational attribute. It is described using the AttributeTypeDescription notation of [2]:


        ( 1.3.6.1.4.1.1466.101.119.3 NAME 'entryTtl'
          DESC 'This operational attribute is maintained by the server and
          appears to be present in every dynamic entry. The attribute is
          not present when the entry does not contain the dynamicObject
          object class. The value of this attribute is the time in seconds
          that the entry will continue to exist before disappearing from
          the directory. In the absence of intervening refresh operations,
          the values returned by reading the attribute in two successive
          searches are guaranteed to be nonincreasing. The smallest
          permissible value is 0, indicating that the entry may disappear
          without warning. The attribute is marked NO-USER-MODIFICATION
          since it may only be changed using the refresh operation.'
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
          SINGLE-VALUE
          NO-USER-MODIFICATION
          USAGE dSAOperation )


To allow servers to support dynamic entries in only a part of the DIT, the following operational attribute is defined. It is described using the AttributeTypeDescription notation of [2]:


        ( 1.3.6.1.4.1.1466.101.119.4 NAME 'dynamicSubtrees'
          DESC 'This operational attribute is maintained by the server and
          is present in the Root DSE, if the server supports the dynamic
          extensions described in this memo. The attribute contains a list
          of all the subtrees in this directory for which the server
          supports the dynamic extensions.'
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
          NO-USER-MODIFICATION
          USAGE dSAOperation )


6. Client and Server Requirements
6.1 Client Requirements

Clients can find out if a server supports the dynamic extensions by checking the supportedExtension field in the root DSE, to see if the OBJECT IDENTIFIER described in section 4 is present. Since servers may select to support the dynamic extensions in only some of the subtrees of the DIT, clients must check the dynamicSubtrees operational attribute in the root DSE to find out if the dynamic extensions are supported on a specific subtree.


Once a dynamic entry has been created, clients are responsible for invoking the refresh extended operation, in order to keep that entry present in the directory.


Clients must not expect that a dynamic entry will be present in the DIT after it has timed out; however, they must not require that the server remove the entry immediately (some servers may only process timed-out entries at intervals). If the client wishes to ensure the entry does not exist, it should issue a RemoveRequest for that entry.


Initially, a client needs to know how often it should send refresh requests to the server. This value is defined as the CRP (Client Refresh Period) and is set by the server based on the entryTtl.


Since the LDAP AddRequest operation is left unchanged and is not modified in this proposal to return this value, a client must issue a Refresh extended operation immediately after an Add that created a dynamic entry. The Refresh Response will return the CRP (in responseTtl) to the client.


Clients must not issue the refresh request for dynamic entries which they have not created. If an anonymous client attempts to do so, a server is permitted to return insufficientAccessRights (50) in the RefreshResponse, forcing the client to bind first. Please note that servers which allow anonymous clients to create and refresh dynamic entries will not be able to enforce the above.


Clients should always be ready to handle the case in which their entry timed out. In such a case, the Refresh operation will fail with an error code such as noSuchObject, and the client is expected to re-create its entry.


Clients should be prepared to experience refresh operations failing with protocolError, even though the add and any previous refresh requests succeeded. This might happen if a proxy between the client and the server goes down, and another proxy is used which does not support the Refresh extended operation.


6.2 Server Requirements

Servers are responsible for removing dynamic entries when they time out. Servers are not required to do this immediately.


Servers must enforce the structural rules listed in section 3 above.


Servers must ensure that the operational attribute described in section 5 is present in dynamic entries.


Servers may permit anonymous users to refresh entries. However, to eliminate the possibility of a malicious use of the Refresh operation, servers may require the refreshing client to bind first. A server implementation can achieve this by presenting ACLs on the entryTtl attribute, and returning insufficientAccessRights (50) in the RefreshResponse, if the client is not allowed to refresh the entry. Doing this, though, might have performance implications on the server and might impact the server's scalability.


Servers may require that a client which attempts to create a dynamic entry have a remove permission for that entry.


Servers which implement the dynamic extensions must have the OBJECT IDENTIFIER, described above in section 4 for the request and response, present as a value of the supportedExtension field in the root DSE. They must also include the AttributeTypeDescription and ObjectClassDescription from section 5 as values of the attributeTypes and objectClasses attributes of their subschema subentries.


Servers can limit the support of the dynamic extensions to only some of the subtrees in the DIT. Servers indicate for which subtrees they support the extensions, by specifying the OIDs for the supported subtrees in the dynamicSubtrees attribute described in section 5. If a server supports the dynamic extensions for all naming contexts it holds, the dynamicSubtrees attribute may be absent.


7. Implementation issues
7.1 Storage of dynamic information

Dynamic information is expected to change very often. In addition, Refresh requests are expected to arrive at the server very often. Disk-based databases that static directory services often use are likely inappropriate for storing dynamic information. We recommend that server implementations store dynamic entries in memory sufficient to avoid paging. This is not a requirement.


We expect LDAP servers to be able to store static and dynamic entries. If an LDAP server does not support dynamic entries, it should respond with an error code such as objectClassViolation.


7.2 Client refresh behavior

In some cases, the client might not get a Refresh response. This may happen as a result of a server crash after receiving the Refresh request, the TCP/IP socket timing out in the connection case, or the UDP packet getting lost in the connection-less case.


It is recommended that in such a case, the client will retry the Refresh operation immediately, and if this Refresh request does not get a response as well, it will resort to its original Refresh cycle, i.e. send a Refresh request at its Client Refresh Period (CRP).


7.3 Configuration of refresh times

We recommend that servers provide administrators with the ability to configure the default client refresh period (CRP), as well as minimum and maximum CRP values. This, together with allowing administrators to request that the server not change the CRP dynamically, will allow administrators to set CRP values which enforce low refresh traffic or, at the other extreme, a highly up-to-date directory.
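
The client behaviour of sections 6.1 and 7.2 (refresh right after Add to learn the CRP, retry once on a lost response, re-create the entry on noSuchObject) and the administrator-configured CRP range of section 7.3, simulated in Python as an added example (not code from the RFC). DynamicServer, DynamicClient, the fake clock and the owner-only refresh rule are assumptions of this example; the server clamps the requested TTL to its configured range and reaps expired entries lazily, which section 6.2 permits.

```python
"""Simulated RFC 2589 client refresh cycle against a server CRP policy.

Added example, not code from the RFC. Assumptions: the server keeps dynamic
entries in memory and reaps expired ones whenever it is accessed, clamps
requested TTLs to an administrator-configured [min_crp, max_crp] range, and
only lets the entry's creator refresh it. Time is a fake clock so the
expiry and lost-response paths can be exercised deterministically.
"""
from dataclasses import dataclass, field

# LDAP result codes named in section 4.2 (numeric values from RFC 2251)
SUCCESS, SIZE_LIMIT_EXCEEDED, NO_SUCH_OBJECT = 0, 4, 32
INSUFFICIENT_ACCESS_RIGHTS, OBJECT_CLASS_VIOLATION = 50, 65
MAX_REQUEST_TTL = 31557600


@dataclass
class DynamicServer:
    default_crp: int = 600
    min_crp: int = 60
    max_crp: int = 86400
    now: int = 0                                   # fake clock, seconds
    entries: dict = field(default_factory=dict)    # dn -> [owner, is_dynamic, expires_at]
    drop_next_response: bool = False               # test hook: lose one response in transit

    def _reap(self):
        """Remove timed-out dynamic entries; static entries never expire."""
        self.entries = {dn: e for dn, e in self.entries.items()
                        if not e[1] or e[2] > self.now}

    def add(self, dn, owner, dynamic=True):
        """Add returns no TTL: a new dynamic entry starts with the default CRP."""
        self._reap()
        self.entries[dn] = [owner, dynamic, self.now + self.default_crp]

    def entry_ttl(self, dn):
        """The entryTtl operational attribute, or None once the entry is gone."""
        self._reap()
        return self.entries[dn][2] - self.now if dn in self.entries else None

    def refresh(self, dn, requester, request_ttl):
        """Returns (resultCode, responseTtl), or None when the response is lost."""
        self._reap()
        if request_ttl > MAX_REQUEST_TTL:
            return SIZE_LIMIT_EXCEEDED, 0
        if dn not in self.entries:
            return NO_SUCH_OBJECT, 0
        owner, dynamic, _ = self.entries[dn]
        if not dynamic:
            return OBJECT_CLASS_VIOLATION, 0
        if requester != owner:
            return INSUFFICIENT_ACCESS_RIGHTS, 0
        ttl = max(self.min_crp, min(self.max_crp, request_ttl))  # section 7.3 policy
        self.entries[dn][2] = self.now + ttl
        if self.drop_next_response:   # entry was refreshed, but the client never hears so
            self.drop_next_response = False
            return None
        return SUCCESS, ttl


@dataclass
class DynamicClient:
    server: DynamicServer
    dn: str
    identity: str
    requested_ttl: int = 3600
    crp: int = 0          # Client Refresh Period, dictated by responseTtl
    readds: int = 0       # how often the entry had to be re-created

    def start(self):
        """Section 6.1: Add, then refresh immediately to learn the CRP."""
        self.server.add(self.dn, self.identity)
        return self.refresh_cycle()

    def refresh_cycle(self):
        """One CRP tick. Returns the result code the client acted upon."""
        resp = self.server.refresh(self.dn, self.identity, self.requested_ttl)
        if resp is None:
            # Section 7.2: retry once immediately, then fall back to the CRP schedule.
            resp = self.server.refresh(self.dn, self.identity, self.requested_ttl)
            if resp is None:
                return None
        code, ttl = resp
        if code == SUCCESS:
            self.crp = ttl
        elif code == NO_SUCH_OBJECT:
            # Section 6.1: the entry timed out; re-create it and learn the CRP again.
            self.readds += 1
            return self.start()
        return code
```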


8. Replication

Replication is only partially addressed in this memo. There is a separate effort in progress at the IETF on replication of static and dynamic directories.


It is allowed to replicate a dynamic entry or a static entry with dynamic attributes. Since the entryTtl is expressed as a relative time (how many seconds until the entry will expire), replicating it means that the replicated entry will be "off" by the replication time.


9. Localization

There are no localization issues for this extended operation.


10. Security Considerations

Standard LDAP security rules and support apply for the extensions described in this document, and there are no special security issues for these extensions. Please note, though, that servers may permit anonymous clients to refresh entries which they did not create. Servers are also permitted to control a refresh access to an entry by requiring clients to bind before issuing a RefreshRequest. This will have implications on the server performance and scalability.


Also, care should be taken in making use of information obtained from directory servers that has been supplied by a client, as it may now be out of date. In many networks, for example, IP addresses are automatically assigned when a host connects to the network, and may be reassigned if that host later disconnects. An IP address obtained from the directory may no longer be assigned to the host that placed the address in the directory. This issue is not specific to LDAP or dynamic directories.


11. Acknowledgments

Design ideas included in this document are based on those discussed in ASID and other IETF Working Groups.


12. Authors' Addresses

   Yoram Yaacovi
   Microsoft
   One Microsoft Way
   Redmond, WA 98052
   USA


   Phone:  +1 206-936-9629
   EMail:  yoramy@microsoft.com
        

   Mark Wahl
   Innosoft International, Inc.
   8911 Capital of Texas Hwy #4140
   Austin, TX 78759
   USA


   Email: M.Wahl@innosoft.com
        

   Tony Genovese
   Microsoft
   One Microsoft Way
   Redmond, WA 98052
   USA


   Phone:  +1 206-703-0852
   EMail:  tonyg@microsoft.com
        
13. Bibliography

[1] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (Version 3)", RFC 2251, December 1997.


[2] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.


[3] Wahl, M. and S. Kille, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC 2253, December 1997.


14. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.


This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.


The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.


This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Acknowledgement


Funding for the RFC Editor function is currently provided by the Internet Society.
