-- ASN module extracted from ITU-T X.511 (10/2019)
DirectoryAbstractService {joint-iso-itu-t ds(5) module(1) directoryAbstractService(2) 9}
DEFINITIONS ::=
BEGIN
-- EXPORTS All
/*
The types and values defined in this module are exported for use in the other ASN.1
modules contained within these Directory Specifications, and for the use of other
applications which will use them to access Directory services. Other applications may
use them for their own purposes, but this will not constrain extensions and
modifications needed to maintain or improve the Directory service.
*/
IMPORTS
-- from Rec. ITU-T X.501 | ISO/IEC 9594-2
id-at
FROM UsefulDefinitions
{joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 9} WITH SUCCESSORS
Attribute{}, ATTRIBUTE, AttributeType, AttributeTypeAndValue, AttributeTypeAssertion,
AttributeValue, AttributeValueAssertion, CONTEXT, ContextAssertion,
DistinguishedName, MATCHING-RULE, Name, OBJECT-CLASS,
RelativeDistinguishedName, SupportedAttributes, SupportedContexts
FROM InformationFramework
{joint-iso-itu-t ds(5) module(1) informationFramework(1) 9} WITH SUCCESSORS
RelaxationPolicy
FROM ServiceAdministration
{joint-iso-itu-t ds(5) module(1) serviceAdministration(33) 9} WITH SUCCESSORS
OPTIONALLY-PROTECTED{}, OPTIONALLY-PROTECTED-SEQ{}
FROM EnhancedSecurity
{joint-iso-itu-t ds(5) modules(1) enhancedSecurity(28) 9} WITH SUCCESSORS
-- from Rec. ITU-T X.518 | ISO/IEC 9594-4
AccessPoint, ContinuationReference, Exclusions, OperationProgress, ReferenceType
FROM DistributedOperations
{joint-iso-itu-t ds(5) module(1) distributedOperations(3) 9} WITH SUCCESSORS
-- from Rec. ITU-T X.519 | ISO/IEC 9594-5
Code, ERROR, id-errcode-abandoned, id-errcode-abandonFailed,
id-errcode-attributeError, id-errcode-nameError, id-errcode-referral,
id-errcode-securityError, id-errcode-serviceError, id-errcode-updateError,
id-opcode-abandon, id-opcode-addEntry, id-opcode-administerPassword,
id-opcode-compare, id-opcode-changePassword, id-opcode-ldapTransport,
id-opcode-linkedLDAP, id-opcode-list, id-opcode-modifyDN,
id-opcode-modifyEntry, id-opcode-read, id-opcode-removeEntry,
id-opcode-search, InvokeId, OPERATION
FROM CommonProtocolSpecification
{joint-iso-itu-t ds(5) module(1) commonProtocolSpecification(35) 9} WITH SUCCESSORS
-- from Rec. ITU-T X.520 | ISO/IEC 9594-6
DirectoryString{}, UnboundedDirectoryString
FROM SelectedAttributeTypes
{joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 9} WITH SUCCESSORS
-- from Rec. ITU-T X.509 | ISO/IEC 9594-8
AlgorithmIdentifier{}, CertificationPath, ENCRYPTED{}, HASH{}, SIGNED{},
SupportedAlgorithms
FROM AuthenticationFramework
{joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 9} WITH SUCCESSORS
UserPwd
FROM PasswordPolicy
{joint-iso-itu-t ds(5) module(1) passwordPolicy(39) 9} WITH SUCCESSORS
AttributeCertificationPath
FROM AttributeCertificateDefinitions
{joint-iso-itu-t ds(5) module(1) attributeCertificateDefinitions(32) 9}
WITH SUCCESSORS
-- from Rec. ITU-T X.525 | ISO/IEC 9594-9
AgreementID
FROM DirectoryShadowAbstractService
{joint-iso-itu-t ds(5) module(1) directoryShadowAbstractService(15) 9}
WITH SUCCESSORS
-- from IETF RFC 2025
SPKM-ERROR, SPKM-REP-TI, SPKM-REQ
FROM SpkmGssTokens {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) spkm(1) spkmGssTokens(10)}
-- from IETF RFC 4511
LDAPMessage
FROM Lightweight-Directory-Access-Protocol-V3
{iso(1) identified-organization(3) dod(6) internet(1) directory(1) ldap(18)} ;
-- Common data types
CommonArguments ::= SET {
serviceControls [30] ServiceControls DEFAULT {},
securityParameters [29] SecurityParameters OPTIONAL,
requestor [28] DistinguishedName OPTIONAL,
operationProgress [27] OperationProgress
DEFAULT {nameResolutionPhase notStarted},
aliasedRDNs [26] INTEGER OPTIONAL,
criticalExtensions [25] BIT STRING OPTIONAL,
referenceType [24] ReferenceType OPTIONAL,
entryOnly [23] BOOLEAN DEFAULT TRUE,
exclusions [22] Exclusions OPTIONAL,
nameResolveOnMaster [21] BOOLEAN DEFAULT FALSE,
operationContexts [20] ContextSelection OPTIONAL,
familyGrouping [19] FamilyGrouping DEFAULT entryOnly,
... }
CommonArgumentsSeq ::= SEQUENCE {
serviceControls [30] ServiceControls DEFAULT {},
securityParameters [29] SecurityParameters OPTIONAL,
requestor [28] DistinguishedName OPTIONAL,
operationProgress [27] OperationProgress
DEFAULT {nameResolutionPhase notStarted},
aliasedRDNs [26] INTEGER OPTIONAL,
criticalExtensions [25] BIT STRING OPTIONAL,
referenceType [24] ReferenceType OPTIONAL,
entryOnly [23] BOOLEAN DEFAULT TRUE,
exclusions [22] Exclusions OPTIONAL,
nameResolveOnMaster [21] BOOLEAN DEFAULT FALSE,
operationContexts [20] ContextSelection OPTIONAL,
familyGrouping [19] FamilyGrouping DEFAULT entryOnly,
... }
FamilyGrouping ::= ENUMERATED {
entryOnly (1),
compoundEntry (2),
strands (3),
multiStrand (4),
... }
CommonResults ::= SET {
securityParameters [30] SecurityParameters OPTIONAL,
performer [29] DistinguishedName OPTIONAL,
aliasDereferenced [28] BOOLEAN DEFAULT FALSE,
notification [27] SEQUENCE SIZE (1..MAX) OF Attribute
{{SupportedAttributes}} OPTIONAL,
... }
CommonResultsSeq ::= SEQUENCE {
securityParameters [30] SecurityParameters OPTIONAL,
performer [29] DistinguishedName OPTIONAL,
aliasDereferenced [28] BOOLEAN DEFAULT FALSE,
notification [27] SEQUENCE SIZE (1..MAX) OF Attribute
{{SupportedAttributes}} OPTIONAL,
... }
ServiceControls ::= SET {
options [0] ServiceControlOptions DEFAULT {},
priority [1] INTEGER {low(0), medium(1), high(2)} DEFAULT medium,
timeLimit [2] INTEGER OPTIONAL,
sizeLimit [3] INTEGER OPTIONAL,
scopeOfReferral [4] INTEGER {dmd(0), country(1)} OPTIONAL,
attributeSizeLimit [5] INTEGER OPTIONAL,
manageDSAITPlaneRef [6] SEQUENCE {
dsaName Name,
agreementID AgreementID,
...} OPTIONAL,
serviceType [7] OBJECT IDENTIFIER OPTIONAL,
userClass [8] INTEGER OPTIONAL,
... }
ServiceControlOptions ::= BIT STRING {
preferChaining (0),
chainingProhibited (1),
localScope (2),
dontUseCopy (3),
dontDereferenceAliases (4),
subentries (5),
copyShallDo (6),
partialNameResolution (7),
manageDSAIT (8),
noSubtypeMatch (9),
noSubtypeSelection (10),
countFamily (11),
dontSelectFriends (12),
dontMatchFriends (13),
allowWriteableCopy (14)}
EntryInformationSelection ::= SET {
attributes CHOICE {
allUserAttributes [0] NULL,
select [1] SET OF AttributeType
-- empty set implies no attributes are requested -- } DEFAULT allUserAttributes:NULL,
infoTypes [2] INTEGER {
attributeTypesOnly (0),
attributeTypesAndValues (1)} DEFAULT attributeTypesAndValues,
extraAttributes CHOICE {
allOperationalAttributes [3] NULL,
select [4] SET SIZE (1..MAX) OF AttributeType } OPTIONAL,
contextSelection ContextSelection OPTIONAL,
returnContexts BOOLEAN DEFAULT FALSE,
familyReturn FamilyReturn DEFAULT
{memberSelect contributingEntriesOnly} }
ContextSelection ::= CHOICE {
allContexts NULL,
selectedContexts SET SIZE (1..MAX) OF TypeAndContextAssertion,
... }
TypeAndContextAssertion ::= SEQUENCE {
type AttributeType,
contextAssertions CHOICE {
preference SEQUENCE OF ContextAssertion,
all SET OF ContextAssertion,
...},
... }
FamilyReturn ::= SEQUENCE {
memberSelect ENUMERATED {
contributingEntriesOnly (1),
participatingEntriesOnly (2),
compoundEntry (3),
...},
familySelect SEQUENCE SIZE (1..MAX) OF OBJECT-CLASS.&id OPTIONAL,
... }
EntryInformation ::= SEQUENCE {
name Name,
fromEntry BOOLEAN DEFAULT TRUE,
information SET SIZE (1..MAX) OF CHOICE {
attributeType AttributeType,
attribute Attribute{{SupportedAttributes}},
...} OPTIONAL,
incompleteEntry [3] BOOLEAN DEFAULT FALSE,
partialName [4] BOOLEAN DEFAULT FALSE,
derivedEntry [5] BOOLEAN DEFAULT FALSE,
... }
family-information ATTRIBUTE ::= {
WITH SYNTAX FamilyEntries
USAGE directoryOperation
ID id-at-family-information }
FamilyEntries ::= SEQUENCE {
family-class OBJECT-CLASS.&id, -- structural object class value
familyEntries SEQUENCE OF FamilyEntry,
... }
FamilyEntry ::= SEQUENCE {
rdn RelativeDistinguishedName,
information SEQUENCE OF CHOICE {
attributeType AttributeType,
attribute Attribute{{SupportedAttributes}},
...},
family-info SEQUENCE SIZE (1..MAX) OF FamilyEntries OPTIONAL,
... }
Filter ::= CHOICE {
item [0] FilterItem,
and [1] SET OF Filter,
or [2] SET OF Filter,
not [3] Filter,
... }
FilterItem ::= CHOICE {
equality [0] AttributeValueAssertion,
substrings [1] SEQUENCE {
type ATTRIBUTE.&id({SupportedAttributes}),
strings SEQUENCE OF CHOICE {
initial [0] ATTRIBUTE.&Type
({SupportedAttributes}{@substrings.type}),
any [1] ATTRIBUTE.&Type
({SupportedAttributes}{@substrings.type}),
final [2] ATTRIBUTE.&Type
({SupportedAttributes}{@substrings.type}),
control Attribute{{SupportedAttributes}},
-- Used to specify interpretation of following items
... },
... },
greaterOrEqual [2] AttributeValueAssertion,
lessOrEqual [3] AttributeValueAssertion,
present [4] AttributeType,
approximateMatch [5] AttributeValueAssertion,
extensibleMatch [6] MatchingRuleAssertion,
contextPresent [7] AttributeTypeAssertion,
... }
MatchingRuleAssertion ::= SEQUENCE {
matchingRule [1] SET SIZE (1..MAX) OF MATCHING-RULE.&id,
type [2] AttributeType OPTIONAL,
matchValue [3] MATCHING-RULE.&AssertionType (CONSTRAINED BY {
-- matchValue shall be a value of type specified by the &AssertionType field of
-- one of the MATCHING-RULE information objects identified by matchingRule -- }),
dnAttributes [4] BOOLEAN DEFAULT FALSE,
... }
PagedResultsRequest ::= CHOICE {
newRequest SEQUENCE {
pageSize INTEGER,
sortKeys SEQUENCE SIZE (1..MAX) OF SortKey OPTIONAL,
reverse [1] BOOLEAN DEFAULT FALSE,
unmerged [2] BOOLEAN DEFAULT FALSE,
pageNumber [3] INTEGER OPTIONAL,
...},
queryReference OCTET STRING,
abandonQuery [0] OCTET STRING,
... }
SortKey ::= SEQUENCE {
type AttributeType,
orderingRule MATCHING-RULE.&id OPTIONAL,
... }
SecurityParameters ::= SET {
certification-path [0] CertificationPath OPTIONAL,
name [1] DistinguishedName OPTIONAL,
time [2] Time OPTIONAL,
random [3] BIT STRING OPTIONAL,
target [4] ProtectionRequest OPTIONAL,
-- [5] Not to be used
operationCode [6] Code OPTIONAL,
-- [7] Not to be used
errorProtection [8] ErrorProtectionRequest OPTIONAL,
errorCode [9] Code OPTIONAL,
... }
ProtectionRequest ::= INTEGER {none(0), signed(1)}
Time ::= CHOICE {
utcTime UTCTime,
generalizedTime GeneralizedTime,
... }
ErrorProtectionRequest ::= INTEGER {none(0), signed(1)}
-- Bind and unbind operations
directoryBind OPERATION ::= {
ARGUMENT DirectoryBindArgument
RESULT DirectoryBindResult
ERRORS {directoryBindError} }
DirectoryBindArgument ::= SET {
credentials [0] Credentials OPTIONAL,
versions [1] Versions DEFAULT {v1},
... }
Credentials ::= CHOICE {
simple [0] SimpleCredentials,
strong [1] StrongCredentials,
externalProcedure [2] EXTERNAL,
spkm [3] SpkmCredentials,
sasl [4] SaslCredentials,
... }
SimpleCredentials ::= SEQUENCE {
name [0] DistinguishedName,
validity [1] SET {
time1 [0] CHOICE {
utc UTCTime,
gt GeneralizedTime} OPTIONAL,
time2 [1] CHOICE {
utc UTCTime,
gt GeneralizedTime} OPTIONAL,
random1 [2] BIT STRING OPTIONAL,
random2 [3] BIT STRING OPTIONAL} OPTIONAL,
password [2] CHOICE {
unprotected OCTET STRING,
protected HASH{OCTET STRING},
...,
userPwd [0] UserPwd } OPTIONAL }
StrongCredentials ::= SET {
certification-path [0] CertificationPath OPTIONAL,
bind-token [1] Token,
name [2] DistinguishedName OPTIONAL,
attributeCertificationPath [3] AttributeCertificationPath OPTIONAL,
... }
SpkmCredentials ::= CHOICE {
req [0] SPKM-REQ,
rep [1] SPKM-REP-TI,
... }
SaslCredentials ::= SEQUENCE {
mechanism [0] DirectoryString{ub-saslMechanism},
credentials [1] OCTET STRING OPTIONAL,
saslAbort [2] BOOLEAN DEFAULT FALSE,
... }
ub-saslMechanism INTEGER ::= 20 -- According to RFC 2222
Token ::= SIGNED{TokenContent}
TokenContent ::= SEQUENCE {
algorithm [0] AlgorithmIdentifier{{SupportedAlgorithms}},
name [1] DistinguishedName,
time [2] Time,
random [3] BIT STRING,
response [4] BIT STRING OPTIONAL,
... }
Versions ::= BIT STRING {v1(0), v2(1)}
DirectoryBindResult ::= SET {
credentials [0] Credentials OPTIONAL,
versions [1] Versions DEFAULT {v1},
...,
pwdResponseValue [2] PwdResponseValue OPTIONAL }
PwdResponseValue ::= SEQUENCE {
warning CHOICE {
timeLeft [0] INTEGER (0..MAX),
graceRemaining [1] INTEGER (0..MAX),
... } OPTIONAL,
error ENUMERATED {
passwordExpired (0),
changeAfterReset (1),
... } OPTIONAL}
directoryBindError ERROR ::= {
PARAMETER OPTIONALLY-PROTECTED {SET {
versions [0] Versions DEFAULT {v1},
error CHOICE {
serviceError [1] ServiceProblem,
securityError [2] SecurityProblem,
...},
securityParameters [30] SecurityParameters OPTIONAL }}}
BindKeyInfo ::= ENCRYPTED{BIT STRING}
-- Operations, arguments, and results
read OPERATION ::= {
ARGUMENT ReadArgument
RESULT ReadResult
ERRORS {attributeError |
nameError |
serviceError |
referral |
abandoned |
securityError}
CODE id-opcode-read }
ReadArgument ::= OPTIONALLY-PROTECTED { ReadArgumentData }
ReadArgumentData ::= SET {
object [0] Name,
selection [1] EntryInformationSelection DEFAULT {},
modifyRightsRequest [2] BOOLEAN DEFAULT FALSE,
...,
...,
COMPONENTS OF CommonArguments }
ReadResult ::= OPTIONALLY-PROTECTED { ReadResultData }
ReadResultData ::= SET {
entry [0] EntryInformation,
modifyRights [1] ModifyRights OPTIONAL,
...,
...,
COMPONENTS OF CommonResults }
ModifyRights ::= SET OF SEQUENCE {
item CHOICE {
entry [0] NULL,
attribute [1] AttributeType,
value [2] AttributeValueAssertion,
...},
permission [3] BIT STRING {
add (0),
remove (1),
rename (2),
move (3)},
... }
compare OPERATION ::= {
ARGUMENT CompareArgument
RESULT CompareResult
ERRORS {attributeError |
nameError |
serviceError |
referral |
abandoned |
securityError}
CODE id-opcode-compare }
CompareArgument ::= OPTIONALLY-PROTECTED { CompareArgumentData }
CompareArgumentData ::= SET {
object [0] Name,
purported [1] AttributeValueAssertion,
...,
...,
COMPONENTS OF CommonArguments }
CompareResult ::= OPTIONALLY-PROTECTED { CompareResultData }
CompareResultData ::= SET {
name Name OPTIONAL,
matched [0] BOOLEAN,
fromEntry [1] BOOLEAN DEFAULT TRUE,
matchedSubtype [2] AttributeType OPTIONAL,
...,
...,
COMPONENTS OF CommonResults }
abandon OPERATION ::= {
ARGUMENT AbandonArgument
RESULT AbandonResult
ERRORS {abandonFailed}
CODE id-opcode-abandon }
AbandonArgument ::=
OPTIONALLY-PROTECTED-SEQ { AbandonArgumentData }
AbandonArgumentData ::= SEQUENCE {
invokeID [0] InvokeId,
... }
AbandonResult ::= CHOICE {
null NULL,
information OPTIONALLY-PROTECTED-SEQ { AbandonResultData },
... }
AbandonResultData ::= SEQUENCE {
invokeID InvokeId,
...,
...,
COMPONENTS OF CommonResultsSeq }
list OPERATION ::= {
ARGUMENT ListArgument
RESULT ListResult
ERRORS {nameError |
serviceError |
referral |
abandoned |
securityError}
CODE id-opcode-list }
ListArgument ::= OPTIONALLY-PROTECTED { ListArgumentData }
ListArgumentData ::= SET {
object [0] Name,
pagedResults [1] PagedResultsRequest OPTIONAL,
listFamily [2] BOOLEAN DEFAULT FALSE,
...,
...,
COMPONENTS OF CommonArguments
}
ListResult ::= OPTIONALLY-PROTECTED { ListResultData }
ListResultData ::= CHOICE {
listInfo SET {
name Name OPTIONAL,
subordinates [1] SET OF SEQUENCE {
rdn RelativeDistinguishedName,
aliasEntry [0] BOOLEAN DEFAULT FALSE,
fromEntry [1] BOOLEAN DEFAULT TRUE,
... },
partialOutcomeQualifier [2] PartialOutcomeQualifier OPTIONAL,
...,
...,
COMPONENTS OF CommonResults
},
uncorrelatedListInfo [0] SET OF ListResult,
... }
PartialOutcomeQualifier ::= SET {
limitProblem [0] LimitProblem OPTIONAL,
unexplored [1] SET SIZE (1..MAX) OF ContinuationReference OPTIONAL,
unavailableCriticalExtensions [2] BOOLEAN DEFAULT FALSE,
unknownErrors [3] SET SIZE (1..MAX) OF ABSTRACT-SYNTAX.&Type OPTIONAL,
queryReference [4] OCTET STRING OPTIONAL,
overspecFilter [5] Filter OPTIONAL,
notification [6] SEQUENCE SIZE (1..MAX) OF
Attribute{{SupportedAttributes}} OPTIONAL,
entryCount CHOICE {
bestEstimate [7] INTEGER,
lowEstimate [8] INTEGER,
exact [9] INTEGER,
...} OPTIONAL
-- [10] Not to be used -- }
LimitProblem ::= INTEGER {
timeLimitExceeded (0),
sizeLimitExceeded (1),
administrativeLimitExceeded (2) }
search OPERATION ::= {
ARGUMENT SearchArgument
RESULT SearchResult
ERRORS {attributeError |
nameError |
serviceError |
referral |
abandoned |
securityError}
CODE id-opcode-search }
SearchArgument ::= OPTIONALLY-PROTECTED { SearchArgumentData }
SearchArgumentData ::= SET {
baseObject [0] Name,
subset [1] INTEGER {
baseObject (0),
oneLevel (1),
wholeSubtree (2)} DEFAULT baseObject,
filter [2] Filter DEFAULT and:{},
searchAliases [3] BOOLEAN DEFAULT TRUE,
selection [4] EntryInformationSelection DEFAULT {},
pagedResults [5] PagedResultsRequest OPTIONAL,
matchedValuesOnly [6] BOOLEAN DEFAULT FALSE,
extendedFilter [7] Filter OPTIONAL,
checkOverspecified [8] BOOLEAN DEFAULT FALSE,
relaxation [9] RelaxationPolicy OPTIONAL,
extendedArea [10] INTEGER OPTIONAL,
hierarchySelections [11] HierarchySelections DEFAULT {self},
searchControlOptions [12] SearchControlOptions DEFAULT {searchAliases},
joinArguments [13] SEQUENCE SIZE (1..MAX) OF JoinArgument OPTIONAL,
joinType [14] ENUMERATED {
innerJoin (0),
leftOuterJoin (1),
fullOuterJoin (2)} DEFAULT leftOuterJoin,
...,
...,
COMPONENTS OF CommonArguments }
HierarchySelections ::= BIT STRING {
self (0),
children (1),
parent (2),
hierarchy (3),
top (4),
subtree (5),
siblings (6),
siblingChildren (7),
siblingSubtree (8),
all (9) }
SearchControlOptions ::= BIT STRING {
searchAliases (0),
matchedValuesOnly (1),
checkOverspecified (2),
performExactly (3),
includeAllAreas (4),
noSystemRelaxation (5),
dnAttribute (6),
matchOnResidualName (7),
entryCount (8),
useSubset (9),
separateFamilyMembers (10),
searchFamily (11) }
JoinArgument ::= SEQUENCE {
joinBaseObject [0] Name,
domainLocalID [1] DomainLocalID OPTIONAL,
joinSubset [2] ENUMERATED {
baseObject (0),
oneLevel (1),
wholeSubtree (2),
... } DEFAULT baseObject,
joinFilter [3] Filter OPTIONAL,
joinAttributes [4] SEQUENCE SIZE (1..MAX) OF JoinAttPair OPTIONAL,
joinSelection [5] EntryInformationSelection,
... }
DomainLocalID ::= UnboundedDirectoryString
JoinAttPair ::= SEQUENCE {
baseAtt AttributeType,
joinAtt AttributeType,
joinContext SEQUENCE SIZE (1..MAX) OF JoinContextType OPTIONAL,
... }
JoinContextType ::= CONTEXT.&id({SupportedContexts})
SearchResult ::= OPTIONALLY-PROTECTED { SearchResultData }
SearchResultData ::= CHOICE {
searchInfo SET {
name Name OPTIONAL,
entries [0] SET OF EntryInformation,
partialOutcomeQualifier [2] PartialOutcomeQualifier OPTIONAL,
altMatching [3] BOOLEAN DEFAULT FALSE,
...,
...,
COMPONENTS OF CommonResults
},
uncorrelatedSearchInfo [0] SET OF SearchResult,
... }
addEntry OPERATION ::= {
ARGUMENT AddEntryArgument
RESULT AddEntryResult
ERRORS {attributeError |
nameError |
serviceError |
referral |
securityError |
updateError}
CODE id-opcode-addEntry }
AddEntryArgument ::= OPTIONALLY-PROTECTED { AddEntryArgumentData }
AddEntryArgumentData ::= SET {
object [0] Name,
entry [1] SET OF Attribute{{SupportedAttributes}},
targetSystem [2] AccessPoint OPTIONAL,
...,
...,
COMPONENTS OF CommonArguments }
AddEntryResult ::= CHOICE {
null NULL,
information OPTIONALLY-PROTECTED-SEQ { AddEntryResultData },
... }
AddEntryResultData ::= SEQUENCE {
...,
...,
COMPONENTS OF CommonResultsSeq }
removeEntry OPERATION ::= {
ARGUMENT RemoveEntryArgument
RESULT RemoveEntryResult
ERRORS {nameError |
serviceError |
referral |
securityError |
updateError}
CODE id-opcode-removeEntry }
RemoveEntryArgument ::= OPTIONALLY-PROTECTED { RemoveEntryArgumentData }
RemoveEntryArgumentData ::= SET {
object [0] Name,
...,
...,
COMPONENTS OF CommonArguments
}
RemoveEntryResult ::= CHOICE {
null NULL,
information OPTIONALLY-PROTECTED-SEQ { RemoveEntryResultData },
... }
RemoveEntryResultData ::= SEQUENCE {
...,
...,
COMPONENTS OF CommonResultsSeq }
modifyEntry OPERATION ::= {
ARGUMENT ModifyEntryArgument
RESULT ModifyEntryResult
ERRORS {attributeError |
nameError |
serviceError |
referral |
securityError |
updateError}
CODE id-opcode-modifyEntry }
ModifyEntryArgument ::= OPTIONALLY-PROTECTED { ModifyEntryArgumentData }
ModifyEntryArgumentData ::= SET {
object [0] Name,
changes [1] SEQUENCE OF EntryModification,
selection [2] EntryInformationSelection OPTIONAL,
...,
...,
COMPONENTS OF CommonArguments }
ModifyEntryResult ::= CHOICE {
null NULL,
information OPTIONALLY-PROTECTED-SEQ { ModifyEntryResultData },
... }
ModifyEntryResultData ::= SEQUENCE {
entry [0] EntryInformation OPTIONAL,
...,
...,
COMPONENTS OF CommonResultsSeq }
EntryModification ::= CHOICE {
addAttribute [0] Attribute{{SupportedAttributes}},
removeAttribute [1] AttributeType,
addValues [2] Attribute{{SupportedAttributes}},
removeValues [3] Attribute{{SupportedAttributes}},
alterValues [4] AttributeTypeAndValue,
resetValue [5] AttributeType,
replaceValues [6] Attribute{{SupportedAttributes}},
... }
modifyDN OPERATION ::= {
ARGUMENT ModifyDNArgument
RESULT ModifyDNResult
ERRORS {nameError |
serviceError |
referral |
securityError |
updateError}
CODE id-opcode-modifyDN }
ModifyDNArgument ::= OPTIONALLY-PROTECTED { ModifyDNArgumentData }
ModifyDNArgumentData ::= SET {
object [0] DistinguishedName,
newRDN [1] RelativeDistinguishedName,
deleteOldRDN [2] BOOLEAN DEFAULT FALSE,
newSuperior [3] DistinguishedName OPTIONAL,
...,
...,
COMPONENTS OF CommonArguments }
ModifyDNResult ::= CHOICE {
null NULL,
information OPTIONALLY-PROTECTED-SEQ { ModifyDNResultData },
... }
ModifyDNResultData ::= SEQUENCE {
newRDN RelativeDistinguishedName,
...,
...,
COMPONENTS OF CommonResultsSeq }
changePassword OPERATION ::= {
ARGUMENT ChangePasswordArgument
RESULT ChangePasswordResult
ERRORS {securityError |
updateError }
CODE id-opcode-changePassword }
ChangePasswordArgument ::= OPTIONALLY-PROTECTED-SEQ { ChangePasswordArgumentData }
ChangePasswordArgumentData ::= SEQUENCE {
object [0] DistinguishedName,
oldPwd [1] UserPwd,
newPwd [2] UserPwd,
... }
ChangePasswordResult ::= CHOICE {
null NULL,
information OPTIONALLY-PROTECTED-SEQ { ChangePasswordResultData },
...}
ChangePasswordResultData ::= SEQUENCE {
...,
...,
COMPONENTS OF CommonResultsSeq }
administerPassword OPERATION ::= {
ARGUMENT AdministerPasswordArgument
RESULT AdministerPasswordResult
ERRORS {securityError |
updateError}
CODE id-opcode-administerPassword }
AdministerPasswordArgument ::=
OPTIONALLY-PROTECTED-SEQ { AdministerPasswordArgumentData }
AdministerPasswordArgumentData ::= SEQUENCE {
object [0] DistinguishedName,
newPwd [1] UserPwd,
... }
AdministerPasswordResult ::= CHOICE {
null NULL,
information OPTIONALLY-PROTECTED-SEQ { AdministerPasswordResultData },
...}
AdministerPasswordResultData ::= SEQUENCE {
...,
...,
COMPONENTS OF CommonResultsSeq }
ldapTransport OPERATION ::= {
ARGUMENT LdapArgument
RESULT SEQUENCE OF LDAPMessage
ERRORS { abandonFailed | abandoned }
CODE id-opcode-ldapTransport }
LdapArgument ::= OPTIONALLY-PROTECTED-SEQ { LdapArgumentData }
LdapArgumentData ::= SEQUENCE {
object DistinguishedName,
ldapMessage LDAPMessage,
linkId LinkId OPTIONAL,
...,
...,
COMPONENTS OF CommonArgumentsSeq }
LinkId ::= INTEGER
LdapResult ::= OPTIONALLY-PROTECTED-SEQ { LdapResultData }
LdapResultData ::= SEQUENCE {
ldapMessages SEQUENCE SIZE (1..MAX) OF LDAPMessage OPTIONAL,
returnToClient BOOLEAN DEFAULT FALSE,
...,
...,
COMPONENTS OF CommonResultsSeq }
linkedLDAP OPERATION ::= {
ARGUMENT LinkedArgument
RESULT LinkedResult
CODE id-opcode-linkedLDAP }
LinkedArgument ::= OPTIONALLY-PROTECTED-SEQ { LinkedArgumentData }
LinkedArgumentData ::= SEQUENCE {
object DistinguishedName,
ldapMessage LDAPMessage,
linkId LinkId,
returnToClient BOOLEAN DEFAULT FALSE,
...,
...,
COMPONENTS OF CommonArgumentsSeq }
LinkedResult ::= NULL
-- Errors and parameters
abandoned ERROR ::= {-- not literally an "error"
PARAMETER OPTIONALLY-PROTECTED { AbandonedData }
CODE id-errcode-abandoned }
AbandonedData ::= SET {
problem AbandonedProblem OPTIONAL,
...,
...,
COMPONENTS OF CommonResults }
AbandonedProblem ::= ENUMERATED {
pagingAbandoned (0) }
abandonFailed ERROR ::= {
PARAMETER OPTIONALLY-PROTECTED { AbandonFailedData }
CODE id-errcode-abandonFailed }
AbandonFailedData ::= SET {
problem [0] AbandonProblem,
operation [1] InvokeId,
...,
...,
COMPONENTS OF CommonResults }
AbandonProblem ::= INTEGER {
noSuchOperation (1),
tooLate (2),
cannotAbandon (3) }
attributeError ERROR ::= {
PARAMETER OPTIONALLY-PROTECTED { AttributeErrorData }
CODE id-errcode-attributeError }
AttributeErrorData ::= SET {
object [0] Name,
problems [1] SET OF SEQUENCE {
problem [0] AttributeProblem,
type [1] AttributeType,
value [2] AttributeValue OPTIONAL,
...},
...,
...,
COMPONENTS OF CommonResults }
AttributeProblem ::= INTEGER {
noSuchAttributeOrValue (1),
invalidAttributeSyntax (2),
undefinedAttributeType (3),
inappropriateMatching (4),
constraintViolation (5),
attributeOrValueAlreadyExists (6),
contextViolation (7) }
nameError ERROR ::= {
PARAMETER OPTIONALLY-PROTECTED { NameErrorData }
CODE id-errcode-nameError }
NameErrorData ::= SET {
problem [0] NameProblem,
matched [1] Name,
...,
...,
COMPONENTS OF CommonResults }
NameProblem ::= INTEGER {
noSuchObject (1),
aliasProblem (2),
invalidAttributeSyntax (3),
aliasDereferencingProblem (4)
-- not to be used (5)-- }
referral ERROR ::= { -- not literally an "error"
PARAMETER OPTIONALLY-PROTECTED { ReferralData }
CODE id-errcode-referral }
ReferralData ::= SET {
candidate [0] ContinuationReference,
...,
...,
COMPONENTS OF CommonResults }
securityError ERROR ::= {
PARAMETER OPTIONALLY-PROTECTED { SecurityErrorData }
CODE id-errcode-securityError }
SecurityErrorData ::= SET {
problem [0] SecurityProblem,
spkmInfo [1] SPKM-ERROR OPTIONAL,
encPwdInfo [2] EncPwdInfo OPTIONAL,
...,
...,
COMPONENTS OF CommonResults }
SecurityProblem ::= INTEGER {
inappropriateAuthentication (1),
invalidCredentials (2),
insufficientAccessRights (3),
invalidSignature (4),
protectionRequired (5),
noInformation (6),
blockedCredentials (7),
-- invalidQOPMatch (8), obsolete
spkmError (9),
unsupportedAuthenticationMethod (10),
passwordExpired (11),
inappropriateAlgorithms (12) }
EncPwdInfo ::= SEQUENCE {
algorithms [0] SEQUENCE OF AlgorithmIdentifier
{{SupportedAlgorithms}} OPTIONAL,
pwdQualityRule [1] SEQUENCE OF AttributeTypeAndValue OPTIONAL,
... }
serviceError ERROR ::= {
PARAMETER OPTIONALLY-PROTECTED { ServiceErrorData }
CODE id-errcode-serviceError }
ServiceErrorData ::= SET {
problem [0] ServiceProblem,
...,
...,
COMPONENTS OF CommonResults }
ServiceProblem ::= INTEGER {
busy (1),
unavailable (2),
unwillingToPerform (3),
chainingRequired (4),
unableToProceed (5),
invalidReference (6),
timeLimitExceeded (7),
administrativeLimitExceeded (8),
loopDetected (9),
unavailableCriticalExtension (10),
outOfScope (11),
ditError (12),
invalidQueryReference (13),
requestedServiceNotAvailable (14),
unsupportedMatchingUse (15),
ambiguousKeyAttributes (16),
saslBindInProgress (17),
notSupportedByLDAP (18) }
updateError ERROR ::= {
PARAMETER OPTIONALLY-PROTECTED { UpdateErrorData }
CODE id-errcode-updateError }
UpdateErrorData ::= SET {
problem [0] UpdateProblem,
attributeInfo [1] SET SIZE (1..MAX) OF CHOICE {
attributeType AttributeType,
attribute Attribute{{SupportedAttributes}},
... } OPTIONAL,
...,
...,
COMPONENTS OF CommonResults }
UpdateProblem ::= INTEGER {
namingViolation (1),
objectClassViolation (2),
notAllowedOnNonLeaf (3),
notAllowedOnRDN (4),
entryAlreadyExists (5),
affectsMultipleDSAs (6),
objectClassModificationProhibited (7),
noSuchSuperior (8),
notAncestor (9),
parentNotAncestor (10),
hierarchyRuleViolation (11),
familyRuleViolation (12),
insufficientPasswordQuality (13),
passwordInHistory (14),
noPasswordSlot (15) }
-- attribute types
id-at-family-information OBJECT IDENTIFIER ::= {id-at 64}
END -- DirectoryAbstractService
Annex B
Operational semantics for Basic Access Control
(This annex does not form an integral part of this Recommendation | International Standard.)
This annex contains a number of charts that describe the semantics associated with Basic Access Control as it applies to the processing of a Directory operation (see Figures B.1 to B.16).
Figure B.1 – Alias dereferencing in Name Resolution
Figure B.2 – Return of Name Error
Figure B.3 – Non-disclosure of the existence of an Entry
Figure B.4 – Return of Distinguished Name
Figure B.5 – Read operation
Figure B.6 – NoSuchAttributeOrValue for Read
Figure B.7 – Compare operation
Figure B.8 – List operation
Figure B.9 – Search operation
Figure B.10 – Alias dereference in Search
Figure B.11 – Entry selection in Search
Figure B.12 – Add Entry operation
Figure B.13 – Remove Entry operation
Figure B.14 – Modify Entry operation
Figure B.15 – ModifyDN operation
Figure B.16 – Modify Add Attribute or Values
Annex C
Examples of searching families of entries
(This annex does not form an integral part of this Recommendation | International Standard.)
C.1 Single family example
Suppose Charles Smith has multiple modes of communication: A landline telephone, a fax, a mobile phone and e-mail, and each mode has its own associated parameters. Suppose further that Charles Smith has two e-mail accounts, one at his place of work and one at home, and that both offer POP3 mailboxes and SMTP servers. All this information can be held in a compound entry, with Charles Smith''s member being the ancestor, with each mode of communication being a child member, and with each e-mail service being a child of the e-mail mode of communication. This is shown in Figure C.1 below. As all the members immediately subordinate to the ancestor has the same structural object class (comAddr), the compound entry consists of a single family.
Figure C.1 – Charles Smith''s family of entries
Suppose a search request is generated with a base object of {...o=Andersen Express}, a filter of {telNo=1234 & tariff=normal}, and a subset of wholeSubtree or oneLevel. With the familyGrouping parameter set to:
a) entryOnly: No members of the family would match the filter.
b) strands or multiStrand: No strand or multi-strand in the family would match the filter.
c) compoundEntry: Member 2 and member 3 would together match the filter and would be marked as contributing members. All the members are marked as participating members.
Nothing from this compound entry would be returned for cases a) and b) above.
For case c) above, the returned information would be dependent on the family return specification (e.g., given by familyReturn in EntryInformationSelection):
i) contributingEntriesOnly: The members marked as contributing members, i.e., members 2 and 3 would be returned.
ii) participatingEntriesOnly and compoundEntry: All the members in the compound entry would be returned.
C.2 Multiple families example
Suppose Charles Smith only has a landline telephone and e-mail, but also has two postal addresses with associated parameters. All this information can be held in a compound entry, with Charles Smith''s member being the ancestor and with each mode of communication or postal address being a child member. This is shown in Figure C.2 below. As the members immediately subordinate to the ancestor are of two different structural object classes (comAddr and postAddr), the compound entry consists of two families, where members 1, 2 and 3 constitute one family, and members 1, 4, 5, 6, 7, 8 and 9 constitute another family.
Figure C.2 – Charles Smith''s families of entries
C.2.1 Filter example 1
Now suppose a Search request is generated with a base object of {...o=Andersen Express}, a filter of {telNo=1234 & service=e-mail & streetAddr=Main & postalCode=3740 }, and a subset of wholeSubtree or oneLevel. With the familyGrouping parameter set to:
a) entryOnly: No single member of the compound entry would match the filter.
b) strands: No single strand in any of the families would match the filter.
c) multiStrand: No combination of strands, one strand from each family, would match the filter.
d) compoundEntry: Members 2, 3, 4 and 5 would together match the filter and would be marked as contributing members. All the members are marked as participating members.
Nothing from this compound entry would be returned for cases a), b) and c) above.
For case d) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly: The members marked as contributing members, i.e., members 2, 3, 4 and 5 would be returned.
ii) participatingEntriesOnly and compoundEntry: All the members within the compound entry would be returned.
C.2.2 Filter example 2
If we change the filter to {rfc822=cs@cs.dk & service=e-mail & streetAddr=Main & postalCode=1815}. With the familyGrouping parameter set to:
a) entryOnly: No single member of the compound entry would match the filter.
b) strands: No single strand in any of the families would match the filter.
c) multiStrand: The strand ending in member 2 together with any strand going through member 5 would match the filter. Members 2 and 5 have contributed to the matching and would be marked as contributing members. Members 1, 2, 5, 6, 7, 8 and 9 are marked as participating members.
d) compoundEntry: Members 2 and 5 would together match the filter and would be marked as contributing members. All the members are marked as participating members.
Nothing from this compound entry would be returned for cases a) and b) above.
For case c) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly: The members marked as contributing members, i.e., members 2 and 5, would be returned.
ii) participatingEntriesOnly: The members marked as participating members are returned, i.e., the members 1, 2, 5, 6, 7, 8 and 9.
iii) compoundEntry: All the members of the compound entry would be returned.
For case d) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly: The members marked as contributing members, i.e., members 2 and 5, would be returned.
ii) participatingEntriesOnly and compoundEntry: All the members of the compound entry would be returned.
C.2.3 Filter example 3
If we now change the filter to {rfc822=cs@cs.dk & service=e-mail}. With the familyGrouping parameter set to:
a) entryOnly: Member 5 alone would match the filter and this member would be marked as a contributing member and as a participating member.
b) strands: Any strand going through member 5 would match the filter. Member 5 would be marked as a contributing member. Members 1, 5, 6, 7, 8 and 9 would be marked as participating members.
c) multiStrand: Any strand going through member 5 together with any strand of the postal address family would match the filter. Entries 5 would be marked as a contributing member. Members 1, 2, 3, 5, 6, 7, 8 and 9 would be marked as participating members.
d) compoundEntry: Member 5 would match the filter and would be marked as a contributing member. All the members are marked as participating members.
For case a) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly and participatingEntriesOnly: Member 5 would be returned.
ii) compoundEntry: All the members of the compound entry would be returned.
For case b) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly: Member 5 would be returned.
ii) participatingEntriesOnly: All the members marked as participating members are returned, i.e., the members 1, 5, 6, 7, 8 and 9.
iii) compoundEntry: All the members of the compound entry would be returned.
For case c) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly: Member 5 would be returned.
ii) participatingEntriesOnly: All the members marked as participating members are returned, i.e., the member 1, 2, 3, 5, 6, 7, 8 and 9.
iii) compoundEntry: All the members of the compound entry would be returned.
For case d) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly: Member 5 would be returned.
ii) participatingEntriesOnly and compoundEntry: All the members of the compound entry would be returned.
C.2.4 Filter example 4
If we finally change the filter to {cn=Smith & givenName=Charles}. The ancestor alone would match the filter.
a) entryOnly: Only the ancestor (member 1) would be marked as a contributing member and as a participating member.
b) strands, multiStrand and compoundEntry: The ancestor would be marked as a contributing member and all members would be marked as participating members.
For case a) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly and participatingEntriesOnly: Member 1 would be returned.
ii) compoundEntry: All the members of the compound entry would be returned.
For case b) above, the returned information would be dependent on the family return specification:
i) contributingEntriesOnly: Member 1 would be returned.
ii) participatingEntriesOnly and compoundEntry: All the members of the compound entry would be returned.
Annex D
External ASN.1 module
(This annex does not form an integral part of this Recommendation | International Standard.)
This annex provides an external ASN.1 module referenced by this Directory Specification. This module is provided for easy compilation of the ASN.1 modules defined by these Directory Specifications.
The following module is an abstract of the module specified by IETF RFC 2025. This module imports data types from of Rec. ITU-T X.501 (1993) | ISO/IEC 9594-2:1995 and Rec. ITU-T X.509 (1993) | ISO/IEC 9594-8:1995. The import statements have been changed to allow import from the latest edition of those two Directory Specifications by adding the WITH SUCCESSORS instruction.
SpkmGssTokens {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) spkm(1) spkmGssTokens(10)} DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL
IMPORTS
Name
FROM InformationFramework {joint-iso-itu-t(2) ds(5) module(1)
informationFramework(1) 9} WITH SUCCESSORS
Certificate, CertificateList, CertificatePair, AlgorithmIdentifier{},
SupportedAlgorithms, Validity
FROM AuthenticationFramework {joint-iso-itu-t(2) ds(5) module(1)
authenticationFramework(7) 9} WITH SUCCESSORS ;
-- types
SPKM-REQ ::= SEQUENCE {
requestToken REQ-TOKEN,
certif-data [0] CertificationData OPTIONAL,
auth-data [1] AuthorizationData OPTIONAL
}
CertificationData ::= SEQUENCE {
certificationPath [0] CertificationPath OPTIONAL,
certificateRevocationList [1] CertificateList OPTIONAL
} -- at least one of the above shall be present
CertificationPath ::= SEQUENCE {
userKeyId [0] OCTET STRING OPTIONAL,
userCertif [1] Certificate OPTIONAL,
verifKeyId [2] OCTET STRING OPTIONAL,
userVerifCertif [3] Certificate OPTIONAL,
theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL
} -- Presence of [2] or [3] implies that [0] or [1] must also be
-- present. Presence of [4] implies that at least one of [0], [1],
-- [2], and [3] must also be present.
REQ-TOKEN ::= SEQUENCE {
req-contents Req-contents,
algId AlgorithmIdentifier{{SupportedAlgorithms}},
req-integrity Integrity -- "token" is Req-contents
}
Integrity ::= BIT STRING
-- If corresponding algId specifies a signing algorithm,
-- "Integrity" holds the result of applying the signing procedure
-- specified in algId to the BER-encoded octet string which results
-- from applying the hashing procedure (also specified in algId) to
-- the DER-encoded octets of "token".
-- Alternatively, if corresponding algId specifies a MACing
-- algorithm, "Integrity" holds the result of applying the MACing
-- procedure specified in algId to the DER-encoded octets of
-- "token"
Req-contents ::= SEQUENCE {
tok-id INTEGER(256), -- shall contain 0100 (hex)
context-id Random-Integer,
pvno BIT STRING,
timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
randSrc Random-Integer,
targ-name Name,
src-name [0] Name OPTIONAL,
req-data Context-Data,
validity [1] Validity OPTIONAL,
key-estb-set Key-Estb-Algs,
key-estb-req BIT STRING OPTIONAL,
key-src-bind OCTET STRING OPTIONAL
-- This field must be present for the case of SPKM-2
-- unilateral authen. if the K-ALG in use does not provide
-- such a binding (but is optional for all other cases).
-- The octet string holds the result of applying the
-- mandatory hashing procedure (in MANDATORY I-ALG;
-- see Section 2.1) as follows: MD5(src || context_key),
-- where "src" is the DER-encoded octets of src-name,
-- "context-key" is the symmetric key (i.e., the
-- unprotected version of what is transmitted in
-- key-estb-req), and "||" is the concatenation operation.
}
Random-Integer ::= BIT STRING
Context-Data ::= SEQUENCE {
channelId ChannelId OPTIONAL,
seq-number INTEGER OPTIONAL,
options Options,
conf-alg Conf-Algs,
intg-alg Intg-Algs,
owf-alg OWF-Algs
}
ChannelId ::= OCTET STRING
Options ::= BIT STRING {
delegation-state(0), mutual-state(1), replay-det-state(2), sequence-state(3),
conf-avail(4), integ-avail(5), target-certif-data-required(6)}
Conf-Algs ::= CHOICE {
algs [0] SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}},
null [1] NULL
}
Intg-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}}
OWF-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}}
Key-Estb-Algs ::= SEQUENCE OF AlgorithmIdentifier{{SupportedAlgorithms}}
SPKM-REP-TI ::= SEQUENCE {
responseToken REP-TI-TOKEN,
certif-data CertificationData OPTIONAL
-- present if target-certif-data-required option was
} -- set to TRUE in SPKM-REQ
REP-TI-TOKEN ::= SEQUENCE {
rep-ti-contents Rep-ti-contents,
algId AlgorithmIdentifier{{SupportedAlgorithms}},
rep-ti-integ Integrity -- "token" is Rep-ti-contents
}
Rep-ti-contents ::= SEQUENCE {
tok-id INTEGER(512), -- shall contain 0200 (hex)
context-id Random-Integer,
pvno [0] BIT STRING OPTIONAL,
timestamp UTCTime OPTIONAL, -- mandatory for SPKM-2
randTarg Random-Integer,
src-name [1] Name OPTIONAL,
targ-name Name,
randSrc Random-Integer,
rep-data Context-Data,
validity [2] Validity OPTIONAL,
key-estb-id AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL,
key-estb-str BIT STRING OPTIONAL
}
SPKM-REP-IT ::= SEQUENCE {
responseToken REP-IT-TOKEN,
algId AlgorithmIdentifier{{SupportedAlgorithms}},
rep-it-integ Integrity -- "token" is REP-IT-TOKEN
}
REP-IT-TOKEN ::= SEQUENCE {
tok-id INTEGER(768), -- shall contain 0300 (hex)
context-id Random-Integer,
randSrc Random-Integer,
randTarg Random-Integer,
targ-name Name,
src-name Name OPTIONAL,
key-estb-rep BIT STRING OPTIONAL
}
SPKM-ERROR ::= SEQUENCE {
errorToken ERROR-TOKEN,
algId AlgorithmIdentifier{{SupportedAlgorithms}},
integrity Integrity -- "token" is ERROR-TOKEN
}
ERROR-TOKEN ::= SEQUENCE {
tok-id INTEGER(1024), -- shall contain 0400 (hex)
context-id Random-Integer
}
SPKM-MIC ::= SEQUENCE {mic-header Mic-Header,
int-cksum BIT STRING
}
Mic-Header ::= SEQUENCE {
tok-id INTEGER(257), -- shall contain 0101 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL,
snd-seq [1] SeqNum OPTIONAL
}
SeqNum ::= SEQUENCE {num INTEGER,
dir-ind BOOLEAN
}
SPKM-WRAP ::= SEQUENCE {wrap-header Wrap-Header,
wrap-body Wrap-Body
}
Wrap-Header ::= SEQUENCE {
tok-id INTEGER(513), -- shall contain 0201 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL,
conf-alg [1] Conf-Alg OPTIONAL,
snd-seq [2] SeqNum OPTIONAL
}
Wrap-Body ::= SEQUENCE {int-cksum BIT STRING,
data BIT STRING
}
Conf-Alg ::= CHOICE {
algId [0] AlgorithmIdentifier{{SupportedAlgorithms}},
null [1] NULL
}
SPKM-DEL ::= SEQUENCE {del-header Del-Header,
int-cksum BIT STRING
}
Del-Header ::= SEQUENCE {
tok-id INTEGER(769), -- shall contain 0301 (hex)
context-id Random-Integer,
int-alg [0] AlgorithmIdentifier{{SupportedAlgorithms}} OPTIONAL,
snd-seq [1] SeqNum OPTIONAL
}
-- other types
-- from [RFC-1508]
MechType ::= OBJECT IDENTIFIER
InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
thisMech MechType,
innerContextToken SPKMInnerContextToken
} -- when thisMech is SPKM-1 or SPKM-2
SPKMInnerContextToken ::= CHOICE {
req [0] SPKM-REQ,
rep-ti [1] SPKM-REP-TI,
rep-it [2] SPKM-REP-IT,
error [3] SPKM-ERROR,
mic [4] SPKM-MIC,
wrap [5] SPKM-WRAP,
del [6] SPKM-DEL
}
-- from [RFC-1510]
AuthorizationData ::=
SEQUENCE OF SEQUENCE {ad-type INTEGER,
ad-data OCTET STRING}
-- object identifier assignments
md5-DES-CBC OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
integrity(3) md5-DES-CBC(1)}
sum64-DES-CBC OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
integrity(3) sum64-DES-CBC(2)}
spkm-1 OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) spkm(1) spkm-1(1)}
spkm-2 OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) spkm(1) spkm-2(2)}
END -- SpkmGssTokens
Annex E
Use of protected passwords for Bind operations
(This annex does not form an integral part of this Recommendation | International Standard.)
The protected component of SimpleCredentials specifies an OCTET STRING to be hashed. This annex provides information about how this octet string may be constructed. It also proposes some suggested associated procedures.
In its simple form, the octet string is constructed as the DER encoding of the following:
SEQUENCE {
name DistinguishedName,
time1 GeneralizedTime,
random1 BIT STRING,
password OCTET STRING }
The name component is the distinguished name of the sender and the password component is the password of the sender.
The sender generates the two other values as follows:
a) The time1 value should specify the time after which the authentication should fail. This time should be "closely" after the current time.
b) The random1 value is a new random number generated for each authentication attempt. The value should be sufficiently large to prevent the same number to be generated frequently.
The same pair of time1 and random1 should never be used more than once.
The same value of name, time1 and random1 shall be supplied in the SimpleCredentials data type of the Bind.
NOTE 1 – The hashing algorithm is also transferred.
The receiver of a Bind request/result will perform the authentication as follows:
a) If the value in time1, as supplied in the SimpleCredentials, is less than the current time seen by the recipient, the authentication already fails here. Also, the time value should be different from recently received time values.
b) If the value in the random1, as supplied in the SimpleCredentials, is equal to a value received in a recent Bind request/response, the authentication also fails.
c) If time1 and random1 appear to be valid, the name, time1 and random1 included in the Bind request/result, together with the local copy of the password, are used to generate a copy of the message digest using the algorithm indicated.
d) If the generated message digest is equal to the message digest received in the Bind request/result, the authentication is positive, otherwise it fails.
The above procedure allows the password to be protected during transfer and it prevents a replay of the transmission sequence. If the attempted reply is done early, the random number will cause the authentication to fail. If the reply is attempted sometime later, the random number may be accepted, but the authentication will fail due to the time value.
The scheme above may be extended by using the following sequence.
SEQUENCE {
f1 OCTET STRING, -- hashed octet string from above
time2 GeneralizedTime,
random2 BIT STRING }
The DER encoding of this data type is then used as the octet string in the SimpleCredentials.
In this case, the time2 and random2 also have to be included in SimpleCredentials.
The hashing algorithm used for producing the f1 component shall be the same as that used for the hashing, as indicated within the HASH data type within SimpleCredentials.
NOTE 2 – This Directory Specification does not give any recommendation as to how values for time2 and random2 are selected.
Annex F
Amendments and corrigenda
(This annex does not form an integral part of this Recommendation | International Standard.)
This edition of this Directory Specification includes the following amendment to the previous edition that was balloted and approved by ISO/IEC:
– Amendment 1 on General updates
This edition of this Directory Specification does not include any technical corrigenda, as there were no accepted defect reports against the previous edition of this Directory Specification.
________________