...
The LDAP ASN.1 Grammar is described in RFC 2251. Here is the grammar :
| No Format |
|---|
LDAPLightweight-Directory-Access-Protocol-V3 {1 DEFINITIONS
3 6 1 1 18}
IMPLICIT TAGS ::= --pragma {packagePrefix: "ldapd.common.ber"}
BEGIN
Copyright (C) The Internet Society (2006). This version of
LDAPMessage ::= SEQUENCE {
-- this ASN.1 module is part of RFC 4511; see the RFC itself
messageID -- MessageID,
protocolOp CHOICE {
bindRequest BindRequest,
bindResponse BindResponse,
unbindRequest UnbindRequest,
searchRequest SearchRequest,
searchResEntry SearchResultEntry,
for full legal notices.
searchResDone SearchResultDone,DEFINITIONS
IMPLICIT TAGS
EXTENSIBILITY IMPLIED ::=
searchResRef SearchResultReference,BEGIN
LDAPMessage ::= SEQUENCE {
modifyRequestmessageID ModifyRequest,
MessageID,
protocolOp CHOICE modifyResponse ModifyResponse,{
bindRequest addRequest AddRequestBindRequest,
bindResponse addResponse AddResponseBindResponse,
unbindRequest delRequest DelRequestUnbindRequest,
searchRequest delResponse DelResponseSearchRequest,
searchResEntry modDNRequest ModifyDNRequestSearchResultEntry,
searchResDone modDNResponse ModifyDNResponseSearchResultDone,
searchResRef compareRequest CompareRequestSearchResultReference,
modifyRequest compareResponse CompareResponseModifyRequest,
modifyResponse abandonRequest AbandonRequestModifyResponse,
addRequest extendedReq ExtendedRequestAddRequest,
addResponse extendedResp ExtendedResponse }AddResponse,
delRequest controls [0] Controls OPTIONAL }DelRequest,
MessageID ::= INTEGER (0 .. maxInt)
delResponse maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
DelResponse,
LDAPString ::= OCTET STRING
modDNRequest LDAPOID ::= OCTET STRING
ModifyDNRequest,
LDAPDN ::= LDAPString
RelativeLDAPDN ::= LDAPString
modDNResponse AttributeType ::= LDAPStringModifyDNResponse,
AttributeDescription ::= LDAPString
AttributeDescriptionListcompareRequest ::= SEQUENCE OF
CompareRequest,
AttributeDescription
AttributeValuecompareResponse ::= OCTET STRING
CompareResponse,
AttributeValueAssertion ::= SEQUENCE {
abandonRequest attributeDesc AttributeDescriptionAbandonRequest,
assertionValue AssertionValueextendedReq }
AssertionValue ::= OCTET STRING
ExtendedRequest,
Attribute ::= SEQUENCE {
extendedResp type AttributeDescriptionExtendedResponse,
vals SET OF AttributeValue }
...,
MatchingRuleId ::= LDAPString
LDAPResultintermediateResponse ::= SEQUENCEIntermediateResponse {},
controls resultCode [0] Controls ENUMERATEDOPTIONAL {}
MessageID ::= INTEGER (0 .. maxInt)
maxInt INTEGER ::= 2147483647 -- (2^^31 - success 1) --
LDAPString ::= OCTET STRING -- UTF-8 encoded,
(0),
operationsError -- [ISO10646] characters
(1),
LDAPOID ::= OCTET STRING -- Constrained to <numericoid>
protocolError -- [RFC4512]
(2),
LDAPDN ::= LDAPString -- Constrained to <distinguishedName>
timeLimitExceeded (3),-- [RFC4514]
RelativeLDAPDN ::= LDAPString -- Constrained to <name-component>
sizeLimitExceeded (4),
-- [RFC4514]
AttributeDescription ::= LDAPString
compareFalse (5),
-- Constrained to <attributedescription>
compareTrue -- [RFC4512]
(6),
AttributeValue ::= OCTET STRING
AttributeValueAssertion ::= SEQUENCE {
authMethodNotSupported attributeDesc (7)AttributeDescription,
assertionValue AssertionValue }
AssertionValue ::= strongAuthRequiredOCTET STRING
PartialAttribute ::= SEQUENCE (8),{
type AttributeDescription,
vals SET --OF 9value reservedAttributeValue --}
Attribute ::= PartialAttribute(WITH COMPONENTS {
...,
referral vals (SIZE(1..MAX))})
MatchingRuleId (10),::= LDAPString
-- new
LDAPResult ::= SEQUENCE {
resultCode adminLimitExceeded ENUMERATED {
(11), -- new
success unavailableCriticalExtension (120),
-- new
operationsError confidentialityRequired(1),
(13), -- new
protocolError (2),
saslBindInProgress (14), -- new
timeLimitExceeded (3),
noSuchAttribute sizeLimitExceeded (164),
compareFalse undefinedAttributeType (175),
compareTrue inappropriateMatching (186),
authMethodNotSupported (7),
constraintViolationstrongerAuthRequired (198),
-- 9 reserved --
attributeOrValueExists (20),
referral invalidAttributeSyntax(10),
(21),
adminLimitExceeded (11),
-- 22-31 unused --
unavailableCriticalExtension (12),
confidentialityRequired (13),
noSuchObject saslBindInProgress (32),
(14),
noSuchAttribute aliasProblem (16),
(33),
undefinedAttributeType (17),
invalidDNSyntax inappropriateMatching (3418),
constraintViolation -- 35 reserved for undefined isLeaf --(19),
attributeOrValueExists (20),
aliasDereferencingProblem (36),
invalidAttributeSyntax (21),
-- 3722-4731 unused --
noSuchObject inappropriateAuthentication (4832),
aliasProblem invalidCredentials (4933),
invalidDNSyntax insufficientAccessRights (5034),
-- 35 reserved for undefined isLeaf busy--
aliasDereferencingProblem (5136),
-- 37-47 unused --
unavailable inappropriateAuthentication (5248),
invalidCredentials (49),
unwillingToPerform (53),
insufficientAccessRights (50),
busy loopDetect (5451),
unavailable (52),
-- 55-63 unused --
unwillingToPerform (53),
namingViolation loopDetect (64),
(54),
objectClassViolation (65),
-- 55-63 unused --
namingViolation notAllowedOnNonLeaf (6664),
objectClassViolation (65),
notAllowedOnRDN notAllowedOnNonLeaf (67),
(66),
notAllowedOnRDN entryAlreadyExists (6867),
entryAlreadyExists (68),
objectClassModsProhibited (69),
objectClassModsProhibited (69),
-- 70 reserved for CLDAP --
affectsMultipleDSAs (71), -- new
-- 72-79 unused --
other other (80),
... (80) },
matchedDN LDAPDN,
-- 81-90 reserved for APIs -- diagnosticMessage LDAPString,
referral matchedDN LDAPDN,
[3] Referral OPTIONAL }
Referral ::= SEQUENCE errorMessage LDAPString,
SIZE (1..MAX) OF uri URI
URI ::= LDAPString -- limited referralto characters permitted in
[3] Referral OPTIONAL }
Referral ::= SEQUENCE OF LDAPURL
LDAPURL ::= LDAPString -- limited to characters permitted in URLsURIs
Controls ::= SEQUENCE OF control Control
Control ::= SEQUENCE {
controlType LDAPOID,
criticality BOOLEAN DEFAULT FALSE,
controlValue OCTET STRING OPTIONAL }
BindRequest ::= [DIRxSBOX:APPLICATION 0] SEQUENCE {
version INTEGER (1 .. 127),
name LDAPDN,
authentication AuthenticationChoice }
AuthenticationChoice ::= CHOICE {
simple [0] OCTET STRING,
-- 1 and 2 reserved
sasl sasl [3] SaslCredentials,
[3] SaslCredentials ... }
SaslCredentials ::= SEQUENCE {
mechanism LDAPString,
credentials OCTET STRING OPTIONAL }
BindResponse ::= [DIRxSBOX:APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
serverSaslCreds [7] OCTET STRING OPTIONAL }
UnbindRequest ::= [DIRxSBOX:APPLICATION 2] NULL
SearchRequest ::= [DIRxSBOX:APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree wholeSubtree (2),
(2) },
... },
derefAliases ENUMERATED {
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3) },
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
typesOnly BOOLEAN,
filter Filter,
attributes AttributeDescriptionListAttributeSelection }
FilterAttributeSelection ::= CHOICESEQUENCE {
OF and [0] SET OF Filter,
orselector LDAPString
[1] SET OF Filter,
-- The LDAPString is constrained to
not [2] Filter,
-- <attributeSelector> in Section 4.5.1.8
equalityMatch Filter [3] AttributeValueAssertion,::= CHOICE {
and substrings [4] SubstringFilter,
[0] SET SIZE (1..MAX) OF filter Filter,
greaterOrEqual [5] AttributeValueAssertion,
or lessOrEqual[1] SET SIZE (1..MAX) OF [6]filter AttributeValueAssertionFilter,
not present [72] AttributeDescriptionFilter,
equalityMatch approxMatch [83] AttributeValueAssertion,
substrings extensibleMatch [94] MatchingRuleAssertion }
SubstringFilter,
SubstringFilter ::= SEQUENCE {
greaterOrEqual [5] AttributeValueAssertion,
type lessOrEqual AttributeDescription,
[6] AttributeValueAssertion,
-- at least one must be present
substrings[7] AttributeDescription,
SEQUENCE OF CHOICE {
approxMatch [8] AttributeValueAssertion,
initialextensibleMatch [09] LDAPStringMatchingRuleAssertion,
... }
SubstringFilter ::= SEQUENCE {
any [1] LDAPString,
type AttributeDescription,
final [2] LDAPString } }
substrings SEQUENCE SIZE MatchingRuleAssertion ::= SEQUENCE(1..MAX) OF substring CHOICE {
matchingRule initial [10] AssertionValue, MatchingRuleId OPTIONAL,
-- can occur at most once
type any [21] AttributeDescription OPTIONALAssertionValue,
matchValue final [32] AssertionValue,
} -- can occur at most once
dnAttributes [4] BOOLEAN DEFAULT FALSE }
SearchResultEntryMatchingRuleAssertion ::= [DIRxSBOX:APPLICATION 4] SEQUENCE {
matchingRule objectName [1] MatchingRuleId LDAPDNOPTIONAL,
attributestype PartialAttributeList }
[2] PartialAttributeList ::= SEQUENCE OF SEQUENCE {AttributeDescription OPTIONAL,
matchValue type [3] AttributeDescriptionAssertionValue,
dnAttributes vals [4] BOOLEAN SETDEFAULT OF AttributeValueFALSE }
SearchResultReferenceSearchResultEntry ::= [DIRxSBOX:APPLICATION 194] SEQUENCE OF LDAPURL
{
objectName SearchResultDone ::= [DIRxSBOX:APPLICATION 5] LDAPResult
LDAPDN,
attributes ModifyRequest ::= [DIRxSBOX:APPLICATION 6] SEQUENCEPartialAttributeList {}
PartialAttributeList ::= SEQUENCE OF
object LDAPDN,
partialAttribute PartialAttribute
modification SearchResultReference ::= SEQUENCE[APPLICATION OF19] SEQUENCE
{
operation ENUMERATED {
SIZE (1..MAX) OF uri URI
SearchResultDone ::= [APPLICATION 5] LDAPResult
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
object add (0)LDAPDN,
changes SEQUENCE OF change SEQUENCE {
delete (1),
operation ENUMERATED {
add (0),
replace (2) },
delete (1),
modification AttributeTypeAndValues } }
replace (2),
AttributeTypeAndValues ::= SEQUENCE {
type ... AttributeDescription},
vals modification SET OFPartialAttribute AttributeValue} }
ModifyResponse ::= [DIRxSBOX:APPLICATION 7] LDAPResult
AddRequest ::= [DIRxSBOX:APPLICATION 8] SEQUENCE {
entry LDAPDN,
attributes AttributeList attributes}
AttributeList } ::= SEQUENCE OF attribute Attribute
AttributeListAddResponse ::= SEQUENCE[APPLICATION OF SEQUENCE {9] LDAPResult
DelRequest ::= [APPLICATION 10] LDAPDN
type AttributeDescription,
DelResponse ::= [APPLICATION 11] LDAPResult
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE vals{
SET OF AttributeValue }
entry AddResponse ::= [DIRxSBOX:APPLICATION 9] LDAPResult
LDAPDN,
DelRequest ::= [DIRxSBOX:APPLICATION 10] LDAPDN
newrdn DelResponse ::= [DIRxSBOX:APPLICATION 11] LDAPResult
RelativeLDAPDN,
ModifyDNRequest ::= [DIRxSBOX:APPLICATION 12] SEQUENCE {
deleteoldrdn BOOLEAN,
entry newSuperior [0] LDAPDN,
OPTIONAL }
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
newrdn CompareRequest ::= [APPLICATION 14] SEQUENCE {
RelativeLDAPDN,
entry deleteoldrdn BOOLEANLDAPDN,
ava newSuperior [0] LDAPDN OPTIONALAttributeValueAssertion }
ModifyDNResponseCompareResponse ::= [DIRxSBOX:APPLICATION 1315] LDAPResult
CompareRequestAbandonRequest ::= [DIRxSBOX:APPLICATION 1416] SEQUENCE {MessageID
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
entry requestName LDAPDN,
[0] LDAPOID,
ava requestValue [1] OCTET STRING OPTIONAL AttributeValueAssertion }
CompareResponseExtendedResponse ::= [DIRxSBOX:APPLICATION 1524] LDAPResult
AbandonRequest ::= [DIRxSBOX:APPLICATION 16] MessageID
SEQUENCE {
ExtendedRequest ::= [DIRxSBOX:APPLICATION 23] SEQUENCE {
COMPONENTS OF LDAPResult,
requestName responseName [010] LDAPOID OPTIONAL,
responseValue requestValue [111] OCTET STRING OPTIONAL }
ExtendedResponseIntermediateResponse ::= [DIRxSBOX:APPLICATION 2425] SEQUENCE {
COMPONENTS OF LDAPResult,
responseName [DIRxSBOX:100] LDAPOID OPTIONAL,
response responseValue [DIRxSBOX:111] OCTET STRING OPTIONAL }
END
|
...
ExtendedRequest
ExtendedResponse
IntermediateResponse
TODO Add diagram