forked from osmocom/wireshark
542 lines
17 KiB
Groff
542 lines
17 KiB
Groff
-- Module Lightweight-Directory-Access-Protocol-V3 (RFC 2251:12/1997)
|
|
Lightweight-Directory-Access-Protocol-V3
|
|
--
|
|
-- $Id$
|
|
-- This is based on the ASN.1 definitions in RFC 2251, with changes made
|
|
-- as necessary for Wireshark.
|
|
-- Copyright (C) The Internet Society (1997). This version of
|
|
-- this ASN.1 module is part of RFC 2251;
|
|
-- see the RFC itself for full legal notices.
|
|
--
|
|
DEFINITIONS IMPLICIT TAGS ::=
|
|
BEGIN
|
|
|
|
LDAPMessage ::= SEQUENCE {
|
|
messageID MessageID,
|
|
protocolOp ProtocolOp,
|
|
controls [0] Controls OPTIONAL
|
|
}
|
|
|
|
MessageID ::= INTEGER(0..maxInt)
|
|
|
|
ProtocolOp ::= CHOICE {
|
|
bindRequest BindRequest,
|
|
bindResponse BindResponse,
|
|
unbindRequest UnbindRequest,
|
|
searchRequest SearchRequest,
|
|
searchResEntry SearchResultEntry,
|
|
searchResDone SearchResultDone,
|
|
searchResRef SearchResultReference,
|
|
modifyRequest ModifyRequest,
|
|
modifyResponse ModifyResponse,
|
|
addRequest AddRequest,
|
|
addResponse AddResponse,
|
|
delRequest DelRequest,
|
|
delResponse DelResponse,
|
|
modDNRequest ModifyDNRequest,
|
|
modDNResponse ModifyDNResponse,
|
|
compareRequest CompareRequest,
|
|
compareResponse CompareResponse,
|
|
abandonRequest AbandonRequest,
|
|
extendedReq ExtendedRequest,
|
|
extendedResp ExtendedResponse,
|
|
intermediateResponse IntermediateResponse
|
|
}
|
|
|
|
|
|
maxInt INTEGER ::= 2147483647 -- (2^^31 - 1)
|
|
|
|
LDAPString ::= OCTET STRING
|
|
|
|
LDAPOID ::= OCTET STRING
|
|
|
|
LDAPDN ::= LDAPString
|
|
|
|
RelativeLDAPDN ::= LDAPString
|
|
|
|
AttributeType ::= LDAPString
|
|
|
|
AttributeDescription ::= LDAPString
|
|
|
|
AttributeDescriptionList ::= SEQUENCE OF AttributeDescription
|
|
|
|
AttributeValue ::= OCTET STRING
|
|
|
|
AttributeValueAssertion ::= SEQUENCE {
|
|
attributeDesc AttributeDescription,
|
|
assertionValue AssertionValue
|
|
}
|
|
|
|
AssertionValue ::= OCTET STRING
|
|
|
|
Attribute ::= SEQUENCE {type AttributeDescription,
|
|
vals SET OF AttributeValue
|
|
}
|
|
|
|
MatchingRuleId ::= LDAPString
|
|
|
|
LDAPResult ::= SEQUENCE {
|
|
resultCode
|
|
ENUMERATED {success(0), operationsError(1), protocolError(2),
|
|
timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5),
|
|
compareTrue(6), authMethodNotSupported(7),
|
|
strongAuthRequired(8),
|
|
-- 9 reserved
|
|
referral(10),-- new-- adminLimitExceeded(11),-- new--
|
|
unavailableCriticalExtension(12),-- new--
|
|
confidentialityRequired(13),-- new--
|
|
saslBindInProgress(14),-- new-- noSuchAttribute(16),
|
|
undefinedAttributeType(17), inappropriateMatching(18),
|
|
constraintViolation(19), attributeOrValueExists(20),
|
|
invalidAttributeSyntax(21),
|
|
-- 22-31 unused
|
|
noSuchObject(32), aliasProblem(33),
|
|
invalidDNSyntax(34),
|
|
-- 35 reserved for undefined isLeaf
|
|
aliasDereferencingProblem(36),
|
|
-- 37-47 unused
|
|
inappropriateAuthentication(48), invalidCredentials(49),
|
|
insufficientAccessRights(50), busy(51), unavailable(52),
|
|
unwillingToPerform(53),
|
|
loopDetect(54),
|
|
-- 55-63 unused
|
|
namingViolation(64), objectClassViolation(65),
|
|
notAllowedOnNonLeaf(66), notAllowedOnRDN(67),
|
|
entryAlreadyExists(68),
|
|
objectClassModsProhibited(69),
|
|
-- 70 reserved for CLDAP
|
|
affectsMultipleDSAs(71),-- new--
|
|
-- 72-79 unused
|
|
other(80),
|
|
canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909
|
|
},
|
|
-- 81-90 reserved for APIs
|
|
matchedDN LDAPDN,
|
|
errorMessage ErrorMessage,
|
|
referral [3] Referral OPTIONAL
|
|
}
|
|
|
|
Referral ::= SEQUENCE OF LDAPURL
|
|
|
|
LDAPURL ::= OCTET STRING -- LDAPString - - limited to characters permitted in URLs
|
|
|
|
Controls ::= SEQUENCE OF Control
|
|
|
|
Control ::= SEQUENCE {
|
|
controlType ControlType,
|
|
criticality BOOLEAN DEFAULT FALSE,
|
|
controlValue OCTET STRING OPTIONAL
|
|
}
|
|
|
|
ControlType ::= LDAPOID
|
|
|
|
BindRequest ::= [APPLICATION 0] SEQUENCE {
|
|
version INTEGER(1..127),
|
|
name LDAPDN,
|
|
authentication AuthenticationChoice
|
|
}
|
|
|
|
AuthenticationChoice ::= CHOICE {
|
|
simple [0] Simple,
|
|
-- 1 and 2 reserved
|
|
sasl [3] SaslCredentials,
|
|
-- 10,11 from bug 1148
|
|
ntlmsspNegotiate [10] IMPLICIT OCTET STRING,
|
|
ntlmsspAuth [11] IMPLICIT OCTET STRING
|
|
}
|
|
|
|
Simple ::= OCTET STRING
|
|
|
|
SaslCredentials ::= SEQUENCE {
|
|
mechanism Mechanism,
|
|
credentials Credentials OPTIONAL
|
|
}
|
|
|
|
--4.1.2. String Types
|
|
--
|
|
-- The LDAPString is a notational convenience to indicate that, although
|
|
-- strings of LDAPString type encode as OCTET STRING types, the ISO
|
|
-- 10646 [13] character set (a superset of Unicode) is used, encoded
|
|
-- following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm
|
|
-- characters which are the same as ASCII (0x0000 through 0x007F) are
|
|
-- represented as that same ASCII character in a single byte. The other
|
|
-- byte values are used to form a variable-length encoding of an
|
|
-- arbitrary character.
|
|
|
|
-- Mechanism ::= LDAPString
|
|
Mechanism ::= OCTET STRING
|
|
|
|
Credentials ::= OCTET STRING
|
|
|
|
BindResponse ::= [APPLICATION 1] SEQUENCE {
|
|
-- COMPONENTS OF LDAPResult,
|
|
resultCode
|
|
ENUMERATED {success(0), operationsError(1), protocolError(2),
|
|
timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5),
|
|
compareTrue(6), authMethodNotSupported(7),
|
|
strongAuthRequired(8),
|
|
-- 9 reserved
|
|
referral(10),-- new-- adminLimitExceeded(11),-- new--
|
|
unavailableCriticalExtension(12),-- new--
|
|
confidentialityRequired(13),-- new--
|
|
saslBindInProgress(14),-- new-- noSuchAttribute(16),
|
|
undefinedAttributeType(17), inappropriateMatching(18),
|
|
constraintViolation(19), attributeOrValueExists(20),
|
|
invalidAttributeSyntax(21),
|
|
-- 22-31 unused
|
|
noSuchObject(32), aliasProblem(33),
|
|
invalidDNSyntax(34),
|
|
-- 35 reserved for undefined isLeaf
|
|
aliasDereferencingProblem(36),
|
|
-- 37-47 unused
|
|
inappropriateAuthentication(48), invalidCredentials(49),
|
|
insufficientAccessRights(50), busy(51), unavailable(52),
|
|
unwillingToPerform(53),
|
|
loopDetect(54),
|
|
-- 55-63 unused
|
|
namingViolation(64), objectClassViolation(65),
|
|
notAllowedOnNonLeaf(66), notAllowedOnRDN(67),
|
|
entryAlreadyExists(68),
|
|
objectClassModsProhibited(69),
|
|
-- 70 reserved for CLDAP
|
|
affectsMultipleDSAs(71),-- new--
|
|
-- 72-79 unused
|
|
other(80),
|
|
canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909
|
|
},
|
|
-- 81-90 reserved for APIs
|
|
matchedDN LDAPDN,
|
|
errorMessage ErrorMessage,
|
|
referral [3] Referral OPTIONAL,
|
|
|
|
-- end of components
|
|
serverSaslCreds [7] ServerSaslCreds OPTIONAL
|
|
}
|
|
|
|
ServerSaslCreds ::= OCTET STRING
|
|
|
|
ErrorMessage ::= LDAPString
|
|
|
|
UnbindRequest ::= [APPLICATION 2] NULL
|
|
|
|
SearchRequest ::= [APPLICATION 3] SEQUENCE {
|
|
baseObject LDAPDN,
|
|
scope ENUMERATED {baseObject(0), singleLevel(1), wholeSubtree(2)},
|
|
derefAliases
|
|
ENUMERATED {neverDerefAliases(0), derefInSearching(1),
|
|
derefFindingBaseObj(2), derefAlways(3)},
|
|
sizeLimit INTEGER(0..maxInt),
|
|
timeLimit INTEGER(0..maxInt),
|
|
typesOnly BOOLEAN,
|
|
filter Filter,
|
|
attributes AttributeDescriptionList
|
|
}
|
|
|
|
Filter ::= CHOICE {
|
|
and [0] SET OF Filter,
|
|
or [1] SET OF Filter,
|
|
not [2] Filter,
|
|
equalityMatch [3] AttributeValueAssertion,
|
|
substrings [4] SubstringFilter,
|
|
greaterOrEqual [5] AttributeValueAssertion,
|
|
lessOrEqual [6] AttributeValueAssertion,
|
|
present [7] AttributeDescription,
|
|
approxMatch [8] AttributeValueAssertion,
|
|
extensibleMatch [9] MatchingRuleAssertion
|
|
}
|
|
|
|
SubstringFilter ::= SEQUENCE {
|
|
type AttributeDescription,
|
|
-- at least one must be present
|
|
substrings
|
|
SEQUENCE OF
|
|
CHOICE {initial [0] LDAPString,
|
|
any [1] LDAPString,
|
|
final [2] LDAPString}
|
|
}
|
|
|
|
MatchingRuleAssertion ::= SEQUENCE {
|
|
matchingRule [1] MatchingRuleId OPTIONAL,
|
|
type [2] AttributeDescription OPTIONAL,
|
|
matchValue [3] AssertionValue,
|
|
dnAttributes [4] BOOLEAN DEFAULT FALSE
|
|
}
|
|
|
|
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
|
|
objectName LDAPDN,
|
|
attributes PartialAttributeList
|
|
}
|
|
|
|
PartialAttributeList ::=
|
|
SEQUENCE OF SEQUENCE {type AttributeDescription,
|
|
vals SET OF AttributeValue}
|
|
|
|
SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
|
|
|
|
SearchResultDone ::= [APPLICATION 5] LDAPResult
|
|
|
|
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
|
|
object LDAPDN,
|
|
modification
|
|
SEQUENCE OF
|
|
SEQUENCE {operation ENUMERATED {add(0), delete(1), replace(2)},
|
|
modification AttributeTypeAndValues}
|
|
}
|
|
|
|
AttributeTypeAndValues ::= SEQUENCE {
|
|
type AttributeDescription,
|
|
vals SET OF AttributeValue
|
|
}
|
|
|
|
ModifyResponse ::= [APPLICATION 7] LDAPResult
|
|
|
|
AddRequest ::= [APPLICATION 8] SEQUENCE {
|
|
entry LDAPDN,
|
|
attributes AttributeList
|
|
}
|
|
|
|
AttributeList ::=
|
|
SEQUENCE OF SEQUENCE {type AttributeDescription,
|
|
vals SET OF AttributeValue}
|
|
|
|
AddResponse ::= [APPLICATION 9] LDAPResult
|
|
|
|
DelRequest ::= [APPLICATION 10] LDAPDN
|
|
|
|
DelResponse ::= [APPLICATION 11] LDAPResult
|
|
|
|
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
|
|
entry LDAPDN,
|
|
newrdn RelativeLDAPDN,
|
|
deleteoldrdn BOOLEAN,
|
|
newSuperior [0] LDAPDN OPTIONAL
|
|
}
|
|
|
|
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
|
|
|
|
CompareRequest ::= [APPLICATION 14] SEQUENCE {
|
|
entry LDAPDN,
|
|
ava AttributeValueAssertion
|
|
}
|
|
|
|
CompareResponse ::= [APPLICATION 15] LDAPResult
|
|
|
|
AbandonRequest ::= [APPLICATION 16] MessageID
|
|
|
|
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
|
|
requestName [0] LDAPOID,
|
|
requestValue [1] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
|
|
-- COMPONENTS OF LDAPResult,
|
|
resultCode
|
|
ENUMERATED {success(0), operationsError(1), protocolError(2),
|
|
timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5),
|
|
compareTrue(6), authMethodNotSupported(7),
|
|
strongAuthRequired(8),
|
|
-- 9 reserved
|
|
referral(10),-- new-- adminLimitExceeded(11),-- new--
|
|
unavailableCriticalExtension(12),-- new--
|
|
confidentialityRequired(13),-- new--
|
|
saslBindInProgress(14),-- new-- noSuchAttribute(16),
|
|
undefinedAttributeType(17), inappropriateMatching(18),
|
|
constraintViolation(19), attributeOrValueExists(20),
|
|
invalidAttributeSyntax(21),
|
|
-- 22-31 unused
|
|
noSuchObject(32), aliasProblem(33),
|
|
invalidDNSyntax(34),
|
|
-- 35 reserved for undefined isLeaf
|
|
aliasDereferencingProblem(36),
|
|
-- 37-47 unused
|
|
inappropriateAuthentication(48), invalidCredentials(49),
|
|
insufficientAccessRights(50), busy(51), unavailable(52),
|
|
unwillingToPerform(53),
|
|
loopDetect(54),
|
|
-- 55-63 unused
|
|
namingViolation(64), objectClassViolation(65),
|
|
notAllowedOnNonLeaf(66), notAllowedOnRDN(67),
|
|
entryAlreadyExists(68),
|
|
objectClassModsProhibited(69),
|
|
-- 70 reserved for CLDAP
|
|
affectsMultipleDSAs(71),-- new--
|
|
-- 72-79 unused
|
|
other(80),
|
|
canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909
|
|
},
|
|
-- 81-90 reserved for APIs
|
|
matchedDN LDAPDN,
|
|
errorMessage ErrorMessage,
|
|
referral [3] Referral OPTIONAL,
|
|
-- end of COMPONENTS
|
|
responseName [10] ResponseName OPTIONAL,
|
|
response [11] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
IntermediateResponse ::= [APPLICATION 25] SEQUENCE {
|
|
responseName [0] ResponseName OPTIONAL,
|
|
responseValue [1] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
ResponseName ::= LDAPOID
|
|
|
|
-- RFC 2696 - Simple Paged Results Manipulation
|
|
|
|
SearchControlValue ::= SEQUENCE {
|
|
size INTEGER --(0..maxInt)--,
|
|
-- requested page size from client
|
|
-- result set size estimate from server
|
|
cookie OCTET STRING
|
|
}
|
|
|
|
-- RFC 2891 - Server Side Sorting of Search Results
|
|
|
|
SortKeyList ::= SEQUENCE OF SEQUENCE {
|
|
attributeType AttributeDescription,
|
|
orderingRule [0] MatchingRuleId OPTIONAL,
|
|
reverseOrder [1] BOOLEAN DEFAULT FALSE }
|
|
|
|
SortResult ::= SEQUENCE {
|
|
sortResult ENUMERATED {
|
|
success (0), -- results are sorted
|
|
operationsError (1), -- server internal failure
|
|
timeLimitExceeded (3), -- timelimit reached before
|
|
-- sorting was completed
|
|
strongAuthRequired (8), -- refused to return sorted
|
|
-- results via insecure
|
|
-- protocol
|
|
adminLimitExceeded (11), -- too many matching entries
|
|
-- for the server to sort
|
|
noSuchAttribute (16), -- unrecognized attribute
|
|
-- type in sort key
|
|
inappropriateMatching (18), -- unrecognized or
|
|
-- inappropriate matching
|
|
-- rule in sort key
|
|
insufficientAccessRights (50), -- refused to return sorted
|
|
-- results to this client
|
|
busy (51), -- too busy to process
|
|
unwillingToPerform (53), -- unable to sort
|
|
other (80)
|
|
},
|
|
attributeType [0] AttributeDescription OPTIONAL }
|
|
|
|
|
|
-- Draft RFC - but used in some implementations
|
|
-- Normaly it's an integer but we want to generate a subitem
|
|
DirSyncFlagsSubEntry ::= SEQUENCE {
|
|
value [0] INTEGER
|
|
}
|
|
|
|
DirSyncFlags ::= INTEGER
|
|
|
|
DirSyncControlValue ::= SEQUENCE {
|
|
flags DirSyncFlags,
|
|
maxBytes INTEGER,
|
|
cookie OCTET STRING
|
|
}
|
|
|
|
-- RFC 3062
|
|
|
|
--passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1
|
|
|
|
PasswdModifyRequestValue ::= SEQUENCE {
|
|
userIdentity [0] OCTET STRING OPTIONAL,
|
|
oldPasswd [1] OCTET STRING OPTIONAL,
|
|
newPasswd [2] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
PasswdModifyResponseValue ::= SEQUENCE {
|
|
genPasswd [0] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
-- RFC 3909
|
|
|
|
--cancelRequestOID OBJECT IDENTIFIER ::= 1.3.6.1.1.8
|
|
|
|
CancelRequestValue ::= SEQUENCE {
|
|
cancelID MessageID
|
|
}
|
|
|
|
-- RFC 4533
|
|
|
|
--syncRequestOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.1
|
|
|
|
SyncRequestValue ::= SEQUENCE {
|
|
mode ENUMERATED {
|
|
-- 0 unused
|
|
refreshOnly (1),
|
|
-- 2 reserved
|
|
refreshAndPersist (3)
|
|
},
|
|
cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
|
|
reloadHint BOOLEAN DEFAULT FALSE
|
|
}
|
|
|
|
--syncStateOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.2
|
|
|
|
SyncStateValue ::= SEQUENCE {
|
|
state ENUMERATED {
|
|
present (0),
|
|
add (1),
|
|
modify (2),
|
|
delete (3)
|
|
},
|
|
entryUUID SyncUUID,
|
|
cookie OCTET STRING OPTIONAL -- SyncCookie OPTIONAL
|
|
}
|
|
|
|
--syncDoneOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.3
|
|
|
|
SyncDoneValue ::= SEQUENCE {
|
|
cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
|
|
refreshDeletes BOOLEAN DEFAULT FALSE
|
|
}
|
|
|
|
--syncInfoOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.4
|
|
|
|
SyncInfoValue ::= CHOICE {
|
|
newcookie [0] OCTET STRING, -- SyncCookie
|
|
refreshDelete [1] SEQUENCE {
|
|
cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
|
|
refreshDone BOOLEAN DEFAULT TRUE
|
|
},
|
|
refreshPresent [2] SEQUENCE {
|
|
cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
|
|
refreshDone BOOLEAN DEFAULT TRUE
|
|
},
|
|
syncIdSet [3] SEQUENCE {
|
|
cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
|
|
refreshDeletes BOOLEAN DEFAULT FALSE,
|
|
syncUUIDs SET OF SyncUUID
|
|
}
|
|
}
|
|
|
|
SyncUUID ::= OCTET STRING(SIZE(16))
|
|
|
|
-- SyncCookie ::= OCTET STRING
|
|
|
|
--
|
|
|
|
-- Draft RFC - Password Policy for LDAP Directories
|
|
-- https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt
|
|
|
|
PasswordPolicyResponseValue ::= SEQUENCE {
|
|
warning [0] CHOICE {
|
|
timeBeforeExpiration [0] INTEGER (0 .. maxInt),
|
|
graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
|
|
error [1] ENUMERATED {
|
|
passwordExpired (0),
|
|
accountLocked (1),
|
|
changeAfterReset (2),
|
|
passwordModNotAllowed (3),
|
|
mustSupplyOldPassword (4),
|
|
insufficientPasswordQuality (5),
|
|
passwordTooShort (6),
|
|
passwordTooYoung (7),
|
|
passwordInHistory (8) } OPTIONAL }
|
|
|
|
END
|
|
|
|
-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D
|
|
|