INTERNET-DRAFT Kurt D. Zeilenga Intended Category: Informational OpenLDAP Foundation Expires: 7 May 2001 7 November 2000 Lightweight Directory Access Protocol: version differences draft-zeilenga-ldapbis-vd-00 This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. This document is intended to be, after appropriate review and revision, submitted to the RFC Editor as an Informational document. Distribution of this memo is unlimited. Technical discussion of this document will take place on the IETF LDAP Revision (Proposed) Working Group (LDAPbis) mailing list . Please send editorial comments directly to the author . Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright 2000, The Internet Society. All Rights Reserved. Please see the Copyright section near the end of this document for more information. 1. Overview This document details differences between Lightweight Directory Access Protocol versions 2 [RFC1777] and 3 [RFC2251]. There has been is significant interest within the community to develop applications which implement both LDAPv2 and LDAPv3. These are referred to as dual implementations in this document. This discusses issues specific to dual implementations. Zeilenga [Page 1] INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000 2. X.500 Issues LDAPv2 is defined in terms of X.500(1988) series of ITU Recommendations whereas LDAPv3 is defined in terms of the X.500(1993) series. 2.1. Directory Strings The X.520(1988) directoryString is defined as: DirectoryString { INTEGER : maxSize } ::= CHOICE { teletexString TeletexString (SIZE (1..maxSize)), printableString PrintableString (SIZE (1..maxSize)) } LDAPv2 requires [RFC2252] that the encoding of values of the directoryString syntax is the string value itself. As each choice was a subset of the T.61, the transferred value is restricted to T.61. A choice of universalString was added in the X.500(1993). LDAPv2 implementations which support this choice should transliterate values to T.61. LDAPv3 requires that values of directoryString syntax be encoded as ISO 10646-1 UTF-8 strings. DirectoryString values of teletexString choice must be transliterated. A dual implementation must be able transliterate strings between ISO 10646-1 and T.61 or restrict strings to IA5 (which is a subset of both ISO 10646-1 and T.61). 2.2. Attribute type X.500(1988) makes no distinction between user, operational, and collective attributes whereas X.500(1993) does. Hence, LDAPv2 makes no distinction whereas LDAPv3 does. For example, a LDAPv2 search request with an empty attribute list returns all attributes whereas LDAPv3 only returns all user attributes. LDAPv3 only returns operational attributes unless specifically requested, whereas LDAPv2 has no such restriction. X.500(1993) also states that a search "request for a particular attribute is always treated as a request for the attribute and all subtypes of that attribute (except for requests processed by 1988-edition systems)". LDAPv2 does not support subtyping whereas LDAPv3 does (though it is optional). Zeilenga [Page 2] INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000 2.3. Object Classes X.500(1988) makes no distinction between structural, auxiliary, and abstract object classes whereas X.500(1993) does. Hence, LDAPv2 makes no distinction whereas LDAPv3 does. 2.3. ExtensibleMatch X.500(1993) introduces extensible matching. LDAPv2 does not support extensible matching, LDAPv3 does. 3. Protocol elements LDAPv3 supports all protocol elements of LDAPv2. LDAPv3, besides defining additional protocol elements, alters the syntax and semantics of existing protocol elements. 3.1. LDAPString The LDAPString is a notational convenience to indicate that, although strings of LDAPString type encode as OCTET STRING types, the legal character set in such strings is restricted. LDAPv2 restricts LDAPString to IA5 (ASCII) characters. LDAPv3 restricts LDAPString to UTF-8 encoded ISO 10646-1 characters. The change to UTF-8 allows strings to be internationalized. For example, an LDAPv3 server can provide localized errorMessage textual error diagnostic using non-IA5 characters. LDAPv2 is restricted errorMessages to IA5. A number of protocol fields are restricted by LDAPString. In most cases, this is not problematic for dual implementations as LDAPv3 restricts these fields to IA5 subset of UTF-8 by other means. For instance, attributeType which is an LDAPString is specifically restricted to a subset of IA5. There is however one case in which is quite problematic for dual implementations, Distinguished Names. 3.2. Distinguished Names DNs are restricted to IA5 when transferred by LDAPv2 and are restricted to UTF-8 when transferred by LDAPv3 as DNs. Zeilenga [Page 3] INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000 LDAPv2 DN syntax does not support escaping of arbitrary characters within values. The BER encoding mechanism must be used for all attribute values contain any non-IA5 characters. LDAPv3 DN syntax supports escaping of arbitrary characters. LDAPv2 and LDAPv3 special character escaping requirements are different. LDAPv2 set of valid "keywords" is different from the set defined for LDAPv3. LDAPv2 and LDAPv3 DNs use incompatible mechanisms for specifying attribute types by OIDs. RFC 2253, Section 4 details additional requirements for LDAPv2 implementations. However, these requirements are too restrictive as they disallow encoding of DN in a number of cases (such as when OIDs must be used). The requirements also do not account for the fact that encodings produced per RFC2253, Section 2 may not be transferable in an LDAPv2 LDAPString or may contain elements (such as hex pair escaping) not allowed by RFC 1779 grammar. A dual implementation should: - parse and generate LDAPv2 DNs per RFC 1779, - parse and generate LDAPv3 DNs per RFC 2253, - convert between LDAPv2 and LDAPv3 DN representations by though intermediate conversion to the DNs BER encoding. 3.4. AttributeDescription LDAPv3 supports AttributeDescriptions, LDAPv2 doesn't. An LDAPv2 implementation has no mechanism to transfer attribute types with options. 3.5. AttributeDescriptionList LDAPv2 has no special "*" to indicate transfer of all user attributes (see section 2). An LDAPv2 client requesting "*" should expect a protocolError to be returned. 3.6. ExtensibleMatch LDAPv3 Filter supports a choice of extensibleMatch. An LDAPv2 doesn't. A LDAPv2 implementation would likely treat an unknown filter Zeilenga [Page 4] INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000 choice as a protocol error. 3.7. Empty 'or' and 'and' filters sets LDAPv3 requires 'and' and 'or' filter sets to be non-empty. Though LDAPv2 does not explicitly require filter sets to be non-empty, support for non-empty sets is implied by the statement that an X.500 "read" operation can be emulated by a base object LDAP search operation with the same filter. That is, X.500(1988) supports 'and' and 'or' empty filters sets. However, as defined filter string representation cannot represent an empty filter set, support for empty filter sets cannot be presumed to be present. 3.8. LDAPResult LDAPv3 extends LDAPResult to allow additional resultCode values and the inclusion of an optional referral field. LDAPv3 also requires that unknown result codes be treated as unknown error condition LDAPv2 does not have any such requirement. 3.9. Unrecognized Tags LDAPv3 implementations must ignore elements of SEQUENCE encodings whose tags they do not recognize. LDAPv2 does not have any such requirement. A LDAPv2 implementation will likely treat an unrecognized as protocol error. 3.10. Controls LDAPv3 introduces Controls which may alter the behavior of operations. LDAPv2 does not support Controls. A LDAPv2 implementation will likely treat a control as a protocol error. 3.11. New LDAP Message Types LDAPv3 introduces three new LDAP PDU choices: extended requests, extended responses, and search reference responses. LDAPv2 does not support these new PDUs and likely will treat such as a protocol error. 4. Protocol Semantics This section details semantical differences in the protocols. Zeilenga [Page 5] INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000 4.1. Bind Operation This section will describe Bind operation issues. 4.2. Search Operation This section will describe Search operation issues. 4.3. Modify Operation LDAPv3 alters the semantics of the Modify/replace. In LDAPv2, a replace with no values commonly results in a protocolError. In LDAPv3, a replace with no values is treated as a delete with no values excepting no error is generated if the attribute doesn't exist. 4.4. Modify DN Operation This section will describe Modify DN/RDN operation issues. 4.5. Unsolicited Notifications LDAPv2 implementations do not support Unsolicited Notifications. A dual implementation should avoid returning an Unsolicited Notification unless a request has been received and this request is not a LDAPv2 bind request. 5. Protocol Encoding LDAPv3 places additional restrictions on the BER encoding of protocol elements. 6. Schema LDAPv2 and LDAPv3 utilize dramatically different schema. 6.1 Syntaxes 6.1.1. Common Syntax Encodings An number of BNF definitions differ between LDAPv2 and LDAPv3. Zeilenga [Page 6] INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000 LDAPv3 allows ";" in the production k whereas LDAPv2 does not. Production k is used by production anhstring. LDAPv3 allows """ in the production p whereas LDAPv2 does not. LDAPv2 allows "'" in the production p whereas LDAPv3 does not. Production p is used by production printablestring. The differences in these productions affects the specification of many common syntaxes. A dual implement must ensure produces values which are consistent with the syntax restrictions of the protocol in use. 6.1.2. Object Identifier Syntax LDAPv2 and LDAPv3 use different string representations for object identifier (OIDs) syntax. LDAPv2 defines an OID to be: oid = / '.' / whereas LDAPv3 defines an OID to be: oid = descr / numericoid Note the LDAPv3 eliminates one of the LDAPv3 forms. For example in LDAPv2, in encoding the object identifier representing an organizationName, the descriptor "organizationName" is preferable to "ds.4.10", which is in turn preferable to the string "2.5.4.10". For example in LDAPv3, in encoding the object identifier representing an organization name (o), the descriptor "o" is preferred to the string "2.5.4.20. A dual implementation must ensure it does not produce the eliminated form when using LDAPv3. 6.1.3. Distinguished Name Syntax The issues discussed in Section 3.2 generally apply to values of Distinguished Name syntax. 6.1.4. Certificate and related syntaxes LDAPv2 defines a string representation for X.509 certificates, revocation lists, and other related syntaxes. LDAPv3 does not use these string representation and instead requires ";binary" transfer of Zeilenga [Page 7] INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000 such values. LDAPv2 does not support ";binary" transfer. Dual implementations must be prepared to recognize and generate the encoding required by the protocol. 6.2. Attribute Types LDAPv2, in general, uses X.500 names such as commonName and organizationalName. LDAPv3 uses short names such as cn and o. Dual implementations should use attribute names appropriate for the the current protocol. 7. Other version differences This section will discuss (when written) other version differences. 8. Security Considerations LDAPv3 supports SASL [RFC2829] and TLS [RFC2830]. LDAPv2 does not offer integrity or confidentiality services. LDAPv2 Kerberos bind choices are not widely nor consistently implemented. Use of LDAPv3 security features is RECOMMENDED when updating the directory or accessing sensitive information. 9. Liberties taken Dual implementations of LDAPv2 and LDAPv3 have taken significant liberties to support both protocols. The most common liberties take are to apply the restrictions of one protocol to both (while ignoring the restrictions of one protocol). For example, it is common for dual implementations to ignore the LDAPv2 LDAPString IA5 restriction and/or the LDAPv2 directoryString T.61 restriction. 10. Summary There are numerous differences between LDAPv2 and LDAPv3 which make in difficult for an application to properly support both protocols. In addition, any application which implements LDAPv2 as specified is likely not to interoperate well due to the large deployment of non- conforming LDAPv2 implementations. The value of applications which properly implement both LDAPv2 and LDAPv3. There is little value in not adhere to specifications. Hence, it is recommended that applications only implement LDAPv3. Zeilenga [Page 8] INTERNET-DRAFT draft-zeilenga-ldapbis-vd-00 7 November 2000 Copyright 2000, The Internet Society. All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Zeilenga [Page 9]