Internet Engineering Task Force (IETF)                       K. Zeilenga
Request for Comments: 6171                                 Isode Limited
Category: Standards Track                                     March 2011
ISSN: 2070-1721

The Lightweight Directory Access Protocol (LDAP) Don't Use Copy Control

LDAP(Lightweight Directory Access Protocol)はコピー制御を使用しないでください。



This document defines the Lightweight Directory Access Protocol (LDAP) Don't Use Copy control extension, which allows a client to specify that copied information should not be used in providing service. This control is based upon the X.511 dontUseCopy service control option.

このドキュメントでは、LDAP(Lightweight Directory Access Protocol)をクライアントにコピーされた情報は、サービスを提供する際に使用されないように指定することを可能にするコピー制御拡張子を使用しないでください定義します。この制御はX.511 dontUseCopyサービス制御オプションに基づいています。

Status of This Memo


This is an Internet Standards Track document.


This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

このドキュメントはインターネットエンジニアリングタスクフォース(IETF)の製品です。これは、IETFコミュニティの総意を表しています。これは、公開レビューを受けており、インターネットエンジニアリング運営グループ(IESG)によって公表のために承認されています。インターネット標準の詳細については、RFC 5741のセクション2で利用可能です。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at


Copyright Notice


Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

著作権(C)2011 IETF信託とドキュメントの作成者として特定の人物。全著作権所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

この文書では、BCP 78と、この文書の発行日に有効なIETFドキュメント(に関連IETFトラストの法律の規定に従うものとします。彼らは、この文書に関してあなたの権利と制限を説明するように、慎重にこれらの文書を確認してください。コードコンポーネントは、トラスト法規定のセクションで説明4.eおよび簡体BSDライセンスで説明したように、保証なしで提供されているよう簡体BSDライセンスのテキストを含める必要があり、この文書から抽出されました。

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.


1. Background and Intended Usage

This document defines the Lightweight Directory Access Protocol (LDAP) [RFC4510] Don't Use Copy control extension. The control may be attached to request messages to indicate that copied (replicated or cached) information [X.500] is not be used in providing service. This control is based upon the X.511 [X.511] dontUseCopy service control option.

この文書では、コピー制御の拡張機能を使用していないのLDAP(Lightweight Directory Access Protocol)[RFC4510]を定義します。制御は、コピー(複製またはキャッシュされた)情報が[X.500]サービスを提供する際に使用されていないことを示すためにメッセージを要求するために取り付けられてもよいです。この制御はX.511 [X.511] dontUseCopyサービス制御オプションに基づいています。

The Don't Use Copy control is intended to be used where the client requires the service be provided using original (master) information [X.500]. In absence of this control, the server is free to make use of copied (i.e., non-authoritative) information in providing the requested service.


For instance, a client might desire to have an authoritative answer to a question of whether or not a particular user is a member of a group. To ask this question of a server, the client might issue a compare request [RFC4511], with the Don't Use Copy control, where the entry parameter is the Distinguished Name (DN) of the group, the ava.attributeDesc is 'member', and the ava.assertionValue is the DN of the user in question. If the server has access to the original (master) information directly or through chaining, it performs the operation against the original (master) information and returns compareTrue or compareFalse (or an error). If the server does not have access to the original information, the server is obligated to either return a referral or an error.


It is not intended that this control be used generally (e.g., for all LDAP interrogation operations) but only as required to ensure proper directory application behavior. In general, directory applications ought to designed to use copied information well.


2. Terminology

DSA stands for Directory System Agent (or server). DSE stands for DSA-Specific Entry.

DSAは、ディレクトリシステムエージェント(またはサーバー)の略です。 DSEは、DSA固有のエントリを表します。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

この文書のキーワード "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", および "OPTIONAL" はRFC 2119 [RFC2119]に記載されているように解釈されます。

3. The Don't Use Copy Control

The Don't Use Copy control is an LDAP Control [RFC4511] whose controlType is and controlValue is absent. The criticality MUST be TRUE. There is no corresponding response control.


The control is appropriate for LDAP interrogation operations, including Compare and Search operations [RFC4511]. It is inappropriate for all other operations, including Abandon, Bind, Delete, Modify, ModifyDN, StartTLS, and Unbind operations [RFC4511].


When the control is attached to an LDAP request, the requested operation MUST NOT be performed on copied information. That is, the requested operation MUST be performed on original information.


If original (master) information for the target or base object of the operation is not available (either locally or through chaining), the server MUST either return a referral directing the client to a server believed to be better able to service the request or return an appropriate result code (e.g., unwillingToPerform).


It is noted that a referral, if returned, is not necessarily to the server holding the original (master) information. It is also noted that an authoritative answer to the question might not be available to the client for any number of reasons.


Where the client chases a referral to a server (as referenced by an LDAP URL) in the server response in order to obtain an authoritative response, the client MUST provide the dontUseCopy control with the interrogation request it makes to the referred to server. While LDAP allows return of other kinds of URIs, the syntax and semantics of other kinds of URIs are left to future specifications. The particulars of how to act upon other kinds of URIs are also left to future specifications.

クライアントが権限応答を得るために、サーバの応答でサーバ(LDAPのURLで参照される)への紹介を追う場合、クライアントは、サーバへの言及になり尋問要求にdontUseCopy制御を提供しなければなりません。 LDAPは、URIの他の種類の復帰を可能にしながら、URIの他の種類の構文とセマンティクスは将来の仕様に残されています。 URIの他の種類に作用する方法の詳細は、将来の仕様に残されています。

Servers implementing this technical specification SHOULD publish the object identifier as a value of the 'supportedControl' attribute [RFC4512] in their root DSE. A server MAY choose to advertise this extension only when the client is authorized to use it.


4. Security Considerations

This control is intended to be provided where providing service using copied information might lead to unexpected application behavior.


Use of the Don't Use Copy control may permit an attacker to perform or amplify a denial-of-service attack by causing additional server resources to be employed, such as when the server chooses to chain the request instead of returning a referral. Servers capable of such chaining can mitigate this threat by limiting chaining to a particular group of authenticated entities.


LDAP is frequently used for storage and distribution of security-sensitive information, including access control and security policy information. Failure to use the Don't Use Copy control may thus permit an attacker to gain unauthorized access by allowing reliance on stale data.


5. IANA Considerations
5. IANAの考慮事項
5.1. Object Identifier
5.1. オブジェクト識別子

IANA has assigned an LDAP Object Identifier [RFC4520] to identify the LDAP Don't Use Copy Control defined in this document.


Subject: Request for LDAP Object Identifier Registration Person & email address to contact for further information: Kurt Zeilenga <Kurt.Zeilenga@Isode.COM> Specification: RFC 6171 Author/Change Controller: IESG Comments: Identifies the LDAP Don't Use Copy Control

件名:詳細のために連絡するLDAPオブジェクト識別子の登録人とEメールアドレスの要求:クルトZeilenga <Kurt.Zeilenga@Isode.COM>仕様:RFC 6171著者/変更コントローラ:IESGコメント:LDAPを識別コピー制御を使用しないでください。

5.2. LDAP Protocol Mechanism
5.2. LDAPプロトコルメカニズム

IANA has registered this protocol mechanism [RFC4520] as follows.


Subject: Request for LDAP Protocol Mechanism Registration Object Identifier: Description: Don't Use Copy Control Person & email address to contact for further information: Kurt Zeilenga <Kurt.Zeilenga@Isode.COM> Usage: Control Specification: RFC 6171 Author/Change Controller: IESG Comments: none

件名:LDAPプロトコルメカニズム登録オブジェクト識別子の要求:説明:詳細のために連絡するコピー制御人とEメールアドレスを使用しないでください:クルトZeilenga <Kurt.Zeilenga@Isode.COM>使用方法:コントロール仕様: RFC 6171著者/変更コントローラ:IESGコメント:なし

6. Acknowledgements

The author thanks Ben Campbell, Phillip Hallam-Baker, and Ted Hardie for providing review and specific suggestions.


7. References
7.1. Normative References
7.1. 引用規格

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]ブラドナーの、S.、 "要件レベルを示すためにRFCsにおける使用のためのキーワード"、BCP 14、RFC 2119、1997年3月。

[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006.

[RFC4510] Zeilenga、K.、エド、 "ライトウェイトディレクトリアクセスプロトコル(LDAP):技術仕様ロードマップ"。、RFC 4510、2006年6月。

[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, June 2006.

[RFC4511] Sermersheim、J.、エド、 "ライトウェイトディレクトリアクセスプロトコル(LDAP):プロトコル"、RFC 4511、2006年6月。

[RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.

[RFC4512] Zeilenga、K.、エド、。 "のLDAP(Lightweight Directory Access Protocol):ディレクトリ情報モデル"、RFC 4512、2006年6月。

7.2. Informative References
7.2. 参考文献

[X.500] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory -- Overview of concepts, models and services," X.500(1993) (also ISO/IEC 9594-1:1994).

[X.500]国際電気通信連合 - 電気通信標準化部門、 "ディレクトリ - 概念、モデルとサービスの概要、" X.500(1993)(また、ISO / IEC 9594から1:1994)。

[X.511] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Abstract Service Definition", X.511(1993) (also ISO/IEC 9594-3:1993).

[X.511]国際電気通信連合 - 電気通信標準化部門、 "ディレクトリ:抽象サービス定義"、X.511(1993)(また、ISO / IEC 9594から3:1993)。

[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

[RFC4520] Zeilenga、K.、 "IANA(Internet Assigned Numbers Authority)のライトウェイトディレクトリアクセスプロトコル(LDAP)に関する考慮事項"、BCP 64、RFC 4520、2006年6月。

Author's Address


Kurt D. Zeilenga Isode Limited

クルトD. Zeilenga ISODEリミテッド

EMail: Kurt.Zeilenga@Isode.COM