An LDAPv3 protocol walkthrough
PDU (Protocol Data Unit)
LDAP: an access protocol that runs on top of TCP/IP
LDAP messages are described in ASN.1 (and carried on the wire as BER)
Every LDAP PDU is wrapped in an envelope with the following structure:
LDAPMessage ::= SEQUENCE {
messageID MessageID, -- unique per request: a client never reuses the ID of a request that is still outstanding on the connection;
                     -- in practice clients simply count up, and 0 is reserved for unsolicited notifications from the server
protocolOp CHOICE {
bindRequest BindRequest,
bindResponse BindResponse,
unbindRequest UnbindRequest,
searchRequest SearchRequest,
searchResEntry SearchResultEntry,
searchResDone SearchResultDone,
searchResRef SearchResultReference,
modifyRequest ModifyRequest,
modifyResponse ModifyResponse,
addRequest AddRequest,
addResponse AddResponse,
delRequest DelRequest,
delResponse DelResponse,
modDNRequest ModifyDNRequest,
modDNResponse ModifyDNResponse,
compareRequest CompareRequest,
compareResponse CompareResponse,
abandonRequest AbandonRequest,
extendedReq ExtendedRequest,
extendedResp ExtendedResponse },
controls [0] Controls OPTIONAL }
MessageID ::= INTEGER (0 .. maxInt)
maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
Every LDAP PDU must be wrapped in an LDAPMessage.
If the server receives a PDU it cannot parse (unrecognised LDAPMessage tag, unparsable messageID, unknown protocolOp tag, or wrong encoding structure or lengths), it returns a Notice of Disconnection with resultCode protocolError and immediately closes the connection.
A client that receives a PDU it cannot parse either discards it or abruptly closes the connection.
LDAPString is an OCTET STRING whose contents are UTF-8 (ISO 10646 characters).
Distinguished Name and Relative Distinguished Name
<distinguished-name> ::= <name>
<relative-distinguished-name> ::= <name-component>
where <name> and <name-component> are as defined in [4].
LDAPDN ::= LDAPString
RelativeLDAPDN ::= LDAPString
Attribute types
AttributeType ::= LDAPString
Every attribute type is identified by an OBJECT IDENTIFIER. If the type also has a textual name, that name must be used in the protocol; otherwise the dotted-decimal OID is used.
Attribute structure
Attribute ::= SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }
AttributeDescription ::= LDAPString
<AttributeDescription> ::= <AttributeType> [ ";" <options> ]
<options> ::= <option> | <option> ";" <options>
<option> ::= <opt-char> <opt-char>*
<opt-char> ::= ASCII-equivalent letters, numbers and hyphen
Result message: returned by the server to tell the client whether an operation succeeded or failed
LDAPResult ::= SEQUENCE {
resultCode ENUMERATED {
success (0),
operationsError (1),
protocolError (2),
timeLimitExceeded (3),
sizeLimitExceeded (4),
compareFalse (5),
compareTrue (6),
authMethodNotSupported (7),
strongAuthRequired (8),
-- 9 reserved --
referral (10), -- new
adminLimitExceeded (11), -- new
unavailableCriticalExtension (12), -- new
confidentialityRequired (13), -- new
saslBindInProgress (14), -- new
noSuchAttribute (16),
undefinedAttributeType (17),
inappropriateMatching (18),
constraintViolation (19),
attributeOrValueExists (20),
invalidAttributeSyntax (21),
-- 22-31 unused --
noSuchObject (32),
aliasProblem (33),
invalidDNSyntax (34),
-- 35 reserved for undefined isLeaf --
aliasDereferencingProblem (36),
-- 37-47 unused --
inappropriateAuthentication (48),
invalidCredentials (49),
insufficientAccessRights (50),
busy (51),
unavailable (52),
unwillingToPerform (53),
loopDetect (54),
-- 55-63 unused --
namingViolation (64),
objectClassViolation (65),
notAllowedOnNonLeaf (66),
notAllowedOnRDN (67),
entryAlreadyExists (68),
objectClassModsProhibited (69),
-- 70 reserved for CLDAP --
affectsMultipleDSAs (71), -- new
-- 72-79 unused --
other (80) },
-- 81-90 reserved for APIs --
matchedDN LDAPDN,
errorMessage LDAPString,
referral [3] Referral OPTIONAL }
Of these result codes, all except success, compareFalse and compareTrue mean that the operation could not be completed; most of them mirror the X.511 error types. A code not listed here is treated as an unknown error. The listed codes fall into these groups:

Result codes      Type
16-21             attribute problem
32, 33, 34, 36    name problem
48, 49, 50        security problem
51-54             service problem
64-69, 71         update problem

referral: the server contacted does not hold the target entry of the request; the referral field then carries one or more LDAP URLs of servers the client may contact instead.
Referral ::= SEQUENCE OF LDAPURL -- one or more
LDAPURL ::= LDAPString -- limited to characters permitted in URLs
Controls: optional extensions attached to an operation. If the server does not recognise a control whose criticality is TRUE, it must refuse the operation with unavailableCriticalExtension; an unrecognised control with criticality FALSE is ignored.
Controls ::= SEQUENCE OF Control
Control ::= SEQUENCE {
controlType LDAPOID,
criticality BOOLEAN DEFAULT FALSE,
controlValue OCTET STRING OPTIONAL }
Bind operation
The bind operation allows authentication information to be exchanged between client and server.
The bind request is defined as:
BindRequest ::= [APPLICATION 0] SEQUENCE {
version INTEGER (1 .. 127), -- protocol version; not negotiated, the client simply sets the version it wants to use
name LDAPDN, -- the DN the client wants to bind as
authentication AuthenticationChoice } -- the credentials
AuthenticationChoice ::= CHOICE {
simple [0] OCTET STRING,
-- 1 and 2 reserved
sasl [3] SaslCredentials }
SaslCredentials ::= SEQUENCE {
mechanism LDAPString,
credentials OCTET STRING OPTIONAL }
Bind request sequence
Some SASL mechanisms need several BindRequest/BindResponse round trips. If the client wants to abort the bind part-way through, it unbinds and then drops the underlying connection. A client must not issue any other operation between two bind requests that belong to the same multi-stage bind.
A client can also abort a SASL negotiation by sending a new bind request with a different mechanism in SaslCredentials (or a non-SASL AuthenticationChoice).
Bind response
BindResponse ::= [APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
serverSaslCreds [7] OCTET STRING OPTIONAL }
If the bind succeeded the resultCode is success; otherwise it is one of:
- operationsError: server encountered an internal error,
- protocolError: unrecognized version number or incorrect PDU
structure,
- authMethodNotSupported: unrecognized SASL mechanism name,
- strongAuthRequired: the server requires authentication be
performed with a SASL mechanism,
- referral: this server cannot accept this bind and the client
should try another,
- saslBindInProgress: the server requires the client to send a
new bind request, with the same sasl mechanism, to continue the
authentication process,
- inappropriateAuthentication: the server requires the client
which had attempted to bind anonymously or without supplying
credentials to provide some form of credentials,
- invalidCredentials: the wrong password was supplied or the SASL
credentials could not be processed,
- unavailable: the server is shutting down.
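Putting the BindResponse, the LDAPResult fields and the result-code table together: the following Python is an added example written for this page (not code from the original), which decodes an LDAPMessage carrying a BindResponse with a hand-written BER parser and classifies the resultCode by the table above. The three sample PDUs (an invalidCredentials reply, a referral reply and a saslBindInProgress reply carrying serverSaslCreds) are constructed by hand for the example, and `ProtocolError` is raised at exactly the points where a server receiving a malformed PDU would answer protocolError and drop the connection.

```python
"""Added example for this page (not from the original): parse an LDAPMessage
that carries a BindResponse with a hand-written BER decoder, and classify the
resultCode with the table from the LDAPResult section.  The sample PDUs at the
bottom are constructed by hand from the ASN.1 definitions."""

# resultCode names relevant to a bind (subset of the ENUMERATED above)
RESULT_NAMES = {
    0: "success", 1: "operationsError", 2: "protocolError",
    7: "authMethodNotSupported", 8: "strongAuthRequired", 10: "referral",
    14: "saslBindInProgress", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    52: "unavailable", 53: "unwillingToPerform", 80: "other",
}


def result_class(code: int) -> str:
    """Group a resultCode by the ranges in the result-code table."""
    if code in (0, 5, 6):               # success, compareFalse, compareTrue
        return "not an error"
    if 16 <= code <= 21:
        return "attribute problem"
    if code in (32, 33, 34, 36):
        return "name problem"
    if code in (48, 49, 50):
        return "security problem"
    if 51 <= code <= 54:
        return "service problem"
    if 64 <= code <= 69 or code == 71:
        return "update problem"
    return "other/unknown error"


class ProtocolError(ValueError):
    """Raised where a server would answer protocolError and close the connection."""


def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ProtocolError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: 0x8N then N length octets (0x80 alone = indefinite, not allowed in LDAP)
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ProtocolError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ProtocolError("element length exceeds PDU")
    return tag, buf[pos:pos + length], pos + length


def read_children(content: bytes):
    """Split the content of a constructed element into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def expect(tag: int, elem, what: str) -> bytes:
    """Return the content of elem if it carries the expected tag, else ProtocolError."""
    if elem[0] != tag:
        raise ProtocolError(f"{what}: expected tag 0x{tag:02x}, got 0x{elem[0]:02x}")
    return elem[1]


def parse_bind_response(pdu: bytes) -> dict:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] = 0x61, controls ignored }."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ProtocolError("PDU is not exactly one LDAPMessage SEQUENCE")
    fields = read_children(body)
    if len(fields) < 2:
        raise ProtocolError("LDAPMessage needs messageID and protocolOp")
    message_id = int.from_bytes(expect(0x02, fields[0], "messageID"), "big", signed=True)
    if message_id == 0:                 # 0 is reserved for unsolicited notifications
        raise ProtocolError("messageID 0 is not valid for a response")
    op = read_children(expect(0x61, fields[1], "BindResponse"))
    if len(op) < 3:
        raise ProtocolError("LDAPResult needs resultCode, matchedDN and errorMessage")
    code = int.from_bytes(expect(0x0A, op[0], "resultCode"), "big", signed=True)
    result = {
        "messageID": message_id, "resultCode": code,
        "name": RESULT_NAMES.get(code, "unlisted"), "category": result_class(code),
        "matchedDN": expect(0x04, op[1], "matchedDN").decode("utf-8"),
        "errorMessage": expect(0x04, op[2], "errorMessage").decode("utf-8"),
        "referral": [], "serverSaslCreds": None,
    }
    for tag, val in op[3:]:
        if tag == 0xA3:                 # referral [3] SEQUENCE OF LDAPURL
            result["referral"] = [expect(0x04, e, "LDAPURL").decode("utf-8")
                                  for e in read_children(val)]
        elif tag == 0x87:               # serverSaslCreds [7] OCTET STRING
            result["serverSaslCreds"] = val
        else:
            raise ProtocolError(f"unexpected element 0x{tag:02x} in BindResponse")
    return result


# Constructed sample PDUs (hex worked out by hand from the ASN.1 above).
INVALID_CREDS = bytes.fromhex("3012 020101 610d 0a0131 0400 040664656e696564")
URL = b"ldap://ldap2.example.com/dc=example,dc=com"          # 42 bytes = 0x2a
REFERRAL = bytes.fromhex("303a 020102 6135 0a010a 0400 0400 a32c 042a") + URL
SASL_IN_PROGRESS = bytes.fromhex("3012 020103 610d 0a010e 0400 0400 8704") + b"abcd"

if __name__ == "__main__":
    for pdu in (INVALID_CREDS, REFERRAL, SASL_IN_PROGRESS):
        print(parse_bind_response(pdu))
```

The parser checks every tag and length before trusting it, which is the client-side mirror of the server rule described earlier: anything that does not decode as a well-formed LDAPMessage is rejected rather than guessed at.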
Unbind operation: ends the protocol session. No response is defined for it; the server simply closes the connection.
UnbindRequest ::= [APPLICATION 2] NULL
Notice of Disconnection: the server tells the client that it is about to close the connection. It is an unsolicited ExtendedResponse with messageID 0 and responseName 1.3.6.1.4.1.1466.20036, sent right before the server closes the connection; the client does not reply to it.
Search operation
SearchRequest ::= [APPLICATION 3] SEQUENCE {
baseObject LDAPDN, -- the search base
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2) },
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3) },
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
typesOnly BOOLEAN,
filter Filter,
attributes AttributeDescriptionList }
Filter ::= CHOICE { -- the search filter
and [0] SET OF Filter,
or [1] SET OF Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeDescription,
approxMatch [8] AttributeValueAssertion,
extensibleMatch [9] MatchingRuleAssertion }
SubstringFilter ::= SEQUENCE { -- substring sub-filter
type AttributeDescription,
-- at least one must be present
substrings SEQUENCE OF CHOICE {
initial [0] LDAPString,
any [1] LDAPString,
final [2] LDAPString } }
MatchingRuleAssertion ::= SEQUENCE {
matchingRule [1] MatchingRuleId OPTIONAL,
type [2] AttributeDescription OPTIONAL,
matchValue [3] AssertionValue,
dnAttributes [4] BOOLEAN DEFAULT FALSE }
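To see how the LDAPMessage envelope, a simple BindRequest and a SearchRequest with a compound Filter actually look on the wire, here is an added example (not code from the original page) that encodes all three with a minimal BER encoder written for this page; it covers the envelope and bind definitions earlier on the page as well as the search and filter definitions just above. The DN, password, search base, filter values and attribute list are constructed sample data. Filters are passed as nested tuples, a convention invented for this example: ("and", [...]), ("or", [...]), ("not", f), ("eq" | "ge" | "le" | "approx", attr, value), ("present", attr) and ("substrings", attr, [("initial" | "any" | "final", text), ...]).

```python
"""Added example for this page (not from the original): build complete
LDAPMessage PDUs, a simple BindRequest and a SearchRequest with a filter,
with a minimal BER encoder.  All sample values are constructed for the example."""

# Universal BER tags used by LDAP, plus the class bits for [APPLICATION n] and [n]
BOOLEAN, INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE = 0x01, 0x02, 0x04, 0x0A, 0x30
APPLICATION, CONTEXT, CONSTRUCTED = 0x40, 0x80, 0x20


def ber_length(n: int) -> bytes:
    """Definite-form length: one octet below 128, else 0x8N followed by N octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(n: int, tag: int = INTEGER) -> bytes:
    """Minimal two's-complement encoding; ENUMERATED uses the same content form."""
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def ber_str(s: str, tag: int = OCTET_STRING) -> bytes:
    """LDAPString: an OCTET STRING holding UTF-8 (tag overridable for [n] fields)."""
    return tlv(tag, s.encode("utf-8"))


def ber_bool(b: bool) -> bytes:
    return tlv(BOOLEAN, b"\xff" if b else b"\x00")


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID, protocolOp } with no controls."""
    return tlv(SEQUENCE, ber_int(message_id) + protocol_op)


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0] (0x60) using AuthenticationChoice simple [0] (0x80)."""
    op = ber_int(3) + ber_str(dn) + ber_str(password, CONTEXT | 0)
    return ldap_message(message_id, tlv(APPLICATION | CONSTRUCTED | 0, op))


def encode_filter(f) -> bytes:
    """Filter CHOICE from the nested-tuple form described in the lead-in."""
    kind = f[0]
    if kind in ("and", "or"):                       # [0] / [1] SET OF Filter
        tag = CONTEXT | CONSTRUCTED | (0 if kind == "and" else 1)
        return tlv(tag, b"".join(encode_filter(x) for x in f[1]))
    if kind == "not":                               # [2] Filter
        return tlv(CONTEXT | CONSTRUCTED | 2, encode_filter(f[1]))
    if kind == "present":                           # [7] AttributeDescription, primitive
        return ber_str(f[1], CONTEXT | 7)
    if kind == "substrings":                        # [4] SubstringFilter
        part_tags = {"initial": 0, "any": 1, "final": 2}
        subs = b"".join(ber_str(v, CONTEXT | part_tags[k]) for k, v in f[2])
        return tlv(CONTEXT | CONSTRUCTED | 4, ber_str(f[1]) + tlv(SEQUENCE, subs))
    ava_tags = {"eq": 3, "ge": 5, "le": 6, "approx": 8}   # AttributeValueAssertion filters
    return tlv(CONTEXT | CONSTRUCTED | ava_tags[kind], ber_str(f[1]) + ber_str(f[2]))


def search_request(message_id, base, filt, attrs, scope=2, deref=0,
                   size_limit=0, time_limit=0, types_only=False) -> bytes:
    """SearchRequest [APPLICATION 3] (0x63); scope 2 = wholeSubtree, deref 0 = neverDerefAliases."""
    op = (ber_str(base) + ber_int(scope, ENUMERATED) + ber_int(deref, ENUMERATED)
          + ber_int(size_limit) + ber_int(time_limit) + ber_bool(types_only)
          + encode_filter(filt)
          + tlv(SEQUENCE, b"".join(ber_str(a) for a in attrs)))   # AttributeDescriptionList
    return ldap_message(message_id, tlv(APPLICATION | CONSTRUCTED | 3, op))


if __name__ == "__main__":
    bind = simple_bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    search = search_request(2, "dc=example,dc=com",
                            ("and", [("eq", "objectClass", "person"), ("eq", "uid", "alice")]),
                            ["cn", "mail"])
    print(bind.hex())
    print(search.hex())
```

Two things the hex output makes visible. The simple [0] credential is an ordinary length-prefixed OCTET STRING, so the password travels in clear unless the connection itself is protected (for example by TLS). And every assertionValue in a Filter is likewise length-prefixed: the wire format needs no escaping, so a value such as `a*)(uid=*` placed into an equalityMatch this way is matched literally; the injection risk lives entirely in code that first concatenates user input into a string filter and then parses that string.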
Search Result
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes PartialAttributeList }
PartialAttributeList ::= SEQUENCE OF SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }
SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL
SearchResultDone ::= [APPLICATION 5] LDAPResult
Modify Operation
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
object LDAPDN,
modification SEQUENCE OF SEQUENCE {
operation ENUMERATED {
add (0),
delete (1),
replace (2) },
modification AttributeTypeAndValues } }
AttributeTypeAndValues ::= SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }
Add Operation
AddRequest ::= [APPLICATION 8] SEQUENCE {
entry LDAPDN,
attributes AttributeList }
AttributeList ::= SEQUENCE OF SEQUENCE {
type AttributeDescription,
vals SET OF AttributeValue }
AddResponse ::= [APPLICATION 9] LDAPResult
Delete Operation
DelRequest ::= [APPLICATION 10] LDAPDN
DelResponse ::= [APPLICATION 11] LDAPResult
Modify DN Operation
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
entry LDAPDN,
newrdn RelativeLDAPDN,
deleteoldrdn BOOLEAN,
newSuperior [0] LDAPDN OPTIONAL }
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
Compare Operation
CompareRequest ::= [APPLICATION 14] SEQUENCE {
entry LDAPDN,
ava AttributeValueAssertion }
CompareResponse ::= [APPLICATION 15] LDAPResult
Abandon Operation
AbandonRequest ::= [APPLICATION 16] MessageID
Extended Operation
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
requestName [0] LDAPOID,
requestValue [1] OCTET STRING OPTIONAL }
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
COMPONENTS OF LDAPResult,
responseName [10] LDAPOID OPTIONAL,
response [11] OCTET STRING OPTIONAL }