Fascicle VIII.8 - Rec. X.511

The drawings contained in this Recommendation have been done in AUTOCAD.

Recommendation X.511

THE DIRECTORY - ABSTRACT SERVICE DEFINITION

Recommendation X.511 and ISO 9594-3, Information Processing Systems - Open Systems Interconnection - The Directory - Abstract Service Definition, were developed in close collaboration and are technically aligned.

(Melbourne, 1988)

CONTENTS

0 Introduction
1 Scope and field of application
SECTION 1 - General
2 References
3 Definitions
4 Abbreviations
5 Conventions
SECTION 2 - Abstract service
6 Overview of the directory service
7 Information types
8 Bind and unbind operations
9 Directory read operations
10 Directory search operations
11 Directory modify operations
12 Errors
Annex A - Abstract service in ASN.1
Annex B - Directory object identifiers

0 Introduction

0.1 This document, together with the others of the series, has been produced to facilitate the interconnection of information processing systems to provide directory services. The set of all such systems, together with the directory information which they hold, can be viewed as an integrated whole, called the Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is typically used to facilitate communication between, with or about objects such as application-entities, people, terminals, and distribution lists.

0.2 The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of technical agreement outside of the interconnection standards themselves, the interconnection of information processing systems:
   - from different manufacturers;
   - under different managements;
   - of different levels of complexity; and
   - of different ages.
0.3 This Recommendation defines the capabilities provided by the Directory to its users.

0.4 Annex A provides the ASN.1 module which contains all the definitions associated with the abstract service.

1 Scope and field of application

1.1 This Recommendation defines in an abstract way the externally visible service provided by the Directory.

1.2 This Recommendation does not specify individual implementations or products.

SECTION 1 - General

2 References

Recommendation X.200 - Open Systems Interconnection - Basic Reference Model.
Recommendation X.208 - Specification of Abstract Syntax Notation One (ASN.1).
Recommendation X.500 - The Directory - Overview of Concepts, Models and Services.
Recommendation X.501 - The Directory - Models.
Recommendation X.518 - The Directory - Procedures for Distributed Operation.
Recommendation X.519 - The Directory - Protocol Specifications.
Recommendation X.520 - The Directory - Selected Attribute Types.
Recommendation X.521 - The Directory - Selected Object Classes.
Recommendation X.509 - The Directory - Authentication Framework.
Recommendation X.219 - Remote Operations - Model, Notation and Service Definition.
Recommendation X.229 - Remote Operations - Protocol Specification.
Recommendation X.407 - Abstract Service Definition Conventions.

3 Definitions

3.1 Basic Directory definitions

This Recommendation makes use of the following terms defined in Recommendation X.500:
   a) Directory;
   b) Directory Information Base (DIB);
   c) (Directory) User.

3.2 Directory model definitions

This Recommendation makes use of the following terms defined in Recommendation X.501:
   a) Directory System Agent;
   b) Directory User Agent.
3.3 Directory information base definitions

This Recommendation makes use of the following terms defined in Recommendation X.501:
   a) alias entry;
   b) Directory Information Tree;
   c) (Directory) entry;
   d) immediate superior;
   e) immediately superior entry/object;
   f) object;
   g) object class;
   h) object entry;
   i) subordinate;
   j) superior.

3.4 Directory entry definitions

This Recommendation makes use of the following terms defined in Recommendation X.501:
   a) attribute;
   b) attribute type;
   c) attribute value;
   d) attribute value assertion.

3.5 Name definitions

This Recommendation makes use of the following terms defined in Recommendation X.501:
   a) alias, alias name;
   b) distinguished name;
   c) (directory) name;
   d) purported name;
   e) relative distinguished name.

3.6 Distributed operations definitions

This Recommendation makes use of the following terms defined in Recommendation X.518:
   a) chaining;
   b) referral.

3.7 Abstract service definitions

This Recommendation defines the following terms:
   a) filter: an assertion about the presence or value of certain attributes of an entry in order to limit the scope of a search;
   b) service controls: parameters conveyed as part of an abstract-operation which constrain various aspects of its performance;
   c) originator: the user that originated an operation.

4 Abbreviations

This Recommendation makes use of the following abbreviations:
   AVA  Attribute Value Assertion
   DIB  Directory Information Base
   DIT  Directory Information Tree
   DMD  Directory Management Domain
   DSA  Directory System Agent
   DUA  Directory User Agent
   RDN  Relative Distinguished Name

5 Conventions

This Recommendation makes use of the abstract service definition conventions defined in Recommendation X.407.
SECTION 2 - Abstract service

6 Overview of the directory service

6.1 As described in Recommendation X.501, the services of the Directory are provided through access points to DUAs, each acting on behalf of a user. These concepts are depicted in Figure 1/X.511.

[FIGURE 1/X.511 - drawing not reproduced in this text]

6.2 In principle, access points to the Directory may be of different types, providing different combinations of services. It is valuable to consider the Directory as an object, supporting a number of types of port. Each port defines a particular kind of interaction in which the Directory can participate with a DUA. Each access point corresponds to a particular combination of port types.

6.3 Using the notation defined in Recommendation X.407, the Directory can be defined as follows:

   directory OBJECT
       PORTS { readPort [S],
               searchPort [S],
               modifyPort [S] }
       ::= id-ot-directory

The Directory supplies operations via: Read Ports, which support reading information from a particular named entry in the DIB; Search Ports, which allow more "exploration" of the DIB; and Modify Ports, which enable the modification of entries in the DIB.

Note - It is intended that in the future there may be other types of Directory port.

6.4 Similarly, a DUA (from the viewpoint of the Directory) can be defined as follows:

   dua OBJECT
       PORTS { readPort [C],
               searchPort [C],
               modifyPort [C] }
       ::= id-ot-dua

The DUA consumes the services provided by the Directory.
6.5 The ports cited in 6.2 to 6.4 can be defined as follows:

   readPort PORT
       CONSUMER INVOKES {
           Read, Compare, Abandon }
       ::= id-pt-read

   searchPort PORT
       CONSUMER INVOKES {
           List, Search }
       ::= id-pt-search

   modifyPort PORT
       CONSUMER INVOKES {
           AddEntry, RemoveEntry,
           ModifyEntry, ModifyRDN }
       ::= id-pt-modify

6.6 The operations of the readPort, searchPort and modifyPort are defined in 9, 10 and 11 respectively.

6.7 These ports are used only as a method of structuring the description of the Directory service. Conformance to the Directory operations is specified in Recommendation X.519.

7 Information types

7.1 Introduction

7.1.1 This paragraph identifies, and in some cases defines, a number of information types which are subsequently used in the definition of Directory operations. The information types concerned are those which are common to more than one operation, are likely to be so in the future, or which are sufficiently complex or self-contained as to merit being defined separately from the operation which uses them.

7.1.2 Several of the information types used in the definition of the Directory service are actually defined elsewhere. Paragraph 7.2 identifies these types and indicates the source of their definition. Each of the remaining paragraphs (7.3 to 7.10) identifies and defines an information type.

7.2 Information types defined elsewhere

7.2.1 The following information types are defined in Recommendation X.501:
   a) Attribute;
   b) AttributeType;
   c) AttributeValue;
   d) AttributeValueAssertion;
   e) DistinguishedName;
   f) Name;
   g) RelativeDistinguishedName.

7.2.2 The following information type is defined in Recommendation X.520:
   a) PresentationAddress.

7.2.3 The following information types are defined in Recommendation X.509:
   a) Certificate;
   b) SIGNED;
   c) CertificationPath.
7.2.4 The following information type is defined in Recommendation X.219:
   a) InvokeID.

7.2.5 The following information types are defined in Recommendation X.518:
   a) OperationProgress;
   b) ContinuationReference.

7.3 Common arguments

7.3.1 The CommonArguments information may be present to qualify the invocation of each operation that the Directory can perform.

   CommonArguments ::= SET {
       [30] ServiceControls DEFAULT { },
       [29] SecurityParameters DEFAULT { },
       requestor [28] DistinguishedName OPTIONAL,
       [27] OperationProgress DEFAULT notStarted,
       aliasedRDNs [26] INTEGER OPTIONAL,
       extensions [25] SET OF Extension OPTIONAL }

   Extension ::= SET {
       identifier [0] INTEGER,
       critical [1] BOOLEAN DEFAULT FALSE,
       item [2] ANY DEFINED BY identifier }

7.3.2 The various components have the meanings defined in 7.3.2.1 to 7.3.2.4.

7.3.2.1 The ServiceControls component is specified in 7.5. Its absence is deemed equivalent to there being an empty set of controls.

7.3.2.2 The SecurityParameters component is specified in 7.9. Its absence is deemed equivalent to there being an empty set of security parameters.

7.3.2.3 The requestor DistinguishedName identifies the originator of a particular abstract-operation. It holds the name of the user as identified at the time of binding to the Directory. It may be required when the request is to be signed (see 7.10), and shall hold the name of the user who initiated the request.

7.3.2.4 The OperationProgress defines the role that the DSA is to play in the distributed evaluation of the request. It is more fully defined in Recommendation X.518.

7.3.2.5 The aliasedRDNs component indicates to the DSA that the object component of the operation was created by the dereferencing of an alias on an earlier operation attempt. The integer value indicates the number of RDNs in the object that came from dereferencing the alias.
(The value would have been set in the referral response of the previous operation.)

7.3.2.6 The extensions component provides a mechanism to express standardized extensions to the form of the argument of a Directory abstract-operation.

Note - The form of the result of such an extended abstract-operation is identical to that of the non-extended version. (Nonetheless, the result of a particular extended abstract-operation may differ from its non-extended counterpart.)

The subcomponents are as defined in 7.3.2.6.1 to 7.3.2.6.3.

7.3.2.6.1 The identifier serves to identify a particular extension. Values of this component shall be assigned only by future versions of this series of Recommendations.

7.3.2.6.2 The critical subcomponent allows the originator of the extended abstract-operation to indicate that the performance of only the extended form of the abstract-operation is acceptable (i.e. that the non-extended form is not acceptable). In this case the extension is a critical extension. If the Directory, or some part of it, is unable to perform a critical extension, it returns an indication of unavailableCriticalExtension (as a ServiceError or PartialOutcomeQualifier). If the Directory is unable to perform an extension which is not critical, it ignores the presence of the extension.

7.3.2.6.3 The item subcomponent provides the information needed for the Directory to perform the extended form of the abstract-operation.

7.4 Common results

7.4.1 The CommonResults information should be present to qualify the result of each retrieval operation that the Directory can perform.

   CommonResults ::= SET {
       [30] SecurityParameters OPTIONAL,
       performer [29] DistinguishedName OPTIONAL,
       aliasDereferenced [28] BOOLEAN DEFAULT FALSE }

7.4.2 The various components have the meanings defined in 7.4.2.1 to 7.4.2.3.

7.4.2.1 The SecurityParameters component is specified in 7.9.
Its absence is deemed equivalent to there being an empty set of security parameters.

7.4.2.2 The performer DistinguishedName identifies the performer of a particular operation. It may be required when the result is to be signed (see 7.10), and shall hold the name of the DSA which signed the result.

7.4.2.3 The aliasDereferenced component is set to TRUE when the purported name of the object or base object which is the target of the operation included an alias which was dereferenced.

7.5 Service controls

7.5.1 A ServiceControls parameter contains the controls, if any, that are to direct or constrain the provision of the service.

   ServiceControls ::= SET {
       options [0] BIT STRING {
           preferChaining (0),
           chainingProhibited (1),
           localScope (2),
           dontUseCopy (3),
           dontDereferenceAliases (4) }
           DEFAULT {},
       priority [1] INTEGER {
           low (0),
           medium (1),
           high (2) } DEFAULT medium,
       timeLimit [2] INTEGER OPTIONAL,
       sizeLimit [3] INTEGER OPTIONAL,
       scopeOfReferral [4] INTEGER {
           dmd (0),
           country (1) } OPTIONAL }

7.5.2 The various components have the meanings defined in 7.5.2.1 to 7.5.2.5.

7.5.2.1 The options component contains a number of indications, each of which, if set, asserts the condition suggested. Thus:
   a) preferChaining indicates that the preference is that chaining, rather than referrals, be used to provide the service. The Directory is not obliged to follow this preference;
   b) chainingProhibited indicates that chaining, and other methods of distributing the request around the Directory, are prohibited;
   c) localScope indicates that the operation is to be limited to a local scope. The definition of this option is itself a local matter.
   For example, within a single DSA or a single DMD;
   d) dontUseCopy indicates that copied information (as defined in Recommendation X.518) shall not be used to provide the service;
   e) dontDereferenceAliases indicates that any alias used to identify the entry affected by an operation is not to be dereferenced.

Note - This is necessary to allow reference to an alias entry itself rather than the aliased entry, e.g. in order to read the alias entry.

If this component is omitted, the following are assumed: no preference for chaining but chaining not prohibited, no limit on the scope of the operation, use of copy permitted, and aliases will be dereferenced (except for modify operations, where aliases are never dereferenced).

7.5.2.2 The priority component indicates the priority (low, medium or high) at which the service is to be provided. Note that this is not a guaranteed service, in that the Directory as a whole does not implement queuing. There is no relationship implied with the use of "priorities" in underlying layers.

7.5.2.3 The timeLimit indicates the maximum elapsed time, in seconds, within which the service shall be provided. If the constraint cannot be met, an error is reported. If this component is omitted, no time limit is implied. In the case of the time limit being exceeded on a List or Search, the result is an arbitrary selection of the accumulated results.

Note - This component does not imply the length of time spent processing the request during the elapsed time: any number of DSAs may be involved in processing the request during the elapsed time.

7.5.2.4 The sizeLimit is only applicable to List and Search operations. It indicates the maximum number of objects to be returned. In the case of the size limit being exceeded, the results of List and Search may be an arbitrary selection of the accumulated results, equal in number to the size limit. Any further results shall be discarded.
7.5.2.5 The scopeOfReferral indicates the scope to which a referral returned by a DSA should be relevant. Depending on whether the value dmd or country is selected, only referrals to other DSAs within the selected scope will be returned.

This applies to the referrals in both a ReferralError and the unexplored parameter of List and Search results.

7.5.3 Certain combinations of priority, timeLimit and sizeLimit may result in conflicts. For example, a short time limit could conflict with low priority; a high size limit could conflict with a low time limit, etc.

7.6 Entry information selection

7.6.1 An EntryInformationSelection parameter indicates what information is being requested from an entry in a retrieval service.

   EntryInformationSelection ::= SET {
       attributeTypes
           CHOICE {
               allAttributes [0] NULL,
               select [1] SET OF AttributeType
                   -- empty set implies no attributes
                   -- are requested }
           DEFAULT allAttributes NULL,
       infoTypes [2] INTEGER {
           attributeTypesOnly (0),
           attributeTypesAndValues (1) }
           DEFAULT attributeTypesAndValues }

7.6.2 The various components have the meanings defined in 7.6.2.1 and 7.6.2.2.

7.6.2.1 The attributeTypes component specifies the set of attributes about which information is requested:
   a) if the select option is chosen, then the attributes involved are listed. If the list is empty, then no attributes will be returned. Information about a selected attribute shall be returned if the attribute is present. An AttributeError with the noSuchAttribute problem shall only be returned if none of the attributes selected is present;
   b) if the allAttributes option is selected, then information is requested about all attributes in the entry.

Attribute information is only returned if access rights are sufficient.
A SecurityError (with an insufficientAccessRights problem) will only be returned in the case where access rights preclude the reading of all attribute values requested.

7.6.2.2 The infoTypes component specifies whether both attribute type and attribute value information (the default) or attribute type information only is requested. If the attributeTypes component (7.6.2.1) is such as to request no attributes, then this component is not meaningful.

7.7 Entry information

7.7.1 An EntryInformation parameter conveys selected information from an entry.

   EntryInformation ::= SEQUENCE {
       DistinguishedName,
       fromEntry BOOLEAN DEFAULT TRUE,
       SET OF CHOICE {
           AttributeType,
           Attribute } OPTIONAL }

7.7.2 The DistinguishedName of the entry is always included.

7.7.3 The fromEntry parameter indicates whether the information was obtained from the entry (TRUE) or from a copy of the entry (FALSE).

7.7.4 A set of AttributeTypes or Attributes is included, if relevant, each of which may be alone or accompanied by one or more attribute values.

7.8 Filter

7.8.1 A Filter parameter applies a test that is either satisfied or not by a particular entry. The filter is expressed in terms of assertions about the presence or value of certain attributes of the entry, and is satisfied if and only if it evaluates to TRUE.

Note - A Filter may be TRUE, FALSE, or undefined.
   Filter ::= CHOICE {
       item [0] FilterItem,
       and [1] SET OF Filter,
       or [2] SET OF Filter,
       not [3] Filter }

   FilterItem ::= CHOICE {
       equality [0] AttributeValueAssertion,
       substrings [1] SEQUENCE {
           type AttributeType,
           strings SEQUENCE OF CHOICE {
               initial [0] AttributeValue,
               any [1] AttributeValue,
               final [2] AttributeValue } },
       greaterOrEqual [2] AttributeValueAssertion,
       lessOrEqual [3] AttributeValueAssertion,
       present [4] AttributeType,
       approximateMatch [5] AttributeValueAssertion }

7.8.2 A Filter is either a FilterItem (see 7.8.3), or an expression involving simpler Filters composed together using the logical operators and, or, and not. The Filter is undefined if it is a FilterItem which is undefined, or if it involves one or more simpler Filters, all of which are undefined. Otherwise, where the Filter is:
   a) an item, it is TRUE if and only if the corresponding FilterItem is TRUE;
   b) an and, it is TRUE unless any of the nested Filters is FALSE;
      Note - Thus, if there are no nested Filters the and evaluates to TRUE.
   c) an or, it is FALSE unless any of the nested Filters is TRUE;
      Note - Thus, if there are no nested Filters the or evaluates to FALSE.
   d) a not, it is TRUE if and only if the nested Filter is FALSE.

7.8.3 A FilterItem is an assertion about the presence or value(s) of an attribute of a particular type in the entry under test. Each such assertion is TRUE, FALSE, or undefined.

7.8.3.1 Every FilterItem includes an AttributeType which identifies the particular attribute concerned.

7.8.3.2 Any assertion about the value of such an attribute is only defined if the AttributeType is known, and the purported AttributeValue(s) conform to the attribute syntax defined for that attribute type.

Note 1 - Where these conditions are not met the FilterItem is undefined.
Note 2 - Access control restrictions may require that the FilterItem be considered undefined.

7.8.3.3 Assertions about the value of an attribute are evaluated using the matching rules associated with the attribute syntax defined for that attribute type. A matching rule not defined for a particular attribute syntax cannot be used to make assertions about that attribute.

Note - Where this condition is not met, the FilterItem is undefined.

7.8.3.4 A FilterItem may be undefined (as described in 7.8.3.2 and 7.8.3.3 above). Otherwise, where the FilterItem asserts:
   a) equality, it is TRUE if and only if there is a value of the attribute which is equal to that asserted;
   b) substrings, it is TRUE if and only if there is a value of the attribute in which the specified substrings appear in the given order. The substrings shall be non-overlapping, and may (but need not) be separated from the ends of the attribute value and from one another by zero or more string elements. If initial is present, the substring shall match the initial substring of the attribute value; if final is present, the substring shall match the final substring of the attribute value; if any is present, the substring may match any substring in the attribute value;
   c) greaterOrEqual, it is TRUE if and only if the relative ordering (as defined by the appropriate ordering algorithm) places the supplied value before or equal to any value of the attribute;
   d) lessOrEqual, it is TRUE if and only if the relative ordering (as defined by the appropriate ordering algorithm) places the supplied value after or equal to any value of the attribute;
   e) present, it is TRUE if and only if such an attribute is present in the entry;
   f) approximateMatch, it is TRUE if and only if there is a value of the attribute which matches that which is asserted by some locally-defined approximate matching algorithm (e.g. spelling variations, phonetic match, etc.).
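The Filter evaluation rules of 7.8.2 and the FilterItem rules of 7.8.3.4, worked through in code. This is an added example and is not part of Recommendation X.511 or of any Directory implementation; the SYNTAX table of supported matching rules, SAMPLE_ENTRY, the tuple encoding used for Filter and FilterItem values, and the case-insensitive rule standing in for "locally-defined approximate matching" are all assumptions made for illustration. It goes slightly beyond the text in covering every FilterItem choice together, including the three-valued outcome and the 1988 rule that a composite Filter is undefined only when all of its nested Filters are undefined.

```python
# Added example (not from Recommendation X.511): evaluator for the 1988
# X.511 Filter semantics of 7.8.2 and 7.8.3.4, with TRUE / FALSE / undefined.
from enum import Enum


class Result(Enum):
    TRUE = "TRUE"
    FALSE = "FALSE"
    UNDEFINED = "undefined"


# Constructed attribute-syntax table: the matching rules each known attribute
# type supports (7.8.3.3). A type not listed here is an unknown AttributeType,
# so any assertion about it is undefined (7.8.3.2).
SYNTAX = {
    "commonName": {"equality", "substrings", "approximateMatch"},
    "surname": {"equality", "substrings"},
    "serialNumber": {"equality", "greaterOrEqual", "lessOrEqual"},
}

# Constructed entry under test: attribute type -> list of values.
SAMPLE_ENTRY = {
    "commonName": ["Alice Example"],
    "surname": ["Example"],
    "serialNumber": [42],
}


def substrings_match(value, parts):
    """7.8.3.4 b): the parts appear in order and do not overlap; 'initial'
    must sit at the start, 'final' at the end, 'any' anywhere after the
    previous part."""
    pos = 0
    for kind, s in parts:
        if kind == "initial":
            if pos != 0 or not value.startswith(s):
                return False
            pos = len(s)
        elif kind == "any":
            idx = value.find(s, pos)      # search only past the previous part
            if idx < 0:
                return False
            pos = idx + len(s)
        elif kind == "final":
            if not value.endswith(s) or len(value) - len(s) < pos:
                return False
            pos = len(value)
        else:
            raise ValueError(f"unknown substring choice {kind!r}")
    return True


def eval_item(item, entry):
    """Evaluate one FilterItem, encoded as (choice, attributeType, assertion)."""
    kind, atype, assertion = item
    if atype not in SYNTAX:
        return Result.UNDEFINED               # unknown AttributeType (7.8.3.2)
    if kind == "present":                     # needs no matching rule
        return Result.TRUE if atype in entry else Result.FALSE
    if kind == "approximateMatch" and "approximateMatch" not in SYNTAX[atype]:
        kind = "equality"                     # unsupported: treat as equality
    if kind not in SYNTAX[atype]:
        return Result.UNDEFINED               # rule not defined for syntax (7.8.3.3)
    values = entry.get(atype, [])
    if kind == "equality":
        hit = any(v == assertion for v in values)
    elif kind == "approximateMatch":          # assumed local rule: ignore case
        hit = any(str(v).lower() == str(assertion).lower() for v in values)
    elif kind == "substrings":
        hit = any(substrings_match(v, assertion) for v in values)
    elif kind == "greaterOrEqual":            # supplied value <= some stored value
        hit = any(assertion <= v for v in values)
    elif kind == "lessOrEqual":               # supplied value >= some stored value
        hit = any(assertion >= v for v in values)
    else:
        raise ValueError(f"unknown FilterItem choice {kind!r}")
    return Result.TRUE if hit else Result.FALSE


def eval_filter(f, entry):
    """7.8.2: a Filter is (\"item\", FilterItem), (\"not\", Filter),
    (\"and\", [Filter...]) or (\"or\", [Filter...])."""
    kind, arg = f
    if kind == "item":
        return eval_item(arg, entry)
    if kind == "not":
        r = eval_filter(arg, entry)
        if r == Result.UNDEFINED:
            return Result.UNDEFINED
        return Result.TRUE if r == Result.FALSE else Result.FALSE
    results = [eval_filter(sub, entry) for sub in arg]
    # undefined only if there is at least one nested Filter and all are undefined
    if results and all(r == Result.UNDEFINED for r in results):
        return Result.UNDEFINED
    if kind == "and":                         # TRUE unless some nested is FALSE
        return Result.FALSE if Result.FALSE in results else Result.TRUE
    if kind == "or":                          # FALSE unless some nested is TRUE
        return Result.TRUE if Result.TRUE in results else Result.FALSE
    raise ValueError(f"unknown Filter choice {kind!r}")
```

Under these rules an and over one undefined and one TRUE nested Filter evaluates to TRUE, and an or over one undefined and one FALSE nested Filter evaluates to FALSE; an evaluator that propagates undefined instead (as LDAP's RFC 4511 does for and/or) answers differently, which matters where access-control restrictions make items undefined (Note 2 of 7.8.3.2).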
There are no specific guidelines for approximate matching in this version of the Recommendation. If approximate matching is not supported, this FilterItem should be treated as a match for equality.

7.9 Security parameters

7.9.1 The SecurityParameters govern the operation of various security features associated with a Directory operation.

Note - These parameters are conveyed from sender to recipient. Where the parameters appear in the argument of an abstract-operation the requestor is the sender, and the performer is the recipient. In a result, the roles are reversed.

   SecurityParameters ::= SET {
       certificationPath [0] CertificationPath OPTIONAL,
       name [1] DistinguishedName OPTIONAL,
       time [2] UTCTime OPTIONAL,
       random [3] BIT STRING OPTIONAL,
       target [4] ProtectionRequest OPTIONAL }

   ProtectionRequest ::= INTEGER {
       none (0),
       signed (1) }

7.9.2 The various components have the meanings defined in 7.9.2.1 to 7.9.2.5.

7.9.2.1 The CertificationPath component consists of the sender's certificate and, optionally, a sequence of certificate pairs. The certificate is used to associate the sender's public key and distinguished name, and may be used to verify the signature on the argument or result. This parameter shall be present if the argument or result is signed. The sequence of certificate pairs consists of certification-authority cross-certificates. It is used to enable the sender's certificate to be validated. It is not required if the recipient shares the same certification authority as the sender. If the recipient requires a valid set of certificate pairs, and this parameter is not present, whether the recipient rejects the signature on the argument or result, or attempts to generate the certification path, is a local matter.

7.9.2.2 The name is the distinguished name of the first intended recipient of the argument or result.
For example, if a DUA generates a signed argument, the name is the distinguished name of the DSA to which the operation is submitted.

7.9.2.3 The time is the intended expiry time for the validity of the signature, when signed arguments are used. It is used in conjunction with the random number to enable the detection of replay attacks.

7.9.2.4 The random component is a number which should be different for each unexpired token. It is used in conjunction with the time parameter to enable the detection of replay attacks when the argument or result has been signed.

7.9.2.5 The target ProtectionRequest may appear only in the request for an operation to be carried out, and indicates the requestor's preference regarding the degree of protection to be provided to the result. Two levels are provided: none (no protection requested), and signed (the Directory is requested to sign the result; this is the default). The degree of protection actually provided to the result is indicated by the form of the result and may be equal to or lower than that requested, based on the limitations of the Directory.

7.10 OPTIONALLY-SIGNED

7.10.1 An OPTIONALLY-SIGNED information type is one whose values may, at the option of the generator, be accompanied by their digital signature. This capability is specified by means of the following macro:

   OPTIONALLY-SIGNED MACRO ::=
   BEGIN
       TYPE NOTATION ::= type (Type)
       VALUE NOTATION ::= value (VALUE
           CHOICE { Type, SIGNED Type })
   END

7.10.2 The SIGNED macro, which describes the signed form of the information, is specified in Recommendation X.509.

8 Bind and unbind operations

The DirectoryBind and DirectoryUnbind operations, defined in 8.1 and 8.2 respectively, are used by the DUA at the beginning and end of a particular period of accessing the Directory.
8.1 Directory bind

8.1.1 A DirectoryBind operation is used at the beginning of a period of accessing the Directory.

   DirectoryBind ::= ABSTRACT-BIND
       TO { readPort, searchPort, modifyPort }
       BIND
       ARGUMENT DirectoryBindArgument
       RESULT DirectoryBindResult
       BIND-ERROR DirectoryBindError

   DirectoryBindArgument ::= SET {
       credentials [0] Credentials OPTIONAL,
       versions [1] Versions DEFAULT v1988 }

   Credentials ::= CHOICE {
       simple [0] SimpleCredentials,
       strong [1] StrongCredentials,
       externalProcedure [2] EXTERNAL }

   SimpleCredentials ::= SEQUENCE {
       name [0] DistinguishedName,
       validity [1] SET {
           time1 [0] UTCTime OPTIONAL,
           time2 [1] UTCTime OPTIONAL,
           random1 [2] BIT STRING OPTIONAL,
           random2 [3] BIT STRING OPTIONAL } OPTIONAL,
           -- in most instances the arguments for
           -- time and random are relevant in
           -- dialogues employing protected password
           -- mechanisms and derive their meaning
           -- as per bilateral agreements
       password [2] OCTET STRING OPTIONAL }
       -- the value could be an unprotected
       -- password or Protected1 or Protected2
       -- as specified in Recommendation X.509.

   StrongCredentials ::= SET {
       certificationPath [0] CertificationPath OPTIONAL,
       bindToken [1] Token }

   Token ::= SIGNED SEQUENCE {
       algorithm [0] AlgorithmIdentifier,
       name [1] DistinguishedName,
       time [2] UTCTime,
       random [3] BIT STRING }

   Versions ::= BIT STRING { v1988 (0) }

   DirectoryBindResult ::= DirectoryBindArgument

   DirectoryBindError ::= SET {
       versions [0] Versions DEFAULT v1988,
       CHOICE {
           serviceError [1] ServiceProblem,
           securityError [2] SecurityProblem } }

8.1.2 The various arguments have the meanings defined in 8.1.2.1 to 8.1.2.2.

8.1.2.1 The Credentials of the DirectoryBindArgument allow the Directory to establish the identity of the user.
They may be either simple, strong (as described in Recommendation X.509) or externally defined (externalProcedure).

8.1.2.1.1 SimpleCredentials consist of a name (always the distinguished name of an object) and (optionally) a password. This provides a limited degree of security. If the password is protected as described in 5 of Recommendation X.509, then SimpleCredentials includes name, password and (optionally) time and/or random numbers which are used to detect replay. In some instances a protected password may be checked by an object which knows the password only after locally regenerating the protection over its own copy of the password and comparing the result with the value in the bind argument (password). In other instances a direct compare may be possible.

8.1.2.1.2 StrongCredentials consist of a bind token and, optionally, a certificate and a sequence of certification-authority cross-certificates (as defined in Recommendation X.509). This enables the Directory to authenticate the identity of the requestor establishing the association, and vice versa. The arguments of the bind token are used as follows: algorithm is the identifier of the algorithm employed to sign the information; name is the name of the intended recipient. The time parameter contains the expiry time of the token. The random number is a number which should be different for each unexpired token, and may be used by the recipient to detect replay attacks.

8.1.2.1.3 If externalProcedure is used then the semantics of the authentication scheme being used are outside the scope of the Directory documents.

8.1.2.2 The Versions argument of the DirectoryBindArgument identifies the versions of the service in which the DUA is prepared to participate. For this version of the protocol the value shall be set to v1988 (0).
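The replay-detection role of the bind token's name, time and random fields described in 8.1.2.1.2 (and, in the same way, the time/random pair of SecurityParameters in 7.9.2.3 and 7.9.2.4), shown as the acceptance checks a recipient DSA would run. This is an added example, not part of Recommendation X.511 or of any DSA product; the Token and TokenAcceptor classes, the sample distinguished names and UTCTime values, and the verify_signature callback are constructed for illustration, and the X.509 signature verification itself is assumed to be supplied by the caller rather than implemented here.

```python
# Added example (not from Recommendation X.511): recipient-side checks for a
# strong-authentication bind Token (8.1.1), covering intended recipient,
# expiry time and reuse of the random value among unexpired tokens.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Token:
    algorithm: str      # AlgorithmIdentifier, treated as opaque here
    name: str           # DistinguishedName of the intended recipient
    time: str           # UTCTime expiry, e.g. "880601120000Z"
    random: bytes       # BIT STRING that must differ per unexpired token
    signature: bytes    # sender's signature; checked through a callback


def parse_utctime(s):
    """Parse the UTCTime form YYMMDDHHMMSSZ (the only form handled here, an
    assumption); two-digit years map 50-99 -> 19xx and 00-49 -> 20xx."""
    if len(s) != 13 or not s.endswith("Z"):
        raise ValueError("unsupported UTCTime form")
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


@dataclass
class TokenAcceptor:
    my_name: str                              # this DSA's distinguished name
    verify_signature: object                  # callable(token) -> bool, per X.509
    seen: dict = field(default_factory=dict)  # random -> expiry, unexpired only

    def accept(self, token, now):
        """Return (ok, bind-error problem or None, reason). The problem value
        follows 8.1.4.2; the reason is for the recipient's own logging."""
        if token.name != self.my_name:
            return False, "invalidCredentials", "wrongRecipient"
        expiry = parse_utctime(token.time)
        # Forget randoms whose tokens have expired: the expiry check alone now
        # rejects any replay of those, so the cache stays bounded.
        self.seen = {r: e for r, e in self.seen.items() if e > now}
        if now >= expiry:
            return False, "invalidCredentials", "expired"
        if token.random in self.seen:
            return False, "invalidCredentials", "replay"
        if not self.verify_signature(token):
            return False, "invalidCredentials", "badSignature"
        self.seen[token.random] = expiry      # remember until it expires
        return True, None, "accepted"
```

The random value is recorded only after the signature verifies, so an unauthenticated sender cannot fill the cache or cause a later genuine token to be reported as a replay; the cache is pruned by the token's own expiry time, which is why the text pairs time with random rather than relying on either alone.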
8.1.2.3 Migration to future versions of the Directory should be facilitated by:
   a) any elements of DirectoryBindArgument other than those defined in this Recommendation shall be accepted and ignored;
   b) additional options for named bits of DirectoryBindArgument (e.g. Versions) not defined shall be accepted and ignored.

8.1.3 Should the bind request succeed, a result will be returned. The result parameters have the meanings defined in 8.1.3.1 and 8.1.3.2.

8.1.3.1 The Credentials of the DirectoryBindResult allow the user to establish the identity of the DSA. They allow information identifying the DSA (that is directly providing the Directory service) to be conveyed to the DUA. They shall be of the same form (i.e. CHOICE) as those supplied by the user.

8.1.3.2 The Versions parameter of the DirectoryBindResult indicates which of the versions of the service requested by the DUA is actually going to be provided by this DSA.

8.1.4 Should the bind request fail, a bind error will be returned as defined in 8.1.4.1 and 8.1.4.2.

8.1.4.1 The Versions parameter of the DirectoryBindError indicates which versions are supported by this DSA.

8.1.4.2 A securityError or serviceError shall be supplied as follows:
   - securityError: inappropriateAuthentication
                    invalidCredentials
   - serviceError: unavailable.

8.2 Directory unbind

8.2.1 A DirectoryUnbind operation is used at the end of a period of accessing the Directory.

   DirectoryUnbind ::= ABSTRACT-UNBIND
       FROM { readPort, searchPort, modifyPort }

8.2.2 The DirectoryUnbind has no arguments.

9 Directory read operations

There are two "read-like" operations: Read and Compare, defined in 9.1 and 9.2 respectively. The Abandon operation, defined in 9.3, is grouped with the Read operations for convenience.

9.1 Read

9.1.1 A Read operation is used to extract information from an explicitly identified entry.
It may also be used to verify a distinguished name. The arguments of the operation may optionally be signed (see 7.10) by the requestor. If so requested, the Directory may sign the result.

    Read ::= ABSTRACT-OPERATION
        ARGUMENT ReadArgument
        RESULT ReadResult
        ERRORS { AttributeError, NameError, ServiceError, Referral, Abandoned, SecurityError }

    ReadArgument ::= OPTIONALLY-SIGNED SET {
        object [0] Name,
        selection [1] EntryInformationSelection DEFAULT {},
        COMPONENTS OF CommonArguments }

    ReadResult ::= OPTIONALLY-SIGNED SET {
        entry [0] EntryInformation,
        COMPONENTS OF CommonResults }

9.1.2 The various arguments have the meanings defined in 9.1.2.1 to 9.1.2.3.

9.1.2.1 The object argument identifies the object entry from which the information is requested. Should the Name involve one or more aliases, they are dereferenced (unless this is prohibited by the relevant service controls).

9.1.2.2 The selection argument indicates what information from the entry is requested (see 7.6).

9.1.2.3 The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the purposes of this operation the sizeLimit component is not relevant and is ignored if provided.

9.1.3 Should the request succeed, the result will be returned. The result parameters have the meanings defined in 9.1.3.1 and 7.4.

9.1.3.1 The entry result parameter holds the requested information (see 7.7).

9.1.4 Should the request fail, one of the listed errors will be reported. If none of the attributes explicitly listed in selection can be returned, then an AttributeError with problem noSuchAttribute will be reported. The circumstances under which other errors will be reported are defined in 12.
9.2 Compare

9.2.1 A Compare operation is used to compare a value (which is supplied as an argument of the request) with the value(s) of a particular attribute type in a particular object entry. The arguments of the operation may optionally be signed (see 7.10) by the requestor. If so requested, the Directory may sign the result.

    Compare ::= ABSTRACT-OPERATION
        ARGUMENT CompareArgument
        RESULT CompareResult
        ERRORS { AttributeError, NameError, ServiceError, Referral, Abandoned, SecurityError }

    CompareArgument ::= OPTIONALLY-SIGNED SET {
        object [0] Name,
        purported [1] AttributeValueAssertion,
        COMPONENTS OF CommonArguments }

    CompareResult ::= OPTIONALLY-SIGNED SET {
        DistinguishedName OPTIONAL,
        matched [0] BOOLEAN,
        fromEntry [1] BOOLEAN DEFAULT TRUE,
        COMPONENTS OF CommonResults }

9.2.2 The various arguments have the meanings defined in 9.2.2.1 to 9.2.2.3.

9.2.2.1 The object argument is the name of the particular object entry concerned. Should the Name involve one or more aliases, they are dereferenced (unless prohibited by the relevant service control).

9.2.2.2 The purported argument identifies the attribute type and the value to be compared with that in the entry.

9.2.2.3 The CommonArguments (see 7.3) specify the service controls applying to the request. For the purposes of this operation the sizeLimit component is not relevant and is ignored, if provided.

9.2.3 Should the request succeed (i.e. the comparison is actually carried out), the result will be returned. The result parameters have the meanings described in 9.2.3.1, 9.2.3.2 and 7.4.

9.2.3.1 The DistinguishedName is present if an alias was dereferenced and represents the distinguished name of the object itself.

9.2.3.2 The matched result parameter holds the result of the comparison. The parameter takes the value TRUE if the values were compared and matched, and FALSE if they did not.

9.2.3.3 If fromEntry is TRUE the information was compared against the entry; if FALSE some of the information was compared against a copy.

9.2.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors will be reported are defined in 12.

9.3 Abandon

9.3.1 Operations that interrogate the Directory may be abandoned using the Abandon operation if the user is no longer interested in the result.

    Abandon ::= ABSTRACT-OPERATION
        ARGUMENT AbandonArgument
        RESULT AbandonResult
        ERRORS { AbandonFailed }

    AbandonArgument ::= SEQUENCE {
        invokeID [0] InvokeID }

    AbandonResult ::= NULL

9.3.2 There is a single argument, the invokeID, which identifies the operation that is to be abandoned. The value of the invokeID is the same invokeID which was used to invoke the operation which is to be abandoned.

9.3.3 Should the request succeed, a result will be returned, although no information will be conveyed with it. The original operation will fail with an Abandoned error.

9.3.4 Should the request fail, the AbandonFailed error will be reported. This error is described in 12.3.

9.3.5 Abandon is only applicable to interrogation operations, i.e. Read, Compare, List and Search.

9.3.6 A DSA may abandon an operation locally. If the DSA has chained or multicast the operation to other DSAs, it may in turn request them to abandon the operation. A DSA may choose not to abandon the operation and shall then return the AbandonFailed error.

10 Directory search operations

There are two "search-like" operations: List and Search, defined in 10.1 and 10.2 respectively.

10.1 List

10.1.1 A List operation is used to obtain a list of the immediate subordinates of an explicitly identified entry. Under some circumstances, the list returned may be incomplete.
The arguments of the operation may optionally be signed (see 7.10) by the requestor. If so requested, the Directory may sign the result.

    List ::= ABSTRACT-OPERATION
        ARGUMENT ListArgument
        RESULT ListResult
        ERRORS { NameError, ServiceError, Referral, Abandoned, SecurityError }

    ListArgument ::= OPTIONALLY-SIGNED SET {
        object [0] Name,
        COMPONENTS OF CommonArguments }

    ListResult ::= OPTIONALLY-SIGNED CHOICE {
        listInfo SET {
            DistinguishedName OPTIONAL,
            subordinates [1] SET OF SEQUENCE {
                RelativeDistinguishedName,
                aliasEntry [0] BOOLEAN DEFAULT FALSE,
                fromEntry [1] BOOLEAN DEFAULT TRUE },
            partialOutcomeQualifier [2] PartialOutcomeQualifier OPTIONAL,
            COMPONENTS OF CommonResults },
        uncorrelatedListInfo [0] SET OF ListResult }

    PartialOutcomeQualifier ::= SET {
        limitProblem [0] LimitProblem OPTIONAL,
        unexplored [1] SET OF ContinuationReference OPTIONAL,
        unavailableCriticalExtensions [2] BOOLEAN DEFAULT FALSE }

    LimitProblem ::= INTEGER {
        timeLimitExceeded (0),
        sizeLimitExceeded (1),
        administrativeLimitExceeded (2) }

10.1.2 The various arguments have the meanings defined in 10.1.2.1 and 7.3.

10.1.2.1 The object argument identifies the object entry (or possibly the root) whose immediate subordinates are to be listed. Should the Name involve one or more aliases, they are dereferenced (unless prohibited by the relevant service control).

10.1.3 The request succeeds if the object is located, regardless of whether there is any subordinate information to return. The result parameters have the meanings defined in 10.1.3.1 to 10.1.3.4 and 7.4.

10.1.3.1 The DistinguishedName is present if an alias was dereferenced. It represents the distinguished name of the object itself.

10.1.3.2 The subordinates parameter conveys the information on the immediate subordinates, if any, of the named entry. Should any of the subordinate entries be aliases, they will not be dereferenced.

10.1.3.2.1 The RelativeDistinguishedName is that of the subordinate.

10.1.3.2.2 The fromEntry parameter indicates whether the information was obtained from the entry (TRUE) or a copy of the entry (FALSE).

10.1.3.2.3 The aliasEntry parameter indicates whether the subordinate entry is an alias entry (TRUE) or not (FALSE).

10.1.3.3 The PartialOutcomeQualifier consists of three subcomponents as defined in 10.1.3.3.1 to 10.1.3.3.3. This parameter shall be present whenever the result is incomplete.

10.1.3.3.1 The LimitProblem parameter indicates whether the time limit, the size limit, or an administrative limit has been exceeded. The results being returned are those which were available when the limit was reached.

10.1.3.3.2 The unexplored parameter shall be present if regions of the DIT were not explored. Its information allows the DUA to continue the processing of the List operation by contacting other access points if it so chooses. The parameter consists of a set (possibly empty) of ContinuationReferences, each consisting of the name of a base object from which the operation may be progressed, an appropriate value of OperationProgress, and a set of access points from which the request may be further progressed. The ContinuationReferences that are returned shall be within the scope of referral requested in the operation service control.

10.1.3.3.3 The unavailableCriticalExtensions parameter indicates, if present, that one or more critical extensions were unavailable in some part of the Directory.

10.1.3.4 When the DUA has requested a protection request of signed, the uncorrelatedListInfo parameter may comprise a number of sets of result parameters originating from and signed by different components of the Directory. If no DSA in the chain can correlate all the results, the DUA must assemble the actual result from the various pieces.
10.1.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors will be reported are defined in 12.

10.2 Search

10.2.1 A Search operation is used to search a portion of the DIT for entries of interest and to return selected information from those entries. The arguments of the operation may optionally be signed (see 7.10) by the requestor. If so requested, the Directory may sign the result.

    Search ::= ABSTRACT-OPERATION
        ARGUMENT SearchArgument
        RESULT SearchResult
        ERRORS { AttributeError, NameError, ServiceError, Referral, Abandoned, SecurityError }

    SearchArgument ::= OPTIONALLY-SIGNED SET {
        baseObject [0] Name,
        subset [1] INTEGER {
            baseObject (0),
            oneLevel (1),
            wholeSubtree (2) } DEFAULT baseObject,
        filter [2] Filter DEFAULT and {},
        searchAliases [3] BOOLEAN DEFAULT TRUE,
        selection [4] EntryInformationSelection DEFAULT {},
        COMPONENTS OF CommonArguments }

    SearchResult ::= OPTIONALLY-SIGNED CHOICE {
        searchInfo SET {
            DistinguishedName OPTIONAL,
            entries [0] SET OF EntryInformation,
            partialOutcomeQualifier [2] PartialOutcomeQualifier OPTIONAL,
            COMPONENTS OF CommonResults },
        uncorrelatedSearchInfo [0] SET OF SearchResult }

10.2.2 The various arguments have the meanings defined in 10.2.2.1 to 10.2.2.3, 10.2.2.5, and 7.3.

10.2.2.1 The baseObject argument identifies the object entry (or possibly the root) relative to which the search is to take place.

10.2.2.2 The subset argument indicates whether the search is to be applied to:
  a) the baseObject only;
  b) the immediate subordinates of the base object only (oneLevel);
  c) the base object and all its subordinates (wholeSubtree).

10.2.2.3 The filter argument is used to eliminate entries from the search space which are not of interest. Information will only be returned on entries which satisfy the filter (see 7.8).

10.2.2.4 Aliases shall be dereferenced while locating the base object, subject to the setting of the dontDereferenceAliases service control. Aliases among the subordinates of the base object shall be dereferenced during the search, subject to the setting of the searchAliases parameter. If the searchAliases parameter is TRUE, aliases shall be dereferenced; if the parameter is FALSE, aliases shall not be dereferenced. If the searchAliases parameter is TRUE, the search shall continue in the subtree of the aliased object.

10.2.2.5 The selection argument indicates what information from the entries is requested (see 7.6).

10.2.3 The request succeeds if the base object is located, regardless of whether there are any subordinates to return.

Note - As a corollary to this, the outcome of an (unfiltered) Search applied to a single entry may not be identical to a Read which seeks to interrogate the same set of attributes of the entry. This is because the latter will return an AttributeError if none of the selected attributes exist in the entry.

The result parameters have the meanings defined in 10.2.3.1 to 10.2.3.4 and 7.3.

10.2.3.1 The DistinguishedName is present if an alias was dereferenced, and represents the distinguished name of the base object.

10.2.3.2 The entries parameter conveys the requested information from each entry (zero or more) which satisfied the filter (see 7.5).

10.2.3.3 The PartialOutcomeQualifier consists of two subcomponents as described for the List operation in 10.1.3.4.

10.2.3.4 The uncorrelatedSearchInfo parameter is as described for uncorrelatedListInfo in 10.1.3.4.

10.2.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors will be reported are defined in 12.
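An added example (not the Recommendation's code) of the subset, searchAliases and dontDereferenceAliases behaviour of 10.2.2.2 and 10.2.2.4, together with the Read contrast noted in 10.2.3; the DIT, the DN representation, the filter and selection forms and the handling of a dangling alias are assumptions.

```python
"""Search subset, alias and selection semantics (10.2.2.2, 10.2.2.4) and the
Read comparison from the note in 10.2.3.

Added example, not code from the Recommendation. The DIT and its names are
constructed; a DN is a tuple of RDN strings from the root outwards, an alias
entry carries an aliasedObjectName attribute, a filter is a plain predicate over
the entry, and a selection is a set of attribute types or None for all
(all assumptions)."""


class NameError_(Exception):
    """Stand-in for the X.511 NameError; the argument is the NameProblem."""


class AttributeError_(Exception):
    """Stand-in for the X.511 AttributeError; the argument is the AttributeProblem."""


# Constructed DIT. ou=People is an alias entry pointing at ou=Staff.
DIT = {
    ("c=XX",): {"objectClass": {"country"}},
    ("c=XX", "o=Example"): {"objectClass": {"organization"}},
    ("c=XX", "o=Example", "ou=Staff"): {"objectClass": {"organizationalUnit"}},
    ("c=XX", "o=Example", "ou=Staff", "cn=Alice"): {
        "objectClass": {"person"}, "cn": {"Alice"}, "sn": {"Smith"}},
    ("c=XX", "o=Example", "ou=Staff", "cn=Bob"): {
        "objectClass": {"person"}, "cn": {"Bob"}, "sn": {"Jones"}},
    ("c=XX", "o=Example", "ou=People"): {
        "objectClass": {"alias"},
        "aliasedObjectName": {("c=XX", "o=Example", "ou=Staff")}},
}


def is_alias(dn):
    return "alias" in DIT[dn]["objectClass"]


def alias_target(dn):
    target = next(iter(DIT[dn]["aliasedObjectName"]))
    if target not in DIT:   # nothing checks the target at AddEntry time (11.1.2.2)
        raise NameError_("aliasProblem")   # choice of problem is an assumption
    return target


def resolve(name, dereference=True):
    """Locate an entry by name, dereferencing aliases met along the way unless
    the dontDereferenceAliases service control prohibits it (10.2.2.4)."""
    dn = ()
    for rdn in name:
        dn = dn + (rdn,)
        if dn not in DIT:
            raise NameError_("noSuchObject")
        if dereference and is_alias(dn):
            dn = alias_target(dn)
    return dn


def subordinates(dn):
    return [d for d in DIT if len(d) == len(dn) + 1 and d[:len(dn)] == dn]


def scope(base, subset, search_aliases):
    """Entries examined for the subset argument. With searchAliases TRUE an alias
    subordinate is replaced by the aliased object and, for wholeSubtree, the
    search continues in that object's subtree; each entry is examined once."""
    if subset == "baseObject":
        return [base]
    result = [base] if subset == "wholeSubtree" else []
    pending = subordinates(base)
    while pending:
        dn = pending.pop(0)
        if search_aliases and is_alias(dn):
            dn = alias_target(dn)
        if dn in result:
            continue
        result.append(dn)
        if subset == "wholeSubtree":
            pending.extend(subordinates(dn))
    return result


def select(entry, selection):
    if selection is None:
        return {t: set(v) for t, v in entry.items()}
    return {t: set(entry[t]) for t in selection if t in entry}


def search(base_object, subset="baseObject", filter_fn=lambda e: True,
           selection=None, search_aliases=True, dont_dereference_aliases=False):
    """Succeeds once the base object is located, even when no entry satisfies
    the filter or the selected attributes are absent (10.2.3)."""
    base = resolve(base_object, dereference=not dont_dereference_aliases)
    return [(dn, select(DIT[dn], selection))
            for dn in scope(base, subset, search_aliases) if filter_fn(DIT[dn])]


def read(name, selection=None):
    """Read (9.1): unlike Search, fails with an AttributeError when none of the
    explicitly selected attributes can be returned (9.1.4)."""
    dn = resolve(name)
    info = select(DIT[dn], selection)
    if selection and not info:
        raise AttributeError_("noSuchAttributeOrValue")  # named noSuchAttribute in 9.1.4
    return dn, info
```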
11 Directory modify operations

There are four operations to modify the Directory: AddEntry, RemoveEntry, ModifyEntry and ModifyRDN, defined in 11.1 to 11.4 respectively.

Note 1 - Each of these abstract operations identifies the target entry by means of its distinguished name.

Note 2 - The success of AddEntry, RemoveEntry, and ModifyRDN operations will be dependent on the physical distribution of the DIB across the Directory. Failure will be reported with an UpdateError and problem affectsMultipleDSAs. See Recommendation X.518.

11.1 Add entry

11.1.1 An AddEntry operation is used to add a leaf entry (either an object entry, or an alias entry) to the DIT. The arguments of the operation may optionally be signed (see 7.10) by the requestor.

    AddEntry ::= ABSTRACT-OPERATION
        ARGUMENT AddEntryArgument
        RESULT AddEntryResult
        ERRORS { AttributeError, NameError, ServiceError, Referral, SecurityError, UpdateError }

    AddEntryArgument ::= OPTIONALLY-SIGNED SET {
        object [0] DistinguishedName,
        entry [1] SET OF Attribute,
        COMPONENTS OF CommonArguments }

    AddEntryResult ::= NULL

11.1.2 The various arguments have the meanings defined in 11.1.2.1 to 11.1.2.3.

11.1.2.1 The object argument identifies the entry to be added. Its immediate superior, which must already exist for the operation to succeed, can be determined by removing the last RDN component (which belongs to the entry to be created).

11.1.2.2 The entry argument contains the attribute information which, together with that from the RDN, constitutes the entry to be created. The Directory shall ensure that the entry conforms to the Directory schema. Where the entry being created is an alias, no check is made to ensure that the aliasedObjectName attribute points to a valid entry.

11.1.2.3 The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the purposes of this operation the dontDereferenceAlias option and the sizeLimit component are not relevant and are ignored if provided. Aliases are never dereferenced by this operation.

11.1.3 Should the request succeed, a result will be returned, although no information will be conveyed with it.

11.1.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors will be reported are defined in 12.

11.2 Remove Entry

11.2.1 A RemoveEntry operation is used to remove a leaf entry (either an object entry or an alias entry) from the DIT. The arguments of the operation may optionally be signed (see 7.10) by the requestor.

    RemoveEntry ::= ABSTRACT-OPERATION
        ARGUMENT RemoveEntryArgument
        RESULT RemoveEntryResult
        ERRORS { NameError, ServiceError, Referral, SecurityError, UpdateError }

    RemoveEntryArgument ::= OPTIONALLY-SIGNED SET {
        object [0] DistinguishedName,
        COMPONENTS OF CommonArguments }

    RemoveEntryResult ::= NULL

11.2.2 The various arguments have the meanings defined in 11.2.2.1 and 11.2.2.2.

11.2.2.1 The object argument identifies the entry to be deleted. Aliases in the name will not be dereferenced.

11.2.2.2 The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the purposes of this operation the dontDereferenceAlias option and the sizeLimit component are not relevant and are ignored if provided. Aliases are never dereferenced by this operation.

11.2.3 Should the request succeed, a result will be returned, although no information will be conveyed with it.

11.2.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors will be reported are defined in 12.
11.3 Modify Entry

11.3.1 The ModifyEntry operation is used to perform a series of one or more of the following modifications to a single entry:
  a) add a new attribute;
  b) remove an attribute;
  c) add attribute values;
  d) remove attribute values;
  e) replace attribute values;
  f) modify an alias.

The arguments of the operation may optionally be signed (see 7.10) by the requestor.

    ModifyEntry ::= ABSTRACT-OPERATION
        ARGUMENT ModifyEntryArgument
        RESULT ModifyEntryResult
        ERRORS { AttributeError, NameError, ServiceError, Referral, SecurityError, UpdateError }

    ModifyEntryArgument ::= OPTIONALLY-SIGNED SET {
        object [0] DistinguishedName,
        changes [1] SEQUENCE OF EntryModification,
        COMPONENTS OF CommonArguments }

    ModifyEntryResult ::= NULL

    EntryModification ::= CHOICE {
        addAttribute [0] Attribute,
        removeAttribute [1] AttributeType,
        addValues [2] Attribute,
        removeValues [3] Attribute }

11.3.2 The various arguments have the meanings defined in 11.3.2.1 and 11.3.2.2.

11.3.2.1 The object argument identifies the entry to which the modifications should be applied. Any aliases in the name will not be dereferenced.

11.3.2.2 The changes argument defines a sequence of modifications, which are applied in the order specified. If any of the individual modifications fails, then an AttributeError is generated and the entry is left in the state it was in prior to the operation. That is, the operation is atomic. The end result of the sequence of modifications shall not violate the Directory schema. However, it is possible, and sometimes necessary, for the individual EntryModification changes to appear to do so. The following types of modification may occur:
  a) addAttribute: This identifies a new attribute to be added to the entry, which is fully specified by the argument. Any attempt to add an already existing attribute results in an AttributeError;
  b) removeAttribute: The argument identifies (by its type) an attribute to be removed from the entry. Any attempt to remove a nonexisting attribute results in an AttributeError;

  Note - This operation is not allowed if the attribute type is present in the RDN.

  c) addValues: This identifies an attribute by the attribute type in the argument, and specifies one or more attribute values to be added to the attribute. An attempt to add an already existing value results in an error. An attempt to add a value to a nonexistent type results in an error;
  d) removeValues: This identifies an attribute by the attribute type in the argument and specifies one or more attribute values to be removed from the attribute. If the values are not present in the attribute, this results in an AttributeError. If an attempt is made to modify the object class attribute, an UpdateError is returned.

  Note - This operation is not allowed if one of the values is present in the RDN.

Values may be replaced by a combination of addValues and removeValues in a single ModifyEntry operation.

11.3.2.3 The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the purposes of this operation the dontDereferenceAlias option and the sizeLimit component are not relevant and are ignored if provided. Aliases are never dereferenced by this operation.

11.3.3 Should the request succeed, a result will be returned, although no information will be conveyed with it.

11.3.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors will be reported are defined in 12.

11.4 Modify RDN

11.4.1 The ModifyRDN operation is used to change the Relative Distinguished Name of a leaf entry (either an object entry or an alias entry) in the DIT.
The arguments of the operation may optionally be signed (see 7.10) by the requestor.

    ModifyRDN ::= ABSTRACT-OPERATION
        ARGUMENT ModifyRDNArgument
        RESULT ModifyRDNResult
        ERRORS { NameError, ServiceError, Referral, SecurityError, UpdateError }

    ModifyRDNArgument ::= OPTIONALLY-SIGNED SET {
        object [0] DistinguishedName,
        newRDN [1] RelativeDistinguishedName,
        deleteOldRDN [2] BOOLEAN DEFAULT FALSE,
        COMPONENTS OF CommonArguments }

    ModifyRDNResult ::= NULL

11.4.2 The various parameters have the meanings defined in 11.4.2.1 to 11.4.2.5.

11.4.2.1 The object argument identifies the entry whose Relative Distinguished Name is to be modified. Aliases in the name will not be dereferenced. The immediate superior entry shall not have any Non-Specific Subordinate References (see Recommendation X.518).

11.4.2.2 The newRDN argument specifies the new RDN of the entry.

11.4.2.3 If an attribute value in the new RDN does not already exist in the entry (either as part of the old RDN or as a non-distinguished value) it is added. If it cannot be added, an error is returned.

11.4.2.4 If the deleteOldRDN flag is set, all attribute values in the old RDN which are not in the new RDN are deleted. If this flag is not set, the old values should remain in the entry (not as a part of the RDN). The flag shall be set where a single-valued attribute in the RDN has its value changed by the operation. If this operation removes the last attribute value of an attribute, that attribute shall be deleted.

11.4.2.5 The CommonArguments (see 7.3) include a specification of the service controls applying to the request. For the purposes of this operation the dontDereferenceAlias option and the sizeLimit component are not relevant and are ignored if provided. Aliases are never dereferenced by this operation.

11.4.3 Should the request succeed, a result will be returned, although no information will be conveyed with it.
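The ordered, atomic application of EntryModification changes in 11.3.2.2 and the newRDN/deleteOldRDN rules of 11.4.2.3 and 11.4.2.4, as one added example that is not the Recommendation's code; the entry and RDN representations, the reduction of schema checking to a set of single-valued attribute types, and the error reported when the deleteOldRDN flag is missing for a single-valued RDN attribute are assumptions.

```python
"""Atomic ModifyEntry (11.3.2.2) and ModifyRDN (11.4.2.3, 11.4.2.4) semantics.

Added example, not code from the Recommendation. An entry is modelled as a
dict from attribute type to a set of values and an RDN as a dict from
attribute type to its distinguished value; schema checking is reduced to a
set of single-valued attribute types (all assumptions)."""
from copy import deepcopy


class AttributeError_(Exception):
    """Stand-in for the X.511 AttributeError; args are (AttributeProblem, type, value)."""


class UpdateError(Exception):
    """Stand-in for the X.511 UpdateError; the argument is the UpdateProblem."""


def modify_entry(entry, rdn, changes):
    """Apply a SEQUENCE OF EntryModification in order. Each change is
    (operation, attributeType, values). If any change fails, the error is raised
    and `entry` is left exactly as it was: the operation is atomic."""
    work = deepcopy(entry)
    for op, atype, values in changes:
        if op == "addAttribute":
            if atype in work:
                raise AttributeError_("attributeOrValueAlreadyExists", atype, None)
            work[atype] = set(values)
        elif op == "removeAttribute":
            if atype in rdn:                      # not allowed if the type is in the RDN
                raise UpdateError("notAllowedOnRDN")
            if atype not in work:
                raise AttributeError_("noSuchAttributeOrValue", atype, None)
            del work[atype]
        elif op == "addValues":
            if atype not in work:                  # adding to a nonexistent type
                raise AttributeError_("noSuchAttributeOrValue", atype, None)
            for v in values:
                if v in work[atype]:
                    raise AttributeError_("attributeOrValueAlreadyExists", atype, v)
                work[atype].add(v)
        elif op == "removeValues":
            if atype == "objectClass":             # modifying object class is an UpdateError
                raise UpdateError("objectClassModificationProhibited")
            if atype not in work:
                raise AttributeError_("noSuchAttributeOrValue", atype, None)
            for v in values:
                if v not in work[atype]:
                    raise AttributeError_("noSuchAttributeOrValue", atype, v)
                if rdn.get(atype) == v:            # not allowed if the value is in the RDN
                    raise UpdateError("notAllowedOnRDN")
                work[atype].discard(v)
        else:
            raise ValueError(f"unknown EntryModification {op}")
    entry.clear()          # commit only once every change has succeeded
    entry.update(work)
    return entry


def modify_rdn(entry, old_rdn, new_rdn, delete_old_rdn=False, single_valued=frozenset()):
    """Change a leaf entry's RDN. New RDN values not yet in the entry are added;
    with deleteOldRDN set, old RDN values absent from the new RDN are deleted,
    and an attribute left with no values is deleted. Returns the new RDN."""
    work = deepcopy(entry)
    for atype, value in new_rdn.items():
        if atype in single_valued and atype in work and value not in work[atype]:
            if not delete_old_rdn:
                # The flag shall be set when a single-valued RDN attribute changes
                # value; reporting that as constraintViolation is an assumption.
                raise AttributeError_("constraintViolation", atype, value)
        work.setdefault(atype, set()).add(value)
    if delete_old_rdn:
        for atype, value in old_rdn.items():
            if new_rdn.get(atype) != value:
                work[atype].discard(value)
                if not work[atype]:
                    del work[atype]
    entry.clear()
    entry.update(work)
    return dict(new_rdn)
```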
11.4.4 Should the request fail, one of the listed errors will be reported. The circumstances under which the particular errors will be returned are defined in 12.

11.4.5 As defined in this Recommendation this operation may only be used on a leaf entry.

12 Errors

12.1 Error Precedence

12.1.1 The Directory does not continue to perform an operation beyond the point at which it determines that an error is to be reported.

Note 1 - An implication of this rule is that the first error encountered can differ for repeated instances of the same query, as there is no specific logical order in which to process a given query. For example, DSAs may be searched in different orders.

Note 2 - The rules of error precedence specified here apply only to the abstract service provided by the Directory as a whole. Different rules apply when the internal structure of the Directory is taken into account.

12.1.2 Should the Directory simultaneously detect more than one error, the following list determines which error is reported. An error higher in the list has a higher logical precedence than one below it and is the error which is reported.
  a) NameError
  b) UpdateError
  c) AttributeError
  d) SecurityError
  e) ServiceError.

12.1.3 The following errors do not present any precedence conflicts:
  a) AbandonFailed, because it is specific to one operation, Abandon, which can encounter no other error;
  b) Abandoned, which is not reported if an Abandon operation is received simultaneously with the detection of an error. In this case an AbandonFailed error, reporting the problem tooLate, is reported along with the report of the actual error encountered;
  c) Referral, which is not a "real" error, only an indication that the Directory has detected that the DUA must present its request to another access point.
12.2 Abandoned

12.2.1 This outcome may be reported for any outstanding directory enquiry operation (i.e. Read, Search, Compare, List) if the DUA invokes an Abandon operation with the appropriate InvokeID.

    Abandoned ::= ABSTRACT-ERROR -- not literally an "error"

12.2.2 There are no parameters associated with this error.

12.3 Abandon Failed

12.3.1 The AbandonFailed error reports a problem encountered during an attempt to abandon an operation.

    AbandonFailed ::= ABSTRACT-ERROR
        PARAMETER SET {
            problem [0] AbandonProblem,
            operation [1] InvokeID }

    AbandonProblem ::= INTEGER {
        noSuchOperation (1),
        tooLate (2),
        cannotAbandon (3) }

12.3.2 The various parameters have the meanings defined in 12.3.2.1 and 12.3.2.2.

12.3.2.1 The particular problem encountered is specified. Any of the following problems may be indicated:
  a) noSuchOperation, when the Directory has no knowledge of the operation which is to be abandoned (this could be because no such invoke took place or because the Directory has forgotten about it);
  b) tooLate, when the Directory has already responded to the operation;
  c) cannotAbandon, when an attempt has been made to abandon an operation for which this is prohibited (e.g. modify), or the abandon could not be performed.

12.3.2.2 The identification of the particular operation (invocation) to be abandoned.

12.4 Attribute Error

12.4.1 An AttributeError reports an attribute-related problem.

    AttributeError ::= ABSTRACT-ERROR
        PARAMETER SET {
            object [0] Name,
            problems [1] SET OF SEQUENCE {
                problem [0] AttributeProblem,
                type [1] AttributeType,
                value [2] AttributeValue OPTIONAL }}

    AttributeProblem ::= INTEGER {
        noSuchAttributeOrValue (1),
        invalidAttributeSyntax (2),
        undefinedAttributeType (3),
        inappropriateMatching (4),
        constraintViolation (5),
        attributeOrValueAlreadyExists (6) }

12.4.2 The various parameters have the meanings described in 12.4.2.1 and 12.4.2.2.

12.4.2.1 The object parameter identifies the entry to which the operation was being applied when the error occurred.

12.4.2.2 One or more problems may be specified. Each problem identified below is accompanied by an indication of the attribute type and, if necessary to avoid ambiguity, the value which caused the problem:
  a) noSuchAttributeOrValue: The named entry lacks one of the attributes or attribute values specified as an argument of the operation;
  b) invalidAttributeSyntax: A purported attribute value, specified as an argument of the operation, does not conform to the attribute syntax of the attribute type;
  c) undefinedAttributeType: An undefined attribute type was provided as an argument to the operation. This error may occur only in relation to Add, Remove, Modify or ModifyRDN operations;
  d) inappropriateMatching: An attempt was made, e.g. in a filter, to use a matching rule not defined for the attribute type concerned;
  e) constraintViolation: An attribute or attribute value supplied in the argument of an abstract operation does not conform to the constraints imposed by Recommendation X.501 or by the attribute definition (e.g. the value exceeds the maximum size allowed);
  f) attributeOrValueAlreadyExists: An attempt was made to add an attribute which already existed in the entry, or a value which already existed in the attribute.
12.5 Name Error

12.5.1 A NameError reports a problem related to the name provided as an argument to an operation.

    NameError ::= ABSTRACT-ERROR
        PARAMETER SET {
            problem [0] NameProblem,
            matched [1] Name }

    NameProblem ::= INTEGER {
        noSuchObject (1),
        aliasProblem (2),
        invalidAttributeSyntax (3),
        aliasDereferencingProblem (4) }

12.5.2 The various parameters have the meanings described in 12.5.2.1 and 12.5.2.2.

12.5.2.1 The particular problem encountered. Any of the following problems may be indicated:
  a) noSuchObject: The name supplied does not match the name of any object;
  c) invalidAttributeSyntax: An attribute type and its accompanying attribute value in an AVA in the name are incompatible;
  d) aliasDereferencingProblem: An alias was encountered in a situation where it was not allowed.

12.5.2.2 The matched parameter contains the name of the lowest entry (object or alias) in the DIT that was matched and is a truncated form of the name provided or, if an alias has been dereferenced, of the resulting name.

Note - If there is a problem with the attribute types and/or values in the name offered in a directory operation argument, this is reported via a NameError (with problem invalidAttributeSyntax) rather than as an AttributeError or an UpdateError.

12.6 Referral

12.6.1 A Referral redirects the service-user to one or more access points better equipped to carry out the requested operation.

    Referral ::= ABSTRACT-ERROR -- not literally an "error"
        PARAMETER SET {
            candidate [0] ContinuationReference }

12.6.2 The error has a single parameter which contains a ContinuationReference which can be used to progress the operation (see Recommendation X.518).

12.7 Security Error

12.7.1 A SecurityError reports a problem in carrying out an operation for security reasons.
    SecurityError ::= ABSTRACT-ERROR
        PARAMETER SET {
            problem [0] SecurityProblem }

    SecurityProblem ::= INTEGER {
        inappropriateAuthentication (1),
        invalidCredentials (2),
        insufficientAccessRights (3),
        invalidSignature (4),
        protectionRequired (5),
        noInformation (6) }

12.7.2 The error has a single parameter, which reports the particular problem encountered. The following problems may be indicated:
  a) inappropriateAuthentication: The level of security associated with the requestor's credentials is inconsistent with the level of protection requested, e.g. simple credentials were supplied while strong credentials were required;
  b) invalidCredentials: The supplied credentials were invalid;
  c) insufficientAccessRights: The requestor does not have the right to carry out the requested operation;
  d) invalidSignature: The signature of the request was found to be invalid;
  e) protectionRequired: The Directory was unwilling to carry out the requested operation because the argument was not signed;
  f) noInformation: The requested operation produced a security error for which no information is available.

12.8 Service Error

12.8.1 A ServiceError reports a problem related to the provision of the service.

    ServiceError ::= ABSTRACT-ERROR
        PARAMETER SET {
            problem [0] ServiceProblem }

    ServiceProblem ::= INTEGER {
        busy (1),
        unavailable (2),
        unwillingToPerform (3),
        chainingRequired (4),
        unableToProceed (5),
        invalidReference (6),
        timeLimitExceeded (7),
        administrativeLimitExceeded (8),
        loopDetected (9),
        unavailableCriticalExtension (10),
        outOfScope (11),
        ditError (12) }

12.8.2 The error has a single parameter, which reports the particular problem encountered. The following problems may be indicated:
  a) busy: The Directory, or some part of it, is presently too busy to perform the requested operation, but may be able to do so after a short while;
  b) unavailable: The Directory, or some part of it, is currently unavailable;
  c) unwillingToPerform: The Directory, or some part of it, is not prepared to execute this request, e.g. because it would lead to excessive consumption of resources or violate the policy of an Administrative Authority involved;
  d) chainingRequired: The Directory is unable to accomplish the request other than by chaining; however, chaining was prohibited by means of the chainingProhibited service control option;
  e) unableToProceed: The DSA returning this error did not have administrative authority for the appropriate naming context and as a consequence was not able to participate in name resolution;
  f) invalidReference: The DSA was unable to perform the request as directed by the DUA (in
  g) timeLimitExceeded: The Directory has reached the limit of time set by the user in a service control. No partial results are available to return to the user;
  h) administrativeLimitExceeded: The Directory has reached some limit set by an administrative authority, and no partial results are available to return to the user;
  i) loopDetected: The Directory is unable to accomplish the request due to an internal loop;
  j) unavailableCriticalExtension: The Directory was unable to execute the request because one or more critical extensions were not available;
  k) outOfScope: No referrals were available within the requested scope;
  l) ditError: The Directory is unable to accomplish the request due to a DIT consistency problem.

12.9 Update Error

12.9.1 An UpdateError reports problems related to attempts to add, delete, or modify information in the DIB.
UpdateError ::= ABSTRACTERROR  hph pPARAMETER SET {  hph problem [0] UpdateProblem } UpdateProblem ::= INTEGER {  hph pnamingViolation (1),  hph pobjectClassViolation (2),  hph pnotAllowedOnNonLeaf (3),  hph pnotAllowedOnRDN (4),  hph pentryAlreadyExists (5),  hph paffectsMultipleDSAs (6),  hph pobjectClassModificationProhibited (7) }  H 12.9.2 The error has a single problem parameter, which reports the particular problem encountered. The following problems may be indicated:  H   a)p namingViolation : The attempted addition or modification would violate the structure rules of the DIT as defined in the Directory schema and RecommendationX.501. That is, it would place an entry as the subordinate of an alias entry, or in a region of the DIT not permitted to a member of its object class or would define an RDN for an entry to include a forbidden attribute type;  H   b)p objectClassViolation : The attempted update would produce an entry inconsistent with the definition provided by its object class or with the definitions of Recommendation X.501 as they pertain to object classes;  H   c)p notAllowedOnNonLeaf : The attempted operation is only allowed on leaf entries of the DIT;  H   d)p notAllowedOnRDN : The attempted operation would affect the RDN (e.g. removal of an attribute which is a part of the RDN);  H   e)p entryAlreadyExists : An attempted AddEntry operation names an entry which already exists;  H   f)p affectsMultipleDSAs : An attempted update would need to operate on multiple DSAs, which is not permitted;  H   g)p objectClassModificationProhibited : An operation attempted to modify the object class attribute.  H  Note ĩ The UpdateError is not used to report problems with attribute types, values or constraint violations encountered in an AddEntry , RemoveEntry , ModifyEntry or ModifyRDN operation. Such problems are reported via an AttributeError .
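The following is an added worked example, not text or code from Recommendation X.511, illustrating how the problem and matched parameters of a NameError (12.5) are determined while a name is resolved against the DIT. The DIT, the attribute syntax checks, the alias entry and the names in it are all constructed for the example; the only things taken from the Recommendation are the NameProblem identifiers and the rule that matched is the lowest matched entry, re-based on the aliased name once an alias has been dereferenced.

```python
"""Toy model of the NameError 'problem' and 'matched' parameters (X.511, 12.5).

Added example, not code from Recommendation X.511.  A name is a list of RDNs
from the root downwards, each RDN here being a single AVA (attribute type,
value).  The DIT, the syntax checks and the alias are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

AVA = Tuple[str, str]
Name = List[AVA]

# Constructed stand-ins for real attribute syntaxes: a value that fails its
# type's check makes the AVA "incompatible" (invalidAttributeSyntax).
SYNTAX: Dict[str, Callable[[str], bool]] = {
    "c": lambda v: len(v) == 2 and v.isalpha() and v.isupper(),
    "o": lambda v: 0 < len(v) <= 64,
    "ou": lambda v: 0 < len(v) <= 64,
    "cn": lambda v: 0 < len(v) <= 64,
}

GB: Name = [("c", "GB")]
EXAMPLE: Name = GB + [("o", "Example")]
SALES: Name = EXAMPLE + [("ou", "Sales")]
MARKETING: Name = EXAMPLE + [("ou", "Marketing")]   # alias entry pointing at SALES

# Constructed DIT: entries keyed by their full name; alias entries carry a target.
ENTRIES: Dict[Tuple[AVA, ...], dict] = {
    tuple(GB): {},
    tuple(EXAMPLE): {},
    tuple(SALES): {},
    tuple(EXAMPLE + [("cn", "Alice")]): {},
    tuple(MARKETING): {"alias": tuple(SALES)},
}


def resolve(name: Name, dereference_aliases: bool = True) -> Tuple[Optional[str], Name]:
    """Walk the offered name down the DIT one RDN at a time.

    Returns (problem, matched): problem is None when the whole name resolved,
    otherwise a NameProblem identifier; matched is the lowest entry that was
    matched, i.e. a truncated form of the offered name, or of the aliased
    name once an alias has been dereferenced (12.5.2.2).
    """
    # Type/value incompatibilities are reported before any name resolution
    # (see the Note under 12.5.2.2: NameError, not AttributeError).
    for typ, val in name:
        check = SYNTAX.get(typ)
        if check is None or not check(val):
            return "invalidAttributeSyntax", []

    matched: Name = []
    remaining = list(name)
    while remaining:
        candidate = matched + [remaining.pop(0)]
        entry = ENTRIES.get(tuple(candidate))
        if entry is None:
            return "noSuchObject", matched
        if "alias" in entry:
            if not dereference_aliases:
                # An alias met where dereferencing is not allowed.
                return "aliasDereferencingProblem", candidate
            target = list(entry["alias"])
            if tuple(target) not in ENTRIES:
                return "aliasProblem", candidate   # the alias names no object
            matched = target   # continue resolution from the aliased object
            continue
        matched = candidate
    return None, matched
```

With this model, a name that runs through the Marketing alias and then fails reports noSuchObject with matched set to the Sales name rather than the Marketing name, which is exactly the "of the resulting name" clause of 12.5.2.2.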
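The single-parameter error SETs of 12.7, 12.8 and 12.9 share one shape: a SET holding a context-tagged [0] INTEGER drawn from a closed enumeration. The following added example, which is not code from Recommendation X.511, DER-encodes and strictly decodes that shape for SecurityError, ServiceError and UpdateError, rejecting truncated input, trailing octets, wrong tags and problem codes outside the enumeration. It assumes explicit tagging for the [0] tag (the ASN.1 default when a module does not state IMPLICIT TAGS); the tagging mode of the X.511 module is not shown in this section, so under implicit tagging the [0] tag would be primitive (0x80) and carry the integer octets directly.

```python
"""DER encoding and strict decoding of the X.511 error PARAMETER SETs
(SecurityError 12.7, ServiceError 12.8, UpdateError 12.9).

Added example, not code from Recommendation X.511.  Assumes explicit
tagging for the [0] context tag; the module's tagging mode is an assumption.
"""
from typing import Dict, Tuple

# INTEGER enumerations exactly as given in 12.7.1, 12.8.1 and 12.9.1.
SECURITY_PROBLEM = {1: "inappropriateAuthentication", 2: "invalidCredentials",
                    3: "insufficientAccessRights", 4: "invalidSignature",
                    5: "protectionRequired", 6: "noInformation"}
SERVICE_PROBLEM = {1: "busy", 2: "unavailable", 3: "unwillingToPerform",
                   4: "chainingRequired", 5: "unableToProceed", 6: "invalidReference",
                   7: "timeLimitExceeded", 8: "administrativeLimitExceeded",
                   9: "loopDetected", 10: "unavailableCriticalExtension",
                   11: "outOfScope", 12: "ditError"}
UPDATE_PROBLEM = {1: "namingViolation", 2: "objectClassViolation",
                  3: "notAllowedOnNonLeaf", 4: "notAllowedOnRDN",
                  5: "entryAlreadyExists", 6: "affectsMultipleDSAs",
                  7: "objectClassModificationProhibited"}
ERRORS: Dict[str, Dict[int, str]] = {"SecurityError": SECURITY_PROBLEM,
                                     "ServiceError": SERVICE_PROBLEM,
                                     "UpdateError": UPDATE_PROBLEM}

TAG_INTEGER, TAG_SET, TAG_CTX0 = 0x02, 0x31, 0xA0   # 0xA0: [0], constructed (explicit tagging)


def _der_length(n: int) -> bytes:
    """Short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value: int) -> bytes:
    """Minimal two's-complement content octets, as DER requires."""
    size = max(1, (value.bit_length() + 8) // 8)
    return value.to_bytes(size, "big", signed=True)


def encode_error(error_name: str, problem: str) -> bytes:
    """DER of the PARAMETER SET, e.g. ("SecurityError", "invalidCredentials")."""
    code = next(c for c, n in ERRORS[error_name].items() if n == problem)
    return _tlv(TAG_SET, _tlv(TAG_CTX0, _tlv(TAG_INTEGER, _der_integer(code))))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the TLV); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length


def _expect(tag: int, buf: bytes) -> bytes:
    """Parse exactly one TLV that fills buf and carries the given tag."""
    got, content, end = _read_tlv(buf, 0)
    if got != tag or end != len(buf):
        raise ValueError(f"expected tag 0x{tag:02x} filling {len(buf)} octets, got 0x{got:02x}")
    return content


def decode_error(error_name: str, der: bytes) -> str:
    """Strictly decode the PARAMETER SET and return the problem identifier.

    A code outside the enumeration is rejected, not folded into a known
    value such as noInformation; a receiver should log it as malformed.
    """
    value = _expect(TAG_INTEGER, _expect(TAG_CTX0, _expect(TAG_SET, der)))
    code = int.from_bytes(value, "big", signed=True)
    try:
        return ERRORS[error_name][code]
    except KeyError:
        raise ValueError(f"unknown {error_name} problem code {code}") from None


def is_valid_error(error_name: str, der: bytes) -> bool:
    """True when der is a well-formed parameter SET for the named error."""
    try:
        decode_error(error_name, der)
        return True
    except ValueError:
        return False
```

For SecurityError with invalidCredentials (2) the encoding is the seven octets 31 05 A0 03 02 01 02: the SET, the explicit [0] wrapper, and the INTEGER. The decoder insists that each layer fills its container exactly, so an appended octet or a code of 7 for SecurityError is rejected rather than partially accepted.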
