LDAP API
Downloads
Getting Started
Documentation
- Five minute tutorial
- User Guide
- API 1 to 2 migration
- JavaDocs 2
- JavaDocs
- Cross-Reference 2
- Cross-Reference
- Developer Guide
- Internal Guide
Support
Community
About Apache
Table of content
- 4.2 - ASN/1 LDAP Grammar
- LDAPMessage
- LDAPResult
- Controls
- AbandonRequest
- AddRequest
- AddResponse
- BindRequest
- BindResponse
- CompareRequest
- CompareResponse
- DelRequest
- DelResponse
- ExtendedRequest
- ExtendedResponse
- IntermediateResponse
- ModifyRequest
- ModifyResponse
- ModifyDNRequest
- ModifyDNResponse
- SearchRequest
- SearchResultDone
- SearchResultEntry
- SearchResultReference
- UnbindRequest
ASN/1 LDAP grammar
The LDAP grammar is defined in RFC 4511, appendix B.
Here it is:
Lightweight-Directory-Access-Protocol-V3 {1 3 6 1 1 18}
-- Copyright (C) The Internet Society (2006). This version of
-- this ASN.1 module is part of RFC 4511; see the RFC itself
-- for full legal notices.
DEFINITIONS
IMPLICIT TAGS
EXTENSIBILITY IMPLIED ::=
BEGIN
LDAPMessage ::= SEQUENCE {
messageID MessageID,
protocolOp CHOICE {
bindRequest BindRequest,
bindResponse BindResponse,
unbindRequest UnbindRequest,
searchRequest SearchRequest,
searchResEntry SearchResultEntry,
searchResDone SearchResultDone,
searchResRef SearchResultReference,
modifyRequest ModifyRequest,
modifyResponse ModifyResponse,
addRequest AddRequest,
addResponse AddResponse,
delRequest DelRequest,
delResponse DelResponse,
modDNRequest ModifyDNRequest,
modDNResponse ModifyDNResponse,
compareRequest CompareRequest,
compareResponse CompareResponse,
abandonRequest AbandonRequest,
extendedReq ExtendedRequest,
extendedResp ExtendedResponse,
...,
intermediateResponse IntermediateResponse },
controls [0] Controls OPTIONAL }
MessageID ::= INTEGER (0 .. maxInt)
maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
LDAPString ::= OCTET STRING -- UTF-8 encoded,
-- [ISO10646] characters
LDAPOID ::= OCTET STRING -- Constrained to <numericoid>
-- [RFC4512]
LDAPDN ::= LDAPString -- Constrained to <distinguishedName>
-- [RFC4514]
RelativeLDAPDN ::= LDAPString -- Constrained to <name-component>
-- [RFC4514]
AttributeDescription ::= LDAPString
-- Constrained to <attributedescription>
-- [RFC4512]
AttributeValue ::= OCTET STRING
AttributeValueAssertion ::= SEQUENCE {
attributeDesc AttributeDescription,
assertionValue AssertionValue }
AssertionValue ::= OCTET STRING
PartialAttribute ::= SEQUENCE {
type AttributeDescription,
vals SET OF value AttributeValue }
Attribute ::= PartialAttribute(WITH COMPONENTS {
...,
vals (SIZE(1..MAX))})
MatchingRuleId ::= LDAPString
LDAPResult ::= SEQUENCE {
resultCode ENUMERATED {
success (0),
operationsError (1),
protocolError (2),
timeLimitExceeded (3),
sizeLimitExceeded (4),
compareFalse (5),
compareTrue (6),
authMethodNotSupported (7),
strongerAuthRequired (8),
-- 9 reserved --
referral (10),
adminLimitExceeded (11),
unavailableCriticalExtension (12),
confidentialityRequired (13),
saslBindInProgress (14),
noSuchAttribute (16),
undefinedAttributeType (17),
inappropriateMatching (18),
constraintViolation (19),
attributeOrValueExists (20),
invalidAttributeSyntax (21),
-- 22-31 unused --
noSuchObject (32),
aliasProblem (33),
invalidDNSyntax (34),
-- 35 reserved for undefined isLeaf --
aliasDereferencingProblem (36),
-- 37-47 unused --
inappropriateAuthentication (48),
invalidCredentials (49),
insufficientAccessRights (50),
busy (51),
unavailable (52),
unwillingToPerform (53),
loopDetect (54),
-- 55-63 unused --
namingViolation (64),
objectClassViolation (65),
notAllowedOnNonLeaf (66),
notAllowedOnRDN (67),
entryAlreadyExists (68),
objectClassModsProhibited (69),
-- 70 reserved for CLDAP --
affectsMultipleDSAs (71),
-- 72-79 unused --
other (80),
... },
matchedDN LDAPDN,
diagnosticMessage LDAPString,
referral [3] Referral OPTIONAL }
Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI
URI ::= LDAPString -- limited to characters permitted in
-- URIs
Controls ::= SEQUENCE OF control Control
Control ::= SEQUENCE {
controlType LDAPOID,
criticality BOOLEAN DEFAULT FALSE,
controlValue OCTET STRING OPTIONAL }
BindRequest ::= [APPLICATION 0] SEQUENCE {
version INTEGER (1 .. 127),
name LDAPDN,
authentication AuthenticationChoice }
AuthenticationChoice ::= CHOICE {
simple [0] OCTET STRING,
-- 1 and 2 reserved
sasl [3] SaslCredentials,
... }
SaslCredentials ::= SEQUENCE {
mechanism LDAPString,
credentials OCTET STRING OPTIONAL }
BindResponse ::= [APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
serverSaslCreds [7] OCTET STRING OPTIONAL }
UnbindRequest ::= [APPLICATION 2] NULL
SearchRequest ::= [APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2),
... },
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3) },
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
typesOnly BOOLEAN,
filter Filter,
attributes AttributeSelection }
AttributeSelection ::= SEQUENCE OF selector LDAPString
-- The LDAPString is constrained to
-- <attributeSelector> in Section 4.5.1.8
Filter ::= CHOICE {
and [0] SET SIZE (1..MAX) OF filter Filter,
or [1] SET SIZE (1..MAX) OF filter Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeDescription,
approxMatch [8] AttributeValueAssertion,
extensibleMatch [9] MatchingRuleAssertion,
... }
SubstringFilter ::= SEQUENCE {
type AttributeDescription,
substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE {
initial [0] AssertionValue, -- can occur at most once
any [1] AssertionValue,
final [2] AssertionValue } -- can occur at most once
}
MatchingRuleAssertion ::= SEQUENCE {
matchingRule [1] MatchingRuleId OPTIONAL,
type [2] AttributeDescription OPTIONAL,
matchValue [3] AssertionValue,
dnAttributes [4] BOOLEAN DEFAULT FALSE }
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes PartialAttributeList }
PartialAttributeList ::= SEQUENCE OF
partialAttribute PartialAttribute
SearchResultReference ::= [APPLICATION 19] SEQUENCE
SIZE (1..MAX) OF uri URI
SearchResultDone ::= [APPLICATION 5] LDAPResult
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
object LDAPDN,
changes SEQUENCE OF change SEQUENCE {
operation ENUMERATED {
add (0),
delete (1),
replace (2),
increment (3), // RFC 4525 addition
... },
modification PartialAttribute } }
ModifyResponse ::= [APPLICATION 7] LDAPResult
AddRequest ::= [APPLICATION 8] SEQUENCE {
entry LDAPDN,
attributes AttributeList }
AttributeList ::= SEQUENCE OF attribute Attribute
AddResponse ::= [APPLICATION 9] LDAPResult
DelRequest ::= [APPLICATION 10] LDAPDN
DelResponse ::= [APPLICATION 11] LDAPResult
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
entry LDAPDN,
newrdn RelativeLDAPDN,
deleteoldrdn BOOLEAN,
newSuperior [0] LDAPDN OPTIONAL }
ModifyDNResponse ::= [APPLICATION 13] LDAPResult
CompareRequest ::= [APPLICATION 14] SEQUENCE {
entry LDAPDN,
ava AttributeValueAssertion }
CompareResponse ::= [APPLICATION 15] LDAPResult
AbandonRequest ::= [APPLICATION 16] MessageID
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
requestName [0] LDAPOID,
requestValue [1] OCTET STRING OPTIONAL }
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
COMPONENTS OF LDAPResult,
responseName [10] LDAPOID OPTIONAL,
responseValue [11] OCTET STRING OPTIONAL }
IntermediateResponse ::= [APPLICATION 25] SEQUENCE {
responseName [0] LDAPOID OPTIONAL,
responseValue [1] OCTET STRING OPTIONAL }
END
LdapMessage
The LDAPMessage grammar starts with this part:
LDAPMessage ::= SEQUENCE {
messageID INTEGER (0 .. maxInt),
protocolOp CHOICE {
bindRequest BindRequest,
bindResponse BindResponse,
unbindRequest UnbindRequest,
searchRequest SearchRequest,
searchResEntry SearchResultEntry,
searchResDone SearchResultDone,
searchResRef SearchResultReference,
modifyRequest ModifyRequest,
modifyResponse ModifyResponse,
addRequest AddRequest,
addResponse AddResponse,
delRequest DelRequest,
delResponse DelResponse,
modDNRequest ModifyDNRequest,
modDNResponse ModifyDNResponse,
compareRequest CompareRequest,
compareResponse CompareResponse,
abandonRequest AbandonRequest,
extendedReq ExtendedRequest,
extendedResp ExtendedResponse,
...,
intermediateResponse IntermediateResponse },
controls [0] Controls OPTIONAL }
We have three parts:
- The message ID
- The protocol part
- The optional controls
The following picture gives a clear view of the existing transitions:
The green boxes are sub-transitions, which will be descibed below. The red arrow indicates which transition are mandatory. Each transition is based on the tag used between two states. Dashed arrows are optional transitions.
There are 15 mandatory transitions:
- ADD_REQUEST_STATE
- ADD_RESPONSE_STATE
- BIND_REQUEST_STATE
- BIND_RESPONSE_STATE
- COMPARE_REQUEST_STATE
- COMPARE_RESPONSE_STATE
- DEL_RESPONSE_STATE
- EXTENDED_RESPONSE_STATE
- MODIFY_DN_REQUEST_STATE
- MODIFY_DN_RESPONSE_STATE
- MODIFY_REQUEST_STATE
- MODIFY_RESPONSE_STATE
- SEARCH_REQUEST_STATE
- SEARCH_RESULT_DONE_STATE
- SEARCH_RESULT_ENTRY_STATE
Here is a flat representation of a LDAP message structure, where we see the encapsulated TLVs:
+---+---+-----------------------------------------------------------------------------------------------------------------+
| | | +---+---+------------+ +---+---+--------------------+ [+---+---+---------------------------------------------+] |
| | | | | | | | | | | [| | | +---+---+---------+ +---+---+---------+ |] |
| T | L | | T | L | message ID | | T | L | protocol operation | [| T | L | | T | L | control | ... | T | L | control | |] |
| | | | | | | | | | | [| | | +-o-+-o-+----o----+ +---+---+---------+ |] |
| | | +-o-+-o-+-----o------+ +-o-+-o-+---------o----------+ [+-o-+-o-+---|---|------|------------------------------+] |
+-o-+-o-+---|---|-------|----------|---|-----------|---------------|---|-----|---|------|---------------------------------+
| | | | | | | | | | | | |
| | | | | | | | | | | | +----------> A control's encoded value
| | | | | | | | | | | |
| | | | | | | | | | | +-----------------> A control's length
| | | | | | | | | | |
| | | | | | | | | | +---------------------> A control's sequence (0x30)
| | | | | | | | | |
| | | | | | | | | +---------------------------> The controls total length
| | | | | | | | |
| | | | | | | | +-------------------------------> The controls sequence tag (0xA0)
| | | | | | | |
| | | | | | | +-----------------------------------------------> The encoded operation
| | | | | | |
| | | | | | +-----------------------------------------------------------> The operation length
| | | | | |
| | | | | +---------------------------------------------------------------> The operation code (can be 0x60 for a BindRequest)
| | | | |
| | | | +--------------------------------------------------------------------------> The message ID
| | | |
| | | +----------------------------------------------------------------------------------> The message ID's length (from 1 to 4)
| | |
| | +--------------------------------------------------------------------------------------> The message ID's tag, 0x02 for an INTEGER
| |
| +--------------------------------------------------------------------------------------------> The LDAP message's length
|
+------------------------------------------------------------------------------------------------> The LDAP message sequence (0x30)
Now, here is the sub-message protocolOp:
It covers all the existing LDAP messages.
LdapResult
The LDAPResult element is part of all the LDAP response. It contains the following informations:
- A result code, indicating either a success (code 0) or an error (code from 1 to 80, but it may be higher in a future version)
- A DN representing the associated entry
- A diagnostic message in case of an error
- An optional list of LDAP URL that may be able to process the operation.
Here is the complete grammar, as defined in RFC4511:
LDAPResult ::= SEQUENCE {
resultCode ENUMERATED {
success (0),
operationsError (1),
protocolError (2),
timeLimitExceeded (3),
sizeLimitExceeded (4),
compareFalse (5),
compareTrue (6),
authMethodNotSupported (7),
strongerAuthRequired (8),
referral (10),
adminLimitExceeded (11),
unavailableCriticalExtension (12),
confidentialityRequired (13),
saslBindInProgress (14),
noSuchAttribute (16),
undefinedAttributeType (17),
inappropriateMatching (18),
constraintViolation (19),
attributeOrValueExists (20),
invalidAttributeSyntax (21),
noSuchObject (32),
aliasProblem (33),
invalidDNSyntax (34),
aliasDereferencingProblem (36),
inappropriateAuthentication (48),
invalidCredentials (49),
insufficientAccessRights (50),
busy (51),
unavailable (52),
unwillingToPerform (53),
loopDetect (54),
namingViolation (64),
objectClassViolation (65),
notAllowedOnNonLeaf (66),
notAllowedOnRDN (67),
entryAlreadyExists (68),
objectClassModsProhibited (69),
affectsMultipleDSAs (71),
other (80),
... },
matchedDN OCTET STRING,
diagnosticMessage OCTET STRING,
referral [3] Referral OPTIONAL }
Referral ::= SEQUENCE SIZE (1..MAX) OF uri OCTET STRING
URI ::= LDAPString -- limited to characters permitted in
-- URIs
The associated state machine is given by this schema:
Controls
The Control grammar is the following:
Controls ::= SEQUENCE OF control Control
Control ::= SEQUENCE {
controlType OCTET STRING,
criticality BOOLEAN DEFAULT FALSE,
controlValue OCTET STRING OPTIONAL
The associated state machine is given by this schema:
There is no mandatory transition.
AbandonRequest operation
The AbandonRequest message grammar is the following:
AbandonRequest ::= [APPLICATION 16] INTEGER (0 .. maxInt)
The state machine for this operation is already described in the LdapMessage state machine. The operation code (0x50) is completed with the ID of the message to be abandonned.
AddRequest operation
The AddRequest message grammar is the following:
AddRequest ::= [APPLICATION 8] SEQUENCE {
entry OCTET STRING,
attributes AttributeList }
AttributeList ::= SEQUENCE OF attribute Attribute
Attribute ::= PartialAttribute(WITH COMPONENTS {
...,
vals (SIZE(1..MAX))})
PartialAttribute ::= SEQUENCE {
type OCTET STRING,
vals SET OF value OCTET STRING }
Its state machine is shown in this picture:
For a AddRequest, only one state is mandatory and must be followed by another state:
- ENTRY_STATE
AddResponse operation
The Add operation response is described by this part of the LDAP grammar:
AddResponse ::= [APPLICATION 9] LDAPResult
The associated state machine is shown below:
There are no mandatory state.
BindRequest operation
The BindRequest message grammar is the following:
BindRequest ::= [APPLICATION 0] SEQUENCE {
version INTEGER (1 .. 127),
name OCTET STRING,
authentication AuthenticationChoice }
AuthenticationChoice ::= CHOICE {
simple [0] OCTET STRING,
sasl [3] SaslCredentials,
... }
SaslCredentials ::= SEQUENCE {
mechanism OCTET STRING,
credentials OCTET STRING OPTIONAL }
Its state machine is shown in this picture:
We have two flavors of Bind:
- Simple bind, which uses a name and its credentials, in clear text
- SASL bind, which use a name, a mechanism and some added data. A dialog will be established, in which some responses and requests will be exchanged, until the authentication is established.
For a BindRequest, only two states are mandatory and must be followed by another state:
- VERSION_STATE
- NAME_STATE
BindResponse operation
The BindResponse message contains two elements:
- A LdapResult element
- An optional response used in a aunthentication dialogue, if the BindRequest message was a SASL one
BindResponse ::= [APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
serverSaslCreds [7] OCTET STRING OPTIONAL }
The associated state machine is shown below:
Just because we may have some data after the LDAPResult element, we use a special version of the LDAPResult state machine:
In any case, two states are mandatory:
- RESULT_CODE_BR_STATE
- MATCHED_DN_BR_STATE
CompareRequest operation
The CompareRequest message grammar is the following:
CompareRequest ::= [APPLICATION 14] SEQUENCE {
entry OCTET STRING,
ava AttributeValueAssertion }
AttributeValueAssertion ::= SEQUENCE {
attributeDesc OCTET STRING,
assertionValue OCTET STRING }
Its state machine is shown in this picture:
For a CompareRequest, only one state is mandatory and must be followed by another state:
- AVA_COMP_STATE
CompareResponse operation
The CompareResponse message is described by this part of the LDAP grammar:
CompareResponse ::= [APPLICATION 15] LDAPResult
The associated state machine is shown below:
There are no mandatory state.
DelRequest operation
The DelRequest message is described by this part of the LDAP grammar:
DelRequest ::= [APPLICATION 10] OCTET STRING
The state machine for this operation is already described in the LdapMessage state machine. The operation code (0x4A) is completed with the Object’s DN to be removed.
DelResponse operation
The DelResponse message is described by this part of the LDAP grammar:
DelResponse ::= [APPLICATION 11] LDAPResult
The associated state machine is shown below:
There are no mandatory state.
ExtendedRequest operation
The ExtendedRequest message is described by this part of the LDAP grammar:
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
requestName [0] OCTET STRING,
requestValue [1] OCTET STRING OPTIONAL }
The associated state machine is shown below:
There are no mandatory state.
ExtendedResponse operation
The ExtendedResponse message is described by this part of the LDAP grammar:
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
COMPONENTS OF LDAPResult,
responseName [10] OCTET STRING OPTIONAL,
responseValue [11] OCTET STRING OPTIONAL }
The associated state machine is shown below:
There are no mandatory state.
Just because we may have some data after the LDAPResult element, we use a special version of the LDAPResult state machine:
In any case, two states are mandatory:
- RESULT_CODE_ER_STATE
- MATCHED_DN_ER_STATE
IntermediateResponse operation
The IntermediateResponse message is described by this part of the LDAP grammar:
IntermediateResponse ::= [APPLICATION 25] SEQUENCE {
responseName [0] LDAPOID OPTIONAL,
responseValue [1] OCTET STRING OPTIONAL }
The associated state machine is shown below:
There are no mandatory state.
ModifyRequest operation
The ModifyRequest message is described by this part of the LDAP grammar:
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
object OCTET STRING,
changes SEQUENCE OF change SEQUENCE {
operation ENUMERATED {
add (0),
delete (1),
replace (2),
increment (3),
... },
modification PartialAttribute } }
With this common element, PartialAttribute:
PartialAttribute ::= SEQUENCE {
type OCTET STRING,
vals SET OF value OCTET STRING }
(Note: the PartialAttribute sub-element is shared with the AddRequest and SearchResultEntry messages)
The associated state machine is shown below:
Two states are mandatory:
- CHANGES_STATE
- MODIFICATION_STATE
ModifyResponse operation
The ModifyResponse message is described by this part of the LDAP grammar:
ModifyResponse ::= [APPLICATION 7] LDAPResult
The associated state machine is shown below:
There are no mandatory state.
ModifyDNRequest operation
The ModifyDNRequest message grammar is the following:
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
entry OCTET STRING,
newrdn OCTET STRING,
deleteoldrdn BOOLEAN,
newSuperior [0] OCTET STRING OPTIONAL }
Its state machine is shown in this picture:
For a ModifyRequest, one state is mandatory and must be followed by another state:
- ENTRY_MOD_DN_STATE
ModifyDNResponse operation
The ModifyDNResponse message is described by this part of the LDAP grammar:
ModifyResponse ::= [APPLICATION 13] LDAPResult
The associated state machine is shown below:
There are no mandatory state.
SearchRequest
The SearchRequest message is described by this part of the LDAP grammar:
SearchRequest ::= [APPLICATION 3] SEQUENCE {
baseObject OCTET STRING,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2),
... },
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3) },
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
typesOnly BOOLEAN,
filter Filter,
attributes AttributeSelection }
AttributeSelection ::= SEQUENCE OF selector OCTET STRING
It uses a set of elements (Filter, SubstringFilter, MatchingRuleAssertion, AttributeValueAssertion) that are described below.
The associated state machine is shown below:
There are six mandatory states:
- BASE_OBJECT_STATE
- SCOPE_STATE
- DEREF_ALIAS_STATE
- SIZE_LIMIT_STATE
- TIME_LIMIT_STATE
- TYPES_ONLY_STATE
Filter
The Filter grammar part is given below:
Filter ::= CHOICE {
and [0] SET SIZE (1..MAX) OF filter Filter,
or [1] SET SIZE (1..MAX) OF filter Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] OCTET STRING,
approxMatch [8] AttributeValueAssertion,
extensibleMatch [9] MatchingRuleAssertion,
... }
AttributeValueAssertion ::= SEQUENCE {
attributeDesc OCTET STRING,
assertionValue OCTET STRING }
The associated state machine is shown below:
There are six mandatory states:
- APPROX_MATCH_STATE
- EQUALITY_MATCH_STATE
- EXTENSIBLE_MATCH_STATE
- GREATER_OR_EQUAL_STATE
- LESS_OR_EQUAL_STATE
- SUBSTRINGS_FILTER_STATE
MatchingRuleAssertion
The MatchingRuleAssertion grammar part is given below:
MatchingRuleAssertion ::= SEQUENCE {
matchingRule [1] OCTET STRING OPTIONAL,
type [2] OCTET STRING OPTIONAL,
matchValue [3] OCTET STRING,
dnAttributes [4] BOOLEAN DEFAULT FALSE }
The associated state machine is shown below:
There are two mandatory states:
- MRA_MATCHING_RULE_STATE
- MRA_TYPE_STATE
SubstringFilter
The SubstringFilter grammar part is given below:
SubstringFilter ::= SEQUENCE {
type OCTET STRING,
substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE {
initial [0] OCTET STRING,
any [1] OCTET STRING,
final [2] OCTET STRING }
}
The associated state machine is shown below:
There is no mandatory transition
SearchResultDone
The SearchResultDone message is described by this part of the LDAP grammar:
SearchResultDone ::= [APPLICATION 5] LDAPResult
The associated state machine is shown below:
There are no mandatory state.
SearchResultEntry
The SearchResultEntry message is described by this part of the LDAP grammar:
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName OCTET STRING,
attributes PartialAttributeList }
PartialAttributeList ::= SEQUENCE OF
partialAttribute PartialAttribute
PartialAttribute ::= SEQUENCE {
type OCTET STRING,
vals SET OF value OCTET STRING }
The associated state machine is shown below:
There are two mandatory transitions:
- OBJECT_NAME_STATE
- PARTIAL_ATTRIBUTE_LIST_STATE
SearchResultReference
The SearchResultReference message is described by this part of the LDAP grammar:
SearchResultDone ::= [APPLICATION 5] LDAPResult
The associated state machine is shown below:
There are no mandatory state.
UnbindRequest operation
This is the simplest operation. Its PDU contains only 2 bytes: 0x42 0x00.
UnbindRequest ::= [APPLICATION 2] NULL
Its state machine is already fully contained in the LDAPMEssage state machine, as it’s encoded directly.
State transitions
State followers
This list gives all the possible tags for each of the state machine elements:
- ABANDON_REQUEST_STATE: {Controls tag (0xA0), #}
- ADD_REQUEST_STATE: {Controls tag (0xA0), #}
- ADD_RESPONSE_STATE: {Controls tag (0xA0), #}
- AND_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- ANY_STATE:
- any tag (0x81)
- final tag (0x82)}
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- APPROX_MATCH_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- ASSERTION_VALUE_FILTER_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- ASSERTION_VALUE_COMP_STATE: {Controls tag (0xA0), #}
- ATTRIBUTES_SR_STATE: {PartialAttributeList tag (0x30)}
- ATTRIBUTES_STATE: {AttributeList tag (0x30)}
- ATTRIBUTE_SELECTION_STATE: {Controls tag (0xA0), #}
- ATTRIBUTE_DESC_COMP_STATE: {AssertionValue tag (0x04)}
- ATTRIBUTE_DESC_FILTER_STATE: {AssertionValue tag (0x04)}
- ATTRIBUTE_STATE: {type tag (0x04)}
- ATTRIBUTE_VALUE_STATE: {change tags (0x30), vals tag (0x04), Controls tag (0xA0), #}
- AVA_COMP_STATE: {AttributeDesc tag (0x04)}
- BASE_OBJECT_STATE: {scope tag (0x0A)}
- BIND_REQUEST_STATE: {Controls tag (0xA0), #}
- BIND_RESPONSE_STATE: {Controls tag (0xA0), #}
- CHANGES_STATE: {change tag (0x30)}
- CHANGE_STATE: {operation tag (0x30)}
- COMPARE_REQUEST_STATE: {Controls tag (0xA0), #}
- COMPARE_RESPONSE_STATE: {Controls tag (0xA0), #}
- CONTROLS_STATE: {Control tag (0x30)}
- CONTROL_STATE: {controlType tag (0x04)}
- CONTROL_TYPE_STATE: {criticality tag (0x01), controlValue tag (0x04), Control tag (0x30), #}
- CONTROL_VALUE_STATE: {Control tag (0x30), #}
- CREDENTIALS_STATE: {Controls tag (0xA0), #}
- CRITICALITY_STATE: {controlValue tag (0x04), Control tag (0x30), #}
- DELETE_OLD_RDN_STATE: {nowSuperior tag (0x80), Control tag (0x30), #}
- DEL_REQUEST_STATE: {Controls tag (0xA0), #}
- DEL_RESPONSE_STATE: {Controls tag (0xA0), #}
- DEREF_ALIAS_STATE: {sizeLimit tag (0x02)}
- DIAGNOSTIC_MESSAGE_BR_STATE: {serverSaslCreds tag (0x87), Control tag (0x30), #}
- DIAGNOSTIC_MESSAGE_ER_STATE: {responseName tag (0x8A), responseValue tag (0x8B), Control tag (0x30), #}
- DIAGNOSTIC_MESSAGE_STATE: {Control tag (0x30), #}
- ENTRY_COMP_STATE: {ava tag (0x30)}
- ENTRY_MOD_DN_STATE: {newRdn tag (0x04)}
- ENTRY_STATE: {attributes tag (0x30)}
- EQUALITY_MATCH_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- EXTENDED_REQUEST_STATE: {Controls tag (0xA0), #}
- EXTENDED_RESPONSE_STATE: {Controls tag (0xA0), #}
- EXTENSIBLE_MATCH_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- FINAL_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- GREATER_OR_EQUAL_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- INITIAL_STATE:
- any tag (0x81)
- final tag (0x82)
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- INTERMEDIATE_RESPONSE_NAME_STATE: {responseValue tag (0x81), Controls tag (0xA0), #}
- INTERMEDIATE_RESPONSE_STATE: {Controls tag (0xA0), #}
- INTERMEDIATE_RESPONSE_VALUE_STATE: {Controls tag (0xA0), #}
- LDAP_MESSAGE_STATE: {messageId (0x02)}
- LESS_OR_EQUAL_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- MATCHED_DN_BR_STATE: {matchedDN tag (0x04)}
- MATCHED_DN_ER_STATE: {matchedDN tag (0x04)}
- MATCHED_DN_STATE: {matchedDN tag (0x04)}
- MECHANISM_STATE: {credentials tag (0x04), Controls tag (0xA0), #}
- MESSAGE_ID_STATE: protocolOp :
- UnbindRequest tag (0x42)
- DelRequest tag (0x4A)
- AbandonRequest tag (0x50)
- BindRequest tag (0x60)
- BindResponse tag (0x61)
- SearchRequest (0x63)
- SearchResultEntry(0x64)
- SearchResultDone(0x65)
- ModifyRequest (0x66)
- ModifyResponse (0x67)
- AddRequest (0x68)
- AddResponse (0x69)
- DelResponse (0x6B)
- ModifyDnRequest(0x6C)
- ModifyDnResponse(0x6D)
- CompareRequest (0x6E)
- CompareResponse (0x6F)
- SearchSearchResultReference (0x73)
- ExtendedRequesrv (0x77)
- ExtendedResponse (0x78)
- IntermediateResponse (0x79)
- MODIFICATION_STATE: {type tag (0x04)}
- MODIFY_DN_REQUEST_STATE: {Controls tag (0xA0), #}
- MODIFY_DN_RESPONSE_STATE: {Controls tag (0xA0), #}
- MODIFY_REQUEST_STATE: {Controls tag (0xA0), #}
- MODIFY_RESPONSE_STATE: {Controls tag (0xA0), #}
- MRA_DN_ATTRIBUTES_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- MRA_MATCHING_RULE_STATE: {type tag (0x82), matchValue tag (0x83)}
- MRA_TYPE_STATE: {matchValue tag (0x83)}
- MRA_MATCH_VALUE_STATE:
- dnAttributes tag (0x84)
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- NAME_STATE: {simple tag (0x80), sasl tag (0xA3)}
- NEW_RDN_STATE: {deleteOldrdn tag (0x01)}
- NEW_SUPERIOR_STATE: {Controls tag (0xA0), #}
- NOT_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- OBJECT_NAME_STATE: {attributes tag (0x30)}
- OBJECT_STATE: {changes tag (0x30)}
- OPERATION_STATE: {modification tag (0x30)}
- OR_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- PARTIAL_ATTRIBUTES_LIST_STATE: {type tag (0x04)}
- PRESENT_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- REFERENCE_STATE: {reference tag (0x04), Controls tag (0xA0), #}
- REFERRAL_BR_STATE: {uri tag (0x04), saslCredentials state (0x87), Controls tag (0xA0), #}
- REFERRAL_ER_STATE: {uri tag (0x04), responseName tag (0x8A), responseValue tag (0x8B), Controls tag (0xA0), #}
- REFERRAL_STATE: {uri tag (0x04), Controls tag (0xA0), #}
- REQUEST_NAME_STATE: {requestValue tag (0x81), Controls tag (0xA0), #}
- REQUEST_VALUE_STATE: {Controls tag (0xA0), #}
- RESPONSE_NAME_STATE: {responseValue tag (0x8B), Controls tag (0xA0), #}
- RESPONSE_VALUE_STATE: {Controls tag (0xA0), #}
- RESULT_CODE_BR_STATE: {matchedDn tag (0x04)}
- RESULT_CODE_ER_STATE: {matchedDn tag (0x04), responseName tag (0x8A), responseValue tag (0x8B), Controls tag (0xA0), #}
- RESULT_CODE_STATE: {matchedDn tag (0x04)}
- SASL_STATE {mechanism tag (0x04)}
- SCOPE_STATE: {derefAlias tag (0x0A)}
- SEARCH_REQUEST_STATE: {Controls tag (0xA0), #}
- SEARCH_RESULT_DONE_STATE: {Controls tag (0xA0), #}
- SEARCH_RESULT_ENTRY_STATE: {Controls tag (0xA0), #}
- SEARCH_RESULT_REFERENCE_STATE: {Controls tag (0xA0), #}
- SELECTOR_STATE: {selector tag (0x04), Controls tag (0xA0), #}
- SERVER_SASL_CREDENTIALS_STATE_: {Controls tag (0xA0), #}
- SIMPLE_STATE: {Controls tag (0xA0), #}
- SIZE_LIMIT_STATE: {timeLimit tag (0x02)}
- START_STATE: {LdapMessage tag 0x30}
- SUBSTRINGS_STATE: {initial tag (0x80), any tag (0x81), final tag (0x82)}
- SUBSTRINGS_FILTER_STATE:
- present tag (0x87)
- AttributeSelection tag (0x30)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- TIME_LIMIT_STATE: {typesOnly tag (0x01)}
- TYPES_ONLY_STATE:
- present tag (0x87)
- and tag (0xA0)
- or tag (0xA1)
- not tag (0xA2)
- equality tag (0xA3)
- substrings tag (0xA4)
- equality match tag (0xA5)
- less or equal tag (0xA6)
- approxMatch tag (0xA8)
- extensible match tag (0xA9)
- TYPE_MOD_STATE: {vals tag (0x31)}
- TYPE_SR_STATE: {vals tag (0x31)}
- TYPE_STATE: {values tag (0x31)}
- TYPE_SUBSTRING_STATE: {substrings tag (0x30)}
- UNBIND_REQUEST_STATE: {Controls tag (0xA0), #}
- URI_BR_STATE: {serverSaslCreds tag (0x87), Controls tag (0xA0), #}
- URI_ER_STATE: {responseName tag (0x8A), responseValue tag (0x8B), Controls tag (0xA0), #}
- URI_STATE: {Controls tag (0xA0), #}
- VALS_SR_STATE: {partialAttribute tag (0x30), value tag (0x04), Controls tag (0xA0), #}
- VALS_STATE: {partialAttribute tag (0x30), value tag (0x04), Controls tag (0xA0), #}
- VALUES_STATE: {value tag (0x04)}
- VALUE_STATE: {attribute tag (0x30), value tag (0x04), Controls tag (0xA0), #}
- VALUE_SR_STATE: {value tag (0x04), Controls tag (0xA0), #}
- VERSION_STATE: {name tag (0x04)}