1*2de962bdSlukem 2*2de962bdSlukem 3*2de962bdSlukem 4*2de962bdSlukem 5*2de962bdSlukem 6*2de962bdSlukem 7*2de962bdSlukemNetwork Working Group C. Weider 8*2de962bdSlukemRequest for Comments: 2696 A. Herron 9*2de962bdSlukemCategory: Informational A. Anantha 10*2de962bdSlukem Microsoft 11*2de962bdSlukem T. Howes 12*2de962bdSlukem Netscape 13*2de962bdSlukem September 1999 14*2de962bdSlukem 15*2de962bdSlukem 16*2de962bdSlukem LDAP Control Extension for Simple Paged Results Manipulation 17*2de962bdSlukem 18*2de962bdSlukemStatus of this Memo 19*2de962bdSlukem 20*2de962bdSlukem This memo provides information for the Internet community. It does 21*2de962bdSlukem not specify an Internet standard of any kind. Distribution of this 22*2de962bdSlukem memo is unlimited. 23*2de962bdSlukem 24*2de962bdSlukemCopyright Notice 25*2de962bdSlukem 26*2de962bdSlukem Copyright (C) The Internet Society (1999). All Rights Reserved. 27*2de962bdSlukem 28*2de962bdSlukem1. Abstract 29*2de962bdSlukem 30*2de962bdSlukem This document describes an LDAPv3 control extension for simple paging 31*2de962bdSlukem of search results. This control extension allows a client to control 32*2de962bdSlukem the rate at which an LDAP server returns the results of an LDAP 33*2de962bdSlukem search operation. This control may be useful when the LDAP client has 34*2de962bdSlukem limited resources and may not be able to process the entire result 35*2de962bdSlukem set from a given LDAP query, or when the LDAP client is connected 36*2de962bdSlukem over a low-bandwidth connection. Other operations on the result set 37*2de962bdSlukem are not defined in this extension. This extension is not designed to 38*2de962bdSlukem provide more sophisticated result set management. 39*2de962bdSlukem 40*2de962bdSlukem The key words "MUST", "SHOULD", and "MAY" used in this document are 41*2de962bdSlukem to be interpreted as described in [bradner97]. 42*2de962bdSlukem 43*2de962bdSlukem2. The Control 44*2de962bdSlukem 45*2de962bdSlukem This control is included in the searchRequest and searchResultDone 46*2de962bdSlukem messages as part of the controls field of the LDAPMessage, as defined 47*2de962bdSlukem in Section 4.1.12 of [LDAPv3]. The structure of this control is as 48*2de962bdSlukem follows: 49*2de962bdSlukem 50*2de962bdSlukem 51*2de962bdSlukem 52*2de962bdSlukem 53*2de962bdSlukem 54*2de962bdSlukem 55*2de962bdSlukem 56*2de962bdSlukem 57*2de962bdSlukem 58*2de962bdSlukemWeider, et al. Informational [Page 1] 59*2de962bdSlukem 60*2de962bdSlukemRFC 2696 LDAP Control Ext. for Simple Paged Results September 1999 61*2de962bdSlukem 62*2de962bdSlukem 63*2de962bdSlukempagedResultsControl ::= SEQUENCE { 64*2de962bdSlukem controlType 1.2.840.113556.1.4.319, 65*2de962bdSlukem criticality BOOLEAN DEFAULT FALSE, 66*2de962bdSlukem controlValue searchControlValue 67*2de962bdSlukem} 68*2de962bdSlukem 69*2de962bdSlukemThe searchControlValue is an OCTET STRING wrapping the BER-encoded 70*2de962bdSlukemversion of the following SEQUENCE: 71*2de962bdSlukem 72*2de962bdSlukemrealSearchControlValue ::= SEQUENCE { 73*2de962bdSlukem size INTEGER (0..maxInt), 74*2de962bdSlukem -- requested page size from client 75*2de962bdSlukem -- result set size estimate from server 76*2de962bdSlukem cookie OCTET STRING 77*2de962bdSlukem} 78*2de962bdSlukem 79*2de962bdSlukem3. Client-Server Interaction 80*2de962bdSlukem 81*2de962bdSlukem An LDAP client application that needs to control the rate at which 82*2de962bdSlukem results are returned MAY specify on the searchRequest a 83*2de962bdSlukem pagedResultsControl with size set to the desired page size and cookie 84*2de962bdSlukem set to the zero-length string. The page size specified MAY be greater 85*2de962bdSlukem than zero and less than the sizeLimit value specified in the 86*2de962bdSlukem searchRequest. 87*2de962bdSlukem 88*2de962bdSlukem If the page size is greater than or equal to the sizeLimit value, the 89*2de962bdSlukem server should ignore the control as the request can be satisfied in a 90*2de962bdSlukem single page. If the server does not support this control, the server 91*2de962bdSlukem MUST return an error of unsupportedCriticalExtension if the client 92*2de962bdSlukem requested it as critical, otherwise the server SHOULD ignore the 93*2de962bdSlukem control. The remainder of this section assumes the server does not 94*2de962bdSlukem ignore the client's pagedResultsControl. 95*2de962bdSlukem 96*2de962bdSlukem Each time the server returns a set of results to the client when 97*2de962bdSlukem processing a search request containing the pagedResultsControl, the 98*2de962bdSlukem server includes the pagedResultsControl control in the 99*2de962bdSlukem searchResultDone message. In the control returned to the client, the 100*2de962bdSlukem size MAY be set to the server's estimate of the total number of 101*2de962bdSlukem entries in the entire result set. Servers that cannot provide such an 102*2de962bdSlukem estimate MAY set this size to zero (0). The cookie MUST be set to an 103*2de962bdSlukem empty value if there are no more entries to return (i.e., the page of 104*2de962bdSlukem search results returned was the last), or, if there are more entries 105*2de962bdSlukem to return, to an octet string of the server's choosing,used to resume 106*2de962bdSlukem the search. 107*2de962bdSlukem 108*2de962bdSlukem The client MUST consider the cookie to be an opaque structure and 109*2de962bdSlukem make no assumptions about its internal organization or value. When 110*2de962bdSlukem the client wants to retrieve more entries for the result set, it MUST 111*2de962bdSlukem 112*2de962bdSlukem 113*2de962bdSlukem 114*2de962bdSlukemWeider, et al. Informational [Page 2] 115*2de962bdSlukem 116*2de962bdSlukemRFC 2696 LDAP Control Ext. for Simple Paged Results September 1999 117*2de962bdSlukem 118*2de962bdSlukem 119*2de962bdSlukem send to the server a searchRequest with all values identical to the 120*2de962bdSlukem initial request with the exception of the messageID, the cookie, and 121*2de962bdSlukem optionally a modified pageSize. The cookie MUST be the octet string 122*2de962bdSlukem on the last searchResultDone response returned by the server. 123*2de962bdSlukem Returning cookies from previous searchResultDone responses besides 124*2de962bdSlukem the last one is undefined, as the server implementation may restrict 125*2de962bdSlukem cookies from being reused. 126*2de962bdSlukem 127*2de962bdSlukem The server will then return the next set of results from the whole 128*2de962bdSlukem result set. This interaction will continue until the client has 129*2de962bdSlukem retrieved all the results, in which case the cookie in the 130*2de962bdSlukem searchResultDone field will be empty, or until the client abandons 131*2de962bdSlukem the search sequence as described below. Once the paged search 132*2de962bdSlukem sequence has been completed, the cookie is no longer valid and MUST 133*2de962bdSlukem NOT be used. 134*2de962bdSlukem 135*2de962bdSlukem A sequence of paged search requests is abandoned by the client 136*2de962bdSlukem sending a search request containing a pagedResultsControl with the 137*2de962bdSlukem size set to zero (0) and the cookie set to the last cookie returned 138*2de962bdSlukem by the server. A client MAY use the LDAP Abandon operation to 139*2de962bdSlukem abandon one paged search request in progress, but this is discouraged 140*2de962bdSlukem as it MAY invalidate the client's cookie. 141*2de962bdSlukem 142*2de962bdSlukem If, for any reason, the server cannot resume a paged search operation 143*2de962bdSlukem for a client, then it SHOULD return the appropriate error in a 144*2de962bdSlukem searchResultDone entry. If this occurs, both client and server should 145*2de962bdSlukem assume the paged result set is closed and no longer resumable. 146*2de962bdSlukem 147*2de962bdSlukem A client may have any number of outstanding search requests pending, 148*2de962bdSlukem any of which may have used the pagedResultsControl. A server 149*2de962bdSlukem implementation which requires a limit on the number of outstanding 150*2de962bdSlukem paged search requests from a given client MAY either return 151*2de962bdSlukem unwillingToPerform when the client attempts to create a new paged 152*2de962bdSlukem search request, or age out an older result set. If the server 153*2de962bdSlukem implementation ages out an older paged search request, it SHOULD 154*2de962bdSlukem return "unwilling to perform" if the client attempts to resume the 155*2de962bdSlukem paged search that was aged out. 156*2de962bdSlukem 157*2de962bdSlukem A client may safely assume that all entries that satisfy a given 158*2de962bdSlukem search query are returned once and only once during the set of paged 159*2de962bdSlukem search requests/responses necessary to enumerate the entire result 160*2de962bdSlukem set, unless the result set for that query has changed since the 161*2de962bdSlukem searchRequest starting the request/response sequence was processed. 162*2de962bdSlukem In that case, the client may receive a given entry multiple times 163*2de962bdSlukem and/or may not receive all entries matching the given search 164*2de962bdSlukem criteria. 165*2de962bdSlukem 166*2de962bdSlukem 167*2de962bdSlukem 168*2de962bdSlukem 169*2de962bdSlukem 170*2de962bdSlukemWeider, et al. Informational [Page 3] 171*2de962bdSlukem 172*2de962bdSlukemRFC 2696 LDAP Control Ext. for Simple Paged Results September 1999 173*2de962bdSlukem 174*2de962bdSlukem 175*2de962bdSlukem4. Example 176*2de962bdSlukem 177*2de962bdSlukem The following example illustrates the client-server interaction 178*2de962bdSlukem between a client doing a search requesting a page size limit of 3. 179*2de962bdSlukem The entire result set returned by the server contains 5 entries. 180*2de962bdSlukem 181*2de962bdSlukem Lines beginning with "C:" indicate requests sent from client to 182*2de962bdSlukem server. Lines beginning with "S:" indicate responses sent from server 183*2de962bdSlukem to client. Lines beginning with "--" are comments to help explain the 184*2de962bdSlukem example. 185*2de962bdSlukem 186*2de962bdSlukem -- Client sends a search request asking for paged results 187*2de962bdSlukem -- with a page size of 3. 188*2de962bdSlukem C: SearchRequest + pagedResultsControl(3,"") 189*2de962bdSlukem -- Server responds with three entries plus an indication 190*2de962bdSlukem -- of 5 total entries in the search result and an opaque 191*2de962bdSlukem -- cooking to be used by the client when retrieving subsequent 192*2de962bdSlukem -- pages. 193*2de962bdSlukem S: SearchResultEntry 194*2de962bdSlukem S: SearchResultEntry 195*2de962bdSlukem S: SearchResultEntry 196*2de962bdSlukem S: SearchResultDone + pagedResultsControl(5, "opaque") 197*2de962bdSlukem -- Client sends an identical search request (except for 198*2de962bdSlukem -- message id), returning the opaque cooking, asking for 199*2de962bdSlukem -- the next page. 200*2de962bdSlukem C: SearchRequest + PagedResultsControl(3, "opaque") 201*2de962bdSlukem -- Server responds with two entries plus an indication 202*2de962bdSlukem -- that there are no more entries (null cookie). 203*2de962bdSlukem S: SearchResultEntry 204*2de962bdSlukem S: SearchResultEntry 205*2de962bdSlukem S: SearchResultDone + pagedResultsControl(5,"") 206*2de962bdSlukem 207*2de962bdSlukem5. Relationship to X.500 208*2de962bdSlukem 209*2de962bdSlukem For LDAP servers providing a front end to X.500 (93) directories, the 210*2de962bdSlukem paged results control defined in this document may be mapped directly 211*2de962bdSlukem onto the X.500 (93) PagedResultsRequest defined in X.511 [x500]. The 212*2de962bdSlukem size parameter may be mapped onto pageSize. The cookie parameter may 213*2de962bdSlukem be mapped onto queryReference. The sortKeys and reverse fields in 214*2de962bdSlukem the X.500 PagedResultsRequest are excluded. 215*2de962bdSlukem 216*2de962bdSlukem 217*2de962bdSlukem 218*2de962bdSlukem 219*2de962bdSlukem 220*2de962bdSlukem 221*2de962bdSlukem 222*2de962bdSlukem 223*2de962bdSlukem 224*2de962bdSlukem 225*2de962bdSlukem 226*2de962bdSlukemWeider, et al. Informational [Page 4] 227*2de962bdSlukem 228*2de962bdSlukemRFC 2696 LDAP Control Ext. for Simple Paged Results September 1999 229*2de962bdSlukem 230*2de962bdSlukem 231*2de962bdSlukem6. Security Considerations 232*2de962bdSlukem 233*2de962bdSlukem Server implementors should consider the resources used when clients 234*2de962bdSlukem send searches with the simple paged control, to ensure that a 235*2de962bdSlukem client's misuse of this control does not lock out other legitimate 236*2de962bdSlukem operations. 237*2de962bdSlukem 238*2de962bdSlukem Servers implementations may enforce an overriding sizelimit, to 239*2de962bdSlukem prevent the retrieval of large portions of a publically-accessible 240*2de962bdSlukem directory. 241*2de962bdSlukem 242*2de962bdSlukem Clients can, using this control, determine how many entries match a 243*2de962bdSlukem particular filter, before the entries are returned to the client. 244*2de962bdSlukem This may require special processing in servers which perform access 245*2de962bdSlukem control checks on entries to determine whether the existence of the 246*2de962bdSlukem entry can be disclosed to the client. 247*2de962bdSlukem 248*2de962bdSlukem7. References 249*2de962bdSlukem 250*2de962bdSlukem [LDAPv3] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory 251*2de962bdSlukem Access Protocol (v3)", RFC 2251, December 1997. 252*2de962bdSlukem 253*2de962bdSlukem [Bradner97] Bradner, S., "Key Words for use in RFCs to Indicate 254*2de962bdSlukem Requirement Levels", BCP 14, RFC 2119, March 1997. 255*2de962bdSlukem 256*2de962bdSlukem 257*2de962bdSlukem 258*2de962bdSlukem 259*2de962bdSlukem 260*2de962bdSlukem 261*2de962bdSlukem 262*2de962bdSlukem 263*2de962bdSlukem 264*2de962bdSlukem 265*2de962bdSlukem 266*2de962bdSlukem 267*2de962bdSlukem 268*2de962bdSlukem 269*2de962bdSlukem 270*2de962bdSlukem 271*2de962bdSlukem 272*2de962bdSlukem 273*2de962bdSlukem 274*2de962bdSlukem 275*2de962bdSlukem 276*2de962bdSlukem 277*2de962bdSlukem 278*2de962bdSlukem 279*2de962bdSlukem 280*2de962bdSlukem 281*2de962bdSlukem 282*2de962bdSlukemWeider, et al. Informational [Page 5] 283*2de962bdSlukem 284*2de962bdSlukemRFC 2696 LDAP Control Ext. for Simple Paged Results September 1999 285*2de962bdSlukem 286*2de962bdSlukem 287*2de962bdSlukem8. Authors' Addresses 288*2de962bdSlukem 289*2de962bdSlukem Chris Weider 290*2de962bdSlukem Microsoft Corp. 291*2de962bdSlukem 1 Microsoft Way 292*2de962bdSlukem Redmond, WA 98052 293*2de962bdSlukem USA 294*2de962bdSlukem 295*2de962bdSlukem Phone: +1 425 882-8080 296*2de962bdSlukem EMail: cweider@microsoft.com 297*2de962bdSlukem 298*2de962bdSlukem 299*2de962bdSlukem Andy Herron 300*2de962bdSlukem Microsoft Corp. 301*2de962bdSlukem 1 Microsoft Way 302*2de962bdSlukem Redmond, WA 98052 303*2de962bdSlukem USA 304*2de962bdSlukem 305*2de962bdSlukem Phone: +1 425 882-8080 306*2de962bdSlukem EMail: andyhe@microsoft.com 307*2de962bdSlukem 308*2de962bdSlukem 309*2de962bdSlukem Anoop Anantha 310*2de962bdSlukem Microsoft Corp. 311*2de962bdSlukem 1 Microsoft Way 312*2de962bdSlukem Redmond, WA 98052 313*2de962bdSlukem USA 314*2de962bdSlukem 315*2de962bdSlukem Phone: +1 425 882-8080 316*2de962bdSlukem EMail: anoopa@microsoft.com 317*2de962bdSlukem 318*2de962bdSlukem 319*2de962bdSlukem Tim Howes 320*2de962bdSlukem Netscape Communications Corp. 321*2de962bdSlukem 501 E. Middlefield Road 322*2de962bdSlukem Mountain View, CA 94043 323*2de962bdSlukem USA 324*2de962bdSlukem 325*2de962bdSlukem Phone: +1 415 937-2600 326*2de962bdSlukem EMail: howes@netscape.com 327*2de962bdSlukem 328*2de962bdSlukem 329*2de962bdSlukem 330*2de962bdSlukem 331*2de962bdSlukem 332*2de962bdSlukem 333*2de962bdSlukem 334*2de962bdSlukem 335*2de962bdSlukem 336*2de962bdSlukem 337*2de962bdSlukem 338*2de962bdSlukemWeider, et al. Informational [Page 6] 339*2de962bdSlukem 340*2de962bdSlukemRFC 2696 LDAP Control Ext. for Simple Paged Results September 1999 341*2de962bdSlukem 342*2de962bdSlukem 343*2de962bdSlukem9. Full Copyright Statement 344*2de962bdSlukem 345*2de962bdSlukem Copyright (C) The Internet Society (1999). All Rights Reserved. 346*2de962bdSlukem 347*2de962bdSlukem This document and translations of it may be copied and furnished to 348*2de962bdSlukem others, and derivative works that comment on or otherwise explain it 349*2de962bdSlukem or assist in its implementation may be prepared, copied, published 350*2de962bdSlukem and distributed, in whole or in part, without restriction of any 351*2de962bdSlukem kind, provided that the above copyright notice and this paragraph are 352*2de962bdSlukem included on all such copies and derivative works. However, this 353*2de962bdSlukem document itself may not be modified in any way, such as by removing 354*2de962bdSlukem the copyright notice or references to the Internet Society or other 355*2de962bdSlukem Internet organizations, except as needed for the purpose of 356*2de962bdSlukem developing Internet standards in which case the procedures for 357*2de962bdSlukem copyrights defined in the Internet Standards process must be 358*2de962bdSlukem followed, or as required to translate it into languages other than 359*2de962bdSlukem English. 360*2de962bdSlukem 361*2de962bdSlukem The limited permissions granted above are perpetual and will not be 362*2de962bdSlukem revoked by the Internet Society or its successors or assigns. 363*2de962bdSlukem 364*2de962bdSlukem This document and the information contained herein is provided on an 365*2de962bdSlukem "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 366*2de962bdSlukem TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 367*2de962bdSlukem BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 368*2de962bdSlukem HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 369*2de962bdSlukem MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 370*2de962bdSlukem 371*2de962bdSlukemAcknowledgement 372*2de962bdSlukem 373*2de962bdSlukem Funding for the RFC Editor function is currently provided by the 374*2de962bdSlukem Internet Society. 375*2de962bdSlukem 376*2de962bdSlukem 377*2de962bdSlukem 378*2de962bdSlukem 379*2de962bdSlukem 380*2de962bdSlukem 381*2de962bdSlukem 382*2de962bdSlukem 383*2de962bdSlukem 384*2de962bdSlukem 385*2de962bdSlukem 386*2de962bdSlukem 387*2de962bdSlukem 388*2de962bdSlukem 389*2de962bdSlukem 390*2de962bdSlukem 391*2de962bdSlukem 392*2de962bdSlukem 393*2de962bdSlukem 394*2de962bdSlukemWeider, et al. Informational [Page 7] 395*2de962bdSlukem 396