-- Module Lightweight-Directory-Access-Protocol-V3 (RFC 2251:12/1997)
Lightweight-Directory-Access-Protocol-V3
--
-- This is based on the ASN.1 definitions in RFC 2251, with changes made
-- as necessary for Wireshark.
-- Copyright (C) The Internet Society (1997). This version of
-- this ASN.1 module is part of RFC 2251;
-- see the RFC itself for full legal notices.
--
-- Reviewer notes. This is the grammar the Wireshark LDAP dissector is
-- generated from, not a normative copy of the RFC; several deviations from
-- RFC 2251 are deliberate and are marked below.
--  * NOTE(review): the generated dissector is expected to derive its field
--    names from the identifiers here, so renaming an identifier, changing a
--    tag number or reordering a SEQUENCE is a behaviour change; confirm
--    against the generated code before touching any of them.
--  * COMPONENTS OF is not used (the lines are commented out in BindResponse
--    and ExtendedResponse), so the LDAPResult resultCode enumeration is
--    copied verbatim three times. A new result code must be added to all
--    three copies or the three PDUs will decode it differently.
--  * Every string type is declared as OCTET STRING (LDAPString, LDAPDN,
--    LDAPURL, Mechanism). RFC 2251 requires UTF-8, but nothing in this
--    module enforces it; consumers of decoded values get raw bytes and must
--    not assume they are valid UTF-8 or NUL-free.
--  * ASN.1 comments end at a second pair of dashes, not only at end of line,
--    and the rest of that line is then parsed as syntax. Never put a second
--    pair of dashes inside a comment here; the spaced dashes in the LDAPURL
--    comment below are deliberate for that reason.
--
DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- Top-level PDU; every LDAP operation is carried in one LDAPMessage.
-- messageID correlates a response with its request and is also what
-- AbandonRequest and CancelRequestValue refer to. Controls are optional
-- and each one may be flagged critical (see Control).
LDAPMessage ::= SEQUENCE {
	messageID MessageID,
	protocolOp ProtocolOp,
	controls [0] Controls OPTIONAL
}

-- maxInt is defined further down; ASN.1 allows the forward reference.
MessageID ::= INTEGER(0..maxInt)

-- One alternative per operation. intermediateResponse (APPLICATION 25)
-- is not in RFC 2251; it was added by later LDAP specifications (RFC 3771).
ProtocolOp ::= CHOICE {
	bindRequest BindRequest,
	bindResponse BindResponse,
	unbindRequest UnbindRequest,
	searchRequest SearchRequest,
	searchResEntry SearchResultEntry,
	searchResDone SearchResultDone,
	searchResRef SearchResultReference,
	modifyRequest ModifyRequest,
	modifyResponse ModifyResponse,
	addRequest AddRequest,
	addResponse AddResponse,
	delRequest DelRequest,
	delResponse DelResponse,
	modDNRequest ModifyDNRequest,
	modDNResponse ModifyDNResponse,
	compareRequest CompareRequest,
	compareResponse CompareResponse,
	abandonRequest AbandonRequest,
	extendedReq ExtendedRequest,
	extendedResp ExtendedResponse,
	intermediateResponse IntermediateResponse
	}


maxInt INTEGER ::= 2147483647 -- (2^^31 - 1)

-- Declared as a bare OCTET STRING rather than UTF8String; see the 4.1.2
-- note further down for the intended encoding. Decoded values are bytes.
LDAPString ::= OCTET STRING

-- Object identifier in dotted-decimal text form (for example the
-- passwdModify OID noted next to the RFC 3062 section below).
LDAPOID ::= OCTET STRING

-- Distinguished name as a string (RFC 2253 syntax); not validated here.
LDAPDN ::= LDAPString

RelativeLDAPDN ::= LDAPString

AttributeType ::= LDAPString

-- Attribute type optionally followed by ";option" qualifiers.
AttributeDescription ::= LDAPString

AttributeDescriptionList ::= SEQUENCE OF AttributeDescription

AttributeValue ::= OCTET STRING

-- Attribute/value pair used by compare and by equality-style filters.
AttributeValueAssertion ::= SEQUENCE {
	attributeDesc AttributeDescription,
	assertionValue AssertionValue
}

AssertionValue ::= OCTET STRING

Attribute ::= SEQUENCE {type AttributeDescription,
	vals SET OF AttributeValue
}

MatchingRuleId ::= LDAPString

-- Common result envelope. Per RFC 2251 the referral field is only present
-- when resultCode is referral(10). Codes 118..121 come from RFC 3909
-- (cancel). This enumeration is duplicated verbatim in BindResponse and
-- ExtendedResponse; keep all three identical.
LDAPResult ::= SEQUENCE {
	resultCode
		ENUMERATED {success(0), operationsError(1), protocolError(2),
		timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5),
		compareTrue(6), authMethodNotSupported(7),
		strongAuthRequired(8),
		-- 9 reserved
		referral(10),-- new-- adminLimitExceeded(11),-- new--
		unavailableCriticalExtension(12),-- new--
		confidentialityRequired(13),-- new--
		saslBindInProgress(14),-- new-- noSuchAttribute(16),
		undefinedAttributeType(17), inappropriateMatching(18),
		constraintViolation(19), attributeOrValueExists(20),
		invalidAttributeSyntax(21),
		-- 22-31 unused
		noSuchObject(32), aliasProblem(33),
		invalidDNSyntax(34),
		-- 35 reserved for undefined isLeaf
		aliasDereferencingProblem(36),
		-- 37-47 unused
		inappropriateAuthentication(48), invalidCredentials(49),
		insufficientAccessRights(50), busy(51), unavailable(52),
		unwillingToPerform(53),
		loopDetect(54),
		-- 55-63 unused
		namingViolation(64), objectClassViolation(65),
		notAllowedOnNonLeaf(66), notAllowedOnRDN(67),
		entryAlreadyExists(68),
		objectClassModsProhibited(69),
		-- 70 reserved for CLDAP
		affectsMultipleDSAs(71),-- new--
		-- 72-79 unused
		other(80),
		canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909
		},
	-- 81-90 reserved for APIs
	matchedDN LDAPDN,
	errorMessage ErrorMessage,
	referral [3] Referral OPTIONAL
}

-- Referral targets are server-chosen URLs. A client that follows them
-- automatically can be redirected to an arbitrary host, so they are
-- untrusted input on the client side; the dissector just shows them.
Referral ::= SEQUENCE OF LDAPURL

LDAPURL ::= OCTET STRING -- LDAPString - - limited to characters permitted in URLs

Controls ::= SEQUENCE OF Control

-- controlValue is an opaque blob whose layout depends on controlType; the
-- control-specific value types (SearchControlValue, SortKeyList, DirSync,
-- Sync*, PasswordPolicyResponseValue) are defined at the end of this
-- module. Per RFC 2251 a server that does not recognise a control marked
-- critical must fail the operation with unavailableCriticalExtension(12).
Control ::= SEQUENCE {
	controlType ControlType,
	criticality BOOLEAN DEFAULT FALSE,
	controlValue OCTET STRING OPTIONAL
}

ControlType ::= LDAPOID

-- version is 3 for LDAPv3; name is the bind DN (may be empty for
-- anonymous or SASL binds). A simple bind carries the password in the
-- Simple octet string in the clear, so any capture of an un-encrypted
-- session exposes the credential; the dissector shows it as-is.
BindRequest ::= [APPLICATION 0] SEQUENCE {
	version INTEGER(1..127),
	name LDAPDN,
	authentication AuthenticationChoice
}

-- Tags [10] and [11] are Wireshark-only additions (not in RFC 2251) so
-- that NTLMSSP blobs seen in bind requests can be decoded; see bug 1148.
AuthenticationChoice ::= CHOICE {
	simple [0] Simple,
	-- 1 and 2 reserved
	sasl [3] SaslCredentials,
	-- 10,11 from bug 1148
	ntlmsspNegotiate [10] IMPLICIT OCTET STRING,
	ntlmsspAuth [11] IMPLICIT OCTET STRING
}

-- Cleartext simple-bind password.
Simple ::= OCTET STRING

-- credentials is absent on the first round of a mechanism that has no
-- initial response; multi-step mechanisms continue while the server
-- answers saslBindInProgress(14) with serverSaslCreds.
SaslCredentials ::= SEQUENCE {
	mechanism Mechanism,
	credentials Credentials OPTIONAL
}

--4.1.2. String Types
--
-- The LDAPString is a notational convenience to indicate that, although
-- strings of LDAPString type encode as OCTET STRING types, the ISO
-- 10646 [13] character set (a superset of Unicode) is used, encoded
-- following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm
-- characters which are the same as ASCII (0x0000 through 0x007F) are
-- represented as that same ASCII character in a single byte. The other
-- byte values are used to form a variable-length encoding of an
-- arbitrary character.

-- Changed from LDAPString for Wireshark; the reason is not recorded here
-- (presumably so the mechanism name is handled as raw bytes).
-- Mechanism ::= LDAPString
Mechanism ::= OCTET STRING

Credentials ::= OCTET STRING

-- COMPONENTS OF LDAPResult is commented out and the fields are inlined
-- by hand; the resultCode list below must stay identical to LDAPResult.
-- serverSaslCreds carries the server's SASL challenge or final data.
BindResponse ::= [APPLICATION 1] SEQUENCE {
-- COMPONENTS OF LDAPResult,
	resultCode
		ENUMERATED {success(0), operationsError(1), protocolError(2),
		timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5),
		compareTrue(6), authMethodNotSupported(7),
		strongAuthRequired(8),
		-- 9 reserved
		referral(10),-- new-- adminLimitExceeded(11),-- new--
		unavailableCriticalExtension(12),-- new--
		confidentialityRequired(13),-- new--
		saslBindInProgress(14),-- new-- noSuchAttribute(16),
		undefinedAttributeType(17), inappropriateMatching(18),
		constraintViolation(19), attributeOrValueExists(20),
		invalidAttributeSyntax(21),
		-- 22-31 unused
		noSuchObject(32), aliasProblem(33),
		invalidDNSyntax(34),
		-- 35 reserved for undefined isLeaf
		aliasDereferencingProblem(36),
		-- 37-47 unused
		inappropriateAuthentication(48), invalidCredentials(49),
		insufficientAccessRights(50), busy(51), unavailable(52),
		unwillingToPerform(53),
		loopDetect(54),
		-- 55-63 unused
		namingViolation(64), objectClassViolation(65),
		notAllowedOnNonLeaf(66), notAllowedOnRDN(67),
		entryAlreadyExists(68),
		objectClassModsProhibited(69),
		-- 70 reserved for CLDAP
		affectsMultipleDSAs(71),-- new--
		-- 72-79 unused
		other(80),
		canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909
		},
	-- 81-90 reserved for APIs
	matchedDN LDAPDN,
	errorMessage ErrorMessage,
	referral [3] Referral OPTIONAL,

-- end of components
	serverSaslCreds [7] ServerSaslCreds OPTIONAL
}

ServerSaslCreds ::= OCTET STRING

ErrorMessage ::= LDAPString

-- Empty body; the server sends no response and simply closes the session.
UnbindRequest ::= [APPLICATION 2] NULL

-- sizeLimit/timeLimit of 0 mean no client-imposed limit (the server may
-- still apply its own). An empty attributes list requests all user
-- attributes; typesOnly suppresses values in the result entries.
SearchRequest ::= [APPLICATION 3] SEQUENCE {
	baseObject LDAPDN,
	scope ENUMERATED {baseObject(0), singleLevel(1), wholeSubtree(2)},
	derefAliases
		ENUMERATED {neverDerefAliases(0), derefInSearching(1),
		derefFindingBaseObj(2), derefAlways(3)},
	sizeLimit INTEGER(0..maxInt),
	timeLimit INTEGER(0..maxInt),
	typesOnly BOOLEAN,
	filter Filter,
	attributes AttributeDescriptionList
}

-- Recursive: and/or/not each contain further Filters with no depth bound
-- in the grammar. A peer can therefore send arbitrarily deep nesting;
-- NOTE(review): confirm the generated dissector's recursion limit covers
-- this path, since the grammar itself gives none.
Filter ::= CHOICE {
	and [0] SET OF Filter,
	or [1] SET OF Filter,
	not [2] Filter,
	equalityMatch [3] AttributeValueAssertion,
	substrings [4] SubstringFilter,
	greaterOrEqual [5] AttributeValueAssertion,
	lessOrEqual [6] AttributeValueAssertion,
	present [7] AttributeDescription,
	approxMatch [8] AttributeValueAssertion,
	extensibleMatch [9] MatchingRuleAssertion
}

-- RFC 2251: initial may appear at most once and only first, final at
-- most once and only last; the grammar does not enforce either.
SubstringFilter ::= SEQUENCE {
	type AttributeDescription,
	-- at least one must be present
	substrings
		SEQUENCE OF
		CHOICE {initial [0] LDAPString,
		any [1] LDAPString,
		final [2] LDAPString}
}

-- RFC 2251: if matchingRule is absent, type must be present (equality
-- match on that type); dnAttributes extends the match to DN components.
MatchingRuleAssertion ::= SEQUENCE {
	matchingRule [1] MatchingRuleId OPTIONAL,
	type [2] AttributeDescription OPTIONAL,
	matchValue [3] AssertionValue,
	dnAttributes [4] BOOLEAN DEFAULT FALSE
}

SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
	objectName LDAPDN,
	attributes PartialAttributeList
}

-- Structurally the same as AttributeList/Attribute; kept separate so the
-- dissector can label search-result attributes distinctly.
PartialAttributeList ::=
	SEQUENCE OF SEQUENCE {type AttributeDescription,
	vals SET OF AttributeValue}

-- Continuation references; same untrusted-URL caveat as Referral.
SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL

SearchResultDone ::= [APPLICATION 5] LDAPResult

-- increment(3) is not in RFC 2251; it is the RFC 4525 modify-increment
-- extension.
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
	object LDAPDN,
	modification
		SEQUENCE OF
		SEQUENCE {operation ENUMERATED {add(0), delete(1), replace(2), increment(3)},
		modification AttributeTypeAndValues}
}

AttributeTypeAndValues ::= SEQUENCE {
	type AttributeDescription,
	vals SET OF AttributeValue
}

ModifyResponse ::= [APPLICATION 7] LDAPResult

AddRequest ::= [APPLICATION 8] SEQUENCE {
	entry LDAPDN,
	attributes AttributeList
}

AttributeList ::=
	SEQUENCE OF SEQUENCE {type AttributeDescription,
	vals SET OF AttributeValue}

AddResponse ::= [APPLICATION 9] LDAPResult

-- Note: a bare DN with the APPLICATION tag, not a SEQUENCE.
DelRequest ::= [APPLICATION 10] LDAPDN

DelResponse ::= [APPLICATION 11] LDAPResult

-- newSuperior, when present, moves the entry (and any subtree) under a
-- different parent; deleteoldrdn controls whether the old RDN attribute
-- value is removed from the entry.
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
	entry LDAPDN,
	newrdn RelativeLDAPDN,
	deleteoldrdn BOOLEAN,
	newSuperior [0] LDAPDN OPTIONAL
}

ModifyDNResponse ::= [APPLICATION 13] LDAPResult

-- Answered with compareTrue(6)/compareFalse(5) in the result code.
CompareRequest ::= [APPLICATION 14] SEQUENCE {
	entry LDAPDN,
	ava AttributeValueAssertion
}

CompareResponse ::= [APPLICATION 15] LDAPResult

-- Carries the MessageID of the operation to abandon; RFC 2251 defines
-- no response for it (contrast CancelRequestValue below).
AbandonRequest ::= [APPLICATION 16] MessageID

-- requestName selects the operation; requestValue is decoded according
-- to it (see PasswdModifyRequestValue and CancelRequestValue below).
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
	requestName [0] LDAPOID,
	requestValue [1] OCTET STRING OPTIONAL
}

-- Third hand-inlined copy of the LDAPResult fields; keep the resultCode
-- list identical to LDAPResult. responseName/response use tags [10]/[11].
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
-- COMPONENTS OF LDAPResult,
	resultCode
		ENUMERATED {success(0), operationsError(1), protocolError(2),
		timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5),
		compareTrue(6), authMethodNotSupported(7),
		strongAuthRequired(8),
		-- 9 reserved
		referral(10),-- new-- adminLimitExceeded(11),-- new--
		unavailableCriticalExtension(12),-- new--
		confidentialityRequired(13),-- new--
		saslBindInProgress(14),-- new-- noSuchAttribute(16),
		undefinedAttributeType(17), inappropriateMatching(18),
		constraintViolation(19), attributeOrValueExists(20),
		invalidAttributeSyntax(21),
		-- 22-31 unused
		noSuchObject(32), aliasProblem(33),
		invalidDNSyntax(34),
		-- 35 reserved for undefined isLeaf
		aliasDereferencingProblem(36),
		-- 37-47 unused
		inappropriateAuthentication(48), invalidCredentials(49),
		insufficientAccessRights(50), busy(51), unavailable(52),
		unwillingToPerform(53),
		loopDetect(54),
		-- 55-63 unused
		namingViolation(64), objectClassViolation(65),
		notAllowedOnNonLeaf(66), notAllowedOnRDN(67),
		entryAlreadyExists(68),
		objectClassModsProhibited(69),
		-- 70 reserved for CLDAP
		affectsMultipleDSAs(71),-- new--
		-- 72-79 unused
		other(80),
		canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909
		},
	-- 81-90 reserved for APIs
	matchedDN LDAPDN,
	errorMessage ErrorMessage,
	referral [3] Referral OPTIONAL,
-- end of COMPONENTS
	responseName [10] ResponseName OPTIONAL,
	response [11] OCTET STRING OPTIONAL
}

-- Zero or more of these may precede the final response of an operation
-- (RFC 3771); responseValue is opaque and keyed by responseName.
IntermediateResponse ::= [APPLICATION 25] SEQUENCE {
	responseName [0] ResponseName OPTIONAL,
	responseValue [1] OCTET STRING OPTIONAL
}

ResponseName ::= LDAPOID

-- RFC 2696 - Simple Paged Results Manipulation

-- The (0..maxInt) constraint is intentionally commented out, presumably
-- so that sizes outside that range still decode instead of erroring;
-- TODO confirm the reason. cookie is opaque server state; an empty
-- cookie in a response means there are no further pages.
SearchControlValue ::= SEQUENCE {
	size INTEGER --(0..maxInt)--,
	-- requested page size from client
	-- result set size estimate from server
	cookie OCTET STRING
}

-- RFC 2891 - Server Side Sorting of Search Results

SortKeyList ::= SEQUENCE OF SEQUENCE {
	attributeType AttributeDescription,
	orderingRule [0] MatchingRuleId OPTIONAL,
	reverseOrder [1] BOOLEAN DEFAULT FALSE }

-- attributeType, when present, names the sort key the error refers to.
SortResult ::= SEQUENCE {
	sortResult ENUMERATED {
		success (0), -- results are sorted
		operationsError (1), -- server internal failure
		timeLimitExceeded (3), -- timelimit reached before
		-- sorting was completed
		strongAuthRequired (8), -- refused to return sorted
		-- results via insecure
		-- protocol
		adminLimitExceeded (11), -- too many matching entries
		-- for the server to sort
		noSuchAttribute (16), -- unrecognized attribute
		-- type in sort key
		inappropriateMatching (18), -- unrecognized or
		-- inappropriate matching
		-- rule in sort key
		insufficientAccessRights (50), -- refused to return sorted
		-- results to this client
		busy (51), -- too busy to process
		unwillingToPerform (53), -- unable to sort
		other (80)
		},
	attributeType [0] AttributeDescription OPTIONAL }


-- Draft RFC - but used in some implementations
-- (apparently the Microsoft DirSync replication control; no OID is
-- recorded in this module)
-- Normally it's an integer but we want to generate a subitem
DirSyncFlagsSubEntry ::= SEQUENCE {
	value [0] INTEGER
}

DirSyncFlags ::= INTEGER

-- cookie is opaque server state returned to the client for the next round.
DirSyncControlValue ::= SEQUENCE {
	flags DirSyncFlags,
	maxBytes INTEGER,
	cookie OCTET STRING
}

-- RFC 3062

--passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1

-- oldPasswd and newPasswd travel in the clear inside the extended
-- request value; a capture of an un-encrypted session exposes both.
-- userIdentity absent means the bound identity.
PasswdModifyRequestValue ::= SEQUENCE {
	userIdentity [0] OCTET STRING OPTIONAL,
	oldPasswd [1] OCTET STRING OPTIONAL,
	newPasswd [2] OCTET STRING OPTIONAL
}

-- genPasswd is a server-generated password, returned only when the
-- request omitted newPasswd; equally sensitive in captures.
PasswdModifyResponseValue ::= SEQUENCE {
	genPasswd [0] OCTET STRING OPTIONAL
}

-- RFC 3909

--cancelRequestOID OBJECT IDENTIFIER ::= 1.3.6.1.1.8

-- Unlike AbandonRequest, cancel gets a response; the result codes
-- 118..121 in LDAPResult exist for it.
CancelRequestValue ::= SEQUENCE {
	cancelID MessageID
}

-- RFC 4533

--syncRequestOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.1

-- Content synchronization request control. Modes 0 and 2 are not valid.
SyncRequestValue ::= SEQUENCE {
	mode ENUMERATED {
		-- 0 unused
		refreshOnly (1),
		-- 2 reserved
		refreshAndPersist (3)
		},
	cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
	reloadHint BOOLEAN DEFAULT FALSE
}

--syncStateOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.2

-- Attached to each SearchResultEntry/Reference in a sync search.
SyncStateValue ::= SEQUENCE {
	state ENUMERATED {
		present (0),
		add (1),
		modify (2),
		delete (3)
		},
	entryUUID SyncUUID,
	cookie OCTET STRING OPTIONAL -- SyncCookie OPTIONAL
}

--syncDoneOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.3

SyncDoneValue ::= SEQUENCE {
	cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
	refreshDeletes BOOLEAN DEFAULT FALSE
}

--syncInfoOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.4

-- Carried in an IntermediateResponse during a sync search.
SyncInfoValue ::= CHOICE {
	newcookie [0] OCTET STRING, -- SyncCookie
	refreshDelete [1] SEQUENCE {
		cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
		refreshDone BOOLEAN DEFAULT TRUE
		},
	refreshPresent [2] SEQUENCE {
		cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
		refreshDone BOOLEAN DEFAULT TRUE
		},
	syncIdSet [3] SEQUENCE {
		cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL
		refreshDeletes BOOLEAN DEFAULT FALSE,
		syncUUIDs SET OF SyncUUID
		}
}

-- The only size-constrained OCTET STRING in this module (a 16-byte UUID).
-- NOTE(review): confirm the generated dissector actually rejects other
-- lengths rather than just displaying them.
SyncUUID ::= OCTET STRING(SIZE(16))

-- SyncCookie ::= OCTET STRING

--

-- Draft RFC - Password Policy for LDAP Directories
-- https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt

-- Response control: either a warning (time or grace logins left) or an
-- error explaining why a bind/password change failed, or neither.
PasswordPolicyResponseValue ::= SEQUENCE {
	warning [0] CHOICE {
		timeBeforeExpiration [0] INTEGER (0 .. maxInt),
		graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
	error [1] ENUMERATED {
		passwordExpired (0),
		accountLocked (1),
		changeAfterReset (2),
		passwordModNotAllowed (3),
		mustSupplyOldPassword (4),
		insufficientPasswordQuality (5),
		passwordTooShort (6),
		passwordTooYoung (7),
		passwordInHistory (8) } OPTIONAL }

END

-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D
