[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Updated ID: draft-greenblatt-ldapext-sos-01
Updated Internet draft on simple subtree operations. See attached... Note
to readers that it now includes a "requirements section"...
Bruce
Application Working Group Bruce Greenblatt
Internet Draft
<draft-greenblatt-ldapext-sos-01>
Expires in six months
Simple Operations on Subtrees (for LDAP)
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
andits working groups. Note that other groups may also distribute work-
ing documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or made obsolete by
other documents at any time. It is not appropriate to use Internet-
Drafts as reference material or to cite them other than as a "working
draft" or "work in progress".
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow Direc-
tories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
Distribution of this document is unlimited.
Abstract
This draft defines several new LDAP extensions. These extensions
are operations that can manipulate an entire portion of Directory Infor-
mation Tree at once (DIT). This draft does not presume any specific DIT
structure or schema modifications.
1. Requirements
Here are some requirements that for building real world LDAP appli-
cations that try to operate on an entire subtree.
- Provide user feedback as to the progress of the long lived opera-
tion. In many scenarios, a subtree operation (e.g. subtree copy)
may take a long period of time (many hours for large subtrees). It
Greenblatt [Page 1]
Internet Draft July 2000
is essential to have a progress bar move across the screen as the
entries are deleted.
- As the delete subtree crosses containers into other LDAP servers,
additional authentication credentials may be required to be
retrieved from the LDAP client, in order to allow the operation to
proceed.
- If the authenticated user has access to only a portion of the sub-
tree to be deleted, it should be possible for the part of the sub-
tree that is possible to delete, to in fact be deleted. It should
also be possible to submit the operation in such a way that no
entries from the subtree are deleted unless it is possible to
delete all entries from the subtree.
- The list of entries that has been deleted by the operation should
be returned to the client. An incremental list of deleted entries
could be returned with the progress indication above.
- It should be possible to "cancel" the delete subtree operation,
just as the long lived Search operation can be "abandoned".
- It should be possible to delete only certain types of entries from
the subtree. For example, delete all printer objects from the sub-
tree.
Note that this current draft does not necessarily address all of
the requirements above.
2. Mechanism
Operations that make changes to the Directory Information Tree
(DIT) via that are part of the standard set of protocol operations oper-
ate on a single object. This document defines three new LDAP operations
that manipulate an entire DIT subtree. These three operations are:
- Copy Subtree
- Delete Subtree
- Update Subtree
The syntax that is used in any LDAP extended request is:
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
requestName [0] LDAPOID,
requestValue [1] OCTET STRING OPTIONAL }
Greenblatt [Page 2]
Internet Draft July 2000
The corresponding response syntax is:
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
COMPONENTS OF LDAPResult,
responseName [10] LDAPOID OPTIONAL,
response [11] OCTET STRING OPTIONAL }
The extensions defined in this draft obey this syntax. All OIDs
defined in this draft are rooted from:
1.3.6.1.4.1.5515
1.3.6.1.4.1 has been assigned as IANA-registered Private Enterprises,
and IANA has assigned 5515 to Directory Tools and Application Services,
Inc. (DTASI). 1.3.6.1.4.1.5515.3 is the root OID for LDAP extended
operations, and 1.3.6.1.4.1.5515.4 is the root OID for LDAP control
extensions (none of which are currently defined in this draft). Thus,
the OIDs for these extended operations are:
- 1.3.6.1.4.1.5515.3.1 - Copy Subtree Request
- 1.3.6.1.4.1.5515.3.2 - Copy Subtree Response
- 1.3.6.1.4.1.5515.3.3 - Delete Subtree Request
- 1.3.6.1.4.1.5515.3.4 - Delete Subtree Response
- 1.3.6.1.4.1.5515.3.5 - Update Subtree Request
- 1.3.6.1.4.1.5515.3.6 - Update Subtree Response
2.1. Copy Subtree
The Copy Subtree operation makes a replica of all objects from one
subtree (the source) in the DIT in another part (the target) in the DIT.
Note that if the LDAP client submitting the operation does not have
access to some objects in the source subtree, then objects corresponding
to them will not be created in the target subtree. Similarly, if the
LDAP client submitting the operation does not have access to some object
attributes in the source subtree, then the corresponding object in the
target subtree will be missing those attributes. The Copy Subtree
Request names the source and target of the operation:
CopySubtreeRequest ::= SEQUENCE {
source LDAPDN,
target LDAPDN,
filter Filter OPTIONAL}
Greenblatt [Page 3]
Internet Draft July 2000
If the filter is present in the request, only those objects in the
source subtree that match the filter are copied to the target subtree.
2.2. Delete Subtree
The Delete Subtree operation removes all objects from a specified
part (the target) in the DIT. Note that if the LDAP client submitting
the operation does not have access to some objects in the target sub-
tree, then those objects will not be deleted, and neither will any
objects betwween the target and the inaccessible object. The Delete
Subtree Request names the target:
DeleteSubtreeRequest ::= SEQUENCE {
source LDAPDN,
filter Filter OPTIONAL}
If the filter is present in the request, only those objects in the
source subtree that match the filter are deleted.
2.3. Update Subtree
The Update Subtree operation makes the same change to all objects
in a subtree (the target) in the DIT. Note that if the LDAP client sub-
mitting the operation does not have access to some objects in the source
subtree, then objects corresponding to them will not be modified. Simi-
larly, if the LDAP client submitting the operation does not have access
to some object attributes in the target subtree that are to be modified,
then the update operation fails on those objects. The format of the
Update Subtree request is identical to the Modify Operation:
UpdateSubtreeRequest ::= SEQUENCE {
object LDAPDN,
modification SEQUENCE OF SEQUENCE {
operation ENUMERATED {
add (0),
delete (1),
replace (2) },
modification AttributeTypeAndValues }
filter Filter OPTIONAL}
If the filter is present in the request, only those objects in the
source subtree that match the filter are updated.
3. References
[1] M. Wahl, et. al., "Lightweight Directory Access Protocol (v3)," RFC
2251, July 1997.
Greenblatt [Page 4]
Internet Draft July 2000
4. Author's Address
Bruce Greenblatt
DTASI
6841 Heaton Moor Drive
San Jose, CA 95119
USA
Phone: +1-408-390-4776
Email: bgreenblatt@dtasi.com
Greenblatt [Page 5]
==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com
See my new Book on Internet Directories:
http://www.phptr.com/ptrbooks/ptr_0139744525.html