Published June 21, 2023 (author: )

LDAPv3 protocol walkthrough

PDU (Protocol Data Unit)

LDAP is an access protocol that runs on top of TCP/IP. The protocol is described with ASN.1 encoding, and every LDAP exchange is wrapped in an envelope of the following structure:

    LDAPMessage ::= SEQUENCE {
        messageID       MessageID,
            -- unique identifier: within one connection the client does not reuse the
            -- ID of an outstanding request; in practice clients simply count the
            -- messages they send
        protocolOp      CHOICE {
            bindRequest     BindRequest,
            bindResponse    BindResponse,
            unbindRequest   UnbindRequest,
            searchRequest   SearchRequest,
            searchResEntry  SearchResultEntry,
            searchResDone   SearchResultDone,
            searchResRef    SearchResultReference,
            modifyRequest   ModifyRequest,
            modifyResponse  ModifyResponse,
            addRequest      AddRequest,
            addResponse     AddResponse,
            delRequest      DelRequest,
            delResponse     DelResponse,
            modDNRequest    ModifyDNRequest,
            modDNResponse   ModifyDNResponse,
            compareRequest  CompareRequest,
            compareResponse CompareResponse,
            abandonRequest  AbandonRequest,
            extendedReq     ExtendedRequest,
            extendedResp    ExtendedResponse },
        controls        [0] Controls OPTIONAL }

    MessageID ::= INTEGER (0 .. maxInt)

    maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

All LDAP packets must be contained in an LDAPMessage. If the server receives an LDAP PDU it cannot parse, it returns a protocolError result and immediately closes the connection. A client discards PDUs from the server that it cannot parse, or abruptly closes the connection.

LDAPString is carried as an OCTET STRING encoded in UTF-8.

Distinguished Name and Relative Distinguished Name

Their string productions are as defined in [4].

    LDAPDN ::= LDAPString
    RelativeLDAPDN ::= LDAPString

Attribute type

    AttributeType ::= LDAPString

Every attribute type has a unique OBJECT IDENTIFIER. If the attribute type also has a string name, the string name must be used; otherwise the OBJECT IDENTIFIER is used.

Attribute structure

    Attribute ::= SEQUENCE {
        type    AttributeDescription,
        vals    SET OF AttributeValue }

    AttributeDescription ::= LDAPString

Syntactically an AttributeDescription is an attribute type optionally followed by ";" and a list of options.

Result Message: carries the success or failure of a request back from the server to the client.

    LDAPResult ::= SEQUENCE {
        resultCode      ENUMERATED {
            success                      (0),
            operationsError              (1),
            protocolError                (2),
            timeLimitExceeded            (3),
            sizeLimitExceeded            (4),
            compareFalse                 (5),
            compareTrue                  (6),
            authMethodNotSupported       (7),
            strongAuthRequired           (8),
                -- 9 reserved --
            referral                     (10),  -- new
            adminLimitExceeded           (11),  -- new
            unavailableCriticalExtension (12),  -- new
            confidentialityRequired      (13),  -- new
            saslBindInProgress           (14),  -- new
            noSuchAttribute              (16),
            undefinedAttributeType       (17),
            inappropriateMatching        (18),
            constraintViolation          (19),
            attributeOrValueExists       (20),
            invalidAttributeSyntax       (21),
                -- 22-31 unused --
            noSuchObject                 (32),
            aliasProblem                 (33),
            invalidDNSyntax              (34),
                -- 35 reserved for undefined isLeaf --
            aliasDereferencingProblem    (36),
                -- 37-47 unused --
            inappropriateAuthentication  (48),
            invalidCredentials           (49),
            insufficientAccessRights     (50),
            busy                         (51),
            unavailable                  (52),
            unwillingToPerform           (53),
            loopDetect                   (54),
                -- 55-63 unused --
            namingViolation              (64),
            objectClassViolation         (65),
            notAllowedOnNonLeaf          (66),
            notAllowedOnRDN              (67),
            entryAlreadyExists           (68),
            objectClassModsProhibited    (69),
                -- 70 reserved for CLDAP --
            affectsMultipleDSAs          (71),  -- new
                -- 72-79 unused --
            other                        (80) },
                -- 81-90 reserved for APIs --
        matchedDN       LDAPDN,
        errorMessage    LDAPString,
        referral        [3] Referral OPTIONAL }

Any resultCode other than success, compareFalse and compareTrue means the operation could not be completed. Most result codes correspond to X.511 error types; codes not listed here are treated as unknown errors. The codes group as follows:

    16-21               attribute problems
    32, 33, 34 and 36   name problems
    48, 49 and 50       security problems
    51-54               service problems
    64, 69, 71          update problems

A referral result means the requested target entry is not held by this server.

    Referral ::= SEQUENCE OF LDAPURL  -- one or more
    LDAPURL ::= LDAPString  -- limited to characters permitted in URLs

Controls

    Controls ::= SEQUENCE OF Control

    Control ::= SEQUENCE {
        controlType     LDAPOID,
        criticality     BOOLEAN DEFAULT FALSE,
        controlValue    OCTET STRING OPTIONAL }

Bind operation

The bind operation allows authentication information to be exchanged between the client and the server. The bind request is defined as:

    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version         INTEGER (1 .. 127),    -- not negotiated: the client chooses it on its own
        name            LDAPDN,                -- the DN the client wants to bind as
        authentication  AuthenticationChoice } -- the credentials

    AuthenticationChoice ::= CHOICE {
        simple          [0] OCTET STRING,
                        -- 1 and 2 reserved
        sasl            [3] SaslCredentials }

    SaslCredentials ::= SEQUENCE {
        mechanism       LDAPString,
        credentials     OCTET STRING OPTIONAL }

Bind request sequence: some SASL mechanisms require several BindRequests to be sent. If the client wants to abort the bind partway through, the association already established is discarded, and the client must not insert any other operation between the bind requests. The client cancels a SASL negotiation by sending a bind request that carries different authentication credentials.

Bind response

    BindResponse ::= [APPLICATION 1] SEQUENCE {
        COMPONENTS OF LDAPResult,
        serverSaslCreds [7] OCTET STRING OPTIONAL }

If the bind succeeds the resultCode is success; otherwise it is one of:

- operationsError: server encountered an internal error,
- protocolError: unrecognized version number or incorrect PDU structure,
- authMethodNotSupported: unrecognized SASL mechanism name,
- strongAuthRequired: the server requires authentication be performed with a SASL mechanism,
- referral: this server cannot accept this bind and the client should try another,
- saslBindInProgress: the server requires the client to send a new bind request, with the same sasl mechanism, to continue the authentication process,
- inappropriateAuthentication: the server requires the client which had attempted to bind anonymously or without supplying credentials to provide some form of credentials,
- invalidCredentials: the wrong password was supplied or the SASL credentials could not be processed,
- unavailable: the server is shutting down.
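An added example, not code from the original post, of the LDAPMessage envelope and simple-auth BindRequest definitions above: a minimal BER encoder and decoder in Python. The DN and password are constructed sample values, and the decoder rejects PDUs that are not a well-formed envelope, which is the protocolError case the text describes.

```python
# Added example (not code from the original post): minimal BER encode/decode of the
# LDAPMessage envelope carrying a simple-auth BindRequest; definite lengths only.

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a single-byte tag and a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ber_int(value: int) -> bytes:
    """Universal INTEGER (tag 0x02), two's complement, minimal length."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def bind_request(message_id: int, name: str, password: bytes, version: int = 3) -> bytes:
    """LDAPMessage { messageID, bindRequest }: [APPLICATION 0] SEQUENCE is tag 0x60,
    AuthenticationChoice simple [0] OCTET STRING is context tag 0x80 (no controls)."""
    auth = tlv(0x80, password)
    op = tlv(0x60, ber_int(version) + tlv(0x04, name.encode("utf-8")) + auth)
    return tlv(0x30, ber_int(message_id) + op)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the TLV) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    if pos + n > len(buf):
        raise ValueError("protocolError: length exceeds PDU")
    return tag, buf[pos:pos + n], pos + n

def parse_message(pdu: bytes) -> dict:
    """Decode the envelope; a PDU that is not SEQUENCE { INTEGER, op } is a protocolError."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("protocolError: not an LDAPMessage SEQUENCE")
    t, mid, pos = read_tlv(body, 0)
    if t != 0x02:
        raise ValueError("protocolError: messageID is not INTEGER")
    op_tag, op_body, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(mid, "big", signed=True), "op": op_tag & 0x1F}
    if op_tag == 0x60:  # bindRequest: version, name, authentication
        _, ver, p = read_tlv(op_body, 0)
        _, dn, p = read_tlv(op_body, p)
        auth_tag, _, _ = read_tlv(op_body, p)
        msg.update(version=int.from_bytes(ver, "big"), name=dn.decode("utf-8"),
                   auth="simple" if auth_tag == 0x80 else "sasl")
    return msg
```

The "auth" field makes simple binds easy to flag when inspecting captured traffic, since a simple bind carries the password as a plain OCTET STRING unless the transport is protected.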

Unbind operation: ends the protocol session.

    UnbindRequest ::= [APPLICATION 2] NULL

Notice of disconnection: the server notifies the client that it is closing the connection.

Search operation

    SearchRequest ::= [APPLICATION 3] SEQUENCE {
        baseObject      LDAPDN,  -- the base DN
        scope           ENUMERATED {
            baseObject      (0),
            singleLevel     (1),
            wholeSubtree    (2) },
        derefAliases    ENUMERATED {
            neverDerefAliases   (0),
            derefInSearching    (1),
            derefFindingBaseObj (2),
            derefAlways         (3) },
        sizeLimit       INTEGER (0 .. maxInt),
        timeLimit       INTEGER (0 .. maxInt),
        typesOnly       BOOLEAN,
        filter          Filter,
        attributes      AttributeDescriptionList }

    Filter ::= CHOICE {  -- the filter condition
        and             [0] SET OF Filter,
        or              [1] SET OF Filter,
        not             [2] Filter,
        equalityMatch   [3] AttributeValueAssertion,
        substrings      [4] SubstringFilter,
        greaterOrEqual  [5] AttributeValueAssertion,
        lessOrEqual     [6] AttributeValueAssertion,
        present         [7] AttributeDescription,
        approxMatch     [8] AttributeValueAssertion,
        extensibleMatch [9] MatchingRuleAssertion }

    SubstringFilter ::= SEQUENCE {  -- substring sub-condition
        type            AttributeDescription,
        -- at least one must be present
        substrings      SEQUENCE OF CHOICE {
            initial [0] LDAPString,
            any     [1] LDAPString,
            final   [2] LDAPString } }

    MatchingRuleAssertion ::= SEQUENCE {
        matchingRule    [1] MatchingRuleId OPTIONAL,
        type            [2] AttributeDescription OPTIONAL,
        matchValue      [3] AssertionValue,
        dnAttributes    [4] BOOLEAN DEFAULT FALSE }

Search Result

    SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
        objectName      LDAPDN,
        attributes      PartialAttributeList }

    PartialAttributeList ::= SEQUENCE OF SEQUENCE {
        type    AttributeDescription,
        vals    SET OF AttributeValue }

    SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL

    SearchResultDone ::= [APPLICATION 5] LDAPResult

Modify Operation

    ModifyRequest ::= [APPLICATION 6] SEQUENCE {
        object          LDAPDN,
        modification    SEQUENCE OF SEQUENCE {
            operation       ENUMERATED {
                add     (0),
                delete  (1),
                replace (2) },
            modification    AttributeTypeAndValues } }

    AttributeTypeAndValues ::= SEQUENCE {
        type    AttributeDescription,
        vals    SET OF AttributeValue }

Add Operation

    AddRequest ::= [APPLICATION 8] SEQUENCE {
        entry       LDAPDN,
        attributes  AttributeList }

    AttributeList ::= SEQUENCE OF SEQUENCE {
        type    AttributeDescription,
        vals    SET OF AttributeValue }

    AddResponse ::= [APPLICATION 9] LDAPResult

Delete Operation

    DelRequest ::= [APPLICATION 10] LDAPDN

    DelResponse ::= [APPLICATION 11] LDAPResult

Modify DN Operation

    ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
        entry           LDAPDN,
        newrdn          RelativeLDAPDN,
        deleteoldrdn    BOOLEAN,
        newSuperior     [0] LDAPDN OPTIONAL }

    ModifyDNResponse ::= [APPLICATION 13] LDAPResult

Compare Operation

    CompareRequest ::= [APPLICATION 14] SEQUENCE {
        entry   LDAPDN,
        ava     AttributeValueAssertion }

    CompareResponse ::= [APPLICATION 15] LDAPResult

Abandon Operation

    AbandonRequest ::= [APPLICATION 16] MessageID

Extended Operation

    ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
        requestName     [0] LDAPOID,
        requestValue    [1] OCTET STRING OPTIONAL }

    ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
        COMPONENTS OF LDAPResult,
        responseName    [10] LDAPOID OPTIONAL,
        response        [11] OCTET STRING OPTIONAL }
