-- Module Lightweight-Directory-Access-Protocol-V3 (RFC 2251:12/1997) Lightweight-Directory-Access-Protocol-V3 -- -- This is based on the ASN.1 definitions in RFC 2251, with changes made -- as necessary for Wireshark. -- Copyright (C) The Internet Society (1997). This version of -- this ASN.1 module is part of RFC 2251; -- see the RFC itself for full legal notices. -- DEFINITIONS IMPLICIT TAGS ::= BEGIN LDAPMessage ::= SEQUENCE { messageID MessageID, protocolOp ProtocolOp, controls [0] Controls OPTIONAL } MessageID ::= INTEGER(0..maxInt) ProtocolOp ::= CHOICE { bindRequest BindRequest, bindResponse BindResponse, unbindRequest UnbindRequest, searchRequest SearchRequest, searchResEntry SearchResultEntry, searchResDone SearchResultDone, searchResRef SearchResultReference, modifyRequest ModifyRequest, modifyResponse ModifyResponse, addRequest AddRequest, addResponse AddResponse, delRequest DelRequest, delResponse DelResponse, modDNRequest ModifyDNRequest, modDNResponse ModifyDNResponse, compareRequest CompareRequest, compareResponse CompareResponse, abandonRequest AbandonRequest, extendedReq ExtendedRequest, extendedResp ExtendedResponse, intermediateResponse IntermediateResponse } maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) LDAPString ::= OCTET STRING LDAPOID ::= OCTET STRING LDAPDN ::= LDAPString RelativeLDAPDN ::= LDAPString AttributeType ::= LDAPString AttributeDescription ::= LDAPString AttributeDescriptionList ::= SEQUENCE OF AttributeDescription AttributeValue ::= OCTET STRING AttributeValueAssertion ::= SEQUENCE { attributeDesc AttributeDescription, assertionValue AssertionValue } AssertionValue ::= OCTET STRING Attribute ::= SEQUENCE {type AttributeDescription, vals SET OF AttributeValue } MatchingRuleId ::= LDAPString LDAPResult ::= SEQUENCE { resultCode ENUMERATED {success(0), operationsError(1), protocolError(2), timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), compareTrue(6), authMethodNotSupported(7), strongAuthRequired(8), -- 9 reserved referral(10),-- new-- adminLimitExceeded(11),-- new-- unavailableCriticalExtension(12),-- new-- confidentialityRequired(13),-- new-- saslBindInProgress(14),-- new-- noSuchAttribute(16), undefinedAttributeType(17), inappropriateMatching(18), constraintViolation(19), attributeOrValueExists(20), invalidAttributeSyntax(21), -- 22-31 unused noSuchObject(32), aliasProblem(33), invalidDNSyntax(34), -- 35 reserved for undefined isLeaf aliasDereferencingProblem(36), -- 37-47 unused inappropriateAuthentication(48), invalidCredentials(49), insufficientAccessRights(50), busy(51), unavailable(52), unwillingToPerform(53), loopDetect(54), -- 55-63 unused namingViolation(64), objectClassViolation(65), notAllowedOnNonLeaf(66), notAllowedOnRDN(67), entryAlreadyExists(68), objectClassModsProhibited(69), -- 70 reserved for CLDAP affectsMultipleDSAs(71),-- new-- -- 72-79 unused other(80), canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909 }, -- 81-90 reserved for APIs matchedDN LDAPDN, errorMessage ErrorMessage, referral [3] Referral OPTIONAL } Referral ::= SEQUENCE OF LDAPURL LDAPURL ::= OCTET STRING -- LDAPString - - limited to characters permitted in URLs Controls ::= SEQUENCE OF Control Control ::= SEQUENCE { controlType ControlType, criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL } ControlType ::= LDAPOID BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER(1..127), name LDAPDN, authentication AuthenticationChoice } AuthenticationChoice ::= CHOICE { simple [0] Simple, -- 1 and 2 reserved sasl [3] SaslCredentials, -- 10,11 from bug 1148 ntlmsspNegotiate [10] IMPLICIT OCTET STRING, ntlmsspAuth [11] IMPLICIT OCTET STRING } Simple ::= OCTET STRING SaslCredentials ::= SEQUENCE { mechanism Mechanism, credentials Credentials OPTIONAL } --4.1.2. String Types -- -- The LDAPString is a notational convenience to indicate that, although -- strings of LDAPString type encode as OCTET STRING types, the ISO -- 10646 [13] character set (a superset of Unicode) is used, encoded -- following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm -- characters which are the same as ASCII (0x0000 through 0x007F) are -- represented as that same ASCII character in a single byte. The other -- byte values are used to form a variable-length encoding of an -- arbitrary character. -- Mechanism ::= LDAPString Mechanism ::= OCTET STRING Credentials ::= OCTET STRING BindResponse ::= [APPLICATION 1] SEQUENCE { -- COMPONENTS OF LDAPResult, resultCode ENUMERATED {success(0), operationsError(1), protocolError(2), timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), compareTrue(6), authMethodNotSupported(7), strongAuthRequired(8), -- 9 reserved referral(10),-- new-- adminLimitExceeded(11),-- new-- unavailableCriticalExtension(12),-- new-- confidentialityRequired(13),-- new-- saslBindInProgress(14),-- new-- noSuchAttribute(16), undefinedAttributeType(17), inappropriateMatching(18), constraintViolation(19), attributeOrValueExists(20), invalidAttributeSyntax(21), -- 22-31 unused noSuchObject(32), aliasProblem(33), invalidDNSyntax(34), -- 35 reserved for undefined isLeaf aliasDereferencingProblem(36), -- 37-47 unused inappropriateAuthentication(48), invalidCredentials(49), insufficientAccessRights(50), busy(51), unavailable(52), unwillingToPerform(53), loopDetect(54), -- 55-63 unused namingViolation(64), objectClassViolation(65), notAllowedOnNonLeaf(66), notAllowedOnRDN(67), entryAlreadyExists(68), objectClassModsProhibited(69), -- 70 reserved for CLDAP affectsMultipleDSAs(71),-- new-- -- 72-79 unused other(80), canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909 }, -- 81-90 reserved for APIs matchedDN LDAPDN, errorMessage ErrorMessage, referral [3] Referral OPTIONAL, -- end of components serverSaslCreds [7] ServerSaslCreds OPTIONAL } ServerSaslCreds ::= OCTET STRING ErrorMessage ::= LDAPString UnbindRequest ::= [APPLICATION 2] NULL SearchRequest ::= [APPLICATION 3] SEQUENCE { baseObject LDAPDN, scope ENUMERATED {baseObject(0), singleLevel(1), wholeSubtree(2)}, derefAliases ENUMERATED {neverDerefAliases(0), derefInSearching(1), derefFindingBaseObj(2), derefAlways(3)}, sizeLimit INTEGER(0..maxInt), timeLimit INTEGER(0..maxInt), typesOnly BOOLEAN, filter Filter, attributes AttributeDescriptionList } Filter ::= CHOICE { and [0] SET OF Filter, or [1] SET OF Filter, not [2] Filter, equalityMatch [3] AttributeValueAssertion, substrings [4] SubstringFilter, greaterOrEqual [5] AttributeValueAssertion, lessOrEqual [6] AttributeValueAssertion, present [7] AttributeDescription, approxMatch [8] AttributeValueAssertion, extensibleMatch [9] MatchingRuleAssertion } SubstringFilter ::= SEQUENCE { type AttributeDescription, -- at least one must be present substrings SEQUENCE OF CHOICE {initial [0] LDAPString, any [1] LDAPString, final [2] LDAPString} } MatchingRuleAssertion ::= SEQUENCE { matchingRule [1] MatchingRuleId OPTIONAL, type [2] AttributeDescription OPTIONAL, matchValue [3] AssertionValue, dnAttributes [4] BOOLEAN DEFAULT FALSE } SearchResultEntry ::= [APPLICATION 4] SEQUENCE { objectName LDAPDN, attributes PartialAttributeList } PartialAttributeList ::= SEQUENCE OF SEQUENCE {type AttributeDescription, vals SET OF AttributeValue} SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL SearchResultDone ::= [APPLICATION 5] LDAPResult ModifyRequest ::= [APPLICATION 6] SEQUENCE { object LDAPDN, modification SEQUENCE OF SEQUENCE {operation ENUMERATED {add(0), delete(1), replace(2)}, modification AttributeTypeAndValues} } AttributeTypeAndValues ::= SEQUENCE { type AttributeDescription, vals SET OF AttributeValue } ModifyResponse ::= [APPLICATION 7] LDAPResult AddRequest ::= [APPLICATION 8] SEQUENCE { entry LDAPDN, attributes AttributeList } AttributeList ::= SEQUENCE OF SEQUENCE {type AttributeDescription, vals SET OF AttributeValue} AddResponse ::= [APPLICATION 9] LDAPResult DelRequest ::= [APPLICATION 10] LDAPDN DelResponse ::= [APPLICATION 11] LDAPResult ModifyDNRequest ::= [APPLICATION 12] SEQUENCE { entry LDAPDN, newrdn RelativeLDAPDN, deleteoldrdn BOOLEAN, newSuperior [0] LDAPDN OPTIONAL } ModifyDNResponse ::= [APPLICATION 13] LDAPResult CompareRequest ::= [APPLICATION 14] SEQUENCE { entry LDAPDN, ava AttributeValueAssertion } CompareResponse ::= [APPLICATION 15] LDAPResult AbandonRequest ::= [APPLICATION 16] MessageID ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL } ExtendedResponse ::= [APPLICATION 24] SEQUENCE { -- COMPONENTS OF LDAPResult, resultCode ENUMERATED {success(0), operationsError(1), protocolError(2), timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), compareTrue(6), authMethodNotSupported(7), strongAuthRequired(8), -- 9 reserved referral(10),-- new-- adminLimitExceeded(11),-- new-- unavailableCriticalExtension(12),-- new-- confidentialityRequired(13),-- new-- saslBindInProgress(14),-- new-- noSuchAttribute(16), undefinedAttributeType(17), inappropriateMatching(18), constraintViolation(19), attributeOrValueExists(20), invalidAttributeSyntax(21), -- 22-31 unused noSuchObject(32), aliasProblem(33), invalidDNSyntax(34), -- 35 reserved for undefined isLeaf aliasDereferencingProblem(36), -- 37-47 unused inappropriateAuthentication(48), invalidCredentials(49), insufficientAccessRights(50), busy(51), unavailable(52), unwillingToPerform(53), loopDetect(54), -- 55-63 unused namingViolation(64), objectClassViolation(65), notAllowedOnNonLeaf(66), notAllowedOnRDN(67), entryAlreadyExists(68), objectClassModsProhibited(69), -- 70 reserved for CLDAP affectsMultipleDSAs(71),-- new-- -- 72-79 unused other(80), canceled(118), noSuchOperation(119), tooLate(120), cannotCancel(121) -- RFC 3909 }, -- 81-90 reserved for APIs matchedDN LDAPDN, errorMessage ErrorMessage, referral [3] Referral OPTIONAL, -- end of COMPONENTS responseName [10] ResponseName OPTIONAL, response [11] OCTET STRING OPTIONAL } IntermediateResponse ::= [APPLICATION 25] SEQUENCE { responseName [0] ResponseName OPTIONAL, responseValue [1] OCTET STRING OPTIONAL } ResponseName ::= LDAPOID -- RFC 2696 - Simple Paged Results Manipulation SearchControlValue ::= SEQUENCE { size INTEGER --(0..maxInt)--, -- requested page size from client -- result set size estimate from server cookie OCTET STRING } -- RFC 2891 - Server Side Sorting of Search Results SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType AttributeDescription, orderingRule [0] MatchingRuleId OPTIONAL, reverseOrder [1] BOOLEAN DEFAULT FALSE } SortResult ::= SEQUENCE { sortResult ENUMERATED { success (0), -- results are sorted operationsError (1), -- server internal failure timeLimitExceeded (3), -- timelimit reached before -- sorting was completed strongAuthRequired (8), -- refused to return sorted -- results via insecure -- protocol adminLimitExceeded (11), -- too many matching entries -- for the server to sort noSuchAttribute (16), -- unrecognized attribute -- type in sort key inappropriateMatching (18), -- unrecognized or -- inappropriate matching -- rule in sort key insufficientAccessRights (50), -- refused to return sorted -- results to this client busy (51), -- too busy to process unwillingToPerform (53), -- unable to sort other (80) }, attributeType [0] AttributeDescription OPTIONAL } -- Draft RFC - but used in some implementations -- Normaly it's an integer but we want to generate a subitem DirSyncFlagsSubEntry ::= SEQUENCE { value [0] INTEGER } DirSyncFlags ::= INTEGER DirSyncControlValue ::= SEQUENCE { flags DirSyncFlags, maxBytes INTEGER, cookie OCTET STRING } -- RFC 3062 --passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1 PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0] OCTET STRING OPTIONAL, oldPasswd [1] OCTET STRING OPTIONAL, newPasswd [2] OCTET STRING OPTIONAL } PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL } -- RFC 3909 --cancelRequestOID OBJECT IDENTIFIER ::= 1.3.6.1.1.8 CancelRequestValue ::= SEQUENCE { cancelID MessageID } -- RFC 4533 --syncRequestOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.1 SyncRequestValue ::= SEQUENCE { mode ENUMERATED { -- 0 unused refreshOnly (1), -- 2 reserved refreshAndPersist (3) }, cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL reloadHint BOOLEAN DEFAULT FALSE } --syncStateOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.2 SyncStateValue ::= SEQUENCE { state ENUMERATED { present (0), add (1), modify (2), delete (3) }, entryUUID SyncUUID, cookie OCTET STRING OPTIONAL -- SyncCookie OPTIONAL } --syncDoneOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.3 SyncDoneValue ::= SEQUENCE { cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL refreshDeletes BOOLEAN DEFAULT FALSE } --syncInfoOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.9.1.4 SyncInfoValue ::= CHOICE { newcookie [0] OCTET STRING, -- SyncCookie refreshDelete [1] SEQUENCE { cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL refreshDone BOOLEAN DEFAULT TRUE }, refreshPresent [2] SEQUENCE { cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL refreshDone BOOLEAN DEFAULT TRUE }, syncIdSet [3] SEQUENCE { cookie OCTET STRING OPTIONAL, -- SyncCookie OPTIONAL refreshDeletes BOOLEAN DEFAULT FALSE, syncUUIDs SET OF SyncUUID } } SyncUUID ::= OCTET STRING(SIZE(16)) -- SyncCookie ::= OCTET STRING -- -- Draft RFC - Password Policy for LDAP Directories -- https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER (0 .. maxInt), graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL, error [1] ENUMERATED { passwordExpired (0), accountLocked (1), changeAfterReset (2), passwordModNotAllowed (3), mustSupplyOldPassword (4), insufficientPasswordQuality (5), passwordTooShort (6), passwordTooYoung (7), passwordInHistory (8) } OPTIONAL } END -- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D