mail us  |  mail this page

products  |  company  |  support  |  downloads  |  isp services  |  contact us

Appendix A:LDAP - Survival ASN.1

This section contains a brief and superficial overview of ASN.1 SYNTAX sufficient to allow understanding of component expressions. In general there is little need to drop down to this level of detail unless one is genetically pre-disposed to do so. There are many excellent and free resources ASN.1 resources which a dedicated reader will find endlessly fascinating and jolly good fun. Less dedicated readers may have to lie down after even a casual glance at this stuff.

An ASN.1 OID when traced to its authoritative definition will contain a textual description and some ASN.1 SYNTAX (or gobblydegook) which formally defines the object. ASN.1 syntax is brutally complex and this survival guide focuses on only 5 types SEQUENCE OF, SEQUENCE, SET OF, SET and CHOICE which figure significantly in component matching. The quick, working definition of these elements is:

SEQUENCE OF - an ordered list of instances of the same type
              The order is fixed and only contains one
              type (or attribute in the LDAP context)
SET OF      - an unordered list of instances of the same types
              The order is not fixed (only fixed at run-time)
              but only contains one type (or attribute 
              in the LDAP context)
SEQUENCE    - an ordered list of instances of different types
              The order is fixed and contains multiple
              types (or attributes in the LDAP context)
SET        - an unordered list of instances of different types
              The order is not fixed (only fixed at run-time)
              and contains multiple types (or attributes 
              in the LDAP context)
CHOICE      - Defines a single instance which may be any one of the types
              defined in the ordered list

This guide separates component matching into simple and complex. Simple component matching, as defined by this guide, is only used with attributes defined by SEQUENCE OF and SET OF constructs - essentially these constructs define multiple instances each of which is of the same type. For example DistinguishedName is a SEQUENCE OF and has, according to X.501, the following ASN.1 definition:

Note: The capitalization is visually significant when used for ASN.1 definitions, thus, distinguishedName is the name of the attribute and DistinguishedName is the name of the attribute definition.

# definition from X.501
DistinguishedName   ::= RDNSequence
# DistinguishedName aliased to RDNSequence
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
# defines RDNSequence as an ordered list (SEQUENCE OF)
# of instances of RelativeDistinguishedName

RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
          AttributeTypeAndValue
# this defines the composition of each 
# RelativeDistinguishedName as a SET (unordered list) of
# AttributeTypeAndValue each of which is comprised of a
# SEQUENCE (ordered list) of type and value entries as 
# defined below
AttributeTypeAndValue ::= SEQUENCE {
  type        AttributeType ({SupportedAttributes}),
  value       AttributeValue ({SupportedAttributes}{@type}) }

  AttributeType ::= ATTRIBUTE.&id
  AttributeValue ::= ATTRIBUTE.&Type

Since all the instances are of the same type it is enough in any component matching to identify the number of the instance, for example instance "1" which using component matching's positive number selection would be the first item in the list (in the case of a DN positive numbers start from the RIGHT). Examples of attributes using DistinguishedName are DistinguishedName (2.5.4.49), member ( 2.5.4.31 ), seeAlso (2.5.4.34), owner (2.5.4.32), roleOccupant (2.5.4.33).

Complex component matching is applied to SEQUENCE and SET syntaxes which essentially these constructs define multiple values each of which is of a different type. For example uniqueMember (2.5.4.50) has the following ASN.1 notation:

# definition from X.520
uniqueMember ATTRIBUTE ::= {
 WITH SYNTAX NameAndOptionalUID
 EQUALITY MATCHING RULE uniqueMemberMatch
 ID id-at-uniqueMember }

# points to the ASN.1 definition of NameAndOptionalUID
# which is a SEQUENCE
NameAndOptionalUID ::= SEQUENCE {
 dn DistinguishedName,
 uid UniqueIdentifier OPTIONAL }

# in turn UniqueIdentifier is defined in X.520 as
uniqueIdentifier ATTRIBUTE ::= {
 WITH SYNTAX UniqueIdentifier
 EQUALITY MATCHING RULE bitStringMatch
 ID id-at-uniqueIdentifier }
UniqueIdentifier ::= BIT STRING

# Distinguished name is as defined above

Since each instance in the attribute is different, and since SET allows the instances to appear in any order, any componet extraction must reference the instance, by say, its left-hand name or some other characteristic.

Copyright © 1994 - 2008 ZyTrax, Inc.
All rights reserved. Legal and Privacy 		site by zytrax
Hosted by super.net.sg		 web-master at zytrax
Page modified: September 22 2008.

Contents

tech info
guides home
intro
contents
1 objectives
big picture
2 concepts
3 ldap objects
quickstart
4 install ldap
5 samples
6 config files
7 replicate & refer
reference
8 ldif
9 protocol
10 ldap api
operations
11 howtos
12 trouble
13 performance
14 ldap tools
security
15 security
appendices
notes & info
ldap resources
rfc's & x.500
glossary
ldap objects
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Mozilla

web zytrax.com
add page to facebook add page to technorati.com add page to digg.com add page to del.icio.us add page to furl.net add page to stumbleupon add page to reddit.com mail this page feature print this page

RSS Feed Icon RSS Feed

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux

Applications

OpenOffice
Mozilla
SourceForge
GNU-Free SW Foundation

Organisations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

printer friendly

Print Page

SPF Record Conformant Domain Logo