Conformance Statement Questionnaire
Directory: LDAP 2000

Question 1
==========

Does the product support Extensible Matching?

References
----------

IETF RFC 2251, Section 4.1.9, and IETF RFC 2252, Sections 4.5 and 8.

Rationale
---------

IETF RFC 2251, Section 4.1.9 says that servers which support matching rules for use in the extensibleMatch search filter MUST list the matching rules they implement in subschema entries, using the matchingRules attributes.

IETF RFC 2252, Section 4.5 says that if the server supports the extensibleMatch, then the server MUST publish the relationship between the matching rules and attributes in the matchingRuleUse attribute.

IETF RFC 2252, Section 8 says that servers which implement the extensibleMatch filter SHOULD allow all the matching rules listed in this section to be used in the extensibleMatch.

The wording of these sections implies that support for Extensible Match is not mandatory.

Question 2
==========

Does the server send Notices of Disconnection?

References
----------

IETF RFC 2251, Section 4.4.1.

Rationale
---------

IETF RFC 2251, Section 4.4.1 states that a notification of disconnection may be used by a server to advise a client that the server is about to close the connection due to an error condition. This wording implies that servers need not send notices of disconnection.

Question 3
==========

Does the server allow modification of subschema entries by clients?

References
----------

IETF RFC 2252, Section 8.4.

Rationale
---------

IETF RFC 2252, Section 8.4 says that servers which allow subschema entries to be modified by clients MUST support certain matching rules, namely the equality matching rules for several of the subschema attributes. This wording implies that whether a server allows clients to modify subschema entries is an option, and that the requirement to support those matching rules is contingent on that option.

Question 4
==========

Does the server support validation of client certificates?

References
----------

SSL Version 3 Specification, Section 7.6.4.

Rationale
---------

The SSL Version 3 specification, Section 7.6.4, says that a non-anonymous server can optionally request a certificate from the client, if appropriate for the selected cipher suite. This wording implies that whether a server can request (and by implication whether it can validate) client certificates is optional.

Question 5
==========

Does the server support access to SSL Credentials via SASL EXTERNAL?

References
----------

IETF RFC 2251, Section 4.2.2.

Rationale
---------

IETF RFC 2251, Section 4.2.2 says that the client can request that the server use authentication information from a lower layer protocol by using the SASL EXTERNAL mechanism. However, it is not clear whether this applies in the case where SSL is used in conjunction with the Port 636 mechanism. In this situation, it seems best to make it optional for the server to allow the client to connect using SSL on port 636 (or another port dedicated by the server to LDAP over SSL) and then to authenticate using its SSL credentials via the SASL EXTERNAL mechanism.
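Question 1 turns on what a server publishes in its subschema entry: RFC 2251 requires the implemented rules in matchingRules, and RFC 2252 requires the rule-to-attribute mapping in matchingRuleUse. The following added example (not part of the questionnaire) parses both attributes from a constructed subschema entry and reports whether a given extensibleMatch rule/attribute pair is advertised as supported; the attribute values, rule names and the four result strings are the example's own assumptions, modelled on the RFC 2252 syntax.

```python
import re

# Constructed sample subschema attribute values, modelled on the RFC 2252
# matchingRules / matchingRuleUse syntaxes; not read from any real server.
SUBSCHEMA = {
    "matchingRules": [
        "( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
        "( 2.5.13.0 NAME 'objectIdentifierMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    ],
    "matchingRuleUse": [
        # Note: no matchingRuleUse is published for 2.5.13.0 (a conformance gap).
        "( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( cn $ sn $ ou ) )",
    ],
}

_OID_RE = re.compile(r"^\(\s*([0-9.]+)")
_NAME_RE = re.compile(r"NAME\s+'([^']+)'")
_APPLIES_RE = re.compile(r"APPLIES\s+(?:\(\s*([^)]*)\)|([A-Za-z0-9.;-]+))")

def parse_matching_rules(values):
    """Map each matchingRules OID and NAME (lower-cased) to the rule's OID."""
    rules = {}
    for v in values:
        oid = _OID_RE.match(v)
        if not oid:
            continue
        rules[oid.group(1)] = oid.group(1)
        name = _NAME_RE.search(v)
        if name:
            rules[name.group(1).lower()] = oid.group(1)
    return rules

def parse_matching_rule_use(values):
    """Map each matching-rule OID to the set of attribute types it APPLIES to."""
    uses = {}
    for v in values:
        oid, applies = _OID_RE.match(v), _APPLIES_RE.search(v)
        if not oid or not applies:
            continue
        raw = applies.group(1) or applies.group(2)
        uses.setdefault(oid.group(1), set()).update(
            a.strip().lower() for a in raw.split("$") if a.strip())
    return uses

def extensible_match_supported(subschema, rule, attr):
    """Classify a (rule, attribute) pair as used in an extensibleMatch filter."""
    oid = parse_matching_rules(subschema.get("matchingRules", [])).get(rule.lower())
    if oid is None:
        return "rule-unknown"        # rule not listed per RFC 2251 4.1.9
    uses = parse_matching_rule_use(subschema.get("matchingRuleUse", []))
    if oid not in uses:
        return "use-unpublished"     # violates the RFC 2252 4.5 MUST
    return "supported" if attr.lower() in uses[oid] else "not-applicable"
```

A "use-unpublished" result means the server lists a rule without saying which attributes it applies to, which is the specific RFC 2252 Section 4.5 requirement the questionnaire cites.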