Subentries in the Lightweight Directory Access Protocol (LDAP)
RFC 3672

Document Type RFC - Proposed Standard (December 2003; No errata)
Was draft-zeilenga-ldap-subentry (individual in app area)
Author Kurt Zeilenga 
Last updated 2018-07-18
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3672 (Proposed Standard)
Action Holders
Consensus Boilerplate Unknown
Telechat date
Responsible AD Ted Hardie
IESG note New versions exists which is verified with IESG
Responsible: Patrik
Send notices to (None)
Network Working Group                                        K. Zeilenga
Request for Comments: 3672                           OpenLDAP Foundation
Category: Standards Track                                        S. Legg
                                                     Adacel Technologies
                                                           December 2003

     Subentries in the Lightweight Directory Access Protocol (LDAP)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.


   In X.500 directories, subentries are special entries used to hold
   information associated with a subtree or subtree refinement.  This
   document adapts X.500 subentries mechanisms for use with the
   Lightweight Directory Access Protocol (LDAP).

1.  Overview

   From [X.501]:

       A subentry is a special kind of entry immediately subordinate to
       an administrative point.  It contains attributes that pertain to
       a subtree (or subtree refinement) associated with its
       administrative point.  The subentries and their administrative
       point are part of the same naming context.

       A single subentry may serve all or several aspects of
       administrative authority.  Alternatively, a specific aspect of
       administrative authority may be handled through one or more of
       its own subentries.

   Subentries in the Lightweight Directory Access Protocol (LDAP)
   [RFC3377] SHALL behave in accordance with X.501 unless noted
   otherwise in this specification.

Zeilenga & Legg             Standards Track                     [Page 1]
RFC 3672                   Subentries in LDAP              December 2003

   In absence of the subentries control (detailed in Section 3),
   subentries SHALL NOT be considered in one-level and subtree scope
   search operations.  For all other operations, including base scope
   search operations, subentries SHALL be considered.

1.1.  Conventions

   Schema definitions are provided using LDAP description formats
   [RFC2252].  Definitions provided here are formatted (line wrapped)
   for readability.

   Protocol elements are described using ASN.1 [X.680].  The term "BER-
   encoded" means the element is to be encoded using the Basic Encoding
   Rules [X.690] under the restrictions detailed in Section 5.1 of

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in BCP 14 [RFC2119].

2.  Subentry Schema

2.1.  Subtree Specification Syntax

   The Subtree Specification syntax provides a general purpose mechanism
   for the specification of a subset of entries in a subtree of the
   Directory Information Tree (DIT).  A subtree begins at some base
   entry and includes the subordinates of that entry down to some
   identified lower boundary, possibly extending to the leaf entries.  A
   subtree specification is always used within a context or scope which
   implicitly determines the bounds of the subtree.  For example, the
   scope of a subtree specification for a subschema administrative area
   does not include the subtrees of any subordinate administrative point
   entries for subschema administration.  Where a subtree specification
   does not identify a contiguous subset of the entries within a single
   subtree the collection is termed a subtree refinement.

   This syntax corresponds to the SubtreeSpecification ASN.1 type
   described in [X.501], Section 11.3.  This ASN.1 data type definition
   is reproduced here for completeness.

     SubtreeSpecification ::= SEQUENCE {
         base                [0] LocalName DEFAULT { },
                                 COMPONENTS OF ChopSpecification,
         specificationFilter [4] Refinement OPTIONAL }

     LocalName ::= RDNSequence

Zeilenga & Legg             Standards Track                     [Page 2]
RFC 3672                   Subentries in LDAP              December 2003

     ChopSpecification ::= SEQUENCE {
         specificExclusions  [1] SET OF CHOICE {
                                 chopBefore [0] LocalName,
                                 chopAfter [1] LocalName } OPTIONAL,
         minimum             [2] BaseDistance DEFAULT 0,
         maximum             [3] BaseDistance OPTIONAL }

     BaseDistance ::= INTEGER (0 .. MAX)

     Refinement ::= CHOICE {
         item                [0] OBJECT-CLASS.&id,
         and                 [1] SET OF Refinement,
         or                  [2] SET OF Refinement,
         not                 [3] Refinement }
Show full document text