Appendix A:LDAP - Quick ASN.1
This section contains a brief and very superficial overview of ASN.1 SYNTAX sufficient to allow understanding of component expressions. In general, there is little need to drop down to this level of detail unless one is genetically pre-disposed to do so. There are many excellent and free resources ASN.1 resources which a dedicated reader will find endlessly fascinating and jolly good fun. Less dedicated readers may have to lie down after even a casual glance at this stuff.
If you need, or even want, to know more about ASN.1 (and DER) then try this Survival Guide. Be warned - it's not fun stuff.
An ASN.1 OID when traced to its authoritative definition will contain a textual description and some ASN.1 SYNTAX (or gobblydegook) which formally defines the object. ASN.1 syntax is brutally complex and this overview focuses on only 5 types SEQUENCE OF, SEQUENCE, SET OF, SET and CHOICE which figure significantly in component matching. The quick, working definition of these elements is:
| SEQUENCE OF |
An ordered list of instances of the same type. The order is fixed and only contains one type (or attribute in the LDAP context) |
| SET OF |
An unordered list of instances of the same types. The order is not fixed (only fixed at run-time) but only contains one type (or attribute in the LDAP context) |
| SEQUENCE |
An ordered list of instances of different types. The order is fixed and contains multiple types (or attributes in the LDAP context) |
| SET |
An unordered list of instances of different types. The order is not fixed (only fixed at run-time) and contains multiple types (or attributes in the LDAP context) |
| CHOICE |
Defines a single instance which may be any one of the types defined in the ordered list. |
This guide separates component matching into simple and complex categories. Simple component matching, as defined by this guide, is only used with attributes defined by SEQUENCE OF and SET OF constructs - essentially these constructs define multiple instances each of which is of the same type. For example DistinguishedName is a SEQUENCE OF and has, according to X.501, the following ASN.1 definition:
Note: The capitalization is visually significant when used for ASN.1 definitions, thus, distinguishedName is the name of the attribute and DistinguishedName is the name of the attribute definition.
# definition from X.501
DistinguishedName ::= RDNSequence
# DistinguishedName aliased to RDNSequence
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
# defines RDNSequence as an ordered list (SEQUENCE OF)
# of instances of RelativeDistinguishedName
RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
AttributeTypeAndValue
# this defines the composition of each
# RelativeDistinguishedName as a SET (unordered list) of
# AttributeTypeAndValue each of which is comprised of a
# SEQUENCE (ordered list) of type and value entries as
# defined below
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType ({SupportedAttributes}),
value AttributeValue ({SupportedAttributes}{@type}) }
AttributeType ::= ATTRIBUTE.&id
AttributeValue ::= ATTRIBUTE.&Type
Since all the instances are of the same type it is enough in any component matching to identify the number of the instance, for example instance "1" which using component matching's positive number selection would be the first item in the list (in the case of a DN positive numbers start from the RIGHT). Examples of attributes using DistinguishedName are DistinguishedName (2.5.4.49), member ( 2.5.4.31 ), seeAlso (2.5.4.34), owner (2.5.4.32), roleOccupant (2.5.4.33).
Complex component matching is applied to SEQUENCE and SET syntaxes and these constructs define multiple values each of which may be of a different type. For example uniqueMember (2.5.4.50) has the following ASN.1 notation:
# definition from X.520
uniqueMember ATTRIBUTE ::= {
WITH SYNTAX NameAndOptionalUID
EQUALITY MATCHING RULE uniqueMemberMatch
ID id-at-uniqueMember }
# points to the ASN.1 definition of NameAndOptionalUID
# which is a SEQUENCE
NameAndOptionalUID ::= SEQUENCE {
dn DistinguishedName,
uid UniqueIdentifier OPTIONAL }
# in turn UniqueIdentifier is defined in X.520 as
uniqueIdentifier ATTRIBUTE ::= {
WITH SYNTAX UniqueIdentifier
EQUALITY MATCHING RULE bitStringMatch
ID id-at-uniqueIdentifier }
UniqueIdentifier ::= BIT STRING
# DistinguishedName is defined in previous example
Since each instance in the attribute is different, and since SET allows the instances to appear in any order, any componet extraction must reference the instance by, say, its left-hand name or some other characteristic.
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
