Footnotes

Not counting operational attributes such as modification time.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Carter'')^2.2

The standard allows for multi-valued RDNs such as ``cn=`Sam Carter' + uid=scarter''; however these are rarely used and sometimes not supported by a directory server, e.g. in Active Directory.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... )''^2.3

A search with this filter will return all person entries with a first name of Sam or Ted that have been modified since January 1st, 2001.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... .^3.1

These thoughts were prelevant at a time when the notion of privatisation and de-regulation in the communications sector were still distant in the future. But with the advent of the World Wide Web, which first developed as little information islands then later becoming the true globally interlinked service, the hopes of X.500's founding fathers were destroyed. Not at least because the idea of a centrally controlled system did not appeal to the ``Internet community''.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... implementation ^3.2

The Quipu software package from ISODE

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... BER ^3.3

The Basic Encoding Rules (BER) define how ASN.1 structures are encoded for storage or transmission in computer systems.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... queries ^3.4

99% at UMich according to [30]

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... set.^3.5

In West-European countries mostly ISO-8859-1, also known as Latin-1, was used.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... (LDUP ^3.6

http://www.ietf.org/html.charters/ldup-charter.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... (LDAPext ^3.7

http://www.ietf.org/html.charters/ldapext-charter.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... IESG ^3.8

Internet Engeneering Steering Group

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... (LDAPbis ^3.9

http://www.ietf.org/html.charters/ldapbis-charter.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... access ^3.10

http://www.ldap.research.netsol.com

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... attacks ^4.1

An average PC (AMD 750 MHz Athlon) can compute the crypt(3) hash value of about 100,000 passwords per second. An exhaustive search of passwords consisting of five lower-case characters can thus be performed in about two minutes. [19]

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... attacks ^4.2

In a chosen plaintext attack, the attacker has the opportunity to provide the encryption system with arbitrary plain text and then examine the resulting crypt text.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... period ^4.3

The default ticket lifetime in Kerberos 5 is ten hours.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... standard.^4.4

Free implementations for Unix systems are available form the Massachusetts Institute of Technology, http://web.mit.edu/kerberos/www/, and from the Royal Institute of Technology, Stockholm, Sweden, http://www.pdc.kth.se/heimdal/. In Windows 2000, Microsoft has adopted Kerberos as primary authentication mechanism. [63]

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... (LDAPS ^4.5

LDAPS uses the well-known TCP port 636.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... languages ^5.1

[102] gives examples for nine different languages.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...PerLDAP ^5.2

http://www.perldap.org

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...Perl-LDAP ^5.3

http://perl-ldap.sourceforge.net

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... LDIF ^5.4

LDAP Data Interchange Format [15]

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... (DSML ^5.5

http://www.dsml.org

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... project ^5.6

http://www.mozilla.org/directory

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... PHP ^5.7

http://www.php.net

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... language''^5.8

http://www.python.org/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Python ^5.9

http://python-ldap.sourceforge.net/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... tools.''^6.1

OpenLDAP Project Overview, http://www.openldap.org/project/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... distribution ^6.2

http://www.umich.edu/~dirsvcs/ldap/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... licence ^6.3

This kind of license basically means that distribution, use and modification of the software is allowed as long as the original copyright holder is properly credited and all warranties regarding the functionality of the software are disclaimed.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... architecture.^6.4

An experimental multi-master implementation exists in the head branch.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Sleepycat.^6.5

http://www.sleepycat.com/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... information.^6.6

http://www.usrlocalsrc.org/BACK-WHOIS/index.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... OpenSSL ^6.7

http://www.openssl.org

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... SASL ^6.8

http://asg.web.cmu.edu/sasl/sasl-library.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... cost''^6.9

http://www-4.ibm.com/software/network/directory/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... M-Vault ^6.10

http://www.messagingdirect.com/products/IC-6097.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... available ^6.11

http://www.directory.dfn.de/isode/isode-frei.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...lbe ^6.12

http://www.iit.edu/~gawojar/ldap/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...gq ^6.13

http://biot.com/gq/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...nss_ldap ^6.14

http://www.padl.com/nss_ldap.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...pam_ldap ^6.15

http://www.padl.com/nss_ldap.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Sendmail ^6.16

http://www.sendmail.org

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Apache ^6.17

http://www.apache.org

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Internet ^6.18

http://www.netcraft.com/survey/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...auth_ldap ^6.19

http://www.rudedog.org/auth_ldap/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... hardware ^8.1

A Compaq Proliant 8500 8-way PIII Xeon with 2GB RAM and an ESA 12000 (Fibre channel) RAID controller with 48 18GB hard disks

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Directory.^8.2

The ``organizationalUnit'' object class is retained to group entries within a Windows 2000 domain.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... relationship.^8.3

These trust relationships allow that objects from one domain might be granted access to ressources in another domain. For example, the administrator of domain ``campusA'' can allow users from ``campusB'' to use printers located in ``campusA''.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Directory.^8.4

It is possible to use an existing name server with support for DNS SRV records, e.g. bind8. However, this requires the manual addition of the Windows 2000 specific records to the zone file. Another issue arises from the fact, that a Windows 2000 client will try to register itself with the DNS server using dynamic DNS [91] by default.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... connectivity.^9.1

Support for user accounts in case of a network failure is not necessary, as under such circumstances the users' home directories, which would be located on a central file server in the outlined environment, would also become unavailable. This will generally preclude any further work to be done on a Unix workstation.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Cluster ^9.2

http://www.linux-ha.org/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Server ^9.3

http://www.linuxvirtualserver.org/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... one.^9.4

A connection attempt to a non-reachable host will generally timeout after 60 seconds. Such a delay will lead to unreasonably long response time. The current Netscape SDK therefore introduced a so-called parallel connect feature. The SDK tries to connect to all servers at the same time and abandons all outstanding attempts once a connection has been established.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... module.^9.5

By default, the used SuSE Linux distribution is set up to use the pam_unix module. However, that module makes use of NSS, which in turn will access LDAP. This leads to undesired results. Instead, the recommended pam_pwdb module can be configured to only look at the local files.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... required ^9.6

http://www.sxw.org.uk/computing/patches/openssh.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...Mulberry ^9.7

http://www.cyrusoft.com/mulberry/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... ways.^10.1

The IETF takes a very practical approach to quality assurance of its standards. A standard can only be ``promoted'' from Proposed to Draft Standard, if two interoperable implementations exist, which were developed independantly.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Forum ^10.2

http://www.opengroup.org/directory/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... (BLITS)^10.3

The first version of BLITS was edited by Chris Apple, AT&T. Revisions were made for the Connectathon interoperability events. Later versions, the latest being 2.5 Draft 1 [90], were made by the Open Group.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Canada ^10.4

http://cagc.srv.gc.ca/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... AMBIX ^10.5

``Aufnahme von Mail Benutzern in das X.500-Verzeichnis'', German for ``Incorporation of Mail Users into the X.500 Directory''. AMBIX provides a white-pages service for the German academic community. http://www.directory.dfn.de/ambix/ [14]

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... syntaxes.^10.6

Attributes for fax numbers did e.g. contain the organization's name in addtion to the number. Even more common was the use of ISO-Latin-1 characters to represend German Umlauts.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... characters.^10.7

According to an email from IBM support, it should be possible to extend the field lengths. This would be done by editing the schema files before creating the tables for the directory server in the DB2 back-end.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... class.^10.8

http://www.novell.com/products/nds/schema/index.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... mechanism ^10.9

http://security.dstc.edu.au/projects/java/java-sec/msg00290.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... toolkit ^10.10

http://security.dstc.edu.au/projects/java/jcsi.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... identified:^10.11

In LDAP, GSSAPI and Kerberos elements of protocol are specified in ASN.1. The SASL GSSAPI mechanism uses a plain binary encoding, and GSS-KRB5 uses mixture of plain and ASN.1 elements. This complicated the analysis of network traces, as recursive ASN.1 parsers could not be employed.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...serverSaslCreds ^10.12

SASL specific information that the server wishes to send to the client is carried in the serverSaslCreds field of an LDAP response.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... inclusion.^10.13

http://www.OpenLDAP.org/its/index.cgi/Software%20Bugs?id=884

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... list.^10.14

http://www.openldap.org/lists/openldap-devel/200101/msg00041.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... Windows ^10.15

http://security.dstc.edu.au/projects/java/java-sec/msg00290.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... DirectoryMark ^11.1

http://www.mindcraft.com/directorymark/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... entries.^11.2

As a side effect, this allows for an organizational chart to be drawn from the test data. [101]

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... package ^12.1

http://mbdyn.aero.polimi.it/~masarati/ldap2bibtex.html

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... tag ^12.2

Language subtypes in LDAP have been specified in [95]. This standard allows for private extensions in the form of lang-x-*.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...rfc-parse2ldif.pl ^12.3

Based on a script by the http://rfc.net/RFC.net web site.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... file ^12.4

ftp://ftp.isi.edu/in-notes/rfc-index.txt

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... source ^12.5

ftp://ftp.isi.edu/internet-drafts/1id-abstracts.txt

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... hash ^12.6

A Perl hash is used as data-structure instead of an array because this way duplicate citations will be included only once.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... initiative ^12.7

http://dublincore.org/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... feasible ^13.1

Windows 2000 Professional systems can also be configured to use a non-Windows 2000 Server KDC. However, this will only provide authentication services. Advanced management options as they can be implemented with GPOs in a native Windows 2000 network will not be available.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... SDK ^14.1

To make LDAPS connections work in the OpenLDAP SDK, an additional patch had been written to fix a bug in OpenLDAP. http://www.OpenLDAP.org/its/index.cgi/Software%20Bugs?id=889

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... ``pwdump''^15.1

http://www.webspan.net/~tas/pwdump2/

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... passwords ^15.2

[92, Section 5.36]

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... passwords.^15.3

Since this is in conflict with the core LDAP RFCs, a proposal has been made to use an ``authPassword'' attribute instead. [107]

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... branch.^15.4

http://www.openldap.org/its/index.cgi/Contrib?id=899

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.