[Pkg-samba-maint] r3240 - in branches/samba/upstream: . docs docs/htmldocs/manpages docs/manpages docs-xml/manpages-3 packaging/RHEL packaging/RHEL-CTDB source3 source3/include source3/libsmb source3/modules source3/rpc_server source3/smbd source3/utils source4/heimdal/lib/wind source4/ldap_server/devdocs
bubulle at alioth.debian.org
bubulle at alioth.debian.org
Wed Jan 20 19:20:20 UTC 2010
Author: bubulle
Date: 2010-01-20 19:20:07 +0000 (Wed, 20 Jan 2010)
New Revision: 3240
Removed:
branches/samba/upstream/source4/heimdal/lib/wind/rfc3454.txt
branches/samba/upstream/source4/heimdal/lib/wind/rfc3490.txt
branches/samba/upstream/source4/heimdal/lib/wind/rfc3491.txt
branches/samba/upstream/source4/heimdal/lib/wind/rfc3492.txt
branches/samba/upstream/source4/heimdal/lib/wind/rfc4013.txt
branches/samba/upstream/source4/heimdal/lib/wind/rfc4518.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc2307.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc2696.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc2849.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc2891.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc3296.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4510.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4511.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4512.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4513.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4514.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4515.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4516.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4517.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4518.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4519.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4520.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4521.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4522.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4523.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4524.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4525.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4526.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4527.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4528.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4529.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4530.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4531.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4532.txt
branches/samba/upstream/source4/ldap_server/devdocs/rfc4533.txt
Modified:
branches/samba/upstream/WHATSNEW.txt
branches/samba/upstream/docs-xml/manpages-3/pdbedit.8.xml
branches/samba/upstream/docs/Samba3-ByExample.pdf
branches/samba/upstream/docs/Samba3-Developers-Guide.pdf
branches/samba/upstream/docs/Samba3-HOWTO.pdf
branches/samba/upstream/docs/htmldocs/manpages/pdbedit.8.html
branches/samba/upstream/docs/manpages/cifs.upcall.8
branches/samba/upstream/docs/manpages/eventlogadm.8
branches/samba/upstream/docs/manpages/findsmb.1
branches/samba/upstream/docs/manpages/idmap_ad.8
branches/samba/upstream/docs/manpages/idmap_adex.8
branches/samba/upstream/docs/manpages/idmap_hash.8
branches/samba/upstream/docs/manpages/idmap_ldap.8
branches/samba/upstream/docs/manpages/idmap_nss.8
branches/samba/upstream/docs/manpages/idmap_rid.8
branches/samba/upstream/docs/manpages/idmap_tdb.8
branches/samba/upstream/docs/manpages/idmap_tdb2.8
branches/samba/upstream/docs/manpages/ldb.3
branches/samba/upstream/docs/manpages/ldbadd.1
branches/samba/upstream/docs/manpages/ldbdel.1
branches/samba/upstream/docs/manpages/ldbedit.1
branches/samba/upstream/docs/manpages/ldbmodify.1
branches/samba/upstream/docs/manpages/ldbrename.1
branches/samba/upstream/docs/manpages/ldbsearch.1
branches/samba/upstream/docs/manpages/libsmbclient.7
branches/samba/upstream/docs/manpages/lmhosts.5
branches/samba/upstream/docs/manpages/log2pcap.1
branches/samba/upstream/docs/manpages/mount.cifs.8
branches/samba/upstream/docs/manpages/net.8
branches/samba/upstream/docs/manpages/nmbd.8
branches/samba/upstream/docs/manpages/nmblookup.1
branches/samba/upstream/docs/manpages/ntlm_auth.1
branches/samba/upstream/docs/manpages/pam_winbind.8
branches/samba/upstream/docs/manpages/pdbedit.8
branches/samba/upstream/docs/manpages/profiles.1
branches/samba/upstream/docs/manpages/rpcclient.1
branches/samba/upstream/docs/manpages/samba.7
branches/samba/upstream/docs/manpages/sharesec.1
branches/samba/upstream/docs/manpages/smb.conf.5
branches/samba/upstream/docs/manpages/smbcacls.1
branches/samba/upstream/docs/manpages/smbclient.1
branches/samba/upstream/docs/manpages/smbcontrol.1
branches/samba/upstream/docs/manpages/smbcquotas.1
branches/samba/upstream/docs/manpages/smbd.8
branches/samba/upstream/docs/manpages/smbget.1
branches/samba/upstream/docs/manpages/smbgetrc.5
branches/samba/upstream/docs/manpages/smbpasswd.5
branches/samba/upstream/docs/manpages/smbpasswd.8
branches/samba/upstream/docs/manpages/smbspool.8
branches/samba/upstream/docs/manpages/smbstatus.1
branches/samba/upstream/docs/manpages/smbtar.1
branches/samba/upstream/docs/manpages/smbtree.1
branches/samba/upstream/docs/manpages/swat.8
branches/samba/upstream/docs/manpages/tdbbackup.8
branches/samba/upstream/docs/manpages/tdbdump.8
branches/samba/upstream/docs/manpages/tdbtool.8
branches/samba/upstream/docs/manpages/testparm.1
branches/samba/upstream/docs/manpages/umount.cifs.8
branches/samba/upstream/docs/manpages/vfs_acl_tdb.8
branches/samba/upstream/docs/manpages/vfs_acl_xattr.8
branches/samba/upstream/docs/manpages/vfs_audit.8
branches/samba/upstream/docs/manpages/vfs_cacheprime.8
branches/samba/upstream/docs/manpages/vfs_cap.8
branches/samba/upstream/docs/manpages/vfs_catia.8
branches/samba/upstream/docs/manpages/vfs_commit.8
branches/samba/upstream/docs/manpages/vfs_default_quota.8
branches/samba/upstream/docs/manpages/vfs_dirsort.8
branches/samba/upstream/docs/manpages/vfs_extd_audit.8
branches/samba/upstream/docs/manpages/vfs_fake_perms.8
branches/samba/upstream/docs/manpages/vfs_fileid.8
branches/samba/upstream/docs/manpages/vfs_full_audit.8
branches/samba/upstream/docs/manpages/vfs_gpfs.8
branches/samba/upstream/docs/manpages/vfs_netatalk.8
branches/samba/upstream/docs/manpages/vfs_notify_fam.8
branches/samba/upstream/docs/manpages/vfs_prealloc.8
branches/samba/upstream/docs/manpages/vfs_preopen.8
branches/samba/upstream/docs/manpages/vfs_readahead.8
branches/samba/upstream/docs/manpages/vfs_readonly.8
branches/samba/upstream/docs/manpages/vfs_recycle.8
branches/samba/upstream/docs/manpages/vfs_shadow_copy.8
branches/samba/upstream/docs/manpages/vfs_shadow_copy2.8
branches/samba/upstream/docs/manpages/vfs_smb_traffic_analyzer.8
branches/samba/upstream/docs/manpages/vfs_streams_depot.8
branches/samba/upstream/docs/manpages/vfs_streams_xattr.8
branches/samba/upstream/docs/manpages/vfs_xattr_tdb.8
branches/samba/upstream/docs/manpages/vfstest.1
branches/samba/upstream/docs/manpages/wbinfo.1
branches/samba/upstream/docs/manpages/winbind_krb5_locator.7
branches/samba/upstream/docs/manpages/winbindd.8
branches/samba/upstream/packaging/RHEL-CTDB/samba.spec
branches/samba/upstream/packaging/RHEL/makerpms.sh
branches/samba/upstream/packaging/RHEL/samba.spec
branches/samba/upstream/source3/VERSION
branches/samba/upstream/source3/include/version.h
branches/samba/upstream/source3/libsmb/libsmb_context.c
branches/samba/upstream/source3/libsmb/libsmb_dir.c
branches/samba/upstream/source3/libsmb/libsmb_path.c
branches/samba/upstream/source3/libsmb/libsmb_setget.c
branches/samba/upstream/source3/modules/vfs_cap.c
branches/samba/upstream/source3/rpc_server/srv_pipe_hnd.c
branches/samba/upstream/source3/smbd/pipes.c
branches/samba/upstream/source3/smbd/posix_acls.c
branches/samba/upstream/source3/smbd/reply.c
branches/samba/upstream/source3/utils/net_rpc.c
Log:
Load samba-3.4.5 into branches/samba/upstream.
Modified: branches/samba/upstream/WHATSNEW.txt
===================================================================
--- branches/samba/upstream/WHATSNEW.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/WHATSNEW.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,4 +1,74 @@
=============================
+ Release Notes for Samba 3.4.5
+ January 19, 2010
+ =============================
+
+
+This is the latest stable release of Samba 3.4.
+
+Major enhancements in Samba 3.4.5 include:
+
+ o Fix memory in leak in smbd (bug #7020).
+ o Fix changing of ACLs on writable files with "dos filemode=yes" (bug #5202).
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.4.4
+-------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 5202: Fix changing of ACLs on writable files with "dos filemode=yes".
+ * BUG 7020: Fix memory leak in smbd.
+ * BUG 7036: Fix 'net rpc getsid' in hardened Windows environments.
+ * BUG 7045: Fix bad (non memory copying) interfaces in smbc_setXXXX calls.
+
+
+o Günther Deschner <gd at samba.org>
+ * BUG 7043: Fix crash bug in "SMBC_parse_path".
+
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 7046: Fix a crash in libsmbclient used against the OpenSolaris CIFS
+ server.
+
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 6642: Fix opening the quota magic file.
+ * BUG 6919: Fix remote quota management.
+
+
+o SASAJIMA Toshihiro <sasajima_t at jp.fujitsu.com>
+ * BUG 7034: Fix internal error caused by vfs_cap.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 3.4.4
January 7, 2009
=============================
@@ -94,9 +164,9 @@
======================================================================
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 3.4.3
October 29, 2009
Modified: branches/samba/upstream/docs/Samba3-ByExample.pdf
===================================================================
--- branches/samba/upstream/docs/Samba3-ByExample.pdf 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/Samba3-ByExample.pdf 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1672,14 +1672,14 @@
<< /S /GoTo /D [1118 0 R /Fit ] >>
endobj
1120 0 obj <<
-/Length 252
+/Length 254
/Filter /FlateDecode
>>
stream
-xÚ…=oà �E÷üŠ7‚T¿>¾�^«º2UŠ·ª�qIkÉv,HÉ¿/„l�:��ï^��|�ÁëŽþáS³{|‘�„E)Œ†æ�¢"´¥�]*tFBó��ìà�®�;úBñBYÃŽ\IvÍëú⇩�ü³ÙÇ2�‚°¢J¤²Âh,…„B�4¤sÙûìÛµk}�ãN±š�‚]ÂÜvKXòV7f�¶¶
-ËrÚn£:kȨ‘ŸÃÔŸo"C��×»C�B`e’}|��’qÑE¡6YaþIWÈ’½a¢e
-w’…yZÖÙ§�P(]�W�É•÷”�y�Ýü|Íaý)IP
-ýùߺÙý�íÿ^“
+xÚ…»nÃ0�E÷|�G ¨UR�[^‹º-2�ˆ¶¢ƒâ*�Û1ü ’¿¯�eëÐé��ïÕ!�¾�áu‡ÿè“Û=¾È
+¨�’Œ�w�ªQT¥�]*a�÷��ìà�®ˆ�}¡x¡*ÃŽ\IvÍusñÃÔ�þéö1Ì�¡¨±¦�V�-J’PH#�ê�ö>ûvíZßG»U¬á�±K˜Ûn KnucÖÃÖ¶aYNÛmTg��1òós˜úó
+d�cÒõÎP�‘¨M¢�!
+46²(¡MFØŸÒ�²do"iÅ�·’…yZÖÙ§�@¡L qA¶¼»üÈãèæçk6“}È…DÂäúsàÆí~�L÷^Ç
endstream
endobj
1118 0 obj <<
@@ -6954,8 +6954,8 @@
2061 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145338+01'00')
-/ModDate (D:20100104145338+01'00')
+/CreationDate (D:20100118125438+01'00')
+/ModDate (D:20100118125438+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -8021,8 +8021,8 @@
2229 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145340+01'00')
-/ModDate (D:20100104145340+01'00')
+/CreationDate (D:20100118125439+01'00')
+/ModDate (D:20100118125439+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -8915,8 +8915,8 @@
2332 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145320+01'00')
-/ModDate (D:20100104145320+01'00')
+/CreationDate (D:20100118125422+01'00')
+/ModDate (D:20100118125422+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/SVN/samba-docs/xslt/figures/note.eps)
>>
@@ -9121,8 +9121,8 @@
2356 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145340+01'00')
-/ModDate (D:20100104145340+01'00')
+/CreationDate (D:20100118125440+01'00')
+/ModDate (D:20100118125440+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -10683,8 +10683,8 @@
2572 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145341+01'00')
-/ModDate (D:20100104145341+01'00')
+/CreationDate (D:20100118125441+01'00')
+/ModDate (D:20100118125441+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -13974,8 +13974,8 @@
3078 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145342+01'00')
-/ModDate (D:20100104145342+01'00')
+/CreationDate (D:20100118125441+01'00')
+/ModDate (D:20100118125441+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -16278,8 +16278,8 @@
3431 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145319+01'00')
-/ModDate (D:20100104145319+01'00')
+/CreationDate (D:20100118125421+01'00')
+/ModDate (D:20100118125421+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/SVN/samba-docs/xslt/figures/caution.eps)
>>
@@ -16814,8 +16814,8 @@
3496 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145342+01'00')
-/ModDate (D:20100104145342+01'00')
+/CreationDate (D:20100118125442+01'00')
+/ModDate (D:20100118125442+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -17411,8 +17411,8 @@
3543 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145320+01'00')
-/ModDate (D:20100104145320+01'00')
+/CreationDate (D:20100118125422+01'00')
+/ModDate (D:20100118125422+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/w2.eps)
>>
@@ -17906,8 +17906,8 @@
3621 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145343+01'00')
-/ModDate (D:20100104145343+01'00')
+/CreationDate (D:20100118125442+01'00')
+/ModDate (D:20100118125442+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -22541,8 +22541,8 @@
4337 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145344+01'00')
-/ModDate (D:20100104145344+01'00')
+/CreationDate (D:20100118125443+01'00')
+/ModDate (D:20100118125443+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -22841,8 +22841,8 @@
4353 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145344+01'00')
-/ModDate (D:20100104145344+01'00')
+/CreationDate (D:20100118125443+01'00')
+/ModDate (D:20100118125443+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -23055,8 +23055,8 @@
4358 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145345+01'00')
-/ModDate (D:20100104145345+01'00')
+/CreationDate (D:20100118125444+01'00')
+/ModDate (D:20100118125444+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -23357,8 +23357,8 @@
4375 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145345+01'00')
-/ModDate (D:20100104145345+01'00')
+/CreationDate (D:20100118125444+01'00')
+/ModDate (D:20100118125444+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -23650,8 +23650,8 @@
4382 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145346+01'00')
-/ModDate (D:20100104145346+01'00')
+/CreationDate (D:20100118125445+01'00')
+/ModDate (D:20100118125445+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -27474,8 +27474,8 @@
4752 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145346+01'00')
-/ModDate (D:20100104145346+01'00')
+/CreationDate (D:20100118125445+01'00')
+/ModDate (D:20100118125445+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -28234,8 +28234,8 @@
4831 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145347+01'00')
-/ModDate (D:20100104145347+01'00')
+/CreationDate (D:20100118125446+01'00')
+/ModDate (D:20100118125446+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -32108,8 +32108,8 @@
5443 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145348+01'00')
-/ModDate (D:20100104145348+01'00')
+/CreationDate (D:20100118125447+01'00')
+/ModDate (D:20100118125447+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -65480,62 +65480,51 @@
/FontFile 9329 0 R
>> endobj
9331 0 obj <<
-/Length1 1030
-/Length2 3840
+/Length1 1031
+/Length2 3885
/Length3 0
-/Length 4501
+/Length 4541
/Filter /FlateDecode
>>
stream
-xÚSgXS‹²•.M��Eá°�é5!tTŠ4éE:B A�!�z@št)‚Ò¥*JSzï½Kh"M@:‚R��áÅã»G߹߷ÿì5kfÍÚ3³¹Øu
-„�`h�¸
-�…�� ƒd %-}�� ‹Rqq)aàP,�º�ÅÂe ´4�Pp{ €E�„Œ˜”Œ¨8�� „vö �Øc�^%¾ŸI’€‚��ƒ°…¢ -(Ö�îDа…"��´-�Žõ���H@ÿg…+ �w…cÜá0a*��€!l±€
-ü��E%òÓ:Ê�
-Hþ
-ÃÜœÿC¹Ã1®�S /Á$�@°�C£^ �nG%¢&ô‚�œü˜ú·¸Š��©
-uú)ÿsHÿEC�H¯ÿM@;9»aá�@�
-ƒcPÿN5†ÿò¦�‡!Üœþͪc¡H„�ê���ˆþ
-!\U�žp˜.�kk�ØA‘®ð¿ãp�ìß&�sûÛ‚ˆ™®²¡®ŽÀ¯}þÍéB�(¬¡—ó?ª?“ÿÆ ß˜0��Â�0������� ÏÞ,ÿÕK�e‹†!P„ƒ�— ��Ô‹Šp��$�ø€ �
-�÷�àž�Ã"Â(4–P��fâ�Ø¡1T?×) �DÔ~†~!� r÷�$E@†ÿ ÂöD ÿ �³E;9ýŽ€�þDàÿ@q‚°�Ú
-ó�O(±ÿ
-A¢€�ê�H¨Fÿ–—& �ü�š çü›– Â%¡ad�äÿè���D\ÿ€„
-ìos„ÞX�ô�4áãÜ~C0ÁŒ×ïnR€ˆ7�ó+ý¿7¨ˆöô��ƒ B`q� -%�HŠ‹úþŸ<[7��ŽÂþý��Îå?Ø�A8.8Ü�nK59Ž¶•
-vH¬�yí§œó.ŸŒŸHñAU¬vYóH�uÐû8"äË^
-�þÙR“£‚�†�ËdËl�'×]#êqz�*Û�.±Ic§ËîÖË)Þ5×MvR´¼–œ9�‚6èê*G÷6ʼntð³}¯�Ls;Ò¿tndéòÞ1\¡˜f?×bî^Þ’�,!i¢’‚¼�ú¨”[Œ]ÿb’Ëë0HèŒÇÅ„'¤3CA~�¡ç«�¦¾¢ëÝèrÎgÆŸZìáåÍ™ÒÆ$,Qƒc�öãNH{hd”š „-*':µ¦öä¨(Mäö;±JîØ$ÔèÍ´x¨„r5瓱Þùk¸òt?áÀéÑG}™š�`áÒå¼t×ifmÓ� ûC]ê°àŽÑ�ªB{³Ö$€¨`R¬�·š“9ìÈ«7¡®ãJé´/;mWwø¬"tî™�È×
-J3y>&I�Í9óQô Ôc&™Ì"òRZqZòåˆöyÝ�A»ÏO6Êû)ùó)¢æmT³ÄÌFÀ�^ëâIžæIiŠaÖs®™‡»£l”Û›í‹üV�HÇ�¼ÅÕ�s¾Á_ÑØ�˜�lÌF‘n?hº>%G5�q—(A2:ðcžšƒPÿÕ°Í(Ê�œq‰í6ž$PwÂXÐÈÿ€¨kåݸã¬P„�%F*µ™”õ€ÍÿU’ܹ·ùÜœ„7±×b�ó‘=ý�Û����UêĈ£�Ûõª(ïÜV±,¦§,|ô½Ärƒ�j?Å"oŸñ9¦}5Á7±:õÝ�ÕƇçxxH–Å«±Çh˜<r9‰8þΉßô'êV‹¬¿¬Hó‹‰�‚<'¡ÏGSÊ–.Ù»¥¿Ü4]c.õé/ �íÆùú2 vçö>ÎM�”E�_õŽˆ_ð? ¥õO=÷-�Ù��øã‘6‰Ý¥Ã£�CcÈŒ»·¿±XØy�ižèmìW�™�OÝØï‡!ð�m>
-7,ò9C¦WM‡_x–Ô’-‚©õYs¸ž¹Kݧ¯[-×DØáy¥
-*‘¢#¹34E´–Ms=/�ãÈËK�áÔ;õ[´â´Ï²©z„ÂA6ó7¬´aêµ�ydÓûǯ-’CK´��¬±ÕÙØì%P¶þ2Ýæ¹·×¾|(=l[c˧`ܶùJ®N
-ßDX…85õÕ=}$ÙuóÊ‹Þl•œÛTü9±Æ
-E�²ã’àï�;ÖÙ>R
-dÕ�j úÈ
-÷Å;{Aºo©�W™yP›œ0<û�U•ÊÖÌ�7:‹�«í¢gä½–©C·æ”ôE�Q}T8=ð<¾ð{àzû MW%ót#¸^oî~Ý€“'Éš�ö«T#��«�û[™'Û6º¢XœÕ
-l9Äš��ux3ÖRJ;ÔYó�ª@ªS.�“0AÐÉ-É$‰�¡§Yé®®]Q�7Âù¼˜‘�.[»�ŒÒki�Ö¸Œ�ê
-�ÉËöåœU½ò2D�¯µK¬�'‰ ¹$ûŠw¼ªúÇ�—N�Â%è’Q�ÞC\®‘£�Œ9_D¾»‘CññsA�ˆfÈB´Á䤙Ôr±w‡Q]¼¹‚
-Õàï{çîªk�ïdëú·]Én½¾ëÙzÝ��/“A�}ÐÁ½�Í{àxZ€™Ð¡AêcÎW�Š‰¾³ðÓ�Ä©\�œI�Ö”Ú2}³Æ¡�á—¾3�ÄÂ��Käa S3§ Ë�ò.�³�æhßvâ6/„·™£Šµ�Ë–�©{e%›[)Ü�²K�µ%Àò/ab�Ùf®ŒV‹ÕmÖ�ÑâNÞ���ýôß'ç6ø•�2®ëÕÅP.ß1gâ¨n'qÃ5Zî‘~C•Ÿò�i3cŒ˜Ö}¬ö+�í¦gtÓ|:ua�>°¾DÑb�1½'t�¦ø§f‰=qjy�µöŽÜÁV…@@5GËeÆhávð�åàTÕ�ÅBé4ÇsgGÕâË×=»²X”€Ê2¢Æ+�žÒ·”6ML�Ñ?�{u.NPÉ0¥‹\�!Ÿ– �˜ÂœB¿s±�œ¶°‹ö‡-m÷0jóº_ŹîŒK»|Ï•�‰ùT˜AE¡�ÙÌ®eÐvï0O¦+èõm-Ž¶ï�}sO+bÑ�ó3&×,¥ã�n¸Ígo²<VzÃd»pS?��”¬¯tA—û2Û�·U�Sø·ü�\Ï��É�z�<&Ž}w©°@(yÖnVå™Âþ` {$]õ`†‡<GöÝ��ùÊ[ø�ž-Ž�ñÅCnöN�#üŒ0$´Bd´×ä�k��¿—O�òJ'ÅÌK�ÈÉço×1¬ªaØûZD�c£&Ú£³˜«Ë1sìjÒ_³†¨�œwS%s‰/²à#3ïuºÔ�ƒT‹}œ†G?s„Éš^;,ýj�~�:òQ§e�¬D�ç�BB)˜Ý“
-Äžg‰A
-N�Xóˆd.�}�R·Õî5>5p ìëhsS�ðª(‡êF�Gš—6•ß�›Z�wêÐá¹25 Òµˆ‰k»©��åuT±d£ÁÞy�Yõ;��§ê/\Ž�PR¢?-÷ç �%
-�œ\ž‘`žé¶Ôrã˜f¹Ê4¦H71�9Tbd¡÷#¥$
-&�߯Åcõ”�hTܦˆ�ˆÊÜNï(ÉÔ¯1N_–Âöšéì/îÆó‘/fÞ£àÓWz¯t…2f�Û HÛ\XåçMC~p�ñ�,‚#ã8×-ÌεZ†ûÎ$»œ�Ÿá‹‚—»�i¿Dl¬=‹rŽ¬…ãOž �„��Å¡ÔOÙL��Iä׺¡OÃþòÀ5b{¥{G9ŽËöI�lDŸqÏ»ðõO—"í/¯‘ ×€I1ÞVœŸ¸š]ï½£ØK/¾ëA�^úz‘Þžè+졲þJ8èD`�ÆÎËöUÊ$x|øavyš��®C�ó,y~ùÒ�C at N¢cz|pkÒù7…”ö�³W-!à³Íì€Dïv*XØ+q©�ïSÝ¿=º#ÈQ@‘ñœU§�Ç3¤l§’‚�Z1Yéž•w„߯µc<�l~|"ÛLáð�¿sÖvÇ‘8®¶TÐêj°°’Xÿ5—ˆüm&š«ðcM�4ÉŸÈTë5�Ï0œ®†~øB̆î"�$>®ÛƒOnòz6‚"Jjf�fôf©å&=�2ñ‘¼†d:}š_®»º©â�ŽÞ†æ~¿ÁYØçÅp|ƒ³�oå�^•4ró[�í�‰_\N?�-ðmê„Ù—ì2Ð{¿¬Â7·[yE`KM«µs†@�¯¦Ñh+��ÝõcÂ3ÔöÃPàé��Õ«
-�@§Ñ{„Í«û©£ZYæ—�¾‡ht2Š6’ºÖ ³�ùly3òE‚e¾‰�…ðt©„ïZ¾”~¸»8›îl¼¶µTåú±Ìú콕|Ó2±—À5Ý6+-Ì£+ëo�éRUý±ë•äúxóç:û�õ¦ F±x0[uàùך�ƒ��=#(Ɖ�YIË0�À¾LÎÃjôE×WdÞ·�ÎZ9çŠ�\«'HbÌR8�¨¿Rô±!#ý·–]=j»RgÆ…† �œ2O�³`…Ú�GOš�£ì�•ŒÛ4häñ�gtyu�$Úâ�šÇ¸b2{Õ�Œ€â-–g$ùmv_k–˜�êY
-æx�˜±_>ø–~&áÉ�YÏ;ŒŽ©5p7�¸j–U~|ª�ýÚÔÙ›‡8·!_í[³ØÛò�ÁhÓ×?�Mü×’m‘w.°öý²zñQ±•E�e��‹•F½ÚeaÜw¢T™”ã ÖêMˆ7*/ö¥åóž:ëÒš¾ÆÀ}nÃô½ÍÀT¹ëó�šŽ]Ù—ô�"Α9�@˜‹¼{é‹5,¨�ÒALž§fáö&mÜa‰tI£�Ý�¬ÅÔqÁˆ¤ª�Ÿë3L‹ZúÄÓ™¼Îªn£�ϪQT�MŽˆXž�]UphX
-RšDÇ€éî�P=ò`�/8ìar‡—D™ø
-g5ƒpM4µs�ï=ù†okl÷L}i¯•ÕÑ”
-ˆ�è¨á†O3O“>z—c…�'ZÉa)W�í‹»HÆ�VxÄU¹â9züáÖÁ�CíhÌû±H¹ù#it�t‡…ïÝÙˆÄÍõ�´TDˆþ2�uÐUØ
-*p;�’‰Ó«?
-÷=•Y‹TÖ£${�)¹·@
-å“6Nk™”ÏP�»¹%éZHTîÇ‹�)‰¬}ô"²`‚L±kì%)“†uR’ŽCÛ’Àúöjs+æ£\‚RQ%?$Lµt#A3£ð�ß�nóí&•€Ä�glÊá�½èí|è�Žâaoªã¨™;1m¥×�8e{\Ý”¥ªWg`V!J{h¼g ?¿Há¹ÍäÃúüô B3õÌb=�.ŒÆ†ÑD='Öï:ààï•���ΉŠÚÅñ@ÔŒ…NOÞ �5N.ÜwºBíÐ*ÒÙÔ/
-�¨y—8°«©o�º‰Tç׶ž)>�&f•õn|èH�¥¨ñw‰Ü4ñ_¹Nsžœ¢h�Kö•ëÌÊ—”Sý®õ�5TçzêÌmMñ�iCÇ9ûÇÙ-i}—Âät>�2+2Ý
-Ϋ8kR¥tµN�ÿÈoZð¶`yêí^¤ÿ‰ó�a�ÞÞ£ãK�¨�÷¹|EdÝÁÄ�Se–5�ôÑ
-+¯|¹J48;<�R�ç“^v�³��¯‹áî³È˜Í&`Þ�`�ܘ�L�pmUÛHjS’ÕÉ�¢¹s¶�µ|¨oN¼<1�éd"µ5ª���`UIØ
- ô~ñ¦KF_[ZMâ$©veéÔÎhDÜæîY}}ô¤�¾Ù+–í¶Ç�öó¬z¦p©dÿ.Œš�â]ô•}{¯±œÓ�ãÚ“4�X÷ÞÁ˜Þú‡ÍI§ë¼Ík)ÃYç;uíÚ›û÷=S·�Ð3¯�äÇû`ê¡�Õ--Æع�rƒ�Ú%���;;�ñx�ØT§ôУ·X•!…Ö'‡¦cø±Ü�O^rís“å¡”i3?�®`êî#R_©� ê�>Ø}�]wþ½Ô~F -4<häÖ�þ™“î-¿3uˆ™*}o
-„&J^7åZ"NœMÓZ%˨SlpsßÊ(JõÁLD�ÒX»Î¬�´•vç/ç-Îø´çË)xEHc�«g‘|"Ÿ¾Juüì`¡ua2ì8Q¯á…¥ç�ÓµÛGQìB˜©�Û‰&²¬
-ËÅŒ�#µÖlÜ=C/B^ôô��CÖ¤±Dð�'k»7Î��YÅ"���Xc¤a ,uY�ë�s®��ÞJg¦Ï�á¤ö!C[c�{±÷H>¿_jÔ�ý+!ÙCjuÅÞâ kÐÛ�Dê�’§S1Üðú™�Ô�ê²ã˧«áŠÖÒ�òk��áSg†Ã³‰†4–ÖkR{û¯{nµ†[úWù’ÛD±M¾es,Ï㕹Ü3š£±‘¸û ÿ
-Ž×Z
+xÚSu\T�·�‘���)åÐ�C‡H—ÒÂÀ�0:�0�%]¢tƒ¤€Ò
+2tIH�ÒÒ¡t·�Â�¯ï»Þw¿ßïüsÖ^kï½ÎÞû°0héòÈB�¬ J����ˆ�$�È«ë€� �/?��‹<�
+FÁ��
+`�T� ‰‹ƒ Y�[@€� ‰H�ŠIð��± ò�Ž�H˜�
+`—çø%��dí¡H˜5��¨ƒQvP{L
+k0�Ðu°†AQ�¼€,��èüÊp�t ÎP¤+�ÂK����˜5
+°‚ÚÂ�D|¿�©"l� Ñßaˆ‹ã(W(Ò�c
+`ǘä 0�!��¸� Ú�ñi8`zA1Nþ?Lý»¸’��®�¶ÿUþ×þ‹�ÛÃà�ÿ+p°wtAA‘€º��ŠDü[j�ýíM�
+¹Øÿ›UEá0kY„-�
+ðÿ�Áœ•`îPˆ��em�Ø€áÎпâP�äß&0sûË�Ÿª¦¬¦‰�×ï}þÅia�”ž‡ãßU‰ÿ ?�3�$Ì�0åçåç�a„˜ç?oæÿꥈ°v€À�˜ƒ���ÀH$؃�s��$�x‚ ���u� î�Ã|¼���&�ÀÌÄ�°q@�ýZ§¨ À§ò+ô� �|þFb�¤÷7Âl�ü7�ÂpÖ�öö" Œ?>èß�ã†ï÷€ÿ�09v ˆ�àCü�bÒ�þÔ�Ç �ô�4ƨã��SÝ�sJ�(0å‘ÿ€Â Ÿó? &ã�aLo”›Ã?hÌ×¹ü��3�º‰�|Ï¡Èßòÿ^µœœƒ»' �À# ��ÄÅÄ Qa~ïÿ£³vA"¡�Ô_�æ^þƒm`˜ë‚BÝ¡ÖD“ã�Ö’AO“j^�ø(æ|.ÄåÄ–³EGkTµŽ4��~‰Á†çö>v✫4:+J!¿±‚»BïvAë�Úè¥ýIi×ß):yìrÅÕr%åy�ÑAŠºÇ²#ãiàæ͆šÑ£-alÍá¹¾‚xã·é{]›YZì
+z«ø3�Xm¦®Õm©A"¢FJ)pýàJVA�[ÉN�/…BfÝnÅÇ^Ÿ��ôy�BPË5½ïÐèBv–Cð&îÒìh}XÆ”2mLÄ�106a7n�·�‡…«p чçD¦ÖÕ_œ•¤ñI�¬aNFŒJ¥ÅE�k™bÇz�i¼ªÓ}x�fFƒûÞ¨¹ ðV®ä¥;ÏPk�·�ÙS
+©§¼Ü��³ˆ÷�[õFþØE“‚ï½ÖrÞ�=cמPÕt&´?–œ±iøžø>d>Q�äm�&™$ˆJV%s`š]à?t›}k�v;4íõÐŽEO�Ü6Û±›Õý„œ…øá‹VÊY‚&#�S�ZÃ8 ybj‚WÈ��ÓW®�k�ÅŽV»�Ÿ5[ñ(�ÿr¯:C¦²á»·¸&�š³�×wm[h§��„>ÂŽ��XÈSyÊSçGõr+œ°ÓË°Âzw�'@kÂÛÀï�»{õóø³9žPk�B¤Xj�õõ{§ôO9ó“�`•�²
+åÄ—EÓD��Â{úÉw'„d!D©�#ÏìéiÑáÏ߶�fQ&Ðqõ^{00Uÿ-�.}Åá¸Mš?Á1±6ýÃ�ñc˜Ñ÷;n�ûã#
+½×#w’¯Å)\øÌ|#n7˺oq½°ô�Œ›í"$c4¥jù¶Kzî–ñ:u¥g…ÿèG/oorØáüÑÂü´U¤!Õóи%¿‹�R¿T¬“´zxSxÀÏ`
+�›ÛßϦ�Çà™¤OèÌl<�Ô.´7k�M
+§™û!°a‘�žMÌf…L/fÖŒ‡Þ¹WàÔã~…��ëÜËaIt�{BÖ°V¹¨�³�f�×ó¼%)!5o™ïy—�ƒW]ñ�JÜ|иC*Lš˜MÔÃó
+dµÈl¡�Q_ÊÃ9>/0{�R¡Á-k‰ªÍFe/»…ÐïôWiµÎ—ÓìMU~ooX§/ħصÚÇS½�Ý‚Y¼°oékHˆ��í–ºû®7[)Gšˆ3'Ú°©�_r\Tà�y«·e¶§X�ní:€,lS¯¼ôà(P«œ(�mâFltAž¸ V�ËV+|ep�5VßMFÁNóFóæº}òž�¬ö¬xæSF\ñ€Ž�«z�ê™fFíù'
+�ý/b_«Ù�£•Cõ’ÐÜýíÔ“�6»Ãé�UŠ¬��[š¹5Ù3×S*;Uï�>Eƒ”§�'!Ü ‹‡¢É"�< YéÎÎÝáø̯8<¨áÍ"N;‡B«Hù�qÝ{1™EÄï5EïØU3¡{e$°�h:DÖ
+�pBInKæ³£kž²h6Áœ�o�„�» ?hfì�@�”à�næà/l�…ƒH�Íø›Œ.Z¯›í= P�n}O„hòóVx´æœÅ>Ù¾qr(úQ»6[ûcèÓÜ× Æ>ðÀ�së‘Àf�©ºÿlÈà€�úœ)ßL.É{�zù vù J©�iIm›‘úP÷´�æ“~0�HÇ��í¦«Y7/�À«¹òn�ÞÓËѶg5-†~0E”j|Z VõÈzmj!« dWpkˆ�ÈäB�—²Mœ),�¾Ö~°|�)l?äÎåfÖOöcr~“SÞ?“V»!ŠpEÁ”’ÓWÕF„Ù9òA°N�ÚGqJÜÄP33ªý�¥ñóîR‡ñÕÍ��͆—ž¾$þR%AíØ›ŒÆà &I=1*y0•ŽÎ·�í²�€rŽºÓ¬Á’tÐ�áÀ4zJ®X<í�ÖÕYð
+{w�<PS…Ý|w�˜>"
+h2Ä΃…Ó�öµ1èœfष½b¬úlÑ"mô�)WCíÑÑ"53,T^fDP�Æ4Z)â5�pG§.¾ø3�‹Ï|Ì«¤5½ñø—Aˆ›"ÚLº®
+U.á]�
+-œ«&ö;Íl>bÞùµ7‹"Pñ%1§"p}ÁúÖÁ�sº+N9ã"©(âÔù’“Swþ€ñL»Y†ÛlÈÔ¾ÜF
+3™Û!�¯"æ~’Y¯^‹$#�øüüSm»Úù;!2Ó7º’Å 1^ç{)2��Ýš0ÚË;½~¡¼û�ä�k†$�(NŽG
+Œ¥%n�n�Y{·ÜÞõÙ±/æîJ4»žËl�YÎ\)4[4â Äõ� ;�æ�³‡-Ö¦„sz¾ïm7 ïéûXâBo©0þ‰Òƒ‘Æ›�üb×7_>l«I‡‘M}eº2ţܧ<Ír—«GÞ*YÓŠºaß²¶�5ï‡÷,ß²ó£�#y§œÄƒÎaôÃO“•˜K"Þž5ðšˆ| �«�áÞp�Í®¥|0@š��žCÔÚ�éŸc«ø�ú'…/�}Ôªí0��BU�E±TæD°”Û’OJåøhèGþBV?Únr�·±½¬Z»r7Œûù(¹ØòZ=þT�AÖ4™øj=½xÊÂ�§²›¾…øœm¡.ªxÊ{8ú�Ìúg‡·Ñ¢E•Xs�±Ð[SÔ?r��B
+·+«;‡§I ×�O±�J‰«åMN'B‹Ïæ˜ÓYtirœÊpï÷XÏ<=}E•�,mß*é¨õ1‚ìNØ i�OJ†-�7¸Vö†)þš(�øèP�¿«æˆ§"ËWe�rƒµsg'Ít8A�]�#ßGþ}@ßfÿ¥ý�á�„èÝŠ«^qéãÂ�'?
+äßíìSç%�Ö9©�»ˆlûÉx
+tj<�¼�ù&Tïx0;¸”¿ïSÁt�Kæ;eKtI©¹é�^V Ù!�rÔ1»¦ÞT4qUÍ%›�k†˜¿®�Gxƒ�½{ï�ë�׋�õZ±»=‡2gâ�g�ªHõpVç8Åzc_Þ}þu¨ó�Ö¤gͳ�q+ËòûÍžAQekŒaö±ý +yƼ�RYY·ý²îOû�rdœ€‘Sûî��Ï�–œÆÒ»Óž�ÞZ†ÚÅÐsaËËé�+¤oPp=€o«8òÆR�}—Î.]·ß½Í�GòÄ(²Ì6vÉürïÔQhc°�Ç·B¸ì•s1þyt‚âõ�ú&)FÉ%�ï¶1ÖÈ�œ‚Jæ�“'/ÒOâЄÎS�²F�zýó.Z}&×�SÏÞZY©¢õÀß�5«ðh@
+½=øEÜA¤IÔ$jz¿P¸Ì<„Éß�z\:v¾ãõ™ç†l>E)Ç‹£z2+¹�ì:¯B:âàjJ7�Z'�µ_Ó�Àµ™�ǽʚ}‹,ø�XP+OO#†nú“b�+³}¡åÉ�§°z÷QŸ÷3ŒMë¼=·©H#ÊoÀ|¿xwRaùåÚdïÖ´¬kÞ�9��Rˆç�x�ÉÏ_Ò§����âutÌM�OzxZ „�t¥•¯¾ÉOR.=Ó†\,Œ`$P<i%dZ–(zÍÌ4RôvØ>Ejë|?&�Ë Òƒ
+›�¥Þùµl²ÏBžm~˜¹
+�׋L’ΧÓE¦�9��¡ë�Y˜�¸fV–8%¡è%¸wئ,5Ê}‰��+å²”Ö±&°}2Žÿ†ÜO‰šd–:êX¹á]NæÍO¹;d�ueH%‚4Zlë�MZQŠû–-�¦¬Tx�I{�kdjä!U'ó6�!ò�35×�Å…ºm´L4鶗v¸Ø(ݤ¥a�vkPjŒtFcÍl…œ§hlV̤˜"oð�”îf2¯L‰�»*Om¡`��uWžlA½,~IbÄÃéæc�Ã�ÛoC�õ��”’?ÏP#k_¿y¡p'“>%=òn‚KÞ�Lx[ái#%¦¬e©[ÜYPdarŸPxR�çþQ�ÝùÛ&mð–zñd6g�Ü–Öƒ6Âw÷
+ä0vÅŽ�è):—;ÓÖ¤ÕÌ%+½NÑ*'÷,Šba]�½�ŸÏ�•ø¢#Ð+�¹Ç¢¿NÄŸÌEÊóÒ?–¶Z=c‰£ÀZ0‹�%5øF�a àÕYΧÍ�9�2Æê¢ævÈM¼D㊶Ö�!)yS�lXñ;d�yl�D¹üCãOó�¡_Ö^�ûqÍó¢´��ÜG›�í÷yâ�Ò¹‰î+‚ýz›WÔŽn³ªg°9tŸeÍ2Ë;²€�ì">zòë(�›ÞH¾ïÇE�u)FójË��ÍÕgU»�ÍèÍJ®ªcï–©Õó�™@ü‚Áyæ6¦uþõ1¥Ù�ð�"gšPFyÛ�Ûª�Ò;‚¬—�ó‰�úI¨¿½�´ sëëÞ^]£›‹ ‹dä#–fœ]�¿Æ©IŸDaìb í=¨îû!;ˆ¥@�ÆK÷@�—?4‰ZÌVË49êlûÖ _�ÕGò†û�fæ#�Í-/·:˜’Í�"x�…ËÝ�*ñÜÀ[èF?�]<+ê.�A+ÕËJónÀ�Ý£\+ZUøø3!ÇÊÆeH›�j-ÈŒÛ�ßNkt¦S�Ž�Ã
+Y���É ó>쎒˜/é/€¯~Œ#‰ƒ<��3|k¸BUÖ�-šzÔË´Ãï‹?.ï9�FÄõ™§Šö�¯;P‰/xùÚ7ƒ}–<;Óéém]±Žû‡Iþí��"W¢Ñ÷r /âHh�¡Vmõ�;k�¾T«&CÌX*„G¬Ë™jfþf¤]~£W¤uâ*›�kª�«²…G1g2;Æ{F0óŒÎ¤‡Åº�{ò÷xz£¤P��”Ù]dGæÇQäO�ÔFA‚‰ïieè³ÞÇkR$\X2Š§;³AÁôú1Ÿâ�ŸáTq�F·!ÅR´”‰ý�Ü•×7.‰¶MÇ¿�˜]� �…Ä4�›ÑÏ�<¤‹HsYײ��Yv@ºŸV��®uk&”ð�üÁËƃ�—ô#�Û™@™)-ZœþôŒ‡y�[ï+¬®Uö}ƒ�sMªw�tQXÞ…v6à†Z��ɳ¶¨td['½��¦�–ûºL8tD6Ã�…;ˆÿ혱,‹ˆCg±?r»oÆgx«G5n�Òå“YUË{@ÊûÎd·l"è°yR�VÅ| >PØŸÊ6�[S{"�öq©÷»Åáö�«ÿ�¼Ÿi•Õ_¯«ê{í�ò/}Dë#Sn�ˆ&¬¨¢~ÿ°ýüã V¼�‹ÀƒPÑŸúÞ`ÂÌq@À\�o[�?��ü±)·Dª•Å€Y�È�.(÷-´¾S7-ÑÆÀÄÅàé«{ũƦ�Å3ÇW™¢��ÿpwŽ�û„í½ŒIWðËgO�¥…�ZÜõÊÙhî¤ÙJ�æ�ÐkýœÞܧL1ûqmj÷i�E%€ª�_£Œª�:×�îÝ5D\½Ìa˜ŸØ+5þ�Á¼ú˜67ç Iµí«
endstream
endobj
9332 0 obj <<
/Type /FontDescriptor
-/FontName /ZPETPO+CMR12
+/FontName /IOAOZR+CMR12
/Flags 4
/FontBBox [-34 -251 988 750]
/Ascent 694
@@ -65544,7 +65533,7 @@
/ItalicAngle 0
/StemV 65
/XHeight 431
-/CharSet (/H/J/T/a/comma/e/four/h/n/o/one/p/period/r/s/t/two/u/y/zero)
+/CharSet (/H/J/T/a/comma/e/eight/h/n/o/one/p/period/r/s/t/two/u/y/zero)
/FontFile 9331 0 R
>> endobj
9333 0 obj <<
@@ -66919,7 +66908,7 @@
1125 0 obj <<
/Type /Font
/Subtype /Type1
-/BaseFont /ZPETPO+CMR12
+/BaseFont /IOAOZR+CMR12
/FontDescriptor 9332 0 R
/FirstChar 44
/LastChar 121
@@ -72605,8 +72594,8 @@
>> endobj
10068 0 obj <<
/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfTeX-1.40.9)/Keywords()
-/CreationDate (D:20100104145546+01'00')
-/ModDate (D:20100104145546+01'00')
+/CreationDate (D:20100118125641+01'00')
+/ModDate (D:20100118125641+01'00')
/Trapped /False
/PTEX.Fullbanner (This is pdfTeX using libpoppler, Version 3.1415926-1.40.9-2.2 (Web2C 7.5.7) kpathsea version 3.5.7)
>> endobj
@@ -72618,10074 +72607,10074 @@
0000000004 00000 f
0000000000 00000 f
0000000015 00000 n
-0000032186 00000 n
-0003705478 00000 n
+0000032188 00000 n
+0003705521 00000 n
0000000061 00000 n
0000000102 00000 n
-0000032246 00000 n
-0003705391 00000 n
+0000032248 00000 n
+0003705434 00000 n
0000000148 00000 n
0000000182 00000 n
-0003443965 00000 n
-0003705302 00000 n
+0003443967 00000 n
+0003705345 00000 n
0000000228 00000 n
0000000255 00000 n
-0000034774 00000 n
-0003705213 00000 n
+0000034776 00000 n
+0003705256 00000 n
0000000302 00000 n
0000000337 00000 n
-0000101693 00000 n
-0003705124 00000 n
+0000101695 00000 n
+0003705167 00000 n
0000000384 00000 n
0000000418 00000 n
-0000128485 00000 n
-0003705035 00000 n
+0000128487 00000 n
+0003705078 00000 n
0000000465 00000 n
0000000498 00000 n
-0000139458 00000 n
-0003704946 00000 n
+0000139460 00000 n
+0003704989 00000 n
0000000545 00000 n
0000000572 00000 n
-0000142143 00000 n
-0003704857 00000 n
+0000142145 00000 n
+0003704900 00000 n
0000000619 00000 n
0000000645 00000 n
-0000175681 00000 n
-0003704729 00000 n
+0000175683 00000 n
+0003704772 00000 n
0000000688 00000 n
0000000744 00000 n
-0000178198 00000 n
-0003704655 00000 n
+0000178200 00000 n
+0003704698 00000 n
0000000792 00000 n
0000000841 00000 n
-0000180911 00000 n
-0003704529 00000 n
+0000180913 00000 n
+0003704572 00000 n
0000000887 00000 n
0000000939 00000 n
-0000181037 00000 n
-0003704455 00000 n
+0000181039 00000 n
+0003704498 00000 n
0000000987 00000 n
0000001022 00000 n
-0000183565 00000 n
-0003704330 00000 n
+0000183567 00000 n
+0003704373 00000 n
0000001070 00000 n
0000001109 00000 n
-0000183691 00000 n
-0003704219 00000 n
+0000183693 00000 n
+0003704262 00000 n
0000001162 00000 n
0000001202 00000 n
-0000186965 00000 n
-0003704145 00000 n
+0000186967 00000 n
+0003704188 00000 n
0000001260 00000 n
0000001312 00000 n
-0000189598 00000 n
-0003704058 00000 n
+0000189600 00000 n
+0003704101 00000 n
0000001370 00000 n
0000001411 00000 n
-0000193820 00000 n
-0003703984 00000 n
+0000193822 00000 n
+0003704027 00000 n
0000001469 00000 n
0000001506 00000 n
-0000199114 00000 n
-0003703860 00000 n
+0000199116 00000 n
+0003703903 00000 n
0000001559 00000 n
0000001613 00000 n
-0000202490 00000 n
-0003703786 00000 n
+0000202492 00000 n
+0003703829 00000 n
0000001671 00000 n
0000001723 00000 n
-0000205212 00000 n
-0003703699 00000 n
+0000205214 00000 n
+0003703742 00000 n
0000001781 00000 n
0000001822 00000 n
-0000262541 00000 n
-0003703625 00000 n
+0000262543 00000 n
+0003703668 00000 n
0000001880 00000 n
0000001917 00000 n
-0000262667 00000 n
-0003703514 00000 n
+0000262669 00000 n
+0003703557 00000 n
0000001970 00000 n
0000002012 00000 n
-0000265567 00000 n
-0003703440 00000 n
+0000265569 00000 n
+0003703483 00000 n
0000002070 00000 n
0000002122 00000 n
-0000265693 00000 n
-0003703365 00000 n
+0000265695 00000 n
+0003703408 00000 n
0000002180 00000 n
0000002222 00000 n
-0000310217 00000 n
-0003703288 00000 n
+0000310219 00000 n
+0003703331 00000 n
0000002271 00000 n
0000002316 00000 n
-0000319976 00000 n
-0003703158 00000 n
+0000319978 00000 n
+0003703201 00000 n
0000002363 00000 n
0000002416 00000 n
-0000322722 00000 n
-0003703040 00000 n
+0000322724 00000 n
+0003703083 00000 n
0000002465 00000 n
0000002501 00000 n
-0000322849 00000 n
-0003702975 00000 n
+0000322851 00000 n
+0003703018 00000 n
0000002555 00000 n
0000002597 00000 n
-0000325384 00000 n
-0003702843 00000 n
+0000325386 00000 n
+0003702886 00000 n
0000002646 00000 n
0000002695 00000 n
-0000325511 00000 n
-0003702764 00000 n
+0000325513 00000 n
+0003702807 00000 n
0000002749 00000 n
0000002791 00000 n
-0000332612 00000 n
-0003702685 00000 n
+0000332614 00000 n
+0003702728 00000 n
0000002845 00000 n
0000002887 00000 n
-0000332739 00000 n
-0003702553 00000 n
+0000332741 00000 n
+0003702596 00000 n
0000002936 00000 n
0000002974 00000 n
-0000376797 00000 n
-0003702474 00000 n
+0000376799 00000 n
+0003702517 00000 n
0000003028 00000 n
0000003064 00000 n
-0000388619 00000 n
-0003702381 00000 n
+0000388621 00000 n
+0003702424 00000 n
0000003118 00000 n
0000003178 00000 n
-0000388746 00000 n
-0003702302 00000 n
+0000388748 00000 n
+0003702345 00000 n
0000003232 00000 n
0000003276 00000 n
-0000391188 00000 n
-0003702223 00000 n
+0000391190 00000 n
+0003702266 00000 n
0000003325 00000 n
0000003370 00000 n
-0000412456 00000 n
-0003702092 00000 n
+0000412458 00000 n
+0003702135 00000 n
0000003417 00000 n
0000003471 00000 n
-0000412583 00000 n
-0003701974 00000 n
+0000412585 00000 n
+0003702017 00000 n
0000003520 00000 n
0000003556 00000 n
-0000415478 00000 n
-0003701909 00000 n
+0000415480 00000 n
+0003701952 00000 n
0000003610 00000 n
0000003652 00000 n
-0000454227 00000 n
-0003701777 00000 n
+0000454229 00000 n
+0003701820 00000 n
0000003701 00000 n
0000003750 00000 n
-0000454354 00000 n
-0003701659 00000 n
+0000454356 00000 n
+0003701702 00000 n
0000003804 00000 n
0000003846 00000 n
-0000462755 00000 n
-0003701594 00000 n
+0000462757 00000 n
+0003701637 00000 n
0000003905 00000 n
0000003954 00000 n
-0000468003 00000 n
-0003701515 00000 n
+0000468005 00000 n
+0003701558 00000 n
0000004008 00000 n
0000004050 00000 n
-0000468130 00000 n
-0003701383 00000 n
+0000468132 00000 n
+0003701426 00000 n
0000004099 00000 n
0000004137 00000 n
-0000474114 00000 n
-0003701304 00000 n
+0000474116 00000 n
+0003701347 00000 n
0000004191 00000 n
0000004243 00000 n
-0000481229 00000 n
-0003701211 00000 n
+0000481231 00000 n
+0003701254 00000 n
0000004297 00000 n
0000004342 00000 n
-0000494100 00000 n
-0003701118 00000 n
+0000494102 00000 n
+0003701161 00000 n
0000004396 00000 n
0000004459 00000 n
-0000497047 00000 n
-0003701025 00000 n
+0000497049 00000 n
+0003701068 00000 n
0000004513 00000 n
0000004560 00000 n
-0000501309 00000 n
-0003700932 00000 n
+0000501311 00000 n
+0003700975 00000 n
0000004614 00000 n
0000004669 00000 n
-0000503795 00000 n
-0003700839 00000 n
+0000503797 00000 n
+0003700882 00000 n
0000004723 00000 n
0000004759 00000 n
-0000520572 00000 n
-0003700707 00000 n
+0000520574 00000 n
+0003700750 00000 n
0000004813 00000 n
0000004870 00000 n
-0000523247 00000 n
-0003700642 00000 n
+0000523249 00000 n
+0003700685 00000 n
0000004929 00000 n
0000004997 00000 n
-0000526018 00000 n
-0003700549 00000 n
+0000526020 00000 n
+0003700592 00000 n
0000005051 00000 n
0000005105 00000 n
-0000533556 00000 n
-0003700470 00000 n
+0000533558 00000 n
+0003700513 00000 n
0000005159 00000 n
0000005203 00000 n
-0000536253 00000 n
-0003700391 00000 n
+0000536255 00000 n
+0003700434 00000 n
0000005252 00000 n
0000005297 00000 n
-0000573791 00000 n
-0003700260 00000 n
+0000573793 00000 n
+0003700303 00000 n
0000005344 00000 n
0000005393 00000 n
-0000576580 00000 n
-0003700142 00000 n
+0000576582 00000 n
+0003700185 00000 n
0000005442 00000 n
0000005478 00000 n
-0000579323 00000 n
-0003700077 00000 n
+0000579325 00000 n
+0003700120 00000 n
0000005532 00000 n
0000005574 00000 n
-0000582258 00000 n
-0003699945 00000 n
+0000582260 00000 n
+0003699988 00000 n
0000005623 00000 n
0000005672 00000 n
-0000582385 00000 n
-0003699866 00000 n
+0000582387 00000 n
+0003699909 00000 n
0000005726 00000 n
0000005768 00000 n
-0000588312 00000 n
-0003699787 00000 n
+0000588314 00000 n
+0003699830 00000 n
0000005822 00000 n
0000005864 00000 n
-0000588438 00000 n
-0003699655 00000 n
+0000588440 00000 n
+0003699698 00000 n
0000005913 00000 n
0000005951 00000 n
-0000588564 00000 n
-0003699576 00000 n
+0000588566 00000 n
+0003699619 00000 n
0000006005 00000 n
0000006081 00000 n
-0000588691 00000 n
-0003699483 00000 n
+0000588693 00000 n
+0003699526 00000 n
0000006135 00000 n
0000006192 00000 n
-0000641063 00000 n
-0003699351 00000 n
+0000641065 00000 n
+0003699394 00000 n
0000006246 00000 n
0000006299 00000 n
-0000643532 00000 n
-0003699272 00000 n
+0000643534 00000 n
+0003699315 00000 n
0000006358 00000 n
0000006419 00000 n
-0000653947 00000 n
-0003699193 00000 n
+0000653949 00000 n
+0003699236 00000 n
0000006478 00000 n
0000006567 00000 n
-0000660667 00000 n
-0003699100 00000 n
+0000660669 00000 n
+0003699143 00000 n
0000006621 00000 n
0000006676 00000 n
-0000680876 00000 n
-0003699007 00000 n
+0000680878 00000 n
+0003699050 00000 n
0000006730 00000 n
0000006784 00000 n
-0000687974 00000 n
-0003698928 00000 n
+0000687976 00000 n
+0003698971 00000 n
0000006838 00000 n
0000006882 00000 n
-0000690392 00000 n
-0003698849 00000 n
+0000690394 00000 n
+0003698892 00000 n
0000006931 00000 n
0000006976 00000 n
-0000708863 00000 n
-0003698718 00000 n
+0000708865 00000 n
+0003698761 00000 n
0000007023 00000 n
0000007071 00000 n
-0000719948 00000 n
-0003698639 00000 n
+0000719950 00000 n
+0003698682 00000 n
0000007120 00000 n
0000007200 00000 n
-0000720074 00000 n
-0003698507 00000 n
+0000720076 00000 n
+0003698550 00000 n
0000007249 00000 n
0000007285 00000 n
-0000725444 00000 n
-0003698442 00000 n
+0000725446 00000 n
+0003698485 00000 n
0000007339 00000 n
0000007381 00000 n
-0000725699 00000 n
-0003698310 00000 n
+0000725701 00000 n
+0003698353 00000 n
0000007430 00000 n
0000007479 00000 n
-0000736613 00000 n
-0003698192 00000 n
+0000736615 00000 n
+0003698235 00000 n
0000007533 00000 n
0000007575 00000 n
-0000767356 00000 n
-0003698113 00000 n
+0000767358 00000 n
+0003698156 00000 n
0000007634 00000 n
0000007696 00000 n
-0000770604 00000 n
-0003698020 00000 n
+0000770606 00000 n
+0003698063 00000 n
0000007755 00000 n
0000007809 00000 n
-0000773796 00000 n
-0003697927 00000 n
+0000773798 00000 n
+0003697970 00000 n
0000007868 00000 n
0000007918 00000 n
-0000773923 00000 n
-0003697834 00000 n
+0000773925 00000 n
+0003697877 00000 n
0000007977 00000 n
0000008020 00000 n
-0000774050 00000 n
-0003697741 00000 n
+0000774052 00000 n
+0003697784 00000 n
0000008079 00000 n
0000008143 00000 n
-0000777389 00000 n
-0003697648 00000 n
+0000777391 00000 n
+0003697691 00000 n
0000008202 00000 n
0000008274 00000 n
-0000779632 00000 n
-0003697569 00000 n
+0000779634 00000 n
+0003697612 00000 n
0000008333 00000 n
0000008415 00000 n
-0000794700 00000 n
-0003697476 00000 n
+0000794702 00000 n
+0003697519 00000 n
0000008469 00000 n
0000008511 00000 n
-0000794827 00000 n
-0003697397 00000 n
+0000794829 00000 n
+0003697440 00000 n
0000008565 00000 n
0000008613 00000 n
-0000836786 00000 n
-0003697265 00000 n
+0000836788 00000 n
+0003697308 00000 n
0000008662 00000 n
0000008713 00000 n
-0000840216 00000 n
-0003697186 00000 n
+0000840218 00000 n
+0003697229 00000 n
0000008767 00000 n
0000008822 00000 n
-0000846112 00000 n
-0003697093 00000 n
+0000846114 00000 n
+0003697136 00000 n
0000008876 00000 n
0000008934 00000 n
-0000853583 00000 n
-0003697000 00000 n
+0000853585 00000 n
+0003697043 00000 n
0000008988 00000 n
0000009039 00000 n
-0000860525 00000 n
-0003696868 00000 n
+0000860527 00000 n
+0003696911 00000 n
0000009093 00000 n
0000009169 00000 n
-0000862656 00000 n
-0003696789 00000 n
+0000862658 00000 n
+0003696832 00000 n
0000009228 00000 n
0000009302 00000 n
-0000864990 00000 n
-0003696696 00000 n
+0000864992 00000 n
+0003696739 00000 n
0000009361 00000 n
0000009434 00000 n
-0000868702 00000 n
-0003696617 00000 n
+0000868704 00000 n
+0003696660 00000 n
0000009493 00000 n
0000009551 00000 n
-0000875110 00000 n
-0003696524 00000 n
+0000875112 00000 n
+0003696567 00000 n
0000009605 00000 n
0000009690 00000 n
-0000900177 00000 n
-0003696445 00000 n
+0000900179 00000 n
+0003696488 00000 n
0000009744 00000 n
0000009791 00000 n
-0000905528 00000 n
-0003696352 00000 n
+0000905530 00000 n
+0003696395 00000 n
0000009840 00000 n
0000009889 00000 n
-0000916154 00000 n
-0003696220 00000 n
+0000916156 00000 n
+0003696263 00000 n
0000009938 00000 n
0000010000 00000 n
-0000916280 00000 n
-0003696141 00000 n
+0000916282 00000 n
+0003696184 00000 n
0000010054 00000 n
0000010119 00000 n
-0000917959 00000 n
-0003696048 00000 n
+0000917961 00000 n
+0003696091 00000 n
0000010173 00000 n
0000010230 00000 n
-0000920489 00000 n
-0003695955 00000 n
+0000920491 00000 n
+0003695998 00000 n
0000010284 00000 n
0000010338 00000 n
-0000923480 00000 n
-0003695876 00000 n
+0000923482 00000 n
+0003695919 00000 n
0000010392 00000 n
0000010454 00000 n
-0000927357 00000 n
-0003695744 00000 n
+0000927359 00000 n
+0003695787 00000 n
0000010503 00000 n
0000010555 00000 n
-0000930300 00000 n
-0003695665 00000 n
+0000930302 00000 n
+0003695708 00000 n
0000010609 00000 n
0000010691 00000 n
-0000934287 00000 n
-0003695572 00000 n
+0000934289 00000 n
+0003695615 00000 n
0000010745 00000 n
0000010819 00000 n
-0000959271 00000 n
-0003695479 00000 n
+0000959273 00000 n
+0003695522 00000 n
0000010873 00000 n
0000010941 00000 n
-0000959398 00000 n
-0003695386 00000 n
+0000959400 00000 n
+0003695429 00000 n
0000010995 00000 n
0000011063 00000 n
-0000966457 00000 n
-0003695293 00000 n
+0000966459 00000 n
+0003695336 00000 n
0000011117 00000 n
0000011164 00000 n
-0000968859 00000 n
-0003695214 00000 n
+0000968861 00000 n
+0003695257 00000 n
0000011218 00000 n
0000011267 00000 n
-0000968986 00000 n
-0003695121 00000 n
+0000968988 00000 n
+0003695164 00000 n
0000011316 00000 n
0000011358 00000 n
-0000971688 00000 n
-0003695042 00000 n
+0000971690 00000 n
+0003695085 00000 n
0000011407 00000 n
0000011452 00000 n
-0001019548 00000 n
-0003694925 00000 n
+0001019550 00000 n
+0003694968 00000 n
0000011499 00000 n
0000011560 00000 n
-0001022221 00000 n
-0003694807 00000 n
+0001022223 00000 n
+0003694850 00000 n
0000011609 00000 n
0000011645 00000 n
-0001022348 00000 n
-0003694742 00000 n
+0001022350 00000 n
+0003694785 00000 n
0000011699 00000 n
0000011741 00000 n
-0001025346 00000 n
-0003694610 00000 n
+0001025348 00000 n
+0003694653 00000 n
0000011790 00000 n
0000011839 00000 n
-0001028045 00000 n
-0003694492 00000 n
+0001028047 00000 n
+0003694535 00000 n
0000011893 00000 n
0000011935 00000 n
-0001030637 00000 n
-0003694413 00000 n
+0001030639 00000 n
+0003694456 00000 n
0000011994 00000 n
0000012032 00000 n
-0001033361 00000 n
-0003694320 00000 n
+0001033363 00000 n
+0003694363 00000 n
0000012091 00000 n
0000012161 00000 n
-0001038722 00000 n
-0003694241 00000 n
+0001038724 00000 n
+0003694284 00000 n
0000012220 00000 n
0000012273 00000 n
-0001073245 00000 n
-0003694162 00000 n
+0001073247 00000 n
+0003694205 00000 n
0000012327 00000 n
0000012369 00000 n
-0001073371 00000 n
-0003694030 00000 n
+0001073373 00000 n
+0003694073 00000 n
0000012418 00000 n
0000012456 00000 n
-0001172157 00000 n
-0003693965 00000 n
+0001172159 00000 n
+0003694008 00000 n
0000012510 00000 n
0000012554 00000 n
-0001172284 00000 n
-0003693886 00000 n
+0001172286 00000 n
+0003693929 00000 n
0000012603 00000 n
0000012648 00000 n
-0001415660 00000 n
-0003693754 00000 n
+0001415662 00000 n
+0003693797 00000 n
0000012692 00000 n
0000012764 00000 n
-0001417220 00000 n
-0003693675 00000 n
+0001417222 00000 n
+0003693718 00000 n
0000012813 00000 n
0000012877 00000 n
-0001420326 00000 n
-0003693543 00000 n
+0001420328 00000 n
+0003693586 00000 n
0000012924 00000 n
0000012994 00000 n
-0001420453 00000 n
-0003693425 00000 n
+0001420455 00000 n
+0003693468 00000 n
0000013043 00000 n
0000013079 00000 n
-0001440656 00000 n
-0003693360 00000 n
+0001440658 00000 n
+0003693403 00000 n
0000013133 00000 n
0000013175 00000 n
-0001443179 00000 n
-0003693228 00000 n
+0001443181 00000 n
+0003693271 00000 n
0000013224 00000 n
0000013273 00000 n
-0001443306 00000 n
-0003693149 00000 n
+0001443308 00000 n
+0003693192 00000 n
0000013327 00000 n
0000013369 00000 n
-0001451502 00000 n
-0003693070 00000 n
+0001451504 00000 n
+0003693113 00000 n
0000013423 00000 n
0000013465 00000 n
-0001451629 00000 n
-0003692938 00000 n
+0001451631 00000 n
+0003692981 00000 n
0000013514 00000 n
0000013552 00000 n
-0001454464 00000 n
-0003692859 00000 n
+0001454466 00000 n
+0003692902 00000 n
0000013606 00000 n
0000013695 00000 n
-0001498057 00000 n
-0003692766 00000 n
+0001498059 00000 n
+0003692809 00000 n
0000013749 00000 n
0000013846 00000 n
-0001505873 00000 n
-0003692673 00000 n
+0001505875 00000 n
+0003692716 00000 n
0000013900 00000 n
0000013994 00000 n
-0001509039 00000 n
-0003692541 00000 n
+0001509041 00000 n
+0003692584 00000 n
0000014048 00000 n
0000014129 00000 n
-0001561362 00000 n
-0003692462 00000 n
+0001561364 00000 n
+0003692505 00000 n
0000014188 00000 n
0000014241 00000 n
-0001565567 00000 n
-0003692369 00000 n
+0001565569 00000 n
+0003692412 00000 n
0000014300 00000 n
0000014363 00000 n
-0001573225 00000 n
-0003692290 00000 n
+0001573227 00000 n
+0003692333 00000 n
0000014422 00000 n
0000014516 00000 n
-0001576727 00000 n
-0003692158 00000 n
+0001576729 00000 n
+0003692201 00000 n
0000014570 00000 n
0000014627 00000 n
-0001582373 00000 n
-0003692079 00000 n
+0001582375 00000 n
+0003692122 00000 n
0000014686 00000 n
0000014731 00000 n
-0001582882 00000 n
-0003692000 00000 n
+0001582884 00000 n
+0003692043 00000 n
0000014790 00000 n
0000014835 00000 n
-0001586061 00000 n
-0003691921 00000 n
+0001586063 00000 n
+0003691964 00000 n
0000014889 00000 n
0000014933 00000 n
-0001588348 00000 n
-0003691842 00000 n
+0001588350 00000 n
+0003691885 00000 n
0000014982 00000 n
0000015027 00000 n
-0001640849 00000 n
-0003691710 00000 n
+0001640851 00000 n
+0003691753 00000 n
0000015074 00000 n
0000015120 00000 n
-0001643093 00000 n
-0003691592 00000 n
+0001643095 00000 n
+0003691635 00000 n
0000015169 00000 n
0000015205 00000 n
-0001645579 00000 n
-0003691488 00000 n
+0001645581 00000 n
+0003691531 00000 n
0000015259 00000 n
0000015303 00000 n
-0001645706 00000 n
-0003691409 00000 n
+0001645708 00000 n
+0003691452 00000 n
0000015362 00000 n
0000015419 00000 n
-0001654102 00000 n
-0003691316 00000 n
+0001654104 00000 n
+0003691359 00000 n
0000015478 00000 n
0000015524 00000 n
-0001656375 00000 n
-0003691223 00000 n
+0001656377 00000 n
+0003691266 00000 n
0000015583 00000 n
0000015646 00000 n
-0001656501 00000 n
-0003691130 00000 n
+0001656503 00000 n
+0003691173 00000 n
0000015705 00000 n
0000015757 00000 n
-0001660820 00000 n
-0003691037 00000 n
+0001660822 00000 n
+0003691080 00000 n
0000015816 00000 n
0000015874 00000 n
-0001660947 00000 n
-0003690958 00000 n
+0001660949 00000 n
+0003691001 00000 n
0000015933 00000 n
0000016004 00000 n
-0001663584 00000 n
-0003690826 00000 n
+0001663586 00000 n
+0003690869 00000 n
0000016053 00000 n
0000016120 00000 n
-0001663711 00000 n
-0003690747 00000 n
+0001663713 00000 n
+0003690790 00000 n
0000016174 00000 n
0000016241 00000 n
-0001669791 00000 n
-0003690654 00000 n
+0001669793 00000 n
+0003690697 00000 n
0000016295 00000 n
0000016368 00000 n
-0001672266 00000 n
-0003690575 00000 n
+0001672268 00000 n
+0003690618 00000 n
0000016422 00000 n
0000016475 00000 n
-0001679429 00000 n
-0003690457 00000 n
+0001679431 00000 n
+0003690500 00000 n
0000016524 00000 n
0000016579 00000 n
-0001681774 00000 n
-0003690339 00000 n
+0001681776 00000 n
+0003690382 00000 n
0000016633 00000 n
0000016704 00000 n
-0001681901 00000 n
-0003690260 00000 n
+0001681903 00000 n
+0003690303 00000 n
0000016763 00000 n
0000016838 00000 n
-0001682028 00000 n
-0003690167 00000 n
+0001682030 00000 n
+0003690210 00000 n
0000016897 00000 n
0000016978 00000 n
-0001684311 00000 n
-0003690088 00000 n
+0001684313 00000 n
+0003690131 00000 n
0000017037 00000 n
0000017126 00000 n
-0001684438 00000 n
-0003689956 00000 n
+0001684440 00000 n
+0003689999 00000 n
0000017180 00000 n
0000017239 00000 n
-0001687404 00000 n
-0003689877 00000 n
+0001687406 00000 n
+0003689920 00000 n
0000017298 00000 n
0000017358 00000 n
-0001687531 00000 n
-0003689798 00000 n
+0001687533 00000 n
+0003689841 00000 n
0000017417 00000 n
0000017474 00000 n
-0001692834 00000 n
-0003689719 00000 n
+0001692836 00000 n
+0003689762 00000 n
0000017528 00000 n
0000017601 00000 n
-0001696932 00000 n
-0003689587 00000 n
+0001696934 00000 n
+0003689630 00000 n
0000017648 00000 n
0000017709 00000 n
-0001697059 00000 n
-0003689469 00000 n
+0001697061 00000 n
+0003689512 00000 n
0000017758 00000 n
0000017794 00000 n
-0001699246 00000 n
-0003689404 00000 n
+0001699248 00000 n
+0003689447 00000 n
0000017848 00000 n
0000017890 00000 n
-0001699372 00000 n
-0003689272 00000 n
+0001699374 00000 n
+0003689315 00000 n
0000017939 00000 n
0000017988 00000 n
-0001702286 00000 n
-0003689193 00000 n
+0001702288 00000 n
+0003689236 00000 n
0000018042 00000 n
0000018084 00000 n
-0001762674 00000 n
-0003689114 00000 n
+0001762676 00000 n
+0003689157 00000 n
0000018138 00000 n
0000018180 00000 n
-0001766230 00000 n
-0003688982 00000 n
+0001766232 00000 n
+0003689025 00000 n
0000018229 00000 n
0000018267 00000 n
-0001768586 00000 n
-0003688864 00000 n
+0001768588 00000 n
+0003688907 00000 n
0000018321 00000 n
0000018379 00000 n
-0001794092 00000 n
-0003688799 00000 n
+0001794094 00000 n
+0003688842 00000 n
0000018438 00000 n
0000018490 00000 n
-0001797422 00000 n
-0003688706 00000 n
+0001797424 00000 n
+0003688749 00000 n
0000018544 00000 n
0000018604 00000 n
-0001804571 00000 n
-0003688627 00000 n
+0001804573 00000 n
+0003688670 00000 n
0000018658 00000 n
0000018702 00000 n
-0001804698 00000 n
-0003688548 00000 n
+0001804700 00000 n
+0003688591 00000 n
0000018751 00000 n
0000018796 00000 n
-0001835278 00000 n
-0003688430 00000 n
+0001835280 00000 n
+0003688473 00000 n
0000018844 00000 n
0000018910 00000 n
-0001837696 00000 n
-0003688312 00000 n
+0001837698 00000 n
+0003688355 00000 n
0000018960 00000 n
0000018997 00000 n
-0001840504 00000 n
-0003688247 00000 n
+0001840506 00000 n
+0003688290 00000 n
0000019052 00000 n
0000019095 00000 n
-0001842772 00000 n
-0003688115 00000 n
+0001842774 00000 n
+0003688158 00000 n
0000019145 00000 n
0000019195 00000 n
-0001842899 00000 n
-0003688050 00000 n
+0001842901 00000 n
+0003688093 00000 n
0000019250 00000 n
0000019293 00000 n
-0001847254 00000 n
-0003687932 00000 n
+0001847256 00000 n
+0003687975 00000 n
0000019343 00000 n
0000019382 00000 n
-0001847381 00000 n
-0003687828 00000 n
+0001847383 00000 n
+0003687871 00000 n
0000019437 00000 n
0000019500 00000 n
-0001848880 00000 n
-0003687763 00000 n
+0001848882 00000 n
+0003687806 00000 n
0000019560 00000 n
0000019614 00000 n
-0001928041 00000 n
-0003687642 00000 n
+0001928043 00000 n
+0003687685 00000 n
0000019658 00000 n
0000019704 00000 n
-0001929304 00000 n
-0003687563 00000 n
+0001929306 00000 n
+0003687606 00000 n
0000019753 00000 n
0000019790 00000 n
-0001931696 00000 n
-0003687431 00000 n
+0001931698 00000 n
+0003687474 00000 n
0000019838 00000 n
0000019909 00000 n
-0001934346 00000 n
-0003687313 00000 n
+0001934348 00000 n
+0003687356 00000 n
0000019959 00000 n
0000019996 00000 n
-0001941150 00000 n
-0003687248 00000 n
+0001941152 00000 n
+0003687291 00000 n
0000020051 00000 n
0000020094 00000 n
-0001943811 00000 n
-0003687116 00000 n
+0001943813 00000 n
+0003687159 00000 n
0000020144 00000 n
0000020194 00000 n
-0001946131 00000 n
-0003687012 00000 n
+0001946133 00000 n
+0003687055 00000 n
0000020249 00000 n
0000020292 00000 n
-0001958913 00000 n
-0003686947 00000 n
+0001958915 00000 n
+0003686990 00000 n
0000020352 00000 n
0000020397 00000 n
-0001965356 00000 n
-0003686815 00000 n
+0001965358 00000 n
+0003686858 00000 n
0000020447 00000 n
0000020486 00000 n
-0001965483 00000 n
-0003686736 00000 n
+0001965485 00000 n
+0003686779 00000 n
0000020541 00000 n
0000020589 00000 n
-0001968650 00000 n
-0003686604 00000 n
+0001968652 00000 n
+0003686647 00000 n
0000020644 00000 n
0000020696 00000 n
-0001970922 00000 n
-0003686525 00000 n
+0001970924 00000 n
+0003686568 00000 n
0000020756 00000 n
0000020804 00000 n
-0001977723 00000 n
-0003686446 00000 n
+0001977725 00000 n
+0003686489 00000 n
0000020864 00000 n
0000020910 00000 n
-0001980402 00000 n
-0003686353 00000 n
+0001980404 00000 n
+0003686396 00000 n
0000020965 00000 n
0000021034 00000 n
-0001985336 00000 n
-0003686221 00000 n
+0001985338 00000 n
+0003686264 00000 n
0000021089 00000 n
0000021142 00000 n
-0001988077 00000 n
-0003686142 00000 n
+0001988079 00000 n
+0003686185 00000 n
0000021202 00000 n
0000021274 00000 n
-0001991206 00000 n
-0003686049 00000 n
+0001991208 00000 n
+0003686092 00000 n
0000021334 00000 n
0000021405 00000 n
-0001991524 00000 n
-0003685970 00000 n
+0001991526 00000 n
+0003686013 00000 n
0000021465 00000 n
0000021526 00000 n
-0001995625 00000 n
-0003685891 00000 n
+0001995627 00000 n
+0003685934 00000 n
0000021581 00000 n
0000021626 00000 n
-0001997855 00000 n
-0003685812 00000 n
+0001997857 00000 n
+0003685855 00000 n
0000021676 00000 n
0000021722 00000 n
-0002004306 00000 n
-0003685680 00000 n
+0002004308 00000 n
+0003685723 00000 n
0000021770 00000 n
0000021832 00000 n
-0002004433 00000 n
-0003685562 00000 n
+0002004435 00000 n
+0003685605 00000 n
0000021882 00000 n
0000021919 00000 n
-0002006914 00000 n
-0003685497 00000 n
+0002006916 00000 n
+0003685540 00000 n
0000021974 00000 n
0000022017 00000 n
-0002009055 00000 n
-0003685365 00000 n
+0002009057 00000 n
+0003685408 00000 n
0000022067 00000 n
0000022117 00000 n
-0002009182 00000 n
-0003685286 00000 n
+0002009184 00000 n
+0003685329 00000 n
0000022172 00000 n
0000022215 00000 n
-0002011128 00000 n
-0003685207 00000 n
+0002011130 00000 n
+0003685250 00000 n
0000022270 00000 n
0000022313 00000 n
-0002011255 00000 n
-0003685075 00000 n
+0002011257 00000 n
+0003685118 00000 n
0000022363 00000 n
0000022402 00000 n
-0002012944 00000 n
-0003684996 00000 n
+0002012946 00000 n
+0003685039 00000 n
0000022457 00000 n
0000022524 00000 n
-0002016100 00000 n
-0003684864 00000 n
+0002016102 00000 n
+0003684907 00000 n
0000022579 00000 n
0000022628 00000 n
-0002018064 00000 n
-0003684785 00000 n
+0002018066 00000 n
+0003684828 00000 n
0000022688 00000 n
0000022736 00000 n
-0002024778 00000 n
-0003684692 00000 n
+0002024780 00000 n
+0003684735 00000 n
0000022796 00000 n
0000022842 00000 n
-0002029580 00000 n
-0003684613 00000 n
+0002029582 00000 n
+0003684656 00000 n
0000022902 00000 n
0000022950 00000 n
-0002029707 00000 n
-0003684520 00000 n
+0002029709 00000 n
+0003684563 00000 n
0000023005 00000 n
0000023045 00000 n
-0002034468 00000 n
-0003684441 00000 n
+0002034470 00000 n
+0003684484 00000 n
0000023100 00000 n
0000023145 00000 n
-0002037149 00000 n
-0003684362 00000 n
+0002037151 00000 n
+0003684405 00000 n
0000023195 00000 n
0000023241 00000 n
-0002042650 00000 n
-0003684230 00000 n
+0002042652 00000 n
+0003684273 00000 n
0000023289 00000 n
0000023362 00000 n
-0002042776 00000 n
-0003684151 00000 n
+0002042778 00000 n
+0003684194 00000 n
0000023412 00000 n
0000023449 00000 n
-0002045922 00000 n
-0003684058 00000 n
+0002045924 00000 n
+0003684101 00000 n
0000023499 00000 n
0000023549 00000 n
-0002051442 00000 n
-0003683926 00000 n
+0002051444 00000 n
+0003683969 00000 n
0000023599 00000 n
0000023663 00000 n
-0002051569 00000 n
-0003683808 00000 n
+0002051571 00000 n
+0003683851 00000 n
0000023718 00000 n
0000023760 00000 n
-0002051696 00000 n
-0003683729 00000 n
+0002051698 00000 n
+0003683772 00000 n
0000023820 00000 n
0000023862 00000 n
-0002054195 00000 n
-0003683636 00000 n
+0002054197 00000 n
+0003683679 00000 n
0000023922 00000 n
0000023966 00000 n
-0002056844 00000 n
-0003683557 00000 n
+0002056846 00000 n
+0003683600 00000 n
0000024026 00000 n
0000024073 00000 n
-0002056969 00000 n
-0003683464 00000 n
+0002056971 00000 n
+0003683507 00000 n
0000024128 00000 n
0000024174 00000 n
-0002063677 00000 n
-0003683371 00000 n
+0002063679 00000 n
+0003683414 00000 n
0000024229 00000 n
0000024280 00000 n
-0002063804 00000 n
-0003683278 00000 n
+0002063806 00000 n
+0003683321 00000 n
0000024335 00000 n
0000024409 00000 n
-0002063931 00000 n
-0003683185 00000 n
+0002063933 00000 n
+0003683228 00000 n
0000024464 00000 n
0000024546 00000 n
-0002066357 00000 n
-0003683092 00000 n
+0002066359 00000 n
+0003683135 00000 n
0000024601 00000 n
0000024662 00000 n
-0002066484 00000 n
-0003682999 00000 n
+0002066486 00000 n
+0003683042 00000 n
0000024717 00000 n
0000024802 00000 n
-0002066611 00000 n
-0003682906 00000 n
+0002066613 00000 n
+0003682949 00000 n
0000024857 00000 n
0000024901 00000 n
-0002069307 00000 n
-0003682827 00000 n
+0002069309 00000 n
+0003682870 00000 n
0000024956 00000 n
0000025000 00000 n
-0002071629 00000 n
-0003682748 00000 n
+0002071631 00000 n
+0003682791 00000 n
0000025050 00000 n
0000025093 00000 n
-0002075121 00000 n
-0003682616 00000 n
+0002075123 00000 n
+0003682659 00000 n
0000025141 00000 n
0000025185 00000 n
-0002078409 00000 n
-0003682537 00000 n
+0002078411 00000 n
+0003682580 00000 n
0000025235 00000 n
0000025272 00000 n
-0002080992 00000 n
-0003682458 00000 n
+0002080994 00000 n
+0003682501 00000 n
0000025322 00000 n
0000025365 00000 n
-0002084203 00000 n
-0003682324 00000 n
+0002084205 00000 n
+0003682367 00000 n
0000025413 00000 n
0000025474 00000 n
-0002084330 00000 n
-0003682245 00000 n
+0002084332 00000 n
+0003682288 00000 n
0000025524 00000 n
0000025595 00000 n
-0002200498 00000 n
-0003682152 00000 n
+0002200500 00000 n
+0003682195 00000 n
0000025645 00000 n
0000025696 00000 n
-0002206660 00000 n
-0003682059 00000 n
+0002206662 00000 n
+0003682102 00000 n
0000025746 00000 n
0000025785 00000 n
-0002209765 00000 n
-0003681926 00000 n
+0002209767 00000 n
+0003681969 00000 n
0000025835 00000 n
0000025883 00000 n
-0002209892 00000 n
-0003681847 00000 n
+0002209894 00000 n
+0003681890 00000 n
0000025938 00000 n
0000026011 00000 n
-0002210019 00000 n
-0003681754 00000 n
+0002210021 00000 n
+0003681797 00000 n
0000026066 00000 n
0000026139 00000 n
-0002210146 00000 n
-0003681674 00000 n
+0002210148 00000 n
+0003681717 00000 n
0000026194 00000 n
0000026247 00000 n
-0002213065 00000 n
-0003681536 00000 n
+0002213067 00000 n
+0003681579 00000 n
0000026298 00000 n
0000026364 00000 n
-0002213193 00000 n
-0003681467 00000 n
+0002213195 00000 n
+0003681510 00000 n
0000026420 00000 n
0000026483 00000 n
-0002219796 00000 n
-0003681369 00000 n
+0002219798 00000 n
+0003681412 00000 n
0000026534 00000 n
0000026584 00000 n
-0002477056 00000 n
-0003681271 00000 n
+0002477058 00000 n
+0003681314 00000 n
0000026635 00000 n
0000026686 00000 n
-0002641121 00000 n
-0003681173 00000 n
+0002641123 00000 n
+0003681216 00000 n
0000026737 00000 n
0000026831 00000 n
-0002815802 00000 n
-0003681049 00000 n
+0002815804 00000 n
+0003681092 00000 n
0000026882 00000 n
0000026929 00000 n
-0002818070 00000 n
-0003680965 00000 n
+0002818072 00000 n
+0003681008 00000 n
0000026985 00000 n
0000027029 00000 n
-0002821506 00000 n
-0003680866 00000 n
+0002821508 00000 n
+0003680909 00000 n
0000027085 00000 n
0000027134 00000 n
-0002821634 00000 n
-0003680782 00000 n
+0002821636 00000 n
+0003680825 00000 n
0000027190 00000 n
0000027248 00000 n
-0002838754 00000 n
-0003680644 00000 n
+0002838756 00000 n
+0003680687 00000 n
0000027297 00000 n
0000027346 00000 n
-0002838882 00000 n
-0003680560 00000 n
+0002838884 00000 n
+0003680603 00000 n
0000027397 00000 n
0000027445 00000 n
-0002844508 00000 n
-0003680420 00000 n
+0002844510 00000 n
+0003680463 00000 n
0000027496 00000 n
0000027534 00000 n
-0002846868 00000 n
-0003680351 00000 n
+0002846870 00000 n
+0003680394 00000 n
0000027590 00000 n
0000027634 00000 n
-0002847252 00000 n
-0003680211 00000 n
+0002847254 00000 n
+0003680254 00000 n
0000027685 00000 n
0000027720 00000 n
-0002849690 00000 n
-0003680086 00000 n
+0002849692 00000 n
+0003680129 00000 n
0000027776 00000 n
0000027837 00000 n
-0002853455 00000 n
-0003680017 00000 n
+0002853457 00000 n
+0003680060 00000 n
0000027898 00000 n
0000027936 00000 n
-0002908778 00000 n
-0003679877 00000 n
+0002908780 00000 n
+0003679920 00000 n
0000027992 00000 n
0000028064 00000 n
-0002914843 00000 n
-0003679808 00000 n
+0002914845 00000 n
+0003679851 00000 n
0000028125 00000 n
0000028163 00000 n
-0002914971 00000 n
-0003679668 00000 n
+0002914973 00000 n
+0003679711 00000 n
0000028219 00000 n
0000028295 00000 n
-0002945954 00000 n
-0003679599 00000 n
+0002945956 00000 n
+0003679642 00000 n
0000028356 00000 n
0000028407 00000 n
-0002978573 00000 n
-0003679459 00000 n
+0002978575 00000 n
+0003679502 00000 n
0000028463 00000 n
0000028538 00000 n
-0003001243 00000 n
-0003679390 00000 n
+0003001245 00000 n
+0003679433 00000 n
0000028599 00000 n
0000028639 00000 n
-0003018423 00000 n
-0003679306 00000 n
+0003018425 00000 n
+0003679349 00000 n
0000028695 00000 n
0000028747 00000 n
-0003021066 00000 n
-0003679166 00000 n
+0003021068 00000 n
+0003679209 00000 n
0000028798 00000 n
0000028849 00000 n
-0003021194 00000 n
-0003679097 00000 n
+0003021196 00000 n
+0003679140 00000 n
0000028905 00000 n
0000028949 00000 n
-0003023326 00000 n
-0003679013 00000 n
+0003023328 00000 n
+0003679056 00000 n
0000029000 00000 n
0000029047 00000 n
-0003032748 00000 n
-0003678915 00000 n
+0003032750 00000 n
+0003678958 00000 n
0000029096 00000 n
0000029163 00000 n
-0003072784 00000 n
-0003678817 00000 n
+0003072786 00000 n
+0003678860 00000 n
0000029213 00000 n
0000029242 00000 n
-0003077889 00000 n
-0003678734 00000 n
+0003077891 00000 n
+0003678777 00000 n
0000029293 00000 n
0000029327 00000 n
-0000029715 00000 n
-0000029958 00000 n
+0000029717 00000 n
+0000029960 00000 n
0000029381 00000 n
-0000029831 00000 n
-0000029894 00000 n
-0003658641 00000 n
-0003658494 00000 n
-0003659962 00000 n
-0003662595 00000 n
-0000032370 00000 n
-0000032007 00000 n
-0000030060 00000 n
-0000032123 00000 n
-0003661130 00000 n
-0000032307 00000 n
-0003659816 00000 n
-0003661573 00000 n
-0000034900 00000 n
-0000034594 00000 n
-0000032486 00000 n
-0000034710 00000 n
-0000034836 00000 n
-0000036294 00000 n
-0000036445 00000 n
-0000036599 00000 n
-0000036753 00000 n
-0000036907 00000 n
-0000037060 00000 n
-0000037214 00000 n
-0000037368 00000 n
-0000037517 00000 n
-0000037672 00000 n
-0000037825 00000 n
-0000037979 00000 n
-0000038134 00000 n
-0000038294 00000 n
-0000038459 00000 n
-0000038624 00000 n
-0000038788 00000 n
-0000038948 00000 n
-0000039113 00000 n
-0000039278 00000 n
-0000039443 00000 n
-0000039602 00000 n
-0000039767 00000 n
-0000039932 00000 n
-0000041919 00000 n
-0000040150 00000 n
-0000035950 00000 n
-0000035016 00000 n
-0000040087 00000 n
-0000042071 00000 n
-0000042226 00000 n
-0000042386 00000 n
-0000042541 00000 n
-0000042701 00000 n
-0000042861 00000 n
-0000043016 00000 n
-0000043176 00000 n
-0000043336 00000 n
-0000043496 00000 n
-0000043651 00000 n
-0000043803 00000 n
-0000043958 00000 n
-0000044118 00000 n
-0000044272 00000 n
-0000044432 00000 n
-0000044597 00000 n
-0000044757 00000 n
-0000044912 00000 n
-0000045072 00000 n
-0000045232 00000 n
-0000045392 00000 n
-0000045552 00000 n
-0000045712 00000 n
-0000045872 00000 n
-0000046032 00000 n
-0000046197 00000 n
-0000046357 00000 n
-0000046517 00000 n
-0000046671 00000 n
-0000046824 00000 n
-0000046979 00000 n
-0000047139 00000 n
-0000047294 00000 n
-0000047454 00000 n
-0000047614 00000 n
-0000047769 00000 n
-0000050139 00000 n
-0000047993 00000 n
-0000041449 00000 n
-0000040266 00000 n
-0000047929 00000 n
-0003660984 00000 n
-0000050298 00000 n
-0000050458 00000 n
-0000050622 00000 n
-0000050787 00000 n
-0000050947 00000 n
-0000051107 00000 n
-0000051267 00000 n
-0000051421 00000 n
-0000051574 00000 n
-0000051729 00000 n
-0000051884 00000 n
-0000052044 00000 n
-0000052198 00000 n
-0000052358 00000 n
-0000052522 00000 n
-0000052687 00000 n
-0000052852 00000 n
-0000053017 00000 n
-0000053182 00000 n
-0000053347 00000 n
-0000053512 00000 n
-0000053671 00000 n
-0000053831 00000 n
-0000053986 00000 n
-0000054146 00000 n
-0000054306 00000 n
-0000054466 00000 n
-0000054626 00000 n
-0000054791 00000 n
-0000054956 00000 n
-0000055121 00000 n
-0000055281 00000 n
-0000055441 00000 n
-0000055595 00000 n
-0000057776 00000 n
-0000055813 00000 n
-0000049696 00000 n
-0000048095 00000 n
-0000055750 00000 n
-0000057935 00000 n
-0000058095 00000 n
-0000058255 00000 n
-0000058415 00000 n
-0000058570 00000 n
-0000058729 00000 n
-0000058889 00000 n
-0000059049 00000 n
-0000059209 00000 n
-0000059369 00000 n
-0000059528 00000 n
-0000059683 00000 n
-0000059838 00000 n
-0000059991 00000 n
-0000060146 00000 n
-0000060306 00000 n
-0000060461 00000 n
-0000060621 00000 n
-0000060786 00000 n
-0000060951 00000 n
-0000061116 00000 n
-0000061276 00000 n
-0000061431 00000 n
-0000061590 00000 n
-0000061745 00000 n
-0000061894 00000 n
-0000062049 00000 n
-0000062201 00000 n
-0000062356 00000 n
-0000062516 00000 n
-0000062671 00000 n
-0000065071 00000 n
-0000062895 00000 n
-0000057360 00000 n
-0000055915 00000 n
-0000062831 00000 n
-0003662720 00000 n
-0000065230 00000 n
-0000065385 00000 n
-0000065544 00000 n
-0000065704 00000 n
-0000065864 00000 n
-0000066024 00000 n
-0000066189 00000 n
-0000066354 00000 n
-0000066519 00000 n
-0000066679 00000 n
-0000066844 00000 n
-0000067009 00000 n
-0000067168 00000 n
-0000067323 00000 n
-0000067476 00000 n
-0000067630 00000 n
-0000067790 00000 n
-0000067953 00000 n
-0000068118 00000 n
-0000068283 00000 n
-0000068448 00000 n
-0000068613 00000 n
-0000068777 00000 n
-0000068932 00000 n
-0000069092 00000 n
-0000069252 00000 n
-0000069412 00000 n
-0000069567 00000 n
-0000069727 00000 n
-0000069892 00000 n
-0000071985 00000 n
-0000070120 00000 n
-0000064664 00000 n
-0000063011 00000 n
-0000070057 00000 n
-0000072150 00000 n
-0000072309 00000 n
-0000072474 00000 n
-0000072639 00000 n
-0000072799 00000 n
-0000072952 00000 n
-0000073107 00000 n
-0000073266 00000 n
-0000073421 00000 n
-0000073580 00000 n
-0000073740 00000 n
-0000073895 00000 n
-0000074055 00000 n
-0000074220 00000 n
-0000074378 00000 n
-0000074538 00000 n
-0000074691 00000 n
-0000074845 00000 n
-0000075001 00000 n
-0000075162 00000 n
-0000075318 00000 n
-0000075479 00000 n
-0000075635 00000 n
-0000075796 00000 n
-0000075962 00000 n
-0000076112 00000 n
-0000076267 00000 n
-0000076421 00000 n
-0000076577 00000 n
-0000076737 00000 n
-0000078903 00000 n
-0000076957 00000 n
-0000071578 00000 n
-0000070222 00000 n
-0000076893 00000 n
-0000079063 00000 n
-0000079229 00000 n
-0000079385 00000 n
-0000079546 00000 n
-0000079706 00000 n
-0000079871 00000 n
-0000080037 00000 n
-0000080198 00000 n
-0000080359 00000 n
-0000080524 00000 n
-0000080690 00000 n
-0000080856 00000 n
-0000081017 00000 n
-0000081173 00000 n
-0000081326 00000 n
-0000081482 00000 n
-0000081643 00000 n
-0000081799 00000 n
-0000081960 00000 n
-0000082120 00000 n
-0000082276 00000 n
-0000082437 00000 n
-0000082598 00000 n
-0000082764 00000 n
-0000082929 00000 n
-0000083095 00000 n
-0000083256 00000 n
-0000083417 00000 n
-0000083573 00000 n
-0000083727 00000 n
-0000083883 00000 n
-0000084038 00000 n
-0000084194 00000 n
-0000084355 00000 n
-0000084521 00000 n
-0000086912 00000 n
-0000084750 00000 n
-0000078451 00000 n
-0000077073 00000 n
-0000084687 00000 n
-0000087077 00000 n
-0000087238 00000 n
-0000087398 00000 n
-0000087559 00000 n
-0000087719 00000 n
-0000087880 00000 n
-0000088041 00000 n
-0000088202 00000 n
-0000088362 00000 n
-0000088518 00000 n
-0000088672 00000 n
-0000088828 00000 n
-0000088984 00000 n
-0000089138 00000 n
-0000089293 00000 n
-0000089449 00000 n
-0000089604 00000 n
-0000089760 00000 n
-0000089921 00000 n
-0000090082 00000 n
-0000090243 00000 n
-0000090399 00000 n
-0000090560 00000 n
-0000090716 00000 n
-0000090872 00000 n
-0000091028 00000 n
-0000091184 00000 n
-0000091345 00000 n
-0000091506 00000 n
-0000091667 00000 n
-0000091821 00000 n
-0000091977 00000 n
-0000092133 00000 n
-0000093552 00000 n
-0000092358 00000 n
-0000086478 00000 n
-0000084852 00000 n
-0000092294 00000 n
-0000093707 00000 n
-0000093868 00000 n
-0000094034 00000 n
-0000094194 00000 n
-0000094360 00000 n
-0000094521 00000 n
-0000094687 00000 n
-0000094848 00000 n
-0000095014 00000 n
-0000095175 00000 n
-0000095331 00000 n
-0000095492 00000 n
-0000095646 00000 n
-0000095799 00000 n
-0000095954 00000 n
-0000096173 00000 n
-0000093280 00000 n
-0000092460 00000 n
-0000096110 00000 n
-0000096556 00000 n
-0000096376 00000 n
-0000096275 00000 n
-0000096492 00000 n
-0003662845 00000 n
-0000098204 00000 n
-0000098360 00000 n
-0000098516 00000 n
-0000098672 00000 n
-0000098824 00000 n
-0000098980 00000 n
-0000099135 00000 n
-0000099291 00000 n
-0000099447 00000 n
-0000099602 00000 n
-0000099758 00000 n
-0000099913 00000 n
-0000100069 00000 n
-0000100225 00000 n
-0000100381 00000 n
-0000100537 00000 n
-0000100693 00000 n
-0000100849 00000 n
-0000101005 00000 n
-0000101160 00000 n
-0000101316 00000 n
-0000101473 00000 n
-0000103539 00000 n
-0000101755 00000 n
-0000097878 00000 n
-0000096598 00000 n
-0000101630 00000 n
-0000192798 00000 n
-0000244625 00000 n
-0000250728 00000 n
-0000255978 00000 n
-0000306339 00000 n
-0000371676 00000 n
-0000399619 00000 n
-0000403280 00000 n
-0000407670 00000 n
-0000462882 00000 n
-0000465266 00000 n
-0000545784 00000 n
-0000551234 00000 n
-0000556993 00000 n
-0000561243 00000 n
-0000562266 00000 n
-0000563669 00000 n
-0000564864 00000 n
-0000565924 00000 n
-0000566972 00000 n
-0000568158 00000 n
-0000568284 00000 n
-0000103695 00000 n
-0000103852 00000 n
-0000104008 00000 n
-0000104162 00000 n
-0000104316 00000 n
-0000104472 00000 n
-0000104628 00000 n
-0000104783 00000 n
-0000104939 00000 n
-0000105095 00000 n
-0000105251 00000 n
-0000105408 00000 n
-0000105565 00000 n
-0000105722 00000 n
-0000105879 00000 n
-0000106036 00000 n
-0000106191 00000 n
-0000106344 00000 n
-0000106501 00000 n
-0000106656 00000 n
-0000106812 00000 n
-0000106968 00000 n
-0000107124 00000 n
-0000107280 00000 n
-0000107436 00000 n
-0000107591 00000 n
-0000107747 00000 n
-0000107903 00000 n
-0000109960 00000 n
-0000108123 00000 n
-0000103150 00000 n
-0000101871 00000 n
-0000108059 00000 n
-0000569442 00000 n
-0000570578 00000 n
-0000658622 00000 n
-0000664695 00000 n
-0000670811 00000 n
-0000676119 00000 n
-0000676631 00000 n
-0000677142 00000 n
-0000696054 00000 n
-0000697197 00000 n
-0000698333 00000 n
-0000699521 00000 n
-0000700555 00000 n
-0000701576 00000 n
-0000702714 00000 n
-0000703831 00000 n
-0000705038 00000 n
-0000706070 00000 n
-0000707180 00000 n
-0000845984 00000 n
-0000982403 00000 n
-0000983442 00000 n
-0000984497 00000 n
-0000985549 00000 n
-0000989757 00000 n
-0000994344 00000 n
-0000999663 00000 n
-0001005946 00000 n
-0001010769 00000 n
-0000110115 00000 n
-0000110272 00000 n
-0000110428 00000 n
-0000110584 00000 n
-0000110740 00000 n
-0000110896 00000 n
-0000111051 00000 n
-0000111207 00000 n
-0000111362 00000 n
-0000111518 00000 n
-0000111675 00000 n
-0000111831 00000 n
-0000111987 00000 n
-0000112143 00000 n
-0000112299 00000 n
-0000112454 00000 n
-0000112610 00000 n
-0000112764 00000 n
-0000112921 00000 n
-0000113078 00000 n
-0000113234 00000 n
-0000115213 00000 n
-0000113454 00000 n
-0000109634 00000 n
-0000108225 00000 n
-0000113391 00000 n
-0001015392 00000 n
-0001017307 00000 n
-0001183933 00000 n
-0001185293 00000 n
-0001190738 00000 n
-0001196167 00000 n
-0001200632 00000 n
-0001206936 00000 n
-0001212988 00000 n
-0001602303 00000 n
-0001606306 00000 n
-0001606433 00000 n
-0001607492 00000 n
-0001611770 00000 n
-0001618506 00000 n
-0001625019 00000 n
-0001631336 00000 n
-0001632613 00000 n
-0001636339 00000 n
-0001637362 00000 n
-0001638819 00000 n
-0001638945 00000 n
-0000115368 00000 n
-0000115524 00000 n
-0000115680 00000 n
-0000115836 00000 n
-0000115992 00000 n
-0000116148 00000 n
-0000116304 00000 n
-0000116461 00000 n
-0000116618 00000 n
-0000116775 00000 n
-0000116932 00000 n
-0000117089 00000 n
-0000117246 00000 n
-0000117403 00000 n
-0000117560 00000 n
-0000117716 00000 n
-0000117872 00000 n
-0000118030 00000 n
-0000118188 00000 n
-0000118346 00000 n
-0000118503 00000 n
-0000118661 00000 n
-0000118819 00000 n
-0000118977 00000 n
-0000119135 00000 n
-0000119293 00000 n
-0000119450 00000 n
-0000119607 00000 n
-0000121208 00000 n
-0000119828 00000 n
-0000114824 00000 n
-0000113556 00000 n
-0000119764 00000 n
-0001818879 00000 n
-0001825001 00000 n
-0001828413 00000 n
-0001829715 00000 n
-0001830730 00000 n
-0001831800 00000 n
-0001832879 00000 n
-0001847126 00000 n
-0001881919 00000 n
-0001883303 00000 n
-0001888443 00000 n
-0001894523 00000 n
-0001900453 00000 n
-0001906161 00000 n
-0001910749 00000 n
-0001913698 00000 n
-0001914623 00000 n
-0001916180 00000 n
-0001917488 00000 n
-0001918933 00000 n
-0001920463 00000 n
-0001921707 00000 n
-0001923019 00000 n
-0001924822 00000 n
-0001926242 00000 n
-0001927467 00000 n
-0002017936 00000 n
-0002028172 00000 n
-0002029452 00000 n
-0000121365 00000 n
-0000121521 00000 n
-0000121677 00000 n
-0000121834 00000 n
-0000121991 00000 n
-0000122147 00000 n
-0000122304 00000 n
-0000122461 00000 n
-0000122618 00000 n
-0000122775 00000 n
-0000122932 00000 n
-0000123088 00000 n
-0000123245 00000 n
-0000123465 00000 n
-0000120954 00000 n
-0000119930 00000 n
-0000123402 00000 n
-0002034213 00000 n
-0002034340 00000 n
-0002824356 00000 n
-0002825854 00000 n
-0002827044 00000 n
-0002827172 00000 n
-0002828636 00000 n
-0002830007 00000 n
-0002831372 00000 n
-0002832870 00000 n
-0002834048 00000 n
-0002835166 00000 n
-0002836528 00000 n
-0002836654 00000 n
-0000123848 00000 n
-0000123668 00000 n
-0000123567 00000 n
-0000123784 00000 n
-0003662970 00000 n
-0000125409 00000 n
-0000125553 00000 n
-0000125706 00000 n
-0000125859 00000 n
-0000126003 00000 n
-0000126156 00000 n
-0000126301 00000 n
-0000126454 00000 n
-0000126600 00000 n
-0000126753 00000 n
-0000126899 00000 n
-0000127052 00000 n
-0000127205 00000 n
-0000127358 00000 n
-0000127504 00000 n
-0000127657 00000 n
-0000127810 00000 n
-0000127963 00000 n
-0000128116 00000 n
-0000128269 00000 n
-0000130399 00000 n
-0000128547 00000 n
-0000125101 00000 n
-0000123890 00000 n
-0000128422 00000 n
-0003443931 00000 n
-0000235307 00000 n
-0000298531 00000 n
-0003443897 00000 n
-0000365459 00000 n
-0003443863 00000 n
-0000454099 00000 n
-0003443829 00000 n
-0000627245 00000 n
-0003443795 00000 n
-0000764429 00000 n
-0000836913 00000 n
-0000950689 00000 n
-0003443761 00000 n
-0001073497 00000 n
-0001115197 00000 n
-0001115325 00000 n
-0001161304 00000 n
-0001161432 00000 n
-0001314081 00000 n
-0000130551 00000 n
-0000130697 00000 n
-0000130849 00000 n
-0000131002 00000 n
-0000131155 00000 n
-0000131301 00000 n
-0000131454 00000 n
-0000131606 00000 n
-0000131752 00000 n
-0000131906 00000 n
-0000132059 00000 n
-0000132213 00000 n
-0000132367 00000 n
-0000132521 00000 n
-0000132675 00000 n
-0000132829 00000 n
-0000132983 00000 n
-0000133137 00000 n
-0000133291 00000 n
-0000133445 00000 n
-0000133600 00000 n
-0000133745 00000 n
-0000133899 00000 n
-0000134053 00000 n
-0000134203 00000 n
-0000134357 00000 n
-0000134511 00000 n
-0000134665 00000 n
-0000134883 00000 n
-0000130010 00000 n
-0000128649 00000 n
-0000134819 00000 n
-0001414692 00000 n
-0003443727 00000 n
-0001440528 00000 n
-0001488442 00000 n
-0001540614 00000 n
-0003443693 00000 n
-0001729927 00000 n
-0001762546 00000 n
-0003443659 00000 n
-0002118862 00000 n
-0002151180 00000 n
-0002178338 00000 n
-0002178466 00000 n
-0002200370 00000 n
-0002307379 00000 n
-0002383415 00000 n
-0002476928 00000 n
-0002563536 00000 n
-0002640993 00000 n
-0002721386 00000 n
-0002813835 00000 n
-0003443625 00000 n
-0002882300 00000 n
-0002908650 00000 n
-0002942630 00000 n
-0002962084 00000 n
-0002978445 00000 n
-0003001115 00000 n
-0003018295 00000 n
-0000136397 00000 n
-0000136549 00000 n
-0000136693 00000 n
-0000136845 00000 n
-0000136990 00000 n
-0000137142 00000 n
-0000137294 00000 n
-0000137440 00000 n
-0000137592 00000 n
-0000137738 00000 n
-0000137890 00000 n
-0000138042 00000 n
-0000138194 00000 n
-0000138346 00000 n
-0000138492 00000 n
-0000138644 00000 n
-0000138790 00000 n
-0000138943 00000 n
-0000139089 00000 n
-0000139242 00000 n
-0000139520 00000 n
-0000136089 00000 n
-0000134985 00000 n
-0000139395 00000 n
-0000175068 00000 n
-0000298659 00000 n
-0000418609 00000 n
-0000494419 00000 n
-0000633488 00000 n
-0000767483 00000 n
-0000840343 00000 n
-0000879881 00000 n
-0000950817 00000 n
-0001771017 00000 n
-0003443591 00000 n
-0002048804 00000 n
-0002911653 00000 n
-0002917819 00000 n
-0000139903 00000 n
-0000139723 00000 n
-0000139622 00000 n
-0000139839 00000 n
-0000142269 00000 n
-0000141836 00000 n
-0000139945 00000 n
-0000141952 00000 n
-0000142015 00000 n
-0000142079 00000 n
-0000142205 00000 n
-0000144856 00000 n
-0000144676 00000 n
-0000142371 00000 n
-0000144792 00000 n
-0003663095 00000 n
-0000145731 00000 n
-0000145552 00000 n
-0000144972 00000 n
-0000145668 00000 n
-0000148348 00000 n
-0000148040 00000 n
-0000145833 00000 n
-0000148156 00000 n
-0000148220 00000 n
-0000148284 00000 n
-0000150536 00000 n
-0000151007 00000 n
-0000150399 00000 n
-0000148450 00000 n
-0000150688 00000 n
-0000150751 00000 n
-0000150815 00000 n
-0000150879 00000 n
-0000150943 00000 n
-0000175132 00000 n
-0000153909 00000 n
-0000153473 00000 n
-0000151137 00000 n
-0000153589 00000 n
-0000153653 00000 n
-0000153717 00000 n
-0000153781 00000 n
-0000153845 00000 n
-0003662155 00000 n
-0000156547 00000 n
-0000156240 00000 n
-0000154053 00000 n
-0000156356 00000 n
-0000156419 00000 n
-0000156483 00000 n
-0003661427 00000 n
-0000159061 00000 n
-0000158881 00000 n
-0000156705 00000 n
-0000158997 00000 n
-0003659231 00000 n
-0003663220 00000 n
-0000161951 00000 n
-0000161772 00000 n
-0000159219 00000 n
-0000161888 00000 n
-0000164578 00000 n
-0000164823 00000 n
-0000164441 00000 n
-0000162081 00000 n
-0000164759 00000 n
-0003660252 00000 n
-0003660108 00000 n
-0003659671 00000 n
-0003662302 00000 n
-0000167292 00000 n
-0000167113 00000 n
-0000164995 00000 n
-0000167229 00000 n
-0000169981 00000 n
-0000169801 00000 n
-0000167408 00000 n
-0000169917 00000 n
-0000172453 00000 n
-0000172146 00000 n
-0000170097 00000 n
-0000172262 00000 n
-0000172325 00000 n
-0000172389 00000 n
-0000175196 00000 n
-0000174888 00000 n
-0000172597 00000 n
-0000175004 00000 n
-0003663345 00000 n
-0000175743 00000 n
-0000175565 00000 n
-0000175326 00000 n
-0000176034 00000 n
-0000175918 00000 n
-0000175817 00000 n
-0000177887 00000 n
-0000178388 00000 n
-0000177750 00000 n
-0000176076 00000 n
-0000178071 00000 n
-0000178134 00000 n
-0000178260 00000 n
-0000178324 00000 n
-0000178841 00000 n
-0000178661 00000 n
-0000178560 00000 n
-0000178777 00000 n
-0000181163 00000 n
-0000180732 00000 n
-0000178883 00000 n
-0000180848 00000 n
-0003660837 00000 n
-0000180973 00000 n
-0000181099 00000 n
-0003660397 00000 n
-0000186733 00000 n
-0000183816 00000 n
-0000183385 00000 n
-0000181321 00000 n
-0000183501 00000 n
-0000183627 00000 n
-0000183753 00000 n
-0003663470 00000 n
-0000187091 00000 n
-0000186596 00000 n
-0000183960 00000 n
-0000186902 00000 n
-0000187027 00000 n
-0000189366 00000 n
-0000189210 00000 n
-0000190042 00000 n
-0000189064 00000 n
-0000187291 00000 n
-0000189534 00000 n
-0000189660 00000 n
-0000189724 00000 n
-0000189788 00000 n
-0000189852 00000 n
-0000189915 00000 n
-0000189978 00000 n
-0000192862 00000 n
-0000193946 00000 n
-0000192619 00000 n
-0000190228 00000 n
-0000192735 00000 n
-0000192926 00000 n
-0003662448 00000 n
-0000192990 00000 n
-0000193054 00000 n
-0000193118 00000 n
-0000193182 00000 n
-0000193246 00000 n
-0000193310 00000 n
-0000193374 00000 n
-0000193437 00000 n
-0000193501 00000 n
-0000193564 00000 n
-0000193628 00000 n
-0000193692 00000 n
-0000193756 00000 n
-0000193882 00000 n
-0000196073 00000 n
-0000195701 00000 n
-0000194103 00000 n
-0000195817 00000 n
-0000195881 00000 n
-0000195945 00000 n
-0000196009 00000 n
-0000199240 00000 n
-0000198935 00000 n
-0000196231 00000 n
-0000199051 00000 n
-0000199176 00000 n
-0000202117 00000 n
-0000202269 00000 n
-0000202616 00000 n
-0000201971 00000 n
-0000199384 00000 n
-0000202426 00000 n
-0000202552 00000 n
-0003663595 00000 n
-0002084266 00000 n
-0002641185 00000 n
-0000204995 00000 n
-0000206803 00000 n
-0000205465 00000 n
-0000204858 00000 n
-0000202746 00000 n
-0000205149 00000 n
-0000205274 00000 n
-0000205338 00000 n
-0000205401 00000 n
-0000235371 00000 n
-0000235563 00000 n
-0000206687 00000 n
-0000205595 00000 n
-0000235243 00000 n
-0000235435 00000 n
-0000235499 00000 n
-0000210943 00000 n
-0000211100 00000 n
-0000211148 00000 n
-0000211576 00000 n
-0000211805 00000 n
-0000237972 00000 n
-0000237665 00000 n
-0000235708 00000 n
-0000237781 00000 n
-0000237844 00000 n
-0000237908 00000 n
-0000239943 00000 n
-0000240104 00000 n
-0000240263 00000 n
-0000240927 00000 n
-0000239788 00000 n
-0000238130 00000 n
-0000240417 00000 n
-0000240481 00000 n
-0000240545 00000 n
-0000240609 00000 n
-0000240671 00000 n
-0000240735 00000 n
-0000240799 00000 n
-0000240863 00000 n
-0000244689 00000 n
-0000250792 00000 n
-0000244408 00000 n
-0000246862 00000 n
-0000244271 00000 n
-0000241043 00000 n
-0000244562 00000 n
-0000244753 00000 n
-0000244817 00000 n
-0000244881 00000 n
-0000244945 00000 n
-0000245009 00000 n
-0000245073 00000 n
-0000245137 00000 n
-0000245201 00000 n
-0000245265 00000 n
-0000245329 00000 n
-0000245393 00000 n
-0000245457 00000 n
-0000245520 00000 n
-0000245584 00000 n
-0000245647 00000 n
-0000245711 00000 n
-0000245774 00000 n
-0000245838 00000 n
-0000245902 00000 n
-0000245966 00000 n
-0000246030 00000 n
-0000246094 00000 n
-0000246158 00000 n
-0000246222 00000 n
-0000246286 00000 n
-0000246350 00000 n
-0000246414 00000 n
-0000246478 00000 n
-0000246542 00000 n
-0000246606 00000 n
-0000246670 00000 n
-0000246734 00000 n
-0000246798 00000 n
-0000253219 00000 n
-0000250548 00000 n
-0000247019 00000 n
-0000250664 00000 n
-0000250856 00000 n
-0000250920 00000 n
-0000250984 00000 n
-0000251048 00000 n
-0000251112 00000 n
-0000251176 00000 n
-0000251240 00000 n
-0000251304 00000 n
-0000251367 00000 n
-0000251431 00000 n
-0000251494 00000 n
-0000251558 00000 n
-0000251620 00000 n
-0000251684 00000 n
-0000251748 00000 n
-0000251812 00000 n
-0000251876 00000 n
-0000251940 00000 n
-0000252004 00000 n
-0000252068 00000 n
-0000252132 00000 n
-0000252196 00000 n
-0000252260 00000 n
-0000252324 00000 n
-0000252388 00000 n
-0000252452 00000 n
-0000252516 00000 n
-0000252580 00000 n
-0000252644 00000 n
-0000252708 00000 n
-0000252772 00000 n
-0000252836 00000 n
-0000252900 00000 n
-0000252964 00000 n
-0000253028 00000 n
-0000253092 00000 n
-0000253155 00000 n
-0003663720 00000 n
-0000255575 00000 n
-0000256426 00000 n
-0000255438 00000 n
-0000253376 00000 n
-0000255723 00000 n
-0000255786 00000 n
-0000255850 00000 n
-0000255914 00000 n
-0000256042 00000 n
-0000256106 00000 n
-0000256170 00000 n
-0000256234 00000 n
-0000256298 00000 n
-0000256362 00000 n
-0000262325 00000 n
-0000259955 00000 n
-0000258945 00000 n
-0000256570 00000 n
-0000259061 00000 n
-0000259125 00000 n
-0000259189 00000 n
-0000259253 00000 n
-0000259317 00000 n
-0000259381 00000 n
-0000259445 00000 n
-0000259509 00000 n
-0000259572 00000 n
-0000259636 00000 n
-0000259700 00000 n
-0000259764 00000 n
-0000259828 00000 n
-0000259892 00000 n
-0000262793 00000 n
-0000262188 00000 n
-0000260099 00000 n
-0000262478 00000 n
-0000262603 00000 n
-0000262729 00000 n
-0000265196 00000 n
-0000265348 00000 n
-0000268462 00000 n
-0000266075 00000 n
-0000265050 00000 n
-0000262909 00000 n
-0000265503 00000 n
-0000265629 00000 n
-0000265755 00000 n
-0000265819 00000 n
-0000265883 00000 n
-0000265947 00000 n
-0000266011 00000 n
-0000298723 00000 n
-0000298595 00000 n
-0000298164 00000 n
-0000298315 00000 n
-0000298915 00000 n
-0000268316 00000 n
-0000266205 00000 n
-0000298468 00000 n
-0000298787 00000 n
-0000298851 00000 n
-0000272091 00000 n
-0000272248 00000 n
-0000272296 00000 n
-0000272756 00000 n
-0000272985 00000 n
-0000273351 00000 n
-0000273447 00000 n
-0000306403 00000 n
-0000300511 00000 n
-0000300139 00000 n
-0000299130 00000 n
-0000300255 00000 n
-0000300319 00000 n
-0000300383 00000 n
-0000300447 00000 n
-0003663845 00000 n
-0000303079 00000 n
-0000302388 00000 n
-0000300627 00000 n
-0000302504 00000 n
-0000302567 00000 n
-0000302631 00000 n
-0000302695 00000 n
-0000302759 00000 n
-0000302823 00000 n
-0000302887 00000 n
-0000302951 00000 n
-0000303015 00000 n
-0000308001 00000 n
-0000306096 00000 n
-0000303209 00000 n
-0000306212 00000 n
-0000306276 00000 n
-0000306467 00000 n
-0000306531 00000 n
-0000306595 00000 n
-0000306659 00000 n
-0000306723 00000 n
-0000306787 00000 n
-0000306851 00000 n
-0000306915 00000 n
-0000306979 00000 n
-0000307043 00000 n
-0000307107 00000 n
-0000307171 00000 n
-0000307235 00000 n
-0000307299 00000 n
-0000307363 00000 n
-0000307427 00000 n
-0000307491 00000 n
-0000307555 00000 n
-0000307619 00000 n
-0000307683 00000 n
-0000307747 00000 n
-0000307811 00000 n
-0000307874 00000 n
-0000307938 00000 n
-0000310408 00000 n
-0000310038 00000 n
-0000308144 00000 n
-0000310154 00000 n
-0000310280 00000 n
-0000310344 00000 n
-0000313100 00000 n
-0000312920 00000 n
-0000310566 00000 n
-0000313036 00000 n
-0000315902 00000 n
-0000315723 00000 n
-0000313216 00000 n
-0000315839 00000 n
-0000317621 00000 n
-0000317441 00000 n
-0000316046 00000 n
-0000317557 00000 n
-0003663970 00000 n
-0000319764 00000 n
-0000320103 00000 n
-0000319627 00000 n
-0000317737 00000 n
-0000319913 00000 n
-0000320039 00000 n
-0000322976 00000 n
-0000322542 00000 n
-0000320219 00000 n
-0000322658 00000 n
-0000322785 00000 n
-0000322912 00000 n
-0000325162 00000 n
-0000329269 00000 n
-0000325637 00000 n
-0000325025 00000 n
-0000323092 00000 n
-0000325321 00000 n
-0000325447 00000 n
-0000325574 00000 n
-0000328074 00000 n
-0000329483 00000 n
-0000327937 00000 n
-0000325781 00000 n
-0000329419 00000 n
-0003659083 00000 n
-0003660690 00000 n
-0000328451 00000 n
-0000328713 00000 n
-0000328761 00000 n
-0000399683 00000 n
-0000332092 00000 n
-0000332244 00000 n
-0000332865 00000 n
-0000331937 00000 n
-0000329656 00000 n
-0000332549 00000 n
-0000332675 00000 n
-0000332802 00000 n
-0000332396 00000 n
-0001696995 00000 n
-0000334516 00000 n
-0000365777 00000 n
-0000334400 00000 n
-0000333009 00000 n
-0000365395 00000 n
-0000365522 00000 n
-0000365585 00000 n
-0000365649 00000 n
-0000365713 00000 n
-0003664095 00000 n
-0000340767 00000 n
-0000340924 00000 n
-0000340972 00000 n
-0000341410 00000 n
-0000341639 00000 n
-0000367740 00000 n
-0000367891 00000 n
-0000368427 00000 n
-0000367594 00000 n
-0000365922 00000 n
-0000368044 00000 n
-0000368107 00000 n
-0000368171 00000 n
-0000368235 00000 n
-0000368299 00000 n
-0000368363 00000 n
-0000403344 00000 n
-0000407734 00000 n
-0000369856 00000 n
-0000370136 00000 n
-0000369719 00000 n
-0000368543 00000 n
-0000370008 00000 n
-0000370072 00000 n
-0000371740 00000 n
-0000371868 00000 n
-0000371497 00000 n
-0000370252 00000 n
-0000371613 00000 n
-0000371804 00000 n
-0000374027 00000 n
-0000374627 00000 n
-0000373890 00000 n
-0000371984 00000 n
-0000374179 00000 n
-0000374243 00000 n
-0000374307 00000 n
-0000374371 00000 n
-0000374435 00000 n
-0000374499 00000 n
-0000374563 00000 n
-0000376328 00000 n
-0000376988 00000 n
-0000376191 00000 n
-0000374743 00000 n
-0000376478 00000 n
-0000376541 00000 n
-0000376605 00000 n
-0000376669 00000 n
-0000376733 00000 n
-0000376860 00000 n
-0000376924 00000 n
-0000378368 00000 n
-0000378188 00000 n
-0000377118 00000 n
-0000378304 00000 n
-0003664220 00000 n
-0000380058 00000 n
-0000379753 00000 n
-0000378484 00000 n
-0000379869 00000 n
-0000379932 00000 n
-0000379995 00000 n
-0000382218 00000 n
-0000381910 00000 n
-0000380188 00000 n
-0000382026 00000 n
-0000382090 00000 n
-0000382154 00000 n
-0000384737 00000 n
-0000384888 00000 n
-0000385191 00000 n
-0000385916 00000 n
-0000384573 00000 n
-0000382334 00000 n
-0000385342 00000 n
-0000385405 00000 n
-0000385469 00000 n
-0000385039 00000 n
-0000385533 00000 n
-0000385597 00000 n
-0000385661 00000 n
-0000385725 00000 n
-0000385789 00000 n
-0000385853 00000 n
-0002084393 00000 n
-0000388873 00000 n
-0000388248 00000 n
-0000386060 00000 n
-0000388364 00000 n
-0000388428 00000 n
-0000388492 00000 n
-0000388556 00000 n
-0000388682 00000 n
-0000388809 00000 n
-0000391379 00000 n
-0000391009 00000 n
-0000389017 00000 n
-0000391125 00000 n
-0000391251 00000 n
-0000391315 00000 n
-0000393997 00000 n
-0000393817 00000 n
-0000391537 00000 n
-0000393933 00000 n
-0003664345 00000 n
-0000396902 00000 n
-0000396467 00000 n
-0000394155 00000 n
-0000396583 00000 n
-0000396646 00000 n
-0000396710 00000 n
-0000396774 00000 n
-0000396838 00000 n
-0003658934 00000 n
-0000398314 00000 n
-0000398134 00000 n
-0000397074 00000 n
-0000398250 00000 n
-0000399747 00000 n
-0000399440 00000 n
-0000398458 00000 n
-0000399556 00000 n
-0000404879 00000 n
-0000403100 00000 n
-0000399863 00000 n
-0000403216 00000 n
-0000403408 00000 n
-0000403472 00000 n
-0000403536 00000 n
-0000403600 00000 n
-0000403664 00000 n
-0003659379 00000 n
-0000403728 00000 n
-0000403792 00000 n
-0000403856 00000 n
-0000403920 00000 n
-0000403984 00000 n
-0000404048 00000 n
-0000404112 00000 n
-0000404176 00000 n
-0000404240 00000 n
-0000404304 00000 n
-0000404368 00000 n
-0000404432 00000 n
-0000404496 00000 n
-0000404559 00000 n
-0000404623 00000 n
-0000404687 00000 n
-0000404751 00000 n
-0000404815 00000 n
-0000409586 00000 n
-0000407491 00000 n
-0000405036 00000 n
-0000407607 00000 n
-0000407798 00000 n
-0000407862 00000 n
-0000407926 00000 n
-0000407990 00000 n
-0000408054 00000 n
-0000408118 00000 n
-0000408182 00000 n
-0000408246 00000 n
-0000408310 00000 n
-0000408374 00000 n
-0000408438 00000 n
-0000408502 00000 n
-0000408566 00000 n
-0000408630 00000 n
-0000408694 00000 n
-0000408758 00000 n
-0000408822 00000 n
-0000408886 00000 n
-0000408950 00000 n
-0000409014 00000 n
-0000409078 00000 n
-0000409142 00000 n
-0000409205 00000 n
-0000409269 00000 n
-0000409332 00000 n
-0000409396 00000 n
-0000409458 00000 n
-0000409522 00000 n
-0000409982 00000 n
-0000409802 00000 n
-0000409701 00000 n
-0000409918 00000 n
-0003664470 00000 n
-0000411946 00000 n
-0000412244 00000 n
-0000412710 00000 n
-0000411791 00000 n
-0000410024 00000 n
-0000412393 00000 n
-0000412519 00000 n
-0000412095 00000 n
-0000412646 00000 n
-0000415605 00000 n
-0000415298 00000 n
-0000412826 00000 n
-0000415414 00000 n
-0000415541 00000 n
-0000418392 00000 n
-0000420312 00000 n
-0000418735 00000 n
-0000418255 00000 n
-0000415721 00000 n
-0000418546 00000 n
-0000418673 00000 n
-0000454481 00000 n
-0000420196 00000 n
-0000418851 00000 n
-0000454035 00000 n
-0000454163 00000 n
-0000454290 00000 n
-0000454417 00000 n
-0000428545 00000 n
-0000428702 00000 n
-0000428750 00000 n
-0000429190 00000 n
-0000429419 00000 n
-0000457479 00000 n
-0000457300 00000 n
-0000454626 00000 n
-0000457416 00000 n
-0000459887 00000 n
-0000460185 00000 n
-0000462539 00000 n
-0000460399 00000 n
-0000459732 00000 n
-0000457595 00000 n
-0000460335 00000 n
-0000460036 00000 n
-0003664595 00000 n
-0000463010 00000 n
-0000462402 00000 n
-0000460515 00000 n
-0000462692 00000 n
-0000462818 00000 n
-0000462946 00000 n
-0000465048 00000 n
-0000465394 00000 n
-0000464911 00000 n
-0000463140 00000 n
-0000465202 00000 n
-0000465330 00000 n
-0000467790 00000 n
-0000468257 00000 n
-0000467653 00000 n
-0000465510 00000 n
-0000467940 00000 n
-0000468066 00000 n
-0000468193 00000 n
-0000471193 00000 n
-0000471457 00000 n
-0000471056 00000 n
-0000468415 00000 n
-0000471393 00000 n
-0003662010 00000 n
-0000473389 00000 n
-0000474305 00000 n
-0000473252 00000 n
-0000471699 00000 n
-0000473540 00000 n
-0000473603 00000 n
-0000473667 00000 n
-0000473730 00000 n
-0000473794 00000 n
-0000473858 00000 n
-0000473922 00000 n
-0000473986 00000 n
-0000474050 00000 n
-0000474177 00000 n
-0000474241 00000 n
-0000476249 00000 n
-0000475941 00000 n
-0000474449 00000 n
-0000476057 00000 n
-0000476121 00000 n
-0000476185 00000 n
-0003664720 00000 n
-0000478224 00000 n
-0000478567 00000 n
-0000478087 00000 n
-0000476365 00000 n
-0000478376 00000 n
-0000478439 00000 n
-0000478503 00000 n
-0000545848 00000 n
-0000480698 00000 n
-0000480851 00000 n
-0000481008 00000 n
-0000481548 00000 n
-0000480543 00000 n
-0000478725 00000 n
-0000481165 00000 n
-0000481292 00000 n
-0000481356 00000 n
-0000481420 00000 n
-0000481484 00000 n
-0000551298 00000 n
-0000557057 00000 n
-0000561307 00000 n
-0000483181 00000 n
-0000483330 00000 n
-0000483824 00000 n
-0000483026 00000 n
-0000481678 00000 n
-0000483634 00000 n
-0000483697 00000 n
-0000483761 00000 n
-0000483482 00000 n
-0000485711 00000 n
-0000485467 00000 n
-0000483940 00000 n
-0000485583 00000 n
-0000485647 00000 n
-0000488151 00000 n
-0000487716 00000 n
-0000485827 00000 n
-0000487832 00000 n
-0000487895 00000 n
-0000487959 00000 n
-0000488023 00000 n
-0000488087 00000 n
-0000489684 00000 n
-0000489440 00000 n
-0000488281 00000 n
-0000489556 00000 n
-0000489620 00000 n
-0003664845 00000 n
-0000492041 00000 n
-0000492193 00000 n
-0000492348 00000 n
-0000492506 00000 n
-0000492664 00000 n
-0000492977 00000 n
-0000493128 00000 n
-0000493279 00000 n
-0000493431 00000 n
-0000493583 00000 n
-0000493734 00000 n
-0000493885 00000 n
-0000494610 00000 n
-0000491796 00000 n
-0000489800 00000 n
-0000494037 00000 n
-0000494163 00000 n
-0000494227 00000 n
-0000494291 00000 n
-0000494355 00000 n
-0000492820 00000 n
-0000494483 00000 n
-0000494546 00000 n
-0000563733 00000 n
-0000564928 00000 n
-0000565988 00000 n
-0000567036 00000 n
-0002827108 00000 n
-0002827236 00000 n
-0002828700 00000 n
-0000569506 00000 n
-0000570642 00000 n
-0000568221 00000 n
-0000568348 00000 n
-0000497366 00000 n
-0000496803 00000 n
-0000494740 00000 n
-0000496919 00000 n
-0000496983 00000 n
-0000497110 00000 n
-0000497174 00000 n
-0000497238 00000 n
-0000497302 00000 n
-0000499208 00000 n
-0000498711 00000 n
-0000497496 00000 n
-0000498827 00000 n
-0000498890 00000 n
-0000498954 00000 n
-0000499017 00000 n
-0000499080 00000 n
-0000499144 00000 n
-0000501561 00000 n
-0000501129 00000 n
-0000499324 00000 n
-0000501245 00000 n
-0000501371 00000 n
-0000501435 00000 n
-0000501499 00000 n
-0000503986 00000 n
-0000503616 00000 n
-0000501705 00000 n
-0000503732 00000 n
-0000503858 00000 n
-0000503922 00000 n
-0000505726 00000 n
-0000505418 00000 n
-0000504116 00000 n
-0000505534 00000 n
-0000505598 00000 n
-0000505662 00000 n
-0003664970 00000 n
-0000507779 00000 n
-0000508120 00000 n
-0000507642 00000 n
-0000505842 00000 n
-0000507930 00000 n
-0000507993 00000 n
-0000508057 00000 n
-0000509843 00000 n
-0000509599 00000 n
-0000508264 00000 n
-0000509715 00000 n
-0000509779 00000 n
-0000511072 00000 n
-0000510893 00000 n
-0000509959 00000 n
-0000511009 00000 n
-0000512855 00000 n
-0000512547 00000 n
-0000511174 00000 n
-0000512663 00000 n
-0000512727 00000 n
-0000512791 00000 n
-0003658788 00000 n
-0000515075 00000 n
-0000514768 00000 n
-0000513041 00000 n
-0000514884 00000 n
-0000514947 00000 n
-0000515011 00000 n
-0000516765 00000 n
-0000517071 00000 n
-0000516628 00000 n
-0000515191 00000 n
-0000516943 00000 n
-0000517007 00000 n
-0003665095 00000 n
-0000518524 00000 n
-0000518345 00000 n
-0000517243 00000 n
-0000518461 00000 n
-0000520699 00000 n
-0000520392 00000 n
-0000518640 00000 n
-0000520508 00000 n
-0000520635 00000 n
-0000523373 00000 n
-0000523068 00000 n
-0000520843 00000 n
-0000523184 00000 n
-0000523309 00000 n
-0000528953 00000 n
-0000529257 00000 n
-0000526272 00000 n
-0000525838 00000 n
-0000523489 00000 n
-0000525954 00000 n
-0000526081 00000 n
-0000526144 00000 n
-0000526208 00000 n
-0000532677 00000 n
-0000532829 00000 n
-0000529982 00000 n
-0000528798 00000 n
-0000526402 00000 n
-0000529408 00000 n
-0000529105 00000 n
-0000529471 00000 n
-0000529534 00000 n
-0000529598 00000 n
-0000529662 00000 n
-0000529726 00000 n
-0000529790 00000 n
-0000529854 00000 n
-0000529918 00000 n
-0000533683 00000 n
-0000532531 00000 n
-0000530112 00000 n
-0000532980 00000 n
-0000533044 00000 n
-0000533108 00000 n
-0000533172 00000 n
-0000533236 00000 n
-0000533300 00000 n
-0000533364 00000 n
-0000533428 00000 n
-0000533492 00000 n
-0000533619 00000 n
-0003665220 00000 n
-0000536444 00000 n
-0000536074 00000 n
-0000533827 00000 n
-0000536190 00000 n
-0000536316 00000 n
-0000536380 00000 n
-0000539156 00000 n
-0000538976 00000 n
-0000536616 00000 n
-0000539092 00000 n
-0003660542 00000 n
-0000541648 00000 n
-0000541469 00000 n
-0000539342 00000 n
-0000541585 00000 n
-0000544326 00000 n
-0000544146 00000 n
-0000541764 00000 n
-0000544262 00000 n
-0000545912 00000 n
-0000545605 00000 n
-0000544526 00000 n
-0000545721 00000 n
-0000554112 00000 n
-0000551054 00000 n
-0000546028 00000 n
-0000551170 00000 n
-0000551362 00000 n
-0000551426 00000 n
-0000551490 00000 n
-0000551554 00000 n
-0000551618 00000 n
-0000551682 00000 n
-0000551746 00000 n
-0000551810 00000 n
-0000551874 00000 n
-0000551938 00000 n
-0000552002 00000 n
-0000552066 00000 n
-0000552130 00000 n
-0000552194 00000 n
-0000552258 00000 n
-0000552322 00000 n
-0000552386 00000 n
-0000552450 00000 n
-0000552514 00000 n
-0000552578 00000 n
-0000552642 00000 n
-0000552706 00000 n
-0000552770 00000 n
-0000552834 00000 n
-0000552897 00000 n
-0000552961 00000 n
-0000553024 00000 n
-0000553088 00000 n
-0000553152 00000 n
-0000553216 00000 n
-0000553280 00000 n
-0000553344 00000 n
-0000553408 00000 n
-0000553472 00000 n
-0000553536 00000 n
-0000553600 00000 n
-0000553664 00000 n
-0000553728 00000 n
-0000553792 00000 n
-0000553856 00000 n
-0000553920 00000 n
-0000553984 00000 n
-0000554048 00000 n
-0003665345 00000 n
-0000558909 00000 n
-0000556814 00000 n
-0000554269 00000 n
-0000556930 00000 n
-0000557121 00000 n
-0000557185 00000 n
-0000557249 00000 n
-0000557313 00000 n
-0000557377 00000 n
-0000557441 00000 n
-0000557505 00000 n
-0000557569 00000 n
-0000557633 00000 n
-0000557697 00000 n
-0000557761 00000 n
-0000557825 00000 n
-0000557889 00000 n
-0000557953 00000 n
-0000558017 00000 n
-0000558080 00000 n
-0000558144 00000 n
-0000558207 00000 n
-0000558271 00000 n
-0000558333 00000 n
-0000558397 00000 n
-0000558461 00000 n
-0000558525 00000 n
-0000558589 00000 n
-0000558653 00000 n
-0000558717 00000 n
-0000558781 00000 n
-0000558845 00000 n
-0000562394 00000 n
-0000561063 00000 n
-0000559038 00000 n
-0000561179 00000 n
-0000561371 00000 n
-0000561435 00000 n
-0000561499 00000 n
-0000561563 00000 n
-0000561627 00000 n
-0000561691 00000 n
-0000561755 00000 n
-0000561819 00000 n
-0000561883 00000 n
-0000561947 00000 n
-0000562011 00000 n
-0000562075 00000 n
-0000562139 00000 n
-0000562202 00000 n
-0000562330 00000 n
-0000563797 00000 n
-0000563490 00000 n
-0000562537 00000 n
-0000563606 00000 n
-0000564992 00000 n
-0000564684 00000 n
-0000563913 00000 n
-0000564800 00000 n
-0000566052 00000 n
-0000565745 00000 n
-0000565108 00000 n
-0000565861 00000 n
-0000567100 00000 n
-0000566792 00000 n
-0000566168 00000 n
-0000566908 00000 n
-0003665470 00000 n
-0000568412 00000 n
-0000567979 00000 n
-0000567216 00000 n
-0000568095 00000 n
-0000569570 00000 n
-0000569262 00000 n
-0000568528 00000 n
-0000569378 00000 n
-0000570706 00000 n
-0000570399 00000 n
-0000569686 00000 n
-0000570515 00000 n
-0000571103 00000 n
-0000570923 00000 n
-0000570822 00000 n
-0000571039 00000 n
-0000572985 00000 n
-0000573284 00000 n
-0000573581 00000 n
-0000573917 00000 n
-0000572812 00000 n
-0000571145 00000 n
-0000573728 00000 n
-0000573854 00000 n
-0000573135 00000 n
-0000573433 00000 n
-0000708926 00000 n
-0000576707 00000 n
-0000576400 00000 n
-0000574061 00000 n
-0000576516 00000 n
-0000576643 00000 n
-0003665595 00000 n
-0000579450 00000 n
-0000579144 00000 n
-0000576823 00000 n
-0000579260 00000 n
-0000579386 00000 n
-0000581898 00000 n
-0000582512 00000 n
-0000581752 00000 n
-0000579566 00000 n
-0000582194 00000 n
-0000582321 00000 n
-0000582047 00000 n
-0000582448 00000 n
-0000585240 00000 n
-0000585061 00000 n
-0000582656 00000 n
-0000585177 00000 n
-0000587483 00000 n
-0000587781 00000 n
-0000590197 00000 n
-0000587934 00000 n
-0000630473 00000 n
-0000630631 00000 n
-0000630788 00000 n
-0000630945 00000 n
-0000631102 00000 n
-0000631259 00000 n
-0000631416 00000 n
-0000631572 00000 n
-0000631725 00000 n
-0000631878 00000 n
-0000632035 00000 n
-0000632192 00000 n
-0000632350 00000 n
-0000632505 00000 n
-0000632659 00000 n
-0000632814 00000 n
-0000632970 00000 n
-0000633122 00000 n
-0000633274 00000 n
-0000588095 00000 n
-0000588881 00000 n
-0000587310 00000 n
-0000585370 00000 n
-0000588248 00000 n
-0000588375 00000 n
-0000587632 00000 n
-0000588500 00000 n
-0000588627 00000 n
-0000588754 00000 n
-0000588818 00000 n
-0000627309 00000 n
-0000633552 00000 n
-0000627501 00000 n
-0000590081 00000 n
-0000589025 00000 n
-0000627182 00000 n
-0000627373 00000 n
-0000627437 00000 n
-0000600705 00000 n
-0000600862 00000 n
-0000600910 00000 n
-0000601364 00000 n
-0000601591 00000 n
-0000633680 00000 n
-0000630174 00000 n
-0000627646 00000 n
-0000633424 00000 n
-0000633616 00000 n
-0003665720 00000 n
-0000658686 00000 n
-0000664759 00000 n
-0000670875 00000 n
-0000676183 00000 n
-0000676695 00000 n
-0000677206 00000 n
-0000696118 00000 n
-0000697261 00000 n
-0000698396 00000 n
-0000699585 00000 n
-0000700619 00000 n
-0000701640 00000 n
-0000702778 00000 n
-0000703895 00000 n
-0000705102 00000 n
-0000706134 00000 n
-0000637738 00000 n
-0000637888 00000 n
-0000638040 00000 n
-0000635574 00000 n
-0000635203 00000 n
-0000633796 00000 n
-0000635319 00000 n
-0000635382 00000 n
-0000635446 00000 n
-0000635510 00000 n
-0000638576 00000 n
-0000637583 00000 n
-0000635690 00000 n
-0000638192 00000 n
-0000638256 00000 n
-0000638320 00000 n
-0000638384 00000 n
-0000638448 00000 n
-0000638512 00000 n
-0000640655 00000 n
-0000641190 00000 n
-0000640518 00000 n
-0000638720 00000 n
-0000640809 00000 n
-0000640872 00000 n
-0000640936 00000 n
-0000641000 00000 n
-0000641126 00000 n
-0000643787 00000 n
-0000643352 00000 n
-0000641377 00000 n
-0000643468 00000 n
-0000643595 00000 n
-0000643659 00000 n
-0000643723 00000 n
-0000646273 00000 n
-0000646875 00000 n
-0000646136 00000 n
-0000643917 00000 n
-0000646428 00000 n
-0000646491 00000 n
-0000646555 00000 n
-0000646619 00000 n
-0000646683 00000 n
-0000646747 00000 n
-0000646811 00000 n
-0000707244 00000 n
-0000648657 00000 n
-0000648413 00000 n
-0000646991 00000 n
-0000648529 00000 n
-0000648593 00000 n
-0003665845 00000 n
-0000650384 00000 n
-0000650540 00000 n
-0000652966 00000 n
-0000653265 00000 n
-0000651016 00000 n
-0000650238 00000 n
-0000648773 00000 n
-0000650698 00000 n
-0000650761 00000 n
-0000650825 00000 n
-0000650888 00000 n
-0000650952 00000 n
-0000660730 00000 n
-0000654010 00000 n
-0000653417 00000 n
-0000653573 00000 n
-0000653731 00000 n
-0000654394 00000 n
-0000652784 00000 n
-0000651146 00000 n
-0000653883 00000 n
-0000653116 00000 n
-0000654074 00000 n
-0000654138 00000 n
-0000654202 00000 n
-0000654266 00000 n
-0000654330 00000 n
-0000660794 00000 n
-0000658443 00000 n
-0000654524 00000 n
-0000658559 00000 n
-0000658750 00000 n
-0000658814 00000 n
-0000658878 00000 n
-0000658942 00000 n
-0000659006 00000 n
-0000659070 00000 n
-0000659134 00000 n
-0000659198 00000 n
-0000659262 00000 n
-0000659326 00000 n
-0000659390 00000 n
-0000659454 00000 n
-0000659518 00000 n
-0000659582 00000 n
-0000659646 00000 n
-0000659710 00000 n
-0000659774 00000 n
-0000659838 00000 n
-0000659902 00000 n
-0000659966 00000 n
-0000660030 00000 n
-0000660094 00000 n
-0000660158 00000 n
-0000660221 00000 n
-0000660285 00000 n
-0000660348 00000 n
-0000660412 00000 n
-0000660475 00000 n
-0000660539 00000 n
-0000660603 00000 n
-0000666547 00000 n
-0000664515 00000 n
-0000660979 00000 n
-0000664631 00000 n
-0000664823 00000 n
-0000664887 00000 n
-0000664951 00000 n
-0000665015 00000 n
-0000665079 00000 n
-0000665143 00000 n
-0000665207 00000 n
-0000665271 00000 n
-0000665335 00000 n
-0000665399 00000 n
-0000665463 00000 n
-0000665527 00000 n
-0000665591 00000 n
-0000665655 00000 n
-0000665717 00000 n
-0000665781 00000 n
-0000665844 00000 n
-0000665908 00000 n
-0000665971 00000 n
-0000666035 00000 n
-0000666099 00000 n
-0000666163 00000 n
-0000666227 00000 n
-0000666291 00000 n
-0000666355 00000 n
-0000666419 00000 n
-0000666483 00000 n
-0000673175 00000 n
-0000670632 00000 n
-0000666718 00000 n
-0000670748 00000 n
-0000670939 00000 n
-0000671003 00000 n
-0000671067 00000 n
-0000671131 00000 n
-0000671195 00000 n
-0000671259 00000 n
-0000671323 00000 n
-0000671387 00000 n
-0000671451 00000 n
-0000671515 00000 n
-0000671579 00000 n
-0000671643 00000 n
-0000671707 00000 n
-0000671771 00000 n
-0000671833 00000 n
-0000671897 00000 n
-0000671960 00000 n
-0000672024 00000 n
-0000672087 00000 n
-0000672151 00000 n
-0000672215 00000 n
-0000672279 00000 n
-0000672343 00000 n
-0000672407 00000 n
-0000672471 00000 n
-0000672535 00000 n
-0000672599 00000 n
-0000672663 00000 n
-0000672727 00000 n
-0000672791 00000 n
-0000672855 00000 n
-0000672919 00000 n
-0000672983 00000 n
-0000673047 00000 n
-0000673111 00000 n
-0000677971 00000 n
-0000675939 00000 n
-0000673332 00000 n
-0000676055 00000 n
-0000676247 00000 n
-0000676311 00000 n
-0000676375 00000 n
-0000676439 00000 n
-0000676503 00000 n
-0000676567 00000 n
-0000676758 00000 n
-0000676822 00000 n
-0000676886 00000 n
-0000676950 00000 n
-0000677014 00000 n
-0000677078 00000 n
-0000677270 00000 n
-0000677334 00000 n
-0000677398 00000 n
-0000677462 00000 n
-0000677526 00000 n
-0000677590 00000 n
-0000677654 00000 n
-0000677716 00000 n
-0000677780 00000 n
-0000677843 00000 n
-0000677907 00000 n
-0003665970 00000 n
-0000680358 00000 n
-0000680662 00000 n
-0000681323 00000 n
-0000680203 00000 n
-0000678142 00000 n
-0000680813 00000 n
-0000680939 00000 n
-0000681003 00000 n
-0000681067 00000 n
-0000680510 00000 n
-0000681131 00000 n
-0000681195 00000 n
-0000681259 00000 n
-0000684879 00000 n
-0000684124 00000 n
-0000681453 00000 n
-0000684240 00000 n
-0000684304 00000 n
-0000684368 00000 n
-0000684432 00000 n
-0000684496 00000 n
-0000684560 00000 n
-0000684623 00000 n
-0000684687 00000 n
-0000684751 00000 n
-0000684815 00000 n
-0000687203 00000 n
-0000687355 00000 n
-0000687506 00000 n
-0000688101 00000 n
-0000687048 00000 n
-0000685023 00000 n
-0000687655 00000 n
-0000687718 00000 n
-0000687782 00000 n
-0000687846 00000 n
-0000687910 00000 n
-0000688037 00000 n
-0000690583 00000 n
-0000690212 00000 n
-0000688245 00000 n
-0000690328 00000 n
-0000690455 00000 n
-0000690519 00000 n
-0000693190 00000 n
-0000693011 00000 n
-0000690755 00000 n
-0000693127 00000 n
-0000694957 00000 n
-0000694777 00000 n
-0000693334 00000 n
-0000694893 00000 n
-0003666095 00000 n
-0000696182 00000 n
-0000695875 00000 n
-0000695101 00000 n
-0000695991 00000 n
-0000697325 00000 n
-0000697017 00000 n
-0000696298 00000 n
-0000697133 00000 n
-0000698459 00000 n
-0000698154 00000 n
-0000697441 00000 n
-0000698270 00000 n
-0000699649 00000 n
-0000699341 00000 n
-0000698575 00000 n
-0000699457 00000 n
-0000700683 00000 n
-0000700376 00000 n
-0000699765 00000 n
-0000700492 00000 n
-0000701704 00000 n
-0000701396 00000 n
-0000700799 00000 n
-0000701512 00000 n
-0003666220 00000 n
-0000702842 00000 n
-0000702535 00000 n
-0000701820 00000 n
-0000702651 00000 n
-0000703959 00000 n
-0000703651 00000 n
-0000702958 00000 n
-0000703767 00000 n
-0000705166 00000 n
-0000704859 00000 n
-0000704075 00000 n
-0000704975 00000 n
-0000706198 00000 n
-0000705890 00000 n
-0000705282 00000 n
-0000706006 00000 n
-0000707308 00000 n
-0000707001 00000 n
-0000706314 00000 n
-0000707117 00000 n
-0000707705 00000 n
-0000707525 00000 n
-0000707424 00000 n
-0000707641 00000 n
-0003666345 00000 n
-0000708646 00000 n
-0000711507 00000 n
-0000708990 00000 n
-0000708509 00000 n
-0000707747 00000 n
-0000708800 00000 n
-0000712723 00000 n
-0000711391 00000 n
-0000709106 00000 n
-0000712659 00000 n
-0003661279 00000 n
-0000711881 00000 n
-0000712146 00000 n
-0000712194 00000 n
-0000715197 00000 n
-0000715018 00000 n
-0000712896 00000 n
-0000715134 00000 n
-0000717334 00000 n
-0000717154 00000 n
-0000715299 00000 n
-0000717270 00000 n
-0000720201 00000 n
-0000719769 00000 n
-0000717450 00000 n
-0000719885 00000 n
-0000720011 00000 n
-0000720137 00000 n
-0000722775 00000 n
-0000722595 00000 n
-0000720317 00000 n
-0000722711 00000 n
-0003666470 00000 n
-0000725190 00000 n
-0000728720 00000 n
-0000725826 00000 n
-0000725053 00000 n
-0000722877 00000 n
-0000725381 00000 n
-0000725507 00000 n
-0000725571 00000 n
-0000725635 00000 n
-0000725762 00000 n
-0000728932 00000 n
-0000731981 00000 n
-0000729447 00000 n
-0000728565 00000 n
-0000726026 00000 n
-0000729383 00000 n
-0000729157 00000 n
-0000732190 00000 n
-0000732365 00000 n
-0000732535 00000 n
-0000732721 00000 n
-0000732888 00000 n
-0000733069 00000 n
-0000733241 00000 n
-0000733489 00000 n
-0000731781 00000 n
-0000729633 00000 n
-0000733426 00000 n
-0000736178 00000 n
-0000736353 00000 n
-0000736740 00000 n
-0000736032 00000 n
-0000733647 00000 n
-0000736549 00000 n
-0000736676 00000 n
-0000764165 00000 n
-0000764007 00000 n
-0000738924 00000 n
-0000764557 00000 n
-0000738778 00000 n
-0000736983 00000 n
-0000764366 00000 n
-0000764493 00000 n
-0000740182 00000 n
-0000740339 00000 n
-0000740387 00000 n
-0000740813 00000 n
-0000741042 00000 n
-0000767611 00000 n
-0000767176 00000 n
-0000764772 00000 n
-0000767292 00000 n
-0000767419 00000 n
-0000767547 00000 n
-0003666595 00000 n
-0000770731 00000 n
-0000770425 00000 n
-0000767741 00000 n
-0000770541 00000 n
-0000770667 00000 n
-0000773381 00000 n
-0000773532 00000 n
-0000774177 00000 n
-0000773235 00000 n
-0000770861 00000 n
-0000773732 00000 n
-0000773859 00000 n
-0000773986 00000 n
-0000774113 00000 n
-0000930363 00000 n
-0000777156 00000 n
-0000777516 00000 n
-0000777019 00000 n
-0000774391 00000 n
-0000777326 00000 n
-0000777452 00000 n
-0000781804 00000 n
-0000779887 00000 n
-0000779452 00000 n
-0000777688 00000 n
-0000779568 00000 n
-0000779695 00000 n
-0000779759 00000 n
-0000779823 00000 n
-0000782773 00000 n
-0000781688 00000 n
-0000780017 00000 n
-0000782584 00000 n
-0000782647 00000 n
-0000782710 00000 n
-0000782304 00000 n
-0000782536 00000 n
-0000786213 00000 n
-0000784362 00000 n
-0000784054 00000 n
-0000782960 00000 n
-0000784170 00000 n
-0000784234 00000 n
-0000784298 00000 n
-0003666720 00000 n
-0000786561 00000 n
-0000786076 00000 n
-0000784478 00000 n
-0000786370 00000 n
-0000786433 00000 n
-0000786497 00000 n
-0000846048 00000 n
-0000788709 00000 n
-0000788529 00000 n
-0000786691 00000 n
-0000788645 00000 n
-0003659526 00000 n
-0000790540 00000 n
-0000790361 00000 n
-0000788853 00000 n
-0000790477 00000 n
-0000792302 00000 n
-0000791994 00000 n
-0000790670 00000 n
-0000792110 00000 n
-0000792174 00000 n
-0000792238 00000 n
-0000794199 00000 n
-0000794953 00000 n
-0000794053 00000 n
-0000792432 00000 n
-0000794509 00000 n
-0000794572 00000 n
-0000794636 00000 n
-0000794763 00000 n
-0000794890 00000 n
-0000794354 00000 n
-0000797681 00000 n
-0000796158 00000 n
-0000795097 00000 n
-0000796274 00000 n
-0000796338 00000 n
-0000796402 00000 n
-0000796466 00000 n
-0000796530 00000 n
-0000796594 00000 n
-0000796658 00000 n
-0000796722 00000 n
-0000796785 00000 n
-0000796849 00000 n
-0000796913 00000 n
-0000796977 00000 n
-0000797041 00000 n
-0000797105 00000 n
-0000797169 00000 n
-0000797233 00000 n
-0000797297 00000 n
-0000797361 00000 n
-0000797425 00000 n
-0000797489 00000 n
-0000797553 00000 n
-0000797617 00000 n
-0003666845 00000 n
-0000836444 00000 n
-0000798954 00000 n
-0000837041 00000 n
-0000798817 00000 n
-0000797797 00000 n
-0000836595 00000 n
-0000836658 00000 n
-0000836722 00000 n
-0000836849 00000 n
-0000836977 00000 n
-0000809692 00000 n
-0000809849 00000 n
-0000809897 00000 n
-0000810363 00000 n
-0000810590 00000 n
-0000810920 00000 n
-0000811016 00000 n
-0000839532 00000 n
-0000839687 00000 n
-0000839847 00000 n
-0000840000 00000 n
-0000840471 00000 n
-0000839368 00000 n
-0000837187 00000 n
-0000840152 00000 n
-0000840279 00000 n
-0000840407 00000 n
-0000842701 00000 n
-0000842860 00000 n
-0000843334 00000 n
-0000842555 00000 n
-0000840658 00000 n
-0000843017 00000 n
-0000843080 00000 n
-0000843144 00000 n
-0000843207 00000 n
-0000843271 00000 n
-0000982467 00000 n
-0000845764 00000 n
-0000848746 00000 n
-0000846367 00000 n
-0000845627 00000 n
-0000843450 00000 n
-0000845920 00000 n
-0000846175 00000 n
-0000846239 00000 n
-0000846303 00000 n
-0000984561 00000 n
-0000849249 00000 n
-0000848600 00000 n
-0000846511 00000 n
-0000849058 00000 n
-0000848902 00000 n
-0000849121 00000 n
-0000849185 00000 n
-0000985613 00000 n
-0000850790 00000 n
-0000850610 00000 n
-0000849422 00000 n
-0000850726 00000 n
-0003666970 00000 n
-0000852865 00000 n
-0000853032 00000 n
-0000853199 00000 n
-0000853360 00000 n
-0000853837 00000 n
-0000852701 00000 n
-0000850906 00000 n
-0000853520 00000 n
-0000853646 00000 n
-0000853710 00000 n
-0000853773 00000 n
-0000989821 00000 n
-0000994408 00000 n
-0001010833 00000 n
-0001015454 00000 n
-0000855561 00000 n
-0000855189 00000 n
-0000853967 00000 n
-0000855305 00000 n
-0000855369 00000 n
-0000855433 00000 n
-0000855497 00000 n
-0000857782 00000 n
-0000857475 00000 n
-0000855677 00000 n
-0000857591 00000 n
-0000857654 00000 n
-0000857718 00000 n
-0000859873 00000 n
-0000860057 00000 n
-0000860256 00000 n
-0000860650 00000 n
-0000859718 00000 n
-0000857898 00000 n
-0000860461 00000 n
-0000860588 00000 n
-0000862974 00000 n
-0000862477 00000 n
-0000860836 00000 n
-0000862593 00000 n
-0000862719 00000 n
-0000862782 00000 n
-0000862846 00000 n
-0000862910 00000 n
-0000864642 00000 n
-0000865180 00000 n
-0000864505 00000 n
-0000863161 00000 n
-0000864798 00000 n
-0000864862 00000 n
-0000864926 00000 n
-0000865053 00000 n
-0000865117 00000 n
-0003667095 00000 n
-0000868765 00000 n
-0000866548 00000 n
-0000867022 00000 n
-0000866411 00000 n
-0000865310 00000 n
-0000866704 00000 n
-0000866767 00000 n
-0000866831 00000 n
-0000866895 00000 n
-0000866959 00000 n
-0000868957 00000 n
-0000868522 00000 n
-0000867138 00000 n
-0000868638 00000 n
-0000868829 00000 n
-0000868893 00000 n
-0000870587 00000 n
-0000870408 00000 n
-0000869087 00000 n
-0000870524 00000 n
-0000872237 00000 n
-0000871994 00000 n
-0000870689 00000 n
-0000872110 00000 n
-0000872174 00000 n
-0000874741 00000 n
-0000874893 00000 n
-0000877632 00000 n
-0000875237 00000 n
-0000874595 00000 n
-0000872353 00000 n
-0000875047 00000 n
-0000875173 00000 n
-0002213129 00000 n
-0000877852 00000 n
-0000877495 00000 n
-0000875381 00000 n
-0000877788 00000 n
-0003667220 00000 n
-0000879945 00000 n
-0000880201 00000 n
-0000879702 00000 n
-0000878025 00000 n
-0000879818 00000 n
-0000880009 00000 n
-0000880073 00000 n
-0000880137 00000 n
-0000881830 00000 n
-0000881458 00000 n
-0000880317 00000 n
-0000881574 00000 n
-0000881638 00000 n
-0000881702 00000 n
-0000881766 00000 n
-0000883360 00000 n
-0000883644 00000 n
-0000883223 00000 n
-0000881946 00000 n
-0000883517 00000 n
-0000883580 00000 n
-0001017371 00000 n
-0000885018 00000 n
-0000884774 00000 n
-0000883760 00000 n
-0000884890 00000 n
-0000884954 00000 n
-0000886642 00000 n
-0000886985 00000 n
-0000886505 00000 n
-0000885134 00000 n
-0000886794 00000 n
-0000886857 00000 n
-0000886921 00000 n
-0000888543 00000 n
-0000888235 00000 n
-0000887101 00000 n
-0000888351 00000 n
-0000888415 00000 n
-0000888479 00000 n
-0003667345 00000 n
-0000890546 00000 n
-0000890175 00000 n
-0000888659 00000 n
-0000890291 00000 n
-0000890354 00000 n
-0000890418 00000 n
-0000890482 00000 n
-0000892206 00000 n
-0000891898 00000 n
-0000890662 00000 n
-0000892014 00000 n
-0000892078 00000 n
-0000892142 00000 n
-0000893968 00000 n
-0000893661 00000 n
-0000892322 00000 n
-0000893777 00000 n
-0000893840 00000 n
-0000893904 00000 n
-0000896003 00000 n
-0000895631 00000 n
-0000894084 00000 n
-0000895747 00000 n
-0000895811 00000 n
-0000895875 00000 n
-0000895939 00000 n
-0000897473 00000 n
-0000897166 00000 n
-0000896119 00000 n
-0000897282 00000 n
-0000897345 00000 n
-0000897409 00000 n
-0000899517 00000 n
-0000899814 00000 n
-0000899964 00000 n
-0000900560 00000 n
-0000899353 00000 n
-0000897589 00000 n
-0000900113 00000 n
-0000900240 00000 n
-0000900304 00000 n
-0000900368 00000 n
-0000899667 00000 n
-0000900432 00000 n
-0000900496 00000 n
-0003667470 00000 n
-0000902820 00000 n
-0000902257 00000 n
-0000900690 00000 n
-0000902373 00000 n
-0000902436 00000 n
-0000902500 00000 n
-0000902564 00000 n
-0000902628 00000 n
-0000902692 00000 n
-0000902756 00000 n
-0000904502 00000 n
-0000904666 00000 n
-0000904827 00000 n
-0000905148 00000 n
-0000905306 00000 n
-0000905911 00000 n
-0000904320 00000 n
-0000902950 00000 n
-0000905464 00000 n
-0000905591 00000 n
-0000905655 00000 n
-0000904988 00000 n
-0000905719 00000 n
-0000905783 00000 n
-0000905847 00000 n
-0000999727 00000 n
-0000907321 00000 n
-0000907078 00000 n
-0000906041 00000 n
-0000907194 00000 n
-0000907257 00000 n
-0000909449 00000 n
-0000909077 00000 n
-0000907437 00000 n
-0000909193 00000 n
-0000909257 00000 n
-0000909321 00000 n
-0000909385 00000 n
-0000911066 00000 n
-0000910759 00000 n
-0000909565 00000 n
-0000910875 00000 n
-0000910938 00000 n
-0000911002 00000 n
-0000912949 00000 n
-0000912641 00000 n
-0000911182 00000 n
-0000912757 00000 n
-0000912821 00000 n
-0000912885 00000 n
-0003667595 00000 n
-0000915161 00000 n
-0000915325 00000 n
-0000915486 00000 n
-0000915808 00000 n
-0000916407 00000 n
-0000914988 00000 n
-0000913065 00000 n
-0000915963 00000 n
-0000916026 00000 n
-0000915647 00000 n
-0000916090 00000 n
-0000916216 00000 n
-0000916343 00000 n
-0001006010 00000 n
-0000918086 00000 n
-0000917779 00000 n
-0000916551 00000 n
-0000917895 00000 n
-0000918022 00000 n
-0000920225 00000 n
-0000920616 00000 n
-0000920088 00000 n
-0000918216 00000 n
-0000920426 00000 n
-0000920552 00000 n
-0000923246 00000 n
-0000923607 00000 n
-0000923109 00000 n
-0000920816 00000 n
-0000923416 00000 n
-0000923543 00000 n
-0000925509 00000 n
-0000925074 00000 n
-0000923807 00000 n
-0000925190 00000 n
-0000925253 00000 n
-0000925317 00000 n
-0000925381 00000 n
-0000925445 00000 n
-0000927083 00000 n
-0000927484 00000 n
-0000926946 00000 n
-0000925625 00000 n
-0000927293 00000 n
-0000927420 00000 n
-0003667720 00000 n
-0000929930 00000 n
-0000930085 00000 n
-0000930810 00000 n
-0000929784 00000 n
-0000927670 00000 n
-0000930237 00000 n
-0000930427 00000 n
-0000930491 00000 n
-0000930555 00000 n
-0000930619 00000 n
-0000930682 00000 n
-0000930746 00000 n
-0000950753 00000 n
-0000950881 00000 n
-0000933744 00000 n
-0000936162 00000 n
-0000934414 00000 n
-0000933607 00000 n
-0000930954 00000 n
-0000933904 00000 n
-0000933968 00000 n
-0000934032 00000 n
-0000934096 00000 n
-0000934160 00000 n
-0000934223 00000 n
-0000934350 00000 n
-0000951073 00000 n
-0000936046 00000 n
-0000934614 00000 n
-0000950626 00000 n
-0000950945 00000 n
-0000951009 00000 n
-0000953701 00000 n
-0000953073 00000 n
-0000951241 00000 n
-0000953189 00000 n
-0000953253 00000 n
-0000953317 00000 n
-0000953381 00000 n
-0000953445 00000 n
-0000953509 00000 n
-0000953573 00000 n
-0000953637 00000 n
-0000956171 00000 n
-0000956358 00000 n
-0000956858 00000 n
-0000956016 00000 n
-0000953888 00000 n
-0000956795 00000 n
-0000956577 00000 n
-0000962512 00000 n
-0000962816 00000 n
-0000959524 00000 n
-0000959091 00000 n
-0000957087 00000 n
-0000959207 00000 n
-0000959334 00000 n
-0000959461 00000 n
-0003667845 00000 n
-0000963478 00000 n
-0000962357 00000 n
-0000959668 00000 n
-0000962967 00000 n
-0000963030 00000 n
-0000962664 00000 n
-0000963094 00000 n
-0000963158 00000 n
-0000963222 00000 n
-0000963286 00000 n
-0000963350 00000 n
-0000963414 00000 n
-0000966584 00000 n
-0000966021 00000 n
-0000963622 00000 n
-0000966137 00000 n
-0000966201 00000 n
-0000966265 00000 n
-0000966329 00000 n
-0000966393 00000 n
-0000966520 00000 n
-0000971419 00000 n
-0000969113 00000 n
-0000968680 00000 n
-0000966714 00000 n
-0000968796 00000 n
-0000968922 00000 n
-0000969049 00000 n
-0000971815 00000 n
-0000971282 00000 n
-0000969229 00000 n
-0000971624 00000 n
-0000971751 00000 n
-0000974536 00000 n
-0000974293 00000 n
-0000972015 00000 n
-0000974409 00000 n
-0000974472 00000 n
-0000977095 00000 n
-0000976915 00000 n
-0000974666 00000 n
-0000977031 00000 n
-0003667970 00000 n
-0000979646 00000 n
-0000979467 00000 n
-0000977225 00000 n
-0000979583 00000 n
-0000981201 00000 n
-0000981021 00000 n
-0000979790 00000 n
-0000981137 00000 n
-0000982531 00000 n
-0000982224 00000 n
-0000981317 00000 n
-0000982340 00000 n
-0000983570 00000 n
-0000983262 00000 n
-0000982647 00000 n
-0000983378 00000 n
-0000983506 00000 n
-0000984625 00000 n
-0000984318 00000 n
-0000983686 00000 n
-0000984434 00000 n
-0000985677 00000 n
-0000985369 00000 n
-0000984741 00000 n
-0000985485 00000 n
-0003668095 00000 n
-0000991677 00000 n
-0000989578 00000 n
-0000985793 00000 n
-0000989694 00000 n
-0000989885 00000 n
-0000989949 00000 n
-0000990013 00000 n
-0000990077 00000 n
-0000990141 00000 n
-0000990205 00000 n
-0000990269 00000 n
-0000990333 00000 n
-0000990397 00000 n
-0000990461 00000 n
-0000990525 00000 n
-0000990589 00000 n
-0000990653 00000 n
-0000990717 00000 n
-0000990781 00000 n
-0000990845 00000 n
-0000990909 00000 n
-0000990973 00000 n
-0000991037 00000 n
-0000991101 00000 n
-0000991165 00000 n
-0000991229 00000 n
-0000991293 00000 n
-0000991357 00000 n
-0000991421 00000 n
-0000991485 00000 n
-0000991549 00000 n
-0000991613 00000 n
-0000995685 00000 n
-0000994164 00000 n
-0000991834 00000 n
-0000994280 00000 n
-0000994472 00000 n
-0000994536 00000 n
-0000994600 00000 n
-0000994663 00000 n
-0000994727 00000 n
-0000994790 00000 n
-0000994854 00000 n
-0000994917 00000 n
-0000994981 00000 n
-0000995045 00000 n
-0000995109 00000 n
-0000995173 00000 n
-0000995237 00000 n
-0000995301 00000 n
-0000995365 00000 n
-0000995429 00000 n
-0000995493 00000 n
-0000995557 00000 n
-0000995621 00000 n
-0001001963 00000 n
-0000999484 00000 n
-0000995814 00000 n
-0000999600 00000 n
-0000999791 00000 n
-0000999855 00000 n
-0000999919 00000 n
-0000999983 00000 n
-0001000047 00000 n
-0001000111 00000 n
-0001000175 00000 n
-0001000239 00000 n
-0001000303 00000 n
-0001000367 00000 n
-0001000431 00000 n
-0001000495 00000 n
-0001000559 00000 n
-0001000623 00000 n
-0001000687 00000 n
-0001000751 00000 n
-0001000815 00000 n
-0001000879 00000 n
-0001000942 00000 n
-0001001006 00000 n
-0001001069 00000 n
-0001001133 00000 n
-0001001195 00000 n
-0001001259 00000 n
-0001001323 00000 n
-0001001387 00000 n
-0001001451 00000 n
-0001001515 00000 n
-0001001579 00000 n
-0001001643 00000 n
-0001001707 00000 n
-0001001771 00000 n
-0001001835 00000 n
-0001001899 00000 n
-0001008246 00000 n
-0001005766 00000 n
-0001002106 00000 n
-0001005882 00000 n
-0001006074 00000 n
-0001006138 00000 n
-0001006202 00000 n
-0001006266 00000 n
-0001006330 00000 n
-0001006394 00000 n
-0001006458 00000 n
-0001006522 00000 n
-0001006586 00000 n
-0001006650 00000 n
-0001006714 00000 n
-0001006778 00000 n
-0001006842 00000 n
-0001006906 00000 n
-0001006970 00000 n
-0001007034 00000 n
-0001007098 00000 n
-0001007162 00000 n
-0001007225 00000 n
-0001007289 00000 n
-0001007352 00000 n
-0001007416 00000 n
-0001007478 00000 n
-0001007542 00000 n
-0001007606 00000 n
-0001007670 00000 n
-0001007734 00000 n
-0001007798 00000 n
-0001007862 00000 n
-0001007926 00000 n
-0001007990 00000 n
-0001008054 00000 n
-0001008118 00000 n
-0001008182 00000 n
-0001012429 00000 n
-0001010590 00000 n
-0001008389 00000 n
-0001010706 00000 n
-0001010897 00000 n
-0001010961 00000 n
-0001011025 00000 n
-0001011089 00000 n
-0001011153 00000 n
-0001011217 00000 n
-0001011281 00000 n
-0001011345 00000 n
-0001011409 00000 n
-0001011473 00000 n
-0001011537 00000 n
-0001011601 00000 n
-0001011665 00000 n
-0001011728 00000 n
-0001011792 00000 n
-0001011855 00000 n
-0001011919 00000 n
-0001011981 00000 n
-0001012045 00000 n
-0001012109 00000 n
-0001012173 00000 n
-0001012237 00000 n
-0001012301 00000 n
-0001012365 00000 n
-0001017435 00000 n
-0001015212 00000 n
-0001012544 00000 n
-0001015328 00000 n
-0001015517 00000 n
-0001015581 00000 n
-0001015645 00000 n
-0001015709 00000 n
-0001015773 00000 n
-0001015837 00000 n
-0001015901 00000 n
-0001015965 00000 n
-0001016029 00000 n
-0001016093 00000 n
-0001016157 00000 n
-0001016221 00000 n
-0001016285 00000 n
-0001016349 00000 n
-0001016413 00000 n
-0001016477 00000 n
-0001016541 00000 n
-0001016605 00000 n
-0001016669 00000 n
-0001016733 00000 n
-0001016797 00000 n
-0001016861 00000 n
-0001016925 00000 n
-0001016989 00000 n
-0001017053 00000 n
-0001017116 00000 n
-0001017180 00000 n
-0001017243 00000 n
-0003668220 00000 n
-0001019675 00000 n
-0001019369 00000 n
-0001017564 00000 n
-0001019485 00000 n
-0001019611 00000 n
-0001022008 00000 n
-0001022474 00000 n
-0001021871 00000 n
-0001019791 00000 n
-0001022157 00000 n
-0001022284 00000 n
-0001022410 00000 n
-0001025136 00000 n
-0001025473 00000 n
-0001024999 00000 n
-0001022604 00000 n
-0001025283 00000 n
-0001025409 00000 n
-0001027833 00000 n
-0001028172 00000 n
-0001027696 00000 n
-0001025617 00000 n
-0001027981 00000 n
-0001028108 00000 n
-0001030764 00000 n
-0001030458 00000 n
-0001028302 00000 n
-0001030574 00000 n
-0001030700 00000 n
-0001033148 00000 n
-0001033488 00000 n
-0001033011 00000 n
-0001030880 00000 n
-0001033297 00000 n
-0001033424 00000 n
-0003668345 00000 n
-0001036099 00000 n
-0001035920 00000 n
-0001033618 00000 n
-0001036036 00000 n
-0001038849 00000 n
-0001038542 00000 n
-0001036215 00000 n
-0001038658 00000 n
-0001038785 00000 n
-0001041478 00000 n
-0001041625 00000 n
-0001041928 00000 n
-0001042144 00000 n
-0001041314 00000 n
-0001038979 00000 n
-0001042081 00000 n
-0001041777 00000 n
-0001314145 00000 n
-0001414756 00000 n
-0001044820 00000 n
-0001044640 00000 n
-0001042246 00000 n
-0001044756 00000 n
-0001073028 00000 n
-0001046930 00000 n
-0001073625 00000 n
-0001046793 00000 n
-0001044936 00000 n
-0001073182 00000 n
-0001073307 00000 n
-0001073433 00000 n
-0001073561 00000 n
-0001049239 00000 n
-0001049396 00000 n
-0001049444 00000 n
-0001049846 00000 n
-0001050073 00000 n
-0001114821 00000 n
-0001075328 00000 n
-0001114978 00000 n
-0001094388 00000 n
-0001115453 00000 n
-0001075182 00000 n
-0001073785 00000 n
-0001115133 00000 n
-0001115261 00000 n
-0001115389 00000 n
-0003668470 00000 n
-0001075963 00000 n
-0001076120 00000 n
-0001076168 00000 n
-0001076542 00000 n
-0001076772 00000 n
-0001095192 00000 n
-0001095349 00000 n
-0001095397 00000 n
-0001095793 00000 n
-0001096023 00000 n
-0001096348 00000 n
-0001096444 00000 n
-0001160934 00000 n
-0001117014 00000 n
-0001161088 00000 n
-0001140027 00000 n
-0001161559 00000 n
-0001116868 00000 n
-0001115628 00000 n
-0001161241 00000 n
-0001161368 00000 n
-0001161496 00000 n
-0001117958 00000 n
-0001118115 00000 n
-0001118163 00000 n
-0001118581 00000 n
-0001118808 00000 n
-0001119123 00000 n
-0001119219 00000 n
-0001140872 00000 n
-0001141029 00000 n
-0001141077 00000 n
-0001141471 00000 n
-0001141698 00000 n
-0001163535 00000 n
-0001163684 00000 n
-0001164099 00000 n
-0001163389 00000 n
-0001161720 00000 n
-0001163843 00000 n
-0001163907 00000 n
-0001163971 00000 n
-0001164035 00000 n
-0001183997 00000 n
-0001165779 00000 n
-0001166319 00000 n
-0001165642 00000 n
-0001164272 00000 n
-0001165937 00000 n
-0001166000 00000 n
-0001166064 00000 n
-0001166128 00000 n
-0001166192 00000 n
-0001166255 00000 n
-0001185357 00000 n
-0001167728 00000 n
-0001167422 00000 n
-0001166435 00000 n
-0001167538 00000 n
-0001167602 00000 n
-0001167665 00000 n
-0001169276 00000 n
-0001171711 00000 n
-0001171870 00000 n
-0001169680 00000 n
-0001169139 00000 n
-0001167844 00000 n
-0001169425 00000 n
-0001169488 00000 n
-0001169552 00000 n
-0001169616 00000 n
-0001216073 00000 n
-0001314901 00000 n
-0001172474 00000 n
-0001171565 00000 n
-0001169796 00000 n
-0001172029 00000 n
-0001172093 00000 n
-0001172220 00000 n
-0001172346 00000 n
-0001172410 00000 n
-0003668595 00000 n
-0001190802 00000 n
-0001207000 00000 n
-0001174850 00000 n
-0001174671 00000 n
-0001172632 00000 n
-0001174787 00000 n
-0001177508 00000 n
-0001177657 00000 n
-0001177812 00000 n
-0001178029 00000 n
-0001177353 00000 n
-0001174980 00000 n
-0001177965 00000 n
-0001180610 00000 n
-0001180825 00000 n
-0001180473 00000 n
-0001178173 00000 n
-0001180762 00000 n
-0001182617 00000 n
-0001182437 00000 n
-0001180983 00000 n
-0001182553 00000 n
-0001184061 00000 n
-0001183754 00000 n
-0001182733 00000 n
-0001183870 00000 n
-0001185421 00000 n
-0001185113 00000 n
-0001184177 00000 n
-0001185229 00000 n
-0003668720 00000 n
-0001193542 00000 n
-0001190559 00000 n
-0001185537 00000 n
-0001190675 00000 n
-0001190866 00000 n
-0001190930 00000 n
-0001190994 00000 n
-0001191058 00000 n
-0001191122 00000 n
-0001191186 00000 n
-0001191250 00000 n
-0001191314 00000 n
-0001191377 00000 n
-0001191441 00000 n
-0001191504 00000 n
-0001191568 00000 n
-0001191630 00000 n
-0001191694 00000 n
-0001191758 00000 n
-0001191822 00000 n
-0001191886 00000 n
-0001191950 00000 n
-0001192014 00000 n
-0001192078 00000 n
-0001192142 00000 n
-0001192206 00000 n
-0001192270 00000 n
-0001192334 00000 n
-0001192398 00000 n
-0001192462 00000 n
-0001192526 00000 n
-0001192590 00000 n
-0001192654 00000 n
-0001192718 00000 n
-0001192781 00000 n
-0001192845 00000 n
-0001192907 00000 n
-0001192971 00000 n
-0001193034 00000 n
-0001193098 00000 n
-0001193162 00000 n
-0001193226 00000 n
-0001193290 00000 n
-0001193353 00000 n
-0001193416 00000 n
-0001193479 00000 n
-0001197955 00000 n
-0001195987 00000 n
-0001193699 00000 n
-0001196103 00000 n
-0001196231 00000 n
-0001196295 00000 n
-0001196359 00000 n
-0001196423 00000 n
-0001196487 00000 n
-0001196551 00000 n
-0001196615 00000 n
-0001196679 00000 n
-0001196743 00000 n
-0001196807 00000 n
-0001196871 00000 n
-0001196935 00000 n
-0001196999 00000 n
-0001197063 00000 n
-0001197127 00000 n
-0001197190 00000 n
-0001197254 00000 n
-0001197317 00000 n
-0001197381 00000 n
-0001197443 00000 n
-0001197507 00000 n
-0001197571 00000 n
-0001197635 00000 n
-0001197699 00000 n
-0001197763 00000 n
-0001197827 00000 n
-0001197891 00000 n
-0001202486 00000 n
-0001200453 00000 n
-0001198070 00000 n
-0001200569 00000 n
-0001200696 00000 n
-0001200760 00000 n
-0001200824 00000 n
-0001200887 00000 n
-0001200951 00000 n
-0001201014 00000 n
-0001201078 00000 n
-0001201142 00000 n
-0001201206 00000 n
-0001201270 00000 n
-0001201334 00000 n
-0001201398 00000 n
-0001201462 00000 n
-0001201526 00000 n
-0001201590 00000 n
-0001201654 00000 n
-0001201718 00000 n
-0001201782 00000 n
-0001201846 00000 n
-0001201910 00000 n
-0001201974 00000 n
-0001202038 00000 n
-0001202102 00000 n
-0001202166 00000 n
-0001202230 00000 n
-0001202294 00000 n
-0001202358 00000 n
-0001202422 00000 n
-0001209748 00000 n
-0001206756 00000 n
-0001202601 00000 n
-0001206872 00000 n
-0001207064 00000 n
-0001207128 00000 n
-0001207192 00000 n
-0001207256 00000 n
-0001207320 00000 n
-0001207384 00000 n
-0001207448 00000 n
-0001207512 00000 n
-0001207576 00000 n
-0001207640 00000 n
-0001207704 00000 n
-0001207768 00000 n
-0001207832 00000 n
-0001207896 00000 n
-0001207960 00000 n
-0001208024 00000 n
-0001208088 00000 n
-0001208152 00000 n
-0001208216 00000 n
-0001208280 00000 n
-0001208344 00000 n
-0001208408 00000 n
-0001208471 00000 n
-0001208535 00000 n
-0001208598 00000 n
-0001208662 00000 n
-0001208724 00000 n
-0001208788 00000 n
-0001208852 00000 n
-0001208916 00000 n
-0001208980 00000 n
-0001209044 00000 n
-0001209108 00000 n
-0001209172 00000 n
-0001209236 00000 n
-0001209300 00000 n
-0001209364 00000 n
-0001209428 00000 n
-0001209492 00000 n
-0001209556 00000 n
-0001209620 00000 n
-0001209684 00000 n
-0001215414 00000 n
-0001212809 00000 n
-0001209891 00000 n
-0001212925 00000 n
-0001213051 00000 n
-0001213114 00000 n
-0001213178 00000 n
-0001213242 00000 n
-0001213306 00000 n
-0001213370 00000 n
-0001213434 00000 n
-0001213498 00000 n
-0001213562 00000 n
-0001213626 00000 n
-0001213690 00000 n
-0001213754 00000 n
-0001213818 00000 n
-0001213882 00000 n
-0001213946 00000 n
-0001214010 00000 n
-0001214074 00000 n
-0001214138 00000 n
-0001214202 00000 n
-0001214266 00000 n
-0001214329 00000 n
-0001214393 00000 n
-0001214456 00000 n
-0001214520 00000 n
-0001214582 00000 n
-0001214646 00000 n
-0001214710 00000 n
-0001214774 00000 n
-0001214838 00000 n
-0001214902 00000 n
-0001214966 00000 n
-0001215030 00000 n
-0001215094 00000 n
-0001215158 00000 n
-0001215222 00000 n
-0001215286 00000 n
-0001215350 00000 n
-0001314209 00000 n
-0001215957 00000 n
-0001215529 00000 n
-0001314017 00000 n
-0003668845 00000 n
-0001414820 00000 n
-0001314785 00000 n
-0001314349 00000 n
-0001414629 00000 n
-0001415241 00000 n
-0001415061 00000 n
-0001414960 00000 n
-0001415177 00000 n
-0001415723 00000 n
-0001415544 00000 n
-0001415283 00000 n
-0001416014 00000 n
-0001415898 00000 n
-0001415797 00000 n
-0001417411 00000 n
-0001416977 00000 n
-0001416056 00000 n
-0001417093 00000 n
-0001417156 00000 n
-0001417283 00000 n
-0001417347 00000 n
-0001417808 00000 n
-0001417628 00000 n
-0001417527 00000 n
-0001417744 00000 n
-0003668970 00000 n
-0001419814 00000 n
-0001419659 00000 n
-0001422214 00000 n
-0001420580 00000 n
-0001419504 00000 n
-0001417850 00000 n
-0001420263 00000 n
-0001420389 00000 n
-0001420516 00000 n
-0001420039 00000 n
-0001440592 00000 n
-0001440783 00000 n
-0001422098 00000 n
-0001420766 00000 n
-0001440464 00000 n
-0001440719 00000 n
-0001443433 00000 n
-0001443000 00000 n
-0001440937 00000 n
-0001443116 00000 n
-0001443242 00000 n
-0001443369 00000 n
-0001446231 00000 n
-0001446051 00000 n
-0001443563 00000 n
-0001446167 00000 n
-0001448970 00000 n
-0001448791 00000 n
-0001446375 00000 n
-0001448907 00000 n
-0001451756 00000 n
-0001451322 00000 n
-0001449100 00000 n
-0001451438 00000 n
-0001451565 00000 n
-0001451692 00000 n
-0003669095 00000 n
-0001454591 00000 n
-0001454285 00000 n
-0001451886 00000 n
-0001454401 00000 n
-0001454527 00000 n
-0001457129 00000 n
-0001459371 00000 n
-0001457347 00000 n
-0001456992 00000 n
-0001454735 00000 n
-0001457283 00000 n
-0001488506 00000 n
-0001487624 00000 n
-0001487772 00000 n
-0001488077 00000 n
-0001488226 00000 n
-0001490611 00000 n
-0001488570 00000 n
-0001459198 00000 n
-0001457548 00000 n
-0001488379 00000 n
-0001487925 00000 n
-0001463683 00000 n
-0001463840 00000 n
-0001463888 00000 n
-0001464310 00000 n
-0001464539 00000 n
-0001602367 00000 n
-0001490765 00000 n
-0001490981 00000 n
-0001490465 00000 n
-0001488758 00000 n
-0001490917 00000 n
-0001606497 00000 n
-0001607556 00000 n
-0001492867 00000 n
-0001493084 00000 n
-0001492730 00000 n
-0001491097 00000 n
-0001493021 00000 n
-0001606370 00000 n
-0001495078 00000 n
-0001494898 00000 n
-0001493200 00000 n
-0001495014 00000 n
-0003669220 00000 n
-0001496764 00000 n
-0001496585 00000 n
-0001495222 00000 n
-0001496701 00000 n
-0001498184 00000 n
-0001497877 00000 n
-0001496880 00000 n
-0001497993 00000 n
-0001498120 00000 n
-0001500544 00000 n
-0001500699 00000 n
-0001501107 00000 n
-0001500398 00000 n
-0001498314 00000 n
-0001500853 00000 n
-0001500916 00000 n
-0001500979 00000 n
-0001501043 00000 n
-0001611834 00000 n
-0001502501 00000 n
-0001502193 00000 n
-0001501294 00000 n
-0001502309 00000 n
-0001502373 00000 n
-0001502437 00000 n
-0001503715 00000 n
-0001503536 00000 n
-0001502617 00000 n
-0001503652 00000 n
-0001505590 00000 n
-0001506254 00000 n
-0001505453 00000 n
-0001503831 00000 n
-0001505745 00000 n
-0001505809 00000 n
-0001505936 00000 n
-0001506000 00000 n
-0001506064 00000 n
-0001506126 00000 n
-0001506190 00000 n
-0003669345 00000 n
-0001618570 00000 n
-0001508824 00000 n
-0001509166 00000 n
-0001508687 00000 n
-0001506384 00000 n
-0001508976 00000 n
-0001509102 00000 n
-0001540678 00000 n
-0001510560 00000 n
-0001540806 00000 n
-0001510444 00000 n
-0001509296 00000 n
-0001540550 00000 n
-0001540742 00000 n
-0001514333 00000 n
-0001514490 00000 n
-0001514538 00000 n
-0001514982 00000 n
-0001515211 00000 n
-0001542081 00000 n
-0001541902 00000 n
-0001540952 00000 n
-0001542018 00000 n
-0001546177 00000 n
-0001543836 00000 n
-0001543592 00000 n
-0001542197 00000 n
-0001543708 00000 n
-0001543772 00000 n
-0001545872 00000 n
-0001546025 00000 n
-0001546792 00000 n
-0001545717 00000 n
-0001543952 00000 n
-0001546345 00000 n
-0001546408 00000 n
-0001546472 00000 n
-0001546536 00000 n
-0001546600 00000 n
-0001546664 00000 n
-0001546728 00000 n
-0001625083 00000 n
-0001549000 00000 n
-0001548756 00000 n
-0001546964 00000 n
-0001548872 00000 n
-0001548936 00000 n
-0003669470 00000 n
-0001550506 00000 n
-0001550201 00000 n
-0001549130 00000 n
-0001550317 00000 n
-0001550380 00000 n
-0001550444 00000 n
-0001551837 00000 n
-0001551593 00000 n
-0001550622 00000 n
-0001551709 00000 n
-0001551773 00000 n
-0001553557 00000 n
-0001553251 00000 n
-0001551953 00000 n
-0001553367 00000 n
-0001553430 00000 n
-0001553493 00000 n
-0001554925 00000 n
-0001554745 00000 n
-0001553673 00000 n
-0001554861 00000 n
-0001556484 00000 n
-0001556305 00000 n
-0001555027 00000 n
-0001556421 00000 n
-0001557493 00000 n
-0001557313 00000 n
-0001556600 00000 n
-0001557429 00000 n
-0003669595 00000 n
-0001558547 00000 n
-0001558368 00000 n
-0001557595 00000 n
-0001558484 00000 n
-0001561140 00000 n
-0001561489 00000 n
-0001561003 00000 n
-0001558663 00000 n
-0001561298 00000 n
-0001561425 00000 n
-0001631400 00000 n
-0001563540 00000 n
-0001563041 00000 n
-0001561633 00000 n
-0001563157 00000 n
-0001563220 00000 n
-0001563284 00000 n
-0001563348 00000 n
-0001563412 00000 n
-0001563476 00000 n
-0001565352 00000 n
-0001565694 00000 n
-0001565215 00000 n
-0001563670 00000 n
-0001565503 00000 n
-0001565630 00000 n
-0001632676 00000 n
-0001567218 00000 n
-0001567039 00000 n
-0001565838 00000 n
-0001567155 00000 n
-0001568788 00000 n
-0001569275 00000 n
-0001568651 00000 n
-0001567391 00000 n
-0001568955 00000 n
-0001569019 00000 n
-0001569083 00000 n
-0001569147 00000 n
-0001569211 00000 n
-0003669720 00000 n
-0001571134 00000 n
-0001570699 00000 n
-0001569447 00000 n
-0001570815 00000 n
-0001570878 00000 n
-0001570942 00000 n
-0001571006 00000 n
-0001571070 00000 n
-0001573005 00000 n
-0001575724 00000 n
-0001573480 00000 n
-0001572868 00000 n
-0001571250 00000 n
-0001573161 00000 n
-0001573288 00000 n
-0001573352 00000 n
-0001573416 00000 n
-0001636403 00000 n
-0001575910 00000 n
-0001576368 00000 n
-0001579256 00000 n
-0001576854 00000 n
-0001575560 00000 n
-0001573610 00000 n
-0001576536 00000 n
-0001576599 00000 n
-0001576663 00000 n
-0001576790 00000 n
-0001576140 00000 n
-0001579425 00000 n
-0001579659 00000 n
-0001579110 00000 n
-0001577040 00000 n
-0001579595 00000 n
-0001581850 00000 n
-0001582000 00000 n
-0001582160 00000 n
-0001585425 00000 n
-0001583136 00000 n
-0001581695 00000 n
-0001579845 00000 n
-0001582310 00000 n
-0001582436 00000 n
-0001582500 00000 n
-0001582563 00000 n
-0001582627 00000 n
-0001582691 00000 n
-0001582755 00000 n
-0001582818 00000 n
-0001582945 00000 n
-0001583009 00000 n
-0001583072 00000 n
-0001637426 00000 n
-0001585582 00000 n
-0001586188 00000 n
-0001585279 00000 n
-0001583266 00000 n
-0001585742 00000 n
-0001585806 00000 n
-0001585870 00000 n
-0001585934 00000 n
-0001585998 00000 n
-0001586124 00000 n
-0003669845 00000 n
-0001639009 00000 n
-0001588539 00000 n
-0001588169 00000 n
-0001586332 00000 n
-0001588285 00000 n
-0001588411 00000 n
-0001588475 00000 n
-0001591052 00000 n
-0001590872 00000 n
-0001588697 00000 n
-0001590988 00000 n
-0001593670 00000 n
-0001593491 00000 n
-0001591168 00000 n
-0001593607 00000 n
-0001596023 00000 n
-0001595843 00000 n
-0001593828 00000 n
-0001595959 00000 n
-0001597811 00000 n
-0001597632 00000 n
-0001596167 00000 n
-0001597748 00000 n
-0001605180 00000 n
-0001602123 00000 n
-0001597941 00000 n
-0001602239 00000 n
-0001602431 00000 n
-0001602495 00000 n
-0001602559 00000 n
-0001602623 00000 n
-0001602687 00000 n
-0001602751 00000 n
-0001602815 00000 n
-0001602879 00000 n
-0001602943 00000 n
-0001603007 00000 n
-0001603071 00000 n
-0001603135 00000 n
-0001603199 00000 n
-0001603263 00000 n
-0001603327 00000 n
-0001603391 00000 n
-0001603455 00000 n
-0001603519 00000 n
-0001603583 00000 n
-0001603647 00000 n
-0001603710 00000 n
-0001603774 00000 n
-0001603837 00000 n
-0001603901 00000 n
-0001603964 00000 n
-0001604028 00000 n
-0001604092 00000 n
-0001604156 00000 n
-0001604220 00000 n
-0001604284 00000 n
-0001604348 00000 n
-0001604412 00000 n
-0001604476 00000 n
-0001604540 00000 n
-0001604604 00000 n
-0001604668 00000 n
-0001604732 00000 n
-0001604796 00000 n
-0001604860 00000 n
-0001604924 00000 n
-0001604988 00000 n
-0001605052 00000 n
-0001605116 00000 n
-0003669970 00000 n
-0001606561 00000 n
-0001606127 00000 n
-0001605323 00000 n
-0001606243 00000 n
-0001607620 00000 n
-0001607312 00000 n
-0001606677 00000 n
-0001607428 00000 n
-0001614391 00000 n
-0001611591 00000 n
-0001607736 00000 n
-0001611707 00000 n
-0001611898 00000 n
-0001611962 00000 n
-0001612026 00000 n
-0001612090 00000 n
-0001612154 00000 n
-0001612218 00000 n
-0001612282 00000 n
-0001612346 00000 n
-0001612410 00000 n
-0001612474 00000 n
-0001612538 00000 n
-0001612602 00000 n
-0001612666 00000 n
-0001612729 00000 n
-0001612793 00000 n
-0001612856 00000 n
-0001612920 00000 n
-0001612983 00000 n
-0001613047 00000 n
-0001613111 00000 n
-0001613175 00000 n
-0001613239 00000 n
-0001613303 00000 n
-0001613367 00000 n
-0001613431 00000 n
-0001613495 00000 n
-0001613559 00000 n
-0001613623 00000 n
-0001613687 00000 n
-0001613751 00000 n
-0001613815 00000 n
-0001613879 00000 n
-0001613943 00000 n
-0001614007 00000 n
-0001614071 00000 n
-0001614135 00000 n
-0001614199 00000 n
-0001614263 00000 n
-0001614327 00000 n
-0001621062 00000 n
-0001618326 00000 n
-0001614534 00000 n
-0001618442 00000 n
-0001618634 00000 n
-0001618698 00000 n
-0001618762 00000 n
-0001618826 00000 n
-0001618890 00000 n
-0001618954 00000 n
-0001619018 00000 n
-0001619082 00000 n
-0001619146 00000 n
-0001619210 00000 n
-0001619274 00000 n
-0001619338 00000 n
-0001619402 00000 n
-0001619466 00000 n
-0001619530 00000 n
-0001619594 00000 n
-0001619658 00000 n
-0001619722 00000 n
-0001619786 00000 n
-0001619850 00000 n
-0001619914 00000 n
-0001619978 00000 n
-0001620042 00000 n
-0001620106 00000 n
-0001620170 00000 n
-0001620234 00000 n
-0001620298 00000 n
-0001620361 00000 n
-0001620425 00000 n
-0001620488 00000 n
-0001620552 00000 n
-0001620614 00000 n
-0001620678 00000 n
-0001620742 00000 n
-0001620806 00000 n
-0001620870 00000 n
-0001620934 00000 n
-0001620998 00000 n
-0001627511 00000 n
-0001624840 00000 n
-0001621205 00000 n
-0001624956 00000 n
-0001625147 00000 n
-0001625211 00000 n
-0001625275 00000 n
-0001625339 00000 n
-0001625403 00000 n
-0001625467 00000 n
-0001625531 00000 n
-0001625595 00000 n
-0001625658 00000 n
-0001625722 00000 n
-0001625785 00000 n
-0001625849 00000 n
-0001625912 00000 n
-0001625976 00000 n
-0001626040 00000 n
-0001626104 00000 n
-0001626168 00000 n
-0001626232 00000 n
-0001626296 00000 n
-0001626360 00000 n
-0001626424 00000 n
-0001626488 00000 n
-0001626552 00000 n
-0001626616 00000 n
-0001626680 00000 n
-0001626744 00000 n
-0001626808 00000 n
-0001626872 00000 n
-0001626936 00000 n
-0001627000 00000 n
-0001627064 00000 n
-0001627128 00000 n
-0001627192 00000 n
-0001627256 00000 n
-0001627320 00000 n
-0001627384 00000 n
-0001627448 00000 n
-0001633827 00000 n
-0001631156 00000 n
-0001627654 00000 n
-0001631272 00000 n
-0001631464 00000 n
-0001631528 00000 n
-0001631591 00000 n
-0001631655 00000 n
-0001631717 00000 n
-0001631781 00000 n
-0001631845 00000 n
-0001631909 00000 n
-0001631973 00000 n
-0001632037 00000 n
-0001632101 00000 n
-0001632165 00000 n
-0001632229 00000 n
-0001632293 00000 n
-0001632357 00000 n
-0001632421 00000 n
-0001632485 00000 n
-0001632549 00000 n
-0001632739 00000 n
-0001632803 00000 n
-0001632867 00000 n
-0001632931 00000 n
-0001632995 00000 n
-0001633059 00000 n
-0001633123 00000 n
-0001633187 00000 n
-0001633251 00000 n
-0001633315 00000 n
-0001633379 00000 n
-0001633443 00000 n
-0001633507 00000 n
-0001633571 00000 n
-0001633635 00000 n
-0001633699 00000 n
-0001633763 00000 n
-0003670095 00000 n
-0001637490 00000 n
-0001636160 00000 n
-0001633970 00000 n
-0001636276 00000 n
-0001636467 00000 n
-0001636531 00000 n
-0001636594 00000 n
-0001636658 00000 n
-0001636722 00000 n
-0001636786 00000 n
-0001636850 00000 n
-0001636914 00000 n
-0001636978 00000 n
-0001637042 00000 n
-0001637106 00000 n
-0001637170 00000 n
-0001637234 00000 n
-0001637298 00000 n
-0001639073 00000 n
-0001638639 00000 n
-0001637647 00000 n
-0001638755 00000 n
-0001638882 00000 n
-0001640976 00000 n
-0001640670 00000 n
-0001639189 00000 n
-0001640786 00000 n
-0001640912 00000 n
-0001643220 00000 n
-0001642913 00000 n
-0001641092 00000 n
-0001643029 00000 n
-0001643156 00000 n
-0001645832 00000 n
-0001645400 00000 n
-0001643393 00000 n
-0001645516 00000 n
-0001645642 00000 n
-0001645768 00000 n
-0001648293 00000 n
-0001648113 00000 n
-0001645962 00000 n
-0001648229 00000 n
-0003670220 00000 n
-0001650211 00000 n
-0001650032 00000 n
-0001648409 00000 n
-0001650148 00000 n
-0001651707 00000 n
-0001651527 00000 n
-0001650384 00000 n
-0001651643 00000 n
-0001654229 00000 n
-0001653923 00000 n
-0001651823 00000 n
-0001654039 00000 n
-0001654165 00000 n
-0001656627 00000 n
-0001656195 00000 n
-0001654373 00000 n
-0001656311 00000 n
-0001656437 00000 n
-0001656564 00000 n
-0001658319 00000 n
-0001658140 00000 n
-0001656828 00000 n
-0001658256 00000 n
-0001660582 00000 n
-0001661074 00000 n
-0001660445 00000 n
-0001658435 00000 n
-0001660756 00000 n
-0001660883 00000 n
-0001661010 00000 n
-0003670345 00000 n
-0001663902 00000 n
-0001663405 00000 n
-0001661260 00000 n
-0001663521 00000 n
-0001663647 00000 n
-0001663774 00000 n
-0001663838 00000 n
-0001666149 00000 n
-0001666939 00000 n
-0001666012 00000 n
-0001664032 00000 n
-0001666299 00000 n
-0001666363 00000 n
-0001666427 00000 n
-0001666491 00000 n
-0001666555 00000 n
-0001666619 00000 n
-0001666683 00000 n
-0001666747 00000 n
-0001666811 00000 n
-0001666875 00000 n
-0001669058 00000 n
-0001669358 00000 n
-0001669918 00000 n
-0001668894 00000 n
-0001667055 00000 n
-0001669664 00000 n
-0001669727 00000 n
-0001669854 00000 n
-0001669208 00000 n
-0001669511 00000 n
-0001672052 00000 n
-0001672393 00000 n
-0001671915 00000 n
-0001670062 00000 n
-0001672202 00000 n
-0001672329 00000 n
-0001674140 00000 n
-0001673961 00000 n
-0001672537 00000 n
-0001674077 00000 n
-0001675614 00000 n
-0001675434 00000 n
-0001674242 00000 n
-0001675550 00000 n
-0003670470 00000 n
-0001677124 00000 n
-0001676945 00000 n
-0001675716 00000 n
-0001677061 00000 n
-0001679215 00000 n
-0001679556 00000 n
-0001679078 00000 n
-0001677226 00000 n
-0001679365 00000 n
-0001679492 00000 n
-0001682153 00000 n
-0001681595 00000 n
-0001679686 00000 n
-0001681711 00000 n
-0001681837 00000 n
-0001681964 00000 n
-0001682091 00000 n
-0001684094 00000 n
-0001687031 00000 n
-0001684564 00000 n
-0001683957 00000 n
-0001682311 00000 n
-0001684247 00000 n
-0001684374 00000 n
-0001684501 00000 n
-0001687658 00000 n
-0001686885 00000 n
-0001684708 00000 n
-0001687341 00000 n
-0001687467 00000 n
-0001687186 00000 n
-0001687594 00000 n
-0001690186 00000 n
-0001690399 00000 n
-0001690049 00000 n
-0001687802 00000 n
-0001690335 00000 n
-0003670595 00000 n
-0001693217 00000 n
-0001692655 00000 n
-0001690529 00000 n
-0001692771 00000 n
-0001692897 00000 n
-0001692961 00000 n
-0001693025 00000 n
-0001693089 00000 n
-0001693153 00000 n
-0001695231 00000 n
-0001694987 00000 n
-0001693361 00000 n
-0001695103 00000 n
-0001695167 00000 n
-0001697186 00000 n
-0001696753 00000 n
-0001695347 00000 n
-0001696869 00000 n
-0001697122 00000 n
-0001699499 00000 n
-0001699066 00000 n
-0001697302 00000 n
-0001699182 00000 n
-0001699309 00000 n
-0001699435 00000 n
-0001702066 00000 n
-0001704364 00000 n
-0001702412 00000 n
-0001701929 00000 n
-0001699700 00000 n
-0001702223 00000 n
-0001702348 00000 n
-0001729991 00000 n
-0001731259 00000 n
-0001730055 00000 n
-0001704248 00000 n
-0001702542 00000 n
-0001729863 00000 n
-0003670720 00000 n
-0001706734 00000 n
-0001706891 00000 n
-0001706939 00000 n
-0001707361 00000 n
-0001707588 00000 n
-0001762801 00000 n
-0001731143 00000 n
-0001730201 00000 n
-0001762483 00000 n
-0001762610 00000 n
-0001762737 00000 n
-0001765257 00000 n
-0001765555 00000 n
-0001765710 00000 n
-0001766007 00000 n
-0001766357 00000 n
-0001765075 00000 n
-0001762955 00000 n
-0001766166 00000 n
-0001766293 00000 n
-0001765406 00000 n
-0001765859 00000 n
-0001768219 00000 n
-0001768369 00000 n
-0001768713 00000 n
-0001768073 00000 n
-0001766515 00000 n
-0001768523 00000 n
-0001768649 00000 n
-0001771081 00000 n
-0001771145 00000 n
-0001770837 00000 n
-0001768857 00000 n
-0001770953 00000 n
-0001773709 00000 n
-0001773862 00000 n
-0001774016 00000 n
-0001774173 00000 n
-0001774707 00000 n
-0001773545 00000 n
-0001771346 00000 n
-0001774324 00000 n
-0001774387 00000 n
-0001774451 00000 n
-0001774515 00000 n
-0001774579 00000 n
-0001774643 00000 n
-0001818943 00000 n
-0001828476 00000 n
-0001830794 00000 n
-0001831864 00000 n
-0001776412 00000 n
-0001776757 00000 n
-0001776275 00000 n
-0001774894 00000 n
-0001776565 00000 n
-0001776629 00000 n
-0001776693 00000 n
-0003670845 00000 n
-0001778443 00000 n
-0001778264 00000 n
-0001776873 00000 n
-0001778380 00000 n
-0001780024 00000 n
-0001779844 00000 n
-0001778559 00000 n
-0001779960 00000 n
-0001781798 00000 n
-0001782205 00000 n
-0001781661 00000 n
-0001780126 00000 n
-0001781950 00000 n
-0001782013 00000 n
-0001782077 00000 n
-0001782141 00000 n
-0001832943 00000 n
-0001783769 00000 n
-0001783461 00000 n
-0001782321 00000 n
-0001783577 00000 n
-0001783641 00000 n
-0001783705 00000 n
-0001785307 00000 n
-0001785000 00000 n
-0001783885 00000 n
-0001785116 00000 n
-0001785179 00000 n
-0001785243 00000 n
-0001786948 00000 n
-0001786640 00000 n
-0001785423 00000 n
-0001786756 00000 n
-0001786820 00000 n
-0001786884 00000 n
-0003670970 00000 n
-0001788565 00000 n
-0001788907 00000 n
-0001788428 00000 n
-0001787064 00000 n
-0001788716 00000 n
-0001788779 00000 n
-0001788843 00000 n
-0001794154 00000 n
-0001790374 00000 n
-0001790130 00000 n
-0001789023 00000 n
-0001790246 00000 n
-0001790310 00000 n
-0001793809 00000 n
-0001792507 00000 n
-0001792072 00000 n
-0001790490 00000 n
-0001792188 00000 n
-0001792251 00000 n
-0001792315 00000 n
-0001792379 00000 n
-0001792443 00000 n
-0001794218 00000 n
-0001793672 00000 n
-0001792651 00000 n
-0001793964 00000 n
-0001794028 00000 n
-0001795252 00000 n
-0001795073 00000 n
-0001794348 00000 n
-0001795189 00000 n
-0001797203 00000 n
-0001797676 00000 n
-0001797066 00000 n
-0001795354 00000 n
-0001797358 00000 n
-0001797485 00000 n
-0001797549 00000 n
-0001797613 00000 n
-0003671095 00000 n
-0001799070 00000 n
-0001798699 00000 n
-0001797820 00000 n
-0001798815 00000 n
-0001798878 00000 n
-0001798942 00000 n
-0001799006 00000 n
-0001800912 00000 n
-0001800668 00000 n
-0001799186 00000 n
-0001800784 00000 n
-0001800848 00000 n
-0001802553 00000 n
-0001802246 00000 n
-0001801028 00000 n
-0001802362 00000 n
-0001802425 00000 n
-0001802489 00000 n
-0001804889 00000 n
-0001804328 00000 n
-0001802669 00000 n
-0001804444 00000 n
-0001804508 00000 n
-0001804634 00000 n
-0001804761 00000 n
-0001804825 00000 n
-0001807196 00000 n
-0001807017 00000 n
-0001805047 00000 n
-0001807133 00000 n
-0001809751 00000 n
-0001809571 00000 n
-0001807340 00000 n
-0001809687 00000 n
-0003671220 00000 n
-0001812197 00000 n
-0001812018 00000 n
-0001809867 00000 n
-0001812134 00000 n
-0001813423 00000 n
-0001813243 00000 n
-0001812327 00000 n
-0001813359 00000 n
-0001821683 00000 n
-0001818700 00000 n
-0001813525 00000 n
-0001818816 00000 n
-0001819007 00000 n
-0001819071 00000 n
-0001819135 00000 n
-0001819199 00000 n
-0001819263 00000 n
-0001819327 00000 n
-0001819391 00000 n
-0001819455 00000 n
-0001819518 00000 n
-0001819582 00000 n
-0001819645 00000 n
-0001819709 00000 n
-0001819771 00000 n
-0001819835 00000 n
-0001819899 00000 n
-0001819963 00000 n
-0001820027 00000 n
-0001820091 00000 n
-0001820155 00000 n
-0001820219 00000 n
-0001820283 00000 n
-0001820347 00000 n
-0001820411 00000 n
-0001820475 00000 n
-0001820539 00000 n
-0001820603 00000 n
-0001820667 00000 n
-0001820731 00000 n
-0001820795 00000 n
-0001820859 00000 n
-0001820922 00000 n
-0001820986 00000 n
-0001821048 00000 n
-0001821112 00000 n
-0001821175 00000 n
-0001821239 00000 n
-0001821303 00000 n
-0001821367 00000 n
-0001821431 00000 n
-0001821494 00000 n
-0001821557 00000 n
-0001821620 00000 n
-0001827427 00000 n
-0001824821 00000 n
-0001821840 00000 n
-0001824937 00000 n
-0001825064 00000 n
-0001825127 00000 n
-0001825191 00000 n
-0001825255 00000 n
-0001825319 00000 n
-0001825383 00000 n
-0001825447 00000 n
-0001825511 00000 n
-0001825575 00000 n
-0001825639 00000 n
-0001825703 00000 n
-0001825767 00000 n
-0001825831 00000 n
-0001825895 00000 n
-0001825959 00000 n
-0001826023 00000 n
-0001826087 00000 n
-0001826151 00000 n
-0001826215 00000 n
-0001826279 00000 n
-0001826342 00000 n
-0001826406 00000 n
-0001826469 00000 n
-0001826533 00000 n
-0001826595 00000 n
-0001826659 00000 n
-0001826723 00000 n
-0001826787 00000 n
-0001826851 00000 n
-0001826915 00000 n
-0001826979 00000 n
-0001827043 00000 n
-0001827107 00000 n
-0001827171 00000 n
-0001827235 00000 n
-0001827299 00000 n
-0001827363 00000 n
-0001828540 00000 n
-0001828234 00000 n
-0001827542 00000 n
-0001828350 00000 n
-0001829843 00000 n
-0001829535 00000 n
-0001828656 00000 n
-0001829651 00000 n
-0001829779 00000 n
-0003671345 00000 n
-0001830858 00000 n
-0001830551 00000 n
-0001829959 00000 n
-0001830667 00000 n
-0001831927 00000 n
-0001831620 00000 n
-0001830974 00000 n
-0001831736 00000 n
-0001833006 00000 n
-0001832700 00000 n
-0001832043 00000 n
-0001832816 00000 n
-0001833403 00000 n
-0001833223 00000 n
-0001833122 00000 n
-0001833339 00000 n
-0001835405 00000 n
-0001835099 00000 n
-0001833445 00000 n
-0001835215 00000 n
-0001835341 00000 n
-0001837823 00000 n
-0001837516 00000 n
-0001835521 00000 n
-0001837632 00000 n
-0001837759 00000 n
-0003671470 00000 n
-0001840144 00000 n
-0001840631 00000 n
-0001839998 00000 n
-0001837939 00000 n
-0001840441 00000 n
-0001840567 00000 n
-0001840292 00000 n
-0001843025 00000 n
-0001842592 00000 n
-0001840761 00000 n
-0001842708 00000 n
-0001842835 00000 n
-0001842962 00000 n
-0001845328 00000 n
-0001845478 00000 n
-0001845709 00000 n
-0001845182 00000 n
-0001843155 00000 n
-0001845646 00000 n
-0003661865 00000 n
-0003661720 00000 n
-0001847190 00000 n
-0001847508 00000 n
-0001846946 00000 n
-0001845938 00000 n
-0001847062 00000 n
-0001847317 00000 n
-0001847444 00000 n
-0001849007 00000 n
-0001848701 00000 n
-0001847638 00000 n
-0001848817 00000 n
-0001848943 00000 n
-0001850261 00000 n
-0001850081 00000 n
-0001849137 00000 n
-0001850197 00000 n
-0003671595 00000 n
-0001851435 00000 n
-0001851256 00000 n
-0001850363 00000 n
-0001851372 00000 n
-0001852599 00000 n
-0001852419 00000 n
-0001851537 00000 n
-0001852535 00000 n
-0001854068 00000 n
-0001856988 00000 n
-0001854280 00000 n
-0001853931 00000 n
-0001852701 00000 n
-0001854217 00000 n
-0001881983 00000 n
-0001858047 00000 n
-0001857137 00000 n
-0001857444 00000 n
-0001857746 00000 n
-0001858426 00000 n
-0001856779 00000 n
-0001854396 00000 n
-0001858362 00000 n
-0001857291 00000 n
-0001857596 00000 n
-0001857896 00000 n
-0001858212 00000 n
-0001883367 00000 n
-0001888507 00000 n
-0001913762 00000 n
-0001914686 00000 n
-0001861168 00000 n
-0001861316 00000 n
-0001861531 00000 n
-0001860703 00000 n
-0001858612 00000 n
-0001861468 00000 n
-0001860867 00000 n
-0001861017 00000 n
-0001916244 00000 n
-0001863474 00000 n
-0001863294 00000 n
-0001861718 00000 n
-0001863410 00000 n
-0003671720 00000 n
-0001864721 00000 n
-0001864542 00000 n
-0001863590 00000 n
-0001864658 00000 n
-0001866542 00000 n
-0001866362 00000 n
-0001864837 00000 n
-0001866478 00000 n
-0001867795 00000 n
-0001867616 00000 n
-0001866658 00000 n
-0001867732 00000 n
-0001869599 00000 n
-0001869833 00000 n
-0001869462 00000 n
-0001867911 00000 n
-0001869769 00000 n
-0001872087 00000 n
-0001872296 00000 n
-0001871950 00000 n
-0001870005 00000 n
-0001872233 00000 n
-0001921771 00000 n
-0001875322 00000 n
-0001874694 00000 n
-0001872412 00000 n
-0001874810 00000 n
-0001874874 00000 n
-0001874938 00000 n
-0001875002 00000 n
-0001875066 00000 n
-0001875130 00000 n
-0001875194 00000 n
-0001875258 00000 n
-0003671845 00000 n
-0001877796 00000 n
-0001877617 00000 n
-0001875466 00000 n
-0001877733 00000 n
-0001880227 00000 n
-0001880460 00000 n
-0001880090 00000 n
-0001877926 00000 n
-0001880396 00000 n
-0001882047 00000 n
-0001881740 00000 n
-0001880618 00000 n
-0001881856 00000 n
-0001883431 00000 n
-0001883123 00000 n
-0001882163 00000 n
-0001883239 00000 n
-0001891059 00000 n
-0001888264 00000 n
-0001883547 00000 n
-0001888380 00000 n
-0001888571 00000 n
-0001888635 00000 n
-0001888699 00000 n
-0001888763 00000 n
-0001888827 00000 n
-0001888891 00000 n
-0001888955 00000 n
-0001889019 00000 n
-0001889082 00000 n
-0001889146 00000 n
-0001889209 00000 n
-0001889273 00000 n
-0001889335 00000 n
-0001889399 00000 n
-0001889463 00000 n
-0001889527 00000 n
-0001889591 00000 n
-0001889655 00000 n
-0001889719 00000 n
-0001889783 00000 n
-0001889847 00000 n
-0001889911 00000 n
-0001889975 00000 n
-0001890039 00000 n
-0001890103 00000 n
-0001890167 00000 n
-0001890231 00000 n
-0001890295 00000 n
-0001890359 00000 n
-0001890423 00000 n
-0001890487 00000 n
-0001890551 00000 n
-0001890615 00000 n
-0001890678 00000 n
-0001890742 00000 n
-0001890804 00000 n
-0001890868 00000 n
-0001890931 00000 n
-0001890995 00000 n
-0001896823 00000 n
-0001894343 00000 n
-0001891216 00000 n
-0001894459 00000 n
-0001894587 00000 n
-0001894651 00000 n
-0001894715 00000 n
-0001894779 00000 n
-0001894843 00000 n
-0001894906 00000 n
-0001894970 00000 n
-0001895033 00000 n
-0001895097 00000 n
-0001895160 00000 n
-0001895224 00000 n
-0001895288 00000 n
-0001895352 00000 n
-0001895416 00000 n
-0001895480 00000 n
-0001895544 00000 n
-0001895608 00000 n
-0001895672 00000 n
-0001895736 00000 n
-0001895800 00000 n
-0001895864 00000 n
-0001895928 00000 n
-0001895992 00000 n
-0001896056 00000 n
-0001896120 00000 n
-0001896184 00000 n
-0001896248 00000 n
-0001896312 00000 n
-0001896376 00000 n
-0001896440 00000 n
-0001896504 00000 n
-0001896568 00000 n
-0001896632 00000 n
-0001896696 00000 n
-0001896760 00000 n
-0003671970 00000 n
-0001902816 00000 n
-0001900274 00000 n
-0001896966 00000 n
-0001900390 00000 n
-0001900517 00000 n
-0001900581 00000 n
-0001900644 00000 n
-0001900708 00000 n
-0001900772 00000 n
-0001900836 00000 n
-0001900899 00000 n
-0001900963 00000 n
-0001901026 00000 n
-0001901090 00000 n
-0001901153 00000 n
-0001901217 00000 n
-0001901281 00000 n
-0001901345 00000 n
-0001901409 00000 n
-0001901473 00000 n
-0001901537 00000 n
-0001901601 00000 n
-0001901665 00000 n
-0001901729 00000 n
-0001901793 00000 n
-0001901857 00000 n
-0001901921 00000 n
-0001901985 00000 n
-0001902049 00000 n
-0001902113 00000 n
-0001902177 00000 n
-0001902241 00000 n
-0001902305 00000 n
-0001902369 00000 n
-0001902433 00000 n
-0001902497 00000 n
-0001902561 00000 n
-0001902625 00000 n
-0001902689 00000 n
-0001902752 00000 n
-0001908397 00000 n
-0001905981 00000 n
-0001902959 00000 n
-0001906097 00000 n
-0001906225 00000 n
-0001906289 00000 n
-0001906353 00000 n
-0001906417 00000 n
-0001906481 00000 n
-0001906544 00000 n
-0001906608 00000 n
-0001906671 00000 n
-0001906735 00000 n
-0001906798 00000 n
-0001906862 00000 n
-0001906926 00000 n
-0001906990 00000 n
-0001907054 00000 n
-0001907118 00000 n
-0001907182 00000 n
-0001907246 00000 n
-0001907310 00000 n
-0001907374 00000 n
-0001907438 00000 n
-0001907502 00000 n
-0001907566 00000 n
-0001907630 00000 n
-0001907694 00000 n
-0001907758 00000 n
-0001907822 00000 n
-0001907886 00000 n
-0001907950 00000 n
-0001908014 00000 n
-0001908078 00000 n
-0001908142 00000 n
-0001908206 00000 n
-0001908270 00000 n
-0001908334 00000 n
-0001912281 00000 n
-0001910570 00000 n
-0001908554 00000 n
-0001910686 00000 n
-0001910813 00000 n
-0001910877 00000 n
-0001910941 00000 n
-0001911005 00000 n
-0001911069 00000 n
-0001911133 00000 n
-0001911197 00000 n
-0001911261 00000 n
-0001911325 00000 n
-0001911389 00000 n
-0001911453 00000 n
-0001911517 00000 n
-0001911581 00000 n
-0001911644 00000 n
-0001911708 00000 n
-0001911771 00000 n
-0001911835 00000 n
-0001911897 00000 n
-0001911961 00000 n
-0001912025 00000 n
-0001912089 00000 n
-0001912153 00000 n
-0001912217 00000 n
-0001913826 00000 n
-0001913518 00000 n
-0001912396 00000 n
-0001913634 00000 n
-0001914750 00000 n
-0001914444 00000 n
-0001913942 00000 n
-0001914560 00000 n
-0001916308 00000 n
-0001916000 00000 n
-0001914866 00000 n
-0001916116 00000 n
-0003672095 00000 n
-0001917616 00000 n
-0001917309 00000 n
-0001916424 00000 n
-0001917425 00000 n
-0001917552 00000 n
-0001919061 00000 n
-0001918753 00000 n
-0001917732 00000 n
-0001918869 00000 n
-0001918997 00000 n
-0001920591 00000 n
-0001920284 00000 n
-0001919177 00000 n
-0001920400 00000 n
-0001920527 00000 n
-0001921835 00000 n
-0001921527 00000 n
-0001920707 00000 n
-0001921643 00000 n
-0001923147 00000 n
-0001922840 00000 n
-0001921951 00000 n
-0001922956 00000 n
-0001923083 00000 n
-0001924950 00000 n
-0001924642 00000 n
-0001923263 00000 n
-0001924758 00000 n
-0001924886 00000 n
-0003672220 00000 n
-0001926370 00000 n
-0001926063 00000 n
-0001925066 00000 n
-0001926179 00000 n
-0001926306 00000 n
-0001927595 00000 n
-0001927287 00000 n
-0001926486 00000 n
-0001927403 00000 n
-0001927531 00000 n
-0001928104 00000 n
-0001927925 00000 n
-0001927711 00000 n
-0001928395 00000 n
-0001928279 00000 n
-0001928178 00000 n
-0001929495 00000 n
-0001929061 00000 n
-0001928437 00000 n
-0001929177 00000 n
-0001929240 00000 n
-0001929367 00000 n
-0001929431 00000 n
-0001929892 00000 n
-0001929712 00000 n
-0001929611 00000 n
-0001929828 00000 n
-0003672345 00000 n
-0001931823 00000 n
-0001931517 00000 n
-0001929934 00000 n
-0001931633 00000 n
-0001931759 00000 n
-0001934473 00000 n
-0001934166 00000 n
-0001931939 00000 n
-0001934282 00000 n
-0001934409 00000 n
-0001936742 00000 n
-0001936563 00000 n
-0001934631 00000 n
-0001936679 00000 n
-0001938959 00000 n
-0001938779 00000 n
-0001936844 00000 n
-0001938895 00000 n
-0001941277 00000 n
-0001940971 00000 n
-0001939061 00000 n
-0001941087 00000 n
-0001941213 00000 n
-0001943936 00000 n
-0001943631 00000 n
-0001941393 00000 n
-0001943747 00000 n
-0001943874 00000 n
-0003672470 00000 n
-0001946258 00000 n
-0001945952 00000 n
-0001944052 00000 n
-0001946068 00000 n
-0001946194 00000 n
-0001948489 00000 n
-0001948705 00000 n
-0001948352 00000 n
-0001946374 00000 n
-0001948641 00000 n
-0001965419 00000 n
-0001951113 00000 n
-0001950934 00000 n
-0001948835 00000 n
-0001951050 00000 n
-0001953708 00000 n
-0001953908 00000 n
-0001954176 00000 n
-0001953562 00000 n
-0001951215 00000 n
-0001954112 00000 n
-0001956589 00000 n
-0001956410 00000 n
-0001954348 00000 n
-0001956526 00000 n
-0001961705 00000 n
-0001959039 00000 n
-0001958733 00000 n
-0001956691 00000 n
-0001958849 00000 n
-0001958976 00000 n
-0003672595 00000 n
-0001961884 00000 n
-0001962341 00000 n
-0001962597 00000 n
-0001961541 00000 n
-0001959155 00000 n
-0001962534 00000 n
-0001962113 00000 n
-0001964855 00000 n
-0001965610 00000 n
-0001964709 00000 n
-0001962783 00000 n
-0001965292 00000 n
-0001965546 00000 n
-0001965073 00000 n
-0001968777 00000 n
-0001968024 00000 n
-0001965782 00000 n
-0001968140 00000 n
-0001968203 00000 n
-0001968267 00000 n
-0001968330 00000 n
-0001968394 00000 n
-0001968458 00000 n
-0001968522 00000 n
-0001968586 00000 n
-0001968713 00000 n
-0001971049 00000 n
-0001970486 00000 n
-0001968921 00000 n
-0001970602 00000 n
-0001970666 00000 n
-0001970730 00000 n
-0001970794 00000 n
-0001970858 00000 n
-0001970985 00000 n
-0001973313 00000 n
-0001973134 00000 n
-0001971179 00000 n
-0001973250 00000 n
-0001975315 00000 n
-0001975135 00000 n
-0001973528 00000 n
-0001975251 00000 n
-0003672720 00000 n
-0001977850 00000 n
-0001977544 00000 n
-0001975431 00000 n
-0001977660 00000 n
-0001977786 00000 n
-0001980847 00000 n
-0001980222 00000 n
-0001977994 00000 n
-0001980338 00000 n
-0001980465 00000 n
-0001980529 00000 n
-0001980593 00000 n
-0001980657 00000 n
-0001980720 00000 n
-0001980783 00000 n
-0001983069 00000 n
-0001982763 00000 n
-0001980977 00000 n
-0001982879 00000 n
-0001982942 00000 n
-0001983006 00000 n
-0001985463 00000 n
-0001984965 00000 n
-0001983185 00000 n
-0001985081 00000 n
-0001985145 00000 n
-0001985209 00000 n
-0001985272 00000 n
-0001985399 00000 n
-0001988650 00000 n
-0001987898 00000 n
-0001985593 00000 n
-0001988014 00000 n
-0001988140 00000 n
-0001988204 00000 n
-0001988268 00000 n
-0001988332 00000 n
-0001988394 00000 n
-0001988458 00000 n
-0001988522 00000 n
-0001988586 00000 n
-0001991779 00000 n
-0001991026 00000 n
-0001988794 00000 n
-0001991142 00000 n
-0001991269 00000 n
-0001991333 00000 n
-0001991397 00000 n
-0001991460 00000 n
-0001991587 00000 n
-0001991651 00000 n
-0001991715 00000 n
-0003672845 00000 n
-0001993147 00000 n
-0001992904 00000 n
-0001991923 00000 n
-0001993020 00000 n
-0001993083 00000 n
-0001995752 00000 n
-0001995381 00000 n
-0001993263 00000 n
-0001995497 00000 n
-0001995561 00000 n
-0001995688 00000 n
-0001998046 00000 n
-0001997676 00000 n
-0001995896 00000 n
-0001997792 00000 n
-0001997918 00000 n
-0001997982 00000 n
-0002000511 00000 n
-0002000331 00000 n
-0001998204 00000 n
-0002000447 00000 n
-0002002090 00000 n
-0002001911 00000 n
-0002000655 00000 n
-0002002027 00000 n
-0002002529 00000 n
-0002002349 00000 n
-0002002248 00000 n
-0002002465 00000 n
-0003672970 00000 n
-0002004560 00000 n
-0002004127 00000 n
-0002002571 00000 n
-0002004243 00000 n
-0002004369 00000 n
-0002004496 00000 n
-0002007041 00000 n
-0002006734 00000 n
-0002004676 00000 n
-0002006850 00000 n
-0002006977 00000 n
-0002009309 00000 n
-0002008876 00000 n
-0002007157 00000 n
-0002008992 00000 n
-0002009118 00000 n
-0002009245 00000 n
-0002011381 00000 n
-0002010948 00000 n
-0002009439 00000 n
-0002011064 00000 n
-0002011191 00000 n
-0002011317 00000 n
-0002013071 00000 n
-0002012765 00000 n
-0002011511 00000 n
-0002012881 00000 n
-0002013007 00000 n
-0002015723 00000 n
-0002016355 00000 n
-0002015577 00000 n
-0002013258 00000 n
-0002016036 00000 n
-0002016163 00000 n
-0002016227 00000 n
-0002015880 00000 n
-0002016291 00000 n
-0003673095 00000 n
-0002018000 00000 n
-0002018191 00000 n
-0002017693 00000 n
-0002016485 00000 n
-0002017809 00000 n
-0002017872 00000 n
-0002018127 00000 n
-0002020535 00000 n
-0002020702 00000 n
-0002020380 00000 n
-0002021199 00000 n
-0002020225 00000 n
-0002018321 00000 n
-0002020879 00000 n
-0002020943 00000 n
-0002021007 00000 n
-0002021071 00000 n
-0002021135 00000 n
-0002028236 00000 n
-0002022788 00000 n
-0002022481 00000 n
-0002021371 00000 n
-0002022597 00000 n
-0002022660 00000 n
-0002022724 00000 n
-0002024492 00000 n
-0002024905 00000 n
-0002024355 00000 n
-0002022904 00000 n
-0002024650 00000 n
-0002024714 00000 n
-0002024841 00000 n
-0002029516 00000 n
-0002029898 00000 n
-0002027993 00000 n
-0002025035 00000 n
-0002028109 00000 n
-0002028300 00000 n
-0002028364 00000 n
-0002028428 00000 n
-0002028492 00000 n
-0002028556 00000 n
-0002028620 00000 n
-0002028684 00000 n
-0002028748 00000 n
-0002028812 00000 n
-0002028876 00000 n
-0002028940 00000 n
-0002029004 00000 n
-0002029068 00000 n
-0002029132 00000 n
-0002029196 00000 n
-0002029260 00000 n
-0002029324 00000 n
-0002029388 00000 n
-0002029643 00000 n
-0002029770 00000 n
-0002029834 00000 n
-0002031598 00000 n
-0002031751 00000 n
-0002032414 00000 n
-0002031452 00000 n
-0002030083 00000 n
-0002031902 00000 n
-0002031966 00000 n
-0002032030 00000 n
-0002032094 00000 n
-0002032158 00000 n
-0002032222 00000 n
-0002032286 00000 n
-0002032350 00000 n
-0003673220 00000 n
-0002034277 00000 n
-0002034404 00000 n
-0002034594 00000 n
-0002034034 00000 n
-0002032530 00000 n
-0002034150 00000 n
-0002034530 00000 n
-0002037339 00000 n
-0002036969 00000 n
-0002034724 00000 n
-0002037085 00000 n
-0002037212 00000 n
-0002037276 00000 n
-0002039809 00000 n
-0002039630 00000 n
-0002037469 00000 n
-0002039746 00000 n
-0002040997 00000 n
-0002040817 00000 n
-0002039939 00000 n
-0002040933 00000 n
-0002042903 00000 n
-0002042471 00000 n
-0002041099 00000 n
-0002042587 00000 n
-0002042713 00000 n
-0002042839 00000 n
-0002045387 00000 n
-0002046049 00000 n
-0002045241 00000 n
-0002043019 00000 n
-0002045858 00000 n
-0002045985 00000 n
-0002045622 00000 n
-0003673345 00000 n
-0002048932 00000 n
-0002048625 00000 n
-0002046235 00000 n
-0002048741 00000 n
-0002048868 00000 n
-0002051823 00000 n
-0002051262 00000 n
-0002049048 00000 n
-0002051378 00000 n
-0002051505 00000 n
-0002051632 00000 n
-0002051759 00000 n
-0002053833 00000 n
-0002054321 00000 n
-0002053687 00000 n
-0002051967 00000 n
-0002054132 00000 n
-0002054258 00000 n
-0002053982 00000 n
-0002838818 00000 n
-0002056630 00000 n
-0002057096 00000 n
-0002056493 00000 n
-0002054536 00000 n
-0002056780 00000 n
-0002056905 00000 n
-0002057032 00000 n
-0002059009 00000 n
-0002058830 00000 n
-0002057283 00000 n
-0002058946 00000 n
-0002061298 00000 n
-0002061515 00000 n
-0002061161 00000 n
-0002059125 00000 n
-0002061451 00000 n
-0003673470 00000 n
-0002815866 00000 n
-0002064057 00000 n
-0002063498 00000 n
-0002061645 00000 n
-0002063614 00000 n
-0002063740 00000 n
-0002063867 00000 n
-0002063993 00000 n
-0002066738 00000 n
-0002066177 00000 n
-0002064173 00000 n
-0002066293 00000 n
-0002066420 00000 n
-0002066547 00000 n
-0002066674 00000 n
-0002069434 00000 n
-0002069128 00000 n
-0002066868 00000 n
-0002069244 00000 n
-0002069370 00000 n
-0002071756 00000 n
-0002071449 00000 n
-0002069550 00000 n
-0002071565 00000 n
-0002071692 00000 n
-0002072937 00000 n
-0002072758 00000 n
-0002071914 00000 n
-0002072874 00000 n
-0002073320 00000 n
-0002073140 00000 n
-0002073039 00000 n
-0002073256 00000 n
-0003673595 00000 n
-0002075248 00000 n
-0002074942 00000 n
-0002073362 00000 n
-0002075058 00000 n
-0002075184 00000 n
-0002077810 00000 n
-0002077989 00000 n
-0002078171 00000 n
-0002078535 00000 n
-0002077655 00000 n
-0002075364 00000 n
-0002078345 00000 n
-0002078472 00000 n
-0002080741 00000 n
-0002081119 00000 n
-0002080604 00000 n
-0002078721 00000 n
-0002080929 00000 n
-0002081055 00000 n
-0002082280 00000 n
-0002082100 00000 n
-0002081305 00000 n
-0002082216 00000 n
-0002083989 00000 n
-0002086328 00000 n
-0002118190 00000 n
-0002120969 00000 n
-0002084648 00000 n
-0002083852 00000 n
-0002082382 00000 n
-0002084140 00000 n
-0002084457 00000 n
-0002084520 00000 n
-0002084584 00000 n
-0002118926 00000 n
-0002118342 00000 n
-0002152494 00000 n
-0002118646 00000 n
-0002165319 00000 n
-0002150813 00000 n
-0002180595 00000 n
-0002119245 00000 n
-0002086164 00000 n
-0002084764 00000 n
-0002118798 00000 n
-0002118990 00000 n
-0002119054 00000 n
-0002118494 00000 n
-0002119118 00000 n
-0002119181 00000 n
-0003673720 00000 n
-0002151244 00000 n
-0002178402 00000 n
-0002178530 00000 n
-0002150965 00000 n
-0002151372 00000 n
-0002120823 00000 n
-0002119399 00000 n
-0002151117 00000 n
-0002151308 00000 n
-0002200434 00000 n
-0002178594 00000 n
-0002152378 00000 n
-0002151526 00000 n
-0002178274 00000 n
-0002200625 00000 n
-0002180479 00000 n
-0002178749 00000 n
-0002200307 00000 n
-0002200561 00000 n
-0002202788 00000 n
-0002202608 00000 n
-0002200793 00000 n
-0002202724 00000 n
-0002204109 00000 n
-0002203930 00000 n
-0002202904 00000 n
-0002204046 00000 n
-0002206446 00000 n
-0002206787 00000 n
-0002206309 00000 n
-0002204225 00000 n
-0002206596 00000 n
-0002206723 00000 n
-0003673845 00000 n
-0002824420 00000 n
-0002208938 00000 n
-0002209094 00000 n
-0002209246 00000 n
-0002209550 00000 n
-0002210273 00000 n
-0002208765 00000 n
-0002206931 00000 n
-0002209702 00000 n
-0002209828 00000 n
-0002209955 00000 n
-0002210082 00000 n
-0002209398 00000 n
-0002210209 00000 n
-0002825918 00000 n
-0002212197 00000 n
-0002212359 00000 n
-0002212521 00000 n
-0002212683 00000 n
-0002212842 00000 n
-0002213513 00000 n
-0002212024 00000 n
-0002210403 00000 n
-0002213001 00000 n
-0002213257 00000 n
-0002213321 00000 n
-0002213385 00000 n
-0002213449 00000 n
-0002830071 00000 n
-0002831436 00000 n
-0002832934 00000 n
-0002834112 00000 n
-0002835230 00000 n
-0002215108 00000 n
-0002214866 00000 n
-0002213643 00000 n
-0002214982 00000 n
-0002215045 00000 n
-0002216461 00000 n
-0002216217 00000 n
-0002215224 00000 n
-0002216333 00000 n
-0002216397 00000 n
-0002218006 00000 n
-0002217699 00000 n
-0002216577 00000 n
-0002217815 00000 n
-0002217878 00000 n
-0002217942 00000 n
-0002219548 00000 n
-0002219924 00000 n
-0002219411 00000 n
-0002218122 00000 n
-0002219732 00000 n
-0002219860 00000 n
-0003673970 00000 n
-0002221802 00000 n
-0002222033 00000 n
-0002221665 00000 n
-0002220110 00000 n
-0002221970 00000 n
-0002223605 00000 n
-0002227376 00000 n
-0002224073 00000 n
-0002223468 00000 n
-0002222205 00000 n
-0002223754 00000 n
-0002223818 00000 n
-0002223882 00000 n
-0002223946 00000 n
-0002224010 00000 n
-0002836591 00000 n
-0002226769 00000 n
-0002226917 00000 n
-0002229305 00000 n
-0002306934 00000 n
-0002227070 00000 n
-0002309272 00000 n
-0002227224 00000 n
-0002227672 00000 n
-0002226580 00000 n
-0002224189 00000 n
-0002227545 00000 n
-0002227608 00000 n
-0002836718 00000 n
-0002307443 00000 n
-0002383479 00000 n
-0002476992 00000 n
-0002384746 00000 n
-0002307006 00000 n
-0002307158 00000 n
-0002478598 00000 n
-0002565441 00000 n
-0002383050 00000 n
-0002307507 00000 n
-0002229143 00000 n
-0002227858 00000 n
-0002307315 00000 n
-0002306002 00000 n
-0002563600 00000 n
-0002641057 00000 n
-0002642588 00000 n
-0002383543 00000 n
-0002309110 00000 n
-0002307661 00000 n
-0002383352 00000 n
-0002383202 00000 n
-0002721450 00000 n
-0002562957 00000 n
-0002477184 00000 n
-0002384614 00000 n
-0002383683 00000 n
-0002476864 00000 n
-0002477120 00000 n
-0003674095 00000 n
-0002475857 00000 n
-0002722606 00000 n
-0002563110 00000 n
-0002563284 00000 n
-0002563664 00000 n
-0002478427 00000 n
-0002477338 00000 n
-0002563473 00000 n
-0002562102 00000 n
-0002813899 00000 n
-0002641249 00000 n
-0002565309 00000 n
-0002563860 00000 n
-0002640929 00000 n
-0002640183 00000 n
-0002721514 00000 n
-0002642456 00000 n
-0002641417 00000 n
-0002721323 00000 n
-0002720597 00000 n
-0002813963 00000 n
-0002722490 00000 n
-0002721668 00000 n
-0002813771 00000 n
-0002815930 00000 n
-0002815623 00000 n
-0002814117 00000 n
-0002815739 00000 n
-0002820837 00000 n
-0002821044 00000 n
-0002818198 00000 n
-0002817890 00000 n
-0002816060 00000 n
-0002818006 00000 n
-0002818134 00000 n
-0003674220 00000 n
-0002821250 00000 n
-0002821761 00000 n
-0002820682 00000 n
-0002818342 00000 n
-0002821443 00000 n
-0002821570 00000 n
-0002821697 00000 n
-0002823328 00000 n
-0002823148 00000 n
-0002821947 00000 n
-0002823264 00000 n
-0002824484 00000 n
-0002824177 00000 n
-0002823444 00000 n
-0002824293 00000 n
-0002825982 00000 n
-0002825674 00000 n
-0002824600 00000 n
-0002825790 00000 n
-0002827300 00000 n
-0002826865 00000 n
-0002826098 00000 n
-0002826981 00000 n
-0002828764 00000 n
-0002828456 00000 n
-0002827416 00000 n
-0002828572 00000 n
-0003674345 00000 n
-0002830135 00000 n
-0002829828 00000 n
-0002828880 00000 n
-0002829944 00000 n
-0002831500 00000 n
-0002831192 00000 n
-0002830251 00000 n
-0002831308 00000 n
-0002832997 00000 n
-0002832691 00000 n
-0002831616 00000 n
-0002832807 00000 n
-0002834176 00000 n
-0002833868 00000 n
-0002833113 00000 n
-0002833984 00000 n
-0002835294 00000 n
-0002834987 00000 n
-0002834292 00000 n
-0002835103 00000 n
-0002836782 00000 n
-0002836348 00000 n
-0002835410 00000 n
-0002836464 00000 n
-0003674470 00000 n
-0002841390 00000 n
-0002839010 00000 n
-0002838575 00000 n
-0002836898 00000 n
-0002838691 00000 n
-0002838946 00000 n
-0002841561 00000 n
-0002841810 00000 n
-0002841244 00000 n
-0002839126 00000 n
-0002841746 00000 n
-0002844140 00000 n
-0002844293 00000 n
-0002844636 00000 n
-0002843994 00000 n
-0002842039 00000 n
-0002844445 00000 n
-0002844572 00000 n
-0003021130 00000 n
-0003023390 00000 n
-0002847380 00000 n
-0002846688 00000 n
-0002844766 00000 n
-0002846804 00000 n
-0002846932 00000 n
-0002846996 00000 n
-0002847060 00000 n
-0002847124 00000 n
-0002847188 00000 n
-0002847316 00000 n
-0002850074 00000 n
-0002849511 00000 n
-0002847524 00000 n
-0002849627 00000 n
-0002849754 00000 n
-0002849818 00000 n
-0002849882 00000 n
-0002849946 00000 n
-0002850010 00000 n
-0002852301 00000 n
-0002852615 00000 n
-0002852767 00000 n
-0002854389 00000 n
-0002883722 00000 n
-0002852919 00000 n
-0002853583 00000 n
-0002852128 00000 n
-0002850218 00000 n
-0002853073 00000 n
-0002853137 00000 n
-0002853201 00000 n
-0002853265 00000 n
-0002853328 00000 n
-0002852458 00000 n
-0002853391 00000 n
-0002853519 00000 n
-0003674595 00000 n
-0002908842 00000 n
-0002882364 00000 n
-0002908714 00000 n
-0002911717 00000 n
-0002882428 00000 n
-0002854273 00000 n
-0002853699 00000 n
-0002882237 00000 n
-0002909033 00000 n
-0002883606 00000 n
-0002882568 00000 n
-0002908586 00000 n
-0002908906 00000 n
-0002908969 00000 n
-0002912100 00000 n
-0002911474 00000 n
-0002909201 00000 n
-0002911590 00000 n
-0002911781 00000 n
-0002911845 00000 n
-0002911909 00000 n
-0002911973 00000 n
-0002912037 00000 n
-0002914187 00000 n
-0002914340 00000 n
-0002919420 00000 n
-0002915098 00000 n
-0002914032 00000 n
-0002912230 00000 n
-0002914651 00000 n
-0002914715 00000 n
-0002914779 00000 n
-0002914907 00000 n
-0002914496 00000 n
-0002915035 00000 n
-0002917883 00000 n
-0002942694 00000 n
-0002918266 00000 n
-0002917640 00000 n
-0002915214 00000 n
-0002917756 00000 n
-0002917947 00000 n
-0002918011 00000 n
-0002918075 00000 n
-0002918138 00000 n
-0002918202 00000 n
-0002942950 00000 n
-0002919304 00000 n
-0002918438 00000 n
-0002942566 00000 n
-0002942758 00000 n
-0002942822 00000 n
-0002942886 00000 n
-0003674720 00000 n
-0002945611 00000 n
-0002947539 00000 n
-0002961865 00000 n
-0002946082 00000 n
-0002945474 00000 n
-0002943118 00000 n
-0002945763 00000 n
-0002945826 00000 n
-0002945890 00000 n
-0002946018 00000 n
-0002962148 00000 n
-0002963674 00000 n
-0002962212 00000 n
-0002947402 00000 n
-0002946282 00000 n
-0002962020 00000 n
-0002978509 00000 n
-0002978701 00000 n
-0002963558 00000 n
-0002962366 00000 n
-0002978382 00000 n
-0002978637 00000 n
-0002981838 00000 n
-0002980954 00000 n
-0002978869 00000 n
-0002981070 00000 n
-0002981134 00000 n
-0002981198 00000 n
-0002981262 00000 n
-0002981326 00000 n
-0002981390 00000 n
-0002981454 00000 n
-0002981518 00000 n
-0002981582 00000 n
-0002981646 00000 n
-0002981710 00000 n
-0002981774 00000 n
-0002984091 00000 n
-0002984241 00000 n
-0002986257 00000 n
-0003002583 00000 n
-0002984990 00000 n
-0002983936 00000 n
-0002981982 00000 n
-0002984543 00000 n
-0002984606 00000 n
-0002984670 00000 n
-0002984734 00000 n
-0002984798 00000 n
-0002984862 00000 n
-0002984392 00000 n
-0002984926 00000 n
-0003001179 00000 n
-0003018359 00000 n
-0003001371 00000 n
-0002986141 00000 n
-0002985120 00000 n
-0003001051 00000 n
-0003001307 00000 n
-0003674845 00000 n
-0003018551 00000 n
-0003002467 00000 n
-0003001539 00000 n
-0003018232 00000 n
-0003018487 00000 n
-0003020792 00000 n
-0003021322 00000 n
-0003020655 00000 n
-0003018719 00000 n
-0003021002 00000 n
-0003021258 00000 n
-0003023518 00000 n
-0003023147 00000 n
-0003021550 00000 n
-0003023263 00000 n
-0003023454 00000 n
-0003026163 00000 n
-0003025983 00000 n
-0003023676 00000 n
-0003026099 00000 n
-0003028560 00000 n
-0003028381 00000 n
-0003026321 00000 n
-0003028497 00000 n
-0003030684 00000 n
-0003030504 00000 n
-0003028761 00000 n
-0003030620 00000 n
-0003674970 00000 n
-0003032358 00000 n
-0003032939 00000 n
-0003032212 00000 n
-0003030828 00000 n
-0003032685 00000 n
-0003032812 00000 n
-0003032521 00000 n
-0003032875 00000 n
-0003035463 00000 n
-0003035283 00000 n
-0003033097 00000 n
-0003035399 00000 n
-0003037538 00000 n
-0003037231 00000 n
-0003035565 00000 n
-0003037347 00000 n
-0003037410 00000 n
-0003037474 00000 n
-0003039934 00000 n
-0003039691 00000 n
-0003037640 00000 n
-0003039807 00000 n
-0003039871 00000 n
-0003042220 00000 n
-0003041977 00000 n
-0003040050 00000 n
-0003042093 00000 n
-0003042156 00000 n
-0003044355 00000 n
-0003044048 00000 n
-0003042322 00000 n
-0003044164 00000 n
-0003044228 00000 n
-0003044291 00000 n
-0003675095 00000 n
-0003046863 00000 n
-0003046365 00000 n
-0003044471 00000 n
-0003046481 00000 n
-0003046544 00000 n
-0003046608 00000 n
-0003046672 00000 n
-0003046736 00000 n
-0003046800 00000 n
-0003049558 00000 n
-0003049058 00000 n
-0003046965 00000 n
-0003049174 00000 n
-0003049238 00000 n
-0003049302 00000 n
-0003049366 00000 n
-0003049430 00000 n
-0003049494 00000 n
-0003052053 00000 n
-0003051810 00000 n
-0003049674 00000 n
-0003051926 00000 n
-0003051989 00000 n
-0003054394 00000 n
-0003054150 00000 n
-0003052141 00000 n
-0003054266 00000 n
-0003054330 00000 n
-0003057000 00000 n
-0003056438 00000 n
-0003054510 00000 n
-0003056554 00000 n
-0003056617 00000 n
-0003056681 00000 n
-0003056745 00000 n
-0003056809 00000 n
-0003056873 00000 n
-0003056936 00000 n
-0003059320 00000 n
-0003059012 00000 n
-0003057088 00000 n
-0003059128 00000 n
-0003059192 00000 n
-0003059256 00000 n
-0003675220 00000 n
-0003061554 00000 n
-0003061247 00000 n
-0003059436 00000 n
-0003061363 00000 n
-0003061426 00000 n
-0003061490 00000 n
-0003064102 00000 n
-0003063922 00000 n
-0003061656 00000 n
-0003064038 00000 n
-0003066432 00000 n
-0003066189 00000 n
-0003064204 00000 n
-0003066305 00000 n
-0003066368 00000 n
-0003068691 00000 n
-0003068384 00000 n
-0003066534 00000 n
-0003068500 00000 n
-0003068564 00000 n
-0003068627 00000 n
-0003070718 00000 n
-0003070347 00000 n
-0003068807 00000 n
-0003070463 00000 n
-0003070526 00000 n
-0003070590 00000 n
-0003070654 00000 n
-0003072848 00000 n
-0003072541 00000 n
-0003070820 00000 n
-0003072657 00000 n
-0003072721 00000 n
-0003675345 00000 n
-0003074665 00000 n
-0003074842 00000 n
-0003075297 00000 n
-0003074510 00000 n
-0003072978 00000 n
-0003075234 00000 n
-0003075038 00000 n
-0003075694 00000 n
-0003075514 00000 n
-0003075413 00000 n
-0003075630 00000 n
-0003077655 00000 n
-0003078017 00000 n
-0003077518 00000 n
-0003075736 00000 n
-0003077826 00000 n
-0003077953 00000 n
-0003080258 00000 n
-0003080078 00000 n
-0003078189 00000 n
-0003080194 00000 n
-0003082565 00000 n
-0003082386 00000 n
-0003080374 00000 n
-0003082502 00000 n
-0003084751 00000 n
-0003084571 00000 n
-0003082681 00000 n
-0003084687 00000 n
-0003675470 00000 n
-0003086414 00000 n
-0003086650 00000 n
-0003086277 00000 n
-0003084867 00000 n
-0003086587 00000 n
-0003087103 00000 n
-0003086923 00000 n
-0003086822 00000 n
-0003087039 00000 n
-0003090148 00000 n
-0003090300 00000 n
-0003090451 00000 n
-0003090602 00000 n
-0003090753 00000 n
-0003090904 00000 n
-0003091055 00000 n
-0003091206 00000 n
-0003091357 00000 n
-0003091508 00000 n
-0003091659 00000 n
-0003091810 00000 n
-0003091960 00000 n
-0003092110 00000 n
-0003092260 00000 n
-0003092410 00000 n
-0003092561 00000 n
-0003092710 00000 n
-0003092861 00000 n
-0003093012 00000 n
-0003093163 00000 n
-0003093313 00000 n
-0003093463 00000 n
-0003093615 00000 n
-0003093767 00000 n
-0003093919 00000 n
-0003094071 00000 n
-0003094223 00000 n
-0003094374 00000 n
-0003094525 00000 n
-0003094676 00000 n
-0003094827 00000 n
-0003094979 00000 n
-0003095129 00000 n
-0003095280 00000 n
-0003095431 00000 n
-0003095582 00000 n
-0003095733 00000 n
-0003095884 00000 n
-0003096036 00000 n
-0003096188 00000 n
-0003096337 00000 n
-0003096488 00000 n
-0003096639 00000 n
-0003096790 00000 n
-0003096941 00000 n
-0003097091 00000 n
-0003097243 00000 n
-0003097395 00000 n
-0003097546 00000 n
-0003097698 00000 n
-0003097850 00000 n
-0003098002 00000 n
-0003098154 00000 n
-0003098306 00000 n
-0003098457 00000 n
-0003098608 00000 n
-0003098758 00000 n
-0003098908 00000 n
-0003099058 00000 n
-0003099209 00000 n
-0003099360 00000 n
-0003099510 00000 n
-0003099661 00000 n
-0003099812 00000 n
-0003099963 00000 n
-0003100114 00000 n
-0003100265 00000 n
-0003100416 00000 n
-0003100568 00000 n
-0003100720 00000 n
-0003100872 00000 n
-0003101024 00000 n
-0003101175 00000 n
-0003101327 00000 n
-0003101478 00000 n
-0003101628 00000 n
-0003101780 00000 n
-0003101932 00000 n
-0003102084 00000 n
-0003102236 00000 n
-0003102388 00000 n
-0003102539 00000 n
-0003102690 00000 n
-0003102841 00000 n
-0003102993 00000 n
-0003103144 00000 n
-0003103296 00000 n
-0003103448 00000 n
-0003103600 00000 n
-0003103751 00000 n
-0003103902 00000 n
-0003104054 00000 n
-0003104205 00000 n
-0003104355 00000 n
-0003104506 00000 n
-0003104658 00000 n
-0003104810 00000 n
-0003104962 00000 n
-0003105111 00000 n
-0003105263 00000 n
-0003105414 00000 n
-0003105565 00000 n
-0003105717 00000 n
-0003105867 00000 n
-0003106019 00000 n
-0003106171 00000 n
-0003106322 00000 n
-0003106473 00000 n
-0003106625 00000 n
-0003106776 00000 n
-0003106927 00000 n
-0003107078 00000 n
-0003107228 00000 n
-0003107380 00000 n
-0003107532 00000 n
-0003107684 00000 n
-0003107836 00000 n
-0003107987 00000 n
-0003108139 00000 n
-0003108291 00000 n
-0003108443 00000 n
-0003108595 00000 n
-0003108746 00000 n
-0003108897 00000 n
-0003109048 00000 n
-0003109199 00000 n
-0003109351 00000 n
-0003109502 00000 n
-0003109654 00000 n
-0003109805 00000 n
-0003109957 00000 n
-0003110105 00000 n
-0003110257 00000 n
-0003110408 00000 n
-0003110560 00000 n
-0003110712 00000 n
-0003110864 00000 n
-0003111016 00000 n
-0003111168 00000 n
-0003111319 00000 n
-0003111470 00000 n
-0003111621 00000 n
-0003111773 00000 n
-0003111925 00000 n
-0003115200 00000 n
-0003115352 00000 n
-0003115504 00000 n
-0003112140 00000 n
-0003088715 00000 n
-0003087145 00000 n
-0003112077 00000 n
-0003115656 00000 n
-0003115808 00000 n
-0003115959 00000 n
-0003116111 00000 n
-0003116262 00000 n
-0003116412 00000 n
-0003116561 00000 n
-0003116711 00000 n
-0003116861 00000 n
-0003117011 00000 n
-0003117161 00000 n
-0003117311 00000 n
-0003117461 00000 n
-0003117611 00000 n
-0003117761 00000 n
-0003117912 00000 n
-0003118064 00000 n
-0003118216 00000 n
-0003118368 00000 n
-0003118519 00000 n
-0003118670 00000 n
-0003118821 00000 n
-0003118972 00000 n
-0003119123 00000 n
-0003119275 00000 n
-0003119426 00000 n
-0003119578 00000 n
-0003119728 00000 n
-0003119880 00000 n
-0003120032 00000 n
-0003120184 00000 n
-0003120336 00000 n
-0003120488 00000 n
-0003120639 00000 n
-0003120790 00000 n
-0003120941 00000 n
-0003121092 00000 n
-0003121244 00000 n
-0003121396 00000 n
-0003121548 00000 n
-0003121699 00000 n
-0003121850 00000 n
-0003122002 00000 n
-0003122154 00000 n
-0003122305 00000 n
-0003122456 00000 n
-0003122607 00000 n
-0003122758 00000 n
-0003122910 00000 n
-0003123061 00000 n
-0003123212 00000 n
-0003123363 00000 n
-0003123513 00000 n
-0003123663 00000 n
-0003123815 00000 n
-0003123965 00000 n
-0003124117 00000 n
-0003124268 00000 n
-0003124420 00000 n
-0003124571 00000 n
-0003124723 00000 n
-0003124875 00000 n
-0003125026 00000 n
-0003125177 00000 n
-0003125329 00000 n
-0003125479 00000 n
-0003125630 00000 n
-0003125780 00000 n
-0003125932 00000 n
-0003126083 00000 n
-0003126234 00000 n
-0003126385 00000 n
-0003126536 00000 n
-0003126688 00000 n
-0003126840 00000 n
-0003126992 00000 n
-0003127142 00000 n
-0003127293 00000 n
-0003127445 00000 n
-0003127597 00000 n
-0003127749 00000 n
-0003127899 00000 n
-0003128050 00000 n
-0003128202 00000 n
-0003128353 00000 n
-0003128504 00000 n
-0003128656 00000 n
-0003128808 00000 n
-0003128960 00000 n
-0003129112 00000 n
-0003129264 00000 n
-0003129416 00000 n
-0003129568 00000 n
-0003129720 00000 n
-0003129872 00000 n
-0003130023 00000 n
-0003130175 00000 n
-0003130327 00000 n
-0003130479 00000 n
-0003130631 00000 n
-0003130781 00000 n
-0003130933 00000 n
-0003131085 00000 n
-0003131237 00000 n
-0003131389 00000 n
-0003131541 00000 n
-0003131693 00000 n
-0003131844 00000 n
-0003131996 00000 n
-0003132148 00000 n
-0003132299 00000 n
-0003132451 00000 n
-0003132603 00000 n
-0003132755 00000 n
-0003132907 00000 n
-0003133057 00000 n
-0003133208 00000 n
-0003133360 00000 n
-0003133512 00000 n
-0003133664 00000 n
-0003133815 00000 n
-0003133966 00000 n
-0003134117 00000 n
-0003134268 00000 n
-0003134420 00000 n
-0003134572 00000 n
-0003134723 00000 n
-0003134874 00000 n
-0003135026 00000 n
-0003137888 00000 n
-0003138040 00000 n
-0003135241 00000 n
-0003113884 00000 n
-0003112256 00000 n
-0003135177 00000 n
-0003138191 00000 n
-0003138343 00000 n
-0003138495 00000 n
-0003138646 00000 n
-0003138798 00000 n
-0003138950 00000 n
-0003139102 00000 n
-0003139254 00000 n
-0003139406 00000 n
-0003139558 00000 n
-0003139710 00000 n
-0003139862 00000 n
-0003140013 00000 n
-0003140164 00000 n
-0003140315 00000 n
-0003140467 00000 n
-0003140619 00000 n
-0003140771 00000 n
-0003140923 00000 n
-0003141074 00000 n
-0003141226 00000 n
-0003141377 00000 n
-0003141528 00000 n
-0003141680 00000 n
-0003141832 00000 n
-0003141982 00000 n
-0003142132 00000 n
-0003142283 00000 n
-0003142432 00000 n
-0003142584 00000 n
-0003142734 00000 n
-0003142884 00000 n
-0003143034 00000 n
-0003143185 00000 n
-0003143335 00000 n
-0003143486 00000 n
-0003143638 00000 n
-0003143790 00000 n
-0003143942 00000 n
-0003144093 00000 n
-0003144245 00000 n
-0003144397 00000 n
-0003144549 00000 n
-0003144701 00000 n
-0003144853 00000 n
-0003145005 00000 n
-0003145157 00000 n
-0003145309 00000 n
-0003145461 00000 n
-0003145612 00000 n
-0003145764 00000 n
-0003145915 00000 n
-0003146066 00000 n
-0003146218 00000 n
-0003146369 00000 n
-0003146520 00000 n
-0003146671 00000 n
-0003146822 00000 n
-0003146970 00000 n
-0003147118 00000 n
-0003147270 00000 n
-0003147422 00000 n
-0003147574 00000 n
-0003147726 00000 n
-0003147878 00000 n
-0003148030 00000 n
-0003148182 00000 n
-0003148334 00000 n
-0003148486 00000 n
-0003148638 00000 n
-0003148790 00000 n
-0003148941 00000 n
-0003149092 00000 n
-0003149243 00000 n
-0003149395 00000 n
-0003149547 00000 n
-0003149699 00000 n
-0003149850 00000 n
-0003150002 00000 n
-0003150152 00000 n
-0003150304 00000 n
-0003150456 00000 n
-0003150608 00000 n
-0003150759 00000 n
-0003150909 00000 n
-0003151061 00000 n
-0003151213 00000 n
-0003151365 00000 n
-0003151516 00000 n
-0003151666 00000 n
-0003151818 00000 n
-0003151970 00000 n
-0003152122 00000 n
-0003152274 00000 n
-0003152426 00000 n
-0003152578 00000 n
-0003152729 00000 n
-0003152881 00000 n
-0003153033 00000 n
-0003156118 00000 n
-0003156269 00000 n
-0003153248 00000 n
-0003136851 00000 n
-0003135357 00000 n
-0003153185 00000 n
-0003156421 00000 n
-0003156571 00000 n
-0003156723 00000 n
-0003156873 00000 n
-0003157022 00000 n
-0003157172 00000 n
-0003157321 00000 n
-0003157471 00000 n
-0003157621 00000 n
-0003157772 00000 n
-0003157923 00000 n
-0003158074 00000 n
-0003158225 00000 n
-0003158375 00000 n
-0003158526 00000 n
-0003158677 00000 n
-0003158827 00000 n
-0003158977 00000 n
-0003159129 00000 n
-0003159281 00000 n
-0003159431 00000 n
-0003159581 00000 n
-0003159732 00000 n
-0003159883 00000 n
-0003160035 00000 n
-0003160187 00000 n
-0003160338 00000 n
-0003160488 00000 n
-0003160640 00000 n
-0003160792 00000 n
-0003160943 00000 n
-0003161094 00000 n
-0003161245 00000 n
-0003161396 00000 n
-0003161548 00000 n
-0003161700 00000 n
-0003161852 00000 n
-0003162004 00000 n
-0003162156 00000 n
-0003162307 00000 n
-0003162459 00000 n
-0003162611 00000 n
-0003162762 00000 n
-0003162914 00000 n
-0003163066 00000 n
-0003163216 00000 n
-0003163366 00000 n
-0003163516 00000 n
-0003163668 00000 n
-0003163819 00000 n
-0003163971 00000 n
-0003164122 00000 n
-0003164273 00000 n
-0003164425 00000 n
-0003164577 00000 n
-0003164729 00000 n
-0003164880 00000 n
-0003165032 00000 n
-0003165184 00000 n
-0003165336 00000 n
-0003165486 00000 n
-0003165637 00000 n
-0003165787 00000 n
-0003165938 00000 n
-0003166090 00000 n
-0003166242 00000 n
-0003166394 00000 n
-0003166546 00000 n
-0003166698 00000 n
-0003166850 00000 n
-0003166999 00000 n
-0003167149 00000 n
-0003167301 00000 n
-0003167453 00000 n
-0003167604 00000 n
-0003167754 00000 n
-0003167905 00000 n
-0003168056 00000 n
-0003168207 00000 n
-0003168359 00000 n
-0003168511 00000 n
-0003168663 00000 n
-0003168815 00000 n
-0003168965 00000 n
-0003169116 00000 n
-0003169267 00000 n
-0003169418 00000 n
-0003169569 00000 n
-0003169720 00000 n
-0003169872 00000 n
-0003170023 00000 n
-0003170175 00000 n
-0003170327 00000 n
-0003170479 00000 n
-0003170630 00000 n
-0003170782 00000 n
-0003170934 00000 n
-0003171086 00000 n
-0003171238 00000 n
-0003171389 00000 n
-0003171539 00000 n
-0003171691 00000 n
-0003171843 00000 n
-0003171995 00000 n
-0003172147 00000 n
-0003172299 00000 n
-0003172450 00000 n
-0003172602 00000 n
-0003172753 00000 n
-0003172904 00000 n
-0003173055 00000 n
-0003173206 00000 n
-0003173358 00000 n
-0003173510 00000 n
-0003173662 00000 n
-0003173814 00000 n
-0003173965 00000 n
-0003174117 00000 n
-0003174268 00000 n
-0003174420 00000 n
-0003174572 00000 n
-0003177301 00000 n
-0003174788 00000 n
-0003154883 00000 n
-0003153364 00000 n
-0003174724 00000 n
-0003675595 00000 n
-0003177453 00000 n
-0003177605 00000 n
-0003177757 00000 n
-0003177907 00000 n
-0003178058 00000 n
-0003178208 00000 n
-0003178357 00000 n
-0003178506 00000 n
-0003178657 00000 n
-0003178807 00000 n
-0003178958 00000 n
-0003179110 00000 n
-0003179262 00000 n
-0003179414 00000 n
-0003179566 00000 n
-0003179718 00000 n
-0003179870 00000 n
-0003180021 00000 n
-0003180173 00000 n
-0003180325 00000 n
-0003180477 00000 n
-0003180629 00000 n
-0003180780 00000 n
-0003180931 00000 n
-0003181082 00000 n
-0003181233 00000 n
-0003181385 00000 n
-0003181537 00000 n
-0003181689 00000 n
-0003181841 00000 n
-0003181993 00000 n
-0003182145 00000 n
-0003182296 00000 n
-0003182448 00000 n
-0003182598 00000 n
-0003182747 00000 n
-0003182899 00000 n
-0003183051 00000 n
-0003183202 00000 n
-0003183353 00000 n
-0003183505 00000 n
-0003183657 00000 n
-0003183809 00000 n
-0003183961 00000 n
-0003184113 00000 n
-0003184265 00000 n
-0003184417 00000 n
-0003184569 00000 n
-0003184721 00000 n
-0003184873 00000 n
-0003185022 00000 n
-0003185171 00000 n
-0003185323 00000 n
-0003185474 00000 n
-0003185626 00000 n
-0003185778 00000 n
-0003185930 00000 n
-0003186081 00000 n
-0003186233 00000 n
-0003186385 00000 n
-0003186537 00000 n
-0003186689 00000 n
-0003186841 00000 n
-0003186993 00000 n
-0003187145 00000 n
-0003187297 00000 n
-0003187448 00000 n
-0003187600 00000 n
-0003187752 00000 n
-0003187903 00000 n
-0003188054 00000 n
-0003188205 00000 n
-0003188356 00000 n
-0003188508 00000 n
-0003188660 00000 n
-0003188811 00000 n
-0003188962 00000 n
-0003189113 00000 n
-0003189263 00000 n
-0003189414 00000 n
-0003189566 00000 n
-0003189718 00000 n
-0003189869 00000 n
-0003190021 00000 n
-0003190172 00000 n
-0003190324 00000 n
-0003190475 00000 n
-0003190627 00000 n
-0003190779 00000 n
-0003190931 00000 n
-0003191082 00000 n
-0003193929 00000 n
-0003191297 00000 n
-0003176345 00000 n
-0003174904 00000 n
-0003191234 00000 n
-0003194079 00000 n
-0003194231 00000 n
-0003194383 00000 n
-0003194535 00000 n
-0003194686 00000 n
-0003194836 00000 n
-0003194988 00000 n
-0003195139 00000 n
-0003195290 00000 n
-0003195442 00000 n
-0003195594 00000 n
-0003195745 00000 n
-0003195897 00000 n
-0003196049 00000 n
-0003196201 00000 n
-0003196350 00000 n
-0003196502 00000 n
-0003196654 00000 n
-0003196805 00000 n
-0003196957 00000 n
-0003197109 00000 n
-0003197261 00000 n
-0003197412 00000 n
-0003197562 00000 n
-0003197714 00000 n
-0003197865 00000 n
-0003198016 00000 n
-0003198165 00000 n
-0003198316 00000 n
-0003198468 00000 n
-0003198618 00000 n
-0003198770 00000 n
-0003198921 00000 n
-0003199071 00000 n
-0003199222 00000 n
-0003199374 00000 n
-0003199526 00000 n
-0003199678 00000 n
-0003199830 00000 n
-0003199981 00000 n
-0003200133 00000 n
-0003200285 00000 n
-0003200436 00000 n
-0003200587 00000 n
-0003200738 00000 n
-0003200890 00000 n
-0003201041 00000 n
-0003201193 00000 n
-0003201345 00000 n
-0003201497 00000 n
-0003201648 00000 n
-0003201799 00000 n
-0003201951 00000 n
-0003202103 00000 n
-0003202255 00000 n
-0003202407 00000 n
-0003202559 00000 n
-0003202711 00000 n
-0003202863 00000 n
-0003203015 00000 n
-0003203167 00000 n
-0003203319 00000 n
-0003203471 00000 n
-0003203623 00000 n
-0003203775 00000 n
-0003203925 00000 n
-0003204077 00000 n
-0003204228 00000 n
-0003204379 00000 n
-0003204530 00000 n
-0003204682 00000 n
-0003204834 00000 n
-0003204986 00000 n
-0003205138 00000 n
-0003205290 00000 n
-0003205442 00000 n
-0003205594 00000 n
-0003205746 00000 n
-0003205898 00000 n
-0003206049 00000 n
-0003206200 00000 n
-0003206351 00000 n
-0003206502 00000 n
-0003206652 00000 n
-0003206804 00000 n
-0003206955 00000 n
-0003207106 00000 n
-0003207256 00000 n
-0003207407 00000 n
-0003207557 00000 n
-0003207708 00000 n
-0003207859 00000 n
-0003208010 00000 n
-0003208162 00000 n
-0003208314 00000 n
-0003208466 00000 n
-0003208618 00000 n
-0003208770 00000 n
-0003208922 00000 n
-0003209074 00000 n
-0003209224 00000 n
-0003209375 00000 n
-0003209526 00000 n
-0003209677 00000 n
-0003209829 00000 n
-0003209981 00000 n
-0003213066 00000 n
-0003213217 00000 n
-0003210197 00000 n
-0003192838 00000 n
-0003191413 00000 n
-0003210133 00000 n
-0003213368 00000 n
-0003213520 00000 n
-0003213671 00000 n
-0003213822 00000 n
-0003213973 00000 n
-0003214125 00000 n
-0003214275 00000 n
-0003214427 00000 n
-0003214579 00000 n
-0003214731 00000 n
-0003214883 00000 n
-0003215034 00000 n
-0003215185 00000 n
-0003215337 00000 n
-0003215489 00000 n
-0003215641 00000 n
-0003215792 00000 n
-0003215943 00000 n
-0003216095 00000 n
-0003216246 00000 n
-0003216398 00000 n
-0003216550 00000 n
-0003216701 00000 n
-0003216853 00000 n
-0003217005 00000 n
-0003217156 00000 n
-0003217308 00000 n
-0003217460 00000 n
-0003217610 00000 n
-0003217762 00000 n
-0003217914 00000 n
-0003218066 00000 n
-0003218218 00000 n
-0003218370 00000 n
-0003218522 00000 n
-0003218674 00000 n
-0003218825 00000 n
-0003218977 00000 n
-0003219129 00000 n
-0003219281 00000 n
-0003219433 00000 n
-0003219585 00000 n
-0003219737 00000 n
-0003219888 00000 n
-0003220038 00000 n
-0003220190 00000 n
-0003220342 00000 n
-0003220494 00000 n
-0003220646 00000 n
-0003220798 00000 n
-0003220950 00000 n
-0003221102 00000 n
-0003221254 00000 n
-0003221406 00000 n
-0003221558 00000 n
-0003221710 00000 n
-0003221861 00000 n
-0003222013 00000 n
-0003222165 00000 n
-0003222317 00000 n
-0003222469 00000 n
-0003222621 00000 n
-0003222773 00000 n
-0003222925 00000 n
-0003223075 00000 n
-0003223226 00000 n
-0003223378 00000 n
-0003223530 00000 n
-0003223681 00000 n
-0003223830 00000 n
-0003223981 00000 n
-0003224132 00000 n
-0003224284 00000 n
-0003224436 00000 n
-0003224587 00000 n
-0003224739 00000 n
-0003224889 00000 n
-0003225040 00000 n
-0003225191 00000 n
-0003225343 00000 n
-0003225495 00000 n
-0003225647 00000 n
-0003225799 00000 n
-0003225951 00000 n
-0003226103 00000 n
-0003226255 00000 n
-0003226407 00000 n
-0003226558 00000 n
-0003226709 00000 n
-0003226861 00000 n
-0003227011 00000 n
-0003227162 00000 n
-0003227314 00000 n
-0003227466 00000 n
-0003227616 00000 n
-0003227767 00000 n
-0003227919 00000 n
-0003228070 00000 n
-0003228219 00000 n
-0003228370 00000 n
-0003228519 00000 n
-0003228670 00000 n
-0003228822 00000 n
-0003228974 00000 n
-0003229126 00000 n
-0003229277 00000 n
-0003229428 00000 n
-0003229579 00000 n
-0003229730 00000 n
-0003229880 00000 n
-0003230030 00000 n
-0003230179 00000 n
-0003230330 00000 n
-0003230481 00000 n
-0003230632 00000 n
-0003230784 00000 n
-0003233896 00000 n
-0003230998 00000 n
-0003211876 00000 n
-0003210313 00000 n
-0003230935 00000 n
-0003234048 00000 n
-0003234199 00000 n
-0003234351 00000 n
-0003234503 00000 n
-0003234655 00000 n
-0003234807 00000 n
-0003234957 00000 n
-0003235109 00000 n
-0003235261 00000 n
-0003235413 00000 n
-0003235564 00000 n
-0003235716 00000 n
-0003235868 00000 n
-0003236020 00000 n
-0003236172 00000 n
-0003236324 00000 n
-0003236475 00000 n
-0003236626 00000 n
-0003236778 00000 n
-0003236930 00000 n
-0003237081 00000 n
-0003237233 00000 n
-0003237385 00000 n
-0003237537 00000 n
-0003237688 00000 n
-0003237839 00000 n
-0003237991 00000 n
-0003238143 00000 n
-0003238295 00000 n
-0003238446 00000 n
-0003238597 00000 n
-0003238749 00000 n
-0003238899 00000 n
-0003239050 00000 n
-0003239201 00000 n
-0003239352 00000 n
-0003239502 00000 n
-0003239652 00000 n
-0003239802 00000 n
-0003239953 00000 n
-0003240104 00000 n
-0003240255 00000 n
-0003240406 00000 n
-0003240557 00000 n
-0003240708 00000 n
-0003240857 00000 n
-0003241009 00000 n
-0003241161 00000 n
-0003241313 00000 n
-0003241465 00000 n
-0003241617 00000 n
-0003241769 00000 n
-0003241921 00000 n
-0003242073 00000 n
-0003242224 00000 n
-0003242376 00000 n
-0003242527 00000 n
-0003242679 00000 n
-0003242829 00000 n
-0003242981 00000 n
-0003243132 00000 n
-0003243284 00000 n
-0003243436 00000 n
-0003243588 00000 n
-0003243740 00000 n
-0003243891 00000 n
-0003244043 00000 n
-0003244195 00000 n
-0003244346 00000 n
-0003244497 00000 n
-0003244645 00000 n
-0003244793 00000 n
-0003244942 00000 n
-0003245091 00000 n
-0003245240 00000 n
-0003245389 00000 n
-0003245538 00000 n
-0003245690 00000 n
-0003245841 00000 n
-0003245993 00000 n
-0003246145 00000 n
-0003246297 00000 n
-0003246449 00000 n
-0003246601 00000 n
-0003246753 00000 n
-0003246904 00000 n
-0003247056 00000 n
-0003247208 00000 n
-0003247360 00000 n
-0003247511 00000 n
-0003247662 00000 n
-0003247813 00000 n
-0003247963 00000 n
-0003248115 00000 n
-0003248266 00000 n
-0003248418 00000 n
-0003248570 00000 n
-0003248722 00000 n
-0003248874 00000 n
-0003249026 00000 n
-0003249178 00000 n
-0003249328 00000 n
-0003249479 00000 n
-0003249629 00000 n
-0003249781 00000 n
-0003249933 00000 n
-0003250084 00000 n
-0003250234 00000 n
-0003250385 00000 n
-0003250536 00000 n
-0003250687 00000 n
-0003250838 00000 n
-0003250989 00000 n
-0003251140 00000 n
-0003251291 00000 n
-0003251442 00000 n
-0003254331 00000 n
-0003251658 00000 n
-0003232715 00000 n
-0003231100 00000 n
-0003251594 00000 n
-0003254483 00000 n
-0003254635 00000 n
-0003254785 00000 n
-0003254937 00000 n
-0003255089 00000 n
-0003255240 00000 n
-0003255391 00000 n
-0003255542 00000 n
-0003255693 00000 n
-0003255845 00000 n
-0003255996 00000 n
-0003256148 00000 n
-0003256300 00000 n
-0003256452 00000 n
-0003256603 00000 n
-0003256755 00000 n
-0003256907 00000 n
-0003257059 00000 n
-0003257211 00000 n
-0003257363 00000 n
-0003257515 00000 n
-0003257667 00000 n
-0003257819 00000 n
-0003257970 00000 n
-0003258121 00000 n
-0003258272 00000 n
-0003258424 00000 n
-0003258575 00000 n
-0003258726 00000 n
-0003258877 00000 n
-0003259028 00000 n
-0003259178 00000 n
-0003259329 00000 n
-0003259479 00000 n
-0003259631 00000 n
-0003259780 00000 n
-0003259931 00000 n
-0003260082 00000 n
-0003260232 00000 n
-0003260384 00000 n
-0003260535 00000 n
-0003260687 00000 n
-0003260839 00000 n
-0003260991 00000 n
-0003261142 00000 n
-0003261294 00000 n
-0003261446 00000 n
-0003261597 00000 n
-0003261748 00000 n
-0003261899 00000 n
-0003262050 00000 n
-0003262202 00000 n
-0003262354 00000 n
-0003262506 00000 n
-0003262658 00000 n
-0003262810 00000 n
-0003262961 00000 n
-0003263112 00000 n
-0003263263 00000 n
-0003263414 00000 n
-0003263566 00000 n
-0003263717 00000 n
-0003263868 00000 n
-0003264020 00000 n
-0003264172 00000 n
-0003264324 00000 n
-0003264476 00000 n
-0003264628 00000 n
-0003264780 00000 n
-0003264932 00000 n
-0003265084 00000 n
-0003265236 00000 n
-0003265388 00000 n
-0003265540 00000 n
-0003265692 00000 n
-0003265843 00000 n
-0003265995 00000 n
-0003266147 00000 n
-0003266299 00000 n
-0003266451 00000 n
-0003266601 00000 n
-0003266753 00000 n
-0003266904 00000 n
-0003267056 00000 n
-0003267207 00000 n
-0003267359 00000 n
-0003267510 00000 n
-0003267662 00000 n
-0003267813 00000 n
-0003267965 00000 n
-0003268115 00000 n
-0003268267 00000 n
-0003268419 00000 n
-0003268571 00000 n
-0003268721 00000 n
-0003268873 00000 n
-0003269023 00000 n
-0003269174 00000 n
-0003269326 00000 n
-0003272027 00000 n
-0003272178 00000 n
-0003269541 00000 n
-0003253303 00000 n
-0003251774 00000 n
-0003269478 00000 n
-0003272330 00000 n
-0003272481 00000 n
-0003272632 00000 n
-0003272782 00000 n
-0003272933 00000 n
-0003273083 00000 n
-0003273234 00000 n
-0003273385 00000 n
-0003273536 00000 n
-0003273687 00000 n
-0003273839 00000 n
-0003273991 00000 n
-0003274143 00000 n
-0003274294 00000 n
-0003274446 00000 n
-0003274597 00000 n
-0003274748 00000 n
-0003274900 00000 n
-0003275051 00000 n
-0003275201 00000 n
-0003275351 00000 n
-0003275501 00000 n
-0003275652 00000 n
-0003275803 00000 n
-0003275954 00000 n
-0003276105 00000 n
-0003276256 00000 n
-0003276407 00000 n
-0003276559 00000 n
-0003276711 00000 n
-0003276863 00000 n
-0003277015 00000 n
-0003277167 00000 n
-0003277319 00000 n
-0003277471 00000 n
-0003277623 00000 n
-0003277775 00000 n
-0003277927 00000 n
-0003278078 00000 n
-0003278230 00000 n
-0003278381 00000 n
-0003278531 00000 n
-0003278683 00000 n
-0003278835 00000 n
-0003278987 00000 n
-0003279138 00000 n
-0003279289 00000 n
-0003279441 00000 n
-0003279593 00000 n
-0003279744 00000 n
-0003279894 00000 n
-0003280046 00000 n
-0003280198 00000 n
-0003280348 00000 n
-0003280500 00000 n
-0003280652 00000 n
-0003280803 00000 n
-0003280953 00000 n
-0003281105 00000 n
-0003281257 00000 n
-0003281409 00000 n
-0003281559 00000 n
-0003281708 00000 n
-0003281860 00000 n
-0003282012 00000 n
-0003282164 00000 n
-0003282316 00000 n
-0003282468 00000 n
-0003282620 00000 n
-0003282770 00000 n
-0003282922 00000 n
-0003283073 00000 n
-0003283225 00000 n
-0003283376 00000 n
-0003283526 00000 n
-0003283677 00000 n
-0003283829 00000 n
-0003283981 00000 n
-0003284133 00000 n
-0003284284 00000 n
-0003284436 00000 n
-0003284588 00000 n
-0003284740 00000 n
-0003284889 00000 n
-0003285041 00000 n
-0003285193 00000 n
-0003285344 00000 n
-0003285494 00000 n
-0003285646 00000 n
-0003285797 00000 n
-0003285948 00000 n
-0003286099 00000 n
-0003286315 00000 n
-0003271053 00000 n
-0003269657 00000 n
-0003286251 00000 n
-0003675720 00000 n
-0003289639 00000 n
-0003289789 00000 n
-0003289941 00000 n
-0003290092 00000 n
-0003290243 00000 n
-0003290395 00000 n
-0003290546 00000 n
-0003290698 00000 n
-0003290849 00000 n
-0003291000 00000 n
-0003291151 00000 n
-0003291303 00000 n
-0003291455 00000 n
-0003291607 00000 n
-0003291759 00000 n
-0003291911 00000 n
-0003292063 00000 n
-0003292214 00000 n
-0003292366 00000 n
-0003292518 00000 n
-0003292669 00000 n
-0003292819 00000 n
-0003292970 00000 n
-0003293122 00000 n
-0003293274 00000 n
-0003293426 00000 n
-0003293578 00000 n
-0003293729 00000 n
-0003293879 00000 n
-0003294031 00000 n
-0003294183 00000 n
-0003294335 00000 n
-0003294487 00000 n
-0003294639 00000 n
-0003294791 00000 n
-0003294943 00000 n
-0003295095 00000 n
-0003295247 00000 n
-0003295399 00000 n
-0003295551 00000 n
-0003295703 00000 n
-0003295855 00000 n
-0003296007 00000 n
-0003296159 00000 n
-0003296311 00000 n
-0003296463 00000 n
-0003296615 00000 n
-0003296767 00000 n
-0003296919 00000 n
-0003297070 00000 n
-0003297221 00000 n
-0003297372 00000 n
-0003297524 00000 n
-0003297676 00000 n
-0003297826 00000 n
-0003297978 00000 n
-0003298130 00000 n
-0003298282 00000 n
-0003298434 00000 n
-0003298586 00000 n
-0003298738 00000 n
-0003298889 00000 n
-0003299040 00000 n
-0003299190 00000 n
-0003299341 00000 n
-0003299492 00000 n
-0003299644 00000 n
-0003299796 00000 n
-0003299948 00000 n
-0003300096 00000 n
-0003300246 00000 n
-0003300398 00000 n
-0003300550 00000 n
-0003300702 00000 n
-0003300853 00000 n
-0003301005 00000 n
-0003301157 00000 n
-0003301309 00000 n
-0003301461 00000 n
-0003301613 00000 n
-0003301765 00000 n
-0003301917 00000 n
-0003302069 00000 n
-0003302221 00000 n
-0003302373 00000 n
-0003302524 00000 n
-0003302676 00000 n
-0003302823 00000 n
-0003302975 00000 n
-0003303127 00000 n
-0003303275 00000 n
-0003303425 00000 n
-0003303577 00000 n
-0003303728 00000 n
-0003303880 00000 n
-0003304032 00000 n
-0003304184 00000 n
-0003304335 00000 n
-0003304486 00000 n
-0003304637 00000 n
-0003304789 00000 n
-0003304939 00000 n
-0003305089 00000 n
-0003305241 00000 n
-0003305393 00000 n
-0003305545 00000 n
-0003305697 00000 n
-0003305849 00000 n
-0003306000 00000 n
-0003306150 00000 n
-0003306301 00000 n
-0003306453 00000 n
-0003306605 00000 n
-0003306757 00000 n
-0003306908 00000 n
-0003307059 00000 n
-0003307211 00000 n
-0003307363 00000 n
-0003307515 00000 n
-0003307667 00000 n
-0003307819 00000 n
-0003307971 00000 n
-0003308123 00000 n
-0003308274 00000 n
-0003308426 00000 n
-0003308577 00000 n
-0003308729 00000 n
-0003308881 00000 n
-0003309031 00000 n
-0003309183 00000 n
-0003309335 00000 n
-0003309487 00000 n
-0003309639 00000 n
-0003309791 00000 n
-0003309943 00000 n
-0003310094 00000 n
-0003310244 00000 n
-0003310394 00000 n
-0003310544 00000 n
-0003310696 00000 n
-0003310848 00000 n
-0003310998 00000 n
-0003311149 00000 n
-0003311363 00000 n
-0003288224 00000 n
-0003286431 00000 n
-0003311300 00000 n
-0003314287 00000 n
-0003314438 00000 n
-0003314589 00000 n
-0003314741 00000 n
-0003314892 00000 n
-0003315044 00000 n
-0003315195 00000 n
-0003315346 00000 n
-0003315495 00000 n
-0003315647 00000 n
-0003315799 00000 n
-0003315951 00000 n
-0003316103 00000 n
-0003316255 00000 n
-0003316407 00000 n
-0003316558 00000 n
-0003316709 00000 n
-0003316859 00000 n
-0003317010 00000 n
-0003317160 00000 n
-0003317311 00000 n
-0003317462 00000 n
-0003317613 00000 n
-0003317764 00000 n
-0003317915 00000 n
-0003318064 00000 n
-0003318215 00000 n
-0003318366 00000 n
-0003318518 00000 n
-0003318670 00000 n
-0003318822 00000 n
-0003318974 00000 n
-0003319126 00000 n
-0003319278 00000 n
-0003319430 00000 n
-0003319582 00000 n
-0003319734 00000 n
-0003319886 00000 n
-0003320038 00000 n
-0003320189 00000 n
-0003320340 00000 n
-0003320492 00000 n
-0003320644 00000 n
-0003320795 00000 n
-0003320946 00000 n
-0003321097 00000 n
-0003321248 00000 n
-0003321400 00000 n
-0003321552 00000 n
-0003321703 00000 n
-0003321855 00000 n
-0003322007 00000 n
-0003322159 00000 n
-0003322311 00000 n
-0003322463 00000 n
-0003322615 00000 n
-0003322767 00000 n
-0003322918 00000 n
-0003323069 00000 n
-0003323221 00000 n
-0003323373 00000 n
-0003323524 00000 n
-0003323675 00000 n
-0003323825 00000 n
-0003323977 00000 n
-0003324128 00000 n
-0003324279 00000 n
-0003324430 00000 n
-0003324581 00000 n
-0003324732 00000 n
-0003324883 00000 n
-0003325035 00000 n
-0003325187 00000 n
-0003325338 00000 n
-0003325489 00000 n
-0003325641 00000 n
-0003325793 00000 n
-0003325944 00000 n
-0003326096 00000 n
-0003326248 00000 n
-0003326399 00000 n
-0003326551 00000 n
-0003326703 00000 n
-0003326855 00000 n
-0003327006 00000 n
-0003327154 00000 n
-0003327302 00000 n
-0003327454 00000 n
-0003327605 00000 n
-0003327755 00000 n
-0003327907 00000 n
-0003328059 00000 n
-0003328209 00000 n
-0003328360 00000 n
-0003328509 00000 n
-0003328661 00000 n
-0003328812 00000 n
-0003328962 00000 n
-0003329113 00000 n
-0003329265 00000 n
-0003329417 00000 n
-0003329568 00000 n
-0003329719 00000 n
-0003329870 00000 n
-0003330022 00000 n
-0003330172 00000 n
-0003330322 00000 n
-0003330473 00000 n
-0003330624 00000 n
-0003330776 00000 n
-0003330926 00000 n
-0003331078 00000 n
-0003331230 00000 n
-0003331382 00000 n
-0003331533 00000 n
-0003331684 00000 n
-0003331835 00000 n
-0003331986 00000 n
-0003332136 00000 n
-0003332288 00000 n
-0003332439 00000 n
-0003332591 00000 n
-0003332743 00000 n
-0003332893 00000 n
-0003333045 00000 n
-0003333197 00000 n
-0003336093 00000 n
-0003333412 00000 n
-0003313025 00000 n
-0003311479 00000 n
-0003333348 00000 n
-0003336245 00000 n
-0003336396 00000 n
-0003336547 00000 n
-0003336699 00000 n
-0003336851 00000 n
-0003337002 00000 n
-0003337154 00000 n
-0003337306 00000 n
-0003337458 00000 n
-0003337610 00000 n
-0003337762 00000 n
-0003337914 00000 n
-0003338066 00000 n
-0003338217 00000 n
-0003338368 00000 n
-0003338519 00000 n
-0003338671 00000 n
-0003338822 00000 n
-0003338974 00000 n
-0003339126 00000 n
-0003339278 00000 n
-0003339429 00000 n
-0003339579 00000 n
-0003339731 00000 n
-0003339882 00000 n
-0003340033 00000 n
-0003340185 00000 n
-0003340337 00000 n
-0003340489 00000 n
-0003340641 00000 n
-0003340792 00000 n
-0003340943 00000 n
-0003341094 00000 n
-0003341246 00000 n
-0003341398 00000 n
-0003341550 00000 n
-0003341700 00000 n
-0003341851 00000 n
-0003342003 00000 n
-0003342154 00000 n
-0003342303 00000 n
-0003342455 00000 n
-0003342607 00000 n
-0003342759 00000 n
-0003342911 00000 n
-0003343063 00000 n
-0003343215 00000 n
-0003343366 00000 n
-0003343518 00000 n
-0003343669 00000 n
-0003343819 00000 n
-0003343969 00000 n
-0003344121 00000 n
-0003344272 00000 n
-0003344420 00000 n
-0003344571 00000 n
-0003344723 00000 n
-0003344873 00000 n
-0003345022 00000 n
-0003345174 00000 n
-0003345326 00000 n
-0003345478 00000 n
-0003345630 00000 n
-0003345781 00000 n
-0003345933 00000 n
-0003346085 00000 n
-0003346237 00000 n
-0003346389 00000 n
-0003346541 00000 n
-0003346693 00000 n
-0003346844 00000 n
-0003346995 00000 n
-0003347146 00000 n
-0003347297 00000 n
-0003347448 00000 n
-0003347600 00000 n
-0003347752 00000 n
-0003347904 00000 n
-0003348056 00000 n
-0003348208 00000 n
-0003348360 00000 n
-0003348511 00000 n
-0003348663 00000 n
-0003348815 00000 n
-0003348967 00000 n
-0003349118 00000 n
-0003349270 00000 n
-0003349421 00000 n
-0003349572 00000 n
-0003349722 00000 n
-0003349873 00000 n
-0003350022 00000 n
-0003350174 00000 n
-0003350326 00000 n
-0003350478 00000 n
-0003350630 00000 n
-0003350782 00000 n
-0003350933 00000 n
-0003351083 00000 n
-0003351235 00000 n
-0003351387 00000 n
-0003351538 00000 n
-0003351690 00000 n
-0003351842 00000 n
-0003351994 00000 n
-0003352145 00000 n
-0003352296 00000 n
-0003352448 00000 n
-0003352600 00000 n
-0003352752 00000 n
-0003355607 00000 n
-0003352967 00000 n
-0003334966 00000 n
-0003333528 00000 n
-0003352904 00000 n
-0003355757 00000 n
-0003355909 00000 n
-0003356061 00000 n
-0003356213 00000 n
-0003356365 00000 n
-0003356516 00000 n
-0003356667 00000 n
-0003356818 00000 n
-0003356970 00000 n
-0003357122 00000 n
-0003357274 00000 n
-0003357426 00000 n
-0003357576 00000 n
-0003357728 00000 n
-0003357880 00000 n
-0003358028 00000 n
-0003358180 00000 n
-0003358331 00000 n
-0003358483 00000 n
-0003358635 00000 n
-0003358787 00000 n
-0003358939 00000 n
-0003359091 00000 n
-0003359243 00000 n
-0003359395 00000 n
-0003359547 00000 n
-0003359699 00000 n
-0003359851 00000 n
-0003360002 00000 n
-0003360154 00000 n
-0003360305 00000 n
-0003360456 00000 n
-0003360607 00000 n
-0003360757 00000 n
-0003360909 00000 n
-0003361060 00000 n
-0003361211 00000 n
-0003361362 00000 n
-0003361513 00000 n
-0003361664 00000 n
-0003361816 00000 n
-0003361968 00000 n
-0003362120 00000 n
-0003362272 00000 n
-0003362424 00000 n
-0003362576 00000 n
-0003362728 00000 n
-0003362880 00000 n
-0003363032 00000 n
-0003363184 00000 n
-0003363336 00000 n
-0003363488 00000 n
-0003363639 00000 n
-0003363791 00000 n
-0003363943 00000 n
-0003364095 00000 n
-0003364247 00000 n
-0003364399 00000 n
-0003364551 00000 n
-0003364703 00000 n
-0003364855 00000 n
-0003365007 00000 n
-0003365159 00000 n
-0003365311 00000 n
-0003365463 00000 n
-0003365612 00000 n
-0003365760 00000 n
-0003365911 00000 n
-0003366063 00000 n
-0003366215 00000 n
-0003366366 00000 n
-0003366517 00000 n
-0003366668 00000 n
-0003366820 00000 n
-0003366972 00000 n
-0003367124 00000 n
-0003367275 00000 n
-0003367425 00000 n
-0003367577 00000 n
-0003367728 00000 n
-0003367880 00000 n
-0003368031 00000 n
-0003368182 00000 n
-0003368334 00000 n
-0003368486 00000 n
-0003368637 00000 n
-0003368789 00000 n
-0003368941 00000 n
-0003369092 00000 n
-0003369244 00000 n
-0003369396 00000 n
-0003369547 00000 n
-0003369697 00000 n
-0003369848 00000 n
-0003370000 00000 n
-0003370151 00000 n
-0003370302 00000 n
-0003370453 00000 n
-0003370604 00000 n
-0003370756 00000 n
-0003370907 00000 n
-0003371059 00000 n
-0003371211 00000 n
-0003371363 00000 n
-0003374948 00000 n
-0003371579 00000 n
-0003354534 00000 n
-0003353069 00000 n
-0003371515 00000 n
-0003375099 00000 n
-0003375250 00000 n
-0003375402 00000 n
-0003375554 00000 n
-0003375706 00000 n
-0003375858 00000 n
-0003376010 00000 n
-0003376162 00000 n
-0003376314 00000 n
-0003376466 00000 n
-0003376618 00000 n
-0003376770 00000 n
-0003376922 00000 n
-0003377072 00000 n
-0003377221 00000 n
-0003377373 00000 n
-0003377525 00000 n
-0003377677 00000 n
-0003377829 00000 n
-0003377980 00000 n
-0003378132 00000 n
-0003378284 00000 n
-0003378436 00000 n
-0003378588 00000 n
-0003378740 00000 n
-0003378892 00000 n
-0003379044 00000 n
-0003379196 00000 n
-0003379347 00000 n
-0003379497 00000 n
-0003379648 00000 n
-0003379797 00000 n
-0003379948 00000 n
-0003380100 00000 n
-0003380252 00000 n
-0003380402 00000 n
-0003380553 00000 n
-0003380704 00000 n
-0003380855 00000 n
-0003381007 00000 n
-0003381159 00000 n
-0003381311 00000 n
-0003381463 00000 n
-0003381615 00000 n
-0003381767 00000 n
-0003381919 00000 n
-0003382071 00000 n
-0003382223 00000 n
-0003382375 00000 n
-0003382527 00000 n
-0003382679 00000 n
-0003382830 00000 n
-0003382982 00000 n
-0003383133 00000 n
-0003383285 00000 n
-0003383437 00000 n
-0003383588 00000 n
-0003383739 00000 n
-0003383890 00000 n
-0003384041 00000 n
-0003384192 00000 n
-0003384342 00000 n
-0003384492 00000 n
-0003384644 00000 n
-0003384796 00000 n
-0003384947 00000 n
-0003385099 00000 n
-0003385250 00000 n
-0003385400 00000 n
-0003385551 00000 n
-0003385702 00000 n
-0003385852 00000 n
-0003386003 00000 n
-0003386154 00000 n
-0003386306 00000 n
-0003386454 00000 n
-0003386606 00000 n
-0003386758 00000 n
-0003386910 00000 n
-0003387062 00000 n
-0003387214 00000 n
-0003387366 00000 n
-0003387518 00000 n
-0003387670 00000 n
-0003387822 00000 n
-0003387974 00000 n
-0003388126 00000 n
-0003388277 00000 n
-0003388428 00000 n
-0003388580 00000 n
-0003388732 00000 n
-0003388884 00000 n
-0003389035 00000 n
-0003389187 00000 n
-0003389338 00000 n
-0003389490 00000 n
-0003389642 00000 n
-0003389793 00000 n
-0003389943 00000 n
-0003390094 00000 n
-0003390245 00000 n
-0003390397 00000 n
-0003390548 00000 n
-0003390698 00000 n
-0003390849 00000 n
-0003391001 00000 n
-0003391153 00000 n
-0003391305 00000 n
-0003391457 00000 n
-0003391609 00000 n
-0003391759 00000 n
-0003391910 00000 n
-0003392062 00000 n
-0003392214 00000 n
-0003392366 00000 n
-0003392517 00000 n
-0003392669 00000 n
-0003392820 00000 n
-0003392970 00000 n
-0003393121 00000 n
-0003393272 00000 n
-0003393423 00000 n
-0003393574 00000 n
-0003393726 00000 n
-0003393876 00000 n
-0003394026 00000 n
-0003394177 00000 n
-0003394326 00000 n
-0003394477 00000 n
-0003394629 00000 n
-0003394781 00000 n
-0003394931 00000 n
-0003395082 00000 n
-0003395232 00000 n
-0003395382 00000 n
-0003395533 00000 n
-0003395684 00000 n
-0003395836 00000 n
-0003395987 00000 n
-0003396138 00000 n
-0003396290 00000 n
-0003396442 00000 n
-0003396594 00000 n
-0003396745 00000 n
-0003396895 00000 n
-0003397046 00000 n
-0003397197 00000 n
-0003397349 00000 n
-0003397500 00000 n
-0003397652 00000 n
-0003397804 00000 n
-0003397956 00000 n
-0003398108 00000 n
-0003398258 00000 n
-0003398408 00000 n
-0003398560 00000 n
-0003398711 00000 n
-0003398862 00000 n
-0003399013 00000 n
-0003399164 00000 n
-0003399316 00000 n
-0003399468 00000 n
-0003399620 00000 n
-0003399772 00000 n
-0003402889 00000 n
-0003403040 00000 n
-0003399987 00000 n
-0003373335 00000 n
-0003371695 00000 n
-0003399924 00000 n
-0003403191 00000 n
-0003403342 00000 n
-0003403493 00000 n
-0003403643 00000 n
-0003403794 00000 n
-0003403946 00000 n
-0003404097 00000 n
-0003404249 00000 n
-0003404401 00000 n
-0003404553 00000 n
-0003404705 00000 n
-0003404857 00000 n
-0003405008 00000 n
-0003405159 00000 n
-0003405310 00000 n
-0003405462 00000 n
-0003405614 00000 n
-0003405766 00000 n
-0003405918 00000 n
-0003406070 00000 n
-0003406222 00000 n
-0003406374 00000 n
-0003406526 00000 n
-0003406678 00000 n
-0003406828 00000 n
-0003406979 00000 n
-0003407129 00000 n
-0003407280 00000 n
-0003407431 00000 n
-0003407583 00000 n
-0003407735 00000 n
-0003407886 00000 n
-0003408037 00000 n
-0003408189 00000 n
-0003408341 00000 n
-0003408491 00000 n
-0003408643 00000 n
-0003408795 00000 n
-0003408946 00000 n
-0003409097 00000 n
-0003409248 00000 n
-0003409400 00000 n
-0003409552 00000 n
-0003409704 00000 n
-0003409856 00000 n
-0003410007 00000 n
-0003410159 00000 n
-0003410311 00000 n
-0003410463 00000 n
-0003410615 00000 n
-0003410767 00000 n
-0003410918 00000 n
-0003411070 00000 n
-0003411221 00000 n
-0003411373 00000 n
-0003411522 00000 n
-0003411673 00000 n
-0003411825 00000 n
-0003411977 00000 n
-0003412129 00000 n
-0003412281 00000 n
-0003412433 00000 n
-0003412585 00000 n
-0003412737 00000 n
-0003412889 00000 n
-0003413041 00000 n
-0003413193 00000 n
-0003413343 00000 n
-0003413495 00000 n
-0003413646 00000 n
-0003413797 00000 n
-0003413948 00000 n
-0003414099 00000 n
-0003414251 00000 n
-0003414402 00000 n
-0003414554 00000 n
-0003414705 00000 n
-0003414857 00000 n
-0003415008 00000 n
-0003415159 00000 n
-0003415311 00000 n
-0003415463 00000 n
-0003415615 00000 n
-0003415767 00000 n
-0003415919 00000 n
-0003416071 00000 n
-0003416221 00000 n
-0003416371 00000 n
-0003416521 00000 n
-0003416672 00000 n
-0003416824 00000 n
-0003416976 00000 n
-0003417127 00000 n
-0003417279 00000 n
-0003417431 00000 n
-0003417583 00000 n
-0003417734 00000 n
-0003417886 00000 n
-0003418037 00000 n
-0003418188 00000 n
-0003418340 00000 n
-0003418490 00000 n
-0003418641 00000 n
-0003418793 00000 n
-0003418943 00000 n
-0003419094 00000 n
-0003419245 00000 n
-0003419396 00000 n
-0003419548 00000 n
-0003419700 00000 n
-0003419851 00000 n
-0003420003 00000 n
-0003420154 00000 n
-0003420306 00000 n
-0003420457 00000 n
-0003420608 00000 n
-0003420760 00000 n
-0003420912 00000 n
-0003421064 00000 n
-0003421216 00000 n
-0003421368 00000 n
-0003421520 00000 n
-0003424645 00000 n
-0003424796 00000 n
-0003421736 00000 n
-0003401645 00000 n
-0003400103 00000 n
-0003421672 00000 n
-0003675845 00000 n
-0003424948 00000 n
-0003425098 00000 n
-0003425248 00000 n
-0003425398 00000 n
-0003425548 00000 n
-0003425697 00000 n
-0003425849 00000 n
-0003426001 00000 n
-0003426153 00000 n
-0003426305 00000 n
-0003426455 00000 n
-0003426606 00000 n
-0003426758 00000 n
-0003426910 00000 n
-0003427061 00000 n
-0003427212 00000 n
-0003427363 00000 n
-0003427514 00000 n
-0003427666 00000 n
-0003427817 00000 n
-0003427969 00000 n
-0003428121 00000 n
-0003428273 00000 n
-0003428425 00000 n
-0003428577 00000 n
-0003428729 00000 n
-0003428881 00000 n
-0003429033 00000 n
-0003429185 00000 n
-0003429337 00000 n
-0003429489 00000 n
-0003429640 00000 n
-0003429791 00000 n
-0003429943 00000 n
-0003430095 00000 n
-0003430246 00000 n
-0003430397 00000 n
-0003430548 00000 n
-0003430700 00000 n
-0003430852 00000 n
-0003431004 00000 n
-0003431156 00000 n
-0003431308 00000 n
-0003431460 00000 n
-0003431612 00000 n
-0003431764 00000 n
-0003431916 00000 n
-0003432068 00000 n
-0003432220 00000 n
-0003432372 00000 n
-0003432524 00000 n
-0003432675 00000 n
-0003432826 00000 n
-0003432977 00000 n
-0003433129 00000 n
-0003433281 00000 n
-0003433432 00000 n
-0003433584 00000 n
-0003433735 00000 n
-0003433887 00000 n
-0003434039 00000 n
-0003434191 00000 n
-0003434343 00000 n
-0003434495 00000 n
-0003434647 00000 n
-0003434799 00000 n
-0003434951 00000 n
-0003435103 00000 n
-0003435254 00000 n
-0003435406 00000 n
-0003435557 00000 n
-0003435707 00000 n
-0003435859 00000 n
-0003436009 00000 n
-0003436161 00000 n
-0003436313 00000 n
-0003436465 00000 n
-0003436617 00000 n
-0003436768 00000 n
-0003436919 00000 n
-0003437068 00000 n
-0003437217 00000 n
-0003437368 00000 n
-0003437517 00000 n
-0003437668 00000 n
-0003437818 00000 n
-0003437969 00000 n
-0003438120 00000 n
-0003438271 00000 n
-0003438423 00000 n
-0003438575 00000 n
-0003438727 00000 n
-0003438878 00000 n
-0003439029 00000 n
-0003439180 00000 n
-0003439332 00000 n
-0003439484 00000 n
-0003439632 00000 n
-0003439784 00000 n
-0003439936 00000 n
-0003440086 00000 n
-0003440237 00000 n
-0003440388 00000 n
-0003440539 00000 n
-0003440690 00000 n
-0003440840 00000 n
-0003440991 00000 n
-0003441142 00000 n
-0003441294 00000 n
-0003441446 00000 n
-0003441596 00000 n
-0003441748 00000 n
-0003441900 00000 n
-0003442052 00000 n
-0003442204 00000 n
-0003442355 00000 n
-0003442506 00000 n
-0003442657 00000 n
-0003442807 00000 n
-0003442958 00000 n
-0003443110 00000 n
-0003443262 00000 n
-0003443475 00000 n
-0003423401 00000 n
-0003421852 00000 n
-0003443412 00000 n
-0003443997 00000 n
-0003444023 00000 n
-0003444049 00000 n
-0003444075 00000 n
-0003444507 00000 n
-0003444531 00000 n
-0003444657 00000 n
-0003444871 00000 n
-0003445315 00000 n
-0003445479 00000 n
-0003446130 00000 n
-0003446451 00000 n
-0003446487 00000 n
-0003447141 00000 n
-0003447591 00000 n
-0003447967 00000 n
-0003448005 00000 n
-0003448085 00000 n
-0003448518 00000 n
-0003448890 00000 n
-0003449527 00000 n
-0003449923 00000 n
-0003450603 00000 n
-0003451273 00000 n
-0003451906 00000 n
-0003452558 00000 n
-0003452989 00000 n
-0003453638 00000 n
-0003454276 00000 n
-0003468828 00000 n
-0003469293 00000 n
-0003476930 00000 n
-0003477248 00000 n
-0003479515 00000 n
-0003479743 00000 n
-0003484376 00000 n
-0003484633 00000 n
-0003488222 00000 n
-0003488463 00000 n
-0003499080 00000 n
-0003499475 00000 n
-0003505692 00000 n
-0003505984 00000 n
-0003507702 00000 n
-0003507925 00000 n
-0003509719 00000 n
-0003509953 00000 n
-0003528602 00000 n
-0003529224 00000 n
-0003533846 00000 n
-0003534123 00000 n
-0003537436 00000 n
-0003537704 00000 n
-0003541649 00000 n
-0003541925 00000 n
-0003553937 00000 n
-0003554371 00000 n
-0003556147 00000 n
-0003556376 00000 n
-0003566330 00000 n
-0003566816 00000 n
-0003571122 00000 n
-0003571415 00000 n
-0003580598 00000 n
-0003581007 00000 n
-0003594253 00000 n
-0003594758 00000 n
-0003597874 00000 n
-0003598130 00000 n
-0003600638 00000 n
-0003600955 00000 n
-0003618595 00000 n
-0003619116 00000 n
-0003620856 00000 n
-0003621079 00000 n
-0003622804 00000 n
-0003623027 00000 n
-0003626531 00000 n
-0003626770 00000 n
-0003643352 00000 n
-0003643999 00000 n
-0003655978 00000 n
-0003656430 00000 n
-0003658264 00000 n
-0003675934 00000 n
-0003676060 00000 n
-0003676186 00000 n
-0003676312 00000 n
-0003676438 00000 n
-0003676564 00000 n
-0003676690 00000 n
-0003676816 00000 n
-0003676942 00000 n
-0003677068 00000 n
-0003677194 00000 n
-0003677320 00000 n
-0003677446 00000 n
-0003677572 00000 n
-0003677698 00000 n
-0003677824 00000 n
-0003677950 00000 n
-0003678076 00000 n
-0003678193 00000 n
-0003678320 00000 n
-0003678447 00000 n
-0003678574 00000 n
-0003678657 00000 n
-0003705551 00000 n
-0003705700 00000 n
-0003705839 00000 n
-0003706040 00000 n
-0003706220 00000 n
-0003706405 00000 n
-0003706589 00000 n
-0003706774 00000 n
-0003706958 00000 n
-0003707143 00000 n
-0003707326 00000 n
-0003707509 00000 n
-0003707694 00000 n
-0003707878 00000 n
-0003708063 00000 n
-0003708247 00000 n
-0003708432 00000 n
-0003708616 00000 n
-0003708801 00000 n
-0003708985 00000 n
-0003709170 00000 n
-0003709353 00000 n
-0003709534 00000 n
-0003709717 00000 n
-0003709900 00000 n
-0003710085 00000 n
-0003710269 00000 n
-0003710454 00000 n
-0003710638 00000 n
-0003710823 00000 n
-0003711007 00000 n
-0003711192 00000 n
-0003711376 00000 n
-0003711561 00000 n
-0003711744 00000 n
-0003711927 00000 n
-0003712112 00000 n
-0003712296 00000 n
-0003712481 00000 n
-0003712665 00000 n
-0003712850 00000 n
-0003713032 00000 n
-0003713217 00000 n
-0003713401 00000 n
-0003713586 00000 n
-0003713770 00000 n
-0003713955 00000 n
-0003714138 00000 n
-0003714321 00000 n
-0003714506 00000 n
-0003714690 00000 n
-0003714875 00000 n
-0003715059 00000 n
-0003715244 00000 n
-0003715428 00000 n
-0003715613 00000 n
-0003715797 00000 n
-0003715982 00000 n
-0003716165 00000 n
-0003716346 00000 n
-0003716529 00000 n
-0003716712 00000 n
-0003716897 00000 n
-0003717081 00000 n
-0003717266 00000 n
-0003717450 00000 n
-0003717635 00000 n
-0003717819 00000 n
-0003718004 00000 n
-0003718188 00000 n
-0003718373 00000 n
-0003718556 00000 n
-0003718739 00000 n
-0003718924 00000 n
-0003719108 00000 n
-0003719293 00000 n
-0003719477 00000 n
-0003719662 00000 n
-0003719844 00000 n
-0003720029 00000 n
-0003720213 00000 n
-0003720398 00000 n
-0003720582 00000 n
-0003720767 00000 n
-0003720950 00000 n
-0003721133 00000 n
-0003721318 00000 n
-0003721502 00000 n
-0003721687 00000 n
-0003721871 00000 n
-0003722056 00000 n
-0003722240 00000 n
-0003722425 00000 n
-0003722609 00000 n
-0003722794 00000 n
-0003722977 00000 n
-0003723158 00000 n
-0003723341 00000 n
-0003723524 00000 n
-0003723709 00000 n
-0003723893 00000 n
-0003724074 00000 n
-0003724250 00000 n
-0003724427 00000 n
-0003724603 00000 n
-0003724780 00000 n
-0003724956 00000 n
-0003725133 00000 n
-0003725321 00000 n
-0003725509 00000 n
-0003725705 00000 n
-0003725902 00000 n
-0003726109 00000 n
-0003726313 00000 n
-0003726515 00000 n
-0003726717 00000 n
-0003726921 00000 n
-0003727144 00000 n
-0003727376 00000 n
-0003727604 00000 n
-0003727826 00000 n
-0003728028 00000 n
-0003728204 00000 n
-0003728407 00000 n
-0003728624 00000 n
-0003728823 00000 n
-0003729021 00000 n
-0003729216 00000 n
-0003729410 00000 n
-0003729604 00000 n
-0003729791 00000 n
-0003729991 00000 n
-0003730184 00000 n
-0003730399 00000 n
-0003730637 00000 n
-0003730876 00000 n
-0003731109 00000 n
-0003731342 00000 n
-0003731575 00000 n
-0003731808 00000 n
-0003732033 00000 n
-0003732262 00000 n
-0003732487 00000 n
-0003732717 00000 n
-0003732947 00000 n
-0003733172 00000 n
-0003733397 00000 n
-0003733622 00000 n
-0003733847 00000 n
-0003734077 00000 n
-0003734302 00000 n
-0003734527 00000 n
-0003734742 00000 n
-0003734955 00000 n
-0003735164 00000 n
-0003735373 00000 n
-0003735574 00000 n
-0003735775 00000 n
-0003735976 00000 n
-0003736162 00000 n
-0003736355 00000 n
-0003736548 00000 n
-0003736741 00000 n
-0003736934 00000 n
-0003737127 00000 n
-0003737320 00000 n
-0003737513 00000 n
-0003737706 00000 n
-0003737899 00000 n
-0003738092 00000 n
-0003738285 00000 n
-0003738478 00000 n
-0003738671 00000 n
-0003738864 00000 n
-0003739057 00000 n
-0003739250 00000 n
-0003739443 00000 n
-0003739636 00000 n
-0003739829 00000 n
-0003740022 00000 n
-0003740215 00000 n
-0003740408 00000 n
-0003740601 00000 n
-0003740794 00000 n
-0003740987 00000 n
-0003741180 00000 n
-0003741373 00000 n
-0003741566 00000 n
-0003741759 00000 n
-0003741952 00000 n
-0003742145 00000 n
-0003742338 00000 n
-0003742531 00000 n
-0003742724 00000 n
-0003742917 00000 n
-0003743110 00000 n
-0003743303 00000 n
-0003743493 00000 n
-0003743689 00000 n
-0003743891 00000 n
-0003744142 00000 n
-0003744389 00000 n
-0003744636 00000 n
-0003744885 00000 n
-0003745134 00000 n
-0003745383 00000 n
-0003745624 00000 n
-0003745859 00000 n
-0003746108 00000 n
-0003746356 00000 n
-0003746605 00000 n
-0003746850 00000 n
-0003747093 00000 n
-0003747342 00000 n
-0003747590 00000 n
-0003747837 00000 n
-0003748078 00000 n
-0003748325 00000 n
-0003748572 00000 n
-0003748821 00000 n
-0003749069 00000 n
-0003749314 00000 n
-0003749555 00000 n
-0003749796 00000 n
-0003750037 00000 n
-0003750280 00000 n
-0003750529 00000 n
-0003750777 00000 n
-0003751026 00000 n
-0003751267 00000 n
-0003751513 00000 n
-0003751760 00000 n
-0003752001 00000 n
-0003752247 00000 n
-0003752496 00000 n
-0003752743 00000 n
-0003752990 00000 n
-0003753236 00000 n
-0003753479 00000 n
-0003753728 00000 n
-0003753976 00000 n
-0003754225 00000 n
-0003754473 00000 n
-0003754716 00000 n
-0003754956 00000 n
-0003755197 00000 n
-0003755436 00000 n
-0003755675 00000 n
-0003755911 00000 n
-0003756153 00000 n
-0003756402 00000 n
-0003756650 00000 n
-0003756891 00000 n
-0003757137 00000 n
-0003757386 00000 n
-0003757633 00000 n
-0003757878 00000 n
-0003758121 00000 n
-0003758370 00000 n
-0003758618 00000 n
-0003758867 00000 n
-0003759115 00000 n
-0003759364 00000 n
-0003759609 00000 n
-0003759853 00000 n
-0003760102 00000 n
-0003760350 00000 n
-0003760595 00000 n
-0003760838 00000 n
-0003761087 00000 n
-0003761335 00000 n
-0003761582 00000 n
-0003761823 00000 n
-0003762070 00000 n
-0003762317 00000 n
-0003762566 00000 n
-0003762814 00000 n
-0003763063 00000 n
-0003763311 00000 n
-0003763552 00000 n
-0003763801 00000 n
-0003764049 00000 n
-0003764298 00000 n
-0003764546 00000 n
-0003764792 00000 n
-0003765035 00000 n
-0003765284 00000 n
-0003765532 00000 n
-0003765781 00000 n
-0003766029 00000 n
-0003766278 00000 n
-0003766524 00000 n
-0003766767 00000 n
-0003767016 00000 n
-0003767264 00000 n
-0003767513 00000 n
-0003767761 00000 n
-0003768010 00000 n
-0003768251 00000 n
-0003768498 00000 n
-0003768745 00000 n
-0003768994 00000 n
-0003769242 00000 n
-0003769491 00000 n
-0003769734 00000 n
-0003769974 00000 n
-0003770215 00000 n
-0003770454 00000 n
-0003770693 00000 n
-0003770930 00000 n
-0003771170 00000 n
-0003771419 00000 n
-0003771667 00000 n
-0003771916 00000 n
-0003772164 00000 n
-0003772409 00000 n
-0003772653 00000 n
-0003772902 00000 n
-0003773143 00000 n
-0003773388 00000 n
-0003773634 00000 n
-0003773875 00000 n
-0003774120 00000 n
-0003774361 00000 n
-0003774607 00000 n
-0003774856 00000 n
-0003775103 00000 n
-0003775350 00000 n
-0003775599 00000 n
-0003775847 00000 n
-0003776090 00000 n
-0003776337 00000 n
-0003776584 00000 n
-0003776833 00000 n
-0003777081 00000 n
-0003777328 00000 n
-0003777569 00000 n
-0003777818 00000 n
-0003778066 00000 n
-0003778315 00000 n
-0003778563 00000 n
-0003778812 00000 n
-0003779055 00000 n
-0003779301 00000 n
-0003779550 00000 n
-0003779797 00000 n
-0003780044 00000 n
-0003780290 00000 n
-0003780533 00000 n
-0003780782 00000 n
-0003781030 00000 n
-0003781279 00000 n
-0003781527 00000 n
-0003781771 00000 n
-0003782016 00000 n
-0003782265 00000 n
-0003782513 00000 n
-0003782762 00000 n
-0003783006 00000 n
-0003783246 00000 n
-0003783487 00000 n
-0003783727 00000 n
-0003783963 00000 n
-0003784203 00000 n
-0003784452 00000 n
-0003784698 00000 n
-0003784939 00000 n
-0003785186 00000 n
-0003785431 00000 n
-0003785670 00000 n
-0003785911 00000 n
-0003786151 00000 n
-0003786387 00000 n
-0003786623 00000 n
-0003786864 00000 n
-0003787104 00000 n
-0003787343 00000 n
-0003787576 00000 n
-0003787815 00000 n
-0003788054 00000 n
-0003788295 00000 n
-0003788535 00000 n
-0003788776 00000 n
-0003789016 00000 n
-0003789251 00000 n
-0003789490 00000 n
-0003789729 00000 n
-0003789970 00000 n
-0003790206 00000 n
-0003790442 00000 n
-0003790678 00000 n
-0003790909 00000 n
-0003791131 00000 n
-0003791313 00000 n
-0003791498 00000 n
-0003791682 00000 n
-0003791867 00000 n
-0003792050 00000 n
-0003792233 00000 n
-0003792418 00000 n
-0003792602 00000 n
-0003792787 00000 n
-0003792971 00000 n
-0003793156 00000 n
-0003793340 00000 n
-0003793525 00000 n
-0003793709 00000 n
-0003793894 00000 n
-0003794077 00000 n
-0003794260 00000 n
-0003794445 00000 n
-0003794626 00000 n
-0003794811 00000 n
-0003794995 00000 n
-0003795180 00000 n
-0003795364 00000 n
-0003795549 00000 n
-0003795733 00000 n
-0003795918 00000 n
-0003796102 00000 n
-0003796287 00000 n
-0003796470 00000 n
-0003796653 00000 n
-0003796838 00000 n
-0003797022 00000 n
-0003797207 00000 n
-0003797391 00000 n
-0003797576 00000 n
-0003797760 00000 n
-0003797945 00000 n
-0003798127 00000 n
-0003798312 00000 n
-0003798496 00000 n
-0003798681 00000 n
-0003798864 00000 n
-0003799047 00000 n
-0003799232 00000 n
-0003799416 00000 n
-0003799601 00000 n
-0003799785 00000 n
-0003799970 00000 n
-0003800154 00000 n
-0003800339 00000 n
-0003800523 00000 n
-0003800708 00000 n
-0003800891 00000 n
-0003801074 00000 n
-0003801259 00000 n
-0003801440 00000 n
-0003801625 00000 n
-0003801809 00000 n
-0003801994 00000 n
-0003802178 00000 n
-0003802363 00000 n
-0003802547 00000 n
-0003802732 00000 n
-0003802916 00000 n
-0003803101 00000 n
-0003803284 00000 n
-0003803467 00000 n
-0003803652 00000 n
-0003803836 00000 n
-0003804021 00000 n
-0003804205 00000 n
-0003804390 00000 n
-0003804574 00000 n
-0003804759 00000 n
-0003804941 00000 n
-0003805126 00000 n
-0003805310 00000 n
-0003805495 00000 n
-0003805678 00000 n
-0003805861 00000 n
-0003806046 00000 n
-0003806230 00000 n
-0003806415 00000 n
-0003806599 00000 n
-0003806784 00000 n
-0003806968 00000 n
-0003807153 00000 n
-0003807337 00000 n
-0003807522 00000 n
-0003807705 00000 n
-0003807888 00000 n
-0003808073 00000 n
-0003808248 00000 n
-0003808423 00000 n
-0003808600 00000 n
-0003808776 00000 n
-0003808953 00000 n
-0003809129 00000 n
-0003809306 00000 n
-0003809487 00000 n
-0003809668 00000 n
-0003809853 00000 n
-0003810046 00000 n
-0003810239 00000 n
-0003810437 00000 n
-0003810621 00000 n
-0003810805 00000 n
-0003811004 00000 n
-0003811212 00000 n
-0003811462 00000 n
-0003811713 00000 n
-0003811952 00000 n
-0003812194 00000 n
-0003812389 00000 n
-0003812572 00000 n
-0003812775 00000 n
-0003812979 00000 n
-0003813186 00000 n
-0003813395 00000 n
-0003813603 00000 n
-0003813811 00000 n
-0003814020 00000 n
-0003814229 00000 n
-0003814438 00000 n
-0003814640 00000 n
-0003814849 00000 n
-0003815060 00000 n
-0003815271 00000 n
-0003815484 00000 n
-0003815701 00000 n
-0003815909 00000 n
-0003816112 00000 n
-0003816315 00000 n
-0003816518 00000 n
-0003816721 00000 n
-0003816924 00000 n
-0003817117 00000 n
-0003817361 00000 n
-0003817612 00000 n
-0003817863 00000 n
-0003818114 00000 n
-0003818365 00000 n
-0003818620 00000 n
-0003818877 00000 n
-0003819123 00000 n
-0003819366 00000 n
-0003819609 00000 n
-0003819852 00000 n
-0003820095 00000 n
-0003820338 00000 n
-0003820581 00000 n
-0003820824 00000 n
-0003821067 00000 n
-0003821310 00000 n
-0003821553 00000 n
-0003821796 00000 n
-0003822060 00000 n
-0003822342 00000 n
-0003822633 00000 n
-0003822925 00000 n
-0003823215 00000 n
-0003823498 00000 n
-0003823781 00000 n
-0003824064 00000 n
-0003824347 00000 n
-0003824630 00000 n
-0003824840 00000 n
-0003825036 00000 n
-0003825229 00000 n
-0003825419 00000 n
-0003825532 00000 n
-0003825650 00000 n
-0003825768 00000 n
-0003825885 00000 n
-0003826003 00000 n
-0003826121 00000 n
-0003826239 00000 n
-0003826356 00000 n
-0003826474 00000 n
-0003826592 00000 n
-0003826710 00000 n
-0003826827 00000 n
-0003826945 00000 n
-0003827063 00000 n
-0003827181 00000 n
-0003827297 00000 n
-0003827413 00000 n
-0003827534 00000 n
-0003827652 00000 n
-0003827777 00000 n
-0003827903 00000 n
-0003828023 00000 n
-0003828147 00000 n
-0003828276 00000 n
-0003828404 00000 n
-0003828529 00000 n
-0003828650 00000 n
-0003828770 00000 n
-0003828890 00000 n
-0003829010 00000 n
-0003829130 00000 n
-0003829250 00000 n
-0003829369 00000 n
-0003829493 00000 n
-0003829627 00000 n
-0003829760 00000 n
-0003829892 00000 n
-0003830025 00000 n
-0003830158 00000 n
-0003830291 00000 n
-0003830424 00000 n
-0003830556 00000 n
-0003830689 00000 n
-0003830823 00000 n
-0003830957 00000 n
-0003831091 00000 n
-0003831225 00000 n
-0003831359 00000 n
-0003831494 00000 n
-0003831628 00000 n
-0003831762 00000 n
-0003831895 00000 n
-0003832029 00000 n
-0003832163 00000 n
-0003832297 00000 n
-0003832430 00000 n
-0003832564 00000 n
-0003832698 00000 n
-0003832833 00000 n
-0003832967 00000 n
-0003833100 00000 n
-0003833232 00000 n
-0003833364 00000 n
-0003833496 00000 n
-0003833627 00000 n
-0003833752 00000 n
-0003833870 00000 n
-0003833989 00000 n
-0003834108 00000 n
-0003834227 00000 n
-0003834345 00000 n
-0003834464 00000 n
-0003834583 00000 n
-0003834702 00000 n
-0003834820 00000 n
-0003834939 00000 n
-0003835058 00000 n
-0003835177 00000 n
-0003835296 00000 n
-0003835415 00000 n
-0003835532 00000 n
-0003835651 00000 n
-0003835766 00000 n
-0003835887 00000 n
-0003836013 00000 n
-0003836138 00000 n
-0003836264 00000 n
-0003836390 00000 n
-0003836521 00000 n
-0003836657 00000 n
-0003836792 00000 n
-0003836933 00000 n
-0003837079 00000 n
-0003837191 00000 n
-0003837305 00000 n
-0003837423 00000 n
-0003837546 00000 n
-0003837669 00000 n
-0003837794 00000 n
-0003837921 00000 n
-0003838054 00000 n
-0003838188 00000 n
-0003838329 00000 n
-0003838469 00000 n
-0003838601 00000 n
-0003838725 00000 n
-0003838850 00000 n
-0003838977 00000 n
-0003839114 00000 n
-0003839225 00000 n
-0003839352 00000 n
-0003839484 00000 n
-0003839587 00000 n
-0003839675 00000 n
-0003839717 00000 n
-0003839963 00000 n
+0000029833 00000 n
+0000029896 00000 n
+0003658684 00000 n
+0003658537 00000 n
+0003660005 00000 n
+0003662638 00000 n
+0000032372 00000 n
+0000032009 00000 n
+0000030062 00000 n
+0000032125 00000 n
+0003661173 00000 n
+0000032309 00000 n
+0003659859 00000 n
+0003661616 00000 n
+0000034902 00000 n
+0000034596 00000 n
+0000032488 00000 n
+0000034712 00000 n
+0000034838 00000 n
+0000036296 00000 n
+0000036447 00000 n
+0000036601 00000 n
+0000036755 00000 n
+0000036909 00000 n
+0000037062 00000 n
+0000037216 00000 n
+0000037370 00000 n
+0000037519 00000 n
+0000037674 00000 n
+0000037827 00000 n
+0000037981 00000 n
+0000038136 00000 n
+0000038296 00000 n
+0000038461 00000 n
+0000038626 00000 n
+0000038790 00000 n
+0000038950 00000 n
+0000039115 00000 n
+0000039280 00000 n
+0000039445 00000 n
+0000039604 00000 n
+0000039769 00000 n
+0000039934 00000 n
+0000041921 00000 n
+0000040152 00000 n
+0000035952 00000 n
+0000035018 00000 n
+0000040089 00000 n
+0000042073 00000 n
+0000042228 00000 n
+0000042388 00000 n
+0000042543 00000 n
+0000042703 00000 n
+0000042863 00000 n
+0000043018 00000 n
+0000043178 00000 n
+0000043338 00000 n
+0000043498 00000 n
+0000043653 00000 n
+0000043805 00000 n
+0000043960 00000 n
+0000044120 00000 n
+0000044274 00000 n
+0000044434 00000 n
+0000044599 00000 n
+0000044759 00000 n
+0000044914 00000 n
+0000045074 00000 n
+0000045234 00000 n
+0000045394 00000 n
+0000045554 00000 n
+0000045714 00000 n
+0000045874 00000 n
+0000046034 00000 n
+0000046199 00000 n
+0000046359 00000 n
+0000046519 00000 n
+0000046673 00000 n
+0000046826 00000 n
+0000046981 00000 n
+0000047141 00000 n
+0000047296 00000 n
+0000047456 00000 n
+0000047616 00000 n
+0000047771 00000 n
+0000050141 00000 n
+0000047995 00000 n
+0000041451 00000 n
+0000040268 00000 n
+0000047931 00000 n
+0003661027 00000 n
+0000050300 00000 n
+0000050460 00000 n
+0000050624 00000 n
+0000050789 00000 n
+0000050949 00000 n
+0000051109 00000 n
+0000051269 00000 n
+0000051423 00000 n
+0000051576 00000 n
+0000051731 00000 n
+0000051886 00000 n
+0000052046 00000 n
+0000052200 00000 n
+0000052360 00000 n
+0000052524 00000 n
+0000052689 00000 n
+0000052854 00000 n
+0000053019 00000 n
+0000053184 00000 n
+0000053349 00000 n
+0000053514 00000 n
+0000053673 00000 n
+0000053833 00000 n
+0000053988 00000 n
+0000054148 00000 n
+0000054308 00000 n
+0000054468 00000 n
+0000054628 00000 n
+0000054793 00000 n
+0000054958 00000 n
+0000055123 00000 n
+0000055283 00000 n
+0000055443 00000 n
+0000055597 00000 n
+0000057778 00000 n
+0000055815 00000 n
+0000049698 00000 n
+0000048097 00000 n
+0000055752 00000 n
+0000057937 00000 n
+0000058097 00000 n
+0000058257 00000 n
+0000058417 00000 n
+0000058572 00000 n
+0000058731 00000 n
+0000058891 00000 n
+0000059051 00000 n
+0000059211 00000 n
+0000059371 00000 n
+0000059530 00000 n
+0000059685 00000 n
+0000059840 00000 n
+0000059993 00000 n
+0000060148 00000 n
+0000060308 00000 n
+0000060463 00000 n
+0000060623 00000 n
+0000060788 00000 n
+0000060953 00000 n
+0000061118 00000 n
+0000061278 00000 n
+0000061433 00000 n
+0000061592 00000 n
+0000061747 00000 n
+0000061896 00000 n
+0000062051 00000 n
+0000062203 00000 n
+0000062358 00000 n
+0000062518 00000 n
+0000062673 00000 n
+0000065073 00000 n
+0000062897 00000 n
+0000057362 00000 n
+0000055917 00000 n
+0000062833 00000 n
+0003662763 00000 n
+0000065232 00000 n
+0000065387 00000 n
+0000065546 00000 n
+0000065706 00000 n
+0000065866 00000 n
+0000066026 00000 n
+0000066191 00000 n
+0000066356 00000 n
+0000066521 00000 n
+0000066681 00000 n
+0000066846 00000 n
+0000067011 00000 n
+0000067170 00000 n
+0000067325 00000 n
+0000067478 00000 n
+0000067632 00000 n
+0000067792 00000 n
+0000067955 00000 n
+0000068120 00000 n
+0000068285 00000 n
+0000068450 00000 n
+0000068615 00000 n
+0000068779 00000 n
+0000068934 00000 n
+0000069094 00000 n
+0000069254 00000 n
+0000069414 00000 n
+0000069569 00000 n
+0000069729 00000 n
+0000069894 00000 n
+0000071987 00000 n
+0000070122 00000 n
+0000064666 00000 n
+0000063013 00000 n
+0000070059 00000 n
+0000072152 00000 n
+0000072311 00000 n
+0000072476 00000 n
+0000072641 00000 n
+0000072801 00000 n
+0000072954 00000 n
+0000073109 00000 n
+0000073268 00000 n
+0000073423 00000 n
+0000073582 00000 n
+0000073742 00000 n
+0000073897 00000 n
+0000074057 00000 n
+0000074222 00000 n
+0000074380 00000 n
+0000074540 00000 n
+0000074693 00000 n
+0000074847 00000 n
+0000075003 00000 n
+0000075164 00000 n
+0000075320 00000 n
+0000075481 00000 n
+0000075637 00000 n
+0000075798 00000 n
+0000075964 00000 n
+0000076114 00000 n
+0000076269 00000 n
+0000076423 00000 n
+0000076579 00000 n
+0000076739 00000 n
+0000078905 00000 n
+0000076959 00000 n
+0000071580 00000 n
+0000070224 00000 n
+0000076895 00000 n
+0000079065 00000 n
+0000079231 00000 n
+0000079387 00000 n
+0000079548 00000 n
+0000079708 00000 n
+0000079873 00000 n
+0000080039 00000 n
+0000080200 00000 n
+0000080361 00000 n
+0000080526 00000 n
+0000080692 00000 n
+0000080858 00000 n
+0000081019 00000 n
+0000081175 00000 n
+0000081328 00000 n
+0000081484 00000 n
+0000081645 00000 n
+0000081801 00000 n
+0000081962 00000 n
+0000082122 00000 n
+0000082278 00000 n
+0000082439 00000 n
+0000082600 00000 n
+0000082766 00000 n
+0000082931 00000 n
+0000083097 00000 n
+0000083258 00000 n
+0000083419 00000 n
+0000083575 00000 n
+0000083729 00000 n
+0000083885 00000 n
+0000084040 00000 n
+0000084196 00000 n
+0000084357 00000 n
+0000084523 00000 n
+0000086914 00000 n
+0000084752 00000 n
+0000078453 00000 n
+0000077075 00000 n
+0000084689 00000 n
+0000087079 00000 n
+0000087240 00000 n
+0000087400 00000 n
+0000087561 00000 n
+0000087721 00000 n
+0000087882 00000 n
+0000088043 00000 n
+0000088204 00000 n
+0000088364 00000 n
+0000088520 00000 n
+0000088674 00000 n
+0000088830 00000 n
+0000088986 00000 n
+0000089140 00000 n
+0000089295 00000 n
+0000089451 00000 n
+0000089606 00000 n
+0000089762 00000 n
+0000089923 00000 n
+0000090084 00000 n
+0000090245 00000 n
+0000090401 00000 n
+0000090562 00000 n
+0000090718 00000 n
+0000090874 00000 n
+0000091030 00000 n
+0000091186 00000 n
+0000091347 00000 n
+0000091508 00000 n
+0000091669 00000 n
+0000091823 00000 n
+0000091979 00000 n
+0000092135 00000 n
+0000093554 00000 n
+0000092360 00000 n
+0000086480 00000 n
+0000084854 00000 n
+0000092296 00000 n
+0000093709 00000 n
+0000093870 00000 n
+0000094036 00000 n
+0000094196 00000 n
+0000094362 00000 n
+0000094523 00000 n
+0000094689 00000 n
+0000094850 00000 n
+0000095016 00000 n
+0000095177 00000 n
+0000095333 00000 n
+0000095494 00000 n
+0000095648 00000 n
+0000095801 00000 n
+0000095956 00000 n
+0000096175 00000 n
+0000093282 00000 n
+0000092462 00000 n
+0000096112 00000 n
+0000096558 00000 n
+0000096378 00000 n
+0000096277 00000 n
+0000096494 00000 n
+0003662888 00000 n
+0000098206 00000 n
+0000098362 00000 n
+0000098518 00000 n
+0000098674 00000 n
+0000098826 00000 n
+0000098982 00000 n
+0000099137 00000 n
+0000099293 00000 n
+0000099449 00000 n
+0000099604 00000 n
+0000099760 00000 n
+0000099915 00000 n
+0000100071 00000 n
+0000100227 00000 n
+0000100383 00000 n
+0000100539 00000 n
+0000100695 00000 n
+0000100851 00000 n
+0000101007 00000 n
+0000101162 00000 n
+0000101318 00000 n
+0000101475 00000 n
+0000103541 00000 n
+0000101757 00000 n
+0000097880 00000 n
+0000096600 00000 n
+0000101632 00000 n
+0000192800 00000 n
+0000244627 00000 n
+0000250730 00000 n
+0000255980 00000 n
+0000306341 00000 n
+0000371678 00000 n
+0000399621 00000 n
+0000403282 00000 n
+0000407672 00000 n
+0000462884 00000 n
+0000465268 00000 n
+0000545786 00000 n
+0000551236 00000 n
+0000556995 00000 n
+0000561245 00000 n
+0000562268 00000 n
+0000563671 00000 n
+0000564866 00000 n
+0000565926 00000 n
+0000566974 00000 n
+0000568160 00000 n
+0000568286 00000 n
+0000103697 00000 n
+0000103854 00000 n
+0000104010 00000 n
+0000104164 00000 n
+0000104318 00000 n
+0000104474 00000 n
+0000104630 00000 n
+0000104785 00000 n
+0000104941 00000 n
+0000105097 00000 n
+0000105253 00000 n
+0000105410 00000 n
+0000105567 00000 n
+0000105724 00000 n
+0000105881 00000 n
+0000106038 00000 n
+0000106193 00000 n
+0000106346 00000 n
+0000106503 00000 n
+0000106658 00000 n
+0000106814 00000 n
+0000106970 00000 n
+0000107126 00000 n
+0000107282 00000 n
+0000107438 00000 n
+0000107593 00000 n
+0000107749 00000 n
+0000107905 00000 n
+0000109962 00000 n
+0000108125 00000 n
+0000103152 00000 n
+0000101873 00000 n
+0000108061 00000 n
+0000569444 00000 n
+0000570580 00000 n
+0000658624 00000 n
+0000664697 00000 n
+0000670813 00000 n
+0000676121 00000 n
+0000676633 00000 n
+0000677144 00000 n
+0000696056 00000 n
+0000697199 00000 n
+0000698335 00000 n
+0000699523 00000 n
+0000700557 00000 n
+0000701578 00000 n
+0000702716 00000 n
+0000703833 00000 n
+0000705040 00000 n
+0000706072 00000 n
+0000707182 00000 n
+0000845986 00000 n
+0000982405 00000 n
+0000983444 00000 n
+0000984499 00000 n
+0000985551 00000 n
+0000989759 00000 n
+0000994346 00000 n
+0000999665 00000 n
+0001005948 00000 n
+0001010771 00000 n
+0000110117 00000 n
+0000110274 00000 n
+0000110430 00000 n
+0000110586 00000 n
+0000110742 00000 n
+0000110898 00000 n
+0000111053 00000 n
+0000111209 00000 n
+0000111364 00000 n
+0000111520 00000 n
+0000111677 00000 n
+0000111833 00000 n
+0000111989 00000 n
+0000112145 00000 n
+0000112301 00000 n
+0000112456 00000 n
+0000112612 00000 n
+0000112766 00000 n
+0000112923 00000 n
+0000113080 00000 n
+0000113236 00000 n
+0000115215 00000 n
+0000113456 00000 n
+0000109636 00000 n
+0000108227 00000 n
+0000113393 00000 n
+0001015394 00000 n
+0001017309 00000 n
+0001183935 00000 n
+0001185295 00000 n
+0001190740 00000 n
+0001196169 00000 n
+0001200634 00000 n
+0001206938 00000 n
+0001212990 00000 n
+0001602305 00000 n
+0001606308 00000 n
+0001606435 00000 n
+0001607494 00000 n
+0001611772 00000 n
+0001618508 00000 n
+0001625021 00000 n
+0001631338 00000 n
+0001632615 00000 n
+0001636341 00000 n
+0001637364 00000 n
+0001638821 00000 n
+0001638947 00000 n
+0000115370 00000 n
+0000115526 00000 n
+0000115682 00000 n
+0000115838 00000 n
+0000115994 00000 n
+0000116150 00000 n
+0000116306 00000 n
+0000116463 00000 n
+0000116620 00000 n
+0000116777 00000 n
+0000116934 00000 n
+0000117091 00000 n
+0000117248 00000 n
+0000117405 00000 n
+0000117562 00000 n
+0000117718 00000 n
+0000117874 00000 n
+0000118032 00000 n
+0000118190 00000 n
+0000118348 00000 n
+0000118505 00000 n
+0000118663 00000 n
+0000118821 00000 n
+0000118979 00000 n
+0000119137 00000 n
+0000119295 00000 n
+0000119452 00000 n
+0000119609 00000 n
+0000121210 00000 n
+0000119830 00000 n
+0000114826 00000 n
+0000113558 00000 n
+0000119766 00000 n
+0001818881 00000 n
+0001825003 00000 n
+0001828415 00000 n
+0001829717 00000 n
+0001830732 00000 n
+0001831802 00000 n
+0001832881 00000 n
+0001847128 00000 n
+0001881921 00000 n
+0001883305 00000 n
+0001888445 00000 n
+0001894525 00000 n
+0001900455 00000 n
+0001906163 00000 n
+0001910751 00000 n
+0001913700 00000 n
+0001914625 00000 n
+0001916182 00000 n
+0001917490 00000 n
+0001918935 00000 n
+0001920465 00000 n
+0001921709 00000 n
+0001923021 00000 n
+0001924824 00000 n
+0001926244 00000 n
+0001927469 00000 n
+0002017938 00000 n
+0002028174 00000 n
+0002029454 00000 n
+0000121367 00000 n
+0000121523 00000 n
+0000121679 00000 n
+0000121836 00000 n
+0000121993 00000 n
+0000122149 00000 n
+0000122306 00000 n
+0000122463 00000 n
+0000122620 00000 n
+0000122777 00000 n
+0000122934 00000 n
+0000123090 00000 n
+0000123247 00000 n
+0000123467 00000 n
+0000120956 00000 n
+0000119932 00000 n
+0000123404 00000 n
+0002034215 00000 n
+0002034342 00000 n
+0002824358 00000 n
+0002825856 00000 n
+0002827046 00000 n
+0002827174 00000 n
+0002828638 00000 n
+0002830009 00000 n
+0002831374 00000 n
+0002832872 00000 n
+0002834050 00000 n
+0002835168 00000 n
+0002836530 00000 n
+0002836656 00000 n
+0000123850 00000 n
+0000123670 00000 n
+0000123569 00000 n
+0000123786 00000 n
+0003663013 00000 n
+0000125411 00000 n
+0000125555 00000 n
+0000125708 00000 n
+0000125861 00000 n
+0000126005 00000 n
+0000126158 00000 n
+0000126303 00000 n
+0000126456 00000 n
+0000126602 00000 n
+0000126755 00000 n
+0000126901 00000 n
+0000127054 00000 n
+0000127207 00000 n
+0000127360 00000 n
+0000127506 00000 n
+0000127659 00000 n
+0000127812 00000 n
+0000127965 00000 n
+0000128118 00000 n
+0000128271 00000 n
+0000130401 00000 n
+0000128549 00000 n
+0000125103 00000 n
+0000123892 00000 n
+0000128424 00000 n
+0003443933 00000 n
+0000235309 00000 n
+0000298533 00000 n
+0003443899 00000 n
+0000365461 00000 n
+0003443865 00000 n
+0000454101 00000 n
+0003443831 00000 n
+0000627247 00000 n
+0003443797 00000 n
+0000764431 00000 n
+0000836915 00000 n
+0000950691 00000 n
+0003443763 00000 n
+0001073499 00000 n
+0001115199 00000 n
+0001115327 00000 n
+0001161306 00000 n
+0001161434 00000 n
+0001314083 00000 n
+0000130553 00000 n
+0000130699 00000 n
+0000130851 00000 n
+0000131004 00000 n
+0000131157 00000 n
+0000131303 00000 n
+0000131456 00000 n
+0000131608 00000 n
+0000131754 00000 n
+0000131908 00000 n
+0000132061 00000 n
+0000132215 00000 n
+0000132369 00000 n
+0000132523 00000 n
+0000132677 00000 n
+0000132831 00000 n
+0000132985 00000 n
+0000133139 00000 n
+0000133293 00000 n
+0000133447 00000 n
+0000133602 00000 n
+0000133747 00000 n
+0000133901 00000 n
+0000134055 00000 n
+0000134205 00000 n
+0000134359 00000 n
+0000134513 00000 n
+0000134667 00000 n
+0000134885 00000 n
+0000130012 00000 n
+0000128651 00000 n
+0000134821 00000 n
+0001414694 00000 n
+0003443729 00000 n
+0001440530 00000 n
+0001488444 00000 n
+0001540616 00000 n
+0003443695 00000 n
+0001729929 00000 n
+0001762548 00000 n
+0003443661 00000 n
+0002118864 00000 n
+0002151182 00000 n
+0002178340 00000 n
+0002178468 00000 n
+0002200372 00000 n
+0002307381 00000 n
+0002383417 00000 n
+0002476930 00000 n
+0002563538 00000 n
+0002640995 00000 n
+0002721388 00000 n
+0002813837 00000 n
+0003443627 00000 n
+0002882302 00000 n
+0002908652 00000 n
+0002942632 00000 n
+0002962086 00000 n
+0002978447 00000 n
+0003001117 00000 n
+0003018297 00000 n
+0000136399 00000 n
+0000136551 00000 n
+0000136695 00000 n
+0000136847 00000 n
+0000136992 00000 n
+0000137144 00000 n
+0000137296 00000 n
+0000137442 00000 n
+0000137594 00000 n
+0000137740 00000 n
+0000137892 00000 n
+0000138044 00000 n
+0000138196 00000 n
+0000138348 00000 n
+0000138494 00000 n
+0000138646 00000 n
+0000138792 00000 n
+0000138945 00000 n
+0000139091 00000 n
+0000139244 00000 n
+0000139522 00000 n
+0000136091 00000 n
+0000134987 00000 n
+0000139397 00000 n
+0000175070 00000 n
+0000298661 00000 n
+0000418611 00000 n
+0000494421 00000 n
+0000633490 00000 n
+0000767485 00000 n
+0000840345 00000 n
+0000879883 00000 n
+0000950819 00000 n
+0001771019 00000 n
+0003443593 00000 n
+0002048806 00000 n
+0002911655 00000 n
+0002917821 00000 n
+0000139905 00000 n
+0000139725 00000 n
+0000139624 00000 n
+0000139841 00000 n
+0000142271 00000 n
+0000141838 00000 n
+0000139947 00000 n
+0000141954 00000 n
+0000142017 00000 n
+0000142081 00000 n
+0000142207 00000 n
+0000144858 00000 n
+0000144678 00000 n
+0000142373 00000 n
+0000144794 00000 n
+0003663138 00000 n
+0000145733 00000 n
+0000145554 00000 n
+0000144974 00000 n
+0000145670 00000 n
+0000148350 00000 n
+0000148042 00000 n
+0000145835 00000 n
+0000148158 00000 n
+0000148222 00000 n
+0000148286 00000 n
+0000150538 00000 n
+0000151009 00000 n
+0000150401 00000 n
+0000148452 00000 n
+0000150690 00000 n
+0000150753 00000 n
+0000150817 00000 n
+0000150881 00000 n
+0000150945 00000 n
+0000175134 00000 n
+0000153911 00000 n
+0000153475 00000 n
+0000151139 00000 n
+0000153591 00000 n
+0000153655 00000 n
+0000153719 00000 n
+0000153783 00000 n
+0000153847 00000 n
+0003662198 00000 n
+0000156549 00000 n
+0000156242 00000 n
+0000154055 00000 n
+0000156358 00000 n
+0000156421 00000 n
+0000156485 00000 n
+0003661470 00000 n
+0000159063 00000 n
+0000158883 00000 n
+0000156707 00000 n
+0000158999 00000 n
+0003659274 00000 n
+0003663263 00000 n
+0000161953 00000 n
+0000161774 00000 n
+0000159221 00000 n
+0000161890 00000 n
+0000164580 00000 n
+0000164825 00000 n
+0000164443 00000 n
+0000162083 00000 n
+0000164761 00000 n
+0003660295 00000 n
+0003660151 00000 n
+0003659714 00000 n
+0003662345 00000 n
+0000167294 00000 n
+0000167115 00000 n
+0000164997 00000 n
+0000167231 00000 n
+0000169983 00000 n
+0000169803 00000 n
+0000167410 00000 n
+0000169919 00000 n
+0000172455 00000 n
+0000172148 00000 n
+0000170099 00000 n
+0000172264 00000 n
+0000172327 00000 n
+0000172391 00000 n
+0000175198 00000 n
+0000174890 00000 n
+0000172599 00000 n
+0000175006 00000 n
+0003663388 00000 n
+0000175745 00000 n
+0000175567 00000 n
+0000175328 00000 n
+0000176036 00000 n
+0000175920 00000 n
+0000175819 00000 n
+0000177889 00000 n
+0000178390 00000 n
+0000177752 00000 n
+0000176078 00000 n
+0000178073 00000 n
+0000178136 00000 n
+0000178262 00000 n
+0000178326 00000 n
+0000178843 00000 n
+0000178663 00000 n
+0000178562 00000 n
+0000178779 00000 n
+0000181165 00000 n
+0000180734 00000 n
+0000178885 00000 n
+0000180850 00000 n
+0003660880 00000 n
+0000180975 00000 n
+0000181101 00000 n
+0003660440 00000 n
+0000186735 00000 n
+0000183818 00000 n
+0000183387 00000 n
+0000181323 00000 n
+0000183503 00000 n
+0000183629 00000 n
+0000183755 00000 n
+0003663513 00000 n
+0000187093 00000 n
+0000186598 00000 n
+0000183962 00000 n
+0000186904 00000 n
+0000187029 00000 n
+0000189368 00000 n
+0000189212 00000 n
+0000190044 00000 n
+0000189066 00000 n
+0000187293 00000 n
+0000189536 00000 n
+0000189662 00000 n
+0000189726 00000 n
+0000189790 00000 n
+0000189854 00000 n
+0000189917 00000 n
+0000189980 00000 n
+0000192864 00000 n
+0000193948 00000 n
+0000192621 00000 n
+0000190230 00000 n
+0000192737 00000 n
+0000192928 00000 n
+0003662491 00000 n
+0000192992 00000 n
+0000193056 00000 n
+0000193120 00000 n
+0000193184 00000 n
+0000193248 00000 n
+0000193312 00000 n
+0000193376 00000 n
+0000193439 00000 n
+0000193503 00000 n
+0000193566 00000 n
+0000193630 00000 n
+0000193694 00000 n
+0000193758 00000 n
+0000193884 00000 n
+0000196075 00000 n
+0000195703 00000 n
+0000194105 00000 n
+0000195819 00000 n
+0000195883 00000 n
+0000195947 00000 n
+0000196011 00000 n
+0000199242 00000 n
+0000198937 00000 n
+0000196233 00000 n
+0000199053 00000 n
+0000199178 00000 n
+0000202119 00000 n
+0000202271 00000 n
+0000202618 00000 n
+0000201973 00000 n
+0000199386 00000 n
+0000202428 00000 n
+0000202554 00000 n
+0003663638 00000 n
+0002084268 00000 n
+0002641187 00000 n
+0000204997 00000 n
+0000206805 00000 n
+0000205467 00000 n
+0000204860 00000 n
+0000202748 00000 n
+0000205151 00000 n
+0000205276 00000 n
+0000205340 00000 n
+0000205403 00000 n
+0000235373 00000 n
+0000235565 00000 n
+0000206689 00000 n
+0000205597 00000 n
+0000235245 00000 n
+0000235437 00000 n
+0000235501 00000 n
+0000210945 00000 n
+0000211102 00000 n
+0000211150 00000 n
+0000211578 00000 n
+0000211807 00000 n
+0000237974 00000 n
+0000237667 00000 n
+0000235710 00000 n
+0000237783 00000 n
+0000237846 00000 n
+0000237910 00000 n
+0000239945 00000 n
+0000240106 00000 n
+0000240265 00000 n
+0000240929 00000 n
+0000239790 00000 n
+0000238132 00000 n
+0000240419 00000 n
+0000240483 00000 n
+0000240547 00000 n
+0000240611 00000 n
+0000240673 00000 n
+0000240737 00000 n
+0000240801 00000 n
+0000240865 00000 n
+0000244691 00000 n
+0000250794 00000 n
+0000244410 00000 n
+0000246864 00000 n
+0000244273 00000 n
+0000241045 00000 n
+0000244564 00000 n
+0000244755 00000 n
+0000244819 00000 n
+0000244883 00000 n
+0000244947 00000 n
+0000245011 00000 n
+0000245075 00000 n
+0000245139 00000 n
+0000245203 00000 n
+0000245267 00000 n
+0000245331 00000 n
+0000245395 00000 n
+0000245459 00000 n
+0000245522 00000 n
+0000245586 00000 n
+0000245649 00000 n
+0000245713 00000 n
+0000245776 00000 n
+0000245840 00000 n
+0000245904 00000 n
+0000245968 00000 n
+0000246032 00000 n
+0000246096 00000 n
+0000246160 00000 n
+0000246224 00000 n
+0000246288 00000 n
+0000246352 00000 n
+0000246416 00000 n
+0000246480 00000 n
+0000246544 00000 n
+0000246608 00000 n
+0000246672 00000 n
+0000246736 00000 n
+0000246800 00000 n
+0000253221 00000 n
+0000250550 00000 n
+0000247021 00000 n
+0000250666 00000 n
+0000250858 00000 n
+0000250922 00000 n
+0000250986 00000 n
+0000251050 00000 n
+0000251114 00000 n
+0000251178 00000 n
+0000251242 00000 n
+0000251306 00000 n
+0000251369 00000 n
+0000251433 00000 n
+0000251496 00000 n
+0000251560 00000 n
+0000251622 00000 n
+0000251686 00000 n
+0000251750 00000 n
+0000251814 00000 n
+0000251878 00000 n
+0000251942 00000 n
+0000252006 00000 n
+0000252070 00000 n
+0000252134 00000 n
+0000252198 00000 n
+0000252262 00000 n
+0000252326 00000 n
+0000252390 00000 n
+0000252454 00000 n
+0000252518 00000 n
+0000252582 00000 n
+0000252646 00000 n
+0000252710 00000 n
+0000252774 00000 n
+0000252838 00000 n
+0000252902 00000 n
+0000252966 00000 n
+0000253030 00000 n
+0000253094 00000 n
+0000253157 00000 n
+0003663763 00000 n
+0000255577 00000 n
+0000256428 00000 n
+0000255440 00000 n
+0000253378 00000 n
+0000255725 00000 n
+0000255788 00000 n
+0000255852 00000 n
+0000255916 00000 n
+0000256044 00000 n
+0000256108 00000 n
+0000256172 00000 n
+0000256236 00000 n
+0000256300 00000 n
+0000256364 00000 n
+0000262327 00000 n
+0000259957 00000 n
+0000258947 00000 n
+0000256572 00000 n
+0000259063 00000 n
+0000259127 00000 n
+0000259191 00000 n
+0000259255 00000 n
+0000259319 00000 n
+0000259383 00000 n
+0000259447 00000 n
+0000259511 00000 n
+0000259574 00000 n
+0000259638 00000 n
+0000259702 00000 n
+0000259766 00000 n
+0000259830 00000 n
+0000259894 00000 n
+0000262795 00000 n
+0000262190 00000 n
+0000260101 00000 n
+0000262480 00000 n
+0000262605 00000 n
+0000262731 00000 n
+0000265198 00000 n
+0000265350 00000 n
+0000268464 00000 n
+0000266077 00000 n
+0000265052 00000 n
+0000262911 00000 n
+0000265505 00000 n
+0000265631 00000 n
+0000265757 00000 n
+0000265821 00000 n
+0000265885 00000 n
+0000265949 00000 n
+0000266013 00000 n
+0000298725 00000 n
+0000298597 00000 n
+0000298166 00000 n
+0000298317 00000 n
+0000298917 00000 n
+0000268318 00000 n
+0000266207 00000 n
+0000298470 00000 n
+0000298789 00000 n
+0000298853 00000 n
+0000272093 00000 n
+0000272250 00000 n
+0000272298 00000 n
+0000272758 00000 n
+0000272987 00000 n
+0000273353 00000 n
+0000273449 00000 n
+0000306405 00000 n
+0000300513 00000 n
+0000300141 00000 n
+0000299132 00000 n
+0000300257 00000 n
+0000300321 00000 n
+0000300385 00000 n
+0000300449 00000 n
+0003663888 00000 n
+0000303081 00000 n
+0000302390 00000 n
+0000300629 00000 n
+0000302506 00000 n
+0000302569 00000 n
+0000302633 00000 n
+0000302697 00000 n
+0000302761 00000 n
+0000302825 00000 n
+0000302889 00000 n
+0000302953 00000 n
+0000303017 00000 n
+0000308003 00000 n
+0000306098 00000 n
+0000303211 00000 n
+0000306214 00000 n
+0000306278 00000 n
+0000306469 00000 n
+0000306533 00000 n
+0000306597 00000 n
+0000306661 00000 n
+0000306725 00000 n
+0000306789 00000 n
+0000306853 00000 n
+0000306917 00000 n
+0000306981 00000 n
+0000307045 00000 n
+0000307109 00000 n
+0000307173 00000 n
+0000307237 00000 n
+0000307301 00000 n
+0000307365 00000 n
+0000307429 00000 n
+0000307493 00000 n
+0000307557 00000 n
+0000307621 00000 n
+0000307685 00000 n
+0000307749 00000 n
+0000307813 00000 n
+0000307876 00000 n
+0000307940 00000 n
+0000310410 00000 n
+0000310040 00000 n
+0000308146 00000 n
+0000310156 00000 n
+0000310282 00000 n
+0000310346 00000 n
+0000313102 00000 n
+0000312922 00000 n
+0000310568 00000 n
+0000313038 00000 n
+0000315904 00000 n
+0000315725 00000 n
+0000313218 00000 n
+0000315841 00000 n
+0000317623 00000 n
+0000317443 00000 n
+0000316048 00000 n
+0000317559 00000 n
+0003664013 00000 n
+0000319766 00000 n
+0000320105 00000 n
+0000319629 00000 n
+0000317739 00000 n
+0000319915 00000 n
+0000320041 00000 n
+0000322978 00000 n
+0000322544 00000 n
+0000320221 00000 n
+0000322660 00000 n
+0000322787 00000 n
+0000322914 00000 n
+0000325164 00000 n
+0000329271 00000 n
+0000325639 00000 n
+0000325027 00000 n
+0000323094 00000 n
+0000325323 00000 n
+0000325449 00000 n
+0000325576 00000 n
+0000328076 00000 n
+0000329485 00000 n
+0000327939 00000 n
+0000325783 00000 n
+0000329421 00000 n
+0003659126 00000 n
+0003660733 00000 n
+0000328453 00000 n
+0000328715 00000 n
+0000328763 00000 n
+0000399685 00000 n
+0000332094 00000 n
+0000332246 00000 n
+0000332867 00000 n
+0000331939 00000 n
+0000329658 00000 n
+0000332551 00000 n
+0000332677 00000 n
+0000332804 00000 n
+0000332398 00000 n
+0001696997 00000 n
+0000334518 00000 n
+0000365779 00000 n
+0000334402 00000 n
+0000333011 00000 n
+0000365397 00000 n
+0000365524 00000 n
+0000365587 00000 n
+0000365651 00000 n
+0000365715 00000 n
+0003664138 00000 n
+0000340769 00000 n
+0000340926 00000 n
+0000340974 00000 n
+0000341412 00000 n
+0000341641 00000 n
+0000367742 00000 n
+0000367893 00000 n
+0000368429 00000 n
+0000367596 00000 n
+0000365924 00000 n
+0000368046 00000 n
+0000368109 00000 n
+0000368173 00000 n
+0000368237 00000 n
+0000368301 00000 n
+0000368365 00000 n
+0000403346 00000 n
+0000407736 00000 n
+0000369858 00000 n
+0000370138 00000 n
+0000369721 00000 n
+0000368545 00000 n
+0000370010 00000 n
+0000370074 00000 n
+0000371742 00000 n
+0000371870 00000 n
+0000371499 00000 n
+0000370254 00000 n
+0000371615 00000 n
+0000371806 00000 n
+0000374029 00000 n
+0000374629 00000 n
+0000373892 00000 n
+0000371986 00000 n
+0000374181 00000 n
+0000374245 00000 n
+0000374309 00000 n
+0000374373 00000 n
+0000374437 00000 n
+0000374501 00000 n
+0000374565 00000 n
+0000376330 00000 n
+0000376990 00000 n
+0000376193 00000 n
+0000374745 00000 n
+0000376480 00000 n
+0000376543 00000 n
+0000376607 00000 n
+0000376671 00000 n
+0000376735 00000 n
+0000376862 00000 n
+0000376926 00000 n
+0000378370 00000 n
+0000378190 00000 n
+0000377120 00000 n
+0000378306 00000 n
+0003664263 00000 n
+0000380060 00000 n
+0000379755 00000 n
+0000378486 00000 n
+0000379871 00000 n
+0000379934 00000 n
+0000379997 00000 n
+0000382220 00000 n
+0000381912 00000 n
+0000380190 00000 n
+0000382028 00000 n
+0000382092 00000 n
+0000382156 00000 n
+0000384739 00000 n
+0000384890 00000 n
+0000385193 00000 n
+0000385918 00000 n
+0000384575 00000 n
+0000382336 00000 n
+0000385344 00000 n
+0000385407 00000 n
+0000385471 00000 n
+0000385041 00000 n
+0000385535 00000 n
+0000385599 00000 n
+0000385663 00000 n
+0000385727 00000 n
+0000385791 00000 n
+0000385855 00000 n
+0002084395 00000 n
+0000388875 00000 n
+0000388250 00000 n
+0000386062 00000 n
+0000388366 00000 n
+0000388430 00000 n
+0000388494 00000 n
+0000388558 00000 n
+0000388684 00000 n
+0000388811 00000 n
+0000391381 00000 n
+0000391011 00000 n
+0000389019 00000 n
+0000391127 00000 n
+0000391253 00000 n
+0000391317 00000 n
+0000393999 00000 n
+0000393819 00000 n
+0000391539 00000 n
+0000393935 00000 n
+0003664388 00000 n
+0000396904 00000 n
+0000396469 00000 n
+0000394157 00000 n
+0000396585 00000 n
+0000396648 00000 n
+0000396712 00000 n
+0000396776 00000 n
+0000396840 00000 n
+0003658977 00000 n
+0000398316 00000 n
+0000398136 00000 n
+0000397076 00000 n
+0000398252 00000 n
+0000399749 00000 n
+0000399442 00000 n
+0000398460 00000 n
+0000399558 00000 n
+0000404881 00000 n
+0000403102 00000 n
+0000399865 00000 n
+0000403218 00000 n
+0000403410 00000 n
+0000403474 00000 n
+0000403538 00000 n
+0000403602 00000 n
+0000403666 00000 n
+0003659422 00000 n
+0000403730 00000 n
+0000403794 00000 n
+0000403858 00000 n
+0000403922 00000 n
+0000403986 00000 n
+0000404050 00000 n
+0000404114 00000 n
+0000404178 00000 n
+0000404242 00000 n
+0000404306 00000 n
+0000404370 00000 n
+0000404434 00000 n
+0000404498 00000 n
+0000404561 00000 n
+0000404625 00000 n
+0000404689 00000 n
+0000404753 00000 n
+0000404817 00000 n
+0000409588 00000 n
+0000407493 00000 n
+0000405038 00000 n
+0000407609 00000 n
+0000407800 00000 n
+0000407864 00000 n
+0000407928 00000 n
+0000407992 00000 n
+0000408056 00000 n
+0000408120 00000 n
+0000408184 00000 n
+0000408248 00000 n
+0000408312 00000 n
+0000408376 00000 n
+0000408440 00000 n
+0000408504 00000 n
+0000408568 00000 n
+0000408632 00000 n
+0000408696 00000 n
+0000408760 00000 n
+0000408824 00000 n
+0000408888 00000 n
+0000408952 00000 n
+0000409016 00000 n
+0000409080 00000 n
+0000409144 00000 n
+0000409207 00000 n
+0000409271 00000 n
+0000409334 00000 n
+0000409398 00000 n
+0000409460 00000 n
+0000409524 00000 n
+0000409984 00000 n
+0000409804 00000 n
+0000409703 00000 n
+0000409920 00000 n
+0003664513 00000 n
+0000411948 00000 n
+0000412246 00000 n
+0000412712 00000 n
+0000411793 00000 n
+0000410026 00000 n
+0000412395 00000 n
+0000412521 00000 n
+0000412097 00000 n
+0000412648 00000 n
+0000415607 00000 n
+0000415300 00000 n
+0000412828 00000 n
+0000415416 00000 n
+0000415543 00000 n
+0000418394 00000 n
+0000420314 00000 n
+0000418737 00000 n
+0000418257 00000 n
+0000415723 00000 n
+0000418548 00000 n
+0000418675 00000 n
+0000454483 00000 n
+0000420198 00000 n
+0000418853 00000 n
+0000454037 00000 n
+0000454165 00000 n
+0000454292 00000 n
+0000454419 00000 n
+0000428547 00000 n
+0000428704 00000 n
+0000428752 00000 n
+0000429192 00000 n
+0000429421 00000 n
+0000457481 00000 n
+0000457302 00000 n
+0000454628 00000 n
+0000457418 00000 n
+0000459889 00000 n
+0000460187 00000 n
+0000462541 00000 n
+0000460401 00000 n
+0000459734 00000 n
+0000457597 00000 n
+0000460337 00000 n
+0000460038 00000 n
+0003664638 00000 n
+0000463012 00000 n
+0000462404 00000 n
+0000460517 00000 n
+0000462694 00000 n
+0000462820 00000 n
+0000462948 00000 n
+0000465050 00000 n
+0000465396 00000 n
+0000464913 00000 n
+0000463142 00000 n
+0000465204 00000 n
+0000465332 00000 n
+0000467792 00000 n
+0000468259 00000 n
+0000467655 00000 n
+0000465512 00000 n
+0000467942 00000 n
+0000468068 00000 n
+0000468195 00000 n
+0000471195 00000 n
+0000471459 00000 n
+0000471058 00000 n
+0000468417 00000 n
+0000471395 00000 n
+0003662053 00000 n
+0000473391 00000 n
+0000474307 00000 n
+0000473254 00000 n
+0000471701 00000 n
+0000473542 00000 n
+0000473605 00000 n
+0000473669 00000 n
+0000473732 00000 n
+0000473796 00000 n
+0000473860 00000 n
+0000473924 00000 n
+0000473988 00000 n
+0000474052 00000 n
+0000474179 00000 n
+0000474243 00000 n
+0000476251 00000 n
+0000475943 00000 n
+0000474451 00000 n
+0000476059 00000 n
+0000476123 00000 n
+0000476187 00000 n
+0003664763 00000 n
+0000478226 00000 n
+0000478569 00000 n
+0000478089 00000 n
+0000476367 00000 n
+0000478378 00000 n
+0000478441 00000 n
+0000478505 00000 n
+0000545850 00000 n
+0000480700 00000 n
+0000480853 00000 n
+0000481010 00000 n
+0000481550 00000 n
+0000480545 00000 n
+0000478727 00000 n
+0000481167 00000 n
+0000481294 00000 n
+0000481358 00000 n
+0000481422 00000 n
+0000481486 00000 n
+0000551300 00000 n
+0000557059 00000 n
+0000561309 00000 n
+0000483183 00000 n
+0000483332 00000 n
+0000483826 00000 n
+0000483028 00000 n
+0000481680 00000 n
+0000483636 00000 n
+0000483699 00000 n
+0000483763 00000 n
+0000483484 00000 n
+0000485713 00000 n
+0000485469 00000 n
+0000483942 00000 n
+0000485585 00000 n
+0000485649 00000 n
+0000488153 00000 n
+0000487718 00000 n
+0000485829 00000 n
+0000487834 00000 n
+0000487897 00000 n
+0000487961 00000 n
+0000488025 00000 n
+0000488089 00000 n
+0000489686 00000 n
+0000489442 00000 n
+0000488283 00000 n
+0000489558 00000 n
+0000489622 00000 n
+0003664888 00000 n
+0000492043 00000 n
+0000492195 00000 n
+0000492350 00000 n
+0000492508 00000 n
+0000492666 00000 n
+0000492979 00000 n
+0000493130 00000 n
+0000493281 00000 n
+0000493433 00000 n
+0000493585 00000 n
+0000493736 00000 n
+0000493887 00000 n
+0000494612 00000 n
+0000491798 00000 n
+0000489802 00000 n
+0000494039 00000 n
+0000494165 00000 n
+0000494229 00000 n
+0000494293 00000 n
+0000494357 00000 n
+0000492822 00000 n
+0000494485 00000 n
+0000494548 00000 n
+0000563735 00000 n
+0000564930 00000 n
+0000565990 00000 n
+0000567038 00000 n
+0002827110 00000 n
+0002827238 00000 n
+0002828702 00000 n
+0000569508 00000 n
+0000570644 00000 n
+0000568223 00000 n
+0000568350 00000 n
+0000497368 00000 n
+0000496805 00000 n
+0000494742 00000 n
+0000496921 00000 n
+0000496985 00000 n
+0000497112 00000 n
+0000497176 00000 n
+0000497240 00000 n
+0000497304 00000 n
+0000499210 00000 n
+0000498713 00000 n
+0000497498 00000 n
+0000498829 00000 n
+0000498892 00000 n
+0000498956 00000 n
+0000499019 00000 n
+0000499082 00000 n
+0000499146 00000 n
+0000501563 00000 n
+0000501131 00000 n
+0000499326 00000 n
+0000501247 00000 n
+0000501373 00000 n
+0000501437 00000 n
+0000501501 00000 n
+0000503988 00000 n
+0000503618 00000 n
+0000501707 00000 n
+0000503734 00000 n
+0000503860 00000 n
+0000503924 00000 n
+0000505728 00000 n
+0000505420 00000 n
+0000504118 00000 n
+0000505536 00000 n
+0000505600 00000 n
+0000505664 00000 n
+0003665013 00000 n
+0000507781 00000 n
+0000508122 00000 n
+0000507644 00000 n
+0000505844 00000 n
+0000507932 00000 n
+0000507995 00000 n
+0000508059 00000 n
+0000509845 00000 n
+0000509601 00000 n
+0000508266 00000 n
+0000509717 00000 n
+0000509781 00000 n
+0000511074 00000 n
+0000510895 00000 n
+0000509961 00000 n
+0000511011 00000 n
+0000512857 00000 n
+0000512549 00000 n
+0000511176 00000 n
+0000512665 00000 n
+0000512729 00000 n
+0000512793 00000 n
+0003658831 00000 n
+0000515077 00000 n
+0000514770 00000 n
+0000513043 00000 n
+0000514886 00000 n
+0000514949 00000 n
+0000515013 00000 n
+0000516767 00000 n
+0000517073 00000 n
+0000516630 00000 n
+0000515193 00000 n
+0000516945 00000 n
+0000517009 00000 n
+0003665138 00000 n
+0000518526 00000 n
+0000518347 00000 n
+0000517245 00000 n
+0000518463 00000 n
+0000520701 00000 n
+0000520394 00000 n
+0000518642 00000 n
+0000520510 00000 n
+0000520637 00000 n
+0000523375 00000 n
+0000523070 00000 n
+0000520845 00000 n
+0000523186 00000 n
+0000523311 00000 n
+0000528955 00000 n
+0000529259 00000 n
+0000526274 00000 n
+0000525840 00000 n
+0000523491 00000 n
+0000525956 00000 n
+0000526083 00000 n
+0000526146 00000 n
+0000526210 00000 n
+0000532679 00000 n
+0000532831 00000 n
+0000529984 00000 n
+0000528800 00000 n
+0000526404 00000 n
+0000529410 00000 n
+0000529107 00000 n
+0000529473 00000 n
+0000529536 00000 n
+0000529600 00000 n
+0000529664 00000 n
+0000529728 00000 n
+0000529792 00000 n
+0000529856 00000 n
+0000529920 00000 n
+0000533685 00000 n
+0000532533 00000 n
+0000530114 00000 n
+0000532982 00000 n
+0000533046 00000 n
+0000533110 00000 n
+0000533174 00000 n
+0000533238 00000 n
+0000533302 00000 n
+0000533366 00000 n
+0000533430 00000 n
+0000533494 00000 n
+0000533621 00000 n
+0003665263 00000 n
+0000536446 00000 n
+0000536076 00000 n
+0000533829 00000 n
+0000536192 00000 n
+0000536318 00000 n
+0000536382 00000 n
+0000539158 00000 n
+0000538978 00000 n
+0000536618 00000 n
+0000539094 00000 n
+0003660585 00000 n
+0000541650 00000 n
+0000541471 00000 n
+0000539344 00000 n
+0000541587 00000 n
+0000544328 00000 n
+0000544148 00000 n
+0000541766 00000 n
+0000544264 00000 n
+0000545914 00000 n
+0000545607 00000 n
+0000544528 00000 n
+0000545723 00000 n
+0000554114 00000 n
+0000551056 00000 n
+0000546030 00000 n
+0000551172 00000 n
+0000551364 00000 n
+0000551428 00000 n
+0000551492 00000 n
+0000551556 00000 n
+0000551620 00000 n
+0000551684 00000 n
+0000551748 00000 n
+0000551812 00000 n
+0000551876 00000 n
+0000551940 00000 n
+0000552004 00000 n
+0000552068 00000 n
+0000552132 00000 n
+0000552196 00000 n
+0000552260 00000 n
+0000552324 00000 n
+0000552388 00000 n
+0000552452 00000 n
+0000552516 00000 n
+0000552580 00000 n
+0000552644 00000 n
+0000552708 00000 n
+0000552772 00000 n
+0000552836 00000 n
+0000552899 00000 n
+0000552963 00000 n
+0000553026 00000 n
+0000553090 00000 n
+0000553154 00000 n
+0000553218 00000 n
+0000553282 00000 n
+0000553346 00000 n
+0000553410 00000 n
+0000553474 00000 n
+0000553538 00000 n
+0000553602 00000 n
+0000553666 00000 n
+0000553730 00000 n
+0000553794 00000 n
+0000553858 00000 n
+0000553922 00000 n
+0000553986 00000 n
+0000554050 00000 n
+0003665388 00000 n
+0000558911 00000 n
+0000556816 00000 n
+0000554271 00000 n
+0000556932 00000 n
+0000557123 00000 n
+0000557187 00000 n
+0000557251 00000 n
+0000557315 00000 n
+0000557379 00000 n
+0000557443 00000 n
+0000557507 00000 n
+0000557571 00000 n
+0000557635 00000 n
+0000557699 00000 n
+0000557763 00000 n
+0000557827 00000 n
+0000557891 00000 n
+0000557955 00000 n
+0000558019 00000 n
+0000558082 00000 n
+0000558146 00000 n
+0000558209 00000 n
+0000558273 00000 n
+0000558335 00000 n
+0000558399 00000 n
+0000558463 00000 n
+0000558527 00000 n
+0000558591 00000 n
+0000558655 00000 n
+0000558719 00000 n
+0000558783 00000 n
+0000558847 00000 n
+0000562396 00000 n
+0000561065 00000 n
+0000559040 00000 n
+0000561181 00000 n
+0000561373 00000 n
+0000561437 00000 n
+0000561501 00000 n
+0000561565 00000 n
+0000561629 00000 n
+0000561693 00000 n
+0000561757 00000 n
+0000561821 00000 n
+0000561885 00000 n
+0000561949 00000 n
+0000562013 00000 n
+0000562077 00000 n
+0000562141 00000 n
+0000562204 00000 n
+0000562332 00000 n
+0000563799 00000 n
+0000563492 00000 n
+0000562539 00000 n
+0000563608 00000 n
+0000564994 00000 n
+0000564686 00000 n
+0000563915 00000 n
+0000564802 00000 n
+0000566054 00000 n
+0000565747 00000 n
+0000565110 00000 n
+0000565863 00000 n
+0000567102 00000 n
+0000566794 00000 n
+0000566170 00000 n
+0000566910 00000 n
+0003665513 00000 n
+0000568414 00000 n
+0000567981 00000 n
+0000567218 00000 n
+0000568097 00000 n
+0000569572 00000 n
+0000569264 00000 n
+0000568530 00000 n
+0000569380 00000 n
+0000570708 00000 n
+0000570401 00000 n
+0000569688 00000 n
+0000570517 00000 n
+0000571105 00000 n
+0000570925 00000 n
+0000570824 00000 n
+0000571041 00000 n
+0000572987 00000 n
+0000573286 00000 n
+0000573583 00000 n
+0000573919 00000 n
+0000572814 00000 n
+0000571147 00000 n
+0000573730 00000 n
+0000573856 00000 n
+0000573137 00000 n
+0000573435 00000 n
+0000708928 00000 n
+0000576709 00000 n
+0000576402 00000 n
+0000574063 00000 n
+0000576518 00000 n
+0000576645 00000 n
+0003665638 00000 n
+0000579452 00000 n
+0000579146 00000 n
+0000576825 00000 n
+0000579262 00000 n
+0000579388 00000 n
+0000581900 00000 n
+0000582514 00000 n
+0000581754 00000 n
+0000579568 00000 n
+0000582196 00000 n
+0000582323 00000 n
+0000582049 00000 n
+0000582450 00000 n
+0000585242 00000 n
+0000585063 00000 n
+0000582658 00000 n
+0000585179 00000 n
+0000587485 00000 n
+0000587783 00000 n
+0000590199 00000 n
+0000587936 00000 n
+0000630475 00000 n
+0000630633 00000 n
+0000630790 00000 n
+0000630947 00000 n
+0000631104 00000 n
+0000631261 00000 n
+0000631418 00000 n
+0000631574 00000 n
+0000631727 00000 n
+0000631880 00000 n
+0000632037 00000 n
+0000632194 00000 n
+0000632352 00000 n
+0000632507 00000 n
+0000632661 00000 n
+0000632816 00000 n
+0000632972 00000 n
+0000633124 00000 n
+0000633276 00000 n
+0000588097 00000 n
+0000588883 00000 n
+0000587312 00000 n
+0000585372 00000 n
+0000588250 00000 n
+0000588377 00000 n
+0000587634 00000 n
+0000588502 00000 n
+0000588629 00000 n
+0000588756 00000 n
+0000588820 00000 n
+0000627311 00000 n
+0000633554 00000 n
+0000627503 00000 n
+0000590083 00000 n
+0000589027 00000 n
+0000627184 00000 n
+0000627375 00000 n
+0000627439 00000 n
+0000600707 00000 n
+0000600864 00000 n
+0000600912 00000 n
+0000601366 00000 n
+0000601593 00000 n
+0000633682 00000 n
+0000630176 00000 n
+0000627648 00000 n
+0000633426 00000 n
+0000633618 00000 n
+0003665763 00000 n
+0000658688 00000 n
+0000664761 00000 n
+0000670877 00000 n
+0000676185 00000 n
+0000676697 00000 n
+0000677208 00000 n
+0000696120 00000 n
+0000697263 00000 n
+0000698398 00000 n
+0000699587 00000 n
+0000700621 00000 n
+0000701642 00000 n
+0000702780 00000 n
+0000703897 00000 n
+0000705104 00000 n
+0000706136 00000 n
+0000637740 00000 n
+0000637890 00000 n
+0000638042 00000 n
+0000635576 00000 n
+0000635205 00000 n
+0000633798 00000 n
+0000635321 00000 n
+0000635384 00000 n
+0000635448 00000 n
+0000635512 00000 n
+0000638578 00000 n
+0000637585 00000 n
+0000635692 00000 n
+0000638194 00000 n
+0000638258 00000 n
+0000638322 00000 n
+0000638386 00000 n
+0000638450 00000 n
+0000638514 00000 n
+0000640657 00000 n
+0000641192 00000 n
+0000640520 00000 n
+0000638722 00000 n
+0000640811 00000 n
+0000640874 00000 n
+0000640938 00000 n
+0000641002 00000 n
+0000641128 00000 n
+0000643789 00000 n
+0000643354 00000 n
+0000641379 00000 n
+0000643470 00000 n
+0000643597 00000 n
+0000643661 00000 n
+0000643725 00000 n
+0000646275 00000 n
+0000646877 00000 n
+0000646138 00000 n
+0000643919 00000 n
+0000646430 00000 n
+0000646493 00000 n
+0000646557 00000 n
+0000646621 00000 n
+0000646685 00000 n
+0000646749 00000 n
+0000646813 00000 n
+0000707246 00000 n
+0000648659 00000 n
+0000648415 00000 n
+0000646993 00000 n
+0000648531 00000 n
+0000648595 00000 n
+0003665888 00000 n
+0000650386 00000 n
+0000650542 00000 n
+0000652968 00000 n
+0000653267 00000 n
+0000651018 00000 n
+0000650240 00000 n
+0000648775 00000 n
+0000650700 00000 n
+0000650763 00000 n
+0000650827 00000 n
+0000650890 00000 n
+0000650954 00000 n
+0000660732 00000 n
+0000654012 00000 n
+0000653419 00000 n
+0000653575 00000 n
+0000653733 00000 n
+0000654396 00000 n
+0000652786 00000 n
+0000651148 00000 n
+0000653885 00000 n
+0000653118 00000 n
+0000654076 00000 n
+0000654140 00000 n
+0000654204 00000 n
+0000654268 00000 n
+0000654332 00000 n
+0000660796 00000 n
+0000658445 00000 n
+0000654526 00000 n
+0000658561 00000 n
+0000658752 00000 n
+0000658816 00000 n
+0000658880 00000 n
+0000658944 00000 n
+0000659008 00000 n
+0000659072 00000 n
+0000659136 00000 n
+0000659200 00000 n
+0000659264 00000 n
+0000659328 00000 n
+0000659392 00000 n
+0000659456 00000 n
+0000659520 00000 n
+0000659584 00000 n
+0000659648 00000 n
+0000659712 00000 n
+0000659776 00000 n
+0000659840 00000 n
+0000659904 00000 n
+0000659968 00000 n
+0000660032 00000 n
+0000660096 00000 n
+0000660160 00000 n
+0000660223 00000 n
+0000660287 00000 n
+0000660350 00000 n
+0000660414 00000 n
+0000660477 00000 n
+0000660541 00000 n
+0000660605 00000 n
+0000666549 00000 n
+0000664517 00000 n
+0000660981 00000 n
+0000664633 00000 n
+0000664825 00000 n
+0000664889 00000 n
+0000664953 00000 n
+0000665017 00000 n
+0000665081 00000 n
+0000665145 00000 n
+0000665209 00000 n
+0000665273 00000 n
+0000665337 00000 n
+0000665401 00000 n
+0000665465 00000 n
+0000665529 00000 n
+0000665593 00000 n
+0000665657 00000 n
+0000665719 00000 n
+0000665783 00000 n
+0000665846 00000 n
+0000665910 00000 n
+0000665973 00000 n
+0000666037 00000 n
+0000666101 00000 n
+0000666165 00000 n
+0000666229 00000 n
+0000666293 00000 n
+0000666357 00000 n
+0000666421 00000 n
+0000666485 00000 n
+0000673177 00000 n
+0000670634 00000 n
+0000666720 00000 n
+0000670750 00000 n
+0000670941 00000 n
+0000671005 00000 n
+0000671069 00000 n
+0000671133 00000 n
+0000671197 00000 n
+0000671261 00000 n
+0000671325 00000 n
+0000671389 00000 n
+0000671453 00000 n
+0000671517 00000 n
+0000671581 00000 n
+0000671645 00000 n
+0000671709 00000 n
+0000671773 00000 n
+0000671835 00000 n
+0000671899 00000 n
+0000671962 00000 n
+0000672026 00000 n
+0000672089 00000 n
+0000672153 00000 n
+0000672217 00000 n
+0000672281 00000 n
+0000672345 00000 n
+0000672409 00000 n
+0000672473 00000 n
+0000672537 00000 n
+0000672601 00000 n
+0000672665 00000 n
+0000672729 00000 n
+0000672793 00000 n
+0000672857 00000 n
+0000672921 00000 n
+0000672985 00000 n
+0000673049 00000 n
+0000673113 00000 n
+0000677973 00000 n
+0000675941 00000 n
+0000673334 00000 n
+0000676057 00000 n
+0000676249 00000 n
+0000676313 00000 n
+0000676377 00000 n
+0000676441 00000 n
+0000676505 00000 n
+0000676569 00000 n
+0000676760 00000 n
+0000676824 00000 n
+0000676888 00000 n
+0000676952 00000 n
+0000677016 00000 n
+0000677080 00000 n
+0000677272 00000 n
+0000677336 00000 n
+0000677400 00000 n
+0000677464 00000 n
+0000677528 00000 n
+0000677592 00000 n
+0000677656 00000 n
+0000677718 00000 n
+0000677782 00000 n
+0000677845 00000 n
+0000677909 00000 n
+0003666013 00000 n
+0000680360 00000 n
+0000680664 00000 n
+0000681325 00000 n
+0000680205 00000 n
+0000678144 00000 n
+0000680815 00000 n
+0000680941 00000 n
+0000681005 00000 n
+0000681069 00000 n
+0000680512 00000 n
+0000681133 00000 n
+0000681197 00000 n
+0000681261 00000 n
+0000684881 00000 n
+0000684126 00000 n
+0000681455 00000 n
+0000684242 00000 n
+0000684306 00000 n
+0000684370 00000 n
+0000684434 00000 n
+0000684498 00000 n
+0000684562 00000 n
+0000684625 00000 n
+0000684689 00000 n
+0000684753 00000 n
+0000684817 00000 n
+0000687205 00000 n
+0000687357 00000 n
+0000687508 00000 n
+0000688103 00000 n
+0000687050 00000 n
+0000685025 00000 n
+0000687657 00000 n
+0000687720 00000 n
+0000687784 00000 n
+0000687848 00000 n
+0000687912 00000 n
+0000688039 00000 n
+0000690585 00000 n
+0000690214 00000 n
+0000688247 00000 n
+0000690330 00000 n
+0000690457 00000 n
+0000690521 00000 n
+0000693192 00000 n
+0000693013 00000 n
+0000690757 00000 n
+0000693129 00000 n
+0000694959 00000 n
+0000694779 00000 n
+0000693336 00000 n
+0000694895 00000 n
+0003666138 00000 n
+0000696184 00000 n
+0000695877 00000 n
+0000695103 00000 n
+0000695993 00000 n
+0000697327 00000 n
+0000697019 00000 n
+0000696300 00000 n
+0000697135 00000 n
+0000698461 00000 n
+0000698156 00000 n
+0000697443 00000 n
+0000698272 00000 n
+0000699651 00000 n
+0000699343 00000 n
+0000698577 00000 n
+0000699459 00000 n
+0000700685 00000 n
+0000700378 00000 n
+0000699767 00000 n
+0000700494 00000 n
+0000701706 00000 n
+0000701398 00000 n
+0000700801 00000 n
+0000701514 00000 n
+0003666263 00000 n
+0000702844 00000 n
+0000702537 00000 n
+0000701822 00000 n
+0000702653 00000 n
+0000703961 00000 n
+0000703653 00000 n
+0000702960 00000 n
+0000703769 00000 n
+0000705168 00000 n
+0000704861 00000 n
+0000704077 00000 n
+0000704977 00000 n
+0000706200 00000 n
+0000705892 00000 n
+0000705284 00000 n
+0000706008 00000 n
+0000707310 00000 n
+0000707003 00000 n
+0000706316 00000 n
+0000707119 00000 n
+0000707707 00000 n
+0000707527 00000 n
+0000707426 00000 n
+0000707643 00000 n
+0003666388 00000 n
+0000708648 00000 n
+0000711509 00000 n
+0000708992 00000 n
+0000708511 00000 n
+0000707749 00000 n
+0000708802 00000 n
+0000712725 00000 n
+0000711393 00000 n
+0000709108 00000 n
+0000712661 00000 n
+0003661322 00000 n
+0000711883 00000 n
+0000712148 00000 n
+0000712196 00000 n
+0000715199 00000 n
+0000715020 00000 n
+0000712898 00000 n
+0000715136 00000 n
+0000717336 00000 n
+0000717156 00000 n
+0000715301 00000 n
+0000717272 00000 n
+0000720203 00000 n
+0000719771 00000 n
+0000717452 00000 n
+0000719887 00000 n
+0000720013 00000 n
+0000720139 00000 n
+0000722777 00000 n
+0000722597 00000 n
+0000720319 00000 n
+0000722713 00000 n
+0003666513 00000 n
+0000725192 00000 n
+0000728722 00000 n
+0000725828 00000 n
+0000725055 00000 n
+0000722879 00000 n
+0000725383 00000 n
+0000725509 00000 n
+0000725573 00000 n
+0000725637 00000 n
+0000725764 00000 n
+0000728934 00000 n
+0000731983 00000 n
+0000729449 00000 n
+0000728567 00000 n
+0000726028 00000 n
+0000729385 00000 n
+0000729159 00000 n
+0000732192 00000 n
+0000732367 00000 n
+0000732537 00000 n
+0000732723 00000 n
+0000732890 00000 n
+0000733071 00000 n
+0000733243 00000 n
+0000733491 00000 n
+0000731783 00000 n
+0000729635 00000 n
+0000733428 00000 n
+0000736180 00000 n
+0000736355 00000 n
+0000736742 00000 n
+0000736034 00000 n
+0000733649 00000 n
+0000736551 00000 n
+0000736678 00000 n
+0000764167 00000 n
+0000764009 00000 n
+0000738926 00000 n
+0000764559 00000 n
+0000738780 00000 n
+0000736985 00000 n
+0000764368 00000 n
+0000764495 00000 n
+0000740184 00000 n
+0000740341 00000 n
+0000740389 00000 n
+0000740815 00000 n
+0000741044 00000 n
+0000767613 00000 n
+0000767178 00000 n
+0000764774 00000 n
+0000767294 00000 n
+0000767421 00000 n
+0000767549 00000 n
+0003666638 00000 n
+0000770733 00000 n
+0000770427 00000 n
+0000767743 00000 n
+0000770543 00000 n
+0000770669 00000 n
+0000773383 00000 n
+0000773534 00000 n
+0000774179 00000 n
+0000773237 00000 n
+0000770863 00000 n
+0000773734 00000 n
+0000773861 00000 n
+0000773988 00000 n
+0000774115 00000 n
+0000930365 00000 n
+0000777158 00000 n
+0000777518 00000 n
+0000777021 00000 n
+0000774393 00000 n
+0000777328 00000 n
+0000777454 00000 n
+0000781806 00000 n
+0000779889 00000 n
+0000779454 00000 n
+0000777690 00000 n
+0000779570 00000 n
+0000779697 00000 n
+0000779761 00000 n
+0000779825 00000 n
+0000782775 00000 n
+0000781690 00000 n
+0000780019 00000 n
+0000782586 00000 n
+0000782649 00000 n
+0000782712 00000 n
+0000782306 00000 n
+0000782538 00000 n
+0000786215 00000 n
+0000784364 00000 n
+0000784056 00000 n
+0000782962 00000 n
+0000784172 00000 n
+0000784236 00000 n
+0000784300 00000 n
+0003666763 00000 n
+0000786563 00000 n
+0000786078 00000 n
+0000784480 00000 n
+0000786372 00000 n
+0000786435 00000 n
+0000786499 00000 n
+0000846050 00000 n
+0000788711 00000 n
+0000788531 00000 n
+0000786693 00000 n
+0000788647 00000 n
+0003659569 00000 n
+0000790542 00000 n
+0000790363 00000 n
+0000788855 00000 n
+0000790479 00000 n
+0000792304 00000 n
+0000791996 00000 n
+0000790672 00000 n
+0000792112 00000 n
+0000792176 00000 n
+0000792240 00000 n
+0000794201 00000 n
+0000794955 00000 n
+0000794055 00000 n
+0000792434 00000 n
+0000794511 00000 n
+0000794574 00000 n
+0000794638 00000 n
+0000794765 00000 n
+0000794892 00000 n
+0000794356 00000 n
+0000797683 00000 n
+0000796160 00000 n
+0000795099 00000 n
+0000796276 00000 n
+0000796340 00000 n
+0000796404 00000 n
+0000796468 00000 n
+0000796532 00000 n
+0000796596 00000 n
+0000796660 00000 n
+0000796724 00000 n
+0000796787 00000 n
+0000796851 00000 n
+0000796915 00000 n
+0000796979 00000 n
+0000797043 00000 n
+0000797107 00000 n
+0000797171 00000 n
+0000797235 00000 n
+0000797299 00000 n
+0000797363 00000 n
+0000797427 00000 n
+0000797491 00000 n
+0000797555 00000 n
+0000797619 00000 n
+0003666888 00000 n
+0000836446 00000 n
+0000798956 00000 n
+0000837043 00000 n
+0000798819 00000 n
+0000797799 00000 n
+0000836597 00000 n
+0000836660 00000 n
+0000836724 00000 n
+0000836851 00000 n
+0000836979 00000 n
+0000809694 00000 n
+0000809851 00000 n
+0000809899 00000 n
+0000810365 00000 n
+0000810592 00000 n
+0000810922 00000 n
+0000811018 00000 n
+0000839534 00000 n
+0000839689 00000 n
+0000839849 00000 n
+0000840002 00000 n
+0000840473 00000 n
+0000839370 00000 n
+0000837189 00000 n
+0000840154 00000 n
+0000840281 00000 n
+0000840409 00000 n
+0000842703 00000 n
+0000842862 00000 n
+0000843336 00000 n
+0000842557 00000 n
+0000840660 00000 n
+0000843019 00000 n
+0000843082 00000 n
+0000843146 00000 n
+0000843209 00000 n
+0000843273 00000 n
+0000982469 00000 n
+0000845766 00000 n
+0000848748 00000 n
+0000846369 00000 n
+0000845629 00000 n
+0000843452 00000 n
+0000845922 00000 n
+0000846177 00000 n
+0000846241 00000 n
+0000846305 00000 n
+0000984563 00000 n
+0000849251 00000 n
+0000848602 00000 n
+0000846513 00000 n
+0000849060 00000 n
+0000848904 00000 n
+0000849123 00000 n
+0000849187 00000 n
+0000985615 00000 n
+0000850792 00000 n
+0000850612 00000 n
+0000849424 00000 n
+0000850728 00000 n
+0003667013 00000 n
+0000852867 00000 n
+0000853034 00000 n
+0000853201 00000 n
+0000853362 00000 n
+0000853839 00000 n
+0000852703 00000 n
+0000850908 00000 n
+0000853522 00000 n
+0000853648 00000 n
+0000853712 00000 n
+0000853775 00000 n
+0000989823 00000 n
+0000994410 00000 n
+0001010835 00000 n
+0001015456 00000 n
+0000855563 00000 n
+0000855191 00000 n
+0000853969 00000 n
+0000855307 00000 n
+0000855371 00000 n
+0000855435 00000 n
+0000855499 00000 n
+0000857784 00000 n
+0000857477 00000 n
+0000855679 00000 n
+0000857593 00000 n
+0000857656 00000 n
+0000857720 00000 n
+0000859875 00000 n
+0000860059 00000 n
+0000860258 00000 n
+0000860652 00000 n
+0000859720 00000 n
+0000857900 00000 n
+0000860463 00000 n
+0000860590 00000 n
+0000862976 00000 n
+0000862479 00000 n
+0000860838 00000 n
+0000862595 00000 n
+0000862721 00000 n
+0000862784 00000 n
+0000862848 00000 n
+0000862912 00000 n
+0000864644 00000 n
+0000865182 00000 n
+0000864507 00000 n
+0000863163 00000 n
+0000864800 00000 n
+0000864864 00000 n
+0000864928 00000 n
+0000865055 00000 n
+0000865119 00000 n
+0003667138 00000 n
+0000868767 00000 n
+0000866550 00000 n
+0000867024 00000 n
+0000866413 00000 n
+0000865312 00000 n
+0000866706 00000 n
+0000866769 00000 n
+0000866833 00000 n
+0000866897 00000 n
+0000866961 00000 n
+0000868959 00000 n
+0000868524 00000 n
+0000867140 00000 n
+0000868640 00000 n
+0000868831 00000 n
+0000868895 00000 n
+0000870589 00000 n
+0000870410 00000 n
+0000869089 00000 n
+0000870526 00000 n
+0000872239 00000 n
+0000871996 00000 n
+0000870691 00000 n
+0000872112 00000 n
+0000872176 00000 n
+0000874743 00000 n
+0000874895 00000 n
+0000877634 00000 n
+0000875239 00000 n
+0000874597 00000 n
+0000872355 00000 n
+0000875049 00000 n
+0000875175 00000 n
+0002213131 00000 n
+0000877854 00000 n
+0000877497 00000 n
+0000875383 00000 n
+0000877790 00000 n
+0003667263 00000 n
+0000879947 00000 n
+0000880203 00000 n
+0000879704 00000 n
+0000878027 00000 n
+0000879820 00000 n
+0000880011 00000 n
+0000880075 00000 n
+0000880139 00000 n
+0000881832 00000 n
+0000881460 00000 n
+0000880319 00000 n
+0000881576 00000 n
+0000881640 00000 n
+0000881704 00000 n
+0000881768 00000 n
+0000883362 00000 n
+0000883646 00000 n
+0000883225 00000 n
+0000881948 00000 n
+0000883519 00000 n
+0000883582 00000 n
+0001017373 00000 n
+0000885020 00000 n
+0000884776 00000 n
+0000883762 00000 n
+0000884892 00000 n
+0000884956 00000 n
+0000886644 00000 n
+0000886987 00000 n
+0000886507 00000 n
+0000885136 00000 n
+0000886796 00000 n
+0000886859 00000 n
+0000886923 00000 n
+0000888545 00000 n
+0000888237 00000 n
+0000887103 00000 n
+0000888353 00000 n
+0000888417 00000 n
+0000888481 00000 n
+0003667388 00000 n
+0000890548 00000 n
+0000890177 00000 n
+0000888661 00000 n
+0000890293 00000 n
+0000890356 00000 n
+0000890420 00000 n
+0000890484 00000 n
+0000892208 00000 n
+0000891900 00000 n
+0000890664 00000 n
+0000892016 00000 n
+0000892080 00000 n
+0000892144 00000 n
+0000893970 00000 n
+0000893663 00000 n
+0000892324 00000 n
+0000893779 00000 n
+0000893842 00000 n
+0000893906 00000 n
+0000896005 00000 n
+0000895633 00000 n
+0000894086 00000 n
+0000895749 00000 n
+0000895813 00000 n
+0000895877 00000 n
+0000895941 00000 n
+0000897475 00000 n
+0000897168 00000 n
+0000896121 00000 n
+0000897284 00000 n
+0000897347 00000 n
+0000897411 00000 n
+0000899519 00000 n
+0000899816 00000 n
+0000899966 00000 n
+0000900562 00000 n
+0000899355 00000 n
+0000897591 00000 n
+0000900115 00000 n
+0000900242 00000 n
+0000900306 00000 n
+0000900370 00000 n
+0000899669 00000 n
+0000900434 00000 n
+0000900498 00000 n
+0003667513 00000 n
+0000902822 00000 n
+0000902259 00000 n
+0000900692 00000 n
+0000902375 00000 n
+0000902438 00000 n
+0000902502 00000 n
+0000902566 00000 n
+0000902630 00000 n
+0000902694 00000 n
+0000902758 00000 n
+0000904504 00000 n
+0000904668 00000 n
+0000904829 00000 n
+0000905150 00000 n
+0000905308 00000 n
+0000905913 00000 n
+0000904322 00000 n
+0000902952 00000 n
+0000905466 00000 n
+0000905593 00000 n
+0000905657 00000 n
+0000904990 00000 n
+0000905721 00000 n
+0000905785 00000 n
+0000905849 00000 n
+0000999729 00000 n
+0000907323 00000 n
+0000907080 00000 n
+0000906043 00000 n
+0000907196 00000 n
+0000907259 00000 n
+0000909451 00000 n
+0000909079 00000 n
+0000907439 00000 n
+0000909195 00000 n
+0000909259 00000 n
+0000909323 00000 n
+0000909387 00000 n
+0000911068 00000 n
+0000910761 00000 n
+0000909567 00000 n
+0000910877 00000 n
+0000910940 00000 n
+0000911004 00000 n
+0000912951 00000 n
+0000912643 00000 n
+0000911184 00000 n
+0000912759 00000 n
+0000912823 00000 n
+0000912887 00000 n
+0003667638 00000 n
+0000915163 00000 n
+0000915327 00000 n
+0000915488 00000 n
+0000915810 00000 n
+0000916409 00000 n
+0000914990 00000 n
+0000913067 00000 n
+0000915965 00000 n
+0000916028 00000 n
+0000915649 00000 n
+0000916092 00000 n
+0000916218 00000 n
+0000916345 00000 n
+0001006012 00000 n
+0000918088 00000 n
+0000917781 00000 n
+0000916553 00000 n
+0000917897 00000 n
+0000918024 00000 n
+0000920227 00000 n
+0000920618 00000 n
+0000920090 00000 n
+0000918218 00000 n
+0000920428 00000 n
+0000920554 00000 n
+0000923248 00000 n
+0000923609 00000 n
+0000923111 00000 n
+0000920818 00000 n
+0000923418 00000 n
+0000923545 00000 n
+0000925511 00000 n
+0000925076 00000 n
+0000923809 00000 n
+0000925192 00000 n
+0000925255 00000 n
+0000925319 00000 n
+0000925383 00000 n
+0000925447 00000 n
+0000927085 00000 n
+0000927486 00000 n
+0000926948 00000 n
+0000925627 00000 n
+0000927295 00000 n
+0000927422 00000 n
+0003667763 00000 n
+0000929932 00000 n
+0000930087 00000 n
+0000930812 00000 n
+0000929786 00000 n
+0000927672 00000 n
+0000930239 00000 n
+0000930429 00000 n
+0000930493 00000 n
+0000930557 00000 n
+0000930621 00000 n
+0000930684 00000 n
+0000930748 00000 n
+0000950755 00000 n
+0000950883 00000 n
+0000933746 00000 n
+0000936164 00000 n
+0000934416 00000 n
+0000933609 00000 n
+0000930956 00000 n
+0000933906 00000 n
+0000933970 00000 n
+0000934034 00000 n
+0000934098 00000 n
+0000934162 00000 n
+0000934225 00000 n
+0000934352 00000 n
+0000951075 00000 n
+0000936048 00000 n
+0000934616 00000 n
+0000950628 00000 n
+0000950947 00000 n
+0000951011 00000 n
+0000953703 00000 n
+0000953075 00000 n
+0000951243 00000 n
+0000953191 00000 n
+0000953255 00000 n
+0000953319 00000 n
+0000953383 00000 n
+0000953447 00000 n
+0000953511 00000 n
+0000953575 00000 n
+0000953639 00000 n
+0000956173 00000 n
+0000956360 00000 n
+0000956860 00000 n
+0000956018 00000 n
+0000953890 00000 n
+0000956797 00000 n
+0000956579 00000 n
+0000962514 00000 n
+0000962818 00000 n
+0000959526 00000 n
+0000959093 00000 n
+0000957089 00000 n
+0000959209 00000 n
+0000959336 00000 n
+0000959463 00000 n
+0003667888 00000 n
+0000963480 00000 n
+0000962359 00000 n
+0000959670 00000 n
+0000962969 00000 n
+0000963032 00000 n
+0000962666 00000 n
+0000963096 00000 n
+0000963160 00000 n
+0000963224 00000 n
+0000963288 00000 n
+0000963352 00000 n
+0000963416 00000 n
+0000966586 00000 n
+0000966023 00000 n
+0000963624 00000 n
+0000966139 00000 n
+0000966203 00000 n
+0000966267 00000 n
+0000966331 00000 n
+0000966395 00000 n
+0000966522 00000 n
+0000971421 00000 n
+0000969115 00000 n
+0000968682 00000 n
+0000966716 00000 n
+0000968798 00000 n
+0000968924 00000 n
+0000969051 00000 n
+0000971817 00000 n
+0000971284 00000 n
+0000969231 00000 n
+0000971626 00000 n
+0000971753 00000 n
+0000974538 00000 n
+0000974295 00000 n
+0000972017 00000 n
+0000974411 00000 n
+0000974474 00000 n
+0000977097 00000 n
+0000976917 00000 n
+0000974668 00000 n
+0000977033 00000 n
+0003668013 00000 n
+0000979648 00000 n
+0000979469 00000 n
+0000977227 00000 n
+0000979585 00000 n
+0000981203 00000 n
+0000981023 00000 n
+0000979792 00000 n
+0000981139 00000 n
+0000982533 00000 n
+0000982226 00000 n
+0000981319 00000 n
+0000982342 00000 n
+0000983572 00000 n
+0000983264 00000 n
+0000982649 00000 n
+0000983380 00000 n
+0000983508 00000 n
+0000984627 00000 n
+0000984320 00000 n
+0000983688 00000 n
+0000984436 00000 n
+0000985679 00000 n
+0000985371 00000 n
+0000984743 00000 n
+0000985487 00000 n
+0003668138 00000 n
+0000991679 00000 n
+0000989580 00000 n
+0000985795 00000 n
+0000989696 00000 n
+0000989887 00000 n
+0000989951 00000 n
+0000990015 00000 n
+0000990079 00000 n
+0000990143 00000 n
+0000990207 00000 n
+0000990271 00000 n
+0000990335 00000 n
+0000990399 00000 n
+0000990463 00000 n
+0000990527 00000 n
+0000990591 00000 n
+0000990655 00000 n
+0000990719 00000 n
+0000990783 00000 n
+0000990847 00000 n
+0000990911 00000 n
+0000990975 00000 n
+0000991039 00000 n
+0000991103 00000 n
+0000991167 00000 n
+0000991231 00000 n
+0000991295 00000 n
+0000991359 00000 n
+0000991423 00000 n
+0000991487 00000 n
+0000991551 00000 n
+0000991615 00000 n
+0000995687 00000 n
+0000994166 00000 n
+0000991836 00000 n
+0000994282 00000 n
+0000994474 00000 n
+0000994538 00000 n
+0000994602 00000 n
+0000994665 00000 n
+0000994729 00000 n
+0000994792 00000 n
+0000994856 00000 n
+0000994919 00000 n
+0000994983 00000 n
+0000995047 00000 n
+0000995111 00000 n
+0000995175 00000 n
+0000995239 00000 n
+0000995303 00000 n
+0000995367 00000 n
+0000995431 00000 n
+0000995495 00000 n
+0000995559 00000 n
+0000995623 00000 n
+0001001965 00000 n
+0000999486 00000 n
+0000995816 00000 n
+0000999602 00000 n
+0000999793 00000 n
+0000999857 00000 n
+0000999921 00000 n
+0000999985 00000 n
+0001000049 00000 n
+0001000113 00000 n
+0001000177 00000 n
+0001000241 00000 n
+0001000305 00000 n
+0001000369 00000 n
+0001000433 00000 n
+0001000497 00000 n
+0001000561 00000 n
+0001000625 00000 n
+0001000689 00000 n
+0001000753 00000 n
+0001000817 00000 n
+0001000881 00000 n
+0001000944 00000 n
+0001001008 00000 n
+0001001071 00000 n
+0001001135 00000 n
+0001001197 00000 n
+0001001261 00000 n
+0001001325 00000 n
+0001001389 00000 n
+0001001453 00000 n
+0001001517 00000 n
+0001001581 00000 n
+0001001645 00000 n
+0001001709 00000 n
+0001001773 00000 n
+0001001837 00000 n
+0001001901 00000 n
+0001008248 00000 n
+0001005768 00000 n
+0001002108 00000 n
+0001005884 00000 n
+0001006076 00000 n
+0001006140 00000 n
+0001006204 00000 n
+0001006268 00000 n
+0001006332 00000 n
+0001006396 00000 n
+0001006460 00000 n
+0001006524 00000 n
+0001006588 00000 n
+0001006652 00000 n
+0001006716 00000 n
+0001006780 00000 n
+0001006844 00000 n
+0001006908 00000 n
+0001006972 00000 n
+0001007036 00000 n
+0001007100 00000 n
+0001007164 00000 n
+0001007227 00000 n
+0001007291 00000 n
+0001007354 00000 n
+0001007418 00000 n
+0001007480 00000 n
+0001007544 00000 n
+0001007608 00000 n
+0001007672 00000 n
+0001007736 00000 n
+0001007800 00000 n
+0001007864 00000 n
+0001007928 00000 n
+0001007992 00000 n
+0001008056 00000 n
+0001008120 00000 n
+0001008184 00000 n
+0001012431 00000 n
+0001010592 00000 n
+0001008391 00000 n
+0001010708 00000 n
+0001010899 00000 n
+0001010963 00000 n
+0001011027 00000 n
+0001011091 00000 n
+0001011155 00000 n
+0001011219 00000 n
+0001011283 00000 n
+0001011347 00000 n
+0001011411 00000 n
+0001011475 00000 n
+0001011539 00000 n
+0001011603 00000 n
+0001011667 00000 n
+0001011730 00000 n
+0001011794 00000 n
+0001011857 00000 n
+0001011921 00000 n
+0001011983 00000 n
+0001012047 00000 n
+0001012111 00000 n
+0001012175 00000 n
+0001012239 00000 n
+0001012303 00000 n
+0001012367 00000 n
+0001017437 00000 n
+0001015214 00000 n
+0001012546 00000 n
+0001015330 00000 n
+0001015519 00000 n
+0001015583 00000 n
+0001015647 00000 n
+0001015711 00000 n
+0001015775 00000 n
+0001015839 00000 n
+0001015903 00000 n
+0001015967 00000 n
+0001016031 00000 n
+0001016095 00000 n
+0001016159 00000 n
+0001016223 00000 n
+0001016287 00000 n
+0001016351 00000 n
+0001016415 00000 n
+0001016479 00000 n
+0001016543 00000 n
+0001016607 00000 n
+0001016671 00000 n
+0001016735 00000 n
+0001016799 00000 n
+0001016863 00000 n
+0001016927 00000 n
+0001016991 00000 n
+0001017055 00000 n
+0001017118 00000 n
+0001017182 00000 n
+0001017245 00000 n
+0003668263 00000 n
+0001019677 00000 n
+0001019371 00000 n
+0001017566 00000 n
+0001019487 00000 n
+0001019613 00000 n
+0001022010 00000 n
+0001022476 00000 n
+0001021873 00000 n
+0001019793 00000 n
+0001022159 00000 n
+0001022286 00000 n
+0001022412 00000 n
+0001025138 00000 n
+0001025475 00000 n
+0001025001 00000 n
+0001022606 00000 n
+0001025285 00000 n
+0001025411 00000 n
+0001027835 00000 n
+0001028174 00000 n
+0001027698 00000 n
+0001025619 00000 n
+0001027983 00000 n
+0001028110 00000 n
+0001030766 00000 n
+0001030460 00000 n
+0001028304 00000 n
+0001030576 00000 n
+0001030702 00000 n
+0001033150 00000 n
+0001033490 00000 n
+0001033013 00000 n
+0001030882 00000 n
+0001033299 00000 n
+0001033426 00000 n
+0003668388 00000 n
+0001036101 00000 n
+0001035922 00000 n
+0001033620 00000 n
+0001036038 00000 n
+0001038851 00000 n
+0001038544 00000 n
+0001036217 00000 n
+0001038660 00000 n
+0001038787 00000 n
+0001041480 00000 n
+0001041627 00000 n
+0001041930 00000 n
+0001042146 00000 n
+0001041316 00000 n
+0001038981 00000 n
+0001042083 00000 n
+0001041779 00000 n
+0001314147 00000 n
+0001414758 00000 n
+0001044822 00000 n
+0001044642 00000 n
+0001042248 00000 n
+0001044758 00000 n
+0001073030 00000 n
+0001046932 00000 n
+0001073627 00000 n
+0001046795 00000 n
+0001044938 00000 n
+0001073184 00000 n
+0001073309 00000 n
+0001073435 00000 n
+0001073563 00000 n
+0001049241 00000 n
+0001049398 00000 n
+0001049446 00000 n
+0001049848 00000 n
+0001050075 00000 n
+0001114823 00000 n
+0001075330 00000 n
+0001114980 00000 n
+0001094390 00000 n
+0001115455 00000 n
+0001075184 00000 n
+0001073787 00000 n
+0001115135 00000 n
+0001115263 00000 n
+0001115391 00000 n
+0003668513 00000 n
+0001075965 00000 n
+0001076122 00000 n
+0001076170 00000 n
+0001076544 00000 n
+0001076774 00000 n
+0001095194 00000 n
+0001095351 00000 n
+0001095399 00000 n
+0001095795 00000 n
+0001096025 00000 n
+0001096350 00000 n
+0001096446 00000 n
+0001160936 00000 n
+0001117016 00000 n
+0001161090 00000 n
+0001140029 00000 n
+0001161561 00000 n
+0001116870 00000 n
+0001115630 00000 n
+0001161243 00000 n
+0001161370 00000 n
+0001161498 00000 n
+0001117960 00000 n
+0001118117 00000 n
+0001118165 00000 n
+0001118583 00000 n
+0001118810 00000 n
+0001119125 00000 n
+0001119221 00000 n
+0001140874 00000 n
+0001141031 00000 n
+0001141079 00000 n
+0001141473 00000 n
+0001141700 00000 n
+0001163537 00000 n
+0001163686 00000 n
+0001164101 00000 n
+0001163391 00000 n
+0001161722 00000 n
+0001163845 00000 n
+0001163909 00000 n
+0001163973 00000 n
+0001164037 00000 n
+0001183999 00000 n
+0001165781 00000 n
+0001166321 00000 n
+0001165644 00000 n
+0001164274 00000 n
+0001165939 00000 n
+0001166002 00000 n
+0001166066 00000 n
+0001166130 00000 n
+0001166194 00000 n
+0001166257 00000 n
+0001185359 00000 n
+0001167730 00000 n
+0001167424 00000 n
+0001166437 00000 n
+0001167540 00000 n
+0001167604 00000 n
+0001167667 00000 n
+0001169278 00000 n
+0001171713 00000 n
+0001171872 00000 n
+0001169682 00000 n
+0001169141 00000 n
+0001167846 00000 n
+0001169427 00000 n
+0001169490 00000 n
+0001169554 00000 n
+0001169618 00000 n
+0001216075 00000 n
+0001314903 00000 n
+0001172476 00000 n
+0001171567 00000 n
+0001169798 00000 n
+0001172031 00000 n
+0001172095 00000 n
+0001172222 00000 n
+0001172348 00000 n
+0001172412 00000 n
+0003668638 00000 n
+0001190804 00000 n
+0001207002 00000 n
+0001174852 00000 n
+0001174673 00000 n
+0001172634 00000 n
+0001174789 00000 n
+0001177510 00000 n
+0001177659 00000 n
+0001177814 00000 n
+0001178031 00000 n
+0001177355 00000 n
+0001174982 00000 n
+0001177967 00000 n
+0001180612 00000 n
+0001180827 00000 n
+0001180475 00000 n
+0001178175 00000 n
+0001180764 00000 n
+0001182619 00000 n
+0001182439 00000 n
+0001180985 00000 n
+0001182555 00000 n
+0001184063 00000 n
+0001183756 00000 n
+0001182735 00000 n
+0001183872 00000 n
+0001185423 00000 n
+0001185115 00000 n
+0001184179 00000 n
+0001185231 00000 n
+0003668763 00000 n
+0001193544 00000 n
+0001190561 00000 n
+0001185539 00000 n
+0001190677 00000 n
+0001190868 00000 n
+0001190932 00000 n
+0001190996 00000 n
+0001191060 00000 n
+0001191124 00000 n
+0001191188 00000 n
+0001191252 00000 n
+0001191316 00000 n
+0001191379 00000 n
+0001191443 00000 n
+0001191506 00000 n
+0001191570 00000 n
+0001191632 00000 n
+0001191696 00000 n
+0001191760 00000 n
+0001191824 00000 n
+0001191888 00000 n
+0001191952 00000 n
+0001192016 00000 n
+0001192080 00000 n
+0001192144 00000 n
+0001192208 00000 n
+0001192272 00000 n
+0001192336 00000 n
+0001192400 00000 n
+0001192464 00000 n
+0001192528 00000 n
+0001192592 00000 n
+0001192656 00000 n
+0001192720 00000 n
+0001192783 00000 n
+0001192847 00000 n
+0001192909 00000 n
+0001192973 00000 n
+0001193036 00000 n
+0001193100 00000 n
+0001193164 00000 n
+0001193228 00000 n
+0001193292 00000 n
+0001193355 00000 n
+0001193418 00000 n
+0001193481 00000 n
+0001197957 00000 n
+0001195989 00000 n
+0001193701 00000 n
+0001196105 00000 n
+0001196233 00000 n
+0001196297 00000 n
+0001196361 00000 n
+0001196425 00000 n
+0001196489 00000 n
+0001196553 00000 n
+0001196617 00000 n
+0001196681 00000 n
+0001196745 00000 n
+0001196809 00000 n
+0001196873 00000 n
+0001196937 00000 n
+0001197001 00000 n
+0001197065 00000 n
+0001197129 00000 n
+0001197192 00000 n
+0001197256 00000 n
+0001197319 00000 n
+0001197383 00000 n
+0001197445 00000 n
+0001197509 00000 n
+0001197573 00000 n
+0001197637 00000 n
+0001197701 00000 n
+0001197765 00000 n
+0001197829 00000 n
+0001197893 00000 n
+0001202488 00000 n
+0001200455 00000 n
+0001198072 00000 n
+0001200571 00000 n
+0001200698 00000 n
+0001200762 00000 n
+0001200826 00000 n
+0001200889 00000 n
+0001200953 00000 n
+0001201016 00000 n
+0001201080 00000 n
+0001201144 00000 n
+0001201208 00000 n
+0001201272 00000 n
+0001201336 00000 n
+0001201400 00000 n
+0001201464 00000 n
+0001201528 00000 n
+0001201592 00000 n
+0001201656 00000 n
+0001201720 00000 n
+0001201784 00000 n
+0001201848 00000 n
+0001201912 00000 n
+0001201976 00000 n
+0001202040 00000 n
+0001202104 00000 n
+0001202168 00000 n
+0001202232 00000 n
+0001202296 00000 n
+0001202360 00000 n
+0001202424 00000 n
+0001209750 00000 n
+0001206758 00000 n
+0001202603 00000 n
+0001206874 00000 n
+0001207066 00000 n
+0001207130 00000 n
+0001207194 00000 n
+0001207258 00000 n
+0001207322 00000 n
+0001207386 00000 n
+0001207450 00000 n
+0001207514 00000 n
+0001207578 00000 n
+0001207642 00000 n
+0001207706 00000 n
+0001207770 00000 n
+0001207834 00000 n
+0001207898 00000 n
+0001207962 00000 n
+0001208026 00000 n
+0001208090 00000 n
+0001208154 00000 n
+0001208218 00000 n
+0001208282 00000 n
+0001208346 00000 n
+0001208410 00000 n
+0001208473 00000 n
+0001208537 00000 n
+0001208600 00000 n
+0001208664 00000 n
+0001208726 00000 n
+0001208790 00000 n
+0001208854 00000 n
+0001208918 00000 n
+0001208982 00000 n
+0001209046 00000 n
+0001209110 00000 n
+0001209174 00000 n
+0001209238 00000 n
+0001209302 00000 n
+0001209366 00000 n
+0001209430 00000 n
+0001209494 00000 n
+0001209558 00000 n
+0001209622 00000 n
+0001209686 00000 n
+0001215416 00000 n
+0001212811 00000 n
+0001209893 00000 n
+0001212927 00000 n
+0001213053 00000 n
+0001213116 00000 n
+0001213180 00000 n
+0001213244 00000 n
+0001213308 00000 n
+0001213372 00000 n
+0001213436 00000 n
+0001213500 00000 n
+0001213564 00000 n
+0001213628 00000 n
+0001213692 00000 n
+0001213756 00000 n
+0001213820 00000 n
+0001213884 00000 n
+0001213948 00000 n
+0001214012 00000 n
+0001214076 00000 n
+0001214140 00000 n
+0001214204 00000 n
+0001214268 00000 n
+0001214331 00000 n
+0001214395 00000 n
+0001214458 00000 n
+0001214522 00000 n
+0001214584 00000 n
+0001214648 00000 n
+0001214712 00000 n
+0001214776 00000 n
+0001214840 00000 n
+0001214904 00000 n
+0001214968 00000 n
+0001215032 00000 n
+0001215096 00000 n
+0001215160 00000 n
+0001215224 00000 n
+0001215288 00000 n
+0001215352 00000 n
+0001314211 00000 n
+0001215959 00000 n
+0001215531 00000 n
+0001314019 00000 n
+0003668888 00000 n
+0001414822 00000 n
+0001314787 00000 n
+0001314351 00000 n
+0001414631 00000 n
+0001415243 00000 n
+0001415063 00000 n
+0001414962 00000 n
+0001415179 00000 n
+0001415725 00000 n
+0001415546 00000 n
+0001415285 00000 n
+0001416016 00000 n
+0001415900 00000 n
+0001415799 00000 n
+0001417413 00000 n
+0001416979 00000 n
+0001416058 00000 n
+0001417095 00000 n
+0001417158 00000 n
+0001417285 00000 n
+0001417349 00000 n
+0001417810 00000 n
+0001417630 00000 n
+0001417529 00000 n
+0001417746 00000 n
+0003669013 00000 n
+0001419816 00000 n
+0001419661 00000 n
+0001422216 00000 n
+0001420582 00000 n
+0001419506 00000 n
+0001417852 00000 n
+0001420265 00000 n
+0001420391 00000 n
+0001420518 00000 n
+0001420041 00000 n
+0001440594 00000 n
+0001440785 00000 n
+0001422100 00000 n
+0001420768 00000 n
+0001440466 00000 n
+0001440721 00000 n
+0001443435 00000 n
+0001443002 00000 n
+0001440939 00000 n
+0001443118 00000 n
+0001443244 00000 n
+0001443371 00000 n
+0001446233 00000 n
+0001446053 00000 n
+0001443565 00000 n
+0001446169 00000 n
+0001448972 00000 n
+0001448793 00000 n
+0001446377 00000 n
+0001448909 00000 n
+0001451758 00000 n
+0001451324 00000 n
+0001449102 00000 n
+0001451440 00000 n
+0001451567 00000 n
+0001451694 00000 n
+0003669138 00000 n
+0001454593 00000 n
+0001454287 00000 n
+0001451888 00000 n
+0001454403 00000 n
+0001454529 00000 n
+0001457131 00000 n
+0001459373 00000 n
+0001457349 00000 n
+0001456994 00000 n
+0001454737 00000 n
+0001457285 00000 n
+0001488508 00000 n
+0001487626 00000 n
+0001487774 00000 n
+0001488079 00000 n
+0001488228 00000 n
+0001490613 00000 n
+0001488572 00000 n
+0001459200 00000 n
+0001457550 00000 n
+0001488381 00000 n
+0001487927 00000 n
+0001463685 00000 n
+0001463842 00000 n
+0001463890 00000 n
+0001464312 00000 n
+0001464541 00000 n
+0001602369 00000 n
+0001490767 00000 n
+0001490983 00000 n
+0001490467 00000 n
+0001488760 00000 n
+0001490919 00000 n
+0001606499 00000 n
+0001607558 00000 n
+0001492869 00000 n
+0001493086 00000 n
+0001492732 00000 n
+0001491099 00000 n
+0001493023 00000 n
+0001606372 00000 n
+0001495080 00000 n
+0001494900 00000 n
+0001493202 00000 n
+0001495016 00000 n
+0003669263 00000 n
+0001496766 00000 n
+0001496587 00000 n
+0001495224 00000 n
+0001496703 00000 n
+0001498186 00000 n
+0001497879 00000 n
+0001496882 00000 n
+0001497995 00000 n
+0001498122 00000 n
+0001500546 00000 n
+0001500701 00000 n
+0001501109 00000 n
+0001500400 00000 n
+0001498316 00000 n
+0001500855 00000 n
+0001500918 00000 n
+0001500981 00000 n
+0001501045 00000 n
+0001611836 00000 n
+0001502503 00000 n
+0001502195 00000 n
+0001501296 00000 n
+0001502311 00000 n
+0001502375 00000 n
+0001502439 00000 n
+0001503717 00000 n
+0001503538 00000 n
+0001502619 00000 n
+0001503654 00000 n
+0001505592 00000 n
+0001506256 00000 n
+0001505455 00000 n
+0001503833 00000 n
+0001505747 00000 n
+0001505811 00000 n
+0001505938 00000 n
+0001506002 00000 n
+0001506066 00000 n
+0001506128 00000 n
+0001506192 00000 n
+0003669388 00000 n
+0001618572 00000 n
+0001508826 00000 n
+0001509168 00000 n
+0001508689 00000 n
+0001506386 00000 n
+0001508978 00000 n
+0001509104 00000 n
+0001540680 00000 n
+0001510562 00000 n
+0001540808 00000 n
+0001510446 00000 n
+0001509298 00000 n
+0001540552 00000 n
+0001540744 00000 n
+0001514335 00000 n
+0001514492 00000 n
+0001514540 00000 n
+0001514984 00000 n
+0001515213 00000 n
+0001542083 00000 n
+0001541904 00000 n
+0001540954 00000 n
+0001542020 00000 n
+0001546179 00000 n
+0001543838 00000 n
+0001543594 00000 n
+0001542199 00000 n
+0001543710 00000 n
+0001543774 00000 n
+0001545874 00000 n
+0001546027 00000 n
+0001546794 00000 n
+0001545719 00000 n
+0001543954 00000 n
+0001546347 00000 n
+0001546410 00000 n
+0001546474 00000 n
+0001546538 00000 n
+0001546602 00000 n
+0001546666 00000 n
+0001546730 00000 n
+0001625085 00000 n
+0001549002 00000 n
+0001548758 00000 n
+0001546966 00000 n
+0001548874 00000 n
+0001548938 00000 n
+0003669513 00000 n
+0001550508 00000 n
+0001550203 00000 n
+0001549132 00000 n
+0001550319 00000 n
+0001550382 00000 n
+0001550446 00000 n
+0001551839 00000 n
+0001551595 00000 n
+0001550624 00000 n
+0001551711 00000 n
+0001551775 00000 n
+0001553559 00000 n
+0001553253 00000 n
+0001551955 00000 n
+0001553369 00000 n
+0001553432 00000 n
+0001553495 00000 n
+0001554927 00000 n
+0001554747 00000 n
+0001553675 00000 n
+0001554863 00000 n
+0001556486 00000 n
+0001556307 00000 n
+0001555029 00000 n
+0001556423 00000 n
+0001557495 00000 n
+0001557315 00000 n
+0001556602 00000 n
+0001557431 00000 n
+0003669638 00000 n
+0001558549 00000 n
+0001558370 00000 n
+0001557597 00000 n
+0001558486 00000 n
+0001561142 00000 n
+0001561491 00000 n
+0001561005 00000 n
+0001558665 00000 n
+0001561300 00000 n
+0001561427 00000 n
+0001631402 00000 n
+0001563542 00000 n
+0001563043 00000 n
+0001561635 00000 n
+0001563159 00000 n
+0001563222 00000 n
+0001563286 00000 n
+0001563350 00000 n
+0001563414 00000 n
+0001563478 00000 n
+0001565354 00000 n
+0001565696 00000 n
+0001565217 00000 n
+0001563672 00000 n
+0001565505 00000 n
+0001565632 00000 n
+0001632678 00000 n
+0001567220 00000 n
+0001567041 00000 n
+0001565840 00000 n
+0001567157 00000 n
+0001568790 00000 n
+0001569277 00000 n
+0001568653 00000 n
+0001567393 00000 n
+0001568957 00000 n
+0001569021 00000 n
+0001569085 00000 n
+0001569149 00000 n
+0001569213 00000 n
+0003669763 00000 n
+0001571136 00000 n
+0001570701 00000 n
+0001569449 00000 n
+0001570817 00000 n
+0001570880 00000 n
+0001570944 00000 n
+0001571008 00000 n
+0001571072 00000 n
+0001573007 00000 n
+0001575726 00000 n
+0001573482 00000 n
+0001572870 00000 n
+0001571252 00000 n
+0001573163 00000 n
+0001573290 00000 n
+0001573354 00000 n
+0001573418 00000 n
+0001636405 00000 n
+0001575912 00000 n
+0001576370 00000 n
+0001579258 00000 n
+0001576856 00000 n
+0001575562 00000 n
+0001573612 00000 n
+0001576538 00000 n
+0001576601 00000 n
+0001576665 00000 n
+0001576792 00000 n
+0001576142 00000 n
+0001579427 00000 n
+0001579661 00000 n
+0001579112 00000 n
+0001577042 00000 n
+0001579597 00000 n
+0001581852 00000 n
+0001582002 00000 n
+0001582162 00000 n
+0001585427 00000 n
+0001583138 00000 n
+0001581697 00000 n
+0001579847 00000 n
+0001582312 00000 n
+0001582438 00000 n
+0001582502 00000 n
+0001582565 00000 n
+0001582629 00000 n
+0001582693 00000 n
+0001582757 00000 n
+0001582820 00000 n
+0001582947 00000 n
+0001583011 00000 n
+0001583074 00000 n
+0001637428 00000 n
+0001585584 00000 n
+0001586190 00000 n
+0001585281 00000 n
+0001583268 00000 n
+0001585744 00000 n
+0001585808 00000 n
+0001585872 00000 n
+0001585936 00000 n
+0001586000 00000 n
+0001586126 00000 n
+0003669888 00000 n
+0001639011 00000 n
+0001588541 00000 n
+0001588171 00000 n
+0001586334 00000 n
+0001588287 00000 n
+0001588413 00000 n
+0001588477 00000 n
+0001591054 00000 n
+0001590874 00000 n
+0001588699 00000 n
+0001590990 00000 n
+0001593672 00000 n
+0001593493 00000 n
+0001591170 00000 n
+0001593609 00000 n
+0001596025 00000 n
+0001595845 00000 n
+0001593830 00000 n
+0001595961 00000 n
+0001597813 00000 n
+0001597634 00000 n
+0001596169 00000 n
+0001597750 00000 n
+0001605182 00000 n
+0001602125 00000 n
+0001597943 00000 n
+0001602241 00000 n
+0001602433 00000 n
+0001602497 00000 n
+0001602561 00000 n
+0001602625 00000 n
+0001602689 00000 n
+0001602753 00000 n
+0001602817 00000 n
+0001602881 00000 n
+0001602945 00000 n
+0001603009 00000 n
+0001603073 00000 n
+0001603137 00000 n
+0001603201 00000 n
+0001603265 00000 n
+0001603329 00000 n
+0001603393 00000 n
+0001603457 00000 n
+0001603521 00000 n
+0001603585 00000 n
+0001603649 00000 n
+0001603712 00000 n
+0001603776 00000 n
+0001603839 00000 n
+0001603903 00000 n
+0001603966 00000 n
+0001604030 00000 n
+0001604094 00000 n
+0001604158 00000 n
+0001604222 00000 n
+0001604286 00000 n
+0001604350 00000 n
+0001604414 00000 n
+0001604478 00000 n
+0001604542 00000 n
+0001604606 00000 n
+0001604670 00000 n
+0001604734 00000 n
+0001604798 00000 n
+0001604862 00000 n
+0001604926 00000 n
+0001604990 00000 n
+0001605054 00000 n
+0001605118 00000 n
+0003670013 00000 n
+0001606563 00000 n
+0001606129 00000 n
+0001605325 00000 n
+0001606245 00000 n
+0001607622 00000 n
+0001607314 00000 n
+0001606679 00000 n
+0001607430 00000 n
+0001614393 00000 n
+0001611593 00000 n
+0001607738 00000 n
+0001611709 00000 n
+0001611900 00000 n
+0001611964 00000 n
+0001612028 00000 n
+0001612092 00000 n
+0001612156 00000 n
+0001612220 00000 n
+0001612284 00000 n
+0001612348 00000 n
+0001612412 00000 n
+0001612476 00000 n
+0001612540 00000 n
+0001612604 00000 n
+0001612668 00000 n
+0001612731 00000 n
+0001612795 00000 n
+0001612858 00000 n
+0001612922 00000 n
+0001612985 00000 n
+0001613049 00000 n
+0001613113 00000 n
+0001613177 00000 n
+0001613241 00000 n
+0001613305 00000 n
+0001613369 00000 n
+0001613433 00000 n
+0001613497 00000 n
+0001613561 00000 n
+0001613625 00000 n
+0001613689 00000 n
+0001613753 00000 n
+0001613817 00000 n
+0001613881 00000 n
+0001613945 00000 n
+0001614009 00000 n
+0001614073 00000 n
+0001614137 00000 n
+0001614201 00000 n
+0001614265 00000 n
+0001614329 00000 n
+0001621064 00000 n
+0001618328 00000 n
+0001614536 00000 n
+0001618444 00000 n
+0001618636 00000 n
+0001618700 00000 n
+0001618764 00000 n
+0001618828 00000 n
+0001618892 00000 n
+0001618956 00000 n
+0001619020 00000 n
+0001619084 00000 n
+0001619148 00000 n
+0001619212 00000 n
+0001619276 00000 n
+0001619340 00000 n
+0001619404 00000 n
+0001619468 00000 n
+0001619532 00000 n
+0001619596 00000 n
+0001619660 00000 n
+0001619724 00000 n
+0001619788 00000 n
+0001619852 00000 n
+0001619916 00000 n
+0001619980 00000 n
+0001620044 00000 n
+0001620108 00000 n
+0001620172 00000 n
+0001620236 00000 n
+0001620300 00000 n
+0001620363 00000 n
+0001620427 00000 n
+0001620490 00000 n
+0001620554 00000 n
+0001620616 00000 n
+0001620680 00000 n
+0001620744 00000 n
+0001620808 00000 n
+0001620872 00000 n
+0001620936 00000 n
+0001621000 00000 n
+0001627513 00000 n
+0001624842 00000 n
+0001621207 00000 n
+0001624958 00000 n
+0001625149 00000 n
+0001625213 00000 n
+0001625277 00000 n
+0001625341 00000 n
+0001625405 00000 n
+0001625469 00000 n
+0001625533 00000 n
+0001625597 00000 n
+0001625660 00000 n
+0001625724 00000 n
+0001625787 00000 n
+0001625851 00000 n
+0001625914 00000 n
+0001625978 00000 n
+0001626042 00000 n
+0001626106 00000 n
+0001626170 00000 n
+0001626234 00000 n
+0001626298 00000 n
+0001626362 00000 n
+0001626426 00000 n
+0001626490 00000 n
+0001626554 00000 n
+0001626618 00000 n
+0001626682 00000 n
+0001626746 00000 n
+0001626810 00000 n
+0001626874 00000 n
+0001626938 00000 n
+0001627002 00000 n
+0001627066 00000 n
+0001627130 00000 n
+0001627194 00000 n
+0001627258 00000 n
+0001627322 00000 n
+0001627386 00000 n
+0001627450 00000 n
+0001633829 00000 n
+0001631158 00000 n
+0001627656 00000 n
+0001631274 00000 n
+0001631466 00000 n
+0001631530 00000 n
+0001631593 00000 n
+0001631657 00000 n
+0001631719 00000 n
+0001631783 00000 n
+0001631847 00000 n
+0001631911 00000 n
+0001631975 00000 n
+0001632039 00000 n
+0001632103 00000 n
+0001632167 00000 n
+0001632231 00000 n
+0001632295 00000 n
+0001632359 00000 n
+0001632423 00000 n
+0001632487 00000 n
+0001632551 00000 n
+0001632741 00000 n
+0001632805 00000 n
+0001632869 00000 n
+0001632933 00000 n
+0001632997 00000 n
+0001633061 00000 n
+0001633125 00000 n
+0001633189 00000 n
+0001633253 00000 n
+0001633317 00000 n
+0001633381 00000 n
+0001633445 00000 n
+0001633509 00000 n
+0001633573 00000 n
+0001633637 00000 n
+0001633701 00000 n
+0001633765 00000 n
+0003670138 00000 n
+0001637492 00000 n
+0001636162 00000 n
+0001633972 00000 n
+0001636278 00000 n
+0001636469 00000 n
+0001636533 00000 n
+0001636596 00000 n
+0001636660 00000 n
+0001636724 00000 n
+0001636788 00000 n
+0001636852 00000 n
+0001636916 00000 n
+0001636980 00000 n
+0001637044 00000 n
+0001637108 00000 n
+0001637172 00000 n
+0001637236 00000 n
+0001637300 00000 n
+0001639075 00000 n
+0001638641 00000 n
+0001637649 00000 n
+0001638757 00000 n
+0001638884 00000 n
+0001640978 00000 n
+0001640672 00000 n
+0001639191 00000 n
+0001640788 00000 n
+0001640914 00000 n
+0001643222 00000 n
+0001642915 00000 n
+0001641094 00000 n
+0001643031 00000 n
+0001643158 00000 n
+0001645834 00000 n
+0001645402 00000 n
+0001643395 00000 n
+0001645518 00000 n
+0001645644 00000 n
+0001645770 00000 n
+0001648295 00000 n
+0001648115 00000 n
+0001645964 00000 n
+0001648231 00000 n
+0003670263 00000 n
+0001650213 00000 n
+0001650034 00000 n
+0001648411 00000 n
+0001650150 00000 n
+0001651709 00000 n
+0001651529 00000 n
+0001650386 00000 n
+0001651645 00000 n
+0001654231 00000 n
+0001653925 00000 n
+0001651825 00000 n
+0001654041 00000 n
+0001654167 00000 n
+0001656629 00000 n
+0001656197 00000 n
+0001654375 00000 n
+0001656313 00000 n
+0001656439 00000 n
+0001656566 00000 n
+0001658321 00000 n
+0001658142 00000 n
+0001656830 00000 n
+0001658258 00000 n
+0001660584 00000 n
+0001661076 00000 n
+0001660447 00000 n
+0001658437 00000 n
+0001660758 00000 n
+0001660885 00000 n
+0001661012 00000 n
+0003670388 00000 n
+0001663904 00000 n
+0001663407 00000 n
+0001661262 00000 n
+0001663523 00000 n
+0001663649 00000 n
+0001663776 00000 n
+0001663840 00000 n
+0001666151 00000 n
+0001666941 00000 n
+0001666014 00000 n
+0001664034 00000 n
+0001666301 00000 n
+0001666365 00000 n
+0001666429 00000 n
+0001666493 00000 n
+0001666557 00000 n
+0001666621 00000 n
+0001666685 00000 n
+0001666749 00000 n
+0001666813 00000 n
+0001666877 00000 n
+0001669060 00000 n
+0001669360 00000 n
+0001669920 00000 n
+0001668896 00000 n
+0001667057 00000 n
+0001669666 00000 n
+0001669729 00000 n
+0001669856 00000 n
+0001669210 00000 n
+0001669513 00000 n
+0001672054 00000 n
+0001672395 00000 n
+0001671917 00000 n
+0001670064 00000 n
+0001672204 00000 n
+0001672331 00000 n
+0001674142 00000 n
+0001673963 00000 n
+0001672539 00000 n
+0001674079 00000 n
+0001675616 00000 n
+0001675436 00000 n
+0001674244 00000 n
+0001675552 00000 n
+0003670513 00000 n
+0001677126 00000 n
+0001676947 00000 n
+0001675718 00000 n
+0001677063 00000 n
+0001679217 00000 n
+0001679558 00000 n
+0001679080 00000 n
+0001677228 00000 n
+0001679367 00000 n
+0001679494 00000 n
+0001682155 00000 n
+0001681597 00000 n
+0001679688 00000 n
+0001681713 00000 n
+0001681839 00000 n
+0001681966 00000 n
+0001682093 00000 n
+0001684096 00000 n
+0001687033 00000 n
+0001684566 00000 n
+0001683959 00000 n
+0001682313 00000 n
+0001684249 00000 n
+0001684376 00000 n
+0001684503 00000 n
+0001687660 00000 n
+0001686887 00000 n
+0001684710 00000 n
+0001687343 00000 n
+0001687469 00000 n
+0001687188 00000 n
+0001687596 00000 n
+0001690188 00000 n
+0001690401 00000 n
+0001690051 00000 n
+0001687804 00000 n
+0001690337 00000 n
+0003670638 00000 n
+0001693219 00000 n
+0001692657 00000 n
+0001690531 00000 n
+0001692773 00000 n
+0001692899 00000 n
+0001692963 00000 n
+0001693027 00000 n
+0001693091 00000 n
+0001693155 00000 n
+0001695233 00000 n
+0001694989 00000 n
+0001693363 00000 n
+0001695105 00000 n
+0001695169 00000 n
+0001697188 00000 n
+0001696755 00000 n
+0001695349 00000 n
+0001696871 00000 n
+0001697124 00000 n
+0001699501 00000 n
+0001699068 00000 n
+0001697304 00000 n
+0001699184 00000 n
+0001699311 00000 n
+0001699437 00000 n
+0001702068 00000 n
+0001704366 00000 n
+0001702414 00000 n
+0001701931 00000 n
+0001699702 00000 n
+0001702225 00000 n
+0001702350 00000 n
+0001729993 00000 n
+0001731261 00000 n
+0001730057 00000 n
+0001704250 00000 n
+0001702544 00000 n
+0001729865 00000 n
+0003670763 00000 n
+0001706736 00000 n
+0001706893 00000 n
+0001706941 00000 n
+0001707363 00000 n
+0001707590 00000 n
+0001762803 00000 n
+0001731145 00000 n
+0001730203 00000 n
+0001762485 00000 n
+0001762612 00000 n
+0001762739 00000 n
+0001765259 00000 n
+0001765557 00000 n
+0001765712 00000 n
+0001766009 00000 n
+0001766359 00000 n
+0001765077 00000 n
+0001762957 00000 n
+0001766168 00000 n
+0001766295 00000 n
+0001765408 00000 n
+0001765861 00000 n
+0001768221 00000 n
+0001768371 00000 n
+0001768715 00000 n
+0001768075 00000 n
+0001766517 00000 n
+0001768525 00000 n
+0001768651 00000 n
+0001771083 00000 n
+0001771147 00000 n
+0001770839 00000 n
+0001768859 00000 n
+0001770955 00000 n
+0001773711 00000 n
+0001773864 00000 n
+0001774018 00000 n
+0001774175 00000 n
+0001774709 00000 n
+0001773547 00000 n
+0001771348 00000 n
+0001774326 00000 n
+0001774389 00000 n
+0001774453 00000 n
+0001774517 00000 n
+0001774581 00000 n
+0001774645 00000 n
+0001818945 00000 n
+0001828478 00000 n
+0001830796 00000 n
+0001831866 00000 n
+0001776414 00000 n
+0001776759 00000 n
+0001776277 00000 n
+0001774896 00000 n
+0001776567 00000 n
+0001776631 00000 n
+0001776695 00000 n
+0003670888 00000 n
+0001778445 00000 n
+0001778266 00000 n
+0001776875 00000 n
+0001778382 00000 n
+0001780026 00000 n
+0001779846 00000 n
+0001778561 00000 n
+0001779962 00000 n
+0001781800 00000 n
+0001782207 00000 n
+0001781663 00000 n
+0001780128 00000 n
+0001781952 00000 n
+0001782015 00000 n
+0001782079 00000 n
+0001782143 00000 n
+0001832945 00000 n
+0001783771 00000 n
+0001783463 00000 n
+0001782323 00000 n
+0001783579 00000 n
+0001783643 00000 n
+0001783707 00000 n
+0001785309 00000 n
+0001785002 00000 n
+0001783887 00000 n
+0001785118 00000 n
+0001785181 00000 n
+0001785245 00000 n
+0001786950 00000 n
+0001786642 00000 n
+0001785425 00000 n
+0001786758 00000 n
+0001786822 00000 n
+0001786886 00000 n
+0003671013 00000 n
+0001788567 00000 n
+0001788909 00000 n
+0001788430 00000 n
+0001787066 00000 n
+0001788718 00000 n
+0001788781 00000 n
+0001788845 00000 n
+0001794156 00000 n
+0001790376 00000 n
+0001790132 00000 n
+0001789025 00000 n
+0001790248 00000 n
+0001790312 00000 n
+0001793811 00000 n
+0001792509 00000 n
+0001792074 00000 n
+0001790492 00000 n
+0001792190 00000 n
+0001792253 00000 n
+0001792317 00000 n
+0001792381 00000 n
+0001792445 00000 n
+0001794220 00000 n
+0001793674 00000 n
+0001792653 00000 n
+0001793966 00000 n
+0001794030 00000 n
+0001795254 00000 n
+0001795075 00000 n
+0001794350 00000 n
+0001795191 00000 n
+0001797205 00000 n
+0001797678 00000 n
+0001797068 00000 n
+0001795356 00000 n
+0001797360 00000 n
+0001797487 00000 n
+0001797551 00000 n
+0001797615 00000 n
+0003671138 00000 n
+0001799072 00000 n
+0001798701 00000 n
+0001797822 00000 n
+0001798817 00000 n
+0001798880 00000 n
+0001798944 00000 n
+0001799008 00000 n
+0001800914 00000 n
+0001800670 00000 n
+0001799188 00000 n
+0001800786 00000 n
+0001800850 00000 n
+0001802555 00000 n
+0001802248 00000 n
+0001801030 00000 n
+0001802364 00000 n
+0001802427 00000 n
+0001802491 00000 n
+0001804891 00000 n
+0001804330 00000 n
+0001802671 00000 n
+0001804446 00000 n
+0001804510 00000 n
+0001804636 00000 n
+0001804763 00000 n
+0001804827 00000 n
+0001807198 00000 n
+0001807019 00000 n
+0001805049 00000 n
+0001807135 00000 n
+0001809753 00000 n
+0001809573 00000 n
+0001807342 00000 n
+0001809689 00000 n
+0003671263 00000 n
+0001812199 00000 n
+0001812020 00000 n
+0001809869 00000 n
+0001812136 00000 n
+0001813425 00000 n
+0001813245 00000 n
+0001812329 00000 n
+0001813361 00000 n
+0001821685 00000 n
+0001818702 00000 n
+0001813527 00000 n
+0001818818 00000 n
+0001819009 00000 n
+0001819073 00000 n
+0001819137 00000 n
+0001819201 00000 n
+0001819265 00000 n
+0001819329 00000 n
+0001819393 00000 n
+0001819457 00000 n
+0001819520 00000 n
+0001819584 00000 n
+0001819647 00000 n
+0001819711 00000 n
+0001819773 00000 n
+0001819837 00000 n
+0001819901 00000 n
+0001819965 00000 n
+0001820029 00000 n
+0001820093 00000 n
+0001820157 00000 n
+0001820221 00000 n
+0001820285 00000 n
+0001820349 00000 n
+0001820413 00000 n
+0001820477 00000 n
+0001820541 00000 n
+0001820605 00000 n
+0001820669 00000 n
+0001820733 00000 n
+0001820797 00000 n
+0001820861 00000 n
+0001820924 00000 n
+0001820988 00000 n
+0001821050 00000 n
+0001821114 00000 n
+0001821177 00000 n
+0001821241 00000 n
+0001821305 00000 n
+0001821369 00000 n
+0001821433 00000 n
+0001821496 00000 n
+0001821559 00000 n
+0001821622 00000 n
+0001827429 00000 n
+0001824823 00000 n
+0001821842 00000 n
+0001824939 00000 n
+0001825066 00000 n
+0001825129 00000 n
+0001825193 00000 n
+0001825257 00000 n
+0001825321 00000 n
+0001825385 00000 n
+0001825449 00000 n
+0001825513 00000 n
+0001825577 00000 n
+0001825641 00000 n
+0001825705 00000 n
+0001825769 00000 n
+0001825833 00000 n
+0001825897 00000 n
+0001825961 00000 n
+0001826025 00000 n
+0001826089 00000 n
+0001826153 00000 n
+0001826217 00000 n
+0001826281 00000 n
+0001826344 00000 n
+0001826408 00000 n
+0001826471 00000 n
+0001826535 00000 n
+0001826597 00000 n
+0001826661 00000 n
+0001826725 00000 n
+0001826789 00000 n
+0001826853 00000 n
+0001826917 00000 n
+0001826981 00000 n
+0001827045 00000 n
+0001827109 00000 n
+0001827173 00000 n
+0001827237 00000 n
+0001827301 00000 n
+0001827365 00000 n
+0001828542 00000 n
+0001828236 00000 n
+0001827544 00000 n
+0001828352 00000 n
+0001829845 00000 n
+0001829537 00000 n
+0001828658 00000 n
+0001829653 00000 n
+0001829781 00000 n
+0003671388 00000 n
+0001830860 00000 n
+0001830553 00000 n
+0001829961 00000 n
+0001830669 00000 n
+0001831929 00000 n
+0001831622 00000 n
+0001830976 00000 n
+0001831738 00000 n
+0001833008 00000 n
+0001832702 00000 n
+0001832045 00000 n
+0001832818 00000 n
+0001833405 00000 n
+0001833225 00000 n
+0001833124 00000 n
+0001833341 00000 n
+0001835407 00000 n
+0001835101 00000 n
+0001833447 00000 n
+0001835217 00000 n
+0001835343 00000 n
+0001837825 00000 n
+0001837518 00000 n
+0001835523 00000 n
+0001837634 00000 n
+0001837761 00000 n
+0003671513 00000 n
+0001840146 00000 n
+0001840633 00000 n
+0001840000 00000 n
+0001837941 00000 n
+0001840443 00000 n
+0001840569 00000 n
+0001840294 00000 n
+0001843027 00000 n
+0001842594 00000 n
+0001840763 00000 n
+0001842710 00000 n
+0001842837 00000 n
+0001842964 00000 n
+0001845330 00000 n
+0001845480 00000 n
+0001845711 00000 n
+0001845184 00000 n
+0001843157 00000 n
+0001845648 00000 n
+0003661908 00000 n
+0003661763 00000 n
+0001847192 00000 n
+0001847510 00000 n
+0001846948 00000 n
+0001845940 00000 n
+0001847064 00000 n
+0001847319 00000 n
+0001847446 00000 n
+0001849009 00000 n
+0001848703 00000 n
+0001847640 00000 n
+0001848819 00000 n
+0001848945 00000 n
+0001850263 00000 n
+0001850083 00000 n
+0001849139 00000 n
+0001850199 00000 n
+0003671638 00000 n
+0001851437 00000 n
+0001851258 00000 n
+0001850365 00000 n
+0001851374 00000 n
+0001852601 00000 n
+0001852421 00000 n
+0001851539 00000 n
+0001852537 00000 n
+0001854070 00000 n
+0001856990 00000 n
+0001854282 00000 n
+0001853933 00000 n
+0001852703 00000 n
+0001854219 00000 n
+0001881985 00000 n
+0001858049 00000 n
+0001857139 00000 n
+0001857446 00000 n
+0001857748 00000 n
+0001858428 00000 n
+0001856781 00000 n
+0001854398 00000 n
+0001858364 00000 n
+0001857293 00000 n
+0001857598 00000 n
+0001857898 00000 n
+0001858214 00000 n
+0001883369 00000 n
+0001888509 00000 n
+0001913764 00000 n
+0001914688 00000 n
+0001861170 00000 n
+0001861318 00000 n
+0001861533 00000 n
+0001860705 00000 n
+0001858614 00000 n
+0001861470 00000 n
+0001860869 00000 n
+0001861019 00000 n
+0001916246 00000 n
+0001863476 00000 n
+0001863296 00000 n
+0001861720 00000 n
+0001863412 00000 n
+0003671763 00000 n
+0001864723 00000 n
+0001864544 00000 n
+0001863592 00000 n
+0001864660 00000 n
+0001866544 00000 n
+0001866364 00000 n
+0001864839 00000 n
+0001866480 00000 n
+0001867797 00000 n
+0001867618 00000 n
+0001866660 00000 n
+0001867734 00000 n
+0001869601 00000 n
+0001869835 00000 n
+0001869464 00000 n
+0001867913 00000 n
+0001869771 00000 n
+0001872089 00000 n
+0001872298 00000 n
+0001871952 00000 n
+0001870007 00000 n
+0001872235 00000 n
+0001921773 00000 n
+0001875324 00000 n
+0001874696 00000 n
+0001872414 00000 n
+0001874812 00000 n
+0001874876 00000 n
+0001874940 00000 n
+0001875004 00000 n
+0001875068 00000 n
+0001875132 00000 n
+0001875196 00000 n
+0001875260 00000 n
+0003671888 00000 n
+0001877798 00000 n
+0001877619 00000 n
+0001875468 00000 n
+0001877735 00000 n
+0001880229 00000 n
+0001880462 00000 n
+0001880092 00000 n
+0001877928 00000 n
+0001880398 00000 n
+0001882049 00000 n
+0001881742 00000 n
+0001880620 00000 n
+0001881858 00000 n
+0001883433 00000 n
+0001883125 00000 n
+0001882165 00000 n
+0001883241 00000 n
+0001891061 00000 n
+0001888266 00000 n
+0001883549 00000 n
+0001888382 00000 n
+0001888573 00000 n
+0001888637 00000 n
+0001888701 00000 n
+0001888765 00000 n
+0001888829 00000 n
+0001888893 00000 n
+0001888957 00000 n
+0001889021 00000 n
+0001889084 00000 n
+0001889148 00000 n
+0001889211 00000 n
+0001889275 00000 n
+0001889337 00000 n
+0001889401 00000 n
+0001889465 00000 n
+0001889529 00000 n
+0001889593 00000 n
+0001889657 00000 n
+0001889721 00000 n
+0001889785 00000 n
+0001889849 00000 n
+0001889913 00000 n
+0001889977 00000 n
+0001890041 00000 n
+0001890105 00000 n
+0001890169 00000 n
+0001890233 00000 n
+0001890297 00000 n
+0001890361 00000 n
+0001890425 00000 n
+0001890489 00000 n
+0001890553 00000 n
+0001890617 00000 n
+0001890680 00000 n
+0001890744 00000 n
+0001890806 00000 n
+0001890870 00000 n
+0001890933 00000 n
+0001890997 00000 n
+0001896825 00000 n
+0001894345 00000 n
+0001891218 00000 n
+0001894461 00000 n
+0001894589 00000 n
+0001894653 00000 n
+0001894717 00000 n
+0001894781 00000 n
+0001894845 00000 n
+0001894908 00000 n
+0001894972 00000 n
+0001895035 00000 n
+0001895099 00000 n
+0001895162 00000 n
+0001895226 00000 n
+0001895290 00000 n
+0001895354 00000 n
+0001895418 00000 n
+0001895482 00000 n
+0001895546 00000 n
+0001895610 00000 n
+0001895674 00000 n
+0001895738 00000 n
+0001895802 00000 n
+0001895866 00000 n
+0001895930 00000 n
+0001895994 00000 n
+0001896058 00000 n
+0001896122 00000 n
+0001896186 00000 n
+0001896250 00000 n
+0001896314 00000 n
+0001896378 00000 n
+0001896442 00000 n
+0001896506 00000 n
+0001896570 00000 n
+0001896634 00000 n
+0001896698 00000 n
+0001896762 00000 n
+0003672013 00000 n
+0001902818 00000 n
+0001900276 00000 n
+0001896968 00000 n
+0001900392 00000 n
+0001900519 00000 n
+0001900583 00000 n
+0001900646 00000 n
+0001900710 00000 n
+0001900774 00000 n
+0001900838 00000 n
+0001900901 00000 n
+0001900965 00000 n
+0001901028 00000 n
+0001901092 00000 n
+0001901155 00000 n
+0001901219 00000 n
+0001901283 00000 n
+0001901347 00000 n
+0001901411 00000 n
+0001901475 00000 n
+0001901539 00000 n
+0001901603 00000 n
+0001901667 00000 n
+0001901731 00000 n
+0001901795 00000 n
+0001901859 00000 n
+0001901923 00000 n
+0001901987 00000 n
+0001902051 00000 n
+0001902115 00000 n
+0001902179 00000 n
+0001902243 00000 n
+0001902307 00000 n
+0001902371 00000 n
+0001902435 00000 n
+0001902499 00000 n
+0001902563 00000 n
+0001902627 00000 n
+0001902691 00000 n
+0001902754 00000 n
+0001908399 00000 n
+0001905983 00000 n
+0001902961 00000 n
+0001906099 00000 n
+0001906227 00000 n
+0001906291 00000 n
+0001906355 00000 n
+0001906419 00000 n
+0001906483 00000 n
+0001906546 00000 n
+0001906610 00000 n
+0001906673 00000 n
+0001906737 00000 n
+0001906800 00000 n
+0001906864 00000 n
+0001906928 00000 n
+0001906992 00000 n
+0001907056 00000 n
+0001907120 00000 n
+0001907184 00000 n
+0001907248 00000 n
+0001907312 00000 n
+0001907376 00000 n
+0001907440 00000 n
+0001907504 00000 n
+0001907568 00000 n
+0001907632 00000 n
+0001907696 00000 n
+0001907760 00000 n
+0001907824 00000 n
+0001907888 00000 n
+0001907952 00000 n
+0001908016 00000 n
+0001908080 00000 n
+0001908144 00000 n
+0001908208 00000 n
+0001908272 00000 n
+0001908336 00000 n
+0001912283 00000 n
+0001910572 00000 n
+0001908556 00000 n
+0001910688 00000 n
+0001910815 00000 n
+0001910879 00000 n
+0001910943 00000 n
+0001911007 00000 n
+0001911071 00000 n
+0001911135 00000 n
+0001911199 00000 n
+0001911263 00000 n
+0001911327 00000 n
+0001911391 00000 n
+0001911455 00000 n
+0001911519 00000 n
+0001911583 00000 n
+0001911646 00000 n
+0001911710 00000 n
+0001911773 00000 n
+0001911837 00000 n
+0001911899 00000 n
+0001911963 00000 n
+0001912027 00000 n
+0001912091 00000 n
+0001912155 00000 n
+0001912219 00000 n
+0001913828 00000 n
+0001913520 00000 n
+0001912398 00000 n
+0001913636 00000 n
+0001914752 00000 n
+0001914446 00000 n
+0001913944 00000 n
+0001914562 00000 n
+0001916310 00000 n
+0001916002 00000 n
+0001914868 00000 n
+0001916118 00000 n
+0003672138 00000 n
+0001917618 00000 n
+0001917311 00000 n
+0001916426 00000 n
+0001917427 00000 n
+0001917554 00000 n
+0001919063 00000 n
+0001918755 00000 n
+0001917734 00000 n
+0001918871 00000 n
+0001918999 00000 n
+0001920593 00000 n
+0001920286 00000 n
+0001919179 00000 n
+0001920402 00000 n
+0001920529 00000 n
+0001921837 00000 n
+0001921529 00000 n
+0001920709 00000 n
+0001921645 00000 n
+0001923149 00000 n
+0001922842 00000 n
+0001921953 00000 n
+0001922958 00000 n
+0001923085 00000 n
+0001924952 00000 n
+0001924644 00000 n
+0001923265 00000 n
+0001924760 00000 n
+0001924888 00000 n
+0003672263 00000 n
+0001926372 00000 n
+0001926065 00000 n
+0001925068 00000 n
+0001926181 00000 n
+0001926308 00000 n
+0001927597 00000 n
+0001927289 00000 n
+0001926488 00000 n
+0001927405 00000 n
+0001927533 00000 n
+0001928106 00000 n
+0001927927 00000 n
+0001927713 00000 n
+0001928397 00000 n
+0001928281 00000 n
+0001928180 00000 n
+0001929497 00000 n
+0001929063 00000 n
+0001928439 00000 n
+0001929179 00000 n
+0001929242 00000 n
+0001929369 00000 n
+0001929433 00000 n
+0001929894 00000 n
+0001929714 00000 n
+0001929613 00000 n
+0001929830 00000 n
+0003672388 00000 n
+0001931825 00000 n
+0001931519 00000 n
+0001929936 00000 n
+0001931635 00000 n
+0001931761 00000 n
+0001934475 00000 n
+0001934168 00000 n
+0001931941 00000 n
+0001934284 00000 n
+0001934411 00000 n
+0001936744 00000 n
+0001936565 00000 n
+0001934633 00000 n
+0001936681 00000 n
+0001938961 00000 n
+0001938781 00000 n
+0001936846 00000 n
+0001938897 00000 n
+0001941279 00000 n
+0001940973 00000 n
+0001939063 00000 n
+0001941089 00000 n
+0001941215 00000 n
+0001943938 00000 n
+0001943633 00000 n
+0001941395 00000 n
+0001943749 00000 n
+0001943876 00000 n
+0003672513 00000 n
+0001946260 00000 n
+0001945954 00000 n
+0001944054 00000 n
+0001946070 00000 n
+0001946196 00000 n
+0001948491 00000 n
+0001948707 00000 n
+0001948354 00000 n
+0001946376 00000 n
+0001948643 00000 n
+0001965421 00000 n
+0001951115 00000 n
+0001950936 00000 n
+0001948837 00000 n
+0001951052 00000 n
+0001953710 00000 n
+0001953910 00000 n
+0001954178 00000 n
+0001953564 00000 n
+0001951217 00000 n
+0001954114 00000 n
+0001956591 00000 n
+0001956412 00000 n
+0001954350 00000 n
+0001956528 00000 n
+0001961707 00000 n
+0001959041 00000 n
+0001958735 00000 n
+0001956693 00000 n
+0001958851 00000 n
+0001958978 00000 n
+0003672638 00000 n
+0001961886 00000 n
+0001962343 00000 n
+0001962599 00000 n
+0001961543 00000 n
+0001959157 00000 n
+0001962536 00000 n
+0001962115 00000 n
+0001964857 00000 n
+0001965612 00000 n
+0001964711 00000 n
+0001962785 00000 n
+0001965294 00000 n
+0001965548 00000 n
+0001965075 00000 n
+0001968779 00000 n
+0001968026 00000 n
+0001965784 00000 n
+0001968142 00000 n
+0001968205 00000 n
+0001968269 00000 n
+0001968332 00000 n
+0001968396 00000 n
+0001968460 00000 n
+0001968524 00000 n
+0001968588 00000 n
+0001968715 00000 n
+0001971051 00000 n
+0001970488 00000 n
+0001968923 00000 n
+0001970604 00000 n
+0001970668 00000 n
+0001970732 00000 n
+0001970796 00000 n
+0001970860 00000 n
+0001970987 00000 n
+0001973315 00000 n
+0001973136 00000 n
+0001971181 00000 n
+0001973252 00000 n
+0001975317 00000 n
+0001975137 00000 n
+0001973530 00000 n
+0001975253 00000 n
+0003672763 00000 n
+0001977852 00000 n
+0001977546 00000 n
+0001975433 00000 n
+0001977662 00000 n
+0001977788 00000 n
+0001980849 00000 n
+0001980224 00000 n
+0001977996 00000 n
+0001980340 00000 n
+0001980467 00000 n
+0001980531 00000 n
+0001980595 00000 n
+0001980659 00000 n
+0001980722 00000 n
+0001980785 00000 n
+0001983071 00000 n
+0001982765 00000 n
+0001980979 00000 n
+0001982881 00000 n
+0001982944 00000 n
+0001983008 00000 n
+0001985465 00000 n
+0001984967 00000 n
+0001983187 00000 n
+0001985083 00000 n
+0001985147 00000 n
+0001985211 00000 n
+0001985274 00000 n
+0001985401 00000 n
+0001988652 00000 n
+0001987900 00000 n
+0001985595 00000 n
+0001988016 00000 n
+0001988142 00000 n
+0001988206 00000 n
+0001988270 00000 n
+0001988334 00000 n
+0001988396 00000 n
+0001988460 00000 n
+0001988524 00000 n
+0001988588 00000 n
+0001991781 00000 n
+0001991028 00000 n
+0001988796 00000 n
+0001991144 00000 n
+0001991271 00000 n
+0001991335 00000 n
+0001991399 00000 n
+0001991462 00000 n
+0001991589 00000 n
+0001991653 00000 n
+0001991717 00000 n
+0003672888 00000 n
+0001993149 00000 n
+0001992906 00000 n
+0001991925 00000 n
+0001993022 00000 n
+0001993085 00000 n
+0001995754 00000 n
+0001995383 00000 n
+0001993265 00000 n
+0001995499 00000 n
+0001995563 00000 n
+0001995690 00000 n
+0001998048 00000 n
+0001997678 00000 n
+0001995898 00000 n
+0001997794 00000 n
+0001997920 00000 n
+0001997984 00000 n
+0002000513 00000 n
+0002000333 00000 n
+0001998206 00000 n
+0002000449 00000 n
+0002002092 00000 n
+0002001913 00000 n
+0002000657 00000 n
+0002002029 00000 n
+0002002531 00000 n
+0002002351 00000 n
+0002002250 00000 n
+0002002467 00000 n
+0003673013 00000 n
+0002004562 00000 n
+0002004129 00000 n
+0002002573 00000 n
+0002004245 00000 n
+0002004371 00000 n
+0002004498 00000 n
+0002007043 00000 n
+0002006736 00000 n
+0002004678 00000 n
+0002006852 00000 n
+0002006979 00000 n
+0002009311 00000 n
+0002008878 00000 n
+0002007159 00000 n
+0002008994 00000 n
+0002009120 00000 n
+0002009247 00000 n
+0002011383 00000 n
+0002010950 00000 n
+0002009441 00000 n
+0002011066 00000 n
+0002011193 00000 n
+0002011319 00000 n
+0002013073 00000 n
+0002012767 00000 n
+0002011513 00000 n
+0002012883 00000 n
+0002013009 00000 n
+0002015725 00000 n
+0002016357 00000 n
+0002015579 00000 n
+0002013260 00000 n
+0002016038 00000 n
+0002016165 00000 n
+0002016229 00000 n
+0002015882 00000 n
+0002016293 00000 n
+0003673138 00000 n
+0002018002 00000 n
+0002018193 00000 n
+0002017695 00000 n
+0002016487 00000 n
+0002017811 00000 n
+0002017874 00000 n
+0002018129 00000 n
+0002020537 00000 n
+0002020704 00000 n
+0002020382 00000 n
+0002021201 00000 n
+0002020227 00000 n
+0002018323 00000 n
+0002020881 00000 n
+0002020945 00000 n
+0002021009 00000 n
+0002021073 00000 n
+0002021137 00000 n
+0002028238 00000 n
+0002022790 00000 n
+0002022483 00000 n
+0002021373 00000 n
+0002022599 00000 n
+0002022662 00000 n
+0002022726 00000 n
+0002024494 00000 n
+0002024907 00000 n
+0002024357 00000 n
+0002022906 00000 n
+0002024652 00000 n
+0002024716 00000 n
+0002024843 00000 n
+0002029518 00000 n
+0002029900 00000 n
+0002027995 00000 n
+0002025037 00000 n
+0002028111 00000 n
+0002028302 00000 n
+0002028366 00000 n
+0002028430 00000 n
+0002028494 00000 n
+0002028558 00000 n
+0002028622 00000 n
+0002028686 00000 n
+0002028750 00000 n
+0002028814 00000 n
+0002028878 00000 n
+0002028942 00000 n
+0002029006 00000 n
+0002029070 00000 n
+0002029134 00000 n
+0002029198 00000 n
+0002029262 00000 n
+0002029326 00000 n
+0002029390 00000 n
+0002029645 00000 n
+0002029772 00000 n
+0002029836 00000 n
+0002031600 00000 n
+0002031753 00000 n
+0002032416 00000 n
+0002031454 00000 n
+0002030085 00000 n
+0002031904 00000 n
+0002031968 00000 n
+0002032032 00000 n
+0002032096 00000 n
+0002032160 00000 n
+0002032224 00000 n
+0002032288 00000 n
+0002032352 00000 n
+0003673263 00000 n
+0002034279 00000 n
+0002034406 00000 n
+0002034596 00000 n
+0002034036 00000 n
+0002032532 00000 n
+0002034152 00000 n
+0002034532 00000 n
+0002037341 00000 n
+0002036971 00000 n
+0002034726 00000 n
+0002037087 00000 n
+0002037214 00000 n
+0002037278 00000 n
+0002039811 00000 n
+0002039632 00000 n
+0002037471 00000 n
+0002039748 00000 n
+0002040999 00000 n
+0002040819 00000 n
+0002039941 00000 n
+0002040935 00000 n
+0002042905 00000 n
+0002042473 00000 n
+0002041101 00000 n
+0002042589 00000 n
+0002042715 00000 n
+0002042841 00000 n
+0002045389 00000 n
+0002046051 00000 n
+0002045243 00000 n
+0002043021 00000 n
+0002045860 00000 n
+0002045987 00000 n
+0002045624 00000 n
+0003673388 00000 n
+0002048934 00000 n
+0002048627 00000 n
+0002046237 00000 n
+0002048743 00000 n
+0002048870 00000 n
+0002051825 00000 n
+0002051264 00000 n
+0002049050 00000 n
+0002051380 00000 n
+0002051507 00000 n
+0002051634 00000 n
+0002051761 00000 n
+0002053835 00000 n
+0002054323 00000 n
+0002053689 00000 n
+0002051969 00000 n
+0002054134 00000 n
+0002054260 00000 n
+0002053984 00000 n
+0002838820 00000 n
+0002056632 00000 n
+0002057098 00000 n
+0002056495 00000 n
+0002054538 00000 n
+0002056782 00000 n
+0002056907 00000 n
+0002057034 00000 n
+0002059011 00000 n
+0002058832 00000 n
+0002057285 00000 n
+0002058948 00000 n
+0002061300 00000 n
+0002061517 00000 n
+0002061163 00000 n
+0002059127 00000 n
+0002061453 00000 n
+0003673513 00000 n
+0002815868 00000 n
+0002064059 00000 n
+0002063500 00000 n
+0002061647 00000 n
+0002063616 00000 n
+0002063742 00000 n
+0002063869 00000 n
+0002063995 00000 n
+0002066740 00000 n
+0002066179 00000 n
+0002064175 00000 n
+0002066295 00000 n
+0002066422 00000 n
+0002066549 00000 n
+0002066676 00000 n
+0002069436 00000 n
+0002069130 00000 n
+0002066870 00000 n
+0002069246 00000 n
+0002069372 00000 n
+0002071758 00000 n
+0002071451 00000 n
+0002069552 00000 n
+0002071567 00000 n
+0002071694 00000 n
+0002072939 00000 n
+0002072760 00000 n
+0002071916 00000 n
+0002072876 00000 n
+0002073322 00000 n
+0002073142 00000 n
+0002073041 00000 n
+0002073258 00000 n
+0003673638 00000 n
+0002075250 00000 n
+0002074944 00000 n
+0002073364 00000 n
+0002075060 00000 n
+0002075186 00000 n
+0002077812 00000 n
+0002077991 00000 n
+0002078173 00000 n
+0002078537 00000 n
+0002077657 00000 n
+0002075366 00000 n
+0002078347 00000 n
+0002078474 00000 n
+0002080743 00000 n
+0002081121 00000 n
+0002080606 00000 n
+0002078723 00000 n
+0002080931 00000 n
+0002081057 00000 n
+0002082282 00000 n
+0002082102 00000 n
+0002081307 00000 n
+0002082218 00000 n
+0002083991 00000 n
+0002086330 00000 n
+0002118192 00000 n
+0002120971 00000 n
+0002084650 00000 n
+0002083854 00000 n
+0002082384 00000 n
+0002084142 00000 n
+0002084459 00000 n
+0002084522 00000 n
+0002084586 00000 n
+0002118928 00000 n
+0002118344 00000 n
+0002152496 00000 n
+0002118648 00000 n
+0002165321 00000 n
+0002150815 00000 n
+0002180597 00000 n
+0002119247 00000 n
+0002086166 00000 n
+0002084766 00000 n
+0002118800 00000 n
+0002118992 00000 n
+0002119056 00000 n
+0002118496 00000 n
+0002119120 00000 n
+0002119183 00000 n
+0003673763 00000 n
+0002151246 00000 n
+0002178404 00000 n
+0002178532 00000 n
+0002150967 00000 n
+0002151374 00000 n
+0002120825 00000 n
+0002119401 00000 n
+0002151119 00000 n
+0002151310 00000 n
+0002200436 00000 n
+0002178596 00000 n
+0002152380 00000 n
+0002151528 00000 n
+0002178276 00000 n
+0002200627 00000 n
+0002180481 00000 n
+0002178751 00000 n
+0002200309 00000 n
+0002200563 00000 n
+0002202790 00000 n
+0002202610 00000 n
+0002200795 00000 n
+0002202726 00000 n
+0002204111 00000 n
+0002203932 00000 n
+0002202906 00000 n
+0002204048 00000 n
+0002206448 00000 n
+0002206789 00000 n
+0002206311 00000 n
+0002204227 00000 n
+0002206598 00000 n
+0002206725 00000 n
+0003673888 00000 n
+0002824422 00000 n
+0002208940 00000 n
+0002209096 00000 n
+0002209248 00000 n
+0002209552 00000 n
+0002210275 00000 n
+0002208767 00000 n
+0002206933 00000 n
+0002209704 00000 n
+0002209830 00000 n
+0002209957 00000 n
+0002210084 00000 n
+0002209400 00000 n
+0002210211 00000 n
+0002825920 00000 n
+0002212199 00000 n
+0002212361 00000 n
+0002212523 00000 n
+0002212685 00000 n
+0002212844 00000 n
+0002213515 00000 n
+0002212026 00000 n
+0002210405 00000 n
+0002213003 00000 n
+0002213259 00000 n
+0002213323 00000 n
+0002213387 00000 n
+0002213451 00000 n
+0002830073 00000 n
+0002831438 00000 n
+0002832936 00000 n
+0002834114 00000 n
+0002835232 00000 n
+0002215110 00000 n
+0002214868 00000 n
+0002213645 00000 n
+0002214984 00000 n
+0002215047 00000 n
+0002216463 00000 n
+0002216219 00000 n
+0002215226 00000 n
+0002216335 00000 n
+0002216399 00000 n
+0002218008 00000 n
+0002217701 00000 n
+0002216579 00000 n
+0002217817 00000 n
+0002217880 00000 n
+0002217944 00000 n
+0002219550 00000 n
+0002219926 00000 n
+0002219413 00000 n
+0002218124 00000 n
+0002219734 00000 n
+0002219862 00000 n
+0003674013 00000 n
+0002221804 00000 n
+0002222035 00000 n
+0002221667 00000 n
+0002220112 00000 n
+0002221972 00000 n
+0002223607 00000 n
+0002227378 00000 n
+0002224075 00000 n
+0002223470 00000 n
+0002222207 00000 n
+0002223756 00000 n
+0002223820 00000 n
+0002223884 00000 n
+0002223948 00000 n
+0002224012 00000 n
+0002836593 00000 n
+0002226771 00000 n
+0002226919 00000 n
+0002229307 00000 n
+0002306936 00000 n
+0002227072 00000 n
+0002309274 00000 n
+0002227226 00000 n
+0002227674 00000 n
+0002226582 00000 n
+0002224191 00000 n
+0002227547 00000 n
+0002227610 00000 n
+0002836720 00000 n
+0002307445 00000 n
+0002383481 00000 n
+0002476994 00000 n
+0002384748 00000 n
+0002307008 00000 n
+0002307160 00000 n
+0002478600 00000 n
+0002565443 00000 n
+0002383052 00000 n
+0002307509 00000 n
+0002229145 00000 n
+0002227860 00000 n
+0002307317 00000 n
+0002306004 00000 n
+0002563602 00000 n
+0002641059 00000 n
+0002642590 00000 n
+0002383545 00000 n
+0002309112 00000 n
+0002307663 00000 n
+0002383354 00000 n
+0002383204 00000 n
+0002721452 00000 n
+0002562959 00000 n
+0002477186 00000 n
+0002384616 00000 n
+0002383685 00000 n
+0002476866 00000 n
+0002477122 00000 n
+0003674138 00000 n
+0002475859 00000 n
+0002722608 00000 n
+0002563112 00000 n
+0002563286 00000 n
+0002563666 00000 n
+0002478429 00000 n
+0002477340 00000 n
+0002563475 00000 n
+0002562104 00000 n
+0002813901 00000 n
+0002641251 00000 n
+0002565311 00000 n
+0002563862 00000 n
+0002640931 00000 n
+0002640185 00000 n
+0002721516 00000 n
+0002642458 00000 n
+0002641419 00000 n
+0002721325 00000 n
+0002720599 00000 n
+0002813965 00000 n
+0002722492 00000 n
+0002721670 00000 n
+0002813773 00000 n
+0002815932 00000 n
+0002815625 00000 n
+0002814119 00000 n
+0002815741 00000 n
+0002820839 00000 n
+0002821046 00000 n
+0002818200 00000 n
+0002817892 00000 n
+0002816062 00000 n
+0002818008 00000 n
+0002818136 00000 n
+0003674263 00000 n
+0002821252 00000 n
+0002821763 00000 n
+0002820684 00000 n
+0002818344 00000 n
+0002821445 00000 n
+0002821572 00000 n
+0002821699 00000 n
+0002823330 00000 n
+0002823150 00000 n
+0002821949 00000 n
+0002823266 00000 n
+0002824486 00000 n
+0002824179 00000 n
+0002823446 00000 n
+0002824295 00000 n
+0002825984 00000 n
+0002825676 00000 n
+0002824602 00000 n
+0002825792 00000 n
+0002827302 00000 n
+0002826867 00000 n
+0002826100 00000 n
+0002826983 00000 n
+0002828766 00000 n
+0002828458 00000 n
+0002827418 00000 n
+0002828574 00000 n
+0003674388 00000 n
+0002830137 00000 n
+0002829830 00000 n
+0002828882 00000 n
+0002829946 00000 n
+0002831502 00000 n
+0002831194 00000 n
+0002830253 00000 n
+0002831310 00000 n
+0002832999 00000 n
+0002832693 00000 n
+0002831618 00000 n
+0002832809 00000 n
+0002834178 00000 n
+0002833870 00000 n
+0002833115 00000 n
+0002833986 00000 n
+0002835296 00000 n
+0002834989 00000 n
+0002834294 00000 n
+0002835105 00000 n
+0002836784 00000 n
+0002836350 00000 n
+0002835412 00000 n
+0002836466 00000 n
+0003674513 00000 n
+0002841392 00000 n
+0002839012 00000 n
+0002838577 00000 n
+0002836900 00000 n
+0002838693 00000 n
+0002838948 00000 n
+0002841563 00000 n
+0002841812 00000 n
+0002841246 00000 n
+0002839128 00000 n
+0002841748 00000 n
+0002844142 00000 n
+0002844295 00000 n
+0002844638 00000 n
+0002843996 00000 n
+0002842041 00000 n
+0002844447 00000 n
+0002844574 00000 n
+0003021132 00000 n
+0003023392 00000 n
+0002847382 00000 n
+0002846690 00000 n
+0002844768 00000 n
+0002846806 00000 n
+0002846934 00000 n
+0002846998 00000 n
+0002847062 00000 n
+0002847126 00000 n
+0002847190 00000 n
+0002847318 00000 n
+0002850076 00000 n
+0002849513 00000 n
+0002847526 00000 n
+0002849629 00000 n
+0002849756 00000 n
+0002849820 00000 n
+0002849884 00000 n
+0002849948 00000 n
+0002850012 00000 n
+0002852303 00000 n
+0002852617 00000 n
+0002852769 00000 n
+0002854391 00000 n
+0002883724 00000 n
+0002852921 00000 n
+0002853585 00000 n
+0002852130 00000 n
+0002850220 00000 n
+0002853075 00000 n
+0002853139 00000 n
+0002853203 00000 n
+0002853267 00000 n
+0002853330 00000 n
+0002852460 00000 n
+0002853393 00000 n
+0002853521 00000 n
+0003674638 00000 n
+0002908844 00000 n
+0002882366 00000 n
+0002908716 00000 n
+0002911719 00000 n
+0002882430 00000 n
+0002854275 00000 n
+0002853701 00000 n
+0002882239 00000 n
+0002909035 00000 n
+0002883608 00000 n
+0002882570 00000 n
+0002908588 00000 n
+0002908908 00000 n
+0002908971 00000 n
+0002912102 00000 n
+0002911476 00000 n
+0002909203 00000 n
+0002911592 00000 n
+0002911783 00000 n
+0002911847 00000 n
+0002911911 00000 n
+0002911975 00000 n
+0002912039 00000 n
+0002914189 00000 n
+0002914342 00000 n
+0002919422 00000 n
+0002915100 00000 n
+0002914034 00000 n
+0002912232 00000 n
+0002914653 00000 n
+0002914717 00000 n
+0002914781 00000 n
+0002914909 00000 n
+0002914498 00000 n
+0002915037 00000 n
+0002917885 00000 n
+0002942696 00000 n
+0002918268 00000 n
+0002917642 00000 n
+0002915216 00000 n
+0002917758 00000 n
+0002917949 00000 n
+0002918013 00000 n
+0002918077 00000 n
+0002918140 00000 n
+0002918204 00000 n
+0002942952 00000 n
+0002919306 00000 n
+0002918440 00000 n
+0002942568 00000 n
+0002942760 00000 n
+0002942824 00000 n
+0002942888 00000 n
+0003674763 00000 n
+0002945613 00000 n
+0002947541 00000 n
+0002961867 00000 n
+0002946084 00000 n
+0002945476 00000 n
+0002943120 00000 n
+0002945765 00000 n
+0002945828 00000 n
+0002945892 00000 n
+0002946020 00000 n
+0002962150 00000 n
+0002963676 00000 n
+0002962214 00000 n
+0002947404 00000 n
+0002946284 00000 n
+0002962022 00000 n
+0002978511 00000 n
+0002978703 00000 n
+0002963560 00000 n
+0002962368 00000 n
+0002978384 00000 n
+0002978639 00000 n
+0002981840 00000 n
+0002980956 00000 n
+0002978871 00000 n
+0002981072 00000 n
+0002981136 00000 n
+0002981200 00000 n
+0002981264 00000 n
+0002981328 00000 n
+0002981392 00000 n
+0002981456 00000 n
+0002981520 00000 n
+0002981584 00000 n
+0002981648 00000 n
+0002981712 00000 n
+0002981776 00000 n
+0002984093 00000 n
+0002984243 00000 n
+0002986259 00000 n
+0003002585 00000 n
+0002984992 00000 n
+0002983938 00000 n
+0002981984 00000 n
+0002984545 00000 n
+0002984608 00000 n
+0002984672 00000 n
+0002984736 00000 n
+0002984800 00000 n
+0002984864 00000 n
+0002984394 00000 n
+0002984928 00000 n
+0003001181 00000 n
+0003018361 00000 n
+0003001373 00000 n
+0002986143 00000 n
+0002985122 00000 n
+0003001053 00000 n
+0003001309 00000 n
+0003674888 00000 n
+0003018553 00000 n
+0003002469 00000 n
+0003001541 00000 n
+0003018234 00000 n
+0003018489 00000 n
+0003020794 00000 n
+0003021324 00000 n
+0003020657 00000 n
+0003018721 00000 n
+0003021004 00000 n
+0003021260 00000 n
+0003023520 00000 n
+0003023149 00000 n
+0003021552 00000 n
+0003023265 00000 n
+0003023456 00000 n
+0003026165 00000 n
+0003025985 00000 n
+0003023678 00000 n
+0003026101 00000 n
+0003028562 00000 n
+0003028383 00000 n
+0003026323 00000 n
+0003028499 00000 n
+0003030686 00000 n
+0003030506 00000 n
+0003028763 00000 n
+0003030622 00000 n
+0003675013 00000 n
+0003032360 00000 n
+0003032941 00000 n
+0003032214 00000 n
+0003030830 00000 n
+0003032687 00000 n
+0003032814 00000 n
+0003032523 00000 n
+0003032877 00000 n
+0003035465 00000 n
+0003035285 00000 n
+0003033099 00000 n
+0003035401 00000 n
+0003037540 00000 n
+0003037233 00000 n
+0003035567 00000 n
+0003037349 00000 n
+0003037412 00000 n
+0003037476 00000 n
+0003039936 00000 n
+0003039693 00000 n
+0003037642 00000 n
+0003039809 00000 n
+0003039873 00000 n
+0003042222 00000 n
+0003041979 00000 n
+0003040052 00000 n
+0003042095 00000 n
+0003042158 00000 n
+0003044357 00000 n
+0003044050 00000 n
+0003042324 00000 n
+0003044166 00000 n
+0003044230 00000 n
+0003044293 00000 n
+0003675138 00000 n
+0003046865 00000 n
+0003046367 00000 n
+0003044473 00000 n
+0003046483 00000 n
+0003046546 00000 n
+0003046610 00000 n
+0003046674 00000 n
+0003046738 00000 n
+0003046802 00000 n
+0003049560 00000 n
+0003049060 00000 n
+0003046967 00000 n
+0003049176 00000 n
+0003049240 00000 n
+0003049304 00000 n
+0003049368 00000 n
+0003049432 00000 n
+0003049496 00000 n
+0003052055 00000 n
+0003051812 00000 n
+0003049676 00000 n
+0003051928 00000 n
+0003051991 00000 n
+0003054396 00000 n
+0003054152 00000 n
+0003052143 00000 n
+0003054268 00000 n
+0003054332 00000 n
+0003057002 00000 n
+0003056440 00000 n
+0003054512 00000 n
+0003056556 00000 n
+0003056619 00000 n
+0003056683 00000 n
+0003056747 00000 n
+0003056811 00000 n
+0003056875 00000 n
+0003056938 00000 n
+0003059322 00000 n
+0003059014 00000 n
+0003057090 00000 n
+0003059130 00000 n
+0003059194 00000 n
+0003059258 00000 n
+0003675263 00000 n
+0003061556 00000 n
+0003061249 00000 n
+0003059438 00000 n
+0003061365 00000 n
+0003061428 00000 n
+0003061492 00000 n
+0003064104 00000 n
+0003063924 00000 n
+0003061658 00000 n
+0003064040 00000 n
+0003066434 00000 n
+0003066191 00000 n
+0003064206 00000 n
+0003066307 00000 n
+0003066370 00000 n
+0003068693 00000 n
+0003068386 00000 n
+0003066536 00000 n
+0003068502 00000 n
+0003068566 00000 n
+0003068629 00000 n
+0003070720 00000 n
+0003070349 00000 n
+0003068809 00000 n
+0003070465 00000 n
+0003070528 00000 n
+0003070592 00000 n
+0003070656 00000 n
+0003072850 00000 n
+0003072543 00000 n
+0003070822 00000 n
+0003072659 00000 n
+0003072723 00000 n
+0003675388 00000 n
+0003074667 00000 n
+0003074844 00000 n
+0003075299 00000 n
+0003074512 00000 n
+0003072980 00000 n
+0003075236 00000 n
+0003075040 00000 n
+0003075696 00000 n
+0003075516 00000 n
+0003075415 00000 n
+0003075632 00000 n
+0003077657 00000 n
+0003078019 00000 n
+0003077520 00000 n
+0003075738 00000 n
+0003077828 00000 n
+0003077955 00000 n
+0003080260 00000 n
+0003080080 00000 n
+0003078191 00000 n
+0003080196 00000 n
+0003082567 00000 n
+0003082388 00000 n
+0003080376 00000 n
+0003082504 00000 n
+0003084753 00000 n
+0003084573 00000 n
+0003082683 00000 n
+0003084689 00000 n
+0003675513 00000 n
+0003086416 00000 n
+0003086652 00000 n
+0003086279 00000 n
+0003084869 00000 n
+0003086589 00000 n
+0003087105 00000 n
+0003086925 00000 n
+0003086824 00000 n
+0003087041 00000 n
+0003090150 00000 n
+0003090302 00000 n
+0003090453 00000 n
+0003090604 00000 n
+0003090755 00000 n
+0003090906 00000 n
+0003091057 00000 n
+0003091208 00000 n
+0003091359 00000 n
+0003091510 00000 n
+0003091661 00000 n
+0003091812 00000 n
+0003091962 00000 n
+0003092112 00000 n
+0003092262 00000 n
+0003092412 00000 n
+0003092563 00000 n
+0003092712 00000 n
+0003092863 00000 n
+0003093014 00000 n
+0003093165 00000 n
+0003093315 00000 n
+0003093465 00000 n
+0003093617 00000 n
+0003093769 00000 n
+0003093921 00000 n
+0003094073 00000 n
+0003094225 00000 n
+0003094376 00000 n
+0003094527 00000 n
+0003094678 00000 n
+0003094829 00000 n
+0003094981 00000 n
+0003095131 00000 n
+0003095282 00000 n
+0003095433 00000 n
+0003095584 00000 n
+0003095735 00000 n
+0003095886 00000 n
+0003096038 00000 n
+0003096190 00000 n
+0003096339 00000 n
+0003096490 00000 n
+0003096641 00000 n
+0003096792 00000 n
+0003096943 00000 n
+0003097093 00000 n
+0003097245 00000 n
+0003097397 00000 n
+0003097548 00000 n
+0003097700 00000 n
+0003097852 00000 n
+0003098004 00000 n
+0003098156 00000 n
+0003098308 00000 n
+0003098459 00000 n
+0003098610 00000 n
+0003098760 00000 n
+0003098910 00000 n
+0003099060 00000 n
+0003099211 00000 n
+0003099362 00000 n
+0003099512 00000 n
+0003099663 00000 n
+0003099814 00000 n
+0003099965 00000 n
+0003100116 00000 n
+0003100267 00000 n
+0003100418 00000 n
+0003100570 00000 n
+0003100722 00000 n
+0003100874 00000 n
+0003101026 00000 n
+0003101177 00000 n
+0003101329 00000 n
+0003101480 00000 n
+0003101630 00000 n
+0003101782 00000 n
+0003101934 00000 n
+0003102086 00000 n
+0003102238 00000 n
+0003102390 00000 n
+0003102541 00000 n
+0003102692 00000 n
+0003102843 00000 n
+0003102995 00000 n
+0003103146 00000 n
+0003103298 00000 n
+0003103450 00000 n
+0003103602 00000 n
+0003103753 00000 n
+0003103904 00000 n
+0003104056 00000 n
+0003104207 00000 n
+0003104357 00000 n
+0003104508 00000 n
+0003104660 00000 n
+0003104812 00000 n
+0003104964 00000 n
+0003105113 00000 n
+0003105265 00000 n
+0003105416 00000 n
+0003105567 00000 n
+0003105719 00000 n
+0003105869 00000 n
+0003106021 00000 n
+0003106173 00000 n
+0003106324 00000 n
+0003106475 00000 n
+0003106627 00000 n
+0003106778 00000 n
+0003106929 00000 n
+0003107080 00000 n
+0003107230 00000 n
+0003107382 00000 n
+0003107534 00000 n
+0003107686 00000 n
+0003107838 00000 n
+0003107989 00000 n
+0003108141 00000 n
+0003108293 00000 n
+0003108445 00000 n
+0003108597 00000 n
+0003108748 00000 n
+0003108899 00000 n
+0003109050 00000 n
+0003109201 00000 n
+0003109353 00000 n
+0003109504 00000 n
+0003109656 00000 n
+0003109807 00000 n
+0003109959 00000 n
+0003110107 00000 n
+0003110259 00000 n
+0003110410 00000 n
+0003110562 00000 n
+0003110714 00000 n
+0003110866 00000 n
+0003111018 00000 n
+0003111170 00000 n
+0003111321 00000 n
+0003111472 00000 n
+0003111623 00000 n
+0003111775 00000 n
+0003111927 00000 n
+0003115202 00000 n
+0003115354 00000 n
+0003115506 00000 n
+0003112142 00000 n
+0003088717 00000 n
+0003087147 00000 n
+0003112079 00000 n
+0003115658 00000 n
+0003115810 00000 n
+0003115961 00000 n
+0003116113 00000 n
+0003116264 00000 n
+0003116414 00000 n
+0003116563 00000 n
+0003116713 00000 n
+0003116863 00000 n
+0003117013 00000 n
+0003117163 00000 n
+0003117313 00000 n
+0003117463 00000 n
+0003117613 00000 n
+0003117763 00000 n
+0003117914 00000 n
+0003118066 00000 n
+0003118218 00000 n
+0003118370 00000 n
+0003118521 00000 n
+0003118672 00000 n
+0003118823 00000 n
+0003118974 00000 n
+0003119125 00000 n
+0003119277 00000 n
+0003119428 00000 n
+0003119580 00000 n
+0003119730 00000 n
+0003119882 00000 n
+0003120034 00000 n
+0003120186 00000 n
+0003120338 00000 n
+0003120490 00000 n
+0003120641 00000 n
+0003120792 00000 n
+0003120943 00000 n
+0003121094 00000 n
+0003121246 00000 n
+0003121398 00000 n
+0003121550 00000 n
+0003121701 00000 n
+0003121852 00000 n
+0003122004 00000 n
+0003122156 00000 n
+0003122307 00000 n
+0003122458 00000 n
+0003122609 00000 n
+0003122760 00000 n
+0003122912 00000 n
+0003123063 00000 n
+0003123214 00000 n
+0003123365 00000 n
+0003123515 00000 n
+0003123665 00000 n
+0003123817 00000 n
+0003123967 00000 n
+0003124119 00000 n
+0003124270 00000 n
+0003124422 00000 n
+0003124573 00000 n
+0003124725 00000 n
+0003124877 00000 n
+0003125028 00000 n
+0003125179 00000 n
+0003125331 00000 n
+0003125481 00000 n
+0003125632 00000 n
+0003125782 00000 n
+0003125934 00000 n
+0003126085 00000 n
+0003126236 00000 n
+0003126387 00000 n
+0003126538 00000 n
+0003126690 00000 n
+0003126842 00000 n
+0003126994 00000 n
+0003127144 00000 n
+0003127295 00000 n
+0003127447 00000 n
+0003127599 00000 n
+0003127751 00000 n
+0003127901 00000 n
+0003128052 00000 n
+0003128204 00000 n
+0003128355 00000 n
+0003128506 00000 n
+0003128658 00000 n
+0003128810 00000 n
+0003128962 00000 n
+0003129114 00000 n
+0003129266 00000 n
+0003129418 00000 n
+0003129570 00000 n
+0003129722 00000 n
+0003129874 00000 n
+0003130025 00000 n
+0003130177 00000 n
+0003130329 00000 n
+0003130481 00000 n
+0003130633 00000 n
+0003130783 00000 n
+0003130935 00000 n
+0003131087 00000 n
+0003131239 00000 n
+0003131391 00000 n
+0003131543 00000 n
+0003131695 00000 n
+0003131846 00000 n
+0003131998 00000 n
+0003132150 00000 n
+0003132301 00000 n
+0003132453 00000 n
+0003132605 00000 n
+0003132757 00000 n
+0003132909 00000 n
+0003133059 00000 n
+0003133210 00000 n
+0003133362 00000 n
+0003133514 00000 n
+0003133666 00000 n
+0003133817 00000 n
+0003133968 00000 n
+0003134119 00000 n
+0003134270 00000 n
+0003134422 00000 n
+0003134574 00000 n
+0003134725 00000 n
+0003134876 00000 n
+0003135028 00000 n
+0003137890 00000 n
+0003138042 00000 n
+0003135243 00000 n
+0003113886 00000 n
+0003112258 00000 n
+0003135179 00000 n
+0003138193 00000 n
+0003138345 00000 n
+0003138497 00000 n
+0003138648 00000 n
+0003138800 00000 n
+0003138952 00000 n
+0003139104 00000 n
+0003139256 00000 n
+0003139408 00000 n
+0003139560 00000 n
+0003139712 00000 n
+0003139864 00000 n
+0003140015 00000 n
+0003140166 00000 n
+0003140317 00000 n
+0003140469 00000 n
+0003140621 00000 n
+0003140773 00000 n
+0003140925 00000 n
+0003141076 00000 n
+0003141228 00000 n
+0003141379 00000 n
+0003141530 00000 n
+0003141682 00000 n
+0003141834 00000 n
+0003141984 00000 n
+0003142134 00000 n
+0003142285 00000 n
+0003142434 00000 n
+0003142586 00000 n
+0003142736 00000 n
+0003142886 00000 n
+0003143036 00000 n
+0003143187 00000 n
+0003143337 00000 n
+0003143488 00000 n
+0003143640 00000 n
+0003143792 00000 n
+0003143944 00000 n
+0003144095 00000 n
+0003144247 00000 n
+0003144399 00000 n
+0003144551 00000 n
+0003144703 00000 n
+0003144855 00000 n
+0003145007 00000 n
+0003145159 00000 n
+0003145311 00000 n
+0003145463 00000 n
+0003145614 00000 n
+0003145766 00000 n
+0003145917 00000 n
+0003146068 00000 n
+0003146220 00000 n
+0003146371 00000 n
+0003146522 00000 n
+0003146673 00000 n
+0003146824 00000 n
+0003146972 00000 n
+0003147120 00000 n
+0003147272 00000 n
+0003147424 00000 n
+0003147576 00000 n
+0003147728 00000 n
+0003147880 00000 n
+0003148032 00000 n
+0003148184 00000 n
+0003148336 00000 n
+0003148488 00000 n
+0003148640 00000 n
+0003148792 00000 n
+0003148943 00000 n
+0003149094 00000 n
+0003149245 00000 n
+0003149397 00000 n
+0003149549 00000 n
+0003149701 00000 n
+0003149852 00000 n
+0003150004 00000 n
+0003150154 00000 n
+0003150306 00000 n
+0003150458 00000 n
+0003150610 00000 n
+0003150761 00000 n
+0003150911 00000 n
+0003151063 00000 n
+0003151215 00000 n
+0003151367 00000 n
+0003151518 00000 n
+0003151668 00000 n
+0003151820 00000 n
+0003151972 00000 n
+0003152124 00000 n
+0003152276 00000 n
+0003152428 00000 n
+0003152580 00000 n
+0003152731 00000 n
+0003152883 00000 n
+0003153035 00000 n
+0003156120 00000 n
+0003156271 00000 n
+0003153250 00000 n
+0003136853 00000 n
+0003135359 00000 n
+0003153187 00000 n
+0003156423 00000 n
+0003156573 00000 n
+0003156725 00000 n
+0003156875 00000 n
+0003157024 00000 n
+0003157174 00000 n
+0003157323 00000 n
+0003157473 00000 n
+0003157623 00000 n
+0003157774 00000 n
+0003157925 00000 n
+0003158076 00000 n
+0003158227 00000 n
+0003158377 00000 n
+0003158528 00000 n
+0003158679 00000 n
+0003158829 00000 n
+0003158979 00000 n
+0003159131 00000 n
+0003159283 00000 n
+0003159433 00000 n
+0003159583 00000 n
+0003159734 00000 n
+0003159885 00000 n
+0003160037 00000 n
+0003160189 00000 n
+0003160340 00000 n
+0003160490 00000 n
+0003160642 00000 n
+0003160794 00000 n
+0003160945 00000 n
+0003161096 00000 n
+0003161247 00000 n
+0003161398 00000 n
+0003161550 00000 n
+0003161702 00000 n
+0003161854 00000 n
+0003162006 00000 n
+0003162158 00000 n
+0003162309 00000 n
+0003162461 00000 n
+0003162613 00000 n
+0003162764 00000 n
+0003162916 00000 n
+0003163068 00000 n
+0003163218 00000 n
+0003163368 00000 n
+0003163518 00000 n
+0003163670 00000 n
+0003163821 00000 n
+0003163973 00000 n
+0003164124 00000 n
+0003164275 00000 n
+0003164427 00000 n
+0003164579 00000 n
+0003164731 00000 n
+0003164882 00000 n
+0003165034 00000 n
+0003165186 00000 n
+0003165338 00000 n
+0003165488 00000 n
+0003165639 00000 n
+0003165789 00000 n
+0003165940 00000 n
+0003166092 00000 n
+0003166244 00000 n
+0003166396 00000 n
+0003166548 00000 n
+0003166700 00000 n
+0003166852 00000 n
+0003167001 00000 n
+0003167151 00000 n
+0003167303 00000 n
+0003167455 00000 n
+0003167606 00000 n
+0003167756 00000 n
+0003167907 00000 n
+0003168058 00000 n
+0003168209 00000 n
+0003168361 00000 n
+0003168513 00000 n
+0003168665 00000 n
+0003168817 00000 n
+0003168967 00000 n
+0003169118 00000 n
+0003169269 00000 n
+0003169420 00000 n
+0003169571 00000 n
+0003169722 00000 n
+0003169874 00000 n
+0003170025 00000 n
+0003170177 00000 n
+0003170329 00000 n
+0003170481 00000 n
+0003170632 00000 n
+0003170784 00000 n
+0003170936 00000 n
+0003171088 00000 n
+0003171240 00000 n
+0003171391 00000 n
+0003171541 00000 n
+0003171693 00000 n
+0003171845 00000 n
+0003171997 00000 n
+0003172149 00000 n
+0003172301 00000 n
+0003172452 00000 n
+0003172604 00000 n
+0003172755 00000 n
+0003172906 00000 n
+0003173057 00000 n
+0003173208 00000 n
+0003173360 00000 n
+0003173512 00000 n
+0003173664 00000 n
+0003173816 00000 n
+0003173967 00000 n
+0003174119 00000 n
+0003174270 00000 n
+0003174422 00000 n
+0003174574 00000 n
+0003177303 00000 n
+0003174790 00000 n
+0003154885 00000 n
+0003153366 00000 n
+0003174726 00000 n
+0003675638 00000 n
+0003177455 00000 n
+0003177607 00000 n
+0003177759 00000 n
+0003177909 00000 n
+0003178060 00000 n
+0003178210 00000 n
+0003178359 00000 n
+0003178508 00000 n
+0003178659 00000 n
+0003178809 00000 n
+0003178960 00000 n
+0003179112 00000 n
+0003179264 00000 n
+0003179416 00000 n
+0003179568 00000 n
+0003179720 00000 n
+0003179872 00000 n
+0003180023 00000 n
+0003180175 00000 n
+0003180327 00000 n
+0003180479 00000 n
+0003180631 00000 n
+0003180782 00000 n
+0003180933 00000 n
+0003181084 00000 n
+0003181235 00000 n
+0003181387 00000 n
+0003181539 00000 n
+0003181691 00000 n
+0003181843 00000 n
+0003181995 00000 n
+0003182147 00000 n
+0003182298 00000 n
+0003182450 00000 n
+0003182600 00000 n
+0003182749 00000 n
+0003182901 00000 n
+0003183053 00000 n
+0003183204 00000 n
+0003183355 00000 n
+0003183507 00000 n
+0003183659 00000 n
+0003183811 00000 n
+0003183963 00000 n
+0003184115 00000 n
+0003184267 00000 n
+0003184419 00000 n
+0003184571 00000 n
+0003184723 00000 n
+0003184875 00000 n
+0003185024 00000 n
+0003185173 00000 n
+0003185325 00000 n
+0003185476 00000 n
+0003185628 00000 n
+0003185780 00000 n
+0003185932 00000 n
+0003186083 00000 n
+0003186235 00000 n
+0003186387 00000 n
+0003186539 00000 n
+0003186691 00000 n
+0003186843 00000 n
+0003186995 00000 n
+0003187147 00000 n
+0003187299 00000 n
+0003187450 00000 n
+0003187602 00000 n
+0003187754 00000 n
+0003187905 00000 n
+0003188056 00000 n
+0003188207 00000 n
+0003188358 00000 n
+0003188510 00000 n
+0003188662 00000 n
+0003188813 00000 n
+0003188964 00000 n
+0003189115 00000 n
+0003189265 00000 n
+0003189416 00000 n
+0003189568 00000 n
+0003189720 00000 n
+0003189871 00000 n
+0003190023 00000 n
+0003190174 00000 n
+0003190326 00000 n
+0003190477 00000 n
+0003190629 00000 n
+0003190781 00000 n
+0003190933 00000 n
+0003191084 00000 n
+0003193931 00000 n
+0003191299 00000 n
+0003176347 00000 n
+0003174906 00000 n
+0003191236 00000 n
+0003194081 00000 n
+0003194233 00000 n
+0003194385 00000 n
+0003194537 00000 n
+0003194688 00000 n
+0003194838 00000 n
+0003194990 00000 n
+0003195141 00000 n
+0003195292 00000 n
+0003195444 00000 n
+0003195596 00000 n
+0003195747 00000 n
+0003195899 00000 n
+0003196051 00000 n
+0003196203 00000 n
+0003196352 00000 n
+0003196504 00000 n
+0003196656 00000 n
+0003196807 00000 n
+0003196959 00000 n
+0003197111 00000 n
+0003197263 00000 n
+0003197414 00000 n
+0003197564 00000 n
+0003197716 00000 n
+0003197867 00000 n
+0003198018 00000 n
+0003198167 00000 n
+0003198318 00000 n
+0003198470 00000 n
+0003198620 00000 n
+0003198772 00000 n
+0003198923 00000 n
+0003199073 00000 n
+0003199224 00000 n
+0003199376 00000 n
+0003199528 00000 n
+0003199680 00000 n
+0003199832 00000 n
+0003199983 00000 n
+0003200135 00000 n
+0003200287 00000 n
+0003200438 00000 n
+0003200589 00000 n
+0003200740 00000 n
+0003200892 00000 n
+0003201043 00000 n
+0003201195 00000 n
+0003201347 00000 n
+0003201499 00000 n
+0003201650 00000 n
+0003201801 00000 n
+0003201953 00000 n
+0003202105 00000 n
+0003202257 00000 n
+0003202409 00000 n
+0003202561 00000 n
+0003202713 00000 n
+0003202865 00000 n
+0003203017 00000 n
+0003203169 00000 n
+0003203321 00000 n
+0003203473 00000 n
+0003203625 00000 n
+0003203777 00000 n
+0003203927 00000 n
+0003204079 00000 n
+0003204230 00000 n
+0003204381 00000 n
+0003204532 00000 n
+0003204684 00000 n
+0003204836 00000 n
+0003204988 00000 n
+0003205140 00000 n
+0003205292 00000 n
+0003205444 00000 n
+0003205596 00000 n
+0003205748 00000 n
+0003205900 00000 n
+0003206051 00000 n
+0003206202 00000 n
+0003206353 00000 n
+0003206504 00000 n
+0003206654 00000 n
+0003206806 00000 n
+0003206957 00000 n
+0003207108 00000 n
+0003207258 00000 n
+0003207409 00000 n
+0003207559 00000 n
+0003207710 00000 n
+0003207861 00000 n
+0003208012 00000 n
+0003208164 00000 n
+0003208316 00000 n
+0003208468 00000 n
+0003208620 00000 n
+0003208772 00000 n
+0003208924 00000 n
+0003209076 00000 n
+0003209226 00000 n
+0003209377 00000 n
+0003209528 00000 n
+0003209679 00000 n
+0003209831 00000 n
+0003209983 00000 n
+0003213068 00000 n
+0003213219 00000 n
+0003210199 00000 n
+0003192840 00000 n
+0003191415 00000 n
+0003210135 00000 n
+0003213370 00000 n
+0003213522 00000 n
+0003213673 00000 n
+0003213824 00000 n
+0003213975 00000 n
+0003214127 00000 n
+0003214277 00000 n
+0003214429 00000 n
+0003214581 00000 n
+0003214733 00000 n
+0003214885 00000 n
+0003215036 00000 n
+0003215187 00000 n
+0003215339 00000 n
+0003215491 00000 n
+0003215643 00000 n
+0003215794 00000 n
+0003215945 00000 n
+0003216097 00000 n
+0003216248 00000 n
+0003216400 00000 n
+0003216552 00000 n
+0003216703 00000 n
+0003216855 00000 n
+0003217007 00000 n
+0003217158 00000 n
+0003217310 00000 n
+0003217462 00000 n
+0003217612 00000 n
+0003217764 00000 n
+0003217916 00000 n
+0003218068 00000 n
+0003218220 00000 n
+0003218372 00000 n
+0003218524 00000 n
+0003218676 00000 n
+0003218827 00000 n
+0003218979 00000 n
+0003219131 00000 n
+0003219283 00000 n
+0003219435 00000 n
+0003219587 00000 n
+0003219739 00000 n
+0003219890 00000 n
+0003220040 00000 n
+0003220192 00000 n
+0003220344 00000 n
+0003220496 00000 n
+0003220648 00000 n
+0003220800 00000 n
+0003220952 00000 n
+0003221104 00000 n
+0003221256 00000 n
+0003221408 00000 n
+0003221560 00000 n
+0003221712 00000 n
+0003221863 00000 n
+0003222015 00000 n
+0003222167 00000 n
+0003222319 00000 n
+0003222471 00000 n
+0003222623 00000 n
+0003222775 00000 n
+0003222927 00000 n
+0003223077 00000 n
+0003223228 00000 n
+0003223380 00000 n
+0003223532 00000 n
+0003223683 00000 n
+0003223832 00000 n
+0003223983 00000 n
+0003224134 00000 n
+0003224286 00000 n
+0003224438 00000 n
+0003224589 00000 n
+0003224741 00000 n
+0003224891 00000 n
+0003225042 00000 n
+0003225193 00000 n
+0003225345 00000 n
+0003225497 00000 n
+0003225649 00000 n
+0003225801 00000 n
+0003225953 00000 n
+0003226105 00000 n
+0003226257 00000 n
+0003226409 00000 n
+0003226560 00000 n
+0003226711 00000 n
+0003226863 00000 n
+0003227013 00000 n
+0003227164 00000 n
+0003227316 00000 n
+0003227468 00000 n
+0003227618 00000 n
+0003227769 00000 n
+0003227921 00000 n
+0003228072 00000 n
+0003228221 00000 n
+0003228372 00000 n
+0003228521 00000 n
+0003228672 00000 n
+0003228824 00000 n
+0003228976 00000 n
+0003229128 00000 n
+0003229279 00000 n
+0003229430 00000 n
+0003229581 00000 n
+0003229732 00000 n
+0003229882 00000 n
+0003230032 00000 n
+0003230181 00000 n
+0003230332 00000 n
+0003230483 00000 n
+0003230634 00000 n
+0003230786 00000 n
+0003233898 00000 n
+0003231000 00000 n
+0003211878 00000 n
+0003210315 00000 n
+0003230937 00000 n
+0003234050 00000 n
+0003234201 00000 n
+0003234353 00000 n
+0003234505 00000 n
+0003234657 00000 n
+0003234809 00000 n
+0003234959 00000 n
+0003235111 00000 n
+0003235263 00000 n
+0003235415 00000 n
+0003235566 00000 n
+0003235718 00000 n
+0003235870 00000 n
+0003236022 00000 n
+0003236174 00000 n
+0003236326 00000 n
+0003236477 00000 n
+0003236628 00000 n
+0003236780 00000 n
+0003236932 00000 n
+0003237083 00000 n
+0003237235 00000 n
+0003237387 00000 n
+0003237539 00000 n
+0003237690 00000 n
+0003237841 00000 n
+0003237993 00000 n
+0003238145 00000 n
+0003238297 00000 n
+0003238448 00000 n
+0003238599 00000 n
+0003238751 00000 n
+0003238901 00000 n
+0003239052 00000 n
+0003239203 00000 n
+0003239354 00000 n
+0003239504 00000 n
+0003239654 00000 n
+0003239804 00000 n
+0003239955 00000 n
+0003240106 00000 n
+0003240257 00000 n
+0003240408 00000 n
+0003240559 00000 n
+0003240710 00000 n
+0003240859 00000 n
+0003241011 00000 n
+0003241163 00000 n
+0003241315 00000 n
+0003241467 00000 n
+0003241619 00000 n
+0003241771 00000 n
+0003241923 00000 n
+0003242075 00000 n
+0003242226 00000 n
+0003242378 00000 n
+0003242529 00000 n
+0003242681 00000 n
+0003242831 00000 n
+0003242983 00000 n
+0003243134 00000 n
+0003243286 00000 n
+0003243438 00000 n
+0003243590 00000 n
+0003243742 00000 n
+0003243893 00000 n
+0003244045 00000 n
+0003244197 00000 n
+0003244348 00000 n
+0003244499 00000 n
+0003244647 00000 n
+0003244795 00000 n
+0003244944 00000 n
+0003245093 00000 n
+0003245242 00000 n
+0003245391 00000 n
+0003245540 00000 n
+0003245692 00000 n
+0003245843 00000 n
+0003245995 00000 n
+0003246147 00000 n
+0003246299 00000 n
+0003246451 00000 n
+0003246603 00000 n
+0003246755 00000 n
+0003246906 00000 n
+0003247058 00000 n
+0003247210 00000 n
+0003247362 00000 n
+0003247513 00000 n
+0003247664 00000 n
+0003247815 00000 n
+0003247965 00000 n
+0003248117 00000 n
+0003248268 00000 n
+0003248420 00000 n
+0003248572 00000 n
+0003248724 00000 n
+0003248876 00000 n
+0003249028 00000 n
+0003249180 00000 n
+0003249330 00000 n
+0003249481 00000 n
+0003249631 00000 n
+0003249783 00000 n
+0003249935 00000 n
+0003250086 00000 n
+0003250236 00000 n
+0003250387 00000 n
+0003250538 00000 n
+0003250689 00000 n
+0003250840 00000 n
+0003250991 00000 n
+0003251142 00000 n
+0003251293 00000 n
+0003251444 00000 n
+0003254333 00000 n
+0003251660 00000 n
+0003232717 00000 n
+0003231102 00000 n
+0003251596 00000 n
+0003254485 00000 n
+0003254637 00000 n
+0003254787 00000 n
+0003254939 00000 n
+0003255091 00000 n
+0003255242 00000 n
+0003255393 00000 n
+0003255544 00000 n
+0003255695 00000 n
+0003255847 00000 n
+0003255998 00000 n
+0003256150 00000 n
+0003256302 00000 n
+0003256454 00000 n
+0003256605 00000 n
+0003256757 00000 n
+0003256909 00000 n
+0003257061 00000 n
+0003257213 00000 n
+0003257365 00000 n
+0003257517 00000 n
+0003257669 00000 n
+0003257821 00000 n
+0003257972 00000 n
+0003258123 00000 n
+0003258274 00000 n
+0003258426 00000 n
+0003258577 00000 n
+0003258728 00000 n
+0003258879 00000 n
+0003259030 00000 n
+0003259180 00000 n
+0003259331 00000 n
+0003259481 00000 n
+0003259633 00000 n
+0003259782 00000 n
+0003259933 00000 n
+0003260084 00000 n
+0003260234 00000 n
+0003260386 00000 n
+0003260537 00000 n
+0003260689 00000 n
+0003260841 00000 n
+0003260993 00000 n
+0003261144 00000 n
+0003261296 00000 n
+0003261448 00000 n
+0003261599 00000 n
+0003261750 00000 n
+0003261901 00000 n
+0003262052 00000 n
+0003262204 00000 n
+0003262356 00000 n
+0003262508 00000 n
+0003262660 00000 n
+0003262812 00000 n
+0003262963 00000 n
+0003263114 00000 n
+0003263265 00000 n
+0003263416 00000 n
+0003263568 00000 n
+0003263719 00000 n
+0003263870 00000 n
+0003264022 00000 n
+0003264174 00000 n
+0003264326 00000 n
+0003264478 00000 n
+0003264630 00000 n
+0003264782 00000 n
+0003264934 00000 n
+0003265086 00000 n
+0003265238 00000 n
+0003265390 00000 n
+0003265542 00000 n
+0003265694 00000 n
+0003265845 00000 n
+0003265997 00000 n
+0003266149 00000 n
+0003266301 00000 n
+0003266453 00000 n
+0003266603 00000 n
+0003266755 00000 n
+0003266906 00000 n
+0003267058 00000 n
+0003267209 00000 n
+0003267361 00000 n
+0003267512 00000 n
+0003267664 00000 n
+0003267815 00000 n
+0003267967 00000 n
+0003268117 00000 n
+0003268269 00000 n
+0003268421 00000 n
+0003268573 00000 n
+0003268723 00000 n
+0003268875 00000 n
+0003269025 00000 n
+0003269176 00000 n
+0003269328 00000 n
+0003272029 00000 n
+0003272180 00000 n
+0003269543 00000 n
+0003253305 00000 n
+0003251776 00000 n
+0003269480 00000 n
+0003272332 00000 n
+0003272483 00000 n
+0003272634 00000 n
+0003272784 00000 n
+0003272935 00000 n
+0003273085 00000 n
+0003273236 00000 n
+0003273387 00000 n
+0003273538 00000 n
+0003273689 00000 n
+0003273841 00000 n
+0003273993 00000 n
+0003274145 00000 n
+0003274296 00000 n
+0003274448 00000 n
+0003274599 00000 n
+0003274750 00000 n
+0003274902 00000 n
+0003275053 00000 n
+0003275203 00000 n
+0003275353 00000 n
+0003275503 00000 n
+0003275654 00000 n
+0003275805 00000 n
+0003275956 00000 n
+0003276107 00000 n
+0003276258 00000 n
+0003276409 00000 n
+0003276561 00000 n
+0003276713 00000 n
+0003276865 00000 n
+0003277017 00000 n
+0003277169 00000 n
+0003277321 00000 n
+0003277473 00000 n
+0003277625 00000 n
+0003277777 00000 n
+0003277929 00000 n
+0003278080 00000 n
+0003278232 00000 n
+0003278383 00000 n
+0003278533 00000 n
+0003278685 00000 n
+0003278837 00000 n
+0003278989 00000 n
+0003279140 00000 n
+0003279291 00000 n
+0003279443 00000 n
+0003279595 00000 n
+0003279746 00000 n
+0003279896 00000 n
+0003280048 00000 n
+0003280200 00000 n
+0003280350 00000 n
+0003280502 00000 n
+0003280654 00000 n
+0003280805 00000 n
+0003280955 00000 n
+0003281107 00000 n
+0003281259 00000 n
+0003281411 00000 n
+0003281561 00000 n
+0003281710 00000 n
+0003281862 00000 n
+0003282014 00000 n
+0003282166 00000 n
+0003282318 00000 n
+0003282470 00000 n
+0003282622 00000 n
+0003282772 00000 n
+0003282924 00000 n
+0003283075 00000 n
+0003283227 00000 n
+0003283378 00000 n
+0003283528 00000 n
+0003283679 00000 n
+0003283831 00000 n
+0003283983 00000 n
+0003284135 00000 n
+0003284286 00000 n
+0003284438 00000 n
+0003284590 00000 n
+0003284742 00000 n
+0003284891 00000 n
+0003285043 00000 n
+0003285195 00000 n
+0003285346 00000 n
+0003285496 00000 n
+0003285648 00000 n
+0003285799 00000 n
+0003285950 00000 n
+0003286101 00000 n
+0003286317 00000 n
+0003271055 00000 n
+0003269659 00000 n
+0003286253 00000 n
+0003675763 00000 n
+0003289641 00000 n
+0003289791 00000 n
+0003289943 00000 n
+0003290094 00000 n
+0003290245 00000 n
+0003290397 00000 n
+0003290548 00000 n
+0003290700 00000 n
+0003290851 00000 n
+0003291002 00000 n
+0003291153 00000 n
+0003291305 00000 n
+0003291457 00000 n
+0003291609 00000 n
+0003291761 00000 n
+0003291913 00000 n
+0003292065 00000 n
+0003292216 00000 n
+0003292368 00000 n
+0003292520 00000 n
+0003292671 00000 n
+0003292821 00000 n
+0003292972 00000 n
+0003293124 00000 n
+0003293276 00000 n
+0003293428 00000 n
+0003293580 00000 n
+0003293731 00000 n
+0003293881 00000 n
+0003294033 00000 n
+0003294185 00000 n
+0003294337 00000 n
+0003294489 00000 n
+0003294641 00000 n
+0003294793 00000 n
+0003294945 00000 n
+0003295097 00000 n
+0003295249 00000 n
+0003295401 00000 n
+0003295553 00000 n
+0003295705 00000 n
+0003295857 00000 n
+0003296009 00000 n
+0003296161 00000 n
+0003296313 00000 n
+0003296465 00000 n
+0003296617 00000 n
+0003296769 00000 n
+0003296921 00000 n
+0003297072 00000 n
+0003297223 00000 n
+0003297374 00000 n
+0003297526 00000 n
+0003297678 00000 n
+0003297828 00000 n
+0003297980 00000 n
+0003298132 00000 n
+0003298284 00000 n
+0003298436 00000 n
+0003298588 00000 n
+0003298740 00000 n
+0003298891 00000 n
+0003299042 00000 n
+0003299192 00000 n
+0003299343 00000 n
+0003299494 00000 n
+0003299646 00000 n
+0003299798 00000 n
+0003299950 00000 n
+0003300098 00000 n
+0003300248 00000 n
+0003300400 00000 n
+0003300552 00000 n
+0003300704 00000 n
+0003300855 00000 n
+0003301007 00000 n
+0003301159 00000 n
+0003301311 00000 n
+0003301463 00000 n
+0003301615 00000 n
+0003301767 00000 n
+0003301919 00000 n
+0003302071 00000 n
+0003302223 00000 n
+0003302375 00000 n
+0003302526 00000 n
+0003302678 00000 n
+0003302825 00000 n
+0003302977 00000 n
+0003303129 00000 n
+0003303277 00000 n
+0003303427 00000 n
+0003303579 00000 n
+0003303730 00000 n
+0003303882 00000 n
+0003304034 00000 n
+0003304186 00000 n
+0003304337 00000 n
+0003304488 00000 n
+0003304639 00000 n
+0003304791 00000 n
+0003304941 00000 n
+0003305091 00000 n
+0003305243 00000 n
+0003305395 00000 n
+0003305547 00000 n
+0003305699 00000 n
+0003305851 00000 n
+0003306002 00000 n
+0003306152 00000 n
+0003306303 00000 n
+0003306455 00000 n
+0003306607 00000 n
+0003306759 00000 n
+0003306910 00000 n
+0003307061 00000 n
+0003307213 00000 n
+0003307365 00000 n
+0003307517 00000 n
+0003307669 00000 n
+0003307821 00000 n
+0003307973 00000 n
+0003308125 00000 n
+0003308276 00000 n
+0003308428 00000 n
+0003308579 00000 n
+0003308731 00000 n
+0003308883 00000 n
+0003309033 00000 n
+0003309185 00000 n
+0003309337 00000 n
+0003309489 00000 n
+0003309641 00000 n
+0003309793 00000 n
+0003309945 00000 n
+0003310096 00000 n
+0003310246 00000 n
+0003310396 00000 n
+0003310546 00000 n
+0003310698 00000 n
+0003310850 00000 n
+0003311000 00000 n
+0003311151 00000 n
+0003311365 00000 n
+0003288226 00000 n
+0003286433 00000 n
+0003311302 00000 n
+0003314289 00000 n
+0003314440 00000 n
+0003314591 00000 n
+0003314743 00000 n
+0003314894 00000 n
+0003315046 00000 n
+0003315197 00000 n
+0003315348 00000 n
+0003315497 00000 n
+0003315649 00000 n
+0003315801 00000 n
+0003315953 00000 n
+0003316105 00000 n
+0003316257 00000 n
+0003316409 00000 n
+0003316560 00000 n
+0003316711 00000 n
+0003316861 00000 n
+0003317012 00000 n
+0003317162 00000 n
+0003317313 00000 n
+0003317464 00000 n
+0003317615 00000 n
+0003317766 00000 n
+0003317917 00000 n
+0003318066 00000 n
+0003318217 00000 n
+0003318368 00000 n
+0003318520 00000 n
+0003318672 00000 n
+0003318824 00000 n
+0003318976 00000 n
+0003319128 00000 n
+0003319280 00000 n
+0003319432 00000 n
+0003319584 00000 n
+0003319736 00000 n
+0003319888 00000 n
+0003320040 00000 n
+0003320191 00000 n
+0003320342 00000 n
+0003320494 00000 n
+0003320646 00000 n
+0003320797 00000 n
+0003320948 00000 n
+0003321099 00000 n
+0003321250 00000 n
+0003321402 00000 n
+0003321554 00000 n
+0003321705 00000 n
+0003321857 00000 n
+0003322009 00000 n
+0003322161 00000 n
+0003322313 00000 n
+0003322465 00000 n
+0003322617 00000 n
+0003322769 00000 n
+0003322920 00000 n
+0003323071 00000 n
+0003323223 00000 n
+0003323375 00000 n
+0003323526 00000 n
+0003323677 00000 n
+0003323827 00000 n
+0003323979 00000 n
+0003324130 00000 n
+0003324281 00000 n
+0003324432 00000 n
+0003324583 00000 n
+0003324734 00000 n
+0003324885 00000 n
+0003325037 00000 n
+0003325189 00000 n
+0003325340 00000 n
+0003325491 00000 n
+0003325643 00000 n
+0003325795 00000 n
+0003325946 00000 n
+0003326098 00000 n
+0003326250 00000 n
+0003326401 00000 n
+0003326553 00000 n
+0003326705 00000 n
+0003326857 00000 n
+0003327008 00000 n
+0003327156 00000 n
+0003327304 00000 n
+0003327456 00000 n
+0003327607 00000 n
+0003327757 00000 n
+0003327909 00000 n
+0003328061 00000 n
+0003328211 00000 n
+0003328362 00000 n
+0003328511 00000 n
+0003328663 00000 n
+0003328814 00000 n
+0003328964 00000 n
+0003329115 00000 n
+0003329267 00000 n
+0003329419 00000 n
+0003329570 00000 n
+0003329721 00000 n
+0003329872 00000 n
+0003330024 00000 n
+0003330174 00000 n
+0003330324 00000 n
+0003330475 00000 n
+0003330626 00000 n
+0003330778 00000 n
+0003330928 00000 n
+0003331080 00000 n
+0003331232 00000 n
+0003331384 00000 n
+0003331535 00000 n
+0003331686 00000 n
+0003331837 00000 n
+0003331988 00000 n
+0003332138 00000 n
+0003332290 00000 n
+0003332441 00000 n
+0003332593 00000 n
+0003332745 00000 n
+0003332895 00000 n
+0003333047 00000 n
+0003333199 00000 n
+0003336095 00000 n
+0003333414 00000 n
+0003313027 00000 n
+0003311481 00000 n
+0003333350 00000 n
+0003336247 00000 n
+0003336398 00000 n
+0003336549 00000 n
+0003336701 00000 n
+0003336853 00000 n
+0003337004 00000 n
+0003337156 00000 n
+0003337308 00000 n
+0003337460 00000 n
+0003337612 00000 n
+0003337764 00000 n
+0003337916 00000 n
+0003338068 00000 n
+0003338219 00000 n
+0003338370 00000 n
+0003338521 00000 n
+0003338673 00000 n
+0003338824 00000 n
+0003338976 00000 n
+0003339128 00000 n
+0003339280 00000 n
+0003339431 00000 n
+0003339581 00000 n
+0003339733 00000 n
+0003339884 00000 n
+0003340035 00000 n
+0003340187 00000 n
+0003340339 00000 n
+0003340491 00000 n
+0003340643 00000 n
+0003340794 00000 n
+0003340945 00000 n
+0003341096 00000 n
+0003341248 00000 n
+0003341400 00000 n
+0003341552 00000 n
+0003341702 00000 n
+0003341853 00000 n
+0003342005 00000 n
+0003342156 00000 n
+0003342305 00000 n
+0003342457 00000 n
+0003342609 00000 n
+0003342761 00000 n
+0003342913 00000 n
+0003343065 00000 n
+0003343217 00000 n
+0003343368 00000 n
+0003343520 00000 n
+0003343671 00000 n
+0003343821 00000 n
+0003343971 00000 n
+0003344123 00000 n
+0003344274 00000 n
+0003344422 00000 n
+0003344573 00000 n
+0003344725 00000 n
+0003344875 00000 n
+0003345024 00000 n
+0003345176 00000 n
+0003345328 00000 n
+0003345480 00000 n
+0003345632 00000 n
+0003345783 00000 n
+0003345935 00000 n
+0003346087 00000 n
+0003346239 00000 n
+0003346391 00000 n
+0003346543 00000 n
+0003346695 00000 n
+0003346846 00000 n
+0003346997 00000 n
+0003347148 00000 n
+0003347299 00000 n
+0003347450 00000 n
+0003347602 00000 n
+0003347754 00000 n
+0003347906 00000 n
+0003348058 00000 n
+0003348210 00000 n
+0003348362 00000 n
+0003348513 00000 n
+0003348665 00000 n
+0003348817 00000 n
+0003348969 00000 n
+0003349120 00000 n
+0003349272 00000 n
+0003349423 00000 n
+0003349574 00000 n
+0003349724 00000 n
+0003349875 00000 n
+0003350024 00000 n
+0003350176 00000 n
+0003350328 00000 n
+0003350480 00000 n
+0003350632 00000 n
+0003350784 00000 n
+0003350935 00000 n
+0003351085 00000 n
+0003351237 00000 n
+0003351389 00000 n
+0003351540 00000 n
+0003351692 00000 n
+0003351844 00000 n
+0003351996 00000 n
+0003352147 00000 n
+0003352298 00000 n
+0003352450 00000 n
+0003352602 00000 n
+0003352754 00000 n
+0003355609 00000 n
+0003352969 00000 n
+0003334968 00000 n
+0003333530 00000 n
+0003352906 00000 n
+0003355759 00000 n
+0003355911 00000 n
+0003356063 00000 n
+0003356215 00000 n
+0003356367 00000 n
+0003356518 00000 n
+0003356669 00000 n
+0003356820 00000 n
+0003356972 00000 n
+0003357124 00000 n
+0003357276 00000 n
+0003357428 00000 n
+0003357578 00000 n
+0003357730 00000 n
+0003357882 00000 n
+0003358030 00000 n
+0003358182 00000 n
+0003358333 00000 n
+0003358485 00000 n
+0003358637 00000 n
+0003358789 00000 n
+0003358941 00000 n
+0003359093 00000 n
+0003359245 00000 n
+0003359397 00000 n
+0003359549 00000 n
+0003359701 00000 n
+0003359853 00000 n
+0003360004 00000 n
+0003360156 00000 n
+0003360307 00000 n
+0003360458 00000 n
+0003360609 00000 n
+0003360759 00000 n
+0003360911 00000 n
+0003361062 00000 n
+0003361213 00000 n
+0003361364 00000 n
+0003361515 00000 n
+0003361666 00000 n
+0003361818 00000 n
+0003361970 00000 n
+0003362122 00000 n
+0003362274 00000 n
+0003362426 00000 n
+0003362578 00000 n
+0003362730 00000 n
+0003362882 00000 n
+0003363034 00000 n
+0003363186 00000 n
+0003363338 00000 n
+0003363490 00000 n
+0003363641 00000 n
+0003363793 00000 n
+0003363945 00000 n
+0003364097 00000 n
+0003364249 00000 n
+0003364401 00000 n
+0003364553 00000 n
+0003364705 00000 n
+0003364857 00000 n
+0003365009 00000 n
+0003365161 00000 n
+0003365313 00000 n
+0003365465 00000 n
+0003365614 00000 n
+0003365762 00000 n
+0003365913 00000 n
+0003366065 00000 n
+0003366217 00000 n
+0003366368 00000 n
+0003366519 00000 n
+0003366670 00000 n
+0003366822 00000 n
+0003366974 00000 n
+0003367126 00000 n
+0003367277 00000 n
+0003367427 00000 n
+0003367579 00000 n
+0003367730 00000 n
+0003367882 00000 n
+0003368033 00000 n
+0003368184 00000 n
+0003368336 00000 n
+0003368488 00000 n
+0003368639 00000 n
+0003368791 00000 n
+0003368943 00000 n
+0003369094 00000 n
+0003369246 00000 n
+0003369398 00000 n
+0003369549 00000 n
+0003369699 00000 n
+0003369850 00000 n
+0003370002 00000 n
+0003370153 00000 n
+0003370304 00000 n
+0003370455 00000 n
+0003370606 00000 n
+0003370758 00000 n
+0003370909 00000 n
+0003371061 00000 n
+0003371213 00000 n
+0003371365 00000 n
+0003374950 00000 n
+0003371581 00000 n
+0003354536 00000 n
+0003353071 00000 n
+0003371517 00000 n
+0003375101 00000 n
+0003375252 00000 n
+0003375404 00000 n
+0003375556 00000 n
+0003375708 00000 n
+0003375860 00000 n
+0003376012 00000 n
+0003376164 00000 n
+0003376316 00000 n
+0003376468 00000 n
+0003376620 00000 n
+0003376772 00000 n
+0003376924 00000 n
+0003377074 00000 n
+0003377223 00000 n
+0003377375 00000 n
+0003377527 00000 n
+0003377679 00000 n
+0003377831 00000 n
+0003377982 00000 n
+0003378134 00000 n
+0003378286 00000 n
+0003378438 00000 n
+0003378590 00000 n
+0003378742 00000 n
+0003378894 00000 n
+0003379046 00000 n
+0003379198 00000 n
+0003379349 00000 n
+0003379499 00000 n
+0003379650 00000 n
+0003379799 00000 n
+0003379950 00000 n
+0003380102 00000 n
+0003380254 00000 n
+0003380404 00000 n
+0003380555 00000 n
+0003380706 00000 n
+0003380857 00000 n
+0003381009 00000 n
+0003381161 00000 n
+0003381313 00000 n
+0003381465 00000 n
+0003381617 00000 n
+0003381769 00000 n
+0003381921 00000 n
+0003382073 00000 n
+0003382225 00000 n
+0003382377 00000 n
+0003382529 00000 n
+0003382681 00000 n
+0003382832 00000 n
+0003382984 00000 n
+0003383135 00000 n
+0003383287 00000 n
+0003383439 00000 n
+0003383590 00000 n
+0003383741 00000 n
+0003383892 00000 n
+0003384043 00000 n
+0003384194 00000 n
+0003384344 00000 n
+0003384494 00000 n
+0003384646 00000 n
+0003384798 00000 n
+0003384949 00000 n
+0003385101 00000 n
+0003385252 00000 n
+0003385402 00000 n
+0003385553 00000 n
+0003385704 00000 n
+0003385854 00000 n
+0003386005 00000 n
+0003386156 00000 n
+0003386308 00000 n
+0003386456 00000 n
+0003386608 00000 n
+0003386760 00000 n
+0003386912 00000 n
+0003387064 00000 n
+0003387216 00000 n
+0003387368 00000 n
+0003387520 00000 n
+0003387672 00000 n
+0003387824 00000 n
+0003387976 00000 n
+0003388128 00000 n
+0003388279 00000 n
+0003388430 00000 n
+0003388582 00000 n
+0003388734 00000 n
+0003388886 00000 n
+0003389037 00000 n
+0003389189 00000 n
+0003389340 00000 n
+0003389492 00000 n
+0003389644 00000 n
+0003389795 00000 n
+0003389945 00000 n
+0003390096 00000 n
+0003390247 00000 n
+0003390399 00000 n
+0003390550 00000 n
+0003390700 00000 n
+0003390851 00000 n
+0003391003 00000 n
+0003391155 00000 n
+0003391307 00000 n
+0003391459 00000 n
+0003391611 00000 n
+0003391761 00000 n
+0003391912 00000 n
+0003392064 00000 n
+0003392216 00000 n
+0003392368 00000 n
+0003392519 00000 n
+0003392671 00000 n
+0003392822 00000 n
+0003392972 00000 n
+0003393123 00000 n
+0003393274 00000 n
+0003393425 00000 n
+0003393576 00000 n
+0003393728 00000 n
+0003393878 00000 n
+0003394028 00000 n
+0003394179 00000 n
+0003394328 00000 n
+0003394479 00000 n
+0003394631 00000 n
+0003394783 00000 n
+0003394933 00000 n
+0003395084 00000 n
+0003395234 00000 n
+0003395384 00000 n
+0003395535 00000 n
+0003395686 00000 n
+0003395838 00000 n
+0003395989 00000 n
+0003396140 00000 n
+0003396292 00000 n
+0003396444 00000 n
+0003396596 00000 n
+0003396747 00000 n
+0003396897 00000 n
+0003397048 00000 n
+0003397199 00000 n
+0003397351 00000 n
+0003397502 00000 n
+0003397654 00000 n
+0003397806 00000 n
+0003397958 00000 n
+0003398110 00000 n
+0003398260 00000 n
+0003398410 00000 n
+0003398562 00000 n
+0003398713 00000 n
+0003398864 00000 n
+0003399015 00000 n
+0003399166 00000 n
+0003399318 00000 n
+0003399470 00000 n
+0003399622 00000 n
+0003399774 00000 n
+0003402891 00000 n
+0003403042 00000 n
+0003399989 00000 n
+0003373337 00000 n
+0003371697 00000 n
+0003399926 00000 n
+0003403193 00000 n
+0003403344 00000 n
+0003403495 00000 n
+0003403645 00000 n
+0003403796 00000 n
+0003403948 00000 n
+0003404099 00000 n
+0003404251 00000 n
+0003404403 00000 n
+0003404555 00000 n
+0003404707 00000 n
+0003404859 00000 n
+0003405010 00000 n
+0003405161 00000 n
+0003405312 00000 n
+0003405464 00000 n
+0003405616 00000 n
+0003405768 00000 n
+0003405920 00000 n
+0003406072 00000 n
+0003406224 00000 n
+0003406376 00000 n
+0003406528 00000 n
+0003406680 00000 n
+0003406830 00000 n
+0003406981 00000 n
+0003407131 00000 n
+0003407282 00000 n
+0003407433 00000 n
+0003407585 00000 n
+0003407737 00000 n
+0003407888 00000 n
+0003408039 00000 n
+0003408191 00000 n
+0003408343 00000 n
+0003408493 00000 n
+0003408645 00000 n
+0003408797 00000 n
+0003408948 00000 n
+0003409099 00000 n
+0003409250 00000 n
+0003409402 00000 n
+0003409554 00000 n
+0003409706 00000 n
+0003409858 00000 n
+0003410009 00000 n
+0003410161 00000 n
+0003410313 00000 n
+0003410465 00000 n
+0003410617 00000 n
+0003410769 00000 n
+0003410920 00000 n
+0003411072 00000 n
+0003411223 00000 n
+0003411375 00000 n
+0003411524 00000 n
+0003411675 00000 n
+0003411827 00000 n
+0003411979 00000 n
+0003412131 00000 n
+0003412283 00000 n
+0003412435 00000 n
+0003412587 00000 n
+0003412739 00000 n
+0003412891 00000 n
+0003413043 00000 n
+0003413195 00000 n
+0003413345 00000 n
+0003413497 00000 n
+0003413648 00000 n
+0003413799 00000 n
+0003413950 00000 n
+0003414101 00000 n
+0003414253 00000 n
+0003414404 00000 n
+0003414556 00000 n
+0003414707 00000 n
+0003414859 00000 n
+0003415010 00000 n
+0003415161 00000 n
+0003415313 00000 n
+0003415465 00000 n
+0003415617 00000 n
+0003415769 00000 n
+0003415921 00000 n
+0003416073 00000 n
+0003416223 00000 n
+0003416373 00000 n
+0003416523 00000 n
+0003416674 00000 n
+0003416826 00000 n
+0003416978 00000 n
+0003417129 00000 n
+0003417281 00000 n
+0003417433 00000 n
+0003417585 00000 n
+0003417736 00000 n
+0003417888 00000 n
+0003418039 00000 n
+0003418190 00000 n
+0003418342 00000 n
+0003418492 00000 n
+0003418643 00000 n
+0003418795 00000 n
+0003418945 00000 n
+0003419096 00000 n
+0003419247 00000 n
+0003419398 00000 n
+0003419550 00000 n
+0003419702 00000 n
+0003419853 00000 n
+0003420005 00000 n
+0003420156 00000 n
+0003420308 00000 n
+0003420459 00000 n
+0003420610 00000 n
+0003420762 00000 n
+0003420914 00000 n
+0003421066 00000 n
+0003421218 00000 n
+0003421370 00000 n
+0003421522 00000 n
+0003424647 00000 n
+0003424798 00000 n
+0003421738 00000 n
+0003401647 00000 n
+0003400105 00000 n
+0003421674 00000 n
+0003675888 00000 n
+0003424950 00000 n
+0003425100 00000 n
+0003425250 00000 n
+0003425400 00000 n
+0003425550 00000 n
+0003425699 00000 n
+0003425851 00000 n
+0003426003 00000 n
+0003426155 00000 n
+0003426307 00000 n
+0003426457 00000 n
+0003426608 00000 n
+0003426760 00000 n
+0003426912 00000 n
+0003427063 00000 n
+0003427214 00000 n
+0003427365 00000 n
+0003427516 00000 n
+0003427668 00000 n
+0003427819 00000 n
+0003427971 00000 n
+0003428123 00000 n
+0003428275 00000 n
+0003428427 00000 n
+0003428579 00000 n
+0003428731 00000 n
+0003428883 00000 n
+0003429035 00000 n
+0003429187 00000 n
+0003429339 00000 n
+0003429491 00000 n
+0003429642 00000 n
+0003429793 00000 n
+0003429945 00000 n
+0003430097 00000 n
+0003430248 00000 n
+0003430399 00000 n
+0003430550 00000 n
+0003430702 00000 n
+0003430854 00000 n
+0003431006 00000 n
+0003431158 00000 n
+0003431310 00000 n
+0003431462 00000 n
+0003431614 00000 n
+0003431766 00000 n
+0003431918 00000 n
+0003432070 00000 n
+0003432222 00000 n
+0003432374 00000 n
+0003432526 00000 n
+0003432677 00000 n
+0003432828 00000 n
+0003432979 00000 n
+0003433131 00000 n
+0003433283 00000 n
+0003433434 00000 n
+0003433586 00000 n
+0003433737 00000 n
+0003433889 00000 n
+0003434041 00000 n
+0003434193 00000 n
+0003434345 00000 n
+0003434497 00000 n
+0003434649 00000 n
+0003434801 00000 n
+0003434953 00000 n
+0003435105 00000 n
+0003435256 00000 n
+0003435408 00000 n
+0003435559 00000 n
+0003435709 00000 n
+0003435861 00000 n
+0003436011 00000 n
+0003436163 00000 n
+0003436315 00000 n
+0003436467 00000 n
+0003436619 00000 n
+0003436770 00000 n
+0003436921 00000 n
+0003437070 00000 n
+0003437219 00000 n
+0003437370 00000 n
+0003437519 00000 n
+0003437670 00000 n
+0003437820 00000 n
+0003437971 00000 n
+0003438122 00000 n
+0003438273 00000 n
+0003438425 00000 n
+0003438577 00000 n
+0003438729 00000 n
+0003438880 00000 n
+0003439031 00000 n
+0003439182 00000 n
+0003439334 00000 n
+0003439486 00000 n
+0003439634 00000 n
+0003439786 00000 n
+0003439938 00000 n
+0003440088 00000 n
+0003440239 00000 n
+0003440390 00000 n
+0003440541 00000 n
+0003440692 00000 n
+0003440842 00000 n
+0003440993 00000 n
+0003441144 00000 n
+0003441296 00000 n
+0003441448 00000 n
+0003441598 00000 n
+0003441750 00000 n
+0003441902 00000 n
+0003442054 00000 n
+0003442206 00000 n
+0003442357 00000 n
+0003442508 00000 n
+0003442659 00000 n
+0003442809 00000 n
+0003442960 00000 n
+0003443112 00000 n
+0003443264 00000 n
+0003443477 00000 n
+0003423403 00000 n
+0003421854 00000 n
+0003443414 00000 n
+0003443999 00000 n
+0003444025 00000 n
+0003444051 00000 n
+0003444077 00000 n
+0003444509 00000 n
+0003444533 00000 n
+0003444659 00000 n
+0003444873 00000 n
+0003445317 00000 n
+0003445481 00000 n
+0003446132 00000 n
+0003446453 00000 n
+0003446489 00000 n
+0003447143 00000 n
+0003447593 00000 n
+0003447969 00000 n
+0003448007 00000 n
+0003448087 00000 n
+0003448520 00000 n
+0003448892 00000 n
+0003449529 00000 n
+0003449925 00000 n
+0003450605 00000 n
+0003451275 00000 n
+0003451908 00000 n
+0003452560 00000 n
+0003452991 00000 n
+0003453640 00000 n
+0003454278 00000 n
+0003468830 00000 n
+0003469295 00000 n
+0003476932 00000 n
+0003477250 00000 n
+0003479517 00000 n
+0003479745 00000 n
+0003484378 00000 n
+0003484635 00000 n
+0003488224 00000 n
+0003488465 00000 n
+0003499082 00000 n
+0003499477 00000 n
+0003505694 00000 n
+0003505986 00000 n
+0003507704 00000 n
+0003507927 00000 n
+0003509721 00000 n
+0003509955 00000 n
+0003528604 00000 n
+0003529226 00000 n
+0003533888 00000 n
+0003534166 00000 n
+0003537479 00000 n
+0003537747 00000 n
+0003541692 00000 n
+0003541968 00000 n
+0003553980 00000 n
+0003554414 00000 n
+0003556190 00000 n
+0003556419 00000 n
+0003566373 00000 n
+0003566859 00000 n
+0003571165 00000 n
+0003571458 00000 n
+0003580641 00000 n
+0003581050 00000 n
+0003594296 00000 n
+0003594801 00000 n
+0003597917 00000 n
+0003598173 00000 n
+0003600681 00000 n
+0003600998 00000 n
+0003618638 00000 n
+0003619159 00000 n
+0003620899 00000 n
+0003621122 00000 n
+0003622847 00000 n
+0003623070 00000 n
+0003626574 00000 n
+0003626813 00000 n
+0003643395 00000 n
+0003644042 00000 n
+0003656021 00000 n
+0003656473 00000 n
+0003658307 00000 n
+0003675977 00000 n
+0003676103 00000 n
+0003676229 00000 n
+0003676355 00000 n
+0003676481 00000 n
+0003676607 00000 n
+0003676733 00000 n
+0003676859 00000 n
+0003676985 00000 n
+0003677111 00000 n
+0003677237 00000 n
+0003677363 00000 n
+0003677489 00000 n
+0003677615 00000 n
+0003677741 00000 n
+0003677867 00000 n
+0003677993 00000 n
+0003678119 00000 n
+0003678236 00000 n
+0003678363 00000 n
+0003678490 00000 n
+0003678617 00000 n
+0003678700 00000 n
+0003705594 00000 n
+0003705743 00000 n
+0003705882 00000 n
+0003706083 00000 n
+0003706263 00000 n
+0003706448 00000 n
+0003706632 00000 n
+0003706817 00000 n
+0003707001 00000 n
+0003707186 00000 n
+0003707369 00000 n
+0003707552 00000 n
+0003707737 00000 n
+0003707921 00000 n
+0003708106 00000 n
+0003708290 00000 n
+0003708475 00000 n
+0003708659 00000 n
+0003708844 00000 n
+0003709028 00000 n
+0003709213 00000 n
+0003709396 00000 n
+0003709577 00000 n
+0003709760 00000 n
+0003709943 00000 n
+0003710128 00000 n
+0003710312 00000 n
+0003710497 00000 n
+0003710681 00000 n
+0003710866 00000 n
+0003711050 00000 n
+0003711235 00000 n
+0003711419 00000 n
+0003711604 00000 n
+0003711787 00000 n
+0003711970 00000 n
+0003712155 00000 n
+0003712339 00000 n
+0003712524 00000 n
+0003712708 00000 n
+0003712893 00000 n
+0003713075 00000 n
+0003713260 00000 n
+0003713444 00000 n
+0003713629 00000 n
+0003713813 00000 n
+0003713998 00000 n
+0003714181 00000 n
+0003714364 00000 n
+0003714549 00000 n
+0003714733 00000 n
+0003714918 00000 n
+0003715102 00000 n
+0003715287 00000 n
+0003715471 00000 n
+0003715656 00000 n
+0003715840 00000 n
+0003716025 00000 n
+0003716208 00000 n
+0003716389 00000 n
+0003716572 00000 n
+0003716755 00000 n
+0003716940 00000 n
+0003717124 00000 n
+0003717309 00000 n
+0003717493 00000 n
+0003717678 00000 n
+0003717862 00000 n
+0003718047 00000 n
+0003718231 00000 n
+0003718416 00000 n
+0003718599 00000 n
+0003718782 00000 n
+0003718967 00000 n
+0003719151 00000 n
+0003719336 00000 n
+0003719520 00000 n
+0003719705 00000 n
+0003719887 00000 n
+0003720072 00000 n
+0003720256 00000 n
+0003720441 00000 n
+0003720625 00000 n
+0003720810 00000 n
+0003720993 00000 n
+0003721176 00000 n
+0003721361 00000 n
+0003721545 00000 n
+0003721730 00000 n
+0003721914 00000 n
+0003722099 00000 n
+0003722283 00000 n
+0003722468 00000 n
+0003722652 00000 n
+0003722837 00000 n
+0003723020 00000 n
+0003723201 00000 n
+0003723384 00000 n
+0003723567 00000 n
+0003723752 00000 n
+0003723936 00000 n
+0003724117 00000 n
+0003724293 00000 n
+0003724470 00000 n
+0003724646 00000 n
+0003724823 00000 n
+0003724999 00000 n
+0003725176 00000 n
+0003725364 00000 n
+0003725552 00000 n
+0003725748 00000 n
+0003725945 00000 n
+0003726152 00000 n
+0003726356 00000 n
+0003726558 00000 n
+0003726760 00000 n
+0003726964 00000 n
+0003727187 00000 n
+0003727419 00000 n
+0003727647 00000 n
+0003727869 00000 n
+0003728071 00000 n
+0003728247 00000 n
+0003728450 00000 n
+0003728667 00000 n
+0003728866 00000 n
+0003729064 00000 n
+0003729259 00000 n
+0003729453 00000 n
+0003729647 00000 n
+0003729834 00000 n
+0003730034 00000 n
+0003730227 00000 n
+0003730442 00000 n
+0003730680 00000 n
+0003730919 00000 n
+0003731152 00000 n
+0003731385 00000 n
+0003731618 00000 n
+0003731851 00000 n
+0003732076 00000 n
+0003732305 00000 n
+0003732530 00000 n
+0003732760 00000 n
+0003732990 00000 n
+0003733215 00000 n
+0003733440 00000 n
+0003733665 00000 n
+0003733890 00000 n
+0003734120 00000 n
+0003734345 00000 n
+0003734570 00000 n
+0003734785 00000 n
+0003734998 00000 n
+0003735207 00000 n
+0003735416 00000 n
+0003735617 00000 n
+0003735818 00000 n
+0003736019 00000 n
+0003736205 00000 n
+0003736398 00000 n
+0003736591 00000 n
+0003736784 00000 n
+0003736977 00000 n
+0003737170 00000 n
+0003737363 00000 n
+0003737556 00000 n
+0003737749 00000 n
+0003737942 00000 n
+0003738135 00000 n
+0003738328 00000 n
+0003738521 00000 n
+0003738714 00000 n
+0003738907 00000 n
+0003739100 00000 n
+0003739293 00000 n
+0003739486 00000 n
+0003739679 00000 n
+0003739872 00000 n
+0003740065 00000 n
+0003740258 00000 n
+0003740451 00000 n
+0003740644 00000 n
+0003740837 00000 n
+0003741030 00000 n
+0003741223 00000 n
+0003741416 00000 n
+0003741609 00000 n
+0003741802 00000 n
+0003741995 00000 n
+0003742188 00000 n
+0003742381 00000 n
+0003742574 00000 n
+0003742767 00000 n
+0003742960 00000 n
+0003743153 00000 n
+0003743346 00000 n
+0003743536 00000 n
+0003743732 00000 n
+0003743934 00000 n
+0003744185 00000 n
+0003744432 00000 n
+0003744679 00000 n
+0003744928 00000 n
+0003745177 00000 n
+0003745426 00000 n
+0003745667 00000 n
+0003745902 00000 n
+0003746151 00000 n
+0003746399 00000 n
+0003746648 00000 n
+0003746893 00000 n
+0003747136 00000 n
+0003747385 00000 n
+0003747633 00000 n
+0003747880 00000 n
+0003748121 00000 n
+0003748368 00000 n
+0003748615 00000 n
+0003748864 00000 n
+0003749112 00000 n
+0003749357 00000 n
+0003749598 00000 n
+0003749839 00000 n
+0003750080 00000 n
+0003750323 00000 n
+0003750572 00000 n
+0003750820 00000 n
+0003751069 00000 n
+0003751310 00000 n
+0003751556 00000 n
+0003751803 00000 n
+0003752044 00000 n
+0003752290 00000 n
+0003752539 00000 n
+0003752786 00000 n
+0003753033 00000 n
+0003753279 00000 n
+0003753522 00000 n
+0003753771 00000 n
+0003754019 00000 n
+0003754268 00000 n
+0003754516 00000 n
+0003754759 00000 n
+0003754999 00000 n
+0003755240 00000 n
+0003755479 00000 n
+0003755718 00000 n
+0003755954 00000 n
+0003756196 00000 n
+0003756445 00000 n
+0003756693 00000 n
+0003756934 00000 n
+0003757180 00000 n
+0003757429 00000 n
+0003757676 00000 n
+0003757921 00000 n
+0003758164 00000 n
+0003758413 00000 n
+0003758661 00000 n
+0003758910 00000 n
+0003759158 00000 n
+0003759407 00000 n
+0003759652 00000 n
+0003759896 00000 n
+0003760145 00000 n
+0003760393 00000 n
+0003760638 00000 n
+0003760881 00000 n
+0003761130 00000 n
+0003761378 00000 n
+0003761625 00000 n
+0003761866 00000 n
+0003762113 00000 n
+0003762360 00000 n
+0003762609 00000 n
+0003762857 00000 n
+0003763106 00000 n
+0003763354 00000 n
+0003763595 00000 n
+0003763844 00000 n
+0003764092 00000 n
+0003764341 00000 n
+0003764589 00000 n
+0003764835 00000 n
+0003765078 00000 n
+0003765327 00000 n
+0003765575 00000 n
+0003765824 00000 n
+0003766072 00000 n
+0003766321 00000 n
+0003766567 00000 n
+0003766810 00000 n
+0003767059 00000 n
+0003767307 00000 n
+0003767556 00000 n
+0003767804 00000 n
+0003768053 00000 n
+0003768294 00000 n
+0003768541 00000 n
+0003768788 00000 n
+0003769037 00000 n
+0003769285 00000 n
+0003769534 00000 n
+0003769777 00000 n
+0003770017 00000 n
+0003770258 00000 n
+0003770497 00000 n
+0003770736 00000 n
+0003770973 00000 n
+0003771213 00000 n
+0003771462 00000 n
+0003771710 00000 n
+0003771959 00000 n
+0003772207 00000 n
+0003772452 00000 n
+0003772696 00000 n
+0003772945 00000 n
+0003773186 00000 n
+0003773431 00000 n
+0003773677 00000 n
+0003773918 00000 n
+0003774163 00000 n
+0003774404 00000 n
+0003774650 00000 n
+0003774899 00000 n
+0003775146 00000 n
+0003775393 00000 n
+0003775642 00000 n
+0003775890 00000 n
+0003776133 00000 n
+0003776380 00000 n
+0003776627 00000 n
+0003776876 00000 n
+0003777124 00000 n
+0003777371 00000 n
+0003777612 00000 n
+0003777861 00000 n
+0003778109 00000 n
+0003778358 00000 n
+0003778606 00000 n
+0003778855 00000 n
+0003779098 00000 n
+0003779344 00000 n
+0003779593 00000 n
+0003779840 00000 n
+0003780087 00000 n
+0003780333 00000 n
+0003780576 00000 n
+0003780825 00000 n
+0003781073 00000 n
+0003781322 00000 n
+0003781570 00000 n
+0003781814 00000 n
+0003782059 00000 n
+0003782308 00000 n
+0003782556 00000 n
+0003782805 00000 n
+0003783049 00000 n
+0003783289 00000 n
+0003783530 00000 n
+0003783770 00000 n
+0003784006 00000 n
+0003784246 00000 n
+0003784495 00000 n
+0003784741 00000 n
+0003784982 00000 n
+0003785229 00000 n
+0003785474 00000 n
+0003785713 00000 n
+0003785954 00000 n
+0003786194 00000 n
+0003786430 00000 n
+0003786666 00000 n
+0003786907 00000 n
+0003787147 00000 n
+0003787386 00000 n
+0003787619 00000 n
+0003787858 00000 n
+0003788097 00000 n
+0003788338 00000 n
+0003788578 00000 n
+0003788819 00000 n
+0003789059 00000 n
+0003789294 00000 n
+0003789533 00000 n
+0003789772 00000 n
+0003790013 00000 n
+0003790249 00000 n
+0003790485 00000 n
+0003790721 00000 n
+0003790952 00000 n
+0003791174 00000 n
+0003791356 00000 n
+0003791541 00000 n
+0003791725 00000 n
+0003791910 00000 n
+0003792093 00000 n
+0003792276 00000 n
+0003792461 00000 n
+0003792645 00000 n
+0003792830 00000 n
+0003793014 00000 n
+0003793199 00000 n
+0003793383 00000 n
+0003793568 00000 n
+0003793752 00000 n
+0003793937 00000 n
+0003794120 00000 n
+0003794303 00000 n
+0003794488 00000 n
+0003794669 00000 n
+0003794854 00000 n
+0003795038 00000 n
+0003795223 00000 n
+0003795407 00000 n
+0003795592 00000 n
+0003795776 00000 n
+0003795961 00000 n
+0003796145 00000 n
+0003796330 00000 n
+0003796513 00000 n
+0003796696 00000 n
+0003796881 00000 n
+0003797065 00000 n
+0003797250 00000 n
+0003797434 00000 n
+0003797619 00000 n
+0003797803 00000 n
+0003797988 00000 n
+0003798170 00000 n
+0003798355 00000 n
+0003798539 00000 n
+0003798724 00000 n
+0003798907 00000 n
+0003799090 00000 n
+0003799275 00000 n
+0003799459 00000 n
+0003799644 00000 n
+0003799828 00000 n
+0003800013 00000 n
+0003800197 00000 n
+0003800382 00000 n
+0003800566 00000 n
+0003800751 00000 n
+0003800934 00000 n
+0003801117 00000 n
+0003801302 00000 n
+0003801483 00000 n
+0003801668 00000 n
+0003801852 00000 n
+0003802037 00000 n
+0003802221 00000 n
+0003802406 00000 n
+0003802590 00000 n
+0003802775 00000 n
+0003802959 00000 n
+0003803144 00000 n
+0003803327 00000 n
+0003803510 00000 n
+0003803695 00000 n
+0003803879 00000 n
+0003804064 00000 n
+0003804248 00000 n
+0003804433 00000 n
+0003804617 00000 n
+0003804802 00000 n
+0003804984 00000 n
+0003805169 00000 n
+0003805353 00000 n
+0003805538 00000 n
+0003805721 00000 n
+0003805904 00000 n
+0003806089 00000 n
+0003806273 00000 n
+0003806458 00000 n
+0003806642 00000 n
+0003806827 00000 n
+0003807011 00000 n
+0003807196 00000 n
+0003807380 00000 n
+0003807565 00000 n
+0003807748 00000 n
+0003807931 00000 n
+0003808116 00000 n
+0003808291 00000 n
+0003808466 00000 n
+0003808643 00000 n
+0003808819 00000 n
+0003808996 00000 n
+0003809172 00000 n
+0003809349 00000 n
+0003809530 00000 n
+0003809711 00000 n
+0003809896 00000 n
+0003810089 00000 n
+0003810282 00000 n
+0003810480 00000 n
+0003810664 00000 n
+0003810848 00000 n
+0003811047 00000 n
+0003811255 00000 n
+0003811505 00000 n
+0003811756 00000 n
+0003811995 00000 n
+0003812237 00000 n
+0003812432 00000 n
+0003812615 00000 n
+0003812818 00000 n
+0003813022 00000 n
+0003813229 00000 n
+0003813438 00000 n
+0003813646 00000 n
+0003813854 00000 n
+0003814063 00000 n
+0003814272 00000 n
+0003814481 00000 n
+0003814683 00000 n
+0003814892 00000 n
+0003815103 00000 n
+0003815314 00000 n
+0003815527 00000 n
+0003815744 00000 n
+0003815952 00000 n
+0003816155 00000 n
+0003816358 00000 n
+0003816561 00000 n
+0003816764 00000 n
+0003816967 00000 n
+0003817160 00000 n
+0003817404 00000 n
+0003817655 00000 n
+0003817906 00000 n
+0003818157 00000 n
+0003818408 00000 n
+0003818663 00000 n
+0003818920 00000 n
+0003819166 00000 n
+0003819409 00000 n
+0003819652 00000 n
+0003819895 00000 n
+0003820138 00000 n
+0003820381 00000 n
+0003820624 00000 n
+0003820867 00000 n
+0003821110 00000 n
+0003821353 00000 n
+0003821596 00000 n
+0003821839 00000 n
+0003822103 00000 n
+0003822385 00000 n
+0003822676 00000 n
+0003822968 00000 n
+0003823258 00000 n
+0003823541 00000 n
+0003823824 00000 n
+0003824107 00000 n
+0003824390 00000 n
+0003824673 00000 n
+0003824883 00000 n
+0003825079 00000 n
+0003825272 00000 n
+0003825462 00000 n
+0003825575 00000 n
+0003825693 00000 n
+0003825811 00000 n
+0003825928 00000 n
+0003826046 00000 n
+0003826164 00000 n
+0003826282 00000 n
+0003826399 00000 n
+0003826517 00000 n
+0003826635 00000 n
+0003826753 00000 n
+0003826870 00000 n
+0003826988 00000 n
+0003827106 00000 n
+0003827224 00000 n
+0003827340 00000 n
+0003827456 00000 n
+0003827577 00000 n
+0003827695 00000 n
+0003827820 00000 n
+0003827946 00000 n
+0003828066 00000 n
+0003828190 00000 n
+0003828319 00000 n
+0003828447 00000 n
+0003828572 00000 n
+0003828693 00000 n
+0003828813 00000 n
+0003828933 00000 n
+0003829053 00000 n
+0003829173 00000 n
+0003829293 00000 n
+0003829412 00000 n
+0003829536 00000 n
+0003829670 00000 n
+0003829803 00000 n
+0003829935 00000 n
+0003830068 00000 n
+0003830201 00000 n
+0003830334 00000 n
+0003830467 00000 n
+0003830599 00000 n
+0003830732 00000 n
+0003830866 00000 n
+0003831000 00000 n
+0003831134 00000 n
+0003831268 00000 n
+0003831402 00000 n
+0003831537 00000 n
+0003831671 00000 n
+0003831805 00000 n
+0003831938 00000 n
+0003832072 00000 n
+0003832206 00000 n
+0003832340 00000 n
+0003832473 00000 n
+0003832607 00000 n
+0003832741 00000 n
+0003832876 00000 n
+0003833010 00000 n
+0003833143 00000 n
+0003833275 00000 n
+0003833407 00000 n
+0003833539 00000 n
+0003833670 00000 n
+0003833795 00000 n
+0003833913 00000 n
+0003834032 00000 n
+0003834151 00000 n
+0003834270 00000 n
+0003834388 00000 n
+0003834507 00000 n
+0003834626 00000 n
+0003834745 00000 n
+0003834863 00000 n
+0003834982 00000 n
+0003835101 00000 n
+0003835220 00000 n
+0003835339 00000 n
+0003835458 00000 n
+0003835575 00000 n
+0003835694 00000 n
+0003835809 00000 n
+0003835930 00000 n
+0003836056 00000 n
+0003836181 00000 n
+0003836307 00000 n
+0003836433 00000 n
+0003836564 00000 n
+0003836700 00000 n
+0003836835 00000 n
+0003836976 00000 n
+0003837122 00000 n
+0003837234 00000 n
+0003837348 00000 n
+0003837466 00000 n
+0003837589 00000 n
+0003837712 00000 n
+0003837837 00000 n
+0003837964 00000 n
+0003838097 00000 n
+0003838231 00000 n
+0003838372 00000 n
+0003838512 00000 n
+0003838644 00000 n
+0003838768 00000 n
+0003838893 00000 n
+0003839020 00000 n
+0003839157 00000 n
+0003839268 00000 n
+0003839395 00000 n
+0003839527 00000 n
+0003839630 00000 n
+0003839718 00000 n
+0003839760 00000 n
+0003840006 00000 n
trailer
<< /Size 10069
/Root 10067 0 R
/Info 10068 0 R
-/ID [<5E3277AF051623B84CB480DFAC5DFC39> <5E3277AF051623B84CB480DFAC5DFC39>] >>
+/ID [<F65F941EFE32FD1F6E7EA34A8AAEF9C9> <F65F941EFE32FD1F6E7EA34A8AAEF9C9>] >>
startxref
-3840297
+3840340
%%EOF
Modified: branches/samba/upstream/docs/Samba3-Developers-Guide.pdf
===================================================================
--- branches/samba/upstream/docs/Samba3-Developers-Guide.pdf 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/Samba3-Developers-Guide.pdf 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1318,12 +1318,11 @@
<< /S /GoTo /D [882 0 R /Fit ] >>
endobj
884 0 obj <<
-/Length 185
+/Length 186
/Filter /FlateDecode
>>
stream
-xÚ…»
-Â@�Eû|Å”»`Æ}dvcið�‚.6b�È*JL$�Á¿wBì,¬î¼î¹Œ‚�(X'ê�!™®Œ�íÑhÊ œA;Bo 2"´¤!Tp�ûù¶˜ËÔz�‹ø’V‹X·��pÑ=Çź¿VQžÂ†‰9h3"3�C£4¤d1£‘·‰õ=vì3NìpP/�27LkZ™r×^o��<�yà T¹ûšËFòE_vï‘MFå�5˜~Þ\†ä�Ïç>`
+xÚ…?�Â0�Å÷~Š��°g.é%uTÔBÁEƒ‹8�FQÔJEÁo98½wÞï8�G0PeæNb6œÛ �Ð����@ž18†‚���Ä=lÔj¼˜Œuî�«iziG*]š»4Ä´~P=Oû¤·±�b D8b¶�Ñ{´† g‡�÷¼:]®©•œõj‰�µÖ¥�ÚѹTÍéܱ @ï$ë�šÒû›–ç®}÷�*�½‘3¦Kýü9‹Ù��@>‹
endstream
endobj
882 0 obj <<
@@ -1393,8 +1392,8 @@
904 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145320+01'00')
-/ModDate (D:20100104145320+01'00')
+/CreationDate (D:20100118125422+01'00')
+/ModDate (D:20100118125422+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/w2.eps)
>>
@@ -7496,8 +7495,8 @@
1845 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145320+01'00')
-/ModDate (D:20100104145320+01'00')
+/CreationDate (D:20100118125422+01'00')
+/ModDate (D:20100118125422+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/SVN/samba-docs/xslt/figures/note.eps)
>>
@@ -10133,52 +10132,46 @@
/FontFile 2158 0 R
>> endobj
2160 0 obj <<
-/Length1 1030
-/Length2 3840
+/Length1 1031
+/Length2 3885
/Length3 0
-/Length 4508
+/Length 4550
/Filter /FlateDecode
>>
stream
-xÚSy<”
-׶†‰'�BåFd�û’}Í’5[YÇÌ`2f�û¾†dÍÒØÊ–=dß#[²$k�Ù�&[¶$¾©ç{Ÿúž÷ßïwÿs_ç\ç:×}ι¹Ø
-î�*ÃÐvp
-4Ê]PDHä& ªk$"
-ˆ� ƒ¸¸T1pˆ;�Rƒ¸Ão�"22"€²‡� *�ˆHÞ�“¾),�â�TÑ.>�„ƒ£;À£Êû“$�(;Ã1�(��èBÜ�áÎ�
-(� ÜAC�pw�!@�‰�Œ~V¸�Fp78Æ����‰ˆ 0�Ô�°ƒ; P ðOCZ({4 õw�æáòŸ”'�ãF0�ð�Lò��‹04
-é�Ààö °�šÐ�Npòÿaêßâ��H¤�Äù§üÏ!ýW�âŒ@úü/�íìâá�Ç ºh��ƒú7Õ�þ·7]8�ááüﬖ;�‰€*£�p@øï�ÂM�á
-‡� Ü¡Ž€=�é�ÿ�‡£`ÿ6A˜Û/�`U=M�M]þ¿÷ù+g A Ü}\þQýIþ…E~cÂt0�oÀBXHXX„@$<ÿy³úW/u��
-C ��!! @0�ˆ�ˆp��$�ø‰ ���î
-À½ †ÁB(´;¡� Ì$ °Gc@?×)%�€µ†~!iQ lô�I�`Ó�a{`È?HœP�E;;ÿŽˆ�üáÿ@ ‚”=Ú�óG^� #þ€�õû@i Œü�Ê `çßPD� £þ€„Vèß^�\4êwkq‚²�áÎа?*�~{‘ ȹ{¡ÿH�>Îã7�%èûüÖ#Xó…cþ¦ÿ÷¦UTÐÞ~‚b†¨„� #-
-HI��ü��Ô�ƒ£ÜýD„sù�¶G�Ž��÷†CAS�h¨løý'u�ÅêyÃ%ä|Ä*�õ zÕí£çÃ>$�#�Þê¸ò}¬2?.M§ÿk•|•Íë„Õ-ºÅßpPc+Ä5�;~ºêi»šîÛÈj¾›®ë³âÂq�¶q¡¹nl�/A¬?ò±¿8ùn~wÖvÏFŽ�šñ'
-�;Q‡…gMGF¸¤”¹F:Ò$òA�·�»�-Öµ8J<rÖ‹6ù1Ùì»°Àû‘”
-ü3;è�‹Çy”ÙI§–{k#J�Œ™ã’V¨¡ñIÇ g¤#äQŒ&¿8[L^\FcÓÉñ‹L°â°X�w��5&Ÿ™�‘Toà|<þvÅ¿&+P(�7ö ?û¶—¨PÕja–�ŽYïn�;Ýœq($°k:‹ªÕÃ7™‡�—N‰ÕúÎË~ïÄc8©¥ïFå¼/‹³o>JœKU� °POQÆcµ.¢9gç…�«¼fÓÈ-�Ñe–g¦1Dw-��ž�Øy¼Q3@ÅWB�³`w+GìÞ¨èt±Á�iJ¡ôm±3Ìz�‹ÅCO�ÔF½«ÝñEàg�™xÒJÿF3Ί�&�<ÿdh[.ŠlËá�ëŒ�h4Z›8Y*.t¾Pó¾`cðå(|�U·¿ÙKèÖ�i¨Á¤™€ið!qï§á §‚ÑP{*ŒtF+3ÙÕC¶û|EX9¢Ê�nñ¼äŠ�–„²�dß ýÖ¤¸2�”19êäÌÆZ�ã›ÿZ,‡1å
-ïÅ·$rCÓMË HÅ3^—/4E“¼“Ÿg¾y¢:yG8‚ŽÈsxtö.�§2`I’ÔN�qËç_[æ\³!+)'A�Ü8‰|:–^½Bçè‘U€¿»Æ\å7ð2dì@ =âëÜÞüÜLHuœÙeßè¤Åà“Hšà�¢ƒÌ&dkLØ£¯¬wÐ�¾ê�Ïs�‹šlËX¹iSæ�¹§˜3ö’k©KosG2Bdd?Xm�t‹eº|³Sîd¸ÕuµƒÏ÷��OùñÒõ��Ðø˘+»™Aú
-–�¿È��-«gË‘�j{x‡w«RÕÌXøqé@Ã��*§¡Ñdù†'–•HË£/ø$£æծålÂÅÜá,g‚Åú�Ûä]«M²tY®uÜ�bV4îš×çxrƒÞÄÐz9Ì´“ŽˆÔŽé>l:1ÔÓLùë7Êk6O…;oûüˆ&[dIV)_׃vÄVìÉ•ØœÎ=ϵ(Œv
-�•Ìc,€s^5½Ë6¬³Ä¦±/rZÄû> MÐz2�ó½4"ÜZš:áÞ¶—ÝwLÒÌŸ÷§Ë¹D{È7Ý?1A‘¼=ã ÔªP`…���ð0OÈpYnWÒÇ�;¾�¯Þ÷ì�xr°<Zs>»L毩q¿W9:ñœÅ5KE¬Êº�sá’�Ž:ºdqU^�µ��ŠÄ¡�{Ó “aÅw#'…kí�&
-ª,fŽñdm�‡³¬�u?_J½æ÷‰gx/¥G[¸×ò¨oªšÄ�åÊ�Ÿ1wÙð��¸|Ž*A4ÁĤ[9’t—ãH�.t†d5¬�ÔR>���›=k1‰ÙŸM]‡5�qÊ=UeÆë¹�êï±yñšñ�›5�ƒ“÷†3é(ŽÙu‚Ù�m; óæLú�æÅu…€¤b¹�šú�Òÿz�Bd+pUê²Ï®DšW¥�%r‡ì†>Ÿj4äÌýÍ‹~Ì�Qùp¨—+hTö>Å�•^8e‡»¶Û2*¶Ð ªÝ#ˆv�éÖŽ¤ç5�{‹oîÈó6Z«ôÁ(D÷�Ä^P�Zé~�£éé e‰–¶�mzbÎ,oÜ̺~®¡O�Ÿ„cDTç“Í–n0¥T��r1àØ��Û•®�ܾ«'uk0®ÃùNÓ°•Íu7 j:¤†JboéZÛ©"»«å\¾Žô©oò�y�ûê/Oo.
-^V‹×Ó’ˆ¸ú6ož¥€å‡Uó¶–þ1m€åÌ�Xö”�ô^NqWO¡œ«2í/Cî—ôÂ<�é-µ›¸©ÌÁ«Ü�²ÌÌ0&�þ¡"ùY�êÙÈ.ºüŠ¼¨�RÎÁ+÷mWäØD«�kÈ›z�‹æ‚ø}�HÎZU‡žG¬ÆÙ…ˆ�Na
-…´æul�(\‰aH>(£¸47Ë8Q¶Y`Mÿiîu¯‹3î��©à&Ù�…��å�5O+�Ù��·�ØfÅ2+n-¼`Ío�Ê-|w\ Vb�”°ÈµAÍ>ë³PÙœ�™<ºÒä q³õ�«:4� o�öÍ6ƒ«½/9ÔÙƒ•Xu?QÎîlÆG}»×´Þ�ThÑ‘î±9¸šÀ=-¡·<�Zï”�–�;¤š9øqDRψõ=áORÿPÝqnBùÂËJzé\»ƒ‚ÎîC�Æ!e÷$ÉÏCúð‡ÃFÃn‹Ÿc�_:ÒÐdäµlŒ�F4,šÔ¾õ_Öož!5S�Vkpg¿•Æ ÿú,½û,¬¤°©(ë¶Rt>¬�.™ŸòEc¤¤ï¦¿òÅ‹|5eø¼|m¾�óYóÐñõÚ�5^"ƒ{¸XŽ†øá¢åÊgwÜñÇœÖñãáQmµ¼uvçé‡g–Ìc¤*Y`# K�b*Ö�Ö£/¹)B�Î ,�ÙÂ=tcŽâ«ÍÉ÷�B�œ�[Ów„�±Ùì�¨�bU³’êÝ)xÜý�´ §Ç”�ÍI¹f±÷Ž’uêõ}�‚Ñ1±��ž—{ß�F`É�ªšT&��‡�7ï�“¢c–ûE{å”Üúví�oÞÃ<Ó–É“¾sø¸_Ò�)b7j4k�²,øƒÏ¼çö�·ÁÓ£D jÝCü’±\O‡F©´–›¡ÏØäzîâ�_fwr'} ë•�½‰£?š{ý`Ö’��ÇÖ=[ó�.†õb”�txH�8’ó`çìmú‰¾|} Œü:Û•°b¶7‰ŒU#.Oˆþ¦�¦™¾¶+ljÕ�tª�ˆvÀž4»+BWk؉†çûö�jtÖÂ7ŽšþÂö«+ZåÖEp¦\+ÚÌÕYt1 �p%1~’Ämé*ÌÍÖÔèù�<M-ÖUKÅgª|�°>¦Ø�‘‡ö=Œò,¥úšXoÒ bž%â|¡�‰¹ "âúþ'U<2]Fò9Þ¯Í][D½œš�m�ÐyÁFYçß¡Ê��ïh�Qü°£×�â央84¹Þ2ñA�’�~qˆƒáTª³zˆuAT>áDaið•³ÒÉ©Áâ÷–-¦ç�‚T|·ª�»º™ÛÁ_„í²0³Öò0=�Èu�àZlõ�£Ô�›ã®ÓGª²ì>;ôÒv:ò„fZ¢HÓ¯H·°.;Ù9`*ðiN��r�Èn^³dŒÙ�2}kÞbÞm:i�)�½Sí5>P:? ¸Qõu+]òäÓ=Q¦¤¥�¥N©w�»±×X+÷/â�¦:�¾+[PÐ(õš�._÷Üm�|ÛÓ²{�j¶�âp
-JÃJ'�?Ý€Ý*(_?�GÁD}εk[�\îÒfÁ¯ùPvâ9zÉ>oMź@ ‹ýþÞÚü“�Ó
-k¥ÚÛ´r¶�sa³²V*—ùôTµ…Q~j5-Ѷð6rɈ
-Ä”U¬ƒQ%µçÂT6�K™t1�[¢Î:PÄÑùÕ€˜Ó&GãÖ��õ»Ë1_|¢�$%Öå6]ĦÄ2�‹Ð%{ÇŸ<1~ÙÙ¢�–Á�ÄZ�Õ þ~ ?ó2+”#ê¸ÚÌÑ™:Æ_ʪÇEø!žA’ÿ|��šã”î‡ÙgëLb˜àý•›§"�a9Z�®$|TÑ•OÁ¶²Üè¸$»�M©Hj�MÙ€¹cÉsn&ŽBr%39x½a‚|§ï¥ö•û%q^oÃ!‡UÙtxLÂ�*˜B�8
-žz
-®÷fPœ%ÒàÉ�� ë4�,VÙ輟Þìu¾;ß"�Êݾ0Ïî³Íë¥ø4V[ÿœ#ï 7ä�+þ“â£�"�¥á®kc w3T÷‡5‡2�®p<zâÞ(0Å+Tó*•€rœÄ€�Öö‚Ê»KËÐïò�]Átt—1�:Y³Ít›9û��:Ó?›¼•›n�ÙÔÐÛ>�]ÜšM¼þàrLµÌ¦QQVwk7êNÿ‘$”ÔËaUu÷\b&8’Û¸Þ/ôuL帚å½�¾76��”½�øâ˜d½Žš”�͵–¯¤‹‡P~3iKµý:šøX‹.Q“çèY¼ØD³¤Ô\4Óéª!;ѳ{#ƒÉ�ˆ¹©,ç ™ÛÌk/†\úS%…Y&ßé”öɲ0,SàNÓÈò2D‰¬$ [:Tø'ßéµ¾Á¿ÁÅ]¢ž©?ß¿9²�‰·©py�̾®
-YkH˜x!Öà%ø}[„Ýj¼Äz° �K¾½Ì¯�éöîaW¹�Ô¾$¹ÁY:¥)`¦UNMá¶Yçc�œV�I™ÀèÈ[�½SV<ã›L
-–%•�bŠÀLÃGWmïíV%ß4@Š¢)¾v3ö~|�¢Íó�éÔl;–L&G�S�ìxéa�hVTL[�“swç©æ©®àÊnÿåüÓ¬Kéíáú�Û)‘ ²iů“d_ÏVÂÞW
-,�×›Ö{³SJÀi^M
-¤†�öš
-²ë’?ö›n,��Ð>�žY%™�ˆìŠ�ó8�Ð]»ÔÇׄ¥Ò}F4ÿ,IhÛců8]%›¤5*iF5¸½NxT�’ñ%Nq¬/ÞV9+á��vp�ªnz¾RßÆOœ;9¡�ú¬RÞ¸¾Š9óÇ
-v:sé½��=GEçâÙ\q2O
-*Ø'¬ý\W©
-mbâ<(Ù�?Óæ�=—ò½BEýyû‡�É�¨Â�~:�Äá!¬Öþ4�½ídx–Ä+`Á4Ô��~ñyŸ?Ÿþ�íç¿�b|‚8�BêUÁ�ÔB,ÔR Ðð�¤ìx«952šýàEáåŬ�M7›n�X—}L{åo·±Â À¦{ðAš‹H*Hõª˜»Ä6 SÆ~W��®)þàåR�b9:�x·¸ëj³…»oA�s[}s¾È'{Ôø´P›ò²�I,ñÚ
-§8Õ¤Èt±�ƒÏÝM9…ǯñ¢êo��(j½n½l�ƒòF²ì6Ò6Ô€¯^�<¬�Ø›Qˆà.+8då�¯¾ ;u�›º¡Ÿ�^!ù¦ìÑóÓkéuÔºéfi!T©��Ý¢Æ>EFÞâ�.¹î7k6aìßGB¯§²)–‰?�-ܲ·´èp±Ü:ÚµªF�:v~ËÀ,F^ªén
-�zÚ•…ò�—´˜ÛÞ��ˆ�û4¼�w¿[�c^GšQ�3º€õÖuT�X‰(}ÃLt}"Ulpâ.�uš~Ñ`iOÊ“†UH�ôHÙÅ’�¯ì¦`ð�ûâmWÀ¯š–dùyé¯÷dq�wSm”©��²>·J0%ûBæõXÕ³�ÍÑ»ÔVÁö?ü&Ó©
+xÚSy<”‹÷Æp³…B�ÂPÖ˜±ïKö¥ìkÉ2ÍŒ1ÌÂ�;ÙS’%dwIvÙMö%dÏžÈ.d/„,õ›îý}oýî÷ßßçýç}ÎyÎsž÷œóòñ�›‰ªÁq÷�Ú8,AT�,® Ò00�— ‰ƒÅhùø4ð�(�…ÃjB ��¸¼¼8HÍ� ’��‰Ë(HÊ)ˆIÓò4p®>x�Ò‰ �Ô�úI’�©a�x��Š��@ N��I��EƒÌp0�‚à��©¡Ñ ÓŸ�î S„;�ƒiÅÅAp�Œ º‡@¢°´Ÿ†ô°Ž8ìßa¸‡ëRž�¼;É�HdR�D²�ÇaÑ> 8‘�bˆ#õBœü˜ú·¸¶��m�Åü”ÿ9¤ÿJC1(´Ïÿ�p�W����2ÀÁ�xì¿©Vˆ¿½� à(�Ì¿³z�(��SÃ"Ñ�Øß!”»6Ê��7F�`N G(Ú�ñW�…ÿÛ�inY€˜YÜ´42¾þ÷>ÿÊ�CQX‚¹ë?ª?Éañ_˜4�<Ê�d#����'�IÏÞlÿÕK��ÃÁQXÒAHË€ x<Ô‡–t�$$
+ò��¡°p„7�áM2��cq�R ˆ4“ #�Oûs²R ˆþÏÐ_HN��1ý…d@�Ë�i{�è?HŠT�Ãa0¿"â$�Ä?ä�ò÷€�¤A�ÔoÄpþ
+Ê èß <�‚ù�ÅÅ@�ìoÔ�÷Ë�‰‹Ãþê-ERv%���þ[�É0þ—;’�Á�÷[šôu�¿ �Ißç—�Éš/�ÿ7ý¿W®Žóö�•”�‰JH‹ƒäåä@²Òb�ÿ‡�óÀã�XÂ_�é^þƒ�Q¤ëB ¼�0ÚÉw8˜b˜s�ñAá}œ¡"*aruä«XêÖÑ&ºÐ÷qäè¼Þ›n³•ÖÇÅ©Ì�+T+Ü^§�î‘þ&�Ú;Án±ÉãßW<�VR}ë8¬wS
+|–]y�C7��ˆcû›ÒäF#³}… ·_tf|~³‘m,¨i¾znš‡¬ÍƳº--LFÖZ;�m��^É/ÉcÊ”ìVøP*bÆ‹)á)åÌ`è}ç�êÚë�¾à�=.�çPgÅ¿»¿6rÃæRú¸Œ-öíø„Ó;�Ú ú8J÷º�wTNtZ]ýéñËtˆê$‘?6�;¦œ��•Ñª½út¼wÝ¿:ã>8dz,¼/ë–—�¸r%?Ã}�hx»
+ô|ª!í�,²k9ƒ1ܬ·�&/ž”¬ñÿ”“5ì"h2¡gäNƒùª8íØpô¬&bx€=”~’:&Yï"îê̼Øa¥×L
+ÕÝÇ�ÒKÓSX#;�Œ�NE�·žnT÷Ó��‹Z¸§“-ygTbªÐx�˜/wKò�~=‡Ýæ‘'�f¯ÕÑêôòþ'¤|� ¸Ü¿ÎêjÙ�ÛÍÍë�!Íϱ”;È�Ž�J´£‘úä ²Ñ!óùºÎ¢uA—�nFÑtú[UÀvF !Æ�V"–A‡ä]«Cï\fE#aŽ4x¹´& %ç!·³pA²�Yy�¿TNBY,{lI�º§ŸygBJ
+N›61ê‚áæx�åûâµdö¥Ä+B�{)”ÞNÕŒE«þ�rÝ:_0!4ñéÃ7Ol»Ð�oà�U¶àÍ}�ó”QÖdŠxÍÓûÓ�é^ßÍ沧,*¥@‰�œFdŽ¥V-_pòÈÈÛ¼½�¬ôë¯��ëö��`FíÍíÏÏ}�®Š¶ºì��¿�t�q>(ì ½�Ý��úxÃ�·à«u.7Û© Þ¡„ƒŸ)q^”�˜¶ŸPC_|‹?â�T^ñ½í†q§dºë·{jí¬:�œm¾føMêY–k#ê´ã�QWvÓ�Tî>ÚR,(Xû¨•¥D%ªïá�Ö©A¿§›¶pÆr m‰¥-=^—ýÛ&¹¢tJ�sÞª¼¦WëM>5�>`�FÉ"yzÔ¿Ð>‡«&þ®ëÇ�§¯@UóŽy£A§S�f��»¡–í�È ÷ØœáSq!žVj{ߨ¹ì3ÅÚoùœE�æ�Ù�ÔK×
+amOÊö•ÖJFì¿Ïå>·Ét»�¢8‘s)�q•ÓòÖt– ñnr
+ÏâU›�ßp@¬^Ò»¨“â�avrô±w�š+:Í,R¬sûR•\#=”ëO-°�½?x©õÊT8�`ccAà;y¾»ŸË™£‚\F_W}õl�H:ø8ZM—U"Ï09î×’}3æjaõR�‡šÁìs„ŒˆÓM�ÊèJ¯…š<Æ�)�ÞÑòEÿÆêàÈiþZëû ãJ›�Ç›”ÍxäŒe-?_jÆá¸�›^7�ïL¿VÆn|ÓÐ%ß(UƒúŒ��Ã��¦_ðVŠâ˜ŒßM¸—¢�»¼G`�ø�šÃ„�ÒL|�p fõg£EÔ×™gëðz²«J™�ÀMC‚‰Ñ>·—•Ð±Um!$a(ý¹cn4Q4«¬ù�íì¼5›‘‡u!1�$£Zª„£ÿ�í{ý�Jæ Â){ÙG§#î|K±M‘Ò!‰Ïjµ¶ò‘µ¿uÁÙ\ �¯V©ŠvyWæ&Y1ãw�„[«Ã%ÕÆó¨*Â�²ÝK�ÖŽäæu/u�*|Q�ª³Sد•|y.ßÖàdìü›6 {¤œD}’5PÙ¼cýÚ�•ÍøéK¨ª�”3Å�l‰•ù&|¬Ó<‡‹7¸�nÝ6”Õ�ˆnØÕ�ÙÚ_s—¦¿ �_[Nî-Wã0Yp³”Ï׉ùYwŽ‰ÐbÏ«ËSÛK�—5c�õ¤�pöæ̳籟Ù6|Ö3:fz£²Ð÷Ã�DñûyÚa%Õ]C•R¾ò”^_Öç[©ù9H¹�M…éÉô�Nþ�E �Φ"h¿N<nìÊ„OIÓÊtvñcz[|Ÿªz¤=Ys~Òë{Vƒ>íÀ‘ß`[{H颀º›ryJÖõ‡�ØyÊ“÷óJ�E7�õ.·#�_`Ò8$Å3ÐȦûgþú��p�~ðV&˜Ë�Õ9)b‚5J„ÓÍéäb�@AÔyεCÆ�(�p‹ä°�åª\4 7MÄþÒ21Öqær�ž��žôµàºæ34�Œvù дhŠj,ÿÖNAsÚ™ÅÄSÊV•»{™¼�ÁÊh§�O®Ó>XÆα™-ïµíd#øŒÁ‰�§�ˆ�ó¶^cô�²©;.~bš$Kt¨{…<ª;g:�þP©›h_nõi½�xVâã÷ÊÃ!¡�Á©Ã§ÊÑ€˜ÎRc�|äXZß•g�É�Ñ� ž¡LR[\ýôÄŸ[!¸† 4[öN1ëýðhÒËúÒòBTubMªbLº=Ýq¸qO¤çí�ïÄíÊ0�ÔÎd!k»mïÑ3¿-�H¨£%�cHS¨
+#�XƒxNÓáÊ�šEÑçè„®û�hAžmÊsºfµ�R;ýW7’y\çJ‚Th/X¶EV‡O$¬€%WÈ%øÎ9Á³OeéaÑRí�5š»"ŒÌ‹ Z{§WžÉ_š>Ö~�ªÒ���1L®®�Œ•«�ù*l¾|Xü¡‡"P9+f‘Z”2ŽÍ¾!³œBõ´i²œ]§¢�š™Ë�ñ
+ÍÍ…éàÕk
+Ò×÷\n�»°��Ë"h—`cL.d�cç뮬(V'çø.¬%DÔuØl2+UᛩQ?W¾OÍ”‰Íp(‹!�;Ã\DÜÚ£Ä{ -�T]…�
+ït�-W�q…ý�AÒæõ~fÞ�ó�Y4¿¬Wrz"‘¦bÂî€(Ü3NÀ{ÞSùÓî(÷!¹�.òÛ[Õ-ÛÜb
+½¾cJ®O�•r µVß��ã�¹A$ƒSøè&�Ìgn�Èìîsºþ©Êñ¾zPX
+g–ËKLSÏlrŸP«®™ö�&cU at N(Ö@†¢%ç†æ��j½œ��$>îYß’¹^ �Îhî±a‘9]Ôèq�pZäÀcRÙ°®åvÄ…m�:Ûá�…èÕ]E;'1™�yºÁin[]mJ‚yÕA�DWx©~@Šgöá�Äå�–ÏÈí#K�ï˯Cù��³VX �‚¿�ð\«¤.¡Û�l`‘f¥€È´G�Ú¹€�„D‹Éã¢ëEë|6ÞÃùƒ¯Í&çFÏvös®×ŸæIÚT,Ò–+j�ËCÙµ��ùÝò¯©o+|¢¼ñ²Y\³Ð—L��&ö=Õ¦±r�p#uRð�éo(X¡´ÐÍô�÷Frv„ÿ‰ütRWÊ`WˆÜpÌ#ÞžhµˆÛ Z‘m®ÈD¤xä^ÿä‘”!/ ©ÂÿÁ¶¢œÖ‹ƒ�Ë�À¡Å ö™wŒnÅè¨ãý�Ј�Ãœë
+š´héšÜòTe%�QY¥cWoõÜï|mžºQ%ÔQp6‘�\¼I/õ°&2wîÚpo¯F^œÊò´ž8¿å�ÆÆ¢� ¯ûŒ�R÷qÒrŽ©c±ÆÇ”µÃvŠõYÁJÞ�7`�fd¯•¹íÅÇ#vïQíwt%«ú<-�<§œ°)›À�ßñÂ?§»Ô¥bCTø³.1²jÒ1��|é�xµ@Ù–‘Ñn^>žh:6�*½ùtÑ`Ü0CýdXC’îpõYDf½jY‘|/Ë�¦=¶+q¶k¶X©|´‚ÞÈ•“x÷®æé ·ÕÊ � =m¾��óÛ�3J¯«gO
+�5íPÐ}
+ôì� �ïχ�dgŒª'W�sƒÛ–Úf6÷®œoݘ¿—áÇÈ—hžËѱ´Ë÷¼bXlÎ��Íz�lÆÆÉ´ö�½�Ðq´¢Ò¹Fƒ�†ëo¤fÑT)½—–ŒHѲ÷øZ”:ÞEÏ&³Í…›rƒxqGé2�Ôí�©lqÏà��Ÿ�:òò¬nšÊÉñÁ�CçÞ6ö�=ÏL�·\l`äá«SeÎi§‡��]TÃ5Åÿ¨Y*³L±«°Dd69Õ�R²?#Y_�å½ ¶ºg?ÊCMÄŽÞäÀI�‹ªÜd'@Ÿ�G�~®vÞ;¹kz’[ýåý=ÞHãÉåã4ý‚]ÛÚ¦u�J�\ìº6å+ªÉ>è²p:§™!âÄ�ZÊK¯lö ÃúûüIDΉ�²™ÄÓ§e–\æþ2Ác>.¦ìÄQêÇûÂï¿ü´¸�˜��³eÒ¨}V¦‘.‰±J.øŽë¦¿¸¿L5‹îº�/�ÕÓp�`Hcà…ßàVï
+ŸçÔ:2Ç'6�Ün^ˆ’
+5¸ LX&¬±Œ°u3�PžSª*¢J-dâÊ�“�:�`«oJÈ¿�Ò·>œ`$�§¿<s•Y�<¯c ^¿Ô�*�ÝÈ=�”]�z ~6úÑÌ®ßÚ#äÊý/2@õ[¡§Ý
+ôòi>wN—g+•ç,�Š���•+ÿ°£¥Ê†”@�e‡I;÷L�¨�>h»|˦R')*q*—úÑRnü˜§#%îäöÎCX–œÕ<û�k`„Æ«
+í/�Ê-��%=Ö�
+á¼:†Ï�w·‚JŒb5à ò��;î�\MçVxW-½Zà;®Í¤üzøè%å«ÙsD�j_°°•g“ùâ$Z¹SYÀ/måÝ&~GkÙ ���dCS9Ã̦B�ê&õ_�1]°;YQ1�œ]a�ƒÔY×&q/�ô©l–$Fsä�Š�{ž«�YQ��P�“Š�×l³(=�§�¹ƒÔ�±.aíîþÙïïs��½�¨¬èá‹Ú2�¢ìÙ'ìóD…�ý±tRö…�œºÓþZ?"öXP �ã\uÛE�+˜§íø§�W[–¿ßa�6—Ã*G�¸f´w�Þ×Ø��¸$Ê¢zá�ÖHEt˸Ó÷ã�Ž��“ÐëÀ‘šÃ�).ºÖt͘TéªóýIÕsõ•2e�+ÆÄN>]k[”ˆ¹�P7Ù³Ó\ÚóiÒ@t__¡¬(G�!Y�¾Î§‡wn‹tD<!n®Ì¸š¸£3]ÖÈJv�O8³}«QÂ1t�3��“�)-Oå*•���wºø�t3ÅnƒSƒ®`cÒ£�
+Êca=£�Ã9ï¹Æ¯{š��˜P"Üšùfð<ìçÃæ>'ÁøœØ€×$�–â‹��e¥mõì0Ñd£hƵ,(QrëES( ‰V¹š]Ûñ��DÈÎJatØ›õCò
+0œ��
+.�gäË%ý¸nŒ»e¸½7{1}Éïúz;ÅiÂ:DM�ì��Öoi¬}ÈØ�Ú�*$mÖ8h}�–á5úYTšÐdpæ‡
+¤��!ÆaVy;‡®�ïÒY�w0�9P~¨É �ÿªš�¶`
+¥G�EÆÇ�}oæ:¿W§ûì뽫+Þ–£ÍØÂ�·¬¥þ�€ãÑ
endstream
endobj
2161 0 obj <<
/Type /FontDescriptor
-/FontName /CNHUHM+CMR12
+/FontName /SUKVOP+CMR12
/Flags 4
/FontBBox [-34 -251 988 750]
/Ascent 694
@@ -10187,7 +10180,7 @@
/ItalicAngle 0
/StemV 65
/XHeight 431
-/CharSet (/J/R/V/a/comma/e/four/i/j/l/m/n/o/one/period/r/two/u/y/zero)
+/CharSet (/J/R/V/a/comma/e/eight/i/j/l/m/n/o/one/period/r/two/u/y/zero)
/FontFile 2160 0 R
>> endobj
2162 0 obj <<
@@ -11139,7 +11132,7 @@
888 0 obj <<
/Type /Font
/Subtype /Type1
-/BaseFont /CNHUHM+CMR12
+/BaseFont /SUKVOP+CMR12
/FontDescriptor 2161 0 R
/FirstChar 44
/LastChar 121
@@ -13605,8 +13598,8 @@
>> endobj
2335 0 obj <<
/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfTeX-1.40.9)/Keywords()
-/CreationDate (D:20100104145641+01'00')
-/ModDate (D:20100104145641+01'00')
+/CreationDate (D:20100118125736+01'00')
+/ModDate (D:20100118125736+01'00')
/Trapped /False
/PTEX.Fullbanner (This is pdfTeX using libpoppler, Version 3.1415926-1.40.9-2.2 (Web2C 7.5.7) kpathsea version 3.5.7)
>> endobj
@@ -13618,2341 +13611,2341 @@
0000000004 00000 f
0000000000 00000 f
0000000015 00000 n
-0000029022 00000 n
-0000511009 00000 n
+0000029023 00000 n
+0000511053 00000 n
0000000061 00000 n
0000000090 00000 n
-0000332668 00000 n
-0000510922 00000 n
+0000332669 00000 n
+0000510966 00000 n
0000000135 00000 n
0000000162 00000 n
-0000080987 00000 n
-0000510795 00000 n
+0000080988 00000 n
+0000510839 00000 n
0000000205 00000 n
0000000243 00000 n
-0000083182 00000 n
-0000510684 00000 n
+0000083183 00000 n
+0000510728 00000 n
0000000289 00000 n
0000000341 00000 n
-0000083307 00000 n
-0000510610 00000 n
+0000083308 00000 n
+0000510654 00000 n
0000000389 00000 n
0000000424 00000 n
-0000083433 00000 n
-0000510523 00000 n
+0000083434 00000 n
+0000510567 00000 n
0000000472 00000 n
0000000504 00000 n
-0000085982 00000 n
-0000510436 00000 n
+0000085983 00000 n
+0000510480 00000 n
0000000552 00000 n
0000000589 00000 n
-0000086107 00000 n
-0000510349 00000 n
+0000086108 00000 n
+0000510393 00000 n
0000000637 00000 n
0000000669 00000 n
-0000088557 00000 n
-0000510262 00000 n
+0000088558 00000 n
+0000510306 00000 n
0000000717 00000 n
0000000747 00000 n
-0000091124 00000 n
-0000510175 00000 n
+0000091125 00000 n
+0000510219 00000 n
0000000795 00000 n
0000000828 00000 n
-0000091250 00000 n
-0000510088 00000 n
+0000091251 00000 n
+0000510132 00000 n
0000000876 00000 n
0000000912 00000 n
-0000091376 00000 n
-0000510001 00000 n
+0000091377 00000 n
+0000510045 00000 n
0000000960 00000 n
0000000995 00000 n
-0000094138 00000 n
-0000509927 00000 n
+0000094139 00000 n
+0000509971 00000 n
0000001043 00000 n
0000001085 00000 n
-0000098412 00000 n
-0000509815 00000 n
+0000098413 00000 n
+0000509859 00000 n
0000001131 00000 n
0000001175 00000 n
-0000098536 00000 n
-0000509704 00000 n
+0000098537 00000 n
+0000509748 00000 n
0000001223 00000 n
0000001258 00000 n
-0000104482 00000 n
-0000509630 00000 n
+0000104483 00000 n
+0000509674 00000 n
0000001311 00000 n
0000001343 00000 n
-0000104608 00000 n
-0000509556 00000 n
+0000104609 00000 n
+0000509600 00000 n
0000001396 00000 n
0000001428 00000 n
-0000104734 00000 n
-0000509431 00000 n
+0000104735 00000 n
+0000509475 00000 n
0000001476 00000 n
0000001519 00000 n
-0000104860 00000 n
-0000509357 00000 n
+0000104861 00000 n
+0000509401 00000 n
0000001572 00000 n
0000001602 00000 n
-0000106762 00000 n
-0000509233 00000 n
+0000106763 00000 n
+0000509277 00000 n
0000001655 00000 n
0000001692 00000 n
-0000106888 00000 n
-0000509159 00000 n
+0000106889 00000 n
+0000509203 00000 n
0000001750 00000 n
0000001794 00000 n
-0000107014 00000 n
-0000509085 00000 n
+0000107015 00000 n
+0000509129 00000 n
0000001852 00000 n
0000001896 00000 n
-0000108253 00000 n
-0000508972 00000 n
+0000108254 00000 n
+0000509016 00000 n
0000001949 00000 n
0000001984 00000 n
-0000108379 00000 n
-0000508896 00000 n
+0000108380 00000 n
+0000508940 00000 n
0000002042 00000 n
0000002076 00000 n
-0000108505 00000 n
-0000508805 00000 n
+0000108506 00000 n
+0000508849 00000 n
0000002135 00000 n
0000002167 00000 n
-0000108632 00000 n
-0000508713 00000 n
+0000108633 00000 n
+0000508757 00000 n
0000002226 00000 n
0000002259 00000 n
-0000108759 00000 n
-0000508621 00000 n
+0000108760 00000 n
+0000508665 00000 n
0000002318 00000 n
0000002352 00000 n
-0000108886 00000 n
-0000508529 00000 n
+0000108887 00000 n
+0000508573 00000 n
0000002411 00000 n
0000002474 00000 n
-0000110219 00000 n
-0000508437 00000 n
+0000110220 00000 n
+0000508481 00000 n
0000002533 00000 n
0000002575 00000 n
-0000110346 00000 n
-0000508345 00000 n
+0000110347 00000 n
+0000508389 00000 n
0000002634 00000 n
0000002694 00000 n
-0000110473 00000 n
-0000508253 00000 n
+0000110474 00000 n
+0000508297 00000 n
0000002753 00000 n
0000002834 00000 n
-0000110600 00000 n
-0000508161 00000 n
+0000110601 00000 n
+0000508205 00000 n
0000002893 00000 n
0000002946 00000 n
-0000110727 00000 n
-0000508069 00000 n
+0000110728 00000 n
+0000508113 00000 n
0000003006 00000 n
0000003075 00000 n
-0000112032 00000 n
-0000507977 00000 n
+0000112033 00000 n
+0000508021 00000 n
0000003135 00000 n
0000003198 00000 n
-0000112159 00000 n
-0000507885 00000 n
+0000112160 00000 n
+0000507929 00000 n
0000003258 00000 n
0000003320 00000 n
-0000113778 00000 n
-0000507793 00000 n
+0000113779 00000 n
+0000507837 00000 n
0000003380 00000 n
0000003441 00000 n
-0000113905 00000 n
-0000507701 00000 n
+0000113906 00000 n
+0000507745 00000 n
0000003501 00000 n
0000003590 00000 n
-0000114032 00000 n
-0000507609 00000 n
+0000114033 00000 n
+0000507653 00000 n
0000003650 00000 n
0000003714 00000 n
-0000114157 00000 n
-0000507517 00000 n
+0000114158 00000 n
+0000507561 00000 n
0000003774 00000 n
0000003852 00000 n
-0000115600 00000 n
-0000507425 00000 n
+0000115601 00000 n
+0000507469 00000 n
0000003912 00000 n
0000003987 00000 n
-0000115727 00000 n
-0000507333 00000 n
+0000115728 00000 n
+0000507377 00000 n
0000004047 00000 n
0000004110 00000 n
-0000117534 00000 n
-0000507241 00000 n
+0000117535 00000 n
+0000507285 00000 n
0000004170 00000 n
0000004261 00000 n
-0000117661 00000 n
-0000507149 00000 n
+0000117662 00000 n
+0000507193 00000 n
0000004321 00000 n
0000004420 00000 n
-0000117788 00000 n
-0000507057 00000 n
+0000117789 00000 n
+0000507101 00000 n
0000004480 00000 n
0000004560 00000 n
-0000119212 00000 n
-0000506965 00000 n
+0000119213 00000 n
+0000507009 00000 n
0000004620 00000 n
0000004699 00000 n
-0000120511 00000 n
-0000506873 00000 n
+0000120512 00000 n
+0000506917 00000 n
0000004759 00000 n
0000004809 00000 n
-0000120638 00000 n
-0000506781 00000 n
+0000120639 00000 n
+0000506825 00000 n
0000004869 00000 n
0000004934 00000 n
-0000122116 00000 n
-0000506689 00000 n
+0000122117 00000 n
+0000506733 00000 n
0000004994 00000 n
0000005081 00000 n
-0000122243 00000 n
-0000506597 00000 n
+0000122244 00000 n
+0000506641 00000 n
0000005141 00000 n
0000005202 00000 n
-0000126139 00000 n
-0000506505 00000 n
+0000126140 00000 n
+0000506549 00000 n
0000005262 00000 n
0000005356 00000 n
-0000126266 00000 n
-0000506413 00000 n
+0000126267 00000 n
+0000506457 00000 n
0000005416 00000 n
0000005498 00000 n
-0000126393 00000 n
-0000506321 00000 n
+0000126394 00000 n
+0000506365 00000 n
0000005558 00000 n
0000005612 00000 n
-0000128175 00000 n
-0000506243 00000 n
+0000128176 00000 n
+0000506287 00000 n
0000005672 00000 n
0000005722 00000 n
-0000131669 00000 n
-0000506112 00000 n
+0000131670 00000 n
+0000506156 00000 n
0000005771 00000 n
0000005825 00000 n
-0000131796 00000 n
-0000506033 00000 n
+0000131797 00000 n
+0000506077 00000 n
0000005879 00000 n
0000005916 00000 n
-0000136351 00000 n
-0000505901 00000 n
+0000136352 00000 n
+0000505945 00000 n
0000005970 00000 n
0000006002 00000 n
-0000136478 00000 n
-0000505822 00000 n
+0000136479 00000 n
+0000505866 00000 n
0000006061 00000 n
0000006155 00000 n
-0000138103 00000 n
-0000505729 00000 n
+0000138104 00000 n
+0000505773 00000 n
0000006214 00000 n
0000006266 00000 n
-0000138230 00000 n
-0000505636 00000 n
+0000138231 00000 n
+0000505680 00000 n
0000006325 00000 n
0000006368 00000 n
-0000138357 00000 n
-0000505543 00000 n
+0000138358 00000 n
+0000505587 00000 n
0000006427 00000 n
0000006472 00000 n
-0000140019 00000 n
-0000505450 00000 n
+0000140020 00000 n
+0000505494 00000 n
0000006531 00000 n
0000006576 00000 n
-0000140145 00000 n
-0000505357 00000 n
+0000140146 00000 n
+0000505401 00000 n
0000006635 00000 n
0000006680 00000 n
-0000141730 00000 n
-0000505264 00000 n
+0000141731 00000 n
+0000505308 00000 n
0000006739 00000 n
0000006784 00000 n
-0000143682 00000 n
-0000505185 00000 n
+0000143683 00000 n
+0000505229 00000 n
0000006843 00000 n
0000006888 00000 n
-0000143809 00000 n
-0000505092 00000 n
+0000143810 00000 n
+0000505136 00000 n
0000006942 00000 n
0000006972 00000 n
-0000143936 00000 n
-0000504999 00000 n
+0000143937 00000 n
+0000505043 00000 n
0000007026 00000 n
0000007071 00000 n
-0000145646 00000 n
-0000504906 00000 n
+0000145647 00000 n
+0000504950 00000 n
0000007125 00000 n
0000007176 00000 n
-0000147247 00000 n
-0000504774 00000 n
+0000147248 00000 n
+0000504818 00000 n
0000007230 00000 n
0000007271 00000 n
-0000147374 00000 n
-0000504695 00000 n
+0000147375 00000 n
+0000504739 00000 n
0000007330 00000 n
0000007365 00000 n
-0000148728 00000 n
-0000504616 00000 n
+0000148729 00000 n
+0000504660 00000 n
0000007424 00000 n
0000007460 00000 n
-0000148854 00000 n
-0000504484 00000 n
+0000148855 00000 n
+0000504528 00000 n
0000007514 00000 n
0000007561 00000 n
-0000148981 00000 n
-0000504405 00000 n
+0000148982 00000 n
+0000504449 00000 n
0000007620 00000 n
0000007655 00000 n
-0000149108 00000 n
-0000504326 00000 n
+0000149109 00000 n
+0000504370 00000 n
0000007714 00000 n
0000007750 00000 n
-0000150220 00000 n
-0000504194 00000 n
+0000150221 00000 n
+0000504238 00000 n
0000007804 00000 n
0000007859 00000 n
-0000150346 00000 n
-0000504115 00000 n
+0000150347 00000 n
+0000504159 00000 n
0000007918 00000 n
0000007953 00000 n
-0000150473 00000 n
-0000504036 00000 n
+0000150474 00000 n
+0000504080 00000 n
0000008012 00000 n
0000008048 00000 n
-0000150600 00000 n
-0000503904 00000 n
+0000150601 00000 n
+0000503948 00000 n
0000008102 00000 n
0000008143 00000 n
-0000150727 00000 n
-0000503825 00000 n
+0000150728 00000 n
+0000503869 00000 n
0000008202 00000 n
0000008237 00000 n
-0000150854 00000 n
-0000503746 00000 n
+0000150855 00000 n
+0000503790 00000 n
0000008296 00000 n
0000008332 00000 n
-0000152185 00000 n
-0000503614 00000 n
+0000152186 00000 n
+0000503658 00000 n
0000008387 00000 n
0000008423 00000 n
-0000152311 00000 n
-0000503535 00000 n
+0000152312 00000 n
+0000503579 00000 n
0000008483 00000 n
0000008519 00000 n
-0000152437 00000 n
-0000503456 00000 n
+0000152438 00000 n
+0000503500 00000 n
0000008579 00000 n
0000008616 00000 n
-0000152564 00000 n
-0000503324 00000 n
+0000152565 00000 n
+0000503368 00000 n
0000008671 00000 n
0000008713 00000 n
-0000152691 00000 n
-0000503245 00000 n
+0000152692 00000 n
+0000503289 00000 n
0000008773 00000 n
0000008809 00000 n
-0000154305 00000 n
-0000503166 00000 n
+0000154306 00000 n
+0000503210 00000 n
0000008869 00000 n
0000008906 00000 n
-0000154432 00000 n
-0000503048 00000 n
+0000154433 00000 n
+0000503092 00000 n
0000008961 00000 n
0000009004 00000 n
-0000154559 00000 n
-0000502969 00000 n
+0000154560 00000 n
+0000503013 00000 n
0000009064 00000 n
0000009100 00000 n
-0000155949 00000 n
-0000502890 00000 n
+0000155950 00000 n
+0000502934 00000 n
0000009160 00000 n
0000009197 00000 n
-0000156076 00000 n
-0000502759 00000 n
+0000156077 00000 n
+0000502803 00000 n
0000009246 00000 n
0000009302 00000 n
-0000157917 00000 n
-0000502641 00000 n
+0000157918 00000 n
+0000502685 00000 n
0000009356 00000 n
0000009403 00000 n
-0000159489 00000 n
-0000502562 00000 n
+0000159490 00000 n
+0000502606 00000 n
0000009462 00000 n
0000009497 00000 n
-0000159616 00000 n
-0000502483 00000 n
+0000159617 00000 n
+0000502527 00000 n
0000009556 00000 n
0000009592 00000 n
-0000159743 00000 n
-0000502351 00000 n
+0000159744 00000 n
+0000502395 00000 n
0000009646 00000 n
0000009690 00000 n
-0000159870 00000 n
-0000502272 00000 n
+0000159871 00000 n
+0000502316 00000 n
0000009749 00000 n
0000009784 00000 n
-0000161681 00000 n
-0000502193 00000 n
+0000161682 00000 n
+0000502237 00000 n
0000009843 00000 n
0000009879 00000 n
-0000161808 00000 n
-0000502061 00000 n
+0000161809 00000 n
+0000502105 00000 n
0000009933 00000 n
0000009982 00000 n
-0000161935 00000 n
-0000501982 00000 n
+0000161936 00000 n
+0000502026 00000 n
0000010041 00000 n
0000010076 00000 n
-0000162062 00000 n
-0000501903 00000 n
+0000162063 00000 n
+0000501947 00000 n
0000010135 00000 n
0000010171 00000 n
-0000163593 00000 n
-0000501771 00000 n
+0000163594 00000 n
+0000501815 00000 n
0000010225 00000 n
0000010264 00000 n
-0000163719 00000 n
-0000501692 00000 n
+0000163720 00000 n
+0000501736 00000 n
0000010323 00000 n
0000010358 00000 n
-0000163845 00000 n
-0000501613 00000 n
+0000163846 00000 n
+0000501657 00000 n
0000010417 00000 n
0000010453 00000 n
-0000165663 00000 n
-0000501495 00000 n
+0000165664 00000 n
+0000501539 00000 n
0000010507 00000 n
0000010547 00000 n
-0000165790 00000 n
-0000501416 00000 n
+0000165791 00000 n
+0000501460 00000 n
0000010606 00000 n
0000010641 00000 n
-0000165917 00000 n
-0000501337 00000 n
+0000165918 00000 n
+0000501381 00000 n
0000010700 00000 n
0000010736 00000 n
-0000166043 00000 n
-0000501206 00000 n
+0000166044 00000 n
+0000501250 00000 n
0000010785 00000 n
0000010843 00000 n
-0000166170 00000 n
-0000501088 00000 n
+0000166171 00000 n
+0000501132 00000 n
0000010897 00000 n
0000010936 00000 n
-0000166297 00000 n
-0000501009 00000 n
+0000166298 00000 n
+0000501053 00000 n
0000010995 00000 n
0000011030 00000 n
-0000167409 00000 n
-0000500930 00000 n
+0000167410 00000 n
+0000500974 00000 n
0000011089 00000 n
0000011125 00000 n
-0000168879 00000 n
-0000500812 00000 n
+0000168880 00000 n
+0000500856 00000 n
0000011179 00000 n
0000011214 00000 n
-0000169006 00000 n
-0000500733 00000 n
+0000169007 00000 n
+0000500777 00000 n
0000011273 00000 n
0000011308 00000 n
-0000170148 00000 n
-0000500654 00000 n
+0000170149 00000 n
+0000500698 00000 n
0000011367 00000 n
0000011403 00000 n
-0000170275 00000 n
-0000500523 00000 n
+0000170276 00000 n
+0000500567 00000 n
0000011452 00000 n
0000011502 00000 n
-0000171800 00000 n
-0000500405 00000 n
+0000171801 00000 n
+0000500449 00000 n
0000011556 00000 n
0000011596 00000 n
-0000171927 00000 n
-0000500326 00000 n
+0000171928 00000 n
+0000500370 00000 n
0000011655 00000 n
0000011690 00000 n
-0000172054 00000 n
-0000500247 00000 n
+0000172055 00000 n
+0000500291 00000 n
0000011749 00000 n
0000011785 00000 n
-0000173561 00000 n
-0000500129 00000 n
+0000173562 00000 n
+0000500173 00000 n
0000011839 00000 n
0000011884 00000 n
-0000173688 00000 n
-0000500050 00000 n
+0000173689 00000 n
+0000500094 00000 n
0000011943 00000 n
0000011978 00000 n
-0000173815 00000 n
-0000499971 00000 n
+0000173816 00000 n
+0000500015 00000 n
0000012037 00000 n
0000012073 00000 n
-0000173942 00000 n
-0000499840 00000 n
+0000173943 00000 n
+0000499884 00000 n
0000012122 00000 n
0000012192 00000 n
-0000174069 00000 n
-0000499761 00000 n
+0000174070 00000 n
+0000499805 00000 n
0000012246 00000 n
0000012283 00000 n
-0000175642 00000 n
-0000499668 00000 n
+0000175643 00000 n
+0000499712 00000 n
0000012337 00000 n
0000012371 00000 n
-0000177299 00000 n
-0000499589 00000 n
+0000177300 00000 n
+0000499633 00000 n
0000012425 00000 n
0000012459 00000 n
-0000179251 00000 n
-0000499472 00000 n
+0000179252 00000 n
+0000499516 00000 n
0000012508 00000 n
0000012545 00000 n
-0000179378 00000 n
-0000499354 00000 n
+0000179379 00000 n
+0000499398 00000 n
0000012599 00000 n
0000012640 00000 n
-0000179505 00000 n
-0000499275 00000 n
+0000179506 00000 n
+0000499319 00000 n
0000012699 00000 n
0000012752 00000 n
-0000180635 00000 n
-0000499196 00000 n
+0000180636 00000 n
+0000499240 00000 n
0000012811 00000 n
0000012857 00000 n
-0000182877 00000 n
-0000499078 00000 n
+0000182878 00000 n
+0000499122 00000 n
0000012911 00000 n
0000012952 00000 n
-0000183003 00000 n
-0000498999 00000 n
+0000183004 00000 n
+0000499043 00000 n
0000013011 00000 n
0000013059 00000 n
-0000183130 00000 n
-0000498906 00000 n
+0000183131 00000 n
+0000498950 00000 n
0000013118 00000 n
0000013167 00000 n
-0000183257 00000 n
-0000498827 00000 n
+0000183258 00000 n
+0000498871 00000 n
0000013226 00000 n
0000013276 00000 n
-0000184158 00000 n
-0000498695 00000 n
+0000184159 00000 n
+0000498739 00000 n
0000013320 00000 n
0000013360 00000 n
-0000186314 00000 n
-0000498577 00000 n
+0000186315 00000 n
+0000498621 00000 n
0000013407 00000 n
0000013455 00000 n
-0000186440 00000 n
-0000498498 00000 n
+0000186441 00000 n
+0000498542 00000 n
0000013504 00000 n
0000013540 00000 n
-0000186758 00000 n
-0000498405 00000 n
+0000186759 00000 n
+0000498449 00000 n
0000013589 00000 n
0000013637 00000 n
-0000189220 00000 n
-0000498312 00000 n
+0000189221 00000 n
+0000498356 00000 n
0000013686 00000 n
0000013724 00000 n
-0000189731 00000 n
-0000498219 00000 n
+0000189732 00000 n
+0000498263 00000 n
0000013773 00000 n
0000013811 00000 n
-0000192504 00000 n
-0000498140 00000 n
+0000192505 00000 n
+0000498184 00000 n
0000013860 00000 n
0000013895 00000 n
-0000193789 00000 n
-0000498008 00000 n
+0000193790 00000 n
+0000498052 00000 n
0000013942 00000 n
0000013994 00000 n
-0000193915 00000 n
-0000497929 00000 n
+0000193916 00000 n
+0000497973 00000 n
0000014043 00000 n
0000014084 00000 n
-0000196355 00000 n
-0000497836 00000 n
+0000196356 00000 n
+0000497880 00000 n
0000014133 00000 n
0000014176 00000 n
-0000199790 00000 n
-0000497743 00000 n
+0000199791 00000 n
+0000497787 00000 n
0000014225 00000 n
0000014271 00000 n
-0000199917 00000 n
-0000497650 00000 n
+0000199918 00000 n
+0000497694 00000 n
0000014320 00000 n
0000014366 00000 n
-0000201916 00000 n
-0000497532 00000 n
+0000201917 00000 n
+0000497576 00000 n
0000014415 00000 n
0000014452 00000 n
-0000202043 00000 n
-0000497453 00000 n
+0000202044 00000 n
+0000497497 00000 n
0000014506 00000 n
0000014543 00000 n
-0000203753 00000 n
-0000497360 00000 n
+0000203754 00000 n
+0000497404 00000 n
0000014597 00000 n
0000014633 00000 n
-0000203878 00000 n
-0000497281 00000 n
+0000203879 00000 n
+0000497325 00000 n
0000014687 00000 n
0000014740 00000 n
-0000205639 00000 n
-0000497149 00000 n
+0000205640 00000 n
+0000497193 00000 n
0000014787 00000 n
0000014832 00000 n
-0000205765 00000 n
-0000497070 00000 n
+0000205766 00000 n
+0000497114 00000 n
0000014881 00000 n
0000014923 00000 n
-0000205892 00000 n
-0000496977 00000 n
+0000205893 00000 n
+0000497021 00000 n
0000014972 00000 n
0000015013 00000 n
-0000211150 00000 n
-0000496844 00000 n
+0000211151 00000 n
+0000496888 00000 n
0000015062 00000 n
0000015107 00000 n
-0000211277 00000 n
-0000496765 00000 n
+0000211278 00000 n
+0000496809 00000 n
0000015161 00000 n
0000015202 00000 n
-0000211404 00000 n
-0000496672 00000 n
+0000211405 00000 n
+0000496716 00000 n
0000015256 00000 n
0000015297 00000 n
-0000211531 00000 n
-0000496579 00000 n
+0000211532 00000 n
+0000496623 00000 n
0000015351 00000 n
0000015397 00000 n
-0000211658 00000 n
-0000496486 00000 n
+0000211659 00000 n
+0000496530 00000 n
0000015451 00000 n
0000015492 00000 n
-0000211785 00000 n
-0000496393 00000 n
+0000211786 00000 n
+0000496437 00000 n
0000015546 00000 n
0000015587 00000 n
-0000211911 00000 n
-0000496300 00000 n
+0000211912 00000 n
+0000496344 00000 n
0000015641 00000 n
0000015683 00000 n
-0000213202 00000 n
-0000496207 00000 n
+0000213203 00000 n
+0000496251 00000 n
0000015737 00000 n
0000015779 00000 n
-0000213329 00000 n
-0000496114 00000 n
+0000213330 00000 n
+0000496158 00000 n
0000015833 00000 n
0000015879 00000 n
-0000213456 00000 n
-0000496021 00000 n
+0000213457 00000 n
+0000496065 00000 n
0000015933 00000 n
0000015979 00000 n
-0000213583 00000 n
-0000495928 00000 n
+0000213584 00000 n
+0000495972 00000 n
0000016034 00000 n
0000016082 00000 n
-0000213710 00000 n
-0000495835 00000 n
+0000213711 00000 n
+0000495879 00000 n
0000016137 00000 n
0000016185 00000 n
-0000213837 00000 n
-0000495742 00000 n
+0000213838 00000 n
+0000495786 00000 n
0000016240 00000 n
0000016283 00000 n
-0000213964 00000 n
-0000495649 00000 n
+0000213965 00000 n
+0000495693 00000 n
0000016338 00000 n
0000016381 00000 n
-0000215698 00000 n
-0000495556 00000 n
+0000215699 00000 n
+0000495600 00000 n
0000016436 00000 n
0000016484 00000 n
-0000215825 00000 n
-0000495477 00000 n
+0000215826 00000 n
+0000495521 00000 n
0000016539 00000 n
0000016587 00000 n
-0000215951 00000 n
-0000495345 00000 n
+0000215952 00000 n
+0000495389 00000 n
0000016636 00000 n
0000016681 00000 n
-0000216078 00000 n
-0000495266 00000 n
+0000216079 00000 n
+0000495310 00000 n
0000016735 00000 n
0000016771 00000 n
-0000219259 00000 n
-0000495187 00000 n
+0000219260 00000 n
+0000495231 00000 n
0000016825 00000 n
0000016863 00000 n
-0000221775 00000 n
-0000495108 00000 n
+0000221776 00000 n
+0000495152 00000 n
0000016912 00000 n
0000016956 00000 n
-0000225760 00000 n
-0000495015 00000 n
+0000225761 00000 n
+0000495059 00000 n
0000017003 00000 n
0000017051 00000 n
-0000235326 00000 n
-0000494922 00000 n
+0000235327 00000 n
+0000494966 00000 n
0000017098 00000 n
0000017145 00000 n
-0000239515 00000 n
-0000494804 00000 n
+0000239516 00000 n
+0000494848 00000 n
0000017192 00000 n
0000017229 00000 n
-0000239641 00000 n
-0000494725 00000 n
+0000239642 00000 n
+0000494769 00000 n
0000017278 00000 n
0000017312 00000 n
-0000239768 00000 n
-0000494593 00000 n
+0000239769 00000 n
+0000494637 00000 n
0000017361 00000 n
0000017400 00000 n
-0000239894 00000 n
-0000494514 00000 n
+0000239895 00000 n
+0000494558 00000 n
0000017454 00000 n
0000017494 00000 n
-0000242420 00000 n
-0000494435 00000 n
+0000242421 00000 n
+0000494479 00000 n
0000017548 00000 n
0000017588 00000 n
-0000242547 00000 n
-0000494317 00000 n
+0000242548 00000 n
+0000494361 00000 n
0000017637 00000 n
0000017676 00000 n
-0000244632 00000 n
-0000494252 00000 n
+0000244633 00000 n
+0000494296 00000 n
0000017730 00000 n
0000017795 00000 n
-0000247767 00000 n
-0000494119 00000 n
+0000247768 00000 n
+0000494163 00000 n
0000017839 00000 n
0000017884 00000 n
-0000250140 00000 n
-0000494001 00000 n
+0000250141 00000 n
+0000494045 00000 n
0000017931 00000 n
0000017982 00000 n
-0000250266 00000 n
-0000493922 00000 n
+0000250267 00000 n
+0000493966 00000 n
0000018031 00000 n
0000018060 00000 n
-0000250393 00000 n
-0000493843 00000 n
+0000250394 00000 n
+0000493887 00000 n
0000018109 00000 n
0000018149 00000 n
-0000253571 00000 n
-0000493711 00000 n
+0000253572 00000 n
+0000493755 00000 n
0000018197 00000 n
0000018239 00000 n
-0000253697 00000 n
-0000493593 00000 n
+0000253698 00000 n
+0000493637 00000 n
0000018289 00000 n
0000018343 00000 n
-0000256326 00000 n
-0000493514 00000 n
+0000256327 00000 n
+0000493558 00000 n
0000018398 00000 n
0000018446 00000 n
-0000263880 00000 n
-0000493435 00000 n
+0000263881 00000 n
+0000493479 00000 n
0000018501 00000 n
0000018557 00000 n
-0000265768 00000 n
-0000493303 00000 n
+0000265769 00000 n
+0000493347 00000 n
0000018607 00000 n
0000018695 00000 n
-0000265895 00000 n
-0000493224 00000 n
+0000265896 00000 n
+0000493268 00000 n
0000018750 00000 n
0000018808 00000 n
-0000267545 00000 n
-0000493145 00000 n
+0000267546 00000 n
+0000493189 00000 n
0000018863 00000 n
0000018932 00000 n
-0000275071 00000 n
-0000493013 00000 n
+0000275072 00000 n
+0000493057 00000 n
0000018982 00000 n
0000019041 00000 n
-0000275198 00000 n
-0000492948 00000 n
+0000275199 00000 n
+0000492992 00000 n
0000019096 00000 n
0000019164 00000 n
-0000284949 00000 n
-0000492830 00000 n
+0000284950 00000 n
+0000492874 00000 n
0000019214 00000 n
0000019249 00000 n
-0000285075 00000 n
-0000492751 00000 n
+0000285076 00000 n
+0000492795 00000 n
0000019304 00000 n
0000019362 00000 n
-0000286555 00000 n
-0000492672 00000 n
+0000286556 00000 n
+0000492716 00000 n
0000019417 00000 n
0000019470 00000 n
-0000288094 00000 n
-0000492540 00000 n
+0000288095 00000 n
+0000492584 00000 n
0000019518 00000 n
0000019566 00000 n
-0000288220 00000 n
-0000492422 00000 n
+0000288221 00000 n
+0000492466 00000 n
0000019616 00000 n
0000019657 00000 n
-0000290820 00000 n
-0000492343 00000 n
+0000290821 00000 n
+0000492387 00000 n
0000019712 00000 n
0000019761 00000 n
-0000291203 00000 n
-0000492250 00000 n
+0000291204 00000 n
+0000492294 00000 n
0000019816 00000 n
0000019872 00000 n
-0000292487 00000 n
-0000492171 00000 n
+0000292488 00000 n
+0000492215 00000 n
0000019927 00000 n
0000019978 00000 n
-0000294162 00000 n
-0000492053 00000 n
+0000294163 00000 n
+0000492097 00000 n
0000020028 00000 n
0000020059 00000 n
-0000294545 00000 n
-0000491988 00000 n
+0000294546 00000 n
+0000492032 00000 n
0000020114 00000 n
0000020155 00000 n
-0000296183 00000 n
-0000491856 00000 n
+0000296184 00000 n
+0000491900 00000 n
0000020203 00000 n
0000020254 00000 n
-0000296308 00000 n
-0000491791 00000 n
+0000296309 00000 n
+0000491835 00000 n
0000020304 00000 n
0000020342 00000 n
-0000299686 00000 n
-0000491673 00000 n
+0000299687 00000 n
+0000491717 00000 n
0000020390 00000 n
0000020454 00000 n
-0000299812 00000 n
-0000491594 00000 n
+0000299813 00000 n
+0000491638 00000 n
0000020504 00000 n
0000020541 00000 n
-0000299939 00000 n
-0000491501 00000 n
+0000299940 00000 n
+0000491545 00000 n
0000020591 00000 n
0000020633 00000 n
-0000302548 00000 n
-0000491422 00000 n
+0000302549 00000 n
+0000491466 00000 n
0000020683 00000 n
0000020726 00000 n
-0000307977 00000 n
-0000491289 00000 n
+0000307978 00000 n
+0000491333 00000 n
0000020770 00000 n
0000020819 00000 n
-0000310287 00000 n
-0000491210 00000 n
+0000310288 00000 n
+0000491254 00000 n
0000020867 00000 n
0000020924 00000 n
-0000315077 00000 n
-0000491092 00000 n
+0000315078 00000 n
+0000491136 00000 n
0000020972 00000 n
0000021027 00000 n
-0000315203 00000 n
-0000491013 00000 n
+0000315204 00000 n
+0000491057 00000 n
0000021077 00000 n
0000021110 00000 n
-0000315330 00000 n
-0000490920 00000 n
+0000315331 00000 n
+0000490964 00000 n
0000021160 00000 n
0000021224 00000 n
-0000317966 00000 n
-0000490827 00000 n
+0000317967 00000 n
+0000490871 00000 n
0000021274 00000 n
0000021316 00000 n
-0000323080 00000 n
-0000490734 00000 n
+0000323081 00000 n
+0000490778 00000 n
0000021366 00000 n
0000021441 00000 n
-0000323206 00000 n
-0000490655 00000 n
+0000323207 00000 n
+0000490699 00000 n
0000021491 00000 n
0000021551 00000 n
-0000330050 00000 n
-0000490536 00000 n
+0000330051 00000 n
+0000490580 00000 n
0000021595 00000 n
0000021632 00000 n
-0000332163 00000 n
-0000490432 00000 n
+0000332164 00000 n
+0000490476 00000 n
0000021680 00000 n
0000021729 00000 n
-0000332289 00000 n
-0000490353 00000 n
+0000332290 00000 n
+0000490397 00000 n
0000021779 00000 n
0000021814 00000 n
-0000332416 00000 n
-0000490274 00000 n
+0000332417 00000 n
+0000490318 00000 n
0000021864 00000 n
0000021896 00000 n
-0000022214 00000 n
-0000022449 00000 n
+0000022215 00000 n
+0000022450 00000 n
0000021948 00000 n
-0000022326 00000 n
-0000022387 00000 n
-0000483642 00000 n
-0000484665 00000 n
-0000486414 00000 n
-0000024617 00000 n
-0000024787 00000 n
-0000023842 00000 n
-0000025151 00000 n
-0000023694 00000 n
-0000022534 00000 n
-0000483496 00000 n
-0000485976 00000 n
-0000484520 00000 n
-0000484083 00000 n
-0000486122 00000 n
-0000024969 00000 n
-0000483788 00000 n
-0000485244 00000 n
-0000024339 00000 n
-0000024570 00000 n
-0000026544 00000 n
-0000026694 00000 n
-0000026845 00000 n
-0000027020 00000 n
-0000027194 00000 n
-0000027363 00000 n
-0000027518 00000 n
-0000027666 00000 n
-0000027818 00000 n
-0000028003 00000 n
-0000028163 00000 n
-0000028316 00000 n
-0000028486 00000 n
-0000028636 00000 n
-0000028807 00000 n
-0000030396 00000 n
-0000029206 00000 n
-0000026300 00000 n
-0000025329 00000 n
-0000028960 00000 n
-0000485682 00000 n
-0000029082 00000 n
-0000029144 00000 n
-0000485830 00000 n
-0000083244 00000 n
-0000098474 00000 n
-0000186377 00000 n
-0000193852 00000 n
-0000205702 00000 n
-0000225823 00000 n
-0000235389 00000 n
-0000239578 00000 n
-0000250203 00000 n
-0000030569 00000 n
-0000030740 00000 n
-0000030885 00000 n
-0000031052 00000 n
-0000031222 00000 n
-0000031371 00000 n
-0000031516 00000 n
-0000031667 00000 n
-0000031837 00000 n
-0000031984 00000 n
-0000032135 00000 n
-0000032347 00000 n
-0000030176 00000 n
-0000029343 00000 n
-0000032286 00000 n
-0000485537 00000 n
-0000253634 00000 n
-0000288157 00000 n
-0000296246 00000 n
-0000299749 00000 n
-0000310350 00000 n
-0000315140 00000 n
-0000332226 00000 n
-0000032758 00000 n
-0000032584 00000 n
-0000032484 00000 n
-0000032696 00000 n
-0000034258 00000 n
-0000034410 00000 n
-0000034559 00000 n
-0000034711 00000 n
-0000034865 00000 n
-0000035019 00000 n
-0000035173 00000 n
-0000035327 00000 n
-0000035480 00000 n
-0000035634 00000 n
-0000035788 00000 n
-0000035942 00000 n
-0000036096 00000 n
-0000036248 00000 n
-0000036402 00000 n
-0000036561 00000 n
-0000036719 00000 n
-0000036873 00000 n
-0000037032 00000 n
-0000037191 00000 n
-0000037355 00000 n
-0000037519 00000 n
-0000037677 00000 n
-0000037841 00000 n
-0000038005 00000 n
-0000038169 00000 n
-0000038333 00000 n
-0000038496 00000 n
-0000038660 00000 n
-0000041474 00000 n
-0000038885 00000 n
-0000033902 00000 n
-0000032799 00000 n
-0000038824 00000 n
-0000041638 00000 n
-0000041803 00000 n
-0000041968 00000 n
-0000042134 00000 n
-0000042300 00000 n
-0000042466 00000 n
-0000042632 00000 n
-0000042798 00000 n
-0000042964 00000 n
-0000043130 00000 n
-0000043294 00000 n
-0000043460 00000 n
-0000043625 00000 n
-0000043791 00000 n
-0000043957 00000 n
-0000044123 00000 n
-0000044289 00000 n
-0000044455 00000 n
-0000044620 00000 n
-0000044786 00000 n
-0000044952 00000 n
-0000045117 00000 n
-0000045283 00000 n
-0000045438 00000 n
-0000045598 00000 n
-0000045758 00000 n
-0000045923 00000 n
-0000046088 00000 n
-0000046253 00000 n
-0000046417 00000 n
-0000046582 00000 n
-0000048374 00000 n
-0000046811 00000 n
-0000041059 00000 n
-0000038996 00000 n
-0000046747 00000 n
-0000486532 00000 n
-0000048538 00000 n
-0000048703 00000 n
-0000048863 00000 n
-0000049022 00000 n
-0000049182 00000 n
-0000049342 00000 n
-0000049507 00000 n
-0000049672 00000 n
-0000049832 00000 n
-0000049997 00000 n
-0000050162 00000 n
-0000050322 00000 n
-0000050485 00000 n
-0000050650 00000 n
-0000050810 00000 n
-0000050974 00000 n
-0000051138 00000 n
-0000051299 00000 n
-0000051465 00000 n
-0000051631 00000 n
-0000051792 00000 n
-0000051958 00000 n
-0000052124 00000 n
-0000052285 00000 n
-0000052450 00000 n
-0000052615 00000 n
-0000052770 00000 n
-0000052930 00000 n
-0000053094 00000 n
-0000053259 00000 n
-0000053419 00000 n
-0000053584 00000 n
-0000053749 00000 n
-0000053909 00000 n
-0000054074 00000 n
-0000054239 00000 n
-0000054399 00000 n
-0000054563 00000 n
-0000054728 00000 n
-0000056723 00000 n
-0000054951 00000 n
-0000047886 00000 n
-0000046910 00000 n
-0000054888 00000 n
-0000056887 00000 n
-0000057052 00000 n
-0000057207 00000 n
-0000057366 00000 n
-0000057531 00000 n
-0000057696 00000 n
-0000057856 00000 n
-0000058021 00000 n
-0000058186 00000 n
-0000058341 00000 n
-0000058501 00000 n
-0000058666 00000 n
-0000058829 00000 n
-0000058989 00000 n
-0000059154 00000 n
-0000059318 00000 n
-0000059473 00000 n
-0000059633 00000 n
-0000059793 00000 n
-0000059953 00000 n
-0000060107 00000 n
-0000060267 00000 n
-0000060432 00000 n
-0000060597 00000 n
-0000060756 00000 n
-0000060921 00000 n
-0000061086 00000 n
-0000061251 00000 n
-0000061400 00000 n
-0000061552 00000 n
-0000061707 00000 n
-0000061862 00000 n
-0000062017 00000 n
-0000062172 00000 n
-0000062326 00000 n
-0000064242 00000 n
-0000062543 00000 n
-0000056271 00000 n
-0000055050 00000 n
-0000062479 00000 n
-0000064396 00000 n
-0000064551 00000 n
-0000064706 00000 n
-0000064861 00000 n
-0000065016 00000 n
-0000065176 00000 n
-0000065335 00000 n
-0000065495 00000 n
-0000065647 00000 n
-0000065802 00000 n
-0000065956 00000 n
-0000066111 00000 n
-0000066271 00000 n
-0000066431 00000 n
-0000066591 00000 n
-0000066751 00000 n
-0000066910 00000 n
-0000067070 00000 n
-0000067229 00000 n
-0000067389 00000 n
-0000067549 00000 n
-0000067710 00000 n
-0000067871 00000 n
-0000068032 00000 n
-0000068192 00000 n
-0000068353 00000 n
-0000068513 00000 n
-0000068668 00000 n
-0000068828 00000 n
-0000068988 00000 n
-0000069143 00000 n
-0000069296 00000 n
-0000069449 00000 n
-0000069602 00000 n
-0000069757 00000 n
-0000071972 00000 n
-0000069975 00000 n
-0000063790 00000 n
-0000062668 00000 n
-0000069912 00000 n
-0000072131 00000 n
-0000072291 00000 n
-0000072445 00000 n
-0000072605 00000 n
-0000072753 00000 n
-0000072906 00000 n
-0000073061 00000 n
-0000073216 00000 n
-0000073370 00000 n
-0000073526 00000 n
-0000073687 00000 n
-0000073847 00000 n
-0000074002 00000 n
-0000074163 00000 n
-0000074324 00000 n
-0000074480 00000 n
-0000074641 00000 n
-0000074795 00000 n
-0000074956 00000 n
-0000075115 00000 n
-0000075269 00000 n
-0000075425 00000 n
-0000075585 00000 n
-0000075746 00000 n
-0000075906 00000 n
-0000076062 00000 n
-0000076223 00000 n
-0000076377 00000 n
-0000076532 00000 n
-0000076686 00000 n
-0000076842 00000 n
-0000076997 00000 n
-0000078311 00000 n
-0000078461 00000 n
-0000077217 00000 n
-0000071547 00000 n
-0000070074 00000 n
-0000077153 00000 n
-0000078615 00000 n
-0000078769 00000 n
-0000078925 00000 n
-0000079081 00000 n
-0000079237 00000 n
-0000079393 00000 n
-0000079549 00000 n
-0000079698 00000 n
-0000079852 00000 n
-0000080008 00000 n
-0000080227 00000 n
-0000078075 00000 n
-0000077329 00000 n
-0000080164 00000 n
-0000080620 00000 n
-0000080440 00000 n
-0000080339 00000 n
-0000080556 00000 n
-0000486657 00000 n
-0000081049 00000 n
-0000080871 00000 n
-0000080662 00000 n
-0000081339 00000 n
-0000081223 00000 n
-0000081122 00000 n
-0000083559 00000 n
-0000082939 00000 n
-0000081381 00000 n
-0000083055 00000 n
-0000083118 00000 n
-0000485390 00000 n
-0000083369 00000 n
-0000083495 00000 n
-0000086233 00000 n
-0000085802 00000 n
-0000083685 00000 n
-0000085918 00000 n
-0000086044 00000 n
-0000086169 00000 n
-0000088683 00000 n
-0000088378 00000 n
-0000086345 00000 n
-0000088494 00000 n
-0000088619 00000 n
-0000091502 00000 n
-0000090944 00000 n
-0000088795 00000 n
-0000091060 00000 n
-0000091186 00000 n
-0000091312 00000 n
-0000091438 00000 n
-0000486782 00000 n
-0000094264 00000 n
-0000093959 00000 n
-0000091627 00000 n
-0000094075 00000 n
-0000094200 00000 n
-0000095726 00000 n
-0000095546 00000 n
-0000094376 00000 n
-0000095662 00000 n
-0000097713 00000 n
-0000097906 00000 n
-0000101036 00000 n
-0000098661 00000 n
-0000097558 00000 n
-0000095825 00000 n
-0000098349 00000 n
-0000098597 00000 n
-0000098128 00000 n
-0000101618 00000 n
-0000101224 00000 n
-0000101431 00000 n
-0000102172 00000 n
-0000100872 00000 n
-0000098800 00000 n
-0000101792 00000 n
-0000484954 00000 n
-0000101856 00000 n
-0000101918 00000 n
-0000101982 00000 n
-0000102046 00000 n
-0000102110 00000 n
-0000484810 00000 n
-0000484228 00000 n
-0000486268 00000 n
-0000105241 00000 n
-0000104303 00000 n
-0000102366 00000 n
-0000104419 00000 n
-0000104544 00000 n
-0000104670 00000 n
-0000104796 00000 n
-0000104922 00000 n
-0000104986 00000 n
-0000105050 00000 n
-0000105114 00000 n
-0000105178 00000 n
-0000107140 00000 n
-0000106518 00000 n
-0000105353 00000 n
-0000106634 00000 n
-0000106698 00000 n
-0000106824 00000 n
-0000106950 00000 n
-0000107076 00000 n
-0000486907 00000 n
-0000109013 00000 n
-0000108074 00000 n
-0000107252 00000 n
-0000108190 00000 n
-0000108315 00000 n
-0000108441 00000 n
-0000108568 00000 n
-0000108695 00000 n
-0000108822 00000 n
-0000108949 00000 n
-0000110854 00000 n
-0000110039 00000 n
-0000109125 00000 n
-0000110155 00000 n
-0000110282 00000 n
-0000110409 00000 n
-0000110536 00000 n
-0000110663 00000 n
-0000110790 00000 n
-0000112286 00000 n
-0000111853 00000 n
-0000110979 00000 n
-0000111969 00000 n
-0000112095 00000 n
-0000112222 00000 n
-0000114284 00000 n
-0000113598 00000 n
-0000112398 00000 n
-0000113714 00000 n
-0000113841 00000 n
-0000113968 00000 n
-0000114094 00000 n
-0000114220 00000 n
-0000115854 00000 n
-0000115421 00000 n
-0000114422 00000 n
-0000115537 00000 n
-0000485098 00000 n
-0000115663 00000 n
-0000115790 00000 n
-0000117915 00000 n
-0000117354 00000 n
-0000116006 00000 n
-0000117470 00000 n
-0000117597 00000 n
-0000117724 00000 n
-0000117851 00000 n
-0000487032 00000 n
-0000119339 00000 n
-0000119033 00000 n
-0000118040 00000 n
-0000119149 00000 n
-0000119275 00000 n
-0000120765 00000 n
-0000120331 00000 n
-0000119464 00000 n
-0000120447 00000 n
-0000120574 00000 n
-0000120701 00000 n
-0000122370 00000 n
-0000121937 00000 n
-0000120890 00000 n
-0000122053 00000 n
-0000122179 00000 n
-0000122306 00000 n
-0000123345 00000 n
-0000123165 00000 n
-0000122495 00000 n
-0000123281 00000 n
-0000124501 00000 n
-0000124322 00000 n
-0000123444 00000 n
-0000124438 00000 n
-0000126520 00000 n
-0000125959 00000 n
-0000124600 00000 n
-0000126075 00000 n
-0000126202 00000 n
-0000126329 00000 n
-0000126456 00000 n
-0000487157 00000 n
-0000128302 00000 n
-0000127996 00000 n
-0000126658 00000 n
-0000128112 00000 n
-0000128238 00000 n
-0000129975 00000 n
-0000129795 00000 n
-0000128427 00000 n
-0000129911 00000 n
-0000131923 00000 n
-0000131490 00000 n
-0000130074 00000 n
-0000131606 00000 n
-0000131732 00000 n
-0000131859 00000 n
-0000134164 00000 n
-0000133984 00000 n
-0000132048 00000 n
-0000134100 00000 n
-0000136605 00000 n
-0000136172 00000 n
-0000134289 00000 n
-0000136288 00000 n
-0000136414 00000 n
-0000136541 00000 n
-0000138484 00000 n
-0000137923 00000 n
-0000136730 00000 n
-0000138039 00000 n
-0000138166 00000 n
-0000138293 00000 n
-0000138420 00000 n
-0000487282 00000 n
-0000140272 00000 n
-0000139840 00000 n
-0000138609 00000 n
-0000139956 00000 n
-0000140081 00000 n
-0000140208 00000 n
-0000141857 00000 n
-0000141550 00000 n
-0000140384 00000 n
-0000141666 00000 n
-0000141793 00000 n
-0000144063 00000 n
-0000143503 00000 n
-0000141969 00000 n
-0000143619 00000 n
-0000143745 00000 n
-0000143872 00000 n
-0000143999 00000 n
-0000145773 00000 n
-0000145466 00000 n
-0000144201 00000 n
-0000145582 00000 n
-0000483347 00000 n
-0000145709 00000 n
-0000147501 00000 n
-0000147068 00000 n
-0000145925 00000 n
-0000147184 00000 n
-0000147310 00000 n
-0000147437 00000 n
-0000149235 00000 n
-0000148548 00000 n
-0000147639 00000 n
-0000148664 00000 n
-0000148791 00000 n
-0000148917 00000 n
-0000149044 00000 n
-0000149171 00000 n
-0000487407 00000 n
-0000150981 00000 n
-0000150041 00000 n
-0000149373 00000 n
-0000150157 00000 n
-0000150282 00000 n
-0000150409 00000 n
-0000150536 00000 n
-0000150663 00000 n
-0000150790 00000 n
-0000150917 00000 n
-0000152818 00000 n
-0000152005 00000 n
-0000151106 00000 n
-0000152121 00000 n
-0000152248 00000 n
-0000152373 00000 n
-0000152500 00000 n
-0000152627 00000 n
-0000152754 00000 n
-0000154686 00000 n
-0000154126 00000 n
-0000152943 00000 n
-0000154242 00000 n
-0000154368 00000 n
-0000154495 00000 n
-0000154622 00000 n
-0000156203 00000 n
-0000155769 00000 n
-0000154811 00000 n
-0000155885 00000 n
-0000156012 00000 n
-0000156139 00000 n
-0000158043 00000 n
-0000157738 00000 n
-0000156315 00000 n
-0000157854 00000 n
-0000157979 00000 n
-0000159995 00000 n
-0000159309 00000 n
-0000158181 00000 n
-0000159425 00000 n
-0000159552 00000 n
-0000159679 00000 n
-0000159806 00000 n
-0000159931 00000 n
-0000487532 00000 n
-0000162189 00000 n
-0000161502 00000 n
-0000160120 00000 n
-0000161618 00000 n
-0000161744 00000 n
-0000161871 00000 n
-0000161998 00000 n
-0000162125 00000 n
-0000163972 00000 n
-0000163413 00000 n
-0000162314 00000 n
-0000163529 00000 n
-0000163656 00000 n
-0000163782 00000 n
-0000163908 00000 n
-0000166424 00000 n
-0000165484 00000 n
-0000164110 00000 n
-0000165600 00000 n
-0000165726 00000 n
-0000165853 00000 n
-0000165980 00000 n
-0000166106 00000 n
-0000166233 00000 n
-0000166360 00000 n
-0000167536 00000 n
-0000167229 00000 n
-0000166588 00000 n
-0000167345 00000 n
-0000167472 00000 n
-0000169133 00000 n
-0000168700 00000 n
-0000167648 00000 n
-0000168816 00000 n
-0000168942 00000 n
-0000169069 00000 n
-0000170402 00000 n
-0000169968 00000 n
-0000169271 00000 n
-0000170084 00000 n
-0000170211 00000 n
-0000170338 00000 n
-0000487657 00000 n
-0000172181 00000 n
-0000171621 00000 n
-0000170514 00000 n
-0000171737 00000 n
-0000171863 00000 n
-0000171990 00000 n
-0000172117 00000 n
-0000174196 00000 n
-0000173381 00000 n
-0000172306 00000 n
-0000173497 00000 n
-0000173624 00000 n
-0000173751 00000 n
-0000173878 00000 n
-0000174005 00000 n
-0000174132 00000 n
-0000175769 00000 n
-0000175463 00000 n
-0000174321 00000 n
-0000175579 00000 n
-0000175705 00000 n
-0000177426 00000 n
-0000177119 00000 n
-0000175894 00000 n
-0000177235 00000 n
-0000177362 00000 n
-0000179632 00000 n
-0000179072 00000 n
-0000177551 00000 n
-0000179188 00000 n
-0000179314 00000 n
-0000179441 00000 n
-0000179568 00000 n
-0000180762 00000 n
-0000180455 00000 n
-0000179744 00000 n
-0000180571 00000 n
-0000180698 00000 n
-0000487782 00000 n
-0000183384 00000 n
-0000182698 00000 n
-0000180874 00000 n
-0000182814 00000 n
-0000182940 00000 n
-0000183066 00000 n
-0000183193 00000 n
-0000183320 00000 n
-0000183790 00000 n
-0000183610 00000 n
-0000183509 00000 n
-0000183726 00000 n
-0000184221 00000 n
-0000184042 00000 n
-0000183832 00000 n
-0000184511 00000 n
-0000184395 00000 n
-0000184294 00000 n
-0000186884 00000 n
-0000186071 00000 n
-0000184553 00000 n
-0000186187 00000 n
-0000186250 00000 n
-0000186503 00000 n
-0000186567 00000 n
-0000186631 00000 n
-0000186694 00000 n
-0000186820 00000 n
-0000189858 00000 n
-0000189040 00000 n
-0000186997 00000 n
-0000189156 00000 n
-0000189283 00000 n
-0000189347 00000 n
-0000189411 00000 n
-0000189475 00000 n
-0000189539 00000 n
-0000189603 00000 n
-0000189667 00000 n
-0000189794 00000 n
-0000487907 00000 n
-0000192631 00000 n
-0000192325 00000 n
-0000189970 00000 n
-0000192441 00000 n
-0000192567 00000 n
-0000194042 00000 n
-0000193609 00000 n
-0000192743 00000 n
-0000193725 00000 n
-0000193978 00000 n
-0000196482 00000 n
-0000195922 00000 n
-0000194168 00000 n
-0000196038 00000 n
-0000196101 00000 n
-0000196165 00000 n
-0000196229 00000 n
-0000196293 00000 n
-0000196418 00000 n
-0000198273 00000 n
-0000198093 00000 n
-0000196607 00000 n
-0000198209 00000 n
-0000200044 00000 n
-0000199611 00000 n
-0000198398 00000 n
-0000199727 00000 n
-0000199853 00000 n
-0000199980 00000 n
-0000202170 00000 n
-0000201544 00000 n
-0000200169 00000 n
-0000201660 00000 n
-0000201724 00000 n
-0000201788 00000 n
-0000201852 00000 n
-0000201979 00000 n
-0000202106 00000 n
-0000488032 00000 n
-0000204003 00000 n
-0000203574 00000 n
-0000202295 00000 n
-0000203690 00000 n
-0000203816 00000 n
-0000203939 00000 n
-0000206275 00000 n
-0000205459 00000 n
-0000204115 00000 n
-0000205575 00000 n
-0000205828 00000 n
-0000205955 00000 n
-0000206019 00000 n
-0000206083 00000 n
-0000206147 00000 n
-0000206211 00000 n
-0000209590 00000 n
-0000209093 00000 n
-0000206388 00000 n
-0000209209 00000 n
-0000209272 00000 n
-0000209336 00000 n
-0000209400 00000 n
-0000209464 00000 n
-0000209526 00000 n
-0000212038 00000 n
-0000210842 00000 n
-0000209689 00000 n
-0000210958 00000 n
-0000211022 00000 n
-0000211086 00000 n
-0000211213 00000 n
-0000211340 00000 n
-0000211467 00000 n
-0000211594 00000 n
-0000211721 00000 n
-0000211847 00000 n
-0000211974 00000 n
-0000214090 00000 n
-0000213023 00000 n
-0000212150 00000 n
-0000213139 00000 n
-0000213265 00000 n
-0000213392 00000 n
-0000213519 00000 n
-0000213646 00000 n
-0000213773 00000 n
-0000213900 00000 n
-0000214027 00000 n
-0000216588 00000 n
-0000215518 00000 n
-0000214202 00000 n
-0000215634 00000 n
-0000215761 00000 n
-0000215888 00000 n
-0000216014 00000 n
-0000216141 00000 n
-0000216205 00000 n
-0000216269 00000 n
-0000216333 00000 n
-0000216397 00000 n
-0000216461 00000 n
-0000216525 00000 n
-0000488157 00000 n
-0000219450 00000 n
-0000218569 00000 n
-0000216713 00000 n
-0000218685 00000 n
-0000218748 00000 n
-0000218812 00000 n
-0000218876 00000 n
-0000218939 00000 n
-0000219003 00000 n
-0000219067 00000 n
-0000219131 00000 n
-0000219195 00000 n
-0000219322 00000 n
-0000219386 00000 n
-0000222286 00000 n
-0000221467 00000 n
-0000219562 00000 n
-0000221583 00000 n
-0000221647 00000 n
-0000221711 00000 n
-0000221838 00000 n
-0000221902 00000 n
-0000221966 00000 n
-0000222030 00000 n
-0000222094 00000 n
-0000222158 00000 n
-0000222222 00000 n
-0000223354 00000 n
-0000222919 00000 n
-0000222398 00000 n
-0000223035 00000 n
-0000223098 00000 n
-0000223162 00000 n
-0000223226 00000 n
-0000223290 00000 n
-0000225306 00000 n
-0000225506 00000 n
-0000225886 00000 n
-0000225160 00000 n
-0000223453 00000 n
-0000225696 00000 n
-0000229329 00000 n
-0000228320 00000 n
-0000226025 00000 n
-0000228436 00000 n
-0000228499 00000 n
-0000228563 00000 n
-0000228627 00000 n
-0000228691 00000 n
-0000228755 00000 n
-0000228819 00000 n
-0000228882 00000 n
-0000228946 00000 n
-0000229010 00000 n
-0000229074 00000 n
-0000229138 00000 n
-0000229201 00000 n
-0000229265 00000 n
-0000232710 00000 n
-0000231763 00000 n
-0000229415 00000 n
-0000231879 00000 n
-0000231943 00000 n
-0000232007 00000 n
-0000232071 00000 n
-0000232135 00000 n
-0000232199 00000 n
-0000232263 00000 n
-0000232327 00000 n
-0000232391 00000 n
-0000232454 00000 n
-0000232518 00000 n
-0000232582 00000 n
-0000232646 00000 n
-0000488282 00000 n
-0000233443 00000 n
-0000233264 00000 n
-0000232809 00000 n
-0000233380 00000 n
-0000235452 00000 n
-0000235146 00000 n
-0000233529 00000 n
-0000235262 00000 n
-0000237483 00000 n
-0000237657 00000 n
-0000237901 00000 n
-0000237337 00000 n
-0000235591 00000 n
-0000237838 00000 n
-0000240021 00000 n
-0000239335 00000 n
-0000238056 00000 n
-0000239451 00000 n
-0000239704 00000 n
-0000239830 00000 n
-0000239957 00000 n
-0000242673 00000 n
-0000242241 00000 n
-0000240147 00000 n
-0000242357 00000 n
-0000242483 00000 n
-0000242610 00000 n
-0000483935 00000 n
-0000245716 00000 n
-0000244759 00000 n
-0000244452 00000 n
-0000242812 00000 n
-0000244568 00000 n
-0000244695 00000 n
-0000488407 00000 n
-0000246974 00000 n
-0000245600 00000 n
-0000244898 00000 n
-0000246911 00000 n
-0000246093 00000 n
-0000246355 00000 n
-0000246403 00000 n
-0000247396 00000 n
-0000247216 00000 n
-0000247115 00000 n
-0000247332 00000 n
-0000247830 00000 n
-0000247651 00000 n
-0000247438 00000 n
-0000248120 00000 n
-0000248004 00000 n
-0000247903 00000 n
-0000250520 00000 n
-0000249897 00000 n
-0000248162 00000 n
-0000250013 00000 n
-0000250076 00000 n
-0000250329 00000 n
-0000250456 00000 n
-0000251596 00000 n
-0000251416 00000 n
-0000250659 00000 n
-0000251532 00000 n
-0000488532 00000 n
-0000253824 00000 n
-0000253392 00000 n
-0000251695 00000 n
-0000253508 00000 n
-0000253760 00000 n
-0000256453 00000 n
-0000256146 00000 n
-0000253937 00000 n
-0000256262 00000 n
-0000256389 00000 n
-0000259521 00000 n
-0000259342 00000 n
-0000256604 00000 n
-0000259458 00000 n
-0000260614 00000 n
-0000260434 00000 n
-0000259659 00000 n
-0000260550 00000 n
-0000261791 00000 n
-0000261612 00000 n
-0000260726 00000 n
-0000261728 00000 n
-0000264007 00000 n
-0000263700 00000 n
-0000261916 00000 n
-0000263816 00000 n
-0000263943 00000 n
-0000488657 00000 n
-0000266022 00000 n
-0000265589 00000 n
-0000264145 00000 n
-0000265705 00000 n
-0000265831 00000 n
-0000265958 00000 n
-0000267672 00000 n
-0000267365 00000 n
-0000266147 00000 n
-0000267481 00000 n
-0000267608 00000 n
-0000269852 00000 n
-0000269673 00000 n
-0000267797 00000 n
-0000269789 00000 n
-0000271265 00000 n
-0000271085 00000 n
-0000269977 00000 n
-0000271201 00000 n
-0000272664 00000 n
-0000272485 00000 n
-0000271377 00000 n
-0000272601 00000 n
-0000275645 00000 n
-0000274891 00000 n
-0000272776 00000 n
-0000275007 00000 n
-0000275134 00000 n
-0000275261 00000 n
-0000275325 00000 n
-0000275389 00000 n
-0000275453 00000 n
-0000275517 00000 n
-0000275581 00000 n
-0000488782 00000 n
-0000276584 00000 n
-0000276405 00000 n
-0000275783 00000 n
-0000276521 00000 n
-0000277915 00000 n
-0000277608 00000 n
-0000276683 00000 n
-0000277724 00000 n
-0000277788 00000 n
-0000277851 00000 n
-0000280336 00000 n
-0000280744 00000 n
-0000280199 00000 n
-0000278040 00000 n
-0000280489 00000 n
-0000280552 00000 n
-0000280616 00000 n
-0000280680 00000 n
-0000281963 00000 n
-0000281783 00000 n
-0000280869 00000 n
-0000281899 00000 n
-0000283128 00000 n
-0000282949 00000 n
-0000282075 00000 n
-0000283065 00000 n
-0000285202 00000 n
-0000284641 00000 n
-0000283227 00000 n
-0000284757 00000 n
-0000284821 00000 n
-0000284885 00000 n
-0000285011 00000 n
-0000285138 00000 n
-0000488907 00000 n
-0000286682 00000 n
-0000286376 00000 n
-0000285327 00000 n
-0000286492 00000 n
-0000286618 00000 n
-0000288793 00000 n
-0000287914 00000 n
-0000286807 00000 n
-0000288030 00000 n
-0000288283 00000 n
-0000288347 00000 n
-0000288410 00000 n
-0000288473 00000 n
-0000288537 00000 n
-0000288601 00000 n
-0000288665 00000 n
-0000288729 00000 n
-0000291330 00000 n
-0000290641 00000 n
-0000288906 00000 n
-0000290757 00000 n
-0000290883 00000 n
-0000290947 00000 n
-0000291011 00000 n
-0000291075 00000 n
-0000291139 00000 n
-0000291266 00000 n
-0000292614 00000 n
-0000292307 00000 n
-0000291468 00000 n
-0000292423 00000 n
-0000292550 00000 n
-0000294672 00000 n
-0000293983 00000 n
-0000292739 00000 n
-0000294099 00000 n
-0000294225 00000 n
-0000294289 00000 n
-0000294353 00000 n
-0000294417 00000 n
-0000294481 00000 n
-0000294608 00000 n
-0000296434 00000 n
-0000296003 00000 n
-0000294810 00000 n
-0000296119 00000 n
-0000296370 00000 n
-0000489032 00000 n
-0000297953 00000 n
-0000297774 00000 n
-0000296560 00000 n
-0000297890 00000 n
-0000300066 00000 n
-0000299506 00000 n
-0000298065 00000 n
-0000299622 00000 n
-0000299875 00000 n
-0000300002 00000 n
-0000302739 00000 n
-0000302369 00000 n
-0000300179 00000 n
-0000302485 00000 n
-0000302611 00000 n
-0000302675 00000 n
-0000305082 00000 n
-0000304902 00000 n
-0000302864 00000 n
-0000305018 00000 n
-0000307197 00000 n
-0000307018 00000 n
-0000305221 00000 n
-0000307134 00000 n
-0000307603 00000 n
-0000307423 00000 n
-0000307322 00000 n
-0000307539 00000 n
-0000489157 00000 n
-0000308040 00000 n
-0000307861 00000 n
-0000307645 00000 n
-0000308330 00000 n
-0000308214 00000 n
-0000308113 00000 n
-0000310413 00000 n
-0000310044 00000 n
-0000308372 00000 n
-0000310160 00000 n
-0000310223 00000 n
-0000312950 00000 n
-0000312770 00000 n
-0000310526 00000 n
-0000312886 00000 n
-0000484373 00000 n
-0000313752 00000 n
-0000313573 00000 n
-0000313076 00000 n
-0000313689 00000 n
-0000315457 00000 n
-0000314897 00000 n
-0000313851 00000 n
-0000315013 00000 n
-0000315266 00000 n
-0000315393 00000 n
-0000489282 00000 n
-0000318093 00000 n
-0000317787 00000 n
-0000315596 00000 n
-0000317903 00000 n
-0000318029 00000 n
-0000320635 00000 n
-0000320135 00000 n
-0000318231 00000 n
-0000320251 00000 n
-0000320315 00000 n
-0000320379 00000 n
-0000320443 00000 n
-0000320507 00000 n
-0000320571 00000 n
-0000323333 00000 n
-0000322709 00000 n
-0000320774 00000 n
-0000322825 00000 n
-0000322888 00000 n
-0000322952 00000 n
-0000323016 00000 n
-0000323143 00000 n
-0000323269 00000 n
-0000325204 00000 n
-0000325024 00000 n
-0000323458 00000 n
-0000325140 00000 n
-0000327885 00000 n
-0000327706 00000 n
-0000325329 00000 n
-0000327822 00000 n
-0000329603 00000 n
-0000329423 00000 n
-0000328010 00000 n
-0000329539 00000 n
-0000489407 00000 n
-0000330113 00000 n
-0000329934 00000 n
-0000329728 00000 n
-0000330403 00000 n
-0000330287 00000 n
-0000330186 00000 n
-0000332542 00000 n
-0000331920 00000 n
-0000330445 00000 n
-0000332036 00000 n
-0000332099 00000 n
-0000332352 00000 n
-0000332478 00000 n
-0000332699 00000 n
-0000332725 00000 n
-0000333053 00000 n
-0000333077 00000 n
-0000333101 00000 n
-0000333433 00000 n
-0000333471 00000 n
-0000333503 00000 n
-0000333535 00000 n
-0000333961 00000 n
-0000334629 00000 n
-0000335183 00000 n
-0000335826 00000 n
-0000336456 00000 n
-0000336707 00000 n
-0000337103 00000 n
-0000337139 00000 n
-0000337763 00000 n
-0000338433 00000 n
-0000339073 00000 n
-0000339504 00000 n
-0000339936 00000 n
-0000341574 00000 n
-0000341807 00000 n
-0000357450 00000 n
-0000357971 00000 n
-0000364837 00000 n
-0000365141 00000 n
-0000368417 00000 n
-0000368654 00000 n
-0000375768 00000 n
-0000376061 00000 n
-0000377854 00000 n
-0000378089 00000 n
-0000379883 00000 n
-0000380117 00000 n
-0000381759 00000 n
-0000381991 00000 n
-0000399926 00000 n
-0000400511 00000 n
-0000405140 00000 n
-0000405417 00000 n
-0000407261 00000 n
-0000407487 00000 n
-0000409321 00000 n
-0000409547 00000 n
-0000411338 00000 n
-0000411566 00000 n
-0000417525 00000 n
-0000417852 00000 n
-0000421660 00000 n
-0000421943 00000 n
-0000430463 00000 n
-0000430868 00000 n
-0000443304 00000 n
-0000443766 00000 n
-0000445059 00000 n
-0000445298 00000 n
-0000461274 00000 n
-0000461738 00000 n
-0000477852 00000 n
-0000478473 00000 n
-0000483067 00000 n
-0000489514 00000 n
-0000489639 00000 n
-0000489765 00000 n
-0000489891 00000 n
-0000490017 00000 n
-0000490097 00000 n
-0000490198 00000 n
-0000511082 00000 n
-0000511281 00000 n
-0000511466 00000 n
-0000511650 00000 n
-0000511835 00000 n
-0000512019 00000 n
-0000512198 00000 n
-0000512374 00000 n
-0000512551 00000 n
-0000512727 00000 n
-0000512904 00000 n
-0000513079 00000 n
-0000513254 00000 n
-0000513431 00000 n
-0000513607 00000 n
-0000513784 00000 n
-0000513960 00000 n
-0000514137 00000 n
-0000514313 00000 n
-0000514490 00000 n
-0000514666 00000 n
-0000514843 00000 n
-0000515046 00000 n
-0000515241 00000 n
-0000515427 00000 n
-0000515616 00000 n
-0000515809 00000 n
-0000516002 00000 n
-0000516193 00000 n
-0000516386 00000 n
-0000516579 00000 n
-0000516772 00000 n
-0000516965 00000 n
-0000517158 00000 n
-0000517351 00000 n
-0000517544 00000 n
-0000517736 00000 n
-0000517929 00000 n
-0000518122 00000 n
-0000518315 00000 n
-0000518508 00000 n
-0000518701 00000 n
-0000518894 00000 n
-0000519087 00000 n
-0000519280 00000 n
-0000519473 00000 n
-0000519666 00000 n
-0000519859 00000 n
-0000520052 00000 n
-0000520245 00000 n
-0000520438 00000 n
-0000520631 00000 n
-0000520824 00000 n
-0000521017 00000 n
-0000521210 00000 n
-0000521403 00000 n
-0000521596 00000 n
-0000521789 00000 n
-0000521982 00000 n
-0000522169 00000 n
-0000522350 00000 n
-0000522535 00000 n
-0000522719 00000 n
-0000522904 00000 n
-0000523087 00000 n
-0000523268 00000 n
-0000523444 00000 n
-0000523621 00000 n
-0000523797 00000 n
-0000523974 00000 n
-0000524150 00000 n
-0000524327 00000 n
-0000524503 00000 n
-0000524680 00000 n
-0000524855 00000 n
-0000525030 00000 n
-0000525207 00000 n
-0000525383 00000 n
-0000525560 00000 n
-0000525736 00000 n
-0000525913 00000 n
-0000526086 00000 n
-0000526262 00000 n
-0000526426 00000 n
-0000526618 00000 n
-0000526815 00000 n
-0000527026 00000 n
-0000527237 00000 n
-0000527445 00000 n
-0000527647 00000 n
-0000527850 00000 n
-0000528053 00000 n
-0000528256 00000 n
-0000528483 00000 n
-0000528734 00000 n
-0000528976 00000 n
-0000529221 00000 n
-0000529464 00000 n
-0000529707 00000 n
-0000529950 00000 n
-0000530193 00000 n
-0000530442 00000 n
-0000530687 00000 n
-0000530930 00000 n
-0000531197 00000 n
-0000531488 00000 n
-0000531778 00000 n
-0000532069 00000 n
-0000532356 00000 n
-0000532642 00000 n
-0000532930 00000 n
-0000533213 00000 n
-0000533496 00000 n
-0000533779 00000 n
-0000534062 00000 n
-0000534345 00000 n
-0000534628 00000 n
-0000534800 00000 n
-0000534926 00000 n
-0000535041 00000 n
-0000535157 00000 n
-0000535275 00000 n
-0000535395 00000 n
-0000535515 00000 n
-0000535635 00000 n
-0000535755 00000 n
-0000535875 00000 n
-0000535994 00000 n
-0000536111 00000 n
-0000536227 00000 n
-0000536343 00000 n
-0000536463 00000 n
-0000536587 00000 n
-0000536716 00000 n
-0000536850 00000 n
-0000536989 00000 n
-0000537133 00000 n
-0000537233 00000 n
-0000537361 00000 n
-0000537479 00000 n
-0000537609 00000 n
-0000537700 00000 n
-0000537805 00000 n
-0000537845 00000 n
-0000538109 00000 n
+0000022327 00000 n
+0000022388 00000 n
+0000483686 00000 n
+0000484709 00000 n
+0000486458 00000 n
+0000024618 00000 n
+0000024788 00000 n
+0000023843 00000 n
+0000025152 00000 n
+0000023695 00000 n
+0000022535 00000 n
+0000483540 00000 n
+0000486020 00000 n
+0000484564 00000 n
+0000484127 00000 n
+0000486166 00000 n
+0000024970 00000 n
+0000483832 00000 n
+0000485288 00000 n
+0000024340 00000 n
+0000024571 00000 n
+0000026545 00000 n
+0000026695 00000 n
+0000026846 00000 n
+0000027021 00000 n
+0000027195 00000 n
+0000027364 00000 n
+0000027519 00000 n
+0000027667 00000 n
+0000027819 00000 n
+0000028004 00000 n
+0000028164 00000 n
+0000028317 00000 n
+0000028487 00000 n
+0000028637 00000 n
+0000028808 00000 n
+0000030397 00000 n
+0000029207 00000 n
+0000026301 00000 n
+0000025330 00000 n
+0000028961 00000 n
+0000485726 00000 n
+0000029083 00000 n
+0000029145 00000 n
+0000485874 00000 n
+0000083245 00000 n
+0000098475 00000 n
+0000186378 00000 n
+0000193853 00000 n
+0000205703 00000 n
+0000225824 00000 n
+0000235390 00000 n
+0000239579 00000 n
+0000250204 00000 n
+0000030570 00000 n
+0000030741 00000 n
+0000030886 00000 n
+0000031053 00000 n
+0000031223 00000 n
+0000031372 00000 n
+0000031517 00000 n
+0000031668 00000 n
+0000031838 00000 n
+0000031985 00000 n
+0000032136 00000 n
+0000032348 00000 n
+0000030177 00000 n
+0000029344 00000 n
+0000032287 00000 n
+0000485581 00000 n
+0000253635 00000 n
+0000288158 00000 n
+0000296247 00000 n
+0000299750 00000 n
+0000310351 00000 n
+0000315141 00000 n
+0000332227 00000 n
+0000032759 00000 n
+0000032585 00000 n
+0000032485 00000 n
+0000032697 00000 n
+0000034259 00000 n
+0000034411 00000 n
+0000034560 00000 n
+0000034712 00000 n
+0000034866 00000 n
+0000035020 00000 n
+0000035174 00000 n
+0000035328 00000 n
+0000035481 00000 n
+0000035635 00000 n
+0000035789 00000 n
+0000035943 00000 n
+0000036097 00000 n
+0000036249 00000 n
+0000036403 00000 n
+0000036562 00000 n
+0000036720 00000 n
+0000036874 00000 n
+0000037033 00000 n
+0000037192 00000 n
+0000037356 00000 n
+0000037520 00000 n
+0000037678 00000 n
+0000037842 00000 n
+0000038006 00000 n
+0000038170 00000 n
+0000038334 00000 n
+0000038497 00000 n
+0000038661 00000 n
+0000041475 00000 n
+0000038886 00000 n
+0000033903 00000 n
+0000032800 00000 n
+0000038825 00000 n
+0000041639 00000 n
+0000041804 00000 n
+0000041969 00000 n
+0000042135 00000 n
+0000042301 00000 n
+0000042467 00000 n
+0000042633 00000 n
+0000042799 00000 n
+0000042965 00000 n
+0000043131 00000 n
+0000043295 00000 n
+0000043461 00000 n
+0000043626 00000 n
+0000043792 00000 n
+0000043958 00000 n
+0000044124 00000 n
+0000044290 00000 n
+0000044456 00000 n
+0000044621 00000 n
+0000044787 00000 n
+0000044953 00000 n
+0000045118 00000 n
+0000045284 00000 n
+0000045439 00000 n
+0000045599 00000 n
+0000045759 00000 n
+0000045924 00000 n
+0000046089 00000 n
+0000046254 00000 n
+0000046418 00000 n
+0000046583 00000 n
+0000048375 00000 n
+0000046812 00000 n
+0000041060 00000 n
+0000038997 00000 n
+0000046748 00000 n
+0000486576 00000 n
+0000048539 00000 n
+0000048704 00000 n
+0000048864 00000 n
+0000049023 00000 n
+0000049183 00000 n
+0000049343 00000 n
+0000049508 00000 n
+0000049673 00000 n
+0000049833 00000 n
+0000049998 00000 n
+0000050163 00000 n
+0000050323 00000 n
+0000050486 00000 n
+0000050651 00000 n
+0000050811 00000 n
+0000050975 00000 n
+0000051139 00000 n
+0000051300 00000 n
+0000051466 00000 n
+0000051632 00000 n
+0000051793 00000 n
+0000051959 00000 n
+0000052125 00000 n
+0000052286 00000 n
+0000052451 00000 n
+0000052616 00000 n
+0000052771 00000 n
+0000052931 00000 n
+0000053095 00000 n
+0000053260 00000 n
+0000053420 00000 n
+0000053585 00000 n
+0000053750 00000 n
+0000053910 00000 n
+0000054075 00000 n
+0000054240 00000 n
+0000054400 00000 n
+0000054564 00000 n
+0000054729 00000 n
+0000056724 00000 n
+0000054952 00000 n
+0000047887 00000 n
+0000046911 00000 n
+0000054889 00000 n
+0000056888 00000 n
+0000057053 00000 n
+0000057208 00000 n
+0000057367 00000 n
+0000057532 00000 n
+0000057697 00000 n
+0000057857 00000 n
+0000058022 00000 n
+0000058187 00000 n
+0000058342 00000 n
+0000058502 00000 n
+0000058667 00000 n
+0000058830 00000 n
+0000058990 00000 n
+0000059155 00000 n
+0000059319 00000 n
+0000059474 00000 n
+0000059634 00000 n
+0000059794 00000 n
+0000059954 00000 n
+0000060108 00000 n
+0000060268 00000 n
+0000060433 00000 n
+0000060598 00000 n
+0000060757 00000 n
+0000060922 00000 n
+0000061087 00000 n
+0000061252 00000 n
+0000061401 00000 n
+0000061553 00000 n
+0000061708 00000 n
+0000061863 00000 n
+0000062018 00000 n
+0000062173 00000 n
+0000062327 00000 n
+0000064243 00000 n
+0000062544 00000 n
+0000056272 00000 n
+0000055051 00000 n
+0000062480 00000 n
+0000064397 00000 n
+0000064552 00000 n
+0000064707 00000 n
+0000064862 00000 n
+0000065017 00000 n
+0000065177 00000 n
+0000065336 00000 n
+0000065496 00000 n
+0000065648 00000 n
+0000065803 00000 n
+0000065957 00000 n
+0000066112 00000 n
+0000066272 00000 n
+0000066432 00000 n
+0000066592 00000 n
+0000066752 00000 n
+0000066911 00000 n
+0000067071 00000 n
+0000067230 00000 n
+0000067390 00000 n
+0000067550 00000 n
+0000067711 00000 n
+0000067872 00000 n
+0000068033 00000 n
+0000068193 00000 n
+0000068354 00000 n
+0000068514 00000 n
+0000068669 00000 n
+0000068829 00000 n
+0000068989 00000 n
+0000069144 00000 n
+0000069297 00000 n
+0000069450 00000 n
+0000069603 00000 n
+0000069758 00000 n
+0000071973 00000 n
+0000069976 00000 n
+0000063791 00000 n
+0000062669 00000 n
+0000069913 00000 n
+0000072132 00000 n
+0000072292 00000 n
+0000072446 00000 n
+0000072606 00000 n
+0000072754 00000 n
+0000072907 00000 n
+0000073062 00000 n
+0000073217 00000 n
+0000073371 00000 n
+0000073527 00000 n
+0000073688 00000 n
+0000073848 00000 n
+0000074003 00000 n
+0000074164 00000 n
+0000074325 00000 n
+0000074481 00000 n
+0000074642 00000 n
+0000074796 00000 n
+0000074957 00000 n
+0000075116 00000 n
+0000075270 00000 n
+0000075426 00000 n
+0000075586 00000 n
+0000075747 00000 n
+0000075907 00000 n
+0000076063 00000 n
+0000076224 00000 n
+0000076378 00000 n
+0000076533 00000 n
+0000076687 00000 n
+0000076843 00000 n
+0000076998 00000 n
+0000078312 00000 n
+0000078462 00000 n
+0000077218 00000 n
+0000071548 00000 n
+0000070075 00000 n
+0000077154 00000 n
+0000078616 00000 n
+0000078770 00000 n
+0000078926 00000 n
+0000079082 00000 n
+0000079238 00000 n
+0000079394 00000 n
+0000079550 00000 n
+0000079699 00000 n
+0000079853 00000 n
+0000080009 00000 n
+0000080228 00000 n
+0000078076 00000 n
+0000077330 00000 n
+0000080165 00000 n
+0000080621 00000 n
+0000080441 00000 n
+0000080340 00000 n
+0000080557 00000 n
+0000486701 00000 n
+0000081050 00000 n
+0000080872 00000 n
+0000080663 00000 n
+0000081340 00000 n
+0000081224 00000 n
+0000081123 00000 n
+0000083560 00000 n
+0000082940 00000 n
+0000081382 00000 n
+0000083056 00000 n
+0000083119 00000 n
+0000485434 00000 n
+0000083370 00000 n
+0000083496 00000 n
+0000086234 00000 n
+0000085803 00000 n
+0000083686 00000 n
+0000085919 00000 n
+0000086045 00000 n
+0000086170 00000 n
+0000088684 00000 n
+0000088379 00000 n
+0000086346 00000 n
+0000088495 00000 n
+0000088620 00000 n
+0000091503 00000 n
+0000090945 00000 n
+0000088796 00000 n
+0000091061 00000 n
+0000091187 00000 n
+0000091313 00000 n
+0000091439 00000 n
+0000486826 00000 n
+0000094265 00000 n
+0000093960 00000 n
+0000091628 00000 n
+0000094076 00000 n
+0000094201 00000 n
+0000095727 00000 n
+0000095547 00000 n
+0000094377 00000 n
+0000095663 00000 n
+0000097714 00000 n
+0000097907 00000 n
+0000101037 00000 n
+0000098662 00000 n
+0000097559 00000 n
+0000095826 00000 n
+0000098350 00000 n
+0000098598 00000 n
+0000098129 00000 n
+0000101619 00000 n
+0000101225 00000 n
+0000101432 00000 n
+0000102173 00000 n
+0000100873 00000 n
+0000098801 00000 n
+0000101793 00000 n
+0000484998 00000 n
+0000101857 00000 n
+0000101919 00000 n
+0000101983 00000 n
+0000102047 00000 n
+0000102111 00000 n
+0000484854 00000 n
+0000484272 00000 n
+0000486312 00000 n
+0000105242 00000 n
+0000104304 00000 n
+0000102367 00000 n
+0000104420 00000 n
+0000104545 00000 n
+0000104671 00000 n
+0000104797 00000 n
+0000104923 00000 n
+0000104987 00000 n
+0000105051 00000 n
+0000105115 00000 n
+0000105179 00000 n
+0000107141 00000 n
+0000106519 00000 n
+0000105354 00000 n
+0000106635 00000 n
+0000106699 00000 n
+0000106825 00000 n
+0000106951 00000 n
+0000107077 00000 n
+0000486951 00000 n
+0000109014 00000 n
+0000108075 00000 n
+0000107253 00000 n
+0000108191 00000 n
+0000108316 00000 n
+0000108442 00000 n
+0000108569 00000 n
+0000108696 00000 n
+0000108823 00000 n
+0000108950 00000 n
+0000110855 00000 n
+0000110040 00000 n
+0000109126 00000 n
+0000110156 00000 n
+0000110283 00000 n
+0000110410 00000 n
+0000110537 00000 n
+0000110664 00000 n
+0000110791 00000 n
+0000112287 00000 n
+0000111854 00000 n
+0000110980 00000 n
+0000111970 00000 n
+0000112096 00000 n
+0000112223 00000 n
+0000114285 00000 n
+0000113599 00000 n
+0000112399 00000 n
+0000113715 00000 n
+0000113842 00000 n
+0000113969 00000 n
+0000114095 00000 n
+0000114221 00000 n
+0000115855 00000 n
+0000115422 00000 n
+0000114423 00000 n
+0000115538 00000 n
+0000485142 00000 n
+0000115664 00000 n
+0000115791 00000 n
+0000117916 00000 n
+0000117355 00000 n
+0000116007 00000 n
+0000117471 00000 n
+0000117598 00000 n
+0000117725 00000 n
+0000117852 00000 n
+0000487076 00000 n
+0000119340 00000 n
+0000119034 00000 n
+0000118041 00000 n
+0000119150 00000 n
+0000119276 00000 n
+0000120766 00000 n
+0000120332 00000 n
+0000119465 00000 n
+0000120448 00000 n
+0000120575 00000 n
+0000120702 00000 n
+0000122371 00000 n
+0000121938 00000 n
+0000120891 00000 n
+0000122054 00000 n
+0000122180 00000 n
+0000122307 00000 n
+0000123346 00000 n
+0000123166 00000 n
+0000122496 00000 n
+0000123282 00000 n
+0000124502 00000 n
+0000124323 00000 n
+0000123445 00000 n
+0000124439 00000 n
+0000126521 00000 n
+0000125960 00000 n
+0000124601 00000 n
+0000126076 00000 n
+0000126203 00000 n
+0000126330 00000 n
+0000126457 00000 n
+0000487201 00000 n
+0000128303 00000 n
+0000127997 00000 n
+0000126659 00000 n
+0000128113 00000 n
+0000128239 00000 n
+0000129976 00000 n
+0000129796 00000 n
+0000128428 00000 n
+0000129912 00000 n
+0000131924 00000 n
+0000131491 00000 n
+0000130075 00000 n
+0000131607 00000 n
+0000131733 00000 n
+0000131860 00000 n
+0000134165 00000 n
+0000133985 00000 n
+0000132049 00000 n
+0000134101 00000 n
+0000136606 00000 n
+0000136173 00000 n
+0000134290 00000 n
+0000136289 00000 n
+0000136415 00000 n
+0000136542 00000 n
+0000138485 00000 n
+0000137924 00000 n
+0000136731 00000 n
+0000138040 00000 n
+0000138167 00000 n
+0000138294 00000 n
+0000138421 00000 n
+0000487326 00000 n
+0000140273 00000 n
+0000139841 00000 n
+0000138610 00000 n
+0000139957 00000 n
+0000140082 00000 n
+0000140209 00000 n
+0000141858 00000 n
+0000141551 00000 n
+0000140385 00000 n
+0000141667 00000 n
+0000141794 00000 n
+0000144064 00000 n
+0000143504 00000 n
+0000141970 00000 n
+0000143620 00000 n
+0000143746 00000 n
+0000143873 00000 n
+0000144000 00000 n
+0000145774 00000 n
+0000145467 00000 n
+0000144202 00000 n
+0000145583 00000 n
+0000483391 00000 n
+0000145710 00000 n
+0000147502 00000 n
+0000147069 00000 n
+0000145926 00000 n
+0000147185 00000 n
+0000147311 00000 n
+0000147438 00000 n
+0000149236 00000 n
+0000148549 00000 n
+0000147640 00000 n
+0000148665 00000 n
+0000148792 00000 n
+0000148918 00000 n
+0000149045 00000 n
+0000149172 00000 n
+0000487451 00000 n
+0000150982 00000 n
+0000150042 00000 n
+0000149374 00000 n
+0000150158 00000 n
+0000150283 00000 n
+0000150410 00000 n
+0000150537 00000 n
+0000150664 00000 n
+0000150791 00000 n
+0000150918 00000 n
+0000152819 00000 n
+0000152006 00000 n
+0000151107 00000 n
+0000152122 00000 n
+0000152249 00000 n
+0000152374 00000 n
+0000152501 00000 n
+0000152628 00000 n
+0000152755 00000 n
+0000154687 00000 n
+0000154127 00000 n
+0000152944 00000 n
+0000154243 00000 n
+0000154369 00000 n
+0000154496 00000 n
+0000154623 00000 n
+0000156204 00000 n
+0000155770 00000 n
+0000154812 00000 n
+0000155886 00000 n
+0000156013 00000 n
+0000156140 00000 n
+0000158044 00000 n
+0000157739 00000 n
+0000156316 00000 n
+0000157855 00000 n
+0000157980 00000 n
+0000159996 00000 n
+0000159310 00000 n
+0000158182 00000 n
+0000159426 00000 n
+0000159553 00000 n
+0000159680 00000 n
+0000159807 00000 n
+0000159932 00000 n
+0000487576 00000 n
+0000162190 00000 n
+0000161503 00000 n
+0000160121 00000 n
+0000161619 00000 n
+0000161745 00000 n
+0000161872 00000 n
+0000161999 00000 n
+0000162126 00000 n
+0000163973 00000 n
+0000163414 00000 n
+0000162315 00000 n
+0000163530 00000 n
+0000163657 00000 n
+0000163783 00000 n
+0000163909 00000 n
+0000166425 00000 n
+0000165485 00000 n
+0000164111 00000 n
+0000165601 00000 n
+0000165727 00000 n
+0000165854 00000 n
+0000165981 00000 n
+0000166107 00000 n
+0000166234 00000 n
+0000166361 00000 n
+0000167537 00000 n
+0000167230 00000 n
+0000166589 00000 n
+0000167346 00000 n
+0000167473 00000 n
+0000169134 00000 n
+0000168701 00000 n
+0000167649 00000 n
+0000168817 00000 n
+0000168943 00000 n
+0000169070 00000 n
+0000170403 00000 n
+0000169969 00000 n
+0000169272 00000 n
+0000170085 00000 n
+0000170212 00000 n
+0000170339 00000 n
+0000487701 00000 n
+0000172182 00000 n
+0000171622 00000 n
+0000170515 00000 n
+0000171738 00000 n
+0000171864 00000 n
+0000171991 00000 n
+0000172118 00000 n
+0000174197 00000 n
+0000173382 00000 n
+0000172307 00000 n
+0000173498 00000 n
+0000173625 00000 n
+0000173752 00000 n
+0000173879 00000 n
+0000174006 00000 n
+0000174133 00000 n
+0000175770 00000 n
+0000175464 00000 n
+0000174322 00000 n
+0000175580 00000 n
+0000175706 00000 n
+0000177427 00000 n
+0000177120 00000 n
+0000175895 00000 n
+0000177236 00000 n
+0000177363 00000 n
+0000179633 00000 n
+0000179073 00000 n
+0000177552 00000 n
+0000179189 00000 n
+0000179315 00000 n
+0000179442 00000 n
+0000179569 00000 n
+0000180763 00000 n
+0000180456 00000 n
+0000179745 00000 n
+0000180572 00000 n
+0000180699 00000 n
+0000487826 00000 n
+0000183385 00000 n
+0000182699 00000 n
+0000180875 00000 n
+0000182815 00000 n
+0000182941 00000 n
+0000183067 00000 n
+0000183194 00000 n
+0000183321 00000 n
+0000183791 00000 n
+0000183611 00000 n
+0000183510 00000 n
+0000183727 00000 n
+0000184222 00000 n
+0000184043 00000 n
+0000183833 00000 n
+0000184512 00000 n
+0000184396 00000 n
+0000184295 00000 n
+0000186885 00000 n
+0000186072 00000 n
+0000184554 00000 n
+0000186188 00000 n
+0000186251 00000 n
+0000186504 00000 n
+0000186568 00000 n
+0000186632 00000 n
+0000186695 00000 n
+0000186821 00000 n
+0000189859 00000 n
+0000189041 00000 n
+0000186998 00000 n
+0000189157 00000 n
+0000189284 00000 n
+0000189348 00000 n
+0000189412 00000 n
+0000189476 00000 n
+0000189540 00000 n
+0000189604 00000 n
+0000189668 00000 n
+0000189795 00000 n
+0000487951 00000 n
+0000192632 00000 n
+0000192326 00000 n
+0000189971 00000 n
+0000192442 00000 n
+0000192568 00000 n
+0000194043 00000 n
+0000193610 00000 n
+0000192744 00000 n
+0000193726 00000 n
+0000193979 00000 n
+0000196483 00000 n
+0000195923 00000 n
+0000194169 00000 n
+0000196039 00000 n
+0000196102 00000 n
+0000196166 00000 n
+0000196230 00000 n
+0000196294 00000 n
+0000196419 00000 n
+0000198274 00000 n
+0000198094 00000 n
+0000196608 00000 n
+0000198210 00000 n
+0000200045 00000 n
+0000199612 00000 n
+0000198399 00000 n
+0000199728 00000 n
+0000199854 00000 n
+0000199981 00000 n
+0000202171 00000 n
+0000201545 00000 n
+0000200170 00000 n
+0000201661 00000 n
+0000201725 00000 n
+0000201789 00000 n
+0000201853 00000 n
+0000201980 00000 n
+0000202107 00000 n
+0000488076 00000 n
+0000204004 00000 n
+0000203575 00000 n
+0000202296 00000 n
+0000203691 00000 n
+0000203817 00000 n
+0000203940 00000 n
+0000206276 00000 n
+0000205460 00000 n
+0000204116 00000 n
+0000205576 00000 n
+0000205829 00000 n
+0000205956 00000 n
+0000206020 00000 n
+0000206084 00000 n
+0000206148 00000 n
+0000206212 00000 n
+0000209591 00000 n
+0000209094 00000 n
+0000206389 00000 n
+0000209210 00000 n
+0000209273 00000 n
+0000209337 00000 n
+0000209401 00000 n
+0000209465 00000 n
+0000209527 00000 n
+0000212039 00000 n
+0000210843 00000 n
+0000209690 00000 n
+0000210959 00000 n
+0000211023 00000 n
+0000211087 00000 n
+0000211214 00000 n
+0000211341 00000 n
+0000211468 00000 n
+0000211595 00000 n
+0000211722 00000 n
+0000211848 00000 n
+0000211975 00000 n
+0000214091 00000 n
+0000213024 00000 n
+0000212151 00000 n
+0000213140 00000 n
+0000213266 00000 n
+0000213393 00000 n
+0000213520 00000 n
+0000213647 00000 n
+0000213774 00000 n
+0000213901 00000 n
+0000214028 00000 n
+0000216589 00000 n
+0000215519 00000 n
+0000214203 00000 n
+0000215635 00000 n
+0000215762 00000 n
+0000215889 00000 n
+0000216015 00000 n
+0000216142 00000 n
+0000216206 00000 n
+0000216270 00000 n
+0000216334 00000 n
+0000216398 00000 n
+0000216462 00000 n
+0000216526 00000 n
+0000488201 00000 n
+0000219451 00000 n
+0000218570 00000 n
+0000216714 00000 n
+0000218686 00000 n
+0000218749 00000 n
+0000218813 00000 n
+0000218877 00000 n
+0000218940 00000 n
+0000219004 00000 n
+0000219068 00000 n
+0000219132 00000 n
+0000219196 00000 n
+0000219323 00000 n
+0000219387 00000 n
+0000222287 00000 n
+0000221468 00000 n
+0000219563 00000 n
+0000221584 00000 n
+0000221648 00000 n
+0000221712 00000 n
+0000221839 00000 n
+0000221903 00000 n
+0000221967 00000 n
+0000222031 00000 n
+0000222095 00000 n
+0000222159 00000 n
+0000222223 00000 n
+0000223355 00000 n
+0000222920 00000 n
+0000222399 00000 n
+0000223036 00000 n
+0000223099 00000 n
+0000223163 00000 n
+0000223227 00000 n
+0000223291 00000 n
+0000225307 00000 n
+0000225507 00000 n
+0000225887 00000 n
+0000225161 00000 n
+0000223454 00000 n
+0000225697 00000 n
+0000229330 00000 n
+0000228321 00000 n
+0000226026 00000 n
+0000228437 00000 n
+0000228500 00000 n
+0000228564 00000 n
+0000228628 00000 n
+0000228692 00000 n
+0000228756 00000 n
+0000228820 00000 n
+0000228883 00000 n
+0000228947 00000 n
+0000229011 00000 n
+0000229075 00000 n
+0000229139 00000 n
+0000229202 00000 n
+0000229266 00000 n
+0000232711 00000 n
+0000231764 00000 n
+0000229416 00000 n
+0000231880 00000 n
+0000231944 00000 n
+0000232008 00000 n
+0000232072 00000 n
+0000232136 00000 n
+0000232200 00000 n
+0000232264 00000 n
+0000232328 00000 n
+0000232392 00000 n
+0000232455 00000 n
+0000232519 00000 n
+0000232583 00000 n
+0000232647 00000 n
+0000488326 00000 n
+0000233444 00000 n
+0000233265 00000 n
+0000232810 00000 n
+0000233381 00000 n
+0000235453 00000 n
+0000235147 00000 n
+0000233530 00000 n
+0000235263 00000 n
+0000237484 00000 n
+0000237658 00000 n
+0000237902 00000 n
+0000237338 00000 n
+0000235592 00000 n
+0000237839 00000 n
+0000240022 00000 n
+0000239336 00000 n
+0000238057 00000 n
+0000239452 00000 n
+0000239705 00000 n
+0000239831 00000 n
+0000239958 00000 n
+0000242674 00000 n
+0000242242 00000 n
+0000240148 00000 n
+0000242358 00000 n
+0000242484 00000 n
+0000242611 00000 n
+0000483979 00000 n
+0000245717 00000 n
+0000244760 00000 n
+0000244453 00000 n
+0000242813 00000 n
+0000244569 00000 n
+0000244696 00000 n
+0000488451 00000 n
+0000246975 00000 n
+0000245601 00000 n
+0000244899 00000 n
+0000246912 00000 n
+0000246094 00000 n
+0000246356 00000 n
+0000246404 00000 n
+0000247397 00000 n
+0000247217 00000 n
+0000247116 00000 n
+0000247333 00000 n
+0000247831 00000 n
+0000247652 00000 n
+0000247439 00000 n
+0000248121 00000 n
+0000248005 00000 n
+0000247904 00000 n
+0000250521 00000 n
+0000249898 00000 n
+0000248163 00000 n
+0000250014 00000 n
+0000250077 00000 n
+0000250330 00000 n
+0000250457 00000 n
+0000251597 00000 n
+0000251417 00000 n
+0000250660 00000 n
+0000251533 00000 n
+0000488576 00000 n
+0000253825 00000 n
+0000253393 00000 n
+0000251696 00000 n
+0000253509 00000 n
+0000253761 00000 n
+0000256454 00000 n
+0000256147 00000 n
+0000253938 00000 n
+0000256263 00000 n
+0000256390 00000 n
+0000259522 00000 n
+0000259343 00000 n
+0000256605 00000 n
+0000259459 00000 n
+0000260615 00000 n
+0000260435 00000 n
+0000259660 00000 n
+0000260551 00000 n
+0000261792 00000 n
+0000261613 00000 n
+0000260727 00000 n
+0000261729 00000 n
+0000264008 00000 n
+0000263701 00000 n
+0000261917 00000 n
+0000263817 00000 n
+0000263944 00000 n
+0000488701 00000 n
+0000266023 00000 n
+0000265590 00000 n
+0000264146 00000 n
+0000265706 00000 n
+0000265832 00000 n
+0000265959 00000 n
+0000267673 00000 n
+0000267366 00000 n
+0000266148 00000 n
+0000267482 00000 n
+0000267609 00000 n
+0000269853 00000 n
+0000269674 00000 n
+0000267798 00000 n
+0000269790 00000 n
+0000271266 00000 n
+0000271086 00000 n
+0000269978 00000 n
+0000271202 00000 n
+0000272665 00000 n
+0000272486 00000 n
+0000271378 00000 n
+0000272602 00000 n
+0000275646 00000 n
+0000274892 00000 n
+0000272777 00000 n
+0000275008 00000 n
+0000275135 00000 n
+0000275262 00000 n
+0000275326 00000 n
+0000275390 00000 n
+0000275454 00000 n
+0000275518 00000 n
+0000275582 00000 n
+0000488826 00000 n
+0000276585 00000 n
+0000276406 00000 n
+0000275784 00000 n
+0000276522 00000 n
+0000277916 00000 n
+0000277609 00000 n
+0000276684 00000 n
+0000277725 00000 n
+0000277789 00000 n
+0000277852 00000 n
+0000280337 00000 n
+0000280745 00000 n
+0000280200 00000 n
+0000278041 00000 n
+0000280490 00000 n
+0000280553 00000 n
+0000280617 00000 n
+0000280681 00000 n
+0000281964 00000 n
+0000281784 00000 n
+0000280870 00000 n
+0000281900 00000 n
+0000283129 00000 n
+0000282950 00000 n
+0000282076 00000 n
+0000283066 00000 n
+0000285203 00000 n
+0000284642 00000 n
+0000283228 00000 n
+0000284758 00000 n
+0000284822 00000 n
+0000284886 00000 n
+0000285012 00000 n
+0000285139 00000 n
+0000488951 00000 n
+0000286683 00000 n
+0000286377 00000 n
+0000285328 00000 n
+0000286493 00000 n
+0000286619 00000 n
+0000288794 00000 n
+0000287915 00000 n
+0000286808 00000 n
+0000288031 00000 n
+0000288284 00000 n
+0000288348 00000 n
+0000288411 00000 n
+0000288474 00000 n
+0000288538 00000 n
+0000288602 00000 n
+0000288666 00000 n
+0000288730 00000 n
+0000291331 00000 n
+0000290642 00000 n
+0000288907 00000 n
+0000290758 00000 n
+0000290884 00000 n
+0000290948 00000 n
+0000291012 00000 n
+0000291076 00000 n
+0000291140 00000 n
+0000291267 00000 n
+0000292615 00000 n
+0000292308 00000 n
+0000291469 00000 n
+0000292424 00000 n
+0000292551 00000 n
+0000294673 00000 n
+0000293984 00000 n
+0000292740 00000 n
+0000294100 00000 n
+0000294226 00000 n
+0000294290 00000 n
+0000294354 00000 n
+0000294418 00000 n
+0000294482 00000 n
+0000294609 00000 n
+0000296435 00000 n
+0000296004 00000 n
+0000294811 00000 n
+0000296120 00000 n
+0000296371 00000 n
+0000489076 00000 n
+0000297954 00000 n
+0000297775 00000 n
+0000296561 00000 n
+0000297891 00000 n
+0000300067 00000 n
+0000299507 00000 n
+0000298066 00000 n
+0000299623 00000 n
+0000299876 00000 n
+0000300003 00000 n
+0000302740 00000 n
+0000302370 00000 n
+0000300180 00000 n
+0000302486 00000 n
+0000302612 00000 n
+0000302676 00000 n
+0000305083 00000 n
+0000304903 00000 n
+0000302865 00000 n
+0000305019 00000 n
+0000307198 00000 n
+0000307019 00000 n
+0000305222 00000 n
+0000307135 00000 n
+0000307604 00000 n
+0000307424 00000 n
+0000307323 00000 n
+0000307540 00000 n
+0000489201 00000 n
+0000308041 00000 n
+0000307862 00000 n
+0000307646 00000 n
+0000308331 00000 n
+0000308215 00000 n
+0000308114 00000 n
+0000310414 00000 n
+0000310045 00000 n
+0000308373 00000 n
+0000310161 00000 n
+0000310224 00000 n
+0000312951 00000 n
+0000312771 00000 n
+0000310527 00000 n
+0000312887 00000 n
+0000484417 00000 n
+0000313753 00000 n
+0000313574 00000 n
+0000313077 00000 n
+0000313690 00000 n
+0000315458 00000 n
+0000314898 00000 n
+0000313852 00000 n
+0000315014 00000 n
+0000315267 00000 n
+0000315394 00000 n
+0000489326 00000 n
+0000318094 00000 n
+0000317788 00000 n
+0000315597 00000 n
+0000317904 00000 n
+0000318030 00000 n
+0000320636 00000 n
+0000320136 00000 n
+0000318232 00000 n
+0000320252 00000 n
+0000320316 00000 n
+0000320380 00000 n
+0000320444 00000 n
+0000320508 00000 n
+0000320572 00000 n
+0000323334 00000 n
+0000322710 00000 n
+0000320775 00000 n
+0000322826 00000 n
+0000322889 00000 n
+0000322953 00000 n
+0000323017 00000 n
+0000323144 00000 n
+0000323270 00000 n
+0000325205 00000 n
+0000325025 00000 n
+0000323459 00000 n
+0000325141 00000 n
+0000327886 00000 n
+0000327707 00000 n
+0000325330 00000 n
+0000327823 00000 n
+0000329604 00000 n
+0000329424 00000 n
+0000328011 00000 n
+0000329540 00000 n
+0000489451 00000 n
+0000330114 00000 n
+0000329935 00000 n
+0000329729 00000 n
+0000330404 00000 n
+0000330288 00000 n
+0000330187 00000 n
+0000332543 00000 n
+0000331921 00000 n
+0000330446 00000 n
+0000332037 00000 n
+0000332100 00000 n
+0000332353 00000 n
+0000332479 00000 n
+0000332700 00000 n
+0000332726 00000 n
+0000333054 00000 n
+0000333078 00000 n
+0000333102 00000 n
+0000333434 00000 n
+0000333472 00000 n
+0000333504 00000 n
+0000333536 00000 n
+0000333962 00000 n
+0000334630 00000 n
+0000335184 00000 n
+0000335827 00000 n
+0000336457 00000 n
+0000336708 00000 n
+0000337104 00000 n
+0000337140 00000 n
+0000337764 00000 n
+0000338434 00000 n
+0000339074 00000 n
+0000339505 00000 n
+0000339937 00000 n
+0000341575 00000 n
+0000341808 00000 n
+0000357451 00000 n
+0000357972 00000 n
+0000364838 00000 n
+0000365142 00000 n
+0000368418 00000 n
+0000368655 00000 n
+0000375769 00000 n
+0000376062 00000 n
+0000377855 00000 n
+0000378090 00000 n
+0000379884 00000 n
+0000380118 00000 n
+0000381760 00000 n
+0000381992 00000 n
+0000399927 00000 n
+0000400512 00000 n
+0000405183 00000 n
+0000405461 00000 n
+0000407305 00000 n
+0000407531 00000 n
+0000409365 00000 n
+0000409591 00000 n
+0000411382 00000 n
+0000411610 00000 n
+0000417569 00000 n
+0000417896 00000 n
+0000421704 00000 n
+0000421987 00000 n
+0000430507 00000 n
+0000430912 00000 n
+0000443348 00000 n
+0000443810 00000 n
+0000445103 00000 n
+0000445342 00000 n
+0000461318 00000 n
+0000461782 00000 n
+0000477896 00000 n
+0000478517 00000 n
+0000483111 00000 n
+0000489558 00000 n
+0000489683 00000 n
+0000489809 00000 n
+0000489935 00000 n
+0000490061 00000 n
+0000490141 00000 n
+0000490242 00000 n
+0000511126 00000 n
+0000511325 00000 n
+0000511510 00000 n
+0000511694 00000 n
+0000511879 00000 n
+0000512063 00000 n
+0000512242 00000 n
+0000512418 00000 n
+0000512595 00000 n
+0000512771 00000 n
+0000512948 00000 n
+0000513123 00000 n
+0000513298 00000 n
+0000513475 00000 n
+0000513651 00000 n
+0000513828 00000 n
+0000514004 00000 n
+0000514181 00000 n
+0000514357 00000 n
+0000514534 00000 n
+0000514710 00000 n
+0000514887 00000 n
+0000515090 00000 n
+0000515285 00000 n
+0000515471 00000 n
+0000515660 00000 n
+0000515853 00000 n
+0000516046 00000 n
+0000516237 00000 n
+0000516430 00000 n
+0000516623 00000 n
+0000516816 00000 n
+0000517009 00000 n
+0000517202 00000 n
+0000517395 00000 n
+0000517588 00000 n
+0000517780 00000 n
+0000517973 00000 n
+0000518166 00000 n
+0000518359 00000 n
+0000518552 00000 n
+0000518745 00000 n
+0000518938 00000 n
+0000519131 00000 n
+0000519324 00000 n
+0000519517 00000 n
+0000519710 00000 n
+0000519903 00000 n
+0000520096 00000 n
+0000520289 00000 n
+0000520482 00000 n
+0000520675 00000 n
+0000520868 00000 n
+0000521061 00000 n
+0000521254 00000 n
+0000521447 00000 n
+0000521640 00000 n
+0000521833 00000 n
+0000522026 00000 n
+0000522213 00000 n
+0000522394 00000 n
+0000522579 00000 n
+0000522763 00000 n
+0000522948 00000 n
+0000523131 00000 n
+0000523312 00000 n
+0000523488 00000 n
+0000523665 00000 n
+0000523841 00000 n
+0000524018 00000 n
+0000524194 00000 n
+0000524371 00000 n
+0000524547 00000 n
+0000524724 00000 n
+0000524899 00000 n
+0000525074 00000 n
+0000525251 00000 n
+0000525427 00000 n
+0000525604 00000 n
+0000525780 00000 n
+0000525957 00000 n
+0000526130 00000 n
+0000526306 00000 n
+0000526470 00000 n
+0000526662 00000 n
+0000526859 00000 n
+0000527070 00000 n
+0000527281 00000 n
+0000527489 00000 n
+0000527691 00000 n
+0000527894 00000 n
+0000528097 00000 n
+0000528300 00000 n
+0000528527 00000 n
+0000528778 00000 n
+0000529020 00000 n
+0000529265 00000 n
+0000529508 00000 n
+0000529751 00000 n
+0000529994 00000 n
+0000530237 00000 n
+0000530486 00000 n
+0000530731 00000 n
+0000530974 00000 n
+0000531241 00000 n
+0000531532 00000 n
+0000531822 00000 n
+0000532113 00000 n
+0000532400 00000 n
+0000532686 00000 n
+0000532974 00000 n
+0000533257 00000 n
+0000533540 00000 n
+0000533823 00000 n
+0000534106 00000 n
+0000534389 00000 n
+0000534672 00000 n
+0000534844 00000 n
+0000534970 00000 n
+0000535085 00000 n
+0000535201 00000 n
+0000535319 00000 n
+0000535439 00000 n
+0000535559 00000 n
+0000535679 00000 n
+0000535799 00000 n
+0000535919 00000 n
+0000536038 00000 n
+0000536155 00000 n
+0000536271 00000 n
+0000536387 00000 n
+0000536507 00000 n
+0000536631 00000 n
+0000536760 00000 n
+0000536894 00000 n
+0000537033 00000 n
+0000537177 00000 n
+0000537277 00000 n
+0000537405 00000 n
+0000537523 00000 n
+0000537653 00000 n
+0000537744 00000 n
+0000537849 00000 n
+0000537889 00000 n
+0000538153 00000 n
trailer
<< /Size 2336
/Root 2334 0 R
/Info 2335 0 R
-/ID [<AC536755059BF91244AB1CCCA2C8FD05> <AC536755059BF91244AB1CCCA2C8FD05>] >>
+/ID [<71BD4028F0D7950F2733107F7862991E> <71BD4028F0D7950F2733107F7862991E>] >>
startxref
-538442
+538486
%%EOF
Modified: branches/samba/upstream/docs/Samba3-HOWTO.pdf
===================================================================
--- branches/samba/upstream/docs/Samba3-HOWTO.pdf 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/Samba3-HOWTO.pdf 2010-01-20 19:20:07 UTC (rev 3240)
@@ -5546,9 +5546,8 @@
/Filter /FlateDecode
>>
stream
-xÚ…Q±NÃ0�Ýû��m©1>Çvœ��©²D*��”Á4.
-J�dZ‰þ=gœéÞ;Ý»÷Î�ä�Ò¬Ä?õÖn�dE â�´"î@ 47 ‰2’�]�ד�êŽ�e¥i·�`öƒ�3}ô'V�}ó™–\ñï�7�+%}v]¦~êÙ«kI¸�š��x
-6/߆CˆaÚ/�ÍeèC�Æd�ãðZk™’�µá`Q¬ÑGgm�ÆSˆ(”†nyª�}bVÒ�§™�Èæácûí|d@§L6<‹�³€ÃŸ_çè×¹•²þ‚&D?.x'´hCŒW�WÜùxFït�H|4���àš%›Ÿ�Ž]|¼æ�j1�D’ýùŽ{·ú�Ýði�
+xÚ…Q=OÃ0�Üû+<ÚRóð³ã¬ H•%R±` �¦qiPš ÓJôßãàl�LïîéîÝYæäpR¯ø?óÖn�„!h@ *‰;�D���)µ �q�y¡î�X!¢íŽ£Þ÷~ÈôÑŸ˜Dúæ3•PÂw†›–IAŸ]›©�;öê�R•PrE
+P¡ÍÇ·á�b�÷KD}é»0‹S3›ê@¥”˜›�•�´É¬RŽÊÞ&�§�“Qhº…y�úĬ !Ž�+�›úuÞ7Ó‘!�3Ù@69f1‰?¿Îѯójîú�ê�ý°à�W¼ 1^�À|âÎÇsÊžŸ…B€‘©š4À^ºù‘%ÙÅÇk¾vI��ùìûó�÷nõ�GgiF
endstream
endobj
3698 0 obj <<
@@ -17762,8 +17761,8 @@
5702 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145320+01'00')
-/ModDate (D:20100104145320+01'00')
+/CreationDate (D:20100118125422+01'00')
+/ModDate (D:20100118125422+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/SVN/samba-docs/xslt/figures/note.eps)
>>
@@ -20477,8 +20476,8 @@
6193 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145939+01'00')
-/ModDate (D:20100104145939+01'00')
+/CreationDate (D:20100118130030+01'00')
+/ModDate (D:20100118130030+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -23201,8 +23200,8 @@
6551 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145320+01'00')
-/ModDate (D:20100104145320+01'00')
+/CreationDate (D:20100118125422+01'00')
+/ModDate (D:20100118125422+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/w2.eps)
>>
@@ -29616,8 +29615,8 @@
7158 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145319+01'00')
-/ModDate (D:20100104145319+01'00')
+/CreationDate (D:20100118125422+01'00')
+/ModDate (D:20100118125422+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/SVN/samba-docs/xslt/figures/important.eps)
>>
@@ -30177,8 +30176,8 @@
7220 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145940+01'00')
-/ModDate (D:20100104145940+01'00')
+/CreationDate (D:20100118130031+01'00')
+/ModDate (D:20100118130031+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -31095,8 +31094,8 @@
7310 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145940+01'00')
-/ModDate (D:20100104145940+01'00')
+/CreationDate (D:20100118130031+01'00')
+/ModDate (D:20100118130031+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -31324,8 +31323,8 @@
7323 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145941+01'00')
-/ModDate (D:20100104145941+01'00')
+/CreationDate (D:20100118130032+01'00')
+/ModDate (D:20100118130032+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -33503,8 +33502,8 @@
7639 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145941+01'00')
-/ModDate (D:20100104145941+01'00')
+/CreationDate (D:20100118130032+01'00')
+/ModDate (D:20100118130032+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -33755,8 +33754,8 @@
7653 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145942+01'00')
-/ModDate (D:20100104145942+01'00')
+/CreationDate (D:20100118130033+01'00')
+/ModDate (D:20100118130033+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -33936,8 +33935,8 @@
7661 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145942+01'00')
-/ModDate (D:20100104145942+01'00')
+/CreationDate (D:20100118130033+01'00')
+/ModDate (D:20100118130033+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -38293,8 +38292,8 @@
8275 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145943+01'00')
-/ModDate (D:20100104145943+01'00')
+/CreationDate (D:20100118130034+01'00')
+/ModDate (D:20100118130034+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -41427,8 +41426,8 @@
8676 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145944+01'00')
-/ModDate (D:20100104145944+01'00')
+/CreationDate (D:20100118130034+01'00')
+/ModDate (D:20100118130034+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -42820,8 +42819,8 @@
8863 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145319+01'00')
-/ModDate (D:20100104145319+01'00')
+/CreationDate (D:20100118125421+01'00')
+/ModDate (D:20100118125421+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/SVN/samba-docs/xslt/figures/caution.eps)
>>
@@ -44662,8 +44661,8 @@
9108 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145320+01'00')
-/ModDate (D:20100104145320+01'00')
+/CreationDate (D:20100118125422+01'00')
+/ModDate (D:20100118125422+01'00')
/Creator (GIMP PostScript file plugin V 1.16 by Peter Kirchgessner)
/Title (/home/users/jht/SVN/samba-docs/xslt/figures/tip.eps)
>>
@@ -49987,8 +49986,8 @@
9507 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145944+01'00')
-/ModDate (D:20100104145944+01'00')
+/CreationDate (D:20100118130035+01'00')
+/ModDate (D:20100118130035+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -50262,8 +50261,8 @@
9522 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145945+01'00')
-/ModDate (D:20100104145945+01'00')
+/CreationDate (D:20100118130035+01'00')
+/ModDate (D:20100118130035+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -54918,8 +54917,8 @@
9990 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145945+01'00')
-/ModDate (D:20100104145945+01'00')
+/CreationDate (D:20100118130036+01'00')
+/ModDate (D:20100118130036+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -55679,8 +55678,8 @@
10069 0 obj
<<
/Producer (GPL Ghostscript 8.64)
-/CreationDate (D:20100104145946+01'00')
-/ModDate (D:20100104145946+01'00')
+/CreationDate (D:20100118130037+01'00')
+/ModDate (D:20100118130037+01'00')
/Creator (inkscape 0.46)
>>
endobj
@@ -110513,59 +110512,57 @@
/FontFile 17559 0 R
>> endobj
17561 0 obj <<
-/Length1 1206
-/Length2 5601
+/Length1 1207
+/Length2 5646
/Length3 0
-/Length 6340
+/Length 6387
/Filter /FlateDecode
>>
stream
-xÚ“u\Ôy·ÇI �I)‘�é�†N¥»;…����f`�î���$%$”¥K�I¥»K:��I‰;»û<«wï¿÷5ÿÌûäçœïù±2éèóÊÚ!l J�8Š�Ä�’ Èkê� >~BVVy$�Œ‚"à
-`�D� ����d=� �ü ˆ„ ˜�¿0!+@�áê„:8¢ �òœ�‰�d] H¨-��Ð�£�!.è�¶`�@�a�… ¼ù ²0�@ïÏ�w€�Ä�‚ô„Øñ�‚@ ;¨-
-`�q€Â
-R…Û# ¢›í<\ÿëò„ ÝÑ¢ �h‘œ ´D;��æ
-°ƒØ��µ�è^�´’ÿ�Qÿ.®ä�ƒi]þ,ÿç’þ�ì�…yÿ' áâê‚ �š�;��þïPcÈßÚ4!vP�—{UQ`�ÔV�î ƒ øÿ6AÝ• ^�;�(ÊÖ�`�†¹Cþ²Càvÿ�ÞÛ_�€�†ú��êÜ¿ç_>�0�Ž2ðvý§êŸÁ1è�£·ƒ„z�ÌùùøùAè@ôï¿ÿ,ÿÕK�n‹°ƒÂÑ�!,� #‘`oBôe I�à��@áv�/ Ä�-�È�G Ð) ôNü�ö�$áŸÏ)"
- Êÿiú‹DA ò/� U~‘� ¨ö�‰¡}z¿�í3øE" Ñ?„~u ø��BGÚ"\\~Y@üü ÝoˆÖ ù�…Ñ}ì��Èßüè
-Ž¿¡0 �ý
-ѽ~C1 �ö�Š�€.¿�„î�ÿ
-Ñ�¿”¢c�pÈon´�×_nt®+� à ö¨_VЬßý?f´*Wôå#~›�„žã·±@è9ÜCtƯ|at3Ô3ÄonôR=~¡ º÷¯nè¡} È¿ÃÿïeÊÉ!¼|y�… ¼� €¸˜�@T˜ßÿÅÙz Ñ3 þúèÑçý_¶‡¢?��Ä�bK83‰°•�sJ‹(�PÌ�.Áå”s¨OЪþ4öñnèt"&¬¨WÝk±Êä²4ƒ‚d�wƒñÙ�½{L³Ÿî€ÒA°[BÚÄ͆§õF†O#½ÉQ†¦÷º+óYèî½�uã?ö„1µG�ûŠ“M�º^ïÞÍÓáP0ØÄ›gÂh3÷¬iË���5QÊ€�F†W± 2鑦¹�G E.<#M~‰³0��à�‰ßÀ=wˆhö ¿ÌÇÏMº±ø±=*c~?kBÄ�>81å8é�s�ÇÆ©p�1Æå¿Èllºº|Ÿ�|2,XÇ–��—ÎJ�‹(6<z9Ñ»LçWó:€/d~<¼/Wã™ _ÕÆÛ×îó´Z¦m€7³�2ÏøxŽŒ�àµZ{M&Á˜¥3‚µ~[ù¹#Î�ºSªÚî�.'’óö�Î_ÕF.½’�ù[‰fðãÓTÉ��¾òŸU=[Hǵˆ%Ë*ÏJ§Šé\Ö�¸â±ÿör·¦Ÿ€«�/nÙF9OÐlL`¶Xg�;嘆à-r'ŸÎ<Ú�nk¥ØùÉñ}À–ƒx<vp…_£ñ£?F©Õ÷¸§BZÞÀq��Zéç¤�ÇbÔ0“E_„|}«âÄÛ�D�µ�GÐåg\i{0Š�¢3eÌc�t†ùysxÒy‘7ÆÖž )–ù‘�‡áŒÑ‰ë]š�FE ›P~ò� t e%°ž~Šƒ)!Y;ÂÌ©1g�Fúú8Ÿ‚vÁ¼û)�8É{±¤�g›Ö�`On9]¿�¿›âœÚš»ð„wpŽ2�žãæq¨ÿ 4H�£JÃJR¸
-˜_»Ûn‘÷Ð
-§¤��ÊÃ~�™=žQ½NæèñºhÏt›¶Ê·¿2xü‹Ÿ¿?�ôxéÇ×¥¹àê�Æ4>1I+AW‘ÄA™�§YM°q¡±Çôúˆe�E¼Â<ÇwMÖeôl¤)_yÙfh3$×�•j°EÞ�‹KN[îêt f¹^ØÈvP)w2´qùè#÷ð�)YFå�'*ã��e�j?¶ˆþ&ùîÝöšb®�.¯š‡WX—<ѱJæò5å©’�œ°œ˜X…îb�SR8=Ÿ¢hS\áÙ'uVYCVÚ6�)ôù1¿b«ü‡µI�®kµŽ'´O�:¿j�9^±S�ê>]�5>J4,8–O”HW[È’ÁÇ’S¥BÍKç4¤ÅÍS–«(�Mϼ*Î�Jv0µ<
-hd�‹
-˜ÿÔdÓK˜h�Úyº¢/=|}œÝkëý˜G”£e÷<òV>-„†·½’µ€�&z÷탔ְc^`º��vÿÃ3ú�Õ˜Ÿã}Ë[O–@7,i¨†ê ¦ÐÉ”øÚÍ��ŒÁBM]Šé¢¼�™�Ñü÷í���ñÌ�Ã
-Åo£‹¤"Id �ºv 5GÕ®6ï—†adÖÅÏ7�,?Ç ˆ²çgH“ÿ1Ä]Ì�8q£2x´.°Ëä©Éç³ßÜÕÞ·j¶¶‘DZ·a_ž+tëü)/šJ›�ÛJ¿V³î4Óæzz²ãÅÀ� ßÍÒ’Œò#?²çÒO²‚sèÜ\8™\d•ÑUd-.˜F¿žl
-¼�¦�˜œ�>z�©ÿ�w?=9�´ETCÛ•4n…¹^B`©ûµufŒq—¾˜ô§Z�Iâ¦}ú�RéìÆFqe�®E[wq«&ŒJ îgðaž’ 5D)Òl=�žCôis‘{t©�ô~0}¢�·ñRi¹ÁŸn:Á,Î|ÚÖâ�ös÷íÜô–G�¦�2cÍF9ÉoÃß'ù�zΨÈÒ¹kPô½ù’·ý`a ¼ôÒ·eœ�zh›^»ÆtKãóTT›õÉà¹}œ�s’NlàxÆ“ª;F_F¥{¥Ò�7åûD��
-�™}Ü�ŠÈ"�o–™¦ ø™q¡1I7?c�‰�o]�¾=ħè �ºM�)ß=z®â@l�‹Käù�7�s�Äj÷Õ€<Åk†ávœ¥S,¢€“ûà�— ”—pŸi‹‹çÕh<æG©=2!]ƒ†k 'œ“˜VÕ¬T”à«p=•-ì4f�æ�Ž�WNÓN.ì×þ!Š�A�£7—ó-
-ÖÈ|Ý0ÔÖiãS�z�e‡¶Ü½ny�ð¡VÎâSãíKQÅ-�àTŠÒÛÓöUƒ�™T�ùòƒpßí�UžìaúÀÕ‰«%{j�Ęó�íüNb�Çwª�_²‘™‹N§f{:__ }EñO)ÕÓù4Ž¼+ËÜ”ôÙ³¹¹�î¹ÎÃï꨽ºå¦�×î`ÞÛ¡cñ®Çè°�ÔÅÃ��›6È�æ*k†‚l†¤dùY¬?§Çí<ì⪊�u,°ØŠ>�KbÂin^S'�ʃ”×�º¤^ùÊÓ�2GÕ�Œ>[èâÂú²+×öâ�bW´«{‹ï8ˆä®Qb�“wM�ýùƒ§Ñ¬¦�öÎY·!Ñö`œ)ÿ»mak÷[À¾�nWÍÊŠBùUª�ù|‘#¡-3‰¬�œï'6Z3nÇEŒÈ�šMyC�¥}ÇÕŸ§y.käõ�î�TR˜at?©ÝôK��IÙÿÀWÄi™Jš�ü¤ŽRÂ�Eæf;USa�{Š)W¦†òø>Æ”o �LX�b[sú³Ü…|�eÉ‚Ï%_òÙGaD.¡"|ªŠ”�]D��
-‡¿�²ö0¸�ò"ŸÁ|.—�ÇÊÒ£.ÑJùz¹Ù„Pxø…XÜãå„ð¢Ã*q(¡rxG¤Ì�Às—ó£€ñw5)Js_�¼Å—ušS[¢žÒ\�ÆÊ÷bæ)E,ßÕù¤ä¶9M¢�âvî<%
-£Ó¯ø�ïÆÐõÒˆî¡�e=ˆ©Ro6éñÈÑ(,ÞZéR�•D4žÌ¾býcM£³ù»ä`ÏÎ>ë®ø�“=�ó�1rÙ—¨‘¡OÊý•ˆ5�¼�À“h÷½„åpyÔl�2W‹�:�VÎ&Ì?è(¶r�¬"—Êä|ß@8C~� Fýä��Ÿ\ÇšPïð>öX6H¥Å7ÒF²_k}°"ÁIœn‘�úãÔœ��Ã��QÛ2áÀŽ~
-9 cè‹úõq"¢��z&I)å�E–ÛïN˜1�ð�8�$Ø�šz�†@§5|AäÐŽ“�¬:^ÉÜG¯ 7È‹«ù©ïÂø1mƶ�M`�ÁôŠ�ä=àˆøçoeŸ†—8Iý"£Rúù¢.³o�*Ér#€©B�ã¦Û�="u±zk÷ì�:=}J&XaoÈŠ£‚E���Ȭž�/”¼‚äPÊËÏU+p°îÆ©÷³Z¤%p.yiŒè²¥n¯{Æ6ÌD˯í6È)Ù¶µ’1ïÀ¦›ë/Y†tßwõ‡%uWb0Æ3lV�§¬WO›^šb§‰�¯Çd�›ëKî��Õ�¦ÃeãµGe÷sÅ - Ëu�wçFkójƒ™¸ª«2L»×k�K–ø#Íä�JT�V�A´Æi,ÀÊZM«À�É�ÛÌ«9óÈ´nÌ+Š �¨‡ÐÏzÐ$kg�\RKx Øÿ‰°�©ff]«�"‘*10qßQÿ}Þç�âÒiù²�ˆëYhÐ6öö%ƒ§�c�ý8±�ê��וXMÛäGjBŠ�
-æ0»��nJòþ��O²�è¿d É�ؽ
- I3¬®LŽó%ô´Mãþþ�‡�c_Ç¿Ç×ÈM|-À?« ¿ÁqÜPžè¥Á¹�SƒîíÓô×�ÞD�Ç3í!�ÏZŽ<É�P2Rt!ÚºœÏŸ¥�ª�æ�Ò2]„ŸŽ©�Õêp´¿oÞp�dHw��01Žsæ¦-Ô[á+Я"E§"„Sør„[*%Î3po�v†û��Þ%#·�rÝÜ�Üo�ÔÁÝ©]FÅ’Ïsð�%"áôÌ”>ë? £�Wr¹ãÙi�cßrÕO�–%¦+€ì=wû©‚Š�Hü5~¤9¿ïÜwéëæ9}¡µ®w¤ÖœŽ¡³�§á;ì�i¹A±¹�&‰Šöîî8úY¦w~:¼îEhˆHwîÖ
-D\Å,S?DIÇ�°Ù½Á¸cú¦M©�FÄ:!kÕãÜ(ÈüüRXÜ€_t‹Ó53u‡¿j€þ§QMèb�Gˆ™·Ö\›6Â>äH뺺�¯*䈒,º*êÁàãx ‰²2pÃEkëìñÑšR�±O•�MÅnËj�oˆ˜Ê÷ŠÌ󪥳‚N#ûXU�ª¨TdžÓÚ;äÀžÅñ&]Ù2ë'"®ÃN)��EoWÞª½Œ¥‚�Ò�…»�iJÔYÑ�ìaüˆN#YJ8T�&椚øù’ßoe_qŸòŽ��p²ã;YEeé”Ьé¡Îë&oî©47!]6
-¶¯?yÚ �ݬ�á2½®ó-w²�¸ºÞKúÐX´Éßþ�ëî¥ãÕ“[Ã�ò¯�~1÷QDµN7!þ™¯�;zJ<«—Z�jZ>7¯±î!�ªH~:?QÔS¬QV‰ƒw;çæ§Ã‹¸9‡}Óh(Ü�¾È$§%ÞI3IÓ¼ª©»¯�¬h¢™x¯úæ�»ãrž2Ž-ݲõM’�0¿ß†ÍÜL†‹è¦x²Ž©þ±�öv³ÃÊÞÎÇ�$ßk�
-Š¸¦ƒ±G�¹èÌ�Ü×^ÖÌî��£Ù~Ä—e_<ˆÅKØÓ�3Aï2÷Øy“ÝiÒë��ïãÊ�÷+Š¬SQ„‹@¯ÔàR)ŽÜ�†šóÎqQs°À‚žÈ·{¸ÅTOêÇ#¾Þ¶º*¹T�úZ·³Û=M¸¹wÉ5�y��¼gCR�ðžÛ¯›—UoF³“žc½œ£ò¤Ç�O¼Y‹²§k }¨ì:BqÕ�ÌÀç䘻ÿzjjQú]€\c@‘¶"˜‹�¶$2Vôìçè•tñºÛ¥å½ð–�-€—
-�÷ðϸã¤7VÓ²¤NY�»�÷Ä”-sŽñ8_”£ÚºƒîT®d£ŽÝ‚MÕi¾�`y��V…ùTâ�Ÿ™;!3=gÄCgú‰�–¯v?žŽ÷�-éíž°ð´àQîÁókê ùh|�¼_F%JÔPÑ°íâ(®X¨vX®7\—¡²V[�û�-‰k�XTM�z3O?ÔÄ�f�D%�ߨ�$^ß®–U6NL{PEþè�£UkÅ2å!xøªà
-LwnÆ�¯ìÄnZ�Í���N Í•ß
-4;qoç^äùã«Î ëGç‡u}Q¬˜¾þeÒº.†Ø;…òÎ'±y廾Õ
-�Ú7
-—ç�û¬ê/àß_‘7�õ�=v½”[80ï•6•%7�·(�qeܱ<û8šBùêC_YâmŠË�A27ËÑ�V˜�ñ�¢«�ÎÛ�*´�N’.Q
-{Mºe’‚Ó¡³�•ÖÙ×��”Ê“3e2fµK~^ðz)˜Ò‹ýB#-„gPÊoæ�K)§¢§ÀT¥�Ö†a�ÍÛUbÉN¥Ðá£Ú�“gJf‚ç&A2Ë��]5Z�³ú"�¨éŸÒóÓ¯‚�†—Åq�SOûöo;Y�SZªx‡LWS�YšGüÅX9gfw°#n"5gžOÛ��“°å˜\óI4�Ò�-µFlPÓqA�—A
-�)õbªu�Zï™,%²_««Õ‹Î›H÷êZ¾�SZáS€|›%�=ï¼’‰Ó#LM?-Õk1{èåc±³–³MÈ(�Á�ò„~ù½v1s�’ûP�6\½�øºïV½ãyáua�e«€âœKå�s×yÕ”ÉþÓÎðƒ€÷¥o.X±�ÍÎ:k%#�œdÄ�;yjÍ�n™Dûø�õk»5?ú²å²!©h%�˜¥)r~-G�kÄ$ÌJß’CÒJsfÓly(v;"&e òÁt‡ì¬žŠžÑ�Uþs’“�¦êÙ¢ë�aÄYÆZÐ��QT7ÓzÏiS�Ù�‡i=£Êø–Ú˜óÑ Ó'«èÍ”™äi|*åŠ]ib�wœ¶á#]°‚�I�í{jV�r�:Ãù\
-ÔðvWÎ G¹ÈÓ·1K7®ß>O�z˜g_�©ž?%í�ùž;1EBhëË&7–UÔÏÄ
-xFO"$üy°xÞýì•…»ì¯šªRuR—’ù-:à�ZX´0\#œßH;�0ÐP<tÄ,//Tšic;^^u¥Ôͯ’˜�]<1¥ž® ê��µ«nù¡D¤'°ÍiÙ��¿9»¸8•;c'LÓÿjý^eØè·�ï�‘à&{±²[1§†'dÛxÔä5}w9Ä�ĽSɦG¢³Œ¿å_4æ×}ÈÖ¨ëŒ`ó�;Vün-ÍPòôª;ì)q7�[Š©�K`€i&É�!ó®�L¦L{V¨ç4��ò*XH!Úú¨ÿBÊ›#~1›¼
-ÿmØ�íí±ËÔ×cf{«IDéÀd-˜÷à .v8G®dZúQ��B%þJ�ÃMŸèó…È£‚Ž�âŸ,nJÓXÀ…¶Ç�é�Zå·:áîœ>˜ùPðB�å®–j”�›3Á�¥�›�G¢�ÛÒ~Rg¸ðÜ�‰7SÍ�^��ÚY¶û•ìàáçÔek2„žÐz^â¼à¼5êÅ›µÁ.�üƒy!—Ëg½‚¯{‰¼"5ãÝwâ×sŽåÚÙ™#ý9ý™>�¾{Âë´�,Ë+Tï4©d gò,©Åí†X^àñ¹Ù“‚;Ÿ…æPG¸<#
-6ñ)•~De$9}Û¬ë”ªT~,ë|ÍÑOñx!A{:{Mß�‘ÆvúÈ�œ8ð=lbxúÄFLÅ&aZN¢M?P�â�ñ”$tûå½Ýfâ\¦ò�êƒÆÀCÐÒ±ØnEïH.û¯…j9Œ¾P\\oB/ð7Ìä�Ñí8ë�Aà·a°ËÀæòH&í@ÎFl!åÃä\á�:’·ñ}½¨te{ÖC5^ox�P¼ø]ã�Ê¢Ëg›BK7/«‘¤ý‚Úè£�ëSµ÷�ùí’P‹öãÁàHE:9�iKEõ$]J!õJhè~ŒÀ~‰`¹8…¬Ÿ�B¿Oñt yfœßÿyîf�Ê«Y‚º;(®òN�Í%�ÏPnÊýû‘#x´#¤R>fÅ|[Uóœ_w'í@of`l�kx�sw�"Ç»Lùºb[*Õç�qùß˺…jòÖcŠ‹úºîàE¼úY}”!÷ð¦d³ˆîÛ! ù•®†svÌŽ �ÀõC,�7�ï¤l¼�Ü4€&�cN÷�[öRDM!«ç“po„Ér¹Cç—„�§±Çqeñ�%‘SW�ÏT†¢œ�&wq�Þ=á6X›âÏp\Í�¤ÉŸÑ �¿¶ûr¼ÄÐF ñ&ç}§sŽ|°×¦“{±~ ™ûùcÚ†dwtç
-0ñb›Ú(1UI7=YÅqºÖà+"¢�Ul¥ž�â°øq…‰àÅ®¶�Å}ë.¦l+Ik8�9yÞy�é•_Z�ÁA4<�‹
-ß½Ïìþ@
-�˜¹iœ�¤/s~L@åZ;(bn§–ÇIÅz™�7Y}Tæ
-öí¨¾¼e7#”9¤w��UòOÑžìõ�Mu’�„ÚN�S‘“属1ßàÃÄ�?�{ùß«d�¿�9n§ËÐëìæ�èUS"f5Wµu†®Í>à�½ç!RBº"¹Ü—^ÍѼäKv0ÔÁ��ì`\p ‹�Ú«��›æRÓ$Tò½�t;¾Œ÷AoZ»½©Ÿø£�àFpè6.È�+s›}S%ÔÆ0<2ªQ»âøÐ�T6’Ù~ˆ9 h�^’~»1wïô�¦‘¬x
-iŒiàõ�õÏp�xSïçRN ¸ß�m�1¿æ�Ø�k?éÚö¢\¤]�ßÝ×J6z–C)oÔH˜JÌâbYU>ØèºqdãDÏàv‹«\»ð‹³\„pS‡µä´Ó–B—)Öû�ìt0�eZÙ�µ&�âx+è��êd�Â�ê��˜l³%òš�ÿ�WÍuÑ
+xÚ–g8œk·ÇÕ�ADÉÖ
+ÑÛ�½E'zï%��#�Fïè„è5º�Ñ{/Ñ‚è½E
+¢÷vfïý¾;9û|=×óåùú_뾟k†ŽZUƒMÜÜÎ�"c�sb�±ƒ��’Jê N ˆ�‹ŽN���;Aí`R`'ˆ $ �ˆ;[�89 ^A.~A��,:€¤½;�jiå�`”dú3ˆ� n�CÍÀ0€�ØÉ
+b‹¨a�¶�hØ™A!Nîì q��€úŸ�Ž uˆ#�î�1gÇ� æP3'€)Ä�
+Ã�þ)H�fa�àûÛlîlÿ_—��îˆ��`Dˆd� $šÛÁlÜ�æ��, ²�¢��¡äÿCÔ¿‹Ë8ÛØ(ƒmÿ,ÿç’þ�l�µqÿO€½³���P²3‡Àaÿ�ÕüM b�u¶ý·WÎ l�5�‡YÚ@ �› Ž2P7ˆ¹*ÔÉÌ
+`�¶q„üe‡ÀÌÿ-�±·¿$ ÕÕ�ÔTôXþ>Ï¿|ª`(ÌIÓÝþŸª�ÿÅ _ŒØ��ê�0à`çà !��ÏߌþÕK�ffg�…!.��/ �‡ƒÝ±�7�A< O�
+3‡¸� n�Á@v˜�"�€Ø‰7ÀÂ�Žõçqòò�€’šþ">� øê�q�€²¿ˆ� ”ÿ‡ø�>õ_„ðiþ"^ Pû�Bœ:�ü�q#"ÍìlmY@�� ùoˆÐ ù��C�ÿ>§_�ˆ�V¿!� �ý
+� Ö¿!? hó�
+ €¶¿�„h
+û
+�í~IEÄÚÁ ¿¹�3Ûÿr#ríÁp�Ì�bñK�7è?Vøÿ�ÍPe¸úv¿
+BÌ�ÿ
+�s8þ†ˆŒ_ù<ˆfN®v¿¹�[uþ…œˆ¶î¿º!†ö€Àÿ�ÿ¿WSBÂÎÍ“‹�ÀÆÉ���ðó�øx8¼ÿWœ™3�1ƒÓ__=â~ÿ—- ˆ¯��qƒ˜aÍNÙ™ �Y'Õ†�ûH玖 3#KXÖÅ*Wµ·< œ‰C¶)�Pp`^ªÔ½þ˜J€»‰¾IåzKæ�Þì¥öUæÀß!6yò~ÓÅd3Õ£L÷8UÉ}Þæ"p÷iSíÄé��²ÊØÒ`q‚^^OÆaïnŽ*£”æÖã�j¤��—ꎴ ^>]™T�ÐàJz.ju¼d‡â·Ü¡‹®x ïÐ�G�}¬C1êYæìšñ¯s1²ãï
+OwÆÄ�ž§Oò�Á†'§¦lm¬À�‘²,ÜT‘¹Ñi
+·×ŸÒ¢£\µô±É°‰—éñ`^éú�ï&�VI½ª3|Ø��&‚�³�]9Ù+7�3��H”õ: �æšÒ.ØYµ�a5Ê{ºþÈ�g¹j¼¶s³¿½aT›–SqÄ´=�Z°hºL¬ ]N”�y�ƒ±g1b’åðí^,®p\Tº.¦ �F<K/KO!
+ï^UýzËj±ÿn·z�“¹äqäªé«�.ýqιbÕ1Ô÷…üŠ\�ð�¹¤�a.03céîv«O>Û–�1¨þŸ½�t^”ý¡°Ç2�Ðú�†v`ÙF6/Œ5�.œÀ��°R(kÍÖàGüv/�³ÇK§Âì`�5 at uZ‡UÛï�ùËÖèÔ›%¶p3�L8Z� �Å�•5sQ²0Òç�zîÜ„òXÒØÒ�›þ!‚ƒinqs¬´éñ7¶Tdu‘�y\9Ïß“3á� ��Ï5®ÇÚˆ>0Ùïã�M3MoÏ_¹Àº˜Æh|/Ñs��N 5SƉ’Qâ¥n}�ÖŸt�æP�£•”¡@Y�nC3'R«6žY9g�ìéíTz�UøOôyy{�@O–OW–çý«¢uˆ=Âã×ünCqüÒÎÓ�mZ"�#NÈ4ìV=¤�ççX�5š”’Ñã½_a£Ÿ%I;M¨Áþ¨H�ú�, 4c´«ÚÕne*ÞEôª›¢ƒÙC�¾‡±DH;&5Y�I~œî«"b�¶/TT´³.-ŒÎ&ïì�Ô#‰}"›¶zGx.£
+Ã*ÃÁ‘%½ÚC�âIÉ%(Ø�rmW �×¢#é°�ÖJ^�÷*6Î¥¬‰7´_¯±:ó%�Õì^Q�±ºe ÐR{½�¨s�§•w"�'˜"¿˜.†"!Gä´ð2«>9r°LVJ{f6±8{$ÁRÏèܧa<Âg¡½Ñt +Î8°Wé|Mãåè�êI怙»�+�cëîeèƒdr 1[g�]�¶ÍK¹'…äïÛ‚NØ€)�ÔlkÆ*C”�dgrá7�ƒ«Û¢Ë {Úd§úªIêÀ©÷15[!�HÃùJj�3�9kb_ùr�>u�S=6h�Ê�x�+��Å�Ç:èÙÅR�“¿Ýzþ1�)6f¡�s5
+ ÀÇ›ú�¿|„¥˜�pæ@¤ùbƒs—ÚE‰ÝãgsOçàwýõÍ�ƽM‹²lî‡7í9!&D*T¨Æ�5Jµçi¦w3S]Ñ#œÇ ŒŸ�FF�ã„-�ðþk/¡ÏL#—�< ø¼ß©ìy×sHý‰5êžMƒ×À¤>SóÀ�"º¦ìÈç) i mìj’žø ��ä�L#µ•¶Ùqª]²b¼�ùRܸ-‹”=¸ÌŽ©ôÚ,L™¤öêAžÇ)�gˆÂƒfZDËIšx›|"*�»}k‰el9�ôi8e²�½áZfµ^‹ƒt&V?Ò`ÆÌ0�5Êq';¥õÅg=�±ñfí¬„ÂàOñžZ.³²â¤ŽŠ�ƒ�úrvÈ�¿–}¼ölÀ…�™¥Ô¬S?�{¼æS¡��¾´ˆ4¦‰WðH�|¤Ý7ör at 8ÙjKr—|˜sD¿es$$�k¢Yl† ó&õJEqŠtaV���Þ¾��íS¢/�t‘ÄŒ<Ä+Û=Ž’µÄѵ‰Œc]‰œ�?ñ£3_ÑÄï6Kñ0AÛÍ�’ÇÄrpÄŠŽ ʉ}N½ÍÌš8�ƒÜ"¼÷Œ[M³þNÐ�í,¼
+d<'ü–+1X]v�5™Æƒf1ÏžI¯›�5Ã;@:ÕÏpìþz¡µÞ�ž«�ä´}ÞðZ“Œâ•eGö^¯¤-øH9kéµÎÎ5Ÿô6'pú½Lá×óÎïšýb›IÄ’e�Áž;%r¬™£d¾-UqßKöä}p�0;9¬ù N�Uj%ŽÑ?3à›IÊtysw˽âÄ1-SGêÑð¨4mKÈcÏôþÊ¿ÿ.�£§«æö…`B¥‹fï�){�R—á°Úct°¿^½8`¾¢zÄÏtDXœƒÖäKòeä�Ê�æÊ°1«<Ãí°£ xj´ææu�,î�HY�—mÒ§$É0ÍÛÚ¼1×Å�f”¾]‰Žè>»í Øùø^uØñ«ØÍà‰G¶G•îôyŽd’�{Ñ�øžâ/öÁ «u(µÛYc�M9pýÇ›Z%^/
+€�ðÅé�Š•z�š}˜JPÔ;§ƒ�_“Zx”ÌŶ��H•÷z±]–�OÙ?^+fw-E…—�Hƒ‰ý…ŠÊWr˜:–¡�ò�WG–ccò™³‘ž,{ß›¸1¡Åm�â95/3^ëö$�™w$ëþ²�¢-“—ºš
+M×þ�†�’*d–Ù‹§»pŠ�>Œ-rZ›`ÃË�XÖ�lvp&êg�y�¡Y¤�“—Ϭê$èµ�·ó°“ÇI6,.nØÌuŸžõ�P‡Y~ ôŸ>XÉÎi”ê´8¿eÀ¦wΞ+-�î—Å*�ÊŸE†�|ï,)�‹bÿœG è�`ê�'×çÛ‰—u°~/çÆ·0�E�UÈ�%-º:A§ñ[î��‹_K0�ÞoKºˆG ’äY4’ü ²iص=¶vzí¨B�¶âTÛì©JÔ:ãKÜ��ãE)5ۄ˘qËbÅÚºN?3º�*öü†��GG=p·4rEWo²ØÛð8u,‰x$–Þù#Á%[bˆ í‡PàVáƒLû‡Îzxׇ¤¶Ö�ù¼é�aŸJŸ¦a>äùï£bã4vØÇ}¼³O¿Ñ€uT��}�kM\o�pÏñ¤{„±9Š»uFîùŽ&–Mé�Ÿs±½øPÍ–ÖfXûÝ‹�´‡¾�˜´MQ?=;Oýfô„Î<•?:cnÒÑ|~v%ƒU+§{ìjêå‹*¯¤»À•�¶hØ
+ë^ÛHoõì�o�¸7“wT!”íÓõ5Æ[šÁÃJŠy\'nH,�1ÒFœÅî@ŠGÒKôÂi½aéáÎa÷ íGe8ndÝþÙù…¥qt¼Š�.&/{ñùU
+‹žÓ.mÀ�ˆ¬%ÍœiÜ3¾�Ü�žØPÅ*Î.üÜûú2Ü“rþš0:þ�3
+ÅÀî@8R˜K:Àc·Ù€´��>ø��q±–¿t.æ]£ÈÑâ¹™�§:vZ¸6�¤þé£ZªÕ’ŽAÏSÓ×Åà¤ó†â"Ä™¤¾ $#ûH¾d��Ï„~�ø®©ò±y›¢��å\È�oÁîaHá–ÔT°Åy÷¬v‰}óô0æCÄ‹}ÒT‰³ÇÂkBÓØ+ƒ®«wx+�ïÝ‹~†çiìâ-p†Áôü–¸,iÌUb‹û³ C†n�„ô�
+u³¼í©ö¾¬��D'pzµÍÛn úMæPù³šß�J6i2E’¤U顳»”a—�Ify—•�rã�úX—ÆÓ¾Mx\�ß¿Öóüj ]Í£™�×t9ŠfdÙÀUÒí�Æ�1�éÃ�¡EíB—w;ݺ�{B-);CÑÉU�8Ø,…�C�„�³+SQÑ_�¨èdMT¿u:Pïç9–t�ŸØœ#Ê��kÕÆBúq�85¹ê*šk—ol½ƒ¦GhNY„ÄpOúÖsZ“àøMukb{@(dR2ãG‚Ñ2!‘fጾ[…æœZù‚§j�¹x†�^±,¡Rõx;téðŽÝFvÚsÔ{a¶pÄ2ÂÒ™Ô%SÓ Cû±°O;ùô+&®[7‰Û>#”ág䫺?åC.Ñ1�ôé�8ª³Ö©³�pÆ��2úÉTÆ!þó<��Å=£�X§·”Aý†T�KŒ¶��ä Ï9‡’i�£p›�cdµÁhéÚ��Ú$¨ô´S*¥>»|&þ2�o¥Â]iºqpbŽj£þ[0��Õfu!¤PÛ@Ðg)�SL|„.,èÉ�vô½Þ¨�Œ»�ƒzÌ{ôZ�ÛÖ–¥NÓä»·�9ÝeÞ¬C¦ú�™ä”6Ú·fr÷«jÉ‘úêΩRñ.š�Þ3Z�`¯–¤”Ë©+uøØ@²¹�¼ÈÍÔ=ÆôšUCZ�Ú�ž¾¼8R;çæ;�/snÓ…-Uélð¿/n�¶NxRHqõs‘Â~#˜üV/Ph’£ÇQV^k»+‰Ø„JÖ���GŠÎÜÄ�ã[{ 2ßg�UÇ �2”Ée–w8áj¾^Ž�H¤¹˜øZ^å—‚âëZiRú�iýŸ=w�ã¥ü7‰jñ‡õèÉ™Þ�t�~”ŠE~´c�àŸ—]ŒGö3(4ïÃ?G,�f(!à~óÓÿ“®Ên«ü�¯©�ÊÌ
+÷»§›_¦×¤¿¼³¶"�y²kò‰�4Ãå¥{óL™µp_‚i'@:‡ø©¥€:ü�± 3�yÓØ�ÀÔÏ¡óè|X1ןwݤ9¬o¶vß»KùÁh¡ ú8�³pJhâˆÞ˜’“ÿÌ�u›bˆBb�êuÆ·§¸3îÏu‰tT2„�`K$Œúþ$ ú„>w[ÕÂè•iõÇ|�.@�ì�©×|qU©ÂÂ?ÓÍ-œ�4ö”Evñg~±Èù�Ã�ÁãvyñÑás¼zBE\(�ºY�rÐðû³0Œ·�J+�îOê€kY6¹¯ÔöœCC�=<�—¢VM¶ƒý&dlç�S‹â’ˆÍaÓ
+h§„pµÀ3Í:�–ã\%ÉYq´…Å"ìÁšTF
+4ã5]#ºÄ(kcÜ—�ðƒ��Œ¶o�?/è&ûžØ½ÆÒ;�âk44V�¯ž<ëͨ$ú�£õ@îÄ\Õwa¶u1è,ÄÒÉ0¼Ü�ñ9ˆöZy�Ýã³ÑëZ��u‚R¼Kr$ã×å2SM^��Ü:Šš©y•uÉxž~¡×ètw¼Ã§ç—79É-¹"Oz�ô¨NR+8Óûo�*¿Žßù<�šÐe�å«j‡JíŽÒ†˜ƒuDS*4GëO¡¬b?�:| ʼãÖO1E¤I&5s¼1Ä—ÖvuÇç��¨·"¹yé�eé�Ÿà˜Mªr…mãF»ŒVÕ�´ÚJ‰j.Q��ÜšóøÕ3†§K�3±âÞ±®Ã�ç�Ñ2»‚
+�ÅëÓøØ¡ã©Ñþwk’ÀOµ�§�Òz¼ê‰fOÓåqÛúBM+øÉú�Œæ”ŠÎaV¸áÁoŸ°õ��c79è)ühM{03r ¶‚�~àép!}Ùn±¼U²‰€¾¼Z)å‰�ÿ„w<ª�óÍÛË�Ô±{cƒ½:Õ)ÓHtVb€'îǼ”ÛQóAø¶°òÇÌÃËhxÿÞŠÎ>„oOnä��™cçÁY8¸‡Ð—©|A;ÁˆÖž4.²ˆmyä�TÛ‡¼)Âð�Xz�©7Þ¤ð��»Õ¹ôðA£%^B†a.6�c»Ë;¹Uí]�Ï`�EñÇ„ @eÓ”3�¢ Òã©�œðÉñ¹Gº%*jÛ�¬QFIQ+Ñ•."gbX�-_‡i8�†²6Ï„ó¾'ÀO�EºÐÉÊ�:¹l�x&»žI×A‚^Hh±EêªÂÔŸ´R�V�ûÀH�®iô 0fQ2Øeˆ¥¾�Ñ's×®YñK�ù�T•a3Ö�£�£²€jô�ò»RµÓ�̪N=�ñ:b•õ¼h‚þPuhÐnTý!‚Aþ~‰5™— À?ám�EÛšò£AB�ñÑ
+Ó„¬ŸŽ�I;-ÊÕć£Ž�ª±8�ßu·Oðj¼²iå�Ó°^œˆévY�75³0#xÈiÖÀ²�°/üžò¦Å½ËÌîÕÖü»›¸„BƬ,oM–ïEYiÌÉ®ûI+üÝ��:ÇM¨â˜ËYu’�¾¹Ö��3“D‰?žä?SÊÛR|��{SÌÝ…ÙÞçX{»Â;Ê&”‹e\ºUS,vêsÿúð§�Ö™â؈–�<s÷Žé,¸µ-¬ö]=E~�Œ‹™*ž1šÞS5v²»�w~ç
+�å>g�‚©ÇÔ*Â�ùt€ÕR~{¤�ª(VÔ�rœNíxÒºhÌ�+h�bŸ�[4,³“n_O¡.ŸH:jöbìØè}�…‹)÷ÔJ�øØ&àicÅU0`Žã¼F¦mAò`Ê5���õ��(®¦¿¦xýªóòH�gcóñJÀàÒ'8ºzÂ9APVzäE¢óÇÅÜ*YÅÉG±ÅT´]ÊØ ˜w�\Fnäk�m™·ëÇã|ý"Ù3E�ÆÌк–zÔù2ó•CPÕ�ù"%ϾŒ†{|ƒRÃT>†›´å±ÜÆýƒì�4ÊÐøhm‘ò#É¥¹o|ÅdLOÇbÉÃ1Gà’
+F<$öÊ�]BïÉ€CŸ®F¤�
+Eb°�)x’©ªb8`Ξ"þRÄ�¿§ð¢ý¹8ºS�‘“Ù¸œ«êÌùäŒÝ^GôÂvÕD\JK}©ã¦òðÔÚÌë qˆ2Ÿêˆ‘�Ç6¨”�º/:$��jðvÔf¤Y�uj#WŒ}ØN<æh•jÏr»¯öúüGœƒ³2ë�¦ê�÷»�â};b×óeOnŽ
+�_´â�Xª˜µ‹oBrÈ�î8Éꋬø2Y
+ “P�É$²bq{�žÚ�™°ûõk–W {“¨Ä�F¦çã<„
+×+h.{Áb»Sj�BÒ$§��ô—ä%�ÆÒ¼ÉUÍ�HYç�-q‹-„$�Îgê<�´”å3_méÔo颺¦èÝn4®·Lô��ê®Y€ò]§•�ã_Ý�6Ôס=]�««óïT
+�}_Ë«’w�gZ2��æ>:z¿Ô¦+›=¯¹í1æ-€ý¾{[.�£oãö4*&ˆPN³;UŽª‚7†�uÙÁ± ê�G�÷éó„Ç�Þ(UñãÇ×ÛRQÒ˜:Ï{4> nãQߌ�ãiÖ^(�ë&6â„´
+h5ø�îÓ2ãn5†“qã5qRôòqºŒvHÅõáGe0�àEôÒ~j]™˜jú<QÁ{O,�Š�¸�èût+Ñwž8™è6Ÿå€�ñÂÇŸõ%ÜöÁ^Š)#÷™ôŒÁGbC®�Ÿ¥s`�Ž‹�ˆSÚœ:èÐÈUf- íg”§Y÷îsônd~ñÌê‰,Ñ(¤nȵ˜�î/e�’™hæj�¤øõ¢÷vhÔnåb»\��tÂ4>©�®�£^Ù��¾ç5“)—ýa9¢òƒÞÜLî�ê_E�Hðr×¾œ<rUâÌŸ�^?�4¥%ý@qÂDå§gž�õöaà«Úf�á±ÌDZ¦Ï,µ*xÙT«bîÍ6¡‹�]¼Ôj“š±UC™.(Çy�&�›t52
+åu¿vÌ8âHp�糯þä+ÛzZí9ûc¨OhZÎê˜1ÃHDµ@º×œ�C¹‰¯P햗芩jfIP–¨³õ';vó�è`lþ†¶Ý�`ÝqNç«�…ãTë·Æ—xB�ðÚ.Ì�¼Ùî(Nk�y¬Dø-Ø�pœ’ç6ŸŽÃï½Ú�…áci�Ú˜ª´¤ÂL)�ÂÈ�™.ж��¢8îØb¼õÑEÇ_xçž É¬°]d"°íŸ�P‰i4>bÝ•ªïÐŒ4[íÑÖyà7g™ªXe©m<çäÉ’‹º :<>cø®À�yƒ�4�Ò¥H—�×ñ��,à·RöHÏ3'-M��|d5Y‘xç�äÛdÉ�úã:Þé�Iµ�<×0º=9â«FµðO\úµ¡:éU+iU梥ÿ�Eꚟ
endstream
endobj
17562 0 obj <<
/Type /FontDescriptor
-/FontName /LUSTLK+CMR12
+/FontName /RQKQOY+CMR12
/Flags 4
/FontBBox [-34 -251 988 750]
/Ascent 694
@@ -110574,7 +110571,7 @@
/ItalicAngle 0
/StemV 65
/XHeight 431
-/CharSet (/C/G/H/J/R/T/V/a/comma/d/e/four/h/i/j/l/m/n/o/one/p/parenleft/parenright/period/r/s/t/two/u/y/zero)
+/CharSet (/C/G/H/J/R/T/V/a/comma/d/e/eight/h/i/j/l/m/n/o/one/p/parenleft/parenright/period/r/s/t/two/u/y/zero)
/FontFile 17561 0 R
>> endobj
17563 0 obj <<
@@ -112037,7 +112034,7 @@
3704 0 obj <<
/Type /Font
/Subtype /Type1
-/BaseFont /LUSTLK+CMR12
+/BaseFont /RQKQOY+CMR12
/FontDescriptor 17562 0 R
/FirstChar 40
/LastChar 121
@@ -123731,8 +123728,8 @@
>> endobj
18548 0 obj <<
/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfTeX-1.40.9)/Keywords()
-/CreationDate (D:20100104150254+01'00')
-/ModDate (D:20100104150254+01'00')
+/CreationDate (D:20100118130337+01'00')
+/ModDate (D:20100118130337+01'00')
/Trapped /False
/PTEX.Fullbanner (This is pdfTeX using libpoppler, Version 3.1415926-1.40.9-2.2 (Web2C 7.5.7) kpathsea version 3.5.7)
>> endobj
@@ -123745,3695 +123742,3695 @@
0000005425 00000 f
0000000015 00000 n
0000105464 00000 n
-0005054475 00000 n
+0005054523 00000 n
0000000061 00000 n
0000000102 00000 n
0000105525 00000 n
-0005054387 00000 n
+0005054435 00000 n
0000000148 00000 n
0000000178 00000 n
0004689493 00000 n
-0005054297 00000 n
+0005054345 00000 n
0000000224 00000 n
0000000251 00000 n
0000111782 00000 n
-0005054207 00000 n
+0005054255 00000 n
0000000298 00000 n
0000000333 00000 n
0000355432 00000 n
-0005054117 00000 n
+0005054165 00000 n
0000000380 00000 n
0000000414 00000 n
0000373402 00000 n
-0005054027 00000 n
+0005054075 00000 n
0000000461 00000 n
0000000494 00000 n
0000386618 00000 n
-0005053937 00000 n
+0005053985 00000 n
0000000541 00000 n
0000000568 00000 n
0000397246 00000 n
-0005053847 00000 n
+0005053895 00000 n
0000000615 00000 n
0000000641 00000 n
0000402333 00000 n
-0005053757 00000 n
+0005053805 00000 n
0000000688 00000 n
0000000719 00000 n
0000414469 00000 n
-0005053628 00000 n
+0005053676 00000 n
0000000762 00000 n
0000000808 00000 n
0000415597 00000 n
-0005053554 00000 n
+0005053602 00000 n
0000000856 00000 n
0000000908 00000 n
0000418416 00000 n
-0005053428 00000 n
+0005053476 00000 n
0000000954 00000 n
0000001012 00000 n
0000418542 00000 n
-0005053354 00000 n
+0005053402 00000 n
0000001060 00000 n
0000001113 00000 n
0000418668 00000 n
-0005053230 00000 n
+0005053278 00000 n
0000001161 00000 n
0000001214 00000 n
0000418794 00000 n
-0005053156 00000 n
+0005053204 00000 n
0000001267 00000 n
0000001317 00000 n
0000425614 00000 n
-0005053069 00000 n
+0005053117 00000 n
0000001370 00000 n
0000001424 00000 n
0000425740 00000 n
-0005052982 00000 n
+0005053030 00000 n
0000001477 00000 n
0000001516 00000 n
0000431754 00000 n
-0005052858 00000 n
+0005052906 00000 n
0000001569 00000 n
0000001615 00000 n
0000434942 00000 n
-0005052797 00000 n
+0005052845 00000 n
0000001673 00000 n
0000001735 00000 n
0000438103 00000 n
-0005052723 00000 n
+0005052771 00000 n
0000001788 00000 n
0000001817 00000 n
0000438229 00000 n
-0005052636 00000 n
+0005052684 00000 n
0000001865 00000 n
0000001923 00000 n
0000440262 00000 n
-0005052549 00000 n
+0005052597 00000 n
0000001971 00000 n
0000002020 00000 n
0000440387 00000 n
-0005052423 00000 n
+0005052471 00000 n
0000002068 00000 n
0000002123 00000 n
0000443192 00000 n
-0005052347 00000 n
+0005052395 00000 n
0000002176 00000 n
0000002228 00000 n
0000443318 00000 n
-0005052270 00000 n
+0005052318 00000 n
0000002282 00000 n
0000002320 00000 n
0000446003 00000 n
-0005052154 00000 n
+0005052202 00000 n
0000002369 00000 n
0000002406 00000 n
0000446130 00000 n
-0005052075 00000 n
+0005052123 00000 n
0000002460 00000 n
0000002516 00000 n
0000446256 00000 n
-0005051982 00000 n
+0005052030 00000 n
0000002570 00000 n
0000002632 00000 n
0000447436 00000 n
-0005051903 00000 n
+0005051951 00000 n
0000002686 00000 n
0000002748 00000 n
0000452839 00000 n
-0005051787 00000 n
+0005051835 00000 n
0000002795 00000 n
0000002856 00000 n
0000456544 00000 n
-0005051708 00000 n
+0005051756 00000 n
0000002905 00000 n
0000002950 00000 n
0000456671 00000 n
-0005051615 00000 n
+0005051663 00000 n
0000002999 00000 n
0000003051 00000 n
0000459118 00000 n
-0005051497 00000 n
+0005051545 00000 n
0000003100 00000 n
0000003139 00000 n
0000459245 00000 n
-0005051379 00000 n
+0005051427 00000 n
0000003193 00000 n
0000003236 00000 n
0000459372 00000 n
-0005051300 00000 n
+0005051348 00000 n
0000003295 00000 n
0000003358 00000 n
0000468419 00000 n
-0005051207 00000 n
+0005051255 00000 n
0000003417 00000 n
0000003481 00000 n
0000469506 00000 n
-0005051114 00000 n
+0005051162 00000 n
0000003540 00000 n
0000003590 00000 n
0000480359 00000 n
-0005051035 00000 n
+0005051083 00000 n
0000003649 00000 n
0000003716 00000 n
0000491656 00000 n
-0005050903 00000 n
+0005050951 00000 n
0000003770 00000 n
0000003816 00000 n
0000495293 00000 n
-0005050838 00000 n
+0005050886 00000 n
0000003875 00000 n
0000003924 00000 n
0000505599 00000 n
-0005050720 00000 n
+0005050768 00000 n
0000003978 00000 n
0000004021 00000 n
0000508094 00000 n
-0005050641 00000 n
+0005050689 00000 n
0000004080 00000 n
0000004135 00000 n
0000517138 00000 n
-0005050562 00000 n
+0005050610 00000 n
0000004194 00000 n
0000004240 00000 n
0000542539 00000 n
-0005050429 00000 n
+0005050477 00000 n
0000004284 00000 n
0000004339 00000 n
0000543715 00000 n
-0005050350 00000 n
+0005050398 00000 n
0000004388 00000 n
0000004443 00000 n
0000546199 00000 n
-0005050218 00000 n
+0005050266 00000 n
0000004490 00000 n
0000004551 00000 n
0000546326 00000 n
-0005050139 00000 n
+0005050187 00000 n
0000004600 00000 n
0000004645 00000 n
0000548490 00000 n
-0005050046 00000 n
+0005050094 00000 n
0000004694 00000 n
0000004730 00000 n
0000552016 00000 n
-0005049914 00000 n
+0005049962 00000 n
0000004779 00000 n
0000004823 00000 n
0000554643 00000 n
-0005049796 00000 n
+0005049844 00000 n
0000004877 00000 n
0000004922 00000 n
0000557704 00000 n
-0005049731 00000 n
+0005049779 00000 n
0000004981 00000 n
0000005030 00000 n
0000557959 00000 n
-0005049599 00000 n
+0005049647 00000 n
0000005084 00000 n
0000005130 00000 n
0000560537 00000 n
-0005049534 00000 n
+0005049582 00000 n
0000005189 00000 n
0000005238 00000 n
0000560792 00000 n
-0005049402 00000 n
+0005049450 00000 n
0000005292 00000 n
0000005362 00000 n
0000563366 00000 n
-0005049337 00000 n
+0005049385 00000 n
0000005421 00000 n
0000005470 00000 n
0000570178 00000 n
-0005049205 00000 n
+0005049253 00000 n
0000005524 00000 n
0000005591 00000 n
0000570305 00000 n
-0005049140 00000 n
+0005049188 00000 n
0000005650 00000 n
0000005699 00000 n
0000570752 00000 n
-0005049022 00000 n
+0005049070 00000 n
0000005753 00000 n
0000005818 00000 n
0000575827 00000 n
-0005048957 00000 n
+0005049005 00000 n
0000005877 00000 n
0000005926 00000 n
0000578697 00000 n
-0005048864 00000 n
+0005048912 00000 n
0000005975 00000 n
0000006016 00000 n
0000581705 00000 n
-0005048746 00000 n
+0005048794 00000 n
0000006065 00000 n
0000006102 00000 n
0000584519 00000 n
-0005048667 00000 n
+0005048715 00000 n
0000006156 00000 n
0000006208 00000 n
0000584646 00000 n
-0005048574 00000 n
+0005048622 00000 n
0000006262 00000 n
0000006325 00000 n
0000584772 00000 n
-0005048481 00000 n
+0005048529 00000 n
0000006379 00000 n
0000006438 00000 n
0000584899 00000 n
-0005048388 00000 n
+0005048436 00000 n
0000006492 00000 n
0000006566 00000 n
0000586794 00000 n
-0005048309 00000 n
+0005048357 00000 n
0000006620 00000 n
0000006731 00000 n
0000589335 00000 n
-0005048177 00000 n
+0005048225 00000 n
0000006778 00000 n
0000006822 00000 n
0000616982 00000 n
-0005048098 00000 n
+0005048146 00000 n
0000006871 00000 n
0000006916 00000 n
0000628026 00000 n
-0005048005 00000 n
+0005048053 00000 n
0000006965 00000 n
0000007023 00000 n
0000636069 00000 n
-0005047873 00000 n
+0005047921 00000 n
0000007072 00000 n
0000007120 00000 n
0000636196 00000 n
-0005047794 00000 n
+0005047842 00000 n
0000007174 00000 n
0000007223 00000 n
0000644402 00000 n
-0005047715 00000 n
+0005047763 00000 n
0000007277 00000 n
0000007331 00000 n
0000653704 00000 n
-0005047622 00000 n
+0005047670 00000 n
0000007380 00000 n
0000007441 00000 n
0000662297 00000 n
-0005047529 00000 n
+0005047577 00000 n
0000007490 00000 n
0000007538 00000 n
0000665298 00000 n
-0005047397 00000 n
+0005047445 00000 n
0000007587 00000 n
0000007649 00000 n
0000665425 00000 n
-0005047279 00000 n
+0005047327 00000 n
0000007703 00000 n
0000007757 00000 n
0000665552 00000 n
-0005047200 00000 n
+0005047248 00000 n
0000007816 00000 n
0000007865 00000 n
0000666380 00000 n
-0005047107 00000 n
+0005047155 00000 n
0000007924 00000 n
0000007998 00000 n
0000669034 00000 n
-0005047028 00000 n
+0005047076 00000 n
0000008057 00000 n
0000008118 00000 n
0000675251 00000 n
-0005046949 00000 n
+0005046997 00000 n
0000008172 00000 n
0000008231 00000 n
0000680455 00000 n
-0005046831 00000 n
+0005046879 00000 n
0000008280 00000 n
0000008317 00000 n
0000680582 00000 n
-0005046752 00000 n
+0005046800 00000 n
0000008371 00000 n
0000008440 00000 n
0000680709 00000 n
-0005046659 00000 n
+0005046707 00000 n
0000008494 00000 n
0000008576 00000 n
0000682848 00000 n
-0005046566 00000 n
+0005046614 00000 n
0000008630 00000 n
0000008697 00000 n
0000685568 00000 n
-0005046473 00000 n
+0005046521 00000 n
0000008751 00000 n
0000008820 00000 n
0000685695 00000 n
-0005046380 00000 n
+0005046428 00000 n
0000008874 00000 n
0000008916 00000 n
0000685821 00000 n
-0005046287 00000 n
+0005046335 00000 n
0000008970 00000 n
0000009025 00000 n
0000687714 00000 n
-0005046208 00000 n
+0005046256 00000 n
0000009079 00000 n
0000009167 00000 n
0000690216 00000 n
-0005046076 00000 n
+0005046124 00000 n
0000009214 00000 n
0000009265 00000 n
0000690343 00000 n
-0005045997 00000 n
+0005046045 00000 n
0000009314 00000 n
0000009359 00000 n
0000693134 00000 n
-0005045865 00000 n
+0005045913 00000 n
0000009408 00000 n
0000009464 00000 n
0000696046 00000 n
-0005045747 00000 n
+0005045795 00000 n
0000009518 00000 n
0000009579 00000 n
0000702330 00000 n
-0005045682 00000 n
+0005045730 00000 n
0000009638 00000 n
0000009691 00000 n
0000706819 00000 n
-0005045589 00000 n
+0005045637 00000 n
0000009745 00000 n
0000009795 00000 n
0000710151 00000 n
-0005045496 00000 n
+0005045544 00000 n
0000009849 00000 n
0000009906 00000 n
0000713287 00000 n
-0005045403 00000 n
+0005045451 00000 n
0000009960 00000 n
0000010036 00000 n
0000713414 00000 n
-0005045285 00000 n
+0005045333 00000 n
0000010090 00000 n
0000010166 00000 n
0000713541 00000 n
-0005045206 00000 n
+0005045254 00000 n
0000010225 00000 n
0000010280 00000 n
0000716442 00000 n
-0005045127 00000 n
+0005045175 00000 n
0000010339 00000 n
0000010395 00000 n
0000716569 00000 n
-0005044995 00000 n
+0005045043 00000 n
0000010444 00000 n
0000010506 00000 n
0000719563 00000 n
-0005044930 00000 n
+0005044978 00000 n
0000010560 00000 n
0000010607 00000 n
0000727441 00000 n
-0005044812 00000 n
+0005044860 00000 n
0000010656 00000 n
0000010693 00000 n
0000727568 00000 n
-0005044733 00000 n
+0005044781 00000 n
0000010747 00000 n
0000010803 00000 n
0000730207 00000 n
-0005044640 00000 n
+0005044688 00000 n
0000010857 00000 n
0000010937 00000 n
0000730333 00000 n
-0005044547 00000 n
+0005044595 00000 n
0000010991 00000 n
0000011055 00000 n
0000731445 00000 n
-0005044468 00000 n
+0005044516 00000 n
0000011109 00000 n
0000011163 00000 n
0000733489 00000 n
-0005044336 00000 n
+0005044384 00000 n
0000011210 00000 n
0000011257 00000 n
0000733616 00000 n
-0005044257 00000 n
+0005044305 00000 n
0000011306 00000 n
0000011351 00000 n
0000736100 00000 n
-0005044125 00000 n
+0005044173 00000 n
0000011400 00000 n
0000011476 00000 n
0000740279 00000 n
-0005044046 00000 n
+0005044094 00000 n
0000011530 00000 n
0000011597 00000 n
0000745927 00000 n
-0005043953 00000 n
+0005044001 00000 n
0000011651 00000 n
0000011734 00000 n
0000749094 00000 n
-0005043860 00000 n
+0005043908 00000 n
0000011788 00000 n
0000011859 00000 n
0000749412 00000 n
-0005043742 00000 n
+0005043790 00000 n
0000011913 00000 n
0000011997 00000 n
0000751981 00000 n
-0005043663 00000 n
+0005043711 00000 n
0000012056 00000 n
0000012119 00000 n
0000752108 00000 n
-0005043570 00000 n
+0005043618 00000 n
0000012178 00000 n
0000012224 00000 n
0000752235 00000 n
-0005043491 00000 n
+0005043539 00000 n
0000012283 00000 n
0000012323 00000 n
0000754983 00000 n
-0005043359 00000 n
+0005043407 00000 n
0000012372 00000 n
0000012416 00000 n
0000755110 00000 n
-0005043280 00000 n
+0005043328 00000 n
0000012470 00000 n
0000012535 00000 n
0000764012 00000 n
-0005043201 00000 n
+0005043249 00000 n
0000012589 00000 n
0000012657 00000 n
0000767647 00000 n
-0005043069 00000 n
+0005043117 00000 n
0000012706 00000 n
0000012757 00000 n
0000767774 00000 n
-0005042990 00000 n
+0005043038 00000 n
0000012811 00000 n
0000012855 00000 n
0000771820 00000 n
-0005042897 00000 n
+0005042945 00000 n
0000012909 00000 n
0000012959 00000 n
0000778902 00000 n
-0005042765 00000 n
+0005042813 00000 n
0000013013 00000 n
0000013066 00000 n
0000781266 00000 n
-0005042700 00000 n
+0005042748 00000 n
0000013125 00000 n
0000013168 00000 n
0000781393 00000 n
-0005042607 00000 n
+0005042655 00000 n
0000013222 00000 n
0000013268 00000 n
0000784143 00000 n
-0005042514 00000 n
+0005042562 00000 n
0000013322 00000 n
0000013370 00000 n
0000784270 00000 n
-0005042435 00000 n
+0005042483 00000 n
0000013424 00000 n
0000013455 00000 n
0000784397 00000 n
-0005042342 00000 n
+0005042390 00000 n
0000013504 00000 n
0000013581 00000 n
0000787045 00000 n
-0005042224 00000 n
+0005042272 00000 n
0000013630 00000 n
0000013667 00000 n
0000787172 00000 n
-0005042145 00000 n
+0005042193 00000 n
0000013721 00000 n
0000013780 00000 n
0000787299 00000 n
-0005042052 00000 n
+0005042100 00000 n
0000013834 00000 n
0000013890 00000 n
0000789578 00000 n
-0005041973 00000 n
+0005042021 00000 n
0000013944 00000 n
0000014001 00000 n
0000791784 00000 n
-0005041841 00000 n
+0005041889 00000 n
0000014048 00000 n
0000014096 00000 n
0000791911 00000 n
-0005041762 00000 n
+0005041810 00000 n
0000014145 00000 n
0000014190 00000 n
0000795240 00000 n
-0005041669 00000 n
+0005041717 00000 n
0000014239 00000 n
0000014273 00000 n
0000795367 00000 n
-0005041537 00000 n
+0005041585 00000 n
0000014322 00000 n
0000014367 00000 n
0000795494 00000 n
-0005041458 00000 n
+0005041506 00000 n
0000014421 00000 n
0000014477 00000 n
0000800075 00000 n
-0005041379 00000 n
+0005041427 00000 n
0000014531 00000 n
0000014578 00000 n
0000809287 00000 n
-0005041300 00000 n
+0005041348 00000 n
0000014627 00000 n
0000014664 00000 n
0000810942 00000 n
-0005041182 00000 n
+0005041230 00000 n
0000014711 00000 n
0000014779 00000 n
0000811069 00000 n
-0005041103 00000 n
+0005041151 00000 n
0000014828 00000 n
0000014873 00000 n
0000811196 00000 n
-0005040971 00000 n
+0005041019 00000 n
0000014922 00000 n
0000014963 00000 n
0000814221 00000 n
-0005040853 00000 n
+0005040901 00000 n
0000015017 00000 n
0000015063 00000 n
0000814348 00000 n
-0005040774 00000 n
+0005040822 00000 n
0000015122 00000 n
0000015176 00000 n
0000863681 00000 n
-0005040681 00000 n
+0005040729 00000 n
0000015235 00000 n
0000015278 00000 n
0000913063 00000 n
-0005040602 00000 n
+0005040650 00000 n
0000015337 00000 n
0000015378 00000 n
0000948558 00000 n
-0005040509 00000 n
+0005040557 00000 n
0000015432 00000 n
0000015504 00000 n
0000975006 00000 n
-0005040430 00000 n
+0005040478 00000 n
0000015558 00000 n
0000015625 00000 n
0001001938 00000 n
-0005040351 00000 n
+0005040399 00000 n
0000015674 00000 n
0000015711 00000 n
0001174940 00000 n
-0005040214 00000 n
+0005040262 00000 n
0000015755 00000 n
0000015806 00000 n
0001176041 00000 n
-0005040135 00000 n
+0005040183 00000 n
0000015855 00000 n
0000015910 00000 n
0001178386 00000 n
-0005040003 00000 n
+0005040051 00000 n
0000015957 00000 n
0000016047 00000 n
0001178513 00000 n
-0005039924 00000 n
+0005039972 00000 n
0000016096 00000 n
0000016154 00000 n
0001178640 00000 n
-0005039806 00000 n
+0005039854 00000 n
0000016203 00000 n
0000016261 00000 n
0001181749 00000 n
-0005039727 00000 n
+0005039775 00000 n
0000016315 00000 n
0000016363 00000 n
0001184294 00000 n
-0005039634 00000 n
+0005039682 00000 n
0000016417 00000 n
0000016467 00000 n
0001187865 00000 n
-0005039541 00000 n
+0005039589 00000 n
0000016521 00000 n
0000016561 00000 n
0001187992 00000 n
-0005039448 00000 n
+0005039496 00000 n
0000016615 00000 n
0000016678 00000 n
0001188119 00000 n
-0005039369 00000 n
+0005039417 00000 n
0000016732 00000 n
0000016786 00000 n
0001189555 00000 n
-0005039237 00000 n
+0005039285 00000 n
0000016834 00000 n
0000016881 00000 n
0001192204 00000 n
-0005039158 00000 n
+0005039206 00000 n
0000016931 00000 n
0000016977 00000 n
0001194568 00000 n
-0005039065 00000 n
+0005039113 00000 n
0000017027 00000 n
0000017069 00000 n
0001196470 00000 n
-0005038933 00000 n
+0005038981 00000 n
0000017119 00000 n
0000017154 00000 n
0001199145 00000 n
-0005038854 00000 n
+0005038902 00000 n
0000017209 00000 n
0000017255 00000 n
0001205137 00000 n
-0005038761 00000 n
+0005038809 00000 n
0000017310 00000 n
0000017359 00000 n
0001207702 00000 n
-0005038682 00000 n
+0005038730 00000 n
0000017414 00000 n
0000017465 00000 n
0001211821 00000 n
-0005038550 00000 n
+0005038598 00000 n
0000017515 00000 n
0000017562 00000 n
0001217983 00000 n
-0005038471 00000 n
+0005038519 00000 n
0000017617 00000 n
0000017674 00000 n
0001223038 00000 n
-0005038378 00000 n
+0005038426 00000 n
0000017729 00000 n
0000017785 00000 n
0001227250 00000 n
-0005038285 00000 n
+0005038333 00000 n
0000017840 00000 n
0000017897 00000 n
0001230043 00000 n
-0005038192 00000 n
+0005038240 00000 n
0000017952 00000 n
0000018009 00000 n
0001232887 00000 n
-0005038099 00000 n
+0005038147 00000 n
0000018064 00000 n
0000018121 00000 n
0001233014 00000 n
-0005038006 00000 n
+0005038054 00000 n
0000018176 00000 n
0000018222 00000 n
0001236428 00000 n
-0005037913 00000 n
+0005037961 00000 n
0000018277 00000 n
0000018340 00000 n
0001239748 00000 n
-0005037834 00000 n
+0005037882 00000 n
0000018395 00000 n
0000018461 00000 n
0001240003 00000 n
-0005037702 00000 n
+0005037750 00000 n
0000018511 00000 n
0000018581 00000 n
0001244011 00000 n
-0005037623 00000 n
+0005037671 00000 n
0000018636 00000 n
0000018688 00000 n
0001249718 00000 n
-0005037530 00000 n
+0005037578 00000 n
0000018743 00000 n
0000018786 00000 n
0001249845 00000 n
-0005037451 00000 n
+0005037499 00000 n
0000018841 00000 n
0000018887 00000 n
0001251873 00000 n
-0005037319 00000 n
+0005037367 00000 n
0000018937 00000 n
0000018975 00000 n
0001251999 00000 n
-0005037240 00000 n
+0005037288 00000 n
0000019030 00000 n
0000019085 00000 n
0001254625 00000 n
-0005037161 00000 n
+0005037209 00000 n
0000019140 00000 n
0000019188 00000 n
0001258178 00000 n
-0005037029 00000 n
+0005037077 00000 n
0000019238 00000 n
0000019293 00000 n
0001260817 00000 n
-0005036950 00000 n
+0005036998 00000 n
0000019348 00000 n
0000019400 00000 n
0001263502 00000 n
-0005036857 00000 n
+0005036905 00000 n
0000019455 00000 n
0000019500 00000 n
0001266324 00000 n
-0005036739 00000 n
+0005036787 00000 n
0000019555 00000 n
0000019603 00000 n
0001266451 00000 n
-0005036674 00000 n
+0005036722 00000 n
0000019663 00000 n
0000019725 00000 n
0001305828 00000 n
-0005036556 00000 n
+0005036604 00000 n
0000019775 00000 n
0000019813 00000 n
0001305955 00000 n
-0005036477 00000 n
+0005036525 00000 n
0000019868 00000 n
0000019932 00000 n
0001308498 00000 n
-0005036384 00000 n
+0005036432 00000 n
0000019987 00000 n
0000020047 00000 n
0001308625 00000 n
-0005036291 00000 n
+0005036339 00000 n
0000020102 00000 n
0000020174 00000 n
0001308752 00000 n
-0005036198 00000 n
+0005036246 00000 n
0000020229 00000 n
0000020303 00000 n
0001314090 00000 n
-0005036119 00000 n
+0005036167 00000 n
0000020358 00000 n
0000020441 00000 n
0001317221 00000 n
-0005035987 00000 n
+0005036035 00000 n
0000020489 00000 n
0000020549 00000 n
0001319829 00000 n
-0005035869 00000 n
+0005035917 00000 n
0000020599 00000 n
0000020645 00000 n
0001319956 00000 n
-0005035790 00000 n
+0005035838 00000 n
0000020700 00000 n
0000020773 00000 n
0001322242 00000 n
-0005035711 00000 n
+0005035759 00000 n
0000020828 00000 n
0000020882 00000 n
0001325349 00000 n
-0005035579 00000 n
+0005035627 00000 n
0000020932 00000 n
0000020978 00000 n
0001325476 00000 n
-0005035461 00000 n
+0005035509 00000 n
0000021033 00000 n
0000021090 00000 n
0001354918 00000 n
-0005035382 00000 n
+0005035430 00000 n
0000021150 00000 n
0000021212 00000 n
0001355041 00000 n
-0005035303 00000 n
+0005035351 00000 n
0000021272 00000 n
0000021338 00000 n
0001357910 00000 n
-0005035210 00000 n
+0005035258 00000 n
0000021393 00000 n
0000021472 00000 n
0001358037 00000 n
-0005035117 00000 n
+0005035165 00000 n
0000021527 00000 n
0000021602 00000 n
0001362294 00000 n
-0005034985 00000 n
+0005035033 00000 n
0000021657 00000 n
0000021707 00000 n
0001365249 00000 n
-0005034920 00000 n
+0005034968 00000 n
0000021767 00000 n
0000021828 00000 n
0001367921 00000 n
-0005034841 00000 n
+0005034889 00000 n
0000021883 00000 n
0000021956 00000 n
0001370943 00000 n
-0005034709 00000 n
+0005034757 00000 n
0000022006 00000 n
0000022055 00000 n
0001371068 00000 n
-0005034630 00000 n
+0005034678 00000 n
0000022110 00000 n
0000022155 00000 n
0001374963 00000 n
-0005034512 00000 n
+0005034560 00000 n
0000022210 00000 n
0000022253 00000 n
0001378367 00000 n
-0005034433 00000 n
+0005034481 00000 n
0000022313 00000 n
0000022365 00000 n
0001397971 00000 n
-0005034354 00000 n
+0005034402 00000 n
0000022425 00000 n
0000022475 00000 n
0001398226 00000 n
-0005034222 00000 n
+0005034270 00000 n
0000022525 00000 n
0000022567 00000 n
0001401201 00000 n
-0005034143 00000 n
+0005034191 00000 n
0000022622 00000 n
0000022658 00000 n
0001401328 00000 n
-0005034050 00000 n
+0005034098 00000 n
0000022713 00000 n
0000022778 00000 n
0001403903 00000 n
-0005033957 00000 n
+0005034005 00000 n
0000022833 00000 n
0000022866 00000 n
0001404030 00000 n
-0005033838 00000 n
+0005033886 00000 n
0000022921 00000 n
0000022955 00000 n
0001411420 00000 n
-0005033759 00000 n
+0005033807 00000 n
0000023015 00000 n
0000023066 00000 n
0001411547 00000 n
-0005033666 00000 n
+0005033714 00000 n
0000023126 00000 n
0000023207 00000 n
0001414013 00000 n
-0005033573 00000 n
+0005033621 00000 n
0000023267 00000 n
0000023318 00000 n
0001416777 00000 n
-0005033480 00000 n
+0005033528 00000 n
0000023378 00000 n
0000023435 00000 n
0001420291 00000 n
-0005033387 00000 n
+0005033435 00000 n
0000023495 00000 n
0000023541 00000 n
0001424352 00000 n
-0005033294 00000 n
+0005033342 00000 n
0000023601 00000 n
0000023660 00000 n
0001424479 00000 n
-0005033201 00000 n
+0005033249 00000 n
0000023720 00000 n
0000023777 00000 n
0001434869 00000 n
-0005033108 00000 n
+0005033156 00000 n
0000023837 00000 n
0000023910 00000 n
0001436799 00000 n
-0005033015 00000 n
+0005033063 00000 n
0000023970 00000 n
0000024041 00000 n
0001439052 00000 n
-0005032922 00000 n
+0005032970 00000 n
0000024102 00000 n
0000024156 00000 n
0001439179 00000 n
-0005032843 00000 n
+0005032891 00000 n
0000024217 00000 n
0000024298 00000 n
0001440626 00000 n
-0005032725 00000 n
+0005032773 00000 n
0000024348 00000 n
0000024386 00000 n
0001440753 00000 n
-0005032646 00000 n
+0005032694 00000 n
0000024441 00000 n
0000024486 00000 n
0001440880 00000 n
-0005032567 00000 n
+0005032615 00000 n
0000024541 00000 n
0000024597 00000 n
0001448781 00000 n
-0005032435 00000 n
+0005032483 00000 n
0000024645 00000 n
0000024710 00000 n
0001462213 00000 n
-0005032356 00000 n
+0005032404 00000 n
0000024760 00000 n
0000024806 00000 n
0001484943 00000 n
-0005032224 00000 n
+0005032272 00000 n
0000024856 00000 n
0000024891 00000 n
0001487587 00000 n
-0005032145 00000 n
+0005032193 00000 n
0000024946 00000 n
0000025009 00000 n
0001490455 00000 n
-0005032052 00000 n
+0005032100 00000 n
0000025064 00000 n
0000025158 00000 n
0001496117 00000 n
-0005031920 00000 n
+0005031968 00000 n
0000025213 00000 n
0000025276 00000 n
0001496372 00000 n
-0005031855 00000 n
+0005031903 00000 n
0000025336 00000 n
0000025412 00000 n
0001499225 00000 n
-0005031762 00000 n
+0005031810 00000 n
0000025467 00000 n
0000025541 00000 n
0001502102 00000 n
-0005031683 00000 n
+0005031731 00000 n
0000025596 00000 n
0000025644 00000 n
0001504346 00000 n
-0005031551 00000 n
+0005031599 00000 n
0000025694 00000 n
0000025740 00000 n
0001504473 00000 n
-0005031472 00000 n
+0005031520 00000 n
0000025795 00000 n
0000025854 00000 n
0001507457 00000 n
-0005031393 00000 n
+0005031441 00000 n
0000025909 00000 n
0000025969 00000 n
0001510021 00000 n
-0005031275 00000 n
+0005031323 00000 n
0000026019 00000 n
0000026057 00000 n
0001510148 00000 n
-0005031196 00000 n
+0005031244 00000 n
0000026112 00000 n
0000026158 00000 n
0001510275 00000 n
-0005031117 00000 n
+0005031165 00000 n
0000026213 00000 n
0000026296 00000 n
0001514633 00000 n
-0005030982 00000 n
+0005031030 00000 n
0000026344 00000 n
0000026419 00000 n
0001517378 00000 n
-0005030903 00000 n
+0005030951 00000 n
0000026469 00000 n
0000026502 00000 n
0001517505 00000 n
-0005030810 00000 n
+0005030858 00000 n
0000026552 00000 n
0000026609 00000 n
0001520320 00000 n
-0005030674 00000 n
+0005030722 00000 n
0000026659 00000 n
0000026718 00000 n
0001520447 00000 n
-0005030550 00000 n
+0005030598 00000 n
0000026774 00000 n
0000026849 00000 n
0001522310 00000 n
-0005030466 00000 n
+0005030514 00000 n
0000026910 00000 n
0000026970 00000 n
0001525887 00000 n
-0005030367 00000 n
+0005030415 00000 n
0000027031 00000 n
0000027098 00000 n
0001529912 00000 n
-0005030268 00000 n
+0005030316 00000 n
0000027159 00000 n
0000027213 00000 n
0001530040 00000 n
-0005030184 00000 n
+0005030232 00000 n
0000027274 00000 n
0000027325 00000 n
0001532240 00000 n
-0005030086 00000 n
+0005030134 00000 n
0000027381 00000 n
0000027439 00000 n
0001537316 00000 n
-0005029962 00000 n
+0005030010 00000 n
0000027495 00000 n
0000027543 00000 n
0001539455 00000 n
-0005029893 00000 n
+0005029941 00000 n
0000027604 00000 n
0000027692 00000 n
0001543931 00000 n
-0005029755 00000 n
+0005029803 00000 n
0000027743 00000 n
0000027801 00000 n
0001545748 00000 n
-0005029671 00000 n
+0005029719 00000 n
0000027857 00000 n
0000027905 00000 n
0001545876 00000 n
-0005029572 00000 n
+0005029620 00000 n
0000027961 00000 n
0000028014 00000 n
0001547854 00000 n
-0005029473 00000 n
+0005029521 00000 n
0000028070 00000 n
0000028120 00000 n
0001547982 00000 n
-0005029389 00000 n
+0005029437 00000 n
0000028176 00000 n
0000028216 00000 n
0001550260 00000 n
-0005029291 00000 n
+0005029339 00000 n
0000028267 00000 n
0000028333 00000 n
0001554847 00000 n
-0005029152 00000 n
+0005029200 00000 n
0000028384 00000 n
0000028438 00000 n
0001556586 00000 n
-0005029068 00000 n
+0005029116 00000 n
0000028494 00000 n
0000028544 00000 n
0001560672 00000 n
-0005028984 00000 n
+0005029032 00000 n
0000028600 00000 n
0000028646 00000 n
0001565751 00000 n
-0005028886 00000 n
+0005028934 00000 n
0000028697 00000 n
0000028761 00000 n
0001567713 00000 n
-0005028747 00000 n
+0005028795 00000 n
0000028812 00000 n
0000028854 00000 n
0001569926 00000 n
-0005028663 00000 n
+0005028711 00000 n
0000028910 00000 n
0000028976 00000 n
0001572263 00000 n
-0005028564 00000 n
+0005028612 00000 n
0000029032 00000 n
0000029092 00000 n
0001572391 00000 n
-0005028424 00000 n
+0005028472 00000 n
0000029148 00000 n
0000029212 00000 n
0001575203 00000 n
-0005028340 00000 n
+0005028388 00000 n
0000029273 00000 n
0000029318 00000 n
0001580696 00000 n
-0005028241 00000 n
+0005028289 00000 n
0000029379 00000 n
0000029437 00000 n
0001585214 00000 n
-0005028142 00000 n
+0005028190 00000 n
0000029498 00000 n
0000029547 00000 n
0001585342 00000 n
-0005028058 00000 n
+0005028106 00000 n
0000029608 00000 n
0000029675 00000 n
0001585470 00000 n
-0005027974 00000 n
+0005028022 00000 n
0000029731 00000 n
0000029776 00000 n
0001591300 00000 n
-0005027876 00000 n
+0005027924 00000 n
0000029827 00000 n
0000029875 00000 n
0001591428 00000 n
-0005027778 00000 n
+0005027826 00000 n
0000029927 00000 n
0000029987 00000 n
0001591556 00000 n
-0005027680 00000 n
+0005027728 00000 n
0000030039 00000 n
0000030082 00000 n
0001593480 00000 n
-0005027582 00000 n
+0005027630 00000 n
0000030134 00000 n
0000030189 00000 n
0001593608 00000 n
-0005027443 00000 n
+0005027491 00000 n
0000030241 00000 n
0000030299 00000 n
0001595296 00000 n
-0005027359 00000 n
+0005027407 00000 n
0000030356 00000 n
0000030421 00000 n
0001595424 00000 n
-0005027275 00000 n
+0005027323 00000 n
0000030478 00000 n
0000030545 00000 n
0001595552 00000 n
-0005027192 00000 n
+0005027240 00000 n
0000030597 00000 n
0000030654 00000 n
0001599212 00000 n
-0005027054 00000 n
+0005027102 00000 n
0000030703 00000 n
0000030761 00000 n
0001601974 00000 n
-0005026929 00000 n
+0005026977 00000 n
0000030812 00000 n
0000030877 00000 n
0001602100 00000 n
-0005026845 00000 n
+0005026893 00000 n
0000030933 00000 n
0000030984 00000 n
0001602228 00000 n
-0005026746 00000 n
+0005026794 00000 n
0000031040 00000 n
0000031112 00000 n
0001613104 00000 n
-0005026647 00000 n
+0005026695 00000 n
0000031168 00000 n
0000031221 00000 n
0001613232 00000 n
-0005026563 00000 n
+0005026611 00000 n
0000031277 00000 n
0000031329 00000 n
0001616393 00000 n
-0005026438 00000 n
+0005026486 00000 n
0000031380 00000 n
0000031437 00000 n
0001616521 00000 n
-0005026313 00000 n
+0005026361 00000 n
0000031493 00000 n
0000031540 00000 n
0001616649 00000 n
-0005026229 00000 n
+0005026277 00000 n
0000031601 00000 n
0000031675 00000 n
0001622157 00000 n
-0005026145 00000 n
+0005026193 00000 n
0000031736 00000 n
0000031777 00000 n
0001626007 00000 n
-0005026046 00000 n
+0005026094 00000 n
0000031833 00000 n
0000031886 00000 n
0001633361 00000 n
-0005025947 00000 n
+0005025995 00000 n
0000031942 00000 n
0000032005 00000 n
0001646954 00000 n
-0005025822 00000 n
+0005025870 00000 n
0000032061 00000 n
0000032155 00000 n
0001650359 00000 n
-0005025738 00000 n
+0005025786 00000 n
0000032216 00000 n
0000032299 00000 n
0001650487 00000 n
-0005025654 00000 n
+0005025702 00000 n
0000032360 00000 n
0000032425 00000 n
0001652502 00000 n
-0005025515 00000 n
+0005025563 00000 n
0000032474 00000 n
0000032532 00000 n
0001655327 00000 n
-0005025390 00000 n
+0005025438 00000 n
0000032583 00000 n
0000032639 00000 n
0001658303 00000 n
-0005025306 00000 n
+0005025354 00000 n
0000032695 00000 n
0000032759 00000 n
0001663235 00000 n
-0005025207 00000 n
+0005025255 00000 n
0000032815 00000 n
0000032868 00000 n
0001665040 00000 n
-0005025123 00000 n
+0005025171 00000 n
0000032924 00000 n
0000033006 00000 n
0001667243 00000 n
-0005025024 00000 n
+0005025072 00000 n
0000033057 00000 n
0000033111 00000 n
0001669208 00000 n
-0005024899 00000 n
+0005024947 00000 n
0000033162 00000 n
0000033201 00000 n
0001669336 00000 n
-0005024830 00000 n
+0005024878 00000 n
0000033257 00000 n
0000033354 00000 n
0001673597 00000 n
-0005024691 00000 n
+0005024739 00000 n
0000033403 00000 n
0000033477 00000 n
0001676214 00000 n
-0005024607 00000 n
+0005024655 00000 n
0000033528 00000 n
0000033575 00000 n
0001678810 00000 n
-0005024467 00000 n
+0005024515 00000 n
0000033626 00000 n
0000033679 00000 n
0001678938 00000 n
-0005024383 00000 n
+0005024431 00000 n
0000033735 00000 n
0000033812 00000 n
0001683880 00000 n
-0005024284 00000 n
+0005024332 00000 n
0000033868 00000 n
0000033916 00000 n
0001686414 00000 n
-0005024159 00000 n
+0005024207 00000 n
0000033972 00000 n
0000034033 00000 n
0001722636 00000 n
-0005024090 00000 n
+0005024138 00000 n
0000034094 00000 n
0000034170 00000 n
0001727800 00000 n
-0005023950 00000 n
+0005023998 00000 n
0000034221 00000 n
0000034279 00000 n
0001727928 00000 n
-0005023866 00000 n
+0005023914 00000 n
0000034335 00000 n
0000034393 00000 n
0001728056 00000 n
-0005023767 00000 n
+0005023815 00000 n
0000034449 00000 n
0000034522 00000 n
0001728184 00000 n
-0005023683 00000 n
+0005023731 00000 n
0000034578 00000 n
0000034628 00000 n
0001731022 00000 n
-0005023543 00000 n
+0005023591 00000 n
0000034679 00000 n
0000034730 00000 n
0001736531 00000 n
-0005023433 00000 n
+0005023481 00000 n
0000034786 00000 n
0000034842 00000 n
0001736659 00000 n
-0005023349 00000 n
+0005023397 00000 n
0000034903 00000 n
0000034963 00000 n
0001736915 00000 n
-0005023265 00000 n
+0005023313 00000 n
0000035024 00000 n
0000035069 00000 n
0001742350 00000 n
-0005023125 00000 n
+0005023173 00000 n
0000035120 00000 n
0000035203 00000 n
0001742478 00000 n
-0005023041 00000 n
+0005023089 00000 n
0000035259 00000 n
0000035338 00000 n
0001742606 00000 n
-0005022942 00000 n
+0005022990 00000 n
0000035394 00000 n
0000035460 00000 n
0001745236 00000 n
-0005022843 00000 n
+0005022891 00000 n
0000035516 00000 n
0000035566 00000 n
0001745364 00000 n
-0005022703 00000 n
+0005022751 00000 n
0000035622 00000 n
0000035687 00000 n
0001748283 00000 n
-0005022619 00000 n
+0005022667 00000 n
0000035748 00000 n
0000035794 00000 n
0001748411 00000 n
-0005022535 00000 n
+0005022583 00000 n
0000035855 00000 n
0000035906 00000 n
0001751261 00000 n
-0005022436 00000 n
+0005022484 00000 n
0000035962 00000 n
0000036029 00000 n
0001754749 00000 n
-0005022337 00000 n
+0005022385 00000 n
0000036085 00000 n
0000036175 00000 n
0001759318 00000 n
-0005022238 00000 n
+0005022286 00000 n
0000036231 00000 n
0000036317 00000 n
0001759446 00000 n
-0005022113 00000 n
+0005022161 00000 n
0000036373 00000 n
0000036448 00000 n
0001761848 00000 n
-0005022029 00000 n
+0005022077 00000 n
0000036509 00000 n
0000036562 00000 n
0001764124 00000 n
-0005021930 00000 n
+0005021978 00000 n
0000036623 00000 n
0000036700 00000 n
0001766236 00000 n
-0005021846 00000 n
+0005021894 00000 n
0000036761 00000 n
0000036843 00000 n
0001766364 00000 n
-0005021721 00000 n
+0005021769 00000 n
0000036894 00000 n
0000036933 00000 n
0001766492 00000 n
-0005021637 00000 n
+0005021685 00000 n
0000036989 00000 n
0000037053 00000 n
0001770962 00000 n
-0005021538 00000 n
+0005021586 00000 n
0000037109 00000 n
0000037185 00000 n
0001771090 00000 n
-0005021454 00000 n
+0005021502 00000 n
0000037241 00000 n
0000037309 00000 n
0001779084 00000 n
-0005021315 00000 n
+0005021363 00000 n
0000037358 00000 n
0000037413 00000 n
0001779212 00000 n
-0005021231 00000 n
+0005021279 00000 n
0000037464 00000 n
0000037511 00000 n
0001782042 00000 n
-0005021091 00000 n
+0005021139 00000 n
0000037562 00000 n
0000037598 00000 n
0001784688 00000 n
-0005020981 00000 n
+0005021029 00000 n
0000037654 00000 n
0000037712 00000 n
0001792174 00000 n
-0005020897 00000 n
+0005020945 00000 n
0000037773 00000 n
0000037830 00000 n
0001792302 00000 n
-0005020798 00000 n
+0005020846 00000 n
0000037891 00000 n
0000037954 00000 n
0001792430 00000 n
-0005020699 00000 n
+0005020747 00000 n
0000038015 00000 n
0000038078 00000 n
0001794917 00000 n
-0005020600 00000 n
+0005020648 00000 n
0000038139 00000 n
0000038200 00000 n
0001795045 00000 n
-0005020501 00000 n
+0005020549 00000 n
0000038261 00000 n
0000038310 00000 n
0001795173 00000 n
-0005020402 00000 n
+0005020450 00000 n
0000038371 00000 n
0000038416 00000 n
0001797750 00000 n
-0005020303 00000 n
+0005020351 00000 n
0000038477 00000 n
0000038527 00000 n
0001797878 00000 n
-0005020204 00000 n
+0005020252 00000 n
0000038588 00000 n
0000038651 00000 n
0001798006 00000 n
-0005020120 00000 n
+0005020168 00000 n
0000038712 00000 n
0000038777 00000 n
0001800751 00000 n
-0005019980 00000 n
+0005020028 00000 n
0000038828 00000 n
0000038875 00000 n
0001803397 00000 n
-0005019870 00000 n
+0005019918 00000 n
0000038931 00000 n
0000038980 00000 n
0001803524 00000 n
-0005019786 00000 n
+0005019834 00000 n
0000039041 00000 n
0000039088 00000 n
0001807047 00000 n
-0005019702 00000 n
+0005019750 00000 n
0000039149 00000 n
0000039203 00000 n
0001811823 00000 n
-0005019562 00000 n
+0005019610 00000 n
0000039254 00000 n
0000039319 00000 n
0001817839 00000 n
-0005019478 00000 n
+0005019526 00000 n
0000039375 00000 n
0000039430 00000 n
0001819485 00000 n
-0005019394 00000 n
+0005019442 00000 n
0000039486 00000 n
0000039536 00000 n
0001822013 00000 n
-0005019295 00000 n
+0005019343 00000 n
0000039587 00000 n
0000039639 00000 n
0001822141 00000 n
-0005019155 00000 n
+0005019203 00000 n
0000039690 00000 n
0000039729 00000 n
0001825075 00000 n
-0005019071 00000 n
+0005019119 00000 n
0000039785 00000 n
0000039839 00000 n
0001825203 00000 n
-0005018972 00000 n
+0005019020 00000 n
0000039895 00000 n
0000039971 00000 n
0001825331 00000 n
-0005018888 00000 n
+0005018936 00000 n
0000040027 00000 n
0000040106 00000 n
0001827977 00000 n
-0005018804 00000 n
+0005018852 00000 n
0000040157 00000 n
0000040201 00000 n
0001830431 00000 n
-0005018665 00000 n
+0005018713 00000 n
0000040250 00000 n
0000040296 00000 n
0001830559 00000 n
-0005018581 00000 n
+0005018629 00000 n
0000040347 00000 n
0000040385 00000 n
0001830687 00000 n
-0005018482 00000 n
+0005018530 00000 n
0000040436 00000 n
0000040483 00000 n
0001834078 00000 n
-0005018342 00000 n
+0005018390 00000 n
0000040534 00000 n
0000040614 00000 n
0001834205 00000 n
-0005018258 00000 n
+0005018306 00000 n
0000040670 00000 n
0000040725 00000 n
0001837660 00000 n
-0005018159 00000 n
+0005018207 00000 n
0000040781 00000 n
0000040830 00000 n
0001837916 00000 n
-0005018060 00000 n
+0005018108 00000 n
0000040886 00000 n
0000040940 00000 n
0001840721 00000 n
-0005017961 00000 n
+0005018009 00000 n
0000040996 00000 n
0000041040 00000 n
0001840849 00000 n
-0005017862 00000 n
+0005017910 00000 n
0000041096 00000 n
0000041157 00000 n
0001843520 00000 n
-0005017778 00000 n
+0005017826 00000 n
0000041213 00000 n
0000041256 00000 n
0001846374 00000 n
-0005017679 00000 n
+0005017727 00000 n
0000041307 00000 n
0000041348 00000 n
0001846502 00000 n
-0005017554 00000 n
+0005017602 00000 n
0000041399 00000 n
0000041438 00000 n
0001846630 00000 n
-0005017470 00000 n
+0005017518 00000 n
0000041494 00000 n
0000041575 00000 n
0001846758 00000 n
-0005017386 00000 n
+0005017434 00000 n
0000041631 00000 n
0000041710 00000 n
0001851426 00000 n
-0005017247 00000 n
+0005017295 00000 n
0000041759 00000 n
0000041822 00000 n
0001854068 00000 n
-0005017163 00000 n
+0005017211 00000 n
0000041873 00000 n
0000041920 00000 n
0001854196 00000 n
-0005017064 00000 n
+0005017112 00000 n
0000041971 00000 n
0000042026 00000 n
0001856941 00000 n
-0005016924 00000 n
+0005016972 00000 n
0000042077 00000 n
0000042145 00000 n
0001857068 00000 n
-0005016840 00000 n
+0005016888 00000 n
0000042201 00000 n
0000042257 00000 n
0001880044 00000 n
-0005016741 00000 n
+0005016789 00000 n
0000042313 00000 n
0000042371 00000 n
0001880172 00000 n
-0005016657 00000 n
+0005016705 00000 n
0000042427 00000 n
0000042483 00000 n
0001882435 00000 n
-0005016517 00000 n
+0005016565 00000 n
0000042534 00000 n
0000042600 00000 n
0001885088 00000 n
-0005016433 00000 n
+0005016481 00000 n
0000042656 00000 n
0000042711 00000 n
0001887640 00000 n
-0005016349 00000 n
+0005016397 00000 n
0000042767 00000 n
0000042823 00000 n
0001890473 00000 n
-0005016250 00000 n
+0005016298 00000 n
0000042874 00000 n
0000042941 00000 n
0001890601 00000 n
-0005016125 00000 n
+0005016173 00000 n
0000042992 00000 n
0000043031 00000 n
0001890729 00000 n
-0005016041 00000 n
+0005016089 00000 n
0000043087 00000 n
0000043147 00000 n
0001892914 00000 n
-0005015957 00000 n
+0005016005 00000 n
0000043203 00000 n
0000043293 00000 n
0001896816 00000 n
-0005015818 00000 n
+0005015866 00000 n
0000043342 00000 n
0000043422 00000 n
0001896944 00000 n
-0005015734 00000 n
+0005015782 00000 n
0000043473 00000 n
0000043520 00000 n
0001900355 00000 n
-0005015609 00000 n
+0005015657 00000 n
0000043571 00000 n
0000043610 00000 n
0001902798 00000 n
-0005015540 00000 n
+0005015588 00000 n
0000043666 00000 n
0000043726 00000 n
0001905647 00000 n
-0005015400 00000 n
+0005015448 00000 n
0000043775 00000 n
0000043833 00000 n
0001905775 00000 n
-0005015316 00000 n
+0005015364 00000 n
0000043884 00000 n
0000043931 00000 n
0001908434 00000 n
-0005015176 00000 n
+0005015224 00000 n
0000043982 00000 n
0000044030 00000 n
0001910813 00000 n
-0005015092 00000 n
+0005015140 00000 n
0000044086 00000 n
0000044150 00000 n
0001911388 00000 n
-0005015008 00000 n
+0005015056 00000 n
0000044206 00000 n
0000044275 00000 n
0001914844 00000 n
-0005014868 00000 n
+0005014916 00000 n
0000044326 00000 n
0000044378 00000 n
0001917796 00000 n
-0005014784 00000 n
+0005014832 00000 n
0000044434 00000 n
0000044499 00000 n
0001919732 00000 n
-0005014700 00000 n
+0005014748 00000 n
0000044555 00000 n
0000044613 00000 n
0001927305 00000 n
-0005014560 00000 n
+0005014608 00000 n
0000044664 00000 n
0000044721 00000 n
0001927433 00000 n
-0005014450 00000 n
+0005014498 00000 n
0000044777 00000 n
0000044834 00000 n
0001933469 00000 n
-0005014366 00000 n
+0005014414 00000 n
0000044895 00000 n
0000044945 00000 n
0001940654 00000 n
-0005014267 00000 n
+0005014315 00000 n
0000045006 00000 n
0000045058 00000 n
0001946005 00000 n
-0005014168 00000 n
+0005014216 00000 n
0000045119 00000 n
0000045184 00000 n
0001948793 00000 n
-0005014069 00000 n
+0005014117 00000 n
0000045245 00000 n
0000045289 00000 n
0001952410 00000 n
-0005013970 00000 n
+0005014018 00000 n
0000045350 00000 n
0000045417 00000 n
0001952537 00000 n
-0005013886 00000 n
+0005013934 00000 n
0000045478 00000 n
0000045529 00000 n
0001959433 00000 n
-0005013746 00000 n
+0005013794 00000 n
0000045580 00000 n
0000045643 00000 n
0001965467 00000 n
-0005013662 00000 n
+0005013710 00000 n
0000045699 00000 n
0000045772 00000 n
0001965595 00000 n
-0005013563 00000 n
+0005013611 00000 n
0000045828 00000 n
0000045891 00000 n
0001968702 00000 n
-0005013464 00000 n
+0005013512 00000 n
0000045947 00000 n
0000046005 00000 n
0001968830 00000 n
-0005013365 00000 n
+0005013413 00000 n
0000046061 00000 n
0000046118 00000 n
0001978433 00000 n
-0005013281 00000 n
+0005013329 00000 n
0000046174 00000 n
0000046233 00000 n
0001981560 00000 n
-0005013141 00000 n
+0005013189 00000 n
0000046284 00000 n
0000046345 00000 n
0001981688 00000 n
-0005013057 00000 n
+0005013105 00000 n
0000046401 00000 n
0000046467 00000 n
0001984796 00000 n
-0005012932 00000 n
+0005012980 00000 n
0000046523 00000 n
0000046591 00000 n
0001988341 00000 n
-0005012848 00000 n
+0005012896 00000 n
0000046652 00000 n
0000046706 00000 n
0001992740 00000 n
-0005012749 00000 n
+0005012797 00000 n
0000046767 00000 n
0000046858 00000 n
0001995463 00000 n
-0005012650 00000 n
+0005012698 00000 n
0000046919 00000 n
0000046989 00000 n
0001997559 00000 n
-0005012551 00000 n
+0005012599 00000 n
0000047050 00000 n
0000047120 00000 n
0002001290 00000 n
-0005012452 00000 n
+0005012500 00000 n
0000047181 00000 n
0000047243 00000 n
0002003364 00000 n
-0005012353 00000 n
+0005012401 00000 n
0000047304 00000 n
0000047363 00000 n
0002006144 00000 n
-0005012254 00000 n
+0005012302 00000 n
0000047424 00000 n
0000047488 00000 n
0002008359 00000 n
-0005012155 00000 n
+0005012203 00000 n
0000047549 00000 n
0000047611 00000 n
0002010397 00000 n
-0005012071 00000 n
+0005012119 00000 n
0000047672 00000 n
0000047734 00000 n
0002012906 00000 n
-0005011931 00000 n
+0005011979 00000 n
0000047785 00000 n
0000047847 00000 n
0002013034 00000 n
-0005011847 00000 n
+0005011895 00000 n
0000047903 00000 n
0000047963 00000 n
0002016240 00000 n
-0005011748 00000 n
+0005011796 00000 n
0000048019 00000 n
0000048083 00000 n
0002022604 00000 n
-0005011649 00000 n
+0005011697 00000 n
0000048139 00000 n
0000048204 00000 n
0002025484 00000 n
-0005011565 00000 n
+0005011613 00000 n
0000048260 00000 n
0000048352 00000 n
0002028233 00000 n
-0005011425 00000 n
+0005011473 00000 n
0000048403 00000 n
0000048442 00000 n
0002028361 00000 n
-0005011341 00000 n
+0005011389 00000 n
0000048498 00000 n
0000048574 00000 n
0002035585 00000 n
-0005011242 00000 n
+0005011290 00000 n
0000048630 00000 n
0000048694 00000 n
0002038544 00000 n
-0005011143 00000 n
+0005011191 00000 n
0000048750 00000 n
0000048821 00000 n
0002043831 00000 n
-0005011044 00000 n
+0005011092 00000 n
0000048877 00000 n
0000048961 00000 n
0002046380 00000 n
-0005010945 00000 n
+0005010993 00000 n
0000049017 00000 n
0000049083 00000 n
0002050973 00000 n
-0005010846 00000 n
+0005010894 00000 n
0000049139 00000 n
0000049190 00000 n
0002054366 00000 n
-0005010762 00000 n
+0005010810 00000 n
0000049246 00000 n
0000049320 00000 n
0002054494 00000 n
-0005010622 00000 n
+0005010670 00000 n
0000049371 00000 n
0000049417 00000 n
0002054622 00000 n
-0005010538 00000 n
+0005010586 00000 n
0000049473 00000 n
0000049518 00000 n
0002057000 00000 n
-0005010439 00000 n
+0005010487 00000 n
0000049574 00000 n
0000049634 00000 n
0002057128 00000 n
-0005010340 00000 n
+0005010388 00000 n
0000049690 00000 n
0000049737 00000 n
0002057256 00000 n
-0005010256 00000 n
+0005010304 00000 n
0000049793 00000 n
0000049844 00000 n
0002060375 00000 n
-0005010157 00000 n
+0005010205 00000 n
0000049896 00000 n
0000049971 00000 n
0002065425 00000 n
-0005010058 00000 n
+0005010106 00000 n
0000050023 00000 n
0000050072 00000 n
0002068485 00000 n
-0005009959 00000 n
+0005010007 00000 n
0000050124 00000 n
0000050191 00000 n
0002071908 00000 n
-0005009860 00000 n
+0005009908 00000 n
0000050243 00000 n
0000050328 00000 n
0002072035 00000 n
-0005009735 00000 n
+0005009783 00000 n
0000050380 00000 n
0000050420 00000 n
0002072163 00000 n
-0005009651 00000 n
+0005009699 00000 n
0000050477 00000 n
0000050553 00000 n
0002072291 00000 n
-0005009567 00000 n
+0005009615 00000 n
0000050610 00000 n
0000050711 00000 n
0002076338 00000 n
-0005009427 00000 n
+0005009475 00000 n
0000050760 00000 n
0000050813 00000 n
0002076465 00000 n
-0005009302 00000 n
+0005009350 00000 n
0000050864 00000 n
0000050902 00000 n
0002076592 00000 n
-0005009218 00000 n
+0005009266 00000 n
0000050958 00000 n
0000051007 00000 n
0002076720 00000 n
-0005009134 00000 n
+0005009182 00000 n
0000051063 00000 n
0000051099 00000 n
0002080190 00000 n
-0005008994 00000 n
+0005009042 00000 n
0000051150 00000 n
0000051208 00000 n
0002080318 00000 n
-0005008910 00000 n
+0005008958 00000 n
0000051264 00000 n
0000051320 00000 n
0002083129 00000 n
-0005008811 00000 n
+0005008859 00000 n
0000051376 00000 n
0000051437 00000 n
0002087934 00000 n
-0005008727 00000 n
+0005008775 00000 n
0000051493 00000 n
0000051556 00000 n
0002093510 00000 n
-0005008587 00000 n
+0005008635 00000 n
0000051607 00000 n
0000051655 00000 n
0002096286 00000 n
-0005008503 00000 n
+0005008551 00000 n
0000051711 00000 n
0000051785 00000 n
0002096414 00000 n
-0005008404 00000 n
+0005008452 00000 n
0000051841 00000 n
0000051921 00000 n
0002099360 00000 n
-0005008305 00000 n
+0005008353 00000 n
0000051977 00000 n
0000052043 00000 n
0002101735 00000 n
-0005008206 00000 n
+0005008254 00000 n
0000052099 00000 n
0000052190 00000 n
0002104545 00000 n
-0005008122 00000 n
+0005008170 00000 n
0000052246 00000 n
0000052295 00000 n
0002107119 00000 n
-0005007982 00000 n
+0005008030 00000 n
0000052346 00000 n
0000052433 00000 n
0002107246 00000 n
-0005007898 00000 n
+0005007946 00000 n
0000052489 00000 n
0000052551 00000 n
0002110100 00000 n
-0005007799 00000 n
+0005007847 00000 n
0000052607 00000 n
0000052664 00000 n
0002110228 00000 n
-0005007700 00000 n
+0005007748 00000 n
0000052720 00000 n
0000052788 00000 n
0002136516 00000 n
-0005007601 00000 n
+0005007649 00000 n
0000052844 00000 n
0000052898 00000 n
0002169569 00000 n
-0005007502 00000 n
+0005007550 00000 n
0000052954 00000 n
0000053039 00000 n
0002172396 00000 n
-0005007403 00000 n
+0005007451 00000 n
0000053095 00000 n
0000053175 00000 n
0002174556 00000 n
-0005007304 00000 n
+0005007352 00000 n
0000053231 00000 n
0000053294 00000 n
0002177175 00000 n
-0005007220 00000 n
+0005007268 00000 n
0000053350 00000 n
0000053425 00000 n
0002180303 00000 n
-0005007079 00000 n
+0005007127 00000 n
0000053476 00000 n
0000053533 00000 n
0002183115 00000 n
-0005006995 00000 n
+0005007043 00000 n
0000053589 00000 n
0000053644 00000 n
0002185618 00000 n
-0005006896 00000 n
+0005006944 00000 n
0000053700 00000 n
0000053754 00000 n
0002187755 00000 n
-0005006756 00000 n
+0005006804 00000 n
0000053810 00000 n
0000053856 00000 n
0002187883 00000 n
-0005006687 00000 n
+0005006735 00000 n
0000053917 00000 n
0000053966 00000 n
0002190234 00000 n
-0005006588 00000 n
+0005006636 00000 n
0000054022 00000 n
0000054060 00000 n
0002190362 00000 n
-0005006489 00000 n
+0005006537 00000 n
0000054116 00000 n
0000054150 00000 n
0002243364 00000 n
-0005006390 00000 n
+0005006438 00000 n
0000054206 00000 n
0000054244 00000 n
0002311224 00000 n
-0005006291 00000 n
+0005006339 00000 n
0000054300 00000 n
0000054355 00000 n
0002311352 00000 n
-0005006192 00000 n
+0005006240 00000 n
0000054411 00000 n
0000054467 00000 n
0002358687 00000 n
-0005006093 00000 n
+0005006141 00000 n
0000054523 00000 n
0000054564 00000 n
0002396384 00000 n
-0005005994 00000 n
+0005006042 00000 n
0000054621 00000 n
0000054681 00000 n
0002398913 00000 n
-0005005895 00000 n
+0005005943 00000 n
0000054738 00000 n
0000054787 00000 n
0002399041 00000 n
-0005005796 00000 n
+0005005844 00000 n
0000054844 00000 n
0000054883 00000 n
0002401624 00000 n
-0005005697 00000 n
+0005005745 00000 n
0000054940 00000 n
0000054985 00000 n
0002401752 00000 n
-0005005598 00000 n
+0005005646 00000 n
0000055042 00000 n
0000055104 00000 n
0002406766 00000 n
-0005005499 00000 n
+0005005547 00000 n
0000055161 00000 n
0000055249 00000 n
0002406894 00000 n
-0005005400 00000 n
+0005005448 00000 n
0000055306 00000 n
0000055386 00000 n
0002479610 00000 n
-0005005301 00000 n
+0005005349 00000 n
0000055443 00000 n
0000055501 00000 n
0002501794 00000 n
-0005005202 00000 n
+0005005250 00000 n
0000055558 00000 n
0000055615 00000 n
0002505665 00000 n
-0005005118 00000 n
+0005005166 00000 n
0000055672 00000 n
0000055732 00000 n
0002509077 00000 n
-0005004978 00000 n
+0005005026 00000 n
0000055783 00000 n
0000055844 00000 n
0002509205 00000 n
-0005004894 00000 n
+0005004942 00000 n
0000055900 00000 n
0000055970 00000 n
0002509333 00000 n
-0005004795 00000 n
+0005004843 00000 n
0000056026 00000 n
0000056084 00000 n
0002568959 00000 n
-0005004711 00000 n
+0005004759 00000 n
0000056140 00000 n
0000056198 00000 n
0002572147 00000 n
-0005004571 00000 n
+0005004619 00000 n
0000056249 00000 n
0000056340 00000 n
0002572275 00000 n
-0005004487 00000 n
+0005004535 00000 n
0000056396 00000 n
0000056473 00000 n
0002605273 00000 n
-0005004403 00000 n
+0005004451 00000 n
0000056529 00000 n
0000056607 00000 n
0002608496 00000 n
-0005004263 00000 n
+0005004311 00000 n
0000056658 00000 n
0000056706 00000 n
0002608624 00000 n
-0005004179 00000 n
+0005004227 00000 n
0000056762 00000 n
0000056822 00000 n
0002611296 00000 n
-0005004095 00000 n
+0005004143 00000 n
0000056878 00000 n
0000056941 00000 n
0002611424 00000 n
-0005003955 00000 n
+0005004003 00000 n
0000056992 00000 n
0000057066 00000 n
0002611552 00000 n
-0005003871 00000 n
+0005003919 00000 n
0000057122 00000 n
0000057212 00000 n
0002614263 00000 n
-0005003772 00000 n
+0005003820 00000 n
0000057268 00000 n
0000057332 00000 n
0002614389 00000 n
-0005003673 00000 n
+0005003721 00000 n
0000057388 00000 n
0000057442 00000 n
0002614517 00000 n
-0005003589 00000 n
+0005003637 00000 n
0000057498 00000 n
0000057588 00000 n
0002617423 00000 n
-0005003448 00000 n
+0005003496 00000 n
0000057640 00000 n
0000057703 00000 n
0002617551 00000 n
-0005003364 00000 n
+0005003412 00000 n
0000057760 00000 n
0000057820 00000 n
0002621667 00000 n
-0005003265 00000 n
+0005003313 00000 n
0000057877 00000 n
0000057942 00000 n
0002623267 00000 n
-0005003166 00000 n
+0005003214 00000 n
0000057999 00000 n
0000058077 00000 n
0002626828 00000 n
-0005003067 00000 n
+0005003115 00000 n
0000058134 00000 n
0000058197 00000 n
0002629055 00000 n
-0005002968 00000 n
+0005003016 00000 n
0000058254 00000 n
0000058315 00000 n
0002629183 00000 n
-0005002869 00000 n
+0005002917 00000 n
0000058372 00000 n
0000058455 00000 n
0002632229 00000 n
-0005002770 00000 n
+0005002818 00000 n
0000058512 00000 n
0000058565 00000 n
0002639104 00000 n
-0005002671 00000 n
+0005002719 00000 n
0000058622 00000 n
0000058701 00000 n
0002641815 00000 n
-0005002572 00000 n
+0005002620 00000 n
0000058758 00000 n
0000058816 00000 n
0002641943 00000 n
-0005002473 00000 n
+0005002521 00000 n
0000058874 00000 n
0000058938 00000 n
0002645379 00000 n
-0005002374 00000 n
+0005002422 00000 n
0000058996 00000 n
0000059050 00000 n
0002648073 00000 n
-0005002275 00000 n
+0005002323 00000 n
0000059108 00000 n
0000059191 00000 n
0002650720 00000 n
-0005002176 00000 n
+0005002224 00000 n
0000059249 00000 n
0000059306 00000 n
0002708542 00000 n
-0005002077 00000 n
+0005002125 00000 n
0000059364 00000 n
0000059414 00000 n
0002711584 00000 n
-0005001978 00000 n
+0005002026 00000 n
0000059472 00000 n
0000059546 00000 n
0002711712 00000 n
-0005001894 00000 n
+0005001942 00000 n
0000059604 00000 n
0000059692 00000 n
0002714196 00000 n
-0005001754 00000 n
+0005001802 00000 n
0000059744 00000 n
0000059830 00000 n
0002716944 00000 n
-0005001670 00000 n
+0005001718 00000 n
0000059887 00000 n
0000059949 00000 n
0002719716 00000 n
-0005001571 00000 n
+0005001619 00000 n
0000060006 00000 n
0000060071 00000 n
0002719844 00000 n
-0005001472 00000 n
+0005001520 00000 n
0000060128 00000 n
0000060203 00000 n
0002721809 00000 n
-0005001373 00000 n
+0005001421 00000 n
0000060260 00000 n
0000060340 00000 n
0002724684 00000 n
-0005001274 00000 n
+0005001322 00000 n
0000060397 00000 n
0000060464 00000 n
0002739186 00000 n
-0005001190 00000 n
+0005001238 00000 n
0000060521 00000 n
0000060575 00000 n
0002741969 00000 n
-0005001050 00000 n
+0005001098 00000 n
0000060627 00000 n
0000060678 00000 n
0002742097 00000 n
-0005000966 00000 n
+0005001014 00000 n
0000060735 00000 n
0000060786 00000 n
0002742225 00000 n
-0005000867 00000 n
+0005000915 00000 n
0000060843 00000 n
0000060885 00000 n
0002744209 00000 n
-0005000768 00000 n
+0005000816 00000 n
0000060942 00000 n
0000060989 00000 n
0002744337 00000 n
-0005000684 00000 n
+0005000732 00000 n
0000061046 00000 n
0000061090 00000 n
0002746541 00000 n
-0005000544 00000 n
+0005000592 00000 n
0000061142 00000 n
0000061210 00000 n
0002750420 00000 n
-0005000419 00000 n
+0005000467 00000 n
0000061267 00000 n
0000061331 00000 n
0002753919 00000 n
-0005000335 00000 n
+0005000383 00000 n
0000061393 00000 n
0000061448 00000 n
0002754047 00000 n
-0005000236 00000 n
+0005000284 00000 n
0000061510 00000 n
0000061578 00000 n
0002754175 00000 n
-0005000137 00000 n
+0005000185 00000 n
0000061640 00000 n
0000061694 00000 n
0002758565 00000 n
-0005000038 00000 n
+0005000086 00000 n
0000061756 00000 n
0000061833 00000 n
0002764074 00000 n
-0004999939 00000 n
+0004999987 00000 n
0000061895 00000 n
0000061956 00000 n
0002767626 00000 n
-0004999840 00000 n
+0004999888 00000 n
0000062018 00000 n
0000062075 00000 n
0002771494 00000 n
-0004999741 00000 n
+0004999789 00000 n
0000062137 00000 n
0000062246 00000 n
0002771622 00000 n
-0004999657 00000 n
+0004999705 00000 n
0000062308 00000 n
0000062371 00000 n
0002775375 00000 n
-0004999573 00000 n
+0004999621 00000 n
0000062428 00000 n
0000062512 00000 n
0002786734 00000 n
-0004999433 00000 n
+0004999481 00000 n
0000062564 00000 n
0000062616 00000 n
0002789451 00000 n
-0004999349 00000 n
+0004999397 00000 n
0000062673 00000 n
0000062719 00000 n
0002789579 00000 n
-0004999250 00000 n
+0004999298 00000 n
0000062776 00000 n
0000062837 00000 n
0002791932 00000 n
-0004999151 00000 n
+0004999199 00000 n
0000062894 00000 n
0000062976 00000 n
0002792060 00000 n
-0004999052 00000 n
+0004999100 00000 n
0000063033 00000 n
0000063089 00000 n
0002794494 00000 n
-0004998953 00000 n
+0004999001 00000 n
0000063146 00000 n
0000063196 00000 n
0002796993 00000 n
-0004998854 00000 n
+0004998902 00000 n
0000063253 00000 n
0000063301 00000 n
0002797121 00000 n
-0004998770 00000 n
+0004998818 00000 n
0000063358 00000 n
0000063409 00000 n
0002797249 00000 n
-0004998671 00000 n
+0004998719 00000 n
0000063461 00000 n
0000063507 00000 n
0002802198 00000 n
-0004998531 00000 n
+0004998579 00000 n
0000063559 00000 n
0000063634 00000 n
0002802325 00000 n
-0004998447 00000 n
+0004998495 00000 n
0000063691 00000 n
0000063757 00000 n
0002804839 00000 n
-0004998348 00000 n
+0004998396 00000 n
0000063814 00000 n
0000063856 00000 n
0002804967 00000 n
-0004998264 00000 n
+0004998312 00000 n
0000063913 00000 n
0000063962 00000 n
0002807225 00000 n
-0004998165 00000 n
+0004998213 00000 n
0000064014 00000 n
0000064088 00000 n
0002838763 00000 n
-0004998066 00000 n
+0004998114 00000 n
0000064140 00000 n
0000064193 00000 n
0002839019 00000 n
-0004997925 00000 n
+0004997973 00000 n
0000064245 00000 n
0000064285 00000 n
0002839147 00000 n
-0004997841 00000 n
+0004997889 00000 n
0000064342 00000 n
0000064412 00000 n
0002841879 00000 n
-0004997742 00000 n
+0004997790 00000 n
0000064469 00000 n
0000064564 00000 n
0002842010 00000 n
-0004997643 00000 n
+0004997691 00000 n
0000064621 00000 n
0000064701 00000 n
0002842141 00000 n
-0004997544 00000 n
+0004997592 00000 n
0000064758 00000 n
0000064808 00000 n
0002842271 00000 n
-0004997445 00000 n
+0004997493 00000 n
0000064865 00000 n
0000064931 00000 n
0002845216 00000 n
-0004997346 00000 n
+0004997394 00000 n
0000064988 00000 n
0000065071 00000 n
0002845347 00000 n
-0004997247 00000 n
+0004997295 00000 n
0000065128 00000 n
0000065216 00000 n
0002845478 00000 n
-0004997148 00000 n
+0004997196 00000 n
0000065273 00000 n
0000065346 00000 n
0002847946 00000 n
-0004997049 00000 n
+0004997097 00000 n
0000065403 00000 n
0000065488 00000 n
0002848077 00000 n
-0004996950 00000 n
+0004996998 00000 n
0000065546 00000 n
0000065626 00000 n
0002848208 00000 n
-0004996851 00000 n
+0004996899 00000 n
0000065684 00000 n
0000065753 00000 n
0002848339 00000 n
-0004996752 00000 n
+0004996800 00000 n
0000065811 00000 n
0000065898 00000 n
0002848470 00000 n
-0004996653 00000 n
+0004996701 00000 n
0000065956 00000 n
0000066030 00000 n
0002850908 00000 n
-0004996554 00000 n
+0004996602 00000 n
0000066088 00000 n
0000066132 00000 n
0002851039 00000 n
-0004996455 00000 n
+0004996503 00000 n
0000066190 00000 n
0000066279 00000 n
0002855308 00000 n
-0004996356 00000 n
+0004996404 00000 n
0000066337 00000 n
0000066425 00000 n
0002855439 00000 n
-0004996257 00000 n
+0004996305 00000 n
0000066483 00000 n
0000066566 00000 n
0002858666 00000 n
-0004996158 00000 n
+0004996206 00000 n
0000066624 00000 n
0000066714 00000 n
0002858797 00000 n
-0004996059 00000 n
+0004996107 00000 n
0000066772 00000 n
0000066849 00000 n
0002858928 00000 n
-0004995975 00000 n
+0004996023 00000 n
0000066907 00000 n
0000066997 00000 n
0002859059 00000 n
-0004995891 00000 n
+0004995939 00000 n
0000067049 00000 n
0000067115 00000 n
0003005652 00000 n
-0004995752 00000 n
+0004995800 00000 n
0000067164 00000 n
0000067217 00000 n
0003005782 00000 n
-0004995668 00000 n
+0004995716 00000 n
0000067268 00000 n
0000067315 00000 n
0003005913 00000 n
-0004995569 00000 n
+0004995617 00000 n
0000067366 00000 n
0000067402 00000 n
0003010360 00000 n
-0004995429 00000 n
+0004995477 00000 n
0000067453 00000 n
0000067495 00000 n
0003010491 00000 n
-0004995345 00000 n
+0004995393 00000 n
0000067551 00000 n
0000067584 00000 n
0003012701 00000 n
-0004995246 00000 n
+0004995294 00000 n
0000067640 00000 n
0000067684 00000 n
0003017292 00000 n
-0004995106 00000 n
+0004995154 00000 n
0000067740 00000 n
0000067781 00000 n
0003017554 00000 n
-0004995037 00000 n
+0004995085 00000 n
0000067842 00000 n
0000067897 00000 n
0003020270 00000 n
-0004994938 00000 n
+0004994986 00000 n
0000067953 00000 n
0000067994 00000 n
0003020401 00000 n
-0004994839 00000 n
+0004994887 00000 n
0000068050 00000 n
0000068085 00000 n
0003025834 00000 n
-0004994740 00000 n
+0004994788 00000 n
0000068141 00000 n
0000068177 00000 n
0003025965 00000 n
-0004994615 00000 n
+0004994663 00000 n
0000068233 00000 n
0000068275 00000 n
0003030395 00000 n
-0004994546 00000 n
+0004994594 00000 n
0000068336 00000 n
0000068383 00000 n
0003042798 00000 n
-0004994421 00000 n
+0004994469 00000 n
0000068434 00000 n
0000068491 00000 n
0003042929 00000 n
-0004994337 00000 n
+0004994385 00000 n
0000068547 00000 n
0000068585 00000 n
0003043059 00000 n
-0004994238 00000 n
+0004994286 00000 n
0000068641 00000 n
0000068674 00000 n
0003044739 00000 n
-0004994154 00000 n
+0004994202 00000 n
0000068730 00000 n
0000068770 00000 n
0003049350 00000 n
-0004994015 00000 n
+0004994063 00000 n
0000068819 00000 n
0000068882 00000 n
0003049480 00000 n
-0004993931 00000 n
+0004993979 00000 n
0000068933 00000 n
0000068980 00000 n
0003061791 00000 n
-0004993832 00000 n
+0004993880 00000 n
0000069031 00000 n
0000069069 00000 n
0003061922 00000 n
-0004993692 00000 n
+0004993740 00000 n
0000069120 00000 n
0000069167 00000 n
0003064540 00000 n
-0004993608 00000 n
+0004993656 00000 n
0000069223 00000 n
0000069262 00000 n
0003064671 00000 n
-0004993524 00000 n
+0004993572 00000 n
0000069318 00000 n
0000069370 00000 n
0003067287 00000 n
-0004993384 00000 n
+0004993432 00000 n
0000069421 00000 n
0000069464 00000 n
0003067418 00000 n
-0004993300 00000 n
+0004993348 00000 n
0000069520 00000 n
0000069580 00000 n
0003069886 00000 n
-0004993201 00000 n
+0004993249 00000 n
0000069636 00000 n
0000069699 00000 n
0003070017 00000 n
-0004993102 00000 n
+0004993150 00000 n
0000069755 00000 n
0000069802 00000 n
0003072888 00000 n
-0004993003 00000 n
+0004993051 00000 n
0000069858 00000 n
0000069918 00000 n
0003075835 00000 n
-0004992904 00000 n
+0004992952 00000 n
0000069974 00000 n
0000070030 00000 n
0003075965 00000 n
-0004992820 00000 n
+0004992868 00000 n
0000070086 00000 n
0000070128 00000 n
0003078790 00000 n
-0004992680 00000 n
+0004992728 00000 n
0000070179 00000 n
0000070235 00000 n
0003078921 00000 n
-0004992596 00000 n
+0004992644 00000 n
0000070291 00000 n
0000070331 00000 n
0003079052 00000 n
-0004992497 00000 n
+0004992545 00000 n
0000070387 00000 n
0000070427 00000 n
0003082028 00000 n
-0004992372 00000 n
+0004992420 00000 n
0000070483 00000 n
0000070529 00000 n
0003082159 00000 n
-0004992288 00000 n
+0004992336 00000 n
0000070590 00000 n
0000070690 00000 n
0003087579 00000 n
-0004992189 00000 n
+0004992237 00000 n
0000070751 00000 n
0000070799 00000 n
0003091643 00000 n
-0004992090 00000 n
+0004992138 00000 n
0000070860 00000 n
0000070908 00000 n
0003092823 00000 n
-0004991991 00000 n
+0004992039 00000 n
0000070969 00000 n
0000071038 00000 n
0003094749 00000 n
-0004991892 00000 n
+0004991940 00000 n
0000071099 00000 n
0000071169 00000 n
0003098447 00000 n
-0004991793 00000 n
+0004991841 00000 n
0000071230 00000 n
0000071290 00000 n
0003104895 00000 n
-0004991709 00000 n
+0004991757 00000 n
0000071351 00000 n
0000071406 00000 n
0003111632 00000 n
-0004991610 00000 n
+0004991658 00000 n
0000071457 00000 n
0000071493 00000 n
0003114114 00000 n
-0004991485 00000 n
+0004991533 00000 n
0000071544 00000 n
0000071583 00000 n
0003114245 00000 n
-0004991401 00000 n
+0004991449 00000 n
0000071639 00000 n
0000071687 00000 n
0003114376 00000 n
-0004991317 00000 n
+0004991365 00000 n
0000071743 00000 n
0000071812 00000 n
0003117501 00000 n
-0004991178 00000 n
+0004991226 00000 n
0000071861 00000 n
0000071920 00000 n
0003117631 00000 n
-0004991094 00000 n
+0004991142 00000 n
0000071971 00000 n
0000072018 00000 n
0003117761 00000 n
-0004990995 00000 n
+0004991043 00000 n
0000072069 00000 n
0000072123 00000 n
0003120609 00000 n
-0004990855 00000 n
+0004990903 00000 n
0000072174 00000 n
0000072225 00000 n
0003120740 00000 n
-0004990771 00000 n
+0004990819 00000 n
0000072281 00000 n
0000072345 00000 n
0003126560 00000 n
-0004990687 00000 n
+0004990735 00000 n
0000072401 00000 n
0000072460 00000 n
0003129921 00000 n
-0004990562 00000 n
+0004990610 00000 n
0000072511 00000 n
0000072563 00000 n
0003133497 00000 n
-0004990478 00000 n
+0004990526 00000 n
0000072619 00000 n
0000072688 00000 n
0003135814 00000 n
-0004990394 00000 n
+0004990442 00000 n
0000072744 00000 n
0000072798 00000 n
0003139335 00000 n
-0004990255 00000 n
+0004990303 00000 n
0000072847 00000 n
0000072906 00000 n
0003139465 00000 n
-0004990171 00000 n
+0004990219 00000 n
0000072957 00000 n
0000073004 00000 n
0003142883 00000 n
-0004990031 00000 n
+0004990079 00000 n
0000073055 00000 n
0000073118 00000 n
0003145770 00000 n
-0004989947 00000 n
+0004989995 00000 n
0000073174 00000 n
0000073224 00000 n
0003145901 00000 n
-0004989807 00000 n
+0004989855 00000 n
0000073280 00000 n
0000073338 00000 n
0003148908 00000 n
-0004989738 00000 n
+0004989786 00000 n
0000073399 00000 n
0000073446 00000 n
0003149039 00000 n
-0004989613 00000 n
+0004989661 00000 n
0000073502 00000 n
0000073570 00000 n
0003151840 00000 n
-0004989529 00000 n
+0004989577 00000 n
0000073631 00000 n
0000073703 00000 n
0003154729 00000 n
-0004989445 00000 n
+0004989493 00000 n
0000073764 00000 n
0000073824 00000 n
0003157876 00000 n
-0004989346 00000 n
+0004989394 00000 n
0000073875 00000 n
0000073931 00000 n
0003160351 00000 n
-0004989206 00000 n
+0004989254 00000 n
0000073982 00000 n
0000074024 00000 n
0003160482 00000 n
-0004989122 00000 n
+0004989170 00000 n
0000074080 00000 n
0000074129 00000 n
0003162888 00000 n
-0004989023 00000 n
+0004989071 00000 n
0000074185 00000 n
0000074229 00000 n
0003163019 00000 n
-0004988939 00000 n
+0004988987 00000 n
0000074285 00000 n
0000074322 00000 n
0003163149 00000 n
-0004988840 00000 n
+0004988888 00000 n
0000074373 00000 n
0000074443 00000 n
0003166078 00000 n
-0004988715 00000 n
+0004988763 00000 n
0000074494 00000 n
0000074533 00000 n
0003166209 00000 n
-0004988646 00000 n
+0004988694 00000 n
0000074589 00000 n
0000074637 00000 n
0003167928 00000 n
-0004988507 00000 n
+0004988555 00000 n
0000074686 00000 n
0000074744 00000 n
0003168058 00000 n
-0004988423 00000 n
+0004988471 00000 n
0000074795 00000 n
0000074842 00000 n
0003168189 00000 n
-0004988283 00000 n
+0004988331 00000 n
0000074893 00000 n
0000074935 00000 n
0003170994 00000 n
-0004988158 00000 n
+0004988206 00000 n
0000074991 00000 n
0000075059 00000 n
0003171125 00000 n
-0004988074 00000 n
+0004988122 00000 n
0000075120 00000 n
0000075172 00000 n
0003174225 00000 n
-0004987975 00000 n
+0004988023 00000 n
0000075233 00000 n
0000075290 00000 n
0003174488 00000 n
-0004987876 00000 n
+0004987924 00000 n
0000075351 00000 n
0000075435 00000 n
0003177007 00000 n
-0004987792 00000 n
+0004987840 00000 n
0000075496 00000 n
0000075559 00000 n
0003179764 00000 n
-0004987652 00000 n
+0004987700 00000 n
0000075615 00000 n
0000075691 00000 n
0003179895 00000 n
-0004987568 00000 n
+0004987616 00000 n
0000075752 00000 n
0000075809 00000 n
0003188432 00000 n
-0004987469 00000 n
+0004987517 00000 n
0000075870 00000 n
0000075923 00000 n
0003188562 00000 n
-0004987385 00000 n
+0004987433 00000 n
0000075984 00000 n
0000076042 00000 n
0003197146 00000 n
-0004987286 00000 n
+0004987334 00000 n
0000076098 00000 n
0000076159 00000 n
0003197277 00000 n
-0004987187 00000 n
+0004987235 00000 n
0000076215 00000 n
0000076310 00000 n
0003197407 00000 n
-0004987062 00000 n
+0004987110 00000 n
0000076366 00000 n
0000076449 00000 n
0003200300 00000 n
-0004986978 00000 n
+0004987026 00000 n
0000076510 00000 n
0000076576 00000 n
0003200893 00000 n
-0004986879 00000 n
+0004986927 00000 n
0000076637 00000 n
0000076681 00000 n
0003203339 00000 n
-0004986780 00000 n
+0004986828 00000 n
0000076742 00000 n
0000076784 00000 n
0003203470 00000 n
-0004986696 00000 n
+0004986744 00000 n
0000076845 00000 n
0000076882 00000 n
0003203601 00000 n
-0004986597 00000 n
+0004986645 00000 n
0000076933 00000 n
0000076977 00000 n
0003206297 00000 n
-0004986498 00000 n
+0004986546 00000 n
0000077028 00000 n
0000077090 00000 n
0003209043 00000 n
-0004986358 00000 n
+0004986406 00000 n
0000077141 00000 n
0000077200 00000 n
0003209174 00000 n
-0004986233 00000 n
+0004986281 00000 n
0000077256 00000 n
0000077300 00000 n
0003209305 00000 n
-0004986164 00000 n
+0004986212 00000 n
0000077361 00000 n
0000077431 00000 n
0003212008 00000 n
-0004986065 00000 n
+0004986113 00000 n
0000077487 00000 n
0000077541 00000 n
0003220030 00000 n
-0004985981 00000 n
+0004986029 00000 n
0000077597 00000 n
0000077643 00000 n
0003227619 00000 n
-0004985856 00000 n
+0004985904 00000 n
0000077694 00000 n
0000077733 00000 n
0003227750 00000 n
-0004985772 00000 n
+0004985820 00000 n
0000077789 00000 n
0000077871 00000 n
0003227881 00000 n
-0004985673 00000 n
+0004985721 00000 n
0000077927 00000 n
0000077982 00000 n
0003232867 00000 n
-0004985574 00000 n
+0004985622 00000 n
0000078038 00000 n
0000078094 00000 n
0003236192 00000 n
-0004985490 00000 n
+0004985538 00000 n
0000078150 00000 n
0000078234 00000 n
0003238864 00000 n
-0004985351 00000 n
+0004985399 00000 n
0000078283 00000 n
0000078351 00000 n
0003238994 00000 n
-0004985267 00000 n
+0004985315 00000 n
0000078402 00000 n
0000078449 00000 n
0003244285 00000 n
-0004985127 00000 n
+0004985175 00000 n
0000078500 00000 n
0000078546 00000 n
0003244416 00000 n
-0004985002 00000 n
+0004985050 00000 n
0000078602 00000 n
0000078654 00000 n
0003247171 00000 n
-0004984933 00000 n
+0004984981 00000 n
0000078715 00000 n
0000078774 00000 n
0003259993 00000 n
-0004984793 00000 n
+0004984841 00000 n
0000078830 00000 n
0000078887 00000 n
0003261487 00000 n
-0004984709 00000 n
+0004984757 00000 n
0000078948 00000 n
0000079004 00000 n
0003261618 00000 n
-0004984625 00000 n
+0004984673 00000 n
0000079065 00000 n
0000079126 00000 n
0003266225 00000 n
-0004984526 00000 n
+0004984574 00000 n
0000079182 00000 n
0000079236 00000 n
0003268807 00000 n
-0004984427 00000 n
+0004984475 00000 n
0000079292 00000 n
0000079364 00000 n
0003271680 00000 n
-0004984302 00000 n
+0004984350 00000 n
0000079420 00000 n
0000079496 00000 n
0003271810 00000 n
-0004984218 00000 n
+0004984266 00000 n
0000079557 00000 n
0000079625 00000 n
0003274902 00000 n
-0004984119 00000 n
+0004984167 00000 n
0000079686 00000 n
0000079748 00000 n
0003276572 00000 n
-0004984020 00000 n
+0004984068 00000 n
0000079809 00000 n
0000079868 00000 n
0003276703 00000 n
-0004983936 00000 n
+0004983984 00000 n
0000079929 00000 n
0000080002 00000 n
0003278569 00000 n
-0004983811 00000 n
+0004983859 00000 n
0000080053 00000 n
0000080092 00000 n
0003278700 00000 n
-0004983727 00000 n
+0004983775 00000 n
0000080148 00000 n
0000080198 00000 n
0003280454 00000 n
-0004983643 00000 n
+0004983691 00000 n
0000080254 00000 n
0000080323 00000 n
0003283303 00000 n
-0004983504 00000 n
+0004983552 00000 n
0000080372 00000 n
0000080446 00000 n
0003283433 00000 n
-0004983420 00000 n
+0004983468 00000 n
0000080497 00000 n
0000080544 00000 n
0003285812 00000 n
-0004983321 00000 n
+0004983369 00000 n
0000080595 00000 n
0000080643 00000 n
0003285943 00000 n
-0004983181 00000 n
+0004983229 00000 n
0000080694 00000 n
0000080762 00000 n
0003288421 00000 n
-0004983097 00000 n
+0004983145 00000 n
0000080818 00000 n
0000080856 00000 n
0003290750 00000 n
-0004982998 00000 n
+0004983046 00000 n
0000080912 00000 n
0000080956 00000 n
0003290881 00000 n
-0004982899 00000 n
+0004982947 00000 n
0000081012 00000 n
0000081054 00000 n
0003292901 00000 n
-0004982815 00000 n
+0004982863 00000 n
0000081110 00000 n
0000081156 00000 n
0003296343 00000 n
-0004982675 00000 n
+0004982723 00000 n
0000081207 00000 n
0000081285 00000 n
0003301762 00000 n
-0004982591 00000 n
+0004982639 00000 n
0000081341 00000 n
0000081391 00000 n
0003301893 00000 n
-0004982492 00000 n
+0004982540 00000 n
0000081447 00000 n
0000081491 00000 n
0003305712 00000 n
-0004982393 00000 n
+0004982441 00000 n
0000081547 00000 n
0000081585 00000 n
0003305843 00000 n
-0004982294 00000 n
+0004982342 00000 n
0000081641 00000 n
0000081679 00000 n
0003308803 00000 n
-0004982210 00000 n
+0004982258 00000 n
0000081735 00000 n
0000081774 00000 n
0003309264 00000 n
-0004982085 00000 n
+0004982133 00000 n
0000081825 00000 n
0000081864 00000 n
0003311321 00000 n
-0004982001 00000 n
+0004982049 00000 n
0000081920 00000 n
0000081974 00000 n
0003311452 00000 n
-0004981902 00000 n
+0004981950 00000 n
0000082030 00000 n
0000082087 00000 n
0003311583 00000 n
-0004981818 00000 n
+0004981866 00000 n
0000082143 00000 n
0000082203 00000 n
0003315670 00000 n
-0004981679 00000 n
+0004981727 00000 n
0000082252 00000 n
0000082300 00000 n
0003315800 00000 n
-0004981595 00000 n
+0004981643 00000 n
0000082351 00000 n
0000082398 00000 n
0003315931 00000 n
-0004981496 00000 n
+0004981544 00000 n
0000082449 00000 n
0000082505 00000 n
0003318813 00000 n
-0004981397 00000 n
+0004981445 00000 n
0000082556 00000 n
0000082600 00000 n
0003321673 00000 n
-0004981298 00000 n
+0004981346 00000 n
0000082651 00000 n
0000082702 00000 n
0003321804 00000 n
-0004981158 00000 n
+0004981206 00000 n
0000082753 00000 n
0000082796 00000 n
0003324824 00000 n
-0004981074 00000 n
+0004981122 00000 n
0000082852 00000 n
0000082903 00000 n
0003333682 00000 n
-0004980975 00000 n
+0004981023 00000 n
0000082959 00000 n
0000083013 00000 n
0003337094 00000 n
-0004980891 00000 n
+0004980939 00000 n
0000083069 00000 n
0000083128 00000 n
0003339574 00000 n
-0004980766 00000 n
+0004980814 00000 n
0000083179 00000 n
0000083218 00000 n
0003339704 00000 n
-0004980697 00000 n
+0004980745 00000 n
0000083274 00000 n
0000083325 00000 n
0003342051 00000 n
-0004980558 00000 n
+0004980606 00000 n
0000083374 00000 n
0000083423 00000 n
0003342181 00000 n
-0004980474 00000 n
+0004980522 00000 n
0000083474 00000 n
0000083521 00000 n
0003342312 00000 n
-0004980349 00000 n
+0004980397 00000 n
0000083572 00000 n
0000083628 00000 n
0003345381 00000 n
-0004980265 00000 n
+0004980313 00000 n
0000083684 00000 n
0000083720 00000 n
0003345512 00000 n
-0004980166 00000 n
+0004980214 00000 n
0000083776 00000 n
0000083809 00000 n
0003348218 00000 n
-0004980067 00000 n
+0004980115 00000 n
0000083865 00000 n
0000083899 00000 n
0003348349 00000 n
-0004979983 00000 n
+0004980031 00000 n
0000083955 00000 n
0000084020 00000 n
0003350901 00000 n
-0004979844 00000 n
+0004979892 00000 n
0000084069 00000 n
0000084118 00000 n
0003351031 00000 n
-0004979760 00000 n
+0004979808 00000 n
0000084169 00000 n
0000084216 00000 n
0003352965 00000 n
-0004979635 00000 n
+0004979683 00000 n
0000084267 00000 n
0000084313 00000 n
0003353096 00000 n
-0004979551 00000 n
+0004979599 00000 n
0000084369 00000 n
0000084414 00000 n
0003353226 00000 n
-0004979411 00000 n
+0004979459 00000 n
0000084470 00000 n
0000084518 00000 n
0003355551 00000 n
-0004979327 00000 n
+0004979375 00000 n
0000084579 00000 n
0000084632 00000 n
0003355682 00000 n
-0004979228 00000 n
+0004979276 00000 n
0000084693 00000 n
0000084750 00000 n
0003357827 00000 n
-0004979129 00000 n
+0004979177 00000 n
0000084811 00000 n
0000084878 00000 n
0003357956 00000 n
-0004979030 00000 n
+0004979078 00000 n
0000084939 00000 n
0000085020 00000 n
0003360355 00000 n
-0004978931 00000 n
+0004978979 00000 n
0000085081 00000 n
0000085137 00000 n
0003360486 00000 n
-0004978832 00000 n
+0004978880 00000 n
0000085198 00000 n
0000085262 00000 n
0003360617 00000 n
-0004978748 00000 n
+0004978796 00000 n
0000085323 00000 n
0000085384 00000 n
0003363954 00000 n
-0004978649 00000 n
+0004978697 00000 n
0000085440 00000 n
0000085485 00000 n
0003364085 00000 n
-0004978550 00000 n
+0004978598 00000 n
0000085541 00000 n
0000085602 00000 n
0003365665 00000 n
-0004978451 00000 n
+0004978499 00000 n
0000085658 00000 n
0000085716 00000 n
0003365796 00000 n
-0004978367 00000 n
+0004978415 00000 n
0000085772 00000 n
0000085811 00000 n
0003368626 00000 n
-0004978269 00000 n
+0004978317 00000 n
0000085860 00000 n
0000085918 00000 n
0003373345 00000 n
-0004978145 00000 n
+0004978193 00000 n
0000085967 00000 n
0000086032 00000 n
0003376264 00000 n
-0004978035 00000 n
+0004978083 00000 n
0000086083 00000 n
0000086123 00000 n
0003376395 00000 n
-0004977951 00000 n
+0004977999 00000 n
0000086179 00000 n
0000086230 00000 n
0003379664 00000 n
-0004977852 00000 n
+0004977900 00000 n
0000086286 00000 n
0000086351 00000 n
0003390496 00000 n
-0004977768 00000 n
+0004977816 00000 n
0000086407 00000 n
0000086466 00000 n
0003402227 00000 n
-0004977628 00000 n
+0004977676 00000 n
0000086511 00000 n
0000086562 00000 n
0003404332 00000 n
-0004977503 00000 n
+0004977551 00000 n
0000086611 00000 n
0000086671 00000 n
0003404462 00000 n
-0004977378 00000 n
+0004977426 00000 n
0000086722 00000 n
0000086771 00000 n
0003407092 00000 n
-0004977294 00000 n
+0004977342 00000 n
0000086827 00000 n
0000086896 00000 n
0003407223 00000 n
-0004977195 00000 n
+0004977243 00000 n
0000086952 00000 n
0000087020 00000 n
0003407351 00000 n
-0004977111 00000 n
+0004977159 00000 n
0000087076 00000 n
0000087125 00000 n
0003407482 00000 n
-0004976986 00000 n
+0004977034 00000 n
0000087176 00000 n
0000087234 00000 n
0003407613 00000 n
-0004976902 00000 n
+0004976950 00000 n
0000087290 00000 n
0000087352 00000 n
0003407743 00000 n
-0004976762 00000 n
+0004976810 00000 n
0000087408 00000 n
0000087463 00000 n
0003412733 00000 n
-0004976678 00000 n
+0004976726 00000 n
0000087524 00000 n
0000087585 00000 n
0003412864 00000 n
-0004976579 00000 n
+0004976627 00000 n
0000087646 00000 n
0000087694 00000 n
0003414249 00000 n
-0004976480 00000 n
+0004976528 00000 n
0000087755 00000 n
0000087799 00000 n
0003419821 00000 n
-0004976396 00000 n
+0004976444 00000 n
0000087860 00000 n
0000087933 00000 n
0003422821 00000 n
-0004976271 00000 n
+0004976319 00000 n
0000087989 00000 n
0000088034 00000 n
0003422952 00000 n
-0004976187 00000 n
+0004976235 00000 n
0000088095 00000 n
0000088139 00000 n
0003423083 00000 n
-0004976088 00000 n
+0004976136 00000 n
0000088200 00000 n
0000088249 00000 n
0003426391 00000 n
-0004975989 00000 n
+0004976037 00000 n
0000088310 00000 n
0000088374 00000 n
0003429125 00000 n
-0004975905 00000 n
+0004975953 00000 n
0000088435 00000 n
0000088469 00000 n
0003436538 00000 n
-0004975765 00000 n
+0004975813 00000 n
0000088518 00000 n
0000088587 00000 n
0003436667 00000 n
-0004975640 00000 n
+0004975688 00000 n
0000088638 00000 n
0000088692 00000 n
0003436798 00000 n
-0004975515 00000 n
+0004975563 00000 n
0000088748 00000 n
0000088786 00000 n
0003441313 00000 n
-0004975431 00000 n
+0004975479 00000 n
0000088847 00000 n
0000088890 00000 n
0003443921 00000 n
-0004975332 00000 n
+0004975380 00000 n
0000088951 00000 n
0000089014 00000 n
0003444052 00000 n
-0004975233 00000 n
+0004975281 00000 n
0000089075 00000 n
0000089118 00000 n
0003446615 00000 n
-0004975134 00000 n
+0004975182 00000 n
0000089179 00000 n
0000089235 00000 n
0003446746 00000 n
-0004975050 00000 n
+0004975098 00000 n
0000089296 00000 n
0000089349 00000 n
0003446877 00000 n
-0004974966 00000 n
+0004975014 00000 n
0000089405 00000 n
0000089459 00000 n
0003449364 00000 n
-0004974841 00000 n
+0004974889 00000 n
0000089510 00000 n
0000089553 00000 n
0003451853 00000 n
-0004974757 00000 n
+0004974805 00000 n
0000089609 00000 n
0000089657 00000 n
0003451984 00000 n
-0004974673 00000 n
+0004974721 00000 n
0000089713 00000 n
0000089771 00000 n
0003460114 00000 n
-0004974548 00000 n
+0004974596 00000 n
0000089820 00000 n
0000089891 00000 n
0003460244 00000 n
-0004974464 00000 n
+0004974512 00000 n
0000089942 00000 n
0000089989 00000 n
0003462713 00000 n
-0004974324 00000 n
+0004974372 00000 n
0000090040 00000 n
0000090095 00000 n
0003462844 00000 n
-0004974199 00000 n
+0004974247 00000 n
0000090151 00000 n
0000090205 00000 n
0003464968 00000 n
-0004974115 00000 n
+0004974163 00000 n
0000090266 00000 n
0000090318 00000 n
0003465099 00000 n
-0004974031 00000 n
+0004974079 00000 n
0000090379 00000 n
0000090440 00000 n
0003468277 00000 n
-0004973932 00000 n
+0004973980 00000 n
0000090496 00000 n
0000090545 00000 n
0003472883 00000 n
-0004973833 00000 n
+0004973881 00000 n
0000090601 00000 n
0000090654 00000 n
0003473278 00000 n
-0004973749 00000 n
+0004973797 00000 n
0000090710 00000 n
0000090780 00000 n
0003475854 00000 n
-0004973624 00000 n
+0004973672 00000 n
0000090831 00000 n
0000090880 00000 n
0003475984 00000 n
-0004973540 00000 n
+0004973588 00000 n
0000090936 00000 n
0000090982 00000 n
0003478621 00000 n
-0004973441 00000 n
+0004973489 00000 n
0000091038 00000 n
0000091081 00000 n
0003481224 00000 n
-0004973342 00000 n
+0004973390 00000 n
0000091137 00000 n
0000091179 00000 n
0003481355 00000 n
-0004973243 00000 n
+0004973291 00000 n
0000091235 00000 n
0000091280 00000 n
0003481486 00000 n
-0004973144 00000 n
+0004973192 00000 n
0000091336 00000 n
0000091379 00000 n
0003483905 00000 n
-0004973045 00000 n
+0004973093 00000 n
0000091435 00000 n
0000091478 00000 n
0003484036 00000 n
-0004972946 00000 n
+0004972994 00000 n
0000091534 00000 n
0000091575 00000 n
0003484166 00000 n
-0004972862 00000 n
+0004972910 00000 n
0000091631 00000 n
0000091683 00000 n
0003485490 00000 n
-0004972721 00000 n
+0004972769 00000 n
0000091728 00000 n
0000091771 00000 n
0003487828 00000 n
-0004972596 00000 n
+0004972644 00000 n
0000091820 00000 n
0000091871 00000 n
0003487958 00000 n
-0004972512 00000 n
+0004972560 00000 n
0000091922 00000 n
0000091960 00000 n
0003488089 00000 n
-0004972413 00000 n
+0004972461 00000 n
0000092011 00000 n
0000092048 00000 n
0003491367 00000 n
-0004972329 00000 n
+0004972377 00000 n
0000092099 00000 n
0000092134 00000 n
0003515320 00000 n
-0004972189 00000 n
+0004972237 00000 n
0000092183 00000 n
0000092251 00000 n
0003515450 00000 n
-0004972064 00000 n
+0004972112 00000 n
0000092302 00000 n
0000092345 00000 n
0003515579 00000 n
-0004971980 00000 n
+0004972028 00000 n
0000092401 00000 n
0000092456 00000 n
0003518593 00000 n
-0004971881 00000 n
+0004971929 00000 n
0000092512 00000 n
0000092547 00000 n
0003518724 00000 n
-0004971782 00000 n
+0004971830 00000 n
0000092603 00000 n
0000092639 00000 n
0003518855 00000 n
-0004971657 00000 n
+0004971705 00000 n
0000092695 00000 n
0000092750 00000 n
0003539323 00000 n
-0004971573 00000 n
+0004971621 00000 n
0000092811 00000 n
0000092888 00000 n
0003582907 00000 n
-0004971489 00000 n
+0004971537 00000 n
0000092949 00000 n
0000093022 00000 n
0003583038 00000 n
-0004971390 00000 n
+0004971438 00000 n
0000093073 00000 n
0000093110 00000 n
0003583169 00000 n
-0004971291 00000 n
+0004971339 00000 n
0000093161 00000 n
0000093212 00000 n
0003587367 00000 n
-0004971207 00000 n
+0004971255 00000 n
0000093263 00000 n
0000093321 00000 n
0003590471 00000 n
-0004971067 00000 n
+0004971115 00000 n
0000093370 00000 n
0000093416 00000 n
0003590601 00000 n
-0004970983 00000 n
+0004971031 00000 n
0000093467 00000 n
0000093505 00000 n
0003590732 00000 n
-0004970884 00000 n
+0004970932 00000 n
0000093556 00000 n
0000093601 00000 n
0003594111 00000 n
-0004970744 00000 n
+0004970792 00000 n
0000093652 00000 n
0000093690 00000 n
0003597754 00000 n
-0004970675 00000 n
+0004970723 00000 n
0000093746 00000 n
0000093803 00000 n
0003598280 00000 n
-0004970576 00000 n
+0004970624 00000 n
0000093854 00000 n
0000093895 00000 n
0003600804 00000 n
-0004970477 00000 n
+0004970525 00000 n
0000093946 00000 n
0000094002 00000 n
0003602253 00000 n
-0004970393 00000 n
+0004970441 00000 n
0000094053 00000 n
0000094086 00000 n
0003604651 00000 n
-0004970268 00000 n
+0004970316 00000 n
0000094135 00000 n
0000094185 00000 n
0003604781 00000 n
-0004970184 00000 n
+0004970232 00000 n
0000094236 00000 n
0000094283 00000 n
0003604912 00000 n
-0004970100 00000 n
+0004970148 00000 n
0000094334 00000 n
0000094378 00000 n
0003611160 00000 n
-0004969973 00000 n
+0004970021 00000 n
0000094423 00000 n
0000094469 00000 n
0003613501 00000 n
-0004969848 00000 n
+0004969896 00000 n
0000094518 00000 n
0000094570 00000 n
0003613631 00000 n
-0004969723 00000 n
+0004969771 00000 n
0000094621 00000 n
0000094686 00000 n
0003613762 00000 n
-0004969639 00000 n
+0004969687 00000 n
0000094742 00000 n
0000094782 00000 n
0003613893 00000 n
-0004969514 00000 n
+0004969562 00000 n
0000094838 00000 n
0000094896 00000 n
0003616753 00000 n
-0004969430 00000 n
+0004969478 00000 n
0000094957 00000 n
0000095005 00000 n
0003616884 00000 n
-0004969346 00000 n
+0004969394 00000 n
0000095066 00000 n
0000095117 00000 n
0003619987 00000 n
-0004969247 00000 n
+0004969295 00000 n
0000095168 00000 n
0000095239 00000 n
0003620118 00000 n
-0004969148 00000 n
+0004969196 00000 n
0000095290 00000 n
0000095347 00000 n
0003622042 00000 n
-0004969008 00000 n
+0004969056 00000 n
0000095398 00000 n
0000095445 00000 n
0003625315 00000 n
-0004968898 00000 n
+0004968946 00000 n
0000095501 00000 n
0000095574 00000 n
0003625446 00000 n
-0004968814 00000 n
+0004968862 00000 n
0000095635 00000 n
0000095708 00000 n
0003625577 00000 n
-0004968715 00000 n
+0004968763 00000 n
0000095769 00000 n
0000095849 00000 n
0003627942 00000 n
-0004968631 00000 n
+0004968679 00000 n
0000095910 00000 n
0000095971 00000 n
0003628073 00000 n
-0004968506 00000 n
+0004968554 00000 n
0000096022 00000 n
0000096083 00000 n
0003629946 00000 n
-0004968422 00000 n
+0004968470 00000 n
0000096139 00000 n
0000096191 00000 n
0003631923 00000 n
-0004968297 00000 n
+0004968345 00000 n
0000096247 00000 n
0000096313 00000 n
0003634067 00000 n
-0004968213 00000 n
+0004968261 00000 n
0000096374 00000 n
0000096436 00000 n
0003635533 00000 n
-0004968129 00000 n
+0004968177 00000 n
0000096497 00000 n
0000096563 00000 n
0003637921 00000 n
-0004967989 00000 n
+0004968037 00000 n
0000096612 00000 n
0000096655 00000 n
0003638051 00000 n
-0004967905 00000 n
+0004967953 00000 n
0000096706 00000 n
0000096736 00000 n
0003640606 00000 n
-0004967806 00000 n
+0004967854 00000 n
0000096787 00000 n
0000096821 00000 n
0003640737 00000 n
-0004967707 00000 n
+0004967755 00000 n
0000096872 00000 n
0000096902 00000 n
0003644027 00000 n
-0004967608 00000 n
+0004967656 00000 n
0000096953 00000 n
0000096992 00000 n
0003644158 00000 n
-0004967509 00000 n
+0004967557 00000 n
0000097043 00000 n
0000097095 00000 n
0003646862 00000 n
-0004967384 00000 n
+0004967432 00000 n
0000097146 00000 n
0000097179 00000 n
0003646993 00000 n
-0004967300 00000 n
+0004967348 00000 n
0000097235 00000 n
0000097283 00000 n
0003647124 00000 n
-0004967216 00000 n
+0004967264 00000 n
0000097339 00000 n
0000097387 00000 n
0003650611 00000 n
-0004967076 00000 n
+0004967124 00000 n
0000097436 00000 n
0000097496 00000 n
0003650741 00000 n
-0004966992 00000 n
+0004967040 00000 n
0000097547 00000 n
0000097590 00000 n
0003653659 00000 n
-0004966852 00000 n
+0004966900 00000 n
0000097641 00000 n
0000097677 00000 n
0003653790 00000 n
-0004966768 00000 n
+0004966816 00000 n
0000097733 00000 n
0000097805 00000 n
0003653921 00000 n
-0004966669 00000 n
+0004966717 00000 n
0000097861 00000 n
0000097923 00000 n
0003656654 00000 n
-0004966585 00000 n
+0004966633 00000 n
0000097979 00000 n
0000098047 00000 n
0003656785 00000 n
-0004966445 00000 n
+0004966493 00000 n
0000098098 00000 n
0000098146 00000 n
0003656916 00000 n
-0004966361 00000 n
+0004966409 00000 n
0000098202 00000 n
0000098264 00000 n
0003659816 00000 n
-0004966262 00000 n
+0004966310 00000 n
0000098320 00000 n
0000098387 00000 n
0003659947 00000 n
-0004966163 00000 n
+0004966211 00000 n
0000098443 00000 n
0000098523 00000 n
0003660078 00000 n
-0004966064 00000 n
+0004966112 00000 n
0000098579 00000 n
0000098632 00000 n
0003662667 00000 n
-0004965965 00000 n
+0004966013 00000 n
0000098688 00000 n
0000098746 00000 n
0003662798 00000 n
-0004965881 00000 n
+0004965929 00000 n
0000098802 00000 n
0000098847 00000 n
0003662927 00000 n
-0004965741 00000 n
+0004965789 00000 n
0000098898 00000 n
0000098937 00000 n
0003666280 00000 n
-0004965672 00000 n
+0004965720 00000 n
0000098993 00000 n
0000099038 00000 n
0003666411 00000 n
-0004965573 00000 n
+0004965621 00000 n
0000099089 00000 n
0000099142 00000 n
0003668760 00000 n
-0004965489 00000 n
+0004965537 00000 n
0000099193 00000 n
0000099233 00000 n
0003671185 00000 n
-0004965348 00000 n
+0004965396 00000 n
0000099282 00000 n
0000099338 00000 n
0003671315 00000 n
-0004965264 00000 n
+0004965312 00000 n
0000099389 00000 n
0000099426 00000 n
0003671446 00000 n
-0004965165 00000 n
+0004965213 00000 n
0000099477 00000 n
0000099517 00000 n
0003674161 00000 n
-0004965066 00000 n
+0004965114 00000 n
0000099568 00000 n
0000099603 00000 n
0003676597 00000 n
-0004964967 00000 n
+0004965015 00000 n
0000099654 00000 n
0000099688 00000 n
0003676728 00000 n
-0004964868 00000 n
+0004964916 00000 n
0000099739 00000 n
0000099774 00000 n
0003676859 00000 n
-0004964769 00000 n
+0004964817 00000 n
0000099825 00000 n
0000099859 00000 n
0003676990 00000 n
-0004964670 00000 n
+0004964718 00000 n
0000099910 00000 n
0000099945 00000 n
0003679704 00000 n
-0004964571 00000 n
+0004964619 00000 n
0000099996 00000 n
0000100033 00000 n
0003679835 00000 n
-0004964472 00000 n
+0004964520 00000 n
0000100084 00000 n
0000100123 00000 n
0003679965 00000 n
-0004964373 00000 n
+0004964421 00000 n
0000100175 00000 n
0000100256 00000 n
0003682513 00000 n
-0004964274 00000 n
+0004964322 00000 n
0000100308 00000 n
0000100352 00000 n
0003682644 00000 n
-0004964190 00000 n
+0004964238 00000 n
0000100404 00000 n
0000100461 00000 n
0003684923 00000 n
-0004964050 00000 n
+0004964098 00000 n
0000100510 00000 n
0000100575 00000 n
0003685053 00000 n
-0004963966 00000 n
+0004964014 00000 n
0000100626 00000 n
0000100664 00000 n
0003688979 00000 n
-0004963826 00000 n
+0004963874 00000 n
0000100715 00000 n
0000100752 00000 n
0003689109 00000 n
-0004963742 00000 n
+0004963790 00000 n
0000100808 00000 n
0000100872 00000 n
0003692920 00000 n
-0004963643 00000 n
+0004963691 00000 n
0000100928 00000 n
0000100989 00000 n
0003696350 00000 n
-0004963559 00000 n
+0004963607 00000 n
0000101045 00000 n
0000101100 00000 n
0003697865 00000 n
-0004963460 00000 n
+0004963508 00000 n
0000101151 00000 n
0000101184 00000 n
0003701343 00000 n
-0004963376 00000 n
+0004963424 00000 n
0000101235 00000 n
0000101276 00000 n
0003703903 00000 n
-0004963236 00000 n
+0004963284 00000 n
0000101325 00000 n
0000101370 00000 n
0003707329 00000 n
-0004963152 00000 n
+0004963200 00000 n
0000101421 00000 n
0000101459 00000 n
0003709920 00000 n
-0004963068 00000 n
+0004963116 00000 n
0000101510 00000 n
0000101554 00000 n
0003712323 00000 n
-0004962928 00000 n
+0004962976 00000 n
0000101603 00000 n
0000101667 00000 n
0003712453 00000 n
-0004962844 00000 n
+0004962892 00000 n
0000101718 00000 n
0000101765 00000 n
0003716022 00000 n
-0004962719 00000 n
+0004962767 00000 n
0000101816 00000 n
0000101863 00000 n
0003717950 00000 n
-0004962635 00000 n
+0004962683 00000 n
0000101919 00000 n
0000101958 00000 n
0003722855 00000 n
-0004962551 00000 n
+0004962599 00000 n
0000102014 00000 n
0000102053 00000 n
0003725721 00000 n
-0004962452 00000 n
+0004962500 00000 n
0000102102 00000 n
0000102169 00000 n
0003764350 00000 n
-0004962353 00000 n
+0004962401 00000 n
0000102219 00000 n
0000102248 00000 n
0003769380 00000 n
-0004962269 00000 n
+0004962317 00000 n
0000102299 00000 n
0000102333 00000 n
0000102743 00000 n
@@ -127441,22 +127438,22 @@
0000102387 00000 n
0000102859 00000 n
0000102922 00000 n
-0004933087 00000 n
-0004934428 00000 n
-0004937248 00000 n
+0004933135 00000 n
+0004934476 00000 n
+0004937296 00000 n
0000105651 00000 n
0000105285 00000 n
0000103074 00000 n
0000105401 00000 n
-0004935760 00000 n
+0004935808 00000 n
0000105587 00000 n
-0004934280 00000 n
-0004932938 00000 n
+0004934328 00000 n
+0004932986 00000 n
0000106421 00000 n
0000106241 00000 n
0000105753 00000 n
0000106357 00000 n
-0004935612 00000 n
+0004935660 00000 n
0000107898 00000 n
0000108048 00000 n
0000108220 00000 n
@@ -127486,9 +127483,9 @@
0000106523 00000 n
0000111719 00000 n
0000111840 00000 n
-0004936061 00000 n
-0004933836 00000 n
-0004936802 00000 n
+0004936109 00000 n
+0004933884 00000 n
+0004936850 00000 n
0000418478 00000 n
0000452902 00000 n
0000546262 00000 n
@@ -127596,7 +127593,7 @@
0000125652 00000 n
0000124286 00000 n
0000129681 00000 n
-0004937374 00000 n
+0004937422 00000 n
0001905711 00000 n
0002076402 00000 n
0003005717 00000 n
@@ -127774,7 +127771,7 @@
0000152435 00000 n
0000150989 00000 n
0000158460 00000 n
-0004937500 00000 n
+0004937548 00000 n
0000160774 00000 n
0000160933 00000 n
0000161093 00000 n
@@ -128008,7 +128005,7 @@
0000198890 00000 n
0000197295 00000 n
0000204931 00000 n
-0004937626 00000 n
+0004937674 00000 n
0000207325 00000 n
0000207486 00000 n
0000207651 00000 n
@@ -128126,7 +128123,7 @@
0000221943 00000 n
0000220289 00000 n
0000228510 00000 n
-0004936209 00000 n
+0004936257 00000 n
0000230936 00000 n
0000231097 00000 n
0000231253 00000 n
@@ -128247,7 +128244,7 @@
0000246640 00000 n
0000244774 00000 n
0000252828 00000 n
-0004937752 00000 n
+0004937800 00000 n
0000255316 00000 n
0000255477 00000 n
0000255643 00000 n
@@ -128484,7 +128481,7 @@
0000294277 00000 n
0000292811 00000 n
0000300530 00000 n
-0004937878 00000 n
+0004937926 00000 n
0000302939 00000 n
0000303093 00000 n
0000303249 00000 n
@@ -128717,7 +128714,7 @@
0000339951 00000 n
0000338508 00000 n
0000346231 00000 n
-0004938004 00000 n
+0004938052 00000 n
0000347865 00000 n
0000348022 00000 n
0000348175 00000 n
@@ -128869,7 +128866,7 @@
0000364170 00000 n
0000363496 00000 n
0000365625 00000 n
-0004938130 00000 n
+0004938178 00000 n
0003091774 00000 n
0003136940 00000 n
0003333091 00000 n
@@ -129059,7 +129056,7 @@
0000382925 00000 n
0000381817 00000 n
0000386554 00000 n
-0004938256 00000 n
+0004938304 00000 n
0004689119 00000 n
0000428618 00000 n
0000450231 00000 n
@@ -129173,13 +129170,13 @@
0000402205 00000 n
0000402269 00000 n
0000401973 00000 n
-0004934722 00000 n
+0004934770 00000 n
0000402395 00000 n
0000403855 00000 n
0000403675 00000 n
0000402603 00000 n
0000403791 00000 n
-0004938382 00000 n
+0004938430 00000 n
0000406402 00000 n
0000405967 00000 n
0000403999 00000 n
@@ -129201,9 +129198,9 @@
0000411894 00000 n
0000411957 00000 n
0000412021 00000 n
-0004934576 00000 n
-0004933984 00000 n
-0004936951 00000 n
+0004934624 00000 n
+0004934032 00000 n
+0004936999 00000 n
0000414038 00000 n
0000413858 00000 n
0000412271 00000 n
@@ -129214,7 +129211,7 @@
0000414822 00000 n
0000414706 00000 n
0000414605 00000 n
-0004938508 00000 n
+0004938556 00000 n
0000415787 00000 n
0000415354 00000 n
0000414864 00000 n
@@ -129232,7 +129229,7 @@
0000417734 00000 n
0000416212 00000 n
0000418353 00000 n
-0004935463 00000 n
+0004935511 00000 n
0000418604 00000 n
0000418037 00000 n
0000418730 00000 n
@@ -129244,7 +129241,7 @@
0000422462 00000 n
0000422590 00000 n
0000422654 00000 n
-0004937099 00000 n
+0004937147 00000 n
0000422717 00000 n
0000422781 00000 n
0000422845 00000 n
@@ -129267,13 +129264,13 @@
0000428438 00000 n
0000425995 00000 n
0000428554 00000 n
-0004938634 00000 n
+0004938682 00000 n
0000431533 00000 n
0000432392 00000 n
0000431396 00000 n
0000428848 00000 n
0000431691 00000 n
-0004933686 00000 n
+0004933734 00000 n
0000431816 00000 n
0000431944 00000 n
0000432008 00000 n
@@ -129321,7 +129318,7 @@
0000446066 00000 n
0000446192 00000 n
0000446319 00000 n
-0004938760 00000 n
+0004938808 00000 n
0000447563 00000 n
0000447257 00000 n
0000446513 00000 n
@@ -129379,7 +129376,7 @@
0000463040 00000 n
0000463104 00000 n
0000463168 00000 n
-0004938886 00000 n
+0004938934 00000 n
0000465057 00000 n
0000465404 00000 n
0000464920 00000 n
@@ -129438,8 +129435,8 @@
0000476265 00000 n
0000474784 00000 n
0000477576 00000 n
-0004933536 00000 n
-0004935314 00000 n
+0004933584 00000 n
+0004935362 00000 n
0000476758 00000 n
0000477020 00000 n
0000477068 00000 n
@@ -129487,7 +129484,7 @@
0000486061 00000 n
0000486125 00000 n
0000486189 00000 n
-0004939012 00000 n
+0004939060 00000 n
0000487844 00000 n
0000487473 00000 n
0000486396 00000 n
@@ -129571,7 +129568,7 @@
0000503239 00000 n
0000503303 00000 n
0000503367 00000 n
-0004939138 00000 n
+0004939186 00000 n
0000505726 00000 n
0000505356 00000 n
0000503547 00000 n
@@ -129644,7 +129641,7 @@
0000520380 00000 n
0000520444 00000 n
0000520507 00000 n
-0004939264 00000 n
+0004939312 00000 n
0000522402 00000 n
0000522555 00000 n
0000522703 00000 n
@@ -129778,7 +129775,7 @@
0000542893 00000 n
0000542777 00000 n
0000542676 00000 n
-0004939390 00000 n
+0004939438 00000 n
0000543906 00000 n
0000543472 00000 n
0000542935 00000 n
@@ -129816,7 +129813,7 @@
0000554706 00000 n
0000554770 00000 n
0000554834 00000 n
-0004939516 00000 n
+0004939564 00000 n
0000558086 00000 n
0000557525 00000 n
0000555042 00000 n
@@ -129875,12 +129872,12 @@
0000572899 00000 n
0000571036 00000 n
0000573015 00000 n
-0004939642 00000 n
+0004939690 00000 n
0000576210 00000 n
0000575648 00000 n
0000573209 00000 n
0000575764 00000 n
-0004935911 00000 n
+0004935959 00000 n
0000575890 00000 n
0000575954 00000 n
0000576018 00000 n
@@ -129918,7 +129915,7 @@
0000587152 00000 n
0000587051 00000 n
0000587268 00000 n
-0004939768 00000 n
+0004939816 00000 n
0000589115 00000 n
0000591249 00000 n
0000589462 00000 n
@@ -129959,7 +129956,7 @@
0000627962 00000 n
0000627491 00000 n
0000628089 00000 n
-0004939894 00000 n
+0004939942 00000 n
0000736163 00000 n
0000630826 00000 n
0000630647 00000 n
@@ -129980,21 +129977,21 @@
0000638895 00000 n
0000636466 00000 n
0000639182 00000 n
-0004934869 00000 n
+0004934917 00000 n
0000641757 00000 n
0000641999 00000 n
0000641620 00000 n
0000639418 00000 n
0000641936 00000 n
-0004936505 00000 n
-0004936358 00000 n
+0004936553 00000 n
+0004936406 00000 n
0000646569 00000 n
0000644529 00000 n
0000644222 00000 n
0000642256 00000 n
0000644338 00000 n
0000644465 00000 n
-0004940020 00000 n
+0004940068 00000 n
0000646881 00000 n
0000647040 00000 n
0000647432 00000 n
@@ -130078,7 +130075,7 @@
0000666252 00000 n
0000666316 00000 n
0000666442 00000 n
-0004940146 00000 n
+0004940194 00000 n
0000669161 00000 n
0000668855 00000 n
0000666649 00000 n
@@ -130121,7 +130118,7 @@
0000681023 00000 n
0000682784 00000 n
0000682910 00000 n
-0004940272 00000 n
+0004940320 00000 n
0000685948 00000 n
0000685389 00000 n
0000683104 00000 n
@@ -130157,7 +130154,7 @@
0000698675 00000 n
0000696289 00000 n
0000698791 00000 n
-0004940398 00000 n
+0004940446 00000 n
0000701610 00000 n
0000701764 00000 n
0000701917 00000 n
@@ -130219,7 +130216,7 @@
0000716868 00000 n
0000719499 00000 n
0000719626 00000 n
-0004940524 00000 n
+0004940572 00000 n
0000723434 00000 n
0000724390 00000 n
0000722973 00000 n
@@ -130267,7 +130264,7 @@
0000735920 00000 n
0000733873 00000 n
0000736036 00000 n
-0004940650 00000 n
+0004940698 00000 n
0000738126 00000 n
0000737947 00000 n
0000736371 00000 n
@@ -130314,7 +130311,7 @@
0000752044 00000 n
0000752171 00000 n
0000752298 00000 n
-0004940776 00000 n
+0004940824 00000 n
0000755046 00000 n
0000754613 00000 n
0000754766 00000 n
@@ -130372,7 +130369,7 @@
0000771756 00000 n
0000771881 00000 n
0000771402 00000 n
-0004940902 00000 n
+0004940950 00000 n
0000773906 00000 n
0000773510 00000 n
0000772243 00000 n
@@ -130411,7 +130408,7 @@
0000787108 00000 n
0000787235 00000 n
0000787362 00000 n
-0004941028 00000 n
+0004941076 00000 n
0000789705 00000 n
0000789399 00000 n
0000787570 00000 n
@@ -130464,7 +130461,7 @@
0000802679 00000 n
0000802743 00000 n
0000802807 00000 n
-0004941154 00000 n
+0004941202 00000 n
0000805838 00000 n
0000805990 00000 n
0000806304 00000 n
@@ -130544,7 +130541,7 @@
0000863744 00000 n
0000863808 00000 n
0000863872 00000 n
-0004941280 00000 n
+0004941328 00000 n
0000934853 00000 n
0000948366 00000 n
0000881153 00000 n
@@ -130631,7 +130628,7 @@
0000974878 00000 n
0000974942 00000 n
0000975069 00000 n
-0004941406 00000 n
+0004941454 00000 n
0001144062 00000 n
0001144190 00000 n
0000988960 00000 n
@@ -130676,7 +130673,7 @@
0001067341 00000 n
0001066840 00000 n
0001110126 00000 n
-0004941532 00000 n
+0004941580 00000 n
0001144254 00000 n
0001111152 00000 n
0001110601 00000 n
@@ -130699,7 +130696,7 @@
0001175294 00000 n
0001175178 00000 n
0001175077 00000 n
-0004941658 00000 n
+0004941706 00000 n
0001176232 00000 n
0001175798 00000 n
0001175336 00000 n
@@ -130742,7 +130739,7 @@
0001187928 00000 n
0001188055 00000 n
0001188182 00000 n
-0004941784 00000 n
+0004941832 00000 n
0001189681 00000 n
0001189376 00000 n
0001188446 00000 n
@@ -130774,7 +130771,7 @@
0001202107 00000 n
0001202171 00000 n
0001202235 00000 n
-0004941910 00000 n
+0004941958 00000 n
0001205264 00000 n
0001204830 00000 n
0001202429 00000 n
@@ -130786,7 +130783,7 @@
0001207522 00000 n
0001205422 00000 n
0001207638 00000 n
-0004933385 00000 n
+0004933433 00000 n
0001210049 00000 n
0001209870 00000 n
0001207973 00000 n
@@ -130815,7 +130812,7 @@
0001218555 00000 n
0001218619 00000 n
0001218683 00000 n
-0004942036 00000 n
+0004942084 00000 n
0001221798 00000 n
0001226084 00000 n
0001223165 00000 n
@@ -130887,7 +130884,7 @@
0001239875 00000 n
0001239939 00000 n
0001240066 00000 n
-0004942162 00000 n
+0004942210 00000 n
0001242792 00000 n
0001244266 00000 n
0001242676 00000 n
@@ -130934,7 +130931,7 @@
0001258050 00000 n
0001258114 00000 n
0001258241 00000 n
-0004942288 00000 n
+0004942336 00000 n
0001260944 00000 n
0001260638 00000 n
0001258504 00000 n
@@ -130979,7 +130976,7 @@
0001299249 00000 n
0001302519 00000 n
0001302775 00000 n
-0004942414 00000 n
+0004942462 00000 n
0001305572 00000 n
0001306082 00000 n
0001305329 00000 n
@@ -131015,7 +131012,7 @@
0001315159 00000 n
0001315058 00000 n
0001315275 00000 n
-0004942540 00000 n
+0004942588 00000 n
0001317348 00000 n
0001317042 00000 n
0001315381 00000 n
@@ -131060,7 +131057,7 @@
0001340612 00000 n
0001339713 00000 n
0001352515 00000 n
-0004942666 00000 n
+0004942714 00000 n
0001342422 00000 n
0001342579 00000 n
0001342627 00000 n
@@ -131112,7 +131109,7 @@
0001370879 00000 n
0001371004 00000 n
0001371131 00000 n
-0004942792 00000 n
+0004942840 00000 n
0001372953 00000 n
0001372774 00000 n
0001371339 00000 n
@@ -131154,7 +131151,7 @@
0001384535 00000 n
0001384599 00000 n
0001384663 00000 n
-0004942918 00000 n
+0004942966 00000 n
0001390605 00000 n
0001386663 00000 n
0001386228 00000 n
@@ -131195,7 +131192,7 @@
0001395805 00000 n
0001395869 00000 n
0001395933 00000 n
-0004943044 00000 n
+0004943092 00000 n
0001398353 00000 n
0001397792 00000 n
0001396113 00000 n
@@ -131243,7 +131240,7 @@
0001411860 00000 n
0001413949 00000 n
0001414076 00000 n
-0004943170 00000 n
+0004943218 00000 n
0001415502 00000 n
0001415323 00000 n
0001414284 00000 n
@@ -131320,7 +131317,7 @@
0001431791 00000 n
0001431855 00000 n
0001429725 00000 n
-0004943296 00000 n
+0004943344 00000 n
0001434337 00000 n
0001434497 00000 n
0001434657 00000 n
@@ -131360,7 +131357,7 @@
0001446653 00000 n
0001444787 00000 n
0001446769 00000 n
-0004943422 00000 n
+0004943470 00000 n
0001448907 00000 n
0001448602 00000 n
0001447205 00000 n
@@ -131422,7 +131419,7 @@
0001487844 00000 n
0001490391 00000 n
0001490518 00000 n
-0004943548 00000 n
+0004943596 00000 n
0001493323 00000 n
0001493144 00000 n
0001490712 00000 n
@@ -131469,7 +131466,7 @@
0001507393 00000 n
0001507520 00000 n
0001507648 00000 n
-0004943674 00000 n
+0004943722 00000 n
0001510402 00000 n
0001509842 00000 n
0001507883 00000 n
@@ -131511,7 +131508,7 @@
0001520719 00000 n
0001522246 00000 n
0001522374 00000 n
-0004943800 00000 n
+0004943848 00000 n
0001523727 00000 n
0001523548 00000 n
0001522568 00000 n
@@ -131541,7 +131538,7 @@
0001533890 00000 n
0001532498 00000 n
0001534006 00000 n
-0004943926 00000 n
+0004943974 00000 n
0001535231 00000 n
0001535052 00000 n
0001534186 00000 n
@@ -131591,7 +131588,7 @@
0001547790 00000 n
0001547918 00000 n
0001548046 00000 n
-0004944052 00000 n
+0004944100 00000 n
0001549900 00000 n
0001550388 00000 n
0001549754 00000 n
@@ -131621,7 +131618,7 @@
0001558269 00000 n
0001556844 00000 n
0001558385 00000 n
-0004944178 00000 n
+0004944226 00000 n
0001560409 00000 n
0001560800 00000 n
0001560272 00000 n
@@ -131651,7 +131648,7 @@
0001567985 00000 n
0001569862 00000 n
0001569990 00000 n
-0004944304 00000 n
+0004944352 00000 n
0001571886 00000 n
0001572519 00000 n
0001571740 00000 n
@@ -131688,7 +131685,7 @@
0001585278 00000 n
0001585406 00000 n
0001585534 00000 n
-0004944430 00000 n
+0004944478 00000 n
0001588264 00000 n
0001588085 00000 n
0001585742 00000 n
@@ -131721,7 +131718,7 @@
0001596899 00000 n
0001595809 00000 n
0001597015 00000 n
-0004944556 00000 n
+0004944604 00000 n
0001599340 00000 n
0001599033 00000 n
0001597195 00000 n
@@ -131753,7 +131750,7 @@
0001613040 00000 n
0001613168 00000 n
0001613296 00000 n
-0004944682 00000 n
+0004944730 00000 n
0001616176 00000 n
0001617481 00000 n
0001616039 00000 n
@@ -131842,7 +131839,7 @@
0001633233 00000 n
0001633297 00000 n
0001633425 00000 n
-0004944808 00000 n
+0004944856 00000 n
0001636883 00000 n
0001637039 00000 n
0001638464 00000 n
@@ -131918,7 +131915,7 @@
0001650423 00000 n
0001650551 00000 n
0001650064 00000 n
-0004944934 00000 n
+0004944982 00000 n
0001652629 00000 n
0001652323 00000 n
0001650801 00000 n
@@ -131935,7 +131932,7 @@
0001655656 00000 n
0001658112 00000 n
0001658367 00000 n
-0004934131 00000 n
+0004934179 00000 n
0001660717 00000 n
0001660537 00000 n
0001658589 00000 n
@@ -131950,7 +131947,7 @@
0001663507 00000 n
0001664976 00000 n
0001665104 00000 n
-0004945060 00000 n
+0004945108 00000 n
0001667031 00000 n
0001667371 00000 n
0001666894 00000 n
@@ -131981,7 +131978,7 @@
0001673841 00000 n
0001676150 00000 n
0001676278 00000 n
-0004945186 00000 n
+0004945234 00000 n
0001679066 00000 n
0001678631 00000 n
0001676514 00000 n
@@ -132026,7 +132023,7 @@
0001720037 00000 n
0001722572 00000 n
0001722700 00000 n
-0004945312 00000 n
+0004945360 00000 n
0001724845 00000 n
0001724474 00000 n
0001722908 00000 n
@@ -132074,7 +132071,7 @@
0001739621 00000 n
0001739684 00000 n
0001739748 00000 n
-0004945438 00000 n
+0004945486 00000 n
0001742733 00000 n
0001742171 00000 n
0001740027 00000 n
@@ -132088,7 +132085,7 @@
0001745172 00000 n
0001745300 00000 n
0001745428 00000 n
-0004932787 00000 n
+0004932835 00000 n
0001748539 00000 n
0001748104 00000 n
0001745664 00000 n
@@ -132109,7 +132106,7 @@
0001752494 00000 n
0001754685 00000 n
0001754813 00000 n
-0004945564 00000 n
+0004945612 00000 n
0001756327 00000 n
0001756148 00000 n
0001755035 00000 n
@@ -132152,7 +132149,7 @@
0001768098 00000 n
0001768162 00000 n
0001768226 00000 n
-0004945690 00000 n
+0004945738 00000 n
0001771217 00000 n
0001770527 00000 n
0001768477 00000 n
@@ -132188,7 +132185,7 @@
0001779470 00000 n
0001781978 00000 n
0001782105 00000 n
-0004945816 00000 n
+0004945864 00000 n
0001784816 00000 n
0001784509 00000 n
0001782356 00000 n
@@ -132223,7 +132220,7 @@
0001797814 00000 n
0001797942 00000 n
0001798070 00000 n
-0004945942 00000 n
+0004945990 00000 n
0001800879 00000 n
0001800572 00000 n
0001798292 00000 n
@@ -132277,7 +132274,7 @@
0001815775 00000 n
0001814624 00000 n
0001815891 00000 n
-0004946068 00000 n
+0004946116 00000 n
0001817967 00000 n
0001817660 00000 n
0001816128 00000 n
@@ -132318,7 +132315,7 @@
0001828392 00000 n
0001828291 00000 n
0001828508 00000 n
-0004946194 00000 n
+0004946242 00000 n
0001830815 00000 n
0001830252 00000 n
0001828614 00000 n
@@ -132330,7 +132327,7 @@
0001833553 00000 n
0001830931 00000 n
0001834014 00000 n
-0004935016 00000 n
+0004935064 00000 n
0001833857 00000 n
0001834142 00000 n
0001834269 00000 n
@@ -132373,7 +132370,7 @@
0001846566 00000 n
0001846694 00000 n
0001846821 00000 n
-0004946320 00000 n
+0004946368 00000 n
0001848959 00000 n
0001848524 00000 n
0001847029 00000 n
@@ -132413,7 +132410,7 @@
0001880108 00000 n
0001880236 00000 n
0001880364 00000 n
-0004946446 00000 n
+0004946494 00000 n
0001861922 00000 n
0001862079 00000 n
0001862127 00000 n
@@ -132451,7 +132448,7 @@
0001893890 00000 n
0001893186 00000 n
0001894006 00000 n
-0004946572 00000 n
+0004946620 00000 n
0001896282 00000 n
0001896132 00000 n
0001897072 00000 n
@@ -132498,7 +132495,7 @@
0001908370 00000 n
0001908213 00000 n
0001908498 00000 n
-0004946698 00000 n
+0004946746 00000 n
0001911515 00000 n
0001910634 00000 n
0001908764 00000 n
@@ -132547,7 +132544,7 @@
0001923411 00000 n
0001922104 00000 n
0001923527 00000 n
-0004946824 00000 n
+0004946872 00000 n
0001926446 00000 n
0001926596 00000 n
0001926748 00000 n
@@ -132620,7 +132617,7 @@
0001943744 00000 n
0001945941 00000 n
0001946069 00000 n
-0004946950 00000 n
+0004946998 00000 n
0001948429 00000 n
0001948580 00000 n
0001948921 00000 n
@@ -132647,7 +132644,7 @@
0001958997 00000 n
0001955880 00000 n
0001959113 00000 n
-0004935164 00000 n
+0004935212 00000 n
0001959177 00000 n
0001959241 00000 n
0001959305 00000 n
@@ -132664,7 +132661,7 @@
0001965403 00000 n
0001965531 00000 n
0001965659 00000 n
-0004947076 00000 n
+0004947124 00000 n
0001968486 00000 n
0001968958 00000 n
0001968349 00000 n
@@ -132717,7 +132714,7 @@
0001984988 00000 n
0001985052 00000 n
0001985115 00000 n
-0004947202 00000 n
+0004947250 00000 n
0001988469 00000 n
0001988162 00000 n
0001985351 00000 n
@@ -132746,7 +132743,7 @@
0001998895 00000 n
0001997817 00000 n
0001999011 00000 n
-0004947328 00000 n
+0004947376 00000 n
0002001417 00000 n
0002001111 00000 n
0001999177 00000 n
@@ -132778,7 +132775,7 @@
0002012842 00000 n
0002012970 00000 n
0002013098 00000 n
-0004947454 00000 n
+0004947502 00000 n
0002016368 00000 n
0002015742 00000 n
0002013377 00000 n
@@ -132840,7 +132837,7 @@
0002031907 00000 n
0002031971 00000 n
0002032035 00000 n
-0004947580 00000 n
+0004947628 00000 n
0002035713 00000 n
0002034230 00000 n
0002032243 00000 n
@@ -132872,7 +132869,7 @@
0002044117 00000 n
0002046316 00000 n
0002046444 00000 n
-0004947706 00000 n
+0004947754 00000 n
0002047563 00000 n
0002047384 00000 n
0002046652 00000 n
@@ -132915,7 +132912,7 @@
0002060247 00000 n
0002060311 00000 n
0002060439 00000 n
-0004947832 00000 n
+0004947880 00000 n
0002062697 00000 n
0002062518 00000 n
0002060717 00000 n
@@ -132951,7 +132948,7 @@
0002073820 00000 n
0002073719 00000 n
0002073936 00000 n
-0004947958 00000 n
+0004948006 00000 n
0002076106 00000 n
0002075945 00000 n
0002079768 00000 n
@@ -133032,7 +133029,7 @@
0002096350 00000 n
0002096477 00000 n
0002096541 00000 n
-0004948084 00000 n
+0004948132 00000 n
0002099488 00000 n
0002098861 00000 n
0002096735 00000 n
@@ -133073,7 +133070,7 @@
0002112559 00000 n
0002110556 00000 n
0002133651 00000 n
-0004948210 00000 n
+0004948258 00000 n
0002133462 00000 n
0002136303 00000 n
0002137957 00000 n
@@ -133116,7 +133113,7 @@
0002177546 00000 n
0002180239 00000 n
0002180367 00000 n
-0004948336 00000 n
+0004948384 00000 n
0002183243 00000 n
0002182737 00000 n
0002180631 00000 n
@@ -133162,7 +133159,7 @@
0002243711 00000 n
0002279091 00000 n
0002279219 00000 n
-0004948462 00000 n
+0004948510 00000 n
0002278591 00000 n
0002311160 00000 n
0002312999 00000 n
@@ -133203,7 +133200,7 @@
0002398849 00000 n
0002398977 00000 n
0002399105 00000 n
-0004948588 00000 n
+0004948636 00000 n
0002401880 00000 n
0002401445 00000 n
0002399371 00000 n
@@ -133244,7 +133241,7 @@
0002479546 00000 n
0002479674 00000 n
0002479802 00000 n
-0004948714 00000 n
+0004948762 00000 n
0002462019 00000 n
0002462176 00000 n
0002462224 00000 n
@@ -133315,7 +133312,7 @@
0002572780 00000 n
0002605081 00000 n
0002605337 00000 n
-0004948840 00000 n
+0004948888 00000 n
0002604892 00000 n
0002608078 00000 n
0002608752 00000 n
@@ -133381,7 +133378,7 @@
0002624622 00000 n
0002623566 00000 n
0002624738 00000 n
-0004948966 00000 n
+0004949014 00000 n
0002626956 00000 n
0002626649 00000 n
0002624932 00000 n
@@ -133414,7 +133411,7 @@
0002636488 00000 n
0002639040 00000 n
0002639168 00000 n
-0004949092 00000 n
+0004949140 00000 n
0002642071 00000 n
0002641636 00000 n
0002639418 00000 n
@@ -133456,7 +133453,7 @@
0002708478 00000 n
0002708606 00000 n
0002708734 00000 n
-0004949218 00000 n
+0004949266 00000 n
0002708139 00000 n
0002711840 00000 n
0002711405 00000 n
@@ -133494,7 +133491,7 @@
0002724620 00000 n
0002724748 00000 n
0002724812 00000 n
-0004949344 00000 n
+0004949392 00000 n
0002726914 00000 n
0002726607 00000 n
0002725062 00000 n
@@ -133532,7 +133529,7 @@
0002736849 00000 n
0002736913 00000 n
0002736977 00000 n
-0004949470 00000 n
+0004949518 00000 n
0002739314 00000 n
0002738943 00000 n
0002737198 00000 n
@@ -133577,7 +133574,7 @@
0002753983 00000 n
0002754111 00000 n
0002754239 00000 n
-0004949596 00000 n
+0004949644 00000 n
0002757145 00000 n
0002757362 00000 n
0002757578 00000 n
@@ -133652,7 +133649,7 @@
0002778476 00000 n
0002778935 00000 n
0002780544 00000 n
-0004949722 00000 n
+0004949770 00000 n
0002783761 00000 n
0002784285 00000 n
0002783615 00000 n
@@ -133689,7 +133686,7 @@
0002797057 00000 n
0002797185 00000 n
0002797313 00000 n
-0004949848 00000 n
+0004949896 00000 n
0002799599 00000 n
0002799420 00000 n
0002797549 00000 n
@@ -133727,7 +133724,7 @@
0002838955 00000 n
0002839083 00000 n
0002839211 00000 n
-0004949974 00000 n
+0004950022 00000 n
0002812817 00000 n
0002812974 00000 n
0002813022 00000 n
@@ -133801,7 +133798,7 @@
0002858993 00000 n
0002859124 00000 n
0002858448 00000 n
-0004950105 00000 n
+0004950153 00000 n
0003003536 00000 n
0002887215 00000 n
0002859808 00000 n
@@ -133861,7 +133858,7 @@
0003014330 00000 n
0003012991 00000 n
0003014450 00000 n
-0004950238 00000 n
+0004950286 00000 n
0003016924 00000 n
0003017685 00000 n
0003016772 00000 n
@@ -133909,7 +133906,7 @@
0003030856 00000 n
0003033086 00000 n
0003033152 00000 n
-0004950371 00000 n
+0004950419 00000 n
0003036065 00000 n
0003035748 00000 n
0003033349 00000 n
@@ -133954,7 +133951,7 @@
0003047320 00000 n
0003046346 00000 n
0003047440 00000 n
-0004950504 00000 n
+0004950552 00000 n
0003049611 00000 n
0003049165 00000 n
0003047623 00000 n
@@ -133992,7 +133989,7 @@
0003069820 00000 n
0003069951 00000 n
0003070081 00000 n
-0004950637 00000 n
+0004950685 00000 n
0003075474 00000 n
0003073019 00000 n
0003072703 00000 n
@@ -134036,7 +134033,7 @@
0003087644 00000 n
0003086801 00000 n
0003087276 00000 n
-0004950770 00000 n
+0004950818 00000 n
0003092954 00000 n
0003091282 00000 n
0003087897 00000 n
@@ -134085,7 +134082,7 @@
0003101405 00000 n
0003101471 00000 n
0003101536 00000 n
-0004950903 00000 n
+0004950951 00000 n
0003647189 00000 n
0003102718 00000 n
0003102533 00000 n
@@ -134119,7 +134116,7 @@
0003110245 00000 n
0003111566 00000 n
0003111697 00000 n
-0004951036 00000 n
+0004951084 00000 n
0003114507 00000 n
0003113929 00000 n
0003111908 00000 n
@@ -134156,7 +134153,7 @@
0003124301 00000 n
0003126494 00000 n
0003126625 00000 n
-0004951169 00000 n
+0004951217 00000 n
0003128818 00000 n
0003128989 00000 n
0003129170 00000 n
@@ -134195,7 +134192,7 @@
0003137288 00000 n
0003137186 00000 n
0003137408 00000 n
-0004951302 00000 n
+0004951350 00000 n
0003139596 00000 n
0003139150 00000 n
0003137517 00000 n
@@ -134234,7 +134231,7 @@
0003154597 00000 n
0003154663 00000 n
0003154794 00000 n
-0004951435 00000 n
+0004951483 00000 n
0003157614 00000 n
0003158007 00000 n
0003157472 00000 n
@@ -134285,7 +134282,7 @@
0003171322 00000 n
0003171388 00000 n
0003171454 00000 n
-0004951568 00000 n
+0004951616 00000 n
0003174817 00000 n
0003174040 00000 n
0003171692 00000 n
@@ -134332,7 +134329,7 @@
0003188627 00000 n
0003188693 00000 n
0003188759 00000 n
-0004951701 00000 n
+0004951749 00000 n
0003191668 00000 n
0003190823 00000 n
0003188970 00000 n
@@ -134404,7 +134401,7 @@
0003203877 00000 n
0003206231 00000 n
0003206362 00000 n
-0004951834 00000 n
+0004951882 00000 n
0003209436 00000 n
0003208858 00000 n
0003206616 00000 n
@@ -134443,7 +134440,7 @@
0003222453 00000 n
0003220363 00000 n
0003222753 00000 n
-0004951967 00000 n
+0004952015 00000 n
0003225473 00000 n
0003225539 00000 n
0003225223 00000 n
@@ -134485,7 +134482,7 @@
0003236653 00000 n
0003236551 00000 n
0003236773 00000 n
-0004952100 00000 n
+0004952148 00000 n
0003238496 00000 n
0003239125 00000 n
0003238344 00000 n
@@ -134517,7 +134514,7 @@
0003252498 00000 n
0003250142 00000 n
0003252618 00000 n
-0004952233 00000 n
+0004952281 00000 n
0003255003 00000 n
0003254818 00000 n
0003252815 00000 n
@@ -134546,7 +134543,7 @@
0003264086 00000 n
0003266159 00000 n
0003266290 00000 n
-0004952366 00000 n
+0004952414 00000 n
0003268937 00000 n
0003268622 00000 n
0003266558 00000 n
@@ -134582,7 +134579,7 @@
0003279004 00000 n
0003280388 00000 n
0003280519 00000 n
-0004952499 00000 n
+0004952547 00000 n
0003281393 00000 n
0003281208 00000 n
0003280730 00000 n
@@ -134613,7 +134610,7 @@
0003290684 00000 n
0003290815 00000 n
0003290946 00000 n
-0004952632 00000 n
+0004952680 00000 n
0003293032 00000 n
0003292716 00000 n
0003291157 00000 n
@@ -134650,7 +134647,7 @@
0003305646 00000 n
0003305777 00000 n
0003305908 00000 n
-0004952765 00000 n
+0004952813 00000 n
0003308420 00000 n
0003309395 00000 n
0003308268 00000 n
@@ -134692,7 +134689,7 @@
0003316248 00000 n
0003318747 00000 n
0003318877 00000 n
-0004952898 00000 n
+0004952946 00000 n
0003321432 00000 n
0003321934 00000 n
0003321290 00000 n
@@ -134739,7 +134736,7 @@
0003336963 00000 n
0003337028 00000 n
0003337159 00000 n
-0004953031 00000 n
+0004953079 00000 n
0003339508 00000 n
0003339835 00000 n
0003339258 00000 n
@@ -134777,7 +134774,7 @@
0003348768 00000 n
0003348666 00000 n
0003348888 00000 n
-0004953164 00000 n
+0004953212 00000 n
0003351162 00000 n
0003350716 00000 n
0003348997 00000 n
@@ -134818,7 +134815,7 @@
0003364019 00000 n
0003364150 00000 n
0003363464 00000 n
-0004953297 00000 n
+0004953345 00000 n
0003365927 00000 n
0003365480 00000 n
0003364403 00000 n
@@ -134855,7 +134852,7 @@
0003376198 00000 n
0003376329 00000 n
0003376460 00000 n
-0004953430 00000 n
+0004953478 00000 n
0003383702 00000 n
0003379795 00000 n
0003379479 00000 n
@@ -134992,7 +134989,7 @@
0003401658 00000 n
0003401556 00000 n
0003401778 00000 n
-0004953563 00000 n
+0004953611 00000 n
0003402292 00000 n
0003402107 00000 n
0003401887 00000 n
@@ -135040,7 +135037,7 @@
0003412667 00000 n
0003412798 00000 n
0003412929 00000 n
-0004953696 00000 n
+0004953744 00000 n
0003414380 00000 n
0003414064 00000 n
0003413210 00000 n
@@ -135067,7 +135064,7 @@
0003418729 00000 n
0003419755 00000 n
0003419886 00000 n
-0004953829 00000 n
+0004953877 00000 n
0003422297 00000 n
0003422447 00000 n
0003422597 00000 n
@@ -135119,7 +135116,7 @@
0003434778 00000 n
0003434676 00000 n
0003434898 00000 n
-0004953962 00000 n
+0004954010 00000 n
0003436929 00000 n
0003436353 00000 n
0003435007 00000 n
@@ -135160,7 +135157,7 @@
0003449232 00000 n
0003449298 00000 n
0003449429 00000 n
-0004954095 00000 n
+0004954143 00000 n
0003451787 00000 n
0003451501 00000 n
0003452114 00000 n
@@ -135195,7 +135192,7 @@
0003462647 00000 n
0003462778 00000 n
0003462909 00000 n
-0004954228 00000 n
+0004954276 00000 n
0003465230 00000 n
0003464783 00000 n
0003463163 00000 n
@@ -135233,7 +135230,7 @@
0003475788 00000 n
0003475918 00000 n
0003476049 00000 n
-0004954361 00000 n
+0004954409 00000 n
0003478751 00000 n
0003478240 00000 n
0003476274 00000 n
@@ -135263,7 +135260,7 @@
0003485852 00000 n
0003485732 00000 n
0003485630 00000 n
-0004954494 00000 n
+0004954542 00000 n
0003487544 00000 n
0003488220 00000 n
0003487402 00000 n
@@ -135322,7 +135319,7 @@
0003504420 00000 n
0003504486 00000 n
0003504551 00000 n
-0004954627 00000 n
+0004954675 00000 n
0003507764 00000 n
0003507184 00000 n
0003504761 00000 n
@@ -135370,7 +135367,7 @@
0003518658 00000 n
0003518789 00000 n
0003518920 00000 n
-0004954760 00000 n
+0004954808 00000 n
0003539257 00000 n
0003539454 00000 n
0003520376 00000 n
@@ -135409,7 +135406,7 @@
0003587773 00000 n
0003587671 00000 n
0003587893 00000 n
-0004954893 00000 n
+0004954941 00000 n
0003590230 00000 n
0003589886 00000 n
0003590863 00000 n
@@ -135454,7 +135451,7 @@
0003602616 00000 n
0003602514 00000 n
0003602736 00000 n
-0004955026 00000 n
+0004955074 00000 n
0003605042 00000 n
0003604466 00000 n
0003602845 00000 n
@@ -135480,7 +135477,7 @@
0003611522 00000 n
0003611402 00000 n
0003611300 00000 n
-0004955159 00000 n
+0004955207 00000 n
0003613017 00000 n
0003613183 00000 n
0003614023 00000 n
@@ -135527,7 +135524,7 @@
0003625380 00000 n
0003625511 00000 n
0003625642 00000 n
-0004955292 00000 n
+0004955340 00000 n
0003628203 00000 n
0003627757 00000 n
0003625867 00000 n
@@ -135557,7 +135554,7 @@
0003635897 00000 n
0003635795 00000 n
0003636017 00000 n
-0004955425 00000 n
+0004955473 00000 n
0003638182 00000 n
0003637736 00000 n
0003636126 00000 n
@@ -135592,7 +135589,7 @@
0003647530 00000 n
0003647428 00000 n
0003647650 00000 n
-0004955558 00000 n
+0004955606 00000 n
0003649618 00000 n
0003649791 00000 n
0003649982 00000 n
@@ -135650,7 +135647,7 @@
0003666936 00000 n
0003667002 00000 n
0003667068 00000 n
-0004955691 00000 n
+0004955739 00000 n
0003668488 00000 n
0003668890 00000 n
0003668346 00000 n
@@ -135689,7 +135686,7 @@
0003679900 00000 n
0003679480 00000 n
0003680030 00000 n
-0004955824 00000 n
+0004955872 00000 n
0003682775 00000 n
0003682328 00000 n
0003680241 00000 n
@@ -135723,8 +135720,8 @@
0003690852 00000 n
0003689527 00000 n
0003690972 00000 n
-0004933236 00000 n
-0004936652 00000 n
+0004933284 00000 n
+0004936700 00000 n
0003693051 00000 n
0003692602 00000 n
0003691311 00000 n
@@ -135732,7 +135729,7 @@
0003692788 00000 n
0003692854 00000 n
0003692985 00000 n
-0004955957 00000 n
+0004956005 00000 n
0003694817 00000 n
0003694500 00000 n
0003693196 00000 n
@@ -135766,7 +135763,7 @@
0003701721 00000 n
0003701619 00000 n
0003701841 00000 n
-0004956090 00000 n
+0004956138 00000 n
0003704034 00000 n
0003703718 00000 n
0003701950 00000 n
@@ -135806,7 +135803,7 @@
0003715890 00000 n
0003715956 00000 n
0003716087 00000 n
-0004956223 00000 n
+0004956271 00000 n
0003718081 00000 n
0003717765 00000 n
0003716325 00000 n
@@ -135832,7 +135829,7 @@
0003723497 00000 n
0003723116 00000 n
0003723617 00000 n
-0004956356 00000 n
+0004956404 00000 n
0003725491 00000 n
0003725917 00000 n
0003725349 00000 n
@@ -135871,7 +135868,7 @@
0003738669 00000 n
0003738734 00000 n
0003738800 00000 n
-0004956489 00000 n
+0004956537 00000 n
0003741824 00000 n
0003741244 00000 n
0003738983 00000 n
@@ -135913,7 +135910,7 @@
0003752407 00000 n
0003754772 00000 n
0003754838 00000 n
-0004956622 00000 n
+0004956670 00000 n
0003757614 00000 n
0003757363 00000 n
0003755021 00000 n
@@ -135948,7 +135945,7 @@
0003766663 00000 n
0003766561 00000 n
0003766783 00000 n
-0004956755 00000 n
+0004956803 00000 n
0003768825 00000 n
0003769143 00000 n
0003771707 00000 n
@@ -135981,7 +135978,7 @@
0003778150 00000 n
0003778048 00000 n
0003778270 00000 n
-0004956888 00000 n
+0004956936 00000 n
0003781227 00000 n
0003781379 00000 n
0003781531 00000 n
@@ -136698,7 +136695,7 @@
0003884668 00000 n
0003883021 00000 n
0003902021 00000 n
-0004957021 00000 n
+0004957069 00000 n
0003904991 00000 n
0003905143 00000 n
0003905296 00000 n
@@ -137378,7 +137375,7 @@
0004002792 00000 n
0004001056 00000 n
0004019804 00000 n
-0004957154 00000 n
+0004957202 00000 n
0004022958 00000 n
0004023111 00000 n
0004023264 00000 n
@@ -138041,7 +138038,7 @@
0004116447 00000 n
0004115066 00000 n
0004134923 00000 n
-0004957287 00000 n
+0004957335 00000 n
0004138348 00000 n
0004138501 00000 n
0004138653 00000 n
@@ -138729,7 +138726,7 @@
0004234704 00000 n
0004233213 00000 n
0004253854 00000 n
-0004957420 00000 n
+0004957468 00000 n
0004257003 00000 n
0004257154 00000 n
0004257307 00000 n
@@ -139502,7 +139499,7 @@
0004367466 00000 n
0004365883 00000 n
0004387575 00000 n
-0004957553 00000 n
+0004957601 00000 n
0004390895 00000 n
0004391046 00000 n
0004391198 00000 n
@@ -140224,7 +140221,7 @@
0004494715 00000 n
0004493112 00000 n
0004512046 00000 n
-0004957686 00000 n
+0004957734 00000 n
0004515305 00000 n
0004515458 00000 n
0004515611 00000 n
@@ -140949,7 +140946,7 @@
0004619526 00000 n
0004618027 00000 n
0004637051 00000 n
-0004957819 00000 n
+0004957867 00000 n
0004640656 00000 n
0004640809 00000 n
0004640962 00000 n
@@ -141300,998 +141297,998 @@
0004770562 00000 n
0004789619 00000 n
0004790262 00000 n
-0004796724 00000 n
-0004797042 00000 n
-0004800356 00000 n
-0004800626 00000 n
-0004804572 00000 n
-0004804850 00000 n
-0004817502 00000 n
-0004817968 00000 n
-0004819760 00000 n
-0004819990 00000 n
-0004821767 00000 n
-0004821998 00000 n
-0004832783 00000 n
-0004833310 00000 n
-0004837617 00000 n
-0004837912 00000 n
-0004847808 00000 n
-0004848281 00000 n
-0004862515 00000 n
-0004863071 00000 n
-0004870785 00000 n
-0004871184 00000 n
-0004873693 00000 n
-0004874012 00000 n
-0004893254 00000 n
-0004893810 00000 n
-0004895733 00000 n
-0004895960 00000 n
-0004897882 00000 n
-0004898109 00000 n
-0004900111 00000 n
-0004900340 00000 n
-0004916923 00000 n
-0004917572 00000 n
-0004930244 00000 n
-0004930720 00000 n
-0004932555 00000 n
-0004957932 00000 n
-0004958060 00000 n
-0004958188 00000 n
-0004958316 00000 n
-0004958444 00000 n
-0004958572 00000 n
-0004958700 00000 n
-0004958828 00000 n
-0004958956 00000 n
-0004959084 00000 n
-0004959212 00000 n
-0004959340 00000 n
-0004959468 00000 n
-0004959596 00000 n
-0004959724 00000 n
-0004959852 00000 n
-0004959980 00000 n
-0004960108 00000 n
-0004960242 00000 n
-0004960376 00000 n
-0004960510 00000 n
-0004960644 00000 n
-0004960778 00000 n
-0004960912 00000 n
-0004961046 00000 n
-0004961180 00000 n
-0004961314 00000 n
-0004961438 00000 n
-0004961573 00000 n
-0004961708 00000 n
-0004961843 00000 n
-0004961978 00000 n
-0004962083 00000 n
-0004962190 00000 n
-0005054549 00000 n
-0005054705 00000 n
-0005054852 00000 n
-0005055004 00000 n
-0005055151 00000 n
-0005055295 00000 n
-0005055491 00000 n
-0005055683 00000 n
-0005055877 00000 n
-0005056063 00000 n
-0005056248 00000 n
-0005056434 00000 n
-0005056619 00000 n
-0005056805 00000 n
-0005056990 00000 n
-0005057176 00000 n
-0005057361 00000 n
-0005057547 00000 n
-0005057731 00000 n
-0005057915 00000 n
-0005058101 00000 n
-0005058286 00000 n
-0005058472 00000 n
-0005058657 00000 n
-0005058843 00000 n
-0005059028 00000 n
-0005059214 00000 n
-0005059397 00000 n
-0005059583 00000 n
-0005059768 00000 n
-0005059954 00000 n
-0005060138 00000 n
-0005060322 00000 n
-0005060508 00000 n
-0005060693 00000 n
-0005060879 00000 n
-0005061064 00000 n
-0005061252 00000 n
-0005061442 00000 n
-0005061634 00000 n
-0005061824 00000 n
-0005062016 00000 n
-0005062205 00000 n
-0005062394 00000 n
-0005062586 00000 n
-0005062772 00000 n
-0005062964 00000 n
-0005063154 00000 n
-0005063346 00000 n
-0005063536 00000 n
-0005063728 00000 n
-0005063918 00000 n
-0005064110 00000 n
-0005064300 00000 n
-0005064492 00000 n
-0005064681 00000 n
-0005064870 00000 n
-0005065062 00000 n
-0005065252 00000 n
-0005065444 00000 n
-0005065634 00000 n
-0005065826 00000 n
-0005066016 00000 n
-0005066208 00000 n
-0005066395 00000 n
-0005066587 00000 n
-0005066765 00000 n
-0005066942 00000 n
-0005067120 00000 n
-0005067297 00000 n
-0005067475 00000 n
-0005067652 00000 n
-0005067830 00000 n
-0005068006 00000 n
-0005068182 00000 n
-0005068360 00000 n
-0005068549 00000 n
-0005068768 00000 n
-0005068967 00000 n
-0005069210 00000 n
-0005069388 00000 n
-0005069558 00000 n
-0005069737 00000 n
-0005069951 00000 n
-0005070167 00000 n
-0005070384 00000 n
-0005070600 00000 n
-0005070794 00000 n
-0005070994 00000 n
-0005071186 00000 n
-0005071385 00000 n
-0005071585 00000 n
-0005071787 00000 n
-0005071987 00000 n
-0005072189 00000 n
-0005072389 00000 n
-0005072588 00000 n
-0005072786 00000 n
-0005072998 00000 n
-0005073200 00000 n
-0005073394 00000 n
-0005073614 00000 n
-0005073845 00000 n
-0005074079 00000 n
-0005074313 00000 n
-0005074546 00000 n
-0005074772 00000 n
-0005075003 00000 n
-0005075239 00000 n
-0005075473 00000 n
-0005075705 00000 n
-0005075932 00000 n
-0005076122 00000 n
-0005076368 00000 n
-0005076570 00000 n
-0005076783 00000 n
-0005077001 00000 n
-0005077214 00000 n
-0005077424 00000 n
-0005077632 00000 n
-0005077842 00000 n
-0005078051 00000 n
-0005078253 00000 n
-0005078459 00000 n
-0005078651 00000 n
-0005078848 00000 n
-0005079045 00000 n
-0005079240 00000 n
-0005079436 00000 n
-0005079631 00000 n
-0005079827 00000 n
-0005080022 00000 n
-0005080218 00000 n
-0005080414 00000 n
-0005080609 00000 n
-0005080803 00000 n
-0005080999 00000 n
-0005081193 00000 n
-0005081387 00000 n
-0005081581 00000 n
-0005081775 00000 n
-0005081970 00000 n
-0005082164 00000 n
-0005082358 00000 n
-0005082552 00000 n
-0005082746 00000 n
-0005082940 00000 n
-0005083134 00000 n
-0005083328 00000 n
-0005083524 00000 n
-0005083719 00000 n
-0005083914 00000 n
-0005084108 00000 n
-0005084304 00000 n
-0005084498 00000 n
-0005084692 00000 n
-0005084886 00000 n
-0005085080 00000 n
-0005085274 00000 n
-0005085470 00000 n
-0005085664 00000 n
-0005085858 00000 n
-0005086052 00000 n
-0005086246 00000 n
-0005086440 00000 n
-0005086634 00000 n
-0005086828 00000 n
-0005087022 00000 n
-0005087216 00000 n
-0005087410 00000 n
-0005087604 00000 n
-0005087798 00000 n
-0005087992 00000 n
-0005088186 00000 n
-0005088380 00000 n
-0005088574 00000 n
-0005088768 00000 n
-0005088962 00000 n
-0005089156 00000 n
-0005089350 00000 n
-0005089544 00000 n
-0005089738 00000 n
-0005089932 00000 n
-0005090126 00000 n
-0005090320 00000 n
-0005090514 00000 n
-0005090708 00000 n
-0005090902 00000 n
-0005091096 00000 n
-0005091295 00000 n
-0005091492 00000 n
-0005091689 00000 n
-0005091889 00000 n
-0005092086 00000 n
-0005092280 00000 n
-0005092477 00000 n
-0005092671 00000 n
-0005092866 00000 n
-0005093066 00000 n
-0005093264 00000 n
-0005093458 00000 n
-0005093652 00000 n
-0005093846 00000 n
-0005094040 00000 n
-0005094234 00000 n
-0005094428 00000 n
-0005094625 00000 n
-0005094825 00000 n
-0005095025 00000 n
-0005095225 00000 n
-0005095425 00000 n
-0005095625 00000 n
-0005095825 00000 n
-0005096025 00000 n
-0005096225 00000 n
-0005096425 00000 n
-0005096625 00000 n
-0005096825 00000 n
-0005097019 00000 n
-0005097213 00000 n
-0005097407 00000 n
-0005097601 00000 n
-0005097795 00000 n
-0005097989 00000 n
-0005098183 00000 n
-0005098377 00000 n
-0005098571 00000 n
-0005098765 00000 n
-0005098959 00000 n
-0005099153 00000 n
-0005099347 00000 n
-0005099541 00000 n
-0005099735 00000 n
-0005099935 00000 n
-0005100135 00000 n
-0005100335 00000 n
-0005100535 00000 n
-0005100735 00000 n
-0005100935 00000 n
-0005101135 00000 n
-0005101335 00000 n
-0005101535 00000 n
-0005101735 00000 n
-0005101935 00000 n
-0005102135 00000 n
-0005102335 00000 n
-0005102535 00000 n
-0005102735 00000 n
-0005102935 00000 n
-0005103135 00000 n
-0005103335 00000 n
-0005103535 00000 n
-0005103735 00000 n
-0005103935 00000 n
-0005104135 00000 n
-0005104335 00000 n
-0005104535 00000 n
-0005104735 00000 n
-0005104935 00000 n
-0005105135 00000 n
-0005105335 00000 n
-0005105535 00000 n
-0005105735 00000 n
-0005105963 00000 n
-0005106183 00000 n
-0005106404 00000 n
-0005106616 00000 n
-0005106874 00000 n
-0005107132 00000 n
-0005107390 00000 n
-0005107648 00000 n
-0005107906 00000 n
-0005108164 00000 n
-0005108419 00000 n
-0005108663 00000 n
-0005108915 00000 n
-0005109173 00000 n
-0005109435 00000 n
-0005109699 00000 n
-0005109954 00000 n
-0005110215 00000 n
-0005110487 00000 n
-0005110748 00000 n
-0005111009 00000 n
-0005111259 00000 n
-0005111503 00000 n
-0005111737 00000 n
-0005111985 00000 n
-0005112233 00000 n
-0005112483 00000 n
-0005112732 00000 n
-0005112979 00000 n
-0005113226 00000 n
-0005113482 00000 n
-0005113738 00000 n
-0005113998 00000 n
-0005114262 00000 n
-0005114525 00000 n
-0005114787 00000 n
-0005115043 00000 n
-0005115301 00000 n
-0005115557 00000 n
-0005115821 00000 n
-0005116084 00000 n
-0005116345 00000 n
-0005116601 00000 n
-0005116865 00000 n
-0005117128 00000 n
-0005117389 00000 n
-0005117645 00000 n
-0005117901 00000 n
-0005118157 00000 n
-0005118410 00000 n
-0005118660 00000 n
-0005118909 00000 n
-0005119159 00000 n
-0005119408 00000 n
-0005119653 00000 n
-0005119904 00000 n
-0005120160 00000 n
-0005120416 00000 n
-0005120669 00000 n
-0005120919 00000 n
-0005121168 00000 n
-0005121418 00000 n
-0005121660 00000 n
-0005121902 00000 n
-0005122144 00000 n
-0005122380 00000 n
-0005122628 00000 n
-0005122876 00000 n
-0005123123 00000 n
-0005123365 00000 n
-0005123607 00000 n
-0005123849 00000 n
-0005124092 00000 n
-0005124334 00000 n
-0005124581 00000 n
-0005124823 00000 n
-0005125063 00000 n
-0005125299 00000 n
-0005125537 00000 n
-0005125779 00000 n
-0005126024 00000 n
-0005126268 00000 n
-0005126518 00000 n
-0005126760 00000 n
-0005127002 00000 n
-0005127244 00000 n
-0005127486 00000 n
-0005127723 00000 n
-0005127957 00000 n
-0005128199 00000 n
-0005128441 00000 n
-0005128682 00000 n
-0005128924 00000 n
-0005129158 00000 n
-0005129397 00000 n
-0005129645 00000 n
-0005129887 00000 n
-0005130133 00000 n
-0005130383 00000 n
-0005130632 00000 n
-0005130880 00000 n
-0005131122 00000 n
-0005131364 00000 n
-0005131606 00000 n
-0005131850 00000 n
-0005132095 00000 n
-0005132339 00000 n
-0005132589 00000 n
-0005132833 00000 n
-0005133078 00000 n
-0005133326 00000 n
-0005133568 00000 n
-0005133813 00000 n
-0005134055 00000 n
-0005134296 00000 n
-0005134538 00000 n
-0005134778 00000 n
-0005135017 00000 n
-0005135253 00000 n
-0005135495 00000 n
-0005135737 00000 n
-0005135979 00000 n
-0005136220 00000 n
-0005136457 00000 n
-0005136694 00000 n
-0005136936 00000 n
-0005137178 00000 n
-0005137420 00000 n
-0005137662 00000 n
-0005137903 00000 n
-0005138145 00000 n
-0005138386 00000 n
-0005138623 00000 n
-0005138864 00000 n
-0005139114 00000 n
-0005139363 00000 n
-0005139613 00000 n
-0005139855 00000 n
-0005140100 00000 n
-0005140346 00000 n
-0005140588 00000 n
-0005140834 00000 n
-0005141076 00000 n
-0005141326 00000 n
-0005141575 00000 n
-0005141821 00000 n
-0005142063 00000 n
-0005142311 00000 n
-0005142559 00000 n
-0005142803 00000 n
-0005143049 00000 n
-0005143297 00000 n
-0005143542 00000 n
-0005143784 00000 n
-0005144025 00000 n
-0005144267 00000 n
-0005144501 00000 n
-0005144746 00000 n
-0005144999 00000 n
-0005145247 00000 n
-0005145495 00000 n
-0005145743 00000 n
-0005146004 00000 n
-0005146206 00000 n
-0005146395 00000 n
-0005146617 00000 n
-0005146835 00000 n
-0005147016 00000 n
-0005147202 00000 n
-0005147386 00000 n
-0005147570 00000 n
-0005147756 00000 n
-0005147941 00000 n
-0005148127 00000 n
-0005148312 00000 n
-0005148498 00000 n
-0005148683 00000 n
-0005148869 00000 n
-0005149054 00000 n
-0005149240 00000 n
-0005149424 00000 n
-0005149608 00000 n
-0005149794 00000 n
-0005149979 00000 n
-0005150165 00000 n
-0005150348 00000 n
-0005150534 00000 n
-0005150719 00000 n
-0005150905 00000 n
-0005151090 00000 n
-0005151276 00000 n
-0005151461 00000 n
-0005151647 00000 n
-0005151831 00000 n
-0005152015 00000 n
-0005152201 00000 n
-0005152386 00000 n
-0005152572 00000 n
-0005152757 00000 n
-0005152943 00000 n
-0005153128 00000 n
-0005153314 00000 n
-0005153499 00000 n
-0005153685 00000 n
-0005153866 00000 n
-0005154052 00000 n
-0005154236 00000 n
-0005154420 00000 n
-0005154606 00000 n
-0005154791 00000 n
-0005154977 00000 n
-0005155162 00000 n
-0005155348 00000 n
-0005155533 00000 n
-0005155719 00000 n
-0005155904 00000 n
-0005156090 00000 n
-0005156274 00000 n
-0005156458 00000 n
-0005156644 00000 n
-0005156829 00000 n
-0005157015 00000 n
-0005157198 00000 n
-0005157384 00000 n
-0005157569 00000 n
-0005157755 00000 n
-0005157940 00000 n
-0005158126 00000 n
-0005158311 00000 n
-0005158497 00000 n
-0005158681 00000 n
-0005158865 00000 n
-0005159051 00000 n
-0005159236 00000 n
-0005159422 00000 n
-0005159607 00000 n
-0005159793 00000 n
-0005159978 00000 n
-0005160164 00000 n
-0005160349 00000 n
-0005160535 00000 n
-0005160716 00000 n
-0005160902 00000 n
-0005161086 00000 n
-0005161270 00000 n
-0005161456 00000 n
-0005161641 00000 n
-0005161827 00000 n
-0005162012 00000 n
-0005162203 00000 n
-0005162393 00000 n
-0005162585 00000 n
-0005162775 00000 n
-0005162967 00000 n
-0005163156 00000 n
-0005163345 00000 n
-0005163537 00000 n
-0005163727 00000 n
-0005163919 00000 n
-0005164106 00000 n
-0005164298 00000 n
-0005164488 00000 n
-0005164680 00000 n
-0005164870 00000 n
-0005165062 00000 n
-0005165252 00000 n
-0005165444 00000 n
-0005165633 00000 n
-0005165822 00000 n
-0005166014 00000 n
-0005166204 00000 n
-0005166396 00000 n
-0005166586 00000 n
-0005166778 00000 n
-0005166968 00000 n
-0005167160 00000 n
-0005167350 00000 n
-0005167542 00000 n
-0005167727 00000 n
-0005167919 00000 n
-0005168108 00000 n
-0005168297 00000 n
-0005168489 00000 n
-0005168679 00000 n
-0005168871 00000 n
-0005169061 00000 n
-0005169253 00000 n
-0005169443 00000 n
-0005169635 00000 n
-0005169825 00000 n
-0005170017 00000 n
-0005170206 00000 n
-0005170395 00000 n
-0005170587 00000 n
-0005170777 00000 n
-0005170969 00000 n
-0005171156 00000 n
-0005171348 00000 n
-0005171538 00000 n
-0005171730 00000 n
-0005171920 00000 n
-0005172112 00000 n
-0005172302 00000 n
-0005172494 00000 n
-0005172683 00000 n
-0005172872 00000 n
-0005173064 00000 n
-0005173254 00000 n
-0005173446 00000 n
-0005173636 00000 n
-0005173828 00000 n
-0005174018 00000 n
-0005174210 00000 n
-0005174400 00000 n
-0005174576 00000 n
-0005174752 00000 n
-0005174934 00000 n
-0005175120 00000 n
-0005175306 00000 n
-0005175488 00000 n
-0005175678 00000 n
-0005175869 00000 n
-0005176063 00000 n
-0005176261 00000 n
-0005176459 00000 n
-0005176645 00000 n
-0005176813 00000 n
-0005177026 00000 n
-0005177245 00000 n
-0005177439 00000 n
-0005177705 00000 n
-0005177938 00000 n
-0005178142 00000 n
-0005178350 00000 n
-0005178562 00000 n
-0005178778 00000 n
-0005178994 00000 n
-0005179210 00000 n
-0005179426 00000 n
-0005179636 00000 n
-0005179835 00000 n
-0005180047 00000 n
-0005180259 00000 n
-0005180471 00000 n
-0005180694 00000 n
-0005180911 00000 n
-0005181129 00000 n
-0005181347 00000 n
-0005181565 00000 n
-0005181783 00000 n
-0005182001 00000 n
-0005182212 00000 n
-0005182436 00000 n
-0005182654 00000 n
-0005182877 00000 n
-0005183103 00000 n
-0005183322 00000 n
-0005183540 00000 n
-0005183758 00000 n
-0005183976 00000 n
-0005184194 00000 n
-0005184412 00000 n
-0005184630 00000 n
-0005184839 00000 n
-0005185054 00000 n
-0005185272 00000 n
-0005185490 00000 n
-0005185708 00000 n
-0005185917 00000 n
-0005186128 00000 n
-0005186346 00000 n
-0005186564 00000 n
-0005186782 00000 n
-0005187002 00000 n
-0005187223 00000 n
-0005187441 00000 n
-0005187659 00000 n
-0005187863 00000 n
-0005188067 00000 n
-0005188271 00000 n
-0005188484 00000 n
-0005188674 00000 n
-0005188882 00000 n
-0005189120 00000 n
-0005189367 00000 n
-0005189619 00000 n
-0005189871 00000 n
-0005190123 00000 n
-0005190375 00000 n
-0005190627 00000 n
-0005190879 00000 n
-0005191131 00000 n
-0005191388 00000 n
-0005191646 00000 n
-0005191904 00000 n
-0005192162 00000 n
-0005192420 00000 n
-0005192678 00000 n
-0005192936 00000 n
-0005193194 00000 n
-0005193452 00000 n
-0005193710 00000 n
-0005193968 00000 n
-0005194223 00000 n
-0005194478 00000 n
-0005194736 00000 n
-0005194994 00000 n
-0005195252 00000 n
-0005195510 00000 n
-0005195773 00000 n
-0005196047 00000 n
-0005196313 00000 n
-0005196579 00000 n
-0005196845 00000 n
-0005197111 00000 n
-0005197377 00000 n
-0005197649 00000 n
-0005197921 00000 n
-0005198189 00000 n
-0005198450 00000 n
-0005198708 00000 n
-0005198966 00000 n
-0005199230 00000 n
-0005199494 00000 n
-0005199752 00000 n
-0005200010 00000 n
-0005200268 00000 n
-0005200526 00000 n
-0005200784 00000 n
-0005201042 00000 n
-0005201300 00000 n
-0005201558 00000 n
-0005201816 00000 n
-0005202074 00000 n
-0005202332 00000 n
-0005202590 00000 n
-0005202848 00000 n
-0005203103 00000 n
-0005203347 00000 n
-0005203598 00000 n
-0005203856 00000 n
-0005204114 00000 n
-0005204372 00000 n
-0005204630 00000 n
-0005204888 00000 n
-0005205146 00000 n
-0005205399 00000 n
-0005205643 00000 n
-0005205894 00000 n
-0005206152 00000 n
-0005206410 00000 n
-0005206668 00000 n
-0005206917 00000 n
-0005207161 00000 n
-0005207405 00000 n
-0005207649 00000 n
-0005207893 00000 n
-0005208137 00000 n
-0005208415 00000 n
-0005208709 00000 n
-0005209001 00000 n
-0005209297 00000 n
-0005209595 00000 n
-0005209893 00000 n
-0005210191 00000 n
-0005210489 00000 n
-0005210782 00000 n
-0005211069 00000 n
-0005211367 00000 n
-0005211665 00000 n
-0005211968 00000 n
-0005212271 00000 n
-0005212569 00000 n
-0005212867 00000 n
-0005213165 00000 n
-0005213463 00000 n
-0005213761 00000 n
-0005214048 00000 n
-0005214346 00000 n
-0005214644 00000 n
-0005214942 00000 n
-0005215237 00000 n
-0005215530 00000 n
-0005215821 00000 n
-0005216105 00000 n
-0005216326 00000 n
-0005216528 00000 n
-0005216730 00000 n
-0005216932 00000 n
-0005217134 00000 n
-0005217333 00000 n
-0005217530 00000 n
-0005217738 00000 n
-0005217944 00000 n
-0005218145 00000 n
-0005218330 00000 n
-0005218452 00000 n
-0005218570 00000 n
-0005218700 00000 n
-0005218825 00000 n
-0005218950 00000 n
-0005219075 00000 n
-0005219199 00000 n
-0005219324 00000 n
-0005219449 00000 n
-0005219574 00000 n
-0005219698 00000 n
-0005219822 00000 n
-0005219945 00000 n
-0005220070 00000 n
-0005220203 00000 n
-0005220329 00000 n
-0005220457 00000 n
-0005220589 00000 n
-0005220726 00000 n
-0005220860 00000 n
-0005220991 00000 n
-0005221120 00000 n
-0005221247 00000 n
-0005221374 00000 n
-0005221501 00000 n
-0005221628 00000 n
-0005221755 00000 n
-0005221882 00000 n
-0005222009 00000 n
-0005222136 00000 n
-0005222263 00000 n
-0005222390 00000 n
-0005222517 00000 n
-0005222644 00000 n
-0005222771 00000 n
-0005222898 00000 n
-0005223025 00000 n
-0005223152 00000 n
-0005223279 00000 n
-0005223406 00000 n
-0005223533 00000 n
-0005223660 00000 n
-0005223787 00000 n
-0005223914 00000 n
-0005224040 00000 n
-0005224178 00000 n
-0005224321 00000 n
-0005224463 00000 n
-0005224605 00000 n
-0005224746 00000 n
-0005224887 00000 n
-0005225029 00000 n
-0005225171 00000 n
-0005225312 00000 n
-0005225453 00000 n
-0005225592 00000 n
-0005225732 00000 n
-0005225872 00000 n
-0005226012 00000 n
-0005226151 00000 n
-0005226291 00000 n
-0005226431 00000 n
-0005226571 00000 n
-0005226711 00000 n
-0005226849 00000 n
-0005226988 00000 n
-0005227128 00000 n
-0005227268 00000 n
-0005227407 00000 n
-0005227546 00000 n
-0005227685 00000 n
-0005227818 00000 n
-0005227944 00000 n
-0005228069 00000 n
-0005228193 00000 n
-0005228318 00000 n
-0005228443 00000 n
-0005228568 00000 n
-0005228693 00000 n
-0005228817 00000 n
-0005228942 00000 n
-0005229067 00000 n
-0005229192 00000 n
-0005229316 00000 n
-0005229441 00000 n
-0005229566 00000 n
-0005229691 00000 n
-0005229815 00000 n
-0005229940 00000 n
-0005230065 00000 n
-0005230190 00000 n
-0005230313 00000 n
-0005230438 00000 n
-0005230563 00000 n
-0005230688 00000 n
-0005230813 00000 n
-0005230938 00000 n
-0005231061 00000 n
-0005231183 00000 n
-0005231308 00000 n
-0005231439 00000 n
-0005231571 00000 n
-0005231705 00000 n
-0005231839 00000 n
-0005231972 00000 n
-0005232105 00000 n
-0005232239 00000 n
-0005232372 00000 n
-0005232509 00000 n
-0005232652 00000 n
-0005232795 00000 n
-0005232937 00000 n
-0005233081 00000 n
-0005233227 00000 n
-0005233371 00000 n
-0005233514 00000 n
-0005233657 00000 n
-0005233800 00000 n
-0005233943 00000 n
-0005234086 00000 n
-0005234228 00000 n
-0005234375 00000 n
-0005234528 00000 n
-0005234681 00000 n
-0005234833 00000 n
-0005234973 00000 n
-0005235099 00000 n
-0005235193 00000 n
-0005235313 00000 n
-0005235437 00000 n
-0005235566 00000 n
-0005235698 00000 n
-0005235825 00000 n
-0005235952 00000 n
-0005236079 00000 n
-0005236212 00000 n
-0005236353 00000 n
-0005236493 00000 n
-0005236634 00000 n
-0005236767 00000 n
-0005236892 00000 n
-0005237016 00000 n
-0005237141 00000 n
-0005237264 00000 n
-0005237391 00000 n
-0005237529 00000 n
-0005237672 00000 n
-0005237814 00000 n
-0005237946 00000 n
-0005238020 00000 n
-0005238141 00000 n
-0005238267 00000 n
-0005238401 00000 n
-0005238515 00000 n
-0005238615 00000 n
-0005238657 00000 n
-0005238961 00000 n
+0004796771 00000 n
+0004797090 00000 n
+0004800404 00000 n
+0004800674 00000 n
+0004804620 00000 n
+0004804898 00000 n
+0004817550 00000 n
+0004818016 00000 n
+0004819808 00000 n
+0004820038 00000 n
+0004821815 00000 n
+0004822046 00000 n
+0004832831 00000 n
+0004833358 00000 n
+0004837665 00000 n
+0004837960 00000 n
+0004847856 00000 n
+0004848329 00000 n
+0004862563 00000 n
+0004863119 00000 n
+0004870833 00000 n
+0004871232 00000 n
+0004873741 00000 n
+0004874060 00000 n
+0004893302 00000 n
+0004893858 00000 n
+0004895781 00000 n
+0004896008 00000 n
+0004897930 00000 n
+0004898157 00000 n
+0004900159 00000 n
+0004900388 00000 n
+0004916971 00000 n
+0004917620 00000 n
+0004930292 00000 n
+0004930768 00000 n
+0004932603 00000 n
+0004957980 00000 n
+0004958108 00000 n
+0004958236 00000 n
+0004958364 00000 n
+0004958492 00000 n
+0004958620 00000 n
+0004958748 00000 n
+0004958876 00000 n
+0004959004 00000 n
+0004959132 00000 n
+0004959260 00000 n
+0004959388 00000 n
+0004959516 00000 n
+0004959644 00000 n
+0004959772 00000 n
+0004959900 00000 n
+0004960028 00000 n
+0004960156 00000 n
+0004960290 00000 n
+0004960424 00000 n
+0004960558 00000 n
+0004960692 00000 n
+0004960826 00000 n
+0004960960 00000 n
+0004961094 00000 n
+0004961228 00000 n
+0004961362 00000 n
+0004961486 00000 n
+0004961621 00000 n
+0004961756 00000 n
+0004961891 00000 n
+0004962026 00000 n
+0004962131 00000 n
+0004962238 00000 n
+0005054597 00000 n
+0005054753 00000 n
+0005054900 00000 n
+0005055052 00000 n
+0005055199 00000 n
+0005055343 00000 n
+0005055539 00000 n
+0005055731 00000 n
+0005055925 00000 n
+0005056111 00000 n
+0005056296 00000 n
+0005056482 00000 n
+0005056667 00000 n
+0005056853 00000 n
+0005057038 00000 n
+0005057224 00000 n
+0005057409 00000 n
+0005057595 00000 n
+0005057779 00000 n
+0005057963 00000 n
+0005058149 00000 n
+0005058334 00000 n
+0005058520 00000 n
+0005058705 00000 n
+0005058891 00000 n
+0005059076 00000 n
+0005059262 00000 n
+0005059445 00000 n
+0005059631 00000 n
+0005059816 00000 n
+0005060002 00000 n
+0005060186 00000 n
+0005060370 00000 n
+0005060556 00000 n
+0005060741 00000 n
+0005060927 00000 n
+0005061112 00000 n
+0005061300 00000 n
+0005061490 00000 n
+0005061682 00000 n
+0005061872 00000 n
+0005062064 00000 n
+0005062253 00000 n
+0005062442 00000 n
+0005062634 00000 n
+0005062820 00000 n
+0005063012 00000 n
+0005063202 00000 n
+0005063394 00000 n
+0005063584 00000 n
+0005063776 00000 n
+0005063966 00000 n
+0005064158 00000 n
+0005064348 00000 n
+0005064540 00000 n
+0005064729 00000 n
+0005064918 00000 n
+0005065110 00000 n
+0005065300 00000 n
+0005065492 00000 n
+0005065682 00000 n
+0005065874 00000 n
+0005066064 00000 n
+0005066256 00000 n
+0005066443 00000 n
+0005066635 00000 n
+0005066813 00000 n
+0005066990 00000 n
+0005067168 00000 n
+0005067345 00000 n
+0005067523 00000 n
+0005067700 00000 n
+0005067878 00000 n
+0005068054 00000 n
+0005068230 00000 n
+0005068408 00000 n
+0005068597 00000 n
+0005068816 00000 n
+0005069015 00000 n
+0005069258 00000 n
+0005069436 00000 n
+0005069606 00000 n
+0005069785 00000 n
+0005069999 00000 n
+0005070215 00000 n
+0005070432 00000 n
+0005070648 00000 n
+0005070842 00000 n
+0005071042 00000 n
+0005071234 00000 n
+0005071433 00000 n
+0005071633 00000 n
+0005071835 00000 n
+0005072035 00000 n
+0005072237 00000 n
+0005072437 00000 n
+0005072636 00000 n
+0005072834 00000 n
+0005073046 00000 n
+0005073248 00000 n
+0005073442 00000 n
+0005073662 00000 n
+0005073893 00000 n
+0005074127 00000 n
+0005074361 00000 n
+0005074594 00000 n
+0005074820 00000 n
+0005075051 00000 n
+0005075287 00000 n
+0005075521 00000 n
+0005075753 00000 n
+0005075980 00000 n
+0005076170 00000 n
+0005076416 00000 n
+0005076618 00000 n
+0005076831 00000 n
+0005077049 00000 n
+0005077262 00000 n
+0005077472 00000 n
+0005077680 00000 n
+0005077890 00000 n
+0005078099 00000 n
+0005078301 00000 n
+0005078507 00000 n
+0005078699 00000 n
+0005078896 00000 n
+0005079093 00000 n
+0005079288 00000 n
+0005079484 00000 n
+0005079679 00000 n
+0005079875 00000 n
+0005080070 00000 n
+0005080266 00000 n
+0005080462 00000 n
+0005080657 00000 n
+0005080851 00000 n
+0005081047 00000 n
+0005081241 00000 n
+0005081435 00000 n
+0005081629 00000 n
+0005081823 00000 n
+0005082018 00000 n
+0005082212 00000 n
+0005082406 00000 n
+0005082600 00000 n
+0005082794 00000 n
+0005082988 00000 n
+0005083182 00000 n
+0005083376 00000 n
+0005083572 00000 n
+0005083767 00000 n
+0005083962 00000 n
+0005084156 00000 n
+0005084352 00000 n
+0005084546 00000 n
+0005084740 00000 n
+0005084934 00000 n
+0005085128 00000 n
+0005085322 00000 n
+0005085518 00000 n
+0005085712 00000 n
+0005085906 00000 n
+0005086100 00000 n
+0005086294 00000 n
+0005086488 00000 n
+0005086682 00000 n
+0005086876 00000 n
+0005087070 00000 n
+0005087264 00000 n
+0005087458 00000 n
+0005087652 00000 n
+0005087846 00000 n
+0005088040 00000 n
+0005088234 00000 n
+0005088428 00000 n
+0005088622 00000 n
+0005088816 00000 n
+0005089010 00000 n
+0005089204 00000 n
+0005089398 00000 n
+0005089592 00000 n
+0005089786 00000 n
+0005089980 00000 n
+0005090174 00000 n
+0005090368 00000 n
+0005090562 00000 n
+0005090756 00000 n
+0005090950 00000 n
+0005091144 00000 n
+0005091343 00000 n
+0005091540 00000 n
+0005091737 00000 n
+0005091937 00000 n
+0005092134 00000 n
+0005092328 00000 n
+0005092525 00000 n
+0005092719 00000 n
+0005092914 00000 n
+0005093114 00000 n
+0005093312 00000 n
+0005093506 00000 n
+0005093700 00000 n
+0005093894 00000 n
+0005094088 00000 n
+0005094282 00000 n
+0005094476 00000 n
+0005094673 00000 n
+0005094873 00000 n
+0005095073 00000 n
+0005095273 00000 n
+0005095473 00000 n
+0005095673 00000 n
+0005095873 00000 n
+0005096073 00000 n
+0005096273 00000 n
+0005096473 00000 n
+0005096673 00000 n
+0005096873 00000 n
+0005097067 00000 n
+0005097261 00000 n
+0005097455 00000 n
+0005097649 00000 n
+0005097843 00000 n
+0005098037 00000 n
+0005098231 00000 n
+0005098425 00000 n
+0005098619 00000 n
+0005098813 00000 n
+0005099007 00000 n
+0005099201 00000 n
+0005099395 00000 n
+0005099589 00000 n
+0005099783 00000 n
+0005099983 00000 n
+0005100183 00000 n
+0005100383 00000 n
+0005100583 00000 n
+0005100783 00000 n
+0005100983 00000 n
+0005101183 00000 n
+0005101383 00000 n
+0005101583 00000 n
+0005101783 00000 n
+0005101983 00000 n
+0005102183 00000 n
+0005102383 00000 n
+0005102583 00000 n
+0005102783 00000 n
+0005102983 00000 n
+0005103183 00000 n
+0005103383 00000 n
+0005103583 00000 n
+0005103783 00000 n
+0005103983 00000 n
+0005104183 00000 n
+0005104383 00000 n
+0005104583 00000 n
+0005104783 00000 n
+0005104983 00000 n
+0005105183 00000 n
+0005105383 00000 n
+0005105583 00000 n
+0005105783 00000 n
+0005106011 00000 n
+0005106231 00000 n
+0005106452 00000 n
+0005106664 00000 n
+0005106922 00000 n
+0005107180 00000 n
+0005107438 00000 n
+0005107696 00000 n
+0005107954 00000 n
+0005108212 00000 n
+0005108467 00000 n
+0005108711 00000 n
+0005108963 00000 n
+0005109221 00000 n
+0005109483 00000 n
+0005109747 00000 n
+0005110002 00000 n
+0005110263 00000 n
+0005110535 00000 n
+0005110796 00000 n
+0005111057 00000 n
+0005111307 00000 n
+0005111551 00000 n
+0005111785 00000 n
+0005112033 00000 n
+0005112281 00000 n
+0005112531 00000 n
+0005112780 00000 n
+0005113027 00000 n
+0005113274 00000 n
+0005113530 00000 n
+0005113786 00000 n
+0005114046 00000 n
+0005114310 00000 n
+0005114573 00000 n
+0005114835 00000 n
+0005115091 00000 n
+0005115349 00000 n
+0005115605 00000 n
+0005115869 00000 n
+0005116132 00000 n
+0005116393 00000 n
+0005116649 00000 n
+0005116913 00000 n
+0005117176 00000 n
+0005117437 00000 n
+0005117693 00000 n
+0005117949 00000 n
+0005118205 00000 n
+0005118458 00000 n
+0005118708 00000 n
+0005118957 00000 n
+0005119207 00000 n
+0005119456 00000 n
+0005119701 00000 n
+0005119952 00000 n
+0005120208 00000 n
+0005120464 00000 n
+0005120717 00000 n
+0005120967 00000 n
+0005121216 00000 n
+0005121466 00000 n
+0005121708 00000 n
+0005121950 00000 n
+0005122192 00000 n
+0005122428 00000 n
+0005122676 00000 n
+0005122924 00000 n
+0005123171 00000 n
+0005123413 00000 n
+0005123655 00000 n
+0005123897 00000 n
+0005124140 00000 n
+0005124382 00000 n
+0005124629 00000 n
+0005124871 00000 n
+0005125111 00000 n
+0005125347 00000 n
+0005125585 00000 n
+0005125827 00000 n
+0005126072 00000 n
+0005126316 00000 n
+0005126566 00000 n
+0005126808 00000 n
+0005127050 00000 n
+0005127292 00000 n
+0005127534 00000 n
+0005127771 00000 n
+0005128005 00000 n
+0005128247 00000 n
+0005128489 00000 n
+0005128730 00000 n
+0005128972 00000 n
+0005129206 00000 n
+0005129445 00000 n
+0005129693 00000 n
+0005129935 00000 n
+0005130181 00000 n
+0005130431 00000 n
+0005130680 00000 n
+0005130928 00000 n
+0005131170 00000 n
+0005131412 00000 n
+0005131654 00000 n
+0005131898 00000 n
+0005132143 00000 n
+0005132387 00000 n
+0005132637 00000 n
+0005132881 00000 n
+0005133126 00000 n
+0005133374 00000 n
+0005133616 00000 n
+0005133861 00000 n
+0005134103 00000 n
+0005134344 00000 n
+0005134586 00000 n
+0005134826 00000 n
+0005135065 00000 n
+0005135301 00000 n
+0005135543 00000 n
+0005135785 00000 n
+0005136027 00000 n
+0005136268 00000 n
+0005136505 00000 n
+0005136742 00000 n
+0005136984 00000 n
+0005137226 00000 n
+0005137468 00000 n
+0005137710 00000 n
+0005137951 00000 n
+0005138193 00000 n
+0005138434 00000 n
+0005138671 00000 n
+0005138912 00000 n
+0005139162 00000 n
+0005139411 00000 n
+0005139661 00000 n
+0005139903 00000 n
+0005140148 00000 n
+0005140394 00000 n
+0005140636 00000 n
+0005140882 00000 n
+0005141124 00000 n
+0005141374 00000 n
+0005141623 00000 n
+0005141869 00000 n
+0005142111 00000 n
+0005142359 00000 n
+0005142607 00000 n
+0005142851 00000 n
+0005143097 00000 n
+0005143345 00000 n
+0005143590 00000 n
+0005143832 00000 n
+0005144073 00000 n
+0005144315 00000 n
+0005144549 00000 n
+0005144794 00000 n
+0005145047 00000 n
+0005145295 00000 n
+0005145543 00000 n
+0005145791 00000 n
+0005146052 00000 n
+0005146254 00000 n
+0005146443 00000 n
+0005146665 00000 n
+0005146883 00000 n
+0005147064 00000 n
+0005147250 00000 n
+0005147434 00000 n
+0005147618 00000 n
+0005147804 00000 n
+0005147989 00000 n
+0005148175 00000 n
+0005148360 00000 n
+0005148546 00000 n
+0005148731 00000 n
+0005148917 00000 n
+0005149102 00000 n
+0005149288 00000 n
+0005149472 00000 n
+0005149656 00000 n
+0005149842 00000 n
+0005150027 00000 n
+0005150213 00000 n
+0005150396 00000 n
+0005150582 00000 n
+0005150767 00000 n
+0005150953 00000 n
+0005151138 00000 n
+0005151324 00000 n
+0005151509 00000 n
+0005151695 00000 n
+0005151879 00000 n
+0005152063 00000 n
+0005152249 00000 n
+0005152434 00000 n
+0005152620 00000 n
+0005152805 00000 n
+0005152991 00000 n
+0005153176 00000 n
+0005153362 00000 n
+0005153547 00000 n
+0005153733 00000 n
+0005153914 00000 n
+0005154100 00000 n
+0005154284 00000 n
+0005154468 00000 n
+0005154654 00000 n
+0005154839 00000 n
+0005155025 00000 n
+0005155210 00000 n
+0005155396 00000 n
+0005155581 00000 n
+0005155767 00000 n
+0005155952 00000 n
+0005156138 00000 n
+0005156322 00000 n
+0005156506 00000 n
+0005156692 00000 n
+0005156877 00000 n
+0005157063 00000 n
+0005157246 00000 n
+0005157432 00000 n
+0005157617 00000 n
+0005157803 00000 n
+0005157988 00000 n
+0005158174 00000 n
+0005158359 00000 n
+0005158545 00000 n
+0005158729 00000 n
+0005158913 00000 n
+0005159099 00000 n
+0005159284 00000 n
+0005159470 00000 n
+0005159655 00000 n
+0005159841 00000 n
+0005160026 00000 n
+0005160212 00000 n
+0005160397 00000 n
+0005160583 00000 n
+0005160764 00000 n
+0005160950 00000 n
+0005161134 00000 n
+0005161318 00000 n
+0005161504 00000 n
+0005161689 00000 n
+0005161875 00000 n
+0005162060 00000 n
+0005162251 00000 n
+0005162441 00000 n
+0005162633 00000 n
+0005162823 00000 n
+0005163015 00000 n
+0005163204 00000 n
+0005163393 00000 n
+0005163585 00000 n
+0005163775 00000 n
+0005163967 00000 n
+0005164154 00000 n
+0005164346 00000 n
+0005164536 00000 n
+0005164728 00000 n
+0005164918 00000 n
+0005165110 00000 n
+0005165300 00000 n
+0005165492 00000 n
+0005165681 00000 n
+0005165870 00000 n
+0005166062 00000 n
+0005166252 00000 n
+0005166444 00000 n
+0005166634 00000 n
+0005166826 00000 n
+0005167016 00000 n
+0005167208 00000 n
+0005167398 00000 n
+0005167590 00000 n
+0005167775 00000 n
+0005167967 00000 n
+0005168156 00000 n
+0005168345 00000 n
+0005168537 00000 n
+0005168727 00000 n
+0005168919 00000 n
+0005169109 00000 n
+0005169301 00000 n
+0005169491 00000 n
+0005169683 00000 n
+0005169873 00000 n
+0005170065 00000 n
+0005170254 00000 n
+0005170443 00000 n
+0005170635 00000 n
+0005170825 00000 n
+0005171017 00000 n
+0005171204 00000 n
+0005171396 00000 n
+0005171586 00000 n
+0005171778 00000 n
+0005171968 00000 n
+0005172160 00000 n
+0005172350 00000 n
+0005172542 00000 n
+0005172731 00000 n
+0005172920 00000 n
+0005173112 00000 n
+0005173302 00000 n
+0005173494 00000 n
+0005173684 00000 n
+0005173876 00000 n
+0005174066 00000 n
+0005174258 00000 n
+0005174448 00000 n
+0005174624 00000 n
+0005174800 00000 n
+0005174982 00000 n
+0005175168 00000 n
+0005175354 00000 n
+0005175536 00000 n
+0005175726 00000 n
+0005175917 00000 n
+0005176111 00000 n
+0005176309 00000 n
+0005176507 00000 n
+0005176693 00000 n
+0005176861 00000 n
+0005177074 00000 n
+0005177293 00000 n
+0005177487 00000 n
+0005177753 00000 n
+0005177986 00000 n
+0005178190 00000 n
+0005178398 00000 n
+0005178610 00000 n
+0005178826 00000 n
+0005179042 00000 n
+0005179258 00000 n
+0005179474 00000 n
+0005179684 00000 n
+0005179883 00000 n
+0005180095 00000 n
+0005180307 00000 n
+0005180519 00000 n
+0005180742 00000 n
+0005180959 00000 n
+0005181177 00000 n
+0005181395 00000 n
+0005181613 00000 n
+0005181831 00000 n
+0005182049 00000 n
+0005182260 00000 n
+0005182484 00000 n
+0005182702 00000 n
+0005182925 00000 n
+0005183151 00000 n
+0005183370 00000 n
+0005183588 00000 n
+0005183806 00000 n
+0005184024 00000 n
+0005184242 00000 n
+0005184460 00000 n
+0005184678 00000 n
+0005184887 00000 n
+0005185102 00000 n
+0005185320 00000 n
+0005185538 00000 n
+0005185756 00000 n
+0005185965 00000 n
+0005186176 00000 n
+0005186394 00000 n
+0005186612 00000 n
+0005186830 00000 n
+0005187050 00000 n
+0005187271 00000 n
+0005187489 00000 n
+0005187707 00000 n
+0005187911 00000 n
+0005188115 00000 n
+0005188319 00000 n
+0005188532 00000 n
+0005188722 00000 n
+0005188930 00000 n
+0005189168 00000 n
+0005189415 00000 n
+0005189667 00000 n
+0005189919 00000 n
+0005190171 00000 n
+0005190423 00000 n
+0005190675 00000 n
+0005190927 00000 n
+0005191179 00000 n
+0005191436 00000 n
+0005191694 00000 n
+0005191952 00000 n
+0005192210 00000 n
+0005192468 00000 n
+0005192726 00000 n
+0005192984 00000 n
+0005193242 00000 n
+0005193500 00000 n
+0005193758 00000 n
+0005194016 00000 n
+0005194271 00000 n
+0005194526 00000 n
+0005194784 00000 n
+0005195042 00000 n
+0005195300 00000 n
+0005195558 00000 n
+0005195821 00000 n
+0005196095 00000 n
+0005196361 00000 n
+0005196627 00000 n
+0005196893 00000 n
+0005197159 00000 n
+0005197425 00000 n
+0005197697 00000 n
+0005197969 00000 n
+0005198237 00000 n
+0005198498 00000 n
+0005198756 00000 n
+0005199014 00000 n
+0005199278 00000 n
+0005199542 00000 n
+0005199800 00000 n
+0005200058 00000 n
+0005200316 00000 n
+0005200574 00000 n
+0005200832 00000 n
+0005201090 00000 n
+0005201348 00000 n
+0005201606 00000 n
+0005201864 00000 n
+0005202122 00000 n
+0005202380 00000 n
+0005202638 00000 n
+0005202896 00000 n
+0005203151 00000 n
+0005203395 00000 n
+0005203646 00000 n
+0005203904 00000 n
+0005204162 00000 n
+0005204420 00000 n
+0005204678 00000 n
+0005204936 00000 n
+0005205194 00000 n
+0005205447 00000 n
+0005205691 00000 n
+0005205942 00000 n
+0005206200 00000 n
+0005206458 00000 n
+0005206716 00000 n
+0005206965 00000 n
+0005207209 00000 n
+0005207453 00000 n
+0005207697 00000 n
+0005207941 00000 n
+0005208185 00000 n
+0005208463 00000 n
+0005208757 00000 n
+0005209049 00000 n
+0005209345 00000 n
+0005209643 00000 n
+0005209941 00000 n
+0005210239 00000 n
+0005210537 00000 n
+0005210830 00000 n
+0005211117 00000 n
+0005211415 00000 n
+0005211713 00000 n
+0005212016 00000 n
+0005212319 00000 n
+0005212617 00000 n
+0005212915 00000 n
+0005213213 00000 n
+0005213511 00000 n
+0005213809 00000 n
+0005214096 00000 n
+0005214394 00000 n
+0005214692 00000 n
+0005214990 00000 n
+0005215285 00000 n
+0005215578 00000 n
+0005215869 00000 n
+0005216153 00000 n
+0005216374 00000 n
+0005216576 00000 n
+0005216778 00000 n
+0005216980 00000 n
+0005217182 00000 n
+0005217381 00000 n
+0005217578 00000 n
+0005217786 00000 n
+0005217992 00000 n
+0005218193 00000 n
+0005218378 00000 n
+0005218500 00000 n
+0005218618 00000 n
+0005218748 00000 n
+0005218873 00000 n
+0005218998 00000 n
+0005219123 00000 n
+0005219247 00000 n
+0005219372 00000 n
+0005219497 00000 n
+0005219622 00000 n
+0005219746 00000 n
+0005219870 00000 n
+0005219993 00000 n
+0005220118 00000 n
+0005220251 00000 n
+0005220377 00000 n
+0005220505 00000 n
+0005220637 00000 n
+0005220774 00000 n
+0005220908 00000 n
+0005221039 00000 n
+0005221168 00000 n
+0005221295 00000 n
+0005221422 00000 n
+0005221549 00000 n
+0005221676 00000 n
+0005221803 00000 n
+0005221930 00000 n
+0005222057 00000 n
+0005222184 00000 n
+0005222311 00000 n
+0005222438 00000 n
+0005222565 00000 n
+0005222692 00000 n
+0005222819 00000 n
+0005222946 00000 n
+0005223073 00000 n
+0005223200 00000 n
+0005223327 00000 n
+0005223454 00000 n
+0005223581 00000 n
+0005223708 00000 n
+0005223835 00000 n
+0005223962 00000 n
+0005224088 00000 n
+0005224226 00000 n
+0005224369 00000 n
+0005224511 00000 n
+0005224653 00000 n
+0005224794 00000 n
+0005224935 00000 n
+0005225077 00000 n
+0005225219 00000 n
+0005225360 00000 n
+0005225501 00000 n
+0005225640 00000 n
+0005225780 00000 n
+0005225920 00000 n
+0005226060 00000 n
+0005226199 00000 n
+0005226339 00000 n
+0005226479 00000 n
+0005226619 00000 n
+0005226759 00000 n
+0005226897 00000 n
+0005227036 00000 n
+0005227176 00000 n
+0005227316 00000 n
+0005227455 00000 n
+0005227594 00000 n
+0005227733 00000 n
+0005227866 00000 n
+0005227992 00000 n
+0005228117 00000 n
+0005228241 00000 n
+0005228366 00000 n
+0005228491 00000 n
+0005228616 00000 n
+0005228741 00000 n
+0005228865 00000 n
+0005228990 00000 n
+0005229115 00000 n
+0005229240 00000 n
+0005229364 00000 n
+0005229489 00000 n
+0005229614 00000 n
+0005229739 00000 n
+0005229863 00000 n
+0005229988 00000 n
+0005230113 00000 n
+0005230238 00000 n
+0005230361 00000 n
+0005230486 00000 n
+0005230611 00000 n
+0005230736 00000 n
+0005230861 00000 n
+0005230986 00000 n
+0005231109 00000 n
+0005231231 00000 n
+0005231356 00000 n
+0005231487 00000 n
+0005231619 00000 n
+0005231753 00000 n
+0005231887 00000 n
+0005232020 00000 n
+0005232153 00000 n
+0005232287 00000 n
+0005232420 00000 n
+0005232557 00000 n
+0005232700 00000 n
+0005232843 00000 n
+0005232985 00000 n
+0005233129 00000 n
+0005233275 00000 n
+0005233419 00000 n
+0005233562 00000 n
+0005233705 00000 n
+0005233848 00000 n
+0005233991 00000 n
+0005234134 00000 n
+0005234276 00000 n
+0005234423 00000 n
+0005234576 00000 n
+0005234729 00000 n
+0005234881 00000 n
+0005235021 00000 n
+0005235147 00000 n
+0005235241 00000 n
+0005235361 00000 n
+0005235485 00000 n
+0005235614 00000 n
+0005235746 00000 n
+0005235873 00000 n
+0005236000 00000 n
+0005236127 00000 n
+0005236260 00000 n
+0005236401 00000 n
+0005236541 00000 n
+0005236682 00000 n
+0005236815 00000 n
+0005236940 00000 n
+0005237064 00000 n
+0005237189 00000 n
+0005237312 00000 n
+0005237439 00000 n
+0005237577 00000 n
+0005237720 00000 n
+0005237862 00000 n
+0005237994 00000 n
+0005238068 00000 n
+0005238189 00000 n
+0005238315 00000 n
+0005238449 00000 n
+0005238563 00000 n
+0005238663 00000 n
+0005238705 00000 n
+0005239009 00000 n
trailer
<< /Size 18549
/Root 18547 0 R
/Info 18548 0 R
-/ID [<C1F9F87B08B3D8FD5610F6F3B003D103> <C1F9F87B08B3D8FD5610F6F3B003D103>] >>
+/ID [<D6A7453855D976A4C4395C6439B5A355> <D6A7453855D976A4C4395C6439B5A355>] >>
startxref
-5239295
+5239343
%%EOF
Modified: branches/samba/upstream/docs/htmldocs/manpages/pdbedit.8.html
===================================================================
--- branches/samba/upstream/docs/htmldocs/manpages/pdbedit.8.html 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/htmldocs/manpages/pdbedit.8.html 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,10 +1,10 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>pdbedit</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="pdbedit"><a name="pdbedit.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pdbedit — manage the SAM database (Database of Samba Users)</p></div><div class="refsynopsisdiv" title="Synopsis"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">pdbedit</code> [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-t, --password-from-stdin] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control] [-y]</p></div></div><div class="refsect1" title="DESCRIPTION"><a name="id2489573"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The pdbedit program is used to manage the users accounts
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>pdbedit</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="pdbedit"><a name="pdbedit.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pdbedit — manage the SAM database (Database of Samba Users)</p></div><div class="refsynopsisdiv" title="Synopsis"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">pdbedit</code> [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-K] [-a] [-t, --password-from-stdin] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control] [-y]</p></div></div><div class="refsect1" title="DESCRIPTION"><a name="id2489581"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The pdbedit program is used to manage the users accounts
stored in the sam database and can only be run by root.</p><p>The pdbedit tool uses the passdb modular interface and is
independent from the kind of users database used (currently there
are smbpasswd, ldap, nis+ and tdb based and more can be added
without changing the tool).</p><p>There are five main ways to use pdbedit: adding a user account,
removing a user account, modifing a user account, listing user
- accounts, importing users accounts.</p></div><div class="refsect1" title="OPTIONS"><a name="id2489610"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-L</span></dt><dd><p>This option lists all the user accounts
+ accounts, importing users accounts.</p></div><div class="refsect1" title="OPTIONS"><a name="id2489618"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-L</span></dt><dd><p>This option lists all the user accounts
present in the users database.
This option prints a list of user/uid pairs separated by
the ':' character.</p><p>Example: <code class="literal">pdbedit -L</code></p><pre class="programlisting">
@@ -147,8 +147,8 @@
compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension
<code class="constant">".progname"</code> will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
-</p></dd></dl></div></div><div class="refsect1" title="NOTES"><a name="id2538733"></a><h2>NOTES</h2><p>This command may be used only by root.</p></div><div class="refsect1" title="VERSION"><a name="id2538743"></a><h2>VERSION</h2><p>This man page is correct for version 3 of
- the Samba suite.</p></div><div class="refsect1" title="SEE ALSO"><a name="id2538754"></a><h2>SEE ALSO</h2><p><a class="citerefentry" href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>, <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a></p></div><div class="refsect1" title="AUTHOR"><a name="id2538776"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
+</p></dd></dl></div></div><div class="refsect1" title="NOTES"><a name="id2538740"></a><h2>NOTES</h2><p>This command may be used only by root.</p></div><div class="refsect1" title="VERSION"><a name="id2538749"></a><h2>VERSION</h2><p>This man page is correct for version 3 of
+ the Samba suite.</p></div><div class="refsect1" title="SEE ALSO"><a name="id2538760"></a><h2>SEE ALSO</h2><p><a class="citerefentry" href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>, <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a></p></div><div class="refsect1" title="AUTHOR"><a name="id2538782"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</p><p>The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.</p></div></div></body></html>
Modified: branches/samba/upstream/docs/manpages/cifs.upcall.8
===================================================================
--- branches/samba/upstream/docs/manpages/cifs.upcall.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/cifs.upcall.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: cifs.upcall
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "CIFS\&.UPCALL" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "CIFS\&.UPCALL" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/eventlogadm.8
===================================================================
--- branches/samba/upstream/docs/manpages/eventlogadm.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/eventlogadm.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: eventlogadm
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "EVENTLOGADM" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "EVENTLOGADM" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/findsmb.1
===================================================================
--- branches/samba/upstream/docs/manpages/findsmb.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/findsmb.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: findsmb
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "FINDSMB" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "FINDSMB" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/idmap_ad.8
===================================================================
--- branches/samba/upstream/docs/manpages/idmap_ad.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/idmap_ad.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: idmap_ad
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "IDMAP_AD" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "IDMAP_AD" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/idmap_adex.8
===================================================================
--- branches/samba/upstream/docs/manpages/idmap_adex.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/idmap_adex.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: idmap_adex
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "IDMAP_ADEX" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "IDMAP_ADEX" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/idmap_hash.8
===================================================================
--- branches/samba/upstream/docs/manpages/idmap_hash.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/idmap_hash.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: idmap_hash
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "IDMAP_HASH" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "IDMAP_HASH" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/idmap_ldap.8
===================================================================
--- branches/samba/upstream/docs/manpages/idmap_ldap.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/idmap_ldap.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: idmap_ldap
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "IDMAP_LDAP" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "IDMAP_LDAP" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/idmap_nss.8
===================================================================
--- branches/samba/upstream/docs/manpages/idmap_nss.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/idmap_nss.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: idmap_nss
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "IDMAP_NSS" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "IDMAP_NSS" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/idmap_rid.8
===================================================================
--- branches/samba/upstream/docs/manpages/idmap_rid.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/idmap_rid.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: idmap_rid
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "IDMAP_RID" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "IDMAP_RID" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/idmap_tdb.8
===================================================================
--- branches/samba/upstream/docs/manpages/idmap_tdb.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/idmap_tdb.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: idmap_tdb
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "IDMAP_TDB" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "IDMAP_TDB" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/idmap_tdb2.8
===================================================================
--- branches/samba/upstream/docs/manpages/idmap_tdb2.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/idmap_tdb2.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: idmap_tdb2
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "IDMAP_TDB2" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "IDMAP_TDB2" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/ldb.3
===================================================================
--- branches/samba/upstream/docs/manpages/ldb.3 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/ldb.3 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: ldb
.\" Author: [see the "Author" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: C Library Functions
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LDB" "3" "01/04/2010" "Samba 3\&.4" "C Library Functions"
+.TH "LDB" "3" "01/18/2010" "Samba 3\&.4" "C Library Functions"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/ldbadd.1
===================================================================
--- branches/samba/upstream/docs/manpages/ldbadd.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/ldbadd.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: ldbadd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LDBADD" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "LDBADD" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/ldbdel.1
===================================================================
--- branches/samba/upstream/docs/manpages/ldbdel.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/ldbdel.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: ldbdel
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LDBDEL" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "LDBDEL" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/ldbedit.1
===================================================================
--- branches/samba/upstream/docs/manpages/ldbedit.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/ldbedit.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: ldbedit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LDBEDIT" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "LDBEDIT" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/ldbmodify.1
===================================================================
--- branches/samba/upstream/docs/manpages/ldbmodify.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/ldbmodify.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: ldbmodify
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LDBMODIFY" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "LDBMODIFY" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/ldbrename.1
===================================================================
--- branches/samba/upstream/docs/manpages/ldbrename.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/ldbrename.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: ldbrename
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "LDBRENAME" "1" "01/04/2010" "[FIXME: source]" "[FIXME: manual]"
+.TH "LDBRENAME" "1" "01/18/2010" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/ldbsearch.1
===================================================================
--- branches/samba/upstream/docs/manpages/ldbsearch.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/ldbsearch.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: ldbsearch
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LDBSEARCH" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "LDBSEARCH" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/libsmbclient.7
===================================================================
--- branches/samba/upstream/docs/manpages/libsmbclient.7 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/libsmbclient.7 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: libsmbclient
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: 7
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LIBSMBCLIENT" "7" "01/04/2010" "Samba 3\&.4" "7"
+.TH "LIBSMBCLIENT" "7" "01/18/2010" "Samba 3\&.4" "7"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/lmhosts.5
===================================================================
--- branches/samba/upstream/docs/manpages/lmhosts.5 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/lmhosts.5 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: lmhosts
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: File Formats and Conventions
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LMHOSTS" "5" "01/04/2010" "Samba 3\&.4" "File Formats and Conventions"
+.TH "LMHOSTS" "5" "01/18/2010" "Samba 3\&.4" "File Formats and Conventions"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/log2pcap.1
===================================================================
--- branches/samba/upstream/docs/manpages/log2pcap.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/log2pcap.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: log2pcap
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "LOG2PCAP" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "LOG2PCAP" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/mount.cifs.8
===================================================================
--- branches/samba/upstream/docs/manpages/mount.cifs.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/mount.cifs.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: mount.cifs
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "MOUNT\&.CIFS" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "MOUNT\&.CIFS" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/net.8
===================================================================
--- branches/samba/upstream/docs/manpages/net.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/net.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: net
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "NET" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "NET" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/nmbd.8
===================================================================
--- branches/samba/upstream/docs/manpages/nmbd.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/nmbd.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: nmbd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "NMBD" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "NMBD" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/nmblookup.1
===================================================================
--- branches/samba/upstream/docs/manpages/nmblookup.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/nmblookup.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: nmblookup
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "NMBLOOKUP" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "NMBLOOKUP" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/ntlm_auth.1
===================================================================
--- branches/samba/upstream/docs/manpages/ntlm_auth.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/ntlm_auth.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: ntlm_auth
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "NTLM_AUTH" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "NTLM_AUTH" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/pam_winbind.8
===================================================================
--- branches/samba/upstream/docs/manpages/pam_winbind.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/pam_winbind.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: pam_winbind
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: 8
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "PAM_WINBIND" "8" "01/04/2010" "Samba 3\&.4" "8"
+.TH "PAM_WINBIND" "8" "01/18/2010" "Samba 3\&.4" "8"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/pdbedit.8
===================================================================
--- branches/samba/upstream/docs/manpages/pdbedit.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/pdbedit.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: pdbedit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "PDBEDIT" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "PDBEDIT" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
@@ -22,7 +22,7 @@
pdbedit \- manage the SAM database (Database of Samba Users)
.SH "SYNOPSIS"
.HP \w'\ 'u
-pdbedit [\-L] [\-v] [\-w] [\-u\ username] [\-f\ fullname] [\-h\ homedir] [\-D\ drive] [\-S\ script] [\-p\ profile] [\-a] [\-t,\ \-\-password\-from\-stdin] [\-m] [\-r] [\-x] [\-i\ passdb\-backend] [\-e\ passdb\-backend] [\-b\ passdb\-backend] [\-g] [\-d\ debuglevel] [\-s\ configfile] [\-P\ account\-policy] [\-C\ value] [\-c\ account\-control] [\-y]
+pdbedit [\-L] [\-v] [\-w] [\-u\ username] [\-f\ fullname] [\-h\ homedir] [\-D\ drive] [\-S\ script] [\-p\ profile] [\-K] [\-a] [\-t,\ \-\-password\-from\-stdin] [\-m] [\-r] [\-x] [\-i\ passdb\-backend] [\-e\ passdb\-backend] [\-b\ passdb\-backend] [\-g] [\-d\ debuglevel] [\-s\ configfile] [\-P\ account\-policy] [\-C\ value] [\-c\ account\-control] [\-y]
.SH "DESCRIPTION"
.PP
This tool is part of the
Modified: branches/samba/upstream/docs/manpages/profiles.1
===================================================================
--- branches/samba/upstream/docs/manpages/profiles.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/profiles.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: profiles
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "PROFILES" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "PROFILES" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/rpcclient.1
===================================================================
--- branches/samba/upstream/docs/manpages/rpcclient.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/rpcclient.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: rpcclient
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "RPCCLIENT" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "RPCCLIENT" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/samba.7
===================================================================
--- branches/samba/upstream/docs/manpages/samba.7 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/samba.7 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: samba
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: Miscellanea
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SAMBA" "7" "01/04/2010" "Samba 3\&.4" "Miscellanea"
+.TH "SAMBA" "7" "01/18/2010" "Samba 3\&.4" "Miscellanea"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/sharesec.1
===================================================================
--- branches/samba/upstream/docs/manpages/sharesec.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/sharesec.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: sharesec
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SHARESEC" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SHARESEC" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smb.conf.5
===================================================================
--- branches/samba/upstream/docs/manpages/smb.conf.5 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smb.conf.5 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smb.conf
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: File Formats and Conventions
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMB\&.CONF" "5" "01/04/2010" "Samba 3\&.4" "File Formats and Conventions"
+.TH "SMB\&.CONF" "5" "01/18/2010" "Samba 3\&.4" "File Formats and Conventions"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbcacls.1
===================================================================
--- branches/samba/upstream/docs/manpages/smbcacls.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbcacls.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbcacls
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBCACLS" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SMBCACLS" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbclient.1
===================================================================
--- branches/samba/upstream/docs/manpages/smbclient.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbclient.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbclient
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBCLIENT" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SMBCLIENT" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbcontrol.1
===================================================================
--- branches/samba/upstream/docs/manpages/smbcontrol.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbcontrol.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbcontrol
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBCONTROL" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SMBCONTROL" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbcquotas.1
===================================================================
--- branches/samba/upstream/docs/manpages/smbcquotas.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbcquotas.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbcquotas
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBCQUOTAS" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SMBCQUOTAS" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbd.8
===================================================================
--- branches/samba/upstream/docs/manpages/smbd.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbd.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBD" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "SMBD" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbget.1
===================================================================
--- branches/samba/upstream/docs/manpages/smbget.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbget.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbget
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBGET" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SMBGET" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbgetrc.5
===================================================================
--- branches/samba/upstream/docs/manpages/smbgetrc.5 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbgetrc.5 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbgetrc
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: File Formats and Conventions
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBGETRC" "5" "01/04/2010" "Samba 3\&.4" "File Formats and Conventions"
+.TH "SMBGETRC" "5" "01/18/2010" "Samba 3\&.4" "File Formats and Conventions"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbpasswd.5
===================================================================
--- branches/samba/upstream/docs/manpages/smbpasswd.5 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbpasswd.5 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbpasswd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: File Formats and Conventions
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBPASSWD" "5" "01/04/2010" "Samba 3\&.4" "File Formats and Conventions"
+.TH "SMBPASSWD" "5" "01/18/2010" "Samba 3\&.4" "File Formats and Conventions"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbpasswd.8
===================================================================
--- branches/samba/upstream/docs/manpages/smbpasswd.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbpasswd.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbpasswd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBPASSWD" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "SMBPASSWD" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbspool.8
===================================================================
--- branches/samba/upstream/docs/manpages/smbspool.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbspool.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbspool
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBSPOOL" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "SMBSPOOL" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbstatus.1
===================================================================
--- branches/samba/upstream/docs/manpages/smbstatus.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbstatus.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbstatus
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBSTATUS" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SMBSTATUS" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbtar.1
===================================================================
--- branches/samba/upstream/docs/manpages/smbtar.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbtar.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbtar
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBTAR" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SMBTAR" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/smbtree.1
===================================================================
--- branches/samba/upstream/docs/manpages/smbtree.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/smbtree.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smbtree
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMBTREE" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "SMBTREE" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/swat.8
===================================================================
--- branches/samba/upstream/docs/manpages/swat.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/swat.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: swat
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SWAT" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "SWAT" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/tdbbackup.8
===================================================================
--- branches/samba/upstream/docs/manpages/tdbbackup.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/tdbbackup.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: tdbbackup
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "TDBBACKUP" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "TDBBACKUP" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/tdbdump.8
===================================================================
--- branches/samba/upstream/docs/manpages/tdbdump.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/tdbdump.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: tdbdump
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "TDBDUMP" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "TDBDUMP" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/tdbtool.8
===================================================================
--- branches/samba/upstream/docs/manpages/tdbtool.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/tdbtool.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: tdbtool
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "TDBTOOL" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "TDBTOOL" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/testparm.1
===================================================================
--- branches/samba/upstream/docs/manpages/testparm.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/testparm.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: testparm
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "TESTPARM" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "TESTPARM" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/umount.cifs.8
===================================================================
--- branches/samba/upstream/docs/manpages/umount.cifs.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/umount.cifs.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: umount.cifs
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "UMOUNT\&.CIFS" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "UMOUNT\&.CIFS" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_acl_tdb.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_acl_tdb.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_acl_tdb.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_acl_tdb
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_ACL_TDB" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_ACL_TDB" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_acl_xattr.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_acl_xattr.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_acl_xattr.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_acl_xattr
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_ACL_XATTR" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_ACL_XATTR" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_audit.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_audit.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_audit.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_audit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_AUDIT" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_AUDIT" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_cacheprime.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_cacheprime.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_cacheprime.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_cacheprime
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_CACHEPRIME" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_CACHEPRIME" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_cap.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_cap.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_cap.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_cap
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_CAP" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_CAP" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_catia.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_catia.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_catia.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_catia
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_CATIA" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_CATIA" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_commit.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_commit.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_commit.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_commit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_COMMIT" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_COMMIT" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_default_quota.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_default_quota.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_default_quota.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_default_quota
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_DEFAULT_QUOTA" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_DEFAULT_QUOTA" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_dirsort.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_dirsort.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_dirsort.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_dirsort
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_DIRSORT" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_DIRSORT" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_extd_audit.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_extd_audit.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_extd_audit.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_extd_audit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_EXTD_AUDIT" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_EXTD_AUDIT" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_fake_perms.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_fake_perms.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_fake_perms.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_fake_perms
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_FAKE_PERMS" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_FAKE_PERMS" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_fileid.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_fileid.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_fileid.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_fileid
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_FILEID" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_FILEID" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_full_audit.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_full_audit.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_full_audit.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_full_audit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_FULL_AUDIT" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_FULL_AUDIT" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_gpfs.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_gpfs.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_gpfs.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_gpfs
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_GPFS" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_GPFS" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_netatalk.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_netatalk.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_netatalk.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_netatalk
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_NETATALK" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_NETATALK" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_notify_fam.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_notify_fam.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_notify_fam.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_notify_fam
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_NOTIFY_FAM" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_NOTIFY_FAM" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_prealloc.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_prealloc.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_prealloc.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_prealloc
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_PREALLOC" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_PREALLOC" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_preopen.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_preopen.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_preopen.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_preopen
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_PREOPEN" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_PREOPEN" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_readahead.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_readahead.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_readahead.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_readahead
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_READAHEAD" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_READAHEAD" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_readonly.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_readonly.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_readonly.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_readonly
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_READONLY" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_READONLY" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_recycle.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_recycle.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_recycle.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_recycle
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_RECYCLE" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_RECYCLE" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_shadow_copy.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_shadow_copy.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_shadow_copy.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_shadow_copy
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_SHADOW_COPY" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_SHADOW_COPY" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_shadow_copy2.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_shadow_copy2.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_shadow_copy2.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_shadow_copy2
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_SHADOW_COPY2" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_SHADOW_COPY2" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_smb_traffic_analyzer.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_smb_traffic_analyzer.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_smb_traffic_analyzer.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: smb_traffic_analyzer
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "SMB_TRAFFIC_ANALYZER" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "SMB_TRAFFIC_ANALYZER" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_streams_depot.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_streams_depot.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_streams_depot.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_streams_depot
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_STREAMS_DEPOT" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_STREAMS_DEPOT" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_streams_xattr.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_streams_xattr.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_streams_xattr.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_streams_xattr
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_STREAMS_XATTR" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_STREAMS_XATTR" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfs_xattr_tdb.8
===================================================================
--- branches/samba/upstream/docs/manpages/vfs_xattr_tdb.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfs_xattr_tdb.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfs_xattr_tdb
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFS_XATTR_TDB" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "VFS_XATTR_TDB" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/vfstest.1
===================================================================
--- branches/samba/upstream/docs/manpages/vfstest.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/vfstest.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: vfstest
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "VFSTEST" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "VFSTEST" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/wbinfo.1
===================================================================
--- branches/samba/upstream/docs/manpages/wbinfo.1 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/wbinfo.1 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: wbinfo
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: User Commands
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "WBINFO" "1" "01/04/2010" "Samba 3\&.4" "User Commands"
+.TH "WBINFO" "1" "01/18/2010" "Samba 3\&.4" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/winbind_krb5_locator.7
===================================================================
--- branches/samba/upstream/docs/manpages/winbind_krb5_locator.7 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/winbind_krb5_locator.7 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: winbind_krb5_locator
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: 7
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "WINBIND_KRB5_LOCATOR" "7" "01/04/2010" "Samba 3\&.4" "7"
+.TH "WINBIND_KRB5_LOCATOR" "7" "01/18/2010" "Samba 3\&.4" "7"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs/manpages/winbindd.8
===================================================================
--- branches/samba/upstream/docs/manpages/winbindd.8 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs/manpages/winbindd.8 2010-01-20 19:20:07 UTC (rev 3240)
@@ -2,12 +2,12 @@
.\" Title: winbindd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\" Date: 01/04/2010
+.\" Date: 01/18/2010
.\" Manual: System Administration tools
.\" Source: Samba 3.4
.\" Language: English
.\"
-.TH "WINBINDD" "8" "01/04/2010" "Samba 3\&.4" "System Administration tools"
+.TH "WINBINDD" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
Modified: branches/samba/upstream/docs-xml/manpages-3/pdbedit.8.xml
===================================================================
--- branches/samba/upstream/docs-xml/manpages-3/pdbedit.8.xml 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/docs-xml/manpages-3/pdbedit.8.xml 2010-01-20 19:20:07 UTC (rev 3240)
@@ -28,6 +28,7 @@
<arg choice="opt">-D drive</arg>
<arg choice="opt">-S script</arg>
<arg choice="opt">-p profile</arg>
+ <arg choice="opt">-K</arg>
<arg choice="opt">-a</arg>
<arg choice="opt">-t, --password-from-stdin</arg>
<arg choice="opt">-m</arg>
Modified: branches/samba/upstream/packaging/RHEL/makerpms.sh
===================================================================
--- branches/samba/upstream/packaging/RHEL/makerpms.sh 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/packaging/RHEL/makerpms.sh 2010-01-20 19:20:07 UTC (rev 3240)
@@ -20,7 +20,7 @@
USERID=`id -u`
GRPID=`id -g`
-VERSION='3.4.4'
+VERSION='3.4.5'
REVISION=''
SPECFILE="samba.spec"
RPMVER=`rpm --version | awk '{print $3}'`
Modified: branches/samba/upstream/packaging/RHEL/samba.spec
===================================================================
--- branches/samba/upstream/packaging/RHEL/samba.spec 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/packaging/RHEL/samba.spec 2010-01-20 19:20:07 UTC (rev 3240)
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <samba at samba.org>
Name: samba
-Version: 3.4.4
+Version: 3.4.5
Release: 1
Epoch: 0
License: GNU GPL version 3
Modified: branches/samba/upstream/packaging/RHEL-CTDB/samba.spec
===================================================================
--- branches/samba/upstream/packaging/RHEL-CTDB/samba.spec 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/packaging/RHEL-CTDB/samba.spec 2010-01-20 19:20:07 UTC (rev 3240)
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <samba at samba.org>
Name: samba
-Version: 3.4.4
+Version: 3.4.5
Release: ctdb.1
Epoch: 0
License: GNU GPL version 3
Modified: branches/samba/upstream/source3/VERSION
===================================================================
--- branches/samba/upstream/source3/VERSION 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/VERSION 2010-01-20 19:20:07 UTC (rev 3240)
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
########################################################
# Bug fix releases use a letter for the patch revision #
Modified: branches/samba/upstream/source3/include/version.h
===================================================================
--- branches/samba/upstream/source3/include/version.h 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/include/version.h 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,8 +1,8 @@
/* Autogenerated by script/mkversion.sh */
#define SAMBA_VERSION_MAJOR 3
#define SAMBA_VERSION_MINOR 4
-#define SAMBA_VERSION_RELEASE 4
-#define SAMBA_VERSION_OFFICIAL_STRING "3.4.4"
+#define SAMBA_VERSION_RELEASE 5
+#define SAMBA_VERSION_OFFICIAL_STRING "3.4.5"
#ifdef SAMBA_VERSION_VENDOR_FUNCTION
# define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION
#else /* SAMBA_VERSION_VENDOR_FUNCTION */
Modified: branches/samba/upstream/source3/libsmb/libsmb_context.c
===================================================================
--- branches/samba/upstream/source3/libsmb/libsmb_context.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/libsmb/libsmb_context.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -192,13 +192,8 @@
}
/* Things we have to clean up */
- free(smbc_getWorkgroup(context));
smbc_setWorkgroup(context, NULL);
-
- free(smbc_getNetbiosName(context));
smbc_setNetbiosName(context, NULL);
-
- free(smbc_getUser(context));
smbc_setUser(context, NULL);
DEBUG(3, ("Context %p successfully freed\n", context));
@@ -426,7 +421,6 @@
smbc_init_context(SMBCCTX *context)
{
int pid;
- char *user = NULL;
char *home = NULL;
if (!context) {
@@ -535,7 +529,7 @@
/*
* FIXME: Is this the best way to get the user info?
*/
- user = getenv("USER");
+ char *user = getenv("USER");
/* walk around as "guest" if no username can be found */
if (!user) {
user = SMB_STRDUP("guest");
@@ -549,6 +543,12 @@
}
smbc_setUser(context, user);
+ SAFE_FREE(user);
+
+ if (!smbc_getUser(context)) {
+ errno = ENOMEM;
+ return NULL;
+ }
}
if (!smbc_getNetbiosName(context)) {
@@ -581,6 +581,12 @@
}
smbc_setNetbiosName(context, netbios_name);
+ SAFE_FREE(netbios_name);
+
+ if (!smbc_getNetbiosName(context)) {
+ errno = ENOMEM;
+ return NULL;
+ }
}
DEBUG(1, ("Using netbios name %s.\n", smbc_getNetbiosName(context)));
@@ -602,6 +608,12 @@
}
smbc_setWorkgroup(context, workgroup);
+ SAFE_FREE(workgroup);
+
+ if (!smbc_getWorkgroup(context)) {
+ errno = ENOMEM;
+ return NULL;
+ }
}
DEBUG(1, ("Using workgroup %s.\n", smbc_getWorkgroup(context)));
Modified: branches/samba/upstream/source3/libsmb/libsmb_dir.c
===================================================================
--- branches/samba/upstream/source3/libsmb/libsmb_dir.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/libsmb/libsmb_dir.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -303,7 +303,7 @@
}
/* For each returned entry... */
- for (i = 0; i < total_entries; i++) {
+ for (i = 0; i < info_ctr.ctr.ctr1->count; i++) {
/* pull out the share name */
fstrcpy(name, info_ctr.ctr.ctr1->array[i].name);
Modified: branches/samba/upstream/source3/libsmb/libsmb_path.c
===================================================================
--- branches/samba/upstream/source3/libsmb/libsmb_path.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/libsmb/libsmb_path.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -308,7 +308,7 @@
if (!*pp_server) {
return -1;
}
- *pp_server[wl] = '\0';
+ (*pp_server)[wl] = '\0';
return 0;
}
Modified: branches/samba/upstream/source3/libsmb/libsmb_setget.c
===================================================================
--- branches/samba/upstream/source3/libsmb/libsmb_setget.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/libsmb/libsmb_setget.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -39,7 +39,10 @@
void
smbc_setNetbiosName(SMBCCTX *c, char * netbios_name)
{
- c->netbios_name = netbios_name;
+ SAFE_FREE(c->netbios_name);
+ if (netbios_name) {
+ c->netbios_name = SMB_STRDUP(netbios_name);
+ }
}
/** Get the workgroup used for making connections */
@@ -53,7 +56,10 @@
void
smbc_setWorkgroup(SMBCCTX *c, char * workgroup)
{
- c->workgroup = workgroup;
+ SAFE_FREE(c->workgroup);
+ if (workgroup) {
+ c->workgroup = SMB_STRDUP(workgroup);
+ }
}
/** Get the username used for making connections */
@@ -67,7 +73,10 @@
void
smbc_setUser(SMBCCTX *c, char * user)
{
- c->user = user;
+ SAFE_FREE(c->user);
+ if (user) {
+ c->user = SMB_STRDUP(user);
+ }
}
/** Get the debug level */
Modified: branches/samba/upstream/source3/modules/vfs_cap.c
===================================================================
--- branches/samba/upstream/source3/modules/vfs_cap.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/modules/vfs_cap.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -600,12 +600,13 @@
size_t len = 0;
for (p1 = from; *p1; len++) {
- if (is_hex(from)) {
+ if (is_hex(p1)) {
p1 += 3;
} else {
p1++;
}
}
+ len++;
to = TALLOC_ARRAY(ctx, char, len);
if (!to) {
Modified: branches/samba/upstream/source3/rpc_server/srv_pipe_hnd.c
===================================================================
--- branches/samba/upstream/source3/rpc_server/srv_pipe_hnd.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/rpc_server/srv_pipe_hnd.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -890,6 +890,13 @@
out:
(*is_data_outstanding) = prs_offset(&p->out_data.frag) > n;
+ if (p->out_data.current_pdu_sent == prs_offset(&p->out_data.frag)) {
+ /* We've returned everything in the out_data.frag
+ * so we're done with this pdu. Free it and reset
+ * current_pdu_sent. */
+ p->out_data.current_pdu_sent = 0;
+ prs_mem_free(&p->out_data.frag);
+ }
return data_returned;
}
Modified: branches/samba/upstream/source3/smbd/pipes.c
===================================================================
--- branches/samba/upstream/source3/smbd/pipes.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/smbd/pipes.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -326,6 +326,11 @@
done:
chain_reply(req);
+ /*
+ * We must free here as the ownership of req was
+ * moved to the connection struct in reply_pipe_write_and_X().
+ */
+ TALLOC_FREE(req);
}
/****************************************************************************
@@ -431,4 +436,9 @@
done:
chain_reply(req);
+ /*
+ * We must free here as the ownership of req was
+ * moved to the connection struct in reply_pipe_read_and_X().
+ */
+ TALLOC_FREE(req);
}
Modified: branches/samba/upstream/source3/smbd/posix_acls.c
===================================================================
--- branches/samba/upstream/source3/smbd/posix_acls.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/smbd/posix_acls.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1107,6 +1107,9 @@
nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
}
+ if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
+ nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER);
+ }
}
DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
Modified: branches/samba/upstream/source3/smbd/reply.c
===================================================================
--- branches/samba/upstream/source3/smbd/reply.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/smbd/reply.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -46,9 +46,9 @@
{
char *d = path;
const char *s = path;
- NTSTATUS ret = NT_STATUS_OK;
bool start_of_name_component = True;
bool stream_started = false;
+ bool check_quota = false;
*p_last_component_contains_wcard = False;
@@ -66,7 +66,7 @@
return NT_STATUS_OBJECT_NAME_INVALID;
}
if (StrCaseCmp(s, ":$DATA") != 0) {
- return NT_STATUS_INVALID_PARAMETER;
+ check_quota = true;
}
break;
}
@@ -127,8 +127,7 @@
/* Are we at the start ? Can't go back further if so. */
if (d <= path) {
- ret = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
- break;
+ return NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
}
/* Go back one level... */
/* We know this is safe as '/' cannot be part of a mb sequence. */
@@ -201,7 +200,13 @@
*d = '\0';
- return ret;
+ if (check_quota) {
+ if (StrCaseCmp(path, FAKE_FILE_NAME_QUOTA_UNIX) != 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ return NT_STATUS_OK;
}
/****************************************************************************
Modified: branches/samba/upstream/source3/utils/net_rpc.c
===================================================================
--- branches/samba/upstream/source3/utils/net_rpc.c 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source3/utils/net_rpc.c 2010-01-20 19:20:07 UTC (rev 3240)
@@ -586,6 +586,12 @@
int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
{
+ int conn_flags = NET_FLAGS_PDC;
+
+ if (!c->opt_user_specified) {
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
if (c->display_usage) {
d_printf("Usage:\n"
"net rpc getsid\n"
@@ -594,7 +600,7 @@
}
return run_rpc_command(c, NULL, &ndr_table_samr.syntax_id,
- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
+ conn_flags,
rpc_getsid_internals,
argc, argv);
}
Deleted: branches/samba/upstream/source4/heimdal/lib/wind/rfc3454.txt
===================================================================
--- branches/samba/upstream/source4/heimdal/lib/wind/rfc3454.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/heimdal/lib/wind/rfc3454.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,5099 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Hoffman
-Request for Comments: 3454 IMC & VPNC
-Category: Standards Track M. Blanchet
- Viagenie
- December 2002
-
-
- Preparation of Internationalized Strings ("stringprep")
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
-Abstract
-
- This document describes a framework for preparing Unicode text
- strings in order to increase the likelihood that string input and
- string comparison work in ways that make sense for typical users
- throughout the world. The stringprep protocol is useful for protocol
- identifier values, company and personal names, internationalized
- domain names, and other text strings.
-
- This document does not specify how protocols should prepare text
- strings. Protocols must create profiles of stringprep in order to
- fully specify the processing options.
-
-Table of Contents
-
- 1. Introduction....................................................3
- 1.1 Terminology..................................................4
- 1.2 Using stringprep in protocols................................4
- 2. Preparation Overview............................................6
- 3. Mapping.........................................................7
- 3.1 Commonly mapped to nothing...................................7
- 3.2 Case folding.................................................8
- 4. Normalization...................................................9
- 5. Prohibited Output..............................................10
- 5.1 Space characters............................................11
- 5.2 Control characters..........................................11
- 5.3 Private use.................................................12
-
-
-
-Hoffman & Blanchet Standards Track [Page 1]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 5.4 Non-character code points...................................12
- 5.5 Surrogate codes.............................................13
- 5.6 Inappropriate for plain text................................13
- 5.7 Inappropriate for canonical representation..................13
- 5.8 Change display properties or deprecated.....................13
- 5.9 Tagging characters..........................................14
- 6. Bidirectional Characters.......................................14
- 7. Unassigned Code Points in Stringprep Profiles..................15
- 7.1 Categories of code points...................................16
- 7.2 Reasons for difference between stored strings and queries...17
- 7.3 Versions of applications and stored strings.................18
- 8. References.....................................................19
- 8.1 Normative references........................................19
- 8.2 Informative references......................................19
- 9. Security Considerations........................................19
- 9.1 Stringprep-specific security considerations.................19
- 9.2 Generic Unicode security considerations.....................20
- 10. IANA Considerations...........................................21
- 11. Acknowledgements..............................................22
- A. Unicode repertoires............................................23
- A.1 Unassigned code points in Unicode 3.2.......................23
- B. Mapping Tables.................................................31
- B.1 Commonly mapped to nothing..................................31
- B.2 Mapping for case-folding used with NFKC.....................32
- B.3 Mapping for case-folding used with no normalization.........61
- C. Prohibition tables.............................................78
- C.1 Space characters............................................78
- C.1.1 ASCII space characters..................................78
- C.1.2 Non-ASCII space characters..............................79
- C.2 Control characters..........................................79
- C.2.1 ASCII control characters................................79
- C.2.2 Non-ASCII control characters............................79
- C.3 Private use.................................................80
- C.4 Non-character code points...................................80
- C.5 Surrogate codes.............................................80
- C.6 Inappropriate for plain text................................80
- C.7 Inappropriate for canonical representation..................81
- C.8 Change display properties or are deprecated.................81
- C.9 Tagging characters..........................................81
- D. Bidirectional tables...........................................81
- D.1 Characters with bidirectional property "R" or "AL"..........81
- D.2 Characters with bidirectional property "L"..................82
- Authors' Addresses................................................90
- Full Copyright Statement..........................................91
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 2]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
-1. Introduction
-
- Application programs can display text in many different ways.
- Similarly, a user can enter text into an application program in a
- myriad of fashions. Internationalized text (that is, text that is
- not restricted to the narrow set of US-ASCII characters) has many
- input and display behaviors that make it difficult to compare text in
- a consistent fashion.
-
- This document specifies a framework of processing rules for Unicode
- text. Other protocols can create profiles of these rules; these
- profiles will allow users to enter internationalized text strings in
- applications and have the highest chance of getting the content of
- the strings correct. In this case, "correct" means that if two
- different people enter what they think is the same string into two
- different input mechanisms, the strings should match on a character-
- by-character basis.
-
- This framework does not describe how data is transcoded from other
- character sets into Unicode. In systems that uses non-Unicode
- character sets, the transcoding algorithm is a critical part of
- enabling secure and "correct" operation of internationalized text
- strings.
-
- In addition to helping string matching, profiles of stringprep can
- also exclude characters that should not normally appear in text that
- is used in the protocol. The profile can prevent such characters by
- changing the characters to be excluded to other characters, by
- removing those characters, or by causing an error if the characters
- would appear in the output. For example, because the backspace
- character can cause unpredictable display results, a profile can
- specify that a string containing a backspace character would cause an
- error.
-
- A profile of stringprep converts a single string of input characters
- to a string of output characters, or returns an error if the output
- string would contain a prohibited character. Stringprep profiles
- cannot both emit a string and return an error.
-
- Stringprep profiles cannot account for all of the variations that
- might occur or that a user might expect. In particular, a profile
- will not be able to account for choice of spellings in all languages
- for all scripts because the number of alternative spellings of words
- and phrases is immense. Users would probably expect all spelling
- equivalents to be made equivalent, or none of them to be. Examples
- of spelling equivalents include "theater" vs. "theatre", and
- "hemoglobin" vs. "h<U+00E6>moglobin" in American vs. British English.
- Other examples are simplified Chinese spellings of names (for
-
-
-
-Hoffman & Blanchet Standards Track [Page 3]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- example,"<U+7EDF><U+4E00><U+7801>") vs. the equivalent traditional
- Chinese spelling (for example, "<U+7D71><U+4E00><U+78BC>").
- Language-specific equivalences such as "Aepfel" vs. "<U+00C4>pfel",
- which are sometimes considered equivalent in German, may not be
- considered equivalent in other languages.
-
-1.1 Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14, RFC 2119
- [RFC2119].
-
- Note: A glossary of terms used in Unicode and ISO/IEC 10646 can be
- found in [Glossary]. Information on the 10646/Unicode character
- encoding model can be found in [CharModel].
-
- Character names in this document use the notation for code points and
- names from the Unicode Standard [Unicode3.2] and ISO/IEC 10646
- [ISO10646]. For example, the letter "a" may be represented as either
- "U+0061" or "LATIN SMALL LETTER A". In the lists of mappings and the
- prohibited characters, the "U+" is left off to make the lists easier
- to read. The comments for character ranges are shown in square
- brackets (such as "[CONTROL CHARACTERS]") and do not come from the
- standards.
-
-1.2 Using stringprep in protocols
-
- The stringprep protocol does not stand on its own; it has to be used
- by other protocols at precisely-defined places in those other
- protocols. For example, a protocol that has strings that come from
- the entire ISO/IEC 10646 [ISO10646] character repertoire might
- specify that only strings that have been processed with a particular
- profile of stringprep are legal. Another example would be a protocol
- that does string comparison as a step in the protocol; that protocol
- might specify that such comparison is done only after processing the
- strings with a specific profile of stringprep.
-
- When two protocols that use different profiles of stringprep
- interoperate, there may be conflict about what characters are and are
- not allowed in the final string. Thus, protocol developers should
- strongly consider re-using existing profiles of stringprep.
-
- When developers wish to allow users as wide of a range of characters
- as possible in input text strings, they should, where possible, cause
- stringprep to convert characters from the input string to a canonical
- form instead of prohibiting them.
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 4]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- Although it would be easy to use the stringprep process to "correct"
- perceived mis-features or bugs in the current character standards,
- stringprep profiles SHOULD NOT do so.
-
- A profile of stringprep can create tables different from those in the
- appendixes of this document, but it will be an exception when they
- do. The intention of stringprep is to define the tables and have the
- profiles of stringprep select among those defined tables.
-
- A profile of stringprep MUST include all of the following:
-
- - The intended applicability of the profile
-
- - The character repertoire that is the input and output to stringprep
- (which is Unicode 3.2 for this version of stringprep)
-
- - The mapping tables from this document used (as described in section
- 3)
-
- - Any additional mapping tables specific to the profile
-
- - The Unicode normalization used, if any (as described in section 4)
-
- - The tables from this document of characters that are prohibited as
- output (as described in section 5)
-
- - The bidirectional string testing used, if any (as described in
- section 6)
-
- - Any additional characters that are prohibited as output specific to
- the profile
-
- Each profile MUST state the character repertoire on which the profile
- will operate. Appendix A lists the Unicode repertoires that can be
- selected. No repertoire is ever complete, and it is expected that
- characters will be added to the Unicode repertoire for the
- foreseeable future. Section 7 of this document describes how to
- handle characters that are assigned in later versions of the Unicode
- repertories. Subsections of appendix A also list unassigned code
- points for each repertoire.
-
- This document is for Unicode version 3.2, and should not be
- considered to automatically apply to later Unicode versions. The
- IETF, through an explicit standards action, may update this document
- as appropriate to handle later Unicode versions.
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 5]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- This document lists the unassigned code points in the range 0 to
- 10FFFF for Unicode 3.2 in appendix A. The list in appendix A MUST be
- used by implementations of this specification. If there are any
- discrepancies between the list in appendix A and the Unicode 3.2
- specification, the list in appendix A always takes precedence.
-
- Each profile of stringprep MUST be registered with IANA. The
- registration procedure is described in the IANA Considerations
- appendix; basically, the IESG must review each profile of stringprep.
- Protocol developers are strongly encouraged to look through the IANA
- profile registry when creating new profiles for stringprep, and to
- re-use logic from earlier profiles where possible in new profiles.
- In some cases, an existing profile can be reused by a different
- protocol.
-
-2. Preparation Overview
-
- The steps for preparing strings are:
-
- 1) Map -- For each character in the input, check if it has a mapping
- and, if so, replace it with its mapping. This is described in
- section 3.
-
- 2) Normalize -- Possibly normalize the result of step 1 using Unicode
- normalization. This is described in section 4.
-
- 3) Prohibit -- Check for any characters that are not allowed in the
- output. If any are found, return an error. This is described in
- section 5.
-
- 4) Check bidi -- Possibly check for right-to-left characters, and if
- any are found, make sure that the whole string satisfies the
- requirements for bidirectional strings. If the string does not
- satisfy the requirements for bidirectional strings, return an
- error. This is described in section 6.
-
- The above steps MUST be performed in the order given to comply with
- this specification.
-
- The mappings described in section 3, and the optional Unicode
- normalization described in section 4, can be one-to-none, one-to-one,
- one-to-many, many-to-one, or many-to-many. That is, some characters
- might be eliminated or replaced by more than one character, and the
- output of this step might be shorter or longer than the input.
- Because of this, the system using stringprep MUST be prepared to
- receive a longer or shorter string than the one input in the
- stringprep algorithm.
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 6]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
-3. Mapping
-
- Each character in the input stream MUST be checked against a mapping
- table. The mapping table SHOULD come from this document, although
- the mapping table MAY be added to or altered by the profile. The
- mapping tables are subsections of appendix B.
-
- The lists in appendix B MUST be used by implementations of this
- specification. If there are any discrepancies between the lists in
- appendix B and subsections below, the lists in appendix B always
- takes precedence.
-
- For any individual character, the mapping table MAY specify that a
- character be mapped to nothing, or mapped to one other character, or
- mapped to a string of other characters.
-
- Mapped characters are not re-scanned during the mapping step. That
- is, if character A at position X is mapped to character B, character
- B which is now at position X is not checked against the mapping
- table.
-
-3.1 Commonly mapped to nothing
-
- The following characters are simply deleted from the input (that is,
- they are mapped to nothing) because their presence or absence in
- protocol identifiers should not make two strings different. They are
- listed in Table B.1.
-
- Some characters are only useful in line-based text, and are otherwise
- invisible and ignored.
-
- 00AD; SOFT HYPHEN
- 1806; MONGOLIAN TODO SOFT HYPHEN
- 200B; ZERO WIDTH SPACE
- 2060; WORD JOINER
- FEFF; ZERO WIDTH NO-BREAK SPACE
-
- Some characters affect glyph choice and glyph placement, but do not
- bear semantics.
-
- 034F; COMBINING GRAPHEME JOINER
- 180B; MONGOLIAN FREE VARIATION SELECTOR ONE
- 180C; MONGOLIAN FREE VARIATION SELECTOR TWO
- 180D; MONGOLIAN FREE VARIATION SELECTOR THREE
- 200C; ZERO WIDTH NON-JOINER
- 200D; ZERO WIDTH JOINER
- FE00; VARIATION SELECTOR-1
- FE01; VARIATION SELECTOR-2
-
-
-
-Hoffman & Blanchet Standards Track [Page 7]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- FE02; VARIATION SELECTOR-3
- FE03; VARIATION SELECTOR-4
- FE04; VARIATION SELECTOR-5
- FE05; VARIATION SELECTOR-6
- FE06; VARIATION SELECTOR-7
- FE07; VARIATION SELECTOR-8
- FE08; VARIATION SELECTOR-9
- FE09; VARIATION SELECTOR-10
- FE0A; VARIATION SELECTOR-11
- FE0B; VARIATION SELECTOR-12
- FE0C; VARIATION SELECTOR-13
- FE0D; VARIATION SELECTOR-14
- FE0E; VARIATION SELECTOR-15
- FE0F; VARIATION SELECTOR-16
-
-3.2 Case folding
-
- If a profile is going to map characters for case-insensitive
- comparison, that profile SHOULD map using either appendix B.2 or
- appendix B.3. appendix B.2 is for profiles that also use Unicode
- normalization form KC, while appendix B.3 is for profiles that do
- not use Unicode normalization. These tables map from uppercase to
- lowercase characters. Note that this could have been "change all
- lowercase characters into uppercase characters". However, the
- upper-to-lower folding was chosen because there is a tradition of
- using lowercase in current Internet applications and protocols.
-
- If a profile creates its own mapping tables for case folding, they
- SHOULD be based on [UTR21], and SHOULD map from uppercase characters
- to lowercase. The "CaseFolding.txt" file from the Unicode database
- SHOULD be used to prepare the mapping table. The profile SHOULD do
- full case mapping (that is, using statuses C, F, and I).
-
- If the profile is using Unicode normalization form KC (as described
- in section 4 of this document), it is important to note that there
- are some characters that do not have mappings in [UTR21] but still
- need processing. These characters include a few Greek characters and
- many symbols that contain Latin characters. The list of characters
- to add to the mapping table can determined by the following
- algorithm:
-
- b = NormalizeWithKC(Fold(a));
- c = NormalizeWithKC(Fold(b));
- if c is not the same as b, add a mapping for "a to c".
-
- Because NormalizeWithKC(Fold(c)) always equals c, the table is stable
- from that point on.
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 8]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- Appendix B.3 is derived from the CaseFolding-3.txt file associated
- with Unicode 3.2; appendix B.2 is based on appendix B.3 with the
- additional characters added from the algorithm above.
-
- Authors of profiles of this document need to consider the effects of
- changing the mapping of any currently-assigned character when
- updating their profiles. Adding a new mapping for a currently-
- assigned character, or changing an existing mapping, could cause a
- variance between the behavior of systems that have been updated and
- systems that have not been updated.
-
-4. Normalization
-
- The output of the mapping step is optionally normalized using one of
- the Unicode normalization forms, as described in [UAX15]. A profile
- can specify one of two options for Unicode normalization:
-
- - no normalization
-
- - Unicode normalization with form KC
-
- A profile MAY choose to do no normalization. However, such a profile
- can easily yield results that will be surprising to typical users,
- depending on the input mechanism they use. For example, some input
- mechanisms enter compatibility characters that look exactly like the
- underlying characters, but have different code points. Another
- example of where Unicode normalization helps create predictable
- results is with characters that have multiple combining diacritics:
- normalization orders those diacritics in a predictable fashion.
-
- On the other hand, Unicode normalization requires fairly large tables
- and somewhat complicated character reordering logic. The size and
- complexity should not be considered daunting except in the most
- restricted of environments, and needs to be weighed against the
- problems of user surprise from comparing unnormalized strings. Note
- that the tables used for normalization are not given in this
- document, but instead must be derived from the Unicode database, as
- described in [UAX15].
-
- There is a third form of normalization, Unicode normalization with
- form C. If a profile is going to use a Unicode normalization, it
- MUST use Unicode normalization form KC. Form KC maps many
- "compatibility characters" to their equivalents. Some user interface
- systems make it possible to enter compatibility characters instead of
- the base equivalents. Thus, using form KC instead of form C will
- cause more strings that users would expect to match to actually
- match.
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 9]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- A profile that specifies Unicode normalization MUST use the
- normalization in [UAX15] that is associated with the version of the
- Unicode character set specified for the profile.
-
- The composition process described in [UAX15] requires a fixed
- composition version of Unicode to ensure that strings normalized
- under one version of Unicode remain normalized under all future
- versions of Unicode.
-
- The IETF is relying on Unicode not to change the normalization of
- currently-assigned characters in future versions of normalization.
- If a future version of the normalization tables changes the
- normalized value of an existing character, authors of profiles of
- this document have to look at the changes very carefully before they
- update their normalization tables. Such a change could cause a
- variance between the behavior of systems that have been updated and
- systems that have not been updated.
-
-5. Prohibited Output
-
- Before the text can be emitted, it MUST be checked for prohibited
- code points. There are a variety of prohibited code points, as
- described in this section. A profile of this document MAY use all or
- some of the tables in appendix C.
-
- The stringprep process never emits both an error and a string. If an
- error is detected during the checking for prohibited code points,
- only an error is returned.
-
- Note that the subsections below describe how the tables in appendix C
- were formed. They are here for people who want to understand more,
- but they should be ignored by implementors. Implementations that use
- tables MUST map based on the tables themselves, not based on the
- descriptions in this section of how the tables were created.
-
- The lists in appendix C MUST be used by implementations of this
- specification. If there are any discrepancies between the lists in
- appendix C and subsections below, the lists in appendix C always take
- precedence.
-
- Some code points listed in one section may also appear in other
- sections.
-
- It is important to note that a profile of this document MAY prohibit
- additional characters.
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 10]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- Each subsection of this section has a matching subsection in appendix
- C. For example, the characters listed in section 5.1 are listed in
- appendix C.1.
-
-5.1 Space characters
-
- Space characters can make accurate visual transcription of strings
- nearly impossible and could lead to user entry errors in many ways.
- Note that the list below is split into two tables in appendix C:
- Table C.1.1 contains the ASCII code points, while Table C.1.2
- contains the non-ASCII code points. Most profiles of this document
- that want to prohibit space characters will want to include both
- tables.
-
- 0020; SPACE
- 00A0; NO-BREAK SPACE
- 1680; OGHAM SPACE MARK
- 2000; EN QUAD
- 2001; EM QUAD
- 2002; EN SPACE
- 2003; EM SPACE
- 2004; THREE-PER-EM SPACE
- 2005; FOUR-PER-EM SPACE
- 2006; SIX-PER-EM SPACE
- 2007; FIGURE SPACE
- 2008; PUNCTUATION SPACE
- 2009; THIN SPACE
- 200A; HAIR SPACE
- 200B; ZERO WIDTH SPACE
- 202F; NARROW NO-BREAK SPACE
- 205F; MEDIUM MATHEMATICAL SPACE
- 3000; IDEOGRAPHIC SPACE
-
-5.2 Control characters
-
- Control characters (or characters with control function) cannot be
- seen and can cause unpredictable results when displayed. Note that
- the list below is split into two tables in appendix C: Table C.2.1
- contains the ASCII code points, while Table C.2.2 contains the non-
- ASCII code points. Most profiles of this document that want to
- prohibit control characters will want to include both tables.
-
- 0000-001F; [CONTROL CHARACTERS]
- 007F; DELETE
- 0080-009F; [CONTROL CHARACTERS]
- 06DD; ARABIC END OF AYAH
- 070F; SYRIAC ABBREVIATION MARK
- 180E; MONGOLIAN VOWEL SEPARATOR
-
-
-
-Hoffman & Blanchet Standards Track [Page 11]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 200C; ZERO WIDTH NON-JOINER
- 200D; ZERO WIDTH JOINER
- 2028; LINE SEPARATOR
- 2029; PARAGRAPH SEPARATOR
- 2060; WORD JOINER
- 2061; FUNCTION APPLICATION
- 2062; INVISIBLE TIMES
- 2063; INVISIBLE SEPARATOR
- 206A-206F; [CONTROL CHARACTERS]
- FEFF; ZERO WIDTH NO-BREAK SPACE
- FFF9-FFFC; [CONTROL CHARACTERS]
- 1D173-1D17A; [MUSICAL CONTROL CHARACTERS]
-
-5.3 Private use
-
- Because private-use characters do not have defined meanings, they are
- likely to be prohibited. The private-use characters are:
-
- E000-F8FF; [PRIVATE USE, PLANE 0]
- F0000-FFFFD; [PRIVATE USE, PLANE 15]
- 100000-10FFFD; [PRIVATE USE, PLANE 16]
-
-5.4 Non-character code points
-
- Non-character code points are code points that have been allocated in
- ISO/IEC 10646 but are not characters. Because they are already
- assigned, they are guaranteed not to later change into characters.
-
- FDD0-FDEF; [NONCHARACTER CODE POINTS]
- FFFE-FFFF; [NONCHARACTER CODE POINTS]
- 1FFFE-1FFFF; [NONCHARACTER CODE POINTS]
- 2FFFE-2FFFF; [NONCHARACTER CODE POINTS]
- 3FFFE-3FFFF; [NONCHARACTER CODE POINTS]
- 4FFFE-4FFFF; [NONCHARACTER CODE POINTS]
- 5FFFE-5FFFF; [NONCHARACTER CODE POINTS]
- 6FFFE-6FFFF; [NONCHARACTER CODE POINTS]
- 7FFFE-7FFFF; [NONCHARACTER CODE POINTS]
- 8FFFE-8FFFF; [NONCHARACTER CODE POINTS]
- 9FFFE-9FFFF; [NONCHARACTER CODE POINTS]
- AFFFE-AFFFF; [NONCHARACTER CODE POINTS]
- BFFFE-BFFFF; [NONCHARACTER CODE POINTS]
- CFFFE-CFFFF; [NONCHARACTER CODE POINTS]
- DFFFE-DFFFF; [NONCHARACTER CODE POINTS]
- EFFFE-EFFFF; [NONCHARACTER CODE POINTS]
- FFFFE-FFFFF; [NONCHARACTER CODE POINTS]
- 10FFFE-10FFFF; [NONCHARACTER CODE POINTS]
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 12]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- The non-character code points are listed in the PropList.txt file
- from the Unicode database.
-
-5.5 Surrogate codes
-
- The following code points are permanently reserved for use as
- surrogate code values in the UTF-16 encoding, will never be assigned
- to characters in the Unicode repertoire, and are therefore
- prohibited:
-
- D800-DFFF; [SURROGATE CODES]
-
-5.6 Inappropriate for plain text
-
- The following characters do not appear in regular text.
-
- FFF9; INTERLINEAR ANNOTATION ANCHOR
- FFFA; INTERLINEAR ANNOTATION SEPARATOR
- FFFB; INTERLINEAR ANNOTATION TERMINATOR
- FFFC; OBJECT REPLACEMENT CHARACTER
-
- Although the replacement character (U+FFFD) might be used when a
- string is displayed, it doesn't make sense for it to be part of the
- string itself. It is often displayed by renderers to indicate "there
- would be some character here, but it cannot be rendered". For
- example, on a computer with no Asian fonts, a string with three
- ideographs might be rendered with three replacement characters.
-
- FFFD; REPLACEMENT CHARACTER
-
-5.7 Inappropriate for canonical representation
-
- The ideographic description characters allow different sequences of
- characters to be rendered the same way, which makes them
- inappropriate for strings that have to have a single canonical
- representation.
-
- 2FF0-2FFB; [IDEOGRAPHIC DESCRIPTION CHARACTERS]
-
-5.8 Change display properties or are deprecated
-
- The following characters can cause changes in display or the order in
- which characters appear when rendered, or are deprecated in Unicode.
-
- 0340; COMBINING GRAVE TONE MARK
- 0341; COMBINING ACUTE TONE MARK
- 200E; LEFT-TO-RIGHT MARK
- 200F; RIGHT-TO-LEFT MARK
-
-
-
-Hoffman & Blanchet Standards Track [Page 13]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 202A; LEFT-TO-RIGHT EMBEDDING
- 202B; RIGHT-TO-LEFT EMBEDDING
- 202C; POP DIRECTIONAL FORMATTING
- 202D; LEFT-TO-RIGHT OVERRIDE
- 202E; RIGHT-TO-LEFT OVERRIDE
- 206A; INHIBIT SYMMETRIC SWAPPING
- 206B; ACTIVATE SYMMETRIC SWAPPING
- 206C; INHIBIT ARABIC FORM SHAPING
- 206D; ACTIVATE ARABIC FORM SHAPING
- 206E; NATIONAL DIGIT SHAPES
- 206F; NOMINAL DIGIT SHAPES
-
-5.9 Tagging characters
-
- The following characters are used for tagging text and are invisible.
-
- E0001; LANGUAGE TAG
- E0020-E007F; [TAGGING CHARACTERS]
-
-6. Bidirectional Characters
-
- Most characters are displayed from left to right, but some are
- displayed from right to left. This feature of Unicode is called
- "bidirectional text", or "bidi" for short. The Unicode standard has
- an extensive discussion of how to reorder glyphs for display when
- dealing with bidirectional text such as Arabic or Hebrew. See [UAX9]
- for more information. In particular, all Unicode text is stored in
- logical order.
-
- A profile MAY choose to ignore bidirectional text. However, ignoring
- bidirectional text can cause display ambiguities. For example, it is
- quite easy to create two different strings with the same characters
- (but in different order) that are correctly displayed identically.
- Therefore, in order to avoid most problems with ambiguous
- bidirectional text display, profile creators should strongly consider
- including the bidirectional character handling described in this
- section in their profile.
-
- The stringprep process never emits both an error and a string. If an
- error is detected during the checking of bidirectional strings, only
- an error is returned.
-
- [Unicode3.2] defines several bidirectional categories; each character
- has one bidirectional category assigned to it. For the purposes of
- the requirements below, an "RandALCat character" is a character that
- has Unicode bidirectional categories "R" or "AL"; an "LCat character"
- is a character that has Unicode bidirectional category "L". Note
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 14]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- that there are many characters which fall in neither of the above
- definitions; Latin digits (<U+0030> through <U+0039>) are examples of
- this because they have bidirectional category "EN".
-
- In any profile that specifies bidirectional character handling, all
- three of the following requirements MUST be met:
-
- 1) The characters in section 5.8 MUST be prohibited.
-
- 2) If a string contains any RandALCat character, the string MUST NOT
- contain any LCat character.
-
- 3) If a string contains any RandALCat character, a RandALCat
- character MUST be the first character of the string, and a
- RandALCat character MUST be the last character of the string.
-
- Note that requirement 3 prohibits strings such as <U+0627><U+0031>
- ("aleph 1") but allows strings such as <U+0627><U+0031><U+0628>
- ("aleph 1 beh"). [UAX9] goes into great detail about the display
- order of strings that contain particular categories of characters in
- particular sequences.
-
- Table D.1 lists the characters that belong to Unicode bidirectional
- categories "R" and "AL". Table D.2 lists all the characters that
- belong to Unicode bidirectonal category "L". These tables are
- derived from [Unicode3.2].
-
-7. Unassigned Code Points in Stringprep Profiles
-
- This section describes two different types of strings in typical
- protocols where internationalized strings are used: "stored strings"
- and "queries". Of course, different Internet protocols use strings
- very differently, so these terms cannot be used exactly in every
- protocol that needs to use stringprep. In general, "stored strings"
- are strings that are used in protocol identifiers and named entities,
- such as names in digital certificates and DNS domain name parts.
- "Queries" are strings that are used to match against strings that are
- stored identifiers, such as user-entered names for digital
- certificate authorities and DNS lookups.
-
- All code points not assigned in the character repertoire named in a
- stringprep profile are called "unassigned code points". Stored
- strings using the profile MUST NOT contain any unassigned code
- points. Queries for matching strings MAY contain unassigned code
- points. Note that this is the only part of this document where the
- requirements for queries differs from the requirements for stored
- strings.
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 15]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- Using two different policies for where unassigned code points can
- appear removes the need for versioning in protocols that use
- stringprep profiles. This is very useful since it makes the overall
- processing simpler and does not impose a "protocol" to handle
- versioning. It is expected that the ISO/IEC 10646 and Unicode
- repertoires will be updated fairly frequently; at the time that this
- document is being written, it has happened approximately once a year.
- Each time a new version of a repertoire appears, a new version of a
- profile MAY be created. Some end users will want to use the new code
- points as soon as they are defined.
-
- The list of unassigned code points MUST be given in a profile, and
- that list MUST be used by implementations of the profile.
-
- The goal of the requirements in this section is to prevent
- comparisons between two strings that were both permitted to contain
- unassigned code points. When two strings X and Y are compared and
- string Y was prepared in a way that permits unassigned code points, a
- negative result to the comparison is not definitive; it's possible
- that the strings don't match even though they would match if a more
- recent version of the profile were used for Y. However, if both X
- and Y were prepared in a way that permits unassigned code points,
- something worse can happen: even a positive result for the comparison
- is not definitive. It is possible that the strings do match even
- though they would not match if a more recent version of the profile
- were used (one that prohibits a code point appearing in both X and
- Y).
-
- Due to the way that versioning is handled in this section, stored
- strings that are embedded in structures that cannot be changed (such
- as the signed parts of digital certificates) MUST NOT contain any
- unassigned code points.
-
-7.1 Categories of code points
-
- Each code point in a repertoire named by a profile of stringprep can
- be categorized by how it acts in the process described in earlier
- sections of this document:
-
- AO Code points that can be in the output
-
- MN Code points that cannot be in the output because they
- never appear as output from mapping or normalization
-
- D Code points that cannot be in the output because they are
- disallowed in the prohibition step
-
- U Unassigned code points
-
-
-
-Hoffman & Blanchet Standards Track [Page 16]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- A subsequent version of a profile that references a newer version of
- a repertoire with new code points will inherently have some code
- points move from category U to either D, MN, or AO. For backwards
- compatibility, a subsequent version of a profile MUST NOT move code
- points from any other category. That is, current AO, MN, or D code
- points MUST NOT ever change to a different category.
-
- Stored strings MUST NOT contain any code points outside of AO for the
- latest version of a profile. That is, they are forbidden to contain
- code points from the MN, D, or U categories.
-
- Applications creating queries MUST treat U code points as if they
- were AO when preparing the query to be entered in the process
- described by a profile of stringprep. Those applications MAY
- optionally have a preprocessor that provide stricter checks: treating
- unassigned code points in the input as errors, or warning the user
- about the fact that the code point is unassigned in the version of a
- profile that the software is based on; such a choice is a local
- matter for the software.
-
-7.2 Reasons for the difference between stored strings and queries
-
- Different software using different versions of a stringprep profile
- need to interoperate with maximal compatibility. The scheme
- described in this section (stored strings MUST NOT contain unassigned
- code points, queries MAY include unassigned code points) allows that
- compatibility without introducing any known security or
- interoperability issues.
-
- The list below shows what happens if a query contains a code point
- from category U that is allowed in a newer version of a profile. The
- query either matches the string that was intended, or matches no
- string at all. In this list, the query comes from an application
- using version "oldVersion" of a profile, the stored string was
- created using version "newVersion" of the same profile, and the code
- point X was in category U in oldVersion, and has changed category to
- AO, MN, or D. There are 3 possible scenarios:
-
- 1. X is assigned to AO -- In newVersion, X is in category AO.
- Because the application passed X through, it gets back a positive
- match with the stored string. There is one exceptional case,
- where X is a combining mark.
-
- The order of combining marks is normalized, so if another
- combining mark Y has a lower combining class than X then XY will
- be put in the canonical order YX. (Unassigned code points are
- never reordered, so this doesn't happen in oldVersion). If the
- query contains YX, the query will get positive match with the
-
-
-
-Hoffman & Blanchet Standards Track [Page 17]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- stored string. However, no string can be stored with XY, so a
- query with XY will get a negative answer to the test for matching.
-
- 2. X is assigned to MN -- In newVersion, X is normalized to code
- point "nX" and therefore X is now put in category MN. This cannot
- exist in any stored string, so any query containing X will get a
- negative answer to the test for matching. Note, however, if the
- query had contained the letter nX, it would have positively
- matched.
-
- 3. X is assigned to D -- In newVersion, X is in category D. This
- cannot exist in any stored string, so any query containing X will
- get a negative answer to the test for matching.
-
- In none of the cases does the query get data for a stored string
- other than the one it actually tried to match against.
-
- Profiles are stable between versions in the following sense: If a
- string S has been prepared using newVersion, then it will not change
- if it is subsequently prepared using oldVersion.
-
-7.3 Versions of applications and stored strings
-
- Another way to see that this versioning system works is to compare
- what happens when an application uses a newer or older version of a
- profile.
-
- Newer query application -- Suppose that a querying application is
- using version newVersion and the stored string was created using
- version oldVersion. This case is simple: there will be no characters
- in the stored string that cannot be queried by the application
- because the new profile uses a superset of the code points used for
- making the stored string.
-
- Newer stored string -- Suppose that a querying application is using
- oldVersion and the stored string was created using a profile that
- uses newVersion. Because the querying application let unassigned
- code points pass through, the user can query on stored strings that
- use code points in newVersion. No stored strings can have code
- points that are unassigned in newVersion, since that is illegal. In
- order to get a match, the querying application has to enter the
- unassigned code points in the proper order, and has to use unassigned
- code points that would make it through both the mapping and the
- normalization steps.
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 18]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
-8. References
-
-8.1 Normative references
-
- [UAX15] Mark Davis and Martin Duerst. Unicode Standard Annex
- #15: Unicode Normalization Forms, Version 3.2.0.
- <http://www.unicode.org/unicode/reports/tr15/tr15-
- 22.html>.
-
- [Unicode3.2] The Unicode Consortium. The Unicode Standard, Version
- 3.2.0 is defined by The Unicode Standard, Version 3.0
- (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
- as amended by the Unicode Standard Annex #27: Unicode
- 3.1 (http://www.unicode.org/reports/tr27/) and by the
- Unicode Standard Annex #28: Unicode 3.2
- (http://www.unicode.org/reports/tr28/).
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-8.2 Informative references
-
- [CharModel] Unicode Technical Report;17, Character Encoding Model.
- <http://www.unicode.org/unicode/reports/tr17/>.
-
- [Glossary] Unicode Glossary, <http://www.unicode.org/glossary/>.
-
- [ISO10646] ISO/IEC, "Information Technology - Universal Multiple-
- Octet Coded Character Set (UCS) - Part 1: Architecture
- and Basic Multilingual Plane", ISO/IEC 10646-1:2000,
- October 2000.
-
- [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for IANA
- Considerations", BCP 26, RFC 2434, October 1998.
-
- [UAX9] The Unicode Consortium. Unicode Standard Annex #9, The
- Bidirectional Algorithm,
- <http://www.unicode.org/unicode/reports/tr9/>.
-
- [UTR21] Mark Davis. Case Mappings. Unicode Technical Report 21.
- <http://www.unicode.org/unicode/reports/tr21/>.
-
-9. Security Considerations
-
- Stringprep is used with Unicode characters. There are security
- considerations that are specific to stringprep, and others that are
- generic to using Unicode.
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 19]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
-9.1 Stringprep-specific security considerations
-
- The Unicode and ISO/IEC 10646 repertoires have many characters that
- look similar. In many cases, users of security protocols might do
- visual matching, such as when comparing the names of trusted third
- parties. Because it is impossible to map similar-looking characters
- without a great deal of context such as knowing the fonts used,
- stringprep does nothing to map similar-looking characters together
- nor to prohibit some characters because they look like others. User
- applications can help disambiguate some similar-looking characters by
- showing the user when a string changes between scripts.
-
- Most profiles of stringprep can cause changes in strings that are
- input to stringprep. Because of this, protocols that have sets of
- non-allowed characters or sequences MUST check for the non-allowed
- characters or sequences after the stringprep processing.
-
- This document does not mandate the checking of bidirectional
- characters in section 6. If the requirements in section 6 are not
- used in a profile of stringprep, it is easy to create many strings
- whose characters are in different order but are displayed
- identically. This can cause security-related user confusion similar
- to look-alike characters, as described above.
-
- Stringprep does not do anything to assure that any algorithms
- translating characters from non-Unicode into Unicode produce the same
- output in all implementations.
-
- Some Unicode codepoints are invisible. Protocols that allow these
- characters (that is, do not map them out or prohibit them in
- stringprep) can cause users confusion when two identical-looking
- strings do not match.
-
-9.2 Generic Unicode security considerations
-
- Using Unicode characters explicitly forces applications to use
- multi-octet characters. Converting an application from one that uses
- single-octet characters to one that uses multi-octet characters must
- be done very carefully, particularly in an application that checks
- for values of characters or sorts characters.
-
- Protocols that use stringprep usually also use encodings of Unicode,
- such as UTF-8 or UTF-16. Some applications using those encodings
- have been known to not check for illegal or ill-formed sequences in
- the encodings, and thereby have not detected sequences of octets that
- would have been detected if they used just ASCII. For example, in
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 20]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- UTF-8 the octet sequence "0xC0 0xAB" is an illegal formation of
- U+002B (plus sign). All programs should reject any string that is an
- illegal or ill-formed octet sequence for the encoding being used.
-
- Both Unicode normalization and conversion between Unicode encodings
- can cause strings to grow or shrink. Programs that used fixed-size
- buffers, or that make assumptions that buffers will always be greater
- than or less than particular sizes, are likely to fail in insecure
- fashions when using Unicode normalization or encoding conversions.
-
- Covering an extensive list of security threats and considerations on
- the use of current and future versions of Unicode is outside of the
- scope of this document.
-
-10. IANA Considerations
-
- Stringprep profiles MUST have IETF consensus as described in
- [RFC2434]. Each profile MUST be reviewed by the IESG before it is
- registered. The IESG MAY change a profile before registration.
-
- IANA has set up a registry of stringprep profiles. This registry is
- a single text file that lists the known profiles. Each entry in the
- registry has three fields:
-
- - Profile name
-
- - RFC in which the profile is defined
-
- - Indicator whether or not this is the newest version of the profile
-
- Each version of a profile will remain listed in the registry forever.
- That is, if a new version of a profile supersedes an earlier version,
- both versions will continue to be listed in the registry, but the
- current version indicator will be turned off for the earlier version
- and turned on for the newer version.
-
- It is probably harmful if a large number of profiles of stringprep
- proliferate. Therefore, the IESG may reject proposals for new
- profiles and instead suggest that protocols reuse existing profiles.
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 21]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
-11. Acknowledgements
-
- Many people from the IETF IDN Working Group and the Unicode Technical
- Committee contributed ideas that went into the first document of this
- document. Mark Davis and Patrik Faltstrom were particularly helpful
- in some of the ideas, such as the versioning description.
-
- The IDN nameprep design team made many useful changes to the first
- document. That team and its advisors include:
-
- Asmus Freytag
- Cathy Wissink
- Francois Yergeau
- James Seng
- Marc Blanchet
- Mark Davis
- Martin Duerst
- Patrik Faltstrom
- Paul Hoffman
-
- Additional significant improvements were proposed by:
-
- Jonathan Rosenne
- Kent Karlsson
- Scott Hollenbeck
- Dave Crocker
- Erik Nordmark
- Matitiahu Allouche
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 22]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
-A. Unicode repertoires
-
- The following is the only repertoire covered in this document:
-
- Unicode 3.2, as defined in [Unicode3.2].
-
-A.1 Unassigned code points in Unicode 3.2
-
- ----- Start Table A.1 -----
- 0221
- 0234-024F
- 02AE-02AF
- 02EF-02FF
- 0350-035F
- 0370-0373
- 0376-0379
- 037B-037D
- 037F-0383
- 038B
- 038D
- 03A2
- 03CF
- 03F7-03FF
- 0487
- 04CF
- 04F6-04F7
- 04FA-04FF
- 0510-0530
- 0557-0558
- 0560
- 0588
- 058B-0590
- 05A2
- 05BA
- 05C5-05CF
- 05EB-05EF
- 05F5-060B
- 060D-061A
- 061C-061E
- 0620
- 063B-063F
- 0656-065F
- 06EE-06EF
- 06FF
- 070E
- 072D-072F
- 074B-077F
- 07B2-0900
-
-
-
-Hoffman & Blanchet Standards Track [Page 23]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0904
- 093A-093B
- 094E-094F
- 0955-0957
- 0971-0980
- 0984
- 098D-098E
- 0991-0992
- 09A9
- 09B1
- 09B3-09B5
- 09BA-09BB
- 09BD
- 09C5-09C6
- 09C9-09CA
- 09CE-09D6
- 09D8-09DB
- 09DE
- 09E4-09E5
- 09FB-0A01
- 0A03-0A04
- 0A0B-0A0E
- 0A11-0A12
- 0A29
- 0A31
- 0A34
- 0A37
- 0A3A-0A3B
- 0A3D
- 0A43-0A46
- 0A49-0A4A
- 0A4E-0A58
- 0A5D
- 0A5F-0A65
- 0A75-0A80
- 0A84
- 0A8C
- 0A8E
- 0A92
- 0AA9
- 0AB1
- 0AB4
- 0ABA-0ABB
- 0AC6
- 0ACA
- 0ACE-0ACF
- 0AD1-0ADF
- 0AE1-0AE5
-
-
-
-Hoffman & Blanchet Standards Track [Page 24]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0AF0-0B00
- 0B04
- 0B0D-0B0E
- 0B11-0B12
- 0B29
- 0B31
- 0B34-0B35
- 0B3A-0B3B
- 0B44-0B46
- 0B49-0B4A
- 0B4E-0B55
- 0B58-0B5B
- 0B5E
- 0B62-0B65
- 0B71-0B81
- 0B84
- 0B8B-0B8D
- 0B91
- 0B96-0B98
- 0B9B
- 0B9D
- 0BA0-0BA2
- 0BA5-0BA7
- 0BAB-0BAD
- 0BB6
- 0BBA-0BBD
- 0BC3-0BC5
- 0BC9
- 0BCE-0BD6
- 0BD8-0BE6
- 0BF3-0C00
- 0C04
- 0C0D
- 0C11
- 0C29
- 0C34
- 0C3A-0C3D
- 0C45
- 0C49
- 0C4E-0C54
- 0C57-0C5F
- 0C62-0C65
- 0C70-0C81
- 0C84
- 0C8D
- 0C91
- 0CA9
- 0CB4
-
-
-
-Hoffman & Blanchet Standards Track [Page 25]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0CBA-0CBD
- 0CC5
- 0CC9
- 0CCE-0CD4
- 0CD7-0CDD
- 0CDF
- 0CE2-0CE5
- 0CF0-0D01
- 0D04
- 0D0D
- 0D11
- 0D29
- 0D3A-0D3D
- 0D44-0D45
- 0D49
- 0D4E-0D56
- 0D58-0D5F
- 0D62-0D65
- 0D70-0D81
- 0D84
- 0D97-0D99
- 0DB2
- 0DBC
- 0DBE-0DBF
- 0DC7-0DC9
- 0DCB-0DCE
- 0DD5
- 0DD7
- 0DE0-0DF1
- 0DF5-0E00
- 0E3B-0E3E
- 0E5C-0E80
- 0E83
- 0E85-0E86
- 0E89
- 0E8B-0E8C
- 0E8E-0E93
- 0E98
- 0EA0
- 0EA4
- 0EA6
- 0EA8-0EA9
- 0EAC
- 0EBA
- 0EBE-0EBF
- 0EC5
- 0EC7
- 0ECE-0ECF
-
-
-
-Hoffman & Blanchet Standards Track [Page 26]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0EDA-0EDB
- 0EDE-0EFF
- 0F48
- 0F6B-0F70
- 0F8C-0F8F
- 0F98
- 0FBD
- 0FCD-0FCE
- 0FD0-0FFF
- 1022
- 1028
- 102B
- 1033-1035
- 103A-103F
- 105A-109F
- 10C6-10CF
- 10F9-10FA
- 10FC-10FF
- 115A-115E
- 11A3-11A7
- 11FA-11FF
- 1207
- 1247
- 1249
- 124E-124F
- 1257
- 1259
- 125E-125F
- 1287
- 1289
- 128E-128F
- 12AF
- 12B1
- 12B6-12B7
- 12BF
- 12C1
- 12C6-12C7
- 12CF
- 12D7
- 12EF
- 130F
- 1311
- 1316-1317
- 131F
- 1347
- 135B-1360
- 137D-139F
- 13F5-1400
-
-
-
-Hoffman & Blanchet Standards Track [Page 27]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1677-167F
- 169D-169F
- 16F1-16FF
- 170D
- 1715-171F
- 1737-173F
- 1754-175F
- 176D
- 1771
- 1774-177F
- 17DD-17DF
- 17EA-17FF
- 180F
- 181A-181F
- 1878-187F
- 18AA-1DFF
- 1E9C-1E9F
- 1EFA-1EFF
- 1F16-1F17
- 1F1E-1F1F
- 1F46-1F47
- 1F4E-1F4F
- 1F58
- 1F5A
- 1F5C
- 1F5E
- 1F7E-1F7F
- 1FB5
- 1FC5
- 1FD4-1FD5
- 1FDC
- 1FF0-1FF1
- 1FF5
- 1FFF
- 2053-2056
- 2058-205E
- 2064-2069
- 2072-2073
- 208F-209F
- 20B2-20CF
- 20EB-20FF
- 213B-213C
- 214C-2152
- 2184-218F
- 23CF-23FF
- 2427-243F
- 244B-245F
- 24FF
-
-
-
-Hoffman & Blanchet Standards Track [Page 28]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 2614-2615
- 2618
- 267E-267F
- 268A-2700
- 2705
- 270A-270B
- 2728
- 274C
- 274E
- 2753-2755
- 2757
- 275F-2760
- 2795-2797
- 27B0
- 27BF-27CF
- 27EC-27EF
- 2B00-2E7F
- 2E9A
- 2EF4-2EFF
- 2FD6-2FEF
- 2FFC-2FFF
- 3040
- 3097-3098
- 3100-3104
- 312D-3130
- 318F
- 31B8-31EF
- 321D-321F
- 3244-3250
- 327C-327E
- 32CC-32CF
- 32FF
- 3377-337A
- 33DE-33DF
- 33FF
- 4DB6-4DFF
- 9FA6-9FFF
- A48D-A48F
- A4C7-ABFF
- D7A4-D7FF
- FA2E-FA2F
- FA6B-FAFF
- FB07-FB12
- FB18-FB1C
- FB37
- FB3D
- FB3F
- FB42
-
-
-
-Hoffman & Blanchet Standards Track [Page 29]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- FB45
- FBB2-FBD2
- FD40-FD4F
- FD90-FD91
- FDC8-FDCF
- FDFD-FDFF
- FE10-FE1F
- FE24-FE2F
- FE47-FE48
- FE53
- FE67
- FE6C-FE6F
- FE75
- FEFD-FEFE
- FF00
- FFBF-FFC1
- FFC8-FFC9
- FFD0-FFD1
- FFD8-FFD9
- FFDD-FFDF
- FFE7
- FFEF-FFF8
- 10000-102FF
- 1031F
- 10324-1032F
- 1034B-103FF
- 10426-10427
- 1044E-1CFFF
- 1D0F6-1D0FF
- 1D127-1D129
- 1D1DE-1D3FF
- 1D455
- 1D49D
- 1D4A0-1D4A1
- 1D4A3-1D4A4
- 1D4A7-1D4A8
- 1D4AD
- 1D4BA
- 1D4BC
- 1D4C1
- 1D4C4
- 1D506
- 1D50B-1D50C
- 1D515
- 1D51D
- 1D53A
- 1D53F
- 1D545
-
-
-
-Hoffman & Blanchet Standards Track [Page 30]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D547-1D549
- 1D551
- 1D6A4-1D6A7
- 1D7CA-1D7CD
- 1D800-1FFFD
- 2A6D7-2F7FF
- 2FA1E-2FFFD
- 30000-3FFFD
- 40000-4FFFD
- 50000-5FFFD
- 60000-6FFFD
- 70000-7FFFD
- 80000-8FFFD
- 90000-9FFFD
- A0000-AFFFD
- B0000-BFFFD
- C0000-CFFFD
- D0000-DFFFD
- E0000
- E0002-E001F
- E0080-EFFFD
- ----- End Table A.1 -----
-
-B. Mapping Tables
-
- The following is the mapping table from section 3. The table has
- three columns:
-
- - the code point that is mapped from
- - the zero or more code points that it is mapped to
- - the reason for the mapping
-
- The columns are separated by semicolons. Note that the second column
- may be empty, or it may have one code point, or it may have more than
- one code point, with each code point separated by a space.
-
-B.1 Commonly mapped to nothing
-
- ----- Start Table B.1 -----
- 00AD; ; Map to nothing
- 034F; ; Map to nothing
- 1806; ; Map to nothing
- 180B; ; Map to nothing
- 180C; ; Map to nothing
- 180D; ; Map to nothing
- 200B; ; Map to nothing
- 200C; ; Map to nothing
- 200D; ; Map to nothing
-
-
-
-Hoffman & Blanchet Standards Track [Page 31]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 2060; ; Map to nothing
- FE00; ; Map to nothing
- FE01; ; Map to nothing
- FE02; ; Map to nothing
- FE03; ; Map to nothing
- FE04; ; Map to nothing
- FE05; ; Map to nothing
- FE06; ; Map to nothing
- FE07; ; Map to nothing
- FE08; ; Map to nothing
- FE09; ; Map to nothing
- FE0A; ; Map to nothing
- FE0B; ; Map to nothing
- FE0C; ; Map to nothing
- FE0D; ; Map to nothing
- FE0E; ; Map to nothing
- FE0F; ; Map to nothing
- FEFF; ; Map to nothing
- ----- End Table B.1 -----
-
-B.2 Mapping for case-folding used with NFKC
-
- ----- Start Table B.2 -----
- 0041; 0061; Case map
- 0042; 0062; Case map
- 0043; 0063; Case map
- 0044; 0064; Case map
- 0045; 0065; Case map
- 0046; 0066; Case map
- 0047; 0067; Case map
- 0048; 0068; Case map
- 0049; 0069; Case map
- 004A; 006A; Case map
- 004B; 006B; Case map
- 004C; 006C; Case map
- 004D; 006D; Case map
- 004E; 006E; Case map
- 004F; 006F; Case map
- 0050; 0070; Case map
- 0051; 0071; Case map
- 0052; 0072; Case map
- 0053; 0073; Case map
- 0054; 0074; Case map
- 0055; 0075; Case map
- 0056; 0076; Case map
- 0057; 0077; Case map
- 0058; 0078; Case map
- 0059; 0079; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 32]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 005A; 007A; Case map
- 00B5; 03BC; Case map
- 00C0; 00E0; Case map
- 00C1; 00E1; Case map
- 00C2; 00E2; Case map
- 00C3; 00E3; Case map
- 00C4; 00E4; Case map
- 00C5; 00E5; Case map
- 00C6; 00E6; Case map
- 00C7; 00E7; Case map
- 00C8; 00E8; Case map
- 00C9; 00E9; Case map
- 00CA; 00EA; Case map
- 00CB; 00EB; Case map
- 00CC; 00EC; Case map
- 00CD; 00ED; Case map
- 00CE; 00EE; Case map
- 00CF; 00EF; Case map
- 00D0; 00F0; Case map
- 00D1; 00F1; Case map
- 00D2; 00F2; Case map
- 00D3; 00F3; Case map
- 00D4; 00F4; Case map
- 00D5; 00F5; Case map
- 00D6; 00F6; Case map
- 00D8; 00F8; Case map
- 00D9; 00F9; Case map
- 00DA; 00FA; Case map
- 00DB; 00FB; Case map
- 00DC; 00FC; Case map
- 00DD; 00FD; Case map
- 00DE; 00FE; Case map
- 00DF; 0073 0073; Case map
- 0100; 0101; Case map
- 0102; 0103; Case map
- 0104; 0105; Case map
- 0106; 0107; Case map
- 0108; 0109; Case map
- 010A; 010B; Case map
- 010C; 010D; Case map
- 010E; 010F; Case map
- 0110; 0111; Case map
- 0112; 0113; Case map
- 0114; 0115; Case map
- 0116; 0117; Case map
- 0118; 0119; Case map
- 011A; 011B; Case map
- 011C; 011D; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 33]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 011E; 011F; Case map
- 0120; 0121; Case map
- 0122; 0123; Case map
- 0124; 0125; Case map
- 0126; 0127; Case map
- 0128; 0129; Case map
- 012A; 012B; Case map
- 012C; 012D; Case map
- 012E; 012F; Case map
- 0130; 0069 0307; Case map
- 0132; 0133; Case map
- 0134; 0135; Case map
- 0136; 0137; Case map
- 0139; 013A; Case map
- 013B; 013C; Case map
- 013D; 013E; Case map
- 013F; 0140; Case map
- 0141; 0142; Case map
- 0143; 0144; Case map
- 0145; 0146; Case map
- 0147; 0148; Case map
- 0149; 02BC 006E; Case map
- 014A; 014B; Case map
- 014C; 014D; Case map
- 014E; 014F; Case map
- 0150; 0151; Case map
- 0152; 0153; Case map
- 0154; 0155; Case map
- 0156; 0157; Case map
- 0158; 0159; Case map
- 015A; 015B; Case map
- 015C; 015D; Case map
- 015E; 015F; Case map
- 0160; 0161; Case map
- 0162; 0163; Case map
- 0164; 0165; Case map
- 0166; 0167; Case map
- 0168; 0169; Case map
- 016A; 016B; Case map
- 016C; 016D; Case map
- 016E; 016F; Case map
- 0170; 0171; Case map
- 0172; 0173; Case map
- 0174; 0175; Case map
- 0176; 0177; Case map
- 0178; 00FF; Case map
- 0179; 017A; Case map
- 017B; 017C; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 34]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 017D; 017E; Case map
- 017F; 0073; Case map
- 0181; 0253; Case map
- 0182; 0183; Case map
- 0184; 0185; Case map
- 0186; 0254; Case map
- 0187; 0188; Case map
- 0189; 0256; Case map
- 018A; 0257; Case map
- 018B; 018C; Case map
- 018E; 01DD; Case map
- 018F; 0259; Case map
- 0190; 025B; Case map
- 0191; 0192; Case map
- 0193; 0260; Case map
- 0194; 0263; Case map
- 0196; 0269; Case map
- 0197; 0268; Case map
- 0198; 0199; Case map
- 019C; 026F; Case map
- 019D; 0272; Case map
- 019F; 0275; Case map
- 01A0; 01A1; Case map
- 01A2; 01A3; Case map
- 01A4; 01A5; Case map
- 01A6; 0280; Case map
- 01A7; 01A8; Case map
- 01A9; 0283; Case map
- 01AC; 01AD; Case map
- 01AE; 0288; Case map
- 01AF; 01B0; Case map
- 01B1; 028A; Case map
- 01B2; 028B; Case map
- 01B3; 01B4; Case map
- 01B5; 01B6; Case map
- 01B7; 0292; Case map
- 01B8; 01B9; Case map
- 01BC; 01BD; Case map
- 01C4; 01C6; Case map
- 01C5; 01C6; Case map
- 01C7; 01C9; Case map
- 01C8; 01C9; Case map
- 01CA; 01CC; Case map
- 01CB; 01CC; Case map
- 01CD; 01CE; Case map
- 01CF; 01D0; Case map
- 01D1; 01D2; Case map
- 01D3; 01D4; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 35]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 01D5; 01D6; Case map
- 01D7; 01D8; Case map
- 01D9; 01DA; Case map
- 01DB; 01DC; Case map
- 01DE; 01DF; Case map
- 01E0; 01E1; Case map
- 01E2; 01E3; Case map
- 01E4; 01E5; Case map
- 01E6; 01E7; Case map
- 01E8; 01E9; Case map
- 01EA; 01EB; Case map
- 01EC; 01ED; Case map
- 01EE; 01EF; Case map
- 01F0; 006A 030C; Case map
- 01F1; 01F3; Case map
- 01F2; 01F3; Case map
- 01F4; 01F5; Case map
- 01F6; 0195; Case map
- 01F7; 01BF; Case map
- 01F8; 01F9; Case map
- 01FA; 01FB; Case map
- 01FC; 01FD; Case map
- 01FE; 01FF; Case map
- 0200; 0201; Case map
- 0202; 0203; Case map
- 0204; 0205; Case map
- 0206; 0207; Case map
- 0208; 0209; Case map
- 020A; 020B; Case map
- 020C; 020D; Case map
- 020E; 020F; Case map
- 0210; 0211; Case map
- 0212; 0213; Case map
- 0214; 0215; Case map
- 0216; 0217; Case map
- 0218; 0219; Case map
- 021A; 021B; Case map
- 021C; 021D; Case map
- 021E; 021F; Case map
- 0220; 019E; Case map
- 0222; 0223; Case map
- 0224; 0225; Case map
- 0226; 0227; Case map
- 0228; 0229; Case map
- 022A; 022B; Case map
- 022C; 022D; Case map
- 022E; 022F; Case map
- 0230; 0231; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 36]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0232; 0233; Case map
- 0345; 03B9; Case map
- 037A; 0020 03B9; Additional folding
- 0386; 03AC; Case map
- 0388; 03AD; Case map
- 0389; 03AE; Case map
- 038A; 03AF; Case map
- 038C; 03CC; Case map
- 038E; 03CD; Case map
- 038F; 03CE; Case map
- 0390; 03B9 0308 0301; Case map
- 0391; 03B1; Case map
- 0392; 03B2; Case map
- 0393; 03B3; Case map
- 0394; 03B4; Case map
- 0395; 03B5; Case map
- 0396; 03B6; Case map
- 0397; 03B7; Case map
- 0398; 03B8; Case map
- 0399; 03B9; Case map
- 039A; 03BA; Case map
- 039B; 03BB; Case map
- 039C; 03BC; Case map
- 039D; 03BD; Case map
- 039E; 03BE; Case map
- 039F; 03BF; Case map
- 03A0; 03C0; Case map
- 03A1; 03C1; Case map
- 03A3; 03C3; Case map
- 03A4; 03C4; Case map
- 03A5; 03C5; Case map
- 03A6; 03C6; Case map
- 03A7; 03C7; Case map
- 03A8; 03C8; Case map
- 03A9; 03C9; Case map
- 03AA; 03CA; Case map
- 03AB; 03CB; Case map
- 03B0; 03C5 0308 0301; Case map
- 03C2; 03C3; Case map
- 03D0; 03B2; Case map
- 03D1; 03B8; Case map
- 03D2; 03C5; Additional folding
- 03D3; 03CD; Additional folding
- 03D4; 03CB; Additional folding
- 03D5; 03C6; Case map
- 03D6; 03C0; Case map
- 03D8; 03D9; Case map
- 03DA; 03DB; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 37]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 03DC; 03DD; Case map
- 03DE; 03DF; Case map
- 03E0; 03E1; Case map
- 03E2; 03E3; Case map
- 03E4; 03E5; Case map
- 03E6; 03E7; Case map
- 03E8; 03E9; Case map
- 03EA; 03EB; Case map
- 03EC; 03ED; Case map
- 03EE; 03EF; Case map
- 03F0; 03BA; Case map
- 03F1; 03C1; Case map
- 03F2; 03C3; Case map
- 03F4; 03B8; Case map
- 03F5; 03B5; Case map
- 0400; 0450; Case map
- 0401; 0451; Case map
- 0402; 0452; Case map
- 0403; 0453; Case map
- 0404; 0454; Case map
- 0405; 0455; Case map
- 0406; 0456; Case map
- 0407; 0457; Case map
- 0408; 0458; Case map
- 0409; 0459; Case map
- 040A; 045A; Case map
- 040B; 045B; Case map
- 040C; 045C; Case map
- 040D; 045D; Case map
- 040E; 045E; Case map
- 040F; 045F; Case map
- 0410; 0430; Case map
- 0411; 0431; Case map
- 0412; 0432; Case map
- 0413; 0433; Case map
- 0414; 0434; Case map
- 0415; 0435; Case map
- 0416; 0436; Case map
- 0417; 0437; Case map
- 0418; 0438; Case map
- 0419; 0439; Case map
- 041A; 043A; Case map
- 041B; 043B; Case map
- 041C; 043C; Case map
- 041D; 043D; Case map
- 041E; 043E; Case map
- 041F; 043F; Case map
- 0420; 0440; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 38]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0421; 0441; Case map
- 0422; 0442; Case map
- 0423; 0443; Case map
- 0424; 0444; Case map
- 0425; 0445; Case map
- 0426; 0446; Case map
- 0427; 0447; Case map
- 0428; 0448; Case map
- 0429; 0449; Case map
- 042A; 044A; Case map
- 042B; 044B; Case map
- 042C; 044C; Case map
- 042D; 044D; Case map
- 042E; 044E; Case map
- 042F; 044F; Case map
- 0460; 0461; Case map
- 0462; 0463; Case map
- 0464; 0465; Case map
- 0466; 0467; Case map
- 0468; 0469; Case map
- 046A; 046B; Case map
- 046C; 046D; Case map
- 046E; 046F; Case map
- 0470; 0471; Case map
- 0472; 0473; Case map
- 0474; 0475; Case map
- 0476; 0477; Case map
- 0478; 0479; Case map
- 047A; 047B; Case map
- 047C; 047D; Case map
- 047E; 047F; Case map
- 0480; 0481; Case map
- 048A; 048B; Case map
- 048C; 048D; Case map
- 048E; 048F; Case map
- 0490; 0491; Case map
- 0492; 0493; Case map
- 0494; 0495; Case map
- 0496; 0497; Case map
- 0498; 0499; Case map
- 049A; 049B; Case map
- 049C; 049D; Case map
- 049E; 049F; Case map
- 04A0; 04A1; Case map
- 04A2; 04A3; Case map
- 04A4; 04A5; Case map
- 04A6; 04A7; Case map
- 04A8; 04A9; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 39]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 04AA; 04AB; Case map
- 04AC; 04AD; Case map
- 04AE; 04AF; Case map
- 04B0; 04B1; Case map
- 04B2; 04B3; Case map
- 04B4; 04B5; Case map
- 04B6; 04B7; Case map
- 04B8; 04B9; Case map
- 04BA; 04BB; Case map
- 04BC; 04BD; Case map
- 04BE; 04BF; Case map
- 04C1; 04C2; Case map
- 04C3; 04C4; Case map
- 04C5; 04C6; Case map
- 04C7; 04C8; Case map
- 04C9; 04CA; Case map
- 04CB; 04CC; Case map
- 04CD; 04CE; Case map
- 04D0; 04D1; Case map
- 04D2; 04D3; Case map
- 04D4; 04D5; Case map
- 04D6; 04D7; Case map
- 04D8; 04D9; Case map
- 04DA; 04DB; Case map
- 04DC; 04DD; Case map
- 04DE; 04DF; Case map
- 04E0; 04E1; Case map
- 04E2; 04E3; Case map
- 04E4; 04E5; Case map
- 04E6; 04E7; Case map
- 04E8; 04E9; Case map
- 04EA; 04EB; Case map
- 04EC; 04ED; Case map
- 04EE; 04EF; Case map
- 04F0; 04F1; Case map
- 04F2; 04F3; Case map
- 04F4; 04F5; Case map
- 04F8; 04F9; Case map
- 0500; 0501; Case map
- 0502; 0503; Case map
- 0504; 0505; Case map
- 0506; 0507; Case map
- 0508; 0509; Case map
- 050A; 050B; Case map
- 050C; 050D; Case map
- 050E; 050F; Case map
- 0531; 0561; Case map
- 0532; 0562; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 40]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0533; 0563; Case map
- 0534; 0564; Case map
- 0535; 0565; Case map
- 0536; 0566; Case map
- 0537; 0567; Case map
- 0538; 0568; Case map
- 0539; 0569; Case map
- 053A; 056A; Case map
- 053B; 056B; Case map
- 053C; 056C; Case map
- 053D; 056D; Case map
- 053E; 056E; Case map
- 053F; 056F; Case map
- 0540; 0570; Case map
- 0541; 0571; Case map
- 0542; 0572; Case map
- 0543; 0573; Case map
- 0544; 0574; Case map
- 0545; 0575; Case map
- 0546; 0576; Case map
- 0547; 0577; Case map
- 0548; 0578; Case map
- 0549; 0579; Case map
- 054A; 057A; Case map
- 054B; 057B; Case map
- 054C; 057C; Case map
- 054D; 057D; Case map
- 054E; 057E; Case map
- 054F; 057F; Case map
- 0550; 0580; Case map
- 0551; 0581; Case map
- 0552; 0582; Case map
- 0553; 0583; Case map
- 0554; 0584; Case map
- 0555; 0585; Case map
- 0556; 0586; Case map
- 0587; 0565 0582; Case map
- 1E00; 1E01; Case map
- 1E02; 1E03; Case map
- 1E04; 1E05; Case map
- 1E06; 1E07; Case map
- 1E08; 1E09; Case map
- 1E0A; 1E0B; Case map
- 1E0C; 1E0D; Case map
- 1E0E; 1E0F; Case map
- 1E10; 1E11; Case map
- 1E12; 1E13; Case map
- 1E14; 1E15; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 41]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1E16; 1E17; Case map
- 1E18; 1E19; Case map
- 1E1A; 1E1B; Case map
- 1E1C; 1E1D; Case map
- 1E1E; 1E1F; Case map
- 1E20; 1E21; Case map
- 1E22; 1E23; Case map
- 1E24; 1E25; Case map
- 1E26; 1E27; Case map
- 1E28; 1E29; Case map
- 1E2A; 1E2B; Case map
- 1E2C; 1E2D; Case map
- 1E2E; 1E2F; Case map
- 1E30; 1E31; Case map
- 1E32; 1E33; Case map
- 1E34; 1E35; Case map
- 1E36; 1E37; Case map
- 1E38; 1E39; Case map
- 1E3A; 1E3B; Case map
- 1E3C; 1E3D; Case map
- 1E3E; 1E3F; Case map
- 1E40; 1E41; Case map
- 1E42; 1E43; Case map
- 1E44; 1E45; Case map
- 1E46; 1E47; Case map
- 1E48; 1E49; Case map
- 1E4A; 1E4B; Case map
- 1E4C; 1E4D; Case map
- 1E4E; 1E4F; Case map
- 1E50; 1E51; Case map
- 1E52; 1E53; Case map
- 1E54; 1E55; Case map
- 1E56; 1E57; Case map
- 1E58; 1E59; Case map
- 1E5A; 1E5B; Case map
- 1E5C; 1E5D; Case map
- 1E5E; 1E5F; Case map
- 1E60; 1E61; Case map
- 1E62; 1E63; Case map
- 1E64; 1E65; Case map
- 1E66; 1E67; Case map
- 1E68; 1E69; Case map
- 1E6A; 1E6B; Case map
- 1E6C; 1E6D; Case map
- 1E6E; 1E6F; Case map
- 1E70; 1E71; Case map
- 1E72; 1E73; Case map
- 1E74; 1E75; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 42]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1E76; 1E77; Case map
- 1E78; 1E79; Case map
- 1E7A; 1E7B; Case map
- 1E7C; 1E7D; Case map
- 1E7E; 1E7F; Case map
- 1E80; 1E81; Case map
- 1E82; 1E83; Case map
- 1E84; 1E85; Case map
- 1E86; 1E87; Case map
- 1E88; 1E89; Case map
- 1E8A; 1E8B; Case map
- 1E8C; 1E8D; Case map
- 1E8E; 1E8F; Case map
- 1E90; 1E91; Case map
- 1E92; 1E93; Case map
- 1E94; 1E95; Case map
- 1E96; 0068 0331; Case map
- 1E97; 0074 0308; Case map
- 1E98; 0077 030A; Case map
- 1E99; 0079 030A; Case map
- 1E9A; 0061 02BE; Case map
- 1E9B; 1E61; Case map
- 1EA0; 1EA1; Case map
- 1EA2; 1EA3; Case map
- 1EA4; 1EA5; Case map
- 1EA6; 1EA7; Case map
- 1EA8; 1EA9; Case map
- 1EAA; 1EAB; Case map
- 1EAC; 1EAD; Case map
- 1EAE; 1EAF; Case map
- 1EB0; 1EB1; Case map
- 1EB2; 1EB3; Case map
- 1EB4; 1EB5; Case map
- 1EB6; 1EB7; Case map
- 1EB8; 1EB9; Case map
- 1EBA; 1EBB; Case map
- 1EBC; 1EBD; Case map
- 1EBE; 1EBF; Case map
- 1EC0; 1EC1; Case map
- 1EC2; 1EC3; Case map
- 1EC4; 1EC5; Case map
- 1EC6; 1EC7; Case map
- 1EC8; 1EC9; Case map
- 1ECA; 1ECB; Case map
- 1ECC; 1ECD; Case map
- 1ECE; 1ECF; Case map
- 1ED0; 1ED1; Case map
- 1ED2; 1ED3; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 43]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1ED4; 1ED5; Case map
- 1ED6; 1ED7; Case map
- 1ED8; 1ED9; Case map
- 1EDA; 1EDB; Case map
- 1EDC; 1EDD; Case map
- 1EDE; 1EDF; Case map
- 1EE0; 1EE1; Case map
- 1EE2; 1EE3; Case map
- 1EE4; 1EE5; Case map
- 1EE6; 1EE7; Case map
- 1EE8; 1EE9; Case map
- 1EEA; 1EEB; Case map
- 1EEC; 1EED; Case map
- 1EEE; 1EEF; Case map
- 1EF0; 1EF1; Case map
- 1EF2; 1EF3; Case map
- 1EF4; 1EF5; Case map
- 1EF6; 1EF7; Case map
- 1EF8; 1EF9; Case map
- 1F08; 1F00; Case map
- 1F09; 1F01; Case map
- 1F0A; 1F02; Case map
- 1F0B; 1F03; Case map
- 1F0C; 1F04; Case map
- 1F0D; 1F05; Case map
- 1F0E; 1F06; Case map
- 1F0F; 1F07; Case map
- 1F18; 1F10; Case map
- 1F19; 1F11; Case map
- 1F1A; 1F12; Case map
- 1F1B; 1F13; Case map
- 1F1C; 1F14; Case map
- 1F1D; 1F15; Case map
- 1F28; 1F20; Case map
- 1F29; 1F21; Case map
- 1F2A; 1F22; Case map
- 1F2B; 1F23; Case map
- 1F2C; 1F24; Case map
- 1F2D; 1F25; Case map
- 1F2E; 1F26; Case map
- 1F2F; 1F27; Case map
- 1F38; 1F30; Case map
- 1F39; 1F31; Case map
- 1F3A; 1F32; Case map
- 1F3B; 1F33; Case map
- 1F3C; 1F34; Case map
- 1F3D; 1F35; Case map
- 1F3E; 1F36; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 44]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1F3F; 1F37; Case map
- 1F48; 1F40; Case map
- 1F49; 1F41; Case map
- 1F4A; 1F42; Case map
- 1F4B; 1F43; Case map
- 1F4C; 1F44; Case map
- 1F4D; 1F45; Case map
- 1F50; 03C5 0313; Case map
- 1F52; 03C5 0313 0300; Case map
- 1F54; 03C5 0313 0301; Case map
- 1F56; 03C5 0313 0342; Case map
- 1F59; 1F51; Case map
- 1F5B; 1F53; Case map
- 1F5D; 1F55; Case map
- 1F5F; 1F57; Case map
- 1F68; 1F60; Case map
- 1F69; 1F61; Case map
- 1F6A; 1F62; Case map
- 1F6B; 1F63; Case map
- 1F6C; 1F64; Case map
- 1F6D; 1F65; Case map
- 1F6E; 1F66; Case map
- 1F6F; 1F67; Case map
- 1F80; 1F00 03B9; Case map
- 1F81; 1F01 03B9; Case map
- 1F82; 1F02 03B9; Case map
- 1F83; 1F03 03B9; Case map
- 1F84; 1F04 03B9; Case map
- 1F85; 1F05 03B9; Case map
- 1F86; 1F06 03B9; Case map
- 1F87; 1F07 03B9; Case map
- 1F88; 1F00 03B9; Case map
- 1F89; 1F01 03B9; Case map
- 1F8A; 1F02 03B9; Case map
- 1F8B; 1F03 03B9; Case map
- 1F8C; 1F04 03B9; Case map
- 1F8D; 1F05 03B9; Case map
- 1F8E; 1F06 03B9; Case map
- 1F8F; 1F07 03B9; Case map
- 1F90; 1F20 03B9; Case map
- 1F91; 1F21 03B9; Case map
- 1F92; 1F22 03B9; Case map
- 1F93; 1F23 03B9; Case map
- 1F94; 1F24 03B9; Case map
- 1F95; 1F25 03B9; Case map
- 1F96; 1F26 03B9; Case map
- 1F97; 1F27 03B9; Case map
- 1F98; 1F20 03B9; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 45]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1F99; 1F21 03B9; Case map
- 1F9A; 1F22 03B9; Case map
- 1F9B; 1F23 03B9; Case map
- 1F9C; 1F24 03B9; Case map
- 1F9D; 1F25 03B9; Case map
- 1F9E; 1F26 03B9; Case map
- 1F9F; 1F27 03B9; Case map
- 1FA0; 1F60 03B9; Case map
- 1FA1; 1F61 03B9; Case map
- 1FA2; 1F62 03B9; Case map
- 1FA3; 1F63 03B9; Case map
- 1FA4; 1F64 03B9; Case map
- 1FA5; 1F65 03B9; Case map
- 1FA6; 1F66 03B9; Case map
- 1FA7; 1F67 03B9; Case map
- 1FA8; 1F60 03B9; Case map
- 1FA9; 1F61 03B9; Case map
- 1FAA; 1F62 03B9; Case map
- 1FAB; 1F63 03B9; Case map
- 1FAC; 1F64 03B9; Case map
- 1FAD; 1F65 03B9; Case map
- 1FAE; 1F66 03B9; Case map
- 1FAF; 1F67 03B9; Case map
- 1FB2; 1F70 03B9; Case map
- 1FB3; 03B1 03B9; Case map
- 1FB4; 03AC 03B9; Case map
- 1FB6; 03B1 0342; Case map
- 1FB7; 03B1 0342 03B9; Case map
- 1FB8; 1FB0; Case map
- 1FB9; 1FB1; Case map
- 1FBA; 1F70; Case map
- 1FBB; 1F71; Case map
- 1FBC; 03B1 03B9; Case map
- 1FBE; 03B9; Case map
- 1FC2; 1F74 03B9; Case map
- 1FC3; 03B7 03B9; Case map
- 1FC4; 03AE 03B9; Case map
- 1FC6; 03B7 0342; Case map
- 1FC7; 03B7 0342 03B9; Case map
- 1FC8; 1F72; Case map
- 1FC9; 1F73; Case map
- 1FCA; 1F74; Case map
- 1FCB; 1F75; Case map
- 1FCC; 03B7 03B9; Case map
- 1FD2; 03B9 0308 0300; Case map
- 1FD3; 03B9 0308 0301; Case map
- 1FD6; 03B9 0342; Case map
- 1FD7; 03B9 0308 0342; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 46]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1FD8; 1FD0; Case map
- 1FD9; 1FD1; Case map
- 1FDA; 1F76; Case map
- 1FDB; 1F77; Case map
- 1FE2; 03C5 0308 0300; Case map
- 1FE3; 03C5 0308 0301; Case map
- 1FE4; 03C1 0313; Case map
- 1FE6; 03C5 0342; Case map
- 1FE7; 03C5 0308 0342; Case map
- 1FE8; 1FE0; Case map
- 1FE9; 1FE1; Case map
- 1FEA; 1F7A; Case map
- 1FEB; 1F7B; Case map
- 1FEC; 1FE5; Case map
- 1FF2; 1F7C 03B9; Case map
- 1FF3; 03C9 03B9; Case map
- 1FF4; 03CE 03B9; Case map
- 1FF6; 03C9 0342; Case map
- 1FF7; 03C9 0342 03B9; Case map
- 1FF8; 1F78; Case map
- 1FF9; 1F79; Case map
- 1FFA; 1F7C; Case map
- 1FFB; 1F7D; Case map
- 1FFC; 03C9 03B9; Case map
- 20A8; 0072 0073; Additional folding
- 2102; 0063; Additional folding
- 2103; 00B0 0063; Additional folding
- 2107; 025B; Additional folding
- 2109; 00B0 0066; Additional folding
- 210B; 0068; Additional folding
- 210C; 0068; Additional folding
- 210D; 0068; Additional folding
- 2110; 0069; Additional folding
- 2111; 0069; Additional folding
- 2112; 006C; Additional folding
- 2115; 006E; Additional folding
- 2116; 006E 006F; Additional folding
- 2119; 0070; Additional folding
- 211A; 0071; Additional folding
- 211B; 0072; Additional folding
- 211C; 0072; Additional folding
- 211D; 0072; Additional folding
- 2120; 0073 006D; Additional folding
- 2121; 0074 0065 006C; Additional folding
- 2122; 0074 006D; Additional folding
- 2124; 007A; Additional folding
- 2126; 03C9; Case map
- 2128; 007A; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 47]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 212A; 006B; Case map
- 212B; 00E5; Case map
- 212C; 0062; Additional folding
- 212D; 0063; Additional folding
- 2130; 0065; Additional folding
- 2131; 0066; Additional folding
- 2133; 006D; Additional folding
- 213E; 03B3; Additional folding
- 213F; 03C0; Additional folding
- 2145; 0064; Additional folding
- 2160; 2170; Case map
- 2161; 2171; Case map
- 2162; 2172; Case map
- 2163; 2173; Case map
- 2164; 2174; Case map
- 2165; 2175; Case map
- 2166; 2176; Case map
- 2167; 2177; Case map
- 2168; 2178; Case map
- 2169; 2179; Case map
- 216A; 217A; Case map
- 216B; 217B; Case map
- 216C; 217C; Case map
- 216D; 217D; Case map
- 216E; 217E; Case map
- 216F; 217F; Case map
- 24B6; 24D0; Case map
- 24B7; 24D1; Case map
- 24B8; 24D2; Case map
- 24B9; 24D3; Case map
- 24BA; 24D4; Case map
- 24BB; 24D5; Case map
- 24BC; 24D6; Case map
- 24BD; 24D7; Case map
- 24BE; 24D8; Case map
- 24BF; 24D9; Case map
- 24C0; 24DA; Case map
- 24C1; 24DB; Case map
- 24C2; 24DC; Case map
- 24C3; 24DD; Case map
- 24C4; 24DE; Case map
- 24C5; 24DF; Case map
- 24C6; 24E0; Case map
- 24C7; 24E1; Case map
- 24C8; 24E2; Case map
- 24C9; 24E3; Case map
- 24CA; 24E4; Case map
- 24CB; 24E5; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 48]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 24CC; 24E6; Case map
- 24CD; 24E7; Case map
- 24CE; 24E8; Case map
- 24CF; 24E9; Case map
- 3371; 0068 0070 0061; Additional folding
- 3373; 0061 0075; Additional folding
- 3375; 006F 0076; Additional folding
- 3380; 0070 0061; Additional folding
- 3381; 006E 0061; Additional folding
- 3382; 03BC 0061; Additional folding
- 3383; 006D 0061; Additional folding
- 3384; 006B 0061; Additional folding
- 3385; 006B 0062; Additional folding
- 3386; 006D 0062; Additional folding
- 3387; 0067 0062; Additional folding
- 338A; 0070 0066; Additional folding
- 338B; 006E 0066; Additional folding
- 338C; 03BC 0066; Additional folding
- 3390; 0068 007A; Additional folding
- 3391; 006B 0068 007A; Additional folding
- 3392; 006D 0068 007A; Additional folding
- 3393; 0067 0068 007A; Additional folding
- 3394; 0074 0068 007A; Additional folding
- 33A9; 0070 0061; Additional folding
- 33AA; 006B 0070 0061; Additional folding
- 33AB; 006D 0070 0061; Additional folding
- 33AC; 0067 0070 0061; Additional folding
- 33B4; 0070 0076; Additional folding
- 33B5; 006E 0076; Additional folding
- 33B6; 03BC 0076; Additional folding
- 33B7; 006D 0076; Additional folding
- 33B8; 006B 0076; Additional folding
- 33B9; 006D 0076; Additional folding
- 33BA; 0070 0077; Additional folding
- 33BB; 006E 0077; Additional folding
- 33BC; 03BC 0077; Additional folding
- 33BD; 006D 0077; Additional folding
- 33BE; 006B 0077; Additional folding
- 33BF; 006D 0077; Additional folding
- 33C0; 006B 03C9; Additional folding
- 33C1; 006D 03C9; Additional folding
- 33C3; 0062 0071; Additional folding
- 33C6; 0063 2215 006B 0067; Additional folding
- 33C7; 0063 006F 002E; Additional folding
- 33C8; 0064 0062; Additional folding
- 33C9; 0067 0079; Additional folding
- 33CB; 0068 0070; Additional folding
- 33CD; 006B 006B; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 49]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 33CE; 006B 006D; Additional folding
- 33D7; 0070 0068; Additional folding
- 33D9; 0070 0070 006D; Additional folding
- 33DA; 0070 0072; Additional folding
- 33DC; 0073 0076; Additional folding
- 33DD; 0077 0062; Additional folding
- FB00; 0066 0066; Case map
- FB01; 0066 0069; Case map
- FB02; 0066 006C; Case map
- FB03; 0066 0066 0069; Case map
- FB04; 0066 0066 006C; Case map
- FB05; 0073 0074; Case map
- FB06; 0073 0074; Case map
- FB13; 0574 0576; Case map
- FB14; 0574 0565; Case map
- FB15; 0574 056B; Case map
- FB16; 057E 0576; Case map
- FB17; 0574 056D; Case map
- FF21; FF41; Case map
- FF22; FF42; Case map
- FF23; FF43; Case map
- FF24; FF44; Case map
- FF25; FF45; Case map
- FF26; FF46; Case map
- FF27; FF47; Case map
- FF28; FF48; Case map
- FF29; FF49; Case map
- FF2A; FF4A; Case map
- FF2B; FF4B; Case map
- FF2C; FF4C; Case map
- FF2D; FF4D; Case map
- FF2E; FF4E; Case map
- FF2F; FF4F; Case map
- FF30; FF50; Case map
- FF31; FF51; Case map
- FF32; FF52; Case map
- FF33; FF53; Case map
- FF34; FF54; Case map
- FF35; FF55; Case map
- FF36; FF56; Case map
- FF37; FF57; Case map
- FF38; FF58; Case map
- FF39; FF59; Case map
- FF3A; FF5A; Case map
- 10400; 10428; Case map
- 10401; 10429; Case map
- 10402; 1042A; Case map
- 10403; 1042B; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 50]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 10404; 1042C; Case map
- 10405; 1042D; Case map
- 10406; 1042E; Case map
- 10407; 1042F; Case map
- 10408; 10430; Case map
- 10409; 10431; Case map
- 1040A; 10432; Case map
- 1040B; 10433; Case map
- 1040C; 10434; Case map
- 1040D; 10435; Case map
- 1040E; 10436; Case map
- 1040F; 10437; Case map
- 10410; 10438; Case map
- 10411; 10439; Case map
- 10412; 1043A; Case map
- 10413; 1043B; Case map
- 10414; 1043C; Case map
- 10415; 1043D; Case map
- 10416; 1043E; Case map
- 10417; 1043F; Case map
- 10418; 10440; Case map
- 10419; 10441; Case map
- 1041A; 10442; Case map
- 1041B; 10443; Case map
- 1041C; 10444; Case map
- 1041D; 10445; Case map
- 1041E; 10446; Case map
- 1041F; 10447; Case map
- 10420; 10448; Case map
- 10421; 10449; Case map
- 10422; 1044A; Case map
- 10423; 1044B; Case map
- 10424; 1044C; Case map
- 10425; 1044D; Case map
- 1D400; 0061; Additional folding
- 1D401; 0062; Additional folding
- 1D402; 0063; Additional folding
- 1D403; 0064; Additional folding
- 1D404; 0065; Additional folding
- 1D405; 0066; Additional folding
- 1D406; 0067; Additional folding
- 1D407; 0068; Additional folding
- 1D408; 0069; Additional folding
- 1D409; 006A; Additional folding
- 1D40A; 006B; Additional folding
- 1D40B; 006C; Additional folding
- 1D40C; 006D; Additional folding
- 1D40D; 006E; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 51]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D40E; 006F; Additional folding
- 1D40F; 0070; Additional folding
- 1D410; 0071; Additional folding
- 1D411; 0072; Additional folding
- 1D412; 0073; Additional folding
- 1D413; 0074; Additional folding
- 1D414; 0075; Additional folding
- 1D415; 0076; Additional folding
- 1D416; 0077; Additional folding
- 1D417; 0078; Additional folding
- 1D418; 0079; Additional folding
- 1D419; 007A; Additional folding
- 1D434; 0061; Additional folding
- 1D435; 0062; Additional folding
- 1D436; 0063; Additional folding
- 1D437; 0064; Additional folding
- 1D438; 0065; Additional folding
- 1D439; 0066; Additional folding
- 1D43A; 0067; Additional folding
- 1D43B; 0068; Additional folding
- 1D43C; 0069; Additional folding
- 1D43D; 006A; Additional folding
- 1D43E; 006B; Additional folding
- 1D43F; 006C; Additional folding
- 1D440; 006D; Additional folding
- 1D441; 006E; Additional folding
- 1D442; 006F; Additional folding
- 1D443; 0070; Additional folding
- 1D444; 0071; Additional folding
- 1D445; 0072; Additional folding
- 1D446; 0073; Additional folding
- 1D447; 0074; Additional folding
- 1D448; 0075; Additional folding
- 1D449; 0076; Additional folding
- 1D44A; 0077; Additional folding
- 1D44B; 0078; Additional folding
- 1D44C; 0079; Additional folding
- 1D44D; 007A; Additional folding
- 1D468; 0061; Additional folding
- 1D469; 0062; Additional folding
- 1D46A; 0063; Additional folding
- 1D46B; 0064; Additional folding
- 1D46C; 0065; Additional folding
- 1D46D; 0066; Additional folding
- 1D46E; 0067; Additional folding
- 1D46F; 0068; Additional folding
- 1D470; 0069; Additional folding
- 1D471; 006A; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 52]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D472; 006B; Additional folding
- 1D473; 006C; Additional folding
- 1D474; 006D; Additional folding
- 1D475; 006E; Additional folding
- 1D476; 006F; Additional folding
- 1D477; 0070; Additional folding
- 1D478; 0071; Additional folding
- 1D479; 0072; Additional folding
- 1D47A; 0073; Additional folding
- 1D47B; 0074; Additional folding
- 1D47C; 0075; Additional folding
- 1D47D; 0076; Additional folding
- 1D47E; 0077; Additional folding
- 1D47F; 0078; Additional folding
- 1D480; 0079; Additional folding
- 1D481; 007A; Additional folding
- 1D49C; 0061; Additional folding
- 1D49E; 0063; Additional folding
- 1D49F; 0064; Additional folding
- 1D4A2; 0067; Additional folding
- 1D4A5; 006A; Additional folding
- 1D4A6; 006B; Additional folding
- 1D4A9; 006E; Additional folding
- 1D4AA; 006F; Additional folding
- 1D4AB; 0070; Additional folding
- 1D4AC; 0071; Additional folding
- 1D4AE; 0073; Additional folding
- 1D4AF; 0074; Additional folding
- 1D4B0; 0075; Additional folding
- 1D4B1; 0076; Additional folding
- 1D4B2; 0077; Additional folding
- 1D4B3; 0078; Additional folding
- 1D4B4; 0079; Additional folding
- 1D4B5; 007A; Additional folding
- 1D4D0; 0061; Additional folding
- 1D4D1; 0062; Additional folding
- 1D4D2; 0063; Additional folding
- 1D4D3; 0064; Additional folding
- 1D4D4; 0065; Additional folding
- 1D4D5; 0066; Additional folding
- 1D4D6; 0067; Additional folding
- 1D4D7; 0068; Additional folding
- 1D4D8; 0069; Additional folding
- 1D4D9; 006A; Additional folding
- 1D4DA; 006B; Additional folding
- 1D4DB; 006C; Additional folding
- 1D4DC; 006D; Additional folding
- 1D4DD; 006E; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 53]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D4DE; 006F; Additional folding
- 1D4DF; 0070; Additional folding
- 1D4E0; 0071; Additional folding
- 1D4E1; 0072; Additional folding
- 1D4E2; 0073; Additional folding
- 1D4E3; 0074; Additional folding
- 1D4E4; 0075; Additional folding
- 1D4E5; 0076; Additional folding
- 1D4E6; 0077; Additional folding
- 1D4E7; 0078; Additional folding
- 1D4E8; 0079; Additional folding
- 1D4E9; 007A; Additional folding
- 1D504; 0061; Additional folding
- 1D505; 0062; Additional folding
- 1D507; 0064; Additional folding
- 1D508; 0065; Additional folding
- 1D509; 0066; Additional folding
- 1D50A; 0067; Additional folding
- 1D50D; 006A; Additional folding
- 1D50E; 006B; Additional folding
- 1D50F; 006C; Additional folding
- 1D510; 006D; Additional folding
- 1D511; 006E; Additional folding
- 1D512; 006F; Additional folding
- 1D513; 0070; Additional folding
- 1D514; 0071; Additional folding
- 1D516; 0073; Additional folding
- 1D517; 0074; Additional folding
- 1D518; 0075; Additional folding
- 1D519; 0076; Additional folding
- 1D51A; 0077; Additional folding
- 1D51B; 0078; Additional folding
- 1D51C; 0079; Additional folding
- 1D538; 0061; Additional folding
- 1D539; 0062; Additional folding
- 1D53B; 0064; Additional folding
- 1D53C; 0065; Additional folding
- 1D53D; 0066; Additional folding
- 1D53E; 0067; Additional folding
- 1D540; 0069; Additional folding
- 1D541; 006A; Additional folding
- 1D542; 006B; Additional folding
- 1D543; 006C; Additional folding
- 1D544; 006D; Additional folding
- 1D546; 006F; Additional folding
- 1D54A; 0073; Additional folding
- 1D54B; 0074; Additional folding
- 1D54C; 0075; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 54]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D54D; 0076; Additional folding
- 1D54E; 0077; Additional folding
- 1D54F; 0078; Additional folding
- 1D550; 0079; Additional folding
- 1D56C; 0061; Additional folding
- 1D56D; 0062; Additional folding
- 1D56E; 0063; Additional folding
- 1D56F; 0064; Additional folding
- 1D570; 0065; Additional folding
- 1D571; 0066; Additional folding
- 1D572; 0067; Additional folding
- 1D573; 0068; Additional folding
- 1D574; 0069; Additional folding
- 1D575; 006A; Additional folding
- 1D576; 006B; Additional folding
- 1D577; 006C; Additional folding
- 1D578; 006D; Additional folding
- 1D579; 006E; Additional folding
- 1D57A; 006F; Additional folding
- 1D57B; 0070; Additional folding
- 1D57C; 0071; Additional folding
- 1D57D; 0072; Additional folding
- 1D57E; 0073; Additional folding
- 1D57F; 0074; Additional folding
- 1D580; 0075; Additional folding
- 1D581; 0076; Additional folding
- 1D582; 0077; Additional folding
- 1D583; 0078; Additional folding
- 1D584; 0079; Additional folding
- 1D585; 007A; Additional folding
- 1D5A0; 0061; Additional folding
- 1D5A1; 0062; Additional folding
- 1D5A2; 0063; Additional folding
- 1D5A3; 0064; Additional folding
- 1D5A4; 0065; Additional folding
- 1D5A5; 0066; Additional folding
- 1D5A6; 0067; Additional folding
- 1D5A7; 0068; Additional folding
- 1D5A8; 0069; Additional folding
- 1D5A9; 006A; Additional folding
- 1D5AA; 006B; Additional folding
- 1D5AB; 006C; Additional folding
- 1D5AC; 006D; Additional folding
- 1D5AD; 006E; Additional folding
- 1D5AE; 006F; Additional folding
- 1D5AF; 0070; Additional folding
- 1D5B0; 0071; Additional folding
- 1D5B1; 0072; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 55]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D5B2; 0073; Additional folding
- 1D5B3; 0074; Additional folding
- 1D5B4; 0075; Additional folding
- 1D5B5; 0076; Additional folding
- 1D5B6; 0077; Additional folding
- 1D5B7; 0078; Additional folding
- 1D5B8; 0079; Additional folding
- 1D5B9; 007A; Additional folding
- 1D5D4; 0061; Additional folding
- 1D5D5; 0062; Additional folding
- 1D5D6; 0063; Additional folding
- 1D5D7; 0064; Additional folding
- 1D5D8; 0065; Additional folding
- 1D5D9; 0066; Additional folding
- 1D5DA; 0067; Additional folding
- 1D5DB; 0068; Additional folding
- 1D5DC; 0069; Additional folding
- 1D5DD; 006A; Additional folding
- 1D5DE; 006B; Additional folding
- 1D5DF; 006C; Additional folding
- 1D5E0; 006D; Additional folding
- 1D5E1; 006E; Additional folding
- 1D5E2; 006F; Additional folding
- 1D5E3; 0070; Additional folding
- 1D5E4; 0071; Additional folding
- 1D5E5; 0072; Additional folding
- 1D5E6; 0073; Additional folding
- 1D5E7; 0074; Additional folding
- 1D5E8; 0075; Additional folding
- 1D5E9; 0076; Additional folding
- 1D5EA; 0077; Additional folding
- 1D5EB; 0078; Additional folding
- 1D5EC; 0079; Additional folding
- 1D5ED; 007A; Additional folding
- 1D608; 0061; Additional folding
- 1D609; 0062; Additional folding
- 1D60A; 0063; Additional folding
- 1D60B; 0064; Additional folding
- 1D60C; 0065; Additional folding
- 1D60D; 0066; Additional folding
- 1D60E; 0067; Additional folding
- 1D60F; 0068; Additional folding
- 1D610; 0069; Additional folding
- 1D611; 006A; Additional folding
- 1D612; 006B; Additional folding
- 1D613; 006C; Additional folding
- 1D614; 006D; Additional folding
- 1D615; 006E; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 56]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D616; 006F; Additional folding
- 1D617; 0070; Additional folding
- 1D618; 0071; Additional folding
- 1D619; 0072; Additional folding
- 1D61A; 0073; Additional folding
- 1D61B; 0074; Additional folding
- 1D61C; 0075; Additional folding
- 1D61D; 0076; Additional folding
- 1D61E; 0077; Additional folding
- 1D61F; 0078; Additional folding
- 1D620; 0079; Additional folding
- 1D621; 007A; Additional folding
- 1D63C; 0061; Additional folding
- 1D63D; 0062; Additional folding
- 1D63E; 0063; Additional folding
- 1D63F; 0064; Additional folding
- 1D640; 0065; Additional folding
- 1D641; 0066; Additional folding
- 1D642; 0067; Additional folding
- 1D643; 0068; Additional folding
- 1D644; 0069; Additional folding
- 1D645; 006A; Additional folding
- 1D646; 006B; Additional folding
- 1D647; 006C; Additional folding
- 1D648; 006D; Additional folding
- 1D649; 006E; Additional folding
- 1D64A; 006F; Additional folding
- 1D64B; 0070; Additional folding
- 1D64C; 0071; Additional folding
- 1D64D; 0072; Additional folding
- 1D64E; 0073; Additional folding
- 1D64F; 0074; Additional folding
- 1D650; 0075; Additional folding
- 1D651; 0076; Additional folding
- 1D652; 0077; Additional folding
- 1D653; 0078; Additional folding
- 1D654; 0079; Additional folding
- 1D655; 007A; Additional folding
- 1D670; 0061; Additional folding
- 1D671; 0062; Additional folding
- 1D672; 0063; Additional folding
- 1D673; 0064; Additional folding
- 1D674; 0065; Additional folding
- 1D675; 0066; Additional folding
- 1D676; 0067; Additional folding
- 1D677; 0068; Additional folding
- 1D678; 0069; Additional folding
- 1D679; 006A; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 57]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D67A; 006B; Additional folding
- 1D67B; 006C; Additional folding
- 1D67C; 006D; Additional folding
- 1D67D; 006E; Additional folding
- 1D67E; 006F; Additional folding
- 1D67F; 0070; Additional folding
- 1D680; 0071; Additional folding
- 1D681; 0072; Additional folding
- 1D682; 0073; Additional folding
- 1D683; 0074; Additional folding
- 1D684; 0075; Additional folding
- 1D685; 0076; Additional folding
- 1D686; 0077; Additional folding
- 1D687; 0078; Additional folding
- 1D688; 0079; Additional folding
- 1D689; 007A; Additional folding
- 1D6A8; 03B1; Additional folding
- 1D6A9; 03B2; Additional folding
- 1D6AA; 03B3; Additional folding
- 1D6AB; 03B4; Additional folding
- 1D6AC; 03B5; Additional folding
- 1D6AD; 03B6; Additional folding
- 1D6AE; 03B7; Additional folding
- 1D6AF; 03B8; Additional folding
- 1D6B0; 03B9; Additional folding
- 1D6B1; 03BA; Additional folding
- 1D6B2; 03BB; Additional folding
- 1D6B3; 03BC; Additional folding
- 1D6B4; 03BD; Additional folding
- 1D6B5; 03BE; Additional folding
- 1D6B6; 03BF; Additional folding
- 1D6B7; 03C0; Additional folding
- 1D6B8; 03C1; Additional folding
- 1D6B9; 03B8; Additional folding
- 1D6BA; 03C3; Additional folding
- 1D6BB; 03C4; Additional folding
- 1D6BC; 03C5; Additional folding
- 1D6BD; 03C6; Additional folding
- 1D6BE; 03C7; Additional folding
- 1D6BF; 03C8; Additional folding
- 1D6C0; 03C9; Additional folding
- 1D6D3; 03C3; Additional folding
- 1D6E2; 03B1; Additional folding
- 1D6E3; 03B2; Additional folding
- 1D6E4; 03B3; Additional folding
- 1D6E5; 03B4; Additional folding
- 1D6E6; 03B5; Additional folding
- 1D6E7; 03B6; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 58]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D6E8; 03B7; Additional folding
- 1D6E9; 03B8; Additional folding
- 1D6EA; 03B9; Additional folding
- 1D6EB; 03BA; Additional folding
- 1D6EC; 03BB; Additional folding
- 1D6ED; 03BC; Additional folding
- 1D6EE; 03BD; Additional folding
- 1D6EF; 03BE; Additional folding
- 1D6F0; 03BF; Additional folding
- 1D6F1; 03C0; Additional folding
- 1D6F2; 03C1; Additional folding
- 1D6F3; 03B8; Additional folding
- 1D6F4; 03C3; Additional folding
- 1D6F5; 03C4; Additional folding
- 1D6F6; 03C5; Additional folding
- 1D6F7; 03C6; Additional folding
- 1D6F8; 03C7; Additional folding
- 1D6F9; 03C8; Additional folding
- 1D6FA; 03C9; Additional folding
- 1D70D; 03C3; Additional folding
- 1D71C; 03B1; Additional folding
- 1D71D; 03B2; Additional folding
- 1D71E; 03B3; Additional folding
- 1D71F; 03B4; Additional folding
- 1D720; 03B5; Additional folding
- 1D721; 03B6; Additional folding
- 1D722; 03B7; Additional folding
- 1D723; 03B8; Additional folding
- 1D724; 03B9; Additional folding
- 1D725; 03BA; Additional folding
- 1D726; 03BB; Additional folding
- 1D727; 03BC; Additional folding
- 1D728; 03BD; Additional folding
- 1D729; 03BE; Additional folding
- 1D72A; 03BF; Additional folding
- 1D72B; 03C0; Additional folding
- 1D72C; 03C1; Additional folding
- 1D72D; 03B8; Additional folding
- 1D72E; 03C3; Additional folding
- 1D72F; 03C4; Additional folding
- 1D730; 03C5; Additional folding
- 1D731; 03C6; Additional folding
- 1D732; 03C7; Additional folding
- 1D733; 03C8; Additional folding
- 1D734; 03C9; Additional folding
- 1D747; 03C3; Additional folding
- 1D756; 03B1; Additional folding
- 1D757; 03B2; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 59]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D758; 03B3; Additional folding
- 1D759; 03B4; Additional folding
- 1D75A; 03B5; Additional folding
- 1D75B; 03B6; Additional folding
- 1D75C; 03B7; Additional folding
- 1D75D; 03B8; Additional folding
- 1D75E; 03B9; Additional folding
- 1D75F; 03BA; Additional folding
- 1D760; 03BB; Additional folding
- 1D761; 03BC; Additional folding
- 1D762; 03BD; Additional folding
- 1D763; 03BE; Additional folding
- 1D764; 03BF; Additional folding
- 1D765; 03C0; Additional folding
- 1D766; 03C1; Additional folding
- 1D767; 03B8; Additional folding
- 1D768; 03C3; Additional folding
- 1D769; 03C4; Additional folding
- 1D76A; 03C5; Additional folding
- 1D76B; 03C6; Additional folding
- 1D76C; 03C7; Additional folding
- 1D76D; 03C8; Additional folding
- 1D76E; 03C9; Additional folding
- 1D781; 03C3; Additional folding
- 1D790; 03B1; Additional folding
- 1D791; 03B2; Additional folding
- 1D792; 03B3; Additional folding
- 1D793; 03B4; Additional folding
- 1D794; 03B5; Additional folding
- 1D795; 03B6; Additional folding
- 1D796; 03B7; Additional folding
- 1D797; 03B8; Additional folding
- 1D798; 03B9; Additional folding
- 1D799; 03BA; Additional folding
- 1D79A; 03BB; Additional folding
- 1D79B; 03BC; Additional folding
- 1D79C; 03BD; Additional folding
- 1D79D; 03BE; Additional folding
- 1D79E; 03BF; Additional folding
- 1D79F; 03C0; Additional folding
- 1D7A0; 03C1; Additional folding
- 1D7A1; 03B8; Additional folding
- 1D7A2; 03C3; Additional folding
- 1D7A3; 03C4; Additional folding
- 1D7A4; 03C5; Additional folding
- 1D7A5; 03C6; Additional folding
- 1D7A6; 03C7; Additional folding
- 1D7A7; 03C8; Additional folding
-
-
-
-Hoffman & Blanchet Standards Track [Page 60]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D7A8; 03C9; Additional folding
- 1D7BB; 03C3; Additional folding
- ----- End Table B.2 -----
-
-B.3 Mapping for case-folding used with no normalization
-
- ----- Start Table B.3 -----
- 0041; 0061; Case map
- 0042; 0062; Case map
- 0043; 0063; Case map
- 0044; 0064; Case map
- 0045; 0065; Case map
- 0046; 0066; Case map
- 0047; 0067; Case map
- 0048; 0068; Case map
- 0049; 0069; Case map
- 004A; 006A; Case map
- 004B; 006B; Case map
- 004C; 006C; Case map
- 004D; 006D; Case map
- 004E; 006E; Case map
- 004F; 006F; Case map
- 0050; 0070; Case map
- 0051; 0071; Case map
- 0052; 0072; Case map
- 0053; 0073; Case map
- 0054; 0074; Case map
- 0055; 0075; Case map
- 0056; 0076; Case map
- 0057; 0077; Case map
- 0058; 0078; Case map
- 0059; 0079; Case map
- 005A; 007A; Case map
- 00B5; 03BC; Case map
- 00C0; 00E0; Case map
- 00C1; 00E1; Case map
- 00C2; 00E2; Case map
- 00C3; 00E3; Case map
- 00C4; 00E4; Case map
- 00C5; 00E5; Case map
- 00C6; 00E6; Case map
- 00C7; 00E7; Case map
- 00C8; 00E8; Case map
- 00C9; 00E9; Case map
- 00CA; 00EA; Case map
- 00CB; 00EB; Case map
- 00CC; 00EC; Case map
- 00CD; 00ED; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 61]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 00CE; 00EE; Case map
- 00CF; 00EF; Case map
- 00D0; 00F0; Case map
- 00D1; 00F1; Case map
- 00D2; 00F2; Case map
- 00D3; 00F3; Case map
- 00D4; 00F4; Case map
- 00D5; 00F5; Case map
- 00D6; 00F6; Case map
- 00D8; 00F8; Case map
- 00D9; 00F9; Case map
- 00DA; 00FA; Case map
- 00DB; 00FB; Case map
- 00DC; 00FC; Case map
- 00DD; 00FD; Case map
- 00DE; 00FE; Case map
- 00DF; 0073 0073; Case map
- 0100; 0101; Case map
- 0102; 0103; Case map
- 0104; 0105; Case map
- 0106; 0107; Case map
- 0108; 0109; Case map
- 010A; 010B; Case map
- 010C; 010D; Case map
- 010E; 010F; Case map
- 0110; 0111; Case map
- 0112; 0113; Case map
- 0114; 0115; Case map
- 0116; 0117; Case map
- 0118; 0119; Case map
- 011A; 011B; Case map
- 011C; 011D; Case map
- 011E; 011F; Case map
- 0120; 0121; Case map
- 0122; 0123; Case map
- 0124; 0125; Case map
- 0126; 0127; Case map
- 0128; 0129; Case map
- 012A; 012B; Case map
- 012C; 012D; Case map
- 012E; 012F; Case map
- 0130; 0069 0307; Case map
- 0132; 0133; Case map
- 0134; 0135; Case map
- 0136; 0137; Case map
- 0139; 013A; Case map
- 013B; 013C; Case map
- 013D; 013E; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 62]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 013F; 0140; Case map
- 0141; 0142; Case map
- 0143; 0144; Case map
- 0145; 0146; Case map
- 0147; 0148; Case map
- 0149; 02BC 006E; Case map
- 014A; 014B; Case map
- 014C; 014D; Case map
- 014E; 014F; Case map
- 0150; 0151; Case map
- 0152; 0153; Case map
- 0154; 0155; Case map
- 0156; 0157; Case map
- 0158; 0159; Case map
- 015A; 015B; Case map
- 015C; 015D; Case map
- 015E; 015F; Case map
- 0160; 0161; Case map
- 0162; 0163; Case map
- 0164; 0165; Case map
- 0166; 0167; Case map
- 0168; 0169; Case map
- 016A; 016B; Case map
- 016C; 016D; Case map
- 016E; 016F; Case map
- 0170; 0171; Case map
- 0172; 0173; Case map
- 0174; 0175; Case map
- 0176; 0177; Case map
- 0178; 00FF; Case map
- 0179; 017A; Case map
- 017B; 017C; Case map
- 017D; 017E; Case map
- 017F; 0073; Case map
- 0181; 0253; Case map
- 0182; 0183; Case map
- 0184; 0185; Case map
- 0186; 0254; Case map
- 0187; 0188; Case map
- 0189; 0256; Case map
- 018A; 0257; Case map
- 018B; 018C; Case map
- 018E; 01DD; Case map
- 018F; 0259; Case map
- 0190; 025B; Case map
- 0191; 0192; Case map
- 0193; 0260; Case map
- 0194; 0263; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 63]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0196; 0269; Case map
- 0197; 0268; Case map
- 0198; 0199; Case map
- 019C; 026F; Case map
- 019D; 0272; Case map
- 019F; 0275; Case map
- 01A0; 01A1; Case map
- 01A2; 01A3; Case map
- 01A4; 01A5; Case map
- 01A6; 0280; Case map
- 01A7; 01A8; Case map
- 01A9; 0283; Case map
- 01AC; 01AD; Case map
- 01AE; 0288; Case map
- 01AF; 01B0; Case map
- 01B1; 028A; Case map
- 01B2; 028B; Case map
- 01B3; 01B4; Case map
- 01B5; 01B6; Case map
- 01B7; 0292; Case map
- 01B8; 01B9; Case map
- 01BC; 01BD; Case map
- 01C4; 01C6; Case map
- 01C5; 01C6; Case map
- 01C7; 01C9; Case map
- 01C8; 01C9; Case map
- 01CA; 01CC; Case map
- 01CB; 01CC; Case map
- 01CD; 01CE; Case map
- 01CF; 01D0; Case map
- 01D1; 01D2; Case map
- 01D3; 01D4; Case map
- 01D5; 01D6; Case map
- 01D7; 01D8; Case map
- 01D9; 01DA; Case map
- 01DB; 01DC; Case map
- 01DE; 01DF; Case map
- 01E0; 01E1; Case map
- 01E2; 01E3; Case map
- 01E4; 01E5; Case map
- 01E6; 01E7; Case map
- 01E8; 01E9; Case map
- 01EA; 01EB; Case map
- 01EC; 01ED; Case map
- 01EE; 01EF; Case map
- 01F0; 006A 030C; Case map
- 01F1; 01F3; Case map
- 01F2; 01F3; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 64]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 01F4; 01F5; Case map
- 01F6; 0195; Case map
- 01F7; 01BF; Case map
- 01F8; 01F9; Case map
- 01FA; 01FB; Case map
- 01FC; 01FD; Case map
- 01FE; 01FF; Case map
- 0200; 0201; Case map
- 0202; 0203; Case map
- 0204; 0205; Case map
- 0206; 0207; Case map
- 0208; 0209; Case map
- 020A; 020B; Case map
- 020C; 020D; Case map
- 020E; 020F; Case map
- 0210; 0211; Case map
- 0212; 0213; Case map
- 0214; 0215; Case map
- 0216; 0217; Case map
- 0218; 0219; Case map
- 021A; 021B; Case map
- 021C; 021D; Case map
- 021E; 021F; Case map
- 0220; 019E; Case map
- 0222; 0223; Case map
- 0224; 0225; Case map
- 0226; 0227; Case map
- 0228; 0229; Case map
- 022A; 022B; Case map
- 022C; 022D; Case map
- 022E; 022F; Case map
- 0230; 0231; Case map
- 0232; 0233; Case map
- 0345; 03B9; Case map
- 0386; 03AC; Case map
- 0388; 03AD; Case map
- 0389; 03AE; Case map
- 038A; 03AF; Case map
- 038C; 03CC; Case map
- 038E; 03CD; Case map
- 038F; 03CE; Case map
- 0390; 03B9 0308 0301; Case map
- 0391; 03B1; Case map
- 0392; 03B2; Case map
- 0393; 03B3; Case map
- 0394; 03B4; Case map
- 0395; 03B5; Case map
- 0396; 03B6; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 65]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0397; 03B7; Case map
- 0398; 03B8; Case map
- 0399; 03B9; Case map
- 039A; 03BA; Case map
- 039B; 03BB; Case map
- 039C; 03BC; Case map
- 039D; 03BD; Case map
- 039E; 03BE; Case map
- 039F; 03BF; Case map
- 03A0; 03C0; Case map
- 03A1; 03C1; Case map
- 03A3; 03C3; Case map
- 03A4; 03C4; Case map
- 03A5; 03C5; Case map
- 03A6; 03C6; Case map
- 03A7; 03C7; Case map
- 03A8; 03C8; Case map
- 03A9; 03C9; Case map
- 03AA; 03CA; Case map
- 03AB; 03CB; Case map
- 03B0; 03C5 0308 0301; Case map
- 03C2; 03C3; Case map
- 03D0; 03B2; Case map
- 03D1; 03B8; Case map
- 03D5; 03C6; Case map
- 03D6; 03C0; Case map
- 03D8; 03D9; Case map
- 03DA; 03DB; Case map
- 03DC; 03DD; Case map
- 03DE; 03DF; Case map
- 03E0; 03E1; Case map
- 03E2; 03E3; Case map
- 03E4; 03E5; Case map
- 03E6; 03E7; Case map
- 03E8; 03E9; Case map
- 03EA; 03EB; Case map
- 03EC; 03ED; Case map
- 03EE; 03EF; Case map
- 03F0; 03BA; Case map
- 03F1; 03C1; Case map
- 03F2; 03C3; Case map
- 03F4; 03B8; Case map
- 03F5; 03B5; Case map
- 0400; 0450; Case map
- 0401; 0451; Case map
- 0402; 0452; Case map
- 0403; 0453; Case map
- 0404; 0454; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 66]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0405; 0455; Case map
- 0406; 0456; Case map
- 0407; 0457; Case map
- 0408; 0458; Case map
- 0409; 0459; Case map
- 040A; 045A; Case map
- 040B; 045B; Case map
- 040C; 045C; Case map
- 040D; 045D; Case map
- 040E; 045E; Case map
- 040F; 045F; Case map
- 0410; 0430; Case map
- 0411; 0431; Case map
- 0412; 0432; Case map
- 0413; 0433; Case map
- 0414; 0434; Case map
- 0415; 0435; Case map
- 0416; 0436; Case map
- 0417; 0437; Case map
- 0418; 0438; Case map
- 0419; 0439; Case map
- 041A; 043A; Case map
- 041B; 043B; Case map
- 041C; 043C; Case map
- 041D; 043D; Case map
- 041E; 043E; Case map
- 041F; 043F; Case map
- 0420; 0440; Case map
- 0421; 0441; Case map
- 0422; 0442; Case map
- 0423; 0443; Case map
- 0424; 0444; Case map
- 0425; 0445; Case map
- 0426; 0446; Case map
- 0427; 0447; Case map
- 0428; 0448; Case map
- 0429; 0449; Case map
- 042A; 044A; Case map
- 042B; 044B; Case map
- 042C; 044C; Case map
- 042D; 044D; Case map
- 042E; 044E; Case map
- 042F; 044F; Case map
- 0460; 0461; Case map
- 0462; 0463; Case map
- 0464; 0465; Case map
- 0466; 0467; Case map
- 0468; 0469; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 67]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 046A; 046B; Case map
- 046C; 046D; Case map
- 046E; 046F; Case map
- 0470; 0471; Case map
- 0472; 0473; Case map
- 0474; 0475; Case map
- 0476; 0477; Case map
- 0478; 0479; Case map
- 047A; 047B; Case map
- 047C; 047D; Case map
- 047E; 047F; Case map
- 0480; 0481; Case map
- 048A; 048B; Case map
- 048C; 048D; Case map
- 048E; 048F; Case map
- 0490; 0491; Case map
- 0492; 0493; Case map
- 0494; 0495; Case map
- 0496; 0497; Case map
- 0498; 0499; Case map
- 049A; 049B; Case map
- 049C; 049D; Case map
- 049E; 049F; Case map
- 04A0; 04A1; Case map
- 04A2; 04A3; Case map
- 04A4; 04A5; Case map
- 04A6; 04A7; Case map
- 04A8; 04A9; Case map
- 04AA; 04AB; Case map
- 04AC; 04AD; Case map
- 04AE; 04AF; Case map
- 04B0; 04B1; Case map
- 04B2; 04B3; Case map
- 04B4; 04B5; Case map
- 04B6; 04B7; Case map
- 04B8; 04B9; Case map
- 04BA; 04BB; Case map
- 04BC; 04BD; Case map
- 04BE; 04BF; Case map
- 04C1; 04C2; Case map
- 04C3; 04C4; Case map
- 04C5; 04C6; Case map
- 04C7; 04C8; Case map
- 04C9; 04CA; Case map
- 04CB; 04CC; Case map
- 04CD; 04CE; Case map
- 04D0; 04D1; Case map
- 04D2; 04D3; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 68]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 04D4; 04D5; Case map
- 04D6; 04D7; Case map
- 04D8; 04D9; Case map
- 04DA; 04DB; Case map
- 04DC; 04DD; Case map
- 04DE; 04DF; Case map
- 04E0; 04E1; Case map
- 04E2; 04E3; Case map
- 04E4; 04E5; Case map
- 04E6; 04E7; Case map
- 04E8; 04E9; Case map
- 04EA; 04EB; Case map
- 04EC; 04ED; Case map
- 04EE; 04EF; Case map
- 04F0; 04F1; Case map
- 04F2; 04F3; Case map
- 04F4; 04F5; Case map
- 04F8; 04F9; Case map
- 0500; 0501; Case map
- 0502; 0503; Case map
- 0504; 0505; Case map
- 0506; 0507; Case map
- 0508; 0509; Case map
- 050A; 050B; Case map
- 050C; 050D; Case map
- 050E; 050F; Case map
- 0531; 0561; Case map
- 0532; 0562; Case map
- 0533; 0563; Case map
- 0534; 0564; Case map
- 0535; 0565; Case map
- 0536; 0566; Case map
- 0537; 0567; Case map
- 0538; 0568; Case map
- 0539; 0569; Case map
- 053A; 056A; Case map
- 053B; 056B; Case map
- 053C; 056C; Case map
- 053D; 056D; Case map
- 053E; 056E; Case map
- 053F; 056F; Case map
- 0540; 0570; Case map
- 0541; 0571; Case map
- 0542; 0572; Case map
- 0543; 0573; Case map
- 0544; 0574; Case map
- 0545; 0575; Case map
- 0546; 0576; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 69]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0547; 0577; Case map
- 0548; 0578; Case map
- 0549; 0579; Case map
- 054A; 057A; Case map
- 054B; 057B; Case map
- 054C; 057C; Case map
- 054D; 057D; Case map
- 054E; 057E; Case map
- 054F; 057F; Case map
- 0550; 0580; Case map
- 0551; 0581; Case map
- 0552; 0582; Case map
- 0553; 0583; Case map
- 0554; 0584; Case map
- 0555; 0585; Case map
- 0556; 0586; Case map
- 0587; 0565 0582; Case map
- 1E00; 1E01; Case map
- 1E02; 1E03; Case map
- 1E04; 1E05; Case map
- 1E06; 1E07; Case map
- 1E08; 1E09; Case map
- 1E0A; 1E0B; Case map
- 1E0C; 1E0D; Case map
- 1E0E; 1E0F; Case map
- 1E10; 1E11; Case map
- 1E12; 1E13; Case map
- 1E14; 1E15; Case map
- 1E16; 1E17; Case map
- 1E18; 1E19; Case map
- 1E1A; 1E1B; Case map
- 1E1C; 1E1D; Case map
- 1E1E; 1E1F; Case map
- 1E20; 1E21; Case map
- 1E22; 1E23; Case map
- 1E24; 1E25; Case map
- 1E26; 1E27; Case map
- 1E28; 1E29; Case map
- 1E2A; 1E2B; Case map
- 1E2C; 1E2D; Case map
- 1E2E; 1E2F; Case map
- 1E30; 1E31; Case map
- 1E32; 1E33; Case map
- 1E34; 1E35; Case map
- 1E36; 1E37; Case map
- 1E38; 1E39; Case map
- 1E3A; 1E3B; Case map
- 1E3C; 1E3D; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 70]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1E3E; 1E3F; Case map
- 1E40; 1E41; Case map
- 1E42; 1E43; Case map
- 1E44; 1E45; Case map
- 1E46; 1E47; Case map
- 1E48; 1E49; Case map
- 1E4A; 1E4B; Case map
- 1E4C; 1E4D; Case map
- 1E4E; 1E4F; Case map
- 1E50; 1E51; Case map
- 1E52; 1E53; Case map
- 1E54; 1E55; Case map
- 1E56; 1E57; Case map
- 1E58; 1E59; Case map
- 1E5A; 1E5B; Case map
- 1E5C; 1E5D; Case map
- 1E5E; 1E5F; Case map
- 1E60; 1E61; Case map
- 1E62; 1E63; Case map
- 1E64; 1E65; Case map
- 1E66; 1E67; Case map
- 1E68; 1E69; Case map
- 1E6A; 1E6B; Case map
- 1E6C; 1E6D; Case map
- 1E6E; 1E6F; Case map
- 1E70; 1E71; Case map
- 1E72; 1E73; Case map
- 1E74; 1E75; Case map
- 1E76; 1E77; Case map
- 1E78; 1E79; Case map
- 1E7A; 1E7B; Case map
- 1E7C; 1E7D; Case map
- 1E7E; 1E7F; Case map
- 1E80; 1E81; Case map
- 1E82; 1E83; Case map
- 1E84; 1E85; Case map
- 1E86; 1E87; Case map
- 1E88; 1E89; Case map
- 1E8A; 1E8B; Case map
- 1E8C; 1E8D; Case map
- 1E8E; 1E8F; Case map
- 1E90; 1E91; Case map
- 1E92; 1E93; Case map
- 1E94; 1E95; Case map
- 1E96; 0068 0331; Case map
- 1E97; 0074 0308; Case map
- 1E98; 0077 030A; Case map
- 1E99; 0079 030A; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 71]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1E9A; 0061 02BE; Case map
- 1E9B; 1E61; Case map
- 1EA0; 1EA1; Case map
- 1EA2; 1EA3; Case map
- 1EA4; 1EA5; Case map
- 1EA6; 1EA7; Case map
- 1EA8; 1EA9; Case map
- 1EAA; 1EAB; Case map
- 1EAC; 1EAD; Case map
- 1EAE; 1EAF; Case map
- 1EB0; 1EB1; Case map
- 1EB2; 1EB3; Case map
- 1EB4; 1EB5; Case map
- 1EB6; 1EB7; Case map
- 1EB8; 1EB9; Case map
- 1EBA; 1EBB; Case map
- 1EBC; 1EBD; Case map
- 1EBE; 1EBF; Case map
- 1EC0; 1EC1; Case map
- 1EC2; 1EC3; Case map
- 1EC4; 1EC5; Case map
- 1EC6; 1EC7; Case map
- 1EC8; 1EC9; Case map
- 1ECA; 1ECB; Case map
- 1ECC; 1ECD; Case map
- 1ECE; 1ECF; Case map
- 1ED0; 1ED1; Case map
- 1ED2; 1ED3; Case map
- 1ED4; 1ED5; Case map
- 1ED6; 1ED7; Case map
- 1ED8; 1ED9; Case map
- 1EDA; 1EDB; Case map
- 1EDC; 1EDD; Case map
- 1EDE; 1EDF; Case map
- 1EE0; 1EE1; Case map
- 1EE2; 1EE3; Case map
- 1EE4; 1EE5; Case map
- 1EE6; 1EE7; Case map
- 1EE8; 1EE9; Case map
- 1EEA; 1EEB; Case map
- 1EEC; 1EED; Case map
- 1EEE; 1EEF; Case map
- 1EF0; 1EF1; Case map
- 1EF2; 1EF3; Case map
- 1EF4; 1EF5; Case map
- 1EF6; 1EF7; Case map
- 1EF8; 1EF9; Case map
- 1F08; 1F00; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 72]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1F09; 1F01; Case map
- 1F0A; 1F02; Case map
- 1F0B; 1F03; Case map
- 1F0C; 1F04; Case map
- 1F0D; 1F05; Case map
- 1F0E; 1F06; Case map
- 1F0F; 1F07; Case map
- 1F18; 1F10; Case map
- 1F19; 1F11; Case map
- 1F1A; 1F12; Case map
- 1F1B; 1F13; Case map
- 1F1C; 1F14; Case map
- 1F1D; 1F15; Case map
- 1F28; 1F20; Case map
- 1F29; 1F21; Case map
- 1F2A; 1F22; Case map
- 1F2B; 1F23; Case map
- 1F2C; 1F24; Case map
- 1F2D; 1F25; Case map
- 1F2E; 1F26; Case map
- 1F2F; 1F27; Case map
- 1F38; 1F30; Case map
- 1F39; 1F31; Case map
- 1F3A; 1F32; Case map
- 1F3B; 1F33; Case map
- 1F3C; 1F34; Case map
- 1F3D; 1F35; Case map
- 1F3E; 1F36; Case map
- 1F3F; 1F37; Case map
- 1F48; 1F40; Case map
- 1F49; 1F41; Case map
- 1F4A; 1F42; Case map
- 1F4B; 1F43; Case map
- 1F4C; 1F44; Case map
- 1F4D; 1F45; Case map
- 1F50; 03C5 0313; Case map
- 1F52; 03C5 0313 0300; Case map
- 1F54; 03C5 0313 0301; Case map
- 1F56; 03C5 0313 0342; Case map
- 1F59; 1F51; Case map
- 1F5B; 1F53; Case map
- 1F5D; 1F55; Case map
- 1F5F; 1F57; Case map
- 1F68; 1F60; Case map
- 1F69; 1F61; Case map
- 1F6A; 1F62; Case map
- 1F6B; 1F63; Case map
- 1F6C; 1F64; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 73]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1F6D; 1F65; Case map
- 1F6E; 1F66; Case map
- 1F6F; 1F67; Case map
- 1F80; 1F00 03B9; Case map
- 1F81; 1F01 03B9; Case map
- 1F82; 1F02 03B9; Case map
- 1F83; 1F03 03B9; Case map
- 1F84; 1F04 03B9; Case map
- 1F85; 1F05 03B9; Case map
- 1F86; 1F06 03B9; Case map
- 1F87; 1F07 03B9; Case map
- 1F88; 1F00 03B9; Case map
- 1F89; 1F01 03B9; Case map
- 1F8A; 1F02 03B9; Case map
- 1F8B; 1F03 03B9; Case map
- 1F8C; 1F04 03B9; Case map
- 1F8D; 1F05 03B9; Case map
- 1F8E; 1F06 03B9; Case map
- 1F8F; 1F07 03B9; Case map
- 1F90; 1F20 03B9; Case map
- 1F91; 1F21 03B9; Case map
- 1F92; 1F22 03B9; Case map
- 1F93; 1F23 03B9; Case map
- 1F94; 1F24 03B9; Case map
- 1F95; 1F25 03B9; Case map
- 1F96; 1F26 03B9; Case map
- 1F97; 1F27 03B9; Case map
- 1F98; 1F20 03B9; Case map
- 1F99; 1F21 03B9; Case map
- 1F9A; 1F22 03B9; Case map
- 1F9B; 1F23 03B9; Case map
- 1F9C; 1F24 03B9; Case map
- 1F9D; 1F25 03B9; Case map
- 1F9E; 1F26 03B9; Case map
- 1F9F; 1F27 03B9; Case map
- 1FA0; 1F60 03B9; Case map
- 1FA1; 1F61 03B9; Case map
- 1FA2; 1F62 03B9; Case map
- 1FA3; 1F63 03B9; Case map
- 1FA4; 1F64 03B9; Case map
- 1FA5; 1F65 03B9; Case map
- 1FA6; 1F66 03B9; Case map
- 1FA7; 1F67 03B9; Case map
- 1FA8; 1F60 03B9; Case map
- 1FA9; 1F61 03B9; Case map
- 1FAA; 1F62 03B9; Case map
- 1FAB; 1F63 03B9; Case map
- 1FAC; 1F64 03B9; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 74]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1FAD; 1F65 03B9; Case map
- 1FAE; 1F66 03B9; Case map
- 1FAF; 1F67 03B9; Case map
- 1FB2; 1F70 03B9; Case map
- 1FB3; 03B1 03B9; Case map
- 1FB4; 03AC 03B9; Case map
- 1FB6; 03B1 0342; Case map
- 1FB7; 03B1 0342 03B9; Case map
- 1FB8; 1FB0; Case map
- 1FB9; 1FB1; Case map
- 1FBA; 1F70; Case map
- 1FBB; 1F71; Case map
- 1FBC; 03B1 03B9; Case map
- 1FBE; 03B9; Case map
- 1FC2; 1F74 03B9; Case map
- 1FC3; 03B7 03B9; Case map
- 1FC4; 03AE 03B9; Case map
- 1FC6; 03B7 0342; Case map
- 1FC7; 03B7 0342 03B9; Case map
- 1FC8; 1F72; Case map
- 1FC9; 1F73; Case map
- 1FCA; 1F74; Case map
- 1FCB; 1F75; Case map
- 1FCC; 03B7 03B9; Case map
- 1FD2; 03B9 0308 0300; Case map
- 1FD3; 03B9 0308 0301; Case map
- 1FD6; 03B9 0342; Case map
- 1FD7; 03B9 0308 0342; Case map
- 1FD8; 1FD0; Case map
- 1FD9; 1FD1; Case map
- 1FDA; 1F76; Case map
- 1FDB; 1F77; Case map
- 1FE2; 03C5 0308 0300; Case map
- 1FE3; 03C5 0308 0301; Case map
- 1FE4; 03C1 0313; Case map
- 1FE6; 03C5 0342; Case map
- 1FE7; 03C5 0308 0342; Case map
- 1FE8; 1FE0; Case map
- 1FE9; 1FE1; Case map
- 1FEA; 1F7A; Case map
- 1FEB; 1F7B; Case map
- 1FEC; 1FE5; Case map
- 1FF2; 1F7C 03B9; Case map
- 1FF3; 03C9 03B9; Case map
- 1FF4; 03CE 03B9; Case map
- 1FF6; 03C9 0342; Case map
- 1FF7; 03C9 0342 03B9; Case map
- 1FF8; 1F78; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 75]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1FF9; 1F79; Case map
- 1FFA; 1F7C; Case map
- 1FFB; 1F7D; Case map
- 1FFC; 03C9 03B9; Case map
- 2126; 03C9; Case map
- 212A; 006B; Case map
- 212B; 00E5; Case map
- 2160; 2170; Case map
- 2161; 2171; Case map
- 2162; 2172; Case map
- 2163; 2173; Case map
- 2164; 2174; Case map
- 2165; 2175; Case map
- 2166; 2176; Case map
- 2167; 2177; Case map
- 2168; 2178; Case map
- 2169; 2179; Case map
- 216A; 217A; Case map
- 216B; 217B; Case map
- 216C; 217C; Case map
- 216D; 217D; Case map
- 216E; 217E; Case map
- 216F; 217F; Case map
- 24B6; 24D0; Case map
- 24B7; 24D1; Case map
- 24B8; 24D2; Case map
- 24B9; 24D3; Case map
- 24BA; 24D4; Case map
- 24BB; 24D5; Case map
- 24BC; 24D6; Case map
- 24BD; 24D7; Case map
- 24BE; 24D8; Case map
- 24BF; 24D9; Case map
- 24C0; 24DA; Case map
- 24C1; 24DB; Case map
- 24C2; 24DC; Case map
- 24C3; 24DD; Case map
- 24C4; 24DE; Case map
- 24C5; 24DF; Case map
- 24C6; 24E0; Case map
- 24C7; 24E1; Case map
- 24C8; 24E2; Case map
- 24C9; 24E3; Case map
- 24CA; 24E4; Case map
- 24CB; 24E5; Case map
- 24CC; 24E6; Case map
- 24CD; 24E7; Case map
- 24CE; 24E8; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 76]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 24CF; 24E9; Case map
- FB00; 0066 0066; Case map
- FB01; 0066 0069; Case map
- FB02; 0066 006C; Case map
- FB03; 0066 0066 0069; Case map
- FB04; 0066 0066 006C; Case map
- FB05; 0073 0074; Case map
- FB06; 0073 0074; Case map
- FB13; 0574 0576; Case map
- FB14; 0574 0565; Case map
- FB15; 0574 056B; Case map
- FB16; 057E 0576; Case map
- FB17; 0574 056D; Case map
- FF21; FF41; Case map
- FF22; FF42; Case map
- FF23; FF43; Case map
- FF24; FF44; Case map
- FF25; FF45; Case map
- FF26; FF46; Case map
- FF27; FF47; Case map
- FF28; FF48; Case map
- FF29; FF49; Case map
- FF2A; FF4A; Case map
- FF2B; FF4B; Case map
- FF2C; FF4C; Case map
- FF2D; FF4D; Case map
- FF2E; FF4E; Case map
- FF2F; FF4F; Case map
- FF30; FF50; Case map
- FF31; FF51; Case map
- FF32; FF52; Case map
- FF33; FF53; Case map
- FF34; FF54; Case map
- FF35; FF55; Case map
- FF36; FF56; Case map
- FF37; FF57; Case map
- FF38; FF58; Case map
- FF39; FF59; Case map
- FF3A; FF5A; Case map
- 10400; 10428; Case map
- 10401; 10429; Case map
- 10402; 1042A; Case map
- 10403; 1042B; Case map
- 10404; 1042C; Case map
- 10405; 1042D; Case map
- 10406; 1042E; Case map
- 10407; 1042F; Case map
- 10408; 10430; Case map
-
-
-
-Hoffman & Blanchet Standards Track [Page 77]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 10409; 10431; Case map
- 1040A; 10432; Case map
- 1040B; 10433; Case map
- 1040C; 10434; Case map
- 1040D; 10435; Case map
- 1040E; 10436; Case map
- 1040F; 10437; Case map
- 10410; 10438; Case map
- 10411; 10439; Case map
- 10412; 1043A; Case map
- 10413; 1043B; Case map
- 10414; 1043C; Case map
- 10415; 1043D; Case map
- 10416; 1043E; Case map
- 10417; 1043F; Case map
- 10418; 10440; Case map
- 10419; 10441; Case map
- 1041A; 10442; Case map
- 1041B; 10443; Case map
- 1041C; 10444; Case map
- 1041D; 10445; Case map
- 1041E; 10446; Case map
- 1041F; 10447; Case map
- 10420; 10448; Case map
- 10421; 10449; Case map
- 10422; 1044A; Case map
- 10423; 1044B; Case map
- 10424; 1044C; Case map
- 10425; 1044D; Case map
- ----- End Table B.3 -----
-
-C. Prohibition tables
-
- The tables in this appendix consist of lines with one prohibited code
- point per line. The format of the lines are the value of the code
- point, a semicolon, and a comment which is the name of the code
- point.
-
-C.1 Space characters
-
-C.1.1 ASCII space characters
-
- ----- Start Table C.1.1 -----
- 0020; SPACE
- ----- End Table C.1.1 -----
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 78]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
-C.1.2 Non-ASCII space characters
- ----- Start Table C.1.2 -----
- 00A0; NO-BREAK SPACE
- 1680; OGHAM SPACE MARK
- 2000; EN QUAD
- 2001; EM QUAD
- 2002; EN SPACE
- 2003; EM SPACE
- 2004; THREE-PER-EM SPACE
- 2005; FOUR-PER-EM SPACE
- 2006; SIX-PER-EM SPACE
- 2007; FIGURE SPACE
- 2008; PUNCTUATION SPACE
- 2009; THIN SPACE
- 200A; HAIR SPACE
- 200B; ZERO WIDTH SPACE
- 202F; NARROW NO-BREAK SPACE
- 205F; MEDIUM MATHEMATICAL SPACE
- 3000; IDEOGRAPHIC SPACE
- ----- End Table C.1.2 -----
-
-C.2 Control characters
-
-C.2.1 ASCII control characters
-
- ----- Start Table C.2.1 -----
- 0000-001F; [CONTROL CHARACTERS]
- 007F; DELETE
- ----- End Table C.2.1 -----
-
-C.2.2 Non-ASCII control characters
-
- ----- Start Table C.2.2 -----
- 0080-009F; [CONTROL CHARACTERS]
- 06DD; ARABIC END OF AYAH
- 070F; SYRIAC ABBREVIATION MARK
- 180E; MONGOLIAN VOWEL SEPARATOR
- 200C; ZERO WIDTH NON-JOINER
- 200D; ZERO WIDTH JOINER
- 2028; LINE SEPARATOR
- 2029; PARAGRAPH SEPARATOR
- 2060; WORD JOINER
- 2061; FUNCTION APPLICATION
- 2062; INVISIBLE TIMES
- 2063; INVISIBLE SEPARATOR
- 206A-206F; [CONTROL CHARACTERS]
- FEFF; ZERO WIDTH NO-BREAK SPACE
- FFF9-FFFC; [CONTROL CHARACTERS]
-
-
-
-Hoffman & Blanchet Standards Track [Page 79]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D173-1D17A; [MUSICAL CONTROL CHARACTERS]
- ----- End Table C.2.2 -----
-
-C.3 Private use
-
- ----- Start Table C.3 -----
- E000-F8FF; [PRIVATE USE, PLANE 0]
- F0000-FFFFD; [PRIVATE USE, PLANE 15]
- 100000-10FFFD; [PRIVATE USE, PLANE 16]
- ----- End Table C.3 -----
-
-C.4 Non-character code points
-
- ----- Start Table C.4 -----
- FDD0-FDEF; [NONCHARACTER CODE POINTS]
- FFFE-FFFF; [NONCHARACTER CODE POINTS]
- 1FFFE-1FFFF; [NONCHARACTER CODE POINTS]
- 2FFFE-2FFFF; [NONCHARACTER CODE POINTS]
- 3FFFE-3FFFF; [NONCHARACTER CODE POINTS]
- 4FFFE-4FFFF; [NONCHARACTER CODE POINTS]
- 5FFFE-5FFFF; [NONCHARACTER CODE POINTS]
- 6FFFE-6FFFF; [NONCHARACTER CODE POINTS]
- 7FFFE-7FFFF; [NONCHARACTER CODE POINTS]
- 8FFFE-8FFFF; [NONCHARACTER CODE POINTS]
- 9FFFE-9FFFF; [NONCHARACTER CODE POINTS]
- AFFFE-AFFFF; [NONCHARACTER CODE POINTS]
- BFFFE-BFFFF; [NONCHARACTER CODE POINTS]
- CFFFE-CFFFF; [NONCHARACTER CODE POINTS]
- DFFFE-DFFFF; [NONCHARACTER CODE POINTS]
- EFFFE-EFFFF; [NONCHARACTER CODE POINTS]
- FFFFE-FFFFF; [NONCHARACTER CODE POINTS]
- 10FFFE-10FFFF; [NONCHARACTER CODE POINTS]
- ----- End Table C.4 -----
-
-C.5 Surrogate codes
-
- ----- Start Table C.5 -----
- D800-DFFF; [SURROGATE CODES]
- ----- End Table C.5 -----
-
-C.6 Inappropriate for plain text
-
- ----- Start Table C.6 -----
- FFF9; INTERLINEAR ANNOTATION ANCHOR
- FFFA; INTERLINEAR ANNOTATION SEPARATOR
- FFFB; INTERLINEAR ANNOTATION TERMINATOR
- FFFC; OBJECT REPLACEMENT CHARACTER
- FFFD; REPLACEMENT CHARACTER
-
-
-
-Hoffman & Blanchet Standards Track [Page 80]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- ----- End Table C.6 -----
-
-C.7 Inappropriate for canonical representation
-
- ----- Start Table C.7 -----
- 2FF0-2FFB; [IDEOGRAPHIC DESCRIPTION CHARACTERS]
- ----- End Table C.7 -----
-
-C.8 Change display properties or are deprecated
-
- ----- Start Table C.8 -----
- 0340; COMBINING GRAVE TONE MARK
- 0341; COMBINING ACUTE TONE MARK
- 200E; LEFT-TO-RIGHT MARK
- 200F; RIGHT-TO-LEFT MARK
- 202A; LEFT-TO-RIGHT EMBEDDING
- 202B; RIGHT-TO-LEFT EMBEDDING
- 202C; POP DIRECTIONAL FORMATTING
- 202D; LEFT-TO-RIGHT OVERRIDE
- 202E; RIGHT-TO-LEFT OVERRIDE
- 206A; INHIBIT SYMMETRIC SWAPPING
- 206B; ACTIVATE SYMMETRIC SWAPPING
- 206C; INHIBIT ARABIC FORM SHAPING
- 206D; ACTIVATE ARABIC FORM SHAPING
- 206E; NATIONAL DIGIT SHAPES
- 206F; NOMINAL DIGIT SHAPES
- ----- End Table C.8 -----
-
-C.9 Tagging characters
-
- ----- Start Table C.9 -----
- E0001; LANGUAGE TAG
- E0020-E007F; [TAGGING CHARACTERS]
- ----- End Table C.9 -----
-
-D. Bidirectional tables
-
-D.1 Characters with bidirectional property "R" or "AL"
-
- ----- Start Table D.1 -----
- 05BE
- 05C0
- 05C3
- 05D0-05EA
- 05F0-05F4
- 061B
- 061F
- 0621-063A
-
-
-
-Hoffman & Blanchet Standards Track [Page 81]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0640-064A
- 066D-066F
- 0671-06D5
- 06DD
- 06E5-06E6
- 06FA-06FE
- 0700-070D
- 0710
- 0712-072C
- 0780-07A5
- 07B1
- 200F
- FB1D
- FB1F-FB28
- FB2A-FB36
- FB38-FB3C
- FB3E
- FB40-FB41
- FB43-FB44
- FB46-FBB1
- FBD3-FD3D
- FD50-FD8F
- FD92-FDC7
- FDF0-FDFC
- FE70-FE74
- FE76-FEFC
- ----- End Table D.1 -----
-
-D.2 Characters with bidirectional property "L"
-
- ----- Start Table D.2 -----
- 0041-005A
- 0061-007A
- 00AA
- 00B5
- 00BA
- 00C0-00D6
- 00D8-00F6
- 00F8-0220
- 0222-0233
- 0250-02AD
- 02B0-02B8
- 02BB-02C1
- 02D0-02D1
- 02E0-02E4
- 02EE
- 037A
- 0386
-
-
-
-Hoffman & Blanchet Standards Track [Page 82]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0388-038A
- 038C
- 038E-03A1
- 03A3-03CE
- 03D0-03F5
- 0400-0482
- 048A-04CE
- 04D0-04F5
- 04F8-04F9
- 0500-050F
- 0531-0556
- 0559-055F
- 0561-0587
- 0589
- 0903
- 0905-0939
- 093D-0940
- 0949-094C
- 0950
- 0958-0961
- 0964-0970
- 0982-0983
- 0985-098C
- 098F-0990
- 0993-09A8
- 09AA-09B0
- 09B2
- 09B6-09B9
- 09BE-09C0
- 09C7-09C8
- 09CB-09CC
- 09D7
- 09DC-09DD
- 09DF-09E1
- 09E6-09F1
- 09F4-09FA
- 0A05-0A0A
- 0A0F-0A10
- 0A13-0A28
- 0A2A-0A30
- 0A32-0A33
- 0A35-0A36
- 0A38-0A39
- 0A3E-0A40
- 0A59-0A5C
- 0A5E
- 0A66-0A6F
- 0A72-0A74
-
-
-
-Hoffman & Blanchet Standards Track [Page 83]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0A83
- 0A85-0A8B
- 0A8D
- 0A8F-0A91
- 0A93-0AA8
- 0AAA-0AB0
- 0AB2-0AB3
- 0AB5-0AB9
- 0ABD-0AC0
- 0AC9
- 0ACB-0ACC
- 0AD0
- 0AE0
- 0AE6-0AEF
- 0B02-0B03
- 0B05-0B0C
- 0B0F-0B10
- 0B13-0B28
- 0B2A-0B30
- 0B32-0B33
- 0B36-0B39
- 0B3D-0B3E
- 0B40
- 0B47-0B48
- 0B4B-0B4C
- 0B57
- 0B5C-0B5D
- 0B5F-0B61
- 0B66-0B70
- 0B83
- 0B85-0B8A
- 0B8E-0B90
- 0B92-0B95
- 0B99-0B9A
- 0B9C
- 0B9E-0B9F
- 0BA3-0BA4
- 0BA8-0BAA
- 0BAE-0BB5
- 0BB7-0BB9
- 0BBE-0BBF
- 0BC1-0BC2
- 0BC6-0BC8
- 0BCA-0BCC
- 0BD7
- 0BE7-0BF2
- 0C01-0C03
- 0C05-0C0C
-
-
-
-Hoffman & Blanchet Standards Track [Page 84]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0C0E-0C10
- 0C12-0C28
- 0C2A-0C33
- 0C35-0C39
- 0C41-0C44
- 0C60-0C61
- 0C66-0C6F
- 0C82-0C83
- 0C85-0C8C
- 0C8E-0C90
- 0C92-0CA8
- 0CAA-0CB3
- 0CB5-0CB9
- 0CBE
- 0CC0-0CC4
- 0CC7-0CC8
- 0CCA-0CCB
- 0CD5-0CD6
- 0CDE
- 0CE0-0CE1
- 0CE6-0CEF
- 0D02-0D03
- 0D05-0D0C
- 0D0E-0D10
- 0D12-0D28
- 0D2A-0D39
- 0D3E-0D40
- 0D46-0D48
- 0D4A-0D4C
- 0D57
- 0D60-0D61
- 0D66-0D6F
- 0D82-0D83
- 0D85-0D96
- 0D9A-0DB1
- 0DB3-0DBB
- 0DBD
- 0DC0-0DC6
- 0DCF-0DD1
- 0DD8-0DDF
- 0DF2-0DF4
- 0E01-0E30
- 0E32-0E33
- 0E40-0E46
- 0E4F-0E5B
- 0E81-0E82
- 0E84
- 0E87-0E88
-
-
-
-Hoffman & Blanchet Standards Track [Page 85]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 0E8A
- 0E8D
- 0E94-0E97
- 0E99-0E9F
- 0EA1-0EA3
- 0EA5
- 0EA7
- 0EAA-0EAB
- 0EAD-0EB0
- 0EB2-0EB3
- 0EBD
- 0EC0-0EC4
- 0EC6
- 0ED0-0ED9
- 0EDC-0EDD
- 0F00-0F17
- 0F1A-0F34
- 0F36
- 0F38
- 0F3E-0F47
- 0F49-0F6A
- 0F7F
- 0F85
- 0F88-0F8B
- 0FBE-0FC5
- 0FC7-0FCC
- 0FCF
- 1000-1021
- 1023-1027
- 1029-102A
- 102C
- 1031
- 1038
- 1040-1057
- 10A0-10C5
- 10D0-10F8
- 10FB
- 1100-1159
- 115F-11A2
- 11A8-11F9
- 1200-1206
- 1208-1246
- 1248
- 124A-124D
- 1250-1256
- 1258
- 125A-125D
- 1260-1286
-
-
-
-Hoffman & Blanchet Standards Track [Page 86]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1288
- 128A-128D
- 1290-12AE
- 12B0
- 12B2-12B5
- 12B8-12BE
- 12C0
- 12C2-12C5
- 12C8-12CE
- 12D0-12D6
- 12D8-12EE
- 12F0-130E
- 1310
- 1312-1315
- 1318-131E
- 1320-1346
- 1348-135A
- 1361-137C
- 13A0-13F4
- 1401-1676
- 1681-169A
- 16A0-16F0
- 1700-170C
- 170E-1711
- 1720-1731
- 1735-1736
- 1740-1751
- 1760-176C
- 176E-1770
- 1780-17B6
- 17BE-17C5
- 17C7-17C8
- 17D4-17DA
- 17DC
- 17E0-17E9
- 1810-1819
- 1820-1877
- 1880-18A8
- 1E00-1E9B
- 1EA0-1EF9
- 1F00-1F15
- 1F18-1F1D
- 1F20-1F45
- 1F48-1F4D
- 1F50-1F57
- 1F59
- 1F5B
- 1F5D
-
-
-
-Hoffman & Blanchet Standards Track [Page 87]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1F5F-1F7D
- 1F80-1FB4
- 1FB6-1FBC
- 1FBE
- 1FC2-1FC4
- 1FC6-1FCC
- 1FD0-1FD3
- 1FD6-1FDB
- 1FE0-1FEC
- 1FF2-1FF4
- 1FF6-1FFC
- 200E
- 2071
- 207F
- 2102
- 2107
- 210A-2113
- 2115
- 2119-211D
- 2124
- 2126
- 2128
- 212A-212D
- 212F-2131
- 2133-2139
- 213D-213F
- 2145-2149
- 2160-2183
- 2336-237A
- 2395
- 249C-24E9
- 3005-3007
- 3021-3029
- 3031-3035
- 3038-303C
- 3041-3096
- 309D-309F
- 30A1-30FA
- 30FC-30FF
- 3105-312C
- 3131-318E
- 3190-31B7
- 31F0-321C
- 3220-3243
- 3260-327B
- 327F-32B0
- 32C0-32CB
- 32D0-32FE
-
-
-
-Hoffman & Blanchet Standards Track [Page 88]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 3300-3376
- 337B-33DD
- 33E0-33FE
- 3400-4DB5
- 4E00-9FA5
- A000-A48C
- AC00-D7A3
- D800-FA2D
- FA30-FA6A
- FB00-FB06
- FB13-FB17
- FF21-FF3A
- FF41-FF5A
- FF66-FFBE
- FFC2-FFC7
- FFCA-FFCF
- FFD2-FFD7
- FFDA-FFDC
- 10300-1031E
- 10320-10323
- 10330-1034A
- 10400-10425
- 10428-1044D
- 1D000-1D0F5
- 1D100-1D126
- 1D12A-1D166
- 1D16A-1D172
- 1D183-1D184
- 1D18C-1D1A9
- 1D1AE-1D1DD
- 1D400-1D454
- 1D456-1D49C
- 1D49E-1D49F
- 1D4A2
- 1D4A5-1D4A6
- 1D4A9-1D4AC
- 1D4AE-1D4B9
- 1D4BB
- 1D4BD-1D4C0
- 1D4C2-1D4C3
- 1D4C5-1D505
- 1D507-1D50A
- 1D50D-1D514
- 1D516-1D51C
- 1D51E-1D539
- 1D53B-1D53E
- 1D540-1D544
- 1D546
-
-
-
-Hoffman & Blanchet Standards Track [Page 89]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
- 1D54A-1D550
- 1D552-1D6A3
- 1D6A8-1D7C9
- 20000-2A6D6
- 2F800-2FA1D
- F0000-FFFFD
- 100000-10FFFD
- ----- End Table D.2 -----
-
-Authors' Addresses
-
- Paul Hoffman
- Internet Mail Consortium and VPN Consortium
- 127 Segre Place
- Santa Cruz, CA 95060 USA
-
- EMail: paul.hoffman at imc.org and paul.hoffman at vpnc.org
-
-
- Marc Blanchet
- Viagenie inc.
- 2875 boul. Laurier, bur. 300
- Ste-Foy, Quebec, Canada, G1V 2M2
-
- EMail: Marc.Blanchet at viagenie.qc.ca
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 90]
-�
-RFC 3454 Preparation of Internationalized Strings December 2002
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 91]
-�
Deleted: branches/samba/upstream/source4/heimdal/lib/wind/rfc3490.txt
===================================================================
--- branches/samba/upstream/source4/heimdal/lib/wind/rfc3490.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/heimdal/lib/wind/rfc3490.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1235 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Faltstrom
-Request for Comments: 3490 Cisco
-Category: Standards Track P. Hoffman
- IMC & VPNC
- A. Costello
- UC Berkeley
- March 2003
-
-
- Internationalizing Domain Names in Applications (IDNA)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- Until now, there has been no standard method for domain names to use
- characters outside the ASCII repertoire. This document defines
- internationalized domain names (IDNs) and a mechanism called
- Internationalizing Domain Names in Applications (IDNA) for handling
- them in a standard fashion. IDNs use characters drawn from a large
- repertoire (Unicode), but IDNA allows the non-ASCII characters to be
- represented using only the ASCII characters already allowed in so-
- called host names today. This backward-compatible representation is
- required in existing protocols like DNS, so that IDNs can be
- introduced with no changes to the existing infrastructure. IDNA is
- only meant for processing domain names, not free text.
-
-Table of Contents
-
- 1. Introduction.................................................. 2
- 1.1 Problem Statement......................................... 3
- 1.2 Limitations of IDNA....................................... 3
- 1.3 Brief overview for application developers................. 4
- 2. Terminology................................................... 5
- 3. Requirements and applicability................................ 7
- 3.1 Requirements.............................................. 7
- 3.2 Applicability............................................. 8
- 3.2.1. DNS resource records................................ 8
-
-
-
-Faltstrom, et al. Standards Track [Page 1]
-�
-RFC 3490 IDNA March 2003
-
-
- 3.2.2. Non-domain-name data types stored in domain names... 9
- 4. Conversion operations......................................... 9
- 4.1 ToASCII................................................... 10
- 4.2 ToUnicode................................................. 11
- 5. ACE prefix.................................................... 12
- 6. Implications for typical applications using DNS............... 13
- 6.1 Entry and display in applications......................... 14
- 6.2 Applications and resolver libraries....................... 15
- 6.3 DNS servers............................................... 15
- 6.4 Avoiding exposing users to the raw ACE encoding........... 16
- 6.5 DNSSEC authentication of IDN domain names................ 16
- 7. Name server considerations.................................... 17
- 8. Root server considerations.................................... 17
- 9. References.................................................... 18
- 9.1 Normative References...................................... 18
- 9.2 Informative References.................................... 18
- 10. Security Considerations...................................... 19
- 11. IANA Considerations.......................................... 20
- 12. Authors' Addresses........................................... 21
- 13. Full Copyright Statement..................................... 22
-
-1. Introduction
-
- IDNA works by allowing applications to use certain ASCII name labels
- (beginning with a special prefix) to represent non-ASCII name labels.
- Lower-layer protocols need not be aware of this; therefore IDNA does
- not depend on changes to any infrastructure. In particular, IDNA
- does not depend on any changes to DNS servers, resolvers, or protocol
- elements, because the ASCII name service provided by the existing DNS
- is entirely sufficient for IDNA.
-
- This document does not require any applications to conform to IDNA,
- but applications can elect to use IDNA in order to support IDN while
- maintaining interoperability with existing infrastructure. If an
- application wants to use non-ASCII characters in domain names, IDNA
- is the only currently-defined option. Adding IDNA support to an
- existing application entails changes to the application only, and
- leaves room for flexibility in the user interface.
-
- A great deal of the discussion of IDN solutions has focused on
- transition issues and how IDN will work in a world where not all of
- the components have been updated. Proposals that were not chosen by
- the IDN Working Group would depend on user applications, resolvers,
- and DNS servers being updated in order for a user to use an
- internationalized domain name. Rather than rely on widespread
- updating of all components, IDNA depends on updates to user
- applications only; no changes are needed to the DNS protocol or any
- DNS servers or the resolvers on user's computers.
-
-
-
-Faltstrom, et al. Standards Track [Page 2]
-�
-RFC 3490 IDNA March 2003
-
-
-1.1 Problem Statement
-
- The IDNA specification solves the problem of extending the repertoire
- of characters that can be used in domain names to include the Unicode
- repertoire (with some restrictions).
-
- IDNA does not extend the service offered by DNS to the applications.
- Instead, the applications (and, by implication, the users) continue
- to see an exact-match lookup service. Either there is a single
- exactly-matching name or there is no match. This model has served
- the existing applications well, but it requires, with or without
- internationalized domain names, that users know the exact spelling of
- the domain names that the users type into applications such as web
- browsers and mail user agents. The introduction of the larger
- repertoire of characters potentially makes the set of misspellings
- larger, especially given that in some cases the same appearance, for
- example on a business card, might visually match several Unicode code
- points or several sequences of code points.
-
- IDNA allows the graceful introduction of IDNs not only by avoiding
- upgrades to existing infrastructure (such as DNS servers and mail
- transport agents), but also by allowing some rudimentary use of IDNs
- in applications by using the ASCII representation of the non-ASCII
- name labels. While such names are very user-unfriendly to read and
- type, and hence are not suitable for user input, they allow (for
- instance) replying to email and clicking on URLs even though the
- domain name displayed is incomprehensible to the user. In order to
- allow user-friendly input and output of the IDNs, the applications
- need to be modified to conform to this specification.
-
- IDNA uses the Unicode character repertoire, which avoids the
- significant delays that would be inherent in waiting for a different
- and specific character set be defined for IDN purposes by some other
- standards developing organization.
-
-1.2 Limitations of IDNA
-
- The IDNA protocol does not solve all linguistic issues with users
- inputting names in different scripts. Many important language-based
- and script-based mappings are not covered in IDNA and need to be
- handled outside the protocol. For example, names that are entered in
- a mix of traditional and simplified Chinese characters will not be
- mapped to a single canonical name. Another example is Scandinavian
- names that are entered with U+00F6 (LATIN SMALL LETTER O WITH
- DIAERESIS) will not be mapped to U+00F8 (LATIN SMALL LETTER O WITH
- STROKE).
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 3]
-�
-RFC 3490 IDNA March 2003
-
-
- An example of an important issue that is not considered in detail in
- IDNA is how to provide a high probability that a user who is entering
- a domain name based on visual information (such as from a business
- card or billboard) or aural information (such as from a telephone or
- radio) would correctly enter the IDN. Similar issues exist for ASCII
- domain names, for example the possible visual confusion between the
- letter 'O' and the digit zero, but the introduction of the larger
- repertoire of characters creates more opportunities of similar
- looking and similar sounding names. Note that this is a complex
- issue relating to languages, input methods on computers, and so on.
- Furthermore, the kind of matching and searching necessary for a high
- probability of success would not fit the role of the DNS and its
- exact matching function.
-
-1.3 Brief overview for application developers
-
- Applications can use IDNA to support internationalized domain names
- anywhere that ASCII domain names are already supported, including DNS
- master files and resolver interfaces. (Applications can also define
- protocols and interfaces that support IDNs directly using non-ASCII
- representations. IDNA does not prescribe any particular
- representation for new protocols, but it still defines which names
- are valid and how they are compared.)
-
- The IDNA protocol is contained completely within applications. It is
- not a client-server or peer-to-peer protocol: everything is done
- inside the application itself. When used with a DNS resolver
- library, IDNA is inserted as a "shim" between the application and the
- resolver library. When used for writing names into a DNS zone, IDNA
- is used just before the name is committed to the zone.
-
- There are two operations described in section 4 of this document:
-
- - The ToASCII operation is used before sending an IDN to something
- that expects ASCII names (such as a resolver) or writing an IDN
- into a place that expects ASCII names (such as a DNS master file).
-
- - The ToUnicode operation is used when displaying names to users,
- for example names obtained from a DNS zone.
-
- It is important to note that the ToASCII operation can fail. If it
- fails when processing a domain name, that domain name cannot be used
- as an internationalized domain name and the application has to have
- some method of dealing with this failure.
-
- IDNA requires that implementations process input strings with
- Nameprep [NAMEPREP], which is a profile of Stringprep [STRINGPREP],
- and then with Punycode [PUNYCODE]. Implementations of IDNA MUST
-
-
-
-Faltstrom, et al. Standards Track [Page 4]
-�
-RFC 3490 IDNA March 2003
-
-
- fully implement Nameprep and Punycode; neither Nameprep nor Punycode
- are optional.
-
-2. Terminology
-
- The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
- and "MAY" in this document are to be interpreted as described in BCP
- 14, RFC 2119 [RFC2119].
-
- A code point is an integer value associated with a character in a
- coded character set.
-
- Unicode [UNICODE] is a coded character set containing tens of
- thousands of characters. A single Unicode code point is denoted by
- "U+" followed by four to six hexadecimal digits, while a range of
- Unicode code points is denoted by two hexadecimal numbers separated
- by "..", with no prefixes.
-
- ASCII means US-ASCII [USASCII], a coded character set containing 128
- characters associated with code points in the range 0..7F. Unicode
- is an extension of ASCII: it includes all the ASCII characters and
- associates them with the same code points.
-
- The term "LDH code points" is defined in this document to mean the
- code points associated with ASCII letters, digits, and the hyphen-
- minus; that is, U+002D, 30..39, 41..5A, and 61..7A. "LDH" is an
- abbreviation for "letters, digits, hyphen".
-
- [STD13] talks about "domain names" and "host names", but many people
- use the terms interchangeably. Further, because [STD13] was not
- terribly clear, many people who are sure they know the exact
- definitions of each of these terms disagree on the definitions. In
- this document the term "domain name" is used in general. This
- document explicitly cites [STD3] whenever referring to the host name
- syntax restrictions defined therein.
-
- A label is an individual part of a domain name. Labels are usually
- shown separated by dots; for example, the domain name
- "www.example.com" is composed of three labels: "www", "example", and
- "com". (The zero-length root label described in [STD13], which can
- be explicit as in "www.example.com." or implicit as in
- "www.example.com", is not considered a label in this specification.)
- IDNA extends the set of usable characters in labels that are text.
- For the rest of this document, the term "label" is shorthand for
- "text label", and "every label" means "every text label".
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 5]
-�
-RFC 3490 IDNA March 2003
-
-
- An "internationalized label" is a label to which the ToASCII
- operation (see section 4) can be applied without failing (with the
- UseSTD3ASCIIRules flag unset). This implies that every ASCII label
- that satisfies the [STD13] length restriction is an internationalized
- label. Therefore the term "internationalized label" is a
- generalization, embracing both old ASCII labels and new non-ASCII
- labels. Although most Unicode characters can appear in
- internationalized labels, ToASCII will fail for some input strings,
- and such strings are not valid internationalized labels.
-
- An "internationalized domain name" (IDN) is a domain name in which
- every label is an internationalized label. This implies that every
- ASCII domain name is an IDN (which implies that it is possible for a
- name to be an IDN without it containing any non-ASCII characters).
- This document does not attempt to define an "internationalized host
- name". Just as has been the case with ASCII names, some DNS zone
- administrators may impose restrictions, beyond those imposed by DNS
- or IDNA, on the characters or strings that may be registered as
- labels in their zones. Such restrictions have no impact on the
- syntax or semantics of DNS protocol messages; a query for a name that
- matches no records will yield the same response regardless of the
- reason why it is not in the zone. Clients issuing queries or
- interpreting responses cannot be assumed to have any knowledge of
- zone-specific restrictions or conventions.
-
- In IDNA, equivalence of labels is defined in terms of the ToASCII
- operation, which constructs an ASCII form for a given label, whether
- or not the label was already an ASCII label. Labels are defined to
- be equivalent if and only if their ASCII forms produced by ToASCII
- match using a case-insensitive ASCII comparison. ASCII labels
- already have a notion of equivalence: upper case and lower case are
- considered equivalent. The IDNA notion of equivalence is an
- extension of that older notion. Equivalent labels in IDNA are
- treated as alternate forms of the same label, just as "foo" and "Foo"
- are treated as alternate forms of the same label.
-
- To allow internationalized labels to be handled by existing
- applications, IDNA uses an "ACE label" (ACE stands for ASCII
- Compatible Encoding). An ACE label is an internationalized label
- that can be rendered in ASCII and is equivalent to an
- internationalized label that cannot be rendered in ASCII. Given any
- internationalized label that cannot be rendered in ASCII, the ToASCII
- operation will convert it to an equivalent ACE label (whereas an
- ASCII label will be left unaltered by ToASCII). ACE labels are
- unsuitable for display to users. The ToUnicode operation will
- convert any label to an equivalent non-ACE label. In fact, an ACE
- label is formally defined to be any label that the ToUnicode
- operation would alter (whereas non-ACE labels are left unaltered by
-
-
-
-Faltstrom, et al. Standards Track [Page 6]
-�
-RFC 3490 IDNA March 2003
-
-
- ToUnicode). Every ACE label begins with the ACE prefix specified in
- section 5. The ToASCII and ToUnicode operations are specified in
- section 4.
-
- The "ACE prefix" is defined in this document to be a string of ASCII
- characters that appears at the beginning of every ACE label. It is
- specified in section 5.
-
- A "domain name slot" is defined in this document to be a protocol
- element or a function argument or a return value (and so on)
- explicitly designated for carrying a domain name. Examples of domain
- name slots include: the QNAME field of a DNS query; the name argument
- of the gethostbyname() library function; the part of an email address
- following the at-sign (@) in the From: field of an email message
- header; and the host portion of the URI in the src attribute of an
- HTML <IMG> tag. General text that just happens to contain a domain
- name is not a domain name slot; for example, a domain name appearing
- in the plain text body of an email message is not occupying a domain
- name slot.
-
- An "IDN-aware domain name slot" is defined in this document to be a
- domain name slot explicitly designated for carrying an
- internationalized domain name as defined in this document. The
- designation may be static (for example, in the specification of the
- protocol or interface) or dynamic (for example, as a result of
- negotiation in an interactive session).
-
- An "IDN-unaware domain name slot" is defined in this document to be
- any domain name slot that is not an IDN-aware domain name slot.
- Obviously, this includes any domain name slot whose specification
- predates IDNA.
-
-3. Requirements and applicability
-
-3.1 Requirements
-
- IDNA conformance means adherence to the following four requirements:
-
- 1) Whenever dots are used as label separators, the following
- characters MUST be recognized as dots: U+002E (full stop), U+3002
- (ideographic full stop), U+FF0E (fullwidth full stop), U+FF61
- (halfwidth ideographic full stop).
-
- 2) Whenever a domain name is put into an IDN-unaware domain name slot
- (see section 2), it MUST contain only ASCII characters. Given an
- internationalized domain name (IDN), an equivalent domain name
- satisfying this requirement can be obtained by applying the
-
-
-
-
-Faltstrom, et al. Standards Track [Page 7]
-�
-RFC 3490 IDNA March 2003
-
-
- ToASCII operation (see section 4) to each label and, if dots are
- used as label separators, changing all the label separators to
- U+002E.
-
- 3) ACE labels obtained from domain name slots SHOULD be hidden from
- users when it is known that the environment can handle the non-ACE
- form, except when the ACE form is explicitly requested. When it
- is not known whether or not the environment can handle the non-ACE
- form, the application MAY use the non-ACE form (which might fail,
- such as by not being displayed properly), or it MAY use the ACE
- form (which will look unintelligle to the user). Given an
- internationalized domain name, an equivalent domain name
- containing no ACE labels can be obtained by applying the ToUnicode
- operation (see section 4) to each label. When requirements 2 and
- 3 both apply, requirement 2 takes precedence.
-
- 4) Whenever two labels are compared, they MUST be considered to match
- if and only if they are equivalent, that is, their ASCII forms
- (obtained by applying ToASCII) match using a case-insensitive
- ASCII comparison. Whenever two names are compared, they MUST be
- considered to match if and only if their corresponding labels
- match, regardless of whether the names use the same forms of label
- separators.
-
-3.2 Applicability
-
- IDNA is applicable to all domain names in all domain name slots
- except where it is explicitly excluded.
-
- This implies that IDNA is applicable to many protocols that predate
- IDNA. Note that IDNs occupying domain name slots in those protocols
- MUST be in ASCII form (see section 3.1, requirement 2).
-
-3.2.1. DNS resource records
-
- IDNA does not apply to domain names in the NAME and RDATA fields of
- DNS resource records whose CLASS is not IN. This exclusion applies
- to every non-IN class, present and future, except where future
- standards override this exclusion by explicitly inviting the use of
- IDNA.
-
- There are currently no other exclusions on the applicability of IDNA
- to DNS resource records; it depends entirely on the CLASS, and not on
- the TYPE. This will remain true, even as new types are defined,
- unless there is a compelling reason for a new type to complicate
- matters by imposing type-specific rules.
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 8]
-�
-RFC 3490 IDNA March 2003
-
-
-3.2.2. Non-domain-name data types stored in domain names
-
- Although IDNA enables the representation of non-ASCII characters in
- domain names, that does not imply that IDNA enables the
- representation of non-ASCII characters in other data types that are
- stored in domain names. For example, an email address local part is
- sometimes stored in a domain label (hostmaster at example.com would be
- represented as hostmaster.example.com in the RDATA field of an SOA
- record). IDNA does not update the existing email standards, which
- allow only ASCII characters in local parts. Therefore, unless the
- email standards are revised to invite the use of IDNA for local
- parts, a domain label that holds the local part of an email address
- SHOULD NOT begin with the ACE prefix, and even if it does, it is to
- be interpreted literally as a local part that happens to begin with
- the ACE prefix.
-
-4. Conversion operations
-
- An application converts a domain name put into an IDN-unaware slot or
- displayed to a user. This section specifies the steps to perform in
- the conversion, and the ToASCII and ToUnicode operations.
-
- The input to ToASCII or ToUnicode is a single label that is a
- sequence of Unicode code points (remember that all ASCII code points
- are also Unicode code points). If a domain name is represented using
- a character set other than Unicode or US-ASCII, it will first need to
- be transcoded to Unicode.
-
- Starting from a whole domain name, the steps that an application
- takes to do the conversions are:
-
- 1) Decide whether the domain name is a "stored string" or a "query
- string" as described in [STRINGPREP]. If this conversion follows
- the "queries" rule from [STRINGPREP], set the flag called
- "AllowUnassigned".
-
- 2) Split the domain name into individual labels as described in
- section 3.1. The labels do not include the separator.
-
- 3) For each label, decide whether or not to enforce the restrictions
- on ASCII characters in host names [STD3]. (Applications already
- faced this choice before the introduction of IDNA, and can
- continue to make the decision the same way they always have; IDNA
- makes no new recommendations regarding this choice.) If the
- restrictions are to be enforced, set the flag called
- "UseSTD3ASCIIRules" for that label.
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 9]
-�
-RFC 3490 IDNA March 2003
-
-
- 4) Process each label with either the ToASCII or the ToUnicode
- operation as appropriate. Typically, you use the ToASCII
- operation if you are about to put the name into an IDN-unaware
- slot, and you use the ToUnicode operation if you are displaying
- the name to a user; section 3.1 gives greater detail on the
- applicable requirements.
-
- 5) If ToASCII was applied in step 4 and dots are used as label
- separators, change all the label separators to U+002E (full stop).
-
- The following two subsections define the ToASCII and ToUnicode
- operations that are used in step 4.
-
- This description of the protocol uses specific procedure names, names
- of flags, and so on, in order to facilitate the specification of the
- protocol. These names, as well as the actual steps of the
- procedures, are not required of an implementation. In fact, any
- implementation which has the same external behavior as specified in
- this document conforms to this specification.
-
-4.1 ToASCII
-
- The ToASCII operation takes a sequence of Unicode code points that
- make up one label and transforms it into a sequence of code points in
- the ASCII range (0..7F). If ToASCII succeeds, the original sequence
- and the resulting sequence are equivalent labels.
-
- It is important to note that the ToASCII operation can fail. ToASCII
- fails if any step of it fails. If any step of the ToASCII operation
- fails on any label in a domain name, that domain name MUST NOT be
- used as an internationalized domain name. The method for dealing
- with this failure is application-specific.
-
- The inputs to ToASCII are a sequence of code points, the
- AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of
- ToASCII is either a sequence of ASCII code points or a failure
- condition.
-
- ToASCII never alters a sequence of code points that are all in the
- ASCII range to begin with (although it could fail). Applying the
- ToASCII operation multiple times has exactly the same effect as
- applying it just once.
-
- ToASCII consists of the following steps:
-
- 1. If the sequence contains any code points outside the ASCII range
- (0..7F) then proceed to step 2, otherwise skip to step 3.
-
-
-
-
-Faltstrom, et al. Standards Track [Page 10]
-�
-RFC 3490 IDNA March 2003
-
-
- 2. Perform the steps specified in [NAMEPREP] and fail if there is an
- error. The AllowUnassigned flag is used in [NAMEPREP].
-
- 3. If the UseSTD3ASCIIRules flag is set, then perform these checks:
-
- (a) Verify the absence of non-LDH ASCII code points; that is, the
- absence of 0..2C, 2E..2F, 3A..40, 5B..60, and 7B..7F.
-
- (b) Verify the absence of leading and trailing hyphen-minus; that
- is, the absence of U+002D at the beginning and end of the
- sequence.
-
- 4. If the sequence contains any code points outside the ASCII range
- (0..7F) then proceed to step 5, otherwise skip to step 8.
-
- 5. Verify that the sequence does NOT begin with the ACE prefix.
-
- 6. Encode the sequence using the encoding algorithm in [PUNYCODE] and
- fail if there is an error.
-
- 7. Prepend the ACE prefix.
-
- 8. Verify that the number of code points is in the range 1 to 63
- inclusive.
-
-4.2 ToUnicode
-
- The ToUnicode operation takes a sequence of Unicode code points that
- make up one label and returns a sequence of Unicode code points. If
- the input sequence is a label in ACE form, then the result is an
- equivalent internationalized label that is not in ACE form, otherwise
- the original sequence is returned unaltered.
-
- ToUnicode never fails. If any step fails, then the original input
- sequence is returned immediately in that step.
-
- The ToUnicode output never contains more code points than its input.
- Note that the number of octets needed to represent a sequence of code
- points depends on the particular character encoding used.
-
- The inputs to ToUnicode are a sequence of code points, the
- AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of
- ToUnicode is always a sequence of Unicode code points.
-
- 1. If all code points in the sequence are in the ASCII range (0..7F)
- then skip to step 3.
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 11]
-�
-RFC 3490 IDNA March 2003
-
-
- 2. Perform the steps specified in [NAMEPREP] and fail if there is an
- error. (If step 3 of ToASCII is also performed here, it will not
- affect the overall behavior of ToUnicode, but it is not
- necessary.) The AllowUnassigned flag is used in [NAMEPREP].
-
- 3. Verify that the sequence begins with the ACE prefix, and save a
- copy of the sequence.
-
- 4. Remove the ACE prefix.
-
- 5. Decode the sequence using the decoding algorithm in [PUNYCODE] and
- fail if there is an error. Save a copy of the result of this
- step.
-
- 6. Apply ToASCII.
-
- 7. Verify that the result of step 6 matches the saved copy from step
- 3, using a case-insensitive ASCII comparison.
-
- 8. Return the saved copy from step 5.
-
-5. ACE prefix
-
- The ACE prefix, used in the conversion operations (section 4), is two
- alphanumeric ASCII characters followed by two hyphen-minuses. It
- cannot be any of the prefixes already used in earlier documents,
- which includes the following: "bl--", "bq--", "dq--", "lq--", "mq--",
- "ra--", "wq--" and "zq--". The ToASCII and ToUnicode operations MUST
- recognize the ACE prefix in a case-insensitive manner.
-
- The ACE prefix for IDNA is "xn--" or any capitalization thereof.
-
- This means that an ACE label might be "xn--de-jg4avhby1noc0d", where
- "de-jg4avhby1noc0d" is the part of the ACE label that is generated by
- the encoding steps in [PUNYCODE].
-
- While all ACE labels begin with the ACE prefix, not all labels
- beginning with the ACE prefix are necessarily ACE labels. Non-ACE
- labels that begin with the ACE prefix will confuse users and SHOULD
- NOT be allowed in DNS zones.
-
-
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 12]
-�
-RFC 3490 IDNA March 2003
-
-
-6. Implications for typical applications using DNS
-
- In IDNA, applications perform the processing needed to input
- internationalized domain names from users, display internationalized
- domain names to users, and process the inputs and outputs from DNS
- and other protocols that carry domain names.
-
- The components and interfaces between them can be represented
- pictorially as:
-
- +------+
- | User |
- +------+
- ^
- | Input and display: local interface methods
- | (pen, keyboard, glowing phosphorus, ...)
- +-------------------|-------------------------------+
- | v |
- | +-----------------------------+ |
- | | Application | |
- | | (ToASCII and ToUnicode | |
- | | operations may be | |
- | | called here) | |
- | +-----------------------------+ |
- | ^ ^ | End system
- | | | |
- | Call to resolver: | | Application-specific |
- | ACE | | protocol: |
- | v | ACE unless the |
- | +----------+ | protocol is updated |
- | | Resolver | | to handle other |
- | +----------+ | encodings |
- | ^ | |
- +-----------------|----------|----------------------+
- DNS protocol: | |
- ACE | |
- v v
- +-------------+ +---------------------+
- | DNS servers | | Application servers |
- +-------------+ +---------------------+
-
- The box labeled "Application" is where the application splits a
- domain name into labels, sets the appropriate flags, and performs the
- ToASCII and ToUnicode operations. This is described in section 4.
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 13]
-�
-RFC 3490 IDNA March 2003
-
-
-6.1 Entry and display in applications
-
- Applications can accept domain names using any character set or sets
- desired by the application developer, and can display domain names in
- any charset. That is, the IDNA protocol does not affect the
- interface between users and applications.
-
- An IDNA-aware application can accept and display internationalized
- domain names in two formats: the internationalized character set(s)
- supported by the application, and as an ACE label. ACE labels that
- are displayed or input MUST always include the ACE prefix.
- Applications MAY allow input and display of ACE labels, but are not
- encouraged to do so except as an interface for special purposes,
- possibly for debugging, or to cope with display limitations as
- described in section 6.4.. ACE encoding is opaque and ugly, and
- should thus only be exposed to users who absolutely need it. Because
- name labels encoded as ACE name labels can be rendered either as the
- encoded ASCII characters or the proper decoded characters, the
- application MAY have an option for the user to select the preferred
- method of display; if it does, rendering the ACE SHOULD NOT be the
- default.
-
- Domain names are often stored and transported in many places. For
- example, they are part of documents such as mail messages and web
- pages. They are transported in many parts of many protocols, such as
- both the control commands and the RFC 2822 body parts of SMTP, and
- the headers and the body content in HTTP. It is important to
- remember that domain names appear both in domain name slots and in
- the content that is passed over protocols.
-
- In protocols and document formats that define how to handle
- specification or negotiation of charsets, labels can be encoded in
- any charset allowed by the protocol or document format. If a
- protocol or document format only allows one charset, the labels MUST
- be given in that charset.
-
- In any place where a protocol or document format allows transmission
- of the characters in internationalized labels, internationalized
- labels SHOULD be transmitted using whatever character encoding and
- escape mechanism that the protocol or document format uses at that
- place.
-
- All protocols that use domain name slots already have the capacity
- for handling domain names in the ASCII charset. Thus, ACE labels
- (internationalized labels that have been processed with the ToASCII
- operation) can inherently be handled by those protocols.
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 14]
-�
-RFC 3490 IDNA March 2003
-
-
-6.2 Applications and resolver libraries
-
- Applications normally use functions in the operating system when they
- resolve DNS queries. Those functions in the operating system are
- often called "the resolver library", and the applications communicate
- with the resolver libraries through a programming interface (API).
-
- Because these resolver libraries today expect only domain names in
- ASCII, applications MUST prepare labels that are passed to the
- resolver library using the ToASCII operation. Labels received from
- the resolver library contain only ASCII characters; internationalized
- labels that cannot be represented directly in ASCII use the ACE form.
- ACE labels always include the ACE prefix.
-
- An operating system might have a set of libraries for performing the
- ToASCII operation. The input to such a library might be in one or
- more charsets that are used in applications (UTF-8 and UTF-16 are
- likely candidates for almost any operating system, and script-
- specific charsets are likely for localized operating systems).
-
- IDNA-aware applications MUST be able to work with both non-
- internationalized labels (those that conform to [STD13] and [STD3])
- and internationalized labels.
-
- It is expected that new versions of the resolver libraries in the
- future will be able to accept domain names in other charsets than
- ASCII, and application developers might one day pass not only domain
- names in Unicode, but also in local script to a new API for the
- resolver libraries in the operating system. Thus the ToASCII and
- ToUnicode operations might be performed inside these new versions of
- the resolver libraries.
-
- Domain names passed to resolvers or put into the question section of
- DNS requests follow the rules for "queries" from [STRINGPREP].
-
-6.3 DNS servers
-
- Domain names stored in zones follow the rules for "stored strings"
- from [STRINGPREP].
-
- For internationalized labels that cannot be represented directly in
- ASCII, DNS servers MUST use the ACE form produced by the ToASCII
- operation. All IDNs served by DNS servers MUST contain only ASCII
- characters.
-
- If a signaling system which makes negotiation possible between old
- and new DNS clients and servers is standardized in the future, the
- encoding of the query in the DNS protocol itself can be changed from
-
-
-
-Faltstrom, et al. Standards Track [Page 15]
-�
-RFC 3490 IDNA March 2003
-
-
- ACE to something else, such as UTF-8. The question whether or not
- this should be used is, however, a separate problem and is not
- discussed in this memo.
-
-6.4 Avoiding exposing users to the raw ACE encoding
-
- Any application that might show the user a domain name obtained from
- a domain name slot, such as from gethostbyaddr or part of a mail
- header, will need to be updated if it is to prevent users from seeing
- the ACE.
-
- If an application decodes an ACE name using ToUnicode but cannot show
- all of the characters in the decoded name, such as if the name
- contains characters that the output system cannot display, the
- application SHOULD show the name in ACE format (which always includes
- the ACE prefix) instead of displaying the name with the replacement
- character (U+FFFD). This is to make it easier for the user to
- transfer the name correctly to other programs. Programs that by
- default show the ACE form when they cannot show all the characters in
- a name label SHOULD also have a mechanism to show the name that is
- produced by the ToUnicode operation with as many characters as
- possible and replacement characters in the positions where characters
- cannot be displayed.
-
- The ToUnicode operation does not alter labels that are not valid ACE
- labels, even if they begin with the ACE prefix. After ToUnicode has
- been applied, if a label still begins with the ACE prefix, then it is
- not a valid ACE label, and is not equivalent to any of the
- intermediate Unicode strings constructed by ToUnicode.
-
-6.5 DNSSEC authentication of IDN domain names
-
- DNS Security [RFC2535] is a method for supplying cryptographic
- verification information along with DNS messages. Public Key
- Cryptography is used in conjunction with digital signatures to
- provide a means for a requester of domain information to authenticate
- the source of the data. This ensures that it can be traced back to a
- trusted source, either directly, or via a chain of trust linking the
- source of the information to the top of the DNS hierarchy.
-
- IDNA specifies that all internationalized domain names served by DNS
- servers that cannot be represented directly in ASCII must use the ACE
- form produced by the ToASCII operation. This operation must be
- performed prior to a zone being signed by the private key for that
- zone. Because of this ordering, it is important to recognize that
- DNSSEC authenticates the ASCII domain name, not the Unicode form or
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 16]
-�
-RFC 3490 IDNA March 2003
-
-
- the mapping between the Unicode form and the ASCII form. In the
- presence of DNSSEC, this is the name that MUST be signed in the zone
- and MUST be validated against.
-
- One consequence of this for sites deploying IDNA in the presence of
- DNSSEC is that any special purpose proxies or forwarders used to
- transform user input into IDNs must be earlier in the resolution flow
- than DNSSEC authenticating nameservers for DNSSEC to work.
-
-7. Name server considerations
-
- Existing DNS servers do not know the IDNA rules for handling non-
- ASCII forms of IDNs, and therefore need to be shielded from them.
- All existing channels through which names can enter a DNS server
- database (for example, master files [STD13] and DNS update messages
- [RFC2136]) are IDN-unaware because they predate IDNA, and therefore
- requirement 2 of section 3.1 of this document provides the needed
- shielding, by ensuring that internationalized domain names entering
- DNS server databases through such channels have already been
- converted to their equivalent ASCII forms.
-
- It is imperative that there be only one ASCII encoding for a
- particular domain name. Because of the design of the ToASCII and
- ToUnicode operations, there are no ACE labels that decode to ASCII
- labels, and therefore name servers cannot contain multiple ASCII
- encodings of the same domain name.
-
- [RFC2181] explicitly allows domain labels to contain octets beyond
- the ASCII range (0..7F), and this document does not change that.
- Note, however, that there is no defined interpretation of octets
- 80..FF as characters. If labels containing these octets are returned
- to applications, unpredictable behavior could result. The ASCII form
- defined by ToASCII is the only standard representation for
- internationalized labels in the current DNS protocol.
-
-8. Root server considerations
-
- IDNs are likely to be somewhat longer than current domain names, so
- the bandwidth needed by the root servers is likely to go up by a
- small amount. Also, queries and responses for IDNs will probably be
- somewhat longer than typical queries today, so more queries and
- responses may be forced to go to TCP instead of UDP.
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 17]
-�
-RFC 3490 IDNA March 2003
-
-
-9. References
-
-9.1 Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ("stringprep")", RFC 3454,
- December 2002.
-
- [NAMEPREP] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
- Profile for Internationalized Domain Names (IDN)", RFC
- 3491, March 2003.
-
- [PUNYCODE] Costello, A., "Punycode: A Bootstring encoding of
- Unicode for use with Internationalized Domain Names in
- Applications (IDNA)", RFC 3492, March 2003.
-
- [STD3] Braden, R., "Requirements for Internet Hosts --
- Communication Layers", STD 3, RFC 1122, and
- "Requirements for Internet Hosts -- Application and
- Support", STD 3, RFC 1123, October 1989.
-
- [STD13] Mockapetris, P., "Domain names - concepts and
- facilities", STD 13, RFC 1034 and "Domain names -
- implementation and specification", STD 13, RFC 1035,
- November 1987.
-
-9.2 Informative References
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [UAX9] Unicode Standard Annex #9, The Bidirectional Algorithm,
- <http://www.unicode.org/unicode/reports/tr9/>.
-
- [UNICODE] The Unicode Consortium. The Unicode Standard, Version
- 3.2.0 is defined by The Unicode Standard, Version 3.0
- (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
- as amended by the Unicode Standard Annex #27: Unicode
- 3.1 (http://www.unicode.org/reports/tr27/) and by the
- Unicode Standard Annex #28: Unicode 3.2
- (http://www.unicode.org/reports/tr28/).
-
-
-
-
-Faltstrom, et al. Standards Track [Page 18]
-�
-RFC 3490 IDNA March 2003
-
-
- [USASCII] Cerf, V., "ASCII format for Network Interchange", RFC
- 20, October 1969.
-
-10. Security Considerations
-
- Security on the Internet partly relies on the DNS. Thus, any change
- to the characteristics of the DNS can change the security of much of
- the Internet.
-
- This memo describes an algorithm which encodes characters that are
- not valid according to STD3 and STD13 into octet values that are
- valid. No security issues such as string length increases or new
- allowed values are introduced by the encoding process or the use of
- these encoded values, apart from those introduced by the ACE encoding
- itself.
-
- Domain names are used by users to identify and connect to Internet
- servers. The security of the Internet is compromised if a user
- entering a single internationalized name is connected to different
- servers based on different interpretations of the internationalized
- domain name.
-
- When systems use local character sets other than ASCII and Unicode,
- this specification leaves the the problem of transcoding between the
- local character set and Unicode up to the application. If different
- applications (or different versions of one application) implement
- different transcoding rules, they could interpret the same name
- differently and contact different servers. This problem is not
- solved by security protocols like TLS that do not take local
- character sets into account.
-
- Because this document normatively refers to [NAMEPREP], [PUNYCODE],
- and [STRINGPREP], it includes the security considerations from those
- documents as well.
-
- If or when this specification is updated to use a more recent Unicode
- normalization table, the new normalization table will need to be
- compared with the old to spot backwards incompatible changes. If
- there are such changes, they will need to be handled somehow, or
- there will be security as well as operational implications. Methods
- to handle the conflicts could include keeping the old normalization,
- or taking care of the conflicting characters by operational means, or
- some other method.
-
- Implementations MUST NOT use more recent normalization tables than
- the one referenced from this document, even though more recent tables
- may be provided by operating systems. If an application is unsure of
- which version of the normalization tables are in the operating
-
-
-
-Faltstrom, et al. Standards Track [Page 19]
-�
-RFC 3490 IDNA March 2003
-
-
- system, the application needs to include the normalization tables
- itself. Using normalization tables other than the one referenced
- from this specification could have security and operational
- implications.
-
- To help prevent confusion between characters that are visually
- similar, it is suggested that implementations provide visual
- indications where a domain name contains multiple scripts. Such
- mechanisms can also be used to show when a name contains a mixture of
- simplified and traditional Chinese characters, or to distinguish zero
- and one from O and l. DNS zone adminstrators may impose restrictions
- (subject to the limitations in section 2) that try to minimize
- homographs.
-
- Domain names (or portions of them) are sometimes compared against a
- set of privileged or anti-privileged domains. In such situations it
- is especially important that the comparisons be done properly, as
- specified in section 3.1 requirement 4. For labels already in ASCII
- form, the proper comparison reduces to the same case-insensitive
- ASCII comparison that has always been used for ASCII labels.
-
- The introduction of IDNA means that any existing labels that start
- with the ACE prefix and would be altered by ToUnicode will
- automatically be ACE labels, and will be considered equivalent to
- non-ASCII labels, whether or not that was the intent of the zone
- adminstrator or registrant.
-
-11. IANA Considerations
-
- IANA has assigned the ACE prefix in consultation with the IESG.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 20]
-�
-RFC 3490 IDNA March 2003
-
-
-12. Authors' Addresses
-
- Patrik Faltstrom
- Cisco Systems
- Arstaangsvagen 31 J
- S-117 43 Stockholm Sweden
-
- EMail: paf at cisco.com
-
-
- Paul Hoffman
- Internet Mail Consortium and VPN Consortium
- 127 Segre Place
- Santa Cruz, CA 95060 USA
-
- EMail: phoffman at imc.org
-
-
- Adam M. Costello
- University of California, Berkeley
-
- URL: http://www.nicemice.net/amc/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 21]
-�
-RFC 3490 IDNA March 2003
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 22]
-�
Deleted: branches/samba/upstream/source4/heimdal/lib/wind/rfc3491.txt
===================================================================
--- branches/samba/upstream/source4/heimdal/lib/wind/rfc3491.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/heimdal/lib/wind/rfc3491.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Hoffman
-Request for Comments: 3491 IMC & VPNC
-Category: Standards Track M. Blanchet
- Viagenie
- March 2003
-
-
- Nameprep: A Stringprep Profile for
- Internationalized Domain Names (IDN)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document describes how to prepare internationalized domain name
- (IDN) labels in order to increase the likelihood that name input and
- name comparison work in ways that make sense for typical users
- throughout the world. This profile of the stringprep protocol is
- used as part of a suite of on-the-wire protocols for
- internationalizing the Domain Name System (DNS).
-
-1. Introduction
-
- This document specifies processing rules that will allow users to
- enter internationalized domain names (IDNs) into applications and
- have the highest chance of getting the content of the strings
- correct. It is a profile of stringprep [STRINGPREP]. These
- processing rules are only intended for internationalized domain
- names, not for arbitrary text.
-
- This profile defines the following, as required by [STRINGPREP].
-
- - The intended applicability of the profile: internationalized
- domain names processed by IDNA.
-
- - The character repertoire that is the input and output to
- stringprep: Unicode 3.2, specified in section 2.
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 1]
-�
-RFC 3491 IDN Nameprep March 2003
-
-
- - The mappings used: specified in section 3.
-
- - The Unicode normalization used: specified in section 4.
-
- - The characters that are prohibited as output: specified in section
- 5.
-
- - Bidirectional character handling: specified in section 6.
-
-1.1 Interaction of protocol parts
-
- Nameprep is used by the IDNA [IDNA] protocol for preparing domain
- names; it is not designed for any other purpose. It is explicitly
- not designed for processing arbitrary free text and SHOULD NOT be
- used for that purpose. Nameprep is a profile of Stringprep
- [STRINGPREP]. Implementations of Nameprep MUST fully implement
- Stringprep.
-
- Nameprep is used to process domain name labels, not domain names.
- IDNA calls nameprep for each label in a domain name, not for the
- whole domain name.
-
-1.2 Terminology
-
- The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
- in this document are to be interpreted as described in BCP 14, RFC
- 2119 [RFC2119].
-
-2. Character Repertoire
-
- This profile uses Unicode 3.2, as defined in [STRINGPREP] Appendix A.
-
-3. Mapping
-
- This profile specifies mapping using the following tables from
- [STRINGPREP]:
-
- Table B.1
- Table B.2
-
-4. Normalization
-
- This profile specifies using Unicode normalization form KC, as
- described in [STRINGPREP].
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 2]
-�
-RFC 3491 IDN Nameprep March 2003
-
-
-5. Prohibited Output
-
- This profile specifies prohibiting using the following tables from
- [STRINGPREP]:
-
- Table C.1.2
- Table C.2.2
- Table C.3
- Table C.4
- Table C.5
- Table C.6
- Table C.7
- Table C.8
- Table C.9
-
- IMPORTANT NOTE: This profile MUST be used with the IDNA protocol.
- The IDNA protocol has additional prohibitions that are checked
- outside of this profile.
-
-6. Bidirectional characters
-
- This profile specifies checking bidirectional strings as described in
- [STRINGPREP] section 6.
-
-7. Unassigned Code Points in Internationalized Domain Names
-
- If the processing in [IDNA] specifies that a list of unassigned code
- points be used, the system uses table A.1 from [STRINGPREP] as its
- list of unassigned code points.
-
-8. References
-
-8.1 Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ("stringprep")", RFC 3454,
- December 2002.
-
- [IDNA] Faltstrom, P., Hoffman, P. and A. Costello,
- "Internationalizing Domain Names in Applications
- (IDNA)", RFC 3490, March 2003.
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 3]
-�
-RFC 3491 IDN Nameprep March 2003
-
-
-8.2 Informative references
-
- [STD13] Mockapetris, P., "Domain names - concepts and
- facilities", STD 13, RFC 1034, and "Domain names -
- implementation and specification", STD 13, RFC 1035,
- November 1987.
-
-9. Security Considerations
-
- The Unicode and ISO/IEC 10646 repertoires have many characters that
- look similar. In many cases, users of security protocols might do
- visual matching, such as when comparing the names of trusted third
- parties. Because it is impossible to map similar-looking characters
- without a great deal of context such as knowing the fonts used,
- stringprep does nothing to map similar-looking characters together
- nor to prohibit some characters because they look like others.
-
- Security on the Internet partly relies on the DNS. Thus, any change
- to the characteristics of the DNS can change the security of much of
- the Internet.
-
- Domain names are used by users to connect to Internet servers. The
- security of the Internet would be compromised if a user entering a
- single internationalized name could be connected to different servers
- based on different interpretations of the internationalized domain
- name.
-
- Current applications might assume that the characters allowed in
- domain names will always be the same as they are in [STD13]. This
- document vastly increases the number of characters available in
- domain names. Every program that uses "special" characters in
- conjunction with domain names may be vulnerable to attack based on
- the new characters allowed by this specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 4]
-�
-RFC 3491 IDN Nameprep March 2003
-
-
-10. IANA Considerations
-
- This is a profile of stringprep. It has been registered by the IANA
- in the stringprep profile registry
- (www.iana.org/assignments/stringprep-profiles).
-
- Name of this profile:
- Nameprep
-
- RFC in which the profile is defined:
- This document.
-
- Indicator whether or not this is the newest version of the
- profile:
- This is the first version of Nameprep.
-
-11. Acknowledgements
-
- Many people from the IETF IDN Working Group and the Unicode Technical
- Committee contributed ideas that went into this document.
-
- The IDN Nameprep design team made many useful changes to the
- document. That team and its advisors include:
-
- Asmus Freytag
- Cathy Wissink
- Francois Yergeau
- James Seng
- Marc Blanchet
- Mark Davis
- Martin Duerst
- Patrik Faltstrom
- Paul Hoffman
-
- Additional significant improvements were proposed by:
-
- Jonathan Rosenne
- Kent Karlsson
- Scott Hollenbeck
- Dave Crocker
- Erik Nordmark
- Matitiahu Allouche
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 5]
-�
-RFC 3491 IDN Nameprep March 2003
-
-
-12. Authors' Addresses
-
- Paul Hoffman
- Internet Mail Consortium and VPN Consortium
- 127 Segre Place
- Santa Cruz, CA 95060 USA
-
- EMail: paul.hoffman at imc.org and paul.hoffman at vpnc.org
-
-
- Marc Blanchet
- Viagenie inc.
- 2875 boul. Laurier, bur. 300
- Ste-Foy, Quebec, Canada, G1V 2M2
-
- EMail: Marc.Blanchet at viagenie.qc.ca
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 6]
-�
-RFC 3491 IDN Nameprep March 2003
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 7]
-�
Deleted: branches/samba/upstream/source4/heimdal/lib/wind/rfc3492.txt
===================================================================
--- branches/samba/upstream/source4/heimdal/lib/wind/rfc3492.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/heimdal/lib/wind/rfc3492.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1963 +0,0 @@
-
-
-
-
-
-
-Network Working Group A. Costello
-Request for Comments: 3492 Univ. of California, Berkeley
-Category: Standards Track March 2003
-
-
- Punycode: A Bootstring encoding of Unicode
- for Internationalized Domain Names in Applications (IDNA)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- Punycode is a simple and efficient transfer encoding syntax designed
- for use with Internationalized Domain Names in Applications (IDNA).
- It uniquely and reversibly transforms a Unicode string into an ASCII
- string. ASCII characters in the Unicode string are represented
- literally, and non-ASCII characters are represented by ASCII
- characters that are allowed in host name labels (letters, digits, and
- hyphens). This document defines a general algorithm called
- Bootstring that allows a string of basic code points to uniquely
- represent any string of code points drawn from a larger set.
- Punycode is an instance of Bootstring that uses particular parameter
- values specified by this document, appropriate for IDNA.
-
-Table of Contents
-
- 1. Introduction...............................................2
- 1.1 Features..............................................2
- 1.2 Interaction of protocol parts.........................3
- 2. Terminology................................................3
- 3. Bootstring description.....................................4
- 3.1 Basic code point segregation..........................4
- 3.2 Insertion unsort coding...............................4
- 3.3 Generalized variable-length integers..................5
- 3.4 Bias adaptation.......................................7
- 4. Bootstring parameters......................................8
- 5. Parameter values for Punycode..............................8
- 6. Bootstring algorithms......................................9
-
-
-
-Costello Standards Track [Page 1]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- 6.1 Bias adaptation function.............................10
- 6.2 Decoding procedure...................................11
- 6.3 Encoding procedure...................................12
- 6.4 Overflow handling....................................13
- 7. Punycode examples.........................................14
- 7.1 Sample strings.......................................14
- 7.2 Decoding traces......................................17
- 7.3 Encoding traces......................................19
- 8. Security Considerations...................................20
- 9. References................................................21
- 9.1 Normative References.................................21
- 9.2 Informative References...............................21
- A. Mixed-case annotation.....................................22
- B. Disclaimer and license....................................22
- C. Punycode sample implementation............................23
- Author's Address.............................................34
- Full Copyright Statement.....................................35
-
-1. Introduction
-
- [IDNA] describes an architecture for supporting internationalized
- domain names. Labels containing non-ASCII characters can be
- represented by ACE labels, which begin with a special ACE prefix and
- contain only ASCII characters. The remainder of the label after the
- prefix is a Punycode encoding of a Unicode string satisfying certain
- constraints. For the details of the prefix and constraints, see
- [IDNA] and [NAMEPREP].
-
- Punycode is an instance of a more general algorithm called
- Bootstring, which allows strings composed from a small set of "basic"
- code points to uniquely represent any string of code points drawn
- from a larger set. Punycode is Bootstring with particular parameter
- values appropriate for IDNA.
-
-1.1 Features
-
- Bootstring has been designed to have the following features:
-
- * Completeness: Every extended string (sequence of arbitrary code
- points) can be represented by a basic string (sequence of basic
- code points). Restrictions on what strings are allowed, and on
- length, can be imposed by higher layers.
-
- * Uniqueness: There is at most one basic string that represents a
- given extended string.
-
- * Reversibility: Any extended string mapped to a basic string can
- be recovered from that basic string.
-
-
-
-Costello Standards Track [Page 2]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- * Efficient encoding: The ratio of basic string length to extended
- string length is small. This is important in the context of
- domain names because RFC 1034 [RFC1034] restricts the length of a
- domain label to 63 characters.
-
- * Simplicity: The encoding and decoding algorithms are reasonably
- simple to implement. The goals of efficiency and simplicity are
- at odds; Bootstring aims at a good balance between them.
-
- * Readability: Basic code points appearing in the extended string
- are represented as themselves in the basic string (although the
- main purpose is to improve efficiency, not readability).
-
- Punycode can also support an additional feature that is not used by
- the ToASCII and ToUnicode operations of [IDNA]. When extended
- strings are case-folded prior to encoding, the basic string can use
- mixed case to tell how to convert the folded string into a mixed-case
- string. See appendix A "Mixed-case annotation".
-
-1.2 Interaction of protocol parts
-
- Punycode is used by the IDNA protocol [IDNA] for converting domain
- labels into ASCII; it is not designed for any other purpose. It is
- explicitly not designed for processing arbitrary free text.
-
-2. Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14, RFC 2119
- [RFC2119].
-
- A code point is an integral value associated with a character in a
- coded character set.
-
- As in the Unicode Standard [UNICODE], Unicode code points are denoted
- by "U+" followed by four to six hexadecimal digits, while a range of
- code points is denoted by two hexadecimal numbers separated by "..",
- with no prefixes.
-
- The operators div and mod perform integer division; (x div y) is the
- quotient of x divided by y, discarding the remainder, and (x mod y)
- is the remainder, so (x div y) * y + (x mod y) == x. Bootstring uses
- these operators only with nonnegative operands, so the quotient and
- remainder are always nonnegative.
-
- The break statement jumps out of the innermost loop (as in C).
-
-
-
-
-Costello Standards Track [Page 3]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- An overflow is an attempt to compute a value that exceeds the maximum
- value of an integer variable.
-
-3. Bootstring description
-
- Bootstring represents an arbitrary sequence of code points (the
- "extended string") as a sequence of basic code points (the "basic
- string"). This section describes the representation. Section 6
- "Bootstring algorithms" presents the algorithms as pseudocode.
- Sections 7.1 "Decoding traces" and 7.2 "Encoding traces" trace the
- algorithms for sample inputs.
-
- The following sections describe the four techniques used in
- Bootstring. "Basic code point segregation" is a very simple and
- efficient encoding for basic code points occurring in the extended
- string: they are simply copied all at once. "Insertion unsort
- coding" encodes the non-basic code points as deltas, and processes
- the code points in numerical order rather than in order of
- appearance, which typically results in smaller deltas. The deltas
- are represented as "generalized variable-length integers", which use
- basic code points to represent nonnegative integers. The parameters
- of this integer representation are dynamically adjusted using "bias
- adaptation", to improve efficiency when consecutive deltas have
- similar magnitudes.
-
-3.1 Basic code point segregation
-
- All basic code points appearing in the extended string are
- represented literally at the beginning of the basic string, in their
- original order, followed by a delimiter if (and only if) the number
- of basic code points is nonzero. The delimiter is a particular basic
- code point, which never appears in the remainder of the basic string.
- The decoder can therefore find the end of the literal portion (if
- there is one) by scanning for the last delimiter.
-
-3.2 Insertion unsort coding
-
- The remainder of the basic string (after the last delimiter if there
- is one) represents a sequence of nonnegative integral deltas as
- generalized variable-length integers, described in section 3.3. The
- meaning of the deltas is best understood in terms of the decoder.
-
- The decoder builds the extended string incrementally. Initially, the
- extended string is a copy of the literal portion of the basic string
- (excluding the last delimiter). The decoder inserts non-basic code
- points, one for each delta, into the extended string, ultimately
- arriving at the final decoded string.
-
-
-
-
-Costello Standards Track [Page 4]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- At the heart of this process is a state machine with two state
- variables: an index i and a counter n. The index i refers to a
- position in the extended string; it ranges from 0 (the first
- position) to the current length of the extended string (which refers
- to a potential position beyond the current end). If the current
- state is <n,i>, the next state is <n,i+1> if i is less than the
- length of the extended string, or <n+1,0> if i equals the length of
- the extended string. In other words, each state change causes i to
- increment, wrapping around to zero if necessary, and n counts the
- number of wrap-arounds.
-
- Notice that the state always advances monotonically (there is no way
- for the decoder to return to an earlier state). At each state, an
- insertion is either performed or not performed. At most one
- insertion is performed in a given state. An insertion inserts the
- value of n at position i in the extended string. The deltas are a
- run-length encoding of this sequence of events: they are the lengths
- of the runs of non-insertion states preceeding the insertion states.
- Hence, for each delta, the decoder performs delta state changes, then
- an insertion, and then one more state change. (An implementation
- need not perform each state change individually, but can instead use
- division and remainder calculations to compute the next insertion
- state directly.) It is an error if the inserted code point is a
- basic code point (because basic code points were supposed to be
- segregated as described in section 3.1).
-
- The encoder's main task is to derive the sequence of deltas that will
- cause the decoder to construct the desired string. It can do this by
- repeatedly scanning the extended string for the next code point that
- the decoder would need to insert, and counting the number of state
- changes the decoder would need to perform, mindful of the fact that
- the decoder's extended string will include only those code points
- that have already been inserted. Section 6.3 "Encoding procedure"
- gives a precise algorithm.
-
-3.3 Generalized variable-length integers
-
- In a conventional integer representation the base is the number of
- distinct symbols for digits, whose values are 0 through base-1. Let
- digit_0 denote the least significant digit, digit_1 the next least
- significant, and so on. The value represented is the sum over j of
- digit_j * w(j), where w(j) = base^j is the weight (scale factor) for
- position j. For example, in the base 8 integer 437, the digits are
- 7, 3, and 4, and the weights are 1, 8, and 64, so the value is 7 +
- 3*8 + 4*64 = 287. This representation has two disadvantages: First,
- there are multiple encodings of each value (because there can be
- extra zeros in the most significant positions), which is inconvenient
-
-
-
-
-Costello Standards Track [Page 5]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- when unique encodings are needed. Second, the integer is not self-
- delimiting, so if multiple integers are concatenated the boundaries
- between them are lost.
-
- The generalized variable-length representation solves these two
- problems. The digit values are still 0 through base-1, but now the
- integer is self-delimiting by means of thresholds t(j), each of which
- is in the range 0 through base-1. Exactly one digit, the most
- significant, satisfies digit_j < t(j). Therefore, if several
- integers are concatenated, it is easy to separate them, starting with
- the first if they are little-endian (least significant digit first),
- or starting with the last if they are big-endian (most significant
- digit first). As before, the value is the sum over j of digit_j *
- w(j), but the weights are different:
-
- w(0) = 1
- w(j) = w(j-1) * (base - t(j-1)) for j > 0
-
- For example, consider the little-endian sequence of base 8 digits
- 734251... Suppose the thresholds are 2, 3, 5, 5, 5, 5... This
- implies that the weights are 1, 1*(8-2) = 6, 6*(8-3) = 30, 30*(8-5) =
- 90, 90*(8-5) = 270, and so on. 7 is not less than 2, and 3 is not
- less than 3, but 4 is less than 5, so 4 is the last digit. The value
- of 734 is 7*1 + 3*6 + 4*30 = 145. The next integer is 251, with
- value 2*1 + 5*6 + 1*30 = 62. Decoding this representation is very
- similar to decoding a conventional integer: Start with a current
- value of N = 0 and a weight w = 1. Fetch the next digit d and
- increase N by d * w. If d is less than the current threshold (t)
- then stop, otherwise increase w by a factor of (base - t), update t
- for the next position, and repeat.
-
- Encoding this representation is similar to encoding a conventional
- integer: If N < t then output one digit for N and stop, otherwise
- output the digit for t + ((N - t) mod (base - t)), then replace N
- with (N - t) div (base - t), update t for the next position, and
- repeat.
-
- For any particular set of values of t(j), there is exactly one
- generalized variable-length representation of each nonnegative
- integral value.
-
- Bootstring uses little-endian ordering so that the deltas can be
- separated starting with the first. The t(j) values are defined in
- terms of the constants base, tmin, and tmax, and a state variable
- called bias:
-
- t(j) = base * (j + 1) - bias,
- clamped to the range tmin through tmax
-
-
-
-Costello Standards Track [Page 6]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- The clamping means that if the formula yields a value less than tmin
- or greater than tmax, then t(j) = tmin or tmax, respectively. (In
- the pseudocode in section 6 "Bootstring algorithms", the expression
- base * (j + 1) is denoted by k for performance reasons.) These t(j)
- values cause the representation to favor integers within a particular
- range determined by the bias.
-
-3.4 Bias adaptation
-
- After each delta is encoded or decoded, bias is set for the next
- delta as follows:
-
- 1. Delta is scaled in order to avoid overflow in the next step:
-
- let delta = delta div 2
-
- But when this is the very first delta, the divisor is not 2, but
- instead a constant called damp. This compensates for the fact
- that the second delta is usually much smaller than the first.
-
- 2. Delta is increased to compensate for the fact that the next delta
- will be inserting into a longer string:
-
- let delta = delta + (delta div numpoints)
-
- numpoints is the total number of code points encoded/decoded so
- far (including the one corresponding to this delta itself, and
- including the basic code points).
-
- 3. Delta is repeatedly divided until it falls within a threshold, to
- predict the minimum number of digits needed to represent the next
- delta:
-
- while delta > ((base - tmin) * tmax) div 2
- do let delta = delta div (base - tmin)
-
- 4. The bias is set:
-
- let bias =
- (base * the number of divisions performed in step 3) +
- (((base - tmin + 1) * delta) div (delta + skew))
-
- The motivation for this procedure is that the current delta
- provides a hint about the likely size of the next delta, and so
- t(j) is set to tmax for the more significant digits starting with
- the one expected to be last, tmin for the less significant digits
- up through the one expected to be third-last, and somewhere
- between tmin and tmax for the digit expected to be second-last
-
-
-
-Costello Standards Track [Page 7]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- (balancing the hope of the expected-last digit being unnecessary
- against the danger of it being insufficient).
-
-4. Bootstring parameters
-
- Given a set of basic code points, one needs to be designated as the
- delimiter. The base cannot be greater than the number of
- distinguishable basic code points remaining. The digit-values in the
- range 0 through base-1 need to be associated with distinct non-
- delimiter basic code points. In some cases multiple code points need
- to have the same digit-value; for example, uppercase and lowercase
- versions of the same letter need to be equivalent if basic strings
- are case-insensitive.
-
- The initial value of n cannot be greater than the minimum non-basic
- code point that could appear in extended strings.
-
- The remaining five parameters (tmin, tmax, skew, damp, and the
- initial value of bias) need to satisfy the following constraints:
-
- 0 <= tmin <= tmax <= base-1
- skew >= 1
- damp >= 2
- initial_bias mod base <= base - tmin
-
- Provided the constraints are satisfied, these five parameters affect
- efficiency but not correctness. They are best chosen empirically.
-
- If support for mixed-case annotation is desired (see appendix A),
- make sure that the code points corresponding to 0 through tmax-1 all
- have both uppercase and lowercase forms.
-
-5. Parameter values for Punycode
-
- Punycode uses the following Bootstring parameter values:
-
- base = 36
- tmin = 1
- tmax = 26
- skew = 38
- damp = 700
- initial_bias = 72
- initial_n = 128 = 0x80
-
- Although the only restriction Punycode imposes on the input integers
- is that they be nonnegative, these parameters are especially designed
- to work well with Unicode [UNICODE] code points, which are integers
- in the range 0..10FFFF (but not D800..DFFF, which are reserved for
-
-
-
-Costello Standards Track [Page 8]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- use by the UTF-16 encoding of Unicode). The basic code points are
- the ASCII [ASCII] code points (0..7F), of which U+002D (-) is the
- delimiter, and some of the others have digit-values as follows:
-
- code points digit-values
- ------------ ----------------------
- 41..5A (A-Z) = 0 to 25, respectively
- 61..7A (a-z) = 0 to 25, respectively
- 30..39 (0-9) = 26 to 35, respectively
-
- Using hyphen-minus as the delimiter implies that the encoded string
- can end with a hyphen-minus only if the Unicode string consists
- entirely of basic code points, but IDNA forbids such strings from
- being encoded. The encoded string can begin with a hyphen-minus, but
- IDNA prepends a prefix. Therefore IDNA using Punycode conforms to
- the RFC 952 rule that host name labels neither begin nor end with a
- hyphen-minus [RFC952].
-
- A decoder MUST recognize the letters in both uppercase and lowercase
- forms (including mixtures of both forms). An encoder SHOULD output
- only uppercase forms or only lowercase forms, unless it uses mixed-
- case annotation (see appendix A).
-
- Presumably most users will not manually write or type encoded strings
- (as opposed to cutting and pasting them), but those who do will need
- to be alert to the potential visual ambiguity between the following
- sets of characters:
-
- G 6
- I l 1
- O 0
- S 5
- U V
- Z 2
-
- Such ambiguities are usually resolved by context, but in a Punycode
- encoded string there is no context apparent to humans.
-
-6. Bootstring algorithms
-
- Some parts of the pseudocode can be omitted if the parameters satisfy
- certain conditions (for which Punycode qualifies). These parts are
- enclosed in {braces}, and notes immediately following the pseudocode
- explain the conditions under which they can be omitted.
-
-
-
-
-
-
-
-Costello Standards Track [Page 9]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- Formally, code points are integers, and hence the pseudocode assumes
- that arithmetic operations can be performed directly on code points.
- In some programming languages, explicit conversion between code
- points and integers might be necessary.
-
-6.1 Bias adaptation function
-
- function adapt(delta,numpoints,firsttime):
- if firsttime then let delta = delta div damp
- else let delta = delta div 2
- let delta = delta + (delta div numpoints)
- let k = 0
- while delta > ((base - tmin) * tmax) div 2 do begin
- let delta = delta div (base - tmin)
- let k = k + base
- end
- return k + (((base - tmin + 1) * delta) div (delta + skew))
-
- It does not matter whether the modifications to delta and k inside
- adapt() affect variables of the same name inside the
- encoding/decoding procedures, because after calling adapt() the
- caller does not read those variables before overwriting them.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 10]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-6.2 Decoding procedure
-
- let n = initial_n
- let i = 0
- let bias = initial_bias
- let output = an empty string indexed from 0
- consume all code points before the last delimiter (if there is one)
- and copy them to output, fail on any non-basic code point
- if more than zero code points were consumed then consume one more
- (which will be the last delimiter)
- while the input is not exhausted do begin
- let oldi = i
- let w = 1
- for k = base to infinity in steps of base do begin
- consume a code point, or fail if there was none to consume
- let digit = the code point's digit-value, fail if it has none
- let i = i + digit * w, fail on overflow
- let t = tmin if k <= bias {+ tmin}, or
- tmax if k >= bias + tmax, or k - bias otherwise
- if digit < t then break
- let w = w * (base - t), fail on overflow
- end
- let bias = adapt(i - oldi, length(output) + 1, test oldi is 0?)
- let n = n + i div (length(output) + 1), fail on overflow
- let i = i mod (length(output) + 1)
- {if n is a basic code point then fail}
- insert n into output at position i
- increment i
- end
-
- The full statement enclosed in braces (checking whether n is a basic
- code point) can be omitted if initial_n exceeds all basic code points
- (which is true for Punycode), because n is never less than initial_n.
-
- In the assignment of t, where t is clamped to the range tmin through
- tmax, "+ tmin" can always be omitted. This makes the clamping
- calculation incorrect when bias < k < bias + tmin, but that cannot
- happen because of the way bias is computed and because of the
- constraints on the parameters.
-
- Because the decoder state can only advance monotonically, and there
- is only one representation of any delta, there is therefore only one
- encoded string that can represent a given sequence of integers. The
- only error conditions are invalid code points, unexpected end-of-
- input, overflow, and basic code points encoded using deltas instead
- of appearing literally. If the decoder fails on these errors as
- shown above, then it cannot produce the same output for two distinct
- inputs. Without this property it would have been necessary to re-
-
-
-
-Costello Standards Track [Page 11]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- encode the output and verify that it matches the input in order to
- guarantee the uniqueness of the encoding.
-
-6.3 Encoding procedure
-
- let n = initial_n
- let delta = 0
- let bias = initial_bias
- let h = b = the number of basic code points in the input
- copy them to the output in order, followed by a delimiter if b > 0
- {if the input contains a non-basic code point < n then fail}
- while h < length(input) do begin
- let m = the minimum {non-basic} code point >= n in the input
- let delta = delta + (m - n) * (h + 1), fail on overflow
- let n = m
- for each code point c in the input (in order) do begin
- if c < n {or c is basic} then increment delta, fail on overflow
- if c == n then begin
- let q = delta
- for k = base to infinity in steps of base do begin
- let t = tmin if k <= bias {+ tmin}, or
- tmax if k >= bias + tmax, or k - bias otherwise
- if q < t then break
- output the code point for digit t + ((q - t) mod (base - t))
- let q = (q - t) div (base - t)
- end
- output the code point for digit q
- let bias = adapt(delta, h + 1, test h equals b?)
- let delta = 0
- increment h
- end
- end
- increment delta and n
- end
-
- The full statement enclosed in braces (checking whether the input
- contains a non-basic code point less than n) can be omitted if all
- code points less than initial_n are basic code points (which is true
- for Punycode if code points are unsigned).
-
- The brace-enclosed conditions "non-basic" and "or c is basic" can be
- omitted if initial_n exceeds all basic code points (which is true for
- Punycode), because the code point being tested is never less than
- initial_n.
-
- In the assignment of t, where t is clamped to the range tmin through
- tmax, "+ tmin" can always be omitted. This makes the clamping
- calculation incorrect when bias < k < bias + tmin, but that cannot
-
-
-
-Costello Standards Track [Page 12]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- happen because of the way bias is computed and because of the
- constraints on the parameters.
-
- The checks for overflow are necessary to avoid producing invalid
- output when the input contains very large values or is very long.
-
- The increment of delta at the bottom of the outer loop cannot
- overflow because delta < length(input) before the increment, and
- length(input) is already assumed to be representable. The increment
- of n could overflow, but only if h == length(input), in which case
- the procedure is finished anyway.
-
-6.4 Overflow handling
-
- For IDNA, 26-bit unsigned integers are sufficient to handle all valid
- IDNA labels without overflow, because any string that needed a 27-bit
- delta would have to exceed either the code point limit (0..10FFFF) or
- the label length limit (63 characters). However, overflow handling
- is necessary because the inputs are not necessarily valid IDNA
- labels.
-
- If the programming language does not provide overflow detection, the
- following technique can be used. Suppose A, B, and C are
- representable nonnegative integers and C is nonzero. Then A + B
- overflows if and only if B > maxint - A, and A + (B * C) overflows if
- and only if B > (maxint - A) div C, where maxint is the greatest
- integer for which maxint + 1 cannot be represented. Refer to
- appendix C "Punycode sample implementation" for demonstrations of
- this technique in the C language.
-
- The decoding and encoding algorithms shown in sections 6.2 and 6.3
- handle overflow by detecting it whenever it happens. Another
- approach is to enforce limits on the inputs that prevent overflow
- from happening. For example, if the encoder were to verify that no
- input code points exceed M and that the input length does not exceed
- L, then no delta could ever exceed (M - initial_n) * (L + 1), and
- hence no overflow could occur if integer variables were capable of
- representing values that large. This prevention approach would
- impose more restrictions on the input than the detection approach
- does, but might be considered simpler in some programming languages.
-
- In theory, the decoder could use an analogous approach, limiting the
- number of digits in a variable-length integer (that is, limiting the
- number of iterations in the innermost loop). However, the number of
- digits that suffice to represent a given delta can sometimes
- represent much larger deltas (because of the adaptation), and hence
- this approach would probably need integers wider than 32 bits.
-
-
-
-
-Costello Standards Track [Page 13]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- Yet another approach for the decoder is to allow overflow to occur,
- but to check the final output string by re-encoding it and comparing
- to the decoder input. If and only if they do not match (using a
- case-insensitive ASCII comparison) overflow has occurred. This
- delayed-detection approach would not impose any more restrictions on
- the input than the immediate-detection approach does, and might be
- considered simpler in some programming languages.
-
- In fact, if the decoder is used only inside the IDNA ToUnicode
- operation [IDNA], then it need not check for overflow at all, because
- ToUnicode performs a higher level re-encoding and comparison, and a
- mismatch has the same consequence as if the Punycode decoder had
- failed.
-
-7. Punycode examples
-
-7.1 Sample strings
-
- In the Punycode encodings below, the ACE prefix is not shown.
- Backslashes show where line breaks have been inserted in strings too
- long for one line.
-
- The first several examples are all translations of the sentence "Why
- can't they just speak in <language>?" (courtesy of Michael Kaplan's
- "provincial" page [PROVINCIAL]). Word breaks and punctuation have
- been removed, as is often done in domain names.
-
- (A) Arabic (Egyptian):
- u+0644 u+064A u+0647 u+0645 u+0627 u+0628 u+062A u+0643 u+0644
- u+0645 u+0648 u+0634 u+0639 u+0631 u+0628 u+064A u+061F
- Punycode: egbpdaj6bu4bxfgehfvwxn
-
- (B) Chinese (simplified):
- u+4ED6 u+4EEC u+4E3A u+4EC0 u+4E48 u+4E0D u+8BF4 u+4E2D u+6587
- Punycode: ihqwcrb4cv8a8dqg056pqjye
-
- (C) Chinese (traditional):
- u+4ED6 u+5011 u+7232 u+4EC0 u+9EBD u+4E0D u+8AAA u+4E2D u+6587
- Punycode: ihqwctvzc91f659drss3x8bo0yb
-
- (D) Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky
- U+0050 u+0072 u+006F u+010D u+0070 u+0072 u+006F u+0073 u+0074
- u+011B u+006E u+0065 u+006D u+006C u+0075 u+0076 u+00ED u+010D
- u+0065 u+0073 u+006B u+0079
- Punycode: Proprostnemluvesky-uyb24dma41a
-
-
-
-
-
-
-Costello Standards Track [Page 14]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- (E) Hebrew:
- u+05DC u+05DE u+05D4 u+05D4 u+05DD u+05E4 u+05E9 u+05D5 u+05D8
- u+05DC u+05D0 u+05DE u+05D3 u+05D1 u+05E8 u+05D9 u+05DD u+05E2
- u+05D1 u+05E8 u+05D9 u+05EA
- Punycode: 4dbcagdahymbxekheh6e0a7fei0b
-
- (F) Hindi (Devanagari):
- u+092F u+0939 u+0932 u+094B u+0917 u+0939 u+093F u+0928 u+094D
- u+0926 u+0940 u+0915 u+094D u+092F u+094B u+0902 u+0928 u+0939
- u+0940 u+0902 u+092C u+094B u+0932 u+0938 u+0915 u+0924 u+0947
- u+0939 u+0948 u+0902
- Punycode: i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd
-
- (G) Japanese (kanji and hiragana):
- u+306A u+305C u+307F u+3093 u+306A u+65E5 u+672C u+8A9E u+3092
- u+8A71 u+3057 u+3066 u+304F u+308C u+306A u+3044 u+306E u+304B
- Punycode: n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa
-
- (H) Korean (Hangul syllables):
- u+C138 u+ACC4 u+C758 u+BAA8 u+B4E0 u+C0AC u+B78C u+B4E4 u+C774
- u+D55C u+AD6D u+C5B4 u+B97C u+C774 u+D574 u+D55C u+B2E4 u+BA74
- u+C5BC u+B9C8 u+B098 u+C88B u+C744 u+AE4C
- Punycode: 989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5j\
- psd879ccm6fea98c
-
- (I) Russian (Cyrillic):
- U+043F u+043E u+0447 u+0435 u+043C u+0443 u+0436 u+0435 u+043E
- u+043D u+0438 u+043D u+0435 u+0433 u+043E u+0432 u+043E u+0440
- u+044F u+0442 u+043F u+043E u+0440 u+0443 u+0441 u+0441 u+043A
- u+0438
- Punycode: b1abfaaepdrnnbgefbaDotcwatmq2g4l
-
- (J) Spanish: Porqu<eacute>nopuedensimplementehablarenEspa<ntilde>ol
- U+0050 u+006F u+0072 u+0071 u+0075 u+00E9 u+006E u+006F u+0070
- u+0075 u+0065 u+0064 u+0065 u+006E u+0073 u+0069 u+006D u+0070
- u+006C u+0065 u+006D u+0065 u+006E u+0074 u+0065 u+0068 u+0061
- u+0062 u+006C u+0061 u+0072 u+0065 u+006E U+0045 u+0073 u+0070
- u+0061 u+00F1 u+006F u+006C
- Punycode: PorqunopuedensimplementehablarenEspaol-fmd56a
-
- (K) Vietnamese:
- T<adotbelow>isaoh<odotbelow>kh<ocirc>ngth<ecirchookabove>ch\
- <ihookabove>n<oacute>iti<ecircacute>ngVi<ecircdotbelow>t
- U+0054 u+1EA1 u+0069 u+0073 u+0061 u+006F u+0068 u+1ECD u+006B
- u+0068 u+00F4 u+006E u+0067 u+0074 u+0068 u+1EC3 u+0063 u+0068
- u+1EC9 u+006E u+00F3 u+0069 u+0074 u+0069 u+1EBF u+006E u+0067
- U+0056 u+0069 u+1EC7 u+0074
- Punycode: TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g
-
-
-
-Costello Standards Track [Page 15]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- The next several examples are all names of Japanese music artists,
- song titles, and TV programs, just because the author happens to have
- them handy (but Japanese is useful for providing examples of single-
- row text, two-row text, ideographic text, and various mixtures
- thereof).
-
- (L) 3<nen>B<gumi><kinpachi><sensei>
- u+0033 u+5E74 U+0042 u+7D44 u+91D1 u+516B u+5148 u+751F
- Punycode: 3B-ww4c5e180e575a65lsy2b
-
- (M) <amuro><namie>-with-SUPER-MONKEYS
- u+5B89 u+5BA4 u+5948 u+7F8E u+6075 u+002D u+0077 u+0069 u+0074
- u+0068 u+002D U+0053 U+0055 U+0050 U+0045 U+0052 u+002D U+004D
- U+004F U+004E U+004B U+0045 U+0059 U+0053
- Punycode: -with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n
-
- (N) Hello-Another-Way-<sorezore><no><basho>
- U+0048 u+0065 u+006C u+006C u+006F u+002D U+0041 u+006E u+006F
- u+0074 u+0068 u+0065 u+0072 u+002D U+0057 u+0061 u+0079 u+002D
- u+305D u+308C u+305E u+308C u+306E u+5834 u+6240
- Punycode: Hello-Another-Way--fc4qua05auwb3674vfr0b
-
- (O) <hitotsu><yane><no><shita>2
- u+3072 u+3068 u+3064 u+5C4B u+6839 u+306E u+4E0B u+0032
- Punycode: 2-u9tlzr9756bt3uc0v
-
- (P) Maji<de>Koi<suru>5<byou><mae>
- U+004D u+0061 u+006A u+0069 u+3067 U+004B u+006F u+0069 u+3059
- u+308B u+0035 u+79D2 u+524D
- Punycode: MajiKoi5-783gue6qz075azm5e
-
- (Q) <pafii>de<runba>
- u+30D1 u+30D5 u+30A3 u+30FC u+0064 u+0065 u+30EB u+30F3 u+30D0
- Punycode: de-jg4avhby1noc0d
-
- (R) <sono><supiido><de>
- u+305D u+306E u+30B9 u+30D4 u+30FC u+30C9 u+3067
- Punycode: d9juau41awczczp
-
- The last example is an ASCII string that breaks the existing rules
- for host name labels. (It is not a realistic example for IDNA,
- because IDNA never encodes pure ASCII labels.)
-
- (S) -> $1.00 <-
- u+002D u+003E u+0020 u+0024 u+0031 u+002E u+0030 u+0030 u+0020
- u+003C u+002D
- Punycode: -> $1.00 <--
-
-
-
-
-Costello Standards Track [Page 16]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-7.2 Decoding traces
-
- In the following traces, the evolving state of the decoder is shown
- as a sequence of hexadecimal values, representing the code points in
- the extended string. An asterisk appears just after the most
- recently inserted code point, indicating both n (the value preceeding
- the asterisk) and i (the position of the value just after the
- asterisk). Other numerical values are decimal.
-
- Decoding trace of example B from section 7.1:
-
- n is 128, i is 0, bias is 72
- input is "ihqwcrb4cv8a8dqg056pqjye"
- there is no delimiter, so extended string starts empty
- delta "ihq" decodes to 19853
- bias becomes 21
- 4E0D *
- delta "wc" decodes to 64
- bias becomes 20
- 4E0D 4E2D *
- delta "rb" decodes to 37
- bias becomes 13
- 4E3A * 4E0D 4E2D
- delta "4c" decodes to 56
- bias becomes 17
- 4E3A 4E48 * 4E0D 4E2D
- delta "v8a" decodes to 599
- bias becomes 32
- 4E3A 4EC0 * 4E48 4E0D 4E2D
- delta "8d" decodes to 130
- bias becomes 23
- 4ED6 * 4E3A 4EC0 4E48 4E0D 4E2D
- delta "qg" decodes to 154
- bias becomes 25
- 4ED6 4EEC * 4E3A 4EC0 4E48 4E0D 4E2D
- delta "056p" decodes to 46301
- bias becomes 84
- 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 4E2D 6587 *
- delta "qjye" decodes to 88531
- bias becomes 90
- 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 8BF4 * 4E2D 6587
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 17]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- Decoding trace of example L from section 7.1:
-
- n is 128, i is 0, bias is 72
- input is "3B-ww4c5e180e575a65lsy2b"
- literal portion is "3B-", so extended string starts as:
- 0033 0042
- delta "ww4c" decodes to 62042
- bias becomes 27
- 0033 0042 5148 *
- delta "5e" decodes to 139
- bias becomes 24
- 0033 0042 516B * 5148
- delta "180e" decodes to 16683
- bias becomes 67
- 0033 5E74 * 0042 516B 5148
- delta "575a" decodes to 34821
- bias becomes 82
- 0033 5E74 0042 516B 5148 751F *
- delta "65l" decodes to 14592
- bias becomes 67
- 0033 5E74 0042 7D44 * 516B 5148 751F
- delta "sy2b" decodes to 42088
- bias becomes 84
- 0033 5E74 0042 7D44 91D1 * 516B 5148 751F
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 18]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-7.3 Encoding traces
-
- In the following traces, code point values are hexadecimal, while
- other numerical values are decimal.
-
- Encoding trace of example B from section 7.1:
-
- bias is 72
- input is:
- 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 8BF4 4E2D 6587
- there are no basic code points, so no literal portion
- next code point to insert is 4E0D
- needed delta is 19853, encodes as "ihq"
- bias becomes 21
- next code point to insert is 4E2D
- needed delta is 64, encodes as "wc"
- bias becomes 20
- next code point to insert is 4E3A
- needed delta is 37, encodes as "rb"
- bias becomes 13
- next code point to insert is 4E48
- needed delta is 56, encodes as "4c"
- bias becomes 17
- next code point to insert is 4EC0
- needed delta is 599, encodes as "v8a"
- bias becomes 32
- next code point to insert is 4ED6
- needed delta is 130, encodes as "8d"
- bias becomes 23
- next code point to insert is 4EEC
- needed delta is 154, encodes as "qg"
- bias becomes 25
- next code point to insert is 6587
- needed delta is 46301, encodes as "056p"
- bias becomes 84
- next code point to insert is 8BF4
- needed delta is 88531, encodes as "qjye"
- bias becomes 90
- output is "ihqwcrb4cv8a8dqg056pqjye"
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 19]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- Encoding trace of example L from section 7.1:
-
- bias is 72
- input is:
- 0033 5E74 0042 7D44 91D1 516B 5148 751F
- basic code points (0033, 0042) are copied to literal portion: "3B-"
- next code point to insert is 5148
- needed delta is 62042, encodes as "ww4c"
- bias becomes 27
- next code point to insert is 516B
- needed delta is 139, encodes as "5e"
- bias becomes 24
- next code point to insert is 5E74
- needed delta is 16683, encodes as "180e"
- bias becomes 67
- next code point to insert is 751F
- needed delta is 34821, encodes as "575a"
- bias becomes 82
- next code point to insert is 7D44
- needed delta is 14592, encodes as "65l"
- bias becomes 67
- next code point to insert is 91D1
- needed delta is 42088, encodes as "sy2b"
- bias becomes 84
- output is "3B-ww4c5e180e575a65lsy2b"
-
-8. Security Considerations
-
- Users expect each domain name in DNS to be controlled by a single
- authority. If a Unicode string intended for use as a domain label
- could map to multiple ACE labels, then an internationalized domain
- name could map to multiple ASCII domain names, each controlled by a
- different authority, some of which could be spoofs that hijack
- service requests intended for another. Therefore Punycode is
- designed so that each Unicode string has a unique encoding.
-
- However, there can still be multiple Unicode representations of the
- "same" text, for various definitions of "same". This problem is
- addressed to some extent by the Unicode standard under the topic of
- canonicalization, and this work is leveraged for domain names by
- Nameprep [NAMEPREP].
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 20]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-9. References
-
-9.1 Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-9.2 Informative References
-
- [RFC952] Harrenstien, K., Stahl, M. and E. Feinler, "DOD Internet
- Host Table Specification", RFC 952, October 1985.
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [IDNA] Faltstrom, P., Hoffman, P. and A. Costello,
- "Internationalizing Domain Names in Applications
- (IDNA)", RFC 3490, March 2003.
-
- [NAMEPREP] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
- Profile for Internationalized Domain Names (IDN)", RFC
- 3491, March 2003.
-
- [ASCII] Cerf, V., "ASCII format for Network Interchange", RFC
- 20, October 1969.
-
- [PROVINCIAL] Kaplan, M., "The 'anyone can be provincial!' page",
- http://www.trigeminal.com/samples/provincial.html.
-
- [UNICODE] The Unicode Consortium, "The Unicode Standard",
- http://www.unicode.org/unicode/standard/standard.html.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 21]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-A. Mixed-case annotation
-
- In order to use Punycode to represent case-insensitive strings,
- higher layers need to case-fold the strings prior to Punycode
- encoding. The encoded string can use mixed case as an annotation
- telling how to convert the folded string into a mixed-case string for
- display purposes. Note, however, that mixed-case annotation is not
- used by the ToASCII and ToUnicode operations specified in [IDNA], and
- therefore implementors of IDNA can disregard this appendix.
-
- Basic code points can use mixed case directly, because the decoder
- copies them verbatim, leaving lowercase code points lowercase, and
- leaving uppercase code points uppercase. Each non-basic code point
- is represented by a delta, which is represented by a sequence of
- basic code points, the last of which provides the annotation. If it
- is uppercase, it is a suggestion to map the non-basic code point to
- uppercase (if possible); if it is lowercase, it is a suggestion to
- map the non-basic code point to lowercase (if possible).
-
- These annotations do not alter the code points returned by decoders;
- the annotations are returned separately, for the caller to use or
- ignore. Encoders can accept annotations in addition to code points,
- but the annotations do not alter the output, except to influence the
- uppercase/lowercase form of ASCII letters.
-
- Punycode encoders and decoders need not support these annotations,
- and higher layers need not use them.
-
-B. Disclaimer and license
-
- Regarding this entire document or any portion of it (including the
- pseudocode and C code), the author makes no guarantees and is not
- responsible for any damage resulting from its use. The author grants
- irrevocable permission to anyone to use, modify, and distribute it in
- any way that does not diminish the rights of anyone else to use,
- modify, and distribute it, provided that redistributed derivative
- works do not contain misleading author or version information.
- Derivative works need not be licensed under similar terms.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 22]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-C. Punycode sample implementation
-
-/*
-punycode.c from RFC 3492
-http://www.nicemice.net/idn/
-Adam M. Costello
-http://www.nicemice.net/amc/
-
-This is ANSI C code (C89) implementing Punycode (RFC 3492).
-
-*/
-
-
-/************************************************************/
-/* Public interface (would normally go in its own .h file): */
-
-#include <limits.h>
-
-enum punycode_status {
- punycode_success,
- punycode_bad_input, /* Input is invalid. */
- punycode_big_output, /* Output would exceed the space provided. */
- punycode_overflow /* Input needs wider integers to process. */
-};
-
-#if UINT_MAX >= (1 << 26) - 1
-typedef unsigned int punycode_uint;
-#else
-typedef unsigned long punycode_uint;
-#endif
-
-enum punycode_status punycode_encode(
- punycode_uint input_length,
- const punycode_uint input[],
- const unsigned char case_flags[],
- punycode_uint *output_length,
- char output[] );
-
- /* punycode_encode() converts Unicode to Punycode. The input */
- /* is represented as an array of Unicode code points (not code */
- /* units; surrogate pairs are not allowed), and the output */
- /* will be represented as an array of ASCII code points. The */
- /* output string is *not* null-terminated; it will contain */
- /* zeros if and only if the input contains zeros. (Of course */
- /* the caller can leave room for a terminator and add one if */
- /* needed.) The input_length is the number of code points in */
- /* the input. The output_length is an in/out argument: the */
- /* caller passes in the maximum number of code points that it */
-
-
-
-Costello Standards Track [Page 23]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- /* can receive, and on successful return it will contain the */
- /* number of code points actually output. The case_flags array */
- /* holds input_length boolean values, where nonzero suggests that */
- /* the corresponding Unicode character be forced to uppercase */
- /* after being decoded (if possible), and zero suggests that */
- /* it be forced to lowercase (if possible). ASCII code points */
- /* are encoded literally, except that ASCII letters are forced */
- /* to uppercase or lowercase according to the corresponding */
- /* uppercase flags. If case_flags is a null pointer then ASCII */
- /* letters are left as they are, and other code points are */
- /* treated as if their uppercase flags were zero. The return */
- /* value can be any of the punycode_status values defined above */
- /* except punycode_bad_input; if not punycode_success, then */
- /* output_size and output might contain garbage. */
-
-enum punycode_status punycode_decode(
- punycode_uint input_length,
- const char input[],
- punycode_uint *output_length,
- punycode_uint output[],
- unsigned char case_flags[] );
-
- /* punycode_decode() converts Punycode to Unicode. The input is */
- /* represented as an array of ASCII code points, and the output */
- /* will be represented as an array of Unicode code points. The */
- /* input_length is the number of code points in the input. The */
- /* output_length is an in/out argument: the caller passes in */
- /* the maximum number of code points that it can receive, and */
- /* on successful return it will contain the actual number of */
- /* code points output. The case_flags array needs room for at */
- /* least output_length values, or it can be a null pointer if the */
- /* case information is not needed. A nonzero flag suggests that */
- /* the corresponding Unicode character be forced to uppercase */
- /* by the caller (if possible), while zero suggests that it be */
- /* forced to lowercase (if possible). ASCII code points are */
- /* output already in the proper case, but their flags will be set */
- /* appropriately so that applying the flags would be harmless. */
- /* The return value can be any of the punycode_status values */
- /* defined above; if not punycode_success, then output_length, */
- /* output, and case_flags might contain garbage. On success, the */
- /* decoder will never need to write an output_length greater than */
- /* input_length, because of how the encoding is defined. */
-
-/**********************************************************/
-/* Implementation (would normally go in its own .c file): */
-
-#include <string.h>
-
-
-
-
-Costello Standards Track [Page 24]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-/*** Bootstring parameters for Punycode ***/
-
-enum { base = 36, tmin = 1, tmax = 26, skew = 38, damp = 700,
- initial_bias = 72, initial_n = 0x80, delimiter = 0x2D };
-
-/* basic(cp) tests whether cp is a basic code point: */
-#define basic(cp) ((punycode_uint)(cp) < 0x80)
-
-/* delim(cp) tests whether cp is a delimiter: */
-#define delim(cp) ((cp) == delimiter)
-
-/* decode_digit(cp) returns the numeric value of a basic code */
-/* point (for use in representing integers) in the range 0 to */
-/* base-1, or base if cp is does not represent a value. */
-
-static punycode_uint decode_digit(punycode_uint cp)
-{
- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
- cp - 97 < 26 ? cp - 97 : base;
-}
-
-/* encode_digit(d,flag) returns the basic code point whose value */
-/* (when used for representing integers) is d, which needs to be in */
-/* the range 0 to base-1. The lowercase form is used unless flag is */
-/* nonzero, in which case the uppercase form is used. The behavior */
-/* is undefined if flag is nonzero and digit d has no uppercase form. */
-
-static char encode_digit(punycode_uint d, int flag)
-{
- return d + 22 + 75 * (d < 26) - ((flag != 0) << 5);
- /* 0..25 map to ASCII a..z or A..Z */
- /* 26..35 map to ASCII 0..9 */
-}
-
-/* flagged(bcp) tests whether a basic code point is flagged */
-/* (uppercase). The behavior is undefined if bcp is not a */
-/* basic code point. */
-
-#define flagged(bcp) ((punycode_uint)(bcp) - 65 < 26)
-
-/* encode_basic(bcp,flag) forces a basic code point to lowercase */
-/* if flag is zero, uppercase if flag is nonzero, and returns */
-/* the resulting code point. The code point is unchanged if it */
-/* is caseless. The behavior is undefined if bcp is not a basic */
-/* code point. */
-
-static char encode_basic(punycode_uint bcp, int flag)
-{
-
-
-
-Costello Standards Track [Page 25]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- bcp -= (bcp - 97 < 26) << 5;
- return bcp + ((!flag && (bcp - 65 < 26)) << 5);
-}
-
-/*** Platform-specific constants ***/
-
-/* maxint is the maximum value of a punycode_uint variable: */
-static const punycode_uint maxint = -1;
-/* Because maxint is unsigned, -1 becomes the maximum value. */
-
-/*** Bias adaptation function ***/
-
-static punycode_uint adapt(
- punycode_uint delta, punycode_uint numpoints, int firsttime )
-{
- punycode_uint k;
-
- delta = firsttime ? delta / damp : delta >> 1;
- /* delta >> 1 is a faster way of doing delta / 2 */
- delta += delta / numpoints;
-
- for (k = 0; delta > ((base - tmin) * tmax) / 2; k += base) {
- delta /= base - tmin;
- }
-
- return k + (base - tmin + 1) * delta / (delta + skew);
-}
-
-/*** Main encode function ***/
-
-enum punycode_status punycode_encode(
- punycode_uint input_length,
- const punycode_uint input[],
- const unsigned char case_flags[],
- punycode_uint *output_length,
- char output[] )
-{
- punycode_uint n, delta, h, b, out, max_out, bias, j, m, q, k, t;
-
- /* Initialize the state: */
-
- n = initial_n;
- delta = out = 0;
- max_out = *output_length;
- bias = initial_bias;
-
- /* Handle the basic code points: */
-
-
-
-
-Costello Standards Track [Page 26]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- for (j = 0; j < input_length; ++j) {
- if (basic(input[j])) {
- if (max_out - out < 2) return punycode_big_output;
- output[out++] =
- case_flags ? encode_basic(input[j], case_flags[j]) : input[j];
- }
- /* else if (input[j] < n) return punycode_bad_input; */
- /* (not needed for Punycode with unsigned code points) */
- }
-
- h = b = out;
-
- /* h is the number of code points that have been handled, b is the */
- /* number of basic code points, and out is the number of characters */
- /* that have been output. */
-
- if (b > 0) output[out++] = delimiter;
-
- /* Main encoding loop: */
-
- while (h < input_length) {
- /* All non-basic code points < n have been */
- /* handled already. Find the next larger one: */
-
- for (m = maxint, j = 0; j < input_length; ++j) {
- /* if (basic(input[j])) continue; */
- /* (not needed for Punycode) */
- if (input[j] >= n && input[j] < m) m = input[j];
- }
-
- /* Increase delta enough to advance the decoder's */
- /* <n,i> state to <m,0>, but guard against overflow: */
-
- if (m - n > (maxint - delta) / (h + 1)) return punycode_overflow;
- delta += (m - n) * (h + 1);
- n = m;
-
- for (j = 0; j < input_length; ++j) {
- /* Punycode does not need to check whether input[j] is basic: */
- if (input[j] < n /* || basic(input[j]) */ ) {
- if (++delta == 0) return punycode_overflow;
- }
-
- if (input[j] == n) {
- /* Represent delta as a generalized variable-length integer: */
-
- for (q = delta, k = base; ; k += base) {
- if (out >= max_out) return punycode_big_output;
-
-
-
-Costello Standards Track [Page 27]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- t = k <= bias /* + tmin */ ? tmin : /* +tmin not needed */
- k >= bias + tmax ? tmax : k - bias;
- if (q < t) break;
- output[out++] = encode_digit(t + (q - t) % (base - t), 0);
- q = (q - t) / (base - t);
- }
-
- output[out++] = encode_digit(q, case_flags && case_flags[j]);
- bias = adapt(delta, h + 1, h == b);
- delta = 0;
- ++h;
- }
- }
-
- ++delta, ++n;
- }
-
- *output_length = out;
- return punycode_success;
-}
-
-/*** Main decode function ***/
-
-enum punycode_status punycode_decode(
- punycode_uint input_length,
- const char input[],
- punycode_uint *output_length,
- punycode_uint output[],
- unsigned char case_flags[] )
-{
- punycode_uint n, out, i, max_out, bias,
- b, j, in, oldi, w, k, digit, t;
-
- /* Initialize the state: */
-
- n = initial_n;
- out = i = 0;
- max_out = *output_length;
- bias = initial_bias;
-
- /* Handle the basic code points: Let b be the number of input code */
- /* points before the last delimiter, or 0 if there is none, then */
- /* copy the first b code points to the output. */
-
- for (b = j = 0; j < input_length; ++j) if (delim(input[j])) b = j;
- if (b > max_out) return punycode_big_output;
-
- for (j = 0; j < b; ++j) {
-
-
-
-Costello Standards Track [Page 28]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- if (case_flags) case_flags[out] = flagged(input[j]);
- if (!basic(input[j])) return punycode_bad_input;
- output[out++] = input[j];
- }
-
- /* Main decoding loop: Start just after the last delimiter if any */
- /* basic code points were copied; start at the beginning otherwise. */
-
- for (in = b > 0 ? b + 1 : 0; in < input_length; ++out) {
-
- /* in is the index of the next character to be consumed, and */
- /* out is the number of code points in the output array. */
-
- /* Decode a generalized variable-length integer into delta, */
- /* which gets added to i. The overflow checking is easier */
- /* if we increase i as we go, then subtract off its starting */
- /* value at the end to obtain delta. */
-
- for (oldi = i, w = 1, k = base; ; k += base) {
- if (in >= input_length) return punycode_bad_input;
- digit = decode_digit(input[in++]);
- if (digit >= base) return punycode_bad_input;
- if (digit > (maxint - i) / w) return punycode_overflow;
- i += digit * w;
- t = k <= bias /* + tmin */ ? tmin : /* +tmin not needed */
- k >= bias + tmax ? tmax : k - bias;
- if (digit < t) break;
- if (w > maxint / (base - t)) return punycode_overflow;
- w *= (base - t);
- }
-
- bias = adapt(i - oldi, out + 1, oldi == 0);
-
- /* i was supposed to wrap around from out+1 to 0, */
- /* incrementing n each time, so we'll fix that now: */
-
- if (i / (out + 1) > maxint - n) return punycode_overflow;
- n += i / (out + 1);
- i %= (out + 1);
-
- /* Insert n at position i of the output: */
-
- /* not needed for Punycode: */
- /* if (decode_digit(n) <= base) return punycode_invalid_input; */
- if (out >= max_out) return punycode_big_output;
-
- if (case_flags) {
- memmove(case_flags + i + 1, case_flags + i, out - i);
-
-
-
-Costello Standards Track [Page 29]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- /* Case of last character determines uppercase flag: */
- case_flags[i] = flagged(input[in - 1]);
- }
-
- memmove(output + i + 1, output + i, (out - i) * sizeof *output);
- output[i++] = n;
- }
-
- *output_length = out;
- return punycode_success;
-}
-
-/******************************************************************/
-/* Wrapper for testing (would normally go in a separate .c file): */
-
-#include <assert.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-/* For testing, we'll just set some compile-time limits rather than */
-/* use malloc(), and set a compile-time option rather than using a */
-/* command-line option. */
-
-enum {
- unicode_max_length = 256,
- ace_max_length = 256
-};
-
-static void usage(char **argv)
-{
- fprintf(stderr,
- "\n"
- "%s -e reads code points and writes a Punycode string.\n"
- "%s -d reads a Punycode string and writes code points.\n"
- "\n"
- "Input and output are plain text in the native character set.\n"
- "Code points are in the form u+hex separated by whitespace.\n"
- "Although the specification allows Punycode strings to contain\n"
- "any characters from the ASCII repertoire, this test code\n"
- "supports only the printable characters, and needs the Punycode\n"
- "string to be followed by a newline.\n"
- "The case of the u in u+hex is the force-to-uppercase flag.\n"
- , argv[0], argv[0]);
- exit(EXIT_FAILURE);
-}
-
-static void fail(const char *msg)
-
-
-
-Costello Standards Track [Page 30]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-{
- fputs(msg,stderr);
- exit(EXIT_FAILURE);
-}
-
-static const char too_big[] =
- "input or output is too large, recompile with larger limits\n";
-static const char invalid_input[] = "invalid input\n";
-static const char overflow[] = "arithmetic overflow\n";
-static const char io_error[] = "I/O error\n";
-
-/* The following string is used to convert printable */
-/* characters between ASCII and the native charset: */
-
-static const char print_ascii[] =
- "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
- "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
- " !\"#$%&'()*+,-./"
- "0123456789:;<=>?"
- "@ABCDEFGHIJKLMNO"
- "PQRSTUVWXYZ[\\]^_"
- "`abcdefghijklmno"
- "pqrstuvwxyz{|}~\n";
-
-int main(int argc, char **argv)
-{
- enum punycode_status status;
- int r;
- unsigned int input_length, output_length, j;
- unsigned char case_flags[unicode_max_length];
-
- if (argc != 2) usage(argv);
- if (argv[1][0] != '-') usage(argv);
- if (argv[1][2] != 0) usage(argv);
-
- if (argv[1][1] == 'e') {
- punycode_uint input[unicode_max_length];
- unsigned long codept;
- char output[ace_max_length+1], uplus[3];
- int c;
-
- /* Read the input code points: */
-
- input_length = 0;
-
- for (;;) {
- r = scanf("%2s%lx", uplus, &codept);
- if (ferror(stdin)) fail(io_error);
-
-
-
-Costello Standards Track [Page 31]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- if (r == EOF || r == 0) break;
-
- if (r != 2 || uplus[1] != '+' || codept > (punycode_uint)-1) {
- fail(invalid_input);
- }
-
- if (input_length == unicode_max_length) fail(too_big);
-
- if (uplus[0] == 'u') case_flags[input_length] = 0;
- else if (uplus[0] == 'U') case_flags[input_length] = 1;
- else fail(invalid_input);
-
- input[input_length++] = codept;
- }
-
- /* Encode: */
-
- output_length = ace_max_length;
- status = punycode_encode(input_length, input, case_flags,
- &output_length, output);
- if (status == punycode_bad_input) fail(invalid_input);
- if (status == punycode_big_output) fail(too_big);
- if (status == punycode_overflow) fail(overflow);
- assert(status == punycode_success);
-
- /* Convert to native charset and output: */
-
- for (j = 0; j < output_length; ++j) {
- c = output[j];
- assert(c >= 0 && c <= 127);
- if (print_ascii[c] == 0) fail(invalid_input);
- output[j] = print_ascii[c];
- }
-
- output[j] = 0;
- r = puts(output);
- if (r == EOF) fail(io_error);
- return EXIT_SUCCESS;
- }
-
- if (argv[1][1] == 'd') {
- char input[ace_max_length+2], *p, *pp;
- punycode_uint output[unicode_max_length];
-
- /* Read the Punycode input string and convert to ASCII: */
-
- fgets(input, ace_max_length+2, stdin);
- if (ferror(stdin)) fail(io_error);
-
-
-
-Costello Standards Track [Page 32]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
- if (feof(stdin)) fail(invalid_input);
- input_length = strlen(input) - 1;
- if (input[input_length] != '\n') fail(too_big);
- input[input_length] = 0;
-
- for (p = input; *p != 0; ++p) {
- pp = strchr(print_ascii, *p);
- if (pp == 0) fail(invalid_input);
- *p = pp - print_ascii;
- }
-
- /* Decode: */
-
- output_length = unicode_max_length;
- status = punycode_decode(input_length, input, &output_length,
- output, case_flags);
- if (status == punycode_bad_input) fail(invalid_input);
- if (status == punycode_big_output) fail(too_big);
- if (status == punycode_overflow) fail(overflow);
- assert(status == punycode_success);
-
- /* Output the result: */
-
- for (j = 0; j < output_length; ++j) {
- r = printf("%s+%04lX\n",
- case_flags[j] ? "U" : "u",
- (unsigned long) output[j] );
- if (r < 0) fail(io_error);
- }
-
- return EXIT_SUCCESS;
- }
-
- usage(argv);
- return EXIT_SUCCESS; /* not reached, but quiets compiler warning */
-}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 33]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-Author's Address
-
- Adam M. Costello
- University of California, Berkeley
- http://www.nicemice.net/amc/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 34]
-�
-RFC 3492 IDNA Punycode March 2003
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 35]
-�
Deleted: branches/samba/upstream/source4/heimdal/lib/wind/rfc4013.txt
===================================================================
--- branches/samba/upstream/source4/heimdal/lib/wind/rfc4013.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/heimdal/lib/wind/rfc4013.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4013 OpenLDAP Foundation
-Category: Standards Track February 2005
-
-
- SASLprep: Stringprep Profile for User Names and Passwords
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document describes how to prepare Unicode strings representing
- user names and passwords for comparison. The document defines the
- "SASLprep" profile of the "stringprep" algorithm to be used for both
- user names and passwords. This profile is intended to be used by
- Simple Authentication and Security Layer (SASL) mechanisms (such as
- PLAIN, CRAM-MD5, and DIGEST-MD5), as well as other protocols
- exchanging simple user names and/or passwords.
-
-1. Introduction
-
- The use of simple user names and passwords in authentication and
- authorization is pervasive on the Internet. To increase the
- likelihood that user name and password input and comparison work in
- ways that make sense for typical users throughout the world, this
- document defines rules for preparing internationalized user names and
- passwords for comparison. For simplicity and implementation ease, a
- single algorithm is defined for both user names and passwords.
-
- The algorithm assumes all strings are comprised of characters from
- the Unicode [Unicode] character set.
-
- This document defines the "SASLprep" profile of the "stringprep"
- algorithm [StringPrep].
-
- The profile is designed for use in Simple Authentication and Security
- Layer ([SASL]) mechanisms, such as [PLAIN], [CRAM-MD5], and
- [DIGEST-MD5]. It may be applicable where simple user names and
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4013 SASLprep February 2005
-
-
- passwords are used. This profile is not intended for use in
- preparing identity strings that are not simple user names (e.g.,
- email addresses, domain names, distinguished names), or where
- identity or password strings that are not character data, or require
- different handling (e.g., case folding).
-
- This document does not alter the technical specification of any
- existing protocols. Any specification that wishes to use the
- algorithm described in this document needs to explicitly incorporate
- this document and provide precise details as to where and how this
- algorithm is used by implementations of that specification.
-
-2. The SASLprep Profile
-
- This section defines the "SASLprep" profile of the "stringprep"
- algorithm [StringPrep]. This profile is intended for use in
- preparing strings representing simple user names and passwords.
-
- This profile uses Unicode 3.2 [Unicode].
-
- Character names in this document use the notation for code points and
- names from the Unicode Standard [Unicode]. For example, the letter
- "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
- In the lists of mappings and the prohibited characters, the "U+" is
- left off to make the lists easier to read. The comments for
- character ranges are shown in square brackets (such as "[CONTROL
- CHARACTERS]") and do not come from the standard.
-
- Note: A glossary of terms used in Unicode can be found in [Glossary].
- Information on the Unicode character encoding model can be found in
- [CharModel].
-
-2.1. Mapping
-
- This profile specifies:
-
- - non-ASCII space characters [StringPrep, C.1.2] that can be
- mapped to SPACE (U+0020), and
-
- - the "commonly mapped to nothing" characters [StringPrep, B.1]
- that can be mapped to nothing.
-
-2.2. Normalization
-
- This profile specifies using Unicode normalization form KC, as
- described in Section 4 of [StringPrep].
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4013 SASLprep February 2005
-
-
-2.3. Prohibited Output
-
- This profile specifies the following characters as prohibited input:
-
- - Non-ASCII space characters [StringPrep, C.1.2]
- - ASCII control characters [StringPrep, C.2.1]
- - Non-ASCII control characters [StringPrep, C.2.2]
- - Private Use characters [StringPrep, C.3]
- - Non-character code points [StringPrep, C.4]
- - Surrogate code points [StringPrep, C.5]
- - Inappropriate for plain text characters [StringPrep, C.6]
- - Inappropriate for canonical representation characters
- [StringPrep, C.7]
- - Change display properties or deprecated characters
- [StringPrep, C.8]
- - Tagging characters [StringPrep, C.9]
-
-2.4. Bidirectional Characters
-
- This profile specifies checking bidirectional strings as described in
- [StringPrep, Section 6].
-
-2.5. Unassigned Code Points
-
- This profile specifies the [StringPrep, A.1] table as its list of
- unassigned code points.
-
-3. Examples
-
- The following table provides examples of how various character data
- is transformed by the SASLprep string preparation algorithm
-
- # Input Output Comments
- - ----- ------ --------
- 1 I<U+00AD>X IX SOFT HYPHEN mapped to nothing
- 2 user user no transformation
- 3 USER USER case preserved, will not match #2
- 4 <U+00AA> a output is NFKC, input in ISO 8859-1
- 5 <U+2168> IX output is NFKC, will match #1
- 6 <U+0007> Error - prohibited character
- 7 <U+0627><U+0031> Error - bidirectional check
-
-4. Security Considerations
-
- This profile is intended to prepare simple user name and password
- strings for comparison or use in cryptographic functions (e.g.,
- message digests). The preparation algorithm was specifically
- designed such that its output is canonical, and it is well-formed.
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4013 SASLprep February 2005
-
-
- However, due to an anomaly [PR29] in the specification of Unicode
- normalization, canonical equivalence is not guaranteed for a select
- few character sequences. These sequences, however, do not appear in
- well-formed text. This specification was published despite this
- known technical problem. It is expected that this specification will
- be revised before further progression on the Standards Track (after
- [Unicode] and/or [StringPrep] specifications have been updated to
- address this problem).
-
- It is not intended for preparing identity strings that are not simple
- user names (e.g., distinguished names, domain names), nor is the
- profile intended for use of simple user names that require different
- handling (such as case folding). Protocols (or applications of those
- protocols) that have application-specific identity forms and/or
- comparison algorithms should use mechanisms specifically designed for
- these forms and algorithms.
-
- Application of string preparation may have an impact upon the
- feasibility of brute force and dictionary attacks. While the number
- of possible prepared strings is less than the number of possible
- Unicode strings, the number of usable names and passwords is greater
- than as if only ASCII was used. Though SASLprep eliminates some
- Unicode code point sequences as possible prepared strings, that
- elimination generally makes the (canonical) output forms practicable
- and prohibits nonsensical inputs.
-
- User names and passwords should be protected from eavesdropping.
-
- General "stringprep" and Unicode security considerations apply. Both
- are discussed in [StringPrep].
-
-5. IANA Considerations
-
- This document details the "SASLprep" profile of the [StringPrep]
- protocol. This profile has been registered in the stringprep profile
- registry.
-
- Name of this profile: SASLprep
- RFC in which the profile is defined: RFC 4013
- Indicator whether or not this is the newest version of the
- profile: This is the first version of the SASPprep profile.
-
-6. Acknowledgement
-
- This document borrows text from "Preparation of Internationalized
- Strings ('stringprep')" and "Nameprep: A Stringprep Profile for
- Internationalized Domain Names", both by Paul Hoffman and Marc
- Blanchet. This document is a product of the IETF SASL WG.
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4013 SASLprep February 2005
-
-
-7. Normative References
-
- [StringPrep] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ("stringprep")", RFC 3454,
- December 2002.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version
- 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
- 61633-5), as amended by the "Unicode Standard Annex
- #27: Unicode 3.1"
- (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
-8. Informative References
-
- [Glossary] The Unicode Consortium, "Unicode Glossary",
- <http://www.unicode.org/glossary/>.
-
- [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
- #17, Character Encoding Model", UTR17,
- <http://www.unicode.org/unicode/reports/tr17/>, August
- 2000.
-
- [SASL] Melnikov, A., Ed., "Simple Authentication and Security
- Layer (SASL)", Work in Progress.
-
- [CRAM-MD5] Nerenberg, L., "The CRAM-MD5 SASL Mechanism", Work in
- Progress.
-
- [DIGEST-MD5] Leach, P., Newman, C., and A. Melnikov, "Using Digest
- Authentication as a SASL Mechanism", Work in Progress.
-
- [PLAIN] Zeilenga, K., Ed., "The Plain SASL Mechanism", Work in
- Progress.
-
- [PR29] "Public Review Issue #29: Normalization Issue",
- <http://www.unicode.org/review/pr-29.html>, February
- 2004.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4013 SASLprep February 2005
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the IETF's procedures with respect to rights in IETF Documents can
- be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr at ietf.org.
-
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
Deleted: branches/samba/upstream/source4/heimdal/lib/wind/rfc4518.txt
===================================================================
--- branches/samba/upstream/source4/heimdal/lib/wind/rfc4518.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/heimdal/lib/wind/rfc4518.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,787 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4518 OpenLDAP Foundation
-Category: Standards Track June 2006
-
-
- Lightweight Directory Access Protocol (LDAP):
- Internationalized String Preparation
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- The previous Lightweight Directory Access Protocol (LDAP) technical
- specifications did not precisely define how character string matching
- is to be performed. This led to a number of usability and
- interoperability problems. This document defines string preparation
- algorithms for character-based matching rules defined for use in
- LDAP.
-
-1. Introduction
-
-1.1. Background
-
- A Lightweight Directory Access Protocol (LDAP) [RFC4510] matching
- rule [RFC4517] defines an algorithm for determining whether a
- presented value matches an attribute value in accordance with the
- criteria defined for the rule. The proposition may be evaluated to
- True, False, or Undefined.
-
- True - the attribute contains a matching value,
-
- False - the attribute contains no matching value,
-
- Undefined - it cannot be determined whether the attribute contains
- a matching value.
-
-
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- For instance, the caseIgnoreMatch matching rule may be used to
- compare whether the commonName attribute contains a particular value
- without regard for case and insignificant spaces.
-
-1.2. X.500 String Matching Rules
-
- "X.520: Selected attribute types" [X.520] provides (among other
- things) value syntaxes and matching rules for comparing values
- commonly used in the directory [X.500]. These specifications are
- inadequate for strings composed of Unicode [Unicode] characters.
-
- The caseIgnoreMatch matching rule [X.520], for example, is simply
- defined as being a case-insensitive comparison where insignificant
- spaces are ignored. For printableString, there is only one space
- character and case mapping is bijective, hence this definition is
- sufficient. However, for Unicode string types such as
- universalString, this is not sufficient. For example, a case-
- insensitive matching implementation that folded lowercase characters
- to uppercase would yield different results than an implementation
- that used uppercase to lowercase folding. Or one implementation may
- view space as referring to only SPACE (U+0020), a second
- implementation may view any character with the space separator (Zs)
- property as a space, and another implementation may view any
- character with the whitespace (WS) category as a space.
-
- The lack of precise specification for character string matching has
- led to significant interoperability problems. When used in
- certificate chain validation, security vulnerabilities can arise. To
- address these problems, this document defines precise algorithms for
- preparing character strings for matching.
-
-1.3. Relationship to "stringprep"
-
- The character string preparation algorithms described in this
- document are based upon the "stringprep" approach [RFC3454]. In
- "stringprep", presented and stored values are first prepared for
- comparison so that a character-by-character comparison yields the
- "correct" result.
-
- The approach used here is a refinement of the "stringprep" [RFC3454]
- approach. Each algorithm involves two additional preparation steps.
-
- a) Prior to applying the Unicode string preparation steps outlined in
- "stringprep", the string is transcoded to Unicode.
-
- b) After applying the Unicode string preparation steps outlined in
- "stringprep", the string is modified to appropriately handle
- characters insignificant to the matching rule.
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- Hence, preparation of character strings for X.500 [X.500] matching
- [X.501] involves the following steps:
-
- 1) Transcode
- 2) Map
- 3) Normalize
- 4) Prohibit
- 5) Check Bidi (Bidirectional)
- 6) Insignificant Character Handling
-
- These steps are described in Section 2.
-
- It is noted that while various tables of Unicode characters included
- or referenced by this specification are derived from Unicode
- [Unicode] data, these tables are to be considered definitive for the
- purpose of implementing this specification.
-
-1.4. Relationship to the LDAP Technical Specification
-
- This document is an integral part of the LDAP technical specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification [RFC3377] in its entirety.
-
- This document details new LDAP internationalized character string
- preparation algorithms used by [RFC4517] and possible other technical
- specifications defining LDAP syntaxes and/or matching rules.
-
-1.5. Relationship to X.500
-
- LDAP is defined [RFC4510] in X.500 terms as an X.500 access
- mechanism. As such, there is a strong desire for alignment between
- LDAP and X.500 syntax and semantics. The character string
- preparation algorithms described in this document are based upon
- "Internationalized String Matching Rules for X.500" [XMATCH] proposal
- to ITU/ISO Joint Study Group 2.
-
-1.6. Conventions and Terms
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
- Character names in this document use the notation for code points and
- names from the Unicode Standard [Unicode]. For example, the letter
- "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
- In the lists of mappings and the prohibited characters, the "U+" is
-
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- left off to make the lists easier to read. The comments for
- character ranges are shown in square brackets (such as "[CONTROL
- CHARACTERS]") and do not come from the standard.
-
- Note: a glossary of terms used in Unicode can be found in [Glossary].
- Information on the Unicode character encoding model can be found in
- [CharModel].
-
- The term "combining mark", as used in this specification, refers to
- any Unicode [Unicode] code point that has a mark property (Mn, Mc,
- Me). Appendix A provides a definitive list of combining marks.
-
-2. String Preparation
-
- The following six-step process SHALL be applied to each presented and
- attribute value in preparation for character string matching rule
- evaluation.
-
- 1) Transcode
- 2) Map
- 3) Normalize
- 4) Prohibit
- 5) Check bidi
- 6) Insignificant Character Handling
-
- Failure in any step causes the assertion to evaluate to Undefined.
-
- The character repertoire of this process is Unicode 3.2 [Unicode].
-
- Note that this six-step process specification is intended to describe
- expected matching behavior. Implementations are free to use
- alternative processes so long as the matching rule evaluation
- behavior provided is consistent with the behavior described by this
- specification.
-
-2.1. Transcode
-
- Each non-Unicode string value is transcoded to Unicode.
-
- PrintableString [X.680] values are transcoded directly to Unicode.
-
- UniversalString, UTF8String, and bmpString [X.680] values need not be
- transcoded as they are Unicode-based strings (in the case of
- bmpString, a subset of Unicode).
-
- TeletexString [X.680] values are transcoded to Unicode. As there is
- no standard for mapping TeletexString values to Unicode, the mapping
- is left a local matter.
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- For these and other reasons, use of TeletexString is NOT RECOMMENDED.
-
- The output is the transcoded string.
-
-2.2. Map
-
- SOFT HYPHEN (U+00AD) and MONGOLIAN TODO SOFT HYPHEN (U+1806) code
- points are mapped to nothing. COMBINING GRAPHEME JOINER (U+034F) and
- VARIATION SELECTORs (U+180B-180D, FF00-FE0F) code points are also
- mapped to nothing. The OBJECT REPLACEMENT CHARACTER (U+FFFC) is
- mapped to nothing.
-
- CHARACTER TABULATION (U+0009), LINE FEED (LF) (U+000A), LINE
- TABULATION (U+000B), FORM FEED (FF) (U+000C), CARRIAGE RETURN (CR)
- (U+000D), and NEXT LINE (NEL) (U+0085) are mapped to SPACE (U+0020).
-
- All other control code (e.g., Cc) points or code points with a
- control function (e.g., Cf) are mapped to nothing. The following is
- a complete list of these code points: U+0000-0008, 000E-001F, 007F-
- 0084, 0086-009F, 06DD, 070F, 180E, 200C-200F, 202A-202E, 2060-2063,
- 206A-206F, FEFF, FFF9-FFFB, 1D173-1D17A, E0001, E0020-E007F.
-
- ZERO WIDTH SPACE (U+200B) is mapped to nothing. All other code
- points with Separator (space, line, or paragraph) property (e.g., Zs,
- Zl, or Zp) are mapped to SPACE (U+0020). The following is a complete
- list of these code points: U+0020, 00A0, 1680, 2000-200A, 2028-2029,
- 202F, 205F, 3000.
-
- For case ignore, numeric, and stored prefix string matching rules,
- characters are case folded per B.2 of [RFC3454].
-
- The output is the mapped string.
-
-2.3. Normalize
-
- The input string is to be normalized to Unicode Form KC
- (compatibility composed) as described in [UAX15]. The output is the
- normalized string.
-
-2.4. Prohibit
-
- All Unassigned code points are prohibited. Unassigned code points
- are listed in Table A.1 of [RFC3454].
-
- Characters that, per Section 5.8 of [RFC3454], change display
- properties or are deprecated are prohibited. These characters are
- listed in Table C.8 of [RFC3454].
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- Private Use code points are prohibited. These characters are listed
- in Table C.3 of [RFC3454].
-
- All non-character code points are prohibited. These code points are
- listed in Table C.4 of [RFC3454].
-
- Surrogate codes are prohibited. These characters are listed in Table
- C.5 of [RFC3454].
-
- The REPLACEMENT CHARACTER (U+FFFD) code point is prohibited.
-
- The step fails if the input string contains any prohibited code
- point. Otherwise, the output is the input string.
-
-2.5. Check bidi
-
- Bidirectional characters are ignored.
-
-2.6. Insignificant Character Handling
-
- In this step, the string is modified to ensure proper handling of
- characters insignificant to the matching rule. This modification
- differs from matching rule to matching rule.
-
- Section 2.6.1 applies to case ignore and exact string matching.
- Section 2.6.2 applies to numericString matching.
- Section 2.6.3 applies to telephoneNumber matching.
-
-2.6.1. Insignificant Space Handling
-
- For the purposes of this section, a space is defined to be the SPACE
- (U+0020) code point followed by no combining marks.
-
- NOTE - The previous steps ensure that the string cannot contain
- any code points in the separator class, other than SPACE
- (U+0020).
-
- For input strings that are attribute values or non-substring
- assertion values: If the input string contains no non-space
- character, then the output is exactly two SPACEs. Otherwise (the
- input string contains at least one non-space character), the string
- is modified such that the string starts with exactly one space
- character, ends with exactly one SPACE character, and any inner
- (non-empty) sequence of space characters is replaced with exactly two
- SPACE characters. For instance, the input strings
- "foo<SPACE>bar<SPACE><SPACE>", result in the output
- "<SPACE>foo<SPACE><SPACE>bar<SPACE>".
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- For input strings that are substring assertion values: If the string
- being prepared contains no non-space characters, then the output
- string is exactly one SPACE. Otherwise, the following steps are
- taken:
-
- - If the input string is an initial substring, it is modified to
- start with exactly one SPACE character;
-
- - If the input string is an initial or an any substring that ends in
- one or more space characters, it is modified to end with exactly
- one SPACE character;
-
- - If the input string is an any or a final substring that starts in
- one or more space characters, it is modified to start with exactly
- one SPACE character; and
-
- - If the input string is a final substring, it is modified to end
- with exactly one SPACE character.
-
- For instance, for the input string "foo<SPACE>bar<SPACE><SPACE>" as
- an initial substring, the output would be
- "<SPACE>foo<SPACE><SPACE>bar<SPACE>". As an any or final substring,
- the same input would result in "foo<SPACE>bar<SPACE>".
-
- Appendix B discusses the rationale for the behavior.
-
-2.6.2. numericString Insignificant Character Handling
-
- For the purposes of this section, a space is defined to be the SPACE
- (U+0020) code point followed by no combining marks.
-
- All spaces are regarded as insignificant and are to be removed.
-
- For example, removal of spaces from the Form KC string:
- "<SPACE><SPACE>123<SPACE><SPACE>456<SPACE><SPACE>"
- would result in the output string:
- "123456"
- and the Form KC string:
- "<SPACE><SPACE><SPACE>"
- would result in the output string:
- "" (an empty string).
-
-2.6.3. telephoneNumber Insignificant Character Handling
-
- For the purposes of this section, a hyphen is defined to be a
- HYPHEN-MINUS (U+002D), ARMENIAN HYPHEN (U+058A), HYPHEN (U+2010),
- NON-BREAKING HYPHEN (U+2011), MINUS SIGN (U+2212), SMALL HYPHEN-MINUS
- (U+FE63), or FULLWIDTH HYPHEN-MINUS (U+FF0D) code point followed by
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- no combining marks and a space is defined to be the SPACE (U+0020)
- code point followed by no combining marks.
-
- All hyphens and spaces are considered insignificant and are to be
- removed.
-
- For example, removal of hyphens and spaces from the Form KC string:
- "<SPACE><HYPHEN>123<SPACE><SPACE>456<SPACE><HYPHEN>"
- would result in the output string:
- "123456"
- and the Form KC string:
- "<HYPHEN><HYPHEN><HYPHEN>"
- would result in the (empty) output string:
- "".
-
-3. Security Considerations
-
- "Preparation of Internationalized Strings ("stringprep")" [RFC3454]
- security considerations generally apply to the algorithms described
- here.
-
-4. Acknowledgements
-
- The approach used in this document is based upon design principles
- and algorithms described in "Preparation of Internationalized Strings
- ('stringprep')" [RFC3454] by Paul Hoffman and Marc Blanchet. Some
- additional guidance was drawn from Unicode Technical Standards,
- Technical Reports, and Notes.
-
- This document is a product of the IETF LDAP Revision (LDAPBIS)
- Working Group.
-
-5. References
-
-5.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ("stringprep")", RFC 3454,
- December 2002.
-
- [RFC4510] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510,
- June 2006.
-
-
-
-
-
-Zeilenga Standards Track [Page 8]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version
- 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
- 61633-5), as amended by the "Unicode Standard Annex
- #27: Unicode 3.1"
- (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
- [UAX15] Davis, M. and M. Duerst, "Unicode Standard Annex #15:
- Unicode Normalization Forms, Version 3.2.0".
- <http://www.unicode.org/unicode/reports/tr15/tr15-
- 22.html>, March 2002.
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
-
-5.2. Informative References
-
- [X.500] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Overview of concepts, models and
- services," X.500(1993) (also ISO/IEC 9594-1:1994).
-
- [X.501] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Models," X.501(1993) (also ISO/IEC 9594-
- 2:1994).
-
- [X.520] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory: Selected Attribute Types", X.520(1993) (also
- ISO/IEC 9594-6:1994).
-
- [Glossary] The Unicode Consortium, "Unicode Glossary",
- <http://www.unicode.org/glossary/>.
-
- [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
- #17, Character Encoding Model", UTR17,
- <http://www.unicode.org/unicode/reports/tr17/>, August
- 2000.
-
-
-
-
-Zeilenga Standards Track [Page 9]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
- Protocol (v3): Technical Specification", RFC 3377,
- September 2002.
-
- [RFC4515] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): String Representation of Search
- Filters", RFC 4515, June 2006.
-
- [XMATCH] Zeilenga, K., "Internationalized String Matching Rules
- for X.500", Work in Progress.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 10]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
-Appendix A. Combining Marks
-
- This appendix is normative.
-
- This table was derived from Unicode [Unicode] data files; it lists
- all code points with the Mn, Mc, or Me properties. This table is to
- be considered definitive for the purposes of implementation of this
- specification.
-
- 0300-034F 0360-036F 0483-0486 0488-0489 0591-05A1
- 05A3-05B9 05BB-05BC 05BF 05C1-05C2 05C4 064B-0655 0670
- 06D6-06DC 06DE-06E4 06E7-06E8 06EA-06ED 0711 0730-074A
- 07A6-07B0 0901-0903 093C 093E-094F 0951-0954 0962-0963
- 0981-0983 09BC 09BE-09C4 09C7-09C8 09CB-09CD 09D7
- 09E2-09E3 0A02 0A3C 0A3E-0A42 0A47-0A48 0A4B-0A4D
- 0A70-0A71 0A81-0A83 0ABC 0ABE-0AC5 0AC7-0AC9 0ACB-0ACD
- 0B01-0B03 0B3C 0B3E-0B43 0B47-0B48 0B4B-0B4D 0B56-0B57
- 0B82 0BBE-0BC2 0BC6-0BC8 0BCA-0BCD 0BD7 0C01-0C03
- 0C3E-0C44 0C46-0C48 0C4A-0C4D 0C55-0C56 0C82-0C83
- 0CBE-0CC4 0CC6-0CC8 0CCA-0CCD 0CD5-0CD6 0D02-0D03
- 0D3E-0D43 0D46-0D48 0D4A-0D4D 0D57 0D82-0D83 0DCA
- 0DCF-0DD4 0DD6 0DD8-0DDF 0DF2-0DF3 0E31 0E34-0E3A
- 0E47-0E4E 0EB1 0EB4-0EB9 0EBB-0EBC 0EC8-0ECD 0F18-0F19
- 0F35 0F37 0F39 0F3E-0F3F 0F71-0F84 0F86-0F87 0F90-0F97
- 0F99-0FBC 0FC6 102C-1032 1036-1039 1056-1059 1712-1714
- 1732-1734 1752-1753 1772-1773 17B4-17D3 180B-180D 18A9
- 20D0-20EA 302A-302F 3099-309A FB1E FE00-FE0F FE20-FE23
- 1D165-1D169 1D16D-1D172 1D17B-1D182 1D185-1D18B
- 1D1AA-1D1AD
-
-Appendix B. Substrings Matching
-
- This appendix is non-normative.
-
- In the absence of substrings matching, the insignificant space
- handling for case ignore/exact matching could be simplified.
- Specifically, the handling could be to require that all sequences of
- one or more spaces be replaced with one space and, if the string
- contains non-space characters, removal of all leading spaces and
- trailing spaces.
-
- In the presence of substrings matching, this simplified space
- handling would lead to unexpected and undesirable matching behavior.
- For instance:
-
- 1) (CN=foo\20*\20bar) would match the CN value "foobar";
-
-
-
-
-
-Zeilenga Standards Track [Page 11]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- 2) (CN=*\20foobar\20*) would match "foobar", but
- (CN=*\20*foobar*\20*) would not.
-
- Note to readers not familiar with LDAP substrings matching: the LDAP
- filter [RFC4515] assertion (CN=A*B*C) says to "match any value (of
- the attribute CN) that begins with A, contains B after A, ends with C
- where C is also after B."
-
- The first case illustrates that this simplified space handling would
- cause leading and trailing spaces in substrings of the string to be
- regarded as insignificant. However, only leading and trailing (as
- well as multiple consecutive spaces) of the string (as a whole) are
- insignificant.
-
- The second case illustrates that this simplified space handling would
- cause sub-partitioning failures. That is, if a prepared any
- substring matches a partition of the attribute value, then an
- assertion constructed by subdividing that substring into multiple
- substrings should also match.
-
- In designing an appropriate approach for space handling for
- substrings matching, one must study key aspects of X.500 case
- exact/ignore matching. X.520 [X.520] says:
-
- The [substrings] rule returns TRUE if there is a partitioning of
- the attribute value (into portions) such that:
-
- - the specified substrings (initial, any, final) match
- different portions of the value in the order of the strings
- sequence;
-
- - initial, if present, matches the first portion of the value;
-
- - final, if present, matches the last portion of the value;
-
- - any, if present, matches some arbitrary portion of the
- value.
-
- That is, the substrings assertion (CN=foo\20*\20bar) matches the
- attribute value "foo<SPACE><SPACE>bar" as the value can be
- partitioned into the portions "foo<SPACE>" and "<SPACE>bar" meeting
- the above requirements.
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 12]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- X.520 also says:
-
- [T]he following spaces are regarded as not significant:
-
- - leading spaces (i.e., those preceding the first character
- that is not a space);
-
- - trailing spaces (i.e., those following the last character
- that is not a space);
-
- - multiple consecutive spaces (these are taken as equivalent
- to a single space character).
-
- This statement applies to the assertion values and attribute values
- as whole strings, and not individually to substrings of an assertion
- value. In particular, the statements should be taken to mean that if
- an assertion value and attribute value match without any
- consideration to insignificant characters, then that assertion value
- should also match any attribute value that differs only by inclusion
- nor removal of insignificant characters.
-
- Hence the assertion (CN=foo\20*\20bar) matches
- "foo<SPACE><SPACE><SPACE>bar" and "foo<SPACE>bar" as these values
- only differ from "foo<SPACE><SPACE>bar" by the inclusion or removal
- of insignificant spaces.
-
- Astute readers of this text will also note that there are special
- cases where the specified space handling does not ignore spaces that
- could be considered insignificant. For instance, the assertion
- (CN=\20*\20*\20) does not match "<SPACE><SPACE><SPACE>"
- (insignificant spaces present in value) or " " (insignificant spaces
- not present in value). However, as these cases have no practical
- application that cannot be met by simple assertions, e.g., (cn=\20),
- and this minor anomaly can only be fully addressed by a preparation
- algorithm to be used in conjunction with character-by-character
- partitioning and matching, the anomaly is considered acceptable.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 13]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 14]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc2307.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc2307.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc2307.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1179 +0,0 @@
-
-
-
-
-
-
-Network Working Group L. Howard
-Request for Comments: 2307 Independent Consultant
-Category: Experimental March 1998
-
-
- An Approach for Using LDAP as a Network Information Service
-
-Status of this Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. It does not specify an Internet standard of any kind.
- Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
-Abstract
-
- This document describes an experimental mechanism for mapping
- entities related to TCP/IP and the UNIX system into X.500 [X500]
- entries so that they may be resolved with the Lightweight Directory
- Access Protocol [RFC2251]. A set of attribute types and object
- classes are proposed, along with specific guidelines for interpreting
- them.
-
- The intention is to assist the deployment of LDAP as an
- organizational nameservice. No proposed solutions are intended as
- standards for the Internet. Rather, it is hoped that a general
- consensus will emerge as to the appropriate solution to such
- problems, leading eventually to the adoption of standards. The
- proposed mechanism has already been implemented with some success.
-
-1. Background and Motivation
-
- The UNIX (R) operating system, and its derivatives (specifically,
- those which support TCP/IP and conform to the X/Open Single UNIX
- specification [XOPEN]) require a means of looking up entities, by
- matching them against search criteria or by enumeration. (Other
- operating systems that support TCP/IP may provide some means of
- resolving some of these entities. This schema is applicable to those
- environments also.)
-
- These entities include users, groups, IP services (which map names to
- IP ports and protocols, and vice versa), IP protocols (which map
- names to IP protocol numbers and vice versa), RPCs (which map names
- to ONC Remote Procedure Call [RFC1057] numbers and vice versa), NIS
-
-
-
-Howard Experimental [Page 1]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- netgroups, booting information (boot parameters and MAC address
- mappings), filesystem mounts, IP hosts and networks, and RFC822 mail
- aliases.
-
- Resolution requests are made through a set of C functions, provided
- in the UNIX system's C library. For example, the UNIX system utility
- "ls", which enumerates the contents of a filesystem directory, uses
- the C library function getpwuid() in order to map user IDs to login
- names. Once the request is made, it is resolved using a "nameservice"
- which is supported by the client library. The nameservice may be, at
- its simplest, a collection of files in the local filesystem which are
- opened and searched by the C library. Other common nameservices
- include the Network Information Service (NIS) and the Domain Name
- System (DNS). (The latter is typically used for resolving hosts,
- services and networks.) Both these nameservices have the advantage of
- being distributed and thus permitting a common set of entities to be
- shared amongst many clients.
-
- LDAP is a distributed, hierarchical directory service access protocol
- which is used to access repositories of users and other network-
- related entities. Because LDAP is often not tightly integrated with
- the host operating system, information such as users may need to be
- kept both in LDAP and in an operating system supported nameservice
- such as NIS. By using LDAP as the the primary means of resolving
- these entities, these redundancy issues are minimized and the
- scalability of LDAP can be exploited. (By comparison, NIS services
- based on flat files do not have the scalability or extensibility of
- LDAP or X.500.)
-
- The object classes and attributes defined below are suitable for
- representing the aforementioned entities in a form compatible with
- LDAP and X.500 directory services.
-
-2. General Issues
-
-2.1. Terminology
-
- The key words "MUST", "SHOULD", and "MAY" used in this document are
- to be interpreted as described in [RFC2119].
-
- For the purposes of this document, the term "nameservice" refers to a
- service, such as NIS or flat files, that is used by the operating
- system to resolve entities within a single, local naming context.
- Contrast this with a "directory service" such as LDAP, which supports
- extensible schema and multiple naming contexts.
-
-
-
-
-
-
-Howard Experimental [Page 2]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- The term "NIS-related entities" broadly refers to entities which are
- typically resolved using the Network Information Service. (NIS was
- previously known as YP.) Deploying LDAP for resolving these entities
- does not imply that NIS be used, as a gateway or otherwise. In
- particular, the host and network classes are generically applicable,
- and may be implemented on any system that wishes to use LDAP or X.500
- for host and network resolution.
-
- The "DUA" (directory user agent) refers to the LDAP client querying
- these entities, such as an LDAP to NIS gateway or the C library. The
- "client" refers to the application which ultimately makes use of the
- information returned by the resolution. It is irrelevant whether the
- DUA and the client reside within the same address space. The act of
- the DUA making this information to the client is termed
- "republishing".
-
- To avoid confusion, the term "login name" refers to the user's login
- name (being the value of the uid attribute) and the term "user ID"
- refers to he user's integer identification number (being the value of
- the uidNumber attribute).
-
- The phrases "resolving an entity" and "resolution of entities" refer
- respectively to enumerating NIS-related entities of a given type, and
- matching them against a given search criterion. One or more entities
- are returned as a result of successful "resolutions" (a "match"
- operation will only return one entity).
-
- The use of the term UNIX does not confer upon this schema the
- endorsement of owners of the UNIX trademark. Where necessary, the
- term "TCP/IP entity" is used to refer to protocols, services, hosts,
- and networks, and the term "UNIX entity" to its complement. (The
- former category does not mandate the host operating system supporting
- the interfaces required for resolving UNIX entities.)
-
- The OIDs defined below are derived from iso(1) org(3) dod(6)
- internet(1) directory(1) nisSchema(1).
-
-2.2. Attributes
-
- The attributes and classes defined in this document are summarized
- below.
-
- The following attributes are defined in this document:
-
- uidNumber
- gidNumber
- gecos
- homeDirectory
-
-
-
-Howard Experimental [Page 3]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- loginShell
- shadowLastChange
- shadowMin
- shadowMax
- shadowWarning
- shadowInactive
- shadowExpire
- shadowFlag
- memberUid
- memberNisNetgroup
- nisNetgroupTriple
- ipServicePort
- ipServiceProtocol
- ipProtocolNumber
- oncRpcNumber
- ipHostNumber
- ipNetworkNumber
- ipNetmaskNumber
- macAddress
- bootParameter
- bootFile
- nisMapName
- nisMapEntry
-
- Additionally, some of the attributes defined in [RFC2256] are
- required.
-
-2.3. Object classes
-
- The following object classes are defined in this document:
-
- posixAccount
- shadowAccount
- posixGroup
- ipService
- ipProtocol
- oncRpc
- ipHost
- ipNetwork
- nisNetgroup
- nisMap
- nisObject
- ieee802Device
- bootableDevice
-
- Additionally, some of the classes defined in [RFC2256] are required.
-
-
-
-
-
-Howard Experimental [Page 4]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
-2.4. Syntax definitions
-
- The following syntax definitions [RFC2252] are used by this schema.
- The nisNetgroupTripleSyntax represents NIS netgroup triples:
-
- ( nisSchema.0.0 NAME 'nisNetgroupTripleSyntax'
- DESC 'NIS netgroup triple' )
-
- Values in this syntax are represented by the following:
-
- nisnetgrouptriple = "(" hostname "," username "," domainname ")"
- hostname = "" / "-" / keystring
- username = "" / "-" / keystring
- domainname = "" / "-" / keystring
-
- X.500 servers may use the following representation of the above
- syntax:
-
- nisNetgroupTripleSyntax ::= SEQUENCE {
- hostname [0] IA5String OPTIONAL,
- username [1] IA5String OPTIONAL,
- domainname [2] IA5String OPTIONAL
- }
-
- The bootParameterSyntax syntax represents boot parameters:
-
- ( nisSchema.0.1 NAME 'bootParameterSyntax'
- DESC 'Boot parameter' )
-
- where:
-
- bootparameter = key "=" server ":" path
- key = keystring
- server = keystring
- path = keystring
-
- X.500 servers may use the following representation of the above
- syntax:
-
- bootParameterSyntax ::= SEQUENCE {
- key IA5String,
- server IA5String,
- path IA5String
- }
-
- Values adhering to these syntaxes are encoded as strings by LDAP
- servers.
-
-
-
-
-Howard Experimental [Page 5]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
-3. Attribute definitions
-
- This section contains attribute definitions to be implemented by DUAs
- supporting this schema.
-
- ( nisSchema.1.0 NAME 'uidNumber'
- DESC 'An integer uniquely identifying a user in an
- administrative domain'
- EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.1 NAME 'gidNumber'
- DESC 'An integer uniquely identifying a group in an
- administrative domain'
- EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.2 NAME 'gecos'
- DESC 'The GECOS field; the common name'
- EQUALITY caseIgnoreIA5Match
- SUBSTRINGS caseIgnoreIA5SubstringsMatch
- SYNTAX 'IA5String' SINGLE-VALUE )
-
- ( nisSchema.1.3 NAME 'homeDirectory'
- DESC 'The absolute path to the home directory'
- EQUALITY caseExactIA5Match
- SYNTAX 'IA5String' SINGLE-VALUE )
-
- ( nisSchema.1.4 NAME 'loginShell'
- DESC 'The path to the login shell'
- EQUALITY caseExactIA5Match
- SYNTAX 'IA5String' SINGLE-VALUE )
-
- ( nisSchema.1.5 NAME 'shadowLastChange'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.6 NAME 'shadowMin'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.7 NAME 'shadowMax'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.8 NAME 'shadowWarning'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.9 NAME 'shadowInactive'
-
-
-
-Howard Experimental [Page 6]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.10 NAME 'shadowExpire'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.11 NAME 'shadowFlag'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.12 NAME 'memberUid'
- EQUALITY caseExactIA5Match
- SUBSTRINGS caseExactIA5SubstringsMatch
- SYNTAX 'IA5String' )
-
- ( nisSchema.1.13 NAME 'memberNisNetgroup'
- EQUALITY caseExactIA5Match
- SUBSTRINGS caseExactIA5SubstringsMatch
- SYNTAX 'IA5String' )
-
- ( nisSchema.1.14 NAME 'nisNetgroupTriple'
- DESC 'Netgroup triple'
- SYNTAX 'nisNetgroupTripleSyntax' )
-
- ( nisSchema.1.15 NAME 'ipServicePort'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.16 NAME 'ipServiceProtocol'
- SUP name )
-
- ( nisSchema.1.17 NAME 'ipProtocolNumber'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.18 NAME 'oncRpcNumber'
- EQUALITY integerMatch
- SYNTAX 'INTEGER' SINGLE-VALUE )
-
- ( nisSchema.1.19 NAME 'ipHostNumber'
- DESC 'IP address as a dotted decimal, eg. 192.168.1.1,
- omitting leading zeros'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 'IA5String{128}' )
-
- ( nisSchema.1.20 NAME 'ipNetworkNumber'
- DESC 'IP network as a dotted decimal, eg. 192.168,
-
-
-
-Howard Experimental [Page 7]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- omitting leading zeros'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 'IA5String{128}' SINGLE-VALUE )
-
- ( nisSchema.1.21 NAME 'ipNetmaskNumber'
- DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
- omitting leading zeros'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 'IA5String{128}' SINGLE-VALUE )
-
- ( nisSchema.1.22 NAME 'macAddress'
- DESC 'MAC address in maximal, colon separated hex
- notation, eg. 00:00:92:90:ee:e2'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 'IA5String{128}' )
-
- ( nisSchema.1.23 NAME 'bootParameter'
- DESC 'rpc.bootparamd parameter'
- SYNTAX 'bootParameterSyntax' )
-
- ( nisSchema.1.24 NAME 'bootFile'
- DESC 'Boot image name'
- EQUALITY caseExactIA5Match
- SYNTAX 'IA5String' )
-
- ( nisSchema.1.26 NAME 'nisMapName'
- SUP name )
-
- ( nisSchema.1.27 NAME 'nisMapEntry'
- EQUALITY caseExactIA5Match
- SUBSTRINGS caseExactIA5SubstringsMatch
- SYNTAX 'IA5String{1024}' SINGLE-VALUE )
-
-4. Class definitions
-
- This section contains class definitions to be implemented by DUAs
- supporting the schema.
-
- The rfc822MailGroup object class MAY be used to represent a mail
- group for the purpose of alias expansion. Several alternative schemes
- for mail routing and delivery using LDAP directories, which are
- outside the scope of this document.
-
- ( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY
- DESC 'Abstraction of an account with POSIX attributes'
- MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
- MAY ( userPassword $ loginShell $ gecos $ description ) )
-
-
-
-
-Howard Experimental [Page 8]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- ( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY
- DESC 'Additional attributes for shadow passwords'
- MUST uid
- MAY ( userPassword $ shadowLastChange $ shadowMin
- shadowMax $ shadowWarning $ shadowInactive $
- shadowExpire $ shadowFlag $ description ) )
-
- ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL
- DESC 'Abstraction of a group of accounts'
- MUST ( cn $ gidNumber )
- MAY ( userPassword $ memberUid $ description ) )
-
- ( nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL
- DESC 'Abstraction an Internet Protocol service.
- Maps an IP port and protocol (such as tcp or udp)
- to one or more names; the distinguished value of
- the cn attribute denotes the service's canonical
- name'
- MUST ( cn $ ipServicePort $ ipServiceProtocol )
- MAY ( description ) )
-
- ( nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
- DESC 'Abstraction of an IP protocol. Maps a protocol number
- to one or more names. The distinguished value of the cn
- attribute denotes the protocol's canonical name'
- MUST ( cn $ ipProtocolNumber $ description )
- MAY description )
-
- ( nisSchema.2.5 NAME 'oncRpc' SUP top STRUCTURAL
- DESC 'Abstraction of an Open Network Computing (ONC)
- [RFC1057] Remote Procedure Call (RPC) binding.
- This class maps an ONC RPC number to a name.
- The distinguished value of the cn attribute denotes
- the RPC service's canonical name'
- MUST ( cn $ oncRpcNumber $ description )
- MAY description )
-
- ( nisSchema.2.6 NAME 'ipHost' SUP top AUXILIARY
-
- DESC 'Abstraction of a host, an IP device. The distinguished
- value of the cn attribute denotes the host's canonical
- name. Device SHOULD be used as a structural class'
- MUST ( cn $ ipHostNumber )
- MAY ( l $ description $ manager ) )
-
- ( nisSchema.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
- DESC 'Abstraction of a network. The distinguished value of
- the cn attribute denotes the network's canonical name'
-
-
-
-Howard Experimental [Page 9]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- MUST ( cn $ ipNetworkNumber )
- MAY ( ipNetmaskNumber $ l $ description $ manager ) )
-
- ( nisSchema.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
- DESC 'Abstraction of a netgroup. May refer to other netgroups'
- MUST cn
- MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
-
- ( nisSchema.2.09 NAME 'nisMap' SUP top STRUCTURAL
- DESC 'A generic abstraction of a NIS map'
- MUST nisMapName
- MAY description )
-
- ( nisSchema.2.10 NAME 'nisObject' SUP top STRUCTURAL
- DESC 'An entry in a NIS map'
- MUST ( cn $ nisMapEntry $ nisMapName )
- MAY description )
-
- ( nisSchema.2.11 NAME 'ieee802Device' SUP top AUXILIARY
- DESC 'A device with a MAC address; device SHOULD be
- used as a structural class'
- MAY macAddress )
-
- ( nisSchema.2.12 NAME 'bootableDevice' SUP top AUXILIARY
- DESC 'A device with boot parameters; device SHOULD be
- used as a structural class'
- MAY ( bootFile $ bootParameter ) )
-
-5. Implementation details
-
-5.1. Suggested resolution methods
-
- The preferred means of directing a client application (one using the
- shared services of the C library) to use LDAP as its information
- source for the functions listed in 5.2 is to modify the source code
- to directly query LDAP. As the source to commercial C libraries and
- applications is rarely available to the end-user, one could emulate a
- supported nameservice (such as NIS). (This is also an appropriate
- opportunity to perform caching of entries across process address
- spaces.) In the case of NIS, reference implementations are widely
- available and the RPC interface is well known.
-
- The means by which the operating system is directed to use LDAP is
- implementation dependent. For example, some operating systems and C
- libraries support end-user extensible resolvers using dynamically
- loadable libraries and a nameservice "switch". The means in which the
- DUA locates LDAP servers is also implementation dependent.
-
-
-
-
-Howard Experimental [Page 10]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
-5.2. Affected library functions
-
- The following functions are typically found in the C libraries of
- most UNIX and POSIX compliant systems. An LDAP search filter
- [RFC2254] which may be used to satisfy the function call is included
- alongside each function name. Parameters are denoted by %s and %d for
- string and integer arguments, respectively. Long lines are broken.
-
- getpwnam() (&(objectClass=posixAccount)(uid=%s))
- getpwuid() (&(objectClass=posixAccount)
- (uidNumber=%d))
- getpwent() (objectClass=posixAccount)
-
- getspnam() (&(objectClass=shadowAccount)(uid=%s))
- getspent() (objectClass=shadowAccount)
-
- getgrnam() (&(objectClass=posixGroup)(cn=%s))
- getgrgid() (&(objectClass=posixGroup)
- (gidNumber=%d))
- getgrent() (objectClass=posixGroup)
-
- getservbyname() (&(objectClass=ipService)
- (cn=%s)(ipServiceProtocol=%s))
- getservbyport() (&(objectClass=ipService)
- (ipServicePort=%d)
- (ipServiceProtocol=%s))
- getservent() (objectClass=ipService)
-
- getrpcbyname() (&(objectClass=oncRpc)(cn=%s))
- getrpcbynumber() (&(objectClass=oncRpc)(oncRpcNumber=%d))
- getrpcent() (objectClass=oncRpc)
-
- getprotobyname() (&(objectClass=ipProtocol)(cn=%s))
- getprotobynumber() (&(objectClass=ipProtocol)
- (ipProtocolNumber=%d))
- getprotoent() (objectClass=ipProtocol)
-
- gethostbyname() (&(objectClass=ipHost)(cn=%s))
- gethostbyaddr() (&(objectClass=ipHost)(ipHostNumber=%s))
- gethostent() (objectClass=ipHost)
-
- getnetbyname() (&(objectClass=ipNetwork)(cn=%s))
- getnetbyaddr() (&(objectClass=ipNetwork)
- (ipNetworkNumber=%s))
- getnetent() (objectClass=ipNetwork)
-
- setnetgrent() (&(objectClass=nisNetgroup)(cn=%s))
-
-
-
-
-Howard Experimental [Page 11]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
-5.3. Interpreting user and group entries
-
- User and group resolution is initiated by the functions prefixed by
- getpw and getgr respectively. The uid attribute contains the user's
- login name. The cn attribute, in posixGroup entries, contains the
- group's name.
-
- The account object class provides a convenient structural class for
- posixAccount, and SHOULD be used where additional attributes are not
- required.
-
- It is suggested that uid and cn are used as the RDN attribute type
- for posixAccount and posixGroup entries, respectively.
-
- An account's GECOS field is preferably determined by a value of the
- gecos attribute. If no gecos attribute exists, the value of the cn
- attribute MUST be used. (The existence of the gecos attribute allows
- information embedded in the GECOS field, such as a user's telephone
- number, to be returned to the client without overloading the cn
- attribute. It also accommodates directories where the common name
- does not contain the user's full name.)
-
- An entry of class posixAccount, posixGroup, or shadowAccount without
- a userPassword attribute MUST NOT be used for authentication. The
- client should be returned a non-matchable password such as "x".
-
- userPassword values MUST be represented by following syntax:
-
- passwordvalue = schemeprefix encryptedpassword
- schemeprefix = "{" scheme "}"
- scheme = "crypt" / "md5" / "sha" / altscheme
- altscheme = "x-" keystring
- encryptedpassword = encrypted password
-
- The encrypted password contains of a plaintext key hashed using the
- algorithm scheme.
-
- userPassword values which do not adhere to this syntax MUST NOT be
- used for authentication. The DUA MUST iterate through the values of
- the attribute until a value matching the above syntax is found. Only
- if encryptedpassword is an empty string does the user have no
- password. DUAs are not required to consider encryption schemes which
- the client will not recognize; in most cases, it may be sufficient to
- consider only "crypt".
-
- Below is an example of a userPassword attribute:
-
- userPassword: {crypt}X5/DBrWPOQQaI
-
-
-
-Howard Experimental [Page 12]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- A future standard may specify LDAP v3 attribute descriptions to
- represent hashed userPasswords, as noted below. This schema MUST NOT
- be used with LDAP v2 DUAs and DSAs.
-
- attributetype = attributename sep attributeoption
- attributename = "userPassword"
- sep = ";"
- attributeoption = schemeclass "-" scheme
- schemeclass = "hash" / altschemeclass
- scheme = "crypt" / "md5" / "sha" / altscheme
- altschemeclass = "x-" keystring
- altscheme = keystring
-
-
- Below is an example of a userPassword attribute, represented with an
- LDAP v3 attribute description:
-
- userPassword;hash-crypt: X5/DBrWPOQQaI
-
-
- A DUA MAY utilise the attributes in the shadowAccount class to
- provide shadow password service (getspnam() and getspent()). In such
- cases, the DUA MUST NOT make use of the userPassword attribute for
- getpwnam() et al, and MUST return a non-matchable password (such as
- "x") to the client instead.
-
-5.4. Interpreting hosts and networks
-
- The ipHostNumber and ipNetworkNumber attributes are defined in
- preference to dNSRecord (defined in [RFC1279]), in order to simplify
- the DUA's role in interpreting entries in the directory. A dNSRecord
- expresses a complete resource record, including time to live and
- class data, which is extraneous to this schema.
-
- Additionally, the ipHost and ipNetwork classes permit a host or
- network (respectively) and all its aliases to be represented by a
- single entry in the directory. This is not necessarily possible if a
- DNS resource record is mapped directly to an LDAP entry.
- Implementations that wish to use LDAP to master DNS zone information
- are not precluded from doing so, and may simply avoid the ipHost and
- ipNetwork classes.
-
- This document redefines, although not exclusively, the ipNetwork
- class defined in [RFC1279], in order to achieve consistent naming
- with ipHost. The ipNetworkNumber attribute is also used in the
- siteContact object class [ROSE].
-
-
-
-
-
-Howard Experimental [Page 13]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- The trailing zeros in a network address MUST be omitted. CIDR-style
- network addresses (eg. 192.168.1/24) MAY be used.
-
- Hosts with IPv6 addresses MUST be written in their "preferred" form
- as defined in section 2.2.1 of [RFC1884], such that all components of
- the address are indicated and leading zeros are omitted. This
- provides a consistent means of resolving ipHosts by address.
-
-5.5. Interpreting other entities
-
- In general, a one-to-one mapping between entities and LDAP entries is
- proposed, in that each entity has exactly one representation in the
- DIT. In some cases this is not feasible; for example, a service which
- is represented in more than one protocol domain. Consider the
- following entry:
-
- dn: cn=domain, dc=aja, dc=com
- cn: domain
- cn: nameserver
- objectClass: top
- objectClass: ipService
- ipServicePort: 53
- ipServiceProtocol: tcp
- ipServiceProtocol: udp
-
- This entry MUST map to the following two (2) services entities:
-
- domain 53/tcp nameserver
- domain 53/udp nameserver
-
- While the above two entities may be represented as separate LDAP
- entities, with different distinguished names (such as
- cn=domain+ipServiceProtocol=tcp, ... and
- cn=domain+ipServiceProtocol=udp, ...) it is convenient to represent
- them as a single entry. (If a service is represented in multiple
- protocol domains with different ports, then multiple entries are
- required; multivalued RDNs may be used to distinguish them.)
-
- With the exception of userPassword values, which are parsed according
- to the syntax considered in section 5.2, any empty values (consisting
- of a zero length string) are returned by the DUA to the client. The
- DUA MUST reject any entries which do not conform to the schema
- (missing mandatory attributes). Non-conforming entries SHOULD be
- ignored while enumerating entries.
-
- The nisObject object class MAY be used as a generic means of
- representing NIS entities. Its use is not encouraged; where support
- for entities not described in this schema is desired, an appropriate
-
-
-
-Howard Experimental [Page 14]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- schema should be devised. Implementors are strongly advised to
- support end-user extensible mappings between NIS entities and object
- classes. (Where the nisObject class is used, the nisMapName attribute
- may be used as a RDN.)
-
-5.6. Canonicalizing entries with multi-valued naming attributes
-
- For entities such as hosts, services, networks, protocols, and RPCs,
- where there may be one or more aliases, the respective entry's
- relative distinguished name SHOULD be used to determine the canonical
- name. Any other values for the same attribute are used as aliases.
- For example, the service described in section 5.5 has the canonical
- name "domain" and exactly one alias, "nameserver".
-
- The schema in this document generally only defines one attribute per
- class which is suitable for distinguishing an entity (excluding any
- attributes with integer syntax; it is assumed that entries will be
- distinguished on name). Usually, this is the common name (cn)
- attribute. This aids the DUA in determining the canonical name of an
- entity, as it can examine the value of the relative distinguished
- name. Aliases are thus any values of the distinguishing attribute
- (such as cn) which do not match the canonical name of the entity.
-
- In the event that a different attribute is used to distinguish the
- entry, as may be the case where these object classes are used as
- auxiliary classes, the entry's canonical name may not be present in
- the RDN. In this case, the DUA MUST choose one of the non-
- distinguished values to represent the entity's canonical name. As the
- directory server guarantees no ordering of attribute values, it may
- not be possible to distinguish an entry deterministically. This
- ambiguity SHOULD NOT be resolved by mapping one directory entry into
- multiple entities.
-
-6. Implementation focus
-
- A NIS server which uses LDAP instead of local files has been
- developed which supports the schema defined in this document.
-
- A reference implementation of the C library resolution code has been
- written for the Free Software Foundation. It may support other C
- libraries which support the Name Service Switch (NSS) or the
- Information Retrieval Service (IRS).
-
- The author has made available a freely distributable set of scripts
- which parses local databases such as /etc/passwd and /etc/hosts into
- a form suitable for loading into an LDAP server.
-
-
-
-
-
-Howard Experimental [Page 15]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
-7. Security Considerations
-
- The entirety of related security considerations are outside the scope
- of this document. It is noted that making passwords encrypted with a
- widely understood hash function (such as crypt()) available to non-
- privileged users is dangerous because it exposes them to dictionary
- and brute-force attacks. This is proposed only for compatibility
- with existing UNIX system implementations. Sites where security is
- critical SHOULD consider using a strong authentication service for
- user authentication.
-
- Alternatively, the encrypted password could be made available only to
- a subset of privileged DUAs, which would provide "shadow" password
- service to client applications. This may be difficult to enforce.
-
- Because the schema represents operating system-level entities, access
- to these entities SHOULD be granted on a discretionary basis. (There
- is little point in restricting access to data which will be
- republished without restriction, however.) It is particularly
- important that only administrators can modify entries defined in this
- schema, with the exception of allowing a principal to change their
- password (which may be done on behalf of the user by a client bound
- as a superior principal, such that password restrictions may be
- enforced). For example, if a user were allowed to change the value of
- their uidNumber attribute, they could subvert security by
- equivalencing their account with the superuser account.
-
- A subtree of the DIT which is to be republished by a DUA (such as a
- NIS gateway) SHOULD be within the same administrative domain that the
- republishing DUA represents. (For example, principals outside an
- organization, while conceivably part of the DIT, should not be
- considered with the same degree of authority as those within the
- organization.)
-
- Finally, care should be exercised with integer attributes of a
- sensitive nature (particularly the uidNumber and gidNumber
- attributes) which contain zero-length values. DUAs MAY treat such
- values as corresponding to the "nobody" or "nogroup" user and group,
- respectively.
-
-8. Acknowledgements
-
- Thanks to Leif Hedstrom of Netscape Communications Corporation,
- Michael Grant and Rosanna Lee of Sun Microsystems Inc., Ed Reed of
- Novell Inc., and Mark Wahl of Critical Angle Inc. for their valuable
- contributions to the development of this schema. Thanks to Andrew
- Josey of The Open Group for clarifying the use of the UNIX trademark,
- and to Tim Howes and Peter J. Cherny for their support.
-
-
-
-Howard Experimental [Page 16]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- UNIX is a registered trademark of The Open Group.
-
-9. References
-
- [RFC1057]
- Sun Microsystems, Inc., "RPC: Remote Procedure Call: Protocol
- Specification Version 2", RFC 1057, June 1988.
-
- [RFC1279]
- Kille, S., "X.500 and Domains", RFC 1279, November 1991.
-
- [RFC1884]
- Hinden, R., and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 1884, December 1995.
-
- [RFC2119]
- Bradner, S., "Key Words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2251]
- Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, December 1997.
-
- [RFC2252]
- Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
- Directory Access Protocol (v3): Attribute Syntax Definitions",
- RFC 2252, December 1997.
-
- [RFC2254]
- Howes, T., "The String Representation of LDAP Search Filters",
- RFC 2254, December 1997.
-
- [RFC2256]
- Wahl, M., "A Summary of the X.500(96) User Schema for use with
- LDAPv3", RFC 2256, December 1997.
-
- [ROSE]
- M. T. Rose, "The Little Black Book: Mail Bonding with OSI
- Directory Services", ISBN 0-13-683210-5, Prentice-Hall, Inc.,
- 1992.
-
- [X500]
- "Information Processing Systems - Open Systems Interconnection -
- The Directory: Overview of Concepts, Models and Service",
- ISO/IEC JTC 1/SC21, International Standard 9594-1, 1988.
-
-
-
-
-
-
-Howard Experimental [Page 17]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- [XOPEN]
- ISO/IEC 9945-1:1990, Information Technology - Portable Operating
- Systems Interface (POSIX) - Part 1: Systems Application
- Programming Interface (API) [C Language]
-
-10. Author's Address
-
- Luke Howard
- PO Box 59
- Central Park Vic 3145
- Australia
-
- EMail: lukeh at xedoc.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howard Experimental [Page 18]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
-A. Example entries
-
- The examples described in this section are provided to illustrate the
- schema described in this memo. They are not meant to be exhaustive.
-
- The following entry is an example of the posixAccount class:
-
- dn: uid=lester, dc=aja, dc=com
- objectClass: top
- objectClass: account
- objectClass: posixAccount
- uid: lester
- cn: Lester the Nightfly
- userPassword: {crypt}X5/DBrWPOQQaI
- gecos: Lester
- loginShell: /bin/csh
- uidNumber: 10
- gidNumber: 10
- homeDirectory: /home/lester
-
-
- This corresponds the UNIX system password file entry:
-
- lester:X5/DBrWPOQQaI:10:10:Lester:/home/lester:/bin/sh
-
- The following entry is an example of the ipHost class:
-
- dn: cn=peg.aja.com, dc=aja, dc=com
- objectClass: top
- objectClass: device
- objectClass: ipHost
- objectClass: bootableDevice
- objectClass: ieee802Device
- cn: peg.aja.com
- cn: www.aja.com
- ipHostNumber: 10.0.0.1
- macAddress: 00:00:92:90:ee:e2
- bootFile: mach
- bootParameter: root=fs:/nfsroot/peg
- bootParameter: swap=fs:/nfsswap/peg
- bootParameter: dump=fs:/nfsdump/peg
-
- This entry represents the host canonically peg.aja.com, also known as
- www.aja.com. The Ethernet address and four boot parameters are also
- specified.
-
-
-
-
-
-
-Howard Experimental [Page 19]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
- An example of the nisNetgroup class:
-
- dn: cn=nightfly, dc=aja, dc=com
- objectClass: top
- objectClass: nisNetgroup
- cn: nightfly
- nisNetgroupTriple: (charlemagne,peg,dunes.aja.com)
- nisNetgroupTriple: (lester,-,)
- memberNisNetgroup: kamakiriad
-
- This entry represents the netgroup nightfly, which contains two
- triples (the user charlemagne, the host peg, and the domain
- dunes.aja.com; and, the user lester, no host, and any domain) and one
- netgroup (kamakiriad).
-
- Finally, an example of the nisObject class:
-
- dn: nisMapName=tracks, dc=dunes, dc=aja, dc=com
- objectClass: top
- objectClass: nisMap
- nisMapName: tracks
-
- dn: cn=Maxine, nisMapName=tracks, dc=dunes, dc=aja, dc=com
- objectClass: top
- objectClass: nisObject
- cn: Maxine
- nisMapName: tracks
- nisMapEntry: Nightfly$4
-
- This entry represents the NIS map tracks, and a single map entry.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howard Experimental [Page 20]
-�
-RFC 2307 Using LDAP as a Network Information Service March 1998
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howard Experimental [Page 21]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc2696.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc2696.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc2696.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group C. Weider
-Request for Comments: 2696 A. Herron
-Category: Informational A. Anantha
- Microsoft
- T. Howes
- Netscape
- September 1999
-
-
- LDAP Control Extension for Simple Paged Results Manipulation
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-1. Abstract
-
- This document describes an LDAPv3 control extension for simple paging
- of search results. This control extension allows a client to control
- the rate at which an LDAP server returns the results of an LDAP
- search operation. This control may be useful when the LDAP client has
- limited resources and may not be able to process the entire result
- set from a given LDAP query, or when the LDAP client is connected
- over a low-bandwidth connection. Other operations on the result set
- are not defined in this extension. This extension is not designed to
- provide more sophisticated result set management.
-
- The key words "MUST", "SHOULD", and "MAY" used in this document are
- to be interpreted as described in [bradner97].
-
-2. The Control
-
- This control is included in the searchRequest and searchResultDone
- messages as part of the controls field of the LDAPMessage, as defined
- in Section 4.1.12 of [LDAPv3]. The structure of this control is as
- follows:
-
-
-
-
-
-
-
-
-
-Weider, et al. Informational [Page 1]
-�
-RFC 2696 LDAP Control Ext. for Simple Paged Results September 1999
-
-
-pagedResultsControl ::= SEQUENCE {
- controlType 1.2.840.113556.1.4.319,
- criticality BOOLEAN DEFAULT FALSE,
- controlValue searchControlValue
-}
-
-The searchControlValue is an OCTET STRING wrapping the BER-encoded
-version of the following SEQUENCE:
-
-realSearchControlValue ::= SEQUENCE {
- size INTEGER (0..maxInt),
- -- requested page size from client
- -- result set size estimate from server
- cookie OCTET STRING
-}
-
-3. Client-Server Interaction
-
- An LDAP client application that needs to control the rate at which
- results are returned MAY specify on the searchRequest a
- pagedResultsControl with size set to the desired page size and cookie
- set to the zero-length string. The page size specified MAY be greater
- than zero and less than the sizeLimit value specified in the
- searchRequest.
-
- If the page size is greater than or equal to the sizeLimit value, the
- server should ignore the control as the request can be satisfied in a
- single page. If the server does not support this control, the server
- MUST return an error of unsupportedCriticalExtension if the client
- requested it as critical, otherwise the server SHOULD ignore the
- control. The remainder of this section assumes the server does not
- ignore the client's pagedResultsControl.
-
- Each time the server returns a set of results to the client when
- processing a search request containing the pagedResultsControl, the
- server includes the pagedResultsControl control in the
- searchResultDone message. In the control returned to the client, the
- size MAY be set to the server's estimate of the total number of
- entries in the entire result set. Servers that cannot provide such an
- estimate MAY set this size to zero (0). The cookie MUST be set to an
- empty value if there are no more entries to return (i.e., the page of
- search results returned was the last), or, if there are more entries
- to return, to an octet string of the server's choosing,used to resume
- the search.
-
- The client MUST consider the cookie to be an opaque structure and
- make no assumptions about its internal organization or value. When
- the client wants to retrieve more entries for the result set, it MUST
-
-
-
-Weider, et al. Informational [Page 2]
-�
-RFC 2696 LDAP Control Ext. for Simple Paged Results September 1999
-
-
- send to the server a searchRequest with all values identical to the
- initial request with the exception of the messageID, the cookie, and
- optionally a modified pageSize. The cookie MUST be the octet string
- on the last searchResultDone response returned by the server.
- Returning cookies from previous searchResultDone responses besides
- the last one is undefined, as the server implementation may restrict
- cookies from being reused.
-
- The server will then return the next set of results from the whole
- result set. This interaction will continue until the client has
- retrieved all the results, in which case the cookie in the
- searchResultDone field will be empty, or until the client abandons
- the search sequence as described below. Once the paged search
- sequence has been completed, the cookie is no longer valid and MUST
- NOT be used.
-
- A sequence of paged search requests is abandoned by the client
- sending a search request containing a pagedResultsControl with the
- size set to zero (0) and the cookie set to the last cookie returned
- by the server. A client MAY use the LDAP Abandon operation to
- abandon one paged search request in progress, but this is discouraged
- as it MAY invalidate the client's cookie.
-
- If, for any reason, the server cannot resume a paged search operation
- for a client, then it SHOULD return the appropriate error in a
- searchResultDone entry. If this occurs, both client and server should
- assume the paged result set is closed and no longer resumable.
-
- A client may have any number of outstanding search requests pending,
- any of which may have used the pagedResultsControl. A server
- implementation which requires a limit on the number of outstanding
- paged search requests from a given client MAY either return
- unwillingToPerform when the client attempts to create a new paged
- search request, or age out an older result set. If the server
- implementation ages out an older paged search request, it SHOULD
- return "unwilling to perform" if the client attempts to resume the
- paged search that was aged out.
-
- A client may safely assume that all entries that satisfy a given
- search query are returned once and only once during the set of paged
- search requests/responses necessary to enumerate the entire result
- set, unless the result set for that query has changed since the
- searchRequest starting the request/response sequence was processed.
- In that case, the client may receive a given entry multiple times
- and/or may not receive all entries matching the given search
- criteria.
-
-
-
-
-
-Weider, et al. Informational [Page 3]
-�
-RFC 2696 LDAP Control Ext. for Simple Paged Results September 1999
-
-
-4. Example
-
- The following example illustrates the client-server interaction
- between a client doing a search requesting a page size limit of 3.
- The entire result set returned by the server contains 5 entries.
-
- Lines beginning with "C:" indicate requests sent from client to
- server. Lines beginning with "S:" indicate responses sent from server
- to client. Lines beginning with "--" are comments to help explain the
- example.
-
- -- Client sends a search request asking for paged results
- -- with a page size of 3.
- C: SearchRequest + pagedResultsControl(3,"")
- -- Server responds with three entries plus an indication
- -- of 5 total entries in the search result and an opaque
- -- cooking to be used by the client when retrieving subsequent
- -- pages.
- S: SearchResultEntry
- S: SearchResultEntry
- S: SearchResultEntry
- S: SearchResultDone + pagedResultsControl(5, "opaque")
- -- Client sends an identical search request (except for
- -- message id), returning the opaque cooking, asking for
- -- the next page.
- C: SearchRequest + PagedResultsControl(3, "opaque")
- -- Server responds with two entries plus an indication
- -- that there are no more entries (null cookie).
- S: SearchResultEntry
- S: SearchResultEntry
- S: SearchResultDone + pagedResultsControl(5,"")
-
-5. Relationship to X.500
-
- For LDAP servers providing a front end to X.500 (93) directories, the
- paged results control defined in this document may be mapped directly
- onto the X.500 (93) PagedResultsRequest defined in X.511 [x500]. The
- size parameter may be mapped onto pageSize. The cookie parameter may
- be mapped onto queryReference. The sortKeys and reverse fields in
- the X.500 PagedResultsRequest are excluded.
-
-
-
-
-
-
-
-
-
-
-
-Weider, et al. Informational [Page 4]
-�
-RFC 2696 LDAP Control Ext. for Simple Paged Results September 1999
-
-
-6. Security Considerations
-
- Server implementors should consider the resources used when clients
- send searches with the simple paged control, to ensure that a
- client's misuse of this control does not lock out other legitimate
- operations.
-
- Servers implementations may enforce an overriding sizelimit, to
- prevent the retrieval of large portions of a publically-accessible
- directory.
-
- Clients can, using this control, determine how many entries match a
- particular filter, before the entries are returned to the client.
- This may require special processing in servers which perform access
- control checks on entries to determine whether the existence of the
- entry can be disclosed to the client.
-
-7. References
-
- [LDAPv3] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
- Access Protocol (v3)", RFC 2251, December 1997.
-
- [Bradner97] Bradner, S., "Key Words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weider, et al. Informational [Page 5]
-�
-RFC 2696 LDAP Control Ext. for Simple Paged Results September 1999
-
-
-8. Authors' Addresses
-
- Chris Weider
- Microsoft Corp.
- 1 Microsoft Way
- Redmond, WA 98052
- USA
-
- Phone: +1 425 882-8080
- EMail: cweider at microsoft.com
-
-
- Andy Herron
- Microsoft Corp.
- 1 Microsoft Way
- Redmond, WA 98052
- USA
-
- Phone: +1 425 882-8080
- EMail: andyhe at microsoft.com
-
-
- Anoop Anantha
- Microsoft Corp.
- 1 Microsoft Way
- Redmond, WA 98052
- USA
-
- Phone: +1 425 882-8080
- EMail: anoopa at microsoft.com
-
-
- Tim Howes
- Netscape Communications Corp.
- 501 E. Middlefield Road
- Mountain View, CA 94043
- USA
-
- Phone: +1 415 937-2600
- EMail: howes at netscape.com
-
-
-
-
-
-
-
-
-
-
-
-Weider, et al. Informational [Page 6]
-�
-RFC 2696 LDAP Control Ext. for Simple Paged Results September 1999
-
-
-9. Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weider, et al. Informational [Page 7]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc2849.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc2849.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc2849.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,787 +0,0 @@
-
-
-
-
-
-
-Network Working Group G. Good
-Request for Comments: 2849 iPlanet e-commerce Solutions
-Category: Standards Track June 2000
-
-
- The LDAP Data Interchange Format (LDIF) - Technical Specification
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This document describes a file format suitable for describing
- directory information or modifications made to directory information.
- The file format, known as LDIF, for LDAP Data Interchange Format, is
- typically used to import and export directory information between
- LDAP-based directory servers, or to describe a set of changes which
- are to be applied to a directory.
-
-Background and Intended Usage
-
- There are a number of situations where a common interchange format is
- desirable. For example, one might wish to export a copy of the
- contents of a directory server to a file, move that file to a
- different machine, and import the contents into a second directory
- server.
-
- Additionally, by using a well-defined interchange format, development
- of data import tools from legacy systems is facilitated. A fairly
- simple set of tools written in awk or perl can, for example, convert
- a database of personnel information into an LDIF file. This file can
- then be imported into a directory server, regardless of the internal
- database representation the target directory server uses.
-
- The LDIF format was originally developed and used in the University
- of Michigan LDAP implementation. The first use of LDIF was in
- describing directory entries. Later, the format was expanded to
- allow representation of changes to directory entries.
-
-
-
-
-Good Standards Track [Page 1]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
- Relationship to the application/directory MIME content-type:
-
- The application/directory MIME content-type [1] is a general
- framework and format for conveying directory information, and is
- independent of any particular directory service. The LDIF format is
- a simpler format which is perhaps easier to create, and may also be
- used, as noted, to describe a set of changes to be applied to a
- directory.
-
- The key words "MUST", "MUST NOT", "MAY", "SHOULD", and "SHOULD NOT"
- used in this document are to be interpreted as described in [7].
-
-Definition of the LDAP Data Interchange Format
-
- The LDIF format is used to convey directory information, or a
- description of a set of changes made to directory entries. An LDIF
- file consists of a series of records separated by line separators. A
- record consists of a sequence of lines describing a directory entry,
- or a sequence of lines describing a set of changes to a directory
- entry. An LDIF file specifies a set of directory entries, or a set
- of changes to be applied to directory entries, but not both.
-
- There is a one-to-one correlation between LDAP operations that modify
- the directory (add, delete, modify, and modrdn), and the types of
- changerecords described below ("add", "delete", "modify", and
- "modrdn" or "moddn"). This correspondence is intentional, and
- permits a straightforward translation from LDIF changerecords to
- protocol operations.
-
-Formal Syntax Definition of LDIF
-
- The following definition uses the augmented Backus-Naur Form
- specified in RFC 2234 [2].
-
-ldif-file = ldif-content / ldif-changes
-
-ldif-content = version-spec 1*(1*SEP ldif-attrval-record)
-
-ldif-changes = version-spec 1*(1*SEP ldif-change-record)
-
-ldif-attrval-record = dn-spec SEP 1*attrval-spec
-
-ldif-change-record = dn-spec SEP *control changerecord
-
-version-spec = "version:" FILL version-number
-
-
-
-
-
-
-Good Standards Track [Page 2]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-version-number = 1*DIGIT
- ; version-number MUST be "1" for the
- ; LDIF format described in this document.
-
-dn-spec = "dn:" (FILL distinguishedName /
- ":" FILL base64-distinguishedName)
-
-distinguishedName = SAFE-STRING
- ; a distinguished name, as defined in [3]
-
-base64-distinguishedName = BASE64-UTF8-STRING
- ; a distinguishedName which has been base64
- ; encoded (see note 10, below)
-
-rdn = SAFE-STRING
- ; a relative distinguished name, defined as
- ; <name-component> in [3]
-
-base64-rdn = BASE64-UTF8-STRING
- ; an rdn which has been base64 encoded (see
- ; note 10, below)
-
-control = "control:" FILL ldap-oid ; controlType
- 0*1(1*SPACE ("true" / "false")) ; criticality
- 0*1(value-spec) ; controlValue
- SEP
- ; (See note 9, below)
-
-ldap-oid = 1*DIGIT 0*1("." 1*DIGIT)
- ; An LDAPOID, as defined in [4]
-
-attrval-spec = AttributeDescription value-spec SEP
-
-value-spec = ":" ( FILL 0*1(SAFE-STRING) /
- ":" FILL (BASE64-STRING) /
- "<" FILL url)
- ; See notes 7 and 8, below
-
-url = <a Uniform Resource Locator,
- as defined in [6]>
- ; (See Note 6, below)
-
-AttributeDescription = AttributeType [";" options]
- ; Definition taken from [4]
-
-AttributeType = ldap-oid / (ALPHA *(attr-type-chars))
-
-options = option / (option ";" options)
-
-
-
-Good Standards Track [Page 3]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-option = 1*opt-char
-
-attr-type-chars = ALPHA / DIGIT / "-"
-
-opt-char = attr-type-chars
-
-changerecord = "changetype:" FILL
- (change-add / change-delete /
- change-modify / change-moddn)
-
-change-add = "add" SEP 1*attrval-spec
-
-change-delete = "delete" SEP
-
-change-moddn = ("modrdn" / "moddn") SEP
- "newrdn:" ( FILL rdn /
- ":" FILL base64-rdn) SEP
- "deleteoldrdn:" FILL ("0" / "1") SEP
- 0*1("newsuperior:"
- ( FILL distinguishedName /
- ":" FILL base64-distinguishedName) SEP)
-
-change-modify = "modify" SEP *mod-spec
-
-mod-spec = ("add:" / "delete:" / "replace:")
- FILL AttributeDescription SEP
- *attrval-spec
- "-" SEP
-
-SPACE = %x20
- ; ASCII SP, space
-
-FILL = *SPACE
-
-SEP = (CR LF / LF)
-
-CR = %x0D
- ; ASCII CR, carriage return
-
-LF = %x0A
- ; ASCII LF, line feed
-
-ALPHA = %x41-5A / %x61-7A
- ; A-Z / a-z
-
-DIGIT = %x30-39
- ; 0-9
-
-
-
-
-Good Standards Track [Page 4]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-UTF8-1 = %x80-BF
-
-UTF8-2 = %xC0-DF UTF8-1
-
-UTF8-3 = %xE0-EF 2UTF8-1
-
-UTF8-4 = %xF0-F7 3UTF8-1
-
-UTF8-5 = %xF8-FB 4UTF8-1
-
-UTF8-6 = %xFC-FD 5UTF8-1
-
-SAFE-CHAR = %x01-09 / %x0B-0C / %x0E-7F
- ; any value <= 127 decimal except NUL, LF,
- ; and CR
-
-SAFE-INIT-CHAR = %x01-09 / %x0B-0C / %x0E-1F /
- %x21-39 / %x3B / %x3D-7F
- ; any value <= 127 except NUL, LF, CR,
- ; SPACE, colon (":", ASCII 58 decimal)
- ; and less-than ("<" , ASCII 60 decimal)
-
-SAFE-STRING = [SAFE-INIT-CHAR *SAFE-CHAR]
-
-UTF8-CHAR = SAFE-CHAR / UTF8-2 / UTF8-3 /
- UTF8-4 / UTF8-5 / UTF8-6
-
-UTF8-STRING = *UTF8-CHAR
-
-BASE64-UTF8-STRING = BASE64-STRING
- ; MUST be the base64 encoding of a
- ; UTF8-STRING
-
-BASE64-CHAR = %x2B / %x2F / %x30-39 / %x3D / %x41-5A /
- %x61-7A
- ; +, /, 0-9, =, A-Z, and a-z
- ; as specified in [5]
-
-BASE64-STRING = [*(BASE64-CHAR)]
-
-
- Notes on LDIF Syntax
-
- 1) For the LDIF format described in this document, the version
- number MUST be "1". If the version number is absent,
- implementations MAY choose to interpret the contents as an
- older LDIF file format, supported by the University of
- Michigan ldap-3.3 implementation [8].
-
-
-
-Good Standards Track [Page 5]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
- 2) Any non-empty line, including comment lines, in an LDIF file
- MAY be folded by inserting a line separator (SEP) and a SPACE.
- Folding MUST NOT occur before the first character of the line.
- In other words, folding a line into two lines, the first of
- which is empty, is not permitted. Any line that begins with a
- single space MUST be treated as a continuation of the previous
- (non-empty) line. When joining folded lines, exactly one space
- character at the beginning of each continued line must be
- discarded. Implementations SHOULD NOT fold lines in the middle
- of a multi-byte UTF-8 character.
-
- 3) Any line that begins with a pound-sign ("#", ASCII 35) is a
- comment line, and MUST be ignored when parsing an LDIF file.
-
- 4) Any dn or rdn that contains characters other than those
- defined as "SAFE-UTF8-CHAR", or begins with a character other
- than those defined as "SAFE-INIT-UTF8-CHAR", above, MUST be
- base-64 encoded. Other values MAY be base-64 encoded. Any
- value that contains characters other than those defined as
- "SAFE-CHAR", or begins with a character other than those
- defined as "SAFE-INIT-CHAR", above, MUST be base-64 encoded.
- Other values MAY be base-64 encoded.
-
- 5) When a zero-length attribute value is to be included directly
- in an LDIF file, it MUST be represented as
- AttributeDescription ":" FILL SEP. For example, "seeAlso:"
- followed by a newline represents a zero-length "seeAlso"
- attribute value. It is also permissible for the value
- referred to by a URL to be of zero length.
-
- 6) When a URL is specified in an attrval-spec, the following
- conventions apply:
-
- a) Implementations SHOULD support the file:// URL format. The
- contents of the referenced file are to be included verbatim
- in the interpreted output of the LDIF file.
- b) Implementations MAY support other URL formats. The
- semantics associated with each supported URL will be
- documented in an associated Applicability Statement.
-
- 7) Distinguished names, relative distinguished names, and
- attribute values of DirectoryString syntax MUST be valid UTF-8
- strings. Implementations that read LDIF MAY interpret files
- in which these entities are stored in some other character set
- encoding, but implementations MUST NOT generate LDIF content
- which does not contain valid UTF-8 data.
-
-
-
-
-
-Good Standards Track [Page 6]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
- 8) Values or distinguished names that end with SPACE SHOULD be
- base-64 encoded.
-
- 9) When controls are included in an LDIF file, implementations
- MAY choose to ignore some or all of them. This may be
- necessary if the changes described in the LDIF file are being
- sent on an LDAPv2 connection (LDAPv2 does not support
- controls), or the particular controls are not supported by the
- remote server. If the criticality of a control is "true", then
- the implementation MUST either include the control, or MUST
- NOT send the operation to a remote server.
-
- 10) When an attrval-spec, distinguishedName, or rdn is base64-
- encoded, the encoding rules specified in [5] are used with the
- following exceptions: a) The requirement that base64 output
- streams must be represented as lines of no more than 76
- characters is removed. Lines in LDIF files may only be folded
- according to the folding rules described in note 2, above. b)
- Base64 strings in [5] may contain characters other than those
- defined in BASE64-CHAR, and are ignored. LDIF does not permit
- any extraneous characters, other than those used for line
- folding.
-
-Examples of LDAP Data Interchange Format
-
-Example 1: An simple LDAP file with two entries
-
-version: 1
-dn: cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com
-objectclass: top
-objectclass: person
-objectclass: organizationalPerson
-cn: Barbara Jensen
-cn: Barbara J Jensen
-cn: Babs Jensen
-sn: Jensen
-uid: bjensen
-telephonenumber: +1 408 555 1212
-description: A big sailing fan.
-
-dn: cn=Bjorn Jensen, ou=Accounting, dc=airius, dc=com
-objectclass: top
-objectclass: person
-objectclass: organizationalPerson
-cn: Bjorn Jensen
-sn: Jensen
-telephonenumber: +1 408 555 1212
-
-
-
-
-Good Standards Track [Page 7]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-Example 2: A file containing an entry with a folded attribute value
-
-version: 1
-dn:cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com
-objectclass:top
-objectclass:person
-objectclass:organizationalPerson
-cn:Barbara Jensen
-cn:Barbara J Jensen
-cn:Babs Jensen
-sn:Jensen
-uid:bjensen
-telephonenumber:+1 408 555 1212
-description:Babs is a big sailing fan, and travels extensively in sea
- rch of perfect sailing conditions.
-title:Product Manager, Rod and Reel Division
-
-Example 3: A file containing a base-64-encoded value
-
-version: 1
-dn: cn=Gern Jensen, ou=Product Testing, dc=airius, dc=com
-objectclass: top
-objectclass: person
-objectclass: organizationalPerson
-cn: Gern Jensen
-cn: Gern O Jensen
-sn: Jensen
-uid: gernj
-telephonenumber: +1 408 555 1212
-description:: V2hhdCBhIGNhcmVmdWwgcmVhZGVyIHlvdSBhcmUhICBUaGlzIHZhbHVl
-IGlzIGJhc2UtNjQtZW5jb2RlZCBiZWNhdXNlIGl0IGhhcyBhIGNvbnRyb2wgY2hhcmFjdG
-VyIGluIGl0IChhIENSKS4NICBCeSB0aGUgd2F5LCB5b3Ugc2hvdWxkIHJlYWxseSBnZXQg
-b3V0IG1vcmUu
-
-Example 4: A file containing an entries with UTF-8-encoded attribute
-values, including language tags. Comments indicate the contents
-of UTF-8-encoded attributes and distinguished names.
-
-version: 1
-dn:: b3U95Za25qWt6YOoLG89QWlyaXVz
-# dn:: ou=<JapaneseOU>,o=Airius
-objectclass: top
-objectclass: organizationalUnit
-ou:: 5Za25qWt6YOo
-# ou:: <JapaneseOU>
-ou;lang-ja:: 5Za25qWt6YOo
-# ou;lang-ja:: <JapaneseOU>
-ou;lang-ja;phonetic:: 44GI44GE44GO44KH44GG44G2
-
-
-
-Good Standards Track [Page 8]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-# ou;lang-ja:: <JapaneseOU_in_phonetic_representation>
-ou;lang-en: Sales
-description: Japanese office
-
-dn:: dWlkPXJvZ2FzYXdhcmEsb3U95Za25qWt6YOoLG89QWlyaXVz
-# dn:: uid=<uid>,ou=<JapaneseOU>,o=Airius
-userpassword: {SHA}O3HSv1MusyL4kTjP+HKI5uxuNoM=
-objectclass: top
-objectclass: person
-objectclass: organizationalPerson
-objectclass: inetOrgPerson
-uid: rogasawara
-mail: rogasawara at airius.co.jp
-givenname;lang-ja:: 44Ot44OJ44OL44O8
-# givenname;lang-ja:: <JapaneseGivenname>
-sn;lang-ja:: 5bCP56yg5Y6f
-# sn;lang-ja:: <JapaneseSn>
-cn;lang-ja:: 5bCP56yg5Y6fIOODreODieODi+ODvA==
-# cn;lang-ja:: <JapaneseCn>
-title;lang-ja:: 5Za25qWt6YOoIOmDqOmVtw==
-# title;lang-ja:: <JapaneseTitle>
-preferredlanguage: ja
-givenname:: 44Ot44OJ44OL44O8
-# givenname:: <JapaneseGivenname>
-sn:: 5bCP56yg5Y6f
-# sn:: <JapaneseSn>
-cn:: 5bCP56yg5Y6fIOODreODieODi+ODvA==
-# cn:: <JapaneseCn>
-title:: 5Za25qWt6YOoIOmDqOmVtw==
-# title:: <JapaneseTitle>
-givenname;lang-ja;phonetic:: 44KN44Gp44Gr44O8
-# givenname;lang-ja;phonetic::
-<JapaneseGivenname_in_phonetic_representation_kana>
-sn;lang-ja;phonetic:: 44GK44GM44GV44KP44KJ
-# sn;lang-ja;phonetic:: <JapaneseSn_in_phonetic_representation_kana>
-cn;lang-ja;phonetic:: 44GK44GM44GV44KP44KJIOOCjeOBqeOBq+ODvA==
-# cn;lang-ja;phonetic:: <JapaneseCn_in_phonetic_representation_kana>
-title;lang-ja;phonetic:: 44GI44GE44GO44KH44GG44G2IOOBtuOBoeOCh+OBhg==
-# title;lang-ja;phonetic::
-# <JapaneseTitle_in_phonetic_representation_kana>
-givenname;lang-en: Rodney
-sn;lang-en: Ogasawara
-cn;lang-en: Rodney Ogasawara
-title;lang-en: Sales, Director
-
-
-
-
-
-
-
-Good Standards Track [Page 9]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-Example 5: A file containing a reference to an external file
-
-version: 1
-dn: cn=Horatio Jensen, ou=Product Testing, dc=airius, dc=com
-objectclass: top
-objectclass: person
-objectclass: organizationalPerson
-cn: Horatio Jensen
-
-cn: Horatio N Jensen
-sn: Jensen
-uid: hjensen
-telephonenumber: +1 408 555 1212
-jpegphoto:< file:///usr/local/directory/photos/hjensen.jpg
-
-Example 6: A file containing a series of change records and comments
-
-version: 1
-# Add a new entry
-dn: cn=Fiona Jensen, ou=Marketing, dc=airius, dc=com
-changetype: add
-objectclass: top
-objectclass: person
-objectclass: organizationalPerson
-cn: Fiona Jensen
-sn: Jensen
-uid: fiona
-telephonenumber: +1 408 555 1212
-jpegphoto:< file:///usr/local/directory/photos/fiona.jpg
-
-# Delete an existing entry
-dn: cn=Robert Jensen, ou=Marketing, dc=airius, dc=com
-changetype: delete
-
-# Modify an entry's relative distinguished name
-dn: cn=Paul Jensen, ou=Product Development, dc=airius, dc=com
-changetype: modrdn
-newrdn: cn=Paula Jensen
-deleteoldrdn: 1
-
-# Rename an entry and move all of its children to a new location in
-# the directory tree (only implemented by LDAPv3 servers).
-dn: ou=PD Accountants, ou=Product Development, dc=airius, dc=com
-changetype: modrdn
-newrdn: ou=Product Development Accountants
-deleteoldrdn: 0
-newsuperior: ou=Accounting, dc=airius, dc=com
-
-
-
-
-Good Standards Track [Page 10]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-# Modify an entry: add an additional value to the postaladdress
-# attribute, completely delete the description attribute, replace
-# the telephonenumber attribute with two values, and delete a specific
-# value from the facsimiletelephonenumber attribute
-dn: cn=Paula Jensen, ou=Product Development, dc=airius, dc=com
-changetype: modify
-add: postaladdress
-postaladdress: 123 Anystreet $ Sunnyvale, CA $ 94086
--
-
-delete: description
--
-replace: telephonenumber
-telephonenumber: +1 408 555 1234
-telephonenumber: +1 408 555 5678
--
-delete: facsimiletelephonenumber
-facsimiletelephonenumber: +1 408 555 9876
--
-
-# Modify an entry: replace the postaladdress attribute with an empty
-# set of values (which will cause the attribute to be removed), and
-# delete the entire description attribute. Note that the first will
-# always succeed, while the second will only succeed if at least
-# one value for the description attribute is present.
-dn: cn=Ingrid Jensen, ou=Product Support, dc=airius, dc=com
-changetype: modify
-replace: postaladdress
--
-delete: description
--
-
-Example 7: An LDIF file containing a change record with a control
-version: 1
-# Delete an entry. The operation will attach the LDAPv3
-# Tree Delete Control defined in [9]. The criticality
-# field is "true" and the controlValue field is
-# absent, as required by [9].
-dn: ou=Product Development, dc=airius, dc=com
-control: 1.2.840.113556.1.4.805 true
-changetype: delete
-
-
-
-
-
-
-
-
-
-
-Good Standards Track [Page 11]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-Security Considerations
-
- Given typical directory applications, an LDIF file is likely to
- contain sensitive personal data. Appropriate measures should be
- taken to protect the privacy of those persons whose data is contained
- in an LDIF file.
-
- Since ":<" directives can cause external content to be included when
- processing an LDIF file, one should be cautious of accepting LDIF
- files from external sources. A "trojan" LDIF file could name a file
- with sensitive contents and cause it to be included in a directory
- entry, which a hostile entity could read via LDAP.
-
- LDIF does not provide any method for carrying authentication
- information with an LDIF file. Users of LDIF files must take care to
- verify the integrity of an LDIF file received from an external
- source.
-
-Acknowledgments
-
- The LDAP Interchange Format was developed as part of the University
- of Michigan LDAP reference implementation, and was developed by Tim
- Howes, Mark Smith, and Gordon Good. It is based in part upon work
- supported by the National Science Foundation under Grant No. NCR-
- 9416667.
-
- Members of the IETF LDAP Extensions Working group provided many
- helpful suggestions. In particular, Hallvard B. Furuseth of the
- University of Oslo made many significant contributions to this
- document, including a thorough review and rewrite of the BNF.
-
-References
-
- [1] Howes, T. and M. Smith, "A MIME Content-Type for Directory
- Information", RFC 2425, September 1998.
-
- [2] Crocker, D., and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 2234, November 1997.
-
- [3] Wahl, M., Kille, S. and T. Howes, "A String Representation of
- Distinguished Names", RFC 2253, December 1997.
-
- [4] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access
- Protocol (v3)", RFC 2251, July 1997.
-
- [5] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
- Extensions (MIME) Part One: Format of Internet Message Bodies",
- RFC 2045, November 1996.
-
-
-
-Good Standards Track [Page 12]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
- [6] Berners-Lee, T., Masinter, L. and M. McCahill, "Uniform
- Resource Locators (URL)", RFC 1738, December 1994.
-
- [7] Bradner, S., "Key Words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [8] The SLAPD and SLURPD Administrators Guide. University of
- Michigan, April 1996. <URL:
- http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/toc.html>
-
- [9] M. P. Armijo, "Tree Delete Control", Work in Progress.
-
-Author's Address
-
- Gordon Good
- iPlanet e-commerce Solutions
- 150 Network Circle
- Mailstop USCA17-201
- Santa Clara, CA 95054, USA
-
- Phone: +1 408 276 4351
- EMail: ggood at netscape.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Good Standards Track [Page 13]
-�
-RFC 2849 LDAP Data Interchange Format June 2000
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Good Standards Track [Page 14]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc2891.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc2891.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc2891.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group T. Howes
-Request for Comments: 2891 Loudcloud
-Category: Standards Track M. Wahl
- Sun Microsystems
- A. Anantha
- Microsoft
- August 2000
-
-
- LDAP Control Extension for Server Side Sorting of Search Results
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This document describes two LDAPv3 control extensions for server side
- sorting of search results. These controls allows a client to specify
- the attribute types and matching rules a server should use when
- returning the results to an LDAP search request. The controls may be
- useful when the LDAP client has limited functionality or for some
- other reason cannot sort the results but still needs them sorted.
- Other permissible controls on search operations are not defined in
- this extension.
-
- The sort controls allow a server to return a result code for the
- sorting of the results that is independent of the result code
- returned for the search operation.
-
- The key words "MUST", "SHOULD", and "MAY" used in this document are
- to be interpreted as described in [bradner97].
-
-
-
-
-
-
-
-
-
-
-
-Howes, et al. Standards Track [Page 1]
-�
-RFC 2891 LDAP Control Extension for Server Side Sorting August 2000
-
-
-1. The Controls
-
-1.1 Request Control
-
- This control is included in the searchRequest message as part of the
- controls field of the LDAPMessage, as defined in Section 4.1.12 of
- [LDAPv3].
-
- The controlType is set to "1.2.840.113556.1.4.473". The criticality
- MAY be either TRUE or FALSE (where absent is also equivalent to
- FALSE) at the client's option. The controlValue is an OCTET STRING,
- whose value is the BER encoding of a value of the following SEQUENCE:
-
- SortKeyList ::= SEQUENCE OF SEQUENCE {
- attributeType AttributeDescription,
- orderingRule [0] MatchingRuleId OPTIONAL,
- reverseOrder [1] BOOLEAN DEFAULT FALSE }
-
- The SortKeyList sequence is in order of highest to lowest sort key
- precedence.
-
- The MatchingRuleId, as defined in section 4.1.9 of [LDAPv3], SHOULD
- be one that is valid for the attribute type it applies to. If it is
- not, the server will return inappropriateMatching.
-
- Each attributeType should only occur in the SortKeyList once. If an
- attributeType is included in the sort key list multiple times, the
- server should return an error in the sortResult of
- unwillingToPerform.
-
- If the orderingRule is omitted, the ordering MatchingRule defined for
- use with this attribute MUST be used.
-
- Any conformant implementation of this control MUST allow a sort key
- list with at least one key.
-
-1.2 Response Control
-
- This control is included in the searchResultDone message as part of
- the controls field of the LDAPMessage, as defined in Section 4.1.12
- of [LDAPv3].
-
- The controlType is set to "1.2.840.113556.1.4.474". The criticality
- is FALSE (MAY be absent). The controlValue is an OCTET STRING, whose
- value is the BER encoding of a value of the following SEQUENCE:
-
-
-
-
-
-
-Howes, et al. Standards Track [Page 2]
-�
-RFC 2891 LDAP Control Extension for Server Side Sorting August 2000
-
-
- SortResult ::= SEQUENCE {
- sortResult ENUMERATED {
- success (0), -- results are sorted
- operationsError (1), -- server internal failure
- timeLimitExceeded (3), -- timelimit reached before
- -- sorting was completed
- strongAuthRequired (8), -- refused to return sorted
- -- results via insecure
- -- protocol
- adminLimitExceeded (11), -- too many matching entries
- -- for the server to sort
- noSuchAttribute (16), -- unrecognized attribute
- -- type in sort key
- inappropriateMatching (18), -- unrecognized or
- -- inappropriate matching
- -- rule in sort key
- insufficientAccessRights (50), -- refused to return sorted
- -- results to this client
- busy (51), -- too busy to process
- unwillingToPerform (53), -- unable to sort
- other (80)
- },
- attributeType [0] AttributeDescription OPTIONAL }
-
-2. Client-Server Interaction
-
- The sortKeyRequestControl specifies one or more attribute types and
- matching rules for the results returned by a search request. The
- server SHOULD return all results for the search request in the order
- specified by the sort keys. If the reverseOrder field is set to TRUE,
- then the entries will be presented in reverse sorted order for the
- specified key.
-
- There are six possible scenarios that may occur as a result of the
- sort control being included on the search request:
-
- 1 - If the server does not support this sorting control and the
- client specified TRUE for the control's criticality field, then
- the server MUST return unavailableCriticalExtension as a return
- code in the searchResultDone message and not send back any other
- results. This behavior is specified in section 4.1.12 of
- [LDAPv3].
-
- 2 - If the server does not support this sorting control and the
- client specified FALSE for the control's criticality field, then
- the server MUST ignore the sort control and process the search
- request as if it were not present. This behavior is specified in
- section 4.1.12 of [LDAPv3].
-
-
-
-Howes, et al. Standards Track [Page 3]
-�
-RFC 2891 LDAP Control Extension for Server Side Sorting August 2000
-
-
- 3 - If the server supports this sorting control but for some reason
- cannot sort the search results using the specified sort keys and
- the client specified TRUE for the control's criticality field,
- then the server SHOULD do the following: return
- unavailableCriticalExtension as a return code in the
- searchResultDone message; include the sortKeyResponseControl in
- the searchResultDone message, and not send back any search result
- entries.
-
- 4 - If the server supports this sorting control but for some reason
- cannot sort the search results using the specified sort keys and
- the client specified FALSE for the control's criticality field,
- then the server should return all search results unsorted and
- include the sortKeyResponseControl in the searchResultDone
- message.
-
- 5 - If the server supports this sorting control and can sort the
- search results using the specified sort keys, then it should
- include the sortKeyResponseControl in the searchResultDone
- message with a sortResult of success.
-
- 6 - If the search request failed for any reason and/or there are no
- searchResultEntry messages returned for the search response, then
- the server SHOULD omit the sortKeyResponseControl from the
- searchResultDone message.
-
- The client application is assured that the results are sorted in the
- specified key order if and only if the result code in the
- sortKeyResponseControl is success. If the server omits the
- sortKeyResponseControl from the searchResultDone message, the client
- SHOULD assume that the sort control was ignored by the server.
-
- The sortKeyResponseControl, if included by the server in the
- searchResultDone message, should have the sortResult set to either
- success if the results were sorted in accordance with the keys
- specified in the sortKeyRequestControl or set to the appropriate
- error code as to why it could not sort the data (such as
- noSuchAttribute or inappropriateMatching). Optionally, the server MAY
- set the attributeType to the first attribute type specified in the
- SortKeyList that was in error. The client SHOULD ignore the
- attributeType field if the sortResult is success.
-
- The server may not be able to sort the results using the specified
- sort keys because it may not recognize one of the attribute types,
- the matching rule associated with an attribute type is not
- applicable, or none of the attributes in the search response are of
- these types. Servers may also restrict the number of keys allowed in
- the control, such as only supporting a single key.
-
-
-
-Howes, et al. Standards Track [Page 4]
-�
-RFC 2891 LDAP Control Extension for Server Side Sorting August 2000
-
-
- Servers that chain requests to other LDAP servers should ensure that
- the server satisfying the client's request sort the entire result set
- prior to sending back the results.
-
-2.1 Behavior in a chained environment
-
- If a server receives a sort request, the client expects to receive a
- set of sorted results. If a client submits a sort request to a server
- which chains the request and gets entries from multiple servers, and
- the client has set the criticality of the sort extension to TRUE, the
- server MUST merge sort the results before returning them to the
- client or MUST return unwillingToPerform.
-
-2.2 Other sort issues
-
- An entry that meets the search criteria may be missing one or more of
- the sort keys. In that case, the entry is considered to have a value
- of NULL for that key. This standard considers NULL to be a larger
- value than all other valid values for that key. For example, if only
- one key is specified, entries which meet the search criteria but do
- not have that key collate after all the entries which do have that
- key. If the reverseOrder flag is set, and only one key is specified,
- entries which meet the search criteria but do not have that key
- collate BEFORE all the entries which do have that key.
-
- If a sort key is a multi-valued attribute, and an entry happens to
- have multiple values for that attribute and no other controls are
- present that affect the sorting order, then the server SHOULD use the
- least value (according to the ORDERING rule for that attribute).
-
-3. Interaction with other search controls
-
- When the sortKeyRequestControl control is included with the
- pagedResultsControl control as specified in [LdapPaged], then the
- server should send the searchResultEntry messages sorted according to
- the sort keys applied to the entire result set. The server should not
- simply sort each page, as this will give erroneous results to the
- client.
-
- The sortKeyList must be present on each searchRequest message for the
- paged result. It also must not change between searchRequests for the
- same result set. If the server has sorted the data, then it SHOULD
- send back a sortKeyResponseControl control on every searchResultDone
- message for each page. This will allow clients to quickly determine
- if the result set is sorted, rather than waiting to receive the
- entire result set.
-
-
-
-
-
-Howes, et al. Standards Track [Page 5]
-�
-RFC 2891 LDAP Control Extension for Server Side Sorting August 2000
-
-
-4. Security Considerations
-
- Implementors and administrators should be aware that allowing sorting
- of results could enable the retrieval of a large number of records
- from a given directory service, regardless of administrative limits
- set on the maximum number of records to return.
-
- A client that desired to pull all records out of a directory service
- could use a combination of sorting and updating of search filters to
- retrieve all records in a database in small result sets, thus
- circumventing administrative limits.
-
- This behavior can be overcome by the judicious use of permissions on
- the directory entries by the administrator and by intelligent
- implementations of administrative limits on the number of records
- retrieved by a client.
-
-5. References
-
- [LDAPv3] Wahl, M, Kille, S. and T. Howes, "Lightweight Directory
- Access Protocol (v3)", RFC 2251, December 1997.
-
- [Bradner97] Bradner, S., "Key Words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [LdapPaged] Weider, C., Herron, A., Anantha, A. and T. Howes, "LDAP
- Control Extension for Simple Paged Results Manipulation",
- RFC 2696, September 1999.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howes, et al. Standards Track [Page 6]
-�
-RFC 2891 LDAP Control Extension for Server Side Sorting August 2000
-
-
-6. Authors' Addresses
-
- Anoop Anantha
- Microsoft Corp.
- 1 Microsoft Way
- Redmond, WA 98052
- USA
-
- Phone: +1 425 882-8080
- EMail: anoopa at microsoft.com
-
-
- Tim Howes
- Loudcloud, Inc.
- 615 Tasman Dr.
- Sunnyvale, CA 94089
- USA
-
- EMail: howes at loudcloud.com
-
-
- Mark Wahl
- Sun Microsystems, Inc.
- 8911 Capital of Texas Hwy Suite 4140
- Austin, TX 78759
- USA
-
- EMail: Mark.Wahl at sun.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howes, et al. Standards Track [Page 7]
-�
-RFC 2891 LDAP Control Extension for Server Side Sorting August 2000
-
-
-7. Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Howes, et al. Standards Track [Page 8]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc3296.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc3296.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc3296.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,787 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 3296 OpenLDAP Foundation
-Category: Standards Track July 2002
-
-
- Named Subordinate References in
- Lightweight Directory Access Protocol (LDAP) Directories
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
-Abstract
-
- This document details schema and protocol elements for representing
- and managing named subordinate references in Lightweight Directory
- Access Protocol (LDAP) Directories.
-
-Conventions
-
- Schema definitions are provided using LDAPv3 description formats
- [RFC2252]. Definitions provided here are formatted (line wrapped)
- for readability.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" used in
- this document are to be interpreted as described in BCP 14 [RFC2119].
-
-1. Background and Intended Usage
-
- The broadening of interest in LDAP (Lightweight Directory Access
- Protocol) [RFC2251] directories beyond their use as front ends to
- X.500 [X.500] directories has created a need to represent knowledge
- information in a more general way. Knowledge information is
- information about one or more servers maintained in another server,
- used to link servers and services together.
-
- This document details schema and protocol elements for representing
- and manipulating named subordinate references in LDAP directories. A
- referral object is used to hold subordinate reference information in
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
- the directory. These referral objects hold one or more URIs
- [RFC2396] contained in values of the ref attribute type and are used
- to generate protocol referrals and continuations.
-
- A control, ManageDsaIT, is defined to allow manipulation of referral
- and other special objects as normal objects. As the name of control
- implies, it is intended to be analogous to the ManageDsaIT service
- option described in X.511(97) [X.511].
-
- Other forms of knowledge information are not detailed by this
- document. These forms may be described in subsequent documents.
-
- This document details subordinate referral processing requirements
- for servers. This document does not describe protocol syntax and
- semantics. This is detailed in RFC 2251 [RFC2251].
-
- This document does not detail use of subordinate knowledge references
- to support replicated environments nor distributed operations (e.g.,
- chaining of operations from one server to other servers).
-
-2. Schema
-
-2.1. The referral Object Class
-
- A referral object is a directory entry whose structural object class
- is (or is derived from) the referral object class.
-
- ( 2.16.840.1.113730.3.2.6
- NAME 'referral'
- DESC 'named subordinate reference object'
- STRUCTURAL
- MUST ref )
-
- The referral object class is a structural object class used to
- represent a subordinate reference in the directory. The referral
- object class SHOULD be used in conjunction with the extensibleObject
- object class to support the naming attributes used in the entry's
- Distinguished Name (DN) [RFC2253].
-
- Referral objects are normally instantiated at DSEs immediately
- subordinate to object entries within a naming context held by the
- DSA. Referral objects are analogous to X.500 subordinate knowledge
- (subr) DSEs [X.501].
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
- In the presence of a ManageDsaIT control, referral objects are
- treated as normal entries as described in section 3. Note that the
- ref attribute is operational and will only be returned in a search
- entry response when requested.
-
- In the absence of a ManageDsaIT control, the content of referral
- objects are used to construct referrals and search references as
- described in Section 4 and, as such, the referral entries are not
- themselves visible to clients.
-
-2.2 The ref Attribute Type
-
- ( 2.16.840.1.113730.3.1.34
- NAME 'ref'
- DESC 'named reference - a labeledURI'
- EQUALITY caseExactMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- USAGE distributedOperation )
-
- The ref attribute type has directoryString syntax and is case
- sensitive. The ref attribute is multi-valued. Values placed in the
- attribute MUST conform to the specification given for the labeledURI
- attribute [RFC2079]. The labeledURI specification defines a format
- that is a URI, optionally followed by whitespace and a label. This
- document does not make use of the label portion of the syntax.
- Future documents MAY enable new functionality by imposing additional
- structure on the label portion of the syntax as it appears in the ref
- attribute.
-
- If the URI contained in a ref attribute value refers to a LDAP
- [RFC2251] server, it MUST be in the form of a LDAP URL [RFC2255].
- The LDAP URL SHOULD NOT contain an explicit scope specifier, filter,
- attribute description list, or any extensions. The LDAP URL SHOULD
- contain a non-empty DN. The handling of LDAP URLs with absent or
- empty DN parts or with explicit scope specifier is not defined by
- this specification.
-
- Other URI schemes MAY be used so long as all operations returning
- referrals based upon the value could be performed. This document
- does not detail use of non-LDAP URIs. This is left to future
- specifications.
-
- The referential integrity of the URI SHOULD NOT be validated by the
- server holding or returning the URI (whether as a value of the
- attribute or as part of a referral result or search reference
- response).
-
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
- When returning a referral result or search continuation, the server
- MUST NOT return the separator or label portions of the attribute
- values as part of the reference. When the attribute contains
- multiple values, the URI part of each value is used to construct the
- referral result or search continuation.
-
- The ref attribute values SHOULD NOT be used as a relative name-
- component of an entry's DN [RFC2253].
-
- This document uses the ref attribute in conjunction with the referral
- object class to represent subordinate references. The ref attribute
- may be used for other purposes as defined by other documents.
-
-3. The ManageDsaIT Control
-
- The client may provide the ManageDsaIT control with an operation to
- indicate that the operation is intended to manage objects within the
- DSA (server) Information Tree. The control causes Directory-specific
- entries (DSEs), regardless of type, to be treated as normal entries
- allowing clients to interrogate and update these entries using LDAP
- operations.
-
- A client MAY specify the following control when issuing an add,
- compare, delete, modify, modifyDN, search request or an extended
- operation for which the control is defined.
-
- The control type is 2.16.840.1.113730.3.4.2. The control criticality
- may be TRUE or, if FALSE, absent. The control value is absent.
-
- When the control is present in the request, the server SHALL NOT
- generate a referral or continuation reference based upon information
- held in referral objects and instead SHALL treat the referral object
- as a normal entry. The server, however, is still free to return
- referrals for other reasons. When not present, referral objects
- SHALL be handled as described above.
-
- The control MAY cause other objects to be treated as normal entries
- as defined by subsequent documents.
-
-4. Named Subordinate References
-
- A named subordinate reference is constructed by instantiating a
- referral object in the referencing server with ref attribute values
- which point to the corresponding subtree maintained in the referenced
- server. In general, the name of the referral object is the same as
- the referenced object and this referenced object is a context prefix
- [X.501].
-
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
- That is, if server A holds "DC=example,DC=net" and server B holds
- "DC=sub,DC=example,DC=net", server A may contain a referral object
- named "DC=sub,DC=example,DC=net" which contains a ref attribute with
- value of "ldap://B/DC=sub,DC=example,DC=net".
-
- dn: DC=sub,DC=example,DC=net
- dc: sub
- ref: ldap://B/DC=sub,DC=example,DC=net
- objectClass: referral
- objectClass: extensibleObject
-
- Typically the DN of the referral object and the DN of the object in
- the referenced server are the same.
-
- If the ref attribute has multiple values, all the DNs contained
- within the LDAP URLs SHOULD be equivalent. Administrators SHOULD
- avoid configuring naming loops using referrals.
-
- Named references MUST be treated as normal entries if the request
- includes the ManageDsaIT control as described in section 3.
-
-5. Scenarios
-
- The following sections contain specifications of how referral objects
- should be used in different scenarios followed by examples that
- illustrate that usage. The scenarios described here consist of
- referral object handling when finding target of a non-search
- operation, when finding the base of a search operation, and when
- generating search references. Lastly, other operation processing
- considerations are presented.
-
- It is to be noted that, in this document, a search operation is
- conceptually divided into two distinct, sequential phases: (1)
- finding the base object where the search is to begin, and (2)
- performing the search itself. The first phase is similar to, but not
- the same as, finding the target of a non-search operation.
-
- It should also be noted that the ref attribute may have multiple
- values and, where these sections refer to a single ref attribute
- value, multiple ref attribute values may be substituted and SHOULD be
- processed and returned (in any order) as a group in a referral or
- search reference in the same way as described for a single ref
- attribute value.
-
- Search references returned for a given request may be returned in any
- order.
-
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
-5.1. Example Configuration
-
- For example, suppose the contacted server (hosta) holds the entry
- "O=MNN,C=WW" and the entry "CN=Manager,O=MNN,C=WW" and the following
- referral objects:
-
- dn: OU=People,O=MNN,C=WW
- ou: People
- ref: ldap://hostb/OU=People,O=MNN,C=US
- ref: ldap://hostc/OU=People,O=MNN,C=US
- objectClass: referral
- objectClass: extensibleObject
-
- dn: OU=Roles,O=MNN,C=WW
- ou: Roles
- ref: ldap://hostd/OU=Roles,O=MNN,C=WW
- objectClass: referral
- objectClass: extensibleObject
-
- The first referral object provides the server with the knowledge that
- subtree "OU=People,O=MNN,C=WW" is held by hostb and hostc (e.g., one
- is the master and the other a shadow). The second referral object
- provides the server with the knowledge that the subtree
- "OU=Roles,O=MNN,C=WW" is held by hostd.
-
- Also, in the context of this document, the "nearest naming context"
- means the deepest context which the object is within. That is, if
- the object is within multiple naming contexts, the nearest naming
- context is the one which is subordinate to all other naming contexts
- the object is within.
-
-5.2. Target Object Considerations
-
- This section details referral handling for add, compare, delete,
- modify, and modify DN operations. If the client requests any of
- these operations, there are four cases that the server must handle
- with respect to the target object.
-
- The DN part MUST be modified such that it refers to the appropriate
- target in the referenced server (as detailed below). Even where the
- DN to be returned is the same as the target DN, the DN part SHOULD
- NOT be trimmed.
-
- In cases where the URI to be returned is a LDAP URL, the server
- SHOULD trim any present scope, filter, or attribute list from the URI
- before returning it. Critical extensions MUST NOT be trimmed or
- modified.
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
- Case 1: The target object is not held by the server and is not within
- or subordinate to any naming context nor subordinate to any
- referral object held by the server.
-
- The server SHOULD process the request normally as appropriate for
- a non-existent base which is not within any naming context of the
- server (generally return noSuchObject or a referral based upon
- superior knowledge reference information). This document does not
- detail management or processing of superior knowledge reference
- information.
-
- Case 2: The target object is held by the server and is a referral
- object.
-
- The server SHOULD return the URI value contained in the ref
- attribute of the referral object appropriately modified as
- described above.
-
- Example: If the client issues a modify request for the target object
- of "OU=People,O=MNN,c=WW", the server will return:
-
- ModifyResponse (referral) {
- ldap://hostb/OU=People,O=MNN,C=WW
- ldap://hostc/OU=People,O=MNN,C=WW
- }
-
- Case 3: The target object is not held by the server, but the nearest
- naming context contains no referral object which the target object
- is subordinate to.
-
- If the nearest naming context contains no referral object which
- the target is subordinate to, the server SHOULD process the
- request as appropriate for a nonexistent target (generally return
- noSuchObject).
-
- Case 4: The target object is not held by the server, but the nearest
- naming context contains a referral object which the target object
- is subordinate to.
-
- If a client requests an operation for which the target object is
- not held by the server and the nearest naming context contains a
- referral object which the target object is subordinate to, the
- server SHOULD return a referral response constructed from the URI
- portion of the ref value of the referral object.
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
- Example: If the client issues an add request where the target object
- has a DN of "CN=Manager,OU=Roles,O=MNN,C=WW", the server will
- return:
-
- AddResponse (referral) {
- ldap://hostd/CN=Manager,OU=Roles,O=MNN,C=WW"
- }
-
- Note that the DN part of the LDAP URL is modified such that it
- refers to the appropriate entry in the referenced server.
-
-5.3. Base Object Considerations
-
- This section details referral handling for base object processing
- within search operations. Like target object considerations for
- non-search operations, there are the four cases.
-
- In cases where the URI to be returned is a LDAP URL, the server MUST
- provide an explicit scope specifier from the LDAP URL prior to
- returning it. In addition, the DN part MUST be modified such that it
- refers to the appropriate target in the referenced server (as
- detailed below).
-
- If aliasing dereferencing was necessary in finding the referral
- object, the DN part of the URI MUST be replaced with the base DN as
- modified by the alias dereferencing such that the return URL refers
- to the new target object per [RFC2251, 4.1.11].
-
- Critical extensions MUST NOT be trimmed nor modified.
-
- Case 1: The base object is not held by the server and is not within
- nor subordinate to any naming context held by the server.
-
- The server SHOULD process the request normally as appropriate for
- a non-existent base which not within any naming context of the
- server (generally return a superior referral or noSuchObject).
- This document does not detail management or processing of superior
- knowledge references.
-
- Case 2: The base object is held by the server and is a referral
- object.
-
- The server SHOULD return the URI value contained in the ref
- attribute of the referral object appropriately modified as
- described above.
-
-
-
-
-
-
-Zeilenga Standards Track [Page 8]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
- Example: If the client issues a subtree search in which the base
- object is "OU=Roles,O=MNN,C=WW", the server will return
-
- SearchResultDone (referral) {
- ldap://hostd/OU=Roles,O=MNN,C=WW??sub
- }
-
- If the client were to issue a base or oneLevel search instead of
- subtree, the returned LDAP URL would explicitly specify "base" or
- "one", respectively, instead of "sub".
-
- Case 3: The base object is not held by the server, but the nearest
- naming context contains no referral object which the base object
- is subordinate to.
-
- If the nearest naming context contains no referral object which
- the base is subordinate to, the request SHOULD be processed
- normally as appropriate for a nonexistent base (generally return
- noSuchObject).
-
- Case 4: The base object is not held by the server, but the nearest
- naming context contains a referral object which the base object is
- subordinate to.
-
- If a client requests an operation for which the target object is
- not held by the server and the nearest naming context contains a
- referral object which the target object is subordinate to, the
- server SHOULD return a referral response which is constructed from
- the URI portion of the ref value of the referral object.
-
- Example: If the client issues a base search request for
- "CN=Manager,OU=Roles,O=MNN,C=WW", the server will return
-
- SearchResultDone (referral) {
- ldap://hostd/CN=Manager,OU=Roles,O=MNN,C=WW??base"
- }
-
- If the client were to issue a subtree or oneLevel search instead
- of subtree, the returned LDAP URL would explicitly specify "sub"
- or "one", respectively, instead of "base".
-
- Note that the DN part of the LDAP URL is modified such that it
- refers to the appropriate entry in the referenced server.
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 9]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
-5.4. Search Continuation Considerations
-
- For search operations, once the base object has been found and
- determined not to be a referral object, the search may progress. Any
- entry matching the filter and scope of the search which is not a
- referral object is returned to the client normally as described in
- [RFC2251].
-
- For each referral object within the requested scope, regardless of
- the search filter, the server SHOULD return a SearchResultReference
- which is constructed from the URI component of values of the ref
- attribute. If the URI component is not a LDAP URL, it should be
- returned as is. If the LDAP URL's DN part is absent or empty, the DN
- part must be modified to contain the DN of the referral object. If
- the URI component is a LDAP URL, the URI SHOULD be modified to add an
- explicit scope specifier.
-
- Subtree Example:
-
- If a client requests a subtree search of "O=MNN,C=WW", then in
- addition to any entries within scope which match the filter, hosta
- will also return two search references as the two referral objects
- are within scope. One possible response might be:
-
- SearchEntry for O=MNN,C=WW
- SearchResultReference {
- ldap://hostb/OU=People,O=MNN,C=WW??sub
- ldap://hostc/OU=People,O=MNN,C=WW??sub
- }
- SearchEntry for CN=Manager,O=MNN,C=WW
- SearchResultReference {
- ldap://hostd/OU=Roles,O=MNN,C=WW??sub
- }
- SearchResultDone (success)
-
- One Level Example:
-
- If a client requests a one level search of "O=MNN,C=WW" then, in
- addition to any entries one level below the "O=MNN,C=WW" entry
- matching the filter, the server will also return two search
- references as the two referral objects are within scope. One
- possible sequence is shown:
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 10]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
- SearchResultReference {
- ldap://hostb/OU=People,O=MNN,C=WW??base
- ldap://hostc/OU=People,O=MNN,C=WW??base
- }
- SearchEntry for CN=Manager,O=MNN,C=WW
- SearchResultReference {
- ldap://hostd/OU=Roles,O=MNN,C=WW??base
- }
- SearchResultDone (success)
-
- Note: Unlike the examples in Section 4.5.3.1 of RFC 2251, the LDAP
- URLs returned with the SearchResultReference messages contain, as
- required by this specification, an explicit scope specifier.
-
-5.6. Other Considerations
-
- This section details processing considerations for other operations.
-
-5.6.1 Bind
-
- Servers SHOULD NOT return referral result code if the bind name (or
- authentication identity or authorization identity) is (or is
- subordinate to) a referral object but MAY use the knowledge
- information to process the bind request (such as in support a future
- distributed operation specification). Where the server makes no use
- of the knowledge information, the server processes the request
- normally as appropriate for a non-existent authentication or
- authorization identity (e.g., return invalidCredentials).
-
-5.6.2 Modify DN
-
- If the newSuperior is a referral object or is subordinate to a
- referral object, the server SHOULD return affectsMultipleDSAs. If
- the newRDN already exists but is a referral object, the server SHOULD
- return affectsMultipleDSAs instead of entryAlreadyExists.
-
-6. Security Considerations
-
- This document defines mechanisms that can be used to tie LDAP (and
- other) servers together. The information used to tie services
- together should be protected from unauthorized modification. If the
- server topology information is not public information, it should be
- protected from unauthorized disclosure as well.
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 11]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
-7. Acknowledgments
-
- This document borrows heavily from previous work by IETF LDAPext
- Working Group. In particular, this document is based upon "Named
- Referral in LDAP Directories" (an expired Internet Draft) by
- Christopher Lukas, Tim Howes, Michael Roszkowski, Mark C. Smith, and
- Mark Wahl.
-
-8. Normative References
-
- [RFC2079] Smith, M., "Definition of an X.500 Attribute Type and an
- Object Class to Hold Uniform Resource Identifiers (URIs)",
- RFC 2079, January 1997.
-
- [RFC2119] Bradner, S., "Key Words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
- Access Protocol (v3)", RFC 2251, December 1997.
-
- [RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
- "Lightweight Directory Access Protocol (v3): Attribute
- Syntax Definitions", RFC 2252, December 1997.
-
- [RFC2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory
- Access Protocol (v3): UTF-8 String Representation of
- Distinguished Names", RFC 2253, December 1997.
-
- [RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255,
- December, 1997.
-
- [RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
- Resource Identifiers (URI): Generic Syntax", RFC 2396,
- August 1998.
-
- [X.501] ITU-T, "The Directory: Models", X.501, 1993.
-
-9. Informative References
-
- [X.500] ITU-T, "The Directory: Overview of Concepts, Models, and
- Services", X.500, 1993.
-
- [X.511] ITU-T, "The Directory: Abstract Service Definition", X.500,
- 1997.
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 12]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
-10. Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 13]
-�
-RFC 3296 Named Subordinate References in LDAP Directories July 2002
-
-
-11. Full Copyright Statement
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 14]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4510.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4510.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4510.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga, Ed.
-Request for Comments: 4510 OpenLDAP Foundation
-Obsoletes: 2251, 2252, 2253, 2254, 2255, June 2006
- 2256, 2829, 2830, 3377, 3771
-Category: Standards Track
-
-
- Lightweight Directory Access Protocol (LDAP):
- Technical Specification Road Map
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- The Lightweight Directory Access Protocol (LDAP) is an Internet
- protocol for accessing distributed directory services that act in
- accordance with X.500 data and service models. This document
- provides a road map of the LDAP Technical Specification.
-
-1. The LDAP Technical Specification
-
- The technical specification detailing version 3 of the Lightweight
- Directory Access Protocol (LDAP), an Internet Protocol, consists of
- this document and the following documents:
-
- LDAP: The Protocol [RFC4511]
- LDAP: Directory Information Models [RFC4512]
- LDAP: Authentication Methods and Security Mechanisms [RFC4513]
- LDAP: String Representation of Distinguished Names [RFC4514]
- LDAP: String Representation of Search Filters [RFC4515]
- LDAP: Uniform Resource Locator [RFC4516]
- LDAP: Syntaxes and Matching Rules [RFC4517]
- LDAP: Internationalized String Preparation [RFC4518]
- LDAP: Schema for User Applications [RFC4519]
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4510 LDAP: TS Road Map June 2006
-
-
- The terms "LDAP" and "LDAPv3" are commonly used to refer informally
- to the protocol specified by this technical specification. The LDAP
- suite, as defined here, should be formally identified in other
- documents by a normative reference to this document.
-
- LDAP is an extensible protocol. Extensions to LDAP may be specified
- in other documents. Nomenclature denoting such combinations of
- LDAP-plus-extensions is not defined by this document but may be
- defined in some future document(s). Extensions are expected to be
- truly optional. Considerations for the LDAP extensions described in
- BCP 118, RFC 4521 [RFC4521] fully apply to this revision of the LDAP
- Technical Specification.
-
- IANA (Internet Assigned Numbers Authority) considerations for LDAP
- described in BCP 64, RFC 4520 [RFC4520] apply fully to this revision
- of the LDAP technical specification.
-
-1.1. Conventions
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
-2. Relationship to X.500
-
- This technical specification defines LDAP in terms of [X.500] as an
- X.500 access mechanism. An LDAP server MUST act in accordance with
- the X.500 (1993) series of International Telecommunication Union -
- Telecommunication Standardization (ITU-T) Recommendations when
- providing the service. However, it is not required that an LDAP
- server make use of any X.500 protocols in providing this service.
- For example, LDAP can be mapped onto any other directory system so
- long as the X.500 data and service models [X.501][X.511], as used in
- LDAP, are not violated in the LDAP interface.
-
- This technical specification explicitly incorporates portions of
- X.500(93). Later revisions of X.500 do not automatically apply to
- this technical specification.
-
-3. Relationship to Obsolete Specifications
-
- This technical specification, as defined in Section 1, obsoletes
- entirely the previously defined LDAP technical specification defined
- in RFC 3377 (and consisting of RFCs 2251-2256, 2829, 2830, 3771, and
- 3377 itself). The technical specification was significantly
- reorganized.
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4510 LDAP: TS Road Map June 2006
-
-
- This document replaces RFC 3377 as well as Section 3.3 of RFC 2251.
- [RFC4512] replaces portions of RFC 2251, RFC 2252, and RFC 2256.
- [RFC4511] replaces the majority RFC 2251, portions of RFC 2252, and
- all of RFC 3771. [RFC4513] replaces RFC 2829, RFC 2830, and portions
- of RFC 2251. [RFC4517] replaces the majority of RFC 2252 and
- portions of RFC 2256. [RFC4519] replaces the majority of RFC 2256.
- [RFC4514] replaces RFC 2253. [RFC4515] replaces RFC 2254. [RFC4516]
- replaces RFC 2255.
-
- [RFC4518] is new to this revision of the LDAP technical
- specification.
-
- Each document of this specification contains appendices summarizing
- changes to all sections of the specifications they replace. Appendix
- A.1 of this document details changes made to RFC 3377. Appendix A.2
- of this document details changes made to Section 3.3 of RFC 2251.
-
- Additionally, portions of this technical specification update and/or
- replace a number of other documents not listed above. These
- relationships are discussed in the documents detailing these portions
- of this technical specification.
-
-4. Security Considerations
-
- LDAP security considerations are discussed in each document
- comprising the technical specification.
-
-5. Acknowledgements
-
- This document is based largely on RFC 3377 by J. Hodges and R.
- Morgan, a product of the LDAPBIS and LDAPEXT Working Groups. The
- document also borrows from RFC 2251 by M. Wahl, T. Howes, and S.
- Kille, a product of the ASID Working Group.
-
- This document is a product of the IETF LDAPBIS Working Group.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4510 LDAP: TS Road Map June 2006
-
-
-6. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access
- Protocol (LDAP): Authentication Methods and Security
- Mechanisms", RFC 4513, June 2006.
-
- [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): String Representation of Distinguished
- Names", RFC 4514, June 2006.
-
- [RFC4515] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): String Representation of Search
- Filters", RFC 4515, June 2006.
-
- [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): Uniform Resource Locator", RFC
- 4516, June 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [RFC4518] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Internationalized String Preparation", RFC
- 4518, June 2006.
-
- [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access
- Protocol (LDAP): Schema for User Applications", RFC
- 4519, June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [RFC4521] Zeilenga, K., "Considerations for LDAP Extensions", BCP
- 118, RFC 4521, June 2006.
-
-
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4510 LDAP: TS Road Map June 2006
-
-
- [X.500] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Overview of concepts, models and
- services", X.500(1993) (also ISO/IEC 9594-1:1994).
-
- [X.501] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Models", X.501(1993) (also ISO/IEC 9594-
- 2:1994).
-
- [X.511] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory: Abstract Service Definition", X.511(1993)
- (also ISO/IEC 9594-3:1993).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4510 LDAP: TS Road Map June 2006
-
-
-Appendix A. Changes to Previous Documents
-
- This appendix outlines changes this document makes relative to the
- documents it replaces (in whole or in part).
-
-A.1. Changes to RFC 3377
-
- This document is nearly a complete rewrite of RFC 3377 as much of the
- material of RFC 3377 is no longer applicable. The changes include
- redefining the terms "LDAP" and "LDAPv3" to refer to this revision of
- the technical specification.
-
-A.2. Changes to Section 3.3 of RFC 2251
-
- The section was modified slightly (the word "document" was replaced
- with "technical specification") to clarify that it applies to the
- entire LDAP technical specification.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4510 LDAP: TS Road Map June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 7]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4511.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4511.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4511.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,3811 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Sermersheim, Ed.
-Request for Comments: 4511 Novell, Inc.
-Obsoletes: 2251, 2830, 3771 June 2006
-Category: Standards Track
-
-
- Lightweight Directory Access Protocol (LDAP): The Protocol
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes the protocol elements, along with their
- semantics and encodings, of the Lightweight Directory Access Protocol
- (LDAP). LDAP provides access to distributed directory services that
- act in accordance with X.500 data and service models. These protocol
- elements are based on those described in the X.500 Directory Access
- Protocol (DAP).
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 1.1. Relationship to Other LDAP Specifications ..................3
- 2. Conventions .....................................................3
- 3. Protocol Model ..................................................4
- 3.1. Operation and LDAP Message Layer Relationship ..............5
- 4. Elements of Protocol ............................................5
- 4.1. Common Elements ............................................5
- 4.1.1. Message Envelope ....................................6
- 4.1.2. String Types ........................................7
- 4.1.3. Distinguished Name and Relative Distinguished Name ..8
- 4.1.4. Attribute Descriptions ..............................8
- 4.1.5. Attribute Value .....................................8
- 4.1.6. Attribute Value Assertion ...........................9
- 4.1.7. Attribute and PartialAttribute ......................9
- 4.1.8. Matching Rule Identifier ...........................10
- 4.1.9. Result Message .....................................10
- 4.1.10. Referral ..........................................12
-
-
-
-Sermersheim Standards Track [Page 1]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- 4.1.11. Controls ..........................................14
- 4.2. Bind Operation ............................................16
- 4.2.1. Processing of the Bind Request .....................17
- 4.2.2. Bind Response ......................................18
- 4.3. Unbind Operation ..........................................18
- 4.4. Unsolicited Notification ..................................19
- 4.4.1. Notice of Disconnection ............................19
- 4.5. Search Operation ..........................................20
- 4.5.1. Search Request .....................................20
- 4.5.2. Search Result ......................................27
- 4.5.3. Continuation References in the Search Result .......28
- 4.6. Modify Operation ..........................................31
- 4.7. Add Operation .............................................33
- 4.8. Delete Operation ..........................................34
- 4.9. Modify DN Operation .......................................34
- 4.10. Compare Operation ........................................36
- 4.11. Abandon Operation ........................................36
- 4.12. Extended Operation .......................................37
- 4.13. IntermediateResponse Message .............................39
- 4.13.1. Usage with LDAP ExtendedRequest and
- ExtendedResponse ..................................40
- 4.13.2. Usage with LDAP Request Controls ..................40
- 4.14. StartTLS Operation .......................................40
- 4.14.1. StartTLS Request ..................................40
- 4.14.2. StartTLS Response .................................41
- 4.14.3. Removal of the TLS Layer ..........................41
- 5. Protocol Encoding, Connection, and Transfer ....................42
- 5.1. Protocol Encoding .........................................42
- 5.2. Transmission Control Protocol (TCP) .......................43
- 5.3. Termination of the LDAP session ...........................43
- 6. Security Considerations ........................................43
- 7. Acknowledgements ...............................................45
- 8. Normative References ...........................................46
- 9. Informative References .........................................48
- 10. IANA Considerations ...........................................48
- Appendix A. LDAP Result Codes .....................................49
- A.1. Non-Error Result Codes ....................................49
- A.2. Result Codes ..............................................49
- Appendix B. Complete ASN.1 Definition .............................54
- Appendix C. Changes ...............................................60
- C.1. Changes Made to RFC 2251 ..................................60
- C.2. Changes Made to RFC 2830 ..................................66
- C.3. Changes Made to RFC 3771 ..................................66
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 2]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-1. Introduction
-
- The Directory is "a collection of open systems cooperating to provide
- directory services" [X.500]. A directory user, which may be a human
- or other entity, accesses the Directory through a client (or
- Directory User Agent (DUA)). The client, on behalf of the directory
- user, interacts with one or more servers (or Directory System Agents
- (DSA)). Clients interact with servers using a directory access
- protocol.
-
- This document details the protocol elements of the Lightweight
- Directory Access Protocol (LDAP), along with their semantics.
- Following the description of protocol elements, it describes the way
- in which the protocol elements are encoded and transferred.
-
-1.1. Relationship to Other LDAP Specifications
-
- This document is an integral part of the LDAP Technical Specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification, RFC 3377, in its entirety.
-
- This document, together with [RFC4510], [RFC4513], and [RFC4512],
- obsoletes RFC 2251 in its entirety. Section 3.3 is obsoleted by
- [RFC4510]. Sections 4.2.1 (portions) and 4.2.2 are obsoleted by
- [RFC4513]. Sections 3.2, 3.4, 4.1.3 (last paragraph), 4.1.4, 4.1.5,
- 4.1.5.1, 4.1.9 (last paragraph), 5.1, 6.1, and 6.2 (last paragraph)
- are obsoleted by [RFC4512]. The remainder of RFC 2251 is obsoleted
- by this document. Appendix C.1 summarizes substantive changes in the
- remainder.
-
- This document obsoletes RFC 2830, Sections 2 and 4. The remainder of
- RFC 2830 is obsoleted by [RFC4513]. Appendix C.2 summarizes
- substantive changes to the remaining sections.
-
- This document also obsoletes RFC 3771 in entirety.
-
-2. Conventions
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are
- to be interpreted as described in [RFC2119].
-
- Character names in this document use the notation for code points and
- names from the Unicode Standard [Unicode]. For example, the letter
- "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 3]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Note: a glossary of terms used in Unicode can be found in [Glossary].
- Information on the Unicode character encoding model can be found in
- [CharModel].
-
- The term "transport connection" refers to the underlying transport
- services used to carry the protocol exchange, as well as associations
- established by these services.
-
- The term "TLS layer" refers to Transport Layer Security (TLS)
- services used in providing security services, as well as associations
- established by these services.
-
- The term "SASL layer" refers to Simply Authentication and Security
- Layer (SASL) services used in providing security services, as well as
- associations established by these services.
-
- The term "LDAP message layer" refers to the LDAP Message Protocol
- Data Unit (PDU) services used in providing directory services, as
- well as associations established by these services.
-
- The term "LDAP session" refers to combined services (transport
- connection, TLS layer, SASL layer, LDAP message layer) and their
- associations.
-
- See the table in Section 5 for an illustration of these four terms.
-
-3. Protocol Model
-
- The general model adopted by this protocol is one of clients
- performing protocol operations against servers. In this model, a
- client transmits a protocol request describing the operation to be
- performed to a server. The server is then responsible for performing
- the necessary operation(s) in the Directory. Upon completion of an
- operation, the server typically returns a response containing
- appropriate data to the requesting client.
-
- Protocol operations are generally independent of one another. Each
- operation is processed as an atomic action, leaving the directory in
- a consistent state.
-
- Although servers are required to return responses whenever such
- responses are defined in the protocol, there is no requirement for
- synchronous behavior on the part of either clients or servers.
- Requests and responses for multiple operations generally may be
- exchanged between a client and server in any order. If required,
- synchronous behavior may be controlled by client applications.
-
-
-
-
-
-Sermersheim Standards Track [Page 4]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- The core protocol operations defined in this document can be mapped
- to a subset of the X.500 (1993) Directory Abstract Service [X.511].
- However, there is not a one-to-one mapping between LDAP operations
- and X.500 Directory Access Protocol (DAP) operations. Server
- implementations acting as a gateway to X.500 directories may need to
- make multiple DAP requests to service a single LDAP request.
-
-3.1. Operation and LDAP Message Layer Relationship
-
- Protocol operations are exchanged at the LDAP message layer. When
- the transport connection is closed, any uncompleted operations at the
- LDAP message layer are abandoned (when possible) or are completed
- without transmission of the response (when abandoning them is not
- possible). Also, when the transport connection is closed, the client
- MUST NOT assume that any uncompleted update operations have succeeded
- or failed.
-
-4. Elements of Protocol
-
- The protocol is described using Abstract Syntax Notation One
- ([ASN.1]) and is transferred using a subset of ASN.1 Basic Encoding
- Rules ([BER]). Section 5 specifies how the protocol elements are
- encoded and transferred.
-
- In order to support future extensions to this protocol, extensibility
- is implied where it is allowed per ASN.1 (i.e., sequence, set,
- choice, and enumerated types are extensible). In addition, ellipses
- (...) have been supplied in ASN.1 types that are explicitly
- extensible as discussed in [RFC4520]. Because of the implied
- extensibility, clients and servers MUST (unless otherwise specified)
- ignore trailing SEQUENCE components whose tags they do not recognize.
-
- Changes to the protocol other than through the extension mechanisms
- described here require a different version number. A client
- indicates the version it is using as part of the BindRequest,
- described in Section 4.2. If a client has not sent a Bind, the
- server MUST assume the client is using version 3 or later.
-
- Clients may attempt to determine the protocol versions a server
- supports by reading the 'supportedLDAPVersion' attribute from the
- root DSE (DSA-Specific Entry) [RFC4512].
-
-4.1. Common Elements
-
- This section describes the LDAPMessage envelope Protocol Data Unit
- (PDU) format, as well as data type definitions, which are used in the
- protocol operations.
-
-
-
-
-Sermersheim Standards Track [Page 5]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-4.1.1. Message Envelope
-
- For the purposes of protocol exchanges, all protocol operations are
- encapsulated in a common envelope, the LDAPMessage, which is defined
- as follows:
-
- LDAPMessage ::= SEQUENCE {
- messageID MessageID,
- protocolOp CHOICE {
- bindRequest BindRequest,
- bindResponse BindResponse,
- unbindRequest UnbindRequest,
- searchRequest SearchRequest,
- searchResEntry SearchResultEntry,
- searchResDone SearchResultDone,
- searchResRef SearchResultReference,
- modifyRequest ModifyRequest,
- modifyResponse ModifyResponse,
- addRequest AddRequest,
- addResponse AddResponse,
- delRequest DelRequest,
- delResponse DelResponse,
- modDNRequest ModifyDNRequest,
- modDNResponse ModifyDNResponse,
- compareRequest CompareRequest,
- compareResponse CompareResponse,
- abandonRequest AbandonRequest,
- extendedReq ExtendedRequest,
- extendedResp ExtendedResponse,
- ...,
- intermediateResponse IntermediateResponse },
- controls [0] Controls OPTIONAL }
-
- MessageID ::= INTEGER (0 .. maxInt)
-
- maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
-
- The ASN.1 type Controls is defined in Section 4.1.11.
-
- The function of the LDAPMessage is to provide an envelope containing
- common fields required in all protocol exchanges. At this time, the
- only common fields are the messageID and the controls.
-
- If the server receives an LDAPMessage from the client in which the
- LDAPMessage SEQUENCE tag cannot be recognized, the messageID cannot
- be parsed, the tag of the protocolOp is not recognized as a request,
- or the encoding structures or lengths of data fields are found to be
- incorrect, then the server SHOULD return the Notice of Disconnection
-
-
-
-Sermersheim Standards Track [Page 6]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- described in Section 4.4.1, with the resultCode set to protocolError,
- and MUST immediately terminate the LDAP session as described in
- Section 5.3.
-
- In other cases where the client or server cannot parse an LDAP PDU,
- it SHOULD abruptly terminate the LDAP session (Section 5.3) where
- further communication (including providing notice) would be
- pernicious. Otherwise, server implementations MUST return an
- appropriate response to the request, with the resultCode set to
- protocolError.
-
-4.1.1.1. MessageID
-
- All LDAPMessage envelopes encapsulating responses contain the
- messageID value of the corresponding request LDAPMessage.
-
- The messageID of a request MUST have a non-zero value different from
- the messageID of any other request in progress in the same LDAP
- session. The zero value is reserved for the unsolicited notification
- message.
-
- Typical clients increment a counter for each request.
-
- A client MUST NOT send a request with the same messageID as an
- earlier request in the same LDAP session unless it can be determined
- that the server is no longer servicing the earlier request (e.g.,
- after the final response is received, or a subsequent Bind
- completes). Otherwise, the behavior is undefined. For this purpose,
- note that Abandon and successfully abandoned operations do not send
- responses.
-
-4.1.2. String Types
-
- The LDAPString is a notational convenience to indicate that, although
- strings of LDAPString type encode as ASN.1 OCTET STRING types, the
- [ISO10646] character set (a superset of [Unicode]) is used, encoded
- following the UTF-8 [RFC3629] algorithm. Note that Unicode
- characters U+0000 through U+007F are the same as ASCII 0 through 127,
- respectively, and have the same single octet UTF-8 encoding. Other
- Unicode characters have a multiple octet UTF-8 encoding.
-
- LDAPString ::= OCTET STRING -- UTF-8 encoded,
- -- [ISO10646] characters
-
- The LDAPOID is a notational convenience to indicate that the
- permitted value of this string is a (UTF-8 encoded) dotted-decimal
- representation of an OBJECT IDENTIFIER. Although an LDAPOID is
-
-
-
-
-Sermersheim Standards Track [Page 7]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- encoded as an OCTET STRING, values are limited to the definition of
- <numericoid> given in Section 1.4 of [RFC4512].
-
- LDAPOID ::= OCTET STRING -- Constrained to <numericoid>
- -- [RFC4512]
-
- For example,
-
- 1.3.6.1.4.1.1466.1.2.3
-
-4.1.3. Distinguished Name and Relative Distinguished Name
-
- An LDAPDN is defined to be the representation of a Distinguished Name
- (DN) after encoding according to the specification in [RFC4514].
-
- LDAPDN ::= LDAPString
- -- Constrained to <distinguishedName> [RFC4514]
-
- A RelativeLDAPDN is defined to be the representation of a Relative
- Distinguished Name (RDN) after encoding according to the
- specification in [RFC4514].
-
- RelativeLDAPDN ::= LDAPString
- -- Constrained to <name-component> [RFC4514]
-
-4.1.4. Attribute Descriptions
-
- The definition and encoding rules for attribute descriptions are
- defined in Section 2.5 of [RFC4512]. Briefly, an attribute
- description is an attribute type and zero or more options.
-
- AttributeDescription ::= LDAPString
- -- Constrained to <attributedescription>
- -- [RFC4512]
-
-4.1.5. Attribute Value
-
- A field of type AttributeValue is an OCTET STRING containing an
- encoded attribute value. The attribute value is encoded according to
- the LDAP-specific encoding definition of its corresponding syntax.
- The LDAP-specific encoding definitions for different syntaxes and
- attribute types may be found in other documents and in particular
- [RFC4517].
-
- AttributeValue ::= OCTET STRING
-
-
-
-
-
-
-Sermersheim Standards Track [Page 8]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Note that there is no defined limit on the size of this encoding;
- thus, protocol values may include multi-megabyte attribute values
- (e.g., photographs).
-
- Attribute values may be defined that have arbitrary and non-printable
- syntax. Implementations MUST NOT display or attempt to decode an
- attribute value if its syntax is not known. The implementation may
- attempt to discover the subschema of the source entry and to retrieve
- the descriptions of 'attributeTypes' from it [RFC4512].
-
- Clients MUST only send attribute values in a request that are valid
- according to the syntax defined for the attributes.
-
-4.1.6. Attribute Value Assertion
-
- The AttributeValueAssertion (AVA) type definition is similar to the
- one in the X.500 Directory standards. It contains an attribute
- description and a matching rule ([RFC4512], Section 4.1.3) assertion
- value suitable for that type. Elements of this type are typically
- used to assert that the value in assertionValue matches a value of an
- attribute.
-
- AttributeValueAssertion ::= SEQUENCE {
- attributeDesc AttributeDescription,
- assertionValue AssertionValue }
-
- AssertionValue ::= OCTET STRING
-
- The syntax of the AssertionValue depends on the context of the LDAP
- operation being performed. For example, the syntax of the EQUALITY
- matching rule for an attribute is used when performing a Compare
- operation. Often this is the same syntax used for values of the
- attribute type, but in some cases the assertion syntax differs from
- the value syntax. See objectIdentiferFirstComponentMatch in
- [RFC4517] for an example.
-
-4.1.7. Attribute and PartialAttribute
-
- Attributes and partial attributes consist of an attribute description
- and attribute values. A PartialAttribute allows zero values, while
- Attribute requires at least one value.
-
- PartialAttribute ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF value AttributeValue }
-
-
-
-
-
-
-Sermersheim Standards Track [Page 9]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Attribute ::= PartialAttribute(WITH COMPONENTS {
- ...,
- vals (SIZE(1..MAX))})
-
- No two of the attribute values may be equivalent as described by
- Section 2.2 of [RFC4512]. The set of attribute values is unordered.
- Implementations MUST NOT rely upon the ordering being repeatable.
-
-4.1.8. Matching Rule Identifier
-
- Matching rules are defined in Section 4.1.3 of [RFC4512]. A matching
- rule is identified in the protocol by the printable representation of
- either its <numericoid> or one of its short name descriptors
- [RFC4512], e.g., 'caseIgnoreMatch' or '2.5.13.2'.
-
- MatchingRuleId ::= LDAPString
-
-4.1.9. Result Message
-
- The LDAPResult is the construct used in this protocol to return
- success or failure indications from servers to clients. To various
- requests, servers will return responses containing the elements found
- in LDAPResult to indicate the final status of the protocol operation
- request.
-
- LDAPResult ::= SEQUENCE {
- resultCode ENUMERATED {
- success (0),
- operationsError (1),
- protocolError (2),
- timeLimitExceeded (3),
- sizeLimitExceeded (4),
- compareFalse (5),
- compareTrue (6),
- authMethodNotSupported (7),
- strongerAuthRequired (8),
- -- 9 reserved --
- referral (10),
- adminLimitExceeded (11),
- unavailableCriticalExtension (12),
- confidentialityRequired (13),
- saslBindInProgress (14),
- noSuchAttribute (16),
- undefinedAttributeType (17),
- inappropriateMatching (18),
- constraintViolation (19),
- attributeOrValueExists (20),
- invalidAttributeSyntax (21),
-
-
-
-Sermersheim Standards Track [Page 10]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- -- 22-31 unused --
- noSuchObject (32),
- aliasProblem (33),
- invalidDNSyntax (34),
- -- 35 reserved for undefined isLeaf --
- aliasDereferencingProblem (36),
- -- 37-47 unused --
- inappropriateAuthentication (48),
- invalidCredentials (49),
- insufficientAccessRights (50),
- busy (51),
- unavailable (52),
- unwillingToPerform (53),
- loopDetect (54),
- -- 55-63 unused --
- namingViolation (64),
- objectClassViolation (65),
- notAllowedOnNonLeaf (66),
- notAllowedOnRDN (67),
- entryAlreadyExists (68),
- objectClassModsProhibited (69),
- -- 70 reserved for CLDAP --
- affectsMultipleDSAs (71),
- -- 72-79 unused --
- other (80),
- ... },
- matchedDN LDAPDN,
- diagnosticMessage LDAPString,
- referral [3] Referral OPTIONAL }
-
- The resultCode enumeration is extensible as defined in Section 3.8 of
- [RFC4520]. The meanings of the listed result codes are given in
- Appendix A. If a server detects multiple errors for an operation,
- only one result code is returned. The server should return the
- result code that best indicates the nature of the error encountered.
- Servers may return substituted result codes to prevent unauthorized
- disclosures.
-
- The diagnosticMessage field of this construct may, at the server's
- option, be used to return a string containing a textual, human-
- readable diagnostic message (terminal control and page formatting
- characters should be avoided). As this diagnostic message is not
- standardized, implementations MUST NOT rely on the values returned.
- Diagnostic messages typically supplement the resultCode with
- additional information. If the server chooses not to return a
- textual diagnostic, the diagnosticMessage field MUST be empty.
-
-
-
-
-
-Sermersheim Standards Track [Page 11]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- For certain result codes (typically, but not restricted to
- noSuchObject, aliasProblem, invalidDNSyntax, and
- aliasDereferencingProblem), the matchedDN field is set (subject to
- access controls) to the name of the last entry (object or alias) used
- in finding the target (or base) object. This will be a truncated
- form of the provided name or, if an alias was dereferenced while
- attempting to locate the entry, of the resulting name. Otherwise,
- the matchedDN field is empty.
-
-4.1.10. Referral
-
- The referral result code indicates that the contacted server cannot
- or will not perform the operation and that one or more other servers
- may be able to. Reasons for this include:
-
- - The target entry of the request is not held locally, but the server
- has knowledge of its possible existence elsewhere.
-
- - The operation is restricted on this server -- perhaps due to a
- read-only copy of an entry to be modified.
-
- The referral field is present in an LDAPResult if the resultCode is
- set to referral, and it is absent with all other result codes. It
- contains one or more references to one or more servers or services
- that may be accessed via LDAP or other protocols. Referrals can be
- returned in response to any operation request (except Unbind and
- Abandon, which do not have responses). At least one URI MUST be
- present in the Referral.
-
- During a Search operation, after the baseObject is located, and
- entries are being evaluated, the referral is not returned. Instead,
- continuation references, described in Section 4.5.3, are returned
- when other servers would need to be contacted to complete the
- operation.
-
- Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI
-
- URI ::= LDAPString -- limited to characters permitted in
- -- URIs
-
- If the client wishes to progress the operation, it contacts one of
- the supported services found in the referral. If multiple URIs are
- present, the client assumes that any supported URI may be used to
- progress the operation.
-
- Clients that follow referrals MUST ensure that they do not loop
- between servers. They MUST NOT repeatedly contact the same server
- for the same request with the same parameters. Some clients use a
-
-
-
-Sermersheim Standards Track [Page 12]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- counter that is incremented each time referral handling occurs for an
- operation, and these kinds of clients MUST be able to handle at least
- ten nested referrals while progressing the operation.
-
- A URI for a server implementing LDAP and accessible via TCP/IP (v4 or
- v6) [RFC793][RFC791] is written as an LDAP URL according to
- [RFC4516].
-
- Referral values that are LDAP URLs follow these rules:
-
- - If an alias was dereferenced, the <dn> part of the LDAP URL MUST be
- present, with the new target object name.
-
- - It is RECOMMENDED that the <dn> part be present to avoid ambiguity.
-
- - If the <dn> part is present, the client uses this name in its next
- request to progress the operation, and if it is not present the
- client uses the same name as in the original request.
-
- - Some servers (e.g., participating in distributed indexing) may
- provide a different filter in a URL of a referral for a Search
- operation.
-
- - If the <filter> part of the LDAP URL is present, the client uses
- this filter in its next request to progress this Search, and if it
- is not present the client uses the same filter as it used for that
- Search.
-
- - For Search, it is RECOMMENDED that the <scope> part be present to
- avoid ambiguity.
-
- - If the <scope> part is missing, the scope of the original Search is
- used by the client to progress the operation.
-
- - Other aspects of the new request may be the same as or different
- from the request that generated the referral.
-
- Other kinds of URIs may be returned. The syntax and semantics of
- such URIs is left to future specifications. Clients may ignore URIs
- that they do not support.
-
- UTF-8 encoded characters appearing in the string representation of a
- DN, search filter, or other fields of the referral value may not be
- legal for URIs (e.g., spaces) and MUST be escaped using the % method
- in [RFC3986].
-
-
-
-
-
-
-Sermersheim Standards Track [Page 13]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-4.1.11. Controls
-
- Controls provide a mechanism whereby the semantics and arguments of
- existing LDAP operations may be extended. One or more controls may
- be attached to a single LDAP message. A control only affects the
- semantics of the message it is attached to.
-
- Controls sent by clients are termed 'request controls', and those
- sent by servers are termed 'response controls'.
-
- Controls ::= SEQUENCE OF control Control
-
- Control ::= SEQUENCE {
- controlType LDAPOID,
- criticality BOOLEAN DEFAULT FALSE,
- controlValue OCTET STRING OPTIONAL }
-
- The controlType field is the dotted-decimal representation of an
- OBJECT IDENTIFIER that uniquely identifies the control. This
- provides unambiguous naming of controls. Often, response control(s)
- solicited by a request control share controlType values with the
- request control.
-
- The criticality field only has meaning in controls attached to
- request messages (except UnbindRequest). For controls attached to
- response messages and the UnbindRequest, the criticality field SHOULD
- be FALSE, and MUST be ignored by the receiving protocol peer. A
- value of TRUE indicates that it is unacceptable to perform the
- operation without applying the semantics of the control.
- Specifically, the criticality field is applied as follows:
-
- - If the server does not recognize the control type, determines that
- it is not appropriate for the operation, or is otherwise unwilling
- to perform the operation with the control, and if the criticality
- field is TRUE, the server MUST NOT perform the operation, and for
- operations that have a response message, it MUST return with the
- resultCode set to unavailableCriticalExtension.
-
- - If the server does not recognize the control type, determines that
- it is not appropriate for the operation, or is otherwise unwilling
- to perform the operation with the control, and if the criticality
- field is FALSE, the server MUST ignore the control.
-
- - Regardless of criticality, if a control is applied to an
- operation, it is applied consistently and impartially to the
- entire operation.
-
-
-
-
-
-Sermersheim Standards Track [Page 14]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- The controlValue may contain information associated with the
- controlType. Its format is defined by the specification of the
- control. Implementations MUST be prepared to handle arbitrary
- contents of the controlValue octet string, including zero bytes. It
- is absent only if there is no value information that is associated
- with a control of its type. When a controlValue is defined in terms
- of ASN.1, and BER-encoded according to Section 5.1, it also follows
- the extensibility rules in Section 4.
-
- Servers list the controlType of request controls they recognize in
- the 'supportedControl' attribute in the root DSE (Section 5.1 of
- [RFC4512]).
-
- Controls SHOULD NOT be combined unless the semantics of the
- combination has been specified. The semantics of control
- combinations, if specified, are generally found in the control
- specification most recently published. When a combination of
- controls is encountered whose semantics are invalid, not specified
- (or not known), the message is considered not well-formed; thus, the
- operation fails with protocolError. Controls with a criticality of
- FALSE may be ignored in order to arrive at a valid combination.
- Additionally, unless order-dependent semantics are given in a
- specification, the order of a combination of controls in the SEQUENCE
- is ignored. Where the order is to be ignored but cannot be ignored
- by the server, the message is considered not well-formed, and the
- operation fails with protocolError. Again, controls with a
- criticality of FALSE may be ignored in order to arrive at a valid
- combination.
-
- This document does not specify any controls. Controls may be
- specified in other documents. Documents detailing control extensions
- are to provide for each control:
-
- - the OBJECT IDENTIFIER assigned to the control,
-
- - direction as to what value the sender should provide for the
- criticality field (note: the semantics of the criticality field are
- defined above should not be altered by the control's
- specification),
-
- - whether the controlValue field is present, and if so, the format of
- its contents,
-
- - the semantics of the control, and
-
- - optionally, semantics regarding the combination of the control with
- other controls.
-
-
-
-
-Sermersheim Standards Track [Page 15]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-4.2. Bind Operation
-
- The function of the Bind operation is to allow authentication
- information to be exchanged between the client and server. The Bind
- operation should be thought of as the "authenticate" operation.
- Operational, authentication, and security-related semantics of this
- operation are given in [RFC4513].
-
- The Bind request is defined as follows:
-
- BindRequest ::= [APPLICATION 0] SEQUENCE {
- version INTEGER (1 .. 127),
- name LDAPDN,
- authentication AuthenticationChoice }
-
- AuthenticationChoice ::= CHOICE {
- simple [0] OCTET STRING,
- -- 1 and 2 reserved
- sasl [3] SaslCredentials,
- ... }
-
- SaslCredentials ::= SEQUENCE {
- mechanism LDAPString,
- credentials OCTET STRING OPTIONAL }
-
- Fields of the BindRequest are:
-
- - version: A version number indicating the version of the protocol to
- be used at the LDAP message layer. This document describes version
- 3 of the protocol. There is no version negotiation. The client
- sets this field to the version it desires. If the server does not
- support the specified version, it MUST respond with a BindResponse
- where the resultCode is set to protocolError.
-
- - name: If not empty, the name of the Directory object that the
- client wishes to bind as. This field may take on a null value (a
- zero-length string) for the purposes of anonymous binds ([RFC4513],
- Section 5.1) or when using SASL [RFC4422] authentication
- ([RFC4513], Section 5.2). Where the server attempts to locate the
- named object, it SHALL NOT perform alias dereferencing.
-
- - authentication: Information used in authentication. This type is
- extensible as defined in Section 3.7 of [RFC4520]. Servers that do
- not support a choice supplied by a client return a BindResponse
- with the resultCode set to authMethodNotSupported.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 16]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Textual passwords (consisting of a character sequence with a known
- character set and encoding) transferred to the server using the
- simple AuthenticationChoice SHALL be transferred as UTF-8 [RFC3629]
- encoded [Unicode]. Prior to transfer, clients SHOULD prepare text
- passwords as "query" strings by applying the SASLprep [RFC4013]
- profile of the stringprep [RFC3454] algorithm. Passwords
- consisting of other data (such as random octets) MUST NOT be
- altered. The determination of whether a password is textual is a
- local client matter.
-
-4.2.1. Processing of the Bind Request
-
- Before processing a BindRequest, all uncompleted operations MUST
- either complete or be abandoned. The server may either wait for the
- uncompleted operations to complete, or abandon them. The server then
- proceeds to authenticate the client in either a single-step or
- multi-step Bind process. Each step requires the server to return a
- BindResponse to indicate the status of authentication.
-
- After sending a BindRequest, clients MUST NOT send further LDAP PDUs
- until receiving the BindResponse. Similarly, servers SHOULD NOT
- process or respond to requests received while processing a
- BindRequest.
-
- If the client did not bind before sending a request and receives an
- operationsError to that request, it may then send a BindRequest. If
- this also fails or the client chooses not to bind on the existing
- LDAP session, it may terminate the LDAP session, re-establish it, and
- begin again by first sending a BindRequest. This will aid in
- interoperating with servers implementing other versions of LDAP.
-
- Clients may send multiple Bind requests to change the authentication
- and/or security associations or to complete a multi-stage Bind
- process. Authentication from earlier binds is subsequently ignored.
-
- For some SASL authentication mechanisms, it may be necessary for the
- client to invoke the BindRequest multiple times ([RFC4513], Section
- 5.2). Clients MUST NOT invoke operations between two Bind requests
- made as part of a multi-stage Bind.
-
- A client may abort a SASL bind negotiation by sending a BindRequest
- with a different value in the mechanism field of SaslCredentials, or
- an AuthenticationChoice other than sasl.
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 17]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- If the client sends a BindRequest with the sasl mechanism field as an
- empty string, the server MUST return a BindResponse with the
- resultCode set to authMethodNotSupported. This will allow the client
- to abort a negotiation if it wishes to try again with the same SASL
- mechanism.
-
-4.2.2. Bind Response
-
- The Bind response is defined as follows.
-
- BindResponse ::= [APPLICATION 1] SEQUENCE {
- COMPONENTS OF LDAPResult,
- serverSaslCreds [7] OCTET STRING OPTIONAL }
-
- BindResponse consists simply of an indication from the server of the
- status of the client's request for authentication.
-
- A successful Bind operation is indicated by a BindResponse with a
- resultCode set to success. Otherwise, an appropriate result code is
- set in the BindResponse. For BindResponse, the protocolError result
- code may be used to indicate that the version number supplied by the
- client is unsupported.
-
- If the client receives a BindResponse where the resultCode is set to
- protocolError, it is to assume that the server does not support this
- version of LDAP. While the client may be able proceed with another
- version of this protocol (which may or may not require closing and
- re-establishing the transport connection), how to proceed with
- another version of this protocol is beyond the scope of this
- document. Clients that are unable or unwilling to proceed SHOULD
- terminate the LDAP session.
-
- The serverSaslCreds field is used as part of a SASL-defined bind
- mechanism to allow the client to authenticate the server to which it
- is communicating, or to perform "challenge-response" authentication.
- If the client bound with the simple choice, or the SASL mechanism
- does not require the server to return information to the client, then
- this field SHALL NOT be included in the BindResponse.
-
-4.3. Unbind Operation
-
- The function of the Unbind operation is to terminate an LDAP session.
- The Unbind operation is not the antithesis of the Bind operation as
- the name implies. The naming of these operations are historical.
- The Unbind operation should be thought of as the "quit" operation.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 18]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- The Unbind operation is defined as follows:
-
- UnbindRequest ::= [APPLICATION 2] NULL
-
- The client, upon transmission of the UnbindRequest, and the server,
- upon receipt of the UnbindRequest, are to gracefully terminate the
- LDAP session as described in Section 5.3. Uncompleted operations are
- handled as specified in Section 3.1.
-
-4.4. Unsolicited Notification
-
- An unsolicited notification is an LDAPMessage sent from the server to
- the client that is not in response to any LDAPMessage received by the
- server. It is used to signal an extraordinary condition in the
- server or in the LDAP session between the client and the server. The
- notification is of an advisory nature, and the server will not expect
- any response to be returned from the client.
-
- The unsolicited notification is structured as an LDAPMessage in which
- the messageID is zero and protocolOp is set to the extendedResp
- choice using the ExtendedResponse type (See Section 4.12). The
- responseName field of the ExtendedResponse always contains an LDAPOID
- that is unique for this notification.
-
- One unsolicited notification (Notice of Disconnection) is defined in
- this document. The specification of an unsolicited notification
- consists of:
-
- - the OBJECT IDENTIFIER assigned to the notification (to be specified
- in the responseName,
-
- - the format of the contents of the responseValue (if any),
-
- - the circumstances which will cause the notification to be sent, and
-
- - the semantics of the message.
-
-4.4.1. Notice of Disconnection
-
- This notification may be used by the server to advise the client that
- the server is about to terminate the LDAP session on its own
- initiative. This notification is intended to assist clients in
- distinguishing between an exceptional server condition and a
- transient network failure. Note that this notification is not a
- response to an Unbind requested by the client. Uncompleted
- operations are handled as specified in Section 3.1.
-
-
-
-
-
-Sermersheim Standards Track [Page 19]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- The responseName is 1.3.6.1.4.1.1466.20036, the responseValue field
- is absent, and the resultCode is used to indicate the reason for the
- disconnection. When the strongerAuthRequired resultCode is returned
- with this message, it indicates that the server has detected that an
- established security association between the client and server has
- unexpectedly failed or been compromised.
-
- Upon transmission of the Notice of Disconnection, the server
- gracefully terminates the LDAP session as described in Section 5.3.
-
-4.5. Search Operation
-
- The Search operation is used to request a server to return, subject
- to access controls and other restrictions, a set of entries matching
- a complex search criterion. This can be used to read attributes from
- a single entry, from entries immediately subordinate to a particular
- entry, or from a whole subtree of entries.
-
-4.5.1. Search Request
-
- The Search request is defined as follows:
-
- SearchRequest ::= [APPLICATION 3] SEQUENCE {
- baseObject LDAPDN,
- scope ENUMERATED {
- baseObject (0),
- singleLevel (1),
- wholeSubtree (2),
- ... },
- derefAliases ENUMERATED {
- neverDerefAliases (0),
- derefInSearching (1),
- derefFindingBaseObj (2),
- derefAlways (3) },
- sizeLimit INTEGER (0 .. maxInt),
- timeLimit INTEGER (0 .. maxInt),
- typesOnly BOOLEAN,
- filter Filter,
- attributes AttributeSelection }
-
- AttributeSelection ::= SEQUENCE OF selector LDAPString
- -- The LDAPString is constrained to
- -- <attributeSelector> in Section 4.5.1.8
-
- Filter ::= CHOICE {
- and [0] SET SIZE (1..MAX) OF filter Filter,
- or [1] SET SIZE (1..MAX) OF filter Filter,
- not [2] Filter,
-
-
-
-Sermersheim Standards Track [Page 20]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeDescription,
- approxMatch [8] AttributeValueAssertion,
- extensibleMatch [9] MatchingRuleAssertion,
- ... }
-
- SubstringFilter ::= SEQUENCE {
- type AttributeDescription,
- substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE {
- initial [0] AssertionValue, -- can occur at most once
- any [1] AssertionValue,
- final [2] AssertionValue } -- can occur at most once
- }
-
- MatchingRuleAssertion ::= SEQUENCE {
- matchingRule [1] MatchingRuleId OPTIONAL,
- type [2] AttributeDescription OPTIONAL,
- matchValue [3] AssertionValue,
- dnAttributes [4] BOOLEAN DEFAULT FALSE }
-
- Note that an X.500 "list"-like operation can be emulated by the
- client requesting a singleLevel Search operation with a filter
- checking for the presence of the 'objectClass' attribute, and that an
- X.500 "read"-like operation can be emulated by a baseObject Search
- operation with the same filter. A server that provides a gateway to
- X.500 is not required to use the Read or List operations, although it
- may choose to do so, and if it does, it must provide the same
- semantics as the X.500 Search operation.
-
-4.5.1.1. SearchRequest.baseObject
-
- The name of the base object entry (or possibly the root) relative to
- which the Search is to be performed.
-
-4.5.1.2. SearchRequest.scope
-
- Specifies the scope of the Search to be performed. The semantics (as
- described in [X.511]) of the defined values of this field are:
-
- baseObject: The scope is constrained to the entry named by
- baseObject.
-
- singleLevel: The scope is constrained to the immediate
- subordinates of the entry named by baseObject.
-
-
-
-
-Sermersheim Standards Track [Page 21]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- wholeSubtree: The scope is constrained to the entry named by
- baseObject and to all its subordinates.
-
-4.5.1.3. SearchRequest.derefAliases
-
- An indicator as to whether or not alias entries (as defined in
- [RFC4512]) are to be dereferenced during stages of the Search
- operation.
-
- The act of dereferencing an alias includes recursively dereferencing
- aliases that refer to aliases.
-
- Servers MUST detect looping while dereferencing aliases in order to
- prevent denial-of-service attacks of this nature.
-
- The semantics of the defined values of this field are:
-
- neverDerefAliases: Do not dereference aliases in searching or in
- locating the base object of the Search.
-
- derefInSearching: While searching subordinates of the base object,
- dereference any alias within the search scope. Dereferenced
- objects become the vertices of further search scopes where the
- Search operation is also applied. If the search scope is
- wholeSubtree, the Search continues in the subtree(s) of any
- dereferenced object. If the search scope is singleLevel, the
- search is applied to any dereferenced objects and is not applied
- to their subordinates. Servers SHOULD eliminate duplicate entries
- that arise due to alias dereferencing while searching.
-
- derefFindingBaseObj: Dereference aliases in locating the base
- object of the Search, but not when searching subordinates of the
- base object.
-
- derefAlways: Dereference aliases both in searching and in locating
- the base object of the Search.
-
-4.5.1.4. SearchRequest.sizeLimit
-
- A size limit that restricts the maximum number of entries to be
- returned as a result of the Search. A value of zero in this field
- indicates that no client-requested size limit restrictions are in
- effect for the Search. Servers may also enforce a maximum number of
- entries to return.
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 22]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-4.5.1.5. SearchRequest.timeLimit
-
- A time limit that restricts the maximum time (in seconds) allowed for
- a Search. A value of zero in this field indicates that no client-
- requested time limit restrictions are in effect for the Search.
- Servers may also enforce a maximum time limit for the Search.
-
-4.5.1.6. SearchRequest.typesOnly
-
- An indicator as to whether Search results are to contain both
- attribute descriptions and values, or just attribute descriptions.
- Setting this field to TRUE causes only attribute descriptions (and
- not values) to be returned. Setting this field to FALSE causes both
- attribute descriptions and values to be returned.
-
-4.5.1.7. SearchRequest.filter
-
- A filter that defines the conditions that must be fulfilled in order
- for the Search to match a given entry.
-
- The 'and', 'or', and 'not' choices can be used to form combinations
- of filters. At least one filter element MUST be present in an 'and'
- or 'or' choice. The others match against individual attribute values
- of entries in the scope of the Search. (Implementor's note: the
- 'not' filter is an example of a tagged choice in an implicitly-tagged
- module. In BER this is treated as if the tag were explicit.)
-
- A server MUST evaluate filters according to the three-valued logic of
- [X.511] (1993), Clause 7.8.1. In summary, a filter is evaluated to
- "TRUE", "FALSE", or "Undefined". If the filter evaluates to TRUE for
- a particular entry, then the attributes of that entry are returned as
- part of the Search result (subject to any applicable access control
- restrictions). If the filter evaluates to FALSE or Undefined, then
- the entry is ignored for the Search.
-
- A filter of the "and" choice is TRUE if all the filters in the SET OF
- evaluate to TRUE, FALSE if at least one filter is FALSE, and
- Undefined otherwise. A filter of the "or" choice is FALSE if all the
- filters in the SET OF evaluate to FALSE, TRUE if at least one filter
- is TRUE, and Undefined otherwise. A filter of the 'not' choice is
- TRUE if the filter being negated is FALSE, FALSE if it is TRUE, and
- Undefined if it is Undefined.
-
- A filter item evaluates to Undefined when the server would not be
- able to determine whether the assertion value matches an entry.
- Examples include:
-
-
-
-
-
-Sermersheim Standards Track [Page 23]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- - An attribute description in an equalityMatch, substrings,
- greaterOrEqual, lessOrEqual, approxMatch, or extensibleMatch filter
- is not recognized by the server.
-
- - The attribute type does not define the appropriate matching rule.
-
- - A MatchingRuleId in the extensibleMatch is not recognized by the
- server or is not valid for the attribute type.
-
- - The type of filtering requested is not implemented.
-
- - The assertion value is invalid.
-
- For example, if a server did not recognize the attribute type
- shoeSize, the filters (shoeSize=*), (shoeSize=12), (shoeSize>=12),
- and (shoeSize<=12) would each evaluate to Undefined.
-
- Servers MUST NOT return errors if attribute descriptions or matching
- rule ids are not recognized, assertion values are invalid, or the
- assertion syntax is not supported. More details of filter processing
- are given in Clause 7.8 of [X.511].
-
-4.5.1.7.1. SearchRequest.filter.equalityMatch
-
- The matching rule for an equalityMatch filter is defined by the
- EQUALITY matching rule for the attribute type or subtype. The filter
- is TRUE when the EQUALITY rule returns TRUE as applied to the
- attribute or subtype and the asserted value.
-
-4.5.1.7.2. SearchRequest.filter.substrings
-
- There SHALL be at most one 'initial' and at most one 'final' in the
- 'substrings' of a SubstringFilter. If 'initial' is present, it SHALL
- be the first element of 'substrings'. If 'final' is present, it
- SHALL be the last element of 'substrings'.
-
- The matching rule for an AssertionValue in a substrings filter item
- is defined by the SUBSTR matching rule for the attribute type or
- subtype. The filter is TRUE when the SUBSTR rule returns TRUE as
- applied to the attribute or subtype and the asserted value.
-
- Note that the AssertionValue in a substrings filter item conforms to
- the assertion syntax of the EQUALITY matching rule for the attribute
- type rather than to the assertion syntax of the SUBSTR matching rule
- for the attribute type. Conceptually, the entire SubstringFilter is
- converted into an assertion value of the substrings matching rule
- prior to applying the rule.
-
-
-
-
-Sermersheim Standards Track [Page 24]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-4.5.1.7.3. SearchRequest.filter.greaterOrEqual
-
- The matching rule for a greaterOrEqual filter is defined by the
- ORDERING matching rule for the attribute type or subtype. The filter
- is TRUE when the ORDERING rule returns FALSE as applied to the
- attribute or subtype and the asserted value.
-
-4.5.1.7.4. SearchRequest.filter.lessOrEqual
-
- The matching rules for a lessOrEqual filter are defined by the
- ORDERING and EQUALITY matching rules for the attribute type or
- subtype. The filter is TRUE when either the ORDERING or EQUALITY
- rule returns TRUE as applied to the attribute or subtype and the
- asserted value.
-
-4.5.1.7.5. SearchRequest.filter.present
-
- A present filter is TRUE when there is an attribute or subtype of the
- specified attribute description present in an entry, FALSE when no
- attribute or subtype of the specified attribute description is
- present in an entry, and Undefined otherwise.
-
-4.5.1.7.6. SearchRequest.filter.approxMatch
-
- An approxMatch filter is TRUE when there is a value of the attribute
- type or subtype for which some locally-defined approximate matching
- algorithm (e.g., spelling variations, phonetic match, etc.) returns
- TRUE. If a value matches for equality, it also satisfies an
- approximate match. If approximate matching is not supported for the
- attribute, this filter item should be treated as an equalityMatch.
-
-4.5.1.7.7. SearchRequest.filter.extensibleMatch
-
- The fields of the extensibleMatch filter item are evaluated as
- follows:
-
- - If the matchingRule field is absent, the type field MUST be
- present, and an equality match is performed for that type.
-
- - If the type field is absent and the matchingRule is present, the
- matchValue is compared against all attributes in an entry that
- support that matchingRule.
-
- - If the type field is present and the matchingRule is present, the
- matchValue is compared against the specified attribute type and its
- subtypes.
-
-
-
-
-
-Sermersheim Standards Track [Page 25]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- - If the dnAttributes field is set to TRUE, the match is additionally
- applied against all the AttributeValueAssertions in an entry's
- distinguished name, and it evaluates to TRUE if there is at least
- one attribute or subtype in the distinguished name for which the
- filter item evaluates to TRUE. The dnAttributes field is present
- to alleviate the need for multiple versions of generic matching
- rules (such as word matching), where one applies to entries and
- another applies to entries and DN attributes as well.
-
- The matchingRule used for evaluation determines the syntax for the
- assertion value. Once the matchingRule and attribute(s) have been
- determined, the filter item evaluates to TRUE if it matches at least
- one attribute type or subtype in the entry, FALSE if it does not
- match any attribute type or subtype in the entry, and Undefined if
- the matchingRule is not recognized, the matchingRule is unsuitable
- for use with the specified type, or the assertionValue is invalid.
-
-4.5.1.8. SearchRequest.attributes
-
- A selection list of the attributes to be returned from each entry
- that matches the search filter. Attributes that are subtypes of
- listed attributes are implicitly included. LDAPString values of this
- field are constrained to the following Augmented Backus-Naur Form
- (ABNF) [RFC4234]:
-
- attributeSelector = attributedescription / selectorspecial
-
- selectorspecial = noattrs / alluserattrs
-
- noattrs = %x31.2E.31 ; "1.1"
-
- alluserattrs = %x2A ; asterisk ("*")
-
- The <attributedescription> production is defined in Section 2.5 of
- [RFC4512].
-
- There are three special cases that may appear in the attributes
- selection list:
-
- 1. An empty list with no attributes requests the return of all
- user attributes.
-
- 2. A list containing "*" (with zero or more attribute
- descriptions) requests the return of all user attributes in
- addition to other listed (operational) attributes.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 26]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- 3. A list containing only the OID "1.1" indicates that no
- attributes are to be returned. If "1.1" is provided with other
- attributeSelector values, the "1.1" attributeSelector is
- ignored. This OID was chosen because it does not (and can not)
- correspond to any attribute in use.
-
- Client implementors should note that even if all user attributes are
- requested, some attributes and/or attribute values of the entry may
- not be included in Search results due to access controls or other
- restrictions. Furthermore, servers will not return operational
- attributes, such as objectClasses or attributeTypes, unless they are
- listed by name. Operational attributes are described in [RFC4512].
-
- Attributes are returned at most once in an entry. If an attribute
- description is named more than once in the list, the subsequent names
- are ignored. If an attribute description in the list is not
- recognized, it is ignored by the server.
-
-4.5.2. Search Result
-
- The results of the Search operation are returned as zero or more
- SearchResultEntry and/or SearchResultReference messages, followed by
- a single SearchResultDone message.
-
- SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
- objectName LDAPDN,
- attributes PartialAttributeList }
-
- PartialAttributeList ::= SEQUENCE OF
- partialAttribute PartialAttribute
-
- SearchResultReference ::= [APPLICATION 19] SEQUENCE
- SIZE (1..MAX) OF uri URI
-
- SearchResultDone ::= [APPLICATION 5] LDAPResult
-
- Each SearchResultEntry represents an entry found during the Search.
- Each SearchResultReference represents an area not yet explored during
- the Search. The SearchResultEntry and SearchResultReference messages
- may come in any order. Following all the SearchResultReference and
- SearchResultEntry responses, the server returns a SearchResultDone
- response, which contains an indication of success or details any
- errors that have occurred.
-
- Each entry returned in a SearchResultEntry will contain all
- appropriate attributes as specified in the attributes field of the
- Search Request, subject to access control and other administrative
- policy. Note that the PartialAttributeList may hold zero elements.
-
-
-
-Sermersheim Standards Track [Page 27]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- This may happen when none of the attributes of an entry were
- requested or could be returned. Note also that the partialAttribute
- vals set may hold zero elements. This may happen when typesOnly is
- requested, access controls prevent the return of values, or other
- reasons.
-
- Some attributes may be constructed by the server and appear in a
- SearchResultEntry attribute list, although they are not stored
- attributes of an entry. Clients SHOULD NOT assume that all
- attributes can be modified, even if this is permitted by access
- control.
-
- If the server's schema defines short names [RFC4512] for an attribute
- type, then the server SHOULD use one of those names in attribute
- descriptions for that attribute type (in preference to using the
- <numericoid> [RFC4512] format of the attribute type's object
- identifier). The server SHOULD NOT use the short name if that name
- is known by the server to be ambiguous, or if it is otherwise likely
- to cause interoperability problems.
-
-4.5.3. Continuation References in the Search Result
-
- If the server was able to locate the entry referred to by the
- baseObject but was unable or unwilling to search one or more non-
- local entries, the server may return one or more
- SearchResultReference messages, each containing a reference to
- another set of servers for continuing the operation. A server MUST
- NOT return any SearchResultReference messages if it has not located
- the baseObject and thus has not searched any entries. In this case,
- it would return a SearchResultDone containing either a referral or
- noSuchObject result code (depending on the server's knowledge of the
- entry named in the baseObject).
-
- If a server holds a copy or partial copy of the subordinate naming
- context (Section 5 of [RFC4512]), it may use the search filter to
- determine whether or not to return a SearchResultReference response.
- Otherwise, SearchResultReference responses are always returned when
- in scope.
-
- The SearchResultReference is of the same data type as the Referral.
-
- If the client wishes to progress the Search, it issues a new Search
- operation for each SearchResultReference that is returned. If
- multiple URIs are present, the client assumes that any supported URI
- may be used to progress the operation.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 28]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Clients that follow search continuation references MUST ensure that
- they do not loop between servers. They MUST NOT repeatedly contact
- the same server for the same request with the same parameters. Some
- clients use a counter that is incremented each time search result
- reference handling occurs for an operation, and these kinds of
- clients MUST be able to handle at least ten nested referrals while
- progressing the operation.
-
- Note that the Abandon operation described in Section 4.11 applies
- only to a particular operation sent at the LDAP message layer between
- a client and server. The client must individually abandon subsequent
- Search operations it wishes to.
-
- A URI for a server implementing LDAP and accessible via TCP/IP (v4 or
- v6) [RFC793][RFC791] is written as an LDAP URL according to
- [RFC4516].
-
- SearchResultReference values that are LDAP URLs follow these rules:
-
- - The <dn> part of the LDAP URL MUST be present, with the new target
- object name. The client uses this name when following the
- reference.
-
- - Some servers (e.g., participating in distributed indexing) may
- provide a different filter in the LDAP URL.
-
- - If the <filter> part of the LDAP URL is present, the client uses
- this filter in its next request to progress this Search, and if it
- is not present the client uses the same filter as it used for that
- Search.
-
- - If the originating search scope was singleLevel, the <scope> part
- of the LDAP URL will be "base".
-
- - It is RECOMMENDED that the <scope> part be present to avoid
- ambiguity. In the absence of a <scope> part, the scope of the
- original Search request is assumed.
-
- - Other aspects of the new Search request may be the same as or
- different from the Search request that generated the
- SearchResultReference.
-
- - The name of an unexplored subtree in a SearchResultReference need
- not be subordinate to the base object.
-
- Other kinds of URIs may be returned. The syntax and semantics of
- such URIs is left to future specifications. Clients may ignore URIs
- that they do not support.
-
-
-
-Sermersheim Standards Track [Page 29]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- UTF-8-encoded characters appearing in the string representation of a
- DN, search filter, or other fields of the referral value may not be
- legal for URIs (e.g., spaces) and MUST be escaped using the % method
- in [RFC3986].
-
-4.5.3.1. Examples
-
- For example, suppose the contacted server (hosta) holds the entry
- <DC=Example,DC=NET> and the entry <CN=Manager,DC=Example,DC=NET>. It
- knows that both LDAP servers (hostb) and (hostc) hold
- <OU=People,DC=Example,DC=NET> (one is the master and the other server
- a shadow), and that LDAP-capable server (hostd) holds the subtree
- <OU=Roles,DC=Example,DC=NET>. If a wholeSubtree Search of
- <DC=Example,DC=NET> is requested to the contacted server, it may
- return the following:
-
- SearchResultEntry for DC=Example,DC=NET
- SearchResultEntry for CN=Manager,DC=Example,DC=NET
- SearchResultReference {
- ldap://hostb/OU=People,DC=Example,DC=NET??sub
- ldap://hostc/OU=People,DC=Example,DC=NET??sub }
- SearchResultReference {
- ldap://hostd/OU=Roles,DC=Example,DC=NET??sub }
- SearchResultDone (success)
-
- Client implementors should note that when following a
- SearchResultReference, additional SearchResultReference may be
- generated. Continuing the example, if the client contacted the
- server (hostb) and issued the Search request for the subtree
- <OU=People,DC=Example,DC=NET>, the server might respond as follows:
-
- SearchResultEntry for OU=People,DC=Example,DC=NET
- SearchResultReference {
- ldap://hoste/OU=Managers,OU=People,DC=Example,DC=NET??sub }
- SearchResultReference {
- ldap://hostf/OU=Consultants,OU=People,DC=Example,DC=NET??sub }
- SearchResultDone (success)
-
- Similarly, if a singleLevel Search of <DC=Example,DC=NET> is
- requested to the contacted server, it may return the following:
-
- SearchResultEntry for CN=Manager,DC=Example,DC=NET
- SearchResultReference {
- ldap://hostb/OU=People,DC=Example,DC=NET??base
- ldap://hostc/OU=People,DC=Example,DC=NET??base }
- SearchResultReference {
- ldap://hostd/OU=Roles,DC=Example,DC=NET??base }
- SearchResultDone (success)
-
-
-
-Sermersheim Standards Track [Page 30]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- If the contacted server does not hold the base object for the Search,
- but has knowledge of its possible location, then it may return a
- referral to the client. In this case, if the client requests a
- subtree Search of <DC=Example,DC=ORG> to hosta, the server returns a
- SearchResultDone containing a referral.
-
- SearchResultDone (referral) {
- ldap://hostg/DC=Example,DC=ORG??sub }
-
-4.6. Modify Operation
-
- The Modify operation allows a client to request that a modification
- of an entry be performed on its behalf by a server. The Modify
- Request is defined as follows:
-
- ModifyRequest ::= [APPLICATION 6] SEQUENCE {
- object LDAPDN,
- changes SEQUENCE OF change SEQUENCE {
- operation ENUMERATED {
- add (0),
- delete (1),
- replace (2),
- ... },
- modification PartialAttribute } }
-
- Fields of the Modify Request are:
-
- - object: The value of this field contains the name of the entry to
- be modified. The server SHALL NOT perform any alias dereferencing
- in determining the object to be modified.
-
- - changes: A list of modifications to be performed on the entry. The
- entire list of modifications MUST be performed in the order they
- are listed as a single atomic operation. While individual
- modifications may violate certain aspects of the directory schema
- (such as the object class definition and Directory Information Tree
- (DIT) content rule), the resulting entry after the entire list of
- modifications is performed MUST conform to the requirements of the
- directory model and controlling schema [RFC4512].
-
- - operation: Used to specify the type of modification being
- performed. Each operation type acts on the following
- modification. The values of this field have the following
- semantics, respectively:
-
- add: add values listed to the modification attribute,
- creating the attribute if necessary.
-
-
-
-
-Sermersheim Standards Track [Page 31]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- delete: delete values listed from the modification attribute.
- If no values are listed, or if all current values of the
- attribute are listed, the entire attribute is removed.
-
- replace: replace all existing values of the modification
- attribute with the new values listed, creating the attribute
- if it did not already exist. A replace with no value will
- delete the entire attribute if it exists, and it is ignored
- if the attribute does not exist.
-
- - modification: A PartialAttribute (which may have an empty SET
- of vals) used to hold the attribute type or attribute type and
- values being modified.
-
- Upon receipt of a Modify Request, the server attempts to perform the
- necessary modifications to the DIT and returns the result in a Modify
- Response, defined as follows:
-
- ModifyResponse ::= [APPLICATION 7] LDAPResult
-
- The server will return to the client a single Modify Response
- indicating either the successful completion of the DIT modification,
- or the reason that the modification failed. Due to the requirement
- for atomicity in applying the list of modifications in the Modify
- Request, the client may expect that no modifications of the DIT have
- been performed if the Modify Response received indicates any sort of
- error, and that all requested modifications have been performed if
- the Modify Response indicates successful completion of the Modify
- operation. Whether or not the modification was applied cannot be
- determined by the client if the Modify Response was not received
- (e.g., the LDAP session was terminated or the Modify operation was
- abandoned).
-
- Servers MUST ensure that entries conform to user and system schema
- rules or other data model constraints. The Modify operation cannot
- be used to remove from an entry any of its distinguished values,
- i.e., those values which form the entry's relative distinguished
- name. An attempt to do so will result in the server returning the
- notAllowedOnRDN result code. The Modify DN operation described in
- Section 4.9 is used to rename an entry.
-
- For attribute types that specify no equality matching, the rules in
- Section 2.5.1 of [RFC4512] are followed.
-
- Note that due to the simplifications made in LDAP, there is not a
- direct mapping of the changes in an LDAP ModifyRequest onto the
- changes of a DAP ModifyEntry operation, and different implementations
-
-
-
-
-Sermersheim Standards Track [Page 32]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- of LDAP-DAP gateways may use different means of representing the
- change. If successful, the final effect of the operations on the
- entry MUST be identical.
-
-4.7. Add Operation
-
- The Add operation allows a client to request the addition of an entry
- into the Directory. The Add Request is defined as follows:
-
- AddRequest ::= [APPLICATION 8] SEQUENCE {
- entry LDAPDN,
- attributes AttributeList }
-
- AttributeList ::= SEQUENCE OF attribute Attribute
-
- Fields of the Add Request are:
-
- - entry: the name of the entry to be added. The server SHALL NOT
- dereference any aliases in locating the entry to be added.
-
- - attributes: the list of attributes that, along with those from the
- RDN, make up the content of the entry being added. Clients MAY or
- MAY NOT include the RDN attribute(s) in this list. Clients MUST
- NOT supply NO-USER-MODIFICATION attributes such as the
- createTimestamp or creatorsName attributes, since the server
- maintains these automatically.
-
- Servers MUST ensure that entries conform to user and system schema
- rules or other data model constraints. For attribute types that
- specify no equality matching, the rules in Section 2.5.1 of [RFC4512]
- are followed (this applies to the naming attribute in addition to any
- multi-valued attributes being added).
-
- The entry named in the entry field of the AddRequest MUST NOT exist
- for the AddRequest to succeed. The immediate superior (parent) of an
- object or alias entry to be added MUST exist. For example, if the
- client attempted to add <CN=JS,DC=Example,DC=NET>, the
- <DC=Example,DC=NET> entry did not exist, and the <DC=NET> entry did
- exist, then the server would return the noSuchObject result code with
- the matchedDN field containing <DC=NET>.
-
- Upon receipt of an Add Request, a server will attempt to add the
- requested entry. The result of the Add attempt will be returned to
- the client in the Add Response, defined as follows:
-
- AddResponse ::= [APPLICATION 9] LDAPResult
-
-
-
-
-
-Sermersheim Standards Track [Page 33]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- A response of success indicates that the new entry has been added to
- the Directory.
-
-4.8. Delete Operation
-
- The Delete operation allows a client to request the removal of an
- entry from the Directory. The Delete Request is defined as follows:
-
- DelRequest ::= [APPLICATION 10] LDAPDN
-
- The Delete Request consists of the name of the entry to be deleted.
- The server SHALL NOT dereference aliases while resolving the name of
- the target entry to be removed.
-
- Only leaf entries (those with no subordinate entries) can be deleted
- with this operation.
-
- Upon receipt of a Delete Request, a server will attempt to perform
- the entry removal requested and return the result in the Delete
- Response defined as follows:
-
- DelResponse ::= [APPLICATION 11] LDAPResult
-
-4.9. Modify DN Operation
-
- The Modify DN operation allows a client to change the Relative
- Distinguished Name (RDN) of an entry in the Directory and/or to move
- a subtree of entries to a new location in the Directory. The Modify
- DN Request is defined as follows:
-
- ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
- entry LDAPDN,
- newrdn RelativeLDAPDN,
- deleteoldrdn BOOLEAN,
- newSuperior [0] LDAPDN OPTIONAL }
-
- Fields of the Modify DN Request are:
-
- - entry: the name of the entry to be changed. This entry may or may
- not have subordinate entries.
-
- - newrdn: the new RDN of the entry. The value of the old RDN is
- supplied when moving the entry to a new superior without changing
- its RDN. Attribute values of the new RDN not matching any
- attribute value of the entry are added to the entry, and an
- appropriate error is returned if this fails.
-
-
-
-
-
-Sermersheim Standards Track [Page 34]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- - deleteoldrdn: a boolean field that controls whether the old RDN
- attribute values are to be retained as attributes of the entry or
- deleted from the entry.
-
- - newSuperior: if present, this is the name of an existing object
- entry that becomes the immediate superior (parent) of the
- existing entry.
-
- The server SHALL NOT dereference any aliases in locating the objects
- named in entry or newSuperior.
-
- Upon receipt of a ModifyDNRequest, a server will attempt to perform
- the name change and return the result in the Modify DN Response,
- defined as follows:
-
- ModifyDNResponse ::= [APPLICATION 13] LDAPResult
-
- For example, if the entry named in the entry field was <cn=John
- Smith,c=US>, the newrdn field was <cn=John Cougar Smith>, and the
- newSuperior field was absent, then this operation would attempt to
- rename the entry as <cn=John Cougar Smith,c=US>. If there was
- already an entry with that name, the operation would fail with the
- entryAlreadyExists result code.
-
- Servers MUST ensure that entries conform to user and system schema
- rules or other data model constraints. For attribute types that
- specify no equality matching, the rules in Section 2.5.1 of [RFC4512]
- are followed (this pertains to newrdn and deleteoldrdn).
-
- The object named in newSuperior MUST exist. For example, if the
- client attempted to add <CN=JS,DC=Example,DC=NET>, the
- <DC=Example,DC=NET> entry did not exist, and the <DC=NET> entry did
- exist, then the server would return the noSuchObject result code with
- the matchedDN field containing <DC=NET>.
-
- If the deleteoldrdn field is TRUE, the attribute values forming the
- old RDN (but not the new RDN) are deleted from the entry. If the
- deleteoldrdn field is FALSE, the attribute values forming the old RDN
- will be retained as non-distinguished attribute values of the entry.
-
- Note that X.500 restricts the ModifyDN operation to affect only
- entries that are contained within a single server. If the LDAP
- server is mapped onto DAP, then this restriction will apply, and the
- affectsMultipleDSAs result code will be returned if this error
- occurred. In general, clients MUST NOT expect to be able to perform
- arbitrary movements of entries and subtrees between servers or
- between naming contexts.
-
-
-
-
-Sermersheim Standards Track [Page 35]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-4.10. Compare Operation
-
- The Compare operation allows a client to compare an assertion value
- with the values of a particular attribute in a particular entry in
- the Directory. The Compare Request is defined as follows:
-
- CompareRequest ::= [APPLICATION 14] SEQUENCE {
- entry LDAPDN,
- ava AttributeValueAssertion }
-
- Fields of the Compare Request are:
-
- - entry: the name of the entry to be compared. The server SHALL NOT
- dereference any aliases in locating the entry to be compared.
-
- - ava: holds the attribute value assertion to be compared.
-
- Upon receipt of a Compare Request, a server will attempt to perform
- the requested comparison and return the result in the Compare
- Response, defined as follows:
-
- CompareResponse ::= [APPLICATION 15] LDAPResult
-
- The resultCode is set to compareTrue, compareFalse, or an appropriate
- error. compareTrue indicates that the assertion value in the ava
- field matches a value of the attribute or subtype according to the
- attribute's EQUALITY matching rule. compareFalse indicates that the
- assertion value in the ava field and the values of the attribute or
- subtype did not match. Other result codes indicate either that the
- result of the comparison was Undefined (Section 4.5.1.7), or that
- some error occurred.
-
- Note that some directory systems may establish access controls that
- permit the values of certain attributes (such as userPassword) to be
- compared but not interrogated by other means.
-
-4.11. Abandon Operation
-
- The function of the Abandon operation is to allow a client to request
- that the server abandon an uncompleted operation. The Abandon
- Request is defined as follows:
-
- AbandonRequest ::= [APPLICATION 16] MessageID
-
- The MessageID is that of an operation that was requested earlier at
- this LDAP message layer. The Abandon request itself has its own
- MessageID. This is distinct from the MessageID of the earlier
- operation being abandoned.
-
-
-
-Sermersheim Standards Track [Page 36]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- There is no response defined in the Abandon operation. Upon receipt
- of an AbandonRequest, the server MAY abandon the operation identified
- by the MessageID. Since the client cannot tell the difference
- between a successfully abandoned operation and an uncompleted
- operation, the application of the Abandon operation is limited to
- uses where the client does not require an indication of its outcome.
-
- Abandon, Bind, Unbind, and StartTLS operations cannot be abandoned.
-
- In the event that a server receives an Abandon Request on a Search
- operation in the midst of transmitting responses to the Search, that
- server MUST cease transmitting entry responses to the abandoned
- request immediately, and it MUST NOT send the SearchResultDone. Of
- course, the server MUST ensure that only properly encoded LDAPMessage
- PDUs are transmitted.
-
- The ability to abandon other (particularly update) operations is at
- the discretion of the server.
-
- Clients should not send Abandon requests for the same operation
- multiple times, and they MUST also be prepared to receive results
- from operations they have abandoned (since these might have been in
- transit when the Abandon was requested or might not be able to be
- abandoned).
-
- Servers MUST discard Abandon requests for messageIDs they do not
- recognize, for operations that cannot be abandoned, and for
- operations that have already been abandoned.
-
-4.12. Extended Operation
-
- The Extended operation allows additional operations to be defined for
- services not already available in the protocol; for example, to Add
- operations to install transport layer security (see Section 4.14).
-
- The Extended operation allows clients to make requests and receive
- responses with predefined syntaxes and semantics. These may be
- defined in RFCs or be private to particular implementations.
-
- Each Extended operation consists of an Extended request and an
- Extended response.
-
- ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
- requestName [0] LDAPOID,
- requestValue [1] OCTET STRING OPTIONAL }
-
-
-
-
-
-
-Sermersheim Standards Track [Page 37]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- The requestName is a dotted-decimal representation of the unique
- OBJECT IDENTIFIER corresponding to the request. The requestValue is
- information in a form defined by that request, encapsulated inside an
- OCTET STRING.
-
- The server will respond to this with an LDAPMessage containing an
- ExtendedResponse.
-
- ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
- COMPONENTS OF LDAPResult,
- responseName [10] LDAPOID OPTIONAL,
- responseValue [11] OCTET STRING OPTIONAL }
-
- The responseName field, when present, contains an LDAPOID that is
- unique for this extended operation or response. This field is
- optional (even when the extension specification defines an LDAPOID
- for use in this field). The field will be absent whenever the server
- is unable or unwilling to determine the appropriate LDAPOID to
- return, for instance, when the requestName cannot be parsed or its
- value is not recognized.
-
- Where the requestName is not recognized, the server returns
- protocolError. (The server may return protocolError in other cases.)
-
- The requestValue and responseValue fields contain information
- associated with the operation. The format of these fields is defined
- by the specification of the Extended operation. Implementations MUST
- be prepared to handle arbitrary contents of these fields, including
- zero bytes. Values that are defined in terms of ASN.1 and BER-
- encoded according to Section 5.1 also follow the extensibility rules
- in Section 4.
-
- Servers list the requestName of Extended Requests they recognize in
- the 'supportedExtension' attribute in the root DSE (Section 5.1 of
- [RFC4512]).
-
- Extended operations may be specified in other documents. The
- specification of an Extended operation consists of:
-
- - the OBJECT IDENTIFIER assigned to the requestName,
-
- - the OBJECT IDENTIFIER (if any) assigned to the responseName (note
- that the same OBJECT IDENTIFIER may be used for both the
- requestName and responseName),
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 38]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- - the format of the contents of the requestValue and responseValue
- (if any), and
-
- - the semantics of the operation.
-
-4.13. IntermediateResponse Message
-
- While the Search operation provides a mechanism to return multiple
- response messages for a single Search request, other operations, by
- nature, do not provide for multiple response messages.
-
- The IntermediateResponse message provides a general mechanism for
- defining single-request/multiple-response operations in LDAP. This
- message is intended to be used in conjunction with the Extended
- operation to define new single-request/multiple-response operations
- or in conjunction with a control when extending existing LDAP
- operations in a way that requires them to return Intermediate
- response information.
-
- It is intended that the definitions and descriptions of Extended
- operations and controls that make use of the IntermediateResponse
- message will define the circumstances when an IntermediateResponse
- message can be sent by a server and the associated meaning of an
- IntermediateResponse message sent in a particular circumstance.
-
- IntermediateResponse ::= [APPLICATION 25] SEQUENCE {
- responseName [0] LDAPOID OPTIONAL,
- responseValue [1] OCTET STRING OPTIONAL }
-
- IntermediateResponse messages SHALL NOT be returned to the client
- unless the client issues a request that specifically solicits their
- return. This document defines two forms of solicitation: Extended
- operation and request control. IntermediateResponse messages are
- specified in documents describing the manner in which they are
- solicited (i.e., in the Extended operation or request control
- specification that uses them). These specifications include:
-
- - the OBJECT IDENTIFIER (if any) assigned to the responseName,
-
- - the format of the contents of the responseValue (if any), and
-
- - the semantics associated with the IntermediateResponse message.
-
- Extensions that allow the return of multiple types of
- IntermediateResponse messages SHALL identify those types using unique
- responseName values (note that one of these may specify no value).
-
-
-
-
-
-Sermersheim Standards Track [Page 39]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Sections 4.13.1 and 4.13.2 describe additional requirements on the
- inclusion of responseName and responseValue in IntermediateResponse
- messages.
-
-4.13.1. Usage with LDAP ExtendedRequest and ExtendedResponse
-
- A single-request/multiple-response operation may be defined using a
- single ExtendedRequest message to solicit zero or more
- IntermediateResponse messages of one or more kinds, followed by an
- ExtendedResponse message.
-
-4.13.2. Usage with LDAP Request Controls
-
- A control's semantics may include the return of zero or more
- IntermediateResponse messages prior to returning the final result
- code for the operation. One or more kinds of IntermediateResponse
- messages may be sent in response to a request control.
-
- All IntermediateResponse messages associated with request controls
- SHALL include a responseName. This requirement ensures that the
- client can correctly identify the source of IntermediateResponse
- messages when:
-
- - two or more controls using IntermediateResponse messages are
- included in a request for any LDAP operation or
-
- - one or more controls using IntermediateResponse messages are
- included in a request with an LDAP Extended operation that uses
- IntermediateResponse messages.
-
-4.14. StartTLS Operation
-
- The Start Transport Layer Security (StartTLS) operation's purpose is
- to initiate installation of a TLS layer. The StartTLS operation is
- defined using the Extended operation mechanism described in Section
- 4.12.
-
-4.14.1. StartTLS Request
-
- A client requests TLS establishment by transmitting a StartTLS
- request message to the server. The StartTLS request is defined in
- terms of an ExtendedRequest. The requestName is
- "1.3.6.1.4.1.1466.20037", and the requestValue field is always
- absent.
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 40]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- The client MUST NOT send any LDAP PDUs at this LDAP message layer
- following this request until it receives a StartTLS Extended response
- and, in the case of a successful response, completes TLS
- negotiations.
-
- Detected sequencing problems (particularly those detailed in Section
- 3.1.1 of [RFC4513]) result in the resultCode being set to
- operationsError.
-
- If the server does not support TLS (whether by design or by current
- configuration), it returns with the resultCode set to protocolError
- as described in Section 4.12.
-
-4.14.2. StartTLS Response
-
- When a StartTLS request is received, servers supporting the operation
- MUST return a StartTLS response message to the requestor. The
- responseName is "1.3.6.1.4.1.1466.20037" when provided (see Section
- 4.12). The responseValue is always absent.
-
- If the server is willing and able to negotiate TLS, it returns the
- StartTLS response with the resultCode set to success. Upon client
- receipt of a successful StartTLS response, protocol peers may
- commence with TLS negotiation as discussed in Section 3 of [RFC4513].
-
- If the server is otherwise unwilling or unable to perform this
- operation, the server is to return an appropriate result code
- indicating the nature of the problem. For example, if the TLS
- subsystem is not presently available, the server may indicate this by
- returning with the resultCode set to unavailable. In cases where a
- non-success result code is returned, the LDAP session is left without
- a TLS layer.
-
-4.14.3. Removal of the TLS Layer
-
- Either the client or server MAY remove the TLS layer and leave the
- LDAP message layer intact by sending and receiving a TLS closure
- alert.
-
- The initiating protocol peer sends the TLS closure alert and MUST
- wait until it receives a TLS closure alert from the other peer before
- sending further LDAP PDUs.
-
- When a protocol peer receives the initial TLS closure alert, it may
- choose to allow the LDAP message layer to remain intact. In this
- case, it MUST immediately transmit a TLS closure alert. Following
- this, it MAY send and receive LDAP PDUs.
-
-
-
-
-Sermersheim Standards Track [Page 41]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Protocol peers MAY terminate the LDAP session after sending or
- receiving a TLS closure alert.
-
-5. Protocol Encoding, Connection, and Transfer
-
- This protocol is designed to run over connection-oriented, reliable
- transports, where the data stream is divided into octets (8-bit
- units), with each octet and each bit being significant.
-
- One underlying service, LDAP over TCP, is defined in Section 5.2.
- This service is generally applicable to applications providing or
- consuming X.500-based directory services on the Internet. This
- specification was generally written with the TCP mapping in mind.
- Specifications detailing other mappings may encounter various
- obstacles.
-
- Implementations of LDAP over TCP MUST implement the mapping as
- described in Section 5.2.
-
- This table illustrates the relationship among the different layers
- involved in an exchange between two protocol peers:
-
- +----------------------+
- | LDAP message layer |
- +----------------------+ > LDAP PDUs
- +----------------------+ < data
- | SASL layer |
- +----------------------+ > SASL-protected data
- +----------------------+ < data
- | TLS layer |
- Application +----------------------+ > TLS-protected data
- ------------+----------------------+ < data
- Transport | transport connection |
- +----------------------+
-
-5.1. Protocol Encoding
-
- The protocol elements of LDAP SHALL be encoded for exchange using the
- Basic Encoding Rules [BER] of [ASN.1] with the following
- restrictions:
-
- - Only the definite form of length encoding is used.
-
- - OCTET STRING values are encoded in the primitive form only.
-
- - If the value of a BOOLEAN type is true, the encoding of the value
- octet is set to hex "FF".
-
-
-
-
-Sermersheim Standards Track [Page 42]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- - If a value of a type is its default value, it is absent. Only some
- BOOLEAN and INTEGER types have default values in this protocol
- definition.
-
- These restrictions are meant to ease the overhead of encoding and
- decoding certain elements in BER.
-
- These restrictions do not apply to ASN.1 types encapsulated inside of
- OCTET STRING values, such as attribute values, unless otherwise
- stated.
-
-5.2. Transmission Control Protocol (TCP)
-
- The encoded LDAPMessage PDUs are mapped directly onto the TCP
- [RFC793] bytestream using the BER-based encoding described in Section
- 5.1. It is recommended that server implementations running over the
- TCP provide a protocol listener on the Internet Assigned Numbers
- Authority (IANA)-assigned LDAP port, 389 [PortReg]. Servers may
- instead provide a listener on a different port number. Clients MUST
- support contacting servers on any valid TCP port.
-
-5.3. Termination of the LDAP session
-
- Termination of the LDAP session is typically initiated by the client
- sending an UnbindRequest (Section 4.3), or by the server sending a
- Notice of Disconnection (Section 4.4.1). In these cases, each
- protocol peer gracefully terminates the LDAP session by ceasing
- exchanges at the LDAP message layer, tearing down any SASL layer,
- tearing down any TLS layer, and closing the transport connection.
-
- A protocol peer may determine that the continuation of any
- communication would be pernicious, and in this case, it may abruptly
- terminate the session by ceasing communication and closing the
- transport connection.
-
- In either case, when the LDAP session is terminated, uncompleted
- operations are handled as specified in Section 3.1.
-
-6. Security Considerations
-
- This version of the protocol provides facilities for simple
- authentication using a cleartext password, as well as any SASL
- [RFC4422] mechanism. Installing SASL and/or TLS layers can provide
- integrity and other data security services.
-
- It is also permitted that the server can return its credentials to
- the client, if it chooses to do so.
-
-
-
-
-Sermersheim Standards Track [Page 43]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Use of cleartext password is strongly discouraged where the
- underlying transport service cannot guarantee confidentiality and may
- result in disclosure of the password to unauthorized parties.
-
- Servers are encouraged to prevent directory modifications by clients
- that have authenticated anonymously [RFC4513].
-
- Security considerations for authentication methods, SASL mechanisms,
- and TLS are described in [RFC4513].
-
- Note that SASL authentication exchanges do not provide data
- confidentiality or integrity protection for the version or name
- fields of the BindRequest or the resultCode, diagnosticMessage, or
- referral fields of the BindResponse, nor for any information
- contained in controls attached to Bind requests or responses. Thus,
- information contained in these fields SHOULD NOT be relied on unless
- it is otherwise protected (such as by establishing protections at the
- transport layer).
-
- Implementors should note that various security factors (including
- authentication and authorization information and data security
- services) may change during the course of the LDAP session or even
- during the performance of a particular operation. For instance,
- credentials could expire, authorization identities or access controls
- could change, or the underlying security layer(s) could be replaced
- or terminated. Implementations should be robust in the handling of
- changing security factors.
-
- In some cases, it may be appropriate to continue the operation even
- in light of security factor changes. For instance, it may be
- appropriate to continue an Abandon operation regardless of the
- change, or to continue an operation when the change upgraded (or
- maintained) the security factor. In other cases, it may be
- appropriate to fail or alter the processing of the operation. For
- instance, if confidential protections were removed, it would be
- appropriate either to fail a request to return sensitive data or,
- minimally, to exclude the return of sensitive data.
-
- Implementations that cache attributes and entries obtained via LDAP
- MUST ensure that access controls are maintained if that information
- is to be provided to multiple clients, since servers may have access
- control policies that prevent the return of entries or attributes in
- Search results except to particular authenticated clients. For
- example, caches could serve result information only to the client
- whose request caused it to be in the cache.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 44]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- Servers may return referrals or Search result references that
- redirect clients to peer servers. It is possible for a rogue
- application to inject such referrals into the data stream in an
- attempt to redirect a client to a rogue server. Clients are advised
- to be aware of this and possibly reject referrals when
- confidentiality measures are not in place. Clients are advised to
- reject referrals from the StartTLS operation.
-
- The matchedDN and diagnosticMessage fields, as well as some
- resultCode values (e.g., attributeOrValueExists and
- entryAlreadyExists), could disclose the presence or absence of
- specific data in the directory that is subject to access and other
- administrative controls. Server implementations should restrict
- access to protected information equally under both normal and error
- conditions.
-
- Protocol peers MUST be prepared to handle invalid and arbitrary-
- length protocol encodings. Invalid protocol encodings include: BER
- encoding exceptions, format string and UTF-8 encoding exceptions,
- overflow exceptions, integer value exceptions, and binary mode on/off
- flag exceptions. The LDAPv3 PROTOS [PROTOS-LDAP] test suite provides
- excellent examples of these exceptions and test cases used to
- discover flaws.
-
- In the event that a protocol peer senses an attack that in its nature
- could cause damage due to further communication at any layer in the
- LDAP session, the protocol peer should abruptly terminate the LDAP
- session as described in Section 5.3.
-
-7. Acknowledgements
-
- This document is based on RFC 2251 by Mark Wahl, Tim Howes, and Steve
- Kille. RFC 2251 was a product of the IETF ASID Working Group.
-
- It is also based on RFC 2830 by Jeff Hodges, RL "Bob" Morgan, and
- Mark Wahl. RFC 2830 was a product of the IETF LDAPEXT Working Group.
-
- It is also based on RFC 3771 by Roger Harrison and Kurt Zeilenga.
- RFC 3771 was an individual submission to the IETF.
-
- This document is a product of the IETF LDAPBIS Working Group.
- Significant contributors of technical review and content include Kurt
- Zeilenga, Steven Legg, and Hallvard Furuseth.
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 45]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-8. Normative References
-
- [ASN.1] ITU-T Recommendation X.680 (07/2002) | ISO/IEC 8824-
- 1:2002 "Information Technology - Abstract Syntax
- Notation One (ASN.1): Specification of basic notation".
-
- [BER] ITU-T Rec. X.690 (07/2002) | ISO/IEC 8825-1:2002,
- "Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER), Canonical
- Encoding Rules (CER) and Distinguished Encoding Rules
- (DER)", 2002.
-
- [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
- Architecture and Basic Multilingual Plane, ISO/IEC
- 10646-1 : 1993.
-
- [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791,
- September 1981.
-
- [RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC
- 793, September 1981.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3454] Hoffman P. and M. Blanchet, "Preparation of
- Internationalized Strings ('stringprep')", RFC 3454,
- December 2002.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter,
- "Uniform Resource Identifier (URI): Generic Syntax",
- STD 66, RFC 3986, January 2005.
-
- [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
- Names and Passwords", RFC 4013, February 2005.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4346] Dierks, T. and E. Rescorla, "The TLS Protocol Version
- 1.1", RFC 4346, March 2006.
-
- [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
- Authentication and Security Layer (SASL)", RFC 4422,
- June 2006.
-
-
-
-Sermersheim Standards Track [Page 46]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4512] Zeilenga, K., Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access
- Protocol (LDAP): Authentication Methods and Security
- Mechanisms", RFC 4513, June 2006.
-
- [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): String Representation of Distinguished
- Names", RFC 4514, June 2006.
-
- [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): Uniform Resource Locator", RFC
- 4516, June 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version
- 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
- 61633-5), as amended by the "Unicode Standard Annex
- #27: Unicode 3.1"
- (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
- [X.500] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
- Models and Service", 1993.
-
- [X.511] ITU-T Rec. X.511, "The Directory: Abstract Service
- Definition", 1993.
-
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 47]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-9. Informative References
-
- [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
- #17, Character Encoding Model", UTR17,
- <http://www.unicode.org/unicode/reports/tr17/>, August
- 2000.
-
- [Glossary] The Unicode Consortium, "Unicode Glossary",
- <http://www.unicode.org/glossary/>.
-
- [PortReg] IANA, "Port Numbers",
- <http://www.iana.org/assignments/port-numbers>.
-
- [PROTOS-LDAP] University of Oulu, "PROTOS Test-Suite: c06-ldapv3"
- <http://www.ee.oulu.fi/research/ouspg/protos/testing/
- c06/ldapv3/>.
-
-10. IANA Considerations
-
- The Internet Assigned Numbers Authority (IANA) has updated the LDAP
- result code registry to indicate that this document provides the
- definitive technical specification for result codes 0-36, 48-54, 64-
- 70, 80-90. It is also noted that one resultCode value
- (strongAuthRequired) has been renamed (to strongerAuthRequired).
-
- The IANA has also updated the LDAP Protocol Mechanism registry to
- indicate that this document and [RFC4513] provides the definitive
- technical specification for the StartTLS (1.3.6.1.4.1.1466.20037)
- Extended operation.
-
- IANA has assigned LDAP Object Identifier 18 [RFC4520] to identify the
- ASN.1 module defined in this document.
-
- Subject: Request for LDAP Object Identifier Registration
- Person & email address to contact for further information:
- Jim Sermersheim <jimse at novell.com>
- Specification: RFC 4511
- Author/Change Controller: IESG
- Comments:
- Identifies the LDAP ASN.1 module
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 48]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-Appendix A. LDAP Result Codes
-
- This normative appendix details additional considerations regarding
- LDAP result codes and provides a brief, general description of each
- LDAP result code enumerated in Section 4.1.9.
-
- Additional result codes MAY be defined for use with extensions
- [RFC4520]. Client implementations SHALL treat any result code that
- they do not recognize as an unknown error condition.
-
- The descriptions provided here do not fully account for result code
- substitutions used to prevent unauthorized disclosures (such as
- substitution of noSuchObject for insufficientAccessRights, or
- invalidCredentials for insufficientAccessRights).
-
-A.1. Non-Error Result Codes
-
- These result codes (called "non-error" result codes) do not indicate
- an error condition:
-
- success (0),
- compareFalse (5),
- compareTrue (6),
- referral (10), and
- saslBindInProgress (14).
-
- The success, compareTrue, and compareFalse result codes indicate
- successful completion (and, hence, are referred to as "successful"
- result codes).
-
- The referral and saslBindInProgress result codes indicate the client
- needs to take additional action to complete the operation.
-
-A.2. Result Codes
-
- Existing LDAP result codes are described as follows:
-
- success (0)
- Indicates the successful completion of an operation. Note:
- this code is not used with the Compare operation. See
- compareFalse (5) and compareTrue (6).
-
-
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 49]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- operationsError (1)
- Indicates that the operation is not properly sequenced with
- relation to other operations (of same or different type).
-
- For example, this code is returned if the client attempts to
- StartTLS [RFC4346] while there are other uncompleted operations
- or if a TLS layer was already installed.
-
- protocolError (2)
- Indicates the server received data that is not well-formed.
-
- For Bind operation only, this code is also used to indicate
- that the server does not support the requested protocol
- version.
-
- For Extended operations only, this code is also used to
- indicate that the server does not support (by design or
- configuration) the Extended operation associated with the
- requestName.
-
- For request operations specifying multiple controls, this may
- be used to indicate that the server cannot ignore the order
- of the controls as specified, or that the combination of the
- specified controls is invalid or unspecified.
-
- timeLimitExceeded (3)
- Indicates that the time limit specified by the client was
- exceeded before the operation could be completed.
-
- sizeLimitExceeded (4)
- Indicates that the size limit specified by the client was
- exceeded before the operation could be completed.
-
- compareFalse (5)
- Indicates that the Compare operation has successfully
- completed and the assertion has evaluated to FALSE or
- Undefined.
-
- compareTrue (6)
- Indicates that the Compare operation has successfully
- completed and the assertion has evaluated to TRUE.
-
- authMethodNotSupported (7)
- Indicates that the authentication method or mechanism is not
- supported.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 50]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- strongerAuthRequired (8)
- Indicates the server requires strong(er) authentication in
- order to complete the operation.
-
- When used with the Notice of Disconnection operation, this
- code indicates that the server has detected that an
- established security association between the client and
- server has unexpectedly failed or been compromised.
-
- referral (10)
- Indicates that a referral needs to be chased to complete the
- operation (see Section 4.1.10).
-
- adminLimitExceeded (11)
- Indicates that an administrative limit has been exceeded.
-
- unavailableCriticalExtension (12)
- Indicates a critical control is unrecognized (see Section
- 4.1.11).
-
- confidentialityRequired (13)
- Indicates that data confidentiality protections are required.
-
- saslBindInProgress (14)
- Indicates the server requires the client to send a new bind
- request, with the same SASL mechanism, to continue the
- authentication process (see Section 4.2).
-
- noSuchAttribute (16)
- Indicates that the named entry does not contain the specified
- attribute or attribute value.
-
- undefinedAttributeType (17)
- Indicates that a request field contains an unrecognized
- attribute description.
-
- inappropriateMatching (18)
- Indicates that an attempt was made (e.g., in an assertion) to
- use a matching rule not defined for the attribute type
- concerned.
-
- constraintViolation (19)
- Indicates that the client supplied an attribute value that
- does not conform to the constraints placed upon it by the
- data model.
-
- For example, this code is returned when multiple values are
- supplied to an attribute that has a SINGLE-VALUE constraint.
-
-
-
-Sermersheim Standards Track [Page 51]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- attributeOrValueExists (20)
- Indicates that the client supplied an attribute or value to
- be added to an entry, but the attribute or value already
- exists.
-
- invalidAttributeSyntax (21)
- Indicates that a purported attribute value does not conform
- to the syntax of the attribute.
-
- noSuchObject (32)
- Indicates that the object does not exist in the DIT.
-
- aliasProblem (33)
- Indicates that an alias problem has occurred. For example,
- the code may used to indicate an alias has been dereferenced
- that names no object.
-
- invalidDNSyntax (34)
- Indicates that an LDAPDN or RelativeLDAPDN field (e.g., search
- base, target entry, ModifyDN newrdn, etc.) of a request does
- not conform to the required syntax or contains attribute
- values that do not conform to the syntax of the attribute's
- type.
-
- aliasDereferencingProblem (36)
- Indicates that a problem occurred while dereferencing an
- alias. Typically, an alias was encountered in a situation
- where it was not allowed or where access was denied.
-
- inappropriateAuthentication (48)
- Indicates the server requires the client that had attempted
- to bind anonymously or without supplying credentials to
- provide some form of credentials.
-
- invalidCredentials (49)
- Indicates that the provided credentials (e.g., the user's name
- and password) are invalid.
-
- insufficientAccessRights (50)
- Indicates that the client does not have sufficient access
- rights to perform the operation.
-
- busy (51)
- Indicates that the server is too busy to service the
- operation.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 52]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- unavailable (52)
- Indicates that the server is shutting down or a subsystem
- necessary to complete the operation is offline.
-
- unwillingToPerform (53)
- Indicates that the server is unwilling to perform the
- operation.
-
- loopDetect (54)
- Indicates that the server has detected an internal loop (e.g.,
- while dereferencing aliases or chaining an operation).
-
- namingViolation (64)
- Indicates that the entry's name violates naming restrictions.
-
- objectClassViolation (65)
- Indicates that the entry violates object class restrictions.
-
- notAllowedOnNonLeaf (66)
- Indicates that the operation is inappropriately acting upon a
- non-leaf entry.
-
- notAllowedOnRDN (67)
- Indicates that the operation is inappropriately attempting to
- remove a value that forms the entry's relative distinguished
- name.
-
- entryAlreadyExists (68)
- Indicates that the request cannot be fulfilled (added, moved,
- or renamed) as the target entry already exists.
-
- objectClassModsProhibited (69)
- Indicates that an attempt to modify the object class(es) of
- an entry's 'objectClass' attribute is prohibited.
-
- For example, this code is returned when a client attempts to
- modify the structural object class of an entry.
-
- affectsMultipleDSAs (71)
- Indicates that the operation cannot be performed as it would
- affect multiple servers (DSAs).
-
- other (80)
- Indicates the server has encountered an internal error.
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 53]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-Appendix B. Complete ASN.1 Definition
-
- This appendix is normative.
-
- Lightweight-Directory-Access-Protocol-V3 {1 3 6 1 1 18}
- -- Copyright (C) The Internet Society (2006). This version of
- -- this ASN.1 module is part of RFC 4511; see the RFC itself
- -- for full legal notices.
- DEFINITIONS
- IMPLICIT TAGS
- EXTENSIBILITY IMPLIED ::=
-
- BEGIN
-
- LDAPMessage ::= SEQUENCE {
- messageID MessageID,
- protocolOp CHOICE {
- bindRequest BindRequest,
- bindResponse BindResponse,
- unbindRequest UnbindRequest,
- searchRequest SearchRequest,
- searchResEntry SearchResultEntry,
- searchResDone SearchResultDone,
- searchResRef SearchResultReference,
- modifyRequest ModifyRequest,
- modifyResponse ModifyResponse,
- addRequest AddRequest,
- addResponse AddResponse,
- delRequest DelRequest,
- delResponse DelResponse,
- modDNRequest ModifyDNRequest,
- modDNResponse ModifyDNResponse,
- compareRequest CompareRequest,
- compareResponse CompareResponse,
- abandonRequest AbandonRequest,
- extendedReq ExtendedRequest,
- extendedResp ExtendedResponse,
- ...,
- intermediateResponse IntermediateResponse },
- controls [0] Controls OPTIONAL }
-
- MessageID ::= INTEGER (0 .. maxInt)
-
- maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
-
- LDAPString ::= OCTET STRING -- UTF-8 encoded,
- -- [ISO10646] characters
-
-
-
-
-Sermersheim Standards Track [Page 54]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- LDAPOID ::= OCTET STRING -- Constrained to <numericoid>
- -- [RFC4512]
-
- LDAPDN ::= LDAPString -- Constrained to <distinguishedName>
- -- [RFC4514]
-
- RelativeLDAPDN ::= LDAPString -- Constrained to <name-component>
- -- [RFC4514]
-
- AttributeDescription ::= LDAPString
- -- Constrained to <attributedescription>
- -- [RFC4512]
-
- AttributeValue ::= OCTET STRING
-
- AttributeValueAssertion ::= SEQUENCE {
- attributeDesc AttributeDescription,
- assertionValue AssertionValue }
-
- AssertionValue ::= OCTET STRING
-
- PartialAttribute ::= SEQUENCE {
- type AttributeDescription,
- vals SET OF value AttributeValue }
-
- Attribute ::= PartialAttribute(WITH COMPONENTS {
- ...,
- vals (SIZE(1..MAX))})
-
- MatchingRuleId ::= LDAPString
-
- LDAPResult ::= SEQUENCE {
- resultCode ENUMERATED {
- success (0),
- operationsError (1),
- protocolError (2),
- timeLimitExceeded (3),
- sizeLimitExceeded (4),
- compareFalse (5),
- compareTrue (6),
- authMethodNotSupported (7),
- strongerAuthRequired (8),
- -- 9 reserved --
- referral (10),
- adminLimitExceeded (11),
- unavailableCriticalExtension (12),
- confidentialityRequired (13),
- saslBindInProgress (14),
-
-
-
-Sermersheim Standards Track [Page 55]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- noSuchAttribute (16),
- undefinedAttributeType (17),
- inappropriateMatching (18),
- constraintViolation (19),
- attributeOrValueExists (20),
- invalidAttributeSyntax (21),
- -- 22-31 unused --
- noSuchObject (32),
- aliasProblem (33),
- invalidDNSyntax (34),
- -- 35 reserved for undefined isLeaf --
- aliasDereferencingProblem (36),
- -- 37-47 unused --
- inappropriateAuthentication (48),
- invalidCredentials (49),
- insufficientAccessRights (50),
- busy (51),
- unavailable (52),
- unwillingToPerform (53),
- loopDetect (54),
- -- 55-63 unused --
- namingViolation (64),
- objectClassViolation (65),
- notAllowedOnNonLeaf (66),
- notAllowedOnRDN (67),
- entryAlreadyExists (68),
- objectClassModsProhibited (69),
- -- 70 reserved for CLDAP --
- affectsMultipleDSAs (71),
- -- 72-79 unused --
- other (80),
- ... },
- matchedDN LDAPDN,
- diagnosticMessage LDAPString,
- referral [3] Referral OPTIONAL }
-
- Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI
-
- URI ::= LDAPString -- limited to characters permitted in
- -- URIs
-
- Controls ::= SEQUENCE OF control Control
-
- Control ::= SEQUENCE {
- controlType LDAPOID,
- criticality BOOLEAN DEFAULT FALSE,
- controlValue OCTET STRING OPTIONAL }
-
-
-
-
-Sermersheim Standards Track [Page 56]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- BindRequest ::= [APPLICATION 0] SEQUENCE {
- version INTEGER (1 .. 127),
- name LDAPDN,
- authentication AuthenticationChoice }
-
- AuthenticationChoice ::= CHOICE {
- simple [0] OCTET STRING,
- -- 1 and 2 reserved
- sasl [3] SaslCredentials,
- ... }
-
- SaslCredentials ::= SEQUENCE {
- mechanism LDAPString,
- credentials OCTET STRING OPTIONAL }
-
- BindResponse ::= [APPLICATION 1] SEQUENCE {
- COMPONENTS OF LDAPResult,
- serverSaslCreds [7] OCTET STRING OPTIONAL }
-
- UnbindRequest ::= [APPLICATION 2] NULL
-
- SearchRequest ::= [APPLICATION 3] SEQUENCE {
- baseObject LDAPDN,
- scope ENUMERATED {
- baseObject (0),
- singleLevel (1),
- wholeSubtree (2),
- ... },
- derefAliases ENUMERATED {
- neverDerefAliases (0),
- derefInSearching (1),
- derefFindingBaseObj (2),
- derefAlways (3) },
- sizeLimit INTEGER (0 .. maxInt),
- timeLimit INTEGER (0 .. maxInt),
- typesOnly BOOLEAN,
- filter Filter,
- attributes AttributeSelection }
-
- AttributeSelection ::= SEQUENCE OF selector LDAPString
- -- The LDAPString is constrained to
- -- <attributeSelector> in Section 4.5.1.8
-
- Filter ::= CHOICE {
- and [0] SET SIZE (1..MAX) OF filter Filter,
- or [1] SET SIZE (1..MAX) OF filter Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
-
-
-
-Sermersheim Standards Track [Page 57]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeDescription,
- approxMatch [8] AttributeValueAssertion,
- extensibleMatch [9] MatchingRuleAssertion,
- ... }
-
- SubstringFilter ::= SEQUENCE {
- type AttributeDescription,
- substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE {
- initial [0] AssertionValue, -- can occur at most once
- any [1] AssertionValue,
- final [2] AssertionValue } -- can occur at most once
- }
-
- MatchingRuleAssertion ::= SEQUENCE {
- matchingRule [1] MatchingRuleId OPTIONAL,
- type [2] AttributeDescription OPTIONAL,
- matchValue [3] AssertionValue,
- dnAttributes [4] BOOLEAN DEFAULT FALSE }
-
- SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
- objectName LDAPDN,
- attributes PartialAttributeList }
-
- PartialAttributeList ::= SEQUENCE OF
- partialAttribute PartialAttribute
-
- SearchResultReference ::= [APPLICATION 19] SEQUENCE
- SIZE (1..MAX) OF uri URI
-
- SearchResultDone ::= [APPLICATION 5] LDAPResult
-
- ModifyRequest ::= [APPLICATION 6] SEQUENCE {
- object LDAPDN,
- changes SEQUENCE OF change SEQUENCE {
- operation ENUMERATED {
- add (0),
- delete (1),
- replace (2),
- ... },
- modification PartialAttribute } }
-
- ModifyResponse ::= [APPLICATION 7] LDAPResult
-
-
-
-
-
-
-Sermersheim Standards Track [Page 58]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- AddRequest ::= [APPLICATION 8] SEQUENCE {
- entry LDAPDN,
- attributes AttributeList }
-
- AttributeList ::= SEQUENCE OF attribute Attribute
-
- AddResponse ::= [APPLICATION 9] LDAPResult
-
- DelRequest ::= [APPLICATION 10] LDAPDN
-
- DelResponse ::= [APPLICATION 11] LDAPResult
-
- ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
- entry LDAPDN,
- newrdn RelativeLDAPDN,
- deleteoldrdn BOOLEAN,
- newSuperior [0] LDAPDN OPTIONAL }
-
- ModifyDNResponse ::= [APPLICATION 13] LDAPResult
-
- CompareRequest ::= [APPLICATION 14] SEQUENCE {
- entry LDAPDN,
- ava AttributeValueAssertion }
-
- CompareResponse ::= [APPLICATION 15] LDAPResult
-
- AbandonRequest ::= [APPLICATION 16] MessageID
-
- ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
- requestName [0] LDAPOID,
- requestValue [1] OCTET STRING OPTIONAL }
-
- ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
- COMPONENTS OF LDAPResult,
- responseName [10] LDAPOID OPTIONAL,
- responseValue [11] OCTET STRING OPTIONAL }
-
- IntermediateResponse ::= [APPLICATION 25] SEQUENCE {
- responseName [0] LDAPOID OPTIONAL,
- responseValue [1] OCTET STRING OPTIONAL }
-
- END
-
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 59]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-Appendix C. Changes
-
- This appendix is non-normative.
-
- This appendix summarizes substantive changes made to RFC 2251, RFC
- 2830, and RFC 3771.
-
-C.1. Changes Made to RFC 2251
-
- This section summarizes the substantive changes made to Sections 1,
- 2, 3.1, and 4, and the remainder of RFC 2251. Readers should
- consult [RFC4512] and [RFC4513] for summaries of changes to other
- sections.
-
-C.1.1. Section 1 (Status of this Memo)
-
- - Removed IESG note. Post publication of RFC 2251, mandatory LDAP
- authentication mechanisms have been standardized which are
- sufficient to remove this note. See [RFC4513] for authentication
- mechanisms.
-
-C.1.2. Section 3.1 (Protocol Model) and others
-
- - Removed notes giving history between LDAP v1, v2, and v3. Instead,
- added sufficient language so that this document can stand on its
- own.
-
-C.1.3. Section 4 (Elements of Protocol)
-
- - Clarified where the extensibility features of ASN.1 apply to the
- protocol. This change affected various ASN.1 types by the
- inclusion of ellipses (...) to certain elements.
- - Removed the requirement that servers that implement version 3 or
- later MUST provide the 'supportedLDAPVersion' attribute. This
- statement provided no interoperability advantages.
-
-C.1.4. Section 4.1.1 (Message Envelope)
-
- - There was a mandatory requirement for the server to return a
- Notice of Disconnection and drop the transport connection when a
- PDU is malformed in a certain way. This has been updated such that
- the server SHOULD return the Notice of Disconnection, and it MUST
- terminate the LDAP Session.
-
-C.1.5. Section 4.1.1.1 (Message ID)
-
- - Required that the messageID of requests MUST be non-zero as the
- zero is reserved for Notice of Disconnection.
-
-
-
-Sermersheim Standards Track [Page 60]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- - Specified when it is and isn't appropriate to return an already
- used messageID. RFC 2251 accidentally imposed synchronous server
- behavior in its wording of this.
-
-C.1.6. Section 4.1.2 (String Types)
-
- - Stated that LDAPOID is constrained to <numericoid> from [RFC4512].
-
-C.1.7. Section 4.1.5.1 (Binary Option) and others
-
- - Removed the Binary Option from the specification. There are
- numerous interoperability problems associated with this method of
- alternate attribute type encoding. Work to specify a suitable
- replacement is ongoing.
-
-C.1.8. Section 4.1.8 (Attribute)
-
- - Combined the definitions of PartialAttribute and Attribute here,
- and defined Attribute in terms of PartialAttribute.
-
-C.1.9. Section 4.1.10 (Result Message)
-
- - Renamed "errorMessage" to "diagnosticMessage" as it is allowed to
- be sent for non-error results.
- - Moved some language into Appendix A, and referred the reader there.
- - Allowed matchedDN to be present for other result codes than those
- listed in RFC 2251.
- - Renamed the code "strongAuthRequired" to "strongerAuthRequired" to
- clarify that this code may often be returned to indicate that a
- stronger authentication is needed to perform a given operation.
-
-C.1.10. Section 4.1.11 (Referral)
-
- - Defined referrals in terms of URIs rather than URLs.
- - Removed the requirement that all referral URIs MUST be equally
- capable of progressing the operation. The statement was ambiguous
- and provided no instructions on how to carry it out.
- - Added the requirement that clients MUST NOT loop between servers.
- - Clarified the instructions for using LDAPURLs in referrals, and in
- doing so added a recommendation that the scope part be present.
- - Removed imperatives which required clients to use URLs in specific
- ways to progress an operation. These did nothing for
- interoperability.
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 61]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-C.1.11. Section 4.1.12 (Controls)
-
- - Specified how control values defined in terms of ASN.1 are to be
- encoded.
- - Noted that the criticality field is only applied to request
- messages (except UnbindRequest), and must be ignored when present
- on response messages and UnbindRequest.
- - Specified that non-critical controls may be ignored at the
- server's discretion. There was confusion in the original wording
- which led some to believe that recognized controls may not be
- ignored as long as they were associated with a proper request.
- - Added language regarding combinations of controls and the ordering
- of controls on a message.
- - Specified that when the semantics of the combination of controls
- is undefined or unknown, it results in a protocolError.
- - Changed "The server MUST be prepared" to "Implementations MUST be
- prepared" in paragraph 8 to reflect that both client and server
- implementations must be able to handle this (as both parse
- controls).
-
-C.1.12. Section 4.2 (Bind Operation)
-
- - Mandated that servers return protocolError when the version is not
- supported.
- - Disambiguated behavior when the simple authentication is used, the
- name is empty, and the password is non-empty.
- - Required servers to not dereference aliases for Bind. This was
- added for consistency with other operations and to help ensure
- data consistency.
- - Required that textual passwords be transferred as UTF-8 encoded
- Unicode, and added recommendations on string preparation. This was
- to help ensure interoperability of passwords being sent from
- different clients.
-
-C.1.13. Section 4.2.1 (Sequencing of the Bind Request)
-
- - This section was largely reorganized for readability, and language
- was added to clarify the authentication state of failed and
- abandoned Bind operations.
- - Removed: "If a SASL transfer encryption or integrity mechanism has
- been negotiated, that mechanism does not support the changing of
- credentials from one identity to another, then the client MUST
- instead establish a new connection."
- If there are dependencies between multiple negotiations of a
- particular SASL mechanism, the technical specification for that
- SASL mechanism details how applications are to deal with them.
- LDAP should not require any special handling.
- - Dropped MUST imperative in paragraph 3 to align with [RFC2119].
-
-
-
-Sermersheim Standards Track [Page 62]
-�
-RFC 4511 LDAPv3 June 2006
-
-
- - Mandated that clients not send non-Bind operations while a Bind is
- in progress, and suggested that servers not process them if they
- are received. This is needed to ensure proper sequencing of the
- Bind in relationship to other operations.
-
-C.1.14. Section 4.2.3 (Bind Response)
-
- - Moved most error-related text to Appendix A, and added text
- regarding certain errors used in conjunction with the Bind
- operation.
- - Prohibited the server from specifying serverSaslCreds when not
- appropriate.
-
-C.1.15. Section 4.3 (Unbind Operation)
-
- - Specified that both peers are to cease transmission and terminate
- the LDAP session for the Unbind operation.
-
-C.1.16. Section 4.4 (Unsolicited Notification)
-
- - Added instructions for future specifications of Unsolicited
- Notifications.
-
-C.1.17. Section 4.5.1 (Search Request)
-
- - SearchRequest attributes is now defined as an AttributeSelection
- type rather than AttributeDescriptionList, and an ABNF is
- provided.
- - SearchRequest attributes may contain duplicate attribute
- descriptions. This was previously prohibited. Now servers are
- instructed to ignore subsequent names when they are duplicated.
- This was relaxed in order to allow different short names and also
- OIDs to be requested for an attribute.
- - The present search filter now evaluates to Undefined when the
- specified attribute is not known to the server. It used to
- evaluate to FALSE, which caused behavior inconsistent with what
- most would expect, especially when the 'not' operator was used.
- - The Filter choice SubstringFilter substrings type is now defined
- with a lower bound of 1.
- - The SubstringFilter substrings 'initial, 'any', and 'final' types
- are now AssertionValue rather than LDAPString. Also, added
- imperatives stating that 'initial' (if present) must be listed
- first, and 'final' (if present) must be listed last.
- - Disambiguated the semantics of the derefAliases choices. There was
- question as to whether derefInSearching applied to the base object
- in a wholeSubtree Search.
- - Added instructions for equalityMatch, substrings, greaterOrEqual,
- lessOrEqual, and approxMatch.
-
-
-
-Sermersheim Standards Track [Page 63]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-
-C.1.18. Section 4.5.2 (Search Result)
-
- - Recommended that servers not use attribute short names when it
- knows they are ambiguous or may cause interoperability problems.
- - Removed all mention of ExtendedResponse due to lack of
- implementation.
-
-C.1.19. Section 4.5.3 (Continuation References in the Search Result)
-
- - Made changes similar to those made to Section 4.1.11.
-
-C.1.20. Section 4.5.3.1 (Example)
-
- - Fixed examples to adhere to changes made to Section 4.5.3.
-
-C.1.21. Section 4.6 (Modify Operation)
-
- - Replaced AttributeTypeAndValues with Attribute as they are
- equivalent.
- - Specified the types of modification changes that might
- temporarily violate schema. Some readers were under the impression
- that any temporary schema violation was allowed.
-
-C.1.22. Section 4.7 (Add Operation)
-
- - Aligned Add operation with X.511 in that the attributes of the RDN
- are used in conjunction with the listed attributes to create the
- entry. Previously, Add required that the distinguished values be
- present in the listed attributes.
- - Removed requirement that the objectClass attribute MUST be
- specified as some DSE types do not require this attribute.
- Instead, generic wording was added, requiring the added entry to
- adhere to the data model.
- - Removed recommendation regarding placement of objects. This is
- covered in the data model document.
-
-C.1.23. Section 4.9 (Modify DN Operation)
-
- - Required servers to not dereference aliases for Modify DN. This
- was added for consistency with other operations and to help ensure
- data consistency.
- - Allow Modify DN to fail when moving between naming contexts.
- - Specified what happens when the attributes of the newrdn are not
- present on the entry.
-
-
-
-
-
-
-Sermersheim Standards Track [Page 64]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-C.1.24. Section 4.10 (Compare Operation)
-
- - Specified that compareFalse means that the Compare took place and
- the result is false. There was confusion that led people to
- believe that an Undefined match resulted in compareFalse.
- - Required servers to not dereference aliases for Compare. This was
- added for consistency with other operations and to help ensure
- data consistency.
-
-C.1.25. Section 4.11 (Abandon Operation)
-
- - Explained that since Abandon returns no response, clients should
- not use it if they need to know the outcome.
- - Specified that Abandon and Unbind cannot be abandoned.
-
-C.1.26. Section 4.12 (Extended Operation)
-
- - Specified how values of Extended operations defined in terms of
- ASN.1 are to be encoded.
- - Added instructions on what Extended operation specifications
- consist of.
- - Added a recommendation that servers advertise supported Extended
- operations.
-
-C.1.27. Section 5.2 (Transfer Protocols)
-
- - Moved referral-specific instructions into referral-related
- sections.
-
-C.1.28. Section 7 (Security Considerations)
-
- - Reworded notes regarding SASL not protecting certain aspects of
- the LDAP Bind messages.
- - Noted that Servers are encouraged to prevent directory
- modifications by clients that have authenticated anonymously
- [RFC4513].
- - Added a note regarding the possibility of changes to security
- factors (authentication, authorization, and data confidentiality).
- - Warned against following referrals that may have been injected in
- the data stream.
- - Noted that servers should protect information equally, whether in
- an error condition or not, and mentioned matchedDN,
- diagnosticMessage, and resultCodes specifically.
- - Added a note regarding malformed and long encodings.
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 65]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-C.1.29. Appendix A (Complete ASN.1 Definition)
-
- - Added "EXTENSIBILITY IMPLIED" to ASN.1 definition.
- - Removed AttributeType. It is not used.
-
-C.2. Changes Made to RFC 2830
-
- This section summarizes the substantive changes made to Sections of
- RFC 2830. Readers should consult [RFC4513] for summaries of changes
- to other sections.
-
-C.2.1. Section 2.3 (Response other than "success")
-
- - Removed wording indicating that referrals can be returned from
- StartTLS.
- - Removed requirement that only a narrow set of result codes can be
- returned. Some result codes are required in certain scenarios, but
- any other may be returned if appropriate.
- - Removed requirement that the ExtendedResponse.responseName MUST be
- present. There are circumstances where this is impossible, and
- requiring this is at odds with language in Section 4.12.
-
-C.2.1. Section 4 (Closing a TLS Connection)
-
- - Reworded most of this section to align with definitions of the
- LDAP protocol layers.
- - Removed instructions on abrupt closure as this is covered in other
- areas of the document (specifically, Section 5.3)
-
-C.3. Changes Made to RFC 3771
-
- - Rewrote to fit into this document. In general, semantics were
- preserved. Supporting and background language seen as redundant
- due to its presence in this document was omitted.
-
- - Specified that Intermediate responses to a request may be of
- different types, and one of the response types may be specified to
- have no response value.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 66]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-Editor's Address
-
- Jim Sermersheim
- Novell, Inc.
- 1800 South Novell Place
- Provo, Utah 84606, USA
-
- Phone: +1 801 861-3088
- EMail: jimse at novell.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 67]
-�
-RFC 4511 LDAPv3 June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Sermersheim Standards Track [Page 68]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4512.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4512.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4512.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,2915 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4512 OpenLDAP Foundation
-Obsoletes: 2251, 2252, 2256, 3674 June 2006
-Category: Standards Track
-
-
- Lightweight Directory Access Protocol (LDAP):
- Directory Information Models
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- The Lightweight Directory Access Protocol (LDAP) is an Internet
- protocol for accessing distributed directory services that act in
- accordance with X.500 data and service models. This document
- describes the X.500 Directory Information Models, as used in LDAP.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4512 LDAP Models June 2006
-
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 1.1. Relationship to Other LDAP Specifications ..................3
- 1.2. Relationship to X.501 ......................................4
- 1.3. Conventions ................................................4
- 1.4. Common ABNF Productions ....................................4
- 2. Model of Directory User Information .............................6
- 2.1. The Directory Information Tree .............................7
- 2.2. Structure of an Entry ......................................7
- 2.3. Naming of Entries ..........................................8
- 2.4. Object Classes .............................................9
- 2.5. Attribute Descriptions ....................................12
- 2.6. Alias Entries .............................................16
- 3. Directory Administrative and Operational Information ...........17
- 3.1. Subtrees ..................................................17
- 3.2. Subentries ................................................18
- 3.3. The 'objectClass' attribute ...............................18
- 3.4. Operational Attributes ....................................19
- 4. Directory Schema ...............................................22
- 4.1. Schema Definitions ........................................23
- 4.2. Subschema Subentries ......................................32
- 4.3. 'extensibleObject' object class ...........................35
- 4.4. Subschema Discovery .......................................35
- 5. DSA (Server) Informational Model ...............................36
- 5.1. Server-Specific Data Requirements .........................36
- 6. Other Considerations ...........................................40
- 6.1. Preservation of User Information ..........................40
- 6.2. Short Names ...............................................41
- 6.3. Cache and Shadowing .......................................41
- 7. Implementation Guidelines ......................................42
- 7.1. Server Guidelines .........................................42
- 7.2. Client Guidelines .........................................42
- 8. Security Considerations ........................................43
- 9. IANA Considerations ............................................43
- 10. Acknowledgements ..............................................44
- 11. Normative References ..........................................45
- Appendix A. Changes ...............................................47
- A.1. Changes to RFC 2251 .......................................47
- A.2. Changes to RFC 2252 .......................................49
- A.3. Changes to RFC 2256 .......................................50
- A.4. Changes to RFC 3674 .......................................51
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4512 LDAP Models June 2006
-
-
-1. Introduction
-
- This document discusses the X.500 Directory Information Models
- [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
- [RFC4510].
-
- The Directory is "a collection of open systems cooperating to provide
- directory services" [X.500]. The information held in the Directory
- is collectively known as the Directory Information Base (DIB). A
- Directory user, which may be a human or other entity, accesses the
- Directory through a client (or Directory User Agent (DUA)). The
- client, on behalf of the directory user, interacts with one or more
- servers (or Directory System Agents (DSA)). A server holds a
- fragment of the DIB.
-
- The DIB contains two classes of information:
-
- 1) user information (e.g., information provided and administrated
- by users). Section 2 describes the Model of User Information.
-
- 2) administrative and operational information (e.g., information
- used to administer and/or operate the directory). Section 3
- describes the model of Directory Administrative and Operational
- Information.
-
- These two models, referred to as the generic Directory Information
- Models, describe how information is represented in the Directory.
- These generic models provide a framework for other information
- models. Section 4 discusses the subschema information model and
- subschema discovery. Section 5 discusses the DSA (Server)
- Informational Model.
-
- Other X.500 information models (such as access control distribution
- knowledge and replication knowledge information models) may be
- adapted for use in LDAP. Specification of how these models apply to
- LDAP is left to future documents.
-
-1.1. Relationship to Other LDAP Specifications
-
- This document is a integral part of the LDAP technical specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification, RFC 3377, in its entirety.
-
- This document obsoletes RFC 2251, Sections 3.2 and 3.4, as well as
- portions of Sections 4 and 6. Appendix A.1 summarizes changes to
- these sections. The remainder of RFC 2251 is obsoleted by the
- [RFC4511], [RFC4513], and [RFC4510] documents.
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4512 LDAP Models June 2006
-
-
- This document obsoletes RFC 2252, Sections 4, 5, and 7. Appendix A.2
- summarizes changes to these sections. The remainder of RFC 2252 is
- obsoleted by [RFC4517].
-
- This document obsoletes RFC 2256, Sections 5.1, 5.2, 7.1, and 7.2.
- Appendix A.3 summarizes changes to these sections. The remainder of
- RFC 2256 is obsoleted by [RFC4519] and [RFC4517].
-
- This document obsoletes RFC 3674 in its entirety. Appendix A.4
- summarizes changes since RFC 3674.
-
-1.2. Relationship to X.501
-
- This document includes material, with and without adaptation, from
- [X.501] as necessary to describe this protocol. These adaptations
- (and any other differences herein) apply to this protocol, and only
- this protocol.
-
-1.3. Conventions
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
- Schema definitions are provided using LDAP description formats (as
- defined in Section 4.1). Definitions provided here are formatted
- (line wrapped) for readability. Matching rules and LDAP syntaxes
- referenced in these definitions are specified in [RFC4517].
-
-1.4. Common ABNF Productions
-
- A number of syntaxes in this document are described using Augmented
- Backus-Naur Form (ABNF) [RFC4234]. These syntaxes (as well as a
- number of syntaxes defined in other documents) rely on the following
- common productions:
-
- keystring = leadkeychar *keychar
- leadkeychar = ALPHA
- keychar = ALPHA / DIGIT / HYPHEN
- number = DIGIT / ( LDIGIT 1*DIGIT )
-
- ALPHA = %x41-5A / %x61-7A ; "A"-"Z" / "a"-"z"
- DIGIT = %x30 / LDIGIT ; "0"-"9"
- LDIGIT = %x31-39 ; "1"-"9"
- HEX = DIGIT / %x41-46 / %x61-66 ; "0"-"9" / "A"-"F" / "a"-"f"
-
- SP = 1*SPACE ; one or more " "
- WSP = 0*SPACE ; zero or more " "
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4512 LDAP Models June 2006
-
-
- NULL = %x00 ; null (0)
- SPACE = %x20 ; space (" ")
- DQUOTE = %x22 ; quote (""")
- SHARP = %x23 ; octothorpe (or sharp sign) ("#")
- DOLLAR = %x24 ; dollar sign ("$")
- SQUOTE = %x27 ; single quote ("'")
- LPAREN = %x28 ; left paren ("(")
- RPAREN = %x29 ; right paren (")")
- PLUS = %x2B ; plus sign ("+")
- COMMA = %x2C ; comma (",")
- HYPHEN = %x2D ; hyphen ("-")
- DOT = %x2E ; period (".")
- SEMI = %x3B ; semicolon (";")
- LANGLE = %x3C ; left angle bracket ("<")
- EQUALS = %x3D ; equals sign ("=")
- RANGLE = %x3E ; right angle bracket (">")
- ESC = %x5C ; backslash ("\")
- USCORE = %x5F ; underscore ("_")
- LCURLY = %x7B ; left curly brace "{"
- RCURLY = %x7D ; right curly brace "}"
-
- ; Any UTF-8 [RFC3629] encoded Unicode [Unicode] character
- UTF8 = UTF1 / UTFMB
- UTFMB = UTF2 / UTF3 / UTF4
- UTF0 = %x80-BF
- UTF1 = %x00-7F
- UTF2 = %xC2-DF UTF0
- UTF3 = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) /
- %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)
- UTF4 = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /
- %xF4 %x80-8F 2(UTF0)
-
- OCTET = %x00-FF ; Any octet (8-bit data unit)
-
- Object identifiers (OIDs) [X.680] are represented in LDAP using a
- dot-decimal format conforming to the ABNF:
-
- numericoid = number 1*( DOT number )
-
- Short names, also known as descriptors, are used as more readable
- aliases for object identifiers. Short names are case insensitive and
- conform to the ABNF:
-
- descr = keystring
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4512 LDAP Models June 2006
-
-
- Where either an object identifier or a short name may be specified,
- the following production is used:
-
- oid = descr / numericoid
-
- While the <descr> form is generally preferred when the usage is
- restricted to short names referring to object identifiers that
- identify like kinds of objects (e.g., attribute type descriptions,
- matching rule descriptions, object class descriptions), the
- <numericoid> form should be used when the object identifiers may
- identify multiple kinds of objects or when an unambiguous short name
- (descriptor) is not available.
-
- Implementations SHOULD treat short names (descriptors) used in an
- ambiguous manner (as discussed above) as unrecognized.
-
- Short Names (descriptors) are discussed further in Section 6.2.
-
-2. Model of Directory User Information
-
- As [X.501] states:
-
- The purpose of the Directory is to hold, and provide access to,
- information about objects of interest (objects) in some 'world'.
- An object can be anything which is identifiable (can be named).
-
- An object class is an identified family of objects, or conceivable
- objects, which share certain characteristics. Every object
- belongs to at least one class. An object class may be a subclass
- of other object classes, in which case the members of the former
- class, the subclass, are also considered to be members of the
- latter classes, the superclasses. There may be subclasses of
- subclasses, etc., to an arbitrary depth.
-
- A directory entry, a named collection of information, is the basic
- unit of information held in the Directory. There are multiple kinds
- of directory entries.
-
- An object entry represents a particular object. An alias entry
- provides alternative naming. A subentry holds administrative and/or
- operational information.
-
- The set of entries representing the DIB are organized hierarchically
- in a tree structure known as the Directory Information Tree (DIT).
-
- Section 2.1 describes the Directory Information Tree.
- Section 2.2 discusses the structure of entries.
- Section 2.3 discusses naming of entries.
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4512 LDAP Models June 2006
-
-
- Section 2.4 discusses object classes.
- Section 2.5 discusses attribute descriptions.
- Section 2.6 discusses alias entries.
-
-2.1. The Directory Information Tree
-
- As noted above, the DIB is composed of a set of entries organized
- hierarchically in a tree structure known as the Directory Information
- Tree (DIT); specifically, a tree where vertices are the entries.
-
- The arcs between vertices define relations between entries. If an
- arc exists from X to Y, then the entry at X is the immediate superior
- of Y, and Y is the immediate subordinate of X. An entry's superiors
- are the entry's immediate superior and its superiors. An entry's
- subordinates are all of its immediate subordinates and their
- subordinates.
-
- Similarly, the superior/subordinate relationship between object
- entries can be used to derive a relation between the objects they
- represent. DIT structure rules can be used to govern relationships
- between objects.
-
- Note: An entry's immediate superior is also known as the entry's
- parent, and an entry's immediate subordinate is also known as
- the entry's child. Entries that have the same parent are known
- as siblings.
-
-2.2. Structure of an Entry
-
- An entry consists of a set of attributes that hold information about
- the object that the entry represents. Some attributes represent user
- information and are called user attributes. Other attributes
- represent operational and/or administrative information and are
- called operational attributes.
-
- An attribute is an attribute description (a type and zero or more
- options) with one or more associated values. An attribute is often
- referred to by its attribute description. For example, the
- 'givenName' attribute is the attribute that consists of the attribute
- description 'givenName' (the 'givenName' attribute type [RFC4519] and
- zero options) and one or more associated values.
-
- The attribute type governs whether the attribute can have multiple
- values, the syntax and matching rules used to construct and compare
- values of that attribute, and other functions. Options indicate
- subtypes and other functions.
-
- Attribute values conform to the defined syntax of the attribute type.
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 4512 LDAP Models June 2006
-
-
- No two values of an attribute may be equivalent. Two values are
- considered equivalent if and only if they would match according to
- the equality matching rule of the attribute type. Or, if the
- attribute type is defined with no equality matching rule, two values
- are equivalent if and only if they are identical. (See 2.5.1 for
- other restrictions.)
-
- For example, a 'givenName' attribute can have more than one value,
- they must be Directory Strings, and they are case insensitive. A
- 'givenName' attribute cannot hold both "John" and "JOHN", as these
- are equivalent values per the equality matching rule of the attribute
- type.
-
- Additionally, no attribute is to have a value that is not equivalent
- to itself. For example, the 'givenName' attribute cannot have as a
- value a directory string that includes the REPLACEMENT CHARACTER
- (U+FFFD) code point, as matching involving that directory string is
- Undefined per this attribute's equality matching rule.
-
- When an attribute is used for naming of the entry, one and only one
- value of the attribute is used in forming the Relative Distinguished
- Name. This value is known as a distinguished value.
-
-2.3. Naming of Entries
-
-2.3.1. Relative Distinguished Names
-
- Each entry is named relative to its immediate superior. This
- relative name, known as its Relative Distinguished Name (RDN)
- [X.501], is composed of an unordered set of one or more attribute
- value assertions (AVA) consisting of an attribute description with
- zero options and an attribute value. These AVAs are chosen to match
- attribute values (each a distinguished value) of the entry.
-
- An entry's relative distinguished name must be unique among all
- immediate subordinates of the entry's immediate superior (i.e., all
- siblings).
-
- The following are examples of string representations of RDNs
- [RFC4514]:
-
- UID=12345
- OU=Engineering
- CN=Kurt Zeilenga+L=Redwood Shores
-
- The last is an example of a multi-valued RDN; that is, an RDN
- composed of multiple AVAs.
-
-
-
-
-Zeilenga Standards Track [Page 8]
-�
-RFC 4512 LDAP Models June 2006
-
-
-2.3.2. Distinguished Names
-
- An entry's fully qualified name, known as its Distinguished Name (DN)
- [X.501], is the concatenation of its RDN and its immediate superior's
- DN. A Distinguished Name unambiguously refers to an entry in the
- tree. The following are examples of string representations of DNs
- [RFC4514]:
-
- UID=nobody at example.com,DC=example,DC=com
- CN=John Smith,OU=Sales,O=ACME Limited,L=Moab,ST=Utah,C=US
-
-2.3.3. Alias Names
-
- An alias, or alias name, is "an name for an object, provided by the
- use of alias entries" [X.501]. Alias entries are described in
- Section 2.6.
-
-2.4. Object Classes
-
- An object class is "an identified family of objects (or conceivable
- objects) that share certain characteristics" [X.501].
-
- As defined in [X.501]:
-
- Object classes are used in the Directory for a number of purposes:
-
- - describing and categorizing objects and the entries that
- correspond to these objects;
-
- - where appropriate, controlling the operation of the Directory;
-
- - regulating, in conjunction with DIT structure rule
- specifications, the position of entries in the DIT;
-
- - regulating, in conjunction with DIT content rule
- specifications, the attributes that are contained in entries;
-
- - identifying classes of entry that are to be associated with a
- particular policy by the appropriate administrative authority.
-
- An object class (a subclass) may be derived from an object class
- (its direct superclass) which is itself derived from an even more
- generic object class. For structural object classes, this process
- stops at the most generic object class, 'top' (defined in Section
- 2.4.1). An ordered set of superclasses up to the most superior
- object class of an object class is its superclass chain.
-
-
-
-
-
-Zeilenga Standards Track [Page 9]
-�
-RFC 4512 LDAP Models June 2006
-
-
- An object class may be derived from two or more direct
- superclasses (superclasses not part of the same superclass chain).
- This feature of subclassing is termed multiple inheritance.
-
- Each object class identifies the set of attributes required to be
- present in entries belonging to the class and the set of attributes
- allowed to be present in entries belonging to the class. As an entry
- of a class must meet the requirements of each class it belongs to, it
- can be said that an object class inherits the sets of allowed and
- required attributes from its superclasses. A subclass can identify
- an attribute allowed by its superclass as being required. If an
- attribute is a member of both sets, it is required to be present.
-
- Each object class is defined to be one of three kinds of object
- classes: Abstract, Structural, or Auxiliary.
-
- Each object class is identified by an object identifier (OID) and,
- optionally, one or more short names (descriptors).
-
-2.4.1. Abstract Object Classes
-
- An abstract object class, as the name implies, provides a base of
- characteristics from which other object classes can be defined to
- inherit from. An entry cannot belong to an abstract object class
- unless it belongs to a structural or auxiliary class that inherits
- from that abstract class.
-
- Abstract object classes cannot derive from structural or auxiliary
- object classes.
-
- All structural object classes derive (directly or indirectly) from
- the 'top' abstract object class. Auxiliary object classes do not
- necessarily derive from 'top'.
-
- The following is the object class definition (see Section 4.1.1) for
- the 'top' object class:
-
- ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
-
- All entries belong to the 'top' abstract object class.
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 10]
-�
-RFC 4512 LDAP Models June 2006
-
-
-2.4.2. Structural Object Classes
-
- As stated in [X.501]:
-
- An object class defined for use in the structural specification of
- the DIT is termed a structural object class. Structural object
- classes are used in the definition of the structure of the names
- of the objects for compliant entries.
-
- An object or alias entry is characterized by precisely one
- structural object class superclass chain which has a single
- structural object class as the most subordinate object class.
- This structural object class is referred to as the structural
- object class of the entry.
-
- Structural object classes are related to associated entries:
-
- - an entry conforming to a structural object class shall
- represent the real-world object constrained by the object
- class;
-
- - DIT structure rules only refer to structural object classes;
- the structural object class of an entry is used to specify the
- position of the entry in the DIT;
-
- - the structural object class of an entry is used, along with an
- associated DIT content rule, to control the content of an
- entry.
-
- The structural object class of an entry shall not be changed.
-
- Each structural object class is a (direct or indirect) subclass of
- the 'top' abstract object class.
-
- Structural object classes cannot subclass auxiliary object classes.
-
- Each entry is said to belong to its structural object class as well
- as all classes in its structural object class's superclass chain.
-
-2.4.3. Auxiliary Object Classes
-
- Auxiliary object classes are used to augment the characteristics of
- entries. They are commonly used to augment the sets of attributes
- required and allowed to be present in an entry. They can be used to
- describe entries or classes of entries.
-
- Auxiliary object classes cannot subclass structural object classes.
-
-
-
-
-Zeilenga Standards Track [Page 11]
-�
-RFC 4512 LDAP Models June 2006
-
-
- An entry can belong to any subset of the set of auxiliary object
- classes allowed by the DIT content rule associated with the
- structural object class of the entry. If no DIT content rule is
- associated with the structural object class of the entry, the entry
- cannot belong to any auxiliary object class.
-
- The set of auxiliary object classes that an entry belongs to can
- change over time.
-
-2.5. Attribute Descriptions
-
- An attribute description is composed of an attribute type (see
- Section 2.5.1) and a set of zero or more attribute options (see
- Section 2.5.2).
-
- An attribute description is represented by the ABNF:
-
- attributedescription = attributetype options
- attributetype = oid
- options = *( SEMI option )
- option = 1*keychar
-
- where <attributetype> identifies the attribute type and each <option>
- identifies an attribute option. Both <attributetype> and <option>
- productions are case insensitive. The order in which <option>s
- appear is irrelevant. That is, any two <attributedescription>s that
- consist of the same <attributetype> and same set of <option>s are
- equivalent.
-
- Examples of valid attribute descriptions:
-
- 2.5.4.0
- cn;lang-de;lang-en
- owner
-
- An attribute description with an unrecognized attribute type is to be
- treated as unrecognized. Servers SHALL treat an attribute
- description with an unrecognized attribute option as unrecognized.
- Clients MAY treat an unrecognized attribute option as a tagging
- option (see Section 2.5.2.1).
-
- All attributes of an entry must have distinct attribute descriptions.
-
-2.5.1. Attribute Types
-
- An attribute type governs whether the attribute can have multiple
- values, the syntax and matching rules used to construct and compare
- values of that attribute, and other functions.
-
-
-
-Zeilenga Standards Track [Page 12]
-�
-RFC 4512 LDAP Models June 2006
-
-
- If no equality matching is specified for the attribute type:
-
- - the attribute (of the type) cannot be used for naming;
- - when adding the attribute (or replacing all values), no two
- values may be equivalent (see 2.2);
- - individual values of a multi-valued attribute are not to be
- independently added or deleted;
- - attribute value assertions (such as matching in search filters
- and comparisons) using values of such a type cannot be
- performed.
-
- Otherwise, the specified equality matching rule is to be used to
- evaluate attribute value assertions concerning the attribute type.
- The specified equality rule is to be transitive and commutative.
-
- The attribute type indicates whether the attribute is a user
- attribute or an operational attribute. If operational, the attribute
- type indicates the operational usage and whether or not the attribute
- is modifiable by users. Operational attributes are discussed in
- Section 3.4.
-
- An attribute type (a subtype) may derive from a more generic
- attribute type (a direct supertype). The following restrictions
- apply to subtyping:
-
- - a subtype must have the same usage as its direct supertype,
- - a subtype's syntax must be the same, or a refinement of, its
- supertype's syntax, and
- - a subtype must be collective [RFC3671] if its supertype is
- collective.
-
- An attribute description consisting of a subtype and no options is
- said to be the direct description subtype of the attribute
- description consisting of the subtype's direct supertype and no
- options.
-
- Each attribute type is identified by an object identifier (OID) and,
- optionally, one or more short names (descriptors).
-
-2.5.2. Attribute Options
-
- There are multiple kinds of attribute description options. The LDAP
- technical specification details one kind: tagging options.
-
- Not all options can be associated with attributes held in the
- directory. Tagging options can be.
-
-
-
-
-
-Zeilenga Standards Track [Page 13]
-�
-RFC 4512 LDAP Models June 2006
-
-
- Not all options can be used in conjunction with all attribute types.
- In such cases, the attribute description is to be treated as
- unrecognized.
-
- An attribute description that contains mutually exclusive options
- shall be treated as unrecognized. That is, "cn;x-bar;x-foo", where
- "x-foo" and "x-bar" are mutually exclusive, is to be treated as
- unrecognized.
-
- Other kinds of options may be specified in future documents. These
- documents must detail how new kinds of options they define relate to
- tagging options. In particular, these documents must detail whether
- or not new kinds of options can be associated with attributes held in
- the directory, how new kinds of options affect transfer of attribute
- values, and how new kinds of options are treated in attribute
- description hierarchies.
-
- Options are represented as short, case-insensitive textual strings
- conforming to the <option> production defined in Section 2.5 of this
- document.
-
- Procedures for registering options are detailed in BCP 64, RFC 4520
- [RFC4520].
-
-2.5.2.1. Tagging Options
-
- Attributes held in the directory can have attribute descriptions with
- any number of tagging options. Tagging options are never mutually
- exclusive.
-
- An attribute description with N tagging options is a direct
- (description) subtype of all attribute descriptions of the same
- attribute type and all but one of the N options. If the attribute
- type has a supertype, then the attribute description is also a direct
- (description) subtype of the attribute description of the supertype
- and the N tagging options. That is, 'cn;lang-de;lang-en' is a direct
- (description) subtype of 'cn;lang-de', 'cn;lang-en', and
- 'name;lang-de;lang-en' ('cn' is a subtype of 'name'; both are defined
- in [RFC4519]).
-
-2.5.3. Attribute Description Hierarchies
-
- An attribute description can be the direct subtype of zero or more
- other attribute descriptions as indicated by attribute type subtyping
- (as described in Section 2.5.1) or attribute tagging option subtyping
- (as described in Section 2.5.2.1). These subtyping relationships are
- used to form hierarchies of attribute descriptions and attributes.
-
-
-
-
-Zeilenga Standards Track [Page 14]
-�
-RFC 4512 LDAP Models June 2006
-
-
- As adapted from [X.501]:
-
- Attribute hierarchies allow access to the DIB with varying degrees
- of granularity. This is achieved by allowing the value components
- of attributes to be accessed by using either their specific
- attribute description (a direct reference to the attribute) or a
- more generic attribute description (an indirect reference).
-
- Semantically related attributes may be placed in a hierarchical
- relationship, the more specialized being placed subordinate to the
- more generalized. Searching for or retrieving attributes and
- their values is made easier by quoting the more generalized
- attribute description; a filter item so specified is evaluated for
- the more specialized descriptions as well as for the quoted
- description.
-
- Where subordinate specialized descriptions are selected to be
- returned as part of a search result these descriptions shall be
- returned if available. Where the more general descriptions are
- selected to be returned as part of a search result both the
- general and the specialized descriptions shall be returned, if
- available. An attribute value shall always be returned as a value
- of its own attribute description.
-
- All of the attribute descriptions in an attribute hierarchy are
- treated as distinct and unrelated descriptions for user
- modification of entry content.
-
- An attribute value stored in an object or alias entry is of
- precisely one attribute description. The description is indicated
- when the value is originally added to the entry.
-
- For the purpose of subschema administration of the entry, a
- specification that an attribute is required is fulfilled if the entry
- contains a value of an attribute description belonging to an
- attribute hierarchy where the attribute type of that description is
- the same as the required attribute's type. That is, a "MUST name"
- specification is fulfilled by 'name' or 'name;x-tag-option', but is
- not fulfilled by 'CN' or 'CN;x-tag-option' (even though 'CN' is a
- subtype of 'name'). Likewise, an entry may contain a value of an
- attribute description belonging to an attribute hierarchy where the
- attribute type of that description is either explicitly included in
- the definition of an object class to which the entry belongs or
- allowed by the DIT content rule applicable to that entry. That is,
- 'name' and 'name;x-tag-option' are allowed by "MAY name" (or by "MUST
- name"), but 'CN' and 'CN;x-tag-option' are not allowed by "MAY name"
- (or by "MUST name").
-
-
-
-
-Zeilenga Standards Track [Page 15]
-�
-RFC 4512 LDAP Models June 2006
-
-
- For the purposes of other policy administration, unless stated
- otherwise in the specification of the particular administrative
- model, all of the attribute descriptions in an attribute hierarchy
- are treated as distinct and unrelated descriptions.
-
-2.6. Alias Entries
-
- As adapted from [X.501]:
-
- An alias, or an alias name, for an object is an alternative name
- for an object or object entry which is provided by the use of
- alias entries.
-
- Each alias entry contains, within the 'aliasedObjectName'
- attribute (known as the 'aliasedEntryName' attribute in X.500), a
- name of some object. The distinguished name of the alias entry is
- thus also a name for this object.
-
- NOTE - The name within the 'aliasedObjectName' is said to be
- pointed to by the alias. It does not have to be the
- distinguished name of any entry.
-
- The conversion of an alias name to an object name is termed
- (alias) dereferencing and comprises the systematic replacement of
- alias names, where found within a purported name, by the value of
- the corresponding 'aliasedObjectName' attribute. The process may
- require the examination of more than one alias entry.
-
- Any particular entry in the DIT may have zero or more alias names.
- It therefore follows that several alias entries may point to the
- same entry. An alias entry may point to an entry that is not a
- leaf entry and may point to another alias entry.
-
- An alias entry shall have no subordinates, so that an alias entry
- is always a leaf entry.
-
- Every alias entry shall belong to the 'alias' object class.
-
- An entry with the 'alias' object class must also belong to an object
- class (or classes), or be governed by a DIT content rule, which
- allows suitable naming attributes to be present.
-
- Example:
-
- dn: cn=bar,dc=example,dc=com
- objectClass: top
- objectClass: alias
- objectClass: extensibleObject
-
-
-
-Zeilenga Standards Track [Page 16]
-�
-RFC 4512 LDAP Models June 2006
-
-
- cn: bar
- aliasedObjectName: cn=foo,dc=example,dc=com
-
-2.6.1. 'alias' Object Class
-
- Alias entries belong to the 'alias' object class.
-
- ( 2.5.6.1 NAME 'alias'
- SUP top STRUCTURAL
- MUST aliasedObjectName )
-
-2.6.2. 'aliasedObjectName' Attribute Type
-
- The 'aliasedObjectName' attribute holds the name of the entry an
- alias points to. The 'aliasedObjectName' attribute is known as the
- 'aliasedEntryName' attribute in X.500.
-
- ( 2.5.4.1 NAME 'aliasedObjectName'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE )
-
- The 'distinguishedNameMatch' matching rule and the DistinguishedName
- (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [RFC4517].
-
-3. Directory Administrative and Operational Information
-
- This section discusses select aspects of the X.500 Directory
- Administrative and Operational Information model [X.501]. LDAP
- implementations MAY support other aspects of this model.
-
-3.1. Subtrees
-
- As defined in [X.501]:
-
- A subtree is a collection of object and alias entries situated at
- the vertices of a tree. Subtrees do not contain subentries. The
- prefix sub, in subtree, emphasizes that the base (or root) vertex
- of this tree is usually subordinate to the root of the DIT.
-
- A subtree begins at some vertex and extends to some identifiable
- lower boundary, possibly extending to leaves. A subtree is always
- defined within a context which implicitly bounds the subtree. For
- example, the vertex and lower boundaries of a subtree defining a
- replicated area are bounded by a naming context.
-
-
-
-
-
-
-Zeilenga Standards Track [Page 17]
-�
-RFC 4512 LDAP Models June 2006
-
-
-3.2. Subentries
-
- A subentry is a "special sort of entry, known by the Directory, used
- to hold information associated with a subtree or subtree refinement"
- [X.501]. Subentries are used in Directory to hold for administrative
- and operational purposes as defined in [X.501]. Their use in LDAP is
- detailed in [RFC3672].
-
- The term "(sub)entry" in this specification indicates that servers
- implementing X.500(93) models are, in accordance with X.500(93) as
- described in [RFC3672], to use a subentry and that other servers are
- to use an object entry belonging to the appropriate auxiliary class
- normally used with the subentry (e.g., 'subschema' for subschema
- subentries) to mimic the subentry. This object entry's RDN SHALL be
- formed from a value of the 'cn' (commonName) attribute [RFC4519] (as
- all subentries are named with 'cn').
-
-3.3. The 'objectClass' attribute
-
- Each entry in the DIT has an 'objectClass' attribute.
-
- ( 2.5.4.0 NAME 'objectClass'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
- The 'objectIdentifierMatch' matching rule and the OBJECT IDENTIFIER
- (1.3.6.1.4.1.1466.115.121.1.38) syntax are defined in [RFC4517].
-
- The 'objectClass' attribute specifies the object classes of an entry,
- which (among other things) are used in conjunction with the
- controlling schema to determine the permitted attributes of an entry.
- Values of this attribute can be modified by clients, but the
- 'objectClass' attribute cannot be removed.
-
- Servers that follow X.500(93) models SHALL restrict modifications of
- this attribute to prevent the basic structural class of the entry
- from being changed. That is, one cannot change a 'person' into a
- 'country'.
-
- When creating an entry or adding an 'objectClass' value to an entry,
- all superclasses of the named classes SHALL be implicitly added as
- well if not already present. That is, if the auxiliary class 'x-a'
- is a subclass of the class 'x-b', adding 'x-a' to 'objectClass'
- causes 'x-b' to be implicitly added (if is not already present).
-
- Servers SHALL restrict modifications of this attribute to prevent
- superclasses of remaining 'objectClass' values from being deleted.
- That is, if the auxiliary class 'x-a' is a subclass of the auxiliary
-
-
-
-Zeilenga Standards Track [Page 18]
-�
-RFC 4512 LDAP Models June 2006
-
-
- class 'x-b' and the 'objectClass' attribute contains 'x-a' and 'x-b',
- an attempt to delete only 'x-b' from the 'objectClass' attribute is
- an error.
-
-3.4. Operational Attributes
-
- Some attributes, termed operational attributes, are used or
- maintained by servers for administrative and operational purposes.
- As stated in [X.501]: "There are three varieties of operational
- attributes: Directory operational attributes, DSA-shared operational
- attributes, and DSA-specific operational attributes".
-
- A directory operational attribute is used to represent operational
- and/or administrative information in the Directory Information Model.
- This includes operational attributes maintained by the server (e.g.,
- 'createTimestamp') as well as operational attributes that hold values
- administrated by the user (e.g., 'ditContentRules').
-
- A DSA-shared operational attribute is used to represent information
- of the DSA Information Model that is shared between DSAs.
-
- A DSA-specific operational attribute is used to represent information
- of the DSA Information Model that is specific to the DSA (though, in
- some cases, may be derived from information shared between DSAs;
- e.g., 'namingContexts').
-
- The DSA Information Model operational attributes are detailed in
- [X.501].
-
- Operational attributes are not normally visible. They are not
- returned in search results unless explicitly requested by name.
-
- Not all operational attributes are user modifiable.
-
- Entries may contain, among others, the following operational
- attributes:
-
- - creatorsName: the Distinguished Name of the user who added this
- entry to the directory,
-
- - createTimestamp: the time this entry was added to the directory,
-
- - modifiersName: the Distinguished Name of the user who last
- modified this entry, and
-
- - modifyTimestamp: the time this entry was last modified.
-
-
-
-
-
-Zeilenga Standards Track [Page 19]
-�
-RFC 4512 LDAP Models June 2006
-
-
- Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
- 'modifiersName', and 'modifyTimestamp' attributes for all entries of
- the DIT.
-
-3.4.1. 'creatorsName'
-
- This attribute appears in entries that were added using the protocol
- (e.g., using the Add operation). The value is the distinguished name
- of the creator.
-
- ( 2.5.18.3 NAME 'creatorsName'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE NO-USER-MODIFICATION
- USAGE directoryOperation )
-
- The 'distinguishedNameMatch' matching rule and the DistinguishedName
- (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [RFC4517].
-
-3.4.2. 'createTimestamp'
-
- This attribute appears in entries that were added using the protocol
- (e.g., using the Add operation). The value is the time the entry was
- added.
-
- ( 2.5.18.1 NAME 'createTimestamp'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- SINGLE-VALUE NO-USER-MODIFICATION
- USAGE directoryOperation )
-
- The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch'
- matching rules and the GeneralizedTime
- (1.3.6.1.4.1.1466.115.121.1.24) syntax are defined in [RFC4517].
-
-3.4.3. 'modifiersName'
-
- This attribute appears in entries that have been modified using the
- protocol (e.g., using the Modify operation). The value is the
- distinguished name of the last modifier.
-
- ( 2.5.18.4 NAME 'modifiersName'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE NO-USER-MODIFICATION
- USAGE directoryOperation )
-
-
-
-
-Zeilenga Standards Track [Page 20]
-�
-RFC 4512 LDAP Models June 2006
-
-
- The 'distinguishedNameMatch' matching rule and the DistinguishedName
- (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [RFC4517].
-
-3.4.4. 'modifyTimestamp'
-
- This attribute appears in entries that have been modified using the
- protocol (e.g., using the Modify operation). The value is the time
- the entry was last modified.
-
- ( 2.5.18.2 NAME 'modifyTimestamp'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- SINGLE-VALUE NO-USER-MODIFICATION
- USAGE directoryOperation )
-
- The 'generalizedTimeMatch' and 'generalizedTimeOrderingMatch'
- matching rules and the GeneralizedTime
- (1.3.6.1.4.1.1466.115.121.1.24) syntax are defined in [RFC4517].
-
-3.4.5. 'structuralObjectClass'
-
- This attribute indicates the structural object class of the entry.
-
- ( 2.5.21.9 NAME 'structuralObjectClass'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
- SINGLE-VALUE NO-USER-MODIFICATION
- USAGE directoryOperation )
-
- The 'objectIdentifierMatch' matching rule and OBJECT IDENTIFIER
- (1.3.6.1.4.1.1466.115.121.1.38) syntax is defined in [RFC4517].
-
-3.4.6. 'governingStructureRule'
-
- This attribute indicates the structure rule governing the entry.
-
- ( 2.5.21.10 NAME 'governingStructureRule'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE NO-USER-MODIFICATION
- USAGE directoryOperation )
-
- The 'integerMatch' matching rule and INTEGER
- (1.3.6.1.4.1.1466.115.121.1.27) syntax is defined in [RFC4517].
-
-
-
-
-
-
-Zeilenga Standards Track [Page 21]
-�
-RFC 4512 LDAP Models June 2006
-
-
-4. Directory Schema
-
- As defined in [X.501]:
-
- The Directory Schema is a set of definitions and constraints
- concerning the structure of the DIT, the possible ways entries are
- named, the information that can be held in an entry, the
- attributes used to represent that information and their
- organization into hierarchies to facilitate search and retrieval
- of the information and the ways in which values of attributes may
- be matched in attribute value and matching rule assertions.
-
- NOTE 1 - The schema enables the Directory system to, for example:
-
- - prevent the creation of subordinate entries of the wrong
- object-class (e.g., a country as a subordinate of a person);
-
- - prevent the addition of attribute-types to an entry
- inappropriate to the object-class (e.g., a serial number to a
- person's entry);
-
- - prevent the addition of an attribute value of a syntax not
- matching that defined for the attribute-type (e.g., a printable
- string to a bit string).
-
- Formally, the Directory Schema comprises a set of:
-
- a) Name Form definitions that define primitive naming relations
- for structural object classes;
-
- b) DIT Structure Rule definitions that define the names that
- entries may have and the ways in which the entries may be
- related to one another in the DIT;
-
- c) DIT Content Rule definitions that extend the specification of
- allowable attributes for entries beyond those indicated by the
- structural object classes of the entries;
-
- d) Object Class definitions that define the basic set of mandatory
- and optional attributes that shall be present, and may be
- present, respectively, in an entry of a given class, and which
- indicate the kind of object class that is being defined;
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 22]
-�
-RFC 4512 LDAP Models June 2006
-
-
- e) Attribute Type definitions that identify the object identifier
- by which an attribute is known, its syntax, associated matching
- rules, whether it is an operational attribute and if so its
- type, whether it is a collective attribute, whether it is
- permitted to have multiple values and whether or not it is
- derived from another attribute type;
-
- f) Matching Rule definitions that define matching rules.
-
- And in LDAP:
-
- g) LDAP Syntax definitions that define encodings used in LDAP.
-
-4.1. Schema Definitions
-
- Schema definitions in this section are described using ABNF and rely
- on the common productions specified in Section 1.2 as well as these:
-
- noidlen = numericoid [ LCURLY len RCURLY ]
- len = number
-
- oids = oid / ( LPAREN WSP oidlist WSP RPAREN )
- oidlist = oid *( WSP DOLLAR WSP oid )
-
- extensions = *( SP xstring SP qdstrings )
- xstring = "X" HYPHEN 1*( ALPHA / HYPHEN / USCORE )
-
- qdescrs = qdescr / ( LPAREN WSP qdescrlist WSP RPAREN )
- qdescrlist = [ qdescr *( SP qdescr ) ]
- qdescr = SQUOTE descr SQUOTE
-
- qdstrings = qdstring / ( LPAREN WSP qdstringlist WSP RPAREN )
- qdstringlist = [ qdstring *( SP qdstring ) ]
- qdstring = SQUOTE dstring SQUOTE
- dstring = 1*( QS / QQ / QUTF8 ) ; escaped UTF-8 string
-
- QQ = ESC %x32 %x37 ; "\27"
- QS = ESC %x35 ( %x43 / %x63 ) ; "\5C" / "\5c"
-
- ; Any UTF-8 encoded Unicode character
- ; except %x27 ("\'") and %x5C ("\")
- QUTF8 = QUTF1 / UTFMB
-
- ; Any ASCII character except %x27 ("\'") and %x5C ("\")
- QUTF1 = %x00-26 / %x28-5B / %x5D-7F
-
- Schema definitions in this section also share a number of common
- terms.
-
-
-
-Zeilenga Standards Track [Page 23]
-�
-RFC 4512 LDAP Models June 2006
-
-
- The NAME field provides a set of short names (descriptors) that are
- to be used as aliases for the OID.
-
- The DESC field optionally allows a descriptive string to be provided
- by the directory administrator and/or implementor. While
- specifications may suggest a descriptive string, there is no
- requirement that the suggested (or any) descriptive string be used.
-
- The OBSOLETE field, if present, indicates the element is not active.
-
- Implementors should note that future versions of this document may
- expand these definitions to include additional terms. Terms whose
- identifier begins with "X-" are reserved for private experiments and
- are followed by <SP> and <qdstrings> tokens.
-
-4.1.1. Object Class Definitions
-
- Object Class definitions are written according to the ABNF:
-
- ObjectClassDescription = LPAREN WSP
- numericoid ; object identifier
- [ SP "NAME" SP qdescrs ] ; short names (descriptors)
- [ SP "DESC" SP qdstring ] ; description
- [ SP "OBSOLETE" ] ; not active
- [ SP "SUP" SP oids ] ; superior object classes
- [ SP kind ] ; kind of class
- [ SP "MUST" SP oids ] ; attribute types
- [ SP "MAY" SP oids ] ; attribute types
- extensions WSP RPAREN
-
- kind = "ABSTRACT" / "STRUCTURAL" / "AUXILIARY"
-
- where:
- <numericoid> is object identifier assigned to this object class;
- NAME <qdescrs> are short names (descriptors) identifying this
- object class;
- DESC <qdstring> is a short descriptive string;
- OBSOLETE indicates this object class is not active;
- SUP <oids> specifies the direct superclasses of this object class;
- the kind of object class is indicated by one of ABSTRACT,
- STRUCTURAL, or AUXILIARY (the default is STRUCTURAL);
- MUST and MAY specify the sets of required and allowed attribute
- types, respectively; and
- <extensions> describe extensions.
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 24]
-�
-RFC 4512 LDAP Models June 2006
-
-
-4.1.2. Attribute Types
-
- Attribute Type definitions are written according to the ABNF:
-
- AttributeTypeDescription = LPAREN WSP
- numericoid ; object identifier
- [ SP "NAME" SP qdescrs ] ; short names (descriptors)
- [ SP "DESC" SP qdstring ] ; description
- [ SP "OBSOLETE" ] ; not active
- [ SP "SUP" SP oid ] ; supertype
- [ SP "EQUALITY" SP oid ] ; equality matching rule
- [ SP "ORDERING" SP oid ] ; ordering matching rule
- [ SP "SUBSTR" SP oid ] ; substrings matching rule
- [ SP "SYNTAX" SP noidlen ] ; value syntax
- [ SP "SINGLE-VALUE" ] ; single-value
- [ SP "COLLECTIVE" ] ; collective
- [ SP "NO-USER-MODIFICATION" ] ; not user modifiable
- [ SP "USAGE" SP usage ] ; usage
- extensions WSP RPAREN ; extensions
-
- usage = "userApplications" / ; user
- "directoryOperation" / ; directory operational
- "distributedOperation" / ; DSA-shared operational
- "dSAOperation" ; DSA-specific operational
-
- where:
- <numericoid> is object identifier assigned to this attribute type;
- NAME <qdescrs> are short names (descriptors) identifying this
- attribute type;
- DESC <qdstring> is a short descriptive string;
- OBSOLETE indicates this attribute type is not active;
- SUP oid specifies the direct supertype of this type;
- EQUALITY, ORDERING, and SUBSTR provide the oid of the equality,
- ordering, and substrings matching rules, respectively;
- SYNTAX identifies value syntax by object identifier and may suggest
- a minimum upper bound;
- SINGLE-VALUE indicates attributes of this type are restricted to a
- single value;
- COLLECTIVE indicates this attribute type is collective
- [X.501][RFC3671];
- NO-USER-MODIFICATION indicates this attribute type is not user
- modifiable;
- USAGE indicates the application of this attribute type; and
- <extensions> describe extensions.
-
- Each attribute type description must contain at least one of the SUP
- or SYNTAX fields. If no SYNTAX field is provided, the attribute type
- description takes its value from the supertype.
-
-
-
-Zeilenga Standards Track [Page 25]
-�
-RFC 4512 LDAP Models June 2006
-
-
- If SUP field is provided, the EQUALITY, ORDERING, and SUBSTRING
- fields, if not specified, take their value from the supertype.
-
- Usage of userApplications, the default, indicates that attributes of
- this type represent user information. That is, they are user
- attributes.
-
- A usage of directoryOperation, distributedOperation, or dSAOperation
- indicates that attributes of this type represent operational and/or
- administrative information. That is, they are operational
- attributes.
-
- directoryOperation usage indicates that the attribute of this type is
- a directory operational attribute. distributedOperation usage
- indicates that the attribute of this type is a DSA-shared usage
- operational attribute. dSAOperation usage indicates that the
- attribute of this type is a DSA-specific operational attribute.
-
- COLLECTIVE requires usage userApplications. Use of collective
- attribute types in LDAP is discussed in [RFC3671].
-
- NO-USER-MODIFICATION requires an operational usage.
-
- Note that the <AttributeTypeDescription> does not list the matching
- rules that can be used with that attribute type in an extensibleMatch
- search filter [RFC4511]. This is done using the 'matchingRuleUse'
- attribute described in Section 4.1.4.
-
- This document refines the schema description of X.501 by requiring
- that the SYNTAX field in an <AttributeTypeDescription> be a string
- representation of an object identifier for the LDAP string syntax
- definition, with an optional indication of the suggested minimum
- bound of a value of this attribute.
-
- A suggested minimum upper bound on the number of characters in a
- value with a string-based syntax, or the number of bytes in a value
- for all other syntaxes, may be indicated by appending this bound
- count inside of curly braces following the syntax's OBJECT IDENTIFIER
- in an Attribute Type Description. This bound is not part of the
- syntax name itself. For instance, "1.3.6.4.1.1466.0{64}" suggests
- that server implementations should allow a string to be 64 characters
- long, although they may allow longer strings. Note that a single
- character of the Directory String syntax may be encoded in more than
- one octet since UTF-8 [RFC3629] is a variable-length encoding.
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 26]
-�
-RFC 4512 LDAP Models June 2006
-
-
-4.1.3. Matching Rules
-
- Matching rules are used in performance of attribute value assertions,
- such as in performance of a Compare operation. They are also used in
- evaluating search filters, determining which individual values are to
- be added or deleted during performance of a Modify operation, and in
- comparing distinguished names.
-
- Each matching rule is identified by an object identifier (OID) and,
- optionally, one or more short names (descriptors).
-
- Matching rule definitions are written according to the ABNF:
-
- MatchingRuleDescription = LPAREN WSP
- numericoid ; object identifier
- [ SP "NAME" SP qdescrs ] ; short names (descriptors)
- [ SP "DESC" SP qdstring ] ; description
- [ SP "OBSOLETE" ] ; not active
- SP "SYNTAX" SP numericoid ; assertion syntax
- extensions WSP RPAREN ; extensions
-
- where:
- <numericoid> is object identifier assigned to this matching rule;
- NAME <qdescrs> are short names (descriptors) identifying this
- matching rule;
- DESC <qdstring> is a short descriptive string;
- OBSOLETE indicates this matching rule is not active;
- SYNTAX identifies the assertion syntax (the syntax of the assertion
- value) by object identifier; and
- <extensions> describe extensions.
-
-4.1.4. Matching Rule Uses
-
- A matching rule use lists the attribute types that are suitable for
- use with an extensibleMatch search filter.
-
- Matching rule use descriptions are written according to the following
- ABNF:
-
- MatchingRuleUseDescription = LPAREN WSP
- numericoid ; object identifier
- [ SP "NAME" SP qdescrs ] ; short names (descriptors)
- [ SP "DESC" SP qdstring ] ; description
- [ SP "OBSOLETE" ] ; not active
- SP "APPLIES" SP oids ; attribute types
- extensions WSP RPAREN ; extensions
-
-
-
-
-
-Zeilenga Standards Track [Page 27]
-�
-RFC 4512 LDAP Models June 2006
-
-
- where:
- <numericoid> is the object identifier of the matching rule
- associated with this matching rule use description;
- NAME <qdescrs> are short names (descriptors) identifying this
- matching rule use;
- DESC <qdstring> is a short descriptive string;
- OBSOLETE indicates this matching rule use is not active;
- APPLIES provides a list of attribute types the matching rule
- applies to; and
- <extensions> describe extensions.
-
-4.1.5. LDAP Syntaxes
-
- LDAP Syntaxes of (attribute and assertion) values are described in
- terms of ASN.1 [X.680] and, optionally, have an octet string encoding
- known as the LDAP-specific encoding. Commonly, the LDAP-specific
- encoding is constrained to a string of Unicode [Unicode] characters
- in UTF-8 [RFC3629] form.
-
- Each LDAP syntax is identified by an object identifier (OID).
-
- LDAP syntax definitions are written according to the ABNF:
-
- SyntaxDescription = LPAREN WSP
- numericoid ; object identifier
- [ SP "DESC" SP qdstring ] ; description
- extensions WSP RPAREN ; extensions
-
- where:
- <numericoid> is the object identifier assigned to this LDAP syntax;
- DESC <qdstring> is a short descriptive string; and
- <extensions> describe extensions.
-
-4.1.6. DIT Content Rules
-
- A DIT content rule is a "rule governing the content of entries of a
- particular structural object class" [X.501].
-
- For DIT entries of a particular structural object class, a DIT
- content rule specifies which auxiliary object classes the entries are
- allowed to belong to and which additional attributes (by type) are
- required, allowed, or not allowed to appear in the entries.
-
- The list of precluded attributes cannot include any attribute listed
- as mandatory in the rule, the structural object class, or any of the
- allowed auxiliary object classes.
-
-
-
-
-
-Zeilenga Standards Track [Page 28]
-�
-RFC 4512 LDAP Models June 2006
-
-
- Each content rule is identified by the object identifier, as well as
- any short names (descriptors), of the structural object class it
- applies to.
-
- An entry may only belong to auxiliary object classes listed in the
- governing content rule.
-
- An entry must contain all attributes required by the object classes
- the entry belongs to as well as all attributes required by the
- governing content rule.
-
- An entry may contain any non-precluded attributes allowed by the
- object classes the entry belongs to as well as all attributes allowed
- by the governing content rule.
-
- An entry cannot include any attribute precluded by the governing
- content rule.
-
- An entry is governed by (if present and active in the subschema) the
- DIT content rule that applies to the structural object class of the
- entry (see Section 2.4.2). If no active rule is present for the
- entry's structural object class, the entry's content is governed by
- the structural object class (and possibly other aspects of user and
- system schema). DIT content rules for superclasses of the structural
- object class of an entry are not applicable to that entry.
-
- DIT content rule descriptions are written according to the ABNF:
-
- DITContentRuleDescription = LPAREN WSP
- numericoid ; object identifier
- [ SP "NAME" SP qdescrs ] ; short names (descriptors)
- [ SP "DESC" SP qdstring ] ; description
- [ SP "OBSOLETE" ] ; not active
- [ SP "AUX" SP oids ] ; auxiliary object classes
- [ SP "MUST" SP oids ] ; attribute types
- [ SP "MAY" SP oids ] ; attribute types
- [ SP "NOT" SP oids ] ; attribute types
- extensions WSP RPAREN ; extensions
-
- where:
- <numericoid> is the object identifier of the structural object
- class associated with this DIT content rule;
- NAME <qdescrs> are short names (descriptors) identifying this DIT
- content rule;
- DESC <qdstring> is a short descriptive string;
- OBSOLETE indicates this DIT content rule use is not active;
- AUX specifies a list of auxiliary object classes that entries
- subject to this DIT content rule may belong to;
-
-
-
-Zeilenga Standards Track [Page 29]
-�
-RFC 4512 LDAP Models June 2006
-
-
- MUST, MAY, and NOT specify lists of attribute types that are
- required, allowed, or precluded, respectively, from appearing
- in entries subject to this DIT content rule; and
- <extensions> describe extensions.
-
-4.1.7. DIT Structure Rules and Name Forms
-
- It is sometimes desirable to regulate where object and alias entries
- can be placed in the DIT and how they can be named based upon their
- structural object class.
-
-4.1.7.1. DIT Structure Rules
-
- A DIT structure rule is a "rule governing the structure of the DIT by
- specifying a permitted superior to subordinate entry relationship. A
- structure rule relates a name form, and therefore a structural object
- class, to superior structure rules. This permits entries of the
- structural object class identified by the name form to exist in the
- DIT as subordinates to entries governed by the indicated superior
- structure rules" [X.501].
-
- DIT structure rule descriptions are written according to the ABNF:
-
- DITStructureRuleDescription = LPAREN WSP
- ruleid ; rule identifier
- [ SP "NAME" SP qdescrs ] ; short names (descriptors)
- [ SP "DESC" SP qdstring ] ; description
- [ SP "OBSOLETE" ] ; not active
- SP "FORM" SP oid ; NameForm
- [ SP "SUP" ruleids ] ; superior rules
- extensions WSP RPAREN ; extensions
-
- ruleids = ruleid / ( LPAREN WSP ruleidlist WSP RPAREN )
- ruleidlist = ruleid *( SP ruleid )
- ruleid = number
-
- where:
- <ruleid> is the rule identifier of this DIT structure rule;
- NAME <qdescrs> are short names (descriptors) identifying this DIT
- structure rule;
- DESC <qdstring> is a short descriptive string;
- OBSOLETE indicates this DIT structure rule use is not active;
- FORM is specifies the name form associated with this DIT structure
- rule;
- SUP identifies superior rules (by rule id); and
- <extensions> describe extensions.
-
-
-
-
-
-Zeilenga Standards Track [Page 30]
-�
-RFC 4512 LDAP Models June 2006
-
-
- If no superior rules are identified, the DIT structure rule applies
- to an autonomous administrative point (e.g., the root vertex of the
- subtree controlled by the subschema) [X.501].
-
-4.1.7.2. Name Forms
-
- A name form "specifies a permissible RDN for entries of a particular
- structural object class. A name form identifies a named object class
- and one or more attribute types to be used for naming (i.e., for the
- RDN). Name forms are primitive pieces of specification used in the
- definition of DIT structure rules" [X.501].
-
- Each name form indicates the structural object class to be named, a
- set of required attribute types, and a set of allowed attribute
- types. A particular attribute type cannot be in both sets.
-
- Entries governed by the form must be named using a value from each
- required attribute type and zero or more values from the allowed
- attribute types.
-
- Each name form is identified by an object identifier (OID) and,
- optionally, one or more short names (descriptors).
-
- Name form descriptions are written according to the ABNF:
-
- NameFormDescription = LPAREN WSP
- numericoid ; object identifier
- [ SP "NAME" SP qdescrs ] ; short names (descriptors)
- [ SP "DESC" SP qdstring ] ; description
- [ SP "OBSOLETE" ] ; not active
- SP "OC" SP oid ; structural object class
- SP "MUST" SP oids ; attribute types
- [ SP "MAY" SP oids ] ; attribute types
- extensions WSP RPAREN ; extensions
-
- where:
- <numericoid> is object identifier that identifies this name form;
- NAME <qdescrs> are short names (descriptors) identifying this name
- form;
- DESC <qdstring> is a short descriptive string;
- OBSOLETE indicates this name form is not active;
- OC identifies the structural object class this rule applies to,
- MUST and MAY specify the sets of required and allowed,
- respectively, naming attributes for this name form; and
- <extensions> describe extensions.
-
- All attribute types in the required ("MUST") and allowed ("MAY")
- lists shall be different.
-
-
-
-Zeilenga Standards Track [Page 31]
-�
-RFC 4512 LDAP Models June 2006
-
-
-4.2. Subschema Subentries
-
- Subschema (sub)entries are used for administering information about
- the directory schema. A single subschema (sub)entry contains all
- schema definitions (see Section 4.1) used by entries in a particular
- part of the directory tree.
-
- Servers that follow X.500(93) models SHOULD implement subschema using
- the X.500 subschema mechanisms (as detailed in Section 12 of
- [X.501]), so these are not ordinary object entries but subentries
- (see Section 3.2). LDAP clients SHOULD NOT assume that servers
- implement any of the other aspects of X.500 subschema.
-
- Servers MAY allow subschema modification. Procedures for subschema
- modification are discussed in Section 14.5 of [X.501].
-
- A server that masters entries and permits clients to modify these
- entries SHALL implement and provide access to these subschema
- (sub)entries including providing a 'subschemaSubentry' attribute in
- each modifiable entry. This is so clients may discover the
- attributes and object classes that are permitted to be present. It
- is strongly RECOMMENDED that all other servers implement this as
- well.
-
- The value of the 'subschemaSubentry' attribute is the name of the
- subschema (sub)entry holding the subschema controlling the entry.
-
- ( 2.5.18.10 NAME 'subschemaSubentry'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE NO-USER-MODIFICATION
- USAGE directoryOperation )
-
- The 'distinguishedNameMatch' matching rule and the DistinguishedName
- (1.3.6.1.4.1.1466.115.121.1.12) syntax are defined in [RFC4517].
-
- Subschema is held in (sub)entries belonging to the subschema
- auxiliary object class.
-
- ( 2.5.20.1 NAME 'subschema' AUXILIARY
- MAY ( dITStructureRules $ nameForms $ ditContentRules $
- objectClasses $ attributeTypes $ matchingRules $
- matchingRuleUse ) )
-
- The 'ldapSyntaxes' operational attribute may also be present in
- subschema entries.
-
-
-
-
-
-Zeilenga Standards Track [Page 32]
-�
-RFC 4512 LDAP Models June 2006
-
-
- Servers MAY provide additional attributes (described in other
- documents) in subschema (sub)entries.
-
- Servers SHOULD provide the attributes 'createTimestamp' and
- 'modifyTimestamp' in subschema (sub)entries, in order to allow
- clients to maintain their caches of schema information.
-
- The following subsections provide attribute type definitions for each
- of schema definition attribute types.
-
-4.2.1. 'objectClasses'
-
- This attribute holds definitions of object classes.
-
- ( 2.5.21.6 NAME 'objectClasses'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.37
- USAGE directoryOperation )
-
- The 'objectIdentifierFirstComponentMatch' matching rule and the
- ObjectClassDescription (1.3.6.1.4.1.1466.115.121.1.37) syntax are
- defined in [RFC4517].
-
-4.2.2. 'attributeTypes'
-
- This attribute holds definitions of attribute types.
-
- ( 2.5.21.5 NAME 'attributeTypes'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.3
- USAGE directoryOperation )
-
- The 'objectIdentifierFirstComponentMatch' matching rule and the
- AttributeTypeDescription (1.3.6.1.4.1.1466.115.121.1.3) syntax are
- defined in [RFC4517].
-
-4.2.3. 'matchingRules'
-
- This attribute holds definitions of matching rules.
-
- ( 2.5.21.4 NAME 'matchingRules'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.30
- USAGE directoryOperation )
-
- The 'objectIdentifierFirstComponentMatch' matching rule and the
- MatchingRuleDescription (1.3.6.1.4.1.1466.115.121.1.30) syntax are
- defined in [RFC4517].
-
-
-
-Zeilenga Standards Track [Page 33]
-�
-RFC 4512 LDAP Models June 2006
-
-
-4.2.4 'matchingRuleUse'
-
- This attribute holds definitions of matching rule uses.
-
- ( 2.5.21.8 NAME 'matchingRuleUse'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.31
- USAGE directoryOperation )
-
- The 'objectIdentifierFirstComponentMatch' matching rule and the
- MatchingRuleUseDescription (1.3.6.1.4.1.1466.115.121.1.31) syntax are
- defined in [RFC4517].
-
-4.2.5. 'ldapSyntaxes'
-
- This attribute holds definitions of LDAP syntaxes.
-
- ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.54
- USAGE directoryOperation )
-
- The 'objectIdentifierFirstComponentMatch' matching rule and the
- SyntaxDescription (1.3.6.1.4.1.1466.115.121.1.54) syntax are defined
- in [RFC4517].
-
-4.2.6. 'dITContentRules'
-
- This attribute lists DIT Content Rules that are present in the
- subschema.
-
- ( 2.5.21.2 NAME 'dITContentRules'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.16
- USAGE directoryOperation )
-
- The 'objectIdentifierFirstComponentMatch' matching rule and the
- DITContentRuleDescription (1.3.6.1.4.1.1466.115.121.1.16) syntax are
- defined in [RFC4517].
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 34]
-�
-RFC 4512 LDAP Models June 2006
-
-
-4.2.7. 'dITStructureRules'
-
- This attribute lists DIT Structure Rules that are present in the
- subschema.
-
- ( 2.5.21.1 NAME 'dITStructureRules'
- EQUALITY integerFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.17
- USAGE directoryOperation )
-
- The 'integerFirstComponentMatch' matching rule and the
- DITStructureRuleDescription (1.3.6.1.4.1.1466.115.121.1.17) syntax
- are defined in [RFC4517].
-
-4.2.8 'nameForms'
-
- This attribute lists Name Forms that are in force.
-
- ( 2.5.21.7 NAME 'nameForms'
- EQUALITY objectIdentifierFirstComponentMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.35
- USAGE directoryOperation )
-
- The 'objectIdentifierFirstComponentMatch' matching rule and the
- NameFormDescription (1.3.6.1.4.1.1466.115.121.1.35) syntax are
- defined in [RFC4517].
-
-4.3. 'extensibleObject' object class
-
- The 'extensibleObject' auxiliary object class allows entries that
- belong to it to hold any user attribute. The set of allowed
- attribute types of this object class is implicitly the set of all
- attribute types of userApplications usage.
-
- ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject'
- SUP top AUXILIARY )
-
- The mandatory attributes of the other object classes of this entry
- are still required to be present, and any precluded attributes are
- still not allowed to be present.
-
-4.4. Subschema Discovery
-
- To discover the DN of the subschema (sub)entry holding the subschema
- controlling a particular entry, a client reads that entry's
- 'subschemaSubentry' operational attribute. To read schema attributes
- from the subschema (sub)entry, clients MUST issue a Search operation
- [RFC4511] where baseObject is the DN of the subschema (sub)entry,
-
-
-
-Zeilenga Standards Track [Page 35]
-�
-RFC 4512 LDAP Models June 2006
-
-
- scope is baseObject, filter is "(objectClass=subschema)" [RFC4515],
- and the attributes field lists the names of the desired schema
- attributes (as they are operational). Note: the
- "(objectClass=subschema)" filter allows LDAP servers that gateway to
- X.500 to detect that subentry information is being requested.
-
- Clients SHOULD NOT assume that a published subschema is complete,
- that the server supports all of the schema elements it publishes, or
- that the server does not support an unpublished element.
-
-5. DSA (Server) Informational Model
-
- The LDAP protocol assumes there are one or more servers that jointly
- provide access to a Directory Information Tree (DIT). The server
- holding the original information is called the "master" (for that
- information). Servers that hold copies of the original information
- are referred to as "shadowing" or "caching" servers.
-
-
- As defined in [X.501]:
-
- context prefix: The sequence of RDNs leading from the Root of the
- DIT to the initial vertex of a naming context; corresponds to
- the distinguished name of that vertex.
-
- naming context: A subtree of entries held in a single master DSA.
-
- That is, a naming context is the largest collection of entries,
- starting at an entry that is mastered by a particular server, and
- including all its subordinates and their subordinates, down to the
- entries that are mastered by different servers. The context prefix
- is the name of the initial entry.
-
- The root of the DIT is a DSA-specific Entry (DSE) and not part of any
- naming context (or any subtree); each server has different attribute
- values in the root DSE.
-
-5.1. Server-Specific Data Requirements
-
- An LDAP server SHALL provide information about itself and other
- information that is specific to each server. This is represented as
- a group of attributes located in the root DSE, which is named with
- the DN with zero RDNs (whose [RFC4514] representation is as the
- zero-length string).
-
- These attributes are retrievable, subject to access control and other
- restrictions, if a client performs a Search operation [RFC4511] with
- an empty baseObject, scope of baseObject, the filter
-
-
-
-Zeilenga Standards Track [Page 36]
-�
-RFC 4512 LDAP Models June 2006
-
-
- "(objectClass=*)" [RFC4515], and the attributes field listing the
- names of the desired attributes. It is noted that root DSE
- attributes are operational and, like other operational attributes,
- are not returned in search requests unless requested by name.
-
- The root DSE SHALL NOT be included if the client performs a subtree
- search starting from the root.
-
- Servers may allow clients to modify attributes of the root DSE, where
- appropriate.
-
- The following attributes of the root DSE are defined below.
- Additional attributes may be defined in other documents.
-
- - altServer: alternative servers;
-
- - namingContexts: naming contexts;
-
- - supportedControl: recognized LDAP controls;
-
- - supportedExtension: recognized LDAP extended operations;
-
- - supportedFeatures: recognized LDAP features;
-
- - supportedLDAPVersion: LDAP versions supported; and
-
- - supportedSASLMechanisms: recognized Simple Authentication and
- Security Layers (SASL) [RFC4422] mechanisms.
-
- The values provided for these attributes may depend on session-
- specific and other factors. For example, a server supporting the
- SASL EXTERNAL mechanism might only list "EXTERNAL" when the client's
- identity has been established by a lower level. See [RFC4513].
-
- The root DSE may also include a 'subschemaSubentry' attribute. If it
- does, the attribute refers to the subschema (sub)entry holding the
- schema controlling the root DSE. Clients SHOULD NOT assume that this
- subschema (sub)entry controls other entries held by the server.
- General subschema discovery procedures are provided in Section 4.4.
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 37]
-�
-RFC 4512 LDAP Models June 2006
-
-
-5.1.1. 'altServer'
-
- The 'altServer' attribute lists URIs referring to alternative servers
- that may be contacted when this server becomes unavailable. URIs for
- servers implementing the LDAP are written according to [RFC4516].
- Other kinds of URIs may be provided. If the server does not know of
- any other servers that could be used, this attribute will be absent.
- Clients may cache this information in case their preferred server
- later becomes unavailable.
-
- ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- USAGE dSAOperation )
-
- The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax is defined in
- [RFC4517].
-
-5.1.2. 'namingContexts'
-
- The 'namingContexts' attribute lists the context prefixes of the
- naming contexts the server masters or shadows (in part or in whole).
- If the server is a first-level DSA [X.501], it should list (in
- addition) an empty string (indicating the root of the DIT). If the
- server does not master or shadow any information (e.g., it is an LDAP
- gateway to a public X.500 directory) this attribute will be absent.
- If the server believes it masters or shadows the entire directory,
- the attribute will have a single value, and that value will be the
- empty string (indicating the root of the DIT).
-
- This attribute may be used, for example, to select a suitable entry
- name for subsequent operations with this server.
-
- ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- USAGE dSAOperation )
-
- The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax is
- defined in [RFC4517].
-
-5.1.3. 'supportedControl'
-
- The 'supportedControl' attribute lists object identifiers identifying
- the request controls [RFC4511] the server supports. If the server
- does not support any request controls, this attribute will be absent.
- Object identifiers identifying response controls need not be listed.
-
- Procedures for registering object identifiers used to discovery of
- protocol mechanisms are detailed in BCP 64, RFC 4520 [RFC4520].
-
-
-
-Zeilenga Standards Track [Page 38]
-�
-RFC 4512 LDAP Models June 2006
-
-
- ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
- USAGE dSAOperation )
-
- The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
- defined in [RFC4517].
-
-5.1.4. 'supportedExtension'
-
- The 'supportedExtension' attribute lists object identifiers
- identifying the extended operations [RFC4511] that the server
- supports. If the server does not support any extended operations,
- this attribute will be absent.
-
- An extended operation generally consists of an extended request and
- an extended response but may also include other protocol data units
- (such as intermediate responses). The object identifier assigned to
- the extended request is used to identify the extended operation.
- Other object identifiers used in the extended operation need not be
- listed as values of this attribute.
-
- Procedures for registering object identifiers used to discovery of
- protocol mechanisms are detailed in BCP 64, RFC 4520 [RFC4520].
-
- ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
- USAGE dSAOperation )
-
- The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
- defined in [RFC4517].
-
-5.1.5. 'supportedFeatures'
-
- The 'supportedFeatures' attribute lists object identifiers
- identifying elective features that the server supports. If the
- server does not support any discoverable elective features, this
- attribute will be absent.
-
- ( 1.3.6.1.4.1.4203.1.3.5 NAME 'supportedFeatures'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
- USAGE dSAOperation )
-
- Procedures for registering object identifiers used to discovery of
- protocol mechanisms are detailed in BCP 64, RFC 4520 [RFC4520].
-
- The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax and
- objectIdentifierMatch matching rule are defined in [RFC4517].
-
-
-
-Zeilenga Standards Track [Page 39]
-�
-RFC 4512 LDAP Models June 2006
-
-
-5.1.6. 'supportedLDAPVersion'
-
- The 'supportedLDAPVersion' attribute lists the versions of LDAP that
- the server supports.
-
- ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- USAGE dSAOperation )
-
- The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax is defined in
- [RFC4517].
-
-5.1.7. 'supportedSASLMechanisms'
-
- The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
- [RFC4422] that the server recognizes and/or supports [RFC4513]. The
- contents of this attribute may depend on the current session state.
- If the server does not support any SASL mechanisms, this attribute
- will not be present.
-
- ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- USAGE dSAOperation )
-
- The Directory String (1.3.6.1.4.1.1466.115.121.1.15) syntax is
- defined in [RFC4517].
-
-6. Other Considerations
-
-6.1. Preservation of User Information
-
- Syntaxes may be defined that have specific value and/or value form
- (representation) preservation requirements. For example, a syntax
- containing digitally signed data can mandate that the server preserve
- both the value and form of value presented to ensure that the
- signature is not invalidated.
-
- Where such requirements have not been explicitly stated, servers
- SHOULD preserve the value of user information but MAY return the
- value in a different form. And where a server is unable (or
- unwilling) to preserve the value of user information, the server
- SHALL ensure that an equivalent value (per Section 2.3) is returned.
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 40]
-�
-RFC 4512 LDAP Models June 2006
-
-
-6.2. Short Names
-
- Short names, also known as descriptors, are used as more readable
- aliases for object identifiers and are used to identify various
- schema elements. However, it is not expected that LDAP
- implementations with human user interface would display these short
- names (or the object identifiers they refer to) to the user.
- Instead, they would most likely be performing translations (such as
- expressing the short name in one of the local national languages).
- For example, the short name "st" (stateOrProvinceName) might be
- displayed to a German-speaking user as "Land".
-
- The same short name might have different meaning in different
- subschemas, and, within a particular subschema, the same short name
- might refer to different object identifiers each identifying a
- different kind of schema element.
-
- Implementations MUST be prepared that the same short name might be
- used in a subschema to refer to the different kinds of schema
- elements. That is, there might be an object class 'x-fubar' and an
- attribute type 'x-fubar' in a subschema.
-
- Implementations MUST be prepared that the same short name might be
- used in the different subschemas to refer to the different schema
- elements. That is, there might be two matching rules 'x-fubar', each
- in different subschemas.
-
- Procedures for registering short names (descriptors) are detailed in
- BCP 64, RFC 4520 [RFC4520].
-
-6.3. Cache and Shadowing
-
- Some servers may hold cache or shadow copies of entries, which can be
- used to answer search and comparison queries, but will return
- referrals or contact other servers if modification operations are
- requested. Servers that perform shadowing or caching MUST ensure
- that they do not violate any access control constraints placed on the
- data by the originating server.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 41]
-�
-RFC 4512 LDAP Models June 2006
-
-
-7. Implementation Guidelines
-
-7.1. Server Guidelines
-
- Servers MUST recognize all names of attribute types and object
- classes defined in this document but, unless stated otherwise, need
- not support the associated functionality. Servers SHOULD recognize
- all the names of attribute types and object classes defined in
- Section 3 and 4, respectively, of [RFC4519].
-
- Servers MUST ensure that entries conform to user and system schema
- rules or other data model constraints.
-
- Servers MAY support DIT Content Rules. Servers MAY support DIT
- Structure Rules and Name Forms.
-
- Servers MAY support alias entries.
-
- Servers MAY support the 'extensibleObject' object class.
-
- Servers MAY support subentries. If so, they MUST do so in accordance
- with [RFC3672]. Servers that do not support subentries SHOULD use
- object entries to mimic subentries as detailed in Section 3.2.
-
- Servers MAY implement additional schema elements. Servers SHOULD
- provide definitions of all schema elements they support in subschema
- (sub)entries.
-
-7.2. Client Guidelines
-
- In the absence of prior agreements with servers, clients SHOULD NOT
- assume that servers support any particular schema elements beyond
- those referenced in Section 7.1. The client can retrieve subschema
- information as described in Section 4.4.
-
- Clients MUST NOT display or attempt to decode a value as ASN.1 if the
- value's syntax is not known. Clients MUST NOT assume the LDAP-
- specific string encoding is restricted to a UTF-8 encoded string of
- Unicode characters or any particular subset of Unicode (such as a
- printable subset) unless such restriction is explicitly stated.
- Clients SHOULD NOT send attribute values in a request that are not
- valid according to the syntax defined for the attributes.
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 42]
-�
-RFC 4512 LDAP Models June 2006
-
-
-8. Security Considerations
-
- Attributes of directory entries are used to provide descriptive
- information about the real-world objects they represent, which can be
- people, organizations, or devices. Most countries have privacy laws
- regarding the publication of information about people.
-
- General security considerations for accessing directory information
- with LDAP are discussed in [RFC4511] and [RFC4513].
-
-9. IANA Considerations
-
- The Internet Assigned Numbers Authority (IANA) has updated the LDAP
- descriptors registry as indicated in the following template:
-
- Subject: Request for LDAP Descriptor Registration Update
- Descriptor (short name): see comment
- Object Identifier: see comment
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Usage: see comment
- Specification: RFC 4512
- Author/Change Controller: IESG
- Comments:
-
- The following descriptors (short names) has been added to
- the registry.
-
- NAME Type OID
- ------------------------ ---- -----------------
- governingStructureRule A 2.5.21.10
- structuralObjectClass A 2.5.21.9
-
- The following descriptors (short names) have been updated to
- refer to this RFC.
-
- NAME Type OID
- ------------------------ ---- -----------------
- alias O 2.5.6.1
- aliasedObjectName A 2.5.4.1
- altServer A 1.3.6.1.4.1.1466.101.120.6
- attributeTypes A 2.5.21.5
- createTimestamp A 2.5.18.1
- creatorsName A 2.5.18.3
- dITContentRules A 2.5.21.2
- dITStructureRules A 2.5.21.1
- extensibleObject O 1.3.6.1.4.1.1466.101.120.111
- ldapSyntaxes A 1.3.6.1.4.1.1466.101.120.16
-
-
-
-Zeilenga Standards Track [Page 43]
-�
-RFC 4512 LDAP Models June 2006
-
-
- matchingRuleUse A 2.5.21.8
- matchingRules A 2.5.21.4
- modifiersName A 2.5.18.4
- modifyTimestamp A 2.5.18.2
- nameForms A 2.5.21.7
- namingContexts A 1.3.6.1.4.1.1466.101.120.5
- objectClass A 2.5.4.0
- objectClasses A 2.5.21.6
- subschema O 2.5.20.1
- subschemaSubentry A 2.5.18.10
- supportedControl A 1.3.6.1.4.1.1466.101.120.13
- supportedExtension A 1.3.6.1.4.1.1466.101.120.7
- supportedFeatures A 1.3.6.1.4.1.4203.1.3.5
- supportedLDAPVersion A 1.3.6.1.4.1.1466.101.120.15
- supportedSASLMechanisms A 1.3.6.1.4.1.1466.101.120.14
- top O 2.5.6.0
-
-10. Acknowledgements
-
- This document is based in part on RFC 2251 by M. Wahl, T. Howes, and
- S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S. Kille; and
- RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
- Indexing of Directories (ASID) Working Group. This document is also
- based in part on "The Directory: Models" [X.501], a product of the
- International Telephone Union (ITU). Additional text was borrowed
- from RFC 2253 by M. Wahl, T. Howes, and S. Kille.
-
- This document is a product of the IETF LDAP Revision (LDAPBIS)
- Working Group.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 44]
-�
-RFC 4512 LDAP Models June 2006
-
-
-11. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC3671] Zeilenga, K., "Collective Attributes in the Lightweight
- Directory Access Protocol (LDAP)", RFC 3671, December
- 2003.
-
- [RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory
- Access Protocol (LDAP)", RFC 3672, December 2003.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
- Authentication and Security Layer (SASL)", RFC 4422,
- June 2006.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access
- Protocol (LDAP): Authentication Methods and Security
- Mechanisms", RFC 4513, June 2006.
-
- [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): String Representation of Distinguished
- Names", RFC 4514, June 2006.
-
- [RFC4515] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): String Representation of Search
- Filters", RFC 4515, June 2006.
-
- [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): Uniform Resource Locator", RFC
- 4516, June 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
-
-
-Zeilenga Standards Track [Page 45]
-�
-RFC 4512 LDAP Models June 2006
-
-
- [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access
- Protocol (LDAP): Schema for User Applications", RFC
- 4519, June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version
- 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
- 61633-5), as amended by the "Unicode Standard Annex
- #27: Unicode 3.1"
- (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
- [X.500] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Overview of concepts, models and
- services," X.500(1993) (also ISO/IEC 9594-1:1994).
-
- [X.501] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Models," X.501(1993) (also ISO/IEC 9594-
- 2:1994).
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 46]
-�
-RFC 4512 LDAP Models June 2006
-
-
-Appendix A. Changes
-
- This appendix is non-normative.
-
- This document amounts to nearly a complete rewrite of portions of RFC
- 2251, RFC 2252, and RFC 2256. This rewrite was undertaken to improve
- overall clarity of technical specification. This appendix provides a
- summary of substantive changes made to the portions of these
- documents incorporated into this document. Readers should consult
- [RFC4510], [RFC4511], [RFC4517], and [RFC4519] for summaries of
- remaining portions of these documents.
-
-A.1. Changes to RFC 2251
-
- This document incorporates from RFC 2251, Sections 3.2 and 3.4, and
- portions of Sections 4 and 6 as summarized below.
-
-A.1.1. Section 3.2 of RFC 2251
-
- Section 3.2 of RFC 2251 provided a brief introduction to the X.500
- data model, as used by LDAP. The previous specification relied on
- [X.501] but lacked clarity in how X.500 models are adapted for use by
- LDAP. This document describes the X.500 data models, as used by
- LDAP, in greater detail, especially in areas where adaptation is
- needed.
-
- Section 3.2.1 of RFC 2251 described an attribute as "a type with one
- or more associated values". In LDAP, an attribute is better
- described as an attribute description, a type with zero or more
- options, and one or more associated values.
-
- Section 3.2.2 of RFC 2251 mandated that subschema subentries contain
- objectClasses and attributeTypes attributes, yet X.500(93) treats
- these attributes as optional. While generally all implementations
- that support X.500(93) subschema mechanisms will provide both of
- these attributes, it is not absolutely required for interoperability
- that all servers do. The mandate was removed for consistency with
- X.500(93). The subschema discovery mechanism was also clarified to
- indicate that subschema controlling an entry is obtained by reading
- the (sub)entry referred to by that entry's 'subschemaSubentry'
- attribute.
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 47]
-�
-RFC 4512 LDAP Models June 2006
-
-
-A.1.2. Section 3.4 of RFC 2251
-
- Section 3.4 of RFC 2251 provided "Server-specific Data Requirements".
- This material, with changes, was incorporated in Section 5.1 of this
- document.
-
- Changes:
-
- - Clarify that attributes of the root DSE are subject to "other
- restrictions" in addition to access controls.
-
- - Clarify that only recognized extended requests need to be
- enumerated 'supportedExtension'.
-
- - Clarify that only recognized request controls need to be enumerated
- 'supportedControl'.
-
- - Clarify that root DSE attributes are operational and, like other
- operational attributes, will not be returned in search requests
- unless requested by name.
-
- - Clarify that not all root DSE attributes are user modifiable.
-
- - Remove inconsistent text regarding handling of the
- 'subschemaSubentry' attribute within the root DSE. The previous
- specification stated that the 'subschemaSubentry' attribute held in
- the root DSE referred to "subschema entries (or subentries) known
- by this server". This is inconsistent with the attribute's
- intended use as well as its formal definition as a single valued
- attribute [X.501]. It is also noted that a simple (possibly
- incomplete) list of subschema (sub)entries is not terribly useful.
- This document (in Section 5.1) specifies that the
- 'subschemaSubentry' attribute of the root DSE refers to the
- subschema controlling the root DSE. It is noted that the general
- subschema discovery mechanism remains available (see Section 4.4 of
- this document).
-
-A.1.3. Section 4 of RFC 2251
-
- Portions of Section 4 of RFC 2251 detailing aspects of the
- information model used by LDAP were incorporated in this document,
- including:
-
- - Restriction of distinguished values to attributes whose
- descriptions have no options (from Section 4.1.3);
-
-
-
-
-
-
-Zeilenga Standards Track [Page 48]
-�
-RFC 4512 LDAP Models June 2006
-
-
- - Data model aspects of Attribute Types (from Section 4.1.4),
- Attribute Descriptions (from 4.1.5), Attribute (from 4.1.8),
- Matching Rule Identifier (from 4.1.9); and
-
- - User schema requirements (from Sections 4.1.6, 4.5.1, and 4.7).
-
- Clarifications to these portions include:
-
- - Subtyping and AttributeDescriptions with options.
-
-A.1.4. Section 6 of RFC 2251
-
- The Section 6.1 and the second paragraph of Section 6.2 of RFC 2251
- where incorporated into this document.
-
-A.2. Changes to RFC 2252
-
- This document incorporates Sections 4, 5, and 7 from RFC 2252.
-
-A.2.1. Section 4 of RFC 2252
-
- The specification was updated to use Augmented BNF [RFC4234]. The
- string representation of an OBJECT IDENTIFIER was tightened to
- disallow leading zeros as described in RFC 2252.
-
- The <descr> syntax was changed to disallow semicolon (U+003B)
- characters in order to appear to be consistent its natural language
- specification "descr is the syntactic representation of an object
- descriptor, which consists of letters and digits, starting with a
- letter". In a related change, the statement "an AttributeDescription
- can be used as the value in a NAME part of an
- AttributeTypeDescription" was deleted. RFC 2252 provided no
- specification of the semantics of attribute options appearing in NAME
- fields.
-
- RFC 2252 stated that the <descr> form of <oid> SHOULD be preferred
- over the <numericoid> form. However, <descr> form can be ambiguous.
- To address this issue, the imperative was replaced with a statement
- (in Section 1.4) that while the <descr> form is generally preferred,
- <numericoid> should be used where an unambiguous <descr> is not
- available. Additionally, an expanded discussion of descriptor issues
- is in Section 6.2 ("Short Names").
-
- The ABNF for a quoted string (qdstring) was updated to reflect
- support for the escaping mechanism described in Section 4.3 of RFC
- 2252.
-
-
-
-
-
-Zeilenga Standards Track [Page 49]
-�
-RFC 4512 LDAP Models June 2006
-
-
-A.2.2. Section 5 of RFC 2252
-
- Definitions of operational attributes provided in Section 5 of RFC
- 2252 where incorporated into this document.
-
- The 'namingContexts' description was clarified. A first-level DSA
- should publish, in addition to other values, "" indicating the root
- of the DIT.
-
- The 'altServer' description was clarified. It may hold any URI.
-
- The 'supportedExtension' description was clarified. A server need
- only list the OBJECT IDENTIFIERs associated with the extended
- requests of the extended operations it recognizes.
-
- The 'supportedControl' description was clarified. A server need only
- list the OBJECT IDENTIFIERs associated with the request controls it
- recognizes.
-
- Descriptions for the 'structuralObjectClass' and
- 'governingStructureRule' operational attribute types were added.
-
- The attribute definition of 'subschemaSubentry' was corrected to list
- the terms SINGLE-VALUE and NO-USER-MODIFICATION in proper order.
-
-A.2.3. Section 7 of RFC 2252
-
- Section 7 of RFC 2252 provides definitions of the 'subschema' and
- 'extensibleObject' object classes. These definitions where
- integrated into Section 4.2 and Section 4.3 of this document,
- respectively. Section 7 of RFC 2252 also contained the object class
- implementation requirement. This was incorporated into Section 7 of
- this document.
-
- The specification of 'extensibleObject' was clarified regarding how
- it interacts with precluded attributes.
-
-A.3. Changes to RFC 2256
-
- This document incorporates Sections 5.1, 5.2, 7.1, and 7.2 of RFC
- 2256.
-
- Section 5.1 of RFC 2256 provided the definition of the 'objectClass'
- attribute type. This was integrated into Section 2.4.1 of this
- document. The statement "One of the values is either 'top' or
- 'alias'" was replaced with statement that one of the values is 'top'
- as entries belonging to 'alias' also belong to 'top'.
-
-
-
-
-Zeilenga Standards Track [Page 50]
-�
-RFC 4512 LDAP Models June 2006
-
-
- Section 5.2 of RFC 2256 provided the definition of the
- 'aliasedObjectName' attribute type. This was integrated into Section
- 2.6.2 of this document.
-
- Section 7.1 of RFC 2256 provided the definition of the 'top' object
- class. This was integrated into Section 2.4.1 of this document.
-
- Section 7.2 of RFC 2256 provided the definition of the 'alias' object
- class. This was integrated into Section 2.6.1 of this document.
-
-A.4. Changes to RFC 3674
-
- This document made no substantive change to the 'supportedFeatures'
- technical specification provided in RFC 3674.
-
-Editor's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 51]
-�
-RFC 4512 LDAP Models June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 52]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4513.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4513.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4513.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1907 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Harrison, Ed.
-Request for Comments: 4513 Novell, Inc.
-Obsoletes: 2251, 2829, 2830 June 2006
-Category: Standards Track
-
-
- Lightweight Directory Access Protocol (LDAP):
- Authentication Methods and Security Mechanisms
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes authentication methods and security
- mechanisms of the Lightweight Directory Access Protocol (LDAP). This
- document details establishment of Transport Layer Security (TLS)
- using the StartTLS operation.
-
- This document details the simple Bind authentication method including
- anonymous, unauthenticated, and name/password mechanisms and the
- Simple Authentication and Security Layer (SASL) Bind authentication
- method including the EXTERNAL mechanism.
-
- This document discusses various authentication and authorization
- states through which a session to an LDAP server may pass and the
- actions that trigger these state changes.
-
- This document, together with other documents in the LDAP Technical
- Specification (see Section 1 of the specification's road map),
- obsoletes RFC 2251, RFC 2829, and RFC 2830.
-
-
-
-
-
-
-
-
-
-
-
-Harrison Standards Track [Page 1]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-Table of Contents
-
- 1. Introduction ....................................................4
- 1.1. Relationship to Other Documents ............................6
- 1.2. Conventions ................................................6
- 2. Implementation Requirements .....................................7
- 3. StartTLS Operation ..............................................8
- 3.1. TLS Establishment Procedures ..............................8
- 3.1.1. StartTLS Request Sequencing .........................8
- 3.1.2. Client Certificate ..................................9
- 3.1.3. Server Identity Check ...............................9
- 3.1.3.1. Comparison of DNS Names ...................10
- 3.1.3.2. Comparison of IP Addresses ................11
- 3.1.3.3. Comparison of Other subjectName Types .....11
- 3.1.4. Discovery of Resultant Security Level ..............11
- 3.1.5. Refresh of Server Capabilities Information .........11
- 3.2. Effect of TLS on Authorization State .....................12
- 3.3. TLS Ciphersuites ..........................................12
- 4. Authorization State ............................................13
- 5. Bind Operation .................................................14
- 5.1. Simple Authentication Method ..............................14
- 5.1.1. Anonymous Authentication Mechanism of Simple Bind ..14
- 5.1.2. Unauthenticated Authentication Mechanism of
- Simple Bind ........................................14
- 5.1.3. Name/Password Authentication Mechanism of
- Simple Bind ........................................15
- 5.2. SASL Authentication Method ................................16
- 5.2.1. SASL Protocol Profile ..............................16
- 5.2.1.1. SASL Service Name for LDAP ................16
- 5.2.1.2. SASL Authentication Initiation and
- Protocol Exchange .........................16
- 5.2.1.3. Optional Fields ...........................17
- 5.2.1.4. Octet Where Negotiated Security
- Layers Take Effect ........................18
- 5.2.1.5. Determination of Supported SASL
- Mechanisms ................................18
- 5.2.1.6. Rules for Using SASL Layers ...............19
- 5.2.1.7. Support for Multiple Authentications ......19
- 5.2.1.8. SASL Authorization Identities .............19
- 5.2.2. SASL Semantics within LDAP .........................20
- 5.2.3. SASL EXTERNAL Authentication Mechanism .............20
- 5.2.3.1. Implicit Assertion ........................21
- 5.2.3.2. Explicit Assertion ........................21
- 6. Security Considerations ........................................21
- 6.1. General LDAP Security Considerations ......................21
- 6.2. StartTLS Security Considerations ..........................22
- 6.3. Bind Operation Security Considerations ....................23
- 6.3.1. Unauthenticated Mechanism Security Considerations ..23
-
-
-
-Harrison Standards Track [Page 2]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- 6.3.2. Name/Password Mechanism Security Considerations ....23
- 6.3.3. Password-Related Security Considerations ...........23
- 6.3.4. Hashed Password Security Considerations ............24
- 6.4. SASL Security Considerations ..............................24
- 6.5. Related Security Considerations ...........................25
- 7. IANA Considerations ............................................25
- 8. Acknowledgements ...............................................25
- 9. Normative References ...........................................26
- 10. Informative References ........................................27
- Appendix A. Authentication and Authorization Concepts .............28
- A.1. Access Control Policy .....................................28
- A.2. Access Control Factors ....................................28
- A.3. Authentication, Credentials, Identity .....................28
- A.4. Authorization Identity ....................................29
- Appendix B. Summary of Changes ....................................29
- B.1. Changes Made to RFC 2251 ..................................30
- B.1.1. Section 4.2.1 ("Sequencing of the Bind Request") ...30
- B.1.2. Section 4.2.2 ("Authentication and Other Security
- Services") .........................................30
- B.2. Changes Made to RFC 2829 ..................................30
- B.2.1. Section 4 ("Required security mechanisms") .........30
- B.2.2. Section 5.1 ("Anonymous authentication
- procedure") ........................................31
- B.2.3. Section 6 ("Password-based authentication") ........31
- B.2.4. Section 6.1 ("Digest authentication") ..............31
- B.2.5. Section 6.2 ("'simple' authentication choice under
- TLS encryption") ...................................31
- B.2.6. Section 6.3 ("Other authentication choices with
- TLS") ..............................................31
- B.2.7. Section 7.1 ("Certificate-based authentication
- with TLS") .........................................31
- B.2.8. Section 8 ("Other mechanisms") .....................32
- B.2.9. Section 9 ("Authorization Identity") ...............32
- B.2.10. Section 10 ("TLS Ciphersuites") ...................32
- B.3. Changes Made to RFC 2830 ..................................32
- B.3.1. Section 3.6 ("Server Identity Check") ..............32
- B.3.2. Section 3.7 ("Refresh of Server Capabilities
- Information") ......................................33
- B.3.3. Section 5 ("Effects of TLS on a Client's
- Authorization Identity") ...........................33
- B.3.4. Section 5.2 ("TLS Connection Closure Effects") .....33
-
-
-
-
-
-
-
-
-
-
-Harrison Standards Track [Page 3]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-1. Introduction
-
- The Lightweight Directory Access Protocol (LDAP) [RFC4510] is a
- powerful protocol for accessing directories. It offers means of
- searching, retrieving, and manipulating directory content and ways to
- access a rich set of security functions.
-
- It is vital that these security functions be interoperable among all
- LDAP clients and servers on the Internet; therefore there has to be a
- minimum subset of security functions that is common to all
- implementations that claim LDAP conformance.
-
- Basic threats to an LDAP directory service include (but are not
- limited to):
-
- (1) Unauthorized access to directory data via data-retrieval
- operations.
-
- (2) Unauthorized access to directory data by monitoring access of
- others.
-
- (3) Unauthorized access to reusable client authentication information
- by monitoring access of others.
-
- (4) Unauthorized modification of directory data.
-
- (5) Unauthorized modification of configuration information.
-
- (6) Denial of Service: Use of resources (commonly in excess) in a
- manner intended to deny service to others.
-
- (7) Spoofing: Tricking a user or client into believing that
- information came from the directory when in fact it did not,
- either by modifying data in transit or misdirecting the client's
- transport connection. Tricking a user or client into sending
- privileged information to a hostile entity that appears to be the
- directory server but is not. Tricking a directory server into
- believing that information came from a particular client when in
- fact it came from a hostile entity.
-
- (8) Hijacking: An attacker seizes control of an established protocol
- session.
-
- Threats (1), (4), (5), (6), (7), and (8) are active attacks. Threats
- (2) and (3) are passive attacks.
-
-
-
-
-
-
-Harrison Standards Track [Page 4]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- Threats (1), (4), (5), and (6) are due to hostile clients. Threats
- (2), (3), (7), and (8) are due to hostile agents on the path between
- client and server or hostile agents posing as a server, e.g., IP
- spoofing.
-
- LDAP offers the following security mechanisms:
-
- (1) Authentication by means of the Bind operation. The Bind
- operation provides a simple method that supports anonymous,
- unauthenticated, and name/password mechanisms, and the Simple
- Authentication and Security Layer (SASL) method, which supports a
- wide variety of authentication mechanisms.
-
- (2) Mechanisms to support vendor-specific access control facilities
- (LDAP does not offer a standard access control facility).
-
- (3) Data integrity service by means of security layers in Transport
- Layer Security (TLS) or SASL mechanisms.
-
- (4) Data confidentiality service by means of security layers in TLS
- or SASL mechanisms.
-
- (5) Server resource usage limitation by means of administrative
- limits configured on the server.
-
- (6) Server authentication by means of the TLS protocol or SASL
- mechanisms.
-
- LDAP may also be protected by means outside the LDAP protocol, e.g.,
- with IP layer security [RFC4301].
-
- Experience has shown that simply allowing implementations to pick and
- choose the security mechanisms that will be implemented is not a
- strategy that leads to interoperability. In the absence of mandates,
- clients will continue to be written that do not support any security
- function supported by the server, or worse, they will only support
- mechanisms that provide inadequate security for most circumstances.
-
- It is desirable to allow clients to authenticate using a variety of
- mechanisms including mechanisms where identities are represented as
- distinguished names [X.501][RFC4512], in string form [RFC4514], or as
- used in different systems (e.g., simple user names [RFC4013]).
- Because some authentication mechanisms transmit credentials in plain
- text form, and/or do not provide data security services and/or are
- subject to passive attacks, it is necessary to ensure secure
- interoperability by identifying a mandatory-to-implement mechanism
- for establishing transport-layer security services.
-
-
-
-
-Harrison Standards Track [Page 5]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- The set of security mechanisms provided in LDAP and described in this
- document is intended to meet the security needs for a wide range of
- deployment scenarios and still provide a high degree of
- interoperability among various LDAP implementations and deployments.
-
-1.1. Relationship to Other Documents
-
- This document is an integral part of the LDAP Technical Specification
- [RFC4510].
-
- This document, together with [RFC4510], [RFC4511], and [RFC4512],
- obsoletes RFC 2251 in its entirety. Sections 4.2.1 (portions) and
- 4.2.2 of RFC 2251 are obsoleted by this document. Appendix B.1
- summarizes the substantive changes made to RFC 2251 by this document.
-
- This document obsoletes RFC 2829 in its entirety. Appendix B.2
- summarizes the substantive changes made to RFC 2829 by this document.
-
- Sections 2 and 4 of RFC 2830 are obsoleted by [RFC4511]. The
- remainder of RFC 2830 is obsoleted by this document. Appendix B.3
- summarizes the substantive changes made to RFC 2830 by this document.
-
-1.2. Conventions
-
- The key words "MUST", "MUST NOT", "SHALL", "SHOULD", "SHOULD NOT",
- "MAY", and "OPTIONAL" in this document are to be interpreted as
- described in RFC 2119 [RFC2119].
-
- The term "user" represents any human or application entity that is
- accessing the directory using a directory client. A directory client
- (or client) is also known as a directory user agent (DUA).
-
- The term "transport connection" refers to the underlying transport
- services used to carry the protocol exchange, as well as associations
- established by these services.
-
- The term "TLS layer" refers to TLS services used in providing
- security services, as well as associations established by these
- services.
-
- The term "SASL layer" refers to SASL services used in providing
- security services, as well as associations established by these
- services.
-
- The term "LDAP message layer" refers to the LDAP Message (PDU)
- services used in providing directory services, as well as
- associations established by these services.
-
-
-
-
-Harrison Standards Track [Page 6]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- The term "LDAP session" refers to combined services (transport
- connection, TLS layer, SASL layer, LDAP message layer) and their
- associations.
-
- In general, security terms in this document are used consistently
- with the definitions provided in [RFC2828]. In addition, several
- terms and concepts relating to security, authentication, and
- authorization are presented in Appendix A of this document. While
- the formal definition of these terms and concepts is outside the
- scope of this document, an understanding of them is prerequisite to
- understanding much of the material in this document. Readers who are
- unfamiliar with security-related concepts are encouraged to review
- Appendix A before reading the remainder of this document.
-
-2. Implementation Requirements
-
- LDAP server implementations MUST support the anonymous authentication
- mechanism of the simple Bind method (Section 5.1.1).
-
- LDAP implementations that support any authentication mechanism other
- than the anonymous authentication mechanism of the simple Bind method
- MUST support the name/password authentication mechanism of the simple
- Bind method (Section 5.1.3) and MUST be capable of protecting this
- name/password authentication using TLS as established by the StartTLS
- operation (Section 3).
-
- Implementations SHOULD disallow the use of the name/password
- authentication mechanism by default when suitable data security
- services are not in place, and they MAY provide other suitable data
- security services for use with this authentication mechanism.
-
- Implementations MAY support additional authentication mechanisms.
- Some of these mechanisms are discussed below.
-
- LDAP server implementations SHOULD support client assertion of
- authorization identity via the SASL EXTERNAL mechanism (Section
- 5.2.3).
-
- LDAP server implementations that support no authentication mechanism
- other than the anonymous mechanism of the simple bind method SHOULD
- support use of TLS as established by the StartTLS operation (Section
- 3). (Other servers MUST support TLS per the second paragraph of this
- section.)
-
-
-
-
-
-
-
-
-Harrison Standards Track [Page 7]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- Implementations supporting TLS MUST support the
- TLS_RSA_WITH_3DES_EDE_CBC_SHA ciphersuite and SHOULD support the
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite. Support for the
- latter ciphersuite is recommended to encourage interoperability with
- implementations conforming to earlier LDAP StartTLS specifications.
-
-3. StartTLS Operation
-
- The Start Transport Layer Security (StartTLS) operation defined in
- Section 4.14 of [RFC4511] provides the ability to establish TLS
- [RFC4346] in an LDAP session.
-
- The goals of using the TLS protocol with LDAP are to ensure data
- confidentiality and integrity, and to optionally provide for
- authentication. TLS expressly provides these capabilities, although
- the authentication services of TLS are available to LDAP only in
- combination with the SASL EXTERNAL authentication method (see Section
- 5.2.3), and then only if the SASL EXTERNAL implementation chooses to
- make use of the TLS credentials.
-
-3.1. TLS Establishment Procedures
-
- This section describes the overall procedures clients and servers
- must follow for TLS establishment. These procedures take into
- consideration various aspects of the TLS layer including discovery of
- resultant security level and assertion of the client's authorization
- identity.
-
-3.1.1. StartTLS Request Sequencing
-
- A client may send the StartTLS extended request at any time after
- establishing an LDAP session, except:
-
- - when TLS is currently established on the session,
- - when a multi-stage SASL negotiation is in progress on the
- session, or
- - when there are outstanding responses for operation requests
- previously issued on the session.
-
- As described in [RFC4511], Section 4.14.1, a (detected) violation of
- any of these requirements results in a return of the operationsError
- resultCode.
-
- Client implementers should ensure that they strictly follow these
- operation sequencing requirements to prevent interoperability issues.
- Operational experience has shown that violating these requirements
-
-
-
-
-
-Harrison Standards Track [Page 8]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- causes interoperability issues because there are race conditions that
- prevent servers from detecting some violations of these requirements
- due to factors such as server hardware speed and network latencies.
-
- There is no general requirement that the client have or have not
- already performed a Bind operation (Section 5) before sending a
- StartTLS operation request; however, where a client intends to
- perform both a Bind operation and a StartTLS operation, it SHOULD
- first perform the StartTLS operation so that the Bind request and
- response messages are protected by the data security services
- established by the StartTLS operation.
-
-3.1.2. Client Certificate
-
- If an LDAP server requests or demands that a client provide a user
- certificate during TLS negotiation and the client does not present a
- suitable user certificate (e.g., one that can be validated), the
- server may use a local security policy to determine whether to
- successfully complete TLS negotiation.
-
- If a client that has provided a suitable certificate subsequently
- performs a Bind operation using the SASL EXTERNAL authentication
- mechanism (Section 5.2.3), information in the certificate may be used
- by the server to identify and authenticate the client.
-
-3.1.3. Server Identity Check
-
- In order to prevent man-in-the-middle attacks, the client MUST verify
- the server's identity (as presented in the server's Certificate
- message). In this section, the client's understanding of the
- server's identity (typically the identity used to establish the
- transport connection) is called the "reference identity".
-
- The client determines the type (e.g., DNS name or IP address) of the
- reference identity and performs a comparison between the reference
- identity and each subjectAltName value of the corresponding type
- until a match is produced. Once a match is produced, the server's
- identity has been verified, and the server identity check is
- complete. Different subjectAltName types are matched in different
- ways. Sections 3.1.3.1 - 3.1.3.3 explain how to compare values of
- various subjectAltName types.
-
- The client may map the reference identity to a different type prior
- to performing a comparison. Mappings may be performed for all
- available subjectAltName types to which the reference identity can be
- mapped; however, the reference identity should only be mapped to
- types for which the mapping is either inherently secure (e.g.,
- extracting the DNS name from a URI to compare with a subjectAltName
-
-
-
-Harrison Standards Track [Page 9]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- of type dNSName) or for which the mapping is performed in a secure
- manner (e.g., using DNSSEC, or using user- or admin-configured host-
- to-address/address-to-host lookup tables).
-
- The server's identity may also be verified by comparing the reference
- identity to the Common Name (CN) [RFC4519] value in the leaf Relative
- Distinguished Name (RDN) of the subjectName field of the server's
- certificate. This comparison is performed using the rules for
- comparison of DNS names in Section 3.1.3.1, below, with the exception
- that no wildcard matching is allowed. Although the use of the Common
- Name value is existing practice, it is deprecated, and Certification
- Authorities are encouraged to provide subjectAltName values instead.
- Note that the TLS implementation may represent DNs in certificates
- according to X.500 or other conventions. For example, some X.500
- implementations order the RDNs in a DN using a left-to-right (most
- significant to least significant) convention instead of LDAP's
- right-to-left convention.
-
- If the server identity check fails, user-oriented clients SHOULD
- either notify the user (clients may give the user the opportunity to
- continue with the LDAP session in this case) or close the transport
- connection and indicate that the server's identity is suspect.
- Automated clients SHOULD close the transport connection and then
- return or log an error indicating that the server's identity is
- suspect or both.
-
- Beyond the server identity check described in this section, clients
- should be prepared to do further checking to ensure that the server
- is authorized to provide the service it is requested to provide. The
- client may need to make use of local policy information in making
- this determination.
-
-3.1.3.1. Comparison of DNS Names
-
- If the reference identity is an internationalized domain name,
- conforming implementations MUST convert it to the ASCII Compatible
- Encoding (ACE) format as specified in Section 4 of RFC 3490 [RFC3490]
- before comparison with subjectAltName values of type dNSName.
- Specifically, conforming implementations MUST perform the conversion
- operation specified in Section 4 of RFC 3490 as follows:
-
- * in step 1, the domain name SHALL be considered a "stored
- string";
- * in step 3, set the flag called "UseSTD3ASCIIRules";
- * in step 4, process each label with the "ToASCII" operation; and
- * in step 5, change all label separators to U+002E (full stop).
-
-
-
-
-
-Harrison Standards Track [Page 10]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- After performing the "to-ASCII" conversion, the DNS labels and names
- MUST be compared for equality according to the rules specified in
- Section 3 of RFC3490.
-
- The '*' (ASCII 42) wildcard character is allowed in subjectAltName
- values of type dNSName, and then only as the left-most (least
- significant) DNS label in that value. This wildcard matches any
- left-most DNS label in the server name. That is, the subject
- *.example.com matches the server names a.example.com and
- b.example.com, but does not match example.com or a.b.example.com.
-
-3.1.3.2. Comparison of IP Addresses
-
- When the reference identity is an IP address, the identity MUST be
- converted to the "network byte order" octet string representation
- [RFC791][RFC2460]. For IP Version 4, as specified in RFC 791, the
- octet string will contain exactly four octets. For IP Version 6, as
- specified in RFC 2460, the octet string will contain exactly sixteen
- octets. This octet string is then compared against subjectAltName
- values of type iPAddress. A match occurs if the reference identity
- octet string and value octet strings are identical.
-
-3.1.3.3. Comparison of Other subjectName Types
-
- Client implementations MAY support matching against subjectAltName
- values of other types as described in other documents.
-
-3.1.4. Discovery of Resultant Security Level
-
- After a TLS layer is established in an LDAP session, both parties are
- to each independently decide whether or not to continue based on
- local policy and the security level achieved. If either party
- decides that the security level is inadequate for it to continue, it
- SHOULD remove the TLS layer immediately after the TLS (re)negotiation
- has completed (see [RFC4511], Section 4.14.3, and Section 3.2 below).
- Implementations may reevaluate the security level at any time and,
- upon finding it inadequate, should remove the TLS layer.
-
-3.1.5. Refresh of Server Capabilities Information
-
- After a TLS layer is established in an LDAP session, the client
- SHOULD discard or refresh all information about the server that it
- obtained prior to the initiation of the TLS negotiation and that it
- did not obtain through secure mechanisms. This protects against
- man-in-the-middle attacks that may have altered any server
- capabilities information retrieved prior to TLS layer installation.
-
-
-
-
-
-Harrison Standards Track [Page 11]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- The server may advertise different capabilities after installing a
- TLS layer. In particular, the value of 'supportedSASLMechanisms' may
- be different after a TLS layer has been installed (specifically, the
- EXTERNAL and PLAIN [PLAIN] mechanisms are likely to be listed only
- after a TLS layer has been installed).
-
-3.2. Effect of TLS on Authorization State
-
- The establishment, change, and/or closure of TLS may cause the
- authorization state to move to a new state. This is discussed
- further in Section 4.
-
-3.3. TLS Ciphersuites
-
- Several issues should be considered when selecting TLS ciphersuites
- that are appropriate for use in a given circumstance. These issues
- include the following:
-
- - The ciphersuite's ability to provide adequate confidentiality
- protection for passwords and other data sent over the transport
- connection. Client and server implementers should recognize
- that some TLS ciphersuites provide no confidentiality
- protection, while other ciphersuites that do provide
- confidentiality protection may be vulnerable to being cracked
- using brute force methods, especially in light of ever-
- increasing CPU speeds that reduce the time needed to
- successfully mount such attacks.
-
- - Client and server implementers should carefully consider the
- value of the password or data being protected versus the level
- of confidentiality protection provided by the ciphersuite to
- ensure that the level of protection afforded by the ciphersuite
- is appropriate.
-
- - The ciphersuite's vulnerability (or lack thereof) to man-in-the-
- middle attacks. Ciphersuites vulnerable to man-in-the-middle
- attacks SHOULD NOT be used to protect passwords or sensitive
- data, unless the network configuration is such that the danger
- of a man-in-the-middle attack is negligible.
-
- - After a TLS negotiation (either initial or subsequent) is
- completed, both protocol peers should independently verify that
- the security services provided by the negotiated ciphersuite are
- adequate for the intended use of the LDAP session. If they are
- not, the TLS layer should be closed.
-
-
-
-
-
-
-Harrison Standards Track [Page 12]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-4. Authorization State
-
- Every LDAP session has an associated authorization state. This state
- is comprised of numerous factors such as what (if any) authentication
- state has been established, how it was established, and what security
- services are in place. Some factors may be determined and/or
- affected by protocol events (e.g., Bind, StartTLS, or TLS closure),
- and some factors may be determined by external events (e.g., time of
- day or server load).
-
- While it is often convenient to view authorization state in
- simplistic terms (as we often do in this technical specification)
- such as "an anonymous state", it is noted that authorization systems
- in LDAP implementations commonly involve many factors that
- interrelate in complex manners.
-
- Authorization in LDAP is a local matter. One of the key factors in
- making authorization decisions is authorization identity. The Bind
- operation (defined in Section 4.2 of [RFC4511] and discussed further
- in Section 5 below) allows information to be exchanged between the
- client and server to establish an authorization identity for the LDAP
- session. The Bind operation may also be used to move the LDAP
- session to an anonymous authorization state (see Section 5.1.1).
-
- Upon initial establishment of the LDAP session, the session has an
- anonymous authorization identity. Among other things this implies
- that the client need not send a BindRequest in the first PDU of the
- LDAP message layer. The client may send any operation request prior
- to performing a Bind operation, and the server MUST treat it as if it
- had been performed after an anonymous Bind operation (Section 5.1.1).
-
- Upon receipt of a Bind request, the server immediately moves the
- session to an anonymous authorization state. If the Bind request is
- successful, the session is moved to the requested authentication
- state with its associated authorization state. Otherwise, the
- session remains in an anonymous state.
-
- It is noted that other events both internal and external to LDAP may
- result in the authentication and authorization states being moved to
- an anonymous one. For instance, the establishment, change, or
- closure of data security services may result in a move to an
- anonymous state, or the user's credential information (e.g.,
- certificate) may have expired. The former is an example of an event
- internal to LDAP, whereas the latter is an example of an event
- external to LDAP.
-
-
-
-
-
-
-Harrison Standards Track [Page 13]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-5. Bind Operation
-
- The Bind operation ([RFC4511], Section 4.2) allows authentication
- information to be exchanged between the client and server to
- establish a new authorization state.
-
- The Bind request typically specifies the desired authentication
- identity. Some Bind mechanisms also allow the client to specify the
- authorization identity. If the authorization identity is not
- specified, the server derives it from the authentication identity in
- an implementation-specific manner.
-
- If the authorization identity is specified, the server MUST verify
- that the client's authentication identity is permitted to assume
- (e.g., proxy for) the asserted authorization identity. The server
- MUST reject the Bind operation with an invalidCredentials resultCode
- in the Bind response if the client is not so authorized.
-
-5.1. Simple Authentication Method
-
- The simple authentication method of the Bind Operation provides three
- authentication mechanisms:
-
- - An anonymous authentication mechanism (Section 5.1.1).
-
- - An unauthenticated authentication mechanism (Section 5.1.2).
-
- - A name/password authentication mechanism using credentials
- consisting of a name (in the form of an LDAP distinguished name
- [RFC4514]) and a password (Section 5.1.3).
-
-5.1.1. Anonymous Authentication Mechanism of Simple Bind
-
- An LDAP client may use the anonymous authentication mechanism of the
- simple Bind method to explicitly establish an anonymous authorization
- state by sending a Bind request with a name value of zero length and
- specifying the simple authentication choice containing a password
- value of zero length.
-
-5.1.2. Unauthenticated Authentication Mechanism of Simple Bind
-
- An LDAP client may use the unauthenticated authentication mechanism
- of the simple Bind method to establish an anonymous authorization
- state by sending a Bind request with a name value (a distinguished
- name in LDAP string form [RFC4514] of non-zero length) and specifying
- the simple authentication choice containing a password value of zero
- length.
-
-
-
-
-Harrison Standards Track [Page 14]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- The distinguished name value provided by the client is intended to be
- used for trace (e.g., logging) purposes only. The value is not to be
- authenticated or otherwise validated (including verification that the
- DN refers to an existing directory object). The value is not to be
- used (directly or indirectly) for authorization purposes.
-
- Unauthenticated Bind operations can have significant security issues
- (see Section 6.3.1). In particular, users intending to perform
- Name/Password Authentication may inadvertently provide an empty
- password and thus cause poorly implemented clients to request
- Unauthenticated access. Clients SHOULD be implemented to require
- user selection of the Unauthenticated Authentication Mechanism by
- means other than user input of an empty password. Clients SHOULD
- disallow an empty password input to a Name/Password Authentication
- user interface. Additionally, Servers SHOULD by default fail
- Unauthenticated Bind requests with a resultCode of
- unwillingToPerform.
-
-5.1.3. Name/Password Authentication Mechanism of Simple Bind
-
- An LDAP client may use the name/password authentication mechanism of
- the simple Bind method to establish an authenticated authorization
- state by sending a Bind request with a name value (a distinguished
- name in LDAP string form [RFC4514] of non-zero length) and specifying
- the simple authentication choice containing an OCTET STRING password
- value of non-zero length.
-
- Servers that map the DN sent in the Bind request to a directory entry
- with an associated set of one or more passwords used with this
- mechanism will compare the presented password to that set of
- passwords. The presented password is considered valid if it matches
- any member of this set.
-
- A resultCode of invalidDNSyntax indicates that the DN sent in the
- name value is syntactically invalid. A resultCode of
- invalidCredentials indicates that the DN is syntactically correct but
- not valid for purposes of authentication, that the password is not
- valid for the DN, or that the server otherwise considers the
- credentials invalid. A resultCode of success indicates that the
- credentials are valid and that the server is willing to provide
- service to the entity these credentials identify.
-
- Server behavior is undefined for Bind requests specifying the
- name/password authentication mechanism with a zero-length name value
- and a password value of non-zero length.
-
-
-
-
-
-
-Harrison Standards Track [Page 15]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- The name/password authentication mechanism of the simple Bind method
- is not suitable for authentication in environments without
- confidentiality protection.
-
-5.2. SASL Authentication Method
-
- The sasl authentication method of the Bind Operation provides
- facilities for using any SASL mechanism including authentication
- mechanisms and other services (e.g., data security services).
-
-5.2.1. SASL Protocol Profile
-
- LDAP allows authentication via any SASL mechanism [RFC4422]. As LDAP
- includes native anonymous and name/password (plain text)
- authentication methods, the ANONYMOUS [RFC4505] and PLAIN [PLAIN]
- SASL mechanisms are typically not used with LDAP.
-
- Each protocol that utilizes SASL services is required to supply
- certain information profiling the way they are exposed through the
- protocol ([RFC4422], Section 4). This section explains how each of
- these profiling requirements is met by LDAP.
-
-5.2.1.1. SASL Service Name for LDAP
-
- The SASL service name for LDAP is "ldap", which has been registered
- with the IANA as a SASL service name.
-
-5.2.1.2. SASL Authentication Initiation and Protocol Exchange
-
- SASL authentication is initiated via a BindRequest message
- ([RFC4511], Section 4.2) with the following parameters:
-
- - The version is 3.
- - The AuthenticationChoice is sasl.
- - The mechanism element of the SaslCredentials sequence contains
- the value of the desired SASL mechanism.
- - The optional credentials field of the SaslCredentials sequence
- MAY be used to provide an initial client response for mechanisms
- that are defined to have the client send data first (see
- [RFC4422], Sections 3 and 5).
-
- In general, a SASL authentication protocol exchange consists of a
- series of server challenges and client responses, the contents of
- which are specific to and defined by the SASL mechanism. Thus, for
- some SASL authentication mechanisms, it may be necessary for the
- client to respond to one or more server challenges by sending
- BindRequest messages multiple times. A challenge is indicated by the
- server sending a BindResponse message with the resultCode set to
-
-
-
-Harrison Standards Track [Page 16]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- saslBindInProgress. This indicates that the server requires the
- client to send a new BindRequest message with the same SASL mechanism
- to continue the authentication process.
-
- To the LDAP message layer, these challenges and responses are opaque
- binary tokens of arbitrary length. LDAP servers use the
- serverSaslCreds field (an OCTET STRING) in a BindResponse message to
- transmit each challenge. LDAP clients use the credentials field (an
- OCTET STRING) in the SaslCredentials sequence of a BindRequest
- message to transmit each response. Note that unlike some Internet
- protocols where SASL is used, LDAP is not text based and does not
- Base64-transform these challenge and response values.
-
- Clients sending a BindRequest message with the sasl choice selected
- SHOULD send a zero-length value in the name field. Servers receiving
- a BindRequest message with the sasl choice selected SHALL ignore any
- value in the name field.
-
- A client may abort a SASL Bind negotiation by sending a BindRequest
- message with a different value in the mechanism field of
- SaslCredentials or with an AuthenticationChoice other than sasl.
-
- If the client sends a BindRequest with the sasl mechanism field as an
- empty string, the server MUST return a BindResponse with a resultCode
- of authMethodNotSupported. This will allow the client to abort a
- negotiation if it wishes to try again with the same SASL mechanism.
-
- The server indicates completion of the SASL challenge-response
- exchange by responding with a BindResponse in which the resultCode
- value is not saslBindInProgress.
-
- The serverSaslCreds field in the BindResponse can be used to include
- an optional challenge with a success notification for mechanisms that
- are defined to have the server send additional data along with the
- indication of successful completion.
-
-5.2.1.3. Optional Fields
-
- As discussed above, LDAP provides an optional field for carrying an
- initial response in the message initiating the SASL exchange and
- provides an optional field for carrying additional data in the
- message indicating the outcome of the authentication exchange. As
- the mechanism-specific content in these fields may be zero length,
- SASL requires protocol specifications to detail how an empty field is
- distinguished from an absent field.
-
-
-
-
-
-
-Harrison Standards Track [Page 17]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- Zero-length initial response data is distinguished from no initial
- response data in the initiating message, a BindRequest PDU, by the
- presence of the SaslCredentials.credentials OCTET STRING (of length
- zero) in that PDU. If the client does not intend to send an initial
- response with the BindRequest initiating the SASL exchange, it MUST
- omit the SaslCredentials.credentials OCTET STRING (rather than
- include an zero-length OCTET STRING).
-
- Zero-length additional data is distinguished from no additional
- response data in the outcome message, a BindResponse PDU, by the
- presence of the serverSaslCreds OCTET STRING (of length zero) in that
- PDU. If a server does not intend to send additional data in the
- BindResponse message indicating outcome of the exchange, the server
- SHALL omit the serverSaslCreds OCTET STRING (rather than including a
- zero-length OCTET STRING).
-
-5.2.1.4. Octet Where Negotiated Security Layers Take Effect
-
- SASL layers take effect following the transmission by the server and
- reception by the client of the final BindResponse in the SASL
- exchange with a resultCode of success.
-
- Once a SASL layer providing data integrity or confidentiality
- services takes effect, the layer remains in effect until a new layer
- is installed (i.e., at the first octet following the final
- BindResponse of the Bind operation that caused the new layer to take
- effect). Thus, an established SASL layer is not affected by a failed
- or non-SASL Bind.
-
-5.2.1.5. Determination of Supported SASL Mechanisms
-
- Clients may determine the SASL mechanisms a server supports by
- reading the 'supportedSASLMechanisms' attribute from the root DSE
- (DSA-Specific Entry) ([RFC4512], Section 5.1). The values of this
- attribute, if any, list the mechanisms the server supports in the
- current LDAP session state. LDAP servers SHOULD allow all clients --
- even those with an anonymous authorization -- to retrieve the
- 'supportedSASLMechanisms' attribute of the root DSE both before and
- after the SASL authentication exchange. The purpose of the latter is
- to allow the client to detect possible downgrade attacks (see Section
- 6.4 and [RFC4422], Section 6.1.2).
-
- Because SASL mechanisms provide critical security functions, clients
- and servers should be configurable to specify what mechanisms are
- acceptable and allow only those mechanisms to be used. Both clients
- and servers must confirm that the negotiated security level meets
- their requirements before proceeding to use the session.
-
-
-
-
-Harrison Standards Track [Page 18]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-5.2.1.6. Rules for Using SASL Layers
-
- Upon installing a SASL layer, the client SHOULD discard or refresh
- all information about the server that it obtained prior to the
- initiation of the SASL negotiation and that it did not obtain through
- secure mechanisms.
-
- If a lower-level security layer (such as TLS) is installed, any SASL
- layer SHALL be layered on top of such security layers regardless of
- the order of their negotiation. In all other respects, the SASL
- layer and other security layers act independently, e.g., if both a
- TLS layer and a SASL layer are in effect, then removing the TLS layer
- does not affect the continuing service of the SASL layer.
-
-5.2.1.7. Support for Multiple Authentications
-
- LDAP supports multiple SASL authentications as defined in [RFC4422],
- Section 4.
-
-5.2.1.8. SASL Authorization Identities
-
- Some SASL mechanisms allow clients to request a desired authorization
- identity for the LDAP session ([RFC4422], Section 3.4). The decision
- to allow or disallow the current authentication identity to have
- access to the requested authorization identity is a matter of local
- policy. The authorization identity is a string of UTF-8 [RFC3629]
- encoded [Unicode] characters corresponding to the following Augmented
- Backus-Naur Form (ABNF) [RFC4234] grammar:
-
- authzId = dnAuthzId / uAuthzId
-
- ; distinguished-name-based authz id
- dnAuthzId = "dn:" distinguishedName
-
- ; unspecified authorization id, UTF-8 encoded
- uAuthzId = "u:" userid
- userid = *UTF8 ; syntax unspecified
-
- where the distinguishedName rule is defined in Section 3 of [RFC4514]
- and the UTF8 rule is defined in Section 1.4 of [RFC4512].
-
- The dnAuthzId choice is used to assert authorization identities in
- the form of a distinguished name to be matched in accordance with the
- distinguishedNameMatch matching rule ([RFC4517], Section 4.2.15).
- There is no requirement that the asserted distinguishedName value be
- that of an entry in the directory.
-
-
-
-
-
-Harrison Standards Track [Page 19]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- The uAuthzId choice allows clients to assert an authorization
- identity that is not in distinguished name form. The format of
- userid is defined only as a sequence of UTF-8 [RFC3629] encoded
- [Unicode] characters, and any further interpretation is a local
- matter. For example, the userid could identify a user of a specific
- directory service, be a login name, or be an email address. A
- uAuthzId SHOULD NOT be assumed to be globally unique. To compare
- uAuthzId values, each uAuthzId value MUST be prepared as a "query"
- string ([RFC3454], Section 7) using the SASLprep [RFC4013] algorithm,
- and then the two values are compared octet-wise.
-
- The above grammar is extensible. The authzId production may be
- extended to support additional forms of identities. Each form is
- distinguished by its unique prefix (see Section 3.12 of [RFC4520] for
- registration requirements).
-
-5.2.2. SASL Semantics within LDAP
-
- Implementers must take care to maintain the semantics of SASL
- specifications when handling data that has different semantics in the
- LDAP protocol.
-
- For example, the SASL DIGEST-MD5 authentication mechanism
- [DIGEST-MD5] utilizes an authentication identity and a realm that are
- syntactically simple strings and semantically simple username
- [RFC4013] and realm values. These values are not LDAP DNs, and there
- is no requirement that they be represented or treated as such.
-
-5.2.3. SASL EXTERNAL Authentication Mechanism
-
- A client can use the SASL EXTERNAL ([RFC4422], Appendix A) mechanism
- to request the LDAP server to authenticate and establish a resulting
- authorization identity using security credentials exchanged by a
- lower security layer (such as by TLS authentication). If the
- client's authentication credentials have not been established at a
- lower security layer, the SASL EXTERNAL Bind MUST fail with a
- resultCode of inappropriateAuthentication. Although this situation
- has the effect of leaving the LDAP session in an anonymous state
- (Section 4), the state of any installed security layer is unaffected.
-
- A client may either request that its authorization identity be
- automatically derived from its authentication credentials exchanged
- at a lower security layer, or it may explicitly provide a desired
- authorization identity. The former is known as an implicit
- assertion, and the latter as an explicit assertion.
-
-
-
-
-
-
-Harrison Standards Track [Page 20]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-5.2.3.1. Implicit Assertion
-
- An implicit authorization identity assertion is performed by invoking
- a Bind request of the SASL form using the EXTERNAL mechanism name
- that does not include the optional credentials field (found within
- the SaslCredentials sequence in the BindRequest). The server will
- derive the client's authorization identity from the authentication
- identity supplied by a security layer (e.g., a public key certificate
- used during TLS layer installation) according to local policy. The
- underlying mechanics of how this is accomplished are implementation
- specific.
-
-5.2.3.2. Explicit Assertion
-
- An explicit authorization identity assertion is performed by invoking
- a Bind request of the SASL form using the EXTERNAL mechanism name
- that includes the credentials field (found within the SaslCredentials
- sequence in the BindRequest). The value of the credentials field (an
- OCTET STRING) is the asserted authorization identity and MUST be
- constructed as documented in Section 5.2.1.8.
-
-6. Security Considerations
-
- Security issues are discussed throughout this document. The
- unsurprising conclusion is that security is an integral and necessary
- part of LDAP. This section discusses a number of LDAP-related
- security considerations.
-
-6.1. General LDAP Security Considerations
-
- LDAP itself provides no security or protection from accessing or
- updating the directory by means other than through the LDAP protocol,
- e.g., from inspection of server database files by database
- administrators.
-
- Sensitive data may be carried in almost any LDAP message, and its
- disclosure may be subject to privacy laws or other legal regulation
- in many countries. Implementers should take appropriate measures to
- protect sensitive data from disclosure to unauthorized entities.
-
- A session on which the client has not established data integrity and
- privacy services (e.g., via StartTLS, IPsec, or a suitable SASL
- mechanism) is subject to man-in-the-middle attacks to view and modify
- information in transit. Client and server implementers SHOULD take
- measures to protect sensitive data in the LDAP session from these
- attacks by using data protection services as discussed in this
- document. Clients and servers should provide the ability to be
- configured to require these protections. A resultCode of
-
-
-
-Harrison Standards Track [Page 21]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- confidentialityRequired indicates that the server requires
- establishment of (stronger) data confidentiality protection in order
- to perform the requested operation.
-
- Access control should always be applied when reading sensitive
- information or updating directory information.
-
- Various security factors, including authentication and authorization
- information and data security services may change during the course
- of the LDAP session, or even during the performance of a particular
- operation. Implementations should be robust in the handling of
- changing security factors.
-
-6.2. StartTLS Security Considerations
-
- All security gained via use of the StartTLS operation is gained by
- the use of TLS itself. The StartTLS operation, on its own, does not
- provide any additional security.
-
- The level of security provided through the use of TLS depends
- directly on both the quality of the TLS implementation used and the
- style of usage of that implementation. Additionally, a man-in-the-
- middle attacker can remove the StartTLS extended operation from the
- 'supportedExtension' attribute of the root DSE. Both parties SHOULD
- independently ascertain and consent to the security level achieved
- once TLS is established and before beginning use of the TLS-
- protected session. For example, the security level of the TLS layer
- might have been negotiated down to plaintext.
-
- Clients MUST either warn the user when the security level achieved
- does not provide an acceptable level of data confidentiality and/or
- data integrity protection, or be configurable to refuse to proceed
- without an acceptable level of security.
-
- As stated in Section 3.1.2, a server may use a local security policy
- to determine whether to successfully complete TLS negotiation.
- Information in the user's certificate that is originated or verified
- by the certification authority should be used by the policy
- administrator when configuring the identification and authorization
- policy.
-
- Server implementers SHOULD allow server administrators to elect
- whether and when data confidentiality and integrity are required, as
- well as elect whether authentication of the client during the TLS
- handshake is required.
-
- Implementers should be aware of and understand TLS security
- considerations as discussed in the TLS specification [RFC4346].
-
-
-
-Harrison Standards Track [Page 22]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-6.3. Bind Operation Security Considerations
-
- This section discusses several security considerations relevant to
- LDAP authentication via the Bind operation.
-
-6.3.1. Unauthenticated Mechanism Security Considerations
-
- Operational experience shows that clients can (and frequently do)
- misuse the unauthenticated authentication mechanism of the simple
- Bind method (see Section 5.1.2). For example, a client program might
- make a decision to grant access to non-directory information on the
- basis of successfully completing a Bind operation. LDAP server
- implementations may return a success response to an unauthenticated
- Bind request. This may erroneously leave the client with the
- impression that the server has successfully authenticated the
- identity represented by the distinguished name when in reality, an
- anonymous authorization state has been established. Clients that use
- the results from a simple Bind operation to make authorization
- decisions should actively detect unauthenticated Bind requests (by
- verifying that the supplied password is not empty) and react
- appropriately.
-
-6.3.2. Name/Password Mechanism Security Considerations
-
- The name/password authentication mechanism of the simple Bind method
- discloses the password to the server, which is an inherent security
- risk. There are other mechanisms, such as SASL DIGEST-MD5
- [DIGEST-MD5], that do not disclose the password to the server.
-
-6.3.3. Password-Related Security Considerations
-
- LDAP allows multi-valued password attributes. In systems where
- entries are expected to have one and only one password,
- administrative controls should be provided to enforce this behavior.
-
- The use of clear text passwords and other unprotected authentication
- credentials is strongly discouraged over open networks when the
- underlying transport service cannot guarantee confidentiality. LDAP
- implementations SHOULD NOT by default support authentication methods
- using clear text passwords and other unprotected authentication
- credentials unless the data on the session is protected using TLS or
- other data confidentiality and data integrity protection.
-
- The transmission of passwords in the clear -- typically for
- authentication or modification -- poses a significant security risk.
- This risk can be avoided by using SASL authentication [RFC4422]
-
-
-
-
-
-Harrison Standards Track [Page 23]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- mechanisms that do not transmit passwords in the clear or by
- negotiating transport or session layer data confidentiality services
- before transmitting password values.
-
- To mitigate the security risks associated with the transfer of
- passwords, a server implementation that supports any password-based
- authentication mechanism that transmits passwords in the clear MUST
- support a policy mechanism that at the time of authentication or
- password modification, requires that:
-
- A TLS layer has been successfully installed.
-
- OR
-
- Some other data confidentiality mechanism that protects the
- password value from eavesdropping has been provided.
-
- OR
-
- The server returns a resultCode of confidentialityRequired for
- the operation (i.e., name/password Bind with password value,
- SASL Bind transmitting a password value in the clear, add or
- modify including a userPassword value, etc.), even if the
- password value is correct.
-
- Server implementations may also want to provide policy mechanisms to
- invalidate or otherwise protect accounts in situations where a server
- detects that a password for an account has been transmitted in the
- clear.
-
-6.3.4. Hashed Password Security Considerations
-
- Some authentication mechanisms (e.g., DIGEST-MD5) transmit a hash of
- the password value that may be vulnerable to offline dictionary
- attacks. Implementers should take care to protect such hashed
- password values during transmission using TLS or other
- confidentiality mechanisms.
-
-6.4. SASL Security Considerations
-
- Until data integrity service is installed on an LDAP session, an
- attacker can modify the transmitted values of the
- 'supportedSASLMechanisms' attribute response and thus downgrade the
- list of available SASL mechanisms to include only the least secure
- mechanism. To detect this type of attack, the client may retrieve
- the SASL mechanisms the server makes available both before and after
- data integrity service is installed on an LDAP session. If the
- client finds that the integrity-protected list (the list obtained
-
-
-
-Harrison Standards Track [Page 24]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- after data integrity service was installed) contains a stronger
- mechanism than those in the previously obtained list, the client
- should assume the previously obtained list was modified by an
- attacker. In this circumstance it is recommended that the client
- close the underlying transport connection and then reconnect to
- reestablish the session.
-
-6.5. Related Security Considerations
-
- Additional security considerations relating to the various
- authentication methods and mechanisms discussed in this document
- apply and can be found in [RFC4422], [RFC4013], [RFC3454], and
- [RFC3629].
-
-7. IANA Considerations
-
- The IANA has updated the LDAP Protocol Mechanism registry to indicate
- that this document and [RFC4511] provide the definitive technical
- specification for the StartTLS (1.3.6.1.4.1.1466.20037) extended
- operation.
-
- The IANA has updated the LDAP LDAPMessage types registry to indicate
- that this document and [RFC4511] provide the definitive technical
- specification for the bindRequest (0) and bindResponse (1) message
- types.
-
- The IANA has updated the LDAP Bind Authentication Method registry to
- indicate that this document and [RFC4511] provide the definitive
- technical specification for the simple (0) and sasl (3) bind
- authentication methods.
-
- The IANA has updated the LDAP authzid prefixes registry to indicate
- that this document provides the definitive technical specification
- for the dnAuthzId (dn:) and uAuthzId (u:) authzid prefixes.
-
-8. Acknowledgements
-
- This document combines information originally contained in RFC 2251,
- RFC 2829, and RFC 2830. RFC 2251 was a product of the Access,
- Searching, and Indexing of Directories (ASID) Working Group. RFC
- 2829 and RFC 2830 were products of the LDAP Extensions (LDAPEXT)
- Working Group.
-
- This document is a product of the IETF LDAP Revision (LDAPBIS)
- working group.
-
-
-
-
-
-
-Harrison Standards Track [Page 25]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-9. Normative References
-
- [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791,
- September 1981.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
- (IPv6) Specification", RFC 2460, December 1998.
-
- [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ("stringprep")", RFC 3454,
- December 2002.
-
- [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
- "Internationalizing Domain Names in Applications
- (IDNA)", RFC 3490, March 2003.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
- Names and Passwords", RFC 4013, February 2005.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4346] Dierks, T. and E. Rescorla, "The TLS Protocol Version
- 1.1", RFC 4346, March 2006.
-
- [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
- Authentication and Security Layer (SASL)", RFC 4422,
- June 2006.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
-
-
-
-
-
-Harrison Standards Track [Page 26]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): String Representation of Distinguished
- Names", RFC 4514, June 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access
- Protocol (LDAP): Schema for User Applications", RFC
- 4519, June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version 3.0"
- (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-
- 5), as amended by the "Unicode Standard Annex #27:
- Unicode 3.1" (http://www.unicode.org/reports/tr27/) and
- by the "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
- [X.501] ITU-T Rec. X.501, "The Directory: Models", 1993.
-
-10. Informative References
-
- [DIGEST-MD5] Leach, P., Newman, C., and A. Melnikov, "Using Digest
- Authentication as a SASL Mechanism", Work in Progress,
- March 2006.
-
- [PLAIN] Zeilenga, K., "The Plain SASL Mechanism", Work in
- Progress, March 2005.
-
- [RFC2828] Shirey, R., "Internet Security Glossary", FYI 36, RFC
- 2828, May 2000.
-
- [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
- Internet Protocol", RFC 4301, December 2005.
-
- [RFC4505] Zeilenga, K., "The Anonymous SASL Mechanism", RFC 4505,
- June 2006.
-
-
-
-
-
-
-
-
-Harrison Standards Track [Page 27]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-Appendix A. Authentication and Authorization Concepts
-
- This appendix is non-normative.
-
- This appendix defines basic terms, concepts, and interrelationships
- regarding authentication, authorization, credentials, and identity.
- These concepts are used in describing how various security approaches
- are utilized in client authentication and authorization.
-
-A.1. Access Control Policy
-
- An access control policy is a set of rules defining the protection of
- resources, generally in terms of the capabilities of persons or other
- entities accessing those resources. Security objects and mechanisms,
- such as those described here, enable the expression of access control
- policies and their enforcement.
-
-A.2. Access Control Factors
-
- A request, when it is being processed by a server, may be associated
- with a wide variety of security-related factors. The server uses
- these factors to determine whether and how to process the request.
- These are called access control factors (ACFs). They might include
- source IP address, encryption strength, the type of operation being
- requested, time of day, etc.. Some factors may be specific to the
- request itself; others may be associated with the transport
- connection via which the request is transmitted; and others (e.g.,
- time of day) may be "environmental".
-
- Access control policies are expressed in terms of access control
- factors; for example, "a request having ACFs i,j,k can perform
- operation Y on resource Z". The set of ACFs that a server makes
- available for such expressions is implementation specific.
-
-A.3. Authentication, Credentials, Identity
-
- Authentication credentials are the evidence supplied by one party to
- another, asserting the identity of the supplying party (e.g., a user)
- who is attempting to establish a new authorization state with the
- other party (typically a server). Authentication is the process of
- generating, transmitting, and verifying these credentials and thus
- the identity they assert. An authentication identity is the name
- presented in a credential.
-
- There are many forms of authentication credentials. The form used
- depends upon the particular authentication mechanism negotiated by
- the parties. X.509 certificates, Kerberos tickets, and simple
- identity and password pairs are all examples of authentication
-
-
-
-Harrison Standards Track [Page 28]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- credential forms. Note that an authentication mechanism may
- constrain the form of authentication identities used with it.
-
-A.4. Authorization Identity
-
- An authorization identity is one kind of access control factor. It
- is the name of the user or other entity that requests that operations
- be performed. Access control policies are often expressed in terms
- of authorization identities; for example, "entity X can perform
- operation Y on resource Z".
-
- The authorization identity of an LDAP session is often semantically
- the same as the authentication identity presented by the client, but
- it may be different. SASL allows clients to specify an authorization
- identity distinct from the authentication identity asserted by the
- client's credentials. This permits agents such as proxy servers to
- authenticate using their own credentials, yet request the access
- privileges of the identity for which they are proxying [RFC4422].
- Also, the form of authentication identity supplied by a service like
- TLS may not correspond to the authorization identities used to
- express a server's access control policy, thus requiring a server-
- specific mapping to be done. The method by which a server composes
- and validates an authorization identity from the authentication
- credentials supplied by a client is implementation specific.
-
-Appendix B. Summary of Changes
-
- This appendix is non-normative.
-
- This appendix summarizes substantive changes made to RFC 2251, RFC
- 2829 and RFC 2830. In addition to the specific changes detailed
- below, the reader of this document should be aware that numerous
- general editorial changes have been made to the original content from
- the source documents. These changes include the following:
-
- - The material originally found in RFC 2251 Sections 4.2.1 and 4.2.2,
- RFC 2829 (all sections except Sections 2 and 4), and RFC 2830 was
- combined into a single document.
-
- - The combined material was substantially reorganized and edited to
- group related subjects, improve the document flow, and clarify
- intent.
-
- - Changes were made throughout the text to align with definitions of
- LDAP protocol layers and IETF security terminology.
-
-
-
-
-
-
-Harrison Standards Track [Page 29]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
- - Substantial updates and additions were made to security
- considerations from both documents based on current operational
- experience.
-
-B.1. Changes Made to RFC 2251
-
- This section summarizes the substantive changes made to Sections
- 4.2.1 and 4.2.2 of RFC 2251 by this document. Additional substantive
- changes to Section 4.2.1 of RFC 2251 are also documented in
- [RFC4511].
-
-B.1.1. Section 4.2.1 ("Sequencing of the Bind Request")
-
- - Paragraph 1: Removed the sentence, "If at any stage the client
- wishes to abort the bind process it MAY unbind and then drop the
- underlying connection". The Unbind operation still permits this
- behavior, but it is not documented explicitly.
-
- - Clarified that the session is moved to an anonymous state upon
- receipt of the BindRequest PDU and that it is only moved to a non-
- anonymous state if and when the Bind request is successful.
-
-B.1.2. Section 4.2.2 ("Authentication and Other Security Services")
-
- - RFC 2251 states that anonymous authentication MUST be performed
- using the simple bind method. This specification defines the
- anonymous authentication mechanism of the simple bind method and
- requires all conforming implementations to support it. Other
- authentication mechanisms producing anonymous authentication and
- authorization state may also be implemented and used by conforming
- implementations.
-
-B.2. Changes Made to RFC 2829
-
- This section summarizes the substantive changes made to RFC 2829.
-
-B.2.1. Section 4 ("Required security mechanisms")
-
- - The name/password authentication mechanism (see Section B.2.5
- below) protected by TLS replaces the SASL DIGEST-MD5 mechanism as
- LDAP's mandatory-to-implement password-based authentication
- mechanism. Implementations are encouraged to continue supporting
- SASL DIGEST-MD5 [DIGEST-MD5].
-
-
-
-
-
-
-
-
-Harrison Standards Track [Page 30]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-B.2.2. Section 5.1 ("Anonymous authentication procedure")
-
- - Clarified that anonymous authentication involves a name value of
- zero length and a password value of zero length. The
- unauthenticated authentication mechanism was added to handle simple
- Bind requests involving a name value with a non-zero length and a
- password value of zero length.
-
-B.2.3. Section 6 ("Password-based authentication")
-
- - See Section B.2.1.
-
-B.2.4. Section 6.1 ("Digest authentication")
-
- - As the SASL-DIGEST-MD5 mechanism is no longer mandatory to
- implement, this section is now historical and was not included in
- this document. RFC 2829, Section 6.1, continues to document the
- SASL DIGEST-MD5 authentication mechanism.
-
-B.2.5. Section 6.2 ("'simple' authentication choice under TLS
- encryption")
-
- - Renamed the "simple" authentication mechanism to the name/password
- authentication mechanism to better describe it.
-
- - The use of TLS was generalized to align with definitions of LDAP
- protocol layers. TLS establishment is now discussed as an
- independent subject and is generalized for use with all
- authentication mechanisms and other security layers.
-
- - Removed the implication that the userPassword attribute is the sole
- location for storage of password values to be used in
- authentication. There is no longer any implied requirement for how
- or where passwords are stored at the server for use in
- authentication.
-
-B.2.6. Section 6.3 ("Other authentication choices with TLS")
-
- - See Section B.2.5.
-
-B.2.7. Section 7.1 ("Certificate-based authentication with TLS")
-
- - See Section B.2.5.
-
-
-
-
-
-
-
-
-Harrison Standards Track [Page 31]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-B.2.8. Section 8 ("Other mechanisms")
-
- - All SASL authentication mechanisms are explicitly allowed within
- LDAP. Specifically, this means the SASL ANONYMOUS and SASL PLAIN
- mechanisms are no longer precluded from use within LDAP.
-
-B.2.9. Section 9 ("Authorization Identity")
-
- - Specified matching rules for dnAuthzId and uAuthzId values. In
- particular, the DN value in the dnAuthzId form must be matched
- using DN matching rules, and the uAuthzId value MUST be prepared
- using SASLprep rules before being compared octet-wise.
-
- - Clarified that uAuthzId values should not be assumed to be globally
- unique.
-
-B.2.10. Section 10 ("TLS Ciphersuites")
-
- - TLS ciphersuite recommendations are no longer included in this
- specification. Implementations must now support the
- TLS_RSA_WITH_3DES_EDE_CBC_SHA ciphersuite and should continue to
- support the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite.
-
- - Clarified that anonymous authentication involves a name value of
- zero length and a password value of zero length. The
- unauthenticated authentication mechanism was added to handle simple
- Bind requests involving a name value with a non-zero length and a
- password value of zero length.
-
-B.3. Changes Made to RFC 2830
-
- This section summarizes the substantive changes made to Sections 3
- and 5 of RFC 2830. Readers should consult [RFC4511] for summaries of
- changes to other sections.
-
-B.3.1. Section 3.6 ("Server Identity Check")
-
- - Substantially updated the server identity check algorithm to ensure
- that it is complete and robust. In particular, the use of all
- relevant values in the subjectAltName and the subjectName fields
- are covered by the algorithm and matching rules are specified for
- each type of value. Mapped (derived) forms of the server identity
- may now be used when the mapping is performed in a secure fashion.
-
-
-
-
-
-
-
-
-Harrison Standards Track [Page 32]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-B.3.2. Section 3.7 ("Refresh of Server Capabilities Information")
-
- - Clients are no longer required to always refresh information about
- server capabilities following TLS establishment. This is to allow
- for situations where this information was obtained through a secure
- mechanism.
-
-B.3.3. Section 5 ("Effects of TLS on a Client's Authorization
- Identity")
-
- - Establishing a TLS layer on an LDAP session may now cause the
- authorization state of the LDAP session to change.
-
-B.3.4. Section 5.2 ("TLS Connection Closure Effects")
-
- - Closing a TLS layer on an LDAP session changes the authentication
- and authorization state of the LDAP session based on local policy.
- Specifically, this means that implementations are not required to
- change the authentication and authorization states to anonymous
- upon TLS closure.
-
- - Replaced references to RFC 2401 with RFC 4301.
-
-Author's Address
-
- Roger Harrison
- Novell, Inc.
- 1800 S. Novell Place
- Provo, UT 84606
- USA
-
- Phone: +1 801 861 2642
- EMail: roger_harrison at novell.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Harrison Standards Track [Page 33]
-�
-RFC 4513 LDAP Authentication Methods June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Harrison Standards Track [Page 34]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4514.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4514.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4514.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,843 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga, Ed.
-Request for Comments: 4514 OpenLDAP Foundation
-Obsoletes: 2253 June 2006
-Category: Standards Track
-
-
- Lightweight Directory Access Protocol (LDAP):
- String Representation of Distinguished Names
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- The X.500 Directory uses distinguished names (DNs) as primary keys to
- entries in the directory. This document defines the string
- representation used in the Lightweight Directory Access Protocol
- (LDAP) to transfer distinguished names. The string representation is
- designed to give a clean representation of commonly used
- distinguished names, while being able to represent any distinguished
- name.
-
-1. Background and Intended Usage
-
- In X.500-based directory systems [X.500], including those accessed
- using the Lightweight Directory Access Protocol (LDAP) [RFC4510],
- distinguished names (DNs) are used to unambiguously refer to
- directory entries [X.501][RFC4512].
-
- The structure of a DN [X.501] is described in terms of ASN.1 [X.680].
- In the X.500 Directory Access Protocol [X.511] (and other ITU-defined
- directory protocols), DNs are encoded using the Basic Encoding Rules
- (BER) [X.690]. In LDAP, DNs are represented in the string form
- described in this document.
-
- It is important to have a common format to be able to unambiguously
- represent a distinguished name. The primary goal of this
- specification is ease of encoding and decoding. A secondary goal is
- to have names that are human readable. It is not expected that LDAP
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- implementations with a human user interface would display these
- strings directly to the user, but that they would most likely be
- performing translations (such as expressing attribute type names in
- the local national language).
-
- This document defines the string representation of Distinguished
- Names used in LDAP [RFC4511][RFC4517]. Section 2 details the
- RECOMMENDED algorithm for converting a DN from its ASN.1 structured
- representation to a string. Section 3 details how to convert a DN
- from a string to an ASN.1 structured representation.
-
- While other documents may define other algorithms for converting a DN
- from its ASN.1 structured representation to a string, all algorithms
- MUST produce strings that adhere to the requirements of Section 3.
-
- This document does not define a canonical string representation for
- DNs. Comparison of DNs for equality is to be performed in accordance
- with the distinguishedNameMatch matching rule [RFC4517].
-
- This document is a integral part of the LDAP technical specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification, RFC 3377, in its entirety. This document obsoletes
- RFC 2253. Changes since RFC 2253 are summarized in Appendix B.
-
- This specification assumes familiarity with X.500 [X.500] and the
- concept of Distinguished Name [X.501][RFC4512].
-
-1.1. Conventions
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
- Character names in this document use the notation for code points and
- names from the Unicode Standard [Unicode]. For example, the letter
- "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
-
- Note: a glossary of terms used in Unicode can be found in [Glossary].
- Information on the Unicode character encoding model can be found in
- [CharModel].
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
-2. Converting DistinguishedName from ASN.1 to a String
-
- X.501 [X.501] defines the ASN.1 [X.680] structure of distinguished
- name. The following is a variant provided for discussion purposes.
-
- DistinguishedName ::= RDNSequence
-
- RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-
- RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
- AttributeTypeAndValue
-
- AttributeTypeAndValue ::= SEQUENCE {
- type AttributeType,
- value AttributeValue }
-
- This section defines the RECOMMENDED algorithm for converting a
- distinguished name from an ASN.1-structured representation to a UTF-8
- [RFC3629] encoded Unicode [Unicode] character string representation.
- Other documents may describe other algorithms for converting a
- distinguished name to a string, but only strings that conform to the
- grammar defined in Section 3 SHALL be produced by LDAP
- implementations.
-
-2.1. Converting the RDNSequence
-
- If the RDNSequence is an empty sequence, the result is the empty or
- zero-length string.
-
- Otherwise, the output consists of the string encodings of each
- RelativeDistinguishedName in the RDNSequence (according to Section
- 2.2), starting with the last element of the sequence and moving
- backwards toward the first.
-
- The encodings of adjoining RelativeDistinguishedNames are separated
- by a comma (',' U+002C) character.
-
-2.2. Converting RelativeDistinguishedName
-
- When converting from an ASN.1 RelativeDistinguishedName to a string,
- the output consists of the string encodings of each
- AttributeTypeAndValue (according to Section 2.3), in any order.
-
- Where there is a multi-valued RDN, the outputs from adjoining
- AttributeTypeAndValues are separated by a plus sign ('+' U+002B)
- character.
-
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
-2.3. Converting AttributeTypeAndValue
-
- The AttributeTypeAndValue is encoded as the string representation of
- the AttributeType, followed by an equals sign ('=' U+003D) character,
- followed by the string representation of the AttributeValue. The
- encoding of the AttributeValue is given in Section 2.4.
-
- If the AttributeType is defined to have a short name (descriptor)
- [RFC4512] and that short name is known to be registered [REGISTRY]
- [RFC4520] as identifying the AttributeType, that short name, a
- <descr>, is used. Otherwise the AttributeType is encoded as the
- dotted-decimal encoding, a <numericoid>, of its OBJECT IDENTIFIER.
- The <descr> and <numericoid> are defined in [RFC4512].
-
- Implementations are not expected to dynamically update their
- knowledge of registered short names. However, implementations SHOULD
- provide a mechanism to allow their knowledge of registered short
- names to be updated.
-
-2.4. Converting an AttributeValue from ASN.1 to a String
-
- If the AttributeType is of the dotted-decimal form, the
- AttributeValue is represented by an number sign ('#' U+0023)
- character followed by the hexadecimal encoding of each of the octets
- of the BER encoding of the X.500 AttributeValue. This form is also
- used when the syntax of the AttributeValue does not have an LDAP-
- specific ([RFC4517], Section 3.1) string encoding defined for it, or
- the LDAP-specific string encoding is not restricted to UTF-8-encoded
- Unicode characters. This form may also be used in other cases, such
- as when a reversible string representation is desired (see Section
- 5.2).
-
- Otherwise, if the AttributeValue is of a syntax that has a LDAP-
- specific string encoding, the value is converted first to a UTF-8-
- encoded Unicode string according to its syntax specification (see
- [RFC4517], Section 3.3, for examples). If that UTF-8-encoded Unicode
- string does not have any of the following characters that need
- escaping, then that string can be used as the string representation
- of the value.
-
- - a space (' ' U+0020) or number sign ('#' U+0023) occurring at
- the beginning of the string;
-
- - a space (' ' U+0020) character occurring at the end of the
- string;
-
-
-
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- - one of the characters '"', '+', ',', ';', '<', '>', or '\'
- (U+0022, U+002B, U+002C, U+003B, U+003C, U+003E, or U+005C,
- respectively);
-
- - the null (U+0000) character.
-
- Other characters may be escaped.
-
- Each octet of the character to be escaped is replaced by a backslash
- and two hex digits, which form a single octet in the code of the
- character. Alternatively, if and only if the character to be escaped
- is one of
-
- ' ', '"', '#', '+', ',', ';', '<', '=', '>', or '\'
- (U+0020, U+0022, U+0023, U+002B, U+002C, U+003B,
- U+003C, U+003D, U+003E, U+005C, respectively)
-
- it can be prefixed by a backslash ('\' U+005C).
-
- Examples of the escaping mechanism are shown in Section 4.
-
-3. Parsing a String Back to a Distinguished Name
-
- The string representation of Distinguished Names is restricted to
- UTF-8 [RFC3629] encoded Unicode [Unicode] characters. The structure
- of this string representation is specified using the following
- Augmented BNF [RFC4234] grammar:
-
- distinguishedName = [ relativeDistinguishedName
- *( COMMA relativeDistinguishedName ) ]
- relativeDistinguishedName = attributeTypeAndValue
- *( PLUS attributeTypeAndValue )
- attributeTypeAndValue = attributeType EQUALS attributeValue
- attributeType = descr / numericoid
- attributeValue = string / hexstring
-
- ; The following characters are to be escaped when they appear
- ; in the value to be encoded: ESC, one of <escaped>, leading
- ; SHARP or SPACE, trailing SPACE, and NULL.
- string = [ ( leadchar / pair ) [ *( stringchar / pair )
- ( trailchar / pair ) ] ]
-
- leadchar = LUTF1 / UTFMB
- LUTF1 = %x01-1F / %x21 / %x24-2A / %x2D-3A /
- %x3D / %x3F-5B / %x5D-7F
-
- trailchar = TUTF1 / UTFMB
- TUTF1 = %x01-1F / %x21 / %x23-2A / %x2D-3A /
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- %x3D / %x3F-5B / %x5D-7F
-
- stringchar = SUTF1 / UTFMB
- SUTF1 = %x01-21 / %x23-2A / %x2D-3A /
- %x3D / %x3F-5B / %x5D-7F
-
- pair = ESC ( ESC / special / hexpair )
- special = escaped / SPACE / SHARP / EQUALS
- escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE
- hexstring = SHARP 1*hexpair
- hexpair = HEX HEX
-
- where the productions <descr>, <numericoid>, <COMMA>, <DQUOTE>,
- <EQUALS>, <ESC>, <HEX>, <LANGLE>, <NULL>, <PLUS>, <RANGLE>, <SEMI>,
- <SPACE>, <SHARP>, and <UTFMB> are defined in [RFC4512].
-
- Each <attributeType>, either a <descr> or a <numericoid>, refers to
- an attribute type of an attribute value assertion (AVA). The
- <attributeType> is followed by an <EQUALS> and an <attributeValue>.
- The <attributeValue> is either in <string> or <hexstring> form.
-
- If in <string> form, a LDAP string representation asserted value can
- be obtained by replacing (left to right, non-recursively) each <pair>
- appearing in the <string> as follows:
-
- replace <ESC><ESC> with <ESC>;
- replace <ESC><special> with <special>;
- replace <ESC><hexpair> with the octet indicated by the <hexpair>.
-
- If in <hexstring> form, a BER representation can be obtained from
- converting each <hexpair> of the <hexstring> to the octet indicated
- by the <hexpair>.
-
- There is one or more attribute value assertions, separated by <PLUS>,
- for a relative distinguished name.
-
- There is zero or more relative distinguished names, separated by
- <COMMA>, for a distinguished name.
-
- Implementations MUST recognize AttributeType name strings
- (descriptors) listed in the following table, but MAY recognize other
- name strings.
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- String X.500 AttributeType
- ------ --------------------------------------------
- CN commonName (2.5.4.3)
- L localityName (2.5.4.7)
- ST stateOrProvinceName (2.5.4.8)
- O organizationName (2.5.4.10)
- OU organizationalUnitName (2.5.4.11)
- C countryName (2.5.4.6)
- STREET streetAddress (2.5.4.9)
- DC domainComponent (0.9.2342.19200300.100.1.25)
- UID userId (0.9.2342.19200300.100.1.1)
-
- These attribute types are described in [RFC4519].
-
- Implementations MAY recognize other DN string representations.
- However, as there is no requirement that alternative DN string
- representations be recognized (and, if so, how), implementations
- SHOULD only generate DN strings in accordance with Section 2 of this
- document.
-
-4. Examples
-
- This notation is designed to be convenient for common forms of name.
- This section gives a few examples of distinguished names written
- using this notation. First is a name containing three relative
- distinguished names (RDNs):
-
- UID=jsmith,DC=example,DC=net
-
- Here is an example of a name containing three RDNs, in which the
- first RDN is multi-valued:
-
- OU=Sales+CN=J. Smith,DC=example,DC=net
-
- This example shows the method of escaping of a special characters
- appearing in a common name:
-
- CN=James \"Jim\" Smith\, III,DC=example,DC=net
-
- The following shows the method for encoding a value that contains a
- carriage return character:
-
- CN=Before\0dAfter,DC=example,DC=net
-
- In this RDN example, the type in the RDN is unrecognized, and the
- value is the BER encoding of an OCTET STRING containing two octets,
- 0x48 and 0x69.
-
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- 1.3.6.1.4.1.1466.0=#04024869
-
- Finally, this example shows an RDN whose commonName value consists of
- 5 letters:
-
- Unicode Character Code UTF-8 Escaped
- ------------------------------- ------ ------ --------
- LATIN CAPITAL LETTER L U+004C 0x4C L
- LATIN SMALL LETTER U U+0075 0x75 u
- LATIN SMALL LETTER C WITH CARON U+010D 0xC48D \C4\8D
- LATIN SMALL LETTER I U+0069 0x69 i
- LATIN SMALL LETTER C WITH ACUTE U+0107 0xC487 \C4\87
-
- This could be encoded in printable ASCII [ASCII] (useful for
- debugging purposes) as:
-
- CN=Lu\C4\8Di\C4\87
-
-5. Security Considerations
-
- The following security considerations are specific to the handling of
- distinguished names. LDAP security considerations are discussed in
- [RFC4511] and other documents comprising the LDAP Technical
- Specification [RFC4510].
-
-5.1. Disclosure
-
- Distinguished Names typically consist of descriptive information
- about the entries they name, which can be people, organizations,
- devices, or other real-world objects. This frequently includes some
- of the following kinds of information:
-
- - the common name of the object (i.e., a person's full name)
- - an email or TCP/IP address
- - its physical location (country, locality, city, street address)
- - organizational attributes (such as department name or
- affiliation)
-
- In some cases, such information can be considered sensitive. In many
- countries, privacy laws exist that prohibit disclosure of certain
- kinds of descriptive information (e.g., email addresses). Hence,
- server implementers are encouraged to support Directory Information
- Tree (DIT) structural rules and name forms [RFC4512], as these
- provide a mechanism for administrators to select appropriate naming
- attributes for entries. Administrators are encouraged to use
- mechanisms, access controls, and other administrative controls that
- may be available to restrict use of attributes containing sensitive
- information in naming of entries. Additionally, use of
-
-
-
-Zeilenga Standards Track [Page 8]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- authentication and data security services in LDAP [RFC4513][RFC4511]
- should be considered.
-
-5.2. Use of Distinguished Names in Security Applications
-
- The transformations of an AttributeValue value from its X.501 form to
- an LDAP string representation are not always reversible back to the
- same BER (Basic Encoding Rules) or DER (Distinguished Encoding Rules)
- form. An example of a situation that requires the DER form of a
- distinguished name is the verification of an X.509 certificate.
-
- For example, a distinguished name consisting of one RDN with one AVA,
- in which the type is commonName and the value is of the TeletexString
- choice with the letters 'Sam', would be represented in LDAP as the
- string <CN=Sam>. Another distinguished name in which the value is
- still 'Sam', but is of the PrintableString choice, would have the
- same representation <CN=Sam>.
-
- Applications that require the reconstruction of the DER form of the
- value SHOULD NOT use the string representation of attribute syntaxes
- when converting a distinguished name to the LDAP format. Instead,
- they SHOULD use the hexadecimal form prefixed by the number sign ('#'
- U+0023) as described in the first paragraph of Section 2.4.
-
-6. Acknowledgements
-
- This document is an update to RFC 2253, by Mark Wahl, Tim Howes, and
- Steve Kille. RFC 2253 was a product of the IETF ASID Working Group.
-
- This document is a product of the IETF LDAPBIS Working Group.
-
-7. References
-
-7.1. Normative References
-
- [REGISTRY] IANA, Object Identifier Descriptors Registry,
- <http://www.iana.org/assignments/ldap-parameters>.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version
- 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
- 61633-5), as amended by the "Unicode Standard Annex
- #27: Unicode 3.1"
- (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
-
-
-
-
-Zeilenga Standards Track [Page 9]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- [X.501] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Models," X.501(1993) (also ISO/IEC 9594-
- 2:1994).
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access
- Protocol (LDAP): Authentication Methods and Security
- Mechanisms", RFC 4513, June 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access
- Protocol (LDAP): Schema for User Applications", RFC
- 4519, June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
-
-
-
-
-
-Zeilenga Standards Track [Page 10]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
-7.2. Informative References
-
- [ASCII] Coded Character Set--7-bit American Standard Code for
- Information Interchange, ANSI X3.4-1986.
-
- [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
- #17, Character Encoding Model", UTR17,
- <http://www.unicode.org/unicode/reports/tr17/>, August
- 2000.
-
- [Glossary] The Unicode Consortium, "Unicode Glossary",
- <http://www.unicode.org/glossary/>.
-
- [X.500] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Overview of concepts, models and
- services," X.500(1993) (also ISO/IEC 9594-1:1994).
-
- [X.511] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory: Abstract Service Definition", X.511(1993)
- (also ISO/IEC 9594-3:1993).
-
- [X.690] International Telecommunication Union -
- Telecommunication Standardization Sector,
- "Specification of ASN.1 encoding rules: Basic Encoding
- Rules (BER), Canonical Encoding Rules (CER), and
- Distinguished Encoding Rules (DER)", X.690(1997) (also
- ISO/IEC 8825-1:1998).
-
- [RFC2849] Good, G., "The LDAP Data Interchange Format (LDIF) -
- Technical Specification", RFC 2849, June 2000.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 11]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
-Appendix A. Presentation Issues
-
- This appendix is provided for informational purposes only; it is not
- a normative part of this specification.
-
- The string representation described in this document is not intended
- to be presented to humans without translation. However, at times it
- may be desirable to present non-translated DN strings to users. This
- section discusses presentation issues associated with non-translated
- DN strings. Issues with presentation of translated DN strings are
- not discussed in this appendix. Transcoding issues are also not
- discussed in this appendix.
-
- This appendix provides guidance for applications presenting DN
- strings to users. This section is not comprehensive; it does not
- discuss all presentation issues that implementers may face.
-
- Not all user interfaces are capable of displaying the full set of
- Unicode characters. Some Unicode characters are not displayable.
-
- It is recommended that human interfaces use the optional hex pair
- escaping mechanism (Section 2.3) to produce a string representation
- suitable for display to the user. For example, an application can
- generate a DN string for display that escapes all non-printable
- characters appearing in the AttributeValue's string representation
- (as demonstrated in the final example of Section 4).
-
- When a DN string is displayed in free-form text, it is often
- necessary to distinguish the DN string from surrounding text. While
- this is often done with whitespace (as demonstrated in Section 4), it
- is noted that DN strings may end with whitespace. Careful readers of
- Section 3 will note that the characters '<' (U+003C) and '>' (U+003E)
- may only appear in the DN string if escaped. These characters are
- intended to be used in free-form text to distinguish a DN string from
- surrounding text. For example, <CN=Sam\ > distinguishes the string
- representation of the DN composed of one RDN consisting of the AVA
- (the commonName (CN) value 'Sam ') from the surrounding text. It
- should be noted to the user that the wrapping '<' and '>' characters
- are not part of the DN string.
-
- DN strings can be quite long. It is often desirable to line-wrap
- overly long DN strings in presentations. Line wrapping should be
- done by inserting whitespace after the RDN separator character or, if
- necessary, after the AVA separator character. It should be noted to
- the user that the inserted whitespace is not part of the DN string
- and is to be removed before use in LDAP. For example, the following
- DN string is long:
-
-
-
-
-Zeilenga Standards Track [Page 12]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- CN=Kurt D. Zeilenga,OU=Engineering,L=Redwood Shores,
- O=OpenLDAP Foundation,ST=California,C=US
-
- So it has been line-wrapped for readability. The extra whitespace is
- to be removed before the DN string is used in LDAP.
-
- Inserting whitespace is not advised because it may not be obvious to
- the user which whitespace is part of the DN string and which
- whitespace was added for readability.
-
- Another alternative is to use the LDAP Data Interchange Format (LDIF)
- [RFC2849]. For example:
-
- # This entry has a long DN...
- dn: CN=Kurt D. Zeilenga,OU=Engineering,L=Redwood Shores,
- O=OpenLDAP Foundation,ST=California,C=US
- CN: Kurt D. Zeilenga
- SN: Zeilenga
- objectClass: person
-
-Appendix B. Changes Made since RFC 2253
-
- This appendix is provided for informational purposes only, it is not
- a normative part of this specification.
-
- The following substantive changes were made to RFC 2253:
-
- - Removed IESG Note. The IESG Note has been addressed.
- - Replaced all references to ISO 10646-1 with [Unicode].
- - Clarified (in Section 1) that this document does not define a
- canonical string representation.
- - Clarified that Section 2 describes the RECOMMENDED encoding
- algorithm and that alternative algorithms are allowed. Some
- encoding options described in RFC 2253 are now treated as
- alternative algorithms in this specification.
- - Revised specification (in Section 2) to allow short names of any
- registered attribute type to appear in string representations of
- DNs instead of being restricted to a "published table". Removed
- "as an example" language. Added statement (in Section 3)
- allowing recognition of additional names but require recognition
- of those names in the published table. The table now appears in
- Section 3.
- - Removed specification of additional requirements for LDAPv2
- implementations which also support LDAPv3 (RFC 2253, Section 4)
- as LDAPv2 is now Historic.
- - Allowed recognition of alternative string representations.
- - Updated Section 2.4 to allow hex pair escaping of all characters
- and clarified escaping for when multiple octet UTF-8 encodings
-
-
-
-Zeilenga Standards Track [Page 13]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
- are present. Indicated that null (U+0000) character is to be
- escaped. Indicated that equals sign ('=' U+003D) character may
- be escaped as '\='.
- - Rewrote Section 3 to use ABNF as defined in RFC 4234.
- - Updated the Section 3 ABNF. Changes include:
- + allowed AttributeType short names of length 1 (e.g., 'L'),
- + used more restrictive <oid> production in AttributeTypes,
- + did not require escaping of equals sign ('=' U+003D)
- characters,
- + did not require escaping of non-leading number sign ('#'
- U+0023) characters,
- + allowed space (' ' U+0020) to be escaped as '\ ',
- + required hex escaping of null (U+0000) characters, and
- + removed LDAPv2-only constructs.
- - Updated Section 3 to describe how to parse elements of the
- grammar.
- - Rewrote examples.
- - Added reference to documentations containing general LDAP
- security considerations.
- - Added discussion of presentation issues (Appendix A).
- - Added this appendix.
-
- In addition, numerous editorial changes were made.
-
-Editor's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 14]
-�
-RFC 4514 LDAP: Distinguished Names June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 15]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4515.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4515.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4515.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,675 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Smith, Ed.
-Request for Comments: 4515 Pearl Crescent, LLC
-Obsoletes: 2254 T. Howes
-Category: Standards Track Opsware, Inc.
- June 2006
-
-
- Lightweight Directory Access Protocol (LDAP):
- String Representation of Search Filters
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- Lightweight Directory Access Protocol (LDAP) search filters are
- transmitted in the LDAP protocol using a binary representation that
- is appropriate for use on the network. This document defines a
- human-readable string representation of LDAP search filters that is
- appropriate for use in LDAP URLs (RFC 4516) and in other
- applications.
-
-Table of Contents
-
- 1. Introduction ....................................................2
- 2. LDAP Search Filter Definition ...................................2
- 3. String Search Filter Definition .................................3
- 4. Examples ........................................................5
- 5. Security Considerations .........................................7
- 6. Normative References ............................................7
- 7. Informative References ..........................................8
- 8. Acknowledgements ................................................8
- Appendix A: Changes Since RFC 2254 .................................9
- A.1. Technical Changes ..........................................9
- A.2. Editorial Changes ..........................................9
-
-
-
-
-
-
-
-Smith and Howes Standards Track [Page 1]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
-1. Introduction
-
- The Lightweight Directory Access Protocol (LDAP) [RFC4510] defines a
- network representation of a search filter transmitted to an LDAP
- server. Some applications may find it useful to have a common way of
- representing these search filters in a human-readable form; LDAP URLs
- [RFC4516] are an example of one such application. This document
- defines a human-readable string format for representing the full
- range of possible LDAP version 3 search filters, including extended
- match filters.
-
- This document is a integral part of the LDAP technical specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification, RFC 3377, in its entirety.
-
- This document replaces RFC 2254. Changes to RFC 2254 are summarized
- in Appendix A.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
-2. LDAP Search Filter Definition
-
- An LDAP search filter is defined in Section 4.5.1 of [RFC4511] as
- follows:
-
- Filter ::= CHOICE {
- and [0] SET SIZE (1..MAX) OF filter Filter,
- or [1] SET SIZE (1..MAX) OF filter Filter,
- not [2] Filter,
- equalityMatch [3] AttributeValueAssertion,
- substrings [4] SubstringFilter,
- greaterOrEqual [5] AttributeValueAssertion,
- lessOrEqual [6] AttributeValueAssertion,
- present [7] AttributeDescription,
- approxMatch [8] AttributeValueAssertion,
- extensibleMatch [9] MatchingRuleAssertion }
-
- SubstringFilter ::= SEQUENCE {
- type AttributeDescription,
- -- initial and final can occur at most once
- substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE {
- initial [0] AssertionValue,
- any [1] AssertionValue,
- final [2] AssertionValue } }
-
-
-
-
-
-Smith and Howes Standards Track [Page 2]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
- AttributeValueAssertion ::= SEQUENCE {
- attributeDesc AttributeDescription,
- assertionValue AssertionValue }
-
- MatchingRuleAssertion ::= SEQUENCE {
- matchingRule [1] MatchingRuleId OPTIONAL,
- type [2] AttributeDescription OPTIONAL,
- matchValue [3] AssertionValue,
- dnAttributes [4] BOOLEAN DEFAULT FALSE }
-
- AttributeDescription ::= LDAPString
- -- Constrained to <attributedescription>
- -- [RFC4512]
-
- AttributeValue ::= OCTET STRING
-
- MatchingRuleId ::= LDAPString
-
- AssertionValue ::= OCTET STRING
-
- LDAPString ::= OCTET STRING -- UTF-8 encoded,
- -- [Unicode] characters
-
- The AttributeDescription, as defined in [RFC4511], is a string
- representation of the attribute description that is discussed in
- [RFC4512]. The AttributeValue and AssertionValue OCTET STRING have
- the form defined in [RFC4517]. The Filter is encoded for
- transmission over a network using the Basic Encoding Rules (BER)
- defined in [X.690], with simplifications described in [RFC4511].
-
-3. String Search Filter Definition
-
- The string representation of an LDAP search filter is a string of
- UTF-8 [RFC3629] encoded Unicode characters [Unicode] that is defined
- by the following grammar, following the ABNF notation defined in
- [RFC4234]. The productions used that are not defined here are
- defined in Section 1.4 (Common ABNF Productions) of [RFC4512] unless
- otherwise noted. The filter format uses a prefix notation.
-
- filter = LPAREN filtercomp RPAREN
- filtercomp = and / or / not / item
- and = AMPERSAND filterlist
- or = VERTBAR filterlist
- not = EXCLAMATION filter
- filterlist = 1*filter
- item = simple / present / substring / extensible
- simple = attr filtertype assertionvalue
- filtertype = equal / approx / greaterorequal / lessorequal
-
-
-
-Smith and Howes Standards Track [Page 3]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
- equal = EQUALS
- approx = TILDE EQUALS
- greaterorequal = RANGLE EQUALS
- lessorequal = LANGLE EQUALS
- extensible = ( attr [dnattrs]
- [matchingrule] COLON EQUALS assertionvalue )
- / ( [dnattrs]
- matchingrule COLON EQUALS assertionvalue )
- present = attr EQUALS ASTERISK
- substring = attr EQUALS [initial] any [final]
- initial = assertionvalue
- any = ASTERISK *(assertionvalue ASTERISK)
- final = assertionvalue
- attr = attributedescription
- ; The attributedescription rule is defined in
- ; Section 2.5 of [RFC4512].
- dnattrs = COLON "dn"
- matchingrule = COLON oid
- assertionvalue = valueencoding
- ; The <valueencoding> rule is used to encode an <AssertionValue>
- ; from Section 4.1.6 of [RFC4511].
- valueencoding = 0*(normal / escaped)
- normal = UTF1SUBSET / UTFMB
- escaped = ESC HEX HEX
- UTF1SUBSET = %x01-27 / %x2B-5B / %x5D-7F
- ; UTF1SUBSET excludes 0x00 (NUL), LPAREN,
- ; RPAREN, ASTERISK, and ESC.
- EXCLAMATION = %x21 ; exclamation mark ("!")
- AMPERSAND = %x26 ; ampersand (or AND symbol) ("&")
- ASTERISK = %x2A ; asterisk ("*")
- COLON = %x3A ; colon (":")
- VERTBAR = %x7C ; vertical bar (or pipe) ("|")
- TILDE = %x7E ; tilde ("~")
-
- Note that although both the <substring> and <present> productions in
- the grammar above can produce the "attr=*" construct, this construct
- is used only to denote a presence filter.
-
- The <valueencoding> rule ensures that the entire filter string is a
- valid UTF-8 string and provides that the octets that represent the
- ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
- 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
- backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
- representing the value of the encoded octet.
-
-
-
-
-
-
-
-Smith and Howes Standards Track [Page 4]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
- This simple escaping mechanism eliminates filter-parsing ambiguities
- and allows any filter that can be represented in LDAP to be
- represented as a NUL-terminated string. Other octets that are part
- of the <normal> set may be escaped using this mechanism, for example,
- non-printing ASCII characters.
-
- For AssertionValues that contain UTF-8 character data, each octet of
- the character to be escaped is replaced by a backslash and two hex
- digits, which form a single octet in the code of the character. For
- example, the filter checking whether the "cn" attribute contained a
- value with the character "*" anywhere in it would be represented as
- "(cn=*\2a*)".
-
- As indicated by the <valueencoding> rule, implementations MUST escape
- all octets greater than 0x7F that are not part of a valid UTF-8
- encoding sequence when they generate a string representation of a
- search filter. Implementations SHOULD accept as input strings that
- are not valid UTF-8 strings. This is necessary because RFC 2254 did
- not clearly define the term "string representation" (and in
- particular did not mention that the string representation of an LDAP
- search filter is a string of UTF-8-encoded Unicode characters).
-
-4. Examples
-
- This section gives a few examples of search filters written using
- this notation.
-
- (cn=Babs Jensen)
- (!(cn=Tim Howes))
- (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
- (o=univ*of*mich*)
- (seeAlso=)
-
- The following examples illustrate the use of extensible matching.
-
- (cn:caseExactMatch:=Fred Flintstone)
- (cn:=Betty Rubble)
- (sn:dn:2.4.6.8.10:=Barney Rubble)
- (o:dn:=Ace Industry)
- (:1.2.3:=Wilma Flintstone)
- (:DN:2.4.6.8.10:=Dino)
-
- The first example shows use of the matching rule "caseExactMatch."
-
- The second example demonstrates use of a MatchingRuleAssertion form
- without a matchingRule.
-
-
-
-
-
-Smith and Howes Standards Track [Page 5]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
- The third example illustrates the use of the ":oid" notation to
- indicate that the matching rule identified by the OID "2.4.6.8.10"
- should be used when making comparisons, and that the attributes of an
- entry's distinguished name should be considered part of the entry
- when evaluating the match (indicated by the use of ":dn").
-
- The fourth example denotes an equality match, except that DN
- components should be considered part of the entry when doing the
- match.
-
- The fifth example is a filter that should be applied to any attribute
- supporting the matching rule given (since the <attr> has been
- omitted).
-
- The sixth and final example is also a filter that should be applied
- to any attribute supporting the matching rule given. Attributes
- supporting the matching rule contained in the DN should also be
- considered.
-
- The following examples illustrate the use of the escaping mechanism.
-
- (o=Parens R Us \28for all your parenthetical needs\29)
- (cn=*\2A*)
- (filename=C:\5cMyFile)
- (bin=\00\00\00\04)
- (sn=Lu\c4\8di\c4\87)
- (1.3.6.1.4.1.1466.0=\04\02\48\69)
-
- The first example shows the use of the escaping mechanism to
- represent parenthesis characters. The second shows how to represent
- a "*" in an assertion value, preventing it from being interpreted as
- a substring indicator. The third illustrates the escaping of the
- backslash character.
-
- The fourth example shows a filter searching for the four-octet value
- 00 00 00 04 (hex), illustrating the use of the escaping mechanism to
- represent arbitrary data, including NUL characters.
-
- The fifth example illustrates the use of the escaping mechanism to
- represent various non-ASCII UTF-8 characters. Specifically, there
- are 5 characters in the <assertionvalue> portion of this example:
- LATIN CAPITAL LETTER L (U+004C), LATIN SMALL LETTER U (U+0075), LATIN
- SMALL LETTER C WITH CARON (U+010D), LATIN SMALL LETTER I (U+0069),
- and LATIN SMALL LETTER C WITH ACUTE (U+0107).
-
- The sixth and final example demonstrates assertion of a BER-encoded
- value.
-
-
-
-
-Smith and Howes Standards Track [Page 6]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
-5. Security Considerations
-
- This memo describes a string representation of LDAP search filters.
- While the representation itself has no known security implications,
- LDAP search filters do. They are interpreted by LDAP servers to
- select entries from which data is retrieved. LDAP servers should
- take care to protect the data they maintain from unauthorized access.
-
- Please refer to the Security Considerations sections of [RFC4511] and
- [RFC4513] for more information.
-
-6. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
- (LDAP): Authentication Methods and Security Mechanisms",
- RFC 4513, June 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version 3.0"
- (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
- as amended by the "Unicode Standard Annex #27: Unicode
- 3.1" (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2."
-
-
-
-
-Smith and Howes Standards Track [Page 7]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
-7. Informative References
-
- [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): Uniform Resource Locator", RFC
- 4516, June 2006.
-
- [X.690] Specification of ASN.1 encoding rules: Basic, Canonical,
- and Distinguished Encoding Rules, ITU-T Recommendation
- X.690, 1994.
-
-8. Acknowledgements
-
- This document replaces RFC 2254 by Tim Howes. RFC 2254 was a product
- of the IETF ASID Working Group.
-
- Changes included in this revised specification are based upon
- discussions among the authors, discussions within the LDAP (v3)
- Revision Working Group (ldapbis), and discussions within other IETF
- Working Groups. The contributions of individuals in these working
- groups is gratefully acknowledged.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Smith and Howes Standards Track [Page 8]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
-Appendix A: Changes Since RFC 2254
-
-A.1. Technical Changes
-
- Replaced [ISO 10646] reference with [Unicode].
-
- The following technical changes were made to the contents of the
- "String Search Filter Definition" section:
-
- Added statement that the string representation is a string of UTF-8-
- encoded Unicode characters.
-
- Revised all of the ABNF to use common productions from [RFC4512].
-
- Replaced the "value" rule with a new "assertionvalue" rule within the
- "simple", "extensible", and "substring" ("initial", "any", and
- "final") rules. This matches a change made in [RFC4517].
-
- Added "(" and ")" around the components of the <extensible>
- subproductions for clarity.
-
- Revised the "attr", "matchingrule", and "assertionvalue" ABNF to more
- precisely reference productions from the [RFC4512] and [RFC4511]
- documents.
-
- "String Search Filter Definition" section: replaced "greater" and
- "less" with "greaterorequal" and "lessorequal" to avoid confusion.
-
- Introduced the "valueencoding" and associated "normal" and "escaped"
- rules to reduce the dependence on descriptive text. The "normal"
- production restricts filter strings to valid UTF-8 sequences.
-
- Added a statement about expected behavior in light of RFC 2254's lack
- of a clear definition of "string representation."
-
-A.2. Editorial Changes
-
- Changed document title to include "LDAP:" prefix.
-
- IESG Note: removed note about lack of satisfactory mandatory
- authentication mechanisms.
-
- Header and "Authors' Addresses" sections: added Mark Smith as the
- document editor and updated affiliation and contact information.
-
- "Table of Contents" and "Intellectual Property" sections: added.
-
- Copyright: updated per latest IETF guidelines.
-
-
-
-Smith and Howes Standards Track [Page 9]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
- "Abstract" section: separated from introductory material.
-
- "Introduction" section: new section; separated from the Abstract.
- Updated second paragraph to indicate that RFC 2254 is replaced by
- this document (instead of RFC 1960). Added reference to the
- [RFC4510] document.
-
- "LDAP Search Filter Definition" section: made corrections to the LDAP
- search filter ABNF so it matches that used in [RFC4511].
-
- Clarified the definition of 'value' (now 'assertionvalue') to take
- into account the fact that it is not precisely an AttributeAssertion
- from [RFC4511] Section 4.1.6 (special handling is required for some
- characters). Added a note that each octet of a character to be
- escaped is replaced by a backslash and two hex digits, which
- represent a single octet.
-
- "Examples" section: added four additional examples: (seeAlso=),
- (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), and
- (1.3.6.1.4.1.1466.0=\04\02\48\69). Replaced one occurrence of "a
- value" with "an assertion value". Corrected the description of this
- example: (sn:dn:2.4.6.8.10:=Barney Rubble). Replaced the numeric OID
- in the first extensible match example with "caseExactMatch" to
- demonstrate use of the descriptive form. Used "DN" (uppercase) in
- the last extensible match example to remind the reader to treat the
- <dnattrs> production as case insensitive. Reworded the description
- of the fourth escaping mechanism example to avoid making assumptions
- about byte order. Added text to the fifth escaping mechanism example
- to spell out what the non-ASCII characters are in Unicode terms.
-
- "Security Considerations" section: added references to [RFC4511] and
- [RFC4513].
-
- "Normative References" section: renamed from "References" per new RFC
- guidelines. Changed from [1] style to [RFC4511] style throughout the
- document. Added entries for [Unicode], [RFC2119], [RFC4513],
- [RFC4512], and [RFC4510] and updated the UTF-8 reference. Replaced
- RFC 822 reference with a reference to RFC 4234.
-
- "Informative References" section: (new section) moved [X.690] to this
- section. Added a reference to [RFC4516].
-
- "Acknowledgements" section: added.
-
- "Appendix A: Changes Since RFC 2254" section: added.
-
- Surrounded the names of all ABNF productions with "<" and ">" where
- they are used in descriptive text.
-
-
-
-Smith and Howes Standards Track [Page 10]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
- Replaced all occurrences of "LDAPv3" with "LDAP."
-
-Authors' Addresses
-
- Mark Smith, Editor
- Pearl Crescent, LLC
- 447 Marlpool Dr.
- Saline, MI 48176
- USA
-
- Phone: +1 734 944-2856
- EMail: mcs at pearlcrescent.com
-
-
- Tim Howes
- Opsware, Inc.
- 599 N. Mathilda Ave.
- Sunnyvale, CA 94085
- USA
-
- Phone: +1 408 744-7509
- EMail: howes at opsware.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Smith and Howes Standards Track [Page 11]
-�
-RFC 4515 LDAP: String Representation of Search Filters June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Smith and Howes Standards Track [Page 12]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4516.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4516.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4516.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,843 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Smith, Ed.
-Request for Comments: 4516 Pearl Crescent, LLC
-Obsoletes: 2255 T. Howes
-Category: Standards Track Opsware, Inc.
- June 2006
-
-
- Lightweight Directory Access Protocol (LDAP):
- Uniform Resource Locator
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes a format for a Lightweight Directory Access
- Protocol (LDAP) Uniform Resource Locator (URL). An LDAP URL
- describes an LDAP search operation that is used to retrieve
- information from an LDAP directory, or, in the context of an LDAP
- referral or reference, an LDAP URL describes a service where an LDAP
- operation may be progressed.
-
-Table of Contents
-
- 1. Introduction ....................................................2
- 2. URL Definition ..................................................2
- 2.1. Percent-Encoding ...........................................4
- 3. Defaults for Fields of the LDAP URL .............................5
- 4. Examples ........................................................6
- 5. Security Considerations .........................................8
- 6. Normative References ............................................9
- 7. Informative References .........................................10
- 8. Acknowledgements ...............................................10
- Appendix A: Changes Since RFC 2255 ................................11
- A.1. Technical Changes .........................................11
- A.2. Editorial Changes .........................................11
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 1]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
-1. Introduction
-
- LDAP is the Lightweight Directory Access Protocol [RFC4510]. This
- document specifies the LDAP URL format for version 3 of LDAP and
- clarifies how LDAP URLs are resolved. This document also defines an
- extension mechanism for LDAP URLs. This mechanism may be used to
- provide access to new LDAP extensions.
-
- Note that not all the parameters of the LDAP search operation
- described in [RFC4511] can be expressed using the format defined in
- this document. Note also that URLs may be used to represent
- reference knowledge, including that for non-search operations.
-
- This document is an integral part of the LDAP technical specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification, RFC 3377, in its entirety.
-
- This document replaces RFC 2255. See Appendix A for a list of
- changes relative to RFC 2255.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
-2. URL Definition
-
- An LDAP URL begins with the protocol prefix "ldap" and is defined by
- the following grammar, following the ABNF notation defined in
- [RFC4234].
-
- ldapurl = scheme COLON SLASH SLASH [host [COLON port]]
- [SLASH dn [QUESTION [attributes]
- [QUESTION [scope] [QUESTION [filter]
- [QUESTION extensions]]]]]
- ; <host> and <port> are defined
- ; in Sections 3.2.2 and 3.2.3
- ; of [RFC3986].
- ; <filter> is from Section 3 of
- ; [RFC4515], subject to the
- ; provisions of the
- ; "Percent-Encoding" section
- ; below.
-
- scheme = "ldap"
-
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 2]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
- dn = distinguishedName ; From Section 3 of [RFC4514],
- ; subject to the provisions of
- ; the "Percent-Encoding"
- ; section below.
-
- attributes = attrdesc *(COMMA attrdesc)
- attrdesc = selector *(COMMA selector)
- selector = attributeSelector ; From Section 4.5.1 of
- ; [RFC4511], subject to the
- ; provisions of the
- ; "Percent-Encoding" section
- ; below.
-
- scope = "base" / "one" / "sub"
- extensions = extension *(COMMA extension)
- extension = [EXCLAMATION] extype [EQUALS exvalue]
- extype = oid ; From section 1.4 of [RFC4512].
-
- exvalue = LDAPString ; From section 4.1.2 of
- ; [RFC4511], subject to the
- ; provisions of the
- ; "Percent-Encoding" section
- ; below.
-
- EXCLAMATION = %x21 ; exclamation mark ("!")
- SLASH = %x2F ; forward slash ("/")
- COLON = %x3A ; colon (":")
- QUESTION = %x3F ; question mark ("?")
-
- The "ldap" prefix indicates an entry or entries accessible from the
- LDAP server running on the given hostname at the given portnumber.
- Note that the <host> may contain literal IPv6 addresses as specified
- in Section 3.2.2 of [RFC3986].
-
- The <dn> is an LDAP Distinguished Name using the string format
- described in [RFC4514]. It identifies the base object of the LDAP
- search or the target of a non-search operation.
-
- The <attributes> construct is used to indicate which attributes
- should be returned from the entry or entries.
-
- The <scope> construct is used to specify the scope of the search to
- perform in the given LDAP server. The allowable scopes are "base"
- for a base object search, "one" for a one-level search, or "sub" for
- a subtree search.
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 3]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
- The <filter> is used to specify the search filter to apply to entries
- within the specified scope during the search. It has the format
- specified in [RFC4515].
-
- The <extensions> construct provides the LDAP URL with an
- extensibility mechanism, allowing the capabilities of the URL to be
- extended in the future. Extensions are a simple comma-separated list
- of type=value pairs, where the =value portion MAY be omitted for
- options not requiring it. Each type=value pair is a separate
- extension. These LDAP URL extensions are not necessarily related to
- any of the LDAP extension mechanisms. Extensions may be supported or
- unsupported by the client resolving the URL. An extension prefixed
- with a '!' character (ASCII 0x21) is critical. An extension not
- prefixed with a '!' character is non-critical.
-
- If an LDAP URL extension is implemented (that is, if the
- implementation understands it and is able to use it), the
- implementation MUST make use of it. If an extension is not
- implemented and is marked critical, the implementation MUST NOT
- process the URL. If an extension is not implemented and is not
- marked critical, the implementation MUST ignore the extension.
-
- The extension type (<extype>) MAY be specified using the numeric OID
- <numericoid> form (e.g., 1.2.3.4) or the descriptor <descr> form
- (e.g., myLDAPURLExtension). Use of the <descr> form SHOULD be
- restricted to registered object identifier descriptive names. See
- [RFC4520] for registration details and usage guidelines for
- descriptive names.
-
- No LDAP URL extensions are defined in this document. Other documents
- or a future version of this document MAY define one or more
- extensions.
-
-2.1. Percent-Encoding
-
- A generated LDAP URL MUST consist only of the restricted set of
- characters included in one of the following three productions defined
- in [RFC3986]:
-
- <reserved>
- <unreserved>
- <pct-encoded>
-
- Implementations SHOULD accept other valid UTF-8 strings [RFC3629] as
- input. An octet MUST be encoded using the percent-encoding mechanism
- described in section 2.1 of [RFC3986] in any of these situations:
-
-
-
-
-
-Smith & Howes Standards Track [Page 4]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
- The octet is not in the reserved set defined in section 2.2 of
- [RFC3986] or in the unreserved set defined in section 2.3 of
- [RFC3986].
-
- It is the single Reserved character '?' and occurs inside a <dn>,
- <filter>, or other element of an LDAP URL.
-
- It is a comma character ',' that occurs inside an <exvalue>.
-
- Note that before the percent-encoding mechanism is applied, the
- extensions component of the LDAP URL may contain one or more null
- (zero) bytes. No other component may.
-
-3. Defaults for Fields of the LDAP URL
-
- Some fields of the LDAP URL are optional, as described above. In the
- absence of any other specification, the following general defaults
- SHOULD be used when a field is absent. Note that other documents MAY
- specify different defaulting rules; for example, section 4.1.10 of
- [RFC4511] specifies a different rule for determining the correct DN
- to use when it is absent in an LDAP URL that is returned as a
- referral.
-
- <host>
- If no <host> is given, the client must have some a priori
- knowledge of an appropriate LDAP server to contact.
-
- <port>
- The default LDAP port is TCP port 389.
-
- <dn>
- If no <dn> is given, the default is the zero-length DN, "".
-
- <attributes>
- If the <attributes> part is omitted, all user attributes of the
- entry or entries should be requested (e.g., by setting the
- attributes field AttributeDescriptionList in the LDAP search
- request to a NULL list, or by using the special <alluserattrs>
- selector "*").
-
- <scope>
- If <scope> is omitted, a <scope> of "base" is assumed.
-
- <filter>
- If <filter> is omitted, a filter of "(objectClass=*)" is assumed.
-
- <extensions>
- If <extensions> is omitted, no extensions are assumed.
-
-
-
-Smith & Howes Standards Track [Page 5]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
-4. Examples
-
- The following are some example LDAP URLs that use the format defined
- above. The first example is an LDAP URL referring to the University
- of Michigan entry, available from an LDAP server of the client's
- choosing:
-
- ldap:///o=University%20of%20Michigan,c=US
-
- The next example is an LDAP URL referring to the University of
- Michigan entry in a particular ldap server:
-
- ldap://ldap1.example.net/o=University%20of%20Michigan,c=US
-
- Both of these URLs correspond to a base object search of the
- "o=University of Michigan,c=US" entry using a filter of
- "(objectclass=*)", requesting all attributes.
-
- The next example is an LDAP URL referring to only the postalAddress
- attribute of the University of Michigan entry:
-
- ldap://ldap1.example.net/o=University%20of%20Michigan,
- c=US?postalAddress
-
- The corresponding LDAP search operation is the same as in the
- previous example, except that only the postalAddress attribute is
- requested.
-
- The next example is an LDAP URL referring to the set of entries found
- by querying the given LDAP server on port 6666 and doing a subtree
- search of the University of Michigan for any entry with a common name
- of "Babs Jensen", retrieving all attributes:
-
- ldap://ldap1.example.net:6666/o=University%20of%20Michigan,
- c=US??sub?(cn=Babs%20Jensen)
-
- The next example is an LDAP URL referring to all children of the c=GB
- entry:
-
- LDAP://ldap1.example.com/c=GB?objectClass?ONE
-
- The objectClass attribute is requested to be returned along with the
- entries, and the default filter of "(objectclass=*)" is used.
-
- The next example is an LDAP URL to retrieve the mail attribute for
- the LDAP entry named "o=Question?,c=US", illustrating the use of the
- percent-encoding mechanism on the reserved character '?'.
-
-
-
-
-Smith & Howes Standards Track [Page 6]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
- ldap://ldap2.example.com/o=Question%3f,c=US?mail
-
- The next example (which is broken into two lines for readability)
- illustrates the interaction between the LDAP string representation of
- the filters-quoting mechanism and the URL-quoting mechanisms.
-
- ldap://ldap3.example.com/o=Babsco,c=US
- ???(four-octet=%5c00%5c00%5c00%5c04)
-
- The filter in this example uses the LDAP escaping mechanism of \ to
- encode three zero or null bytes in the value. In LDAP, the filter
- would be written as (four-octet=\00\00\00\04). Because the \
- character must be escaped in a URL, the \s are percent-encoded as %5c
- (or %5C) in the URL encoding.
-
- The next example illustrates the interaction between the LDAP string
- representation of the DNs-quoting mechanism and URL-quoting
- mechanisms.
-
- ldap://ldap.example.com/o=An%20Example%5C2C%20Inc.,c=US
-
- The DN encoded in the above URL is:
-
- o=An Example\2C Inc.,c=US
-
- That is, the left-most RDN value is:
-
- An Example, Inc.
-
- The following three URLs are equivalent, assuming that the defaulting
- rules specified in Section 3 of this document are used:
-
- ldap://ldap.example.net
- ldap://ldap.example.net/
- ldap://ldap.example.net/?
-
- These three URLs point to the root DSE on the ldap.example.net
- server.
-
- The final two examples show use of a hypothetical, experimental bind
- name extension (the value associated with the extension is an LDAP
- DN).
-
- ldap:///??sub??e-bindname=cn=Manager%2cdc=example%2cdc=com
- ldap:///??sub??!e-bindname=cn=Manager%2cdc=example%2cdc=com
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 7]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
- The two URLs are the same, except that the second one marks the
- e-bindname extension as critical. Notice the use of the percent-
- encoding mechanism to encode the commas within the distinguished name
- value in the e-bindname extension.
-
-5. Security Considerations
-
- The general URL security considerations discussed in [RFC3986] are
- relevant for LDAP URLs.
-
- The use of security mechanisms when processing LDAP URLs requires
- particular care, since clients may encounter many different servers
- via URLs, and since URLs are likely to be processed automatically,
- without user intervention. A client SHOULD have a user-configurable
- policy that controls which servers the client will establish LDAP
- sessions with and with which security mechanisms, and SHOULD NOT
- establish LDAP sessions that are inconsistent with this policy. If a
- client chooses to reuse an existing LDAP session when resolving one
- or more LDAP URLs, it MUST ensure that the session is compatible with
- the URL and that no security policies are violated.
-
- Sending authentication information, no matter the mechanism, may
- violate a user's privacy requirements. In the absence of specific
- policy permitting authentication information to be sent to a server,
- a client should use an anonymous LDAP session. (Note that clients
- conforming to previous LDAP URL specifications, where all LDAP
- sessions are anonymous and unprotected, are consistent with this
- specification; they simply have the default security policy.) Simply
- opening a transport connection to another server may violate some
- users' privacy requirements, so clients should provide the user with
- a way to control URL processing.
-
- Some authentication methods, in particular, reusable passwords sent
- to the server, may reveal easily-abused information to the remote
- server or to eavesdroppers in transit and should not be used in URL
- processing unless they are explicitly permitted by policy.
- Confirmation by the human user of the use of authentication
- information is appropriate in many circumstances. Use of strong
- authentication methods that do not reveal sensitive information is
- much preferred. If the URL represents a referral for an update
- operation, strong authentication methods SHOULD be used. Please
- refer to the Security Considerations section of [RFC4513] for more
- information.
-
- The LDAP URL format allows the specification of an arbitrary LDAP
- search operation to be performed when evaluating the LDAP URL.
- Following an LDAP URL may cause unexpected results, for example, the
- retrieval of large amounts of data or the initiation of a long-lived
-
-
-
-Smith & Howes Standards Track [Page 8]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
- search. The security implications of resolving an LDAP URL are the
- same as those of resolving an LDAP search query.
-
-6. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
- Resource Identifier (URI): Generic Syntax", STD 66, RFC
- 3986, January 2005.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
- (LDAP): Authentication Methods and Security Mechanisms",
- RFC 4513, June 2006.
-
- [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): String Representation of Distinguished Names", RFC
- 4514, June 2006.
-
- [RFC4515] Smith, M. Ed. and T. Howes, "Lightweight Directory Access
- Protocol (LDAP): String Representation of Search Filters",
- RFC 4515, June 2006.
-
-
-
-
-
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 9]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
-7. Informative References
-
- [RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
- Resource Identifiers (URI): Generic Syntax", RFC 2396,
- August 1998.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
- Considerations for the Lightweight Directory Access
- Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
-8. Acknowledgements
-
- The LDAP URL format was originally defined at the University of
- Michigan. This material is based upon work supported by the National
- Science Foundation under Grant No. NCR-9416667. The support of both
- the University of Michigan and the National Science Foundation is
- gratefully acknowledged.
-
- This document obsoletes RFC 2255 by Tim Howes and Mark Smith.
- Changes included in this revised specification are based upon
- discussions among the authors, discussions within the LDAP (v3)
- Revision Working Group (ldapbis), and discussions within other IETF
- Working Groups. The contributions of individuals in these working
- groups is gratefully acknowledged. Several people in particular have
- made valuable comments on this document: RL "Bob" Morgan, Mark Wahl,
- Kurt Zeilenga, Jim Sermersheim, and Hallvard Furuseth deserve special
- thanks for their contributions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 10]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
-Appendix A: Changes Since RFC 2255
-
-A.1. Technical Changes
-
- The following technical changes were made to the contents of the "URL
- Definition" section:
-
- Revised all of the ABNF to use common productions from [RFC4512].
-
- Replaced references to [RFC2396] with a reference to [RFC3986] (this
- allows literal IPv6 addresses to be used inside the <host> portion of
- the URL, and a note was added to remind the reader of this
- enhancement). Referencing [RFC3986] required changes to the ABNF and
- text so that productions that are no longer defined by [RFC3986] are
- not used. For example, <hostport> is not defined by [RFC3986] so it
- has been replaced with host [COLON port]. Note that [RFC3986]
- includes new definitions for the "Reserved" and "Unreserved" sets of
- characters, and the net result is that the following two additional
- characters should be percent-encoded when they appear anywhere in the
- data used to construct an LDAP URL: "[" and "]" (these two characters
- were first added to the Reserved set by RFC 2732).
-
- Changed the definition of <attrdesc> to refer to <attributeSelector>
- from [RFC4511]. This allows the use of "*" in the <attrdesc> part of
- the URL. It is believed that existing implementations of RFC 2255
- already support this.
-
- Avoided use of <prose-val> (bracketed-string) productions in the
- <dn>, <host>, <attrdesc>, and <exvalue> rules.
-
- Changed the ABNF for <ldapurl> to group the <dn> component with the
- preceding <SLASH>.
-
- Changed the <extype> rule to be an <oid> from [RFC4512].
-
- Changed the text about extension types so it references [RFC4520].
- Reordered rules to more closely follow the order in which the
- elements appear in the URL.
-
- "Bindname Extension": removed due to lack of known implementations.
-
-A.2. Editorial Changes
-
- Changed document title to include "LDAP:" prefix.
-
- IESG Note: removed note about lack of satisfactory mandatory
- authentication mechanisms.
-
-
-
-
-Smith & Howes Standards Track [Page 11]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
- "Status of this Memo" section: updated boilerplate to match current
- I-D guidelines.
-
- "Abstract" section: separated from introductory material.
-
- "Table of Contents" and "Intellectual Property" sections: added.
-
- "Introduction" section: new section; separated from the Abstract.
- Changed the text indicate that RFC 2255 is replaced by this document
- (instead of RFC 1959). Added text to indicate that LDAP URLs are
- used for references and referrals. Fixed typo (replaced the nonsense
- phrase "to perform to retrieve" with "used to retrieve"). Added a
- note to let the reader know that not all of the parameters of the
- LDAP search operation described in [RFC4511] can be expressed using
- this format.
-
- "URL Definition" section: removed second copy of <ldapurl> grammar
- and following two paragraphs (editorial error in RFC 2255). Fixed
- line break within '!' sequence. Reformatted the ABNF to improve
- readability by aligning comments and adding some blank lines.
- Replaced "residing in the LDAP server" with "accessible from the LDAP
- server" in the sentence immediately following the ABNF. Removed the
- sentence "Individual attrdesc names are as defined for
- AttributeDescription in [RFC4511]." because [RFC4511]'s
- <attributeSelector> is now used directly in the ABNF. Reworded last
- paragraph to clarify which characters must be percent-encoded. Added
- text to indicate that LDAP URLs are used for references and
- referrals. Added text that refers to the ABNF from RFC 4234.
- Clarified and strengthened the requirements with respect to
- processing of URLs that contain implemented and not implemented
- extensions (the approach now closely matches that specified in
- [RFC4511] for LDAP controls).
-
- "Defaults for Fields of the LDAP URL" section: added; formed by
- moving text about defaults out of the "URL Definition" section.
- Replaced direct reference to the attribute name "*" with a reference
- to the special <alluserattrs> selector "*" defined in [RFC4511].
-
- "URL Processing" section: removed.
-
- "Examples" section: Modified examples to use example.com and
- example.net hostnames. Added missing '?' to the LDAP URL example
- whose filter contains three null bytes. Removed space after one
- comma within a DN. Revised the bindname example to use e-bindname.
- Changed the name of an attribute used in one example from "int" to
- "four-octet" to avoid potential confusion. Added an example that
- demonstrates the interaction between DN escaping and URL percent-
- encoding. Added some examples to show URL equivalence with respect
-
-
-
-Smith & Howes Standards Track [Page 12]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
- to the <dn> portion of the URL. Used uppercase in some examples to
- remind the reader that some tokens are case-insensitive.
-
- "Security Considerations" section: Added a note about connection
- reuse. Added a note about using strong authentication methods for
- updates. Added a reference to [RFC4513]. Added note that simply
- opening a connection may violate some users' privacy requirements.
- Adopted the working group's revised LDAP terminology specification by
- replacing the word "connection" with "LDAP session" or "LDAP
- connection" as appropriate.
-
- "Acknowledgements" section: added statement that this document
- obsoletes RFC 2255. Added Kurt Zeilenga, Jim Sermersheim, and
- Hallvard Furuseth.
-
- "Normative References" section: renamed from "References" per new RFC
- guidelines. Changed from [1] style to [RFC4511] style throughout the
- document. Added references to RFC 4234 and RFC 3629. Updated all
- RFC 1738 references to point to the appropriate sections within
- [RFC3986]. Updated the LDAP references to refer to LDAPBis WG
- documents. Removed the reference to the LDAP Attribute Syntaxes
- document and added references to the [RFC4513], [RFC4520], and
- [RFC4510] documents.
-
- "Informative References" section: added.
-
- Header and "Authors' Addresses" sections: added "editor" next to Mark
- Smith's name. Updated affiliation and contact information.
-
- Copyright: updated the year.
-
- Throughout the document: surrounded the names of all ABNF productions
- with "<" and ">" where they are used in descriptive text.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 13]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
-Authors' Addresses
-
- Mark Smith, Editor
- Pearl Crescent, LLC
- 447 Marlpool Dr.
- Saline, MI 48176
- USA
-
- Phone: +1 734 944-2856
- EMail: mcs at pearlcrescent.com
-
-
- Tim Howes
- Opsware, Inc.
- 599 N. Mathilda Ave.
- Sunnyvale, CA 94085
- USA
-
- Phone: +1 408 744-7509
- EMail: howes at opsware.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 14]
-�
-RFC 4516 LDAP: Uniform Resource Locator June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Smith & Howes Standards Track [Page 15]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4517.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4517.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4517.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,2971 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Legg, Ed.
-Request for Comments: 4517 eB2Bcom
-Obsoletes: 2252, 2256 June 2006
-Updates: 3698
-Category: Standards Track
-
-
- Lightweight Directory Access Protocol (LDAP):
- Syntaxes and Matching Rules
-
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- Each attribute stored in a Lightweight Directory Access Protocol
- (LDAP) directory, whose values may be transferred in the LDAP
- protocol, has a defined syntax that constrains the structure and
- format of its values. The comparison semantics for values of a
- syntax are not part of the syntax definition but are instead provided
- through separately defined matching rules. Matching rules specify an
- argument, an assertion value, which also has a defined syntax. This
- document defines a base set of syntaxes and matching rules for use in
- defining attributes for LDAP directories.
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 2. Conventions .....................................................4
- 3. Syntaxes ........................................................4
- 3.1. General Considerations .....................................5
- 3.2. Common Definitions .........................................5
- 3.3. Syntax Definitions .........................................6
- 3.3.1. Attribute Type Description ..........................6
- 3.3.2. Bit String ..........................................6
- 3.3.3. Boolean .............................................7
- 3.3.4. Country String ......................................7
- 3.3.5. Delivery Method .....................................8
-
-
-
-Legg Standards Track [Page 1]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- 3.3.6. Directory String ....................................8
- 3.3.7. DIT Content Rule Description ........................9
- 3.3.8. DIT Structure Rule Description .....................10
- 3.3.9. DN .................................................10
- 3.3.10. Enhanced Guide ....................................11
- 3.3.11. Facsimile Telephone Number ........................12
- 3.3.12. Fax ...............................................12
- 3.3.13. Generalized Time ..................................13
- 3.3.14. Guide .............................................14
- 3.3.15. IA5 String ........................................15
- 3.3.16. Integer ...........................................15
- 3.3.17. JPEG ..............................................15
- 3.3.18. LDAP Syntax Description ...........................16
- 3.3.19. Matching Rule Description .........................16
- 3.3.20. Matching Rule Use Description .....................17
- 3.3.21. Name and Optional UID .............................17
- 3.3.22. Name Form Description .............................18
- 3.3.23. Numeric String ....................................18
- 3.3.24. Object Class Description ..........................18
- 3.3.25. Octet String ......................................19
- 3.3.26. OID ...............................................19
- 3.3.27. Other Mailbox .....................................20
- 3.3.28. Postal Address ....................................20
- 3.3.29. Printable String ..................................21
- 3.3.30. Substring Assertion ...............................22
- 3.3.31. Telephone Number ..................................23
- 3.3.32. Teletex Terminal Identifier .......................23
- 3.3.33. Telex Number ......................................24
- 3.3.34. UTC Time ..........................................24
- 4. Matching Rules .................................................25
- 4.1. General Considerations ....................................25
- 4.2. Matching Rule Definitions .................................27
- 4.2.1. bitStringMatch .....................................27
- 4.2.2. booleanMatch .......................................28
- 4.2.3. caseExactIA5Match ..................................28
- 4.2.4. caseExactMatch .....................................29
- 4.2.5. caseExactOrderingMatch .............................29
- 4.2.6. caseExactSubstringsMatch ...........................30
- 4.2.7. caseIgnoreIA5Match .................................30
- 4.2.8. caseIgnoreIA5SubstringsMatch .......................31
- 4.2.9. caseIgnoreListMatch ................................31
- 4.2.10. caseIgnoreListSubstringsMatch .....................32
- 4.2.11. caseIgnoreMatch ...................................33
- 4.2.12. caseIgnoreOrderingMatch ...........................33
- 4.2.13. caseIgnoreSubstringsMatch .........................34
- 4.2.14. directoryStringFirstComponentMatch ................34
- 4.2.15. distinguishedNameMatch ............................35
- 4.2.16. generalizedTimeMatch ..............................36
-
-
-
-Legg Standards Track [Page 2]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- 4.2.17. generalizedTimeOrderingMatch ......................36
- 4.2.18. integerFirstComponentMatch ........................36
- 4.2.19. integerMatch ......................................37
- 4.2.20. integerOrderingMatch ..............................37
- 4.2.21. keywordMatch ......................................38
- 4.2.22. numericStringMatch ................................38
- 4.2.23. numericStringOrderingMatch ........................39
- 4.2.24. numericStringSubstringsMatch ......................39
- 4.2.25. objectIdentifierFirstComponentMatch ...............40
- 4.2.26. objectIdentifierMatch .............................40
- 4.2.27. octetStringMatch ..................................41
- 4.2.28. octetStringOrderingMatch ..........................41
- 4.2.29. telephoneNumberMatch ..............................42
- 4.2.30. telephoneNumberSubstringsMatch ....................42
- 4.2.31. uniqueMemberMatch .................................43
- 4.2.32. wordMatch .........................................44
- 5. Security Considerations ........................................44
- 6. Acknowledgements ...............................................44
- 7. IANA Considerations ............................................45
- 8. References .....................................................46
- 8.1. Normative References ......................................46
- 8.2. Informative References ....................................48
- Appendix A. Summary of Syntax Object Identifiers ..................49
- Appendix B. Changes from RFC 2252 .................................49
-
-1. Introduction
-
- Each attribute stored in a Lightweight Directory Access Protocol
- (LDAP) directory [RFC4510], whose values may be transferred in the
- LDAP protocol [RFC4511], has a defined syntax (i.e., data type) that
- constrains the structure and format of its values. The comparison
- semantics for values of a syntax are not part of the syntax
- definition but are instead provided through separately defined
- matching rules. Matching rules specify an argument, an assertion
- value, which also has a defined syntax. This document defines a base
- set of syntaxes and matching rules for use in defining attributes for
- LDAP directories.
-
- Readers are advised to familiarize themselves with the Directory
- Information Models [RFC4512] before reading the rest of this
- document. Section 3 provides definitions for the base set of LDAP
- syntaxes. Section 4 provides definitions for the base set of
- matching rules for LDAP.
-
- This document is an integral part of the LDAP technical specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification, RFC 3377, in its entirety.
-
-
-
-
-Legg Standards Track [Page 3]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- Sections 4, 5, and 7 of RFC 2252 are obsoleted by [RFC4512]. The
- remainder of RFC 2252 is obsoleted by this document. Sections 6 and
- 8 of RFC 2256 are obsoleted by this document. The remainder of RFC
- 2256 is obsoleted by [RFC4519] and [RFC4512]. All but Section 2.11
- of RFC 3698 is obsoleted by this document.
-
- A number of schema elements that were included in the previous
- revision of the LDAP technical specification are not included in this
- revision of LDAP. Public Key Infrastructure schema elements are now
- specified in [RFC4523]. Unless reintroduced in future technical
- specifications, the remainder are to be considered Historic.
-
- The changes with respect to RFC 2252 are described in Appendix B of
- this document.
-
-2. Conventions
-
- In this document, the key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119
- [RFC2119].
-
- Syntax definitions are written according to the <SyntaxDescription>
- ABNF [RFC4234] rule specified in [RFC4512], and matching rule
- definitions are written according to the <MatchingRuleDescription>
- ABNF rule specified in [RFC4512], except that the syntax and matching
- rule definitions provided in this document are line-wrapped for
- readability. When such definitions are transferred as attribute
- values in the LDAP protocol (e.g., as values of the ldapSyntaxes and
- matchingRules attributes [RFC4512], respectively), then those values
- would not contain line breaks.
-
-3. Syntaxes
-
- Syntax definitions constrain the structure of attribute values stored
- in an LDAP directory, and determine the representation of attribute
- and assertion values transferred in the LDAP protocol.
-
- Syntaxes that are required for directory operation, or that are in
- common use, are specified in this section. Servers SHOULD recognize
- all the syntaxes listed in this document, but are not required to
- otherwise support them, and MAY recognise or support other syntaxes.
- However, the definition of additional arbitrary syntaxes is
- discouraged since it will hinder interoperability. Client and server
- implementations typically do not have the ability to dynamically
- recognize new syntaxes.
-
-
-
-
-
-Legg Standards Track [Page 4]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-3.1. General Considerations
-
- The description of each syntax specifies how attribute or assertion
- values conforming to the syntax are to be represented when
- transferred in the LDAP protocol [RFC4511]. This representation is
- referred to as the LDAP-specific encoding to distinguish it from
- other methods of encoding attribute values (e.g., the Basic Encoding
- Rules (BER) encoding [BER] used by X.500 [X.500] directories).
-
- The LDAP-specific encoding of a given attribute syntax always
- produces octet-aligned values. To the greatest extent possible,
- encoding rules for LDAP syntaxes should produce character strings
- that can be displayed with little or no translation by clients
- implementing LDAP. However, clients MUST NOT assume that the LDAP-
- specific encoding of a value of an unrecognized syntax is a human-
- readable character string. There are a few cases (e.g., the JPEG
- syntax) when it is not reasonable to produce a human-readable
- representation.
-
- Each LDAP syntax is uniquely identified with an object identifier
- [ASN.1] represented in the dotted-decimal format (short descriptive
- names are not defined for syntaxes). These object identifiers are
- not intended to be displayed to users. The object identifiers for
- the syntaxes defined in this document are summarized in Appendix A.
-
- A suggested minimum upper bound on the number of characters in an
- attribute value with a string-based syntax, or the number of octets
- in a value for all other syntaxes, MAY be indicated by appending the
- bound inside of curly braces following the syntax's OBJECT IDENTIFIER
- in an attribute type definition (see the <noidlen> rule in
- [RFC4512]). Such a bound is not considered part of the syntax
- identifier.
-
- For example, "1.3.6.1.4.1.1466.115.121.1.15{64}" in an attribute
- definition suggests that the directory server will allow a value of
- the attribute to be up to 64 characters long, although it may allow
- longer character strings. Note that a single character of the
- Directory String syntax can be encoded in more than one octet, since
- UTF-8 [RFC3629] is a variable-length encoding. Therefore, a 64-
- character string may be more than 64 octets in length.
-
-3.2. Common Definitions
-
- The following ABNF rules are used in a number of the syntax
- definitions in Section 3.3.
-
- PrintableCharacter = ALPHA / DIGIT / SQUOTE / LPAREN / RPAREN /
- PLUS / COMMA / HYPHEN / DOT / EQUALS /
-
-
-
-Legg Standards Track [Page 5]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- SLASH / COLON / QUESTION / SPACE
- PrintableString = 1*PrintableCharacter
- IA5String = *(%x00-7F)
- SLASH = %x2F ; forward slash ("/")
- COLON = %x3A ; colon (":")
- QUESTION = %x3F ; question mark ("?")
-
- The <ALPHA>, <DIGIT>, <SQUOTE>, <LPAREN>, <RPAREN>, <PLUS>, <COMMA>,
- <HYPHEN>, <DOT>, <EQUALS>, and <SPACE> rules are defined in
- [RFC4512].
-
-3.3. Syntax Definitions
-
-3.3.1. Attribute Type Description
-
- A value of the Attribute Type Description syntax is the definition of
- an attribute type. The LDAP-specific encoding of a value of this
- syntax is defined by the <AttributeTypeDescription> rule in
- [RFC4512].
-
- For example, the following definition of the createTimestamp
- attribute type from [RFC4512] is also a value of the Attribute
- Type Description syntax. (Note: Line breaks have been added for
- readability; they are not part of the value when transferred in
- protocol.)
-
- ( 2.5.18.1 NAME 'createTimestamp'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- SINGLE-VALUE NO-USER-MODIFICATION
- USAGE directoryOperation )
-
- The LDAP definition for the Attribute Type Description syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.3 DESC 'Attribute Type Description' )
-
- This syntax corresponds to the AttributeTypeDescription ASN.1 type
- from [X.501].
-
-3.3.2. Bit String
-
- A value of the Bit String syntax is a sequence of binary digits. The
- LDAP-specific encoding of a value of this syntax is defined by the
- following ABNF:
-
- BitString = SQUOTE *binary-digit SQUOTE "B"
- binary-digit = "0" / "1"
-
-
-
-Legg Standards Track [Page 6]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- The <SQUOTE> rule is defined in [RFC4512].
-
- Example:
- '0101111101'B
-
- The LDAP definition for the Bit String syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )
-
- This syntax corresponds to the BIT STRING ASN.1 type from [ASN.1].
-
-3.3.3. Boolean
-
- A value of the Boolean syntax is one of the Boolean values, true or
- false. The LDAP-specific encoding of a value of this syntax is
- defined by the following ABNF:
-
- Boolean = "TRUE" / "FALSE"
-
- The LDAP definition for the Boolean syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )
-
- This syntax corresponds to the BOOLEAN ASN.1 type from [ASN.1].
-
-3.3.4. Country String
-
- A value of the Country String syntax is one of the two-character
- codes from ISO 3166 [ISO3166] for representing a country. The LDAP-
- specific encoding of a value of this syntax is defined by the
- following ABNF:
-
- CountryString = 2(PrintableCharacter)
-
- The <PrintableCharacter> rule is defined in Section 3.2.
-
- Examples:
-
- US
- AU
-
- The LDAP definition for the Country String syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )
-
- This syntax corresponds to the following ASN.1 type from [X.520]:
-
- PrintableString (SIZE (2)) -- ISO 3166 codes only
-
-
-
-Legg Standards Track [Page 7]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-3.3.5. Delivery Method
-
- A value of the Delivery Method syntax is a sequence of items that
- indicate, in preference order, the service(s) by which an entity is
- willing and/or capable of receiving messages. The LDAP-specific
- encoding of a value of this syntax is defined by the following ABNF:
-
- DeliveryMethod = pdm *( WSP DOLLAR WSP pdm )
-
- pdm = "any" / "mhs" / "physical" / "telex" / "teletex" /
- "g3fax" / "g4fax" / "ia5" / "videotex" / "telephone"
-
- The <WSP> and <DOLLAR> rules are defined in [RFC4512].
-
- Example:
- telephone $ videotex
-
- The LDAP definition for the Delivery Method syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' )
-
- This syntax corresponds to the following ASN.1 type from [X.520]:
-
- SEQUENCE OF INTEGER {
- any-delivery-method (0),
- mhs-delivery (1),
- physical-delivery (2),
- telex-delivery (3),
- teletex-delivery (4),
- g3-facsimile-delivery (5),
- g4-facsimile-delivery (6),
- ia5-terminal-delivery (7),
- videotex-delivery (8),
- telephone-delivery (9) }
-
-3.3.6. Directory String
-
- A value of the Directory String syntax is a string of one or more
- arbitrary characters from the Universal Character Set (UCS) [UCS]. A
- zero-length character string is not permitted. The LDAP-specific
- encoding of a value of this syntax is the UTF-8 encoding [RFC3629] of
- the character string. Such encodings conform to the following ABNF:
-
- DirectoryString = 1*UTF8
-
- The <UTF8> rule is defined in [RFC4512].
-
-
-
-
-
-Legg Standards Track [Page 8]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- Example:
- This is a value of Directory String containing #!%#@.
-
- Servers and clients MUST be prepared to receive arbitrary UCS code
- points, including code points outside the range of printable ASCII
- and code points not presently assigned to any character.
-
- Attribute type definitions using the Directory String syntax should
- not restrict the format of Directory String values, e.g., by
- requiring that the character string conforms to specific patterns
- described by ABNF. A new syntax should be defined in such cases.
-
- The LDAP definition for the Directory String syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )
-
- This syntax corresponds to the DirectoryString parameterized ASN.1
- type from [X.520].
-
- The DirectoryString ASN.1 type allows a choice between the
- TeletexString, PrintableString, or UniversalString ASN.1 types from
- [ASN.1]. However, note that the chosen alternative is not indicated
- in the LDAP-specific encoding of a Directory String value.
-
- Implementations that convert Directory String values from the LDAP-
- specific encoding to the BER encoding used by X.500 must choose an
- alternative that permits the particular characters in the string and
- must convert the characters from the UTF-8 encoding into the
- character encoding of the chosen alternative. When converting
- Directory String values from the BER encoding to the LDAP-specific
- encoding, the characters must be converted from the character
- encoding of the chosen alternative into the UTF-8 encoding. These
- conversions SHOULD be done in a manner consistent with the Transcode
- step of the string preparation algorithms [RFC4518] for LDAP.
-
-3.3.7. DIT Content Rule Description
-
- A value of the DIT Content Rule Description syntax is the definition
- of a DIT (Directory Information Tree) content rule. The LDAP-
- specific encoding of a value of this syntax is defined by the
- <DITContentRuleDescription> rule in [RFC4512].
-
- Example:
- ( 2.5.6.4 DESC 'content rule for organization'
- NOT ( x121Address $ telexNumber ) )
-
- Note: A line break has been added for readability; it is not part
- of the value.
-
-
-
-Legg Standards Track [Page 9]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- The LDAP definition for the DIT Content Rule Description syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.16
- DESC 'DIT Content Rule Description' )
-
- This syntax corresponds to the DITContentRuleDescription ASN.1 type
- from [X.501].
-
-3.3.8. DIT Structure Rule Description
-
- A value of the DIT Structure Rule Description syntax is the
- definition of a DIT structure rule. The LDAP-specific encoding of a
- value of this syntax is defined by the <DITStructureRuleDescription>
- rule in [RFC4512].
-
- Example:
- ( 2 DESC 'organization structure rule' FORM 2.5.15.3 )
-
- The LDAP definition for the DIT Structure Rule Description syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.17
- DESC 'DIT Structure Rule Description' )
-
- This syntax corresponds to the DITStructureRuleDescription ASN.1 type
- from [X.501].
-
-3.3.9. DN
-
- A value of the DN syntax is the (purported) distinguished name (DN)
- of an entry [RFC4512]. The LDAP-specific encoding of a value of this
- syntax is defined by the <distinguishedName> rule from the string
- representation of distinguished names [RFC4514].
-
- Examples (from [RFC4514]):
- UID=jsmith,DC=example,DC=net
- OU=Sales+CN=J. Smith,DC=example,DC=net
- CN=John Smith\, III,DC=example,DC=net
- CN=Before\0dAfter,DC=example,DC=net
- 1.3.6.1.4.1.1466.0=#04024869,DC=example,DC=com
- CN=Lu\C4\8Di\C4\87
-
- The LDAP definition for the DN syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'DN' )
-
- The DN syntax corresponds to the DistinguishedName ASN.1 type from
- [X.501]. Note that a BER encoded distinguished name (as used by
- X.500) re-encoded into the LDAP-specific encoding is not necessarily
-
-
-
-Legg Standards Track [Page 10]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- reversible to the original BER encoding since the chosen string type
- in any DirectoryString components of the distinguished name is not
- indicated in the LDAP-specific encoding of the distinguished name
- (see Section 3.3.6).
-
-3.3.10. Enhanced Guide
-
- A value of the Enhanced Guide syntax suggests criteria, which consist
- of combinations of attribute types and filter operators, to be used
- in constructing filters to search for entries of particular object
- classes. The Enhanced Guide syntax improves upon the Guide syntax by
- allowing the recommended depth of the search to be specified.
-
- The LDAP-specific encoding of a value of this syntax is defined by
- the following ABNF:
-
- EnhancedGuide = object-class SHARP WSP criteria WSP
- SHARP WSP subset
- object-class = WSP oid WSP
- subset = "baseobject" / "oneLevel" / "wholeSubtree"
-
- criteria = and-term *( BAR and-term )
- and-term = term *( AMPERSAND term )
- term = EXCLAIM term /
- attributetype DOLLAR match-type /
- LPAREN criteria RPAREN /
- true /
- false
- match-type = "EQ" / "SUBSTR" / "GE" / "LE" / "APPROX"
- true = "?true"
- false = "?false"
- BAR = %x7C ; vertical bar ("|")
- AMPERSAND = %x26 ; ampersand ("&")
- EXCLAIM = %x21 ; exclamation mark ("!")
-
- The <SHARP>, <WSP>, <oid>, <LPAREN>, <RPAREN>, <attributetype>, and
- <DOLLAR> rules are defined in [RFC4512].
-
- The LDAP definition for the Enhanced Guide syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' )
-
- Example:
- person#(sn$EQ)#oneLevel
-
- The Enhanced Guide syntax corresponds to the EnhancedGuide ASN.1 type
- from [X.520]. The EnhancedGuide type references the Criteria ASN.1
- type, also from [X.520]. The <true> rule, above, represents an empty
-
-
-
-Legg Standards Track [Page 11]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- "and" expression in a value of the Criteria type. The <false> rule,
- above, represents an empty "or" expression in a value of the Criteria
- type.
-
-3.3.11. Facsimile Telephone Number
-
- A value of the Facsimile Telephone Number syntax is a subscriber
- number of a facsimile device on the public switched telephone
- network. The LDAP-specific encoding of a value of this syntax is
- defined by the following ABNF:
-
- fax-number = telephone-number *( DOLLAR fax-parameter )
- telephone-number = PrintableString
- fax-parameter = "twoDimensional" /
- "fineResolution" /
- "unlimitedLength" /
- "b4Length" /
- "a3Width" /
- "b4Width" /
- "uncompressed"
-
- The <telephone-number> is a string of printable characters that
- complies with the internationally agreed format for representing
- international telephone numbers [E.123]. The <PrintableString> rule
- is defined in Section 3.2. The <DOLLAR> rule is defined in
- [RFC4512].
-
- The LDAP definition for the Facsimile Telephone Number syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.22 DESC 'Facsimile Telephone Number')
-
- The Facsimile Telephone Number syntax corresponds to the
- FacsimileTelephoneNumber ASN.1 type from [X.520].
-
-3.3.12. Fax
-
- A value of the Fax syntax is an image that is produced using the
- Group 3 facsimile process [FAX] to duplicate an object, such as a
- memo. The LDAP-specific encoding of a value of this syntax is the
- string of octets for a Group 3 Fax image as defined in [FAX].
-
- The LDAP definition for the Fax syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' )
-
- The ASN.1 type corresponding to the Fax syntax is defined as follows,
- assuming EXPLICIT TAGS:
-
-
-
-
-Legg Standards Track [Page 12]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- Fax ::= CHOICE {
- g3-facsimile [3] G3FacsimileBodyPart
- }
-
- The G3FacsimileBodyPart ASN.1 type is defined in [X.420].
-
-3.3.13. Generalized Time
-
- A value of the Generalized Time syntax is a character string
- representing a date and time. The LDAP-specific encoding of a value
- of this syntax is a restriction of the format defined in [ISO8601],
- and is described by the following ABNF:
-
- GeneralizedTime = century year month day hour
- [ minute [ second / leap-second ] ]
- [ fraction ]
- g-time-zone
-
- century = 2(%x30-39) ; "00" to "99"
- year = 2(%x30-39) ; "00" to "99"
- month = ( %x30 %x31-39 ) ; "01" (January) to "09"
- / ( %x31 %x30-32 ) ; "10" to "12"
- day = ( %x30 %x31-39 ) ; "01" to "09"
- / ( %x31-32 %x30-39 ) ; "10" to "29"
- / ( %x33 %x30-31 ) ; "30" to "31"
- hour = ( %x30-31 %x30-39 ) / ( %x32 %x30-33 ) ; "00" to "23"
- minute = %x30-35 %x30-39 ; "00" to "59"
-
- second = ( %x30-35 %x30-39 ) ; "00" to "59"
- leap-second = ( %x36 %x30 ) ; "60"
-
- fraction = ( DOT / COMMA ) 1*(%x30-39)
- g-time-zone = %x5A ; "Z"
- / g-differential
- g-differential = ( MINUS / PLUS ) hour [ minute ]
- MINUS = %x2D ; minus sign ("-")
-
- The <DOT>, <COMMA>, and <PLUS> rules are defined in [RFC4512].
-
- The above ABNF allows character strings that do not represent valid
- dates (in the Gregorian calendar) and/or valid times (e.g., February
- 31, 1994). Such character strings SHOULD be considered invalid for
- this syntax.
-
- The time value represents coordinated universal time (equivalent to
- Greenwich Mean Time) if the "Z" form of <g-time-zone> is used;
- otherwise, the value represents a local time in the time zone
- indicated by <g-differential>. In the latter case, coordinated
-
-
-
-Legg Standards Track [Page 13]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- universal time can be calculated by subtracting the differential from
- the local time. The "Z" form of <g-time-zone> SHOULD be used in
- preference to <g-differential>.
-
- If <minute> is omitted, then <fraction> represents a fraction of an
- hour; otherwise, if <second> and <leap-second> are omitted, then
- <fraction> represents a fraction of a minute; otherwise, <fraction>
- represents a fraction of a second.
-
- Examples:
- 199412161032Z
- 199412160532-0500
-
- Both example values represent the same coordinated universal time:
- 10:32 AM, December 16, 1994.
-
- The LDAP definition for the Generalized Time syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'Generalized Time' )
-
- This syntax corresponds to the GeneralizedTime ASN.1 type from
- [ASN.1], with the constraint that local time without a differential
- SHALL NOT be used.
-
-3.3.14. Guide
-
- A value of the Guide syntax suggests criteria, which consist of
- combinations of attribute types and filter operators, to be used in
- constructing filters to search for entries of particular object
- classes. The Guide syntax is obsolete and should not be used for
- defining new attribute types.
-
- The LDAP-specific encoding of a value of this syntax is defined by
- the following ABNF:
-
- Guide = [ object-class SHARP ] criteria
-
- The <object-class> and <criteria> rules are defined in Section
- 3.3.10. The <SHARP> rule is defined in [RFC4512].
-
- The LDAP definition for the Guide syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' )
-
- The Guide syntax corresponds to the Guide ASN.1 type from [X.520].
-
-
-
-
-
-
-Legg Standards Track [Page 14]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-3.3.15. IA5 String
-
- A value of the IA5 String syntax is a string of zero, one, or more
- characters from International Alphabet 5 (IA5) [T.50], the
- international version of the ASCII character set. The LDAP-specific
- encoding of a value of this syntax is the unconverted string of
- characters, which conforms to the <IA5String> rule in Section 3.2.
-
- The LDAP definition for the IA5 String syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' )
-
- This syntax corresponds to the IA5String ASN.1 type from [ASN.1].
-
-3.3.16. Integer
-
- A value of the Integer syntax is a whole number of unlimited
- magnitude. The LDAP-specific encoding of a value of this syntax is
- the optionally signed decimal digit character string representation
- of the number (for example, the number 1321 is represented by the
- character string "1321"). The encoding is defined by the following
- ABNF:
-
- Integer = ( HYPHEN LDIGIT *DIGIT ) / number
-
- The <HYPHEN>, <LDIGIT>, <DIGIT>, and <number> rules are defined in
- [RFC4512].
-
- The LDAP definition for the Integer syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'INTEGER' )
-
- This syntax corresponds to the INTEGER ASN.1 type from [ASN.1].
-
-3.3.17. JPEG
-
- A value of the JPEG syntax is an image in the JPEG File Interchange
- Format (JFIF), as described in [JPEG]. The LDAP-specific encoding of
- a value of this syntax is the sequence of octets of the JFIF encoding
- of the image.
-
- The LDAP definition for the JPEG syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' )
-
- The JPEG syntax corresponds to the following ASN.1 type:
-
-
-
-
-
-Legg Standards Track [Page 15]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- JPEG ::= OCTET STRING (CONSTRAINED BY
- { -- contents octets are an image in the --
- -- JPEG File Interchange Format -- })
-
-3.3.18. LDAP Syntax Description
-
- A value of the LDAP Syntax Description syntax is the description of
- an LDAP syntax. The LDAP-specific encoding of a value of this syntax
- is defined by the <SyntaxDescription> rule in [RFC4512].
-
- The LDAP definition for the LDAP Syntax Description syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.54 DESC 'LDAP Syntax Description' )
-
- The above LDAP definition for the LDAP Syntax Description syntax is
- itself a legal value of the LDAP Syntax Description syntax.
-
- The ASN.1 type corresponding to the LDAP Syntax Description syntax is
- defined as follows, assuming EXPLICIT TAGS:
-
- LDAPSyntaxDescription ::= SEQUENCE {
- identifier OBJECT IDENTIFIER,
- description DirectoryString { ub-schema } OPTIONAL }
-
- The DirectoryString parameterized ASN.1 type is defined in [X.520].
-
- The value of ub-schema (an integer) is implementation defined. A
- non-normative definition appears in [X.520].
-
-3.3.19. Matching Rule Description
-
- A value of the Matching Rule Description syntax is the definition of
- a matching rule. The LDAP-specific encoding of a value of this
- syntax is defined by the <MatchingRuleDescription> rule in [RFC4512].
-
- Example:
- ( 2.5.13.2 NAME 'caseIgnoreMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- Note: A line break has been added for readability; it is not part of
- the syntax.
-
- The LDAP definition for the Matching Rule Description syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.30 DESC 'Matching Rule Description' )
-
- This syntax corresponds to the MatchingRuleDescription ASN.1 type
- from [X.501].
-
-
-
-Legg Standards Track [Page 16]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-3.3.20. Matching Rule Use Description
-
- A value of the Matching Rule Use Description syntax indicates the
- attribute types to which a matching rule may be applied in an
- extensibleMatch search filter [RFC4511]. The LDAP-specific encoding
- of a value of this syntax is defined by the
- <MatchingRuleUseDescription> rule in [RFC4512].
-
- Example:
- ( 2.5.13.16 APPLIES ( givenName $ surname ) )
-
- The LDAP definition for the Matching Rule Use Description syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.31
- DESC 'Matching Rule Use Description' )
-
- This syntax corresponds to the MatchingRuleUseDescription ASN.1 type
- from [X.501].
-
-3.3.21. Name and Optional UID
-
- A value of the Name and Optional UID syntax is the distinguished name
- [RFC4512] of an entity optionally accompanied by a unique identifier
- that serves to differentiate the entity from others with an identical
- distinguished name.
-
- The LDAP-specific encoding of a value of this syntax is defined by
- the following ABNF:
-
- NameAndOptionalUID = distinguishedName [ SHARP BitString ]
-
- The <BitString> rule is defined in Section 3.3.2. The
- <distinguishedName> rule is defined in [RFC4514]. The <SHARP> rule
- is defined in [RFC4512].
-
- Note that although the '#' character may occur in the string
- representation of a distinguished name, no additional escaping of
- this character is performed when a <distinguishedName> is encoded in
- a <NameAndOptionalUID>.
-
- Example:
- 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB#'0101'B
-
- The LDAP definition for the Name and Optional UID syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )
-
-
-
-
-
-Legg Standards Track [Page 17]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- This syntax corresponds to the NameAndOptionalUID ASN.1 type from
- [X.520].
-
-3.3.22. Name Form Description
-
- A value of the Name Form Description syntax is the definition of a
- name form, which regulates how entries may be named. The LDAP-
- specific encoding of a value of this syntax is defined by the
- <NameFormDescription> rule in [RFC4512].
-
- Example:
- ( 2.5.15.3 NAME 'orgNameForm' OC organization MUST o )
-
- The LDAP definition for the Name Form Description syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.35 DESC 'Name Form Description' )
-
- This syntax corresponds to the NameFormDescription ASN.1 type from
- [X.501].
-
-3.3.23. Numeric String
-
- A value of the Numeric String syntax is a sequence of one or more
- numerals and spaces. The LDAP-specific encoding of a value of this
- syntax is the unconverted string of characters, which conforms to the
- following ABNF:
-
- NumericString = 1*(DIGIT / SPACE)
-
- The <DIGIT> and <SPACE> rules are defined in [RFC4512].
-
- Example:
- 15 079 672 281
-
- The LDAP definition for the Numeric String syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )
-
- This syntax corresponds to the NumericString ASN.1 type from [ASN.1].
-
-3.3.24. Object Class Description
-
- A value of the Object Class Description syntax is the definition of
- an object class. The LDAP-specific encoding of a value of this
- syntax is defined by the <ObjectClassDescription> rule in [RFC4512].
-
-
-
-
-
-
-Legg Standards Track [Page 18]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- Example:
- ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c
- MAY ( searchGuide $ description ) )
-
- Note: A line break has been added for readability; it is not part of
- the syntax.
-
- The LDAP definition for the Object Class Description syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.37 DESC 'Object Class Description' )
-
- This syntax corresponds to the ObjectClassDescription ASN.1 type from
- [X.501].
-
-3.3.25. Octet String
-
- A value of the Octet String syntax is a sequence of zero, one, or
- more arbitrary octets. The LDAP-specific encoding of a value of this
- syntax is the unconverted sequence of octets, which conforms to the
- following ABNF:
-
- OctetString = *OCTET
-
- The <OCTET> rule is defined in [RFC4512]. Values of this syntax are
- not generally human-readable.
-
- The LDAP definition for the Octet String syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' )
-
- This syntax corresponds to the OCTET STRING ASN.1 type from [ASN.1].
-
-3.3.26. OID
-
- A value of the OID syntax is an object identifier: a sequence of two
- or more non-negative integers that uniquely identify some object or
- item of specification. Many of the object identifiers used in LDAP
- also have IANA registered names [RFC4520].
-
- The LDAP-specific encoding of a value of this syntax is defined by
- the <oid> rule in [RFC4512].
-
- Examples:
- 1.2.3.4
- cn
-
- The LDAP definition for the OID syntax is:
-
-
-
-
-Legg Standards Track [Page 19]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- ( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' )
-
- This syntax corresponds to the OBJECT IDENTIFIER ASN.1 type from
- [ASN.1].
-
-3.3.27. Other Mailbox
-
- A value of the Other Mailbox syntax identifies an electronic mailbox,
- in a particular named mail system. The LDAP-specific encoding of a
- value of this syntax is defined by the following ABNF:
-
- OtherMailbox = mailbox-type DOLLAR mailbox
- mailbox-type = PrintableString
- mailbox = IA5String
-
- The <mailbox-type> rule represents the type of mail system in which
- the mailbox resides (for example, "MCIMail"), and <mailbox> is the
- actual mailbox in the mail system described by <mailbox-type>. The
- <PrintableString> and <IA5String> rules are defined in Section 3.2.
- The <DOLLAR> rule is defined in [RFC4512].
-
- The LDAP definition for the Other Mailbox syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.39 DESC 'Other Mailbox' )
-
- The ASN.1 type corresponding to the Other Mailbox syntax is defined
- as follows, assuming EXPLICIT TAGS:
-
- OtherMailbox ::= SEQUENCE {
- mailboxType PrintableString,
- mailbox IA5String
- }
-
-3.3.28. Postal Address
-
- A value of the Postal Address syntax is a sequence of strings of one
- or more arbitrary UCS characters, which form an address in a physical
- mail system.
-
- The LDAP-specific encoding of a value of this syntax is defined by
- the following ABNF:
-
-
-
-
-
-
-
-
-
-
-Legg Standards Track [Page 20]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- PostalAddress = line *( DOLLAR line )
- line = 1*line-char
- line-char = %x00-23
- / (%x5C "24") ; escaped "$"
- / %x25-5B
- / (%x5C "5C") ; escaped "\"
- / %x5D-7F
- / UTFMB
-
- Each character string (i.e., <line>) of a postal address value is
- encoded as a UTF-8 [RFC3629] string, except that "\" and "$"
- characters, if they occur in the string, are escaped by a "\"
- character followed by the two hexadecimal digit code for the
- character. The <DOLLAR> and <UTFMB> rules are defined in [RFC4512].
-
- Many servers limit the postal address to no more than six lines of no
- more than thirty characters each.
-
- Example:
- 1234 Main St.$Anytown, CA 12345$USA
- \241,000,000 Sweepstakes$PO Box 1000000$Anytown, CA 12345$USA
-
- The LDAP definition for the Postal Address syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )
-
- This syntax corresponds to the PostalAddress ASN.1 type from [X.520];
- that is
-
- PostalAddress ::= SEQUENCE SIZE(1..ub-postal-line) OF
- DirectoryString { ub-postal-string }
-
- The values of ub-postal-line and ub-postal-string (both integers) are
- implementation defined. Non-normative definitions appear in [X.520].
-
-3.3.29. Printable String
-
- A value of the Printable String syntax is a string of one or more
- latin alphabetic, numeric, and selected punctuation characters as
- specified by the <PrintableCharacter> rule in Section 3.2.
-
- The LDAP-specific encoding of a value of this syntax is the
- unconverted string of characters, which conforms to the
- <PrintableString> rule in Section 3.2.
-
- Example:
- This is a PrintableString.
-
-
-
-
-Legg Standards Track [Page 21]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- The LDAP definition for the PrintableString syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' )
-
- This syntax corresponds to the PrintableString ASN.1 type from
- [ASN.1].
-
-3.3.30. Substring Assertion
-
- A value of the Substring Assertion syntax is a sequence of zero, one,
- or more character substrings used as an argument for substring
- extensible matching of character string attribute values; i.e., as
- the matchValue of a MatchingRuleAssertion [RFC4511]. Each substring
- is a string of one or more arbitrary characters from the Universal
- Character Set (UCS) [UCS]. A zero-length substring is not permitted.
-
- The LDAP-specific encoding of a value of this syntax is defined by
- the following ABNF:
-
- SubstringAssertion = [ initial ] any [ final ]
-
- initial = substring
- any = ASTERISK *(substring ASTERISK)
- final = substring
- ASTERISK = %x2A ; asterisk ("*")
-
- substring = 1*substring-character
- substring-character = %x00-29
- / (%x5C "2A") ; escaped "*"
- / %x2B-5B
- / (%x5C "5C") ; escaped "\"
- / %x5D-7F
- / UTFMB
-
- Each <substring> of a Substring Assertion value is encoded as a UTF-8
- [RFC3629] string, except that "\" and "*" characters, if they occur
- in the substring, are escaped by a "\" character followed by the two
- hexadecimal digit code for the character.
-
- The Substring Assertion syntax is used only as the syntax of
- assertion values in the extensible match. It is not used as an
- attribute syntax, or in the SubstringFilter [RFC4511].
-
- The LDAP definition for the Substring Assertion syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.58 DESC 'Substring Assertion' )
-
-
-
-
-
-Legg Standards Track [Page 22]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- This syntax corresponds to the SubstringAssertion ASN.1 type from
- [X.520].
-
-3.3.31. Telephone Number
-
- A value of the Telephone Number syntax is a string of printable
- characters that complies with the internationally agreed format for
- representing international telephone numbers [E.123].
-
- The LDAP-specific encoding of a value of this syntax is the
- unconverted string of characters, which conforms to the
- <PrintableString> rule in Section 3.2.
-
- Examples:
- +1 512 315 0280
- +1-512-315-0280
- +61 3 9896 7830
-
- The LDAP definition for the Telephone Number syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' )
-
- The Telephone Number syntax corresponds to the following ASN.1 type
- from [X.520]:
-
- PrintableString (SIZE(1..ub-telephone-number))
-
- The value of ub-telephone-number (an integer) is implementation
- defined. A non-normative definition appears in [X.520].
-
-3.3.32. Teletex Terminal Identifier
-
- A value of this syntax specifies the identifier and (optionally)
- parameters of a teletex terminal.
-
- The LDAP-specific encoding of a value of this syntax is defined by
- the following ABNF:
-
- teletex-id = ttx-term *(DOLLAR ttx-param)
- ttx-term = PrintableString ; terminal identifier
- ttx-param = ttx-key COLON ttx-value ; parameter
- ttx-key = "graphic" / "control" / "misc" / "page" / "private"
- ttx-value = *ttx-value-octet
-
- ttx-value-octet = %x00-23
- / (%x5C "24") ; escaped "$"
- / %x25-5B
- / (%x5C "5C") ; escaped "\"
-
-
-
-Legg Standards Track [Page 23]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- / %x5D-FF
-
- The <PrintableString> and <COLON> rules are defined in Section 3.2.
- The <DOLLAR> rule is defined in [RFC4512].
-
- The LDAP definition for the Teletex Terminal Identifier syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.51
- DESC 'Teletex Terminal Identifier' )
-
- This syntax corresponds to the TeletexTerminalIdentifier ASN.1 type
- from [X.520].
-
-3.3.33. Telex Number
-
- A value of the Telex Number syntax specifies the telex number,
- country code, and answerback code of a telex terminal.
-
- The LDAP-specific encoding of a value of this syntax is defined by
- the following ABNF:
-
- telex-number = actual-number DOLLAR country-code
- DOLLAR answerback
- actual-number = PrintableString
- country-code = PrintableString
- answerback = PrintableString
-
- The <PrintableString> rule is defined in Section 3.2. The <DOLLAR>
- rule is defined in [RFC4512].
-
- The LDAP definition for the Telex Number syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )
-
- This syntax corresponds to the TelexNumber ASN.1 type from [X.520].
-
-3.3.34. UTC Time
-
- A value of the UTC Time syntax is a character string representing a
- date and time to a precision of one minute or one second. The year
- is given as a two-digit number. The LDAP-specific encoding of a
- value of this syntax follows the format defined in [ASN.1] for the
- UTCTime type and is described by the following ABNF:
-
- UTCTime = year month day hour minute [ second ]
- [ u-time-zone ]
- u-time-zone = %x5A ; "Z"
- / u-differential
-
-
-
-Legg Standards Track [Page 24]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- u-differential = ( MINUS / PLUS ) hour minute
-
- The <year>, <month>, <day>, <hour>, <minute>, <second>, and <MINUS>
- rules are defined in Section 3.3.13. The <PLUS> rule is defined in
- [RFC4512].
-
- The above ABNF allows character strings that do not represent valid
- dates (in the Gregorian calendar) and/or valid times. Such character
- strings SHOULD be considered invalid for this syntax.
-
- The time value represents coordinated universal time if the "Z" form
- of <u-time-zone> is used; otherwise, the value represents a local
- time. In the latter case, if <u-differential> is provided, then
- coordinated universal time can be calculated by subtracting the
- differential from the local time. The <u-time-zone> SHOULD be
- present in time values, and the "Z" form of <u-time-zone> SHOULD be
- used in preference to <u-differential>.
-
- The LDAP definition for the UTC Time syntax is:
-
- ( 1.3.6.1.4.1.1466.115.121.1.53 DESC 'UTC Time' )
-
- Note: This syntax is deprecated in favor of the Generalized Time
- syntax.
-
- The UTC Time syntax corresponds to the UTCTime ASN.1 type from
- [ASN.1].
-
-4. Matching Rules
-
- Matching rules are used by directory implementations to compare
- attribute values against assertion values when performing Search and
- Compare operations [RFC4511]. They are also used when comparing a
- purported distinguished name [RFC4512] with the name of an entry.
- When modifying entries, matching rules are used to identify values to
- be deleted and to prevent an attribute from containing two equal
- values.
-
- Matching rules that are required for directory operation, or that are
- in common use, are specified in this section.
-
-4.1. General Considerations
-
- A matching rule is applied to attribute values through an
- AttributeValueAssertion or MatchingRuleAssertion [RFC4511]. The
- conditions under which an AttributeValueAssertion or
- MatchingRuleAssertion evaluates to Undefined are specified elsewhere
- [RFC4511]. If an assertion is not Undefined, then the result of the
-
-
-
-Legg Standards Track [Page 25]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- assertion is the result of applying the selected matching rule. A
- matching rule evaluates to TRUE, and in some cases Undefined, as
- specified in the description of the matching rule; otherwise, it
- evaluates to FALSE.
-
- Each assertion contains an assertion value. The definition of each
- matching rule specifies the syntax for the assertion value. The
- syntax of the assertion value is typically, but not necessarily, the
- same as the syntax of the attribute values to which the matching rule
- may be applied. Note that an AssertionValue in a SubstringFilter
- [RFC4511] conforms to the assertion syntax of the equality matching
- rule for the attribute type rather than to the assertion syntax of
- the substrings matching rule for the attribute type. Conceptually,
- the entire SubstringFilter is converted into an assertion value of
- the substrings matching rule prior to applying the rule.
-
- The definition of each matching rule indicates the attribute syntaxes
- to which the rule may be applied, by specifying conditions the
- corresponding ASN.1 type of a candidate attribute syntax must
- satisfy. These conditions are also satisfied if the corresponding
- ASN.1 type is a tagged or constrained derivative of the ASN.1 type
- explicitly mentioned in the rule description (i.e., ASN.1 tags and
- constraints are ignored in checking applicability), or is an
- alternative reference notation for the explicitly mentioned type.
- Each rule description lists, as examples of applicable attribute
- syntaxes, the complete list of the syntaxes defined in this document
- to which the matching rule applies. A matching rule may be
- applicable to additional syntaxes defined in other documents if those
- syntaxes satisfy the conditions on the corresponding ASN.1 type.
-
- The description of each matching rule indicates whether the rule is
- suitable for use as the equality matching rule (EQUALITY), ordering
- matching rule (ORDERING), or substrings matching rule (SUBSTR) in an
- attribute type definition [RFC4512].
-
- Each matching rule is uniquely identified with an object identifier.
- The definition of a matching rule should not subsequently be changed.
- If a change is desirable, then a new matching rule with a different
- object identifier should be defined instead.
-
- Servers MAY implement the wordMatch and keywordMatch matching rules,
- but they SHOULD implement the other matching rules in Section 4.2.
- Servers MAY implement additional matching rules.
-
- Servers that implement the extensibleMatch filter SHOULD allow the
- matching rules listed in Section 4.2 to be used in the
- extensibleMatch filter and SHOULD allow matching rules to be used
- with all attribute types known to the server, where the assertion
-
-
-
-Legg Standards Track [Page 26]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- syntax of the matching rule is the same as the value syntax of the
- attribute.
-
- Servers MUST publish, in the matchingRules attribute, the definitions
- of matching rules referenced by values of the attributeTypes and
- matchingRuleUse attributes in the same subschema entry. Other
- unreferenced matching rules MAY be published in the matchingRules
- attribute.
-
- If the server supports the extensibleMatch filter, then the server
- MAY use the matchingRuleUse attribute to indicate the applicability
- (in an extensibleMatch filter) of selected matching rules to
- nominated attribute types.
-
-4.2. Matching Rule Definitions
-
- Nominated character strings in assertion and attribute values are
- prepared according to the string preparation algorithms [RFC4518] for
- LDAP when evaluating the following matching rules:
-
- numericStringMatch,
- numericStringSubstringsMatch,
- caseExactMatch,
- caseExactOrderingMatch,
- caseExactSubstringsMatch,
- caseExactIA5Match,
- caseIgnoreIA5Match,
- caseIgnoreIA5SubstringsMatch,
- caseIgnoreListMatch,
- caseIgnoreListSubstringsMatch,
- caseIgnoreMatch,
- caseIgnoreOrderingMatch,
- caseIgnoreSubstringsMatch,
- directoryStringFirstComponentMatch,
- telephoneNumberMatch,
- telephoneNumberSubstringsMatch and
- wordMatch.
-
- The Transcode, Normalize, Prohibit, and Check bidi steps are the same
- for each of the matching rules. However, the Map and Insignificant
- Character Handling steps depend on the specific rule, as detailed in
- the description of these matching rules in the sections that follow.
-
-4.2.1. bitStringMatch
-
- The bitStringMatch rule compares an assertion value of the Bit String
- syntax to an attribute value of a syntax (e.g., the Bit String
- syntax) whose corresponding ASN.1 type is BIT STRING.
-
-
-
-Legg Standards Track [Page 27]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- If the corresponding ASN.1 type of the attribute syntax does not have
- a named bit list [ASN.1] (which is the case for the Bit String
- syntax), then the rule evaluates to TRUE if and only if the attribute
- value has the same number of bits as the assertion value and the bits
- match on a bitwise basis.
-
- If the corresponding ASN.1 type does have a named bit list, then
- bitStringMatch operates as above, except that trailing zero bits in
- the attribute and assertion values are treated as absent.
-
- The LDAP definition for the bitStringMatch rule is:
-
- ( 2.5.13.16 NAME 'bitStringMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
-
- The bitStringMatch rule is an equality matching rule.
-
-4.2.2. booleanMatch
-
- The booleanMatch rule compares an assertion value of the Boolean
- syntax to an attribute value of a syntax (e.g., the Boolean syntax)
- whose corresponding ASN.1 type is BOOLEAN.
-
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value are both TRUE or both FALSE.
-
- The LDAP definition for the booleanMatch rule is:
-
- ( 2.5.13.13 NAME 'booleanMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
-
- The booleanMatch rule is an equality matching rule.
-
-4.2.3. caseExactIA5Match
-
- The caseExactIA5Match rule compares an assertion value of the IA5
- String syntax to an attribute value of a syntax (e.g., the IA5 String
- syntax) whose corresponding ASN.1 type is IA5String.
-
- The rule evaluates to TRUE if and only if the prepared attribute
- value character string and the prepared assertion value character
- string have the same number of characters and corresponding
- characters have the same code point.
-
- In preparing the attribute value and assertion value for comparison,
- characters are not case folded in the Map preparation step, and only
- Insignificant Space Handling is applied in the Insignificant
- Character Handling step.
-
-
-
-Legg Standards Track [Page 28]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- The LDAP definition for the caseExactIA5Match rule is:
-
- ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- The caseExactIA5Match rule is an equality matching rule.
-
-4.2.4. caseExactMatch
-
- The caseExactMatch rule compares an assertion value of the Directory
- String syntax to an attribute value of a syntax (e.g., the Directory
- String, Printable String, Country String, or Telephone Number syntax)
- whose corresponding ASN.1 type is DirectoryString or one of the
- alternative string types of DirectoryString, such as PrintableString
- (the other alternatives do not correspond to any syntax defined in
- this document).
-
- The rule evaluates to TRUE if and only if the prepared attribute
- value character string and the prepared assertion value character
- string have the same number of characters and corresponding
- characters have the same code point.
-
- In preparing the attribute value and assertion value for comparison,
- characters are not case folded in the Map preparation step, and only
- Insignificant Space Handling is applied in the Insignificant
- Character Handling step.
-
- The LDAP definition for the caseExactMatch rule is:
-
- ( 2.5.13.5 NAME 'caseExactMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- The caseExactMatch rule is an equality matching rule.
-
-4.2.5. caseExactOrderingMatch
-
- The caseExactOrderingMatch rule compares an assertion value of the
- Directory String syntax to an attribute value of a syntax (e.g., the
- Directory String, Printable String, Country String, or Telephone
- Number syntax) whose corresponding ASN.1 type is DirectoryString or
- one of its alternative string types.
-
- The rule evaluates to TRUE if and only if, in the code point
- collation order, the prepared attribute value character string
- appears earlier than the prepared assertion value character string;
- i.e., the attribute value is "less than" the assertion value.
-
-
-
-
-
-Legg Standards Track [Page 29]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- In preparing the attribute value and assertion value for comparison,
- characters are not case folded in the Map preparation step, and only
- Insignificant Space Handling is applied in the Insignificant
- Character Handling step.
-
- The LDAP definition for the caseExactOrderingMatch rule is:
-
- ( 2.5.13.6 NAME 'caseExactOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- The caseExactOrderingMatch rule is an ordering matching rule.
-
-4.2.6. caseExactSubstringsMatch
-
- The caseExactSubstringsMatch rule compares an assertion value of the
- Substring Assertion syntax to an attribute value of a syntax (e.g.,
- the Directory String, Printable String, Country String, or Telephone
- Number syntax) whose corresponding ASN.1 type is DirectoryString or
- one of its alternative string types.
-
- The rule evaluates to TRUE if and only if (1) the prepared substrings
- of the assertion value match disjoint portions of the prepared
- attribute value character string in the order of the substrings in
- the assertion value, (2) an <initial> substring, if present, matches
- the beginning of the prepared attribute value character string, and
- (3) a <final> substring, if present, matches the end of the prepared
- attribute value character string. A prepared substring matches a
- portion of the prepared attribute value character string if
- corresponding characters have the same code point.
-
- In preparing the attribute value and assertion value substrings for
- comparison, characters are not case folded in the Map preparation
- step, and only Insignificant Space Handling is applied in the
- Insignificant Character Handling step.
-
- The LDAP definition for the caseExactSubstringsMatch rule is:
-
- ( 2.5.13.7 NAME 'caseExactSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
- The caseExactSubstringsMatch rule is a substrings matching rule.
-
-4.2.7. caseIgnoreIA5Match
-
- The caseIgnoreIA5Match rule compares an assertion value of the IA5
- String syntax to an attribute value of a syntax (e.g., the IA5 String
- syntax) whose corresponding ASN.1 type is IA5String.
-
-
-
-
-Legg Standards Track [Page 30]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- The rule evaluates to TRUE if and only if the prepared attribute
- value character string and the prepared assertion value character
- string have the same number of characters and corresponding
- characters have the same code point.
-
- In preparing the attribute value and assertion value for comparison,
- characters are case folded in the Map preparation step, and only
- Insignificant Space Handling is applied in the Insignificant
- Character Handling step.
-
- The LDAP definition for the caseIgnoreIA5Match rule is:
-
- ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- The caseIgnoreIA5Match rule is an equality matching rule.
-
-4.2.8. caseIgnoreIA5SubstringsMatch
-
- The caseIgnoreIA5SubstringsMatch rule compares an assertion value of
- the Substring Assertion syntax to an attribute value of a syntax
- (e.g., the IA5 String syntax) whose corresponding ASN.1 type is
- IA5String.
-
- The rule evaluates to TRUE if and only if (1) the prepared substrings
- of the assertion value match disjoint portions of the prepared
- attribute value character string in the order of the substrings in
- the assertion value, (2) an <initial> substring, if present, matches
- the beginning of the prepared attribute value character string, and
- (3) a <final> substring, if present, matches the end of the prepared
- attribute value character string. A prepared substring matches a
- portion of the prepared attribute value character string if
- corresponding characters have the same code point.
-
- In preparing the attribute value and assertion value substrings for
- comparison, characters are case folded in the Map preparation step,
- and only Insignificant Space Handling is applied in the Insignificant
- Character Handling step.
-
- ( 1.3.6.1.4.1.1466.109.114.3 NAME 'caseIgnoreIA5SubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
- The caseIgnoreIA5SubstringsMatch rule is a substrings matching rule.
-
-4.2.9. caseIgnoreListMatch
-
- The caseIgnoreListMatch rule compares an assertion value that is a
- sequence of strings to an attribute value of a syntax (e.g., the
-
-
-
-Legg Standards Track [Page 31]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- Postal Address syntax) whose corresponding ASN.1 type is a SEQUENCE
- OF the DirectoryString ASN.1 type.
-
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value have the same number of strings and corresponding
- strings (by position) match according to the caseIgnoreMatch matching
- rule.
-
- In [X.520], the assertion syntax for this matching rule is defined to
- be:
-
- SEQUENCE OF DirectoryString {ub-match}
-
- That is, it is different from the corresponding type for the Postal
- Address syntax. The choice of the Postal Address syntax for the
- assertion syntax of the caseIgnoreListMatch in LDAP should not be
- seen as limiting the matching rule to apply only to attributes with
- the Postal Address syntax.
-
- The LDAP definition for the caseIgnoreListMatch rule is:
-
- ( 2.5.13.11 NAME 'caseIgnoreListMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-
- The caseIgnoreListMatch rule is an equality matching rule.
-
-4.2.10. caseIgnoreListSubstringsMatch
-
- The caseIgnoreListSubstringsMatch rule compares an assertion value of
- the Substring Assertion syntax to an attribute value of a syntax
- (e.g., the Postal Address syntax) whose corresponding ASN.1 type is a
- SEQUENCE OF the DirectoryString ASN.1 type.
-
- The rule evaluates to TRUE if and only if the assertion value
- matches, per the caseIgnoreSubstringsMatch rule, the character string
- formed by concatenating the strings of the attribute value, except
- that none of the <initial>, <any>, or <final> substrings of the
- assertion value are considered to match a substring of the
- concatenated string which spans more than one of the original strings
- of the attribute value.
-
- Note that, in terms of the LDAP-specific encoding of the Postal
- Address syntax, the concatenated string omits the <DOLLAR> line
- separator and the escaping of "\" and "$" characters.
-
- The LDAP definition for the caseIgnoreListSubstringsMatch rule is:
-
- ( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch'
-
-
-
-Legg Standards Track [Page 32]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
- The caseIgnoreListSubstringsMatch rule is a substrings matching rule.
-
-4.2.11. caseIgnoreMatch
-
- The caseIgnoreMatch rule compares an assertion value of the Directory
- String syntax to an attribute value of a syntax (e.g., the Directory
- String, Printable String, Country String, or Telephone Number syntax)
- whose corresponding ASN.1 type is DirectoryString or one of its
- alternative string types.
-
- The rule evaluates to TRUE if and only if the prepared attribute
- value character string and the prepared assertion value character
- string have the same number of characters and corresponding
- characters have the same code point.
-
- In preparing the attribute value and assertion value for comparison,
- characters are case folded in the Map preparation step, and only
- Insignificant Space Handling is applied in the Insignificant
- Character Handling step.
-
- The LDAP definition for the caseIgnoreMatch rule is:
-
- ( 2.5.13.2 NAME 'caseIgnoreMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- The caseIgnoreMatch rule is an equality matching rule.
-
-4.2.12. caseIgnoreOrderingMatch
-
- The caseIgnoreOrderingMatch rule compares an assertion value of the
- Directory String syntax to an attribute value of a syntax (e.g., the
- Directory String, Printable String, Country String, or Telephone
- Number syntax) whose corresponding ASN.1 type is DirectoryString or
- one of its alternative string types.
-
- The rule evaluates to TRUE if and only if, in the code point
- collation order, the prepared attribute value character string
- appears earlier than the prepared assertion value character string;
- i.e., the attribute value is "less than" the assertion value.
-
- In preparing the attribute value and assertion value for comparison,
- characters are case folded in the Map preparation step, and only
- Insignificant Space Handling is applied in the Insignificant
- Character Handling step.
-
- The LDAP definition for the caseIgnoreOrderingMatch rule is:
-
-
-
-Legg Standards Track [Page 33]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- The caseIgnoreOrderingMatch rule is an ordering matching rule.
-
-4.2.13. caseIgnoreSubstringsMatch
-
- The caseIgnoreSubstringsMatch rule compares an assertion value of the
- Substring Assertion syntax to an attribute value of a syntax (e.g.,
- the Directory String, Printable String, Country String, or Telephone
- Number syntax) whose corresponding ASN.1 type is DirectoryString or
- one of its alternative string types.
-
- The rule evaluates to TRUE if and only if (1) the prepared substrings
- of the assertion value match disjoint portions of the prepared
- attribute value character string in the order of the substrings in
- the assertion value, (2) an <initial> substring, if present, matches
- the beginning of the prepared attribute value character string, and
- (3) a <final> substring, if present, matches the end of the prepared
- attribute value character string. A prepared substring matches a
- portion of the prepared attribute value character string if
- corresponding characters have the same code point.
-
- In preparing the attribute value and assertion value substrings for
- comparison, characters are case folded in the Map preparation step,
- and only Insignificant Space Handling is applied in the Insignificant
- Character Handling step.
-
- The LDAP definition for the caseIgnoreSubstringsMatch rule is:
-
- ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
- The caseIgnoreSubstringsMatch rule is a substrings matching rule.
-
-4.2.14. directoryStringFirstComponentMatch
-
- The directoryStringFirstComponentMatch rule compares an assertion
- value of the Directory String syntax to an attribute value of a
- syntax whose corresponding ASN.1 type is a SEQUENCE with a mandatory
- first component of the DirectoryString ASN.1 type.
-
- Note that the assertion syntax of this matching rule differs from the
- attribute syntax of attributes for which this is the equality
- matching rule.
-
-
-
-
-
-
-Legg Standards Track [Page 34]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- The rule evaluates to TRUE if and only if the assertion value matches
- the first component of the attribute value using the rules of
- caseIgnoreMatch.
-
- The LDAP definition for the directoryStringFirstComponentMatch
- matching rule is:
-
- ( 2.5.13.31 NAME 'directoryStringFirstComponentMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- The directoryStringFirstComponentMatch rule is an equality matching
- rule. When using directoryStringFirstComponentMatch to compare two
- attribute values (of an applicable syntax), an assertion value must
- first be derived from one of the attribute values. An assertion
- value can be derived from an attribute value by taking the first
- component of that attribute value.
-
-4.2.15. distinguishedNameMatch
-
- The distinguishedNameMatch rule compares an assertion value of the DN
- syntax to an attribute value of a syntax (e.g., the DN syntax) whose
- corresponding ASN.1 type is DistinguishedName.
-
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value have the same number of relative distinguished names
- and corresponding relative distinguished names (by position) are the
- same. A relative distinguished name (RDN) of the assertion value is
- the same as an RDN of the attribute value if and only if they have
- the same number of attribute value assertions and each attribute
- value assertion (AVA) of the first RDN is the same as the AVA of the
- second RDN with the same attribute type. The order of the AVAs is
- not significant. Also note that a particular attribute type may
- appear in at most one AVA in an RDN. Two AVAs with the same
- attribute type are the same if their values are equal according to
- the equality matching rule of the attribute type. If one or more of
- the AVA comparisons evaluate to Undefined and the remaining AVA
- comparisons return TRUE then the distinguishedNameMatch rule
- evaluates to Undefined.
-
- The LDAP definition for the distinguishedNameMatch rule is:
-
- ( 2.5.13.1 NAME 'distinguishedNameMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
- The distinguishedNameMatch rule is an equality matching rule.
-
-
-
-
-
-
-Legg Standards Track [Page 35]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-4.2.16. generalizedTimeMatch
-
- The generalizedTimeMatch rule compares an assertion value of the
- Generalized Time syntax to an attribute value of a syntax (e.g., the
- Generalized Time syntax) whose corresponding ASN.1 type is
- GeneralizedTime.
-
- The rule evaluates to TRUE if and only if the attribute value
- represents the same universal coordinated time as the assertion
- value. If a time is specified with the minutes or seconds absent,
- then the number of minutes or seconds (respectively) is assumed to be
- zero.
-
- The LDAP definition for the generalizedTimeMatch rule is:
-
- ( 2.5.13.27 NAME 'generalizedTimeMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- The generalizedTimeMatch rule is an equality matching rule.
-
-4.2.17. generalizedTimeOrderingMatch
-
- The generalizedTimeOrderingMatch rule compares the time ordering of
- an assertion value of the Generalized Time syntax to an attribute
- value of a syntax (e.g., the Generalized Time syntax) whose
- corresponding ASN.1 type is GeneralizedTime.
-
- The rule evaluates to TRUE if and only if the attribute value
- represents a universal coordinated time that is earlier than the
- universal coordinated time represented by the assertion value.
-
- The LDAP definition for the generalizedTimeOrderingMatch rule is:
-
- ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- The generalizedTimeOrderingMatch rule is an ordering matching rule.
-
-4.2.18. integerFirstComponentMatch
-
- The integerFirstComponentMatch rule compares an assertion value of
- the Integer syntax to an attribute value of a syntax (e.g., the DIT
- Structure Rule Description syntax) whose corresponding ASN.1 type is
- a SEQUENCE with a mandatory first component of the INTEGER ASN.1
- type.
-
-
-
-
-
-
-Legg Standards Track [Page 36]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- Note that the assertion syntax of this matching rule differs from the
- attribute syntax of attributes for which this is the equality
- matching rule.
-
- The rule evaluates to TRUE if and only if the assertion value and the
- first component of the attribute value are the same integer value.
-
- The LDAP definition for the integerFirstComponentMatch matching rule
- is:
-
- ( 2.5.13.29 NAME 'integerFirstComponentMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- The integerFirstComponentMatch rule is an equality matching rule.
- When using integerFirstComponentMatch to compare two attribute values
- (of an applicable syntax), an assertion value must first be derived
- from one of the attribute values. An assertion value can be derived
- from an attribute value by taking the first component of that
- attribute value.
-
-4.2.19. integerMatch
-
- The integerMatch rule compares an assertion value of the Integer
- syntax to an attribute value of a syntax (e.g., the Integer syntax)
- whose corresponding ASN.1 type is INTEGER.
-
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value are the same integer value.
-
- The LDAP definition for the integerMatch matching rule is:
-
- ( 2.5.13.14 NAME 'integerMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- The integerMatch rule is an equality matching rule.
-
-4.2.20. integerOrderingMatch
-
- The integerOrderingMatch rule compares an assertion value of the
- Integer syntax to an attribute value of a syntax (e.g., the Integer
- syntax) whose corresponding ASN.1 type is INTEGER.
-
- The rule evaluates to TRUE if and only if the integer value of the
- attribute value is less than the integer value of the assertion
- value.
-
- The LDAP definition for the integerOrderingMatch matching rule is:
-
-
-
-
-Legg Standards Track [Page 37]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- ( 2.5.13.15 NAME 'integerOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- The integerOrderingMatch rule is an ordering matching rule.
-
-4.2.21. keywordMatch
-
- The keywordMatch rule compares an assertion value of the Directory
- String syntax to an attribute value of a syntax (e.g., the Directory
- String syntax) whose corresponding ASN.1 type is DirectoryString.
-
- The rule evaluates to TRUE if and only if the assertion value
- character string matches any keyword in the attribute value. The
- identification of keywords in the attribute value and the exactness
- of the match are both implementation specific.
-
- The LDAP definition for the keywordMatch rule is:
-
- ( 2.5.13.33 NAME 'keywordMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-4.2.22. numericStringMatch
-
- The numericStringMatch rule compares an assertion value of the
- Numeric String syntax to an attribute value of a syntax (e.g., the
- Numeric String syntax) whose corresponding ASN.1 type is
- NumericString.
-
- The rule evaluates to TRUE if and only if the prepared attribute
- value character string and the prepared assertion value character
- string have the same number of characters and corresponding
- characters have the same code point.
-
- In preparing the attribute value and assertion value for comparison,
- characters are not case folded in the Map preparation step, and only
- numericString Insignificant Character Handling is applied in the
- Insignificant Character Handling step.
-
- The LDAP definition for the numericStringMatch matching rule is:
-
- ( 2.5.13.8 NAME 'numericStringMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
-
- The numericStringMatch rule is an equality matching rule.
-
-
-
-
-
-
-
-Legg Standards Track [Page 38]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-4.2.23. numericStringOrderingMatch
-
- The numericStringOrderingMatch rule compares an assertion value of
- the Numeric String syntax to an attribute value of a syntax (e.g.,
- the Numeric String syntax) whose corresponding ASN.1 type is
- NumericString.
-
- The rule evaluates to TRUE if and only if, in the code point
- collation order, the prepared attribute value character string
- appears earlier than the prepared assertion value character string;
- i.e., the attribute value is "less than" the assertion value.
-
- In preparing the attribute value and assertion value for comparison,
- characters are not case folded in the Map preparation step, and only
- numericString Insignificant Character Handling is applied in the
- Insignificant Character Handling step.
-
- The rule is identical to the caseIgnoreOrderingMatch rule except that
- all space characters are skipped during comparison (case is
- irrelevant as the characters are numeric).
-
- The LDAP definition for the numericStringOrderingMatch matching rule
- is:
-
- ( 2.5.13.9 NAME 'numericStringOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
-
- The numericStringOrderingMatch rule is an ordering matching rule.
-
-4.2.24. numericStringSubstringsMatch
-
- The numericStringSubstringsMatch rule compares an assertion value of
- the Substring Assertion syntax to an attribute value of a syntax
- (e.g., the Numeric String syntax) whose corresponding ASN.1 type is
- NumericString.
-
- The rule evaluates to TRUE if and only if (1) the prepared substrings
- of the assertion value match disjoint portions of the prepared
- attribute value character string in the order of the substrings in
- the assertion value, (2) an <initial> substring, if present, matches
- the beginning of the prepared attribute value character string, and
- (3) a <final> substring, if present, matches the end of the prepared
- attribute value character string. A prepared substring matches a
- portion of the prepared attribute value character string if
- corresponding characters have the same code point.
-
- In preparing the attribute value and assertion value for comparison,
- characters are not case folded in the Map preparation step, and only
-
-
-
-Legg Standards Track [Page 39]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- numericString Insignificant Character Handling is applied in the
- Insignificant Character Handling step.
-
- The LDAP definition for the numericStringSubstringsMatch matching
- rule is:
-
- ( 2.5.13.10 NAME 'numericStringSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
- The numericStringSubstringsMatch rule is a substrings matching rule.
-
-4.2.25. objectIdentifierFirstComponentMatch
-
- The objectIdentifierFirstComponentMatch rule compares an assertion
- value of the OID syntax to an attribute value of a syntax (e.g., the
- Attribute Type Description, DIT Content Rule Description, LDAP Syntax
- Description, Matching Rule Description, Matching Rule Use
- Description, Name Form Description, or Object Class Description
- syntax) whose corresponding ASN.1 type is a SEQUENCE with a mandatory
- first component of the OBJECT IDENTIFIER ASN.1 type.
-
- Note that the assertion syntax of this matching rule differs from the
- attribute syntax of attributes for which this is the equality
- matching rule.
-
- The rule evaluates to TRUE if and only if the assertion value matches
- the first component of the attribute value using the rules of
- objectIdentifierMatch.
-
- The LDAP definition for the objectIdentifierFirstComponentMatch
- matching rule is:
-
- ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
- The objectIdentifierFirstComponentMatch rule is an equality matching
- rule. When using objectIdentifierFirstComponentMatch to compare two
- attribute values (of an applicable syntax), an assertion value must
- first be derived from one of the attribute values. An assertion
- value can be derived from an attribute value by taking the first
- component of that attribute value.
-
-4.2.26. objectIdentifierMatch
-
- The objectIdentifierMatch rule compares an assertion value of the OID
- syntax to an attribute value of a syntax (e.g., the OID syntax) whose
- corresponding ASN.1 type is OBJECT IDENTIFIER.
-
-
-
-
-Legg Standards Track [Page 40]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- The rule evaluates to TRUE if and only if the assertion value and the
- attribute value represent the same object identifier; that is, the
- same sequence of integers, whether represented explicitly in the
- <numericoid> form of <oid> or implicitly in the <descr> form (see
- [RFC4512]).
-
- If an LDAP client supplies an assertion value in the <descr> form and
- the chosen descriptor is not recognized by the server, then the
- objectIdentifierMatch rule evaluates to Undefined.
-
- The LDAP definition for the objectIdentifierMatch matching rule is:
-
- ( 2.5.13.0 NAME 'objectIdentifierMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
- The objectIdentifierMatch rule is an equality matching rule.
-
-4.2.27. octetStringMatch
-
- The octetStringMatch rule compares an assertion value of the Octet
- String syntax to an attribute value of a syntax (e.g., the Octet
- String or JPEG syntax) whose corresponding ASN.1 type is the OCTET
- STRING ASN.1 type.
-
- The rule evaluates to TRUE if and only if the attribute value and the
- assertion value are the same length and corresponding octets (by
- position) are the same.
-
- The LDAP definition for the octetStringMatch matching rule is:
-
- ( 2.5.13.17 NAME 'octetStringMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
- The octetStringMatch rule is an equality matching rule.
-
-4.2.28. octetStringOrderingMatch
-
- The octetStringOrderingMatch rule compares an assertion value of the
- Octet String syntax to an attribute value of a syntax (e.g., the
- Octet String or JPEG syntax) whose corresponding ASN.1 type is the
- OCTET STRING ASN.1 type.
-
- The rule evaluates to TRUE if and only if the attribute value appears
- earlier in the collation order than the assertion value. The rule
- compares octet strings from the first octet to the last octet, and
- from the most significant bit to the least significant bit within the
- octet. The first occurrence of a different bit determines the
- ordering of the strings. A zero bit precedes a one bit. If the
-
-
-
-Legg Standards Track [Page 41]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- strings contain different numbers of octets but the longer string is
- identical to the shorter string up to the length of the shorter
- string, then the shorter string precedes the longer string.
-
- The LDAP definition for the octetStringOrderingMatch matching rule
- is:
-
- ( 2.5.13.18 NAME 'octetStringOrderingMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
- The octetStringOrderingMatch rule is an ordering matching rule.
-
-4.2.29. telephoneNumberMatch
-
- The telephoneNumberMatch rule compares an assertion value of the
- Telephone Number syntax to an attribute value of a syntax (e.g., the
- Telephone Number syntax) whose corresponding ASN.1 type is a
- PrintableString representing a telephone number.
-
- The rule evaluates to TRUE if and only if the prepared attribute
- value character string and the prepared assertion value character
- string have the same number of characters and corresponding
- characters have the same code point.
-
- In preparing the attribute value and assertion value for comparison,
- characters are case folded in the Map preparation step, and only
- telephoneNumber Insignificant Character Handling is applied in the
- Insignificant Character Handling step.
-
- The LDAP definition for the telephoneNumberMatch matching rule is:
-
- ( 2.5.13.20 NAME 'telephoneNumberMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
- The telephoneNumberMatch rule is an equality matching rule.
-
-4.2.30. telephoneNumberSubstringsMatch
-
- The telephoneNumberSubstringsMatch rule compares an assertion value
- of the Substring Assertion syntax to an attribute value of a syntax
- (e.g., the Telephone Number syntax) whose corresponding ASN.1 type is
- a PrintableString representing a telephone number.
-
- The rule evaluates to TRUE if and only if (1) the prepared substrings
- of the assertion value match disjoint portions of the prepared
- attribute value character string in the order of the substrings in
- the assertion value, (2) an <initial> substring, if present, matches
- the beginning of the prepared attribute value character string, and
-
-
-
-Legg Standards Track [Page 42]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- (3) a <final> substring, if present, matches the end of the prepared
- attribute value character string. A prepared substring matches a
- portion of the prepared attribute value character string if
- corresponding characters have the same code point.
-
- In preparing the attribute value and assertion value substrings for
- comparison, characters are case folded in the Map preparation step,
- and only telephoneNumber Insignificant Character Handling is applied
- in the Insignificant Character Handling step.
-
- The LDAP definition for the telephoneNumberSubstringsMatch matching
- rule is:
-
- ( 2.5.13.21 NAME 'telephoneNumberSubstringsMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
-
- The telephoneNumberSubstringsMatch rule is a substrings matching
- rule.
-
-4.2.31. uniqueMemberMatch
-
- The uniqueMemberMatch rule compares an assertion value of the Name
- And Optional UID syntax to an attribute value of a syntax (e.g., the
- Name And Optional UID syntax) whose corresponding ASN.1 type is
- NameAndOptionalUID.
-
- The rule evaluates to TRUE if and only if the <distinguishedName>
- components of the assertion value and attribute value match according
- to the distinguishedNameMatch rule and either, (1) the <BitString>
- component is absent from both the attribute value and assertion
- value, or (2) the <BitString> component is present in both the
- attribute value and the assertion value and the <BitString> component
- of the assertion value matches the <BitString> component of the
- attribute value according to the bitStringMatch rule.
-
- Note that this matching rule has been altered from its description in
- X.520 [X.520] in order to make the matching rule commutative. Server
- implementors should consider using the original X.520 semantics
- (where the matching was less exact) for approximate matching of
- attributes with uniqueMemberMatch as the equality matching rule.
-
- The LDAP definition for the uniqueMemberMatch matching rule is:
-
- ( 2.5.13.23 NAME 'uniqueMemberMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
-
- The uniqueMemberMatch rule is an equality matching rule.
-
-
-
-
-Legg Standards Track [Page 43]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-4.2.32. wordMatch
-
- The wordMatch rule compares an assertion value of the Directory
- String syntax to an attribute value of a syntax (e.g., the Directory
- String syntax) whose corresponding ASN.1 type is DirectoryString.
-
- The rule evaluates to TRUE if and only if the assertion value word
- matches, according to the semantics of caseIgnoreMatch, any word in
- the attribute value. The precise definition of a word is
- implementation specific.
-
- The LDAP definition for the wordMatch rule is:
-
- ( 2.5.13.32 NAME 'wordMatch'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-5. Security Considerations
-
- In general, the LDAP-specific encodings for syntaxes defined in this
- document do not define canonical encodings. That is, a
- transformation from an LDAP-specific encoding into some other
- encoding (e.g., BER) and back into the LDAP-specific encoding will
- not necessarily reproduce exactly the original octets of the LDAP-
- specific encoding. Therefore, an LDAP-specific encoding should not
- be used where a canonical encoding is required.
-
- Furthermore, the LDAP-specific encodings do not necessarily enable an
- alternative encoding of values of the Directory String and DN
- syntaxes to be reconstructed; e.g., a transformation from a
- Distinguished Encoding Rules (DER) [BER] encoding to an LDAP-specific
- encoding and back to a DER encoding may not reproduce the original
- DER encoding. Therefore, LDAP-specific encodings should not be used
- where reversibility to DER is needed; e.g., for the verification of
- digital signatures. Instead, DER or a DER-reversible encoding should
- be used.
-
- When interpreting security-sensitive fields (in particular, fields
- used to grant or deny access), implementations MUST ensure that any
- matching rule comparisons are done on the underlying abstract value,
- regardless of the particular encoding used.
-
-6. Acknowledgements
-
- This document is primarily a revision of RFC 2252 by M. Wahl, A.
- Coulbeck, T. Howes, and S. Kille. RFC 2252 was a product of the IETF
- ASID Working Group.
-
-
-
-
-
-Legg Standards Track [Page 44]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- This document is based on input from the IETF LDAPBIS working group.
- The author would like to thank Kathy Dally for editing the early
- drafts of this document, and Jim Sermersheim and Kurt Zeilenga for
- their significant contributions to this revision.
-
-7. IANA Considerations
-
- The Internet Assigned Numbers Authority (IANA) has updated the LDAP
- descriptors registry [BCP64] as indicated by the following templates:
-
- Subject: Request for LDAP Descriptor Registration Update
- Descriptor (short name): see comment
- Object Identifier: see comment
- Person & email address to contact for further information:
- Steven Legg <steven.legg at eb2bcom.com>
- Usage: see comment
- Specification: RFC 4517
- Author/Change Controller: IESG
-
- NAME Type OID
- ------------------------------------------------------------------
- bitStringMatch M 2.5.13.16
- booleanMatch M 2.5.13.13
- caseExactIA5Match M 1.3.6.1.4.1.1466.109.114.1
- caseExactMatch M 2.5.13.5
- caseExactOrderingMatch M 2.5.13.6
- caseExactSubstringsMatch M 2.5.13.7
- caseIgnoreIA5Match M 1.3.6.1.4.1.1466.109.114.2
- caseIgnoreListMatch M 2.5.13.11
- caseIgnoreListSubstringsMatch M 2.5.13.12
- caseIgnoreMatch M 2.5.13.2
- caseIgnoreOrderingMatch M 2.5.13.3
- caseIgnoreSubstringsMatch M 2.5.13.4
- directoryStringFirstComponentMatch M 2.5.13.31
- distinguishedNameMatch M 2.5.13.1
- generalizedTimeMatch M 2.5.13.27
- generalizedTimeOrderingMatch M 2.5.13.28
- integerFirstComponentMatch M 2.5.13.29
- integerMatch M 2.5.13.14
- integerOrderingMatch M 2.5.13.15
- keywordMatch M 2.5.13.33
- numericStringMatch M 2.5.13.8
- numericStringOrderingMatch M 2.5.13.9
- numericStringSubstringsMatch M 2.5.13.10
- objectIdentifierFirstComponentMatch M 2.5.13.30
- octetStringMatch M 2.5.13.17
- octetStringOrderingMatch M 2.5.13.18
- telephoneNumberMatch M 2.5.13.20
-
-
-
-Legg Standards Track [Page 45]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- telephoneNumberSubstringsMatch M 2.5.13.21
- uniqueMemberMatch M 2.5.13.23
- wordMatch M 2.5.13.32
-
- The descriptor for the object identifier 2.5.13.0 was incorrectly
- registered as objectIdentifiersMatch (extraneous \`s') in BCP 64.
- It has been changed to the following, with a reference to
- RFC 4517.
-
- NAME Type OID
- ------------------------------------------------------------------
- objectIdentifierMatch M 2.5.13.0
-
- Subject: Request for LDAP Descriptor Registration
- Descriptor (short name): caseIgnoreIA5SubstringsMatch
- Object Identifier: 1.3.6.1.4.1.1466.109.114.3
- Person & email address to contact for further information:
- Steven Legg <steven.legg at eb2bcom.com>
- Usage: other (M)
- Specification: RFC 4517
- Author/Change Controller: IESG
-
-8. References
-
-8.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC4234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
-
-
-
-
-
-Legg Standards Track [Page 46]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): String Representation of Distinguished Names", RFC
- 4514, June 2006.
-
- [RFC4518] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Internationalized String Preparation", RFC 4518,
- June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
- Considerations for the Lightweight Directory Access
- Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [E.123] Notation for national and international telephone numbers,
- ITU-T Recommendation E.123, 1988.
-
- [FAX] Standardization of Group 3 facsimile apparatus for
- document transmission - Terminal Equipment and Protocols
- for Telematic Services, ITU-T Recommendation T.4, 1993
-
- [T.50] International Reference Alphabet (IRA) (Formerly
- International Alphabet No. 5 or IA5) Information
- Technology - 7-Bit Coded Character Set for Information
- Interchange, ITU-T Recommendation T.50, 1992
-
- [X.420] ITU-T Recommendation X.420 (1996) | ISO/IEC 10021-7:1997,
- Information Technology - Message Handling Systems (MHS):
- Interpersonal messaging system
-
- [X.501] ITU-T Recommendation X.501 (1993) | ISO/IEC 9594-2:1994,
- Information Technology - Open Systems Interconnection -
- The Directory: Models
-
- [X.520] ITU-T Recommendation X.520 (1993) | ISO/IEC 9594-6:1994,
- Information Technology - Open Systems Interconnection -
- The Directory: Selected attribute types
-
- [ASN.1] ITU-T Recommendation X.680 (07/02) | ISO/IEC 8824-1:2002,
- Information technology - Abstract Syntax Notation One
- (ASN.1): Specification of basic notation
-
- [ISO3166] ISO 3166, "Codes for the representation of names of
- countries".
-
- [ISO8601] ISO 8601:2004, "Data elements and interchange formats --
- Information interchange -- Representation of dates and
- times".
-
-
-
-
-
-Legg Standards Track [Page 47]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- [UCS] Universal Multiple-Octet Coded Character Set (UCS) -
- Architecture and Basic Multilingual Plane, ISO/IEC 10646-
- 1: 1993 (with amendments).
-
- [JPEG] JPEG File Interchange Format (Version 1.02). Eric
- Hamilton, C-Cube Microsystems, Milpitas, CA, September 1,
- 1992.
-
-8.2. Informative References
-
- [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access Protocol
- (LDAP): Schema for User Applications", RFC 4519, June
- 2006.
-
- [RFC4523] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) Schema Definitions for X.509 Certificates", RFC
- 4523, June 2006.
-
- [X.500] ITU-T Recommendation X.500 (1993) | ISO/IEC 9594-1:1994,
- Information Technology - Open Systems Interconnection -
- The Directory: Overview of concepts, models and services
-
- [BER] ITU-T Recommendation X.690 (07/02) | ISO/IEC 8825-1:2002,
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER), Canonical
- Encoding Rules (CER) and Distinguished Encoding Rules
- (DER)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Legg Standards Track [Page 48]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-Appendix A. Summary of Syntax Object Identifiers
-
- The following list summarizes the object identifiers assigned to the
- syntaxes defined in this document.
-
- Syntax OBJECT IDENTIFIER
- ==============================================================
- Attribute Type Description 1.3.6.1.4.1.1466.115.121.1.3
- Bit String 1.3.6.1.4.1.1466.115.121.1.6
- Boolean 1.3.6.1.4.1.1466.115.121.1.7
- Country String 1.3.6.1.4.1.1466.115.121.1.11
- Delivery Method 1.3.6.1.4.1.1466.115.121.1.14
- Directory String 1.3.6.1.4.1.1466.115.121.1.15
- DIT Content Rule Description 1.3.6.1.4.1.1466.115.121.1.16
- DIT Structure Rule Description 1.3.6.1.4.1.1466.115.121.1.17
- DN 1.3.6.1.4.1.1466.115.121.1.12
- Enhanced Guide 1.3.6.1.4.1.1466.115.121.1.21
- Facsimile Telephone Number 1.3.6.1.4.1.1466.115.121.1.22
- Fax 1.3.6.1.4.1.1466.115.121.1.23
- Generalized Time 1.3.6.1.4.1.1466.115.121.1.24
- Guide 1.3.6.1.4.1.1466.115.121.1.25
- IA5 String 1.3.6.1.4.1.1466.115.121.1.26
- Integer 1.3.6.1.4.1.1466.115.121.1.27
- JPEG 1.3.6.1.4.1.1466.115.121.1.28
- LDAP Syntax Description 1.3.6.1.4.1.1466.115.121.1.54
- Matching Rule Description 1.3.6.1.4.1.1466.115.121.1.30
- Matching Rule Use Description 1.3.6.1.4.1.1466.115.121.1.31
- Name And Optional UID 1.3.6.1.4.1.1466.115.121.1.34
- Name Form Description 1.3.6.1.4.1.1466.115.121.1.35
- Numeric String 1.3.6.1.4.1.1466.115.121.1.36
- Object Class Description 1.3.6.1.4.1.1466.115.121.1.37
- Octet String 1.3.6.1.4.1.1466.115.121.1.40
- OID 1.3.6.1.4.1.1466.115.121.1.38
- Other Mailbox 1.3.6.1.4.1.1466.115.121.1.39
- Postal Address 1.3.6.1.4.1.1466.115.121.1.41
- Printable String 1.3.6.1.4.1.1466.115.121.1.44
- Substring Assertion 1.3.6.1.4.1.1466.115.121.1.58
- Telephone Number 1.3.6.1.4.1.1466.115.121.1.50
- Teletex Terminal Identifier 1.3.6.1.4.1.1466.115.121.1.51
- Telex Number 1.3.6.1.4.1.1466.115.121.1.52
- UTC Time 1.3.6.1.4.1.1466.115.121.1.53
-
-Appendix B. Changes from RFC 2252
-
- This annex lists the significant differences between this
- specification and RFC 2252.
-
-
-
-
-
-Legg Standards Track [Page 49]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- This annex is provided for informational purposes only. It is not a
- normative part of this specification.
-
- 1. The IESG Note has been removed.
-
- 2. The major part of Sections 4, 5 and 7 has been moved to [RFC4512]
- and revised. Changes to the parts of these sections moved to
- [RFC4512] are detailed in [RFC4512].
-
- 3. BNF descriptions of syntax formats have been replaced by ABNF
- [RFC4234] specifications.
-
- 4. The ambiguous statement in RFC 2252, Section 4.3 regarding the
- use of a backslash quoting mechanism to escape separator symbols
- has been removed. The escaping mechanism is now explicitly
- represented in the ABNF for the syntaxes where this provision
- applies.
-
- 5. The description of each of the LDAP syntaxes has been expanded so
- that they are less dependent on knowledge of X.500 for
- interpretation.
-
- 6. The relationship of LDAP syntaxes to corresponding ASN.1 type
- definitions has been made explicit.
-
- 7. The set of characters allowed in a <PrintableString> (formerly
- <printablestring>) has been corrected to align with the
- PrintableString ASN.1 type in [ASN.1]. Specifically, the double
- quote character has been removed and the single quote character
- and equals sign have been added.
-
- 8. Values of the Directory String, Printable String and Telephone
- Number syntaxes are now required to have at least one character.
-
- 9. The <DITContentRuleDescription>, <NameFormDescription> and
- <DITStructureRuleDescription> rules have been moved to [RFC4512].
-
- 10. The corresponding ASN.1 type for the Other Mailbox syntax has
- been incorporated from RFC 1274.
-
- 11. A corresponding ASN.1 type for the LDAP Syntax Description syntax
- has been invented.
-
- 12. The Binary syntax has been removed because it was not adequately
- specified, implementations with different incompatible
- interpretations exist, and it was confused with the ;binary
- transfer encoding.
-
-
-
-
-Legg Standards Track [Page 50]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- 13. All discussion of transfer options, including the ";binary"
- option, has been removed. All imperatives regarding binary
- transfer of values have been removed.
-
- 14. The Delivery Method, Enhanced Guide, Guide, Octet String, Teletex
- Terminal Identifier and Telex Number syntaxes from RFC 2256 have
- been incorporated.
-
- 15. The <criteria> rule for the Enhanced Guide and Guide syntaxes has
- been extended to accommodate empty "and" and "or" expressions.
-
- 16. An encoding for the <ttx-value> rule in the Teletex Terminal
- Identifier syntax has been defined.
-
- 17. The PKI-related syntaxes (Certificate, Certificate List and
- Certificate Pair) have been removed. They are reintroduced in
- [RFC4523] (as is the Supported Algorithm syntax from RFC 2256).
-
- 18. The MHS OR Address syntax has been removed since its
- specification (in RFC 2156) is not at draft standard maturity.
-
- 19. The DL Submit Permission syntax has been removed as it depends on
- the MHS OR Address syntax.
-
- 20. The Presentation Address syntax has been removed since its
- specification (in RFC 1278) is not at draft standard maturity.
-
- 21. The ACI Item, Access Point, Audio, Data Quality, DSA Quality, DSE
- Type, LDAP Schema Description, Master And Shadow Access Points,
- Modify Rights, Protocol Information, Subtree Specification,
- Supplier Information, Supplier Or Consumer and Supplier And
- Consumer syntaxes have been removed. These syntaxes are
- referenced in RFC 2252, but not defined.
-
- 22. The LDAP Schema Definition syntax (defined in RFC 2927) and the
- Mail Preference syntax have been removed on the grounds that they
- are out of scope for the core specification.
-
- 23. The description of each of the matching rules has been expanded
- so that they are less dependent on knowledge of X.500 for
- interpretation.
-
- 24. The caseIgnoreIA5SubstringsMatch matching rule from RFC 2798 has
- been added.
-
- 25. The caseIgnoreListSubstringsMatch, caseIgnoreOrderingMatch and
- caseIgnoreSubstringsMatch matching rules have been added to the
- list of matching rules for which the provisions for handling
-
-
-
-Legg Standards Track [Page 51]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
- leading, trailing and multiple adjoining whitespace characters
- apply (now through string preparation). This is consistent with
- the definitions of these matching rules in X.500. The
- caseIgnoreIA5SubstringsMatch rule has also been added to the
- list.
-
- 26. The specification of the octetStringMatch matching rule from
- RFC 2256 has been added to this document.
-
- 27. The presentationAddressMatch matching rule has been removed as it
- depends on an assertion syntax (Presentation Address) that is not
- at draft standard maturity.
-
- 28. The protocolInformationMatch matching rule has been removed as it
- depends on an undefined assertion syntax (Protocol Information).
-
- 29. The definitive reference for ASN.1 has been changed from X.208 to
- X.680 since X.680 is the version of ASN.1 referred to by X.500.
-
- 30. The specification of the caseIgnoreListSubstringsMatch matching
- rule from RFC 2798 & X.520 has been added.
-
- 31. String preparation algorithms have been applied to the character
- string matching rules.
-
- 32. The specifications of the booleanMatch, caseExactMatch,
- caseExactOrderingMatch, caseExactSubstringsMatch,
- directoryStringFirstComponentMatch, integerOrderingMatch,
- keywordMatch, numericStringOrderingMatch,
- octetStringOrderingMatch and wordMatch matching rules from
- RFC 3698 & X.520 have been added.
-
-Author's Address
-
- Steven Legg
- eB2Bcom
- Suite3, Woodhouse Corporate Centre
- 935 Station Street
- Box Hill North, Victoria 3129
- AUSTRALIA
-
- Phone: +61 3 9896 7830
- Fax: +61 3 9896 7801
- EMail: steven.legg at eb2bcom.com
-
-
-
-
-
-
-
-Legg Standards Track [Page 52]
-�
-RFC 4517 LDAP: Syntaxes and Matching Rules June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Legg Standards Track [Page 53]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4518.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4518.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4518.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,787 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4518 OpenLDAP Foundation
-Category: Standards Track June 2006
-
-
- Lightweight Directory Access Protocol (LDAP):
- Internationalized String Preparation
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- The previous Lightweight Directory Access Protocol (LDAP) technical
- specifications did not precisely define how character string matching
- is to be performed. This led to a number of usability and
- interoperability problems. This document defines string preparation
- algorithms for character-based matching rules defined for use in
- LDAP.
-
-1. Introduction
-
-1.1. Background
-
- A Lightweight Directory Access Protocol (LDAP) [RFC4510] matching
- rule [RFC4517] defines an algorithm for determining whether a
- presented value matches an attribute value in accordance with the
- criteria defined for the rule. The proposition may be evaluated to
- True, False, or Undefined.
-
- True - the attribute contains a matching value,
-
- False - the attribute contains no matching value,
-
- Undefined - it cannot be determined whether the attribute contains
- a matching value.
-
-
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- For instance, the caseIgnoreMatch matching rule may be used to
- compare whether the commonName attribute contains a particular value
- without regard for case and insignificant spaces.
-
-1.2. X.500 String Matching Rules
-
- "X.520: Selected attribute types" [X.520] provides (among other
- things) value syntaxes and matching rules for comparing values
- commonly used in the directory [X.500]. These specifications are
- inadequate for strings composed of Unicode [Unicode] characters.
-
- The caseIgnoreMatch matching rule [X.520], for example, is simply
- defined as being a case-insensitive comparison where insignificant
- spaces are ignored. For printableString, there is only one space
- character and case mapping is bijective, hence this definition is
- sufficient. However, for Unicode string types such as
- universalString, this is not sufficient. For example, a case-
- insensitive matching implementation that folded lowercase characters
- to uppercase would yield different results than an implementation
- that used uppercase to lowercase folding. Or one implementation may
- view space as referring to only SPACE (U+0020), a second
- implementation may view any character with the space separator (Zs)
- property as a space, and another implementation may view any
- character with the whitespace (WS) category as a space.
-
- The lack of precise specification for character string matching has
- led to significant interoperability problems. When used in
- certificate chain validation, security vulnerabilities can arise. To
- address these problems, this document defines precise algorithms for
- preparing character strings for matching.
-
-1.3. Relationship to "stringprep"
-
- The character string preparation algorithms described in this
- document are based upon the "stringprep" approach [RFC3454]. In
- "stringprep", presented and stored values are first prepared for
- comparison so that a character-by-character comparison yields the
- "correct" result.
-
- The approach used here is a refinement of the "stringprep" [RFC3454]
- approach. Each algorithm involves two additional preparation steps.
-
- a) Prior to applying the Unicode string preparation steps outlined in
- "stringprep", the string is transcoded to Unicode.
-
- b) After applying the Unicode string preparation steps outlined in
- "stringprep", the string is modified to appropriately handle
- characters insignificant to the matching rule.
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- Hence, preparation of character strings for X.500 [X.500] matching
- [X.501] involves the following steps:
-
- 1) Transcode
- 2) Map
- 3) Normalize
- 4) Prohibit
- 5) Check Bidi (Bidirectional)
- 6) Insignificant Character Handling
-
- These steps are described in Section 2.
-
- It is noted that while various tables of Unicode characters included
- or referenced by this specification are derived from Unicode
- [Unicode] data, these tables are to be considered definitive for the
- purpose of implementing this specification.
-
-1.4. Relationship to the LDAP Technical Specification
-
- This document is an integral part of the LDAP technical specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification [RFC3377] in its entirety.
-
- This document details new LDAP internationalized character string
- preparation algorithms used by [RFC4517] and possible other technical
- specifications defining LDAP syntaxes and/or matching rules.
-
-1.5. Relationship to X.500
-
- LDAP is defined [RFC4510] in X.500 terms as an X.500 access
- mechanism. As such, there is a strong desire for alignment between
- LDAP and X.500 syntax and semantics. The character string
- preparation algorithms described in this document are based upon
- "Internationalized String Matching Rules for X.500" [XMATCH] proposal
- to ITU/ISO Joint Study Group 2.
-
-1.6. Conventions and Terms
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
- Character names in this document use the notation for code points and
- names from the Unicode Standard [Unicode]. For example, the letter
- "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
- In the lists of mappings and the prohibited characters, the "U+" is
-
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- left off to make the lists easier to read. The comments for
- character ranges are shown in square brackets (such as "[CONTROL
- CHARACTERS]") and do not come from the standard.
-
- Note: a glossary of terms used in Unicode can be found in [Glossary].
- Information on the Unicode character encoding model can be found in
- [CharModel].
-
- The term "combining mark", as used in this specification, refers to
- any Unicode [Unicode] code point that has a mark property (Mn, Mc,
- Me). Appendix A provides a definitive list of combining marks.
-
-2. String Preparation
-
- The following six-step process SHALL be applied to each presented and
- attribute value in preparation for character string matching rule
- evaluation.
-
- 1) Transcode
- 2) Map
- 3) Normalize
- 4) Prohibit
- 5) Check bidi
- 6) Insignificant Character Handling
-
- Failure in any step causes the assertion to evaluate to Undefined.
-
- The character repertoire of this process is Unicode 3.2 [Unicode].
-
- Note that this six-step process specification is intended to describe
- expected matching behavior. Implementations are free to use
- alternative processes so long as the matching rule evaluation
- behavior provided is consistent with the behavior described by this
- specification.
-
-2.1. Transcode
-
- Each non-Unicode string value is transcoded to Unicode.
-
- PrintableString [X.680] values are transcoded directly to Unicode.
-
- UniversalString, UTF8String, and bmpString [X.680] values need not be
- transcoded as they are Unicode-based strings (in the case of
- bmpString, a subset of Unicode).
-
- TeletexString [X.680] values are transcoded to Unicode. As there is
- no standard for mapping TeletexString values to Unicode, the mapping
- is left a local matter.
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- For these and other reasons, use of TeletexString is NOT RECOMMENDED.
-
- The output is the transcoded string.
-
-2.2. Map
-
- SOFT HYPHEN (U+00AD) and MONGOLIAN TODO SOFT HYPHEN (U+1806) code
- points are mapped to nothing. COMBINING GRAPHEME JOINER (U+034F) and
- VARIATION SELECTORs (U+180B-180D, FF00-FE0F) code points are also
- mapped to nothing. The OBJECT REPLACEMENT CHARACTER (U+FFFC) is
- mapped to nothing.
-
- CHARACTER TABULATION (U+0009), LINE FEED (LF) (U+000A), LINE
- TABULATION (U+000B), FORM FEED (FF) (U+000C), CARRIAGE RETURN (CR)
- (U+000D), and NEXT LINE (NEL) (U+0085) are mapped to SPACE (U+0020).
-
- All other control code (e.g., Cc) points or code points with a
- control function (e.g., Cf) are mapped to nothing. The following is
- a complete list of these code points: U+0000-0008, 000E-001F, 007F-
- 0084, 0086-009F, 06DD, 070F, 180E, 200C-200F, 202A-202E, 2060-2063,
- 206A-206F, FEFF, FFF9-FFFB, 1D173-1D17A, E0001, E0020-E007F.
-
- ZERO WIDTH SPACE (U+200B) is mapped to nothing. All other code
- points with Separator (space, line, or paragraph) property (e.g., Zs,
- Zl, or Zp) are mapped to SPACE (U+0020). The following is a complete
- list of these code points: U+0020, 00A0, 1680, 2000-200A, 2028-2029,
- 202F, 205F, 3000.
-
- For case ignore, numeric, and stored prefix string matching rules,
- characters are case folded per B.2 of [RFC3454].
-
- The output is the mapped string.
-
-2.3. Normalize
-
- The input string is to be normalized to Unicode Form KC
- (compatibility composed) as described in [UAX15]. The output is the
- normalized string.
-
-2.4. Prohibit
-
- All Unassigned code points are prohibited. Unassigned code points
- are listed in Table A.1 of [RFC3454].
-
- Characters that, per Section 5.8 of [RFC3454], change display
- properties or are deprecated are prohibited. These characters are
- listed in Table C.8 of [RFC3454].
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- Private Use code points are prohibited. These characters are listed
- in Table C.3 of [RFC3454].
-
- All non-character code points are prohibited. These code points are
- listed in Table C.4 of [RFC3454].
-
- Surrogate codes are prohibited. These characters are listed in Table
- C.5 of [RFC3454].
-
- The REPLACEMENT CHARACTER (U+FFFD) code point is prohibited.
-
- The step fails if the input string contains any prohibited code
- point. Otherwise, the output is the input string.
-
-2.5. Check bidi
-
- Bidirectional characters are ignored.
-
-2.6. Insignificant Character Handling
-
- In this step, the string is modified to ensure proper handling of
- characters insignificant to the matching rule. This modification
- differs from matching rule to matching rule.
-
- Section 2.6.1 applies to case ignore and exact string matching.
- Section 2.6.2 applies to numericString matching.
- Section 2.6.3 applies to telephoneNumber matching.
-
-2.6.1. Insignificant Space Handling
-
- For the purposes of this section, a space is defined to be the SPACE
- (U+0020) code point followed by no combining marks.
-
- NOTE - The previous steps ensure that the string cannot contain
- any code points in the separator class, other than SPACE
- (U+0020).
-
- For input strings that are attribute values or non-substring
- assertion values: If the input string contains no non-space
- character, then the output is exactly two SPACEs. Otherwise (the
- input string contains at least one non-space character), the string
- is modified such that the string starts with exactly one space
- character, ends with exactly one SPACE character, and any inner
- (non-empty) sequence of space characters is replaced with exactly two
- SPACE characters. For instance, the input strings
- "foo<SPACE>bar<SPACE><SPACE>", result in the output
- "<SPACE>foo<SPACE><SPACE>bar<SPACE>".
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- For input strings that are substring assertion values: If the string
- being prepared contains no non-space characters, then the output
- string is exactly one SPACE. Otherwise, the following steps are
- taken:
-
- - If the input string is an initial substring, it is modified to
- start with exactly one SPACE character;
-
- - If the input string is an initial or an any substring that ends in
- one or more space characters, it is modified to end with exactly
- one SPACE character;
-
- - If the input string is an any or a final substring that starts in
- one or more space characters, it is modified to start with exactly
- one SPACE character; and
-
- - If the input string is a final substring, it is modified to end
- with exactly one SPACE character.
-
- For instance, for the input string "foo<SPACE>bar<SPACE><SPACE>" as
- an initial substring, the output would be
- "<SPACE>foo<SPACE><SPACE>bar<SPACE>". As an any or final substring,
- the same input would result in "foo<SPACE>bar<SPACE>".
-
- Appendix B discusses the rationale for the behavior.
-
-2.6.2. numericString Insignificant Character Handling
-
- For the purposes of this section, a space is defined to be the SPACE
- (U+0020) code point followed by no combining marks.
-
- All spaces are regarded as insignificant and are to be removed.
-
- For example, removal of spaces from the Form KC string:
- "<SPACE><SPACE>123<SPACE><SPACE>456<SPACE><SPACE>"
- would result in the output string:
- "123456"
- and the Form KC string:
- "<SPACE><SPACE><SPACE>"
- would result in the output string:
- "" (an empty string).
-
-2.6.3. telephoneNumber Insignificant Character Handling
-
- For the purposes of this section, a hyphen is defined to be a
- HYPHEN-MINUS (U+002D), ARMENIAN HYPHEN (U+058A), HYPHEN (U+2010),
- NON-BREAKING HYPHEN (U+2011), MINUS SIGN (U+2212), SMALL HYPHEN-MINUS
- (U+FE63), or FULLWIDTH HYPHEN-MINUS (U+FF0D) code point followed by
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- no combining marks and a space is defined to be the SPACE (U+0020)
- code point followed by no combining marks.
-
- All hyphens and spaces are considered insignificant and are to be
- removed.
-
- For example, removal of hyphens and spaces from the Form KC string:
- "<SPACE><HYPHEN>123<SPACE><SPACE>456<SPACE><HYPHEN>"
- would result in the output string:
- "123456"
- and the Form KC string:
- "<HYPHEN><HYPHEN><HYPHEN>"
- would result in the (empty) output string:
- "".
-
-3. Security Considerations
-
- "Preparation of Internationalized Strings ("stringprep")" [RFC3454]
- security considerations generally apply to the algorithms described
- here.
-
-4. Acknowledgements
-
- The approach used in this document is based upon design principles
- and algorithms described in "Preparation of Internationalized Strings
- ('stringprep')" [RFC3454] by Paul Hoffman and Marc Blanchet. Some
- additional guidance was drawn from Unicode Technical Standards,
- Technical Reports, and Notes.
-
- This document is a product of the IETF LDAP Revision (LDAPBIS)
- Working Group.
-
-5. References
-
-5.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ("stringprep")", RFC 3454,
- December 2002.
-
- [RFC4510] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510,
- June 2006.
-
-
-
-
-
-Zeilenga Standards Track [Page 8]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version
- 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
- 61633-5), as amended by the "Unicode Standard Annex
- #27: Unicode 3.1"
- (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
- [UAX15] Davis, M. and M. Duerst, "Unicode Standard Annex #15:
- Unicode Normalization Forms, Version 3.2.0".
- <http://www.unicode.org/unicode/reports/tr15/tr15-
- 22.html>, March 2002.
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
-
-5.2. Informative References
-
- [X.500] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Overview of concepts, models and
- services," X.500(1993) (also ISO/IEC 9594-1:1994).
-
- [X.501] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Models," X.501(1993) (also ISO/IEC 9594-
- 2:1994).
-
- [X.520] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory: Selected Attribute Types", X.520(1993) (also
- ISO/IEC 9594-6:1994).
-
- [Glossary] The Unicode Consortium, "Unicode Glossary",
- <http://www.unicode.org/glossary/>.
-
- [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
- #17, Character Encoding Model", UTR17,
- <http://www.unicode.org/unicode/reports/tr17/>, August
- 2000.
-
-
-
-
-Zeilenga Standards Track [Page 9]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
- Protocol (v3): Technical Specification", RFC 3377,
- September 2002.
-
- [RFC4515] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): String Representation of Search
- Filters", RFC 4515, June 2006.
-
- [XMATCH] Zeilenga, K., "Internationalized String Matching Rules
- for X.500", Work in Progress.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 10]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
-Appendix A. Combining Marks
-
- This appendix is normative.
-
- This table was derived from Unicode [Unicode] data files; it lists
- all code points with the Mn, Mc, or Me properties. This table is to
- be considered definitive for the purposes of implementation of this
- specification.
-
- 0300-034F 0360-036F 0483-0486 0488-0489 0591-05A1
- 05A3-05B9 05BB-05BC 05BF 05C1-05C2 05C4 064B-0655 0670
- 06D6-06DC 06DE-06E4 06E7-06E8 06EA-06ED 0711 0730-074A
- 07A6-07B0 0901-0903 093C 093E-094F 0951-0954 0962-0963
- 0981-0983 09BC 09BE-09C4 09C7-09C8 09CB-09CD 09D7
- 09E2-09E3 0A02 0A3C 0A3E-0A42 0A47-0A48 0A4B-0A4D
- 0A70-0A71 0A81-0A83 0ABC 0ABE-0AC5 0AC7-0AC9 0ACB-0ACD
- 0B01-0B03 0B3C 0B3E-0B43 0B47-0B48 0B4B-0B4D 0B56-0B57
- 0B82 0BBE-0BC2 0BC6-0BC8 0BCA-0BCD 0BD7 0C01-0C03
- 0C3E-0C44 0C46-0C48 0C4A-0C4D 0C55-0C56 0C82-0C83
- 0CBE-0CC4 0CC6-0CC8 0CCA-0CCD 0CD5-0CD6 0D02-0D03
- 0D3E-0D43 0D46-0D48 0D4A-0D4D 0D57 0D82-0D83 0DCA
- 0DCF-0DD4 0DD6 0DD8-0DDF 0DF2-0DF3 0E31 0E34-0E3A
- 0E47-0E4E 0EB1 0EB4-0EB9 0EBB-0EBC 0EC8-0ECD 0F18-0F19
- 0F35 0F37 0F39 0F3E-0F3F 0F71-0F84 0F86-0F87 0F90-0F97
- 0F99-0FBC 0FC6 102C-1032 1036-1039 1056-1059 1712-1714
- 1732-1734 1752-1753 1772-1773 17B4-17D3 180B-180D 18A9
- 20D0-20EA 302A-302F 3099-309A FB1E FE00-FE0F FE20-FE23
- 1D165-1D169 1D16D-1D172 1D17B-1D182 1D185-1D18B
- 1D1AA-1D1AD
-
-Appendix B. Substrings Matching
-
- This appendix is non-normative.
-
- In the absence of substrings matching, the insignificant space
- handling for case ignore/exact matching could be simplified.
- Specifically, the handling could be to require that all sequences of
- one or more spaces be replaced with one space and, if the string
- contains non-space characters, removal of all leading spaces and
- trailing spaces.
-
- In the presence of substrings matching, this simplified space
- handling would lead to unexpected and undesirable matching behavior.
- For instance:
-
- 1) (CN=foo\20*\20bar) would match the CN value "foobar";
-
-
-
-
-
-Zeilenga Standards Track [Page 11]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- 2) (CN=*\20foobar\20*) would match "foobar", but
- (CN=*\20*foobar*\20*) would not.
-
- Note to readers not familiar with LDAP substrings matching: the LDAP
- filter [RFC4515] assertion (CN=A*B*C) says to "match any value (of
- the attribute CN) that begins with A, contains B after A, ends with C
- where C is also after B."
-
- The first case illustrates that this simplified space handling would
- cause leading and trailing spaces in substrings of the string to be
- regarded as insignificant. However, only leading and trailing (as
- well as multiple consecutive spaces) of the string (as a whole) are
- insignificant.
-
- The second case illustrates that this simplified space handling would
- cause sub-partitioning failures. That is, if a prepared any
- substring matches a partition of the attribute value, then an
- assertion constructed by subdividing that substring into multiple
- substrings should also match.
-
- In designing an appropriate approach for space handling for
- substrings matching, one must study key aspects of X.500 case
- exact/ignore matching. X.520 [X.520] says:
-
- The [substrings] rule returns TRUE if there is a partitioning of
- the attribute value (into portions) such that:
-
- - the specified substrings (initial, any, final) match
- different portions of the value in the order of the strings
- sequence;
-
- - initial, if present, matches the first portion of the value;
-
- - final, if present, matches the last portion of the value;
-
- - any, if present, matches some arbitrary portion of the
- value.
-
- That is, the substrings assertion (CN=foo\20*\20bar) matches the
- attribute value "foo<SPACE><SPACE>bar" as the value can be
- partitioned into the portions "foo<SPACE>" and "<SPACE>bar" meeting
- the above requirements.
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 12]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
- X.520 also says:
-
- [T]he following spaces are regarded as not significant:
-
- - leading spaces (i.e., those preceding the first character
- that is not a space);
-
- - trailing spaces (i.e., those following the last character
- that is not a space);
-
- - multiple consecutive spaces (these are taken as equivalent
- to a single space character).
-
- This statement applies to the assertion values and attribute values
- as whole strings, and not individually to substrings of an assertion
- value. In particular, the statements should be taken to mean that if
- an assertion value and attribute value match without any
- consideration to insignificant characters, then that assertion value
- should also match any attribute value that differs only by inclusion
- nor removal of insignificant characters.
-
- Hence the assertion (CN=foo\20*\20bar) matches
- "foo<SPACE><SPACE><SPACE>bar" and "foo<SPACE>bar" as these values
- only differ from "foo<SPACE><SPACE>bar" by the inclusion or removal
- of insignificant spaces.
-
- Astute readers of this text will also note that there are special
- cases where the specified space handling does not ignore spaces that
- could be considered insignificant. For instance, the assertion
- (CN=\20*\20*\20) does not match "<SPACE><SPACE><SPACE>"
- (insignificant spaces present in value) or " " (insignificant spaces
- not present in value). However, as these cases have no practical
- application that cannot be met by simple assertions, e.g., (cn=\20),
- and this minor anomaly can only be fully addressed by a preparation
- algorithm to be used in conjunction with character-by-character
- partitioning and matching, the anomaly is considered acceptable.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 13]
-�
-RFC 4518 LDAP: Internationalized String Preparation June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 14]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4519.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4519.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4519.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1963 +0,0 @@
-
-
-
-
-
-
-Network Working Group A. Sciberras, Ed.
-Request for Comments: 4519 eB2Bcom
-Obsoletes: 2256 June 2006
-Updates: 2247, 2798, 2377
-Category: Standards Track
-
-
- Lightweight Directory Access Protocol (LDAP):
- Schema for User Applications
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document is an integral part of the Lightweight Directory Access
- Protocol (LDAP) technical specification. It provides a technical
- specification of attribute types and object classes intended for use
- by LDAP directory clients for many directory services, such as White
- Pages. These objects are widely used as a basis for the schema in
- many LDAP directories. This document does not cover attributes used
- for the administration of directory servers, nor does it include
- directory objects defined for specific uses in other documents.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 1]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 1.1. Relationship with Other Specifications .....................3
- 1.2. Conventions ................................................4
- 1.3. General Issues .............................................4
- 2. Attribute Types .................................................4
- 2.1. 'businessCategory' .........................................5
- 2.2. 'c' ........................................................5
- 2.3. 'cn' .......................................................5
- 2.4. 'dc' .......................................................6
- 2.5. 'description' ..............................................6
- 2.6. 'destinationIndicator' .....................................7
- 2.7. 'distinguishedName' ........................................7
- 2.8. 'dnQualifier' ..............................................8
- 2.9. 'enhancedSearchGuide' ......................................8
- 2.10. 'facsimileTelephoneNumber' ................................9
- 2.11. 'generationQualifier' .....................................9
- 2.12. 'givenName' ...............................................9
- 2.13. 'houseIdentifier' .........................................9
- 2.14. 'initials' ...............................................10
- 2.15. 'internationalISDNNumber' ................................10
- 2.16. 'l' ......................................................10
- 2.17. 'member' .................................................11
- 2.18. 'name' ...................................................11
- 2.19. 'o' ......................................................11
- 2.20. 'ou' .....................................................12
- 2.21. 'owner' ..................................................12
- 2.22. 'physicalDeliveryOfficeName' .............................12
- 2.23. 'postalAddress' ..........................................13
- 2.24. 'postalCode' .............................................13
- 2.25. 'postOfficeBox' ..........................................14
- 2.26. 'preferredDeliveryMethod' ................................14
- 2.27. 'registeredAddress' ......................................14
- 2.28. 'roleOccupant' ...........................................15
- 2.29. 'searchGuide' ............................................15
- 2.30. 'seeAlso' ................................................15
- 2.31. 'serialNumber' ...........................................16
- 2.32. 'sn' .....................................................16
- 2.33. 'st' .....................................................16
- 2.34. 'street' .................................................17
- 2.35. 'telephoneNumber' ........................................17
- 2.36. 'teletexTerminalIdentifier' ..............................17
- 2.37. 'telexNumber' ............................................18
- 2.38. 'title' ..................................................18
- 2.39. 'uid' ....................................................18
- 2.40. 'uniqueMember' ...........................................19
- 2.41. 'userPassword' ...........................................19
-
-
-
-Sciberras Standards Track [Page 2]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- 2.42. 'x121Address' ............................................20
- 2.43. 'x500UniqueIdentifier' ...................................20
- 3. Object Classes .................................................20
- 3.1. 'applicationProcess' ......................................21
- 3.2. 'country' .................................................21
- 3.3. 'dcObject' ................................................21
- 3.4. 'device' ..................................................21
- 3.5. 'groupOfNames' ............................................22
- 3.6. 'groupOfUniqueNames' ......................................22
- 3.7. 'locality' ................................................23
- 3.8. 'organization' ............................................23
- 3.9. 'organizationalPerson' ....................................24
- 3.10. 'organizationalRole' .....................................24
- 3.11. 'organizationalUnit' .....................................24
- 3.12. 'person' .................................................25
- 3.13. 'residentialPerson' ......................................25
- 3.14. 'uidObject' ..............................................26
- 4. IANA Considerations ............................................26
- 5. Security Considerations ........................................28
- 6. Acknowledgements ...............................................28
- 7. References .....................................................29
- 7.1. Normative References ......................................29
- 7.2. Informative References ....................................30
- Appendix A Changes Made Since RFC 2256 ...........................32
-
-1. Introduction
-
- This document provides an overview of attribute types and object
- classes intended for use by Lightweight Directory Access Protocol
- (LDAP) directory clients for many directory services, such as White
- Pages. Originally specified in the X.500 [X.500] documents, these
- objects are widely used as a basis for the schema in many LDAP
- directories. This document does not cover attributes used for the
- administration of directory servers, nor does it include directory
- objects defined for specific uses in other documents.
-
-1.1. Relationship with Other Specifications
-
- This document is an integral part of the LDAP technical specification
- [RFC4510], which obsoletes the previously defined LDAP technical
- specification, RFC 3377, in its entirety. In terms of RFC 2256,
- Sections 6 and 8 of RFC 2256 are obsoleted by [RFC4517]. Sections
- 5.1, 5.2, 7.1, and 7.2 of RFC 2256 are obsoleted by [RFC4512]. The
- remainder of RFC 2256 is obsoleted by this document. The technical
- specification for the 'dc' attribute type and 'dcObject' object class
- found in RFC 2247 are superseded by sections 2.4 and 3.3 of this
- document. The remainder of RFC 2247 remains in force.
-
-
-
-
-Sciberras Standards Track [Page 3]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- This document updates RFC 2798 by replacing the informative
- description of the 'uid' attribute type with the definitive
- description provided in Section 2.39 of this document.
-
- This document updates RFC 2377 by replacing the informative
- description of the 'uidObject' object class with the definitive
- description provided in Section 3.14 of this document.
-
- A number of schema elements that were included in the previous
- revision of the LDAP Technical Specification are not included in this
- revision of LDAP. PKI-related schema elements are now specified in
- [RFC4523]. Unless reintroduced in future technical specifications,
- the remainder are to be considered Historic.
-
- The descriptions in this document SHALL be considered definitive for
- use in LDAP.
-
-1.2. Conventions
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
-
-1.3. General Issues
-
- This document references Syntaxes defined in Section 3 of [RFC4517]
- and Matching Rules defined in Section 4 of [RFC4517].
-
- The definitions of Attribute Types and Object Classes are written
- using the Augmented Backus-Naur Form (ABNF) [RFC4234] of
- AttributeTypeDescription and ObjectClassDescription given in
- [RFC4512]. Lines have been folded for readability. When such values
- are transferred as attribute values in the LDAP Protocol, the values
- will not contain line breaks.
-
-2. Attribute Types
-
- The attribute types contained in this section hold user information.
-
- There is no requirement that servers implement the 'searchGuide' and
- 'teletexTerminalIdentifier' attribute types. In fact, their use is
- greatly discouraged.
-
- An LDAP server implementation SHOULD recognize the rest of the
- attribute types described in this section.
-
-
-
-
-
-
-Sciberras Standards Track [Page 4]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-2.1. 'businessCategory'
-
- The 'businessCategory' attribute type describes the kinds of business
- performed by an organization. Each kind is one value of this
- multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.15 NAME 'businessCategory'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
- Examples: "banking", "transportation", and "real estate".
-
-2.2. 'c'
-
- The 'c' ('countryName' in X.500) attribute type contains a two-letter
- ISO 3166 [ISO3166] country code.
- (Source: X.520 [X.520])
-
- ( 2.5.4.6 NAME 'c'
- SUP name
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
- SINGLE-VALUE )
-
- 1.3.6.1.4.1.1466.115.121.1.11 refers to the Country String syntax
- [RFC4517].
-
- Examples: "DE", "AU" and "FR".
-
-2.3. 'cn'
-
- The 'cn' ('commonName' in X.500) attribute type contains names of an
- object. Each name is one value of this multi-valued attribute. If
- the object corresponds to a person, it is typically the person's full
- name.
- (Source: X.520 [X.520])
-
- ( 2.5.4.3 NAME 'cn'
- SUP name )
-
- Examples: "Martin K Smith", "Marty Smith" and "printer12".
-
-
-
-
-
-
-Sciberras Standards Track [Page 5]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-2.4. 'dc'
-
- The 'dc' ('domainComponent' in RFC 1274) attribute type is a string
- holding one component, a label, of a DNS domain name
- [RFC1034][RFC2181] naming a host [RFC1123]. That is, a value of this
- attribute is a string of ASCII characters adhering to the following
- ABNF [RFC4234]:
-
- label = (ALPHA / DIGIT) [*61(ALPHA / DIGIT / HYPHEN) (ALPHA / DIGIT)]
- ALPHA = %x41-5A / %x61-7A ; "A"-"Z" / "a"-"z"
- DIGIT = %x30-39 ; "0"-"9"
- HYPHEN = %x2D ; hyphen ("-")
-
- The encoding of IA5String for use in LDAP is simply the characters of
- the ASCII label. The equality matching rule is case insensitive, as
- is today's DNS. (Source: RFC 2247 [RFC2247] and RFC 1274 [RFC 1274])
-
- ( 0.9.2342.19200300.100.1.25 NAME 'dc'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE )
-
- 1.3.6.1.4.1.1466.115.121.1.26 refers to the IA5 String syntax
- [RFC4517].
-
- Examples: Valid values include "example" and "com" but not
- "example.com". The latter is invalid as it contains multiple domain
- components.
-
- It is noted that the directory service will not ensure that values of
- this attribute conform to the host label restrictions [RFC1123]
- illustrated by the <label> production provided above. It is the
- directory client's responsibility to ensure that the labels it stores
- in this attribute are appropriately restricted.
-
- Directory applications supporting International Domain Names SHALL
- use the ToASCII method [RFC3490] to produce the domain component
- label. The special considerations discussed in Section 4 of RFC 3490
- [RFC3490] should be taken, depending on whether the domain component
- is used for "stored" or "query" purposes.
-
-2.5. 'description'
-
- The 'description' attribute type contains human-readable descriptive
- phrases about the object. Each description is one value of this
- multi-valued attribute.
- (Source: X.520 [X.520])
-
-
-
-Sciberras Standards Track [Page 6]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- ( 2.5.4.13 NAME 'description'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
- Examples: "a color printer", "Maintenance is done every Monday, at
- 1pm.", and "distribution list for all technical staff".
-
-2.6. 'destinationIndicator'
-
- The 'destinationIndicator' attribute type contains country and city
- strings associated with the object (the addressee) needed to provide
- the Public Telegram Service. The strings are composed in accordance
- with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is
- one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.27 NAME 'destinationIndicator'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
-
- 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax
- [RFC4517].
-
- Examples: "AASD" as a destination indicator for Sydney, Australia.
- "GBLD" as a destination indicator for London, United
- Kingdom.
-
- It is noted that the directory will not ensure that values of this
- attribute conform to the F.1 and F.31 CCITT Recommendations. It is
- the application's responsibility to ensure destination indicators
- that it stores in this attribute are appropriately constructed.
-
-2.7. 'distinguishedName'
-
- The 'distinguishedName' attribute type is not used as the name of the
- object itself, but it is instead a base type from which some user
- attribute types with a DN syntax can inherit.
-
- It is unlikely that values of this type itself will occur in an
- entry. LDAP server implementations that do not support attribute
- subtyping need not recognize this attribute in requests. Client
- implementations MUST NOT assume that LDAP servers are capable of
- performing attribute subtyping.
-
-
-
-Sciberras Standards Track [Page 7]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- (Source: X.520 [X.520])
-
- ( 2.5.4.49 NAME 'distinguishedName'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
- 1.3.6.1.4.1.1466.115.121.1.12 refers to the DN syntax [RFC4517].
-
-2.8. 'dnQualifier'
-
- The 'dnQualifier' attribute type contains disambiguating information
- strings to add to the relative distinguished name of an entry. The
- information is intended for use when merging data from multiple
- sources in order to prevent conflicts between entries that would
- otherwise have the same name. Each string is one value of this
- multi-valued attribute. It is recommended that a value of the
- 'dnQualifier' attribute be the same for all entries from a particular
- source.
- (Source: X.520 [X.520])
-
- ( 2.5.4.46 NAME 'dnQualifier'
- EQUALITY caseIgnoreMatch
- ORDERING caseIgnoreOrderingMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
-
- 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax
- [RFC4517].
-
- Examples: "20050322123345Z" - timestamps can be used to disambiguate
- information.
- "123456A" - serial numbers can be used to disambiguate
- information.
-
-2.9. 'enhancedSearchGuide'
-
- The 'enhancedSearchGuide' attribute type contains sets of information
- for use by directory clients in constructing search filters. Each
- set is one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.47 NAME 'enhancedSearchGuide'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
-
- 1.3.6.1.4.1.1466.115.121.1.21 refers to the Enhanced Guide syntax
- [RFC4517].
-
-
-
-
-
-Sciberras Standards Track [Page 8]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- Examples: "person#(sn$APPROX)#wholeSubtree" and
- "organizationalUnit#(ou$SUBSTR)#oneLevel".
-
-2.10. 'facsimileTelephoneNumber'
-
- The 'facsimileTelephoneNumber' attribute type contains telephone
- numbers (and, optionally, the parameters) for facsimile terminals.
- Each telephone number is one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.23 NAME 'facsimileTelephoneNumber'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
-
- 1.3.6.1.4.1.1466.115.121.1.22 refers to the Facsimile Telephone
- Number syntax [RFC4517].
-
- Examples: "+61 3 9896 7801" and "+81 3 347 7418$fineResolution".
-
-2.11. 'generationQualifier'
-
- The 'generationQualifier' attribute type contains name strings that
- are typically the suffix part of a person's name. Each string is one
- value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.44 NAME 'generationQualifier'
- SUP name )
-
- Examples: "III", "3rd", and "Jr.".
-
-2.12. 'givenName'
-
- The 'givenName' attribute type contains name strings that are the
- part of a person's name that is not their surname. Each string is
- one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.42 NAME 'givenName'
- SUP name )
-
- Examples: "Andrew", "Charles", and "Joanne".
-
-2.13. 'houseIdentifier'
-
- The 'houseIdentifier' attribute type contains identifiers for a
- building within a location. Each identifier is one value of this
- multi-valued attribute.
- (Source: X.520 [X.520])
-
-
-
-Sciberras Standards Track [Page 9]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- ( 2.5.4.51 NAME 'houseIdentifier'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
- Example: "20" to represent the house number 20.
-
-2.14. 'initials'
-
- The 'initials' attribute type contains strings of initials of some or
- all of an individual's names, except the surname(s). Each string is
- one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.43 NAME 'initials'
- SUP name )
-
- Examples: "K. A." and "K".
-
-2.15. 'internationalISDNNumber'
-
- The 'internationalISDNNumber' attribute type contains Integrated
- Services Digital Network (ISDN) addresses, as defined in the
- International Telecommunication Union (ITU) Recommendation E.164
- [E.164]. Each address is one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.25 NAME 'internationalISDNNumber'
- EQUALITY numericStringMatch
- SUBSTR numericStringSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
-
- 1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax
- [RFC4517].
-
- Example: "0198 333 333".
-
-2.16. 'l'
-
- The 'l' ('localityName' in X.500) attribute type contains names of a
- locality or place, such as a city, county, or other geographic
- region. Each name is one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
-
-
-
-
-Sciberras Standards Track [Page 10]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- ( 2.5.4.7 NAME 'l'
- SUP name )
-
- Examples: "Geneva", "Paris", and "Edinburgh".
-
-2.17. 'member'
-
- The 'member' attribute type contains the distinguished names of
- objects that are on a list or in a group. Each name is one value of
- this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.31 NAME 'member'
- SUP distinguishedName )
-
- Examples: "cn=James Clarke,ou=Finance,o=Widget\, Inc." and
- "cn=John Xerri,ou=Finance,o=Widget\, Inc." may
- be two members of the financial team (group) at Widget,
- Inc., in which case, both of these distinguished names
- would be present as individual values of the member
- attribute.
-
-2.18. 'name'
-
- The 'name' attribute type is the attribute supertype from which user
- attribute types with the name syntax inherit. Such attribute types
- are typically used for naming. The attribute type is multi-valued.
-
- It is unlikely that values of this type itself will occur in an
- entry. LDAP server implementations that do not support attribute
- subtyping need not recognize this attribute in requests. Client
- implementations MUST NOT assume that LDAP servers are capable of
- performing attribute subtyping.
- (Source: X.520 [X.520])
-
- ( 2.5.4.41 NAME 'name'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
-2.19. 'o'
-
- The 'o' ('organizationName' in X.500) attribute type contains the
- names of an organization. Each name is one value of this
- multi-valued attribute.
-
-
-
-Sciberras Standards Track [Page 11]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- (Source: X.520 [X.520])
-
- ( 2.5.4.10 NAME 'o'
- SUP name )
-
- Examples: "Widget", "Widget, Inc.", and "Widget, Incorporated.".
-
-2.20. 'ou'
-
- The 'ou' ('organizationalUnitName' in X.500) attribute type contains
- the names of an organizational unit. Each name is one value of this
- multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.11 NAME 'ou'
- SUP name )
-
- Examples: "Finance", "Human Resources", and "Research and
- Development".
-
-2.21. 'owner'
-
- The 'owner' attribute type contains the distinguished names of
- objects that have an ownership responsibility for the object that is
- owned. Each owner's name is one value of this multi-valued
- attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.32 NAME 'owner'
- SUP distinguishedName )
-
- Example: The mailing list object, whose DN is "cn=All Employees,
- ou=Mailing List,o=Widget\, Inc.", is owned by the Human
- Resources Director.
-
- Therefore, the value of the 'owner' attribute within the
- mailing list object, would be the DN of the director (role):
- "cn=Human Resources Director,ou=employee,o=Widget\, Inc.".
-
-2.22. 'physicalDeliveryOfficeName'
-
- The 'physicalDeliveryOfficeName' attribute type contains names that a
- Postal Service uses to identify a post office.
- (Source: X.520 [X.520])
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 12]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
- Examples: "Bremerhaven, Main" and "Bremerhaven, Bonnstrasse".
-
-2.23. 'postalAddress'
-
- The 'postalAddress' attribute type contains addresses used by a
- Postal Service to perform services for the object. Each address is
- one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.16 NAME 'postalAddress'
- EQUALITY caseIgnoreListMatch
- SUBSTR caseIgnoreListSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-
- 1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax
- [RFC4517].
-
- Example: "15 Main St.$Ottawa$Canada".
-
-2.24. 'postalCode'
-
- The 'postalCode' attribute type contains codes used by a Postal
- Service to identify postal service zones. Each code is one value of
- this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.17 NAME 'postalCode'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
- Example: "22180", to identify Vienna, VA, in the USA.
-
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 13]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-2.25. 'postOfficeBox'
-
- The 'postOfficeBox' attribute type contains postal box identifiers
- that a Postal Service uses when a customer arranges to receive mail
- at a box on the premises of the Postal Service. Each postal box
- identifier is a single value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.18 NAME 'postOfficeBox'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
- Example: "Box 45".
-
-2.26. 'preferredDeliveryMethod'
-
- The 'preferredDeliveryMethod' attribute type contains an indication
- of the preferred method of getting a message to the object.
- (Source: X.520 [X.520])
-
- ( 2.5.4.28 NAME 'preferredDeliveryMethod'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
- SINGLE-VALUE )
-
- 1.3.6.1.4.1.1466.115.121.1.14 refers to the Delivery Method syntax
- [RFC4517].
-
- Example: If the mhs-delivery Delivery Method is preferred over
- telephone-delivery, which is preferred over all other
- methods, the value would be: "mhs $ telephone".
-
-2.27. 'registeredAddress'
-
- The 'registeredAddress' attribute type contains postal addresses
- suitable for reception of telegrams or expedited documents, where it
- is necessary to have the recipient accept delivery. Each address is
- one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.26 NAME 'registeredAddress'
- SUP postalAddress
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-
-
-
-
-
-Sciberras Standards Track [Page 14]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- 1.3.6.1.4.1.1466.115.121.1.41 refers to the Postal Address syntax
- [RFC4517].
-
- Example: "Receptionist$Widget, Inc.$15 Main St.$Ottawa$Canada".
-
-2.28. 'roleOccupant'
-
- The 'roleOccupant' attribute type contains the distinguished names of
- objects (normally people) that fulfill the responsibilities of a role
- object. Each distinguished name is one value of this multi-valued
- attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.33 NAME 'roleOccupant'
- SUP distinguishedName )
-
- Example: The role object, "cn=Human Resources
- Director,ou=Position,o=Widget\, Inc.", is fulfilled by two
- people whose object names are "cn=Mary
- Smith,ou=employee,o=Widget\, Inc." and "cn=James
- Brown,ou=employee,o=Widget\, Inc.". The 'roleOccupant'
- attribute will contain both of these distinguished names,
- since they are the occupants of this role.
-
-2.29. 'searchGuide'
-
- The 'searchGuide' attribute type contains sets of information for use
- by clients in constructing search filters. It is superseded by
- 'enhancedSearchGuide', described above in Section 2.9. Each set is
- one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.14 NAME 'searchGuide'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
-
- 1.3.6.1.4.1.1466.115.121.1.25 refers to the Guide syntax [RFC4517].
-
- Example: "person#sn$EQ".
-
-2.30. 'seeAlso'
-
- The 'seeAlso' attribute type contains the distinguished names of
- objects that are related to the subject object. Each related object
- name is one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.34 NAME 'seeAlso'
- SUP distinguishedName )
-
-
-
-Sciberras Standards Track [Page 15]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- Example: The person object "cn=James Brown,ou=employee,o=Widget\,
- Inc." is related to the role objects "cn=Football Team
- Captain,ou=sponsored activities,o=Widget\, Inc." and
- "cn=Chess Team,ou=sponsored activities,o=Widget\, Inc.".
- Since the role objects are related to the person object, the
- 'seeAlso' attribute will contain the distinguished name of
- each role object as separate values.
-
-2.31. 'serialNumber'
-
- The 'serialNumber' attribute type contains the serial numbers of
- devices. Each serial number is one value of this multi-valued
- attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.5 NAME 'serialNumber'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
-
- 1.3.6.1.4.1.1466.115.121.1.44 refers to the Printable String syntax
- [RFC4517].
-
- Examples: "WI-3005" and "XF551426".
-
-2.32. 'sn'
-
- The 'sn' ('surname' in X.500) attribute type contains name strings
- for the family names of a person. Each string is one value of this
- multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.4 NAME 'sn'
- SUP name )
-
- Example: "Smith".
-
-2.33. 'st'
-
- The 'st' ('stateOrProvinceName' in X.500) attribute type contains the
- full names of states or provinces. Each name is one value of this
- multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.8 NAME 'st'
- SUP name )
-
- Example: "California".
-
-
-
-Sciberras Standards Track [Page 16]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-2.34. 'street'
-
- The 'street' ('streetAddress' in X.500) attribute type contains site
- information from a postal address (i.e., the street name, place,
- avenue, and the house number). Each street is one value of this
- multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.9 NAME 'street'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
- Example: "15 Main St.".
-
-2.35. 'telephoneNumber'
-
- The 'telephoneNumber' attribute type contains telephone numbers that
- comply with the ITU Recommendation E.123 [E.123]. Each number is one
- value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.20 NAME 'telephoneNumber'
- EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
- 1.3.6.1.4.1.1466.115.121.1.50 refers to the Telephone Number syntax
- [RFC4517].
-
- Example: "+1 234 567 8901".
-
-2.36. 'teletexTerminalIdentifier'
-
- The withdrawal of Recommendation F.200 has resulted in the withdrawal
- of this attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
-
- 1.3.6.1.4.1.1466.115.121.1.51 refers to the Teletex Terminal
- Identifier syntax [RFC4517].
-
-
-
-
-
-Sciberras Standards Track [Page 17]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-2.37. 'telexNumber'
-
- The 'telexNumber' attribute type contains sets of strings that are a
- telex number, country code, and answerback code of a telex terminal.
- Each set is one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.21 NAME 'telexNumber'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
-
- 1.3.6.1.4.1.1466.115.121.1.52 refers to the Telex Number syntax
- [RFC4517].
-
- Example: "12345$023$ABCDE".
-
-2.38. 'title'
-
- The 'title' attribute type contains the title of a person in their
- organizational context. Each title is one value of this multi-valued
- attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.12 NAME 'title'
- SUP name )
- Examples: "Vice President", "Software Engineer", and "CEO".
-
-2.39. 'uid'
-
- The 'uid' ('userid' in RFC 1274) attribute type contains computer
- system login names associated with the object. Each name is one
- value of this multi-valued attribute.
- (Source: RFC 2798 [RFC2798] and RFC 1274 [RFC1274])
-
- ( 0.9.2342.19200300.100.1.1 NAME 'uid'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- 1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax
- [RFC4517].
-
- Examples: "s9709015", "admin", and "Administrator".
-
-
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 18]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-2.40. 'uniqueMember'
-
- The 'uniqueMember' attribute type contains the distinguished names of
- an object that is on a list or in a group, where the relative
- distinguished names of the object include a value that distinguishes
- between objects when a distinguished name has been reused. Each
- distinguished name is one value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.50 NAME 'uniqueMember'
- EQUALITY uniqueMemberMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
-
- 1.3.6.1.4.1.1466.115.121.1.34 refers to the Name and Optional UID
- syntax [RFC4517].
-
- Example: If "ou=1st Battalion,o=Defense,c=US" is a battalion that was
- disbanded, establishing a new battalion with the "same" name
- would have a unique identifier value added, resulting in
- "ou=1st Battalion, o=Defense,c=US#'010101'B".
-
-2.41. 'userPassword'
-
- The 'userPassword' attribute contains octet strings that are known
- only to the user and the system to which the user has access. Each
- string is one value of this multi-valued attribute.
-
- The application SHOULD prepare textual strings used as passwords by
- transcoding them to Unicode, applying SASLprep [RFC4013], and
- encoding as UTF-8. The determination of whether a password is
- textual is a local client matter.
- (Source: X.509 [X.509])
-
- ( 2.5.4.35 NAME 'userPassword'
- EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
- 1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String syntax
- [RFC4517].
-
- Passwords are stored using an Octet String syntax and are not
- encrypted. Transfer of cleartext passwords is strongly discouraged
- where the underlying transport service cannot guarantee
- confidentiality and may result in disclosure of the password to
- unauthorized parties.
-
- An example of a need for multiple values in the 'userPassword'
- attribute is an environment where every month the user is expected to
-
-
-
-Sciberras Standards Track [Page 19]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- use a different password generated by some automated system. During
- transitional periods, like the last and first day of the periods, it
- may be necessary to allow two passwords for the two consecutive
- periods to be valid in the system.
-
-2.42. 'x121Address'
-
- The 'x121Address' attribute type contains data network addresses as
- defined by ITU Recommendation X.121 [X.121]. Each address is one
- value of this multi-valued attribute.
- (Source: X.520 [X.520])
-
- ( 2.5.4.24 NAME 'x121Address'
- EQUALITY numericStringMatch
- SUBSTR numericStringSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
-
- 1.3.6.1.4.1.1466.115.121.1.36 refers to the Numeric String syntax
- [RFC4517].
-
- Example: "36111222333444555".
-
-2.43. 'x500UniqueIdentifier'
-
- The 'x500UniqueIdentifier' attribute type contains binary strings
- that are used to distinguish between objects when a distinguished
- name has been reused. Each string is one value of this multi-valued
- attribute.
-
- In X.520 [X.520], this attribute type is called 'uniqueIdentifier'.
- This is a different attribute type from both the 'uid' and
- 'uniqueIdentifier' LDAP attribute types. The 'uniqueIdentifier'
- attribute type is defined in [RFC4524].
- (Source: X.520 [X.520])
-
- ( 2.5.4.45 NAME 'x500UniqueIdentifier'
- EQUALITY bitStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
-
- 1.3.6.1.4.1.1466.115.121.1.6 refers to the Bit String syntax
- [RFC4517].
-
-3. Object Classes
-
- LDAP servers SHOULD recognize all the Object Classes listed here as
- values of the 'objectClass' attribute (see [RFC4512]).
-
-
-
-
-
-Sciberras Standards Track [Page 20]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-3.1. 'applicationProcess'
-
- The 'applicationProcess' object class definition is the basis of an
- entry that represents an application executing in a computer system.
- (Source: X.521 [X.521])
-
- ( 2.5.6.11 NAME 'applicationProcess'
- SUP top
- STRUCTURAL
- MUST cn
- MAY ( seeAlso $
- ou $
- l $
- description ) )
-
-3.2. 'country'
-
- The 'country' object class definition is the basis of an entry that
- represents a country.
- (Source: X.521 [X.521])
-
- ( 2.5.6.2 NAME 'country'
- SUP top
- STRUCTURAL
- MUST c
- MAY ( searchGuide $
- description ) )
-
-3.3. 'dcObject'
-
- The 'dcObject' object class permits an entry to contains domain
- component information. This object class is defined as auxiliary,
- because it will be used in conjunction with an existing structural
- object class.
- (Source: RFC 2247 [RFC2247])
-
- ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
- SUP top
- AUXILIARY
- MUST dc )
-
-3.4. 'device'
-
- The 'device' object class is the basis of an entry that represents an
- appliance, computer, or network element.
- (Source: X.521 [X.521])
-
-
-
-
-
-Sciberras Standards Track [Page 21]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- ( 2.5.6.14 NAME 'device'
- SUP top
- STRUCTURAL
- MUST cn
- MAY ( serialNumber $
- seeAlso $
- owner $
- ou $
- o $
- l $
- description ) )
-
-3.5. 'groupOfNames'
-
- The 'groupOfNames' object class is the basis of an entry that
- represents a set of named objects including information related to
- the purpose or maintenance of the set.
- (Source: X.521 [X.521])
-
- ( 2.5.6.9 NAME 'groupOfNames'
- SUP top
- STRUCTURAL
- MUST ( member $
- cn )
- MAY ( businessCategory $
- seeAlso $
- owner $
- ou $
- o $
- description ) )
-
-3.6. 'groupOfUniqueNames'
-
- The 'groupOfUniqueNames' object class is the same as the
- 'groupOfNames' object class except that the object names are not
- repeated or reassigned within a set scope.
- (Source: X.521 [X.521])
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 22]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- ( 2.5.6.17 NAME 'groupOfUniqueNames'
- SUP top
- STRUCTURAL
- MUST ( uniqueMember $
- cn )
- MAY ( businessCategory $
- seeAlso $
- owner $
- ou $
- o $
- description ) )
-
-3.7. 'locality'
-
- The 'locality' object class is the basis of an entry that represents
- a place in the physical world.
- (Source: X.521 [X.521])
-
- ( 2.5.6.3 NAME 'locality'
- SUP top
- STRUCTURAL
- MAY ( street $
- seeAlso $
- searchGuide $
- st $
- l $
- description ) )
-
-3.8. 'organization'
-
- The 'organization' object class is the basis of an entry that
- represents a structured group of people.
- (Source: X.521 [X.521])
-
- ( 2.5.6.4 NAME 'organization'
- SUP top
- STRUCTURAL
- MUST o
- MAY ( userPassword $ searchGuide $ seeAlso $
- businessCategory $ x121Address $ registeredAddress $
- destinationIndicator $ preferredDeliveryMethod $
- telexNumber $ teletexTerminalIdentifier $
- telephoneNumber $ internationalISDNNumber $
- facsimileTelephoneNumber $ street $ postOfficeBox $
- postalCode $ postalAddress $ physicalDeliveryOfficeName $
- st $ l $ description ) )
-
-
-
-
-
-Sciberras Standards Track [Page 23]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-3.9. 'organizationalPerson'
-
- The 'organizationalPerson' object class is the basis of an entry that
- represents a person in relation to an organization.
- (Source: X.521 [X.521])
-
- ( 2.5.6.7 NAME 'organizationalPerson'
- SUP person
- STRUCTURAL
- MAY ( title $ x121Address $ registeredAddress $
- destinationIndicator $ preferredDeliveryMethod $
- telexNumber $ teletexTerminalIdentifier $
- telephoneNumber $ internationalISDNNumber $
- facsimileTelephoneNumber $ street $ postOfficeBox $
- postalCode $ postalAddress $ physicalDeliveryOfficeName $
- ou $ st $ l ) )
-
-3.10. 'organizationalRole'
-
- The 'organizationalRole' object class is the basis of an entry that
- represents a job, function, or position in an organization.
- (Source: X.521 [X.521])
-
- ( 2.5.6.8 NAME 'organizationalRole'
- SUP top
- STRUCTURAL
- MUST cn
- MAY ( x121Address $ registeredAddress $ destinationIndicator $
- preferredDeliveryMethod $ telexNumber $
- teletexTerminalIdentifier $ telephoneNumber $
- internationalISDNNumber $ facsimileTelephoneNumber $
- seeAlso $ roleOccupant $ preferredDeliveryMethod $
- street $ postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ ou $ st $ l $
- description ) )
-
-3.11. 'organizationalUnit'
-
- The 'organizationalUnit' object class is the basis of an entry that
- represents a piece of an organization.
- (Source: X.521 [X.521])
-
-
-
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 24]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- ( 2.5.6.5 NAME 'organizationalUnit'
- SUP top
- STRUCTURAL
- MUST ou
- MAY ( businessCategory $ description $ destinationIndicator $
- facsimileTelephoneNumber $ internationalISDNNumber $ l $
- physicalDeliveryOfficeName $ postalAddress $ postalCode $
- postOfficeBox $ preferredDeliveryMethod $
- registeredAddress $ searchGuide $ seeAlso $ st $ street $
- telephoneNumber $ teletexTerminalIdentifier $
- telexNumber $ userPassword $ x121Address ) )
-
-3.12 'person'
-
- The 'person' object class is the basis of an entry that represents a
- human being.
- (Source: X.521 [X.521])
-
- ( 2.5.6.6 NAME 'person'
- SUP top
- STRUCTURAL
- MUST ( sn $
- cn )
- MAY ( userPassword $
- telephoneNumber $
- seeAlso $ description ) )
-
-3.13. 'residentialPerson'
-
- The 'residentialPerson' object class is the basis of an entry that
- includes a person's residence in the representation of the person.
- (Source: X.521 [X.521])
-
- ( 2.5.6.10 NAME 'residentialPerson'
- SUP person
- STRUCTURAL
- MUST l
- MAY ( businessCategory $ x121Address $ registeredAddress $
- destinationIndicator $ preferredDeliveryMethod $
- telexNumber $ teletexTerminalIdentifier $
- telephoneNumber $ internationalISDNNumber $
- facsimileTelephoneNumber $ preferredDeliveryMethod $
- street $ postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ st $ l ) )
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 25]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-3.14. 'uidObject'
-
- The 'uidObject' object class permits an entry to contains user
- identification information. This object class is defined as
- auxiliary, because it will be used in conjunction with an existing
- structural object class.
- (Source: RFC 2377 [RFC2377])
-
- ( 1.3.6.1.1.3.1 NAME 'uidObject'
- SUP top
- AUXILIARY
- MUST uid )
-
-4. IANA Considerations
-
- The Internet Assigned Numbers Authority (IANA) has updated the LDAP
- descriptors registry as indicated in the following template:
-
- Subject: Request for LDAP Descriptor Registration Update
- Descriptor (short name): see comments
- Object Identifier: see comments
- Person & email address to contact for further information:
- Andrew Sciberras <andrew.sciberras at eb2bcom.com>
- Usage: (A = attribute type, O = Object Class) see comment
- Specification: RFC 4519
- Author/Change Controller: IESG
-
- Comments
-
- In the LDAP descriptors registry, the following descriptors (short
- names) have been updated to refer to RFC 4519. Names that need to
- be reserved, rather than assigned to an Object Identifier, will
- contain an Object Identifier value of RESERVED.
-
- NAME Type OID
- ------------------------ ---- ----------------------------
- applicationProcess O 2.5.6.11
- businessCategory A 2.5.4.15
- c A 2.5.4.6
- cn A 2.5.4.3
- commonName A 2.5.4.3
- country O 2.5.6.2
- countryName A 2.5.4.6
- dc A 0.9.2342.19200300.100.1.25
- dcObject O 1.3.6.1.4.1.1466.344
- description A 2.5.4.13
- destinationIndicator A 2.5.4.27
- device O 2.5.6.14
-
-
-
-Sciberras Standards Track [Page 26]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- NAME Type OID
- ------------------------ ---- ----------------------------
- distinguishedName A 2.5.4.49
- dnQualifier A 2.5.4.46
- domainComponent A 0.9.2342.19200300.100.1.25
- enhancedSearchGuide A 2.5.4.47
- facsimileTelephoneNumber A 2.5.4.23
- generationQualifier A 2.5.4.44
- givenName A 2.5.4.42
- gn A RESERVED
- groupOfNames O 2.5.6.9
- groupOfUniqueNames O 2.5.6.17
- houseIdentifier A 2.5.4.51
- initials A 2.5.4.43
- internationalISDNNumber A 2.5.4.25
- l A 2.5.4.7
- locality O 2.5.6.3
- localityName A 2.5.4.7
- member A 2.5.4.31
- name A 2.5.4.41
- o A 2.5.4.10
- organization O 2.5.6.4
- organizationName A 2.5.4.10
- organizationalPerson O 2.5.6.7
- organizationalRole O 2.5.6.8
- organizationalUnit O 2.5.6.5
- organizationalUnitName A 2.5.4.11
- ou A 2.5.4.11
- owner A 2.5.4.32
- person O 2.5.6.6
- physicalDeliveryOfficeName A 2.5.4.19
- postalAddress A 2.5.4.16
- postalCode A 2.5.4.17
- postOfficeBox A 2.5.4.18
- preferredDeliveryMethod A 2.5.4.28
- registeredAddress A 2.5.4.26
- residentialPerson O 2.5.6.10
- roleOccupant A 2.5.4.33
- searchGuide A 2.5.4.14
- seeAlso A 2.5.4.34
- serialNumber A 2.5.4.5
- sn A 2.5.4.4
- st A 2.5.4.8
- street A 2.5.4.9
- surname A 2.5.4.4
- telephoneNumber A 2.5.4.20
- teletexTerminalIdentifier A 2.5.4.22
- telexNumber A 2.5.4.21
-
-
-
-Sciberras Standards Track [Page 27]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- NAME Type OID
- ------------------------ ---- ----------------------------
- title A 2.5.4.12
- uid A 0.9.2342.19200300.100.1.1
- uidObject O 1.3.6.1.1.3.1
- uniqueMember A 2.5.4.50
- userid A 0.9.2342.19200300.100.1.1
- userPassword A 2.5.4.35
- x121Address A 2.5.4.24
- x500UniqueIdentifier A 2.5.4.45
-
-5. Security Considerations
-
- Attributes of directory entries are used to provide descriptive
- information about the real-world objects they represent, which can be
- people, organizations, or devices. Most countries have privacy laws
- regarding the publication of information about people.
-
- Transfer of cleartext passwords is strongly discouraged where the
- underlying transport service cannot guarantee confidentiality and
- integrity, since this may result in disclosure of the password to
- unauthorized parties.
-
- Multiple attribute values for the 'userPassword' attribute need to be
- used with care. Especially reset/deletion of a password by an
- administrator without knowing the old user password gets tricky or
- impossible if multiple values for different applications are present.
-
- Certainly, applications that intend to replace the 'userPassword'
- value(s) with new value(s) should use modify/replaceValues (or
- modify/deleteAttribute+addAttribute). In addition, server
- implementations are encouraged to provide administrative controls
- that, if enabled, restrict the 'userPassword' attribute to one value.
-
- Note that when used for authentication purposes [RFC4513], the user
- need only prove knowledge of one of the values, not all of the
- values.
-
-6. Acknowledgements
-
- The definitions, on which this document is based, have been developed
- by committees for telecommunications and international standards.
-
- This document is an update of RFC 2256 by Mark Wahl. RFC 2256 was a
- product of the IETF ASID Working Group.
-
-
-
-
-
-
-Sciberras Standards Track [Page 28]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- The 'dc' attribute type definition and the 'dcObject' object class
- definition in this document supersede the specification in RFC 2247
- by S. Kille, M. Wahl, A. Grimstad, R. Huber, and S. Sataluri.
-
- The 'uid' attribute type definition in this document supersedes the
- specification of the 'userid' in RFC 1274 by P. Barker and S. Kille
- and of the uid in RFC 2798 by M. Smith.
-
- The 'uidObject' object class definition in this document supersedes
- the specification of the 'uidObject' in RFC 2377 by A. Grimstad, R.
- Huber, S. Sataluri, and M. Wahl.
-
- This document is based upon input of the IETF LDAPBIS working group.
- The author wishes to thank S. Legg and K. Zeilenga for their
- significant contribution to this update. The author would also like
- to thank Kathy Dally, who edited early versions of this document.
-
-7. References
-
-7.1. Normative References
-
- [E.123] Notation for national and international telephone numbers,
- ITU-T Recommendation E.123, 1988
-
- [E.164] The international public telecommunication numbering plan,
- ITU-T Recommendation E.164, 1997
-
- [F.1] Operational Provisions For The International Public
- Telegram Service Transmission System, CCITT Recommendation
- F.1, 1992
-
- [F.31] Telegram Retransmission System, CCITT Recommendation F.31,
- 1988
-
- [ISO3166] ISO 3166, "Codes for the representation of names of
- countries".
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
- and Support", STD 3, RFC 1123, October 1989.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
-
-
-Sciberras Standards Track [Page 29]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
- "Internationalizing Domain Names in Applications (IDNA)",
- RFC 3490, March 2003.
-
- [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names
- and Passwords", RFC 4013, February 2005.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006.
-
- [X.121] International numbering plan for public data networks,
- ITU-T Recommendation X.121, 1996
-
- [X.509] The Directory: Authentication Framework, ITU-T
- Recommendation X.509, 1993
-
- [X.520] The Directory: Selected Attribute Types, ITU-T
- Recommendation X.520, 1993
-
- [X.521] The Directory: Selected Object Classes. ITU-T
- Recommendation X.521, 1993
-
-7.2. Informative References
-
- [RFC1274] Barker, P. and S. Kille, "The COSINE and Internet X.500
- Schema", RFC 1274, November 1991.
-
- [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S.
- Sataluri, "Using Domains in LDAP/X.500 Distinguished
- Names", RFC 2247, January 1998.
-
- [RFC2377] Grimstad, A., Huber, R., Sataluri, S., and M. Wahl,
- "Naming Plan for Internet Directory-Enabled Applications",
- RFC 2377, September 1998.
-
- [RFC2798] Smith, M., "Definition of the inetOrgPerson LDAP Object
- Class", RFC 2798, April 2000.
-
-
-
-Sciberras Standards Track [Page 30]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- [RFC4513] Harrison R., Ed., "Lightweight Directory Access Protocol
- (LDAP): Authentication Methods and Security Mechanisms",
- RFC 4513, June 2006.
-
- [RFC4523] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) Schema Definitions for X.509 Certificates", RFC
- 4523, June 2006.
-
- [RFC4524] Zeilenga, E., Ed., "COSINE LDAP/X.500 Schema", RFC 4524,
- June 2006.
-
- [X.500] ITU-T Recommendations X.500 (1993) | ISO/IEC 9594-1:1994,
- Information Technology - Open Systems Interconnection -
- The Directory: Overview of concepts, models and services.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 31]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-Appendix A. Changes Made Since RFC 2256
-
- This appendix lists the changes that have been made from RFC 2256 to
- RFC 4519.
-
- This appendix is not a normative part of this specification, which
- has been provided for informational purposes only.
-
- 1. Replaced the document title.
-
- 2. Removed the IESG Note.
-
- 3. Dependencies on RFC 1274 have been eliminated.
-
- 4. Added a Security Considerations section and an IANA
- Considerations section.
-
- 5. Deleted the conformance requirement for subschema object
- classes in favor of a statement in [RFC4517].
-
- 6. Added explanation to attribute types and to each object class.
-
- 7. Removed Section 4, Syntaxes, and Section 6, Matching Rules,
- (moved to [RFC4517]).
-
- 8. Removed the certificate-related attribute types:
- authorityRevocationList, cACertificate,
- certificateRevocationList, crossCertificatePair,
- deltaRevocationList, supportedAlgorithms, and userCertificate.
-
- Removed the certificate-related Object Classes:
- certificationAuthority, certificationAuthority-V2,
- cRLDistributionPoint, strongAuthenticationUser, and
- userSecurityInformation
-
- LDAP PKI is now discussed in [RFC4523].
-
- 9. Removed the dmdName, knowledgeInformation,
- presentationAddress, protocolInformation, and
- supportedApplicationContext attribute types and the dmd,
- applicationEntity, and dSA object classes.
-
- 10. Deleted the aliasedObjectName and objectClass attribute type
- definitions. Deleted the alias and top object class
- definitions. They are included in [RFC4512].
-
-
-
-
-
-
-Sciberras Standards Track [Page 32]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- 11. Added the 'dc' attribute type from RFC 2247, making the
- distinction between 'stored' and 'query' values when preparing
- IDN strings.
-
- 12. Numerous editorial changes.
-
- 13. Removed upper bound after the SYNTAX oid in all attribute
- definitions where it appeared.
-
- 14. Added text about Unicode, SASLprep [RFC4013], and UTF-8 for
- userPassword.
-
- 15. Included definitions, comments and references for 'dcObject'
- and 'uidObject'.
-
- 16. Replaced PKI schema references to use RFC 4523.
-
- 17. Spelt out and referenced ABNF on first usage.
-
- 18. Removed Section 2.4 (Source). Replaced the source table with
- explicit references for each definition.
-
- 19. All references to an attribute type or object class are
- enclosed in single quotes.
-
- 20. The layout of attribute type definitions has been changed to
- provide consistency throughout the document:
- > Section Heading
- > Description of Attribute type
- > Multivalued description
- > Source Information
- > Definition
- > Example
- > Additional Comments
-
- Adding this consistent output included the addition of
- examples to some definitions.
-
- 21. References to alternate names for attributes types are
- provided with a reference to where they were originally
- specified.
-
- 22. Clarification of the description of 'distinguishedName' and
- 'name', in regards to these attribute types being supertypes.
-
- 23. Spelt out ISDN on first usage.
-
-
-
-
-
-Sciberras Standards Track [Page 33]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
- 24. Inserted a reference to [RFC4517] for the
- 'teletexTerminalIdentifier' definition's SYNTAX OID.
-
- 25. Additional names were added to the IANA Considerations. Names
- include 'commonName', 'dcObject', 'domainComponent', 'GN',
- 'localityName', 'organizationName', 'organizationUnitName',
- 'surname', 'uidObject' and 'userid'.
-
- 26. Renamed all instances of supercede to supersede.
-
- 27. Moved [F.1], [F.31] and [RFC4013] from informative to
- normative references.
-
- 28. Changed the 'c' definition to be consistent with X.500.
-
-Author's Address
-
- Andrew Sciberras
- eB2Bcom
- Suite 3, Woodhouse Corporate Centre,
- 935 Station Street,
- Box Hill North, Victoria 3129
- AUSTRALIA
-
- Phone: +61 3 9896 7833
- EMail: andrew.sciberras at eb2bcom.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 34]
-�
-RFC 4519 LDAP: Schema for User Applications June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Sciberras Standards Track [Page 35]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4520.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4520.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4520.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1067 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4520 OpenLDAP Foundation
-BCP: 64 June 2006
-Obsoletes: 3383
-Category: Best Current Practice
-
-
- Internet Assigned Numbers Authority (IANA) Considerations for
- the Lightweight Directory Access Protocol (LDAP)
-
-Status of This Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document provides procedures for registering extensible elements
- of the Lightweight Directory Access Protocol (LDAP). The document
- also provides guidelines to the Internet Assigned Numbers Authority
- (IANA) describing conditions under which new values can be assigned.
-
-1. Introduction
-
- The Lightweight Directory Access Protocol [RFC4510] (LDAP) is an
- extensible protocol. LDAP supports:
-
- - the addition of new operations,
- - the extension of existing operations, and
- - the extensible schema.
-
- This document details procedures for registering values used to
- unambiguously identify extensible elements of the protocol, including
- the following:
-
- - LDAP message types
- - LDAP extended operations and controls
- - LDAP result codes
- - LDAP authentication methods
- - LDAP attribute description options
- - Object Identifier descriptors
-
-
-
-
-
-Zeilenga Best Current Practice [Page 1]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- These registries are maintained by the Internet Assigned Numbers
- Authority (IANA).
-
- In addition, this document provides guidelines to IANA describing the
- conditions under which new values can be assigned.
-
- This document replaces RFC 3383.
-
-2. Terminology and Conventions
-
- This section details terms and conventions used in this document.
-
-2.1. Policy Terminology
-
- The terms "IESG Approval", "Standards Action", "IETF Consensus",
- "Specification Required", "First Come First Served", "Expert Review",
- and "Private Use" are used as defined in BCP 26 [RFC2434].
-
- The term "registration owner" (or "owner") refers to the party
- authorized to change a value's registration.
-
-2.2. Requirement Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119]. In
- this case, "the specification", as used by BCP 14, refers to the
- processing of protocols being submitted to the IETF standards
- process.
-
-2.3. Common ABNF Productions
-
- A number of syntaxes in this document are described using ABNF
- [RFC4234]. These syntaxes rely on the following common productions:
-
- ALPHA = %x41-5A / %x61-7A ; "A"-"Z" / "a"-"z"
- LDIGIT = %x31-39 ; "1"-"9"
- DIGIT = %x30 / LDIGIT ; "0"-"9"
- HYPHEN = %x2D ; "-"
- DOT = %x2E ; "."
- number = DIGIT / ( LDIGIT 1*DIGIT )
- keychar = ALPHA / DIGIT / HYPHEN
- leadkeychar = ALPHA
- keystring = leadkeychar *keychar
- keyword = keystring
-
- Keywords are case insensitive.
-
-
-
-
-Zeilenga Best Current Practice [Page 2]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-3. IANA Considerations for LDAP
-
- This section details each kind of protocol value that can be
- registered and provides IANA guidelines on how to assign new values.
-
- IANA may reject obviously bogus registrations.
-
- LDAP values specified in RFCs MUST be registered. Other LDAP values,
- except those in private-use name spaces, SHOULD be registered. RFCs
- SHOULD NOT reference, use, or otherwise recognize unregistered LDAP
- values.
-
-3.1. Object Identifiers
-
- Numerous LDAP schema and protocol elements are identified by Object
- Identifiers (OIDs) [X.680]. Specifications that assign OIDs to
- elements SHOULD state who delegated the OIDs for their use.
-
- For IETF-developed elements, specifications SHOULD use OIDs under
- "Internet Directory Numbers" (1.3.6.1.1.x). For elements developed
- by others, any properly delegated OID can be used, including those
- under "Internet Directory Numbers" (1.3.6.1.1.x) or "Internet Private
- Enterprise Numbers" (1.3.6.1.4.1.x).
-
- Internet Directory Numbers (1.3.6.1.1.x) will be assigned upon Expert
- Review with Specification Required. Only one OID per specification
- will be assigned. The specification MAY then assign any number of
- OIDs within this arc without further coordination with IANA.
-
- Internet Private Enterprise Numbers (1.3.6.1.4.1.x) are assigned by
- IANA <http://www.iana.org/cgi-bin/enterprise.pl>. Practices for IANA
- assignment of Internet Private Enterprise Numbers are detailed in RFC
- 2578 [RFC2578].
-
- To avoid interoperability problems between early implementations of a
- "work in progress" and implementations of the published specification
- (e.g., the RFC), experimental OIDs SHOULD be used in "works in
- progress" and early implementations. OIDs under the Internet
- Experimental OID arc (1.3.6.1.3.x) may be used for this purpose.
- Practices for IANA assignment of these Internet Experimental numbers
- are detailed in RFC 2578 [RFC2578].
-
-3.2. Protocol Mechanisms
-
- LDAP provides a number of Root DSA-Specific Entry (DSE) attributes
- for discovery of protocol mechanisms identified by OIDs, including
- the supportedControl, supportedExtension, and supportedFeatures
- attributes [RFC4512].
-
-
-
-Zeilenga Best Current Practice [Page 3]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- A registry of OIDs used for discovery of protocol mechanisms is
- provided to allow implementors and others to locate the technical
- specification for these protocol mechanisms. Future specifications
- of additional Root DSE attributes holding values identifying protocol
- mechanisms MAY extend this registry for their values.
-
- Protocol mechanisms are registered on a First Come First Served
- basis.
-
-3.3. LDAP Syntaxes
-
- This registry provides a listing of LDAP syntaxes [RFC4512]. Each
- LDAP syntax is identified by an OID. This registry is provided to
- allow implementors and others to locate the technical specification
- describing a particular LDAP Syntax.
-
- LDAP Syntaxes are registered on a First Come First Served with
- Specification Required basis.
-
- Note: Unlike object classes, attribute types, and various other kinds
- of schema elements, descriptors are not used in LDAP to
- identify LDAP Syntaxes.
-
-3.4. Object Identifier Descriptors
-
- LDAP allows short descriptive names (or descriptors) to be used
- instead of a numeric Object Identifier to identify select protocol
- extensions [RFC4511], schema elements [RFC4512], LDAP URL [RFC4516]
- extensions, and other objects.
-
- Although the protocol allows the same descriptor to refer to
- different object identifiers in certain cases and the registry
- supports multiple registrations of the same descriptor (each
- indicating a different kind of schema element and different object
- identifier), multiple registrations of the same descriptor are to be
- avoided. All such multiple registration requests require Expert
- Review.
-
- Descriptors are restricted to strings of UTF-8 [RFC3629] encoded
- Unicode characters restricted by the following ABNF:
-
- name = keystring
-
- Descriptors are case insensitive.
-
- Multiple names may be assigned to a given OID. For purposes of
- registration, an OID is to be represented in numeric OID form (e.g.,
- 1.1.0.23.40) conforming to the following ABNF:
-
-
-
-Zeilenga Best Current Practice [Page 4]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- numericoid = number 1*( DOT number )
-
- While the protocol places no maximum length restriction upon
- descriptors, they should be short. Descriptors longer than 48
- characters may be viewed as too long to register.
-
- A value ending with a hyphen ("-") reserves all descriptors that
- start with that value. For example, the registration of the option
- "descrFamily-" reserves all options that start with "descrFamily-"
- for some related purpose.
-
- Descriptors beginning with "x-" are for Private Use and cannot be
- registered.
-
- Descriptors beginning with "e-" are reserved for experiments and will
- be registered on a First Come First Served basis.
-
- All other descriptors require Expert Review to be registered.
-
- The registrant need not "own" the OID being named.
-
- The OID name space is managed by the ISO/IEC Joint Technical
- Committee 1 - Subcommittee 6.
-
-3.5. AttributeDescription Options
-
- An AttributeDescription [RFC4512] can contain zero or more options
- specifying additional semantics. An option SHALL be restricted to a
- string of UTF-8 encoded Unicode characters limited by the following
- ABNF:
-
- option = keystring
-
- Options are case insensitive.
-
- While the protocol places no maximum length restriction upon option
- strings, they should be short. Options longer than 24 characters may
- be viewed as too long to register.
-
- Values ending with a hyphen ("-") reserve all option names that start
- with the name. For example, the registration of the option
- "optionFamily-" reserves all options that start with "optionFamily-"
- for some related purpose.
-
- Options beginning with "x-" are for Private Use and cannot be
- registered.
-
-
-
-
-
-Zeilenga Best Current Practice [Page 5]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- Options beginning with "e-" are reserved for experiments and will be
- registered on a First Come First Served basis.
-
- All other options require Standards Action or Expert Review with
- Specification Required to be registered.
-
-3.6. LDAP Message Types
-
- Each protocol message is encapsulated in an LDAPMessage envelope
- [RFC4511. The protocolOp CHOICE indicates the type of message
- encapsulated. Each message type consists of an ASN.1 identifier in
- the form of a keyword and a non-negative choice number. The choice
- number is combined with the class (APPLICATION) and data type
- (CONSTRUCTED or PRIMITIVE) to construct the BER tag in the message's
- encoding. The choice numbers for existing protocol messages are
- implicit in the protocol's ASN.1 defined in [RFC4511].
-
- New values will be registered upon Standards Action.
-
- Note: LDAP provides extensible messages that reduce but do not
- eliminate the need to add new message types.
-
-3.7. LDAP Authentication Method
-
- The LDAP Bind operation supports multiple authentication methods
- [RFC4511]. Each authentication choice consists of an ASN.1
- identifier in the form of a keyword and a non-negative integer.
-
- The registrant SHALL classify the authentication method usage using
- one of the following terms:
-
- COMMON - method is appropriate for common use on the
- Internet.
- LIMITED USE - method is appropriate for limited use.
- OBSOLETE - method has been deprecated or otherwise found to
- be inappropriate for any use.
-
- Methods without publicly available specifications SHALL NOT be
- classified as COMMON. New registrations of the class OBSOLETE cannot
- be registered.
-
- New authentication method integers in the range 0-1023 require
- Standards Action to be registered. New authentication method
- integers in the range 1024-4095 require Expert Review with
- Specification Required. New authentication method integers in the
- range 4096-16383 will be registered on a First Come First Served
- basis. Keywords associated with integers in the range 0-4095 SHALL
- NOT start with "e-" or "x-". Keywords associated with integers in
-
-
-
-Zeilenga Best Current Practice [Page 6]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- the range 4096-16383 SHALL start with "e-". Values greater than or
- equal to 16384 and keywords starting with "x-" are for Private Use
- and cannot be registered.
-
- Note: LDAP supports Simple Authentication and Security Layers
- [RFC4422] as an authentication choice. SASL is an extensible
- authentication framework.
-
-3.8. LDAP Result Codes
-
- LDAP result messages carry a resultCode enumerated value to indicate
- the outcome of the operation [RFC4511]. Each result code consists of
- an ASN.1 identifier in the form of a keyword and a non-negative
- integer.
-
- New resultCodes integers in the range 0-1023 require Standards Action
- to be registered. New resultCode integers in the range 1024-4095
- require Expert Review with Specification Required. New resultCode
- integers in the range 4096-16383 will be registered on a First Come
- First Served basis. Keywords associated with integers in the range
- 0-4095 SHALL NOT start with "e-" or "x-". Keywords associated with
- integers in the range 4096-16383 SHALL start with "e-". Values
- greater than or equal to 16384 and keywords starting with "x-" are
- for Private Use and cannot be registered.
-
-3.9. LDAP Search Scope
-
- LDAP SearchRequest messages carry a scope-enumerated value to
- indicate the extent of search within the DIT [RFC4511]. Each search
- value consists of an ASN.1 identifier in the form of a keyword and a
- non-negative integer.
-
- New scope integers in the range 0-1023 require Standards Action to be
- registered. New scope integers in the range 1024-4095 require Expert
- Review with Specification Required. New scope integers in the range
- 4096-16383 will be registered on a First Come First Served basis.
- Keywords associated with integers in the range 0-4095 SHALL NOT start
- with "e-" or "x-". Keywords associated with integers in the range
- 4096-16383 SHALL start with "e-". Values greater than or equal to
- 16384 and keywords starting with "x-" are for Private Use and cannot
- be registered.
-
-3.10. LDAP Filter Choice
-
- LDAP filters are used in making assertions against an object
- represented in the directory [RFC4511]. The Filter CHOICE indicates
- a type of assertion. Each Filter CHOICE consists of an ASN.1
- identifier in the form of a keyword and a non-negative choice number.
-
-
-
-Zeilenga Best Current Practice [Page 7]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- The choice number is combined with the class (APPLICATION) and data
- type (CONSTRUCTED or PRIMITIVE) to construct the BER tag in the
- message's encoding.
-
- Note: LDAP provides the extensibleMatching choice, which reduces but
- does not eliminate the need to add new filter choices.
-
-3.11. LDAP ModifyRequest Operation Type
-
- The LDAP ModifyRequest carries a sequence of modification operations
- [RFC4511]. Each kind (e.g., add, delete, replace) of operation
- consists of an ASN.1 identifier in the form of a keyword and a non-
- negative integer.
-
- New operation type integers in the range 0-1023 require Standards
- Action to be registered. New operation type integers in the range
- 1024-4095 require Expert Review with Specification Required. New
- operation type integers in the range 4096-16383 will be registered on
- a First Come First Served basis. Keywords associated with integers
- in the range 0-4095 SHALL NOT start with "e-" or "x-". Keywords
- associated with integers in the range 4096-16383 SHALL start with
- "e-". Values greater than or equal to 16384 and keywords starting
- with "x-" are for Private Use and cannot be registered.
-
-3.12. LDAP authzId Prefixes
-
- Authorization Identities in LDAP are strings conforming to the
- <authzId> production [RFC4513]. This production is extensible. Each
- new specific authorization form is identified by a prefix string
- conforming to the following ABNF:
-
- prefix = keystring COLON
- COLON = %x3A ; COLON (":" U+003A)
-
- Prefixes are case insensitive.
-
- While the protocol places no maximum length restriction upon prefix
- strings, they should be short. Prefixes longer than 12 characters
- may be viewed as too long to register.
-
- Prefixes beginning with "x-" are for Private Use and cannot be
- registered.
-
- Prefixes beginning with "e-" are reserved for experiments and will be
- registered on a First Come First Served basis.
-
- All other prefixes require Standards Action or Expert Review with
- Specification Required to be registered.
-
-
-
-Zeilenga Best Current Practice [Page 8]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-3.13. Directory Systems Names
-
- The IANA-maintained "Directory Systems Names" registry [IANADSN] of
- valid keywords for well-known attributes was used in the LDAPv2
- string representation of a distinguished name [RFC1779]. LDAPv2 is
- now Historic [RFC3494].
-
- Directory systems names are not known to be used in any other
- context. LDAPv3 [RFC4514] uses Object Identifier Descriptors
- [Section 3.2] (which have a different syntax than directory system
- names).
-
- New Directory System Names will no longer be accepted. For
- historical purposes, the current list of registered names should
- remain publicly available.
-
-4. Registration Procedure
-
- The procedure given here MUST be used by anyone who wishes to use a
- new value of a type described in Section 3 of this document.
-
- The first step is for the requester to fill out the appropriate form.
- Templates are provided in Appendix A.
-
- If the policy is Standards Action, the completed form SHOULD be
- provided to the IESG with the request for Standards Action. Upon
- approval of the Standards Action, the IESG SHALL forward the request
- (possibly revised) to IANA. The IESG SHALL be regarded as the
- registration owner of all values requiring Standards Action.
-
- If the policy is Expert Review, the requester SHALL post the
- completed form to the <directory at apps.ietf.org> mailing list for
- public review. The review period is two (2) weeks. If a revised
- form is later submitted, the review period is restarted. Anyone may
- subscribe to this list by sending a request to <directory-
- request at apps.ietf.org>. During the review, objections may be raised
- by anyone (including the Expert) on the list. After completion of
- the review, the Expert, based on public comments, SHALL either
- approve the request and forward it to the IANA OR deny the request.
- In either case, the Expert SHALL promptly notify the requester of the
- action. Actions of the Expert may be appealed [RFC2026]. The Expert
- is appointed by Applications Area Directors. The requester is viewed
- as the registration owner of values registered under Expert Review.
-
- If the policy is First Come First Served, the requester SHALL submit
- the completed form directly to the IANA: <iana at iana.org>. The
- requester is viewed as the registration owner of values registered
- under First Come First Served.
-
-
-
-Zeilenga Best Current Practice [Page 9]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- Neither the Expert nor IANA will take position on the claims of
- copyright or trademark issues regarding completed forms.
-
- Prior to submission of the Internet Draft (I-D) to the RFC Editor but
- after IESG review and tentative approval, the document editor SHOULD
- revise the I-D to use registered values.
-
-5. Registration Maintenance
-
- This section discusses maintenance of registrations.
-
-5.1. Lists of Registered Values
-
- IANA makes lists of registered values readily available to the
- Internet community on its web site: <http://www.iana.org/>.
-
-5.2. Change Control
-
- The registration owner MAY update the registration subject to the
- same constraints and review as with new registrations. In cases
- where the registration owner is unable or is unwilling to make
- necessary updates, the IESG MAY assume ownership of the registration
- in order to update the registration.
-
-5.3. Comments
-
- For cases where others (anyone other than the registration owner)
- have significant objections to the claims in a registration and the
- registration owner does not agree to change the registration,
- comments MAY be attached to a registration upon Expert Review. For
- registrations owned by the IESG, the objections SHOULD be addressed
- by initiating a request for Expert Review.
-
- The form of these requests is ad hoc, but MUST include the specific
- objections to be reviewed and SHOULD contain (directly or by
- reference) materials supporting the objections.
-
-6. Security Considerations
-
- The security considerations detailed in BCP 26 [RFC2434] are
- generally applicable to this document. Additional security
- considerations specific to each name space are discussed in Section
- 3, where appropriate.
-
- Security considerations for LDAP are discussed in documents
- comprising the technical specification [RFC4510].
-
-
-
-
-
-Zeilenga Best Current Practice [Page 10]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-7. Acknowledgement
-
- This document is a product of the IETF LDAP Revision (LDAPBIS)
- Working Group (WG). This document is a revision of RFC 3383, also a
- product of the LDAPBIS WG.
-
- This document includes text borrowed from "Guidelines for Writing an
- IANA Considerations Section in RFCs" [RFC2434] by Thomas Narten and
- Harald Alvestrand.
-
-8. References
-
-8.1. Normative References
-
- [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
- 3", BCP 9, RFC 2026, October 1996.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
- "Structure of Management Information Version 2 (SMIv2)",
- STD 58, RFC 2578, April 1999.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
- (LDAP): Authentication Methods and Security Mechanisms",
- RFC 4513, June 2006.
-
-
-
-Zeilenga Best Current Practice [Page 11]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory Access
- Protocol (LDAP): Uniform Resource Locator", RFC 4516, June
- 2006.
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version 3.0"
- (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
- as amended by the "Unicode Standard Annex #27: Unicode
- 3.1" (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
- [X.680] International Telecommunication Union - Telecommunication
- Standardization Sector, "Abstract Syntax Notation One
- (ASN.1) - Specification of Basic Notation", X.680(2002)
- (also ISO/IEC 8824-1:2002).
-
-8.2. Informative References
-
- [RFC1779] Kille, S., "A String Representation of Distinguished
- Names", RFC 1779, March 1995.
-
- [RFC3494] Zeilenga, K.,"Lightweight Directory Access Protocol
- version 2 (LDAPv2) to Historic Status", RFC 3494, March
- 2003.
-
- [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): String Representation of Distinguished Names", RFC
- 4514, June 2006.
-
- [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
- Authentication and Security Layer (SASL)", RFC 4422, June
- 2006.
-
- [IANADSN] IANA, "Directory Systems Names",
- http://www.iana.org/assignments/directory-system-names.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 12]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-Appendix A. Registration Templates
-
- This appendix provides registration templates for registering new
- LDAP values. Note that more than one value may be requested by
- extending the template by listing multiple values, or through use of
- tables.
-
-A.1. LDAP Object Identifier Registration Template
-
- Subject: Request for LDAP OID Registration
-
- Person & email address to contact for further information:
-
- Specification: (I-D)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-A.2. LDAP Protocol Mechanism Registration Template
-
- Subject: Request for LDAP Protocol Mechanism Registration
-
- Object Identifier:
-
- Description:
-
- Person & email address to contact for further information:
-
- Usage: (One of Control or Extension or Feature or other)
-
- Specification: (RFC, I-D, URI)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 13]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-A.3. LDAP Syntax Registration Template
-
- Subject: Request for LDAP Syntax Registration
-
- Object Identifier:
-
- Description:
-
- Person & email address to contact for further information:
-
- Specification: (RFC, I-D, URI)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-A.4. LDAP Descriptor Registration Template
-
- Subject: Request for LDAP Descriptor Registration
-
- Descriptor (short name):
-
- Object Identifier:
-
- Person & email address to contact for further information:
-
- Usage: (One of administrative role, attribute type, matching rule,
- name form, object class, URL extension, or other)
-
- Specification: (RFC, I-D, URI)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 14]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-A.5. LDAP Attribute Description Option Registration Template
-
- Subject: Request for LDAP Attribute Description Option Registration
- Option Name:
-
- Family of Options: (YES or NO)
-
- Person & email address to contact for further information:
-
- Specification: (RFC, I-D, URI)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-A.6. LDAP Message Type Registration Template
-
- Subject: Request for LDAP Message Type Registration
-
- LDAP Message Name:
-
- Person & email address to contact for further information:
-
- Specification: (Approved I-D)
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-A.7. LDAP Authentication Method Registration Template
-
- Subject: Request for LDAP Authentication Method Registration
-
- Authentication Method Name:
-
- Person & email address to contact for further information:
-
- Specification: (RFC, I-D, URI)
-
- Intended Usage: (One of COMMON, LIMITED-USE, OBSOLETE)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-
-
-Zeilenga Best Current Practice [Page 15]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-A.8. LDAP Result Code Registration Template
-
- Subject: Request for LDAP Result Code Registration
-
- Result Code Name:
-
- Person & email address to contact for further information:
-
- Specification: (RFC, I-D, URI)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-A.8. LDAP Search Scope Registration Template
-
- Subject: Request for LDAP Search Scope Registration
-
- Search Scope Name:
-
- Filter Scope String:
-
- Person & email address to contact for further information:
-
- Specification: (RFC, I-D, URI)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 16]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-A.9. LDAP Filter Choice Registration Template
-
- Subject: Request for LDAP Filter Choice Registration
-
- Filter Choice Name:
-
- Person & email address to contact for further information:
-
- Specification: (RFC, I-D, URI)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-A.10. LDAP ModifyRequest Operation Registration Template
-
- Subject: Request for LDAP ModifyRequest Operation Registration
-
- ModifyRequest Operation Name:
-
- Person & email address to contact for further information:
-
- Specification: (RFC, I-D, URI)
-
- Author/Change Controller:
-
- Comments:
-
- (Any comments that the requester deems relevant to the request.)
-
-Appendix B. Changes since RFC 3383
-
- This informative appendix provides a summary of changes made since
- RFC 3383.
-
- - Object Identifier Descriptors practices were updated to require
- all descriptors defined in RFCs to be registered and
- recommending all other descriptors (excepting those in
- private-use name space) be registered. Additionally, all
- requests for multiple registrations of the same descriptor are
- now subject to Expert Review.
-
- - Protocol Mechanisms practices were updated to include values of
- the 'supportedFeatures' attribute type.
-
-
-
-
-
-Zeilenga Best Current Practice [Page 17]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
- - LDAP Syntax, Search Scope, Filter Choice, ModifyRequest
- operation, and authzId prefixes registries were added.
-
- - References to RFCs comprising the LDAP technical specifications
- have been updated to latest revisions.
-
- - References to ISO 10646 have been replaced with [Unicode].
-
- - The "Assigned Values" appendix providing initial registry
- values was removed.
-
- - Numerous editorial changes were made.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 18]
-�
-RFC 4520 IANA Considerations for LDAP June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 19]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4521.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4521.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4521.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,899 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4521 OpenLDAP Foundation
-BCP: 118 June 2006
-Category: Best Current Practice
-
-
- Considerations for
- Lightweight Directory Access Protocol (LDAP) Extensions
-
-Status of This Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- The Lightweight Directory Access Protocol (LDAP) is extensible. It
- provides mechanisms for adding new operations, extending existing
- operations, and expanding user and system schemas. This document
- discusses considerations for designers of LDAP extensions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 1]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 1.1. Terminology ................................................3
- 2. General Considerations ..........................................4
- 2.1. Scope of Extension .........................................4
- 2.2. Interaction between extensions .............................4
- 2.3. Discovery Mechanism ........................................4
- 2.4. Internationalization Considerations ........................5
- 2.5. Use of the Basic Encoding Rules ............................5
- 2.6. Use of Formal Languages ....................................5
- 2.7. Examples ...................................................5
- 2.8. Registration of Protocol Values ............................5
- 3. LDAP Operation Extensions .......................................6
- 3.1. Controls ...................................................6
- 3.1.1. Extending Bind Operation with Controls ..............6
- 3.1.2. Extending the Start TLS Operation with Controls .....7
- 3.1.3. Extending the Search Operation with Controls ........7
- 3.1.4. Extending the Update Operations with Controls .......8
- 3.1.5. Extending the Responseless Operations with Controls..8
- 3.2. Extended Operations ........................................8
- 3.3. Intermediate Responses .....................................8
- 3.4. Unsolicited Notifications ..................................9
- 4. Extending the LDAP ASN.1 Definition .............................9
- 4.1. Result Codes ...............................................9
- 4.2. LDAP Message Types .........................................9
- 4.3. Authentication Methods ....................................10
- 4.4. General ASN.1 Extensibility ...............................10
- 5. Schema Extensions ..............................................10
- 5.1. LDAP Syntaxes .............................................11
- 5.2. Matching Rules ............................................11
- 5.3. Attribute Types ...........................................12
- 5.4. Object Classes ............................................12
- 6. Other Extension Mechanisms .....................................12
- 6.1. Attribute Description Options .............................12
- 6.2. Authorization Identities ..................................12
- 6.3. LDAP URL Extensions .......................................12
- 7. Security Considerations ........................................12
- 8. Acknowledgements ...............................................13
- 9. References .....................................................13
- 9.1. Normative References ......................................13
- 9.2. Informative References ....................................15
-
-
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 2]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
-1. Introduction
-
- The Lightweight Directory Access Protocol (LDAP) [RFC4510] is an
- extensible protocol.
-
- LDAP allows for new operations to be added and for existing
- operations to be enhanced [RFC4511].
-
- LDAP allows additional schema to be defined [RFC4512][RFC4517]. This
- can include additional object classes, attribute types, matching
- rules, additional syntaxes, and other elements of schema. LDAP
- provides an ability to extend attribute types with options [RFC4512].
-
- LDAP supports a Simple Authentication and Security Layer (SASL)
- authentication method [RFC4511][RFC4513]. SASL [RFC4422] is
- extensible. LDAP may be extended to support additional
- authentication methods [RFC4511].
-
- LDAP supports establishment of Transport Layer Security (TLS)
- [RFC4511][RFC4513]. TLS [RFC4346] is extensible.
-
- LDAP has an extensible Uniform Resource Locator (URL) format
- [RFC4516].
-
- Lastly, LDAP allows for certain extensions to the protocol's Abstract
- Syntax Notation - One (ASN.1) [X.680] definition to be made. This
- facilitates a wide range of protocol enhancements, for example, new
- result codes needed to support extensions to be added through
- extension of the protocol's ASN.1 definition.
-
- This document describes practices that engineers should consider when
- designing extensions to LDAP.
-
-1.1. Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119]. In
- this document, "the specification", as used by BCP 14, RFC 2119,
- refers to the engineering of LDAP extensions.
-
- The term "Request Control" refers to a control attached to a client-
- generated message sent to a server. The term "Response Control"
- refers to a control attached to a server-generated message sent to a
- client.
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 3]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
- DIT stands for Directory Information Tree.
- DSA stands for Directory System Agent, a server.
- DSE stands for DSA-Specific Entry.
- DUA stands for Directory User Agent, a client.
- DN stands for Distinguished Name.
-
-2. General Considerations
-
-2.1. Scope of Extension
-
- Mutually agreeing peers may, within the confines of an extension,
- agree to significant changes in protocol semantics. However,
- designers MUST consider the impact of an extension upon protocol
- peers that have not agreed to implement or otherwise recognize and
- support the extension. Extensions MUST be "truly optional"
- [RFC2119].
-
-2.2. Interaction between extensions
-
- Designers SHOULD consider how extensions they engineer interact with
- other extensions.
-
- Designers SHOULD consider the extensibility of extensions they
- specify. Extensions to LDAP SHOULD themselves be extensible.
-
- Except where it is stated otherwise, extensibility is implied.
-
-2.3. Discovery Mechanism
-
- Extensions SHOULD provide adequate discovery mechanisms.
-
- As LDAP design is based upon the client-request/server-response
- paradigm, the general discovery approach is for the client to
- discover the capabilities of the server before utilizing a particular
- extension. Commonly, this discovery involves querying the root DSE
- and/or other DSEs for operational information associated with the
- extension. LDAP provides no mechanism for a server to discover the
- capabilities of a client.
-
- The 'supportedControl' attribute [RFC4512] is used to advertise
- supported controls. The 'supportedExtension' attribute [RFC4512] is
- used to advertise supported extended operations. The
- 'supportedFeatures' attribute [RFC4512] is used to advertise
- features. Other root DSE attributes MAY be defined to advertise
- other capabilities.
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 4]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
-2.4. Internationalization Considerations
-
- LDAP is designed to support the full Unicode [Unicode] repertory of
- characters. Extensions SHOULD avoid unnecessarily restricting
- applications to subsets of Unicode (e.g., Basic Multilingual Plane,
- ISO 8859-1, ASCII, Printable String).
-
- LDAP Language Tag options [RFC3866] provide a mechanism for tagging
- text (and other) values with language information. Extensions that
- define attribute types SHOULD allow use of language tags with these
- attributes.
-
-2.5. Use of the Basic Encoding Rules
-
- Numerous elements of LDAP are described using ASN.1 [X.680] and are
- encoded using a particular subset [Protocol, Section 5.2] of the
- Basic Encoding Rules (BER) [X.690]. To allow reuse of
- parsers/generators used in implementing the LDAP "core" technical
- specification [RFC4510], it is RECOMMENDED that extension elements
- (e.g., extension specific contents of controlValue, requestValue,
- responseValue fields) described by ASN.1 and encoded using BER be
- subjected to the restrictions of [Protocol, Section 5.2].
-
-2.6. Use of Formal Languages
-
- Formal languages SHOULD be used in specifications in accordance with
- IESG guidelines [FORMAL].
-
-2.7. Examples
-
- Example DN strings SHOULD conform to the syntax defined in [RFC4518].
- Example LDAP filter strings SHOULD conform to the syntax defined in
- [RFC4515]. Example LDAP URLs SHOULD conform to the syntax defined in
- [RFC4516]. Entries SHOULD be represented using LDIF [RFC2849].
-
-2.8. Registration of Protocol Values
-
- Designers SHALL register protocol values of their LDAP extensions in
- accordance with BCP 64, RFC 4520 [RFC4520]. Specifications that
- create new extensible protocol elements SHALL extend existing
- registries or establish new registries for values of these elements
- in accordance with BCP 64, RFC 4520 [RFC4520] and BCP 26, RFC 2434
- [RFC2434].
-
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 5]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
-3. LDAP Operation Extensions
-
- Extensions SHOULD use controls in defining extensions that complement
- existing operations. Where the extension to be defined does not
- complement an existing operation, designers SHOULD consider defining
- an extended operation instead.
-
- For example, a subtree delete operation could be designed as either
- an extension of the delete operation or as a new operation. As the
- feature complements the existing delete operation, use of the control
- mechanism to extend the delete operation is likely more appropriate.
-
- As a counter (and contrived) example, a locate services operation (an
- operation that would return for a DN a set of LDAP URLs to services
- that may hold the entry named by this DN) could be designed as either
- a search operation or a new operation. As the feature doesn't
- complement the search operation (e.g., the operation is not contrived
- to search for entries held in the Directory Information Tree), it is
- likely more appropriate to define a new operation using the extended
- operation mechanism.
-
-3.1. Controls
-
- Controls [Protocol, Section 4.1.11] are the RECOMMENDED mechanism for
- extending existing operations. The existing operation can be a base
- operation defined in [RFC4511] (e.g., search, modify) , an extended
- operation (e.g., Start TLS [RFC4511], Password Modify [RFC3062]), or
- an operation defined as an extension to a base or extended operation.
-
- Extensions SHOULD NOT return Response controls unless the server has
- specific knowledge that the client can make use of the control.
- Generally, the client requests the return of a particular response
- control by providing a related request control.
-
- An existing operation MAY be extended to return IntermediateResponse
- messages [Protocol, Section 4.13].
-
- Specifications of controls SHALL NOT attach additional semantics to
- the criticality of controls beyond those defined in [Protocol,
- Section 4.1.11]. A specification MAY mandate the criticality take on
- a particular value (e.g., TRUE or FALSE), where appropriate.
-
-3.1.1. Extending Bind Operation with Controls
-
- Controls attached to the request and response messages of a Bind
- Operation [RFC4511] are not protected by any security layers
- established by that Bind operation.
-
-
-
-
-Zeilenga Best Current Practice [Page 6]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
- Specifications detailing controls extending the Bind operation SHALL
- detail that the Bind negotiated security layers do not protect the
- information contained in these controls and SHALL detail how the
- information in these controls is protected or why the information
- does not need protection.
-
- It is RECOMMENDED that designers consider alternative mechanisms for
- providing the function. For example, an extended operation issued
- subsequent to the Bind operation (hence, protected by the security
- layers negotiated by the Bind operation) might be used to provide the
- desired function.
-
- Additionally, designers of Bind control extensions MUST also consider
- how the controls' semantics interact with individual steps of a
- multi-step Bind operation. Note that some steps are optional and
- thus may require special attention in the design.
-
-3.1.2. Extending the Start TLS Operation with Controls
-
- Controls attached to the request and response messages of a Start TLS
- Operation [RFC4511] are not protected by the security layers
- established by the Start TLS operation.
-
- Specifications detailing controls extending the Start TLS operation
- SHALL detail that the Start TLS negotiated security layers do not
- protect the information contained in these controls and SHALL detail
- how the information in these controls is protected or why the
- information does not need protection.
-
- It is RECOMMENDED that designers consider alternative mechanisms for
- providing the function. For example, an extended operation issued
- subsequent to the Start TLS operation (hence, protected by the
- security layers negotiated by the Start TLS operation) might be used
- to provided the desired function.
-
-3.1.3. Extending the Search Operation with Controls
-
- The Search operation processing has two distinct phases:
-
- - finding the base object; and
-
- - searching for objects at or under that base object.
-
- Specifications of controls extending the Search Operation should
- clearly state in which phase(s) the control's semantics apply.
- Semantics of controls that are not specific to the Search Operation
- SHOULD apply in the finding phase.
-
-
-
-
-Zeilenga Best Current Practice [Page 7]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
-3.1.4. Extending the Update Operations with Controls
-
- Update operations have properties of atomicity, consistency,
- isolation, and durability ([ACID]).
-
- - atomicity: All or none of the DIT changes requested are made.
-
- - consistency: The resulting DIT state must be conform to schema
- and other constraints.
-
- - isolation: Intermediate states are not exposed.
-
- - durability: The resulting DIT state is preserved until
- subsequently updated.
-
- When defining a control that requests additional (or other) DIT
- changes be made to the DIT, these additional changes SHOULD NOT be
- treated as part of a separate transaction. The specification MUST be
- clear as to whether the additional DIT changes are part of the same
- or a separate transaction as the DIT changes expressed in the request
- of the base operation.
-
- When defining a control that requests additional (or other) DIT
- changes be made to the DIT, the specification MUST be clear as to the
- order in which these and the base changes are to be applied to the
- DIT.
-
-3.1.5. Extending the Responseless Operations with Controls
-
- The Abandon and Unbind operations do not include a response message.
- For this reason, specifications for controls designed to be attached
- to Abandon and Unbind requests SHOULD mandate that the control's
- criticality be FALSE.
-
-3.2. Extended Operations
-
- Extended Operations [Protocol, Section 4.12] are the RECOMMENDED
- mechanism for defining new operations. An extended operation
- consists of an ExtendedRequest message, zero or more
- IntermediateResponse messages, and an ExtendedResponse message.
-
-3.3. Intermediate Responses
-
- Extensions SHALL use IntermediateResponse messages instead of
- ExtendedResponse messages to return intermediate results.
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 8]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
-3.4. Unsolicited Notifications
-
- Unsolicited notifications [Protocol, Section 4.4] offer a capability
- for the server to notify the client of events not associated with the
- operation currently being processed.
-
- Extensions SHOULD be designed such that unsolicited notifications are
- not returned unless the server has specific knowledge that the client
- can make use of the notification. Generally, the client requests the
- return of a particular unsolicited notification by performing a
- related extended operation.
-
- For example, a time hack extension could be designed to return
- unsolicited notifications at regular intervals that were enabled by
- an extended operation (which possibly specified the desired
- interval).
-
-4. Extending the LDAP ASN.1 Definition
-
- LDAP allows limited extension [Protocol, Section 4] of the LDAP ASN.1
- definition [Protocol, Appendix B] to be made.
-
-4.1. Result Codes
-
- Extensions that specify new operations or enhance existing operations
- often need to define new result codes. The extension SHOULD be
- designed such that a client has a reasonably clear indication of the
- nature of the successful or non-successful result.
-
- Extensions SHOULD use existing result codes to indicate conditions
- that are consistent with the intended meaning [RFC4511][X.511] of
- these codes. Extensions MAY introduce new result codes [RFC4520]
- where no existing result code provides an adequate indication of the
- nature of the result.
-
- Extensions SHALL NOT disallow or otherwise restrict the return of
- general service result codes, especially those reporting a protocol,
- service, or security problem, or indicating that the server is unable
- or unwilling to complete the operation.
-
-4.2. LDAP Message Types
-
- While extensions can specify new types of LDAP messages by extending
- the protocolOp CHOICE of the LDAPMessage SEQUENCE, this is generally
- unnecessary and inappropriate. Existing operation extension
- mechanisms (e.g., extended operations, unsolicited notifications, and
- intermediate responses) SHOULD be used instead. However, there may
- be cases where an extension does not fit well into these mechanisms.
-
-
-
-Zeilenga Best Current Practice [Page 9]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
- In such cases, a new extension mechanism SHOULD be defined that can
- be used by multiple extensions that have similar needs.
-
-4.3. Authentication Methods
-
- The Bind operation currently supports two authentication methods,
- simple and SASL. SASL [RFC4422] is an extensible authentication
- framework used by multiple application-level protocols (e.g., BEEP,
- IMAP, SMTP). It is RECOMMENDED that new authentication processes be
- defined as SASL mechanisms. New LDAP authentication methods MAY be
- added to support new authentication frameworks.
-
- The Bind operation's primary function is to establish the LDAP
- association [RFC4513]. No other operation SHALL be defined (or
- extended) to establish the LDAP association. However, other
- operations MAY be defined to establish other security associations
- (e.g., IPsec).
-
-4.4. General ASN.1 Extensibility
-
- Section 4 of [RFC4511] states the following:
-
- In order to support future extensions to this protocol,
- extensibility is implied where it is allowed per ASN.1 (i.e.,
- sequence, set, choice, and enumerated types are extensible). In
- addition, ellipses (...) have been supplied in ASN.1 types that
- are explicitly extensible as discussed in [RFC4520]. Because of
- the implied extensibility, clients and servers MUST (unless
- otherwise specified) ignore trailing SEQUENCE components whose
- tags they do not recognize.
-
- Designers SHOULD avoid introducing extensions that rely on
- unsuspecting implementations to ignore trailing components of
- SEQUENCE whose tags they do not recognize.
-
-5. Schema Extensions
-
- Extensions defining LDAP schema elements SHALL provide schema
- definitions conforming with syntaxes defined in [Models, Section
- 4.1]. While provided definitions MAY be reformatted (line wrapped)
- for readability, this SHALL be noted in the specification.
-
- For definitions that allow a NAME field, new schema elements SHOULD
- provide one and only one name. The name SHOULD be short.
-
- Each schema definition allows a DESC field. The DESC field, if
- provided, SHOULD contain a short descriptive phrase. The DESC field
- MUST be regarded as informational. That is, the specification MUST
-
-
-
-Zeilenga Best Current Practice [Page 10]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
- be written such that its interpretation is the same with and without
- the provided DESC fields.
-
- The extension SHALL NOT mandate that implementations provide the same
- DESC field in the schema they publish. Implementors MAY replace or
- remove the DESC field.
-
- Published schema elements SHALL NOT be redefined. Replacement schema
- elements (new OIDs, new NAMEs) SHOULD be defined as needed.
-
- Schema designers SHOULD reuse existing schema elements, where
- appropriate. However, any reuse MUST not alter the semantics of the
- element.
-
-5.1. LDAP Syntaxes
-
- Each LDAP syntax [RFC4517] is defined in terms of ASN.1 [X.680].
- Each extension detailing an LDAP syntax MUST specify the ASN.1 data
- definition associated with the syntax. A distinct LDAP syntax SHOULD
- be created for each distinct ASN.1 data definition (including
- constraints).
-
- Each LDAP syntax SHOULD have a string encoding defined for it. It is
- RECOMMENDED that this string encoding be restricted to UTF-8
- [RFC3629] encoded Unicode [Unicode] characters. Use of Generic
- String Encoding Rules (GSER) [RFC3641][RFC3642] or other generic
- string encoding rules to provide string encodings for complex ASN.1
- data definitions is RECOMMENDED. Otherwise, it is RECOMMENDED that
- the string encoding be described using a formal language (e.g., ABNF
- [RFC4234]). Formal languages SHOULD be used in specifications in
- accordance with IESG guidelines [FORMAL].
-
- If no string encoding is defined, the extension SHALL specify how the
- transfer encoding is to be indicated. Generally, the extension
- SHOULD mandate use of binary or other transfer encoding option.
-
-5.2. Matching Rules
-
- Three basic kinds of matching rules (e.g., EQUALITY, ORDERING, and
- SUBSTRING) may be associated with an attribute type. In addition,
- LDAP provides an extensible matching rule mechanism.
-
- The matching rule specification SHOULD detail which kind of matching
- rule it is and SHOULD describe which kinds of values it can be used
- with.
-
- In addition to requirements stated in the LDAP technical
- specification, equality matching rules SHOULD be commutative.
-
-
-
-Zeilenga Best Current Practice [Page 11]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
-5.3. Attribute Types
-
- Designers SHOULD carefully consider how the structure of values is to
- be restricted. Designers SHOULD consider that servers will only
- enforce constraints of the attribute's syntax. That is, an attribute
- intended to hold URIs, but that has directoryString syntax, is not
- restricted to values that are URIs.
-
- Designers SHOULD carefully consider which matching rules, if any, are
- appropriate for the attribute type. Matching rules specified for an
- attribute type MUST be compatible with the attribute type's syntax.
-
- Extensions specifying operational attributes MUST detail how servers
- are to maintain and/or utilize values of each operational attribute.
-
-5.4. Object Classes
-
- Designers SHOULD carefully consider whether each attribute of an
- object class is required ("MUST") or allowed ("MAY").
-
- Extensions specifying object classes that allow (or require)
- operational attributes MUST specify how servers are to maintain
- and/or utilize entries belonging to these object classes.
-
-6. Other Extension Mechanisms
-
-6.1. Attribute Description Options
-
- Each option is identified by a string of letters, numbers, and
- hyphens. This string SHOULD be short.
-
-6.2. Authorization Identities
-
- Extensions interacting with authorization identities SHALL support
- the LDAP authzId format [RFC4513]. The authzId format is extensible.
-
-6.3. LDAP URL Extensions
-
- LDAP URL extensions are identified by a short string, a descriptor.
- Like other descriptors, the string SHOULD be short.
-
-7. Security Considerations
-
- LDAP does not place undue restrictions on the kinds of extensions
- that can be implemented. While this document attempts to outline
- some specific issues that designers need to consider, it is not (and
-
-
-
-
-
-Zeilenga Best Current Practice [Page 12]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
- cannot be) all encompassing. Designers MUST do their own evaluations
- of the security considerations applicable to their extensions.
-
- Designers MUST NOT assume that the LDAP "core" technical
- specification [RFC4510] adequately addresses the specific concerns
- surrounding their extensions or assume that their extensions have no
- specific concerns.
-
- Extension specifications, however, SHOULD note whether security
- considerations specific to the feature they are extending, as well as
- general LDAP security considerations, apply to the extension.
-
-8. Acknowledgements
-
- The author thanks the IETF LDAP community for their thoughtful
- comments.
-
- This work builds upon "LDAP Extension Style Guide" [GUIDE] by Bruce
- Greenblatt.
-
-9. References
-
-9.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- [RFC2849] Good, G., "The LDAP Data Interchange Format (LDIF) -
- Technical Specification", RFC 2849, June 2000.
-
- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
- 10646", STD 63, RFC 3629, November 2003.
-
- [RFC3641] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1
- Types", RFC 3641, October 2003.
-
- [RFC3642] Legg, S., "Common Elements of Generic String Encoding
- Rules (GSER) Encodings", RFC 3642, October 2003.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
-
-
-
-
-Zeilenga Best Current Practice [Page 13]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
- [RFC3866] Zeilenga, K., Ed., "Language Tags and Ranges in the
- Lightweight Directory Access Protocol (LDAP)", RFC 3866,
- July 2004.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
- (LDAP): Authentication Methods and Security Mechanisms",
- RFC 4513, June 2006.
-
- [RFC4515] Smith, M., Ed. and T. Howes, "Lightweight Directory Access
- Protocol (LDAP): String Representation of Search Filters",
- RFC 4515, June 2006.
-
- [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory Access
- Protocol (LDAP): Uniform Resource Locator", RFC 4516, June
- 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006.
-
- [RFC4518] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): String Representation of Distinguished Names", RFC
- 4518, June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
- Considerations for the Lightweight Directory Access
- Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
- Authentication and Security Layer (SASL)", RFC 4422, June
- 2006.
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 14]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
- [Unicode] The Unicode Consortium, "The Unicode Standard, Version
- 3.2.0" is defined by "The Unicode Standard, Version 3.0"
- (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
- as amended by the "Unicode Standard Annex #27: Unicode
- 3.1" (http://www.unicode.org/reports/tr27/) and by the
- "Unicode Standard Annex #28: Unicode 3.2"
- (http://www.unicode.org/reports/tr28/).
-
- [FORMAL] IESG, "Guidelines for the use of formal languages in IETF
- specifications",
- <http://www.ietf.org/IESG/STATEMENTS/pseudo-code-in-
- specs.txt>, 2001.
-
- [X.511] International Telecommunication Union - Telecommunication
- Standardization Sector, "The Directory: Abstract Service
- Definition", X.511(1993) (also ISO/IEC 9594-3:1993).
-
- [X.680] International Telecommunication Union - Telecommunication
- Standardization Sector, "Abstract Syntax Notation One
- (ASN.1) - Specification of Basic Notation", X.680(2002)
- (also ISO/IEC 8824-1:2002).
-
- [X.690] International Telecommunication Union - Telecommunication
- Standardization Sector, "Specification of ASN.1 encoding
- rules: Basic Encoding Rules (BER), Canonical Encoding
- Rules (CER), and Distinguished Encoding Rules (DER)",
- X.690(2002) (also ISO/IEC 8825-1:2002).
-
-9.2. Informative References
-
- [ACID] Section 4 of ISO/IEC 10026-1:1992.
-
- [GUIDE] Greenblatt, B., "LDAP Extension Style Guide", Work in
- Progress.
-
- [RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation",
- RFC 3062, February 2001.
-
- [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
- (TLS) Protocol Version 1.1", RFC 4346, April 2006.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-Zeilenga Best Current Practice [Page 15]
-�
-RFC 4521 LDAP Extensions June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Best Current Practice [Page 16]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4522.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4522.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4522.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Legg
-Request for Comments: 4522 eB2Bcom
-Category: Standards Track June 2006
-
-
- Lightweight Directory Access Protocol (LDAP):
- The Binary Encoding Option
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- Each attribute stored in a Lightweight Directory Access Protocol
- (LDAP) directory has a defined syntax (i.e., data type). A syntax
- definition specifies how attribute values conforming to the syntax
- are normally represented when transferred in LDAP operations. This
- representation is referred to as the LDAP-specific encoding to
- distinguish it from other methods of encoding attribute values. This
- document defines an attribute option, the binary option, that can be
- used to specify that the associated attribute values are instead
- encoded according to the Basic Encoding Rules (BER) used by X.500
- directories.
-
-Table of Contents
-
- 1. Introduction ....................................................2
- 2. Conventions .....................................................2
- 3. The Binary Option ...............................................2
- 4. Syntaxes Requiring Binary Transfer ..............................3
- 5. Attributes Returned in a Search .................................4
- 6. All User Attributes .............................................4
- 7. Conflicting Requests ............................................5
- 8. Security Considerations .........................................5
- 9. IANA Considerations .............................................5
- 10. References .....................................................5
- 10.1. Normative References ......................................5
- 10.2. Informative References ....................................6
-
-
-
-
-Legg Standards Track [Page 1]
-�
-RFC 4522 LDAP: The Binary Encoding Option June 2006
-
-
-1. Introduction
-
- Each attribute stored in a Lightweight Directory Access Protocol
- (LDAP) directory [RFC4510] has a defined syntax (i.e., data type)
- which constrains the structure and format of its values.
-
- The description of each syntax [RFC4517] specifies how attribute or
- assertion values [RFC4512] conforming to the syntax are normally
- represented when transferred in LDAP operations [RFC4511]. This
- representation is referred to as the LDAP-specific encoding to
- distinguish it from other methods of encoding attribute values.
-
- This document defines an attribute option, the binary option, which
- can be used in an attribute description [RFC4512] in an LDAP
- operation to specify that the associated attribute values or
- assertion values are, or are requested to be, encoded according to
- the Basic Encoding Rules (BER) [BER] as used by X.500 [X.500]
- directories, instead of the usual LDAP-specific encoding.
-
- The binary option was originally defined in RFC 2251 [RFC2251]. The
- LDAP technical specification [RFC4510] has obsoleted the previously
- defined LDAP technical specification [RFC3377], which included RFC
- 2251. The binary option was not included in the revised LDAP
- technical specification for a variety of reasons including
- implementation inconsistencies. No attempt is made here to resolve
- the known inconsistencies.
-
- This document reintroduces the binary option for use with certain
- attribute syntaxes, such as certificate syntax [RFC4523], that
- specifically require it. No attempt has been made to address use of
- the binary option with attributes of syntaxes that do not require its
- use. Unless addressed in a future specification, this use is to be
- avoided.
-
-2. Conventions
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14, RFC 2119
- [BCP14].
-
-3. The Binary Option
-
- The binary option is indicated with the attribute option string
- "binary" in an attribute description. Note that, like all attribute
- options, the string representing the binary option is case
- insensitive.
-
-
-
-
-Legg Standards Track [Page 2]
-�
-RFC 4522 LDAP: The Binary Encoding Option June 2006
-
-
- Where the binary option is present in an attribute description, the
- associated attribute values or assertion values MUST be BER encoded
- (otherwise the values are encoded according to the LDAP-specific
- encoding [RFC4517] for the attribute's syntax). Note that it is
- possible for a syntax to be defined such that its LDAP-specific
- encoding is exactly the same as its BER encoding.
-
- In terms of the protocol [RFC4511], the binary option specifies that
- the contents octets of the associated AttributeValue or
- AssertionValue OCTET STRING are a complete BER encoding of the
- relevant value.
-
- The binary option is not a tagging option [RFC4512], so the presence
- of the binary option does not specify an attribute subtype. An
- attribute description containing the binary option references exactly
- the same attribute as the attribute description without the binary
- option. The supertype/subtype relationships of attributes with
- tagging options are not altered in any way by the presence or absence
- of the binary option.
-
- An attribute description SHALL be treated as unrecognized if it
- contains the binary option and the syntax of the attribute does not
- have an associated ASN.1 type [RFC4517], or the BER encoding of
- values of that type is not supported.
-
- The presence or absence of the binary option only affects the
- transfer of attribute and assertion values in the protocol; servers
- store any particular attribute value in a format of their choosing.
-
-4. Syntaxes Requiring Binary Transfer
-
- The attribute values of certain attribute syntaxes are defined
- without an LDAP-specific encoding and are required to be transferred
- in the BER-encoded form. For the purposes of this document, these
- syntaxes are said to have a binary transfer requirement. The
- certificate, certificate list, certificate pair, and supported
- algorithm syntaxes [RFC4523] are examples of syntaxes with a binary
- transfer requirement. These syntaxes also have an additional
- requirement that the exact BER encoding must be preserved. Note that
- this is a property of the syntaxes themselves, and not a property of
- the binary option. In the absence of this requirement, LDAP clients
- would need to re-encode values using the Distinguished Encoding Rules
- (DER).
-
-
-
-
-
-
-
-
-Legg Standards Track [Page 3]
-�
-RFC 4522 LDAP: The Binary Encoding Option June 2006
-
-
-5. Attributes Returned in a Search
-
- An LDAP search request [RFC4511] contains a list of the attributes
- (the requested attributes list) to be returned from each entry
- matching the search filter. An attribute description in the
- requested attributes list also implicitly requests all subtypes of
- the attribute type in the attribute description, whether through
- attribute subtyping or attribute tagging option subtyping [RFC4512].
-
- The requested attributes list MAY contain attribute descriptions with
- the binary option, but MUST NOT contain two attribute descriptions
- with the same attribute type and the same tagging options (even if
- only one of them has the binary option). The binary option in an
- attribute description in the requested attributes list implicitly
- applies to all the subtypes of the attribute type in the attribute
- description (however, see Section 7).
-
- Attributes of a syntax with the binary transfer requirement, if
- returned, SHALL be returned in the binary form (i.e., with the binary
- option in the attribute description and the associated attribute
- values BER encoded) regardless of whether the binary option was
- present in the request (for the attribute or for one of its
- supertypes).
-
- Attributes of a syntax without the binary transfer requirement, if
- returned, SHOULD be returned in the form explicitly requested. That
- is, if the attribute description in the requested attributes list
- contains the binary option, then the corresponding attribute in the
- result SHOULD be in the binary form. If the attribute description in
- the request does not contain the binary option, then the
- corresponding attribute in the result SHOULD NOT be in the binary
- form. A server MAY omit an attribute from the result if it does not
- support the requested encoding.
-
- Regardless of the encoding chosen, a particular attribute value is
- returned at most once.
-
-6. All User Attributes
-
- If the list of attributes in a search request is empty or contains
- the special attribute description string "*", then all user
- attributes are requested to be returned.
-
- Attributes of a syntax with the binary transfer requirement, if
- returned, SHALL be returned in the binary form.
-
-
-
-
-
-
-Legg Standards Track [Page 4]
-�
-RFC 4522 LDAP: The Binary Encoding Option June 2006
-
-
- Attributes of a syntax without the binary transfer requirement and
- having a defined LDAP-specific encoding SHOULD NOT be returned in the
- binary form.
-
- Attributes of a syntax without the binary transfer requirement and
- without a defined LDAP-specific encoding may be returned in the
- binary form or omitted from the result.
-
-7. Conflicting Requests
-
- A particular attribute could be explicitly requested by an attribute
- description and/or implicitly requested by the attribute descriptions
- of one or more of its supertypes, or by the special attribute
- description string "*". If the binary option is present in at least
- one, but not all, of these attribute descriptions then the effect of
- the request with respect to binary transfer is implementation
- defined.
-
-8. Security Considerations
-
- When interpreting security-sensitive fields, and in particular fields
- used to grant or deny access, implementations MUST ensure that any
- matching rule comparisons are done on the underlying abstract value,
- regardless of the particular encoding used.
-
-9. IANA Considerations
-
- The Internet Assigned Numbers Authority (IANA) has updated the LDAP
- attribute description option registry [BCP64] as indicated by the
- following template:
-
- Subject:
- Request for LDAP Attribute Description Option Registration
- Option Name: binary
- Family of Options: NO
- Person & email address to contact for further information:
- Steven Legg <steven.legg at eb2bcom.com>
- Specification: RFC 4522
- Author/Change Controller: IESG
-
-10. References
-
-10.1. Normative References
-
- [BCP14] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-
-
-
-
-Legg Standards Track [Page 5]
-�
-RFC 4522 LDAP: The Binary Encoding Option June 2006
-
-
- [BCP64] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
- Considerations for the Lightweight Directory Access
- Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC RFC 4510,
- June 2006.
-
- [RFC4511] Sermersheim, J., "Lightweight Directory Access Protocol
- (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [RFC4523] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) Schema Definitions for X.509 Certificates", RFC
- 4523, June 2006.
-
- [BER] ITU-T Recommendation X.690 (07/02) | ISO/IEC 8825-1,
- Information Technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER), Canonical
- Encoding Rules (CER) and Distinguished Encoding Rules
- (DER).
-
-10.2. Informative References
-
- [RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory
- Access Protocol (v3)", RFC 2251, December 1997.
-
- [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
- Protocol (v3): Technical Specification", RFC 3377,
- September 2002.
-
- [X.500] ITU-T Recommendation X.500 (02/01) | ISO/IEC 9594-1:2001,
- Information technology - Open Systems Interconnection -
- The Directory: Overview of concepts, models and services
-
-
-
-
-
-
-
-
-
-
-Legg Standards Track [Page 6]
-�
-RFC 4522 LDAP: The Binary Encoding Option June 2006
-
-
-Author's Address
-
- Dr. Steven Legg
- eB2Bcom
- Suite 3, Woodhouse Corporate Centre
- 935 Station Street
- Box Hill North, Victoria 3129
- AUSTRALIA
-
- Phone: +61 3 9896 7830
- Fax: +61 3 9896 7801
- EMail: steven.legg at eb2bcom.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Legg Standards Track [Page 7]
-�
-RFC 4522 LDAP: The Binary Encoding Option June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Legg Standards Track [Page 8]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4523.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4523.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4523.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1347 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4523 OpenLDAP Foundation
-Obsoletes: 2252, 2256, 2587 June 2006
-Category: Standards Track
-
-
- Lightweight Directory Access Protocol (LDAP)
- Schema Definitions for X.509 Certificates
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
- Abstract
-
- This document describes schema for representing X.509 certificates,
- X.521 security information, and related elements in directories
- accessible using the Lightweight Directory Access Protocol (LDAP).
- The LDAP definitions for these X.509 and X.521 schema elements
- replace those provided in RFCs 2252 and 2256.
-
-1. Introduction
-
- This document provides LDAP [RFC4510] schema definitions [RFC4512]
- for a subset of elements specified in X.509 [X.509] and X.521
- [X.521], including attribute types for certificates, cross
- certificate pairs, and certificate revocation lists; matching rules
- to be used with these attribute types; and related object classes.
- LDAP syntax definitions are also provided for associated assertion
- and attribute values.
-
- As the semantics of these elements are as defined in X.509 and X.521,
- knowledge of X.509 and X.521 is necessary to make use of the LDAP
- schema definitions provided herein.
-
- This document, together with [RFC4510], obsoletes RFCs 2252 and 2256
- in their entirety. The changes (in this document) made since RFC
- 2252 and RFC 2256 include:
-
- - addition of pkiUser, pkiCA, and deltaCRL classes;
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
- - update of attribute types to include equality matching rules in
- accordance with their X.500 specifications;
-
- - addition of certificate, certificate pair, certificate list,
- and algorithm identifier matching rules; and
-
- - addition of LDAP syntax for assertion syntaxes for these
- matching rules.
-
- This document obsoletes RFC 2587. The X.509 schema descriptions for
- LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
- Schema definitions are provided using LDAP description formats
- [RFC4512]. Definitions provided here are formatted (line wrapped)
- for readability.
-
-2. Syntaxes
-
- This section describes various syntaxes used in LDAP to transfer
- certificates and related data types.
-
-2.1. Certificate
-
- ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )
-
- A value of this syntax is an X.509 Certificate [X.509, clause 7].
-
- Due to changes made to the definition of a Certificate through time,
- no LDAP-specific encoding is defined for this syntax. Values of this
- syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
- [X.690] and MUST only be transferred using the ;binary transfer
- option [RFC4522]; that is, by requesting and returning values using
- attribute descriptions such as "userCertificate;binary".
-
- As values of this syntax contain digitally signed data, values of
- this syntax and the form of each value MUST be preserved as
- presented.
-
-2.2. CertificateList
-
- ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )
-
- A value of this syntax is an X.509 CertificateList [X.509, clause
- 7.3].
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
- Due to changes made to the definition of a CertificateList through
- time, no LDAP-specific encoding is defined for this syntax. Values
- of this syntax SHOULD be encoded using DER [X.690] and MUST only be
- transferred using the ;binary transfer option [RFC4522]; that is, by
- requesting and returning values using attribute descriptions such as
- "certificateRevocationList;binary".
-
- As values of this syntax contain digitally signed data, values of
- this syntax and the form of each value MUST be preserved as
- presented.
-
-2.3. CertificatePair
-
- ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )
-
- A value of this syntax is an X.509 CertificatePair [X.509, clause
- 11.2.3].
-
- Due to changes made to the definition of an X.509 CertificatePair
- through time, no LDAP-specific encoding is defined for this syntax.
- Values of this syntax SHOULD be encoded using DER [X.690] and MUST
- only be transferred using the ;binary transfer option [RFC4522]; that
- is, by requesting and returning values using attribute descriptions
- such as "crossCertificatePair;binary".
-
- As values of this syntax contain digitally signed data, values of
- this syntax and the form of each value MUST be preserved as
- presented.
-
-2.4. SupportedAlgorithm
-
- ( 1.3.6.1.4.1.1466.115.121.1.49
- DESC 'X.509 Supported Algorithm' )
-
- A value of this syntax is an X.509 SupportedAlgorithm [X.509, clause
- 11.2.7].
-
- Due to changes made to the definition of an X.509 SupportedAlgorithm
- through time, no LDAP-specific encoding is defined for this syntax.
- Values of this syntax SHOULD be encoded using DER [X.690] and MUST
- only be transferred using the ;binary transfer option [RFC4522]; that
- is, by requesting and returning values using attribute descriptions
- such as "supportedAlgorithms;binary".
-
- As values of this syntax contain digitally signed data, values of
- this syntax and the form of the value MUST be preserved as presented.
-
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-2.5. CertificateExactAssertion
-
- ( 1.3.6.1.1.15.1 DESC 'X.509 Certificate Exact Assertion' )
-
- A value of this syntax is an X.509 CertificateExactAssertion [X.509,
- clause 11.3.1]. Values of this syntax MUST be encoded using the
- Generic String Encoding Rules (GSER) [RFC3641]. Appendix A.1
- provides an equivalent Augmented Backus-Naur Form (ABNF) [RFC4234]
- grammar for this syntax.
-
-2.6. CertificateAssertion
-
- ( 1.3.6.1.1.15.2 DESC 'X.509 Certificate Assertion' )
-
- A value of this syntax is an X.509 CertificateAssertion [X.509,
- clause 11.3.2]. Values of this syntax MUST be encoded using GSER
- [RFC3641]. Appendix A.2 provides an equivalent ABNF [RFC4234]
- grammar for this syntax.
-
-2.7. CertificatePairExactAssertion
-
- ( 1.3.6.1.1.15.3
- DESC 'X.509 Certificate Pair Exact Assertion' )
-
- A value of this syntax is an X.509 CertificatePairExactAssertion
- [X.509, clause 11.3.3]. Values of this syntax MUST be encoded using
- GSER [RFC3641]. Appendix A.3 provides an equivalent ABNF [RFC4234]
- grammar for this syntax.
-
-2.8. CertificatePairAssertion
-
- ( 1.3.6.1.1.15.4 DESC 'X.509 Certificate Pair Assertion' )
-
- A value of this syntax is an X.509 CertificatePairAssertion [X.509,
- clause 11.3.4]. Values of this syntax MUST be encoded using GSER
- [RFC3641]. Appendix A.4 provides an equivalent ABNF [RFC4234]
- grammar for this syntax.
-
-2.9. CertificateListExactAssertion
-
- ( 1.3.6.1.1.15.5
- DESC 'X.509 Certificate List Exact Assertion' )
-
- A value of this syntax is an X.509 CertificateListExactAssertion
- [X.509, clause 11.3.5]. Values of this syntax MUST be encoded using
- GSER [RFC3641]. Appendix A.5 provides an equivalent ABNF grammar for
- this syntax.
-
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-2.10. CertificateListAssertion
-
- ( 1.3.6.1.1.15.6 DESC 'X.509 Certificate List Assertion' )
-
- A value of this syntax is an X.509 CertificateListAssertion [X.509,
- clause 11.3.6]. Values of this syntax MUST be encoded using GSER
- [RFC3641]. Appendix A.6 provides an equivalent ABNF [RFC4234]
- grammar for this syntax.
-
-2.11. AlgorithmIdentifier
-
- ( 1.3.6.1.1.15.7 DESC 'X.509 Algorithm Identifier' )
-
- A value of this syntax is an X.509 AlgorithmIdentifier [X.509, Clause
- 7]. Values of this syntax MUST be encoded using GSER [RFC3641].
-
- Appendix A.7 provides an equivalent ABNF [RFC4234] grammar for this
- syntax.
-
-3. Matching Rules
-
- This section introduces a set of certificate and related matching
- rules for use in LDAP. These rules are intended to act in accordance
- with their X.500 counterparts.
-
-3.1. certificateExactMatch
-
- The certificateExactMatch matching rule compares the presented
- certificate exact assertion value with an attribute value of the
- certificate syntax as described in clause 11.3.1 of [X.509].
-
- ( 2.5.13.34 NAME 'certificateExactMatch'
- DESC 'X.509 Certificate Exact Match'
- SYNTAX 1.3.6.1.1.15.1 )
-
-3.2. certificateMatch
-
- The certificateMatch matching rule compares the presented certificate
- assertion value with an attribute value of the certificate syntax as
- described in clause 11.3.2 of [X.509].
-
- ( 2.5.13.35 NAME 'certificateMatch'
- DESC 'X.509 Certificate Match'
- SYNTAX 1.3.6.1.1.15.2 )
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-3.3. certificatePairExactMatch
-
- The certificatePairExactMatch matching rule compares the presented
- certificate pair exact assertion value with an attribute value of the
- certificate pair syntax as described in clause 11.3.3 of [X.509].
-
- ( 2.5.13.36 NAME 'certificatePairExactMatch'
- DESC 'X.509 Certificate Pair Exact Match'
- SYNTAX 1.3.6.1.1.15.3 )
-
-3.4. certificatePairMatch
-
- The certificatePairMatch matching rule compares the presented
- certificate pair assertion value with an attribute value of the
- certificate pair syntax as described in clause 11.3.4 of [X.509].
-
- ( 2.5.13.37 NAME 'certificatePairMatch'
- DESC 'X.509 Certificate Pair Match'
- SYNTAX 1.3.6.1.1.15.4 )
-
-3.5. certificateListExactMatch
-
- The certificateListExactMatch matching rule compares the presented
- certificate list exact assertion value with an attribute value of the
- certificate pair syntax as described in clause 11.3.5 of [X.509].
-
- ( 2.5.13.38 NAME 'certificateListExactMatch'
- DESC 'X.509 Certificate List Exact Match'
- SYNTAX 1.3.6.1.1.15.5 )
-
-3.6. certificateListMatch
-
- The certificateListMatch matching rule compares the presented
- certificate list assertion value with an attribute value of the
- certificate pair syntax as described in clause 11.3.6 of [X.509].
-
- ( 2.5.13.39 NAME 'certificateListMatch'
- DESC 'X.509 Certificate List Match'
- SYNTAX 1.3.6.1.1.15.6 )
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-3.7. algorithmIdentifierMatch
-
- The algorithmIdentifierMatch mating rule compares a presented
- algorithm identifier with an attribute value of the supported
- algorithm as described in clause 11.3.7 of [X.509].
-
- ( 2.5.13.40 NAME 'algorithmIdentifier'
- DESC 'X.509 Algorithm Identifier Match'
- SYNTAX 1.3.6.1.1.15.7 )
-
-4. Attribute Types
-
- This section details a set of certificate and related attribute types
- for use in LDAP.
-
-4.1. userCertificate
-
- The userCertificate attribute holds the X.509 certificates issued to
- the user by one or more certificate authorities, as discussed in
- clause 11.2.1 of [X.509].
-
- ( 2.5.4.36 NAME 'userCertificate'
- DESC 'X.509 user certificate'
- EQUALITY certificateExactMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
-
- As required by this attribute type's syntax, values of this attribute
- are requested and transferred using the attribute description
- "userCertificate;binary".
-
-4.2. cACertificate
-
- The cACertificate attribute holds the X.509 certificates issued to
- the certificate authority (CA), as discussed in clause 11.2.2 of
- [X.509].
-
- ( 2.5.4.37 NAME 'cACertificate'
- DESC 'X.509 CA certificate'
- EQUALITY certificateExactMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
-
- As required by this attribute type's syntax, values of this attribute
- are requested and transferred using the attribute description
- "cACertificate;binary".
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-4.3. crossCertificatePair
-
- The crossCertificatePair attribute holds an X.509 certificate pair,
- as discussed in clause 11.2.3 of [X.509].
-
- ( 2.5.4.40 NAME 'crossCertificatePair'
- DESC 'X.509 cross certificate pair'
- EQUALITY certificatePairExactMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
-
- As required by this attribute type's syntax, values of this attribute
- are requested and transferred using the attribute description
- "crossCertificatePair;binary".
-
-4.4. certificateRevocationList
-
- The certificateRevocationList attribute holds certificate lists, as
- discussed in 11.2.4 of [X.509].
-
- ( 2.5.4.39 NAME 'certificateRevocationList'
- DESC 'X.509 certificate revocation list'
- EQUALITY certificateListExactMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
-
- As required by this attribute type's syntax, values of this attribute
- are requested and transferred using the attribute description
- "certificateRevocationList;binary".
-
-4.5. authorityRevocationList
-
- The authorityRevocationList attribute holds certificate lists, as
- discussed in 11.2.5 of [X.509].
-
- ( 2.5.4.38 NAME 'authorityRevocationList'
- DESC 'X.509 authority revocation list'
- EQUALITY certificateListExactMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
-
- As required by this attribute type's syntax, values of this attribute
- are requested and transferred using the attribute description
- "authorityRevocationList;binary".
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 8]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-4.6. deltaRevocationList
-
- The deltaRevocationList attribute holds certificate lists, as
- discussed in 11.2.6 of [X.509].
-
- ( 2.5.4.53 NAME 'deltaRevocationList'
- DESC 'X.509 delta revocation list'
- EQUALITY certificateListExactMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
-
- As required by this attribute type's syntax, values of this attribute
- MUST be requested and transferred using the attribute description
- "deltaRevocationList;binary".
-
-4.7. supportedAlgorithms
-
- The supportedAlgorithms attribute holds supported algorithms, as
- discussed in 11.2.7 of [X.509].
-
- ( 2.5.4.52 NAME 'supportedAlgorithms'
- DESC 'X.509 supported algorithms'
- EQUALITY algorithmIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
-
- As required by this attribute type's syntax, values of this attribute
- MUST be requested and transferred using the attribute description
- "supportedAlgorithms;binary".
-
-5. Object Classes
-
- This section details a set of certificate-related object classes for
- use in LDAP.
-
-5.1. pkiUser
-
- This object class is used in augment entries for objects that may be
- subject to certificates, as defined in clause 11.1.1 of [X.509].
-
- ( 2.5.6.21 NAME 'pkiUser'
- DESC 'X.509 PKI User'
- SUP top AUXILIARY
- MAY userCertificate )
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 9]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-5.2. pkiCA
-
- This object class is used to augment entries for objects that act as
- certificate authorities, as defined in clause 11.1.2 of [X.509]
-
- ( 2.5.6.22 NAME 'pkiCA'
- DESC 'X.509 PKI Certificate Authority'
- SUP top AUXILIARY
- MAY ( cACertificate $ certificateRevocationList $
- authorityRevocationList $ crossCertificatePair ) )
-
-5.3. cRLDistributionPoint
-
- This class is used to represent objects that act as CRL distribution
- points, as discussed in clause 11.1.3 of [X.509].
-
- ( 2.5.6.19 NAME 'cRLDistributionPoint'
- DESC 'X.509 CRL distribution point'
- SUP top STRUCTURAL
- MUST cn
- MAY ( certificateRevocationList $
- authorityRevocationList $ deltaRevocationList ) )
-
-5.4. deltaCRL
-
- The deltaCRL object class is used to augment entries to hold delta
- revocation lists, as discussed in clause 11.1.4 of [X.509].
-
- ( 2.5.6.23 NAME 'deltaCRL'
- DESC 'X.509 delta CRL'
- SUP top AUXILIARY
- MAY deltaRevocationList )
-
-5.5. strongAuthenticationUser
-
- This object class is used to augment entries for objects
- participating in certificate-based authentication, as defined in
- clause 6.15 of [X.521]. This object class is deprecated in favor of
- pkiUser.
-
- ( 2.5.6.15 NAME 'strongAuthenticationUser'
- DESC 'X.521 strong authentication user'
- SUP top AUXILIARY
- MUST userCertificate )
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 10]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-5.6. userSecurityInformation
-
- This object class is used to augment entries with needed additional
- associated security information, as defined in clause 6.16 of
- [X.521].
-
- ( 2.5.6.18 NAME 'userSecurityInformation'
- DESC 'X.521 user security information'
- SUP top AUXILIARY
- MAY ( supportedAlgorithms ) )
-
-5.7. certificationAuthority
-
- This object class is used to augment entries for objects that act as
- certificate authorities, as defined in clause 6.17 of [X.521]. This
- object class is deprecated in favor of pkiCA.
-
- ( 2.5.6.16 NAME 'certificationAuthority'
- DESC 'X.509 certificate authority'
- SUP top AUXILIARY
- MUST ( authorityRevocationList $
- certificateRevocationList $ cACertificate )
- MAY crossCertificatePair )
-
-5.8. certificationAuthority-V2
-
- This object class is used to augment entries for objects that act as
- certificate authorities, as defined in clause 6.18 of [X.521]. This
- object class is deprecated in favor of pkiCA.
-
- ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
- DESC 'X.509 certificate authority, version 2'
- SUP certificationAuthority AUXILIARY
- MAY deltaRevocationList )
-
-6. Security Considerations
-
- General certificate considerations [RFC3280] apply to LDAP-aware
- certificate applications. General LDAP security considerations
- [RFC4510] apply as well.
-
- While elements of certificate information are commonly signed, these
- signatures only protect the integrity of the signed information. In
- the absence of data integrity protections in LDAP (or lower layer,
- e.g., IPsec), a server is not assured that client certificate request
- (or other request) was unaltered in transit. Likewise, a client
- cannot be assured that the results of the query were unaltered in
-
-
-
-
-Zeilenga Standards Track [Page 11]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
- transit. Hence, it is generally recommended that implementations
- make use of authentication and data integrity services in LDAP
- [RFC4513][RFC4511].
-
-7. IANA Considerations
-
-7.1. Object Identifier Registration
-
- The IANA has registered an LDAP Object Identifier [RFC4520] for use
- in this technical specification.
-
- Subject: Request for LDAP OID Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Specification: RFC 4523
- Author/Change Controller: IESG
- Comments:
- Identifies the LDAP X.509 Certificate schema elements
- introduced in this document.
-
-7.2. Descriptor Registration
-
- The IANA has updated the LDAP
- Descriptor registry [RFC44520] as indicated below.
-
- Subject: Request for LDAP Descriptor Registration
- Descriptor (short name): see table
- Object Identifier: see table
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Usage: see table
- Specification: RFC 4523
- Author/Change Controller: IESG
-
- algorithmIdentifierMatch M 2.5.13.40
- authorityRevocationList A 2.5.4.38 *
- cACertificate A 2.5.4.37 *
- cRLDistributionPoint O 2.5.6.19 *
- certificateExactMatch M 2.5.13.34
- certificateListExactMatch M 2.5.13.38
- certificateListMatch M 2.5.13.39
- certificateMatch M 2.5.13.35
- certificatePairExactMatch M 2.5.13.36
- certificatePairMatch M 2.5.13.37
- certificateRevocationList A 2.5.4.39 *
- certificationAuthority O 2.5.6.16 *
- certificationAuthority-V2 O 2.5.6.16.2 *
- crossCertificatePair A 2.5.4.40 *
-
-
-
-Zeilenga Standards Track [Page 12]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
- deltaCRL O 2.5.6.23 *
- deltaRevocationList A 2.5.4.53 *
- pkiCA O 2.5.6.22 *
- pkiUser O 2.5.6.21 *
- strongAuthenticationUser O 2.5.6.15 *
- supportedAlgorithms A 2.5.4.52 *
- userCertificate A 2.5.4.36 *
- userSecurityInformation O 2.5.6.18 *
-
- * Updates previous registration
-
-8. Acknowledgements
-
- This document is based on X.509, a product of the ITU-T. A number of
- LDAP schema definitions were based on those found in RFCs 2252 and
- 2256, both products of the IETF ASID WG. The ABNF productions in
- Appendix A were provided by Steven Legg. Additional material was
- borrowed from prior works by David Chadwick and Steven Legg to refine
- the LDAP X.509 schema.
-
-9. References
-
-9.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3641] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1
- Types", RFC 3641, October 2003.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4522] Legg, S., "Lightweight Directory Access Protocol (LDAP):
- The Binary Encoding Option", RFC 4522, June 2006.
-
- [X.509] International Telecommunication Union - Telecommunication
- Standardization Sector, "The Directory: Authentication
- Framework", X.509(2000).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 13]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
- [X.521] International Telecommunication Union - Telecommunication
- Standardization Sector, "The Directory: Selected Object
- Classes", X.521(2000).
-
- [X.690] International Telecommunication Union - Telecommunication
- Standardization Sector, "Specification of ASN.1 encoding
- rules: Basic Encoding Rules (BER), Canonical Encoding
- Rules (CER), and Distinguished Encoding Rules (DER)",
- X.690(2002) (also ISO/IEC 8825-1:2002).
-
-9.2. Informative References
-
- [RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory
- Access Protocol", RFC 1777, March 1995.
-
- [RFC2156] Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay):
- Mapping between X.400 and RFC 822/MIME", RFC 2156, January
- 1998.
-
- [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
- X.509 Public Key Infrastructure Certificate and
- Certificate Revocation List (CRL) Profile", RFC 3280,
- April 2002.
-
- [RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol
- version 2 (LDAPv2) to Historic Status", RFC 3494, March
- 2003.
-
- [RFC3642] Legg, S., "Common Elements of Generic String Encoding
- Rules (GSER) Encodings", RFC 3642, October 2003.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4513] Harrison, R. Ed., "Lightweight Directory Access Protocol
- (LDAP): Authentication Methods and Security Mechanisms",
- RFC 4513, June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
- Considerations for the Lightweight Directory Access
- Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 14]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-Appendix A.
-
- This appendix is informative.
-
- This appendix provides ABNF [RFC4234] grammars for GSER-based
- [RFC3641] LDAP-specific encodings specified in this document. These
- grammars where produced using, and relying on, Common Elements for
- GSER Encodings [RFC3642].
-
-A.1. CertificateExactAssertion
-
- CertificateExactAssertion = "{" sp cea-serialNumber ","
- sp cea-issuer sp "}"
-
- cea-serialNumber = id-serialNumber msp CertificateSerialNumber
- cea-issuer = id-issuer msp Name
-
- id-serialNumber =
- %x73.65.72.69.61.6C.4E.75.6D.62.65.72 ; 'serialNumber'
- id-issuer = %x69.73.73.75.65.72 ; 'issuer'
-
- Name = id-rdnSequence ":" RDNSequence
- id-rdnSequence = %x72.64.6E.53.65.71.75.65.6E.63.65 ; 'rdnSequence'
-
- CertificateSerialNumber = INTEGER
-
-A.2. CertificateAssertion
-
-CertificateAssertion = "{" [ sp ca-serialNumber ]
- [ sep sp ca-issuer ]
- [ sep sp ca-subjectKeyIdentifier ]
- [ sep sp ca-authorityKeyIdentifier ]
- [ sep sp ca-certificateValid ]
- [ sep sp ca-privateKeyValid ]
- [ sep sp ca-subjectPublicKeyAlgID ]
- [ sep sp ca-keyUsage ]
- [ sep sp ca-subjectAltName ]
- [ sep sp ca-policy ]
- [ sep sp ca-pathToName ]
- [ sep sp ca-subject ]
- [ sep sp ca-nameConstraints ] sp "}"
-
-ca-serialNumber = id-serialNumber msp CertificateSerialNumber
-ca-issuer = id-issuer msp Name
-ca-subjectKeyIdentifier = id-subjectKeyIdentifier msp
- SubjectKeyIdentifier
-ca-authorityKeyIdentifier = id-authorityKeyIdentifier msp
- AuthorityKeyIdentifier
-
-
-
-Zeilenga Standards Track [Page 15]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-ca-certificateValid = id-certificateValid msp Time
-ca-privateKeyValid = id-privateKeyValid msp GeneralizedTime
-ca-subjectPublicKeyAlgID = id-subjectPublicKeyAlgID msp
- OBJECT-IDENTIFIER
-ca-keyUsage = id-keyUsage msp KeyUsage
-ca-subjectAltName = id-subjectAltName msp AltNameType
-ca-policy = id-policy msp CertPolicySet
-ca-pathToName = id-pathToName msp Name
-ca-subject = id-subject msp Name
-ca-nameConstraints = id-nameConstraints msp NameConstraintsSyntax
-
-id-subjectKeyIdentifier =
- %x73.75.62.6A.65.63.74.4B.65.79.49.64.65.6E.74.69.66.69.65.72
- ; 'subjectKeyIdentifier'
-id-authorityKeyIdentifier =
- %x61.75.74.68.6F.72.69.74.79.4B.65.79.49.64.65.6E.74.69.66.69.65.72
- ; 'authorityKeyIdentifier'
-id-certificateValid = %x63.65.72.74.69.66.69.63.61.74.65.56.61.6C.69.64
- ; 'certificateValid'
-id-privateKeyValid = %x70.72.69.76.61.74.65.4B.65.79.56.61.6C.69.64
- ; 'privateKeyValid'
-id-subjectPublicKeyAlgID =
- %x73.75.62.6A.65.63.74.50.75.62.6C.69.63.4B.65.79.41.6C.67.49.44
- ; 'subjectPublicKeyAlgID'
-id-keyUsage = %x6B.65.79.55.73.61.67.65 ; 'keyUsage'
-id-subjectAltName = %x73.75.62.6A.65.63.74.41.6C.74.4E.61.6D.65
- ; 'subjectAltName'
-id-policy = %x70.6F.6C.69.63.79 ; 'policy'
-id-pathToName = %x70.61.74.68.54.6F.4E.61.6D.65 ; 'pathToName'
-id-subject = %x73.75.62.6A.65.63.74 ; 'subject'
-id-nameConstraints = %x6E.61.6D.65.43.6F.6E.73.74.72.61.69.6E.74.73
- ; 'nameConstraints'
-
-SubjectKeyIdentifier = KeyIdentifier
-
-KeyIdentifier = OCTET-STRING
-
-AuthorityKeyIdentifier = "{" [ sp aki-keyIdentifier ]
- [ sep sp aki-authorityCertIssuer ]
- [ sep sp aki-authorityCertSerialNumber ] sp "}"
-
-aki-keyIdentifier = id-keyIdentifier msp KeyIdentifier
-aki-authorityCertIssuer = id-authorityCertIssuer msp GeneralNames
-
-GeneralNames = "{" sp GeneralName *( "," sp GeneralName ) sp "}"
-GeneralName = gn-otherName
- / gn-rfc822Name
- / gn-dNSName
-
-
-
-Zeilenga Standards Track [Page 16]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
- / gn-x400Address
- / gn-directoryName
- / gn-ediPartyName
- / gn-uniformResourceIdentifier
- / gn-iPAddress
- / gn-registeredID
-
-gn-otherName = id-otherName ":" OtherName
-gn-rfc822Name = id-rfc822Name ":" IA5String
-gn-dNSName = id-dNSName ":" IA5String
-gn-x400Address = id-x400Address ":" ORAddress
-gn-directoryName = id-directoryName ":" Name
-gn-ediPartyName = id-ediPartyName ":" EDIPartyName
-gn-iPAddress = id-iPAddress ":" OCTET-STRING
-gn-registeredID = gn-id-registeredID ":" OBJECT-IDENTIFIER
-
-gn-uniformResourceIdentifier = id-uniformResourceIdentifier
- ":" IA5String
-
-id-otherName = %x6F.74.68.65.72.4E.61.6D.65 ; 'otherName'
-gn-id-registeredID = %x72.65.67.69.73.74.65.72.65.64.49.44
- ; 'registeredID'
-
-OtherName = "{" sp on-type-id "," sp on-value sp "}"
-on-type-id = id-type-id msp OBJECT-IDENTIFIER
-on-value = id-value msp Value
- ;; <Value> as defined in Section 3 of [RFC3641]
-
-id-type-id = %x74.79.70.65.2D.69.64 ; 'type-id'
-id-value = %x76.61.6C.75.65 ; 'value'
-
-ORAddress = dquote *SafeIA5Character dquote
-SafeIA5Character = %x01-21 / %x23-7F / ; ASCII minus dquote
- dquote dquote ; escaped double quote
-dquote = %x22 ; '"' (double quote)
-
-;; Note: The <ORAddress> rule encodes the x400Address component
-;; of a GeneralName as a character string between double quotes.
-;; The character string is first derived according to Section 4.1
-;; of [RFC2156], and then any embedded double quotes are escaped
-;; by being repeated. This resulting string is output between
-;; double quotes.
-
-EDIPartyName = "{" [ sp nameAssigner "," ] sp partyName sp "}"
-nameAssigner = id-nameAssigner msp DirectoryString
-partyName = id-partyName msp DirectoryString
-id-nameAssigner = %x6E.61.6D.65.41.73.73.69.67.6E.65.72
- ; 'nameAssigner'
-
-
-
-Zeilenga Standards Track [Page 17]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-id-partyName = %x70.61.72.74.79.4E.61.6D.65 ; 'partyName'
-
-aki-authorityCertSerialNumber = id-authorityCertSerialNumber
- msp CertificateSerialNumber
-
-id-keyIdentifier = %x6B.65.79.49.64.65.6E.74.69.66.69.65.72
- ; 'keyIdentifier'
-id-authorityCertIssuer =
- %x61.75.74.68.6F.72.69.74.79.43.65.72.74.49.73.73.75.65.72
- ; 'authorityCertIssuer'
-
-id-authorityCertSerialNumber = %x61.75.74.68.6F.72.69.74.79.43
- %x65.72.74.53.65.72.69.61.6C.4E.75.6D.62.65.72
- ; 'authorityCertSerialNumber'
-
-Time = time-utcTime / time-generalizedTime
-time-utcTime = id-utcTime ":" UTCTime
-time-generalizedTime = id-generalizedTime ":" GeneralizedTime
-id-utcTime = %x75.74.63.54.69.6D.65 ; 'utcTime'
-id-generalizedTime = %x67.65.6E.65.72.61.6C.69.7A.65.64.54.69.6D.65
- ; 'generalizedTime'
-
-KeyUsage = BIT-STRING / key-usage-bit-list
-key-usage-bit-list = "{" [ sp key-usage *( "," sp key-usage ) ] sp "}"
-
-;; Note: The <key-usage-bit-list> rule encodes the one bits in
-;; a KeyUsage value as a comma separated list of identifiers.
-
-key-usage = id-digitalSignature
- / id-nonRepudiation
- / id-keyEncipherment
- / id-dataEncipherment
- / id-keyAgreement
- / id-keyCertSign
- / id-cRLSign
- / id-encipherOnly
- / id-decipherOnly
-
-id-digitalSignature = %x64.69.67.69.74.61.6C.53.69.67.6E.61.74
- %x75.72.65 ; 'digitalSignature'
-id-nonRepudiation = %x6E.6F.6E.52.65.70.75.64.69.61.74.69.6F.6E
- ; 'nonRepudiation'
-id-keyEncipherment = %x6B.65.79.45.6E.63.69.70.68.65.72.6D.65.6E.74
- ; 'keyEncipherment'
-id-dataEncipherment = %x64.61.74.61.45.6E.63.69.70.68.65.72.6D.65.6E
- %x74 ; "dataEncipherment'
-id-keyAgreement = %x6B.65.79.41.67.72.65.65.6D.65.6E.74
- ; 'keyAgreement'
-
-
-
-Zeilenga Standards Track [Page 18]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-id-keyCertSign = %x6B.65.79.43.65.72.74.53.69.67.6E
- ; 'keyCertSign'
-id-cRLSign = %x63.52.4C.53.69.67.6E ; "cRLSign"
-id-encipherOnly = %x65.6E.63.69.70.68.65.72.4F.6E.6C.79
- ; 'encipherOnly'
-id-decipherOnly = %x64.65.63.69.70.68.65.72.4F.6E.6C.79
- ; 'decipherOnly'
-
-AltNameType = ant-builtinNameForm / ant-otherNameForm
-
-ant-builtinNameForm = id-builtinNameForm ":" BuiltinNameForm
-ant-otherNameForm = id-otherNameForm ":" OBJECT-IDENTIFIER
-
-id-builtinNameForm = %x62.75.69.6C.74.69.6E.4E.61.6D.65.46.6F.72.6D
- ; 'builtinNameForm'
-id-otherNameForm = %x6F.74.68.65.72.4E.61.6D.65.46.6F.72.6D
- ; 'otherNameForm'
-
-BuiltinNameForm = id-rfc822Name
- / id-dNSName
- / id-x400Address
- / id-directoryName
- / id-ediPartyName
- / id-uniformResourceIdentifier
- / id-iPAddress
- / id-registeredId
-
-id-rfc822Name = %x72.66.63.38.32.32.4E.61.6D.65 ; 'rfc822Name'
-id-dNSName = %x64.4E.53.4E.61.6D.65 ; 'dNSName'
-id-x400Address = %x78.34.30.30.41.64.64.72.65.73.73 ; 'x400Address'
-id-directoryName = %x64.69.72.65.63.74.6F.72.79.4E.61.6D.65
- ; 'directoryName'
-id-ediPartyName = %x65.64.69.50.61.72.74.79.4E.61.6D.65
- ; 'ediPartyName'
-id-iPAddress = %x69.50.41.64.64.72.65.73.73 ; 'iPAddress'
-id-registeredId = %x72.65.67.69.73.74.65.72.65.64.49.64
- ; 'registeredId'
-
-id-uniformResourceIdentifier = %x75.6E.69.66.6F.72.6D.52.65.73.6F.75
- %x72.63.65.49.64.65.6E.74.69.66.69.65.72
- ; 'uniformResourceIdentifier'
-
-CertPolicySet = "{" sp CertPolicyId *( "," sp CertPolicyId ) sp "}"
-CertPolicyId = OBJECT-IDENTIFIER
-
-NameConstraintsSyntax = "{" [ sp ncs-permittedSubtrees ]
- [ sep sp ncs-excludedSubtrees ] sp "}"
-
-
-
-
-Zeilenga Standards Track [Page 19]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-ncs-permittedSubtrees = id-permittedSubtrees msp GeneralSubtrees
-ncs-excludedSubtrees = id-excludedSubtrees msp GeneralSubtrees
-
-id-permittedSubtrees =
- %x70.65.72.6D.69.74.74.65.64.53.75.62.74.72.65.65.73
- ; 'permittedSubtrees'
-id-excludedSubtrees =
- %x65.78.63.6C.75.64.65.64.53.75.62.74.72.65.65.73
- ; 'excludedSubtrees'
-
-GeneralSubtrees = "{" sp GeneralSubtree
- *( "," sp GeneralSubtree ) sp "}"
-GeneralSubtree = "{" sp gs-base
- [ "," sp gs-minimum ]
- [ "," sp gs-maximum ] sp "}"
-
-gs-base = id-base msp GeneralName
-gs-minimum = id-minimum msp BaseDistance
-gs-maximum = id-maximum msp BaseDistance
-
-id-base = %x62.61.73.65 ; 'base'
-id-minimum = %x6D.69.6E.69.6D.75.6D ; 'minimum'
-id-maximum = %x6D.61.78.69.6D.75.6D ; 'maximum'
-
-BaseDistance = INTEGER-0-MAX
-
-A.3. CertificatePairExactAssertion
-
- CertificatePairExactAssertion = "{" [ sp cpea-issuedTo ]
- [sep sp cpea-issuedBy ] sp "}"
- ;; At least one of <cpea-issuedTo> or <cpea-issuedBy> MUST be present.
-
- cpea-issuedTo = id-issuedToThisCAAssertion msp
- CertificateExactAssertion
- cpea-issuedBy = id-issuedByThisCAAssertion msp
- CertificateExactAssertion
-
- id-issuedToThisCAAssertion = %x69.73.73.75.65.64.54.6F.54.68.69.73
- %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedToThisCAAssertion'
- id-issuedByThisCAAssertion = %x69.73.73.75.65.64.42.79.54.68.69.73
- %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedByThisCAAssertion'
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 20]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-A.4. CertificatePairAssertion
-
- CertificatePairAssertion = "{" [ sp cpa-issuedTo ]
- [sep sp cpa-issuedBy ] sp "}"
- ;; At least one of <cpa-issuedTo> and <cpa-issuedBy> MUST be present.
-
- cpa-issuedTo = id-issuedToThisCAAssertion msp CertificateAssertion
- cpa-issuedBy = id-issuedByThisCAAssertion msp CertificateAssertion
-
-A.5. CertificateListExactAssertion
-
- CertificateListExactAssertion = "{" sp clea-issuer ","
- sp clea-thisUpdate
- [ "," sp clea-distributionPoint ] sp "}"
-
- clea-issuer = id-issuer msp Name
- clea-thisUpdate = id-thisUpdate msp Time
- clea-distributionPoint = id-distributionPoint msp
- DistributionPointName
-
- id-thisUpdate = %x74.68.69.73.55.70.64.61.74.65 ; 'thisUpdate'
- id-distributionPoint =
- %x64.69.73.74.72.69.62.75.74.69.6F.6E.50.6F.69.6E.74
- ; 'distributionPoint'
-
- DistributionPointName = dpn-fullName / dpn-nameRelativeToCRLIssuer
-
- dpn-fullName = id-fullName ":" GeneralNames
- dpn-nameRelativeToCRLIssuer = id-nameRelativeToCRLIssuer ":"
- RelativeDistinguishedName
-
- id-fullName = %x66.75.6C.6C.4E.61.6D.65 ; 'fullName'
- id-nameRelativeToCRLIssuer = %x6E.61.6D.65.52.65.6C.61.74.69.76.65
- %x54.6F.43.52.4C.49.73.73.75.65.72 ; 'nameRelativeToCRLIssuer'
-
-A.6. CertificateListAssertion
-
- CertificateListAssertion = "{" [ sp cla-issuer ]
- [ sep sp cla-minCRLNumber ]
- [ sep sp cla-maxCRLNumber ]
- [ sep sp cla-reasonFlags ]
- [ sep sp cla-dateAndTime ]
- [ sep sp cla-distributionPoint ]
- [ sep sp cla-authorityKeyIdentifier ] sp "}"
-
- cla-issuer = id-issuer msp Name
- cla-minCRLNumber = id-minCRLNumber msp CRLNumber
- cla-maxCRLNumber = id-maxCRLNumber msp CRLNumber
-
-
-
-Zeilenga Standards Track [Page 21]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
- cla-reasonFlags = id-reasonFlags msp ReasonFlags
- cla-dateAndTime = id-dateAndTime msp Time
-
- cla-distributionPoint = id-distributionPoint msp
- DistributionPointName
-
- cla-authorityKeyIdentifier = id-authorityKeyIdentifier msp
- AuthorityKeyIdentifier
-
- id-minCRLNumber = %x6D.69.6E.43.52.4C.4E.75.6D.62.65.72
- ; 'minCRLNumber'
- id-maxCRLNumber = %x6D.61.78.43.52.4C.4E.75.6D.62.65.72
- ; 'maxCRLNumber'
- id-reasonFlags = %x72.65.61.73.6F.6E.46.6C.61.67.73 ; 'reasonFlags'
- id-dateAndTime = %x64.61.74.65.41.6E.64.54.69.6D.65 ; 'dateAndTime'
-
- CRLNumber = INTEGER-0-MAX
-
- ReasonFlags = BIT-STRING
- / "{" [ sp reason-flag *( "," sp reason-flag ) ] sp "}"
-
- reason-flag = id-unused
- / id-keyCompromise
- / id-cACompromise
- / id-affiliationChanged
- / id-superseded
- / id-cessationOfOperation
- / id-certificateHold
- / id-privilegeWithdrawn
- / id-aACompromise
-
- id-unused = %x75.6E.75.73.65.64 ; 'unused'
- id-keyCompromise = %x6B.65.79.43.6F.6D.70.72.6F.6D.69.73.65
- ; 'keyCompromise'
- id-cACompromise = %x63.41.43.6F.6D.70.72.6F.6D.69.73.65
- ; 'cACompromise'
- id-affiliationChanged =
- %x61.66.66.69.6C.69.61.74.69.6F.6E.43.68.61.6E.67.65.64
- ; 'affiliationChanged'
- id-superseded = %x73.75.70.65.72.73.65.64.65.64 ; 'superseded'
- id-cessationOfOperation =
- %x63.65.73.73.61.74.69.6F.6E.4F.66.4F.70.65.72.61.74.69.6F.6E
- ; 'cessationOfOperation'
- id-certificateHold = %x63.65.72.74.69.66.69.63.61.74.65.48.6F.6C.64
- ; 'certificateHold'
- id-privilegeWithdrawn =
- %x70.72.69.76.69.6C.65.67.65.57.69.74.68.64.72.61.77.6E
- ; 'privilegeWithdrawn'
-
-
-
-Zeilenga Standards Track [Page 22]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
- id-aACompromise = %x61.41.43.6F.6D.70.72.6F.6D.69.73.65
- ; 'aACompromise'
-
-A.7. AlgorithmIdentifier
-
- AlgorithmIdentifier = "{" sp ai-algorithm
- [ "," sp ai-parameters ] sp "}"
-
- ai-algorithm = id-algorithm msp OBJECT-IDENTIFIER
- ai-parameters = id-parameters msp Value
- id-algorithm = %x61.6C.67.6F.72.69.74.68.6D ; 'algorithm'
- id-parameters = %x70.61.72.61.6D.65.74.65.72.73 ; 'parameters'
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 23]
-�
-RFC 4523 LDAP X.509 Schema June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 24]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4524.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4524.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4524.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1403 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga, Ed.
-Request for Comments: 4524 OpenLDAP Foundation
-Obsoletes: 1274 June 2006
-Updates: 2247, 2798
-Category: Standards Track
-
-
- COSINE LDAP/X.500 Schema
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document provides a collection of schema elements for use with
- the Lightweight Directory Access Protocol (LDAP) from the COSINE and
- Internet X.500 pilot projects.
-
- This document obsoletes RFC 1274 and updates RFCs 2247 and 2798.
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 1.1. Relationship to Other Documents ............................3
- 1.2. Terminology and Conventions ................................4
- 2. COSINE Attribute Types ..........................................4
- 2.1. associatedDomain ...........................................4
- 2.2. associatedName .............................................5
- 2.3. buildingName ...............................................5
- 2.4. co .........................................................5
- 2.5. documentAuthor .............................................6
- 2.6. documentIdentifier .........................................6
- 2.7. documentLocation ...........................................6
- 2.8. documentPublisher ..........................................7
- 2.9. documentTitle ..............................................7
- 2.10. documentVersion ...........................................7
- 2.11. drink .....................................................8
- 2.12. homePhone .................................................8
- 2.13. homePostalAddress .........................................8
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- 2.14. host ......................................................9
- 2.15. info ......................................................9
- 2.16. mail ......................................................9
- 2.17. manager ..................................................10
- 2.18. mobile ...................................................10
- 2.19. organizationalStatus .....................................11
- 2.20. pager ....................................................11
- 2.21. personalTitle ............................................11
- 2.22. roomNumber ...............................................12
- 2.23. secretary ................................................12
- 2.24. uniqueIdentifier .........................................12
- 2.25. userClass ................................................13
- 3. COSINE Object Classes ..........................................13
- 3.1. account ...................................................13
- 3.2. document ..................................................14
- 3.3. documentSeries ............................................14
- 3.4. domain ....................................................15
- 3.5. domainRelatedObject .......................................16
- 3.6. friendlyCountry ...........................................16
- 3.7. rFC822LocalPart ...........................................17
- 3.8. room ......................................................18
- 3.9. simpleSecurityObject ......................................18
- 4. Security Considerations ........................................18
- 5. IANA Considerations ............................................19
- 6. Acknowledgements ...............................................20
- 7. References .....................................................20
- 7.1. Normative References ......................................20
- 7.2. Informative References ....................................21
- Appendix A. Changes since RFC 1274 ...............................23
- A.1. LDAP Short Names .........................................23
- A.2. pilotObject ..............................................23
- A.3. pilotPerson ..............................................23
- A.4. dNSDomain ................................................24
- A.5. pilotDSA and qualityLabelledData .........................24
- A.6. Attribute Syntaxes .......................................24
- Appendix B. Changes since RFC 2247 ...............................24
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
-1. Introduction
-
- In the late 1980s, X.500 Directory Services were standardized by the
- CCITT (Commite' Consultatif International de Telegraphique et
- Telephonique), now a part of the ITU (International Telephone Union).
- This lead to Directory Service piloting activities in the early
- 1990s, including the COSINE (Co-operation and Open Systems
- Interconnection in Europe) PARADISE Project pilot [COSINEpilot] in
- Europe. Motivated by needs for large-scale directory pilots, RFC
- 1274 was published to standardize the directory schema and naming
- architecture for use in the COSINE and other Internet X.500 pilots
- [RFC1274].
-
- In the years that followed, X.500 Directory Services have evolved to
- incorporate new capabilities and even new protocols. In particular,
- the Lightweight Directory Access Protocol (LDAP) [RFC4510] was
- introduced in the early 1990s [RFC1487], with Version 3 of LDAP
- introduced in the late 1990s [RFC2251] and subsequently revised in
- 2005 [RFC4510].
-
- While much of the material in RFC 1274 has been superceded by
- subsequently published ITU-T Recommendations and IETF RFCs, many of
- the schema elements lack standardized schema descriptions for use in
- modern X.500 and LDAP directory services despite the fact that these
- schema elements are in wide use today. As the old schema
- descriptions cannot be used without adaptation, interoperability
- issues may arise due to lack of standardized modern schema
- descriptions.
-
- This document addresses these issues by offering standardized schema
- descriptions, where needed, for widely used COSINE schema elements.
-
-1.1. Relationship to Other Documents
-
- This document, together with [RFC4519] and [RFC4517], obsoletes RFC
- 1274 in its entirety. [RFC4519] replaces Sections 9.3.1 (Userid) and
- 9.3.21 (Domain Component) of RFC 1274. [RFC4517] replaces Section
- 9.4 (Generally useful syntaxes) of RFC 1274.
-
- This document replaces the remainder of RFC 1274. Appendix A
- discusses changes since RFC 1274, as well as why certain schema
- elements were not brought forward in this revision of the COSINE
- schema. All elements not brought are to be regarded as Historic.
-
- The description of the 'domain' object class provided in this
- document supercedes that found in RFC 2247. That is, Section 3.4 of
- this document replaces Section 5.2 of [RFC2247].
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- Some of the schema elements specified here were described in RFC 2798
- (inetOrgPerson schema). This document supersedes these descriptions.
- This document, together with [RFC4519], replaces Section 9.1.3 of RFC
- 2798.
-
-1.2. Terminology and Conventions
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
- DIT stands for Directory Information Tree.
- DN stands for Distinguished Name.
- DSA stands for Directory System Agent, a server.
- DSE stands for DSA-Specific Entry.
- DUA stands for Directory User Agent, a client.
-
- These terms are discussed in [RFC4512].
-
- Schema definitions are provided using LDAP description formats
- [RFC4512]. Definitions provided here are formatted (line wrapped)
- for readability.
-
-2. COSINE Attribute Types
-
- This section details COSINE attribute types for use in LDAP.
-
-2.1. associatedDomain
-
- The 'associatedDomain' attribute specifies DNS [RFC1034][RFC2181]
- host names [RFC1123] that are associated with an object. That is,
- values of this attribute should conform to the following ABNF:
-
- domain = root / label *( DOT label )
- root = SPACE
- label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ]
- LETDIG = %x30-39 / %x41-5A / %x61-7A ; "0" - "9" / "A"-"Z" / "a"-"z"
- SPACE = %x20 ; space (" ")
- HYPHEN = %x2D ; hyphen ("-")
- DOT = %x2E ; period (".")
-
- For example, the entry in the DIT with a DN <DC=example,DC=com> might
- have an associated domain of "example.com".
-
- ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the
- 'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are
- described in [RFC4517].
-
- Note that the directory will not ensure that values of this attribute
- conform to the <domain> production provided above. It is the
- application's responsibility to ensure that domains it stores in this
- attribute are appropriately represented.
-
- Also note that applications supporting Internationalized Domain Names
- SHALL use the ToASCII method [RFC3490] to produce <label> components
- of the <domain> production.
-
-2.2. associatedName
-
- The 'associatedName' attribute specifies names of entries in the
- organizational DIT associated with a DNS domain [RFC1034][RFC2181].
-
- ( 0.9.2342.19200300.100.1.38 NAME 'associatedName'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
- The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
- 'distinguishedNameMatch' rule are described in [RFC4517].
-
-2.3. buildingName
-
- The 'buildingName' attribute specifies names of the buildings where
- an organization or organizational unit is based, for example, "The
- White House".
-
- ( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.4. co
-
- The 'co' (Friendly Country Name) attribute specifies names of
- countries in human-readable format, for example, "Germany" and
- "Federal Republic of Germany". It is commonly used in conjunction
- with the 'c' (Country Name) [RFC4519] attribute (whose values are
- restricted to the two-letter codes defined in [ISO3166]).
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- ( 0.9.2342.19200300.100.1.43 NAME 'co'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.5. documentAuthor
-
- The 'documentAuthor' attribute specifies the distinguished names of
- authors (or editors) of a document. For example,
-
- ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
- The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
- 'distinguishedNameMatch' rule are described in [RFC4517].
-
-2.6. documentIdentifier
-
- The 'documentIdentifier' attribute specifies unique identifiers for a
- document. A document may be identified by more than one unique
- identifier. For example, RFC 3383 and BCP 64 are unique identifiers
- that (presently) refer to the same document.
-
- ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.7. documentLocation
-
- The 'documentLocation' attribute specifies locations of the document
- original.
-
- ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.8. documentPublisher
-
- The 'documentPublisher' attribute is the persons and/or organizations
- that published the document. Documents that are jointly published
- have one value for each publisher.
-
- ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.9. documentTitle
-
- The 'documentTitle' attribute specifies the titles of a document.
- Multiple values are allowed to accommodate both long and short
- titles, or other situations where a document has multiple titles, for
- example, "The Lightweight Directory Access Protocol Technical
- Specification" and "The LDAP Technical Specification".
-
- ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.10. documentVersion
-
- The 'documentVersion' attribute specifies the version information of
- a document.
-
- ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.11. drink
-
- The 'drink' (favoriteDrink) attribute specifies the favorite drinks
- of an object (or person), for instance, "cola" and "beer".
-
- ( 0.9.2342.19200300.100.1.5 NAME 'drink'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.12. homePhone
-
- The 'homePhone' (Home Telephone Number) attribute specifies home
- telephone numbers (e.g., "+1 775 555 1234") associated with a person.
-
- ( 0.9.2342.19200300.100.1.20 NAME 'homePhone'
- EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
- The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
- 'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
- described in [RFC4517].
-
-2.13. homePostalAddress
-
- The 'homePostalAddress' attribute specifies home postal addresses for
- an object. Each value should be limited to up to 6 directory strings
- of 30 characters each. (Note: It is not intended that the directory
- service enforce these limits.)
-
- ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress'
- EQUALITY caseIgnoreListMatch
- SUBSTR caseIgnoreListSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
-
- The PostalAddress (1.3.6.1.4.1.1466.115.121.1.41) syntax and the
- 'caseIgnoreListMatch' and 'caseIgnoreListSubstringsMatch' rules are
- described in [RFC4517].
-
-
-
-
-Zeilenga Standards Track [Page 8]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
-2.14. host
-
- The 'host' attribute specifies host computers, generally by their
- primary fully qualified domain name (e.g., my-host.example.com).
-
- ( 0.9.2342.19200300.100.1.9 NAME 'host'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.15. info
-
- The 'info' attribute specifies any general information pertinent to
- an object. This information is not necessarily descriptive of the
- object.
-
- Applications should not attach specific semantics to values of this
- attribute. The 'description' attribute [RFC4519] is available for
- specifying descriptive information pertinent to an object.
-
- ( 0.9.2342.19200300.100.1.4 NAME 'info'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.16. mail
-
- The 'mail' (rfc822mailbox) attribute type holds Internet mail
- addresses in Mailbox [RFC2821] form (e.g., user at example.com).
-
- ( 0.9.2342.19200300.100.1.3 NAME 'mail'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-
- The IA5String (1.3.6.1.4.1.1466.115.121.1.26) syntax and the
- 'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch' rules are
- described in [RFC4517].
-
-
-
-
-
-Zeilenga Standards Track [Page 9]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- Note that the directory will not ensure that values of this attribute
- conform to the <Mailbox> production [RFC2821]. It is the
- application's responsibility to ensure that domains it stores in this
- attribute are appropriately represented.
-
- Additionally, the directory will compare values per the matching
- rules named in the above attribute type description. As these rules
- differ from rules that normally apply to <Mailbox> comparisons,
- operational issues may arise. For example, the assertion
- (mail=joe at example.com) will match "JOE at example.com" even though the
- <local-parts> differ. Also, where a user has two <Mailbox>es whose
- addresses differ only by case of the <local-part>, both cannot be
- listed as values of the user's mail attribute (as they are considered
- equal by the 'caseIgnoreIA5Match' rule).
-
- Also note that applications supporting internationalized domain names
- SHALL use the ToASCII method [RFC3490] to produce <sub-domain>
- components of the <Mailbox> production.
-
-2.17. manager
-
- The 'manager' attribute specifies managers, by distinguished name, of
- the person (or entity).
-
- ( 0.9.2342.19200300.100.1.10 NAME 'manager'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
- The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
- 'distinguishedNameMatch' rule are described in [RFC4517].
-
-2.18. mobile
-
- The 'mobile' (mobileTelephoneNumber) attribute specifies mobile
- telephone numbers (e.g., "+1 775 555 6789") associated with a person
- (or entity).
-
- ( 0.9.2342.19200300.100.1.41 NAME 'mobile'
- EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
- The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
- 'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
- described in [RFC4517].
-
-
-
-
-
-
-Zeilenga Standards Track [Page 10]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
-2.19. organizationalStatus
-
- The 'organizationalStatus' attribute specifies categories by which a
- person is often referred to in an organization. Examples of usage in
- academia might include "undergraduate student", "researcher",
- "professor", and "staff". Multiple values are allowed where the
- person is in multiple categories.
-
- Directory administrators and application designers SHOULD consider
- carefully the distinctions between this and the 'title' and
- 'userClass' attributes.
-
- ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.20. pager
-
- The 'pager' (pagerTelephoneNumber) attribute specifies pager
- telephone numbers (e.g., "+1 775 555 5555") for an object.
-
- ( 0.9.2342.19200300.100.1.42 NAME 'pager'
- EQUALITY telephoneNumberMatch
- SUBSTR telephoneNumberSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
-
- The telephoneNumber (1.3.6.1.4.1.1466.115.121.1.50) syntax and the
- 'telephoneNumberMatch' and 'telephoneNumberSubstringsMatch' rules are
- described in [RFC4517].
-
-2.21. personalTitle
-
- The 'personalTitle' attribute specifies personal titles for a person.
- Examples of personal titles are "Frau", "Dr.", "Herr", and
- "Professor".
-
- ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-
-
-
-
-Zeilenga Standards Track [Page 11]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.22. roomNumber
-
- The 'roomNumber' attribute specifies the room number of an object.
- During periods of renumbering, or in other circumstances where a room
- has multiple valid room numbers associated with it, multiple values
- may be provided. Note that the 'cn' (commonName) attribute type
- SHOULD be used for naming room objects.
-
- ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-2.23. secretary
-
- The 'secretary' attribute specifies secretaries and/or administrative
- assistants, by distinguished name.
-
- ( 0.9.2342.19200300.100.1.21 NAME 'secretary'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
- The DistinguishedName (1.3.6.1.4.1.1466.115.121.1.12) syntax and the
- 'distinguishedNameMatch' rule are described in [RFC4517].
-
-2.24. uniqueIdentifier
-
- The 'uniqueIdentifier' attribute specifies a unique identifier for an
- object represented in the Directory. The domain within which the
- identifier is unique and the exact semantics of the identifier are
- for local definition. For a person, this might be an institution-
- wide payroll number. For an organizational unit, it might be a
- department code.
-
- ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-
-
-
-
-Zeilenga Standards Track [Page 12]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
- Note: X.520 also describes an attribute called 'uniqueIdentifier'
- (2.5.4.45), which is called 'x500UniqueIdentifier' in LDAP
- [RFC4519]. The attribute detailed here ought not be confused
- with 'x500UniqueIdentifier'.
-
-2.25. userClass
-
- The 'userClass' attribute specifies categories of computer or
- application user. The semantics placed on this attribute are for
- local interpretation. Examples of current usage of this attribute in
- academia are "student", "staff", and "faculty". Note that the
- 'organizationalStatus' attribute type is now often preferred, as it
- makes no distinction between persons as opposed to users.
-
- ( 0.9.2342.19200300.100.1.8 NAME 'userClass'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
- The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
- 'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
- in [RFC4517].
-
-3. COSINE Object Classes
-
- This section details COSINE object classes for use in LDAP.
-
-3.1. account
-
- The 'account' object class is used to define entries representing
- computer accounts. The 'uid' attribute SHOULD be used for naming
- entries of this object class.
-
- ( 0.9.2342.19200300.100.4.5 NAME 'account'
- SUP top STRUCTURAL
- MUST uid
- MAY ( description $ seeAlso $ l $ o $ ou $ host ) )
-
- The 'top' object class is described in [RFC4512]. The 'description',
- 'seeAlso', 'l', 'o', 'ou', and 'uid' attribute types are described in
- [RFC4519]. The 'host' attribute type is described in Section 2 of
- this document.
-
-
-
-
-
-Zeilenga Standards Track [Page 13]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- 3.3. documentSeriesExample:
-
- dn: uid=kdz,cn=Accounts,dc=Example,dc=COM
- objectClass: account
- uid: kdz
- seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
-
-3.2. document
-
- The 'document' object class is used to define entries that represent
- documents.
-
- ( 0.9.2342.19200300.100.4.6 NAME 'document'
- SUP top STRUCTURAL
- MUST documentIdentifier
- MAY ( cn $ description $ seeAlso $ l $ o $ ou $
- documentTitle $ documentVersion $ documentAuthor $
- documentLocation $ documentPublisher ) )
-
- The 'top' object class is described in [RFC4512]. The 'cn',
- 'description', 'seeAlso', 'l', 'o', and 'ou' attribute types are
- described in [RFC4519]. The 'documentIdentifier', 'documentTitle',
- 'documentVersion', 'documentAuthor', 'documentLocation', and
- 'documentPublisher' attribute types are described in Section 2 of
- this document.
-
- Example:
-
- dn: documentIdentifier=RFC 4524,cn=RFC,dc=Example,dc=COM
- objectClass: document
- documentIdentifier: RFC 4524
- documentTitle: COSINE LDAP/X.500 Schema
- documentAuthor: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
- documentLocation: http://www.rfc-editor.org/rfc/rfc4524.txt
- documentPublisher: Internet Engineering Task Force
- description: A collection of schema elements for use in LDAP
- description: Obsoletes RFC 1274
- seeAlso: documentIdentifier=RFC 4510,cn=RFC,dc=Example,dc=COM
- seeAlso: documentIdentifier=RFC 1274,cn=RFC,dc=Example,dc=COM
-
-3.3. documentSeries
-
- The 'documentSeries' object class is used to define an entry that
- represents a series of documents (e.g., The Request For Comments
- memos).
-
-
-
-
-
-
-Zeilenga Standards Track [Page 14]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries'
- SUP top STRUCTURAL
- MUST cn
- MAY ( description $ l $ o $ ou $ seeAlso $
- telephonenumber ) )
-
- The 'top' object class is described in [RFC4512]. The 'description',
- 'l', 'o', 'ou', 'seeAlso', and 'telephoneNumber' attribute types are
- described in [RFC4519].
-
- Example:
-
- dn: cn=RFC,dc=Example,dc=COM
- objectClass: documentSeries
- cn: Request for Comments
- cn: RFC
- description: a series of memos about the Internet
-
-3.4. domain
-
- The 'domain' object class is used to define entries that represent
- DNS domains for objects that are not organizations, organizational
- units, or other kinds of objects more appropriately defined using an
- object class specific to the kind of object being defined (e.g.,
- 'organization', 'organizationUnit').
-
- The 'dc' attribute should be used for naming entries of the 'domain'
- object class.
-
- ( 0.9.2342.19200300.100.4.13 NAME 'domain'
- SUP top STRUCTURAL
- MUST dc
- MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
- x121Address $ registeredAddress $ destinationIndicator $
- preferredDeliveryMethod $ telexNumber $
- teletexTerminalIdentifier $ telephoneNumber $
- internationaliSDNNumber $ facsimileTelephoneNumber $ street $
- postOfficeBox $ postalCode $ postalAddress $
- physicalDeliveryOfficeName $ st $ l $ description $ o $
- associatedName ) )
-
- The 'top' object class and the 'dc', 'userPassword', 'searchGuide',
- 'seeAlso', 'businessCategory', 'x121Address', 'registeredAddress',
- 'destinationIndicator', 'preferredDeliveryMethod', 'telexNumber',
- 'teletexTerminalIdentifier', 'telephoneNumber',
- 'internationaliSDNNumber', 'facsimileTelephoneNumber', 'street',
- 'postOfficeBox', 'postalCode', 'postalAddress',
- 'physicalDeliveryOfficeName', 'st', 'l', 'description', and 'o' types
-
-
-
-Zeilenga Standards Track [Page 15]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- are described in [RFC4519]. The 'associatedName' attribute type is
- described in Section 2 of this document.
-
- Example:
-
- dn: dc=com
- objectClass: domain
- dc: com
- description: the .COM TLD
-
-3.5. domainRelatedObject
-
- The 'domainRelatedObject' object class is used to define entries that
- represent DNS domains that are "equivalent" to an X.500 domain, e.g.,
- an organization or organizational unit.
-
- ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject'
- SUP top AUXILIARY
- MUST associatedDomain )
-
- The 'top' object class is described in [RFC4512]. The
- 'associatedDomain' attribute type is described in Section 2 of this
- document.
-
- Example:
-
- dn: dc=example,dc=com
- objectClass: organization
- objectClass: dcObject
- objectClass: domainRelatedObject
- dc: example
- associatedDomain: example.com
- o: Example Organization
-
- The 'organization' and 'dcObject' object classes and the 'dc' and 'o'
- attribute types are described in [RFC4519].
-
-3.6. friendlyCountry
-
- The 'friendlyCountry' object class is used to define entries
- representing countries in the DIT. The object class is used to allow
- friendlier naming of countries than that allowed by the object class
- 'country' [RFC4519].
-
- ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry'
- SUP country STRUCTURAL
- MUST co )
-
-
-
-
-Zeilenga Standards Track [Page 16]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- The 'country' object class is described in [RFC4519]. The 'co'
- attribute type is described in Section 2 of this document.
-
- Example:
-
- dn: c=DE
- objectClass: country
- objectClass: friendlyCountry
- c: DE
- co: Deutschland
- co: Germany
- co: Federal Republic of Germany
- co: FRG
-
- The 'c' attribute type is described in [RFC4519].
-
-3.7. rFC822LocalPart
-
- The 'rFC822LocalPart' object class is used to define entries that
- represent the local part of Internet mail addresses [RFC2822]. This
- treats the local part of the address as a 'domain' object.
-
- ( 0.9.2342.19200300.100.4.14 NAME 'rFC822localPart'
- SUP domain STRUCTURAL
- MAY ( cn $ description $ destinationIndicator $
- facsimileTelephoneNumber $ internationaliSDNNumber $
- physicalDeliveryOfficeName $ postalAddress $ postalCode $
- postOfficeBox $ preferredDeliveryMethod $ registeredAddress $
- seeAlso $ sn $ street $ telephoneNumber $
- teletexTerminalIdentifier $ telexNumber $ x121Address ) )
-
- The 'domain' object class is described in Section 3.4 of this
- document. The 'cn', 'description', 'destinationIndicator',
- 'facsimileTelephoneNumber', 'internationaliSDNNumber,
- 'physicalDeliveryOfficeName', 'postalAddress', 'postalCode',
- 'postOfficeBox', 'preferredDeliveryMethod', 'registeredAddress',
- 'seeAlso', 'sn, 'street', 'telephoneNumber',
- 'teletexTerminalIdentifier', 'telexNumber', and 'x121Address'
- attribute types are described in [RFC4519].
-
- Example:
-
- dn: dc=kdz,dc=example,dc=com
- objectClass: domain
- objectClass: rFC822LocalPart
- dc: kdz
- associatedName: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
-
-
-
-
-Zeilenga Standards Track [Page 17]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- The 'dc' attribute type is described in [RFC4519].
-
-3.8. room
-
- The 'room' object class is used to define entries representing rooms.
- The 'cn' (commonName) attribute SHOULD be used for naming entries of
- this object class.
-
- ( 0.9.2342.19200300.100.4.7 NAME 'room'
- SUP top STRUCTURAL
- MUST cn
- MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )
-
- The 'top' object class is described in [RFC4512]. The 'cn',
- 'description', 'seeAlso', and 'telephoneNumber' attribute types are
- described in [RFC4519]. The 'roomNumber' attribute type is described
- in Section 2 of this document.
-
- dn: cn=conference room,dc=example,dc=com
- objectClass: room
- cn: conference room
- telephoneNumber: +1 755 555 1111
-
-3.9. simpleSecurityObject
-
- The 'simpleSecurityObject' object class is used to require an entry
- to have a 'userPassword' attribute when the entry's structural object
- class does not require (or allow) the 'userPassword attribute'.
-
- ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
- SUP top AUXILIARY
- MUST userPassword )
-
- The 'top' object class is described in [RFC4512]. The 'userPassword'
- attribute type is described in [RFC4519].
-
- dn: dc=kdz,dc=Example,dc=COM
- objectClass: account
- objectClass: simpleSecurityObject
- uid: kdz
- userPassword: My Password
- seeAlso: cn=Kurt D. Zeilenga,cn=Persons,dc=Example,dc=COM
-
-4. Security Considerations
-
- General LDAP security considerations [RFC4510] are applicable to the
- use of this schema. Additional considerations are noted above where
- appropriate.
-
-
-
-Zeilenga Standards Track [Page 18]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- Directories administrators should ensure that access to sensitive
- information be restricted to authorized entities and that appropriate
- data security services, including data integrity and data
- confidentiality, are used to protect against eavesdropping.
-
- Simple authentication (e.g., plain text passwords) mechanisms should
- only be used when adequate data security services are in place. LDAP
- offers reasonably strong authentication and data security services
- [RFC4513].
-
-5. IANA Considerations
-
- The Internet Assigned Numbers Authority (IANA) has updated the LDAP
- descriptors registry [RFC4520] as indicated in the following
- template:
-
- Subject: Request for LDAP Descriptor Registration Update
- Descriptor (short name): see comment
- Object Identifier: see comments
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Usage: see comments
- Specification: RFC 4524
- Author/Change Controller: IESG
- Comments:
-
- The following descriptors have been updated to refer to RFC 4524.
-
- NAME Type OID
- ------------------------ ---- --------------------------
- account O 0.9.2342.19200300.100.4.5
- associatedDomain A 0.9.2342.19200300.100.1.37
- associatedName A 0.9.2342.19200300.100.1.38
- buildingName A 0.9.2342.19200300.100.1.48
- co A 0.9.2342.19200300.100.1.43
- document O 0.9.2342.19200300.100.4.6
- documentAuthor A 0.9.2342.19200300.100.1.14
- documentIdentifier A 0.9.2342.19200300.100.1.11
- documentLocation A 0.9.2342.19200300.100.1.15
- documentPublisher A 0.9.2342.19200300.100.1.56
- documentSeries O 0.9.2342.19200300.100.4.8
- documentTitle A 0.9.2342.19200300.100.1.12
- documentVersion A 0.9.2342.19200300.100.1.13
- domain O 0.9.2342.19200300.100.4.13
- domainRelatedObject O 0.9.2342.19200300.100.4.17
- drink A 0.9.2342.19200300.100.1.5
- favouriteDrink A* 0.9.2342.19200300.100.1.5
- friendlyCountry O 0.9.2342.19200300.100.4.18
-
-
-
-Zeilenga Standards Track [Page 19]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- friendlyCountryName A* 0.9.2342.19200300.100.1.43
- homePhone A 0.9.2342.19200300.100.1.20
- homePostalAddress A 0.9.2342.19200300.100.1.39
- homeTelephone A* 0.9.2342.19200300.100.1.20
- host A 0.9.2342.19200300.100.1.9
- info A 0.9.2342.19200300.100.1.4
- mail A 0.9.2342.19200300.100.1.3
- manager A 0.9.2342.19200300.100.1.10
- mobile A 0.9.2342.19200300.100.1.41
- mobileTelephoneNumber A* 0.9.2342.19200300.100.1.41
- organizationalStatus A 0.9.2342.19200300.100.1.45
- pager A 0.9.2342.19200300.100.1.42
- pagerTelephoneNumber A* 0.9.2342.19200300.100.1.42
- personalTitle A 0.9.2342.19200300.100.1.40
- rFC822LocalPart O 0.9.2342.19200300.100.4.14
- rfc822Mailbox A* 0.9.2342.19200300.100.1.3
- room O 0.9.2342.19200300.100.4.7
- roomNumber A 0.9.2342.19200300.100.1.6
- secretary A 0.9.2342.19200300.100.1.21
- simpleSecurityObject O 0.9.2342.19200300.100.4.19
- singleLevelQuality A 0.9.2342.19200300.100.1.50
- uniqueIdentifier A 0.9.2342.19200300.100.1.44
- userClass A 0.9.2342.19200300.100.1.8
-
- where Type A is Attribute, Type O is ObjectClass, and *
- indicates that the registration is historic in nature.
-
-6. Acknowledgements
-
- This document is based on RFC 1274, by Paul Barker and Steve Kille,
- as well as on RFC 2247, by Steve Kill, Mark Wahl, Al Grimstad, Rick
- Huber, and Sri Satulari.
-
-7. References
-
-7.1. Normative References
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and
- facilities", STD 13, RFC 1034, November 1987.
-
- [RFC1123] Braden, R., "Requirements for Internet Hosts -
- Application and Support", STD 3, RFC 1123, October
- 1989.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-
-
-
-
-Zeilenga Standards Track [Page 20]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S.
- Sataluri, "Using Domains in LDAP/X.500 Distinguished
- Names", RFC 2247, January 1998.
-
- [RFC2821] Klensin, J., Ed., "Simple Mail Transfer Protocol", RFC
- 2821, April 2001.
-
- [RFC2822] Resnick, P., "Internet Message Format", RFC 2822, April
- 2001.
-
- [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
- "Internationalizing Domain Names in Applications
- (IDNA)", RFC 3490, March 2003.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4513] Harrison, R., "Lightweight Directory Access Protocol
- (LDAP): Authentication Methods and Security
- Mechanisms", RFC 4513, June 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RC 4517, June
- 2006.
-
- [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access
- Protocol (LDAP): Schema for User Applications", RFC
- 4519, June 2006.
-
- [X.501] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Models," X.501(1993) (also ISO/IEC 9594-
- 2:1994).
-
-7.2. Informative References
-
- [COSINEpilot] Goodman, D., "PARADISE" section of the March 1991
- INTERNET MONTHLY REPORTS (p. 28-29),
- http://www.iana.org/periodic-reports/imr-mar91.txt
-
-
-
-
-Zeilenga Standards Track [Page 21]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
- [ISO3166] International Organization for Standardization, "Codes
- for the representation of names of countries", ISO
- 3166.
-
- [RFC1274] Barker, P. and S. Kille, "The COSINE and Internet X.500
- Schema", RFC 1274, November 1991.
-
- [RFC1279] Hardcastle-Kille, S., "X.500 and Domains", RFC 1279,
- November 1991.
-
- [RFC1487] Yeong, W., Howes, T., and S. Kille, "X.500 Lightweight
- Directory Access Protocol", RFC 1487, July 1993.
-
- [RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight
- Directory Access Protocol (v3)", RFC 2251, December
- 1997.
-
- [RFC2798] Smith, M., "Definition of the inetOrgPerson LDAP Object
- Class", RFC 2798, April 2000.
-
- [RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol
- version 2 (LDAPv2) to Historic Status", RFC 3494, March
- 2003.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 22]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
-Appendix A. Changes since RFC 1274
-
- This document represents a substantial rewrite of RFC 1274. The
- following sections summarize the substantive changes.
-
-A.1. LDAP Short Names
-
- A number of COSINE attribute types have short names in LDAP.
-
- X.500 Name LDAP Short Name
- ------------- ---------------
- domainComponent dc
- favoriteDrink drink
- friendCountryName co
- homeTelephoneNumber homePhone
- mobileTelephoneNumber mobile
- pagerTelephoneNumber pager
- rfc822Mailbox mail
- userid uid
-
- While the LDAP short names are generally used in LDAP, some
- implementations may (for legacy reasons [RFC3494]) recognize the
- attribute type by its X.500 name. Hence, the X.500 names have been
- reserved solely for this purpose.
-
- Note: 'uid' and 'dc' are described in [RFC4519].
-
-A.2. pilotObject
-
- The 'pilotObject' object class was not brought forward as its
- function is largely replaced by operational attributes introduced in
- X.500(93) [X.501] and version 3 of LDAP [RFC4512]. For instance, the
- function of the 'lastModifiedBy' and 'lastModifiedTime' attribute
- types is now served by the 'creatorsName', 'createTimestamp',
- 'modifiersName', and 'modifyTimestamp' operational attributes
- [RFC4512].
-
-A.3. pilotPerson
-
- The 'pilotPerson' object class was not brought forward as its
- function is largely replaced by the 'organizationalPerson' [RFC4512]
- object class and its subclasses, such as 'inetOrgPerson' [RFC2798].
-
- Most of the related attribute types (e.g., 'mail', 'manager') were
- brought forward as they are used in other object classes.
-
-
-
-
-
-
-Zeilenga Standards Track [Page 23]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
-A.4. dNSDomain
-
- The 'dNSDomain' object class and related attribute types were not
- brought forward as its use is primarily experimental [RFC1279].
-
-A.5. pilotDSA and qualityLabelledData
-
- The 'pilotDSA' and 'qualityLabelledData' object classes, as well as
- related attribute types, were not brought forward as its use is
- primarily experimental [QoS].
-
-A.6. Attribute Syntaxes
-
- RFC 1274 defined and used caseIgnoreIA5StringSyntax attribute syntax.
- This has been replaced with the IA5String syntax and appropriate
- matching rules in 'mail' and 'associatedDomain'.
-
- RFC 1274 restricted 'mail' to have non-zero length values. This
- restriction is not reflected in the IA5String syntax used in the
- definitions provided in this specification. However, as values are
- to conform to the <Mailbox> production, the 'mail' should not contain
- zero-length values. Unfortunately, the directory service will not
- enforce this restriction.
-
-Appendix B. Changes since RFC 2247
-
- The 'domainNameForm' name form was not brought forward as
- specification of name forms used in LDAP is left to a future
- specification.
-
-Editor's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 24]
-�
-RFC 4524 COSINE LDAP/X.500 Schema June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 25]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4525.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4525.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4525.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4525 OpenLDAP Foundation
-Category: Informational June 2006
-
-
- Lightweight Directory Access Protocol (LDAP)
- Modify-Increment Extension
-
-
-Status of This Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes an extension to the Lightweight Directory
- Access Protocol (LDAP) Modify operation to support an increment
- capability. This extension is useful in provisioning applications,
- especially when combined with the assertion control and/or the pre-
- read or post-read control extension.
-
-Table of Contents
-
- 1. Background and Intended Use .....................................1
- 2. The Modify-Increment Extension ..................................2
- 3. LDIF Support ....................................................2
- 4. Security Considerations .........................................3
- 5. IANA Considerations .............................................3
- 5.1. Object Identifier ..........................................3
- 5.2. LDAP Protocol Mechanism ....................................3
- 5.3. LDAP Protocol Mechanism ....................................4
- 6. References ......................................................4
- 6.1. Normative References .......................................4
- 6.2. Informative References .....................................5
-
-1. Background and Intended Use
-
- The Lightweight Directory Access Protocol (LDAP) [RFC4510] does not
- currently provide an operation to increment values of an attribute.
- A client must read the values of the attribute and then modify those
- values to increment them by the desired amount. As the values may be
- updated by other clients between this add and modify, the client must
-
-
-
-Zeilenga Informational [Page 1]
-�
-RFC 4525 LDAP Modify-Increment Extension June 2006
-
-
- be careful to construct the modify request so that it fails in this
- case, and upon failure, to re-read the values and construct a new
- modify request.
-
- This document extends the LDAP Modify Operation [RFC4511] to support
- an increment values capability. This feature is intended to be used
- with either the LDAP pre-read or post-read control extensions
- [RFC4527]. This feature may also be used with the LDAP assertion
- control extension [RFC4528] to provide test-and-increment
- functionality.
-
- In this document key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
- "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
- "OPTIONAL" are to be interpreted as described in BCP 14 [RFC2119].
-
-2. The Modify-Increment Extension
-
- This document extends the LDAP Modify request to support a increment
- values capability. Implementations of this extension SHALL support
- an additional ModifyRequest operation enumeration value increment
- (3), as described herein. Implementations not supporting this
- extension will treat this value as they would an unlisted value,
- e.g., as a protocol error.
-
- The increment (3) operation value specifies that an increment values
- modification is requested. All existing values of the modification
- attribute are to be incremented by the listed value. The
- modification attribute must be appropriate for the request (e.g., it
- must have INTEGER or other increment-able values), and the
- modification must provide one and only one value. If the attribute
- is not appropriate for the request, a constraintViolation or other
- appropriate error is to be returned. If multiple values are
- provided, a protocolError is to be returned.
-
- Servers supporting this feature SHOULD publish the object identifier
- (OID) 1.3.6.1.1.14 as a value of the 'supportedFeatures' [RFC4512]
- attribute in the root DSE. Clients supporting this feature SHOULD
- NOT use the feature unless they know the server supports it.
-
-3. LDIF Support
-
- To represent Modify-Increment requests in LDAP Data Interchange
- Format [RFC2849], the ABNF [RFC4234] production <mod-spec> is
- extended as follows:
-
- mod-spec =/ "increment:" FILL AttributeDescription SEP
- attrval-spec "-" SEP
-
-
-
-
-Zeilenga Informational [Page 2]
-�
-RFC 4525 LDAP Modify-Increment Extension June 2006
-
-
- For example,
-
- # Increment uidNumber
- dn: cn=max-assigned uidNumber,dc=example,dc=com
- changetype: modify
- increment: uidNumber
- uidNumber: 1
- -
-
- This LDIF fragment represents a Modify request to increment the
- value(s) of uidNumber by 1.
-
-4. Security Considerations
-
- General LDAP security considerations [RFC4510], as well as those
- specific to the LDAP Modify [RFC4511], apply to this Modify-Increment
- extension. Beyond these considerations, it is noted that
- introduction of this extension should reduce application complexity
- (by providing one operation for what presently requires multiple
- operations) and, hence, it may aid in the production of correct and
- secure implementations.
-
-5. IANA Considerations
-
- Registration of the following values [RFC4520] have been completed.
-
-5.1. Object Identifier
-
- The IANA has assigned an LDAP Object Identifier to identify the LDAP
- Modify-Increment feature, as defined in this document.
-
- Subject: Request for LDAP Object Identifier Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Specification: RFC 4525
- Author/Change Controller: Author
- Comments:
- Identifies the LDAP Modify-Increment feature
-
-5.2. LDAP Protocol Mechanism
-
- The following LDAP Protocol Mechanism has been registered.
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: 1.3.6.1.1.14
- Description: Modify-Increment
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
-
-
-
-Zeilenga Informational [Page 3]
-�
-RFC 4525 LDAP Modify-Increment Extension June 2006
-
-
- Usage: Feature
- Specification: RFC 4525
- Author/Change Controller: Kurt Zeilenga <kurt at openldap.org>
- Comments: none
-
-5.3. LDAP Protocol Mechanism
-
- The IANA has assigned an LDAP ModifyRequest Operation Type (3)
- [RFC4520] for use in this document.
-
- Subject: Request for LDAP Protocol Mechanism Registration
- ModifyRequest Operation Name: increment
- Description: Modify-Increment
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
- Usage: Feature
- Specification: RFC 4525
- Author/Change Controller: Kurt Zeilenga <kurt at openldap.org>
- Comments: none
-
-6. References
-
-6.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC2849] Good, G., "The LDAP Data Interchange Format (LDIF) -
- Technical Specification", RFC 2849, June 2000.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
-
-
-
-
-
-
-
-Zeilenga Informational [Page 4]
-�
-RFC 4525 LDAP Modify-Increment Extension June 2006
-
-
-6.2. Informative References
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [RFC4527] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) Read Entry Controls", RFC 4527, June 2006.
-
- [RFC4528] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) Assertion Control", RFC 4528, June 2006.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Informational [Page 5]
-�
-RFC 4525 LDAP Modify-Increment Extension June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Informational [Page 6]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4526.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4526.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4526.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,283 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4526 OpenLDAP Foundation
-Category: Standards Track June 2006
-
-
- Lightweight Directory Access Protocol (LDAP)
- Absolute True and False Filters
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document extends the Lightweight Directory Access Protocol
- (LDAP) to support absolute True and False filters based upon similar
- capabilities found in X.500 directory systems. The document also
- extends the String Representation of LDAP Search Filters to support
- these filters.
-
-Table of Contents
-
- 1. Background ......................................................1
- 2. Absolute True and False Filters .................................2
- 3. Security Considerations .........................................2
- 4. IANA Considerations .............................................3
- 5. References ......................................................3
- 5.1. Normative References .......................................3
- 5.2. Informative References .....................................3
-
-1. Background
-
- The X.500 Directory Access Protocol (DAP) [X.511] supports absolute
- True and False assertions. An 'and' filter with zero elements always
- evaluates to True. An 'or' filter with zero elements always
- evaluates to False. These filters are commonly used when requesting
- DSA-specific Entries (DSEs) that do not necessarily have
- 'objectClass' attributes; that is, where "(objectClass=*)" may
- evaluate to False.
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4526 LDAP Absolute True and False Filters June 2006
-
-
- Although LDAPv2 [RFC1777][RFC3494] placed no restriction on the
- number of elements in 'and' and 'or' filter sets, the LDAPv2 string
- representation [RFC1960][RFC3494] could not represent empty 'and' and
- 'or' filter sets. Due to this, absolute True or False filters were
- (unfortunately) eliminated from LDAPv3 [RFC4510].
-
- This documents extends LDAPv3 to support absolute True and False
- assertions by allowing empty 'and' and 'or' in Search filters
- [RFC4511] and extends the filter string representation [RFC4515] to
- allow empty filter lists.
-
- It is noted that certain search operations, such as those used to
- retrieve subschema information [RFC4512], require use of particular
- filters. This document does not change these requirements.
-
- This feature is intended to allow a more direct mapping between DAP
- and LDAP (as needed to implement DAP-to-LDAP gateways).
-
- In this document, the key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" are to be interpreted as described in BCP 14
- [RFC2119].
-
-2. Absolute True and False Filters
-
- Implementations of this extension SHALL allow 'and' and 'or' choices
- with zero filter elements.
-
- An 'and' filter consisting of an empty set of filters SHALL evaluate
- to True. This filter is represented by the string "(&)".
-
- An 'or' filter consisting of an empty set of filters SHALL evaluate
- to False. This filter is represented by the string "(|)".
-
- Servers supporting this feature SHOULD publish the Object Identifier
- 1.3.6.1.4.1.4203.1.5.3 as a value of the 'supportedFeatures'
- [RFC4512] attribute in the root DSE.
-
- Clients supporting this feature SHOULD NOT use the feature unless
- they know that the server supports it.
-
-3. Security Considerations
-
- The (re)introduction of absolute True and False filters is not
- believed to raise any new security considerations.
-
- Implementors of this (or any) LDAPv3 extension should be familiar
- with general LDAPv3 security considerations [RFC4510].
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4526 LDAP Absolute True and False Filters June 2006
-
-
-4. IANA Considerations
-
- Registration of this feature has been completed by the IANA
- [RFC4520].
-
- Subject: Request for LDAP Protocol Mechanism Registration Object
- Identifier: 1.3.6.1.4.1.4203.1.5.3 Description: True/False filters
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org> Usage: Feature Specification:
- RFC 4526 Author/Change Controller: IESG Comments: none
-
- This OID was assigned [ASSIGN] by OpenLDAP Foundation, under its
- IANA-assigned private enterprise allocation [PRIVATE], for use in
- this specification.
-
-5. References
-
-5.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC4510] Zeilenga, K., Ed, "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4515] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): String Representation of Search
- Filters", RFC 4515, June 2006.
-
-5.2. Informative References
-
- [RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight
- Directory Access Protocol", RFC 1777, March 1995.
-
- [RFC1960] Howes, T., "A String Representation of LDAP Search
- Filters", RFC 1960, June 1996.
-
- [RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol
- version 2 (LDAPv2) to Historic Status", RFC 3494, March
- 2003.
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4526 LDAP Absolute True and False Filters June 2006
-
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [X.500] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Overview of concepts, models and
- services," X.500(1993) (also ISO/IEC 9594-1:1994).
-
- [X.501] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Models," X.501(1993) (also ISO/IEC 9594-
- 2:1994).
-
- [X.511] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory: Abstract Service Definition", X.511(1993)
- (also ISO/IEC 9594-3:1993).
-
- [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
- http://www.openldap.org/foundation/oid-delegate.txt.
-
- [PRIVATE] IANA, "Private Enterprise Numbers",
- http://www.iana.org/assignments/enterprise-numbers.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4526 LDAP Absolute True and False Filters June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4527.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4527.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4527.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4527 OpenLDAP Foundation
-Category: Standards Track June 2006
-
-
- Lightweight Directory Access Protocol (LDAP)
- Read Entry Controls
-
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document specifies an extension to the Lightweight Directory
- Access Protocol (LDAP) to allow the client to read the target entry
- of an update operation. The client may request to read the entry
- before and/or after the modifications are applied. These reads are
- done as an atomic part of the update operation.
-
-Table of Contents
-
- 1. Background and Intent of Use ....................................2
- 2. Terminology .....................................................2
- 3. Read Entry Controls .............................................3
- 3.1. The Pre-Read Controls ......................................3
- 3.2. The Post-Read Controls .....................................3
- 4. Interaction with Other Controls .................................4
- 5. Security Considerations .........................................4
- 6. IANA Considerations .............................................5
- 6.1. Object Identifier ..........................................5
- 6.2. LDAP Protocol Mechanisms ...................................5
- 7. Acknowledgement .................................................5
- 8. References ......................................................6
- 8.1. Normative References .......................................6
- 8.2. Informative References .....................................7
-
-
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4527 LDAP Read Entry Controls June 2006
-
-
-1. Background and Intent of Use
-
- This document specifies an extension to the Lightweight Directory
- Access Protocol (LDAP) [RFC4510] to allow the client to read the
- target entry of an update operation (e.g., Add, Delete, Modify,
- ModifyDN). The extension utilizes controls [RFC4511] attached to
- update requests to request and return copies of the target entry.
- One request control, called the Pre-Read request control, indicates
- that a copy of the entry before application of update is to be
- returned. Another control, called the Post-Read request control,
- indicates that a copy of the entry after application of the update is
- to be returned. Each request control has a corresponding response
- control used to return the entry.
-
- To ensure proper isolation, the controls are processed as an atomic
- part of the update operation.
-
- The functionality offered by these controls is based upon similar
- functionality in the X.500 Directory Access Protocol (DAP) [X.511].
-
- The Pre-Read controls may be used to obtain replaced or deleted
- values of modified attributes or a copy of the entry being deleted.
-
- The Post-Read controls may be used to obtain values of operational
- attributes, such as the 'entryUUID' [RFC4530] and 'modifyTimestamp'
- [RFC4512] attributes, updated by the server as part of the update
- operation.
-
-2. Terminology
-
- Protocol elements are described using ASN.1 [X.680] with implicit
- tags. The term "BER-encoded" means the element is to be encoded
- using the Basic Encoding Rules [X.690] under the restrictions
- detailed in Section 5.1 of [RFC4511].
-
- DN stands for Distinguished Name.
- DSA stands for Directory System Agent (i.e., a directory server).
- DSE stands for DSA-specific Entry.
-
- In this document, the key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" are to be interpreted as described in BCP 14
- [RFC2119].
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4527 LDAP Read Entry Controls June 2006
-
-
-3. Read Entry Controls
-
-3.1. The Pre-Read Controls
-
- The Pre-Read request and response controls are identified by the
- 1.3.6.1.1.13.1 object identifier. Servers implementing these
- controls SHOULD publish 1.3.6.1.1.13.1 as a value of the
- 'supportedControl' [RFC4512] in their root DSE.
-
- The Pre-Read request control is a LDAP Control [RFC4511] whose
- controlType is 1.3.6.1.1.13.1 and whose controlValue is a BER-encoded
- AttributeSelection [RFC4511], as extended by [RFC3673]. The
- criticality may be TRUE or FALSE. This control is appropriate for
- the modifyRequest, delRequest, and modDNRequest LDAP messages.
-
- The corresponding response control is a LDAP Control whose
- controlType is 1.3.6.1.1.13.1 and whose the controlValue, an OCTET
- STRING, contains a BER-encoded SearchResultEntry. The criticality
- may be TRUE or FALSE. This control is appropriate for the
- modifyResponse, delResponse, and modDNResponse LDAP messages with a
- resultCode of success (0).
-
- When the request control is attached to an appropriate update LDAP
- request, the control requests the return of a copy of the target
- entry prior to the application of the update. The AttributeSelection
- indicates, as discussed in [RFC4511][RFC3673], which attributes are
- requested to appear in the copy. The server is to return a
- SearchResultEntry containing, subject to access controls and other
- constraints, values of the requested attributes.
-
- The normal processing of the update operation and the processing of
- this control MUST be performed as one atomic action isolated from
- other update operations.
-
- If the update operation fails (in either normal or control
- processing), no Pre-Read response control is provided.
-
-3.2. The Post-Read Controls
-
- The Post-Read request and response controls are identified by the
- 1.3.6.1.1.13.2 object identifier. Servers implementing these
- controls SHOULD publish 1.3.6.1.1.13.2 as a value of the
- 'supportedControl' [RFC4512] in their root DSE.
-
- The Post-Read request control is a LDAP Control [RFC4511] whose
- controlType is 1.3.6.1.1.13.2 and whose controlValue, an OCTET
- STRING, contains a BER-encoded AttributeSelection [RFC4511], as
- extended by [RFC3673]. The criticality may be TRUE or FALSE. This
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4527 LDAP Read Entry Controls June 2006
-
-
- control is appropriate for the addRequest, modifyRequest, and
- modDNRequest LDAP messages.
-
- The corresponding response control is a LDAP Control whose
- controlType is 1.3.6.1.1.13.2 and whose controlValue is a BER-encoded
- SearchResultEntry. The criticality may be TRUE or FALSE. This
- control is appropriate for the addResponse, modifyResponse, and
- modDNResponse LDAP messages with a resultCode of success (0).
-
- When the request control is attached to an appropriate update LDAP
- request, the control requests the return of a copy of the target
- entry after the application of the update. The AttributeSelection
- indicates, as discussed in [RFC4511][RFC3673], which attributes are
- requested to appear in the copy. The server is to return a
- SearchResultEntry containing, subject to access controls and other
- constraints, values of the requested attributes.
-
- The normal processing of the update operation and the processing of
- this control MUST be performed as one atomic action isolated from
- other update operations.
-
- If the update operation fails (in either normal or control
- processing), no Post-Read response control is provided.
-
-4. Interaction with Other Controls
-
- The Pre-Read and Post-Read controls may be combined with each other
- and/or with a variety of other controls. When combined with the
- assertion control [RFC4528] and/or the manageDsaIT control [RFC3296],
- the semantics of each control included in the combination applies.
- The Pre-Read and Post-Read controls may be combined with other
- controls as detailed in other technical specifications.
-
-5. Security Considerations
-
- The controls defined in this document extend update operations to
- support read capabilities. Servers MUST ensure that the client is
- authorized for reading of the information provided in this control
- and that the client is authorized to perform the requested directory
- update.
-
- Security considerations for the update operations [RFC4511] extended
- by this control, as well as general LDAP security considerations
- [RFC4510], generally apply to implementation and use of this
- extension
-
-
-
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4527 LDAP Read Entry Controls June 2006
-
-
-6. IANA Considerations
-
- Registration of the following protocol values [RFC4520] have been
- completed by the IANA.
-
-6.1. Object Identifier
-
- The IANA has registered an LDAP Object Identifier to identify LDAP
- protocol elements defined in this document.
-
- Subject: Request for LDAP Object Identifier Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Specification: RFC 4527
- Author/Change Controller: IESG
- Comments: Identifies the LDAP Read Entry Controls
-
-6.2. LDAP Protocol Mechanisms
-
- The IANA has registered the LDAP Protocol Mechanism described in this
- document.
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: 1.3.6.1.1.13.1
- Description: LDAP Pre-read Control
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
- Usage: Control
- Specification: RFC 4527
- Author/Change Controller: IESG
- Comments: none
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: 1.3.6.1.1.13.2
- Description: LDAP Post-read Control
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
- Usage: Control
- Specification: RFC 4527
- Author/Change Controller: IESG
- Comments: none
-
-7. Acknowledgement
-
- The LDAP Pre-Read and Post-Read controls are modeled after similar
- capabilities offered in the DAP [X.511].
-
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4527 LDAP Read Entry Controls June 2006
-
-
-8. References
-
-8.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3296] Zeilenga, K., "Named Subordinate References in
- Lightweight Directory Access Protocol (LDAP)
- Directories", RFC 3296, July 2002.
-
- [RFC3673] Zeilenga, K., "Lightweight Directory Access Protocol
- version 3 (LDAPv3): All Operational Attributes", RFC
- 3673, December 2003.
-
- [RFC4510] Zeilenga, K., Ed, "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4528] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) Assertion Control", RFC 4528, June 2006.
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(1997) (also ISO/IEC 8824-1:1998).
-
- [X.690] International Telecommunication Union -
- Telecommunication Standardization Sector,
- "Specification of ASN.1 encoding rules: Basic Encoding
- Rules (BER), Canonical Encoding Rules (CER), and
- Distinguished Encoding Rules (DER)", X.690(1997) (also
- ISO/IEC 8825-1:1998).
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4527 LDAP Read Entry Controls June 2006
-
-
-8.2. Informative References
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [RFC4530] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) EntryUUID Operational Attribute", RFC 4530, June
- 2006.
-
- [X.511] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory: Abstract Service Definition", X.511(1993)
- (also ISO/IEC 9594-3:1993).
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 4527 LDAP Read Entry Controls June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 8]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4528.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4528.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4528.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4528 OpenLDAP Foundation
-Category: Standards Track June 2006
-
-
- Lightweight Directory Access Protocol (LDAP)
- Assertion Control
-
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document defines the Lightweight Directory Access Protocol
- (LDAP) Assertion Control, which allows a client to specify that a
- directory operation should only be processed if an assertion applied
- to the target entry of the operation is true. It can be used to
- construct "test and set", "test and clear", and other conditional
- operations.
-
-Table of Contents
-
- 1. Overview ........................................................2
- 2. Terminology .....................................................2
- 3. The Assertion Control ...........................................2
- 4. Security Considerations .........................................3
- 5. IANA Considerations .............................................4
- 5.1. Object Identifier ..........................................4
- 5.2. LDAP Protocol Mechanism ....................................4
- 5.3. LDAP Result Code ...........................................4
- 6. Acknowledgements ................................................5
- 7. References ......................................................5
- 7.1. Normative References .......................................5
- 7.2. Informative References .....................................5
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4528 LDAP Assertion Control June 2006
-
-
-1. Overview
-
- This document defines the Lightweight Directory Access Protocol
- (LDAP) [RFC4510] assertion control. The assertion control allows the
- client to specify a condition that must be true for the operation to
- be processed normally. Otherwise, the operation is not performed.
- For instance, the control can be used with the Modify operation
- [RFC4511] to perform atomic "test and set" and "test and clear"
- operations.
-
- The control may be attached to any update operation to support
- conditional addition, deletion, modification, and renaming of the
- target object. The asserted condition is evaluated as an integral
- part the operation.
-
- The control may also be used with the search operation. Here, the
- assertion is applied to the base object of the search before
- searching for objects that match the search scope and filter.
-
- The control may also be used with the compare operation. Here, it
- extends the compare operation to allow a more complex assertion.
-
-2. Terminology
-
- Protocol elements are described using ASN.1 [X.680] with implicit
- tags. The term "BER-encoded" means the element is to be encoded
- using the Basic Encoding Rules [X.690] under the restrictions
- detailed in Section 5.1 of [RFC4511].
-
- DSA stands for Directory System Agent (or server).
- DSE stands for DSA-specific Entry.
-
- In this document, the key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" are to be interpreted as described in BCP 14
- [RFC2119].
-
-3. The Assertion Control
-
- The assertion control is an LDAP Control [RFC4511] whose controlType
- is 1.3.6.1.1.12 and whose controlValue is a BER-encoded Filter
- [Protocol, Section 4.5.1]. The criticality may be TRUE or FALSE.
- There is no corresponding response control.
-
- The control is appropriate for both LDAP interrogation and update
- operations [RFC4511], including Add, Compare, Delete, Modify,
- ModifyDN (rename), and Search. It is inappropriate for Abandon,
- Bind, Unbind, and StartTLS operations.
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4528 LDAP Assertion Control June 2006
-
-
- When the control is attached to an LDAP request, the processing of
- the request is conditional on the evaluation of the Filter as applied
- against the target of the operation. If the Filter evaluates to
- TRUE, then the request is processed normally. If the Filter
- evaluates to FALSE or Undefined, then assertionFailed (122)
- resultCode is returned, and no further processing is performed.
-
- For Add, Compare, and ModifyDN operations, the target is indicated by
- the entry field in the request. For Modify operations, the target is
- indicated by the object field. For Delete operations, the target is
- indicated by the DelRequest type. For Compare operations and all
- update operations, the evaluation of the assertion MUST be performed
- as an integral part of the operation. That is, the evaluation of the
- assertion and the normal processing of the operation SHALL be done as
- one atomic action.
-
- For Search operations, the target is indicated by the baseObject
- field, and the evaluation is done after "finding" but before
- "searching" [RFC4511]. Hence, no entries or continuations references
- are returned if the assertion fails.
-
- Servers implementing this technical specification SHOULD publish the
- object identifier 1.3.6.1.1.12 as a value of the 'supportedControl'
- attribute [RFC4512] in their root DSE. A server MAY choose to
- advertise this extension only when the client is authorized to use
- it.
-
- Other documents may specify how this control applies to other LDAP
- operations. In doing so, they must state how the target entry is
- determined.
-
-4. Security Considerations
-
- The filter may, like other components of the request, contain
- sensitive information. When it does, this information should be
- appropriately protected.
-
- As with any general assertion mechanism, the mechanism can be used to
- determine directory content. Hence, this mechanism SHOULD be subject
- to appropriate access controls.
-
- Some assertions may be very complex, requiring significant time and
- resources to evaluate. Hence, this mechanism SHOULD be subject to
- appropriate administrative controls.
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4528 LDAP Assertion Control June 2006
-
-
- Security considerations for the base operations [RFC4511] extended by
- this control, as well as general LDAP security considerations
- [RFC4510], generally apply to implementation and use of this
- extension.
-
-5. IANA Considerations
-
-5.1. Object Identifier
-
- The IANA has assigned an LDAP Object Identifier [RFC4520] to identify
- the LDAP Assertion Control defined in this document.
-
- Subject: Request for LDAP Object Identifier Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Specification: RFC 4528
- Author/Change Controller: IESG
- Comments:
- Identifies the LDAP Assertion Control
-
-5.2. LDAP Protocol Mechanism
-
- Registration of this protocol mechanism [RFC4520] is requested.
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: 1.3.6.1.1.12
- Description: Assertion Control
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
- Usage: Control
- Specification: RFC 4528
- Author/Change Controller: IESG
- Comments: none
-
-5.3. LDAP Result Code
-
- The IANA has assigned an LDAP Result Code [RFC4520] called
- 'assertionFailed' (122).
-
- Subject: LDAP Result Code Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Result Code Name: assertionFailed
- Specification: RFC 4528
- Author/Change Controller: IESG
- Comments: none
-
-
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4528 LDAP Assertion Control June 2006
-
-
-6. Acknowledgements
-
- The assertion control concept is attributed to Morteza Ansari.
-
-7. References
-
-7.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
-
- [X.690] International Telecommunication Union -
- Telecommunication Standardization Sector,
- "Specification of ASN.1 encoding rules: Basic Encoding
- Rules (BER), Canonical Encoding Rules (CER), and
- Distinguished Encoding Rules (DER)", X.690(2002) (also
- ISO/IEC 8825-1:2002).
-
-7.2. Informative References
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4528 LDAP Assertion Control June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4529.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4529.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4529.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4529 OpenLDAP Foundation
-Category: Informational June 2006
-
-
- Requesting Attributes by Object Class in the
- Lightweight Directory Access Protocol (LDAP)
-
-Status of This Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- The Lightweight Directory Access Protocol (LDAP) search operation
- provides mechanisms for clients to request all user application
- attributes, all operational attributes, and/or attributes selected by
- their description. This document extends LDAP to support a mechanism
- that LDAP clients may use to request the return of all attributes of
- an object class.
-
-Table of Contents
-
- 1. Background and Intended Use .....................................1
- 2. Terminology .....................................................2
- 3. Return of all Attributes of an Object Class .....................2
- 4. Security Considerations .........................................3
- 5. IANA Considerations .............................................3
- 6. References ......................................................4
- 6.1. Normative References .......................................4
- 6.2. Informative References .....................................4
-
-1. Background and Intended Use
-
- In the Lightweight Directory Access Protocol (LDAP) [RFC4510], the
- search operation [RFC4511] supports requesting the return of a set of
- attributes. This set is determined by a list of attribute
- descriptions. Two special descriptors are defined to request all
- user attributes ("*") [RFC4511] and all operational attributes ("+")
- [RFC3673]. However, there is no convenient mechanism for requesting
- pre-defined sets of attributes such as the set of attributes used to
- represent a particular class of object.
-
-
-
-Zeilenga Informational [Page 1]
-�
-RFC 4529 Requesting Attributes by Object Class June 2006
-
-
- This document extends LDAP to allow an object class identifier to be
- specified in attributes lists, such as in Search requests, to request
- the return of all attributes belonging to an object class. The
- COMMERCIAL AT ("@", U+0040) character is used to distinguish an
- object class identifier from an attribute descriptions.
-
- For example, the attribute list of "@country" is equivalent to the
- attribute list of 'c', 'searchGuide', 'description', and
- 'objectClass'. This object class is described in [RFC4519].
-
- This extension is intended primarily to be used where the user is in
- direct control of the parameters of the LDAP search operation, for
- instance when entering an LDAP URL [RFC4516] into a web browser, such
- as <ldap:///dc=example,dc=com?@organization?base>.
-
-2. Terminology
-
- In this document, the key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" are to be interpreted as described in BCP 14
- [RFC2119].
-
- DSA stands for Directory System Agent (or server).
- DSE stands for DSA-specific Entry.
-
-3. Return of All Attributes of an Object Class
-
- This extension allows object class identifiers to be provided in the
- attributes field of the LDAP SearchRequest [RFC4511] or other request
- values of the AttributeSelection data type (e.g., attributes field in
- pre/post read controls [ReadEntry]) and/or <attributeSelector>
- production (e.g., attributes of an LDAP URL [RFC4516]). For each
- object class identified in the attributes field, the request is to be
- treated as if each attribute allowed by that class (by "MUST" or
- "MAY", directly or by "SUP"erior) [RFC4512] were itself listed.
-
- This extension extends the <attributeSelector> [RFC4511] production
- as indicated by the following ABNF [RFC4234]:
-
- attributeSelector =/ objectclassdescription
- objectclassdescription = ATSIGN oid options
- ATSIGN = %x40 ; COMMERCIAL AT ("@" U+0040)
-
- where <oid> and <options> productions are as defined in [RFC4512].
-
-
-
-
-
-
-
-Zeilenga Informational [Page 2]
-�
-RFC 4529 Requesting Attributes by Object Class June 2006
-
-
- The <oid> component of an <objectclassdescription> production
- identifies the object class by short name (descr) or object
- identifier (numericoid). If the value of the <oid> component is
- unrecognized or does not refer to an object class, the object class
- description is to be treated as an unrecognized attribute
- description.
-
- The <options> production is included in the grammar for extensibility
- purposes. An object class description with an unrecognized or
- inappropriate option is to be treated as unrecognized.
-
- Although object class description options and attribute description
- options share the same syntax, they are not semantically related.
- This document does not define any object description option.
-
- Servers supporting this feature SHOULD publish the object identifier
- (OID) 1.3.6.1.4.1.4203.1.5.2 as a value of the 'supportedFeatures'
- [RFC4512] attribute in the root DSE. Clients supporting this feature
- SHOULD NOT use the feature unless they know that the server supports
- it.
-
-4. Security Considerations
-
- This extension provides a shorthand for requesting all attributes of
- an object class. Because these attributes could have been listed
- individually, introduction of this shorthand is not believed to raise
- additional security considerations.
-
- Implementors of this LDAP extension should be familiar with security
- considerations applicable to the LDAP search operation [RFC4511], as
- well as with general LDAP security considerations [RFC4510].
-
-5. IANA Considerations
-
- Registration of the LDAP Protocol Mechanism [RFC4520] defined in this
- document has been completed.
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: 1.3.6.1.4.1.4203.1.5.2
- Description: OC AD Lists
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
- Usage: Feature
- Specification: RFC 4529
- Author/Change Controller: Kurt Zeilenga <kurt at openldap.org>
- Comments: none
-
-
-
-
-
-Zeilenga Informational [Page 3]
-�
-RFC 4529 Requesting Attributes by Object Class June 2006
-
-
- This OID was assigned [ASSIGN] by OpenLDAP Foundation, under its
- IANA-assigned private enterprise allocation [PRIVATE], for use in
- this specification.
-
-6. References
-
-6.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC4234] Crocker, D., Ed. and P. Overell, "Augmented BNF for
- Syntax Specifications: ABNF", RFC 4234, October 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4516] Smith, M., Ed. and T. Howes, "Lightweight Directory
- Access Protocol (LDAP): Uniform Resource Locator", RFC
- 4516, June 2006.
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
-
-6.2. Informative References
-
- [RFC3673] Zeilenga, K., "Lightweight Directory Access Protocol
- version 3 (LDAPv3): All Operational Attributes", RFC
- 3673, December 2003.
-
- [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access
- Protocol (LDAP): Schema for User Applications", RFC
- 4519, June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
-
-
-
-Zeilenga Informational [Page 4]
-�
-RFC 4529 Requesting Attributes by Object Class June 2006
-
-
- [ReadEntry] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) Read Entry Controls", RFC 4527, June 2006.
-
- [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
- http://www.openldap.org/foundation/oid-delegate.txt.
-
- [PRIVATE] IANA, "Private Enterprise Numbers",
- http://www.iana.org/assignments/enterprise-numbers.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Informational [Page 5]
-�
-RFC 4529 Requesting Attributes by Object Class June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Informational [Page 6]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4530.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4530.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4530.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4530 OpenLDAP Foundation
-Category: Standards Track June 2006
-
-
- Lightweight Directory Access Protocol (LDAP)
- entryUUID Operational Attribute
-
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes the LDAP/X.500 'entryUUID' operational
- attribute and associated matching rules and syntax. The attribute
- holds a server-assigned Universally Unique Identifier (UUID) for the
- object. Directory clients may use this attribute to distinguish
- objects identified by a distinguished name or to locate an object
- after renaming.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4530 LDAP entryUUID June 2006
-
-
-Table of Contents
-
- 1. Background and Intended Use .....................................2
- 2. UUID Schema Elements ............................................3
- 2.1. UUID Syntax ................................................3
- 2.2. 'uuidMatch' Matching Rule ..................................3
- 2.3. 'uuidOrderingMatch' Matching Rule ..........................3
- 2.4. 'entryUUID' Attribute ......................................4
- 3. Security Considerations .........................................4
- 4. IANA Considerations .............................................5
- 4.1. Object Identifier Registration .............................5
- 4.2. UUID Syntax Registration ...................................5
- 4.3. 'uuidMatch' Descriptor Registration ........................5
- 4.4. 'uuidOrderingMatch' Descriptor Registration ................5
- 4.5. 'entryUUID' Descriptor Registration ........................6
- 5. Acknowledgements ................................................6
- 6. References ......................................................6
- 6.1. Normative References .......................................6
- 6.2. Informative References .....................................7
-
-1. Background and Intended Use
-
- In X.500 Directory Services [X.501], such as those accessible using
- the Lightweight Directory Access Protocol (LDAP) [RFC4510], an object
- is identified by its distinguished name (DN). However, DNs are not
- stable identifiers. That is, a new object may be identified by a DN
- that previously identified another (now renamed or deleted) object.
-
- A Universally Unique Identifier (UUID) is "an identifier unique
- across both space and time, with respect to the space of all UUIDs"
- [RFC4122]. UUIDs are used in a wide range of systems.
-
- This document describes the 'entryUUID' operational attribute, which
- holds the UUID assigned to the object by the server. Clients may use
- this attribute to distinguish objects identified by a particular
- distinguished name or to locate a particular object after renaming.
-
- This document defines the UUID syntax, the 'uuidMatch' and
- 'uuidOrderingMatch' matching rules, and the 'entryUUID' attribute
- type.
-
- Schema definitions are provided using LDAP description formats
- [RFC4512]. Definitions provided here are formatted (line wrapped)
- for readability.
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4530 LDAP entryUUID June 2006
-
-
- In this document, the key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" are to be interpreted as described in BCP 14
- [RFC2119].
-
-2. UUID Schema Elements
-
-2.1. UUID Syntax
-
- A Universally Unique Identifier (UUID) [RFC4122] is a 16-octet (128-
- bit) value that identifies an object. The ASN.1 [X.680] type UUID is
- defined to represent UUIDs as follows:
-
- UUID ::= OCTET STRING (SIZE(16))
- -- constrained to an UUID [RFC4122]
-
- In LDAP, UUID values are encoded using the [ASCII] character string
- representation described in [RFC4122]. For example,
- "597ae2f6-16a6-1027-98f4-d28b5365dc14".
-
- The following is an LDAP syntax description suitable for publication
- in subschema subentries.
-
- ( 1.3.6.1.1.16.1 DESC 'UUID' )
-
-2.2. 'uuidMatch' Matching Rule
-
- The 'uuidMatch' matching rule compares an asserted UUID with a stored
- UUID for equality. Its semantics are the same as the
- 'octetStringMatch' [X.520][RFC4517] matching rule. The rule differs
- from 'octetStringMatch' in that the assertion value is encoded using
- the UUID string representation instead of the normal OCTET STRING
- string representation.
-
- The following is an LDAP matching rule description suitable for
- publication in subschema subentries.
-
- ( 1.3.6.1.1.16.2 NAME 'uuidMatch'
- SYNTAX 1.3.6.1.1.16.1 )
-
-2.3. 'uuidOrderingMatch' Matching Rule
-
- The 'uuidOrderingMatch' matching rule compares an asserted UUID with
- a stored UUID for ordering. Its semantics are the same as the
- 'octetStringOrderingMatch' [X.520][RFC4517] matching rule. The rule
- differs from 'octetStringOrderingMatch' in that the assertion value
- is encoded using the UUID string representation instead of the normal
- OCTET STRING string representation.
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4530 LDAP entryUUID June 2006
-
-
- The following is an LDAP matching rule description suitable for
- publication in subschema subentries.
-
- ( 1.3.6.1.1.16.3 NAME 'uuidOrderingMatch'
- SYNTAX 1.3.6.1.1.16.1 )
-
- Note that not all UUID variants have a defined ordering; and even
- where it does, servers are not obligated to assign UUIDs in any
- particular order. This matching rule is provided for completeness.
-
-2.4. 'entryUUID' Attribute
-
- The 'entryUUID' operational attribute provides the Universally Unique
- Identifier (UUID) assigned to the entry.
-
- The following is an LDAP attribute type description suitable for
- publication in subschema subentries.
-
- ( 1.3.6.1.1.16.4 NAME 'entryUUID'
- DESC 'UUID of the entry'
- EQUALITY uuidMatch
- ORDERING uuidOrderingMatch
- SYNTAX 1.3.6.1.1.16.1
- SINGLE-VALUE
- NO-USER-MODIFICATION
- USAGE directoryOperation )
-
- Servers SHALL generate and assign a new UUID to each entry upon its
- addition to the directory and provide that UUID as the value of the
- 'entryUUID' operational attribute. An entry's UUID is immutable.
-
- UUID are to be generated in accordance with Section 4 of [RFC4122].
- In particular, servers MUST ensure that each generated UUID is unique
- in space and time.
-
-3. Security Considerations
-
- An entry's relative distinguish name (RDN) is composed from attribute
- values of the entry, which are commonly descriptive of the object the
- entry represents. Although deployers are encouraged to use naming
- attributes whose values are widely disclosable [RFC4514], entries are
- often named using information that cannot be disclosed to all
- parties. As UUIDs do not contain any descriptive information of the
- object they identify, UUIDs may be used to identify a particular
- entry without disclosure of its contents.
-
- General UUID security considerations [RFC4122] apply.
-
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4530 LDAP entryUUID June 2006
-
-
- General LDAP security considerations [RFC4510] apply.
-
-4. IANA Considerations
-
- The IANA has registered the LDAP values [RFC4520] specified in this
- document.
-
-4.1. Object Identifier Registration
-
- Subject: Request for LDAP OID Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Specification: RFC 4530
- Author/Change Controller: IESG
- Comments:
- Identifies the UUID schema elements
-
-4.2. UUID Syntax Registration
-
- Subject: Request for LDAP Syntax Registration
- Object Identifier: 1.3.6.1.1.16.1
- Description: UUID
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Specification: RFC 4530
- Author/Change Controller: IESG
- Comments:
- Identifies the UUID syntax
-
-4.3. 'uuidMatch' Descriptor Registration
-
- Subject: Request for LDAP Descriptor Registration
- Descriptor (short name): uuidMatch
- Object Identifier: 1.3.6.1.1.16.2
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Usage: Matching Rule
- Specification: RFC 4530
- Author/Change Controller: IESG
-
-4.4. 'uuidOrderingMatch' Descriptor Registration
-
- Subject: Request for LDAP Descriptor Registration
- Descriptor (short name): uuidOrderingMatch
- Object Identifier: 1.3.6.1.1.16.3
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Usage: Matching Rule
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4530 LDAP entryUUID June 2006
-
-
- Specification: RFC 4530
- Author/Change Controller: IESG
-
-4.5. 'entryUUID' Descriptor Registration
-
- The IANA has registered the LDAP 'entryUUID' descriptor.
-
- Subject: Request for LDAP Descriptor Registration
- Descriptor (short name): entryUUID
- Object Identifier: 1.3.6.1.1.16.4
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Usage: Attribute Type
- Specification: RFC 4530
- Author/Change Controller: IESG
-
-5. Acknowledgements
-
- This document is based upon discussions in the LDAP Update and
- Duplication Protocols (LDUP) WG. Members of the LDAP Directorate
- provided review.
-
-6. References
-
-6.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
- Unique IDentifier (UUID) URN Namespace", RFC 4122, July
- 2005.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
- (LDAP): Syntaxes and Matching Rules", RFC 4517, June
- 2006.
-
- [ASCII] Coded Character Set--7-bit American Standard Code for
- Information Interchange, ANSI X3.4-1986.
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4530 LDAP entryUUID June 2006
-
-
- [X.501] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory -- Models," X.501(1993) (also ISO/IEC 9594-
- 2:1994).
-
- [X.520] International Telecommunication Union -
- Telecommunication Standardization Sector, "The
- Directory: Selected Attribute Types", X.520(1993) (also
- ISO/IEC 9594-6:1994).
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
-
-6.2. Informative References
-
- [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): String Representation of Distinguished
- Names", RFC 4514, June 2006.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 7]
-�
-RFC 4530 LDAP entryUUID June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 8]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4531.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4531.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4531.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,507 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4531 OpenLDAP Foundation
-Category: Experimental June 2006
-
-
- Lightweight Directory Access Protocol (LDAP)
- Turn Operation
-
-
-Status of This Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. It does not specify an Internet standard of any kind.
- Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This specification describes a Lightweight Directory Access Protocol
- (LDAP) extended operation to reverse (or "turn") the roles of client
- and server for subsequent protocol exchanges in the session, or to
- enable each peer to act as both client and server with respect to the
- other.
-
-Table of Contents
-
- 1. Background and Intent of Use ....................................2
- 1.1. Terminology ................................................2
- 2. Turn Operation ..................................................2
- 2.1. Turn Request ...............................................3
- 2.2. Turn Response ..............................................3
- 3. Authentication ..................................................3
- 3.1. Use with TLS and Simple Authentication .....................4
- 3.2. Use with TLS and SASL EXTERNAL .............................4
- 3.3. Use of Mutual Authentication and SASL EXTERNAL .............4
- 4. TLS and SASL Security Layers ....................................5
- 5. Security Considerations .........................................6
- 6. IANA Considerations .............................................6
- 6.1. Object Identifier ..........................................6
- 6.2. LDAP Protocol Mechanism ....................................7
- 7. References ......................................................7
- 7.1. Normative References .......................................7
- 7.2. Informative References .....................................8
-
-
-
-
-Zeilenga Experimental [Page 1]
-�
-RFC 4531 LDAP Turn Operation June 2006
-
-
-1. Background and Intent of Use
-
- The Lightweight Directory Access Protocol (LDAP) [RFC4510][RFC4511]
- is a client-server protocol that typically operates over reliable
- octet-stream transports, such as the Transport Control Protocol
- (TCP). Generally, the client initiates the stream by connecting to
- the server's listener at some well-known address.
-
- There are cases where it is desirable for the server to initiate the
- stream. Although it certainly is possible to write a technical
- specification detailing how to implement server-initiated LDAP
- sessions, this would require the design of new authentication and
- other security mechanisms to support server-initiated LDAP sessions.
-
- Instead, this document introduces an operation, the Turn operation,
- which may be used to reverse the client-server roles of the protocol
- peers. This allows the initiating protocol peer to become the server
- (after the reversal).
-
- As an additional feature, the Turn operation may be used to allow
- both peers to act in both roles. This is useful where both peers are
- directory servers that desire to request, as LDAP clients, that
- operations be performed by the other. This may be useful in
- replicated and/or distributed environments.
-
- This operation is intended to be used between protocol peers that
- have established a mutual agreement, by means outside of the
- protocol, that requires reversal of client-server roles, or allows
- both peers to act both as client and server.
-
-1.1. Terminology
-
- Protocol elements are described using ASN.1 [X.680] with implicit
- tags. The term "BER-encoded" means the element is to be encoded
- using the Basic Encoding Rules [X.690] under the restrictions
- detailed in Section 5.1 of [RFC4511].
-
-2. Turn Operation
-
- The Turn operation is defined as an LDAP-Extended Operation
- [Protocol, Section 4.12] identified by the 1.3.6.1.1.19 OID. The
- function of the Turn Operation is to request that the client-server
- roles be reversed, or, optionally, to request that both protocol
- peers be able to act both as client and server in respect to the
- other.
-
-
-
-
-
-
-Zeilenga Experimental [Page 2]
-�
-RFC 4531 LDAP Turn Operation June 2006
-
-
-2.1. Turn Request
-
- The Turn request is an ExtendedRequest where the requestName field
- contains the 1.3.6.1.1.19 OID and the requestValue field is a BER-
- encoded turnValue:
-
- turnValue ::= SEQUENCE {
- mutual BOOLEAN DEFAULT FALSE,
- identifier LDAPString
- }
-
- A TRUE mutual field value indicates a request to allow both peers to
- act both as client and server. A FALSE mutual field value indicates
- a request to reserve the client and server roles.
-
- The value of the identifier field is a locally defined policy
- identifier (typically associated with a mutual agreement for which
- this turn is be executed as part of).
-
-2.2. Turn Response
-
- A Turn response is an ExtendedResponse where the responseName and
- responseValue fields are absent. A resultCode of success is returned
- if and only if the responder is willing and able to turn the session
- as requested. Otherwise, a different resultCode is returned.
-
-3. Authentication
-
- This extension's authentication model assumes separate authentication
- of the peers in each of their roles. A separate Bind exchange is
- expected between the peers in their new roles to establish identities
- in these roles.
-
- Upon completion of the Turn, the responding peer in its new client
- role has an anonymous association at the initiating peer in its new
- server role. If the turn was mutual, the authentication association
- of the initiating peer in its pre-existing client role is left intact
- at the responding peer in its pre-existing server role. If the turn
- was not mutual, this association is void.
-
- The responding peer may establish its identity in its client role by
- requesting and successfully completing a Bind operation.
-
- The remainder of this section discusses some authentication
- scenarios. In the protocol exchange illustrations, A refers to the
- initiating peer (the original client) and B refers to the responding
- peer (the original server).
-
-
-
-
-Zeilenga Experimental [Page 3]
-�
-RFC 4531 LDAP Turn Operation June 2006
-
-
-3.1. Use with TLS and Simple Authentication
-
- A->B: StartTLS Request
- B->A: StartTLS(success) Response
- A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
- B->A: Bind(success) Response
- A->B: Turn(TRUE,"XXYYZ") Request
- B->A: Turn(success) Response
- B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
- A->B: Bind(success) Response
-
- In this scenario, TLS (Transport Layer Security) [RFC4346] is started
- and the initiating peer (the original client) establishes its
- identity with the responding peer prior to the Turn using the
- DN/password mechanism of the Simple method of the Bind operation.
- After the turn, the responding peer, in its new client role,
- establishes its identity with the initiating peer in its new server
- role.
-
-3.2. Use with TLS and SASL EXTERNAL
-
- A->B: StartTLS Request
- B->A: StartTLS(success) Response
- A->B: Bind(SASL(EXTERNAL)) Request
- B->A: Bind(success) Response
- A->B: Turn(TRUE,"XXYYZ") Request
- B->A: Turn(success) Response
- B->A: Bind(SASL(EXTERNAL)) Request
- A->B: Bind(success) Response
-
- In this scenario, TLS is started (with each peer providing a valid
- certificate), and the initiating peer (the original client)
- establishes its identity through the use of the EXTERNAL mechanism of
- the SASL (Simple Authentication and Security Layer) [RFC4422] method
- of the Bind operation prior to the Turn. After the turn, the
- responding peer, in its new client role, establishes its identity
- with the initiating peer in its new server role.
-
-3.3. Use of Mutual Authentication and SASL EXTERNAL
-
- A number of SASL mechanisms, such as GSSAPI [SASL-K5], support mutual
- authentication. The initiating peer, in its new server role, may use
- the identity of the responding peer, established by a prior
- authentication exchange, as its source for "external" identity in
- subsequent EXTERNAL exchange.
-
- A->B: Bind(SASL(GSSAPI)) Request
- <intermediate messages>
-
-
-
-Zeilenga Experimental [Page 4]
-�
-RFC 4531 LDAP Turn Operation June 2006
-
-
- B->A: Bind(success) Response
- A->B: Turn(TRUE,"XXYYZ") Request
- B->A: Turn(success) Response
- B->A: Bind(SASL(EXTERNAL)) Request
- A->B: Bind(success) Response
-
- In this scenario, a GSSAPI mutual-authentication exchange is
- completed between the initiating peer (the original client) and the
- responding server (the original server) prior to the turn. After the
- turn, the responding peer, in its new client role, requests that the
- initiating peer utilize an "external" identity to establish its LDAP
- authorization identity.
-
-4. TLS and SASL Security Layers
-
- As described in [RFC4511], LDAP supports both Transport Layer
- Security (TLS) [RFC4346] and Simple Authentication and Security Layer
- (SASL) [RFC4422] security frameworks. The following table
- illustrates the relationship between the LDAP message layer, SASL
- layer, TLS layer, and transport connection within an LDAP session.
-
- +----------------------+
- | LDAP message layer |
- +----------------------+ > LDAP PDUs
- +----------------------+ < data
- | SASL layer |
- +----------------------+ > SASL-protected data
- +----------------------+ < data
- | TLS layer |
- Application +----------------------+ > TLS-protected data
- ------------+----------------------+ < data
- Transport | transport connection |
- +----------------------+
-
- This extension does not alter this relationship, nor does it remove
- the general restriction against multiple TLS layers, nor does it
- remove the general restriction against multiple SASL layers.
-
- As specified in [RFC4511], the StartTLS operation is used to initiate
- negotiation of a TLS layer. If a TLS is already installed, the
- StartTLS operation must fail. Upon establishment of the TLS layer,
- regardless of which peer issued the request to start TLS, the peer
- that initiated the LDAP session (the original client) performs the
- "server identity check", as described in Section 3.1.5 of [RFC4513],
- treating itself as the "client" and its peer as the "server".
-
- As specified in [RFC4422], a newly negotiated SASL security layer
- replaces the installed SASL security layer. Though the client/server
-
-
-
-Zeilenga Experimental [Page 5]
-�
-RFC 4531 LDAP Turn Operation June 2006
-
-
- roles in LDAP, and hence SASL, may be reversed in subsequent
- exchanges, only one SASL security layer may be installed at any
- instance.
-
-5. Security Considerations
-
- Implementors should be aware that the reversing of client/server
- roles and/or allowing both peers to act as client and server likely
- introduces security considerations not foreseen by the authors of
- this document. In particular, the security implications of the
- design choices made in the authentication and data security models
- for this extension (discussed in Sections 3 and 4, respectively) are
- not fully studied. It is hoped that experimentation with this
- extension will lead to better understanding of the security
- implications of these models and other aspects of this extension, and
- that appropriate considerations will be documented in a future
- document. The following security considerations are apparent at this
- time.
-
- Implementors should take special care to process LDAP, SASL, TLS, and
- other events in the appropriate roles for the peers. Note that while
- the Turn reverses the client/server roles with LDAP, and in SASL
- authentication exchanges, it does not reverse the roles within the
- TLS layer or the transport connection.
-
- The responding server (the original server) should restrict use of
- this operation to authorized clients. Client knowledge of a valid
- identifier should not be the sole factor in determining authorization
- to turn.
-
- Where the peers except to establish TLS, TLS should be started prior
- to the Turn and any request to authenticate via the Bind operation.
-
- LDAP security considerations [RFC4511][RFC4513] generally apply to
- this extension.
-
-6. IANA Considerations
-
- The following values [RFC4520] have been registered by the IANA.
-
-6.1. Object Identifier
-
- The IANA has assigned an LDAP Object Identifier to identify the LDAP
- Turn Operation, as defined in this document.
-
-
-
-
-
-
-
-Zeilenga Experimental [Page 6]
-�
-RFC 4531 LDAP Turn Operation June 2006
-
-
- Subject: Request for LDAP Object Identifier Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Specification: RFC 4531
- Author/Change Controller: Author
- Comments:
- Identifies the LDAP Turn Operation
-
-6.2. LDAP Protocol Mechanism
-
- The IANA has registered the LDAP Protocol Mechanism described in this
- document.
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: 1.3.6.1.1.19
- Description: LDAP Turn Operation
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
- Usage: Extended Operation
- Specification: RFC 4531
- Author/Change Controller: Author
- Comments: none
-
-7. References
-
-7.1. Normative References
-
- [RFC4346] Dierks, T. and, E. Rescorla, "The Transport Layer
- Security (TLS) Protocol Version 1.1", RFC 4346, April
- 2006.
-
- [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
- Authentication and Security Layer (SASL)", RFC 4422,
- June 2006.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access
- Protocol (LDAP): Technical Specification Road Map", RFC
- 4510, June 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access
- Protocol (LDAP): Authentication Methods and Security
- Mechanisms", RFC 4513, June 2006.
-
-
-
-
-
-
-Zeilenga Experimental [Page 7]
-�
-RFC 4531 LDAP Turn Operation June 2006
-
-
- [X.680] International Telecommunication Union -
- Telecommunication Standardization Sector, "Abstract
- Syntax Notation One (ASN.1) - Specification of Basic
- Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
-
- [X.690] International Telecommunication Union -
- Telecommunication Standardization Sector,
- "Specification of ASN.1 encoding rules: Basic Encoding
- Rules (BER), Canonical Encoding Rules (CER), and
- Distinguished Encoding Rules (DER)", X.690(2002) (also
- ISO/IEC 8825-1:2002).
-
-7.2. Informative References
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority
- (IANA) Considerations for the Lightweight Directory
- Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [SASL-K5] Melnikov, A., Ed., "The Kerberos V5 ("GSSAPI") SASL
- Mechanism", Work in Progress, May 2006.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Experimental [Page 8]
-�
-RFC 4531 LDAP Turn Operation June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Experimental [Page 9]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4532.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4532.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4532.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4532 OpenLDAP Foundation
-Category: Standards Track June 2006
-
-
- Lightweight Directory Access Protocol (LDAP)
- "Who am I?" Operation
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This specification provides a mechanism for Lightweight Directory
- Access Protocol (LDAP) clients to obtain the authorization identity
- the server has associated with the user or application entity. This
- mechanism is specified as an LDAP extended operation called the LDAP
- "Who am I?" operation.
-
-1. Background and Intent of Use
-
- This specification describes a Lightweight Directory Access Protocol
- (LDAP) [RFC4510] operation that clients can use to obtain the primary
- authorization identity, in its primary form, that the server has
- associated with the user or application entity. The operation is
- called the "Who am I?" operation.
-
- This specification is intended to replace the existing Authorization
- Identity Controls [RFC3829] mechanism, which uses Bind request and
- response controls to request and return the authorization identity.
- Bind controls are not protected by security layers established by the
- Bind operation that includes them. While it is possible to establish
- security layers using StartTLS [RFC4511][RFC4513] prior to the Bind
- operation, it is often desirable to use security layers established
- by the Bind operation. An extended operation sent after a Bind
- operation is protected by the security layers established by the Bind
- operation.
-
-
-
-
-
-Zeilenga Standards Track [Page 1]
-�
-RFC 4532 LDAP "Who am I?" Operation June 2006
-
-
- There are other cases where it is desirable to request the
- authorization identity that the server associated with the client
- separately from the Bind operation. For example, the "Who am I?"
- operation can be augmented with a Proxied Authorization Control
- [RFC4370] to determine the authorization identity that the server
- associates with the identity asserted in the Proxied Authorization
- Control. The "Who am I?" operation can also be used prior to the
- Bind operation.
-
- Servers often associate multiple authorization identities with the
- client, and each authorization identity may be represented by
- multiple authzId [RFC4513] strings. This operation requests and
- returns the authzId that the server considers primary. In the
- specification, the term "the authorization identity" and "the
- authzId" are generally to be read as "the primary authorization
- identity" and the "the primary authzId", respectively.
-
-1.1. Conventions Used in This Document
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
-2. The "Who am I?" Operation
-
- The "Who am I?" operation is defined as an LDAP Extended Operation
- [RFC4511] identified by the whoamiOID Object Identifier (OID). This
- section details the syntax of the operation's whoami request and
- response messages.
-
- whoamiOID ::= "1.3.6.1.4.1.4203.1.11.3"
-
-2.1. The whoami Request
-
- The whoami request is an ExtendedRequest with a requestName field
- containing the whoamiOID OID and an absent requestValue field. For
- example, a whoami request could be encoded as the sequence of octets
- (in hex):
-
- 30 1e 02 01 02 77 19 80 17 31 2e 33 2e 36 2e 31
- 2e 34 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 33
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 2]
-�
-RFC 4532 LDAP "Who am I?" Operation June 2006
-
-
-2.2. The whoami Response
-
- The whoami response is an ExtendedResponse where the responseName
- field is absent and the response field, if present, is empty or an
- authzId [RFC4513]. For example, a whoami response returning the
- authzId "u:xxyyz at EXAMPLE.NET" (in response to the example request)
- would be encoded as the sequence of octets (in hex):
-
- 30 21 02 01 02 78 1c 0a 01 00 04 00 04 00 8b 13
- 75 3a 78 78 79 79 7a 40 45 58 41 4d 50 4c 45 2e
- 4e 45 54
-
-3. Operational Semantics
-
- The "Who am I?" operation provides a mechanism, a whoami Request, for
- the client to request that the server return the authorization
- identity it currently associates with the client. It also provides a
- mechanism, a whoami Response, for the server to respond to that
- request.
-
- Servers indicate their support for this extended operation by
- providing a whoamiOID object identifier as a value of the
- 'supportedExtension' attribute type in their root DSE. The server
- SHOULD advertise this extension only when the client is willing and
- able to perform this operation.
-
- If the server is willing and able to provide the authorization
- identity it associates with the client, the server SHALL return a
- whoami Response with a success resultCode. If the server is treating
- the client as an anonymous entity, the response field is present but
- empty. Otherwise, the server provides the authzId [RFC4513]
- representing the authorization identity it currently associates with
- the client in the response field.
-
- If the server is unwilling or unable to provide the authorization
- identity it associates with the client, the server SHALL return a
- whoami Response with an appropriate non-success resultCode (such as
- operationsError, protocolError, confidentialityRequired,
- insufficientAccessRights, busy, unavailable, unwillingToPerform, or
- other) and an absent response field.
-
- As described in [RFC4511] and [RFC4513], an LDAP session has an
- "anonymous" association until the client has been successfully
- authenticated using the Bind operation. Clients MUST NOT invoke the
- "Who am I?" operation while any Bind operation is in progress,
- including between two Bind requests made as part of a multi-stage
-
-
-
-
-
-Zeilenga Standards Track [Page 3]
-�
-RFC 4532 LDAP "Who am I?" Operation June 2006
-
-
- Bind operation. Where a whoami Request is received in violation of
- this absolute prohibition, the server should return a whoami Response
- with an operationsError resultCode.
-
-4. Extending the "Who am I?" Operation with Controls
-
- Future specifications may extend the "Who am I?" operation using the
- control mechanism [RFC4511]. When extended by controls, the "Who am
- I?" operation requests and returns the authorization identity the
- server associates with the client in a particular context indicated
- by the controls.
-
-4.1. Proxied Authorization Control
-
- The Proxied Authorization Control [RFC4370] is used by clients to
- request that the operation it is attached to operate under the
- authorization of an assumed identity. The client provides the
- identity to assume in the Proxied Authorization request control. If
- the client is authorized to assume the requested identity, the server
- executes the operation as if the requested identity had issued the
- operation.
-
- As servers often map the asserted authzId to another identity
- [RFC4513], it is desirable to request that the server provide the
- authzId it associates with the assumed identity.
-
- When a Proxied Authorization Control is be attached to the "Who am
- I?" operation, the operation requests the return of the authzId the
- server associates with the identity asserted in the Proxied
- Authorization Control. The authorizationDenied (123) result code is
- used to indicate that the server does not allow the client to assume
- the asserted identity.
-
-5. Security Considerations
-
- Identities associated with users may be sensitive information. When
- they are, security layers [RFC4511][RFC4513] should be established to
- protect this information. This mechanism is specifically designed to
- allow security layers established by a Bind operation to protect the
- integrity and/or confidentiality of the authorization identity.
-
- Servers may place access control or other restrictions upon the use
- of this operation. As stated in Section 3, the server SHOULD
- advertise this extension when it is willing and able to perform the
- operation.
-
- As with any other extended operations, general LDAP security
- considerations [RFC4510] apply.
-
-
-
-Zeilenga Standards Track [Page 4]
-�
-RFC 4532 LDAP "Who am I?" Operation June 2006
-
-
-6. IANA Considerations
-
- The OID 1.3.6.1.4.1.4203.1.11.3 is used to identify the LDAP "Who am
- I?" extended operation. This OID was assigned [ASSIGN] by the
- OpenLDAP Foundation, under its IANA-assigned private enterprise
- allocation [PRIVATE], for use in this specification.
-
- Registration of this protocol mechanism [RFC4520] has been completed
- by the IANA.
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: 1.3.6.1.4.1.4203.1.11.3
- Description: Who am I?
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
- Usage: Extended Operation
- Specification: RFC 4532
- Author/Change Controller: IESG
- Comments: none
-
-7. Acknowledgement
-
- This document borrows from prior work in this area, including
- "Authentication Response Control" [RFC3829] by Rob Weltman, Mark
- Smith, and Mark Wahl.
-
- The LDAP "Who am I?" operation takes it's name from the UNIX
- whoami(1) command. The whoami(1) command displays the effective user
- ID.
-
-8. References
-
-8.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC4370] Weltman, R., "Lightweight Directory Access Protocol (LDAP)
- Proxied Authorization Control", RFC 4370, February 2006.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
-
-
-
-
-Zeilenga Standards Track [Page 5]
-�
-RFC 4532 LDAP "Who am I?" Operation June 2006
-
-
- [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
- (LDAP): Authentication Methods and Security Mechanisms",
- RFC 4513, June 2006.
-
-8.2. Informative References
-
- [RFC3829] Weltman, R., Smith, M., and M. Wahl, "Lightweight Directory
- Access Protocol (LDAP) Authorization Identity Request and
- Response Controls", RFC 3829, July 2004.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
- Considerations for the Lightweight Directory Access
- Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
- http://www.openldap.org/foundation/oid-delegate.txt.
-
- [PRIVATE] IANA, "Private Enterprise Numbers",
- http://www.iana.org/assignments/enterprise-numbers.
-
-Author's Address
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 6]
-�
-RFC 4532 LDAP "Who am I?" Operation June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga Standards Track [Page 7]
-�
Deleted: branches/samba/upstream/source4/ldap_server/devdocs/rfc4533.txt
===================================================================
--- branches/samba/upstream/source4/ldap_server/devdocs/rfc4533.txt 2010-01-18 23:08:04 UTC (rev 3239)
+++ branches/samba/upstream/source4/ldap_server/devdocs/rfc4533.txt 2010-01-20 19:20:07 UTC (rev 3240)
@@ -1,1795 +0,0 @@
-
-
-
-
-
-
-Network Working Group K. Zeilenga
-Request for Comments: 4533 OpenLDAP Foundation
-Category: Experimental J.H. Choi
- IBM Corporation
- June 2006
-
-
- The Lightweight Directory Access Protocol (LDAP)
- Content Synchronization Operation
-
-Status of This Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. It does not specify an Internet standard of any kind.
- Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-IESG Note
-
- The IESG notes that this work was originally discussed in the LDUP
- working group. The group came to consensus on a different approach,
- documented in RFC 3928; that document is on the standards track and
- should be reviewed by those considering implementation of this
- proposal.
-
-Abstract
-
- This specification describes the Lightweight Directory Access
- Protocol (LDAP) Content Synchronization Operation. The operation
- allows a client to maintain a copy of a fragment of the Directory
- Information Tree (DIT). It supports both polling for changes and
- listening for changes. The operation is defined as an extension of
- the LDAP Search Operation.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 1]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 1.1. Background .................................................3
- 1.2. Intended Usage .............................................4
- 1.3. Overview ...................................................5
- 1.4. Conventions ................................................8
- 2. Elements of the Sync Operation ..................................8
- 2.1. Common ASN.1 Elements ......................................9
- 2.2. Sync Request Control .......................................9
- 2.3. Sync State Control ........................................10
- 2.4. Sync Done Control .........................................10
- 2.5. Sync Info Message .........................................11
- 2.6. Sync Result Codes .........................................11
- 3. Content Synchronization ........................................11
- 3.1. Synchronization Session ...................................12
- 3.2. Content Determination .....................................12
- 3.3. refreshOnly Mode ..........................................13
- 3.4. refreshAndPersist Mode ....................................16
- 3.5. Search Request Parameters .................................17
- 3.6. objectName ................................................18
- 3.7. Canceling the Sync Operation ..............................19
- 3.8. Refresh Required ..........................................19
- 3.9. Chattiness Considerations .................................20
- 3.10. Operation Multiplexing ...................................21
- 4. Meta Information Considerations ................................22
- 4.1. Entry DN ..................................................22
- 4.2. Operational Attributes ....................................22
- 4.3. Collective Attributes .....................................23
- 4.4. Access and Other Administrative Controls ..................23
- 5. Interaction with Other Controls ................................23
- 5.1. ManageDsaIT Control .......................................24
- 5.2. Subentries Control ........................................24
- 6. Shadowing Considerations .......................................24
- 7. Security Considerations ........................................25
- 8. IANA Considerations ............................................26
- 8.1. Object Identifier .........................................26
- 8.2. LDAP Protocol Mechanism ...................................26
- 8.3. LDAP Result Codes .........................................26
- 9. Acknowledgements ...............................................26
- 10. Normative References ..........................................27
- 11. Informative References ........................................28
- Appendix A. CSN-based Implementation Considerations ..............29
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 2]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-1. Introduction
-
- The Lightweight Directory Access Protocol (LDAP) [RFC4510] provides a
- mechanism, the search operation [RFC4511], that allows a client to
- request directory content matching a complex set of assertions and to
- request that the server return this content, subject to access
- control and other restrictions, to the client. However, LDAP does
- not provide (despite the introduction of numerous extensions in this
- area) an effective and efficient mechanism for maintaining
- synchronized copies of directory content. This document introduces a
- new mechanism specifically designed to meet the content
- synchronization requirements of sophisticated directory applications.
-
- This document defines the LDAP Content Synchronization Operation, or
- Sync Operation for short, which allows a client to maintain a
- synchronized copy of a fragment of a Directory Information Tree
- (DIT). The Sync Operation is defined as a set of controls and other
- protocol elements that extend the Search Operation.
-
-1.1. Background
-
- Over the years, a number of content synchronization approaches have
- been suggested for use in LDAP directory services. These approaches
- are inadequate for one or more of the following reasons:
-
- - failure to ensure a reasonable level of convergence;
-
- - failure to detect that convergence cannot be achieved (without
- reload);
-
- - require pre-arranged synchronization agreements;
-
- - require the server to maintain histories of past changes to DIT
- content and/or meta information;
-
- - require the server to maintain synchronization state on a per-
- client basis; and/or
-
- - are overly chatty.
-
- The Sync Operation provides eventual convergence of synchronized
- content when possible and, when not, notification that a full reload
- is required.
-
- The Sync Operation does not require pre-arranged synchronization
- agreements.
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 3]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- The Sync Operation does not require that servers maintain or use any
- history of past changes to the DIT or to meta information. However,
- servers may maintain and use histories (e.g., change logs,
- tombstones, DIT snapshots) to reduce the number of messages generated
- and to reduce their size. As it is not always feasible to maintain
- and use histories, the operation may be implemented using purely
- (current) state-based approaches. The Sync Operation allows use of
- either the state-based approach or the history-based approach on an
- operation-by-operation basis to balance the size of history and the
- amount of traffic. The Sync Operation also allows the combined use
- of the state-based and the history-based approaches.
-
- The Sync Operation does not require that servers maintain
- synchronization state on a per-client basis. However, servers may
- maintain and use per-client state information to reduce the number of
- messages generated and the size of such messages.
-
- A synchronization mechanism can be considered overly chatty when
- synchronization traffic is not reasonably bounded. The Sync
- Operation traffic is bounded by the size of updated (or new) entries
- and the number of unchanged entries in the content. The operation is
- designed to avoid full content exchanges, even when the history
- information available to the server is insufficient to determine the
- client's state. The operation is also designed to avoid transmission
- of out-of-content history information, as its size is not bounded by
- the content and it is not always feasible to transmit such history
- information due to security reasons.
-
- This document includes a number of non-normative appendices providing
- additional information to server implementors.
-
-1.2. Intended Usage
-
- The Sync Operation is intended to be used in applications requiring
- eventually-convergent content synchronization. Upon completion of
- each synchronization stage of the operation, all information to
- construct a synchronized client copy of the content has been provided
- to the client or the client has been notified that a complete content
- reload is necessary. Except for transient inconsistencies due to
- concurrent operation (or other) processing at the server, the client
- copy is an accurate reflection of the content held by the server.
- Transient inconsistencies will be resolved by subsequent
- synchronization operations.
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 4]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- Possible uses include the following:
-
- - White page service applications may use the Sync Operation to
- maintain a current copy of a DIT fragment, for example, a mail
- user agent that uses the sync operation to maintain a local
- copy of an enterprise address book.
-
- - Meta-information engines may use the Sync Operation to maintain
- a copy of a DIT fragment.
-
- - Caching proxy services may use the Sync Operation to maintain a
- coherent content cache.
-
- - Lightweight master-slave replication between heterogeneous
- directory servers. For example, the Sync Operation can be used
- by a slave server to maintain a shadow copy of a DIT fragment.
- (Note: The International Telephone Union (ITU) has defined the
- X.500 Directory [X.500] Information Shadowing Protocol (DISP)
- [X.525], which may be used for master-slave replication between
- directory servers. Other experimental LDAP replication
- protocols also exist.)
-
- This protocol is not intended to be used in applications requiring
- transactional data consistency.
-
- As this protocol transfers all visible values of entries belonging to
- the content upon change instead of change deltas, this protocol is
- not appropriate for bandwidth-challenged applications or deployments.
-
-1.3. Overview
-
- This section provides an overview of basic ways the Sync Operation
- can be used to maintain a synchronized client copy of a DIT fragment.
-
- - Polling for changes: refreshOnly mode
-
- - Listening for changes: refreshAndPersist mode
-
-1.3.1. Polling for Changes (refreshOnly)
-
- To obtain its initial client copy, the client issues a Sync request:
- a search request with the Sync Request Control with mode set to
- refreshOnly. The server, much like it would with a normal search
- operation, returns (subject to access controls and other
- restrictions) the content matching the search criteria (baseObject,
- scope, filter, attributes). Additionally, with each entry returned,
- the server provides a Sync State Control indicating state add. This
- control contains the Universally Unique Identifier (UUID) [UUID] of
-
-
-
-Zeilenga & Choi Experimental [Page 5]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- the entry [RFC4530]. Unlike the Distinguished Name (DN), which may
- change over time, an entry's UUID is stable. The initial content is
- followed by a SearchResultDone with a Sync Done Control. The Sync
- Done Control provides a syncCookie. The syncCookie represents
- session state.
-
- To poll for updates to the client copy, the client reissues the Sync
- Operation with the syncCookie previously returned. The server, much
- as it would with a normal search operation, determines which content
- would be returned as if the operation were a normal search operation.
- However, using the syncCookie as an indicator of what content the
- client was sent previously, the server sends copies of entries that
- have changed with a Sync State Control indicating state add. For
- each changed entry, all (modified or unmodified) attributes belonging
- to the content are sent.
-
- The server may perform either or both of the two distinct
- synchronization phases that are distinguished by how to synchronize
- entries deleted from the content: the present and the delete phases.
- When the server uses a single phase for the refresh stage, each phase
- is marked as ended by a SearchResultDone with a Sync Done Control. A
- present phase is identified by a FALSE refreshDeletes value in the
- Sync Done Control. A delete phase is identified by a TRUE
- refreshDeletes value. The present phase may be followed by a delete
- phase. The two phases are delimited by a refreshPresent Sync Info
- Message having a FALSE refreshDone value. In the case that both the
- phases are used, the present phase is used to bring the client copy
- up to the state at which the subsequent delete phase can begin.
-
- In the present phase, the server sends an empty entry (i.e., no
- attributes) with a Sync State Control indicating state present for
- each unchanged entry.
-
- The delete phase may be used when the server can reliably determine
- which entries in the prior client copy are no longer present in the
- content and the number of such entries is less than or equal to the
- number of unchanged entries. In the delete mode, the server sends an
- empty entry with a Sync State Control indicating state delete for
- each entry that is no longer in the content, instead of returning an
- empty entry with state present for each present entry.
-
- The server may send syncIdSet Sync Info Messages containing the set
- of UUIDs of either unchanged present entries or deleted entries,
- instead of sending multiple individual messages. If refreshDeletes
- of syncIdSet is set to FALSE, the UUIDs of unchanged present entries
- are contained in the syncUUIDs set; if refreshDeletes of syncIdSet is
- set to TRUE, the UUIDs of the entries no longer present in the
- content are contained in the syncUUIDs set. An optional cookie can
-
-
-
-Zeilenga & Choi Experimental [Page 6]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- be included in the syncIdSet to represent the state of the content
- after synchronizing the presence or the absence of the entries
- contained in the syncUUIDs set.
-
- The synchronized copy of the DIT fragment is constructed by the
- client.
-
- If refreshDeletes of syncDoneValue is FALSE, the new copy includes
- all changed entries returned by the reissued Sync Operation, as well
- as all unchanged entries identified as being present by the reissued
- Sync Operation, but whose content is provided by the previous Sync
- Operation. The unchanged entries not identified as being present are
- deleted from the client content. They had been either deleted,
- moved, or otherwise scoped-out from the content.
-
- If refreshDeletes of syncDoneValue is TRUE, the new copy includes all
- changed entries returned by the reissued Sync Operation, as well as
- all other entries of the previous copy except for those that are
- identified as having been deleted from the content.
-
- The client can, at some later time, re-poll for changes to this
- synchronized client copy.
-
-1.3.2. Listening for Changes (refreshAndPersist)
-
- Polling for changes can be expensive in terms of server, client, and
- network resources. The refreshAndPersist mode allows for active
- updates of changed entries in the content.
-
- By selecting the refreshAndPersist mode, the client requests that the
- server send updates of entries that are changed after the initial
- refresh content is determined. Instead of sending a SearchResultDone
- Message as in polling, the server sends a Sync Info Message to the
- client indicating that the refresh stage is complete and then enters
- the persist stage. After receipt of this Sync Info Message, the
- client will construct a synchronized copy as described in Section
- 1.3.1.
-
- The server may then send change notifications as the result of the
- original Sync search request, which now remains persistent in the
- server. For entries to be added to the returned content, the server
- sends a SearchResultEntry (with attributes) with a Sync State Control
- indicating state add. For entries to be deleted from the content,
- the server sends a SearchResultEntry containing no attributes and a
- Sync State Control indicating state delete. For entries to be
- modified in the return content, the server sends a SearchResultEntry
- (with attributes) with a Sync State Control indicating state modify.
-
-
-
-
-Zeilenga & Choi Experimental [Page 7]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- Upon modification of an entry, all (modified or unmodified)
- attributes belonging to the content are sent.
-
- Note that renaming an entry of the DIT may cause an add state change
- where the entry is renamed into the content, a delete state change
- where the entry is renamed out of the content, and a modify state
- change where the entry remains in the content. Also note that a
- modification of an entry of the DIT may cause an add, delete, or
- modify state change to the content.
-
- Upon receipt of a change notification, the client updates its copy of
- the content.
-
- If the server desires to update the syncCookie during the persist
- stage, it may include the syncCookie in any Sync State Control or
- Sync Info Message returned.
-
- The operation persists until canceled [RFC3909] by the client or
- terminated by the server. A Sync Done Control shall be attached to
- SearchResultDone Message to provide a new syncCookie.
-
-1.4. Conventions
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14 [RFC2119].
-
- Protocol elements are described using ASN.1 [X.680] with implicit
- tags. The term "BER-encoded" means the element is to be encoded
- using the Basic Encoding Rules [X.690] under the restrictions
- detailed in Section 5.1 of [RFC4511].
-
-2. Elements of the Sync Operation
-
- The Sync Operation is defined as an extension to the LDAP Search
- Operation [RFC4511] where the directory user agent (DUA or client)
- submits a SearchRequest Message with a Sync Request Control and the
- directory system agent (DSA or server) responds with zero or more
- SearchResultEntry Messages, each with a Sync State Control; zero or
- more SearchResultReference Messages, each with a Sync State Control;
- zero or more Sync Info Intermediate Response Messages; and a
- SearchResultDone Message with a Sync Done Control.
-
- To allow clients to discover support for this operation, servers
- implementing this operation SHOULD publish 1.3.6.1.4.1.4203.1.9.1.1
- as a value of the 'supportedControl' attribute [RFC4512] of the root
- DSA-specific entry (DSE). A server MAY choose to advertise this
- extension only when the client is authorized to use it.
-
-
-
-Zeilenga & Choi Experimental [Page 8]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-2.1. Common ASN.1 Elements
-
-2.1.1. syncUUID
-
- The syncUUID data type is an OCTET STRING holding a 128-bit
- (16-octet) Universally Unique Identifier (UUID) [UUID].
-
- syncUUID ::= OCTET STRING (SIZE(16))
- -- constrained to UUID
-
-2.1.2. syncCookie
-
- The syncCookie is a notational convenience to indicate that, while
- the syncCookie type is encoded as an OCTET STRING, its value is an
- opaque value containing information about the synchronization session
- and its state. Generally, the session information would include a
- hash of the operation parameters that the server requires not be
- changed and the synchronization state information would include a
- commit (log) sequence number, a change sequence number, or a time
- stamp. For convenience of description, the term "no cookie" refers
- either to a null cookie or to a cookie with pre-initialized
- synchronization state.
-
- syncCookie ::= OCTET STRING
-
-2.2. Sync Request Control
-
- The Sync Request Control is an LDAP Control [RFC4511] where the
- controlType is the object identifier 1.3.6.1.4.1.4203.1.9.1.1 and the
- controlValue, an OCTET STRING, contains a BER-encoded
- syncRequestValue. The criticality field is either TRUE or FALSE.
-
- syncRequestValue ::= SEQUENCE {
- mode ENUMERATED {
- -- 0 unused
- refreshOnly (1),
- -- 2 reserved
- refreshAndPersist (3)
- },
- cookie syncCookie OPTIONAL,
- reloadHint BOOLEAN DEFAULT FALSE
- }
-
- The Sync Request Control is only applicable to the SearchRequest
- Message.
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 9]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-2.3. Sync State Control
-
- The Sync State Control is an LDAP Control [RFC4511] where the
- controlType is the object identifier 1.3.6.1.4.1.4203.1.9.1.2 and the
- controlValue, an OCTET STRING, contains a BER-encoded syncStateValue.
- The criticality is FALSE.
-
- syncStateValue ::= SEQUENCE {
- state ENUMERATED {
- present (0),
- add (1),
- modify (2),
- delete (3)
- },
- entryUUID syncUUID,
- cookie syncCookie OPTIONAL
- }
-
- The Sync State Control is only applicable to SearchResultEntry and
- SearchResultReference Messages.
-
-2.4. Sync Done Control
-
- The Sync Done Control is an LDAP Control [RFC4511] where the
- controlType is the object identifier 1.3.6.1.4.1.4203.1.9.1.3 and the
- controlValue contains a BER-encoded syncDoneValue. The criticality
- is FALSE (and hence absent).
-
- syncDoneValue ::= SEQUENCE {
- cookie syncCookie OPTIONAL,
- refreshDeletes BOOLEAN DEFAULT FALSE
- }
-
- The Sync Done Control is only applicable to the SearchResultDone
- Message.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 10]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-2.5. Sync Info Message
-
- The Sync Info Message is an LDAP Intermediate Response Message
- [RFC4511] where responseName is the object identifier
- 1.3.6.1.4.1.4203.1.9.1.4 and responseValue contains a BER-encoded
- syncInfoValue. The criticality is FALSE (and hence absent).
-
- syncInfoValue ::= CHOICE {
- newcookie [0] syncCookie,
- refreshDelete [1] SEQUENCE {
- cookie syncCookie OPTIONAL,
- refreshDone BOOLEAN DEFAULT TRUE
- },
- refreshPresent [2] SEQUENCE {
- cookie syncCookie OPTIONAL,
- refreshDone BOOLEAN DEFAULT TRUE
- },
- syncIdSet [3] SEQUENCE {
- cookie syncCookie OPTIONAL,
- refreshDeletes BOOLEAN DEFAULT FALSE,
- syncUUIDs SET OF syncUUID
- }
- }
-
-2.6. Sync Result Codes
-
- The following LDAP resultCode [RFC4511] is defined:
-
- e-syncRefreshRequired (4096)
-
-3. Content Synchronization
-
- The Sync Operation is invoked when the client sends a SearchRequest
- Message with a Sync Request Control.
-
- The absence of a cookie or an initialized synchronization state in a
- cookie indicates a request for initial content, while the presence of
- a cookie representing a state of a client copy indicates a request
- for a content update. Synchronization Sessions are discussed in
- Section 3.1. Content Determination is discussed in Section 3.2.
-
- The mode is either refreshOnly or refreshAndPersist. The refreshOnly
- and refreshAndPersist modes are discussed in Sections 3.3 and 3.4,
- respectively. The refreshOnly mode consists only of a refresh stage,
- while the refreshAndPersist mode consists of a refresh stage and a
- subsequent persist stage.
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 11]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-3.1. Synchronization Session
-
- A sequence of Sync Operations where the last cookie returned by the
- server for one operation is provided by the client in the next
- operation is said to belong to the same Synchronization Session.
-
- The client MUST specify the same content-controlling parameters (see
- Section 3.5) in each Search Request of the session. The client
- SHOULD also issue each Sync request of a session under the same
- authentication and authorization associations with equivalent
- integrity and protections. If the server does not recognize the
- request cookie or the request is made under different associations or
- non-equivalent protections, the server SHALL return the initial
- content as if no cookie had been provided or return an empty content
- with the e-syncRefreshRequired LDAP result code. The decision
- between the return of the initial content and the return of the empty
- content with the e-syncRefreshRequired result code MAY be based on
- reloadHint in the Sync Request Control from the client. If the
- server recognizes the request cookie as representing empty or initial
- synchronization state of the client copy, the server SHALL return the
- initial content.
-
- A Synchronization Session may span multiple LDAP sessions between the
- client and the server. The client SHOULD issue each Sync request of
- a session to the same server. (Note: Shadowing considerations are
- discussed in Section 6.)
-
-3.2. Content Determination
-
- The content to be provided is determined by parameters of the Search
- Request, as described in [RFC4511], and possibly other controls. The
- same content parameters SHOULD be used in each Sync request of a
- session. If different content is requested and the server is
- unwilling or unable to process the request, the server SHALL return
- the initial content as if no cookie had been provided or return an
- empty content with the e-syncRefreshRequired LDAP result code. The
- decision between the return of the initial content and the return of
- the empty content with the e-syncRefreshRequired result code MAY be
- based on reloadHint in the Sync Request Control from the client.
-
- The content may not necessarily include all entries or references
- that would be returned by a normal search operation, nor, for those
- entries included, all attributes returned by a normal search. When
- the server is unwilling or unable to provide synchronization for any
- attribute for a set of entries, the server MUST treat all filter
- components matching against these attributes as Undefined and MUST
- NOT return these attributes in SearchResultEntry responses.
-
-
-
-
-Zeilenga & Choi Experimental [Page 12]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- Servers SHOULD support synchronization for all non-collective user-
- application attributes for all entries.
-
- The server may also return continuation references to other servers
- or to itself. The latter is allowed as the server may partition the
- entries it holds into separate synchronization contexts.
-
- The client may chase all or some of these continuations, each as a
- separate content synchronization session.
-
-3.3. refreshOnly Mode
-
- A Sync request with mode refreshOnly and with no cookie is a poll for
- initial content. A Sync request with mode refreshOnly and with a
- cookie representing a synchronization state is a poll for content
- update.
-
-3.3.1. Initial Content Poll
-
- Upon receipt of the request, the server provides the initial content
- using a set of zero or more SearchResultEntry and
- SearchResultReference Messages followed by a SearchResultDone
- Message.
-
- Each SearchResultEntry Message SHALL include a Sync State Control of
- state add, an entryUUID containing the entry's UUID, and no cookie.
- Each SearchResultReference Message SHALL include a Sync State Control
- of state add, an entryUUID containing the UUID associated with the
- reference (normally the UUID of the associated named referral
- [RFC3296] object), and no cookie. The SearchResultDone Message SHALL
- include a Sync Done Control having refreshDeletes set to FALSE.
-
- A resultCode value of success indicates that the operation
- successfully completed. Otherwise, the result code indicates the
- nature of the failure. The server may return e-syncRefreshRequired
- result code on the initial content poll if it is safe to do so when
- it is unable to perform the operation due to various reasons.
- reloadHint is set to FALSE in the SearchRequest Message requesting
- the initial content poll.
-
- If the operation is successful, a cookie representing the
- synchronization state of the current client copy SHOULD be returned
- for use in subsequent Sync Operations.
-
-3.3.2. Content Update Poll
-
- Upon receipt of the request, the server provides the content refresh
- using a set of zero or more SearchResultEntry and
-
-
-
-Zeilenga & Choi Experimental [Page 13]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- SearchResultReference Messages followed by a SearchResultDone
- Message.
-
- The server is REQUIRED to:
-
- a) provide the sequence of messages necessary for eventual
- convergence of the client's copy of the content to the server's
- copy,
-
- b) treat the request as an initial content request (e.g., ignore
- the cookie or the synchronization state represented in the
- cookie),
-
- c) indicate that the incremental convergence is not possible by
- returning e-syncRefreshRequired,
-
- d) return a resultCode other than success or e-
- syncRefreshRequired.
-
- A Sync Operation may consist of a single present phase, a single
- delete phase, or a present phase followed by a delete phase.
-
- In each phase, for each entry or reference that has been added to the
- content or been changed since the previous Sync Operation indicated
- by the cookie, the server returns a SearchResultEntry or
- SearchResultReference Message, respectively, each with a Sync State
- Control consisting of state add, an entryUUID containing the UUID of
- the entry or reference, and no cookie. Each SearchResultEntry
- Message represents the current state of a changed entry. Each
- SearchResultReference Message represents the current state of a
- changed reference.
-
- In the present phase, for each entry that has not been changed since
- the previous Sync Operation, an empty SearchResultEntry is returned
- whose objectName reflects the entry's current DN, whose attributes
- field is empty, and whose Sync State Control consists of state
- present, an entryUUID containing the UUID of the entry, and no
- cookie. For each reference that has not been changed since the
- previous Sync Operation, an empty SearchResultReference containing an
- empty SEQUENCE OF LDAPURL is returned with a Sync State Control
- consisting of state present, an entryUUID containing the UUID of the
- entry, and no cookie. No messages are sent for entries or references
- that are no longer in the content.
-
- Multiple empty entries with a Sync State Control of state present
- SHOULD be coalesced into one or more Sync Info Messages of syncIdSet
- value with refreshDeletes set to FALSE. syncUUIDs contain a set of
- UUIDs of the entries and references unchanged since the last Sync
-
-
-
-Zeilenga & Choi Experimental [Page 14]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- Operation. syncUUIDs may be empty. The Sync Info Message of
- syncIdSet may contain a cookie to represent the state of the content
- after performing the synchronization of the entries in the set.
-
- In the delete phase, for each entry no longer in the content, the
- server returns a SearchResultEntry whose objectName reflects a past
- DN of the entry or is empty, whose attributes field is empty, and
- whose Sync State Control consists of state delete, an entryUUID
- containing the UUID of the deleted entry, and no cookie. For each
- reference no longer in the content, a SearchResultReference
- containing an empty SEQUENCE OF LDAPURL is returned with a Sync State
- Control consisting of state delete, an entryUUID containing the UUID
- of the deleted reference, and no cookie.
-
- Multiple empty entries with a Sync State Control of state delete
- SHOULD be coalesced into one or more Sync Info Messages of syncIdSet
- value with refreshDeletes set to TRUE. syncUUIDs contain a set of
- UUIDs of the entries and references that have been deleted from the
- content since the last Sync Operation. syncUUIDs may be empty. The
- Sync Info Message of syncIdSet may contain a cookie to represent the
- state of the content after performing the synchronization of the
- entries in the set.
-
- When a present phase is followed by a delete phase, the two phases
- are delimited by a Sync Info Message containing syncInfoValue of
- refreshPresent, which may contain a cookie representing the state
- after completing the present phase. The refreshPresent contains
- refreshDone, which is always FALSE in the refreshOnly mode of Sync
- Operation because it is followed by a delete phase.
-
- If a Sync Operation consists of a single phase, each phase and hence
- the Sync Operation are marked as ended by a SearchResultDone Message
- with Sync Done Control, which SHOULD contain a cookie representing
- the state of the content after completing the Sync Operation. The
- Sync Done Control contains refreshDeletes, which is set to FALSE for
- the present phase and set to TRUE for the delete phase.
-
- If a Sync Operation consists of a present phase followed by a delete
- phase, the Sync Operation is marked as ended at the end of the delete
- phase by a SearchResultDone Message with Sync Done Control, which
- SHOULD contain a cookie representing the state of the content after
- completing the Sync Operation. The Sync Done Control contains
- refreshDeletes, which is set to TRUE.
-
- The client can specify whether it prefers to receive an initial
- content by supplying reloadHint of TRUE or to receive a e-
- syncRefreshRequired resultCode by supplying reloadHint of FALSE
- (hence absent), in the case that the server determines that it is
-
-
-
-Zeilenga & Choi Experimental [Page 15]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- impossible or inefficient to achieve the eventual convergence by
- continuing the current incremental synchronization thread.
-
- A resultCode value of success indicates that the operation is
- successfully completed. A resultCode value of e-syncRefreshRequired
- indicates that a full or partial refresh is needed. Otherwise, the
- result code indicates the nature of failure. A cookie is provided in
- the Sync Done Control for use in subsequent Sync Operations for
- incremental synchronization.
-
-3.4. refreshAndPersist Mode
-
- A Sync request with mode refreshAndPersist asks for initial content
- or content update (during the refresh stage) followed by change
- notifications (during the persist stage).
-
-3.4.1. refresh Stage
-
- The content refresh is provided as described in Section 3.3, except
- that the successful completion of content refresh is indicated by
- sending a Sync Info Message of refreshDelete or refreshPresent with a
- refreshDone value set to TRUE instead of a SearchResultDone Message
- with resultCode success. A cookie SHOULD be returned in the Sync
- Info Message to represent the state of the content after finishing
- the refresh stage of the Sync Operation.
-
-3.4.2. persist Stage
-
- Change notifications are provided during the persist stage.
-
- As updates are made to the DIT, the server notifies the client of
- changes to the content. DIT updates may cause entries and references
- to be added to the content, deleted from the content, or modified
- within the content. DIT updates may also cause references to be
- added, deleted, or modified within the content.
-
- Where DIT updates cause an entry to be added to the content, the
- server provides a SearchResultEntry Message that represents the entry
- as it appears in the content. The message SHALL include a Sync State
- Control with state of add, an entryUUID containing the entry's UUID,
- and an optional cookie.
-
- Where DIT updates cause a reference to be added to the content, the
- server provides a SearchResultReference Message that represents the
- reference in the content. The message SHALL include a Sync State
- Control with state of add, an entryUUID containing the UUID
- associated with the reference, and an optional cookie.
-
-
-
-
-Zeilenga & Choi Experimental [Page 16]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- Where DIT updates cause an entry to be modified within the content,
- the server provides a SearchResultEntry Message that represents the
- entry as it appears in the content. The message SHALL include a Sync
- State Control with state of modify, an entryUUID containing the
- entry's UUID, and an optional cookie.
-
- Where DIT updates cause a reference to be modified within the
- content, the server provides a SearchResultReference Message that
- represents the reference in the content. The message SHALL include a
- Sync State Control with state of modify, an entryUUID containing the
- UUID associated with the reference, and an optional cookie.
-
- Where DIT updates cause an entry to be deleted from the content, the
- server provides a SearchResultEntry Message with no attributes. The
- message SHALL include a Sync State Control with state of delete, an
- entryUUID containing the entry's UUID, and an optional cookie.
-
- Where DIT updates cause a reference to be deleted from the content,
- the server provides a SearchResultReference Message with an empty
- SEQUENCE OF LDAPURL. The message SHALL include a Sync State Control
- with state of delete, an entryUUID containing the UUID associated
- with the reference, and an optional cookie.
-
- Multiple empty entries with a Sync State Control of state delete
- SHOULD be coalesced into one or more Sync Info Messages of syncIdSet
- value with refreshDeletes set to TRUE. syncUUIDs contain a set of
- UUIDs of the entries and references that have been deleted from the
- content. The Sync Info Message of syncIdSet may contain a cookie to
- represent the state of the content after performing the
- synchronization of the entries in the set.
-
- With each of these messages, the server may provide a new cookie to
- be used in subsequent Sync Operations. Additionally, the server may
- also return Sync Info Messages of choice newCookie to provide a new
- cookie. The client SHOULD use the newest (last) cookie it received
- from the server in subsequent Sync Operations.
-
-3.5. Search Request Parameters
-
- As stated in Section 3.1, the client SHOULD specify the same
- content-controlling parameters in each Search Request of the session.
- All fields of the SearchRequest Message are considered content-
- controlling parameters except for sizeLimit and timeLimit.
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 17]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-3.5.1. baseObject
-
- As with the normal search operation, the refresh and persist stages
- are not isolated from DIT changes. It is possible that the entry
- referred to by the baseObject is deleted, renamed, or moved. It is
- also possible that the alias object used in finding the entry
- referred to by the baseObject is changed such that the baseObject
- refers to a different entry.
-
- If the DIT is updated during processing of the Sync Operation in a
- manner that causes the baseObject no longer to refer to any entry or
- in a manner that changes the entry the baseObject refers to, the
- server SHALL return an appropriate non-success result code, such as
- noSuchObject, aliasProblem, aliasDereferencingProblem, referral, or
- e-syncRefreshRequired.
-
-3.5.2. derefAliases
-
- This operation does not support alias dereferencing during searching.
- The client SHALL specify neverDerefAliases or derefFindingBaseObj for
- the SearchRequest derefAliases parameter. The server SHALL treat
- other values (e.g., derefInSearching, derefAlways) as protocol
- errors.
-
-3.5.3. sizeLimit
-
- The sizeLimit applies only to entries (regardless of their state in
- Sync State Control) returned during the refreshOnly operation or the
- refresh stage of the refreshAndPersist operation.
-
-3.5.4. timeLimit
-
- For a refreshOnly Sync Operation, the timeLimit applies to the whole
- operation. For a refreshAndPersist operation, the timeLimit applies
- only to the refresh stage including the generation of the Sync Info
- Message with a refreshDone value of TRUE.
-
-3.5.5. filter
-
- The client SHOULD avoid filter assertions that apply to the values of
- the attributes likely to be considered by the server as ones holding
- meta-information. See Section 4.
-
-3.6. objectName
-
- The Sync Operation uses entryUUID values provided in the Sync State
- Control as the primary keys to entries. The client MUST use these
- entryUUIDs to correlate synchronization messages.
-
-
-
-Zeilenga & Choi Experimental [Page 18]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- In some circumstances, the DN returned may not reflect the entry's
- current DN. In particular, when the entry is being deleted from the
- content, the server may provide an empty DN if the server does not
- wish to disclose the entry's current DN (or, if deleted from the DIT,
- the entry's last DN).
-
- Also note that the entry's DN may be viewed as meta information (see
- Section 4.1).
-
-3.7. Canceling the Sync Operation
-
- Servers MUST implement the LDAP Cancel [RFC3909] Operation and
- support cancellation of outstanding Sync Operations as described
- here.
-
- To cancel an outstanding Sync Operation, the client issues an LDAP
- Cancel [RFC3909] Operation.
-
- If at any time the server becomes unwilling or unable to continue
- processing a Sync Operation, the server SHALL return a
- SearchResultDone with a non-success resultCode indicating the reason
- for the termination of the operation.
-
- Whether the client or the server initiated the termination, the
- server may provide a cookie in the Sync Done Control for use in
- subsequent Sync Operations.
-
-3.8. Refresh Required
-
- In order to achieve the eventually-convergent synchronization, the
- server may terminate the Sync Operation in the refresh or persist
- stages by returning an e-syncRefreshRequired resultCode to the
- client. If no cookie is provided, a full refresh is needed. If a
- cookie representing a synchronization state is provided in this
- response, an incremental refresh is needed.
-
- To obtain a full refresh, the client then issues a new
- synchronization request with no cookie. To obtain an incremental
- reload, the client issues a new synchronization with the provided
- cookie.
-
- The server may choose to provide a full copy in the refresh stage
- (e.g., ignore the cookie or the synchronization state represented in
- the cookie) instead of providing an incremental refresh in order to
- achieve the eventual convergence.
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 19]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- The decision between the return of the initial content and the return
- of the e-syncRefreshRequired result code may be based on reloadHint
- in the Sync Request Control from the client.
-
- In the case of persist stage Sync, the server returns the resultCode
- of e-syncRefreshRequired to the client to indicate that the client
- needs to issue a new Sync Operation in order to obtain a synchronized
- copy of the content. If no cookie is provided, a full refresh is
- needed. If a cookie representing a synchronization state is
- provided, an incremental refresh is needed.
-
- The server may also return e-syncRefreshRequired if it determines
- that a refresh would be more efficient than sending all the messages
- required for convergence.
-
- Note that the client may receive one or more of SearchResultEntry,
- SearchResultReference, and/or Sync Info Messages before it receives a
- SearchResultDone Message with the e-syncRefreshRequired result code.
-
-3.9. Chattiness Considerations
-
- The server MUST ensure that the number of entry messages generated to
- refresh the client content does not exceed the number of entries
- presently in the content. While there is no requirement for servers
- to maintain history information, if the server has sufficient history
- to allow it to reliably determine which entries in the prior client
- copy are no longer present in the content and the number of such
- entries is less than or equal to the number of unchanged entries, the
- server SHOULD generate delete entry messages instead of present entry
- messages (see Section 3.3.2).
-
- When the amount of history information maintained in the server is
- not enough for the clients to perform infrequent refreshOnly Sync
- Operations, it is likely that the server has incomplete history
- information (e.g., due to truncation) by the time those clients
- connect again.
-
- The server SHOULD NOT resort to full reload when the history
- information is not enough to generate delete entry messages. The
- server SHOULD generate either present entry messages only or present
- entry messages followed by delete entry messages to bring the client
- copy to the current state. In the latter case, the present entry
- messages bring the client copy to a state covered by the history
- information maintained in the server.
-
- The server SHOULD maintain enough (current or historical) state
- information (such as a context-wide last modify time stamp) to
- determine if no changes were made in the context since the content
-
-
-
-Zeilenga & Choi Experimental [Page 20]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- refresh was provided and, when no changes were made, generate zero
- delete entry messages instead of present messages.
-
- The server SHOULD NOT use the history information when its use does
- not reduce the synchronization traffic or when its use can expose
- sensitive information not allowed to be received by the client.
-
- The server implementor should also consider chattiness issues that
- span multiple Sync Operations of a session. As noted in Section 3.8,
- the server may return e-syncRefreshRequired if it determines that a
- reload would be more efficient than continuing under the current
- operation. If reloadHint in the Sync Request is TRUE, the server may
- initiate a reload without directing the client to request a reload.
-
- The server SHOULD transfer a new cookie frequently to avoid having to
- transfer information already provided to the client. Even where DIT
- changes do not cause content synchronization changes to be
- transferred, it may be advantageous to provide a new cookie using a
- Sync Info Message. However, the server SHOULD avoid overloading the
- client or network with Sync Info Messages.
-
- During persist mode, the server SHOULD coalesce multiple outstanding
- messages updating the same entry. The server MAY delay generation of
- an entry update in anticipation of subsequent changes to that entry
- that could be coalesced. The length of the delay should be long
- enough to allow coalescing of update requests issued back to back but
- short enough that the transient inconsistency induced by the delay is
- corrected in a timely manner.
-
- The server SHOULD use the syncIdSet Sync Info Message when there are
- multiple delete or present messages to reduce the amount of
- synchronization traffic.
-
- Also note that there may be many clients interested in a particular
- directory change, and that servers attempting to service all of these
- at once may cause congestion on the network. The congestion issues
- are magnified when the change requires a large transfer to each
- interested client. Implementors and deployers of servers should take
- steps to prevent and manage network congestion.
-
-3.10. Operation Multiplexing
-
- The LDAP protocol model [RFC4511] allows operations to be multiplexed
- over a single LDAP session. Clients SHOULD NOT maintain multiple
- LDAP sessions with the same server. Servers SHOULD ensure that
- responses from concurrently processed operations are interleaved
- fairly.
-
-
-
-
-Zeilenga & Choi Experimental [Page 21]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- Clients SHOULD combine Sync Operations whose result set is largely
- overlapping. This avoids having to return multiple messages, once
- for each overlapping session, for changes to entries in the overlap.
-
- Clients SHOULD NOT combine Sync Operations whose result sets are
- largely non-overlapping. This ensures that an event requiring an
- e-syncRefreshRequired response can be limited to as few result sets
- as possible.
-
-4. Meta Information Considerations
-
-4.1. Entry DN
-
- As an entry's DN is constructed from its relative DN (RDN) and the
- entry's parent's DN, it is often viewed as meta information.
-
- While renaming or moving to a new superior causes the entry's DN to
- change, that change SHOULD NOT, by itself, cause synchronization
- messages to be sent for that entry. However, if the renaming or the
- moving could cause the entry to be added or deleted from the content,
- appropriate synchronization messages should be generated to indicate
- this to the client.
-
- When a server treats the entry's DN as meta information, the server
- SHALL either
-
- - evaluate all MatchingRuleAssertions [RFC4511] to TRUE if
- matching a value of an attribute of the entry, otherwise
- Undefined, or
-
- - evaluate all MatchingRuleAssertion with dnAttributes of TRUE as
- Undefined.
-
- The latter choice is offered for ease of server implementation.
-
-4.2. Operational Attributes
-
- Where values of an operational attribute are determined by values not
- held as part of the entry it appears in, the operational attribute
- SHOULD NOT support synchronization of that operational attribute.
-
- For example, in servers that implement the X.501 subschema model
- [X.501], servers should not support synchronization of the
- subschemaSubentry attribute as its value is determined by values held
- and administrated in subschema subentries.
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 22]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- As a counter example, servers that implement aliases [RFC4512][X.501]
- can support synchronization of the aliasedObjectName attribute as its
- values are held and administrated as part of the alias entries.
-
- Servers SHOULD support synchronization of the following operational
- attributes: createTimestamp, modifyTimestamp, creatorsName,
- modifiersName [RFC4512]. Servers MAY support synchronization of
- other operational attributes.
-
-4.3. Collective Attributes
-
- A collective attribute is "a user attribute whose values are the same
- for each member of an entry collection" [X.501]. Use of collective
- attributes in LDAP is discussed in [RFC3671].
-
- Modification of a collective attribute generally affects the content
- of multiple entries, which are the members of the collection. It is
- inefficient to include values of collective attributes visible in
- entries of the collection, as a single modification of a collective
- attribute requires transmission of multiple SearchResultEntry (one
- for each entry of the collection that the modification affected).
-
- Servers SHOULD NOT synchronize collective attributes appearing in
- entries of any collection. Servers MAY support synchronization of
- collective attributes appearing in collective attribute subentries.
-
-4.4. Access and Other Administrative Controls
-
- Entries are commonly subject to access and other administrative
- Controls. While portions of the policy information governing a
- particular entry may be held in the entry, policy information is
- often held elsewhere (in superior entries, in subentries, in the root
- DSE, in configuration files, etc.). Because of this, changes to
- policy information make it difficult to ensure eventual convergence
- during incremental synchronization.
-
- Where it is impractical or infeasible to generate content changes
- resulting from a change to policy information, servers may opt to
- return e-syncRefreshRequired or to treat the Sync Operation as an
- initial content request (e.g., ignore the cookie or the
- synchronization state represented in the cookie).
-
-5. Interaction with Other Controls
-
- The Sync Operation may be used with:
-
- - ManageDsaIT Control [RFC3296]
-
-
-
-
-Zeilenga & Choi Experimental [Page 23]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- - Subentries Control [RFC3672]
-
- as described below. The Sync Operation may be used with other LDAP
- extensions as detailed in other documents.
-
-5.1. ManageDsaIT Control
-
- The ManageDsaIT Control [RFC3296] indicates that the operation acts
- upon the DSA Information Tree and causes referral and other special
- entries to be treated as object entries with respect to the
- operation.
-
-5.2. Subentries Control
-
- The Subentries Control is used with the search operation "to control
- the visibility of entries and subentries which are within scope"
- [RFC3672]. When used with the Sync Operation, the subentries control
- and other factors (search scope, filter, etc.) are used to determine
- whether an entry or subentry appears in the content.
-
-6. Shadowing Considerations
-
- As noted in [RFC4511], some servers may hold shadow copies of entries
- that can be used to answer search and comparison queries. Such
- servers may also support content synchronization requests. This
- section discusses considerations for implementors and deployers for
- the implementation and deployment of the Sync operation in shadowed
- directories.
-
- While a client may know of multiple servers that are equally capable
- of being used to obtain particular directory content from, a client
- SHOULD NOT assume that each of these servers is equally capable of
- continuing a content synchronization session. As stated in Section
- 3.1, the client SHOULD issue each Sync request of a Sync session to
- the same server.
-
- However, through domain naming or IP address redirection or other
- techniques, multiple physical servers can be made to appear as one
- logical server to a client. Only servers that are equally capable in
- regards to their support for the Sync operation and that hold equally
- complete copies of the entries should be made to appear as one
- logical server. In particular, each physical server acting as one
- logical server SHOULD be equally capable of continuing a content
- synchronization based upon cookies provided by any of the other
- physical servers without requiring a full reload. Because there is
- no standard LDAP shadowing mechanism, the specification of how to
- independently implement equally capable servers (as well as the
- precise definition of "equally capable") is left to future documents.
-
-
-
-Zeilenga & Choi Experimental [Page 24]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- Note that it may be difficult for the server to reliably determine
- what content was provided to the client by another server, especially
- in the shadowing environments that allow shadowing events to be
- coalesced. For these servers, the use of the delete phase discussed
- in Section 3.3.2 may not be applicable.
-
-7. Security Considerations
-
- In order to maintain a synchronized copy of the content, a client is
- to delete information from its copy of the content as described
- above. However, the client may maintain knowledge of information
- disclosed to it by the server separate from its copy of the content
- used for synchronization. Management of this knowledge is beyond the
- scope of this document. Servers should be careful not to disclose
- information for content the client is not authorized to have
- knowledge of and/or about.
-
- While the information provided by a series of refreshOnly Sync
- Operations is similar to that provided by a series of Search
- Operations, persist stage may disclose additional information. A
- client may be able to discern information about the particular
- sequence of update operations that caused content change.
-
- Implementors should take precautions against malicious cookie
- content, including malformed cookies or valid cookies used with
- different security associations and/or protections in an attempt to
- obtain unauthorized access to information. Servers may include a
- digital signature in the cookie to detect tampering.
-
- The operation may be the target of direct denial-of-service attacks.
- Implementors should provide safeguards to ensure the operation is not
- abused. Servers may place access control or other restrictions upon
- the use of this operation.
-
- Note that even small updates to the directory may cause a significant
- amount of traffic to be generated to clients using this operation. A
- user could abuse its update privileges to mount an indirect denial of
- service to these clients, other clients, and/or portions of the
- network. Servers should provide safeguards to ensure that update
- operations are not abused.
-
- Implementors of this (or any) LDAP extension should be familiar with
- general LDAP security considerations [RFC4510].
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 25]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-8. IANA Considerations
-
- Registration of the following values have been completed by the IANA
- [RFC4520].
-
-8.1. Object Identifier
-
- The OID arc 1.3.6.1.4.1.4203.1.9.1 was assigned [ASSIGN] by the
- OpenLDAP Foundation, under its IANA-assigned private enterprise
- allocation [PRIVATE], for use in this specification.
-
-8.2. LDAP Protocol Mechanism
-
- The IANA has registered the LDAP Protocol Mechanism described in this
- document.
-
- Subject: Request for LDAP Protocol Mechanism Registration
- Object Identifier: 1.3.6.1.4.1.4203.1.9.1.1
- Description: LDAP Content Synchronization Control
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at openldap.org>
- Usage: Control
- Specification: RFC 4533
- Author/Change Controller: Kurt D. Zeilenga, Jong Hyuk Choi
- Comments: none
-
-8.3. LDAP Result Codes
-
- The IANA has registered the LDAP Result Code described in this
- document.
-
- Subject: LDAP Result Code Registration
- Person & email address to contact for further information:
- Kurt Zeilenga <kurt at OpenLDAP.org>
- Result Code Name: e-syncRefreshRequired (4096)
- Specification: RFC 4533
- Author/Change Controller: Kurt D. Zeilenga, Jong Hyuk Choi
- Comments: none
-
-9. Acknowledgements
-
- This document borrows significantly from the LDAP Client Update
- Protocol [RFC3928], a product of the IETF LDUP working group. This
- document also benefited from Persistent Search [PSEARCH], Triggered
- Search [TSEARCH], and Directory Synchronization [DIRSYNC] works.
- This document also borrows from "Lightweight Directory Access
- Protocol (v3)" [RFC2251].
-
-
-
-
-Zeilenga & Choi Experimental [Page 26]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-10. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC3296] Zeilenga, K., "Named Subordinate References in
- Lightweight Directory Access Protocol (LDAP)
- Directories", RFC 3296, July 2002.
-
- [RFC3671] Zeilenga, K., "Collective Attributes in the Lightweight
- Directory Access Protocol (LDAP)", RFC 3671, December
- 2003.
-
- [RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory
- Access Protocol (LDAP)", RFC 3672, December 2003.
-
- [RFC3909] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) Cancel Operation", RFC 3909, October 2004.
-
- [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
- (LDAP): Technical Specification Road Map", RFC 4510, June
- 2006.
-
- [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
- Protocol (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP): Directory Information Models", RFC 4512, June
- 2006.
-
- [RFC4530] Zeilenga, K., "Lightweight Directory Access Protocol
- (LDAP) entryUUID Operational Attribute", RFC 4530, June
- 2006.
-
- [UUID] International Organization for Standardization (ISO),
- "Information technology - Open Systems Interconnection -
- Remote Procedure Call", ISO/IEC 11578:1996
-
- [X.501] International Telecommunication Union - Telecommunication
- Standardization Sector, "The Directory -- Models,"
- X.501(1993) (also ISO/IEC 9594-2:1994).
-
- [X.680] International Telecommunication Union - Telecommunication
- Standardization Sector, "Abstract Syntax Notation One
- (ASN.1) - Specification of Basic Notation", X.680(1997)
- (also ISO/IEC 8824-1:1998).
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 27]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- [X.690] International Telecommunication Union - Telecommunication
- Standardization Sector, "Specification of ASN.1 encoding
- rules: Basic Encoding Rules (BER), Canonical Encoding
- Rules (CER), and Distinguished Encoding Rules (DER)",
- X.690(1997) (also ISO/IEC 8825-1:1998).
-
-11. Informative References
-
- [RFC2251] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory
- Access Protocol (v3)", RFC 2251, December 1997.
-
- [RFC3928] Megginson, R., Ed., Smith, M., Natkovich, O., and J.
- Parham, "Lightweight Directory Access Protocol (LDAP)
- Client Update Protocol (LCUP)", RFC 3928, October 2004.
-
- [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
- Considerations for the Lightweight Directory Access
- Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
-
- [PRIVATE] IANA, "Private Enterprise Numbers",
- http://www.iana.org/assignments/enterprise-numbers.
-
- [ASSIGN] OpenLDAP Foundation, "OpenLDAP OID Delegations",
- http://www.openldap.org/foundation/oid-delegate.txt.
-
- [X.500] International Telecommunication Union - Telecommunication
- Standardization Sector, "The Directory -- Overview of
- concepts, models and services," X.500(1993) (also ISO/IEC
- 9594-1:1994).
-
- [X.525] International Telecommunication Union - Telecommunication
- Standardization Sector, "The Directory: Replication",
- X.525(1993).
-
- [DIRSYNC] Armijo, M., "Microsoft LDAP Control for Directory
- Synchronization", Work in Progress.
-
- [PSEARCH] Smith, M., et al., "Persistent Search: A Simple LDAP
- Change Notification Mechanism", Work in Progress.
-
- [TSEARCH] Wahl, M., "LDAPv3 Triggered Search Control", Work in
- Progress.
-
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 28]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-Appendix A. CSN-based Implementation Considerations
-
- This appendix is provided for informational purposes only; it is not
- a normative part of the LDAP Content Synchronization Operation's
- technical specification.
-
- This appendix discusses LDAP Content Synchronization Operation server
- implementation considerations associated with Change Sequence Number
- based approaches.
-
- Change Sequence Number based approaches are targeted for use in
- servers that do not maintain history information (e.g., change logs,
- state snapshots) about changes made to the Directory and hence, must
- rely on current directory state and minimal synchronization state
- information embedded in Sync Cookie. Servers that maintain history
- information should consider other approaches that exploit the history
- information.
-
- A Change Sequence Number is effectively a time stamp that has
- sufficient granularity to ensure that the precedence relationship in
- time of two updates to the same object can be determined. Change
- Sequence Numbers are not to be confused with Commit Sequence Numbers
- or Commit Log Record Numbers. A Commit Sequence Number allows one to
- determine how two commits (to the same object or different objects)
- relate to each other in time. A Change Sequence Number associated
- with different entries may be committed out of order. In the
- remainder of this Appendix, the term CSN refers to a Change Sequence
- Number.
-
- In these approaches, the server not only maintains a CSN for each
- directory entry (the entry CSN) but also maintains a value that we
- will call the context CSN. The context CSN is the greatest committed
- entry CSN that is not greater than any outstanding (uncommitted)
- entry CSNs for all entries in a directory context. The values of
- context CSN are used in syncCookie values as synchronization state
- indicators.
-
- As search operations are not isolated from individual directory
- update operations and individual update operations cannot be assumed
- to be serialized, one cannot assume that the returned content
- incorporates each relevant change whose change sequence number is
- less than or equal to the greatest entry CSN in the content. The
- content incorporates all the relevant changes whose change sequence
- numbers are less than or equal to context CSN before search
- processing. The content may also incorporate any subset of the
- changes whose change sequence number is greater than context CSN
- before search processing but less than or equal to the context CSN
- after search processing. The content does not incorporate any of the
-
-
-
-Zeilenga & Choi Experimental [Page 29]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
- changes whose CSN is greater than the context CSN after search
- processing.
-
- A simple server implementation could use the value of the context CSN
- before search processing to indicate state. Such an implementation
- would embed this value into each SyncCookie returned. We'll call
- this the cookie CSN. When a refresh was requested, the server would
- simply generate "update" messages for all entries in the content
- whose CSN is greater than the supplied cookie CSN and generate
- "present" messages for all other entries in the content. However, if
- the current context CSN is the same as the cookie CSN, the server
- should instead generate zero "updates" and zero "delete" messages and
- indicate a refreshDeletes of TRUE, as the directory has not changed.
-
- The implementation should also consider the impact of changes to meta
- information, such as access controls, that affect content
- determination. One approach is for the server to maintain a
- context-wide meta information CSN or meta CSN. This meta CSN would
- be updated whenever meta information affecting content determination
- was changed. If the value of the meta CSN is greater than the cookie
- CSN, the server should ignore the cookie and treat the request as an
- initial request for content.
-
- Additionally, servers may want to consider maintaining some per-
- session history information to reduce the number of messages needed
- to be transferred during incremental refreshes. Specifically, a
- server could record information about entries as they leave the scope
- of a disconnected sync session and later use this information to
- generate delete messages instead of present messages.
-
- When the history information is truncated, the CSN of the latest
- truncated history information entry may be recorded as the truncated
- CSN of the history information. The truncated CSN may be used to
- determine whether a client copy can be covered by the history
- information by comparing it to the synchronization state contained in
- the cookie supplied by the client.
-
- When there is a large number of sessions, it may make sense to
- maintain such history only for the selected clients. Also, servers
- taking this approach need to consider resource consumption issues to
- ensure reasonable server operation and to protect against abuse. It
- may be appropriate to restrict this mode of operation by policy.
-
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 30]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-Authors' Addresses
-
- Kurt D. Zeilenga
- OpenLDAP Foundation
-
- EMail: Kurt at OpenLDAP.org
-
-
- Jong Hyuk Choi
- IBM Corporation
-
- EMail: jongchoi at us.ibm.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 31]
-�
-RFC 4533 LDAP Content Synchronization Operation June 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78 and at www.rfc-editor.org/copyright.html, and
- except as set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr at ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Zeilenga & Choi Experimental [Page 32]
-�
More information about the Pkg-samba-maint
mailing list