Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 2244

ACAP -- Application Configuration Access Protocol

Pages: 71
Proposed Standard
Errata
Updated by:  6075
Part 2 of 3 – Pages 25 to 53
First   Prev   Next

Top   ToC   RFC2244 - Page 25   prevText
4.       Namespace Conventions

4.1.     Dataset Namespace

   The dataset namespace is a slash-separated hierarchy.  The first
   component of the dataset namespace is a dataset class.  Dataset
   classes MUST have a vendor prefix (vendor.<vendor/product>) or be
   specified in a standards track or IESG approved experimental RFC.
   See section 7.3 for the registration template.

   The second component of the dataset name is "site", "group", "host",
   or "user" referring to server-wide data, administrative group data,
   per-host data and per-user data respectively.

   For "group", "host", and "user" areas, the third component of the
   path is the group name, the fully qualified host domain name, or the
   user name.  A path of the form "/<dataset-class>/~/" is a convenient
   abbreviation for "/<dataset-class>/user/<current-user>/".

   Dataset names which begin with "/byowner/" are reserved as an
   alternate view of the namespace.  This provides a way to see all the
   dataset classes which a particular owner uses.  For example,
   "/byowner/~/<dataset-class>/" is an alternate name for
   "/<dataset-class>/~/".  Byowner provides a way to view a list of
   dataset classes owned by a given user; this is done using the dataset
   "/byowner/user/<current-user>/" with the NOINHERIT SEARCH modifier.

   The dataset "/" may be used to find all dataset classes visible to
   the current user.  A dataset of the form "/<dataset-class>/user/" may
   be used to find all users which have made a dataset or entry of that
   class visible to the current user.

   The formal syntax for a dataset name is defined by the "dataset-name"
   rule in section 4.3.

4.2.     Attribute Namespace

   Attribute names which do not contain a dot (".") are reserved for
   standardized attributes which have meaning in any dataset.  In order
   to simplify client implementations, the attribute namespace is
   intended to be unique across all datasets.  To achieve this,
   attribute names are prefixed with the dataset class name followed by
   a dot (".").  Attributes which affect management of the dataset are
   prefixed with "dataset.".  In addition, a subtree of the "vendor."
   attribute namespace may be registered with IANA according to the
   rules in section 7.4.  ACAP implementors are encouraged to help
   define interoperable dataset classes specifications rather than using
   the private attribute namespace.
Top   ToC   RFC2244 - Page 26
   Some users or sites may wish to add their own private attributes to
   certain dataset classes.  In order to enable this, the "user.<user-
   name>." and "site." subtrees of the attribute namespace are reserved
   for user-specific and site-specific attributes respectively and will
   not be standardized.  Such attributes are not interoperable so are
   discouraged in favor of defining standard attributes.  A future
   extension is expected to permit discovery of syntax for user or
   site-specific attributes.  Clients wishing to support display of user
   or site-specific attributes should display the value of any non-NIL
   single-valued "user.<user-name>." or "site."  attribute which has
   valid UTF-8 syntax.

   The formal syntax for an attribute name is defined by the
   "attribute-name" rule in the next section.

4.3.     Formal Syntax for Dataset and Attribute Namespace

   The naming conventions for datasets and attributes are defined by the
   following ABNF.   Note that this grammar is not part of the ACAP
   protocol syntax in section 8, as dataset names and attribute names
   are encoded as strings within the ACAP protocol.

   attribute-dacl  = "dataset.acl" *("." name-component)

   attribute-dset  = dataset-std 1*("." name-component)
                     ;; MUST be defined in a dataset class specification

   attribute-name  = attribute-std / attr-site / attr-user / vendor-name

   attribute-std   = "entry" / "subdataset" / "modtime" /
                     "dataset.inherit" / attribute-dacl / attribute-dset

   attr-site       = "site" 1*("." name-component)

   attr-user       = "user." name-component 1*("." name-component)

   byowner         = "/byowner/" owner "/"
                     [dataset-class "/" dataset-sub]

   dataset-class   = dataset-std / vendor-name

   dataset-normal  = "/" [dataset-class "/"
                     (owner-prefix / dataset-tail)]

   dataset-name    = byowner / dataset-normal
Top   ToC   RFC2244 - Page 27
   dataset-std     = name-component
                     ;; MUST be registered with IANA and the spec MUST
                     ;; be published as a standards track or
                     ;; IESG-approved experimental RFC

   dataset-sub     = *(dname-component "/")
                     ;; The rules for this portion of the namespace may
                     ;; be further restricted by the dataset class
                     ;; specification.

   dataset-tail    = owner "/" dataset-sub

   dname-component = 1*UTF8-CHAR
                     ;; MUST NOT begin with "." or contain "/"

   name-component  = 1*UTF8-CHAR
                     ;; MUST NOT contain ".", "/", "%", or "*"

   owner           = "site" / owner-host / owner-group /
                     owner-user / "~"

   owner-group     = "group/" dname-component

   owner-host      = "host/" dname-component

   owner-prefix    = "group/" / "host/" / "user/"

   owner-user      = "user/" dname-component

   vendor-name     = vendor-token *("." name-component)

   vendor-token    = "vendor." name-component
                     ;; MUST be registered with IANA

5.       Dataset Management

   The entry with an empty name ("") in the dataset is used to hold
   management information for the dataset as a whole.

5.1.     Dataset Inheritance

   It is possible for one dataset to inherit data from another.  The
   dataset from which the data is inherited is called the base dataset.
   Data in the base dataset appears in the inheriting dataset, except
   when overridden by a STORE to the inheriting dataset.
Top   ToC   RFC2244 - Page 28
   The base dataset is usually a system-wide or group-wide set of
   defaults.  A system-wide dataset usually has one inheriting dataset
   per user, allowing each user to add to or modify the defaults as
   appropriate.

   An entry which exists in both the inheriting and base dataset
   inherits a modtime equal to the greater of the two modtimes.  An
   attribute in such an entry is inherited from the base dataset if it
   was never modified by a STORE command in the inheriting dataset or if
   DEFAULT was stored to that attribute.  This permits default entries
   to be amended rather than replaced in the inheriting dataset.

   The "subdataset" attribute is not directly inherited.  If the base
   dataset includes a "subdataset" attribute and the inheriting dataset
   does not, then the "subdataset" attribute will inherit a virtual
   value of a list containing a ".".  The subdataset at that node is
   said to be a "virtual" dataset as it is simply a virtual copy of the
   appropriate base dataset with all "subdataset" attributes changed to
   a list containing a ".".  A virtual dataset is not visible if
   NOINHERIT is specified on the SEARCH command.

   Servers MUST support at least two levels of inheritance.  This
   permits a user's dataset such as "/options/user/fred/common" to
   inherit from a group dataset such as "/options/group/dinosaur
   operators/common" which in turn inherits from a server-wide dataset
   such as "/options/site/common".

5.2.     Dataset Attributes

   The following attributes apply to management of the dataset when
   stored in the "" entry of a dataset.  These attributes are not
   inherited.

   dataset.acl
        This holds the default access control list for the dataset.
        This attribute is validated, so an invalid access control list
        in a STORE command will result in a NO response with an INVALID
        response code.

   dataset.acl.<attribute>
        This holds the default access control list for an attribute
        within the dataset.  This attribute is validated, so an invalid
        access control list in a STORE command will result in a NO
        response with an INVALID response code.

   dataset.inherit
        This holds the name of a dataset from which to inherit according
        to the rules in the previous section.  This attribute MAY refer
Top   ToC   RFC2244 - Page 29
        to a non-existent dataset, in which case nothing is inherited.
        This attribute is validated, so illegal dataset syntax or an
        attempt to store a multi-value will result in a NO response with
        an INVALID response code.

5.3.     Dataset Creation

   When a dataset is first created (by storing a "." in the subdataset
   attribute or storing an entry in a previously non-existent dataset),
   the dataset attributes are initialized with the values from the
   parent dataset in the "/byowner/" hierarchy.  In the case of the
   "dataset.inherit" attribute, the appropriate hierarchy component is
   added.  For example, given the following entry (note that \t refers
   to the US-ASCII horizontal tab character):

   entry path        "/byowner/user/joe/"
   dataset.acl       ("joe\txrwia" "fred\txr")
   dataset.inherit   "/byowner/site"

   If a new dataset class "/byowner/user/joe/new" is created, it will
   have the following dataset attributes:

   entry path        "/byowner/user/joe/new/"
   dataset.acl       ("joe\txrwia" "fred\txr")
   dataset.inherit   "/byowner/site/new"

   Note that the dataset "/byowner/user/joe/new/" is equivalent to
   "/new/user/joe/".

5.4.     Dataset Class Capabilities

   Certain dataset classes or dataset class features may only be useful
   if there is an active updating client or integrated server support
   for the feature.  The dataset class "capability" is reserved to allow
   clients or servers to advertise such features.  The "entry" attribute
   within this dataset class is the name of the dataset class whose
   features are being described.  The attributes are prefixed with
   "capability.<dataset-class>." and are defined by the appropriate
   dataset class specification.

   Since it is possible for an unprivileged user to run an active client
   for himself, a per-user capability dataset is useful.  The dataset
   "/capability/~/" holds information about all features available to
   the user (via inheritance), and the dataset "/capability/site/" holds
   information about all features supported by the site.
Top   ToC   RFC2244 - Page 30
5.5.     Dataset Quotas

   Management and scope of quotas is implementation dependent.  Clients
   can check the applicable quota limit and usage (in bytes) with the
   GETQUOTA command.  Servers can notify the client of a low quota
   situation with the QUOTA untagged response.

6.       Command and Response Specifications

   ACAP commands and responses are described in this section.  Commands
   are organized first by the state in which the command is permitted,
   then by a general category of command type.

   Command arguments, identified by "Arguments:" in the command
   descriptions below, are described by function, not by syntax.  The
   precise syntax of command arguments is described in the Formal Syntax
   section.

   Some commands cause specific server data to be returned; these are
   identified by "Data:" in the command descriptions below.  See the
   response descriptions in the Responses section for information on
   these responses, and the Formal Syntax section for the precise syntax
   of these responses.  It is possible for server data to be transmitted
   as a result of any command; thus, commands that do not specifically
   require server data specify "no specific data for this command"
   instead of "none".

   The "Result:" in the command description refers to the possible
   tagged status responses to a command, and any special interpretation
   of these status responses.

6.1.     Initial Connection

   Upon session startup, the server sends one of two untagged responses:
   ACAP or BYE.  The untagged BYE response is described in section
   6.2.8.

6.1.1.   ACAP Untagged Response

   Data:       capability list

      The untagged ACAP response indicates the session is ready to
      accept commands and contains a space-separated listing of
      capabilities that the server supports.  Each capability is
      represented by a list containing the capability name optionally
      followed by capability specific string arguments.
Top   ToC   RFC2244 - Page 31
      ACAP capability names MUST be registered with IANA according to
      the rules in section 7.1.

      Client implementations SHOULD NOT require any capability name
      beyond those defined in this specification, and MUST tolerate any
      unknown capability names.  A client implementation MAY be
      configurable to require SASL mechanisms other than CRAM-MD5
      [CRAM-MD5] for site security policy reasons.

      The following initial capabilities are defined:

      CONTEXTLIMIT
            The CONTEXTLIMIT capability has one argument which is a
            number describing the maximum number of contexts the server
            supports per connection.  The number 0 indicates the server
            has no limit, otherwise this number MUST be greater than
            100.

      IMPLEMENTATION
            The IMPLEMENTATION capability has one argument which is a
            string describing the server implementation.  ACAP clients
            MUST NOT alter their behavior based on this value.  It is
            intended primarily for debugging purposes.

      SASL  The SASL capability includes a list of the authentication
            mechanisms supported by the server.  See section 6.3.1.


   Example:    S: * ACAP (IMPLEMENTATION "ACME v3.5")
                         (SASL "CRAM-MD5") (CONTEXTLIMIT "200")

6.2.     Any State

   The following commands and responses are valid in any state.

6.2.1.   NOOP Command

   Arguments:  none

   Data:       no specific data for this command (but see below)

   Result:     OK - noop completed
               BAD - command unknown or arguments invalid

      The NOOP command always succeeds.  It does nothing.  It can be
      used to reset any inactivity auto-logout timer on the server.

   Example:    C: a002 NOOP
Top   ToC   RFC2244 - Page 32
               S: a002 OK "NOOP completed"


6.2.2.   LANG Command

   Arguments:  list of language preferences

   Data:       intermediate response: LANG

   Result:     OK - lang completed
               NO - no matching language available
               BAD - command unknown or arguments invalid

      One or more arguments are supplied to indicate the client's
      preferred languages [LANG-TAGS] for error messages.  The server
      will match each client preference in order against its internal
      table of available error string languages.  For a client
      preference to match a server language, the client's language tag
      MUST be a prefix of the server's tag and match up to a "-" or the
      end of string.  If a match is found, the server returns an
      intermediate LANG response and an OK response.  The LANG response
      indicates the actual language selected and appropriate comparators
      for use with the languages listed in the LANG command.

      If no LANG command is issued, all error text strings MUST be in
      the registered language "i-default" [CHARSET-LANG-POLICY],
      intended for an international audience.

   Example:    C: A003 LANG "fr-ca" "fr" "en-ca" "en-uk"
               S: A003 LANG "fr-ca" "i;octet" "i;ascii-numeric"
                       "i;ascii-casemap" "en;primary" "fr;primary"
               S: A003 OK "Bonjour"


6.2.3.   LANG Intermediate Response

   Data:       language for error responses
               appropriate comparators

      The LANG response indicates the language which will be used for
      error responses and the comparators which are appropriate for the
      languages listed in the LANG command.  The comparators SHOULD be
      in approximate order from most efficient (usually "i;octet") to
      most appropriate for human text in the preferred language.
Top   ToC   RFC2244 - Page 33
6.2.4.   LOGOUT Command

   Arguments:  none

   Data:       mandatory untagged response: BYE

   Result:     OK - logout completed
               BAD - command unknown or arguments invalid

      The LOGOUT command informs the server that the client is done with
      the session.  The server must send a BYE untagged response before
      the (tagged) OK response, and then close the network connection.

   Example:    C: A023 LOGOUT
               S: * BYE "ACAP Server logging out"
               S: A023 OK "LOGOUT completed"
               (Server and client then close the connection)


6.2.5.   OK Response

   Data:       optional response code
               human-readable text

      The OK response indicates an information message from the server.
      When tagged, it indicates successful completion of the associated
      command.  The human-readable text may be presented to the user as
      an information message.  The untagged form indicates an
      information-only message; the nature of the information MAY be
      indicated by a response code.

   Example:    S: * OK "Master ACAP server is back up"


6.2.6.   NO Response

   Data:       optional response code
               human-readable text

      The NO response indicates an operational error message from the
      server.  When tagged, it indicates unsuccessful completion of the
      associated command.  The untagged form indicates a warning; the
      command may still complete successfully.  The human-readable text
      describes the condition.

   Example:    C: A010 SEARCH "/addressbook/" DEPTH 3 RETURN ("*")
                       EQUAL "entry" "+i;octet" "bozo"
               S: * NO "Master ACAP server is down, your data may
Top   ToC   RFC2244 - Page 34
                        be out of date."
               S: A010 OK "search done"
                  ...
               C: A222 STORE ("/folder/site/comp.mail.misc"
                              "folder.creation-time" "19951206103412")
               S: A222 NO (PERMISSION ("/folder/site/")) "Permission
               denied"


6.2.7.   BAD Response

   Data:       optional response code
               human-readable text

      The BAD response indicates an error message from the server.  When
      tagged, it reports a protocol-level error in the client's command;
      the tag indicates the command that caused the error.  The untagged
      form indicates a protocol-level error for which the associated
      command can not be determined; it may also indicate an internal
      server failure.  The human-readable text describes the condition.

   Example:    C: ...empty line...
               S: * BAD "Empty command line"
               C: A443 BLURDYBLOOP
               S: A443 BAD "Unknown command"
               C: A444 NOOP Hello
               S: A444 BAD "invalid arguments"


6.2.8.   BYE Untagged Response

   Data:       optional response code
               human-readable text

      The untagged BYE response indicates that the server is about to
      close the connection.  The human-readable text may be displayed to
      the user in a status report by the client.  The BYE response may
      be sent as part of a normal logout sequence, or as a panic
      shutdown announcement by the server.  It is also used by some
      server implementations as an announcement of an inactivity auto-
      logout.

      This response is also used as one of two possible greetings at
      session startup.  It indicates that the server is not willing to
      accept a session from this client.

   Example:    S: * BYE "Auto-logout; idle for too long"
Top   ToC   RFC2244 - Page 35
6.2.9.   ALERT Untagged Response

   Data:       optional response code
               human-readable text

      The human-readable text contains a special human generated alert
      message that MUST be presented to the user in a fashion that calls
      the user's attention to the message.  This is intended to be used
      for vital messages from the server administrator to the user, such
      as a warning that the server will soon be shut down for
      maintenance.

   Example:    S: * ALERT "This ACAP server will be shut down in
                           10 minutes for system maintenance."


6.3.     Non-Authenticated State

   In non-authenticated state, the AUTHENTICATE command establishes
   authentication and enters authenticated state.  The AUTHENTICATE
   command provides a general mechanism for a variety of authentication
   techniques.

   Server implementations may allow non-authenticated access to certain
   information by supporting the SASL ANONYMOUS [SASL-ANON] mechanism.

   Once authenticated (including as anonymous), it is not possible to
   re-enter non-authenticated state.

   Only the any-state commands (NOOP, LANG and LOGOUT) and the
   AUTHENTICATE command are valid in non-authenticated state.


6.3.1.   AUTHENTICATE Command

   Arguments:  SASL mechanism name
               optional initial response

   Data:       continuation data may be requested

   Result:     OK - authenticate completed, now in authenticated state
               NO - authenticate failure: unsupported authentication
                    mechanism, credentials rejected
               BAD - command unknown or arguments invalid,
                    authentication exchange cancelled
Top   ToC   RFC2244 - Page 36
      The AUTHENTICATE command indicates a SASL [SASL] authentication
      mechanism to the server.  If the server supports the requested
      authentication mechanism, it performs an authentication protocol
      exchange to authenticate and identify the user.  Optionally, it
      also negotiates a security layer for subsequent protocol
      interactions.  If the requested authentication mechanism is not
      supported, the server rejects the AUTHENTICATE command by sending
      a tagged NO response.

      The authentication protocol exchange consists of a series of
      server challenges and client answers that are specific to the
      authentication mechanism.  A server challenge consists of a
      command continuation request with the "+" token followed by a
      string.  The client answer consists of a line consisting of a
      string.  If the client wishes to cancel an authentication
      exchange, it should issue a line with a single unquoted "*".  If
      the server receives such an answer, it must reject the
      AUTHENTICATE command by sending a tagged BAD response.

      The optional initial-response argument to the AUTHENTICATE command
      is used to save a round trip when using authentication mechanisms
      that are defined to send no data in the initial challenge.  When
      the initial-response argument is used with such a mechanism, the
      initial empty challenge is not sent to the client and the server
      uses the data in the initial-response argument as if it were sent
      in response to the empty challenge.  If the initial-response
      argument to the AUTHENTICATE command is used with a mechanism that
      sends data in the initial challenge, the server rejects the
      AUTHENTICATE command by sending a tagged NO response.

      The service name specified by this protocol's profile of SASL is
      "acap".

      If a security layer is negotiated through the SASL authentication
      exchange, it takes effect immediately following the CRLF that
      concludes the authentication exchange for the client, and the CRLF
      of the tagged OK response for the server.

      All ACAP implementations MUST implement the CRAM-MD5 SASL
      mechanism [CRAM-MD5], although they MAY offer a configuration
      option to disable it if site security policy dictates.  The
      example below is the same example described in the CRAM-MD5
      specification.

      If an AUTHENTICATE command fails with a NO response, the client
      may try another authentication mechanism by issuing another
      AUTHENTICATE command.  In other words, the client may request
      authentication types in decreasing order of preference.
Top   ToC   RFC2244 - Page 37
   Example:    S: * ACAP (IMPLEMENTATION "Blorfysoft v3.5")
                         (SASL "CRAM-MD5" "KERBEROS_V4")
               C: A001 AUTHENTICATE "CRAM-MD5"
               S: + "<1896.697170952@postoffice.reston.mci.net>"
               C: "tim b913a602c7eda7a495b4e6e7334d3890"
               S: A001 OK "CRAM-MD5 authentication successful"


6.4.     Searching

   This section describes the SEARCH command, for retrieving data from
   datasets.


6.4.1.   SEARCH Command

   Arguments:  dataset or context name
               optional list of modifiers
               search criteria

   Data:       intermediate responses: ENTRY, MODTIME, REFER
               untagged responses: ADDTO, REMOVEFROM, CHANGE, MODTIME

   Result:     OK - search completed
               NO - search failure: can't perform search
               BAD - command unknown or arguments invalid

      The SEARCH command identifies a subset of entries in a dataset and
      returns information on that subset to the client.  Inherited
      entries and attributes are included in the search unless the
      NOINHERIT search modifier is included or the user does not have
      permission to read the attributes in the base dataset.

      The first argument to SEARCH identifies what is to be searched.
      If the string begins with a slash ("/"), it is the name of a
      dataset to be searched, otherwise it is a name of a context that
      was created by a SEARCH command given previously in the session.

      A successful SEARCH command MAY result in intermediate ENTRY
      responses and MUST result in a MODTIME intermediate response.

      Following that are zero or more modifiers to the search.  Each
      modifier may be specified at most once.  The defined modifiers
      are:
Top   ToC   RFC2244 - Page 38
      DEPTH number
           The SEARCH command will traverse the dataset tree up to the
           specified depth.  ENTRY responses will include the full path
           to the entry.  A value of "0" indicates that the search
           should traverse the entire tree.  A value of "1" is the
           default and indicates only the specified dataset should be
           searched.  If a dataset is traversed which is not located on
           the current server, then a REFER intermediate response is
           returned for that subtree and the search continues.

      HARDLIMIT number
           If the SEARCH command would result in more than number
           entries, the SEARCH fails with a NO completion result with a
           WAYTOOMANY response code.

      LIMIT number number
           Limits the number of intermediate ENTRY responses that the
           search may generate.  The first numeric argument specifies
           the limit, the second number specifies the number of entries
           to return if the number of matches exceeds the limit.  If the
           limit is exceeded, the SEARCH command still succeeds,
           returning the total number of matches in a TOOMANY response
           code in the tagged OK response.

      MAKECONTEXT [ENUMERATE] [NOTIFY] context
           Causes the SEARCH command to create a context with the name
           given in the argument to refer to the matching entries.  If
           the SEARCH is successful, the context name may then be given
           as an argument to subsequent SEARCH commands to search the
           set of matching entries.  If a context with the specified
           name already exists, it is first freed.  If a new context may
           not be created due to the server's limit on the number of
           existing contexts, the command fails, returning a
           TRYFREECONTEXT response code in the NO completion response.

           The optional "ENUMERATE" and "NOTIFY" arguments may be
           included to request enumeration of the context (for virtual
           scroll bars) or change notifications for the context.  If
           "NOTIFY" is not requested, the context represents a snapshot
           of the entries at the time the SEARCH was issued.

           ENUMERATE requests that the contents of the context be
           ordered according to the SORT modifier and that sequential
           numbers, starting with one, be assigned to the entries in the
           context.  This permits the RANGE modifier to be used to fetch
           portions of the ordered context.
Top   ToC   RFC2244 - Page 39
           NOTIFY requests that the server send untagged ADDTO,
           REMOVEFROM, CHANGE, and MODTIME responses while the context
           created by this SEARCH command exists.  The server MAY issue
           untagged ADDTO, REMOVEFROM, CHANGE and MODTIME notifications
           for a context at any time between the issuing of the SEARCH
           command with MAKECONTEXT NOTIFY and the completion of a
           FREECONTEXT command for the context.  Notifications are only
           issued for changes which occur after the server receives the
           SEARCH command which created the context.  After issuing a
           sequence of ADDTO, REMOVEFROM or CHANGE notifications, the
           server MUST issue an untagged MODTIME notification indicating
           that the client has all updates to the entries in the context
           up to and including the given modtime value.  Servers are
           permitted a reasonable delay to batch change notifications
           before sending them to the client.

           The position arguments of the ADDTO, REMOVEFROM and CHANGE
           notifications are 0 if ENUMERATE is not requested.

      NOINHERIT
           This causes the SEARCH command to operate without
           inheritance.  It can be used to tell which values are
           explicit overrides.  If MAKECONTEXT is also specified, the
           created context is also not affected by inheritance.

      RETURN (metadata...)
           Specifies what is to be returned in intermediate ENTRY
           responses.  If this modifier is not specified, no
           intermediate ENTRY responses are returned.

           Inside the parentheses is an optional list of attributes,
           each optionally followed by a parenthesized list of metadata.
           If the parenthesized list of metadata is not specified, it
           defaults to "(value)".

           An attribute name with a trailing "*" requests all attributes
           with that prefix.  A "*" by itself requests all attributes.
           If the parenthesized list of metadata is not specified for an
           attribute with a trailing "*", it defaults to "(attribute
           value)".  Results matching such an attribute pattern are
           grouped in parentheses.

           Following the last intermediate ENTRY response, the server
           returns a single intermediate MODTIME response.
Top   ToC   RFC2244 - Page 40
      SORT (attribute comparator ...)
           Specifies the order in which any resulting ENTRY replies are
           to be returned to the client.  The SORT modifier takes as an
           argument a parenthesized list of one or more
           attribute/comparator pairs.  Attribute lists the attribute to
           sort on, comparator specifies the name of the collation rule
           to apply to the values of the attribute.  Successive
           attribute/comparator pairs are used to order two entries only
           when all preceding pairs indicate the two entries collate the
           same.

           If the SORT modifier is used in conjunction with the
           MAKECONTEXT modifier, the SORT modifier specifies the
           ordering of entries in the created context.

           If no SORT modifier is specified, or none of the
           attribute/comparator pairs indicates an order for the two
           entries, the server uses the order of the entries that exists
           in the context or dataset being searched.


      Following the modifiers is the search criteria.  Searching
      criteria consist of one or more search keys.  Search keys may be
      combined using the AND, and OR search keys.  For example, the
      criteria (the newline is for readability and not part of the
      criteria):
          AND COMPARE "modtime" "+i;octet" "19951206103400"
              COMPARE "modtime" "-i;octet" "19960112000000"
      refers to all entries modified between 10:34 December 6 1995 and
      midnight January 12, 1996 UTC.

      The currently defined search keys are as follows.

      ALL  This matches all entries.

      AND search-key1 search-key2
           Entries that match both search keys.

      COMPARE attribute comparator value
           Entries for which the value of the specified attribute
           collates using the specified comparator the same or later
           than the specified value.

      COMPARESTRICT attribute comparator value
           Entries for which the specified attribute collates using the
           specified comparator later than the specified value.
Top   ToC   RFC2244 - Page 41
      EQUAL attribute comparator value
           Entries for which the value of the attribute is equal to the
           specified value using the specified comparator.

      NOT search-key
           Entries that do not match the specified search key.

      OR search-key1 search-key2
           Entries that match either search key.

      PREFIX attribute comparator value
           Entries which begin with the specified value using the
           specified comparator.  If the specified comparator doesn't
           support substring matching, a BAD response is returned.

      RANGE start end time
           Entries which are within the specified range of the
           enumerated context's ordering.  The lowest-ordered entry in
           the context is assigned number one, the next lowest entry is
           assigned number two, and so on.  The numeric arguments
           specify the lowest and highest numbers to match. The time
           specifies that the client has processed notifications for the
           context up to the specified time.  If the context has been
           modified since then, the server MUST either return a NO with
           a MODIFIED response code, or return the results that the
           SEARCH would have returned if none of the changes since that
           time had been made.

           RANGE is only permitted on enumerated contexts.  If RANGE is
           used with a dataset or non-enumerated context, the server
           MUST return a BAD response.

      SUBSTRING attribute comparator value
           Entries which contain the specified value, using the
           specified comparator.  If the specified comparator doesn't
           support substring matching, a BAD response is returned.


6.4.2.   ENTRY Intermediate Response

   Data:       entry name
               entry data

      The ENTRY intermediate response occurs as a result of a SEARCH or
      STORE command. This is the means by which dataset entries are
      returned to the client.
Top   ToC   RFC2244 - Page 42
      The ENTRY response begins with the entry name, if a SEARCH command
      without the DEPTH modifier was issued, or the entry path in other
      cases.  This is followed by a set of zero or more items, one for
      each metadata item in the RETURN search modifier.  Results
      matching an attribute pattern or returning multiple metadata items
      are grouped in parentheses.

6.4.3.   MODTIME Intermediate Response

   Data:       modtime value

      The MODTIME intermediate response occurs as a result of a SEARCH
      command.  It indicates that the just created context or the
      previously returned ENTRY responses include all updates to the
      returned entries up to and including the modtime value in the
      argument.

6.4.4.   REFER Intermediate Response

   Data:       dataset path
               relative ACAP URLs

      The REFER intermediate response occurs as a result of a
      multi-level SEARCH where one of the levels is located on a
      different server.  The response indicates the dataset which is not
      located on the current server and one or more relative ACAP URLs
      for where that dataset may be found.

6.4.5.   Search Examples

   Here are some SEARCH command exchanges between the client and server:

   C: A046 SEARCH "/addressbook/" DEPTH 3 RETURN ("addressbook.Alias"
           "addressbook.Email" "addressbook.List") OR NOT EQUAL
           "addressbook.Email" "i;octet" NIL NOT EQUAL
           "addressbook.List" "i;octet" NIL
   S: A046 ENTRY "/addressbook/user/joe/A0345" "fred"
           "fred@stone.org" NIL
   S: A046 ENTRY "/addressbook/user/fred/A0537" "joe" "joe@stone.org"
           NIL
   S: A046 ENTRY "/addressbook/group/Dinosaur Operators/A423"
           "saurians" NIL "1"
   S: A046 MODTIME "19970728105252"
   S: A046 OK "SEARCH completed"

   C: A047 SEARCH "/addressbook/user/fred/" RETURN ("*") EQUAL "entry"
           "i;octet" "A0345"
   S: A047 ENTRY "A0345" (("modtime" "19970728102226")
Top   ToC   RFC2244 - Page 43
           ("addressbook.Alias" "fred") ("addressbook.Email"
           "fred@stone.org") ("addressbook.CommonName"
           "Fred Flintstone") ("addressbook.Surname" "Flintstone")
           ("addressbook.GivenName" "Fred"))
   S: A047 MODTIME "19970728105258"
   S: A047 OK "SEARCH completed"

   C: A048 SEARCH "/options/~/vendor.example/" RETURN
           ("option.value"("size" "value" "myrights"))
           SORT ("entry" "i;octet") COMPARE "modtime" "i;octet"
           "19970727123225"
   S: A048 ENTRY "blurdybloop" (5 "ghoti" "rwia")
   S: A048 ENTRY "buckybits" (2 "10" "rwia")
   S: A048 ENTRY "windowSize" (7 "100x100" "rwia")
   S: A048 MODTIME "19970728105304"
   S: A048 OK "SEARCH completed"

   C: A049 SEARCH "/addressbook/~/public" RETURN ("addressbook.Alias"
           "addressbook.Email") MAKECONTEXT ENUMERATE "blob" LIMIT 100 1
           SORT ("addressbook.Alias" "i;octet") NOT EQUAL
           "addressbook.Email" NIL
   S: A049 ENTRY "A437" "aaguy" "aaguy@stone.org"
   S: A049 MODTIME "19970728105308"
   S: A049 OK (TOOMANY 347) "Context 'blob' created"

   C: A050 SEARCH "blob" RANGE 2 2 "19970728105308" ALL
   S: A050 ENTRY "A238" "abguy" "abguy@stone.org"
   S: A050 MODTIME "19970728105310"
   S: A050 OK "SEARCH Completed"

6.5.     Contexts

   The following commands use contexts created by a SEARCH command with
   a MAKECONTEXT modifier.


6.5.1.   FREECONTEXT Command

   Arguments:  context name

   Data:       no specific data for this command

   Result:     OK - freecontext completed
               NO - freecontext failure: no such context
               BAD - command unknown or arguments invalid
Top   ToC   RFC2244 - Page 44
      The FREECONTEXT command causes the server to free all state
      associated with the named context.  The context may no longer be
      searched and the server will no longer issue any untagged
      responses for the context.  The context is no longer counted
      against the server's limit on the number of contexts.

   Example:    C: A683 FREECONTEXT "blurdybloop"
               S: A683 OK "Freecontext completed"


6.5.2.   UPDATECONTEXT Command

   Arguments:  list of context names

   Data:       untagged responses: ADDTO REMOVEFROM CHANGE MODTIME

   Result:     OK - Updatecontext completed: all updates completed
               NO - Updatecontext failed: no such context
                                          not a notify context
               BAD - command unknown or arguments invalid

      The UPDATECONTEXT command causes the server to ensure that the
      client is notified of all changes known to the server for the
      contexts listed as arguments up to the current time.  The contexts
      listed in the arguments must have been previously given to a
      successful SEARCH command with a MAKECONTEXT NOTIFY modifier.  A
      MODTIME untagged response MUST be returned if any read-write
      metadata in the context changed since the last MODTIME for that
      context.  This includes metadata which is not listed in the RETURN
      modifier for the context.

      While a server may issue untagged ADDTO, REMOVEFROM, CHANGE, and
      MODTIME at any time, the UPDATECONTEXT command is used to "prod"
      the server to send any notifications it has not sent yet.

      The UPDATECONTEXT command SHOULD NOT be used to poll for updates.

   Example:    C: Z4S9 UPDATECONTEXT "blurdybloop" "blarfl"
               S: Z4S9 OK "client has been notified of all changes"


6.5.3.   ADDTO Untagged Response

   Data:       context name
               entry name
               position
               metadata list
Top   ToC   RFC2244 - Page 45
      The untagged ADDTO response informs the client that an entry has
      been added to a context.  The response includes the position
      number of the added entry (the first entry in the context is
      numbered 1) and those metadata contained in the entry which match
      the RETURN statement when the context was created.

      For enumerated contexts, the ADDTO response implicitly adds one to
      the position of all members of the context which had position
      numbers that were greater than or equal to the ADDTO position
      number.  For non-enumerated contexts, the position field is always
      0.

   Example:    S: * ADDTO "blurdybloop" "fred" 15
                    ("addressbook.Email" "fred@stone.org")


6.5.4.   REMOVEFROM Untagged Response

   Data:       context name
               entry name
               old position

      The untagged REMOVEFROM response informs the client that an entry
      has been removed from a context.  The response includes the
      position number that the removed entry used to have (the first
      entry in the context is numbered 1).

      For enumerated contexts, the REMOVEFROM response implicitly
      subtracts one from the position numbers of all members of the
      context which had position numbers greater than the REMOVEFROM
      position number.  For non-enumerated contexts, the position field
      is always 0.

   Example:    S: * REMOVEFROM "blurdybloop" "fred" 15


6.5.5.   CHANGE Untagged Response

   Data:       context name
               entry name
               old position
               new position
               metadata list

      The untagged CHANGE response informs the client that an entry in a
      context has either changed position in the context or has changed
      the values of one or more of the attributes specified in the
      RETURN modifier when the context was created.
Top   ToC   RFC2244 - Page 46
      The response includes the previous and current position numbers of
      the entry (which are 0 if ENUMERATE was not specified on the
      context) and the attribute metadata requested in the RETURN
      modifier when the context was created.

      For enumerated contexts, the CHANGE response implicitly changes
      the position numbers of all entries which had position numbers
      between the old and new position.  If old position is less than
      new position, than one is subtracted from all entries which had
      position numbers in that range.  Otherwise one is added to all
      entries which had position numbers in that range.  If the old
      position and new position are the same, then no implicit position
      renumbering occurs.

      CHANGE responses are not issued for entries which have changed
      position implicitly due to another ADDTO, REMOVEFROM or CHANGE
      response.

   Example:    S: * CHANGE "blurdybloop" "fred" 15 10
                    ("addressbook.Email" "fred@stone.org")


6.5.6.   MODTIME Untagged Response

   Data:       context name
               modtime value

      The untagged MODTIME response informs the client that it has
      received all updates to entries in the context which have modtime
      values less than or equal to the modtime value in the argument.

   Example:    S: * MODTIME mycontext "19970320162338"

6.6.     Dataset modification

   The following commands and responses handle modification of datasets.
Top   ToC   RFC2244 - Page 47
6.6.1.   STORE Command

   Arguments:  entry store list

   Data:       intermediate responses: ENTRY

   Result:     OK - store completed
               NO - store failure: can't store that name
                    UNCHANGEDSINCE specified and entry changed
               BAD - command unknown or arguments invalid
                     invalid UTF-8 syntax in attribute name


      Creates, modifies, or deletes the named entries in the named
      datasets.  The values of metadata not specified in the command are
      not changed.  Setting the "value" metadata of an attribute to NIL
      removes that attribute from the entry.  Setting the "value" of the
      "entry" attribute to NIL removes that entry from the dataset and
      cancels inheritance for the entire entry.  Setting the "value" of
      the "entry" attribute to DEFAULT removes that entry from the
      inheriting dataset and reverts the entry and its attributes to
      inherited values, if any.  Changing the value of the "entry"
      attribute renames the entry.

      Storing DEFAULT to the "value" metadata of an attribute is
      equivalent to storing NIL, except that inheritance is enabled for
      that attribute.  If a non-NIL value is inherited then an ENTRY
      intermediate response is generated to notify the client of the
      this change.  The ENTRY response includes the entry-path and the
      attribute name and value metadata for each attribute which
      reverted to a non-NIL inherited setting.

      Storing NIL to the "value" metadata of an attribute MAY be treated
      equivalent to storing DEFAULT to that "value" if there is a NIL
      value in the base dataset.

      The STORE command is followed by one or more entry store lists.
      Each entry store list begins with an entry path followed by STORE
      modifiers, followed by zero or more attribute store items.  Each
      attribute store item is made up of the attribute name followed by
      NIL (to remove the attribute's value), DEFAULT (to revert the item
      to any inherited value), a single value (to set the attribute's
      single value), or a list of metadata items to modify.  The
      following STORE modifiers may be specified:
Top   ToC   RFC2244 - Page 48
      NOCREATE
           By default, the server MUST create any datasets necessary to
           store the entry, including multiple hierarchy levels.  If
           NOCREATE is specified, the STORE command will fail with a
           NOEXIST error unless the parent dataset already exists.

      UNCHANGEDSINCE
           If the "modtime" of the entry is later than the
           unchangedsince time, then the store fails with a MODIFIED
           response code.  Use of UNCHANGEDSINCE with a time of
           "00000101000000" will always fail if the entry exists.
           Clients writing to a shared dataset are encouraged to use
           UNCHANGEDSINCE when modifying an existing entry.


      The server MUST either make all the changes specified in a single
      STORE command or make none of them.  If successful, the server
      MUST update the "modtime" attribute for every entry which was
      changed.

      It is illegal to list any metadata item within an attribute twice,
      any attribute within an entry twice or any entry path twice.  The
      server MUST return a BAD response if this happens.

      The server MAY re-order the strings in a multi-value on STORE and
      MAY remove duplicate strings.  However, SEARCH MUST return multi-
      values and the associated size list metadata in a consistant
      order.


   Example:    C: A342 STORE ("/addressbook/user/fred/ABC547"
                       "addressbook.TelephoneNumber" "555-1234"
                       "addressbook.CommonName" "Barney Rubble"
                       "addressbook.AlternateNames" ("value"
                       ("Barnacus Rubble" "Coco Puffs Thief"))
                       "addressbook.Email" NIL)
               S: A342 OK "Store completed"
               C: A343 STORE ("/addressbook/user/joe/ABD42"
                       UNCHANGEDSINCE "19970320162338"
                       "user.joe.hair-length" "10 inches")
               S: A343 NO (MODIFIED) "'ABD42' has been changed
                       by somebody else."
               C: A344 STORE ("/addressbook/group/Developers/ACD54"
                       "entry" NIL)
               S: A344 OK "Store completed"
               C: A345 STORE ("/option/~/common/SMTPserver"
                       "option.value" DEFAULT)
               S: A345 ENTRY "/option/~/common/SMTPserver"
Top   ToC   RFC2244 - Page 49
                       "option.value" "smtp.server.do.main"
               S: A345 OK "Store completed"
               C: A347 STORE ("/addressbook/~/" "dataset.inherit"
                       "/addressbook/group/Developers")
               S: A347 OK "Store completed"


6.6.2.   DELETEDSINCE Command

   Arguments:  dataset name
               time

   Data:       intermediate response: DELETED

   Result:     OK - DELETEDSINCE completed
               NO - DELETEDSINCE failure: can't read dataset
                    date too far in the past
               BAD - command unknown or arguments invalid

      The DELETEDSINCE command returns in intermediate DELETED replies
      the names of entries that have been deleted from the named dataset
      since the given time.

      Servers may impose a limit on the number or age of deleted entry
      names they keep track of.  If the server does not have information
      going back to the specified time, the command fails, returning a
      TOOOLD response code in the tagged NO response.

   Example:    C: Z4S9 DELETEDSINCE "/folder/site/" 19951205103412
               S: Z4S9 DELETED "blurdybloop"
               S: Z4S9 DELETED "anteaters"
               S: Z4S9 OK "DELETEDSINCE completed"
               C: Z4U3 DELETEDSINCE "/folder/site/" 19951009040854
               S: Z4U3 NO (TOOOLD) "Don't have that information"


6.6.3.   DELETED Intermediate Response

   Data:       entry name

      The intermediate DELETED response occurs as a result of a
      DELETEDSINCE command. It returns an entry that has been deleted
      from the dataset specified in the DELETEDSINCE command.

6.7.     Access Control List Commands

   The commands in this section are used to manage access control lists.
Top   ToC   RFC2244 - Page 50
6.7.1.   SETACL Command

   Arguments:  acl object
               authentication identifier
               access rights

   Data:       no specific data for this command

   Result:     OK - setacl completed
               NO - setacl failure: can't set acl
               BAD - command unknown or arguments invalid

      The SETACL command changes the access control list on the
      specified object so that the specified identifier is granted the
      permissions enumerated in rights.  If the object did not
      previously have an access control list, one is created.


   Example:    C: A123 SETACL ("/addressbook/~/public/") "anyone" "r"
               S: A123 OK "Setacl complete"
               C: A124 SETACL ("/folder/site/") "B1FF" "rwa"
               S: A124 NO (PERMISSION ("/folder/site/")) "'B1FF' not
                       permitted to modify access rights
                       for '/folder/site/'"



6.7.2.   DELETEACL Command

   Arguments:  acl object
               optional authentication identifier

   Data:       no specific data for this command

   Result:     OK - deleteacl completed
               NO - deleteacl failure: can't delete acl
               BAD - command unknown or arguments invalid

      If given the optional identifier argument, the DELETEACL command
      removes any portion of the access control list on the specified
      object for the specified identifier.

      If not given the optional identifier argument, the DELETEACL
      command removes the ACL from the object entirely, causing access
      to be controlled by a higher-level default ACL.  This form of the
      DELETEACL command is not permitted on the default ACL for a
      dataset and servers MUST return a BAD.
Top   ToC   RFC2244 - Page 51
   Example:    C: A223 DELETEACL ("/addressbook/~/public") "anyone"
               S: A223 OK "Deleteacl complete"
               C: A224 DELETEACL ("/folder/site")
               S: A224 BAD "Can't delete ACL from dataset"
               C: A225 DELETEACL ("/addressbook/user/fred"
                       "addressbook.Email" "barney")
               S: A225 OK "Deleteacl complete"


6.7.3.   MYRIGHTS Command

   Arguments:  acl object

   Data:       intermediate responses: MYRIGHTS

   Result:     OK - myrights completed
               NO - myrights failure: can't get rights
               BAD - command unknown or arguments invalid

      The MYRIGHTS command returns the set of rights that the client has
      to the given dataset or dataset attribute.


   Example:    C: A003 MYRIGHTS ("/folder/site")
               S: A003 MYRIGHTS "r"
               S: A003 OK "Myrights complete"


6.7.4.   MYRIGHTS Intermediate Response

   Data:       rights

      The MYRIGHTS response occurs as a result of a MYRIGHTS command.
      The argument is the set of rights that the client has for the
      object referred to in the MYRIGHTS command.

6.7.5.   LISTRIGHTS Command

   Arguments:  acl object
               authentication identifier

   Data:       untagged responses: LISTRIGHTS

   Result:     OK - listrights completed
               NO - listrights failure: can't get rights list
               BAD - command unknown or arguments invalid
Top   ToC   RFC2244 - Page 52
      The LISTRIGHTS command takes an object and an identifier and
      returns information about what rights the current user may revoke
      or grant to that identifier in the ACL for that object.

   Example:    C: a001 LISTRIGHTS ("/folder/~/") "smith"
               S: a001 LISTRIGHTS "xra" "w" "i"
               S: a001 OK Listrights completed
               C: a005 LISTRIGHTS ("/folder/site/archive/imap") "anyone"
               S: a005 LISTRIGHTS "" "x" "r" "w" "i"
               S: a005 OK Listrights completed



6.7.6.   LISTRIGHTS Intermediate Response

   Data:       required rights
               list of optional rights

      The LISTRIGHTS response occurs as a result of a LISTRIGHTS
      command.  The first argument is a string containing the (possibly
      empty) set of rights the identifier will always be granted on the
      dataset or attribute.

      Following this are zero or more strings each containing a single
      right which the current user may revoke or grant to the identifier
      in the dataset or attribute.

      The same right MUST NOT be listed more than once in the LISTRIGHTS
      response.


6.8.     Quotas

   The section defines the commands and responses relating to quotas.


6.8.1.   GETQUOTA Command

   Arguments:  dataset

   Data:       untagged responses: QUOTA

   Result:     OK - Quota information returned
               NO - Quota failure: can't access resource limit
                                   no resource limit
               BAD - command unknown or arguments invalid
Top   ToC   RFC2244 - Page 53
      The GETQUOTA command takes the name of a dataset, and returns in
      an untagged QUOTA response the name of the dataset, quota limit in
      bytes that applies to that dataset and the quota usage within that
      limit.  The scope of a quota limit is implementation dependent.

   Example:    C: A043 GETQUOTA "/option/user/fred/common"
               S: * QUOTA "/option/user/fred/common" 1048576 2475
               S: A043 OK "Getquota completed"


6.8.3.   QUOTA Untagged Response

   Data:       dataset
               quota limit in bytes
               amount of quota limit used
               extension data

      The QUOTA untagged response is generated as a result of a GETQUOTA
      command or MAY be generated by the server in response to a SEARCH
      or STORE command to warn about high usage of a quota.  It includes
      the name of the applicable dataset, the quota limit in bytes, the
      quota usage and some optional extension data.  Clients MUST
      tolerate the extension data as its use is reserved for a future
      extension.

6.9.     Extensions

   In order to simplify the process of extending the protocol, clients
   MUST tolerate unknown server responses which meet the syntax of
   response-extend.  In addition, clients MUST tolerate unknown server
   response codes which meet the syntax of resp-code-ext.  Availability
   of new commands MUST be announced via a capability on the initial
   greeting line and such commands SHOULD meet the syntax of
   command-extend.

   Servers MUST respond to unknown commands with a BAD command
   completion result.  Servers MUST skip over non-synchronizing literals
   contained in an unknown command.  This may be done by assuming the
   unknown command matches the command-extend syntax, or by reading a
   line at a time and checking for the non-synchronizing literal syntax
   at the end of the line.



(page 53 continued on part 3)

Next Section