5.1.1.6 Authentication Expiration

  • If the authentication method used to establish a connection specifies an expiry time, the DC MUST associate the expiry time with the connection. The expiry time is then used as follows: a DC MUST disconnect a connection within a given period of time after its expiry time. Although the protocol places no bound or other requirement on the length of that period, it is recommended that implementations keep it as short as possible to improve client usability of the directory.

  • When a DC receives a new LDAP request on an existing connection that has an associated expiry time, where the current time exceeds the expiry time, the DC MUST NOT execute the LDAP request. Instead, the DC MUST disconnect the connection and send a Notice of Disconnection.

The Notice of Disconnection has the following ASN.1 definition:

    NoticeOfDisconnectionLDAPMessage ::= SEQUENCE {
            messageID       MessageID,
            protocolOp      CHOICE {
                   extendedResp    NoticeOfDisconnectionExtendedResponse },
            responseName    [10] LDAPOID}

    NoticeOfDisconnectionExtendedResponse ::= [APPLICATION 24] SEQUENCE {
            COMPONENTS OF LDAPResult }

where MessageID is defined in [RFC2251].

Note that the NoticeOfDisconnectionLDAPMessage is used instead of the LDAPMessage specified in [RFC2251].
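The following is an added illustrative model of the two expiry rules above and of the Notice of Disconnection message; it is example code, not part of the MS-ADTS specification or any implementation. It assumes the notice's responseName is the unsolicited-notification OID defined in RFC 4511 and uses resultCode unavailable (52) for the LDAPResult, which is an assumption; the diagnostic text is constructed.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

NOTICE_OF_DISCONNECTION_OID = "1.3.6.1.4.1.1466.20036"  # unsolicited-notification OID (RFC 4511)
UNAVAILABLE = 52  # LDAP resultCode 'unavailable'; using it for the notice is an assumption


@dataclass
class Connection:
    conn_id: int
    expiry: Optional[float] = None  # absolute expiry from the auth method; None = never expires
    is_open: bool = True
    outbound: List[Dict[str, Any]] = field(default_factory=list)  # messages the DC wrote


def notice_of_disconnection(diagnostic: str) -> Dict[str, Any]:
    """Build a NoticeOfDisconnectionLDAPMessage as a dict mirroring the ASN.1 above."""
    return {
        "messageID": 0,  # unsolicited notifications carry messageID 0 (RFC 4511)
        "protocolOp": {"extendedResp": {
            "resultCode": UNAVAILABLE, "matchedDN": "", "errorMessage": diagnostic}},
        "responseName": NOTICE_OF_DISCONNECTION_OID,
    }


class DCConnectionTable:
    def __init__(self) -> None:
        self.conns: Dict[int, Connection] = {}

    def bind_completed(self, conn_id: int, expiry: Optional[float]) -> Connection:
        """Associate the authentication method's expiry time with the new connection."""
        conn = Connection(conn_id, expiry)
        self.conns[conn_id] = conn
        return conn

    def handle_request(self, conn_id: int, now: float, execute: Callable[[], Any]) -> Any:
        """Second rule: if now exceeds the expiry, do not execute; send the notice, disconnect."""
        conn = self.conns[conn_id]
        if conn.expiry is not None and now > conn.expiry:  # equal to expiry does not 'exceed'
            conn.outbound.append(notice_of_disconnection("authentication expired"))
            self._disconnect(conn)
            return None
        return execute()

    def reap_expired(self, now: float) -> List[int]:
        """First rule: close expired connections; schedule this at least once per grace period."""
        closed = [c.conn_id for c in self.conns.values()
                  if c.expiry is not None and now > c.expiry]
        for cid in closed:
            self._disconnect(self.conns[cid])
        return closed

    def _disconnect(self, conn: Connection) -> None:
        conn.is_open = False
        del self.conns[conn.conn_id]
```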