Network Working Group
T. Howes
Request for Comments: 2254
Netscape Communications Corp.
Category: Standards Track
December 1997
The String Representation of LDAP Search Filters
1. Status of this Memo
This document specifies an Internet standards track protocol
for the
Internet community, and requests discussion and suggestions
for
improvements. Please refer to the current edition
of the "Internet
Official Protocol Standards" (STD 1) for the standardization
state
and status of this protocol. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1997). All Rights Reserved.
IESG Note
This document describes a directory access protocol that
provides
both read and update access. Update access requires
secure
authentication, but this document does not mandate implementation
of
any satisfactory authentication mechanisms.
In accordance with RFC 2026, section 4.4.1, this specification
is
being approved by IESG as a Proposed Standard despite
this
limitation, for the following reasons:
a. to encourage implementation and interoperability testing
of
these protocols (with or without update
access) before they
are deployed, and
b. to encourage deployment and use of these protocols in
read-only
applications. (e.g. applications
where LDAPv3 is used as
a query language for directories which
are updated by some
secure mechanism other than LDAP), and
c. to avoid delaying the advancement and deployment of
other Internet
standards-track protocols which require
the ability to query, but
not update, LDAPv3 directory servers.
Howes Standards Track [Page 1]
RFC 2254
String Representation of LDAP
December 1997
Readers are hereby warned that until mandatory authentication
mechanisms are standardized, clients and servers written
according to
this specification which make use of update functionality
are
UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF
AUTHENTICATION
IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
Implementors are hereby discouraged from deploying LDAPv3
clients or
servers which implement the update functionality, until
a Proposed
Standard for mandatory authentication in LDAPv3 has been
approved and
published as an RFC.
2. Abstract
The Lightweight Directory Access Protocol (LDAP) [1] defines
a
network representation of a search filter transmitted
to an LDAP
server. Some applications may find it useful to
have a common way of
representing these search filters in a human-readable
form. This
document defines a human-readable string format for representing
LDAP
search filters.
This document replaces RFC 1960, extending the string LDAP
filter
definition to include support for LDAP version 3 extended
match
filters, and including support for representing the full
range of
possible LDAP search filters.
Howes Standards Track [Page 2]
RFC 2254
String Representation of LDAP
December 1997
3. LDAP Search Filter Definition
An LDAPv3 search filter is defined in Section 4.5.1 of
[1] as
follows:
Filter ::= CHOICE {
and
[0] SET OF Filter,
or
[1] SET OF Filter,
not
[2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present
[7] AttributeDescription,
approxMatch [8] AttributeValueAssertion,
extensibleMatch [9] MatchingRuleAssertion
}
SubstringFilter ::= SEQUENCE
{
type AttributeDescription,
SEQUENCE OF CHOICE {
initial [0] LDAPString,
any [1]
LDAPString,
final [2] LDAPString
}
}
AttributeValueAssertion ::=
SEQUENCE {
attributeDesc AttributeDescription,
attributeValue AttributeValue
}
MatchingRuleAssertion ::=
SEQUENCE {
matchingRule [1] MatchingRuleID OPTIONAL,
type
[2] AttributeDescription OPTIONAL,
matchValue [3] AssertionValue,
dnAttributes [4] BOOLEAN DEFAULT FALSE
}
AttributeDescription ::= LDAPString
AttributeValue ::= OCTET STRING
MatchingRuleID ::= LDAPString
AssertionValue ::= OCTET STRING
LDAPString ::= OCTET STRING
Howes Standards Track [Page 3]
RFC 2254
String Representation of LDAP
December 1997
where the LDAPString above is limited to the UTF-8 encoding
of the
ISO 10646 character set [4]. The AttributeDescription
is a string
representation of the attribute description and is defined
in [1].
The AttributeValue and AssertionValue OCTET STRING have
the form
defined in [2]. The Filter is encoded for transmission
over a
network using the Basic Encoding Rules defined in [3],
with
simplifications described in [1].
4. String Search Filter Definition
The string representation of an LDAP search filter is defined
by the
following grammar, following the ABNF notation defined
in [5]. The
filter format uses a prefix notation.
filter
= "(" filtercomp ")"
filtercomp = and / or /
not / item
and
= "&" filterlist
or
= "|" filterlist
not
= "!" filter
filterlist = 1*filter
item
= simple / present / substring / extensible
simple
= attr filtertype value
filtertype = equal / approx
/ greater / less
equal
= "="
approx
= "~="
greater
= ">="
less
= "<="
extensible = attr [":dn"]
[":" matchingrule] ":=" value
/ [":dn"] ":" matchingrule ":=" value
present
= attr "=*"
substring = attr "="
[initial] any [final]
initial
= value
any
= "*" *(value "*")
final
= value
attr
= AttributeDescription from Section 4.1.5 of [1]
matchingrule = MatchingRuleId
from Section 4.1.9 of [1]
value
= AttributeValue from Section 4.1.6 of [1]
The attr, matchingrule, and value constructs are as described
in the
corresponding section of [1] given above.
Howes Standards Track [Page 4]
RFC 2254
String Representation of LDAP
December 1997
If a value should contain any of the following characters
Character
ASCII value
---------------------------
*
0x2a
(
0x28
)
0x29
\
0x5c
NUL
0x00
the character must be encoded as the backslash '\' character
(ASCII
0x5c) followed by the two hexadecimal digits representing
the ASCII
value of the encoded character. The case of the two hexadecimal
digits is not significant.
This simple escaping mechanism eliminates filter-parsing
ambiguities
and allows any filter that can be represented in LDAP
to be
represented as a NUL-terminated string. Other characters
besides the
ones listed above may be escaped using this mechanism,
for example,
non-printing characters.
For example, the filter checking whether the "cn" attribute
contained
a value with the character "*" anywhere in it would be
represented as
"(cn=*\2a*)".
Note that although both the substring and present productions
in the
grammar above can produce the "attr=*" construct, this
construct is
used only to denote a presence filter.
5. Examples
This section gives a few examples of search filters written
using
this notation.
(cn=Babs Jensen)
(!(cn=Tim Howes))
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs
J*)))
(o=univ*of*mich*)
The following examples illustrate the use of extensible matching.
(cn:1.2.3.4.5:=Fred Flintstone)
(sn:dn:2.4.6.8.10:=Barney
Rubble)
(o:dn:=Ace Industry)
(:dn:2.4.6.8.10:=Dino)
Howes Standards Track [Page 5]
RFC 2254
String Representation of LDAP
December 1997
The second example illustrates the use of the ":dn" notation
to
indicate that matching rule "2.4.6.8.10" should be used
when making
comparisons, and that the attributes of an entry's distinguished
name
should be considered part of the entry when evaluating
the match.
The third example denotes an equality match, except that
DN
components should be considered part of the entry when
doing the
match.
The fourth example is a filter that should be applied to
any
attribute supporting the matching rule given (since the
attr has been
left off). Attributes supporting the matching rule contained
in the
DN should also be considered.
The following examples illustrate the use of the escaping mechanism.
(o=Parens R Us \28for all
your parenthetical needs\29)
(cn=*\2A*)
(filename=C:\5cMyFile)
(bin=\00\00\00\04)
(sn=Lu\c4\8di\c4\87)
The first example shows the use of the escaping mechanism
to
represent parenthesis characters. The second shows how
to represent a
"*" in a value, preventing it from being interpreted as
a substring
indicator. The third illustrates the escaping of the backslash
character.
The fourth example shows a filter searching for the four-byte
value
0x00000004, illustrating the use of the escaping mechanism
to
represent arbitrary data, including NUL characters.
The final example illustrates the use of the escaping mechanism
to
represent various non-ASCII UTF-8 characters.
6. Security Considerations
This memo describes a string representation of LDAP search
filters.
While the representation itself has no known security
implications,
LDAP search filters do. They are interpreted by LDAP servers
to
select entries from which data is retrieved. LDAP
servers should
take care to protect the data they maintain from unauthorized
access.
Howes Standards Track [Page 6]
RFC 2254
String Representation of LDAP
December 1997
7. References
[1] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory
Access
Protocol (v3)", RFC 2251, December 1997.
[2] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
Directory Access Protocol (v3): Attribute Syntax Definitions",
RFC
2252, December 1997.
[3] Specification of ASN.1 encoding rules: Basic, Canonical,
and
Distinguished Encoding Rules, ITU-T Recommendation X.690,
1994.
[4] Yergeau, F., "UTF-8, a transformation format of Unicode
and ISO
10646", RFC 2044, October 1996.
[5] Crocker, D., "Standard for the Format of ARPA Internet
Text
Messages", STD 11, RFC 822, August 1982.
8. Author's Address
Tim Howes
Netscape Communications Corp.
501 E. Middlefield Road
Mountain View, CA 94043
USA
Phone: +1 415 937-3419
EMail: howes@netscape.com
Howes Standards Track [Page 7]
RFC 2254
String Representation of LDAP
December 1997
9. Full Copyright Statement
Copyright (C) The Internet Society (1997). All Rights Reserved.
This document and translations of it may be copied and
furnished to
others, and derivative works that comment on or otherwise
explain it
or assist in its implementation may be prepared, copied,
published
and distributed, in whole or in part, without restriction
of any
kind, provided that the above copyright notice and this
paragraph are
included on all such copies and derivative works.
However, this
document itself may not be modified in any way, such as
by removing
the copyright notice or references to the Internet Society
or other
Internet organizations, except as needed for the purpose
of
developing Internet standards in which case the procedures
for
copyrights defined in the Internet Standards process must
be
followed, or as required to translate it into languages
other than
English.
The limited permissions granted above are perpetual and
will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided
on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES
OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Howes
Standards Track
[Page 8]