[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 RFC 4515

Network Working Group                                 M. Smith, Editor
Request for Comments: DRAFT              Netscape Communications Corp.
Obsoletes: RFC 2254                                           T. Howes
Expires: 7 November 2001                               Loudcloud, Inc.
                                                            7 May 2001


            The String Representation of LDAP Search Filters
                   <draft-ietf-ldapbis-filter-01.txt>



1.  Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Discussion of this document should take place on the LDAP (v3)
   Revison (ldapbis) Working Group mailing list <ietf-
   ldapbis@openldap.org>.  After appropriate review and discussion, this
   document will be submitted as a Standards Track replacement for RFC
   2254.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

2.  Abstract

   The Lightweight Directory Access Protocol (LDAP) [RFC2251bis] defines
   a network representation of a search filter transmitted to an LDAP
   server.  Some applications may find it useful to have a common way of
   representing these search filters in a human-readable form.  This
   document defines a human-readable string format for representing the



Smith & Howes      Intended Category: Standards Track           [Page 1]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


   full range of possible LDAP version 3 search filters, including
   extended match filters.

   This document replaces RFC 2254.  See Appendix A for a list of
   changes relative to RFC 2254.

3.  LDAP Search Filter Definition

   An LDAPv3 search filter is defined in Sections 4.5.1 of [RFC2251bis]
   as follows:

        Filter ::= CHOICE {
                and                [0] SET OF Filter,
                or                 [1] SET OF Filter,
                not                [2] Filter,
                equalityMatch      [3] AttributeValueAssertion,
                substrings         [4] SubstringFilter,
                greaterOrEqual     [5] AttributeValueAssertion,
                lessOrEqual        [6] AttributeValueAssertion,
                present            [7] AttributeDescription,
                approxMatch        [8] AttributeValueAssertion,
                extensibleMatch    [9] MatchingRuleAssertion
        }

        SubstringFilter ::= SEQUENCE {
                type    AttributeDescription,
                -- at least one must be present
                substrings    SEQUENCE OF CHOICE {
                        initial        [0] AssertionValue,
                        any            [1] AssertionValue,
                        final          [2] AssertionValue
                }
        }

        AttributeValueAssertion ::= SEQUENCE {
                attributeDesc   AttributeDescription,
                assertionValue  AssertionValue
        }

        MatchingRuleAssertion ::= SEQUENCE {
                matchingRule    [1] MatchingRuleID OPTIONAL,
                type            [2] AttributeDescription OPTIONAL,
                matchValue      [3] AssertionValue,
                dnAttributes    [4] BOOLEAN DEFAULT FALSE
        }

        AttributeDescription ::= LDAPString




Smith & Howes      Intended Category: Standards Track           [Page 2]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


        AttributeValue ::= OCTET STRING

        MatchingRuleID ::= LDAPString

        AssertionValue ::= OCTET STRING

        LDAPString ::= OCTET STRING

   where the LDAPString above is limited to the UTF-8 encoding of the
   ISO 10646 character set [RFC2279].  The AttributeDescription is a
   string representation of the attribute description and is defined in
   [RFC2251bis].  The AttributeValue and AssertionValue OCTET STRING
   have the form defined in [RFC2252bis].  The Filter is encoded for
   transmission over a network using the Basic Encoding Rules defined in
   [ASN.1], with simplifications described in [RFC2251bis].

4.  String Search Filter Definition

   The string representation of an LDAP search filter is defined by the
   following grammar, following the ABNF notation defined in [RFC2234].
   The filter format uses a prefix notation.

      filter         = "(" filtercomp ")"
      filtercomp     = and / or / not / item
      and            = "&" filterlist
      or             = "|" filterlist
      not            = "!" filter
      filterlist     = 1*filter
      item           = simple / present / substring / extensible
      simple         = attr filtertype assertionvalue
      filtertype     = equal / approx / greater / less
      equal          = "="
      approx         = "~="
      greater        = ">="
      less           = "<="
      extensible     = attr [":dn"] [":" matchingrule] ":=" assertionvalue
                       / [":dn"] ":" matchingrule ":=" assertionvalue
      present        = attr "=*"
      substring      = attr "=" [initial] any [final]
      initial        = assertionvalue
      any            = "*" *(assertionvalue "*")
      final          = assertionvalue
      attr           = <AttributeDescription from Section 4.1.5 of [RFC2251bis]>
      matchingrule   = <MatchingRuleId from Section 4.1.9 of [RFC2251bis]>
      assertionvalue = <AssertionValue from Section 4.1.7 of [RFC2251bis]
                        encoded using the valueencoding rule>
      valueencoding  = 0*(normal / escaped)
      normal         = %x01-27 / %x2b-5b / %x5d-7f



Smith & Howes      Intended Category: Standards Track           [Page 3]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


      escaped        = "\" hex hex
      hex            = %x30-39 / %x41-46 / %x61-66


   The attr and matchingrule constructs are as described in the
   corresponding section of [RFC2251bis] given above.













































Smith & Howes      Intended Category: Standards Track           [Page 4]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


   The valueencoding rule provides that the characters "*" (ASCII 0x2a),
   "(" (ASCII 0x28), ")" (ASCII 0x29), "\" (ASCII 0x5c), and NUL (ASCII
   0x00) are represented as the backslash "\" character (ASCII 0x5c)
   followed by the two hexadecimal digits representing the ASCII value
   of the encoded character.

   This simple escaping mechanism eliminates filter-parsing ambiguities
   and allows any filter that can be represented in LDAP to be
   represented as a NUL-terminated string. Other characters besides the
   ones listed above may be escaped using this mechanism, for example,
   non-printing characters.  Each octet of the character to be escaped
   is replaced by a backslash and two hex digits, which form a single
   octet in the code of the character.

   For example, the filter checking whether the "cn" attribute contained
   a value with the character "*" anywhere in it would be represented as
   "(cn=*\2a*)".

   Note that although both the substring and present productions in the
   grammar above can produce the "attr=*" construct, this construct is
   used only to denote a presence filter.

5.  Examples

   This section gives a few examples of search filters written using
   this notation.

        (cn=Babs Jensen)
        (!(cn=Tim Howes))
        (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
        (o=univ*of*mich*)
        (seeAlso=)

   The following examples illustrate the use of extensible matching.

        (cn:1.2.3.4.5:=Fred Flintstone)
        (cn:=Betty Rubble)
        (sn:dn:2.4.6.8.10:=Barney Rubble)
        (o:dn:=Ace Industry)
        (:1.2.3:=Wilma Flintstone)
        (:dn:2.4.6.8.10:=Dino)

   The first example shows use of the matching rule "1.2.3.4.5".

   The second example demonstrates use of a MatchingRuleAssertion form
   without a matchingRule.

   The third example illustrates the use of the ":dn" notation to



Smith & Howes      Intended Category: Standards Track           [Page 5]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


   indicate that matching rule "2.4.6.8.10" should be used when making
   comparisons, and that the attributes of an entry's distinguished name
   should be considered part of the entry when evaluating the match.

   The fourth example denotes an equality match, except that DN
   components should be considered part of the entry when doing the
   match.

   The fifth example is a filter that should be applied to any attribute
   supporting the matching rule given (since the attr has been omitted).

   The sixth and final example is also a filter that should be applied
   to any attribute supporting the matching rule given.  Attributes
   supporting the matching rule contained in the DN should also be
   considered.

   The following examples illustrate the use of the escaping mechanism.

        (o=Parens R Us \28for all your parenthetical needs\29)
        (cn=*\2A*)
        (filename=C:\5cMyFile)
        (bin=\00\00\00\04)
        (sn=Lu\c4\8di\c4\87)
        (1.3.6.1.4.1.1466.0;binary=\04\02\48\69)

   The first example shows the use of the escaping mechanism to
   represent parenthesis characters. The second shows how to represent a
   "*" in an assertion value, preventing it from being interpreted as a
   substring indicator. The third illustrates the escaping of the
   backslash character.

   The fourth example shows a filter searching for the four-byte value
   0x00000004, illustrating the use of the escaping mechanism to
   represent arbitrary data, including NUL characters.

   The fifth example illustrates the use of the escaping mechanism to
   represent various non-ASCII UTF-8 characters.

   The sixth and final example demonstrates assertion of a BER encoded
   value.

6.  Security Considerations

   This memo describes a string representation of LDAP search filters.
   While the representation itself has no known security implications,
   LDAP search filters do. They are interpreted by LDAP servers to
   select entries from which data is retrieved.  LDAP servers should
   take care to protect the data they maintain from unauthorized access.



Smith & Howes      Intended Category: Standards Track           [Page 6]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


   Please refer to the Security Considerations sections of [RFC2251bis],
   [RFC2829bis], and [RFC2830bis] for more information.

7.  References

   [ASN.1] Specification of ASN.1 encoding rules: Basic, Canonical, and
   Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994.

   [RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax
   Specifications:  ABNF", RFC 2234, November 1997.

   [RFC2251bis] IETF LDAPBis WG, "Lightweight Directory Access Protocol
   (v3)", a work in progress.

   [RFC2252bis] IETF LDAPBis WG, "Lightweight Directory Access Protocol
   (v3): Attribute Syntax Definitions", a work in progress.

   [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
   RFC 2279, January 1998.

   [RFC2829bis] IETF LDAPBis WG, "Authentication Methods for LDAP", a
   work in progress.

   [RFC2830bis] IETF LDAPBis WG, "Lightweight Directory Access Protocol
   (v3): Extension for Transport Layer Security", a work in progress.


8.  Acknowledgments

   This document is an update to RFC 2254 by Tim Howes.  Changes
   included in this revised specification are based upon discussions
   among the authors, discussions within the LDAP (v3) Revision Working
   Group (ldapbis), and discussions within other IETF Working Groups.
   The contributions of individuals in these working groups is
   gratefully acknowledged.


9.  Authors' Address

   Mark Smith (document editor)
   Netscape Communications Corp.
   Mailstop USCA17-201
   4170 Network Circle
   Santa Clara, CA 95054
   USA
   +1 650 937-3477
   mcs@netscape.com




Smith & Howes      Intended Category: Standards Track           [Page 7]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


   Tim Howes
   Loudcloud, Inc.
   599 N. Mathilda Ave.
   Sunnyvale, CA 94086
   USA
   +1 408 744-7509
   howes@loudcloud.com

10.  Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


11.  Appendix A: Changes Since RFC 2254

11.1.  Technical Changes

   "String Search Filter Definition" section: replaced the "value" rule
   with a new "assertionvalue" rule within the "simple", "extensible",
   and "substring" ("initial", "any", and "final") rules.  This matches
   a change made in [RFC22521bis].  Added angle brackets around free-
   form prose in the "attr", "matchingrule", and "value" rules.
   Introduced the "valueencoding" and associated "normal" and "escaped"
   rules to reduce the dependence on descriptive text.



Smith & Howes      Intended Category: Standards Track           [Page 8]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


11.2.  Editorial Changes

   IESG Note: removed note about lack of satisfactory mandatory
   authentication mechanisms.

   Header and "Authors' Addresses" sections: added Mark Smith as the
   document editor and updated Tim's affiliation and contact
   information.

   Copyright: changed the year to 2001.

   "Abstract" section: updated second paragraph to indicate that RFC
   2254 is replaced by this document (instead of RFC 1960).

   "LDAP Search Filter Definition" section: made corrections to the
   LDAPv3 search filter ABNF so it matches that used in [RFC2251bis].
   In particular, the "at least one must be present" comment and the
   "substrings" label were added to the SubstringFilter
   initial/any/final sequence, the second element of the
   AttributeValueAssertion was changed from "attributeValue
   AttributeValue" to "assertionValue AssertionValue", and the
   occurrences of "LDAPString" were replaced with "AssertionValue"
   within the initial, any, and final elements of the substrings choice.


   "String Search Filter Definition" section:  clarified the definition
   of 'value' (now 'assertionvalue') to take into account the fact that
   it is not precisely an AttributeAssertion from [RFC2251bis] section
   4.1.6 (special handling is required for some characters).  Added a
   note that each octet of a character to be escaped is replaced by a
   backslash and two hex digits, which form a single octet in the code
   of the character (text taken from the [RFC2253bis] document).

   "Examples" section: added four additional examples: (seeAlso=),
   (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), and
   (1.3.6.1.4.1.1466.0;binary=\04\02\48\69). Replaced one occurrence of
   "a value" with "an assertion value".

   "Security Considerations" section: added references to [RFC2251bis],
   [RFC2829bis], and [RFC2830bis].

   "References" section: changed from [1] style to [RFC2251bis] style
   throughout the document.  Added entries for [RFC2829bis] and
   [RFC2830bis] and updated UTF-8 reference to RFC 2279.  Replaced RFC
   822 reference with a reference to RFC 2234.

   "Acknowledgments" section: added.




Smith & Howes      Intended Category: Standards Track           [Page 9]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


   "Appendix A: Changes Since RFC 2254" section: added.

   "Appendix B: Changes Since Previous Document Revision" section:
   added.

   "Table of Contents" section: added.


12.  Appendix B: Changes Since Previous Document Revision

   This appendix lists all changes relative to the last published
   revision, draft-ietf-ldapbis-filter-00.txt.  Note that these changes
   are also included in Appendix A, but are included here for those who
   have already reviewed draft-ietf-ldapbis-filter-00.txt.  This section
   will be removed before this document is published as an RFC.


12.1.  Technical Changes

   "String Search Filter Definition" section: replaced all occurrences
   of the "value" rule with "assertionvalue" within the "initial",
   "any", and "final" rules.  This was done to reflect changes made to
   the ASN.1 definition of the Filter in [RFC2251bis].  Also, the
   "escaped" rule was revised and a "hex" rule was added to allow any
   character to be escaped.


12.2.  Editorial Changes

   "LDAP Search Filter Definition" section: updated the ASN.1 definition
   of the Filter to match that used in [RFC2251bis].  Specifically, the
   occurrences of LDAPString within the initial, any, and final elements
   of the substrings element were replaced with AssertionValue.

   "String Search Filter Definition" section: corrected truncated text
   that described the valueencoding rule (the text was truncated after
   (ASCII 0x29)).  Added a note that each octet of a character to be
   escaped is replaced by a backslash and two hex digits, which form a
   single octet in the code of the character (text taken from the
   [RFC2253bis] document).

   "Examples" section: replaced one occurrence of "a value" with "an
   assertion value".

   References: updated references to refer to LDAPBis WG documents.

   "Appendix C: Loose Ends": removed this section entirely.




Smith & Howes      Intended Category: Standards Track          [Page 10]

INTERNET-DRAFT   String Representation of LDAP Filters        7 May 2001


This Internet Draft expires on 7 November 2001.


















































Smith & Howes      Intended Category: Standards Track          [Page 11]
1.     Status of this Memo............................................1
2.     Abstract.......................................................1
3.     LDAP Search Filter Definition..................................2
4.     String Search Filter Definition................................3
5.     Examples.......................................................5
6.     Security Considerations........................................6
7.     References.....................................................7
8.     Acknowledgments................................................7
9.     Authors' Address...............................................7
10.    Full Copyright Statement.......................................8
11.    Appendix A: Changes Since RFC 2254.............................8
11.1.     Technical Changes...........................................8
11.2.     Editorial Changes...........................................9
12.    Appendix B: Changes Since Previous Document Revision...........10
12.1.     Technical Changes...........................................10
12.2.     Editorial Changes...........................................10


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/