draft-ietf-asid-ldapv3-filter-02.txt   rfc2254.txt 
Network Working Group Tim Howes Network Working Group T. Howes
INTERNET DRAFT Netscape Communications Corp. Request for Comments: 2254 Netscape Communications Corp.
OBSOLETES: RFC 1960 May 1997 Category: Standards Track December 1997
The String Representation of LDAP Search Filters The String Representation of LDAP Search Filters
<draft-ietf-asid-ldapv3-filter-02.txt>
1. Status of this Memo 1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working docu- This document specifies an Internet standards track protocol for the
ments of the Internet Engineering Task Force (IETF), its areas, and its Internet community, and requests discussion and suggestions for
working groups. Note that other groups may also distribute working improvements. Please refer to the current edition of the "Internet
documents as Internet-Drafts. Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Internet-Drafts are draft documents valid for a maximum of six months Copyright Notice
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the Copyright (C) The Internet Society (1997). All Rights Reserved.
``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
2. Abstract IESG Note
The Lightweight Directory Access Protocol (LDAP) [1] defines a network This document describes a directory access protocol that provides
representation of a search filter transmitted to an LDAP server. Some both read and update access. Update access requires secure
applications may find it useful to have a common way of representing authentication, but this document does not mandate implementation of
these search filters in a human-readable form. This document defines a any satisfactory authentication mechanisms.
human-readable string format for representing LDAP search filters.
This document replaces RFC 1960, extending the string LDAP filter defin- In accordance with RFC 2026, section 4.4.1, this specification is
ition to include support for LDAP version 3 extended match filters, and being approved by IESG as a Proposed Standard despite this
including support for representing the full range of possible LDAP limitation, for the following reasons:
search filters.
RFC DRAFT May 1997 a. to encourage implementation and interoperability testing of
these protocols (with or without update access) before they
are deployed, and
3. LDAP Search Filter Definition b. to encourage deployment and use of these protocols in read-only
applications. (e.g. applications where LDAPv3 is used as
a query language for directories which are updated by some
secure mechanism other than LDAP), and
An LDAPv3 search filter is defined in Section 4.5.1 of [1] as follows: c. to avoid delaying the advancement and deployment of other Internet
standards-track protocols which require the ability to query, but
not update, LDAPv3 directory servers.
Filter ::= CHOICE { Readers are hereby warned that until mandatory authentication
and [0] SET OF Filter, mechanisms are standardized, clients and servers written according to
or [1] SET OF Filter, this specification which make use of update functionality are
not [2] Filter, UNLIKELY TO INTEROPERATE, or MAY INTEROPERATE ONLY IF AUTHENTICATION
equalityMatch [3] AttributeValueAssertion, IS REDUCED TO AN UNACCEPTABLY WEAK LEVEL.
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeDescription,
approxMatch [8] AttributeValueAssertion,
extensibleMatch [9] MatchingRuleAssertion
}
SubstringFilter ::= SEQUENCE { Implementors are hereby discouraged from deploying LDAPv3 clients or
type AttributeDescription, servers which implement the update functionality, until a Proposed
SEQUENCE OF CHOICE { Standard for mandatory authentication in LDAPv3 has been approved and
initial [0] LDAPString, published as an RFC.
any [1] LDAPString,
final [2] LDAPString
}
}
AttributeValueAssertion ::= SEQUENCE { 2. Abstract
attributeDesc AttributeDescription,
attributeValue AttributeValue
}
MatchingRuleAssertion ::= SEQUENCE { The Lightweight Directory Access Protocol (LDAP) [1] defines a
matchingRule [1] MatchingRuleID OPTIONAL, network representation of a search filter transmitted to an LDAP
type [2] AttributeDescription OPTIONAL, server. Some applications may find it useful to have a common way of
matchValue [3] AssertionValue, representing these search filters in a human-readable form. This
dnAttributes [4] BOOLEAN DEFAULT FALSE document defines a human-readable string format for representing LDAP
} search filters.
AttributeDescription ::= LDAPString This document replaces RFC 1960, extending the string LDAP filter
definition to include support for LDAP version 3 extended match
filters, and including support for representing the full range of
possible LDAP search filters.
AttributeValue ::= OCTET STRING 3. LDAP Search Filter Definition
MatchingRuleID ::= LDAPString An LDAPv3 search filter is defined in Section 4.5.1 of [1] as
follows:
AssertionValue ::= OCTET STRING Filter ::= CHOICE {
and [0] SET OF Filter,
or [1] SET OF Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeDescription,
approxMatch [8] AttributeValueAssertion,
extensibleMatch [9] MatchingRuleAssertion
}
LDAPString ::= OCTET STRING SubstringFilter ::= SEQUENCE {
type AttributeDescription,
SEQUENCE OF CHOICE {
initial [0] LDAPString,
any [1] LDAPString,
final [2] LDAPString
}
}
RFC DRAFT May 1997 AttributeValueAssertion ::= SEQUENCE {
attributeDesc AttributeDescription,
attributeValue AttributeValue
}
where the LDAPString above is limited to the UTF-8 encoding of the ISO MatchingRuleAssertion ::= SEQUENCE {
10646 character set [4]. The AttributeDescription is a string represen- matchingRule [1] MatchingRuleID OPTIONAL,
tation of the attribute description and is defined in [1]. The Attribu- type [2] AttributeDescription OPTIONAL,
teValue and AssertionValue OCTET STRING have the form defined in [2]. matchValue [3] AssertionValue,
The Filter is encoded for transmission over a network using the Basic dnAttributes [4] BOOLEAN DEFAULT FALSE
Encoding Rules defined in [3], with simplifications described in [1]. }
4. String Search Filter Definition AttributeDescription ::= LDAPString
The string representation of an LDAP search filter is defined by the AttributeValue ::= OCTET STRING
following grammar, following the ABNF notation defined in [5]. The
filter format uses a prefix notation.
filter = "(" filtercomp ")" MatchingRuleID ::= LDAPString
filtercomp = and / or / not / item
and = "&" filterlist
or = "|" filterlist
not = "!" filter
filterlist = 1*filter
item = simple / present / substring / extensible
simple = attr filtertype value
filtertype = equal / approx / greater / less
equal = "="
approx = "~="
greater = ">="
less = "<="
extensible = attr [":dn"] [":" matchingrule] ":=" value
/ [":dn"] ":" matchingrule ":=" value
present = attr "=*"
substring = attr "=" [initial] any [final]
initial = value
any = "*" *(value "*")
final = value
attr = AttributeDescription from Section 4.1.5 of [1]
matchingrule = MatchingRuleId from Section 4.1.9 of [1]
value = AttributeValue from Section 4.1.6 of [1]
The attr, matchingrule, and value constructs are as described in the AssertionValue ::= OCTET STRING
corresponding section of [1] given above.
RFC DRAFT May 1997 LDAPString ::= OCTET STRING
If a value should contain any of the following characters where the LDAPString above is limited to the UTF-8 encoding of the
ISO 10646 character set [4]. The AttributeDescription is a string
representation of the attribute description and is defined in [1].
The AttributeValue and AssertionValue OCTET STRING have the form
defined in [2]. The Filter is encoded for transmission over a
network using the Basic Encoding Rules defined in [3], with
simplifications described in [1].
Character ASCII value 4. String Search Filter Definition
---------------------------
* 0x2a
( 0x28
) 0x29
\ 0x5c
NUL 0x00
the character must be encoded as the backslash '\' character (ASCII The string representation of an LDAP search filter is defined by the
0x5c) followed by the two hexadecimal digits representing the ASCII following grammar, following the ABNF notation defined in [5]. The
value of the encoded character. The case of the two hexadecimal digits filter format uses a prefix notation.
is not significant.
This simple escaping mechanism eliminates filter-parsing ambiguities and filter = "(" filtercomp ")"
allows any filter that can be represented in LDAP to be represented as a filtercomp = and / or / not / item
NUL-terminated string. Other characters besides the ones listed above and = "&" filterlist
may be escaped using this mechanism, for example, non-printing charac- or = "|" filterlist
ters. not = "!" filter
filterlist = 1*filter
item = simple / present / substring / extensible
simple = attr filtertype value
filtertype = equal / approx / greater / less
equal = "="
approx = "~="
greater = ">="
less = "<="
extensible = attr [":dn"] [":" matchingrule] ":=" value
/ [":dn"] ":" matchingrule ":=" value
present = attr "=*"
substring = attr "=" [initial] any [final]
initial = value
any = "*" *(value "*")
final = value
attr = AttributeDescription from Section 4.1.5 of [1]
matchingrule = MatchingRuleId from Section 4.1.9 of [1]
value = AttributeValue from Section 4.1.6 of [1]
For example, the filter checking whether the "cn" attribute contained a The attr, matchingrule, and value constructs are as described in the
value with the character "*" anywhere in it would be represented as corresponding section of [1] given above.
"(cn=*\2a*)".
Note that although both the substring and present productions in the If a value should contain any of the following characters
grammar above can produce the "attr=*" construct, this construct is used
only to denote a presence filter.
5. Examples Character ASCII value
---------------------------
* 0x2a
( 0x28
) 0x29
\ 0x5c
NUL 0x00
This section gives a few examples of search filters written using this the character must be encoded as the backslash '\' character (ASCII
notation. 0x5c) followed by the two hexadecimal digits representing the ASCII
value of the encoded character. The case of the two hexadecimal
digits is not significant.
(cn=Babs Jensen) This simple escaping mechanism eliminates filter-parsing ambiguities
(!(cn=Tim Howes)) and allows any filter that can be represented in LDAP to be
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*))) represented as a NUL-terminated string. Other characters besides the
(o=univ*of*mich*) ones listed above may be escaped using this mechanism, for example,
non-printing characters.
The following examples illustrate the use of extensible matching. For example, the filter checking whether the "cn" attribute contained
a value with the character "*" anywhere in it would be represented as
"(cn=*\2a*)".
(cn:1.2.3.4.5:=Fred Flintstone) Note that although both the substring and present productions in the
(sn:dn:2.4.6.8.10:=Barney Rubble) grammar above can produce the "attr=*" construct, this construct is
(o:dn:=Ace Industry) used only to denote a presence filter.
(:dn:2.4.6.8.10:=Dino)
The second example illustrates the use of the ":dn" notation to indicate 5. Examples
that matching rule "2.4.6.8.10" should be used when making comparisons,
RFC DRAFT May 1997
and that the attributes of an entry's distinguished name should be con- This section gives a few examples of search filters written using
sidered part of the entry when evaluating the match. this notation.
The third example denotes an equality match, except that DN components (cn=Babs Jensen)
should be considered part of the entry when doing the match. (!(cn=Tim Howes))
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
(o=univ*of*mich*)
The fourth example is a filter that should be applied to any attribute The following examples illustrate the use of extensible matching.
supporting the matching rule given (since the attr has been left off).
Attributes supporting the matching rule contained in the DN should also
be considered.
The following examples illustrate the use of the escaping mechanism. (cn:1.2.3.4.5:=Fred Flintstone)
(sn:dn:2.4.6.8.10:=Barney Rubble)
(o:dn:=Ace Industry)
(:dn:2.4.6.8.10:=Dino)
(o=Parens R Us \28for all your parenthetical needs\29) The second example illustrates the use of the ":dn" notation to
(cn=*\2A*) indicate that matching rule "2.4.6.8.10" should be used when making
(filename=C:\5cMyFile) comparisons, and that the attributes of an entry's distinguished name
(bin=\00\00\00\04) should be considered part of the entry when evaluating the match.
(sn=Lu\c4\8di\c4\c7)
The first example shows the use of the escaping mechanism to represent The third example denotes an equality match, except that DN
parenthesis characters. The second shows how to represent a "*" in a components should be considered part of the entry when doing the
value, preventing it from being interpreted as a substring indicator. match.
The third illustrates the escaping of the backslash character.
The fourth example shows a filter searching for the four-byte value The fourth example is a filter that should be applied to any
0x00000004, illustrating the use of the escaping mechanism to represent attribute supporting the matching rule given (since the attr has been
arbitrary data, including NUL characters. left off). Attributes supporting the matching rule contained in the
DN should also be considered.
The final example illustrates the use of the escaping mechanism to The following examples illustrate the use of the escaping mechanism.
represent various non-ASCII UTF-8 characters.
6. Security Considerations (o=Parens R Us \28for all your parenthetical needs\29)
(cn=*\2A*)
(filename=C:\5cMyFile)
(bin=\00\00\00\04)
(sn=Lu\c4\8di\c4\87)
This memo describes a string representation of LDAP search filters. The first example shows the use of the escaping mechanism to
While the representation itself has no known security implications, LDAP represent parenthesis characters. The second shows how to represent a
search filters do. They are interpreted by LDAP servers to select "*" in a value, preventing it from being interpreted as a substring
entries from which data is retrieved. LDAP servers should take care to indicator. The third illustrates the escaping of the backslash
protect the data they maintain from unauthorized access. character.
7. References The fourth example shows a filter searching for the four-byte value
0x00000004, illustrating the use of the escaping mechanism to
represent arbitrary data, including NUL characters.
[1] Lightweight Directory Access Protocol (v3), M. Wahl, T. Howes, S. The final example illustrates the use of the escaping mechanism to
Kille, Internet Draft draft-ietf-asid-ldapv3-protocol-04.txt, represent various non-ASCII UTF-8 characters.
March, 1997.
[2] Lightweight Directory Access Protocol (v3): Attribute Syntax Defin- 6. Security Considerations
itions, M. Wahl, A. Coulbeck, T. Howes, S. Kille, Internet Draft
draft-ietf-asid-ldapv3-attributes-04.txt, March, 1997.
RFC DRAFT May 1997 This memo describes a string representation of LDAP search filters.
While the representation itself has no known security implications,
LDAP search filters do. They are interpreted by LDAP servers to
select entries from which data is retrieved. LDAP servers should
take care to protect the data they maintain from unauthorized access.
[3] Specification of ASN.1 encoding rules: Basic, Canonical, and Dis- 7. References
tinguished Encoding Rules, ITU-T Recommendation X.690, 1994.
[4] UTF-8, a transformation format of Unicode and ISO 10646, F. Yer- [1] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
geau, draft-yergeau-utf8-rev-00.txt, April, 1997. Protocol (v3)", RFC 2251, December 1997.
[5] Standard for the Format of ARPA Internet Text Messages, D. Crocker, [2] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
RFC 822, August, 1982. Directory Access Protocol (v3): Attribute Syntax Definitions", RFC
2252, December 1997.
8. Author's Address [3] Specification of ASN.1 encoding rules: Basic, Canonical, and
Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994.
[4] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
10646", RFC 2044, October 1996.
[5] Crocker, D., "Standard for the Format of ARPA Internet Text
Messages", STD 11, RFC 822, August 1982.
8. Author's Address
Tim Howes Tim Howes
Netscape Communications Corp. Netscape Communications Corp.
501 E. Middlefield Road 501 E. Middlefield Road
Mountain View, CA 94043 Mountain View, CA 94043
USA USA
+1 415 937-3419
howes@netscape.com Phone: +1 415 937-3419
EMail: howes@netscape.com
9. Full Copyright Statement
Copyright (C) The Internet Society (1997). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 End of changes. 59 change blocks. 
184 lines changed or deleted 207 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/