draft-ietf-ldapbis-filter-01.txt   draft-ietf-ldapbis-filter-02.txt 
Network Working Group M. Smith, Editor Network Working Group M. Smith, Editor
Request for Comments: DRAFT Netscape Communications Corp. Request for Comments: DRAFT Netscape Communications Corp.
Obsoletes: RFC 2254 T. Howes Obsoletes: RFC 2254 T. Howes
Expires: 7 November 2001 Loudcloud, Inc. Expires: August 2002 Loudcloud, Inc.
7 May 2001 22 February 2002
The String Representation of LDAP Search Filters LDAP: String Representation of Search Filters
<draft-ietf-ldapbis-filter-01.txt> <draft-ietf-ldapbis-filter-02.txt>
1. Status of this Memo 1. Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
skipping to change at page 1, line 32 skipping to change at page 1, line 32
time. It is inappropriate to use Internet- Drafts as reference time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Discussion of this document should take place on the LDAP (v3) Discussion of this document should take place on the LDAP (v3)
Revison (ldapbis) Working Group mailing list <ietf- Revision (ldapbis) Working Group mailing list <ietf-
ldapbis@openldap.org>. After appropriate review and discussion, this ldapbis@openldap.org>. After appropriate review and discussion, this
document will be submitted as a Standards Track replacement for RFC document will be submitted as a Standards Track replacement for RFC
2254. 2254.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
2. Abstract 2. Abstract
The Lightweight Directory Access Protocol (LDAP) [RFC2251bis] defines The Lightweight Directory Access Protocol (LDAP) [Protocol] defines a
a network representation of a search filter transmitted to an LDAP network representation of a search filter transmitted to an LDAP
server. Some applications may find it useful to have a common way of server. Some applications may find it useful to have a common way of
representing these search filters in a human-readable form. This representing these search filters in a human-readable form. This
document defines a human-readable string format for representing the document defines a human-readable string format for representing the
full range of possible LDAP version 3 search filters, including full range of possible LDAP version 3 search filters, including
extended match filters. extended match filters.
This document replaces RFC 2254. See Appendix A for a list of This document is an integral part of the LDAP Technical
changes relative to RFC 2254. Specification [ROADMAP].
This document replaces RFC 2254. Changes to RFC 2254 are summarized
in Appendix A.
3. LDAP Search Filter Definition 3. LDAP Search Filter Definition
An LDAPv3 search filter is defined in Sections 4.5.1 of [RFC2251bis] An LDAPv3 search filter is defined in Sections 4.5.1 of [Protocol] as
as follows: follows:
Filter ::= CHOICE { Filter ::= CHOICE {
and [0] SET OF Filter, and [0] SET SIZE (1..MAX) OF Filter,
or [1] SET OF Filter, or [1] SET OF SIZE (1..MAX) Filter,
not [2] Filter, not [2] Filter,
equalityMatch [3] AttributeValueAssertion, equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter, substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion, greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion, lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeDescription, present [7] AttributeDescription,
approxMatch [8] AttributeValueAssertion, approxMatch [8] AttributeValueAssertion,
extensibleMatch [9] MatchingRuleAssertion extensibleMatch [9] MatchingRuleAssertion
} }
SubstringFilter ::= SEQUENCE { SubstringFilter ::= SEQUENCE {
type AttributeDescription, type AttributeDescription,
-- at least one must be present -- at least one must be present
-- initial and final can occur at most once
substrings SEQUENCE OF CHOICE { substrings SEQUENCE OF CHOICE {
initial [0] AssertionValue, initial [0] AssertionValue,
any [1] AssertionValue, any [1] AssertionValue,
final [2] AssertionValue final [2] AssertionValue
} }
} }
AttributeValueAssertion ::= SEQUENCE { AttributeValueAssertion ::= SEQUENCE {
attributeDesc AttributeDescription, attributeDesc AttributeDescription,
assertionValue AssertionValue assertionValue AssertionValue
skipping to change at page 3, line 15 skipping to change at page 3, line 19
MatchingRuleID ::= LDAPString MatchingRuleID ::= LDAPString
AssertionValue ::= OCTET STRING AssertionValue ::= OCTET STRING
LDAPString ::= OCTET STRING LDAPString ::= OCTET STRING
where the LDAPString above is limited to the UTF-8 encoding of the where the LDAPString above is limited to the UTF-8 encoding of the
ISO 10646 character set [RFC2279]. The AttributeDescription is a ISO 10646 character set [RFC2279]. The AttributeDescription is a
string representation of the attribute description and is defined in string representation of the attribute description and is defined in
[RFC2251bis]. The AttributeValue and AssertionValue OCTET STRING [Protocol]. The AttributeValue and AssertionValue OCTET STRING have
have the form defined in [RFC2252bis]. The Filter is encoded for the form defined in [Syntaxes]. The Filter is encoded for
transmission over a network using the Basic Encoding Rules defined in transmission over a network using the Basic Encoding Rules defined in
[ASN.1], with simplifications described in [RFC2251bis]. [ASN.1], with simplifications described in [Protocol].
4. String Search Filter Definition 4. String Search Filter Definition
The string representation of an LDAP search filter is defined by the The string representation of an LDAP search filter is defined by the
following grammar, following the ABNF notation defined in [RFC2234]. following grammar, following the ABNF notation defined in [RFC2234].
The filter format uses a prefix notation. The filter format uses a prefix notation.
filter = "(" filtercomp ")" filter = "(" filtercomp ")"
filtercomp = and / or / not / item filtercomp = and / or / not / item
and = "&" filterlist and = "&" filterlist
skipping to change at page 3, line 41 skipping to change at page 3, line 45
filterlist = 1*filter filterlist = 1*filter
item = simple / present / substring / extensible item = simple / present / substring / extensible
simple = attr filtertype assertionvalue simple = attr filtertype assertionvalue
filtertype = equal / approx / greater / less filtertype = equal / approx / greater / less
equal = "=" equal = "="
approx = "~=" approx = "~="
greater = ">=" greater = ">="
less = "<=" less = "<="
extensible = attr [":dn"] [":" matchingrule] ":=" assertionvalue extensible = attr [":dn"] [":" matchingrule] ":=" assertionvalue
/ [":dn"] ":" matchingrule ":=" assertionvalue / [":dn"] ":" matchingrule ":=" assertionvalue
/ ":=" assertionvalue
present = attr "=*" present = attr "=*"
substring = attr "=" [initial] any [final] substring = attr "=" [initial] any [final]
initial = assertionvalue initial = assertionvalue
any = "*" *(assertionvalue "*") any = "*" *(assertionvalue "*")
final = assertionvalue final = assertionvalue
attr = <AttributeDescription from Section 4.1.5 of [RFC2251bis]> attr = AttributeDescription
matchingrule = <MatchingRuleId from Section 4.1.9 of [RFC2251bis]> ; The <AttributeDescription> rule is defined in
assertionvalue = <AssertionValue from Section 4.1.7 of [RFC2251bis] ; Section 4.1.5 of [Protocol].
encoded using the valueencoding rule> matchingrule = oid
; The <oid> rule is defined in Section 4.1
; of [Syntaxes] and is used to encode a
; matching rule OBJECT IDENTIFIER.
assertionvalue = valueencoding
; The <valueencoding> rule is used to encode an
; <AssertionValue> from Section 4.1.7 of [Protocol].
valueencoding = 0*(normal / escaped) valueencoding = 0*(normal / escaped)
normal = %x01-27 / %x2b-5b / %x5d-7f normal = %x01-27 / %x2b-5b / %x5d-7f
escaped = "\" hex hex escaped = "\" hex hex
hex = %x30-39 / %x41-46 / %x61-66 hex = %x30-39 / %x41-46 / %x61-66
The attr and matchingrule constructs are as described in the Note that although both the <substring> and <present> productions in
corresponding section of [RFC2251bis] given above. the grammar above can produce the "attr=*" construct, this construct
is used only to denote a presence filter.
The valueencoding rule provides that the characters "*" (ASCII 0x2a), The <valueencoding> rule provides that the octets that represent the
"(" (ASCII 0x28), ")" (ASCII 0x29), "\" (ASCII 0x5c), and NUL (ASCII ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
0x00) are represented as the backslash "\" character (ASCII 0x5c) 0x29), "\" (ASCII 0x5c), NUL (ASCII 0x00), and all octets greater
followed by the two hexadecimal digits representing the ASCII value than 0x7f are represented as a backslash "\" (ASCII 0x5c) followed by
of the encoded character. the two hexadecimal digits representing the value of the encoded
octet.
This simple escaping mechanism eliminates filter-parsing ambiguities This simple escaping mechanism eliminates filter-parsing ambiguities
and allows any filter that can be represented in LDAP to be and allows any filter that can be represented in LDAP to be
represented as a NUL-terminated string. Other characters besides the represented as a NUL-terminated string. Other octets that are part of
ones listed above may be escaped using this mechanism, for example, the <normal> set may be escaped using this mechanism, for example,
non-printing characters. Each octet of the character to be escaped non-printing ASCII characters.
is replaced by a backslash and two hex digits, which form a single
octet in the code of the character. For AssertionValues that contain UTF-8 character data, each octet of
the character to be escaped is replaced by a backslash and two hex
digits, which form a single octet in the code of the character.
For example, the filter checking whether the "cn" attribute contained For example, the filter checking whether the "cn" attribute contained
a value with the character "*" anywhere in it would be represented as a value with the character "*" anywhere in it would be represented as
"(cn=*\2a*)". "(cn=*\2a*)".
Note that although both the substring and present productions in the
grammar above can produce the "attr=*" construct, this construct is
used only to denote a presence filter.
5. Examples 5. Examples
This section gives a few examples of search filters written using This section gives a few examples of search filters written using
this notation. this notation.
(cn=Babs Jensen) (cn=Babs Jensen)
(!(cn=Tim Howes)) (!(cn=Tim Howes))
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*))) (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
(o=univ*of*mich*) (o=univ*of*mich*)
(seeAlso=) (seeAlso=)
The following examples illustrate the use of extensible matching. The following examples illustrate the use of extensible matching.
(cn:1.2.3.4.5:=Fred Flintstone) (cn:1.2.3.4.5:=Fred Flintstone)
(cn:=Betty Rubble) (cn:=Betty Rubble)
(sn:dn:2.4.6.8.10:=Barney Rubble) (sn:dn:2.4.6.8.10:=Barney Rubble)
(o:dn:=Ace Industry) (o:dn:=Ace Industry)
(:1.2.3:=Wilma Flintstone) (:1.2.3:=Wilma Flintstone)
(:dn:2.4.6.8.10:=Dino) (:dn:2.4.6.8.10:=Dino)
(:=Fred Flintstone)
The first example shows use of the matching rule "1.2.3.4.5". The first example shows use of the matching rule "1.2.3.4.5".
The second example demonstrates use of a MatchingRuleAssertion form The second example demonstrates use of a MatchingRuleAssertion form
without a matchingRule. without a matchingRule.
The third example illustrates the use of the ":dn" notation to The third example illustrates the use of the ":dn" notation to
indicate that matching rule "2.4.6.8.10" should be used when making indicate that matching rule "2.4.6.8.10" should be used when making
comparisons, and that the attributes of an entry's distinguished name comparisons, and that the attributes of an entry's distinguished name
should be considered part of the entry when evaluating the match. should be considered part of the entry when evaluating the match.
The fourth example denotes an equality match, except that DN The fourth example denotes an equality match, except that DN
components should be considered part of the entry when doing the components should be considered part of the entry when doing the
match. match.
The fifth example is a filter that should be applied to any attribute The fifth example is a filter that should be applied to any attribute
supporting the matching rule given (since the attr has been omitted). supporting the matching rule given (since the attr has been omitted).
The sixth and final example is also a filter that should be applied The sixth example is also a filter that should be applied to any
to any attribute supporting the matching rule given. Attributes attribute supporting the matching rule given. Attributes supporting
supporting the matching rule contained in the DN should also be the matching rule contained in the DN should also be considered.
considered.
The seventh and final example is a filter that should be applied to
any attribute (since both the attr and matching rule have been
omitted).
The following examples illustrate the use of the escaping mechanism. The following examples illustrate the use of the escaping mechanism.
(o=Parens R Us \28for all your parenthetical needs\29) (o=Parens R Us \28for all your parenthetical needs\29)
(cn=*\2A*) (cn=*\2A*)
(filename=C:\5cMyFile) (filename=C:\5cMyFile)
(bin=\00\00\00\04) (bin=\00\00\00\04)
(sn=Lu\c4\8di\c4\87) (sn=Lu\c4\8di\c4\87)
(1.3.6.1.4.1.1466.0;binary=\04\02\48\69) (1.3.6.1.4.1.1466.0;binary=\04\02\48\69)
The first example shows the use of the escaping mechanism to The first example shows the use of the escaping mechanism to
represent parenthesis characters. The second shows how to represent a represent parenthesis characters. The second shows how to represent a
"*" in an assertion value, preventing it from being interpreted as a "*" in an assertion value, preventing it from being interpreted as a
substring indicator. The third illustrates the escaping of the substring indicator. The third illustrates the escaping of the
backslash character. backslash character.
The fourth example shows a filter searching for the four-byte value The fourth example shows a filter searching for the four-byte value
0x00000004, illustrating the use of the escaping mechanism to 0x00000004, illustrating the use of the escaping mechanism to
represent arbitrary data, including NUL characters. represent arbitrary data, including NUL characters.
skipping to change at page 7, line 5 skipping to change at page 6, line 28
value. value.
6. Security Considerations 6. Security Considerations
This memo describes a string representation of LDAP search filters. This memo describes a string representation of LDAP search filters.
While the representation itself has no known security implications, While the representation itself has no known security implications,
LDAP search filters do. They are interpreted by LDAP servers to LDAP search filters do. They are interpreted by LDAP servers to
select entries from which data is retrieved. LDAP servers should select entries from which data is retrieved. LDAP servers should
take care to protect the data they maintain from unauthorized access. take care to protect the data they maintain from unauthorized access.
Please refer to the Security Considerations sections of [RFC2251bis], Please refer to the Security Considerations sections of [Protocol]
[RFC2829bis], and [RFC2830bis] for more information. and [AuthMeth] for more information.
7. References 7. References
[ASN.1] Specification of ASN.1 encoding rules: Basic, Canonical, and [ASN.1] Specification of ASN.1 encoding rules: Basic, Canonical, and
Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994. Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994.
[RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax [AuthMeth] R. Harrison (editor), "LDAP: Authentication Methods and
Specifications: ABNF", RFC 2234, November 1997. Connection Level Security Mechanisms", draft-ietf-ldapbis-authmeth-
xx.txt, a work in progress.
[RFC2251bis] IETF LDAPBis WG, "Lightweight Directory Access Protocol [Protocol] J. Sermersheim (editor), "LDAP: The Protocol", draft-
(v3)", a work in progress. ietf-ldapbis-protocol-xx.txt, a work in progress.
[RFC2252bis] IETF LDAPBis WG, "Lightweight Directory Access Protocol [RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax
(v3): Attribute Syntax Definitions", a work in progress. Specifications: ABNF", RFC 2234, November 1997.
[RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646", [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
RFC 2279, January 1998. RFC 2279, January 1998.
[RFC2829bis] IETF LDAPBis WG, "Authentication Methods for LDAP", a [Roadmap] K. Zeilenga (editor), "LDAP: Technical Specification Road
work in progress. Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
[RFC2830bis] IETF LDAPBis WG, "Lightweight Directory Access Protocol [Syntaxes] K. Dally (editor), "LDAP: Syntaxes", draft-ietf-ldapbis-
(v3): Extension for Transport Layer Security", a work in progress. syntaxes-xx.txt, a work in progress.
8. Acknowledgments 8. Acknowledgments
This document is an update to RFC 2254 by Tim Howes. Changes This document replaces RFC 2254 by Tim Howes. Changes included in
included in this revised specification are based upon discussions this revised specification are based upon discussions among the
among the authors, discussions within the LDAP (v3) Revision Working authors, discussions within the LDAP (v3) Revision Working Group
Group (ldapbis), and discussions within other IETF Working Groups. (ldapbis), and discussions within other IETF Working Groups. The
The contributions of individuals in these working groups is contributions of individuals in these working groups is gratefully
gratefully acknowledged. acknowledged.
9. Authors' Address 9. Authors' Address
Mark Smith (document editor) Mark Smith (document editor)
Netscape Communications Corp. Netscape Communications Corp.
Mailstop USCA17-201 447 Marlpool Drive
4170 Network Circle Saline, MI 48176
Santa Clara, CA 95054
USA USA
+1 650 937-3477 +1 650 937-3477
mcs@netscape.com mcs@netscape.com
Tim Howes Tim Howes
Loudcloud, Inc. Loudcloud, Inc.
599 N. Mathilda Ave. 599 N. Mathilda Ave.
Sunnyvale, CA 94086 Sunnyvale, CA 94086
USA USA
+1 408 744-7509 +1 408 744-7509
howes@loudcloud.com howes@loudcloud.com
10. Full Copyright Statement 10. Full Copyright Statement
skipping to change at page 8, line 14 skipping to change at page 7, line 37
Tim Howes Tim Howes
Loudcloud, Inc. Loudcloud, Inc.
599 N. Mathilda Ave. 599 N. Mathilda Ave.
Sunnyvale, CA 94086 Sunnyvale, CA 94086
USA USA
+1 408 744-7509 +1 408 744-7509
howes@loudcloud.com howes@loudcloud.com
10. Full Copyright Statement 10. Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
skipping to change at page 8, line 47 skipping to change at page 8, line 23
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
11. Appendix A: Changes Since RFC 2254 11. Appendix A: Changes Since RFC 2254
11.1. Technical Changes 11.1. Technical Changes
"String Search Filter Definition" section: replaced the "value" rule "String Search Filter Definition" section: replaced the "value" rule
with a new "assertionvalue" rule within the "simple", "extensible", with a new "assertionvalue" rule within the "simple", "extensible",
and "substring" ("initial", "any", and "final") rules. This matches and "substring" ("initial", "any", and "final") rules. This matches
a change made in [RFC22521bis]. Added angle brackets around free- a change made in [Syntaxes].
form prose in the "attr", "matchingrule", and "value" rules. Revised the "attr", "matchingrule", and "assertionvalue" ABNF to more
precisely reference productions from the [Protocol] and [Syntaxes]
documents.
Introduced the "valueencoding" and associated "normal" and "escaped" Introduced the "valueencoding" and associated "normal" and "escaped"
rules to reduce the dependence on descriptive text. rules to reduce the dependence on descriptive text.
Added a third option to the "extensible" production to allow creation
of a MatchingRuleAssertion that only has a matchValue.
11.2. Editorial Changes 11.2. Editorial Changes
Changed document title to include "LDAP:" prefix.
IESG Note: removed note about lack of satisfactory mandatory IESG Note: removed note about lack of satisfactory mandatory
authentication mechanisms. authentication mechanisms.
Header and "Authors' Addresses" sections: added Mark Smith as the Header and "Authors' Addresses" sections: added Mark Smith as the
document editor and updated Tim's affiliation and contact document editor and updated Tim's affiliation and contact
information. information.
Copyright: changed the year to 2001. Copyright: changed the year to 2002.
"Abstract" section: updated second paragraph to indicate that RFC "Abstract" section: updated second paragraph to indicate that RFC
2254 is replaced by this document (instead of RFC 1960). 2254 is replaced by this document (instead of RFC 1960). Added
reference to the [Roadmap] document.
"LDAP Search Filter Definition" section: made corrections to the "LDAP Search Filter Definition" section: made corrections to the
LDAPv3 search filter ABNF so it matches that used in [RFC2251bis]. LDAPv3 search filter ABNF so it matches that used in [Protocol].
In particular, the "at least one must be present" comment and the
"substrings" label were added to the SubstringFilter
initial/any/final sequence, the second element of the
AttributeValueAssertion was changed from "attributeValue
AttributeValue" to "assertionValue AssertionValue", and the
occurrences of "LDAPString" were replaced with "AssertionValue"
within the initial, any, and final elements of the substrings choice.
"String Search Filter Definition" section: clarified the definition "String Search Filter Definition" section: clarified the definition
of 'value' (now 'assertionvalue') to take into account the fact that of 'value' (now 'assertionvalue') to take into account the fact that
it is not precisely an AttributeAssertion from [RFC2251bis] section it is not precisely an AttributeAssertion from [Protocol] section
4.1.6 (special handling is required for some characters). Added a 4.1.6 (special handling is required for some characters). Added a
note that each octet of a character to be escaped is replaced by a note that each octet of a character to be escaped is replaced by a
backslash and two hex digits, which form a single octet in the code backslash and two hex digits, which represent a single octet.
of the character (text taken from the [RFC2253bis] document).
"Examples" section: added four additional examples: (seeAlso=), "Examples" section: added five additional examples: (seeAlso=),
(cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), and (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), (:=Fred Flintstone),
(1.3.6.1.4.1.1466.0;binary=\04\02\48\69). Replaced one occurrence of and (1.3.6.1.4.1.1466.0;binary=\04\02\48\69). Replaced one occurrence
"a value" with "an assertion value". of "a value" with "an assertion value".
"Security Considerations" section: added references to [RFC2251bis], "Security Considerations" section: added references to [Protocol] and
[RFC2829bis], and [RFC2830bis]. [AuthMeth].
"References" section: changed from [1] style to [RFC2251bis] style "References" section: changed from [1] style to [Protocol] style
throughout the document. Added entries for [RFC2829bis] and throughout the document. Added entries for [AuthMeth] and updated
[RFC2830bis] and updated UTF-8 reference to RFC 2279. Replaced RFC UTF-8 reference to RFC 2279. Replaced RFC 822 reference with a
822 reference with a reference to RFC 2234. reference to RFC 2234.
"Acknowledgments" section: added. "Acknowledgments" section: added.
"Appendix A: Changes Since RFC 2254" section: added. "Appendix A: Changes Since RFC 2254" section: added.
"Appendix B: Changes Since Previous Document Revision" section: "Appendix B: Changes Since Previous Document Revision" section:
added. added.
"Table of Contents" section: added. "Table of Contents" section: added.
12. Appendix B: Changes Since Previous Document Revision 12. Appendix B: Changes Since Previous Document Revision
This appendix lists all changes relative to the last published This appendix lists all changes relative to the last published
revision, draft-ietf-ldapbis-filter-00.txt. Note that these changes revision, draft-ietf-ldapbis-filter-01.txt. Note that these changes
are also included in Appendix A, but are included here for those who are also included in Appendix A, but are included here for those who
have already reviewed draft-ietf-ldapbis-filter-00.txt. This section have already reviewed draft-ietf-ldapbis-filter-01.txt. This section
will be removed before this document is published as an RFC. will be removed before this document is published as an RFC.
12.1. Technical Changes 12.1. Technical Changes
"String Search Filter Definition" section: replaced all occurrences "String Search Filter Definition" section: Added a third option to
of the "value" rule with "assertionvalue" within the "initial", the "extensible" production to allow creation of a
"any", and "final" rules. This was done to reflect changes made to MatchingRuleAssertion that only has a "assertionvalue".
the ASN.1 definition of the Filter in [RFC2251bis]. Also, the
"escaped" rule was revised and a "hex" rule was added to allow any
character to be escaped.
12.2. Editorial Changes 12.2. Editorial Changes
"LDAP Search Filter Definition" section: updated the ASN.1 definition Changed document title to include "LDAP:" prefix.
of the Filter to match that used in [RFC2251bis]. Specifically, the
occurrences of LDAPString within the initial, any, and final elements
of the substrings element were replaced with AssertionValue.
"String Search Filter Definition" section: corrected truncated text "LDAP Search Filter Definition" section: updated the ASN.1 definition
that described the valueencoding rule (the text was truncated after of the Filter to match that used in [Protocol].
(ASCII 0x29)). Added a note that each octet of a character to be
escaped is replaced by a backslash and two hex digits, which form a
single octet in the code of the character (text taken from the
[RFC2253bis] document).
"Examples" section: replaced one occurrence of "a value" with "an "String Search Filter Definition" section: Revised "attr",
assertion value". "matchingrule", and "assertionvalue" ABNF to directly reference
productions from the [Protocol] and [Syntaxes] documents.
Revised the text on hexadecimal escaping to be less UTF-8 centric.
References: updated references to refer to LDAPBis WG documents. "Examples" section: added a new example (:=Fred Flintstone) that only
has an "assertionvalue."
"Appendix C: Loose Ends": removed this section entirely. References: replaced [RFC2251bis] references with [Protocol]; similar
changes for other LDAP documents. Added reference to [Roadmap].
"Authors' Addresses" section: updated Mark Smith's postal address.
This Internet Draft expires on 7 November 2001. This Internet Draft expires in August 2002.
1. Status of this Memo............................................1 1. Status of this Memo............................................1
2. Abstract.......................................................1 2. Abstract.......................................................1
3. LDAP Search Filter Definition..................................2 3. LDAP Search Filter Definition..................................2
4. String Search Filter Definition................................3 4. String Search Filter Definition................................3
5. Examples.......................................................5 5. Examples.......................................................4
6. Security Considerations........................................6 6. Security Considerations........................................6
7. References.....................................................7 7. References.....................................................6
8. Acknowledgments................................................7 8. Acknowledgments................................................7
9. Authors' Address...............................................7 9. Authors' Address...............................................7
10. Full Copyright Statement.......................................8 10. Full Copyright Statement.......................................7
11. Appendix A: Changes Since RFC 2254.............................8 11. Appendix A: Changes Since RFC 2254.............................8
11.1. Technical Changes...........................................8 11.1. Technical Changes...........................................8
11.2. Editorial Changes...........................................9 11.2. Editorial Changes...........................................8
12. Appendix B: Changes Since Previous Document Revision...........10 12. Appendix B: Changes Since Previous Document Revision...........9
12.1. Technical Changes...........................................10 12.1. Technical Changes...........................................9
12.2. Editorial Changes...........................................10 12.2. Editorial Changes...........................................10
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/