7 Network Working Group M. Smith, Editor
8 Request for Comments: DRAFT Netscape Communications Corp.
9 Obsoletes: RFC 2254 T. Howes
10 Expires: 25 April 2004 Opsware, Inc.
14 LDAP: String Representation of Search Filters
15 <draft-ietf-ldapbis-filter-05.txt>
19 1. Status of this Memo
21 This document is an Internet-Draft and is subject to all provisions
22 of Section 10 of RFC2026.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF), its areas, and its working groups. Note that
26 other groups may also distribute working documents as Internet-
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet- Drafts as reference
32 material or to cite them other than as "work in progress."
34 The list of current Internet-Drafts can be accessed at
35 http://www.ietf.org/1id-abstracts.html
37 The list of Internet-Draft Shadow Directories can be accessed at
38 http://www.ietf.org/shadow.html
40 Discussion of this document should take place on the LDAP (v3)
41 Revision (ldapbis) Working Group mailing list <ietf-
42 ldapbis@openldap.org>.
44 Copyright (C) The Internet Society (2003). All Rights Reserved.
48 LDAP search filters are transmitted in the LDAP protocol using a
49 binary representation that is appropriate for use on the network.
50 This document defines a human-readable string representation of LDAP
51 search filters that is appropriate for use in LDAP URLs and in other
58 Smith & Howes Intended Category: Standards Track [Page 1]
60 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
65 1. Status of this Memo............................................1
66 2. Abstract.......................................................1
67 3. Table of Contents..............................................2
68 4. Introduction...................................................2
69 5. LDAP Search Filter Definition..................................2
70 6. String Search Filter Definition................................4
71 7. Examples.......................................................5
72 8. Security Considerations........................................7
73 9. Normative References...........................................7
74 10. Informative References.........................................8
75 11. Intellectual Property Rights...................................8
76 12. Acknowledgments................................................8
77 13. Authors' Address...............................................8
78 14. Full Copyright Statement.......................................9
79 15. Appendix A: Changes Since RFC 2254.............................9
80 15.1. Technical Changes...........................................10
81 15.2. Editorial Changes...........................................10
82 16. Appendix B: Changes Since Previous Document Revision...........11
83 16.1. Technical Changes...........................................12
84 16.2. Editorial Changes...........................................12
88 The Lightweight Directory Access Protocol (LDAP) [Protocol] defines a
89 network representation of a search filter transmitted to an LDAP
90 server. Some applications may find it useful to have a common way of
91 representing these search filters in a human-readable form; LDAP URLs
92 are an example of one such application. This document defines a
93 human-readable string format for representing the full range of
94 possible LDAP version 3 search filters, including extended match
97 This document is an integral part of the LDAP Technical
98 Specification [Roadmap].
100 This document replaces RFC 2254. Changes to RFC 2254 are summarized
103 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
104 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
105 document are to be interpreted as described in BCP 14 [RFC2119].
107 5. LDAP Search Filter Definition
109 An LDAPv3 search filter is defined in Section 4.5.1 of [Protocol] as
114 Smith & Howes Intended Category: Standards Track [Page 2]
116 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
120 and [0] SET SIZE (1..MAX) OF Filter,
121 or [1] SET SIZE (1..MAX) OF Filter,
123 equalityMatch [3] AttributeValueAssertion,
124 substrings [4] SubstringFilter,
125 greaterOrEqual [5] AttributeValueAssertion,
126 lessOrEqual [6] AttributeValueAssertion,
127 present [7] AttributeDescription,
128 approxMatch [8] AttributeValueAssertion,
129 extensibleMatch [9] MatchingRuleAssertion }
131 SubstringFilter ::= SEQUENCE {
132 type AttributeDescription,
133 -- at least one must be present,
134 -- initial and final can occur at most once
135 substrings SEQUENCE OF CHOICE {
136 initial [0] AssertionValue,
137 any [1] AssertionValue,
138 final [2] AssertionValue } }
140 AttributeValueAssertion ::= SEQUENCE {
141 attributeDesc AttributeDescription,
142 assertionValue AssertionValue }
144 MatchingRuleAssertion ::= SEQUENCE {
145 matchingRule [1] MatchingRuleId OPTIONAL,
146 type [2] AttributeDescription OPTIONAL,
147 matchValue [3] AssertionValue,
148 dnAttributes [4] BOOLEAN DEFAULT FALSE }
150 AttributeDescription ::= LDAPString
151 -- Constrained to attributedescription
154 AttributeValue ::= OCTET STRING
156 MatchingRuleId ::= LDAPString
158 AssertionValue ::= OCTET STRING
160 LDAPString ::= OCTET STRING -- UTF-8 encoded,
161 -- ISO 10646 characters
163 where the LDAPString above is limited to the UTF-8 encoding [UTF-8]
164 of the ISO 10646 character set [ISO10646]. The AttributeDescription
165 is a string representation of the attribute description and is
166 defined in [Protocol]. The AttributeValue and AssertionValue OCTET
170 Smith & Howes Intended Category: Standards Track [Page 3]
172 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
175 STRING have the form defined in [Syntaxes]. The Filter is encoded
176 for transmission over a network using the Basic Encoding Rules
177 defined in [ASN.1], with simplifications described in [Protocol].
179 6. String Search Filter Definition
181 The string representation of an LDAP search filter is a string of
182 UTF-8 encoded ISO 10646-1 characters that is defined by the following
183 grammar, following the ABNF notation defined in [RFC2234]. The
184 productions used that are not defined here are defined in section 1.3
185 (Common ABNF Productions) of [Models] unless otherwise noted. The
186 filter format uses a prefix notation.
188 filter = LPAREN filtercomp RPAREN
189 filtercomp = and / or / not / item
190 and = AMPERSAND filterlist
191 or = VERTBAR filterlist
192 not = EXCLAMATION filter
193 filterlist = 1*filter
194 item = simple / present / substring / extensible
195 simple = attr filtertype assertionvalue
196 filtertype = equal / approx / greater / less
198 approx = TILDE EQUALS
199 greater = RANGLE EQUALS
201 extensible = attr [dnattrs] [matchingrule] COLON EQUALS assertionvalue
202 / [dnattrs] matchingrule COLON EQUALS assertionvalue
203 / COLON EQUALS assertionvalue
204 present = attr EQUALS ASTERISK
205 substring = attr EQUALS [initial] any [final]
206 initial = assertionvalue
207 any = ASTERISK *(assertionvalue ASTERISK)
208 final = assertionvalue
209 attr = attributedescription
210 ; The attributedescription rule is defined in
211 ; Section 2.5 of [Models].
213 matchingrule = COLON oid
214 assertionvalue = valueencoding
215 ; The <valueencoding> rule is used to encode an
216 ; <AssertionValue> from Section 4.1.6 of [Protocol].
217 valueencoding = 0*(normal / escaped)
218 normal = UTF1SUBSET / UTFMB
219 escaped = ESC HEX HEX
220 UTF1SUBSET = %x01-27 / %x2B-5B / %x5D-7F
221 ; UTF1SUBSET excludes 0x00 (NUL), LPAREN,
222 ; RPAREN, ASTERISK, and ESC.
226 Smith & Howes Intended Category: Standards Track [Page 4]
228 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
231 EXCLAMATION = %x21 ; exclamation mark ("!")
232 AMPERSAND = %x26 ; ampersand (or AND symbol) ("&")
233 ASTERISK = %x2A ; asterisk ("*")
234 COLON = %x3A ; colon (":")
235 VERTBAR = %x7C ; vertical bar (or pipe) ("|")
236 TILDE = %x7E ; tilde ("~")
239 Note that although both the <substring> and <present> productions in
240 the grammar above can produce the "attr=*" construct, this construct
241 is used only to denote a presence filter.
243 The <valueencoding> rule ensures that the entire filter string is a
244 valid UTF-8 string and provides that the octets that represent the
245 ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
246 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
247 backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
248 representing the value of the encoded octet.
250 This simple escaping mechanism eliminates filter-parsing ambiguities
251 and allows any filter that can be represented in LDAP to be
252 represented as a NUL-terminated string. Other octets that are part of
253 the <normal> set may be escaped using this mechanism, for example,
254 non-printing ASCII characters.
256 For AssertionValues that contain UTF-8 character data, each octet of
257 the character to be escaped is replaced by a backslash and two hex
258 digits, which form a single octet in the code of the character.
260 For example, the filter checking whether the "cn" attribute contained
261 a value with the character "*" anywhere in it would be represented as
264 As indicated by the valueencoding rule, implementations MUST escape
265 all octets greater than 0x7F that are not part of a valid UTF-8
266 encoding sequence when they generate a string representation of a
267 search filter. Implementations SHOULD accept as input a string that
268 includes invalid UTF-8 octet sequences. This is necessary because RFC
269 2254 did not clearly define the term "string representation" (and in
270 particular did not mention that the string representation of an LDAP
271 search filter is a string of UTF-8 encoded ISO 10646-1 characters).
275 This section gives a few examples of search filters written using
282 Smith & Howes Intended Category: Standards Track [Page 5]
284 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
288 (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
292 The following examples illustrate the use of extensible matching.
294 (cn:1.2.3.4.5:=Fred Flintstone)
296 (sn:dn:2.4.6.8.10:=Barney Rubble)
298 (:1.2.3:=Wilma Flintstone)
299 (:dn:2.4.6.8.10:=Dino)
301 The first example shows use of the matching rule "1.2.3.4.5".
303 The second example demonstrates use of a MatchingRuleAssertion form
304 without a matchingRule.
306 The third example illustrates the use of the ":dn" notation to
307 indicate that matching rule "2.4.6.8.10" should be used when making
308 comparisons, and that the attributes of an entry's distinguished name
309 should be considered part of the entry when evaluating the match.
311 The fourth example denotes an equality match, except that DN
312 components should be considered part of the entry when doing the
315 The fifth example is a filter that should be applied to any attribute
316 supporting the matching rule given (since the attr has been omitted).
318 The sixth and final example is also a filter that should be applied
319 to any attribute supporting the matching rule given. Attributes
320 supporting the matching rule contained in the DN should also be
323 The following examples illustrate the use of the escaping mechanism.
325 (o=Parens R Us \28for all your parenthetical needs\29)
327 (filename=C:\5cMyFile)
330 (1.3.6.1.4.1.1466.0=\04\02\48\69)
332 The first example shows the use of the escaping mechanism to
333 represent parenthesis characters. The second shows how to represent a
334 "*" in an assertion value, preventing it from being interpreted as a
338 Smith & Howes Intended Category: Standards Track [Page 6]
340 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
343 substring indicator. The third illustrates the escaping of the
346 The fourth example shows a filter searching for the four-byte value
347 0x00000004, illustrating the use of the escaping mechanism to
348 represent arbitrary data, including NUL characters.
350 The fifth example illustrates the use of the escaping mechanism to
351 represent various non-ASCII UTF-8 characters.
353 The sixth and final example demonstrates assertion of a BER encoded
356 8. Security Considerations
358 This memo describes a string representation of LDAP search filters.
359 While the representation itself has no known security implications,
360 LDAP search filters do. They are interpreted by LDAP servers to
361 select entries from which data is retrieved. LDAP servers should
362 take care to protect the data they maintain from unauthorized access.
364 Please refer to the Security Considerations sections of [Protocol]
365 and [AuthMeth] for more information.
367 9. Normative References
369 [ASN.1] Specification of ASN.1 encoding rules: Basic, Canonical, and
370 Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994.
372 [AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and
373 Connection Level Security Mechanisms", draft-ietf-ldapbis-authmeth-
374 xx.txt, a work in progress.
376 [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) -
377 Architecture and Basic Multilingual Plane, ISO/IEC 10646-1, 1993.
379 [Models] Zeilenga, K. (editor), "LDAP: Directory Information Models",
380 draft-ietf-ldapbis-models-xx.txt, a work in progress.
382 [Protocol] Sermersheim, J. (editor), "LDAP: The Protocol", draft-
383 ietf-ldapbis-protocol-xx.txt, a work in progress.
385 [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
386 Requirement Levels", BCP 14 (also RFC 2119), March 1997.
388 [RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax
389 Specifications: ABNF", RFC 2234, November 1997.
394 Smith & Howes Intended Category: Standards Track [Page 7]
396 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
399 [Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification Road
400 Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in progress.
402 [Syntaxes] Dally, K. (editor), "LDAP: Syntaxes", draft-ietf-ldapbis-
403 syntaxes-xx.txt, a work in progress.
405 [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
406 draft-yergeau-rfc2279bis-xx.txt, a work in progress.
408 10. Informative References
412 11. Intellectual Property Rights
414 The IETF takes no position regarding the validity or scope of any
415 intellectual property or other rights that might be claimed to
416 pertain to the implementation or use of the technology described in
417 this document or the extent to which any license under such rights
418 might or might not be available; neither does it represent that it
419 has made any effort to identify any such rights. Information on the
420 IETF's procedures with respect to rights in standards-track and
421 standards-related documentation can be found in BCP-11. Copies of
422 claims of rights made available for publication and any assurances of
423 licenses to be made available, or the result of an attempt made to
424 obtain a general license or permission for the use of such
425 proprietary rights by implementors or users of this specification can
426 be obtained from the IETF Secretariat.
428 The IETF invites any interested party to bring to its attention any
429 copyrights, patents or patent applications, or other proprietary
430 rights which may cover technology that may be required to practice
431 this standard. Please address the information to the IETF Executive
436 This document replaces RFC 2254 by Tim Howes. Changes included in
437 this revised specification are based upon discussions among the
438 authors, discussions within the LDAP (v3) Revision Working Group
439 (ldapbis), and discussions within other IETF Working Groups. The
440 contributions of individuals in these working groups is gratefully
450 Smith & Howes Intended Category: Standards Track [Page 8]
452 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
455 Netscape Communications Corp.
456 360 W. Caribbean Drive
460 MarkCSmithWork@aol.com
470 14. Full Copyright Statement
472 Copyright (C) The Internet Society (2003). All Rights Reserved.
474 This document and translations of it may be copied and furnished to
475 others, and derivative works that comment on or otherwise explain it
476 or assist in its implementation may be prepared, copied, published
477 and distributed, in whole or in part, without restriction of any
478 kind, provided that the above copyright notice and this paragraph are
479 included on all such copies and derivative works. However, this
480 document itself may not be modified in any way, such as by removing
481 the copyright notice or references to the Internet Society or other
482 Internet organizations, except as needed for the purpose of
483 developing Internet standards in which case the procedures for
484 copyrights defined in the Internet Standards process must be
485 followed, or as required to translate it into languages other than
488 The limited permissions granted above are perpetual and will not be
489 revoked by the Internet Society or its successors or assigns.
491 This document and the information contained herein is provided on an
492 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
493 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
494 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
495 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
496 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
499 15. Appendix A: Changes Since RFC 2254
506 Smith & Howes Intended Category: Standards Track [Page 9]
508 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
511 15.1. Technical Changes
513 The following technical changes were made to the contents of the
514 "String Search Filter Definition" section:
516 Added statement that the string representation is a string of UTF-8
517 encoded ISO 10646-1 characters.
519 Revised all of the ABNF to use common productions from [Models].
521 Replaced the "value" rule with a new "assertionvalue" rule within the
522 "simple", "extensible", and "substring" ("initial", "any", and
523 "final") rules. This matches a change made in [Syntaxes].
525 Revised the "attr", "matchingrule", and "assertionvalue" ABNF to more
526 precisely reference productions from the [Models] and [Protocol]
529 Introduced the "valueencoding" and associated "normal" and "escaped"
530 rules to reduce the dependence on descriptive text. The "normal"
531 production restricts filter strings to valid UTF-8 sequences.
533 Added a third option to the "extensible" production to allow creation
534 of a MatchingRuleAssertion that only has a matchValue.
536 Added a statement about expected behavior in light of RFC 2254's lack
537 of a clear definition of "string representation."
540 15.2. Editorial Changes
542 Changed document title to include "LDAP:" prefix.
544 IESG Note: removed note about lack of satisfactory mandatory
545 authentication mechanisms.
547 Header and "Authors' Addresses" sections: added Mark Smith as the
548 document editor and updated affiliation and contact information.
550 "Table of Contents" and "Intellectual Property Rights" sections:
553 Copyright: updated per latest IETF guidelines.
555 "Abstract" section: separated from introductory material.
557 "Introduction" section: new section; separated from the Abstract.
558 Updated second paragraph to indicate that RFC 2254 is replaced by
562 Smith & Howes Intended Category: Standards Track [Page 10]
564 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
567 this document (instead of RFC 1960). Added reference to the [Roadmap]
570 "LDAP Search Filter Definition" section: made corrections to the
571 LDAPv3 search filter ABNF so it matches that used in [Protocol].
573 Clarified the definition of 'value' (now 'assertionvalue') to take
574 into account the fact that it is not precisely an AttributeAssertion
575 from [Protocol] section 4.1.6 (special handling is required for some
576 characters). Added a note that each octet of a character to be
577 escaped is replaced by a backslash and two hex digits, which
578 represent a single octet.
580 "Examples" section: added four additional examples: (seeAlso=),
581 (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), and
582 (1.3.6.1.4.1.1466.0=\04\02\48\69). Replaced one occurrence of "a
583 value" with "an assertion value".
585 "Security Considerations" section: added references to [Protocol] and
588 "Normative References" section: renamed from "References" per new RFC
589 guidelines. Changed from [1] style to [Protocol] style throughout the
590 document. Added entries for [ISO10646], [RFC2119], [AuthMeth],
591 [Models], and [Roadmap] and updated the UTF-8 reference. Replaced
592 RFC 822 reference with a reference to RFC 2234.
594 "Informative References" section: added for clarity.
596 "Acknowledgments" section: added.
598 "Appendix A: Changes Since RFC 2254" section: added.
600 "Appendix B: Changes Since Previous Document Revision" section:
604 16. Appendix B: Changes Since Previous Document Revision
606 This appendix lists all changes relative to the previously published
607 revision, draft-ietf-ldapbis-filter-04.txt. Note that when
608 appropriate these changes are also included in Appendix A, but are
609 also included here for the benefit of the people who have already
610 reviewed draft-ietf-ldapbis-filter-04.txt. This section will be
611 removed before this document is published as an RFC.
618 Smith & Howes Intended Category: Standards Track [Page 11]
620 INTERNET-DRAFT LDAP: String Repres. of Search Filters 25 October 2003
623 16.1. Technical Changes
625 "Examples" section: Removed the (:=Fred Flintstone) example which is
626 not allowed by the protocol.
629 16.2. Editorial Changes
631 "String Search Filter Definition" section: Revised the last two
632 sentences in this section to improve clarity (the updated text now
633 begins with the text "Implementations SHOULD accept as input a string
636 Replaced all occurrences of "asterix" with the correctly spelled
639 "Normative References" section: changed UTF-8 reference to point to
640 the UTF-8 Internet Draft.
642 "Intellectual Property Rights" section: added.
644 Author's Addresses section: New email address for Mark Smith.
646 "Full Copyright Statement" section: updated text to match latest IETF
650 This Internet Draft expires on 25 April 2004.
674 Smith & Howes Intended Category: Standards Track [Page 12]