1 Internet-Draft David Chadwick
2 LDAPExt WG University of Salford
3 Intended Category: Standards Track Sean Mullan
5 Expires: 26 December 2002 26 June 2002
8 Returning Matched Values with LDAPv3
9 <draft-ietf-ldapext-matchedval-06.txt>
14 This document is an Internet-Draft and is in full conformance with
15 all the provisions of Section 10 of RFC2026 [1].
17 Internet-Drafts are working documents of the Internet Engineering
18 Task Force (IETF), its areas, and its working groups. Note that other
19 groups may also distribute working documents as Internet-Drafts.
21 Internet-Drafts are draft documents valid for a maximum of six months
22 and may be updated, replaced, or obsoleted by other documents at any
23 time. It is inappropriate to use Internet-Drafts as reference
24 material or to cite them other than as "work in progress."
26 The list of current Internet-Drafts can be accessed at
27 http://www.ietf.org/ietf/1id-abstracts.txt.
29 The list of Internet-Draft Shadow Directories can be accessed at
30 http://www.ietf.org/shadow.html.
32 Comments and suggestions on this document are encouraged. Comments on
33 this document should be sent to the LDAPEXT working group discussion
35 ietf-ldapext@netscape.com
37 or directly to the authors.
42 This document describes a control for the Lightweight Directory
43 Access Protocol version 3 that is used to return a subset of
44 attribute values from an entry, specifically, only those values that
45 match a "values return" filter. Without support for this control, a
46 client must retrieve all of an attribute's values and search for
47 specific values locally.
52 When reading an attribute from an entry using the Lightweight
53 Directory Access Protocol version 3 (LDAPv3) [2], it is normally only
54 possible to read either the attribute type, or the attribute type and
55 all its values. It is not possible to selectively read just a few of
56 the attribute values. If an attribute holds many values, for example,
57 the userCertificate attribute, or the subschema publishing
58 operational attributes objectClasses and attributeTypes [3], then it
59 may be desirable for the user to be able to selectively retrieve a
60 subset of the values, specifically, those attribute values that match
61 some user defined selection criteria. Without the control specified
62 in this document a client must read all of the attribute's values and
63 filter out the unwanted values, necessitating the client to implement
64 the matching rules. It also requires the client to potentially read
65 and process many irrelevant values, which can be inefficient if the
66 values are large or complex, or there are many values stored per
69 This document specifies an LDAPv3 control to enable a user to return
70 only those values that matched (i.e. returned TRUE to) one or more
71 elements of a newly defined "values return" filter. This control can
72 be especially useful when used in conjunction with extensible
73 matching rules that match on one or more components of complex binary
76 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
77 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
78 document are to be interpreted as described in RFC 2119 [4].
81 2. The valuesReturnFilter Control
83 The valuesReturnFilter control is either critical or non-critical as
84 determined by the user. It only has meaning for the Search operation,
85 and SHOULD only be added to the Search operation by the client. If
86 the server supports the control and it is present on a Search
87 operation, the server MUST obey the control regardless of the value
88 of the criticality flag.
90 If the control is marked as critical, and either the server does not
91 support the control or the control is applied to an operation other
92 than Search, then the server MUST return an
93 unavailableCriticalExtension error. If the control is not marked as
94 critical, and either the server does not support the control or the
95 control is applied to an operation other than Search, then the server
96 MUST ignore the control.
98 The object identifier for this control is 1.2.826.0.1.3344810.2.3.
100 The controlValue is an OCTET STRING, whose value is the BER encoding,
101 as per Section 5.1 of RFC 2251 [2], of a value of the type
104 ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
106 SimpleFilterItem ::= CHOICE {
107 equalityMatch [3] AttributeValueAssertion,
108 substrings [4] SubstringFilter,
109 greaterOrEqual [5] AttributeValueAssertion,
110 lessOrEqual [6] AttributeValueAssertion,
111 present [7] AttributeDescription,
112 approxMatch [8] AttributeValueAssertion,
113 extensibleMatch [9] SimpleMatchingAssertion }
115 SimpleMatchingAssertion ::= SEQUENCE {
116 matchingRule [1] MatchingRuleId OPTIONAL,
117 type [2] AttributeDescription OPTIONAL,
118 --- at least one of the above must be present
119 matchValue [3] AssertionValue}
121 All the above data types have their standard meanings as defined in
124 If the server supports this control, the server MUST make use of the
127 (1) The Search Filter is first executed in order to determine
128 which entries satisfy the Search criteria (these are the
129 filtered entries). The control has no impact on this step.
131 (2) If the typesOnly parameter of the Search Request is TRUE,
132 the control has no effect and the Search Request is processed as
133 if the control had not been specified.
135 (3) If the attributes parameter of the Search Request consists
136 of a list containing only the attribute with OID "1.1"
137 (specifying that no attributes are to be returned), the control
138 has no effect and the Search Request is processed as if the
139 control had not been specified.
141 (4) For each attribute listed in the attributes parameter of the
142 Search Request, the server MUST apply the control as follows to
143 each entry in the set of filtered entries:
145 i) Every attribute value that evaluates TRUE against one or
146 more elements of the ValuesReturnFilter is placed in the
147 corresponding SearchResultEntry.
148 ii) Every attribute value that evaluates FALSE or undefined
149 against all elements of the ValuesReturnFilter is not
150 placed in the corresponding SearchResultEntry. An
151 attribute that has no values selected is returned with an
154 Note. If the AttributeDescriptionList is empty or comprises "*"
155 then the control MUST be applied against every user attribute.
156 If the AttributeDescriptionList contains a "+" then the control
157 MUST be applied against every operational attribute.
160 3. Relationship to X.500
162 The control is a superset of the matchedValuesOnly (MVO) boolean of
163 the X.500 Directory Access Protocol (DAP) [5] Search argument, as
164 amended in the latest version [6]. Close examination of the
165 matchedValuesOnly boolean by the LDAP Extensions (LDAPEXT) Working
166 Group revealed ambiguities and complexities in the MVO boolean that
167 could not easily be resolved. For example, it was not clear if the
168 MVO boolean governed only those attribute values that contributed to
169 the overall truth of the filter, or all of the attribute values even
170 if the filter item containing the attribute evaluated to false. For
171 this reason the LDAPEXT group decided to replace the MVO boolean with
172 a simple filter that removes any uncertainty as to whether an
173 attribute value has been selected or not.
176 4. Relationship to other LDAP Controls
178 The purpose of this control is to select zero, one or more attribute
179 values from each requested attribute in a filtered entry, and to
180 discard the remainder. Once the attribute values have been discarded
181 by this control they MUST NOT be re-instated into the Search results
184 This control acts independently of other LDAP controls such as server
185 side sorting [10] and duplicate entries [7]. However, there might be
186 interactions between this control and other controls so that a
187 different set of Search Result Entries are returned, or the entries
188 are returned in a different order, depending upon the sequencing of
189 this control and other controls in the LDAP request. For example,
190 with server side sorting, if sorting is done first, and value return
191 filtering second, the set of Search Results may appear to be in the
192 wrong order since the value filtering may remove the attribute values
193 upon which the ordering was done. (The sorting document specifies
194 that entries without any sort key attribute values should be treated
195 as coming after all other attribute values.) Similarly with duplicate
196 entries, if duplication is performed before value filtering, the set
197 of Search Result Entries may contain identical duplicate entries,
198 each with an empty set of attribute values, because the value
199 filtering removed the attribute values that were used to duplicate
202 For these reasons the ValuesReturnFilter control in a SearchRequest
203 SHOULD precede other controls that affect the number and ordering of
209 All entries are provided in LDAP Data Interchange Format (LDIF)[8].
211 The string representation of the valuesReturnFilter in the examples
212 below uses the following ABNF [12] notation:
214 valuesReturnFilter = "(" 1*simpleFilterItem ")"
215 simpleFilterItem = "(" item ")"
217 where item is as defined below (adapted from RFC2254 [11]).
219 item = simple / present / substring / extensible
220 simple = attr filtertype value
221 filtertype = equal / approx / greater / less
226 extensible = attr [":" matchingrule] ":=" value
227 / ":" matchingrule ":=" value
229 substring = attr "=" [initial] any [final]
231 any = "*" *(value "*")
233 attr = AttributeDescription from Section 4.1.5 of [1]
234 matchingrule = MatchingRuleId from Section 4.1.9 of [1]
235 value = AttributeValue from Section 4.1.6 of [1]
237 (1) The first example shows how the control can be set to return all
238 attribute values from one attribute type (e.g. telephoneNumber) and a
239 subset of values from another attribute type (e.g. mail).
241 The entries below represent organizationalPerson object classes
242 located somewhere beneath the distinguished name dc=ac,dc=uk.
244 dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
247 objectClass: organizationalPerson
249 objectClass: inetOrgPerson
250 mail: sean.mullan@hotmail.com
251 mail: mullan@east.sun.com
252 telephoneNumber: + 781 442 0926
253 telephoneNumber: 555-9999
255 dn: cn=David Chadwick,ou=isi,o=salford,dc=ac,dc=uk
258 objectClass: organizationalPerson
260 objectClass: inetOrgPerson
261 mail: d.w.chadwick@salford.ac.uk
263 An LDAP search operation is specified with a baseObject set to the
264 DN of the search base (i.e. dc=ac,dc=uk), a subtree scope, a filter
265 set to (sn=mullan), and the list of attributes to be returned set to
266 "mail,telephoneNumber". In addition, a ValuesReturnFilter control is
267 set to ((mail=*hotmail.com)(telephoneNumber=*))
269 The search results returned by the server would consist of the
272 dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
273 mail: sean.mullan@hotmail.com
274 telephoneNumber: + 781 442 0926
275 telephoneNumber: 555-9999
277 Note that the control has no effect on the values returned for the
278 "telephoneNumber" attribute (all of the values are returned), since
279 the control specified that all values should be returned.
282 (2) The second example shows how one might retrieve a single
283 attribute type subschema definition for the "gunk" attribute with OID
284 1.2.3.4.5 from the subschema subentry
286 Assume the subschema subentry is held below the root entry with DN
287 cn=subschema subentry,o=myorg and this holds an attributeTypes
288 operational attribute holding the descriptions of the 35 attributes
289 known to this server (each description is held as a single attribute
290 value of the attributeTypes attribute).
292 dn: cn=subschema subentry,o=myorg
293 cn: subschema subentry
294 objectClass: subschema
295 attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name )
296 attributeTypes: ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
297 attributeTypes: ( 2.5.4.0 NAME 'objectClass' EQUALITY
298 objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
299 attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY
300 generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
301 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-
302 MODIFICATION USAGE directoryOperation )
303 attributeTypes: ( 2.5.21.6 NAME 'objectClasses' EQUALITY
304 objectIdentifierFirstComponentMatch SYNTAX
305 1.3.6.1.4.1.1466.115.121.1.37 USAGE directoryOperation )
306 attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMatch
307 SUBSTR caseIgnoreSubstringsMatch SYNTAX
308 1.3.6.1.4.1.1466.115.121.1.44{64} )
309 attributeTypes: ( 2.5.21.5 NAME 'attributeTypes' EQUALITY
310 objectIdentifierFirstComponentMatch SYNTAX
311 1.3.6.1.4.1.1466.115.121.1.3 USAGE directoryOperation )
313 plus another 28 - you get the idea.
316 The user creates an LDAP search operation with a baseObject set to
317 cn=subschema subentry,o=myorg, a scope of base, a filter set to
318 (objectClass=subschema), the list of attributes to be returned set to
319 "attributeTypes", and the ValuesReturnFilter set to
320 ((attributeTypes=1.2.3.4.5))
322 The search result returned by the server would consist of the
325 dn: cn=subschema subentry,o=myorg
326 attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMatch
327 SUBSTR caseIgnoreSubstringsMatch SYNTAX
328 1.3.6.1.4.1.1466.115.121.1.44{64} )
331 (3) The final example shows how the control can be used to match on a
332 userCertificate attribute value. Note that this example requires the
333 LDAP server to support the certificateExactMatch matching rule
336 The entry below represent a pkiUser object class stored in the
339 dn: cn=David Chadwick+serialNumber=123456,ou=people,o=University
344 objectClass: organizationalPerson
346 objectClass: inetOrgPerson
348 mail: d.w.chadwick@salford.ac.uk
349 userCertificate: {binary representation of a certificate with a
350 serial number of 2468 issued by o=truetrust ltd, c=gb}
351 userCertificate: {binary representation of certificate with a serial
352 number of 1357 issued by o=truetrust ltd, c=gb}
353 userCertificate: {binary representation of certificate with a serial
354 number of 1234 issued by dc=certs R us, dc=com}
356 An LDAP search operation is specified with a baseObject set to
357 o=University of Salford,c=gb, a subtree scope, a filter set to
358 (sn=chadwick) and the list of attributes to be returned set to
359 "userCertificate". In addition, a ValuesReturnFilter control is set
360 to (userCertificate=1357$o=truetrust ltd, c=gb)
362 The search result returned by the server would consist of the
365 dn: cn=David Chadwick+serialNumber=123456,ou=people,o=University
367 userCertificate;binary: {binary representation of certificate with a
368 serial number of 1357 issued by o=truetrust ltd, c=gb}
371 6. Security Considerations
373 This document does not primarily discuss security issues.
375 Note however that attribute values MUST only be returned if the
376 access controls applied by the LDAP server allow them to be returned,
377 and in this respect the effect of the ValuesReturnFilter control is
380 Note that the ValuesReturnFilter control may have a positive effect
381 on the deployment of public key infrastructures. Certain PKI
382 operations, like searching for specific certificates, become more
383 practical when combined with X.509 certificate matching rules at the
384 server, and more scalable, since the control avoids the downloading
385 of potentially large numbers of irrelevant certificates which would
386 have to be processed and filtered locally (which in some cases is
387 very difficult to perform).
392 The authors would like to thank members of the LDAPExt list for their
393 constructive comments on earlier versions of this document, and in
394 particular to Harald Alvestrand who first suggested having an
395 attribute return filter and Bruce Greenblatt who first proposed a
396 syntax for this control.
401 Copyright (C) The Internet Society (date). All Rights Reserved.
403 This document and translations of it may be copied and furnished to
404 others, and derivative works that comment on or otherwise explain it
405 or assist in its implementation may be prepared, copied, published
406 and distributed, in whole or in part, without restriction of any
407 kind, provided that the above copyright notice and this paragraph are
408 included on all such copies and derivative works. However, this
409 document itself may not be modified in any way, such as by removing
410 the copyright notice or references to the Internet Society or other
411 Internet organizations, except as needed for the purpose of
412 developing Internet standards in which case the procedures for
413 copyrights defined in the Internet Standards process must be
414 followed, or as required to translate it into languages other than
417 The limited permissions granted above are perpetual and will not be
418 revoked by the Internet Society or its successors or assigns.
420 This document and the information contained herein is provided on an
421 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
422 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
423 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
424 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
425 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
432 [1] S. Bradner. "The Internet Standards Process -- Revision 3", RFC
434 [2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
435 Protocol (v3)", Dec. 1997, RFC 2251
436 [3] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight Directory
437 Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, Dec
439 [4] S.Bradner. "Key words for use in RFCs to Indicate Requirement
440 Levels", RFC 2119, March 1997.
444 [5] ITU-T Rec. X.511, "The Directory: Abstract Service Definition",
446 [6] Draft ISO/IEC 9594 / ITU-T Rec X.511 (2001) The Directory:
447 Abstract Service Definition.
448 [7] J. Sermersheim. "LDAP Control for a Duplicate Entry
449 Representation of Search Results", Internet Draft <draft-ietf-
450 ldapext-ldapv3-dupent-06.txt>, October 2000.
451 [8] G. Good. "The LDAP Data Interchange Format (LDIF) - Technical
452 Specification". RFC 2849, June 2000.
453 [9] D. Chadwick, S.Legg. "Internet X.509 Public Key Infrastructure -
454 Additional LDAP Schema for PKIs", Internet Draft <draft-pkix-ldap-
455 pki-schema-00.txt>, June 2002
456 [10] T. Howes, M. Wahl, A. Anantha, "LDAP Control Extension for
457 Server Side Sorting of Search Results", RFC 2891, August 2000
458 [11] T. Howes. "The String Representation of LDAP Search Filters".
459 RFC 2254, December 1997.
460 [12] D. Crocker, Ed. "Augmented BNF for Syntax Specifications: ABNF."
461 RFC 2234. November 1997.
464 10. Authors Addresses
468 University of Salford
472 Email: d.w.chadwick@salford.ac.uk
473 Tel: +44 161 295 5351
477 East Point Business Park
481 Email: sean.mullan@sun.com
484 11. Changes since version 2
486 i) Revised the examples to be more appropriate
487 ii) Section on interactions with other LDAP controls added
488 iii) Removed Editor's note concerning present filter
489 iv) Tightened wording about its applicability to other operations
490 and use of criticality field
492 Changes since version 3
494 i) Mandated that at least one of type and matchingRule in
495 simpleMatchingAssertion be present
496 ii) Fixed LDIF mistakes in the examples
497 iii) Additional minor editorials only
499 Changes since version 4
501 i) corrected the ABNF for single items of valuesReturnFilter
503 Changes since version 5
505 i) added some adapted BNFL from [11] into the examples
506 (specifically the [":dn"] component was removed)
507 ii) general editorial tidying up prior to Last Call