Network Working Group                                          T. Howes
Request for Comments: 1558                       University of Michigan
Category: Informational                                   December 1993


             A String Representation of LDAP Search Filters

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

   The Lightweight Directory Access Protocol (LDAP) [1] defines a
   network representation of a search filter transmitted to an LDAP
   server.  Some applications may find it useful to have a common way of
   representing these search filters in a human-readable form.  This
   document defines a human-readable string format for representing LDAP

1. LDAP Search Filter Definition

   An LDAP search filter is defined in [1] as follows:

             and                [0] SET OF Filter,
             equalityMatch      [3] AttributeValueAssertion,
             substrings         [4] SubstringFilter,
             greaterOrEqual     [5] AttributeValueAssertion,
             lessOrEqual        [6] AttributeValueAssertion,
             present            [7] AttributeType,
             approxMatch        [8] AttributeValueAssertion

     SubstringFilter ::= SEQUENCE {
                     initial        [0] LDAPString,

RFC 1558          Representation of LDAP Filters          December 1993

     AttributeValueAssertion ::= SEQUENCE
             attributeType   AttributeType,
             attributeValue  AttributeValue

     AttributeType ::= LDAPString

     AttributeValue ::= OCTET STRING

     LDAPString ::= OCTET STRING

   where the LDAPString above is limited to the IA5 character set.  The
   AttributeType is a string representation of the attribute object
   identifier in dotted OID format (e.g., "2.5.4.10"), or the shorter
   string name of the attribute (e.g., "organizationName", or "o").  The
   AttributeValue OCTET STRING has the form defined in [2].  The Filter
   is encoded for transmission over a network using the Basic Encoding
   Rules defined in [3], with simplifications described in [1].

2. String Search Filter Definition

   The string representation of an LDAP search filter is defined by the
   following BNF.  It uses a prefix format.

     <filter> ::= '(' <filtercomp> ')'
     <filtercomp> ::= <and> | <or> | <not> | <item>
     <and> ::= '&' <filterlist>
     <or> ::= '|' <filterlist>
     <not> ::= '!' <filter>
     <filterlist> ::= <filter> | <filter> <filterlist>
     <item> ::= <simple> | <present> | <substring>
     <simple> ::= <attr> <filtertype> <value>
     <filtertype> ::= <equal> | <approx> | <greater> | <less>
     <present> ::= <attr> '=*'
     <substring> ::= <attr> '=' <initial> <any> <final>
     <initial> ::= NULL | <value>
     <any> ::= '*' <starval>
     <starval> ::= NULL | <value> '*' <starval>
     <final> ::= NULL | <value>

   <attr> is a string representing an AttributeType, and has the format
   defined in [1].  <value> is a string representing an AttributeValue,
   or part of one, and has the form defined in [2].  If a <value> must
   contain one of the characters '*' or '(' or ')', these characters
   should be escaped by preceding them with the backslash '\' character.

   This section gives a few examples of search filters written using

     (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
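
   Added example, not part of the memo: a Python parser for the string
   grammar of section 2, run in the test on the sample filter above,
   plus an escape_value helper that applies the backslash rule before a
   value is placed into a filter.  The names parse and escape_value, the
   tuple layout of the tree, and the escaping of the backslash itself
   (done so that values round-trip) are assumptions of this example.

```python
import re
# Added example (not the memo's code); '=', '~=', '>=', '<=' are its <filtertype>s.
_ITEM = re.compile(r"([^=~<>()*\\]+)(~=|>=|<=|=)")

def escape_value(raw):
    """Escape '*', '(' and ')' per the memo; the backslash too (assumption)."""
    return "".join("\\" + c if c in "*()\\" else c for c in raw)

def parse(s):
    tree, end = _filter(s, 0)
    if end != len(s):                           # reject text after the filter
        raise ValueError(f"trailing data at offset {end}")
    return tree

def _filter(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    head, i = s[i + 1:i + 2], i + 1
    if head in ("&", "|", "!"):                 # <and> | <or> | <not>
        kids, i = [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _filter(s, i)
            kids.append(kid)
        if not kids or (head == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for {head!r}")
        tree = (head, kids)
    else:
        tree, i = _item(s, i)
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return tree, i + 1

def _item(s, i):
    m = _ITEM.match(s, i)                       # <attr> followed by <filtertype>
    if not m:
        raise ValueError(f"bad <item> at offset {i}")
    (attr, op), i = m.groups(), m.end()
    parts, cur = [], ""
    while i < len(s) and s[i] != ")":
        if s[i] == "\\" and i + 1 < len(s):     # escaped character is literal
            cur, i = cur + s[i + 1], i + 2
        elif s[i] == "(" or (s[i] == "*" and op != "="):
            raise ValueError(f"unescaped {s[i]!r} at offset {i}")
        elif s[i] == "*":                       # unescaped '*' splits the value
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    parts.append(cur)
    kind = op if len(parts) == 1 else "present" if parts == ["", ""] else "substring"
    return (attr, kind, parts), i
```

   A value inserted without escape_value either fails to parse or
   yields a tree of a different shape, which is the check to apply
   wherever a filter string is assembled from untrusted input.
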

4. Security Considerations

   Security issues are not discussed in this memo.

   [1] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory Access
       Protocol", RFC 1487, Performance Systems International,
       University of Michigan, ISODE Consortium, July 1993.

   [2] Howes, T., Kille, S., Yeong, W., and C. Robbins, "The String
       Representation of Standard Attribute Syntaxes", RFC 1488,
       University of Michigan, ISODE Consortium, Performance Systems
       International, NeXor Ltd., July 1993.

   [3] "Specification of Basic Encoding Rules for Abstract Syntax
       Notation One (ASN.1)", CCITT Recommendation X.209, 1988.

       University of Michigan
       Ann Arbor, MI 48103-4943
       Phone: +1 313 747-4454