Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


Network Working Group T. Howes Request for Comments: 2254 Netscape Communications Corp. Category: Standards Track December 1997

          The String Representation of LDAP Search Filters

1. Status of this Memo

 This document specifies an Internet standards track protocol for the
 Internet community, and requests discussion and suggestions for
 improvements.  Please refer to the current edition of the "Internet
 Official Protocol Standards" (STD 1) for the standardization state
 and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

 Copyright (C) The Internet Society (1997).  All Rights Reserved.


 This document describes a directory access protocol that provides
 both read and update access.  Update access requires secure
 authentication, but this document does not mandate implementation of
 any satisfactory authentication mechanisms.
 In accordance with RFC 2026, section 4.4.1, this specification is
 being approved by IESG as a Proposed Standard despite this
 limitation, for the following reasons:
 a. to encourage implementation and interoperability testing of
    these protocols (with or without update access) before they
    are deployed, and
 b. to encourage deployment and use of these protocols in read-only
    applications.  (e.g. applications where LDAPv3 is used as
    a query language for directories which are updated by some
    secure mechanism other than LDAP), and
 c. to avoid delaying the advancement and deployment of other Internet
    standards-track protocols which require the ability to query, but
    not update, LDAPv3 directory servers.

Howes Standards Track [Page 1] RFC 2254 String Representation of LDAP December 1997

 Readers are hereby warned that until mandatory authentication
 mechanisms are standardized, clients and servers written according to
 this specification which make use of update functionality are
 Implementors are hereby discouraged from deploying LDAPv3 clients or
 servers which implement the update functionality, until a Proposed
 Standard for mandatory authentication in LDAPv3 has been approved and
 published as an RFC.

2. Abstract

 The Lightweight Directory Access Protocol (LDAP) [1] defines a
 network representation of a search filter transmitted to an LDAP
 server.  Some applications may find it useful to have a common way of
 representing these search filters in a human-readable form.  This
 document defines a human-readable string format for representing LDAP
 search filters.
 This document replaces RFC 1960, extending the string LDAP filter
 definition to include support for LDAP version 3 extended match
 filters, and including support for representing the full range of
 possible LDAP search filters.

Howes Standards Track [Page 2] RFC 2254 String Representation of LDAP December 1997

3. LDAP Search Filter Definition

 An LDAPv3 search filter is defined in Section 4.5.1 of [1] as
      Filter ::= CHOICE {
              and                [0] SET OF Filter,
              or                 [1] SET OF Filter,
              not                [2] Filter,
              equalityMatch      [3] AttributeValueAssertion,
              substrings         [4] SubstringFilter,
              greaterOrEqual     [5] AttributeValueAssertion,
              lessOrEqual        [6] AttributeValueAssertion,
              present            [7] AttributeDescription,
              approxMatch        [8] AttributeValueAssertion,
              extensibleMatch    [9] MatchingRuleAssertion
      SubstringFilter ::= SEQUENCE {
              type    AttributeDescription,
              SEQUENCE OF CHOICE {
                      initial        [0] LDAPString,
                      any            [1] LDAPString,
                      final          [2] LDAPString
      AttributeValueAssertion ::= SEQUENCE {
              attributeDesc   AttributeDescription,
              attributeValue  AttributeValue
      MatchingRuleAssertion ::= SEQUENCE {
              matchingRule    [1] MatchingRuleID OPTIONAL,
              type            [2] AttributeDescription OPTIONAL,
              matchValue      [3] AssertionValue,
              dnAttributes    [4] BOOLEAN DEFAULT FALSE
      AttributeDescription ::= LDAPString
      AttributeValue ::= OCTET STRING
      MatchingRuleID ::= LDAPString
      AssertionValue ::= OCTET STRING
      LDAPString ::= OCTET STRING

Howes Standards Track [Page 3] RFC 2254 String Representation of LDAP December 1997

 where the LDAPString above is limited to the UTF-8 encoding of the
 ISO 10646 character set [4].  The AttributeDescription is a string
 representation of the attribute description and is defined in [1].
 The AttributeValue and AssertionValue OCTET STRING have the form
 defined in [2].  The Filter is encoded for transmission over a
 network using the Basic Encoding Rules defined in [3], with
 simplifications described in [1].

4. String Search Filter Definition

 The string representation of an LDAP search filter is defined by the
 following grammar, following the ABNF notation defined in [5].  The
 filter format uses a prefix notation.
      filter     = "(" filtercomp ")"
      filtercomp = and / or / not / item
      and        = "&" filterlist
      or         = "|" filterlist
      not        = "!" filter
      filterlist = 1*filter
      item       = simple / present / substring / extensible
      simple     = attr filtertype value
      filtertype = equal / approx / greater / less
      equal      = "="
      approx     = "~="
      greater    = ">="
      less       = "<="
      extensible = attr [":dn"] [":" matchingrule] ":=" value
                   / [":dn"] ":" matchingrule ":=" value
      present    = attr "=*"
      substring  = attr "=" [initial] any [final]
      initial    = value
      any        = "*" *(value "*")
      final      = value
      attr       = AttributeDescription from Section 4.1.5 of [1]
      matchingrule = MatchingRuleId from Section 4.1.9 of [1]
      value      = AttributeValue from Section 4.1.6 of [1]
 The attr, matchingrule, and value constructs are as described in the
 corresponding section of [1] given above.

Howes Standards Track [Page 4] RFC 2254 String Representation of LDAP December 1997

 If a value should contain any of the following characters
         Character       ASCII value
         *               0x2a
         (               0x28
         )               0x29
         \               0x5c
         NUL             0x00
 the character must be encoded as the backslash '\' character (ASCII
 0x5c) followed by the two hexadecimal digits representing the ASCII
 value of the encoded character. The case of the two hexadecimal
 digits is not significant.
 This simple escaping mechanism eliminates filter-parsing ambiguities
 and allows any filter that can be represented in LDAP to be
 represented as a NUL-terminated string. Other characters besides the
 ones listed above may be escaped using this mechanism, for example,
 non-printing characters.
 For example, the filter checking whether the "cn" attribute contained
 a value with the character "*" anywhere in it would be represented as
 Note that although both the substring and present productions in the
 grammar above can produce the "attr=*" construct, this construct is
 used only to denote a presence filter.

5. Examples

 This section gives a few examples of search filters written using
 this notation.
      (cn=Babs Jensen)
      (!(cn=Tim Howes))
      (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
 The following examples illustrate the use of extensible matching.
      (cn: Flintstone)
      (sn:dn: Rubble)
      (o:dn:=Ace Industry)

Howes Standards Track [Page 5] RFC 2254 String Representation of LDAP December 1997

 The second example illustrates the use of the ":dn" notation to
 indicate that matching rule "" should be used when making
 comparisons, and that the attributes of an entry's distinguished name
 should be considered part of the entry when evaluating the match.
 The third example denotes an equality match, except that DN
 components should be considered part of the entry when doing the
 The fourth example is a filter that should be applied to any
 attribute supporting the matching rule given (since the attr has been
 left off). Attributes supporting the matching rule contained in the
 DN should also be considered.
 The following examples illustrate the use of the escaping mechanism.
      (o=Parens R Us \28for all your parenthetical needs\29)
 The first example shows the use of the escaping mechanism to
 represent parenthesis characters. The second shows how to represent a
 "*" in a value, preventing it from being interpreted as a substring
 indicator. The third illustrates the escaping of the backslash
 The fourth example shows a filter searching for the four-byte value
 0x00000004, illustrating the use of the escaping mechanism to
 represent arbitrary data, including NUL characters.
 The final example illustrates the use of the escaping mechanism to
 represent various non-ASCII UTF-8 characters.

6. Security Considerations

 This memo describes a string representation of LDAP search filters.
 While the representation itself has no known security implications,
 LDAP search filters do. They are interpreted by LDAP servers to
 select entries from which data is retrieved.  LDAP servers should
 take care to protect the data they maintain from unauthorized access.

Howes Standards Track [Page 6] RFC 2254 String Representation of LDAP December 1997

7. References

 [1] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
 Protocol (v3)", RFC 2251, December 1997.
 [2] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
 Directory Access Protocol (v3): Attribute Syntax Definitions", RFC
 2252, December 1997.
 [3] Specification of ASN.1 encoding rules: Basic, Canonical, and
 Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994.
 [4] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
 10646", RFC 2044, October 1996.
 [5] Crocker, D., "Standard for the Format of ARPA Internet Text
 Messages", STD 11, RFC 822, August 1982.

8. Author's Address

 Tim Howes
 Netscape Communications Corp.
 501 E. Middlefield Road
 Mountain View, CA 94043
 Phone: +1 415 937-3419

Howes Standards Track [Page 7] RFC 2254 String Representation of LDAP December 1997

9. Full Copyright Statement

 Copyright (C) The Internet Society (1997).  All Rights Reserved.
 This document and translations of it may be copied and furnished to
 others, and derivative works that comment on or otherwise explain it
 or assist in its implementation may be prepared, copied, published
 and distributed, in whole or in part, without restriction of any
 kind, provided that the above copyright notice and this paragraph are
 included on all such copies and derivative works.  However, this
 document itself may not be modified in any way, such as by removing
 the copyright notice or references to the Internet Society or other
 Internet organizations, except as needed for the purpose of
 developing Internet standards in which case the procedures for
 copyrights defined in the Internet Standards process must be
 followed, or as required to translate it into languages other than
 The limited permissions granted above are perpetual and will not be
 revoked by the Internet Society or its successors or assigns.
 This document and the information contained herein is provided on an

Howes Standards Track [Page 8]

/data/webs/external/dokuwiki/data/pages/rfc/rfc2254.txt · Last modified: 1997/12/22 20:12 by

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki