idnits 2.17.1 draft-ietf-ldapbis-filter-02.txt: ** The Abstract section seems to be numbered Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand corner of the first page ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 2 instances of too long lines in the document, the longest one being 5 characters in excess of 72. ** The abstract seems to contain references ([Protocol], [ROADMAP]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 90: '... matchingRule [1] MatchingRuleID OPTIONAL,...' RFC 2119 keyword, line 91: '... type [2] AttributeDescription OPTIONAL,...' == The 'Obsoletes: ' line in the draft header should list only the _numbers_ of the RFCs which will be obsoleted by this document (if approved); it should not include the word 'RFC' in the list. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (22 February 2002) is 8098 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'ROADMAP' is mentioned on line 50, but not defined -- Looks like a reference, but probably isn't: '0' on line 78 -- Looks like a reference, but probably isn't: '1' on line 394 -- Looks like a reference, but probably isn't: '2' on line 91 -- Looks like a reference, but probably isn't: '3' on line 92 -- Looks like a reference, but probably isn't: '4' on line 93 -- Looks like a reference, but probably isn't: '5' on line 66 -- Looks like a reference, but probably isn't: '6' on line 67 -- Looks like a reference, but probably isn't: '7' on line 68 -- Looks like a reference, but probably isn't: '8' on line 69 -- Looks like a reference, but probably isn't: '9' on line 70 == Missing Reference: 'RFC2251bis' is mentioned on line 437, but not defined ** Obsolete undefined reference: RFC 2251 (Obsoleted by RFC 4510, RFC 4511, RFC 4512, RFC 4513) -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'AuthMeth' -- No information found for draft-ietf-ldapbis-protocol-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Protocol' ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234) ** Obsolete normative reference: RFC 2279 (Obsoleted by RFC 3629) -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Roadmap' -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' Summary: 14 errors (**), 0 flaws (~~), 5 warnings (==), 20 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group M. Smith, Editor 2 Request for Comments: DRAFT Netscape Communications Corp. 3 Obsoletes: RFC 2254 T. Howes 4 Expires: August 2002 Loudcloud, Inc. 5 22 February 2002 7 LDAP: String Representation of Search Filters 8 10 1. Status of this Memo 12 This document is an Internet-Draft and is in full conformance with 13 all provisions of Section 10 of RFC2026. Internet-Drafts are working 14 documents of the Internet Engineering Task Force (IETF), its areas, 15 and its working groups. Note that other groups may also distribute 16 working documents as Internet-Drafts. 18 Internet-Drafts are draft documents valid for a maximum of six months 19 and may be updated, replaced, or obsoleted by other documents at any 20 time. It is inappropriate to use Internet- Drafts as reference 21 material or to cite them other than as "work in progress." 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 Discussion of this document should take place on the LDAP (v3) 30 Revision (ldapbis) Working Group mailing list . After appropriate review and discussion, this 32 document will be submitted as a Standards Track replacement for RFC 33 2254. 35 Copyright Notice 37 Copyright (C) The Internet Society (2002). All Rights Reserved. 39 2. Abstract 41 The Lightweight Directory Access Protocol (LDAP) [Protocol] defines a 42 network representation of a search filter transmitted to an LDAP 43 server. Some applications may find it useful to have a common way of 44 representing these search filters in a human-readable form. This 45 document defines a human-readable string format for representing the 46 full range of possible LDAP version 3 search filters, including 47 extended match filters. 49 This document is an integral part of the LDAP Technical 50 Specification [ROADMAP]. 52 This document replaces RFC 2254. Changes to RFC 2254 are summarized 53 in Appendix A. 55 3. LDAP Search Filter Definition 57 An LDAPv3 search filter is defined in Sections 4.5.1 of [Protocol] as 58 follows: 60 Filter ::= CHOICE { 61 and [0] SET SIZE (1..MAX) OF Filter, 62 or [1] SET OF SIZE (1..MAX) Filter, 63 not [2] Filter, 64 equalityMatch [3] AttributeValueAssertion, 65 substrings [4] SubstringFilter, 66 greaterOrEqual [5] AttributeValueAssertion, 67 lessOrEqual [6] AttributeValueAssertion, 68 present [7] AttributeDescription, 69 approxMatch [8] AttributeValueAssertion, 70 extensibleMatch [9] MatchingRuleAssertion 71 } 73 SubstringFilter ::= SEQUENCE { 74 type AttributeDescription, 75 -- at least one must be present 76 -- initial and final can occur at most once 77 substrings SEQUENCE OF CHOICE { 78 initial [0] AssertionValue, 79 any [1] AssertionValue, 80 final [2] AssertionValue 81 } 82 } 84 AttributeValueAssertion ::= SEQUENCE { 85 attributeDesc AttributeDescription, 86 assertionValue AssertionValue 87 } 89 MatchingRuleAssertion ::= SEQUENCE { 90 matchingRule [1] MatchingRuleID OPTIONAL, 91 type [2] AttributeDescription OPTIONAL, 92 matchValue [3] AssertionValue, 93 dnAttributes [4] BOOLEAN DEFAULT FALSE 95 } 97 AttributeDescription ::= LDAPString 99 AttributeValue ::= OCTET STRING 101 MatchingRuleID ::= LDAPString 103 AssertionValue ::= OCTET STRING 105 LDAPString ::= OCTET STRING 107 where the LDAPString above is limited to the UTF-8 encoding of the 108 ISO 10646 character set [RFC2279]. The AttributeDescription is a 109 string representation of the attribute description and is defined in 110 [Protocol]. The AttributeValue and AssertionValue OCTET STRING have 111 the form defined in [Syntaxes]. The Filter is encoded for 112 transmission over a network using the Basic Encoding Rules defined in 113 [ASN.1], with simplifications described in [Protocol]. 115 4. String Search Filter Definition 117 The string representation of an LDAP search filter is defined by the 118 following grammar, following the ABNF notation defined in [RFC2234]. 119 The filter format uses a prefix notation. 121 filter = "(" filtercomp ")" 122 filtercomp = and / or / not / item 123 and = "&" filterlist 124 or = "|" filterlist 125 not = "!" filter 126 filterlist = 1*filter 127 item = simple / present / substring / extensible 128 simple = attr filtertype assertionvalue 129 filtertype = equal / approx / greater / less 130 equal = "=" 131 approx = "~=" 132 greater = ">=" 133 less = "<=" 134 extensible = attr [":dn"] [":" matchingrule] ":=" assertionvalue 135 / [":dn"] ":" matchingrule ":=" assertionvalue 136 / ":=" assertionvalue 137 present = attr "=*" 138 substring = attr "=" [initial] any [final] 139 initial = assertionvalue 140 any = "*" *(assertionvalue "*") 141 final = assertionvalue 142 attr = AttributeDescription 143 ; The rule is defined in 144 ; Section 4.1.5 of [Protocol]. 145 matchingrule = oid 146 ; The rule is defined in Section 4.1 147 ; of [Syntaxes] and is used to encode a 148 ; matching rule OBJECT IDENTIFIER. 149 assertionvalue = valueencoding 150 ; The rule is used to encode an 151 ; from Section 4.1.7 of [Protocol]. 152 valueencoding = 0*(normal / escaped) 153 normal = %x01-27 / %x2b-5b / %x5d-7f 154 escaped = "\" hex hex 155 hex = %x30-39 / %x41-46 / %x61-66 157 Note that although both the and productions in 158 the grammar above can produce the "attr=*" construct, this construct 159 is used only to denote a presence filter. 161 The rule provides that the octets that represent the 162 ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII 163 0x29), "\" (ASCII 0x5c), NUL (ASCII 0x00), and all octets greater 164 than 0x7f are represented as a backslash "\" (ASCII 0x5c) followed by 165 the two hexadecimal digits representing the value of the encoded 166 octet. 168 This simple escaping mechanism eliminates filter-parsing ambiguities 169 and allows any filter that can be represented in LDAP to be 170 represented as a NUL-terminated string. Other octets that are part of 171 the set may be escaped using this mechanism, for example, 172 non-printing ASCII characters. 174 For AssertionValues that contain UTF-8 character data, each octet of 175 the character to be escaped is replaced by a backslash and two hex 176 digits, which form a single octet in the code of the character. 178 For example, the filter checking whether the "cn" attribute contained 179 a value with the character "*" anywhere in it would be represented as 180 "(cn=*\2a*)". 182 5. Examples 184 This section gives a few examples of search filters written using 185 this notation. 187 (cn=Babs Jensen) 188 (!(cn=Tim Howes)) 189 (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*))) 190 (o=univ*of*mich*) 191 (seeAlso=) 193 The following examples illustrate the use of extensible matching. 195 (cn:1.2.3.4.5:=Fred Flintstone) 196 (cn:=Betty Rubble) 197 (sn:dn:2.4.6.8.10:=Barney Rubble) 198 (o:dn:=Ace Industry) 199 (:1.2.3:=Wilma Flintstone) 200 (:dn:2.4.6.8.10:=Dino) 201 (:=Fred Flintstone) 203 The first example shows use of the matching rule "1.2.3.4.5". 205 The second example demonstrates use of a MatchingRuleAssertion form 206 without a matchingRule. 208 The third example illustrates the use of the ":dn" notation to 209 indicate that matching rule "2.4.6.8.10" should be used when making 210 comparisons, and that the attributes of an entry's distinguished name 211 should be considered part of the entry when evaluating the match. 213 The fourth example denotes an equality match, except that DN 214 components should be considered part of the entry when doing the 215 match. 217 The fifth example is a filter that should be applied to any attribute 218 supporting the matching rule given (since the attr has been omitted). 220 The sixth example is also a filter that should be applied to any 221 attribute supporting the matching rule given. Attributes supporting 222 the matching rule contained in the DN should also be considered. 224 The seventh and final example is a filter that should be applied to 225 any attribute (since both the attr and matching rule have been 226 omitted). 228 The following examples illustrate the use of the escaping mechanism. 230 (o=Parens R Us \28for all your parenthetical needs\29) 231 (cn=*\2A*) 232 (filename=C:\5cMyFile) 233 (bin=\00\00\00\04) 234 (sn=Lu\c4\8di\c4\87) 235 (1.3.6.1.4.1.1466.0;binary=\04\02\48\69) 237 The first example shows the use of the escaping mechanism to 238 represent parenthesis characters. The second shows how to represent a 239 "*" in an assertion value, preventing it from being interpreted as a 240 substring indicator. The third illustrates the escaping of the 241 backslash character. 243 The fourth example shows a filter searching for the four-byte value 244 0x00000004, illustrating the use of the escaping mechanism to 245 represent arbitrary data, including NUL characters. 247 The fifth example illustrates the use of the escaping mechanism to 248 represent various non-ASCII UTF-8 characters. 250 The sixth and final example demonstrates assertion of a BER encoded 251 value. 253 6. Security Considerations 255 This memo describes a string representation of LDAP search filters. 256 While the representation itself has no known security implications, 257 LDAP search filters do. They are interpreted by LDAP servers to 258 select entries from which data is retrieved. LDAP servers should 259 take care to protect the data they maintain from unauthorized access. 261 Please refer to the Security Considerations sections of [Protocol] 262 and [AuthMeth] for more information. 264 7. References 266 [ASN.1] Specification of ASN.1 encoding rules: Basic, Canonical, and 267 Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994. 269 [AuthMeth] R. Harrison (editor), "LDAP: Authentication Methods and 270 Connection Level Security Mechanisms", draft-ietf-ldapbis-authmeth- 271 xx.txt, a work in progress. 273 [Protocol] J. Sermersheim (editor), "LDAP: The Protocol", draft- 274 ietf-ldapbis-protocol-xx.txt, a work in progress. 276 [RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax 277 Specifications: ABNF", RFC 2234, November 1997. 279 [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646", 280 RFC 2279, January 1998. 282 [Roadmap] K. Zeilenga (editor), "LDAP: Technical Specification Road 283 Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in progress. 285 [Syntaxes] K. Dally (editor), "LDAP: Syntaxes", draft-ietf-ldapbis- 286 syntaxes-xx.txt, a work in progress. 288 8. Acknowledgments 290 This document replaces RFC 2254 by Tim Howes. Changes included in 291 this revised specification are based upon discussions among the 292 authors, discussions within the LDAP (v3) Revision Working Group 293 (ldapbis), and discussions within other IETF Working Groups. The 294 contributions of individuals in these working groups is gratefully 295 acknowledged. 297 9. Authors' Address 299 Mark Smith (document editor) 300 Netscape Communications Corp. 301 447 Marlpool Drive 302 Saline, MI 48176 303 USA 304 +1 650 937-3477 305 mcs@netscape.com 307 Tim Howes 308 Loudcloud, Inc. 309 599 N. Mathilda Ave. 310 Sunnyvale, CA 94086 311 USA 312 +1 408 744-7509 313 howes@loudcloud.com 315 10. Full Copyright Statement 317 Copyright (C) The Internet Society (2002). All Rights Reserved. 319 This document and translations of it may be copied and furnished to 320 others, and derivative works that comment on or otherwise explain it 321 or assist in its implementation may be prepared, copied, published 322 and distributed, in whole or in part, without restriction of any 323 kind, provided that the above copyright notice and this paragraph are 324 included on all such copies and derivative works. However, this 325 document itself may not be modified in any way, such as by removing 326 the copyright notice or references to the Internet Society or other 327 Internet organizations, except as needed for the purpose of 328 developing Internet standards in which case the procedures for 329 copyrights defined in the Internet Standards process must be 330 followed, or as required to translate it into languages other than 331 English. 333 The limited permissions granted above are perpetual and will not be 334 revoked by the Internet Society or its successors or assigns. 336 This document and the information contained herein is provided on an 337 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 338 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 339 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 340 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 341 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 343 11. Appendix A: Changes Since RFC 2254 345 11.1. Technical Changes 347 "String Search Filter Definition" section: replaced the "value" rule 348 with a new "assertionvalue" rule within the "simple", "extensible", 349 and "substring" ("initial", "any", and "final") rules. This matches 350 a change made in [Syntaxes]. 351 Revised the "attr", "matchingrule", and "assertionvalue" ABNF to more 352 precisely reference productions from the [Protocol] and [Syntaxes] 353 documents. 354 Introduced the "valueencoding" and associated "normal" and "escaped" 355 rules to reduce the dependence on descriptive text. 356 Added a third option to the "extensible" production to allow creation 357 of a MatchingRuleAssertion that only has a matchValue. 359 11.2. Editorial Changes 361 Changed document title to include "LDAP:" prefix. 363 IESG Note: removed note about lack of satisfactory mandatory 364 authentication mechanisms. 366 Header and "Authors' Addresses" sections: added Mark Smith as the 367 document editor and updated Tim's affiliation and contact 368 information. 370 Copyright: changed the year to 2002. 372 "Abstract" section: updated second paragraph to indicate that RFC 373 2254 is replaced by this document (instead of RFC 1960). Added 374 reference to the [Roadmap] document. 376 "LDAP Search Filter Definition" section: made corrections to the 377 LDAPv3 search filter ABNF so it matches that used in [Protocol]. 379 "String Search Filter Definition" section: clarified the definition 380 of 'value' (now 'assertionvalue') to take into account the fact that 381 it is not precisely an AttributeAssertion from [Protocol] section 382 4.1.6 (special handling is required for some characters). Added a 383 note that each octet of a character to be escaped is replaced by a 384 backslash and two hex digits, which represent a single octet. 386 "Examples" section: added five additional examples: (seeAlso=), 387 (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), (:=Fred Flintstone), 388 and (1.3.6.1.4.1.1466.0;binary=\04\02\48\69). Replaced one occurrence 389 of "a value" with "an assertion value". 391 "Security Considerations" section: added references to [Protocol] and 392 [AuthMeth]. 394 "References" section: changed from [1] style to [Protocol] style 395 throughout the document. Added entries for [AuthMeth] and updated 396 UTF-8 reference to RFC 2279. Replaced RFC 822 reference with a 397 reference to RFC 2234. 399 "Acknowledgments" section: added. 401 "Appendix A: Changes Since RFC 2254" section: added. 403 "Appendix B: Changes Since Previous Document Revision" section: 404 added. 406 "Table of Contents" section: added. 408 12. Appendix B: Changes Since Previous Document Revision 410 This appendix lists all changes relative to the last published 411 revision, draft-ietf-ldapbis-filter-01.txt. Note that these changes 412 are also included in Appendix A, but are included here for those who 413 have already reviewed draft-ietf-ldapbis-filter-01.txt. This section 414 will be removed before this document is published as an RFC. 416 12.1. Technical Changes 418 "String Search Filter Definition" section: Added a third option to 419 the "extensible" production to allow creation of a 420 MatchingRuleAssertion that only has a "assertionvalue". 422 12.2. Editorial Changes 424 Changed document title to include "LDAP:" prefix. 426 "LDAP Search Filter Definition" section: updated the ASN.1 definition 427 of the Filter to match that used in [Protocol]. 429 "String Search Filter Definition" section: Revised "attr", 430 "matchingrule", and "assertionvalue" ABNF to directly reference 431 productions from the [Protocol] and [Syntaxes] documents. 432 Revised the text on hexadecimal escaping to be less UTF-8 centric. 434 "Examples" section: added a new example (:=Fred Flintstone) that only 435 has an "assertionvalue." 437 References: replaced [RFC2251bis] references with [Protocol]; similar 438 changes for other LDAP documents. Added reference to [Roadmap]. 439 "Authors' Addresses" section: updated Mark Smith's postal address. 441 This Internet Draft expires in August 2002. 443 1. Status of this Memo............................................1 444 2. Abstract.......................................................1 445 3. LDAP Search Filter Definition..................................2 446 4. String Search Filter Definition................................3 447 5. Examples.......................................................4 448 6. Security Considerations........................................6 449 7. References.....................................................6 450 8. Acknowledgments................................................7 451 9. Authors' Address...............................................7 452 10. Full Copyright Statement.......................................7 453 11. Appendix A: Changes Since RFC 2254.............................8 454 11.1. Technical Changes...........................................8 455 11.2. Editorial Changes...........................................8 456 12. Appendix B: Changes Since Previous Document Revision...........9 457 12.1. Technical Changes...........................................9 458 12.2. Editorial Changes...........................................10