idnits 2.17.1 draft-ietf-ldapbis-filter-03.txt: ** The Abstract section seems to be numbered Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand corner of the first page ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 2 instances of too long lines in the document, the longest one being 5 characters in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 115: '... matchingRule [1] MatchingRuleId OPTIONAL,...' RFC 2119 keyword, line 116: '... type [2] AttributeDescription OPTIONAL,...' == The 'Obsoletes: ' line in the draft header should list only the _numbers_ of the RFCs which will be obsoleted by this document (if approved); it should not include the word 'RFC' in the list. -- The draft header indicates that this document obsoletes RFC2254, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (9 August 2002) is 7928 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 106 -- Looks like a reference, but probably isn't: '1' on line 423 -- Looks like a reference, but probably isn't: '2' on line 116 -- Looks like a reference, but probably isn't: '3' on line 117 -- Looks like a reference, but probably isn't: '4' on line 118 -- Looks like a reference, but probably isn't: '5' on line 95 -- Looks like a reference, but probably isn't: '6' on line 96 -- Looks like a reference, but probably isn't: '7' on line 97 -- Looks like a reference, but probably isn't: '8' on line 98 -- Looks like a reference, but probably isn't: '9' on line 99 -- No information found for draft-ietf-ldapbis-authmeth-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'AuthMeth' -- No information found for draft-ietf-ldapbis-protocol-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Protocol' ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234) ** Obsolete normative reference: RFC 2279 (Obsoleted by RFC 3629) -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Roadmap' -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' Summary: 10 errors (**), 0 flaws (~~), 3 warnings (==), 21 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Smith, Editor 3 Request for Comments: DRAFT Netscape Communications Corp. 4 Obsoletes: RFC 2254 T. Howes 5 Expires: 9 February 2003 Loudcloud, Inc. 6 9 August 2002 8 LDAP: String Representation of Search Filters 9 11 1. Status of this Memo 13 This document is an Internet-Draft and is in full conformance with 14 all provisions of Section 10 of RFC2026. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet- Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 Discussion of this document should take place on the LDAP (v3) 33 Revision (ldapbis) Working Group mailing list . 36 Copyright (C) The Internet Society (2002). All Rights Reserved. 38 2. Abstract 40 LDAP search filters are transmitted in the LDAP protocol using a 41 binary representation that is appropriate for use on the network. 42 This document defines a human-readable string representation of LDAP 43 search filters that is appropriate for use in LDAP URLs and in other 44 applications. 46 3. Table of Contents 48 1. Status of this Memo............................................1 49 2. Abstract.......................................................1 50 3. Table of Contents..............................................2 51 4. Introduction...................................................2 52 5. LDAP Search Filter Definition..................................2 53 6. String Search Filter Definition................................3 54 7. Examples.......................................................5 55 8. Security Considerations........................................6 56 9. Normative References...........................................7 57 10. Acknowledgments................................................7 58 11. Authors' Address...............................................7 59 12. Full Copyright Statement.......................................8 60 13. Appendix A: Changes Since RFC 2254.............................8 61 13.1. Technical Changes...........................................8 62 13.2. Editorial Changes...........................................9 63 14. Appendix B: Changes Since Previous Document Revision...........10 64 14.1. Technical Changes...........................................10 65 14.2. Editorial Changes...........................................10 67 4. Introduction 69 The Lightweight Directory Access Protocol (LDAP) [Protocol] defines a 70 network representation of a search filter transmitted to an LDAP 71 server. Some applications may find it useful to have a common way of 72 representing these search filters in a human-readable form; LDAP URLs 73 are an example of one such application. This document defines a 74 human-readable string format for representing the full range of 75 possible LDAP version 3 search filters, including extended match 76 filters. 78 This document is an integral part of the LDAP Technical 79 Specification [Roadmap]. 81 This document replaces RFC 2254. Changes to RFC 2254 are summarized 82 in Appendix A. 84 5. LDAP Search Filter Definition 86 An LDAPv3 search filter is defined in Section 4.5.1 of [Protocol] as 87 follows: 89 Filter ::= CHOICE { 90 and [0] SET SIZE (1..MAX) OF Filter, 91 or [1] SET SIZE (1..MAX) OF Filter, 92 not [2] Filter, 93 equalityMatch [3] AttributeValueAssertion, 94 substrings [4] SubstringFilter, 95 greaterOrEqual [5] AttributeValueAssertion, 96 lessOrEqual [6] AttributeValueAssertion, 97 present [7] AttributeDescription, 98 approxMatch [8] AttributeValueAssertion, 99 extensibleMatch [9] MatchingRuleAssertion } 101 SubstringFilter ::= SEQUENCE { 102 type AttributeDescription, 103 -- at least one must be present, 104 -- initial and final can occur at most once 105 substrings SEQUENCE OF CHOICE { 106 initial [0] AssertionValue, 107 any [1] AssertionValue, 108 final [2] AssertionValue } } 110 AttributeValueAssertion ::= SEQUENCE { 111 attributeDesc AttributeDescription, 112 assertionValue AssertionValue } 114 MatchingRuleAssertion ::= SEQUENCE { 115 matchingRule [1] MatchingRuleId OPTIONAL, 116 type [2] AttributeDescription OPTIONAL, 117 matchValue [3] AssertionValue, 118 dnAttributes [4] BOOLEAN DEFAULT FALSE } 120 AttributeDescription ::= LDAPString 122 AttributeValue ::= OCTET STRING 124 MatchingRuleId ::= LDAPString 126 AssertionValue ::= OCTET STRING 128 LDAPString ::= OCTET STRING 130 where the LDAPString above is limited to the UTF-8 encoding of the 131 ISO 10646 character set [RFC2279]. The AttributeDescription is a 132 string representation of the attribute description and is defined in 133 [Protocol]. The AttributeValue and AssertionValue OCTET STRING have 134 the form defined in [Syntaxes]. The Filter is encoded for 135 transmission over a network using the Basic Encoding Rules defined in 136 [ASN.1], with simplifications described in [Protocol]. 138 6. String Search Filter Definition 140 The string representation of an LDAP search filter is defined by the 141 following grammar, following the ABNF notation defined in [RFC2234]. 143 The filter format uses a prefix notation. 145 filter = "(" filtercomp ")" 146 filtercomp = and / or / not / item 147 and = "&" filterlist 148 or = "|" filterlist 149 not = "!" filter 150 filterlist = 1*filter 151 item = simple / present / substring / extensible 152 simple = attr filtertype assertionvalue 153 filtertype = equal / approx / greater / less 154 equal = "=" 155 approx = "~=" 156 greater = ">=" 157 less = "<=" 158 extensible = attr [":dn"] [":" matchingrule] ":=" assertionvalue 159 / [":dn"] ":" matchingrule ":=" assertionvalue 160 / ":=" assertionvalue 161 present = attr "=*" 162 substring = attr "=" [initial] any [final] 163 initial = assertionvalue 164 any = "*" *(assertionvalue "*") 165 final = assertionvalue 166 attr = AttributeDescription 167 ; The rule is defined in 168 ; Section 4.1.4 of [Protocol]. 169 matchingrule = oid 170 ; The rule is defined in Section 2.1 171 ; of [Syntaxes] and is used to encode a 172 ; matching rule OBJECT IDENTIFIER. 173 assertionvalue = valueencoding 174 ; The rule is used to encode an 175 ; from Section 4.1.6 of [Protocol]. 176 valueencoding = 0*(normal / escaped) 177 normal = %x01-27 / %x2b-5b / %x5d-7f 178 escaped = "\" hex hex 179 hex = %x30-39 / %x41-46 / %x61-66 181 Note that although both the and productions in 182 the grammar above can produce the "attr=*" construct, this construct 183 is used only to denote a presence filter. 185 The rule provides that the octets that represent the 186 ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII 187 0x29), "\" (ASCII 0x5c), NUL (ASCII 0x00), and all octets greater 188 than 0x7f are represented as a backslash "\" (ASCII 0x5c) followed by 189 the two hexadecimal digits representing the value of the encoded 190 octet. 192 This simple escaping mechanism eliminates filter-parsing ambiguities 193 and allows any filter that can be represented in LDAP to be 194 represented as a NUL-terminated string. Other octets that are part of 195 the set may be escaped using this mechanism, for example, 196 non-printing ASCII characters. 198 For AssertionValues that contain UTF-8 character data, each octet of 199 the character to be escaped is replaced by a backslash and two hex 200 digits, which form a single octet in the code of the character. 202 For example, the filter checking whether the "cn" attribute contained 203 a value with the character "*" anywhere in it would be represented as 204 "(cn=*\2a*)". 206 7. Examples 208 This section gives a few examples of search filters written using 209 this notation. 211 (cn=Babs Jensen) 212 (!(cn=Tim Howes)) 213 (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*))) 214 (o=univ*of*mich*) 215 (seeAlso=) 217 The following examples illustrate the use of extensible matching. 219 (cn:1.2.3.4.5:=Fred Flintstone) 220 (cn:=Betty Rubble) 221 (sn:dn:2.4.6.8.10:=Barney Rubble) 222 (o:dn:=Ace Industry) 223 (:1.2.3:=Wilma Flintstone) 224 (:dn:2.4.6.8.10:=Dino) 225 (:=Fred Flintstone) 227 The first example shows use of the matching rule "1.2.3.4.5". 229 The second example demonstrates use of a MatchingRuleAssertion form 230 without a matchingRule. 232 The third example illustrates the use of the ":dn" notation to 233 indicate that matching rule "2.4.6.8.10" should be used when making 234 comparisons, and that the attributes of an entry's distinguished name 235 should be considered part of the entry when evaluating the match. 237 The fourth example denotes an equality match, except that DN 238 components should be considered part of the entry when doing the 239 match. 241 The fifth example is a filter that should be applied to any attribute 242 supporting the matching rule given (since the attr has been omitted). 244 The sixth example is also a filter that should be applied to any 245 attribute supporting the matching rule given. Attributes supporting 246 the matching rule contained in the DN should also be considered. 248 The seventh and final example is a filter that should be applied to 249 any attribute (since both the attr and matching rule have been 250 omitted). 252 The following examples illustrate the use of the escaping mechanism. 254 (o=Parens R Us \28for all your parenthetical needs\29) 255 (cn=*\2A*) 256 (filename=C:\5cMyFile) 257 (bin=\00\00\00\04) 258 (sn=Lu\c4\8di\c4\87) 259 (1.3.6.1.4.1.1466.0;binary=\04\02\48\69) 261 The first example shows the use of the escaping mechanism to 262 represent parenthesis characters. The second shows how to represent a 263 "*" in an assertion value, preventing it from being interpreted as a 264 substring indicator. The third illustrates the escaping of the 265 backslash character. 267 The fourth example shows a filter searching for the four-byte value 268 0x00000004, illustrating the use of the escaping mechanism to 269 represent arbitrary data, including NUL characters. 271 The fifth example illustrates the use of the escaping mechanism to 272 represent various non-ASCII UTF-8 characters. 274 The sixth and final example demonstrates assertion of a BER encoded 275 value. 277 8. Security Considerations 279 This memo describes a string representation of LDAP search filters. 280 While the representation itself has no known security implications, 281 LDAP search filters do. They are interpreted by LDAP servers to 282 select entries from which data is retrieved. LDAP servers should 283 take care to protect the data they maintain from unauthorized access. 285 Please refer to the Security Considerations sections of [Protocol] 286 and [AuthMeth] for more information. 288 9. Normative References 290 [ASN.1] Specification of ASN.1 encoding rules: Basic, Canonical, and 291 Distinguished Encoding Rules, ITU-T Recommendation X.690, 1994. 293 [AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and 294 Connection Level Security Mechanisms", draft-ietf-ldapbis-authmeth- 295 xx.txt, a work in progress. 297 [Protocol] Sermersheim, J. (editor), "LDAP: The Protocol", draft- 298 ietf-ldapbis-protocol-xx.txt, a work in progress. 300 [RFC2234] Crocker, D., Overell, P., "Augmented BNF for Syntax 301 Specifications: ABNF", RFC 2234, November 1997. 303 [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646", 304 RFC 2279, January 1998. 306 [Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification Road 307 Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in progress. 309 [Syntaxes] Dally, K. (editor), "LDAP: Syntaxes", draft-ietf-ldapbis- 310 syntaxes-xx.txt, a work in progress. 312 10. Acknowledgments 314 This document replaces RFC 2254 by Tim Howes. Changes included in 315 this revised specification are based upon discussions among the 316 authors, discussions within the LDAP (v3) Revision Working Group 317 (ldapbis), and discussions within other IETF Working Groups. The 318 contributions of individuals in these working groups is gratefully 319 acknowledged. 321 11. Authors' Address 323 Mark Smith, Editor 324 Netscape Communications Corp. 325 360 W. Caribbean Drive 326 Sunnyvale, CA 94089 327 USA 328 +1 650 937-3477 329 mcs@netscape.com 330 Tim Howes 331 Loudcloud, Inc. 332 599 N. Mathilda Ave. 333 Sunnyvale, CA 94086 334 USA 335 +1 408 744-7509 336 howes@loudcloud.com 338 12. Full Copyright Statement 340 Copyright (C) The Internet Society (2002). All Rights Reserved. 342 This document and translations of it may be copied and furnished to 343 others, and derivative works that comment on or otherwise explain it 344 or assist in its implementation may be prepared, copied, published 345 and distributed, in whole or in part, without restriction of any 346 kind, provided that the above copyright notice and this paragraph are 347 included on all such copies and derivative works. However, this 348 document itself may not be modified in any way, such as by removing 349 the copyright notice or references to the Internet Society or other 350 Internet organizations, except as needed for the purpose of 351 developing Internet standards in which case the procedures for 352 copyrights defined in the Internet Standards process must be 353 followed, or as required to translate it into languages other than 354 English. 356 The limited permissions granted above are perpetual and will not be 357 revoked by the Internet Society or its successors or assigns. 359 This document and the information contained herein is provided on an 360 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 361 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 362 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 363 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 364 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 366 13. Appendix A: Changes Since RFC 2254 368 13.1. Technical Changes 370 "String Search Filter Definition" section: replaced the "value" rule 371 with a new "assertionvalue" rule within the "simple", "extensible", 372 and "substring" ("initial", "any", and "final") rules. This matches 373 a change made in [Syntaxes]. 374 Revised the "attr", "matchingrule", and "assertionvalue" ABNF to more 375 precisely reference productions from the [Protocol] and [Syntaxes] 376 documents. 378 Introduced the "valueencoding" and associated "normal" and "escaped" 379 rules to reduce the dependence on descriptive text. 380 Added a third option to the "extensible" production to allow creation 381 of a MatchingRuleAssertion that only has a matchValue. 383 13.2. Editorial Changes 385 Changed document title to include "LDAP:" prefix. 387 IESG Note: removed note about lack of satisfactory mandatory 388 authentication mechanisms. 390 Header and "Authors' Addresses" sections: added Mark Smith as the 391 document editor and updated affiliation and contact information. 393 "Table of Contents" section: added. 395 Copyright: updated the year. 397 "Abstract" section: separated from introductory material. 399 "Introduction" section: new section; separated from the Abstract. 400 Updated second paragraph to indicate that RFC 2254 is replaced by 401 this document (instead of RFC 1960). Added reference to the [Roadmap] 402 document. 404 "LDAP Search Filter Definition" section: made corrections to the 405 LDAPv3 search filter ABNF so it matches that used in [Protocol]. 407 "String Search Filter Definition" section: clarified the definition 408 of 'value' (now 'assertionvalue') to take into account the fact that 409 it is not precisely an AttributeAssertion from [Protocol] section 410 4.1.6 (special handling is required for some characters). Added a 411 note that each octet of a character to be escaped is replaced by a 412 backslash and two hex digits, which represent a single octet. 414 "Examples" section: added five additional examples: (seeAlso=), 415 (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), (:=Fred Flintstone), 416 and (1.3.6.1.4.1.1466.0;binary=\04\02\48\69). Replaced one occurrence 417 of "a value" with "an assertion value". 419 "Security Considerations" section: added references to [Protocol] and 420 [AuthMeth]. 422 "Normative References" section: renamed from "References" per new RFC 423 guidelines. Changed from [1] style to [Protocol] style throughout the 424 document. Added entries for [AuthMeth] and [Roadmap] and updated 425 UTF-8 reference to RFC 2279. Replaced RFC 822 reference with a 426 reference to RFC 2234. 428 "Acknowledgments" section: added. 430 "Appendix A: Changes Since RFC 2254" section: added. 432 "Appendix B: Changes Since Previous Document Revision" section: 433 added. 435 14. Appendix B: Changes Since Previous Document Revision 437 This appendix lists all changes relative to the last published 438 revision, draft-ietf-ldapbis-filter-02.txt. Note that these changes 439 are also included in Appendix A, but are included here for those who 440 have already reviewed draft-ietf-ldapbis-filter-02.txt. This section 441 will be removed before this document is published as an RFC. 443 14.1. Technical Changes 445 None. 447 14.2. Editorial Changes 449 "Abstract" section: separated from introductory material. 451 "Table of Contents" section: moved to correct location (after 452 Abstract). 454 "Introduction" section: new section; separated from the Abstract. 456 "LDAP Search Filter Definition " section: updated section references 457 to match current LDAPBis drafts. Made minor changes to the ASN.1 so 458 it exactly matches that used in the Protocol document. 460 "Normative References" section: renamed from "References" per new RFC 461 guidelines; changed author names to "Last, F." format for 462 consistency. 464 "Authors' Address" section: updated Mark Smith's postal address. 466 This Internet Draft expires on 9 February 2003.