Versions: 00 rfc1960                                                    
Network Working Group                                        Tim Howes
INTERNET DRAFT                                  University of Michigan
                                                     19 December, 1995

             A String Representation of LDAP Search Filters

1.  Status of this Memo

This document is an Internet-Draft.  Internet-Drafts are  working  docu-
ments  of the Internet Engineering Task Force (IETF), its areas, and its
working groups.  Note that other  groups  may  also  distribute  working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum  of  six  months
and  may  be  updated,  replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as ``work in progress.''

To learn the current status of  any  Internet-Draft,  please  check  the
``1id-abstracts.txt''  listing  contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net  (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

2.  Abstract

The Lightweight Directory Access Protocol (LDAP) [1] defines  a  network
representation  of  a search filter transmitted to an LDAP server.  Some
applications may find it useful to have a  common  way  of  representing
these  search filters in a human-readable form.  This document defines a
human-readable string format for representing LDAP search filters.

3.  LDAP Search Filter Definition

An LDAP search filter is defined in [1] as follows:

     Filter ::= CHOICE {
             and                [0] SET OF Filter,
             or                 [1] SET OF Filter,
             not                [2] Filter,
             equalityMatch      [3] AttributeValueAssertion,
             substrings         [4] SubstringFilter,
             greaterOrEqual     [5] AttributeValueAssertion,
             lessOrEqual        [6] AttributeValueAssertion,
             present            [7] AttributeType,
             approxMatch        [8] AttributeValueAssertion
     }

Howes                                                           [Page 1]

RFC DRAFT                                                  December 1995


     SubstringFilter ::= SEQUENCE {
             type    AttributeType,
             SEQUENCE OF CHOICE {
                     initial        [0] LDAPString,
                     any            [1] LDAPString,
                     final          [2] LDAPString
             }
     }

     AttributeValueAssertion ::= SEQUENCE {
             attributeType   AttributeType,
             attributeValue  AttributeValue
     }

     AttributeType ::= LDAPString

     AttributeValue ::= OCTET STRING

     LDAPString ::= OCTET STRING

where the LDAPString above is limited to the  IA5  character  set.   The
AttributeType  is a string representation of the attribute type name and
is defined in [1].  The AttributeValue OCTET STRING has the form defined
in [2].  The Filter is encoded for transmission over a network using the
Basic Encoding Rules defined in [3], with simplifications  described  in

4.  String Search Filter Definition

The string representation of an LDAP search filter  is  defined  by  the
following grammar.  It uses a prefix format.

     <filter> ::= '(' <filtercomp> ')'
     <filtercomp> ::= <and> | <or> | <not> | <item>
     <and> ::= '&' <filterlist>
     <or> ::= '|' <filterlist>
     <not> ::= '!' <filter>
     <filterlist> ::= <filter> | <filter> <filterlist>
     <item> ::= <simple> | <present> | <substring>
     <simple> ::= <attr> <filtertype> <value>
     <filtertype> ::= <equal> | <approx> | <greater> | <less>
     <equal> ::= '='
     <approx> ::= '~='
     <greater> ::= '>='
     <less> ::= '<='
     <present> ::= <attr> '=*'
     <substring> ::= <attr> '=' <initial> <any> <final>
     <initial> ::= NULL | <value>
     <any> ::= '*' <starval>
     <starval> ::= NULL | <value> '*' <starval>
     <final> ::= NULL | <value>

<attr> is a string representing an AttributeType,  and  has  the  format
defined  in [1].  <value> is a string representing an AttributeValue, or
part of one, and has the form defined in [2].  If a <value> must contain
one  of  the  characters  '*'  or '(' or ')', these characters should be
escaped by preceding them with the backslash '\' character.   Note  that
although  both the <substring> and <present> productions can produce the
'attr=*' construct, this construct is used only  to  denote  a  presence

5.  Examples

This section gives a few examples of search filters written  using  this

     (cn=Babs Jensen)
     (!(cn=Tim Howes))
     (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
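
The grammar and escaping rule of section 4, applied to the examples above, as
an added Python example that is not part of the original draft: a
recursive-descent parser for the string form and an escaper for untrusted
<value> text.  The function names are hypothetical, and escaping the backslash
itself is an assumption the draft does not state.

```python
import re
ITEM_HEAD = re.compile(r"([^=~<>()]+)(~=|>=|<=|=)")  # <attr> then <filtertype>

def escape_value(raw):
    # The draft names '*', '(' and ')'; escaping '\' as well is an assumption.
    return "".join("\\" + c if c in "*()\\" else c for c in raw)

def parse_item(s, i):
    # <item>: attr, filtertype, then value pieces split on unescaped '*'.
    m = ITEM_HEAD.match(s, i)
    if not m:
        raise ValueError(f"bad item at offset {i}")
    attr, op, i = m.group(1), m.group(2), m.end()
    parts, cur = [], ""
    while i < len(s) and s[i] != ")":
        if s[i] == "(":
            raise ValueError(f"unescaped '(' in value at offset {i}")
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i + 1], i + 2       # escaped character is literal
        elif s[i] == "*":
            parts.append(cur); cur = ""; i += 1  # unescaped '*' splits the value
        else:
            cur, i = cur + s[i], i + 1
    return (attr, op, parts + [cur]), i

def parse_filter(s, i=0):
    # <filter> ::= '(' <filtercomp> ')'; returns (tree, index after ')').
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    head, i = s[i + 1:i + 2], i + 1
    if head in ("&", "|", "!"):
        kids, i = [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if not kids or (head == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{head}'")
        node = (head, kids)
    else:
        node, i = parse_item(s, i)
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse(s):
    tree, end = parse_filter(s)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return tree
```

An item parses to (attr, filtertype, pieces): one piece is a <simple> match,
and more than one piece means the value contained an unescaped '*'.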

6.  Security Considerations

Security considerations are not discussed in this document.

7.  Bibliography

[1]  Lightweight Directory Access Protocol.  Wengyik Yeong,  Tim  Howes,
     Steve Kille, Request for Comment (RFC) 1777, March 1995

[2]  The String  Representation  of  Standard  Attribute  Syntaxes.   T.
     Howes, S.  Kille, W. Yeong, C.J. Robbins; Request for Comment (RFC)
     1778, March 1995

[3]  Specification of Basic Encoding Rules for Abstract Syntax  Notation
     One (ASN.1).  CCITT Recommendation X.209, 1988.

8.  Author's Address

   Tim Howes
   University of Michigan
   ITD Research Systems
   535 W William St.
   Ann Arbor, MI 48103-4943
   +1 313 747-4454