INTERNET-DRAFT Editor: Kurt D. Zeilenga Intended Category: Standard Track OpenLDAP Foundation Expires in six months 5 June 2003 Updates: RFC 2798 LDAP: Additional Matching Rules <draft-zeilenga-ldap-user-schema-mr-00.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. This document is a subset of technical specification offered in draft-zeilenga-ldap-user-schema-xx.txt. This document is intended to be, after appropriate review and revision, submitted to the RFC Editor as a Standard Track document. Distribution of this memo is unlimited. Technical discussion of this document will take place on the IETF Directory Interest mailing list <directory@apps.ietf.org>. Please send editorial comments directly to the author <Kurt@OpenLDAP.org>. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' The list of current Internet-Drafts can be accessed at <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of Internet-Draft Shadow Directories can be accessed at <http://www.ietf.org/shadow.html>. Copyright (C) The Internet Society (2003). All Rights Reserved. Please see the Full Copyright section near the end of this document for more information. Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 1]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 Abstract This document provides a collection of matching rules for use with the Lightweight Directory Access Protocol (LDAP). As these matching rules are simple adaptations of matching rules specified for use with the X.500 Directory, most are already in wide use. Table of Contents (to be expanded by editor) Status of this Memo 1 Abstract 2 Table of Contents 1. Background and Intended Use 2. Matching Rules 3 2.1. booleanMatch 2.2. caseExactMatch 2.3. caseExactOrderingMatch 2.4. caseExactSubstringsMatch 4 2.5. caseIgnoreListSubstringsMatch 2.6. directoryStringFirstComponentMatch 2.7. integerOrderingMatch 5 2.8. keywordMatch 2.9. numericStringOrderingMatch 2.10. octetStringOrderingMatch 6 2.11. storedPrefixMatch 2.12. wordMatch 3. Security Considerations 7 4. IANA Considerations 5. Acknowledgments 8 6. Author's Address 7. Normative References 8. Informative References Intellectual Property Rights 9 Full Copyright 1. Background and Intended Use This document adapts additional X.500 Directory [X.500] matching rules [X.520] for use with the Lightweight Directory Access Protocol (LDAP) [RFC3377]. Most of these rules are widely used today on the Internet, such as in support of the inetOrgPerson [RFC2798] and Policy Core Information Model [PCIM] LDAP schemas. The rules are applicable to many other applications. This document supersedes the informational matching rules descriptions provided in RFC 2798 that are now provided in this document. Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 2]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 Specifically, section 2 of this document replaces section 9.3.3 of RFC 2798. Schema definitions are provided using LDAP description formats [RFC2252]. Definitions provided here are formatted (line wrapped) for readability. 2. Matching Rules 2.1. booleanMatch The booleanMatch rule compares for equality a asserted Boolean value with an attribute value of BOOLEAN syntax. The rule returns TRUE if and only if the values are the same, i.e. both are TRUE or both are FALSE. (Source: X.520) ( 2.5.13.13 NAME 'booleanMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) The BOOLEAN (1.3.6.1.4.1.1466.115.121.1.7) syntax is described in [RFC2252]. 2.2. caseExactMatch The caseExactMatch rule compares for equality the asserted value with an attribute value of DirectoryString syntax. The rule is identical to the caseIgnoreMatch [RFC2252] rule except that case is not ignored. (Source: X.520) ( 2.5.13.5 NAME 'caseExactMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is described in [RFC2252]. 2.3. caseExactOrderingMatch The caseExactOrderingMatch rule compares the collation order of the asserted string with an attribute value of DirectoryString syntax. The rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule except that letters are not folded. (Source: X.520) ( 2.5.13.6 NAME 'caseExactOrderingMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 3]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is described in [RFC2252]. 2.4. caseExactSubstringsMatch The caseExactSubstringsMatch rule determines whether the asserted value(s) are substrings of an attribute value of DirectoryString syntax. The rule is identical to the caseIgnoreSubstringsMatch [RFC2252] rule except that case is not ignored. (Source: X.520) ( 2.5.13.7 NAME 'caseExactSubstringsMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) The SubstringsAssertion (1.3.6.1.4.1.1466.115.121.1.58) syntax is described in [RFC2252]. 2.5. caseIgnoreListSubstringsMatch The caseIgnoreListSubstringMatch rule compares the asserted substring with an attribute value which is a sequence of DirectoryStrings, but where the case (upper or lower) is not significant for comparison purposes. The asserted value matches a stored value if and only if the asserted value matches the string formed by concatenating the strings of the stored value. This matching is done according to the caseIgnoreSubstringsMatch [RFC2252] rule; however, none of the initial, any, or final values of the asserted value are considered to match a substring of the concatenated string which spans more than one of the strings of the stored value. (Source: X.520) ( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) The SubstringsAssertion (1.3.6.1.4.1.1466.115.121.1.58) syntax is described in [RFC2252]. 2.6. directoryStringFirstComponentMatch The directoryStringFirstComponentMatch rule compares for equality the asserted DirectoryString value with an attribute value of type SEQUENCE whose first component is mandatory and of type DirectoryString. The rule returns TRUE if and only if the attribute value has a first component whose value matches the asserted DirectoryString using the rules of caseIgnoreMatch [RFC2252]. A value of the assertion syntax is derived from a value of the attribute syntax by using the value of the first component of the SEQUENCE. Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 4]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 (Source: X.520) ( 2.5.13.31 NAME 'directoryStringFirstComponentMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is described in [RFC2252]. 2.7. integerOrderingMatch The integerOrderingMatch rule compares the ordering of the asserted integer with an attribute value of INTEGER syntax. The rule returns True if the attribute value is less than the asserted value. (Source: X.520) ( 2.5.13.15 NAME 'integerOrderingMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax is described in [RFC2252]. 2.8. keywordMatch The keywordMatch rule compares the asserted string with keywords in an attribute value of DirectoryString syntax. The rule returns TRUE if and only if the asserted value matches any keyword in the attribute value. The identification of keywords in an attribute value and of the exactness of match are both implementation specific. (Source: X.520) ( 2.5.13.32 NAME 'keywordMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is described in [RFC2252]. 2.9. numericStringOrderingMatch The numericStringOrderingMatch rule compares the collation order of the asserted string with an attribute value of NumericString syntax. The rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule except that all space characters are skipped during comparison (case is irrelevant as characters are numeric). (Source: X.520) ( 2.5.13.9 NAME 'numericStringOrderingMatch' Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 5]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 ) The NumericString (1.3.6.1.4.1.1466.115.121.1.36) syntax is described in [RFC2252]. 2.10. octetStringOrderingMatch The octetStringOrderingMatch rule compares the collation order of the asserted octet string with an attribute value of OCTET STRING syntax. The rule compares octet strings from first octet to last octet, and from the most significant bit to the least significant bit within the octet. The first occurrence of a different bit determines the ordering of the strings. A zero bit precedes a one bit. If the strings are identical but contain different numbers of octets, the shorter string precedes the longer string. (Source: X.520) ( 2.5.13.18 NAME 'octetStringOrderingMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) The OCTET STRING (1.3.6.1.4.1.1466.115.121.1.40) syntax is described in [RFC2252]. 2.11. storedPrefixMatch The storedPrefixMatch rule determines whether an attribute value, whose syntax is DirectoryString is a prefix (i.e. initial substring) of the asserted value, without regard to the case (upper or lower) of the strings. The rule returns TRUE if and only if the attribute value is an initial substring of the asserted value with corresponding characters identical except possibly with regard to case. (Source: X.520) ( 2.5.13.41 NAME 'storedPrefixMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) Note: This rule can be used, for example, to compare values in the Directory which are telephone area codes with a purported value which is a telephone number. The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is described in [RFC2252]. 2.12. wordMatch The wordMatch rule compares the asserted string with words in an Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 6]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 attribute value of DirectoryString syntax. The rule returns TRUE if and only if the asserted word matches any word in the attribute value. Individual word matching is as for the caseIgnoreMatch [RFC2252] matching rule. The precise definition of a "word" is implementation specific. (Source: X.520) ( 2.5.13.32 NAME 'wordMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is described in [RFC2252]. 3. Security Considerations General LDAP security considerations [RFC3377] is applicable to the use of this schema. Additional considerations are noted above where appropriate. 4. IANA Considerations It is requested that the Internet Assigned Numbers Authority (IANA) update upon Standard Action the LDAP descriptors registry [RFC3383] as indicated the following template: Subject: Request for LDAP Descriptor Registration Update Descriptor (short name): see comment Object Identifier: see comments Person & email address to contact for further information: Kurt Zeilenga <kurt@OpenLDAP.org> Usage: see comments Specification: RFC XXXX Author/Change Controller: IESG Comments: The following descriptors should be added: NAME Type OID ------------------------ ---- --------- booleanMatch M 2.5.13.13 caseExactMatch M 2.5.13.5 caseExactOrderingMatch M 2.5.13.6 caseExactSubstringsMatch M 2.5.13.7 caseIgnoreListSubstringsMatch M 2.5.13.12 directoryStringFirstComponentMatch M 2.5.13.31 integerOrderingMatch M 2.5.13.15 keywordMatch M 2.5.13.32 Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 7]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 numericStringOrderingMatch M 2.5.13.9 octetStringOrderingMatch M 2.5.13.18 storedPrefixMatch M 2.5.13.41 wordMatch M 2.5.13.32 where Type M is Matching Rule. This document make no new OID assignments. It only associates LDAP matching rule descriptions with existing X.500 matching rules. 5. Acknowledgments This document borrows from [X.520], an ITU-T Recommendation. 6. Author's Address Kurt D. Zeilenga OpenLDAP Foundation <Kurt@OpenLDAP.org> 7. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14 (also RFC 2119), March 1997. [RFC2252] Wahl, M., A. Coulbeck, T. Howes, and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997. [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access Protocol (v3): Technical Specification", RFC 3377, September 2002. 8. Informative References [RFC2798] Smith, M., "The LDAP inetOrgPerson Object Class", RFC 2798, April 2000. [RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64 (also RFC 3383), September 2002. Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 8]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 [X.500] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory -- Overview of concepts, models and services," X.500(1993) (also ISO/IEC 9594-1:1994). [X.520] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Selected Attribute Types", X.520(1997). [PCIM] Strassner, J., B. Moore, R. Moats, E. Ellesson, "Policy Core LDAP Schema", a work in progress. Intellectual Property Rights The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implmentation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 9]
INTERNET-DRAFT LDAP: Additional Matching Rules 5 June 2003 the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. Zeilenga draft-zeilenga-ldap-user-schema-mr-00 [Page 10]
