The String Representation of LDAP Search Filters
RFC 2254

Document Type RFC - Proposed Standard (December 1997; Errata)
Obsoleted by RFC 4515, RFC 4510
Updated by RFC 3377
Obsoletes RFC 1960
Author Tim Howes 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2254 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                          T. Howes
Request for Comments: 2254                Netscape Communications Corp.
Category: Standards Track                                 December 1997

            The String Representation of LDAP Search Filters

1. Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1997).  All Rights Reserved.


   This document describes a directory access protocol that provides
   both read and update access.  Update access requires secure
   authentication, but this document does not mandate implementation of
   any satisfactory authentication mechanisms.

   In accordance with RFC 2026, section 4.4.1, this specification is
   being approved by IESG as a Proposed Standard despite this
   limitation, for the following reasons:

   a. to encourage implementation and interoperability testing of
      these protocols (with or without update access) before they
      are deployed, and

   b. to encourage deployment and use of these protocols in read-only
      applications.  (e.g. applications where LDAPv3 is used as
      a query language for directories which are updated by some
      secure mechanism other than LDAP), and

   c. to avoid delaying the advancement and deployment of other Internet
      standards-track protocols which require the ability to query, but
      not update, LDAPv3 directory servers.

Howes                       Standards Track                     [Page 1]
RFC 2254             String Representation of LDAP         December 1997

   Readers are hereby warned that until mandatory authentication
   mechanisms are standardized, clients and servers written according to
   this specification which make use of update functionality are

   Implementors are hereby discouraged from deploying LDAPv3 clients or
   servers which implement the update functionality, until a Proposed
   Standard for mandatory authentication in LDAPv3 has been approved and
   published as an RFC.

2. Abstract

   The Lightweight Directory Access Protocol (LDAP) [1] defines a
   network representation of a search filter transmitted to an LDAP
   server.  Some applications may find it useful to have a common way of
   representing these search filters in a human-readable form.  This
   document defines a human-readable string format for representing LDAP
   search filters.

   This document replaces RFC 1960, extending the string LDAP filter
   definition to include support for LDAP version 3 extended match
   filters, and including support for representing the full range of
   possible LDAP search filters.

Howes                       Standards Track                     [Page 2]
RFC 2254             String Representation of LDAP         December 1997

3. LDAP Search Filter Definition

   An LDAPv3 search filter is defined in Section 4.5.1 of [1] as

        Filter ::= CHOICE {
                and                [0] SET OF Filter,
                or                 [1] SET OF Filter,
                not                [2] Filter,
                equalityMatch      [3] AttributeValueAssertion,
                substrings         [4] SubstringFilter,
                greaterOrEqual     [5] AttributeValueAssertion,
                lessOrEqual        [6] AttributeValueAssertion,
                present            [7] AttributeDescription,
                approxMatch        [8] AttributeValueAssertion,
                extensibleMatch    [9] MatchingRuleAssertion

        SubstringFilter ::= SEQUENCE {
                type    AttributeDescription,
                SEQUENCE OF CHOICE {
                        initial        [0] LDAPString,
                        any            [1] LDAPString,
                        final          [2] LDAPString

        AttributeValueAssertion ::= SEQUENCE {
                attributeDesc   AttributeDescription,
                attributeValue  AttributeValue

        MatchingRuleAssertion ::= SEQUENCE {
                matchingRule    [1] MatchingRuleID OPTIONAL,
                type            [2] AttributeDescription OPTIONAL,
                matchValue      [3] AssertionValue,
                dnAttributes    [4] BOOLEAN DEFAULT FALSE

        AttributeDescription ::= LDAPString

        AttributeValue ::= OCTET STRING

        MatchingRuleID ::= LDAPString

        AssertionValue ::= OCTET STRING

        LDAPString ::= OCTET STRING
Show full document text