Lightweight Directory Access Protocol (LDAP): Additional Matching Rules
RFC 3698
| Document | Type |
RFC
- Proposed Standard
(February 2004)
Updated by RFC 4517
Updates RFC 2798
Was
draft-zeilenga-ldap-user-schema-mr
(individual in gen area)
|
|
|---|---|---|---|
| Author | Kurt Zeilenga | ||
| Last updated | 2018-07-18 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Stream | WG state | (None) | |
| Document shepherd | (None) | ||
| IESG | IESG state | RFC 3698 (Proposed Standard) | |
| Action Holders |
(None)
|
||
| Consensus boilerplate | Unknown | ||
| Telechat date | (None) | ||
| Responsible AD | Ted Hardie | ||
| IESG note | 2004-02-26: published as RFC 3698 | ||
| Send notices to | (None) |
RFC 3698
Network Working Group K. Zeilenga, Ed.
Request for Comments: 3698 OpenLDAP Foundation
Updates: 2798 February 2004
Category: Standards Track
Lightweight Directory Access Protocol (LDAP):
Additional Matching Rules
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document provides a collection of matching rules for use with
the Lightweight Directory Access Protocol (LDAP). As these matching
rules are simple adaptations of matching rules specified for use with
the X.500 Directory, most are already in wide use.
Table of Contents
1. Background and Intended Use. . . . . . . . . . . . . . . . . . 2
2. Matching Rules . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1. booleanMatch . . . . . . . . . . . . . . . . . . . . . . 2
2.2. caseExactMatch . . . . . . . . . . . . . . . . . . . . . 2
2.3. caseExactOrderingMatch . . . . . . . . . . . . . . . . . 3
2.4. caseExactSubstringsMatch . . . . . . . . . . . . . . . . 3
2.5. caseIgnoreListSubstringsMatch. . . . . . . . . . . . . . 3
2.6. directoryStringFirstComponentMatch . . . . . . . . . . . 4
2.7. integerOrderingMatch . . . . . . . . . . . . . . . . . . 4
2.8. keywordMatch . . . . . . . . . . . . . . . . . . . . . . 4
2.9. numericStringOrderingMatch . . . . . . . . . . . . . . . 5
2.10. octetStringOrderingMatch . . . . . . . . . . . . . . . . 5
2.11. storedPrefixMatch. . . . . . . . . . . . . . . . . . . . 5
2.12. wordMatch. . . . . . . . . . . . . . . . . . . . . . . . 6
3. Security Considerations. . . . . . . . . . . . . . . . . . . . 6
4. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 6
5. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Zeilenga Standards Track [Page 1]
RFC 3698 LDAP: Additional Matching Rules February 2004
6.1. Normative References . . . . . . . . . . . . . . . . . . 7
6.2. Informative References . . . . . . . . . . . . . . . . . 7
7. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 8
8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 9
1. Background and Intended Use
This document adapts additional X.500 Directory [X.500] matching
rules [X.520] for use with the Lightweight Directory Access Protocol
(LDAP) [RFC3377]. Most of these rules are widely used today on the
Internet, such as in support of the inetOrgPerson [RFC2798] and
Policy Core Information Model [RFC3703] LDAP schemas. The rules are
applicable to many other applications.
This document supersedes the informational matching rules
descriptions provided in RFC 2798 that are now provided in this
document. Specifically, section 2 of this document replaces section
9.3.3 of RFC 2798.
Schema definitions are provided using LDAP description formats
[RFC2252]. Definitions provided here are formatted (line wrapped)
for readability.
2. Matching Rules
2.1. booleanMatch
The booleanMatch rule compares for equality a asserted Boolean value
with an attribute value of BOOLEAN syntax. The rule returns TRUE if
and only if the values are the same, i.e., both are TRUE or both are
FALSE. (Source: X.520)
( 2.5.13.13 NAME 'booleanMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
The BOOLEAN (1.3.6.1.4.1.1466.115.121.1.7) syntax is described in
[RFC2252].
2.2. caseExactMatch
The caseExactMatch rule compares for equality the asserted value with
an attribute value of DirectoryString syntax. The rule is identical
to the caseIgnoreMatch [RFC2252] rule except that case is not
ignored. (Source: X.520)
Zeilenga Standards Track [Page 2]
RFC 3698 LDAP: Additional Matching Rules February 2004
( 2.5.13.5 NAME 'caseExactMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
described in [RFC2252].
2.3. caseExactOrderingMatch
The caseExactOrderingMatch rule compares the collation order of the
asserted string with an attribute value of DirectoryString syntax.
The rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule
except that letters are not folded. (Source: X.520)
( 2.5.13.6 NAME 'caseExactOrderingMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
described in [RFC2252].
2.4. caseExactSubstringsMatch
The caseExactSubstringsMatch rule determines whether the asserted
value(s) are substrings of an attribute value of DirectoryString
syntax. The rule is identical to the caseIgnoreSubstringsMatch
[RFC2252] rule except that case is not ignored. (Source: X.520)
( 2.5.13.7 NAME 'caseExactSubstringsMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
The SubstringsAssertion (1.3.6.1.4.1.1466.115.121.1.58) syntax is
described in [RFC2252].
2.5. caseIgnoreListSubstringsMatch
The caseIgnoreListSubstringMatch rule compares the asserted substring
with an attribute value which is a sequence of DirectoryStrings, but
where the case (upper or lower) is not significant for comparison
purposes. The asserted value matches a stored value if and only if
the asserted value matches the string formed by concatenating the
strings of the stored value. This matching is done according to the
caseIgnoreSubstringsMatch [RFC2252] rule; however, none of the
initial, any, or final values of the asserted value are considered to
match a substring of the concatenated string which spans more than
one of the strings of the stored value. (Source: X.520)
( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
Zeilenga Standards Track [Page 3]
RFC 3698 LDAP: Additional Matching Rules February 2004
The SubstringsAssertion (1.3.6.1.4.1.1466.115.121.1.58) syntax is
described in [RFC2252].
2.6. directoryStringFirstComponentMatch
The directoryStringFirstComponentMatch rule compares for equality the
asserted DirectoryString value with an attribute value of type
SEQUENCE whose first component is mandatory and of type
DirectoryString. The rule returns TRUE if and only if the attribute
value has a first component whose value matches the asserted
DirectoryString using the rules of caseIgnoreMatch [RFC2252]. A
value of the assertion syntax is derived from a value of the
attribute syntax by using the value of the first component of the
SEQUENCE. (Source: X.520)
( 2.5.13.31 NAME 'directoryStringFirstComponentMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
described in [RFC2252].
2.7. integerOrderingMatch
The integerOrderingMatch rule compares the ordering of the asserted
integer with an attribute value of INTEGER syntax. The rule returns
True if the attribute value is less than the asserted value. (Source:
X.520)
( 2.5.13.15 NAME 'integerOrderingMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax is described in
[RFC2252].
2.8. keywordMatch
The keywordMatch rule compares the asserted string with keywords in
an attribute value of DirectoryString syntax. The rule returns TRUE
if and only if the asserted value matches any keyword in the
attribute value. The identification of keywords in an attribute
value and of the exactness of match are both implementation specific.
(Source: X.520)
( 2.5.13.33 NAME 'keywordMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
described in [RFC2252].
Zeilenga Standards Track [Page 4]
RFC 3698 LDAP: Additional Matching Rules February 2004
2.9. numericStringOrderingMatch
The numericStringOrderingMatch rule compares the collation order of
the asserted string with an attribute value of NumericString syntax.
The rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule
except that all space characters are skipped during comparison (case
is irrelevant as characters are numeric). (Source: X.520)
( 2.5.13.9 NAME 'numericStringOrderingMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
The NumericString (1.3.6.1.4.1.1466.115.121.1.36) syntax is described
in [RFC2252].
2.10. octetStringOrderingMatch
The octetStringOrderingMatch rule compares the collation order of the
asserted octet string with an attribute value of OCTET STRING syntax.
The rule compares octet strings from first octet to last octet, and
from the most significant bit to the least significant bit within the
octet. The first occurrence of a different bit determines the
ordering of the strings. A zero bit precedes a one bit. If the
strings are identical but contain different numbers of octets, the
shorter string precedes the longer string. (Source: X.520)
( 2.5.13.18 NAME 'octetStringOrderingMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
The OCTET STRING (1.3.6.1.4.1.1466.115.121.1.40) syntax is described
in [RFC2252].
2.11. storedPrefixMatch
The storedPrefixMatch rule determines whether an attribute value,
whose syntax is DirectoryString is a prefix (i.e., initial substring)
of the asserted value, without regard to the case (upper or lower) of
the strings. The rule returns TRUE if and only if the attribute
value is an initial substring of the asserted value with
corresponding characters identical except possibly with regard to
case. (Source: X.520)
( 2.5.13.41 NAME 'storedPrefixMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
Zeilenga Standards Track [Page 5]
RFC 3698 LDAP: Additional Matching Rules February 2004
Note: This rule can be used, for example, to compare values in the
Directory which are telephone area codes with a purported value
which is a telephone number.
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
described in [RFC2252].
2.12. wordMatch
The wordMatch rule compares the asserted string with words in an
attribute value of DirectoryString syntax. The rule returns TRUE if
and only if the asserted word matches any word in the attribute
value. Individual word matching is as for the caseIgnoreMatch
[RFC2252] matching rule. The precise definition of a "word" is
implementation specific. (Source: X.520)
( 2.5.13.32 NAME 'wordMatch'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
described in [RFC2252].
3. Security Considerations
General LDAP security considerations [RFC3377] is applicable to the
use of this schema. Additional considerations are noted above where
appropriate.
4. IANA Considerations
The Internet Assigned Numbers Authority (IANA) has updated the LDAP
descriptors registry [RFC3383] as indicated in the following
template:
Subject: Request for LDAP Descriptor Registration Update
Descriptor (short name): see comment
Object Identifier: see comments
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Usage: see comments
Specification: RFC 3698
Author/Change Controller: IESG
Comments:
Zeilenga Standards Track [Page 6]
RFC 3698 LDAP: Additional Matching Rules February 2004
The following descriptors have been added:
NAME Type OID
------------------------ ---- ---------
booleanMatch M 2.5.13.13
caseExactMatch M 2.5.13.5
caseExactOrderingMatch M 2.5.13.6
caseExactSubstringsMatch M 2.5.13.7
caseIgnoreListSubstringsMatch M 2.5.13.12
directoryStringFirstComponentMatch M 2.5.13.31
integerOrderingMatch M 2.5.13.15
keywordMatch M 2.5.13.33
numericStringOrderingMatch M 2.5.13.9
octetStringOrderingMatch M 2.5.13.18
storedPrefixMatch M 2.5.13.41
wordMatch M 2.5.13.32
where Type M is Matching Rule.
This document makes no new OID assignments. It only associates LDAP
matching rule descriptions with existing X.500 matching rules.
5. Acknowledgments
This document borrows from [X.520], an ITU-T Recommendation.
6. References
6.1. Normative References
[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
"Lightweight Directory Access Protocol (v3): Attribute
Syntax Definitions", RFC 2252, December 1997.
[RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
Protocol (v3): Technical Specification", RFC 3377,
September 2002.
6.2. Informative References
[RFC2798] Smith, M., "The LDAP inetOrgPerson Object Class", RFC
2798, April 2000.
[RFC3383] Zeilenga, K., "IANA Considerations for LDAP", BCP 64
RFC 3383, September 2002.
[RFC3703] Strassner, J., Moore, B., Moats, R. and E. Ellesson,
"Policy Core LDAP Schema", RFC 3703, February 2004.
Zeilenga Standards Track [Page 7]
RFC 3698 LDAP: Additional Matching Rules February 2004
[X.500] International Telecommunication Union -
Telecommunication Standardization Sector, "The
Directory -- Overview of concepts, models and
services," X.500(1993) (also ISO/IEC 9594-1:1994).
[X.520] International Telecommunication Union -
Telecommunication Standardization Sector, "The
Directory: Selected Attribute Types", X.520(1997).
7. Author's Address
Kurt D. Zeilenga
OpenLDAP Foundation
EMail: Kurt@OpenLDAP.org
Zeilenga Standards Track [Page 8]
RFC 3698 LDAP: Additional Matching Rules February 2004
8. Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78 and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology
described in this document or the extent to which any license
under such rights might or might not be available; nor does it
represent that it has made any independent effort to identify any
such rights. Information on the procedures with respect to
rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention
any copyrights, patents or patent applications, or other
proprietary rights that may cover technology that may be required
to implement this standard. Please address the information to the
IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Zeilenga Standards Track [Page 9]