mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
2300 lines
95 KiB
Plaintext
2300 lines
95 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
INTERNET-DRAFT S. Legg
|
|||
|
draft-legg-ldapext-component-matching-08.txt Adacel Technologies
|
|||
|
Intended Category: Standard Track April 19, 2002
|
|||
|
|
|||
|
|
|||
|
LDAP & X.500 Component Matching Rules
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2002). All Rights Reserved.
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
|
|||
|
This document is an Internet-Draft and is in full conformance with
|
|||
|
all provisions of Section 10 of RFC2026.
|
|||
|
|
|||
|
Internet-Drafts are working documents of the Internet Engineering
|
|||
|
Task Force (IETF), its areas, and its working groups. Note that
|
|||
|
other groups may also distribute working documents as
|
|||
|
Internet-Drafts.
|
|||
|
|
|||
|
Internet-Drafts are draft documents valid for a maximum of six months
|
|||
|
and may be updated, replaced, or obsoleted by other documents at any
|
|||
|
time. It is inappropriate to use Internet-Drafts as reference
|
|||
|
material or to cite them other than as "work in progress".
|
|||
|
|
|||
|
The list of current Internet-Drafts can be accessed at
|
|||
|
http://www.ietf.org/ietf/1id-abstracts.txt
|
|||
|
|
|||
|
The list of Internet-Draft Shadow Directories can be accessed at
|
|||
|
http://www.ietf.org/shadow.html.
|
|||
|
|
|||
|
Distribution of this document is unlimited. Comments should be sent
|
|||
|
to the LDAPEXT working group mailing list <ietf-ldapext@netscape.com>
|
|||
|
or to the author.
|
|||
|
|
|||
|
This Internet-Draft expires on 19 October 2002.
|
|||
|
|
|||
|
|
|||
|
1. Abstract
|
|||
|
|
|||
|
The syntaxes of attributes in a Lightweight Directory Access Protocol
|
|||
|
or X.500 directory range from simple data types, such as text string,
|
|||
|
integer, or boolean, to complex structured data types, such as the
|
|||
|
syntaxes of the directory schema operational attributes. The
|
|||
|
matching rules defined for the complex syntaxes, if any, usually only
|
|||
|
provide the most immediately useful matching capability. This
|
|||
|
document defines generic matching rules that can match any user
|
|||
|
selected component parts in an attribute value of any arbitrarily
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 1]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
complex attribute syntax.
|
|||
|
|
|||
|
|
|||
|
2. Table of Contents
|
|||
|
|
|||
|
1. Abstract ...................................................... 1
|
|||
|
2. Table of Contents ............................................. 2
|
|||
|
3. Introduction .................................................. 2
|
|||
|
4. Conventions ................................................... 4
|
|||
|
5. ComponentAssertion ............................................ 5
|
|||
|
5.1 Component Reference ....................................... 5
|
|||
|
5.1.1 Component Type Substitutions ......................... 7
|
|||
|
5.1.2 Referencing SET, SEQUENCE and CHOICE Components ...... 8
|
|||
|
5.1.3 Referencing SET OF and SEQUENCE OF Components ........ 9
|
|||
|
5.1.4 Referencing Components of Parameterized Types ........ 10
|
|||
|
5.1.5 Component Referencing Example ........................ 10
|
|||
|
5.1.6 Referencing Components of Open Types ................. 11
|
|||
|
5.1.6.1 Open Type Referencing Example ................... 12
|
|||
|
5.1.7 Referencing Contained Types .......................... 13
|
|||
|
5.1.7.1 Contained Type Referencing Example .............. 14
|
|||
|
5.2 Matching of Components .................................... 15
|
|||
|
5.2.1 Applicability of Existing Matching Rules ............. 16
|
|||
|
5.2.1.1 String Matching ................................. 16
|
|||
|
5.2.1.2 Telephone Number Matching ....................... 17
|
|||
|
5.2.1.3 Distinguished Name Matching ..................... 17
|
|||
|
5.2.2 Additional Useful Matching Rules ..................... 17
|
|||
|
5.2.2.1 The rdnMatch Matching Rule ...................... 18
|
|||
|
5.2.2.2 The presentMatch Matching Rule .................. 18
|
|||
|
5.2.3 Summary of Useful Matching Rules ..................... 19
|
|||
|
6. ComponentFilter ............................................... 21
|
|||
|
7. The componentFilterMatch Matching Rule ........................ 22
|
|||
|
8. Equality Matching of Complex Components ....................... 23
|
|||
|
8.1 The OpenAssertionType Syntax .............................. 24
|
|||
|
8.2 The allComponentsMatch Matching Rule ...................... 25
|
|||
|
8.3 Deriving Component Equality Matching Rules ................ 27
|
|||
|
8.4 The directoryComponentsMatch Matching Rule ................ 28
|
|||
|
9. Component Matching Examples ................................... 29
|
|||
|
10. Security Considerations ...................................... 36
|
|||
|
11. Acknowledgements ............................................. 36
|
|||
|
12. Normative References ......................................... 36
|
|||
|
13. Informative References ....................................... 37
|
|||
|
14. Intellectual Property Notice ................................. 38
|
|||
|
15. Copyright Notice ............................................. 38
|
|||
|
16. Author's Address ............................................. 39
|
|||
|
|
|||
|
|
|||
|
3. Introduction
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 2]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
The structure or data type of data held in an attribute of an LDAP
|
|||
|
[3] or X.500 [18] directory is described by the attribute's syntax.
|
|||
|
Attribute syntaxes range from simple data types, such as text string,
|
|||
|
integer, or boolean, to complex data types, for example, the syntaxes
|
|||
|
of the directory schema operational attributes.
|
|||
|
|
|||
|
In X.500, the attribute syntaxes are explicitly described by ASN.1
|
|||
|
[11] type definitions. ASN.1 type notation has a number of simple
|
|||
|
data types (e.g. PrintableString, INTEGER, BOOLEAN), and combining
|
|||
|
types (i.e. SET, SEQUENCE, SET OF, SEQUENCE OF, and CHOICE) for
|
|||
|
constructing arbitrarily complex data types from simpler component
|
|||
|
types. In LDAP, the attribute syntaxes are usually described by ABNF
|
|||
|
[2] though there is an implied association between the LDAP attribute
|
|||
|
syntaxes and the X.500 ASN.1 types. To a large extent, the data
|
|||
|
types of attribute values in either an LDAP or X.500 directory are
|
|||
|
described by ASN.1 types. This formal description can be exploited
|
|||
|
to identify component parts of an attribute value for a variety of
|
|||
|
purposes. This document addresses attribute value matching.
|
|||
|
|
|||
|
With any complex attribute syntax there is normally a requirement to
|
|||
|
partially match an attribute value of that syntax by matching only
|
|||
|
selected components of the value. Typically, matching rules specific
|
|||
|
to the attribute syntax are defined to fill this need. These highly
|
|||
|
specific matching rules usually only provide the most immediately
|
|||
|
useful matching capability. Some complex attribute syntaxes don't
|
|||
|
even have an equality matching rule let alone any additional matching
|
|||
|
rules for partial matching. This document defines a generic way of
|
|||
|
matching user selected components in an attribute value of any
|
|||
|
arbitrarily complex attribute syntax, where that syntax is described
|
|||
|
using ASN.1 type notation. All of the type notations defined in [11]
|
|||
|
are supported.
|
|||
|
|
|||
|
Section 5 describes the ComponentAssertion, a testable assertion
|
|||
|
about the value of a component of an attribute value of any complex
|
|||
|
syntax.
|
|||
|
|
|||
|
Section 6 introduces the ComponentFilter assertion, which is an
|
|||
|
expression of ComponentAssertions. The ComponentFilter enables more
|
|||
|
powerful filter matching of components in an attribute value.
|
|||
|
|
|||
|
Section 7 defines the componentFilterMatch matching rule, which
|
|||
|
enables a ComponentFilter to be evaluated against attribute values.
|
|||
|
|
|||
|
Section 8 defines matching rules for component-wise equality matching
|
|||
|
of attribute values of any syntax described by an ASN.1 type
|
|||
|
definition.
|
|||
|
|
|||
|
Examples showing the usage of componentFilterMatch are in Section 9.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 3]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
For a new attribute syntax, the Generic String Encoding Rules [7] and
|
|||
|
the specifications in sections 5 to 8 of this document make it
|
|||
|
possible to fully and precisely define, the LDAP-specific encoding,
|
|||
|
the LDAP and X.500 binary encoding (and possibly other encodings in
|
|||
|
the future, e.g. XML via XER), a suitable equality matching rule, and
|
|||
|
a comprehensive collection of component matching capabilities, by
|
|||
|
simply writing down an ASN.1 type definition for the syntax. These
|
|||
|
implicit definitions are also automatically extended if the ASN.1
|
|||
|
type is later extended. The algorithmic relationship between the
|
|||
|
ASN.1 type definition, the various encodings and the component
|
|||
|
matching behaviour makes directory server implementation support for
|
|||
|
the component matching rules amenable to automatic code generation
|
|||
|
from ASN.1 type definitions.
|
|||
|
|
|||
|
Schema designers have the choice of storing related items of data as
|
|||
|
a single attribute value of a complex syntax in some entry, or as a
|
|||
|
subordinate entry where the related data items are stored as separate
|
|||
|
attribute values of simpler syntaxes. The inability to search
|
|||
|
component parts of a complex syntax has been used as an argument for
|
|||
|
favouring the subordinate entries approach. The component matching
|
|||
|
rules provide the analogous matching capability on an attribute value
|
|||
|
of a complex syntax that a search filter has on a subordinate entry.
|
|||
|
|
|||
|
Most LDAP syntaxes have corresponding ASN.1 type definitions, though
|
|||
|
they are usually not reproduced or referenced alongside the formal
|
|||
|
definition of the LDAP syntax. Syntaxes defined with only a
|
|||
|
character string encoding, i.e. without an explicit or implied
|
|||
|
corresponding ASN.1 type definition, cannot use the component
|
|||
|
matching capabilities described in this document unless and until a
|
|||
|
semantically equivalent ASN.1 type definition is defined for them.
|
|||
|
|
|||
|
|
|||
|
4. Conventions
|
|||
|
|
|||
|
Throughout this document "type" shall be taken to mean an ASN.1 type
|
|||
|
unless explicitly qualified as an attribute type, and "value" shall
|
|||
|
be taken to mean an ASN.1 value unless explicitly qualified as an
|
|||
|
attribute value.
|
|||
|
|
|||
|
Note that "ASN.1 value" does not mean a BER [19] encoded value. The
|
|||
|
ASN.1 value is an abstract concept that is independent of any
|
|||
|
particular encoding. BER is just one possible encoding of an ASN.1
|
|||
|
value. The component matching rules operate at the abstract level
|
|||
|
without regard for the possible encodings of a value.
|
|||
|
|
|||
|
Attribute type and matching rule definitions in this document are
|
|||
|
provided in both the X.500 [8] and LDAP [4] description formats. Note
|
|||
|
that the LDAP descriptions have been rendered with additional
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 4]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
white-space and line breaks for the sake of readability.
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in RFC 2119 [1].
|
|||
|
|
|||
|
|
|||
|
5. ComponentAssertion
|
|||
|
|
|||
|
A ComponentAssertion is an assertion about the presence, or values
|
|||
|
of, components within an ASN.1 value, i.e. an instance of an ASN.1
|
|||
|
type. The ASN.1 value is typically an attribute value, where the
|
|||
|
ASN.1 type is the syntax of the attribute. However a
|
|||
|
ComponentAssertion may also be applied to a component part of an
|
|||
|
attribute value. The assertion evaluates to either TRUE, FALSE or
|
|||
|
undefined for each tested ASN.1 value.
|
|||
|
|
|||
|
A ComponentAssertion is described by the following ASN.1 type
|
|||
|
(assumed to be defined with "EXPLICIT TAGS" in force):
|
|||
|
|
|||
|
ComponentAssertion ::= SEQUENCE {
|
|||
|
component ComponentReference,
|
|||
|
useDefaultValues BOOLEAN DEFAULT TRUE,
|
|||
|
rule MATCHING-RULE.&id,
|
|||
|
value MATCHING-RULE.&AssertionType }
|
|||
|
|
|||
|
ComponentReference ::= UTF8String
|
|||
|
|
|||
|
MATCHING-RULE.&id equates to the OBJECT IDENTIFIER of a matching
|
|||
|
rule. MATCHING-RULE.&AssertionType is an open type (formally known
|
|||
|
as the ANY type).
|
|||
|
|
|||
|
The "component" field of a ComponentAssertion identifies which
|
|||
|
component part of a value of some ASN.1 type is to be tested, the
|
|||
|
"useDefaultValues" field indicates whether DEFAULT values are to be
|
|||
|
substituted for absent component values, the "rule" field indicates
|
|||
|
how the component is to be tested, and the "value" field is an
|
|||
|
asserted ASN.1 value against which the component is tested. The
|
|||
|
ASN.1 type of the asserted value is determined by the chosen rule.
|
|||
|
|
|||
|
The fields of a ComponentAssertion are described in detail in the
|
|||
|
following sections.
|
|||
|
|
|||
|
|
|||
|
5.1 Component Reference
|
|||
|
|
|||
|
The component field in a ComponentAssertion is a UTF8 character
|
|||
|
string [6] whose textual content is a component reference,
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 5]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
identifying a component part of some ASN.1 type or value. A
|
|||
|
component reference conforms to the following ABNF [2], which extends
|
|||
|
the notation defined in Clause 14 of [11]:
|
|||
|
|
|||
|
component-reference = ComponentId *( "." ComponentId )
|
|||
|
ComponentId = identifier /
|
|||
|
from-beginning /
|
|||
|
count /
|
|||
|
from-end / ; extends Clause 14
|
|||
|
content / ; extends Clause 14
|
|||
|
select / ; extends Clause 14
|
|||
|
all
|
|||
|
|
|||
|
identifier = lowercase *alphanumeric
|
|||
|
*(hyphen 1*alphanumeric)
|
|||
|
alphanumeric = uppercase / lowercase / decimal-digit
|
|||
|
uppercase = %x41-5A ; "A" to "Z"
|
|||
|
lowercase = %x61-7A ; "a" to "z"
|
|||
|
hyphen = "-"
|
|||
|
|
|||
|
from-beginning = positive-number
|
|||
|
count = "0"
|
|||
|
from-end = "-" positive-number
|
|||
|
content = %x63.6F.6E.74.65.6E.74 ; "content"
|
|||
|
select = "(" Value *( "," Value ) ")"
|
|||
|
all = "*"
|
|||
|
|
|||
|
|
|||
|
positive-number = non-zero-digit *decimal-digit
|
|||
|
|
|||
|
decimal-digit = %x30-39 ; "0" to "9"
|
|||
|
non-zero-digit = %x31-39 ; "1" to "9"
|
|||
|
|
|||
|
An <identifier> conforms to the definition of an identifier in ASN.1
|
|||
|
notation (Clause 11.3 of [11]). It begins with a lowercase letter
|
|||
|
and is followed by zero or more letters, digits, and hyphens. A
|
|||
|
hyphen is not permitted to be the last character and a hyphen is not
|
|||
|
permitted to be followed by another hyphen.
|
|||
|
|
|||
|
The <Value> rule is described in [7].
|
|||
|
|
|||
|
A component reference is a sequence of one or more ComponentIds where
|
|||
|
each successive ComponentId identifies either an inner component at
|
|||
|
the next level of nesting of an ASN.1 combining type, i.e. SET,
|
|||
|
SEQUENCE, SET OF, SEQUENCE OF, or CHOICE, or a specific type within
|
|||
|
an ASN.1 open type.
|
|||
|
|
|||
|
A component reference is always considered in the context of a
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 6]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
particular complex ASN.1 type. When applied to the ASN.1 type the
|
|||
|
component reference identifies a specific component type. When
|
|||
|
applied to a value of the ASN.1 type a component reference identifies
|
|||
|
zero, one or more component values of that component type. The
|
|||
|
component values are potentially in a DEFAULT value if
|
|||
|
useDefaultValues is TRUE. The specific component type identified by
|
|||
|
the component reference determines what matching rules are capable of
|
|||
|
being used to match the component values.
|
|||
|
|
|||
|
An empty string for a component reference, which would identify the
|
|||
|
whole ASN.1 value, is NOT supported since assertions about a whole
|
|||
|
value are already possible by the direct application of a matching
|
|||
|
rule to an attribute value.
|
|||
|
|
|||
|
A valid component reference for a particular complex ASN.1 type is
|
|||
|
constructed by starting with the outermost combining type and
|
|||
|
repeatedly selecting one of the permissible forms of ComponentId to
|
|||
|
identify successively deeper nested components. A component
|
|||
|
reference MAY identify a component with a complex ASN.1 type, i.e. it
|
|||
|
is NOT required that the component type identified by a component
|
|||
|
reference be a simple ASN.1 type.
|
|||
|
|
|||
|
|
|||
|
5.1.1 Component Type Substitutions
|
|||
|
|
|||
|
ASN.1 type notation has a number of constructs for referencing other
|
|||
|
defined types, and constructs that are irrelevant for matching
|
|||
|
purposes. These constructs are not represented in a component
|
|||
|
reference in any way and substitutions of the component type are
|
|||
|
performed to eliminate them from further consideration. These
|
|||
|
substitutions automatically occur prior to each ComponentId, whether
|
|||
|
constructing or interpreting a component reference, but do not occur
|
|||
|
after the last ComponentId, except as allowed by Section 5.2.
|
|||
|
|
|||
|
If the ASN.1 type is an ASN.1 type reference then the component type
|
|||
|
is taken to be the actual definition on the right hand side of the
|
|||
|
type assignment for the referenced type.
|
|||
|
|
|||
|
If the ASN.1 type is a tagged type then the component type is taken
|
|||
|
to be the type without the tag.
|
|||
|
|
|||
|
If the ASN.1 type is a constrained type (see [11] and [14] for the
|
|||
|
details of ASN.1 constraint notation) then the component type is
|
|||
|
taken to be the type without the constraint.
|
|||
|
|
|||
|
If the ASN.1 type is an ObjectClassFieldType (Clause 14 of [13]) that
|
|||
|
denotes a specific ASN.1 type (e.g. MATCHING-RULE.&id denotes the
|
|||
|
OBJECT IDENTIFIER type) then the component type is taken to be the
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 7]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
denoted type. Section 5.1.6 describes the case where the
|
|||
|
ObjectClassFieldType denotes an open type.
|
|||
|
|
|||
|
If the ASN.1 type is a selection type other than one used in the list
|
|||
|
of components for a SET or SEQUENCE type then the component type is
|
|||
|
taken to be the selected alternative type from the named CHOICE.
|
|||
|
|
|||
|
If the ASN.1 type is a TypeFromObject (Clause 15 of [13]) then the
|
|||
|
component type is taken to be the denoted type.
|
|||
|
|
|||
|
If the ASN.1 type is a ValueSetFromObjects (Clause 15 of [13]) then
|
|||
|
the component type is taken to be the governing type of the denoted
|
|||
|
values.
|
|||
|
|
|||
|
|
|||
|
5.1.2 Referencing SET, SEQUENCE and CHOICE Components
|
|||
|
|
|||
|
If the ASN.1 type is a SET or SEQUENCE type then the <identifier>
|
|||
|
form of ComponentId MAY be used to identify the component type within
|
|||
|
that SET or SEQUENCE having that identifier. If <identifier>
|
|||
|
references an OPTIONAL component type and that component is not
|
|||
|
present in a particular value then there are no corresponding
|
|||
|
component values. If <identifier> references a DEFAULT component
|
|||
|
type and useDefaultValues is TRUE (the default setting for
|
|||
|
useDefaultValues) and that component is not present in a particular
|
|||
|
value then the component value is taken to be the default value. If
|
|||
|
<identifier> references a DEFAULT component type and useDefaultValues
|
|||
|
is FALSE and that component is not present in a particular value then
|
|||
|
there are no corresponding component values.
|
|||
|
|
|||
|
If the ASN.1 type is a CHOICE type then the <identifier> form of
|
|||
|
ComponentId MAY be used to identify the alternative type within that
|
|||
|
CHOICE having that identifier. If <identifier> references an
|
|||
|
alternative other than the one used in a particular value then there
|
|||
|
are no corresponding component values.
|
|||
|
|
|||
|
The COMPONENTS OF notation in Clause 24 of [11] augments the defined
|
|||
|
list of components in a SET or SEQUENCE type by including all the
|
|||
|
components of another defined SET or SEQUENCE type respectively.
|
|||
|
These included components are referenced directly by identifier as
|
|||
|
though they were defined in-line in the SET or SEQUENCE type
|
|||
|
containing the COMPONENTS OF notation.
|
|||
|
|
|||
|
The SelectionType (Clause 29 of [11]), when used in the list of
|
|||
|
components for a SET or SEQUENCE type, includes a single component
|
|||
|
from a defined CHOICE type. This included component is referenced
|
|||
|
directly by identifier as though it was defined in-line in the SET or
|
|||
|
SEQUENCE type.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 8]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
The REAL type is treated as though it is the SEQUENCE type defined in
|
|||
|
Clause 20.5 of [11].
|
|||
|
|
|||
|
The EMBEDDED PDV type is treated as though it is the SEQUENCE type
|
|||
|
defined in Clause 32.5 of [11].
|
|||
|
|
|||
|
The EXTERNAL type is treated as though it is the SEQUENCE type
|
|||
|
defined in Clause 33.5 of [11].
|
|||
|
|
|||
|
The unrestricted CHARACTER STRING type is treated as though it is the
|
|||
|
SEQUENCE type defined in Clause 39.5 of [11].
|
|||
|
|
|||
|
The INSTANCE OF type is treated as though it is the SEQUENCE type
|
|||
|
defined in Annex C of [13].
|
|||
|
|
|||
|
The <identifier> form MUST NOT be used on any other ASN.1 type.
|
|||
|
|
|||
|
|
|||
|
5.1.3 Referencing SET OF and SEQUENCE OF Components
|
|||
|
|
|||
|
If the ASN.1 type is a SET OF or SEQUENCE OF type then the
|
|||
|
<from-beginning>, <from-end>, <count> and <all> forms of ComponentId
|
|||
|
can be used.
|
|||
|
|
|||
|
The <from-beginning> form of ComponentId MAY be used to identify one
|
|||
|
instance (i.e. value) of the component type of the SET OF or SEQUENCE
|
|||
|
OF type (e.g. if Foo ::= SET OF Bar, then Bar is the component type),
|
|||
|
where the instances are numbered from one upwards. If
|
|||
|
<from-beginning> references a higher numbered instance than the last
|
|||
|
instance in a particular value of the SET OF or SEQUENCE OF type then
|
|||
|
there is no corresponding component value.
|
|||
|
|
|||
|
The <from-end> form of ComponentId MAY be used to identify one
|
|||
|
instance of the component type of the SET OF or SEQUENCE OF type,
|
|||
|
where "-1" is the last instance, "-2" is the second last instance,
|
|||
|
and so on. If <from-end> references a lower numbered instance than
|
|||
|
the first instance in a particular value of the SET OF or SEQUENCE OF
|
|||
|
type then there is no corresponding component value.
|
|||
|
|
|||
|
The <count> form of ComponentId identifies a notional count of the
|
|||
|
number of instances of the component type in a value of the SET OF or
|
|||
|
SEQUENCE OF type. This count is not explicitly represented but for
|
|||
|
matching purposes it has an assumed ASN.1 type of INTEGER (0..MAX).
|
|||
|
A ComponentId of the <count> form MUST be the last ComponentId in a
|
|||
|
component reference.
|
|||
|
|
|||
|
The <all> form of ComponentId MAY be used to simultaneously identify
|
|||
|
all instances of the component type of the SET OF or SEQUENCE OF
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 9]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
type. It is through the <all> form that a component reference can
|
|||
|
identify more than one component value. However, if a particular
|
|||
|
value of the SET OF or SEQUENCE OF type is an empty list there are no
|
|||
|
corresponding component values.
|
|||
|
|
|||
|
Where multiple component values are identified, the remaining
|
|||
|
ComponentIds in the component reference, if any, can identify zero,
|
|||
|
one or more subcomponent values for each of the higher level
|
|||
|
component values.
|
|||
|
|
|||
|
The corresponding ASN.1 type for the <from-beginning>, <from-end>,
|
|||
|
and <all> forms of ComponentId is the component type of the SET OF or
|
|||
|
SEQUENCE OF type.
|
|||
|
|
|||
|
The <from-beginning>, <count>, <from-end> and <all> forms MUST NOT be
|
|||
|
used on ASN.1 types other than SET OF or SEQUENCE OF.
|
|||
|
|
|||
|
|
|||
|
5.1.4 Referencing Components of Parameterized Types
|
|||
|
|
|||
|
A component reference cannot be formed for a parameterized type
|
|||
|
unless the type has been used with actual parameters, in which case
|
|||
|
the type is treated as though the DummyReferences [15] have been
|
|||
|
substituted with the actual parameters.
|
|||
|
|
|||
|
|
|||
|
5.1.5 Component Referencing Example
|
|||
|
|
|||
|
Consider the following ASN.1 type definitions.
|
|||
|
|
|||
|
ExampleType ::= SEQUENCE {
|
|||
|
part1 [0] INTEGER,
|
|||
|
part2 [1] ExampleSet,
|
|||
|
part3 [2] SET OF OBJECT IDENTIFIER,
|
|||
|
part4 [3] ExampleChoice }
|
|||
|
|
|||
|
ExampleSet ::= SET {
|
|||
|
option PrintableString,
|
|||
|
setting BOOLEAN }
|
|||
|
|
|||
|
ExampleChoice ::= CHOICE {
|
|||
|
eeny-meeny BIT STRING,
|
|||
|
miney-mo OCTET STRING }
|
|||
|
|
|||
|
Following are component references constructed with respect to the
|
|||
|
type ExampleType.
|
|||
|
|
|||
|
The component reference "part1" identifies a component of a value of
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 10]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
ExampleType having the ASN.1 tagged type [0] INTEGER.
|
|||
|
|
|||
|
The component reference "part2" identifies a component of a value of
|
|||
|
ExampleType having the ASN.1 type of [1] ExampleSet
|
|||
|
|
|||
|
The component reference "part2.option" identifies a component of a
|
|||
|
value of ExampleType having the ASN.1 type of PrintableString. A
|
|||
|
ComponentAssertion could also be applied to a value of ASN.1 type
|
|||
|
ExampleSet, in which case the component reference "option" would
|
|||
|
identify the same kind of information.
|
|||
|
|
|||
|
The component reference "part3" identifies a component of a value of
|
|||
|
ExampleType having the ASN.1 type of [2] SET OF OBJECT IDENTIFIER.
|
|||
|
|
|||
|
The component reference "part3.2" identifies the second instance of
|
|||
|
the part3 SET OF. The instance has the ASN.1 type of OBJECT
|
|||
|
IDENTIFIER.
|
|||
|
|
|||
|
The component reference "part3.0" identifies the count of the number
|
|||
|
of instances in the part3 SET OF. The count has the corresponding
|
|||
|
ASN.1 type of INTEGER (0..MAX).
|
|||
|
|
|||
|
The component reference "part3.*" identifies all the instances in the
|
|||
|
part3 SET OF. Each instance has the ASN.1 type of OBJECT IDENTIFIER.
|
|||
|
|
|||
|
The component reference "part4" identifies a component of a value of
|
|||
|
ExampleType having the ASN.1 type of [3] ExampleChoice.
|
|||
|
|
|||
|
The component reference "part4.miney-mo" identifies a component of a
|
|||
|
value of ExampleType having the ASN.1 type of OCTET STRING.
|
|||
|
|
|||
|
|
|||
|
5.1.6 Referencing Components of Open Types
|
|||
|
|
|||
|
If a sequence of ComponentIds identifies an ObjectClassFieldType
|
|||
|
denoting an open type (e.g. ATTRIBUTE.&Type denotes an open type)
|
|||
|
then the ASN.1 type of the component varies. An open type is
|
|||
|
typically constrained by some other component(s) in an outer
|
|||
|
enclosing type, either formally through the use of a component
|
|||
|
relation constraint [14], or informally in the accompanying text, so
|
|||
|
the actual ASN.1 type of a value of the open type will generally be
|
|||
|
known. The constraint will also limit the range of permissible
|
|||
|
types. The <select> form of ComponentId MAY be used to identify one
|
|||
|
of these permissible types in an open type. Subcomponents of that
|
|||
|
type can then be identified with further ComponentIds.
|
|||
|
|
|||
|
The other components constraining the open type are termed the
|
|||
|
referenced components (using the terminology in [14]). The <select>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 11]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
form contains a list of one or more values which take the place of
|
|||
|
the value(s) of the referenced component(s) to uniquely identify one
|
|||
|
of the permissable types of the open type.
|
|||
|
|
|||
|
Where the open type is constrained by a component relation
|
|||
|
constraint, there is a <Value> in the <select> form for each of the
|
|||
|
referenced components in the component relation constraint, appearing
|
|||
|
in the same order. The ASN.1 type of each of these values is the
|
|||
|
same as the ASN.1 type of the corresponding referenced component.
|
|||
|
The type of a referenced component is potentially any ASN.1 type
|
|||
|
however it is typically an OBJECT IDENTIFIER or INTEGER, which means
|
|||
|
that the <Value> in the <select> form of ComponentId will nearly
|
|||
|
always be an <ObjectIdentifierValue> or <IntegerValue> (see [7]).
|
|||
|
Furthermore, component relation constraints typically have only one
|
|||
|
referenced component.
|
|||
|
|
|||
|
Where the open type is not constrained by a component relation
|
|||
|
constraint, the specification introducing the syntax containing the
|
|||
|
open type SHOULD explicitly nominate the referenced components and
|
|||
|
their order, so that the <select> form can be used.
|
|||
|
|
|||
|
If an instance of <select> contains a value other than the value of
|
|||
|
the referenced component used in a particular value of the outer
|
|||
|
enclosing type then there are no corresponding component values for
|
|||
|
the open type.
|
|||
|
|
|||
|
|
|||
|
5.1.6.1 Open Type Referencing Example
|
|||
|
|
|||
|
The ASN.1 type AttributeTypeAndValue from [8] describes a single
|
|||
|
attribute value of a nominated attribute type.
|
|||
|
|
|||
|
AttributeTypeAndValue ::= SEQUENCE {
|
|||
|
type ATTRIBUTE.&id ({SupportedAttributes}),
|
|||
|
value ATTRIBUTE.&Type ({SupportedAttributes}{@type}) }
|
|||
|
|
|||
|
ATTRIBUTE.&id denotes an OBJECT IDENTIFIER and
|
|||
|
({SupportedAttributes}) constrains the OBJECT IDENTIFIER to be a
|
|||
|
supported attribute type.
|
|||
|
|
|||
|
ATTRIBUTE.&Type denotes an open type, in this case an attribute
|
|||
|
value, and ({SupportedAttributes}{@type}) is a component relation
|
|||
|
constraint that constrains the open type to be of the attribute
|
|||
|
syntax for the attribute type. The component relation constraint
|
|||
|
references only the "type" component, which has the ASN.1 type of
|
|||
|
OBJECT IDENTIFIER, thus if the <select> form of ComponentId is used
|
|||
|
to identify attribute values of specific attribute types it will
|
|||
|
contain a single OBJECT IDENTIFIER value.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 12]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
The component reference "value" on AttributeTypeAndValue refers to
|
|||
|
the open type.
|
|||
|
|
|||
|
One of the X.500 standard attributes is facsimileTelephoneNumber
|
|||
|
[10], which is identified with the OBJECT IDENTIFIER 2.5.4.23, and is
|
|||
|
defined to have the following syntax.
|
|||
|
|
|||
|
FacsimileTelephoneNumber ::= SEQUENCE {
|
|||
|
telephoneNumber PrintableString(SIZE(1..ub-telephone-number)),
|
|||
|
parameters G3FacsimileNonBasicParameters OPTIONAL }
|
|||
|
|
|||
|
The component reference "value.(2.5.4.23)" on AttributeTypeAndValue
|
|||
|
specifies an attribute value with the FacsimileTelephoneNumber
|
|||
|
syntax.
|
|||
|
|
|||
|
The component reference "value.(2.5.4.23).telephoneNumber" on
|
|||
|
AttributeTypeAndValue identifies the telephoneNumber component of a
|
|||
|
facsimileTelephoneNumber attribute value. The component reference
|
|||
|
"value.(facsimileTelephoneNumber)" is equivalent to
|
|||
|
"value.(2.5.4.23)".
|
|||
|
|
|||
|
If the AttributeTypeAndValue ASN.1 value contains an attribute type
|
|||
|
other than facsimileTelephoneNumber then there are no corresponding
|
|||
|
component values for the component references "value.(2.5.4.23)" and
|
|||
|
"value.(2.5.4.23).telephoneNumber".
|
|||
|
|
|||
|
|
|||
|
5.1.7 Referencing Contained Types
|
|||
|
|
|||
|
Sometimes the contents of a BIT STRING or OCTET STRING value are
|
|||
|
required to be the encodings of other ASN.1 values of specific ASN.1
|
|||
|
types. For example, the extnValue component of the Extension type
|
|||
|
component in the Certificate type [9] is an OCTET STRING that is
|
|||
|
required to contain a DER encoding of a certificate extension value.
|
|||
|
It is useful to be able to refer to the embedded encoded value and
|
|||
|
its components. An embedded encoded value is here referred to as a
|
|||
|
contained value and its associated type as the contained type.
|
|||
|
|
|||
|
If the ASN.1 type is a BIT STRING or OCTET STRING type containing
|
|||
|
encodings of other ASN.1 values then the <content> form of
|
|||
|
ComponentId MAY be used to identify the contained type.
|
|||
|
Subcomponents of that type can then be identified with further
|
|||
|
ComponentIds.
|
|||
|
|
|||
|
The contained type may be (effectively) an open type, constrained by
|
|||
|
some other component in an outer enclosing type (e.g. in a
|
|||
|
certificate Extension, extnValue is constrained by the chosen
|
|||
|
extnId). In these cases the next ComponentId, if any, MUST be of the
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 13]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
<select> form.
|
|||
|
|
|||
|
For the purpose of building component references, the content of the
|
|||
|
extnValue OCTET STRING in the Extension type is assumed to be an open
|
|||
|
type having a notional component relation constraint with the extnId
|
|||
|
component as the single referenced component, i.e.
|
|||
|
|
|||
|
EXTENSION.&ExtnType ({ExtensionSet}{@extnId})
|
|||
|
|
|||
|
The data-value component of the associated types for the EXTERNAL,
|
|||
|
EMBEDDED PDV and CHARACTER STRING types is an OCTET STRING containing
|
|||
|
the encoding of a data value described by the identification
|
|||
|
component. For the purpose of building component references, the
|
|||
|
content of the data-value OCTET STRING in these types is assumed to
|
|||
|
be an open type having a notional component relation constraint with
|
|||
|
the identification component as the single referenced component.
|
|||
|
|
|||
|
|
|||
|
5.1.7.1 Contained Type Referencing Example
|
|||
|
|
|||
|
The Extension ASN.1 type from [9] describes a single certificate
|
|||
|
extension value of a nominated extension type.
|
|||
|
|
|||
|
Extension ::= SEQUENCE {
|
|||
|
extnId EXTENSION.&id ({ExtensionSet}),
|
|||
|
critical BOOLEAN DEFAULT FALSE,
|
|||
|
extnValue OCTET STRING
|
|||
|
-- contains a DER encoding of a value of type &ExtnType
|
|||
|
-- for the extension object identified by extnId -- }
|
|||
|
|
|||
|
EXTENSION.&id denotes an OBJECT IDENTIFIER and ({ExtensionSet})
|
|||
|
constrains the OBJECT IDENTIFIER to be the identifier of a supported
|
|||
|
certificate extension.
|
|||
|
|
|||
|
The component reference "extnValue" on Extension refers to a
|
|||
|
component type of OCTET STRING. The corresponding component values
|
|||
|
will be OCTET STRING values. The component reference
|
|||
|
"extnValue.content" on Extension refers to the type of the contained
|
|||
|
type, which in this case is an open type.
|
|||
|
|
|||
|
One of the X.509 [X.509] standard extensions is basicConstraints,
|
|||
|
which is identified with the OBJECT IDENTIFIER 2.5.29.19 and is
|
|||
|
defined to have the following syntax.
|
|||
|
|
|||
|
BasicConstraintsSyntax ::= SEQUENCE {
|
|||
|
cA BOOLEAN DEFAULT FALSE,
|
|||
|
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 14]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
The component reference "extnValue.content.(2.5.29.19)" on Extension
|
|||
|
specifies a BasicConstraintsSyntax extension value and the component
|
|||
|
reference "extnValue.content.(2.5.29.19).cA" identifies the cA
|
|||
|
component of a BasicConstraintsSyntax extension value.
|
|||
|
|
|||
|
|
|||
|
5.2 Matching of Components
|
|||
|
|
|||
|
The rule in a ComponentAssertion specifies how the zero, one or more
|
|||
|
component values identified by the component reference are tested by
|
|||
|
the assertion. Attribute matching rules are used to specify the
|
|||
|
semantics of the test.
|
|||
|
|
|||
|
Each matching rule has a notional set of attribute syntaxes
|
|||
|
(typically one), defined as ASN.1 types, to which it may be applied.
|
|||
|
When used in a ComponentAssertion these matching rules apply to the
|
|||
|
same ASN.1 types, only in this context the corresponding ASN.1 values
|
|||
|
are not complete attribute values.
|
|||
|
|
|||
|
Note that the referenced component type may be a tagged and/or
|
|||
|
constrained version of the expected attribute syntax (e.g. [0]
|
|||
|
INTEGER, whereas integerMatch would expect simply INTEGER), or an
|
|||
|
open type. Additional type substitutions of the kind described in
|
|||
|
Section 5.1.1 are performed as required to reduce the component type
|
|||
|
to the same type as the attribute syntax expected by the matching
|
|||
|
rule. If an open type is encountered the actual ASN.1 type of the
|
|||
|
component value is substituted before continuing.
|
|||
|
|
|||
|
If a matching rule applies to more than one attribute syntax (e.g.
|
|||
|
objectIdentifierFirstComponentMatch [10]) then the minimum number of
|
|||
|
substitutions required to conform to any one of those syntaxes are
|
|||
|
performed. If a matching rule can apply to any attribute syntax
|
|||
|
(e.g. the allComponentsMatch rule defined in Section 8.2) then the
|
|||
|
referenced component type is used as is, with no additional
|
|||
|
substitutions.
|
|||
|
|
|||
|
The value in a ComponentAssertion will be of the assertion syntax
|
|||
|
(i.e. ASN.1 type) required by the chosen matching rule. Note that
|
|||
|
the assertion syntax of a matching rule is not necessarily the same
|
|||
|
as the attribute syntax(es) to which the rule may be applied.
|
|||
|
|
|||
|
Some matching rules do not have a fixed assertion syntax (e.g.
|
|||
|
allComponentsMatch). The required assertion syntax is determined in
|
|||
|
each instance of use by the syntax of the attribute type to which the
|
|||
|
matching rule is applied. For these rules the ASN.1 type of the
|
|||
|
referenced component is used in place of an attribute syntax to
|
|||
|
decide the required assertion syntax.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 15]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
The ComponentAssertion is undefined if:
|
|||
|
|
|||
|
a) the matching rule in the ComponentAssertion is not known to the
|
|||
|
evaluating procedure,
|
|||
|
|
|||
|
b) if no part of the component reference identifies an open type and
|
|||
|
the matching rule is not applicable to the referenced component
|
|||
|
type, even with the additional type substitutions,
|
|||
|
|
|||
|
c) the value in the ComponentAssertion does not conform to the
|
|||
|
assertion syntax defined for the matching rule,
|
|||
|
|
|||
|
d) an open type in the tested value cannot be decoded, or
|
|||
|
|
|||
|
e) the implementation does not support the particular combination of
|
|||
|
component reference and matching rule.
|
|||
|
|
|||
|
If the ComponentAssertion is not undefined then the
|
|||
|
ComponentAssertion evaluates to TRUE if there is at least one
|
|||
|
component value for which the matching rule applied to that component
|
|||
|
value returns TRUE, and evaluates to FALSE otherwise (which includes
|
|||
|
the case where there are no component values).
|
|||
|
|
|||
|
If some part of the component reference identifies an open type and
|
|||
|
the matching rule is not applicable to the referenced component type
|
|||
|
the ComponentAssertion evaluates to FALSE.
|
|||
|
|
|||
|
|
|||
|
5.2.1 Applicability of Existing Matching Rules
|
|||
|
|
|||
|
5.2.1.1 String Matching
|
|||
|
|
|||
|
ASN.1 has a number of built in restricted character string types with
|
|||
|
different character sets and/or different character encodings. A
|
|||
|
directory user generally has little interest in the particular
|
|||
|
character set or encoding used to represent a character string
|
|||
|
component value, and some directory server implementations make no
|
|||
|
distinction between the different string types in their internal
|
|||
|
representation of values. So rather than define string matching
|
|||
|
rules for each of the restricted character string types, the existing
|
|||
|
case ignore and case exact string matching rules are extended to
|
|||
|
apply to component values of any of the restricted character string
|
|||
|
types and any ChoiceOfStrings type [7], in addition to component
|
|||
|
values of the DirectoryString type. This extension is only for the
|
|||
|
purposes of component matching described in this document.
|
|||
|
|
|||
|
The relevant string matching rules are: caseIgnoreMatch,
|
|||
|
caseIgnoreOrderingMatch, caseIgnoreSubstringsMatch, caseExactMatch,
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 16]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
caseExactOrderingMatch and caseExactSubstringsMatch. The relevant
|
|||
|
restricted character string types are: NumericString,
|
|||
|
PrintableString, VisibleString, IA5String, UTF8String, BMPString,
|
|||
|
UniversalString, TeletexString, VideotexString, GraphicString and
|
|||
|
GeneralString. A ChoiceOfStrings type is a purely syntactic CHOICE
|
|||
|
of these ASN.1 string types. Note that [7] declares each and every
|
|||
|
use of the DirectoryString{} parameterized type to be a
|
|||
|
ChoiceOfStrings type.
|
|||
|
|
|||
|
The assertion syntax of the string matching rules is still
|
|||
|
DirectoryString regardless of the string syntax of the component
|
|||
|
being matched. Thus an implementation will be called upon to compare
|
|||
|
a DirectoryString value to a value of one of the restricted character
|
|||
|
string types, or a ChoiceOfStrings type. As is the case when
|
|||
|
comparing two DirectoryStrings where the chosen alternatives are of
|
|||
|
different string types, the comparison proceeds so long as the
|
|||
|
corresponding characters are representable in both character sets.
|
|||
|
Otherwise matching returns FALSE.
|
|||
|
|
|||
|
|
|||
|
5.2.1.2 Telephone Number Matching
|
|||
|
|
|||
|
Early editions of X.520 [10] gave the syntax of the telephoneNumber
|
|||
|
attribute as a constrained PrintableString. The fourth edition of
|
|||
|
X.520 equates the ASN.1 type name TelephoneNumber to the constrained
|
|||
|
PrintableString and uses TelephoneNumber as the attribute and
|
|||
|
assertion syntax. For the purposes of component matching,
|
|||
|
telephoneNumberMatch and telephoneNumberSubstringsMatch are permitted
|
|||
|
to be applied to any PrintableString value, as well as to
|
|||
|
TelephoneNumber values.
|
|||
|
|
|||
|
|
|||
|
5.2.1.3 Distinguished Name Matching
|
|||
|
|
|||
|
The DistinguishedName type is defined by assignment to be the same as
|
|||
|
the RDNSequence type, however RDNSequence is sometimes directly used
|
|||
|
in other type definitions. For the purposes of component matching,
|
|||
|
distinguishedNameMatch is also permitted to be applied to values of
|
|||
|
the RDNSequence type.
|
|||
|
|
|||
|
|
|||
|
5.2.2 Additional Useful Matching Rules
|
|||
|
|
|||
|
This section defines additional matching rules that may prove useful
|
|||
|
in ComponentAssertions. These rules MAY also be used in
|
|||
|
extensibleMatch search filters [3].
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 17]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
5.2.2.1 The rdnMatch Matching Rule
|
|||
|
|
|||
|
The distinguishedNameMatch matching rule can match whole
|
|||
|
distinguished names but it is sometimes useful to be able to match
|
|||
|
specific RDNs in a DN without regard for the other RDNs in the DN.
|
|||
|
The rdnMatch matching rule allows component RDNs of a DN to be
|
|||
|
tested.
|
|||
|
|
|||
|
The LDAP-style definitions for rdnMatch and its assertion syntax are:
|
|||
|
|
|||
|
( 1.2.36.79672281.1.13.3 NAME 'rdnMatch'
|
|||
|
SYNTAX 1.2.36.79672281.1.5.0 )
|
|||
|
|
|||
|
( 1.2.36.79672281.1.5.0 DESC 'RDN' )
|
|||
|
|
|||
|
The LDAP-specific encoding for a value of the RDN syntax is given by
|
|||
|
the <RelativeDistinguishedNameValue> rule in [7].
|
|||
|
|
|||
|
The X.500-style definition for rdnMatch is:
|
|||
|
|
|||
|
rdnMatch MATCHING-RULE ::= {
|
|||
|
SYNTAX RelativeDistinguishedName
|
|||
|
ID { 1 2 36 79672281 1 13 3 } }
|
|||
|
|
|||
|
The rdnMatch rule evaluates to true if the component value and
|
|||
|
assertion value are the same RDN, using the same RDN comparison
|
|||
|
method as distinguishedNameMatch.
|
|||
|
|
|||
|
When using rdnMatch to match components of DNs it is important to
|
|||
|
note that the LDAP-specific encoding of a DN [5] reverses the order
|
|||
|
of the RDNs. So for the DN represented in LDAP as "cn=Steven
|
|||
|
Legg,o=Adacel,c=AU", the RDN "cn=Steven Legg" corresponds to the
|
|||
|
component reference "3", or alternatively, "-1".
|
|||
|
|
|||
|
|
|||
|
5.2.2.2 The presentMatch Matching Rule
|
|||
|
|
|||
|
At times it would be useful to test not if a specific value of a
|
|||
|
particular component is present, but whether any value of a
|
|||
|
particular component is present. The presentMatch matching rule
|
|||
|
allows the presence of a particular component value to be tested.
|
|||
|
|
|||
|
The LDAP-style definitions for presentMatch and its assertion syntax
|
|||
|
are:
|
|||
|
|
|||
|
( 1.2.36.79672281.1.13.5 NAME 'presentMatch'
|
|||
|
SYNTAX 1.2.36.79672281.1.5.1 )
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 18]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
( 1.2.36.79672281.1.5.1 DESC 'NULL' )
|
|||
|
|
|||
|
The LDAP-specific encoding for a value of the NULL syntax is given by
|
|||
|
the <NullValue> rule in [7].
|
|||
|
|
|||
|
The X.500-style definition for presentMatch is:
|
|||
|
|
|||
|
presentMatch MATCHING-RULE ::= {
|
|||
|
SYNTAX NULL
|
|||
|
ID { 1 2 36 79672281 1 13 5 } }
|
|||
|
|
|||
|
When used in a extensible match filter item, presentMatch behaves
|
|||
|
like the "present" case of a regular search filter. In a
|
|||
|
ComponentAssertion, presentMatch evaluates to TRUE if and only if the
|
|||
|
component reference identifies one or more component values,
|
|||
|
regardless of the actual component value contents. Note that if
|
|||
|
useDefaultValues is TRUE then the identified component values may be
|
|||
|
(part of) a DEFAULT value.
|
|||
|
|
|||
|
The notional count referenced by the <count> form of ComponentId is
|
|||
|
taken to be present if the SET OF value is present, and absent
|
|||
|
otherwise. Note that in ASN.1 notation an absent SET OF value is
|
|||
|
distinctly different from a SET OF value that is present but empty.
|
|||
|
It is up to the specification using the ASN.1 notation to decide
|
|||
|
whether the distinction matters. Often an empty SET OF component and
|
|||
|
an absent SET OF component are treated as semantically equivalent.
|
|||
|
If a SET OF value is present, but empty, a presentMatch on the SET OF
|
|||
|
component SHALL return TRUE and the notional count SHALL be regarded
|
|||
|
as present and equal to zero.
|
|||
|
|
|||
|
|
|||
|
5.2.3 Summary of Useful Matching Rules
|
|||
|
|
|||
|
The following is a non-exhaustive list of useful matching rules and
|
|||
|
the ASN.1 types to which they can be applied, taking account of all
|
|||
|
the extensions described in Section 5.2.1, and the new matching rules
|
|||
|
defined in Section 5.2.2.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 19]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
+================================+==============================+
|
|||
|
| Matching Rule | ASN.1 Type |
|
|||
|
+================================+==============================+
|
|||
|
| bitStringMatch | BIT STRING |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| booleanMatch | BOOLEAN |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| caseIgnoreMatch | NumericString |
|
|||
|
| caseIgnoreOrderingMatch | PrintableString |
|
|||
|
| caseIgnoreSubstringsMatch | VisibleString (ISO646String) |
|
|||
|
| caseExactMatch | IA5String |
|
|||
|
| caseExactOrderingMatch | UTF8String |
|
|||
|
| caseExactSubstringsMatch | BMPString (UCS-2, UNICODE) |
|
|||
|
| | UniversalString (UCS-4) |
|
|||
|
| | TeletexString (T61String) |
|
|||
|
| | VideotexString |
|
|||
|
| | GraphicString |
|
|||
|
| | GeneralString |
|
|||
|
| | any ChoiceOfStrings type |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| caseIgnoreIA5Match | IA5String |
|
|||
|
| caseExactIA5Match | |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| distinguishedNameMatch | DistinguishedName |
|
|||
|
| | RDNSequence |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| generalizedTimeMatch | GeneralizedTime |
|
|||
|
| generalizedTimeOrderingMatch | |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| integerMatch | INTEGER |
|
|||
|
| integerOrderingMatch | |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| numericStringMatch | NumericString |
|
|||
|
| numericStringOrderingMatch | |
|
|||
|
| numericStringSubstringsMatch | |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| objectIdentifierMatch | OBJECT IDENTIFIER |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| octetStringMatch | OCTET STRING |
|
|||
|
| octetStringOrderingMatch | |
|
|||
|
| octetStringSubstringsMatch | |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| presentMatch | any ASN.1 type |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| rdnMatch | RelativeDistinguishedName |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| telephoneNumberMatch | PrintableString |
|
|||
|
| telephoneNumberSubstringsMatch | TelephoneNumber |
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 20]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
| uTCTimeMatch | UTCTime |
|
|||
|
| uTCTimeOrderingMatch | |
|
|||
|
+--------------------------------+------------------------------+
|
|||
|
|
|||
|
Note that the allComponentsMatch matching rule defined in Section 8.2
|
|||
|
can be used for equality matching of values of the ENUMERATED, NULL,
|
|||
|
REAL and RELATIVE-OID ASN.1 types, among other things.
|
|||
|
|
|||
|
|
|||
|
6. ComponentFilter
|
|||
|
|
|||
|
The ComponentAssertion allows the value(s) of any one component type
|
|||
|
in a complex ASN.1 type to be matched, but there is often a desire to
|
|||
|
match the values of more than one component type. A ComponentFilter
|
|||
|
is an assertion about the presence, or values of, multiple components
|
|||
|
within an ASN.1 value.
|
|||
|
|
|||
|
The ComponentFilter assertion, an expression of ComponentAssertions,
|
|||
|
evaluates to either TRUE, FALSE or undefined for each tested ASN.1
|
|||
|
value.
|
|||
|
|
|||
|
A ComponentFilter is described by the following ASN.1 type (assumed
|
|||
|
to be defined with "EXPLICIT TAGS" in force):
|
|||
|
|
|||
|
ComponentFilter ::= CHOICE {
|
|||
|
item [0] ComponentAssertion,
|
|||
|
and [1] SEQUENCE OF ComponentFilter,
|
|||
|
or [2] SEQUENCE OF ComponentFilter,
|
|||
|
not [3] ComponentFilter }
|
|||
|
|
|||
|
Note: despite the use of SEQUENCE OF instead of SET OF for the "and"
|
|||
|
and "or" alternatives in ComponentFilter, the order of the component
|
|||
|
filters is not significant.
|
|||
|
|
|||
|
A ComponentFilter that is a ComponentAssertion evaluates to TRUE if
|
|||
|
the ComponentAssertion is TRUE, evaluates to FALSE if the
|
|||
|
ComponentAssertion is FALSE, and evaluates to undefined otherwise.
|
|||
|
|
|||
|
The "and" of a sequence of component filters evaluates to TRUE if the
|
|||
|
sequence is empty or if each component filter evaluates to TRUE,
|
|||
|
evaluates to FALSE if at least one component filter is FALSE, and
|
|||
|
evaluates to undefined otherwise.
|
|||
|
|
|||
|
The "or" of a sequence of component filters evaluates to FALSE if the
|
|||
|
sequence is empty or if each component filter evaluates to FALSE,
|
|||
|
evaluates to TRUE if at least one component filter is TRUE, and
|
|||
|
evaluates to undefined otherwise.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 21]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
The "not" of a component filter evaluates to TRUE if the component
|
|||
|
filter is FALSE, evaluates to FALSE if the component filter is TRUE,
|
|||
|
and evaluates to undefined otherwise.
|
|||
|
|
|||
|
|
|||
|
7. The componentFilterMatch Matching Rule
|
|||
|
|
|||
|
The componentFilterMatch matching rule allows a ComponentFilter to be
|
|||
|
applied to an attribute value. The result of the matching rule is
|
|||
|
the result of applying the ComponentFilter to the attribute value.
|
|||
|
|
|||
|
The LDAP-style definitions for componentFilterMatch and its assertion
|
|||
|
syntax are:
|
|||
|
|
|||
|
( 1.2.36.79672281.1.13.2 NAME 'componentFilterMatch'
|
|||
|
SYNTAX 1.2.36.79672281.1.5.2 )
|
|||
|
|
|||
|
( 1.2.36.79672281.1.5.2 DESC 'ComponentFilter' )
|
|||
|
|
|||
|
The LDAP-specific encoding for the ComponentFilter assertion syntax
|
|||
|
is specified by the Generic String Encoding Rules in [7].
|
|||
|
|
|||
|
As a convenience to implementors, an equivalent ABNF description of
|
|||
|
the GSER encoding for ComponentFilter is provided here. In the event
|
|||
|
that there is a discrepancy between this ABNF and the encoding
|
|||
|
determined by [7], [7] is to be taken as definitive. The GSER
|
|||
|
encoding of a ComponentFilter is described by the following
|
|||
|
equivalent ABNF:
|
|||
|
|
|||
|
ComponentFilter = filter-item /
|
|||
|
and-filter /
|
|||
|
or-filter /
|
|||
|
not-filter
|
|||
|
|
|||
|
filter-item = item-chosen ComponentAssertion
|
|||
|
and-filter = and-chosen SequenceOfComponentFilter
|
|||
|
or-filter = or-chosen SequenceOfComponentFilter
|
|||
|
not-filter = not-chosen ComponentFilter
|
|||
|
|
|||
|
item-chosen = %x69.74.65.6D.3A ; "item:"
|
|||
|
and-chosen = %x61.6E.64.3A ; "and:"
|
|||
|
or-chosen = %x6F.72.3A ; "or:"
|
|||
|
not-chosen = %x6E.6F.74.3A ; "not:"
|
|||
|
|
|||
|
SequenceOfComponentFilter = "{" [ sp ComponentFilter
|
|||
|
*( "," sp ComponentFilter) ] sp "}"
|
|||
|
|
|||
|
ComponentAssertion = "{" sp component ","
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 22]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
[ sp useDefaultValues "," ]
|
|||
|
sp rule ","
|
|||
|
sp assertion-value sp "}"
|
|||
|
component = component-label msp
|
|||
|
dquote component-reference dquote
|
|||
|
useDefaultValues = use-defaults-label msp BooleanValue
|
|||
|
rule = rule-label msp ObjectIdentifierValue
|
|||
|
assertion-value = value-label msp Value
|
|||
|
|
|||
|
component-label = %x63.6F.6D.70.6F.6E.65.6E.74 ; "component"
|
|||
|
use-defaults-label = %x75.73.65.44.65.66.61.75.6C.74.56.61.6C.75
|
|||
|
%x65.73 ; "useDefaultValues"
|
|||
|
rule-label = %x72.75.6C.65 ; "rule"
|
|||
|
value-label = %x76.61.6C.75.65 ; "value"
|
|||
|
|
|||
|
sp = *%x20 ; zero, one or more space characters
|
|||
|
msp = 1*%x20 ; one or more space characters
|
|||
|
dquote = %x22 ; " (double quote)
|
|||
|
|
|||
|
The ABNF for <Value>, <ObjectIdentifierValue> and <BooleanValue> is
|
|||
|
defined in [7].
|
|||
|
|
|||
|
The ABNF descriptions of LDAP-specific encodings for attribute
|
|||
|
syntaxes typically do not clearly or consistently delineate the
|
|||
|
component parts of an attribute value. A regular and uniform
|
|||
|
character string encoding for arbitrary component data types is
|
|||
|
needed to encode the assertion value in a ComponentAssertion. The
|
|||
|
<Value> rule from [7] provides a human readable text encoding for a
|
|||
|
component value of any arbitrary ASN.1 type.
|
|||
|
|
|||
|
The X.500-style definition [8] for componentFilterMatch is:
|
|||
|
|
|||
|
componentFilterMatch MATCHING-RULE ::= {
|
|||
|
SYNTAX ComponentFilter
|
|||
|
ID { 1 2 36 79672281 1 13 2 } }
|
|||
|
|
|||
|
A ComponentAssertion can potentially use any matching rule, including
|
|||
|
componentFilterMatch, so componentFilterMatch MAY be nested. The
|
|||
|
component references in a nested componentFilterMatch are relative to
|
|||
|
the component corresponding to the containing ComponentAssertion. In
|
|||
|
Section 9, an example search on the seeAlso attribute shows this
|
|||
|
usage.
|
|||
|
|
|||
|
|
|||
|
8. Equality Matching of Complex Components
|
|||
|
|
|||
|
It is possible to test if an attribute value of a complex ASN.1
|
|||
|
syntax is the same as some purported (i.e. assertion) value by using
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 23]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
a complicated ComponentFilter that tests if corresponding components
|
|||
|
are the same. However, it would be more convenient to be able to
|
|||
|
present a whole assertion value to a matching rule that could do the
|
|||
|
component-wise comparison of an attribute value with the assertion
|
|||
|
value for any arbitrary attribute syntax. Similarly, the ability to
|
|||
|
do a straightforward equality comparison of a component value that is
|
|||
|
itself of a complex ASN.1 type would also be convenient.
|
|||
|
|
|||
|
It would be difficult to define a single matching rule that
|
|||
|
simultaneously satisfies all notions of what the equality matching
|
|||
|
semantics should be. For example, in some instances a case sensitive
|
|||
|
comparison of string components may be preferable to a case
|
|||
|
insensitive comparison. Therefore a basic equality matching rule,
|
|||
|
allComponentsMatch, is defined in Section 8.2, and the means to
|
|||
|
derive new matching rules from it with slightly different equality
|
|||
|
matching semantics are described in Section 8.3.
|
|||
|
|
|||
|
The directoryComponentsMatch defined in Section 8.4 is a derivation
|
|||
|
of allComponentsMatch that suits typical uses of the directory.
|
|||
|
Other specifications are free to derive new rules from
|
|||
|
allComponentsMatch or directoryComponentsMatch, that suit their usage
|
|||
|
of the directory.
|
|||
|
|
|||
|
The allComponentsMatch rule, the directoryComponentsMatch rule and
|
|||
|
any matching rules derived from them are collectively called
|
|||
|
component equality matching rules.
|
|||
|
|
|||
|
|
|||
|
8.1 The OpenAssertionType Syntax
|
|||
|
|
|||
|
The component equality matching rules have a variable assertion
|
|||
|
syntax. In X.500 this is indicated by omitting the optional SYNTAX
|
|||
|
field in the MATCHING-RULE information object. The assertion syntax
|
|||
|
then defaults to the target attribute's syntax in actual usage,
|
|||
|
unless the description of the matching rule says otherwise. The
|
|||
|
SYNTAX field in the LDAP-specific encoding of a
|
|||
|
MatchingRuleDescription is mandatory, so the OpenAssertionType syntax
|
|||
|
is defined to fill the same role. That is, the OpenAssertionType
|
|||
|
syntax is semantically equivalent to an omitted SYNTAX field in an
|
|||
|
X.500 MATCHING-RULE information object. OpenAssertionType MUST NOT
|
|||
|
be used as the attribute syntax in an attribute type definition.
|
|||
|
|
|||
|
Unless explicitly varied by the description of a particular matching
|
|||
|
rule, if an OpenAssertionType assertion value appears in a
|
|||
|
ComponentAssertion its LDAP-specific encoding is described by the
|
|||
|
<Value> rule in [7], otherwise its LDAP-specific encoding is the
|
|||
|
encoding defined for the syntax of the attribute type to which the
|
|||
|
matching rule with the OpenAssertionType assertion syntax is applied.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 24]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
The LDAP definition for the OpenAssertionType syntax is:
|
|||
|
|
|||
|
( 1.2.36.79672281.1.5.3 DESC 'OpenAssertionType' )
|
|||
|
|
|||
|
|
|||
|
8.2 The allComponentsMatch Matching Rule
|
|||
|
|
|||
|
The LDAP-style definition for allComponentsMatch is:
|
|||
|
|
|||
|
( 1.2.36.79672281.1.13.6 NAME 'allComponentsMatch'
|
|||
|
SYNTAX 1.2.36.79672281.1.5.3 )
|
|||
|
|
|||
|
The X.500-style definition for allComponentsMatch is:
|
|||
|
|
|||
|
allComponentsMatch MATCHING-RULE ::= {
|
|||
|
ID { 1 2 36 79672281 1 13 6 } }
|
|||
|
|
|||
|
When allComponentsMatch is used in a ComponentAssertion the assertion
|
|||
|
syntax is the same as the ASN.1 type of the identified component.
|
|||
|
Otherwise, the assertion syntax of allComponentsMatch is the same as
|
|||
|
the attribute syntax of the attribute to which the matching rule is
|
|||
|
applied.
|
|||
|
|
|||
|
Broadly speaking, this matching rule evaluates to true if and only if
|
|||
|
corresponding components of the assertion value and the attribute or
|
|||
|
component value are the same.
|
|||
|
|
|||
|
In detail, equality is determined by the following cases applied
|
|||
|
recursively.
|
|||
|
|
|||
|
a) Two values of a SET or SEQUENCE type are the same if and only if,
|
|||
|
for each component type, the corresponding component values are
|
|||
|
either,
|
|||
|
|
|||
|
1) both absent,
|
|||
|
|
|||
|
2) both present and the same, or
|
|||
|
|
|||
|
3) absent or the same as the DEFAULT value for the component, if a
|
|||
|
DEFAULT value is defined.
|
|||
|
|
|||
|
Values of an EMBEDDED PDV, EXTERNAL, unrestricted CHARACTER
|
|||
|
STRING, or INSTANCE OF type are compared according to their
|
|||
|
respective SEQUENCE type (see Section 5.1.2).
|
|||
|
|
|||
|
b) Two values of a SEQUENCE OF type are the same if and only if, the
|
|||
|
values have the same number of (possibly duplicated) instances and
|
|||
|
corresponding instances are the same.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 25]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
c) Two values of a SET OF type are the same if and only if, the
|
|||
|
values have the same number of instances and each distinct
|
|||
|
instance occurs in both values the same number of times, i.e. both
|
|||
|
values have the same instances, including duplicates, but in any
|
|||
|
order.
|
|||
|
|
|||
|
d) Two values of a CHOICE type are the same if and only if, both
|
|||
|
values are of the same chosen alternative and the component values
|
|||
|
are the same.
|
|||
|
|
|||
|
e) Two BIT STRING values are the same if and only if the values have
|
|||
|
the same number of bits and corresponding bits are the same. If
|
|||
|
the BIT STRING type is defined with a named bit list then trailing
|
|||
|
zero bits in the values are treated as absent for the purposes of
|
|||
|
this comparison.
|
|||
|
|
|||
|
f) Two BOOLEAN values are the same if and only if both are TRUE or
|
|||
|
both are FALSE.
|
|||
|
|
|||
|
g) Two values of a string type are the same if and only if the values
|
|||
|
have the same number of characters and corresponding characters
|
|||
|
are the same. Letter case is significant. For the purposes of
|
|||
|
allComponentsMatch, the string types are NumericString,
|
|||
|
PrintableString, TeletexString (T61String), VideotexString,
|
|||
|
IA5String, GraphicString, VisibleString (ISO646String),
|
|||
|
GeneralString, UniversalString, BMPString, UTF8String,
|
|||
|
GeneralizedTime, UTCTime and ObjectDescriptor.
|
|||
|
|
|||
|
h) Two INTEGER values are the same if and only if the integers are
|
|||
|
equal.
|
|||
|
|
|||
|
i) Two ENUMERATED values are the same if and only if the enumeration
|
|||
|
item identifiers are the same (equivalently, if the integer values
|
|||
|
associated with the identifiers are equal).
|
|||
|
|
|||
|
j) Two NULL values are always the same, unconditionally.
|
|||
|
|
|||
|
k) Two OBJECT IDENTIFIER values are the same if and only if the
|
|||
|
values have the same number of arcs and corresponding arcs are the
|
|||
|
same.
|
|||
|
|
|||
|
l) Two OCTET STRING values are the same if and only if the values
|
|||
|
have the same number of octets and corresponding octets are the
|
|||
|
same.
|
|||
|
|
|||
|
m) Two REAL values are the same if and only if they are both the same
|
|||
|
special value, or neither is a special value and they have the
|
|||
|
same base and represent the same real number. The special values
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 26]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
for REAL are zero, PLUS-INFINITY and MINUS-INFINITY.
|
|||
|
|
|||
|
n) Two RELATIVE-OID [12] values are the same if and only if the
|
|||
|
values have the same number of arcs and corresponding arcs are the
|
|||
|
same. The respective starting nodes for the RELATIVE-OID values
|
|||
|
are disregarded in the comparison, i.e. they are assumed to be the
|
|||
|
same.
|
|||
|
|
|||
|
o) Two values of an open type are the same if and only if both are of
|
|||
|
the same ASN.1 type and are the same according to that type.
|
|||
|
|
|||
|
Tags and constraints, being part of the type definition and not part
|
|||
|
of the abstract values, are ignored for matching purposes.
|
|||
|
|
|||
|
The allComponentsMatch rule MAY be used as the defined equality
|
|||
|
matching rule for an attribute.
|
|||
|
|
|||
|
|
|||
|
8.3 Deriving Component Equality Matching Rules
|
|||
|
|
|||
|
A new component equality matching rule with more refined matching
|
|||
|
semantics MAY be derived from allComponentsMatch, or any other
|
|||
|
component equality matching rule, using the convention described in
|
|||
|
this section.
|
|||
|
|
|||
|
The matching behaviour of a derived component equality matching rule
|
|||
|
is specified by nominating, for each of one or more identified
|
|||
|
components, a commutative equality matching rule that will be used to
|
|||
|
match values of that component. This overrides the matching that
|
|||
|
would otherwise occur for values of that component using the base
|
|||
|
rule for the derivation. These overrides can be conveniently
|
|||
|
represented as rows in a table of the following form.
|
|||
|
|
|||
|
Component | Matching Rule
|
|||
|
============+===============
|
|||
|
|
|
|||
|
|
|
|||
|
|
|||
|
Usually, all component values of a particular ASN.1 type are to be
|
|||
|
matched the same way. An ASN.1 type reference (e.g.
|
|||
|
DistinguishedName) or an ASN.1 built-in type name (e.g. INTEGER) in
|
|||
|
the Component column of the table specifies that the nominated
|
|||
|
equality matching rule is to be applied to all values of the named
|
|||
|
type, regardless of context.
|
|||
|
|
|||
|
An ASN.1 type reference with a component reference appended
|
|||
|
(separated by a ".") specifies that the nominated matching rule
|
|||
|
applies only to the identified components of values of the named
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 27]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
type. Other component values that happen to be of the same ASN.1
|
|||
|
type are not selected.
|
|||
|
|
|||
|
Additional type substitutions as described in Section 5.2 are assumed
|
|||
|
to be performed to align the component type with the matching rule
|
|||
|
assertion syntax.
|
|||
|
|
|||
|
Conceptually, the rows in a table for the base rule are appended to
|
|||
|
the rows in the table for a derived rule for the purpose of deciding
|
|||
|
the matching semantics of the derived rule. Notionally,
|
|||
|
allComponentsMatch has an empty table.
|
|||
|
|
|||
|
A row specifying values of an outer containing type (e.g.
|
|||
|
DistinguishedName) takes precedence over a row specifying values of
|
|||
|
an inner component type (e.g. RelativeDistinguishedName), regardless
|
|||
|
of their order in the table. Specifying a row for component values
|
|||
|
of an inner type is only useful if a value of the type can also
|
|||
|
appear on its own, or as a component of values of a different outer
|
|||
|
type. For example, if there is a row for DistinguishedName then a
|
|||
|
row for RelativeDistinguishedName can only ever apply to
|
|||
|
RelativeDistinguishedName component values that are not part of a
|
|||
|
DistinguishedName. A row for values of an outer type in the table
|
|||
|
for the base rule takes precedence over a row for values of an inner
|
|||
|
type in the table for the derived rule.
|
|||
|
|
|||
|
Where more than one row applies to a particular component value the
|
|||
|
earlier row takes precedence over the later row. Thus rows in the
|
|||
|
table for the derived rule take precedence over any rows for the same
|
|||
|
component in the table for the base rule.
|
|||
|
|
|||
|
|
|||
|
8.4 The directoryComponentsMatch Matching Rule
|
|||
|
|
|||
|
The directoryComponentsMatch matching rule is derived from the
|
|||
|
allComponentsMatch matching rule.
|
|||
|
|
|||
|
The LDAP-style definition for directoryComponentsMatch is:
|
|||
|
|
|||
|
( 1.2.36.79672281.1.13.7 NAME 'directoryComponentsMatch'
|
|||
|
SYNTAX 1.2.36.79672281.1.5.3 )
|
|||
|
|
|||
|
The X.500-style definition for directoryComponentsMatch is:
|
|||
|
|
|||
|
directoryComponentsMatch MATCHING-RULE ::= {
|
|||
|
ID { 1 2 36 79672281 1 13 7 } }
|
|||
|
|
|||
|
The matching semantics of directoryComponentsMatch are described by
|
|||
|
the following table, using the convention described in Section 8.3.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 28]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
ASN.1 Type | Matching Rule
|
|||
|
=========================================+========================
|
|||
|
RDNSequence | distinguishedNameMatch
|
|||
|
RelativeDistinguishedName | rdnMatch
|
|||
|
TelephoneNumber | telephoneNumberMatch
|
|||
|
FacsimileTelephoneNumber.telephoneNumber | telephoneNumberMatch
|
|||
|
NumericString | numericStringMatch
|
|||
|
GeneralizedTime | generalizedTimeMatch
|
|||
|
UTCTime | uTCTimeMatch
|
|||
|
DirectoryString{} | caseIgnoreMatch
|
|||
|
BMPString | caseIgnoreMatch
|
|||
|
GeneralString | caseIgnoreMatch
|
|||
|
GraphicString | caseIgnoreMatch
|
|||
|
IA5String | caseIgnoreMatch
|
|||
|
PrintableString | caseIgnoreMatch
|
|||
|
TeletexString | caseIgnoreMatch
|
|||
|
UniversalString | caseIgnoreMatch
|
|||
|
UTF8String | caseIgnoreMatch
|
|||
|
VideotexString | caseIgnoreMatch
|
|||
|
VisibleString | caseIgnoreMatch
|
|||
|
|
|||
|
Notes.
|
|||
|
|
|||
|
1) The DistinguishedName type is defined by assignment to be the same
|
|||
|
as the RDNSequence type. Some types (e.g. Name and LocalName)
|
|||
|
directly reference RDNSequence rather than DistinguishedName.
|
|||
|
Specifying RDNSequence captures all these DN-like types.
|
|||
|
|
|||
|
2) A RelativeDistinguishedName value is only matched by rdnMatch if
|
|||
|
it is not part of an RDNSequence value.
|
|||
|
|
|||
|
3) The telephone number component of the FacsimileTelephoneNumber
|
|||
|
ASN.1 type [10] is defined as a constrained PrintableString.
|
|||
|
PrintableString component values that are part of a
|
|||
|
FacsimileTelephoneNumber value can be identified separately from
|
|||
|
other components of PrintableString type by the specifier
|
|||
|
FacsimileTelephoneNumber.telephoneNumber, so that
|
|||
|
telephoneNumberMatch can be selectively applied. The fourth
|
|||
|
edition of X.520 defines the telephoneNumber component of
|
|||
|
FacsimileTelephoneNumber to be of the type TelephoneNumber, making
|
|||
|
the row for FacsimileTelephoneNumber.telephoneNumber components
|
|||
|
redundant.
|
|||
|
|
|||
|
The directoryComponentsMatch rule MAY be used as the defined equality
|
|||
|
matching rule for an attribute.
|
|||
|
|
|||
|
|
|||
|
9. Component Matching Examples
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 29]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
This section contains examples of search filters using the
|
|||
|
componentFilterMatch matching rule. The filters are described using
|
|||
|
the string representation of LDAP search filters from [17]. Note
|
|||
|
that [17] requires asterisks to be escaped in assertion values (in
|
|||
|
these examples the assertion values are all <ComponentAssertion>
|
|||
|
encodings). The asterisks have not been escaped in these examples
|
|||
|
for the sake of clarity, and to avoid confusing the LDAP protocol
|
|||
|
representation of search filter assertion values, where such escaping
|
|||
|
does not apply. Line breaks and indenting have been added only as an
|
|||
|
aid to readability.
|
|||
|
|
|||
|
The example search filters are all single extensible match filter
|
|||
|
items, though there is no reason why componentFilterMatch can't be
|
|||
|
used in more complicated search filters.
|
|||
|
|
|||
|
The first examples describe searches over the objectClasses schema
|
|||
|
operational attribute, which has an attribute syntax described by the
|
|||
|
ASN.1 type ObjectClassDescription [8], and holds the definitions of
|
|||
|
the object classes known to a directory server. The definition of
|
|||
|
ObjectClassDescription is as follows:
|
|||
|
|
|||
|
ObjectClassDescription ::= SEQUENCE {
|
|||
|
identifier OBJECT-CLASS.&id,
|
|||
|
name SET OF DirectoryString {ub-schema} OPTIONAL,
|
|||
|
description DirectoryString {ub-schema} OPTIONAL,
|
|||
|
obsolete BOOLEAN DEFAULT FALSE,
|
|||
|
information [0] ObjectClassInformation }
|
|||
|
|
|||
|
ObjectClassInformation ::= SEQUENCE {
|
|||
|
subclassOf SET OF OBJECT-CLASS.&id OPTIONAL,
|
|||
|
kind ObjectClassKind DEFAULT structural,
|
|||
|
mandatories [3] SET OF ATTRIBUTE.&id OPTIONAL,
|
|||
|
optionals [4] SET OF ATTRIBUTE.&id OPTIONAL }
|
|||
|
|
|||
|
ObjectClassKind ::= ENUMERATED {
|
|||
|
abstract (0),
|
|||
|
structural (1),
|
|||
|
auxiliary (2) }
|
|||
|
|
|||
|
OBJECT-CLASS.&id and ATTRIBUTE.&id are equivalent to the OBJECT
|
|||
|
IDENTIFIER ASN.1 type. A value of OBJECT-CLASS.&id is an OBJECT
|
|||
|
IDENTIFIER for an object class. A value of ATTRIBUTE.&id is an
|
|||
|
OBJECT IDENTIFIER for an attribute type.
|
|||
|
|
|||
|
The following search filter finds the object class definition for the
|
|||
|
object class identified by the OBJECT IDENTIFIER 2.5.6.18:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 30]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
item:{ component "identifier",
|
|||
|
rule objectIdentifierMatch, value 2.5.6.18 })
|
|||
|
|
|||
|
A match on the "identifier" component of objectClasses values is
|
|||
|
equivalent to the objectIdentifierFirstComponentMatch matching rule
|
|||
|
applied to attribute values of the objectClasses attribute type. The
|
|||
|
componentFilterMatch matching rule subsumes the functionality of the
|
|||
|
objectIdentifierFirstComponentMatch, integerFirstComponentMatch and
|
|||
|
directoryStringFirstComponentMatch matching rules.
|
|||
|
|
|||
|
The following search filter finds the object class definition for the
|
|||
|
object class called foobar:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "name.*",
|
|||
|
rule caseIgnoreMatch, value "foobar" })
|
|||
|
|
|||
|
An object class definition can have multiple names and the above
|
|||
|
filter will match an objectClasses value if any one of the names is
|
|||
|
"foobar".
|
|||
|
|
|||
|
The component reference "name.0" identifies the notional count of the
|
|||
|
number of names in an object class definition. The following search
|
|||
|
filter finds object class definitions with exactly one name:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "name.0", rule integerMatch, value 1 })
|
|||
|
|
|||
|
The "description" component of an ObjectClassDescription is defined
|
|||
|
to be an OPTIONAL DirectoryString. The following search filter finds
|
|||
|
object class definitions that have descriptions, regardless of the
|
|||
|
contents of the description string:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "description",
|
|||
|
rule presentMatch, value NULL })
|
|||
|
|
|||
|
The presentMatch returns TRUE if the description component is present
|
|||
|
and FALSE otherwise.
|
|||
|
|
|||
|
The following search filter finds object class definitions that don't
|
|||
|
have descriptions:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
not:item:{ component "description",
|
|||
|
rule presentMatch, value NULL })
|
|||
|
|
|||
|
The following search filter finds object class definitions with the
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 31]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
word "bogus" in the description:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "description",
|
|||
|
rule caseIgnoreSubstringsMatch,
|
|||
|
value { any:"bogus" } })
|
|||
|
|
|||
|
The assertion value is of the SubstringAssertion syntax, i.e.
|
|||
|
|
|||
|
SubstringAssertion ::= SEQUENCE OF CHOICE {
|
|||
|
initial [0] DirectoryString {ub-match},
|
|||
|
any [1] DirectoryString {ub-match},
|
|||
|
final [2] DirectoryString {ub-match} }
|
|||
|
|
|||
|
The "obsolete" component of an ObjectClassDescription is defined to
|
|||
|
be DEFAULT FALSE. An object class is obsolete if the "obsolete"
|
|||
|
component is present and set to TRUE. The following search filter
|
|||
|
finds all obsolete object classes:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "obsolete", rule booleanMatch, value TRUE })
|
|||
|
|
|||
|
An object class is not obsolete if the "obsolete" component is not
|
|||
|
present, in which case it defaults to FALSE, or is present but is
|
|||
|
explicitly set to FALSE. The following search filter finds all non-
|
|||
|
obsolete object classes:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "obsolete", rule booleanMatch, value FALSE })
|
|||
|
|
|||
|
The useDefaultValues flag in the ComponentAssertion defaults to TRUE
|
|||
|
so the componentFilterMatch rule treats an absent "obsolete"
|
|||
|
component as being present and set to FALSE. The following search
|
|||
|
filter finds only object class definitions where the "obsolete"
|
|||
|
component has been explicitly set to FALSE, rather than implicitly
|
|||
|
defaulting to FALSE:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "obsolete", useDefaultValues FALSE,
|
|||
|
rule booleanMatch, value FALSE })
|
|||
|
|
|||
|
With the useDefaultValues flag set to FALSE, if the "obsolete"
|
|||
|
component is absent the component reference identifies no component
|
|||
|
value and the matching rule will return FALSE. The matching rule can
|
|||
|
only return TRUE if the component is present and set to FALSE.
|
|||
|
|
|||
|
The "information.kind" component of the ObjectClassDescription is an
|
|||
|
ENUMERATED type. The allComponentsMatch matching rule can be used to
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 32]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
match values of an ENUMERATED type. The following search filter
|
|||
|
finds object class definitions for auxiliary object classes:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "information.kind",
|
|||
|
rule allComponentsMatch, value auxiliary })
|
|||
|
|
|||
|
The following search filter finds auxiliary object classes with
|
|||
|
commonName (cn or 2.5.4.3) as a mandatory attribute:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=and:{
|
|||
|
item:{ component "information.kind",
|
|||
|
rule allComponentsMatch, value auxiliary },
|
|||
|
item:{ component "information.mandatories.*",
|
|||
|
rule objectIdentifierMatch, value cn } })
|
|||
|
|
|||
|
The following search filter finds auxiliary object classes with
|
|||
|
commonName as a mandatory or optional attribute:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=and:{
|
|||
|
item:{ component "information.kind",
|
|||
|
rule allComponentsMatch, value auxiliary },
|
|||
|
or:{
|
|||
|
item:{ component "information.mandatories.*",
|
|||
|
rule objectIdentifierMatch, value cn },
|
|||
|
item:{ component "information.optionals.*",
|
|||
|
rule objectIdentifierMatch, value cn } } })
|
|||
|
|
|||
|
Extra care is required when matching optional SEQUENCE OF or SET OF
|
|||
|
components because of the distinction between an absent list of
|
|||
|
instances and a present, but empty, list of instances. The following
|
|||
|
search filter finds object class definitions with less than three
|
|||
|
names, including object class definitions with a present but empty
|
|||
|
list of names, but does not find object class definitions with an
|
|||
|
absent list of names:
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=
|
|||
|
item:{ component "name.0",
|
|||
|
rule integerOrderingMatch, value 3 })
|
|||
|
|
|||
|
If the "name" component is absent the "name.0" component is also
|
|||
|
considered to be absent and the ComponentAssertion evaluates to
|
|||
|
FALSE. If the "name" component is present, but empty, the "name.0"
|
|||
|
component is also present and equal to zero, so the
|
|||
|
ComponentAssertion evaluates to TRUE. To also find the object class
|
|||
|
definitions with an absent list of names the following search filter
|
|||
|
would be used:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 33]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
(objectClasses:componentFilterMatch:=or:{
|
|||
|
not:item:{ component "name", rule presentMatch, value NULL },
|
|||
|
item:{ component "name.0",
|
|||
|
rule integerOrderingMatch, value 3 } })
|
|||
|
|
|||
|
Distinguished names embedded in other syntaxes can be matched with a
|
|||
|
componentFilterMatch. The uniqueMember attribute type has an
|
|||
|
attribute syntax described by the ASN.1 type NameAndOptionalUID.
|
|||
|
|
|||
|
NameAndOptionalUID ::= SEQUENCE {
|
|||
|
dn DistinguishedName,
|
|||
|
uid UniqueIdentifier OPTIONAL }
|
|||
|
|
|||
|
The following search filter finds values of the uniqueMember
|
|||
|
attribute containing the author's DN:
|
|||
|
|
|||
|
(uniqueMember:componentFilterMatch:=
|
|||
|
item:{ component "dn",
|
|||
|
rule distinguishedNameMatch,
|
|||
|
value "cn=Steven Legg,o=Adacel,c=AU" })
|
|||
|
|
|||
|
The DistinguishedName and RelativeDistinguishedName ASN.1 types are
|
|||
|
also complex ASN.1 types so the component matching rules can be
|
|||
|
applied to their inner components.
|
|||
|
|
|||
|
DistinguishedName ::= RDNSequence
|
|||
|
|
|||
|
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
|
|||
|
|
|||
|
RelativeDistinguishedName ::= SET SIZE (1..MAX) OF
|
|||
|
AttributeTypeAndValue
|
|||
|
|
|||
|
AttributeTypeAndValue ::= SEQUENCE {
|
|||
|
type AttributeType ({SupportedAttributes}),
|
|||
|
value AttributeValue ({SupportedAttributes}{@type}) }
|
|||
|
|
|||
|
AttributeType ::= ATTRIBUTE.&id
|
|||
|
|
|||
|
AttributeValue ::= ATTRIBUTE.&Type
|
|||
|
|
|||
|
ATTRIBUTE.&Type is an open type. A value of ATTRIBUTE.&Type is
|
|||
|
constrained by the type component of AttributeTypeAndValue to be of
|
|||
|
the attribute syntax of the nominated attribute type. Note: the
|
|||
|
fourth edition of X.500 extends and renames the AttributeTypeAndValue
|
|||
|
SEQUENCE type.
|
|||
|
|
|||
|
The seeAlso attribute has the DistinguishedName syntax. The
|
|||
|
following search filter finds seeAlso attribute values containing the
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 34]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
RDN, "o=Adacel", anywhere in the DN:
|
|||
|
|
|||
|
(seeAlso:componentFilterMatch:=
|
|||
|
item:{ component "*", rule rdnMatch, value "o=Adacel" })
|
|||
|
|
|||
|
The following search filter finds all seeAlso attribute values with
|
|||
|
"cn=Steven Legg" as the RDN of the named entry (i.e. the "first" RDN
|
|||
|
in an LDAPDN or the "last" RDN in an X.500 DN):
|
|||
|
|
|||
|
(seeAlso:componentFilterMatch:=
|
|||
|
item:{ component "-1",
|
|||
|
rule rdnMatch, value "cn=Steven Legg" })
|
|||
|
|
|||
|
The following search filter finds all seeAlso attribute values naming
|
|||
|
entries in the DIT subtree of "o=Adacel,c=AU":
|
|||
|
|
|||
|
(seeAlso:componentFilterMatch:=and:{
|
|||
|
item:{ component "1", rule rdnMatch, value "c=AU" },
|
|||
|
item:{ component "2", rule rdnMatch, value "o=Adacel" } })
|
|||
|
|
|||
|
The following search filter finds all seeAlso attribute values
|
|||
|
containing the naming attribute types commonName (cn) and
|
|||
|
telephoneNumber in the same RDN:
|
|||
|
|
|||
|
(seeAlso:componentFilterMatch:=
|
|||
|
item:{ component "*", rule componentFilterMatch,
|
|||
|
value and:{
|
|||
|
item:{ component "*.type",
|
|||
|
rule objectIdentifierMatch, value cn },
|
|||
|
item:{ component "*.type",
|
|||
|
rule objectIdentifierMatch,
|
|||
|
value telephoneNumber } } })
|
|||
|
|
|||
|
The following search filter would find all seeAlso attribute values
|
|||
|
containing the attribute types commonName and telephoneNumber, but
|
|||
|
not necessarily in the same RDN:
|
|||
|
|
|||
|
(seeAlso:componentFilterMatch:=and:{
|
|||
|
item:{ component "*.*.type",
|
|||
|
rule objectIdentifierMatch, value cn },
|
|||
|
item:{ component "*.*.type",
|
|||
|
rule objectIdentifierMatch, value telephoneNumber } })
|
|||
|
|
|||
|
The following search filter finds all seeAlso attribute values
|
|||
|
containing the word "Adacel" in any organizationalUnitName (ou)
|
|||
|
attribute value in any AttributeTypeAndValue of any RDN:
|
|||
|
|
|||
|
(seeAlso:componentFilterMatch:=
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 35]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
item:{ component "*.*.value.(2.5.4.11)",
|
|||
|
rule caseIgnoreSubstringsMatch,
|
|||
|
value { any:"Adacel" } })
|
|||
|
|
|||
|
The component reference "*.*.value" identifies an open type, in this
|
|||
|
case an attribute value. In a particular AttributeTypeAndValue, if
|
|||
|
the attribute type is not organizationalUnitName then the
|
|||
|
ComponentAssertion evaluates to FALSE. Otherwise the substring
|
|||
|
assertion is evaluated against the attribute value.
|
|||
|
|
|||
|
|
|||
|
10. Security Considerations
|
|||
|
|
|||
|
The component matching rules described in this document allow for a
|
|||
|
compact specification of matching capabilities that could otherwise
|
|||
|
have been defined by a plethora of specific matching rules, i.e.
|
|||
|
despite their expressiveness and flexibility the component matching
|
|||
|
rules do not behave in a way uncharacteristic of other matching
|
|||
|
rules, so the security issues for component matching rules are no
|
|||
|
different than for any other matching rule. However, because the
|
|||
|
component matching rules are applicable to any attribute syntax,
|
|||
|
support for them in a directory server may allow searching of
|
|||
|
attributes that were previously unsearchable by virtue of there not
|
|||
|
being a suitable matching rule. Such attribute types ought to be
|
|||
|
properly protected with appropriate access controls.
|
|||
|
|
|||
|
|
|||
|
11. Acknowledgements
|
|||
|
|
|||
|
The author would like to thank Tom Gindin for private email
|
|||
|
discussions that clarified and refined the ideas presented in this
|
|||
|
document.
|
|||
|
|
|||
|
|
|||
|
12. Normative References
|
|||
|
|
|||
|
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
|||
|
Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
[2] Crocker, D. and P. Overell, "Augmented BNF for Syntax
|
|||
|
Specifications: ABNF", RFC 2234, November 1997.
|
|||
|
|
|||
|
[3] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access
|
|||
|
Protocol (v3)", RFC 2251, December 1997.
|
|||
|
|
|||
|
[4] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight
|
|||
|
Directory Access Protocol (v3): Attribute Syntax Definitions",
|
|||
|
RFC 2252, December 1997.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 36]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
[5] Wahl, M., Kille S. and T. Howes. "Lightweight Directory Access
|
|||
|
Protocol (v3): UTF-8 String Representation of Distinguished
|
|||
|
Names", RFC 2253, December 1997.
|
|||
|
|
|||
|
[6] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
|
|||
|
2279, January 1998.
|
|||
|
|
|||
|
[7] Legg, S., "Generic String Encoding Rules for ASN.1 Types",
|
|||
|
draft-legg-ldap-gser-xx.txt, a work in progress, March 2002.
|
|||
|
|
|||
|
[8] ITU-T Recommendation X.501 (1993) | ISO/IEC 9594-2:1994,
|
|||
|
Information Technology - Open Systems Interconnection - The
|
|||
|
Directory: Models
|
|||
|
|
|||
|
[9] ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-8:1998,
|
|||
|
Information Technology - Open Systems Interconnection - The
|
|||
|
Directory: Authentication Framework
|
|||
|
|
|||
|
[10] ITU-T Recommendation X.520 (1993) | ISO/IEC 9594-6:1994,
|
|||
|
Information Technology - Open Systems Interconnection - The
|
|||
|
Directory: Selected attribute types
|
|||
|
|
|||
|
[11] ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998
|
|||
|
Information Technology - Abstract Syntax Notation One (ASN.1):
|
|||
|
Specification of basic notation
|
|||
|
|
|||
|
[12] ITU-T Recommendation X.680 - Amendment 1 (06/99) | ISO/IEC
|
|||
|
8824-1:1998/Amd 1:2000 Relative object identifiers
|
|||
|
|
|||
|
[13] ITU-T Recommendation X.681 (1997) | ISO/IEC 8824-2:1998
|
|||
|
Information Technology - Abstract Syntax Notation One (ASN.1):
|
|||
|
Information object specification
|
|||
|
|
|||
|
[14] ITU-T Recommendation X.682 (1997) | ISO/IEC 8824-3:1998
|
|||
|
Information Technology - Abstract Syntax Notation One (ASN.1):
|
|||
|
Constraint specification
|
|||
|
|
|||
|
[15] ITU-T Recommendation X.683 (1997) | ISO/IEC 8824-4:1998
|
|||
|
Information Technology - Abstract Syntax Notation One (ASN.1):
|
|||
|
Parameterization of ASN.1 specifications
|
|||
|
|
|||
|
|
|||
|
13. Informative References
|
|||
|
|
|||
|
[16] Hovey, R. and S. Bradner, "The Organizations Involved in the
|
|||
|
IETF Standards Process", BCP 11, RFC 2028, October 1996.
|
|||
|
|
|||
|
[17] Howes, T., "The String Representation of LDAP Search Filters",
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 37]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
RFC 2254, December 1997.
|
|||
|
|
|||
|
[18] ITU-T Recommendation X.500 (1993) | ISO/IEC 9594-1:1994,
|
|||
|
Information Technology - Open Systems Interconnection - The
|
|||
|
Directory: Overview of concepts, models and services
|
|||
|
|
|||
|
[19] ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1:1998
|
|||
|
Information Technology - ASN.1 encoding rules: Specification of
|
|||
|
Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and
|
|||
|
Distinguished Encoding Rules (DER)
|
|||
|
|
|||
|
|
|||
|
14. Intellectual Property Notice
|
|||
|
|
|||
|
The IETF takes no position regarding the validity or scope of any
|
|||
|
intellectual property or other rights that might be claimed to
|
|||
|
pertain to the implementation or use of the technology described in
|
|||
|
this document or the extent to which any license under such rights
|
|||
|
might or might not be available; neither does it represent that it
|
|||
|
has made any effort to identify any such rights. Information on the
|
|||
|
IETF's procedures with respect to rights in standards-track and
|
|||
|
standards-related documentation can be found in BCP-11. [16] Copies
|
|||
|
of claims of rights made available for publication and any assurances
|
|||
|
of licenses to be made available, or the result of an attempt made to
|
|||
|
obtain a general license or permission for the use of such
|
|||
|
proprietary rights by implementors or users of this specification can
|
|||
|
be obtained from the IETF Secretariat.
|
|||
|
|
|||
|
The IETF invites any interested party to bring to its attention any
|
|||
|
copyrights, patents or patent applications, or other proprietary
|
|||
|
rights which may cover technology that may be required to practice
|
|||
|
this standard. Please address the information to the IETF Executive
|
|||
|
Director.
|
|||
|
|
|||
|
|
|||
|
15. Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2002). All Rights Reserved.
|
|||
|
|
|||
|
This document and translations of it may be copied and furnished to
|
|||
|
others, and derivative works that comment on or otherwise explain it
|
|||
|
or assist in its implementation may be prepared, copied, published
|
|||
|
and distributed, in whole or in part, without restriction of any
|
|||
|
kind, provided that the above copyright notice and this paragraph are
|
|||
|
included on all such copies and derivative works. However, this
|
|||
|
document itself may not be modified in any way, such as by removing
|
|||
|
the copyright notice or references to the Internet Society or other
|
|||
|
Internet organizations, except as needed for the purpose of
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 38]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
developing Internet standards in which case the procedures for
|
|||
|
copyrights defined in the Internet Standards process must be
|
|||
|
followed, or as required to translate it into languages other than
|
|||
|
English.
|
|||
|
|
|||
|
The limited permissions granted above are perpetual and will not be
|
|||
|
revoked by the Internet Society or its successors or assigns.
|
|||
|
|
|||
|
This document and the information contained herein is provided on an
|
|||
|
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
|||
|
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
|||
|
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
|||
|
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
|||
|
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
|
|||
|
16. Author's Address
|
|||
|
|
|||
|
Steven Legg
|
|||
|
Adacel Technologies Ltd.
|
|||
|
405-409 Ferntree Gully Road
|
|||
|
Mount Waverley, Victoria 3149
|
|||
|
AUSTRALIA
|
|||
|
|
|||
|
Phone: +61 3 9451 2107
|
|||
|
Fax: +61 3 9541 2121
|
|||
|
EMail: steven.legg@adacel.com.au
|
|||
|
|
|||
|
|
|||
|
17. Appendix A - Changes From Previous Drafts
|
|||
|
|
|||
|
17.1 Changes in Draft 01
|
|||
|
|
|||
|
Section 4.1.7 (now 5.1.7) was added to enable component matching of
|
|||
|
values embedded in encoded form into BIT STRINGs or OCTET STRINGs.
|
|||
|
In particular, this is to allow component matching of values in
|
|||
|
Certificate extensions. The <content> rule was added in Section 4.1
|
|||
|
(now 5.1) to allow the OCTET STRING contents to be treated as either
|
|||
|
raw octets or as an embedded value.
|
|||
|
|
|||
|
References to a companion document summarizing the ASN.1 types of
|
|||
|
LDAP syntaxes were removed to avoid holding up this document.
|
|||
|
|
|||
|
The OpenType syntax was renamed to OpenAssertionType.
|
|||
|
|
|||
|
Object identifiers for the new syntax and matching rule definitions
|
|||
|
have been allocated from an arc belonging to Adacel Technologies Ltd.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 39]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
17.2 Changes in Draft 02
|
|||
|
|
|||
|
The context specific tagging in the ComponentAssertion ASN.1 type was
|
|||
|
unnecessary and has been removed.
|
|||
|
|
|||
|
The encoding of OpenAssertionType assertion values outside of
|
|||
|
ComponentAssertions has been clarified, and the description of
|
|||
|
OpenAssertionType has been promoted to its own section.
|
|||
|
|
|||
|
17.3 Changes in Draft 03
|
|||
|
|
|||
|
The default matching by allComponentsMatch of component values of BIT
|
|||
|
STRING types with named bit lists has been changed to ignore trailing
|
|||
|
zero bits.
|
|||
|
|
|||
|
Typographical errors in the <SafeUTF8Character> rule have been fixed.
|
|||
|
|
|||
|
17.4 Changes in Draft 04
|
|||
|
|
|||
|
When the matching rule in a ComponentAssertion has a variable
|
|||
|
assertion syntax it is not possible to determine the syntax of the
|
|||
|
value component from the ComponentAssertion alone when the associated
|
|||
|
component reference has referenced through an open type. Deducing
|
|||
|
what that syntax should be from inspection of the other
|
|||
|
ComponentAssertions in a ComponentFilter is difficult to implement in
|
|||
|
any comprehensive way. The <select> form of ComponentId has been
|
|||
|
introduced so that the syntax can always be determined from the
|
|||
|
contents of the ComponentAssertion alone. This not only simplifies
|
|||
|
implementation but can lead to simpler ComponentFilters since there
|
|||
|
is no longer a requirement to test that the components constraining
|
|||
|
an open type have particular values. The open type referencing
|
|||
|
example has been changed accordingly. The contained type referencing
|
|||
|
example has also been changed because it is an example of a contained
|
|||
|
open type.
|
|||
|
|
|||
|
The presentationAddressMatch rule is not commutative so it has been
|
|||
|
removed from the table defining directoryComponentsMatch. The default
|
|||
|
behaviour of allComponentsMatch is already a suitable commutative
|
|||
|
substitute for matching PresentationAddress values.
|
|||
|
|
|||
|
The null character has been included in the range of legal characters
|
|||
|
for <SafeUTF8Character>.
|
|||
|
|
|||
|
The ASN.1 type of the notional iteration count associated with SET OF
|
|||
|
and SEQUENCE OF values has been refined to INTEGER (0..MAX).
|
|||
|
|
|||
|
The encoding rules in Section 8 (now draft-legg-ldap-gser-xx.txt)
|
|||
|
have been formally named the Generic String Encoding Rules (GSER) and
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 40]
|
|||
|
|
|||
|
INTERNET-DRAFT LDAP & X.500 Component Matching Rules April 19, 2002
|
|||
|
|
|||
|
|
|||
|
a transfer syntax object identifier has been assigned.
|
|||
|
|
|||
|
The term "LDAP string encoding" has been replaced by the term "native
|
|||
|
LDAP-specific encoding" to align with terminology anticipated to be
|
|||
|
used in the revision of RFC 2252.
|
|||
|
|
|||
|
17.5 Changes in Draft 05
|
|||
|
|
|||
|
Reformatted the draft to conform to recent and proposed RFC editorial
|
|||
|
policy.
|
|||
|
|
|||
|
The use of the <oid> rule from RFC 2252 has been replaced by a local
|
|||
|
definition to specifically outlaw leading zero characters in OBJECT
|
|||
|
IDENTIFIER components.
|
|||
|
|
|||
|
Provisions for the RELATIVE-OID ASN.1 type defined in Amendment 1 to
|
|||
|
X.680 have been added.
|
|||
|
|
|||
|
The comparison of REAL values has been clarified and the GSER
|
|||
|
encoding of REAL values has been extended.
|
|||
|
|
|||
|
Removed extraneous spaces from example DNs.
|
|||
|
|
|||
|
17.6 Changes in Draft 06
|
|||
|
|
|||
|
An ABNF syntax error in the <exponent> rule was fixed.
|
|||
|
|
|||
|
17.7 Changes in Draft 07
|
|||
|
|
|||
|
The term "native LDAP encoding" has been replaced by the term "LDAP-
|
|||
|
specific encoding" to align with terminology anticipated to be used
|
|||
|
in the revision of RFC 2252.
|
|||
|
|
|||
|
Section 8 has been extracted to become a separate Internet draft,
|
|||
|
draft-legg-ldap-gser-00.txt. The specifications for ChoiceOfStrings
|
|||
|
types have also been moved to this new Internet draft. Various
|
|||
|
editorial changes have been made to this draft to accommodate this
|
|||
|
split.
|
|||
|
|
|||
|
17.8 Changes in Draft 08
|
|||
|
|
|||
|
The enumeratedMatch matching rule duplicates a subset of the
|
|||
|
functionality of allComponentsMatch so it has been removed. The
|
|||
|
enumeratedMatch rule has been replaced by allComponentsMatch in the
|
|||
|
examples. The description of the OpenAssertionType syntax has been
|
|||
|
moved into Section 8.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Legg Expires 19 October 2002 [Page 41]
|
|||
|
|