Network Working Group                                       K. Zeilenga, Ed.
Request for Comments: 3698                                OpenLDAP Foundation
Updates: 2798                                                  February 2004
Category: Standards Track


              Lightweight Directory Access Protocol (LDAP):
                        Additional Matching Rules

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document provides a collection of matching rules for use with
   the Lightweight Directory Access Protocol (LDAP).  As these matching
   rules are simple adaptations of matching rules specified for use with
   the X.500 Directory, most are already in wide use.

Table of Contents

   1.  Background and Intended Use. . . . . . . . . . . . . . . . . .  2
   2.  Matching Rules . . . . . . . . . . . . . . . . . . . . . . . .  2
       2.1.  booleanMatch . . . . . . . . . . . . . . . . . . . . . .  2
       2.2.  caseExactMatch . . . . . . . . . . . . . . . . . . . . .  2
       2.3.  caseExactOrderingMatch . . . . . . . . . . . . . . . . .  3
       2.4.  caseExactSubstringsMatch . . . . . . . . . . . . . . . .  3
       2.5.  caseIgnoreListSubstringsMatch. . . . . . . . . . . . . .  3
       2.6.  directoryStringFirstComponentMatch . . . . . . . . . . .  4
       2.7.  integerOrderingMatch . . . . . . . . . . . . . . . . . .  4
       2.8.  keywordMatch . . . . . . . . . . . . . . . . . . . . . .  4
       2.9.  numericStringOrderingMatch . . . . . . . . . . . . . . .  5
       2.10. octetStringOrderingMatch . . . . . . . . . . . . . . . .  5
       2.11. storedPrefixMatch. . . . . . . . . . . . . . . . . . . .  5
       2.12. wordMatch. . . . . . . . . . . . . . . . . . . . . . . .  6
   3.  Security Considerations. . . . . . . . . . . . . . . . . . . .  6
   4.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . .  6
   5.  Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . .  7
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  7
       6.1.  Normative References . . . . . . . . . . . . . . . . . .  7
       6.2.  Informative References . . . . . . . . . . . . . . . . .  7
   7.  Author's Address . . . . . . . . . . . . . . . . . . . . . . .  8
   8.  Full Copyright Statement . . . . . . . . . . . . . . . . . . .  9

Zeilenga                    Standards Track                     [Page 1]

RFC 3698             LDAP: Additional Matching Rules       February 2004

1.  Background and Intended Use

   This document adapts additional X.500 Directory [X.500] matching
   rules [X.520] for use with the Lightweight Directory Access Protocol
   (LDAP) [RFC3377].  Most of these rules are widely used today on the
   Internet, such as in support of the inetOrgPerson [RFC2798] and
   Policy Core Information Model [RFC3703] LDAP schemas.  The rules are
   applicable to many other applications.

   This document supersedes the informational matching rule
   descriptions provided in RFC 2798; those descriptions are now
   provided here.  Specifically, section 2 of this document replaces
   section 9.3.3 of RFC 2798.

   Schema definitions are provided using LDAP description formats
   [RFC2252].  Definitions provided here are formatted (line wrapped)
   for readability.

2.  Matching Rules

2.1.  booleanMatch

   The booleanMatch rule compares for equality an asserted Boolean value
   with an attribute value of BOOLEAN syntax.  The rule returns TRUE if
   and only if the values are the same, i.e., both are TRUE or both are
   FALSE.  (Source: X.520)

      ( 2.5.13.13 NAME 'booleanMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

   The BOOLEAN (1.3.6.1.4.1.1466.115.121.1.7) syntax is described in
   [RFC2252].

2.2.  caseExactMatch

   The caseExactMatch rule compares for equality the asserted value with
   an attribute value of DirectoryString syntax.  The rule is identical
   to the caseIgnoreMatch [RFC2252] rule except that case is not
   ignored.  (Source: X.520)

      ( 2.5.13.5 NAME 'caseExactMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
   described in [RFC2252].

2.3.  caseExactOrderingMatch

   The caseExactOrderingMatch rule compares the collation order of the
   asserted string with an attribute value of DirectoryString syntax.
   The rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule
   except that letters are not folded.  (Source: X.520)

      ( 2.5.13.6 NAME 'caseExactOrderingMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
   described in [RFC2252].

2.4.  caseExactSubstringsMatch

   The caseExactSubstringsMatch rule determines whether the asserted
   value(s) are substrings of an attribute value of DirectoryString
   syntax.  The rule is identical to the caseIgnoreSubstringsMatch
   [RFC2252] rule except that case is not ignored.  (Source: X.520)

      ( 2.5.13.7 NAME 'caseExactSubstringsMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )

   The SubstringsAssertion (1.3.6.1.4.1.1466.115.121.1.58) syntax is
   described in [RFC2252].

2.5.  caseIgnoreListSubstringsMatch

   The caseIgnoreListSubstringsMatch rule compares the asserted substring
   with an attribute value which is a sequence of DirectoryStrings, but
   where the case (upper or lower) is not significant for comparison
   purposes.  The asserted value matches a stored value if and only if
   the asserted value matches the string formed by concatenating the
   strings of the stored value.  This matching is done according to the
   caseIgnoreSubstringsMatch [RFC2252] rule; however, none of the
   initial, any, or final values of the asserted value are considered to
   match a substring of the concatenated string which spans more than
   one of the strings of the stored value.  (Source: X.520)

      ( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )

   The SubstringsAssertion (1.3.6.1.4.1.1466.115.121.1.58) syntax is
   described in [RFC2252].
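   The boundary restriction in this rule is the part implementations get
   wrong: a component may match inside the concatenation but must not
   straddle two of the stored strings.  The following is an added
   example (not code from this RFC or from OpenLDAP) that evaluates a
   SubstringsAssertion (initial, any*, final) against a list of strings
   with that restriction enforced; it assumes plain case folding and
   leaves out the RFC 2252 insignificant-space handling.

```python
from typing import List, Optional, Sequence, Tuple


def _fold(s: str) -> str:
    # Case folding only; the caseIgnore rules of RFC 2252 also treat runs of
    # spaces as insignificant, which this example deliberately leaves out.
    return s.casefold()


def _segments(values: Sequence[str]) -> List[Tuple[int, int]]:
    """Offsets (start, end) of each stored string inside the concatenation."""
    bounds, pos = [], 0
    for v in values:
        bounds.append((pos, pos + len(v)))
        pos += len(v)
    return bounds


def _within_one(bounds: Sequence[Tuple[int, int]], start: int, end: int) -> bool:
    # A component match counts only if it lies entirely inside ONE stored string.
    return any(s <= start and end <= e for s, e in bounds)


def _find_within(text: str, bounds, comp: str, from_pos: int) -> int:
    """Leftmost occurrence of comp at or after from_pos that spans no boundary."""
    i = text.find(comp, from_pos)
    while i != -1:
        if _within_one(bounds, i, i + len(comp)):
            return i
        i = text.find(comp, i + 1)
    return -1


def case_ignore_list_substrings_match(values: Sequence[str], initial: Optional[str] = None,
                                      any_: Sequence[str] = (), final: Optional[str] = None) -> bool:
    """Evaluate a SubstringsAssertion (initial, any*, final) against a list of strings."""
    stored = [_fold(v) for v in values]
    text = "".join(stored)
    bounds = _segments(stored)
    pos = 0  # earliest position the next component may start at; no overlaps
    if initial is not None:
        c = _fold(initial)
        if not text.startswith(c) or not _within_one(bounds, 0, len(c)):
            return False
        pos = len(c)
    for comp in any_:  # greedy leftmost valid match is optimal: an earlier end never hurts
        c = _fold(comp)
        i = _find_within(text, bounds, c, pos)
        if i == -1:
            return False
        pos = i + len(c)
    if final is not None:
        c = _fold(final)
        start = len(text) - len(c)
        if start < pos or not text.endswith(c) or not _within_one(bounds, start, len(text)):
            return False
    return True


# Constructed sample: a postal address stored as two DirectoryString lines.
ADDRESS = ["1234 Main St.", "Anytown, CA 12345"]
```

   With ADDRESS, an `any` component of "St.Anytown" is present in the
   concatenation but is rejected because it crosses the line boundary.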

2.6.  directoryStringFirstComponentMatch

   The directoryStringFirstComponentMatch rule compares for equality the
   asserted DirectoryString value with an attribute value of type
   SEQUENCE whose first component is mandatory and of type
   DirectoryString.  The rule returns TRUE if and only if the attribute
   value has a first component whose value matches the asserted
   DirectoryString using the rules of caseIgnoreMatch [RFC2252].  A
   value of the assertion syntax is derived from a value of the
   attribute syntax by using the value of the first component of the
   SEQUENCE.  (Source: X.520)

      ( 2.5.13.31 NAME 'directoryStringFirstComponentMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
   described in [RFC2252].

2.7.  integerOrderingMatch

   The integerOrderingMatch rule compares the ordering of the asserted
   integer with an attribute value of INTEGER syntax.  The rule returns
   TRUE if the attribute value is less than the asserted value.  (Source:
   X.520)

      ( 2.5.13.15 NAME 'integerOrderingMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

   The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax is described in
   [RFC2252].

2.8.  keywordMatch

   The keywordMatch rule compares the asserted string with keywords in
   an attribute value of DirectoryString syntax.  The rule returns TRUE
   if and only if the asserted value matches any keyword in the
   attribute value.  The identification of keywords in an attribute
   value and of the exactness of match are both implementation specific.
   (Source: X.520)

      ( 2.5.13.33 NAME 'keywordMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
   described in [RFC2252].

2.9.  numericStringOrderingMatch

   The numericStringOrderingMatch rule compares the collation order of
   the asserted string with an attribute value of NumericString syntax.
   The rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule
   except that all space characters are skipped during comparison (case
   is irrelevant as characters are numeric).  (Source: X.520)

      ( 2.5.13.9 NAME 'numericStringOrderingMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

   The NumericString (1.3.6.1.4.1.1466.115.121.1.36) syntax is described
   in [RFC2252].

2.10.  octetStringOrderingMatch

   The octetStringOrderingMatch rule compares the collation order of the
   asserted octet string with an attribute value of OCTET STRING syntax.
   The rule compares octet strings from first octet to last octet, and
   from the most significant bit to the least significant bit within the
   octet.  The first occurrence of a different bit determines the
   ordering of the strings.  A zero bit precedes a one bit.  If the
   strings are identical but contain different numbers of octets, the
   shorter string precedes the longer string.  (Source: X.520)

      ( 2.5.13.18 NAME 'octetStringOrderingMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

   The OCTET STRING (1.3.6.1.4.1.1466.115.121.1.40) syntax is described
   in [RFC2252].

2.11.  storedPrefixMatch

   The storedPrefixMatch rule determines whether an attribute value,
   whose syntax is DirectoryString, is a prefix (i.e., initial substring)
   of the asserted value, without regard to the case (upper or lower) of
   the strings.  The rule returns TRUE if and only if the attribute
   value is an initial substring of the asserted value with
   corresponding characters identical except possibly with regard to
   case.  (Source: X.520)

      ( 2.5.13.41 NAME 'storedPrefixMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   Note: This rule can be used, for example, to compare values in the
   Directory which are telephone area codes with a purported value
   which is a telephone number.

   The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
   described in [RFC2252].

2.12.  wordMatch

   The wordMatch rule compares the asserted string with words in an
   attribute value of DirectoryString syntax.  The rule returns TRUE if
   and only if the asserted word matches any word in the attribute
   value.  Individual word matching is as for the caseIgnoreMatch
   [RFC2252] matching rule.  The precise definition of a "word" is
   implementation specific.  (Source: X.520)

      ( 2.5.13.32 NAME 'wordMatch'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
   described in [RFC2252].
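   Several of the rules above differ from one another only in direction
   or in which characters are folded or skipped, and a filter evaluator
   that guesses instead of dispatching on the registered NAME or OID
   will get those details wrong (ordering rules are TRUE when the stored
   value sorts first; storedPrefixMatch tests the stored value against
   the asserted one, not the reverse).  The following is an added
   example, not code from this RFC or from OpenLDAP, that implements the
   equality and ordering rules of sections 2.1, 2.2, 2.3, 2.7, 2.9, 2.10,
   2.11 and 2.12 behind a registry keyed by OID and NAME; the `_norm`
   space handling is an assumption that approximates RFC 2252.

```python
from typing import Callable, Dict

def _norm(s: str) -> str:
    # Drop leading/trailing spaces and collapse internal runs; an approximation
    # of RFC 2252's "insignificant space" handling (assumption of this example).
    return " ".join(s.split())

def boolean_match(attr: str, asserted: str) -> bool:
    if attr not in ("TRUE", "FALSE") or asserted not in ("TRUE", "FALSE"):
        raise ValueError("BOOLEAN syntax admits only TRUE or FALSE")
    return attr == asserted

def case_exact_match(attr: str, asserted: str) -> bool:
    return _norm(attr) == _norm(asserted)

def case_exact_ordering_match(attr: str, asserted: str) -> bool:
    # Ordering rules are TRUE when the attribute value sorts BEFORE the assertion.
    return _norm(attr) < _norm(asserted)

def integer_ordering_match(attr: str, asserted: str) -> bool:
    # Compare numerically: a plain string compare would put "9" after "10".
    return int(attr) < int(asserted)

def numeric_string_ordering_match(attr: str, asserted: str) -> bool:
    # All space characters are skipped before comparing.
    return attr.replace(" ", "") < asserted.replace(" ", "")

def octet_string_ordering_match(attr: bytes, asserted: bytes) -> bool:
    # bytes order is octet by octet, MSB first, shorter prefix first: the rule.
    return attr < asserted

def stored_prefix_match(attr: str, asserted: str) -> bool:
    # Reversed direction: the STORED value must be a case-insensitive prefix of
    # the ASSERTED value (area code stored, full telephone number asserted).
    return asserted.casefold().startswith(attr.casefold())

def word_match(attr: str, asserted: str) -> bool:
    # "Word" is implementation specific; here: a whitespace-delimited token.
    return _norm(asserted).casefold() in (w.casefold() for w in attr.split())

# Registry keyed by both the X.500 OID and the LDAP NAME from the IANA table.
RULES: Dict[str, Callable[..., bool]] = {}
for _oid, _name, _fn in [
    ("2.5.13.13", "booleanMatch", boolean_match),
    ("2.5.13.5", "caseExactMatch", case_exact_match),
    ("2.5.13.6", "caseExactOrderingMatch", case_exact_ordering_match),
    ("2.5.13.15", "integerOrderingMatch", integer_ordering_match),
    ("2.5.13.9", "numericStringOrderingMatch", numeric_string_ordering_match),
    ("2.5.13.18", "octetStringOrderingMatch", octet_string_ordering_match),
    ("2.5.13.41", "storedPrefixMatch", stored_prefix_match),
    ("2.5.13.32", "wordMatch", word_match),
]:
    RULES[_oid] = RULES[_name] = _fn

def evaluate(rule: str, attr, asserted) -> bool:
    """Apply a rule by NAME or OID; an unknown rule is rejected, never guessed."""
    if rule not in RULES:
        raise LookupError(f"unknown matching rule {rule!r}")
    return RULES[rule](attr, asserted)
```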

3.  Security Considerations

   General LDAP security considerations [RFC3377] are applicable to the
   use of this schema.  Additional considerations are noted above where
   appropriate.

4.  IANA Considerations

   The Internet Assigned Numbers Authority (IANA) has updated the LDAP
   descriptors registry [RFC3383] as indicated in the following
   template:

      Subject: Request for LDAP Descriptor Registration Update
      Descriptor (short name): see comments
      Object Identifier: see comments
      Person & email address to contact for further information:
           Kurt Zeilenga <kurt@OpenLDAP.org>
      Usage: see comments
      Specification: RFC 3698
      Author/Change Controller: IESG
      Comments:

      The following descriptors have been added:

        NAME                                Type  OID
        ----------------------------------  ----  ---------
        booleanMatch                        M     2.5.13.13
        caseExactMatch                      M     2.5.13.5
        caseExactOrderingMatch              M     2.5.13.6
        caseExactSubstringsMatch            M     2.5.13.7
        caseIgnoreListSubstringsMatch       M     2.5.13.12
        directoryStringFirstComponentMatch  M     2.5.13.31
        integerOrderingMatch                M     2.5.13.15
        keywordMatch                        M     2.5.13.33
        numericStringOrderingMatch          M     2.5.13.9
        octetStringOrderingMatch            M     2.5.13.18
        storedPrefixMatch                   M     2.5.13.41
        wordMatch                           M     2.5.13.32

      where Type M is Matching Rule.

   This document makes no new OID assignments.  It only associates LDAP
   matching rule descriptions with existing X.500 matching rules.

5.  Acknowledgments

   This document borrows from [X.520], an ITU-T Recommendation.

6.  References

6.1.  Normative References

   [RFC2252]  Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
              "Lightweight Directory Access Protocol (v3): Attribute
              Syntax Definitions", RFC 2252, December 1997.

   [RFC3377]  Hodges, J. and R. Morgan, "Lightweight Directory Access
              Protocol (v3): Technical Specification", RFC 3377,
              September 2002.

6.2.  Informative References

   [RFC2798]  Smith, M., "The LDAP inetOrgPerson Object Class", RFC
              2798, April 2000.

   [RFC3383]  Zeilenga, K., "IANA Considerations for LDAP", BCP 64,
              RFC 3383, September 2002.

   [RFC3703]  Strassner, J., Moore, B., Moats, R. and E. Ellesson,
              "Policy Core LDAP Schema", RFC 3703, February 2004.

   [X.500]    International Telecommunication Union -
              Telecommunication Standardization Sector, "The
              Directory -- Overview of concepts, models and
              services," X.500(1993) (also ISO/IEC 9594-1:1994).

   [X.520]    International Telecommunication Union -
              Telecommunication Standardization Sector, "The
              Directory: Selected Attribute Types", X.520(1997).

7.  Author's Address

   Kurt D. Zeilenga
   OpenLDAP Foundation

   EMail: Kurt@OpenLDAP.org

8.  Full Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78 and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology
   described in this document or the extent to which any license
   under such rights might or might not be available; nor does it
   represent that it has made any independent effort to identify any
   such rights.  Information on the procedures with respect to
   rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights that may cover technology that may be required
   to implement this standard.  Please address the information to the
   IETF at ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.