    Network Working Group                                   K. Zeilenga, Ed.
    Request for Comments: 3698                           OpenLDAP Foundation
    Updates: 2798                                              February 2004
    Category: Standards Track
    
    
                 Lightweight Directory Access Protocol (LDAP):
                           Additional Matching Rules
    
    Status of this Memo
    
       This document specifies an Internet standards track protocol for the
       Internet community, and requests discussion and suggestions for
       improvements.  Please refer to the current edition of the "Internet
       Official Protocol Standards" (STD 1) for the standardization state
       and status of this protocol.  Distribution of this memo is unlimited.
    
    Copyright Notice
    
       Copyright (C) The Internet Society (2004).  All Rights Reserved.
    
    Abstract
    
       This document provides a collection of matching rules for use with
       the Lightweight Directory Access Protocol (LDAP).  As these matching
       rules are simple adaptations of matching rules specified for use with
       the X.500 Directory, most are already in wide use.
    
    Table of Contents
    
       1.  Background and Intended Use. . . . . . . . . . . . . . . . . .  2
       2.  Matching Rules . . . . . . . . . . . . . . . . . . . . . . . .  2
           2.1.  booleanMatch . . . . . . . . . . . . . . . . . . . . . .  2
           2.2.  caseExactMatch . . . . . . . . . . . . . . . . . . . . .  2
           2.3.  caseExactOrderingMatch . . . . . . . . . . . . . . . . .  3
           2.4.  caseExactSubstringsMatch . . . . . . . . . . . . . . . .  3
           2.5.  caseIgnoreListSubstringsMatch. . . . . . . . . . . . . .  3
           2.6.  directoryStringFirstComponentMatch . . . . . . . . . . .  4
           2.7.  integerOrderingMatch . . . . . . . . . . . . . . . . . .  4
           2.8.  keywordMatch . . . . . . . . . . . . . . . . . . . . . .  4
           2.9.  numericStringOrderingMatch . . . . . . . . . . . . . . .  5
           2.10. octetStringOrderingMatch . . . . . . . . . . . . . . . .  5
           2.11. storedPrefixMatch. . . . . . . . . . . . . . . . . . . .  5
           2.12. wordMatch. . . . . . . . . . . . . . . . . . . . . . . .  6
       3.  Security Considerations. . . . . . . . . . . . . . . . . . . .  6
       4.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . .  6
       5.  Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . .  7
       6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  7
    
    
    
    Zeilenga                    Standards Track                     [Page 1]
    
    RFC 3698            LDAP: Additional Matching Rules        February 2004
    
    
           6.1.  Normative References . . . . . . . . . . . . . . . . . .  7
           6.2.  Informative References . . . . . . . . . . . . . . . . .  7
       7.  Author's Address . . . . . . . . . . . . . . . . . . . . . . .  8
       8.  Full Copyright Statement . . . . . . . . . . . . . . . . . . .  9
    
    1.  Background and Intended Use
    
       This document adapts additional X.500 Directory [X.500] matching
       rules [X.520] for use with the Lightweight Directory Access Protocol
       (LDAP) [RFC3377].  Most of these rules are widely used today on the
       Internet, such as in support of the inetOrgPerson [RFC2798] and
       Policy Core Information Model [RFC3703] LDAP schemas.  The rules are
       applicable to many other applications.
    
       This document supersedes the informational matching rules
       descriptions provided in RFC 2798 that are now provided in this
       document.  Specifically, section 2 of this document replaces section
       9.3.3 of RFC 2798.
    
       Schema definitions are provided using LDAP description formats
       [RFC2252].  Definitions provided here are formatted (line wrapped)
       for readability.
    
    2.  Matching Rules
    
    2.1.  booleanMatch
    
       The booleanMatch rule compares for equality an asserted Boolean value
       with an attribute value of BOOLEAN syntax.  The rule returns TRUE if
       and only if the values are the same, i.e., both are TRUE or both are
       FALSE.  (Source: X.520)
    
           ( 2.5.13.13 NAME 'booleanMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
    
       The BOOLEAN (1.3.6.1.4.1.1466.115.121.1.7) syntax is described in
       [RFC2252].
    
    2.2.  caseExactMatch
    
       The caseExactMatch rule compares for equality the asserted value with
       an attribute value of DirectoryString syntax.  The rule is identical
       to the caseIgnoreMatch [RFC2252] rule except that case is not
       ignored.  (Source: X.520)

           ( 2.5.13.5 NAME 'caseExactMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    
       The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
       described in [RFC2252].
    
    2.3.  caseExactOrderingMatch
    
       The caseExactOrderingMatch rule compares the collation order of the
       asserted string with an attribute value of DirectoryString syntax.
       The rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule
       except that letters are not folded.  (Source: X.520)
    
           ( 2.5.13.6 NAME 'caseExactOrderingMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    
       The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
       described in [RFC2252].
    
    2.4.  caseExactSubstringsMatch
    
       The caseExactSubstringsMatch rule determines whether the asserted
       value(s) are substrings of an attribute value of DirectoryString
       syntax.  The rule is identical to the caseIgnoreSubstringsMatch
       [RFC2252] rule except that case is not ignored.  (Source: X.520)
    
           ( 2.5.13.7 NAME 'caseExactSubstringsMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )
    
       The SubstringsAssertion (1.3.6.1.4.1.1466.115.121.1.58) syntax is
       described in [RFC2252].
    
    2.5.  caseIgnoreListSubstringsMatch

       The caseIgnoreListSubstringsMatch rule compares the asserted substring
       with an attribute value which is a sequence of DirectoryStrings, but
       where the case (upper or lower) is not significant for comparison
       purposes.  The asserted value matches a stored value if and only if
       the asserted value matches the string formed by concatenating the
       strings of the stored value.  This matching is done according to the
       caseIgnoreSubstringsMatch [RFC2252] rule; however, none of the
       initial, any, or final values of the asserted value are considered to
       match a substring of the concatenated string which spans more than
       one of the strings of the stored value.  (Source: X.520)
    
           ( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )

       The SubstringsAssertion (1.3.6.1.4.1.1466.115.121.1.58) syntax is
       described in [RFC2252].
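
       The no-spanning condition of caseIgnoreListSubstringsMatch, as an
       added example that is not part of RFC 3698: a matcher that simply
       concatenates the stored strings accepts values this rule excludes.
       Assumptions: the function names are hypothetical, str.casefold()
       stands in for the string handling of caseIgnoreSubstringsMatch, and
       the stored value is constructed.

```python
def list_substrings_match(stored, initial=None, any_parts=(), final=None):
    """Match a substrings assertion against a sequence of strings.

    Components must appear in order, must not overlap, and each one must
    lie wholly inside a single element of the stored sequence.
    """
    elems = [s.casefold() for s in stored]  # simplified case folding (assumption)
    if not elems:
        return False
    idx, off = 0, 0  # current position: element index, offset inside it
    if initial is not None:
        init = initial.casefold()
        # 'initial' starts the concatenation, so it must fit in element 0.
        if not elems[0].startswith(init):
            return False
        off = len(init)
    for part in any_parts:
        needle = part.casefold()
        # Leftmost match at or after the current position, never crossing
        # from one element into the next.
        while idx < len(elems):
            found = elems[idx].find(needle, off)
            if found != -1:
                off = found + len(needle)
                break
            idx, off = idx + 1, 0
        else:
            return False
    if final is not None:
        tail = final.casefold()
        last = len(elems) - 1
        start = len(elems[last]) - len(tail)
        # 'final' ends the concatenation, so it must fit in the last element
        # and begin after everything matched so far.
        if start < 0 or not elems[last].endswith(tail):
            return False
        if idx == last and start < off:
            return False
    return True


def naive_concat_contains(stored, part):
    """Incorrect shortcut: substring test on the joined strings."""
    return part.casefold() in "".join(s.casefold() for s in stored)


# Constructed stored value: two lines of a postal address.
STORED = ["Suite 100", "Main Street"]
```
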
    
    2.6.  directoryStringFirstComponentMatch
    
       The directoryStringFirstComponentMatch rule compares for equality the
       asserted DirectoryString value with an attribute value of type
       SEQUENCE whose first component is mandatory and of type
       DirectoryString.  The rule returns TRUE if and only if the attribute
       value has a first component whose value matches the asserted
       DirectoryString using the rules of caseIgnoreMatch [RFC2252].  A
       value of the assertion syntax is derived from a value of the
       attribute syntax by using the value of the first component of the
       SEQUENCE.  (Source: X.520)
    
           ( 2.5.13.31 NAME 'directoryStringFirstComponentMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    
       The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
       described in [RFC2252].
    
    2.7.  integerOrderingMatch
    
       The integerOrderingMatch rule compares the ordering of the asserted
       integer with an attribute value of INTEGER syntax.  The rule returns
       TRUE if the attribute value is less than the asserted value. (Source:
       X.520)
    
           ( 2.5.13.15 NAME 'integerOrderingMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
    
       The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax is described in
       [RFC2252].
    
    2.8.  keywordMatch
    
       The keywordMatch rule compares the asserted string with keywords in
       an attribute value of DirectoryString syntax.  The rule returns TRUE
       if and only if the asserted value matches any keyword in the
       attribute value.  The identification of keywords in an attribute
       value and of the exactness of match are both implementation specific.
       (Source: X.520)
    
           ( 2.5.13.33 NAME 'keywordMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    
       The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
       described in [RFC2252].

    2.9.  numericStringOrderingMatch
    
       The numericStringOrderingMatch rule compares the collation order of
       the asserted string with an attribute value of NumericString syntax.
       The rule is identical to the caseIgnoreOrderingMatch [RFC2252] rule
       except that all space characters are skipped during comparison (case
       is irrelevant as characters are numeric).  (Source: X.520)
    
           ( 2.5.13.9 NAME 'numericStringOrderingMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
    
       The NumericString (1.3.6.1.4.1.1466.115.121.1.36) syntax is described
       in [RFC2252].
    
    2.10.  octetStringOrderingMatch
    
       The octetStringOrderingMatch rule compares the collation order of the
       asserted octet string with an attribute value of OCTET STRING syntax.
       The rule compares octet strings from first octet to last octet, and
       from the most significant bit to the least significant bit within the
       octet.  The first occurrence of a different bit determines the
       ordering of the strings.  A zero bit precedes a one bit.  If the
       strings are identical but contain different numbers of octets, the
       shorter string precedes the longer string.  (Source: X.520)
    
           ( 2.5.13.18 NAME 'octetStringOrderingMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    
       The OCTET STRING (1.3.6.1.4.1.1466.115.121.1.40) syntax is described
       in [RFC2252].
    
    2.11.  storedPrefixMatch
    
       The storedPrefixMatch rule determines whether an attribute value,
       whose syntax is DirectoryString, is a prefix (i.e., initial substring)
       of the asserted value, without regard to the case (upper or lower) of
       the strings.  The rule returns TRUE if and only if the attribute
       value is an initial substring of the asserted value with
       corresponding characters identical except possibly with regard to
       case.  (Source: X.520)
    
           ( 2.5.13.41 NAME 'storedPrefixMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

       Note: This rule can be used, for example, to compare values in the
             Directory which are telephone area codes with a purported value
             which is a telephone number.
    
       The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
       described in [RFC2252].
    
    2.12.  wordMatch
    
       The wordMatch rule compares the asserted string with words in an
       attribute value of DirectoryString syntax.  The rule returns TRUE if
       and only if the asserted word matches any word in the attribute
       value.  Individual word matching is as for the caseIgnoreMatch
       [RFC2252] matching rule.  The precise definition of a "word" is
       implementation specific.  (Source: X.520)
    
           ( 2.5.13.32 NAME 'wordMatch'
             SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    
       The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax is
       described in [RFC2252].
    
    3.  Security Considerations
    
       General LDAP security considerations [RFC3377] are applicable to the
       use of this schema.  Additional considerations are noted above where
       appropriate.
    
    4.  IANA Considerations
    
       The Internet Assigned Numbers Authority (IANA) has updated the LDAP
       descriptors registry [RFC3383] as indicated in the following
       template:
    
           Subject: Request for LDAP Descriptor Registration Update
           Descriptor (short name): see comment
           Object Identifier: see comments
           Person & email address to contact for further information:
               Kurt Zeilenga <kurt@OpenLDAP.org>
           Usage: see comments
           Specification: RFC 3698
           Author/Change Controller: IESG
           Comments:

           The following descriptors have been added:
    
             NAME                               Type OID
             ------------------------           ---- ---------
             booleanMatch                       M    2.5.13.13
             caseExactMatch                     M    2.5.13.5
             caseExactOrderingMatch             M    2.5.13.6
             caseExactSubstringsMatch           M    2.5.13.7
             caseIgnoreListSubstringsMatch      M    2.5.13.12
             directoryStringFirstComponentMatch M    2.5.13.31
             integerOrderingMatch               M    2.5.13.15
             keywordMatch                       M    2.5.13.33
             numericStringOrderingMatch         M    2.5.13.9
             octetStringOrderingMatch           M    2.5.13.18
             storedPrefixMatch                  M    2.5.13.41
             wordMatch                          M    2.5.13.32
    
           where Type M is Matching Rule.
    
       This document makes no new OID assignments.  It only associates LDAP
       matching rule descriptions with existing X.500 matching rules.
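
       One way to check a server's advertised matching rules against the
       definitions above, as an added example that is not part of RFC 3698:
       it parses descriptions in the format used in section 2 and reports
       rules whose OID or assertion syntax differs from this document.
       Assumptions: the function names are hypothetical and the sample
       values are constructed, not taken from a real server.

```python
import re

SYN = "1.3.6.1.4.1.1466.115.121.1."
# name -> (rule OID, assertion syntax OID), transcribed from sections 2 and 4.
RFC3698_RULES = {
    "booleanMatch": ("2.5.13.13", SYN + "7"),
    "caseExactMatch": ("2.5.13.5", SYN + "15"),
    "caseExactOrderingMatch": ("2.5.13.6", SYN + "15"),
    "caseExactSubstringsMatch": ("2.5.13.7", SYN + "58"),
    "caseIgnoreListSubstringsMatch": ("2.5.13.12", SYN + "58"),
    "directoryStringFirstComponentMatch": ("2.5.13.31", SYN + "15"),
    "integerOrderingMatch": ("2.5.13.15", SYN + "27"),
    "keywordMatch": ("2.5.13.33", SYN + "15"),
    "numericStringOrderingMatch": ("2.5.13.9", SYN + "36"),
    "octetStringOrderingMatch": ("2.5.13.18", SYN + "40"),
    "storedPrefixMatch": ("2.5.13.41", SYN + "15"),
    "wordMatch": ("2.5.13.32", SYN + "15"),
}
# Descriptors are compared without regard to case.
_BY_LOWER = {n.lower(): (n, v) for n, v in RFC3698_RULES.items()}

# Handles NAME (one quoted name or a parenthesised list), DESC, OBSOLETE, SYNTAX.
_DESC_RE = re.compile(r"""
    ^\(\s*(?P<oid>\d+(?:\.\d+)+)
    (?:\s+NAME\s+(?P<names>'[^']*'|\(\s*(?:'[^']*'\s*)+\)))?
    (?:\s+DESC\s+'[^']*')?
    (?:\s+OBSOLETE)?
    \s+SYNTAX\s+(?P<syntax>\d+(?:\.\d+)+)
    \s*\)$""", re.VERBOSE)


def parse_matching_rule(text):
    """Parse one description, collapsing the line wrapping first."""
    m = _DESC_RE.match(" ".join(text.split()))
    if m is None:
        raise ValueError("not a matching rule description: %r" % text)
    return {"oid": m.group("oid"),
            "names": re.findall(r"'([^']*)'", m.group("names") or ""),
            "syntax": m.group("syntax")}


def audit(descriptions):
    """List (finding, name) pairs where an advertised rule departs from RFC 3698."""
    findings = []
    for text in descriptions:
        try:
            rule = parse_matching_rule(text)
        except ValueError:
            findings.append(("unparseable", " ".join(text.split())))
            continue
        for advertised in rule["names"]:
            if advertised.lower() not in _BY_LOWER:
                continue  # not one of the twelve rules in this document
            name, (oid, syntax) = _BY_LOWER[advertised.lower()]
            if rule["oid"] != oid:
                findings.append(("oid-mismatch", name))
            if rule["syntax"] != syntax:
                findings.append(("syntax-mismatch", name))
    return findings


# Constructed sample of advertised matching rule values.
SAMPLE = [
    "( 2.5.13.13 NAME 'booleanMatch'\n  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )",
    "( 2.5.13.15 NAME 'integerOrderingMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.13.99 NAME ( 'wordMatch' 'wm' ) DESC 'constructed' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.13.41 NAME storedPrefixMatch )",
]
```
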
    
    5.  Acknowledgments
    
       This document borrows from [X.520], an ITU-T Recommendation.
    
    6.  References
    
    6.1.  Normative References
    
       [RFC2252]     Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
                     "Lightweight Directory Access Protocol (v3):  Attribute
                     Syntax Definitions", RFC 2252, December 1997.
    
       [RFC3377]     Hodges, J. and R. Morgan, "Lightweight Directory Access
                     Protocol (v3): Technical Specification", RFC 3377,
                     September 2002.
    
    6.2.  Informative References
    
       [RFC2798]     Smith, M., "The LDAP inetOrgPerson Object Class", RFC
                     2798, April 2000.
    
       [RFC3383]     Zeilenga, K., "IANA Considerations for LDAP", BCP 64,
                     RFC 3383, September 2002.
    
       [RFC3703]     Strassner, J., Moore, B., Moats, R. and E. Ellesson,
                     "Policy Core LDAP Schema", RFC 3703, February 2004.

       [X.500]       International Telecommunication Union -
                     Telecommunication Standardization Sector, "The
                     Directory -- Overview of concepts, models and
                     services," X.500(1993) (also ISO/IEC 9594-1:1994).
    
       [X.520]       International Telecommunication Union -
                     Telecommunication Standardization Sector, "The
                     Directory: Selected Attribute Types", X.520(1997).
    
    7.  Author's Address
    
       Kurt D. Zeilenga
       OpenLDAP Foundation
    
       EMail: Kurt@OpenLDAP.org

    8.  Full Copyright Statement
    
       Copyright (C) The Internet Society (2004).  This document is subject
       to the rights, licenses and restrictions contained in BCP 78 and
       except as set forth therein, the authors retain all their rights.
    
       This document and the information contained herein are provided on an
       "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
       REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
       INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
       IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
       THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
       WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
    
    Intellectual Property
    
       The IETF takes no position regarding the validity or scope of any
       Intellectual Property Rights or other rights that might be claimed
       to pertain to the implementation or use of the technology
       described in this document or the extent to which any license
       under such rights might or might not be available; nor does it
       represent that it has made any independent effort to identify any
       such rights.  Information on the procedures with respect to
       rights in RFC documents can be found in BCP 78 and BCP 79.
    
       Copies of IPR disclosures made to the IETF Secretariat and any
       assurances of licenses to be made available, or the result of an
       attempt made to obtain a general license or permission for the use
       of such proprietary rights by implementers or users of this
       specification can be obtained from the IETF on-line IPR repository
       at http://www.ietf.org/ipr.
    
       The IETF invites any interested party to bring to its attention
       any copyrights, patents or patent applications, or other
       proprietary rights that may cover technology that may be required
       to implement this standard.  Please address the information to the
       IETF at ietf-ipr@ietf.org.
    
    Acknowledgement
    
       Funding for the RFC Editor function is currently provided by the
       Internet Society.