Chapter 2. Schema and Namespace
2.2 LDAP Names
Entries in the IBM SecureWay Directory are identified by their names. The characteristics of these names include:
• They have two forms: a string representation and a URL.
• They have a uniform syntax.
• Namespace boundaries are not apparent in them.
A component of a name is called a relative distinguished name (RDN). An RDN represents a point within the namespace hierarchy. RDNs are separated by, and concatenated using, the comma (“,”). Each RDN is typed. Single-valued RDNs have the form <type>=<value>. The plus sign (“+”) is used to form multi-valued RDNs: <type>=<value>+<type>=<value>.
The <type> is case-insensitive and the <value> is defined to have a particular syntax. The order of RDNs in an LDAP name is the most specific RDN first, followed by the less specific RDNs moving up the DIT hierarchy. A concatenated series of RDNs equates to a distinguished name (DN). The DN is used to represent an object and the path to the object in the hierarchical namespace. A URL format for LDAP has been defined that includes a DN as a component of the URL. These forms are explained in the sections that follow.
2.2.1 String Form
The exact syntax for names is defined in RFC 2253. Rather than duplicating the RFC text, the following are examples of valid distinguished names written in string form:
• cn=Joe Q. Public, ou=Austin, o=IBM
This is a name containing three relative distinguished names (RDNs).
• ou=deptUVZS + cn=Joe Q. Public, ou=Austin, o=IBM
This is a name containing three RDNs in which the first RDN is multi-valued.
• cn=L. Eagle, o=Sue\, Grabbit and Runn, c=GB
This example shows the method of quoting a comma (using a backslash as the escape character) in an organization name.
• cn=Before\0DAfter,o=Test,c=GB
This is an example name in which a value contains a carriage return character (0DH).
• sn=Lu\C4\8Di\C4\87
This last example represents an RDN surname value consisting of five letters (two of which are not ASCII characters) that is written entirely in printable ASCII characters. Table 2 explains the quoted character codes.
Table 2. The ASCII encoding of an RDN surname (example)
Unicode Letter Description       | ISO 10646 Code | UTF-8  | Quoted
Latin capital letter L           | U0000004C      | 0x4C   | L
Latin small letter u             | U00000075      | 0x75   | u
Latin small letter c with caron  | U0000010D      | 0xC48D | \C4\8D
Latin small letter i             | U00000069      | 0x69   | i
Latin small letter c with acute  | U00000107      | 0xC487 | \C4\87
For the detailed definition of DNs in string form, consult RFC 2253. More about Unicode character encoding (superset of ISO 10646) and its transformation into UTF-8 can be found at http://www.unicode.org and in RFC 2279.
2.2.2 URL Form
The LDAP URL format has the general form ldap://<host>:<port>/<path>, where <path> has the form <dn>[?<attributes>[?<scope>?<filter>]].
The <dn> is an LDAP distinguished name using the string representation (see previous section). The <attributes> indicates which attributes should be returned from the entry or entries. If omitted, all attributes are returned. The <scope> specifies the scope of the search to be performed. Scopes may be the current entry, one-level (the current entry’s children), or the whole subtree. The <filter> specifies the search filter to apply to entries within the specified scope during the search. The URL format allows Internet clients, for example, Web browsers, to have direct access to the LDAP protocol and thus to LDAP directories.
Examples of LDAP URLs are:
• ldap://austin.ibm.com/ou=Austin,o=IBM
This URL corresponds to a base object search of the <ou=Austin, o=IBM> entry using a filter of <objectClass=*> and requesting all attributes (if a filter is omitted, a filter of <objectClass=*> is assumed by definition).
• ldap://austin.ibm.com/o=IBM?postalAddress
This is an LDAP URL referring to only the postalAddress attribute of the IBM entry.
• ldap:///ou=Austin,o=IBM??sub?(cn=Joe Q. Public)
This is an LDAP URL referring to the set of entries found by querying any capable LDAP server (no hostname was given) and doing a subtree search of the IBM Austin subtree for any entry with a common name of Joe Q. Public, retrieving all attributes.
The LDAP URL format is defined in RFC 2255.
2.2.3 Additional Syntaxes
The IBM SecureWay Directory supports the syntax described above. In the future, additional syntaxes for distinguished names may be supported. Using the simple LDAP syntax example <cn=Joe Q. Public, ou=Austin, o=IBM>, the additional name syntaxes can include:
• DCE (OSF) form
RDNs are ordered from least significant to most significant and are slash (/) separated: /o=IBM/ou=Austin/cn=Joe Q. Public
• Reverse LDAP form
RDNs are ordered from least significant to most significant, but are still comma (,) separated: o=IBM, ou=Austin, cn=Joe Q. Public
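The following Python is an added example and is not code from this redbook or from the IBM SecureWay Directory product. It parses the string-form DNs of Section 2.2.1 (including the backslash and hex-pair escapes in the examples given there), parses the LDAP URLs of Section 2.2.2 with the defaults the text states (all attributes, base scope, a filter of objectClass=*), and writes a parsed DN back out in the reverse LDAP and DCE forms listed above. The function and type names (parse_dn, escape_value, rdn_to_string, to_reverse_ldap, to_dce, LdapUrl, parse_ldap_url) are this example's own; the sample DNs and URLs it is meant to be run on are the ones quoted in the text.

```python
# Added example (not the redbook's or IBM SecureWay Directory's code): RFC 2253 DN strings
# and RFC 2255 LDAP URLs parsed, and a DN re-serialised in the forms of Section 2.2.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

RDN = List[Tuple[str, str]]     # one RDN: [(type, value), ...]; >1 pair = multi-valued
ESCAPABLE = set(',=+<>#;"\\ ')  # characters a backslash may escape (RFC 2253 2.4)
MUST_ESCAPE = set(',+"\\<>;')   # characters that must be escaped when writing a value


def parse_dn(dn: str) -> List[RDN]:
    """Split a string-form DN into RDNs, most specific first. Handles '\\c' escapes and
    '\\XX' hex pairs (collected as UTF-8 bytes, so sn=Lu\\C4\\8Di\\C4\\87 gives 'Lučić').
    The RFC 2253 quoted-string form ("...") is not handled."""
    if not dn.strip():
        return []                         # empty DN names the root of the namespace
    rdns, pairs = [], []                  # all RDNs so far; the RDN being assembled
    buf, trail = bytearray(), 0           # UTF-8 bytes read so far; unescaped trailing spaces
    attr_type, in_value, i = "", False, 0

    def flush() -> str:                   # decode buf minus insignificant trailing spaces
        nonlocal trail
        text = bytes(buf[:len(buf) - trail] if trail else buf).decode("utf-8")
        buf.clear(); trail = 0
        return text

    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt, pair = dn[i + 1:i + 2], dn[i + 1:i + 3]
            if nxt and nxt in ESCAPABLE:              # e.g. '\,' inside a value
                buf += nxt.encode("utf-8"); i += 2
            elif len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(int(pair, 16)); i += 3     # e.g. '\0D' or '\C4'
            else:
                raise ValueError(f"bad escape sequence at offset {i}")
            trail = 0                                 # an escaped space is significant
            continue
        if not in_value and ch == "=":
            attr_type, in_value = flush().lower(), True   # types are case-insensitive
        elif in_value and ch in ",;+":                # ';' is RFC 2253's alias for ','
            pairs.append((attr_type, flush())); in_value = False
            if ch != "+":                             # '+' continues a multi-valued RDN
                rdns.append(pairs); pairs = []
        elif ch == " " and not buf:
            pass                                      # unescaped leading space is dropped
        else:
            buf += ch.encode("utf-8")
            trail = trail + 1 if ch == " " else 0
        i += 1
    if not in_value:
        raise ValueError("DN does not end with an attribute value")
    pairs.append((attr_type, flush()))
    rdns.append(pairs)
    return rdns


def escape_value(value: str) -> str:
    """Write one value in RFC 2253 string form (inverse of the decoding in parse_dn)."""
    out = []
    for k, ch in enumerate(value):
        if ch in MUST_ESCAPE or (k == 0 and ch in "# ") or (k == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:       # control/non-ASCII: \XX per UTF-8 byte
            out.append("".join(f"\\{b:02X}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def rdn_to_string(rdn: RDN) -> str:
    return "+".join(f"{t}={escape_value(v)}" for t, v in rdn)

def to_reverse_ldap(rdns: List[RDN]) -> str:       # reverse LDAP form (Section 2.2.3)
    return ", ".join(rdn_to_string(r) for r in reversed(rdns))

def to_dce(rdns: List[RDN]) -> str:                # DCE form (Section 2.2.3); assumes no '/' in values
    return "".join("/" + rdn_to_string(r) for r in reversed(rdns))


@dataclass
class LdapUrl:
    host: Optional[str]       # None means "any capable LDAP server" (ldap:///...)
    port: int
    dn: List[RDN]
    attributes: List[str]     # empty list means all attributes
    scope: str                # "base", "one" or "sub"
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """ldap://<host>:<port>/<dn>[?<attributes>[?<scope>?<filter>]] (RFC 2255), applying the
    defaults the text states: all attributes, base scope and a filter of (objectClass=*)."""
    if url[:7].lower() != "ldap://":
        raise ValueError("not an ldap:// URL")
    authority, _, path = url[7:].partition("/")
    host, _, port = authority.partition(":")
    fields = [unquote(f) for f in path.split("?", 3)]  # a literal '?' in a field must be %3F
    dn, attrs, scope, filt = (fields + [""] * 4)[:4]
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return LdapUrl(host or None, int(port) if port else 389, parse_dn(dn),
                   [a for a in attrs.split(",") if a], scope, filt or "(objectClass=*)")
```

Two points the code makes concrete for anyone handling these names in an application: splitting a DN on raw commas before unescaping mis-parses o=Sue\, Grabbit and Runn into two RDNs, and because hex pairs can encode any byte (the \0D carriage return in the example above), a decoded value should be passed through escape_value again before it is logged, displayed or placed back into a URL, rather than written out raw.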
Although the LDAP URL format basically allows updates (not only reads and searches) to be performed against an LDAP directory, its use for updates is discouraged until adequate security methods are mandated and/or implemented.