| Internet-Draft | LDAP Additional syntaxes | March 2026 |
| Codère | Expires 16 September 2026 | [Page] |
This document registers additional syntax definitions for use in Lightweight Directory Access Protocol (LDAP) directory and Directory services series X.500. This includes widely used datatypes and syntaxes.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Lightweight Directory Access Protocol (LDAP) directory defines several data types which specify the syntax definitions of attributes. These are identified by ASN.1 OBJECT IDENTIFIER types. Furthermore, these syntax definitions can be used to uniquely identify data types as character representations in other applications. Some widely used syntax specifications are missing from the initial LDAP specification. This document provides additional syntax definitions that have been registered and may be used by application providers.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Some of the syntax definitions are defined according to the regular expressions defined in [RFC9485].¶
The following additional syntaxes and their associated descriptions and OBJECT IDENTIFIER types are defined.¶
The following additional syntaxes are defined and are based on [ASN.1].¶
The Date type represents a date in the Gregorian calendar. It is defined as a useful TIME type in [ASN.1] and conforms to the extended format syntax of a calendar date as defined in [ISO.8601.2004].¶
A Date value SHALL be written using the following syntax: YYYY-MM-DD where YYYY represents a year between 1582 and 9999, MM the month value from 01 to 12 and DD a day in the month from 01 to 31.¶
Examples:¶
The LDAP definition for the Date syntax is:¶
This syntax corresponds to the DATE ASN.1 type from [ASN.1].¶
The Date-time type represents a date and local time using a 24 hour clock. It is defined as a useful TIME type in [ASN.1] and conforms to the extended format syntax of a date and time without any timezone specifier as defined in [ISO.8601.2004].¶
A Date-Time value SHALL be written using the following syntax: YYYY-MM-DDThh:mm:ss where YYYY represents a year between 1582 and 9999, MM the month value from 01 to 12, DD a day in the month from 01 to 31, hh the hour from 00 to 24, mm the minute from 00 to 59, and ss the seconds with allowed values of 00 to 60 where 60 represents a leap second.¶
Examples:¶
The LDAP definition for the Date-Time syntax is:¶
This syntax corresponds to the DATE-TIME ASN.1 type from [ASN.1].¶
The Duration type represents an elapsed time with a resolution of up to a fractions of seconds. It is defined as a useful TIME type in [ASN.1] and conforms to a subset of the extended format syntax of a time interval by duration as defined in [ISO.8601.2004].¶
A duration syntax value SHALL conform to the following regular expression, and additionally at least one component designator and its associated valueSHALL be present (i.e., the strings "P" and "PT" are not valid Duration values):¶
P([0-9]+Y)?([0-9]+M)?([0-9]+D)?(T([0-9]+H)?([0-9]+M)?([0-9]+(\.[0-9]{1,3})?S)?)?¶
If the number of years, months, days, hours, minutes, or seconds in any expression equals zero, the number and its corresponding designator MAY be omitted. However, at least one number and its designator SHALL be present.¶
Examples:¶
The LDAP definition for the Duration syntax is:¶
This syntax corresponds to a very strict subset of the DURATION ASN.1 type from [ASN.1], in that the order of parameters need to be respected and fractional values SHALL only apply to the seconds designation and when present, are limited up to 3 digits (millisecond precision).¶
The Real type represents the computational approximations to the mathematical "real number". The format for the Real is as defined in Section 21 of [ASN.1].¶
A Real syntax value SHALL conform to the following regular expression:¶
([-]?[0-9]+(\.[0-9]+)?([E][-]?[0-9]+)?)|PLUS-INFINITY|MINUS-INFINITY|NOT-A-NUMBER¶
Examples:¶
The LDAP definition for the Real syntax is:¶
This syntax corresponds to a subset of the REAL ASN.1 type from [ASN.1] where the sequence syntax is not allowed, the values are limited to base ten, where a digit before the decimal point is required, where only the character 'E' is allowed to specify the exponent, where the preceding optional "+" sign is prohibited in both the mantissa and the exponent, and where leading zeros in the integer part SHALL NOT be present unless the integer part is "0".¶
The Time Of Day type represents a local time using a 24 hour clock. It is defined as a useful TIME type in [ASN.1] and conforms to the extended format syntax of a local time as defined in [ISO.8601.2004].¶
A Time Of Day value SHALL be written using the following syntax: hh:mm:ss where hh represents the hour from 00 to 24, mm represents the minute from 00 to 59, and ss represents the seconds with allowed values of 00 to 60 where 60 represents a leap second.¶
Examples for Time Of Day:¶
The LDAP definition for the Time Of Day syntax is:¶
This syntax corresponds to the TIME-OF-DAY ASN.1 type from [ASN.1].¶
The Visible String type represents a character repertoire that contains the printable ASCII character set (in the Unicode range U+0020 to U+007E). It is defined in [ASN.1].¶
This syntax value SHALL conform to the following regular expression:¶
[0-9A-Za-z !"#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~]*¶
Examples:¶
The LDAP definition for the Visible String syntax is:¶
This syntax corresponds to the VisibleString ASN.1 type from [ASN.1].¶
The following additional syntaxes are defined as constraints of basic ASN.1 types that may be used to be more precise in encoding and input validation.¶
The Float32 type represents a real number which fits in the range of a [IEEE_754_2019] single precision floating point value.¶
The Float32 syntax follows the base 10 syntax of the real type (See Section 2.1.4) with a constrained range. For equality matching purposes, negative zero SHALL be considered equal to positive zero and NOT-A-NUMBER SHALL NOT be considered equal to any value, including itself.¶
Examples:¶
The LDAP definition for the Float32 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
Float32 ::= REAL (WITH COMPONENTS {
mantissa (-16777215..16777215),
base (2),
exponent (-149..104) })
¶
The Float64 type represents a real number which fits in the range of a [IEEE_754_2019] double precision floating point value.¶
The Float64 syntax follows the base 10 syntax of the real type (See Section 2.1.4) with a constrained range. For equality matching purposes, negative zero SHALL be considered equal to positive zero and NOT-A-NUMBER SHALL NOT be considered equal to any value, including itself.¶
Examples:¶
The LDAP definition for the Float64 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
Float64 ::= REAL (WITH COMPONENTS {
mantissa (-9007199254740991..9007199254740991),
base (2),
exponent (-1074..971) })
¶
The UInt8 type represents an unsigned integer value within the range 0 to 255 inclusive.¶
Examples:¶
The LDAP definition for the UInt8 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
UInt8 ::= INTEGER(0..255)¶
The UInt16 type represents an unsigned integer value within the range 0 to 65535 inclusive.¶
Examples:¶
The LDAP definition for the UInt16 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
UInt16 ::= INTEGER(0..65535)¶
The UInt32 type represents an unsigned integer value within the range 0 to 4294967295 inclusive.¶
Examples:¶
The LDAP definition for the UInt32 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
UInt32 ::= INTEGER(0..4294967295)¶
The UInt64 type represents an unsigned integer value within the range 0 to 18446744073709551615 inclusive.¶
Examples:¶
The LDAP definition for the UInt64 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
UInt64 ::= INTEGER(0..18446744073709551615)¶
The Int8 type represents a signed integer value within the range -128 to 127 inclusive.¶
Examples:¶
The LDAP definition for the Int8 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
Int8 ::= INTEGER(-128..127)¶
The Int16 type represents a signed integer value within the range -32768 to 32767 inclusive.¶
Examples:¶
The LDAP definition for the Int16 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
Int16 ::= INTEGER(-32768 .. 32767)¶
The Int32 type represents a signed integer value within the range -2147483648 to 2147483647 inclusive.¶
Examples:¶
The LDAP definition for the Int32 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
Int32 ::= INTEGER(-2147483648..2147483647)¶
The Int64 type represents a signed integer value within the range -9223372036854775808 to 9223372036854775807 inclusive.¶
Examples:¶
The LDAP definition for the Int64 type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
Int64 ::= INTEGER(-9223372036854775808..9223372036854775807)¶
The Percentage type represents a percentage value, that is an unsigned integer in the range 0 to 100 inclusive.¶
Examples:¶
The LDAP definition for the Percentage type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
Percentage ::= INTEGER(0..100)¶
The following additional syntaxes are defined and are based on IETF RFC's, or other international standards.¶
A language provides a representation of a spoken or written language as well as an optional region and other specifiers. The exact syntax allowed is defined in Section 2 of [RFC5646].¶
A Language syntax value SHALL conform to the following regular expression:¶
([a-zA-Z]{2,8}|x-[a-zA-Z0-9]{1,8})(-[a-zA-Z0-9]{1,8})*¶
The regular expression provides a structural check only. Conformance to the full syntax defined in [RFC5646] is additionally required.¶
Examples:¶
The LDAP definition for the Language syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1]:¶
Language ::= PrintableString (PATTERN "([a-zA-Z]#(2,8)|x-[a-zA-Z0-9]#(1,8))(-[a-zA-Z0-9]#(1,8))*") -- ISO 639 code minimally¶
The Media Type syntax identifies values that represent an IANA registered Media type [IANAREG]. The format for the MIME Media type is defined in Section 4.2 of [RFC6838].¶
This syntax value SHALL conform to the following regular expression:¶
[A-Za-z0-9]([A-Za-z0-9!#$&^_.+-]){0,126}/[A-Za-z0-9]([A-Za-z0-9!#$&^_.+-]){0,126}¶
Examples:¶
The LDAP definition for the MIME Media type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ITU.X520.2019]:¶
MediaType ::= VisibleString (SIZE(3..255))¶
An OpenDate represents either part of a Date or a Date and Time in extended format as specified in ISO 8601. The exact syntax allowed is defined by W3C Date and Time formats [W3C.NOTE-datetime-19980827] with a 3 digit fraction. The time component, when present, always contains timezone information.¶
Examples:¶
The LDAP definition for the OpenDate syntax is:¶
This syntax corresponds to a subset of the TIME ASN.1 type from [ASN.1] with the specified configuration:¶
OpenDate ::= TIME((SETTINGS "Basic=Date Date=Y Year=Basic")| (SETTINGS "Basic=Date Date=YM Year=Basic")| (SETTINGS "Basic=Date Date=YMD Year=Basic")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HM Local-or-UTC=LD")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HMS Local-or-UTC=LD")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HMSF3 Local-or-UTC=LD")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HM Local-or-UTC=Z")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HMS Local-or-UTC=Z")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HMSF3 Local-or-UTC=Z"))¶
The URI syntax type identifies values that are referenced by a Uniform Resource Identifier (URI). The format and encoding for the URI is as defined in [RFC3986]. Even if relative URIs are allowed, it is RECOMMENDED they not be used unless the context of use is known.¶
Examples:¶
The LDAP definition for the URI syntax is:¶
This syntax corresponds to the following ASN.1 type from [ITU.X520.2019]:¶
URI ::= VisibleString (SIZE (1..ub-uri-length)) -- ub-uri-length MUST be at least 2000¶
The value of ub-uri-length (an integer) is implementation defined but MUST be at least 2000 characters.¶
The NCName syntax type should be used to identify values that represent identifiers and
local attribute names. A name is a subset of the NCName definition in [W3C.xml-names11].¶
This syntax value SHALL conform to the following regular expression:¶
[\p{L}\p{Nl}_][\p{L}\p{Nl}\p{Nd}._-]*¶
Examples:¶
The LDAP definition for the NCName type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ITU.X520.2019]:¶
-- NOTE: This type does not capture the -- structural constraints on permitted characters and start characters. -- The regular expression is the normative definition of valid values NCName ::= UnboundedDirectoryString¶
The Qualified Name syntax type identifies values that represent identifiers and
attribute names using namespaces. This is a subset of the QName definition in [W3C.xml-names11].¶
This syntax value SHALL conform to the following regular expression:¶
[\p{L}\p{Nl}_][\p{L}\p{Nl}\p{Nd}._-]*(:[\p{L}\p{Nl}_][\p{L}\p{Nl}\p{Nd}._-]*)?¶
Examples:¶
The LDAP definition for the QualifiedName type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ITU.X520.2019]:¶
-- NOTE: This type does not capture the -- structural constraints on permitted characters and start characters. -- The regular expression is the normative definition of valid values QualifiedName ::= UnboundedDirectoryString¶
The Text type represents a Unicode string with a restricted character repertoire. A Text string value MUST NOT contain any code point that has any of the following properties, as defined in the Unicode Character Database [Unicode]:¶
See Section 5 for security considerations regarding the handling, display, and comparison of values containing format characters or bidirectional controls.¶
Examples:¶
The LDAP definition for the Text type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ITU.X520.2019]:¶
Text ::= CHOICE {
printableString PrintableString,
bmpString BMPString
(FROM(
{0, 0, 0, 9} .. {0, 0, 0, 10} | -- U+0009..U+000A
{0, 0, 0, 13} .. {0, 0, 0, 13} | -- U+000D
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 160} .. {0, 0, 215, 255} | -- U+00A0..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} -- U+FDF0..U+FFFD
)),
universalString UniversalString
(FROM(
{0, 0, 0, 9} .. {0, 0, 0, 10} | -- U+0009..U+000A
{0, 0, 0, 13} .. {0, 0, 0, 13} | -- U+000D
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 160} .. {0, 0, 215, 255} | -- U+00A0..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} | -- U+FDF0..U+FFFD
{0, 1, 0, 0} .. {0, 1, 255, 253} | -- U+10000..U+1FFFD
{0, 2, 0, 0} .. {0, 2, 255, 253} | -- U+20000..U+2FFFD
{0, 3, 0, 0} .. {0, 3, 255, 253} | -- U+30000..U+3FFFD
{0, 4, 0, 0} .. {0, 4, 255, 253} | -- U+40000..U+4FFFD
{0, 5, 0, 0} .. {0, 5, 255, 253} | -- U+50000..U+5FFFD
{0, 6, 0, 0} .. {0, 6, 255, 253} | -- U+60000..U+6FFFD
{0, 7, 0, 0} .. {0, 7, 255, 253} | -- U+70000..U+7FFFD
{0, 8, 0, 0} .. {0, 8, 255, 253} | -- U+80000..U+8FFFD
{0, 9, 0, 0} .. {0, 9, 255, 253} | -- U+90000..U+9FFFD
{0, 10, 0, 0} .. {0, 10, 255, 253} | -- U+A0000..U+AFFFD
{0, 11, 0, 0} .. {0, 11, 255, 253} | -- U+B0000..U+BFFFD
{0, 12, 0, 0} .. {0, 12, 255, 253} | -- U+C0000..U+CFFFD
{0, 13, 0, 0} .. {0, 13, 255, 253} | -- U+D0000..U+DFFFD
{0, 14, 0, 0} .. {0, 14, 255, 253} -- U+E0000..U+EFFFD
)),
utf8String UTF8String
(FROM(
{0, 0, 0, 9} .. {0, 0, 0, 10} | -- U+0009..U+000A
{0, 0, 0, 13} .. {0, 0, 0, 13} | -- U+000D
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 160} .. {0, 0, 215, 255} | -- U+00A0..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} | -- U+FDF0..U+FFFD
{0, 1, 0, 0} .. {0, 1, 255, 253} | -- U+10000..U+1FFFD
{0, 2, 0, 0} .. {0, 2, 255, 253} | -- U+20000..U+2FFFD
{0, 3, 0, 0} .. {0, 3, 255, 253} | -- U+30000..U+3FFFD
{0, 4, 0, 0} .. {0, 4, 255, 253} | -- U+40000..U+4FFFD
{0, 5, 0, 0} .. {0, 5, 255, 253} | -- U+50000..U+5FFFD
{0, 6, 0, 0} .. {0, 6, 255, 253} | -- U+60000..U+6FFFD
{0, 7, 0, 0} .. {0, 7, 255, 253} | -- U+70000..U+7FFFD
{0, 8, 0, 0} .. {0, 8, 255, 253} | -- U+80000..U+8FFFD
{0, 9, 0, 0} .. {0, 9, 255, 253} | -- U+90000..U+9FFFD
{0, 10, 0, 0} .. {0, 10, 255, 253} | -- U+A0000..U+AFFFD
{0, 11, 0, 0} .. {0, 11, 255, 253} | -- U+B0000..U+BFFFD
{0, 12, 0, 0} .. {0, 12, 255, 253} | -- U+C0000..U+CFFFD
{0, 13, 0, 0} .. {0, 13, 255, 253} | -- U+D0000..U+DFFFD
{0, 14, 0, 0} .. {0, 14, 255, 253} -- U+E0000..U+EFFFD
))
}
¶
The Normalized String type represents a whitespace-normalized Unicode string. A Normalized String value SHALL conform to all the restrictions of the Text type (Section 2.3.7), with the following additional constraints:¶
Prior to validation, the following code points SHALL be mapped to U+0020 (SPACE):¶
The canonical form of a Normalized String contains only U+0020 SPACE as a whitespace character. All other Unicode scalar values permitted by the Text type are permitted.¶
See Section 5 for security considerations regarding the handling, display, and comparison of values containing format characters or bidirectional controls.¶
Examples:¶
The LDAP definition for the Normalized String syntax is:¶
This syntax corresponds to the following ASN.1 type definition:¶
NormalizedString ::= CHOICE {
printableString PrintableString,
bmpString BMPString
(FROM(
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 161} .. {0, 0, 22, 127} | -- U+00A1..U+167F
{0, 0, 22, 129} .. {0, 0, 31, 255} | -- U+1681..U+1FFF
{0, 0, 32, 11} .. {0, 0, 32, 39} | -- U+200B..U+2027
{0, 0, 32, 42} .. {0, 0, 32, 46} | -- U+202A..U+202E
{0, 0, 32, 48} .. {0, 0, 32, 94} | -- U+2030..U+205E
{0, 0, 32, 96} .. {0, 0, 47, 255} | -- U+2060..U+2FFF
{0, 0, 48, 1} .. {0, 0, 215, 255} | -- U+3001..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} -- U+FDF0..U+FFFD
)),
universalString UniversalString
(FROM(
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 161} .. {0, 0, 22, 127} | -- U+00A1..U+167F
{0, 0, 22, 129} .. {0, 0, 31, 255} | -- U+1681..U+1FFF
{0, 0, 32, 11} .. {0, 0, 32, 39} | -- U+200B..U+2027
{0, 0, 32, 42} .. {0, 0, 32, 46} | -- U+202A..U+202E
{0, 0, 32, 48} .. {0, 0, 32, 94} | -- U+2030..U+205E
{0, 0, 32, 96} .. {0, 0, 47, 255} | -- U+2060..U+2FFF
{0, 0, 48, 1} .. {0, 0, 215, 255} | -- U+3001..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} | -- U+FDF0..U+FFFD
{0, 1, 0, 0} .. {0, 1, 255, 253} | -- U+10000..U+1FFFD
{0, 2, 0, 0} .. {0, 2, 255, 253} | -- U+20000..U+2FFFD
{0, 3, 0, 0} .. {0, 3, 255, 253} | -- U+30000..U+3FFFD
{0, 4, 0, 0} .. {0, 4, 255, 253} | -- U+40000..U+4FFFD
{0, 5, 0, 0} .. {0, 5, 255, 253} | -- U+50000..U+5FFFD
{0, 6, 0, 0} .. {0, 6, 255, 253} | -- U+60000..U+6FFFD
{0, 7, 0, 0} .. {0, 7, 255, 253} | -- U+70000..U+7FFFD
{0, 8, 0, 0} .. {0, 8, 255, 253} | -- U+80000..U+8FFFD
{0, 9, 0, 0} .. {0, 9, 255, 253} | -- U+90000..U+9FFFD
{0, 10, 0, 0} .. {0, 10, 255, 253} | -- U+A0000..U+AFFFD
{0, 11, 0, 0} .. {0, 11, 255, 253} | -- U+B0000..U+BFFFD
{0, 12, 0, 0} .. {0, 12, 255, 253} | -- U+C0000..U+CFFFD
{0, 13, 0, 0} .. {0, 13, 255, 253} | -- U+D0000..U+DFFFD
{0, 14, 0, 0} .. {0, 14, 255, 253} -- U+E0000..U+EFFFD
)),
utf8String UTF8String
(FROM(
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 161} .. {0, 0, 22, 127} | -- U+00A1..U+167F
{0, 0, 22, 129} .. {0, 0, 31, 255} | -- U+1681..U+1FFF
{0, 0, 32, 11} .. {0, 0, 32, 39} | -- U+200B..U+2027
{0, 0, 32, 42} .. {0, 0, 32, 46} | -- U+202A..U+202E
{0, 0, 32, 48} .. {0, 0, 32, 94} | -- U+2030..U+205E
{0, 0, 32, 96} .. {0, 0, 47, 255} | -- U+2060..U+2FFF
{0, 0, 48, 1} .. {0, 0, 215, 255} | -- U+3001..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} | -- U+FDF0..U+FFFD
{0, 1, 0, 0} .. {0, 1, 255, 253} | -- U+10000..U+1FFFD
{0, 2, 0, 0} .. {0, 2, 255, 253} | -- U+20000..U+2FFFD
{0, 3, 0, 0} .. {0, 3, 255, 253} | -- U+30000..U+3FFFD
{0, 4, 0, 0} .. {0, 4, 255, 253} | -- U+40000..U+4FFFD
{0, 5, 0, 0} .. {0, 5, 255, 253} | -- U+50000..U+5FFFD
{0, 6, 0, 0} .. {0, 6, 255, 253} | -- U+60000..U+6FFFD
{0, 7, 0, 0} .. {0, 7, 255, 253} | -- U+70000..U+7FFFD
{0, 8, 0, 0} .. {0, 8, 255, 253} | -- U+80000..U+8FFFD
{0, 9, 0, 0} .. {0, 9, 255, 253} | -- U+90000..U+9FFFD
{0, 10, 0, 0} .. {0, 10, 255, 253} | -- U+A0000..U+AFFFD
{0, 11, 0, 0} .. {0, 11, 255, 253} | -- U+B0000..U+BFFFD
{0, 12, 0, 0} .. {0, 12, 255, 253} | -- U+C0000..U+CFFFD
{0, 13, 0, 0} .. {0, 13, 255, 253} | -- U+D0000..U+DFFFD
{0, 14, 0, 0} .. {0, 14, 255, 253} -- U+E0000..U+EFFFD
))
}
¶
The Token type represents a whitespace-normalized Unicode string. A Token value SHALL conform to all the restrictions of the Normalized String type (Section 2.3.8), with the following additional constraints:¶
This is similar to the Token datatype in [W3C.xmlschema11-2].¶
The resulting canonical form is either the empty string, or a string that does not begin or end with U+0020 SPACE and contains no consecutive U+0020 SPACE characters.¶
See Section 5 for security considerations regarding the handling, display, and comparison of values containing format characters or bidirectional controls.¶
Examples:¶
The LDAP definition for the Token type syntax is:¶
This syntax corresponds to the following ASN.1 type from [ASN.1] :¶
Token ::= CHOICE {
printableString PrintableString
(PATTERN "([^ ]+( [^ ]+)*)?"),
bmpString BMPString
(FROM(
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 161} .. {0, 0, 22, 127} | -- U+00A1..U+167F
{0, 0, 22, 129} .. {0, 0, 31, 255} | -- U+1681..U+1FFF
{0, 0, 32, 11} .. {0, 0, 32, 39} | -- U+200B..U+2027
{0, 0, 32, 42} .. {0, 0, 32, 46} | -- U+202A..U+202E
{0, 0, 32, 48} .. {0, 0, 32, 94} | -- U+2030..U+205E
{0, 0, 32, 96} .. {0, 0, 47, 255} | -- U+2060..U+2FFF
{0, 0, 48, 1} .. {0, 0, 215, 255} | -- U+3001..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} -- U+FDF0..U+FFFD
))
(PATTERN "([^ ]+( [^ ]+)*)?"),
universalString UniversalString
(FROM(
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 161} .. {0, 0, 22, 127} | -- U+00A1..U+167F
{0, 0, 22, 129} .. {0, 0, 31, 255} | -- U+1681..U+1FFF
{0, 0, 32, 11} .. {0, 0, 32, 39} | -- U+200B..U+2027
{0, 0, 32, 42} .. {0, 0, 32, 46} | -- U+202A..U+202E
{0, 0, 32, 48} .. {0, 0, 32, 94} | -- U+2030..U+205E
{0, 0, 32, 96} .. {0, 0, 47, 255} | -- U+2060..U+2FFF
{0, 0, 48, 1} .. {0, 0, 215, 255} | -- U+3001..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} | -- U+FDF0..U+FFFD
{0, 1, 0, 0} .. {0, 1, 255, 253} | -- U+10000..U+1FFFD
{0, 2, 0, 0} .. {0, 2, 255, 253} | -- U+20000..U+2FFFD
{0, 3, 0, 0} .. {0, 3, 255, 253} | -- U+30000..U+3FFFD
{0, 4, 0, 0} .. {0, 4, 255, 253} | -- U+40000..U+4FFFD
{0, 5, 0, 0} .. {0, 5, 255, 253} | -- U+50000..U+5FFFD
{0, 6, 0, 0} .. {0, 6, 255, 253} | -- U+60000..U+6FFFD
{0, 7, 0, 0} .. {0, 7, 255, 253} | -- U+70000..U+7FFFD
{0, 8, 0, 0} .. {0, 8, 255, 253} | -- U+80000..U+8FFFD
{0, 9, 0, 0} .. {0, 9, 255, 253} | -- U+90000..U+9FFFD
{0, 10, 0, 0} .. {0, 10, 255, 253} | -- U+A0000..U+AFFFD
{0, 11, 0, 0} .. {0, 11, 255, 253} | -- U+B0000..U+BFFFD
{0, 12, 0, 0} .. {0, 12, 255, 253} | -- U+C0000..U+CFFFD
{0, 13, 0, 0} .. {0, 13, 255, 253} | -- U+D0000..U+DFFFD
{0, 14, 0, 0} .. {0, 14, 255, 253} -- U+E0000..U+EFFFD
))
(PATTERN "([^ ]+( [^ ]+)*)?"),
utf8String UTF8String
(FROM(
{0, 0, 0, 32} .. {0, 0, 0, 126} | -- U+0020..U+007E
{0, 0, 0, 161} .. {0, 0, 22, 127} | -- U+00A1..U+167F
{0, 0, 22, 129} .. {0, 0, 31, 255} | -- U+1681..U+1FFF
{0, 0, 32, 11} .. {0, 0, 32, 39} | -- U+200B..U+2027
{0, 0, 32, 42} .. {0, 0, 32, 46} | -- U+202A..U+202E
{0, 0, 32, 48} .. {0, 0, 32, 94} | -- U+2030..U+205E
{0, 0, 32, 96} .. {0, 0, 47, 255} | -- U+2060..U+2FFF
{0, 0, 48, 1} .. {0, 0, 215, 255} | -- U+3001..U+D7FF
{0, 0, 249, 0} .. {0, 0, 253, 207} | -- U+F900..U+FDCF
{0, 0, 253, 240} .. {0, 0, 255, 253} | -- U+FDF0..U+FFFD
{0, 1, 0, 0} .. {0, 1, 255, 253} | -- U+10000..U+1FFFD
{0, 2, 0, 0} .. {0, 2, 255, 253} | -- U+20000..U+2FFFD
{0, 3, 0, 0} .. {0, 3, 255, 253} | -- U+30000..U+3FFFD
{0, 4, 0, 0} .. {0, 4, 255, 253} | -- U+40000..U+4FFFD
{0, 5, 0, 0} .. {0, 5, 255, 253} | -- U+50000..U+5FFFD
{0, 6, 0, 0} .. {0, 6, 255, 253} | -- U+60000..U+6FFFD
{0, 7, 0, 0} .. {0, 7, 255, 253} | -- U+70000..U+7FFFD
{0, 8, 0, 0} .. {0, 8, 255, 253} | -- U+80000..U+8FFFD
{0, 9, 0, 0} .. {0, 9, 255, 253} | -- U+90000..U+9FFFD
{0, 10, 0, 0} .. {0, 10, 255, 253} | -- U+A0000..U+AFFFD
{0, 11, 0, 0} .. {0, 11, 255, 253} | -- U+B0000..U+BFFFD
{0, 12, 0, 0} .. {0, 12, 255, 253} | -- U+C0000..U+CFFFD
{0, 13, 0, 0} .. {0, 13, 255, 253} | -- U+D0000..U+DFFFD
{0, 14, 0, 0} .. {0, 14, 255, 253} -- U+E0000..U+EFFFD
))
(PATTERN "([^ ]+( [^ ]+)*)?")
}
¶
The Time Of Day with Timezone syntax type represents a time with explicit timezone information using a 24 hour clock. It is defined as a TIME type in [ASN.1] and conforms to the extended format syntax of a time either represented as a local time followed by a UTC offset or as a UTC time indicated by the 'Z' designator, as defined in [ISO.8601.2004].¶
A Time Of Day with Timezone value SHALL be written using the following syntax: hh:mm:ss where hh represents the hour from 00 to 24, mm represents the minute from 00 to 59, and ss represents the seconds with allowed values of 00 to 60 where 60 represents a leap second followed by a timezone indicator.¶
The timezone indicator is in the form +hh:mm where hh represents the number of hours and mm the number of minutes if the local time is ahead of or equal to UTC time. The timezone indicator is -hh:mm if the local time is behind UTC time. If the time represents an UTC time, the time shall be followed without space, by the timezone UTC designator [Z]. This standard supports time differences in the range –15 hours to +15 hours to align with [ASN.1].¶
Examples:¶
The LDAP definition for the Time Of Day with Timezone syntax is:¶
This syntax corresponds to a subset of the TIME ASN.1 type from [ASN.1] with the specified configuration:¶
Time-with-timezone ::=
TIME((SETTINGS "Basic=Time Time=HMS Local-or-UTC=LD")|
(SETTINGS "Basic=Time Time=HMS Local-or-UTC=Z"))
¶
This section defines matching rules for syntaxes that require comparison semantics beyond simple
string matching. Syntaxes not listed here use existing matching rules from
[RFC4517]: integer types (Int8, Int16, Int32,
Int64, UInt8, UInt16, UInt32, UInt64, Percentage) use
integerMatch and integerOrderingMatch; string types (Text,
Normalized String, Token, Visible String, NCName, Qualified Name)
use caseExactMatch; Language and Media Type use caseIgnoreMatch;
and Date and Date-Time use caseExactMatch and
caseExactOrderingMatch.¶
The uriMatch rule compares for equality a presented value with an attribute value of type URI (Section 2.3.4).¶
The comparison is done using syntax-based normalization as defined in Section 6.2.2 of [RFC3986].¶
The LDAP definition for the uriMatch rule is:¶
The rule returns TRUE if the attribute value represents the same URI as the presented value.¶
The openDateMatch rule compares for equality a presented value with an attribute value of type OpenDate (Section 2.3.3).¶
For comparison purposes, OpenDate values SHALL first be normalized to a full date-time in UTC timezone using the following rules:¶
This normalization procedure is inspired by, but not identical to, the implicit timezone and value comparison rules defined in Section 9.4 of [W3C.xpath-functions-31]. After normalization, values are compared chronologically.¶
The LDAP definition for the openDateMatch rule is:¶
The rule returns TRUE if the attribute value represents the same OpenDate as the presented value.¶
The openDateOrderingMatch rule compares the ordering a presented value with an attribute value of type OpenDate (Section 2.3.3).¶
Values are first normalized using the algorithm in Section 3.2. The normalized values are then compared chronologically.¶
The LDAP definition for the openDateOrderingMatch rule is:¶
The rule returns TRUE if the attribute value represents an OpenDate which is earlier than the presented OpenDate.¶
The timeMatch rule compares for equality a presented value with an attribute value of type Time Of Day (Section 2.1.5).¶
Values are compared component by component (hours, minutes, seconds) in order of significance. A time value of 24:00:00 is considered end of day, and is therefore not equal to 00:00:00.¶
The LDAP definition for the timeMatch rule is:¶
The rule returns TRUE if the attribute value represents the same Time Of Day as the presented value.¶
The timeOrderingMatch rule compares the ordering of a presented value with an attribute value of type Time Of Day (Section 2.1.5).¶
Values are compared component by component (hours, minutes, seconds) in order of significance. A time value of 24:00:00 is considered end of day, and is therefore greater than 00:00:00.¶
The LDAP definition for the timeOrderingMatch rule is:¶
The rule returns TRUE if the attribute value represents a Time Of Day which is earlier than the presented Time Of Day.¶
The timeWithTZMatch rule compares for equality a presented value with an attribute value of type Time Of Day with Timezone (Section 2.3.10).¶
Before comparison, both values are normalized to UTC. During normalization, a time value of 24:00:00 is replaced with 00:00:00. After normalization, values are equal if and only if their hours, minutes and seconds components are identical.¶
The LDAP definition for the timeWithTZMatch rule is:¶
The rule returns TRUE if the attribute value represents the same Time Of Day with Timezone as the presented value.¶
The timeWithTZOrderingMatch rule compares the ordering of a presented value with an attribute value of type Time Of Day with Timezone (Section 2.3.10).¶
Before comparison, both values are normalized to UTC. During normalization, a time value of 24:00:00 is replaced with 00:00:00. After normalization, values are compared component by component (hours, minutes, seconds) in order of significance.¶
The LDAP definition for the timeWithTZOrderingMatch rule is:¶
The rule returns TRUE if the attribute value represents a Time Of Day with Timezone which is earlier than the presented Time Of Day with Timezone.¶
The realMatch rule compares for equality a presented value with an attribute value of type Real (Section 2.1.4).¶
This matching rule also applies to the Float32 and Float64 syntaxes, which are constrained subsets of the Real syntax.¶
Values are compared by their mathematical value. NOT-A-NUMBER is not equal to any value, including itself. Negative zero is equal to positive zero. MINUS-INFINITY is equal only to itself, and PLUS-INFINITY is equal only to itself.¶
The LDAP definition for the realMatch rule is:¶
The rule returns TRUE if the attribute value represents the same Real value as the presented value.¶
The realOrderingMatch rule compares the ordering of a presented value with an attribute value of type Real (Section 2.1.4).¶
This matching rule also applies to the Float32 and Float64 syntaxes, which are constrained subsets of the Real syntax.¶
MINUS-INFINITY is less than all finite values and PLUS-INFINITY is greater than all finite values. Negative zero is equal to positive zero for ordering purposes. NOT-A-NUMBER is greater than all other values, including PLUS-INFINITY. All NOT-A-NUMBER values are considered equal for ordering purposes.¶
Note: IEEE-754 [IEEE_754_2019] arithmetic comparison leaves NOT-A-NUMBER unordered with respect to all values. This rule instead assigns NOT-A-NUMBER a conventional position to ensure a total ordering, which is required for consistent indexing, sorting, and evaluation of inequality filters by directory implementations.¶
The LDAP definition for the realOrderingMatch rule is:¶
The rule returns TRUE if the attribute value is less than the presented value.¶
The durationMatch rule compares for equality a presented value with an attribute value of type Duration (Section 2.1.3).¶
Two duration values are equal if and only if they represent the same total number of months and the same total number of milliseconds, where:¶
Note that month components and day-time components are compared independently and are never converted into each other. Consequently, a duration such as P1M (one month) is never equal to P30D (thirty days), even though they may represent the same elapsed time for certain dates. This behavior is intentional and consistent with the abstract definition of duration.¶
Implementations SHOULD use integer arithmetic for these computations to avoid floating-point precision issues.¶
The LDAP definition for the durationMatch rule is:¶
The rule returns TRUE if the attribute value represents the same duration as the presented value.¶
IANA is requested to assign the LDAP values [RFC4520] specified in this document to https://www.iana.org/assignments/ldap-parameters/ldap-parameters.xhtml.¶
| Object Identifier | Syntax |
|---|---|
| 1.3.6.1.4.1.61799.5.40.31 | Date |
| 1.3.6.1.4.1.61799.5.40.33 | Date-Time |
| 1.3.6.1.4.1.61799.5.40.34 | Duration |
| 1.3.6.1.4.1.61799.5.40.9.4 | Float32 |
| 1.3.6.1.4.1.61799.5.40.9.8 | Float64 |
| 1.3.6.1.4.1.61799.5.40.2.1 | Int8 |
| 1.3.6.1.4.1.61799.5.40.2.2 | Int16 |
| 1.3.6.1.4.1.61799.5.40.2.4 | Int32 |
| 1.3.6.1.4.1.61799.5.40.2.8 | Int64 |
| 1.3.6.1.4.1.61799.5.40.19.1 | Language |
| 1.3.6.1.4.1.61799.5.40.12.6 | NCName |
| 1.3.6.1.4.1.61799.5.40.12.4 | Normalized String |
| 1.3.6.1.4.1.61799.5.40.26.5 | Media Type |
| 1.3.6.1.4.1.61799.5.40.14.1 | OpenDate |
| 1.3.6.1.4.1.61799.5.40.2.20 | Percentage |
| 1.3.6.1.4.1.61799.5.40.12.7 | QualifiedName |
| 1.3.6.1.4.1.61799.5.40.9 | Real |
| 1.3.6.1.4.1.61799.5.40.12.3 | Text |
| 1.3.6.1.4.1.61799.5.40.12.5 | Token |
| 1.3.6.1.4.1.61799.5.40.32 | Time Of Day |
| 1.3.6.1.4.1.61799.5.40.35 | Time Of Day with Timezone |
| 1.3.6.1.4.1.61799.5.40.2.21 | UInt8 |
| 1.3.6.1.4.1.61799.5.40.2.22 | UInt16 |
| 1.3.6.1.4.1.61799.5.40.2.24 | UInt32 |
| 1.3.6.1.4.1.61799.5.40.2.28 | UInt64 |
| 1.3.6.1.4.1.61799.5.40.26.4 | URI |
| 1.3.6.1.4.1.61799.5.40.26 | Visible String |
| Name | OID |
|---|---|
| durationMatch | 1.3.6.1.4.1.61799.5.13.34 |
| openDateMatch | 1.3.6.1.4.1.61799.5.13.14.1 |
| openDateOrderingMatch | 1.3.6.1.4.1.61799.5.13.14.1.1 |
| realMatch | 1.3.6.1.4.1.61799.5.13.9 |
| realOrderingMatch | 1.3.6.1.4.1.61799.5.13.9.1 |
| timeMatch | 1.3.6.1.4.1.61799.5.13.32 |
| timeOrderingMatch | 1.3.6.1.4.1.61799.5.13.32.1 |
| timeWithTZMatch | 1.3.6.1.4.1.61799.5.13.35 |
| timeWithTZOrderingMatch | 1.3.6.1.4.1.61799.5.13.35.1 |
| uriMatch | 1.3.6.1.4.1.61799.5.13.26.4 |
When interpreting security-sensitive fields (in particular, fields used to grant or deny access), implementations MUST ensure that any matching rule comparisons are done on the underlying abstract value, regardless of the particular encoding used.¶
The Text, Normalized String, and Token syntaxes have been defined for general textual information. For this reason, and for forward compatibility with future versions of the Unicode Standard, the prohibited code points have been kept to a minimum.¶
These syntaxes permit Unicode format characters (General_Category Cf) because they are required for the correct representation of text in several scripts. However, some format characters may pose security risks when values are displayed or compared without appropriate normalization. Applications MAY impose additional restrictions on permitted code points as a matter of local policy.¶
These syntaxes SHOULD NOT be used for security-sensitive attributes such as identifiers, group names, or access control labels. The NCName (Section 2.3.5) or Qualified Name (Section 2.3.6) syntaxes SHOULD be used for such purposes instead.¶
Text, Normalized String, and Token values SHOULD be matched and compared according to specific comparison rules, such as those defined in [RFC4518] or the PRECIS OpaqueString profile ([RFC8265]).¶
This document was sponsored by Andy Newton of the IETF ART group.¶
Sean Turner acted as a shepherd for this document to help it become a proposed standard.¶
This document was reviewed and improved with the help of Howard Chu.¶