Overview#

LDAP URL URLs are URLs used with JNDI and other LDAP Protocol Exchanges.

RFC 2255 and describes the format of LDAP URLs. RFC 4516 document replaces RFC 2255.

LDAP URL Definition#

An LDAP URL begins with the protocol prefix "ldap" and is defined by the following grammar.
ldapurl    = scheme "://" [hostport] ["/" [dn ["?" [attributes] ["?" [scope]  ["?" [filter] ["?" extensions]]]]]]
scheme     = "ldap"
attributes = attrdesc *("," attrdesc)
scope      = "base" / "one" / "sub"
dn         = distinguishedName from Section 3 of [1]
hostport   = hostport from Section 5 of RFC 1738 [5]
attrdesc   = AttributeDescription from Section 4.1.5 of [2]
filter     = filter from Section 4 of [4]
extensions = extension *("," extension)
extension  = ["!"] extype ["=" exvalue]
extype     = token / xtoken
exvalue    = LDAPString from section 4.1.2 of [2]
token      = oid from section 4.1 of [3]
xtoken     = ("X-" / "x-") token

The format of an LDAP URL is described in RFC 4516, and may include the following elements:

  • The address of the directory server - laura.willeke.com
  • The port number of the directory server - 389
  • The BaseDN - CN=Users,DC=mad,DC=willeke,DC=com
  • AttributeSelection - company,title,department,objectClass
  • LDAP Search Scope for the search - sub
  • LDAP SearchFilter for identifying the entries to match - (&(objectCategory=person)(objectClass=user))
  • A set of extensions that provide information about the way in which the search should be processed - not used in example

All of these elements are OPTIONAL. Technically, all that is required of an LDAP URL is the string "ldap://".

Note that any URL-illegal characters (e.g., spaces), URL special characters (as defined in section 2.2 of RFC 1738) and the reserved character '?' (ASCII 63) occurring inside a DN, LDAP SearchFilter, or other element of an LDAP URL MUST be escaped using the % method described in RFC 1738. If a comma character ',' occurs inside an extension value, the character MUST also be escaped using the % method.

Common Examples#

The LDAP URL:
ldap://sh.svr.willeke.com:389/ou=people,dc=willeke,dc=com/??sub?(b1isbrolemembership=*)
Would return
  • From the LDAP server sh.svr.willeke.com on port 389
  • From the baseDN of "ou=people,dc=willeke,dc=com" and all levels be low. (Subtree)
  • All the entries that have "dictcrolemembership" populated with any value

The LDAP URL:

ldaps://sh.svr.willeke.com:636/ou=people,dc=willeke,dc=com??sub?(dictcrolemembership=Test with ISB)
Would return
  • From the LDAP server over SSL, sh.svr.willeke.com on port 636
  • From the baseDN of "ou=people,dc=willeke,dc=com" and all levels be low. (Subtree)
  • All the entries that have "dictcrolemembership" populated with the value "Test with ISB"

General LDAP URL Format:#

ldap://"[hostname[":"port]]"/"[dn["?"[attributes]["?"[scope]["?"[filter]["?"[extensions]]]]]]
LDAP URLs are defined in RFC 2255, and are an extension of general URLs, which are defined in RFC 1738. The text in the quotes indicates literal text that needs to be entered exactly. Everything else is a symbol for some element of the URL. Those elements that are within brackets are optional, but notice the nesting of the brackets. Some of the elements require that preceding ones be included as well. The portNumber defaults to 389 if omitted, which is the default port used by most LDAP servers. If the filter is omitted it defaults to objectClass=*, which means to return all entries in the scope. The possible values for the scope are base, one, and sub. The scope defaults to base if it is omitted. An omitted DN defaults to the root of the tree.

Search elements were described in solution 10062361

Example: "ldap://ldap.acme.com/ou=accounting,o=acme,c=us?telephoneNumber?sub?objectClass=inetOrgPerson" The above example will return the telephone numbers for all accounting department employees in the Acme company. Notice that this example left off the portNumber and the extension portion of the URL. That's okay because they're both optional. An LDAP client reading an LDAP URL should default to use port 389 if the portNumber isn't present. Another thing that you commonly notice in LDAP URLs is that the attribute list portion is left blank. A blank attribute list indicates that you want to see all of the attributes for the matched entries. But because the attribute list is required if you include a scope, you have to remember to put the literal ?? Between the dn and scope as a placeholder for the attribute list. The filter objectClass=inetOrgPerson means that we want to see all objects within our scope that are of class inetOrgPerson (User).

Do a general search#

ldap://10.5.2.10/??sub? (this would search everything in the directory)

Search in NDS at the COUNTRY level#

ldap://10.5.2.10/c=us??sub? (this would search everything under C=US) ldap://10.5.2.10/c=us??sub?(cn=john) (this would search for the user "john" under C=US) ldap://10.5.2.10c=us??sub?(cn=j*) (this would search for everything beginning with "j" under C=US)

NOTE: Many time NDS isn't set up with a Country, so don't always include the country in the search.

Search in NDS at the ORGANIZATION level #

ldap://10.5.2.10/o=acme??sub? (this would search for everything under O=ACME) ldap://10.5.2.10/o=acme??sub?(cn=john) (this would search for the user "john" under O=ACME) ldap://10.5.2.10/o=acme??sub?(cn=j*) (this would search for everything beginning with "j" under O=ACME)

Search in NDS with multiple ORGANIZATIONAL UNIT'S#

ldap://10.5.2.10/ou=marketing,ou=sales,o=acme??sub? (this would search for everything under OU=MARKETING.OU=SALES.O=ACME) ldap://10.5.2.10/ou=marketing,ou=sales,o=acme??sub?(cn=john) (this would search for the user "john" under OU=MARKETING.OU=SALES.O=ACME) ldap://10.5.2.10/ou=marketing,ou=sales,o=acme??sub?(cn=j*) (this would search for everything beginning with "j" under OU=MARKETING.OU=SALES.O=ACME)

Search in NDS on names with spaces in them (Sales Dept) ldap://10.5.2.10/ou=sales%20dept,o=acme??one (this would search for everyone under Acme's Sales Dept) ldap://10.5.2.10/ou=sales%20dept,o=acme??base (this would search in Acme's Sales Dept only)

Search the subtree under o=Novell for all user objects ldap://10.44.82.2/o=novell??sub?ObjectClass=inetOrgPerson

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-15) was last changed on 23-Sep-2016 11:57 by jim