|Sun Java(TM) System Directory Server 5.2 2005Q1 Administration Reference|
LDAP URL Reference
One way to express an LDAP query is to use a URL to specify the Directory Server host machine and the DN or filter for the search. Directory Server responds to queries sent as LDAP URLs and returns an HTML page representing the results. This allows web browsers to perform searches of the directory, if anonymous searching is permitted.
You can also use LDAP URLs to specify target entries when managing Directory Server referrals or access control instructions.
This chapter contains the following sections:
Components of an LDAP URL
LDAP URLs have the following syntax:
When ldap://... is specified, standard LDAP is used to connect to the LDAP servers. When ldaps://... is specified, LDAP over SSL is used to connect to the LDAP server.
Table 6-1 LDAP URL Components
Name (or IP address in dotted format) of the LDAP server. For example:
ldap.example.com or 18.104.22.168
Port number of the LDAP server (for example, 49153).
If no port is specified, the standard LDAP port (389) or LDAPS port (636) is used.
Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search.
If no base DN is specified, the search starts at the root of the directory tree.
The attributes to be returned. To specify more than one attribute, use commas to separate the attributes (for example, "cn,mail,telephoneNumber").
If no attributes are specified in the URL, all attributes are returned.
The scope of the search, which can be one of these values:
- base retrieves information about the distinguished name (base_dn) specified in the URL only.
- one retrieves information about entries one level below the distinguished name (base_dn) specified in the URL. The base entry is not included in this scope.
- sub retrieves information about entries at all levels below the distinguished name (base_dn) specified in the URL. The base entry is included in this scope.
If no scope is specified, the server performs a base search.
Search filter to apply to entries within the specified scope of the search.
If no filter is specified, the server uses the filter (objectClass=*).
The attributes, scope, and filter components are identified by their positions in the URL. If you do not want to specify any attributes, you must still include the question marks delimiting that field. For example, to specify a subtree search starting from "dc=example,dc=com" that returns all attributes for entries matching "(sn=Jensen)", use the following LDAP URL:
The two consecutive question marks ?? indicate that no attributes have been specified. Since no specific attributes are identified in the URL, all attributes are returned in the search.
Escaping Unsafe Characters
Any unsafe characters in the URL must be represented by a special sequence of characters. This is called escaping unsafe characters. For example, a space is an unsafe character that must be represented as %20 within the URL. Thus, the distinguished name "o=example corporation" must be encoded as "o=example%20corporation".
The following table lists the characters that are considered unsafe within URLs and provides the associated escape characters to use in place of the unsafe character:
Table 6-2 Characters that are Unsafe Within URLs
Examples of LDAP URLs
- The following LDAP URL specifies a base search for the entry with the distinguished name dc=example,dc=com.
- Because no port number is specified, the standard LDAP port number (389) is used.
- Because no attributes are specified, the search returns all attributes.
- Because no search scope is specified, the search is restricted to the base entry dc=example,dc=com.
- Because no filter is specified, the directory uses the default filter (objectclass=*).
- The following LDAP URL retrieves the postalAddress attribute of the entry with the DN dc=example,dc=com:
- The following LDAP URL retrieves the cn, and mail attributes of the entry for David Brent:
- The following LDAP URL specifies a search for entries that have the surname Jensen and are at any level under dc=example,dc=com:
- The following LDAP URL specifies a search for the object class for all entries one level under dc=example,dc=com: