Chapter 12 Directory Server LDAP URLs

One way to express an LDAP query is to use a URL to specify the Directory Server host machine and the DN or filter for the search. Directory Server responds to queries sent as LDAP URLs and returns an HTML page representing the results. In this way, if anonymous searching is permitted, web browsers can perform searches of the directory. You can also use LDAP URLs to specify target entries when you manage Directory Server referrals or when you access control instructions.

For information about LDAP URLs, see the following sections:

• Components of an LDAP URL

• Escaping Unsafe Characters

• Examples of LDAP URLs

Components of an LDAP URL

LDAP URLs have the following syntax:

ldap[s]://hostname:port/base_dn?attributes?scope?filter

When ldap:// is specified, standard LDAP is used to connect to the LDAP servers. When ldaps:// is specified, LDAP over SSL is used to connect to the LDAP server.

Table 12–1 LDAP URL Components

Component	Description
hostname	Name (or IP address in dotted format) of the LDAP server. For example:  ldap.example.com or 192.168.1.100
port	Port number of the LDAP server.  If no port is specified, the standard LDAP port (389) or LDAPS port (636) is used.
base_dn	Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search.   If no base DN is specified, the search starts at the root of the directory tree.
attributes	The attributes to be returned. To specify more than one attribute, use commas to separate the attributes. For example, "cn,mail,telephoneNumber". If no attributes are specified in the URL, all attributes are returned.
scope	The scope of the search. The scope can be one of these values:  base retrieves information about the distinguished name (base_dn) specified in the URL only. one retrieves information about entries one level below the distinguished name (base_dn) specified in the URL. The base entry is not included in this scope. sub retrieves information about entries at all levels below the distinguished name (base_dn) specified in the URL. The base entry is included in this scope. If no scope is specified, the server performs a base search.
filter	Search filter to apply to entries within the specified scope of the search.  If no filter is specified, the server uses the filter objectClass=*.

The following components are identified by their positions in the URL: attributes, scope, and filter are. If you do not want to specify a component, you must include a question mark to delimit the field. Two consecutive question marks, ??, indicate that no attributes have been specified.

For example, to specify a subtree search starting from "dc=example,dc=com" that returns all attributes for entries matching "(sn=Jensen)", use the following LDAP URL.

ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen)

Because no specific attributes are identified in the URL, all attributes are returned in the search.

Escaping Unsafe Characters

Unsafe characters in a URL must be represented by a special sequence of characters. The following table lists the characters that are unsafe within URLs, and provides the associated escape characters to use in place of the unsafe character.

Table 12–2 Characters That Are Unsafe Within URLs

Unsafe Character	Escape Characters
space	%20
<	%3c
\>	%3e
"	%22
#	%23
%	%25
{	%7b
}	%7d
|	%7c
\\	%5c
^	%5e
~	%7e
[	%5b
]	%5d
”	%60

Examples of LDAP URLs

The syntax for LDAP URLs does not include any means for specifying credentials or passwords. Search request initiated through LDAP URLs are unauthenticated (anonymous), unless the LDAP client that supports LDAP URLs provides an authentication mechanism. This section gives examples of LDAP URLs.

---

Example 12–1 Base Search for an Entry

The following LDAP URL specifies a base search for the entry with the distinguished name dc=example,dc=com.

ldap://ldap.example.com/dc=example,dc=com

• Because no port number is specified, the standard LDAP port number 389 is used.

• Because no attributes are specified, the search returns all attributes.

• Because no search scope is specified, the search is restricted to the base entry dc=example,dc=com.

• Because no filter is specified, the directory uses the default filter objectclass=*.

---

---

Example 12–2 Retrieving postalAddress Attribute of an Entry

The following LDAP URL retrieves the postalAddress attribute of the entry with the DN dc=example,dc=com:

ldap://ldap.example.com/dc=example,dc=com?postalAddress

• Because no search scope is specified, the search is restricted to the base entry dc=example,dc=com.

• Because no filter is specified, the directory uses the default filter objectclass=*.

---

---

Example 12–3 Retrieving cn and mail Attributes of an Entry

The following LDAP URL retrieves the cn, and mail attributes of the entry for Barbara Jensen.

ldap://ldap.example.com/cn=Barbara%20Jensen,dc=example, dc=com?cn,mail

• Because no search scope is specified, the search is restricted to the base entry cn=Barbara Jensen,dc=example,dc=com.

• Because no filter is specified, the directory uses the default filter objectclass=*.

---

---

Example 12–4 Retrieving the Surname Jensen Under dc=example,dc=com

The following LDAP URL specifies a search for entries that have the surname Jensen and are at any level under dc=example,dc=com:

ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen)

• Because no attributes are specified, the search returns all attributes.

• Because the search scope is sub, the search encompasses the base entry dc=example,dc com and entries at all levels under the base entry.

---

---

Example 12–5 Retrieving the Object Class for all Entries One Level Under dc=example,dc=com

The following LDAP URL specifies a search for the object class for all entries one level under dc=example,dc=com:

ldap://ldap.example.com/dc=example,dc=com?objectClass?one

• Because the search scope is one, the search encompasses all entries one level under the base entry dc=example,dc=com. The search scope does not include the base entry.

• Because no filter is specified, the directory uses the default filter objectclass=*.

---