An LDAP URL is a URL that begins with the ldap:// protocol prefix (or ldaps://, if the server is communicating over an SSL connection) and specifies a search request sent to an LDAP server.
When you access the directory server using a web-based client such as the directory server gateway, you must provide an LDAP URL identifying the directory server you wish to access. You can set the default LDAP URL to use with the directory server gateway using the baseurl parameter (in the gateway configuration file).
In addition, you may use LDAP URLs when managing directory server referrals or access control instructions.
This appendix contains the following sections:
"Components of an LDAP URL"
"Examples of LDAP URLs"
ldap[s]://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>
The ldap:// protocol is used to connect to LDAP servers over unsecured connections, and the ldaps:// protocol is used to connect to LDAP servers over SSL connections. Table A.1 lists the components of an LDAP URL.
Table A.1 Components of an LDAP URL
Component: Description
<hostname>: Name (or IP address in dotted format) of the LDAP server (for example, ldap.airius.com or 192.202.185.90).
<port>: Port number of the LDAP server (for example, 696). If no port is specified, the standard LDAP port (389) or LDAPS port (636) is used.
<base_dn>: Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search. If this component is empty, the search starts at the root of the directory tree.
<attributes>: The attributes to be returned. To specify more than one attribute, use commas to delimit the attributes (for example, "cn,mail,telephoneNumber"). If no attributes are specified in the URL, all attributes are returned.
<scope>: The scope of the search, which can be one of these values:
    base retrieves information only about the distinguished name (<base_dn>) specified in the URL.
    one retrieves information about entries one level below the distinguished name (<base_dn>) specified in the URL. The base entry is not included in this scope.
    sub retrieves information about entries at all levels below the distinguished name (<base_dn>) specified in the URL. The base entry is included in this scope.
    If no scope is specified, the server performs a base search.
<filter>: Search filter to apply to entries within the specified scope of the search. If no filter is specified, the server uses the filter (objectClass=*).
<attributes>, <scope>, and <filter> are identified by their positions in the URL. If you do not want to specify any attributes, you still need to include the question marks delimiting that field.
For example, to specify a subtree search starting from "o=airius.com" that returns all attributes for entries matching "(sn=Jensen)", use the following URL:
ldap://ldap.airius.com/o=airius.com??sub?(sn=Jensen)
The two consecutive question marks (??) indicate that no attributes have been specified. Since no specific attributes are identified in the URL, all attributes are returned in the search.
Unsafe character    Escape characters
space               %20
<                   %3c
>                   %3e
"                   %22
#                   %23
%                   %25
{                   %7b
}                   %7d
|                   %7c
\                   %5c
^                   %5e
~                   %7e
[                   %5b
]                   %5d
`                   %60
ldap://ldap.airius.com/o=airius.com
Because no port number is specified, the standard LDAP port number (389) is used.
Because no attributes are specified, the search returns all attributes.
Because no search scope is specified, the search is restricted to the base entry "o=airius.com".
Because no filter is specified, the default filter "(objectclass=*)" is used.
ldap://ldap.airius.com/o=airius.com?postalAddress
ldap://ldap.airius.com/cn=Barbara%20Jensen,o=airius.com?cn,mail,telephoneNumber
Because no search scope is specified, the search is restricted to the base entry "cn=Barbara Jensen,o=airius.com".
Because the search scope is sub, the search encompasses the base entry "o=airius.com" and entries at all levels under the base entry.
ldap://ldap.airius.com/o=airius.com?objectClass?one
Because the search scope is one, the search encompasses all entries one level under the base entry "o=airius.com". The search scope does not include the base entry.
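The defaulting rules from Table A.1 and the examples above can be checked with a small parser. This is an added example, not code from the directory server or its gateway; the function name parse_ldap_url is hypothetical, and it assumes the host is a name or dotted IP address and that the URL carries only the four fields described in this appendix.

```python
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # standard ports from Table A.1
SCOPES = ("base", "one", "sub")
DEFAULT_FILTER = "(objectClass=*)"


def parse_ldap_url(url):
    """Split an LDAP URL into its components and apply the documented defaults."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("not an ldap:// or ldaps:// URL")

    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")

    # Fields are positional, so split on '?' BEFORE percent-decoding:
    # an escaped character inside one field must not shift the others.
    fields = tail.split("?")
    if len(fields) > 4:
        # This appendix defines four fields only; reject anything beyond them.
        raise ValueError("too many '?'-delimited fields")
    fields += [""] * (4 - len(fields))
    base_dn, attrs, scope, search_filter = (unquote(f) for f in fields)

    scope = scope.lower() or "base"            # no scope -> base search
    if scope not in SCOPES:
        raise ValueError("unknown search scope: %r" % scope)

    return {
        "ssl": scheme == "ldaps",              # ldap:// is an unsecured connection
        "host": host,
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "base_dn": base_dn,                    # empty -> root of the directory tree
        "attributes": attrs.split(",") if attrs else [],   # [] -> all attributes
        "scope": scope,
        "filter": search_filter or DEFAULT_FILTER,
    }


if __name__ == "__main__":
    # URLs taken from the examples in this appendix.
    for u in ("ldap://ldap.airius.com/o=airius.com??sub?(sn=Jensen)",
              "ldap://ldap.airius.com/cn=Barbara%20Jensen,o=airius.com?cn,mail,telephoneNumber"):
        print(parse_ldap_url(u))
```

Running a URL from a referral or access control instruction through such a parser before it is stored makes the effective scope, filter and transport explicit instead of leaving them to defaults.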
Important. The syntax for LDAP URLs does not include any means for specifying credentials or passwords. Search requests initiated through LDAP URLs are unauthenticated, unless the LDAP client that supports LDAP URLs provides for authentication. The Netscape Directory Server gateway supports this.