One way to express an LDAP query is to use a URL that specifies the Directory Server host and the DN or filter for the search. Directory Server responds to queries sent as LDAP URLs by returning an HTML page that represents the results, so if anonymous searching is permitted, a web browser can search the directory directly. You can also use LDAP URLs to specify target entries when you manage Directory Server referrals or when you define access control instructions (ACIs).
LDAP URLs have the following syntax:
ldap[s]://hostname:port/base_dn?attributes?scope?filter
When ldap:// is specified, standard LDAP (default port 389) is used to connect to the LDAP server. When ldaps:// is specified, LDAP over SSL (default port 636) is used to connect to the LDAP server.
Table 12–1 LDAP URL Components
The attributes, scope, and filter components are identified by their position in the URL. If you do not want to specify a component, you must still include the question mark that delimits its field. Two consecutive question marks, ??, indicate that no attributes have been specified. An omitted component takes its default: all attributes, base scope, and the filter (objectclass=*).
For example, to specify a subtree search starting from "dc=example,dc=com" that returns all attributes for entries matching "(sn=Jensen)", use the following LDAP URL.
ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen)
Because no specific attributes are identified in the URL, all attributes are returned in the search.
Unsafe characters in a URL must be represented by a special sequence of characters. The following table lists the characters that are unsafe within URLs, and provides the associated escape characters to use in place of the unsafe character.
Table 12–2 Characters That Are Unsafe Within URLs

| Unsafe Character | Escape Characters |
|---|---|
| space | %20 |
| < | %3c |
| > | %3e |
| " | %22 |
| # | %23 |
| % | %25 |
| { | %7b |
| } | %7d |
| \| | %7c |
| \\ | %5c |
| ^ | %5e |
| ~ | %7e |
| [ | %5b |
| ] | %5d |
| ` | %60 |
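Building an LDAP URL from untrusted values needs more than the percent-encoding in the table: anything placed inside the filter must also be escaped per RFC 4515, or an input such as `*)(uid=admin` rewrites the search. The following Python is an added example, not code from the Directory Server documentation. It goes beyond the page by adding RFC 4514 DN-value escaping and RFC 4515 filter-value escaping; the function names (escape_filter_value, escape_dn_value, build_ldap_url), the attribute-name and host validation rules, and the sample inputs are this example's own.

```python
# Added example (not from the Directory Server documentation): assemble an
# LDAP URL from untrusted pieces. Two escaping layers apply: RFC 4515 escaping
# inside the filter (so input cannot add or close filter terms) and
# percent-encoding of the characters the table above lists, so the DN,
# attribute list, scope and filter cannot bleed into each other through a
# stray '?' or '#'. Function names and validation rules are this example's own.
import re
from urllib.parse import quote

# RFC 4515: characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514: characters that must be escaped inside an RDN attribute value.
_DN_SPECIAL = set(',+"\\<>;')

# Attribute description: a descriptor such as "mail" or a dotted OID.
_ATTR_NAME = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
# Host name, IPv4 literal, or bracketed IPv6 literal (example's own rule).
_HOST = re.compile(r"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])$")
_SCOPES = ("base", "one", "sub")


def escape_filter_value(value: str) -> str:
    """Escape a value that will be placed inside a filter such as (cn=<value>)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value that will become one RDN value, e.g. cn=<value>."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)           # backslash-prefix per RFC 4514
        elif ch == "\x00":
            out.append(r"\00")
        else:
            out.append(ch)
    return "".join(out)


def build_ldap_url(host, base_dn, *, port=None, attributes=(), scope="base",
                   filt=None, tls=False):
    """Return ldap[s]://host[:port]/base_dn?attributes?scope?filter.

    base_dn must already be DN-escaped (see escape_dn_value); filt must be a
    complete, parenthesised filter whose values went through escape_filter_value.
    """
    if not _HOST.match(host):
        raise ValueError(f"invalid host {host!r}")
    if scope not in _SCOPES:
        raise ValueError(f"scope must be one of {_SCOPES}, got {scope!r}")
    for name in attributes:
        if not _ATTR_NAME.match(name):
            raise ValueError(f"invalid attribute description {name!r}")
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"invalid port {port}")
    if filt is not None and not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised, e.g. (sn=Jensen)")

    scheme = "ldaps" if tls else "ldap"
    netloc = host if port is None else f"{host}:{port}"
    # Percent-encode everything except the DN punctuation that keeps it readable.
    # quote() emits upper-case hex (%20, %5C); the table's lower-case forms are
    # equivalent. Backslashes, spaces, '#', '?' and the rest of the table's
    # characters all end up encoded.
    dn_part = quote(base_dn, safe="=,+;")
    fields = [
        ",".join(attributes),
        "" if scope == "base" else scope,                       # empty scope = base
        "" if filt is None else quote(filt, safe="()=*,:"),     # '(' ')' '*' stay literal
    ]
    while fields and fields[-1] == "":      # trailing empty fields may be omitted
        fields.pop()
    url = f"{scheme}://{netloc}/{dn_part}"
    return url + "?" + "?".join(fields) if fields else url
```

The filter is percent-encoded after the RFC 4515 escape, so the escaped injection attempt `*)(uid=admin` travels as `(cn=%5C2a%5C29%5C28uid=admin)`: the server decodes it back to `(cn=\2a\29\28uid=admin)` and matches the literal string rather than evaluating an extra filter term.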
The LDAP URL syntax does not include any means for specifying credentials or passwords. Search requests initiated through LDAP URLs are therefore unauthenticated (anonymous) unless the LDAP client that supports LDAP URLs provides its own authentication mechanism, so the results are limited to what the directory permits anonymous searches to see.

This section gives examples of LDAP URLs.
The following LDAP URL specifies a base search for the entry with the distinguished name dc=example,dc=com.
ldap://ldap.example.com/dc=example,dc=com
Because no port number is specified, the standard LDAP port number 389 is used.
Because no attributes are specified, the search returns all attributes.
Because no search scope is specified, the search is restricted to the base entry dc=example,dc=com.
Because no filter is specified, the directory uses the default filter objectclass=*.
The following LDAP URL retrieves the postalAddress attribute of the entry with the DN dc=example,dc=com:
ldap://ldap.example.com/dc=example,dc=com?postalAddress
Because no search scope is specified, the search is restricted to the base entry dc=example,dc=com.
Because no filter is specified, the directory uses the default filter objectclass=*.
The following LDAP URL retrieves the cn and mail attributes of the entry for Barbara Jensen.
ldap://ldap.example.com/cn=Barbara%20Jensen,dc=example,dc=com?cn,mail
Because no search scope is specified, the search is restricted to the base entry cn=Barbara Jensen,dc=example,dc=com.
Because no filter is specified, the directory uses the default filter objectclass=*.
The following LDAP URL specifies a search for entries that have the surname Jensen and are at any level under dc=example,dc=com:
ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen)
Because no attributes are specified, the search returns all attributes.
Because the search scope is sub, the search encompasses the base entry dc=example,dc=com and entries at all levels under the base entry.
The following LDAP URL specifies a search for the object class for all entries one level under dc=example,dc=com:
ldap://ldap.example.com/dc=example,dc=com?objectClass?one
Because the search scope is one, the search encompasses all entries one level under the base entry dc=example,dc=com. The search scope does not include the base entry.
Because no filter is specified, the directory uses the default filter objectclass=*.
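The syntax section and the examples above together define how a client must read an LDAP URL: split on the positional `?` delimiters and fill in the defaults (port 389 for ldap:// or 636 for ldaps://, all attributes, base scope, filter (objectClass=*)). The following Python parser is an added example, not code from the Directory Server documentation. It goes slightly beyond the page by accepting a fifth `?`-delimited field (RFC 4516 extensions, returned undecoded) and a bracketed IPv6 host; the names LdapUrl and parse_ldap_url and the rejection rules for bad scopes and ports are this example's own.

```python
# Added example (not from the Directory Server documentation): parse an LDAP
# URL into its components and apply the defaults the examples above describe.
# Names and validation rules are this example's own.
from dataclasses import dataclass
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
DEFAULT_FILTER = "(objectClass=*)"
SCOPES = ("base", "one", "sub")


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str          # "" means the root DSE
    attributes: tuple     # () means "return all attributes"
    scope: str
    filter: str
    extensions: str = ""  # RFC 4516 extensions field, kept raw (not on this page)


def _split_authority(authority: str, default_port: int):
    """Split host[:port], allowing an IPv6 literal in brackets."""
    if authority.startswith("["):
        end = authority.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = authority[: end + 1], authority[end + 1:]
    else:
        host, sep, rest = authority.partition(":")
        rest = sep + rest
    if not host:
        raise ValueError("host is required")
    if rest == "":
        return host, default_port
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError(f"bad port in {authority!r}")
    port = int(rest[1:])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return host, port


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if sep != "://" or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    authority, _, path = rest.partition("/")
    host, port = _split_authority(authority, DEFAULT_PORTS[scheme])

    # Components are positional: dn?attributes?scope?filter[?extensions].
    # Split first and decode afterwards, so a percent-encoded '?' (%3F) inside
    # a value cannot create an extra field and shift the ones after it.
    fields = path.split("?")
    if len(fields) > 5:
        raise ValueError(f"too many '?'-delimited fields in {url!r}")
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, ext = fields

    scope = unquote(scope).lower() or "base"          # empty scope means base
    if scope not in SCOPES:
        raise ValueError(f"scope must be base, one or sub, got {scope!r}")
    attributes = tuple(unquote(a) for a in attrs.split(",") if a)
    return LdapUrl(scheme, host, port, unquote(dn), attributes, scope,
                   unquote(filt) or DEFAULT_FILTER, ext)
```

Decoding only after the split matters: a client that percent-decodes the whole URL first would turn an encoded `%3F` in a DN value into a delimiter and read the attacker's text as the scope or filter.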