]> Optima SC Inc.

CA carl.codere@optimasc.com http://www.optimasc.com

General Internet Engineering Task Force datatype object identifier LDAP Syntax definitions This document registers additional syntax definitions for use in Lightweight Directory Access Protocol (LDAP) directory and Directory services series X.500. This includes widely used datatypes and syntaxes.

Introduction The Lightweight Directory Access Protocol (LDAP) directory defines several data types which specify the syntax definitions of attributes. These are identified by ASN.1 OBJECT IDENTIFIER types. Furthermore, these syntax definitions can be used to uniquely identify data types as character representations in other applications. Some widely used syntax specifications are missing from the initial LDAP specification. This document provides additional syntax definitions that have been registered and may be used by application providers.

Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Some of the syntax definitions are defined according to the regular expressions defined in .

Syntaxes The following additional syntaxes and their associated descriptions and OBJECT IDENTIFIER types are defined.

ASN.1 Syntax Definitions The following additional syntaxes are defined and are based on .

Date The Date type represents a date in the Gregorian calendar. It is defined as a useful TIME type in and conforms to the extended format syntax of a calendar date as defined in . A Date value SHALL be written using the following syntax: YYYY-MM-DD where YYYY represents a year between 1582 and 9999, MM the month value from 01 to 12 and DD a day in the month from 01 to 31. Examples:

• 9999-02-25
• 1583-01-31

The LDAP definition for the Date syntax is:

• ( 1.3.6.1.4.1.61799.5.40.31 DESC 'Date' )

This syntax corresponds to the DATE ASN.1 type from .

Date-Time The Date-time type represents a date and local time using a 24 hour clock. It is defined as a useful TIME type in and conforms to the extended format syntax of a date and time without any timezone specifier as defined in . A Date-Time value SHALL be written using the following syntax: YYYY-MM-DDThh:mm:ss where YYYY represents a year between 1582 and 9999, MM the month value from 01 to 12, DD a day in the month from 01 to 31, hh the hour from 00 to 24, mm the minute from 00 to 59, and ss the seconds with allowed values of 00 to 60 where 60 represents a leap second. Examples:

• 1583-01-01T00:59:59
• 1975-01-19T23:45:34

The LDAP definition for the Date-Time syntax is:

• ( 1.3.6.1.4.1.61799.5.40.33 DESC 'Date-Time' )

This syntax corresponds to the DATE-TIME ASN.1 type from .

Duration The Duration type represents an elapsed time with a resolution of up to a fractions of seconds. It is defined as a useful TIME type in and conforms to a subset of the extended format syntax of a time interval by duration as defined in . A duration syntax value SHALL conform to the following regular expression, and additionally at least one component designator and its associated valueSHALL be present (i.e., the strings "P" and "PT" are not valid Duration values): P([0-9]+Y)?([0-9]+M)?([0-9]+D)?(T([0-9]+H)?([0-9]+M)?([0-9]+(\.[0-9]{1,3})?S)?)? If the number of years, months, days, hours, minutes, or seconds in any expression equals zero, the number and its corresponding designator MAY be omitted. However, at least one number and its designator SHALL be present. Examples:

• P29M0D -- 29 months, 0 days to an accuracy of 1 day.
• P29MT0S -- 29 months, 0 days, 0 hours, 0 minutes, 0 seconds, to an accuracy of 1 second.
• PT3445.5S -- 3445.5 seconds

The LDAP definition for the Duration syntax is:

• ( 1.3.6.1.4.1.61799.5.40.34 DESC 'Duration' )

This syntax corresponds to a very strict subset of the DURATION ASN.1 type from , in that the order of parameters need to be respected and fractional values SHALL only apply to the seconds designation and when present, are limited up to 3 digits (millisecond precision).

Real The Real type represents the computational approximations to the mathematical "real number". The format for the Real is as defined in Section 21 of . A Real syntax value SHALL conform to the following regular expression: ([-]?[0-9]+(\.[0-9]+)?([E][-]?[0-9]+)?)|PLUS-INFINITY|MINUS-INFINITY|NOT-A-NUMBER Examples:

• 3.14159
• MINUS-INFINITY
• 0
• -5.3E4 -- Equal to -53000
• 5E3 -- 5000

The LDAP definition for the Real syntax is:

• ( 1.3.6.1.4.1.61799.5.40.9 DESC 'Real' )

This syntax corresponds to a subset of the REAL ASN.1 type from where the sequence syntax is not allowed, the values are limited to base ten, where a digit before the decimal point is required, where only the character 'E' is allowed to specify the exponent, where the preceding optional "+" sign is prohibited in both the mantissa and the exponent, and where leading zeros in the integer part SHALL NOT be present unless the integer part is "0".

Time Of Day The Time Of Day type represents a local time using a 24 hour clock. It is defined as a useful TIME type in and conforms to the extended format syntax of a local time as defined in . A Time Of Day value SHALL be written using the following syntax: hh:mm:ss where hh represents the hour from 00 to 24, mm represents the minute from 00 to 59, and ss represents the seconds with allowed values of 00 to 60 where 60 represents a leap second. Examples for Time Of Day:

• 00:59:59
• 01:45:54

The LDAP definition for the Time Of Day syntax is:

• ( 1.3.6.1.4.1.61799.5.40.32 DESC 'Time Of Day' )

This syntax corresponds to the TIME-OF-DAY ASN.1 type from .

Visible String The Visible String type represents a character repertoire that contains the printable ASCII character set (in the Unicode range U+0020 to U+007E). It is defined in . This syntax value SHALL conform to the following regular expression: [0-9A-Za-z !"#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~]* Examples:

• hello world
• (x+y)=z

The LDAP definition for the Visible String syntax is:

• ( 1.3.6.1.4.1.61799.5.40.26 DESC 'Visible String' )

This syntax corresponds to the VisibleString ASN.1 type from .

Constrained ASN.1 Syntax Definitions The following additional syntaxes are defined as constraints of basic ASN.1 types that may be used to be more precise in encoding and input validation.

Float32 The Float32 type represents a real number which fits in the range of a single precision floating point value. The Float32 syntax follows the base 10 syntax of the real type (See ) with a constrained range. For equality matching purposes, negative zero SHALL be considered equal to positive zero and NOT-A-NUMBER SHALL NOT be considered equal to any value, including itself. Examples:

• 3.14159 -- value will be rounded to the nearest representable value
• MINUS-INFINITY
• -5.3E4 -- Equal to -53000

The LDAP definition for the Float32 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.9.4 DESC 'Float32' )

This syntax corresponds to the following ASN.1 type from : Float32 ::= REAL (WITH COMPONENTS { mantissa (-16777215..16777215), base (2), exponent (-149..104) })

Float64 The Float64 type represents a real number which fits in the range of a double precision floating point value. The Float64 syntax follows the base 10 syntax of the real type (See ) with a constrained range. For equality matching purposes, negative zero SHALL be considered equal to positive zero and NOT-A-NUMBER SHALL NOT be considered equal to any value, including itself. Examples:

• 3.1415926535897932 -- value will be rounded to the nearest representable value
• NOT-A-NUMBER
• -5.3E4 -- Equal to -53000

The LDAP definition for the Float64 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.9.8 DESC 'Float64' )

This syntax corresponds to the following ASN.1 type from : Float64 ::= REAL (WITH COMPONENTS { mantissa (-9007199254740991..9007199254740991), base (2), exponent (-1074..971) })

UInt8 The UInt8 type represents an unsigned integer value within the range 0 to 255 inclusive. Examples:

• 0
• 34

The LDAP definition for the UInt8 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.21 DESC 'UInt8' )

This syntax corresponds to the following ASN.1 type from : UInt8 ::= INTEGER(0..255)

UInt16 The UInt16 type represents an unsigned integer value within the range 0 to 65535 inclusive. Examples:

• 0
• 64991

The LDAP definition for the UInt16 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.22 DESC 'UInt16' )

This syntax corresponds to the following ASN.1 type from : UInt16 ::= INTEGER(0..65535)

UInt32 The UInt32 type represents an unsigned integer value within the range 0 to 4294967295 inclusive. Examples:

• 0
• 40000000

The LDAP definition for the UInt32 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.24 DESC 'UInt32' )

This syntax corresponds to the following ASN.1 type from : UInt32 ::= INTEGER(0..4294967295)

UInt64 The UInt64 type represents an unsigned integer value within the range 0 to 18446744073709551615 inclusive. Examples:

• 0
• 844674407370955

The LDAP definition for the UInt64 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.28 DESC 'UInt64' )

This syntax corresponds to the following ASN.1 type from : UInt64 ::= INTEGER(0..18446744073709551615)

Int8 The Int8 type represents a signed integer value within the range -128 to 127 inclusive. Examples:

• 0
• -123

The LDAP definition for the Int8 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.1 DESC 'Int8' )

This syntax corresponds to the following ASN.1 type from : Int8 ::= INTEGER(-128..127)

Int16 The Int16 type represents a signed integer value within the range -32768 to 32767 inclusive. Examples:

• 15667
• -32000

The LDAP definition for the Int16 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.2 DESC 'Int16' )

This syntax corresponds to the following ASN.1 type from : Int16 ::= INTEGER(-32768 .. 32767)

Int32 The Int32 type represents a signed integer value within the range -2147483648 to 2147483647 inclusive. Examples:

• 15667
• -3200000

The LDAP definition for the Int32 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.4 DESC 'Int32' )

This syntax corresponds to the following ASN.1 type from : Int32 ::= INTEGER(-2147483648..2147483647)

Int64 The Int64 type represents a signed integer value within the range -9223372036854775808 to 9223372036854775807 inclusive. Examples:

• -2337203685477580
• 3372036854775807

The LDAP definition for the Int64 type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.8 DESC 'Int64' )

This syntax corresponds to the following ASN.1 type from : Int64 ::= INTEGER(-9223372036854775808..9223372036854775807)

Percentage The Percentage type represents a percentage value, that is an unsigned integer in the range 0 to 100 inclusive. Examples:

• 0
• 99

The LDAP definition for the Percentage type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.2.20 DESC 'Percentage' )

This syntax corresponds to the following ASN.1 type from : Percentage ::= INTEGER(0..100)

Other Syntax Definitions The following additional syntaxes are defined and are based on IETF RFC's, or other international standards.

Language A language provides a representation of a spoken or written language as well as an optional region and other specifiers. The exact syntax allowed is defined in Section 2 of . A Language syntax value SHALL conform to the following regular expression: ([a-zA-Z]{2,8}|x-[a-zA-Z0-9]{1,8})(-[a-zA-Z0-9]{1,8})* The regular expression provides a structural check only. Conformance to the full syntax defined in is additionally required. Examples:

• en
• fr-CA

The LDAP definition for the Language syntax is:

• ( 1.3.6.1.4.1.61799.5.40.19.1 DESC 'Language' )

This syntax corresponds to the following ASN.1 type from : Language ::= PrintableString (PATTERN "([a-zA-Z]#(2,8)|x-[a-zA-Z0-9]#(1,8))(-[a-zA-Z0-9]#(1,8))*") -- ISO 639 code minimally

Media type The Media Type syntax identifies values that represent an IANA registered Media type . The format for the MIME Media type is defined in Section 4.2 of . This syntax value SHALL conform to the following regular expression: [A-Za-z0-9]([A-Za-z0-9!#$&^_.+-]){0,126}/[A-Za-z0-9]([A-Za-z0-9!#$&^_.+-]){0,126} Examples:

• text/xhtml
• application/alto-costmap+json

The LDAP definition for the MIME Media type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.26.5 DESC 'Media Type' )

This syntax corresponds to the following ASN.1 type from : MediaType ::= VisibleString (SIZE(3..255))

OpenDate An OpenDate represents either part of a Date or a Date and Time in extended format as specified in ISO 8601. The exact syntax allowed is defined by W3C Date and Time formats with a 3 digit fraction. The time component, when present, always contains timezone information. Examples:

• 2034
• 1975-01
• 1975-01-19
• 1975-01-19T19:20+01:00
• 1975-01-19T19:20:30+01:00
• 1975-01-19T19:20:30.451+01:00
• 1975-01-19T18:20Z
• 1975-01-19T18:20:30Z
• 1975-01-19T18:20:30.451Z

The LDAP definition for the OpenDate syntax is:

• ( 1.3.6.1.4.1.61799.5.40.14.1 DESC 'OpenDate' )

This syntax corresponds to a subset of the TIME ASN.1 type from with the specified configuration: OpenDate ::= TIME((SETTINGS "Basic=Date Date=Y Year=Basic")| (SETTINGS "Basic=Date Date=YM Year=Basic")| (SETTINGS "Basic=Date Date=YMD Year=Basic")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HM Local-or-UTC=LD")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HMS Local-or-UTC=LD")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HMSF3 Local-or-UTC=LD")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HM Local-or-UTC=Z")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HMS Local-or-UTC=Z")| (SETTINGS "Basic=Date-Time Date=YMD Year=Basic Time=HMSF3 Local-or-UTC=Z"))

URI The URI syntax type identifies values that are referenced by a Uniform Resource Identifier (URI). The format and encoding for the URI is as defined in . Even if relative URIs are allowed, it is RECOMMENDED they not be used unless the context of use is known. Examples:

• http://www.example.com/my/picture.jpg
• ldap://ldap.example.com/cn=babs%20jensen

The LDAP definition for the URI syntax is:

• ( 1.3.6.1.4.1.61799.5.40.26.4 DESC 'URI' )

This syntax corresponds to the following ASN.1 type from : URI ::= VisibleString (SIZE (1..ub-uri-length)) -- ub-uri-length MUST be at least 2000 The value of ub-uri-length (an integer) is implementation defined but MUST be at least 2000 characters.

NCName The NCName syntax type should be used to identify values that represent identifiers and local attribute names. A name is a subset of the NCName definition in . This syntax value SHALL conform to the following regular expression: [\p{L}\p{Nl}_][\p{L}\p{Nl}\p{Nd}._-]* Examples:

• MyID
• attribute.0.subdivision

The LDAP definition for the NCName type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.12.6 DESC 'NCName' )

This syntax corresponds to the following ASN.1 type from : -- NOTE: This type does not capture the -- structural constraints on permitted characters and start characters. -- The regular expression is the normative definition of valid values NCName ::= UnboundedDirectoryString

Qualified Name The Qualified Name syntax type identifies values that represent identifiers and attribute names using namespaces. This is a subset of the QName definition in . This syntax value SHALL conform to the following regular expression: [\p{L}\p{Nl}_][\p{L}\p{Nl}\p{Nd}._-]*(:[\p{L}\p{Nl}_][\p{L}\p{Nl}\p{Nd}._-]*)? Examples:

• MyID
• attribute.0:subdivision

The LDAP definition for the QualifiedName type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.12.7 DESC 'QualifiedName' )

This syntax corresponds to the following ASN.1 type from : -- NOTE: This type does not capture the -- structural constraints on permitted characters and start characters. -- The regular expression is the normative definition of valid values QualifiedName ::= UnboundedDirectoryString

Text The Text type represents a Unicode string with a restricted character repertoire. A Text string value MUST NOT contain any code point that has any of the following properties, as defined in the Unicode Character Database :

• General_Category of Cc (Control), with the exception of U+0009 (CHARACTER TABULATION), U+000A (LINE FEED), and U+000D (CARRIAGE RETURN), which are permitted;
• General_Category of Cs (Surrogate);
• General_Category of Co (Private_Use);
• Noncharacter_Code_Point, as defined in PropList.txt of the Unicode Character Database. This is a fixed set of 66 code points: U+FDD0..U+FDEF and U+nFFFE..U+nFFFF (where n ranges from 0 to 10 in hexadecimal).

See for security considerations regarding the handling, display, and comparison of values containing format characters or bidirectional controls. Examples:

• Hello world
• Ceci est une phrase qui est encore plus longue que la précédente

The LDAP definition for the Text type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.12.3 DESC 'Text' )

This syntax corresponds to the following ASN.1 type from :

Normalized String The Normalized String type represents a whitespace-normalized Unicode string. A Normalized String value SHALL conform to all the restrictions of the Text type (), with the following additional constraints: Prior to validation, the following code points SHALL be mapped to U+0020 (SPACE):

• U+0009 (CHARACTER TABULATION), U+000A (LINE FEED), and U+000D (CARRIAGE RETURN);
• Code points with General_Category Zs (Space_Separator) other than U+0020 (SPACE);
• Code points with General_Category Zl (Line_Separator) or Zp (Paragraph_Separator).

The canonical form of a Normalized String contains only U+0020 SPACE as a whitespace character. All other Unicode scalar values permitted by the Text type are permitted. See for security considerations regarding the handling, display, and comparison of values containing format characters or bidirectional controls. Examples:

• Paragraph start with some leading spaces.
• This is some other text with spaces.

The LDAP definition for the Normalized String syntax is:

• ( 1.3.6.1.4.1.61799.5.40.12.4 DESC 'Normalized String' )

This syntax corresponds to the following ASN.1 type definition:

Token The Token type represents a whitespace-normalized Unicode string. A Token value SHALL conform to all the restrictions of the Normalized String type (), with the following additional constraints:

• No leading and trailing U+0020 SPACE characters.
• No consecutive U+0020 SPACE characters.

This is similar to the Token datatype in . The resulting canonical form is either the empty string, or a string that does not begin or end with U+0020 SPACE and contains no consecutive U+0020 SPACE characters. See for security considerations regarding the handling, display, and comparison of values containing format characters or bidirectional controls. Examples:

• This is a token with spaces.
• _Token_

The LDAP definition for the Token type syntax is:

• ( 1.3.6.1.4.1.61799.5.40.12.5 DESC 'Token' )

This syntax corresponds to the following ASN.1 type from :

Time Of Day with Timezone The Time Of Day with Timezone syntax type represents a time with explicit timezone information using a 24 hour clock. It is defined as a TIME type in and conforms to the extended format syntax of a time either represented as a local time followed by a UTC offset or as a UTC time indicated by the 'Z' designator, as defined in . A Time Of Day with Timezone value SHALL be written using the following syntax: hh:mm:ss where hh represents the hour from 00 to 24, mm represents the minute from 00 to 59, and ss represents the seconds with allowed values of 00 to 60 where 60 represents a leap second followed by a timezone indicator. The timezone indicator is in the form +hh:mm where hh represents the number of hours and mm the number of minutes if the local time is ahead of or equal to UTC time. The timezone indicator is -hh:mm if the local time is behind UTC time. If the time represents an UTC time, the time shall be followed without space, by the timezone UTC designator [Z]. This standard supports time differences in the range –15 hours to +15 hours to align with . Examples:

• 00:59:59Z
• 01:45:54-01:00

The LDAP definition for the Time Of Day with Timezone syntax is:

• ( 1.3.6.1.4.1.61799.5.40.35 DESC 'Time Of Day with Timezone' )

This syntax corresponds to a subset of the TIME ASN.1 type from with the specified configuration: Time-with-timezone ::= TIME((SETTINGS "Basic=Time Time=HMS Local-or-UTC=LD")| (SETTINGS "Basic=Time Time=HMS Local-or-UTC=Z"))

Matching rules This section defines matching rules for syntaxes that require comparison semantics beyond simple string matching. Syntaxes not listed here use existing matching rules from : integer types (Int8, Int16, Int32, Int64, UInt8, UInt16, UInt32, UInt64, Percentage) use integerMatch and integerOrderingMatch; string types (Text, Normalized String, Token, Visible String, NCName, Qualified Name) use caseExactMatch; Language and Media Type use caseIgnoreMatch; and Date and Date-Time use caseExactMatch and caseExactOrderingMatch.

uriMatch The uriMatch rule compares for equality a presented value with an attribute value of type URI (). The comparison is done using syntax-based normalization as defined in Section 6.2.2 of . The LDAP definition for the uriMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.26.4 NAME 'uriMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.26.4 )

The rule returns TRUE if the attribute value represents the same URI as the presented value.

openDateMatch The openDateMatch rule compares for equality a presented value with an attribute value of type OpenDate (). For comparison purposes, OpenDate values SHALL first be normalized to a full date-time in UTC timezone using the following rules:

1. If the month component is absent it is assumed to be one.
2. If the day component is absent it is assumed to be one.
3. If the hours component is absent it is assumed to be zero.
4. If the minutes component is absent it is assumed to be zero.
5. If the seconds component is absent it is assumed to be zero.
6. If the decimal fraction component is absent it is assumed to be zero.
7. If a timezone is present the date and time is normalized to the UTC timezone.
8. If no timezone is present it is assumed, by convention, to be in the UTC timezone.
9. If the time component indicates a value of 24:00:00 it is replaced by 00:00:00 and the day is incremented by one.

This normalization procedure is inspired by, but not identical to, the implicit timezone and value comparison rules defined in Section 9.4 of . After normalization, values are compared chronologically. The LDAP definition for the openDateMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.14.1 NAME 'openDateMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.14.1 )

The rule returns TRUE if the attribute value represents the same OpenDate as the presented value.

openDateOrderingMatch The openDateOrderingMatch rule compares the ordering a presented value with an attribute value of type OpenDate (). Values are first normalized using the algorithm in . The normalized values are then compared chronologically. The LDAP definition for the openDateOrderingMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.14.1.1 NAME 'openDateOrderingMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.14.1 )

The rule returns TRUE if the attribute value represents an OpenDate which is earlier than the presented OpenDate.

timeMatch The timeMatch rule compares for equality a presented value with an attribute value of type Time Of Day (). Values are compared component by component (hours, minutes, seconds) in order of significance. A time value of 24:00:00 is considered end of day, and is therefore not equal to 00:00:00. The LDAP definition for the timeMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.32 NAME 'timeMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.32 )

The rule returns TRUE if the attribute value represents the same Time Of Day as the presented value.

timeOrderingMatch The timeOrderingMatch rule compares the ordering of a presented value with an attribute value of type Time Of Day (). Values are compared component by component (hours, minutes, seconds) in order of significance. A time value of 24:00:00 is considered end of day, and is therefore greater than 00:00:00. The LDAP definition for the timeOrderingMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.32.1 NAME 'timeOrderingMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.32 )

The rule returns TRUE if the attribute value represents a Time Of Day which is earlier than the presented Time Of Day.

timeWithTZMatch The timeWithTZMatch rule compares for equality a presented value with an attribute value of type Time Of Day with Timezone (). Before comparison, both values are normalized to UTC. During normalization, a time value of 24:00:00 is replaced with 00:00:00. After normalization, values are equal if and only if their hours, minutes and seconds components are identical. The LDAP definition for the timeWithTZMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.35 NAME 'timeWithTZMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.35 )

The rule returns TRUE if the attribute value represents the same Time Of Day with Timezone as the presented value.

timeWithTZOrderingMatch The timeWithTZOrderingMatch rule compares the ordering of a presented value with an attribute value of type Time Of Day with Timezone (). Before comparison, both values are normalized to UTC. During normalization, a time value of 24:00:00 is replaced with 00:00:00. After normalization, values are compared component by component (hours, minutes, seconds) in order of significance. The LDAP definition for the timeWithTZOrderingMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.35.1 NAME 'timeWithTZOrderingMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.35 )

The rule returns TRUE if the attribute value represents a Time Of Day with Timezone which is earlier than the presented Time Of Day with Timezone.

realMatch The realMatch rule compares for equality a presented value with an attribute value of type Real (). This matching rule also applies to the Float32 and Float64 syntaxes, which are constrained subsets of the Real syntax. Values are compared by their mathematical value. NOT-A-NUMBER is not equal to any value, including itself. Negative zero is equal to positive zero. MINUS-INFINITY is equal only to itself, and PLUS-INFINITY is equal only to itself. The LDAP definition for the realMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.9 NAME 'realMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.9 )

The rule returns TRUE if the attribute value represents the same Real value as the presented value.

realOrderingMatch The realOrderingMatch rule compares the ordering of a presented value with an attribute value of type Real (). This matching rule also applies to the Float32 and Float64 syntaxes, which are constrained subsets of the Real syntax. MINUS-INFINITY is less than all finite values and PLUS-INFINITY is greater than all finite values. Negative zero is equal to positive zero for ordering purposes. NOT-A-NUMBER is greater than all other values, including PLUS-INFINITY. All NOT-A-NUMBER values are considered equal for ordering purposes. Note: IEEE-754 arithmetic comparison leaves NOT-A-NUMBER unordered with respect to all values. This rule instead assigns NOT-A-NUMBER a conventional position to ensure a total ordering, which is required for consistent indexing, sorting, and evaluation of inequality filters by directory implementations. The LDAP definition for the realOrderingMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.9.1 NAME 'realOrderingMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.9 )

The rule returns TRUE if the attribute value is less than the presented value.

durationMatch The durationMatch rule compares for equality a presented value with an attribute value of type Duration (). Two duration values are equal if and only if they represent the same total number of months and the same total number of milliseconds, where:

• Total months is (years x 12) + months.
• Total milliseconds is (days x 86400000) + (hours x 3600000) + (minutes x 60000) + (seconds x 1000) + milliseconds.

Note that month components and day-time components are compared independently and are never converted into each other. Consequently, a duration such as P1M (one month) is never equal to P30D (thirty days), even though they may represent the same elapsed time for certain dates. This behavior is intentional and consistent with the abstract definition of duration. Implementations SHOULD use integer arithmetic for these computations to avoid floating-point precision issues. The LDAP definition for the durationMatch rule is:

• ( 1.3.6.1.4.1.61799.5.13.34 NAME 'durationMatch' SYNTAX 1.3.6.1.4.1.61799.5.40.34 )

The rule returns TRUE if the attribute value represents the same duration as the presented value.

IANA Considerations IANA is requested to assign the LDAP values specified in this document to .

Syntax registration

Subject:

Request for LDAP Syntax Registration

Object Identifier:

See table below

Description:

List of additional useful LDAP syntaxes

Person & email address to contact for further information:

carl.codere@optimasc.com

Specification/Reference: [ RFC-to-be ]

Author/Change Controller/Owner:

IESG

Comments:

See table for list of additional syntaxes

List of additional LDAP syntaxes

Object Identifier	Syntax
1.3.6.1.4.1.61799.5.40.31	Date
1.3.6.1.4.1.61799.5.40.33	Date-Time
1.3.6.1.4.1.61799.5.40.34	Duration
1.3.6.1.4.1.61799.5.40.9.4	Float32
1.3.6.1.4.1.61799.5.40.9.8	Float64
1.3.6.1.4.1.61799.5.40.2.1	Int8
1.3.6.1.4.1.61799.5.40.2.2	Int16
1.3.6.1.4.1.61799.5.40.2.4	Int32
1.3.6.1.4.1.61799.5.40.2.8	Int64
1.3.6.1.4.1.61799.5.40.19.1	Language
1.3.6.1.4.1.61799.5.40.12.6	NCName
1.3.6.1.4.1.61799.5.40.12.4	Normalized String
1.3.6.1.4.1.61799.5.40.26.5	Media Type
1.3.6.1.4.1.61799.5.40.14.1	OpenDate
1.3.6.1.4.1.61799.5.40.2.20	Percentage
1.3.6.1.4.1.61799.5.40.12.7	QualifiedName
1.3.6.1.4.1.61799.5.40.9	Real
1.3.6.1.4.1.61799.5.40.12.3	Text
1.3.6.1.4.1.61799.5.40.12.5	Token
1.3.6.1.4.1.61799.5.40.32	Time Of Day
1.3.6.1.4.1.61799.5.40.35	Time Of Day with Timezone
1.3.6.1.4.1.61799.5.40.2.21	UInt8
1.3.6.1.4.1.61799.5.40.2.22	UInt16
1.3.6.1.4.1.61799.5.40.2.24	UInt32
1.3.6.1.4.1.61799.5.40.2.28	UInt64
1.3.6.1.4.1.61799.5.40.26.4	URI
1.3.6.1.4.1.61799.5.40.26	Visible String

Object Identifier Descriptors registration

Subject:

Request for LDAP Descriptor Registration

Descriptor (short name):

See table below

Object Identifier:

See table below

Usage:

matching rule

Person & email address to contact for further information:

carl.codere@optimasc.com

Specification/Reference: [ RFC-to-be ]

Author/Change Controller/Owner:

IESG

Comments:

See table for list of additional matching rules

List of additional descriptor registrations

Name	OID
durationMatch	1.3.6.1.4.1.61799.5.13.34
openDateMatch	1.3.6.1.4.1.61799.5.13.14.1
openDateOrderingMatch	1.3.6.1.4.1.61799.5.13.14.1.1
realMatch	1.3.6.1.4.1.61799.5.13.9
realOrderingMatch	1.3.6.1.4.1.61799.5.13.9.1
timeMatch	1.3.6.1.4.1.61799.5.13.32
timeOrderingMatch	1.3.6.1.4.1.61799.5.13.32.1
timeWithTZMatch	1.3.6.1.4.1.61799.5.13.35
timeWithTZOrderingMatch	1.3.6.1.4.1.61799.5.13.35.1
uriMatch	1.3.6.1.4.1.61799.5.13.26.4

Security Considerations When interpreting security-sensitive fields (in particular, fields used to grant or deny access), implementations MUST ensure that any matching rule comparisons are done on the underlying abstract value, regardless of the particular encoding used.

Text, Normalized String and Token The Text, Normalized String, and Token syntaxes have been defined for general textual information. For this reason, and for forward compatibility with future versions of the Unicode Standard, the prohibited code points have been kept to a minimum. These syntaxes permit Unicode format characters (General_Category Cf) because they are required for the correct representation of text in several scripts. However, some format characters may pose security risks when values are displayed or compared without appropriate normalization. Applications MAY impose additional restrictions on permitted code points as a matter of local policy. These syntaxes SHOULD NOT be used for security-sensitive attributes such as identifiers, group names, or access control labels. The NCName () or Qualified Name () syntaxes SHOULD be used for such purposes instead. Text, Normalized String, and Token values SHOULD be matched and compared according to specific comparison rules, such as those defined in or the PRECIS OpaqueString profile ().

References Normative References International Telecommunication Union International Organization for Standardization International Telecommunications Union The Unicode Consortium Informative References International Telecommunications Union IANA

Acknowledgements This document was sponsored by Andy Newton of the IETF ART group. Sean Turner acted as a shepherd for this document to help it become a proposed standard.

Contributors This document was reviewed and improved with the help of Howard Chu.