C.1. Components of an LDAP URL

C.1. Components of an LDAP URL

LDAP URLs have the following syntax: 

ldap[s]://hostname:port/base_dn?attributes?scope?filter

The ldap:// protocol is used to connect to LDAP servers over unsecured connections, and the ldaps:// protocol is used to connect to LDAP servers over TLS/SSL connections. Table C.1, “LDAP URL Components” lists the components of an LDAP URL.

NOTE

The LDAP URL format is described in RFC 4516, which is available at http://www.ietf.org/rfc/rfc4516.txt.

Component Description
hostname Name (or IP address in dotted format) of the LDAP server. For example, ldap.example.com or 192.202.185.90.
port Port number of the LDAP server (for example, 696). If no port is specified, the standard LDAP port (389) or LDAPS port (636) is used.
base_dn Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search. If no base DN is specified, the search starts at the root of the directory tree.
attributes The attributes to be returned. To specify more than one attribute, use commas to separate the attributes; for example, cn,mail,telephoneNumber. If no attributes are specified in the URL, all attributes are returned.
scope The scope of the search, which can be one of these values:
base retrieves information only about the distinguished name (base_dn) specified in the URL.
one retrieves information about entries one level below the distinguished name (base_dn) specified in the URL. The base entry is not included in this scope.
sub retrieves information about entries at all levels below the distinguished name (base_dn) specified in the URL. The base entry is included in this scope.
If no scope is specified, the server performs a base search.
filter Search filter to apply to entries within the specified scope of the search. If no filter is specified, the server uses the filter (objectClass=*).
Table C.1. LDAP URL Components

The attributes, scope, and filter components are identified by their positions in the URL. Even if no attributes are specified, the question marks still must be included to delimit that field.

For example, to specify a subtree search starting from dc=example,dc=com that returns all attributes for entries matching (sn=Jensen), use the following LDAP URL: 

ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen)

The two consecutive question marks, ??, indicate that no attributes have been specified. Since no specific attributes are identified in the URL, all attributes are returned in the search.


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.