Introduction to LDAP
The Lightweight Directory Access Protocol (LDAP) is a de facto standard protocol for accessing X.500 directories. See https://tools.ietf.org/html/rfc2251 .
An LDAP directory contains hierarchically sorted objects. An object is derived from one or many preconfigured object classes, which determines the set of allowed attributes the object may contain. An object may have children objects or children nodes, that is, other objects sorted hierarchically underneath it.
LDAP queries - search filter syntax
For a complete description of the LDAP search filter syntax, see https://tools.ietf.org/html/rfc2254 .
objectClass
All LDAP objects include an attribute called "objectClass
". The value(s) of this attribute tells what set of other attributes (mandatory or optional) you can expect from this particular LDAP object.
This search filter returns all objects that have inherited the object class "pkiCA
":
(objectClass=pkiCA)
Wild cards
To return all objects in the directory, the search filter would be
(objectClass=*)
.
Logical operators
You can use logical operators to create a compound search filter:
And: (
& <search filter 1> <search filter 2> ...
)Or: (
| <search filter 1> <search filter 2> ...
)
Example:
The following search returns all persons having a name beginning with "Simon", and a telephone number, that directs the call to Sweden or UK:
(&(cn=Simon*)(|(telephonenumber=+46 *)(telephonenumber=+44 *)))
Consult your directory schema to find out the exact abbreviations to use. In the example above, "cn" stands for "common name".
LDAP URL format
For a complete description of the LDAP URL format, see https://tools.ietf.org/html/rfc2255 .
The LDAP URL format looks as follows. Use this in the OCSP configuration file when doing LDAP configurations.
<protocol>://<host>[:<port>]/<base dn>?<attributes>?<scope>?<filter>?<extensions>
Any of the components to the right of the colon is optional and can be left out.
See this table for description of constants and values:
Constants and values | Description |
---|---|
| Replace |
| Replace |
| Replace |
| Replace For Nexus OCSP Responder, the attributes of interest are revocation lists and certificates. The exact attribute name may vary depending on the configuration of the LDAP server, but these are typically names:
|
| Specifies how to search and can be set to one of three values:
See https://tools.ietf.org/html/rfc2255 for details. |
| Specifies the search filter to use. See "Search filter” above. |
| See https://tools.ietf.org/html/rfc2255 for details. |
Example 1
This search returns the attribute telephonenumber
from the "John Doe
" object in the directory located at "ldap.net".
ldap://ldap.net/cn=John Doe,o=Nexus,c=SE?telephonenumber
Example 2
This search returns all the CRLs from the Nexus LDAP directory:
ldap://directory.nexus.com/?certificateRevocationList?sub
Example 3
This search returns all CA certificates from all CAs, whose names include "Nexus".
ldap://ldaphost/?cACertificate?sub?(&(objectClass=pkiCA)(cn=*Nexus*))
LDAP Certificate patterns
A special syntax called "certificate pattern" is used when referring to a particular certificate in the configuration file (see "Specify keys" in Key management section.) The certificate pattern syntax is based on the LDAP search filter syntax, with the operator placed before the argument list and each argument enclosed in parentheses.
A simple pattern is of the form <key>=<value>
. The value
may contain wild cards (* or ?). See also Distinguished name matching.
The key
refers to a Relative Distinguished Name (RDN) of the subject. If Nexus OCSP Responder is able to find such an RDN, <value>
will be matched against this one. Otherwise, the check will result in "false
".
For certain keys, the match will be performed as follows:
Key | Certificate information match |
---|---|
|
|
|
|
| Equivalent to " |
|
|
|
|
Several patterns can optionally be grouped together to produce complex patterns. The following operators are supported:
Operator | Example |
---|---|
And | &(<pattern 1>)(<pattern 2>) ... |
Or | |(<pattern 1>)(<pattern 3>)... |
Not | <pattern4>) |
Example 1:
Find all certificates issued to John Doe:
cn=John Doe
Example 2:
Find John Doe's certificate(s) issued by Acme CA:
&(cn=John Doe)(issuer=cn=Acme CA,o=Acme Inc.,c=NL)
Example 3:
The following two searches are equivalent:
&(cn=JohnDoe)(|(keyusage=keyencipherment)(keyusage=dataencipherment))
&(subject=*cn=John Doe,*)(keyusage=*cipherment)
Related information
RFC 2251 Lightweight Directory Access Protocol (v3):
RFC 2254 The String Representation of LDAP Search Filters:
RFC 2255 The LDAP URL Format: