summaryrefslogtreecommitdiff
path: root/source4/ldap_server/devdocs/rfc4515.txt
blob: 86f03ebcd3501f1e186a078877d5d44f6072d029 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675






Network Working Group                                      M. Smith, Ed.
Request for Comments: 4515                           Pearl Crescent, LLC
Obsoletes: 2254                                                 T. Howes
Category: Standards Track                                  Opsware, Inc.
                                                               June 2006


             Lightweight Directory Access Protocol (LDAP):
                String Representation of Search Filters

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   Lightweight Directory Access Protocol (LDAP) search filters are
   transmitted in the LDAP protocol using a binary representation that
   is appropriate for use on the network.  This document defines a
   human-readable string representation of LDAP search filters that is
   appropriate for use in LDAP URLs (RFC 4516) and in other
   applications.

Table of Contents

   1. Introduction ....................................................2
   2. LDAP Search Filter Definition ...................................2
   3. String Search Filter Definition .................................3
   4. Examples ........................................................5
   5. Security Considerations .........................................7
   6. Normative References ............................................7
   7. Informative References ..........................................8
   8. Acknowledgements ................................................8
   Appendix A: Changes Since RFC 2254 .................................9
      A.1. Technical Changes ..........................................9
      A.2. Editorial Changes ..........................................9







Smith and Howes             Standards Track                     [Page 1]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


1.  Introduction

   The Lightweight Directory Access Protocol (LDAP) [RFC4510] defines a
   network representation of a search filter transmitted to an LDAP
   server.  Some applications may find it useful to have a common way of
   representing these search filters in a human-readable form; LDAP URLs
   [RFC4516] are an example of one such application.  This document
   defines a human-readable string format for representing the full
   range of possible LDAP version 3 search filters, including extended
   match filters.

   This document is a integral part of the LDAP technical specification
   [RFC4510], which obsoletes the previously defined LDAP technical
   specification, RFC 3377, in its entirety.

   This document replaces RFC 2254.  Changes to RFC 2254 are summarized
   in Appendix A.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119].

2.  LDAP Search Filter Definition

   An LDAP search filter is defined in Section 4.5.1 of [RFC4511] as
   follows:

        Filter ::= CHOICE {
            and                [0] SET SIZE (1..MAX) OF filter Filter,
            or                 [1] SET SIZE (1..MAX) OF filter Filter,
            not                [2] Filter,
            equalityMatch      [3] AttributeValueAssertion,
            substrings         [4] SubstringFilter,
            greaterOrEqual     [5] AttributeValueAssertion,
            lessOrEqual        [6] AttributeValueAssertion,
            present            [7] AttributeDescription,
            approxMatch        [8] AttributeValueAssertion,
            extensibleMatch    [9] MatchingRuleAssertion }

        SubstringFilter ::= SEQUENCE {
            type    AttributeDescription,
            -- initial and final can occur at most once
            substrings    SEQUENCE SIZE (1..MAX) OF substring CHOICE {
             initial        [0] AssertionValue,
             any            [1] AssertionValue,
             final          [2] AssertionValue } }





Smith and Howes             Standards Track                     [Page 2]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


        AttributeValueAssertion ::= SEQUENCE {
            attributeDesc   AttributeDescription,
            assertionValue  AssertionValue }

        MatchingRuleAssertion ::= SEQUENCE {
            matchingRule    [1] MatchingRuleId OPTIONAL,
            type            [2] AttributeDescription OPTIONAL,
            matchValue      [3] AssertionValue,
            dnAttributes    [4] BOOLEAN DEFAULT FALSE }

        AttributeDescription ::= LDAPString
                        -- Constrained to <attributedescription>
                        -- [RFC4512]

        AttributeValue ::= OCTET STRING

        MatchingRuleId ::= LDAPString

        AssertionValue ::= OCTET STRING

        LDAPString ::= OCTET STRING -- UTF-8 encoded,
                                    -- [Unicode] characters

   The AttributeDescription, as defined in [RFC4511], is a string
   representation of the attribute description that is discussed in
   [RFC4512].  The AttributeValue and AssertionValue OCTET STRING have
   the form defined in [RFC4517].  The Filter is encoded for
   transmission over a network using the Basic Encoding Rules (BER)
   defined in [X.690], with simplifications described in [RFC4511].

3.  String Search Filter Definition

   The string representation of an LDAP search filter is a string of
   UTF-8 [RFC3629] encoded Unicode characters [Unicode] that is defined
   by the following grammar, following the ABNF notation defined in
   [RFC4234].  The productions used that are not defined here are
   defined in Section 1.4 (Common ABNF Productions) of [RFC4512] unless
   otherwise noted.  The filter format uses a prefix notation.

      filter         = LPAREN filtercomp RPAREN
      filtercomp     = and / or / not / item
      and            = AMPERSAND filterlist
      or             = VERTBAR filterlist
      not            = EXCLAMATION filter
      filterlist     = 1*filter
      item           = simple / present / substring / extensible
      simple         = attr filtertype assertionvalue
      filtertype     = equal / approx / greaterorequal / lessorequal



Smith and Howes             Standards Track                     [Page 3]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


      equal          = EQUALS
      approx         = TILDE EQUALS
      greaterorequal = RANGLE EQUALS
      lessorequal    = LANGLE EQUALS
      extensible     = ( attr [dnattrs]
                           [matchingrule] COLON EQUALS assertionvalue )
                       / ( [dnattrs]
                            matchingrule COLON EQUALS assertionvalue )
      present        = attr EQUALS ASTERISK
      substring      = attr EQUALS [initial] any [final]
      initial        = assertionvalue
      any            = ASTERISK *(assertionvalue ASTERISK)
      final          = assertionvalue
      attr           = attributedescription
                         ; The attributedescription rule is defined in
                         ; Section 2.5 of [RFC4512].
      dnattrs        = COLON "dn"
      matchingrule   = COLON oid
      assertionvalue = valueencoding
      ; The <valueencoding> rule is used to encode an <AssertionValue>
      ; from Section 4.1.6 of [RFC4511].
      valueencoding  = 0*(normal / escaped)
      normal         = UTF1SUBSET / UTFMB
      escaped        = ESC HEX HEX
      UTF1SUBSET     = %x01-27 / %x2B-5B / %x5D-7F
                          ; UTF1SUBSET excludes 0x00 (NUL), LPAREN,
                          ; RPAREN, ASTERISK, and ESC.
      EXCLAMATION    = %x21 ; exclamation mark ("!")
      AMPERSAND      = %x26 ; ampersand (or AND symbol) ("&")
      ASTERISK       = %x2A ; asterisk ("*")
      COLON          = %x3A ; colon (":")
      VERTBAR        = %x7C ; vertical bar (or pipe) ("|")
      TILDE          = %x7E ; tilde ("~")

   Note that although both the <substring> and <present> productions in
   the grammar above can produce the "attr=*" construct, this construct
   is used only to denote a presence filter.

   The <valueencoding> rule ensures that the entire filter string is a
   valid UTF-8 string and provides that the octets that represent the
   ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
   0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
   backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
   representing the value of the encoded octet.







Smith and Howes             Standards Track                     [Page 4]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


   This simple escaping mechanism eliminates filter-parsing ambiguities
   and allows any filter that can be represented in LDAP to be
   represented as a NUL-terminated string.  Other octets that are part
   of the <normal> set may be escaped using this mechanism, for example,
   non-printing ASCII characters.

   For AssertionValues that contain UTF-8 character data, each octet of
   the character to be escaped is replaced by a backslash and two hex
   digits, which form a single octet in the code of the character.  For
   example, the filter checking whether the "cn" attribute contained a
   value with the character "*" anywhere in it would be represented as
   "(cn=*\2a*)".

   As indicated by the <valueencoding> rule, implementations MUST escape
   all octets greater than 0x7F that are not part of a valid UTF-8
   encoding sequence when they generate a string representation of a
   search filter.  Implementations SHOULD accept as input strings that
   are not valid UTF-8 strings.  This is necessary because RFC 2254 did
   not clearly define the term "string representation" (and in
   particular did not mention that the string representation of an LDAP
   search filter is a string of UTF-8-encoded Unicode characters).

4.  Examples

   This section gives a few examples of search filters written using
   this notation.

        (cn=Babs Jensen)
        (!(cn=Tim Howes))
        (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
        (o=univ*of*mich*)
        (seeAlso=)

   The following examples illustrate the use of extensible matching.

        (cn:caseExactMatch:=Fred Flintstone)
        (cn:=Betty Rubble)
        (sn:dn:2.4.6.8.10:=Barney Rubble)
        (o:dn:=Ace Industry)
        (:1.2.3:=Wilma Flintstone)
        (:DN:2.4.6.8.10:=Dino)

   The first example shows use of the matching rule "caseExactMatch."

   The second example demonstrates use of a MatchingRuleAssertion form
   without a matchingRule.





Smith and Howes             Standards Track                     [Page 5]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


   The third example illustrates the use of the ":oid" notation to
   indicate that the matching rule identified by the OID "2.4.6.8.10"
   should be used when making comparisons, and that the attributes of an
   entry's distinguished name should be considered part of the entry
   when evaluating the match (indicated by the use of ":dn").

   The fourth example denotes an equality match, except that DN
   components should be considered part of the entry when doing the
   match.

   The fifth example is a filter that should be applied to any attribute
   supporting the matching rule given (since the <attr> has been
   omitted).

   The sixth and final example is also a filter that should be applied
   to any attribute supporting the matching rule given.  Attributes
   supporting the matching rule contained in the DN should also be
   considered.

   The following examples illustrate the use of the escaping mechanism.

        (o=Parens R Us \28for all your parenthetical needs\29)
        (cn=*\2A*)
        (filename=C:\5cMyFile)
        (bin=\00\00\00\04)
        (sn=Lu\c4\8di\c4\87)
        (1.3.6.1.4.1.1466.0=\04\02\48\69)

   The first example shows the use of the escaping mechanism to
   represent parenthesis characters.  The second shows how to represent
   a "*" in an assertion value, preventing it from being interpreted as
   a substring indicator.  The third illustrates the escaping of the
   backslash character.

   The fourth example shows a filter searching for the four-octet value
   00 00 00 04 (hex), illustrating the use of the escaping mechanism to
   represent arbitrary data, including NUL characters.

   The fifth example illustrates the use of the escaping mechanism to
   represent various non-ASCII UTF-8 characters.  Specifically, there
   are 5 characters in the <assertionvalue> portion of this example:
   LATIN CAPITAL LETTER L (U+004C), LATIN SMALL LETTER U (U+0075), LATIN
   SMALL LETTER C WITH CARON (U+010D), LATIN SMALL LETTER I (U+0069),
   and LATIN SMALL LETTER C WITH ACUTE (U+0107).

   The sixth and final example demonstrates assertion of a BER-encoded
   value.




Smith and Howes             Standards Track                     [Page 6]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


5.  Security Considerations

   This memo describes a string representation of LDAP search filters.
   While the representation itself has no known security implications,
   LDAP search filters do.  They are interpreted by LDAP servers to
   select entries from which data is retrieved.  LDAP servers should
   take care to protect the data they maintain from unauthorized access.

   Please refer to the Security Considerations sections of [RFC4511] and
   [RFC4513] for more information.

6.  Normative References

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3629]   Yergeau, F., "UTF-8, a transformation format of ISO
               10646", STD 63, RFC 3629, November 2003.

   [RFC4234]   Crocker, D. and P. Overell, "Augmented BNF for Syntax
               Specifications: ABNF", RFC 4234, October 2005.

   [RFC4510]   Zeilenga, K., Ed., "Lightweight Directory Access Protocol
               (LDAP): Technical Specification Road Map", RFC 4510, June
               2006.

   [RFC4511]   Sermersheim, J., Ed., "Lightweight Directory Access
               Protocol (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4512]   Zeilenga, K., "Lightweight Directory Access Protocol
               (LDAP): Directory Information Models", RFC 4512, June
               2006.

   [RFC4513]   Harrison, R., Ed., "Lightweight Directory Access Protocol
               (LDAP): Authentication Methods and Security Mechanisms",
               RFC 4513, June 2006.

   [RFC4517]   Legg, S., Ed., "Lightweight Directory Access Protocol
               (LDAP): Syntaxes and Matching Rules", RFC 4517, June
               2006.

   [Unicode]   The Unicode Consortium, "The Unicode Standard, Version
               3.2.0" is defined by "The Unicode Standard, Version 3.0"
               (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
               as amended by the "Unicode Standard Annex #27: Unicode
               3.1" (http://www.unicode.org/reports/tr27/) and by the
               "Unicode Standard Annex #28: Unicode 3.2."




Smith and Howes             Standards Track                     [Page 7]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


7.  Informative References

   [RFC4516]   Smith, M., Ed. and T. Howes, "Lightweight Directory
               Access Protocol (LDAP): Uniform Resource Locator", RFC
               4516, June 2006.

   [X.690]     Specification of ASN.1 encoding rules: Basic, Canonical,
               and Distinguished Encoding Rules, ITU-T Recommendation
               X.690, 1994.

8.  Acknowledgements

   This document replaces RFC 2254 by Tim Howes.  RFC 2254 was a product
   of the IETF ASID Working Group.

   Changes included in this revised specification are based upon
   discussions among the authors, discussions within the LDAP (v3)
   Revision Working Group (ldapbis), and discussions within other IETF
   Working Groups.  The contributions of individuals in these working
   groups is gratefully acknowledged.































Smith and Howes             Standards Track                     [Page 8]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


Appendix A: Changes Since RFC 2254

A.1.  Technical Changes

   Replaced [ISO 10646] reference with [Unicode].

   The following technical changes were made to the contents of the
   "String Search Filter Definition" section:

   Added statement that the string representation is a string of UTF-8-
   encoded Unicode characters.

   Revised all of the ABNF to use common productions from [RFC4512].

   Replaced the "value" rule with a new "assertionvalue" rule within the
   "simple", "extensible", and "substring" ("initial", "any", and
   "final") rules.  This matches a change made in [RFC4517].

   Added "(" and ")" around the components of the <extensible>
   subproductions for clarity.

   Revised the "attr", "matchingrule", and "assertionvalue" ABNF to more
   precisely reference productions from the [RFC4512] and [RFC4511]
   documents.

   "String Search Filter Definition" section: replaced "greater" and
   "less" with "greaterorequal" and "lessorequal" to avoid confusion.

   Introduced the "valueencoding" and associated "normal" and "escaped"
   rules to reduce the dependence on descriptive text.  The "normal"
   production restricts filter strings to valid UTF-8 sequences.

   Added a statement about expected behavior in light of RFC 2254's lack
   of a clear definition of "string representation."

A.2.  Editorial Changes

   Changed document title to include "LDAP:" prefix.

   IESG Note: removed note about lack of satisfactory mandatory
   authentication mechanisms.

   Header and "Authors' Addresses" sections: added Mark Smith as the
   document editor and updated affiliation and contact information.

   "Table of Contents" and "Intellectual Property" sections: added.

   Copyright: updated per latest IETF guidelines.



Smith and Howes             Standards Track                     [Page 9]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


   "Abstract" section: separated from introductory material.

   "Introduction" section: new section; separated from the Abstract.
   Updated second paragraph to indicate that RFC 2254 is replaced by
   this document (instead of RFC 1960).  Added reference to the
   [RFC4510] document.

   "LDAP Search Filter Definition" section: made corrections to the LDAP
   search filter ABNF so it matches that used in [RFC4511].

   Clarified the definition of 'value' (now 'assertionvalue') to take
   into account the fact that it is not precisely an AttributeAssertion
   from [RFC4511] Section 4.1.6 (special handling is required for some
   characters).  Added a note that each octet of a character to be
   escaped is replaced by a backslash and two hex digits, which
   represent a single octet.

   "Examples" section: added four additional examples: (seeAlso=),
   (cn:=Betty Rubble), (:1.2.3:=Wilma Flintstone), and
   (1.3.6.1.4.1.1466.0=\04\02\48\69).  Replaced one occurrence of "a
   value" with "an assertion value".  Corrected the description of this
   example: (sn:dn:2.4.6.8.10:=Barney Rubble).  Replaced the numeric OID
   in the first extensible match example with "caseExactMatch" to
   demonstrate use of the descriptive form.  Used "DN" (uppercase) in
   the last extensible match example to remind the reader to treat the
   <dnattrs> production as case insensitive.  Reworded the description
   of the fourth escaping mechanism example to avoid making assumptions
   about byte order.  Added text to the fifth escaping mechanism example
   to spell out what the non-ASCII characters are in Unicode terms.

   "Security Considerations" section: added references to [RFC4511] and
   [RFC4513].

   "Normative References" section: renamed from "References" per new RFC
   guidelines.  Changed from [1] style to [RFC4511] style throughout the
   document.  Added entries for [Unicode], [RFC2119], [RFC4513],
   [RFC4512], and [RFC4510] and updated the UTF-8 reference.  Replaced
   RFC 822 reference with a reference to RFC 4234.

   "Informative References" section: (new section) moved [X.690] to this
   section.  Added a reference to [RFC4516].

   "Acknowledgements" section: added.

   "Appendix A: Changes Since RFC 2254" section: added.

   Surrounded the names of all ABNF productions with "<" and ">" where
   they are used in descriptive text.



Smith and Howes             Standards Track                    [Page 10]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


   Replaced all occurrences of "LDAPv3" with "LDAP."

Authors' Addresses

   Mark Smith, Editor
   Pearl Crescent, LLC
   447 Marlpool Dr.
   Saline, MI 48176
   USA

   Phone: +1 734 944-2856
   EMail: mcs@pearlcrescent.com


   Tim Howes
   Opsware, Inc.
   599 N. Mathilda Ave.
   Sunnyvale, CA 94085
   USA

   Phone: +1 408 744-7509
   EMail: howes@opsware.com





























Smith and Howes             Standards Track                    [Page 11]

RFC 4515     LDAP: String Representation of Search Filters     June 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).







Smith and Howes             Standards Track                    [Page 12]