With a little side of applesauce...

Sunday, January 28, 2007

LDAP search filters

I spent the day working with LDAP search filters, and want to put a quick reference here:
Boolean operators:

(& () ())
(& (objectClass=user) (sn=jones))
(| () ())
(| (sn=jones) (sn=j*))

(from http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1192536,00.html)

Examples of LDAP Search Filters:

How do I match more than one attribute?

For example, if my users are distinguished by having two objectClass attributes (one equal to ‘person’ and another to ‘user’), this is how I would match for it:


Notice the ampersand symbol ‘&’ at the start. Translated, this means: search for objectClass=person AND objectClass=user.



Translated, this means: search for objectClass=person OR objectClass=user.

The pipe symbol ‘|’ denotes ‘OR’.


This means: search for all entries that have objectClass=user AND cn that contains the word ‘Marketing’.

How do I match 3 attributes?

This gets a little tricky:


Notice how we weave one query into another. For 4 attributes, this would be:


And so on.
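
Added example (not from the original post or the pages it quotes): a small Python builder for the AND/OR nesting described above. RFC 4515 lets ‘&’ and ‘|’ take any number of operands, so three or four conditions can also sit in one flat list, and the builder escapes the characters the RFC reserves inside values. The helper names and sample values are hypothetical.

```python
import re

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Simplified attribute-name check (assumption: short names only, no OIDs or options).
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def escape_value(value):
    """Return value with RFC 4515 special characters replaced by \\XX."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _item(attr, rendered_value):
    if not _ATTR.fullmatch(attr):
        raise ValueError(f"unexpected attribute name: {attr!r}")
    return f"({attr}={rendered_value})"

def eq(attr, value):
    """Exact match: (attr=value)."""
    return _item(attr, escape_value(value))

def contains(attr, value):
    """Substring match: (attr=*value*); only the added wildcards stay live."""
    return _item(attr, f"*{escape_value(value)}*")

def _combine(op, filters):
    if not filters:
        raise ValueError("at least one sub-filter is required")
    return filters[0] if len(filters) == 1 else f"({op}{''.join(filters)})"

def all_of(*filters):
    return _combine("&", filters)

def any_of(*filters):
    return _combine("|", filters)

# Constructed sample conditions.
A = eq("objectClass", "person")
B = eq("objectClass", "user")
C = contains("cn", "Marketing")
NESTED = all_of(all_of(A, B), C)            # one query woven into another
FLAT = all_of(A, B, C)                      # same meaning, one operand list
FOUR = all_of(A, B, C, any_of(eq("sn", "jones"), eq("sn", "smith")))
LITERAL = eq("cn", "Jones (Contractor)*")   # parentheses and * stay data

if __name__ == "__main__":
    for f in (NESTED, FLAT, FOUR, LITERAL):
        print(f)
```
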

Matching Components of Distinguished Names

You may want to match part of a DN, for instance when you need to look for your groups in two subtrees of your server.


will find groups with an OU component of their DN which is either ‘sova’ or ‘music’.
(from http://confluence.atlassian.com/display/DEV/How+to+write+a+LDAP+search+filter)

And, the RFC 4515: “Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters”:

