LDAP Search Filters
LDAP search filters are a powerful way to narrow a search of an LDAP directory.
With search filters you can target entries to quite exact specifications, so it is important to know how to use them.
What follows is a general overview of LDAP search filter syntax and some simple examples.
The technical documentation accompanying your LDAP Directory Server should provide any implementation-specific advice on search filters.
Most vendors comply with RFC 2254, The String Representation of LDAP Search Filters. See http://www.faqs.org/rfcs/rfc2254.
&    and
|    or
!    not
=    equal
~=   approx
>=   greater
<=   less
*    any
(attribute=value)
(! (attribute=value))
(& (! (attribute=value)) (attribute=value))
- (objectClass=*) - finds all entries which have an objectClass attribute which equals any value
- (objectClass=inetOrgPerson) - finds all entries which have an objectClass attribute which equals inetOrgPerson
- (cn=Carl Jones) - finds all entries which have a cn attribute equal to Carl Jones
- (!(cn=Mary Simmons)) - finds all entries which do not have a cn attribute equal to Mary Simmons
- (& (objectClass=organizationalUnit) (objectClass=computer)) - finds all entries which have an objectClass attribute of organizationalUnit AND an objectClass attribute of computer
- (| (objectClass=organizationalUnit) (objectClass=computer)) - finds all entries which have an objectClass attribute of organizationalUnit OR an objectClass attribute of computer
- (& (objectClass=profPerson) (| (sn=Walker) (cn=Mary S*))) - finds all entries which have an objectClass attribute equal to profPerson AND which have either an sn attribute equal to Walker OR a cn attribute equal to Mary S with any characters coming after the S
- (o~=Hamburg) - finds all entries which have an o attribute which is approximately equal to Hamburg
- (& (objectClass=person) (!(objectClass=computer)) (!(sn=*))) - finds all entries which have an objectClass attribute equal to person AND which do not have an objectClass attribute equal to computer AND which do not have an sn attribute equal to any value
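The filters listed above can be checked against a small directory. The following Python code is an added example, not part of the original page or of any LDAP server: it parses the prefix syntax shown here and evaluates it over constructed sample entries. It assumes case-insensitive comparison and tolerates the spaces this page puts between components; the names ENTRIES, parse, matches and search are illustrative.

```python
import re

ENTRIES = [  # constructed sample entries (attribute -> values), not a real directory
    {"cn": ["Mary Simmons"], "sn": ["Simmons"], "objectClass": ["person", "profPerson"]},
    {"cn": ["Carl Jones"], "sn": ["Walker"], "objectClass": ["person", "profPerson"]},
    {"cn": ["WS-042"], "objectClass": ["person", "computer"]},
    {"ou": ["Sales"], "objectClass": ["organizationalUnit"]},
    {"cn": ["Temp Account"], "objectClass": ["person"]},
]

def parse(s, i=0):  # returns (tree, index just past the parsed filter)
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] != ")":
            if s[i:i + 1] == " ":  # tolerate the spacing used on this page
                i += 1
                continue
            kid, i = parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        return (op, kids), i + 1
    end = s.find(")", i)
    m = re.fullmatch(r"([\w;.-]+)(~=|>=|<=|=)(.*)", s[i:end]) if end != -1 else None
    if not m:
        raise ValueError(f"malformed filter item at offset {i}")
    return ("item", *m.groups()), end + 1

def matches(node, entry):
    if node[0] in ("&", "|"):
        results = [matches(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, op, want = node  # assumption below: case-insensitive comparison
    if op != "=":  # ~=, >= and <= depend on server-side matching rules
        raise NotImplementedError(f"'{op}' is not evaluated in this example")
    have = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    pattern = ".*".join(re.escape(part) for part in want.lower().split("*"))
    return any(re.fullmatch(pattern, v) for v in have)  # '*' = any run of characters

def search(filter_text, entries=ENTRIES):  # indexes of the selected entries
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("unexpected text after the filter")
    return [n for n, entry in enumerate(entries) if matches(tree, entry)]
```

Here search("(!(cn=Mary Simmons))") also returns the Sales entry, because an entry with no cn attribute has no cn equal to Mary Simmons either.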
For further information, refer to the documentation accompanying your LDAP server implementation.