Unmasking the LDAP Search Filter - Page 3
LDAP attribute values may include special characters, such as \ (backslash), * (asterisk), and several others depending on the LDAP flavor. To include one of these characters in your search you must replace it with its escape sequence: a backslash followed by the two-digit hex code of the character. For example, (sn=hodges\5cSmith) searches for the string hodges\Smith. For more detailed information on how to incorporate special characters in a search, review the Microsoft search filter reference listed below.
LDAP version 3 lets you define your own matching rules for a particular attribute or object. Once these are created, they can be referred to in your search string. For example, (sn:188.8.131.52.444:=foutley) compares entries with a surname of foutley using the matching rule designated by the (in this case fictional) OID 188.8.131.52.444. Matching rules typically govern the syntax and the case sensitivity of a comparison. The LDAP draft draft-ietf-ldapbis-syntaxes is devoted specifically to syntaxes and matching rules. An optional :dn flag makes the match apply to the attributes of the distinguished name as well: (sn:dn:188.8.131.52.444:=foutley) searches both the surname and the distinguished name for records containing foutley.
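The escaping and extensible-match syntax described above, as an added Python example that is not part of the original article: the function names are my own, the escaping helper follows the backslash-plus-two-hex-digit convention shown in (sn=hodges\5cSmith), and the OID used is the article's fictional one.

```python
# Added example: escape/unescape LDAP filter values and build filters,
# including the LDAPv3 extensible-match form (attr:dn:oid:=value).

# Characters that must never appear raw inside an assertion value, because
# the server would read them as filter syntax instead of data.
_MUST_ESCAPE = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Encode a value for use inside an LDAP search filter.

    Special, control and non-ASCII characters become a backslash followed by
    two hex digits per UTF-8 byte, e.g. '\\' -> '\\5c', '*' -> '\\2a'.
    """
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE or not (0x20 <= ord(ch) <= 0x7E):
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(encoded: str) -> str:
    """Reverse escape_filter_value: turn '\\XX' hex escapes back into text."""
    raw = bytearray()
    i = 0
    while i < len(encoded):
        if encoded[i] == "\\":
            hex_pair = encoded[i + 1:i + 3]
            if len(hex_pair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hex_pair):
                raise ValueError(f"bad escape at offset {i}: {encoded[i:i + 3]!r}")
            raw.append(int(hex_pair, 16))
            i += 3
        else:
            raw.extend(encoded[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def equality_filter(attr: str, value: str) -> str:
    """Build (attr=value) with the value escaped, e.g. (sn=hodges\\5cSmith)."""
    return f"({attr}={escape_filter_value(value)})"


def extensible_match_filter(attr: str, rule_oid: str, value: str, dn: bool = False) -> str:
    """Build (attr[:dn]:oid:=value); dn=True adds the optional :dn flag."""
    parts = [attr] + (["dn"] if dn else []) + [rule_oid]
    return f"({':'.join(parts)}:={escape_filter_value(value)})"
```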
In addition to the operators and syntax rules listed above, there are also a large number of error messages and result codes to help you refine and debug your searches. For a complete list of the error messages and their meanings, see the Netscape reference below. Here are just a few of the most useful ones:
- A result code of 0 means a successful operation.
- A result code of 18 means that you used a matching rule that does not exist for a particular attribute.
- A result code of 50 means you do not have the rights to perform an operation.
Next Time on LDAP Searches
So far, in these two articles, we have presented a high-level overview of LDAP searches. As you can see, LDAP searches are not all that complicated. You do not need to be a full-time coding geek to employ this useful tool. Next time, in part 3, we'll discuss how to use LDAP searches in URLs, e-mail and in the command line. We will conclude the series with an introduction to LDAP browsers. Until next time, happy searching!
- www.hawaii.edu/brownbags/ldap/ldap2.pdf: Good presentation on LDAP and LDAP search.
- http://www.hawaii.edu/ldap/details.html: Good overview of LDAP URL syntax with examples.
- http://java.sun.com/products/jndi/tutorial/basics/directory/filter.html: Sun overview on search filters.
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/search_filter_syntax.asp: Overview of search filters, including special characters.
- http://developer.netscape.com/docs/manuals/dirsdk/csdk30/error.htm: Netscape list of LDAP v3 compliant and custom error codes.
LDAP Public Directories
- http://www.emailman.com/ldap/public.html: List of public directories that you can use for testing queries.
- http://www.alvestrand.no//objectid/: Great overview on registering OIDs and listing those already defined.
- http://perl-ldap.sourceforge.net/rfc.html: One location (of many) to find LDAP
- http://www.ietf.org/ids.by.wg/ldapbis: One of the IETF standard groups that are revising the LDAP v3 protocol. Also has an active mailing list you can join.