Unmasking the LDAP Search Filter
Need to locate critical information in your corporate LDAP directory but have shied away from learning how? Relax. In part 2 of our series, we explore the core of the LDAP search function the search filter syntax itself.
The time has come you need to locate critical information that resides in your corporate LDAP directory. Until now, you have avoided learning the LDAP search functions. The reasons why can vary. Perhaps your eyes glazed over looking at the seemingly overwhelming information in RFCs 2251, 2254, and 2255, or maybe you heard from others that there was a steep learning curve. You might have tried the ldapsearch command from the DOS or UNIX command line without success.
Fear not, our guide below will aid your mastery of this invaluable tool. Once you have learned a few commands, you can easily locate the information contained within your existing corporate contact repository for yourself.
In the first article in this series on the powerful capabilities of LDAP search functions, we introduced you to some of the basic concepts and some potential uses for them. In the second article, we will explore the core of the LDAP search function the search filter syntax itself.
LDAP Search FrameworkLDAP search filters need to be understood within a framework. The framework includes what attributes you are searching on and the value or range of values that you are trying to match. Each search filter involves at a minimum of three components:
- The attribute(s) to search for, called the attribute data type
- The search filter operator that will determine what to match sometimes called the match operator
- The actual value of the attribute you are searching for
Attribute Data Type
Attribute data types are typically the object class or attribute name. Each attribute type has a unique OID (ObjectIdentifiers), which are written as dot delimited numbers (220.127.116.11). Each OID is registered and follows a hierarchical structure.
Exact Match (Equality Filter or =) - Return records exactly matching the attribute value.
Wild Card (Presence Filter) - Useful to determine if an attribute exists or if you wish to find all values for an attribute. For example, email=* will return all records with e-mail addresses.
Wild Card (Substring Filter or *) - Returns records that match the attribute value combined with one or more wildcards. Use wildcards if you are not sure of an exact value. Wildcards are usually placed at the start or end of an attribute value. They can also be placed both in front and back of a string. Eg. *smi* will match all strings that contain the substring "smi". One caveat, use wildcards with restraint they may return too many records or take too long to run. A badly formed wild card will surely bring the wrath of your LDAP administrator upon your head.