Unmasking the LDAP Search Filter

Need to locate critical information in your corporate LDAP directory but have shied away from learning how? Relax. In part 2 of our series, we explore the core of the LDAP search function — the search filter syntax itself.

By Hallett German | Posted Feb 25, 2004
Page 1 of 3

The time has come — you need to locate critical information that resides in your corporate LDAP directory. Until now, you have avoided learning the LDAP search functions. The reasons why can vary. Perhaps your eyes glazed over looking at the seemingly overwhelming information in RFCs 2251, 2254, and 2255, or maybe you heard from others that there was a steep learning curve. You might have tried the ldapsearch command from the DOS or UNIX command line without success.

Fear not, our guide below will aid your mastery of this invaluable tool. Once you have learned a few commands, you can easily locate the information contained within your existing corporate contact repository for yourself.

In the first article in this series on the powerful capabilities of LDAP search functions, we introduced you to some of the basic concepts and some potential uses for them. In the second article, we will explore the core of the LDAP search function — the search filter syntax itself.

LDAP Search Framework

LDAP search filters need to be understood within a framework. The framework includes which attributes you are searching on and the value or range of values that you are trying to match. Each search filter involves a minimum of three components:
  • The attribute(s) to search for, called the attribute data type
  • The search filter operator that will determine what to match — sometimes called the match operator
  • The actual value of the attribute you are searching for

Each search needs to have a minimum of one of each of these components. You can create compound search filters by connecting two or more search filter modules. They are enclosed in parentheses to clarify filter content and will include one or more of the three compound search filter operators (AND, OR, NOT). You can add as many compound and wildcard filters as needed — as long as you have the correct number of matching parentheses.

Attribute Data Type

Attribute data types are typically the object class or attribute name. Each attribute type has a unique OID (Object Identifier), written as dot-delimited numbers (1.2.3.4). Each OID is registered and follows a hierarchical structure.

Search Filters

Exact Match (Equality Filter or =) - Return records exactly matching the attribute value.

Wild Card (Presence Filter) - Useful to determine if an attribute exists or if you wish to find all values for an attribute. For example, email=* will return all records with e-mail addresses.

Wild Card (Substring Filter or *) - Returns records that match the attribute value combined with one or more wildcards. Use wildcards if you are not sure of an exact value. Wildcards are usually placed at the start or end of an attribute value. They can also be placed both before and after a string. E.g., *smi* will match all strings that contain the substring "smi". One caveat: use wildcards with restraint — they may return too many records or take too long to run. A badly formed wild card will surely bring the wrath of your LDAP administrator upon your head.
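To make the framework above concrete (attribute, match operator, value; compound operators; balanced parentheses; equality, presence and substring filters), here is a small parser for the RFC 2254 filter syntax. It is an added example written for this article, not code from the article or its author, and it uses the spellings RFC 2254 actually requires for the compound operators: & for AND, | for OR and ! for NOT. The helper names (parse_filter, is_well_formed) are my own.

```python
import re
# Added example, not from the article: parse an RFC 2254 search filter into its
# components. Result is a nested tuple, e.g. ('&', [('=', 'cn', 'x'), ('present', 'mail')]);
# simple items come back as (operator, attribute, value), presence as ('present', attr).

def parse_filter(text: str):
    # Parse one complete filter; raises ValueError if malformed or parentheses unbalanced
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing text after filter at offset {pos}")
    return node

def is_well_formed(text: str) -> bool:
    # True when every '(' has its ')' and each item has attribute, operator and value
    try:
        return parse_filter(text) is not None
    except ValueError:
        return False

def _parse(s: str, i: int):
    if i >= len(s) or s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in '&|':            # AND / OR: one or more sub-filters
        op, parts, i = s[i], [], i + 1
        while i < len(s) and s[i] == '(':
            sub, i = _parse(s, i)
            parts.append(sub)
        if not parts: raise ValueError(f"'{op}' needs at least one sub-filter")
        node = (op, parts)
    elif i < len(s) and s[i] == '!':           # NOT: exactly one sub-filter
        sub, i = _parse(s, i + 1)
        node = ('!', sub)
    else:                                      # simple item: attribute, operator, value
        end = s.find(')', i)                   # a literal ')' in a value must be escaped as \29
        if end < 0: raise ValueError("unterminated filter item")
        node, i = _parse_item(s[i:end]), end
    if i >= len(s) or s[i] != ')':
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def _parse_item(item: str):
    # attribute may be a name (cn, objectClass) or a dotted OID (1.2.3.4)
    m = re.fullmatch(r'([A-Za-z0-9][\w.;-]*)(=|~=|>=|<=)(.*)', item, re.S)
    if not m: raise ValueError(f"malformed filter item: {item!r}")
    attr, op, value = m.groups()
    if op == '=' and value == '*':
        return ('present', attr)               # presence filter, e.g. (mail=*)
    if op == '=' and '*' in value:
        return ('substring', attr, value.split('*'))   # '' = no initial or final part
    return (op, attr, value)                   # equality, or ~=, >=, <=
```

Running is_well_formed over a filter before sending it is a cheap way to catch the unbalanced parentheses the article warns about, and the parsed tuple shows at a glance whether a value will be matched exactly, as a presence test, or as a substring wildcard.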
