Advanced Searching Options

Chapter 4 presented LDAP searches as a means of verifying the correctness of your directory. That’s obviously a very limited use of the search capability: a directory isn’t much use if you can’t search it. Given our limited goals in the previous chapter, we didn’t do justice to the topic of search filters. It’s now time to take a more thorough look at the topic of filters.[1]

In its commonly used form, an LDAP search filter has the following syntax:

(attribute filterOperator value)

The attribute is the name of the attribute type. The filterOperator is one of:

=
    Equality match

~=
    Approximate match (the notion of "approximate" is defined by the server, typically a phonetic algorithm)

<=
    Less-than-or-equal comparison

>=
    Greater-than-or-equal comparison

The two ordering operators only work for attribute types whose schema defines an ordering matching rule; many string attributes have none, so if you deal only with string comparisons, the equality operator is usually all you need.

The value portion can be either a literal value, such as carter or 555-1234, or a pattern using the asterisk (*) character as a wildcard. Here are some wildcard searches:

(cn=*carter)
    Finds all entries whose cn attribute ends in "carter" (not just those with a last name of Carter)

(telephoneNumber=555*)
    Finds all telephone numbers beginning with 555

Because a bare asterisk is always read as a wildcard, a value that must contain a literal asterisk, parenthesis, or backslash has to be escaped as a backslash followed by the character's two hex digits (\2a, \28, \29, and \5c respectively). This matters whenever the value comes from user input: an unescaped * turns an exact-match lookup into a wildcard search.

You can combine single filters like these using the following Boolean operators:

&
    Logical AND

|
    Logical OR

!
    Logical NOT

LDAP search filters use prefix notation for joining search conditions. Therefore, to search for users with a surname (sn) of “smith” or “jones,” you can build the following filter:

(|(sn=smith)(sn=jones))
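To make the filter grammar and the prefix notation concrete, the following added example (not code from the book) parses filter strings of the form described above and evaluates them against a handful of constructed in-memory entries. It implements the four comparison operators and the three Boolean operators, treats every attribute as case-insensitive, and also shows the escaping rule for literal special characters. The approximate-match and ordering behaviour are simplifying assumptions, as noted in the comments; a real server applies the matching rules declared in each attribute's schema.

```python
"""Parse and evaluate LDAP search filters (RFC 4515 string form) against
in-memory entries.  Added example, not code from the book; the sample
entries are constructed and the matching rules are simplifications."""
import re

# Constructed sample entries (not from the book).  Each attribute maps to a
# list of values, as it does in a real directory.
ENTRIES = [
    {"dn": "cn=Gerald Carter,ou=people,dc=example,dc=com",
     "objectClass": ["person"], "cn": ["Gerald Carter"], "sn": ["Carter"],
     "telephoneNumber": ["555-1234"], "uidNumber": ["1001"]},
    {"dn": "cn=Bob McCarter,ou=people,dc=example,dc=com",
     "objectClass": ["person"], "cn": ["Bob McCarter"], "sn": ["McCarter"],
     "telephoneNumber": ["212-5550"], "uidNumber": ["1002"]},
    {"dn": "cn=Jane Smith,ou=people,dc=example,dc=com",
     "objectClass": ["person"], "cn": ["Jane Smith"], "sn": ["Smith"],
     "telephoneNumber": ["555-9876"], "uidNumber": ["1003"]},
    {"dn": "cn=Al Jones,ou=people,dc=example,dc=com",
     "objectClass": ["person"], "cn": ["Al Jones"], "sn": ["Jones"],
     "uidNumber": ["1004"]},
]

_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def escape_value(value: str) -> str:
    """Escape a literal value for use inside a filter (RFC 4515 section 3).
    Without this, a '*' coming from user input becomes a wildcard."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


# Attribute names are simplified to alphanumeric descriptions (no numeric OIDs).
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9;-]*)(~=|<=|>=|=)")


def _parse(s: str, i: int):
    """Recursive-descent parser; returns (node, index after the closing paren).
    Nodes are ('&'|'|'|'!', [children]) or ('item', attr, op, raw_value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":          # prefix operator, then operand filters
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    m = _ITEM.match(s, i)
    if not m:
        raise ValueError(f"bad filter item at offset {i}")
    end = s.find(")", m.end())                # a literal ')' in a value is escaped as \29
    if end == -1:
        raise ValueError("unterminated filter item")
    return ("item", m.group(1), m.group(2), s[m.end():end]), end + 1


def parse_filter(text: str):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _match_value(op: str, pattern: str, value: str) -> bool:
    # Assumption: caseIgnoreMatch semantics for every attribute.
    if op == "=":
        # Every raw '*' is a wildcard; an escaped \2a is restored to a literal.
        # "(attr=*)" therefore matches any value, i.e. a presence test.
        regex = ".*".join(re.escape(_unescape(c)) for c in pattern.split("*"))
        return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None
    literal = _unescape(pattern)
    if op == "~=":
        # Approximate matching is server-defined (often soundex/metaphone);
        # this stand-in ignores case, whitespace and punctuation.
        def norm(t: str) -> str:
            return re.sub(r"[^a-z0-9]", "", t.lower())
        return norm(literal) == norm(value)
    # Ordering: numeric when both sides are integers, else case-insensitive
    # string order (assumption; real servers need an ORDERING matching rule).
    if literal.lstrip("-").isdigit() and value.lstrip("-").isdigit():
        a, b = int(value), int(literal)
    else:
        a, b = value.lower(), literal.lower()
    return a <= b if op == "<=" else a >= b


def matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":                           # empty AND is true, empty OR false
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, raw = node
    # Attribute names are case-insensitive; a missing attribute never matches.
    values = next((v for k, v in entry.items()
                   if k != "dn" and k.lower() == attr.lower()), [])
    return any(_match_value(op, raw, v) for v in values)


def search(filter_text: str, entries=ENTRIES):
    """Return the DNs of the entries matching filter_text, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for f in ["(|(sn=smith)(sn=jones))", "(cn=*carter)", "(telephoneNumber=555*)",
              "(&(objectClass=person)(!(sn=Carter)))", "(uidNumber>=1003)"]:
        print(f"{f:42} -> {search(f)}")
    user_input = "*"                          # attacker-controlled value
    print(search(f"(cn={user_input})"))               # unescaped: matches everyone
    print(search(f"(cn={escape_value(user_input)})")) # escaped: matches nobody
```

Run it directly to see each filter's result set; the last two lines show why escape_value belongs between any user-supplied value and the filter string.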

The sn attribute uses a case-insensitive ...
