Advanced Searching Options
Chapter 4 presented LDAP searches as a means of verifying the correctness of your directory. That’s obviously a very limited use of the search capability: a directory isn’t much use if you can’t search it. Given our limited goals in the previous chapter, we didn’t do justice to the topic of search filters. It’s now time to take a more thorough look at the topic of filters.[1]
In its commonly used form, an LDAP search filter has the following syntax:
(attribute filterOperator value)
The attribute is the actual name of the attribute type. The filterOperator is one of:
- =    For equality matches
- ~=   For approximate matches
- <=   For less than comparisons
- >=   For greater than comparisons
If you deal only with string comparisons, you may only need the equality operator.
The value portion can be either an absolute value, such as carter or 555-1234, or a pattern using the asterisk (*) character as a wildcard. Here are some wildcard searches:
- (cn=*carter)
  Finds all entries whose cn attribute ends in “carter” (not just those with a last name of Carter)
- (telephoneNumber=555*)
  Finds all telephone numbers beginning with 555
You can combine single filters like these using the following Boolean operators:
- &   Logical AND
- |   Logical OR
- !   Logical NOT
LDAP search filters use prefix notation for joining search conditions. Therefore, to search for users with a surname (sn) of “smith” or “jones,” you can build the following filter:
(|(sn=smith)(sn=jones))
The sn attribute uses a case-insensitive ...
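The following is an added example, not code from the book: a small Python evaluator for the equality, wildcard and prefix-notation Boolean filters described above, run against constructed entries. The names ENTRIES, parse, matches and search are hypothetical. It assumes every attribute is compared case-insensitively, and it rejects the ~=, <= and >= operators rather than guessing at their matching rules.

```python
import re

ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)=([^()]*)")   # attribute=value
# Constructed sample entries (attribute -> list of values), not from the book.
ENTRIES = [
    {"cn": ["Alice Carter"], "sn": ["Carter"], "telephoneNumber": ["555-1234"]},
    {"cn": ["Jane Smith"], "sn": ["Smith"], "telephoneNumber": ["555-9876"]},
    {"cn": ["Bob Jones"], "sn": ["Jones"], "telephoneNumber": ["444-0000"]},
    {"cn": ["Amy McCarter"], "sn": ["McCarter"], "telephoneNumber": ["444-1111"]},
]

def parse(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos:pos + 1] in ("&", "|", "!"):
        op, pos, kids = text[pos], pos + 1, []
        while text[pos:pos + 1] == "(":      # prefix notation: operator, then operands
            kid, pos = parse(text, pos)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for {op!r}")
        node = (op, kids)
    else:
        m = ITEM.match(text, pos)
        if not m:
            raise ValueError(f"bad or unsupported filter item at offset {pos}")
        node, pos = m.groups(), m.end()
    if text[pos:pos + 1] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    if node[0] in ("&", "|", "!"):
        results = [matches(kid, entry) for kid in node[1]]
        return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]
    attr, want = node
    # '*' is the only wildcard; every other character is literal.
    # Assumption: all attributes are compared case-insensitively.
    pattern = ".*".join(re.escape(p) for p in want.lower().split("*"))
    return any(re.fullmatch(pattern, v.lower()) for v in entry.get(attr, []))

def search(entries, filter_text):
    """Return the cn of every entry the filter selects."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]
```

Calling search(ENTRIES, "(cn=*carter)") returns both Alice Carter and Amy McCarter, which shows why a trailing-match wildcard selects more than entries with a last name of Carter.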