Search filter syntax

LDAP search filters define criteria for selecting items from a directory. The criteria are based on attribute values. The syntax for search filters is defined in RFC 2254 (The String Representation of LDAP Search Filters).

The simplest filter places a condition on a single attribute value:

(attributeType filterType value)
  • Filters must be within parentheses.

  • attributeType is the name of the attribute upon which you are placing the condition.

  • filterType is one of four valid comparison operators.

  • value is the value that you are comparing to the attribute.

The following table lists the valid operators that you can use in a search filter.

Operator    Meaning
=           equal
~=          approximately equal
<=          less than or equal to
>=          greater than or equal to

For example, the search filter (uid=jdoe) returns the directory item that has the uid attribute of value jdoe.

Substrings and any values

In search filters, the asterisk (*) represents any sequence of characters. You can use the asterisk to express values that have a specific prefix or suffix, or to express any value.

  • The expression (uid=j*) matches all items with a uid attribute that begins with j.

  • The expression (uid=*doe) matches all items with a uid attribute that ends with doe.

  • The expression (uid=*) matches all items that have a uid attribute of any value.

Logical operators

Use logical operators to apply conditions on more than one attribute, or to apply the opposite of the condition specified by a filter. Logical operators precede the filters to which they are applied. The following table lists the logical operators and provides examples of their use.

Logical operator    Description                             Example
&                   All associated filters match.           (&(uid=j*)(c=CA)) matches all directory items that have a uid attribute value that begins with j and a c attribute value that equals CA.
|                   Any of the associated filters match.    (|(c=CA)(c=US)) matches all directory items that have a c attribute value that equals either CA or US.
!                   The opposite of the filter.             (!(uid=j*)) matches all directory items that have a uid attribute value that does not begin with j.

Escape character

To express the literal value of a special character, precede the character with a backslash (\). For example, if an attribute value includes parentheses, precede the opening and closing parenthesis with the backslash:

(telephoneNumber=\(555\) 555-1234)
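When a filter value comes from user input, the escaping described above is what keeps parentheses and asterisks in that value from being read as filter syntax. The following Python sketch is an added example, not code from this documentation or from any product it describes; the function names are hypothetical, the attribute-name allow-list is an assumption, and the default "hex" style uses the two-digit hexadecimal escapes of RFC 2254 (for example \28 for an opening parenthesis), while style="char" produces the backslash-before-character form shown on this page.

```python
import re

# Characters with special meaning inside a filter value, with their hex codes.
SPECIAL = {"\\": "5c", "*": "2a", "(": "28", ")": "29", "\x00": "00"}
OPERATORS = ("=", "~=", "<=", ">=")
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")  # assumption: conservative allow-list


def escape_value(value, style="hex"):
    """Escape metacharacters so the value is compared literally.

    style="hex":  RFC 2254 form, "(" becomes "\\28"
    style="char": backslash-before-character form shown on this page
    """
    out = []
    for ch in value:
        if ch not in SPECIAL:
            out.append(ch)
        elif style == "hex" or ch == "\x00":  # NUL has no printable form
            out.append("\\" + SPECIAL[ch])
        else:
            out.append("\\" + ch)
    return "".join(out)


def simple(attr, op, value, style="hex"):
    """Build (attributeType filterType value) from an untrusted value."""
    if op not in OPERATORS or not ATTR_NAME.fullmatch(attr):
        raise ValueError("unsupported operator or attribute name")
    return "(" + attr + op + escape_value(value, style) + ")"


def all_of(*filters):
    """Combine already-built filters with the & logical operator."""
    return "(&" + "".join(filters) + ")"


def unescaped(flt, chars):
    """Count metacharacters in flt that are still active (not escaped)."""
    count, i = 0, 0
    while i < len(flt):
        if flt[i] == "\\":
            i += 2  # skip the backslash and the character it protects
            continue
        count += flt[i] in chars
        i += 1
    return count


if __name__ == "__main__":
    print(simple("telephoneNumber", "=", "(555) 555-1234", style="char"))
    print(simple("uid", "=", "*"))  # literal asterisk, not "any value"
```

Because the value is escaped, an input such as j* is compared as the literal string "j*" rather than as a prefix match; a caller that wants a substring search has to append the asterisk itself after escaping.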

All directory items

All directory items must have a value for the objectClass attribute. The following search filter matches all items in the area of the directory that is searched:

(objectClass=*)