LDAP search filters define criteria for selecting items from a directory.
The criteria are based on attribute values. The syntax for search
filters is defined in RFC 2254 (The String Representation of LDAP
Search Filters).
The simplest filter places a condition on a single attribute value:

(attributeType filterType value)

Filters must be within parentheses.

attributeType is the name of the attribute upon which you are placing the condition.
filterType is one of four valid comparison operators.
value is the value that you are comparing to the attribute.
The following table lists the valid operators that you can use
in a search filter.

Operator   Meaning
=          equal
~=         approximately equal
<=         less than or equal to
>=         greater than or equal to

For example, the search filter (uid=jdoe) returns
the directory item that has the uid attribute of value jdoe.
Substrings and any values
In search filters, the asterisk (*) represents any sequence of
characters. You can use the asterisk to express values that have a
specific prefix or suffix, or to express any value.
The expression (uid=j*) matches
all items with a uid attribute that begins with j.
The expression (uid=*doe) matches all items
with a uid attribute that ends with doe.
The expression (uid=*) matches all items
that have a uid attribute of any value.
Logical operators
Use logical operators to apply conditions on
more than one attribute, or to apply the opposite of the condition
specified by a filter. Logical operators precede the filters to
which they are applied. The following table lists the logical operators and
provides examples of their use.

Logical operator  Description                           Example
&                 All associated filters match.         (&(uid=j*)(c=CA))
                                                        Matches all directory items that have a uid
                                                        attribute value that begins with j and a c
                                                        attribute value that equals CA.
|                 Any of the associated filters match.  (|(c=CA)(c=US))
                                                        Matches all directory items that have a c
                                                        attribute value that equals either CA or US.
!                 The opposite of the filter.           (!(uid=j*))
                                                        Matches all directory items that have a uid
                                                        attribute value that does not begin with j.

Escape character
To express the literal value of a special character,
precede the character with a backslash (\). For example, if an attribute
value includes parentheses, precede the opening and closing parenthesis
with the backslash:
(telephoneNumber=\(555\) 555-1234)
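
An added example, not part of the original documentation: Python helpers that build the filters shown on this page from values that may contain special characters, so that input from a search form cannot add wildcards or parentheses to the filter. The function names are hypothetical, and the code assumes the escaped form that RFC 2254 specifies, a backslash followed by the character's two-digit hexadecimal code (so an opening parenthesis becomes \28), rather than the backslash-plus-character form shown above.

```python
import re

# Characters that RFC 2254 requires to be encoded inside a filter value,
# mapped to a backslash plus the character's two-digit hex code.
_ENCODED = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTRIBUTE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
_OPERATORS = ("=", "~=", "<=", ">=")  # the four operators listed on this page

def escape_value(value):
    """Encode special characters so the directory compares them literally."""
    return "".join(_ENCODED.get(ch, ch) for ch in value)

def _check_attribute(attribute):
    # Attribute names are expected to be fixed by the caller; reject anything else.
    if not _ATTRIBUTE.fullmatch(attribute):
        raise ValueError("invalid attribute name: %r" % attribute)

def simple_filter(attribute, operator, value):
    """Build (attributeType filterType value) with the value escaped."""
    _check_attribute(attribute)
    if operator not in _OPERATORS:
        raise ValueError("invalid operator: %r" % operator)
    return "(%s%s%s)" % (attribute, operator, escape_value(value))

def prefix_filter(attribute, prefix):
    """Build (attribute=prefix*); only the trailing asterisk is a wildcard."""
    _check_attribute(attribute)
    return "(%s=%s*)" % (attribute, escape_value(prefix))

def all_of(*filters):
    """Combine already-built filters with the & operator."""
    return "(&%s)" % "".join(filters)

def any_of(*filters):
    """Combine already-built filters with the | operator."""
    return "(|%s)" % "".join(filters)

def negate(single_filter):
    """Apply the ! operator to one already-built filter."""
    return "(!%s)" % single_filter

if __name__ == "__main__":
    # Constructed sample values, as they might arrive from a search form.
    print(simple_filter("telephoneNumber", "=", "(555) 555-1234"))
    print(simple_filter("uid", "=", "j*"))  # literal asterisk, not a wildcard
    print(all_of(prefix_filter("uid", "j"), simple_filter("c", "=", "CA")))
```
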
All directory items
All directory items must have a value
for the objectClass attribute. The following search filter matches
all items in the area of the directory that is searched:
(objectClass=*)