Syntax and Operators#

LDAP filter syntax and operators are the boolean expressions used within LDAP SearchFilters. This page shows how they can be combined into LDAP Query Examples that find specific information using LDAP.

An LDAP SearchFilter consists of one or more boolean expressions, with logical operators prefixed to the expression list. The boolean expressions use the following format:

    Attribute Operator Value

where Attribute is a valid LDAP attribute name and Value is the field value.

The filter syntax supports the =, ~=, <, <=, >, >= and ! operators, and provides limited substring matching using the * operator.

In addition, the syntax also supports calls to matching extensions defined in the LDAP data source.

Note that white space is not used as a separator between attribute, operator and value, and that string values are not specified using quotation marks.

Nested Filters#

LDAP filters consist of one or more boolean expression(s) which can be linked together by using operator choices. The operators are always placed in front of the operands. This is the so-called 'Polish Notation'. The search criteria have to be put in parentheses and then the whole term has to be bracketed one more time.

AND Operation:#

    (& (...K1...) (...K2...))

or with more than two criteria:

    (& (...K1...) (...K2...) (...K3...) (...K4...))

OR Operation:#

    (| (...K1...) (...K2...))

or with more than two criteria:

    (| (...K1...) (...K2...) (...K3...) (...K4...))

Nested Operators#

Every AND/OR operation can also be understood as a single criterion:

    (|(& (...K1...) (...K2...))(& (...K3...) (...K4...)))

means:

    (K1 AND K2) OR (K3 AND K4)
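
The prefix-to-infix reading described above can be checked mechanically, which also catches unbalanced parentheses before a filter is sent to a server. This is an added example, not part of the original page: a small Python reader that handles only the & and | operators; the function name `to_infix` and the sample filters are constructed for illustration.

```python
# Added example: reads a prefix-notation LDAP filter and returns its infix
# meaning. Only & and | are interpreted; anything else inside a pair of
# parentheses is kept verbatim as a single criterion.

def to_infix(filter_text):
    """Return the infix reading, or raise ValueError if the filter is malformed."""
    text, pos = filter_text.strip(), 0

    def skip_spaces():
        nonlocal pos
        while pos < len(text) and text[pos] == " ":
            pos += 1

    def parse():
        nonlocal pos
        skip_spaces()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        skip_spaces()
        if pos < len(text) and text[pos] in "&|":
            word = " AND " if text[pos] == "&" else " OR "
            pos += 1
            operands = []
            skip_spaces()
            while pos < len(text) and text[pos] == "(":
                operands.append(parse())   # each operand is itself a filter
                skip_spaces()
            if not operands:
                raise ValueError(f"operator without operands at offset {pos}")
            result = "(" + word.join(operands) + ")"
        else:
            end = pos
            while end < len(text) and text[end] not in "()":
                end += 1
            result = text[pos:end].strip()
            if not result:
                raise ValueError(f"empty criterion at offset {pos}")
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"missing ')' at offset {pos}")
        pos += 1
        return result

    result = parse()
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}")
    return result

if __name__ == "__main__":
    print(to_infix("(|(&(objectClass=user)(sn=F*))(&(objectClass=group)(mailNickName=*)))"))
```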

Operands#

Operators operate on individual operands for an LDAP attribute, e.g. (givenName=Sandra). The following rules should be considered:

| Operation | Syntax | Example | Comment |
|---|---|---|---|
| Equality | (attribute=abc) | (&(objectclass=user)(displayName=Foeckeler)) | |
| Negation | (!attribute=abc) | (!objectClass=group) | |
| Presence | (attribute=*) | (mailNickName=*) | |
| Absence | (!attribute=*) | (!proxyAddresses=*) | |
| Greater than | (attribute>=abc) | (mdbStorageQuota>=100000) | |
| Less than | (attribute<=abc) | (mdbStorageQuota<=100000) | |
| Proximity | (attribute~=abc) | (displayName~=Foeckeler) | Caution: ~= is not always supported (AD environments) |
| Wildcards | (sn=F*) | (mail=*@cerrotorre.de) or (givenName=*Paul*) | |

LDAP Filter Choices#

LDAP Filter Choices - (per RFC 4520)

Upper/lower case#

Most other string attributes are case-insensitive and a hit will be found even if the upper and lower case differs from your search filter.

Boolean Syntax#

Boolean attributes are in general case sensitive. Using uppercase, TRUE or FALSE, is usually necessary when filtering on boolean syntax attributes. Some LDAP server implementations, eDirectory for example, are not case sensitive for booleans.

This page (revision-16) was last changed on 2012-12-31 06:58 by jim