LDAP search filters define criteria for selecting items from a directory.
The criteria are based on attribute values. The syntax for search
filters is defined in RFC 2254 (The String Representation of LDAP
Search Filters).
The simplest filter places a condition on a single attribute
value:
(attributeType filterType value)
- Filters must be within parentheses.
- `attributeType` is the name of the attribute upon which you are placing the condition.
- `filterType` is one of four valid arithmetic operators.
- `value` is the value that you are comparing to the attribute.
The following table lists the valid operators that you can use
in a search filter.

| Operator | Meaning |
| --- | --- |
| `=` | equal |
| `~=` | approximately equal |
| `<=` | less than or equal to |
| `>=` | greater than or equal to |

For example, the search filter `(uid=jdoe)` returns the
directory item that has the `uid` attribute of value `jdoe`.
Substrings and any values
In search filters, the asterisk (`*`) represents any sequence of
characters. You can use the asterisk to express values that have a
specific prefix or suffix, or to express any value.
- The expression `(uid=j*)` matches all items with a `uid` attribute that begins with `j`.
- The expression `(uid=*doe)` matches all items with a `uid` attribute that ends with `doe`.
- The expression `(uid=*)` matches all items that have a `uid` attribute of any value.
Logical operators
Use logical operators to apply conditions on
more than one attribute, or to apply the opposite of the condition
specified by a filter. Logical operators precede the filters to
which they are applied. The following table lists the logical operators
and provides examples of their use.

| Logical operator | Description | Example |
| --- | --- | --- |
| `&` | All associated filters match. | `(&(uid=j*)(c=CA))` matches all directory items that have a `uid` attribute value that begins with `j` and a `c` attribute value that equals `CA`. |
| `|` | Any of the associated filters match. | `(|(c=CA)(c=US))` matches all directory items that have a `c` attribute value that equals either `CA` or `US`. |
| `!` | The opposite of the filter. | `(!(uid=j*))` matches all directory items that have a `uid` attribute value that does not begin with `j`. |

Escape character
To express the literal value of a special character,
precede the character with a backslash (\). For example, if an attribute
value includes parentheses, precede the opening and closing parenthesis
with the backslash:
(telephoneNumber=\(555\) 555-1234)
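
One way to build filters from untrusted values so that parentheses, asterisks and backslashes in the input stay literal, given here as an added example and not code from the original page. It uses the two-hex-digit escapes that RFC 2254 defines (for example `\28` for an opening parenthesis) rather than the backslash-plus-character form shown above; the function names and the simplified attribute-name pattern are assumptions.

```python
import re

# RFC 2254, section 4: inside a value these characters are written as a
# backslash followed by the two hex digits of their ASCII code.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Simplified attribute-name pattern (assumption): letters, digits, hyphens.
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
_OPS = {"=", "~=", "<=", ">="}  # the four operators from the table above


def escape_value(value: str) -> str:
    """Return value with every filter metacharacter hex-escaped."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def _check_attr(attr: str) -> str:
    # fullmatch rejects trailing newlines and embedded operators or parentheses
    if not _ATTR.fullmatch(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return attr


def simple(attr: str, op: str, value: str) -> str:
    """Build (attr op value); the value is always treated as a literal."""
    if op not in _OPS:
        raise ValueError(f"invalid operator: {op!r}")
    return f"({_check_attr(attr)}{op}{escape_value(value)})"


def substring(attr: str, prefix: str = "", suffix: str = "") -> str:
    """Build (attr=prefix*suffix); only the asterisk added here is a wildcard."""
    return f"({_check_attr(attr)}={escape_value(prefix)}*{escape_value(suffix)})"


def all_of(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def any_of(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def negate(flt: str) -> str:
    return "(!" + flt + ")"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real directory.
    print(simple("telephoneNumber", "=", "(555) 555-1234"))
    print(all_of(substring("uid", prefix="j"), simple("c", "=", "CA")))
    print(simple("uid", "=", "*"))  # the asterisk stays a literal character
```
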
All directory items
All directory items must have a value
for the objectClass attribute. The following search filter matches
all items in the area of the directory that is searched:
(objectClass=*)