LDAP search filters define criteria for selecting items from a directory. The criteria are based on attribute values. The syntax for search filters is defined in RFC 2254 (The String Representation of LDAP Search Filters).
The simplest filter places a condition on a single attribute value:
(attributeType filterType value)
Filters must be within parentheses.
attributeType is the name of the attribute upon which you are placing the condition.
filterType is one of four valid comparison operators.
value is the value that you are comparing to the attribute.
The following table lists the valid operators that you can use in a search filter.
Operator    Meaning
=           equal
~=          approximately equal
<=          less than or equal to
>=          greater than or equal to
For example, the search filter (uid=jdoe) returns the directory item that has the uid attribute of value jdoe.
Substrings and any values
In search filters, the asterisk (*) represents any sequence of characters. You can use the asterisk to express values that have a specific prefix or suffix, or to express any value.
The expression (uid=j*) matches all items with a uid attribute that begins with j.
The expression (uid=*doe) matches all items with a uid attribute that ends with doe.
The expression (uid=*) matches all items that have a uid attribute of any value.
Logical operators
Use logical operators to apply conditions on more than one attribute, or to apply the opposite of the condition specified by a filter. Logical operators precede the filters to which they are applied. The following table lists the logical operators and provides examples of their use.
Logical operator    Description                             Example
&                   All associated filters match.           (&(uid=j*)(c=CA)) matches all directory items that have a uid attribute value that begins with j and a c attribute value that equals CA.
|                   Any of the associated filters match.    (|(c=CA)(c=US)) matches all directory items that have a c attribute value that equals either CA or US.
!                   The opposite of the filter.             (!(uid=j*)) matches all directory items that have a uid attribute value that does not begin with j.
Escape character
To express the literal value of a special character, precede the character with a backslash (\). For example, if an attribute value includes parentheses, escape the opening and closing parentheses with the backslash:
(telephoneNumber=\(555\) 555-1234)
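When the value in a filter comes from user input, the escaping described above has to be applied in code before the filter is assembled, so that asterisks and parentheses in the input stay literal. The following is an added example, not part of the original page; the function names are hypothetical, and it uses the escape form that RFC 2254 specifies, a backslash followed by the two hexadecimal digits of the character (\28 for an opening parenthesis, \29 for a closing one).

```python
# Added example: escape untrusted input before placing it in a search filter.
# RFC 2254 writes each special character as a backslash plus two hex digits.
SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with every filter metacharacter hex-escaped."""
    return "".join(SPECIAL.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build (attribute=value) with the value treated as a literal."""
    # Assumption: attribute names come from code, never from user input.
    if not attribute.replace("-", "").isalnum():
        raise ValueError("unexpected attribute name: %r" % attribute)
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def is_single_filter(text: str) -> bool:
    """Check that text is exactly one balanced, parenthesized filter."""
    depth = 0
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(text) - 1):
                return False  # outer filter closed before the end of the text
        elif depth == 0:
            return False  # characters outside the outer parentheses
        i += 1
    return depth == 0 and text.startswith("(")


# Constructed sample inputs: a plain uid and values containing metacharacters.
SAMPLES = ["jdoe", "*", "(555) 555-1234", "Acme) (West", "back\\slash"]

if __name__ == "__main__":
    for raw in SAMPLES:
        built = equality_filter("uid", raw)
        print("%-18r -> %-28s single=%s" % (raw, built, is_single_filter(built)))
```

The balance check is a sanity test on the assembled string, not a replacement for escaping: a value such as * is balanced but still changes what the filter matches unless it is escaped.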
All directory items
All directory items must have a value for the objectClass attribute. The following search filter matches all items in the area of the directory that is searched: