The LDAP search filter grammar is specified in RFC 2254 and 2251. The grammar uses ABNF notation.
```
filter = "(" filtercomp ")"
filtercomp = and / or / not / item
    and = "&" filterlist
        filterlist = 1*filter
    or = "|" filterlist
        filterlist = 1*filter
    not = "!" filterlist
        filterlist = 1*filter
    item = simple / present / substring / extensible
        simple = attr filtertype value
            attr = name | name;binary
            filtertype = equal / approx / greater / less
                equal = "="
                approx = "~="
                greater = ">="
                less = "<="
            value = data valid for the attribute's syntax
        present = attr "=*"
            attr = name | name;binary
        substring = attr "=" [initial] any [final]
            attr = name | name;binary
            initial = value
            any = "*" *(value "*")
            final = value
        extensible = attr [":dn"] [":" matchingrule] ":=" value
                     / [":dn"] ":" matchingrule ":=" value
            matchingrule = name | OID
```
For additional options for attr, see Section 4.1.5 of RFC 2251.
For additional information on the value option, see Section 4.1.6 of RFC 2251.
IMPORTANT:
eDirectory does not support LDAP approximate (~=) matching or extensible matching rules.
You cannot use the dn attribute in an LDAP search filter. Filters using either distinguishedName= or dn= in the filter syntax will not function correctly.
Table 1-6 LDAP Filter Operators

| Operator | Description |
|---|---|
| = | Used for presence and equality matching. To test if an attribute exists in the directory, use (attributename=*). All entries that have the specified attribute will be returned. To test for equality, use (attributename=value). All entries that have attributename=value are returned. For example, (cn=Kim Smith) would return entries with Kim Smith as the common name attribute. (cn=*) would return all entries that contained a cn attribute. The = operator can also be used with wildcards to find a substring; for example, (cn=*ary*) would return mary, hillary, and gary. |
| >= | Used to return attributes that are greater than or equal to the specified value. For this to work, the syntax type of the attribute must have defined a mechanism to make this comparison. For example, (cn>=Kim Smith) would return all entries from Kim Smith to Z. |
| <= | Used to return attributes that are less than or equal to the specified value. For this to work, the syntax type of the attribute must have defined a mechanism to make this comparison. For example, (cn<=Kim Smith) would return all entries from A to Kim Smith. |
| ~= | Used for approximate matching. The algorithm used for approximate matching varies with different LDAP implementations. |

The following boolean operators can be combined with the standard operators to form more complex filters. Note that boolean operator syntax is used differently in search filters than in the C and Java programming languages, but the concepts are the same.
Table 1-7 LDAP Filter Boolean Operators

| Boolean Operators | Description |
|---|---|
| & | And. For example, (&(cn=Kim Smith) (telephonenumber=555-5555)) would return entries with common name of Kim Smith and a telephone number of 555-5555. |
| \| | Or. For example, (\|(cn=Kim Smith)(cn=Kimberly Smith)) would return entries with common name Kim Smith or Kimberly Smith. |
| ! | Not. For example, (!(cn=Kim Smith)) would return entries with any cn other than Kim Smith. Note that the ! operator is unary. |

| Filter | Description |
|---|---|
| (cn = Kim Smith) | Returns entries with a common name of Kim Smith. |
| (&(cn=Kim Smith)(telephonenumber=555*)(emailaddress=*acme.com)) | Returns entries with a common name of Kim Smith, a telephone number that starts with 555, and an e-mail address that ends in acme.com. |
| (!(cn = Chris Jones)) | Returns entries that do not have a common name of Chris Jones. |
| (&(objectClass=inetOrgPerson) (\| (sn=Smith) (cn=Chris S*) ) ) | Returns entries that are of type inetOrgPerson with a surname of Smith or a common name beginning with Chris S. |
| (&(o=acme)(objectclass=Country)(!(\|(c=spain)(c=us)))) | Returns entries that are of type Country from the organization Acme, that are not countries spain or us. |
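
The grammar and the eDirectory restrictions described above can be checked mechanically before a filter is sent to the server. The following Python sketch is an added example, not code from this documentation or from any LDAP SDK; `parse` and `lint_for_edirectory` are hypothetical names. It assumes `!` takes exactly one operand, tolerates the spaces between sub-filters seen in the examples, and does not decode escaped characters in values.

```python
import re

# Added illustration: these names are hypothetical, not from any LDAP SDK.
_ITEM = re.compile(r"\s*([A-Za-z][\w.;-]*)?\s*((?::[\w.-]+)*:=|~=|>=|<=|=)([^()]*)")
_WS = re.compile(r" *")

def _filter(s, i):
    """Parse one "(" filtercomp ")" at s[i]; return (node, index after it)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], _WS.match(s, i + 1).end()
        while s[i:i + 1] == "(":
            kid, i = _filter(s, i)
            kids.append(kid)
            i = _WS.match(s, i).end()  # the page's examples put spaces between filters
        if not kids or (op == "!" and len(kids) != 1):  # "!" is unary
            raise ValueError(f"wrong operand count for {op!r} near offset {i}")
        node = (op, kids)
    else:
        m = _ITEM.match(s, i)  # the value runs up to the next parenthesis
        if not m or not (m.group(1) or m.group(2).endswith(":=")):
            raise ValueError(f"bad item at offset {i}")
        node, i = ("item", m.group(1) or "", m.group(2), m.group(3)), m.end()
    if s[i:i + 1] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def parse(text):
    """Return the filter as nested tuples, or raise ValueError if malformed."""
    node, end = _filter(text, 0)
    if end != len(text):
        raise ValueError(f"trailing text at offset {end}")
    return node

def lint_for_edirectory(text):
    """List uses of what the IMPORTANT note says eDirectory does not handle."""
    found, todo = [], [parse(text)]
    while todo:
        node = todo.pop(0)
        if node[0] != "item":
            todo.extend(node[1])
        elif node[2] == "~=" or node[2].endswith(":="):
            found.append(f"unsupported match type {node[2]}")
        elif node[1].split(";")[0].lower() in ("dn", "distinguishedname"):
            found.append(f"{node[1]} used as filter attribute")
    return found
```

An unbalanced filter raises `ValueError` with the offset of the missing parenthesis, so malformed filters are caught before they reach the directory.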