Filtering for Bit Fields#

These are bit field related LDAP SearchFilters which show LDAP Query Examples that can be used to find information specific to the bit field within LDAP.

Microsoft Active Directory specific#

Not all LDAP server vendors provide complete matching rules. The OID's shown here are Microsoft Active Directory specific and will probably not work on other server implementations. We wish some of the other LDAP server vendors would.

Microsoft documents this usage here: http://support.microsoft.com/kb/269181

To perform filters to search on bit fields, a strange looking syntax has to be followed:

   <Attribute name>:<BitFilterRule-ID>:=<decimal comparative value>

There are two BitFilterRule Extensible Match Rules#

One for bit-wise AND comparisons and one for bit-wise OR comparisons:

Some examples#

Microsoft Active Directory utilizes a lot of bit fields which are efficient for data storage but difficult for human understanding. For an example, the attribute 'groupType' following bit mask is important in ADS group objects:
ADS_GROUP_TYPE_GLOBAL_GROUP     = 0x00000002
ADS_GROUP_TYPE_LOCAL_GROUP      = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP  = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

A Search filter for universal groups#

A filter for universal groups has to search for those objects in whose attributes the 4th least significant bit is set. This can be checked by equating the attribute of the value 0x00000008 (this represents the 4th bit) in an AND filter:
(groupType:1.2.840.113556.1.4.803:=8)                    'All universal groups

A Search filter for all security groups (and not the distribution groups)#

Caution: In LDAP filters the hex value of the bit filter must be decimal at this point! So if all security groups (and not the distribution groups) are to be found, it has to be filtered for the 8th bit
(0x80000000 = 2147483648):

(groupType:1.2.840.113556.1.4.803:=2147483648)           'All security enabled groups

A Search filter for universal security groups#

Please note that bit-wise filtering is a much more complex procedure for a server. For this reason you should take into consideration the use of normal equity criteria. If looking e.g. for universal security groups, the two flags 0x80000000 and 0x00000008 can be added up and then be filtered for the according decimal value 2147483656:
(groupType=2147483656)                                  'All universal security groups

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-20) was last changed on 12-Oct-2014 09:25 by jim