Syntax and LDAP Filter Choices#

Are boolean expressions that are used within LDAP SearchFilters and demonstrate how they can be used for LDAP Query Examples that can be used to find specific information using LDAP.

An LDAP SearchFilters consists of one or more boolean expressions, with logical LDAP Filter Choices prefixed to the expression list. The boolean expressions use the following format:

Attribute Operator Value
where Attribute is a valid LDAP attribute name and Value is the the field value.

The filter syntax supports the =, ~=, <, <=, >, >= and ! operators, and provides limited substring matching using the * operator.

In addition, the syntax also supports calls to matchingRules defined in the LDAP data source.

White space is NOT used as a separator between attribute, LDAP Filter Choices and value, and that string values are NOT specified using quotation marks.

Nested Filters#

LDAP filters consist of one or more boolean expression(s) which can be linked together by using LDAP Filter Choices. The LDAP Filter Choices are always placed in front of the operands. This is the so-called 'Polish Notation'. The search criteria have to be put in parentheses and then the whole term has to be bracketed one more time.

AND Operation:#

    & (...K1...) (...K2...)      
or with more than two criteria:
    (& (...K1...) (...K2...) (...K3...) (...K4...))

OR Operation:#

    (| (...K1...) (...K2...))

or with more than two criteria:

       (| (...K1...) (...K2...) (...K3...) (...K4...)) 

Nested Operators#

Every AND/OR operation can also be understood as a single criterion:

    (|(& (...K1...) (...K2...))(& (...K3...) (...K4...))) 
    (K1 AND K2) OR (K3 AND K4)

LDAP Filter Choices#

LDAP Filter Choices operate on individual operands for an LDAP attribute, e.g. (givenName=Sandra).

The LDAP Filter Choices specifies the conditions that must be met for a record to be included in the recordset (or collection) that results from a query. An LDAP filter has one or more clauses, each enclosed in parentheses. Each clause evaluates to either True or False.

Upper/lower case#

Most other string attributes are case-insensitive and a hit will be found even if the upper and lower case differs from your search filter.

There are various MatchingRules which may be case-sensitive.

Boolean Match#

Boolean attributes are in general case-sensitive. The use of uppercase, TRUE or FALSE, is usually necessary for filtering boolean syntax attributes. Some LDAP Server Implementations are NOT case-sensitive for booleans, eDirectory as an example.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-21) was last changed on 22-Jul-2016 12:03 by jim