Filtering for Bit Fields


These are bit-field-related LDAP SearchFilters: LDAP Query Examples that use Bitwise operations to find entries by the value of a bit field.

Microsoft Active Directory specific

Not all LDAP server vendors provide complete matching rules. The OIDs shown here are Microsoft Active Directory specific and will probably not work on other LDAP Server Implementations. We wish some of the other LDAP Server Implementations would.

Microsoft documents this usage here: http://support.microsoft.com/kb/269181

To filter on bit fields, a strange-looking syntax has to be followed:

   <Attribute name>:<BitFilterRule-ID>:=<decimal comparative value>

There are two Bitwise operation Extensible Match Rules

One for bitwise AND comparisons and one for bitwise OR comparisons:

Some examples

Microsoft Active Directory uses a lot of bit fields, which are efficient for data storage but difficult for humans to understand. For example, in the 'groupType' attribute of AD group objects the following bitmask is important:
ADS_GROUP_TYPE_LOCAL_GROUP      = 0x00000004

A Search filter for Universal Groups

A filter for universal groups has to search for those objects in whose attribute the 4th least significant bit is set. This can be checked by comparing the attribute with the value 0x00000008 (which represents the 4th bit) using LDAP_MATCHING_RULE_BIT_AND:
(groupType:1.2.840.113556.1.4.803:=8)    'All universal groups

A Search filter for all Security Groups (and not the distribution groups)

Caution: In LDAP filters the hex value of the bit filter MUST be written in decimal! So to find all Security Groups (and not the distribution groups), filter for the 8th bit (0x80000000 = 2147483648):

(groupType:1.2.840.113556.1.4.803:=2147483648)  'All security enabled groups

A Search filter for universal security groups

Please note that bitwise filtering is a much more complex procedure for a server. For this reason you should consider using normal equality criteria where possible. If looking, e.g., for universal security groups, the two flags 0x80000000 and 0x00000008 can be added up and the filter can test for the corresponding decimal value 2147483656:
(groupType=2147483656)                          'All universal security groups
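
The filters above, built and checked offline in Python as an added example (not code from the original page): `bit_filter` turns a hex mask into the decimal form the filter syntax requires, and `matches` applies the AND rule and Active Directory's companion OR rule (OID 1.2.840.113556.1.4.804, which is not listed on this page) to sample entries. The helper names and the sample groupType values are assumptions constructed for illustration.

```python
import re

# Matching-rule OIDs. BIT_AND is the OID used in this page's filters;
# BIT_OR (...804) is Active Directory's companion rule, not shown on the page.
BIT_AND = "1.2.840.113556.1.4.803"
BIT_OR = "1.2.840.113556.1.4.804"

# groupType flags with the hex values given on the page.
UNIVERSAL_GROUP = 0x00000008
SECURITY_ENABLED = 0x80000000

_FILTER = re.compile(r"^\((\w+):([\d.]+):=(\d+)\)$")

def bit_filter(attribute, mask, rule=BIT_AND):
    """Build (<attr>:<rule OID>:=<decimal mask>); the mask is always decimal."""
    if not 0 < mask <= 0xFFFFFFFF:
        raise ValueError("mask must be a non-zero 32-bit value")
    return f"({attribute}:{rule}:={mask:d})"

def to_unsigned32(value):
    """AD returns groupType as a signed 32-bit integer; normalise it."""
    return int(value) & 0xFFFFFFFF

def matches(filter_text, entry):
    """Evaluate one bitwise filter against an entry dict (hypothetical helper)."""
    m = _FILTER.match(filter_text)
    if not m:
        raise ValueError(f"not a bitwise extensible-match filter: {filter_text}")
    attribute, rule, mask = m.group(1), m.group(2), int(m.group(3))
    if attribute not in entry:
        return False
    value = to_unsigned32(entry[attribute])
    if rule == BIT_AND:   # every bit of the mask must be set
        return (value & mask) == mask
    if rule == BIT_OR:    # at least one bit of the mask must be set
        return (value & mask) != 0
    raise ValueError(f"unsupported matching rule: {rule}")

# Constructed sample entries; groupType is signed, as it is when read back from AD.
SAMPLE = {
    "Universal security": {"groupType": -2147483640},
    "Universal distribution": {"groupType": 8},
    "Domain local security": {"groupType": -2147483644},
}

def select(filter_text):
    """Names of the sample entries that the filter matches, sorted."""
    return sorted(name for name, e in SAMPLE.items() if matches(filter_text, e))
```

Because the directory hands groupType back as a signed value, client-side code that tests flags on returned entries needs the `to_unsigned32` step before comparing against masks such as 0x80000000.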
