LDAP filters consist of one or more criteria. If more than one criterion exists in a filter definition, the criteria can be combined with the logical AND or OR operators.
AND Operation:
(& (…K1…) (…K2…)) or with more than two criteria: (&(…K1…)(…K2…)(…K3…)(…K4…))
OR Operation:
(| (…K1…)(…K2…)) or with more than two criteria: (|(…K1…)(…K2…)(…K3…)(…K4…))
Nested Operation:
Every AND/OR operation can also be understood as a single criterion:
(|(& (…K1…)(…K2…))(&(…K3…)(…K4…))) means: (K1 AND K2) OR (K3 AND K4)
Each search criterion is a condition on an LDAP attribute, e.g. (givenName=Sandra). The following rules apply:
Equality: (attribute=abc), e.g. (&(objectclass=user)(displayName=Foeckeler))
Negation: (!(attribute=abc)), e.g. (!(objectClass=group))
Presence: (attribute=*), e.g. (mailNickName=*)
Absence: (!(attribute=*)), e.g. (!(proxyAddresses=*))
Greater than: (attribute>=abc), e.g. (mdbStorageQuota>=100000)
Less than: (attribute<=abc), e.g. (mdbStorageQuota<=100000)
Proximity: (attribute~=abc), e.g. (displayName~=Foeckeler) Caution: ~= is treated as = in ADS environments!
Wildcards: e.g. (sn=F*) or (mail=*@cerrotorre.de) or (givenName=*Paul*)
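
As an added example (not part of the original page), the following Python parser for the syntax above turns a filter string into a nested tuple and raises ValueError on unbalanced or malformed filters. The names parse_filter, _parse and _skip are made up for this example, and tolerating blanks between criteria is an assumption based on the spacing used in the AND/OR examples.

```python
import re

# attribute, comparison operator, value (the value runs up to the next parenthesis)
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)([^()]*)")
_LOGIC = {"&": "AND", "|": "OR", "!": "NOT"}
_KIND = {"=": "equal", ">=": "ge", "<=": "le", "~=": "approx"}

def _skip(text, pos):
    while pos < len(text) and text[pos].isspace():
        pos += 1
    return pos

def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos = _skip(text, pos + 1)
    if pos < len(text) and text[pos] in _LOGIC:
        op, children = text[pos], []
        pos = _skip(text, pos + 1)
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)   # every AND/OR/NOT operand is itself a filter
            children.append(child)
            pos = _skip(text, pos)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"'{op}' needs parenthesised criteria")
        node = (_LOGIC[op], children)
    else:
        m = _ITEM.match(text, pos)
        if not m:
            raise ValueError(f"bad criterion at offset {pos}")
        attr, cmp_op, value = m.groups()
        pos = m.end()
        if cmp_op == "=" and value == "*":
            kind = "present"
        elif cmp_op == "=" and "*" in value:
            kind = "substring"
        else:
            kind = _KIND[cmp_op]
        node = (kind, attr, value)
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"missing ')' at offset {pos}")
    return node, pos + 1

def parse_filter(text):
    """Return a nested tuple for one filter string; raise ValueError if malformed."""
    node, pos = _parse(text, _skip(text, 0))
    if _skip(text, pos) != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node
```

Running user-supplied or hand-written filters through such a check before they reach the directory catches a dropped closing parenthesis or a negation written without its inner parentheses.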