Published May 28, 2013 by

Basic LDAP Filter Syntax and Operators

LDAP filters consist of one or more criteria. If one than more criterion exist in one filter definition, they can be concatenated by logical AND or OR operators.

AND Operation:
(& (...K1...) (...K2...)) or with more than two criteria:(&(...K1...)(...K2...)(...K3...)(...K4...))

OR Operation:
(| (...K1...)(...K2...)) or with more than two criteria:(|(...K1...)(...K2...)(...K3...)(...K4...))

Nested Operation:

Every AND/OR operation can also be understood as a single criterion:

(|(& (...K1...)(...K2...))(&(...K3...)(...K4...))) means:(K1 AND K2) OR (K3 AND K4)

The search criteria consist of a requirement for an LDAP attribute, e.g. (givenName=Sandra). Following rules should be considered:

Equality:         (attribute=abc)      , e.g. (&(objectclass=user)(displayName=Foeckeler)
Negation:         (!(attribute=abc))   , e.g. (!objectClass=group)
Presence:         (attribute=*)        , e.g. (mailNickName=*)
Absence:         (!(attribute=*))     , e.g. (!proxyAddresses=*)
Greater than:         (attribute>=abc) , e.g. (mdbStorageQuota>=100000)
Less than:         (attribute<=abc)     , e.g. (mdbStorageQuota<=100000)
Proximity:         (attribute~=abc)     , e.g. (displayName~=Foeckeler) Caution: ~= is treated as = in ADS environments !!
Wildcards:         e.g. (sn=F*) or ([email protected]) or (givenName=*Paul*)

More information
Kenio Carvalho

Kenio Carvalho