 

Using DN in Search Filter

In my LDAP client program I sometimes have to include the DN value within the search filter. But this DN changes frequently, and every time I have to change this filter in my code.

When I googled it, I got something like this:

Suppose you want to pull all users of ObjectType = Person from the R&D and HR OUs, but not any users from Marketing and PM. The filter would be:

(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))

Can anybody explain this in more detail?

asked Sep 19 '11 15:09 by Dungeon Hunter


1 Answer

You should check RFC 2254 (The String Representation of LDAP Search Filters).

LDAP filters use Polish notation for the boolean operators, so the operator is written before its operands:

(&(condition1)(condition2)(condition3)...)

The example above means that you want all LDAP entries which satisfy condition1 AND condition2 AND condition3 and so on.

Then there are the conditions themselves. They are very simple and can be of only a few types:

  • present condition - (attrName=*)
  • simple condition - (attrName>=value) / (attrName<=value) / (attrName=value) / (attrName~=value)
  • substring condition - (attrName=*value*) / (attrName=*value) / (attrName=value*)
  • extensible condition - (attrName:dn:=value) / (attrName:matchingRule:=value)

The extensible condition with the :dn: keyword means that you want attributes from the entry DN to be considered as well. So in your case the entry cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com would match the filter (ou:dn:=HumanResources).


Translating your example filter to an English sentence would be:

Find me all LDAP entries which have objectClass equal to person and have either ResearchAndDevelopment or HumanResources in their ou attribute or somewhere in their DN.

answered Sep 20 '22 02:09 by Pavel Horal
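The following is an added example, not code from the question, the answer, or any LDAP library. It parses the string filter form the answer describes (Polish-notation &/|/!, equality, substring/present, and extensible :dn: conditions) and evaluates it against a small constructed in-memory directory, so the :dn: behaviour can be checked offline: an entry matches (ou:dn:=HumanResources) through an RDN in its DN or through an ou attribute value. It also covers the question's own case, building the filter from a changing list of OU values, and shows why such a value must be RFC 4515-escaped before it is spliced in. All entry names, the helper functions and the injection payload are assumptions made for the example.

```python
import re

def _entry(dn, *classes, **attrs):            # constructed sample data, not from the page
    attrs["objectClass"] = ["top", *classes]
    return {"dn": dn, "attrs": attrs}

ENTRIES = [
    _entry("cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com", "person", cn=["John Doe"]),
    _entry("cn=Jane Roe,ou=ResearchAndDevelopment,ou=Users,dc=example,dc=com", "person", cn=["Jane Roe"]),
    _entry("cn=Max Mustermann,ou=Marketing,ou=Users,dc=example,dc=com", "person", cn=["Max Mustermann"]),
    # sits under ou=PM in the tree but carries ou=HumanResources as an attribute
    _entry("cn=Ann Lee,ou=PM,ou=Users,dc=example,dc=com", "person", cn=["Ann Lee"], ou=["HumanResources"]),
    # not a person: the objectClass clause excludes it although the DN fits
    _entry("ou=HumanResources,ou=Users,dc=example,dc=com", "organizationalUnit", ou=["HumanResources"]),
]

def escape_filter_value(value):
    """RFC 4515 section 3: NUL ( ) * and backslash must be written as \\xx hex escapes.
    Apply this to every untrusted value (a DN component included) before splicing it into
    a filter; otherwise the value can close its clause and add or widen conditions."""
    return "".join("\\%02x" % ord(c) if c in "\x00()*\\" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _rdn_values(dn):
    """attr -> values found in the RDNs of a DN (escaped commas are not handled)."""
    out = {}
    for ava in re.split(r"[,+]", dn):
        attr, _, val = ava.partition("=")
        out.setdefault(attr.strip().lower(), []).append(val.strip())
    return out

def _parse_item(item):
    """One condition without its parentheses; node layout: (kind, attr, ...)."""
    m = re.match(r"^([^:=<>~]+)(:dn)?(?::([^:=]+))?:=(.*)$", item)
    if m:                                     # extensible  attr[:dn][:rule]:=value
        return ("cmp", m.group(1).lower(), "=", _unescape(m.group(4)), bool(m.group(2)))
    m = re.match(r"^([^=<>~]+)(>=|<=|~=|=)(.*)$", item)
    if not m:
        raise ValueError("bad filter item %r" % item)
    attr, op, val = m.group(1).lower(), m.group(2), m.group(3)
    if op == "=" and "*" in val:              # substring; (attr=*) is the present test
        parts = [re.escape(_unescape(p)) for p in val.split("*")]
        return ("substr", attr, re.compile("^" + ".*".join(parts) + "$", re.I))
    return ("cmp", attr, op, _unescape(val), False)

class Filter:
    def __init__(self, text):
        self.text, self.pos = text, 0
        self.tree = self._filter()
    def _filter(self):
        if self.text[self.pos] != "(":
            raise ValueError("expected '(' at %d" % self.pos)
        op = self.text[self.pos + 1]
        self.pos += 2 if op in "&|!" else 1
        if op in "&|":                        # Polish notation: operator first, then operands
            kids = []
            while self.text[self.pos] == "(":
                kids.append(self._filter())
            node = (op, kids)
        elif op == "!":
            node = ("!", [self._filter()])
        else:
            end = self.text.index(")", self.pos)
            node = _parse_item(self.text[self.pos:end])
            self.pos = end
        if self.text[self.pos] != ")":
            raise ValueError("expected ')' at %d" % self.pos)
        self.pos += 1
        return node
    def matches(self, entry, node=None):
        node = node or self.tree
        kind, attr = node[0], node[1]
        if kind in "&|":
            return (all if kind == "&" else any)(self.matches(entry, k) for k in attr)
        if kind == "!":
            return not self.matches(entry, attr[0])
        values = [v for k, vs in entry["attrs"].items() if k.lower() == attr for v in vs]
        if kind == "substr":
            return any(node[2].match(v) for v in values)
        op, want, use_dn = node[2], node[3].lower(), node[4]
        if use_dn:                            # :dn: -> the entry's own RDN values count too
            values += _rdn_values(entry["dn"]).get(attr, [])
        test = {">=": str.__ge__, "<=": str.__le__}.get(op, str.__eq__)  # ~= as = here
        return any(test(v.lower(), want) for v in values)

def search(filter_text, entries=ENTRIES):
    """DNs of the entries the filter matches, in directory order."""
    f = Filter(filter_text)
    return [e["dn"] for e in entries if f.matches(e)]

def build_ou_filter(ous, escape=True):
    """The question's case: the R&D/HR filter built from a changing list of OU names.
    escape=False reproduces plain string concatenation, i.e. the injectable form."""
    conv = escape_filter_value if escape else str
    return "(&(objectClass=person)(|%s))" % "".join("(ou:dn:=%s)" % conv(o) for o in ous)
```

Running search() with the filter from the question returns John Doe, Jane Roe and Ann Lee: the first two through the ou RDN in their DN, Ann through her ou attribute, while the ou=HumanResources entry itself fails the objectClass clause and Max Mustermann under Marketing matches neither branch. With a value such as HumanResources)(objectClass=* spliced in unescaped, the OR gains a present test that every person satisfies, so Marketing users come back too; escaped, the same value is just a string that matches nothing. Two simplifications to keep in mind: a real server applies each attribute's matching rule (everything here is caseIgnore, and ~= is treated as =), and a DN with escaped commas is not handled. In production use the client library's escaper (python-ldap's ldap.filter.escape_filter_chars, ldap3's escape_filter_chars), and when the changing value is a whole DN rather than one RDN value, consider passing it as the search base instead of embedding it in the filter at all.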