--- Sjoerd Hooft's InFormation Technology ---

Notes, Tips & Tricks: LDAP Filters

This is a notes page, extended with tips & tricks. This page is not really documentation, just stuff for me to remember. Sometimes things will get removed from these pages and turned into real documentation, sometimes not. You might find these notes to come in handy, maybe not. For me, it's just things I don't want to forget.

Compound Filters (p140)

The filter syntax enables the use of AND and OR operators for joining filter elements together. These are prefix operators and can be followed by one or more filter elements. Each of the inner elements and the whole filter must be enclosed in parentheses.

AND. The AND operator is indicated by the & character and is usually used to further restrict search results. If I wanted to list only inetOrgPerson entries that had telephone numbers I could use this filter: (&(objectClass=inetOrgPerson)(telephoneNumber=*)). All inetOrgPerson objects which also have a telephoneNumber attribute will be listed. Notice that in this example (as with all compound LDAP search filters) the operator comes before the filter elements rather than between them. This is referred to as a preordered expression or a prefixed expression.

OR. The OR operator is indicated by the | character and is normally used to make a filter less restrictive. If you wanted to find the entry for Jim but couldn't remember if the common name began with Jim or James, you could use the filter: (|(cn=jim*)(cn=james*)). Both the AND and the OR operators can have multiple filter elements following them. Additional examples of possible filters are: (&(objectClass=inetOrgPerson)(mail=*acme.com)(cn=mary*)) and (|(cn=larry)(cn=moe)(cn=curley)). You will probably find reasons to mix the AND and OR operators in the same filter; use parenthesis nesting to accomplish this. If you wanted to find inetOrgPerson objects whose telephoneNumber begins with either 555 or 556 you could use the filter: (&(objectClass=inetOrgPerson)(|(telephoneNumber=555*)(telephoneNumber=556*))).

NOT. The NOT operator is represented by the ! character. It can precede just a single filter element. Here's an example of the NOT operator used in an inner filter element. If you wanted to find all of the Marys except Mary Jones you would try: (&(cn=mary*)(!(sn=jones))). This filter would find everyone whose name is not Mary Jones: (!(&(cn=mary)(sn=jones))).

Greater Than or Equal, Less Than or Equal. If an attribute uses a schema type that defines a way to compare whether one value is greater than another, then you can use greater-than-or-equal and less-than-or-equal in your filter, for example attrname>=value. The comparison operators are:

      equal      = "="
      approx     = "~="
      greater    = ">="
      less       = "<="

  • Search for objects whose mail domain is example.com: (mail=*@example.com)
  • Search for objects whose objectClass is inetOrgPerson or person: (|(objectClass=inetOrgPerson)(objectClass=person))
  • Search for objects whose objectClass is inetOrgPerson and whose cn starts with 'p' followed by anything: (&(objectClass=inetOrgPerson)(cn=p*))
  • Search for objects whose mail attribute is not empty and whose objectClass is inetOrgPerson or person: (&(mail=*)(|(objectclass=person)(objectclass=inetorgperson)))
  • Search for objects whose objectClass is inetOrgPerson and whose mail is empty: (&(objectclass=inetorgperson)(!(mail=*)))
  • Search for objects whose objectClass is inetOrgPerson and whose description is empty: (&(objectclass=inetorgperson)(!(description=*)))

Examples: LDAP filter to query users with a title beginning with 2007: (&(objectclass=inetOrgPerson)(title=2007*))

LDAP filter to query users with a title beginning with 2007 AND who are disabled: (&(objectclass=inetOrgPerson)(title=2007*)(loginDisabled=TRUE))

LDAP filter to query users who have never logged in: (&(objectclass=inetOrgPerson)(!(lastlogintime=*)))

LDAP filter to query users who have never logged in and users who logged in before a certain date: (&(objectclass=inetOrgPerson)(|(lastlogintime<=20070901000000Z)(!(lastlogintime=*))))

LDAP filter to query users who have never logged in and users who logged in before a certain date, who have a certain title and who are disabled: (&(objectclass=inetOrgPerson)(title=20071221_IDM_Cleanup)(loginDisabled=TRUE)(|(lastlogintime<=20070901000000Z)(!(lastlogintime=*))))
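To check what the compound filters above and the example filters actually select, here is a small parser and evaluator for the prefix filter syntax, written as an added example (not part of the original notes). It assumes a directory represented as Python dicts, compares >= and <= as plain strings (which is correct for GeneralizedTime values such as 20070901000000Z), simplifies ~= to case-insensitive equality, and does not unescape \28/\29-style escaped values:

```python
import re

def parse_filter(text, pos=0):  # returns (tree, next_pos); RFC 4515 prefix syntax
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos, op = pos + 1, text[pos + 1:pos + 2]
    if op in ("&", "|", "!"):                          # prefix operator, nested items follow
        pos, children = pos + 1, []
        while text[pos:pos + 1] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("bad operand count for %s at offset %d" % (op, pos))
        node = (op, children)
    else:                                               # simple item: attr OP value
        end = text.find(")", pos)                       # a ')' inside a value must be escaped as \29
        if end < 0 or not (m := re.fullmatch(r"([A-Za-z0-9.;-]+)(>=|<=|~=|=)(.*)", text[pos:end])):
            raise ValueError("bad filter item at offset %d" % pos)
        node, pos = (m.group(2), m.group(1).lower(), m.group(3)), end
    if text[pos:pos + 1] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1

def matches(node, entry):  # evaluate a parsed filter against one entry {attribute: [values]}
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    op, attr, value = node                              # attribute names compare case-insensitively
    vals = [str(v) for k, vs in entry.items() if k.lower() == attr for v in vs]
    if op == "=" and value == "*":                      # presence: the attribute has any value
        return bool(vals)
    if op == "=" and "*" in value:                      # substring: the pieces appear in order
        pat = ".*".join(re.escape(p) for p in value.split("*"))
        return any(re.fullmatch(pat, v, re.IGNORECASE) for v in vals)
    if op in ("=", "~="):                               # ~= simplified to case-insensitive equality
        return any(v.lower() == value.lower() for v in vals)
    return any((v >= value) if op == ">=" else (v <= value) for v in vals)  # GeneralizedTime sorts as text

def search(filter_text, entries):
    tree, end = parse_filter(filter_text)
    if end != len(filter_text):                         # e.g. "(cn=a)(cn=b)" is not one filter
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(tree, e)]

ENTRIES = [  # constructed sample entries using the attributes the notes above refer to
    {"cn": ["sjoerd"], "objectClass": ["inetOrgPerson"], "title": ["2007_intern"],
     "loginDisabled": ["TRUE"], "lastLoginTime": ["20070815120000Z"]},
    {"cn": ["mary jones"], "objectClass": ["inetOrgPerson"], "sn": ["jones"], "mail": ["mary@example.com"]},
    {"cn": ["mary smith"], "objectClass": ["inetOrgPerson"], "sn": ["smith"], "lastLoginTime": ["20071101090000Z"]},
]
```

Running search("(&(objectclass=inetOrgPerson)(|(lastlogintime<=20070901000000Z)(!(lastlogintime=*))))", ENTRIES) returns both sjoerd (logged in before the date) and mary jones (never logged in), which is exactly the set the "never logged in or before a certain date" filter is meant to select.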

LDAP OPERATIONAL ATTRIBUTES: eDirectory LDAP operational attributes listed in the developer kit:

  • createTimeStamp
  • creatorsName
  • entryFlags
  • federationBoundary
  • localEntryID
  • modifiersName
  • modifyTimeStamp
  • structuralObjectClass
  • subordinateCount
  • subschemaSubentry

LDAPsearch

  • TLS LDAP search with filter cn=sjoerd, requesting all operational attributes: ldapsearch -D cn=bofh,o=company -W -ZZ -b o=company "cn=sjoerd" +
  • TLS LDAP search with filter cn=sjohoo, requesting all attributes: ldapsearch -D cn=bofh,o=company -W -ZZ -b o=company "cn=sjoerd"
  • Try TLS in an LDAP search: ldapsearch -D cn=bofh,o=company -W -Z -b "cn=sjoerd"

LDAP attributes: lastlogintime is the second-to-last login time; logintime is the last login time.

ldapfilters.txt · Last modified: 2021/09/24 00:24 (external edit)