Using DN in Search Filter

In my LDAP client program, sometimes you have to include the DN value in the search filter. But this DN often changes, and every time I have to change this filter in my code.

When I googled for this, I got something like this

Suppose you want to pull all users of ObjectType = Person from the R&D and HR OUs, but not the users from Marketing and PM. The filter will look like this:

(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources))) 

Can someone explain this in more detail?

+7
1 answer

You should check out RFC 2254 (The String Representation of LDAP Search Filters).

LDAP filters use Polish notation for Boolean operators. Thus, the operator is written before its operands:

 (&(condition1)(condition2)(condition3)...) 

The above example means that you want all LDAP entries to satisfy condition1 AND condition2 AND condition3, etc.

Then there are the conditions themselves. They are very simple and can consist of only a few types:

  • presence condition - (attrName=*)
  • simple condition - (attrName>=value) / (attrName<=value) / (attrName=value) / (attrName~=value)
  • substring condition - (attrName=*value*) / (attrName=*value) / (attrName=value*)
  • extensible condition - (attrName:dn:=value) / (attrName:matchingRule:=value)

An extensible clause with the keyword :dn: means that the attributes in the entry's DN must also be considered. So, for an entry with the DN cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com, the filter (ou:dn:=HumanResources) will match.


The translation of your filter example into an English sentence will be as follows:

Find all LDAP entries that have objectClass equal to person and have either ResearchAndDevelopment or HumanResources in their ou attribute or somewhere in their DN.

+8
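A small evaluator for the filter subset the answer describes, added here as an illustration (it is not part of the answer and not code from any LDAP library). The directory entries are constructed; the :dn: rule is implemented exactly as stated above, matching either the entry's attribute values or the RDN components of its DN, which is why the Marketing user who merely carries ou=HumanResources as an attribute is also returned.

```python
import re

# Constructed sample directory (not from the original post); attribute names lower-cased.
ENTRIES = {
    "cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com":
        {"objectclass": ["person"]},
    "cn=Ann Lee,ou=ResearchAndDevelopment,ou=Users,dc=example,dc=com":
        {"objectclass": ["person"]},
    # Sits in the Marketing subtree but carries HumanResources as an ou attribute value.
    "cn=Bob Ray,ou=Marketing,ou=Users,dc=example,dc=com":
        {"objectclass": ["person"], "ou": ["HumanResources"]},
    "cn=Eve Kim,ou=Marketing,ou=Users,dc=example,dc=com":
        {"objectclass": ["person"]},
}

def dn_components(dn):
    """Split a DN into (attr, value) RDN pairs. Assumes plain DNs without escaped commas."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def parse(s, i=0):
    """Recursive-descent parser for the RFC 2254 subset above: &, |, !, presence,
    equality and the :dn: extensible match. Returns (tree, next_index)."""
    if s[i + 1] in "&|!":                      # operator first, operands after it
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1               # s[i] is the closing ')'
    end = s.index(")", i)
    m = re.fullmatch(r"(\w+)(:dn:)?=(.*)", s[i + 1:end])
    return ("dn" if m.group(2) else "eq", m.group(1).lower(), m.group(3)), end + 1

def matches(node, dn, attrs):
    """Evaluate a parsed filter against one entry (its DN plus its attribute map)."""
    kind = node[0]
    if kind in "&|!":
        results = [matches(k, dn, attrs) for k in node[1]]
        return {"&": all, "|": any}[kind](results) if kind != "!" else not results[0]
    _, attr, value = node
    values = [v.lower() for v in attrs.get(attr, [])]
    hit = bool(values) if value == "*" else value.lower() in values   # presence / equality
    if kind == "dn":   # :dn: also matches the RDN components of the entry's own DN
        hit = hit or any(a.lower() == attr and v.lower() == value.lower()
                         for a, v in dn_components(dn))
    return hit

def search(filter_str, entries=ENTRIES):
    """Return the sorted DNs of every entry the filter string matches."""
    tree, _ = parse(filter_str)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, dn, attrs))
```

Comparing search("(ou=HumanResources)") with search("(ou:dn:=HumanResources)") shows the difference the answer describes: the plain equality only sees the attribute, the :dn: form also sees the DN.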
