Understanding LDAP Search Filters

Here are some tips to help you define and evaluate LDAP search filters.

Kieran McCorry

December 11, 2000


Lightweight Directory Access Protocol (LDAP) search filters define expressions in prefix notation, unlike everyday mathematical expressions, which use infix notation. In prefix notation, the operator precedes the operands, and the precedence of operators is implicit within the expression.

For example, with infix notation, you represent the expression that adds 3 to 4 as (3 + 4). With prefix notation, you represent this concept as (+ 3 4).

LDAP search filters use the following symbols to represent logical operators: a vertical bar (|) represents the logical OR operator, an ampersand (&) represents the logical AND operator, and an exclamation point (!) represents the logical NOT operator.

Understanding what an LDAP search filter defines when it appears as a long string of text can be difficult. To make interpretation easier—when defining search filters or evaluating existing search filters—you can format the text into separate lines with horizontal tabs. For example, I find this representation of the search filter

(|
	(objectclass=remote-address)
	(objectclass=groupOfNames)
	(&
		(objectclass=organizationalperson)
		(physicalDeliveryOfficeName=Valbonne)
	)
)

easier to read and understand than this representation:

(|(objectclass=remote-address)(objectclass=groupOfNames)(&(objectclass=organizationalperson)(physicalDeliveryOfficeName=Valbonne)))

The Internet Engineering Task Force (IETF) Request for Comments (RFC) 2254 fully defines the syntax for LDAP search filters. I recommend taking a look at this RFC if you intend to build complex search filters to achieve sophisticated Active Directory Connector (ADC) synchronization.
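The line-and-tab layout described above can be produced mechanically, which helps when reviewing a long filter taken from a configuration or a log. The following Python sketch is an added example, not code from the article; the function name `format_ldap_filter` and the constant `PAGE_FILTER` are assumptions. It relies on the RFC 2254 rule that literal parentheses inside a value are written as `\28` and `\29`, and it checks nesting balance only, not full RFC syntax.

```python
# Added example: pretty-print an LDAP search filter, one component per line.
PAGE_FILTER = ("(|(objectclass=remote-address)(objectclass=groupOfNames)"
               "(&(objectclass=organizationalperson)"
               "(physicalDeliveryOfficeName=Valbonne)))")  # filter from the article


def format_ldap_filter(flt, indent="\t"):
    """Return the filter split across lines, indented by nesting depth."""
    lines, depth, i, n = [], 0, 0, len(flt)
    while i < n:
        ch = flt[i]
        if ch.isspace():
            i += 1  # tolerate input that is already partly formatted
        elif ch == "(" and i + 1 < n and flt[i + 1] in "&|!":
            # Composite filter: the prefix operator opens a nesting level.
            lines.append(indent * depth + "(" + flt[i + 1])
            depth += 1
            i += 2
        elif ch == "(":
            # Simple item such as (attr=value); it ends at the next ")"
            # because literal parentheses in values are escaped as \28, \29.
            end = flt.find(")", i)
            if end == -1:
                raise ValueError("unterminated item at offset %d" % i)
            item = flt[i:end + 1]
            if "(" in item[1:]:
                raise ValueError("unescaped '(' in item at offset %d" % i)
            lines.append(indent * depth + item)
            i = end + 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            lines.append(indent * depth + ")")
            i += 1
        else:
            raise ValueError("unexpected %r at offset %d" % (ch, i))
    if depth != 0:
        raise ValueError("%d composite filter(s) left unclosed" % depth)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_ldap_filter(PAGE_FILTER))
```

A filter that raises `ValueError` here has mismatched parentheses and deserves a closer look before it is deployed.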
