LDAP search filters

Search filters

An LDAP search filter is a string with a specific syntax, defined in RFC 4515, that selects entries in the directory. An LDAP search request returns the entries within the specified search scope that satisfy the filter.

The following table lists some examples of LDAP search filters:

Search filter                                                               Description
(objectClass=*)                                                             All objects.
(&(objectCategory=person)(objectClass=user)(!(cn=john)))                    All user objects except "john".
(sn=sm*)                                                                    All objects with a surname that starts with "sm".
(&(objectCategory=person)(objectClass=contact)(|(sn=Smith)(sn=Johnson)))    All contacts with a surname equal to "Smith" or "Johnson".

Every filter is enclosed in parentheses and has one of the following two forms; the second nests filters of either form, to any depth:

  • (<attribute><comparison operator><value>)
  • (<logical operator><filter1><filter2>...<filterN>)

The NOT operator (!) takes exactly one nested filter, so a negation is written (!(cn=john)), not (!cn=john).

Operators

The following table lists frequently used search filter operators. The first four compare an attribute with a value; the last three combine filters.

Operator  Description
=         Equal to (with * in the value: presence or substring match, see Wildcards)
~=        Approximately equal to (how "approximate" is defined is up to the server)
<=        Less than or equal to, using the attribute's ordering matching rule (undefined for attributes that have none)
>=        Greater than or equal to, using the attribute's ordering matching rule (undefined for attributes that have none)
&         AND
|         OR
!         NOT

The characters *, (, ), \ and NUL have a meaning inside a filter, so when they appear in a value they must be escaped as \2a, \28, \29, \5c and \00 (RFC 4515, section 3). A value copied from user input into a filter without this escaping can change the structure of the filter instead of being matched literally.

Wildcards

The asterisk (*) is the only wildcard. On its own, (attribute=*) is a presence filter that matches every entry that has the attribute; combined with text it forms a substring filter. Quotes are not part of the syntax: (cn>='bob') compares against the literal string 'bob', quotes included. The examples below use mail, the standard schema attribute (RFC 4524) for an e-mail address.

Example                                                        Description
(objectClass=*)                                                Get all entries.
(cn=*bob*)                                                     Get entries containing "bob" somewhere in the common name.
(cn>=bob)                                                      Get entries with a common name that sorts at or after "bob".
(&(objectClass=user)(mail=*))                                  Get all users that have an e-mail attribute.
(&(sn=smith)(objectClass=user)(mail=*))                        Get all user entries with an e-mail attribute and a surname equal to "smith".
(&(objectClass=user)(|(cn=andy*)(cn=steve*)(cn=margaret*)))    Get all user entries with a common name that starts with "andy", "steve", or "margaret".
(!(mail=*))                                                    Get all entries without an e-mail attribute.
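The following Python program is an added worked example, not part of the original page. It is a small evaluator for the filter syntax described above: it parses both filter forms, applies the comparison and logical operators, treats an unescaped * as a wildcard, rejects the malformed (!cn=john) form, and shows why a value taken from user input has to be escaped per RFC 4515 section 3 before it is placed in a filter. Assumptions: the directory entries are constructed sample data, every attribute is compared with caseIgnoreMatch and plain string ordering, the ~= behaviour is a stand-in because approximate matching is server-defined, and the helper names (parse_filter, matches, search, user_filter) are this example's own.

```python
import re

# Constructed sample directory (not real data): attribute names lower-cased, every value a list.
DIRECTORY = [
    {"dn": "cn=john,ou=people,dc=example,dc=com", "objectcategory": ["person"],
     "objectclass": ["user"], "cn": ["john"], "sn": ["Smith"], "mail": ["john@example.com"]},
    {"dn": "cn=bob,ou=people,dc=example,dc=com", "objectcategory": ["person"],
     "objectclass": ["user"], "cn": ["bob"], "sn": ["Johnson"]},
    {"dn": "cn=andy smith,ou=people,dc=example,dc=com", "objectcategory": ["person"],
     "objectclass": ["user"], "cn": ["andy smith"], "sn": ["Smith"], "mail": ["andy@example.com"]},
    {"dn": "cn=Acme (Sales),ou=contacts,dc=example,dc=com", "objectcategory": ["person"],
     "objectclass": ["contact"], "cn": ["Acme (Sales)"], "sn": ["Johnson"]},
]

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(=|~=|>=|<=)")  # <attribute><comparison operator>

def escape_filter_value(value: str) -> str:
    """Escape untrusted input so it is matched literally: no wildcard, no injected filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(raw: str) -> str:
    # A single left-to-right pass decodes \XX escapes and cannot double-decode r"\5c2a".
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def parse_filter(text: str):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [children]) or (op, attribute, raw_value)."""
    pos = 0
    def peek():
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        return text[pos]
    def node():
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if peek() in "&|!":                       # (<logical operator><filter1>...<filterN>)
            op, pos = text[pos], pos + 1
            children = []
            while peek() == "(":
                children.append(node())
            if op == "!" and len(children) != 1:
                raise ValueError("NOT wraps exactly one filter, e.g. (!(cn=john))")
            tree = (op, children)
        else:                                     # (<attribute><operator><value>)
            m = _ITEM.match(text, pos)
            if not m:
                raise ValueError(f"bad filter item at offset {pos}")
            end = text.index(")", m.end())       # first unescaped ')' ends the value (ValueError if none)
            tree = (m.group(2), m.group(1).lower(), text[m.end():end])
            pos = end
        if peek() != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return tree
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry) -> bool:  # caseIgnoreMatch is assumed for every attribute
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])   # (&) matches everything (RFC 4526)
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, raw = tree
    values = [v.lower() for v in entry.get(attr, [])]
    if op == "=" and raw == "*":                          # presence filter, e.g. (mail=*)
        return bool(values)
    if op == "=" and "*" in raw:                          # substring filter: unescaped '*' is a wildcard
        rx = ".*".join(re.escape(_unescape(part).lower()) for part in raw.split("*"))
        return any(re.fullmatch(rx, v, re.DOTALL) for v in values)
    want = _unescape(raw).lower()
    if op == "=":
        return want in values
    if op in (">=", "<="):                                # ordering rule: plain string order here
        return any(v >= want if op == ">=" else v <= want for v in values)
    norm = lambda s: re.sub(r"[^a-z0-9]", "", s)          # '~=' is server-defined; this is a stand-in
    return any(norm(v) == norm(want) for v in values)

def search(filter_text: str, directory=DIRECTORY):  # DNs of matching entries; ValueError on bad syntax
    tree = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(tree, e)]

def is_valid_filter(filter_text: str) -> bool:
    try:
        return parse_filter(filter_text) is not None
    except ValueError:
        return False

def user_filter(name: str, escape: bool = True) -> str:
    value = escape_filter_value(name) if escape else name  # escape=False: raw concatenation, injectable
    return f"(&(objectClass=user)(cn={value}))"
```

Run search(user_filter("*", escape=False)) and search(user_filter("*")) side by side: the raw concatenation turns the input into a presence filter and returns every user, while the escaped form looks for a common name that is literally an asterisk and returns nothing. The same escaping stops an input such as *)(mail=* from appending conditions of its own to the filter, and parse_filter rejects (!cn=john) for the reason given in the Operators section.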