16

In my LDAP client program I sometimes have to include the DN value within the search filter. But this DN changes frequently, and every time I have to change this filter in my code.

When I googled for that I got something like this:

Suppose you want to pull all users of ObjectType = Person from the R&D and HR OUs, but not any users from Marketing and PM. The filter would be:

(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))

Can anybody explain this more in detail?

ROMANIA_engineer
Dungeon Hunter

3 Answers

19

You should check RFC 2254 (The String Representation of LDAP Search Filters).

LDAP filters use Polish notation for the boolean operators, so the operator is written before its operands:

(&(condition1)(condition2)(condition3)...)

The example above means that you want all LDAP entries which satisfy condition1 AND condition2 AND condition3 and so on.

Then there are the conditions themselves. They are very simple and come in only a few types:

  • present condition - (attrName=*)
  • simple condition - (attrName=value) / (attrName>=value) / (attrName<=value) / (attrName~=value)
  • substring condition - (attrName=*value*) / (attrName=*value) / (attrName=value*)
  • extensible condition - (attrName:dn:=value) / (attrName:matchingRule:=value)

The extensible condition with the :dn: keyword means that you want attributes from the entry DN to be considered as well. So for your case the entry cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com would match the filter (ou:dn:=HumanResources).

Translating your example filter to an English sentence would be:

Find me all LDAP entries which have objectClass equal to person and have either ResearchAndDevelopment or HumanResources in their ou attribute or somewhere on their DN.

Pavel Horal
    Note that support for these conditions varies by vendor. For example, Active Directory does not support extensible conditions and treats approximate equal (`~=`) and equal (`=`) identically. [Reference.](http://ldapwiki.com/wiki/ExtensibleMatch) – bishop Dec 18 '17 at 18:26
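To make the syntax above concrete, here is a small filter evaluator added as an illustration (it is not part of the answer and not from any LDAP library): it parses an RFC 2254 filter in the Polish-notation form described above and evaluates it against a constructed in-memory directory, so you can see that (ou=HumanResources) matches only the OU entry while (ou:dn:=HumanResources) also matches the user whose DN contains that RDN. Escaped characters, multi-valued RDNs and the real ordering and approximate matching rules are simplified.

```python
import re
# Constructed in-memory directory for the example (not from the question): (DN, attributes).
ENTRIES = [
    ("cn=John Doe,ou=HumanResources,dc=example,dc=com", {"objectClass": ["person"]}),
    ("cn=Ann Lee,ou=ResearchAndDevelopment,dc=example,dc=com", {"objectClass": ["person"]}),
    ("cn=Bob Ray,ou=Marketing,dc=example,dc=com", {"objectClass": ["person"]}),
    ("ou=HumanResources,dc=example,dc=com", {"objectClass": ["organizationalUnit"], "ou": ["HumanResources"]}),
]
# One simple item: attr[:dn][:rule](=|>=|<=|~=)value. Escaped characters are not handled here.
ITEM = re.compile(r"([A-Za-z0-9.;-]+)(:dn)?(?::[A-Za-z0-9.]+)?:?(>=|<=|~=|=)(.*)")

def parse(s, i=0):
    # Recursive-descent parser for an RFC 2254 filter; returns (tree, index after the item).
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":                  # Polish notation: the operator comes before its operands
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1       # i + 1 skips the closing ')'
    end = s.index(")", i)
    m = ITEM.fullmatch(s[i:end])
    if not m:
        raise ValueError("bad filter item: " + s[i:end])
    attr, use_dn, cmp, value = m.groups()
    return ("item", (attr.lower(), bool(use_dn), cmp, value.lower())), end + 1

def matches(node, dn, attrs):
    # Evaluate a parsed filter against one entry; values are compared case-insensitively.
    op, body = node
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, dn, attrs) for k in body)
    if op == "!":
        return not matches(body[0], dn, attrs)
    attr, use_dn, cmp, value = body
    vals = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    if use_dn:                         # :dn: also considers the RDN values in the entry's own DN
        vals += [v.lower() for k, v in (r.split("=", 1) for r in dn.split(",")) if k.lower() == attr]
    if cmp == "=" and value == "*":    # presence
        return bool(vals)
    if cmp == "=" and "*" in value:    # substring: every '*' becomes '.*'
        return any(re.fullmatch(".*".join(map(re.escape, value.split("*"))), v) for v in vals)
    if cmp in ("=", "~="):             # ~= treated as plain equality here (Active Directory does the same)
        return value in vals
    return any(v >= value if cmp == ">=" else v <= value for v in vals)  # plain string ordering

def search(filter_str, entries=ENTRIES):
    tree, _ = parse(filter_str)        # return the DNs of all entries that satisfy the filter
    return [dn for dn, attrs in entries if matches(tree, dn, attrs)]
```

Running search() with the question's filter returns John Doe and Ann Lee but not Bob Ray (ou=Marketing) and not the HR organizationalUnit entry itself (its objectClass is not person).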
1

You can use the DN as the base and set the search scope to base.

That is, set the DN value as the base, and set the search scope to base (the search scope is one of base, sub and one).

zyf0330
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Sep 29 '21 at 08:06
0

If you really need to search by the whole DN, you can search with:

(distinguishedName=CN=MyCommonName,OU=SomeEnv,...,DC=SomeDir)
Nick Kuznia