Understanding LDAP Filter Syntax

IT Index > Understanding LDAP Filter Syntax

Share This Article

Updated on April 14, 2025

The Lightweight Directory Access Protocol (LDAP) is a key part of enterprise IT, providing a standard way to access and manage directory-based information. 

This guide explains LDAP filter syntax in a clear, straightforward way, with examples and practical uses included.

What Are LDAP Filters? 

LDAP filters define search criteria when querying an LDAP directory. By specifying attributes, operators, and values, LDAP filters allow clients to retrieve specific entries from the directory. They help narrow down search results by focusing on subsets of entries based on precise conditions.

For example, if you’re looking for users in a specific department or all objects updated within a particular date range, proper use of filters makes these tasks efficient and accurate. Effective filters can reduce server load, speed up queries, and ensure relevant results.

Key takeaway? Understanding LDAP filter syntax is a critical skill for anyone working with directory-based applications or identity services.

Basic Structure of LDAP Filters 

At its core, an LDAP filter follows this structure: (attributeOperatorValue)

Here are the essential components:

  • Attribute refers to the specific LDAP field you’re targeting (e.g., cn for common name, mail for email address).
  • Operator specifies the kind of comparison (e.g., equal to, not equal to).
  • Value is the data you’re searching for.

Examples:

  • (cn=John Doe): Finds an entry where the cn (common name) is exactly “John Doe.”
  • (mail=*@example.com): Matches all email addresses under example.com.

Now, let’s explore operators in more detail.

Key Operators in LDAP Filters 

LDAP supports a variety of operators, which allow for flexible searches. Below are the most common ones:

Comparison Operators 

  • = (Equal to): Matches exact values.
    • Example: (uid=user123) finds entries where uid is “user123.”
  • != (Not equal to): Finds entries that don’t match a specific value. (Less common with LDAP implementations.)
  • > or < (Greater than, Less than): Used to compare numeric values.
    • Example: (age>30) retrieves entries where age is greater than 30.
  • ~= (Approximate match): Matches values that are phonetically similar.
    • Example: (sn~=Smith) might return “Smyth” or “Smithe” depending on implementation.

Wildcards (*) for Substring Matching 

The * wildcard is a powerful tool for flexible string matches:

  • Starts With: (cn=John*) matches values like “John,” “Johnny,” or “Johnathan.”
  • Ends With: (mail=*@gmail.com) searches for email addresses ending in “@gmail.com.”
  • Contains: (cn=Doe) finds entries with “Doe” anywhere in the value.

These operators make it easy to query incomplete or uncertain data. However, note that wildcards may lead to slower queries, so use them judiciously.

Boolean Operators for Complex Conditions 

When searching with multiple criteria, Boolean operators allow you to combine and refine conditions.

AND (&)

Use & when you need all specified conditions to be true. For example: (&(objectClass=person)(department=Engineering))

This filter retrieves entries where objectClass is “person” and the department is “Engineering.”

NOT (!)

The ! operator excludes entries that meet a specific condition: (!(department=HR))

This matches all entries except those in the “HR” department.

Tip: These operators follow Polish notation, meaning the operator precedes its conditions. Each Boolean filter must also be enclosed in parentheses for proper syntax.

Special Features of LDAP Filters 

Presence and Absence Filters 

To identify whether an attribute exists, use:

  • Presence: (attribute=*)
    • Example: (mail=*) finds all entries with an email address.
  • Absence: (!(attribute=*))
    • Example: (!(phone=*)) retrieves entries without a phone number.

These filters help ensure no key attributes are missing from directory entries.

Extensible Matching 

For advanced searches, extensible matching leverages matching rule OIDs (Object Identifiers). This feature is supported in some LDAP implementations for niche use cases.

Syntax: (attribute:<OID>:=value)

Example: (uidNumber:1.2.840.113556.1.4.803:=1000)

This searches for entries where uidNumber matches a specific rule. Keep in mind that extensible matching requires understanding LDAP schema and OIDs.

Escaping Special Characters 

Certain characters must be escaped in attribute values to avoid syntax errors:

  • Example characters: (, ), *, /, \
  • Escape format: Use a backslash (\) followed by the hexadecimal representation of the character.

Failing to escape these characters correctly can lead to invalid filters or unintended results.

Practical Examples of LDAP Filters 

These example use cases highlight the power of LDAP query filters:

  1. Finding a User by Common Name (CN): (cn=Mary Johnson)
  2. Retrieving All Members of a Group: (memberOf=cn=Marketing,ou=Groups,dc=example,dc=com)
  3. Finding All Entries in a Specific Organizational Unit (OU): (ou=Finance)
  4. Searching for Email Addresses with a Specific Domain: (mail=*@example.org)
  5. Combining Criteria to Find Specific User Types: (&(objectClass=inetOrgPerson)(sn=Smith))

Key Terms Appendix 

  • LDAP (Lightweight Directory Access Protocol): A protocol for directory service queries and management.
  • Filter: A string defining criteria for LDAP search.
  • Attribute: A field in an LDAP entry (e.g., cn, mail).
  • Value: Data associated with an attribute.
  • Operator: Defines relationships (e.g., equal to, contains).
  • Boolean Operator: Combines conditions with &, |, or !.
  • Wildcard (*): Enables flexible string matches.
  • Matching Rule OID: Identifiers for specialized comparisons.

Continue Learning with Related Posts

Continue Learning with our Newsletter