What Are Comparison and Logical LDAP Filters?

IT Index > What Are Comparison and Logical LDAP Filters?

Share This Article

Updated on April 15, 2025

LDAP (Lightweight Directory Access Protocol) is a useful tool for accessing and managing directory information. One of its key features is the ability to perform accurate searches using filters. The two main types of filters that can improve LDAP searches are comparison filters and logical filters. Knowing how these filters work and how to use them is important for anyone managing LDAP directories. 

This blog will explain how comparison and logical filters work, show you their syntax, and provide clear examples to help you get started.

Comparison LDAP Filters: Matching Attribute Values

Comparison filters are designed to test the relationship between an attribute of an LDAP entry and a specified value. These filters help you narrow down your search criteria to retrieve only the entries that meet specific conditions. Here’s a closer look at common comparison operators:

Equality (=)

The equality filter retrieves entries where an attribute’s value exactly matches the specified value. It’s one of the most basic and commonly used filters.

Syntax Example: (cn=John Doe)

This filter retrieves entries with a commonName attribute equal to “John Doe.”

Greater Than (>) and Greater Than or Equal To (>=)

These filters work for attributes with lexicographic or numeric ordering, allowing you to retrieve entries where the attribute’s value exceeds or matches a certain threshold.

Syntax Example: (age>=30)

This filter matches entries with an age attribute of 30 or above.

Less Than (<) and Less Than or Equal To (<=)

Similarly, these filters allow you to match entries where an attribute’s value is less than (or equal to) the specified value.

Syntax Example: (yearsOfExperience<5)

This filter will find entries with fewer than five years of experience.

Approximate Match (~=)

The approximate match filter retrieves entries with attribute values that are “close enough” to the specified value. The criteria for approximate similarity can vary by LDAP implementation but often include phonetic or case-insensitive matches.

Syntax Example: (sn~=Smyth)

This filter may match entries with the surname attribute set to “Smith,” “Smythe,” or similar spellings.

Substring Match (=value* , *=value , =value)

Substring filters use the * wildcard to match partial attribute values. You can search for entries that start with, end with, or contain specific strings.

Syntax Examples:

  • Starts with “Smith”: (sn=Smith*)
  • Ends with “Manager”: (title=*Manager)
  • Contains “Admin”: (department=Admin)

Presence (=*)

The presence filter identifies entries that have a specified attribute, regardless of its value.

Syntax Example: (mail=*)

This filter retrieves entries with a mail attribute, even if the value isn’t specified.

Logical LDAP Filters: Combining Search Criteria

While comparison filters excel at testing specific conditions, logical filters are used to combine multiple filters for more complex searches. Three primary logical operators help achieve this:

AND (&)

The AND operator ensures that all enclosed filters must be true for an entry to qualify as a match.

Syntax Example: (&(title=Manager)(l=New York))

This filter matches entries where the title is “Manager” and the location is “New York.”

OR (|)

The OR operator matches entries when at least one enclosed filter evaluates as true.

Syntax Example: (|(ou=Sales)(ou=Marketing))

This filter retrieves entries belonging to either the “Sales” or “Marketing” organizational units.

NOT (!)

The NOT operator excludes entries that meet a specified condition.

Syntax Example: (!(userAccountControl=Inactive))

This filter retrieves all entries where the userAccountControl attribute does not equal “Inactive.”

Syntax and Structure of LDAP Filters

LDAP filters use parenthesized prefix notation, which may seem counterintuitive at first. However, this format is both concise and scalable, making it ideal for building complex queries.

Basic Syntax for Comparison Filters

A comparison filter is structured as: (attributeOperatorValue)

For instance: (cn=John Doe)

Syntax for Logical Filters

Logical filters use parentheses to group components, with the operator preceding its filters:

  • AND example: (&(filter1)(filter2))
  • OR example: (|(filterA)(filterB))
  • NOT example: (!(filterC))

Nesting Logical Filters

For complex searches, logical filters can nest within each other: (&(|(department=IT)(department=DevOps))(!(status=Inactive)))

This example:

  1. Matches entries in the “IT” or “DevOps” departments.
  2. Excludes entries where the status is “Inactive.”

Practical Examples and Use Cases

To solidify the concepts introduced above, here are some real-world examples of LDAP filters in action:

  • Find a user with a specific common name (Equality): (cn=John Doe)
  • Find users with a last name starting with “Smith” (Substring): (sn=Smith*)
  • Find users who have an email address (Presence): (mail=*)
  • Find users who are either in the “Sales” or “Marketing” organizational unit (OR): (|(ou=Sales)(ou=Marketing))
  • Find users who are managers in “New York” (AND): (&(title=Manager)(l=New York))
  • Find users who are not disabled (Active Directory example) (NOT with Extensible Match): (!(userAccountControl:1.2.840.113556.1.4.803:=2))

Continue Learning with Related Posts

Continue Learning with our Newsletter