What Are LDAP Equality Filters?

Updated on April 15, 2025

Finding specific information in a large database can be overwhelming, especially with LDAP (Lightweight Directory Access Protocol) directories. This is where LDAP equality filters are helpful. They make it easier to quickly locate the exact entries you need. 

In this blog, we’ll break down what these filters are, how they work, and how they can be used in your daily tasks.

What Are LDAP Equality Filters?

LDAP equality filters are one of the simplest yet most powerful tools within LDAP. At their core, they allow you to search for directory entries where a specific attribute matches a specified value. These filters deliver precise results, ensuring you locate exactly what you’re looking for within the directory.

Basic Syntax

The syntax of an LDAP equality filter is straightforward and follows the format: (attribute=value)

  • Attribute refers to a named property or field within an LDAP entry, such as cn (common name) or uid (user ID).
  • Value is the specific criterion you wish to match.

For example:

  • (uid=johndoe) searches for entries where the user ID (uid) is “johndoe.”
  • (cn=John Doe) retrieves entries where the common name (cn) is “John Doe.”
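
Building this filter in code, as an added example that is not part of the original article: the value is escaped per RFC 4515 so that characters with special meaning in filter syntax (such as * and parentheses) are compared literally and the result stays a single equality match. The function names and the "Smith (Contractor)" sample value are assumptions made for illustration.

```python
import re

# RFC 4515: inside an assertion value these characters are written as a
# backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute description: a short name (letter, then letters/digits/hyphens)
# or a numeric OID. Options such as ";binary" are deliberately not accepted.
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)")


def escape_value(value: str) -> str:
    """Escape a value so the server compares it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Return the filter string (attribute=value) with the value escaped."""
    if not _ATTR_RE.fullmatch(attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    return f"({attribute}={escape_value(value)})"


if __name__ == "__main__":
    print(equality_filter("uid", "johndoe"))            # filter from the article
    print(equality_filter("cn", "John Doe"))            # filter from the article
    print(equality_filter("cn", "Smith (Contractor)"))  # constructed sample
    # Unescaped, "*" would make (uid=*) a presence filter, not an equality match.
    print(equality_filter("uid", "*"))
```

python-ldap and ldap3 each provide an escape_filter_chars helper for the value part; the attribute-name check is an extra precaution of this example.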

Key Characteristics

  • Direct Matching: The filter bypasses partial matches and searches only for exact matches between the value you specify and an entry’s attribute.
  • Case Sensitivity: Attribute names are typically case-insensitive (cn is treated the same as CN). However, case sensitivity for values depends on the attribute’s syntax as defined in the LDAP schema. For example:
    • Attributes with the Directory String syntax are often case-insensitive.
    • Attributes defined with CaseExactString syntax require matching the exact case of the value.

How Do LDAP Equality Filters Work?

Equality filters function through a structured search process:

  1. Attribute Evaluation: The LDAP server evaluates the specified attribute for each entry within the search scope (e.g., a specific organizational unit or the entire directory).
  2. Comparison Against Value: For each entry, the server compares the value of the attribute against the value specified in the filter.
  3. Include Matching Entries: If a match is found for at least one of the attribute’s values (in the case of multi-valued attributes), that entry is included in the search results.

This efficient matching process makes equality filters one of the most commonly used tools in LDAP searches.

Syntax Details and Examples

Understanding the syntax and seeing examples helps clarify how LDAP equality filters are applied in real-world scenarios. Here’s a closer look:

Common Use Cases for Equality Filters

  • Searching for a Specific User by Common Name:
    • Filter: (cn=John Doe)
    • Outcome: Retrieves any directory entries with a common name (cn) of “John Doe.”
  • Locating a User by Unique Identifier:
    • Filter: (uid=johndoe)
    • Outcome: Fetches entries where the user ID exactly matches “johndoe.”
  • Finding a Group by Name:
    • Filter: (cn=Sales Team)
    • Outcome: Returns the directory entry for the group “Sales Team.”
  • Identifying a Device by Operating System:
    • Filter: (operatingSystem=Windows Server 2022)
    • Outcome: Retrieves entries representing computers running “Windows Server 2022.”
  • Querying an Entry by Email Address:

Multi-Valued Attributes

Some LDAP attributes can store multiple values. For these, the equality filter will match any one value. For example:

  • Filter: (memberOf=cn=Admin Group,ou=Groups,dc=example,dc=com)
    • Outcome: Matches entries that are members of the “Admin Group.”

Case Sensitivity Considerations

LDAP equality filters interact closely with the directory schema, which determines how attributes behave:

  • Case-Insensitive Matching: Attributes using the Directory String syntax (e.g., mail, cn) typically allow case-insensitive comparisons. For instance:
    • (cn=John Doe) and (cn=john doe) both match an entry with cn set to “John Doe.”
  • Case-Sensitive Matching: For attributes defined with the CaseExactString syntax, such as certain security settings, case sensitivity applies. For example:
    • (caseExactAttribute=Value) matches “Value” but not “value.”

Consult your LDAP schema documentation to confirm an attribute’s syntax.
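
The matching steps from “How Do LDAP Equality Filters Work?”, together with the multi-valued and case-sensitivity behaviour described above, as an added in-memory example that is not part of the original article or any LDAP server's code. SCHEMA and ENTRIES are constructed sample data; in schema terms the case behaviour is carried by the attribute's equality matching rule (caseIgnoreMatch or caseExactMatch). The scope check is a plain DN suffix comparison and caseIgnoreMatch is reduced to case folding, both simplifications.

```python
# Constructed sample schema: attribute name (lower-cased) -> equality matching rule.
SCHEMA = {
    "cn": "caseIgnoreMatch",
    "uid": "caseIgnoreMatch",
    "mail": "caseIgnoreMatch",
    "caseexactattribute": "caseExactMatch",  # attribute name used in the article
}

# Constructed sample entries; every attribute holds a list of values.
ENTRIES = [
    {"dn": "uid=johndoe,ou=People,dc=example,dc=com",
     "uid": ["johndoe"], "cn": ["John Doe", "Johnny Doe"],
     "caseExactAttribute": ["Value"]},
    {"dn": "uid=janeroe,ou=People,dc=example,dc=com",
     "uid": ["janeroe"], "cn": ["Jane Roe"]},
    {"dn": "cn=Sales Team,ou=Groups,dc=example,dc=com",
     "cn": ["Sales Team"]},
]


def values_equal(rule, stored, asserted):
    """Compare one stored value with the asserted value under a matching rule."""
    if rule == "caseExactMatch":
        return stored == asserted
    # Simplified caseIgnoreMatch: compare case-folded strings only.
    return stored.casefold() == asserted.casefold()


def search(entries, base, attribute, asserted):
    """Return DNs under `base` where any value of `attribute` equals `asserted`."""
    name = attribute.lower()          # attribute names are case-insensitive
    rule = SCHEMA.get(name)
    if rule is None:
        return []                     # attribute unknown to this sample schema
    hits = []
    for entry in entries:
        if not entry["dn"].lower().endswith(base.lower()):
            continue                  # step 1: entry is outside the search scope
        stored = next((v for k, v in entry.items() if k.lower() == name), [])
        # steps 2-3: one matching value is enough for a multi-valued attribute
        if any(values_equal(rule, s, asserted) for s in stored):
            hits.append(entry["dn"])
    return hits
```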

Efficiency of Equality Filters

Equality filters are particularly efficient, especially when applied to indexed attributes. Indexing allows the LDAP server to significantly reduce the number of entries it needs to evaluate during a query. Administrators often index frequently searched attributes (e.g., uid, cn, mail) to maximize search performance.

Because equality filters focus on exact matches, they are computationally lighter than more complex filters like substrings or logical operators, making them ideal for high-efficiency environments.
