Updated on April 15, 2025
LDAP wildcard filters are a powerful but often overlooked tool for searching and managing directory entries. This post explains LDAP wildcard filters, focusing on how the asterisk (*) works as a wildcard, how to use substring filters, where they can be applied, and their limitations.
Core Concept: The Asterisk (*) as a Wildcard
The asterisk (*) is a key part of LDAP wildcard filters. In LDAP filters, the asterisk represents zero or more characters, making it essential for substring searches.
Wildcards make it easier to perform flexible searches when exact matches aren’t possible. For instance, you can search for entries that start with certain characters, include a specific substring, or match any value for an attribute. This is especially helpful when dealing with large directories containing thousands or even millions of entries.
Example Use of the Wildcard
- (cn=*son): Matches entries where the common name (cn) ends with “son.”
- (mail=*@example.com): Matches entries where the email domain is “example.com.”
Substring Filter Syntax Recap
Before jumping into the types of wildcard usage, let’s revisit the basic syntax of an LDAP substring filter: (attribute=value), where value contains one or more asterisks (*) that mark the unspecified parts of the string.
Key Concepts in Substring Filters
- subInitial: Matches when the beginning of the attribute value aligns with the specified characters (e.g., value*).
- subAny: Matches when specified characters appear anywhere in the attribute value (e.g., (cn=*John*)).
- subFinal: Matches when the end of the value aligns with the specified characters (e.g., *value).
Types of Wildcard Usage
Wildcard at the Beginning (*value)
When the asterisk precedes the specified value, the filter matches entries where the attribute value ends with the given string.
Example:
- Filter: (cn=*son)
- Description: Finds entries where the common name ends with “son” (e.g., Johnson, Wilson).
Wildcard at the End (value*)
Placing the wildcard at the end matches entries where the attribute value starts with the specified string.
Example:
- Filter: (givenName=Jo*)
- Description: Finds entries where the given name begins with “Jo” (e.g., John, Joanna).
Wildcard in the Middle (value*value)
When the asterisk appears between substrings, the filter matches entries containing a specific prefix and suffix, with any number of characters in between.
Example:
- Filter: (description=*printer*)
- Description: Matches entries where the description includes the substring “printer” (e.g., network printer, color printer).
Multiple Wildcards
Using multiple asterisks enables complex pattern matching by including multiple substrings in one query.
Example:
- Filter: (cn=A*b*c*)
- Description: Matches entries where the common name starts with ‘A,’ contains ‘b’ at some point after that, and ends with ‘c’ (e.g., Abc, Ab123bc).
Wildcard Only (attribute=*)
The special case of using only a wildcard indicates a presence filter. This matches any entry that has the specified attribute, regardless of its value.
Example:
- Filter: (telephoneNumber=*)
- Description: Finds all entries that have a telephoneNumber attribute, regardless of its value.
Limitations and Cautions
While LDAP wildcards are powerful, they come with limitations. Understanding these constraints helps you avoid inefficiencies and errors.
Attribute Type
Wildcards are typically used with string-based attributes; attempting to use them on non-string attributes (e.g., integers) can result in syntax errors or unsupported behavior. The behavior is ultimately determined by the attribute’s matching rule as defined in the LDAP schema. While unusual, some non-string attributes might technically allow wildcard searches if stored as strings.
Performance Impact
Wildcard searches, particularly those starting with an asterisk (e.g., *value), can significantly impact query performance. These searches often require a full scan of the directory, which can slow down large-scale operations.
Context Specificity
Keep in mind that wildcards operate specifically within the context of substring filters. They cannot be used interchangeably with equality or range filters.
Distinguished Names (DNs)
Using wildcards with Distinguished Names (DNs) can be problematic or entirely unsupported in some LDAP implementations. Be cautious when attempting to use wildcards in such scenarios.
Use Cases for LDAP Wildcard Filters
To see the practical value of LDAP wildcards, here are some real-world scenarios where they excel:
- Finding Users by Surname Initial
  - Filter: (sn=J*)
  - Use Case: Identify employees with last names starting with “J” for departmental updates.
- Searching for Descriptions Containing Keywords
  - Filter: (description=*project*)
  - Use Case: Locate all directory entries whose description mentions a project.
- Filtering Organizational Units
  - Filter: (ou=*Finance*)
  - Use Case: Find entries in organizational units (OUs) whose name contains the word “Finance.”
Comparison with Equality Filters
To leverage LDAP wildcards effectively, it is essential to understand how they differ from equality filters:
- Equality Filters: (attribute=value)
  - Require an exact match between the attribute and the specified value.
  - Example: (cn=John) only matches “John.”
- Wildcard Filters: Allow for partial matches or patterns using the asterisk (*).
  - Example: (cn=Jo*) matches “John,” “Joanna,” etc.
Equality filters are precise but less flexible, making them ideal for exact searches. Wildcard filters, on the other hand, provide flexibility for broad or partial matches.
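To make the substring semantics from “Types of Wildcard Usage” and the equality comparison above concrete, here is a small matcher written for this post (not code from the original article or from any LDAP library) that splits a simple filter into its subInitial, subAny and subFinal pieces and tests it against an in-memory entry. It assumes case-insensitive matching, as the caseIgnore matching rules commonly used for cn, sn and mail give, and handles only single, unescaped filters.

```python
import re

# Minimal matcher for the simple filter forms discussed on this page (RFC 4515
# syntax): equality (attr=value), presence (attr=*) and substring filters whose
# value holds '*' wildcards. No escaping, compound filters or attribute options.
FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>.*)\)$")

def parse_filter(filter_text):
    """Return (attribute, kind, parts); kind is 'equality', 'presence' or
    'substring', and substring parts are (subInitial, [subAny...], subFinal)."""
    m = FILTER_RE.match(filter_text)
    if not m:
        raise ValueError(f"not a simple LDAP filter: {filter_text!r}")
    attr, value = m.group("attr").lower(), m.group("value")
    if value == "*":
        return attr, "presence", None          # (attr=*) is a presence filter
    if "*" not in value:
        return attr, "equality", value
    pieces = value.split("*")
    return attr, "substring", (pieces[0] or None,               # subInitial
                               [p for p in pieces[1:-1] if p],  # subAny (skip '**')
                               pieces[-1] or None)             # subFinal

def _substring_match(value, initial, anys, final):
    """Case-insensitive match; every piece must appear in order, left to right."""
    pos = 0
    if initial is not None:
        if not value.startswith(initial.lower()):
            return False
        pos = len(initial)
    for piece in anys:
        idx = value.find(piece.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    if final is not None:
        final = final.lower()
        return value.endswith(final) and len(value) - len(final) >= pos
    return True

def matches(filter_text, entry):
    """True if entry (dict: attribute -> list of string values) matches."""
    attr, kind, parts = parse_filter(filter_text)
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    if kind == "presence":
        return bool(values)
    if kind == "equality":
        return any(v.lower() == parts.lower() for v in values)
    return any(_substring_match(v.lower(), *parts) for v in values)
```

Feeding it the filters from this post against a constructed entry such as {"cn": ["Johnson"], "mail": ["j@example.com"]} shows which of the subInitial, subAny and subFinal pieces each one produces and whether it matches.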
Key Terms Appendix
- LDAP: Lightweight Directory Access Protocol; used to access and manage directory information.
- Filter: A search criterion in an LDAP query.
- Attribute: A property of an LDAP entry (e.g., “cn” for common name, “mail” for email).
- Substring: A sequence of characters within a larger string.
- Wildcard: A character (in this case, “*”) that represents zero or more unspecified characters.
- Equality Filter: An LDAP filter requiring an exact match (e.g., (cn=John)).
- Presence Filter: An LDAP filter that matches entries with an attribute, regardless of its value.