PSD1069 – LDAP Search Filter



Several of the PhenixID products make extensive use of LDAP search filters.
This document shows common search filters for different environments.
There is also a section on PhenixID search filter functionality built into specific applications.
The text is a compilation from IETF RFC 4515, Wikipedia and usage in different PhenixID applications.

LDAP Common Terms

LDAP Schema

The schema of a Directory Server defines a set of rules that govern the kinds of information that the server can hold. Attributes are the elements responsible for storing information in a directory, and the schema defines the rules for which attributes may be used in an entry, the kinds of values that those attributes may have, and how clients may interact with those values.

Distinguished Names (DNs)

The LDAP directory server model is based on entries (also referred to as objects).
Every entry in the directory has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory. A DN is made up of attribute=value pairs, separated by commas, for example:
cn=John Smith,ou=internal,o=phenixid
The DN contains one component for each level of the directory hierarchy, from the root down to the level where the entry resides. LDAP DNs begin with the most specific attribute (usually some sort of name) and continue with progressively broader attributes.

The first component of the DN is referred to as the Relative Distinguished Name (RDN). It identifies an entry distinctly from any other entries that have the same parent.
In the example above, the RDN “cn=John Smith” separates this entry from any other entry at the same level in the directory.

LDAP Port and LDAP Bind Errors

Normal LDAP ports:
389 Default
636 Secure LDAP, commonly known as “LDAP over SSL”

PSD1070 – Common Active Directory LDAP bind errors

LDAP Search Filter


Operator – Description
= – Equal to. The attribute must be equal to the given value for the assertion to be true.
~= – Approximately equal to.
<= – Less than or equal to.
>= – Greater than or equal to.
& – AND. Use this syntax when you have more than one condition and you want all conditions in the series to be true.
| – OR. Use this syntax when you have more than one condition and any one of them may be true.
! – NOT. This operator is used to exclude objects that match the enclosed condition, for example objects that have a certain attribute.

String Representation

If a value contains any of the following characters, they must be escaped:

Character – ASCII value
* – 0x2a
( – 0x28
) – 0x29
NUL – 0x00

The character must be encoded as the backslash “\” character (ASCII 0x5c) followed by the two hexadecimal digits representing the ASCII value of the encoded character. The case of the two hexadecimal digits is not significant.
For example, the filter checking whether the “cn” attribute contains a value with the character “*” anywhere in it would be represented as “(cn=*\2a*)”.
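The escaping rule above, as an added Python example (not code from the PhenixID page): values taken from input are encoded per RFC 4515 before being placed in a filter, so that metacharacters are matched literally rather than parsed as filter syntax. The function names and sample inputs are constructed for this example.

```python
# Added example (not from the PhenixID page): RFC 4515 escaping of assertion
# values, so that untrusted input matches literally instead of changing the
# structure of the filter.

# Characters that RFC 4515 requires to be escaped inside an assertion value.
# The page's table lists *, (, ) and NUL; RFC 4515 also lists the backslash,
# because it introduces the escape sequence itself.
_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode special characters as a backslash plus two hex digits (case is
    not significant; lowercase is used here). Non-ASCII characters are emitted
    as escaped UTF-8 bytes, which RFC 4515 also permits."""
    out = []
    for ch in value:
        if ch in _ESCAPE:
            out.append(_ESCAPE[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def contains_filter(attribute: str, text: str) -> str:
    """Substring filter: the wildcards belong to the filter, the text does not.
    contains_filter("cn", "*") yields the page's (cn=*\\2a*)."""
    return f"({attribute}=*{escape_filter_value(text)}*)"


def user_filter(cn: str) -> str:
    """The page's 'all user entries' filter narrowed to one cn taken from input."""
    return f"(&(objectClass=inetOrgPerson)(cn={escape_filter_value(cn)}))"


if __name__ == "__main__":
    # Constructed sample inputs; the second contains filter metacharacters that
    # would be parsed as syntax if they were not escaped.
    for name in ("John Smith", "Sm*th (Sales)"):
        print(user_filter(name))
    print(contains_filter("cn", "*"))
```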

Search Filter Examples

Search Filter – Description
(objectClass=*) – All objects
(cn=*John*) – Get entries containing “John” somewhere in the common name
(sn=sm*) – All objects with a surname that starts with “sm”
(&(objectClass=inetOrgPerson)(cn=*)) – Get all user entries
(!(mail=*)) – Get all entries without an e-mail attribute

Active Directory Specific – Description
(&(objectClass=user)(email=*)) – Get all users with an e-mail attribute
(&(objectClass=user)(|(cn=John*)(cn=Bob*)(cn=Christa*))) – Get all user entries with a common name that starts with “John”, “Bob”, or “Christa”
(&(objectCategory=group)(cn=APP*)) – Find all groups that start with “APP”
(&(objectCategory=computer)(!(description=*))) – Find all computers that do not have a description
(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)) – Find all users with “Password Never Expires” set
(&(objectCategory=person)(|(lastLogon=0)(!(lastLogon=*)))) – Find all users that have never logged in
(&(objectclass=user)(directReports=*)) – Show all managers
(&(objectCategory=group)(!(member=*))) – Groups with zero members
(&(objectclass=user)(memberOf=CN=HR,OU=Templates,DC=phenixid,DC=local)) – Find all users that are members of a specific group
Find all users that are members of a specific group, direct and nested membership.
(|(homeMDB=*)(msExchHomeServerName=*)) – Account is assigned an Exchange mailbox
PhenixID Specific – Description

Time format filters used in PhenixID Identity Manager and PhenixID Provisioning:
Use $$TODAY-10$$ or $$TODAY+10$$ to insert Generalized Time values for days past and days ahead.
(&(objectclass=inetOrgPerson)(loginTime>=$$TODAY-90$$)) – User not logged in for 90 days, with the Generalized Time format.
For Microsoft time format values use $$MSTODAY-10$$ or $$MSTODAY+10$$.
(&(objectcategory=User)(lastLogonTimestamp<=$$MSTODAY-90$$)) – User not logged in for 90 days, with the MS time format.

Used in PhenixID Provisioning:

Get NOW filter, according to this format:

* $$NOW([-]dd:hh:mm:ss[,type])$$
* Where type is optional and can be one of the following:
  * 1 = Unix Time
  * 2 = MS Time
  * A custom time format
* If type is omitted, Generalized Time is used.

$$NOW(-1:1:0:0)$$ – Move time back 1 day and 1 hour in Generalized Time format
$$NOW(0:0:30:10)$$ – Move time forward 30 minutes and 10 seconds in Generalized Time format
$$NOW(-0:3:0:0,1)$$ – Move time back 3 hours in Unix Time format
$$NOW(2:0:20:0,1)$$ – Move time forward 2 days and 20 minutes in Unix Time format
$$NOW(-0:2:0:0,2)$$ – Move time back 2 hours in Microsoft time format
$$NOW(1:0:20:0,2)$$ – Move time forward 1 day and 20 minutes in Microsoft time format
$$NOW(0:0:0:0,yyyy-MM-dd)$$ – The date of today in format 2020-08-02
$$NOW(-0:0:0:20,mm:ss)$$ – Move time back 30 seconds in format 10:32
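The $$NOW(...)$$ and $$TODAY-N$$ expansions above, worked through in Python as an added example; this is a reconstruction from the format the page describes, not PhenixID's own implementation. It assumes that custom types are Java-style date patterns (as in the page's yyyy-MM-dd and mm:ss), and SAMPLE_NOW is a constructed reference time so results are reproducible.

```python
# Added example (not PhenixID's own code): one way to expand the page's
# $$NOW([-]dd:hh:mm:ss[,type])$$ and $$TODAY-N$$ placeholders into LDAP time values.
import re
from datetime import datetime, timedelta, timezone

# Seconds between the Windows epoch (1601-01-01) and the Unix epoch (1970-01-01).
_WINDOWS_EPOCH_OFFSET = 11644473600
_NOW_RE = re.compile(r"^(-?)(\d+):(\d+):(\d+):(\d+)(?:,(.+))?$")
# Assumption: custom formats use Java-style pattern letters; only the ones
# needed for the page's examples are translated to strftime here.
_JAVA_TO_STRFTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}
# Constructed reference time so the results are reproducible.
SAMPLE_NOW = datetime(2020, 8, 2, 10, 32, 40, tzinfo=timezone.utc)


def to_generalized_time(t: datetime) -> str:
    """LDAP GeneralizedTime in UTC, e.g. 20200802103240Z."""
    return t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def to_ms_time(t: datetime) -> int:
    """Microsoft/AD integer time: 100-nanosecond intervals since 1601-01-01 UTC,
    the format of attributes such as lastLogonTimestamp."""
    return (int(t.timestamp()) + _WINDOWS_EPOCH_OFFSET) * 10_000_000


def expand_now(spec: str, now: datetime = SAMPLE_NOW) -> str:
    """Expand '[-]dd:hh:mm:ss[,type]': type 1 = Unix time, 2 = MS time,
    omitted = Generalized Time, anything else = custom pattern."""
    m = _NOW_RE.match(spec)
    if not m:
        raise ValueError(f"bad NOW spec: {spec!r}")
    sign, days, hours, minutes, seconds, fmt = m.groups()
    delta = timedelta(days=int(days), hours=int(hours), minutes=int(minutes), seconds=int(seconds))
    t = now - delta if sign else now + delta
    if fmt is None:
        return to_generalized_time(t)
    if fmt == "1":
        return str(int(t.timestamp()))
    if fmt == "2":
        return str(to_ms_time(t))
    pattern = re.sub("|".join(_JAVA_TO_STRFTIME), lambda mo: _JAVA_TO_STRFTIME[mo.group(0)], fmt)
    return t.strftime(pattern)


def today_filter(days_back: int, now: datetime = SAMPLE_NOW) -> str:
    """The page's loginTime filter with $$TODAY-N$$ already expanded."""
    return f"(&(objectclass=inetOrgPerson)(loginTime>={expand_now(f'-{days_back}:0:0:0', now)}))"
```

Call expand_now("-1:1:0:0") or today_filter(90) to see the expanded values for the sample reference time.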

Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
