Create LDAP search filters

Search filters enable you to define search criteria and provide more efficient and effective searches as part of the LDAP authentication for the web user interface. The Search Filter parameter provides greater flexibility in searching because it allows you to put the user's web login ID in any location within the search filter. A special substitution token, %UID%, indicates where the login ID should be inserted.

Most LDAP servers support LDAP search filters; however, LDAP servers differ, so the search filter you provide must be compliant with your LDAP server. For more information, see your LDAP server documentation.

To specify a prefix, you could enter the following into the Search Filter field on the LDAP Server Details page:

sAMAccount=%UID%
 

To specify a more sophisticated filter, you could enter the following:

(&(objectClass=person)(!(objectClass=user))(sAMAccount=%UID%))
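
Because the %UID% token places the user's login ID inside the filter, characters such as parentheses and asterisks in that ID must be escaped so that they match literally and cannot change the filter's structure. The following Python example is added here and is not the product's own code; the function names are hypothetical, and it assumes escaping as defined in RFC 4515.

```python
# Added example: expanding a %UID% search-filter template safely.
# Function names are hypothetical; this is not the product's implementation.

TOKEN = "%UID%"

# RFC 4515: these characters must appear as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with filter metacharacters escaped, so it matches literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(filter_text: str) -> bool:
    """True if every '(' has a matching ')' and none closes early."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def expand_filter(template: str, login_id: str) -> str:
    """Substitute the escaped login ID for every %UID% token in template."""
    if TOKEN not in template:
        raise ValueError("search filter has no %UID% token")
    if not is_balanced(template):
        raise ValueError("search filter has unbalanced parentheses")
    if not login_id:
        raise ValueError("empty login ID")
    return template.replace(TOKEN, escape_filter_value(login_id))


if __name__ == "__main__":
    template = "(&(objectClass=person)(!(objectClass=user))(sAMAccount=%UID%))"
    # Constructed login IDs: one ordinary, one containing filter metacharacters.
    for login in ("jsmith", "j*)(smith"):
        print(expand_filter(template, login))
```

The escaped result keeps the same number of filter components as the template, whatever the login ID contains.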
 

Match attributes

The following example illustrates how you could match for users distinguished by two objectClass attributes (one equal to 'person' and another to 'user'):

(&(objectClass=person)(objectClass=user))
 

Notice the ampersand symbol (&) at the start. Translated, this means: search for objectClass=person AND objectClass=user. Alternatively, you could use:

(|(objectClass=person)(objectClass=user))
 

Translated, this means: search for objectClass=person OR objectClass=user. The pipe symbol (|) denotes 'OR'. As this is not a special XML character, it should not need escaping.

Use wildcards

The following illustrates the use of wildcards:

(&(objectClass=user)(cn=*Marketing*))
 

This means: search for all entries that have objectClass=user AND a cn that contains the word 'Marketing'.

Exclude attributes

To exclude entries that match an expression, use an exclamation point (!). For example, the following will find all Chicago groups except those with a "Wrigleyville" OU component (note the extra parentheses around the expression to exclude):

(&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville))))