
LDAP Searching - Using Search Syntax



The major feature of an LDAP directory is its ability to return results for search queries very rapidly. All SDKs provide methods for issuing a search and handling the results returned by the directory. Many SDKs can also parse the result set into entry names together with all, or a chosen subset, of each entry's attributes and values.

Before you can search an LDAP directory, you need certain information:

Host Name:
The host name directs the search to the machine where the directory resides. If you are at the console of the machine that is running the LDAP server, you can use the host name "localhost" or the IP address "127.0.0.1".
Port:
The port is the TCP port on the machine (indicated by the host name) where the directory server is listening for LDAP connections. The standard port for LDAP is 389 for non-SSL connections and 636 for SSL connections. Note that a plain connection on 389 sends bind credentials and results in the clear unless the client upgrades it with StartTLS.
Base DN:
The base distinguished name (DN) indicates where in the LDAP directory you wish to begin the search. An LDAP directory is arranged in tree fashion, with a root and various branches off this root. The base DN is used to indicate the node at which the search should originate. For example, a base of dc=comanage,dc=net starts a search at the top of that tree and proceeds downward. If instead we specified a base further down the tree (an organizational unit beneath dc=comanage,dc=net, say), then any entries above that node would not be eligible for searching.
Scope:
Scope is the depth, relative to the base DN, to which the search should descend. There are three options (values) for the scope:

  1. BASE: Is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
  2. ONE: Is used to indicate searching all entries one level under the base DN - but NOT including the base DN.
  3. SUBTREE: Is used to indicate searching of all entries at all levels under and including the specified base DN.
Filter:
The search filter is the query string: it selects which entries in the directory are returned as the set of matching records. Filters are built from parenthesised terms combined with the symbols &, |, and !, which represent AND, OR and NOT respectively. If you wanted to locate all people whose common name begins with "jhunter", the following filter would do the trick:
(&(objectclass=person)(cn=jhunter*))
This expression represents a search for all entries with an object class of type person in which the common name begins with "jhunter". Like most other LDAP attributes, the cn attribute has case-insensitive syntax, so replacing jhunter* with JHunter* or JHUNTER* would yield the same results.

Search filters can be nested to any level:

(&(objectclass=person)(|(cn=Jeff Hunter)(cn=mhunter*)))
This filter says to find all entries with object class person in which the common name is Jeff Hunter or begins with "mhunter". A logical operator is written immediately after the opening parenthesis of the group it applies to, so the nesting of parentheses determines the order in which operators are evaluated. One caveat when a filter is assembled from values supplied at run time: the characters *, (, ), \ and NUL have special meaning inside a filter and must be escaped as \2a, \28, \29, \5c and \00 (RFC 4515). Left unescaped, a value of * turns an equality test into a match-everything wildcard, and stray parentheses let the value add terms of its own to the filter.
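To make the scope and filter rules above concrete, here is an added example, not code from the original page: a small in-memory stand-in for a directory that evaluates BASE, ONE and SUBTREE scope and RFC 4515 filters (equality, substring with *, presence, and nested &, |, !) over a constructed sample tree under dc=comanage,dc=net. The entries, the lookup_person helper and the escape_filter_value function are all illustration; the code assumes DNs contain no escaped commas, compares every attribute case-insensitively, and leaves out ordering, approximate and extensible matches.

```python
"""Tiny in-memory LDAP search evaluator: BASE/ONE/SUBTREE scope plus RFC 4515 filters.

Added illustration, not a real LDAP client. Assumptions: DNs contain no escaped
commas; only equality, substring (*), presence (attr=*), &, | and ! are supported
(no >=, <=, ~= or extensible matches); every attribute compares case-insensitively.
"""
import re

# RFC 4515 value escaping: these characters must never reach a filter unescaped.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape untrusted text before splicing it into a filter string."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(text):
    """Decode \\XX hex escapes back to characters (applied after parsing)."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), text)


def parse_filter(text):
    """Parse a filter into ('&'|'|', [subs]), ('!', [sub]) or ('=', attr, pattern)."""
    s = text.strip()
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError('unbalanced parentheses in filter')
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if i < len(s) and s[i] in '&|!':
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == '(':
            sub, i = _parse(s, i)
            subs.append(sub)
        if i >= len(s) or s[i] != ')':
            raise ValueError('expected ")" at offset %d' % i)
        if op == '!' and len(subs) != 1:
            raise ValueError('NOT takes exactly one subfilter')
        return (op, subs), i + 1
    eq = s.find('=', i)
    close = s.find(')', i)   # an escaped ')' is written \29, so a raw ')' ends the item
    if eq < 0 or close < 0 or eq > close:
        raise ValueError('malformed item at offset %d' % i)
    return ('=', s[i:eq].lower(), s[eq + 1:close]), close + 1


def _match_value(pattern, value):
    """Case-insensitive compare; a raw '*' is a wildcard, \\2a is a literal asterisk."""
    if pattern == '*':   # presence test: (attr=*)
        return True
    regex = '.*'.join(re.escape(_unescape(part)) for part in pattern.split('*'))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attr: [values]}, attrs lowercase)."""
    op = node[0]
    if op == '&':
        return all(matches(sub, entry) for sub in node[1])
    if op == '|':
        return any(matches(sub, entry) for sub in node[1])
    if op == '!':
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_match_value(pattern, v) for v in entry.get(attr, []))


def in_scope(dn, base, scope):
    """BASE: the base entry only; ONE: its immediate children; SUBTREE: base and all below."""
    dn, base = dn.lower(), base.lower()
    if scope == 'BASE':
        return dn == base
    if scope == 'ONE':
        return ',' in dn and dn.split(',', 1)[1] == base   # parent DN equals the base
    if scope == 'SUBTREE':
        return dn == base or dn.endswith(',' + base)
    raise ValueError('unknown scope %r' % scope)


def search(directory, base, scope, filter_text):
    """Return the sorted DNs of entries within scope of base that satisfy the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, base, scope) and matches(node, entry))


def lookup_person(directory, user_input, escape=True):
    """Build a filter from untrusted input; escape=False shows what goes wrong without escaping."""
    value = escape_filter_value(user_input) if escape else user_input
    return search(directory, 'dc=comanage,dc=net', 'SUBTREE',
                  '(&(objectclass=person)(cn=%s))' % value)


# Constructed sample tree (not real data) under the dc=comanage,dc=net base used in the text.
DIRECTORY = {
    'dc=comanage,dc=net': {'objectclass': ['dcObject', 'organization'], 'dc': ['comanage']},
    'ou=People,dc=comanage,dc=net': {'objectclass': ['organizationalUnit'], 'ou': ['People']},
    'ou=Groups,dc=comanage,dc=net': {'objectclass': ['organizationalUnit'], 'ou': ['Groups']},
    'cn=jhunter,ou=People,dc=comanage,dc=net':
        {'objectclass': ['person'], 'cn': ['jhunter', 'Jeff Hunter'], 'sn': ['Hunter']},
    'cn=jhunter2,ou=People,dc=comanage,dc=net':
        {'objectclass': ['person'], 'cn': ['jhunter2'], 'sn': ['Hunter']},
    'cn=mhunter,ou=People,dc=comanage,dc=net':
        {'objectclass': ['person'], 'cn': ['mhunter'], 'sn': ['Hunter']},
    'cn=admins,ou=Groups,dc=comanage,dc=net':
        {'objectclass': ['groupOfNames'], 'cn': ['admins'],
         'member': ['cn=jhunter,ou=People,dc=comanage,dc=net']},
}

if __name__ == '__main__':
    base = 'dc=comanage,dc=net'
    print(search(DIRECTORY, base, 'SUBTREE', '(&(objectclass=person)(cn=jhunter*))'))
    print(search(DIRECTORY, base, 'SUBTREE', '(&(objectclass=person)(|(cn=Jeff Hunter)(cn=mhunter*)))'))
    for scope in ('BASE', 'ONE', 'SUBTREE'):
        print(scope, len(search(DIRECTORY, base, scope, '(objectclass=*)')))
    print(lookup_person(DIRECTORY, '*', escape=False))   # unescaped wildcard returns every person
    print(lookup_person(DIRECTORY, '*'))                 # escaped: a literal '*' matches nobody
```

Running the block shows the two filters from the text returning the expected people, the three scopes returning 1, 2 and 7 entries from the same base, and the difference between splicing a raw "*" into a filter and escaping it first.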



Last modified on: Tuesday, 26-Jul-2005 20:24:03 EDT