About the Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP) is an industry standard protocol for accessing and viewing information about users and devices. LDAP enables you to organize and store this information in a directory. An LDAP directory is dynamic in that it can be updated as necessary, and it is distributed, protecting it from a single point of failure.

The following examples show LDAP queries that can be used to search the directory:

Get all entries: (objectClass=*)
Get entries containing 'bob' somewhere in the common name: (cn=*bob*)
Get entries with a common name greater than or equal to 'bob': (cn>='bob')
Get all users with an e-mail attribute: (&(objectClass=user)(email=*))
Get all user entries with an e-mail attribute and a surname equal to 'smith': (&(sn=smith)(objectClass=user)(email=*))
Get all user entries with a common name that starts with 'andy', 'steve', or 'margaret': (&(objectClass=User)(| (cn=andy*)(cn=steve*)(cn=margaret*)))
Get all entries without an e-mail attribute: (!(email=*))

The formal definition of the search filter is as follows (from RFC 1960):

<filter> ::= '(' <filtercomp> ')'
<filtercomp> ::= <and> > <or> > <not> > <item>
<and> ::= '&' <filterlist>
<or> ::= '|' <filterlist>
<not> ::= '!' <filter>
<filterlist> ::= <filter> > <filter> <filterlist>
<item> ::= <simple> > <present> > <substring>
<simple> ::= <attr> <filtertype> <value>
<filtertype> ::= <equal> > <approx> > <ge> > <le>
<equal> ::= '='
<approx> ::= '~='
<ge> ::= '>='
<le> ::= '<='
<present> ::= <attr> '=*'
<substring> ::= <attr> '=' <initial> <any> <final>
<initial> ::= NULL > <value>
<any> ::= '*' <starval>
<starval> ::= NULL > <value> '*' <starval>
<final> ::= NULL > <value>

The token <attr> is a string representing an AttributeType. The token <value> is a string representing an AttributeValue whose format is defined by the underlying directory service.

If a <value> must contain one of the characters * or ( or ), precede the character with the slash (\) escape character.