LDAP Query Filter Syntax (LDAP Filter Syntax)


This topic deals with the syntax and rules for an LDAP filter, which is a normal string which expresses the criteria for the filter. You need knowledge about LDAP filters if you want to search objects and filter objects in the LDAP browser LEX.

You can get even more information about LDAP filters in the SelfADSI scripting Tutorial article about LDAP filters.


Basic LDAP Filter Syntax and Operators


LDAP filters consist of one or more criteria. If more than one criterion exists in one filter definition, they can be combined with the logical AND or OR operators. The logical operators are always placed in front of the operands (i.e. the criteria); this is the so-called 'Polish Notation' (prefix notation).

The search criteria have to be put in parentheses and then the whole term has to be bracketed one more time.



AND Operation:

(& (...K1...) (...K2...))   or with more than two criteria:   (& (...K1...) (...K2...) (...K3...) (...K4...))


OR Operation:


(| (...K1...) (...K2...))   or with more than two criteria:     (| (...K1...) (...K2...) (...K3...) (...K4...)) 



Nested Operation:

Every AND/OR operation can also be understood as a single criterion:


(|(& (...K1...) (...K2...))(& (...K3...) (...K4...)))        means:        (K1 AND K2) OR (K3 AND K4)



Each search criterion is a requirement on an LDAP attribute, e.g. (givenName=Sandra). The following rules apply:

 

Equality:      (attribute=abc)       e.g. (&(objectClass=user)(displayName=Foeckeler))
Negation:      (!(attribute=abc))    e.g. (!(objectClass=group))
Presence:      (attribute=*)         e.g. (mailNickName=*)
Absence:       (!(attribute=*))      e.g. (!(proxyAddresses=*))
Greater than:  (attribute>=abc)      e.g. (mdbStorageQuota>=100000)
Less than:     (attribute<=abc)      e.g. (mdbStorageQuota<=100000)
Proximity:     (attribute~=abc)      e.g. (displayName~=Foeckeler)   Caution: ~= is treated as = in ADS environments!
Wildcards:     e.g. (sn=F*) or (mail=*@cerrotorre.de) or (givenName=*Paul*)
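To make the syntax rules above concrete, here is a small recursive-descent parser for this filter grammar. It is an added example, not code from the LEX or SelfADSI documentation: it turns a filter string into a nested tuple tree and rejects the malformed forms the rules warn about (a missing closing parenthesis, a negation whose operand is not itself parenthesised, an operator without operands). The node names (AND, OR, NOT, EQUAL, PRESENT, SUBSTRING, GE, LE, APPROX, EXT) are this example's own naming, not LDAP terminology.

```python
# Added example (not part of the original article): a parser for the
# string form of LDAP filters described on this page.

OPERATORS = {"&": "AND", "|": "OR", "!": "NOT"}
COMPARATORS = {"=": "EQUAL", ">=": "GE", "<=": "LE", "~=": "APPROX"}


class FilterSyntaxError(ValueError):
    """Raised for a filter string that violates the syntax rules."""


def parse_filter(text):
    """Parse a complete LDAP filter string and return its tree."""
    s = text.strip()
    pos, node = _parse_node(s, 0)
    if pos != len(s):
        raise FilterSyntaxError("trailing characters at position %d" % pos)
    return node


def _skip_spaces(s, i):
    # The page writes "(& (...K1...) (...K2...))"; blanks between
    # operator and operands are tolerated.
    while i < len(s) and s[i] == " ":
        i += 1
    return i


def _parse_node(s, i):
    # Every node, operator or criterion, is enclosed in parentheses.
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError("expected '(' at position %d" % i)
    i = _skip_spaces(s, i + 1)
    if i < len(s) and s[i] in OPERATORS:
        op = OPERATORS[s[i]]
        i = _skip_spaces(s, i + 1)
        children = []
        while not (i < len(s) and s[i] == ")"):
            i, child = _parse_node(s, i)      # operands must be "(...)"
            children.append(child)
            i = _skip_spaces(s, i)
        if not children:
            raise FilterSyntaxError("operator %s has no operands" % op)
        if op == "NOT" and len(children) != 1:
            raise FilterSyntaxError("NOT takes exactly one operand")
        return i + 1, (op, children)
    # A simple criterion runs up to the next ")"; a literal ")" inside a
    # value must be escaped as \29, so this cannot cut a value short.
    end = s.find(")", i)
    if end == -1:
        raise FilterSyntaxError("unterminated criterion at position %d" % i)
    return end + 1, _parse_criterion(s[i:end])


def _parse_criterion(body):
    eq = body.find("=")
    if eq <= 0:
        raise FilterSyntaxError("no comparator in criterion %r" % body)
    if body[eq - 1] in "><~":
        comp, attr = body[eq - 1] + "=", body[:eq - 1]
    else:
        comp, attr = "=", body[:eq]
    attr, value = attr.strip(), body[eq + 1:]
    if not attr:
        raise FilterSyntaxError("missing attribute name in %r" % body)
    # Extensible match "attr:rule-oid:=value" (used by the bit-field
    # filters further down the page) arrives here as an attribute
    # ending in ":"; split it into name and rule OID.
    if comp == "=" and attr.endswith(":") and ":" in attr[:-1]:
        name, oid = attr[:-1].split(":", 1)
        return ("EXT", name, oid, value)
    if comp == "=" and value == "*":
        return ("PRESENT", attr)
    if comp == "=" and "*" in value:
        return ("SUBSTRING", attr, value)
    return (COMPARATORS[comp], attr, value)


def is_valid_filter(text):
    """True if the string is a syntactically valid filter."""
    try:
        parse_filter(text)
        return True
    except FilterSyntaxError:
        return False
```

Running `parse_filter("(|(&(sn=F*)(mail=*@cerrotorre.de))(!(proxyAddresses=*)))")` yields the tree `(K1 AND K2) OR (NOT K3)`; `is_valid_filter("(!objectClass=group)")` is False because the negated criterion is not parenthesised, while `(!(objectClass=group))` is accepted.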



Further rules:

 

Real attributes only

Only standard attributes can be used in LDAP filters. When specifying an LDAP search filter, you cannot use object properties of the ADSI objects that aren't LDAP database attributes but interface properties of the respective object. A list of the affected properties can be viewed in the SelfADSI Scripting Tutorial under the topic 'Object Properties of ADSI Objects'.


No quotation marks

Comparison strings do NOT appear in quotation marks. A filter for the displayName 'Philipp Foeckeler' reads as follows: (displayName=Philipp Foeckeler).


Upper/lower case

If you want to filter boolean attributes, upper/lower case is crucial: the values TRUE or FALSE must be written exactly like that. However, most other string attributes are case-insensitive, i.e. a hit will be found even if the upper and lower case differs from your search filter.

Exchange 5.5 directories are the exception: there most attributes are case sensitive. The few attributes that are not can be viewed under the SelfADSI Scripting Tutorial topic 'Directory Attributes with CaseIgnoreString Syntax'.


DN-String attributes

Regarding the match algorithms of LDAP filters, LDAP directory systems comply with the specifications of the original X.500 standards. According to these matching rules you can't use wildcards in LDAP filters for attributes containing LDAP distinguished names (attributes with DN-string syntax / ADSI attribute data type ADSTYPE_DN_STRING = 1). The same applies to ADS: filters in which DN attributes are searched with wildcards do not work.

This can be quite irritating. You can't e.g. search for all users that are members in groups that contain a certain string in their group names. The reason for this is that the user attribute memberOf has the data type DN-string.

Even more important may be the search for objects in a specific OU, especially where only a plain filter string can be given and there is no way to specify the search base of the LDAP search. This is the case e.g. for the definition of recipient policies in Microsoft Exchange environments. Thus, the following filter won't work:

   (distinguishedName=*,ou=Sydney,dc=cerrotorre,dc=org)

In this case we have to use a script-based solution which provides a workaround for this LDAP filter limitation.


Special characters

LDAP filters can contain Unicode characters. You may, for example, use German umlauts where it makes sense (i.e. if the filtered attribute is a Unicode string). However, the characters ( ) & | = ! > < ~ * / \ play a special role in the declaration of LDAP filters.

If you search for or want to compare these characters within an attribute string, you'll have to use a prefixed backslash and the corresponding hexadecimal ASCII code:

   (   \28       )   \29       &   \26
   |   \7c       =   \3d       >   \3e
   <   \3c       ~   \7e       *   \2a
   /   \2f       \   \5c

An example: we want to retrieve all objects whose attribute "displayName" starts with a literal "*" (the escaped asterisk is matched as a character, the unescaped one at the end is the wildcard):

   (displayName=\2a*)

The character zero (\00) may also be required occasionally.


Multivalued attributes

It's also possible to filter for certain values in multivalued attributes. An example is the attribute objectClass. Due to the hierarchical structure of the directory schema, an object is always an instance of several object classes. An ADS user e.g. is an object of the classes top, person, organizationalPerson and user. Thus, a filter could be:

   (objectClass=user)

However, you need to take into consideration that such filtering always costs more server performance than an ordinary 'one-dimensional' attribute search does.




Filtering for Hex Numbers and Binary Values

 

Hex Numbers

Where attributes of type integer or long integer are compared with specific hex numbers, the corresponding decimal value must always be used in the LDAP filter. An example: if you look for local security groups in ADS, the following two flags have to be set in the groupType attribute:

ADS_GROUP_TYPE_LOCAL_GROUP (0x00000004)
ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000)

Adding these values gives the hex value 0x80000004, which is the decimal number 2147483652; this is what has to be used in the LDAP filter:

   (groupType=2147483652)


Binary Values

It's a completely different matter if you want to compose filters for attributes whose data type is a binary value (the corresponding data type is often referred to as 'Octet String').

If you are going to filter for such binary attributes, it is mandatory to declare every single byte that has to be compared in hex code. For instance, if you search for objects with the attribute 'Inventory' which has the value 0x01AAF5EF, then the appropriate filter will have to read:

   (Inventory=\01\aa\f5\ef)

Unfortunately, wildcard search is not allowed when searching for binary attributes!
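The escaping rules for special characters (the table above) and for binary values (the Inventory example) are the part of the syntax most often got wrong when filter strings are assembled from external input: a user-supplied "*" or ")" that is not escaped changes what the filter means instead of being matched as a character. The following helper, an added example rather than code from the article, applies both escaping rules and builds the page's own filters from raw values; the attribute name Inventory and the sample values are taken from the page, the function names are this example's own.

```python
# Added example (not from the original article): value escaping for LDAP
# filter strings, following the character table and the octet-string
# rule given on this page.

# The characters the article lists as special, with their escape codes.
FILTER_SPECIALS = {
    "(": r"\28", ")": r"\29", "&": r"\26", "|": r"\7c", "=": r"\3d",
    ">": r"\3e", "<": r"\3c", "~": r"\7e", "*": r"\2a", "/": r"\2f",
    "\\": r"\5c", "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a text value so that every special character is matched
    literally and none of them can act as wildcard or filter syntax."""
    return "".join(FILTER_SPECIALS.get(ch, ch) for ch in value)


def escape_binary(data):
    """Escape every byte of an octet-string value as \\xx, e.g. the
    page's Inventory value 0x01AAF5EF becomes \\01\\aa\\f5\\ef."""
    return "".join("\\%02x" % b for b in data)


def equality_filter(attribute, value):
    """(attribute=value) with the value escaped; untrusted input is safe
    to pass here because it can only ever be compared, not interpreted."""
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def starts_with_filter(attribute, prefix):
    """The article's (displayName=\\2a*) case: a literal prefix, escaped,
    followed by one deliberate wildcard."""
    return "(%s=%s*)" % (attribute, escape_filter_value(prefix))


def binary_equality_filter(attribute, data):
    """(attribute=\\01\\aa\\f5\\ef) for an octet-string attribute; no
    wildcard is possible for binary values, so only equality is offered."""
    return "(%s=%s)" % (attribute, escape_binary(data))


def unescape_filter_value(escaped):
    """Reverse of escape_filter_value, useful for checking what a stored
    filter actually compares against."""
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\":
            out.append(chr(int(escaped[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)
```

With these helpers a display name typed as `(Sales)` becomes `(displayName=\28Sales\29)` and a typed `*` becomes `(displayName=\2a)`, an exact match for one asterisk rather than a presence test; `binary_equality_filter("Inventory", bytes.fromhex("01aaf5ef"))` reproduces the page's `(Inventory=\01\aa\f5\ef)`.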

 


Filtering for Bit Fields


With LDAP filters it's also possible to find objects for which a specific bit either is or is not set within a bit field. In this case a rather strange-looking syntax has to be used:

 

   <Attribute name>:<BitFilterRule-ID>:=<decimal comparative value>

 

There are exactly two BitFilterRule IDs: One for bit-wise AND comparisons and one for bit-wise OR comparisons:

 

   LDAP_MATCHING_RULE_BIT_AND           1.2.840.113556.1.4.803
   LDAP_MATCHING_RULE_BIT_OR             1.2.840.113556.1.4.804 



An example:

For the attribute 'groupType' following bit mask is important in ADS group objects:

ADS_GROUP_TYPE_GLOBAL_GROUP     = 0x00000002
ADS_GROUP_TYPE_LOCAL_GROUP      = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP  = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


A filter for universal groups has to find those objects in whose groupType attribute the 4th least significant bit is set. This is checked by comparing the attribute with the value 0x00000008 (which represents the 4th bit) in a bit-wise AND filter:

'All universal groups:

(groupType:1.2.840.113556.1.4.803:=8)

 

Caution: the comparative value of a bit filter must be written in decimal, not in hex! So if all security groups (and not the distribution groups) are to be found, it has to be filtered for the highest bit (0x80000000 = 2147483648):

 

'All security enabled groups:

(groupType:1.2.840.113556.1.4.803:=2147483648)


An example of an OR filter: we search for all users which don't need a password (bit 0x20 = 32 set in userAccountControl) or whose passwords never expire (bit 0x10000 = 65536 set in userAccountControl). So we have to build a filter with the value 65568 (= 65536 + 32):

 

'All users which don't need a password OR whose passwords don't expire:

(userAccountControl:1.2.840.113556.1.4.804:=65568)      

 

 

Please note that bit-wise filtering is a much more expensive procedure for the server. For this reason you should consider using normal equality criteria where possible. If looking e.g. for universal security groups, the two flags 0x80000000 and 0x00000008 can be added up and then filtered for the resulting decimal value 2147483656:

 

'All universal security groups:

(groupType=2147483656)                                  
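The two matching rules, the decimal-only rule for the comparative value and the cheaper equality alternative can all be checked against sample data without a directory. The following is an added example, not code from the article: it renders the bit-field filters from flag constants and simulates what rule 803 (every bit of the mask set) and rule 804 (at least one bit of the mask set) return over constructed group and user entries. The flag constants and OIDs are those listed on this page; ADS_UF_NORMAL_ACCOUNT (0x200) is the standard userAccountControl flag for ordinary user accounts and is only used to make the sample users realistic. The sample entry names are constructed.

```python
# Added example (not from the original article): bit-field filters for
# groupType / userAccountControl, with a simulation of both matching rules.

ADS_GROUP_TYPE_GLOBAL_GROUP     = 0x00000002
ADS_GROUP_TYPE_LOCAL_GROUP      = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP  = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

ADS_UF_PASSWD_NOTREQD     = 0x00000020   # 32: no password required
ADS_UF_NORMAL_ACCOUNT     = 0x00000200   # 512: ordinary user account
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000   # 65536: password never expires

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR  = "1.2.840.113556.1.4.804"


def combine(*flags):
    """OR the given flags into one integer mask."""
    value = 0
    for f in flags:
        value |= f
    return value


def bit_filter(attribute, rule_oid, *flags):
    """Render <attr>:<rule>:=<value>; the value is emitted in decimal,
    because the server does not accept hex at this position."""
    return "(%s:%s:=%d)" % (attribute, rule_oid, combine(*flags))


def equality_filter(attribute, *flags):
    """The cheaper alternative when the exact flag combination is known."""
    return "(%s=%d)" % (attribute, combine(*flags))


def bit_and_matches(stored, mask):
    """Rule ...803: every bit of the mask must be set in the stored value."""
    return stored & mask == mask


def bit_or_matches(stored, mask):
    """Rule ...804: at least one bit of the mask must be set."""
    return stored & mask != 0


def select(entries, predicate):
    """Names of the entries whose stored value satisfies the predicate."""
    return sorted(name for name, value in entries.items() if predicate(value))


# Constructed sample objects (name -> stored integer). AD stores groupType
# as a signed 32-bit integer; the simulation keeps the unsigned values the
# article uses, which is what the filter strings contain.
SAMPLE_GROUPS = {
    "Domain Users":   combine(ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED),
    "All-Staff-DL":   ADS_GROUP_TYPE_UNIVERSAL_GROUP,      # distribution group
    "Enterprise-Ops": combine(ADS_GROUP_TYPE_UNIVERSAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED),
    "Local-Admins":   combine(ADS_GROUP_TYPE_LOCAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED),
}
SAMPLE_USERS = {
    "alice":      ADS_UF_NORMAL_ACCOUNT,
    "guest":      combine(ADS_UF_NORMAL_ACCOUNT, ADS_UF_PASSWD_NOTREQD),
    "svc-backup": combine(ADS_UF_NORMAL_ACCOUNT, ADS_UF_DONT_EXPIRE_PASSWD),
}


def universal_groups(groups=SAMPLE_GROUPS):
    """(groupType:...803:=8)"""
    return select(groups, lambda v: bit_and_matches(v, ADS_GROUP_TYPE_UNIVERSAL_GROUP))


def security_groups(groups=SAMPLE_GROUPS):
    """(groupType:...803:=2147483648)"""
    return select(groups, lambda v: bit_and_matches(v, ADS_GROUP_TYPE_SECURITY_ENABLED))


def universal_security_groups(groups=SAMPLE_GROUPS):
    """(groupType=2147483656), plain equality instead of a bit rule."""
    return select(groups, lambda v: v == combine(ADS_GROUP_TYPE_UNIVERSAL_GROUP,
                                                 ADS_GROUP_TYPE_SECURITY_ENABLED))


def weak_password_users(users=SAMPLE_USERS):
    """(userAccountControl:...804:=65568): no password OR never expires."""
    mask = combine(ADS_UF_PASSWD_NOTREQD, ADS_UF_DONT_EXPIRE_PASSWD)
    return select(users, lambda v: bit_or_matches(v, mask))
```

The simulation makes the difference between the rules visible: with the mask 65568, rule 804 returns guest and svc-backup because each has one of the two bits, whereas rule 803 would return neither, since no sample user has both bits set.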

Please note that the LEX dialogs for editing LDAP filters let you set up such bit-mask filter syntax very easily.


Filtering with Ambiguous Name Resolution (ANR)

 

Ambiguous Name Resolution finds users or contacts in Active Directory environments whose names are only partly known. Not only the object name but also the display name, first and last name and the various mail addresses are involved in the search. As an Outlook user you can see ANR filtering at work when using e.g. the option 'Check names' to get the best hit while searching for an address.

 

Exactly which attributes take part in the ANR search is specified by the search flags of the attributes in the directory schema; the attributes flagged this way form the so-called ANR set. The following attributes are part of the ANR set by default:

  • Relative Distinguished Name (RDN), this could be for example the values for cn=.... or ou=...
  • givenName (first name)
  • sn (last name)
  • displayName (display name)
  • legacyExchangeDN (after migrations the Exchange 5.5 directory name of the old mailbox is shown here)
  • proxyAddresses (mail addresses)
  • physicalDeliveryOfficeName (office address)

The syntax of ANR filters is as follows:

 

   (anr=Philipp) or (anr=p f) or (anr=Foeck)

All these filters would find the user 'Foeckeler, Philipp'. The second one is able to find 'Philipp Foeckeler' as well as 'Fritz Paul'. This is because the ANR filter checks the first name and last name in both directions.
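The ANR behaviour described above (a prefix match over every attribute of the ANR set for a single word, and a two-part query tried against first name and last name in both directions) can be simulated over a few constructed entries. This is an added example, not code from the article or from Active Directory; the ANR set is the default list from this page, the entries are constructed, and the matching semantics are the ones the text describes, so server-side details beyond that are not modelled.

```python
# Added example (not from the original article): simulation of ANR
# matching over constructed directory entries.

# Default ANR set as listed on the page (the RDN is represented by cn here).
ANR_SET = ("cn", "givenName", "sn", "displayName", "legacyExchangeDN",
           "proxyAddresses", "physicalDeliveryOfficeName")


def _values(entry, attr):
    """Return the attribute's values as a list (attributes may be multivalued)."""
    v = entry.get(attr, [])
    return [v] if isinstance(v, str) else list(v)


def _prefix_match(entry, token):
    """Single-word ANR: does any ANR-set attribute start with the token?"""
    token = token.lower()
    return any(v.lower().startswith(token)
               for attr in ANR_SET for v in _values(entry, attr))


def anr_match(entry, query):
    """Evaluate (anr=<query>) against one entry as the article describes."""
    parts = query.strip().split(None, 1)
    if not parts:
        return False
    if len(parts) == 1:
        return _prefix_match(entry, parts[0])
    # Two parts: first/last name are checked in both directions, so
    # "p f" finds both "Philipp Foeckeler" and "Fritz Paul".
    a, b = (p.lower() for p in parts)
    given = "".join(_values(entry, "givenName")).lower()
    surname = "".join(_values(entry, "sn")).lower()
    return ((given.startswith(a) and surname.startswith(b)) or
            (given.startswith(b) and surname.startswith(a)))


def anr_search(entries, query):
    """Sorted cn values of all entries matching (anr=<query>)."""
    return sorted(e["cn"] for e in entries if anr_match(e, query))


# Constructed sample entries.
SAMPLE_ENTRIES = [
    {"cn": "Philipp Foeckeler", "givenName": "Philipp", "sn": "Foeckeler",
     "displayName": "Foeckeler, Philipp",
     "proxyAddresses": ["SMTP:philipp@cerrotorre.de"]},
    {"cn": "Fritz Paul", "givenName": "Fritz", "sn": "Paul",
     "displayName": "Paul, Fritz"},
    {"cn": "Sandra Mueller", "givenName": "Sandra", "sn": "Mueller",
     "physicalDeliveryOfficeName": "Sydney"},
]
```

`anr_search(SAMPLE_ENTRIES, "p f")` returns both Fritz Paul and Philipp Foeckeler, while `"Philipp"` and `"Foeck"` return only Philipp Foeckeler; a query such as `"Sydney"` shows that the office name is part of the default ANR set.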
