As in a file system, the name of an object within an LDAP container must be unique. Thus, CN=Kate uniquely identifies this object within its container, OU=CustomerSupport. As a result, the entire DN uniquely identifies this particular object in the entire directory tree.


Search Operation

The most important operation in LDAP is the ability to search. This is how objects are found in the directory tree and how values are read. The syntax is somewhat different from more familiar query syntaxes such as SQL. However, LDAP is also much simpler than SQL: it has no joins, sub-queries, ordering, or grouping. An LDAP query is composed of four basic parts: a search root, a search scope, a filter, and a list of attributes to return. There are more parameters and options, but these basic four are enough for most cases.


Search Root

The search root determines the place in the tree from which the search will start. This value is passed as a DN in string format. To search the entire directory, pass the DN of the object that is the root of the tree. To search lower in the hierarchy, specify a lower-level DN.


Search Filter

The search filter determines which objects will be returned by the query. It is analogous to the WHERE clause in a SQL statement. Each object in the scope of the query is evaluated against the filter to determine whether or not it matches. Objects that do not meet the filter criteria are eliminated from the results.

Basic LDAP Syntax

The following table outlines basic operators for use with LDAP:

Operator: =  (Equal to)
  Definition: An attribute must be equal to a certain value for the argument to be true.
  Example: (givenName=Kate)
  This will return all objects that have the first name of "Kate."
  Note: Because there is only one argument in this example, it is surrounded with parentheses for illustration.

Operator: &  (And)
  Definition: Use & when you have more than one condition and you want all conditions to be true. For example, if you want to find all of the people that have the first name of Kate and live in Austin, you would use the filter in the example.
  Example: (&(givenName=Kate)(l=Austin))

Operator: !  (Not)
  Definition: The ! operator is used to exclude objects that have a certain attribute. If you need to find all objects except those that have the first name of Kate, you would use the filter in the example. This would find all objects that do not have the first name of Kate.
  Note: The ! operator goes directly in front of the argument and inside the argument's set of parentheses.
  Example: (!givenName=Kate)
  Note: Because there is only one argument in this example, it is surrounded with parentheses for illustration.

Operator: *  (Wildcard)
  Definition: Use the * operator to represent a value that could be equal to anything. If you wanted to find all objects that have a value for title, you would use the filter in the example. This would return all objects that have the title attribute populated with any value.
  Example: (title=*)

Operator: *  (Wildcard, Example 2)
  Definition: This would apply to all objects whose first name starts with "Ka."
  Example: (givenName=Ka*)


Advanced Examples of LDAP Syntax:

  • You need a filter to find all objects that are in NYC or Austin, and that have the first name of "Kate." This would be:
    (&(givenName=Kate)(|(l=NYC)(l=Austin)))
  • You have received 9,360 events in the Application log and you need to find all of the objects that are causing this logging event. In this case, you need to find all of the disabled users (msExchUserAccountControl=2) that do not have a value for msExchMasterAccountSID. This would be:
    (&(msExchUserAccountControl=2)(!msExchMasterAccountSID=*))

Note: Using the ! operator with the * operator will look for objects where that attribute is not set to anything.
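The operators in the table and the advanced examples above, as an added Python example that is not part of this page or of SolarWinds SAM: a small RFC 4515 filter parser and evaluator run against a constructed in-memory directory (the DNs and attribute values are made up). It accepts both the standard (!(a=b)) form and the (!a=b) shorthand shown in the table, and the escape() helper (also an addition) shows how a value taken from user input is escaped so that a supplied * or ) cannot change the filter's meaning.

```python
import re
# Constructed sample directory (not real data): DN -> {attribute: [values]}
ENTRIES = {
    "CN=Kate,OU=CustomerSupport,DC=example,DC=com":
        {"givenName": ["Kate"], "l": ["Austin"], "title": ["Support Lead"]},
    "CN=Karl,OU=CustomerSupport,DC=example,DC=com": {"givenName": ["Karl"], "l": ["NYC"]},
    "CN=Kate Jones,OU=Sales,DC=example,DC=com":
        {"givenName": ["Kate"], "l": ["Denver"], "msExchUserAccountControl": ["2"]},
    "CN=Bob,OU=Sales,DC=example,DC=com": {"givenName": ["Bob"], "l": ["NYC"],
        "msExchUserAccountControl": ["2"], "msExchMasterAccountSID": ["S-1-5-21-PLACEHOLDER"]},
}
def escape(value):
    """Escape a caller-supplied value per RFC 4515 so it cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)
def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, offset after its ')')."""
    assert s[i] == "(", "expected '(' at offset %d" % i
    i, neg = i + 1, False
    if s[i] in "&|":                       # (&(a)(b)...) and (|(a)(b)...)
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            subs.append(node)
        return (op, subs), i + 1           # s[i] is the list's closing ')'
    if s[i] == "!" and s[i + 1] == "(":    # RFC 4515 form: (!(a=b))
        node, i = parse(s, i + 1)
        return ("!", node), i + 1
    if s[i] == "!":                        # AD shorthand used in the table: (!a=b)
        neg, i = True, i + 1
    end = s.index(")", i)                  # leaf: attr=value, '*' is a wildcard
    attr, _, value = s[i:end].partition("=")
    node = ("=", attr.lower(), value)      # attribute names are case-insensitive
    return (("!", node) if neg else node), end + 1
def matches(node, entry):                  # evaluate a parsed node against one entry
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if value == "*":                       # presence test: attribute has any value
        return bool(values)
    unesc = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), p)
    rx = "^" + ".*".join(re.escape(unesc(p)) for p in value.split("*")) + "$"
    return any(re.match(rx, v, re.IGNORECASE) for v in values)
def search(filter_str, entries=ENTRIES):  # DNs of entries matching the whole filter
    node, end = parse(filter_str)
    assert end == len(filter_str), "unexpected text after the filter"
    return [dn for dn, attrs in entries.items() if matches(node, attrs)]
```

Calling search("(&(givenName=Kate)(|(l=NYC)(l=Austin)))") returns only the Austin Kate, while search("(givenName=" + escape("*") + ")") returns nothing because the escaped * is matched literally rather than as a wildcard.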


SolarWinds SAM makes use of LDAP by having its own built-in LDAP User Experience Monitor.