ldapfilters [2013/05/01 10:25] (current)
sjoerd created
= Notes, Tips & Tricks: LDAP Filters

This is a notes page, extended with tips & tricks. This page is not really documentation, just stuff for me to remember. Sometimes things will get removed from these pages and turned into real documentation, sometimes not. You might find these notes come in handy, maybe not. For me, it's just things I don't want to forget.

= Compound Filters (p140)
The filter syntax enables the use of AND and OR operators for joining filter elements together. These are prefix operators and can be followed by one or more filter elements. Each of the inner elements and the whole filter must be enclosed in parentheses.

AND.
The AND operator is indicated by the & character and is usually used to further restrict search results. If I wanted to list only inetOrgPerson entries that had telephone numbers I could use this filter: (&(objectClass=inetOrgPerson)(telephoneNumber=*)). All inetOrgPerson objects which also have a telephoneNumber attribute will be listed. Notice that in this example (as with all compound LDAP search filters) the operator comes before the filter elements rather than between them. This is referred to as a preordered expression or a prefixed expression.

OR.
The OR operator is indicated by the | character and is normally used to make a filter less restrictive. If you wanted to find the entry for Jim but couldn't remember if the common name began with Jim or James, you could use the filter: (|(cn=jim*)(cn=james*)). Both the AND and the OR operators can have multiple filter elements following them. Additional examples of possible filters are: (&(objectClass=inetOrgPerson)(mail=*acme.com)(cn=mary*)) and (|(cn=larry)(cn=moe)(cn=curley)). You will probably find reasons to mix the AND and OR operators in the same filter. Use parenthesis nesting to accomplish this. If you wanted to find inetOrgPerson objects which had a telephoneNumber beginning with either 555 or 556 you could use the filter: (&(objectClass=inetOrgPerson)(|(telephoneNumber=555*)(telephoneNumber=556*))).

NOT.
The NOT operator is represented by the ! character. It can precede just a single filter element. Here's an example of the NOT operator used in an inner filter element. If you wanted to find all of the Marys except Mary Jones you would try: (&(cn=mary*)(!(sn=jones))). This filter would find everyone whose name is not Mary Jones: (!(&(cn=mary)(sn=jones))). Note the third closing parenthesis: the NOT element, the AND element and each inner element all need their own.

Greater Than or Equal, Less Than or Equal.
If an attribute uses a schema type that defines an ordering (a way to compare whether one value is greater than another), then you can use greater-than-or-equal and less-than-or-equal in your filter. The general form is attrname>=value; the available comparison operators are:
        equal      = "="
        approx     = "~="
        greater    = ">="
        less       = "<="

Search for objects whose mail domain is example.com:
"(mail=*@example.com)"
Search for objects whose objectClass is inetOrgPerson or person:
"(|(objectClass=inetOrgPerson)(objectClass=person))"
Search for objects whose objectClass is inetOrgPerson and cn starts with 'p' (followed by anything):
"(&(objectClass=inetOrgPerson)(cn=p*))"
Search for objects whose mail attribute is not empty and the objectClass is inetOrgPerson or person:
"(&(mail=*)(|(objectclass=person)(objectclass=inetorgperson)))"
Search for objects whose objectClass is inetOrgPerson and mail is empty:
"(&(objectclass=inetorgperson)(!(mail=*)))"
Search for objects whose objectClass is inetOrgPerson and description is empty:
"(&(objectclass=inetorgperson)(!(description=*)))"

Examples:
LDAP filter to retrieve users whose title begins with 2007:
(&(objectclass=inetOrgPerson)(title=2007*))

LDAP filter to retrieve users whose title begins with 2007 AND who are disabled:
(&(objectclass=inetOrgPerson)(title=2007*)(loginDisabled=TRUE))

LDAP filter to retrieve users who have never logged in:
(&(objectclass=inetOrgPerson)(!(lastlogintime=*)))

LDAP filter to retrieve users who have never logged in, as well as users who last logged in before a given date:
(&(objectclass=inetOrgPerson)(|(lastlogintime<=20070901000000Z)(!(lastlogintime=*))))

LDAP filter to retrieve users who have a given title and are disabled, and who have either never logged in or last logged in before a given date:
(&(objectclass=inetOrgPerson)(title=20071221_IDM_Cleanup)(loginDisabled=TRUE)(|(lastlogintime<=20070901000000Z)(!(lastlogintime=*))))
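To make the prefix notation above concrete, here is a small filter evaluator added for this page (not the book's or the wiki's own code): it parses the &, |, ! and =, ~=, >=, <= elements described above, including the presence (attr=*) and substring forms, and runs the filters from the examples against constructed sample entries. Attribute names and values are compared case-insensitively, as a directory does for cn and objectClass; RFC 4515 \xx value escaping is deliberately left out.

```python
import re

def parse(s, i=0):
    # Parse the filter element at s[i]; return (node, index just past its closing ')').
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1:i + 2] in ("&", "|"):          # AND/OR: prefix operator, then one or more elements
        op, subs, i = s[i + 1], [], i + 2
        while s[i:i + 1] == "(":
            sub, i = parse(s, i)
            subs.append(sub)
        node = (op, subs)
    elif s[i + 1:i + 2] == "!":               # NOT: exactly one element
        inner, i = parse(s, i + 2)
        node = ("!", [inner])
    else:                                     # simple element: attr (=|~=|>=|<=) value
        end = s.index(")", i)                 # RFC 4515 \xx escapes are not handled here
        if not (m := re.fullmatch(r"([A-Za-z][\w;-]*)(>=|<=|~=|=)(.*)", s[i + 1:end])):
            raise ValueError(f"malformed element {s[i:end + 1]!r}")
        node, i = (m.group(2), m.group(1).lower(), m.group(3)), end
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    # Evaluate a parsed node against {attr: [values]}; names and values compare case-insensitively.
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, want = node
    want, vals = want.lower(), [str(v).lower() for v in entry.get(attr, [])]
    if op == "=":                             # '*' wildcards give a substring filter; bare '*' is presence
        pat = ".*".join(re.escape(p) for p in want.split("*"))
        return any(re.fullmatch(pat, v) for v in vals)
    if op in (">=", "<="):                    # lexical ordering, which is fine for generalizedTime
        return any(v >= want if op == ">=" else v <= want for v in vals)
    return any(v == want for v in vals)       # '~=' approximated as case-insensitive equality

ENTRIES = [  # constructed sample entries, not real directory data
    {"objectClass": ["inetOrgPerson"], "cn": ["Mary Smith"], "sn": ["Smith"], "telephoneNumber": ["555-1234"],
     "mail": ["mary@acme.com"], "lastlogintime": ["20070815120000Z"]},
    {"objectClass": ["inetOrgPerson"], "cn": ["Mary Jones"], "sn": ["Jones"], "telephoneNumber": ["556-9999"]},
    {"objectClass": ["inetOrgPerson"], "cn": ["James Brown"], "sn": ["Brown"], "lastlogintime": ["20071001090000Z"]},
]

def search(filter_str, entries=ENTRIES):
    # Return the cn of every entry selected by filter_str; attribute names are case-folded first.
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after the filter")
    return [e["cn"][0] for e in entries if matches(node, {k.lower(): v for k, v in e.items()})]
```

A filter with an unbalanced parenthesis, such as the NOT example above written with one closing parenthesis too few, is rejected with a ValueError instead of silently matching nothing.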

LDAP OPERATIONAL ATTRIBUTES:
eDirectory LDAP operational attributes listed in the developer kit:
    * createTimeStamp
    * creatorsName
    * entryFlags
    * federationBoundary
    * localEntryID
    * modifiersName
    * modifyTimeStamp
    * structuralObjectClass
    * subordinateCount
    * subschemaSubentry

LDAPsearch
LDAP search over TLS with filter cn=sjoerd, requesting all operational attributes (the trailing + asks for them):
ldapsearch -D cn=bofh,o=company -W -ZZ -b o=company "cn=sjoerd" +
LDAP search over TLS with filter cn=sjoerd, requesting all user attributes:
ldapsearch -D cn=bofh,o=company -W -ZZ -b o=company "cn=sjoerd"
Try TLS in an LDAP search (-Z only attempts StartTLS and continues without it on failure; -ZZ aborts if StartTLS cannot be established):
ldapsearch -D cn=bofh,o=company -W -Z -b o=company "cn=sjoerd"

LDAP attributes
lastlogintime: the login time before the most recent one
logintime: the most recent login time

{{tag>notes ldap dutch}}
ldapfilters.txt · Last modified: 2013/05/01 10:25 by sjoerd