Directory Services › Get Object Operator › Input Parameters › LDAP Search Filter Basics

LDAP Search Filter Basics

The LDAP search filter syntax is a logical expression in prefix notation, where the logical operator appears before the associated arguments.

For example: (&(givenname=John)(sn=Green))

In the filter above & is the And operator and it appears before its arguments. In this example, we are searching for LDAP objects with John as the givenname (givenname is the LDAP attribute for first name), and sn as Green (sn is the LDAP attribute for last name).

Each item in the filter is composed using an LDAP attribute identifier and either an attribute value or symbols that denote the attribute value. Each item must also be enclosed within a set of parentheses, as in "(sn=Green)".

Items within a filter are combined together using logical operators to create logical expressions. Each logical expression can be further combined with other items that themselves are logical expressions, as in some of the filters used in CA Process Automation:

(&(|(objectclass=user)(objectclass=person))(!(objectclass=computer)))

In this filter, we are searching for all objects where the objectclass is either user OR person:

(|(objectclass=user)(objectclass=person))

AND the objectclass is not computer

(!(objectclass=computer))

Note the & at the beginning of the filter that combines these two segments together in a logical AND.

Note that the LDAP attribute objectclass stores the type(s) of an LDAP object in the LDAP directory.

Some of the logical operators used for creating filters are listed in the following table: