Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Debbie_FTNT
Staff & Editor
Staff & Editor

Created on ‎05-19-2021 07:23 AM Edited on ‎04-23-2025 09:06 AM By Moderator

Article Id 193190

Technical Tip: LDAP filter syntax for groups and remote user sync rules

Description

 

This article explains some common syntax and provides some examples of LDAP filters which may be used in configuring groups or setting remote user synchronization rules in FortiAuthenticator.

 

Scope

 

FortiAuthenticator.

Solution

 

FortiAuthenticator allows for setting LDAP filters when querying LDAP filters for a variety of reasons, most commonly for remote user sync rules and groups.
When constructing a filter, it may be as broadly or as narrowly defined as necessary, by setting broad matches or combining multiple attributes

LDAP filters are constructed in this manner:

 

(<and/or>(condition1)(condition2)(condition3)(etc))

 

These can also be nested and negated.
Wildcards are supported for some attributes like CN (common name), but not supported with negated conditions, and not supported for the ‘memberOf’ attribute.

Filter examples.

Find all users of a particular group:

 

(&(objectClass=user)(memberOf=cn=group1,ou=users,dc=test,dc=lab))

 

  • Find all objects of type 'user' AND member of 'cn=group1,ou=users,dc=test,dc=lab'
  • Note: this does NOT find nested users.

 

Find all users with ‘admin’ in their common name (CN):

 

(&(objectClass=user)(cn=*admin*))

 

  • Find all objects of type 'user' AND with 'admin' somewhere in their common name.

Find all users or computers:

 

(|(objectClass=user)(objectClass=computer))

 

  • Find all objects of type ‘user’ OR type 'computer'.

Find a user with only partial information of their name:

 

(anr=<name string)

 

  • This works only with Active Directory.
  • ADR stands for Ambiguous Name Resolution; the supplied string will be matched against common identity fields like FirstName, LastName, or Email.

Find all but one user in a group:

 

(&(objectClass=user)(memberOf=cn=group1,ou=users,dc=test,dc=lab)(!(sAMAccountName=testuser)))

 

  • Note the extra parentheses: (!(sAMAccountName=testuser)).
  • Find all objects of type 'user' AND member of 'cn=group1,ou=users,dc=test,dc=lab' AND NOT 'testuser'.

Find all users in a group with 'svc' or 'service' in their common name (CN):

 

(&(objectClass=user)(memberOf=cn=group1,ou=users,dc=test,dc=lab)(|(cn=*svc*)(cn=*service*)))

 

  • Find all objects of type 'user' AND member of group1 AND (*svc* OR *service*) in their name.

Find users in groups AND nested groups (only in Active Directory environments):

 

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=group1,ou=users,dc=test,dc=lab)

 

  • Find all objects of type ‘user’ AND member of group1 or member of a group which is itself a member of group1.

Common LDAP attributes to use in filters:

  • objectClass: The type of object; commonly 'user', ‘person’, ‘computer’
  • cn: The common name of an object: CN=Smith\,John.
  • dn: The distinguished (full) name of an object: DN=CN=Smith\,John,OU=users,DC=test,DC=lab.
  • memberOf: An attribute indicating what groups this object is a member of.
  • displayName: The display name of the object, usually consists of first name and last name, like 'John Smith'.
  • sAMAccountName: Usually the account name and email prefix, like 'jsmith'.
10379
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.