FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
chaithrar
Staff
Article Id 197063

Description


This article discusses LDAP filter syntax.

 

Scope

 

FortiAuthenticator.

Solution

 

The basic filter syntax below is used to select users and groups in LDAP user import, dynamic LDAP groups, and remote user sync rules. Filters are constructed using the following comparison and logical operators:

 

=    Equal to
~=   Approximately equal to
<=   Lexicographically less than or equal to
>=   Lexicographically greater than or equal to
&    AND
|    OR
!    NOT

 

Filters can consist of multiple elements, such as (&(filter1)(filter2)).

The following examples are for a Windows 2008 AD server with the domain corp.example.com, default domain administrators and users, and an additional group called FW_Admins.

 

Users (CN) = atano, pjfry, tleela, tbother
FW_Admins (Security Group) = atano, tbother

 

An unfiltered browse will return all results from the query, including system and computer accounts.

To prevent this and only return user accounts, apply the filter (objectClass=person) or (objectCategory=user).

To filter and return only members of the security group: (&(objectCategory=user)(memberOf=CN=FW_Admins,DC=corp,DC=example,DC=com)).

It is not possible to use the filter to limit results to CNs or OUs.
To achieve this, change the Base DN in the LDAP Server configuration.


For example, to return only users from the CompanyA OU, create an LDAP Server entry with the following Base DN: OU=CompanyA,DC=corp,DC=example,DC=com.

 

Some additional examples:

(&(objectCategory=person)(objectClass=user)(!(cn=gimi)))
Get all user objects except "gimi".

(&(objectClass=user)(|(cn=andy*)(cn=steve*)(cn=margaret*)))
Get all user entries with a common name that starts with "andy", "steve", or "margaret".

(!(email=*))
Get all entries without an email attribute.

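To check what a filter selects before using it in an import or sync rule, the following added example (not Fortinet code and not part of the original article) parses and evaluates a subset of the syntax above against a constructed copy of the article's directory. It handles = with * wildcards plus &, | and !; the entry layout, the email values and the function names are assumptions, and ~=, <=, >= and \XX escapes are not handled.

```python
import re

# Constructed sample directory based on the article's users and FW_Admins group.
GROUP_DN = "CN=FW_Admins,DC=corp,DC=example,DC=com"
def user(cn, groups=(), email=()):
    return {"cn": [cn], "objectclass": ["person", "user"], "objectcategory": ["user"],
            "memberof": list(groups), "email": list(email)}
ENTRIES = [
    user("atano", [GROUP_DN], ["atano@corp.example.com"]), user("pjfry"),
    user("tleela", email=["tleela@corp.example.com"]), user("tbother", [GROUP_DN]),
    {"cn": ["FW_Admins"], "objectclass": ["group"], "objectcategory": ["group"]},
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"wrong number of operands for {op!r}")
        node = (op, kids)
    else:
        m = re.match(r"([\w.;-]+)=([^()]*)", f[i:])
        if not m:
            raise ValueError(f"unsupported or malformed item at offset {i}")
        node, i = m.groups(), i + m.end()
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter on one entry; '*' is a wildcard, case is ignored."""
    if node[0] in ("&", "|", "!"):
        hits = [matches(k, entry) for k in node[1]]
        return {"&": all(hits), "|": any(hits), "!": not hits[0]}[node[0]]
    attr, value = node
    pattern = ".*".join(re.escape(p) for p in value.lower().split("*"))
    return any(re.fullmatch(pattern, v.lower()) for v in entry.get(attr.lower(), []))

def search(flt, entries=ENTRIES):
    """Return the cn of every entry the filter selects."""
    node, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]
```

On this data, search("(!(email=*))") also returns the FW_Admins group object, so a NOT test is best combined with an object class test such as (&(objectClass=user)(!(email=*))). The memberOf value must be the group's exact DN: CN=FW_Admin in place of CN=FW_Admins selects nothing and raises no error.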
 


Related document:

LDAP filter syntax
