| title | LDAP Search Filter Cheatsheet |
|---|---|
| author | Jon LaBelle |
| date | January 1, 2021 |
| source | https://jonlabelle.com/snippets/view/markdown/ldap-search-filter-cheatsheet |
| notoc | false |
The following comparison operators can be used in a filter:
| Operator | Description |
|---|---|
| `=` | Equal |
| `>=` | Greater than or equal |
| `<=` | Less than or equal |
| `~=` | Approximately equal |
For example, the following filter returns all objects with cn (common name) attribute value Jon:
```
(cn=Jon)
```
Filters can be combined using boolean operators when there are multiple search conditions. Note that `!` takes exactly one filter; combine several conditions with `&` or `|` first.
| Operator | Description |
|---|---|
| `&` | AND --- all conditions must be met |
| `\|` | OR --- at least one condition must be met |
| `!` | NOT --- the condition must not be met |
For example, to select objects with cn equal to Jon and sn (surname/last name) equal to Brian:
```
(&(cn=Jon)(sn=Brian))
```
To match a single attribute:
```
(sAMAccountName=<SomeAccountName>)
```
To match two attributes (and):
```
(&(objectClass=<person>)(objectClass=<user>))
```
To match two attributes (or):
```
(|(objectClass=<person>)(objectClass=<user>))
```
To match three attributes (and):
```
(&(objectClass=<user>)(objectClass=<top>)(objectClass=<person>))
```
To match three attributes (or):
```
(|(objectClass=<user>)(objectClass=<top>)(objectClass=<person>))
```
To match using wildcards (cn contains Marketing):
```
(&(objectClass=<user>)(cn=<*Marketing*>))
```
To retrieve user account names (sAMAccountName) that are a member of a particular group (SomeGroupName):
```
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=<SomeGroupName>,ou=<users>,dc=<company>,dc=<com>))
```
To retrieve user account names (sAMAccountName) that are a member of a particular group (SomeGroupName) either directly or through nested group membership, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941):
```
(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=<SomeGroupName>,ou=users,dc=company,dc=com))
```
To retrieve user account names (sAMAccountName) that are a member of any of the four groups (fire, wind, water, heart):
```
(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=<fire>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<wind>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<water>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<heart>,ou=<users>,dc=<company>,dc=<com>)))
```
To search Active Directory for enabled users that must change their password at next logon (pwdLastSet is 0 and the account-disabled bit is not set):
```
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```
To search for user objects whose common name starts with Brian (cn=Brian*):
```
(&(objectClass=user)(cn=<Brian*>))
```
To find all users with a job title starting with Manager (Title=Manager*):
```
(&(objectCategory=person)(objectClass=user)(Title=<Manager*>))
```
The following search filters are supported only by Microsoft Active Directory.
To search for administrative accounts in protected groups such as Domain Admins and Enterprise Admins (these accounts have adminCount set to 1):
```
(&(objectClass=user)(objectCategory=Person)(adminCount=1))
```
To search all users except for disabled ones (userAccountControl bit 2, ACCOUNTDISABLE, not set):
```
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```
To list only disabled user accounts (userAccountControl bit 2, ACCOUNTDISABLE, set):
```
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
```
To list user accounts whose password is set to never expire (userAccountControl bit 65536, DONT_EXPIRE_PASSWORD):
```
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
```
To list person objects that have no mail attribute:
```
(&(objectCategory=person)(!(mail=*)))
```
To search users in a particular department:
```
(&(objectCategory=person)(objectClass=user)(department=<Sales>))
```
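The `<placeholders>` in the filters above are usually filled from user input (an account name, a group DN, a department). The following added example, not part of the original cheatsheet, shows how to assemble such filters in Python with the `&`, `|` and `!` operators and the two Active Directory matching-rule OIDs used on this page, escaping every substituted value per RFC 4515 so that a value containing `*`, `(` or `)` cannot change the meaning of the filter. The function and constant names are my own.

```python
# Added example: compose LDAP search filters with RFC 4515 value escaping.
# Names (escape, eq, and_, or_, not_, nested_members_of) are assumptions, not a library API.

# Characters that must be escaped inside an (attr=value) assertion (RFC 4515 section 3).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape(value: str) -> str:
    """Escape a user-supplied value so it is matched literally, never as syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str, wildcard: bool = False) -> str:
    """Build (attr=value); with wildcard=True a trailing '*' is kept, e.g. cn=Brian*."""
    if wildcard and value.endswith("*"):
        return f"({attr}={escape(value[:-1])}*)"
    return f"({attr}={escape(value)})"


def and_(*filters: str) -> str:
    """(&(f1)(f2)...) : all conditions must be met."""
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    """(|(f1)(f2)...) : at least one condition must be met."""
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    """(!(f)) : '!' takes exactly one filter; combine several with and_/or_ first."""
    return f"(!{filt})"


# Active Directory extensible-match rule OIDs used on the cheatsheet.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # bitwise AND on integer attributes
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive (nested) membership
UF_ACCOUNTDISABLE = 2                                    # userAccountControl disabled bit


def nested_members_of(group_dn: str) -> str:
    """Enabled users that are members of group_dn directly or through nested groups."""
    return and_(
        eq("objectCategory", "person"),
        eq("objectClass", "user"),
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape(group_dn)})",
        not_(f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})"),
    )
```

Run the block's functions with a value such as `*)(objectClass=*` to confirm that the special characters come back as `\2a\29\28` and the filter structure is unchanged.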
Hi. This needs to be corrected: https://gist.github.com/jonlabelle/0f8ec20c2474084325a89bc5362008a7#to-match-three-attributes-or
Perhaps you should write "|" instead of "!"