LDAP Search Filters

I thought of writing more about LDAP search filters, with a few examples. The main purpose of learning this is investigating LDAP server related problems. This will be useful if you are planning to integrate an LDAP server with a Peoplesoft application. The search filters covered here are not a complete list, but they will give you a quick intro to the topic.

Peoplesoft and LDAP Servers

LDAP is a Protocol Specification for Lightweight Directory Access Protocol. RFC 4511 defines the latest LDAP Version 3 specification. This is a Proposed LDAP Standard.

Peoplesoft supports LDAP server integration either for Single Sign On or for deploying an Enterprise Directory. The following LDAP directory servers are commonly integrated with Peoplesoft applications:

– Sun Java Directory Server (previously iPlanet Directory Server)

– Novell’s eDirectory

– Microsoft’s Active Directory

Most of the examples below use Oracle Internet Directory as the LDAP server. However, if you understand the general LDAP directory server concepts, the search filter concept will work with the majority of LDAP directory servers.

LDAP Search Operation

An LDAP search operation can be done in many ways. One way of querying an LDAP server is the ldapsearch utility. The examples below assume you are running this utility in a Unix/Linux environment.

Similar to ldapsearch utility, you can also use the ldifde utility to query entries from the Active Directory.

If you don’t like using a command line utility for LDAP queries, you can use one of the LDAP browsers. A few tools are available, such as JXplorer or Softerra LDAP Browser (choose the one you like). Most LDAP browsers support LDAP search filters, so you just need some basics of LDAP and a basic knowledge of search filters to use them.

The ldapsearch Utility

The ldapsearch utility is used for querying the LDAP server. It works as long as the target system adheres to the LDAP specification. This utility is similar to the sqlplus tool for an Oracle Database; however, ldapsearch is purely command line based, rather than giving you an interface like sqlplus.

Basic usage of ldapsearch command:

ldapsearch [options] filter [attributes...]

As you can see above, filter is a mandatory argument for ldapsearch.

Here is an example of using ldapsearch utility:

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s base "(objectclass=*)" defaultnamingcontext

Result:

defaultNamingContext=DC=tserver,DC=com

This command example returns the default naming context of the LDAP server. In the example above, "(objectclass=*)" is an LDAP search filter. Here are the other options we used:

-h -> Hostname or IP Address of the LDAP Directory Server

-p -> Port Number for the LDAP Directory, default LDAP port is 389, LDAPS with SSL port is 636.

-D -> Bind DN – the LDAP DN used for connecting to the LDAP directory, i.e. the login user for querying purposes.

-w -> Password for the login user given with the -D option.

-b -> Base DN for the search – here the query starts from the top level of the Directory Structure.

-s base -> The search scope here is "base" (other possible values are sub and one).

In the above example, we are printing only the value of the defaultnamingcontext attribute. If the attribute list is omitted from the query, all attributes and values of the entry are printed.

Search filters

The latest RFC 4515 specifies the string representation of LDAP search filters. Let’s explore a few more examples of using search filters.

You should understand how your LDAP schema is defined.

Search filter for querying a particular User ID – prints the dn:

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s sub "(uid=U10023456)" dn

Search for a particular First Name and Last Name – this uses an AND filter:

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s sub "(&(givenname=Vijay)(sn=Chinnasamy))" dn

Search for a pattern or substring – First Name starts with Vij – this uses the wildcard character for pattern matching:

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s sub "(givenname=Vij*)" dn

Search for First Name NOT Vijay – using a NOT filter:

ldapsearch -h 192.168.1.11 -p 389 -D "CN=testuser,CN=Users,DC=tserver,DC=com" -w "mypassword" -b "" -s sub "(!(givenname=Vijay))" dn

Note that the queries above start from the root context, that is, the top of the LDAP directory. If you know the base location, you should pass it with the -b option of the ldapsearch utility.
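As an added example (not part of the original post), the Python helper below composes the four filters shown above and escapes values the way RFC 4515 section 3 requires, so an ID typed by a user stays a single literal value instead of changing the filter's structure. The function names are this example's own, not a library API.

```python
# Added example: compose RFC 4515 search filters and escape untrusted values.
# Helper names (escape_value, eq, ...) are this example's own, not a library API.

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_value(value: str) -> str:
    """Escape a value so it is matched literally, not parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def eq(attr: str, value: str) -> str:
    """Equality filter, e.g. (uid=U10023456); the value is escaped."""
    return f"({attr}={escape_value(value)})"

def starts_with(attr: str, prefix: str) -> str:
    """Substring filter with a trailing wildcard, e.g. (givenname=Vij*).
    Only the prefix is escaped; the '*' is added here on purpose."""
    return f"({attr}={escape_value(prefix)}*)"

def and_(*filters: str) -> str:
    """AND filter: (&(f1)(f2)...)."""
    return "(&" + "".join(filters) + ")"

def not_(filt: str) -> str:
    """NOT filter: (!(f))."""
    return "(!" + filt + ")"

def user_lookup_filter(user_id: str) -> str:
    """Filter a sign-on flow might build from a user-typed ID (constructed case).
    With escaping, an input such as '*)(uid=*' stays one literal value;
    without it, the same input would match every entry that has a uid."""
    return eq("uid", user_id)

if __name__ == "__main__":
    print(eq("uid", "U10023456"))                                   # (uid=U10023456)
    print(and_(eq("givenname", "Vijay"), eq("sn", "Chinnasamy")))   # (&(givenname=Vijay)(sn=Chinnasamy))
    print(starts_with("givenname", "Vij"))                          # (givenname=Vij*)
    print(not_(eq("givenname", "Vijay")))                           # (!(givenname=Vijay))
    print(user_lookup_filter("*)(uid=*"))                           # (uid=\2a\29\28uid=\2a)
```

Pass the returned string as the filter argument of ldapsearch (quoted, as in the commands above) or to whichever LDAP client library your application uses.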

Ok, that’s all for now. We will meet in another post. Until then

Vijay Chinnasamy

Posted by Vijayakumar Chinnasamy
December 20th, 2010