In my LDAP Client program sometimes I have to include the DN value within the search filter. But this DN is changing frequently and every I have to change this filter in my code.
When I googled it for that I got something like this
Suppose you want to pull all users of ObjectType = Person from the R&D and HR ous, but not any users from Marketing and PM. The filter would be:
(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))
Can anybody explain this more in detail?
You should check RFC 2254 (The String Representation of LDAP Search Filters).
LDAP filters use polish notation for the boolean operators. So the operator is written before its operands:
(&(condition1)(condition2)(condition3)...)
The example above means that you want all LDAP entries which satisfy condition1 AND condition2 AND condition3 and so on.
Then there are condition themselves. They are very simple and can consist only of few types:
- present condition -
(attrName=*) - simple condition -
(attrName>=value)/(attrName<=value)/(attrNamevalue=value)/(attrName~=value) - substring condition -
(attrName=*value*)/(attrName=*value)/(attrName=value*) - extensible condition -
(attrName:dn:=value)/(attrName:matchingRule:=value)
The extensible condition with the :dn: keyword means, that you want attributes from the entry DN to be considered as well. So for your case entry cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com would match the filter (ou:dn:=HumanResource).
Translating your example filter to an English sentence would be:
Find me all LDAP entries which have
objectClassequal topersonand have eitherResearchAndDevelopmentorHumanResourcesin theirouattribute or somewhere on their DN.
来源:https://stackoverflow.com/questions/7472994/using-dn-in-search-filter