2009-09-25 17:56:10
The text form of the search filter is defined by with a bit of help from and was significantly extended with () and Generic String Encoding Rules (GSER) ().
Note: Component matching was defined significantly later than the original LDAPv3 specs and, since it is part of the basic specification, it does not require an LDAP extension OID (in the RootDSE). It is therefore not clear either how widespread the implementation is or how, other than by trying, one discovers whether an LDAP implementation supports the capability. Sigh.
The formal search string is defined by ASN.1 gobbledegook which would normally be encoded in . In an act of sanity the IETF chose to allow a string representation which allows mere mortals to read it.
OpenLDAP is evolving and is not always (rarely?) backward compatible - the following examples were tested with OpenLDAP 2.4.8 on FreeBSD.
( filter )
Filters are always enclosed in brackets (parentheses).
Simple Single Expression Filters
attr=value # equals (may include wildcards)
Note: The type of comparison carried out, for example, case sensitive or case insensitive, is defined by the properties of the attribute used in the comparison and the form of the search (may be , or . You will see references to a string used in a search being called a substring. This is only correct if it contains one or more wildcards.
Where:
equals (=) performs either an EQUALITY match (no wildcards in value) or a SUBSTR match (one or more wildcards are included in value).
approx (~=) performs a match using one of two 'sounds-like' algorithms and requires an approx .
greater than (>=) performs a match of value against the contents of the defined attribute and returns all those that are lexicographically equal or higher. This form only works if the attribute has an and very few attributes do.
less than (<=) performs a match of value against the contents of the defined attribute and returns all those that are lexicographically equal or lower. This form only works if the attribute has an and very few do.
wildcards
The wildcard * may be used singly as a presence indicator (the attribute exists in the entry or the objectclass exists in the entry) or as a classic iteration value, in which case it means '0 or more characters may occur in the position of the *'. With the objectclass=obj form, wildcards may only be used as a presence indicator.
(mail=*) # returns all entries which have a mail attribute
(objectclass=*) # returns all entries
Notes:
Two or more expressions may be combined (or nested) using & (AND), ! (NOT) and | (OR):
(&(exp1)(exp2)(exp3)) # exp1 AND exp2 AND exp3
NOT (!) is a tad problematic but logical (maybe) and only works in the form above. See also the examples below:
(&(mail=*)(cn=*r)(sn=s*)) # has mail attr AND cn ends with R AND
If you need to search for a pattern that includes a special character (*, (, ), \ or NULL) it must be escaped using the format '\code' (the code is actually the 2 hexadecimal characters representing the ASCII character). Similarly any binary value may be searched for by using its hexadecimal value.
\2a replaces or escapes *
Escaped Search Examples
(cn=*\2a*) # searches for * anywhere in the cn
(file=d:\5cmyfile.html) # searches for d:\myfile
(description=*\28*\29) # searches for both ( and ) anywhere and in that order
(bin=\5b\04) # searches for binary values 5b04
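The escaping rule above matters most when a filter is assembled from data that was not written by the person writing the filter, because an unescaped * ( ) or \ in a value is read as filter syntax rather than as data. The following is an added example, not part of the original guide: the function names and the attribute-name check are assumptions made for illustration, and the inputs are constructed.

```python
import re

# The special characters the text lists: * ( ) \ and NULL.
_SPECIAL = {"*", "(", ")", "\\", "\x00"}
# Assumed sanity check for attribute names: a short name or a dotted numeric OID.
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+")


def escape_filter_value(value):
    # bytes are binary data: every byte becomes \xx, e.g. 5b04 -> \5b\04.
    if isinstance(value, bytes):
        return "".join("\\%02x" % b for b in value)
    # str is text: only the special characters are replaced by \xx.
    return "".join("\\%02x" % ord(c) if c in _SPECIAL else c for c in value)


def _check_attr(attr):
    if not _ATTR.fullmatch(attr):
        raise ValueError("unexpected attribute name: %r" % (attr,))
    return attr


def equality_filter(attr, value):
    # (attr=value): the whole value is literal data, so no wildcard survives.
    return "(%s=%s)" % (_check_attr(attr), escape_filter_value(value))


def contains_filter(attr, fragment):
    # (attr=*fragment*): the two wildcards come from this code, not from input.
    if not fragment:
        raise ValueError("empty fragment would produce a bare ** filter")
    return "(%s=*%s*)" % (_check_attr(attr), escape_filter_value(fragment))


if __name__ == "__main__":
    # Constructed inputs; the first three reproduce the escaped examples above.
    print(contains_filter("cn", "*"))
    print(equality_filter("file", "d:\\myfile.html"))
    print(equality_filter("bin", b"\x5b\x04"))
    # A value that happens to contain ( ) and * stays a single literal value.
    print(equality_filter("ou", "R&D (Berlin)*"))
```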
The default search behaviour for any attribute is defined by its for the search TYPE (EQUALITY, SUBSTR or ORDERING). This may be overridden by defining a replacement matching rule (either by name or by OID).
# default sn EQUALITY comparison behaviour
Using the override process it is possible to define search criteria that include properties that are not defined by the Attribute, such as ORDERING (which is very uncommon in attribute definitions).
It is possible to declare that any part of the base DN attribute data values may also be included in the search. This may be done using the keyword dn within the search expression as shown below:
# indicates the dc value of com may appear in the DN
Component Matching is defined under the generic heading of Extensible Filters and is .