In my LDAP client program I sometimes have to include the DN value within the search filter. But this DN changes frequently, and every time I have to change this filter in my code.
You should check RFC 2254 (The String Representation of LDAP Search Filters).
LDAP filters use Polish notation for the boolean operators. So the operator is written before its operands:
(&(condition1)(condition2)(condition3)...)
The example above means that you want all LDAP entries which satisfy condition1 AND condition2 AND condition3 and so on.
Then there are the conditions themselves. They are very simple and can consist only of a few types:
(attrName=*)
(attrName>=value) / (attrName<=value) / (attrName=value) / (attrName~=value)
(attrName=*value*) / (attrName=*value) / (attrName=value*)
(attrName:dn:=value) / (attrName:matchingRule:=value)
The extensible condition with the :dn: keyword means that you want attributes from the entry DN to be considered as well. So, for your case, the entry cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com would match the filter (ou:dn:=HumanResources).
Translating your example filter to an English sentence would be:
Find me all LDAP entries which have objectClass equal to person and have either ResearchAndDevelopment or HumanResources in their ou attribute or somewhere on their DN.
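
The filter described in this answer can be built from parameters rather than hard-coded, so a changing OU name never requires a code edit. The following is an added example, not part of the original answer: the function names are hypothetical, the sample entry is constructed from the DN quoted above, and the matcher is a simplified local model of :dn: matching (case-insensitive, no escaped commas or multi-valued RDNs), not a server implementation.

```python
# Added example: build the (&(objectClass=...)(|(ou:dn:=...)...)) filter from
# parameters, escaping the characters RFC 2254 reserves inside filter values,
# and model what the :dn: keyword makes the server compare against.

# RFC 2254 section 4: these characters must be written as backslash + hex.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_filter(object_class, ous):
    """Prefix notation: AND of objectClass with an OR over the OU names."""
    ou_terms = "".join(f"(ou:dn:={escape_filter_value(ou)})" for ou in ous)
    return f"(&(objectClass={escape_filter_value(object_class)})(|{ou_terms}))"


def dn_components(dn):
    """Split a DN into (attribute, value) pairs (simplified parsing)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def matches_dn_extensible(entry_dn, entry_attrs, attr, value):
    """Model (attr:dn:=value): check entry attributes AND the DN components."""
    candidates = list(entry_attrs.get(attr, []))
    candidates += [v for a, v in dn_components(entry_dn) if a == attr.lower()]
    return any(c.lower() == value.lower() for c in candidates)


# Constructed sample entry: note it has no "ou" attribute of its own, so a
# plain (ou=HumanResources) would not match; only the :dn: form does.
SAMPLE_DN = "cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com"
SAMPLE_ATTRS = {"objectClass": ["person"], "cn": ["John Doe"]}

if __name__ == "__main__":
    print(build_filter("person", ["ResearchAndDevelopment", "HumanResources"]))
    print(matches_dn_extensible(SAMPLE_DN, SAMPLE_ATTRS, "ou", "HumanResources"))
```
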