This document outlines how to go about constructing a more sophisticated filter for the userSearchFilter and groupSearchFilter attributes in your AtlassianUser LDAP config file.
 | Once you have constructed your search filter using this document, you must escape the ampersand symbol and the exclamation mark symbol before adding to your XML file. So for example,
(&(objectClass=person)(!(objectClass=user))) becomes (&(objectClass=person)(!(objectClass=user))) Refer to this external documentation on other XML characters that need escaping. |
How do I match more than one attribute?
For example, if my users are distinguished by having two objectClass attributes (one equal to 'person' and another to 'user'), this is how I would match for it:
(&(objectClass=person)(objectClass=user))
Notice the ampersand symbol '&' symbol at the start. Translated this means: search for objectClass=person AND object=user.
Alternatively,
(|(objectClass=person)(objectClass=user))
Translated this means: search for objectClass=person OR object=user.
The pipe symbol '|' denotes 'OR'. As this is not a special XML character, then it should not need escaping.
Wildcards
(&(objectClass=user)(cn=*Marketing*))
This means: search for all entries that have objectClass=user AND cn that contains the word 'Marketing'.
How do I match 3 attributes?
This gets a little tricky:
(&(&(objectClass=user)(objectClass=top))(objectClass=person))
Notice how we weave one query into another. For 4 attributes, this would be:
(&(&(&(objectClass=top)(objectClass=person))(objectClass=organizationalPerson))(objectClass=user))
And so on.
Matching Components of Distinguished Names
You may want to match part of a DN, for instance when you need to look for your groups in two subtrees of your server.
(&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))
will find groups with an OU component of their DN which is either 'Chicago' or 'Miami'.
Using 'not'
To exclude entities which match an expression, use '!'. Note that this must be represented as the entity '!' in your XML file.
So
(&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville))))
will find all Chicago groups except those with a Wrigleyville OU component.
Note the extra parentheses: (!(<expression>))
Comments (13)
May 15, 2006
Brian Yakura says:
So the question is how to you do a NOT since in AD LDAP there is user defined a...So the question is how to you do a NOT
since in AD LDAP there is user defined as objectClass=top,organizationalPerson,user,person and computer is defined as objectClass=top,organizationalPerson,user,person,computer
May 16, 2006
Brian Yakura says:
Ok, I guess the way around this is to use <userSearchFilter>(sAMAccountTy...Ok, I guess the way around this is to use
<userSearchFilter>(sAMAccountType=805306368)</userSearchFilter>
Jun 24, 2006
Bob Vandehey says:
To write an AD query to limit the users to a particular group, add the following...To write an AD query to limit the users to a particular group, add the following user search filter:
<userSearchFilter>(&(objectCategory=user)(memberOf=CN=Employees,OU=Security Groups,DC=yourdomain,DC=com))</userSearchFilter>In this particular query, the group is Employees. You will need to change this value to your target group. You will also need to update the DC.
Jul 21, 2006
Philip Misiowiec says:
To be able to limit your search to users in a collection containing both users a...To be able to limit your search to users in a collection containing both users and computers, you can also do this:
(&(objectClass=person)(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=subdomain,DC=domain))
...this is because "computers" usually have the following objectCategory:
CN=Computer,CN=Schema,CN=Configuration,DC=subdomain,DC=domain
JXplorer was very helpful in finding these differences.
Sep 20, 2006
Alex Holtz says:
NOT notation: I wanted to filter based on users and exclude locked AD accounts,...NOT notation:
I wanted to filter based on users and exclude locked AD accounts, to do this required the use of the NOT expression. Just as the 'and' operation requires you to specify the HTML code for ampersand, so does the not operation require you to specify the HTML code for exclamation.
Example:
Mar 19, 2007
Andy Brook says:
Checking for account disablement should really use bitwise checks, because the U...Checking for account disablement should really use bitwise checks, because the UAC flag is a bitwise representation. If one other flag is present, the previous query will fail.
The correct method is to use the bitwise operator for disabled users (decimal value 2).
see : UserAccountControl flag usage
Feb 17, 2008
Philip Parkinson says:
MS Active Directory and LDAP integration has a limitation with it. It seems the ...MS Active Directory and LDAP integration has a limitation with it.
It seems the MS implementation of LDAP does not support search filters based on OU. In my case I had a large AD tree and I only wanted to connect to 3 OUs and no matter what I tried I couldn't get the search filter to filter on the basis of OU.
Further reading and playing around with Saved Queries in the AD Management console confirmed it couldn't be done with a single search filter. You need to point the base of your search at the OU which negates the ability to search multiple OUs at the same level of a tree.
i.e (&(objectClass=user)(ou=Chicago) doesn't work.
The upshot of this is you need to follow the "Two connections to the Same Server" in the Configuring Multiple LDAP repositories method to add multiple OUs.
Jun 20, 2008
Andrew Droffner says:
See "Matching Components of Distinguished Names" on this page. It matches users ...See "Matching Components of Distinguished Names" on this page. It matches users in two city groups.
You may be able to search group terms in the USER DNs. This works for our OpenLDAP server.
For example, to find the group "ou=Newspapers", match the User DN string.
# roach, Newspapers
dn: uid=roach,ou=Newspapers,dc=company,dc=com
Oct 09, 2008
Wim Deblauwe says:
If you need to write complex queries, you might be better of using JExplorer. It...If you need to write complex queries, you might be better of using JExplorer. It allows you to construct queries in a graphical way. Once you have it ok there, you can ask it the textual representation of the filter and put that in your atlassian-user.xml.
regards,
Wim
Nov 07, 2008
Brian Yakura says:
Can we have a quick list of the XML attributes concat symbol XML A...Can we have a quick list of the XML attributes
looking for OR
Nov 07, 2008
Brian Yakura says:
Is it 124?Is it 124?
Mar 23
Dick Visser says:
Small typo in the title, it should read "an LDAP filter" instead of "a LDAP filt...Small typo in the title, it should read "an LDAP filter" instead of "a LDAP filter"...
May 13
Mark says:
I need a little help getting my search filter to work, i need to get all users t...I need a little help getting my search filter to work, i need to get all users there is at member of a group. The filter i'm trying to use is looking lige this:
mySearcher.Filter = "(&(objectClass=user)(memberOf=CN=cs-2007))";
But it dosn't return any values, but if I put in all the groups one member have, it returns the correct answer.
The group which the users belong to is called cs-2007
if i use this one it returns the righ:
mySearcher.Filter = "(&(objectClass=user)(memberOf=CN=cs-2007, cn=users, dc=cliff-test, dc=com))";
any way i don't have to write all of that??