When importing LDAP users, you can include or exclude users whose LDAP attributes satisfy the filter criteria. This feature makes it easy to import specific users rather than all of the users defined in the LDAP directory.
The filter syntax, which conforms to RFC 2254, is a logical expression that uses prefix notation (the operator must occur before the arguments being evaluated). For example, the following filter would import only those users who belonged to the organizationalPerson object class and had family names beginning with the letter R, S, or T:
(&(objectClass=organizationalPerson)(|(sn=R*)(sn=S*)(sn=T*)))
Use the following table as a guideline for entering user filter criteria.
| Filter | Symbol | Description | Example |
|---|---|---|---|
| Approximate | ~= | The LDAP attribute value can match the filter criterion exactly or match variations in spelling. | (sn~=Jones) |
Equality |
= | The LDAP attribute value must match the filter criterion exactly. | (sn=Jones) |
| Greater than or equal | >= | The LDAP attribute value must match or be greater than the filter criterion. | (sn>=Jones) |
| Less than or equal | <= | The LDAP attribute value must match or be less than the filter criterion. | (sn<=Jones) |
| Presence | =* | The LDAP attribute must exist, such as all entries with the family name attribute. | (sn=*) |
| Substring | The LDAP attribute value must contain, begin with, or end with the filter criterion. | (sn=J*) (sn=*on*) (sn=Jo*n*) | |
| And | & | Joins two expressions. A user entry in the LDAP directory must meet both criteria. | (&(sn=Jones)(ou=People)) |
| Or | | | Joins two expressions. A user entry in the LDAP directory can match either criterion. | (|(sn=Jones)(sn=Smith)) |
| Not | ! | The LDAP attribute value cannot match the filter criterion. | (!(sn=Jones)) |
