LDAP Filter

This topic explains how an LDAP filter is used to optimize the user selection and synchronization results.

Define the search criteria for an LDAP filter.

Examples:

  • (objectClass=*)
    All objects
  • (&(objectCategory=person)(objectClass=user)(!(cn=john)))
    All user objects except “john”
  • (sn=sm*)
    All objects with a surname that starts with “sm”
  • (&(objectCategory=person)(objectClass=contact)(|(sn=Smith)(sn=Johnson)))
    All contacts with a surname that is equal to “Smith” or “Johnson”

Matching components of distinguished names (DNs):

  • (&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))
  • (&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Boston))))

You can configure only five search agreements. If you need more than five search agreements, you must point the search agreement to the root domain in combination with LDAP filters. With these filters you can, for example, only import users from certain subdomains or from certain locations. Filters give you more scalability for importing users from large LDAP directories with many subdomains and organizational units.

The figure describes the search filter syntax that can be used for the LDAP filter in the LDAP directory configuration. Search filters define the search criteria and make searches more efficient and effective. Search filters are represented as Unicode strings. The figure lists some examples of LDAP search filters; the following table lists frequently used search filter operators.

Search Filter Operators

  Operator   Description
  =          Equal to
  ~=         Approximately equal to
  <=         Less than or equal to
  >=         Greater than or equal to
  |          OR

To match a component of a distinguished name (DN) (for example, to look for the groups in two subtrees), use a filter such as the following:

  • (&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))
  • This filter will find groups that have an organizational unit component in the DN, which is either Chicago or Miami.

To exclude entities that match an expression, use an exclamation point (!):

  • (&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Boston))))
  • This filter will find all Chicago groups except those that have a Boston organizational unit component. Note the extra parentheses: (!(<expression>)).

After creating the filter, apply it in the LDAP directory configuration. Because only one filter can be chosen per LDAP directory configuration, any additional organizational units or other objects must be combined into that single filter. The filter text can be at most 2048 characters long. Enclose the filter text within parentheses ( ).

The LDAP filter restricts the results of LDAP searches. LDAP users that match the filter are imported into the Cisco Unity Connection database; LDAP users that do not match the filter are not imported. The filter text that is entered must comply with the regular LDAP search-filter standards that are specified in RFC 4515. You should verify the LDAP search filter against the LDAP directory and search base.
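As an added example (not code from the original page, from Cisco Unity Connection or from its author), the following Python script applies the RFC 4515 rules discussed above to the filters shown on this page: it parses a filter, rejecting unbalanced parentheses, a NOT whose expression lacks its own parentheses and text over the 2048-character limit, and then dry-runs it against a small constructed set of entries, including the ou:dn:= DN-component matches from the group examples. The entry layout ({'dn': str, attribute: [values]}), the sample data and the matching rules (case-insensitive strings, ~= reduced to equality, integer ordering for <= and >=) are assumptions; the dry run does not replace a check against the real directory and search base.

```python
"""Syntax check and offline dry run for RFC 4515 LDAP filters (added example; entry layout and matching rules are assumptions)."""
import re

MAX_FILTER_LEN = 2048  # limit stated on the page for the LDAP directory configuration
_HEX_ESC = re.compile(r"\\([0-9A-Fa-f]{2})")  # RFC 4515 escape: backslash plus two hex digits
_EXT_ITEM = re.compile(r"^([\w.;-]*)(:dn)?(?::([\w.;-]+))?:=(.*)$", re.S)
_SIMPLE_ITEM = re.compile(r"^([\w.;-]+)(~=|<=|>=|=)(.*)$", re.S)

def _unescape(text):  # '\2a' becomes a literal '*', '\28' a literal '(' and so on
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)

def parse(text):  # whole filter string -> tuple tree; ValueError if malformed
    if len(text) > MAX_FILTER_LEN:
        raise ValueError("filter longer than %d characters" % MAX_FILTER_LEN)
    node, pos = _parse_filter(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text at offset %d" % pos)
    return node

def _parse_filter(s, i):  # one parenthesised component at s[i] -> (node, index after its ')')
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i, op = i + 1, s[i + 1:i + 2]
    if op in ("&", "|"):
        i, subs = i + 1, []
        while s[i:i + 1] == "(":
            sub, i = _parse_filter(s, i)
            subs.append(sub)
        if not subs:
            raise ValueError("'%s' needs at least one sub-filter at offset %d" % (op, i))
        node = (op, subs)
    elif op == "!":  # NOT wraps exactly one parenthesised filter: (!(<expression>))
        sub, i = _parse_filter(s, i + 1)
        node = ("!", sub)
    else:
        end = s.find(")", i)
        if end < 0:
            raise ValueError("missing ')' after offset %d" % i)
        node, i = _parse_item(s[i:end]), end
    if s[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def _parse_item(item):  # attr=value, attr~=value, attr<=value, attr>=value, attr[:dn][:rule]:=value
    m = _EXT_ITEM.match(item)
    if m:
        attr, dn_flag, rule, value = m.groups()
        return ("ext", attr.lower(), bool(dn_flag), rule, value)
    m = _SIMPLE_ITEM.match(item)
    if not m:
        raise ValueError("malformed filter item %r" % item)
    return (m.group(2), m.group(1).lower(), m.group(3))

def _values(entry, attr, with_dn=False):  # attribute values; with_dn adds the DN's RDN values (':dn:')
    vals = [str(v) for k, vs in entry.items() if k != "dn" and k.lower() == attr for v in vs]
    if with_dn:  # split 'cn=Ops,ou=Boston,ou=Chicago,dc=example,dc=com' on unescaped commas
        for rdn in re.split(r"(?<!\\),", entry.get("dn", "")):
            typ, _, val = rdn.partition("=")
            if typ.strip().lower() == attr:
                vals.append(val.strip())
    return vals

def matches(node, entry):  # evaluate a parsed filter against one entry (case-insensitive strings)
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "ext":
        _, attr, use_dn, _rule, value = node
        return any(v.lower() == _unescape(value).lower() for v in _values(entry, attr, use_dn))
    op, attr, value = node
    vals = _values(entry, attr)
    if op == "=" and value == "*":  # presence test
        return bool(vals)
    if op == "=":  # an unescaped '*' is a wildcard; every other character is matched literally
        pat = re.compile("^" + ".*".join(re.escape(_unescape(p)) for p in value.split("*")) + "$", re.I | re.S)
        return any(pat.match(v) for v in vals)
    if op == "~=":  # approximate match reduced to case-insensitive equality (assumption)
        return any(v.lower() == _unescape(value).lower() for v in vals)
    def key(x):  # <= and >=: integer order when both sides are integers, else string order
        return (0, int(x)) if x.strip().lstrip("-").isdigit() else (1, x.lower())
    return any(key(v) <= key(_unescape(value)) if op == "<=" else key(v) >= key(_unescape(value)) for v in vals)

def select(filter_text, entries):  # dry run: DNs of the entries the filter would let through
    tree = parse(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]

def _entry(dn, **attrs):  # constructed sample data helper (not real directory content)
    return dict(dn=dn, **{k: [v] for k, v in attrs.items()})

SAMPLE_ENTRIES = [
    _entry("cn=john,ou=Users,dc=example,dc=com", objectCategory="person", objectClass="user", cn="john", sn="Smith"),
    _entry("cn=alice,ou=Users,dc=example,dc=com", objectCategory="person", objectClass="user", cn="alice", sn="Smythe"),
    _entry("cn=bob,ou=Contacts,dc=example,dc=com", objectCategory="person", objectClass="contact", cn="bob", sn="Johnson"),
    _entry("cn=Sales,ou=Chicago,dc=example,dc=com", objectClass="group", cn="Sales"),
    _entry("cn=Ops,ou=Boston,ou=Chicago,dc=example,dc=com", objectClass="group", cn="Ops"),
    _entry("cn=Support,ou=Miami,dc=example,dc=com", objectClass="group", cn="Support"),
]
```

Call select("(&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Boston))))", SAMPLE_ENTRIES) to see that only the Sales group survives the Chicago-minus-Boston filter, while the malformed (!cn=john) variant raises ValueError at the missing inner parenthesis. Like RFC 4515, the parser accepts no whitespace between filter components, so paste filters without the spaces that creep in when they are wrapped across lines.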


You can test the filter with LDAP browsers, for example, with Softerra LDAP Administrator at http://www.ldapadministrator.com/.


Author: drbabbers

ccieme.wordpress.com - my personal journey to ccie