LDAP (Lightweight Directory Access Protocol) search filters are essential for configuring user and group synchronization in Atlassian applications like Jira, Confluence, and Bitbucket. In this guide, we’ll dive into the fundamentals of LDAP search filters, explain their syntax, and provide examples to help you construct sophisticated filters for your LDAP configuration.
LDAP filters are used to specify criteria for searching and retrieving objects from a directory service, such as Active Directory or OpenLDAP. These filters allow you to narrow down search results based on specific attributes and conditions.
Attribute Identification: An LDAP filter starts by naming the attribute(s) to match. Common attributes include "objectClass", "sAMAccountName", and "memberOf".
OID Match Strings: An OID (Object Identifier) match string names an extensible matching rule, such as a bitwise comparison, that tells the server how to compare an attribute's value instead of using the default equality match.
Logical Operators: LDAP filters can combine multiple criteria with the logical operators "&" (AND), "|" (OR), and "!" (NOT).
Constructing LDAP filters involves specifying the attributes to search and defining the conditions for matching objects. Let’s break down the key aspects of writing LDAP filters:
Matching Single Attributes:
Search for objects that have both "person" and "user" as their object classes (every condition inside "&" must hold).
(&(objectClass=person)(objectClass=user))
Matching Multiple Attributes:
Search for objects that have either "person" or "user" as their object classes (any one condition inside "|" is enough).
(|(objectClass=person)(objectClass=user))
Using Wildcards:
Search for all entries with the object class "user" and a common name (cn) containing the word "Marketing".
(&(objectClass=user)(cn=*Marketing*))
Matching Components of Distinguished Names:
Find groups whose distinguished names contain an organizational unit (OU) component matching "Chicago" or "Miami".
(&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))
Excluding Objects:
Find groups, excluding those whose distinguished names contain the organizational unit "Wrigleyville".
(&(objectClass=group)(!(ou:dn:=Wrigleyville)))
Sample LDAP Filters for Atlassian Applications:
Here are some example LDAP filters tailored for Atlassian applications:
Sync users from the “CaptainPlanet” group:
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=CaptainPlanet,ou=users,dc=company,dc=com))
Import users from multiple CNs:
(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=Jira Administrators)(memberOf=CN=jira-users)(memberOf=CN=confluence-administrators)))
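To make the syntax above concrete, here is an added example (my own code, not from this post, Atlassian, or any LDAP library) that does two things: it builds the "sync users from a group" filter with the RFC 4515 escaping that any value taken from a form field or config file needs, so that a value like "*)(objectClass=*" cannot splice its own clause into the filter; and it parses filters such as the ones above into a tree and evaluates them against a small constructed in-memory directory, so you can see exactly which entries "&", "|", "!", wildcards and ":dn:" matching select. Assumptions: attribute comparison is case-insensitive (the caseIgnoreMatch behaviour of the attributes used in this post), objectCategory is stored as the short name "Person" rather than a schema DN, and the sample entries are invented.

```python
import re

# --- Building filters safely --------------------------------------------
# RFC 4515 escapes for the characters that are special inside a filter value.
# Escaping every externally supplied value is what prevents it from closing
# the item early and adding a clause such as (objectClass=*).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a literal value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def group_member_filter(group_dn: str) -> str:
    """The post's 'sync users from a group' filter, built from a group DN."""
    return ("(&(objectCategory=Person)(sAMAccountName=*)"
            f"(memberOf={escape_filter_value(group_dn)}))")

# --- Parsing filters into a tree ----------------------------------------
# Nodes: ("&", [children]), ("|", [children]), ("!", child), ("=", attr, pattern)

def parse_filter(text: str):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters after filter at offset {pos}")
    return node

def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):                      # AND / OR: a list of sub-filters
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect_close(s, i)
    if op == "!":                             # NOT: exactly one sub-filter
        child, i = _parse(s, i + 1)
        return ("!", child), _expect_close(s, i)
    # Simple item "attr[:dn][:rule]=pattern". A literal ')' in the value must
    # already be escaped as \29, so the first ')' ends the item.
    j = s.find(")", i)
    if j == -1 or "=" not in s[i:j]:
        raise ValueError(f"malformed item at offset {i}")
    attr_desc, pattern = s[i:j].split("=", 1)
    return ("=", attr_desc, pattern), j + 1

def _expect_close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

# --- Evaluating a tree against an entry ---------------------------------
def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _pattern_matches(pattern: str, value: str) -> bool:
    # Unescaped '*' is a wildcard; everything else is literal text.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def _candidate_values(entry: dict, attr_desc: str) -> list:
    parts = attr_desc.lower().split(":")
    attr = parts[0]
    values = list(entry.get(attr, []))
    if "dn" in parts[1:]:
        # ':dn:' also matches RDN components of the entry's own DN (ou:dn:=Chicago)
        for rdn in entry["dn"].split(","):
            rdn_type, _, rdn_value = rdn.partition("=")
            if rdn_type.strip().lower() == attr:
                values.append(rdn_value.strip())
    return values

def evaluate(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr_desc, pattern = node
    return any(_pattern_matches(pattern, v) for v in _candidate_values(entry, attr_desc))

# Constructed sample directory (invented entries); attribute keys are lower-case.
DIRECTORY = [
    {"dn": "CN=Alice,OU=users,DC=company,DC=com", "objectclass": ["top", "person", "user"],
     "objectcategory": ["Person"], "samaccountname": ["alice"],
     "memberof": ["cn=CaptainPlanet,ou=users,dc=company,dc=com"]},
    {"dn": "CN=Bob,OU=users,DC=company,DC=com", "objectclass": ["top", "person", "user"],
     "objectcategory": ["Person"], "samaccountname": ["bob"], "memberof": []},
    {"dn": "CN=Marketing Team,OU=Chicago,DC=company,DC=com", "objectclass": ["top", "group"],
     "cn": ["Marketing Team"]},
    {"dn": "CN=Sales,OU=Miami,DC=company,DC=com", "objectclass": ["top", "group"], "cn": ["Sales"]},
    {"dn": "CN=Bleachers,OU=Wrigleyville,DC=company,DC=com", "objectclass": ["top", "group"],
     "cn": ["Bleachers"]},
]

def search(filter_text: str, directory=DIRECTORY) -> list:
    """Return the DNs of entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if evaluate(node, e)]

if __name__ == "__main__":
    print(search(group_member_filter("cn=CaptainPlanet,ou=users,dc=company,dc=com")))
    print(search("(&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))"))
```

Two things worth noticing when you run it: the group filter only matches Alice because memberOf values are full DNs, so the DN in the filter has to be complete for the comparison to succeed; and once the injected value is escaped it simply matches no entry instead of turning the filter into "(memberOf=*)". Running the filter through a parser before saving it in the Atlassian directory configuration is also a cheap way to catch an unbalanced parenthesis.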
LDAP search filters play a crucial role in configuring user and group synchronization in Atlassian applications. By understanding LDAP filter syntax and leveraging logical operators, you can construct sophisticated filters to tailor LDAP synchronization to your organization’s needs.
https://confluence.atlassian.com/