
Filtering by User or Group in LDAP (Search Filters)

LDAP has strong search capabilities built into the client and server. You can create search filters, both simple and complex, to narrow down your users or groups to just the ones you want to see. This article includes a couple of examples of searches you can perform with JumpCloud's LDAP, and includes pointers to some articles to help you write LDAP search filters.

These examples assume that you've already got your LDAP client configured properly to query the JumpCloud LDAP service, and that your query is returning everything in:

ou=Users,o=<your-organization-id>,dc=jumpcloud,dc=com

The examples are search filters that apply to the data returned by querying this search base.


Finding a Specific User


There are several ways to query for a specific user account. You'll see a pattern as you compare the search filter to the LDIF output (which you can get via ldapsearch).


By distinguished name (DN):

(uid=john,ou=Users,o=<your-organization-id>,dc=jumpcloud,dc=com)

By full name (cn):

(cn=John Doe)

By last name (sn):

(sn=Doe)

By given name (givenName):

(givenName=John)

By uid only (uid):

(uid=john)

By UID number (uidNumber):

(uidNumber=1000)


Finding Users in a Specific Group


When a group of users is bound to LDAP, a groupOfNames object is created in LDAP. In the case of JumpCloud's hosted LDAP service, this consists of one or more member attributes, and those attributes are the distinguished names of the users in the group. For example, here's what a group called "Admins" looks like:

# Admins, Users, <org-id>, jumpcloud.com
dn: cn=Admins,ou=Users,o=<org-id>,dc=jumpcloud,dc=com
member: uid=john,ou=Users,o=<org-id>,dc=jumpcloud,dc=com
member: uid=mary,ou=Users,o=<org-id>,dc=jumpcloud,dc=com
objectClass: top
objectClass: groupOfNames
description: tagGroup
cn: Admins
ou: Admins

In this case, "john" and "mary" are both in the "Admins" group.


Getting the Contents of a Specific Group

(&(objectClass=groupOfNames)(cn=Admins))

The above query says: show me only LDAP records where objectClass=groupOfNames (a group) and where the common name (cn) equals "Admins".

Getting the Users in a Specific Group

(&(objectClass=inetOrgPerson)(memberOf=cn=Admins,ou=Users,o=<org>,dc=jumpcloud,dc=com))

The above query says: give me only users (objectClass=inetOrgPerson) who are members of the Admins group.

Note that in the above queries, the queries are surrounded by (&(filter1)(filter2)). This is called "prefix" notation, and is exactly the same as the "infix" notation that you may be more used to, which would look like: (filter1) and (filter2).
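
Filters like the ones above are often assembled from values a user typed in, such as a login or group name. The following Python code is an added example, not JumpCloud's code: it builds this article's filters with RFC 4515 filter-value escaping and RFC 4514 DN-value escaping so that characters such as `*`, parentheses and commas are treated as data. The function names, the attribute allow-list and the sample inputs are assumptions made for the example.

```python
# Added example, not JumpCloud code. Builds the article's filters from
# untrusted strings so that metacharacters stay literal data.

# Attributes the article searches on (assumed allow-list for this example).
ALLOWED_ATTRS = {"cn", "sn", "givenName", "uid", "uidNumber"}

def escape_filter_value(value):
    """RFC 4515: hex-escape backslash, *, (, ) and NUL in a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_dn_value(value):
    """RFC 4514: escape characters that are special inside one RDN value."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in '"+,;<>\\' or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)

def user_filter(attr, value):
    """(attr=value) for one of the article's user attributes."""
    if attr not in ALLOWED_ATTRS:
        raise ValueError("attribute not allowed: %r" % attr)
    return "(%s=%s)" % (attr, escape_filter_value(value))

def users_in_group_filter(group_cn, org_id):
    """The article's memberOf filter; the DN is escaped first, then the filter."""
    group_dn = "cn=%s,ou=Users,o=%s,dc=jumpcloud,dc=com" % (
        escape_dn_value(group_cn), escape_dn_value(org_id))
    return "(&(objectClass=inetOrgPerson)(memberOf=%s))" % escape_filter_value(group_dn)

if __name__ == "__main__":
    # Constructed sample inputs; "ORG_ID" is a placeholder, not a real id.
    print(user_filter("uid", "john"))
    print(user_filter("cn", "Doe (Contractor)"))   # parentheses stay literal
    print(user_filter("uid", "*"))                 # literal asterisk, not a wildcard
    print(users_in_group_filter("Ops, EU", "ORG_ID"))
```

The comma in the group name is escaped twice on purpose: once as DN syntax (`\,`) and then the resulting backslash as filter syntax (`\5c`).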

Last Updated: Dec 10, 2018 10:00AM MST
