LDAP query basics


This topic covers the basic concepts you need to create LDAP queries.

LDAP queries typically include three parts:

  • Base distinguished name (DN) — Identifies the entry at which the search starts; the query returns matching entries at or beneath it. For example, when querying users, you could create a base DN such as CN=Users,DC=us,DC=sso,DC=bmc,DC=com. This DN corresponds to the Users container in the domain us.sso.bmc.com. Keep the base DN as narrow as the data allows: a base DN of DC=us,DC=sso,DC=bmc,DC=com makes the directory scan the whole domain.
  • Filter — Specifies one or more conditions that an entry's attributes must satisfy, written in LDAP filter syntax. If you are creating a query for user information, a typical filter is objectClass=user. For a group, a typical filter is objectClass=group. If any part of a filter value comes from user input, escape it as RFC 4515 requires (the characters \, *, (, ) and NUL) so the input cannot change the structure or scope of the filter.
  • Attribute — Specifies which attribute value the query returns for each matching entry. If you are creating a query for user information, a typical attribute is userPrincipalName. For a group, a typical attribute is member, which holds the DNs of the group's members.

For example, the following queries could be paired to obtain user information from ADsyncTestGroup and all of its subgroups.

Query components:
  Name: ADsyncTestGroup query
  Base DN: CN=ADsyncTestGroup,OU=automation,OU=junit,DC=us,DC=sso,DC=bmc,DC=com
  Filter: objectClass=group
  Attribute: member
Query results:
  Queries for all subgroups of the group ADsyncTestGroup.

Query components:
  Name: ADsyncTestGroup users query
  Base DN: leave blank (the DNs returned by the associated group query are used as the base)
  Filter: objectClass=user
  Attribute: userPrincipalName
Query results:
  Queries for all users of the groups identified in the associated query. If paired with the group query shown above, this query would obtain user information from ADsyncTestGroup and all of its subgroups.


Tip: For faster searching, end a partial value with an asterisk. Example: cert*. A trailing asterisk is a prefix match, which the directory can usually answer from an index; a leading asterisk (for example, *cert) forces the server to examine every value and is much slower. Because the asterisk is a wildcard, it is also one of the characters you must escape when a filter value comes from user input.
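The following added example is not BMC code and does not show how the product runs its queries; it models the three parts of a query (base DN, filter, attribute), the paired group and user queries above, the trailing-asterisk prefix match from the tip, and RFC 4515 escaping against a small constructed in-memory directory so that everything runs offline. The directory entries, the SubGroupA and certbot names, the recursive expansion of member groups, and all helper names are assumptions made for illustration; against a real directory the same base DN, filter and attribute would be sent with a client such as ldapsearch.

```python
# Added example, not BMC's code: models a query's base DN, filter and attribute,
# the paired group/user queries from this page, the trailing-asterisk prefix match
# from the tip, and RFC 4515 escaping, against a constructed in-memory directory.
import re

# --- Constructed sample directory (names and entries are made up) ---
GROUP_DN = "CN=ADsyncTestGroup,OU=automation,OU=junit,DC=us,DC=sso,DC=bmc,DC=com"
SUBGROUP_DN = "CN=SubGroupA,OU=automation,OU=junit,DC=us,DC=sso,DC=bmc,DC=com"  # assumed subgroup
USERS_BASE = "CN=Users,DC=us,DC=sso,DC=bmc,DC=com"

def _group(*members):
    return {"objectClass": ["top", "group"], "member": list(members)}

def _user(name):
    return {"objectClass": ["top", "person", "user"], "sAMAccountName": [name],
            "userPrincipalName": [f"{name}@us.sso.bmc.com"]}

DIRECTORY = {  # DN -> attribute -> list of values
    GROUP_DN: _group(SUBGROUP_DN, f"CN=alice,{USERS_BASE}"),
    SUBGROUP_DN: _group(f"CN=bob,{USERS_BASE}", GROUP_DN),  # nested group that cycles back to its parent
    f"CN=alice,{USERS_BASE}": _user("alice"),
    f"CN=bob,{USERS_BASE}": _user("bob"),
    f"CN=certbot,{USERS_BASE}": _user("certbot"),  # exists, but is not a member of either group
}

# --- Filter handling ---
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter, so input cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_equality_filter(filter_str: str):
    """Accept 'attr=value' or '(attr=value)'. A trailing unescaped '*' is a prefix wildcard
    (the 'cert*' form from the tip); an escaped '\\2a' is a literal asterisk."""
    s = filter_str.strip()
    if s.startswith("(") and s.endswith(")"):
        s = s[1:-1]
    attr, sep, value = s.partition("=")
    if not attr or not sep:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    if value.endswith("*"):
        pattern = re.escape(_unescape(value[:-1])) + ".*"
    else:
        pattern = re.escape(_unescape(value))
    return attr.lower(), re.compile(f"^{pattern}$", re.IGNORECASE)

def _in_scope(dn: str, base_dn: str) -> bool:
    """Subtree scope: the base entry itself or any entry beneath it. A blank base matches nothing."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return bool(base_dn) and (dn == base_dn or dn.endswith("," + base_dn))

def search(base_dn: str, filter_str: str, attribute: str) -> dict:
    """Return {dn: [values of `attribute`]} for entries under base_dn that match the filter."""
    attr, pattern = parse_equality_filter(filter_str)
    results = {}
    for dn, entry in DIRECTORY.items():
        if not _in_scope(dn, base_dn):
            continue
        attrs = {k.lower(): v for k, v in entry.items()}
        if any(pattern.match(v) for v in attrs.get(attr, [])):
            results[dn] = list(attrs.get(attribute.lower(), []))
    return results

# --- The two paired queries from the page ---
GROUP_QUERY = {"base_dn": GROUP_DN, "filter": "objectClass=group", "attribute": "member"}
USER_QUERY = {"base_dn": "", "filter": "objectClass=user", "attribute": "userPrincipalName"}

def paired_user_lookup(group_query: dict, user_query: dict) -> list:
    """Each member DN from the group query becomes the base DN of the user query (its own
    base DN is blank). Assumption: a member that is not a user is expanded as a subgroup with
    the same group query; the visited set makes a nested-group cycle terminate."""
    upns, seen, pending = set(), set(), [group_query["base_dn"]]
    while pending:
        group_dn = pending.pop()
        if group_dn.lower() in seen:
            continue
        seen.add(group_dn.lower())
        members = search(group_dn, group_query["filter"], group_query["attribute"])
        for member_dn in (m for dns in members.values() for m in dns):
            hits = search(member_dn, user_query["filter"], user_query["attribute"])
            if hits:
                upns.update(v for vals in hits.values() for v in vals)
            else:
                pending.append(member_dn)
    return sorted(upns)

def lookup_by_account_name(user_input: str, escape: bool = True) -> dict:
    """Single-account lookup; with escape=False an input of '*' matches every user (wildcard injection)."""
    value = escape_filter_value(user_input) if escape else user_input
    return search(USERS_BASE, f"(sAMAccountName={value})", "userPrincipalName")

if __name__ == "__main__":
    print(paired_user_lookup(GROUP_QUERY, USER_QUERY))  # alice and bob, not certbot
    print(search(USERS_BASE, "sAMAccountName=cert*", "userPrincipalName"))  # prefix match from the tip
    print(len(lookup_by_account_name("*", escape=False)), len(lookup_by_account_name("*")))  # 3 vs 0
```

Two behaviours worth noting: the visited set matters because Active Directory allows a nested group to contain one of its own ancestors, so a naive expansion of member never terminates; and the unescaped lookup shows why the tip's wildcard cuts both ways, since a value of * taken from a form field turns a single-account lookup into a dump of every user under the base DN.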