LDAP Filters JSON Body syntax

Mike Garvey edited this page Apr 21, 2022 · 4 revisions

LDAP filters are specified in the request body sent to a /search/* API endpoint.

The keywords for the different operations are:

| Keyword | JSON Type | Expected Values |
|---------|-----------|-----------------|
| And     | Object    | Any (but no duplicate keys) |
| Or      | Array     | Any |
| Not     | Object    | 1x Name/Value Pair |
| Nor     | Array     | Any |
| Band    | Object    | 1x Name/Value Pair |
| Bor     | Object    | 1x Name/Value Pair |
| Recurse | Object    | 1x Name/Value Pair; the value must be a distinguishedName |

Name/Value Pairs

These are the typical <LDAP Property> = <Value> entries you would expect in a query. In the JSON body of a request they are ordinary property/value pairs inside a JSON object. Wildcards (*) are accepted on the same properties that accept them in LDAP.

{
  "name": "John Doe"
}

and its LDAP equivalent: (name=John Doe)

Null values

When you want to query for a property that has no value, include that property in the JSON body with a null value as well. The API serializes this:

{ "mail": null }

Serialized: (!(mail=*))

AND

All statements under the object must be true.

{
  "and": {
    "name": "John Do*",
    "mail": "*@contoso.com"
  }
}

Serialized: (&(name=John Do*)(mail=*@contoso.com))

OR

An array of statements of which ANY must be true.

{
  "or": [
    { "name": "*Doe" },
    { 
      "and": {
        "mail": "john@*",
        "physicalDeliveryOfficeName": "The Burbs"
      }
    }
  ]
}

Serialized: (|(name=*Doe)(&(mail=john@*)(physicalDeliveryOfficeName=The Burbs)))

NOT

An object wrapping a single statement that must NOT be true.

{
  "and": {
    "co": "US",
    "not": { "name": "That guy" }
  }
}

Serialized: (&(co=US)(!(name=That guy)))

NOR

(NOT + AND) - An array of statements that must ALL be false.

{
  "nor": [
    {
      "proxyAddresses": "*contoso.com"
    },
    {
      "proxyAddresses": "*doeindust*.com"
    },
    {
      "proxyAddresses": null
    }
  ]
}

Serialized: (&(!(proxyAddresses=*contoso.com))(!(proxyAddresses=*doeindust*.com))(!(!(proxyAddresses=*))))

BAND

Bitwise AND operator - every bit (flag) set in the value must also be set on the property. In the example, 514 combines the Normal Account (512) and Disabled (2) flags, so the object must carry both.

{
  "band": {
    "userAccountControl": 514
  }
}

Serialized: (userAccountControl:1.2.840.113556.1.4.803:=514)

BOR

Bitwise OR operator - at least one of the bits (flags) set in the value must be set on the property. In the example, 65538 combines the Password Never Expires (65536) and Disabled (2) flags, so either one matches.

{
  "bor": {
    "userAccountControl": 65538
  }
}

Serialized: (userAccountControl:1.2.840.113556.1.4.804:=65538)

RECURSE

An extensible match that walks the ancestry (membership chain) of an object. It is limited to filters whose value is a DistinguishedName (DN). The example below shows a recursive group membership check.

{
  "and": {
    "name": "John Doe",
    "recurse": {
      "memberOf": "CN=Some Group,OU=Security,DC=contoso,DC=com"
    }
  }
}

Serialized: (&(name=John Doe)(memberOf:1.2.840.113556.1.4.1941:=CN=Some Group,OU=Security,DC=contoso,DC=com))
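The following is an added reference serializer, not the API's own code, that turns the JSON body syntax above into the LDAP filter strings shown in each section. Because request values end up inside the filter, it also escapes the RFC 4515 special characters `(`, `)`, `\` and NUL while passing `*` through so wildcards keep working; that escaping step is an assumption about what a safe implementation should do, not something this page documents.

```python
import json

# Matching-rule OIDs this page shows for the three extensible-match keywords.
OIDS = {
    "band": "1.2.840.113556.1.4.803",     # bitwise AND
    "bor": "1.2.840.113556.1.4.804",      # bitwise OR
    "recurse": "1.2.840.113556.1.4.1941", # ancestry / chain match on a DN
}


def escape(value):
    """RFC 4515 escaping of a filter value. '*' is deliberately left alone
    because the page says wildcards are accepted; everything that could
    open or close a sub-filter is escaped so a value cannot inject one."""
    out = []
    for ch in str(value):
        if ch in "()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def pair(name, value):
    """A plain name/value pair; null means 'attribute has no value'."""
    if value is None:
        return "(!(%s=*))" % name
    return "(%s=%s)" % (name, escape(value))


def serialize(node):
    """Serialize one JSON object (a dict) into an LDAP filter string.
    Keywords are matched case-insensitively, so 'and' and 'And' both work."""
    parts = []
    for key, val in node.items():
        k = key.lower()
        if k == "and":
            parts.append("(&" + serialize(val) + ")")
        elif k == "or":
            parts.append("(|" + "".join(serialize(x) for x in val) + ")")
        elif k == "not":
            parts.append("(!" + serialize(val) + ")")
        elif k == "nor":
            parts.append("(&" + "".join("(!" + serialize(x) + ")" for x in val) + ")")
        elif k in OIDS:
            (attr, v), = val.items()  # exactly one name/value pair, per the table
            parts.append("(%s:%s:=%s)" % (attr, OIDS[k], escape(v)))
        else:
            parts.append(pair(key, val))
    return "".join(parts)


def serialize_body(body):
    """Entry point for a raw request body string."""
    return serialize(json.loads(body))
```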