LDAP Filters


As discussed in the article "Creating Access Rules," search filters are necessary for defining classifications of users that an Access Rule will apply to.

One type of search filter is a Lightweight Directory Access Protocol (LDAP) Filter, which is used for creating LDAP search queries that can be used within an Active Directory Identity Source.  These search queries can be used to help apply different access rules to different users.

An LDAP Filter is defined by a text string made up of macros and attributes. It is entered in a text field under Who in an Access Rule (Access Rule creation is explained here) after clicking the purple plus button labeled LDAP Filter.

By default, the {{username}} macro will be populated into the LDAP Filter text field, but that can be cleared if necessary.

Some LDAP attributes include:

cn ("common name"), which is the actual name (usually first and last) of a user, such as "John Smith."

uid ("user ID"), which is the username of a user such as "jsmith."

ou ("organizational unit"), which would be the organizational unit where the user's account resides.

dc ("domain component"), which defines your domain name, with each label of the domain listed as a separate component. For example, "clearlogin.com" would be dc=clearlogin,dc=com, since "clearlogin" is the second-level domain and "com" is the top-level domain.

Example strings:

(&(uid={{username}})(cn=John Smith)) would be used for finding all users with the name John Smith.

(&(uid=jsmith)(uid={{username}})) would be used for identifying a single user.

(&(uid={{username}})(memberOf=cn=Admins,ou=TestGroup,dc=clearlogin,dc=com)) would be used to check whether the user is a member of the Admins group, whose entry resides in the TestGroup organizational unit.
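Because the {{username}} macro is replaced with a value that originates from the person logging in, the substitution must escape the characters that carry meaning inside a filter (RFC 4515), or a crafted username can change which entries the filter matches. The following is an added example, not code from the product described above; the function names escape_filter_value, render_filter, render_filter_unsafe and assertion_count are assumptions chosen for illustration.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_MACRO = re.compile(r"\{\{username\}\}")


def escape_filter_value(value: str) -> str:
    """Escape one value so it is treated as literal data inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Replace every {{username}} macro with the escaped username (safe form)."""
    escaped = escape_filter_value(username)
    return _MACRO.sub(lambda _m: escaped, template)


def render_filter_unsafe(template: str, username: str) -> str:
    """Plain substitution with no escaping; shown only to contrast with render_filter."""
    return template.replace("{{username}}", username)


def assertion_count(filter_text: str) -> int:
    """Count unescaped '(' characters, i.e. how many components the filter has."""
    count, i = 0, 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3  # skip a \XX escape sequence
            continue
        if filter_text[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    template = "(&(uid={{username}})(memberOf=cn=Admins,ou=TestGroup,dc=clearlogin,dc=com))"
    print(render_filter(template, "jsmith"))
    # Constructed username containing filter metacharacters: with escaping it stays
    # a single literal value and the filter keeps the same number of components.
    crafted = "jsmith)(uid=*"
    print(render_filter(template, crafted), assertion_count(render_filter(template, crafted)))
    print(render_filter_unsafe(template, crafted), assertion_count(render_filter_unsafe(template, crafted)))
```

Comparing the component counts of the two renderings is a quick way to confirm that a substituted value did not alter the filter's structure.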

For more information on LDAP filters, click here.
