Common LDAP search strings used with the ILST

This article highlights some commonly used <SearchString> filters that you can use when constructing LDAP search queries for the ILST. Although shown individually, you can combine these filters to make more complex queries. 

Select all users in an OU

You cannot select on an OU in an LDAP search filter: the OU is part of an entry's distinguished name, not an attribute of the user object. Instead, scope the query by naming the OU in your <BaseDN>.

Here's an example of identifying the employees OU in the <BaseDN> (the DN is written without spaces around the = and , separators):

<SearchString>(&amp;(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</SearchString>
<BaseDN>OU=employees,OU=Users,DC=company,DC=com</BaseDN>

Select the immediate users of a group

You can sync the immediate users of a group by including a memberOf filter in your <SearchString>. The value must be the group's full distinguished name, not just its name. Users of groups nested under this one will not be returned, and neither will users whose only membership in the group is through their primary group (primaryGroupID), because Active Directory does not list the primary group in memberOf.

Here's an example query that includes a filter for the immediate users of the CaptainPlanet group:

<SearchString>(&amp;(objectclass=user)(mail=*)(memberOf=CN=CaptainPlanet,OU=groupsOU,DC=company,DC=com))</SearchString>

Select the users of a group and all nested groups

You can sync all users of a group, including the users of all nested groups, by adding the LDAP_MATCHING_RULE_IN_CHAIN matching rule OID 1.2.840.113556.1.4.1941 to the memberOf filter in your <SearchString>. This rule is specific to Active Directory, and because the server walks the whole membership chain, the query is noticeably more expensive than a plain memberOf filter on large directories.

Here's an example query that includes a filter for all users of the CustomerExperience group and its nested groups:

<SearchString>(&amp;(objectclass=user)(mail=*)(memberOf:1.2.840.113556.1.4.1941:=CN=CustomerExperience,OU=groupsOU,DC=company,DC=com))</SearchString>

Select users based on attribute values

You can select users based on attribute values by using the attribute name and desired value in your <SearchString>.

Here's an example query that includes a filter for users with a value of Manager in their Title attribute:

<SearchString>(&amp;(objectclass=user)(mail=*)(Title=Manager))</SearchString>

Exclude deactivated users

You can exclude deactivated users by including the userAccountControl filter in your <SearchString>. The matching rule OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests whether the given bits are set in userAccountControl, and bit 2 is ACCOUNTDISABLE; wrapping the test in (!...) keeps only enabled accounts. You should include this filter in all search queries to ensure deactivated users aren't returned.

Here's an example query that includes a filter that excludes deactivated users:

<SearchString>(&amp;(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</SearchString>
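The filters above are usually assembled from values that come from somewhere else (a group DN copied from the directory, a title pulled from an HR system), and an unescaped ( ) * or \ in such a value changes the structure of the filter rather than the value being matched. The following Python is an added example, not code from the ILST documentation or product: it builds the combined <SearchString> for the group, attribute and deactivated-user cases in this article, applies the RFC 4515 escaping that LDAP filter values require, and XML-escapes the result so the leading & becomes &amp; as in the examples above. The function names, the bit_and_matches helper and the sample values are this example's own; the element name, attribute names and OIDs are the ones the article uses.

```python
"""Build ILST-style <SearchString> filters with escaped values.

Added example, not part of the ILST documentation. Element names, attribute
names and matching-rule OIDs come from the article; function names and the
sample inputs in the docstrings are this example's own assumptions.
"""
from typing import Iterable, Optional, Tuple
from xml.sax.saxutils import escape as xml_escape

# Active Directory extended matching rules used by the article's filters.
MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND on an integer attribute
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive (nested) group membership
ACCOUNTDISABLE = 2  # userAccountControl bit for a disabled account

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it cannot close or open filter components.

    ldap_filter_escape("Manager)(objectclass=*") -> r"Manager\\29\\28objectclass=\\2a"
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def bit_and_matches(attribute_value: int, mask: int) -> bool:
    """Mirror LDAP_MATCHING_RULE_BIT_AND: true when every bit in mask is set."""
    return attribute_value & mask == mask


def build_filter(
    group_dn: Optional[str] = None,
    nested: bool = False,
    attributes: Iterable[Tuple[str, str]] = (),
    exclude_disabled: bool = True,
) -> str:
    """Return the raw LDAP filter (before XML escaping).

    The article's base filter (objectclass=user)(mail=*) is always present;
    (mail=*) is a presence test, so its '*' is intentionally not escaped.
    """
    parts = ["(objectclass=user)", "(mail=*)"]
    if group_dn is not None:
        # Nested membership uses the in-chain rule; immediate membership is plain memberOf.
        attr = f"memberOf:{MATCHING_RULE_IN_CHAIN}:" if nested else "memberOf"
        parts.append(f"({attr}={ldap_filter_escape(group_dn)})")
    for name, value in attributes:
        parts.append(f"({name}={ldap_filter_escape(value)})")
    if exclude_disabled:
        # NOT (userAccountControl has ACCOUNTDISABLE set) keeps only enabled accounts.
        parts.append(
            f"(!(userAccountControl:{MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"
        )
    return "(&" + "".join(parts) + ")"


def build_search_string(**kwargs) -> str:
    """Wrap the filter in <SearchString>, XML-escaping '&' to '&amp;'."""
    return f"<SearchString>{xml_escape(build_filter(**kwargs))}</SearchString>"


if __name__ == "__main__":
    # Constructed sample inputs: a group DN and an untrusted title value.
    print(build_search_string(group_dn="CN=CaptainPlanet,OU=groupsOU,DC=company,DC=com"))
    print(build_search_string(attributes=[("Title", "Manager)(objectclass=*")]))
```

Passing the untrusted value Manager)(objectclass=* through build_filter yields (Title=Manager\29\28objectclass=\2a), a filter that still matches only users whose title is literally that string, instead of one that matches every object in the base DN.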