
Administration Guide


LDAP filter syntax

This chapter outlines some basic filter syntax that is used to select users and groups in LDAP User Import, Dynamic LDAP Groups, and Remote User Sync Rules.

Filters are constructed using logical operators:

= Equal to
~= Approximately equal to
<= Lexicographically less than or equal to
>= Lexicographically greater than or equal to
& AND
| OR
! NOT

Filters can consist of multiple elements, such as (&(filter1)(filter2)).

For more information about the query syntax of AD filters, see the following web sites:

Examples

The following examples are for a Windows 2008 AD server with the domain corp.example.com, default domain administrators and users, and an additional group called FW_Admins:

  • Users (CN) = atano, pjfry, tleela, tbother
  • FW_Admins (Security Group) = atano, tbother

An unfiltered browse will return all results from the query, including system and computer accounts. To prevent this and only return user accounts, apply the filter (objectClass=person) or (objectCategory=user).

Even if unfiltered, only user accounts are imported, so this filter is only required to clean up the results that are displayed in the GUI.

To filter and return only members of the security group: (&(objectCategory=user)(memberOf=CN=FW_Admins,DC=corp,DC=example,DC=com)).

It is not possible to use the filter to limit results to CNs or OUs. To achieve this, you must change the Base DN in the LDAP Server configuration. For example, to return only users from the CompanyA OU, create an LDAP Server entry with the following Base DN: OU=CompanyA,DC=corp,DC=example,DC=com.

Caveats

Users do not always have a memberOf property for their primary group. This means that querying system groups, such as Domain Users, may return zero results. This can be confusing because these are often the first queries tried, and it can lead the user to think the filter syntax is incorrect.

For example: (memberOf=CN=Domain Users,CN=Domain Admins,DC=corp,DC=example,DC=com) will return no valid results.

To return all users in such a group, the filter can be made against the ID value of the Primary Group. So, for Domain Users (Group ID = 513), the filter would be: (primaryGroupId=513).
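The following Python script is an added worked example and is not part of this guide or of the FortiGate product. It implements a small RFC 4515 filter parser and evaluator and runs the chapter's filters against a constructed in-memory directory (four users, the FW_Admins group and one computer account), so the behaviour described in the Examples and Caveats sections can be checked offline: the objectCategory filter drops non-user objects, the memberOf filter returns the two group members, a memberOf query for Domain Users returns nothing because no user carries that value for its primary group, and (primaryGroupId=513) returns all users. It also includes an RFC 4515 value-escaping helper, because a group name typed by an operator must not be able to change the shape of the filter it is spliced into. The directory contents, the FW_Admins group location and the helper names are all assumptions of this example.

```python
"""Tiny RFC 4515 LDAP filter parser/evaluator over a constructed in-memory
directory, used to check the chapter's filters offline.
Hypothetical example code; not part of the FortiGate product or this guide."""
import re

BASE_DN = "DC=corp,DC=example,DC=com"
FW_ADMINS_DN = f"CN=FW_Admins,{BASE_DN}"   # assumed location of the group


def _entry(cn, category, classes, member_of=(), primary_gid=None):
    e = {"cn": [cn], "objectCategory": [category], "objectClass": list(classes),
         "memberOf": list(member_of)}
    if primary_gid is not None:
        e["primaryGroupId"] = [str(primary_gid)]
    return e


# Constructed directory mirroring the chapter's example. As on a real AD, no
# user carries a memberOf value for its primary group (Domain Users, RID 513).
DIRECTORY = [
    _entry("atano",     "user",     ["top", "person", "user"], [FW_ADMINS_DN], 513),
    _entry("pjfry",     "user",     ["top", "person", "user"], [], 513),
    _entry("tleela",    "user",     ["top", "person", "user"], [], 513),
    _entry("tbother",   "user",     ["top", "person", "user"], [FW_ADMINS_DN], 513),
    _entry("WS01$",     "computer", ["top", "computer"], [], 515),
    _entry("FW_Admins", "group",    ["top", "group"]),
]

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(~=|<=|>=|=)([^)]*)\)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter, so that input such
    as '*' or 'x)(objectClass=*' stays a literal string."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(s: str, i: int = 0):
    """Return (node, next_index) for the filter that starts at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    op = s[i + 1] if i + 1 < len(s) else ""
    if op in ("&", "|"):                       # filter list
        i += 2
        subs = []
        while i < len(s) and s[i] == "(":
            node, i = parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")" or not subs:
            raise ValueError(f"bad filter list at {i}")
        return (op, subs), i + 1
    if op == "!":                              # negation of one filter
        node, i = parse(s, i + 2)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return ("!", [node]), i + 1
    m = _ITEM.match(s, i + 1)                  # attr <op> value
    if not m:
        raise ValueError(f"bad filter item at {i}")
    attr, cmp_, raw = m.groups()
    return ("item", attr, cmp_, raw), m.end()


def _key(v: str):
    """Compare integers numerically, everything else case-insensitively."""
    try:
        return (0, int(v))
    except ValueError:
        return (1, v.lower())


def matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, cmp_, raw = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if cmp_ == "=" and "*" in raw:             # presence / substring match
        pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    target = _key(_unescape(raw))
    if cmp_ in ("=", "~="):                    # '~=' treated as plain equality here
        return any(_key(v) == target for v in values)
    if cmp_ == "<=":
        return any(_key(v) <= target for v in values)
    return any(_key(v) >= target for v in values)


def search(filter_str: str, directory=DIRECTORY):
    """Return the sorted CNs of all entries matching the filter."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted(e["cn"][0] for e in directory if matches(node, e))


def member_of_filter(group_cn: str) -> str:
    """Build the chapter's group filter from an operator-supplied group name."""
    return f"(&(objectCategory=user)(memberOf=CN={escape_filter_value(group_cn)},{BASE_DN}))"


if __name__ == "__main__":
    for f in ["(objectCategory=user)", member_of_filter("FW_Admins"),
              f"(memberOf=CN=Domain Users,CN=Users,{BASE_DN})", "(primaryGroupId=513)"]:
        print(f, "->", search(f))
```

The evaluator deliberately simplifies two things a real server does differently: `~=` is an approximate (server-defined) match on AD, and ordering matches use the attribute's syntax rather than the integer-then-string rule above. The injection check in `member_of_filter` is the part worth carrying into production code: with escaping, a group name of `*` yields `memberOf=CN=\2a,...` and matches nothing, whereas splicing the raw `*` into the filter would turn it into a presence match across every group under the base DN.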
