Links:

LDAP basics

https://technet.microsoft.com/zh-tw/library/dd159860.aspx

LDAP query syntax

https://www.google.com/support/enterprise/static/postini/docs/admin/en/dss_admin/prep_ldap.html

LDAP Queries

The directory sync utility uses the LDAP query language to gather information from your directory server. The LDAP query language is a flexible standard that supports complex and powerful logical queries.

To build your LDAP queries, you will need to know your LDAP structure. The best way to collect directory server information is with an LDAP browser. For more information, see Useful LDAP Tools.

Google Apps Directory Sync strictly adheres to RFC 2254, which defines international standards on LDAP filters.

Most of the search rules in the directory sync utility use LDAP queries for information. The only exception is Exception Rules, which match substrings or regular expressions against the text of email addresses rather than LDAP fields.

Note: The support team cannot write LDAP queries for your environment or debug your LDAP queries. While this document lists the most common queries, every directory server is different, and many store information in different fields or formats. To develop these queries, consult standard LDAP documentation and review your LDAP structure with an LDAP browser.

Syntax

The following syntax is used in LDAP filters:

Name of Operator    Character    Use
Equals              =            Creates a filter which requires a field to have a given value.
Any                 *            Wildcard to represent that a field can equal anything except NULL.
Parentheses         ()           Separates filters to allow other logical operators to function.
And                 &            Joins filters together. All conditions in the series must be true.
Or                  |            Joins filters together. At least one condition in the series must be true.
Not                 !            Excludes all objects that match the filter.

For examples of how these operators are used, see the common LDAP queries below.

Common LDAP Queries

The examples below show the most common LDAP queries; they are designed to work with most directory server environments.

All objects (this may cause load problems):

objectclass=*

All user objects that are designated as a “person”

(&(objectclass=user)(objectcategory=person))

Distribution Lists only

(objectcategory=group)

Public Folders only

(objectcategory=publicfolder)

All user objects except for ones with primary email addresses that begin with test

(&(&(objectclass=user)(objectcategory=person))(!(mail=test*)))

All user objects except for ones with primary email addresses that end with test

(&(&(objectclass=user)(objectcategory=person))(!(mail=*test)))

All user objects except for ones with primary email addresses that contain the word “test”

(&(&(objectclass=user)(objectcategory=person))(!(mail=*test*)))

All user objects (users and aliases) that are designated as a “person” and all group objects (distribution lists)

(|(&(objectclass=user)(objectcategory=person))(objectcategory=group))

All user objects that are designated as a “person”, all group objects and all contacts, except those with any value defined for extensionAttribute9:

(&(|(|(&(objectclass=user)(objectcategory=person))(objectcategory=group))(objectclass=contact))(!(extensionAttribute9=*)))

All users, but exclude disabled users:

(&(&(objectclass=user)(objectcategory=person))(!(userAccountControl=514)))

Active Directory LDAP: All users

(objectClass=person)

Active Directory LDAP: All email users (alternate)

(&(objectclass=user)(objectcategory=person))

OpenLDAP: All users

(objectClass=inetOrgPerson)

Lotus Domino LDAP: All users

(objectClass=dominoPerson)

Lotus Domino LDAP: All objects with a mail address defined that are designated as a “person” or “group”:

(&(|(objectclass=dominoPerson)(objectclass=dominoGroup)(objectclass=dominoServerMailInDatabase))(mail=*))
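To make the operator table and the common queries above concrete, here is an added example (not code from the original page or from Google Apps Directory Sync) that parses RFC 2254 filters with the operators the Syntax section lists (=, *, (), &, |, !) and evaluates them against a handful of constructed directory entries. It also includes the RFC 2254 escaping rule for values that contain filter syntax characters, which the page's grammar presupposes but does not spell out. The entries, their attribute values and the case-insensitive comparison are assumptions made for the demonstration; real Active Directory stores a DN in objectCategory, while the short form the page's filters use is accepted by AD and is what this model checks against.

```python
import re

# RFC 2254 section 4: these characters are filter syntax and must be written as a
# backslash plus two hex digits when they occur inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a literal attribute value before splicing it into a filter string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value: str) -> str:
    """Turn \\xx escape sequences back into the characters they stand for."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text: str):
    """Parse a filter into nested tuples: ("and", [...]), ("or", [...]), ("not", x),
    ("present", attr) for attr=*, and ("eq", attr, value) for everything else."""
    text = text.strip()
    if not text.startswith("("):          # tolerate a bare "attr=value", as in objectclass=*
        text = f"({text})"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected trailing text at offset {pos}: {text[pos:]!r}")
    return node

def _parse(text: str, pos: int):
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":                        # And / Or: a series of parenthesised sub-filters
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = ("and" if op == "&" else "or", children)
    elif op == "!":                       # Not: exactly one sub-filter
        child, pos = _parse(text, pos + 1)
        node = ("not", child)
    else:                                 # Equals: attr=value, value may contain * wildcards
        end = text.index(")", pos)        # a properly escaped value never contains a literal ")"
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z][\w.;-]*", attr):
            raise ValueError(f"malformed filter item {text[pos:end]!r}")
        attr = attr.lower()               # LDAP attribute names are case-insensitive
        node = ("present", attr) if value == "*" else ("eq", attr, value)
        pos = end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def _value_matches(pattern: str, value: str) -> bool:
    """Match one filter value (with * wildcards and \\xx escapes) against one stored value."""
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    # Assumption: string values compare case-insensitively, as AD's common attributes do.
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (lowercase attr -> list of values)."""
    kind = node[0]
    if kind == "and":
        return all(matches(child, entry) for child in node[1])
    if kind == "or":
        return any(matches(child, entry) for child in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)               # "*" matches anything except an absent (NULL) attribute
    return any(_value_matches(node[2], v) for v in values)

def entry(dn: str, **attrs):
    """Build a sample entry: attribute names lowercased, every value stored as a list."""
    e = {"dn": [dn]}
    for name, val in attrs.items():
        e[name.lower()] = [val] if isinstance(val, str) else list(val)
    return e

# Constructed sample entries standing in for a directory server (not real data).
ENTRIES = [
    entry("cn=alice,ou=users,dc=example,dc=com", objectClass=["top", "person", "user"],
          objectCategory="person", mail="alice@example.com", userAccountControl="512"),
    entry("cn=bob,ou=users,dc=example,dc=com", objectClass=["top", "person", "user"],
          objectCategory="person", mail="test.bob@example.com", userAccountControl="514"),
    entry("cn=sales,ou=groups,dc=example,dc=com", objectClass=["top", "group"],
          objectCategory="group", mail="sales@example.com"),
    entry("cn=vendor,ou=contacts,dc=example,dc=com", objectClass=["top", "contact"],
          objectCategory="person", mail="vendor@partner.example", extensionAttribute9="legacy"),
]

def search(filter_text: str, entries=ENTRIES):
    """Return the DNs of the entries that match the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(node, e)]

if __name__ == "__main__":
    for f in ("objectclass=*",
              "(&(&(objectclass=user)(objectcategory=person))(!(mail=test*)))",
              "(&(&(objectclass=user)(objectcategory=person))(!(userAccountControl=514)))"):
        print(f, "->", search(f))
    print(escape_filter_value("Smith (Sales)"))
```

Running the page's "all users, but exclude disabled users" filter against these entries returns only alice, because the test is an exact equality on userAccountControl: it excludes entries whose value is precisely 514 and nothing else, which is what the filter as written expresses. The escaping helper shows why parentheses and asterisks inside a value must be encoded: `(cn=Smith (Sales))` is rejected as malformed, while `(cn=Smith \28Sales\29)` parses to a single equality test on the literal name.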