Use LDAP search rules to synchronize data

Operator	Character	Use
Equals	=	Creates a filter that requires a field to have a given value.
Any	*	Represents a field that can equal anything except NULL.
Parentheses	( )	Separates filters to allow other logical operators to function.
And	&	Joins filters together. All conditions in the series must be true.
Or	|	Joins filters together. At least one condition in the series must be true.
Not	!	Excludes all objects that match the filter.

 

You can create any custom LDAP search query as long as it complies with RFC 2254

The example shows how to add a user search rule. You can apply the steps to any type of search rule.

1. In Configuration Manager go to User Accounts > Search Rules.
2. Click Add Search Rule.
3. Select the Scope of the search rule. From the drop-down menu, select one of the following:
   • Sub-tree: The rule applies to all objects matched by the search and anything under those objects.
   • One-level: The rule applies to all objects matched by the search, and anything one level underneath.
   • Object: The rule only applies to objects directly matched by the search. The object scope is rarely used, due to load issues.
4. Enter the user search rule. For example, to match all LDAP entities, enter objectClass=*
5. (Optional) Select the Base DN.
6. Click OK.

Returns all objects, which can cause load problems:
objectClass=*

Returns all user objects that are designated “person”:
(&(objectClass=user)(objectCategory=person))

Returns only mailing lists:
(objectCategory=group)

Returns only public folders:
(objectCategory=publicfolder)

Returns all user objects except those with primary email addresses that begin with “test”:
(&(&(objectClass=user)(objectCategory=person))(!(mail=test*)))

Returns all user objects except those with primary email addresses that end with “test”:
(&(&(objectClass=user)(objectCategory=person))(!(mail=*test)))

Returns all user objects except those with primary email addresses that contain the word “test” :
(&(&(objectClass=user)(objectCategory=person))(!(mail=*test*)))

Returns all user and alias objects that are designated “person” and part of a group or distribution list:
(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))

Returns all user objects that are designated as a “person”, all group objects, and all contacts but excludes those with any value defined as "extensionAttribute9":
(&(|(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))(objectClass=contact))(!(extensionAttribute9=*)))

Returns all users who are members of the group identified by the DN “CN=Group,OU=Users,DC=Domain,DC=com”:
(&(objectClass=user)(objectCategory=person)(memberof=CN=Group,CN=Users,DC=Domain,DC=com)) 

Returns all users:

• For a Microsoft^® Active Directory^® LDAP server: (&(objectCategory=person)(objectClass=user))
• For a OpenLDAP™ server: (objectClass=inetOrgPerson)
• For an IBM^® Notes^® Domino LDAP server: (objectClass=dominoPerson)

Searches a IBM Notes Domino LDAP for all objects with the mail address designated as a “person" or “group”:
(&(|(objectClass=dominoPerson)(objectClass=dominoGroup)(objectClass=dominoServerMailInDatabase))(mail=*))

Active Directory: Return all active (not disabled) users that have email addresses:
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Returns all users who are members of either Group_1 or Group_2 as defined by the Group DN.
(&(objectClass=user)(objectCategory=person)(|(memberof=CN=Group_1,cn=Users,DC=Domain,DC=com)(memberof=CN=Group_2,cn=Users,DC=Domain,DC=com)))

Returns all users who have the extensionAttribute1 value of “Engineering” or “Sales”
(&(objectCategory=user)(|(extensionAttribute1=Engineering)(extensionAttribute1=Sales)))