Connect to the Purdue Home Page

Purdue University

Identity and Access Management

I2A2 LDAP Filters

LDAP filters define or augment the criteria for locating an entity in a directory. I2A2 LDAP supports LDAP filters.

A new Characteristic Expression (chx) filter attribute, defined in the I2A2 Schema, allows I2A2 authorization characteristic Boolean expressions to be represented in filters.

These attributes (with examples) can be used in I2A2 LDAP filters.

Characteristic Boolean expression: (chx=1234&8765)
Common name: cn=alfred e newman
Given name: givenName=alfred
PUID: puid=10284869
Surname: sn=newman
UserID: uid=foobar


The I2A2 LDAP Attributes are described here.

Using Characteristic Expression Filters When the chx attribute is used to supply an I2A2 authorization characteristic Boolean expression to the I2A2 authorizer DBM (ou=authorize), there are three basic rules that should be followed to achieve satisfactory results.

  • The PUID to be tested must be supplied in the RDN or in a filter component.

  • There should be only one chx filter component. Use the Boolean expression operators to form a complex expression instead of using the LDAP filter operators.

  • A chv result will be returned only if the full filter expression evaluates to TRUE (1). If only a chx component is specified and it evaluates to FALSE (0), no chv result will be returned, because the full filter value is FALSE. The easiest circumvention is to identify the PUID in a puid or uid filter component that is or'd with a chx component.

Here's a complete example that uses a puid filter component to make sure the chv result of the chx filter component is returned.

DN: puid=10284869,ou=authorize,dc=purdue,dc=edu
Filter: (|(puid=10284869)(chx=1234&8765))

Characteristic Expression Filter Return Value When a characteristic expression filter is specified and I2A2 LDAP finds the requested PUID, the characteristic expression's value will be returned in a chv attribute, provided the overall value of the full filter expression is TRUE (1).

If the characteristic expression filter component evaluates to FALSE, but some other filter component causes the full filter expression to evaluate TRUE, then the attributes of the specified PUID, including the FALSE value of the characteristic expression filter component, will be returned. Here's an example:

DN: puid=10284869,ou=authorize,dc=purdue,dc=edu
Filter: (|(puid=10284869)(chx=1234&8765))

Provided PUID 10284869 is known to the authorizer DBM, and even though the chx filter expression evaluates to FALSE, this chv attribute will be returned:


Other attributes will be returned as appropriate -- e.g., alias, common name, PUID, etc.

Filter Errors Following these basic filter construction rules is important to avoiding filter errors.

  • If you're searching by name, use the cn attribute.
  • A filter must be enclosed in parentheses and the parentheses in a filter must balance.
  • If a PUID is given in a filter, its check digit must be correct. (See Luhn Check Digit.)

When either of these rules is violated the most likely I2A2 LDAP protocol converter response will be "no search criteria. That response is given because the protocol converter's parsing of the filter didn't yield any keys that could be supplied in a DBM lookup request.

If your filter yields unexpected results, please send the filter in e-mail exactly as you supplied it to the I2A2 LDAP protocol converter.

Feedback | Contact Purdue
Maintained by: IAMO Team

Purdue University, West Lafayette, IN 47907, (765) 494-4600
© 2010 - 2013 Purdue University | An equal access/equal opportunity university | Copyright Complaints
If you have trouble accessing this page because of a disability, please contact the CSC at or (765) 494-4000.