The simplest Lightweight Directory Access Protocol (LDAP) filter is (attributeName operator value)—for example, (cn=John Calvin). In addition to the equals (=) operator, you can use the greater than or equal to value (>=) operator and the less than or equal to value (<=) operator. You can use the wildcard character, an asterisk (*), for wildcard comparisons such as (cn=John*) or (cn=*amy*). For example, (telephoneNumber=*) returns all objects where the telephoneNumber attribute has been set.
What if you need to build a filter that looks at more than one attribute (e.g., you want to return all user objects with a surname of Smith)? To build such a filter, you need to create two simple filters, (sn=Smith)(objectClass=user), and enclose them with the LDAP Boolean operator and, which is (&conditionList), where conditionList is two or more conditions, each surrounded by parenthesis. For our surname example, you’d specify (&(sn=Smith)(objectClass=user)).
You can specify or conditions with the LDAP Boolean or operator, which is (|conditionList). For example, if you want to find all objects where displayName begins with Smi* or John*, you’d specify (|(displayName=Smi*)(displayName=John*)). To specify the not operator, use (!condition). Notice that LDAP’s not operator is unary (i.e., it takes just one argument); however you can specify multiple conditions with nested parenthesis. For example, (!(|(displayName=Smi*)(displayName=John*))) returns all records except for those where the surname begins with Smi* or John*.