ldap filter to search for multiple values for an attribute

Question

In AD, I have multi valued attribute "departmentNumber" which may store multiple values like "dept1" and "dept2".

I am looking for ldap filter which should retrieve the users who has more than 1 departmentnumber.

I looked at other threads but that doesn't seems to work.

Any help is appreciated.

Answer 1

LDAP doesn't have filter to match attribute with multiple values, only a filter to match entries with a specific attribute present (or not) at least once.

I solved a similar issue extracting the attribute from all entries where it was present ((departmentNumber=*)) then searching them for multiple values (in the form of dept1|dept2).

Answer 2

The server will return each of the values of a multi-valued attribute for each entry which matches the search parameters (assuming the authorization state of the connection permits). The search response will be a list of objects which match the search parameters, and with each object all be a list of attributes (name and value pairs) which is specified in the requested attributes parameter of the search request. All values of a multi-valued attribute will be included in the search result.

If the client desires dept1 and dept2, then include those as assertions in the filter, for example:

(&(departmentNumber=dept1)(departmentNumber=dept2)(objectClass=whatever..))

demonstration

Given the follow entries from which only cn and departmentNumber are shown:

$ ldapsearch --baseDN 'ou=people,c=us' --searchScope one '(&)' cn departmentNumber

dn: cn=user.1,ou=People,C=us
cn: user.1
departmentNumber: dept1
departmentNumber: dept2

dn: cn=user.2,ou=People,C=us
cn: user.2
departmentNumber: dept2

Note that the search response included both entries, and both values of departmentNumber for cn=user.1,ou=people,c=us.