Searching with LDAP Filters

Loom provides a built-in search feature that lets you find entries anywhere in your directory using LDAP filter syntax.

Quick Start

Open Search

Press F9 or / to focus the search input at the bottom of the screen.

Enter Filter

Type an LDAP filter using standard syntax:

(objectClass=person)

Execute Search

Press Enter to execute the search.Results appear in a popup overlay showing all matching entries.

Navigate to Entry

Use j/k or arrow keys to select a result, then press Enter to jump to that entry in the tree.

Searches are performed starting from your configured base DN and include all subtree entries.

LDAP Filter Syntax

LDAP filters use a prefix notation with parentheses. Here’s the basic syntax:

Simple Filters

Equality
Presence
Substring
Comparison

Match an exact attribute value:

(cn=Alice)

Finds entries where cn equals “Alice”.

Check if an attribute exists:

(mail=*)

Finds entries that have a mail attribute (any value).

Match part of a value:

(cn=Alice*)

Finds entries where cn starts with “Alice”.Wildcard positions:

(cn=Alice*) - Starts with “Alice”
(cn=*Smith) - Ends with “Smith”
(cn=*Alice*) - Contains “Alice”
(cn=*Alice*Smith*) - Multiple wildcards

Greater than or less than:

(uidNumber>=1000)

Finds entries where uidNumber is 1000 or greater.Operators:

>= - Greater than or equal
<= - Less than or equal

Comparison operators work with numeric and string attributes, but behavior depends on the attribute’s syntax defined in the schema.

Compound Filters

Combine multiple conditions with logical operators:

AND (&)
OR (|)
NOT (!)

All conditions must be true:

(&(objectClass=inetOrgPerson)(mail=*@example.com))

Finds entries that are both inetOrgPerson and have an email at example.com.Multiple conditions:

(&(objectClass=person)(cn=Alice*)(ou=engineering))

Any condition can be true:

(|(cn=Alice)(cn=Bob))

Finds entries where cn is “Alice” or “Bob”.Multiple conditions:

(|(department=sales)(department=marketing)(department=support))

Negates a condition:

(!(objectClass=organizationalUnit))

Finds entries that are not organizational units.Combined with AND:

(&(objectClass=person)(!(mail=*)))

Finds people without an email address.

Nested Filters

Combine operators for complex queries:

(&(objectClass=person)(|(department=engineering)(department=qa))(!(disabled=TRUE)))

This finds:

Entries that are persons AND
In engineering OR QA AND
Not disabled

Nested filters can be hard to read. Break complex queries into smaller tests, then combine them once you’ve verified each part works.

Common Search Examples

Find all people

(objectClass=person)

Or more specifically:

(objectClass=inetOrgPerson)

Find users by name

Exact match:

(cn=Alice Smith)

Starts with:

(cn=Alice*)

Contains:

(cn=*Smith*)

Find users by email domain

(mail=*@example.com)

Multiple domains:

(|(mail=*@example.com)(mail=*@example.org))

Find groups

(objectClass=groupOfNames)

Or for POSIX groups:

(objectClass=posixGroup)

Find group members

User is member of a group:

(memberOf=cn=admins,ou=groups,dc=example,dc=com)

Group contains a user:

(member=uid=alice,ou=users,dc=example,dc=com)

Find organizational units

(objectClass=organizationalUnit)

By name:

(&(objectClass=organizationalUnit)(ou=engineering))

Find entries with specific attributes

Has phone number:

(telephoneNumber=*)

Missing email:

(&(objectClass=person)(!(mail=*)))

Find POSIX accounts in UID range

(&(objectClass=posixAccount)(uidNumber>=1000)(uidNumber<=2000))

Find recently modified entries

(modifyTimestamp>=20240101000000Z)

Timestamp format is YYYYMMDDHHMMSSz. Requires the server to maintain modifyTimestamp operational attribute.

Find all entries

(objectClass=*)

This returns every entry under the base DN. Use with caution on large directories.

Search Results Interface

When search results appear, you’ll see a popup with:

┌─ Search: (objectClass=person) (42 results) ─────────┐
│                                                      │
│  cn=Alice Smith,ou=users,dc=example,dc=com          │
│  cn=Bob Jones,ou=users,dc=example,dc=com            │
│  cn=Carol White,ou=users,dc=example,dc=com          │
│  ...                                                 │
│                                                      │
│  ↑/↓:navigate  Enter:go to entry  e:edit filter  q:close
└──────────────────────────────────────────────────────┘

Key	Action
`j` / `k` / `↓` / `↑`	Navigate results
`PageDown` / `PageUp`	Jump 10 results
`Home` / `End`	Jump to first/last result
`Enter`	Go to selected entry in tree
`e`	Edit filter and search again
`Esc` / `q`	Close results

Press Enter on a result to jump to that entry in the tree panel. The tree will automatically expand to show the entry’s location.

Search Scope

Base DN

Searches start from your configured base DN and include all subtree entries:

base_dn = "dc=example,dc=com"

Finds entries under dc=example,dc=com and all children.

To search a specific subtree, you can temporarily change your base DN in the connection dialog or create a dedicated profile.

Attribute Selection

By default, searches return all user attributes. Some operational attributes (like createTimestamp, modifyTimestamp) may require explicit request.

The search results popup shows DNs only. Select an entry to view full attributes in the detail panel.

Performance Tips

Use specific filters

Narrow your search with specific object classes:Slower:

(cn=Alice*)

Faster:

(&(objectClass=person)(cn=Alice*))

Adding objectClass helps the server use indexes.

Avoid leading wildcards

Leading wildcards prevent index usage:Slower:

(cn=*Smith)

Faster:

(cn=Smith*)

If you must search for endings, consider using substring searches sparingly.

Use indexed attributes

Search on attributes that are indexed by the server:Common indexed attributes:

cn (common name)
uid (user ID)
mail (email)
objectClass

Check with your LDAP administrator which attributes are indexed.

Limit search scope

For large directories, use a more specific base DN:Instead of:

base_dn = "dc=example,dc=com"

Use:

base_dn = "ou=users,dc=example,dc=com"

Active Directory Specific

Common AD Filters

Users
Computers
Groups
Enabled accounts

(&(objectCategory=person)(objectClass=user))

Active Directory uses objectCategory for better performance.

(objectClass=computer)

(objectClass=group)

(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Uses bitwise AND filter to check if account is enabled.

AD Attribute Names

Active Directory uses different attribute names:

Standard LDAP	Active Directory
`uid`	`sAMAccountName`
`mail`	`mail` (same)
`cn`	`cn` (same)
`member`	`member` (same)
`memberOf`	`memberOf` (same)

Example:

(sAMAccountName=alice)

Troubleshooting

No results found

If your search returns no results:

Verify your filter syntax is correct (balanced parentheses)
Check that attribute names are spelled correctly
Ensure the base DN includes the entries you’re looking for
Test with a simple filter like (objectClass=*) to verify connectivity

Search timeout

If searches timeout:

Narrow your filter to reduce the number of matches
Increase timeout_secs in your connection profile
Check server load and network latency
Consider if the filter can use indexes better

Invalid filter error

Common syntax errors:

Missing parentheses: cn=Alice → (cn=Alice)
Unbalanced parens: (&(cn=Alice)(mail=*)) ✓
Wrong operator: Use & not &&, | not ||
Escaping: Use backslash for special chars: (cn=user\(test\))

Incomplete results

If you expected more results:

Check your base DN scope
Verify you have permission to see those entries
Some servers limit result size (check page_size)
Try a more general filter to test

Special Characters

Escape these characters in filter values:

Character	Escape Sequence
`*`	`\2a`
`(`	`\28`
`)`	`\29`
`\`	`\5c`
NUL	`\00`

Example:

(cn=user\28test\29)

Searches for cn value “user(test)”.

For wildcards in substring searches, use literal * without escaping.

Next Steps

Editing Entries

Modify search results or create new entries

Browsing

Navigate the directory tree

Schema Viewer

View object classes and attribute types

Export

Export search results to files

Get Started

User Guide

Features

Quick Start

LDAP Filter Syntax

Simple Filters

Compound Filters

Nested Filters

Common Search Examples

Search Results Interface

Results Navigation

Search Scope

Base DN

Attribute Selection

Performance Tips

Active Directory Specific

Common AD Filters

AD Attribute Names

Troubleshooting

Special Characters

Next Steps

Editing Entries

Browsing

Schema Viewer

Export

Build docs developers (and LLMs) love

Get Started

User Guide

Features

​Quick Start

​LDAP Filter Syntax

​Simple Filters

​Compound Filters

​Nested Filters

​Common Search Examples

​Search Results Interface

​Results Navigation

​Search Scope

​Base DN

​Attribute Selection

​Performance Tips

​Active Directory Specific

​Common AD Filters

​AD Attribute Names

​Troubleshooting

​Special Characters

​Next Steps

Editing Entries

Browsing

Schema Viewer

Export

Build docs developers (and LLMs) love

Quick Start

LDAP Filter Syntax

Simple Filters

Compound Filters

Nested Filters

Common Search Examples

Search Results Interface

Results Navigation

Search Scope

Base DN

Attribute Selection

Performance Tips

Active Directory Specific

Common AD Filters

AD Attribute Names

Troubleshooting

Special Characters

Next Steps