LDAP query prettifier

For some reason I have spent a lot of time looking at LDAP queries in the last few weeks. The simple queries are easy to "decode" but for the more complex ones you really need to format them properly to follow the flow. I wrote a little PowerShell script to do that, and I don't mind admitting that it was a little harder than I expected. Here is the code; save it as Prettify-LDAP.ps1 and it's ready for use.

param (

$tabLevel = 0
$formatted = [string]::Empty

# remove whitespace, convert to array, process each character
($ldapquery -replace "[\s\n]", '').ToCharArray() | ForEach-Object {
    if ($_ -eq '(') 
        $formatted += "`n$("  " * $tabLevel)("
    } elseif ($_ -eq ')') {
        $formatted += "$("  " * $tabLevel))`n" 
    } else {
        $formatted += $_

# remove extra empty lines after ending bracket, 
# then remove spaces before ending bracket IF there is non-whitespace before it
($formatted -replace '\)\n\n', ")`n") -replace "(\S)[ ]+\)", '$1)' -split "`n" 

It takes the LDAP query as a mandatory string argument. Next, whitespace is stripped because the script needs to insert its own.  To work with individual characters, I find it handy to convert the input string to an array of characters, and push those into the pipeline. For the output format each opening bracket starts on a new line, with its closing bracket lining up. To keep track of the indentation level the counter $tabLevel is used. As a final step, superfluous whitespace is stripped again. The regular expressions do look a bit like line noise, but I find them really handy for this sort of text manipulation.

On to an example. This one is unsurprisingly related to Exchange Server:

.\Prettify-LDAP -ldapquery "(&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) )))(objectCategory=user)(department=IT)(physicalDeliveryOfficeName=Amsterdam)))"

The output:


Much better, isn't it? Almost comprehensible, even.

Comments (3)
  1. Nice work! 2 or 3 weeks ago I was given an LDAP filter that was 9 lines long! 🙁 (Don’t ask). To be able to understand it I had to prettify it first. This script would have helped with that. I just tried it on that filter and it gave me the exact same result I had. “Look John, it just works!” 😉

  2. BrianYx2 says:

    Just use Joeware’s adfind.exe with the -stats+only switch and it will break out the LDAP filter into how it is processed.

Comments are closed.

Skip to main content