Directory Services

Deciding What to Find

Before you search a directory, consider what data to search for. The data and properties to be returned affect where you bind to start a search, the depth of your search, your query filter, and search performance.

For example, if you search for all user objects with the surname Smith, first decide where to search: a specific container or organizational unit (OU) within a domain, a specific domain, a specific domain tree, or the entire forest. If you search for objects within a specific container or domain, the query performs better when you bind directly to that container or domain instead of performing a subtree search on a domain tree.

Next, if you want to verify the existence of, or retrieve the properties of, a particular object whose distinguished name (DN) you already know, perform a base search, which searches only the object you have bound to. If you know an object is a direct descendant of a particular container, bind to that container and do a one-level search (attributeSchema and classSchema objects in the schema container and extended-right objects in the extended-rights container are good examples). If you do not know exactly where the object is, or if you want to search the object you have bound to and all the child objects below it in the directory hierarchy, perform a subtree search.

Finally, if you look for a specific class of object, the query filter should have expressions that evaluate properties that are defined for that class. In addition, specify the objectCategory of the class of object you want to find as one of the expressions. Use objectCategory instead of objectClass because objectCategory is indexed, and indexed attributes can increase the performance of the search. For example, to search for group objects, include the expression (objectCategory=group) in the filter. To search for user objects, specify (&(objectClass=user)(objectCategory=person)). Both expressions are needed: the computer class derives from the user class, so (objectClass=user) alone would return both users and computers, and both contact and user objects have an objectCategory of person, so (objectCategory=person) alone would return both users and contacts. For more information, see "Object Class and Object Category" and "Indexed Attributes".
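The following is an added example, not code from the original page: a small in-memory model of the three search scopes and of the user, contact and computer filter overlap described above. The directory entries, the DC=example,DC=com names and the helper functions parse, in_scope and search are all constructed for illustration, and the filter evaluator handles only equality tests combined with &, | and !.

```python
# Constructed sample directory (DN -> attributes); not real data. In AD the stored
# objectCategory is a schema DN; filters accept the short name used here.
ROOT = "DC=example,DC=com"
OU = "OU=Sales," + ROOT
PERSON = ["top", "person", "organizationalPerson"]
DIRECTORY = {
    ROOT: {"objectClass": ["top", "domainDNS"], "objectCategory": "domainDNS"},
    OU: {"objectClass": ["top", "organizationalUnit"], "objectCategory": "organizationalUnit"},
    "CN=Staff," + ROOT: {"objectClass": ["top", "group"], "objectCategory": "group"},
    "CN=Jo Smith," + OU: {"objectClass": PERSON + ["user"], "objectCategory": "person", "sn": "Smith"},
    "CN=Al Smith," + OU: {"objectClass": PERSON + ["contact"], "objectCategory": "person", "sn": "Smith"},
    "CN=PC01," + OU: {"objectClass": PERSON + ["user", "computer"], "objectCategory": "computer"},
}

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (predicate, next index)."""
    op = f[i + 1]
    if op in "&|!":
        subs, i = [], i + 2
        while f[i] == "(":
            sub, i = parse(f, i)
            subs.append(sub)
        if op == "!":
            return (lambda e: not subs[0](e)), i + 1
        combine = all if op == "&" else any
        return (lambda e: combine(p(e) for p in subs)), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    def match(e):
        held = e.get(attr, [])
        held = held if isinstance(held, list) else [held]
        return value.lower() in (v.lower() for v in held)
    return match, end + 1

def in_scope(dn, base, scope):
    """base: the bound object only; onelevel: direct children; subtree: base and all descendants."""
    if dn == base:
        return scope in ("base", "subtree")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "subtree" or dn.split(",", 1)[1] == base

def search(base, scope, ldap_filter):
    """Return the sorted RDNs of entries within scope of base that match the filter."""
    match, _ = parse(ldap_filter)
    return sorted(dn.split(",")[0] for dn, e in DIRECTORY.items()
                  if in_scope(dn, base, scope) and match(e))

if __name__ == "__main__":
    for flt in ("(objectClass=user)", "(objectCategory=person)",
                "(&(objectClass=user)(objectCategory=person))"):
        print(flt, "->", search(OU, "subtree", flt))
```

Run against the Sales OU, the first filter also returns the computer, the second also returns the contact, and only the combined filter returns the user alone.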