Platform SDK: Active Directory, ADSI, and Directory Services
Before you search the directory, you need to consider what you want to find. It sounds trivial, but what you want to find and what properties you want to return affect where you bind to start your search, the depth of your search, your query filter, and search performance.
For example, if you are searching for all user objects with surname Smith, you need to first decide where you want to search: a specific container or OU within a domain, a specific domain, a specific domain tree, or the entire forest. If you are looking for objects within a specific container or domain, you will get better performance by binding directly to that container or domain—instead of performing a subtree search on a domain tree.
Next, if you are checking for the existence of, or retrieving the properties of a particular object that has a distinguished name (DN) you already know, you should do a base search, which searches only the object you have bound to. If you know an object is a direct descendant of a particular container, bind to that container and do a one-level search (attributeSchema and classSchema objects in the schema container and extended-right objects in the extended-rights container are good examples). If you don't know exactly where the object is, or if you want to search the object you've bound to and all the child objects below it in the directory hierarchy, do a subtree search.
Finally, if you are looking for a specific class of object, the query filter should have expressions that evaluate properties that are defined for that class. In addition, you should specify the objectCategory of the class of object you want to find as one of the expressions. You should use objectCategory instead of objectClass because objectCategory is indexed. Indexed attributes can increase the performance of the search. For example, to search for group objects, include the expression (objectCategory=group) in the filter. To search for user objects, you need to specify (&(objectClass=user)(objectCategory=person)), for two reasons. The computer class derives from the user class, so (objectClass=user) would return both users and computers. Both contact and user objects have an objectCategory of person, so (objectCategory=person) would return both users and contacts. For more information, see Object Class and Object Category and Indexed Attributes.