Why not always use (objectClass=*) in the LDAP search filter?
I created the following filter to search for users in Active Directory:
(&(objectClass=*)(|(sAMAccountName=u)(userPrincipalName=u)))
It is possible to create a more qualified filter:
(&(objectClass=person)(|(sAMAccountName=u)(userPrincipalName=u)))
The question is why?
What are the benefits of using the specific class person?
Is it possible that the same directory contains an object whose objectClass is not person but for which the following is true: (|(sAMAccountName=u)(userPrincipalName=u))?
Why not always use (objectClass=*) in the LDAP search filter?
Solution 1:[1]
It is probably a holdover from generic LDAP services, where in principle any object could share the same attribute with the same value, but be of different object classes.
However, Active Directory has a limitation that sAMAccountName must be unique within the domain, across all object classes. And only 4 object classes should have the attribute? (Users, groups, printers, and workstations I think).
So you could most likely just query for
(|(sAMAccountName=u)(userPrincipalName=u))
without the objectclass filter at all.
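As an added example (not code from the question or the answer), a small helper that builds the narrowed lookup filter discussed above from an untrusted username, escaping the value per RFC 4515 so that filter metacharacters in the input cannot change the structure of the query, plus a check that the resulting filter's parentheses balance:

```python
# Added example (not from the question or the answer): build the Active
# Directory user lookup filter discussed above from an untrusted username.
# Assertion values are escaped per RFC 4515 so filter metacharacters in the
# input cannot alter the structure of the query.

# RFC 4515: these characters must be written as \XX (hex) inside a value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(username: str, object_class: str = "person") -> str:
    """Return (&(objectClass=<cls>)(|(sAMAccountName=u)(userPrincipalName=u))).

    object_class="*" reproduces the unqualified filter from the question;
    the default "person" is the narrowed variant discussed in the answer.
    """
    u = escape_filter_value(username)
    cls = "*" if object_class == "*" else escape_filter_value(object_class)
    return f"(&(objectClass={cls})(|(sAMAccountName={u})(userPrincipalName={u})))"


def is_balanced(ldap_filter: str) -> bool:
    """Check that every '(' in a filter has a matching ')'.

    Escaped parentheses appear as \\28 and \\29, so only structural
    parentheses are counted here.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```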
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | geoffc |
