Search Filters
By using search filters, you can define search criteria that provide better control to achieve more effective and efficient searches. For example, you might be interested in all the users whose surname is "Smith," or you might want to find out all the team members who report to the manager named "Mary Jones." ADSI supports LDAP search filters as defined in RFC 2254. These search filters are represented by UTF-8 strings. Table 3.1 illustrates some commonly used search filter strings.
Table 3.1 Common LDAP Search Filters
Filter |
Description |
|---|---|
(objectCategory=*) |
All objects. |
(&(objectClass=user)(!(cn=susan))) |
All user objects except "susan". |
(cn=sm*) |
All objects with a surname that starts with "sm". |
(&(objectClass=contact)(|(sn=Smith) (sn=Johnson))) |
All contacts with a surname equal to "Smith" or "Johnson". |
The search filters shown in Table 3.1 use one of the following formats:
( <attribute><operator><value> )
– Or –
( <operator> ( <filter1> )( <filter2> )...)
Table 3.2 shows some of the most frequently used search filter operators.
Table 3.2 Commonly Used LDAP Search Filter Operators
Operator |
Description |
|---|---|
= |
Equal to |
~= |
Approximately equal to |
<= |
Lexicographically less than or equal to |
>= |
Lexicographically greater than or equal to |
& |
AND |
| |
OR |
! |
NOT |
For more information about the LDAP search query syntax and operators, see the Microsoft Platform SDK link and the Request for Comments (RFC) link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources . On the Request for Comments (RFC) site, follow the links to RFC 2254.
ObjectCategory vs. ObjectClass in a Search Filter
Because of the existence of the class inheritance hierarchy in the schema every object in Active Directory is in fact a member of many classes — four or five on the average. For this reason, the objectClass index is prohibitively large (for example, 4 n , where n is the number of objects in the system). In addition, objectClass has poor selectivity for many possible class values. For example, a search filter of ( objectClass = securityPrincipal ) returns every user and group object in the system.
On the other hand, objectCategory usually refers to the most specific class in the object's class hierarchy. Although objectClass can have multiple values, the attribute objectCategory has only one. Every Active Directory object has an objectCategory attribute whose value is a classSchema object.
Every classSchema object has an attribute called defaultObjectCategory , which is the object category of an instance of the class if none is specified by the user. For most classes, the defaultObjectCategory value is the class itself. In the search filter, you can specify objectCategory = X , where X is the ldapDisplayName of a class, and LDAP automatically expands the filter to objectCategory =< defaultObjectCategory of class X >. The objectCategory attribute has a syntax of distinguished name, and LDAP automatically converts the value for objectCategory to the distinguished name format. For example, if you use objectCategory =contact in the filter, the filter changes to objectCategory =cn=person,cn=schema,cn=configuration,dc=< ForestRootDomain > ("person" is the defaultObjectCategory for the class contact ).
For more information about class inheritance, see "Active Directory Schema" in this book.