Writing LDAP queries can prove quite difficult because of the odd search filter syntax and the (mostly) non-relational nature of the LDAP data store. Even once you get your query in place, performance issues can plague it if you don't structure the filter correctly, so efficient LDAP search filters matter for performance.
The articles below should help you create efficient LDAP queries. One key is to make sure attributes you search on often are indexed in Active Directory. You can also save a lot of cycles by sorting on the client and searching by objectCategory instead of objectClass.
- Creating Efficient Filters and Other Tips: http://msdn.microsoft.com/en-us/library/windows/desktop/ms808539.aspx#efficientadapps_topic01e
Nested Filter Tips for Efficient Queries with LDAP Search Filters
Avoid deeply nested complex filters when you can. When you must use complex filters, place the most specific filters first to narrow the list of candidate entries the directory must check. For best results, use not (!) only with and (&), for example (&(cn=Barbara)(!(sn=Jensen))). When you use not with or in a filter, the directory must construct a candidate list of everything except what your filter specifies.
-From http://blogs.oracle.com/marginNotes/entry/ldap_client_application_development
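To make the tips above concrete (objectCategory rather than objectClass, the most selective attribute first, and no not (!) directly under an or (|)), here is an added example in Python that is not part of the original post or the Oracle note. It builds an Active Directory user lookup filter with RFC 4515 escaping of the caller-supplied value, and includes a small checker that flags the not-under-or pattern; the attribute and category names are assumptions for a typical AD schema.

```python
# Added example (not from the original post). Builds an AD search filter that
# follows the post's tips and checks for the "not under or" pattern to avoid.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters * ( ) \\ and NUL become \\XX hex escapes, so a caller-supplied
    value can never alter the filter's structure (LDAP injection prevention).
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Filter for one user: most selective, indexed attribute first, then
    objectCategory (indexed, single-valued) instead of objectClass."""
    return "(&(sAMAccountName=%s)(objectCategory=person))" % escape_filter_value(
        sam_account_name
    )


def not_under_or(filter_str: str) -> bool:
    """Return True if a '!' is a direct operand of a '|' in the filter.

    Assumes an RFC 4515-compliant filter, where raw '(' and ')' are always
    structural (escaped ones appear as \\28 and \\29).
    """
    stack = []  # operator of each open '(' : '&', '|', '!' or '=' for a leaf
    for i, ch in enumerate(filter_str):
        if ch == "(":
            op = filter_str[i + 1] if i + 1 < len(filter_str) else ""
            if op == "!" and stack and stack[-1] == "|":
                return True
            stack.append(op if op in ("&", "|", "!") else "=")
        elif ch == ")" and stack:
            stack.pop()
    return False


if __name__ == "__main__":
    # Constructed inputs: a user name containing a filter metacharacter, and
    # the Oracle note's own example alongside its problematic '|' variant.
    print(user_filter("jdoe*"))
    print(not_under_or("(&(cn=Barbara)(!(sn=Jensen)))"))  # False: fine
    print(not_under_or("(|(cn=Barbara)(!(sn=Jensen)))"))  # True: avoid
```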
If you set the port for OpenDS to 389, it means that you must run OpenDS as root. Or your regular user must have the privileges to open ports under 1024, which requires afaik specific configuration on Linux. Maybe you could explain how you configure the regular user? Regards, Ludo
We work with Microsoft Active Directory and the AD services typically run under a privileged security context. As for other directory services like OpenDS, I don’t have any experience with them so I can’t advise you. Regular user accounts in Active Directory can bind and search in the directory, though, and special privileges are required only when updating an object’s data in the directory.
Great article. Thanks for posting.