The LDAP (Lightweight Directory Access Protocol) can be used to search for and read LDAP entries. An LDAP entry is a record in the LDAP Directory, which comprises of a unique identifier called Distinguished Name (DN), a Relative Distinguished Name (RDN), and some attributes defined in a schema.

LDAP can be used to retrieve complete as well as partial copies of entries that match a certain set of search criteria. An LDAP search criteria is used to find an LDAP user account by authenticating it against the LDAP Directory. An LDAP search request has the following parameters:

ldap-diagram
pointer

Search Parameters

Search base DN

The search base DN is the base of the subtree in which the search operation is to be carried out. This must be provided, but it may also be a null DN.
 

Search scope

The search scope specifies the portion of the target subtree. The supported search scope values are:
baseObject

baseObject is often referred to as “base”. It indicates that the exact entry specified as the search base should be considered, but its subordinates should not be considered.

singleLevel

singleLevel is often referred to as “one”. It indicates that the children of the entry specified as the search base should be considered when searching. Neither the base entry nor the descendants of the immediate children of the base entry are to be considered.

wholeSubtree

wholeSubtree is often referred to as “sub”. It indicates that all the subordinates to any depth of the entry specified in the search base should be considered. In the special case, when the search base DN is the null DN, the root DSE should not be considered in the wholeSubtree search.

subordinateSubtree

subordinateSubtree is often referred to as “subordinates”. It indicates that all of the subordinates to any depth of the entry specified in the search base should be considered. However, the entry specified by the search base should not be considered.

Alias dereferencing behavior

The alias dereferencing behavior indicates how the server should treat the aliases encountered when processing the search operation. The supported alias dereferencing behavior values are:
neverDerefAliases

This indicates that aliases should not be dereferenced when processing the search operation.

derefInSearching

This indicates that the server should dereference the aliases encountered in the scope of the search, but should not dereference the search base entry as it is itself an alias.

derefFindingBaseObj

This indicates that the aliases encountered within the scope of the search should not be dereferenced, but if the entry specified in the search base is an alias, then the server should dereference it.

derefAlways

This indicates that all aliases, encountered in the entry specified as the search base, as well as the aliases encountered within the scope of the search, should be dereferenced.

Search size limit

The search size limit specifies the number of entries that should be returned from the search operation. Zero value means no limit. When the server also imposes a size limit for the search operation, then the smaller of the client-requested and server-imposed size limit is enforced.

codingb
figure-security

The types Only flag

If the value of the typesOnly flag is true, then the entries that match the search criteria should only return the attribute descriptions but not the actual values for the attributes of the entry. If the value is false, then it indicates that the attribute values too should be returned.

Search filter

The Search filter specifies the criteria used to identify the entries within the scope that should be returned. There are ten basic filter types:
Presence filters

To determine if an entry contains an attribute. If an entry contains at least one value for the attribute, then the entry marches the presence filter.

Equality filters

To determine if an entry contains a specified attribute value. If an entry contains the specified value, then the entry matches the equality filter regardless of the presence or absence of other values.

Greater-or-equal filters

To determine if an entry contains at least one value that is greater than or equal to a specified value.

Less-or-equal filters

To determine if an entry contains at least one value that is lesser than or equal to a specified value.

Substring filters

To determine if an entry contains at least one value for a specified attribute that matches a given substring.

Approximate match filters

To determine if an entry contains at least one value for an attribute, that is approximately equal to a given value.

Extensible match filters

To override the default matching rule, to determine whether a particular value exists in an attribute of the entry, and to determine if a particular value exists in the attributes used to comprise the DN for an entry.

AND filters

To evaluate to true if all of the filters that it encapsulates are true.

OR filters

To set to true if at least one of the filters it encapsulates is true.

NOT filters

To negate the result obtained out of the encapsulated filter. The encapsulated filter can either be an AND or OR filter.

Set of attributes

A set of attributes requests for the inclusion of entries that match the search. A listed, specific set of attribute descriptions are included in the matching entries.

  • "*" indicates that all attributes should be included.
  • “+” indicates that all operational attributes should be included.
  • "1.1" indicates that no attributes should be included.
  • An empty set of attributes denotes that the value "*" was specified.
figure-security

The search operation

When the directory server obtains a valid authorized request, then the entries within the specified scope is identified. All the matching entries are returned to the client.Each search result entry includes the DN of the matching entry along with the attributes contained in that entry, depending on the set of requested attributes.If the typesOnly value is true, then the attributes are returned without their values. If the typesOnly value is false, then the attributes will be returned with all the values that the requester is permitted to retrieve.

If there are more than one matching entries, the server may also return one or more search result reference messages.

Once all the appropriate search results and search result reference messages are returned by the server, then the server sends a search result done message to indicate the completion of the search operation. Some common search operations results include:
success result code

If the search operation is successful, the server returns the “success” result code.

noSuchObject result code

If the specified entry is non-existent, then the server returns the noSuchObject result code.

invalidDNSyntax result code

If the search base DN is malformed, then the server returns the invalidDNSyntax results code.

sizeLimitExceeded result code

If the search criteria match more entries than allowed in the client-requested or server-imposed limit, then the server returns the sizeLimitExceeded result.

timeLimitExceeded result code

If the time required to process the search operation exceeds the server-imposed or client-requested limit, then the server returns the timeLimitExceeded result code.

undefinedAttributeType result code

If the search filter includes an attribute type that is not defined in the server schema, then the server returns the undefinedAttributeType result code.

insufficentAccessRights result code

If the requester does not have permission to perform the search operation, then the server returns the insufficentAccessRights result code. This is different from the case when the user is allowed to perform the search operation but does not have the right to access the matching entries.