using wildcards in LDAP search filters/queries

filter active-directory ldap wildcard
130,043

Solution 1

A filter argument with a trailing * can be evaluated almost instantaneously via an index lookup. A leading * implies a sequential search through the index, so it is O(N). It will take ages.

I suggest you reconsider the requirement.

Solution 2

Your best bet would be to anticipate prefixes, so:

"(|(displayName=SEARCHKEY*)(displayName=ITSM - SEARCHKEY*)(displayName=alt prefix - SEARCHKEY*))"

Clunky, but I'm doing a similar thing within my organization.

Solution 3

This should work, at least according to the Search Filter Syntax article on MSDN network.

The "hang-up" you have noticed is probably just a delay. Try running the same query with narrower scope (for example the specific OU where the test object is located), as it may take very long time for processing if you run it against all AD objects.

You may also try separating the filter into two parts:

(|(displayName=*searchstring)(displayName=searchstring*))

Solution 4

The @user207421's answer is partially correct: by default, median search of the displayName attribute will cause full directory scan and thus will be slow and resource-intensive.

However, the AD Schema Admins can change that by implementing tuple index - specifically designed to improve performance of searches with the leading *. They need to modify the searchFlags attribute of the schema object - ref. https://docs.microsoft.com/en-us/windows/win32/adschema/a-searchflags

Share:
130,043
AnimaSola
Author by

AnimaSola

Updated on September 21, 2021

Comments

  • AnimaSola
    AnimaSola over 2 years

    I have very limited knowledge in AD and LDAP queries so I have a simple question on how to use wildcards.

    Supposed there is object with a displayName of "ITSM - Problem Management"

    My current implementation of the filter with a wildcard is as such:

    (displayName=SEARCHKEYWORD*)

    If a user would enter a keyword of "Problem", he wouldn't be able to find the object since it needs the first part of the name, that is "ITSM - "

    I would like to implement the wildcard on both ends like below:

    (displayName=*SEARCHKEYWORD*)

    Ideally, this would allow the entry of "Problem" and have it search for "ITSM - Problem Management". But the wildcard doesn't seem to work when you put it at the start. When I tried it, it just seems to hang-up and not return any results.

    Any ideas or thoughts on how I can resolve this? Any input would be highly appreciated. Thanks!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

PHP - ldap_search() filter. How to search for user
What are the other alternative to test a LDAP connection on linux machine
How best to recursively query AD Group membership in ASP.NET (using vb)
LDAP Error "User Name Not Found"
Adding users to AD using LDAP
LDAP: How to add a new user to a group inside an OU
How to retrieve DirectoryEntry from a DirectoryEntry and a DN
Query active directory to get a user's roles in .NET
Using LDAP functions to get Active Directory tokenGroups attribute in PHP
LDAP exclude sub OU from search