Note that the operators "<" and ">" are not supported. Another operator, ~= (which means approximately equal to), is supported, but no case has been found where this is useful in Active Directory.

The value in a clause will be the actual value of the Active Directory attribute. The value is not case sensitive and should not be quoted. The wildcard character "*" is allowed, except when the attribute is a DN attribute. Examples of DN attributes are distinguishedName, manager, directReports, member, and memberOf. If the attribute is DN, then only the equality operator is allowed and you must specify the full distinguished name for the value (or the "*" character for all objects with any value for the attribute). Do not enclose the DN value in parentheses (as is done erroneously in some documentation). If the attribute is multi-valued, then the condition is met if any of the values in the attribute match the filter.

This filters on all objects where the value of the cn attribute (the common name of the object) is equal to the string "Jim Smith".

Filter clauses can be combined using the following operators:

When your filter clause includes the objectCategory attribute, LDAP does some magic to convert the values for your convenience. The objectCategory attribute is a DN attribute. A typical value for an object in Active Directory might be "cn=person,cn=Schema,cn=Configuration,dc=MyDomain,dc=com". You can use a filter clause similar to the following:

(objectCategory=cn=person,cn=Schema,cn=Configuration,dc=MyDomain,dc=com)

However, Active Directory allows you to instead use the following shortcut:

The following table documents the result of various combinations of clauses specifying values for objectCategory and objectClass:

Use the filter that makes your intent most clear.
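The clause rules described on this page can be checked mechanically before a filter is sent to a domain controller. The following Python linter is an added example, not code from the original article; the function name lint_clause, the rule names and the sample clauses are assumptions made for illustration, and the "full DN" test is only a heuristic.

```python
import re

# DN-syntax attributes named in the text above.
DN_ATTRS = {"distinguishedname", "manager", "directreports", "member", "memberof"}

# Longer operators come first so ">=" is not read as ">" followed by "=...".
CLAUSE = re.compile(r"^\(\s*([A-Za-z][\w.;-]*)\s*(~=|>=|<=|=|<|>)(.*)\)$", re.S)


def lint_clause(clause):
    """Return the rule names a single filter clause violates (empty list = clean)."""
    m = CLAUSE.match(clause.strip())
    if not m:
        return ["not-a-clause"]
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3).strip()
    issues = []
    if op in ("<", ">"):                      # only =, >=, <= and ~= exist
        issues.append("unsupported-operator")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        issues.append("quoted-value")         # values must not be quoted
    if attr in DN_ATTRS:
        if op != "=":
            issues.append("dn-needs-equality")
        if value.startswith("("):
            issues.append("dn-in-parentheses")
        if value != "*":                      # a lone "*" (presence test) is fine
            if "*" in value:
                issues.append("dn-wildcard")  # no partial match on DN attributes
            # Heuristic (assumption): a full DN has several "name=value" parts.
            elif "=" not in value or "," not in value:
                issues.append("dn-not-full")
    return issues


# Constructed sample clauses; ou=Sales and the names are made up.
SAMPLES = [
    "(cn=Jim Smith)",
    '(cn="Jim Smith")',
    "(badPwdCount>3)",
    "(memberOf=cn=Sales*)",
    "(manager=Jim Smith)",
    "(manager=(cn=Jim Smith,ou=Sales,dc=MyDomain,dc=com))",
    "(manager=cn=Jim Smith,ou=Sales,dc=MyDomain,dc=com)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:55} {lint_clause(s) or 'ok'}")
```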