objectCategory and objectClass, do we need both?

Jan 14, 2012 at 10:16 PM
Edited Jan 14, 2012 at 10:19 PM

In the documentation (here) it shows that objectCategory is preferred over objectClass.  There are times when it would be useful, with Active Directory at least, to have both.

For example, if you have ObjectClass("user") and you have mapped an OU (maybe with sub-OUs) with users, inetOrgPersons and computers, all three types of objects will be returned.  Likewise, if you have ObjectCategory("person") and you have mapped an OU (and sub-OUs) with contacts, inetOrgPersons, organizationalPersons, persons and users, all five types of objects will be returned.  This might not be what is required.  Is there a way to have both?

I considered putting this in as a feature request but thought it might be worth a discussion, first, in case I've missed something.

Jan 14, 2012 at 11:44 PM

If I understand you correctly, you need a way to specify multiple ObjectClasses, correct?  If that's the case, I've merged GrantAdkins' changes to support mapping and querying multiple ObjectClasses into the trunk.  This will also be available when I release 2.1.

Jan 15, 2012 at 7:57 AM

I don't think that's it but I'm not sure how that'll work on searches.  I'll have a look when I get a chance.

The problem for me is with searches from high up in the OU hierarchy, when sub-OUs will have all sorts of objects.

If you run a search with (objectCategory=person), AD will return contacts, persons, organizationalPersons, users and inetOrgPersons.  We only have contacts and users at the moment but I still get both classes of objects with this type of search.  Contacts don't have the same set of attributes as Users so that's going to present a problem when querying for user.

If you run a search with (objectClass=user), AD will return users, inetOrgPersons and computers. We don't have inetOrgPersons but we do have users and computers.  Since I'll be searching for users, and computer is a sub-class of user, we won't have attribute issues but I'll still get the wrong set of users.

I need (objectCategory=person) to exclude computers and (objectClass=user) to exclude contacts.  When I run a search against AD for users, I always specify both, e.g. (&(objectCategory=person)(objectClass=user)).

Jan 16, 2012 at 7:17 AM

Would (&(objectClass=person)(objectClass=user)) produce the same result?  My understanding is ObjectCategory is just the most specific ObjectClass for an entry.

Jan 16, 2012 at 9:09 AM

No, that doesn't give the same result, I'm afraid.

Here's objectCategory and objectClass for a computer (from a search run using ldp.exe, with your suggested search criteria):

objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=JohnLewis,DC=co,DC=uk;
objectClass (5): top; person; organizationalPerson; user; computer;

You can see that as far as objectClass goes, a computer is a user and an organizationalPerson and a person and a top, so that search is the same as:

(objectClass=user)

If you look at objectCategory and objectClass for a user, you get:

objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=JohnLewis,DC=co,DC=uk;
objectClass (4): top; person; organizationalPerson; user;

This came from the same search as above.  To restrict the search to users in Active Directory, you do need both objectCategory and objectClass.  My bible on this is Active Directory Forestry by John Craddock and Sally Storey, although it is rather old.

Jan 17, 2012 at 1:24 AM

Thanks for the explanation and the link.  I've created a feature request for this.

Apr 23, 2012 at 1:12 AM

This required quite a few changes.  Now when you map ObjectClass and ObjectCategory you can specify that they always or never be included in queries.  IgnoreOC now has an overload that takes an OC enum indicating to ignore ObjectClass, ObjectCategory, or both.  There's also an IncludeOC method that just does the reverse of IgnoreOC.  Please let me know if this solves the problem.
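
The filter behaviour discussed in this thread, as an added example that is not part of any post and is not the project's code: a small evaluator for a subset of LDAP filter syntax, run over three constructed entries (one user, one computer, one contact). The entry names and the shortened objectCategory values are assumptions made for the illustration.

```python
# Constructed sample entries. The objectClass chains for user and computer follow
# the ldp.exe output quoted in the thread; objectCategory is shortened to the
# class name (real AD stores the DN of the schema object and expands the short form).
ENTRIES = {
    "alice (user)": {"objectCategory": ["person"],
                     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    "PC01 (computer)": {"objectCategory": ["computer"],
                        "objectClass": ["top", "person", "organizationalPerson",
                                        "user", "computer"]},
    "supplier (contact)": {"objectCategory": ["person"],
                           "objectClass": ["top", "person", "organizationalPerson",
                                           "contact"]},
}

def parse(f, i=0):
    """Parse a filter (subset: & | ! and equality); return (node, next index)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or i >= len(f) or f[i] != ")":
            raise ValueError(f"malformed '{op}' group")
        return (op, kids), i + 1
    end = f.index(")", i)              # raises ValueError if the ')' is missing
    attr, _, value = f[i:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "=":
        _, attr, value = node
        values = {a.lower(): v for a, v in entry.items()}.get(attr.lower(), [])
        return value.lower() in (v.lower() for v in values)
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def search(filter_text):
    """Return the sorted names of the sample entries that match the filter."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(name for name, e in ENTRIES.items() if matches(node, e))

if __name__ == "__main__":
    for flt in ("(objectClass=user)", "(objectCategory=person)",
                "(&(objectClass=person)(objectClass=user))",
                "(&(objectCategory=person)(objectClass=user))"):
        print(flt, "->", search(flt))
```

An inetOrgPerson entry would still match the combined filter, since its objectClass chain includes user and its objectCategory is person.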