Optimizing LDAP Directory Search
This topic describes how to efficiently perform searches for objects (such as users and user groups) in an Active Directory service.
In Active Directory, resources are organized into structures called classes, for example:
- User accounts
- User groups
- Computers
- Domains
- Organizational units
Some objects, referred to as 'containers', can hold other objects. For example, an organizational unit is a container object. Therefore, the organization of objects in Active Directory follows a hierarchical structure.
The following illustration depicts a hierarchical arrangement of a tree with three domains, each having its own set of organizational units (OUs) for users and groups.
User Search Base and Group Search Base
The User Search Base and Group Search Base set the scope for searching the respective objects in Active Directory's hierarchical structure. It is therefore recommended to select values that are specific enough to narrow the search to the intended area of the tree, while still ensuring that no intended User or Group falls outside the search scope.
Maximum Search Depth
The Max Filter parameter determines the maximum depth (level) applied when searching the Active Directory hierarchy. This value specifies the number of recursive levels at which the search for nested Group objects is performed for each Group object encountered while searching Active Directory's hierarchy structure.
For example, consider the following nested group hierarchy:
- UG1 contains UG2
- UG2 contains UG3
- UG3 contains UG4
UG1
  └ UG2
      └ UG3
          └ UG4
| Max Filter setting | Result |
| --- | --- |
| Max Filter is set to 4 | The search for the user's group membership returns all groups in the hierarchy, including UG1, UG2, UG3, and UG4. |
| Max Filter is set to 3 (or less) | The user's group membership returns only UG2, UG3, and UG4. The search does not go beyond the third level in the hierarchy. |
| Max Filter is set to 10 | The search returns all groups (UG1 to UG4) as specified, but it involves unnecessary recursive calls (10 in total, of which 6 are unnecessary). This can impact performance. |
- The default value for Max Filter is 10.
- It is recommended to choose a value aligned with the maximum nested level in your Active Directory's Group hierarchy to avoid unnecessary recursive calls and performance issues.
- Typically, customers choose values like '1' or '2' based on the common nested level/depth of User Groups in most scenarios. However, the choice ultimately depends on your specific requirements.
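The level-by-level membership lookup that Max Filter bounds, shown as an added simulation that is not the product's own code; the sample directory, DNs, and function names are constructed for this example, and it reproduces the search counts from the table above, including the wasted round trips when the depth exceeds the real nesting:

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample directory: group DN -> the DNs in its 'member' attribute.
# It encodes the hierarchy above: UG1 contains UG2, UG2 contains UG3, UG3 contains UG4.
GROUP_BASE = "OU=Groups,DC=example,DC=com"
USER_DN = "CN=alice,OU=Users,DC=example,DC=com"
DIRECTORY: Dict[str, Set[str]] = {
    f"CN=UG1,{GROUP_BASE}": {f"CN=UG2,{GROUP_BASE}"},
    f"CN=UG2,{GROUP_BASE}": {f"CN=UG3,{GROUP_BASE}"},
    f"CN=UG3,{GROUP_BASE}": {f"CN=UG4,{GROUP_BASE}"},
    f"CN=UG4,{GROUP_BASE}": {USER_DN},
}

def build_filter(member_dns: List[str]) -> str:
    """LDAP filter one level of the lookup sends: groups whose 'member'
    attribute holds any DN found at the previous level."""
    clauses = "".join(f"(member={dn})" for dn in sorted(member_dns))
    return f"(&(objectClass=group)(|{clauses}))"

def ldap_search(search_base: str, ldap_filter: str) -> List[str]:
    """Stand-in for one directory search (one round trip). Returns the DNs
    under search_base whose members match the filter; the sample DNs contain
    no parentheses, so a simple regex is enough to read the filter back."""
    wanted = set(re.findall(r"\(member=([^)]+)\)", ldap_filter))
    return sorted(dn for dn, members in DIRECTORY.items()
                  if dn.endswith(search_base) and members & wanted)

def nested_groups(user_dn: str, group_search_base: str,
                  max_filter: int) -> Tuple[Set[str], int]:
    """Resolve membership level by level as described above: level 1 finds the
    groups containing the user, level n the groups containing the groups from
    level n-1. One search is issued per level up to max_filter, whether or not
    the previous level found anything, so a depth larger than the real nesting
    wastes round trips. Returns the group DNs found and the search count."""
    found: Set[str] = set()
    frontier = [user_dn]
    searches = 0
    for _ in range(max_filter):
        results = ldap_search(group_search_base, build_filter(frontier))
        searches += 1
        # Skip groups already seen so a membership cycle cannot loop forever.
        frontier = [dn for dn in results if dn not in found]
        found.update(frontier)
    return found, searches

def group_names(dns: Set[str]) -> Set[str]:
    """Reduce full DNs to their CN for readability, e.g. {'UG1', 'UG2'}."""
    return {dn.split(",")[0][len("CN="):] for dn in dns}
```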