h3.Definition: LDAP Search Operation
The LDAP search operation can be used to identify entries in the Directory Server that match a given set of criteria. It may return zero or more entries, and also zero or more referrals.
The search request protocol op is defined as follows:
{noformat} SearchRequest ::= [APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2),
... },
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3) },
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
typesOnly BOOLEAN,
filter Filter,
attributes AttributeSelection } {noformat}
The elements of the search request include:
* The [base DN|Definition -- Search Base DN], which specifies the location in the [DIT|Definition -- Directory Information Tree] in which to perform the search.
* The [search scope|Definition -- LDAP Search Scope], which specifies the scope of entries at or below the base DN to consider when processing the search.
* The [dereference policy|Definition -- Dereference Policy] to use if any aliases are encountered during processing.
* The [size limit|Definition -- Size Limit], which specifies the maximum number of entries that should be returned from the search (or zero if there should not be any maximum number of entries).
* The [time limit|Definition -- Time Limit], which specifies the maximum length of time in seconds that the server should spend processing the search (or zero if there should not be a maximum number of entries).
* The [typesOnly|Definition -- TypesOnly Flag] flag, which indicates whether the entries returned should include attribute types only or both types and values.
* The [search filter|Definition -- LDAP Search Filter], which specifies the criteria to use to identify matching entries.
* The [search attributes|Definition -- Search Attributes] that indicate which attributes should be included in matching entries, or an empty list to indicate that all [user attributes|Definition -- User Attribute] should be returned.
There are three types of result elements that can be returned in response to a search request: zero or more [search result entries|Definition -- Search Result Entry], zero or more [search result references|Definition -- Search Result Reference], and exactly one [search result done|Definition -- Search Result Done] message. The entries and references can be returned in any order (and with search entries and references interspersed), and the search result done message will come last to indicate that there are no more results.
The search result entry protocol op is defined as follows:
{noformat} SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes PartialAttributeList }
PartialAttributeList ::= SEQUENCE OF
partialAttribute PartialAttribute{noformat}
Each search result entry includes the DN of the entry and zero or more attributes (potentially including only the attribute type names without the values if the "typesOnly" element of the request is true) as defined in the search attribute list.
The search result reference protocol op is defined as follows:
{noformat} SearchResultReference ::= [APPLICATION 19] SEQUENCE
SIZE (1..MAX) OF uri URI{noformat}
Each search result reference includes one or more [LDAP URLs|Definition -- LDAP URL] specifying an alternate location in which the client may search for additional matching entries.
The search result done message is an [LDAP result|Definition -- LDAP Result] defined as follows:
{noformat} SearchResultDone ::= [APPLICATION 5] LDAPResult{noformat}
The LDAP search operation can be used to identify entries in the Directory Server that match a given set of criteria. It may return zero or more entries, and also zero or more referrals.
The search request protocol op is defined as follows:
{noformat} SearchRequest ::= [APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2),
... },
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3) },
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
typesOnly BOOLEAN,
filter Filter,
attributes AttributeSelection } {noformat}
The elements of the search request include:
* The [base DN|Definition -- Search Base DN], which specifies the location in the [DIT|Definition -- Directory Information Tree] in which to perform the search.
* The [search scope|Definition -- LDAP Search Scope], which specifies the scope of entries at or below the base DN to consider when processing the search.
* The [dereference policy|Definition -- Dereference Policy] to use if any aliases are encountered during processing.
* The [size limit|Definition -- Size Limit], which specifies the maximum number of entries that should be returned from the search (or zero if there should not be any maximum number of entries).
* The [time limit|Definition -- Time Limit], which specifies the maximum length of time in seconds that the server should spend processing the search (or zero if there should not be a maximum number of entries).
* The [typesOnly|Definition -- TypesOnly Flag] flag, which indicates whether the entries returned should include attribute types only or both types and values.
* The [search filter|Definition -- LDAP Search Filter], which specifies the criteria to use to identify matching entries.
* The [search attributes|Definition -- Search Attributes] that indicate which attributes should be included in matching entries, or an empty list to indicate that all [user attributes|Definition -- User Attribute] should be returned.
There are three types of result elements that can be returned in response to a search request: zero or more [search result entries|Definition -- Search Result Entry], zero or more [search result references|Definition -- Search Result Reference], and exactly one [search result done|Definition -- Search Result Done] message. The entries and references can be returned in any order (and with search entries and references interspersed), and the search result done message will come last to indicate that there are no more results.
The search result entry protocol op is defined as follows:
{noformat} SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName LDAPDN,
attributes PartialAttributeList }
PartialAttributeList ::= SEQUENCE OF
partialAttribute PartialAttribute{noformat}
Each search result entry includes the DN of the entry and zero or more attributes (potentially including only the attribute type names without the values if the "typesOnly" element of the request is true) as defined in the search attribute list.
The search result reference protocol op is defined as follows:
{noformat} SearchResultReference ::= [APPLICATION 19] SEQUENCE
SIZE (1..MAX) OF uri URI{noformat}
Each search result reference includes one or more [LDAP URLs|Definition -- LDAP URL] specifying an alternate location in which the client may search for additional matching entries.
The search result done message is an [LDAP result|Definition -- LDAP Result] defined as follows:
{noformat} SearchResultDone ::= [APPLICATION 5] LDAPResult{noformat}