List Archives

This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] stupid ldap queries
matheesha

04/18/2006 5:01 AM
All

Could someone please explain how Non-indexed queries (e.g.
"objectClass=user") fall in this category? I saw this mentioned in
some slides by Gil and couldn't quite understand what he meant. Isn't
objectclass indexed as part of the partial attribute set?

Thanks

M@
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
bdesmond

04/18/2006 5:50 AM
Not sure I understand the question fully, but no, objectClass is not
indexed. objectCategory is. So if you want to get all users you do:

(&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132



matheesha

04/18/2006 6:20 AM
RUE)" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe wrote:

Thanks for the reply. In that case why does

adfind -schema -f "&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)" ldapdisplayname -list

returning objectclass amongst the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b.

Thanks

M@
darren.marelia@xxxx.yyy

04/18/2006 6:35 AM  
I think you are confusing indexed with "is in the global
catalog". They are not synonymous. You can have one without the other just
fine.


bdesmond

04/18/2006 6:51 AM
No. isMemberOfPartialAttributeSet just means that the attribute
is replicated into the GC. Being in the GC does not imply that the attribute is
indexed. There's an attribute (I think isIndexed) which
says the attribute should be indexed in the database.



Thanks,
Brian Desmond

brian@xxxxxxxxxxxxxxxx



c - 312.731.3132





From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] stupid ldap queries



bummer! I meant adfind
-schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE)"
ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe
wrote:

sorry that was meant to be adfind -schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)"
ldapdisplayname -list



On 4/18/06, Matheesha Weerasinghe

wrote:

Thanks for the reply. In that case why does

adfind -schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)"
ldapdisplayname -list

returning objectclass amongst the others? Doesn't this mean objectclass is
indexed? The reason I ask is because I wanted to make sure I didn't write
stupid ldap queries that load up the server. I am still learning so please be
patient with this n00b.

Thanks


M@



lists1

04/18/2006 7:10 AM
Hello Matheesha,

if you want to check if it is indexed you have to check if bit 1 of the
searchFlags attribute is set.

You can do this using an LDAP query like

(&(objectCategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))

Using dsquery this would be

dsquery * cn=schema,cn=configuration,dc=example,dc=com -filter "(&(objectCategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))" -attr name

If you want to set the index, verify that searchFlags AND 1 = 0, then add 1 to
searchFlags.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=




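The distinction drawn in the replies above (in the GC versus indexed, and bit 1 of searchFlags), as an added example that is not part of any poster's message: it reviews an LDAP filter against a schema snapshot and reports whether the filter can be served from an index. The `SCHEMA` values are constructed to mirror what the thread states, and the indexability rules are a simplified model (an AND needs one indexed term, an OR needs all of them, NOT and bitwise terms never count), not the directory's actual query optimizer.

```python
import re

FATTINDEX = 0x1  # bit 1 of searchFlags: the attribute is indexed

# Constructed schema snapshot: lDAPDisplayName -> (searchFlags,
# isMemberOfPartialAttributeSet). Illustrative values only; read the real
# ones from your own schema partition.
SCHEMA = {
    "objectclass":    (8, True),    # in the GC, index bit clear
    "objectcategory": (1, True),    # in the GC and indexed
    "samaccountname": (13, True),   # index bit set alongside other bits
    "description":    (0, False),
    "searchflags":    (0, False),
}

# attr, optional :matchingRuleOID:, operator, value
ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(?::([0-9.]+):)?(>=|<=|~=|=)(.*)", re.S)


def is_indexed(attr, schema=SCHEMA):
    """Bitwise test, not equality: searchFlags 13 is indexed, 8 is not."""
    flags, _in_gc = schema.get(attr.lower(), (0, False))
    return bool(flags & FATTINDEX)


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("filter ends after '('")
    if s[i] in "&|":
        op, children = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = (op, children)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.find(")", i)
        m = ITEM.fullmatch(s[i:end]) if end != -1 else None
        if not m:
            raise ValueError(f"bad filter item at offset {i}")
        node = ("item", m.group(1).lower(), m.group(2), m.group(4))
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_filter(text):
    """Parse a subset of RFC 4515 filters into nested tuples."""
    s = text.strip()
    if not s.startswith("("):      # adfind-style filter without outer parens
        s = f"({s})"
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _attrs(node):
    if node[0] == "item":
        yield node[1]
    else:
        for child in node[1]:
            yield from _attrs(child)


def can_use_index(node, schema=SCHEMA):
    """Simplified model of whether an index can narrow the search."""
    kind = node[0]
    if kind == "item":
        _, attr, rule, _value = node
        if rule is not None:       # bitwise matching rule: evaluated per object
            return False
        return is_indexed(attr, schema)
    if kind == "&":
        return any(can_use_index(c, schema) for c in node[1])
    if kind == "|":
        return bool(node[1]) and all(can_use_index(c, schema) for c in node[1])
    return False                   # "!" cannot be answered from an index


def review_filter(text, schema=SCHEMA):
    tree = parse_filter(text)
    attrs = sorted(set(_attrs(tree)))
    not_indexed = [a for a in attrs if not is_indexed(a, schema)]
    return {
        "uses_index": can_use_index(tree, schema),
        "not_indexed": not_indexed,
        # The confusion in the thread: replicated to the GC, yet no index.
        "in_gc_not_indexed": [a for a in not_indexed
                              if schema.get(a, (0, False))[1]],
    }


if __name__ == "__main__":
    for f in ("(objectClass=user)",
              "(&(objectCategory=person)(objectClass=user))",
              "(|(objectCategory=person)(objectClass=user))"):
        print(f, review_filter(f))
```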
wooklee

04/18/2006 8:47 AM
I never understood why Microsoft chose not
to index objectclass by default. I indexed it in our directory as soon as we
got the go ahead from Microsoft that it was supported. That was years ago.



Wook



MarcusOh

04/18/2006 9:04 AM
I did the same after I saw some of the activedir folks post about doing it… :)

:m:dsm:cci:mvp | marcusoh.blogspot.com











bdesmond

04/18/2006 9:18 AM
Yeah our SunONE environment is set up that way - AD drives
the SunONE LDAP guy crazy. I suppose I could be generous and index it to save
him some trouble but then again that might squelch some of the Microsoft sucks
Sun sucks discussions and those are always amusing.



Thanks,
Brian Desmond

brian@xxxxxxxxxxxxxxxx



c - 312.731.3132







JefTek

04/18/2006 9:56 AM
It seems like an obvious idea to implement. Sad we never thought about it. :)

Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,

Jef
wooklee

04/19/2006 4:06 AM
Adding indices will start you down the
slippery slope that ultimately leads to custom schema extensions. Do you like
new OIDs? :)



Wook



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, April 19, 2006 4:19 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries



Exactly, you can tell your AD to do it
efficiently versus trying to train everyone who writes a query that goes
against AD. I mean you want to try and train everyone because there are other
bad things they can do that you can't easily handle but this is a nice quick
easy thing to do to help.



I HIGHLY HIGHLY HIGHLY recommend folks use
adfind or ldp to test their queries and have the STATS output generated and
displayed when they are doing dev work to figure out how good their queries
are, in adfind, look at the -STATS* set of switches. Seriously, they are very
cool. You will learn a lot about how the queries are working whether you intend
to or not.



  joe



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 









From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Marcus.Oh@xxxxxxx
Sent: Wednesday, April 19, 2006 12:34 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

It'd be the same relative gain running
a query using objectcategory versus objectclass. Most of the time, I
would run into queries that people were using, utilizing objectclass instead of
objectcategory. Indexing objectclass made this moot.



:m:dsm:cci:mvp | marcusoh.blogspot.com



From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jef Kazimer
Sent: Tuesday, April 18, 2006 5:55 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid
ldap queries



It
seems like an obvious idea to implement. Sad we never thought about it. :)



Has
anyone done any tests to reveal what performance gains this yields on queries?



Thanks,



Jef

Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: Marcus.Oh@xxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx

I did the same after I saw some of the activedir folks post about doing
it... :)

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

I never understood why Microsoft chose not to index objectclass by default. I
indexed it in our directory as soon as we got the go ahead from Microsoft that
it was supported. That was years ago.

Wook

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 11:50 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

No. isMemberOfPartialAttributeSet just means that the attribute is replicated
into the GC. Being in the GC does not imply that the attribute is indexed.
There's an attribute (I think isIndexed) which says the attribute should be
indexed in the database.

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] stupid ldap queries

bummer! I meant adfind -schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE)"
ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe <matheesha@xxxxxxxxx> wrote:

sorry that was meant to be adfind -schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=T
RUE)" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe <matheesha@xxxxxxxxx> wrote:

Thanks for the reply. In that case why does

adfind -schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=T
RUE)" ldapdisplayname -list

return objectclass amongst the others? Doesn't this mean objectclass is
indexed? The reason I ask is because I wanted to make sure I didn't write
stupid ldap queries that load up the server. I am still learning so please be
patient with this n00b.

Thanks

M@

On 4/18/06, Brian Desmond <brian@xxxxxxxxxxxxxxxx> wrote:
> Not sure I understand the question fully, but, no objectClass is not
> indexed. objectCategory is. So if you want to get all users you do:
>
> (&(objectCategory=person)(objectClass=user))
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Matheesha Weerasinghe
> > Sent: Tuesday, April 18, 2006 1:00 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: [ActiveDir] stupid ldap queries
> >
> > All
> >
> > Could someone please explain how Non-indexed queries (e.g.
> > "objectClass=user") fall in this category? I saw this mentioned in some
> > slides by Gil and couldn't quite understand what he meant. Isn't
> > objectclass indexed as part of the partial attribute set?
> >
> > Thanks
> >
> > M@
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
MarcusOhUser is Offline

Posts:14

04/19/2006 4:36 AM  
It'd the same relative gain running a
query using objectcategory versus objectclass.  Most of the time, I would run
into queries that people were using, utilizing objectclass instead of
objectcategory.  Indexing objectclass made this moot.



:m:dsm:cci:mvp | marcusoh.blogspot.com



listmailUser is Offline

Posts:822

04/19/2006 11:17 AM  
1. As mentioned, Partial Attribute Set (PAS) attributes are not necessarily
indexed. These are not related in AD. However if you put something in the
PAS because you want to do searches against that attribute, you will often
see the object indexed as well.

2. Most every query that only specifies objectclass[1] in a default Active
Directory is inefficient because objectclass is not indexed and it means AD
will need to look at every object within the scope of the query to determine
whether or not an object matches. This means if you generate a subtree
search based at the domain NC down and you have 10,000 objects and you only
have 14 objects of the needed class (for argument's sake,
organizationalUnit), AD would have to look at 10,000 objects instead of 14
objects to figure out what to return.

3. I have had several discussions with folks on this on and offlist and
pretty much am very strongly for indexing objectclass. I haven't personally
seen a case where it turned out to be a bad thing. The more likely you are
to run LDAP apps either run from or ported from UNIX counterparts the more
likely this is going to help because objectclass usually appears to be
indexed in other directories. This also used to help with Exchange 2000
because there were several bad queries that used no indexed attributes and
indexing objectclass made it so those queries did use an indexed attribute,
to my knowledge, those have mostly all been fixed however I can't say I have
done a comprehensive study of all Exchange queries. Generating a list of all
queries going against AD is more of a pain than it needs to be right now
IMO. But anyway, I think that a general going in statement is that it is
good to index objectclass, the investment is generally quite minimal (I had
heard fear stories of possible DIT growth of 50% but have never seen
anything over about 10%). The worst problem is if you happen to have a
program that makes various assumptions based on an attribute being indexed
and starts acting a little odd in some cases afterward. There was a product
from a major vendor that used to do something unusual with how it displayed
information once you indexed objectclass and selected the objectclass column
for sorting (obviously sorting on a multivalue attribute is undefined and
therefore disallowed) but that was straightened out some time ago. If someone
from that company or someone who used to be with that company wants to out
themselves I will let them do so. I will say that once they saw the issue,
they responded quickly and well to it.

4. To determine if a specific attribute is indexed or not, you simply look
at bit 0 (value 1) on the searchFlags attribute. If you want to quickly find
indexed attributes in your directory, you can use ADFIND V01.31.00 to do so
with

adfind -sc indexed

Or

adfind -sc indexedl

5. For completeness, if you want to quickly find PAS attributes in your
directory, you can do so with

adfind -sc pas

Or

adfind -sc pasl

Note that there is more than one way that an attribute could be specified to
be part of the PAS. There is the standard isMemberOfPartialAttributeSet=TRUE
but there is also a systemFlags bit that corresponds to it for things that
Microsoft wants in the PAS and doesn't want you changing. These switches
properly find both items. Run the commands and add the -po switch to see
exactly what it is querying for.

No you cannot combine those switches and get all indexed attributes that are
in the PAS. I stopped just short of inventing a new query language to ride
on top of LDAP, it kind of bothered me when I saw myself moving in that
direction. :) What would I call it? jQL?? joeLDAP??? RooBurger[2]????

6. Oh, one question sort of asked was WHY did MS do this? Well "as I
understand it"(tm), early pre-beta Windows 2000 AD revs did not handle
indexing of multivalue and non-unique value attributes well. The fact that
objectclass was both non-unique and multivalued is a double whammy if
neither of those is good. MSFT fixed both issues but no one ever went back
and corrected the schema def before release and I know some very bright
folks in MSFT were like, oops, we should have done that. You will often hear
this wives' tale (or maybe urban legend) running around that you can't index
non-unique or multivalue attributes and it is completely bogus. You _may_
not get as much bang for your buck doing it but will get some benefit at
some level if you use that attribute to search with and don't have another
index in the query. I have even heard MCS folks spout this urban legend and
I usually ask them to join me in the corner for a quick chat for a moment
when they say it (MCS are people too). There is a rumour that the default
index state of objectclass may change in LongHorn Server, I recommend folks
check for themselves.

I think I have blogged on this once or twice and certainly the ADORG
archives will have more than one post on this topic from myself and others.
But again, if someone asks me if they should index objectclass, I will
usually respond with, you mean you haven't already??? Seriously, test it in
your lab, make sure none of your management or LOB apps have an issue with
it, specifically look for cases where they are using the fact that an
attribute is indexed or not as an indicator that you can sort on the
attribute because that is one issue I have personally seen. If you run into
that or some other issue, do not hesitate to tell the vendor, you can even
have them contact me if you want and I can explain. Most vendors will find I
am very easy to get along with if they are willing to change their evil ways
and I will explain the "better" ways to do things they may be running into.
I like doing it because it makes things better for me when I walk into
companies and know that vendor xyz "gets it" and I don't have to focus quite
so much on things they make when looking for problems. Plus I like having
various vendors being aware of me and being willing to listen because it
makes it easier to get their attention if I find a problem with their
products.

  joe

[1] The exception here where this is ok is the EXISTS filter which is
objectclass=*, this is perfectly fine to use.
[2] In the tradition of naming something that has absolutely nothing to do
with anything about the thing....
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
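
Points 2 and 4 of the post above, as an added example (not joe's code and not how adfind or AD's query optimizer is implemented): it derives the indexed and PAS sets from schema values and checks whether a filter has an indexed term to work with. Assumptions: the schema sample is constructed, the `example*` attribute names are hypothetical, the systemFlags PAS bit is taken as value 2 (the post does not name it), and the AND/OR/NOT rule is a simplified rule of thumb.

```python
import re

SEARCH_FLAG_INDEXED = 0x1  # searchFlags bit 0 (value 1): attribute is indexed
SYSTEM_FLAG_PAS = 0x2      # systemFlags bit taken here as the PAS marker (assumption)

# Constructed sample of attributeSchema values, not real directory output.
# "pas" stands for isMemberOfPartialAttributeSet; example* names are hypothetical.
SAMPLE_SCHEMA = [
    {"name": "objectClass",       "searchFlags": 8,  "systemFlags": 18, "pas": True},
    {"name": "objectCategory",    "searchFlags": 1,  "systemFlags": 18, "pas": True},
    {"name": "sAMAccountName",    "searchFlags": 13, "systemFlags": 18, "pas": True},
    {"name": "exampleBadgeId",    "searchFlags": 0,  "systemFlags": 0,  "pas": True},
    {"name": "exampleSystemAttr", "searchFlags": 0,  "systemFlags": 2,  "pas": False},
    {"name": "exampleNotes",      "searchFlags": 0,  "systemFlags": 0,  "pas": False},
]


def indexed_attrs(schema):
    """Attributes whose searchFlags has bit 0 set."""
    return {a["name"].lower() for a in schema
            if a["searchFlags"] & SEARCH_FLAG_INDEXED}


def pas_attrs(schema):
    """PAS members: either the boolean attribute or the systemFlags bit."""
    return {a["name"].lower() for a in schema
            if a["pas"] or a["systemFlags"] & SYSTEM_FLAG_PAS}


_LEAF = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(>=|<=|~=|=)(.*)", re.S)


def parse_filter(text):
    """Parse a basic LDAP filter into nested tuples."""
    s = text.strip()
    if not s.startswith("("):       # adfind-style filter without outer parens
        s = "(" + s + ")"
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing text after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i = s[i], i + 1
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or i >= len(s) or s[i] != ")":
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    m = _LEAF.fullmatch(s[i:end]) if end != -1 else None
    if not m:
        raise ValueError(f"malformed comparison near offset {i}")
    return ("leaf", m.group(1).lower(), m.group(2), m.group(3)), end + 1


def _indexable(node, indexed):
    if node[0] == "leaf":
        _, attr, op, value = node
        if attr == "objectclass" and op == "=" and value == "*":
            return False            # matches every object, narrows nothing
        return attr in indexed
    op, kids = node
    if op == "&":                   # one indexed term is enough to narrow an AND
        return any(_indexable(k, indexed) for k in kids)
    if op == "|":                   # every branch of an OR needs an index
        return all(_indexable(k, indexed) for k in kids)
    return False                    # '!' is treated as not indexable


def verdict(text, indexed):
    """Return 'indexed', 'unindexed', or 'exists' for the bare objectclass=* filter."""
    node = parse_filter(text)
    if node == ("leaf", "objectclass", "=", "*"):
        return "exists"
    return "indexed" if _indexable(node, indexed) else "unindexed"


if __name__ == "__main__":
    idx = indexed_attrs(SAMPLE_SCHEMA)
    print("in PAS but not indexed:", sorted(pas_attrs(SAMPLE_SCHEMA) - idx))
    for f in ("(objectClass=user)",
              "(&(objectCategory=person)(objectClass=user))",
              "(objectClass=*)"):
        print(f, "->", verdict(f, idx))
    # Same filter after setting bit 0 of searchFlags on objectClass:
    print("(objectClass=user) ->", verdict("(objectClass=user)", idx | {"objectclass"}))
```
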
listmailUser is Offline

Posts:822

04/19/2006 11:21 AM  
Exactly, you can tell your AD to do it efficiently versus
trying to train everyone who writes a query that goes against AD. I mean you
want to try and train everyone because there are other bad things they can do
that you can't easily handle but this is a nice quick easy thing to do to
help.

I HIGHLY HIGHLY HIGHLY recommend folks use adfind or ldp to
test their queries and have the STATS output generated and displayed when they
are doing dev work to figure out how good their queries are, in adfind, look at
the -STATS* set of switches. Seriously, they are very cool. You will learn a lot
about how the queries are working whether you intend to or
not.

  joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


listmailUser is Offline

Posts:822

04/20/2006 1:04 AM  
Oi.

You may want to post your creative work so everyone is in
on the joke, I am sure some folks would really appreciate it.
:)


  joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Lee, Wook
Sent: Wednesday, April 19, 2006 11:48 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

Adding indices will start you down the slippery slope that ultimately leads to
custom schema extensions. Do you like new OIDs? :)

Wook

listmailUser is Offline

Posts:822

04/20/2006 1:13 AM  
Oh I love those! The app dev folks (or vendor) tell you
that your AD is broken because it is so slow... Yep I have been there.


Indexing is fine, just index things you regularly query on,
no reason to suck up resources and perf for indexes that aren't used. For
instance, indexing all attributes doesn't make sense but if you have a crit app
or a bunch of apps using a query with no indexed attributes or having a specific
attribute that could seriously help perf it is good to add.

Wook, I think, is being a trifle facetious and plugging his
creative work. :)

Schema updates are goodness when done correctly and
smartly. There is no reason to be scared of doing them, just be scared of doing
them wrong.




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Marcus.Oh@xxxxxxx
Sent: Wednesday, April 19, 2006 10:32 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

It's only been that one.  Okay, maybe one other that was indexed, but that was
because a very large network/voip vendor that required a schema extension
subsequently used one of these attributes in all of their queries.  In a large
implementation (which they clearly had never seen) the query would take a year
to complete.  Of course, in their lab with 5 objects, it completed in
milliseconds.

:m:dsm:cci:mvp | marcusoh.blogspot.com

From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Lee, WookSent: Wednesday, April 19, 2006 11:48
AMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] stupid ldap
queries

Adding indices will
start you down the slippery slope that ultimately leads to custom schema
extensions. Do you like new OIDs? J

Wook



From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of joeSent: Wednesday, April 19, 2006 4:19 AMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] stupid ldap
queries

Exactly, you can tell
you AD to do it efficiently versus trying to train everyone who writes a query
that goes against AD. I mean you want to try and train everyone because there
are other bad things they can do that you can't easily handle but this is a nice
quick easy thing to do to help.

I HIGHLY HIGHLY HIGHLY
recommend folks use adfind or ldp to test their queries and have the STATS
output generated and displayed when they are doing dev work to figure out how
good their queries are, in adfind, look at the -STATS* set of switches.
Seriously, they are very cool. You will learn a lot about how the queries are
working whether you intend to or not.


joe


--
O'Reilly Active
Directory Third Edition - http://www.joeware.net/win/ad3e.htm 





From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of
Marcus.Oh@xxxxxxxSent: Wednesday, April 19, 2006 12:34 AMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] stupid ldap
queries
It™d the same relative
gain running a query using objectcategory versus objectclass.  Most of the
time, I would run into queries that people were using, utilizing objectclass
instead of objectcategory.  Indexing objectclass made this
moot.


:m:dsm:cci:mvp |
marcusoh.blogspot.com



From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Jef
KazimerSent: Tuesday,
April 18,
2006 5:55
PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] stupid ldap
queries

It seems like an obvious idea to
implement. Sad we never thought about it. :)

Has anyone done any tests to reveal
what performance gains this yields on queries?

Thanks,

Jef




Subject: RE: [ActiveDir] stupid
ldap queriesDate: Tue, 18 Apr 2006 17:03:35 -0400From:
Marcus.Oh@xxxxxxxTo: ActiveDir@xxxxxxxxxxxxxxxxxx

I did the same after
I saw some of the activedir folks post about doing it¦ J





































:m:dsm:cci:mvp |
marcusoh.blogspot.com





From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Lee,
WookSent: Tuesday, April 18, 2006
4:47 PMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] stupid ldap
queries

I never understood
why Microsoft chose not to index objectclass by default. I indexed it in our
directory as soon as we got the go ahead from Microsoft that it was supported.
That was years ago.

Wook





From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brian
DesmondSent: Tuesday,
April 18,
2006 11:50
AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] stupid ldap
queries

No.
isMemberOfPartialAttributeSet just means that the attribute is replicated into
the GC. Being in the GC does not imply that the attribute is indexed. There™s
an attribute (I think isIndexed) which says the attribute should be indexed
in the database.

Thanks,Brian
Desmond
brian@xxxxxxxxxxxxxxxx

c -
312.731.3132







From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Matheesha
WeerasingheSent: Tuesday,
April 18,
2006 2:15
PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] stupid ldap
queries

bummer! I meant adfind -schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE)" ldapdisplayname -list


On 4/18/06, Matheesha Weerasinghe <matheesha@xxxxxxxxx> wrote:

sorry that was meant to be adfind -schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=T
RUE)" ldapdisplayname -list




On 4/18/06, Matheesha Weerasinghe <matheesha@xxxxxxxxx> wrote:

Thanks for the reply. In that case why does
adfind -schema -f
"&(objectclass=attributeschema)(ismemberofpartialattributeset=T
RUE)" ldapdisplayname -list
returning objectclass amongst the others? Doesn't this mean objectclass
is indexed? The reason I ask is because I wanted to make sure I didn't write
stupid ldap queries that load up the server. I am still learning so please be
patient with this n00b. Thanks

M@

On 4/18/06, Brian Desmond <brian@xxxxxxxxxxxxxxxx> wrote:
> Not sure I understand the question fully, but, no objectClass is not
> indexed. objectCategory is. So if you want to get all users you do:
>
> (&(objectCategory=person)(objectClass=user))
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Matheesha Weerasinghe
> > Sent: Tuesday, April 18, 2006 1:00 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: [ActiveDir] stupid ldap queries
> >
> > All
> >
> > Could someone please explain how Non-indexed queries (e.g.
> > "objectClass=user") fall in this category? I saw this mentioned in some
> > slides by Gil and couldnt quite understand what he meant. Isn't
> > objectclass indexed as part of the partial attribute set?
> >
> > Thanks
> >
> > M@
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
JefTekUser is Offline

Posts:52

04/20/2006 2:08 AM  
My recent favorite was a rather "popular" software vendor told me I needed to increase my maxIdleConnectionTime for the Directory higher than 900s (15 mins) because their connection was timing out while processing the first page of 1000 users, and having the connection dropped before they went back for the next. I basically told them if they can't process 1000 users in less than 15 minutes, then they surely could not handle my entire user population which they were trying to loop through. I think we calculated we would have to increase that time to over 32 hours so their crapplication could complete. :)

I'll let you guess what did not happen in that situation. :)

Jef




From: listmail@xxxxxxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries
Date: Thu, 20 Apr 2006 09:07:09 -0400



Oh I love those! The app dev folks (or vendor) tell you that your AD is broken because it is so slow... Yep I have been there.

Indexing is fine, just index things you regularly query on, no reason to suck up resources and perf for indexes that aren't used. For instance, indexing all attributes doesn't make sense but if you have a crit app or a bunch of apps using a query with no indexed attributes or having a specific attribute that could seriously help perf it is good to add.

Wook, I think, is being a trifle facetious and plugging his creative work. :)

Schema updates are goodness when done correctly and smartly. There is no reason to be scared of doing them, just be scared of doing them wrong.




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Marcus.Oh@xxxxxxx
Sent: Wednesday, April 19, 2006 10:32 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

It's only been that one.  Okay, maybe one other that was indexed, but that was because a very large network/voip vendor that required a schema extension subsequently used one of these attributes in all of their queries.  In a large implementation (which they clearly had never seen) the query would take a year to complete.  Of course, in their lab with 5 objects, it completed in milliseconds.


:m:dsm:cci:mvp | marcusoh.blogspot.com



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Lee, Wook
Sent: Wednesday, April 19, 2006 11:48 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

Adding indices will start you down the slippery slope that ultimately leads to custom schema extensions. Do you like new OIDs? :)

Wook



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, April 19, 2006 4:19 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

Exactly, you can tell your AD to do it efficiently versus trying to train everyone who writes a query that goes against AD. I mean you want to try and train everyone because there are other bad things they can do that you can't easily handle but this is a nice quick easy thing to do to help.

I HIGHLY HIGHLY HIGHLY recommend folks use adfind or ldp to test their queries and have the STATS output generated and displayed when they are doing dev work to figure out how good their queries are, in adfind, look at the -STATS* set of switches. Seriously, they are very cool. You will learn a lot about how the queries are working whether you intend to or not.

  joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 





From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Marcus.Oh@xxxxxxx
Sent: Wednesday, April 19, 2006 12:34 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

It'd be the same relative gain running a query using objectcategory versus objectclass.  Most of the time, I would run into queries that people were using, utilizing objectclass instead of objectcategory.  Indexing objectclass made this moot.


:m:dsm:cci:mvp | marcusoh.blogspot.com



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jef Kazimer
Sent: Tuesday, April 18, 2006 5:55 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

It seems like an obvious idea to implement. Sad we never thought about it. :)

Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,

Jef


Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: Marcus.Oh@xxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx

I did the same after I saw some of the activedir folks post about doing it... :)





:m:dsm:cci:mvp | marcusoh.blogspot.com



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.

Wook



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 11:50 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] stupid ldap queries

No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think isIndexed) which says the attribute should be indexed in the database.

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] stupid ldap queries

bummer! I meant adfind -schema -f "&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE)" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe wrote:

sorry that was meant to be adfind -schema -f "&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)" ldapdisplayname -list



On 4/18/06, Matheesha Weerasinghe wrote:

Thanks for the reply. In that case why does adfind -schema -f "&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)" ldapdisplayname -list returning objectclass amongst the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b. Thanks

M@

On 4/18/06, Brian Desmond wrote:
> Not sure I understand the question fully, but, no objectClass is not
> indexed. objectCategory is. So if you want to get all users you do:
>
> (&(objectCategory=person)(objectClass=user))
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Matheesha Weerasinghe
> > Sent: Tuesday, April 18, 2006 1:00 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: [ActiveDir] stupid ldap queries
> >
> > All
> >
> > Could someone please explain how Non-indexed queries (e.g.
> > "objectClass=user") fall in this category? I saw this mentioned in some
> > slides by Gil and couldnt quite understand what he meant. Isn't
> > objectclass indexed as part of the partial attribute set?
> >
> > Thanks
> >
> > M@
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
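
An added illustration of the distinction drawn in this thread, not code from any poster: isMemberOfPartialAttributeSet only says an attribute replicates to the GC, while indexing is a separate schema setting (in the AD schema, bit 0x1 of the attribute's searchFlags). The schema snapshot below is constructed, `vendorPhoneProfile` is a hypothetical attribute, and the index test is a conservative heuristic for reviewing application filters, not the DC's query optimizer.

```python
import re

# Constructed schema snapshot, not from a real forest:
# lDAPDisplayName -> (isMemberOfPartialAttributeSet, searchFlags); bit 0x1 = indexed.
SCHEMA = {
    "objectclass": (True, 0x0),          # in the GC, not indexed (the case the thread discusses)
    "objectcategory": (True, 0x1),
    "samaccountname": (True, 0x1),
    "vendorphoneprofile": (False, 0x0),  # hypothetical vendor schema extension
}

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    end = f.index(")", i)
    m = re.match(r"([\w;.-]+)\s*[<>~]?=(.*)", f[i + 1:end])
    if not m:
        raise ValueError(f"unsupported term: {f[i + 1:end]!r}")
    return ("term", m.group(1).lower(), m.group(2)), end + 1

def terms(node):
    """Return every attribute name used in the filter tree."""
    return [node[1]] if node[0] == "term" else [a for k in node[1] for a in terms(k)]

def narrows(node, schema):
    """Conservative heuristic: can an index bound the candidate set for this node?"""
    if node[0] == "term":
        indexed = schema.get(node[1], (False, 0))[1] & 0x1
        return bool(indexed) and not node[2].startswith("*")  # presence/suffix: assume no
    op, kids = node
    if op == "&":
        return any(narrows(k, schema) for k in kids)  # one indexed conjunct is enough
    if op == "|":
        return all(narrows(k, schema) for k in kids)  # every branch must be indexed
    return False  # a negation cannot be answered from an index

def review(filter_text, schema=SCHEMA):
    f = filter_text.strip()
    if not f.startswith("("):
        f = f"({f})"  # the adfind commands in the thread omit the outer parentheses
    tree, _ = parse(f)
    gc_only = sorted({a for a in terms(tree)
                      if schema.get(a, (False, 0))[0] and not schema.get(a, (False, 0))[1] & 0x1})
    return {"index_bounded": narrows(tree, schema), "gc_but_not_indexed": gc_only}
```

Filters that come back with `index_bounded` false are the ones worth checking against a real DC with the adfind -STATS switches mentioned above.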
Copyright 2009 ActiveDir.org