ObjectClass vs ObjectCategory
ObjectClass vs ObjectCategory has information that is specific to Microsoft Active Directory!

Overview [1]#

Each entry has a multi-valued objectClass property that identifies the class of which the object is an instance, as well as all structural or abstract superclasses from which that class is derived. Thus, the objectClass property of a user object would identify the top, person, organizationalPerson, and user classes.

objectClass Property#

The objectClass property (most LDAP people call these attributes) does not include Statically Linked Auxiliary Classes in the list. The system sets the objectClass value when the object instance is created and it cannot be changed.

Prior to Windows Server 2008, the objectClass attribute is not indexed. This is because it has multiple values and is highly non-unique; that is, every instance of the objectClass attribute includes the top class. This means an index would be very large and ineffective. To locate objects of a given class, use the objectCategory attribute, which is single-valued and indexed.

objectCategory Property#

Each instance of an object class also has an objectCategory property, which is a single-valued property that contains the distinguished name of either the class of which the object is an instance or one of its superclasses. When an object is created, the system sets its objectCategory property to the value specified by the defaultObjectCategory property of its object class. An object's objectCategory property cannot be changed.

Creating a Custom Object#

If you create a subclass from a structural class, the best practice is to set the defaultObjectCategory value of the new class to the same distinguished name as the superclass. This allows the standard UI to "find" the subclass.

LDAP Filter Choices on objectCategory and objectClass#

When your filter clause includes the objectCategory attribute, LDAP does some magic to convert the values for your convenience.

The objectCategory attribute is a DN attribute. A typical value for an object in Active Directory might be "cn=person,cn=Schema,cn=Configuration,dc=MyDomain,dc=com". You could use a filter clause similar to the following:

(objectCategory=cn=person,cn=Schema,cn=Configuration,dc=MyDomain,dc=com)

However, Active Directory allows you to instead use the following shortcut:

(objectCategory=person)

The combinations of objectClass and objectCategory are a little complex and not intuitive. The following table documents the result of various combinations of clauses specifying values for objectCategory and objectClass:

| objectCategory | objectClass | Result |
|---|---|---|
| person | user | user objects |
| person | | user and contact objects |
| person | contact | contact objects |
| | user | user and computer objects |
| computer | | computer objects |
| user | | user and contact objects |
| | contact | contact objects |
| | computer | computer objects |
| | person | user, computer, and contact objects |
| contact | | user and contact objects |
| group | | group objects |
| | group | group objects |
| person | organizationalPerson | user and contact objects |
| | organizationalPerson | user, computer, and contact objects |
| organizationalPerson | | user and contact objects |

Use the filter that makes your intent most clear. Also, if you have a choice between using objectCategory and objectClass, it is usually recommended that you use objectCategory. That is because objectCategory is both single-valued and indexed, while objectClass is multi-valued and not indexed (except on Windows Server 2008 and above). A query using a filter with objectCategory will be more efficient than a similar filter with objectClass. Windows Server 2008 domain controllers (and above) have a special behavior that indexes the objectClass attribute.

You can take advantage of this if all of your domain controllers are Windows Server 2008, or if you specify a Windows Server 2008 domain controller in your query.
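
The table above can be derived rather than memorized. The following is an added example, not code from the original page: it assumes the default Active Directory schema (the objectClass chains and defaultObjectCategory values shown are written in by hand, not read from a directory) and uses hypothetical helper names `matches` and `result`.

```python
# Added example: models the default-schema facts needed to explain the table.
# The class data is an assumption (default AD schema), embedded for offline use.

# objectClass values stored on an instance of each structural class.
CLASS_CHAIN = {
    "user":     ["top", "person", "organizationalPerson", "user"],
    "computer": ["top", "person", "organizationalPerson", "user", "computer"],
    "contact":  ["top", "person", "organizationalPerson", "contact"],
    "group":    ["top", "group"],
}
# defaultObjectCategory of each class (short name of the schema object's DN).
DEFAULT_CATEGORY = {
    "person": "person", "organizationalPerson": "person", "user": "person",
    "contact": "person", "computer": "computer", "group": "group",
}

def matches(kind, object_category=None, object_class=None):
    """True if an instance of `kind` satisfies the AND of the given clauses."""
    if object_category is not None:
        # The shortcut names a class; the comparison is made against that
        # class's defaultObjectCategory, not against the class name itself.
        wanted = DEFAULT_CATEGORY[object_category]
        if DEFAULT_CATEGORY[kind] != wanted:
            return False
    if object_class is not None:
        # objectClass is multi-valued: any value in the chain matches.
        if object_class not in CLASS_CHAIN[kind]:
            return False
    return True

def result(object_category=None, object_class=None):
    """Sorted kinds of object returned by the filter combination."""
    return sorted(k for k in CLASS_CHAIN
                  if matches(k, object_category, object_class))

if __name__ == "__main__":
    rows = [("person", "user"), ("person", None), (None, "user"),
            ("user", None), (None, "person"), ("contact", None),
            ("person", "organizationalPerson"), (None, "group")]
    for cat, cls in rows:
        clauses = "".join(f"({a}={v})" for a, v in
                          (("objectCategory", cat), ("objectClass", cls)) if v)
        print(f"(&{clauses}) -> {', '.join(result(cat, cls))}")
```

The two rows that most often skew an account inventory fall out directly: `(objectClass=user)` also returns computer objects because computer derives from user, and `(objectCategory=person)` also returns contacts because contact shares the Person category.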
