LDAP Syntax/Semantics: Filter vs. Base DN?
This is probably pretty stupid, but I'm still green to LDAP. So I hope someone can lend me a hand.
I am using Apache Directory Studio to do my searches and I am confused about when I should be using a filter or when I should be breaking up my filter into two, using one part as the filter and the other as my search base.
Here's an example where I'm trying to filter out a group.
Filter: CN=JohnTestGroup,OU=TECH,DC=lab,DC=ing
Base: DC=lab,DC=ing
This yielded zero results. I realized that perhaps I am being redundant as part of the base is in the filter, so I got rid of that part in the filter.
Filter: CN=JohnTestGroup,OU=TECH
Base: DC=lab,DC=ing
This still did not yield anything. So I tried this:
Filter: CN=JohnTestGroup
Base: OU=TECH,DC=lab,DC=ing
I moved the OU parameter into the Base. This worked, but I don't understand why the first or second attempts didn't. Someone care to drop some knowledge on me?
This is probably a matter of syntax/semantics, so if anyone could point me to a resource, I'd be more than willing to read more about it.
Read about Scopes there: http://www.idevelopment.info/data/LDAP/LDAP_Resources/SEARCH_Setting_the_SCOPE_Parameter.shtml
If you set your search scope to SUBTREE, both (2 and 3), and possibly variant 1, start to work, but searching by subtree works slower.
I think you are misunderstanding how the filter works. It is meant to be key=value pairings.
So (objectClass=iNetOrgPerson) as an example.
If you wish a filter to find a DN, then you pick an identifying characteristic like CN, and filter (CN=JohnTestGroup) or perhaps (mail=John@mail.net).
The base tells the LDAP server where to start looking. As seriyPS notes in his/her answer, the SCOPE is the next question: how deep should the server search, as that adds overhead and performance issues. Subtree is simplest conceptually. Just keep looking from here down, till you run out of tree to look through.
That is why your last one works.
Now, if you want to find a specific object and you know its DN, you do an ENTRY scope query for the base of the specific DN.
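The base, scope and filter interaction discussed in this thread, as an added example that is not part of the original question or answers. It is a simplified in-memory model, not a real LDAP client: the directory contents, the scope names `base`/`one`/`sub` and all function names are assumptions made for illustration.

```python
# Added example: simplified in-memory model of LDAP search semantics.
# DIRECTORY and the scope names "base"/"one"/"sub" are constructed for illustration.
DIRECTORY = {
    "DC=lab,DC=ing": {"dc": ["lab"]},
    "OU=TECH,DC=lab,DC=ing": {"ou": ["TECH"]},
    "CN=JohnTestGroup,OU=TECH,DC=lab,DC=ing": {
        "cn": ["JohnTestGroup"], "objectclass": ["group"]},
}
GROUP_DN = "CN=JohnTestGroup,OU=TECH,DC=lab,DC=ing"

def parse_dn(dn):
    """Split a DN into normalized RDNs (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def in_scope(entry_dn, base_dn, scope):
    """Scope decides how far below the base an entry may sit."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False              # entry is not at or under the base
    if scope == "base":
        return depth == 0         # the base entry itself only
    if scope == "one":
        return depth == 1         # immediate children only
    return True                   # "sub": base and everything below it

def matches(attrs, flt):
    """Equality/presence filter: everything after the first '=' is the value."""
    attr, _, value = flt.strip("()").partition("=")
    values = attrs.get(attr.lower(), [])
    if value == "*":
        return bool(values)       # presence filter, e.g. (objectClass=*)
    return value.lower() in (v.lower() for v in values)

def search(base, scope, flt):
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base, scope) and matches(attrs, flt))

if __name__ == "__main__":
    root = "DC=lab,DC=ing"
    print(search(root, "sub", "CN=JohnTestGroup,OU=TECH,DC=lab,DC=ing"))  # attempt 1
    print(search(root, "sub", "CN=JohnTestGroup,OU=TECH"))                # attempt 2
    print(search("OU=TECH,DC=lab,DC=ing", "one", "CN=JohnTestGroup"))     # attempt 3
    print(search(root, "one", "CN=JohnTestGroup"))     # right filter, scope too shallow
    print(search(GROUP_DN, "base", "(objectClass=*)"))  # known DN, base scope
```

In this model a filter that contains DN components is compared as one attribute value, so attempts 1 and 2 return nothing at any scope; narrowing the base or widening the scope only helps once the filter is a plain `attribute=value` pair.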