Question

I created the following filter for searching users in Active Directory:

(&(objectClass=*)(|(sAMAccountName=u)(userPrincipalName=u)))

It is possible to create a more qualified filter:

(&(objectClass=person)(|(sAMAccountName=u)(userPrincipalName=u)))

The question is why?

What are the benefits of using the specified class person?

Is it possible that the same directory contains an object where objectClass is not person but the following is true: (|(sAMAccountName=u)(userPrincipalName=u))?

Why not always use (objectClass=*) in the LDAP search filter?

Solution

(objectClass=*) is a present filter used to filter out objects that have no populated objectClass ... which is none, since all LDAP objects have at least one structural objectClass, hence the filter component in the first filter is unnecessary and may even slow down the search, depending on the server configuration.

The first filter in your question might cause the server to make comparisons using matching rules that are unnecessary. The second filter is a better filter from a performance perspective, assuming that an index for objectClass equality has been created on the server.
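As an added example (not part of the question or either answer), a small Python helper that builds the two filters discussed here with the value u escaped per RFC 4515, so a caller-supplied username cannot alter the filter structure, plus a check that the resulting filter's parentheses are balanced. The function names are my own.

```python
from typing import Optional

# RFC 4515: these characters inside an assertion value must be written
# as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(u: str, object_class: Optional[str] = "person") -> str:
    """Build the AD user lookup filter.

    object_class="person" gives the accepted answer's filter, whose
    objectClass equality component can use a server-side index;
    object_class=None gives the bare OR filter from the other tip.
    """
    v = escape_filter_value(u)
    core = f"(|(sAMAccountName={v})(userPrincipalName={v}))"
    if object_class is None:
        return core
    return f"(&(objectClass={escape_filter_value(object_class)}){core})"


def is_balanced(filter_str: str) -> bool:
    """Return True if parentheses balance, skipping \\XX escape sequences."""
    depth = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3  # backslash plus two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0
```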

Other tips

It is probably a holdover from generic LDAP services, where in principle any object could share the same attribute with the same value, but be of different object classes.

However, Active Directory has a limitation that sAMAccountName must be unique within the domain, across all object classes. And only 4 object classes should have the attribute? (Users, groups, printers, and workstations I think).

So you could most likely just query for (|(sAMAccountName=u)(userPrincipalName=u))

without the objectclass filter at all.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow