ldap returns on subtree and one level, but not base

Question

On active directory I can do a subtree and one level ldap search using the following filters:

base dn: CN=Users,DC=local,DC=tld
filter: (sAMAccountName=dummyaccount)

The dummyaccount is in the Users container. Can somebody explain to me why one-level and subtree work whereas base does not? Is there something I can do to get base to find the object?

Answer 1

When you perform a base ldap search, you are basically reading properties of the object that you specify as base DN, nothing else.

A base search is useful if you want to read properties of a single object and you know its DN. In that case, you set the base DN to the DN of the object, specify which attributes you'd like to be retrieved and provide a "dummy" search filter ( because filter cannot be ommited ) - like (objectclass=*).

You can of course use the filter to ensure that the DN you are reading conforms to some expectations: you might know the DN, but you want to ensure that the object you are reading is a user, i.e. Then, a search filter may also be used.

Answer 2

A one-level scope would only return the objects immediately subordinate to the base object of the search, but not the base object itself. A subtree-level search would return all objects subordinate to the base object including the base object to the complete depth of the tree underneath the base object, a base-level search would only return the base object itself.