Is there way to use ObjectGuid instead of dn in ldap api?

Question

We have an application which use ldap protocol. We use unboundId library for that

// ldap
implementation("com.unboundid:unboundid-ldapsdk:6.0.9")

We found out that most api calls use dn as argument.

For example:

ldapConnectionPool.getEntry(dn)

But we also found out that dn is not immutable identifier (it could be changed if we move the object from one location to another one or if we rename it (change CN) but it is not good to have mutable identifiers for many reasons. So we started to look for immutable identifier and found out objectGuid.

But the problem here that I can't find any method which allow me to

1. Get entry by objectGuid

I've found only this way but I am not sure about performance:

SearchRequest searchRequest = new SearchRequest(
                searchBase, 
                SearchScope.SUB, 
                Filter.createEqualityFilter("objectGuid", objectGuid)
        );

2. Extract objectGuid from creation request:

    LDAPResult addResult = ldapConnectionPool.add(addRequest)

So my question is:

Is it a good idea to use objectGuid as identifier in our application or not ? performance matters.

From the first glance it looks really attractive but looks like library is not designed for that. What do you think ?

Answer 1

That looks fine; performance shouldn't be an issue.

1. LDAP does not actually have a "get entry by DN" operation in the first place – under the hood, your LDAP client emulates it by performing a search with SearchScope.BASE and with the DN as base. So you're not changing anything in that regard; you had a search returning 1 entry previously, and you have a search returning 1 entry now.

2. The objectGUID attribute is indexed – the server will optimize the search query into a fast index lookup and will instantly retrieve the matching entry. It doesn't need to actually scan the entire subtree for this.