RE: DN matching rules

> > > > > I see that openldap supports a number of matching rules for DNs,
> > > > > e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and
> > > > > dnSuperiorMatch.
> > > > >
> > > > > Please can someone point me to documentation about these matching
> > > > > rules? (Google doesn't seem to bring up much useful).
> > > >
> > > > RFC 4517, section 4.
> > > Thanks, but I don't see anything about these matching rules in
> > > Rfc4517 section 4.
> >
> > Substring assertion is discussed in section 3
>
> I'm not trying to be awkward, but I don't see how that relates to my question.
>
> I understand how to use the matching rules syntactically, but
> I have not found documentation anywhere that describes how these matching rules work.
>
> I can try out examples and/or read the openldap source code to try and deduce their behaviour, but I'd
> prefer to see documentation.
I have done some more investigation and experiments, and this is what I've found:

1. there is no documentation that I can find online defining the behaviour of the matching rules dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and dnSuperiorMatch.
2. these matching rules are mentioned here: http://www.openldap.org/faq/data/cache/1101.html, and all have OIDs under 1.3.6.1.4.1.4203.666.
3. this page http://www.openldap.org/faq/data/cache/200.html, which describes OID 1.3.6.1.4.1.4203.666, says "OpenLDAP Experimental OIDs are assigned to protocol items with an evolving specification (e.g., a work in progress) under development by the OpenLDAP Project. The specification can be revised without assigning a new OID. No released software should use an OID under this arc."
4. an example using dnSubtreeMatch is given in the slapcat(8) man page, which seems to imply that these matching rules are no longer experimental.
5. from experiment I think I understand the behaviour of these matching rules, but that is not ideal:
    (a) A filter like (entrydn:dnOneLevelMatch:=<targetdn>) restricts the result to entries 1 level subordinate to targetdn.
    (b) (entrydn:dnSubtreeMatch:=<targetdn>) restricts the result to the subtree including and under targetdn
    (c) (entrydn:dnSubordinateMatch:=<targetdn>) restricts the result to the entries subordinate to targetdn (i.e. the same as dnSubtreeMatch, but excluding the targetdn)
    (d) (entrydn:dnSuperiorMatch:=<targetdn>) restricts the result to the entries superior to targetdn

Chris
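As an added illustration of the behaviour Chris lists under point 5 (this is not code from the thread or from OpenLDAP), here is a small Python model of the four rules evaluated against a constructed set of DNs. Assumptions: the DN parser is simplified (split on unescaped commas, trim and lower-case each RDN rather than full RFC 4514 normalisation), and dnSuperiorMatch is taken as strict, i.e. it excludes the target itself, as the description above suggests.

```python
import re

# Constructed sample tree (not from the thread); one RDN contains an escaped comma.
SAMPLE_DNS = [
    "dc=example,dc=org",
    "ou=People,dc=example,dc=org",
    "uid=alice,ou=People,dc=example,dc=org",
    "uid=bob,ou=People,dc=example,dc=org",
    "cn=admins,ou=Groups,dc=example,dc=org",
    "ou=Groups,dc=example,dc=org",
    "cn=Ops\\, Team,ou=Groups,dc=example,dc=org",
]

def dn_components(dn):
    """Split a DN into RDNs (leaf first), ignoring backslash-escaped commas.
    Simplified normalisation: trim and lower-case each RDN (not full RFC 4514)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def _is_within(entry, target):
    """True if `entry` is `target` or lies beneath it (entry ends with target's RDNs)."""
    return len(entry) >= len(target) and entry[len(entry) - len(target):] == target

# Each rule as a predicate over (entry RDNs, asserted-target RDNs), following the
# behaviour described in point 5; dnSuperiorMatch is assumed strict (excludes the target).
RULES = {
    "dnSubtreeMatch": lambda e, t: _is_within(e, t),
    "dnSubordinateMatch": lambda e, t: _is_within(e, t) and len(e) > len(t),
    "dnOneLevelMatch": lambda e, t: _is_within(e, t) and len(e) == len(t) + 1,
    "dnSuperiorMatch": lambda e, t: _is_within(t, e) and len(t) > len(e),
}

def search(dns, rule, target_dn):
    """Return the DNs that a filter (entryDN:<rule>:=target_dn) would select."""
    target = dn_components(target_dn)
    return [dn for dn in dns if RULES[rule](dn_components(dn), target)]

if __name__ == "__main__":
    for rule in RULES:
        print(rule, "->", search(SAMPLE_DNS, rule, "ou=Groups,dc=example,dc=org"))
```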