[Date Prev][Date Next]
Re: DN matching rules
On 11/16/2012 10:26 AM, Chris Card wrote:
I see that openldap supports a number of matching rules for DNs,
e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and
Please can someone point me to documentation about these matching
rules? (Google doesn't seem to bring up much useful).
RFC 4517, section 4.
Thanks, but I don't see anything about these matching rules in
Rfc4517 section 4.
Substring assertion is discussed in section 3
I'm not trying to awkward, but I don't see how that relates to my question.
I understand how to use the matching rules syntactically, but
I have not found documentation anywhere that describes how these matching rules work.
I can try out examples and/or read the openldap source code to try and deduce their behaviour, but I'd
prefer to see documentation.
I have done some more investigation and experiments, and this is what I've found:
1. there is no documentation that I can find online defining the behaviour of the matching rules dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and dnSuperiorMatch.
2. these matching rules are mentioned here: http://www.openldap.org/faq/data/cache/1101.html, and all have OIDs under 220.127.116.11.4.1.4203.666.
3. this page http://www.openldap.org/faq/data/cache/200.html, which describes OID 18.104.22.168.4.1.4203.666 says "OpenLDAP Experimental OIDs are assigned to protocol items with an evolving specification (e.g., a work in progress) under development by the OpenLDAP Project. The specification can be revised without assigning a new OID.
No released software should use an OID under this arc."
4. an example using dnSubtreeMatch is given in the slapcat(8) man page, which seems to imply that these matching rules are no longer experimental.
5. from experiment I think I understand the behaviour of these matching rules, but that is not ideal:
(a) A filter like (entrydn:dnOneLevelMatch:=<targetdn>) restricts the result to entries 1 level subordinate to targetdn.
(b) (entrydn:dnSubtreeMatch:=<targetdn>) restricts the result to the subtree including and under targetdn
(c) (entrydn:dnSubordinateMatch:=<targetdn>) restricts the result to the entries subordinate to targetdn (i.e. the same as dnSubtreeMatch, but excluding the targetdn)
(d) (entrydn:dnSuperiorMatch:=<targetdn>) restricts the result to the entries superior to targetdn
"experimental" in this context (being under the experimental OID arc)
means they are not in any standard track document. OpenLDAP software
occasionally provides and exploits (but does not advertise) features
that are not (yet) described in standard track documents and thus are
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano