
Re: DN matching rules

Chris Card wrote:

I see that openldap supports a number of matching rules for DNs,
e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and
I have not found documentation anywhere that describes how these matching rules work.

I can try out examples and/or read the openldap source code to try and deduce their behaviour, but I'd
prefer to see documentation.

This feature has been present in OpenLDAP since 2004.


That link needs a login.


Nobody has asked for docs thus far, because everybody recognizes that
subtree/onelevel/subordinate are the same as the corresponding LDAP search
scopes, and their behavior is already specified.

Ok, but there's no superior scope. Also, while it's possible to try and
deduce behaviour by similarity of names and by experiment, that's not a
foolproof method, which is why I asked for a link to documentation. What
little documentation I did find indicates that these matching rules are
'experimental' and shouldn't be used in released code
(http://www.openldap.org/faq/data/cache/200.html) - is that still the

That FAQ says these OIDs shouldn't be used in released code. That's generally true, but obviously we've broken those rules various times. The intent of these rules is that we expect experimental features to either progress, in which case a formal specification is published, using non-experimental OIDs, or the experiments are deemed a failure and withdrawn/deleted. Either way, the experiments actually need to be tested by actual users, which means the corresponding code winds up in public releases.

The reality is that authors of experiments have moved on to other work, leaving these features in limbo, and no one has stepped in to drive them forward to completion (published status).

In this particular case, the features themselves were demonstrably stable years ago.

If you're inclined to only use features that have published documentation, you're welcome to forget everything you ever heard about dnSubtreeMatch and go about your business. OpenLDAP is a volunteer-based open source project - work happens when a volunteer is interested in making it happen. The fact that what you're asking for hasn't been written in the past 8 years indicates to me that no one is interested.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
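The thread never spells out what the rules actually do, so here is an added, self-contained model of them (example code, not OpenLDAP's implementation and not posted by anyone in the thread). It follows Howard's description: dnSubtreeMatch, dnOneLevelMatch and dnSubordinateMatch behave like the "sub", "one" and "subordinate" search scopes applied to the asserted DN, which is what you get when such a rule is used in an extensible-match filter like `(entryDN:dnSubtreeMatch:=ou=people,dc=example,dc=com)`. The reading of dnSuperiorMatch (the value is an ancestor of the asserted DN, the inverse of dnSubordinateMatch) is an assumption, since, as Chris notes, no search scope corresponds to it. The sample directory is constructed, and DN normalization is simplified to case-insensitive comparison with whitespace trimming (real servers apply each attribute's own equality rule and handle multi-valued RDNs).

```python
"""Toy model of OpenLDAP's hierarchical DN matching rules (constructed example).
Simplifications: all RDN values compared case-insensitively after trimming;
multi-valued RDNs joined with '+' are not special-cased."""
from typing import List, Tuple

DN = Tuple[str, ...]  # normalized RDNs, root first, so ancestry is a prefix test


def split_dn(dn: str) -> List[str]:
    """Split a string DN into RDNs on unescaped commas (RFC 4514 subset)."""
    if not dn.strip():
        return []  # the empty DN is the root of the tree
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:          # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":      # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Lower-case type and value and trim spaces around '=' (simplified)."""
    attr_type, _, value = rdn.strip().partition("=")
    return f"{attr_type.strip().lower()}={value.strip().lower()}"


def parse_dn(dn: str) -> DN:
    """Return the DN as a root-first tuple of normalized RDNs."""
    return tuple(normalize_rdn(r) for r in reversed(split_dn(dn)))


def is_subordinate(value: DN, base: DN) -> bool:
    """True when `value` lies strictly below `base` in the tree."""
    return len(value) > len(base) and value[: len(base)] == base


def dn_subtree_match(value: str, asserted: str) -> bool:
    """Scope 'sub': the base entry itself and everything beneath it."""
    v, a = parse_dn(value), parse_dn(asserted)
    return v == a or is_subordinate(v, a)


def dn_one_level_match(value: str, asserted: str) -> bool:
    """Scope 'one': immediate children of the base only."""
    v, a = parse_dn(value), parse_dn(asserted)
    return len(v) == len(a) + 1 and v[: len(a)] == a


def dn_subordinate_match(value: str, asserted: str) -> bool:
    """Scope 'subordinate': everything beneath the base, excluding the base."""
    return is_subordinate(parse_dn(value), parse_dn(asserted))


def dn_superior_match(value: str, asserted: str) -> bool:
    """Assumed semantics: the value is an ancestor of the asserted DN.
    No LDAP search scope corresponds to this rule."""
    return is_subordinate(parse_dn(asserted), parse_dn(value))


RULES = {
    "dnSubtreeMatch": dn_subtree_match,
    "dnOneLevelMatch": dn_one_level_match,
    "dnSubordinateMatch": dn_subordinate_match,
    "dnSuperiorMatch": dn_superior_match,
}

# Constructed sample directory, not taken from any real deployment.
ENTRIES = [
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "cn=alice,ou=people,dc=example,dc=com",
    "cn=bob,ou=people,dc=example,dc=com",
    "cn=Smith\\, John,ou=people,dc=example,dc=com",  # escaped comma in the value
    "ou=groups,dc=example,dc=com",
    "cn=admins,ou=groups,dc=example,dc=com",
    "ou=eng,ou=people,dc=example,dc=com",
    "cn=carol,ou=eng,ou=people,dc=example,dc=com",
]


def apply_rule(rule: str, asserted: str, entries: List[str] = ENTRIES) -> List[str]:
    """Evaluate (entryDN:<rule>:=<asserted>) over `entries`, preserving order."""
    match = RULES[rule]
    return [e for e in entries if match(e, asserted)]


if __name__ == "__main__":
    for name in RULES:
        print(name, apply_rule(name, "ou=people,dc=example,dc=com"))
```

The root-first tuple representation is the whole trick: once a DN is split on unescaped commas and reversed, "is beneath" becomes a tuple prefix test, and the three scope-like rules differ only in whether they accept the base itself and how many extra levels they allow. Comparing raw strings with `endswith` would get the escaped-comma entry and the `ou=people` vs `ou=peoples` case wrong, which is one reason Chris's "deduce by experiment" approach is risky.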