> > > > > I see that openldap supports a number of matching rules for DNs,
> > > > > e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and
> > > > > dnSuperiorMatch.
> > > > >
> > > > > Please can someone point me to documentation about these matching
> > > > > rules? (Google doesn't seem to bring up much useful).
> > > >
> > > > RFC 4517, section 4.
> > > Thanks, but I don't see anything about these matching rules in
> > > RFC 4517 section 4.
> >
> > Substring assertion is discussed in section 3
>
> I'm not trying to be awkward, but I don't see how that relates to my question.
>
> I understand how to use the matching rules syntactically, but I have not
> found documentation anywhere that describes how these matching rules work.
>
> I can try out examples and/or read the openldap source code to try and
> deduce their behaviour, but I'd prefer to see documentation.
I have done some more investigation and experiments, and this is what I've found:

1. there is no documentation that I can find online defining the behaviour of the matching rules dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and dnSuperiorMatch.
2. these matching rules are mentioned here: http://www.openldap.org/faq/data/cache/1101.html, and all have OIDs under 1.3.6.1.4.1.4203.666.
3. this page http://www.openldap.org/faq/data/cache/200.html, which describes OID 1.3.6.1.4.1.4203.666 says "OpenLDAP Experimental OIDs are assigned to protocol items with an evolving specification (e.g., a work in progress) under development by the OpenLDAP Project. The specification can be revised without assigning a new OID. No released software should use an OID under this arc."
4. an example using dnSubtreeMatch is given in the slapcat(8) man page, which seems to imply that these matching rules are no longer experimental.
5. from experiment I think I understand the behaviour of these matching rules, but that is not ideal:
    (a) A filter like (entrydn:dnOneLevelMatch:=<targetdn>) restricts the result to entries 1 level subordinate to targetdn.
    (b) (entrydn:dnSubtreeMatch:=<targetdn>) restricts the result to the subtree including and under targetdn.
    (c) (entrydn:dnSubordinateMatch:=<targetdn>) restricts the result to the entries subordinate to targetdn (i.e. the same as dnSubtreeMatch, but excluding the targetdn).
    (d) (entrydn:dnSuperiorMatch:=<targetdn>) restricts the result to the entries superior to targetdn.

Chris  
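
The behaviour reported in items 5(a)-(d) above, modelled as an added example that is not part of the original message and is not OpenLDAP's code. The names `split_dn`, `is_suffix`, `RULES`, `select` and the sample DNs are hypothetical; DN normalization is simplified to case-folding and trimming each RDN, and dnSuperiorMatch is assumed to exclude targetdn itself, which the message does not state.

```python
# Added illustration: models the experimentally observed semantics described
# in the message above. It is not derived from the OpenLDAP source.

def split_dn(dn):
    """Split a DN into a list of RDNs (leaf first), honouring backslash escapes.
    Simplification: each RDN is only trimmed and lower-cased."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character, e.g. "\,"
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends an RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns if r.strip()]

def is_suffix(entry, target):
    """True when `target` is `entry` itself or one of its ancestors."""
    return len(entry) >= len(target) and entry[len(entry) - len(target):] == target

RULES = {
    "dnOneLevelMatch":    lambda e, t: len(e) == len(t) + 1 and is_suffix(e, t),
    "dnSubtreeMatch":     lambda e, t: is_suffix(e, t),
    "dnSubordinateMatch": lambda e, t: len(e) > len(t) and is_suffix(e, t),
    # Assumption: "superior" read as strictly superior (targetdn excluded).
    "dnSuperiorMatch":    lambda e, t: len(e) < len(t) and is_suffix(t, e),
}

def select(rule, target_dn, entry_dns):
    """Return the DNs that a filter (entrydn:<rule>:=<target_dn>) would keep."""
    t = split_dn(target_dn)
    return [dn for dn in entry_dns if RULES[rule](split_dn(dn), t)]

# Constructed sample directory, not taken from the message.
ENTRIES = [
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "cn=Smith\\, John,ou=people,dc=example,dc=com",
    "uid=alice,ou=staff,ou=people,dc=example,dc=com",
    "ou=groups,dc=example,dc=com",
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule, select(rule, "ou=people,dc=example,dc=com", ENTRIES))
```
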

                                          
