On 10/8/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
>
> Again, doing a search with (uniqueMember=uid*) is _not_ allowed by the
> LDAP specification. At best, you should get an empty list.
>
> Substring searches are valid for strings. A DN is not a string.
>
This is hard to believe, although I totally follow your reasoning. It just seems like a very common search to be performing to determine group membership.

DNs, btw, do have a string representation defined in RFCs, so I don't understand why the matching would not be conducted on the string representation. Also note that you cannot construct a DN with name components using attributeTypes that do not have support for equality matching. I don't think the same applies for substring matching.

I'm afraid we may be quickly coming to the wrong conclusions on this topic. Perhaps we're lacking some additional knowledge. Perhaps we can post some questions on the umich LDAP mailing list to get to the bottom of this.

Alex
