https://bugs.openldap.org/show_bug.cgi?id=9402
--- Comment #3 from Howard Chu hyc@openldap.org ---
(In reply to Vincent Danjean from comment #2)
> Hi,
> It is very difficult to find documentation about dnSubtreeMatch. Based on what I read and tried, it seems to allow one to match an entire subtree (i.e. all entries below a specific dn).
> I do not see how it relates to LDAP_MATCHING_RULE_IN_CHAIN but I would be very pleased to be wrong.
The description you linked says this feature matches the values of a DN-valued attribute against all its superiors, all the way up to the root of the DIT.
That means it's used to ascend the DIT hierarchy. It says nothing about behavior with nested groups. If you have an official M$ document defining how it is used with nested groups, please provide a link.
> I've read lots of questions about managing nested groups with ldap. On the internet, I only saw people talking about LDAP_MATCHING_RULE_IN_CHAIN when using MS software or people implementing the recursive research in software (ldap client side) when using openldap. If a solution based on dnSubtreeMatch exists, I would be very pleased (and also lots of other people).
> Regards, Vincent
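
Added example, not part of the bug thread and not OpenLDAP code: it contrasts a subtree-style DN comparison (a value lies at or below an asserted DN in the DIT) with the client-side recursive group expansion mentioned above, including a membership cycle. The directory contents, the function names and the simplified DN parsing (no multi-valued RDNs or quoted values) are assumptions made for illustration.

```python
import re

# Constructed sample data: group DN -> list of member DNs.
# "ops" and "admins" reference each other to exercise cycle handling.
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": [
        "cn=ops,ou=groups,dc=example,dc=com",
    ],
    "cn=ops,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=admins,ou=groups,dc=example,dc=com",
    ],
    "cn=staff,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}

def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return tuple(p.strip().lower() for p in parts if p.strip())

def dn_subtree_match(value_dn, asserted_dn):
    """True if value_dn equals asserted_dn or lies below it in the DIT."""
    v, a = rdns(value_dn), rdns(asserted_dn)
    return len(v) >= len(a) and v[len(v) - len(a):] == a

def nested_groups(user_dn, directory):
    """Client-side expansion: groups the user is in, directly or via nesting."""
    found, frontier = set(), {rdns(user_dn)}
    while frontier:
        newly_found = set()
        for group_dn, members in directory.items():
            g = rdns(group_dn)
            # Skipping groups already found is what terminates membership cycles.
            if g not in found and any(rdns(m) in frontier for m in members):
                found.add(g)
                newly_found.add(g)
        frontier = newly_found
    return found

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    # Hierarchy relation: alice sits under ou=people, not under the admins group.
    print(dn_subtree_match(alice, "ou=people,dc=example,dc=com"))
    print(dn_subtree_match(alice, "cn=admins,ou=groups,dc=example,dc=com"))
    # Membership relation: resolved by walking member references, not the DIT.
    print(sorted(",".join(g) for g in nested_groups(alice, DIRECTORY)))
```
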