> > > > I see that openldap supports a number of matching rules for DNs,
> > > > e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and
> > > > dnSuperiorMatch.
> > > >
> > > > Please can someone point me to documentation about these matching
> > > > rules? (Google doesn't seem to bring up much useful).
> > >
> > > RFC 4517, section 4.
> > Thanks, but I don't see anything about these matching rules in
> > RFC 4517 section 4.
> Substring assertion is discussed in section 3
I'm not trying to be awkward, but I don't see how that relates to my question.
I understand how to use the matching rules syntactically, but I have not found
documentation anywhere that describes how these matching rules work.
I can try out examples and/or read the openldap source code to try and deduce
their behaviour, but I'd prefer to see documentation.

I have done some more investigation and experiments, and this is what I've found:
1. there is no documentation that I can find online defining the behaviour of the matching
rules dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and dnSuperiorMatch.
2. these matching rules are mentioned, and all have OIDs
3. this page http://www.openldap.org/faq/data/cache/200.html, which describes
OID 1.3.6.1.4.1.4203.666, says "OpenLDAP Experimental OIDs are assigned to protocol
items with an evolving specification (e.g., a work in progress) under development by the
OpenLDAP Project. The specification can be revised without assigning a new OID.
No released software should use an OID under this arc."
4. an example using dnSubtreeMatch is given in the slapcat(8) man page, which seems to
imply that these matching rules are no longer experimental.
5. from experiment I think I understand the behaviour of these matching rules, but that is
(a) A filter like (entrydn:dnOneLevelMatch:=<targetdn>) restricts the result to
entries 1 level subordinate to targetdn.
(b) (entrydn:dnSubtreeMatch:=<targetdn>) restricts the result to the subtree
including and under targetdn
(c) (entrydn:dnSubordinateMatch:=<targetdn>) restricts the result to the entries
subordinate to targetdn (i.e. the same as dnSubtreeMatch, but excluding the targetdn)
(d) (entrydn:dnSuperiorMatch:=<targetdn>) restricts the result to the entries
superior to targetdn
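
The behaviour listed in (a) to (d) above, written out as an added example that is not part of the original message and is not OpenLDAP code. The function names, the sample DNs and the simplified DN normalisation are assumptions, as is reading "superior" in (d) as strictly above the target.

```python
# Added illustration, not OpenLDAP code. Semantics follow points (a)-(d) of the
# message above; DN normalisation is simplified (assumption): case-insensitive,
# whitespace around RDNs ignored, backslash-escaped commas kept inside an RDN.

def split_dn(dn):
    """Split a DN string into normalised RDNs, leftmost first."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped char: keep the pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":                       # unescaped comma ends the RDN
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    return rdns + ["".join(cur).strip().lower()] if dn.strip() else []

def is_under(entry, target):
    """True if entry's RDN list ends with target's (entry is at or below target)."""
    return len(entry) >= len(target) and entry[len(entry) - len(target):] == target

def dn_match(rule, entry_dn, target_dn):
    """Evaluate (entrydn:<rule>:=<target_dn>) against one entry DN."""
    e, t = split_dn(entry_dn), split_dn(target_dn)
    if rule == "dnSubtreeMatch":        # (b) target and everything below it
        return is_under(e, t)
    if rule == "dnSubordinateMatch":    # (c) below target, target excluded
        return is_under(e, t) and len(e) > len(t)
    if rule == "dnOneLevelMatch":       # (a) exactly one level below target
        return is_under(e, t) and len(e) == len(t) + 1
    if rule == "dnSuperiorMatch":       # (d) above target; target excluded (assumption)
        return is_under(t, e) and len(t) > len(e)
    raise ValueError("unknown matching rule: " + rule)

# Constructed sample directory, for illustration only.
SAMPLE_DNS = [
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "uid=alice,ou=People,dc=example,dc=com",
    "cn=Smith\\, Bob,ou=People,dc=example,dc=com",
    "ou=Groups,dc=example,dc=com",
]

def search(rule, target_dn):
    return [dn for dn in SAMPLE_DNS if dn_match(rule, dn, target_dn)]
```

Comparing whole RDNs rather than raw string suffixes keeps a target such as `dc=com` from matching an entry ending in `xdc=com`, and keeps the escaped comma in `cn=Smith\, Bob` from being counted as an extra level.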