Overview#

These show some Search Filters Limitations that are specific to LDAP Server Implementations that we have discovered.

Microsoft Active Directory [1]#

Active Directory supports the approxMatch filter clause of RFC 2251 section 4.5.1. However, it is implemented identically to equalityMatch; for example, the filter is true if the values are equal. No approximation is performed. Filter clauses of the form "(X=Y)" and "(X~=Y)" may be freely substituted for each other.

Active Directory in Windows 2000 operating system does not implement three-value logic for search filter evaluation as defined in RFC 2251 section 4.5.1. In Windows 2000, filters evaluate to either "true" or "false". Filters that would evaluate to "Undefined", as per the RFC, are instead evaluated to "false".

However, Active Directory in Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system uses three-value logic for evaluating search filters, in conformance with the RFC.

Active Directory does not support constructed attributes[2] in search filters. When a search operation is performed with such a search filter, Active Directory fails with inappropriateMatching as defined in RFC 2251 section 4.1.10.

Extensible Match#

Active Directory does not support theExtensible Match rules defined in RFC 2252 section 8, RFC 2256 section 8, and RFC 2798 section 9.

Active Directory only exposes Microsoft Active Directory Extensible Match Rules. Other than these rules, the rules that are used for comparing values (for example, comparing two String(Unicode) attributes for equality or ordering) are not exposed as extensible match rules.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-5) was last changed on 30-Jan-2016 15:58 by jim