LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) also known as LDAP_MATCHING_RULE_TRANSITIVE_EVAL is an Extensible Match used to provide a method to look up the ancestry of an object and is is limited to filters that apply to the DN.[1]

Many applications using Microsoft Active Directory and AD LDS usually work with hierarchical data, which is ordered by parent-child relationships. Not using the LDAP_MATCHING_RULE_IN_CHAIN requires applications to perform transitive group expansion to figure out group membership which:

  • used too much network bandwidth
  • required applications needed to make multiple roundtrips to figure out if an object fell "in the chain" or a link is traversed through to the end.

LDAP_MATCHING_RULE_IN_CHAIN is a special Extensible Match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

LDAP_MATCHING_RULE_IN_CHAIN will only work when used with Distinguished Names (DN) type attributes. This is an ExtensibleMatch operator that walks the chain of ancestry in LDAP Entries all the way to the root until it finds a match. This reveals group nesting. LDAP_MATCHING_RULE_IN_CHAIN is available only on Domain Controllers with Windows Server 2003 R2 (or above).

LDAP_MATCHING_RULE_IN_CHAIN Microsoft Active Directory ONLY?#

Not all LDAP Server Implementations provide complete matching rules. The OID's shown here are Microsoft Active Directory specific and will probably not work on other server implementations.

We wish some of the other LDAP server vendors would add support for this Extensible Match Rules.


Query All users that report to a department manager or their subordinates.
As far as we know this could be used with any attribute which has an even numbered LinkID which implies it is a (forward link)

More Information#

There might be more information for this subject on one of the following:
[#1] - We obtained some of this information from http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx