LDAP_MATCHING_RULE_IN_CHAIN

Overview#

LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941), also known as LDAP_MATCHING_RULE_TRANSITIVE_EVAL, is an Extensible Match rule that provides a method to look up the ancestry of an object. It can only be used in filters that apply to attributes with DN syntax.[1]

Many applications using Microsoft Active Directory and AD LDS work with hierarchical data ordered by parent-child relationships, such as a user's chain of managers or nested group membership. Without LDAP_MATCHING_RULE_IN_CHAIN an application has to perform the transitive expansion itself (for example, to figure out nested group membership), which:

  • uses too much network bandwidth
  • requires multiple round trips, because each link has to be followed to the end of the chain before the application knows whether an object falls "in the chain".

LDAP_MATCHING_RULE_IN_CHAIN is a special Extensible Match operator that makes the server walk the chain of ancestry of an object all the way to the root until it finds a match (or the chain ends), so the client gets the answer in a single search.

Not all LDAP Server Implementations provide the same set of matching rules. The OIDs shown here are Microsoft Active Directory specific and will probably not work on other server implementations; a server that does not recognize the rule will typically reject the filter or return no matches, so check for the OID in the server's supported matching rules before relying on it.

We wish some of the other LDAP server vendors would add support for this Extensible Match Rule.

LDAP_MATCHING_RULE_IN_CHAIN Example#

Query all users that report to a department manager (Jim) or to any of their subordinates, that is, every user whose manager chain leads to Jim's DN:

(manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com)

The server follows each entry's manager attribute transitively and returns every entry whose chain reaches the given DN. Jim's own entry is not returned, because his own manager chain does not contain his DN.
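As an added example that is not part of the original page, the following Python builds such a filter with RFC 4515 escaping and simulates the transitive walk the server performs, over a small constructed directory. It goes beyond the manager example above and also covers memberOf, the nested-group case mentioned in the overview. The sample DNs (Ann, Bob, Cal, Dee, Zed, Eve, the Admins and Ops groups) and the helper names are assumptions made for the example; only Jim's DN comes from the page.

```python
"""Added example, not part of the original page: build an
LDAP_MATCHING_RULE_IN_CHAIN filter and simulate the transitive walk the
server performs over a small constructed directory."""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter.
    The DN itself is assumed to already be a valid (RFC 4514) DN string;
    only the characters that are special in a filter are escaped here."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def in_chain_filter(attribute: str, target_dn: str) -> str:
    """(attr:1.2.840.113556.1.4.1941:=<DN>); attribute must have DN syntax."""
    return f"({attribute}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(target_dn)})"


# Constructed sample directory (DN -> attributes). Only DN-valued attributes
# are shown. Dee and Zed are deliberately mislinked as each other's manager
# to show that the walk must terminate on a cycle.
JIM = "CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com"   # from the page
ANN = "CN=Ann,OU=Managed,OU=Accounts,DC=willeke,DC=com"   # assumed
BOB = "CN=Bob,OU=Managed,OU=Accounts,DC=willeke,DC=com"   # assumed
CAL = "CN=Cal,OU=Managed,OU=Accounts,DC=willeke,DC=com"   # assumed
DEE = "CN=Dee,OU=Managed,OU=Accounts,DC=willeke,DC=com"   # assumed
ZED = "CN=Zed,OU=Managed,OU=Accounts,DC=willeke,DC=com"   # assumed
ADMINS = "CN=Admins,OU=Groups,DC=willeke,DC=com"          # assumed
OPS = "CN=Ops,OU=Groups,DC=willeke,DC=com"                # assumed
EVE = "CN=Eve,OU=Accounts,DC=willeke,DC=com"              # assumed

DIRECTORY = {
    JIM: {},
    ANN: {"manager": [JIM]},
    BOB: {"manager": [ANN]},
    CAL: {"manager": [BOB]},
    DEE: {"manager": [ZED]},
    ZED: {"manager": [DEE]},
    ADMINS: {},
    OPS: {"memberOf": [ADMINS]},
    EVE: {"memberOf": [OPS]},
}


def ancestry(entry_dn, attribute, directory=DIRECTORY):
    """DNs reached from entry_dn by following `attribute` transitively, in
    breadth-first order. This is the chain the matching rule walks on the
    server; a client doing it alone needs one round trip per DN listed.
    DNs compare case-insensitively; the seen-set cuts cycles."""
    order, seen = [], set()
    frontier = list(directory.get(entry_dn, {}).get(attribute, []))
    while frontier:
        dn = frontier.pop(0)
        if dn.lower() in seen:
            continue
        seen.add(dn.lower())
        order.append(dn)
        frontier.extend(directory.get(dn, {}).get(attribute, []))
    return order


def in_chain(entry_dn, attribute, target_dn, directory=DIRECTORY):
    """Would (attribute:1.2.840.113556.1.4.1941:=target_dn) match entry_dn?"""
    return target_dn.lower() in (dn.lower() for dn in ancestry(entry_dn, attribute, directory))


def search(attribute, target_dn, directory=DIRECTORY):
    """Entries the server would return for the in-chain filter, sorted by DN."""
    return sorted(dn for dn in directory if in_chain(dn, attribute, target_dn, directory))


if __name__ == "__main__":
    print(in_chain_filter("manager", JIM))
    print("reports to Jim at any depth:", search("manager", JIM))
    print("nested members of Admins:", search("memberOf", ADMINS))
    print("round trips a client would need for Cal:", len(ancestry(CAL, "manager")))
```

Against a real Active Directory the string returned by in_chain_filter is what you pass as the LDAP filter; the rest of the block only exists to show what the server does with it, including why a client-side expansion costs one round trip per link and why a cycle guard is needed when a directory is mislinked.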

More Information#

There might be more information for this subject on one of the following:
[#1] - We obtained some of this information from http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx