Overview#LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.1135184.108.40.2061) also known as LDAP_MATCHING_RULE_TRANSITIVE_EVAL is an Extensible Match used to provide a method to look up the ancestry of an object and is is limited to filters that apply to the DN.
Many applications using Microsoft Active Directory and AD LDS usually work with hierarchical data, which is ordered by parent-child relationships. Not using the LDAP_MATCHING_RULE_IN_CHAIN requires applications to perform transitive group expansion to figure out group membership which:
- used too much network bandwidth
- required applications needed to make multiple roundtrips to figure out if an object fell "in the chain" or a link is traversed through to the end.
LDAP_MATCHING_RULE_IN_CHAIN is a special Extensible Match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.
More Information#There might be more information for this subject on one of the following:
- Active Directory Group Related Searches
- Active Directory User Related Searches
[#1] - We obtained some of this information from http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx