Matched Values Control


Matched Values Control is a supportedControl with an OID of 1.2.826.0.1.3344810.2.3


When reading an attribute from an entry using the Lightweight Directory Access Protocol version 3 (LDAPv3), it is normally only possible to read either the attribute type, or the attribute type and all its values. It is not possible to selectively read just a few of the attribute values.

If an attribute holds many values, for example, the userCertificate attribute, or the subschema publishing operational attributes objectClasses and attributeTypes, then it may be desirable for the user to be able to selectively retrieve a subset of the values, specifically, those attribute values that match some user defined selection criteria.

Without the Matched Values Control a client must read all of the attribute's values and filter out the unwanted values, necessitating the client to implement the matching rules.

Defined in RFC 3876


Matched Values Control Control allows clients to request a subset of attribute values from an entry that evaluate to TRUE. This control allows the user to selectively read a subset of attribute values without retrieving all values, and then scan for the desired set locally.

Run the ldapsearch command with the --matchedValuesFilter option.

$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b ou=groups,dc=example,dc=com --matchedValuesFilter "(uniquemember=uid=kvaughan*)" "(objectclass=*)"
dn: ou=Groups,dc=example,dc=com
dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com
uniqueMember: uid=kvaughan, ou=People, dc=example,dc=com
dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
dn: cn=HR Managers,ou=groups,dc=example,dc=com
uniqueMember: uid=kvaughan, ou=People, dc=example,dc=com
dn: cn=QA Managers,ou=groups,dc=example,dc=com
dn: cn=PD Managers,ou=groups,dc=example,dc=com
In the above Example, we are able to find the uniqueMember values that match only uid values starting with "kvaughan" within the ou=groups,dc=example,dc=com container. We are returned the DNs of the Groups that match along with the uniqueMember values.

More Information#

There might be more information for this subject on one of the following: