Overview#
Matched Values Control is a supportedControl with an OID of 1.2.826.0.1.3344810.2.3
Usage#
When reading an attribute from an entry using the Lightweight Directory Access Protocol version 3 (LDAPv3), it is normally only possible to read either the attribute type, or the attribute type and all its values. It is not possible to selectively read just a few of the attribute values.
If an attribute holds many values, for example the userCertificate attribute, or the subschema publishing operational attributes objectClasses and attributeTypes, then it may be desirable for the user to be able to retrieve only a subset of the values, specifically those attribute values that match some user-defined selection criteria.
Without the Matched Values Control, a client must read all of the attribute's values and filter out the unwanted ones, which requires the client to implement the matching rules itself.
Defined in RFC 3876
Example LDAPSEARCH#
The Matched Values Control allows clients to request only the subset of an entry's attribute values for which the supplied filter evaluates to TRUE. This lets the user read a subset of attribute values selectively, instead of retrieving all values and then scanning for the desired set locally.
Run the ldapsearch command with the --matchedValuesFilter option.
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  -b ou=groups,dc=example,dc=com --matchedValuesFilter "(uniquemember=uid=kvaughan*)" \
  "(objectclass=*)"
dn: ou=Groups,dc=example,dc=com

dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com
uniqueMember: uid=kvaughan, ou=People, dc=example,dc=com

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com

dn: cn=HR Managers,ou=groups,dc=example,dc=com
uniqueMember: uid=kvaughan, ou=People, dc=example,dc=com

dn: cn=QA Managers,ou=groups,dc=example,dc=com

dn: cn=PD Managers,ou=groups,dc=example,dc=com
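What a client puts on the wire for a filter such as the one above: this added example (not from the original page or any directory product) BER-encodes the control value as the RFC 3876 `ValuesReturnFilter`, which is sent together with the OID shown in the overview. The function names are hypothetical, and the `extensibleMatch` item type is deliberately rejected rather than encoded.

```python
import re

MATCHED_VALUES_OID = "1.2.826.0.1.3344810.2.3"  # control OID as given on this page

def ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def unescape(value: str) -> bytes:
    """Turn LDAP filter \\XX hex escapes into raw bytes."""
    return re.sub(rb"\\([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), value.encode())

def encode_item(item: str) -> bytes:
    """Encode one SimpleFilterItem, e.g. "(uniquemember=uid=kvaughan*)"."""
    m = re.fullmatch(r"\(([^=<>~():]+)(>=|<=|~=|=)([^()]*)\)", item)
    if not m:
        raise ValueError(f"unsupported filter item: {item!r}")
    attr, op, value = m.group(1).encode(), m.group(2), m.group(3)
    if op != "=":  # greaterOrEqual [5], lessOrEqual [6], approxMatch [8]
        tag = {">=": 0xA5, "<=": 0xA6, "~=": 0xA8}[op]
        return ber(tag, ber(0x04, attr) + ber(0x04, unescape(value)))
    if value == "*":  # present [7] is a primitive AttributeDescription
        return ber(0x87, attr)
    if "*" not in value:  # equalityMatch [3]
        return ber(0xA3, ber(0x04, attr) + ber(0x04, unescape(value)))
    parts = value.split("*")  # substrings [4]: initial [0], any [1], final [2]
    subs = b""
    for i, part in enumerate(parts):
        if part:
            tag = 0x80 if i == 0 else 0x82 if i == len(parts) - 1 else 0x81
            subs += ber(tag, unescape(part))
    if not subs:
        raise ValueError(f"substring filter has no components: {item!r}")
    return ber(0xA4, ber(0x04, attr) + ber(0x30, subs))

def matched_values_control_value(items: list[str]) -> bytes:
    """ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem."""
    return ber(0x30, b"".join(encode_item(i) for i in items))
```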