Microsoft Active Directory Extensible Match Rules

Overview

Microsoft Active Directory has a Search Filters limitation with regard to Extensible Match Rules support.

Microsoft Active Directory is limited to the following:

| Capability name | OID | AD Version Support |
|---|---|---|
| LDAP_MATCHING_RULE_BIT_AND | 1.2.840.113556.1.4.803 | 2000 2008 2012 |
| LDAP_MATCHING_RULE_BIT_OR | 1.2.840.113556.1.4.804 | 2000 2008 2012 |
| LDAP_MATCHING_RULE_TRANSITIVE_EVAL | 1.2.840.113556.1.4.1941 | 2008 2012 R2 |
| LDAP_MATCHING_RULE_DN_WITH_DATA | 1.2.840.113556.1.4.2253 | 2012 R2 |

The supported comparison rules are documented for each syntax type in section 3.1.1.2.2.4.

When performing an extensible match search against Active Directory, if the type field of the MatchingRuleAssertion is not specified (RFC 2251 section 4.5.1), the extensible match filter clause is evaluated to "Undefined". The dnAttributes field of the MatchingRuleAssertion is ignored and always treated as if set to false.
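
A small filter reviewer for the behaviour described above, added here as an example and not part of the original page: it parses one RFC 4515 extensible-match item, applies the two Active Directory behaviours (a missing type evaluates to Undefined, dnAttributes is ignored), checks the OID against the table, and evaluates the two bit rules against a constructed userAccountControl value. The function name `review`, the verdict strings and the sample entry are assumptions made for illustration.

```python
import re

# Names and OIDs copied from the table on this page.
AD_RULES = {
    "1.2.840.113556.1.4.803": "LDAP_MATCHING_RULE_BIT_AND",
    "1.2.840.113556.1.4.804": "LDAP_MATCHING_RULE_BIT_OR",
    "1.2.840.113556.1.4.1941": "LDAP_MATCHING_RULE_TRANSITIVE_EVAL",
    "1.2.840.113556.1.4.2253": "LDAP_MATCHING_RULE_DN_WITH_DATA",
}

# One RFC 4515 extensible item: ([attr][:dn][:matchingrule]:=value)
EXT = re.compile(
    r"^\((?P<attr>[a-z0-9][a-z0-9.;-]*)?(?P<dn>:dn)?"
    r"(?::(?P<rule>[0-9.]+|[a-z][a-z0-9-]*))?:=(?P<value>[^()]*)\)$",
    re.IGNORECASE,
)


def review(item, entry=None):
    """Return (verdict, notes) for one extensible-match filter item.

    entry is an optional dict of attribute name -> integer value (hypothetical
    helper input) used to evaluate the two bit rules.
    """
    m = EXT.match(item)
    if m is None:
        raise ValueError("not a single extensible-match item: " + item)
    notes = ["dnAttributes ignored"] if m["dn"] else []
    if m["attr"] is None:  # type field of the MatchingRuleAssertion is absent
        return "undefined", notes
    name = AD_RULES.get(m["rule"])
    if name is None:  # no rule given, or an OID outside the table
        return "rule-not-listed", notes
    notes.append(name)
    if entry and m["attr"] in entry and "_BIT_" in name:
        have, mask = int(entry[m["attr"]]), int(m["value"])
        # BIT_AND: every mask bit is set; BIT_OR: at least one mask bit is set.
        hit = (have & mask) == mask if name.endswith("_AND") else bool(have & mask)
        return ("true" if hit else "false"), notes
    return "listed", notes


# Constructed sample entry: 514 = 512 + 2.
SAMPLE = {"userAccountControl": 514}
```

Running stored or logged filters through a check like this shows which ones omit the attribute type and therefore evaluate to Undefined instead of matching.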

We have several Microsoft Active Directory Extensible Match Rules Examples; see also Filtering for Bit Fields.
