Chris Card wrote:
I see that openldap supports a number of matching rules for DNs, e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and dnSuperiorMatch.
<snip>
I have not found documentation anywhere that describes how these matching rules work. I can try out examples and/or read the openldap source code to try and deduce their behaviour, but I'd prefer to see documentation.
This feature has been present in OpenLDAP since 2004. https://www.openldap.org/its/private.cgi/Archive.Software%20Enhancements?id=3112;selectid=3112;usearchives=1
That link needs a login.
http://www.openldap.org/its/index.cgi/Archive.Software%20Enhancements?id=3112;selectid=3112;usearchives=1
Nobody has asked for docs thus far, because everybody recognizes that subtree/onelevel/subordinate are the same as the corresponding LDAP search scopes, and their behavior is already specified.
Ok, but there's no superior scope. Also, while it's possible to try and deduce behaviour by similarity of names and by experiment, that's not a foolproof method, which is why I asked for a link to documentation. What little documentation I did find indicates that these matching rules are 'experimental' and shouldn't be used in released code (http://www.openldap.org/faq/data/cache/200.html) - is that still the case?
That FAQ says these OIDs shouldn't be used in released code. That's generally true, but obviously we've broken those rules various times. The intent of these rules is that we expect experimental features to either progress, in which case a formal specification is published, using non-experimental OIDs, or the experiments are deemed a failure and withdrawn/deleted. Either way, the experiments actually need to be tested by actual users, which means the corresponding code winds up in public releases.
The reality is that authors of experiments have moved on to other work, leaving these features in limbo, and no one has stepped in to drive them forward to completion (published status).
In this particular case, the features themselves were demonstrably stable years ago.
If you're inclined to only use features that have published documentation, you're welcome to forget everything you ever heard about dnSubtreematch and go about your business. OpenLDAP is a volunteer based open source project - work happens when a volunteer is interested in making it happen. The fact that what you're asking for hasn't been written in the past 8 years indicates to me that no one is interested.
--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/