Chris Card wrote:
I see that openldap supports a number of matching rules for DNs,
e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and
dnSuperiorMatch.
<snip>
I have not found documentation anywhere that describes how these matching rules
work.
I can try out examples and/or read the openldap source code to try and deduce
their behaviour, but I'd prefer to see documentation.
This feature has been present in OpenLDAP since 2004.
https://www.openldap.org/its/private.cgi/Archive.Software%20Enhancements?id=3112;selectid=3112;usearchives=1
That link needs a login.
http://www.openldap.org/its/index.cgi/Archive.Software%20Enhancements?id=3112;selectid=3112;usearchives=1
Nobody has asked for docs thus far, because everybody recognizes that
subtree/onelevel/subordinate are the same as the corresponding LDAP search
scopes, and their behavior is already specified.
Ok, but there's no superior scope. Also, while it's possible to try and
deduce behaviour by similarity of names and by experiment, that's not a
foolproof method, which is why I asked for a link to documentation. What
little documentation I did find indicates that these matching rules are
'experimental' and shouldn't be used in released code
(http://www.openldap.org/faq/data/cache/200.html) - is that still the
case?
That FAQ says these OIDs shouldn't be used in released code. That's generally
true, but obviously we've broken those rules various times. The intent of
these rules is that we expect experimental features to either progress, in
which case a formal specification is published, using non-experimental OIDs,
or the experiments are deemed a failure and withdrawn/deleted. Either way, the
experiments actually need to be tested by actual users, which means the
corresponding code winds up in public releases.
The reality is that authors of experiments have moved on to other work,
leaving these features in limbo, and no one has stepped in to drive them
forward to completion (published status).
In this particular case, the features themselves were demonstrably stable
years ago.
If you're inclined to only use features that have published documentation,
you're welcome to forget everything you ever heard about dnSubtreeMatch and go
about your business. OpenLDAP is a volunteer-based open source project - work
happens when a volunteer is interested in making it happen. The fact that what
you're asking for hasn't been written in the past 8 years indicates to me that
no one is interested.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
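
The correspondence described in the thread above, worked through as an added Python example (not code from the thread or from OpenLDAP): each of the three scope-named rules is evaluated as the matching LDAP search scope, applied to a DN value relative to the asserted DN. DN normalization is simplified to trimming and case-folding, all function names and sample DNs are constructed, and dnSuperiorMatch is left out because the thread gives no scope for it.

```python
def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair inside this RDN
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    # Simplified normalization (assumption): trim and case-fold each RDN.
    return [r.strip().lower() for r in rdns if r.strip()]


def depth_below(value, base):
    """RDN count by which `value` sits under `base`; None if outside it."""
    v, b = split_dn(value), split_dn(base)
    if len(v) < len(b) or (b and v[-len(b):] != b):
        return None
    return len(v) - len(b)


# Each rule expressed as the search scope it mirrors, applied to the depth.
SCOPE_RULES = {
    "dnSubtreeMatch": lambda d: d >= 0,      # base and everything below
    "dnOneLevelMatch": lambda d: d == 1,     # immediate children only
    "dnSubordinateMatch": lambda d: d >= 1,  # everything below, not the base
}


def dn_match(rule, value, asserted):
    d = depth_below(value, asserted)
    return d is not None and SCOPE_RULES[rule](d)


BASE = "ou=admins,dc=example,dc=com"         # constructed sample data
VALUES = [
    "ou=admins,dc=example,dc=com",
    "CN=Alice, OU=Admins, DC=Example, DC=Com",
    "cn=bob,ou=ops,ou=admins,dc=example,dc=com",
    "cn=eve\\,ou=admins,dc=example,dc=com",  # one RDN with an escaped comma
]

def select(rule):
    return [v for v in VALUES if dn_match(rule, v, BASE)]
```

The last sample value ends with the base DN as a string but is not under it once the escaped comma is parsed, which is why a plain suffix comparison is not a substitute for RDN-aware matching.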