Samba misses support for LDAP_MATCHING_RULE_DN_WITH_DATA (oid 1.2.840.113556.1.4.2253)

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5bfc285-05b9-494e-a123-c5c4341c450e :

3.1.1.3.4.4.4 LDAP_MATCHING_RULE_DN_WITH_DATA

This rule provides a way to match on portions of values of syntax Object(DN-String) and Object(DN-Binary).

Let F be a filter of the form "(A: 1.2.840.113556.1.4.2253:=V)", where A is a link attribute and V is a value of syntax Object(DN-String) (section 3.1.1.2.2.2.1) or Object(DN-Binary) (section 3.1.1.2.2.2.3). This filter evaluates to True for an object whose DN is D if the method defined below, EvalDNWithDataFilter(A,V,D), returns true, and False if the method returns false. If A is not of syntax Object(DN-String) or Object(DN-Binary), the filter F evaluates to Undefined.

EvalDNWithDataFilter(A: attribute, V: value, D: DN)

  For either syntax, let O be the DN portion of the value V and B be the string or binary portion of the value V. If the attribute is of syntax Object(DN-String), B is the value of the string considered strictly as the sequence of bytes of the string. Note that O can be the rootDSE. Note also that B can have 0 length.

  For every V' where V' is a value of attribute A on object D:

    - Let O' be the DN portion of value V' and let B' be the string or binary portion of the value V'.
    - If O is not equal to O' and O is not equal to the rootDSE, continue processing other values of V'.
    - If B is not equal to the initial bytes of B', continue processing other values of V'. Note especially that only byte values are used in this comparison. No special handling of B as a string is performed (for example, no case-insensitivity, locale specific comparisons, etc.).
    - Return true.

  If this method does not return true, it returns false.
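
The EvalDNWithDataFilter method quoted above, written out in C as an added example; this is not Samba code and not part of the original report. The struct, the function names and the sample values are hypothetical, DNs are assumed to be already normalized so that equality reduces to strcmp, and an empty DN string stands for the rootDSE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Parsed DN-String/DN-Binary value (hypothetical type for this example).
 * dn is assumed already normalized; "" stands for the rootDSE. */
struct dn_with_data {
	const char *dn;            /* O or O' */
	const unsigned char *data; /* B or B', raw bytes */
	size_t data_len;
};

/* v is the filter value V; vals[] are the values V' of attribute A on D. */
bool eval_dn_with_data_filter(const struct dn_with_data *v,
			      const struct dn_with_data *vals, size_t n_vals)
{
	bool any_dn = (v->dn[0] == '\0'); /* O is the rootDSE */
	for (size_t i = 0; i < n_vals; i++) {
		/* O != O' and O is not the rootDSE: try the next value. */
		if (!any_dn && strcmp(v->dn, vals[i].dn) != 0)
			continue;
		/* Length check first, so memcmp never reads past a shorter B'. */
		if (v->data_len > vals[i].data_len)
			continue;
		/* Byte-wise prefix compare: no case folding, no locale rules. */
		if (v->data_len && memcmp(v->data, vals[i].data, v->data_len))
			continue;
		return true;
	}
	return false;
}

/* Constructed sample values of a link attribute on one object D. */
static const struct dn_with_data sample_vals[] = {
	{ "CN=Alice,DC=example,DC=com", (const unsigned char *)"ABCD", 4 },
	{ "CN=Bob,DC=example,DC=com", (const unsigned char *)"\x01\x02\x03", 3 },
};

/* Evaluate a filter value (dn, data, len) against sample_vals. */
bool match_sample(const char *dn, const void *data, size_t len)
{
	struct dn_with_data v = { dn, data, len };
	return eval_dn_with_data_filter(&v, sample_vals,
					sizeof(sample_vals) / sizeof(sample_vals[0]));
}

int main(void)
{
	return match_sample("", "\x01\x02", 2) ? 0 : 1;
}
```

The explicit length comparison before memcmp is the part an implementation must not omit: the filter value B comes from the client and can be longer than the stored B'.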