Bug 14314 - LDAP_MATCHING_RULE_DN_WITH_DATA oid 1.2.840.113556.1.4.2253 unsupported
Summary: LDAP_MATCHING_RULE_DN_WITH_DATA oid 1.2.840.113556.1.4.2253 unsupported
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.12.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2020-03-05 13:22 UTC by Björn Jacke
Modified: 2020-03-11 08:46 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Björn Jacke 2020-03-05 13:22:48 UTC
Samba misses support for LDAP_MATCHING_RULE_DN_WITH_DATA (oid 1.2.840.113556.1.4.2253)

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5bfc285-05b9-494e-a123-c5c4341c450e : LDAP_MATCHING_RULE_DN_WITH_DATA

This rule provides a way to match on portions of values of syntax Object(DN-String) and Object(DN-Binary).

Let F be a filter of the form "(A: 1.2.840.113556.1.4.2253:=V)", where A is a link attribute and V is a value of syntax Object(DN-String) (section or Object(DN-Binary) (section This filter evaluates to True for an object whose DN is D if the method defined below, EvalDNWithDataFilter(A,V,D), returns true, and False if the method returns false. If A is not of syntax Object(DN-String) or Object(DN-Binary), the filter F evaluates to Undefined.

EvalDNWithDataFilter(A: attribute, V: value, D: DN)

    For either syntax, let O be the DN portion of the value V and B be the string or binary portion of the value V. If the attribute is of syntax Object(DN-String), B is the value of the string considered strictly as the sequence of bytes of the string. Note that O can be the rootDSE. Note also that B can have 0 length.

    For every V' where V' is a value of attribute A on object D:

        Let O' be the DN portion of value V' and let B' be the string or binary portion of the value V'.

        If O is not equal to O' and O is not equal to the rootDSE, continue processing other values of V'.

        If B is not equal to the initial bytes of B', continue processing other values of V'. Note especially that only byte values are used in this comparison. No special handling of B as a string is performed (for example, no case-insensitivity, locale specific comparisons, etc.).

        Return true.

    If this method does not return true, it returns false.