Samba misses support for LDAP_MATCHING_RULE_DN_WITH_DATA (oid 1.2.840.113522.214.171.1243)
This rule provides a way to match on portions of values of syntax Object(DN-String) and Object(DN-Binary).
Let F be a filter of the form "(A: 1.2.840.1135126.96.36.1993:=V)", where A is a link attribute and V is a value of syntax Object(DN-String) (section 188.8.131.52.2.2.1) or Object(DN-Binary) (section 184.108.40.206.2.2.3). This filter evaluates to True for an object whose DN is D if the method defined below, EvalDNWithDataFilter(A,V,D), returns true, and False if the method returns false. If A is not of syntax Object(DN-String) or Object(DN-Binary), the filter F evaluates to Undefined.
EvalDNWithDataFilter(A: attribute, V: value, D: DN)
For either syntax, let O be the DN portion of the value V and B be the string or binary portion of the value V. If the attribute is of syntax Object(DN-String), B is the value of the string considered strictly as the sequence of bytes of the string. Note that O can be the rootDSE. Note also that B can have 0 length.
For every V' where V' is a value of attribute A on object D:
Let O' be the DN portion of value V' and let B' be the string or binary portion of the value V'.
If O is not equal to O' and O is not equal to the rootDSE, continue processing other values of V'.
If B is not equal to the initial bytes of B', continue processing other values of V'. Note especially that only byte values are used in this comparison. No special handling of B as a string is performed (for example, no case-insensitivity, locale specific comparisons, etc.).
If this method does not return true, it returns false.