
While going over the AD Cmdlet -Filter operators earlier today, I came across one I've not seen before: -approx. I can find this operator mentioned on several blogs, and in some TechNet articles, but nothing I find explains what this operator is used for. I also cannot find any examples of its use beyond its definition of use as "approximately equal to", or ~=. The only time I've used the ~= operator when programming is in Ruby, which does a regular expression match, but regex matching doesn't seem to be how it's used in this case. The only way I've gotten it to return anything is if I provide the exact value of the property I'm filtering on like in this example:

 Get-AdUser -Filter "samaccountname -approx 'myexactsamaccountname'"

What is the proper usage of this operator, and what examples might there be of using it as an Active Directory administrator?

codewario

1 Answer


This is probably not as exciting as you'd hoped, but...

From the Active Directory Technical Specification §3.1.1.3.1.3.1:

Active Directory supports the approxMatch filter clause of [RFC2251] section 4.5.1. However, it is implemented identically to equalityMatch; for example, the filter is true if the values are equal. No approximation is performed. Filter clauses of the form "(X=Y)" and "(X~=Y)" can be freely substituted for each other.

(emphasis added)

So, it is simply there because RFC2251 defines (and RFC4511 describes) approxMatch as part of the supported set of operators in LDAPv3 - and Microsoft wanted to be able to claim that the LDAP server implementation in Active Directory conforms to both LDAPv2 and LDAPv3 - so they added it without changing its behavior (the implementation details of which the relevant RFCs never prescribe anyways). This is in line with the description found in RFC4511:

An approxMatch filter is TRUE when there is a value of the attribute type or subtype for which some locally-defined approximate matching algorithm (e.g., spelling variations, phonetic match, etc.) returns TRUE. If a value matches for equality, it also satisfies an approximate match. If approximate matching is not supported for the attribute, this filter item should be treated as an equalityMatch.

The original intent was likely to allow common or local approximations, or possibly to allow for equivalence-matching across multiple alphabets, i.e. a search for:

(givenName~=thorbjorn)

Would return anyone with the given name Torbjorn, Þórrbjorn, or Thorbjørn

Mathias R. Jessen
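As an added example (not code from the question or the answer), the following PowerShell script checks the cited behaviour on a live domain: the same lookup written with -eq, with -approx, and as a raw LDAP (X~=Y) filter should return exactly the same objects, and a near-miss spelling should return nothing. It assumes the ActiveDirectory module is installed and that $SamAccountName (a placeholder) names an existing account without LDAP-special characters.

```powershell
# Added example: verify that AD treats approxMatch (~=) identically to equalityMatch,
# as MS-ADTS 3.1.1.3.1.3.1 states. Not part of the original question or answer.
Import-Module ActiveDirectory

# Placeholder taken from the question; replace with a real account in your domain.
$SamAccountName = 'myexactsamaccountname'

# Normalise a result set to a sorted, ';'-joined list of DNs so empty results compare cleanly.
function Get-DnSet {
    param($Users)
    @($Users | ForEach-Object { $_.DistinguishedName } | Sort-Object) -join ';'
}

# The same search expressed three ways.
$byEq     = Get-ADUser -Filter "samAccountName -eq '$SamAccountName'"
$byApprox = Get-ADUser -Filter "samAccountName -approx '$SamAccountName'"
$byLdap   = Get-ADUser -LDAPFilter "(sAMAccountName~=$SamAccountName)"   # assumes no chars needing LDAP escaping

$setEq     = Get-DnSet $byEq
$setApprox = Get-DnSet $byApprox
$setLdap   = Get-DnSet $byLdap

if ($setEq -eq $setApprox -and $setEq -eq $setLdap) {
    "Identical results for -eq, -approx and (X~=Y): approxMatch behaved as plain equality."
} else {
    "Result sets differ (unexpected according to MS-ADTS):"
    "  -eq     : $setEq"
    "  -approx : $setApprox"
    "  (X~=Y)  : $setLdap"
}

# A spelling variation (last character dropped) should match nothing, showing that no
# approximation is performed. If it does match, the shorter name is simply another real account.
$variant = $SamAccountName.Substring(0, $SamAccountName.Length - 1)
$near    = Get-ADUser -Filter "samAccountName -approx '$variant'"
"Near-miss '$variant' matched $(@($near).Count) object(s) via -approx."
```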