
I have read about LDAP_MATCHING_RULE_IN_CHAIN on https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx a few times and Googled, but I can't get a grasp on what it does.

This is what MSDN says but I do not get it. What does "walks the chain of ancestry" mean?

This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

No matter what I do all of my searches return the same data.

<GC://DC=company,DC=com>;(&(objectClass=user)(memberof=CN=one,DC=some,DC=company,DC=com));name;subtree

or

<GC://DC=company,DC=com>;(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=one,DC=some,DC=company,DC=com));name;subtree

I understand that both of them will search the subtree of the GC for all users that are a member of the group CN=one,DC=some,DC=company,DC=com. What I cannot figure out is what the second one does differently.

IMTheNachoMan

1 Answer


If I remember correctly, the first one only finds objects that have a direct membership, whereas the second one will recursively find nested membership.

Given the following groups:

Group A is a member of Group B
Group B is a member of Group C

Querying Group A with the first method will just return Group B. Using the second method would return Group B and Group C.

CodedBeard
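As an added illustration (my own example, not code from either post and not how Active Directory implements the rule server-side), the Python script below simulates the two filters from the question against a small constructed directory containing the three groups from the answer plus two users. `member_of_direct` models a plain `(memberOf=X)` filter; `member_of_chain` models `(memberOf:1.2.840.113556.1.4.1941:=X)` by walking each object's memberOf links upward until no new group appears. The DNs, the users `alice` and `bob`, and the `DIRECTORY` dict are all constructed for the example.

```python
from collections import deque

# Constructed sample directory for illustration (not real data).
# Each entry maps a DN to its objectClass and its *direct* memberOf values,
# mirroring the groups in the answer plus two users.
GROUP_A = "CN=Group A,DC=some,DC=company,DC=com"
GROUP_B = "CN=Group B,DC=some,DC=company,DC=com"
GROUP_C = "CN=Group C,DC=some,DC=company,DC=com"
ALICE = "CN=alice,DC=some,DC=company,DC=com"
BOB = "CN=bob,DC=some,DC=company,DC=com"

DIRECTORY = {
    GROUP_A: {"objectClass": "group", "memberOf": [GROUP_B]},  # A is in B
    GROUP_B: {"objectClass": "group", "memberOf": [GROUP_C]},  # B is in C
    GROUP_C: {"objectClass": "group", "memberOf": []},
    ALICE: {"objectClass": "user", "memberOf": [GROUP_A]},     # nested member of C
    BOB: {"objectClass": "user", "memberOf": [GROUP_C]},       # direct member of C
}


def member_of_direct(dn, directory=DIRECTORY):
    """Plain (memberOf=X) semantics: only the groups listed on the object itself."""
    return set(directory[dn]["memberOf"])


def member_of_chain(dn, directory=DIRECTORY):
    """LDAP_MATCHING_RULE_IN_CHAIN semantics: follow memberOf links upward
    (group -> parent group -> ...) until no new group is found.
    The 'found' set also guards against circular nesting, which AD permits,
    so the walk always terminates."""
    found = set()
    queue = deque(directory[dn]["memberOf"])
    while queue:
        group = queue.popleft()
        if group in found:
            continue
        found.add(group)
        # Unknown DNs (e.g. a group outside this partition) contribute nothing.
        queue.extend(directory.get(group, {"memberOf": []})["memberOf"])
    return found


def search(object_class, group_dn, chain=False, directory=DIRECTORY):
    """Evaluate (&(objectClass=<class>)(memberOf[:1.2.840.113556.1.4.1941:]=<group>))
    over every entry and return the matching DNs, sorted for stable output."""
    resolve = member_of_chain if chain else member_of_direct
    return sorted(
        dn for dn, attrs in directory.items()
        if attrs["objectClass"] == object_class and group_dn in resolve(dn, directory)
    )


if __name__ == "__main__":
    print("Group A, direct :", sorted(member_of_direct(GROUP_A)))       # [Group B]
    print("Group A, chained:", sorted(member_of_chain(GROUP_A)))        # [Group B, Group C]
    print("users in Group C, direct :", search("user", GROUP_C))               # [bob]
    print("users in Group C, chained:", search("user", GROUP_C, chain=True))   # [alice, bob]
```

The practical consequence for access reviews: `alice` never appears in a direct `memberOf=Group C` query even though she inherits everything Group C grants, so auditing privileged groups with the plain filter under-reports membership, while the chained filter (or an equivalent walk like the one above) surfaces every nested member.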