Programmers should use LDAP matching rules to compare attribute values, for example, when matching candidate entries in search requests. Avoid comparing values that were retrieved from a directory on a character by character basis. The directory server uses matching rules to match values and distinguished names, and application code must do likewise, or unexpected results may occur. APIs that do not support matching rules when interacting with LDAP servers should be avoided.
An example of where software can get it wrong is the case of space significance in a distinguished name. Some directory servers preserve spaces in distinguished names, others do not. By way of example, consider the following DN:
uid=user.0,ou=people,dc=example,dc=com
and
uid=user.0, ou=people, DC=example, DC=com
These two DNs are equivalent, differing outwardly by case and spaces, but an application executing a character-by-character comparison would not consider the two to refer to the same DN. The use of the distinguishedNameMatch
matching rule would prevent this error.
MatchingRuleDemo.java uses the UnboundID LDAP SDK to demonstrate how to use matching rules to compare the values of an attribute in two entries.
Pingback: LDAP: Programming Practices « Diaries, Triumphs, Failures, and Rants
Pingback: LDAP: Using ldapsearch « Diaries, Triumphs, Failures, and Rants