Tags: active-directory, ldap, memberof

What exactly does LDAP_MATCHING_RULE_IN_CHAIN do?


I have read about what LDAP_MATCHING_RULE_IN_CHAIN does on https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx a few times and Googled it, but I can't get a grasp on what it does.

This is what MSDN says but I do not get it. What does "walks the chain of ancestry" mean?

This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

No matter what I do all of my searches return the same data.

<GC://DC=company,DC=com>;(&(objectClass=user)(memberof=CN=one,DC=some,DC=company,DC=com));name;subtree

or

<GC://DC=company,DC=com>;(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=one,DC=some,DC=company,DC=com));name;subtree

I understand that both of them will search the subtree of the GC for all users that are a member of the group CN=one,DC=some,DC=company,DC=com. What I cannot figure out is what the second one does differently.


Solution

  • If I remember correctly, the first one only finds objects that have a direct membership, whereas the second one will recursively find nested membership.

    Given the following groups:

    Group A is a member of Group B
    Group B is a member of Group C
    

    Querying Group A with the first method will just return Group B. Using the second method would return Group B and Group C.
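To make the difference concrete, here is an added example (not from the question or the answer) that models a tiny directory in memory and evaluates both filters against it: the plain `memberOf` filter only sees direct parents, while the chain rule walks `memberOf` up to the root, so an audit of "who is effectively in Group C" using the first filter undercounts nested members. The DNs and entries below are constructed placeholders, not from any real domain.

```python
# Added example: plain memberOf match vs. LDAP_MATCHING_RULE_IN_CHAIN, evaluated
# against a constructed in-memory directory (DNs are placeholders).
from typing import List, Set

CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Constructed directory. As in AD, each entry's memberOf lists only its *direct*
# parents: alice -> A, A -> B, B -> C, and bob -> C directly.
DIRECTORY: dict = {
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": "user", "memberOf": ["CN=A,DC=example,DC=com"]},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": "user", "memberOf": ["CN=C,DC=example,DC=com"]},
    "CN=A,DC=example,DC=com": {"objectClass": "group", "memberOf": ["CN=B,DC=example,DC=com"]},
    "CN=B,DC=example,DC=com": {"objectClass": "group", "memberOf": ["CN=C,DC=example,DC=com"]},
    "CN=C,DC=example,DC=com": {"objectClass": "group", "memberOf": []},
}

def member_of_filter(group_dn: str, transitive: bool) -> str:
    """Build the two filter strings the question compares."""
    rule = f":{CHAIN_OID}:" if transitive else ""
    return f"(&(objectClass=user)(memberOf{rule}={group_dn}))"

def ancestry_chain(dn: str) -> Set[str]:
    """Walk memberOf from dn all the way to the root, as the chain rule does."""
    seen: Set[str] = set()
    stack = list(DIRECTORY[dn]["memberOf"])
    while stack:
        parent = stack.pop()
        if parent in seen:
            continue  # guards against circular group nesting
        seen.add(parent)
        stack.extend(DIRECTORY.get(parent, {"memberOf": []})["memberOf"])
    return seen

def users_in_group(group_dn: str, transitive: bool) -> List[str]:
    """Evaluate memberOf=X (direct only) or memberOf:<OID>:=X (whole chain)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if attrs["objectClass"] != "user":
            continue
        groups = ancestry_chain(dn) if transitive else set(attrs["memberOf"])
        if group_dn in groups:
            hits.append(dn)
    return sorted(hits)

if __name__ == "__main__":
    c = "CN=C,DC=example,DC=com"
    print(member_of_filter(c, False), users_in_group(c, False))  # only bob
    print(member_of_filter(c, True), users_in_group(c, True))    # alice and bob
```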