3.1.1.2.2.4 Supported Comparison Operations

  • Article

In addition to determining what can be stored in an attribute, the syntaxes determine what comparison operations the server permits on an attribute in an LDAP search filter, as well as how the server performs those comparisons. The following table maps each of the LDAP syntaxes to a comparison rule. All syntaxes of the same comparison rule support the same comparison operations and are compared using the same comparison rules.

LDAP syntax

Comparison rule

Boolean

Bool

Enumeration

Integer

Integer

Integer

LargeInteger

Integer

Object(Access-Point)

DN-String

Object(DN-String)

DN-String

Object(OR-Name)

DN-Binary

Object(DN-Binary)

DN-Binary

Object(DS-DN)

DN

Object(Presentation-Address)

PresentationAddress

Object(Replica-Link)

Octet

String(Case)

CaseString

String(IA5)

CaseString

String(NT-Sec-Desc)

SecDesc

String(Numeric)

CaseString

String(Object-Identifier)

OID

String(Octet)

Octet

String(Printable)

CaseString

String(Sid)

Sid

String(Teletex)

NoCaseString

String(Unicode)

UnicodeString

String(UTC-Time)

Time

String(Generalized-Time)

Time

The following table (split into three parts for readability) shows which of the choices in an LDAP filter (that is, which comparison operations) are supported for each comparison rule. The LDAP filter structure is defined in [RFC2251] section 4.5.1. Each comparison rule (for example, the rule for comparing two Bool values) is discussed following the table. The "and", "or", and "not" choices in an LDAP filter are not included in this table because they are not comparisons performed against an attribute value. Active Directory treats approxMatch as equivalent to equalityMatch. For details on the three extensible matching rules, see section 3.1.1.3.4.4.

Comparison rule

present

equalityMatch

approxMatch

Bool

X

X

X

Integer

X

X

X

DN-String

X

X

X

DN-Binary

X

X

X

DN

X

X

X

PresentationAddress

X

X

X

Octet

X

X

X

CaseString

X

X

X

SecDesc

X

OID

X

X

X

Sid

X

X

X

NoCaseString

X

X

X

UnicodeString

X

X

X

Time

X

X

X

Comparison rule

lessOrEqual

greaterOrEqual

substrings

Bool

X

X

Integer

X

X

DN-String

DN-Binary

DN

PresentationAddress

Octet

X

X

X

CaseString

X

X

X

SecDesc

OID

Sid

X

X

X

NoCaseString

X

X

X

UnicodeString

X

X

X

Time

X

X

Note In the following table, the constant names in the headers for the extensibleMatch columns are prefixed with "LDAP_MATCHING_RULE_". For example, "...BIT_AND" is actually "LDAP_MATCHING_RULE_BIT_AND".

Comparison rule

extensibleMatch: ...BIT_AND

extensibleMatch: ...BIT_OR

extensibleMatch: ...TRANSITIVE_EVAL

Bool

Integer

X

X

DN-String

X*

DN-Binary

X*

DN

X*

PresentationAddress

Octet

CaseString

SecDesc

OID

Sid

NoCaseString

UnicodeString

Time

* Supported only if the attribute is a link attribute. Evaluates to Undefined otherwise.