3.1.1.3.1.3.4 Ambiguous Name Resolution


ANR is a search algorithm in Active Directory that permits a client to search multiple naming-related attributes on objects via a single clause in a search filter. A substring search against the aNR attribute is interpreted by the DC as a substring search against a set of attributes, known as the "ANR attribute set". The intent is that the attributes in the ANR attribute set are those attributes that are commonly used to identify an object, such as the displayName and name attributes, thereby permitting a client to query for an object when the client possesses some identifying material related to the object but does not know the attribute of the object that contains that identifying material. The ANR attribute set consists of those attributes whose searchFlags attribute contains the fANR flag (see section 3.1.1.2.3).

A server performs an ANR search by rewriting a search filter that contains one or more occurrences of the aNR attribute so that the filter no longer contains any occurrences of the aNR attribute, then performing a regular LDAP search using the rewritten search filter. The search filter is rewritten according to the following algorithm:

  1. If the ANR attribute set does not contain the attribute legacyExchangeDN, then let S be the ANR attribute set and let PLegacy be FALSE. Otherwise, let S be the ANR attribute set excluding legacyExchangeDN and let PLegacy be TRUE. In either case, S is a set containing attributes A1...An.

  2. Let P1 be the value of the fSupFirstLastANR heuristic of the dSHeuristics attribute (see section 6.1.1.2.4.1.2). Let P2 be the value of the fSupLastFirstANR heuristic of the dSHeuristics attribute.

  3. Let F be the search filter of the search request.

  4. For each LDAP search filter clause C of the form "(aNR=*)" in F, resolve the clause to "FALSE". (Such a clause tests for the presence of a value for the aNR attribute itself, and this attribute is not present on any object.)

  5. For each LDAP search filter clause C of the form "(aNR=substringFilter)", where substringFilter is an LDAP substring filter of the form "i*f", in F:

    1. If i is the empty string, resolve clause C to the value "Undefined" (see [RFC2251] section 4.5.1).

    2. If i is non-empty, replace clause C with the clause "(aNR=i)" and apply the rule for "(aNR=value)" in the next step of this algorithm.

  6. For each LDAP search filter clause C of the form "(aNR=value)" or "(aNR~=value)" or "(aNR>=value)" or "(aNR<=value)" in F:

    1. If the first non-space character of value is an equal sign ("="), as in "=value1" or " =value1", the search is an exact string search instead of a substring search: set "value" to "value1", apply the remaining steps of rule 6, and replace every "value*" with "value".

    2. If value does not contain any space characters, or if P1 is TRUE and P2 is TRUE, construct an LDAP search filter clause C' of the form "(|(A1=value*)...(An=value*))" if PLegacy is FALSE, or of the form "(|(A1=value*)...(An=value*)(legacyExchangeDN=value))" if PLegacy is TRUE. (This clause resolves to "TRUE" for an object if value is a prefix of the value of any attribute in the ANR set on that object, except that an exact match is always performed on the legacyExchangeDN attribute.)

    3. If value does contain one or more space characters, then:

      1. Split value into two components, value1 and value2, at the location of the first space, discarding that space.

      2. If PLegacy is FALSE, do the following:

        1. If P1 is FALSE and P2 is FALSE, then construct an LDAP search filter clause C' of the form "(|(A1=value*)...(An=value*)(&(givenName=value1*)(sn=value2*))(&(givenName=value2*)(sn=value1*)))". (This clause resolves to "TRUE" for an object if value is a prefix of the value of any attribute in the ANR set on that object, or if the two parts of the split value are prefixes of the givenName and sn attributes ([MS-ADA3] section 2.275) on that object, regardless of which part matches which attribute.)

        2. If P1 is TRUE and P2 is FALSE, then construct an LDAP search filter clause C' of the form "(|(A1=value*)...(An=value*)(&(givenName=value2*)(sn=value1*)))". (This clause will resolve to "TRUE" for an object if value is a prefix of the value of any attribute in the ANR set on that object, or if the first part of the split value is a prefix of the sn attribute and the second part is a prefix of the givenName attribute on that object.)

        3. If P1 is FALSE and P2 is TRUE, then construct an LDAP search filter clause C' of the form "(|(A1=value*)...(An=value*)(&(givenName=value1*)(sn=value2*)))". (This clause will resolve to "TRUE" for an object if value is a prefix of the value of any attribute in the ANR set on that object, or if the first part of the split value is a prefix of the givenName attribute and the second part is a prefix of the sn attribute on that object.)

      3. If PLegacy is TRUE, do the following:

        1. If P1 is FALSE and P2 is FALSE, then construct an LDAP search filter clause C' of the form "(|(A1=value*)...(An=value*)(legacyExchangeDN=value)(&(givenName=value1*)(sn=value2*))(&(givenName=value2*)(sn=value1*)))". (This clause resolves to "TRUE" for an object if value equals the value of legacyExchangeDN on that object or value is a prefix of the value of any attribute in the ANR set on that object, or if the two parts of the split value are prefixes of the givenName and sn attributes on that object, regardless of which part matches which attribute.)

        2. If P1 is TRUE and P2 is FALSE, then construct an LDAP search filter clause C' of the form "(|(A1=value*)...(An=value*)(legacyExchangeDN=value)(&(givenName=value2*)(sn=value1*)))". (This clause will resolve to "TRUE" for an object if value equals the value of legacyExchangeDN on that object or value is a prefix of the value of any attribute in the ANR set on that object, or if the first part of the split value is a prefix of the sn attribute and the second part is a prefix of the givenName attribute on that object.)

        3. If P1 is FALSE and P2 is TRUE, then construct an LDAP search filter clause C' of the form "(|(A1=value*)...(An=value*)(legacyExchangeDN=value)(&(givenName=value1*)(sn=value2*)))". (This clause will resolve to "TRUE" for an object if value equals the value of legacyExchangeDN on that object or value is a prefix of the value of any other attribute in the ANR set on that object, or if the first part of the split value is a prefix of the givenName attribute and the second part is a prefix of the sn attribute on that object.)

    4. Remove clause C from F, and insert C' into F at the position vacated by C.

Note that the replacement clause C' always contains equality matches, regardless of the type of match in the original clause C.
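The rewrite rules above (steps 1, 4, 5 and 6), as an added reference implementation that is not part of MS-ADTS or of any DC code: the ANR attribute set S and the fSupFirstLastANR/fSupLastFirstANR flags are constructed inputs passed in directly, and applying the "value*" to "value" substitution of step 6.1 to the split givenName/sn terms as well is this example's reading of the text.

```python
LEGACY = "legacyExchangeDN"


def rewrite_anr_clause(value, anr_set, p1=False, p2=False):
    """Return C' for "(aNR=value)"; p1/p2 are fSupFirstLastANR/fSupLastFirstANR."""
    # Step 1: legacyExchangeDN is only ever matched exactly, so keep it apart.
    plegacy = LEGACY in anr_set
    attrs = [a for a in anr_set if a != LEGACY]
    # Step 6.1: a leading "=" (after spaces) asks for exact rather than prefix
    # matching; the "value*" -> "value" substitution is applied to every term,
    # including the split givenName/sn terms (this example's reading of the rule).
    stripped = value.lstrip(" ")
    if stripped.startswith("="):
        value, star = stripped[1:], ""
    else:
        star = "*"
    terms = [f"({a}={value}{star})" for a in attrs]
    if plegacy:
        terms.append(f"({LEGACY}={value})")
    # Step 6.2: no space, or both heuristics set -> per-attribute terms only.
    if " " in value and not (p1 and p2):
        # Step 6.3.1: split at the first space only; later spaces stay in value2.
        value1, value2 = value.split(" ", 1)
        first_last = f"(&(givenName={value1}{star})(sn={value2}{star}))"
        last_first = f"(&(givenName={value2}{star})(sn={value1}{star}))"
        if not p1 and not p2:          # 6.3.x.1: both orderings
            terms += [first_last, last_first]
        elif p1:                       # 6.3.x.2: first-last ordering suppressed
            terms.append(last_first)
        else:                          # 6.3.x.3: last-first ordering suppressed
            terms.append(first_last)
    return "(|" + "".join(terms) + ")"


def resolve_anr_assertion(assertion, anr_set, p1=False, p2=False):
    """Map raw assertion text to its result: "*" (step 4), "i*f" (step 5), else step 6."""
    if assertion == "*":
        return "FALSE"                 # step 4: aNR itself is present on no object
    if "*" in assertion:
        initial = assertion.split("*", 1)[0]
        if initial == "":
            return "Undefined"         # step 5.1: empty initial substring
        assertion = initial            # step 5.2: clause becomes "(aNR=i)"
    return rewrite_anr_clause(assertion, anr_set, p1, p2)


# Constructed sample: a three-attribute ANR set with both heuristics clear.
if __name__ == "__main__":
    print(resolve_anr_assertion("john doe", ["displayName", "name", LEGACY]))
```

Values are spliced in verbatim, exactly as the rules show them; a real implementation must apply RFC 4515 filter escaping to value before building C'. Note the fan-out: one aNR term becomes n substring terms (plus the legacyExchangeDN equality and up to two givenName/sn conjunctions), which is what makes ANR queries comparatively expensive for a DC.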