java - What is approximate equality in an LDAP filter?

Tags: java ldap jndi

I am using JNDI with LDAP and Active Directory.

According to the filter page, there is a symbol ~= with the following description:

~=      approximate equality (according to the matching rule of the attribute)

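What does this mean?

I was thinking that there is something like a Levenshtein distance between the input and the Active Directory attribute value, and that this distance has to be below a threshold, but it doesn't seem to work that way.

I tried the following example: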

NamingEnumeration<SearchResult> answer = ctx.search(
    "dc=x,dc=y,dc=z",    // name
    "(cn~=John Smith)",  // filter
    searchCtls           // controls
);

returns exactly the same entries as
NamingEnumeration<SearchResult> answer = ctx.search(
    "dc=x,dc=y,dc=z",    // name
    "(cn=John Smith)",   // filter
    searchCtls           // controls
);

That is fine, but nothing is returned if I use any of these:

    "(cn~=jJohn Smith)", // filter

    "(cn~=ohn Smith)",   // filter

    "(cn~=Gohn Smith)",  // filter

    "(cn~=JohnSmith)",   // filter

When I choose an integer instead of that string, the results are similar (for example: abc~=123 instead of cn~=John Smith).

So, I can't see the difference between = and ~=.


Edit:

I found a difference, but it is not the one I expected.

This does not return anything:

    "(cn~=J*n Smith)",   // filter

While this returns the John Smith entry:

    "(cn=J*n Smith)",   // filter

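Best answer

Although approxMatch is mentioned in RFC 4511, there is no specification that defines how to implement or use it. So how approxMatch works is left to the LDAP server implementation.

IMHO, it was "intended" to be used as a "sounds like" algorithm.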

Approximate Match Filters

An approximate match filter may be used to determine whether an entry contains at least one value for a specified attribute that is approximately equal to a given value. The LDAP specifications do not define what exactly "approximately equal to" means, so that is left up to individual server implementations to determine. Many servers use a "sounds like" mechanism with an algorithm based on Soundex or one of the Metaphone variants.

The string representation of an approximate match filter is constructed as follows:

  • An open parenthesis
  • The attribute description (potentially including attribute options)
  • A tilde character
  • An equal sign
  • The value to compare (aka the assertion value)
  • A close parenthesis

For example, it might be reasonable to expect a filter of "(givenName~=John)" to match entries with givenName values of either John or Jon.

Although it seems like a significant oversight or omission, the LDAP specifications do not make any provision for approximate matching rules. A number of directory servers provide this capability anyway so that it may be possible to configure the approximate match behavior on a per-attribute basis, but the inconsistency of approximate matching capabilities between server implementations makes approximate matching something that is often avoided in LDAP-enabled applications.
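To illustrate the "sounds like" matching that the quoted documentation describes, here is an added example (not from the original question or answer, and not any directory server's actual code) that applies American Soundex to each word of a value. The word-by-word comparison, the class and method names, and the sample values are assumptions made for this illustration; a real server may use a different algorithm or none at all.

```java
import java.util.Locale;

public class ApproxMatchDemo {
    // Soundex digit per letter A..Z: '0' = vowel or Y, '-' = H or W (ignored).
    private static final String CODES = "0123012-02245501262301-202";

    // American Soundex: first letter plus up to three digits, zero-padded.
    static String soundex(String word) {
        String s = word.toUpperCase(Locale.ROOT).replaceAll("[^A-Z]", "");
        if (s.isEmpty()) return "";
        StringBuilder out = new StringBuilder().append(s.charAt(0));
        char prev = CODES.charAt(s.charAt(0) - 'A');
        for (int i = 1; i < s.length() && out.length() < 4; i++) {
            char code = CODES.charAt(s.charAt(i) - 'A');
            if (code == '-') continue;              // H/W do not separate equal codes
            if (code != '0' && code != prev) out.append(code);
            prev = code;                            // a vowel lets the same code repeat
        }
        while (out.length() < 4) out.append('0');
        return out.toString();
    }

    // Assumption: values are compared word by word; words without letters
    // (e.g. numbers) fall back to a case-insensitive exact comparison.
    static boolean approxEquals(String stored, String asserted) {
        String[] a = stored.trim().split("\\s+");
        String[] b = asserted.trim().split("\\s+");
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            String ca = soundex(a[i]), cb = soundex(b[i]);
            boolean same = (ca.isEmpty() || cb.isEmpty())
                    ? a[i].equalsIgnoreCase(b[i]) : ca.equals(cb);
            if (!same) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String stored = "John Smith";               // constructed directory value
        String[] asserted = { "John Smith", "Jon Smyth", "jJohn Smith",
                              "ohn Smith", "Gohn Smith", "JohnSmith" };
        for (String value : asserted) {
            System.out.printf("(cn~=%s) -> %s / %s%n", value,
                    soundex(value.split("\\s+")[0]), approxEquals(stored, value));
        }
    }
}
```

Which of the question's test values match here depends entirely on the chosen algorithm, which is why the quoted passage warns that approximate matching is inconsistent between servers.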

Regarding "java - What is approximate equality in an LDAP filter?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33824452/
