How does the Active Directory "-approx" filter operator work?


Question

While going over the AD Cmdlet -Filter operators earlier today, I came across one I've not seen before: -approx. I can find this operator mentioned on several blogs, and in some TechNet articles, but nothing I find explains what this operator is used for. I also cannot find any examples of its use beyond its definition of use as "approximately equal to", or ~=. The only time I've used the ~= operator when programming is in Ruby, which does a regular expression match, but regex matching doesn't seem to be how it's used in this case. The only way I've gotten it to return anything is if I provide the exact value of the property I'm filtering on, like in this example:

 Get-AdUser -Filter "samaccountname -approx 'myexactsamaccountname'"

What is the proper usage of this operator, and what examples might there be of using it as an Active Directory administrator?

Recommended answer

This is probably not as exciting as you might have hoped, but...

From the Active Directory Technical Specification §3.1.1.3.1.3.1:

Active Directory supports the approxMatch filter clause of [RFC2251] section 4.5.1. However, it is implemented identically to equalityMatch; for example, the filter is true if the values are equal. No approximation is performed. Filter clauses of the form "(X=Y)" and "(X~=Y)" can be freely substituted for each other.

(emphasis added)

So, it is simply there because RFC2251 defines (and RFC4511 describes) approxMatch as part of the supported set of operators in LDAPv3 - and Microsoft wanted to be able to claim that the LDAP server implementation in Active Directory conforms to both LDAPv2 and LDAPv3 - so they added it without changing its behavior (the implementation details of which the relevant RFCs never prescribe anyways). This is in line with the description found in RFC4511:

An approxMatch filter is TRUE when there is a value of the attribute type or subtype for which some locally-defined approximate matching algorithm (e.g., spelling variations, phonetic match, etc.) returns TRUE. If a value matches for equality, it also satisfies an approximate match. If approximate matching is not supported for the attribute, this filter item should be treated as an equalityMatch.

The original intent was likely to allow common or local approximations, or possibly to allow for equivalence-matching across multiple alphabets, i.e. a search for:

(givenName~=thorbjorn)

Would return anyone with the given name Torbjorn, Þórrbjorn, or Thorbjørn
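
The gap between the RFC4511 wording and the Active Directory behaviour quoted in this answer, as an added Python example (not part of the original post and not Microsoft's code). The sample entries, the `folded_key` algorithm and the case-insensitive model of equality are assumptions made for illustration; the directory's real collation rules are not reproduced.

```python
import itertools
import unicodedata

# Constructed sample entries (not real accounts).
ENTRIES = [
    {"sAMAccountName": "u1", "givenName": "Thorbjorn"},
    {"sAMAccountName": "u2", "givenName": "Torbjorn"},
    {"sAMAccountName": "u3", "givenName": "Þórrbjorn"},
    {"sAMAccountName": "u4", "givenName": "Thorbjørn"},
    {"sAMAccountName": "u5", "givenName": "Robert"},
]

def parse_item(flt):
    """Parse one simple filter item, (attr=value) or (attr~=value)."""
    if len(flt) < 5 or flt[0] != "(" or flt[-1] != ")":
        raise ValueError("expected a parenthesised filter item")
    body = flt[1:-1]
    i = body.find("=")
    op = "~=" if i > 0 and body[i - 1] == "~" else "="
    attr, value = body[:i + 1 - len(op)], body[i + 1:]
    if i < 0 or not attr.replace("-", "").isalnum() or not value:
        raise ValueError("only = and ~= items are handled here")
    return attr, op, value

def folded_key(s):
    """Hypothetical 'locally-defined' approximation: fold case, letters, marks."""
    s = s.casefold().replace("þ", "th").replace("ø", "o")
    s = "".join(c for c in unicodedata.normalize("NFKD", s)
                if not unicodedata.combining(c))
    s = s.replace("th", "t")  # treat "th" and "t" as the same sound
    return "".join(ch for ch, _ in itertools.groupby(s))  # collapse doubled letters

def search(flt, entries, approx_key=None):
    """Return the sAMAccountName of every entry matching the filter item.

    approx_key=None models the behaviour quoted above: "~=" is evaluated
    exactly like "=". Passing a key function models a server that does
    implement an approximate matching rule for "~=".
    """
    attr, op, value = parse_item(flt)
    key = approx_key if (op == "~=" and approx_key) else str.casefold
    return [e["sAMAccountName"] for e in entries
            if attr in e and key(e[attr]) == key(value)]

if __name__ == "__main__":
    print(search("(givenName=thorbjorn)", ENTRIES))               # equality
    print(search("(givenName~=thorbjorn)", ENTRIES))              # ~= handled as =
    print(search("(givenName~=thorbjorn)", ENTRIES, folded_key))  # approximate rule
```

With `approx_key=None` the `=` and `~=` searches return the same single entry; only the hypothetical approximate rule returns all four spellings of the name.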
