Compatibility Rule Matching

Because the names of resource access control rules and ACE actors can include wildcard sequences, the MLDAP ESM Module must examine all the matching rules and ACEs and decide which one best applies to a request. Version 2 of the Module, introduced in Enterprise Server 2.3, provides a new, simpler mechanism for this process, which tries to find the intuitively best match, the one that is closest to the resource, user, or group name being matched. This new algorithm is used by default (except in hotfix releases of Enterprise Server 2.2 Update 2 that include a version-2 MLDAP ESM Module).

Older versions of the MLDAP ESM Module used a more complex algorithm. In rare cases, a complicated, ambiguous set of resource rule definitions might produce different results under the new algorithm, so the older mechanism is still supported and can be enabled in the Security Manager configuration using the Version 1 authentication option.

The topics below explain the older matching mechanism in more detail.