LDAP search has some built-in rules, one of which is LDAP_MATCHING_RULE_IN_CHAIN.
From MSDN:
1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN This rule is limited to filters that apply to DNs. It is a special "extended" match operator that walks the chain of ancestors of an object all the way to the root until it finds a match.
They go on to say that it is intended for recursive search without repeatedly returning to the server:
LDAP_MATCHING_RULE_IN_CHAIN is an identifier for a matching rule that is designed to provide a way to look up the pedigree of an object .... Previously, applications performed transitive group expansion to determine group membership, which used too much network bandwidth; applications needed to make several round trips to the server to find out whether an object fell "in the chain" when the link was followed to the end.
They also say that it has two obvious use cases:
- check whether user "user1" is a member of group "group1"
- find all groups of which "user1" is a member
, many , LDAP_MATCHING_RULE_IN_CHAIN ( 10x) "" , , , LDAP_MATCHING_RULE_IN_CHAIN.
, LDAP_MATCHING_RULE_IN_CHAIN ? - ? , ? - - - LDAP_MATCHING_RULE_IN_CHAIN, , , ?
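The two use cases quoted above, worked through as an added example (this is not code from the question or from MSDN). It builds the `memberOf`/`member` filters that Active Directory evaluates with the chain rule, escapes the DN that goes into the filter per RFC 4515 so that a DN taken from input cannot inject extra filter clauses, and, for contrast, shows the client-side recursive walk the rule was meant to replace. The attribute names and the small directory are assumptions and constructed sample data; nothing here talks to a real server.

```python
"""Added example: LDAP_MATCHING_RULE_IN_CHAIN filters for the two use cases
in the question, plus the client-side expansion they replace.
Assumes Active Directory's memberOf/member attributes; all DNs are
constructed sample data."""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value before embedding it in an LDAP search filter.

    A DN pasted into a filter unescaped could close the clause early and add
    its own '(|(...))' terms (LDAP filter injection); escaping makes it inert.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_member_query(user_dn, group_dn):
    """Use case 1: is user_dn a direct or nested member of group_dn?

    Run with base=user_dn and scope=base: exactly one returned entry means yes,
    zero means no. The server walks the nesting; the client makes one call.
    """
    flt = "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                 escape_filter_value(group_dn))
    return {"base": user_dn, "scope": "base", "filter": flt}


def groups_of_user_query(user_dn, search_base):
    """Use case 2: every group user_dn belongs to, nesting included.

    Run with base=search_base and scope=subtree; each hit is one group.
    """
    flt = "(&(objectClass=group)(member:%s:=%s))" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                                     escape_filter_value(user_dn))
    return {"base": search_base, "scope": "subtree", "filter": flt}


def transitive_groups(member_attr, user_dn):
    """Client-side equivalent the matching rule replaces.

    member_attr maps group DN -> list of member DNs and stands in for reading
    each group's 'member' attribute, i.e. one round trip per nesting level.
    The 'seen' set guards against cyclic nesting, which AD allows.
    """
    parents = {}
    for group_dn, members in member_attr.items():
        for m in members:
            parents.setdefault(m, []).append(group_dn)
    seen, stack = set(), [user_dn]
    while stack:
        dn = stack.pop()
        for g in parents.get(dn, []):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen


# Constructed sample directory: user1 is in group2, group2 is in group1,
# and group1 is (cyclically) in group2.
USER1 = "CN=user1,OU=Users,DC=example,DC=com"
GROUP1 = "CN=group1,OU=Groups,DC=example,DC=com"
GROUP2 = "CN=group2,OU=Groups,DC=example,DC=com"
SAMPLE_MEMBER_ATTR = {
    GROUP1: [GROUP2],
    GROUP2: [USER1, GROUP1],
}

if __name__ == "__main__":
    print(is_member_query(USER1, GROUP1)["filter"])
    print(groups_of_user_query(USER1, "DC=example,DC=com")["filter"])
    print(sorted(transitive_groups(SAMPLE_MEMBER_ATTR, USER1)))
```

The chain-rule query answers use case 1 with a single base-scope search against the user object, whereas `transitive_groups` needs one read per nesting level and has to track visited DNs itself; the escaping step is the part most often skipped when a DN comes from user input.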