An LDAP compare operation may be used to determine whether a specified entry has a particular attribute value. The elements contained in a compare request include:

  • The DN of the entry for which the determination is to be made.
  • The attribute description (the attribute type name and zero or more attribute options) of the attribute for which to make the determination.
  • The assertion value for which to make the determination.

When the compare operation completes, the server will return a basic response that includes a result code, and optional matched DN, diagnostic message, referrals, and/or response controls. Some of the most common types of responses for a compare operation include:

  • If the target entry exists and does contain the specified attribute value, then the server should return a “compareTrue” result.
  • If the target entry exists and does not contain the specified attribute value, then the server should return a “compareFalse” result.
  • If the target entry does not exist, then the server should return a “noSuchObject” result. If any of the ancestors of the target entry do exist, then the result may include a matched DN element with the DN of the closest existing ancestor (the most subordinate one).
  • If the specified entry DN is malformed, then the server should return an “invalidDNSyntax” result.
  • If the target attribute type is not defined in the server schema, then the server should return an “undefinedAttributeType” result.
  • If the requester does not have permission to make the determination, then the server should return an “insufficientAccessRights” result.

Note that it is possible to accomplish a similar result with a search operation (by specifying a search base of the target entry DN, a baseObject scope, and a filter like “(attributeDescription=assertionValue)”). However, the compare operation may be able to accomplish this more efficiently than a search because if the filter matches, then the search operation will have two response messages (a search result entry message containing some or all of the matching entry, and a search result done message to indicate that the search is complete) whereas the compare operation needs only a single response message. In addition, it is conceivable that a server’s access control configuration may allow a client to perform a compare operation even if it would not allow the client to retrieve the target entry. But if the client will need to retrieve attributes from the target entry, then a search operation is the better choice because the compare operation does not return any information from the target entry.
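To make the request elements and the response result codes above concrete, here is an added example (not code from the original page) that BER-encodes a CompareRequest and parses the LDAPResult carried in a CompareResponse as defined in RFC 4511; the DN, attribute and values are constructed sample data, and the response bytes are produced by a small constructed encoder standing in for a server.

```python
# Added example, not from the page: BER encode/decode of LDAP compare messages (RFC 4511).
RESULT_NAMES = {                       # result codes discussed on the page
    5: "compareFalse", 6: "compareTrue", 17: "undefinedAttributeType",
    32: "noSuchObject", 34: "invalidDNSyntax", 50: "insufficientAccessRights",
}

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def compare_request(msg_id: int, dn: str, attr: str, value: bytes) -> bytes:
    """LDAPMessage { messageID, compareRequest [APPLICATION 14] { entry, ava } }."""
    ava = tlv(0x30, tlv(0x04, attr.encode()) + tlv(0x04, value))  # AttributeValueAssertion
    op = tlv(0x6E, tlv(0x04, dn.encode()) + ava)  # 0x6E: APPLICATION 14, constructed
    return tlv(0x30, ber_int(msg_id) + op)

def compare_response(msg_id: int, rc: int, matched_dn: str = "", diag: str = "") -> bytes:
    """Constructed server reply: LDAPResult inside compareResponse [APPLICATION 15]."""
    result = tlv(0x0A, bytes([rc])) + tlv(0x04, matched_dn.encode()) + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x6F, result))  # single-octet result codes only

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after this element)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def compare_result(msg: bytes) -> tuple[int, str, str, str]:
    """Parse a compareResponse into (resultCode, name, matchedDN, diagnosticMessage)."""
    tag, body, _ = read_tlv(msg, 0)
    _, _, pos = read_tlv(body, 0)            # skip messageID
    op, result, _ = read_tlv(body, pos)
    if tag != 0x30 or op != 0x6F:
        raise ValueError("not an LDAPMessage carrying a compareResponse")
    _, code, pos = read_tlv(result, 0)       # resultCode ENUMERATED (0x0A)
    _, matched, pos = read_tlv(result, pos)  # matchedDN
    _, diag, _ = read_tlv(result, pos)       # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return rc, RESULT_NAMES.get(rc, f"other({rc})"), matched.decode(), diag.decode()
```

A noSuchObject reply with a matched DN decodes to the closest existing ancestor, which is exactly the element the text says a client may use to learn how much of the DN exists.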