This document describes a control for the Lightweight Directory
   Access Protocol version 3 that is used to return a subset of
   attribute values from an entry.  Specifically, only those values that
   match a "values return" filter.  Without support for this control, a
   client must retrieve all of an attribute's values and search for
   specific values locally.

           ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem

           SimpleFilterItem ::= CHOICE {
                   equalityMatch   [3] AttributeValueAssertion,
                   substrings      [4] SubstringFilter,
                   greaterOrEqual  [5] AttributeValueAssertion,
                   lessOrEqual     [6] AttributeValueAssertion,
                   present         [7] AttributeDescription,
                   approxMatch     [8] AttributeValueAssertion,
                   extensibleMatch [9] SimpleMatchingAssertion }

            SimpleMatchingAssertion ::= SEQUENCE {
                   matchingRule    [1] MatchingRuleId OPTIONAL,
                   type            [2] AttributeDescription OPTIONAL,
   --- at least one of the above must be present
                   matchValue      [3] AssertionValue}

   If the server supports this control, the server MUST make use of the
   control as follows:

   1) The Search Filter is first executed in order to determine which
      entries satisfy the Search criteria (these are the filtered
      entries).  The control has no impact on this step.

   2) If the typesOnly parameter of the Search Request is TRUE, the
      control has no effect and the Search Request is processed as if
      the control had not been specified.

   3) If the attributes parameter of the Search Request consists of a
      list containing only the attribute with OID "1.1" (specifying that
      no attributes are to be returned), the control has no effect and
      the Search Request is processed as if the control had not been
      specified.

   4) For each attribute listed in the attributes parameter of the
      Search Request, the server MUST apply the control as follows to
      each entry in the set of filtered entries:

      i)  Every attribute value that evaluates TRUE against one or more
          elements of the ValuesReturnFilter is placed in the
          corresponding SearchResultEntry.

      ii) Every attribute value that evaluates FALSE or undefined
          against all elements of the ValuesReturnFilter is not placed
          in the corresponding SearchResultEntry.  An attribute that has
          no values selected is returned with an empty set of values.

   Note.  If the AttributeDescriptionList is empty or
   comprises "*", then the control MUST be applied against every user
   attribute.  If the AttributeDescriptionList contains a "+", then the
   control MUST be applied against every operational attribute.

   dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
   cn: Sean Mullan
   sn: Mullan
   objectClass: organizationalPerson
   objectClass: person
   objectClass: inetOrgPerson
   mail: sean.mullan@hotmail.com
   mail: mullan@east.sun.com
   telephoneNumber: + 781 442 0926
   telephoneNumber: 555-9999

   ldap://<host>:<port>/dc=ac,dc=uk??sub?(sn=mullan)

 
    ((mail=*hotmail.com)(telephoneNumber=*))

   dn: cn=Sean Mullan,ou=people,dc=sun,dc=ac,dc=uk
   mail: sean.mullan@hotmail.com
   telephoneNumber: + 781 442 0926
   telephoneNumber: 555-9999

   dn: cn=subschema subentry,o=myorg
   cn: subschema subentry
   objectClass: subschema
   attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name )
   attributeTypes: ( 2.5.4.6 NAME 'c' SUP name SINGLE-VALUE )
   attributeTypes: ( 2.5.4.0 NAME 'objectClass' EQUALITY obj
    ectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
   attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' EQUALITY gen
    eralizedTimeMatch ORDERING generalizedTimeOrderingMatch SYN
    TAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-
    MODIFICATION USAGE directoryOperation )
   attributeTypes: ( 2.5.21.6 NAME 'objectClasses' EQUALITY obj

    ectIdentifierFirstComponentMatch SYNTAX 1.3.
    6.1.4.1.1466.115.121.1.37 USAGE directoryOperation )
   attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMat
    ch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.
    6.1.4.1.1466.115.121.1.44{64} )
   attributeTypes: ( 2.5.21.5 NAME 'attributeTypes' EQUALITY obj
    ectIdentifierFirstComponentMatch SYNTAX 1.3.
    6.1.4.1.1466.115.121.1.3 USAGE directoryOperation )
    ...

ldap:///cn=subschema subentry,o=myorg??base?(objectClass=subschema)

 
           ((attributeTypes=1.2.3.4.5))

   dn: cn=subschema subentry,o=myorg
   attributeTypes: ( 1.2.3.4.5 NAME 'gunk' EQUALITY caseIgnoreMat
      ch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.
      6.1.4.1.1466.115.121.1.44{64} )