It depends on the entry in question: does it have a DN attribute, i.e.,
does it have attributes that use DN syntax, e.g., seeAlso?
OK, I'm being deliberate pedantic and obtuse. I'll smarten up now.
The DN of an entry is not an attribute of the entry; rather, it is
composed of distinguished attributes from its entry, and every one of its
ancestor entries. This means that you cannot perform searches using an
entry's DN as you have done; you need to do it another way (see footnote a
para or two down).
In the example you cite, try search for "cn=Joe" with search base <o=xyz,
c=us> and scope set to single level, or for "cn=Joe" or "objectClass=*",
search base <cn=Joe, o=xyz, c=ca> and scope set to base object; in either
case, you should find the entry in question.
Footnote 1: X.500(1993) allows you to specify, as a service control, that
attributes of the DN should be considered as attributes of the entry when
searching; this would you to search for something like
"(&(cn=joe)(o=xyz)). Unfortunately, the current version of LDAP (V2, RFC
1777), does not support this service extension, you'll have to wait for V3
(now an Internet draft, being worked on even as we speak).
Footnote 2: with slapd, it is trivial to cause the attributes of the DN
to be added to the entry as its own attributes, so that the search
described in footnote 1 could be done by default, no protocol changes
required; we are thinking of adding this to our slapd (it's just more
work, and we have a product to ship).
In the case of both footnotes, you would still break the DN into
individual AVAs to build your filter, and not search on the DN as a whole.
There are attributes (seeAlso, for one), that have DN syntax, but that is
a whole other kettle of sea animals.
pww