Re: root dse search
At 10:41 AM 3/15/01 -0800, Kurt D. Zeilenga wrote:
>At 11:45 AM 3/15/01 -0500, Steve Miller wrote:
>>In terms of ease of interoperability, it may be easier to retain the
>>specific statement '...with filter (objectclass=*)...' instead of
>>'...such as (objectclass=*)...'. This makes it simpler to set up ACIs,
>>for example to allow anonymous access to read 'supportedSASLMechanisms'
>>as specified in RFC2831/RFC2829. (Having just done this on our
>>implementation!) Otherwise, you would either need to allow access to
>>more attributes, or the client would have to know or determine which
>>particular attribute to use in the filter. And it also preserves
>>backwards compatibility with clients that currently use
>>'(objectclass=*)'.
>
> From this I gather you believe the RFC 2251 text:
> These attributes are retrievable if a client performs a base
> object search of the root with filter "(objectClass=*), ...
>
>is somehow to be interpreted as only allowing a "list" (search
>with (objectClass=*)) operation upon the root DSE.
s/list/read/
>I stated a number of reasons why I believe this
>interpretation is not well founded in my post
>"filter (root dse search)". I'll add another here:
>
>Like in DAP, I believe it was intended that all DSEs in
>the server be visible through LDAP including the root DSE.
>This includes not only the "list" operation, but other
>searches, compare, modify, and other applicable operations.
s/list/read/
sorry for any confusion.
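
Steve Miller's ACI point from the quoted text above, as an added example that is not part of the original thread: a small Python model of an anonymous, attribute-level access rule on the root DSE. The entry values, the `ANON_ACI` set, and the rule that a filter naming an inaccessible attribute does not match are assumptions of this sketch, not any server's actual ACI syntax or behaviour.

```python
# Constructed root DSE contents (sample values, not taken from a real server).
ROOT_DSE = {
    "objectClass": ["top"],
    "namingContexts": ["dc=example,dc=com"],
    "supportedLDAPVersion": ["3"],
    "supportedSASLMechanisms": ["DIGEST-MD5"],
}

# Hypothetical anonymous ACI: the only attributes an unauthenticated client
# may use in a filter or read back (names compared case-insensitively).
ANON_ACI = {"objectclass", "supportedsaslmechanisms"}


def presence_filter_attr(flt):
    """Return the lower-cased attribute name of a presence filter '(attr=*)'."""
    if not (flt.startswith("(") and flt.endswith("=*)")):
        raise ValueError("only presence filters are modelled here")
    return flt[1:-3].strip().lower()


def root_dse_search(flt, requested, allowed):
    """Model a base-object search of the root DSE for a client limited to
    the attributes in `allowed`. Returns None when the entry does not match,
    otherwise a dict of the requested attributes the client may read."""
    attr = presence_filter_attr(flt)
    present = {name.lower() for name in ROOT_DSE}
    # Assumption: a filter on an attribute the client cannot access (or that
    # is absent) does not match, so the search returns no entry at all.
    if attr not in allowed or attr not in present:
        return None
    wanted = {name.lower() for name in requested}
    return {name: values for name, values in ROOT_DSE.items()
            if name.lower() in wanted and name.lower() in allowed}


if __name__ == "__main__":
    want = ["supportedSASLMechanisms"]
    # Fixed filter: the narrow ACI is enough.
    print(root_dse_search("(objectClass=*)", want, ANON_ACI))
    # Client picks another filter attribute: same ACI, no entry returned.
    print(root_dse_search("(supportedLDAPVersion=*)", want, ANON_ACI))
    # Making that client work means granting access to more attributes.
    wider = ANON_ACI | {"supportedldapversion"}
    print(root_dse_search("(supportedLDAPVersion=*)", want, wider))
```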