RFC 2251 Root DSE non-standard
- To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subject: RFC 2251 Root DSE non-standard
- From: "Kevin J. McCarthy" <kevin@kogz.com>
- Date: Sun, 2 Sep 2001 01:29:44 -0500
- Cc: <openldap-software@OpenLDAP.org>
- Content-class: urn:content-classes:message
- Thread-index: AcEzW3oIavici1z8QleY2hb4TZ46pwAGkjAw
- Thread-topic: searches fail from all points above suffix (rootDSE)
Kurt,
Regarding:
ldapsearch -x -h localhost -b "" -s base +
That is non-standard behavior. I am not saying it is WRONG; not at all.
What I am saying is that every other server I have access to (Active
Directory, iPlanet, and IBM SecureWay) provides rootDSE stuff with:
ldapsearch -x -h <hostname> -b "" -s base "(objectClass=*)"
While OpenLDAP returns this:
dn:
objectClass: top
objectClass: OpenLDAProotDSE
Which is totally useless. When I replace the "(objectClass=*)" with "+"
as you indicate, I get what I want from OpenLDAP. However, the "+"
breaks EVERY OTHER server so that they produce no results (or
referrals).
According to RFC 2251:
An LDAP server MUST provide information about itself and other
information that is specific to each server. This is represented as a
group of attributes located in the root DSE (DSA-Specific Entry), which
is named with the zero-length LDAPDN. These attributes are retrievable
if a client performs a base object search of the root with filter
"(objectClass=*)", however they are subject to access control
restrictions. The root DSE MUST NOT be included if the client performs a
subtree search starting from the root.
Doing that search DOES NOT tell a client anything about the server, so
as far as I can tell requiring the "+" does not adhere to the RFC.
Kevin
-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Saturday, September 01, 2001 10:00 PM
To: Kevin J. McCarthy
Cc: openldap-software@OpenLDAP.org
Subject: Re: searches fail from all points above suffix (rootDSE)
At 05:13 PM 2001-09-01, Kevin J. McCarthy wrote:
>It seems impossible to start a subtree search at the root.
Yes. A subtree base must be within a naming context else
noSuchObject (or referral) is returned.
>I can not
>locate any records at all (other than a practically useless rootDSE
>object that has no values other than objectClass:OpenLDAProotDSE)
The root DSE contains mostly operational attributes. Per RFC2251,
servers must only return operational attributes when requested.
OpenLDAP supports the all operational attributes extension
for discovery purposes:
ldapsearch -x -h localhost -b "" -s base +
Kurt
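As an added illustration (not code from either message, nor OpenLDAP's own), here is the exact request the thread is about, a baseObject search of the zero-length DN with filter (objectClass=*), built as raw LDAPv3 BER so it can be sent to any server, plus a decoder for the reply. The attribute names are the root DSE attributes RFC 2251 lists; "+" is the OpenLDAP all-operational-attributes selector from Kurt's command; host/port and the assumption that the server closes the connection after an UnbindRequest are mine.

```python
import socket

def ber_len(n):  # BER definite-form length: short form below 128, long form above
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
def tlv(tag, payload): return bytes([tag]) + ber_len(len(payload)) + payload
def ber_int(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # non-negative only
def ber_str(s): return tlv(0x04, s.encode())

def root_dse_search_request(attrs, message_id=1):
    # LDAPMessage { messageID, SearchRequest } for a baseObject search of the root DSE
    search = (ber_str("")                                  # baseObject: zero-length DN
              + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")    # scope baseObject, derefAliases never
              + ber_int(0) + ber_int(0)                    # sizeLimit, timeLimit: none
              + tlv(0x01, b"\x00")                         # typesOnly: FALSE
              + tlv(0x87, b"objectClass")                  # filter: present [7] = (objectClass=*)
              + tlv(0x30, b"".join(ber_str(a) for a in attrs)))  # attributes to return
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search))  # SearchRequest = [APPLICATION 3]

def ber_read(buf, pos=0):
    # Decode one TLV at pos -> ((tag, value), next_pos); constructed tags (bit 0x20) recurse
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F              # long-form length uses n extra bytes
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    pos, end, items = pos + 2 + n, pos + 2 + n + length, []
    if not tag & 0x20:
        return (tag, buf[pos:end]), end
    while pos < end:
        item, pos = ber_read(buf, pos)
        items.append(item)
    return (tag, items), end

def parse_search_entries(reply):
    # Collect {attribute: [values]} from every SearchResultEntry ([APPLICATION 4] = 0x64)
    out, pos = {}, 0
    while pos < len(reply):
        (_, msg), pos = ber_read(reply, pos)
        op_tag, op = msg[1]                 # msg = [messageID, protocolOp, optional controls]
        if op_tag == 0x64:                  # SearchResultDone (0x65) carries no attributes
            for _, (atype, (_, vals)) in op[1][1]:
                out.setdefault(atype[1].decode(), []).extend(v.decode(errors="replace") for _, v in vals)
    return out

def query_root_dse(host, attrs, port=389):
    # Send the search followed by an UnbindRequest ([APPLICATION 2] NULL); the server closes, so read to EOF
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(root_dse_search_request(attrs) + tlv(0x30, ber_int(2) + b"\x42\x00"))
        reply = b"".join(iter(lambda: s.recv(65536), b""))
    return parse_search_entries(reply)
if __name__ == "__main__":  # explicit names are portable; "+" is the OpenLDAP extension from this thread
    print(query_root_dse("localhost", ["namingContexts", "supportedLDAPVersion", "supportedSASLMechanisms", "+"]))
```

Because the root DSE is subject to access control, what comes back with the explicitly named attributes is the server's advertised surface for an anonymous bind; comparing that against the "+" result on OpenLDAP shows which operational attributes the server only reveals on request.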