
RFC 2251 Root DSE non-standard
Kurt,

Regarding:

ldapsearch -x -h localhost -b "" -s base +

That is non-standard behavior. I am not saying it is WRONG; not at all.
What I am saying is that every other server I have access to (Active
Directory, iPlanet, and IBM SecureWay) all provide rootDSE stuff with:

	ldapsearch -x -h <hostname> -b "" -s base "(objectClass=*)"

While OpenLDAP returns this:

	dn:
	objectClass: top
	objectClass: OpenLDAProotDSE

Which is totally useless. When I replace the "(objectClass=*)" with "+"
as you indicate, I get what I want from OpenLDAP. However, the "+"
breaks EVERY OTHER server so that they produce no results (or
referrals).

According to RFC 2251:

An LDAP server MUST provide information about itself and other
information that is specific to each server. This is represented as a
group of attributes located in the root DSE (DSA-Specific Entry), which
is named with the zero-length LDAPDN. These attributes are retrievable
if a client performs a base object search of the root with filter
"(objectClass=*)", however they are subject to access control
restrictions. The root DSE MUST NOT be included if the client performs a
subtree search starting from the root.

Doing that search DOES NOT tell a client anything about the server, so
as far as I can tell requiring the "+" does not adhere to the RFC.

Kevin

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Saturday, September 01, 2001 10:00 PM
To: Kevin J. McCarthy
Cc: openldap-software@OpenLDAP.org
Subject: Re: searches fail from all points above suffix (rootDSE)


At 05:13 PM 2001-09-01, Kevin J. McCarthy wrote:
>It seems impossible to start a subtree search at the root.

Yes.  A subtree base must be within a naming context else
noSuchObject (or referral) is returned.

>I can not
>locate any records at all (other than a practically useless rootDSE
>object that has no values other than objectClass:OpenLDAProotDSE)

The root DSE contains mostly operational attributes.  Per RFC2251,
servers must only return operational attributes when requested.
OpenLDAP supports the all operational attributes extension
for discovery purposes:

        ldapsearch -x -h localhost -b "" -s base +

Kurt
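As an added example (not code from either message in this thread, nor from OpenLDAP), the following Python script does the two things a practitioner would want after reading the exchange above: it builds the portable ldapsearch invocation that names the RFC 2251 root DSE attributes explicitly, which works on servers with or without the "+" all-operational-attributes extension Kurt mentions, and it parses LDIF captured from a root DSE search to report which server-information attributes were actually disclosed. The two LDIF samples are constructed for the example, not real server output; the attribute list is the one in RFC 2251 section 3.4, and the StartTLS extension OID comes from RFC 2830.

```python
"""Root DSE audit helper (added example; assumes constructed LDIF input).

Per RFC 2251 the root DSE attributes are operational, so a server returns
them only when the client lists them by name (or, on servers that support
the extension, via "+").  Naming them explicitly is the portable form.
"""
import base64
from collections import defaultdict

# Root DSE attributes named in RFC 2251 section 3.4.
RFC2251_ROOTDSE_ATTRS = (
    "namingContexts", "subschemaSubentry", "altServer", "supportedExtension",
    "supportedControl", "supportedSASLMechanisms", "supportedLDAPVersion",
)
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 2830 StartTLS extended operation


def portable_rootdse_args(host, attrs=RFC2251_ROOTDSE_ATTRS):
    """argv for a base-scope search of "" with (objectClass=*) that names
    every wanted operational attribute, so no "+" extension is needed."""
    return ["ldapsearch", "-x", "-h", host, "-b", "", "-s", "base",
            "(objectClass=*)", *attrs]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}.

    Handles folded lines (a leading space continues the previous line),
    base64 values ("attr:: ...") and comment lines.  Attribute names are
    case-insensitive in LDAP, so keys are lower-cased."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = defaultdict(list)
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # "::" marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry[name.strip().lower()].append(value)
    return dict(entry)


def rootdse_report(ldif_text):
    """Summarise what a root DSE answer discloses and flag notable points."""
    entry = parse_ldif_entry(ldif_text)
    present = {a: entry[a.lower()] for a in RFC2251_ROOTDSE_ATTRS
               if entry.get(a.lower())}
    missing = [a for a in RFC2251_ROOTDSE_ATTRS if a not in present]
    findings = []
    if not present:
        findings.append("no operational attributes returned; request them "
                        "by name (or with '+' on OpenLDAP)")
    if "2" in present.get("supportedLDAPVersion", []):
        findings.append("LDAPv2 (supportedLDAPVersion 2) still advertised")
    mechs = {m.upper() for m in present.get("supportedSASLMechanisms", [])}
    if "PLAIN" in mechs and STARTTLS_OID not in present.get("supportedExtension", []):
        findings.append("PLAIN offered without the StartTLS extension")
    return {"present": present, "missing": missing, "findings": findings}


# Constructed sample 1: the "useless" answer Kevin describes (no attribute
# list given, so only user attributes come back).
SAMPLE_USELESS = """dn:
objectClass: top
objectClass: OpenLDAProotDSE
"""

# Constructed sample 2: an answer to the portable query above, with one
# folded line to exercise LDIF unfolding.  supportedControl is omitted.
SAMPLE_FULL = """dn:
namingContexts: dc=example,dc=com
subschemaSubentry: cn=Subschema
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
supportedExtension: 1.3.6.1.4.1.
 1466.20037
"""

if __name__ == "__main__":
    print(" ".join(portable_rootdse_args("ldap.example.com")))
    for sample in (SAMPLE_USELESS, SAMPLE_FULL):
        print(rootdse_report(sample))
```

Capture the LDIF with `ldapsearch ... > rootdse.ldif` and feed the file's contents to `rootdse_report` to see what an anonymous client learns about the server; the parser is deliberately minimal and handles a single entry, which is all a base-scope search of "" returns.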