[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: RFC 2251 Root DSE non-standard
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kevin J.
> McCarthy
> Kurt,
Excuse me for butting in here...
> Regarding:
>
> ldapsearch -x -h localhost -b "" -s base +
This is an invalid search. I'm surprised you get a response from it.
>
> That is non-standard behavior. I am not saying it is WRONG; not at all.
> What I am saying is that every other server I have access to (Active
> Directory, iPlanet, and IBM secureWay) all provide rootDSE stuff with:
>
> ldapsearch -x -h <hostname> -b "" -s base "(objectClass=*)"
>
> While OpenLDAP returns this:
>
> dn:
> objectClass: top
> objectClass: OpenLDAProotDSE
>
> Which is totally useless. When I replace the "(objectClass=*)" with "+"
> as you indicate, I get what I want from OpenLDAP. However, the "+"
> breaks EVERY OTHER server so that they produce no results (or
> referrals).
You should not be replacing "(objectclass=*)", that is the search filter.
You
are required to provide a filter with your search request. The "+" specifies
the attribute list, i.e., the list of attributes you're interested in. In
this
case, "+" is a wildcard that stands for all of the operational attributes.
Your request should have been
ldapsearch -x -h <hostname> -b "" -s base "(objectClass=*)" +
> According to RFC 2251:
>
> An LDAP server MUST provide information about itself and other
> information that is specific to each server. This is represented as a
> group of attributes located in the root DSE (DSA-Specific Entry), which
> is named with the zero-length LDAPDN. These attributes are retrievable
> if a client performs a base object search of the root with filter
> "(objectClass=*)", however they are subject to access control
> restrictions. The root DSE MUST NOT be included if the client performs a
> subtree search starting from the root.
>
> Doing that search DOES NOT tell a client anything about the server, so
> as far as I can tell requiring the "+" does not adhere to the RFC.
>
> Kevin
The "+" is not *required*, it's just a convenient shorthand, simpler than
typing
out "namingcontexts supportedLDAPversion ..." But, an attribute list of some
form
or another *is* required.
The information in the root DSE that you are looking for consists of
operational attributes. A server that returns operational attributes when
they have not been requested is violating the LDAP protocol. See RFC2251
the end of section 4.5.1. It's also stated in section 3.2.1.
Client implementors should note that even if all user attributes are
requested, some attributes of the entry may not be included in
search results due to access control or other restrictions.
*** Furthermore, servers will not return operational attributes, such
as objectClasses or attributeTypes, unless they are listed by name,
since there may be extremely large number of values for certain
operational attributes. (A list of operational attributes for use
in LDAP is given in [5].)
ps: [5] above is RFC2252, LDAPv3 Attributes...
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc