
Re: root DSE



At 05:49 PM 9/13/00 +0530, Anand Raman wrote:
>I read that ldap v3 servers can be queried for the types of authentication
>support, and schemas they support. For this the root dse needs to be
>queried

The root DSE contains a number of operational attributes.  If
you're after supported SASL mechanisms, supported controls,
supported extensions, etc., your application can request
the appropriate attributes which provide the information.

(OpenLDAP 2.x usage, 1.2 does have a root DSE):

ldapsearch -x -b '' -s base '(objectclass=*)' \
  supportedSASLMechanisms supportedControl supportedExtension

If you want to "discover" the available attributes, use:

ldapsearch -x -b '' -s base '(objectclass=*)' '+' '*'

Note: this should work on most LDAPv3 servers.  Applications
(excepting maybe general purpose browsers) should just request
desired attributes as use of + (and *) may return MANY attributes
which are not needed.

To discover the schema controlling a particular entry, you
need to obtain the value of the subschemaSubentry operational
attribute of the entry and use this value, a DN, as a target
of the search.  The search must be scope base with a filter
of "(objectclass=subschema)" and you must list the operational
attribute types you desire.  Where the subschemaSubentry value
is $DN:

ldapsearch -x -b "$DN" -s base '(objectclass=subschema)' \
        attributeTypes objectClasses ...

would obtain the attribute types and object classes.  Be
prepared for the return of many values...

Note that the subschemaSubentry of the root DSE is the schema
controlling the root DSE itself.  In OpenLDAP 2.0, there is
only one subschema... but other servers (and future versions
of OpenLDAP) may support multiple subschemas.  So, use the above
procedure to be safe.

Kurt
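
The two-step schema lookup described in the message above, as an added example that is not part of the original post: it reads subschemaSubentry from ldapsearch's LDIF output, handling folded and base64-encoded values, before using it as the search base. The function names, the use of `-LLL`, a `base64` utility accepting `-d`, and the sample LDIF (constructed, not captured from a server) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes OpenLDAP's ldapsearch
# and a base64 utility that accepts -d; function names are hypothetical.

# Join LDIF continuation lines: a line starting with one space continues the previous one.
ldif_unfold() {
    awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { if (NR) printf "\n" }'
}

# Print every value of attribute $1 from LDIF on stdin.
# Attribute names are case-insensitive; "name:: value" is base64-encoded.
ldif_attr() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ldif_unfold | while IFS= read -r line; do
        name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        [ "$name" = "$want" ] || continue
        value=${line#*:}
        case $value in
            :*) value=${value#:}
                value=${value#"${value%%[! ]*}"}   # trim leading spaces
                printf '%s\n' "$(printf '%s' "$value" | base64 -d)" ;;
            *)  value=${value#"${value%%[! ]*}"}
                printf '%s\n' "$value" ;;
        esac
    done
}

# Step 1: read subschemaSubentry from the root DSE. Step 2: search that DN.
schema_for_root_dse() {
    dn=$(ldapsearch -x -LLL -b '' -s base '(objectclass=*)' subschemaSubentry |
         ldif_attr subschemaSubentry | head -n 1)
    [ -n "$dn" ] || { echo "no subschemaSubentry returned" >&2; return 1; }
    ldapsearch -x -LLL -b "$dn" -s base '(objectclass=subschema)' \
        attributeTypes objectClasses
}

# Constructed root DSE output (not captured from a real server): one folded
# value and one base64 value, the two cases a naive grep gets wrong.
SAMPLE_FOLDED='dn:
supportedSASLMechanisms: DIGEST-MD5
subschemaSubentry: cn=Subschema,
 dc=example,dc=com'
SAMPLE_B64='dn:
subschemaSubentry:: Y249U3Vic2NoZW1h'

printf '%s\n' "$SAMPLE_FOLDED" | ldif_attr subschemaSubentry
printf '%s\n' "$SAMPLE_B64" | ldif_attr SubschemaSubentry
```

Call `schema_for_root_dse` against a reachable server to run both searches; the DN is passed quoted because subschema DNs may contain spaces.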