
RE: root dse search
Kurt,

The filter (objectClass=*) was meant to be special and to indicate that
retrieving the root DSE was intended. As regards extending this filter, I
note that the root DSE has no object class and so a literal interpretation
of the filter would not have the desired effect.

I think that the 4.5.1 statement regarding the return of operational
attributes was itself overridden in the case of the root DSE. For example,
namingContexts is an operational attribute but (is this Netscape's doing)
clients expect it to be returned. I changed my implementation for
interoperability. I think Mark Wahl has written on the LDAPext list that
operational attributes in the root DSE are treated as user attributes.

Ron.

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Thursday, 15 March 2001 10:20
To: ietf-ldapbis@OpenLDAP.org
Subject: root dse search
The RFC 2251, 3.4 statement:
   These attributes are retrievable if a client performs a base
   object search of the root with filter "(objectClass=*)", however
   they are subject to access control restrictions.

has been interpreted by some that these attributes are not
subject to other restrictions.  It is clear that there are quite
a few other restrictions which are or may be placed upon these
attributes, including:
  - administrative limits,
  - applicability to client's context (certain SASL mechanisms,
    controls, and extensions may only be visible when available),
  - restrictions imposed by search controls, and
  - basic attribute usage semantics (including restrictions upon
    the return of operational attributes).

A simple clarifying replacement would be:
   These attributes are retrievable if a client performs a base
   object search of the root with filter "(objectClass=*)", however
   they are subject to access control and other restrictions.

However, I have also noticed that this statement has been
interpreted by some that no other filters may be used.  Some
implementations appear to ignore the filter completely
(returning the root DSE even when the filter clearly doesn't
match).

Hence, I suggest this statement be replaced with:
   These attributes are retrievable if a client performs a base
   object search of the root DSE with a matching filter such as
   (objectClass=*).  These attributes, like other attributes,
   are subject to access control and other restrictions.

It might also be appropriate to reiterate the 4.5.1 statement
in regards to semantics of operational attributes as well:
  Furthermore, servers will not return operational attributes
  unless they are listed by name (see Section 4.5.1).

I also note that implementations may support operations upon
the Root DSE, so the addition of the following might be
appropriate as well:
  Implementations may support additional operations (e.g.
  compare, modify) upon the root DSE.

Kurt
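As an added illustration (not part of the thread or of any server's code), the following Python model evaluates a base-object search against a root DSE to show the two behaviours discussed above: a literal reading of "(objectClass=*)" fails because the root DSE carries no objectClass, and under RFC 2251 4.5.1 operational attributes come back only when listed by name. The root DSE attribute values are constructed sample data.

```python
import re

# Constructed root DSE (sample values, not from any real server): it has no
# objectClass, and every attribute it does carry is an operational attribute.
ROOT_DSE = {
    "namingContexts": ["dc=example,dc=com"],
    "supportedLDAPVersion": ["3"],
    "supportedSASLMechanisms": ["DIGEST-MD5", "EXTERNAL"],
}
OPERATIONAL = {"namingContexts", "supportedLDAPVersion", "supportedSASLMechanisms"}

_PRESENCE = re.compile(r"^\((\w+)=\*\)$")
_EQUALITY = re.compile(r"^\((\w+)=([^*)]+)\)$")

def matches(entry, filt, literal=True):
    """Evaluate a presence or equality filter against an entry.
    literal=True applies the filter as written; literal=False treats
    (objectClass=*) as the special 'root DSE requested' case Ron describes."""
    m = _PRESENCE.match(filt)
    if m:
        attr = m.group(1).lower()
        if not literal and attr == "objectclass":
            return True
        return any(a.lower() == attr for a in entry)
    m = _EQUALITY.match(filt)
    if m:
        attr, value = m.group(1).lower(), m.group(2).lower()
        vals = next((v for a, v in entry.items() if a.lower() == attr), [])
        return any(v.lower() == value for v in vals)
    raise ValueError("unsupported filter: " + filt)

def root_dse_search(filt, requested=("*",), literal=True, operational_as_user=False):
    """Base-object search of the root DSE. Returns the attributes to send,
    or None when the filter does not match. '*' selects all user attributes;
    per RFC 2251 4.5.1 operational attributes are returned only when listed by
    name, unless operational_as_user=True models the interoperability
    behaviour Ron mentions (root DSE operational attributes treated as user
    attributes)."""
    if not matches(ROOT_DSE, filt, literal):
        return None
    want = {r.lower() for r in requested}
    out = {}
    for attr, vals in ROOT_DSE.items():
        named = attr.lower() in want
        is_user = attr not in OPERATIONAL or operational_as_user
        if named or ("*" in want and is_user):
            out[attr] = vals
    return out
```

With strict 4.5.1 semantics a matching "(objectClass=*)" search that asks for "*" returns an empty entry, which is exactly the interoperability problem that leads servers to return namingContexts anyway.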