Re: root dse search



At 11:45 AM 3/15/01 -0500, Steve Miller wrote:
>In terms of ease of interoperability, it may be easier to retain the
>specific statement '...with filter (objectclass=*)...' instead of
>'...such as (objectclass=*)...'. This makes it simpler to set up ACIs,
>for example to allow anonymous access to read 'supportedSASLMechanisms'
>as specified in RFC2831/RFC2829. (Having just done this on our
>implementation!) Otherwise, you would either need to allow access to
>more attributes, or the client would have to know or determine which
>particular attribute to use in the filter. And it also preserves
>backwards compatibility with clients that currently use
>'(objectclass=*)'.

From this I gather you believe the RFC 2251 text:
   These attributes are retrievable if a client performs a base
   object search of the root with filter "(objectClass=*)", ...

is somehow to be interpreted as only allowing a "list" (search
with (objectClass=*)) operation upon the root DSE.

I stated a number of reasons why I believe this
interpretation is not well founded in my post
"filter (root dse search)".  I'll add another here:

Like in DAP, I believe it was intended that all DSEs in
the server be visible through LDAP including the root DSE.
This includes not only the "list" operation, but other
searches, compare, modify, and other applicable operations.

Kurt
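
The search being debated in this message, shown on the wire as an added example (not part of the original message or of any implementation mentioned in it): a BER-encoded RFC 2251 SearchRequest for a base-object search of the zero-length DN, first with the present filter (objectClass=*) and then with a present filter on another attribute. The function names and the message ID are assumptions made for illustration.

```python
# Added example: BER-encode the RFC 2251 SearchRequest for a base-object
# search of the root DSE. Function names are hypothetical.

def tlv(tag: int, value: bytes) -> bytes:
    """One BER element: tag, definite length (short or long form), value."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def ber_uint(tag: int, n: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED; the extra byte keeps the sign bit clear."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def root_dse_search(message_id: int, attrs: list[str],
                    present_attr: str = "objectClass") -> bytes:
    """LDAPMessage carrying a base search of "" with filter (present_attr=*)."""
    body = b"".join([
        tlv(0x04, b""),                    # baseObject: zero-length DN = root DSE
        ber_uint(0x0A, 0),                 # scope: baseObject(0)
        ber_uint(0x0A, 0),                 # derefAliases: neverDerefAliases(0)
        ber_uint(0x02, 0),                 # sizeLimit: no limit requested
        ber_uint(0x02, 0),                 # timeLimit: no limit requested
        tlv(0x01, b"\x00"),                # typesOnly: FALSE
        tlv(0x87, present_attr.encode()),  # filter: present [7]
        tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)),
    ])
    # LDAPMessage ::= SEQUENCE { messageID, [APPLICATION 3] SearchRequest }
    return tlv(0x30, ber_uint(0x02, message_id) + tlv(0x63, body))

if __name__ == "__main__":
    wanted = ["supportedSASLMechanisms"]
    print(root_dse_search(1, wanted).hex())
    print(root_dse_search(1, wanted, "supportedSASLMechanisms").hex())
```

The two requests differ only in the `0x87` filter element; the base object, scope and requested attribute list are identical.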