Re: root dse search



At 10:41 AM 3/15/01 -0800, Kurt D. Zeilenga wrote:
>At 11:45 AM 3/15/01 -0500, Steve Miller wrote:
>>In terms of ease of interoperability, it may be easier to retain the
>>specific statement '...with filter (objectclass=*)...' instead of
>>'...such as (objectclass=*)...'. This makes it simpler to set up ACIs,
>>for example to allow anonymous access to read 'supportedSASLMechanisms'
>>as specified in RFC2831/RFC2829. (Having just done this on our
>>implementation!) Otherwise, you would either need to allow access to
>>more attributes, or the client would have to know or determine which
>>particular attribute to use in the filter. And it also preserves
>>backwards compatibility with clients that currently use
>>'(objectclass=*)'.
>
> From this I gather you believe the RFC 2251 text:
>   These attributes are retrievable if a client performs a base
>   object search of the root with filter "(objectClass=*)", ...
>
>is somehow to be interpreted as only allowing a "list" (search
>with (objectClass=*)) operation upon the root DSE.

s/list/read/


>I stated a number of reasons why I believe this
>interpretation is not well founded in my post
>"filter (root dse search)".  I'll add another here:
>
>Like in DAP, I believe it was intended that all DSEs in
>the server be visible through LDAP including the root DSE.
>This includes not only the "list" operation, but other
>searches, compare, modify, and other applicable operations.

s/list/read/

sorry for any confusion.