However, I would like to lobby for a change to the RFCs to relax thisI agree with this sentiment. Nor would this be the first relaxation of how LDAP is being implemented compared to the RFCs (take a look at attribute syntax verification and client responsibilites there). Feedback of this nature keeps the RFCs worthwhile. I'd support this lobby.
for the root DSE. I think it is useful and not harmful to return all
root DSE attributes even when they are not named explicitly. This makes
it easier for client implementors to discover what server meta
information is available, is easier to debug, and so on. In the
interest of full and fair disclosure, I will admit that Netscape's LDAP
server implementation already behaves this way.--
Mark Smith
Directory Architect / Netscape Communications Corp.
My words are my own, not my employer's. Got LDAP?
The base search on the root object is a commonly used search and the returned attributes are of use to the client. For fullest flexibility in client/server interoperability it would be convenient not to have to list all operational attributes.
If there is any sensitivity to returning the attributes on the base object then they could be protected by object level security (ACLs).
In the interest of full and fair disclosure, we're glad the Netscape server behaves the way described.
Paul Dale
--
Product Development Manager
intracus ltd
www.intracus.com
pdale@intracus.com
tel: +44 (0)1635 529829
fax: +44 (0)1635 529830