Re: Clarification of RootDSE information retrieval required
> I agree with your assessment -- most of the attributes commonly found in
> the root DSE are operational attributes and according to the RFCs they
> should not be returned unless listed by name.
>
> However, I would like to lobby for a change to the RFCs to relax this for
> the root DSE. I think it is useful and not harmful to return all root DSE
> attributes even when they are not named explicitly. This makes it easier
Mark,
There is a customer of yours who would like to disagree with you. (I know
because I was talking to him last week about this very point, before your
email). There is at least one operational attribute in your root DSE that is
related to the security of your DIT (access controls), and, according to the
customer, you always return this to the caller. This is a potential security
weakness. Therefore there may be some operational attributes that should not
be returned unless specifically named and the caller's access rights give him
permission to read them.
David
> for client implementors to discover what server meta information is
> available, is easier to debug, and so on. In the interest of full and
> fair disclosure, I will admit that Netscape's LDAP server implementation
> already behaves this way.
>
> --
> Mark Smith
> Directory Architect / Netscape Communications Corp.
> My words are my own, not my employer's. Got LDAP?
>
>
***************************************************
David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
Mobile +44 370 957 287
Email D.W.Chadwick@iti.salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
***************************************************
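
The two positions in this exchange, side by side, as an added example that is not part of the original messages or of any server's code. The attribute name `exampleAccessControl`, the `READ_ACL` table, the DNs and the sample root DSE are all constructed for illustration.

```python
# Constructed root DSE; objectClass is the only user attribute here.
ROOT_DSE = {
    "objectClass": ["top"],
    "namingContexts": ["dc=example,dc=com"],
    "supportedLDAPVersion": ["2", "3"],
    "subschemaSubentry": ["cn=schema"],
    "exampleAccessControl": ["(constructed ACL value)"],  # hypothetical attribute
}
OPERATIONAL = {"namingcontexts", "supportedldapversion",
               "subschemasubentry", "exampleaccesscontrol"}
# Hypothetical read ACL: attribute -> bind DNs allowed to read it.
# Attributes not listed are readable by anyone, including anonymous ("").
READ_ACL = {"exampleaccesscontrol": {"cn=admin,dc=example,dc=com"}}


def select_attributes(entry, requested, bind_dn, relaxed=False, enforce_acl=True):
    """Pick the attributes of `entry` to return for a search request.

    relaxed=False: operational attributes only when listed by name.
    relaxed=True:  the proposed relaxation, all root DSE attributes
                   returned even when not named.
    enforce_acl:   drop attributes the caller has no right to read.
    """
    wanted = {a.lower() for a in requested}
    all_user = not wanted or "*" in wanted  # empty list means all user attrs
    result = {}
    for name, values in entry.items():
        key = name.lower()
        if key in OPERATIONAL:
            selected = relaxed or key in wanted
        else:
            selected = all_user or key in wanted
        if not selected:
            continue
        allowed = READ_ACL.get(key)
        if enforce_acl and allowed is not None and bind_dn.lower() not in allowed:
            continue  # caller lacks read permission on this attribute
        result[name] = values
    return result


if __name__ == "__main__":
    # Anonymous search, no attributes named, relaxed server without ACL checks.
    print(sorted(select_attributes(ROOT_DSE, [], "", relaxed=True, enforce_acl=False)))
    # Same request with the ACL enforced.
    print(sorted(select_attributes(ROOT_DSE, [], "", relaxed=True)))
```

With the access check applied per attribute, the relaxed behaviour still lets a client discover server meta information while the access-control attribute is returned only to a caller who is permitted to read it.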