
LDAP subtree search with zero-length DN for baseObject?



RFC 2251 says, in section 3.4:

   An LDAP server MUST provide information about itself and other
   information that is specific to each server.  This is represented as
   a group of attributes located in the root DSE (DSA-Specific Entry),
   which is named with the zero-length LDAPDN.  These attributes are
   retrievable if a client performs a base object search of the root
   with filter "(objectClass=*)", however they are subject to access
   control restrictions.  The root DSE MUST NOT be included if the
   client performs a subtree search starting from the root.

It isn't clear to me, though, what the expected result should be from a
subtree search where the baseObject is the zero-length DN.  It mustn't
include the root DSE info, but what should it include?  Should this mean
"the subtree rooted at root of the global DIT"?  Presumably, if so, in
existing cases this would typically fail since the DSA doesn't know how to
contact a DSA for "the root".  Or can a DSA interpret it as "search all
the naming contexts you have locally?"  By experiment I find that servers
I've tried this on report "no such object".

Thanks,

 - RL "Bob"
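
The root DSE rule quoted above from RFC 2251 section 3.4, and the two readings of an empty-base subtree search raised in the post, modelled as an added example (not part of the original message and not any server's code). The directory contents and the `empty_base_subtree` policy switch are constructed for illustration.

```python
"""Toy in-memory DSA (constructed data) modelling RFC 2251 section 3.4."""
SUCCESS, NO_SUCH_OBJECT = 0, 32          # LDAP resultCode values

ROOT_DSE = {"dn": "", "namingContexts": ["dc=example,dc=com", "o=lab"]}
ENTRY_DNS = [                             # constructed entries held locally
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "uid=alice,ou=people,dc=example,dc=com",
    "o=lab",
    "cn=printer,o=lab",
]

def _under(dn, base):
    """True if dn equals base or is subordinate to it (naive string match)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def search(base, scope, empty_base_subtree="no_such_object"):
    """Return (resultCode, entries) for scope 'base' or 'sub'.

    empty_base_subtree is a hypothetical policy switch for the open question:
      'no_such_object' - the behaviour the poster observed
      'local_contexts' - search every naming context held locally
    """
    if scope not in ("base", "sub"):
        raise ValueError("only 'base' and 'sub' are modelled")
    if base == "":
        if scope == "base":
            return SUCCESS, [ROOT_DSE]    # real servers apply access control here
        if empty_base_subtree == "local_contexts":
            return SUCCESS, [{"dn": d} for d in ENTRY_DNS]   # root DSE excluded
        return NO_SUCH_OBJECT, []
    if not any(d.lower() == base.lower() for d in ENTRY_DNS):
        return NO_SUCH_OBJECT, []
    if scope == "base":
        return SUCCESS, [{"dn": d} for d in ENTRY_DNS if d.lower() == base.lower()]
    return SUCCESS, [{"dn": d} for d in ENTRY_DNS if _under(d, base)]

def search_all_contexts(policy="no_such_object"):
    """Client-side approach that does not depend on the server's policy:
    read namingContexts from the root DSE, then subtree-search each one."""
    code, (root,) = search("", "base", policy)
    found = []
    for nc in root["namingContexts"]:
        code, entries = search(nc, "sub", policy)
        if code == SUCCESS:
            found.extend(e["dn"] for e in entries)
    return found
```

Under either policy, `search_all_contexts()` returns the same entries, because it depends only on the base object search of the root DSE that the RFC requires.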