
Re: LDAP subtree search with zero-length DN for baseObject?



I have seen a lot of simple clients which don't read the root
to get information about the server. They make a subtree search with
root as base object and they can live with a result which doesn't
include the root but all the local entries in the server which match
the filter.

So for a standalone server you can configure ROOT as CP in our DSA and
you can use root as base in every search. The root is only returned
in a base-level search (read).
In all the other cases we use the model that the name resolution
is finished and "search all the naming contexts you have locally" plus
referrals to all the references the server holds.

Can all your LDAP-enabled applications work with "noSuchObject"
for a search with ROOT as BaseObject?

Helmut

RL 'Bob' Morgan wrote:
> 
> RFC 2251 says, in section 3.4:
> 
>    An LDAP server MUST provide information about itself and other
>    information that is specific to each server.  This is represented as
>    a group of attributes located in the root DSE (DSA-Specific Entry),
>    which is named with the zero-length LDAPDN.  These attributes are
>    retrievable if a client performs a base object search of the root
>    with filter "(objectClass=*)", however they are subject to access
>    control restrictions.  The root DSE MUST NOT be included if the
>    client performs a subtree search starting from the root.
> 
> It isn't clear to me, though, what the expected result should be from a
> subtree search where the baseObject is the zero-length DN.  It mustn't
> include the root DSE info, but what should it include?  Should this mean
> "the subtree rooted at root of the global DIT"?  Presumably, if so, in
> existing cases this would typically fail since the DSA doesn't know how to
> contact a DSA for "the root".  Or can a DSA interpret it as "search all
> the naming contexts you have locally?"  By experiment I find that servers
> I've tried this on report "no such object".
> 
> Thanks,
> 
>  - RL "Bob"
begin:vcard 
n:Volpers;Helmut
tel;fax:+49-89-636-45860
tel;work:+49-89-636-46713
x-mozilla-html:FALSE
url:http://www.siemens.com/bus-com
org:Siemens AG
adr:;;;Munich;;81730;Germany
version:2.1
email;internet:Helmut.Volpers@icn.siemens.de
title:Directory Server Architect
fn:Helmut Volpers
end:vcard
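
A toy model of the two behaviours discussed in this thread, as an added example that is not part of either message and not code from any real DSA: a base-level read of the zero-length DN returns the root DSE, while a subtree search from the root either fails with noSuchObject or searches every local naming context and returns the held referrals. The directory contents, the referral URL and the `root_is_context_prefix` switch are constructed for illustration, and DN matching is a simplified suffix compare.

```python
# Constructed toy directory; none of these names come from the thread.
ROOT_DSE = {"dn": "", "namingContexts": ["dc=example,dc=com", "o=Constructed"]}
ENTRIES = [
    {"dn": "dc=example,dc=com", "objectClass": "domain"},
    {"dn": "cn=alice,dc=example,dc=com", "objectClass": "person"},
    {"dn": "o=Constructed", "objectClass": "organization"},
    {"dn": "cn=bob,o=Constructed", "objectClass": "person"},
]
REFERRALS = ["ldap://other.example.net/o=Elsewhere"]


def in_subtree(dn, base):
    """Simplified DN containment: string suffix match, no escaping rules."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(base, scope, object_class=None, root_is_context_prefix=True):
    """Return (result_code, entries, referrals) for scope 'base' or 'sub'."""
    if scope not in ("base", "sub"):
        raise ValueError("this sketch models only base and subtree scope")
    matches = lambda e: object_class is None or e["objectClass"] == object_class

    if base == "":
        if scope == "base":
            # Reading the zero-length DN is the only way to get the root DSE.
            return ("success", [ROOT_DSE], [])
        if not root_is_context_prefix:
            # The result Bob reports from the servers he tried.
            return ("noSuchObject", [], [])
        # Root configured as context prefix: every local naming context is
        # searched, the root DSE is left out, and held references come back.
        return ("success", [e for e in ENTRIES if matches(e)], list(REFERRALS))

    if not any(e["dn"].lower() == base.lower() for e in ENTRIES):
        return ("noSuchObject", [], [])
    if scope == "base":
        hits = [e for e in ENTRIES if e["dn"].lower() == base.lower() and matches(e)]
    else:
        hits = [e for e in ENTRIES if in_subtree(e["dn"], base) and matches(e)]
    return ("success", hits, [])
```
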