
Re: [ldap] Re: Version of Netscape Directory Service protocol



At 12:10 AM 5/18/00 -0600, Natarajan SK wrote:
>Something still stranger (or maybe I'm missing something) is that I used to think operational attributes are not returned in search results unless explicitly stated. RFC 2252 states rootDSE attributes as operational attributes (which means they shouldn't be returned in ordinary searches).

Yes. As any given entry may have many operational attributes, some
with a large number of values, "they are not to be returned
in search results unless explicitly requested by name."  This
makes sense especially for the root DSE and other such entries.

> However in two different ldap v3 servers I've seen...
> that rootDSE attributes (the same which are deemed in rfc 2252
> as operational) are returned without explicitly needing to state the
> attributes. This goes against rfc2251.  So my guess is either the
> specification is flawed or the implementation of the ldap servers is flawed.

The implementation.  RFC 2251 is quite clear on the matter.

It has been suggested by some that an exception should be allowed
for the Root DSE.  I would argue that such is inappropriate as
the Root DSE is quite likely to hold many of the operational
values which may have a large number of values (though I hope
some, like supportedLDAPversion, only have two or three :-).

As raised by Roger, there is no specification for the
structural objectclass of the root DSE.  The E in DSE stands
for Entry and entries must be of a structural object class.
However, this underspecification is a minor flaw which isn't
breaking anything and can easily be resolved through clarification
in LDAPv3bis documents.

Note, however, that the existence of an objectclass doesn't help
much as no objectclass is likely to list all the possible operational
attributes that may be in the rootDSE.  This is not a problem:
clients which need operational attributes have a priori knowledge
of such attributes (their implementor read RFC 2251-56).  And a
browser which really wanted to know everything it could, could
get everything by requesting each and every operational attribute
type (as listed in the controlling subschema).  (This is what
such a browser would have to do to find operational attributes
of any other entry, the root DSE shouldn't be special in this
regard.)

Kurt
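
The attribute-selection rule discussed in this message, as an added example that is not part of the original post and is not code from any LDAP server: it models which attributes a conforming server returns for a given request list and flags operational attributes that come back unrequested. The function names and the sample root DSE are constructed for illustration; the operational set is the root DSE attribute list from RFC 2251 section 3.4, where a real client would read it from the controlling subschema.

```python
# Root DSE attributes named in RFC 2251 section 3.4 (lower-cased for matching).
ROOT_DSE_OPERATIONAL = {
    "namingcontexts", "subschemasubentry", "altserver", "supportedextension",
    "supportedcontrol", "supportedsaslmechanisms", "supportedldapversion",
}

# Constructed sample entry, not taken from a real server.
SAMPLE_ROOT_DSE = {
    "objectClass": ["top"],
    "namingContexts": ["dc=example,dc=com"],
    "supportedLDAPVersion": ["2", "3"],
    "supportedSASLMechanisms": ["EXTERNAL"],
}


def select_attributes(entry, requested, operational=ROOT_DSE_OPERATIONAL):
    """Attributes a conforming server returns for the `requested` list.

    An empty list or "*" selects all user attributes; an operational
    attribute is returned only when it is requested by name.
    """
    names = {a.lower() for a in requested}
    all_user = not names or "*" in names
    result = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key in operational:
            if key in names:
                result[attr] = values
        elif all_user or key in names:
            result[attr] = values
    return result


def unrequested_operational(response, requested, operational=ROOT_DSE_OPERATIONAL):
    """Operational attributes present in a response that were never named."""
    names = {a.lower() for a in requested}
    return sorted(a for a in response
                  if a.lower() in operational and a.lower() not in names)


def browser_request(operational=ROOT_DSE_OPERATIONAL):
    """Request list for a browser that wants everything: "*" plus each name."""
    return ["*"] + sorted(operational)
```
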