
Re: (ITS#6627) Empty suffix and dn for root node should be avoided

> Full_Name: SEAK T.F.
> Version: 2.4.18
> OS: Windows XP/7 & Ubuntu 9
> URL:
> Submission from: (NULL) (
> Currently it is possible to create a DIT with an empty suffix and an empty dn for the root node!  Side-note: Such a DIT can be used for redirection.
> I've no idea what LDAP standards state, but common sense tells me that a name-less node doesn't make sense.  It's as meaningless as creating a name-less directory or a name-less file.
> So, when such incorrect parameters are supplied in the conf file, the OpenLDAP service should not start and should exit with an error.

This issue should be discussed on openldap-technical rather than on the
ITS, and should focus on the latest release.  In any case, OpenLDAP allows
creating an object with an empty suffix for a specific technical reason, in
two steps:

1) it allows the empty DN ("") to be used as the suffix of a database; the
database cannot contain an entry with the empty DN, but it can contain
immediate children of it.

2) in some versions, the database may technically contain an empty entry
in order to store replication-related information (the contextCSN).  I
think this is now superseded by the use of a "cn=ldapsync" subentry of ""
for this specific purpose.

In any case, this ITS will be closed.
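As an added example, not part of this ITS thread or of OpenLDAP's own code: a small audit script that reads an slapd.conf-style file and reports each database's suffix, flagging the empty suffix "" the reply describes as deliberate (so it is reported for review, not rejected) and suffixes that are not well-formed DNs. The sample configuration, the list of suffix-less backend types and the loose DN check are my own assumptions.

```python
import re

# Loose RFC 4514 shape: attr=value pairs separated by commas (escapes not handled).
_RDN = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,]+$')
# Assumption: backends that set their own naming context and carry no suffix line.
_NO_SUFFIX_BACKENDS = {'config', 'frontend', 'monitor'}

# Constructed sample config, not a real deployment.
SAMPLE_CONF = """\
include /etc/openldap/schema/core.schema

database mdb
suffix ""
rootdn "cn=Manager"

database mdb
suffix "dc=example,dc=org"
rootdn "cn=Manager,dc=example,dc=org"
directory /var/lib/ldap

database mdb
suffix "dc=example,dc=org,bogus"
"""

def _unquote(value):
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value

def parse_databases(conf_text):
    """Return [(backend, [suffix, ...]), ...]; joins whitespace-led continuation lines."""
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and logical:
            logical[-1] += ' ' + raw.strip()
        else:
            logical.append(raw.strip())
    dbs = []
    for line in logical:
        key, _, value = line.partition(' ')
        key = key.lower()
        if key == 'database':
            dbs.append((value.strip(), []))
        elif key == 'suffix' and dbs:
            dbs[-1][1].append(_unquote(value))
    return dbs

def audit_suffixes(conf_text):
    """Return (db_index, backend, message) findings; empty suffix is informational."""
    findings = []
    for i, (backend, suffixes) in enumerate(parse_databases(conf_text), 1):
        if not suffixes and backend not in _NO_SUFFIX_BACKENDS:
            findings.append((i, backend, 'no suffix directive'))
        for s in suffixes:
            if s == '':
                findings.append((i, backend, 'empty suffix "" (serves children of the root DSE)'))
            elif not all(_RDN.match(r.strip()) for r in s.split(',')):
                findings.append((i, backend, f'malformed suffix {s!r}'))
    return findings
```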