Re: Searchbase Bug in slapd?

At 11:33 PM 10/7/00 +0000, Jim Hud wrote:
>If I use Outlook to run a search against slapd (which has defaultsearchbase
>configured) I get data back OK.

You've demonstrated that the defaultSearchBase kludge works for
clients which don't send an appropriate search base.

>If I then configure the Outlook search base
>to the correct base (same as set in defaultsearchbase) I still get data
>back, OK so far.

You've demonstrated that slapd responds with a properly configured

>However when I clear the Outlook search base to nothing I
>get no data back from slapd.

This is correct behavior for a server which doesn't hold the
root namingContext (or doesn't have a defaultSearchBase set).
If slapd cannot locate the base of the search, it cannot
return any entries.

>In fact the logs appear to say that Outlook is
>giving a base of "c=UK".

If the client requests "c=UK" and "c=UK" doesn't hold "c=UK", it
cannot return "c=UK".

>Restarting slapd makes no difference, nor does
>rebooting the slapd machine.  Looks like an Outlook problem doesn't it.
>BUT if I then do the same but instead of slapd I use an MS Exchange LDAP
>server then it resets OK.

What resets?  Outlook?  That's its business.

>Also if I create a new directory account on
>Outlook with no searchbase set it does not work until I stop and restart

You likely changed something, like setting a defaultSearchBase, to
change slapd behavior.

>My theory is that the logic of dealing with null search bases is wrong

Some clients expect servers to somehow guess at what they mean
when given an empty search base.  However, LDAP/X.500 prescribes
this behavior quite clearly.  If the server is not configured
to hold the root namingContext, it cannot return any entries
for a subtree or one-level search when given an empty base DN (if
scope is base, the RootDSE is returned).

defaultSearchBase can be used to purposely break LDAP/X.500
semantics and specify a defaulting to some DN.  Whether you
use this mechanism or not is your choice.
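
The base-resolution behavior discussed in this thread, as an added example (a simplified model, not slapd source code and not part of the original message). The function names, outcome labels and the dc=example,dc=com suffix are assumptions made for illustration, and the DN comparison is naive (it ignores escaped commas).

```python
# Simplified model of how a server picks the base of a search request.
# Added illustration only; names and sample DNs are constructed.

def normalize_dn(dn):
    """Split a DN into lower-cased RDNs (naive: no escaped-comma handling)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def holds(naming_context, base):
    """True if base is at or below naming_context ("" is the root context)."""
    ctx, b = normalize_dn(naming_context), normalize_dn(base)
    if not ctx:
        return True                      # root namingContext holds everything
    return len(b) >= len(ctx) and b[-len(ctx):] == ctx

def resolve_search(base, scope, naming_contexts, default_search_base=None):
    """Return (outcome, effective_base) for a search request.

    outcome is "rootdse", "search" or "no-entries" (hypothetical labels).
    """
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope: %r" % scope)
    if not normalize_dn(base):
        if scope == "base":
            return ("rootdse", "")       # empty base + base scope: RootDSE
        if default_search_base:
            base = default_search_base   # the defaultSearchBase substitution
    if any(holds(nc, base) for nc in naming_contexts):
        return ("search", base)
    return ("no-entries", base)          # server cannot locate the base

if __name__ == "__main__":
    contexts = ["dc=example,dc=com"]     # constructed sample suffix
    default = "dc=example,dc=com"
    for base, scope, dsb in [
        ("", "sub", default),            # client sends no base, default set
        ("", "sub", None),               # client sends no base, no default
        ("", "base", default),           # RootDSE read is unaffected
        ("c=UK", "sub", default),        # non-empty base the server lacks
    ]:
        print(repr(base), scope, dsb, "->",
              resolve_search(base, scope, contexts, dsb))
```

A non-empty base such as "c=UK" is never replaced by the default, which is why the request seen in the logs returns nothing from a server that does not hold that context.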