
RE: RFC 2251 Root DSE non-standard

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kevin J.
> McCarthy

> Kurt,

Excuse me for butting in here...

> Regarding:
> ldapsearch -x -h localhost -b "" -s base +

This is an invalid search. I'm surprised you get a response from it.
> That is non-standard behavior. I am not saying it is WRONG; not at all.
> What I am saying is that every other server I have access to (Active
> Directory, iPlanet, and IBM secureWay) all provide rootDSE stuff with:
> 	ldapsearch -x -h <hostname> -b "" -s base "(objectClass=*)"
> While OpenLDAP returns this:
> 	dn:
> 	objectClass: top
> 	objectClass: OpenLDAProotDSE
> Which is totally useless. When I replace the "(objectClass=*)" with "+"
> as you indicate, I get what I want from OpenLDAP. However, the "+"
> breaks EVERY OTHER server so that they produce no results (or
> referrals).

You should not be replacing "(objectclass=*)", that is the search filter. You
are required to provide a filter with your search request. The "+" specifies
the attribute list, i.e., the list of attributes you're interested in. In this
case, "+" is a wildcard that stands for all of the operational attributes.
Your request should have been
	ldapsearch -x -h <hostname> -b "" -s base "(objectClass=*)" +

> According to RFC 2251:
> An LDAP server MUST provide information about itself and other
> information that is specific to each server. This is represented as a
> group of attributes located in the root DSE (DSA-Specific Entry), which
> is named with the zero-length LDAPDN. These attributes are retrievable
> if a client performs a base object search of the root with filter
> "(objectClass=*)", however they are subject to access control
> restrictions. The root DSE MUST NOT be included if the client performs a
> subtree search starting from the root.
> Doing that search DOES NOT tell a client anything about the server, so
> as far as I can tell requiring the "+" does not adhere to the RFC.
> Kevin

The "+" is not *required*, it's just a convenient shorthand, simpler than spelling
out "namingcontexts supportedLDAPversion ..." But, an attribute list of some form
or another *is* required.

The information in the root DSE that you are looking for consists of
operational attributes. A server that returns operational attributes when
they have not been requested is violating the LDAP protocol. See RFC2251 at
the end of section 4.5.1. It's also stated in section 3.2.1.

     Client implementors should note that even if all user attributes are
     requested, some attributes of the entry may not be included in
     search results due to access control or other restrictions.
***  Furthermore, servers will not return operational attributes, such
     as objectClasses or attributeTypes, unless they are listed by name,
     since there may be extremely large number of values for certain
     operational attributes. (A list of operational attributes for use
     in LDAP is given in [5].)

ps: [5] above is RFC2252, LDAPv3 Attributes...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
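An added example, not code from this thread or from the OpenLDAP project, showing the filter/attribute-list distinction the reply describes: it builds the ldapsearch request with "(objectClass=*)" always present as the filter and either "+" or the RFC 2252 root DSE operational attributes listed by name (for servers that do not understand "+"), then parses a constructed LDIF response to report which operational attributes came back. The hostname and the sample LDIF are made up for the example.

```python
# Operational attributes of the root DSE from RFC 2252 section 5.2; listing
# them by name is the portable alternative to the "+" shorthand.
ROOT_DSE_ATTRS = ["namingContexts", "subschemaSubentry", "altServer",
                  "supportedExtension", "supportedControl",
                  "supportedSASLMechanisms", "supportedLDAPVersion"]

def root_dse_argv(host, use_plus=True):
    """Build the ldapsearch argv for a root DSE query. The filter
    "(objectClass=*)" is always present; the attribute list follows it.
    use_plus=False names the operational attributes explicitly, which
    works on servers that do not implement the "+" wildcard."""
    attrs = ["+"] if use_plus else ROOT_DSE_ATTRS
    return ["ldapsearch", "-x", "-h", host, "-b", "", "-s", "base",
            "(objectClass=*)"] + attrs

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, joining folded
    continuation lines (leading space) and skipping '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name, []).append(value.strip())
    return entry

def check_root_dse(entry):
    """Return (is_root_dse, missing). An empty dn identifies the root DSE;
    'missing' lists operational attributes the server did not return: all of
    them missing means the request carried no attribute list (or ACLs hide
    them), which is the "totally useless" result described in the thread."""
    is_root = entry.get("dn", [None])[0] == ""
    missing = [a for a in ROOT_DSE_ATTRS if a not in entry]
    return is_root, missing

# Constructed sample response (not captured from a real server) for the
# request with the "+" attribute list.
SAMPLE_LDIF = """\
dn:
objectClass: top
objectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
"""
```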