directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Icky Dude" <>
Subject [ApacheDS] RootDSE Operational attributes
Date Thu, 06 Mar 2008 23:54:49 GMT

Using "bigbang" I've found that ApacheDS does not respond properly to
Root DSE searches for both "+" (all operational) and "*" (all
non-operational) attributes".  I believe that the following  change
fixes the problem:

$ svn diff
---  (revision 634445)
+++  (working copy)
@@ -1002,7 +1002,7 @@
                         serverEntry.put( attribute );
-                    else if ( containsPlus && ( type.getUsage() ==
+                    else if ( containsPlus && ( type.getUsage() !=
                         serverEntry.put( attribute );

Without this fix, ApacheDS treats the following ldap searches return
identical responses (neither will return operational attributes):

$ ldapsearch -x -h localhost -p10389 -s base -b "" '+'
$ ldapsearch -x -h localhost -p10389 -s base -b "" '*'

With the fix, ApacheDS responds correctly -- or as least as correct
with respect to the attribute usage assigned to the rootDSE

As a side note, I believe that ApacheDS is technically correct in
treating Root DSE attributes as operational (see RFC 2252 section
5.2).  However, it's worth noting that many directories do not
correctly distinguish between operational and non-operational
attributes of the root DSE.  The most notable is ActiveDirectory which
 will not return any attributes for Root DSE searches for "+".
ActiveDirectory will only return RootDSE attributes if requested
explicitly by name or with "*".

ActiveDirectory isn't exactly the best LDAP canon out there, but it
popular enough to have a strong following. It's a bit of a nitpick,
but for rootDSE searches its might be worth thinking about adjusting
ApacheDS so that rootDSE searches for "*" return all attributes.  I'm
not strongly recommending this, but it might be worth some discussion
since there are applications out there that are likely to be coded
this way.  Thoughts?

View raw message