You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2008/07/31 18:40:31 UTC
[jira] Created: (DIRSERVER-1214) Searches done with an empty baseDN
are not accepted, except for the rootDSE
Searches done with an empty baseDN are not accepted, except for the rootDSE
---------------------------------------------------------------------------
Key: DIRSERVER-1214
URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
Project: Directory ApacheDS
Issue Type: Bug
Affects Versions: 1.5.3
Reporter: Emmanuel Lecharny
Fix For: 2.0.0
We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
We should consider that such a search is spreaded on all the partitions.
This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kiran Ayyagari resolved DIRSERVER-1214.
---------------------------------------
Resolution: Fixed
Assignee: Kiran Ayyagari
Fixed here http://svn.apache.org/viewvc?rev=917683&view=rev
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Assignee: Kiran Ayyagari
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838864#action_12838864 ]
Alex Karasulu commented on DIRSERVER-1214:
------------------------------------------
This really does not make protocol sense to me. Why? Well because the descent from the root DSE may not be one level down. Let me explain further: partitions can have a suffixes with more than one RDN component like dc=example,dc=com. When conducting search with anything other than base object scope this may become a problem since the returned set of entries will be disjoint (some will not have parents returned below the search base). This might mess up some clients.
I think this issue should be closed and forgotten but we can implement it if need be. It's not that hard. However again it does not make protocol sense to me.
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Quanah Gibson-Mount (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838973#action_12838973 ]
Quanah Gibson-Mount commented on DIRSERVER-1214:
------------------------------------------------
So, at least with sub, the behavior is fairly clear, it returns whatever it has access to. But with OpenLDAP, using a scobe of "one", using separate databases for the contexts (rather than using ""), I get:
[zimbra@freelancer ~]$ ldapsearch -x -b "" -s one -h freelancer
# extended LDIF
#
# LDAPv3
# base <> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
So if there is no "" database, a one-level search says no such object. I don't know if that's really the correct behavior or not, it's an interesting question.
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838903#action_12838903 ]
Emmanuel Lecharny commented on DIRSERVER-1214:
----------------------------------------------
What if ONE_LEVEL search done on rootDSE simply return each context entry for all the namingContexts ? Pretty simple to implement , as we know that we are searching from root and that it's a ONE_LEVEL search...
wdyt ?
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DIRSERVER-1214) Searches done with an empty baseDN
are not accepted, except for the rootDSE
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-1214:
-----------------------------------------
Fix Version/s: (was: 2.0.0)
1.5.6
Let's fix that in 1.5.6
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12619071#action_12619071 ]
Alex Karasulu commented on DIRSERVER-1214:
------------------------------------------
Can create an OR cursor over all partitions in the system to implement this btw. Should not be that hard.
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 2.0.0
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838870#action_12838870 ]
Emmanuel Lecharny commented on DIRSERVER-1214:
----------------------------------------------
RFC 4512, par. 5.1 stipulates that "The root DSE SHALL NOT be included if the client performs a subtree search starting from the root." and that implicitely implies that you *can* do a search with an empty baseDN
AFAICT, there is nothing specific about ONE_LEVEL search based on rootDSE, and NamingContexts, in the RFC. My interpretation is :
The ONE level should start on NamingContext, not on the RDN forming their DN (ie, if a NamingContext is dc=example,dc=com, we should start at dc=example, not at dc=com).
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Quanah Gibson-Mount (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838986#action_12838986 ]
Quanah Gibson-Mount commented on DIRSERVER-1214:
------------------------------------------------
So ignore my first bit on Stanford.edu. They have a "defaultsearchbase" value set, which redirects queries to "" to the dc=stanford,dc=edu base. A subtree search when that is not set also returns error 32, no such object.
Not that this is necessarily the *correct* behavior. ;)
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (DIRSERVER-1214) Searches done with an empty baseDN
are not accepted, except for the rootDSE
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny closed DIRSERVER-1214.
----------------------------------------
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Assignee: Kiran Ayyagari
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838892#action_12838892 ]
Alex Karasulu commented on DIRSERVER-1214:
------------------------------------------
That is an implicit suggestion and I do think that subtree search may be performed but one level search would be really ugly. Think this way. If you do a one level search you are supposed to get everything subordinating to the base dn based on namespace. However because the namingContexts may have any number of RDNs greater than zero, then you cannot just returen each namingContent. You'll have to at least check if the namingContext suffix has 1 and only 1 namingContext before returning it.
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1214) Searches done with an empty
baseDN are not accepted, except for the rootDSE
Posted by "Quanah Gibson-Mount (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838939#action_12838939 ]
Quanah Gibson-Mount commented on DIRSERVER-1214:
------------------------------------------------
This is a very real issue, and ignoring it doesn't make it go away. :)
I can show you the behavior for OpenLDAP (For ldap.stanford.edu, which has a root of "dc=stanford,dc=edu"
tribes:~> ldapsearch -x -h ldap -b "" | more
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# stanford.edu
dn: dc=stanford,dc=edu
objectClass: dcObject
objectClass: organization
o: Stanford University
dc: stanford
l: Palo Alto
(etc)
More importantly, is how are you going to handle people who have databases rooted at ""? That's what we do at Zimbra, as we support ISP's, and thus multiple domains that could exist across org, com, edu, etc. You should *always* be able to do a subtree search on "", and it should simply return the databases as they exist (according to ACL rules, etc, of course).
It is the same as any other subtree search.
--Quanah
> Searches done with an empty baseDN are not accepted, except for the rootDSE
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-1214
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1214
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.3
> Reporter: Emmanuel Lecharny
> Fix For: 1.5.6
>
>
> We can't do a search with an empty baseDN, when it's not specifically a rootDSE search (ie, (objectClass=*) and scope=OBJECT).
> We should consider that such a search is spreaded on all the partitions.
> This is not easy to implement without the nested partitions, as the current existing partitions are potentially stoed in different backends.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.