The Root DSE and Extension Discovery


Suppose that an LDAP client wants to use an LDAPv3 control, extended operation, or SASL mechanism. How does the client know whether the server supports the required extension? All LDAPv3 extensions supported by a server are advertised in a special LDAP entry called the root DSE. The root DSE is a directory entry that contains operational information about the server. Among other things, the root DSE contains a list of every LDAP control, extended operation, and SASL mechanism that the server supports.

Clients that plan to use an LDAP extension mechanism can read the root DSE to learn whether the server they've connected to supports the required extension. If so, the operation(s) can proceed. However, if the server doesn't support the required extension, the client program has a decision to make. If the application cannot function without the LDAP extension, the client has no choice but to abort the operation and inform the user. In other cases, the client may be able to use an alternative approach.

For example, if a client wants the results of a search operation to be sorted, it can check whether the server supports the Server-Side Sorting control and use the control if it is available. If not, it can fall back to an alternative approach: retrieving the unsorted list of entries from the server and sorting the list itself. Graceful degradation of service is possible if clients read the root DSE to determine the extensions supported by a server. Controls and extended operations are advertised in the root DSE by their unique OID. SASL mechanisms are identified by a unique identifying string that must be registered with the Internet Assigned Numbers Authority (IANA), a standards body that registers names and ensures that every name assigned for a particular purpose is unique.

Let's look at a typical root DSE. This example is from Netscape Directory Server 6. To retrieve the root DSE of a directory server, you must perform a base-level search with a search base of "" (the empty string) and a filter of "(objectclass=*)", as shown in Listing 3.1.

Listing 3.1 Discovering Extensions, Controls, and SASL Mechanisms Supported by a Server
    ldapsearch -h ldap.example.com -s base -b "" "(objectclass=*)" supportedExtension supportedControl supportedSASLMechanisms
    dn:
    supportedExtension: 2.16.840.1.113730.3.5.7
    supportedExtension: 2.16.840.1.113730.3.5.8
    supportedExtension: 2.16.840.1.113730.3.5.3
    supportedExtension: 2.16.840.1.113730.3.5.5
    supportedExtension: 2.16.840.1.113730.3.5.6
    supportedExtension: 2.16.840.1.113730.3.5.4
    supportedControl: 2.16.840.1.113730.3.4.2
    supportedControl: 2.16.840.1.113730.3.4.3
    supportedControl: 2.16.840.1.113730.3.4.4
    supportedControl: 2.16.840.1.113730.3.4.5
    supportedControl: 1.2.840.113556.1.4.473
    supportedControl: 2.16.840.1.113730.3.4.9
    supportedControl: 2.16.840.1.113730.3.4.16
    supportedControl: 2.16.840.1.113730.3.4.15
    supportedControl: 2.16.840.1.113730.3.4.17
    supportedControl: 2.16.840.1.113730.3.4.14
    supportedControl: 1.3.6.1.4.1.1466.29539.12
    supportedControl: 2.16.840.1.113730.3.4.13
    supportedControl: 2.16.840.1.113730.3.4.12
    supportedControl: 2.16.840.1.113730.3.4.18
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: DIGEST-MD5

The supportedExtension, supportedControl, and supportedSASLMechanisms attribute values indicate that the server supports the given extended operation, control, or SASL mechanism. For example, the root DSE shown previously, from Netscape Directory Server 6, contains the attribute supportedControl: 2.16.840.1.113730.3.4.2, which indicates that the server supports the ManageDSAIT control. Clients that read the root DSE can test for the presence of the attribute values corresponding to the extensions they want.

Although reading the root DSE is the recommended approach, another method that clients can use to discover whether a server supports a given LDAPv3 extension is simply to try to use a critical control, extended operation, or SASL mechanism and check whether the server returns a result code indicating that the extension is not supported. For example, if a control is not supported, or if it can't be used with the requested operation, the server will return the result code unavailableCriticalExtension .
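As an added illustration (not code from the book), the Python below parses the attribute lines returned in Listing 3.1 and carries out the two decisions the text describes: using the Server-Side Sorting control only when the server advertises it, and choosing a SASL mechanism the server actually offers. The RootDSE class, the search callable and the function names are assumptions of this example, not the API of any LDAP library.

```python
from dataclasses import dataclass, field

# ManageDSAIT is named in the text; 1.2.840.113556.1.4.473 is the Server-Side
# Sort request control of RFC 2891 and appears in Listing 3.1.
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"
SERVER_SIDE_SORT = "1.2.840.113556.1.4.473"

# Constructed sample: a subset of the lines ldapsearch printed in Listing 3.1.
ROOT_DSE_LDIF = """\
dn:
supportedExtension: 2.16.840.1.113730.3.5.7
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.473
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
"""

@dataclass
class RootDSE:
    extensions: set = field(default_factory=set)
    controls: set = field(default_factory=set)
    sasl_mechanisms: set = field(default_factory=set)

def parse_root_dse(ldif: str) -> RootDSE:
    """Collect the three multi-valued advertisement attributes."""
    dse = RootDSE()
    buckets = {"supportedextension": dse.extensions,
               "supportedcontrol": dse.controls,
               "supportedsaslmechanisms": dse.sasl_mechanisms}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        bucket = buckets.get(attr.strip().lower())  # attribute names are case-insensitive
        if sep and bucket is not None and value.strip():
            bucket.add(value.strip())
    return dse

def sorted_search(dse: RootDSE, search, sort_key: str):
    """Ask the server to sort only if it advertises the control; otherwise
    retrieve the unsorted entries and sort them on the client."""
    if SERVER_SIDE_SORT in dse.controls:
        return search(sort_control=(SERVER_SIDE_SORT, sort_key)), "server"
    return sorted(search(), key=lambda e: e[sort_key].lower()), "client"

def pick_sasl_mechanism(dse: RootDSE, preference: list):
    """First client-preferred mechanism the server also advertises, else None
    (the caller must then abort or fall back, as the text describes)."""
    for mech in preference:
        if mech in dse.sasl_mechanisms:
            return mech
    return None
```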

Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
Year: 2002
Pages: 242
