Re: LDAP BUG

Eric Rosenquist (rosenqui@strataware.com)
Fri, 9 Aug 1996 17:50:55 -0400

On 9 Aug 96 at 14:37, MALCOLM BOFF wrote:

> ...
> Also I have been requested to implement the X500 'LIST' function and I have a
> number of queries with respect to LDAPD. For a starter, do the LDAP_REQ_xxx values
> have any specific meanings or are they arbitrary? Any help that you can give me
> would be greatly appreciated.

As you'll see in the ldap.h file, the LDAP_REQ_XXX values are the actual
ASN.1 tags for the different PDUs. See RFC1777 for the ASN.1 definitions
leading to these. For example, LDAP_REQ_BIND is really an ASN.1
[APPLICATION 0] tag, which happens to have a hex value of 0x40 with the
0x20 (constructed) bit set due to the structure of the BindRequest PDU.

#define LDAP_REQ_BIND     0x60L  /* application + constructed */
#define LDAP_REQ_UNBIND   0x42L  /* application + primitive */
#define LDAP_REQ_SEARCH   0x63L  /* application + constructed */
#define LDAP_REQ_MODIFY   0x66L  /* application + constructed */
#define LDAP_REQ_ADD      0x68L  /* application + constructed */
#define LDAP_REQ_DELETE   0x4aL  /* application + primitive */
#define LDAP_REQ_MODRDN   0x6cL  /* application + constructed */
#define LDAP_REQ_COMPARE  0x6eL  /* application + constructed */
#define LDAP_REQ_ABANDON  0x50L  /* application + primitive */

If you go ahead and implement a true LIST operation you'll have a fair bit
of work to do in both the LDAP client library and in the LDAP server, plus
you'll make your application dependent on your (non-standard) library and
require it to talk to your server. There's nothing wrong with that
approach, just be aware of the consequences.

> (I am aware of the workaround using SEARCH as used in the web browser
> code but this is horrendously slow on IBM's very large dictionary).

You can fake a list by doing a one-level search with a filter of
objectClass=* (an always TRUE filter) and asking for the attribute "0.10"
(or some other legal but unused OID). Performance-wise a one-level search
should not be much different than a true list operation, just make sure
you're not doing a sub-tree search. The only important difference I've
run across in real-world usage is that some X.500 sites have an access
control list that governs what can be searched/listed, and the list one is
usually fairly open, but the search one sometimes precludes the one-level
objectClass=* list-like search.

Eric
---------------------------------------------------------------------
Eric Rosenquist, Strata Software Limited http://www.strataware.com/
Email: rosenqui@strataware.com Tel: 613-591-1922 Fax: 613-591-3485
Quote: First you didn't want me to get the pony, now you want me to
take it back. Make up your mind!
-- Homer to Marge
---------------------------------------------------------------------
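
Added example, not part of the original message or of the LDAP library: a bounds-checked C sketch that builds the [APPLICATION n] identifier octets behind the LDAP_REQ_XXX values and pulls the protocolOp tag out of one complete LDAPMessage. The helper names (app_tag, ber_len, ldap_op_tag) and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BER_CLASS_APPLICATION 0x40  /* class bits 01 in the identifier octet */
#define BER_CONSTRUCTED       0x20  /* constructed bit */

/* Identifier octet for [APPLICATION n], n < 31 (hypothetical helper). */
long app_tag(unsigned n, int constructed) {
    return BER_CLASS_APPLICATION | (constructed ? BER_CONSTRUCTED : 0) | (n & 0x1f);
}

/* Definite BER length at buf[*pos]; -1 if truncated, indefinite or > 3 length octets. */
static long ber_len(const uint8_t *buf, size_t n, size_t *pos) {
    if (*pos >= n) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) return b;                        /* short form */
    unsigned cnt = b & 0x7f;                       /* long form: octet count */
    if (cnt == 0 || cnt > 3 || n - *pos < cnt) return -1;
    long len = 0;
    while (cnt--) len = (len << 8) | buf[(*pos)++];
    return len;
}

/* protocolOp tag of one complete LDAPMessage, or -1 if malformed. */
long ldap_op_tag(const uint8_t *buf, size_t n) {
    size_t pos = 0;
    if (n < 2 || buf[pos++] != 0x30) return -1;    /* universal SEQUENCE */
    long len = ber_len(buf, n, &pos);
    if (len < 0 || (size_t)len != n - pos) return -1;  /* must span the buffer exactly */
    if (pos >= n || buf[pos++] != 0x02) return -1; /* messageID INTEGER */
    len = ber_len(buf, n, &pos);
    if (len < 1 || (size_t)len > n - pos) return -1;
    pos += (size_t)len;
    if (pos >= n) return -1;
    uint8_t id = buf[pos++];                       /* protocolOp identifier octet */
    if ((id & 0xc0) != BER_CLASS_APPLICATION || (id & 0x1f) == 0x1f) return -1;
    len = ber_len(buf, n, &pos);
    if (len < 0 || (size_t)len > n - pos) return -1;
    return id;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t sample_bind[] = {0x30,0x0c, 0x02,0x01,0x01, 0x60,0x07, 0x02,0x01,0x02, 0x04,0x00, 0x80,0x00};
const uint8_t sample_unbind[] = {0x30,0x05, 0x02,0x01,0x02, 0x42,0x00};

int main(void) {
    printf("bind op tag   0x%02lx\n", ldap_op_tag(sample_bind, sizeof sample_bind));
    printf("unbind op tag 0x%02lx\n", ldap_op_tag(sample_unbind, sizeof sample_unbind));
    return 0;
}
```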