Sorry to drag this further OT... I just wanted to point out that the
advice given wasn't correct.
* Jethro R Binks [2009-08-15 17:55]:
> On Sat, 15 Aug 2009, Peter Schober wrote:
> > No, operational attributes don't get returned unless explicitly
> > asked for, i.e. implicitly asking for all attributes by not
> > specifying any or explicitly asking for '*' won't get you
> > operational attributes.
>
> My very old OpenLDAP ldapsearch man page says:
>
> "If ldapsearch finds one or more entries, the attributes specified by
> attrs are returned. If * is listed, all user attributes are returned. If
> + is listed, all operational attributes are returned. If no attrs are
> listed, all attributes are returned."
Your interpretation of the above is and never was consistent with
either the LDAPv3 standard or the OpenLDAP implementation, and the
wording of that man page also has been changed to make this clearer.
(In 2.4.16 -- which I just happen to have at hand -- this now reads:
"If no attrs are listed, all *user* attributes are returned.",
my emphasis.)
> Since I want all attributes, I don't list any attrs (I wrote the nugget
> about 8 years ago).
Which, again, will not give you any operational attributes (with
conforming implementations):
"Some attributes, termed operational attributes, are used by servers
for administering the directory system itself. They are not
returned in search results unless explicitly requested by name."
(RFC 2251 from 1997, essentially the same in current RFC 4512)
See also RFC 3673, where the '+' notation was introduced to allow for
the discovery of operational attributes (so you don't have to request
them all by name). Something which wouldn't be necessary, if they'd be
actually returned from a search for "" or "*".
> I'm not sure I now know what an operational attribute is, even if I
> did then ...
http://tools.ietf.org/html/rfc4512#section-3.4
I'll follow up to the OP in a separate mail.
cheers,
-peter
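
The selection rules quoted in the mail above, modelled in a short Python sketch. This is an added example, not part of the original message and not OpenLDAP code. The entry, the OPERATIONAL set and the function name are constructed for illustration, and the "1.1" (no attributes) selector from RFC 4511 goes beyond what the mail discusses.

```python
# Added illustration of which attributes a conforming LDAPv3 server returns
# for a given requested-attributes list (RFC 4511 section 4.5.1.8, RFC 3673).

# Assumed set for this sample; a real server decides from the schema
# (attribute types with a USAGE other than userApplications, RFC 4512 s. 3.4).
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname",
               "modifiersname", "entryuuid"}

SAMPLE_ENTRY = {  # constructed sample entry
    "cn": ["Jane Doe"],
    "mail": ["jane@example.org"],
    "createTimestamp": ["20090815155500Z"],
    "modifiersName": ["cn=admin,dc=example,dc=org"],
}


def select_attributes(entry, requested):
    """Return the attributes of `entry` that would appear in a search result."""
    req = [r.lower() for r in requested]
    if req == ["1.1"]:
        return {}                          # "1.1" alone: no attributes at all
    all_user = not req or "*" in req       # empty list behaves like "*"
    all_oper = "+" in req                  # RFC 3673: all operational attributes
    named = {r for r in req if r not in ("*", "+", "1.1")}
    result = {}
    for name, values in entry.items():
        key = name.lower()                 # attribute names are case-insensitive
        is_oper = key in OPERATIONAL
        if key in named or (is_oper and all_oper) or (not is_oper and all_user):
            result[name] = values
    return result


if __name__ == "__main__":
    for req in ([], ["*"], ["+"], ["*", "+"], ["*", "createTimestamp"], ["1.1"]):
        print(f"{req!r:28} -> {sorted(select_attributes(SAMPLE_ENTRY, req))}")
```

An audit script that needs createTimestamp or modifiersName therefore has to pass those names, or "+", in addition to "*".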