On Sun, 16 Aug 2009, Peter Schober wrote:
> Sorry to drag this further OT... I just wanted to point out that the
> advice given wasn't correct.
I didn't give any advice, I just presented what I did, in context.
I appreciate that things may have changed subsequently, which is why I was
quite clear to point out I was using an old version. Your follow-up to
Andy was very interesting to read, and I hope it helps him, since my
contributions haven't.
Even if my not-advice was correct on the day of issue, it doesn't make it
correct at any point in the future. Such is life, and they are the
hazards of searching the Internet for solutions, as anyone here will
recognise.
Jethro.
>
> * Jethro R Binks <[log in to unmask]> [2009-08-15 17:55]:
> > On Sat, 15 Aug 2009, Peter Schober wrote:
> > > No, operational attributes don't get returned unless explicitly
> > > asked for, i.e. implicitly asking for all attributes by not
> > > specifying any or explicitly asking for '*' won't get you
> > > operational attributes.
> >
> > My very old OpenLDAP ldapsearch man page says:
> >
> > "If ldapsearch finds one or more entries, the attributes specified by
> > attrs are returned. If * is listed, all user attributes are returned. If
> > + is listed, all operational attributes are returned. If no attrs are
> > listed, all attributes are returned."
>
> Your interpretation of the above is and never was consistent with
> either the LDAPv3 standard or the OpenLDAP implementation, and the
> wording of that man page also has been changed to make this clearer.
> (In 2.4.16 -- which I just happen to have at hand -- this now reads:
> "If no attrs are listed, all *user* attributes are returned.",
> my emphasis.)
>
> > Since I want all attributes, I don't list any attrs (I wrote the nugget
> > about 8 years ago).
>
> Which, again, will not give you any operational attributes (with
> conforming implementations):
>
> "Some attributes, termed operational attributes, are used by servers
> for administering the directory system itself. They are not
> returned in search results unless explicitly requested by name."
> (RFC 2251 from 1997, essentially the same in current RFC 4512)
>
> See also RFC 3673, where the '+' notation was introduced to allow for
> the discovery of operational attributes (so you don't have to request
> them all by name). Something which wouldn't be necessary, if they'd be
> actually returned from a search for "" or "*".
>
> > I'm not sure I now know what an operational attribute is, even if I
> > did then ...
>
> http://tools.ietf.org/html/rfc4512#section-3.4
>
> I'll follow up to the OP in a separate mail.
> cheers,
> -peter
>
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
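
The attribute-selection rules cited in this thread (RFC 4511 section 4.5.1.8 for the empty list, "*" and "1.1"; RFC 3673 for "+"), modeled as an added example that is not part of either message and is not OpenLDAP code. The entry, its values and the short list of operational attribute types are constructed assumptions; a real server decides "operational" from the schema USAGE of each attribute type.

```python
# Added illustration of LDAP search attribute selection; not OpenLDAP code.

# Assumption: a small subset of attribute types with operational USAGE.
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname",
               "modifiersname", "entryuuid", "structuralobjectclass"}

# Constructed sample entry: user and operational attributes as stored.
ENTRY = {
    "cn": ["Test User"],
    "mail": ["test.user@example.org"],
    "objectClass": ["inetOrgPerson"],
    "createTimestamp": ["20090815175500Z"],
    "modifiersName": ["cn=admin,dc=example,dc=org"],
    "entryUUID": ["00000000-0000-0000-0000-000000000001"],
}


def is_operational(name):
    """Attribute descriptions are matched case-insensitively."""
    return name.lower() in OPERATIONAL


def select_attributes(entry, requested):
    """Return the attributes a conforming server sends for `requested`."""
    wanted = [r.lower() for r in requested]
    # "1.1" means "no attributes" only when it is the sole list item.
    if wanted == ["1.1"]:
        return {}
    all_user = not wanted or "*" in wanted   # empty list behaves like "*"
    all_operational = "+" in wanted          # RFC 3673 extension
    result = {}
    for name, values in entry.items():
        by_name = name.lower() in wanted     # explicit request always wins
        by_class = all_operational if is_operational(name) else all_user
        if by_name or by_class:
            result[name] = values
    return result


if __name__ == "__main__":
    for attrs in ([], ["*"], ["+"], ["*", "+"], ["cn", "createTimestamp"]):
        print(attrs, "->", sorted(select_attributes(ENTRY, attrs)))
```

Requesting both "*" and "+" is what returns every stored attribute; access controls on the server can still withhold individual values.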