This note provides additional information about subentries (defined in RFC 3672 and referenced in RFC 4512 and RFC 4533).
A Directory Information Tree (DIT) consists of one or more Entries. Entries may be of three types; an object entry (the most common entry type) consisting of user data contained in attributes within objectClasses; an alias entry having the objectClass alias with the single attribute aliasedObjectName; a subentry which is used to store administrative or operational data related (in some way) to its parent entry.
Subentries obey the normal entry rules but always use the STRUCTURAL objectClass subentry which may be extended with a subordinate STRUCTURAL objectClass or more frequently with an AUXILLIARY objectClass appropriate to the contents of the subentry.
# from RFC 3672 ( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )
Subentries are only displayed by default using a base search scope (they will not be displayed using a one or sub search scope).
The LDAP subentries control (1.3.6.1.4.1.4203.1.10.1) may be used to control visibility of subentries and entries.
Subentries can be quite confusing (we find most things in LDAP confusing) unless you either know they are there or are otherwise expecting them. The confusion is not helped by documentation references to administrative and/or operational subentries which are not, technically, subentries (they do not have a STRUCTURAL objectClass of subentry).
To illustrate the usage of subentries the subschema subentry is examined. The subschema subentry is defined to be supported by all LDAPv3 compliant servers. Its DN may be discovered by reading the subschemaSubentry from the rootDSE (using an anonymous read/search with a base DN of "" and search scope base). The subschema subentry is read using the discovered DN (typical value obtained from subschemaSubentry is cn=subschema) as base with a search scope of base (it will not be displayed if a search scope of one or sub is used). The subschema subentry uses the STRUCTURAL objectclass of subentry (shown above) and has an AUXILIARY objectclass of subschema:
# from RFC 4512 ( 2.5.20.1 NAME 'subschema' AUXILIARY MAY ( dITStructureRules $ nameForms $ ditContentRules $ objectClasses $ attributeTypes $ matchingRules $ ldapSyntaxes $ matchingRuleUse ) )
The search results will display the collections of all attributes, objectclasses, ldapSyntaxes and matching rules supported by the LDAP server. The resulting data, even in a modest LDAP server will typically exceed 90K.
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
Contents
tech info
guides home
intro
contents
1 objectives
big picture
2 concepts
3 ldap objects
quickstart
4 install ldap
5 samples
6 configuration
7 replica & refer
reference
8 ldif
9 protocol
10 ldap api
operations
11 howtos
12 trouble
13 performance
14 ldap tools
security
15 security
appendices
notes & info
ldap resources
rfc's & x.500
glossary
ldap objects
change log
This work is licensed under a
Creative Commons License.
If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox
Search
Share
Page
Resources
Systems
FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux
Software
LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns
Organizations
Open Source Initiative
Creative Commons
Misc.
Ibiblio - Library
Open Book Project
Open Directory
Wikipedia
Site
Copyright © 1994 - 2024 ZyTrax, Inc. All rights reserved. Legal and Privacy |
site by zytrax hosted by javapipe.com |
web-master at zytrax Page modified: January 20 2022. |