<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.comp.ldap.umich">
    <title>gmane.comp.ldap.umich</title>
    <link>http://blog.gmane.org/gmane.comp.ldap.umich</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3222"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3221"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3220"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3219"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3218"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3217"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3216"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3215"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3214"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3213"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3212"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3211"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3210"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3209"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3208"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3207"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3206"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3205"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3204"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.ldap.umich/3203"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3222">
    <title>Re: Guessing root DNs for active directory</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3222</link>
    <description>Mark,

Finally got to give this a try. One small mistake on your part: it's
_ldap._tcp.domain. Corrected queries below. Just pointing this out so as
not to frustrate anyone who finds this thread later.

On Mon, Oct 13, 2008 at 11:36 AM, Mark H. Wood &lt;mwood-/Nmu/ALlonGHXe+LvDLADg&lt; at &gt;public.gmane.org&gt; wrote:

_ldap._tcp.baz.bar.foo.xcorp.com  SRV
_ldap._tcp.bar.foo.xcorp.com      SRV
_ldap._tcp.foo.xcorp.com          SRV
_ldap._tcp.xcorp.com              SRV


</description>
    <dc:creator>Justin Dearing</dc:creator>
    <dc:date>2008-10-25T19:09:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3221">
    <title>Re: newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3221</link>
    <description>


You should probably get an LDAP book or read a few online tutorials.
That said, the approach depends on whether you use groups or roles.

groups-
Do a filter on (&amp;(objectClass=groupOfNames)(cn=TEAM-NAME)) and grab
all the member attributes. Then you have to scan through each member in
a second pass.

roles-
Just do a filter on the role itself and you get the members in the
first pass.

On a side note, while there may be some disagreement on this list about
the use of groupOfUniqueNames, the fact is it's used almost
interchangeably with groupOfNames these days (I do it) and you should
always be ready to support it.

You can do that by writing the appropriate filters:

(&amp;(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(cn=TEAM-NAME))

And then determining how to read the entry (member vs. uniqueMember) or
have a configuration file that specifies the filter and attribute to
look at.

</description>
    <dc:creator>Dustin Puryear</dc:creator>
    <dc:date>2008-10-22T15:57:42</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3220">
    <title>Re: newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3220</link>
    <description>


What you are trying to do is just create a set of users and teams
(groups of users). You can use LDAP groups or roles for the team
implementation. Let's just use groups.

root
- users
</description>
    <dc:creator>Dustin Puryear</dc:creator>
    <dc:date>2008-10-22T15:27:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3219">
    <title>Re: newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3219</link>
    <description>Hello Dustin,

thanks for answering.
Nice to hear that I do not have to modify a lot :-)

But there's one answer left. How can I search for all members of a  
certain team.
e.g.: I want to have a list of sn,mail,phone of all members of team a

I have no idea how to create this type of search ?

any help appreciated.....GERD.....



On 22.10.2008 at 17:27, Dustin Puryear wrote:




</description>
    <dc:creator>Gerd Koenig</dc:creator>
    <dc:date>2008-10-22T15:38:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3218">
    <title>newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3218</link>
    <description>Hello again,

in my first email there was a copy-paste error.

The dn of the teams are also of the format
dn=&lt;teamname&gt;,ou=teams,dc=example,dc=com

any help appreciated....GERD....



</description>
    <dc:creator>Gerd König</dc:creator>
    <dc:date>2008-10-21T06:14:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3217">
    <title>newbie question: how to put company structure to ldap</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3217</link>
    <description>Hello,

I'm going to create an LDAP directory for the company to have a central
place for user administration.
I've started with an example found on the web. First of all I created
the top level dc=example,dc=com and the manager
(cn=manager,dc=example,dc=com).
Afterwards I created 2 organizational units:
ou=persons
ou=teams
and filled them with content (see at bottom of the email).

I'm in doubt if this is the correct way to build the directory and
"connect" each user to its team. I only set the "ou=" property of each
person to its teamname, and added one "member=" entry for each person to
the team-object. I'm not happy with such setting.

What if a person changes the team, do I have to update the person's
"ou=" and the "member=" section of the teams ??

Is this really the way to implement such a company-&gt;team-&gt;person hierarchy ?

any help appreciated....GERD....

dn: cn=Tinky Winky,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
sn: Tinky
cn: Tinky Winky
uid: twinky
userpassword: twinky
ou: support

dn: cn=Dipsy,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
sn: Dipsy
cn: Dipsy
uid: dipsy
userpassword: dipsy
ou: support

dn: cn=Laa Laa,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
sn: Laa
cn: Laa Laa
uid: laa
userpassword: laa
ou: marketing

## team MARKETING
dn: cn=marketing,ou=teams,dc=transporeon,dc=nil
objectclass: groupofnames
cn: marketing
description: team marketing
member: cn=Laa Laa,ou=people,dc=transporeon,dc=nil

## team SUPPORT
dn: cn=support,ou=teams,dc=transporeon,dc=nil
objectclass: groupofnames
cn: support
description: team support
member: cn=Tinky Winky,ou=people,dc=transporeon,dc=nil
member: cn=Dipsy,ou=people,dc=transporeon,dc=nil




</description>
    <dc:creator>Gerd König</dc:creator>
    <dc:date>2008-10-21T06:01:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3216">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3216</link>
    <description>
Sorry, no.  It's irritating but normal for LDAP clients to try several
searches until one succeeds, and to not offer a way to turn off searches
that the user knows will find nothing.  Furthermore "no such object" can
mean user misconfiguration - "you must point the group base DN at an
actual entry" while no search results is normal.  Assuming that group DN
is actually configured and necessary, of course.

I've lost track of this discussion a bit, but anyway: Possibly it would
help to point the group DN at the parent entry so that a search for the
"group" will find users too.  Depends on whether group searches use
subtree scope and filter for groups.

</description>
    <dc:creator>Hallvard B Furuseth</dc:creator>
    <dc:date>2008-10-20T14:09:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3215">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3215</link>
    <description>
WebLogic has a problem which is independent of the LDAP service's
behavior: it is searching the wrong context.  If this is not the
result of misconfiguration by the customer, then they should fix that.
I would simply refuse *any* arguments concerning the LDAP response to
an incorrect query until the query is corrected.  I would keep
pointing to the error in WebLogic until it is acknowledged.

</description>
    <dc:creator>Mark H. Wood</dc:creator>
    <dc:date>2008-10-20T13:26:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3214">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3214</link>
    <description>
In any case the LDAP client should also handle noSuchObject more
gracefully. Although more thorough analysis should be done I think in
this particular case noSuchObject could also be handled the same way
like no group entry found. And that's exactly what I meant with "In most
cases the handling is mainly the same".

Ciao, Michael.


</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-10-17T14:50:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3213">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3213</link>
    <description>
LOL. You are right, BEA was purchased by Oracle. They are indeed both
Oracle products.

What I am not sure is whether Oracle Virtual Directory sends the LDAP
Error 32 by default; or if it is the implementation of the product at
our organization. I suspect it is the latter.

Thanks,
Sharad


</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-17T14:46:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3212">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3212</link>
    <description>Looking back to the request's base:

String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";

if the ou=groups,ou=VgnLDAPRealm,dc=vgndomain branch does not exist in your LDAP DIT, then you will get a NoSuchObject resultcode.

Your LDAP server is compliant if you get this result. 

Now the funniest part: WebLogic and Oracle Virtual Directory (AFAIR,
OctetString product) are _both_ Oracle products ;) Either Oracle or
Oracle is not compliant somewhere...

</description>
    <dc:creator>Emmanuel Lecharny</dc:creator>
    <dc:date>2008-10-17T14:33:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3211">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3211</link>
    <description>
WebLogic is the application in question. WebLogic allows us to define Authenticators (code that connects to the LDAP server). Once an Authenticator is defined, WebLogic offers a UI where all users and groups can be listed. 

The group listing fails because of some code in WebLogic that tries to find the description of a group. They have a generic function getdescription() that is used for both users and groups. It ends up searching for the group in the user base DN. And our LDAP returns an Error 32.

As far as I can tell, WebLogic should not be searching for the group in the user context. But it is doing that. By the same token, the LDAP should not return LDAP Error 32. But it is doing that. And, together, the twain are resulting in the user seeing a stack trace instead of the Group listing.

This puts me in a tough predicament. Both parties have a plausible argument. WebLogic complains that the LDAP is not standards compliant. And LDAP complains that WebLogic should not search for groups in the user DN. And if it does, it should handle/ignore the error.

All - I really appreciate the various pointers I have received from this wonderful community. 

Thank you,
Sharad


</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-17T14:03:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3210">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3210</link>
    <description>
That's why I wrote "In most cases the handling is mainly the same".
                       ^^^^                       ^^^^^^

Most LDAP clients are not nifty interactive clients which try to guide
the user what to do next. Most LDAP clients just log an error. While I'm
pretty eager with fine-grained error handling in web2ldap I find myself
writing the same application-level error handling for 1. noSuchObject
and 2. empty result sets for simple cases. Only the log messages differ.

So I'd be interested which LDAP clients the original poster is working
with and which problems he experienced.

Ciao, Michael.


</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-10-17T11:55:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3209">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3209</link>
    <description>Good example. I would say the LDAP server was sending back a non-standard
response for that situation then. 

   joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

</description>
    <dc:creator>joe</dc:creator>
    <dc:date>2008-10-15T16:18:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3208">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3208</link>
    <description>

RFC-4511, section 4.1.9 Result Message

-Dieter

</description>
    <dc:creator>Dieter Kluenter</dc:creator>
    <dc:date>2008-10-15T16:20:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3207">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3207</link>
    <description>Thanks Joe. Appreciate your patience.

Is there some kind of authoritative source I could cite when I have this
discussion with the LDAP administrators? They are just telling me that
the application should handle the error and that LDAP Error 32 is 'No
Such Object'. And since there is no (uid=foo) object, it is standards
compliant behavior for the server to return LDAP Error 32.

Thanks,
Sharad

</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-15T16:22:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3206">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3206</link>
    <description>Hi Joe,

Thank you for elaborating on that. 

I think I was asking too generic a question. Here are two specific
queries to the Oracle Virtual Directory server, both using the same bind
information. One succeeds, the other fails. The only difference between
the two is that one is searching for (uid=vgnadmin) and the other for
(uid=foo).

Query:
~~~~
        String searchBase = "ou=People,dc=fmr,dc=com";
        String searchFilter = "(uid=vgnadmin)"; //WORKS
~~~~

Output:
~~~~
LDAPEntry: uid=vgnadmin,ou=People,dc=fmr,dc=com; LDAPAttributeSet:
LDAPAttribute: {type='cn', value='vgnadmin, VDS'}
~~~~

Query:
~~~~
        String searchBase = "ou=People,dc=fmr,dc=com";
        String searchFilter = "(uid=foo)"; //FAILS
~~~~

Output:
~~~~
Error: LDAPException: No Such Object (32) No Such Object
LDAPException: Server Message: LDAP Error 32 : No Such Object
~~~~

-----Original Message-----
From: joe [mailto:joe-VdL7z5lOYoXR7s880joybQ&lt; at &gt;public.gmane.org] 
Sent: Wednesday, October 15, 2008 11:27 AM
To: Agarwal, Sharad; adam-3SybyYu0gLN2ZeWMVSxU7w&lt; at &gt;public.gmane.org; ldap-63aXycvo3TyHXe+LvDLADg&lt; at &gt;public.gmane.org
Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set

Does a base level search with a filter of objectclass=* return the base
object or does it return an error? Alternately if you change your filter
to objectclass=* and leave the rest of the query the same does it work?

I could this being a problem with your search base as well as the DN
specified for the uniqueMember match. Either of which not existing or
you not having access rights to see them.

   joe

 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: bounce-ldap-5210650-JX7+OpRa80TPh+ypUGD3Ib+LScJ5NNVl&lt; at &gt;public.gmane.org
[mailto:bounce-ldap-5210650-JX7+OpRa80TPh+ypUGD3Ib+LScJ5NNVl&lt; at &gt;public.gmane.org] On Behalf Of Agarwal, Sharad
Sent: Wednesday, October 15, 2008 11:10 AM
To: adam-3SybyYu0gLN2ZeWMVSxU7w&lt; at &gt;public.gmane.org; ldap-63aXycvo3TyHXe+LvDLADg&lt; at &gt;public.gmane.org
Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set

Thanks Adam.

My apologies, I should have been more clear on that front. Both the
searchBase and bind information is valid. The only thing out of order
(if we can call it that) is that the search is for something that does
not exist. Put another way, we are searching for an item that does not
exist in the searchBase.

If the standard behavior for an LDAP server is to NOT give an error, can
you please point me to an authoritative source that I could cite to the
LDAP administrators?

Thanks,
Sharad

-----Original Message-----
From: bounce-ldap-5778666-JX7+OpRa80TPh+ypUGD3Ib+LScJ5NNVl&lt; at &gt;public.gmane.org
[mailto:bounce-ldap-5778666-JX7+OpRa80TPh+ypUGD3Ib+LScJ5NNVl&lt; at &gt;public.gmane.org] On Behalf Of Adam Tauno Williams
Sent: Wednesday, October 15, 2008 11:04 AM
To: ldap-63aXycvo3TyHXe+LvDLADg&lt; at &gt;public.gmane.org
Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set


I suppose, if the specified searchBase does not exist or potentially if
the simple bind fails (the latter isn't "correct" AFAIK, but I've seen
it in the wild).

"(&amp;(uniquemember=cn=Administrators,ou=groups,ou=VgnLDAPRealm,dc=vgndomai

</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-15T16:16:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3205">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3205</link>
    <description>
On Oct 16, 2008, at 1:19 AM, Emmanuel Lecharny wrote:


Actually, there are cases where it is appropriate.  For instance, when  
the user is not authorized to know if the searchBase exists.  But this  
case doesn't seem to apply here.

What should be clear is that by returning noSuchObject, the server is  
reporting that the baseObject of the search does not exist.  This  
quite different than reporting there are no entries which match the  
search criteria.

</description>
    <dc:creator>Kurt Zeilenga</dc:creator>
    <dc:date>2008-10-16T15:53:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3204">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3204</link>
    <description>


--On Thursday, October 16, 2008 4:29 PM +0200 Pierangelo Masarati &lt;ando-M4bTUdDEyImonA0d6jMUrA&lt; at &gt;public.gmane.org&gt; wrote:


I agree. Client software should behave differently under an error condition than it would with an empty search result. That's why this discussion is not trivial or nonsense.


Ah, but the expected behavior is *not* well explained in this case. Appendix A only has this for the description of noSuchObject:

"Indicates that the object does not exist in the DIT."

Well, *which* object? It's not too much of a stretch to interpret that as "the object for which you were searching does not exist". In which case the server developer might feel justified in returning noSuchObject for an empty search.

I believe that the interpretation should be that an object for a supplied DN (i.e., the bind DN or the search base) doesn't exist. You don't know the DN of the object you are searching for, so you haven't supplied it. Therefore the noSuchObject shouldn't be returned. But just because I &amp; others interpret it that way doesn't mean it's clear to everyone.

There should either be wording to specify that an empty search should or must not return noSuchObject, or the definition of that result code should be worded more explicitly to remove the ambiguity.

  -paul

-- 
Paul D. Engle                       | Rice University
Sr. Systems Administrator, RHCE     | Information Technology - MS119
713-348-4702                        | PO Box 1892
pengle-OhmvVRJSr/I&lt; at &gt;public.gmane.org                     | Houston, TX 77251-1892



</description>
    <dc:creator>Paul Engle</dc:creator>
    <dc:date>2008-10-16T15:03:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3203">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3203</link>
    <description>
----- "Michael Ströder" &lt;michael-rG38yQ/2uf9Wk0Htik3J/w&lt; at &gt;public.gmane.org&gt; wrote:


Let me disagree: from an implementation point of view, it depends on what a client is supposed to do.  If the client's task is over after the search response is returned, I might agree.  But in any case, from a(n informed) user's perspective, the two responses are not the same.  In case of "success", no entry matched the search criteria, while in case of "noSuchObject" one search criterium, the searchBase, was inappropriate.  I concur that this whole discussion is a little nonsense, as I believe the expected behavior is so well explained in RFC 4511, which is the sole authoritative source of information for this topic, that there is no point in discussing it any further.  Also, I believe many implementations 'round do not conform yet to RFC 451*, as they might still conform to RFC 225* (like OpenLDAP 2.3 itself).  However, I don't see much difference with respect to this issue.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando-M4bTUdDEyImonA0d6jMUrA&lt; at &gt;public.gmane.org
-----------------------------------



</description>
    <dc:creator>Pierangelo Masarati</dc:creator>
    <dc:date>2008-10-16T14:29:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.ldap.umich/3202">
    <title>Re: LDAP Error 32 v/s Empty Result Set</title>
    <link>http://permalink.gmane.org/gmane.comp.ldap.umich/3202</link>
    <description>
I wonder why that's such a big issue at all. When implementing LDAP
client software one has to handle noSuchObject and an empty result set
anyway. In most cases the handling is mainly the same.

Ciao, Michael.


</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-10-16T08:37:43</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.comp.ldap.umich">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.ldap.umich</link>
  </textinput>
</rdf:RDF>
