RootDSE Search on eDirectory

0 Likes
over 11 years ago

Product/Component Concerned: eDirectory / LDAP

Target Audience: Beginners

Platform: All (Demonstrated on Linux)



What is RootDSE?


RootDSE stands for Root DSA (Directory Service Agent) Specific Entry, which is the root of the LDAP server. This entry is a pseudo object in the tree, which means it's an unnamed entry at the root of the tree. This entry holds the configuration information about the connected eDirectory server. As mentioned, the rootDSE is an unnamed entry, a search against the eDirectory tree won't return you the rootDSE object.



What information does the RootDSE contain?


The following is list contains the most common information that a rootDSE holds.



  • The location of the schema

  • Supported Extensions

  • Supported Controls

  • Vendor name and version of the Server

  • The DSA Name of the server

  • Tree Name

  • Supported SASL Mechanisms

  • Versions of LDAP supported

  • LDAP server statistics (includes the number of operations happened, referral mechanism used etc)



How to get the information from the RootDSE?


All the above information can be read by doing a simple LDAP search against the RootDSE object using the following settings:



  • Set the search base to an empty string

  • Set the search filter to objectclass=* (which is the default filter of the ldapsearch tool)

  • Set the search scope to BASE


This can be done through the ldapsearch tool or even through a simple application written using any LDAP SDK.


So, the ldapsearch to do the RootDSE search would look like:


ldapsearch  -h <hostname>  -p <port number>  -b ""  -s base  "objectclass=*"



The following is the sample output of the RootDSE search:


subschemaSubentry: cn=schema 
supportedGroupingTypes: 2.16.840.1.113719.1.27.103.8
namingContexts:
supportedExtension: 2.16.840.1.113719.1.148.100.1
supportedExtension: 2.16.840.1.113719.1.148.100.3
supportedExtension: 2.16.840.1.113719.1.148.100.5
supportedExtension: 2.16.840.1.113719.1.148.100.7
supportedExtension: 2.16.840.1.113719.1.148.100.9
supportedExtension: 2.16.840.1.113719.1.148.100.11
supportedExtension: 2.16.840.1.113719.1.148.100.13
supportedExtension: 2.16.840.1.113719.1.148.100.15
supportedExtension: 2.16.840.1.113719.1.148.100.17
supportedExtension: 2.16.840.1.113719.1.39.42.100.1
supportedExtension: 2.16.840.1.113719.1.39.42.100.3
supportedExtension: 2.16.840.1.113719.1.39.42.100.5
supportedExtension: 2.16.840.1.113719.1.39.42.100.7
supportedExtension: 2.16.840.1.113719.1.39.42.100.9
supportedExtension: 2.16.840.1.113719.1.39.42.100.11
supportedExtension: 2.16.840.1.113719.1.39.42.100.13
supportedExtension: 2.16.840.1.113719.1.39.42.100.15
supportedExtension: 2.16.840.1.113719.1.39.42.100.17
supportedExtension: 2.16.840.1.113719.1.39.42.100.19
supportedExtension: 2.16.840.1.113719.1.39.42.100.21
supportedExtension: 2.16.840.1.113719.1.39.42.100.23
supportedExtension: 2.16.840.1.113719.1.39.42.100.25
supportedExtension: 2.16.840.1.113719.1.27.100.1
supportedExtension: 2.16.840.1.113719.1.27.100.3
supportedExtension: 2.16.840.1.113719.1.27.100.5
supportedExtension: 2.16.840.1.113719.1.27.100.7
supportedExtension: 2.16.840.1.113719.1.27.100.11
supportedExtension: 2.16.840.1.113719.1.27.100.13
supportedExtension: 2.16.840.1.113719.1.27.100.15
supportedExtension: 2.16.840.1.113719.1.27.100.17
supportedExtension: 2.16.840.1.113719.1.27.100.19
supportedExtension: 2.16.840.1.113719.1.27.100.21
supportedExtension: 2.16.840.1.113719.1.27.100.23
supportedExtension: 2.16.840.1.113719.1.27.100.25
supportedExtension: 2.16.840.1.113719.1.27.100.27
supportedExtension: 2.16.840.1.113719.1.27.100.29
supportedExtension: 2.16.840.1.113719.1.27.100.31
supportedExtension: 2.16.840.1.113719.1.27.100.33
supportedExtension: 2.16.840.1.113719.1.27.100.35
supportedExtension: 2.16.840.1.113719.1.27.100.37
supportedExtension: 2.16.840.1.113719.1.27.100.39
supportedExtension: 2.16.840.1.113719.1.27.100.41
supportedExtension: 2.16.840.1.113719.1.27.100.96
supportedExtension: 2.16.840.1.113719.1.27.100.98
supportedExtension: 2.16.840.1.113719.1.27.100.101
supportedExtension: 2.16.840.1.113719.1.27.100.103
supportedExtension: 2.16.840.1.113719.1.142.100.1
supportedExtension: 2.16.840.1.113719.1.142.100.4
supportedExtension: 2.16.840.1.113719.1.142.100.6
supportedExtension: 2.16.840.1.113719.1.27.100.9
supportedExtension: 2.16.840.1.113719.1.27.100.43
supportedExtension: 2.16.840.1.113719.1.27.100.45
supportedExtension: 2.16.840.1.113719.1.27.100.47
supportedExtension: 2.16.840.1.113719.1.27.100.49
supportedExtension: 2.16.840.1.113719.1.27.100.51
supportedExtension: 2.16.840.1.113719.1.27.100.53
supportedExtension: 2.16.840.1.113719.1.27.100.55
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 2.16.840.1.113719.1.27.100.79
supportedExtension: 2.16.840.1.113719.1.27.100.84
supportedExtension: 2.16.840.1.113719.1.27.103.1
supportedExtension: 2.16.840.1.113719.1.27.103.2
supportedControl: 2.16.840.1.113719.1.27.101.6
supportedControl: 2.16.840.1.113719.1.27.101.5
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113719.1.27.103.7
supportedControl: 2.16.840.1.113719.1.27.101.40
supportedControl: 2.16.840.1.113719.1.27.101.41
supportedSASLMechanisms: NMAS_LOGIN
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 2.16.840.1.113719.1.27.99.1
vendorName: Novell, Inc.
vendorVersion: LDAP Agent for Novell eDirectory 8.8 SP6 (20601.12)
dsaName: cn=PALSLES10,o=novell
directoryTreeName: PALEVT
outBytes: 95046447
inBytes: 119500
repUpdatesOut: 0
repUpdatesIn: 0
errors: 0
securityErrors: 0
chainings: 0
referralsReturned: 0
extendedOps: 1862
abandonOps: 0
wholeSubtreeSearchOps: 1862
oneLevelSearchOps: 0
searchOps: 1867
listOps: 0
modifyRDNOps: 0
modifyEntryOps: 0
removeEntryOps: 0
addEntryOps: 0
compareOps: 0
readOps: 5
inOps: 7466
bindSecurityErrors: 0
strongAuthBinds: 0
simpleAuthBinds: 1869
unAuthBinds: 1462



The following details can be inferred from the above output:











Location of the schema

cn=schema (the subschema subentry). This entry can be given as the 'BASE' of a LDAP search and the schema can be read



Supported Extensions

Extensions are in ASN.1OID format. Each OID corresponds to a different extension (like adding new replicas, refreshing the LDAP server, etc)



Supported Controls

Controls are in ASN.1OID format. Each OID corresponds to a different control (like paged results, server side sort etc)



Vendor name and version of the server

Novell, Inc is the vendor Name
LDAP Agent for Novell eDirectory 8.8 SP6 (20601.12) is the version



The DSA name of the server

cn=PALSLES10,o=novell



Tree Name

PALEVT



Supported SASL Mechanisms

NMAS_LOGIN



Versions of LDAP supported

2 and 3



LDAP server statistics (includes the number of operations happened, referral mechanism used etc)
Sample Data:

----------------

SearchOps: 1867 ? Specifies the number of searches that had been done on the server



simpleAuthBinds: 1869 ? Specifies the number of authenticated binds that had been done on the server



unAuthBinds: 1462? Specifies the number of anonymous binds that had been done on the server



Chainings: 0 ? Chaining Count



referralsReturned: 0 ? Referral Count



extendedOps: 1862 ? Specifies the number of extended operations that had been done on the server




Labels:

How To-Best Practice
Comment List
Anonymous
  • The LDAP server statistics, as returned in a RootDSE search, are not reliable.
  • iMonitor shows the server parameters under the pseudo server object. The attribute shows readable, but it doesn't look like there is an LDAP extension for the attribute.

    Customer has implemented ARC. It would be nice to do an ldap search to see what server parameters are configured on the box for reporting purposes. This way we could have an easy report of what servers have ARC configured and what ones don't.

    This would also be nice to have a tree wide iMonitor report for server parameters.

    Thanks,
    Fred
Related Discussions
Recommended