On 12/14/2015 11:16 PM, Frank Munsche wrote:

Hi Guys,

I'm trying to understand why ldapsearch returns some objects of the DIT only when the dn is set to the object I'm looking for and the search scope has to be base, e.g.:

There is an object at the dn: cn=repl keep alive 1,dc=example,dc=org
A search operation using dc=example,dc=org as base and the scope 'sub' will not return the entry. Setting the search base to the object itself does not work either:

ldapsearch -H ldap://ldap.example.org -D "cn=directory manager" -w secret -ZZZ -x -s sub -b "cn=repl keep alive 1,dc=example,dc=org"
# extended LDIF
#
# LDAPv3
# base <cn=repl keep alive 1,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 0 Success

But using the object's dn and setting the scope to 'base' does return the entry:

ldapsearch -H ldap://ldap.example.org -D "cn=directory manager" -w secret -ZZZ -x -s base -b "cn=repl keep alive 1,dc=example,dc=org"
# extended LDIF
#
# LDAPv3
# base <cn=repl keep alive 1,dc=example,dc=org> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# repl keep alive 1, example.org
dn: cn=repl keep alive 1,dc=example,dc=org
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
cn: repl keep alive 1

# search result
search: 3
result: 0 Success

Does someone have an explanation for this?


Yes.  This entry is an "ldapSubEntry".  Entries with this objectclass do not appear in regular searches.  They only appear if you a) include (objectclass=ldapsubentry) in your search filter or b) specify the DN exactly as the base DN.

thank you,

cheers, frank
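
The visibility rule from the reply, as an added example that is not part of the original thread and not directory server code: a small in-memory Python model that reproduces the two ldapsearch results above and lists the entries a default subtree search leaves out, which matters when a subtree dump is used to audit a directory. The sample directory, the function names, and the reading of option b) as scope base (taken from the two transcripts) are assumptions; only single (objectclass=<value>) filters are modelled.

```python
import re

# Constructed sample directory: DN -> objectClass values (not real data).
KEEPALIVE = "cn=repl keep alive 1,dc=example,dc=org"
DIRECTORY = {
    "dc=example,dc=org": ["top", "domain"],
    "ou=people,dc=example,dc=org": ["top", "organizationalUnit"],
    "uid=alice,ou=people,dc=example,dc=org": ["top", "person"],
    KEEPALIVE: ["top", "ldapsubentry", "extensibleObject"],
}

def rdns(dn):
    """Split a DN into lower-cased RDNs (sample DNs have no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn, base, scope):
    """True if dn lies within base for scope 'base', 'one' or 'sub'."""
    entry, root = rdns(dn), rdns(base)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False
    depth = len(entry) - len(root)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(base, scope="sub", filt="(objectclass=*)"):
    """Return matching DNs, hiding subentries the way the thread describes."""
    m = re.fullmatch(r"\(objectclass=([^()]+)\)", filt.strip(), re.I)
    if not m:
        raise ValueError("model only handles (objectclass=<value>) filters")
    wanted = m.group(1).strip().lower()
    found = []
    for dn, classes in DIRECTORY.items():
        classes = [c.lower() for c in classes]
        if not in_scope(dn, base, scope):
            continue
        if wanted != "*" and wanted not in classes:
            continue
        # Subentries are returned only when the filter names ldapsubentry
        # or the entry itself is read with scope base.
        if "ldapsubentry" in classes and wanted != "ldapsubentry" and scope != "base":
            continue
        found.append(dn)
    return found

def missed_by_subtree_search(base):
    """Entries under base that a default subtree search does not return."""
    visible = set(search(base, "sub"))
    subentries = search(base, "sub", "(objectclass=ldapsubentry)")
    return [dn for dn in subentries if dn not in visible]

if __name__ == "__main__":
    print(missed_by_subtree_search("dc=example,dc=org"))
```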