Include cn=config and cn=monitor in namingContexts

389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux

https://www.port389.org/

Other

211 stars 91 forks source link

Include cn=config and cn=monitor in namingContexts #2689

Open 389-ds-bot opened 4 years ago

389-ds-bot commented 4 years ago

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/49630

Created at 2018-04-04 10:11:04 by cheimes
Assigned to nobody

Tools like Apache Directory Studio use namingContexts on root DSE to show all available trees. In 389-DS, the multi-valued attribute doesn't contain cn=config and cn=monitor.

$ ldapsearch -x -s base -b '' namingContexts
dn:
namingContexts: cn=changelog
namingContexts: dc=ipa,dc=example
namingContexts: o=ipaca

Please consider to include both in-memory databases in namingContexts. The lack of cn=config in namingContexts makes rather inconvenient to explore 389-DS configuration with Apache Directory Studio.

389-ds-bot commented 4 years ago

Comment from firstyear (@Firstyear) at 2018-04-05 14:41:34

I'm on the fence about this. On one hand the standard says all backends should be in the namingContexts section for discoverability.

On the other, these are internal details of the server, which are not real backends - they are "implementation details". Think of it as the "operational attribute" of backends.

I'm erring to standards correctness however, because I think we should do the "right thing", as obscurity does not add security or other niceness, and this is generally only use by applications like apache dirstudio.

389-ds-bot commented 4 years ago

Comment from firstyear (@Firstyear) at 2018-04-05 14:41:35

Metadata Update from @Firstyear:

Custom field component adjusted to None
Custom field origin adjusted to None
Custom field reviewstatus adjusted to None
Custom field type adjusted to None
Custom field version adjusted to None

389-ds-bot commented 4 years ago

Comment from tbordaz (@tbordaz) at 2018-04-05 15:43:49

In the sense of https://tools.ietf.org/html/rfc4512#section-5, cn=config and cn=monitor being root of subordinates entries are namingcontext of the server. So I tend to agree with the proposal. I do not see special difficulty to implement it. The only non namingcontext being the root DSE.

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2018-04-05 17:38:18

Metadata Update from @mreynolds389:

Issue set to the milestone: 1.4 backlog

tacerus commented 3 years ago

Hi, is there an update on this?