Question regarding LDAP_SCOPE_ONELEVEL
I am doing an OpenLDAP 2.2.18/Cyrus/Heimdal setup according to http://www.opentechnet.com/auth-howto/ar01s06.html.
At the point in chapter 6.2 where Jose advises to raise the scope of the ldap KDC database, all works fine.
(He starts out having ldap:ou=kerberos,dc=example,dc=com, and changes it to ldap:dc=example,dc=com because he stores kerberos-only accounts (kadmin/admin, ldapmaster and the likes) in a different subtree than real people with real names (they go in ou=people,dc=example,dc=com). I like this approach, because it keeps the public tree clean.)
Anyways, after doing that, and starting
$ kadmin -l
> list *
I get nothing back.
My slapd server tells me that uidnumber=0+gidnumer=0,ou=kerberos,cn=peercred,cn=auth is looking with scope == 1.
Now, after digging in the heimdal code, I found that hdb-ldap.c indeed looks with LDAP_SCOPE_ONELEVEL inside LDAP__lookup_princ() and LDAP_firstkey().
Is there any reason for this, or might it be changed to LDAP_SCOPE_SUBTREE without breaking existing functionality?
(LDAP_SCOPE_SUBTREE according to www.openldap.org: search the object and all its descendants, LDAP_SCOPE_ONELEVEL: search the object's immediate children. So, as far as I can see, the change to LDAP_SCOPE_SUBTREE cannot do any harm.)
Are there other spots in the code that I might have missed (find . -type f | xargs grep ldap_search only yields hdb-ldap.c)?
(This mail was sent from my current employer's mail domain, although the company has nothing to do with my request. This request is purely private and expresses my personal thoughts.)
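The scope behaviour described in this mail, as an added illustration that is not part of the original message or of Heimdal's hdb-ldap.c: a small model of ldap_search() scopes run over a constructed directory tree, showing that a KDC base of dc=example,dc=com searched with LDAP_SCOPE_ONELEVEL sees only the ou= containers, while LDAP_SCOPE_SUBTREE (or ONELEVEL under ou=kerberos) finds the principals. The sample DNs and the krb5PrincipalName attribute name are assumptions; DN parsing is naive (no escaping).

```python
# Added example: model of LDAP search scopes, not Heimdal code.
# Directory content below is constructed for illustration only.

LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE = 0, 1, 2

# Constructed sample DIT: kerberos-only accounts under ou=kerberos,
# real people under ou=people, as in the howto layout discussed above.
SAMPLE_DIT = [
    "dc=example,dc=com",
    "ou=kerberos,dc=example,dc=com",
    "krb5PrincipalName=kadmin/admin@EXAMPLE.COM,ou=kerberos,dc=example,dc=com",
    "krb5PrincipalName=ldapmaster@EXAMPLE.COM,ou=kerberos,dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "uid=jose,ou=people,dc=example,dc=com",
]


def dn_components(dn):
    """Split a DN into normalised RDNs, root first (naive: ',' never escaped)."""
    return [rdn.strip().lower() for rdn in dn.split(",")][::-1]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is selected by a search rooted at base_dn with scope."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if entry[:len(base)] != base:
        return False                  # not under the base at all
    depth = len(entry) - len(base)    # 0 = the base entry itself
    if scope == LDAP_SCOPE_BASE:
        return depth == 0
    if scope == LDAP_SCOPE_ONELEVEL:
        return depth == 1             # immediate children only
    return True                       # SUBTREE: base and all descendants


def search(base_dn, scope, dit=SAMPLE_DIT, attr="krb5principalname"):
    """Model of ldap_search(): DNs in scope whose leaf RDN attribute is attr."""
    return [dn for dn in dit
            if in_scope(dn, base_dn, scope)
            and dn_components(dn)[-1].split("=", 1)[0] == attr]


if __name__ == "__main__":
    for scope, name in ((LDAP_SCOPE_ONELEVEL, "ONELEVEL"),
                        (LDAP_SCOPE_SUBTREE, "SUBTREE")):
        print(name, "under dc=example,dc=com:", search("dc=example,dc=com", scope))
    print("ONELEVEL under ou=kerberos:",
          search("ou=kerberos,dc=example,dc=com", LDAP_SCOPE_ONELEVEL))
```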