[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Question regarding LDAP_SCOPE_ONELEVEL


I am doing a OpenLDAP 2.2.18/Cyrus/Heimdal setup according to http://www.opentechnet.com/auth-howto/ar01s06.html.

At the point in chapter 6.2 where Jose advises to raise the scope of the ldap KDC database, all works fine.
(He starts out having ldap:ou=kerberos,dc=example,dc=com, and changes it to ldap:dc=example,dc=com because he stores kerberos only accounts (kadmin/admin, ldapmaster and the likes) in a different subtree than real people with real names (they go in ou=people,dc=example,dc=com). I like this approach, because it keeps the public tree clean.)

Anyways, after doing that, and starting
$ kadmin -l
> list *
I get nothing back.

My slapd server tells me that uidnumber=0+gidnumer=0,ou=kerberos,cn=peercred,cn=auth is looking with scope == 1.

Now, after digging in the heimdal code, I found that hdb-ldap.c indeed looks with LDAP_SCOPE_ONELEVEL inside LDAP__lookup_princ() and LDAP_firstkey().
Is there any reason for this, or might it be changed to LDAP_SCOPE_SUBTREE without breaking existing functionality?
(LDAP_SCOPE_SUBTREE according to www.openldap.org: search the object and all its descendants, LDAP_SCOPE_ONELEVEL: search the object's immediate children. So, as far as I can see, the change to LDAP_SCOPE_SUBTREE cannot do any harm.)
Are there other spots in the code that I might have missed (find . -type f | xargs grep ldap_search only yields hdb-ldap.c)?

Kindest regards,

(This mail was sent from my current employer's mail domain, although the company has nothing to do with my request. This request is purely private and expresses my personal thoughts.)