Full_Name: SEAK T.F.
Version: 2.4.18
OS: Windows XP/7 & Ubuntu 9
URL:
Submission from: (NULL) (213.41.124.254)

Currently it is possible to create a DIT with an empty suffix and an empty DN for the root node! Side note: such a DIT can be used for redirection.
I've no idea what the LDAP standards state, but common sense tells me that a name-less node doesn't make sense. It's as meaningless as creating a name-less directory or name-less file.
So, when such incorrect parameters are supplied in the conf file, the OpenLDAP service should not start and should exit with an error.

This issue should be discussed on openldap-technical rather than on the ITS, and should focus on the latest release. In any case, OpenLDAP allows creating an object with an empty suffix for a specific technical reason, in two steps:
1) it allows the empty DN ("") to be used as the suffix of a database; the database cannot contain an entry with the empty DN, but it can contain immediate children of it.
2) in some versions, the database may technically contain an empty entry in order to store replication-related information (the contextCSN). I think this is now superseded by the use of a "cn=ldapsync" subentry of "" for this specific purpose.
In any case, this ITS will be closed.
p.
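
An added example, not from the report or from the OpenLDAP project: a small Python audit that parses a slapd.conf and lists each database's suffixes, so databases configured with the empty suffix discussed above can be found and reviewed. The sample configuration is constructed, and the parsing is a simplified reading of the slapd.conf syntax (assumed here: double-quoted arguments, `#` comment lines, leading-whitespace continuation lines).

```python
import shlex

# Constructed sample configuration (not taken from the report).
SAMPLE_CONF = '''\
# global section
include /etc/openldap/schema/core.schema

database bdb
suffix ""
directory /var/lib/ldap/root

database bdb
suffix
  "dc=example,dc=com"
directory /var/lib/ldap/example

database monitor
'''

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue                      # blank line
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def tokenize(line):
    """Split on whitespace; only double quotes group words, so "" is kept."""
    lex = shlex.shlex(line, posix=True)
    lex.quotes, lex.commenters, lex.whitespace_split = '"', '', True
    return list(lex)

def database_suffixes(text):
    """Return [(backend, [suffix, ...]), ...], one item per database section."""
    dbs = []
    for line in logical_lines(text):
        if line.startswith("#"):
            continue
        args = tokenize(line)
        if len(args) < 2:
            continue
        if args[0].lower() == "database":
            dbs.append((args[1], []))
        elif args[0].lower() == "suffix" and dbs:
            dbs[-1][1].append(args[1])
    return dbs

def empty_suffix_databases(text):
    """Indexes (in file order) of databases that declare suffix ""."""
    return [i for i, (_, sufs) in enumerate(database_suffixes(text)) if "" in sufs]
```
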