Hallvard B Furuseth wrote:
elecharny@apache.org writes:
ldapsearch -h localhost -p 10389 -D "uid=Admin,ou=system" -w secret -b "dc=example,dc=com" -s sub "(objectClass=*)" person
will return all of the entries' attributes, as if 'person' had been substituted by "*"
That is what RFC 4511 says. Section 4.5.1.8 (SearchRequest.attributes): "If an attribute description in the list is not recognized, it is ignored by the server." Ignoring "person" yields an empty list, which works like a "*".
I'm guessing that's not what it was intended to say though. RFC 1777 (LDAPv2) did not have it, so 'person' would work like '1.1' does now.
Well, RFC 4511 just states that if the attribute is unknown, then it is ignored, but says nothing about using '1.1' or '*'.
Ignoring the only attributes given by the user and substituting a '*' for them is a violation of user intent, IMHO (even if this user was wrong when selecting the attribute).
RFC 4511 authors didn't think of such a case, I guess ;)
Anyway, OpenLDAP behaves differently when the attribute is unknown (9.9.9) and when it is known by the server (at least, the OID is known, even if it's not an attribute object), when it should always return the same result: either '*' or '1.1'. This is not the case, and it's not consistent, whatever RFC 4511 says, or omits to say :).
Emmanuel
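To make the RFC 4511 reading in Hallvard's message and the consistency problem Emmanuel raises concrete, here is an added model (not Apache Directory or OpenLDAP code) of how a server resolves a SearchRequest attribute list, plus a check that flags the case where every requested description was dropped and the request silently widened to "*". The schema sets and the helper names are constructed for this illustration.

```python
"""Model of SearchRequest attribute-list resolution (RFC 4511 4.5.1.8).

Added illustration for the thread above; constructed sample schema,
not a real server's code or schema.
"""

# Constructed sample schema: attribute types the server recognises.
USER_ATTRS = {"cn", "sn", "uid", "mail", "objectClass"}
OPERATIONAL_ATTRS = {"createTimestamp", "modifyTimestamp", "entryUUID"}
# Names the server knows as schema elements that are NOT attribute types
# ('person' is an object class): the "known OID, wrong kind" case.
OBJECT_CLASSES = {"top", "person", "inetOrgPerson"}


def resolve_attribute_list(requested):
    """Return (attributes_to_return, ignored_descriptions).

    Rules: "*" = all user attributes and "1.1" = no attributes (RFC 4511);
    "+" = all operational attributes (RFC 3673); an unrecognised
    description is ignored; an empty list after ignoring means "*".
    """
    selected, ignored = set(), []
    for desc in requested:
        if desc == "*":
            selected |= USER_ATTRS
        elif desc == "+":
            selected |= OPERATIONAL_ATTRS
        elif desc == "1.1":
            pass  # explicit "nothing"; overridden by any other selector
        elif desc in USER_ATTRS or desc in OPERATIONAL_ATTRS:
            selected.add(desc)
        else:
            ignored.append(desc)  # 'person', '9.9.9', ... dropped silently
    effective = [d for d in requested if d not in ignored]
    if not effective:
        selected = set(USER_ATTRS)  # empty list behaves like "*"
    return sorted(selected), ignored


def silently_widened(requested, ignored):
    """True when the client asked for something, all of it was ignored,
    and the server therefore answered as if "*" had been sent."""
    return bool(requested) and len(ignored) == len(requested)


def classify_ignored(desc):
    """Distinguish a known non-attribute name from a truly unknown one,
    the two cases Emmanuel observes OpenLDAP treating differently."""
    return "known-non-attribute" if desc in OBJECT_CLASSES else "unknown"
```

A server or proxy that logs `silently_widened(...)` hits sees exactly the requests whose result set is far wider than the client asked for.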