Root DSE

The root DSE is the entry at the top of the LDAP server directory information tree. All the namingcontexts (suffixes) in the LDAP server are directly below the root DSE. The root DSE contains information about the LDAP server, including the namingcontexts that are configured and the capabilities of the server.

The root DSE can be searched by specifying a zero-length base distinguished name. The search scope can be either base or subtree (the one-level scope is not supported).

Root DSE search with base scope

A root DSE search with base scope returns the contents of the root DSE. The root DSE attributes describe the LDAP server. The only search filter that is supported is objectclass=*. There is no access control checking for the root DSE, but an anonymous bind fails if allowAnonymousBinds off is specified in the LDAP server configuration file. The supportedcontrol, supportedextension, and namingcontexts attributes may contain values that are contributed by plug-in extensions that are configured in the LDAP server.

The following example uses the ldapsearch utility to request a base search of the root DSE and shows sample output for the search:

ldapsearch -h ldaphost -p ldapport -s base -b "" "objectclass=*"

Following is an example of the information that the LDAP server reports on a search of the root DSE. A subset of these values might appear in your root DSE based on the server configuration choices you have made.

vendorname=International Business Machines (IBM)
vendorversion=z/OS V2R1
ibmdirectoryversion=z/OS V2R1
ibm-serverid=Master
altserver=ldap://host2.ibm.com:999
subschemasubentry=cn=schema
supportedldapversion=2
supportedldapversion=3
supportedcontrol=1.3.18.0.2.10.20
supportedcontrol=2.16.840.1.113730.3.4.3
supportedcontrol=2.16.840.1.113730.3.4.2
supportedcontrol=1.3.18.0.2.10.10
supportedcontrol=1.3.18.0.2.10.11
supportedcontrol=1.3.18.0.2.10.15
supportedcontrol=1.3.18.0.2.10.18
supportedcontrol=1.3.18.0.2.10.19
supportedcontrol=1.2.840.113556.1.4.319
supportedcontrol=1.2.840.113556.1.4.473
supportedcontrol=1.3.18.0.2.10.2
supportedcontrol=1.3.6.1.4.1.42.2.27.8.5.1
supportedcontrol=1.3.18.0.2.10.23
supportedcontrol=1.3.18.0.2.10.27
supportedcontrol=1.3.18.0.2.10.24
supportedextension=1.3.6.1.4.1.1466.20037
supportedextension=1.3.18.0.2.12.62
supportedextension=1.3.18.0.2.12.48
supportedextension=1.3.18.0.2.12.82
supportedextension=1.3.18.0.2.12.75
supportedextension=1.3.18.0.2.12.58
supportedextension=1.3.18.0.2.12.37
supportedextension=1.3.18.0.2.12.15
supportedextension=1.3.18.0.2.12.16
supportedextension=1.3.18.0.2.12.17
supportedextension=1.3.18.0.2.12.19
supportedextension=1.3.18.0.2.12.54
supportedextension=1.3.18.0.2.12.56
namingcontexts=CN=CONFIGURATION
namingcontexts=CN=IBMPOLICIES
namingcontexts=CN=CHANGELOG
namingcontexts=CN=MYRACF
namingcontexts=O=IBM,C=US
namingcontexts=SECAUTHORITY=DEFAULT
ibm-supportedcapabilities=1.3.18.0.2.32.24
ibm-supportedcapabilities=1.3.18.0.2.32.26
ibm-supportedcapabilities=1.3.18.0.2.32.30
ibm-supportedcapabilities=1.3.18.0.2.32.28
ibm-supportedcapabilities=1.3.18.0.2.32.7
ibm-supportedcapabilities=1.3.18.0.2.32.98
ibm-supportedcapabilities=1.3.6.1.4.1.4203.1.5.1
ibm-supportedcapabilities=1.3.18.0.2.32.3
ibm-supportedcapabilities=1.3.18.0.2.32.33
ibm-supportedcapabilities=1.3.18.0.2.32.34
ibm-supportedcapabilities=1.3.18.0.2.32.31
ibm-supportedcapabilities=1.3.18.0.2.32.63
ibm-supportedcapabilities=1.3.18.0.2.32.17
ibm-supportedcapabilities=1.3.18.0.2.32.19
ibm-supportedcapabilities=1.3.18.0.2.32.5
ibm-supportedcapabilities=1.3.18.0.2.32.54
ibm-supportedcapabilities=1.3.18.0.2.32.57
ibm-supportedcapabilities=1.3.18.0.2.32.77
ibm-supportedcapabilities=1.3.18.0.2.32.88
ibm-supportedCapabilities=1.3.18.0.2.32.68
ibm-supportedcapabilities=1.3.18.0.2.32.94
ibm-supportedcapabilities=1.3.18.0.2.32.1
ibm-supportedcapabilities=1.3.18.0.2.32.29
ibm-supportedcapabilities=1.3.18.0.2.32.18
ibm-supportedcapabilities=1.3.18.0.2.32.44
ibm-supportedcapabilities=1.3.18.0.2.32.51
ibm-supportedcapabilities=1.3.18.0.2.32.52
ibm-supportedcapabilities=1.3.18.0.2.32.56
ibm-supportedcapabilities=1.3.18.0.2.32.65
ibm-supportedcapabilities=1.3.18.0.2.32.43
ibm-supportedcapabilities=1.3.18.0.2.32.2
ibm-supportedcapabilities=1.3.18.0.2.32.95
ibm-supportedcapabilities=1.3.18.0.2.32.6
ibm-supportedcapabilities=1.3.18.0.2.32.99
ibm-enabledcapabilities=1.3.18.0.2.32.24
ibm-enabledcapabilities=1.3.18.0.2.32.26
ibm-enabledcapabilities=1.3.18.0.2.32.7
ibm-enabledcapabilities=1.3.6.1.4.1.4203.1.5.1
ibm-enabledcapabilities=1.3.18.0.2.32.98
ibm-enabledcapabilities=1.3.18.0.2.32.3
ibm-enabledcapabilities=1.3.18.0.2.32.33
ibm-enabledcapabilities=1.3.18.0.2.32.34
ibm-enabledcapabilities=1.3.18.0.2.32.31
ibm-enabledcapabilities=1.3.18.0.2.32.56
ibm-enabledcapabilities=1.3.18.0.2.32.2
ibm-enabledcapabilities=1.3.18.0.2.32.5
ibm-enabledcapabilities=1.3.18.0.2.32.54
ibm-enabledcapabilities=1.3.18.0.2.32.57
ibm-enabledcapabilities=1.3.18.0.2.32.77
ibm-enabledcapabilities=1.3.18.0.2.32.88
ibm-enabledCapabilities=1.3.18.0.2.32.68
ibm-enabledcapabilities=1.3.18.0.2.32.28
ibm-enabledcapabilities=1.3.18.0.2.32.17
ibm-enabledcapabilities=1.3.18.0.2.32.94
ibm-enabledcapabilities=1.3.18.0.2.32.6
ibm-enabledcapabilities=1.3.18.0.2.32.1
ibm-enabledcapabilities=1.3.18.0.2.32.29
ibm-enabledcapabilities=1.3.18.0.2.32.18
ibm-enabledcapabilities=1.3.18.0.2.32.44
ibm-enabledcapabilities=1.3.18.0.2.32.51
ibm-enabledcapabilities=1.3.18.0.2.32.52
ibm-enabledcapabilities=1.3.18.0.2.32.65
ibm-enabledcapabilities=1.3.18.0.2.32.43
ibm-enabledcapabilities=1.3.18.0.2.32.95
ref=ldap://hostk.ibm.com:391
supportedsaslmechanisms=CRAM-MD5
supportedsaslmechanisms=DIGEST-MD5
supportedsaslmechanisms=EXTERNAL
ibm-sasldigestrealmname=MYHOST.IBM.COM
changelog=cn=changelog
firstchangenumber=24213
lastchangenumber=24322

Following are Object Identifiers (OIDs) for supported and enabled capabilities:

Table 1. Object Identifiers (OIDs) for supported and enabled capabilities
OID assigned	Short name	Description
1.3.6.1.4.1.4203.1.5.1	Retrieval of operational attributes	Indicates that this server supports the + attribute on search requests to return operational attributes.
1.3.18.0.2.32.1	Advanced replication	Identifies that this server supports advanced replication which includes subtree and cascading replication.
1.3.18.0.2.32.2	Entry Checksum	Indicates that this server supports the ibm-entryCheckSum and ibm-entryCheckSumOp operational attributes.
1.3.18.0.2.32.3	Entry UUID	Identifies that this server supports the ibm-entryuuid operational attribute.
1.3.18.0.2.32.5	Password policy	Indicates that this server supports password policies.
1.3.18.0.2.32.6	Sort by DN	Indicates that this server supports using the ibm-slapdDN attribute to sort by DN.
1.3.18.0.2.32.7	System restricted ACL support	Indicates that the server supports specification and evaluation of ACLs on system and restricted attributes.
1.3.18.0.2.32.17	Group search limits	Indicates that this server supports using groups to specify search size and time limits.
1.3.18.0.2.32.18	cn=ibmpolicies advanced replication subtree	Indicates that this server supports the replication of the cn=ibmpolicies subtree. This support is only available when advanced replication is configured.
1.3.18.0.2.32.19	Max age ChangeLog entries	Specifies that the server can retain changelog entries based on age.
1.3.18.0.2.32.24	Monitor operation counts	The server provides monitor operation counts for initiated and completed operation types.
1.3.18.0.2.32.26	Null-based subtree search	Indicates that the server supports null-based subtree search operations, which search all the LDBM, TDBM, and CDBM entries in the server.
1.3.18.0.2.32.28	TLS capabilities	Specifies that the server can perform Transport Layer Security (TLS).
1.3.18.0.2.32.29	Non-blocking advanced replication	Indicates that this server can ignore some errors that are received from a consumer (replica) server that would normally cause an update to be retransmitted periodically until a successful return code is received.
1.3.18.0.2.32.30	Kerberos capability	Specifies that the server can perform Kerberos authentication.
1.3.18.0.2.32.31	ibm-allMembers and ibm-allGroups operational attributes	Indicates that a backend supports searching on the ibm-allGroups and ibm-allMembers operational attributes. The members of a static, dynamic, or nested group can be obtained by performing a search on the ibm-allMembers operational attribute. The static, dynamic, and nested groups that a member DN belongs to can be obtained by performing a search on the ibm-allGroups operational attribute.
1.3.18.0.2.32.33	Modify DN (subtree move)	Indicates that a subtree can be moved to another subtree, within a backend. This move uses a new superior. It can also use a new RDN.
1.3.18.0.2.32.34	Modify DN (subtree rename)	Indicates that a subtree can be renamed. The DN of each entry under the subtree is also changed. This rename uses a new RDN but not a new superior.
1.3.18.0.2.32.43	Advanced replication configuration	Indicates that this server supports configuration of supplier servers in an advanced replication environment.
1.3.18.0.2.32.44	Global updates support	Indicates that this server supports the advanced replication of global updates using the replication topology in the cn=ibmpolicies subtree in the CDBM backend.
1.3.18.0.2.32.51	Advanced replication conflict resolution maximum entry size	Indicates that this server supports the ibm-slapdReplConflictMaxEntrySize attribute on a CDBM entry with an objectclass of ibm-slapdReplicationConfiguration. This attribute value indicates the maximum number of bytes that an entry can contain and still can be resent to a target server as a result of advanced replication conflict resolution.
1.3.18.0.2.32.52	Lost and found log	Indicates that this server supports the lost and found log for archiving replaced entries as a result of the advanced replication conflict resolution.
1.3.18.0.2.32.54	Password policy account lockout	Indicates that this server supports the password policy account lockout feature.
1.3.18.0.2.32.56	Updated ibm-entryCheckSumOp operational attribute calculation	Indicates that this server supports an updated algorithm for the checksum calculation of the ibm-entryCheckSumOp operational attribute.
1.3.18.0.2.32.57	LDAP password global start time	Indicates that the server supports the ibm-pwdPolicyStartTime attribute in the cn=pwdpolicy,cn=ibmpolicies entry.
1.3.18.0.2.32.63	Salted SHA (SSHA)	Indicates that this server supports the Salted SHA hashing of password values.
1.3.18.0.2.32.65	Filter replication	Identifies that this server supports filtered replication which allows only required entries and a subset of attributes to be replicated. This support is only available when advanced replication is configured.
1.3.18.0.2.32.68	Administrative roles	Indicates that this server allows administrative roles to be defined and used for administrative group members.
1.3.18.0.2.32.77	Multiple password policies	Indicates that this server allows multiple password policy entries to be defined and used.
1.3.18.0.2.32.88	Password policy max consecutive repeated characters	Indicates that this server supports password policies that restrict the maximum number of consecutive repeated characters in password values.
1.3.18.0.2.32.94	Fine grained timestamps	Indicates that this server supports advanced replication with fine grained timestamps that include microseconds.
1.3.18.0.2.32.95	ibm-replicationWaitOnDependency attribute replication	Indicates that this server supports the replication of the ibm-replicationWaitOnDependency attribute from the advanced replication agreement entry.
1.3.18.0.2.32.98	ACL filter support	Indicates that this server supports specifying a filter in the access control attributes to further control access to an object.
1.3.18.0.2.32.99	SHA-2 and Salted SHA-2 hashing	Indicates that this server supports SHA-2 and Salted SHA-2 hashing.

Root DSE search with subtree scope (Null-based subtree search)

A root DSE search with subtree scope returns all the entries that match the search filter in the LDBM, TDBM, and CDBM backends configured in the LDAP server. This search is commonly referred to as a null-based subtree search. Note that the search does not include the root DSE itself, the LDAP server schema entry, SDBM entries, and GDBM entries (change log records). Alias entries are not dereferenced during the search, they are processed like normal entries and returned if they match the search filter. Referral entries in LDBM, TDBM, and CDBM return referrals to the client. Any filter can be specified for the subtree search. A sorted root DSE search with subtree scope sorts the entire result set after all entries have been retrieved from the backends.

A null-based subtree is implemented as a series of searches to each LDBM, TDBM, and CDBM suffix. These individual searches are each limited by the time limit and size limit options specified in the LDAP server configuration file or in the requestor's group search limits. If a time limit or size limit is specified on the root DSE search request, then the individual searches are also limited by the amount of time remaining and the number of entries left to return when that individual search is started. See the descriptions of the sizeLimit and timeLimit options in Customizing the LDAP server configuration for more information. See Managing group search limits for more information about group search limits. Each individual LDBM, TDBM, and CDBM search is subject to the normal LDBM, TDBM, and CDBM access control checking.

The following example uses the ldapsearch utility to request a subtree search of the root DSE for entries that have a cn value that begins with ken and shows sample output for the search.

ldapsearch -h ldaphost -p ldapport -D binddn -w passwd -s sub -b "" "cn=ken*"

cn=ken,o=ldbm
objectclass=person
objectclass=top
cn=ken
sn=smith

cn=kenx,o=tdbm
objectclass=person
objectclass=top
cn=kenx
sn=jones