> Date: Fri, 10 Feb 2006 12:05:52 -0700
> From: Richard Megginson <rmeggins at redhat.com>
>
> Glenn W. Bach wrote:
>
>>>> I'm replacing an ldap server with Fedora Directory. The old one
>>>> allows searches with the base dn empty. Is there a way to allow
>>>> searches with a blank base dn in Fedora Directory?
>>>>
>>> I'm assuming you mean the ability to perform a subtree search with a
>>> base dn of "". No, you cannot do this with Fedora DS. What is your
>>> old directory server? Does it do this by default or do you have to
>>> configure it to do so?
>>>
>> Yes, -b ''
>>
>> We are actually replacing an Exchange 5.5 system that is pretending to
>> be an ldap server. The unfortunate thing is that hundreds of users
>> have their base dn blank, which is something Exchange can apparently
>> deal with. I am not sure if it had to be specifically configured to
>> allow this.
>>
>
> No, that explains it.
>
>> So the bottom line sounds like we need to touch several hundred
>> desktops if we want to transition away from Exchange. Sigh...
>>
>
> Perhaps not. OpenLDAP has the ability to act as an LDAP proxy and
> rewrite the base DN. I'm not sure how to do this, but probably someone
> on the openldap lists would know.
>

OpenLDAP has a more relevant solution here: you can set a
defaultsearchbase on slapd that is used when a search request comes in
with an empty baseDN and non-base scope. This feature exists in OpenLDAP
precisely because of all those misconfigured clients in the world.

> Alternately, you could write a plug-in (datainterop) that maps incoming
> requests for base "" and sub scope to your real suffix.
>

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/