Appendix A - LDAP - subentry
This note provides additional information about subentries (defined in RFC 3672 and referenced in RFC 4512 and RFC 4533).
A Directory Information Tree (DIT) consists of one or more Entries. Entries may be of three types; an object entry (the most common entry type) consisting of user data contained in attributes within objectClasses; an alias entry having the objectClass alias with the single attribute aliasedObjectName; a subentry which is used to store administrative or operational data related (in some way) to its parent entry.
Subentries obey the normal entry rules but always use the STRUCTURAL objectClass subentry which may be extended with a subordinate STRUCTURAL objectClass or more frequently with an AUXILLIARY objectClass appropriate to the contents of the subentry.
subentry objectClass definition:
# from RFC 3672
( 2.5.17.0 NAME 'subentry'
SUP top STRUCTURAL
MUST ( cn $ subtreeSpecification ) )
Subentries are only displayed by default using a base search scope (they will not be displayed using a one or sub search scope).
The LDAP subentries control (1.3.6.1.4.1.4203.1.10.1) may be used to control visibility of subentries and entries.
Subentry Usage Example
Subentries can be quite confusing (we find most things in LDAP confusing) unless you either know they are there or are otherwise expecting them. The confusion is not helped by documentation references to administrative and/or operational subentries which are not, technically, subentries (they do not have a STRUCTURAL objectClass of subentry).
To illustrate the usage of subentries the subschema subentry is examined. The subschema subentry is defined to be supported by all LDAPv3 compliant servers. Its DN may be discovered by reading the subschemaSubentry from the rootDSE (using an anonymous read/search with a base DN of "" and search scope base). The subschema subentry is read using the discovered DN (typical value obtained from subschemaSubentry is cn=subschema) as base with a search scope of base (it will not be displayed if a search scope of one or sub is used). The subschema subentry uses the STRUCTURAL objectclass of subentry (shown above) and has an AUXILIARY objectclass of subschema:
# from RFC 4512
( 2.5.20.1 NAME 'subschema' AUXILIARY
MAY ( dITStructureRules $ nameForms $ ditContentRules $
objectClasses $ attributeTypes $ matchingRules $ ldapSyntaxes $ matchingRuleUse ) )
Note: The above definition includes the attribute ldapSyntaxes which is typically present but which RFC 4512 only indicates may be present.
The search results will display the collections of all attributes, objectclasses, ldapSyntaxes and matching rules supported by the LDAP server. The resulting data, even in a modest LDAP server will typically exceed 90K.
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
