Appendix A - LDAP - subentry

This note provides additional information about subentries (defined in RFC 3672 and referenced in RFC 4512 and RFC 4533).

A Directory Information Tree (DIT) consists of one or more Entries. Entries may be of three types: an object entry (the most common entry type), consisting of user data contained in attributes within objectClasses; an alias entry, having the objectClass alias with the single attribute aliasedObjectName; and a subentry, which is used to store administrative or operational data related (in some way) to its parent entry.

Subentries obey the normal entry rules but always use the STRUCTURAL objectClass subentry, which may be extended with a subordinate STRUCTURAL objectClass or, more frequently, with an AUXILIARY objectClass appropriate to the contents of the subentry.

subentry objectClass definition:

# from RFC 3672
( NAME 'subentry'
  MUST ( cn $ subtreeSpecification ) )

Subentries are only displayed by default using a base search scope (they will not be displayed using a one or sub search scope).

The LDAP subentries control may be used to control visibility of subentries and entries.

Subentry Usage Example

Subentries can be quite confusing (we find most things in LDAP confusing) unless you either know they are there or are otherwise expecting them. The confusion is not helped by documentation references to administrative and/or operational subentries which are not, technically, subentries (they do not have a STRUCTURAL objectClass of subentry).

To illustrate the usage of subentries the subschema subentry is examined. The subschema subentry is defined to be supported by all LDAPv3 compliant servers. Its DN may be discovered by reading the subschemaSubentry attribute from the rootDSE (using an anonymous read/search with a base DN of "" and search scope base). The subschema subentry is then read using the discovered DN as the base (a typical value obtained from subschemaSubentry is cn=subschema) with a search scope of base (it will not be displayed if a search scope of one or sub is used). The subschema subentry uses the STRUCTURAL objectClass of subentry (shown above) and has an AUXILIARY objectClass of subschema:

# from RFC 4512
( NAME 'subschema' AUXILIARY
  MAY ( dITStructureRules $ nameForms $ ditContentRules $
   objectClasses $ attributeTypes $ matchingRules $ ldapSyntaxes $ matchingRuleUse ) )

Note: The above definition includes the attribute ldapSyntaxes, which is typically present but which RFC 4512 only indicates may be present.

The search results will display the collections of all attributes, objectClasses, ldapSyntaxes and matching rules supported by the LDAP server. The resulting data, even in a modest LDAP server, will typically exceed 90K.
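Each objectClasses value returned by the subschema subentry is a description in the syntax of the two definitions quoted above. The following parser is an added example, not code from this guide or from any LDAP project; it goes slightly beyond the page's abbreviated forms by also accepting a leading OID, multiple names, DESC and SUP, and the SAMPLE string with its OID is constructed for illustration.

```python
import re
# Tokens of an RFC 4512 schema description: parentheses, '$', quoted strings, bare words.
TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
KINDS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY"}  # STRUCTURAL is the RFC 4512 default
FIELDS = {"NAME": "names", "SUP": "sup", "MUST": "must", "MAY": "may"}

def take_list(tokens, i):
    """Read a single value, or a parenthesised list, starting at tokens[i]."""
    if i < len(tokens) and tokens[i] != "(":
        return [tokens[i].strip("'")], i + 1
    items, i = [], i + 1
    while i < len(tokens) and tokens[i] != ")":
        if tokens[i] != "$":
            items.append(tokens[i].strip("'"))
        i += 1
    if i >= len(tokens):
        raise ValueError("missing value or unterminated list")
    return items, i + 1

def parse_object_class(text):
    """Parse one objectClass description into a dict of its parts."""
    tokens = TOKEN.findall(text)
    if len(tokens) < 2 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be enclosed in parentheses")
    body, i = tokens[1:-1], 0
    out = {"oid": None, "names": [], "sup": [], "kind": "STRUCTURAL", "must": [], "may": []}
    if body and re.fullmatch(r"\d+(\.\d+)+", body[0]):
        out["oid"], i = body[0], 1  # the abbreviated forms on this page omit the OID
    while i < len(body):
        word = body[i]
        if word in KINDS:
            out["kind"], i = word, i + 1
        elif word in FIELDS:
            out[FIELDS[word]], i = take_list(body, i + 1)
        elif word == "OBSOLETE":
            i += 1
        elif word == "DESC" or word.startswith("X-"):
            _, i = take_list(body, i + 1)  # description text and extensions are skipped
        else:
            raise ValueError(f"unexpected token {word!r}")
    return out
# The two definitions quoted on this page, plus a constructed full-form sample.
SUBENTRY = "( NAME 'subentry' MUST ( cn $ subtreeSpecification ) )"
SUBSCHEMA = ("( NAME 'subschema' AUXILIARY MAY ( dITStructureRules $ nameForms $ ditContentRules $ "
             "objectClasses $ attributeTypes $ matchingRules $ ldapSyntaxes $ matchingRuleUse ) )")
SAMPLE = ("( 1.3.6.1.4.1.99999.1 NAME ( 'exampleSub' 'exSub' ) DESC 'constructed sample' "
          "SUP subentry STRUCTURAL MAY description )")
for text in (SUBENTRY, SUBSCHEMA, SAMPLE):
    print(parse_object_class(text))
```

Run over the objectClasses values from a real server, the same function lists every class and the attributes it requires or allows, which shows what a client reading the subschema subentry can learn about the directory's data model.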

This work is licensed under a Creative Commons License.

Copyright © 1994 - 2018 ZyTrax, Inc.
Page modified: July 07 2017.