A Directory Information Tree (DIT) consists of one or more Entries. Entries may be of three types; an object entry (the most common entry type) consisting of user data contained in attributes within objectClasses; an alias entry having the objectClass alias with the single attribute aliasedObjectName; a subentry which is used to store administrative or operational data related (in some way) to its parent entry.
Subentries obey the normal entry rules but always use the STRUCTURAL objectClass subentry which may be extended with a subordinate STRUCTURAL objectClass or more frequently with an AUXILLIARY objectClass appropriate to the contents of the subentry.
# from RFC 3672 ( 126.96.36.199 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )
Subentries are only displayed by default using a base search scope (they will not be displayed using a one or sub search scope).
The LDAP subentries control (188.8.131.52.4.1.4184.108.40.206) may be used to control visibility of subentries and entries.
Subentries can be quite confusing (we find most things in LDAP confusing) unless you either know they are there or are otherwise expecting them. The confusion is not helped by documentation references to administrative and/or operational subentries which are not, technically, subentries (they do not have a STRUCTURAL objectClass of subentry).
To illustrate the usage of subentries the subschema subentry is examined. The subschema subentry is defined to be supported by all LDAPv3 compliant servers. Its DN may be discovered by reading the subschemaSubentry from the rootDSE (using an anonymous read/search with a base DN of "" and search scope base). The subschema subentry is read using the discovered DN (typical value obtained from subschemaSubentry is cn=subschema) as base with a search scope of base (it will not be displayed if a search scope of one or sub is used). The subschema subentry uses the STRUCTURAL objectclass of subentry (shown above) and has an AUXILIARY objectclass of subschema:
# from RFC 4512 ( 220.127.116.11 NAME 'subschema' AUXILIARY MAY ( dITStructureRules $ nameForms $ ditContentRules $ objectClasses $ attributeTypes $ matchingRules $ ldapSyntaxes $ matchingRuleUse ) )
The search results will display the collections of all attributes, objectclasses, ldapSyntaxes and matching rules supported by the LDAP server. The resulting data, even in a modest LDAP server will typically exceed 90K.
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
3 ldap objects
4 install ldap
7 replica & refer
10 ldap api
14 ldap tools
notes & info
rfc's & x.500
This work is licensed under a Creative Commons License.
If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox