This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/47761 A recent change in schema parsing had the side effect of changing the behavior of rootdse so that now it does not return all attributes by default. Although this is more standards compliant it may break clients that are primarily tested against Active Directory. In FreeIPA we feel we need a way to change the behavior through a cn=config option so that we can return to the old behavior and return all attributes that were previously returned (but not things like modifyTimestamps and such).
Operational attributes are no longer returned by default in rootDSE searches. Verify by running ldapsearch ... -b "" -s base and check that operational attributes like supportedControl or namingContexts are not returned. To change the default behaviour, modify the rootDSE entry ("dn: ") with ldapmodify:

dn:
changetype: modify
add: nsslapd-return-default-opattr
nsslapd-return-default-opattr: namingContexts
nsslapd-return-default-opattr: supportedControl

Then repeat the above search.
[root@vm-idm-035 MMR_WINSYNC]# ldapsearch -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base
dn:
objectClass: top
defaultnamingcontext: dc=example,dc=com
dataversion: 020141120112723020141120112723
netscapemdsuffix: cn=ldap://dc=vm-idm-035,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=co
 m:1189

[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn:
changetype: modify
add:nsslapd-return-default-opattr
nsslapd-return-default-opattr: namingContexts
nsslapd-return-default-opattr:supportedControl
EOF
modifying entry ""

[root@vm-idm-035 MMR_WINSYNC]# ldapsearch -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: dc=passsync,dc=com
defaultnamingcontext: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4

supportedControl and namingContexts information is not shown by default. After adding the "nsslapd-return-default-opattr" attribute, the ldapsearch shows the values for supportedControl and namingContexts. Hence, marking the bug as Verified.

Build tested:
[root@vm-idm-035 MMR_WINSYNC]# rpm -qa 389-ds-base
389-ds-base-1.3.3.1-9.el7.x86_64
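As an added example (not code from this bug or from 389-ds), the check described in the two comments above, done offline: parse the LDIF that a rootDSE base search returns, report which of the operational attributes this bug names are absent, and emit the nsslapd-return-default-opattr modify LDIF that restores them. The sample search results, hostname and suffix are constructed to mirror the session above.

```python
import base64

# Constructed sample: a rootDSE base search before and after the fix, modelled
# on the ldapsearch sessions in this bug (hostname and suffix are made up).
ROOTDSE_BEFORE = """dn:
objectClass: top
defaultnamingcontext: dc=example,dc=com
netscapemdsuffix: cn=ldap://dc=ds1,dc=example,dc=co
 m:389
"""
ROOTDSE_AFTER = ROOTDSE_BEFORE + """namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]}; unfolds
    continuation lines (leading space) and decodes '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

# Operational attributes the bug names as missing by default; clients tested
# against Active Directory tend to assume these are always present.
EXPECTED_OPATTRS = ("namingContexts", "supportedControl")

def missing_opattrs(entry, expected=EXPECTED_OPATTRS):
    """Return the expected rootDSE attributes absent from a parsed entry."""
    return [a for a in expected if a.lower() not in entry]

def build_fix_ldif(missing):
    """LDIF for ldapmodify that adds each missing attribute to
    nsslapd-return-default-opattr on the rootDSE (empty DN), as in the bug."""
    if not missing:
        return ""
    lines = ["dn:", "changetype: modify", "add: nsslapd-return-default-opattr"]
    lines += [f"nsslapd-return-default-opattr: {a}" for a in missing]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    gaps = missing_opattrs(parse_ldif_entry(ROOTDSE_BEFORE))
    print("missing:", gaps)
    print(build_fix_ldif(gaps), end="")
```

Feed the real output of `ldapsearch -b "" -s base` into parse_ldif_entry to run the same check against a live server, and pipe the generated LDIF into ldapmodify as shown in the session above.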
Changed the bug summary since the feature is actually to deny all rootdse attributes by default. You need to explicitly request or modify this attribute "nsslapd-return-default-opattr" to view rootdse entries.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0416.html