R
real attributes only control
The real attributes only control is a control that may be used
to request that the server only include real attributes in matching entries.
That is, virtual attributes are excluded from search result entry.
The real attributes only control has a request OID of 2.16.840.1.113730.3.4.17 and
no value.
In the following search, the numsubordinates virtual attribute is requested and returned:
$ ldapsearch -D "cn=directory manager" -w password -b "ou=people,dc=example,dc=com" \
-s base "objectclass=*" numsubordinates
version: 1
dn: ou=People,dc=example,dc=com
numSubordinates: 50
In the following search, the numsubordinates virtual attribute is requested but is not
returned because the real attributes only control is used:
$ ldapsearch -D "cn=directory manager" -w password -J "2.16.840.1.113730.3.4.17" \
-b "ou=people,dc=example,dc=com" -s base "objectclass=*" numsubordinates
version: 1
dn: ou=People,dc=example,dc=com
referential integrity
Referential integrity is a mechanism for ensuring that any references to an entry
are updated whenever that entry is removed or altered. Historically, referential integrity
is primarily used to ensure that attributes with a distinguished name syntax (especially group
membership attributes like member and uniqueMember) are properly maintained in the event
of delete operation and modify DN operation operations. For a delete operation, any references to
the target entry will be removed. For modify DN operations, any references
to the target entry will be renamed accordingly.
The directory server provides a configurable referential integrity plug-in that you can install
using the dsconfig command.
referral
A referral provides a reference to an alternate location in which an operation
may be processed. A referral may be included in an LDAP
result object with a result code of 10 and an appropriate set of
LDAP URLs. It may also be returned to clients in a
search result reference.
relative distinguished name
A relative distinguished name, or RDN, is a single component within a distinguished name.
It comprises one or more name-value pairs, in which the name and
the value are separated by an equal sign (for example, for an
RDN of uid=ann, the name is uid and the value is ann),
and if there are multiple name-value pairs then they should be separated by
plus signs (for example, for an RDN of cn=Jon Doe+employeeNumber=12345, the name-value pairs
are cn=John Doe and employeeNumber=12345). In practice, RDNs containing multiple name-value pairs (called
“multivalued RDNs”) are rare, but they can be useful at times when either
there is no unique attribute in the entry or you want to ensure
that the entry's DN contains some useful identifying information.
Even though a DN may be composed of multiple RDN components, the
leftmost component is typically referred to as the entry's RDN. For example,
in a DN of uid=john.doe,ou=People,dc=example,dc=com, the RDN would be uid=john.doe. The attribute values
specified in an entry's RDN must be contained in that entry, so the
entry uid=john.doe,ou=People,dc=example,dc=com must have a uid value of john.doe.
replica
A replica is a Directory Server instance that participates in replication.
replication
Replication is a form of data synchronization that is used to ensure that
changes in the directory environment are reflected in each instance of the server.
That is, whenever a change is made in one Directory Server
instance, that same change is also made in every other instance.
replication repair control
The replication repair control is a control that can be used to
resolve replication inconsistencies on a single server in a topology.
The replication repair control has a request OID of 1.3.6.1.4.1.26027.1.5.2 and no
value.
For an example of using the replication repair control, see Detecting and Resolving Replication Inconsistencies in Oracle Fusion Middleware Administration Guide for Oracle Unified Directory.
request for comments
A request for comments (RFC) is an IETF specification that has been
promoted from an Internet Draft and may be considered significantly more stable than drafts.
restore
A restore operation provides a mechanism for replacing the contents of a Directory
Server back end with information taken from a previous backup. It can
serve as a disaster recovery mechanism, and in some cases can be used
for binary copy initialization of a replica.
result
See LDAP result.
result code
A result code is an integer value that provides general information about the
result of the operation. Defined result codes include:
|
|
|
|---|
0 |
Success |
This is used to
indicate that the associated operation completed successfully. |
1 |
Operations Error |
This is used to
indicate that the associated request was out of sequence with another operation in
progress (for example, a non-bind request in the middle of a multi-stage SASL
bind). |
2 |
Protocol Error |
This is used to indicate that the client sent data to
the server that did not comprise a valid LDAP request. |
3 |
Time Limit Exceeded |
This is
used to indicate that processing on the associated request was terminated because it
took too long to complete. For a search operation, it is possible
that some of the matching entries had been returned when the time limit
was reached. |
4 |
Size Limit Exceeded |
This is used to indicate that there were more
entries matching the criteria contained in a search operation than were allowed to
be returned by the size limit configuration. |
5 |
Compare False |
This is used to indicate that
a compare operation completed successfully, but the provided attribute value assertion did not
match the target entry. |
6 |
Compare True |
This is used to indicate that a compare
operation completed successfully, and the provided attribute value assertion matched the target entry. |
7 |
Auth
Method Not Supported |
This is used to indicate that the Directory Server does
not support the requested authentication method. |
8 |
Strong Auth Required |
This is used to indicate that
the Directory Server requires that the client use a strong authentication mechanism. |
10 |
Referral |
This is
used to indicate that the requested operation could not be processed in the
target server but may be attempted in elsewhere. |
11 |
Admin Limit Exceeded |
This is used
to indicate that processing on the requested operation could not be completed because
an administrative limit was reached. For a search operation, it is possible
that some of the matching entries had been returned when the administrative limit
was reached. |
12 |
Unavailable Critical Extension |
This is used to indicate that the request included
a critical control that could not be processed by the server. |
13 |
Confidentiality Required |
This is
used to indicate that the requested operation requires a secure communication channel between
the client and the server. |
14 |
SASL Bind In Progress |
This is used to indicate
that a SASL bind operation requires multiple stages and the response containing this
result code is one of the intermediate stages. |
16 |
No Such Attribute |
This is used to
indicate that the associated request targeted an attribute or attribute value that does
not exist in the specified entry. |
17 |
Undefined Attribute Type |
This is used to indicate
that the associated request included an attribute type that is not defined in
the server schema. |
18 |
Inappropriate Matching |
This is used to indicate that the associated search
request included a filter with a component targeting an attribute type for which
no appropriate matching rule is defined. |
19 |
Constraint Violation |
This is used to indicate that the
requested operation could not be completed because it would have violated some constraint
defined in the server (for example, it would have duplicated a value for
a unique attribute). |
20 |
Attribute or Value Exists |
This is used to indicate that an
operation attempted to create an attribute value in an entry that already existed
in the entry, or that it attempted to create an additional value for
a single-valued attribute. |
21 |
Invalid Attribute Syntax |
This is used to indicate that requested operation
attempted to specify a value that violated the syntax for the associated attribute
type. |
32 |
No Such Object |
This is used to indicate that the requested operation targeted
an entry that does not exist in the server. |
33 |
Alias Problem |
This is used to
indicate that an operation targeted an alias entry and that operation is not
allowed on alias entries. |
34 |
Invalid DN Syntax |
This is used to indicate that the
requested operation included an entry DN that was malformed. |
35 |
Is Leaf |
This is used to
indicate that the requested operation targeted a leaf entry but the operation requires
a non-leaf entry. |
36 |
Alias Dereferencing Problem |
This is used to indicate that the associated
search operation encountered an alias that could not be properly dereferenced. |
48 |
Inappropriate Authentication |
This is
used to indicate that the client attempted to bind in a manner that
is inappropriate for the target user (for example, the user attempted simple authentication
but does not have a password). |
49 |
Invalid Credentials |
This is used to indicate that
the client attempted to authenticate with invalid credentials (for example, the target DN
or password was incorrect). |
50 |
Insufficient Access Rights |
This is used to indicate that the
client was not allowed to perform the requested operation. |
51 |
Busy |
This is used to indicate
that the server is too busy to process the requested operation. |
52 |
Unavailable |
This is used
to indicate that the server is unavailable for processing operations. |
53 |
Unwilling to Perform |
This is
used to indicate that the server is unwilling to perform the requested operation
for some reason. |
54 |
Loop Detect |
This is used to indicate that the server encountered
a loop of some type (for example, a chaining loop or an alias
loop). |
60 |
Sort Control Missing |
This is used to indicate that the client requested a
search operation containing the virtual list view control that did not also include
the server-side sort control. |
61 |
Offset Range Error |
This is used to indicate that the request
included a virtual list view control that specified an invalid offset (for example,
one that was beyond the end of the result set). |
64 |
Naming Violation |
This is used
to indicate that the operation attempted to create an entry with a DN
that violated a naming constraint (for example, using an RDN attribute that is
not allowed by the associated name form). |
65 |
Object Class Violation |
This is used to
indicate that the operation attempted to create or modify an entry so that
the set of attributes it contained were in violation of the associated object
class definitions (for example, it included an attribute that was not allowed or
was missing a required attribute). |
66 |
Not Allowed On Nonleaf |
This is used to indicate
that the associated operation was not allowed on non-leaf entries (for example, an
attempt to delete an entry that has one or more subordinate entries). |
67 |
Not Allowed
On RDN |
This is used to indicate that the associated operation is not
allowed on the RDN attribute for an entry. |
68 |
Entry Already Exists |
This is used to
indicate that the add or modify DN operation would have resulted in an
entry with a DN that already exists in the server. |
69 |
Object Class Mods
Prohibited |
This is used to indicate that the requested operation attempted to alter the
structural object class for the entry in a manner that was not
allowed. |
71 |
Affects Multiple DSAs |
This is used to indicate that the requested operation would
have impacted multiple servers (for example, a modify DN operation would have moved
an entry from one server to another through a chained back end). |
76 |
Virtual List
View Error |
This is used to indicate that the associated search operation could not
be completed successfully because a problem occurred while processing the virtual list view
request. |
80 |
Other |
This indicates that the operation failed for some reason that is not more
appropriately classified by any other defined result code. |
81 |
Server Down |
This is a client-side
result code that is used to indicate that the client detected that an
established connection was no longer available. |
82 |
Local Error |
This is a client-side result code
that is used to indicate that some client-side problem occurred that prevented it
from completing the associated processing successfully. |
83 |
Encoding Error |
This is a client-side result code that
is used to indicate that an error occurred while attempting to encode the
request to send to the server. |
84 |
Decoding Error |
This is a client-side result code
that is used to indicate that an error occurred while attempting to decode
the response received from the server. |
85 |
Timeout |
This is a client-side result code that
is used to indicate that the client did not receive a response in
an acceptable length of time. |
86 |
Authentication Type Unknown |
This is a client-side result code
that is used to indicate that the client does not support the requested
authentication method. |
87 |
Filter Error |
This is a client-side result code that is used to
indicate that a provided filter string could not be parsed as a valid
filter. |
88 |
User Canceled |
This is a client-side result code that is used to indicate
that the client canceled the request. |
89 |
Parameter Error |
This is a client-side result code that
is used to indicate that there was a problem with a parameter provided
for a request element. |
90 |
No Memory |
This is a client-side result code that is
used to indicate that the client ran out of memory while attempting to
process the requested operation (for example, while queueing the search result entries). |
91 |
Connect Error |
This
is a client-side result code that is used to indicate that the client
could not establish a connection to the target server. |
92 |
Not Supported |
This is a
client-side result code that is used to indicate that the requested operation is
not supported by the client. |
93 |
Control Not Found |
This is a client-side result code
that is used to indicate that a response did not include an expected
control. |
94 |
No Results Returned |
This is a client-side result code that is used to
indicate that the server did not return any results for a search request
when at least one was expected. |
95 |
More Results to Return |
This is a client-side result
code that is used to indicate that there are more results to return
than those that have already been retrieved. |
96 |
Client Loop |
This is a client-side result
code that is used to indicate that the client detected a referral loop. |
97 |
Referral
Limit Exceeded |
This is a client-side result code that is used to indicate
that the client received too many referrals in the course of processing a
request. |
100 |
Invalid Response |
This is a client-side result code that is used to indicate
that the result received for the associated operation is invalid. |
101 |
Ambiguous Response |
This is a
client-side result code that is used to indicate that the result received from
the server was ambiguous (for example, there was more than one response received
fro the associated operation). |
112 |
TLS Not Supported |
This is used to indicate that the
server does not support the StartTLS extended operation. |
113 |
Intermediate Response |
This result code is used
for intermediate response messages sent by the server in the course of processing
the request. |
114 |
Unknown Type |
This is used to indicate that the server received a
request with an invalid or unknown protocol op type. |
118 |
Canceled |
This is used to indicate
that the server canceled processing on the request at the request of the
client. |
119 |
No Such Operation |
This is used to indicate that the client attempted to
cancel a request that was unknown to the server (for example, because it
had already completed processing). |
120 |
Too Late |
This is used to indicate that the client attempted
to cancel a request that had already been processed beyond a point at
which it could no longer be canceled. |
121 |
Cannot Cancel |
This is used to indicate that
the client attempted to cancel an operation that could not be canceled (for
example, a bind, unbind, abandon, cancel, or StartTLS request). |
122 |
Assertion Failed |
This is used to
indicate that the associated operation was not processed because the request included an
LDAP assertion control with an assertion filter that did not match the target
entry. |
123 |
Authorization Denied |
This is used to indicate that the associated operation was not
processed because the request included a proxied authorization control but the client was not
allowed to use that control. |
|
root DN
A root DN (or root user) is a type of account that
exists in the Directory Server which is generally given full access to all
data in the server, much like the root user in UNIX systems.
Root users by default will be allowed to bypass access control evaluation, will
have full access to the server configuration, and perform most other types of
operations.
The directory server is different from most other servers with regard to root
users in two key ways:
-
The directory server can be configured with multiple root users. This is a good thing because it allows each root user to have a different set of credentials so that each administrator can have a separate root account that is independent from the others rather than a single account that is shared by all administrators.
-
All of the rights given to root users are assigned through privileges. Using the privilege subsystem, it is possible to create non-root users with some or all of the capabilities normally available only to root users. It is also possible to take away privileges from root users if so desired.
For more information on root users and the privilege subsystem, see the Chapter 6, Directory Server Root Users and the Privilege Subsystem, in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory
document.
root DSE
The root DSE is a special entry that provides information about the
contents and capabilities of the server. The distinguished name is a zero-length
string with no RDN components, also called the null DN.
The attribute contained in the root DSE include:
- namingContexts
Lists the naming context for the server
- supportedAuthPasswordSchemes
Lists the OID of the supported password storage schemes using the authentication password syntax
- supportedControl
Lists the OIDs of the supported controls in the server
- supportedExtension
Lists the OIDs of the supported extended operations in the server
- supportedFeatures
Lists the OIDs of the supported features in the server
- supportedSASLMechanisms
Lists the OIDs of the supported SASL mechanisms in the server
- vendorName
Provides the name of the vendor for the server
- vendorVersion
Provides a product version string
The following example demonstrates how to use the ldapsearch command to read the
root DSE. In this example the file /tmp/pwd.txt contains the Directory Manager password.
The server is listening for LDAP requests on port 1389.
$ ldapsearch -D "cn=Directory Manager" -j /tmp/pwd.txt -p 1389 -b "" \
-s base "(objectclass=*)" +
dn:
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.26027.1.6.1
supportedExtension: 1.3.6.1.4.1.26027.1.6.3
supportedExtension: 1.3.6.1.4.1.26027.1.6.2
supportedExtension: 1.3.6.1.1.8
supportedExtension: 1.3.6.1.4.1.1466.20037
vendorName: Oracle Corporation
entryDN:
ds-private-naming-contexts: cn=admin data
ds-private-naming-contexts: cn=ads-truststore
ds-private-naming-contexts: cn=backups
ds-private-naming-contexts: cn=config
ds-private-naming-contexts: cn=monitor
ds-private-naming-contexts: cn=schema
ds-private-naming-contexts: cn=tasks
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.3.6.1.1.12
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.26027.1.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.1.10.2
supportedControl: 1.3.6.1.4.1.7628.5.101.1
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.9
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
subschemaSubentry: cn=schema
hasSubordinates: true
entryUUID: d41d8cd9-8f00-3204-a980-0998ecf8427e
numSubordinates: 1
namingContexts: dc=example,dc=com
vendorVersion: Oracle Unified Directory 11.1.1.5.0
supportedAuthPasswordSchemes: MD5
supportedAuthPasswordSchemes: SHA1
supportedAuthPasswordSchemes: SHA256
supportedAuthPasswordSchemes: SHA384
supportedAuthPasswordSchemes: SHA512
For more information on how to search the root DSE entry, see
Using Advanced Search Features in Oracle Fusion Middleware Administration Guide for Oracle Unified Directory.
route
In proxy mode, the path on which requests are sent to the
remote LDAP server when using a load balancing algorithm.
