The result of a search or read operation involving an alias entry differs depending on whether or not you dereference the alias. Alias dereferencing is specified by the LDAP client. There are four possible settings for the alias dereference flag:
Never dereference alias
All operations apply to the entry with the given DN, even though the entry is an alias entry. This is the default setting.
Dereference alias when finding base object
The base object identifies the top of the subtree of entries to be searched. This setting means that if you specify an alias as the base object it will be dereferenced, but no other aliases encountered during the search are dereferenced.
Dereference alias when searching
If the operation is a search, alias entries encountered below the base object are dereferenced, but the base object itself is not. If an entry matched by the search is an alias, the entry it points to is returned, not the alias entry. This can give unexpected results for searches whose filter matches on attributes that also appear in the DN: the matching entry may be an alias that has been dereferenced, so the entry returned does not contain the value you searched for.
Always dereference alias
All alias entries specified or used in the operation are dereferenced.
For example, suppose your directory contains the following pair of entries:
    cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US
    with attributes:
        objectclass=orgPerson
        cn=Stan Smith
        telephoneNumber=123 456 7890
        mail=dtmail

    cn=personnel, o=XYZ, c=US
    with attributes:
        objectclass=alias
        objectclass=aliasObject
        cn=personnel
        aliasedObjectName="cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US"
With "dereference alias when searching", a subtree search of o=XYZ, c=US for cn=personnel that requests telephoneNumber returns Stan Smith's telephone number. With "never dereference alias", the search returns the alias entry itself, which has no telephoneNumber, so you see no telephone number at all.
Defining aliases for roles is particularly useful when the person occupying a role changes frequently (the duty network manager for out-of-hours calls, for example): users always query the same entry, and only the alias changes. The value of aliasedObjectName can be updated by a scheduled script that calls ldapmodify.
See the ldapsearch(1) man page for details of how to specify how alias dereferencing is used in ldapsearch.
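The following script is an added example, not code from the original page: it builds the ldapmodify change that repoints the cn=personnel alias at a new role holder, refuses targets outside ou=Personnel so a bad argument to the scheduled job cannot aim the alias at an arbitrary entry, and prints the ldapsearch command lines for checking the result under each dereference setting. The host name, the bind DN of the service account, the password file and the OpenLDAP-style command options (-H, -x, -D, -y, and -a never|always|search|find) are assumptions; adjust them to your directory and its ldapsearch(1) man page. The bind account should be allowed to write only aliasedObjectName on the alias entry, and the password file should be readable only by the user the job runs as.

```shell
#!/bin/sh
# Added example, not from the original page: rotate the target of the
# role alias "cn=personnel, o=XYZ, c=US" and show how to check the result
# with each ldapsearch dereference setting.
#
# Assumptions (placeholders, not from the page): the LDAP_HOST default, the
# BIND_DN service account, the BIND_PW_FILE password file, and OpenLDAP-style
# ldapmodify/ldapsearch options (-H, -x, -D, -y, -a never|always|search|find).

ALIAS_DN='cn=personnel, o=XYZ, c=US'
SEARCH_BASE='o=XYZ, c=US'
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
BIND_DN="${BIND_DN:-cn=alias-rotator, ou=Services, o=XYZ, c=US}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/alias-rotator.pw}"   # mode 0400, owned by the job's user

# Only targets under ou=Personnel are accepted, so a bad argument to the
# scheduled job cannot repoint the alias at an arbitrary entry.
target_allowed() {
    case $1 in
        *", ou=Personnel, o=XYZ, c=US") return 0 ;;
        *) return 1 ;;
    esac
}

# LDIF that replaces aliasedObjectName on the alias entry. "replace" is
# idempotent: rerunning after a failed job leaves exactly one value.
alias_modify_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: aliasedObjectName\naliasedObjectName: %s\n-\n' "$1" "$2"
}

# ldapsearch command line for one dereference setting (never|always|search|find).
# With "search" the alias under the base is followed and telephoneNumber comes
# back; with "never" the alias entry itself is returned and has none.
search_cmd() {
    printf 'ldapsearch -H ldap://%s -x -b "%s" -a %s "(cn=personnel)" telephoneNumber' \
        "$LDAP_HOST" "$SEARCH_BASE" "$1"
}

main() {
    new_target=$1
    if ! target_allowed "$new_target"; then
        echo "refusing target outside ou=Personnel: $new_target" >&2
        return 1
    fi
    ldif=$(alias_modify_ldif "$ALIAS_DN" "$new_target")
    if [ "${LDAP_APPLY:-0}" = 1 ]; then
        # Bind as the service account that may write only aliasedObjectName
        # on this entry; read the password from a file, never the command line.
        printf '%s\n' "$ldif" | ldapmodify -H "ldap://$LDAP_HOST" -x -D "$BIND_DN" -y "$BIND_PW_FILE"
    else
        # Dry run: show the change and the commands to verify it.
        printf '%s\n' "$ldif"
        echo "# verify with:"
        for d in never search always; do search_cmd "$d"; echo; done
    fi
}

# Run only when invoked with a target DN, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `LDAP_APPLY=1 ./rotate-alias.sh 'cn=Jane Doe, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US'` from the scheduler; without LDAP_APPLY it only prints the LDIF and the three ldapsearch commands, which is a convenient way to confirm that the "search" and "always" settings return the new holder's telephoneNumber while "never" returns the bare alias entry.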