Product/Component Concerned: eDirectory / LDAP
Target Audience: Beginners
Platform: All (Demonstrated on Linux)

What is RootDSE?

RootDSE stands for Root DSA (Directory Service Agent) Specific Entry; it is the root of the LDAP server's directory tree. It is a pseudo-object: an unnamed entry at the root of the tree that holds configuration information about the connected eDirectory server. Because the rootDSE is unnamed, an ordinary search against the eDirectory tree will not return it.

What information does the RootDSE contain?

The following list contains the most common information that a rootDSE holds.

  • The location of the schema
  • Supported Extensions
  • Supported Controls
  • Vendor name and version of the Server
  • The DSA Name of the server
  • Tree Name
  • Supported SASL Mechanisms
  • Versions of LDAP supported
  • LDAP server statistics (including the number of operations performed, the referral mechanism used, etc.)

How to get the information from the RootDSE?

All the above information can be read by doing a simple LDAP search against the RootDSE object using the following settings:

  • Set the search base to an empty string
  • Set the search filter to objectclass=* (which is the default filter of the ldapsearch tool)
  • Set the search scope to BASE

This can be done through the ldapsearch tool or even through a simple application written using any LDAP SDK.

So, the ldapsearch to do the RootDSE search would look like:

ldapsearch  -h <hostname>  -p <port number>  -b ""  -s base  "objectclass=*"

The following is the sample output of the RootDSE search:

subschemaSubentry: cn=schema 
supportedGroupingTypes: 2.16.840.1.113719.1.27.103.8 
namingContexts: 
supportedExtension: 2.16.840.1.113719.1.148.100.1 
supportedExtension: 2.16.840.1.113719.1.148.100.3 
supportedExtension: 2.16.840.1.113719.1.148.100.5 
supportedExtension: 2.16.840.1.113719.1.148.100.7 
supportedExtension: 2.16.840.1.113719.1.148.100.9 
supportedExtension: 2.16.840.1.113719.1.148.100.11 
supportedExtension: 2.16.840.1.113719.1.148.100.13 
supportedExtension: 2.16.840.1.113719.1.148.100.15 
supportedExtension: 2.16.840.1.113719.1.148.100.17 
supportedExtension: 2.16.840.1.113719.1.39.42.100.1 
supportedExtension: 2.16.840.1.113719.1.39.42.100.3 
supportedExtension: 2.16.840.1.113719.1.39.42.100.5 
supportedExtension: 2.16.840.1.113719.1.39.42.100.7 
supportedExtension: 2.16.840.1.113719.1.39.42.100.9 
supportedExtension: 2.16.840.1.113719.1.39.42.100.11 
supportedExtension: 2.16.840.1.113719.1.39.42.100.13 
supportedExtension: 2.16.840.1.113719.1.39.42.100.15 
supportedExtension: 2.16.840.1.113719.1.39.42.100.17 
supportedExtension: 2.16.840.1.113719.1.39.42.100.19 
supportedExtension: 2.16.840.1.113719.1.39.42.100.21 
supportedExtension: 2.16.840.1.113719.1.39.42.100.23 
supportedExtension: 2.16.840.1.113719.1.39.42.100.25 
supportedExtension: 2.16.840.1.113719.1.27.100.1 
supportedExtension: 2.16.840.1.113719.1.27.100.3 
supportedExtension: 2.16.840.1.113719.1.27.100.5 
supportedExtension: 2.16.840.1.113719.1.27.100.7 
supportedExtension: 2.16.840.1.113719.1.27.100.11 
supportedExtension: 2.16.840.1.113719.1.27.100.13 
supportedExtension: 2.16.840.1.113719.1.27.100.15 
supportedExtension: 2.16.840.1.113719.1.27.100.17 
supportedExtension: 2.16.840.1.113719.1.27.100.19 
supportedExtension: 2.16.840.1.113719.1.27.100.21 
supportedExtension: 2.16.840.1.113719.1.27.100.23 
supportedExtension: 2.16.840.1.113719.1.27.100.25 
supportedExtension: 2.16.840.1.113719.1.27.100.27 
supportedExtension: 2.16.840.1.113719.1.27.100.29 
supportedExtension: 2.16.840.1.113719.1.27.100.31 
supportedExtension: 2.16.840.1.113719.1.27.100.33 
supportedExtension: 2.16.840.1.113719.1.27.100.35 
supportedExtension: 2.16.840.1.113719.1.27.100.37 
supportedExtension: 2.16.840.1.113719.1.27.100.39 
supportedExtension: 2.16.840.1.113719.1.27.100.41 
supportedExtension: 2.16.840.1.113719.1.27.100.96 
supportedExtension: 2.16.840.1.113719.1.27.100.98 
supportedExtension: 2.16.840.1.113719.1.27.100.101 
supportedExtension: 2.16.840.1.113719.1.27.100.103 
supportedExtension: 2.16.840.1.113719.1.142.100.1 
supportedExtension: 2.16.840.1.113719.1.142.100.4 
supportedExtension: 2.16.840.1.113719.1.142.100.6 
supportedExtension: 2.16.840.1.113719.1.27.100.9 
supportedExtension: 2.16.840.1.113719.1.27.100.43 
supportedExtension: 2.16.840.1.113719.1.27.100.45 
supportedExtension: 2.16.840.1.113719.1.27.100.47 
supportedExtension: 2.16.840.1.113719.1.27.100.49 
supportedExtension: 2.16.840.1.113719.1.27.100.51 
supportedExtension: 2.16.840.1.113719.1.27.100.53 
supportedExtension: 2.16.840.1.113719.1.27.100.55 
supportedExtension: 1.3.6.1.4.1.1466.20037 
supportedExtension: 2.16.840.1.113719.1.27.100.79 
supportedExtension: 2.16.840.1.113719.1.27.100.84 
supportedExtension: 2.16.840.1.113719.1.27.103.1 
supportedExtension: 2.16.840.1.113719.1.27.103.2 
supportedControl: 2.16.840.1.113719.1.27.101.6 
supportedControl: 2.16.840.1.113719.1.27.101.5 
supportedControl: 1.2.840.113556.1.4.319 
supportedControl: 2.16.840.1.113730.3.4.3 
supportedControl: 2.16.840.1.113730.3.4.2 
supportedControl: 2.16.840.1.113719.1.27.103.7 
supportedControl: 2.16.840.1.113719.1.27.101.40 
supportedControl: 2.16.840.1.113719.1.27.101.41 
supportedSASLMechanisms: NMAS_LOGIN 
supportedLDAPVersion: 2 
supportedLDAPVersion: 3 
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 
supportedFeatures: 2.16.840.1.113719.1.27.99.1 
vendorName: Novell, Inc. 
vendorVersion: LDAP Agent for Novell eDirectory 8.8 SP6 (20601.12) 
dsaName: cn=PALSLES10,o=novell 
directoryTreeName: PALEVT 
outBytes: 95046447 
inBytes: 119500 
repUpdatesOut: 0 
repUpdatesIn: 0 
errors: 0 
securityErrors: 0 
chainings: 0 
referralsReturned: 0 
extendedOps: 1862 
abandonOps: 0 
wholeSubtreeSearchOps: 1862 
oneLevelSearchOps: 0 
searchOps: 1867 
listOps: 0 
modifyRDNOps: 0 
modifyEntryOps: 0 
removeEntryOps: 0 
addEntryOps: 0 
compareOps: 0 
readOps: 5 
inOps: 7466 
bindSecurityErrors: 0 
strongAuthBinds: 0 
simpleAuthBinds: 1869 
unAuthBinds: 1462 

The following details can be inferred from the above output:

  • Location of the schema: cn=schema (the subschema subentry). This entry can be given as the base of an LDAP search to read the schema.
  • Supported Extensions: listed in ASN.1 OID format. Each OID corresponds to a different extension (such as adding new replicas or refreshing the LDAP server).
  • Supported Controls: listed in ASN.1 OID format. Each OID corresponds to a different control (such as paged results or server-side sort).
  • Vendor name and version of the server: "Novell, Inc." is the vendor name; "LDAP Agent for Novell eDirectory 8.8 SP6 (20601.12)" is the version.
  • The DSA name of the server: cn=PALSLES10,o=novell
  • Tree Name: PALEVT
  • Supported SASL Mechanisms: NMAS_LOGIN
  • Versions of LDAP supported: 2 and 3
  • LDAP server statistics (including the number of operations performed, the referral mechanism used, etc.). Sample data:
      • searchOps: 1867 (the number of searches performed on the server)
      • simpleAuthBinds: 1869 (the number of authenticated binds performed on the server)
      • unAuthBinds: 1462 (the number of anonymous binds performed on the server)
      • chainings: 0 (chaining count)
      • referralsReturned: 0 (referral count)
      • extendedOps: 1862 (the number of extended operations performed on the server)
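The same reading of the output can be automated for a hardening review. The following is an added example, not part of the original article: it parses RootDSE output into a multi-valued entry, names a few OIDs from their standard registrations, and flags settings worth a closer look. `SAMPLE` is a constructed, trimmed copy of the output above, and the function names are hypothetical.

```python
from collections import defaultdict

# Standard OID registrations (not eDirectory-specific); 2.16.840.1.113719 is Novell's arc.
STARTTLS = "1.3.6.1.4.1.1466.20037"
KNOWN_OIDS = {
    STARTTLS: "StartTLS extended operation (RFC 4511)",
    "1.2.840.113556.1.4.319": "Simple Paged Results control (RFC 2696)",
    "2.16.840.1.113730.3.4.3": "Persistent Search control",
}
NOVELL_ARC = "2.16.840.1.113719."

# Constructed sample: trimmed from the RootDSE output shown in this article.
SAMPLE = """\
namingContexts:
supportedExtension: 2.16.840.1.113719.1.27.100.1
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 1.2.840.113556.1.4.319
supportedSASLMechanisms: NMAS_LOGIN
supportedLDAPVersion: 2
supportedLDAPVersion: 3
strongAuthBinds: 0
simpleAuthBinds: 1869
unAuthBinds: 1462
"""

def parse_rootdse(text):
    """Parse 'attr: value' lines into {attr_lowercase: [values]}; attributes repeat."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue  # skip blank lines and ldapsearch comment lines
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()].append(value.strip())
    return dict(entry)

def describe_oid(oid):
    default = "Novell-specific OID" if oid.startswith(NOVELL_ARC) else "unknown"
    return KNOWN_OIDS.get(oid, default)

def review(entry):
    """Return hardening observations derived only from RootDSE attributes."""
    n = lambda name: int(entry.get(name, ["0"])[0])
    checks = [
        (STARTTLS not in entry.get("supportedextension", []), "StartTLS not advertised"),
        ("2" in entry.get("supportedldapversion", []), "LDAPv2 still accepted"),
        (n("unauthbinds") > 0, "anonymous binds observed: %d" % n("unauthbinds")),
        (n("simpleauthbinds") > 0 and n("strongauthbinds") == 0, "all authenticated binds were simple binds"),
    ]
    return [msg for hit, msg in checks if hit]
```

Feed it the text captured from the ldapsearch command above, for example `review(parse_rootdse(output))`.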


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.


  • fpatterson says:

    iMonitor shows the server parameters under the pseudo server object. The attribute shows readable, but it doesn’t look like there is an LDAP extension for the attribute.

    Customer has implemented ARC. It would be nice to do an ldap search to see what server parameters are configured on the box for reporting purposes. This way we could have an easy report of what servers have ARC configured and what ones don’t.

    This would also be nice to have a tree wide iMonitor report for server parameters.

    Thanks,
    Fred

  • hvaughan says:

    The LDAP server statistics, as returned in a RootDSE search, are not reliable.

May 12, 2010
4:11 pm