LDAP root DSE attributes

LDAP clients, such as the NAMELookup/LDAP Gateway in Domino®, need to be able to determine special capabilities belonging to a given LDAP server. Once these capabilities are determined, LDAP clients can then decide whether to take advantage of them.

The NAMELookup/LDAP Gateway needs to be able to take advantage of the Domino® LDAP server's dominoAccessGroups capabilities. The LDAP server can now serve up new attributes in its root directory server entries (DSE) to directly support LDAP client detection of dominoAccessGroups capabilities.

Table 1. LDAP root DSE attributes

Attribute

Definition

ibm-enabledCapabilities
attributetypes:(
 1.3.18.0.2.4.2482
 NAME 'ibm-enabledCapabilities'
 DESC 'Lists capabilities that are enabled for use on this server'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 (directory string)
 NO-USER-MODIFICATION 
 USAGE directoryOperation
 )

This root DSE attribute conforms with the IBM® Tivoli® Directory Server capabilities schema. The possible values returned must be OIDs. The currently recognized values are:

  • 2.16.840.1.113678.2.2.2.2.1354 - Indicating the LDAP server is enabled to return dominoUNIDs
  • 2.16.840.1.113678.2.2.2.2.1355 - Indicating the LDAP server is enabled to return dominoAccessGroups

While these values are meant to be a subset of the ibm-supportedCapabilities values, these two are always enabled if they are supported.

ibm-supportedCapabilities
attributetypes:(
 1.3.18.0.2.4.2481
 NAME 'ibm-supportedCapabilities'
 DESC 'Lists capabilities supported, but not necessarily enabled by this server'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 (directory string)
 NO-USER-MODIFICATION 
 USAGE directoryOperation
 )

This root DSE attribute conforms with the IBM® Tivoli® Directory Server capabilities schema. The possible values returned must be OIDs. The currently recognized values are:

  • 2.16.840.1.113678.2.2.2.2.1354 - Indicating the LDAP server supports returning dominoUNIDs
  • 2.16.840.1.113678.2.2.2.2.1355 - Indicating the LDAP server supports returning dominoAccessGroups

dominoMajMinVersion
attributetypes:(
 2.16.840.1.113678.2.2.2.2.1356
 NAME 'dominoMajMinVersion'
 DESC 'mmnnq where mm=major version, nn=minor version, q=QMR version (80000 = 8.0.0)'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 (integer)
 SINGLE-VALUE
 NO-USER-MODIFICATION 
 USAGE directoryOperation
 )

Returns precise version information for the release of the Domino® server in the integer form mmnnq where:

  • mm=major version
  • nn=minor version
  • q=QMR version

dominoVersionNumber
attributetypes:(
 2.16.840.1.113678.2.2.2.2.1357
 NAME 'dominoVersionNumber'
 DESC 'The release of Domino the LDAP server is running on (see @Version,lotus.domino.Session::getNotesVersion)'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 (integer)
 SINGLE-VALUE
 NO-USER-MODIFICATION 
 USAGE directoryOperation
 )

Returns the release number of Domino® on which the Domino® LDAP server is running. See @Version in the Domino® Designer Programming Guide for the table that maps numbers returned by @Version to each Notes® and Domino® version.

Table 2. Other Domino® LDAP root DSE attributes

Attribute

Description

subschemaSubentry
attributetypes:(
 2.5.18.10
 NAME 'subschemaSubentry'
 EQUALITY distinguishedNameMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 SINGLE-VALUE
 NO-USER-MODIFICATION 
 USAGE directoryOperation
 )

(From [RFC4512] 4.2) The value of the 'subschemaSubentry' attribute is the name of the subschema (sub)entry holding the subschema controlling the entry.

The Domino® LDAP server returns:

  • cn=schema

namingContexts
attributetypes:(
 1.3.6.1.4.1.1466.101.120.5
 NAME 'namingContexts'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
 USAGE dSAOperation 
 )

(From [RFC4512] 5.1.2) The 'namingContexts' attribute lists the context prefixes of the naming contexts the server masters.

The Domino® LDAP server returns the empty string indicating the root of the DIT.

supportedExtension
attributetypes:(
 1.3.6.1.4.1.1466.101.120.7 
 NAME 'supportedExtension'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
 USAGE dSAOperation 
 )

(From [RFC4512] 5.1.4) The 'supportedExtension' attribute lists object identifiers identifying the extended operations [RFC4511] that the server supports.

The Domino® LDAP server returns these values:

  • 1.3.6.1.4.1.1466.20037 - Start TLS (See RFC 2830)
  • LanguageCodes

supportedSASLMechanisms
attributetypes:(
 1.3.6.1.4.1.1466.101.120.14
 NAME 'supportedSASLMechanisms'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 USAGE dSAOperation 
 )

(From [RFC4512] 5.1.7) The 'supportedSASLMechanisms' attribute lists the SASL mechanisms [RFC4422] that the server recognizes and/or supports [RFC4513].

The Domino® LDAP server returns this value:

  • EXTERNAL

supportedLDAPVersion
attributetypes:(
 1.3.6.1.4.1.1466.101.120.15
 NAME 'supportedLDAPVersion' 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 USAGE dSAOperation 
 )

(From [RFC4512] 5.1.6) The 'supportedLDAPVersion' attribute lists the versions of LDAP that the server supports.

The Domino® LDAP server returns these values:

  • 2
  • 3

vendorName
attributetypes:(
 1.3.6.1.1.4
 NAME 'vendorName'   
 EQUALITY 1.3.6.1.4.1.1466.109.114.1
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 SINGLE-VALUE
 NO-USER-MODIFICATION 
 USAGE dSAOperation 
 )

(From [RFC3045] 2.1) This attribute contains a single string that represents the name of the LDAP server implementer.

The Domino® LDAP server returns the value:

  • IBM® Software

vendorVersion
attributetypes:(
 1.3.6.1.1.5  
 NAME 'vendorVersion'
 EQUALITY 1.3.6.1.4.1.1466.109.114.1
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 SINGLE-VALUE
 NO-USER-MODIFICATION 
 USAGE dSAOperation 
 )

(From [RFC3045] 2.2) This attribute contains a string that represents the version of the LDAP server implementation.

The Domino® LDAP server returns a value similar to this:

  • Build V703_10102006
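
The client-side detection described on this page, as an added example (not IBM or Domino code): it parses a root DSE result in LDIF form and reports which of the capabilities listed in the tables above the server advertises. The function names and the sample entry are assumptions made for illustration; the OIDs and attribute names are the ones given on this page.

```python
# OIDs and attribute names are taken from the tables on this page.
CAP_DOMINO_UNIDS = "2.16.840.1.113678.2.2.2.2.1354"
CAP_DOMINO_ACCESS_GROUPS = "2.16.840.1.113678.2.2.2.2.1355"
EXT_START_TLS = "1.3.6.1.4.1.1466.20037"

# Constructed sample of a root DSE search result (not captured from a real server).
SAMPLE_ROOT_DSE = """\
dn:
ibm-supportedCapabilities: 2.16.840.1.113678.2.2.2.2.1354
ibm-supportedCapabilities: 2.16.840.1.113678.2.2.2.2.1355
ibm-enabledCapabilities: 2.16.840.1.113678.2.2.2.2.1354
ibm-enabledCapabilities: 2.16.840.1.113678.2.2.2.2.1355
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedSASLMechanisms: EXTERNAL
supportedLDAPVersion: 2
supportedLDAPVersion: 3
"""


def parse_ldif_entry(text):
    """Parse one simple LDIF entry into {lowercased attribute: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        # LDAP attribute names are case-insensitive, so normalise the key.
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def detect_capabilities(root_dse):
    """Report what the server advertises; absent attributes mean 'not available'."""
    enabled = set(root_dse.get("ibm-enabledcapabilities", []))
    supported = set(root_dse.get("ibm-supportedcapabilities", []))
    return {
        "access_groups_enabled": CAP_DOMINO_ACCESS_GROUPS in enabled,
        "access_groups_supported": CAP_DOMINO_ACCESS_GROUPS in supported,
        "unids_enabled": CAP_DOMINO_UNIDS in enabled,
        "start_tls": EXT_START_TLS in root_dse.get("supportedextension", []),
        "sasl": sorted(root_dse.get("supportedsaslmechanisms", [])),
        "ldap_versions": sorted(int(v) for v in root_dse.get("supportedldapversion", [])),
    }


if __name__ == "__main__":
    print(detect_capabilities(parse_ldif_entry(SAMPLE_ROOT_DSE)))
```

A client should key its behaviour on ibm-enabledCapabilities rather than ibm-supportedCapabilities, and treat a server that returns neither attribute as not offering dominoAccessGroups.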