LDAPv3 RootDSE Overview

SUMMARY

The root DSE is a standard entry (not an attribute) defined in the LDAPv3 specification. It contains information about the directory server, including its capabilities and configuration. A search of the root DSE returns a standard set of information defined in the following RFC:

RFC 2251 - Lightweight Directory Access Protocol (v3)
(RFC 2251 and RFC 2252 have since been obsoleted by RFC 4511 and RFC 4512, which carry the same root DSE definitions forward; the section numbers cited below are those of the original RFCs.)

MORE INFORMATION

The LDAP protocol assumes there are one or more servers that jointly provide access to a Directory Information Tree (DIT). At the root of the DIT is a DSA-specific Entry (DSE), which is not part of any naming context. Each server has its own attribute values in its root DSE. (DSA, Directory System Agent, is the X.500 term for the directory server.)

The root DSE can be retrieved from an LDAPv3 server by doing a base-scope search with an empty base DN and the filter (objectClass=*). The root DSE publishes information about the LDAP server, including which LDAP versions it supports, the SASL mechanisms it supports, the controls it supports, and the DN of its subschemaSubentry. In addition to server information, operational attributes may be exposed that allow extended administration functionality. Active Directory answers this search on an unauthenticated (anonymous) connection by default, so the root DSE is the first thing any LDAP client, scanner or attacker learns about a domain controller: naming contexts, host name, forest root and supported mechanisms are disclosed to anyone who can reach the LDAP port.

For more information on this LDAPv3 requirement, see Section 3.4 of RFC 2251. This document discusses the attributes exposed in the Active Directory root DSE.

Section 5.2 of RFC 2252 defines a set of root DSE attributes that should be published by LDAPv3 servers that support them. In addition, Section 3.4 of RFC 2251 adds subschemaSubentry, for a total of seven standard attributes published in the root DSE of an LDAPv3 server.

These core attributes are defined as follows (definitions as given in RFC 2251 and RFC 2252):

namingContexts - the naming contexts (directory partitions) this server masters or shadows; a client uses them to choose a search base.
subschemaSubentry - the DN of the subschema entry that holds the schema controlling this server's entries.
altServer - URLs of alternative servers that may be contacted if this server becomes unavailable.
supportedExtension - OIDs of the extended operations the server supports.
supportedControl - OIDs of the controls the server supports.
supportedSASLMechanisms - names of the SASL mechanisms the server supports for the bind operation.
supportedLDAPVersion - the LDAP protocol versions the server implements.

In addition, Active Directory supports the following 'informational' attributes (those that appear in the trace below):

currentTime - the current time on the domain controller, in generalized time format (UTC).
dsServiceName - the DN of the NTDS Settings object for this domain controller.
defaultNamingContext - the DN of the domain naming context of the domain this domain controller belongs to.
schemaNamingContext - the DN of the schema naming context.
configurationNamingContext - the DN of the configuration naming context.
rootDomainNamingContext - the DN of the naming context of the forest root domain.
supportedLDAPPolicies - the names of the LDAP administrative limits (query policy) the server enforces, such as MaxPageSize and MaxQueryDuration.
highestCommittedUSN - the highest update sequence number committed to this domain controller's database; useful for tracking replication.
dnsHostName - the DNS host name of the domain controller.
ldapServiceName - the Kerberos service name of the LDAP service, in the form forest-DNS-name:computer-name$@DOMAIN.
serverName - the DN of the domain controller's server object in the configuration naming context.
supportedCapabilities - OIDs identifying the server's capabilities; 1.2.840.113556.1.4.800 identifies an Active Directory server.

Below is a network trace of a search request to the domain lcdom.com. The domain controller is named rthomdc.lcdom.com. The transport layer and lower level protocols have been removed for clarity.

Search on RootDSE:

LDAP: ProtocolOp: SearchRequest (3)
    LDAP: MessageID
    LDAP: ProtocolOp = SearchRequest
        LDAP: Base Object = 
        LDAP: Scope = Base Object
        LDAP: Deref Aliases = Never Deref Aliases
        LDAP: Size Limit = No Limit
        LDAP: Time Limit = No Limit
        LDAP: Attrs Only = 0 (0x0)
        LDAP: Filter Type = Present
            LDAP: Attribute Type = objectClass

SearchResponse of RootDSE:

LDAP: ProtocolOp: SearchResponse (4)
    LDAP: MessageID
    LDAP: ProtocolOp = SearchResponse
        LDAP: Object Name = 
        LDAP: Attribute Type = currentTime
            LDAP: Attribute Value = 19990315231515.0Z
        LDAP: Attribute Type = subschemaSubentry
            LDAP: Attribute Value = CN=Aggregate,CN=Schema,CN=Configuration,DC=lcdom,DC=com
        LDAP: Attribute Type = dsServiceName
            LDAP: Attribute Value = CN=NTDS Settings,CN=RTHOMDC,CN=Servers,CN=Sites,CN=Configuration,DC=lcdom,DC=com
        LDAP: Attribute Type = namingContexts
            LDAP: Attribute Value = CN=Schema,CN=Configuration,DC=lcdom,DC=com
            LDAP: Attribute Value = CN=Configuration,DC=lcdom,DC=com
            LDAP: Attribute Value = DC=lcdom,DC=com
        LDAP: Attribute Type = defaultNamingContext
            LDAP: Attribute Value = DC=lcdom,DC=com
        LDAP: Attribute Type = schemaNamingContext
            LDAP: Attribute Value = CN=Schema,CN=Configuration,DC=lcdom,DC=com
        LDAP: Attribute Type = configurationNamingContext
            LDAP: Attribute Value = CN=Configuration,DC=lcdom,DC=com
        LDAP: Attribute Type = rootDomainNamingContext
            LDAP: Attribute Value = DC=lcdom,DC=com
        LDAP: Attribute Type = supportedControl
            LDAP: Attribute Value = 1.2.840.113556.1.4.319
            LDAP: Attribute Value = 1.2.840.113556.1.4.801
            LDAP: Attribute Value = 1.2.840.113556.1.4.473
            LDAP: Attribute Value = 1.2.840.113556.1.4.528
            LDAP: Attribute Value = 1.2.840.113556.1.4.417
            LDAP: Attribute Value = 1.2.840.113556.1.4.619
            LDAP: Attribute Value = 1.2.840.113556.1.4.841
            LDAP: Attribute Value = 1.2.840.113556.1.4.529
            LDAP: Attribute Value = 1.2.840.113556.1.4.805
            LDAP: Attribute Value = 1.2.840.113556.1.4.521
            LDAP: Attribute Value = 1.2.840.113556.1.4.970
            LDAP: Attribute Value = 1.2.840.113556.1.4.1338
            LDAP: Attribute Value = 1.2.840.113556.1.4.474
            LDAP: Attribute Value = 1.2.840.113556.1.4.1339
        LDAP: Attribute Type = supportedLDAPVersion
            LDAP: Attribute Value = 3
            LDAP: Attribute Value = 2
        LDAP: Attribute Type = supportedLDAPPolicies
            LDAP: Attribute Value = InitRecvTimeout
            LDAP: Attribute Value = MaxConnections
            LDAP: Attribute Value = MaxConnIdleTime
            LDAP: Attribute Value = MaxActiveQueries
            LDAP: Attribute Value = MaxNotificationPerConn
            LDAP: Attribute Value = MaxPageSize
            LDAP: Attribute Value = MaxQueryDuration
            LDAP: Attribute Value = MaxTempTableSize
            LDAP: Attribute Value = MaxResultSetSize
            LDAP: Attribute Value = MaxPoolThreads
            LDAP: Attribute Value = MaxDatagramRecv
        LDAP: Attribute Type = highestCommittedUSN
            LDAP: Attribute Value = 17878
        LDAP: Attribute Type = supportedSASLMechanisms
            LDAP: Attribute Value = GSSAPI
            LDAP: Attribute Value = GSS-SPNEGO
        LDAP: Attribute Type = dnsHostName
            LDAP: Attribute Value = RTHOMDC.lcdom.com
        LDAP: Attribute Type = ldapServiceName
            LDAP: Attribute Value = lcdom.com:RTHOMDC$@LCDOM.COM
        LDAP: Attribute Type = serverName
            LDAP: Attribute Value = CN=RTHOMDC,CN=Servers,CN=Sites,CN=Configuration,DC=lcdom,DC=com
        LDAP: Attribute Type = supportedCapabilities
            LDAP: Attribute Value = 1.2.840.113556.1.4.800
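The exchange in the trace above, together with the retrieval procedure described under MORE INFORMATION, as an added example that is not part of the original article: a Python 3 script, standard library only, that BER-encodes the same root DSE SearchRequest byte for byte (RFC 2251 mandates BER for LDAPMessage) and decodes a SearchResultEntry back into attributes. The values in SAMPLE_ROOTDSE are constructed from the trace, not captured from a live server, and the helper names (build_rootdse_search_request, parse_search_result_entry, supports_paged_results) are this example's own.

```python
"""Root DSE discovery on the wire: encode the base-scope SearchRequest from the
trace and decode a SearchResultEntry, using plain BER. No server required."""
from typing import Dict, List, Tuple

# Universal BER tags plus the LDAP application/context tags used here.
BOOLEAN, INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE, SET = 0x01, 0x02, 0x04, 0x0A, 0x30, 0x31
APP_SEARCH_REQUEST = 0x63        # [APPLICATION 3] constructed: SearchRequest
APP_SEARCH_RESULT_ENTRY = 0x64   # [APPLICATION 4] constructed: SearchResultEntry
FILTER_PRESENT = 0x87            # Filter CHOICE present [7], primitive: (attr=*)

PAGED_RESULTS_CONTROL = "1.2.840.113556.1.4.319"   # RFC 2696, listed in supportedControl
AD_CAPABILITY_OID = "1.2.840.113556.1.4.800"        # LDAP_CAP_ACTIVE_DIRECTORY_OID


def ber_length(n: int) -> bytes:
    """Definite length: short form below 128, long form (0x80 | count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(tag: int, n: int) -> bytes:
    """INTEGER/ENUMERATED with a minimal two's-complement body (non-negative n)."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_rootdse_search_request(message_id: int) -> bytes:
    """The request in the trace: empty base, base scope, (objectClass=*), no attrs."""
    search = (
        tlv(OCTET_STRING, b"")                 # baseObject "" selects the root DSE
        + ber_int(ENUMERATED, 0)               # scope: baseObject
        + ber_int(ENUMERATED, 0)               # derefAliases: neverDerefAliases
        + ber_int(INTEGER, 0)                  # sizeLimit 0 = no limit
        + ber_int(INTEGER, 0)                  # timeLimit 0 = no limit
        + tlv(BOOLEAN, b"\x00")                # typesOnly FALSE
        + tlv(FILTER_PRESENT, b"objectClass")  # present filter on objectClass
        + tlv(SEQUENCE, b"")                   # attributes: empty list
    )
    return tlv(SEQUENCE, ber_int(INTEGER, message_id) + tlv(APP_SEARCH_REQUEST, search))


def build_search_result_entry(message_id: int, dn: str, attrs: Dict[str, List[str]]) -> bytes:
    """Encode a SearchResultEntry as a server would; used here to make sample input."""
    partial = b"".join(
        tlv(SEQUENCE, tlv(OCTET_STRING, name.encode())
            + tlv(SET, b"".join(tlv(OCTET_STRING, v.encode()) for v in vals)))
        for name, vals in attrs.items()
    )
    entry = tlv(OCTET_STRING, dn.encode()) + tlv(SEQUENCE, partial)
    return tlv(SEQUENCE, ber_int(INTEGER, message_id) + tlv(APP_SEARCH_RESULT_ENTRY, entry))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos); rejects truncated and indefinite-length data."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def read_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_search_result_entry(msg: bytes) -> Tuple[int, str, Dict[str, List[str]]]:
    """Decode one LDAPMessage carrying a SearchResultEntry into (id, dn, attributes)."""
    tag, body, end = read_tlv(msg, 0)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    children = read_children(body)          # messageID, protocolOp, optional controls
    (id_tag, id_val), (op_tag, op_val) = children[0], children[1]
    if id_tag != INTEGER or op_tag != APP_SEARCH_RESULT_ENTRY:
        raise ValueError("not a SearchResultEntry")
    (_, dn), (_, attr_list) = read_children(op_val)
    attrs: Dict[str, List[str]] = {}
    for _, attr in read_children(attr_list):
        (_, atype), (_, vals) = read_children(attr)
        attrs[atype.decode()] = [v.decode() for _, v in read_children(vals)]
    return int.from_bytes(id_val, "big", signed=True), dn.decode(), attrs


def supports_paged_results(attrs: Dict[str, List[str]]) -> bool:
    return PAGED_RESULTS_CONTROL in attrs.get("supportedControl", [])


# Constructed sample holding a subset of the trace's values; not a real capture.
SAMPLE_ROOTDSE = {
    "defaultNamingContext": ["DC=lcdom,DC=com"],
    "supportedLDAPVersion": ["3", "2"],
    "supportedSASLMechanisms": ["GSSAPI", "GSS-SPNEGO"],
    "supportedControl": ["1.2.840.113556.1.4.319", "1.2.840.113556.1.4.801"],
    "supportedCapabilities": [AD_CAPABILITY_OID],
    "highestCommittedUSN": ["17878"],
}

if __name__ == "__main__":
    print("request:", build_rootdse_search_request(1).hex())
    mid, dn, attrs = parse_search_result_entry(build_search_result_entry(1, "", SAMPLE_ROOTDSE))
    print("reply:", mid, repr(dn), attrs)
    print("paged results supported:", supports_paged_results(attrs))
```

The request bytes are what a client writes to TCP port 389 before any bind; a domain controller answers them with the attributes shown in the trace. The same query with the OpenLDAP tools is ldapsearch -x -H ldap://<dc> -s base -b "" "(objectClass=*)" + (the trailing + asks for operational attributes, which some non-AD servers require before they return root DSE values).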

Source: Microsoft Knowledge Base article Q219005