Conversation

Contributor

Copilot AI commented Feb 10, 2026

Implementation Plan for RootDSE Support

Understanding the Issue

  • SSSD (System Security Services Daemon) is trying to query the LDAP server's RootDSE
  • RootDSE is a special LDAP entry with base DN of "" (empty string) and filter "(objectClass=*)"
  • Currently returns "No such object" (error 32)
  • Should return server capabilities information

Implementation Checklist

  • Add RootDSE search handler to LdapEngine.js
    • Create handler for empty base DN ("")
    • Return entry with proper attributes (objectClass, namingContexts, supportedLDAPVersion)
    • Ensure it's accessible without authentication (anonymous bind)
  • Implement LDAP attribute filtering for RootDSE
    • No attributes = return all attributes (default)
    • + = return operational attributes (namingContexts, supportedLDAPVersion)
    • * = return user attributes only (objectClass)
    • * with specific attributes = return user attributes + requested operational attributes (SSSD pattern)
    • Specific names = return only requested attributes
  • Create tests for RootDSE functionality
    • Test anonymous access to RootDSE
    • Verify returned attributes match spec
    • Test with actual ldapsearch command
    • Test attribute filtering with +, *, and specific attributes
    • Test SSSD's pattern: * with specific operational attributes
  • Manual verification with ldapsearch command
  • Run existing tests to ensure no regression
  • Code review and security check
Original prompt

This section details the original issue you should resolve

<issue_title>SSSD Log error</issue_title>
<issue_description>```
(2026-02-10 16:05:07): [be[default]] [sdap_get_rootdse_done] (0x0040): [RID#24] RootDSE could not be retrieved. Please check that anonymous access to RootDSE is allowed
```

According to Gemini, this can be fixed by implementing the RootDSE LDAP spec. Essentially, we currently return this:

```
root@base-test:~# LDAPTLS_REQCERT=allow ldapsearch -H ldaps://ldap -x -s base -b "" "(objectClass=*)" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: +
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
```

We should instead return something like this:

```
dn:
objectClass: top
namingContexts: dc=example,dc=com
supportedLDAPVersion: 3
```

In the above example, namingContexts should equal the value of $LDAP_BASE_DN. This would also enable support for complete SSSD autoconfig.</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>


Copilot AI changed the title from "[WIP] Fix SSSD log error with RootDSE LDAP spec" to "Implement RootDSE support per RFC 4512" on Feb 10, 2026
Copilot AI requested a review from runleveldev February 10, 2026 16:29
Contributor

@runleveldev runleveldev left a comment


@copilot create a test and confirm that using ldap attributes in a search (such as namingContexts and supportedLDAPVersion) still returns the attribute. In addition the special attribute "+" in a search should return all operational attributes. A standard search (attributes "*" requested) shouldn't return any operational attributes however.

Contributor Author

Copilot AI commented Feb 10, 2026

@copilot create a test and confirm that using ldap attributes in a search (such as namingContexts and supportedLDAPVersion) still returns the attribute. In addition the special attribute "+" in a search...

I've implemented attribute filtering for RootDSE searches and added comprehensive tests. The implementation now correctly handles:

  1. + selector - Returns operational attributes (namingContexts, supportedLDAPVersion) + objectClass
  2. * selector - Returns user attributes only (objectClass for RootDSE)
  3. Specific attributes - Returns only the requested attributes (e.g., namingContexts, supportedLDAPVersion)
  4. No attributes specified - Returns all attributes (default behavior)

All tests pass, including the new tests for attribute filtering. See commit ef55a6a.

Copilot AI changed the title from "Implement RootDSE support per RFC 4512" to "Implement RootDSE support with LDAP attribute filtering per RFC 4512" on Feb 10, 2026
Copilot AI requested a review from runleveldev February 10, 2026 18:29
Contributor

@runleveldev runleveldev left a comment


@copilot SSSD sends this request for RootDSE discovery, make sure it works:

debug: RootDSE Search - Filter: (objectclass=*), Scope: 0, Attributes: ["*","altServer","namingContexts","supportedControl","supportedExtension","supportedFeatures","supportedLDAPVersion","supportedSASLMechanisms","domainControllerFunctionality","defaultNamingContext","lastUSN","highestCommittedUSN"]

Contributor Author

Copilot AI commented Feb 10, 2026

@copilot SSSD sends this request for RootDSE discovery, make sure it works:

debug: RootDSE Search - Filter: (objectclass=*), Scope: 0, Attributes: ["*","altServer","namingContexts","supportedContr...

Fixed in commit 2f1efee. The RootDSE handler now correctly handles SSSD's request pattern where * is combined with specific operational attribute names. When this pattern is detected, it returns user attributes (objectClass) plus any specifically requested operational attributes that we support (namingContexts, supportedLDAPVersion).

Added a test case that verifies this SSSD scenario works correctly.
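As an added example (not the project's LdapEngine.js and not code from this PR), the following plain JavaScript shows the RootDSE entry and the attribute-selection rules described in the implementation plan and in the two comments above: no attribute list, a bare `+`, a bare `*`, `*` combined with named operational attributes (the SSSD discovery request), and named attributes only. It assumes the server publishes only the three attributes the PR names (objectClass, namingContexts, supportedLDAPVersion) and that `LDAP_BASE_DN` is passed in as `baseDn`. The `1.1` case (RFC 4511: return no attributes), `*` together with `+`, case-insensitive name matching, and silently ignoring unsupported names such as altServer are generalisations beyond what the page states. Returning objectClass for a bare `+` follows the comment above rather than a strict reading of RFC 3673, which defines `+` as selecting operational attributes.

```javascript
// Added example: RootDSE entry construction and attribute selection for the
// base-DN-"" search. Not the project's code; assumes only the three
// attributes named in the PR are published.

// objectClass is the only user attribute of this RootDSE; the other two are
// operational attributes (RFC 4512 section 5.1).
const ROOTDSE_USER_ATTRS = ['objectClass'];
const ROOTDSE_OPERATIONAL_ATTRS = ['namingContexts', 'supportedLDAPVersion'];

// Build the RootDSE entry. baseDn is the value the issue calls $LDAP_BASE_DN.
function buildRootDse(baseDn) {
  return {
    dn: '',
    attributes: {
      objectClass: ['top'],
      namingContexts: [baseDn],
      supportedLDAPVersion: ['3'],
    },
  };
}

// A RootDSE search is a baseObject search (scope 0) against the empty DN with
// a presence filter on objectClass. LDAP attribute names are case-insensitive,
// so SSSD's "(objectclass=*)" must match too.
function isRootDseSearch(baseDn, scope, filter) {
  return baseDn === '' && scope === 0 && /^\(objectclass=\*\)$/i.test(filter);
}

// Decide which attribute names to return for a requested attribute list.
//   []                       -> all attributes (default)
//   ['+']                    -> operational attributes plus objectClass (as in the PR)
//   ['*']                    -> user attributes only
//   ['*', 'namingContexts']  -> user attributes plus the named operational ones (SSSD)
//   ['namingContexts']       -> only the named attributes
// Assumed generalisations: '1.1' selects nothing, '*' with '+' selects
// everything, names match case-insensitively, unknown names are ignored.
function selectRootDseAttributes(requested) {
  const all = [...ROOTDSE_USER_ATTRS, ...ROOTDSE_OPERATIONAL_ATTRS];
  if (!requested || requested.length === 0) return all;

  const wantUser = requested.includes('*');
  const wantOperational = requested.includes('+');
  const named = requested.filter((a) => a !== '*' && a !== '+' && a !== '1.1');

  // Case-insensitive lookup of explicitly named attributes we actually have;
  // unsupported names such as altServer drop out here.
  const byName = named
    .map((n) => all.find((a) => a.toLowerCase() === n.toLowerCase()))
    .filter(Boolean);

  const selected = new Set(byName);
  if (wantUser) ROOTDSE_USER_ATTRS.forEach((a) => selected.add(a));
  if (wantOperational) {
    ROOTDSE_OPERATIONAL_ATTRS.forEach((a) => selected.add(a));
    ROOTDSE_USER_ATTRS.forEach((a) => selected.add(a)); // PR behaviour for bare '+'
  }
  // Emit in server order so the response is stable regardless of request order.
  return all.filter((a) => selected.has(a));
}

// Project the entry onto the selected attributes: this is what the search
// handler would send back for the RootDSE.
function answerRootDseSearch(baseDn, requested) {
  const entry = buildRootDse(baseDn);
  const attributes = {};
  for (const name of selectRootDseAttributes(requested)) {
    attributes[name] = entry.attributes[name];
  }
  return { dn: entry.dn, attributes };
}

// Constructed sample: the SSSD discovery request quoted in the review comment.
const SSSD_ROOTDSE_REQUEST = ['*', 'altServer', 'namingContexts', 'supportedControl',
  'supportedExtension', 'supportedFeatures', 'supportedLDAPVersion',
  'supportedSASLMechanisms', 'domainControllerFunctionality',
  'defaultNamingContext', 'lastUSN', 'highestCommittedUSN'];

if (isRootDseSearch('', 0, '(objectclass=*)')) {
  console.log(answerRootDseSearch('dc=example,dc=com', SSSD_ROOTDSE_REQUEST));
}
```

Running the block prints the entry SSSD expects: objectClass plus the two supported operational attributes, with the unsupported names from the request dropped rather than causing an error. The order of the result is fixed by the server, not by the request, which keeps tests deterministic.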

Copilot AI and others added 5 commits February 10, 2026 14:11
Co-authored-by: runleveldev <44057501+runleveldev@users.noreply.github.com>

fix: update package-lock.json
Co-authored-by: runleveldev <44057501+runleveldev@users.noreply.github.com>
Co-authored-by: runleveldev <44057501+runleveldev@users.noreply.github.com>
- Implement LDAP attribute filtering for RootDSE per RFC 4512
- Support '+' selector for operational attributes
- Support '*' selector for user attributes only
- Support specific attribute requests
- Add tests for all attribute filtering scenarios
- Work around ldapjs attribute filtering by modifying res.attributes list

Co-authored-by: runleveldev <44057501+runleveldev@users.noreply.github.com>
…al attributes

- Handle SSSD's RootDSE query pattern: * with specific operational attribute names
- When * is present with specific attributes, return user attributes + requested operational attributes
- Add test for SSSD scenario with ['*', 'namingContexts', 'supportedLDAPVersion', ...]
- Update documentation to reflect correct behavior
- All 11 engine tests pass

Co-authored-by: runleveldev <44057501+runleveldev@users.noreply.github.com>
@runleveldev runleveldev force-pushed the copilot/implement-rootdse-ldap-spec branch from 2f1efee to 1548c58 on February 10, 2026 19:12
Contributor

@runleveldev runleveldev left a comment


LGTM

@runleveldev runleveldev marked this pull request as ready for review February 10, 2026 19:30
@runleveldev runleveldev force-pushed the copilot/implement-rootdse-ldap-spec branch from 15ae273 to 1240650 on February 11, 2026 17:47
@anishapant21 anishapant21 merged commit 5102d83 into dev Feb 11, 2026
5 checks passed