Jay,

Thank you for your response.

Unfortunately, my previous example was not very descriptive. In fact, we serve .com, .ru and .su domains, so the example should look like:

cn=John,ou=People,dc=foo,dc=ru cn=Mary,ou=People,dc=bar,dc=su cn=Jack,ou=People,dc=baz,dc=com

so the lowest common subtree is empty.

Searching OpenLDAP with empty base DN won't give us much, because: - it is reserved for querying on different internal data, such as namingContexts (ldapsearch -h ldaphost -b "" -s base "(objectClass=*)" "namingContexts"); - OpenLDAP pays more attention to the notion of "base DN" than it would pay to just a textual DN suffix. For example, ldapsearch -b "dc=ru" -s sub gives me nothing, and I'm not sure this should be considered as misbehaviour, as "dc=ru" is not a registered base within OpenLDAP configurations, while "dc=foo,dc=ru" is. I.e., OpenLDAP draws a parallel between "base" as in "database" and "base" as "beginning".

Tell me please, what happens if we search Novell eDirectory with empty base and scope = sub? And could you please comment on the two alternate ways described in the previous post?

Thank you! Dimitri