HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3332, November 2013)
to update the cache with any new, modified, or deleted entries that were changed while it
was disconnected.
• An attacker could open a large number of persistent searches to launch a denial of service
attack.
• A persistent search requires leaving a TCP connection open between the Directory Server and
the client for as long as the search runs. This should only be done if the server is configured to
allow a large number of client connections and has a way to close idle connections.
An overview of persistent searches
The purpose of a persistent search is to provide a continuous list of changes to the directory entries
as well as the complete entries themselves, something like a hybrid of a search and a changelog.
Therefore, the search command must specify both which entries to return (the search parameters)
and which changes cause an entry to be returned (the entry change parameters).
The persistent search command sets the change information in three aspects:
• Whether to return all the currently matching entries, then update the cache with changed
entries or whether to only send changed entries which match the search parameters. This is
the changesOnly setting.
• What kinds of changes, such as adds or modifies, to entries are returned. This is the
changeType setting.
• Whether to display within the entry what kind of modification was performed. This is the
entryChanges setting.
The persistent search command, then, has the following format:
ldapsearch -r -C PS:changeType:changesOnly:entryChanges -b baseDN -s scope -D bindDN -w password -p port -h host (filter)
A persistent ldapsearch takes the normal ldapsearch options, such as the server connection
information and bind credentials.
Additionally, the -C argument and the PS: signal that this is a persistent search. The -r argument
is a recommended ldapsearch argument that prints the entries immediately to the screen as soon
as they enter the buffer; this prevents the search command from hanging.
The term changeType:changesOnly:entryChanges is what defines the entry change
parameters.
• The only required term is the changeType, which sets what kinds of changes are returned
in the persistent search. The possible values are add, modify, modrdn (for modRDN
operations), delete, and any.
• changesOnly is optional. If this value is true (1), then no entries are returned in the initial
search, and entries are only returned as they are modified. If it is false (0), then all matching
entries are returned in the initial search, and updated entries are sent after that. The default is
true.
• entryChanges is also optional. If this value is true (1), then the type of modification is
included in a changeType line in the returned entry. For example:
dn: uid=scarter,ou=People,dc=example,dc=com
persistentSearch-changetype: modify
If the value is false (0), then only the entry is returned, without the type of change being noted.
The default is true.
Running a persistent search
To run a persistent search, simply run an ldapsearch with the -C and -r arguments and the
change parameters for the search. If no bind credentials are given, the Directory Server is accessed
by the anonymous user.
ldapsearch -r -C PS:any:1:0 -b dc=example,dc=com objectclass=person
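As an added example, not taken from this guide or from the ldapsearch tool: a Python parser for the PS:changeType:changesOnly:entryChanges term with the defaults described above, paired with the BER encoding and decoding of the persistent search request control that ldapsearch -C sends to the server. The control OID and the change-type bit values (add=1, delete=2, modify=4, modrdn=8, any=15) are an assumption taken from the persistent search Internet-Draft the control follows; they are not stated on this page.

```python
# Added example, not from the HP-UX Directory Server guide or its ldapsearch: parse the
# PS:changeType:changesOnly:entryChanges term and build/inspect the BER value of the
# persistent search request control. Assumption (not on the page): the OID and the
# change-type bit values follow draft-ietf-ldapext-psearch.
from dataclasses import dataclass

PSEARCH_OID = "2.16.840.1.113730.3.4.3"
CHANGE_TYPES = {"add": 1, "delete": 2, "modify": 4, "modrdn": 8}
CHANGE_TYPES["any"] = sum(CHANGE_TYPES.values())  # 15: every change kind


@dataclass(frozen=True)
class PersistentSearchSpec:
    change_types: int     # bitmask over CHANGE_TYPES
    changes_only: bool    # true: skip the initial result set (guide default)
    entry_changes: bool   # true: ask for persistentSearch-changetype lines (guide default)

    def to_arg(self) -> str:
        """Render back into the ldapsearch -C form, e.g. 'PS:any:1:0'."""
        name = next((n for n, v in CHANGE_TYPES.items() if v == self.change_types), str(self.change_types))
        return f"PS:{name}:{int(self.changes_only)}:{int(self.entry_changes)}"


def parse_ps_spec(spec: str) -> PersistentSearchSpec:
    """Parse 'PS:changeType[:changesOnly[:entryChanges]]'; omitted flags default to true."""
    parts = spec.split(":")
    if not 2 <= len(parts) <= 4 or parts[0].upper() != "PS" or parts[1].lower() not in CHANGE_TYPES:
        raise ValueError(f"not a persistent search spec: {spec!r}")
    if any(flag not in ("0", "1") for flag in parts[2:]):
        raise ValueError(f"changesOnly/entryChanges must be 1 or 0 in {spec!r}")
    flags = [flag == "1" for flag in parts[2:]] + [True, True]  # pad with the guide's defaults
    return PersistentSearchSpec(CHANGE_TYPES[parts[1].lower()], flags[0], flags[1])


def _ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag, len(payload)]) + payload  # short-form length; every payload here is tiny


def encode_control_value(spec: PersistentSearchSpec) -> bytes:
    """PersistentSearch ::= SEQUENCE { changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN }"""
    body = (_ber(0x02, bytes([spec.change_types]))
            + _ber(0x01, b"\xff" if spec.changes_only else b"\x00")
            + _ber(0x01, b"\xff" if spec.entry_changes else b"\x00"))
    return _ber(0x30, body)


def decode_control_value(value: bytes) -> PersistentSearchSpec:
    """Inverse of encode_control_value, checking the fixed three-element SEQUENCE layout."""
    if len(value) != 11 or value[:4] != b"\x30\x09\x02\x01" or value[5:7] != b"\x01\x01" or value[8:10] != b"\x01\x01":
        raise ValueError("not a persistent search control value")
    return PersistentSearchSpec(value[4], value[7] != 0, value[10] != 0)
```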