LDAP: The Subtree Delete Control


The LDAP directory information model describes a directory as an upside-down tree, much like a file system with a root, branches, and leaves. The root is known as the "suffix", "naming context", or "prefix". Modern, professional-quality directory servers can support more than one prefix or root, but that does not concern us here.

From time to time, operators, developers and administrators may need to delete a branch and all entries under it (if a branch needs to be moved instead, see Moving and Renaming Entries). This is accomplished with the subtree delete request control, whose OID is 1.2.840.113556.1.4.805 (the control originated with Active Directory, hence the Microsoft OID arc). To determine whether your directory server supports the control, query the root DSE for the supportedControl attribute and look for that OID among its values:

ldapsearch --hostname 0 --port 1389 \
 --searchScope base --baseDn '' '(&)' supportedControl | \
 perl -lane 'print if /1.2.840.113556.1.4.805/'
supportedControl: 1.2.840.113556.1.4.805

The same search using the old OpenLDAP ldapsearch client:

/usr/bin/ldapsearch -x -h 0 -p 1389 \
 -b '' -s base '(&)' supportedControl | \
 perl -lane 'print if /1.2.840.113556.1.4.805/'
supportedControl: 1.2.840.113556.1.4.805

For more information about the root DSE see “LDAP: The Root DSE”.

To demonstrate the use of the LDAP subtree delete control, create a branch using the following LDIF:

dn: ou=branch,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: branch

dn: cn=entry-1,ou=branch,dc=example,dc=com
objectClass: top
objectClass: person
cn: entry-1
sn: whatever

dn: cn=entry-2,ou=branch,dc=example,dc=com
objectClass: top
objectClass: person
cn: entry-2
sn: whatever

To delete the branch ou=branch,dc=example,dc=com and every entry underneath it, use the following command:

#
# Verify the test branch is in place. The '1.1' in the
# attribute list is the special value defined in RFC 4511
# for "no attributes"; it can never be the OID of a real
# attribute, so only the DNs are returned:
#
ldapsearch --hostname localhost --port 1389 \
 --baseDn ou=branch,dc=example,dc=com \
 --searchScope one '(objectClass=*)' 1.1
dn: cn=entry-1,ou=branch,dc=example,dc=com

dn: cn=entry-2,ou=branch,dc=example,dc=com
#
ldapdelete --bindDn 'cn=directory manager' \
 --bindPassword password --hostname localhost \
 --port 1389 --deleteSubtree ou=branch,dc=example,dc=com
Processing DELETE request for ou=branch,dc=example,dc=com
DELETE operation successful for DN ou=branch,dc=example,dc=com
#
# alternatively, attach the control by OID. Mark it critical if
# the tool lets you: per RFC 4511 a server that does not support
# a non-critical control silently ignores it, and the delete then
# fails with notAllowedOnNonLeaf (66) instead of telling you why.
#
ldapdelete --bindDn 'cn=directory manager' --bindPassword password \
 --hostname localhost --port 1389 \
 --control 1.2.840.113556.1.4.805 ou=branch,dc=example,dc=com
Processing DELETE request for ou=branch,dc=example,dc=com
DELETE operation successful for DN ou=branch,dc=example,dc=com

Check that the entry is gone:

ldapsearch --hostname localhost --port 1389 \
 --baseDn ou=branch,dc=example,dc=com \
 --searchScope base '(objectClass=*)' 1.1
The search base entry 'ou=branch,dc=example,dc=com' does not exist
Result Code:  32 (No Such Entry)
Diagnostic Message:  The search base entry 'ou=branch,dc=example,dc=com' does not exist
Matched DN:  dc=example,dc=com

The old OpenLDAP client offers a similar-looking option, but its -r flag is implemented on the client side: the tool searches for the subordinates of the entry and deletes them one at a time, leaves first. That is one delete operation per entry, which is much less efficient than the single request made with the subtree delete control, and it is not atomic: if one delete fails part way through (for example, because the bind DN lacks permission on a child), the branch is left partially deleted. Because the control lets a single request remove an entire branch, check your server's access control configuration for which bind DNs may use the control's OID before relying on it in production.

/usr/bin/ldapdelete -r \
 -D 'cn=directory manager' -w password \
 -h localhost -p 1389 \
 ou=branch,dc=example,dc=com
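To make the difference between the two approaches concrete, here is an added example that is not part of the original post or of LdapTreeDelete.java: a small in-memory model of a directory server's delete handling, with the root DSE check, the subtree delete control (including what happens to a critical versus a non-critical control on a server that lacks support), and a client-side recursive delete of the kind ldapdelete -r performs. The Directory class, the result-code handling and the sample tree are constructed for the example; DNs are assumed to be simple comma-separated RDNs with no escaped commas.

```python
"""In-memory model of delete semantics with and without the LDAP subtree
delete request control. Added example; nothing here talks to a real server.
Assumptions: simple DNs without escaped commas, and a server that either
implements the control fully or not at all."""

SUBTREE_DELETE_OID = "1.2.840.113556.1.4.805"

# LDAP result codes (RFC 4511, section 4.1.9)
SUCCESS = 0
UNAVAILABLE_CRITICAL_EXTENSION = 12
NO_SUCH_OBJECT = 32
NOT_ALLOWED_ON_NON_LEAF = 66


def normalize_dn(dn):
    """Trim whitespace around RDNs and lowercase (simplified DN matching)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


class Directory:
    """Tiny stand-in for a directory server backend (constructed for the example)."""

    def __init__(self, dns, supports_subtree_delete=True):
        self.entries = {normalize_dn(dn) for dn in dns}
        self.supports_subtree_delete = supports_subtree_delete
        self.ops = 0  # delete operations received, to compare the approaches

    def supported_controls(self):
        """What a root DSE search for supportedControl would advertise."""
        return {SUBTREE_DELETE_OID} if self.supports_subtree_delete else set()

    def children(self, base):
        """Immediate subordinates: a one-level search with (objectClass=*)."""
        base = normalize_dn(base)
        return sorted(e for e in self.entries if e.split(",", 1)[1:] == [base])

    def delete(self, dn, controls=()):
        """Handle one DelRequest. `controls` holds (oid, criticality) pairs."""
        self.ops += 1
        dn = normalize_dn(dn)
        if dn not in self.entries:
            return NO_SUCH_OBJECT
        subtree = False
        for oid, critical in controls:
            if oid == SUBTREE_DELETE_OID and self.supports_subtree_delete:
                subtree = True
            elif critical:
                # RFC 4511 4.1.11: an unsupported critical control fails the
                # operation; an unsupported non-critical one is ignored.
                return UNAVAILABLE_CRITICAL_EXTENSION
        descendants = [e for e in self.entries if e.endswith("," + dn)]
        if descendants and not subtree:
            return NOT_ALLOWED_ON_NON_LEAF
        for e in descendants:
            self.entries.discard(e)
        self.entries.discard(dn)
        return SUCCESS


def delete_with_control(server, base, critical=True):
    """One request: a DelRequest carrying the subtree delete control."""
    return server.delete(base, controls=[(SUBTREE_DELETE_OID, critical)])


def delete_recursively(server, base):
    """Client-side emulation of `ldapdelete -r`: children first, one operation
    per entry. Stops at the first failure, which leaves the branch half-deleted."""
    for child in server.children(base):
        rc = delete_recursively(server, child)
        if rc != SUCCESS:
            return rc
    return server.delete(base)


def delete_tree(server, base):
    """What a careful client does: check the root DSE, use the control when it
    is advertised, otherwise fall back to the recursive approach."""
    if SUBTREE_DELETE_OID in server.supported_controls():
        return delete_with_control(server, base)
    return delete_recursively(server, base)


# The branch from the post's LDIF, under a constructed base entry.
BRANCH = [
    "ou=branch,dc=example,dc=com",
    "cn=entry-1,ou=branch,dc=example,dc=com",
    "cn=entry-2,ou=branch,dc=example,dc=com",
]


def make_server(supports_subtree_delete=True):
    return Directory(["dc=example,dc=com"] + BRANCH, supports_subtree_delete)


if __name__ == "__main__":
    s = make_server()
    print("plain delete of a non-leaf:", s.delete("ou=branch,dc=example,dc=com"))
    print("with control:", delete_with_control(s, "ou=branch,dc=example,dc=com"),
          "ops:", s.ops, "remaining:", sorted(s.entries))
    s = make_server(supports_subtree_delete=False)
    print("fallback:", delete_tree(s, "ou=branch,dc=example,dc=com"),
          "ops:", s.ops, "remaining:", sorted(s.entries))
```

Run it and compare the operation counts: the control removes the three-entry branch in one request, the fallback needs three, and on a server without support a non-critical control is silently dropped so the delete fails with code 66, while a critical one fails with code 12 and tells you why.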

For a complex, stand-alone example, see LdapTreeDelete.java. This class demonstrates:

  • how to construct a stand-alone client using the UnboundID LDAP SDK
  • how to use the tree delete request control


About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in computing, Java, LDAP.
