So The Direct Project strikes again. I'm no expert in LDAP, but I'm trying to set up a test environment since the standard requires any package to support getting certificates from LDAP as well as DNS CERT, regardless of which method is implemented by the package.
According to the documentation, the prescribed sequence of events (trimmed for relevance) from section "3.3.3 LDAP query":
* Discover the Base DNs
Branches in LDAP must be defined by a “Base DN”. The list of Base DNs that are
provided by a LDAP directory are found by doing a LDAP Query with a NULL (i.e.
“”) Base DN, and ObjectClass=”DN”.
* Query across the Base DN for entries where "Mail" contains the endpoint address
I'm trying to implement this process in php, using the ldap_* functions, but their way doesn't seem to work. Obviously, NULL is not the same as an empty string (the latter makes any call to ldap_search return a "No such object" error), and "DN" isn't a valid value for an ObjectClass attribute.
So, TL;DR, is there another way an anonymous remote user retrieve the (list of?) base DNs that I'm missing?
UPDATE: Reworded the title to reflect the root cause of my problem: Reading the rootDSE from PHP when the ldap_* api doesn't allow you to specify 'base' scope.
So another read through the docs answered my question for me.
Apparently, the only difference between ldap_search(), ldap_list(), and ldap_read() are the scopes (LDAP_SCOPE_SUBTREE (sub), LDAP_SCOPE_ONELEVEL (one), and LDAP_SCOPE_BASE (base), respectively). So using ldap_read() instead of the others will allow one to get the rootDSE.