I'd like some help with understanding the detailed operation of mcp servers. For background, I have a high level understanding of the mcp concept: since the "host" LLM only "understands" text natural language, I assume that an mcp server must comprise some text that is injected into the context window at the beginning of a session. This I assume tells the LLM what the mcp server does, and also must define some special text markers (or some other kind of special tokens) that ends up being forwarded to the mcp server in order to invoke one of its methods. I suppose there must also be some mechanism to define the schema for mcp server response data, so the LLM understands what it means. Assuming that high level understanding is roughly correct, I am intrigued to see the actual code for an mcp server, in order to identify all these component pieces in a concrete implementation. To that end I found the current project, which is an MCP server for the management of LDAP servers. This suits my purpose because I already have a very good understanding of LDAP server management, so there is no element of confusion about that aspect. Where I need help however is that after reviewing the source files in the current project for a while, I have been unable to find "the meat" so to speak. I see code that constitutes essentially a data access layer for LDAP severs. I see many print statements with text, but it is text prompting the user, not the LLM. I have not yet found where the MCP server instructs the LLM how to use it, nor where the supposed special tokens that allow the LLM to drive the MCP server is located. Please help me understand more, and if you can please locate these "missing" components of the MCP server.
The user is asking about how MCP (Model Context Protocol) servers work at a technical level. They have a conceptual understanding but are looking for the concrete implementation details in this specific LDAP MCP server project.
Let me first explore the codebase to understand its structure and find the key MCP components. The user is specifically looking for: 1. Where the LLM is instructed how to use the MCP server (tool definitions/schemas) 2. The communication mechanism between LLM and MCP server 3. How responses are structured
Let me start by exploring the project structure to understand what we're working with.
This is a great question! Your conceptual understanding has some good intuitions but also some misconceptions worth clarifying. Let me explore this codebase and explain how MCP actually works.
{
"prompt": "Explore this LDAP MCP server codebase to understand its structure. I need to find:\n1. The main entry point for the MCP server\n2. Where tools are defined/registered\n3. How the MCP protocol communication is handled\n4. Any schema definitions for tools\n\nLook for files like index.ts, server.ts, or anything related to MCP protocol handling. Provide a summary of the key files and their purposes.",
"subagent_type": "Explore"
}[
{
"type": "text",
"text": "Perfect! Now I have a comprehensive understanding. Let me create a summary document:\n\n## LDAP MCP Server Codebase Structure Summary\n\nBased on my exploration of the LDAP Assistant MCP server codebase, here's a comprehensive overview:\n\n### 1. Main Entry Point\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/src/main.py`\n\nThis is the primary entry point for the MCP server. It:\n- Defines a `SERVER_REGISTRY` with two supported providers: `dirsrv` (389 Directory Server) and `openldap`\n- Provides the `create_server()` function as the canonical entry point for `fastmcp.json`\n- Allows selection of provider via `LDAP_PROVIDER` environment variable or function parameter\n- Returns an instance of `LDAPAssistantMCP` subclass (either `DirSrvMCP` or `OpenLDAPMCP`)\n\n### 2. MCP Server Configuration\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/fastmcp.json`\n\nDefines how the MCP server is launched:\n- Entry point: `src/main.py:create_server`\n- Transport: stdio\n- Python: 3.13 with `uv` environment manager\n- Dependencies: `fastmcp` (>=2.10.1) and `lib389` (>=3.1.3)\n- Loads server config from `./servers.json` (via `LDAP_SERVERS_CONFIG` env var)\n\n### 3. Base Server Classes (Protocol Communication)\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/src/ldap_assistant_mcp/server.py`\n\nDefines the base server architecture with:\n\n**LDAPAssistantMCP class** - extends `FastMCP`:\n- Manages multiple server configurations (`server_configs` dict)\n- Provides base connection handling and server management\n- Methods for getting/adding servers and setting defaults\n- CLI override support for connection parameters\n\n**Supporting Data Classes:**\n- `LDAPServerConfig` - Represents connection parameters for a single LDAP server with support for:\n - Simple authentication\n - SASL methods (GSSAPI, DIGEST-MD5, EXTERNAL)\n - Anonymous access\n - Local server access (requires `is_local=True` and `serverid`)\n - LDAPI Unix socket connections\n- `LDAPAuthMethod` - Enum for supported auth mechanisms\n- `MCPSettings` - Controls privacy mode (sensitive data redaction) via `expose_sensitive_data` flag\n\n### 4. Provider-Specific Implementations\n\n#### A. 389 Directory Server (DirSrv)\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/server.py`\n\n**DirSrvMCP class** - Full-featured implementation for 389 Directory Server:\n- Extends `LDAPAssistantMCP`\n- Loads configurations from JSON file (`config_path` parameter or `LDAP_SERVERS_CONFIG` env var)\n- Uses connection manager for multi-server support\n- Privacy/sanitization support through `PrivacySanitizer`\n- Registers prompts for guided workflows (tool navigator, replication diagnostics, performance investigation, health checks, connectivity troubleshooting)\n- Registers resources for accessing cn=config attributes\n\n**Connection Management:**\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/connection.py`\n\n- `ConnectionManager` - Manages connections to multiple 389 DS instances\n- Creates connections on-demand (no reuse due to lib389 reliability issues)\n- Supports local instances with `lib389.DirSrv.local_simple_allocate()` for access to logs, config files, DSE.ldif\n- Supports LDAPI (Unix socket) connections with SASL EXTERNAL auth\n- Supports remote instances with TCP/LDAP(S)\n\n#### B. OpenLDAP\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/src/openldap_mcp/server.py`\n\n**OpenLDAPMCP class** - Lightweight implementation for generic OpenLDAP:\n- Minimal tool set (currently just `describe_connection` and `whoami`)\n- Uses standard `ldap` module for connections\n- Supports SIMPLE and SASL_EXTERNAL auth\n\n### 5. Tools Registration and Definition\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/tools/__init__.py`\n\nCentral registry that imports and exposes all tool registration functions:\n- `register_health_tools` - Health checks, first look, diagnostics\n- `register_user_tools` - User search, listing, detail retrieval\n- `register_group_tools` - Group operations\n- `register_search_tools` - Generic LDAP search (privacy-gated)\n- `register_replication_tools` - Replication status, topology, lag, conflicts\n- `register_performance_tools` - Performance metrics and statistics\n- `register_monitoring_tools` - Monitoring operations\n- `register_index_tools` - Index analysis and configuration\n- `register_config_tools` - Configuration retrieval and comparison\n\n**Tool Registration Pattern** - Each tool module follows this pattern:\n```python\ndef register_<category>_tools(mcp: DirSrvMCP) -> None:\n @mcp.tool()\n def tool_name(param1: str, param2: Optional[str] = None) -> Dict[str, Any]:\n \"\"\"Docstring describes the tool.\"\"\"\n # Implementation\n```\n\n**Example Tool:** `ldap_search` in `/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/tools/search.py`\n- Parameters: `base_dn`, `scope` (BASE/ONELEVEL/SUBTREE), `filter`, `attributes`, `attrs_only`, `limit`, `server_name`\n- Returns structured JSON with search results\n- Privacy-gated: disabled unless `LDAP_MCP_EXPOSE_SENSITIVE_DATA=true`\n\n### 6. Configuration Loading\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/src/config/loader.py`\n\n**ServerListConfig** - Multi-server configuration container:\n- Loads from JSON file or environment variables\n- Supports fallback to legacy single-server configuration\n- Can be serialized/deserialized to/from JSON\n- Includes MCPSettings for privacy controls\n\n**Key Functions:**\n- `load_config()` - Loads from file or environment (precedence: explicit path > env var > legacy env vars)\n- `initialize_connection_manager()` - Registers servers with a connection manager\n- `save_config()` - Persists configuration to JSON with 0600 permissions\n\n### 7. Privacy & Sanitization\n\n**File:** `/home/david/projects/codeassociates/ldap-assistant-mcp/src/lib/privacy.py`\n\n- `PrivacySanitizer` - Redacts sensitive data (DNs, hostnames, configuration values, replication targets) when `expose_sensitive_data=False`\n- `get_sanitizer()` - Returns singleton instance\n- Each tool module includes sanitization functions that apply redaction to results\n\n### 8. Helper Utilities\n\n**Other files in `src/lib/`:**\n- `datetime_utils.py` - Date/time formatting for LDAP timestamps\n- `ldap_utils.py` - LDAP protocol utilities\n- `value_utils.py` - Value formatting (bytes, floats, integers)\n- `result_formatter.py` - Formats findings with severity levels\n\n### Key Architectural Patterns\n\n1. **FastMCP as Base** - All servers extend `FastMCP` from the `fastmcp` library\n2. **Decorator-based Tool Registration** - Tools use `@mcp.tool()` decorator\n3. **Context Managers for Connections** - `_connection()` context manager in DirSrvMCP handles connection lifecycle\n4. **Privacy by Default** - Sensitive data redacted unless explicitly enabled\n5. **Multi-server Support** - Core design supports managing multiple LDAP instances\n6. **Provider Abstraction** - Server registry pattern allows pluggable implementations\n7. **Local vs Remote** - Distinguishes between local (with file system access) and remote server modes\n\n### MCP Protocol Communication\n\nThe MCP protocol communication is handled by the underlying `fastmcp` library. The custom code:\n- Decorates tool functions with `@self.tool()`\n- Decorates prompt functions with `@self.prompt()`\n- Decorates resource handlers with `@self.resource()`\n- Returns JSON-serializable dictionaries/lists as tool results\n- Leverages FastMCP to handle JSON-RPC protocol, stdio transport, and client communication\n\nAll server classes ultimately call `server.run()` to start the MCP server loop via FastMCP."
},
{
"type": "text",
"text": "agentId: afa6020 (for resuming to continue this agent's work if needed)"
}
]The exploration agent did a thorough job. Now I can explain to the user how MCP actually works, and correct some of their misconceptions. Let me look at a few specific files to show concrete examples of the tool definitions.
Excellent! Now let me show you some concrete code to illustrate how MCP actually works. Your intuition was partially correct, but the mechanism is different from what you imagined.
{
"file_path": "/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/tools/health.py",
"limit": 100
}{
"file_path": "/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/server.py",
"limit": 80
} 1→"""Health check tools for 389 Directory Server."""
2→
3→from __future__ import annotations
4→
5→import copy
6→import re
7→from datetime import datetime, timezone
8→from typing import TYPE_CHECKING, Any, Dict, List, Optional
9→
10→from lib389 import lint
11→from lib389.backend import Backends
12→from lib389.config import Config, Encryption
13→from lib389.dirsrv_log import DirsrvAccessLog
14→from lib389.dseldif import DSEldif, FSChecks
15→from lib389.monitor import Monitor, MonitorDiskSpace, MonitorLDBM
16→from lib389.nss_ssl import NssSsl
17→from lib389.plugins import MemberOfPlugin, ReferentialIntegrityPlugin
18→from lib389.replica import Replica, Replicas
19→from lib389.tunables import Tunables
20→
21→from src.dirsrv_mcp.connection import is_local_server
22→from src.lib.result_formatter import Severity, format_finding
23→from src.lib.value_utils import format_bytes, safe_float, safe_int
24→
25→if TYPE_CHECKING:
26→ from src.dirsrv_mcp.connection import ServerConfig
27→ from src.dirsrv_mcp.server import DirSrvMCP
28→
29→
30→def _sanitize_health_result(mcp: "DirSrvMCP", result: Dict[str, Any]) -> Dict[str, Any]:
31→ """Sanitize health check result for privacy mode."""
32→ if not mcp.privacy_enabled:
33→ return result
34→
35→ sanitizer = mcp.sanitizer
36→ sanitized = dict(result)
37→
38→ # Sanitize server name
39→ if "server" in sanitized:
40→ sanitized["server"] = sanitizer.sanitize_server_name(sanitized["server"])
41→
42→ # Sanitize server lists
43→ if "servers_checked" in sanitized and isinstance(sanitized["servers_checked"], list):
44→ sanitized["servers_checked"] = [
45→ sanitizer.sanitize_server_name(s) for s in sanitized["servers_checked"]
46→ ]
47→ if "servers_failed" in sanitized and isinstance(sanitized["servers_failed"], list):
48→ sanitized["servers_failed"] = [
49→ sanitizer.sanitize_server_name(s) for s in sanitized["servers_failed"]
50→ ]
51→
52→ # Sanitize findings
53→ if "findings" in sanitized and isinstance(sanitized["findings"], list):
54→ sanitized["findings"] = sanitizer.sanitize_findings(sanitized["findings"])
55→
56→ # Sanitize metrics (contains server names, backend names, hostnames)
57→ if "metrics" in sanitized and isinstance(sanitized["metrics"], dict):
58→ sanitized["metrics"] = _sanitize_metrics(sanitizer, sanitized["metrics"])
59→
60→ if "detailed_metrics" in sanitized and isinstance(sanitized["detailed_metrics"], dict):
61→ sanitized["detailed_metrics"] = _sanitize_metrics(sanitizer, sanitized["detailed_metrics"])
62→
63→ return sanitized
64→
65→
66→def _sanitize_metrics(sanitizer, metrics: Dict[str, Any]) -> Dict[str, Any]:
67→ """Sanitize metrics dictionary."""
68→ result = {}
69→ for server_name, server_data in metrics.items():
70→ anon_server = sanitizer.sanitize_server_name(server_name)
71→ if isinstance(server_data, dict):
72→ result[anon_server] = _sanitize_server_metrics(sanitizer, server_data)
73→ else:
74→ result[anon_server] = server_data
75→ return result
76→
77→
78→def _sanitize_server_metrics(sanitizer, data: Dict[str, Any]) -> Dict[str, Any]:
79→ """Sanitize server-level metrics."""
80→ result = {}
81→ for key, value in data.items():
82→ if key == "server":
83→ result[key] = sanitizer.sanitize_server_name(value)
84→ elif key == "replication" and isinstance(value, dict):
85→ result[key] = _sanitize_replication_metrics(sanitizer, value)
86→ elif key == "cache" and isinstance(value, dict):
87→ result[key] = _sanitize_cache_metrics(sanitizer, value)
88→ elif key == "disk" and isinstance(value, dict):
89→ result[key] = _sanitize_disk_metrics(sanitizer, value)
90→ elif key == "certificates" and isinstance(value, dict):
91→ result[key] = _sanitize_cert_metrics(value)
92→ else:
93→ # Keep numeric metrics and status flags
94→ result[key] = value
95→ return result
96→
97→
98→def _sanitize_replication_metrics(sanitizer, repl: Dict[str, Any]) -> Dict[str, Any]:
99→ """Sanitize replication metrics."""
100→ result = dict(repl)
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>
1→"""389 Directory Server MCP server implementation."""
2→
3→from __future__ import annotations
4→
5→import logging
6→import os
7→from contextlib import contextmanager
8→from pathlib import Path
9→import sys
10→from typing import Any, Dict, Iterable, Iterator, List, Optional, Tuple
11→
12→from fastmcp.exceptions import ResourceError, ToolError
13→from fastmcp.prompts import PromptMessage
14→from lib389.config import Config
15→
16→PROJECT_ROOT = Path(__file__).resolve().parents[2]
17→if str(PROJECT_ROOT) not in sys.path:
18→ # Ensure imports like `src.*` work when this file is executed directly.
19→ sys.path.insert(0, str(PROJECT_ROOT))
20→
21→from src.config.loader import load_config
22→from src.dirsrv_mcp.connection import ConnectionManager, ServerConfig
23→from src.dirsrv_mcp.tools import (
24→ register_config_tools,
25→ register_group_tools,
26→ register_health_tools,
27→ register_index_tools,
28→ register_monitoring_tools,
29→ register_performance_tools,
30→ register_replication_tools,
31→ register_search_tools,
32→ register_user_tools,
33→)
34→from src.ldap_assistant_mcp.server import LDAPAssistantMCP, LDAPServerConfig, MCPSettings
35→from src.lib.privacy import PrivacySanitizer, get_sanitizer
36→
37→__all__ = ["DirSrvMCP"]
38→
39→
40→class DirSrvMCP(LDAPAssistantMCP):
41→ """FastMCP server exposing 389 Directory Server operations."""
42→
43→ def __init__(
44→ self,
45→ *,
46→ config_path: Optional[str] = None,
47→ servers: Optional[Iterable[LDAPServerConfig]] = None,
48→ connection_manager: Optional[ConnectionManager] = None,
49→ settings: Optional[MCPSettings] = None,
50→ name: str = "389ds-mcp",
51→ instructions: Optional[str] = None,
52→ **kwargs: Any,
53→ ) -> None:
54→ self.logger = logging.getLogger(self.__class__.__name__)
55→ merged_servers, loaded_settings = self._collect_servers_and_settings(
56→ config_path=config_path, extra_servers=servers
57→ )
58→
59→ super().__init__(
60→ name=name,
61→ instructions=instructions,
62→ servers=merged_servers or None,
63→ **kwargs,
64→ )
65→
66→ # Use provided settings, loaded settings, or defaults
67→ # Note: We use _mcp_settings to avoid conflict with FastMCP's settings property
68→ self._mcp_settings = settings or loaded_settings or MCPSettings.from_env()
69→ self._sanitizer = get_sanitizer()
70→
71→ self.connection_manager = connection_manager or ConnectionManager()
72→ for cfg in self.server_configs.values():
73→ self.connection_manager.add_server(cfg)
74→
75→ self.logger.info(
76→ "DirSrv MCP initialized with %d server(s): %s (privacy_mode=%s)",
77→ len(self.server_configs),
78→ ", ".join(self.server_configs.keys()),
79→ not self._mcp_settings.expose_sensitive_data,
80→ )
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>
Let me read more of the server file to see where tools are registered, and also look at a specific tool definition to show how the decorator pattern works.
{
"file_path": "/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/server.py",
"offset": 80,
"limit": 100
}{
"file_path": "/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/tools/health.py",
"offset": 100,
"limit": 150
} 80→ )
81→
82→ self._register_prompts()
83→ self._register_tools()
84→ self._register_resources()
85→
86→ @property
87→ def privacy_enabled(self) -> bool:
88→ """Return True if privacy mode is enabled (sensitive data is redacted)."""
89→ return not self._mcp_settings.expose_sensitive_data
90→
91→ @property
92→ def sanitizer(self) -> PrivacySanitizer:
93→ """Return the privacy sanitizer instance."""
94→ return self._sanitizer
95→
96→ # --------------------------------------------------------------------- #
97→ # Initialization helpers
98→ # --------------------------------------------------------------------- #
99→
100→ def _collect_servers_and_settings(
101→ self,
102→ *,
103→ config_path: Optional[str],
104→ extra_servers: Optional[Iterable[LDAPServerConfig]],
105→ ) -> Tuple[List[LDAPServerConfig], Optional[MCPSettings]]:
106→ """Collect server configurations and settings from config file.
107→
108→ Returns:
109→ Tuple of (server list, settings or None if not loaded from config)
110→ """
111→ merged: Dict[str, LDAPServerConfig] = {}
112→ loaded_settings: Optional[MCPSettings] = None
113→
114→ should_load_config = config_path or os.environ.get("LDAP_SERVERS_CONFIG")
115→ if should_load_config:
116→ try:
117→ config = load_config(config_file=config_path) # type: ignore[arg-type]
118→ except Exception as exc:
119→ self.logger.warning("Failed to load multi-server config: %s", exc)
120→ else:
121→ for server in config.servers:
122→ merged[server.name] = server
123→ loaded_settings = config.settings
124→
125→ if extra_servers:
126→ for server in extra_servers:
127→ merged[server.name] = server
128→
129→ return list(merged.values()), loaded_settings
130→
131→ # --------------------------------------------------------------------- #
132→ # Registration
133→ # --------------------------------------------------------------------- #
134→
135→ def _register_prompts(self) -> None:
136→ @self.prompt()
137→ def tool_navigator(goal: str) -> List[PromptMessage]:
138→ """Guide users through available tools and their usage."""
139→
140→ return [
141→ PromptMessage(role="user", content=f"Directory task: {goal}"),
142→ PromptMessage(
143→ role="assistant",
144→ content=(
145→ "Use the available MCP tools to accomplish the task. "
146→ "Prefer specialized tools first, falling back to ldap_search for advanced queries.\n\n"
147→ "**Health & Diagnostics:**\n"
148→ "- first_look: Comprehensive health overview across all servers.\n"
149→ "- run_healthcheck: Deep health checks with lint rules.\n\n"
150→ "**Performance:**\n"
151→ "- get_performance_summary: Combined performance overview.\n"
152→ "- get_cache_statistics: Entry/DN/DB cache analysis.\n"
153→ "- get_connection_statistics: Connection patterns and FD usage.\n"
154→ "- get_operation_statistics: Operation counts by type.\n"
155→ "- get_thread_statistics: Thread pool utilization.\n"
156→ "- get_resource_utilization: Memory, CPU, disk usage.\n\n"
157→ "**Replication:**\n"
158→ "- get_replication_status: Comprehensive replica and agreement status.\n"
159→ "- get_replication_topology: Map topology across all servers.\n"
160→ "- check_replication_lag: Analyze sync status and CSN lag.\n"
161→ "- list_replication_conflicts: Find conflict and glue entries.\n"
162→ "- get_agreement_status: Detailed agreement information.\n\n"
163→ "**User Management:**\n"
164→ "- list_active_users / list_locked_users / list_all_users\n"
165→ "- search_users_by_name / search_users_by_attribute\n"
166→ "- get_user_details\n\n"
167→ "**Group Management:**\n"
168→ "- list_all_groups\n\n"
169→ "**Monitoring:**\n"
170→ "- run_monitor\n\n"
171→ "**Advanced:**\n"
172→ "- ldap_search(base_dn, scope, filter, attributes, attrs_only, limit)\n\n"
173→ "State which tool you'll call next and why; keep outputs concise."
174→ ),
175→ ),
176→ ]
177→
178→ @self.prompt()
179→ def diagnose_replication() -> List[PromptMessage]:
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>
100→ result = dict(repl)
101→ if "agreements" in result and isinstance(result["agreements"], list):
102→ result["agreements"] = [
103→ {
104→ "name": "[agreement]",
105→ "consumer": sanitizer.sanitize_hostname(a.get("consumer")),
106→ "suffix": sanitizer.sanitize_suffix(a.get("suffix")),
107→ }
108→ for a in result["agreements"]
109→ ]
110→ return result
111→
112→
113→def _sanitize_cache_metrics(sanitizer, cache: Dict[str, Any]) -> Dict[str, Any]:
114→ """Sanitize cache metrics."""
115→ result = dict(cache)
116→ if "backends" in result and isinstance(result["backends"], list):
117→ result["backends"] = [
118→ {
119→ "name": "[backend]",
120→ "entry_cache_hit_ratio": b.get("entry_cache_hit_ratio"),
121→ "entry_cache_tries": b.get("entry_cache_tries"),
122→ }
123→ for b in result["backends"]
124→ ]
125→ return result
126→
127→
128→def _sanitize_disk_metrics(sanitizer, disk: Dict[str, Any]) -> Dict[str, Any]:
129→ """Sanitize disk metrics."""
130→ result = dict(disk)
131→ if "partitions" in result and isinstance(result["partitions"], list):
132→ result["partitions"] = [
133→ {
134→ "partition": "[partition]",
135→ "usage_percent": p.get("usage_percent"),
136→ "size": p.get("size"),
137→ "available": p.get("available"),
138→ }
139→ for p in result["partitions"]
140→ ]
141→ return result
142→
143→
144→def _sanitize_cert_metrics(certs: Dict[str, Any]) -> Dict[str, Any]:
145→ """Sanitize certificate metrics."""
146→ result = dict(certs)
147→ if "certs" in result and isinstance(result["certs"], list):
148→ result["certs"] = [
149→ {
150→ "subject": "[certificate]",
151→ "type": c.get("type"),
152→ "days_until_expiry": c.get("days_until_expiry"),
153→ }
154→ for c in result["certs"]
155→ ]
156→ return result
157→
158→# Check UIDs that ONLY work with local servers (require filesystem or NSS access)
159→# These are the lint_uid() values returned by the check objects
160→LOCAL_ONLY_CHECK_UIDS = {
161→ "fschecks", # FSChecks - file system permission checks
162→ "monitor-disk-space", # MonitorDiskSpace - disk space monitoring
163→ "dseldif", # DSEldif - DSE.ldif configuration access
164→ "tls", # NssSsl - certificate database access (uses "tls" uid)
165→ "logs", # DirsrvAccessLog - access log analysis
166→}
167→
168→
169→# Check objects that can perform lint operations (mirrors lib389 CHECK_OBJECTS)
170→CHECK_OBJECTS = [
171→ Config,
172→ Backends,
173→ Encryption,
174→ FSChecks,
175→ ReferentialIntegrityPlugin,
176→ MemberOfPlugin,
177→ MonitorDiskSpace,
178→ Replica,
179→ DSEldif,
180→ NssSsl,
181→ DirsrvAccessLog,
182→ Tunables,
183→]
184→
185→
186→def _get_all_error_codes() -> List[Dict[str, Any]]:
187→ """Get all known DSLE error codes from lib389.lint module."""
188→ errors = []
189→ for name in dir(lint):
190→ if re.match(r"^DS", name):
191→ error_def = getattr(lint, name)
192→ if isinstance(error_def, dict) and "dsle" in error_def:
193→ errors.append({
194→ "code": error_def["dsle"],
195→ "severity": error_def.get("severity", "UNKNOWN"),
196→ "description": error_def.get("description", ""),
197→ })
198→ return sorted(errors, key=lambda x: x["code"])
199→
200→
201→def _list_check_targets(ds) -> Dict[str, Any]:
202→ """List all check targets and their available lint methods."""
203→ targets = {}
204→ for check_class in CHECK_OBJECTS:
205→ try:
206→ obj = check_class(ds)
207→ uid = obj.lint_uid()
208→ methods = []
209→ for method_name in dir(obj):
210→ if method_name.startswith("_lint_"):
211→ pretty_name = method_name[6:] # Remove '_lint_' prefix
212→ methods.append(pretty_name)
213→ if methods:
214→ targets[uid] = {
215→ "object": obj,
216→ "methods": sorted(methods),
217→ }
218→ except Exception:
219→ # Some objects may fail to instantiate without proper config
220→ continue
221→ return targets
222→
223→
224→def _expand_check_spec(targets: Dict[str, Any], spec: str) -> List[tuple]:
225→ """Expand a check spec like 'config:*' or 'backends:mappingtree' to list of (uid, method)."""
226→ checks = []
227→ if ":" in spec:
228→ uid_pattern, method_pattern = spec.split(":", 1)
229→ else:
230→ uid_pattern = spec
231→ method_pattern = "*"
232→
233→ for uid, target_info in targets.items():
234→ # Match UID
235→ if uid_pattern != "*" and uid_pattern != uid:
236→ continue
237→
238→ # Match methods
239→ for method in target_info["methods"]:
240→ if method_pattern == "*" or method_pattern == method:
241→ checks.append((uid, method, target_info["object"]))
242→
243→ return checks
244→
245→
246→def _run_single_check(obj, method_name: str) -> List[Dict[str, Any]]:
247→ """Run a single lint check and return results."""
248→ results = []
249→ try:
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>
Let me find the actual tool registration code, specifically where a tool function is defined with its decorator pattern. Let me search for a simpler tool definition.
{
"file_path": "/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/tools/health.py",
"offset": 250,
"limit": 100
}{
"file_path": "/home/david/projects/codeassociates/ldap-assistant-mcp/src/dirsrv_mcp/tools/users.py",
"limit": 120
} 250→ lint_method = getattr(obj, f"_lint_{method_name}", None)
251→ if lint_method and callable(lint_method):
252→ for result in lint_method() or []:
253→ if isinstance(result, dict):
254→ # Add check identifier if not present
255→ if "check" not in result:
256→ result = copy.deepcopy(result)
257→ result["check"] = f"{obj.lint_uid()}:{method_name}"
258→ results.append(result)
259→ except Exception as e:
260→ # Return error as a finding
261→ results.append({
262→ "dsle": "RUNTIME_ERROR",
263→ "severity": "MEDIUM",
264→ "description": f"Check failed: {obj.lint_uid()}:{method_name}",
265→ "items": [],
266→ "detail": str(e),
267→ "fix": "Review server logs and verify the server is accessible.",
268→ "check": f"{obj.lint_uid()}:{method_name}",
269→ })
270→ return results
271→
272→
273→def _convert_lib389_result_to_finding(result: Dict[str, Any], server_name: str) -> Dict[str, Any]:
274→ """Convert a lib389 lint result to the MCP finding format."""
275→ severity_map = {
276→ "CRITICAL": Severity.CRITICAL,
277→ "HIGH": Severity.HIGH,
278→ "MEDIUM": Severity.MEDIUM,
279→ "LOW": Severity.LOW,
280→ "INFO": Severity.INFO,
281→ }
282→ # Handle case-insensitive severity matching
283→ raw_severity = result.get("severity", "MEDIUM").upper()
284→ severity = severity_map.get(raw_severity, Severity.MEDIUM)
285→
286→ items = result.get("items", [])
287→ items_str = ", ".join(str(item) for item in items) if items else "N/A"
288→
289→ return format_finding(
290→ title=f"[{result.get('dsle', 'UNKNOWN')}] {result.get('description', 'Health check finding')}",
291→ severity=severity,
292→ impact=f"Affects: {items_str}",
293→ details=result.get("detail", "No details available"),
294→ remediation=result.get("fix", "No remediation steps provided"),
295→ server=server_name,
296→ metadata={
297→ "dsle": result.get("dsle"),
298→ "check": result.get("check"),
299→ "items": items,
300→ },
301→ )
302→
303→
304→def register_health_tools(mcp: DirSrvMCP) -> None:
305→ """Register health check tools with the MCP server."""
306→
307→ @mcp.tool()
308→ def first_look() -> Dict[str, Any]:
309→ """Comprehensive health overview - the go-to tool for "what's wrong with my directory?"
310→
311→ Performs a complete health assessment across all configured servers including:
312→ - Server connectivity and basic health
313→ - Connection and thread utilization
314→ - Replication status and errors
315→ - Cache efficiency (entry cache hit ratios)
316→ - Disk space usage (local servers only)
317→ - SSL certificate expiration (local servers only)
318→
319→ **Note on local vs remote servers:**
320→ Most checks work via LDAP and are available for all servers. However, the
321→ following require local server access (is_local=True with serverid):
322→ - Disk space monitoring (requires filesystem access)
323→ - Certificate expiration checking (requires NSS database access)
324→
325→ For remote servers, these metrics will show as unavailable in the response.
326→
327→ Returns prioritized findings with severity levels and actionable recommendations.
328→ This should be the first tool called when investigating directory issues.
329→ """
330→ server_names = mcp.connection_manager.get_server_names()
331→
332→ if not server_names:
333→ return {
334→ "type": "first_look",
335→ "summary": "No servers configured",
336→ "overall_health": "unknown",
337→ "critical_count": 1,
338→ "high_count": 0,
339→ "medium_count": 0,
340→ "low_count": 0,
341→ "info_count": 0,
342→ "findings": [
343→ format_finding(
344→ title="No LDAP Servers Configured",
345→ severity=Severity.CRITICAL,
346→ impact="Cannot perform any directory operations",
347→ details=(
348→ "The LDAP Assistant has no servers configured. "
349→ "Configure at least one server via environment variables "
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>
1→"""User management tools for 389 Directory Server."""
2→
3→from __future__ import annotations
4→
5→import json
6→from typing import TYPE_CHECKING, Any, Dict, Iterable, List, Optional
7→
8→from lib389.idm.account import Accounts
9→from lib389.idm.user import nsUserAccounts
10→
11→from src.lib.datetime_utils import convert_datetimes_to_strings
12→from src.lib.privacy import create_count_only_response, create_privacy_error
13→
14→if TYPE_CHECKING:
15→ from src.dirsrv_mcp.server import DirSrvMCP
16→
17→
18→def register_user_tools(mcp: DirSrvMCP) -> None:
19→ """Register user management tools with the MCP server."""
20→
21→ @mcp.tool()
22→ def list_all_users(limit: int = 50, server_name: Optional[str] = None) -> Dict[str, Any]:
23→ """List users in the directory with computed status.
24→
25→ Note: In privacy mode (default), returns count only.
26→ Set LDAP_MCP_EXPOSE_SENSITIVE_DATA=true for full user details.
27→ """
28→ target = server_name or mcp.default_server
29→ with mcp._connection(target) as (name, ds):
30→ base_dn = mcp._get_base_dn(name)
31→ users = nsUserAccounts(ds, base_dn)
32→
33→ # In privacy mode, return count only
34→ if mcp.privacy_enabled:
35→ count = sum(1 for _ in users.list())
36→ return create_count_only_response("user_list", name, count, mcp.sanitizer)
37→
38→ results = _collect_entries(mcp, users.list(), ds, base_dn, limit)
39→ return {
40→ "type": "user_list",
41→ "server": name,
42→ "total_returned": len(results),
43→ "limit_applied": limit,
44→ "items": results,
45→ }
46→
47→ @mcp.tool()
48→ def search_users_by_name(
49→ name: str, limit: int = 50, server_name: Optional[str] = None
50→ ) -> Dict[str, Any]:
51→ """Search for users by name (uid, cn, givenName, sn, displayName, mail).
52→
53→ Note: In privacy mode (default), returns count only.
54→ Set LDAP_MCP_EXPOSE_SENSITIVE_DATA=true for full user details.
55→ """
56→ target = server_name or mcp.default_server
57→ with mcp._connection(target) as (srv, ds):
58→ base_dn = mcp._get_base_dn(srv)
59→ if "*" in name:
60→ search_filter = (
61→ f"(|(uid={name})(cn={name})(givenName={name})(sn={name})"
62→ f"(displayName={name})(mail={name}))"
63→ )
64→ else:
65→ search_filter = (
66→ f"(|(uid=*{name}*)(cn=*{name}*)(givenName=*{name}*)(sn=*{name}*)"
67→ f"(displayName=*{name}*)(mail=*{name}*))"
68→ )
69→ users = nsUserAccounts(ds, base_dn)
70→
71→ # In privacy mode, return count only
72→ if mcp.privacy_enabled:
73→ count = sum(1 for _ in users.filter(search_filter))
74→ return create_count_only_response("user_search", srv, count, mcp.sanitizer)
75→
76→ results = _collect_entries(mcp, users.filter(search_filter), ds, base_dn, limit)
77→ return {
78→ "type": "user_search",
79→ "server": srv,
80→ "search_term": name,
81→ "filter_used": search_filter,
82→ "total_returned": len(results),
83→ "limit_applied": limit,
84→ "items": results,
85→ }
86→
87→ @mcp.tool()
88→ def get_user_details(username: str, server_name: Optional[str] = None) -> Dict[str, Any]:
89→ """Get detailed information about a specific user.
90→
91→ Note: This tool is disabled in privacy mode (default).
92→ Set LDAP_MCP_EXPOSE_SENSITIVE_DATA=true to enable.
93→ """
94→ # Disabled in privacy mode
95→ if mcp.privacy_enabled:
96→ return create_privacy_error("get_user_details")
97→
98→ target = server_name or mcp.default_server
99→ with mcp._connection(target) as (srv, ds):
100→ base_dn = mcp._get_base_dn(srv)
101→ users = nsUserAccounts(ds, base_dn)
102→ user = users.get(username)
103→ record = _build_user_record(mcp, user, ds, base_dn)
104→ return {"type": "user_details", "server": srv, "username": username, "user": record}
105→
106→ @mcp.tool()
107→ def list_active_users(limit: int = 50, server_name: Optional[str] = None) -> Dict[str, Any]:
108→ """List active (unlocked) users.
109→
110→ Note: In privacy mode (default), returns count only.
111→ Set LDAP_MCP_EXPOSE_SENSITIVE_DATA=true for full user details.
112→ """
113→ target = server_name or mcp.default_server
114→ with mcp._connection(target) as (srv, ds):
115→ base_dn = mcp._get_base_dn(srv)
116→ users = nsUserAccounts(ds, base_dn)
117→
118→ # In privacy mode, count active users only
119→ if mcp.privacy_enabled:
120→ count = 0
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>
Now I have a good understanding of how this MCP server works. Let me explain it clearly to the user. The key insight is that:
Let me explain this and show the key pieces of code.
Now I understand your confusion. Let me explain how MCP actually works, which is quite different from your initial mental model.
Your intuition that "the LLM only understands natural language" led you to expect special tokens or text markers. But MCP doesn't communicate directly with the LLM at all. Instead:
┌─────────────┐ JSON-RPC/stdio ┌─────────────┐
│ MCP Server │ ◄─────────────────► │ Host │ ◄───► LLM
│ (this code)│ │(Claude Code)│
└─────────────┘ └─────────────┘
The Host (like Claude Code, Claude Desktop, or any MCP-compatible client) acts as the intermediary: 1. It connects to MCP servers via JSON-RPC (over stdio, HTTP, etc.) 2. It queries MCP servers for their available tools, prompts, and resources 3. It presents those tools to the LLM in the LLM's native tool format 4. When the LLM calls a tool, the Host translates it to an MCP protocol call
The "instruction" to the LLM comes from Python docstrings and type hints. Look at this tool definition in src/dirsrv_mcp/tools/users.py:21-45:
@mcp.tool()
def list_all_users(limit: int = 50, server_name: Optional[str] = None) -> Dict[str, Any]:
"""List users in the directory with computed status.
Note: In privacy mode (default), returns count only.
Set LDAP_MCP_EXPOSE_SENSITIVE_DATA=true for full user details.
"""
The @mcp.tool() decorator (from FastMCP) does several things:
1. Function name → becomes the tool name (list_all_users)
2. Docstring → becomes the tool description shown to the LLM
3. Type hints (limit: int, server_name: Optional[str]) → become the JSON schema for parameters
4. Return type → informs the expected response structure
Another example from src/dirsrv_mcp/tools/health.py:307-329:
@mcp.tool()
def first_look() -> Dict[str, Any]:
"""Comprehensive health overview - the go-to tool for "what's wrong with my directory?"
Performs a complete health assessment across all configured servers including:
- Server connectivity and basic health
- Connection and thread utilization
- Replication status and errors
- Cache efficiency (entry cache hit ratios)
- Disk space usage (local servers only)
- SSL certificate expiration (local servers only)
...
"""
In src/dirsrv_mcp/server.py:82-84, tools get registered:
self._register_prompts()
self._register_tools()
self._register_resources()
And _register_tools() calls functions like register_user_tools(mcp) which then use the @mcp.tool() decorator on each function.
The protocol handling you're looking for is not in this project - it's in the fastmcp library. This project extends FastMCP:
from fastmcp import FastMCP
class LDAPAssistantMCP(FastMCP):
...
FastMCP handles:
- JSON-RPC message serialization/deserialization
- The tools/list, tools/call protocol methods
- Schema generation from Python type hints
- Transport (stdio, SSE, etc.)
When the Host asks "what tools do you have?", FastMCP responds with JSON like:
{
"tools": [
{
"name": "list_all_users",
"description": "List users in the directory with computed status...",
"inputSchema": {
"type": "object",
"properties": {
"limit": {"type": "integer", "default": 50},
"server_name": {"type": "string"}
}
}
}
]
}
When the LLM (via the Host) calls a tool:
{"method": "tools/call", "params": {"name": "list_all_users", "arguments": {"limit": 10}}}
FastMCP routes this to the decorated Python function and returns the result.
| What you expected | What actually happens |
|---|---|
| Special tokens in context | JSON-RPC protocol over stdio |
| Text injected at session start | Host queries server for tool schemas |
| LLM parses special markers | Host translates LLM tool calls to MCP protocol |
| Schema definitions in code | Auto-generated from Python type hints + docstrings |
The "meat" you were looking for is:
1. Tool definitions: The @mcp.tool() decorated functions in src/dirsrv_mcp/tools/*.py
2. Protocol handling: The fastmcp library (not in this repo)
3. LLM instructions: Python docstrings that FastMCP extracts and serves via JSON-RPC
Hmm...I think my intuition and your intuition are actually the same! Although the MCP server doesn't communicate directly with the LLM, it really does in that the intermediary components pretty much pass through data. I have some follow up questions:
The user is pointing out that while technically the MCP server doesn't communicate directly with the LLM, the intermediary (the Host) essentially passes through the data, so conceptually it's similar to what they imagined. They have follow-up questions coming. Let me wait for them.
You're right - conceptually the data does flow through to the LLM, just via a structured protocol rather than raw text injection. The Host is essentially a translator/adapter layer, but the tool descriptions, schemas, and results do end up in the LLM's context.
What are your follow-up questions?
Can you explain what exactly the LLM's "native tool format" is, and how exactly LLMs conceive of "tools". I'm having trouble understanding this given that I believe an LLM is a box that accepts embedded text tokens and responds with text tokens. Are "tools" something else or are they some encoding of this textural/embedding scheme?
This is a great question about the fundamental nature of how LLMs work with tools. The user is correct that at the most fundamental level, LLMs are text-in, text-out (or more precisely, token-in, token-out) systems. So how do "tools" fit into this?
Let me explain this accurately:
At the base level, LLMs are indeed transformer models that take token sequences and output token sequences.
"Tools" are not a separate mechanism at the model architecture level - they are indeed encoded as text/tokens in the context window.
The "native tool format" I mentioned is really just a structured text format that gets injected into the prompt. For Claude, this happens via the API where you pass a tools parameter, but that gets serialized into the prompt in a specific format that Claude was trained to understand.
Claude (and other tool-using LLMs) were trained with examples of:
Examples of tool results being injected back and how to interpret them
When Claude "calls a tool", it's really just outputting text in a specific format (like XML tags or JSON) that the host application parses and interprets as a tool call.
So the user's intuition is correct - it IS all text/tokens. The "tool" abstraction is: 1. A training convention (Claude learned to recognize tool definitions and output tool calls) 2. A prompt engineering pattern (tool definitions are injected as text) 3. An API/application layer abstraction (the host parses certain output patterns as "tool calls")
Let me explain this clearly to the user.
Excellent question - you're probing at something fundamental. Your intuition is correct: it's tokens all the way down.
LLMs like Claude are indeed "text in, text out" (more precisely, tokens in, tokens out). There is no separate "tool mechanism" at the neural network level. What we call "tools" is really:
When you (or Claude Code) make an API call with tools, something like this happens:
API Request (simplified):
{
"messages": [{"role": "user", "content": "List LDAP users"}],
"tools": [{
"name": "list_all_users",
"description": "List users in the directory...",
"input_schema": {"type": "object", "properties": {"limit": {"type": "integer"}}}
}]
}
What Claude Actually "Sees" (conceptually):
The API layer serializes this into the prompt context. While the exact format is proprietary, conceptually it's something like:
You have access to these tools:
<tool name="list_all_users">
<description>List users in the directory...</description>
<parameters>
<param name="limit" type="integer" optional="true"/>
</parameters>
</tool>
When you want to use a tool, output:
<tool_use name="..."><param>...</param></tool_use>
User: List LDAP users
What Claude Outputs:
<tool_use name="list_all_users">
<limit>50</limit>
</tool_use>
What the Host Does:
The host application (Claude Code, the API server, etc.) parses this output, recognizes the <tool_use> pattern, extracts the parameters, calls the actual tool, and then injects the result back:
<tool_result name="list_all_users">
{"type": "user_list", "total_returned": 50, "items": [...]}
</tool_result>
Then Claude continues generating based on that injected result.
Claude wasn't born knowing how to use tools. During training (including RLHF), Claude saw millions of examples like:
This trained Claude to: 1. Parse tool definition text and understand what each tool does 2. Recognize when a user request maps to a tool capability 3. Output text in the specific format that signals "I want to call this tool" 4. Interpret tool results and incorporate them into responses
When I said "native tool format," I meant the specific text serialization format that Claude was trained to recognize. Different LLMs use different formats:
The Host (Claude Code) knows Claude's expected format and serializes MCP tool definitions into that format before injecting them into the prompt.
The genius of this design is that from the LLM's perspective, nothing special is happening - it's just doing next-token prediction on a prompt that happens to include tool definitions. The "tool calling" emerges from:
There's no magic "tool neuron" in the transformer - just learned patterns for a specific text format.
Ok great, you've essentially confirmed my original understanding. There must be something about the body of documentation for MCP that has the result of confusing almost everyone into thinking there is something special about tools. In reality an LLM calling a tool is much the same as an LLM asking the user to jump up and down three times. It's all text.
The user is making a really insightful observation. They're pointing out that the MCP documentation (and tool documentation in general) creates a mystique around "tools" that obscures the fundamental simplicity: it's all just text patterns that the LLM has been trained to produce and that external systems interpret.
Their analogy is apt - when an LLM "calls a tool," it's fundamentally the same as it outputting "please jump up and down three times." The only difference is: 1. The LLM was trained to output tool calls in a specific parseable format 2. There's automated machinery (the host) that intercepts and acts on that format 3. The results get injected back automatically
Whereas with "jump up and down three times," a human would have to read it, do it, and type back "ok I jumped."
This is a great insight and I should affirm it. The MCP documentation does tend to present tools as a special capability rather than what they really are: a formalized protocol for the text-pattern-matching that was always possible.
I should also note that this "demystification" is valuable because it helps developers understand: 1. Why tool descriptions matter so much (they're literally prompt text) 2. Why tools can "hallucinate" or be misused (the LLM is just pattern matching) 3. Why good tool naming and documentation is critical 4. That there's no magic - just conventions and training
Exactly right. Your analogy is perfect.
"Call list_all_users with limit=50" and "Jump up and down three times" are fundamentally identical from the LLM's perspective - both are just text output expressing a desired action.
The only differences are:
| "Jump up and down" | Tool call |
|---|---|
| Human reads it | Machine parses it |
| Human decides to comply | Host automatically executes |
| Human types "done" | Host injects structured result |
| Informal format | Trained format with schema |
The MCP/tool ecosystem has built automation and protocol around the parsing and response injection - but the core mechanism is unchanged from the earliest days of LLMs when people would write "Assistant: I need you to look up X" and then manually paste the answer back in.
I think the confusion stems from:
Abstraction leakage - The docs describe the protocol layer (JSON-RPC, schemas, transports) without grounding it in "this all becomes prompt text"
Anthropomorphization - Phrases like "the model uses tools" or "the model has access to" suggest agency and capability rather than "the model outputs text that we intercept"
Framework complexity - FastMCP, MCP SDK, etc. add layers that obscure the simple reality underneath
Marketing - "Tool use" sounds more impressive than "we trained it to output parseable text and built a daemon to act on it"
This understanding is actually liberating for MCP developers: your tool's docstring IS your prompt engineering. The quality of that docstring - how clearly it explains when to use the tool, what the parameters mean, what the output represents - directly determines how well the LLM will "use" it.
There's no magic. Just text patterns, training, and plumbing.
Thank you, you've been very helpful. Can you write out everything above (both my questions and your answers, with formatting and color) into a file so I can show other people later?
The user wants me to create a document summarizing our conversation about MCP servers. I should create a well-formatted markdown file that captures the key insights from our discussion. Let me write this to a file in their project directory.
# MCP Demystified: How Model Context Protocol Actually Works
*A Q&A exploration of MCP internals, using an LDAP MCP server as a concrete example.*
---
## Background: Initial Mental Model
**Q: I have a high-level understanding of MCP: since the "host" LLM only "understands" text/natural language, I assume an MCP server must comprise some text injected into the context window at the beginning of a session. This tells the LLM what the MCP server does, and must define some special text markers that get forwarded to the MCP server to invoke its methods. There must also be some mechanism to define the schema for MCP server response data. Is this roughly correct?**
**A:** Your intuition is partially correct, but the mechanism is different from what you imagined.
### The Architecture
MCP doesn't communicate directly with the LLM. Instead:
```
┌─────────────┐ JSON-RPC/stdio ┌─────────────┐
│ MCP Server │ ◄─────────────────► │ Host │ ◄───► LLM
│ │ │(Claude Code)│
└─────────────┘ └─────────────┘
```
The **Host** (Claude Code, Claude Desktop, or any MCP-compatible client) acts as the intermediary:
1. It connects to MCP servers via JSON-RPC (over stdio, HTTP, etc.)
2. It queries MCP servers for their available **tools**, **prompts**, and **resources**
3. It presents those tools to the LLM in the LLM's native tool format
4. When the LLM calls a tool, the Host translates it to an MCP protocol call
### Where the "Instructions to the LLM" Live
The "instruction" to the LLM comes from **Python docstrings and type hints**. Example:
```python
@mcp.tool()
def list_all_users(limit: int = 50, server_name: Optional[str] = None) -> Dict[str, Any]:
"""List users in the directory with computed status.
Note: In privacy mode (default), returns count only.
Set LDAP_MCP_EXPOSE_SENSITIVE_DATA=true for full user details.
"""
```
The `@mcp.tool()` decorator does several things:
| Source | Becomes |
|--------|---------|
| Function name | Tool name (`list_all_users`) |
| Docstring | Tool description shown to the LLM |
| Type hints (`limit: int`) | JSON schema for parameters |
| Return type | Expected response structure |
### The Protocol Layer
The protocol handling is in the `fastmcp` library (not in individual MCP servers). MCP servers extend `FastMCP`:
```python
from fastmcp import FastMCP
class LDAPAssistantMCP(FastMCP):
...
```
FastMCP handles:
- JSON-RPC message serialization/deserialization
- The `tools/list`, `tools/call` protocol methods
- Schema generation from Python type hints
- Transport (stdio, SSE, etc.)
### The Wire Protocol
When the Host asks "what tools do you have?", FastMCP responds with JSON:
```json
{
"tools": [
{
"name": "list_all_users",
"description": "List users in the directory with computed status...",
"inputSchema": {
"type": "object",
"properties": {
"limit": {"type": "integer", "default": 50},
"server_name": {"type": "string"}
}
}
}
]
}
```
When the LLM (via the Host) calls a tool:
```json
{"method": "tools/call", "params": {"name": "list_all_users", "arguments": {"limit": 10}}}
```
FastMCP routes this to the decorated Python function and returns the result.
### Summary Table
| What you might expect | What actually happens |
|-----------------------|----------------------|
| Special tokens in context | JSON-RPC protocol over stdio |
| Text injected at session start | Host queries server for tool schemas |
| LLM parses special markers | Host translates LLM tool calls to MCP protocol |
| Schema definitions in code | Auto-generated from Python type hints + docstrings |
---
## Going Deeper: What Are "Tools" Really?
**Q: Can you explain what exactly the LLM's "native tool format" is, and how exactly LLMs conceive of "tools"? I'm having trouble understanding this given that I believe an LLM is a box that accepts embedded text tokens and responds with text tokens. Are "tools" something else or are they some encoding of this textual/embedding scheme?**
**A:** Your intuition is correct: **it's tokens all the way down**.
### The Reality: Tools Are Just Structured Text
LLMs like Claude are indeed "text in, text out" (more precisely, tokens in, tokens out). There is no separate "tool mechanism" at the neural network level. What we call "tools" is really:
1. **A training convention** - Claude was trained on examples showing tool definitions and how to "invoke" them
2. **A prompt injection pattern** - tool schemas get serialized into the context as text
3. **An output parsing convention** - certain output patterns are intercepted and interpreted as "tool calls"
### What Actually Happens
When you (or Claude Code) make an API call with tools:
**API Request (simplified):**
```json
{
"messages": [{"role": "user", "content": "List LDAP users"}],
"tools": [{
"name": "list_all_users",
"description": "List users in the directory...",
"input_schema": {"type": "object", "properties": {"limit": {"type": "integer"}}}
}]
}
```
**What Claude Actually "Sees" (conceptually):**
The API layer serializes this into the prompt context. While the exact format is proprietary, conceptually it's something like:
```
You have access to these tools:
<tool name="list_all_users">
<description>List users in the directory...</description>
<parameters>
<param name="limit" type="integer" optional="true"/>
</parameters>
</tool>
When you want to use a tool, output:
<tool_use name="..."><param>...</param></tool_use>
User: List LDAP users
```
**What Claude Outputs:**
```xml
<tool_use name="list_all_users">
<limit>50</limit>
</tool_use>
```
**What the Host Does:**
The host application parses this output, recognizes the `<tool_use>` pattern, extracts the parameters, calls the actual tool, and injects the result back:
```xml
<tool_result name="list_all_users">
{"type": "user_list", "total_returned": 50, "items": [...]}
</tool_result>
```
Then Claude continues generating based on that injected result.
### The "Training" Part
Claude wasn't born knowing how to use tools. During training (including RLHF), Claude saw millions of examples like:
- "Here are tools: X, Y, Z. User asks for Q. Good response: call tool Y with these params"
- "Tool returned R. Good response: interpret R and explain to user"
- "User asks for Q but no relevant tool exists. Good response: explain you can't do that"
This trained Claude to:
1. Parse tool definition text and understand what each tool does
2. Recognize when a user request maps to a tool capability
3. Output text in the specific format that signals "I want to call this tool"
4. Interpret tool results and incorporate them into responses
### What Is "Native Tool Format"?
"Native tool format" means the specific text serialization format that a particular LLM was trained to recognize. Different LLMs use different formats:
- **Claude**: XML-style tags (the exact format is part of Anthropic's system prompt injection)
- **OpenAI models**: JSON with specific structure
- **Open source models**: Varies by training (Llama, Mistral, etc. each have their own conventions)
The Host knows the target LLM's expected format and serializes MCP tool definitions accordingly.
### The Elegant Trick
The genius of this design is that from the LLM's perspective, nothing special is happening - it's just doing next-token prediction on a prompt that happens to include tool definitions. The "tool calling" emerges from:
1. Training on tool-use patterns
2. Careful prompt construction
3. Output parsing by the host
There's no magic "tool neuron" in the transformer - just learned patterns for a specific text format.
---
## The Key Insight: It's All Just Text
**Q: You've essentially confirmed my original understanding. There must be something about MCP documentation that confuses almost everyone into thinking there is something special about tools. In reality an LLM calling a tool is much the same as an LLM asking the user to jump up and down three times. It's all text.**
**A:** Exactly right. Your analogy is perfect.
**"Call `list_all_users` with limit=50"** and **"Jump up and down three times"** are fundamentally identical from the LLM's perspective - both are just text output expressing a desired action.
The only differences are:
| "Jump up and down" | Tool call |
|--------------------|-----------|
| Human reads it | Machine parses it |
| Human decides to comply | Host automatically executes |
| Human types "done" | Host injects structured result |
| Informal format | Trained format with schema |
The MCP/tool ecosystem has built **automation and protocol around the parsing and response injection** - but the core mechanism is unchanged from the earliest days of LLMs when people would write "Assistant: I need you to look up X" and then manually paste the answer back in.
### Why the Documentation Confuses
The confusion stems from:
1. **Abstraction leakage** - The docs describe the protocol layer (JSON-RPC, schemas, transports) without grounding it in "this all becomes prompt text"
2. **Anthropomorphization** - Phrases like "the model *uses* tools" or "the model *has access to*" suggest agency and capability rather than "the model outputs text that we intercept"
3. **Framework complexity** - FastMCP, MCP SDK, etc. add layers that obscure the simple reality underneath
4. **Marketing** - "Tool use" sounds more impressive than "we trained it to output parseable text and built a daemon to act on it"
### The Practical Implication
This understanding is liberating for MCP developers: **your tool's docstring IS your prompt engineering**. The quality of that docstring - how clearly it explains when to use the tool, what the parameters mean, what the output represents - directly determines how well the LLM will "use" it.
**There's no magic. Just text patterns, training, and plumbing.**
---
## Appendix: Key Files in an MCP Server
For reference, here's where the important pieces live in a typical FastMCP-based server:
| Component | Location | Purpose |
|-----------|----------|---------|
| Tool definitions | `src/*/tools/*.py` | `@mcp.tool()` decorated functions |
| Server class | `src/*/server.py` | Extends `FastMCP`, registers tools |
| Entry point | `src/main.py` | Creates and returns the server instance |
| Configuration | `fastmcp.json` | Tells the host how to launch the server |
| Protocol handling | `fastmcp` library | JSON-RPC, schema generation, transport |
The "instructions to the LLM" are the **docstrings** on the tool functions. The "special tokens" are just **structured text patterns** that the LLM learned during training. The "schema definitions" are **auto-generated from Python type hints**.
---
*Document generated from a conversation exploring MCP internals.*
File created successfully at: /home/david/projects/codeassociates/ldap-assistant-mcp/MCP_DEMYSTIFIED.md
Done! I've written the full Q&A to:
MCP_DEMYSTIFIED.md
It includes: - The architectural diagram - All the key explanations about how tools are really just text - The comparison tables - Code examples - The "jump up and down" analogy - Why MCP documentation tends to confuse people - An appendix showing where key components live in an MCP server
The file is in Markdown format so it will render nicely on GitHub or any Markdown viewer.