[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
(ITS#6513) dynacl/aci fails on searches with attributes
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#6513) dynacl/aci fails on searches with attributes
- From: peter@adpm.de
- Date: Sun, 11 Apr 2010 17:03:46 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Peter Marschall
Version: 2.4.21
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
Submission from: (NULL) (94.217.135.20)
Hi,
Playing around with dynacl/aci a bit I cam across the following issue:
Searches that do not contain the attribute OpenLDAPaci in the list of attribues
queried, omit objects.
E.g. doing a base search for 1.1 on an object that has the following OpenDLAPaci
value
OpenLDAPaci: 0#entry#grant;r,c,s,d,x;[entry]#public#
OpenLDAPaci: 0#entry#grant;r,c,s,d,x;[all]#public#
(no superior object has a subtree OpenLDAPaci)
does not return the DN of the object, while doing the search without arguments
returns the DN.
According to my experiments, it looks like the Entry *e passed as argument to
dynacl_aci_mask()
does not have OpenLDAPaci in its e->e_attrs.
I wrote the patch ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
to verify my suspicions,
and it seems to help, although at the cost of abysmally bad performance.
I guess there are better ways to fix the issue (e.g. "auto-adding" OpenLDAPaci
to the attributes queried from the backend and stripping it before giving it
back to the client), but my knowledge of the internal workings of OpenLDAP is
too limited.