What is difference between basic search and search fired by ACL check.
- To: openldap-technical@openldap.org
- Subject: What is difference between basic search and search fired by ACL check.
- From: Tio Teath <tioteath@gmail.com>
- Date: Mon, 11 Feb 2013 16:21:16 +0200
I'm trying to set up a set ACL via an LDAP proxy with a proxy cache.
The problem is that the proxy cache is not used during ACL checking.
For example, I have the following ACL on the local database:
olcAccess: {0}to * by self write by set="[cn=test2,ou=group,dc=remote]/member & user" write by anonymous auth by * none
And on the remote LDAP server I have the following entry:
dn: cn=test2,ou=group,dc=remote
objectClass: groupOfNames
member: uid=user,ou=user,dc=local
member: uid=j_doe,ou=people,dc=remote
The proxy cache works perfectly when fired by a basic search request; I can
see it in the debug log. But when the search is fired by an ACL check (i.e.
a search for a local entry which is handled by the set ACL), the proxy cache is
completely ignored. I am sure about that, because I have added a
'Debug( pcache_debug ...' entry in every function in
servers/slapd/overlays/pcache.c and could not see any of them in the
trace output during the ACL check, while I could see them perfectly during a
basic search.
Here are the log entries from the remote server for the cache search (1) and
the ACL search (2):
1)
5118f601 conn=1003 op=1 SRCH base="cn=test2,ou=group,dc=remote" scope=2 deref=0 filter="(objectClass=*)"
5118f601 conn=1003 op=1 SRCH attr=member objectClass
2)
5118f706 conn=1000 op=1 SRCH base="cn=test2,ou=group,dc=remote" scope=0 deref=0 filter="(objectClass=*)"
5118f706 conn=1000 op=1 SRCH attr=member
For (1), it seems the search is fired by pcache itself, hence attr=member
objectClass. A proper search request, fired by myself, does not
contain objectClass in the requested attribute list.
I have not managed to find the place in the code where the search is
fired by the ACL; it seems to be servers/slapd/overlays/sets.c, but there is
no direct search invocation there.
Could you please give me a clue how to fix this issue?
P.S.
I have googled and found this post:
http://www.openldap.org/lists/openldap-devel/200908/msg00018.html.
It seems to be somehow related to the issue, only in my case the entry is
not in hand.
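To make the mechanism the post describes concrete, here is an added Python example (not OpenLDAP code, and not the poster's): a simplified model of how the olcAccess clause above is evaluated for a bound user. The set clause [cn=test2,ou=group,dc=remote]/member & user can only be decided by reading the group entry's member attribute, which is exactly the scope=0, attr=member request seen in log (2); the model records that read so the difference from pcache's own scope=2 attr=member objectClass search (log (1)) is visible. The Directory class, its search-log format, the clause walker and the sample DNs are assumptions made for illustration; the group entry is the one quoted in the post.

```python
import re

# Constructed sample: the group entry quoted in the post, as LDIF text.
GROUP_LDIF = """dn: cn=test2,ou=group,dc=remote
objectClass: groupOfNames
member: uid=user,ou=user,dc=local
member: uid=j_doe,ou=people,dc=remote
"""

# The 'by' clauses of the post's olcAccess, in order (who, [set expression], access level).
ACL_CLAUSES = [
    ("self", "write"),
    ("set", "[cn=test2,ou=group,dc=remote]/member & user", "write"),
    ("anonymous", "auth"),
    ("*", "none"),
]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]} (simplified: no folded lines, no base64)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison form for a DN (simplified, assumption)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class Directory:
    """Toy directory keyed by normalized DN; logs every base-scope read the ACL evaluation makes."""

    def __init__(self, entries):
        self.entries = {normalize_dn(e["dn"][0]): e for e in entries}
        self.search_log = []

    def search_base(self, dn, attrs):
        # Models the internal read a set ACL needs: scope=0 on the referenced DN, only the named attrs.
        self.search_log.append('SRCH base="%s" scope=0 attrs=%s' % (dn, " ".join(attrs)))
        entry = self.entries.get(normalize_dn(dn))
        if entry is None:
            return None
        return {a: entry.get(a.lower(), []) for a in attrs}


# Only the shape used in the post is supported: "[<dn>]/<attr> & user".
SET_RE = re.compile(r"^\[(?P<dn>[^\]]+)\]/(?P<attr>\w+)\s*&\s*user$")


def set_acl_grants(directory, set_expr, user_dn):
    """True when user_dn is one of the <attr> values of <dn>, i.e. the set intersection is non-empty."""
    m = SET_RE.match(set_expr)
    if not m:
        raise ValueError("unsupported set expression: %s" % set_expr)
    result = directory.search_base(m["dn"], [m["attr"]])
    if result is None:
        return False  # referenced entry missing: the set is empty, so no grant
    members = {normalize_dn(v) for v in result[m["attr"]]}
    return normalize_dn(user_dn) in members


def access_for(directory, target_dn, bound_dn):
    """Walk the 'by' clauses in order; the first matching clause decides (simplified model of slapd ACL evaluation)."""
    for who, *rest in ACL_CLAUSES:
        level = rest[-1]
        if who == "self" and bound_dn and normalize_dn(bound_dn) == normalize_dn(target_dn):
            return level
        if who == "set" and bound_dn and set_acl_grants(directory, rest[0], bound_dn):
            return level
        if who == "anonymous" and not bound_dn:
            return level
        if who == "*":
            return level
    return "none"


if __name__ == "__main__":
    d = Directory([parse_ldif_entry(GROUP_LDIF)])
    target = "uid=other,ou=user,dc=local"
    for bound in ("uid=user,ou=user,dc=local", "uid=nobody,ou=user,dc=local", None):
        print(bound, "->", access_for(d, target, bound))
    for line in d.search_log:
        print("ACL-driven read:", line)
```

Because the walker stops at the first matching clause, a user accessing their own entry is granted by "self" and never triggers the group read; only users who are not "self" cause the base-scope read of cn=test2, which is the request a proxy cache in front of the remote server would have to recognise to be of any use during ACL evaluation.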