Re: search request not blocked by ACLs

[Quanah Gibson-Mount <quanah@symas.com>]

--On Tuesday, September 10, 2019 10:52 AM +0200 Manuela Mandache 
<manuela3mandache@gmail.com> wrote:
> E.g.:
>
> - there are three branches in the directory, ou=people,dc=example,dc=com,
> ou=dogs,dc=... and ou=carpets,...;
> - a user has read rights on ou=dogs and none on the two other branches;
> - this user makes a search with -b dc=example,dc=com and no filter.
> As far as I understand, the whole content is recovered, then the people
> and the carpets are dropped and only the dogs are returned.
> I expected the request to be parsed against the ACLs before performing
> the actual search in the directory, and so this search to be done only on
> ou=dogs.

Potential targets are gathered, and ACLs applied to those results for 
exclusion.

---Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>