
ACI not matching attributes properly (ITS#1383)
Full_Name: Kevin McCarthy
Version: 2.0.15
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (63.149.158.90)

ACI is only working atomically per object and not per attribute.

Here is an example.

Goal 1: allow group 2, 3 full access to matched DN
Goal 2: allow group 1 to only read cn, member attributes

access.conf file:
access to dn="(.*),ou=groups,o=(.*),o=our_company"
         by aci                   write
         by *                     auth

ACI info:
  OpenLDAPaci: 1.2.3#entry#grant;r,s;cn,member#group#cn=group1...
  OpenLDAPaci: 1.2.3#entry#grant;r,w;[all];#group#cn=group2...
  OpenLDAPaci: 1.2.3#entry#grant;r,w;[all];#group#cn=group3...

Groups 2 and 3 do in fact get full access, but group 1 has no access whatsoever.
After consulting the author (Mark Valence), line 1 was rewritten in the following
ways:

rewrite1: separate attributes so that each directive had only 1 attr:
  OpenLDAPaci: 1.2.3#entry#grant;r,s;cn#group#cn=group1...
  OpenLDAPaci: 1.2.3#entry#grant;r,s;member#group#cn=group1...

rewrite2: re-specify perms for each attribute:
  OpenLDAPaci: 1.2.3#entry#grant;r,s;cn;r,s;member#group#cn=group1...

rewrite3: add '$' between directives:
  OpenLDAPaci: 1.2.3#entry#grant;r,s;cn$grant;r,s;member#group#cn=group1...

After all these failed, I tried to grant [all] then prune attributes.
   OpenLDAPaci: 1.2.3#entry#grant;r,s;[all];;objectclass#group#cn=group1...

This DID grant r,s to [all] but failed to remove r,s from 'objectclass' as it
was included in the result set.

Similar rewrites were done to try to remove attributes from [all] and all
failed.

My feeling is that no per-attribute directives are functioning properly, but the
[all] case works fine.

Kevin
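The rewrites in this report all hinge on how the rights field of an OpenLDAPaci value is split into action / permissions / attribute groups. The Python below is an added example, not code from the report or from OpenLDAP. It assumes the clause grammar documented for OpenLDAPaci in later slapd.access(5) and the slapd aci code: clauses separated by `$`, each clause `action;perms;attrs[;perms;attrs...]`, with `perms` drawn from `r w s c x` and `attrs` a comma list of attribute types or `[all]` / `[entry]`. It further assumes that an attribute collects the rights of every perms/attrs pair naming it or naming `[all]`, and that deny bits override grant bits. It does not reproduce the 2.0.15 behaviour the report describes; it shows what the documented grammar yields for each form above, including why `grant;r,s;[all];;objectclass` still leaves `objectclass` readable (an empty perms item adds nothing, and `[all]` keeps applying) and how a `deny` clause withholds an attribute instead. The subject DN in the sample is constructed, since the report's DNs are truncated.

```python
"""Evaluate the rights field of an OpenLDAPaci value per attribute type.

Added example; not from the ITS report or from OpenLDAP's own sources.
Assumed grammar (later documented for OpenLDAPaci in slapd.access(5)):
    aci    := oid '#' scope '#' rights '#' subject-type '#' subject
    rights := clause ( '$' clause )*
    clause := action ';' perms ';' attrs ( ';' perms ';' attrs )*
    action := 'grant' | 'deny'
    perms  := comma-separated letters from r w s c x
    attrs  := comma-separated attribute types, '[all]' or '[entry]'
Assumed semantics: an attribute collects the perms of every pair that names
it or names '[all]'; deny bits are removed from grant bits.
"""

PERMS = "rwscx"  # read, write, search, compare, auth


def parse_aci(aci):
    """Split an OpenLDAPaci value into its five '#'-separated fields."""
    fields = aci.split("#")
    if len(fields) != 5:
        raise ValueError("expected oid#scope#rights#type#subject, got %r" % aci)
    oid, scope, rights, subject_type, subject = fields
    return {"oid": oid, "scope": scope, "rights": rights,
            "type": subject_type, "subject": subject}


def parse_rights(rights):
    """Return [(action, [(perm_set, attr_set), ...]), ...] for a rights field.

    A trailing perms item with no attrs item is dropped, mirroring the
    lenient pairwise field walk assumed for the slapd parser.
    """
    clauses = []
    for clause in rights.split("$"):
        parts = clause.split(";")
        action = parts[0].strip().lower()
        if action not in ("grant", "deny"):
            raise ValueError("unknown action %r in %r" % (parts[0], clause))
        items = parts[1:]
        pairs = []
        for i in range(0, len(items) - 1, 2):
            perms = {p.strip().lower() for p in items[i].split(",") if p.strip()}
            bad = perms - set(PERMS)
            if bad:
                raise ValueError("unknown permission letters %s" % sorted(bad))
            attrs = {a.strip().lower() for a in items[i + 1].split(",") if a.strip()}
            pairs.append((perms, attrs))
        clauses.append((action, pairs))
    return clauses


def rights_for(rights, attr):
    """Collect (granted, denied) permission letters for one attribute type."""
    granted, denied = set(), set()
    attr = attr.lower()
    for action, pairs in parse_rights(rights):
        bucket = granted if action == "grant" else denied
        for perms, attrs in pairs:
            if attr in attrs or "[all]" in attrs:
                bucket |= perms
    return granted, denied


def effective(rights, attr):
    """Net rights as a sorted string such as 'rs'; deny bits win over grant bits."""
    granted, denied = rights_for(rights, attr)
    return "".join(sorted(granted - denied))


if __name__ == "__main__":
    # Constructed subject DN; the report's own values are truncated ("cn=group1...").
    aci = "1.2.3#entry#grant;r,s;cn,member#group#cn=group1,ou=groups,o=example"
    print(parse_aci(aci))
    cases = {
        "original":  "grant;r,s;cn,member",
        "rewrite2":  "grant;r,s;cn;r,s;member",
        "rewrite3":  "grant;r,s;cn$grant;r,s;member",
        "prune":     "grant;r,s;[all];;objectclass",   # [all] still covers objectclass
        "deny form": "grant;r,s;[all]$deny;r,s;objectclass",
    }
    for name, r in cases.items():
        print(name, {a: effective(r, a) for a in ("cn", "member", "objectclass")})
```

Under the assumed grammar the original line, rewrite2 and rewrite3 all give `cn` and `member` read/search and nothing to `objectclass`; the "prune" form keeps `objectclass` at `rs` because the empty perms item adds nothing while `[all]` still matches, which is consistent with what the report observed for that form. Withholding an attribute from an `[all]` grant needs an explicit `deny` clause, as the last case shows.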