Full_Name: Michael Ströder
Version: RE24 6f33e2c
OS: Debian Squeeze
URL:
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)

This is tested with RE24 built for Debian Squeeze:

It seems that ACLs are not correctly evaluated when processing a search request if the assertion type is not requested in the search request.

Example:

access to dn.subtree="o=example" attrs=sambaNTPassword filter="(organizationalStatus=0)"
    by group="uid=samba_dc,o=example" write
    by group="cn=slapd Admins,ou=groups,o=example" =sw
    by self =w
    by * none

The following search correctly returns attribute sambaNTPassword of the entry:

ldapsearch -LLL -X "dn:uid=samba_dc,o=example" "(&(objectclass=sambaSamAccount)(uid=wtester))" organizationalStatus sambaNTPassword

But this search does not return sambaNTPassword:

ldapsearch -LLL -X "dn:uid=samba_dc,o=example" "(&(objectclass=sambaSamAccount)(uid=wtester))" sambaNTPassword

I cannot find any hint in slapd.access(5) that this is expected behaviour.
Sorry for the confusion caused by editing what I've copied from the real system before, which uses a group for several Samba DC instances. In this example the ACL part should be more simple, like this:

access to dn.subtree="o=example" attrs=sambaNTPassword filter="(organizationalStatus=0)"
    by dn.exact="uid=samba_dc,o=example" write
    by group="cn=slapd Admins,ou=groups,o=example" =sw
    by self =w
    by * none

Ciao, Michael.
Cannot reproduce on RedHat Linux, x86_64. But then, the info was rather brief. (E.g. which backend? Was that a per-backend or global ACL? Might some overlays or other access statements interfere?) Anyway, please provide a complete config and preferably LDIF which demonstrates the problem.
Hallvard B Furuseth wrote:
> Cannot reproduce on RedHat Linux, x86_64. But then, the info was
> rather brief. (E.g. which backend? Was that a per-backend or global
> ACL? Might some overlays or other access statements interfere?)
>
> Anyway, please provide a complete config and preferably LDIF which
> demonstrates the problem.

Thanks for looking at this. As usual this is a more complex customer setup with many ACLs and several overlays. I tried to provide a simple example but I also see that this does not show the issue on my local machine. I will try to strip down the complex config. But this will take a while.

Ciao, Michael.
changed state Open to Feedback moved from Incoming to Software Bugs
Try to put organizationalStatus in olcExtraAttrs aka extra_attrs. Though ITS#7422 says that does not always work either. The doc should mention extra_attrs in places like 'filter' in slapd.access(5), since people who don't read the entire config manpage may not know to look for this option otherwise.
Using extra_attrs would be a possible work-around (tested). Unfortunately it seems to trigger a seg fault in slapo-rwm in my setup which is hard to track down to a certain cause. slapd starts ok but quite soon a seg fault message is written to syslog. Just before the seg fault I see the usual search requests of sssd in the logs... Ciao, Michael.
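A minimal slapd.conf skeleton for the setup discussed in this thread, combining the reporter's ACL with the extra_attrs work-around suggested above. This is an added, constructed example and not the reporter's configuration; the schema paths, the mdb backend, the rootdn and the directory are assumptions.

```conf
# Constructed reproducer skeleton (not the reporter's real config).
# Assumed schema locations; samba.schema supplies sambaSamAccount and
# sambaNTPassword, cosine.schema supplies organizationalStatus.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema

# Assumed backend and paths.
database mdb
suffix "o=example"
rootdn "cn=Manager,o=example"
directory /var/lib/ldap

# Work-around from the thread: have slapd fetch organizationalStatus for
# every entry it evaluates, even when the client did not request it, so the
# filter="(organizationalStatus=0)" clause below can be evaluated during a
# search that only asks for sambaNTPassword.
extra_attrs organizationalStatus

# ACL from the thread: the NT hash is only reachable for entries whose
# organizationalStatus is 0, and only by the DC account, the admin group
# (search/write) and the entry itself (write, i.e. password change only).
access to dn.subtree="o=example" attrs=sambaNTPassword filter="(organizationalStatus=0)"
    by dn.exact="uid=samba_dc,o=example" write
    by group="cn=slapd Admins,ou=groups,o=example" =sw
    by self =w
    by * none

# Everything else stays readable so the searches in the thread can find
# the entry at all.
access to dn.subtree="o=example"
    by * read
```

With the entries loaded, `slapacl -f slapd.conf -D "uid=samba_dc,o=example" -b "uid=wtester,o=example" sambaNTPassword/read` checks the grant offline, but since slapacl evaluates against the complete stored entry it does not exercise the search-time path this report is about; comparing the two ldapsearch invocations from the original report remains the test for that.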