Below are the ACLs for the frontend database. They are supposed to hide cn=krbcontainer from the namingContexts attribute on the root DSE.

    dn: olcDatabase=frontend,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcFrontendConfig
    olcDatabase: frontend
    #olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none
    olcAccess: to dn.base="" attrs=namingContexts val="cn=krbcontainer" by * none
    olcAccess: to dn.exact="" by * read

    dn: olcDatabase=mdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcMdbConfig
    olcDatabase: mdb
    olcDbMaxSize: 10485760
    olcSuffix: cn=krbcontainer
    olcRootDN: uid=zzz,cn=krbcontainer
    olcRootPW: zzz
    olcDbDirectory: ldap/uuu
    olcDbIndex: objectClass eq
    olcAccess: to dn.sub="cn=krbContainer" by * read

It does work! However, if I change the case (container ⇒ Container):

    olcSuffix: cn=krbContainer

then no matter how I set olcAccess in the frontend database,

    $ ldapsearch -xb "" -s base namingContexts

always prints

    dn:
    namingContexts: cn=krbContainer

In particular

    olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none

does not hide it.

• It shall be possible to find olcSuffix from the DSE/namingContexts, even if the suffix is mixed-case. Since the case is known at the time the rules are written, OpenLDAP shall offer an option for exact match, without converting data to lowercase (as shown by slapd -d -1).
https://git.openldap.org/openldap/openldap/-/merge_requests/401
• 2958925c by Ondřej Kuzník at 2021-09-09T10:26:06+01:00
  ITS#9664 Add normalised suffix into rootDSE for ACL, etc.

RE26:
• 5eba9264 by Ondřej Kuzník at 2021-09-14T16:17:29+00:00
  ITS#9664 Add normalised suffix into rootDSE for ACL, etc.

RE25:
• c0ccd606 by Ondřej Kuzník at 2021-09-14T16:17:46+00:00
  ITS#9664 Add normalised suffix into rootDSE for ACL, etc.
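The following is an added illustration, not OpenLDAP code and not part of this ITS. It models the two ways an olcAccess "val=" clause on namingContexts can be compared against the suffix the root DSE advertises: as a raw string, or after both sides are DN-normalised in the spirit of distinguishedNameMatch (the direction the commit title "Add normalised suffix into rootDSE for ACL" points to). The normalisation is deliberately simplified (every value is treated as caseIgnore, as cn is); the ValueAcl class, parse_value_acl and visible_naming_contexts are hypothetical helpers for this example only. It shows why a mixed-case olcSuffix slips past a raw comparison and is hidden once normalised values are compared.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical parser for the "olcAccess: to dn.base="" attrs=<attr> val[/<rule>]="<v>" by * <access>"
# shape used in the report above. Real slapd ACL syntax is far richer; this only covers that form.
ACL_RE = re.compile(
    r'^olcAccess:\s*to\s+dn\.base=""\s+attrs=(?P<attr>\w+)\s+'
    r'val(?:/(?P<rule>\w+))?="(?P<val>[^"]*)"\s+by\s+\*\s+(?P<access>\w+)\s*$'
)


@dataclass
class ValueAcl:
    attr: str                    # attribute the rule applies to, e.g. "namingContexts"
    value: str                   # the val="..." pattern as written in the config
    matching_rule: Optional[str] # None = raw string equality, "distinguishedNameMatch" = normalised
    access: str                  # access granted to "*" when the rule matches, e.g. "none"


def parse_value_acl(line: str) -> ValueAcl:
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported olcAccess line: {line!r}")
    return ValueAcl(m["attr"], m["val"], m["rule"], m["access"])


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation: lower-case attribute types, strip whitespace
    around '=' and ',', and lower-case values (treating them like caseIgnore
    attributes such as cn). Real LDAP normalisation is per attribute syntax."""
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"bad RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def acl_matches(acl: ValueAcl, attr: str, value: str) -> bool:
    """Does this value-based rule apply to the given attribute value?"""
    if acl.attr.lower() != attr.lower():
        return False
    if acl.matching_rule == "distinguishedNameMatch":
        # Both sides normalised: case differences in the suffix no longer matter.
        return normalize_dn(acl.value) == normalize_dn(value)
    # Raw comparison: "cn=krbcontainer" != "cn=krbContainer".
    return acl.value == value


def visible_naming_contexts(acls: List[ValueAcl], naming_contexts: List[str]) -> List[str]:
    """Values of namingContexts an anonymous client would see: the first matching
    rule decides; a value no rule matches falls through to a default of read."""
    visible = []
    for ctx in naming_contexts:
        access = "read"
        for acl in acls:
            if acl_matches(acl, "namingContexts", ctx):
                access = acl.access
                break
        if access != "none":
            visible.append(ctx)
    return visible


if __name__ == "__main__":
    # Constructed inputs mirroring the report: the two rule variants and both suffix spellings.
    raw_rule = parse_value_acl('olcAccess: to dn.base="" attrs=namingContexts val="cn=krbcontainer" by * none')
    dn_rule = parse_value_acl('olcAccess: to dn.base="" attrs=namingContexts '
                              'val/distinguishedNameMatch="cn=krbcontainer" by * none')
    for suffix in ("cn=krbcontainer", "cn=krbContainer"):
        print(f"{suffix:18s} raw val=  -> visible: {visible_naming_contexts([raw_rule], [suffix])}")
        print(f"{suffix:18s} normalised -> visible: {visible_naming_contexts([dn_rule], [suffix])}")
```

The check a defender would run against a real server is the reporter's own `ldapsearch -xb "" -s base namingContexts` as an anonymous bind: whatever the ACL is meant to do, the advertised suffix is only hidden if that query returns no namingContexts value.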