[Date Prev][Date Next] [Chronological] [Thread] [Top]

Access with filters fails to honor some valid filters (ITS#2495)

Full_Name: Quanah Gibson-Mount
Version: 2.1.18
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I have added the following ACL to my slapd.acl file:

access to dn.children="cn=people,dc=stanford,dc=edu"
filter=("suprivilegegroup=stanford:*") attr=uid,suprivilegegroup
by dn.base="uid=cadabra,cn=accounts,dc=stanford,dc=edu"
by * break

I know that the filter "suprivilegegroup=stanford:*" is a valid filter since I
can execute this from the command line without problem (note I've tried this
both with and without the ""'s).

However, when I access the server as cadabra:

BIND dn="uid=cadabra,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI (etc)

I see this from debug 5 in slapd:

bdb_cache_find_entry_id ( 182342 ) "SuRegID=8696e59cf61311d2a<etc>,
cn=People,dc=stanford,dc=edu" (found) (1 tries)
bdb_search: 182342 does not match filter
bdb_cache_return_entry_r ( 182342 ): returned 0

This is obviously incorrect... That entry does indeed match my filter:

ldapsearch uid=cadabra suprivilegegroup
suPrivilegeGroup: stanford:administrative