[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6513) dynacl/aci fails on searches with attributes

Full_Name: Peter Marschall
Version: 2.4.21
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
Submission from: (NULL) (


Playing around with dynacl/aci a bit I cam across the following issue:

Searches that do not contain the attribute OpenLDAPaci in the list of attribues
queried, omit objects.

E.g. doing a base search for 1.1 on an object that has the following OpenDLAPaci
  OpenLDAPaci: 0#entry#grant;r,c,s,d,x;[entry]#public#
  OpenLDAPaci: 0#entry#grant;r,c,s,d,x;[all]#public#
(no superior object has a subtree OpenLDAPaci)
does not return the DN of the object, while doing the search without arguments
returns the DN.

According to my experiments, it looks like the Entry *e passed as argument to
does not have OpenLDAPaci in its e->e_attrs.
I wrote the patch ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
to verify my suspicions,
and it seems to help, although at the cost of abysmally bad performance.

I guess there are better ways to fix the issue (e.g. "auto-adding" OpenLDAPaci
to the attributes queried from the backend and stripping it before giving it
back to the client), but my knowledge of the internal workings of OpenLDAP is
too limited.