
(ITS#6513) dynacl/aci fails on searches with attributes



Full_Name: Peter Marschall
Version: 2.4.21
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
Submission from: (NULL) (94.217.135.20)


Hi,

Playing around with dynacl/aci a bit, I came across the following issue:

Searches that do not contain the attribute OpenLDAPaci in the list of attributes
queried omit objects.

E.g. doing a base search for 1.1 on an object that has the following OpenLDAPaci
values
  OpenLDAPaci: 0#entry#grant;r,c,s,d,x;[entry]#public#
  OpenLDAPaci: 0#entry#grant;r,c,s,d,x;[all]#public#
(no superior object has a subtree OpenLDAPaci)
does not return the DN of the object, while doing the search without arguments
returns the DN.

According to my experiments, it looks like the Entry *e passed as argument to
dynacl_aci_mask() does not have OpenLDAPaci in its e->e_attrs.
I wrote the patch ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
to verify my suspicions, and it seems to help, although at the cost of
abysmally bad performance.

I guess there are better ways to fix the issue (e.g. "auto-adding" OpenLDAPaci
to the attributes queried from the backend and stripping it before giving it
back to the client), but my knowledge of the internal workings of OpenLDAP is
too limited.
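
The approach suggested at the end of the report above (fetch OpenLDAPaci for access evaluation even when the client did not ask for it, then strip it from the result), sketched as a simplified C model. This is an added example, not part of the original report and not OpenLDAP code: the Attr/Entry types, fetch(), search(), has_attr() and the sample cn value are hypothetical, and ACI evaluation is reduced to checking that the attribute is present.

```c
/* Simplified model of the reported behaviour; NOT OpenLDAP source code.
   Every type and function name below is hypothetical. */
#include <string.h>

#define ACI_ATTR "OpenLDAPaci"
typedef struct { const char *name, *value; } Attr;
typedef struct { Attr attrs[8]; int n; } Entry;

/* Constructed sample entry carrying an ACI value quoted in the report. */
static const Entry stored = { {
    { "cn", "test" },
    { ACI_ATTR, "0#entry#grant;r,c,s,d,x;[entry]#public#" } }, 2 };

static int wanted(const char *name, const char **req, int nreq) {
    for (int i = 0; i < nreq; i++)
        if (strcmp(req[i], name) == 0) return 1;
    return 0;
}

int has_attr(const Entry *e, const char *name) {
    for (int i = 0; i < e->n; i++)
        if (strcmp(e->attrs[i].name, name) == 0) return 1;
    return 0;
}

/* Backend fetch: copies only the requested attributes; with add_aci set,
   the ACI attribute is added to the fetch list regardless. */
static Entry fetch(const char **req, int nreq, int add_aci) {
    Entry e = { .n = 0 };
    for (int i = 0; i < stored.n; i++) {
        const char *nm = stored.attrs[i].name;
        if (wanted(nm, req, nreq) || (add_aci && strcmp(nm, ACI_ATTR) == 0))
            e.attrs[e.n++] = stored.attrs[i];
    }
    return e;
}

/* Toy stand-in for ACI evaluation: the entry is visible only when the
   fetched copy still carries the ACI attribute. */
/* Returns 1 and fills *out when the entry would be returned, else 0. */
int search(const char **req, int nreq, int add_aci, Entry *out) {
    Entry e = fetch(req, nreq, add_aci);
    if (!has_attr(&e, ACI_ATTR)) return 0;   /* no ACI seen: entry omitted */
    out->n = 0;
    for (int i = 0; i < e.n; i++)            /* strip what was not requested */
        if (wanted(e.attrs[i].name, req, nreq))
            out->attrs[out->n++] = e.attrs[i];
    return 1;
}
```

With add_aci = 0 a request for 1.1 yields no entry, matching the report; with add_aci = 1 the entry is returned and OpenLDAPaci appears in the result only if the client requested it.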