
Re: (ITS#6513) dynacl/aci fails on searches with attributes



> Full_Name: Peter Marschall
> Version: 2.4.21
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
> Submission from: (NULL) (94.217.135.20)
>
>
> Hi,
>
> Playing around with dynacl/aci a bit I came across the following issue:
>
> Searches that do not contain the attribute OpenLDAPaci in the list of
> attributes queried omit objects.

dynacl/aci (as the original aci code it's based on) relies on the fact
that the entry is complete.  This is the case when the entry is stored
locally, e.g. in back-bdb/hdb.  Otherwise, no mechanism is in place to
retrieve operational attributes.  Please note that in the latter case,
even ACL rules based on, say, createTimestamp or so would operate
incorrectly.

My guess is that you're trying to use ACIs with a non-local storage.  In
that case your analysis is correct.  Can you provide your (sanitized)
configuration?

The "right" solution is much more general, not only related to dynacl.
Slapd needs to know in advance what (operational) attributes are required
for policy enforcing, and they need to be added to requested attrs when
entries are collected from remote storage.  Your patch seems to fix your
specific need, but it is clearly inefficient.

p.