Re: (ITS#6513) dynacl/aci fails on searches with attributes

[masarati@aero.polimi.it]

> --Boundary-00=_glFxL04kLcJl7l6
> Content-Type: Text/Plain;
>   charset="iso-8859-15"
> Content-Transfer-Encoding: quoted-printable
>
> Thanks for your quick answer Pierangelo,
>
> On Monday, 12. April 2010, masarati@aero.polimi.it wrote:
>> > [...]
>> > My guess is that you're trying to use ACIs with a non-local storage.
>> In
>> > that case your analysis is correct.  Can you provide your (sanitized)
>> > configuration?
>
> I am using a local hdb backend.
>
> In order to generate a minimal test case I found out, that it seems to
> be=20
> related to the rwm overlay.
>
> Although I have set rwm-rewriteEngine to off, rwm seems to be partially=20
> active.
> Commenting out the rwm directives completely makes the searches work as=20
> expected.
>
> Please find attached a testcase with slapd.conf and ldif data.
> To experience the issue simply perform a search with e.g. attribute 1.1 as
> =
> one=20
> of the users in the data.
> Then comment the rwm-... lines in slapd.conf, restart slapd and try again.
> Voil=E0 the difference.

I see.  probably, a relatively "quick" fix would be to allow to define a
list of attributes, specific for a database, that is available to all
implementations that need to muck with requested attrs (e.g. slapd-ldap,
slapd-meta, slapo-rwm).  They are supposed to be added to the list of
requested attrs whenever appropriate.  It's up to the administrato to keep
it updated with everything that may be needed by special features like
ACI.  Something like

required_attrs OpenLDAPACI

In the future, we might be able to figure out a clever way to self-detect
what attributes need to be treated this way.  I'll work at that, time
permitting.

Thanks for reporting.  p.