[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6584) dynlist group expansion doesn't use internal serach

Full_Name: Quanah Gibson-Mount
Version: 2.4.22
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

When dynlist expands the group membership from a URI statement, it applies the
bind identity to the search to expand it.  This does not conform to the dyngroup
behavior as was requested.

Instead, dynlist should allow expansion by doing an internal search on the
specified URI value, so that the binding identity is not required to have
"compare" access on the attributes making up the query.  This was implemented in
dyngroup for security purposes, and those reasons still apply.