Full_Name: Michael Ströder
Version: RE24 6f33e2c
OS: Debian Squeeze
URL:
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
This was tested with RE24 built for Debian Squeeze. It seems that ACLs are not correctly evaluated when processing a search request if the assertion type is not requested in the search request.
Example:
access to dn.subtree="o=example"
    attrs=sambaNTPassword
    filter="(organizationalStatus=0)"
    by group="uid=samba_dc,o=example" write
    by group="cn=slapd Admins,ou=groups,o=example" =sw
    by self =w
    by * none
The following search correctly returns attribute sambaNTPassword of the entry:
ldapsearch -LLL -X "dn:uid=samba_dc,o=example" "(&(objectclass=sambaSamAccount)(uid=wtester))" organizationalStatus sambaNTPassword
But this search does not return sambaNTPassword:
ldapsearch -LLL -X "dn:uid=samba_dc,o=example" "(&(objectclass=sambaSamAccount)(uid=wtester))" sambaNTPassword
I cannot find any hint in slapd.access(5) that this is expected behaviour.
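The two searches in the report can be turned into a regression check: this added script (not part of the report or of OpenLDAP) parses the LDIF output of both ldapsearch invocations and lists entries whose sambaNTPassword is visible only when organizationalStatus is also requested. The DN, the hash value and the LDIF text below are constructed samples.

```python
import base64
from typing import Dict, List


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse `ldapsearch -LLL` output into entries keyed by lower-cased attribute name."""
    lines: List[str] = []
    for raw in text.splitlines():          # unfold continuation lines (leading space)
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():               # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def visible_in(ldif_text: str, attr: str) -> Dict[str, bool]:
    """Map each returned DN to whether `attr` was present in that entry."""
    return {e["dn"][0]: attr.lower() in e for e in parse_ldif(ldif_text)}


def filter_acl_regression(with_assertion: str, without_assertion: str, attr: str) -> List[str]:
    """DNs for which `attr` is returned only when the filter's assertion type was also
    requested; an empty list means both searches were subject to the same ACL decision."""
    seen = visible_in(with_assertion, attr)
    hidden = visible_in(without_assertion, attr)
    return sorted(dn for dn, ok in seen.items() if ok and not hidden.get(dn, False))


# Constructed sample output of the two searches in the report (dummy DN and dummy hash).
WITH_STATUS = """dn: uid=wtester,ou=users,o=example
organizationalStatus: 0
sambaNTPassword: 00000000000000000000000000000000

"""
WITHOUT_STATUS = """dn: uid=wtester,ou=users,o=example

"""
```

Feed it the real output of both searches; any DN it lists is an entry whose attribute visibility depends on the requested attribute list rather than on the ACL alone.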