https://bugs.openldap.org/show_bug.cgi?id=9592
Issue ID: 9592
Summary: recursion operator (*) for acl “sets” does not work as documented
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: grapvar@gmail.com
Target Milestone: ---
I have traced how slapd computes the recursion operator (*) in ACL “sets” and found out that it does not work as documented. IIUC, the reference documentation is:
“Sets in Access Controls” (http://www.openldap.org/faq/index.cgi?file=1133)
To make things simpler, I report the finding using the example provided by the documentation. Here it is:
entry "cn=Group" has attr "member" with values { "cn=User", "cn=Other" }
entry "cn=Group2" has attr "member" with values { "cn=Group", "cn=Person" }
The documentation claims that the expression
“[cn=Group2]/member*” resolves to { "cn=User", "cn=Other", "cn=Person" }
In fact, it resolves to { "cn=Group", "cn=User", "cn=Other", "cn=Person" }.
To generalize: all intermediate DNs persist in the set; that's how set_chase( closure = 1 ) works, and this doesn't look like how it's supposed to work.
Be advised, please, that this issue has been reported by an occasional visitor, from a developer's point of view, not a user's point of view, so I won't define, provide or construct any “valid use case”.
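The two results contrasted in the report, as a small Python model added here; it is not slapd's code or the FAQ's, and it is not part of the original report. The function names and the "leaf entries only" reading of the documented result are assumptions, and the directory is the report's two-entry example.

```python
# Constructed model of the report's example: DN -> values of its "member" attribute.
DIRECTORY = {
    "cn=Group": ["cn=User", "cn=Other"],
    "cn=Group2": ["cn=Group", "cn=Person"],
}


def member_closure(directory, start):
    """Reported behaviour: every DN reached while chasing "member" from
    `start`, intermediate group DNs included."""
    seen = set()
    pending = list(directory.get(start, []))
    while pending:
        dn = pending.pop()
        if dn in seen:
            continue  # already expanded; also stops on membership cycles
        seen.add(dn)
        pending.extend(directory.get(dn, []))
    return seen


def member_leaves(directory, start):
    """Documented result, read here (assumption) as: only DNs that have no
    "member" values of their own."""
    return {dn for dn in member_closure(directory, start) if not directory.get(dn)}


def intermediate_dns(directory, start):
    """DNs present in the reported result but absent from the documented one."""
    return member_closure(directory, start) - member_leaves(directory, start)


if __name__ == "__main__":
    for name, fn in (("reported", member_closure),
                     ("documented", member_leaves),
                     ("difference", intermediate_dns)):
        print(f"{name:>10}: {sorted(fn(DIRECTORY, 'cn=Group2'))}")
```

Run over an export of group entries, `intermediate_dns` lists the group DNs whose presence in a `member*` set differs between the two readings, which are the entries to review in ACLs that test membership in such a set.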