Full_Name: Peter Marschall
Version: 2.4.21
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
Submission from: (NULL) (94.217.135.20)
Hi,
Playing around with dynacl/aci a bit, I came across the following issue:
Searches that do not contain the attribute OpenLDAPaci in the list of attributes queried omit objects.
dynacl/aci (like the original aci code it's based on) relies on the fact that the entry is complete. This is the case when the entry is stored locally, e.g. in back-bdb/hdb. Otherwise, no mechanism is in place to retrieve operational attributes. Please note that in the latter case, even ACL rules based on, say, createTimestamp or so would operate incorrectly.
My guess is that you're trying to use ACIs with a non-local storage. In that case your analysis is correct. Can you provide your (sanitized) configuration?
The "right" solution is much more general, not only related to dynacl. Slapd needs to know in advance what (operational) attributes are required for policy enforcing, and they need to be added to requested attrs when entries are collected from remote storage. Your patch seems to fix your specific need, but it is clearly inefficient.
Automatically detecting what attributes need to be added to requests for proxying sounds like overkill. Probably, a reasonable workaround could be to add a configuration directive that lists what attributes need to be added to requests. This directive should be honored by proxy backends and in general by all those backends that do not pass back complete entries to the frontend. In the case of proxy backends its use would be straightforward, since requested attrs need to be mapped anyway in the request. Adding some more would not be a big deal. Things might be a bit more complicated in the case of, say, special configurations like proxycache, where ACIs would need to be added to all attribute templates, and so on. Yet another reason to avoid ACIs :)
p.
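The following Python model, added to this ITS entry and not code from OpenLDAP or from either participant, illustrates the frontend/backend split the discussion turns on: a backend that, like a proxy, returns only the attributes it was asked for, and an access-control step that can only evaluate an OpenLDAPaci value it actually has. REMOTE_STORE, proxy_search, frontend_search and the POLICY_ATTRS set (standing in for the configuration directive suggested above, which does not exist) are all constructed for illustration; the ACI evaluator understands only a small subset of the real OpenLDAPaci syntax.

```python
from typing import Dict, FrozenSet, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample data: what the remote server behind a proxy backend holds,
# operational attributes included. Not real directory content.
REMOTE_STORE: Dict[str, Entry] = {
    "cn=alice,dc=example,dc=com": {
        "cn": ["alice"],
        "mail": ["alice@example.com"],
        "createTimestamp": ["20100401120000Z"],
        "OpenLDAPaci": ["1#entry#grant;r,s,c;[all]#access-id#cn=admin,dc=example,dc=com"],
    },
    "cn=bob,dc=example,dc=com": {
        "cn": ["bob"],
        "mail": ["bob@example.com"],
        "createTimestamp": ["20100402120000Z"],
        "OpenLDAPaci": ["1#entry#grant;r,s,c;[all]#access-id#cn=bob,dc=example,dc=com"],
    },
}

# Hypothetical equivalent of the configuration directive proposed in the thread:
# attributes the policy layer needs, to be added to every request sent on by a
# backend that does not return complete entries.
POLICY_ATTRS: FrozenSet[str] = frozenset({"OpenLDAPaci", "createTimestamp"})


def proxy_search(requested: FrozenSet[str]) -> List[Tuple[str, Entry]]:
    """Stand-in for a proxy backend (back-ldap style): the client's attribute
    list is forwarded as-is, so only those attributes come back. Nothing here
    knows that the frontend will later need OpenLDAPaci."""
    return [
        (dn, {attr: vals[:] for attr, vals in entry.items() if attr in requested})
        for dn, entry in REMOTE_STORE.items()
    ]


def aci_grants_read(entry: Entry, requester: str) -> bool:
    """Simplified OpenLDAPaci evaluation: scope 'entry', 'grant' containing the
    'r' right, subject type 'access-id' matching the requester's DN. An entry
    with no OpenLDAPaci value available grants nothing, which is exactly the
    incomplete-entry failure described in the report."""
    for aci in entry.get("OpenLDAPaci", []):
        parts = aci.split("#")
        if len(parts) != 5:
            continue  # not the oid#scope#rights#type#subject shape we model
        _oid, scope, rights, subj_type, subject = parts
        if scope != "entry":
            continue
        fields = rights.split(";")
        if len(fields) < 2 or fields[0] != "grant" or "r" not in fields[1].split(","):
            continue
        if subj_type == "access-id" and subject.lower() == requester.lower():
            return True
    return False


def frontend_search(requested: List[str], requester: str,
                    policy_attrs: FrozenSet[str] = frozenset()) -> List[str]:
    """Frontend behaviour: widen the attribute list with whatever the policy
    layer needs, collect entries from the backend, enforce the ACIs, and return
    the DNs the requester is allowed to see."""
    effective = frozenset(requested) | policy_attrs
    return [dn for dn, entry in proxy_search(effective)
            if aci_grants_read(entry, requester)]


if __name__ == "__main__":
    admin = "cn=admin,dc=example,dc=com"
    # Symptom from the report: OpenLDAPaci not requested, every entry is omitted.
    print(frontend_search(["cn", "mail"], admin))
    # Reporter's observation: naming the attribute explicitly makes entries appear.
    print(frontend_search(["cn", "mail", "OpenLDAPaci"], admin))
    # With the policy attributes added by the frontend, the client need not know.
    print(frontend_search(["cn", "mail"], admin, POLICY_ATTRS))
```

The same shape covers the createTimestamp remark: an ACL rule keyed on an operational attribute only behaves correctly if that attribute is in the effective request, which is why the set is driven by configuration rather than by what the client happened to ask for.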