https://bugs.openldap.org/show_bug.cgi?id=9664
Issue ID: 9664
Summary: Hiding namingContexts in the root DSE, when these are not in small letters
Product: OpenLDAP
Version: 2.5.6
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---

Below are the ACLs for the frontend database. They are supposed to hide the cn=krbconfig from the namingContexts on the root DSE.

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none
olcAccess: to dn.base="" attrs=namingContexts val="cn=krbcontainer" by * none
olcAccess: to dn.exact="" by * read

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 10485760
olcSuffix: cn=krbcontainer
olcRootDN: uid=zzz,cn=krbcontainer
olcRootPW: zzz
olcDbDirectory: ldap/uuu
olcDbIndex: objectClass eq
olcAccess: to dn.sub="cn=krbContainer" by * read

It does work!
However, if I change the case (container ⇒ Container):

olcSuffix: cn=krbContainer

no matter how I set olcAccess in the frontend database,

$ ldapsearch -xb "" -s base namingContexts

always prints

dn:
namingContexts: cn=krbContainer

In particular
olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none
does not hide it.
It shall be possible to find olcSuffix from the DSE/namingContexts, even if the suffix is mixed-case.
Since the case is known at the time when the rules are written, OpenLDAP shall offer an option for exact match, without converting data to lowercase (as shown by slapd -d -1).
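
A regression check for the behaviour reported above, as an added example that is not part of the original report or of OpenLDAP: it reads the root DSE output of ldapsearch and reports any namingContexts value equal to a suffix that should be hidden, ignoring case. The function name leaked_contexts, the simplified DN normalization and the dc=example,dc=org sample line are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: detect suffixes that the root DSE still advertises although
# an ACL is meant to hide them. The comparison ignores case, so it catches
# the mixed-case olcSuffix situation described in the report.

# Constructed sample: the first two lines are the output quoted in the report,
# the third is an invented extra suffix that is allowed to be visible.
SAMPLE_DSE='dn:
namingContexts: cn=krbContainer
namingContexts: dc=example,dc=org'

# leaked_contexts HIDDEN_SUFFIX... < ldif
# Prints every namingContexts value matching one of the given suffixes.
# Returns 0 when nothing is visible, 1 when at least one suffix leaked.
# Limits: suffixes must not contain "|"; base64 values (attr::) and folded
# lines are not decoded, so run ldapsearch with -o ldif-wrap=no.
leaked_contexts() {
    (
        IFS='|'
        awk -v hidden="$*" '
            # Simplified DN normalization (assumption): lowercase and drop
            # blanks around "," and "=". Not a full RFC 4514 implementation.
            function norm(dn) {
                dn = tolower(dn)
                gsub(/[ \t]*,[ \t]*/, ",", dn)
                gsub(/[ \t]*=[ \t]*/, "=", dn)
                sub(/^[ \t]+/, "", dn); sub(/[ \t]+$/, "", dn)
                return dn
            }
            BEGIN {
                n = split(hidden, h, "|")
                for (i = 1; i <= n; i++) want[norm(h[i])] = 1
            }
            tolower($0) ~ /^namingcontexts:[^:]/ {
                v = $0
                sub(/^[^:]*:[ \t]*/, "", v)
                if (norm(v) in want) { print v; bad = 1 }
            }
            END { exit bad }
        '
    )
}

# Demo on the constructed sample. Against a live server:
#   ldapsearch -x -LLL -o ldif-wrap=no -b "" -s base namingContexts \
#       | leaked_contexts cn=krbcontainer
printf '%s\n' "$SAMPLE_DSE" | leaked_contexts cn=krbcontainer \
    || echo "leak: hidden suffix is visible in the root DSE" >&2
```
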