elecharny@apache.org wrote:
Full_Name: Emmanuel Lecharny
Version: 2.3.32
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.236.207.89)
When searching for entries using attributes to filter the result, you get all of the entries' attributes if you give a wrong attribute:
ldapsearch -h localhost -p 10389 -D "uid=Admin,ou=system" -w secret -b "dc=example,dc=com" -s sub "(objectClass=*)" 9.9.9
will correctly return only the DNs of all found entries, as if the 9.9.9 attribute was 1.1
but
ldapsearch -h localhost -p 10389 -D "uid=Admin,ou=system" -w secret -b "dc=example,dc=com" -s sub "(objectClass=*)" person
will return all of the entries' attributes, as if 'person' was substituted by "*"
Of course, 'person' is not an attribute, but an objectClass, but the user intent was to get only one single attribute value, so I don't think that returning everything is correct.
This is obviously not a serious issue.
This works as designed - requesting an objectclass means to request all of the attributes included in that objectclass. In current revisions we expect objectClass names to be prefixed with "@" but the original behavior is still supported for backward compatibility.
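A simplified model of the attribute-selection behaviour described in the reply above, added here as an example; it is not part of the original thread and not slapd's code. The schema subset (`person`, with the attributes RFC 4519 gives it), the sample entry and all function names are assumptions, and access controls are not modelled.

```python
# Simplified model of LDAP search attribute selection; not slapd code.
# Assumed schema subset: 'person' MUST/MAY attributes as in RFC 4519.
OBJECT_CLASSES = {
    "person": {"sn", "cn", "userpassword", "telephonenumber",
               "seealso", "description"},
}
KNOWN_ATTRIBUTES = OBJECT_CLASSES["person"] | {"objectclass", "mail", "uid"}

# Constructed sample entry (values are placeholders).
ENTRY = {
    "objectClass": ["person"],
    "cn": ["Alice Example"],
    "sn": ["Example"],
    "userPassword": ["{SSHA}constructed-placeholder"],
    "mail": ["alice@example.com"],
}

def resolve_selection(requested, legacy_bare_class=True):
    """Return (all_user_attrs, named_attrs) for a requested attribute list."""
    if not requested:                 # empty list: all user attributes
        return True, set()
    all_user, names = False, set()
    for item in requested:
        key = item.lower()
        if key == "*":
            all_user = True
        elif key == "1.1":            # "no attributes" marker adds nothing
            continue
        elif key.startswith("@"):     # "@class": every attribute of the class
            names |= OBJECT_CLASSES.get(key[1:], set())
        elif key in KNOWN_ATTRIBUTES:
            names.add(key)
        elif legacy_bare_class and key in OBJECT_CLASSES:
            names |= OBJECT_CLASSES[key]   # bare class name, old behaviour
        # anything else (e.g. "9.9.9") is unrecognized and ignored
    return all_user, names

def select(entry, requested, legacy_bare_class=True):
    """Attributes of `entry` that the requested list would return."""
    all_user, names = resolve_selection(requested, legacy_bare_class)
    return {k: v for k, v in entry.items() if all_user or k.lower() in names}

def audit(requested):
    """Items in a client's list that expand to more than one attribute."""
    return [r for r in requested
            if r == "*" or r.startswith("@")
            or (r.lower() in OBJECT_CLASSES and r.lower() not in KNOWN_ATTRIBUTES)]
```

Running `audit()` over the attribute lists an application sends shows where a single name silently widens the result set, which in this model includes `userPassword` for `person`.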