https://bugs.openldap.org/show_bug.cgi?id=9800
Issue ID: 9800
Summary: ACL with set.expand in <who> clause does not work with deref control
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: michael@stroeder.com
Target Milestone: ---
This ACL returns correct values with a normal search requesting the attribute sudoUser:
access to dn.subtree="ou=ae-dir"
    attrs=sudoUser
    val.regex="^%(.+)$"
    by set.expand="(user/-1 | user/aeSrvGroup)/aeLoginGroups & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeGroup)(aeStatus=0)(cn=${v1}))]/entryDN" read
    by * none
But it does not work with a search like this using deref control:
ldapsearch -Q -E deref=aeVisibleSudoers:cn,sudoUser '(objectClass=aeSrvGroup)'
For completeness see docs and schema for aeSrvGroup:
https://www.ae-dir.com/docs.html#schema-oc-aeSrvGroup
https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/master/fil...
Quanah Gibson-Mount quanah@openldap.org changed:
What     |Removed       |Added
----------------------------------------------------------------------------
Keywords |needs_review  |
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
sets are not an officially supported part of OpenLDAP, patch welcome.