--Boundary-00=_glFxL04kLcJl7l6 Content-Type: Text/Plain; charset="iso-8859-15" Content-Transfer-Encoding: quoted-printable

Thanks for your quick answer Pierangelo,

On Monday, 12. April 2010, masarati@aero.polimi.it wrote:

...

[...] My guess is that you're trying to use ACIs with a non-local storage. In that case your analysis is correct. Can you provide your (sanitized) configuration?

I am using a local hdb backend.

In order to generate a minimal test case I found out, that it seems to be=20 related to the rwm overlay.

Although I have set rwm-rewriteEngine to off, rwm seems to be partially=20 active. Commenting out the rwm directives completely makes the searches work as=20 expected.

Please find attached a testcase with slapd.conf and ldif data. To experience the issue simply perform a search with e.g. attribute 1.1 as = one=20 of the users in the data. Then comment the rwm-... lines in slapd.conf, restart slapd and try again. Voil=E0 the difference.

...

[...]

=20 Automatically detecting what attributes need to be added to requests for proxying sounds like an overkill. Probably, a reasonable workaround could be to add a configuration directive that lists what attributes need to be added to requests. This directive should be honored by proxy backends and in general by all those backends that do not pass back complete entries to the frontend. In the case of proxy backends its use would be straightforward, since requested attrs need to be mapped anyway in the request. Adding some more would not be a big deal. =20

That would be absolutely sufficient for me.

Things might be a bit more complicated in case of, say, special configurations like proxycache, where ACIs would need to be added to all attribute templates, and so. Yet another reason to avoid ACIs :)

As much as I'd like to, but I fear I can't. I am trying to migrate from a non-OpenLDAP directory solution with a comple= x=20 permission structure in in-tree ACLs to OpenLDAP. Unfortunately the permissions are set up in a way that do not let them writ= e=20 as a short list of ACLs. Changing the permission structure is not possible as lots of applications=20 depend on it.

=2D-=20 Peter Marschall peter@adpm.de

--Boundary-00=_glFxL04kLcJl7l6 Content-Type: application/x-compressed-tar; name="testcase.tgz" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="testcase.tgz"

H4sIAOZWxEsAA+1YbW/jNgzuV/tXCMkBa3duXtz0CqQItq7JDTcc0sOKfjp0gyzJiTZH8iS5Sfbr R8mOm+SSJn1bN8AEAtsUxYekSJqOTnBKG0SK+ODVqAX0odOy1/bZqbsCI8yvrVYHFg/a7ZMP7dZp q3MG/HZ42jo9QK3XM+meMm2wQuhggpUmY5xukwOx+BVj9FZUR01mSDOhOG3qMhfQ8TG6Spn43L/4 giaYC6SZumMK2UU+yhQ2XAoU84T5fh1xQZKMsg2riM0MExoedYAgvmyC4abRaPjFHm8J3i03iVSs kd8/JKS52C0GMkaqUcqUlmIhDQZPx0wxRCUyY4ZUJgyfMGevRiPpp5zae89r3mHVhOU8MkV8YNXH aqSdyEYJu2pREjkacTFChzVIHqNriGsUS4XsE9eGE33kg0zC7ljiORF0cfnZ7lQMU4QJYTrfgcU8 knSOjERKStO/HgCLouvcoVzQM9KjosFmmJhereZ70dz73mnaKEBEL4/HiqTD1kZxYvgdhIaPxmAV wMroD0bMZYLBImxAIMoMQzJGOEmKRb2EY0V0b2mTA1lBv6ATLgLZM4BXgyQTeMScVAa5pnNz7CMW UswnMgPczIy3W2i3fQGkqVR0l2HLsg5EsyRGvensEWau2ZUHEXiuItYDp6FG0OBq2OgPVk9DZ5FR jPVqBcIjDKBzgUnSxISjqeKGrZkQYfInE7QpoW4TPEcTSTOb4Hmo/PwxxWbsNTOtmgmP8tIpVhKJ qWd1/D6m0TJPTSc+6H8ZAjspNjjCGsqRxVxw2zr0i6n3F9o964WrfGyg8G0coPT7P9meZWyDOzQy RZHCAopC2/yx6/ZojnydxTGfeV55RusdpHRh0UJAm2VzBUcvFcQe3jLQCqHoj/ySmzePMu5WtdWM 7XmDJHRRqb7ToAVahRhlXI8ZRQJDp7K1ny7S1zYEKsC69VxxK+nU80pR0P5JUE7yLLB93boO7ZOy mZcnKrHFGjBh1Pzyepjf3Nx86nse+6sQJCLQIhhB9YkhWBOAniSQgcycjKtPl4+oyLwuIKUIyaz3 9bfg9n1hHrImoPzeLyQ9l1zwOy5UDAQ0UObJOF7mXsKRwXvFg4TBWWKWl37NbN+uHTbeB0c/AOKh gzwK1sDf1VDtXRuY78Kysmrd2iYQzbAi4488MUxtXx/YOPWHD5myAX8f5AtoWP0hdDOONdoKttgz wQbyl+6/QbGYKYWTHOYhCViFsx1cffTfemap6OXItq5GQvlrjrb5/N/ZOv93OmeL+T/sdNp2/j9p n1Tz/79Bdei8djzvoja8LOGy6Mj3b4MudOp0lQEzNRb8bzfn+xIE7JbFBwMMJF3UqrtXR30Eb1Rz rgIS6IAGs/Ovjn1bT7Mo4aReYGY9mPrTdvBocJxkMDL4Musip+H5RoTPNiJ8nhE3dvwNXiQkTtW6 NcXEuc2e/HVuB2TClOExJ9iw0sg9dS3mA1HOBwnIyCytw5Byaf0qvfzZsr/1d1+jYcq/PZ8G95wc LUglFGxCJGWBtjtNANPQZJhNIqbqdtrfEvDnHf9/N+DhloCHbxDwLUf+pIjnup5XcVsi8jb2wHmR RYEET2wH+f8dq7yVv0J8IoqGadX7y5/D3fsvC3uyS2I/uug0HL6G/WUd+2XqddEvkq34EW70Y88Y 7+9HuJ8f4TY/wl1+7GxYD3viavEqtt9LejX42p8wWyP7nvxjMmu1Th1MPf/34ZjT+n543xzmQ03k CUEINwZhR9q8eBB24FWfPBVVVFFFFVVUUUUVVVRRRRVVVNH/l/4B1nCcvQAoAAA=

--Boundary-00=_glFxL04kLcJl7l6--