https://bugs.openldap.org/show_bug.cgi?id=10022
Issue ID: 10022
Summary: OlcAccess (META)
Product: OpenLDAP
Version: 2.5.7
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: backends
Assignee: bugs@openldap.org
Reporter: bourguijl@gmail.com
Target Milestone: ---

Dears,
I've configured a META ldap instance pointing to an LDAP backend. In this backend, there are a few ACLs, but they don't restrict the ldapsearch that I perform from the META frontend. I just have an issue when I set some ACLs on the META frontend, and more especially when I insert attrs=xxx in the ACL.
ACL = OK
{0}to dn.one="ou=staff,o=mobistar.be" by dn="uid=a0621004,ou=ObeExternalITOnGcp,ou=partners,o=mobistar.be" read
ACL NOT OK
{0}to dn.one="ou=staff,o=mobistar.be" attrs=uid by dn="uid=a0621004,ou=ObeExternalITOnGcp,ou=partners,o=mobistar.be" read
Can you explain why, when I restrict to an attribute, my ldapsearch didn't provide me any response as expected? Is it a bug?
Thx in advance, J-L.
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
Can you please provide a configuration and sample script that replicates the issue with test data?
--- Comment #2 from Jean-Luc bourguijl@gmail.com ---
Hello Quanah,
By modifying my OlcAccess as follows, I get entries as expected (added "entry" in attrs list).
{0}to dn.one="ou=staff,o=mobistar.be" attrs=entry,uid by dn="uid=a0621004,ou=ObeExternalITOnGcp,ou=partners,o=mobistar.be" read
This is strange, because in all my ldap instances installed under the same version, I didn't have to use "entry" in all the OlcAccess configured on them. The only difference is that ldap DB is META (+ entry in attrs) and MDB (no entry in attrs).
Could it be because it's a filter for output coming from the backend, as opposed to the MDB ones, which are doing search directly on their DB?
If it's so, it's not well defined (written) in DOC's.
So, this is not a bug but a configuration issue.
Brgds, J-L.
Quanah Gibson-Mount quanah@openldap.org changed:
      What|Removed     |Added
----------------------------------------------------------------------------
Resolution|---         |INVALID
    Status|UNCONFIRMED |RESOLVED

--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
(In reply to Jean-Luc from comment #2)
> If it's so, it's not well defined (written) in DOC's.
> So, this is not a bug but a configuration issue.

Hi,
the requirements for access to the pseudo attribute "entry" are documented extensively in the "slapd.access(5)" man page.
Regards, Quanah
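
The behaviour discussed in this thread, as an added example that is not part of the original report or of OpenLDAP's code: a simplified Python model of the result-return checks described in slapd.access(5), where an entry is returned only if the requester has read access to the pseudo-attribute "entry", and then each attribute is checked separately. It assumes the three ACLs quoted above are the only ones in effect, models only dn.one, attrs= and a single "by dn" clause, leaves out the search-privilege checks on the base and filter, and uses a constructed sample entry.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model (not slapd's code) of the checks slapd.access(5) describes
# for returning one search result. Only dn.one, attrs= and one "by dn" clause.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Acl:
    one_level_of: str           # to dn.one="<base>"
    attrs: Optional[tuple]      # attrs=<list>; None when the clause is absent
    who: str                    # by dn="<who>"
    level: str                  # access level granted to <who>

def parent(dn):
    return dn.split(",", 1)[1].strip().lower() if "," in dn else ""

def access(acls, bind_dn, entry_dn, attr):
    """The first ACL whose <what> matches decides; no match means no access."""
    for acl in acls:
        if parent(entry_dn) != acl.one_level_of.lower():
            continue
        if acl.attrs is not None and attr.lower() not in acl.attrs:
            continue
        # Every directive ends with an implicit "by * none".
        return acl.level if bind_dn.lower() == acl.who.lower() else "none"
    return "none"               # implicit last rule: access to * by * none

def can_read(acls, bind_dn, entry_dn, attr):
    granted = access(acls, bind_dn, entry_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index("read")

def visible_attrs(acls, bind_dn, entry_dn, entry):
    """Readable attributes, or None when the entry itself is withheld."""
    if not can_read(acls, bind_dn, entry_dn, "entry"):   # pseudo-attribute gate
        return None
    return {a: v for a, v in entry.items() if can_read(acls, bind_dn, entry_dn, a)}

BASE = "ou=staff,o=mobistar.be"
WHO = "uid=a0621004,ou=ObeExternalITOnGcp,ou=partners,o=mobistar.be"
ENTRY_DN = "uid=jdoe," + BASE                      # constructed sample entry
ENTRY = {"uid": ["jdoe"], "cn": ["J. Doe"]}        # constructed sample values

NO_ATTRS = [Acl(BASE, None, WHO, "read")]                 # "ACL = OK"
UID_ONLY = [Acl(BASE, ("uid",), WHO, "read")]             # "ACL NOT OK"
ENTRY_UID = [Acl(BASE, ("entry", "uid"), WHO, "read")]    # comment #2

if __name__ == "__main__":
    for name, acls in [("no attrs", NO_ATTRS), ("attrs=uid", UID_ONLY),
                       ("attrs=entry,uid", ENTRY_UID)]:
        print(name, "->", visible_attrs(acls, WHO, ENTRY_DN, ENTRY))
```

In this model the attrs=uid rule never matches the "entry" check, so the implicit deny withholds the whole entry; listing entry alongside uid returns the entry with uid only.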
Quanah Gibson-Mount quanah@openldap.org changed:
      What|Removed     |Added
----------------------------------------------------------------------------
    Status|RESOLVED    |VERIFIED
Quanah Gibson-Mount quanah@openldap.org changed:
      What|Removed     |Added
----------------------------------------------------------------------------
  Keywords|needs_review|