michael@stroeder.com wrote:
Take note of this:
authz-regexp "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
  "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
[..]
access to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
  by * auth
See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):
As indicated in OpenLDAP 2.4's man page, now the LDAP search operation requires "search" privileges on the "entry" pseudo-attribute of the searchBase. This was introduced to be able to honor the "disclose" privilege (or, at least, in conjunction with code that is used to honor the "disclose" privilege). The man page is erroneous in stating that this requirement and that feature were introduced in OpenLDAP 2.3: the code is indeed present in OpenLDAP 2.3, but actually #ifdef'd; it only became the default behavior in OpenLDAP 2.4.
This requirement, as usual, is downgraded to "auth" when performing authc/authz related lookups.
I'd take this ITS as a request to fix the documentation (indicate the change since 2.4 and not since 2.3) and to better notify the different behavior since 2.3.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
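As an added illustration (not configuration from the thread or from the OpenLDAP project), the slapd.conf ACL fragment below shows the kind of rule the 2.4 behaviour described above calls for: the search base of the authz-regexp URL, ou=authz-test,dc=stroeder,dc=local, needs at least "auth" access on its "entry" pseudo-attribute, in addition to the rule on the user entries. The DNs are taken from the quoted configuration; the elided [..] portion of the original config is unknown and is not reconstructed here.

```conf
# Added example, not the configuration posted in the thread.
# authz-regexp from the thread: the internal lookup is a subtree search
# whose base is ou=authz-test,dc=stroeder,dc=local.
authz-regexp "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
  "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"

# OpenLDAP 2.4 requires "search" access to the "entry" pseudo-attribute of
# the search base before a search proceeds; for authc/authz lookups the
# required level is downgraded to "auth". This rule satisfies that check for
# the base DN of the URL above (unless the elided [..] rules already do).
# In 2.3 the check was compiled out, which is why the same config behaved
# differently on the RE23 and RE24 test servers.
access to dn.base="ou=authz-test,dc=stroeder,dc=local" attrs=entry
  by * auth

# Rule quoted in the thread: the user entries found by the (uid=$1) filter.
# ACLs are evaluated in order and the dn.base rule above does not match
# these entries, so the two rules do not interfere with each other.
access to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
  by * auth
```

The first matching "access to" clause wins, so keep this fragment ahead of any broader rule that would match the same DNs with a lower privilege.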