New subject: [Issue 9592] recursion operator (*) for acl “sets” does not work as documented

24 Jun 2021


      https://bugs.openldap.org/show_bug.cgi?id=9592
Issue ID: 9592
           Summary: recursion operator (*) for acl “sets” does not work as
                    documented
           Product: OpenLDAP
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: bugs@openldap.org
          Reporter: grapvar@gmail.com
  Target Milestone: ---
I have traced how the slapd computes recursion operator (*) in acl's “sets” and
found out that it does not work as documented. IIUC, the reference
documentation is:
“Sets in Access Controls”
   (http://www.openldap.org/faq/index.cgi?file=1133)
To make things simpler, I report the finding using the example provided by the
documentation. Here it is:
entry "cn=Group"  has attr "member" with values { "cn=User", "cn=Other" }
 entry "cn=Group2" has attr "member" with values { "cn=Group", "cn=Person" }
The documentation claims that the expression
“[cn=Group2]/member*” resolves to { "cn=User", "cn=Other", "cn=Person" }
In fact, it resolves to { "cn=Group", "cn=User", "cn=Other", "cn=Person" }.
To generalize: all intermediate dn's persist in a set, that's how set_chase(
closure = 1 ) works, and this doesn't look like that's how it's supposed to
work.
Be advised, please, that this issue has been reported by occasional visitor,
from a developer point of view, not a user point of view, so I won't define,
provide or construct any “valid use case”.
-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 9592] New: recursion operator (*) for acl “sets” does not work as documented