djpohly@gmail.com wrote:
Full_Name: Devin J. Pohly
Version: 2.4.23
OS: Linux
URL: http://openldap.pastebin.com/gvswpxLX
Submission from: (NULL) (98.235.33.55)
Thanks for the detailed report. This is now fixed in HEAD.
Description: I have set up an LDAP directory which contains users and flat groups (groupOfNames/member style). I want to use the access controls to only allow users to see their own groups and membership, so I defined the following controls:
access to dn.onelevel="ou=group,o=org" attrs=entry
    by dnattr=member read
access to dn.onelevel="ou=group,o=org" attrs=member
    by dnattr=member selfread
Steps to reproduce:
1. Start a new instance of OpenLDAP with the slapd.conf file provided at
   http://openldap.pastebin.com/gvswpxLX and an empty database.
2. Get grouptest.ldif from http://openldap.pastebin.com/X1DUyGmf and add it to the directory:
   ldapadd -x -H $LDAPURI -D uid=admin,o=org -w admin -f grouptest.ldif
   This creates two users, foo and bar, and two groups, g1 and g2. Each user is in both groups.
3. Compare the outputs of:
   ldapsearch -x -H $LDAPURI -D uid=foo,ou=user,o=org -w foo -b ou=group,o=org
   ldapsearch -x -H $LDAPURI -D uid=bar,ou=user,o=org -w bar -b ou=group,o=org
Expected results: Foo's query shows "member: foo" for both g1 and g2. Bar's query shows "member: bar" for both g1 and g2.
Actual results: Foo's query shows "member: foo" for both g1 and g2. Bar's query does not show any member attributes.
Note: Changing the order in which the users are listed changes the behavior; only the first user listed matches 'self'. Changing the 'selfread' privilege to 'read' behaves correctly: both queries display both users' memberships in the groups. So the problem lies somewhere in the way the 'self' modifier is implemented.
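The report's expected and actual results can be turned into an automated check, which is useful when re-running the reproduction against a build that carries the fix. The following is an added example, not code from the ITS report or from OpenLDAP: it parses the LDIF that ldapsearch prints and verifies, for one bound user, what the two access directives are meant to produce, namely that every group the user belongs to is visible (entry read via dnattr=member) and that its member attribute shows exactly one value, the user's own DN (selfread). The bind DNs and the search base are taken from the report; the group DNs (cn=g1, cn=g2) and the sample search outputs are constructed to mirror the report's results, and the member values are assumed to be full DNs, which is what dnattr and self compare against.

```python
"""Regression check for the selfread-on-member ACL from the report.

Added example, not the report's or OpenLDAP's own code. Group DNs and the
sample ldapsearch outputs below are constructed; only the bind DNs and the
search base come from the report.
"""
import subprocess
from typing import Dict, List

FOO_DN = "uid=foo,ou=user,o=org"   # bind DNs from the report
BAR_DN = "uid=bar,ou=user,o=org"
GROUP_BASE = "ou=group,o=org"
# Assumption: cn is the groups' RDN; the report only names them g1 and g2.
GROUPS = ["cn=g1,ou=group,o=org", "cn=g2,ou=group,o=org"]


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal ldapsearch-output parser: {dn: {attr: [values]}}.
    Folds continuation lines, skips '#' comments and the search/result trailer."""
    folded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]          # LDIF line folding
        else:
            folded.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    dn, attrs = None, {}
    for line in folded:
        if not line.strip():               # blank line ends an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key == "dn":
            dn, attrs = value, {}
        elif dn is not None:               # trailer lines carry no dn
            attrs.setdefault(key, []).append(value)
    if dn is not None:
        entries[dn] = attrs
    return entries


def check_selfread(bound_dn: str, ldif_text: str, groups: List[str]) -> List[str]:
    """One message per deviation from the intended ACL effect; [] means OK.
    DN comparison is plain string equality (stored spelling must match the bind DN)."""
    seen = parse_ldif(ldif_text)
    problems: List[str] = []
    for group in groups:
        attrs = seen.get(group)
        if attrs is None:
            problems.append(f"{group}: not visible to {bound_dn}")
            continue
        members = attrs.get("member", [])
        if members != [bound_dn]:          # selfread: only the user's own value
            problems.append(f"{group}: member values shown to {bound_dn} are "
                            f"{members}, expected [{bound_dn!r}]")
    for dn in seen:                        # groups the user is not in must stay hidden
        rdn = dn[: -len(GROUP_BASE) - 1]
        if dn != GROUP_BASE and dn.endswith("," + GROUP_BASE) and "," not in rdn \
                and dn not in groups:
            problems.append(f"{dn}: visible to {bound_dn}, who is not a member")
    return problems


def live_search(uri: str, bind_dn: str, password: str) -> str:
    """Run the ldapsearch from the report and return its output (live use only)."""
    cmd = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-w", password, "-b", GROUP_BASE]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed outputs mirroring the report's "Actual results"; only the
# attributes the report mentions are shown.
FOO_OUTPUT = """\
dn: cn=g1,ou=group,o=org
member: uid=foo,ou=user,o=org

dn: cn=g2,ou=group,o=org
member: uid=foo,ou=user,o=org

search: 2
result: 0 Success
"""
BAR_OUTPUT = """\
dn: cn=g1,ou=group,o=org

dn: cn=g2,ou=group,o=org
"""
# What bar sees with plain 'read' instead of 'selfread', per the report's note.
BAR_OUTPUT_READ = """\
dn: cn=g1,ou=group,o=org
member: uid=foo,ou=user,o=org
member: uid=bar,ou=user,o=org

dn: cn=g2,ou=group,o=org
member: uid=foo,ou=user,o=org
member: uid=bar,ou=user,o=org
"""

if __name__ == "__main__":
    for who, out in ((FOO_DN, FOO_OUTPUT), (BAR_DN, BAR_OUTPUT), (BAR_DN, BAR_OUTPUT_READ)):
        print(who, check_selfread(who, out, GROUPS) or "OK")
```

Against a live server, feed `live_search(uri, BAR_DN, "bar")` to `check_selfread` for each user; an empty list for both foo and bar is the behaviour the report expects, while the reported bug shows up as two "expected [...]" messages for bar only.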