https://bugs.openldap.org/show_bug.cgi?id=9664
Issue ID: 9664
Summary: Hiding namingContexts in the root DSE, when these are not in small letters
Product: OpenLDAP
Version: 2.5.6
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---
Below are the ACLs for the frontend database. They are supposed to hide the cn=krbconfig from the namingContexts on the root DSE.

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none
olcAccess: to dn.base="" attrs=namingContexts val="cn=krbcontainer" by * none
olcAccess: to dn.exact="" by * read

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 10485760
olcSuffix: cn=krbcontainer
olcRootDN: uid=zzz,cn=krbcontainer
olcRootPW: zzz
olcDbDirectory: ldap/uuu
olcDbIndex: objectClass eq
olcAccess: to dn.sub="cn=krbContainer" by * read

It does work!
However, if I change the case (container ⇒ Container):

olcSuffix: cn=krbContainer

then no matter how I set olcAccess in the frontend database,

$ ldapsearch -xb "" -s base namingContexts

always prints

dn:
namingContexts: cn=krbContainer

In particular
olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none
does not hide it.
• It shall be possible to find olcSuffix from the DSE/namingContexts, even if the suffix is mixed-case.
Since the case is known at the time when the rules are written, OpenLDAP shall offer an option for exact match, without converting data to lowercase (as shown by slapd -d -1).
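
A check for the symptom described in this report, as an added example that is not part of the original report or of OpenLDAP: it parses the output of the ldapsearch command shown above and lists every namingContexts value that should have been hidden, comparing DNs without regard to case. The function names, the sample outputs and the simplified DN comparison are assumptions made for illustration.

```python
import base64

def parse_naming_contexts(ldif_text):
    """Extract namingContexts values from ldapsearch LDIF output."""
    lines = []
    for raw in ldif_text.splitlines():
        # LDIF folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "namingcontexts":
            continue
        if rest.startswith(":"):  # "attr:: value" means the value is base64-encoded
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def dn_key(dn):
    """Simplified DN comparison key (assumption: case-insensitive attribute
    values and no escaped commas); real DN matching is schema-aware."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)

def leaked_suffixes(ldif_text, must_be_hidden):
    """Return the namingContexts values that the ACLs should have hidden."""
    hidden = {dn_key(dn) for dn in must_be_hidden}
    return [v for v in parse_naming_contexts(ldif_text) if dn_key(v) in hidden]

# Constructed sample outputs (not captured from a real server).
SAMPLE_LEAKING = "dn:\nnamingContexts: cn=krbContainer\nnamingContexts: dc=example,dc=org\n"
B64 = base64.b64encode(b"cn=krbContainer").decode("ascii")
SAMPLE_FOLDED_B64 = "dn:\nnamingContexts:: " + B64[:8] + "\n " + B64[8:] + "\n"
SAMPLE_HIDDEN = "dn:\nnamingContexts: dc=example,dc=org\n"

if __name__ == "__main__":
    for label, sample in [("leaking", SAMPLE_LEAKING), ("folded", SAMPLE_FOLDED_B64),
                          ("hidden", SAMPLE_HIDDEN)]:
        print(label, leaked_suffixes(sample, ["cn=krbcontainer"]))
```

Run as an anonymous client against the server, this gives a regression check that a mixed-case suffix stays hidden after an upgrade or ACL change.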
Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs_review

Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@openldap.org           |ondra@mistotebe.net

Ondřej Kuzník ondra@mistotebe.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.openldap.org/show_bug.cgi?id=5540,
                   |                            |https://bugs.openldap.org/show_bug.cgi?id=8341

Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |IN_PROGRESS
     Ever confirmed|0                           |1

--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
https://git.openldap.org/openldap/openldap/-/merge_requests/401

Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.5.8
           Keywords|needs_review                |

--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
• 2958925c by Ondřej Kuzník at 2021-09-09T10:26:06+01:00
ITS#9664 Add normalised suffix into rootDSE for ACL, etc.

Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|IN_PROGRESS                 |RESOLVED

--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
RE26:
• 5eba9264 by Ondřej Kuzník at 2021-09-14T16:17:29+00:00 ITS#9664 Add normalised suffix into rootDSE for ACL, etc.
RE25:
• c0ccd606 by Ondřej Kuzník at 2021-09-14T16:17:46+00:00 ITS#9664 Add normalised suffix into rootDSE for ACL, etc.
Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED