https://bugs.openldap.org/show_bug.cgi?id=9664 Issue ID: 9664 Summary: Hiding namingContexts in the root DSE, when these are not in small letters Product: OpenLDAP Version: 2.5.6 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- Below are the ACL for the frontend database. They are supposed to hide the cn=krbconfig from the namingContexts on the root DSE. dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend #olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none olcAccess: to dn.base="" attrs=namingContexts val="cn=krbcontainer" by * none olcAccess: to dn.exact="" by * read dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcDbMaxSize: 10485760 olcSuffix: cn=krbcontainer olcRootDN: uid=zzz,cn=krbcontainer olcRootPW: zzz olcDbDirectory: ldap/uuu olcDbIndex: objectClass eq olcAccess: to dn.sub="cn=krbContainer" by * read It does work! However, if change the case in (container ⇒ Container): olcSuffix: cn=krbContainer no matter how I set olcAccess in the frontend database, $ ldapsearch -xb "" -s base namingContexts always prints dn: namingContexts: cn=krbContainer In particular olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none does not hide it. • It shall be possible to find olcSuffix from the DSE/namingContexts, even if the suffix is mixCased. Since the case is known at the time, when the rules are written, OpenLDAP shall offer an option for exact match, without converting data to lowercase. (as shown by sladp -d -1 ) -- You are receiving this mail because: You are on the CC list for the issue.