Full_Name: Peter Marschall
Version: 2.4.21
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
Submission from: (NULL) (94.217.135.20)

Hi,
Playing around with dynacl/aci a bit, I came across the following issue:
Searches that do not contain the attribute OpenLDAPaci in the list of attributes queried omit objects.
E.g. doing a base search for 1.1 on an object that has the following OpenLDAPaci value

  OpenLDAPaci: 0#entry#grant;r,c,s,d,x;[entry]#public#
  OpenLDAPaci: 0#entry#grant;r,c,s,d,x;[all]#public#

(no superior object has a subtree OpenLDAPaci) does not return the DN of the object, while doing the search without arguments returns the DN.
According to my experiments, it looks like the Entry *e passed as argument to dynacl_aci_mask() does not have OpenLDAPaci in its e->e_attrs. I wrote the patch ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch to verify my suspicions, and it seems to help, although at the cost of abysmally bad performance.
I guess there are better ways to fix the issue (e.g. "auto-adding" OpenLDAPaci to the attributes queried from the backend and stripping it before giving it back to the client), but my knowledge of the internal workings of OpenLDAP is too limited.
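
The reported behaviour and the "auto-add, then strip" idea from the last paragraph, as a small Python model. This is an added illustration, not code from the report, the patch or slapd; the DN, the helper names, the permission letter checked and the assumption that the ACI check only sees the attributes the client requested are constructed for the example.

```python
ACI_ATTR = "OpenLDAPaci"

# Constructed entry (the DN is made up) carrying the two ACI values from the report.
ENTRY = {"dn": "cn=test,dc=example,dc=com", "attrs": {
    "cn": ["test"],
    ACI_ATTR: ["0#entry#grant;r,c,s,d,x;[entry]#public#",
               "0#entry#grant;r,c,s,d,x;[all]#public#"]}}

def parse_aci(value):
    """Simplified parse of OID#scope#rights#type#subject (one rights triple only)."""
    _oid, scope, rights, subj_type, _subject = value.split("#")
    action, perms, targets = rights.split(";")
    return {"scope": scope, "action": action, "type": subj_type,
            "perms": set(perms.split(",")), "targets": set(targets.split(","))}

def backend_fetch(entry, requested):
    """Assumed backend behaviour: hand back only the requested attributes."""
    if not requested:                       # no attribute list: whole entry
        keep = entry["attrs"]
    else:                                   # "1.1" matches nothing, so keep is empty
        keep = {a: v for a, v in entry["attrs"].items() if a in requested}
    return {"dn": entry["dn"], "attrs": dict(keep)}

def entry_visible(e, perm="r"):
    """Model of the ACI mask check: it can only grant from values present on e."""
    for raw in e["attrs"].get(ACI_ATTR, []):
        aci = parse_aci(raw)
        if (aci["action"] == "grant" and aci["type"] == "public"
                and perm in aci["perms"]
                and aci["targets"] & {"[entry]", "[all]"}):
            return True
    return False                            # no ACI seen means no access

def search(entry, requested, add_aci=False):
    """Base search; add_aci=True models auto-adding the ACI attribute, then stripping it."""
    fetch = list(requested)
    if add_aci and fetch and ACI_ATTR not in fetch:
        fetch.append(ACI_ATTR)              # needed for access evaluation only
    e = backend_fetch(entry, fetch)
    if not entry_visible(e):
        return None                         # entry silently omitted from the result
    attrs = {a: v for a, v in e["attrs"].items()
             if not requested or a in requested}   # strip what was not asked for
    return {"dn": e["dn"], "attrs": attrs}

if __name__ == "__main__":
    print("1.1, as reported:   ", search(ENTRY, ["1.1"]))
    print("no attribute list:  ", search(ENTRY, [])["dn"])
    print("1.1, add and strip: ", search(ENTRY, ["1.1"], add_aci=True))
```
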