Quanah,
you don't have to go through many examples --- your problem is clear and well posed. It's the solution: if the user has enough privilege to check membership but, for implementation-related reasons, the software requires higher privileges while gathering data, the solution is not to hack the software by raising the privileges of whoever does the internal data gathering, because that would also gather data the user wouldn't be allowed to check.
The solution rather consists in making the software require as much privilege as is actually required for the actual operation, nothing more, nothing less, even during the internal operations used to gather the data. The software was using an internal search as is, i.e. requiring "search" on the filter and "read" on the data while actually gathering data for a "compare", and the software was wrong (I guess there are many more places where internal searches are used like that, sigh). The fix is making the software require "compare" in all those phases, since, as long as they're a mere technicalism to gather data for a compare, that's the privilege they should require.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
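An added illustration of the point made in the message above (example code, not OpenLDAP's own): a small model of slapd's ordered access levels with a compare implemented through an internal search, once with the search's own privilege requirements and once with the compare's. The ACL, the entry and the DNs are constructed for the example.

```python
# Added example, not OpenLDAP code: models why an internal search used to
# implement compare must demand "compare", not "search"/"read".
from enum import IntEnum


class Access(IntEnum):
    """slapd's ordered access levels; each level implies all lower ones."""
    NONE = 0
    DISCLOSE = 1
    AUTH = 2
    COMPARE = 3
    SEARCH = 4
    READ = 5
    WRITE = 6


# Constructed ACL: (attribute, subject DN) -> granted level. The helpdesk may
# only compare against userPassword, never read it.
ACL = {
    ("userPassword", "cn=helpdesk"): Access.COMPARE,
    ("userPassword", "cn=admin"): Access.READ,
}
ENTRY = {"userPassword": ["s3cret"]}  # constructed entry data


def granted(attr, who, needed):
    return ACL.get((attr, who), Access.NONE) >= needed


def internal_search(attr, who, filter_level, data_level):
    """Shared data gathering; the caller states which privileges it stands for."""
    if not granted(attr, who, filter_level):  # privilege to match on the attribute
        raise PermissionError(f"{who} lacks {filter_level.name} on {attr}")
    if not granted(attr, who, data_level):  # privilege to obtain the values
        raise PermissionError(f"{who} lacks {data_level.name} on {attr}")
    return ENTRY.get(attr, [])


def compare_buggy(attr, value, who):
    # Wrong: uses the internal search "as is", i.e. with a real search's
    # requirements ("search" on the filter, "read" on the data).
    return value in internal_search(attr, who, Access.SEARCH, Access.READ)


def compare_fixed(attr, value, who):
    # Right: the search is only a technicalism of compare, so both phases
    # require exactly the "compare" privilege.
    return value in internal_search(attr, who, Access.COMPARE, Access.COMPARE)


def outcome(fn, attr, value, who):
    """Report what the client would see for a compare request."""
    try:
        return "compareTrue" if fn(attr, value, who) else "compareFalse"
    except PermissionError:
        return "insufficientAccessRights"
```

With the buggy variant the helpdesk user, who legitimately holds "compare" on userPassword, is refused; with the fixed variant the same user gets compareTrue/compareFalse, while a subject with no access is still refused.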