On 10/23/18 1:45 PM, Ulrich Windl wrote:
> A related interesting question: Are the ACL permissions for attributes needed to do the actual matching of entries, or are they only used to add the attributes of the matched entries to the result set?
ACLs also affect the matching.
E.g. in Æ-DIR I have ACLs with val.regex only allowing read access to those memberOf values pointing to group entries explicitly made visible for a system.
> I was wondering what "entry" actually is,
My own definition: If read access is granted to 'entry', the entry's DN will be returned in the search result. Which is not quite the same as granting read access to 'entryDN'.
> and I imagine if LDAP search could return the count of matching entries only (i.e. no attributes at all), that could be relevant....
Try yourself with the no-op search control.
Ciao, Michael.
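
Added example, not part of the original message and not taken from Æ-DIR: a constructed slapd.conf fragment showing how a val.regex restriction on memberOf and access to the 'entry' pseudo-attribute shape both filter matching and the returned result. The example.com DNs and the ou=visible / ou=hidden split are assumptions made for illustration.

```conf
# Constructed ACLs for illustration only. slapd stops at the first
# "access to" clause whose <what> part matches the entry/attribute/value.

# 1. 'entry' pseudo-attribute: search access on the search base and read
#    access on each candidate are needed before an entry (its DN) can be
#    returned at all.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry
    by users read
    by * none

# 2. Only memberOf values that name a group below ou=visible are accessible.
#    'read' implies 'search', so these values can be asserted in a filter
#    and are also returned in the result.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=memberOf
       val.regex="^cn=[^,]+,ou=visible,ou=groups,dc=example,dc=com$"
    by users read
    by * none

# 3. Every other memberOf value: no access, hence no 'search' privilege.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=memberOf
    by * none

# 4. Attributes the client may otherwise search on and read.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=uid,cn
    by users read
    by * none

# Effect for an authenticated user searching below ou=people:
#   (memberOf=cn=web,ou=visible,ou=groups,dc=example,dc=com)
#       matches members of that group; only memberOf values under
#       ou=visible appear in the returned entries.
#   (memberOf=cn=admins,ou=hidden,ou=groups,dc=example,dc=com)
#       matches nothing, even for entries that hold this value, because
#       the asserted value lacks 'search' access when the filter is evaluated.
```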