On 10/23/18 1:45 PM, Ulrich Windl wrote:
> A related interesting question: Are the ACL permissions for attributes needed
> to do the actual matching of entries, or are they only used to add the
> attributes of the matched entries to the result set?

ACLs also affect the matching.

E.g. in Æ-DIR I have ACLs with val.regex only allowing read access to
those memberOf values pointing to group entries explicitly made visible
for a system.

> I was wondering what "entry" actually is,

My own definition: If read access is granted to 'entry' the entry's DN
will be returned in the search result. Which is not quite the same as
granting read access to 'entryDN'.

> and I imagine if LDAP search could return the count of
> matching entries only (i.e. no attributes at all), that could be relevant....

Try it yourself with the no-op search control.

Ciao, Michael.
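
The following slapd.conf fragment is an added illustration of the points in this thread, not Æ-DIR's actual ACLs and not taken from the message above. All DNs, the group naming scheme and the regex are constructed for the example.

```conf
# Constructed example: every DN and the "web-" group prefix are hypothetical.

# Rule 1: per-value access to memberOf.
# Only values pointing at groups made visible for this system are readable.
# Access level "read" includes "search", so the same values are also the only
# ones this identity can assert in a search filter.
access to dn.subtree="ou=people,dc=example,dc=org"
        attrs=memberOf
        val.regex="^cn=web-[^,]+,ou=groups,dc=example,dc=org$"
    by dn.exact="uid=system-web,ou=systems,dc=example,dc=org" read
    by * none

# Rule 2: every other memberOf value is hidden from everyone.
# For uid=system-web a filter such as
#   (memberOf=cn=hr-staff,ou=groups,dc=example,dc=org)
# is evaluated without search access to that value, so the entry does not
# match even if the person really is a member of that group, whereas
#   (memberOf=cn=web-admins,ou=groups,dc=example,dc=org)
# can match, because rule 1 grants access to that value.
access to dn.subtree="ou=people,dc=example,dc=org"
        attrs=memberOf
    by * none

# Rule 3: the "entry" pseudo-attribute plus one ordinary attribute.
# Without access to "entry" a matched entry is not returned at all;
# with it, the entry (and so its DN) appears in the search result.
access to dn.subtree="ou=people,dc=example,dc=org"
        attrs=entry,uid
    by dn.exact="uid=system-web,ou=systems,dc=example,dc=org" read
    by * none
```

Rule order matters because slapd applies the first `access to` clause whose target matches, so the val.regex rule has to precede the catch-all memberOf rule.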