I'm trying to set up Set ACL via an LDAP proxy with proxy cache. The problem is that the proxy cache is not used during ACL checking.
For example, I have the following ACL on the local database:

olcAccess: {0}to * by self write by set="[cn=test2,ou=group,dc=remote]/member & user" write by anonymous auth by * none

And on the remote LDAP server I have the following entry:

dn: cn=test2,ou=group,dc=remote
objectClass: groupOfNames
member: uid=user,ou=user,dc=local
member: uid=j_doe,ou=people,dc=remote

The proxy cache works perfectly when fired by a basic search request; I can see it in the debug log. But when a search is fired by an ACL check (i.e. a search for a local entry, which is handled by the Set ACL), the proxy cache is completely ignored. And I am sure about that, because I have added a 'Debug( pcache_debug ...' entry in every function in servers/slapd/overlays/pcache.c and could not see any of them in the trace output during the ACL check, while I could see them perfectly during a basic search.
Here are log entries from the remote server for cache search (1) and ACL search (2):

1)
5118f601 conn=1003 op=1 SRCH base="cn=test2,ou=group,dc=remote" scope=2 deref=0 filter="(objectClass=*)"
5118f601 conn=1003 op=1 SRCH attr=member objectClass

2)
5118f706 conn=1000 op=1 SRCH base="cn=test2,ou=group,dc=remote" scope=0 deref=0 filter="(objectClass=*)"
5118f706 conn=1000 op=1 SRCH attr=member

For (1), it seems the search is fired by pcache itself, hence attr=member objectClass. A proper search request, fired by myself, does not contain objectClass in the requested attribute list.
I have not managed to find the place in the code where the search is fired by the ACL; it seems to be servers/slapd/overlays/sets.c, but there is no direct search invocation there.
Could you please give me a clue how to fix this issue?
P.S. I have googled this post: http://www.openldap.org/lists/openldap-devel/200908/msg00018.html. It seems to be somehow related to the issue, only in my case the entry is not in hand.
openldap-technical@openldap.org
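
Added example, not part of the original post: a Python script that pairs the two SRCH lines of each operation in the remote server's log and counts, for one group DN, how many lookups have the shape the post shows for the ACL-driven search (scope=0, attr=member) versus the pcache-driven one (scope=2, attributes including objectClass). The classification is a heuristic inferred only from the two log samples above, the function names are hypothetical, and the third operation in the sample log is constructed.

```python
import re
from collections import Counter, defaultdict

# Remote-server log lines: the first two operations are copied from the post,
# the third (conn=1000 op=2) is constructed to show a repeated ACL lookup.
SAMPLE_LOG = '''\
5118f601 conn=1003 op=1 SRCH base="cn=test2,ou=group,dc=remote" scope=2 deref=0 filter="(objectClass=*)"
5118f601 conn=1003 op=1 SRCH attr=member objectClass
5118f706 conn=1000 op=1 SRCH base="cn=test2,ou=group,dc=remote" scope=0 deref=0 filter="(objectClass=*)"
5118f706 conn=1000 op=1 SRCH attr=member
5118f70a conn=1000 op=2 SRCH base="cn=test2,ou=group,dc=remote" scope=0 deref=0 filter="(objectClass=*)"
5118f70a conn=1000 op=2 SRCH attr=member
'''

BASE_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d)')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')

def parse_searches(text):
    """Merge the base/scope line and the attr line of each search, keyed by (conn, op)."""
    ops = defaultdict(lambda: {"base": None, "scope": None, "attrs": frozenset()})
    for line in text.splitlines():
        m = BASE_RE.search(line)
        if m:
            rec = ops[(int(m[1]), int(m[2]))]
            rec["base"], rec["scope"] = m[3].lower(), int(m[4])
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs = frozenset(a.lower() for a in m[3].split())
            ops[(int(m[1]), int(m[2]))]["attrs"] = attrs
    return dict(ops)

def classify(rec):
    """Heuristic from the post's two samples, not derived from the slapd source."""
    if rec["scope"] == 0 and rec["attrs"] == {"member"}:
        return "acl-set-lookup"      # base-scope read of member only
    if rec["scope"] == 2 and "objectclass" in rec["attrs"]:
        return "pcache-query"        # subtree search that also asks for objectClass
    return "other"

def remote_hits(text, group_dn):
    """Count, by class, the searches for group_dn that reached the remote server."""
    wanted = group_dn.lower()
    return Counter(classify(r) for r in parse_searches(text).values()
                   if r["base"] == wanted)

if __name__ == "__main__":
    print(remote_hits(SAMPLE_LOG, "cn=test2,ou=group,dc=remote"))
```

If the acl-set-lookup count on the remote server grows with every access-controlled request while pcache-query stays flat, the set lookups are reaching the remote server uncached.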