On 16.06.2016 12:21, Ludwig Krispenz wrote:
On 06/16/2016 12:14 PM, Petr Spacek wrote:
On 16.6.2016 12:12, Ludwig Krispenz wrote:
On 06/16/2016 12:00 PM, Petr Spacek wrote:
Hello,
Require 389-ds-base >= 1.3.5.6
Old DS handles LDAP filters incorrectly
no. Old DS handles filters strictly as documented in the admin guide,
requiring access rights to each attribute used in the search filter.
This was
known and applications had to adapt, in your case there would have
had to be
two searches one with the (&()()) filter and one with (|()()()()).
You know, it is quite hard to adapt when your application rely on one
SyncRepl
session ...
Anyway, feel free to send patch with rephrased commit message if you
wish, I'm
okay with superseding my patch with yours.
no, it's fine, only sometimes I need to defend DS a bit
Petr^2 Spacek
This was improved in the latest version and componets withou access are
ignored in filter evaluation to avoid the problems you did run into.
otherwise your fix is ok
Ludwig
and breaks bind-dyndb-ldap.
See
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
https://fedorahosted.org/freeipa/ticket/2008
ACK
Pushed to master: 85d083c36651b15457af75e009f83bc6bb8114b0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code