On 23.6.2015 15:41, Tamas Papp wrote: > hi, > > This works: > > $ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn > "(|(mail=admin*)(uid=admin))" uid > dn: uid=admin,cn=users,cn=accounts,dc=cxn > uid: admin > > > This not: > > $ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn > "(|(aaa=admin*)(uid=admin))" uid > $ > > > If there is search filter with non-existent attribute there is no result. > Is that intentional? In CentOS 6.6 it worked just fine.
As far as I can tell this happens when the search is attempting to evaluate the filter and access to that attribute is denied by ACI. In newer version of FreeIPA everything is closed by default and access is allowed only to certain subset of attributes. What version of FreeIPA do you have? What version of 389-ds-base package do you have? $ rpm -q 389-ds-base freeipa-server ipa-server -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project