On 23.6.2015 15:41, Tamas Papp wrote:
> hi,
> 
> This works:
> 
> $ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn
> "(|(mail=admin*)(uid=admin))" uid
> dn: uid=admin,cn=users,cn=accounts,dc=cxn
> uid: admin
> 
> 
> This not:
> 
> $ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn
> "(|(aaa=admin*)(uid=admin))" uid
> $
> 
> 
> If there is search filter with non-existent attribute there is no result.
> Is that intentional? In CentOS 6.6 it worked just fine.

As far as I can tell this happens when the search is attempting to evaluate
the filter and access to that attribute is denied by ACI. In newer version of
FreeIPA everything is closed by default and access is allowed only to certain
subset of attributes.

What version of FreeIPA do you have? What version of 389-ds-base package do
you have?

$ rpm -q 389-ds-base freeipa-server ipa-server

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to