https://bugs.openldap.org/show_bug.cgi?id=9592

          Issue ID: 9592
           Summary: recursion operator (*) for acl “sets” does not work as
                    documented
           Product: OpenLDAP
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

I have traced how slapd computes the recursion operator (*) in acl “sets” and
found out that it does not work as documented. IIUC, the reference
documentation is:

   “Sets in Access Controls”
   (http://www.openldap.org/faq/index.cgi?file=1133)

To make things simpler, I report the finding using the example provided by the
documentation. Here it is:

 entry "cn=Group"  has attr "member" with values { "cn=User", "cn=Other" }
 entry "cn=Group2" has attr "member" with values { "cn=Group", "cn=Person" }

The documentation claims that the expression

 “[cn=Group2]/member*” resolves to { "cn=User", "cn=Other", "cn=Person" }

In fact, it resolves to { "cn=Group", "cn=User", "cn=Other", "cn=Person" }.

To generalize: all intermediate DNs persist in a set; that's how
set_chase( closure = 1 ) works, and this doesn't look like how it's supposed
to work.

Be advised, please, that this issue has been reported by an occasional visitor,
from a developer's point of view, not a user's point of view, so I won't define,
provide or construct any “valid use case”.

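The two resolutions of “[cn=Group2]/member*” described in the report, modelled as an added example; this is not slapd code and not part of the original report. The in-memory `DIRECTORY`, the function names, and the "leaves only" reading of the documented result are assumptions made for illustration.

```python
# Constructed directory: the two entries from the report plus the
# member-less entries they point at.
DIRECTORY = {
    "cn=Group":  {"member": {"cn=User", "cn=Other"}},
    "cn=Group2": {"member": {"cn=Group", "cn=Person"}},
    "cn=User": {}, "cn=Other": {}, "cn=Person": {},
}

def values(directory, dn, attr):
    """Values of attr on dn; empty set if the entry or attribute is absent."""
    return set(directory.get(dn, {}).get(attr, ()))

def chase_keep_all(directory, start, attr):
    """Reported behaviour: every DN reached at any hop stays in the set."""
    result, frontier = set(), {start}
    while frontier:
        reached = set()
        for dn in frontier:
            reached |= values(directory, dn, attr)
        frontier = reached - result   # expand only unseen DNs, so cycles end
        result |= reached
    return result

def chase_leaves_only(directory, start, attr):
    """Assumed reading of the documented result: keep only DNs that
    themselves have no further values for attr."""
    return {dn for dn in chase_keep_all(directory, start, attr)
            if not values(directory, dn, attr)}

def intermediate_dns(directory, start, attr):
    """DNs present under the reported behaviour but absent from the
    documented result, i.e. what an ACL author may not expect in the set."""
    return (chase_keep_all(directory, start, attr)
            - chase_leaves_only(directory, start, attr))

if __name__ == "__main__":
    print("reported  :", sorted(chase_keep_all(DIRECTORY, "cn=Group2", "member")))
    print("documented:", sorted(chase_leaves_only(DIRECTORY, "cn=Group2", "member")))
    print("difference:", sorted(intermediate_dns(DIRECTORY, "cn=Group2", "member")))
```

Running `intermediate_dns` over an export of nested groups lists the group DNs that end up in a recursive set when an ACL was written against the documented result.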