https://bugs.openldap.org/show_bug.cgi?id=9664

          Issue ID: 9664
           Summary: Hiding namingContexts in the root DSE, when these are
                    not in small letters
           Product: OpenLDAP
           Version: 2.5.6
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Below are the ACLs for the frontend database. They are supposed to hide
cn=krbconfig from the namingContexts on the root DSE.

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none
olcAccess: to dn.base="" attrs=namingContexts val="cn=krbcontainer" by * none
olcAccess: to dn.exact="" by * read

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 10485760
olcSuffix: cn=krbcontainer
olcRootDN: uid=zzz,cn=krbcontainer
olcRootPW: zzz
olcDbDirectory: ldap/uuu
olcDbIndex: objectClass eq
olcAccess: to dn.sub="cn=krbContainer"
  by * read

It does work!

However, if I change the case (container ⇒ Container):
olcSuffix: cn=krbContainer

no matter how I set olcAccess in the frontend database, 
$ ldapsearch -xb "" -s base  namingContexts

always prints
dn:
namingContexts: cn=krbContainer

In particular

olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none

does not hide it.

• It shall be possible to find olcSuffix from the DSE/namingContexts, even if
the suffix is mixCased.

Since the case is known at the time the rules are written, OpenLDAP shall
offer an option for exact match, without converting data to lowercase (as
shown by slapd -d -1).

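A check for the behaviour reported above, as an added example that is not part of the original report or of OpenLDAP: it parses the output of the ldapsearch command shown in the report and lists every namingContexts value that still matches a suffix meant to be hidden, comparing DNs case-insensitively. The function names and the simplified DN normalization are assumptions, and the sample output is constructed from the report.

```python
import base64
import re

# Constructed sample: the root DSE output quoted in the report.
SAMPLE_ROOT_DSE = "dn:\nnamingContexts: cn=krbContainer\n"

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    return re.sub(r"\r?\n ", "", ldif_text)

def attr_values(ldif_text, attr):
    """Return all values of `attr`; attribute names compare case-insensitively."""
    values = []
    for line in unfold(ldif_text).splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):  # "attr:: <base64>" form
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def normalize_dn(dn):
    """Simplified normalization (assumption): lowercase, trim around ',' and '='.

    Treats every attribute value as case-insensitive and does not decode
    escaped or multi-valued RDNs, which is enough for plain suffix DNs.
    """
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(
        "=".join(part.strip().lower() for part in rdn.split("=", 1)) for rdn in rdns
    )

def exposed_contexts(ldif_text, hidden_suffixes):
    """List namingContexts values that should be hidden but are still returned."""
    hidden = {normalize_dn(s) for s in hidden_suffixes}
    return [v for v in attr_values(ldif_text, "namingContexts")
            if normalize_dn(v) in hidden]

if __name__ == "__main__":
    # Non-empty output means the ACL did not hide the suffix from anonymous reads.
    print(exposed_contexts(SAMPLE_ROOT_DSE, ["cn=krbcontainer"]))
```

Feed it the text printed by an anonymous `ldapsearch -xb "" -s base namingContexts` after each ACL change; an empty list means the suffix is no longer disclosed.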