Description of problem:

This is in the context of IPA. I have an extended operation plugin that implements password policy using the kerberos password policy attributes. I wanted to add a Class of Service template so I could do per-group policy based on memberOf.

So I created the CoS templates and verified that a user in the group had the right value. The CoS looks like this:

dn: cn=Password Policy,cn=accounts,dc=example,dc=com
description: Password Policy based on group membership
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=cosTemplates,cn=accounts,dc=example,dc=com
cosAttribute: krbPwdPolicyReference
cosSpecifier: memberOf

dn: cn="cn=group1,cn=groups,cn=accounts,dc=example,dc=com", cn=cosTemplates,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: cosTemplate
objectClass: extensibleobject
objectClass: krbContainer
krbPwdPolicyReference: cn="cn=group1,cn=groups,cn=accounts,dc=example,dc=com", cn=nsPwPolicyContainer,dc=example,dc=com
cosPriority: 1

And to be sure that the attr is there:

% ldapsearch -x -b "dc=example,dc=com" uid=tuser1 krbPwdPolicyReference
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
krbPwdPolicyReference: cn="cn=group1,cn=groups,cn=accounts,dc=example,dc=com", cn=nsPwPolicyContainer,dc=example,dc=com

Ok. So in my extended op plugin I want to pull the right policy so I first look in the entry for the krbPwdPolicyReference attribute. I'm getting the entry with slapi_search_internal_get_entry() and explicitly including the attribute in the attrlist. I've tried both with the attribute as operational and not.

It appears that CoS isn't getting fired off on internal searches.

Note that I also tried with nsAccountLock but we have a similar CoS template for that. I had the same results, no attribute returned.

Version-Release number of selected component (if applicable):

389-ds-base-1.2.1-1.fc11.i586

After reviewing the code, I think this is not a bug. In order to get the value of virtual attributes, you have to use the vattr interfaces like slapi_vattr_values_get()/slapi_vattr_values_free(). Closing as not a bug. Please reopen it if necessary.
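
Added example, not part of the original report or of the 389-ds-base code: a simplified Python model of how the classic CoS definition quoted above yields krbPwdPolicyReference at read time, showing that the value is computed from the template rather than stored in the user entry, so a reader that only looks at stored attributes sees nothing. The memberOf value on tuser1, the DN normalisation helper and the function names are assumptions made for this sketch.

```python
import re

def norm(dn):
    """Crude DN normalisation for this sample: lowercase, no space after commas."""
    return re.sub(r",\s+", ",", dn.strip()).lower()

# Constructed from the LDIF in the report.
COS_DEF = {
    "cosTemplateDn": "cn=cosTemplates,cn=accounts,dc=example,dc=com",
    "cosAttribute": "krbPwdPolicyReference",   # no qualifier: "default" behaviour
    "cosSpecifier": "memberOf",
}
GROUP1 = "cn=group1,cn=groups,cn=accounts,dc=example,dc=com"
POLICY1 = 'cn="%s", cn=nsPwPolicyContainer,dc=example,dc=com' % GROUP1
TEMPLATES = {
    norm('cn="%s", %s' % (GROUP1, COS_DEF["cosTemplateDn"])): {
        "krbPwdPolicyReference": POLICY1,
        "cosPriority": 1,
    },
}

# What is physically stored for the user. The memberOf value is an assumption;
# note that krbPwdPolicyReference is NOT stored here.
STORED_USER = {"uid": ["tuser1"], "memberOf": [GROUP1]}

def resolve_cos(entry, cos_def=COS_DEF, templates=TEMPLATES):
    """Return the value a CoS-aware read would report, or None if there is none."""
    attr = cos_def["cosAttribute"]
    if entry.get(attr):
        # Default CoS: a real value stored in the entry takes precedence.
        return entry[attr][0]
    candidates = []
    for value in entry.get(cos_def["cosSpecifier"], []):
        # Classic CoS: template DN is cn=<specifier value>,<cosTemplateDn>.
        key = norm('cn="%s",%s' % (value, cos_def["cosTemplateDn"]))
        tmpl = templates.get(key)
        if tmpl and attr in tmpl:
            # Lower cosPriority number wins; templates without one rank last.
            candidates.append((tmpl.get("cosPriority", float("inf")), tmpl[attr]))
    if not candidates:
        return None
    return min(candidates, key=lambda c: c[0])[1]

if __name__ == "__main__":
    print("stored attrs :", sorted(STORED_USER))
    print("computed view:", resolve_cos(STORED_USER))
```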