User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

When a search on an attribute contained in ACL with ldap://self is performed with sub scope the entry is not returned. The same search with base scope correctly returns the entry.

Reproducible: Always

Steps to Reproduce:
1. Import the bug-acl.ldif (attachment)
2. With openldap utilities :

[root@ldap-model /]# ldapsearch -x -D "uid=TVradmin0,ou=Accounting,dc=example,dc=com" -w 'toto' -h ldap-model.polytechnique.fr -s sub -b 'uid=TVradmin0,ou=Accounting,dc=example,dc=com' carLicense=*
# extended LDIF
#
# LDAPv3
# base <uid=TVradmin0,ou=Accounting,dc=example,dc=com> with scope subtree
# filter: carLicense=*
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[root@ldap-model /]# ldapsearch -x -D "uid=TVradmin0,ou=Accounting,dc=example,dc=com" -w 'toto' -h ldap-model.polytechnique.fr -s base -b 'uid=TVradmin0,ou=Accounting,dc=example,dc=com' carLicense=*
# extended LDIF
#
# LDAPv3
# base <uid=TVradmin0,ou=Accounting,dc=example,dc=com> with scope baseObject
# filter: carLicense=*
# requesting: ALL
#

# TVradmin0, Accounting, example.com
dn: uid=TVradmin0,ou=Accounting,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Teena Vradmin
sn: Vradmin
uid: TVradmin0
givenName: Teena
telephoneNumber: +1 303 703-2147
carLicense: ZSN6DM3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

3.

Actual Results:
The base search correctly returns the entry and the sub search with the same filter and base does not return the entry.

Expected Results:
The sub scope search should return the entry.

The ACL is clearly calculated differently for base and sub scope searches. The bug may be caused by the new entryrdn model, though I have not tested it on previous versions.

Created attachment 448655
LDIF test case for the bug

Created attachment 448824
git patch file (master)

Thank you so much, Andrey. This bug is pretty bad for the search when the basedn is a leaf in DIT as you discovered. Not just for the ACL, but there should have been a performance impact in such cases. As you guessed, it was introduced with the entryrdn. So, 389 v1.2.6 contains this bug (not 1.2.5 and older).

Description: When a basedn has no descendants, the code to take an intersection of idl (which was returned from the filter search -- filter_candidates) and the basedn was skipped in subtree_candidates (ldbm_search.c). Regardless of descendants, the intersection should be taken for the idl and a tree starting with the basedn.

Note: This bug was introduced with entryrdn.

Reviewed by Rich (Thanks!!!)

Pushed to master.

$ git merge 635987
Updating 62cc84c..8ac525e
Fast-forward
 ldap/servers/slapd/back-ldbm/ldbm_search.c | 10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 896 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   62cc84c..8ac525e  master -> master

Created attachment 449487
revised git patch file (master)

Thanks to Rich for analysing the bug introduced by the previous commit. The attached patch should fix it.

Description: This commit made for the bug 635987 introduced a bug to replication.

commit 8ac525e5ac997378f4f2a386e9b96568c8d66db5
Author: Noriko Hosoi <nhosoi>
Date: Tue Sep 21 15:12:07 2010 -0700

subtree_candidates (ldbm_search.c)
If you do have a tombstone filter, descendants will be NULL, and idl_intersection of candidates and descendants will wipe out all of the candidates, leaving just the one entry, e->ep_id. Changed to call idl_intersection only when the filter is not for tombstone or entryrdn_get_noancestorid (false, by default).
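
The candidate-list behaviour described in the two patch comments above, as an added example that is not part of the thread and is not the 389 Directory Server code. It is a simplified model: the idlist type, the function names and the sample entry IDs are hypothetical and constructed, and the entryrdn_get_noancestorid switch is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_IDS 8
/* Sorted list of entry IDs; a hypothetical stand-in for the server's ID list. */
typedef struct { size_t n; unsigned ids[MAX_IDS]; } idlist;

/* Constructed sample data: entry 3 is the leaf used as the search base. */
static const idlist FILTER_HITS = {3, {3, 4, 7}};  /* entries matching carLicense=* */
static const idlist TOMB_HITS = {2, {20, 21}};     /* entries matching a tombstone filter */
static const idlist NO_DESC = {0, {0}};            /* leaf base, or tombstone search */

/* Intersect sorted candidates with the subtree {base_id} + descendants. */
static idlist clip_to_subtree(const idlist *cand, unsigned base_id, const idlist *desc)
{
    idlist out = {0, {0}};
    size_t j = 0;
    for (size_t i = 0; i < cand->n; i++) {
        while (j < desc->n && desc->ids[j] < cand->ids[i]) j++;
        bool in_desc = j < desc->n && desc->ids[j] == cand->ids[i];
        if (in_desc || cand->ids[i] == base_id) out.ids[out.n++] = cand->ids[i];
    }
    return out;
}

/* As reported: the intersection is skipped when the base has no descendants. */
idlist candidates_reported(const idlist *cand, unsigned base_id, const idlist *desc)
{
    return desc->n == 0 ? *cand : clip_to_subtree(cand, base_id, desc);
}

/* After the first patch: always intersect, which drops every tombstone candidate. */
idlist candidates_first_patch(const idlist *cand, unsigned base_id, const idlist *desc)
{
    return clip_to_subtree(cand, base_id, desc);
}

/* After the revised patch: intersect only when the filter is not for tombstones. */
idlist candidates_revised(const idlist *cand, unsigned base_id, const idlist *desc, bool tombstone)
{
    return tombstone ? *cand : clip_to_subtree(cand, base_id, desc);
}

int main(void)
{
    printf("leaf base, reported: %zu candidates\n", candidates_reported(&FILTER_HITS, 3, &NO_DESC).n);
    printf("leaf base, revised:  %zu candidates\n", candidates_revised(&FILTER_HITS, 3, &NO_DESC, false).n);
    printf("tombstones, first patch: %zu, revised: %zu\n",
           candidates_first_patch(&TOMB_HITS, 3, &NO_DESC).n, candidates_revised(&TOMB_HITS, 3, &NO_DESC, true).n);
    return 0;
}
```

In this model a leaf base lets all three filter matches through unclipped in the reported behaviour, while the revised logic keeps only the base entry and leaves the tombstone candidates untouched.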

Reviewed by Rich (Thank you!!!)

Pushed to master.

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.04 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   dcfd94b..a7de5f2  master -> master

Since nightly GER acceptance test passes 100%, mark verified.

Ger run(o=ace industry,c=us)
Tests PASS : 100% (360/360)