User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15

When searching using ServerSideSearch control and VirtualListView control it does not seem to take into account some configured ACIs (for example, when returning the contentCount field of the VirtualListView response control). Sometimes it returns even empty entries with only the dn attribute.

Reproducible: Always

Steps to Reproduce:

1. Install the 389 server. I used our production version which is 1.2.6.1 but the problem exists for some time and some reports on the list suggest it is still present in 1.2.7.x, I think in 1.2.8.x also.

2. setup-ds-admin.pl with dc=example,dc=com

3. /etc/init.d/dirsrv stop

4. vi dse.ldif -> add the right to anonymous user to use the VLV feature:

dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
...
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read , search, compare, proxy ) userdn = "ldap:///anyone";)
...

5. ldif2db -n userRoot -i /tmp/example-VLV.ldif . The file example-VLV.ldif is attached to this bug.

6. Run the test script (attached to this bug): ./VLVSearch-Bug.pl

7. Everything is ok for the moment:

[root@ldap-model DEVEL]# ./VLVSearch-Bug.pl
...Bound...
CN is Achal Hlady, login: AHlady28
CN is Adda Au, login: AAu93
CN is Adorne Jee, login: AJee41
CN is Afzal Ruban, login: ARuban19
CN is Alice Benefits, login: ABenefits88
CN is Arlene Biard, login: ABiard98
CN is Ashlie Coordinator, login: ACoordina73
CN is Azar Kalaichelvan, login: AKalaiche17
CN is Belle Tahamont, login: BTahamont34
CN is Betty McTurner, login: BMcTurner5
Empty entry!
Count: 10
CN is Carin Talis, login: CTalis15
CN is Catlaina Capretta, login: CCapretta78
CN is Charita Sheffield, login: CSheffiel62
CN is Charmine Quizmaster, login: CQuizmast14
CN is Ciaran Koren, login: CKoren89
CN is Clareta Dufresne, login: CDufresne91
CN is Claribel Molnar, login: CMolnar25
CN is Conrad Stadelmeier, login: CStadelme81
CN is Correy Felczak, login: CFelczak49
CN is Cristine Buchko, login: CBuchko53
Empty entry!
Count: 10
CN is Cristine Buchko, login: CBuchko53
CN is Daffie Colquette, login: DColquett26
CN is Dalip Neifert, login: DNeifert16
CN is Danette Vexler, login: DVexler47
CN is Darci Kigyos, login: DKigyos55
CN is Debbi Fouillard, login: DFouillar86
CN is Debera Subissati, login: DSubissat3
CN is Devan Brungardt, login: DBrungard68
CN is Diego Laurent, login: DLaurent72
CN is Dodi Starks, login: DStarks35
Empty entry!
Count: 10
CN is Dre Sarlos, login: DSarlos63
CN is Earnest Diersch, login: EDiersch31
CN is Eirik Milstead, login: EMilstead57
CN is Eleanor Sym, login: ESym96
CN is Elex Jamieson, login: EJamieson60
CN is Fastmer Momon, login: FMomon13
CN is Giralda Schreiner, login: GSchreine20
CN is Ike Amelkar, login: IAmelkar74
CN is Irena Hailes, login: IHailes18
CN is Jagdish Dunnion, login: JDunnion44
Empty entry!
Count: 10
CN is Janice Scissons, login: JScissons71
CN is Jeniece Tookey, login: JTookey69
CN is Jonthan Lilleniit, login: JLillenii36
CN is Joon Oshinski, login: JOshinski2
CN is Jurg Monet, login: JMonet77
CN is Kwok Mikelonis, login: KMikeloni43
CN is Lapkin Feddeman, login: LFeddeman12
CN is Layney Grubbs, login: LGrubbs24
CN is Letti Uchiyama, login: LUchiyama75
CN is Lionel Thibeault, login: LThibeaul92
Empty entry!
Count: 10
Quitting...

8. Add the following ACI to ou=PayRoll (in order to hide the people in PayRoll from the public directory):

1 ou=Payroll,dc=example,dc=com
aci: (targetattr="*")(version 3.0;acl "Deny the read of all the attributes";deny(read,search,compare) (userdn="ldap:///anyone");)

9. Re-launch the test script ./VLVSearch-Bug.pl

Actual Results:

The data are rather scrambled, with empty entries sometimes returned and the number of returned entries not corresponding to the "after" field in the vlv object:

[root@ldap-model DEVEL]# ./VLVSearch-Bug.pl
...Bound...
CN is Achal Hlady, login: AHlady28
CN is Adda Au, login: AAu93
CN is Adorne Jee, login: AJee41
CN is Afzal Ruban, login: ARuban19
CN is Alice Benefits, login: ABenefits88
CN is Arlene Biard, login: ABiard98
CN is Ashlie Coordinator, login: ACoordina73
CN is Azar Kalaichelvan, login: AKalaiche17
CN is Belle Tahamont, login: BTahamont34
CN is Betty McTurner, login: BMcTurner5
Empty entry!
Count: 10
CN is Catlaina Capretta, login: CCapretta78
CN is Charita Sheffield, login: CSheffiel62
CN is Charmine Quizmaster, login: CQuizmast14
CN is Ciaran Koren, login: CKoren89
CN is Claribel Molnar, login: CMolnar25
CN is EMPTY!
dn: uid=CFelczak49,ou=Payroll,dc=example,dc=com
CN is Cristine Buchko, login: CBuchko53
Empty entry!
Count: 7
CN is Cristine Buchko, login: CBuchko53
CN is Daffie Colquette, login: DColquett26
CN is Dalip Neifert, login: DNeifert16
CN is Danette Vexler, login: DVexler47
CN is Darci Kigyos, login: DKigyos55
CN is Debbi Fouillard, login: DFouillar86
CN is Debera Subissati, login: DSubissat3
CN is Devan Brungardt, login: DBrungard68
CN is Dodi Starks, login: DStarks35
Empty entry!
Count: 9
CN is Earnest Diersch, login: EDiersch31
CN is Eleanor Sym, login: ESym96
CN is Elex Jamieson, login: EJamieson60
CN is Fastmer Momon, login: FMomon13
CN is Giralda Schreiner, login: GSchreine20
CN is Ike Amelkar, login: IAmelkar74
CN is Irena Hailes, login: IHailes18
CN is Jagdish Dunnion, login: JDunnion44
Empty entry!
Count: 8
CN is Jeniece Tookey, login: JTookey69
CN is Jonthan Lilleniit, login: JLillenii36
CN is EMPTY!
dn: uid=JMonet77,ou=Payroll,dc=example,dc=com
CN is Kwok Mikelonis, login: KMikeloni43
CN is Layney Grubbs, login: LGrubbs24
CN is Letti Uchiyama, login: LUchiyama75
CN is Lionel Thibeault, login: LThibeaul92
Empty entry!
Count: 7
Quitting...

Expected Results:

The VLV search should return the same type of info as in the absence of ACI, i.e. by pages of ten and only the visible entries...

I also added the index, it does not help. The index, just in case (it corresponds to MS Outlook directory browsing):

dn: cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: Outlook Browse
objectClass: vlvsearch
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow(read, search,compare) userdn = "ldap:///anyone";)
vlvBase: dc=example,dc=com
vlvFilter: (&(mail=*)(cn=*))
vlvScope: 2

dn: cn=Outlook Browse Index,cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: Outlook Browse Index
objectClass: top
objectClass: vlvindex
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow(read, search,compare) userdn = "ldap:///anyone";)
vlvEnabled: 1
vlvSort: cn

service dirsrv stop
vlvindex -n userRoot -T "Outlook Browse Index"
service dirsrv start

I think it's a bug though I am not the expert in VLV...
Don't know whether the same bug applies to paged searches, I haven't tested. But it should not be difficult to change the script and test. There should be some similarities - tracking the state, absence of some entries because of ACIs, etc.
Created attachment 485759: LDIF Test case
Created attachment 485760: Test script
I've made a quick test with paging and sorting - it does not seem to be affected by this bug. So it's only VLV...
Upstream ticket: https://fedorahosted.org/389/ticket/60
This is working as expected. Once you add the deny aci for payroll, those "payroll" entries are not returned from the searches.

$ ~/vlv-script.pl | grep -i payroll | wc -l
11
$ ~/vlv-script.pl | grep CN | wc -l
50

Add deny aci:

$ ~/vlv-script.pl | grep -i payroll | wc -l
0
$ ~/vlv-script.pl | grep CN | wc -l
39

You can see that the 11 payroll entries are not present. Closing bug.
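
The grep counts in the closing comment can be extended to a per-page check that reports short pages and entries returned with only a DN under the denied subtree. This is an added example, not part of the bug report or the attached test script. It assumes the output format quoted in the report ("Count: N" closes a page, attribute-less entries are printed as "dn: <DN>"); `audit` and `norm_dn` are hypothetical names and the sample data is constructed.

```python
import re

# Constructed sample in the format of the VLVSearch-Bug.pl output quoted in
# this report (page size 3 instead of 10; names and DNs are made up).
SAMPLE = """\
...Bound...
CN is Test Alpha, login: TAlpha1
CN is Test Bravo, login: TBravo2
CN is Test Charlie, login: TCharlie3
Empty entry!
Count: 3
CN is Test Delta, login: TDelta4
CN is EMPTY!
dn: uid=TEcho5,ou=Payroll,dc=example,dc=com
Empty entry!
Count: 2
Quitting...
"""

def norm_dn(dn):
    """Lower-case and trim each RDN (assumes no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit(output, page_size, denied_suffix):
    """Return (page, finding, detail) tuples for one run of the script."""
    suffix = norm_dn(denied_suffix)
    findings, page, dn_only = [], 1, []
    for line in map(str.strip, output.splitlines()):
        if m := re.search(r"\bdn:\s*(.+)$", line):
            # Assumption: only attribute-less entries are printed with a DN.
            dn_only.append(m.group(1))
        elif m := re.fullmatch(r"Count:\s*(\d+)", line):
            # "Count:" closes a page; a value below page_size means the
            # server returned fewer entries than the requested window.
            if int(m.group(1)) < page_size:
                findings.append((page, "short_page", int(m.group(1))))
            for dn in dn_only:
                nd = norm_dn(dn)
                if nd == suffix or nd.endswith("," + suffix):
                    findings.append((page, "dn_in_denied_subtree", dn))
            page, dn_only = page + 1, []
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, 3, "ou=Payroll,dc=example,dc=com"):
        print(finding)
```

The last page of a listing can be short for legitimate reasons, so compare the findings against a run made without the deny ACI, as the report does.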