Bug 802675 - Invalid syntax with get-effective-rights
Summary: Invalid syntax with get-effective-rights
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: python-ldap
Version: 17
Hardware: Unspecified
OS: Unspecified
Assignee: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-03-13 09:17 UTC by Martin Kosek
Modified: 2012-03-20 16:14 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-03-20 16:14:35 UTC

Description Martin Kosek 2012-03-13 09:17:40 UTC
Description of problem:
New python-ldap (python-ldap-2.4.6-2.fc17.x86_64) can no longer retrieve effective rights for an LDAP object. I get the following traceback when I try to retrieve effective rights:

Traceback (most recent call last):
  File "/home/mkosek/bin/testaci.py", line 19, in <module>
    conn.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['cn'])
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 552, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 546, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_SYNTAX: {'info': 'get-effective-rights: missing subject', 'desc': 'Invalid syntax'}

Error in dirsrv error log:
[13/Mar/2012:04:39:06 -0400] NSACLPlugin - get-effective-rights: missing subject
[13/Mar/2012:04:39:06 -0400] - Failed to get effective rights for entry (uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com), rc=21

Version-Release number of selected component (if applicable):
python-ldap-2.4.6-2.fc17.x86_64

How reproducible:

I have prepared a Python script to reproduce this issue:

./testaci.py:
#!/usr/bin/python
import ldap

HOST = "ldap://vm-068.idm.lab.bos.redhat.com"
USER_DN = "uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
USER_PWD = "ADMINPASSWORD"

conn = ldap.initialize(HOST)
conn.simple_bind_s(USER_DN, USER_PWD)

print "test search"
conn.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['cn'])

print "test search with effective rights control"
sctrl = [ldap.controls.LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: %s" % USER_DN)]
conn.set_option(ldap.OPT_SERVER_CONTROLS, sctrl)
conn.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['cn'])
conn.set_option(ldap.OPT_SERVER_CONTROLS, [])
conn.unbind_s()
print "TEST OK"


Steps to Reproduce:
1. Run the script against LDAP server
2. Check the result
  
Actual results:
Operation fails with an exception.

Expected results:
Operation succeeds as it did before python-ldap upgrade (python-ldap-2.4.6-2.fc17.x86_64)

Additional info:

Comment 1 Jeroen van Meeuwen 2012-03-20 16:14:35 UTC
With additional debug information enabled:

test search with effective rights control
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7f0cd7584440> ldap://localhost - SimpleLDAPObject.set_option
((18, [('1.3.6.1.4.1.42.2.27.9.5.2', True, None)]), {})

Indeed python-ldap is sending None as the dn subject to search for.

Why not use GetEffectiveRightsControl from ldap.controls.simple?

I'm closing this ticket for now, as it seems to satisfy the requirement from my tests.
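
The following is an added example, not part of the original bug report or of python-ldap itself: it builds the control with GetEffectiveRightsControl as suggested in comment 1 and checks the (oid, criticality, value) tuple before the search is sent. It assumes Python 3 with a current python-ldap; the helper names control_problems, ger_control and search_with_rights are hypothetical.

```python
GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"  # Get Effective Rights OID from the report


def control_problems(ctrl_tuples):
    """Inspect (oid, criticality, value) tuples, the shape shown in the debug
    trace, and return a list of problems with any GER control among them."""
    problems = []
    for oid, _criticality, value in ctrl_tuples:
        if oid != GER_OID:
            continue
        if isinstance(value, str):
            value = value.encode("utf-8")
        if not value:
            # This is the case in the trace: the value went out as None.
            problems.append("GER control has no value (server: 'missing subject')")
        elif not value.lower().startswith(b"dn:"):
            # Assumption: the subject uses the "dn: <DN>" form from the script.
            problems.append("GER subject is not in 'dn: <DN>' form")
    return problems


def ger_control(subject_dn):
    """Build the control with python-ldap's class (imported lazily)."""
    from ldap.controls.simple import GetEffectiveRightsControl
    # The second argument is stored as the encoded value that is sent.
    # LDAPControl(oid, crit, x) instead stores x as controlValue, which
    # encodeControlValue() does not return.
    return GetEffectiveRightsControl(True, ("dn: %s" % subject_dn).encode("utf-8"))


def search_with_rights(conn, base_dn, subject_dn, attrs):
    """Base-scope search with the GER control attached to this request only,
    rather than set connection-wide through OPT_SERVER_CONTROLS."""
    import ldap
    from ldap.controls import RequestControlTuples
    ctrl = ger_control(subject_dn)
    problems = control_problems(RequestControlTuples([ctrl]))
    if problems:
        raise ValueError("; ".join(problems))
    return conn.search_ext_s(base_dn, ldap.SCOPE_BASE, "(objectClass=*)",
                             attrs, serverctrls=[ctrl])


# Constructed sample: the tuple from the debug trace is rejected up front.
if __name__ == "__main__":
    print(control_problems([(GER_OID, True, None)]))
```

search_with_rights needs a bound connection to a directory server; control_problems can be run on its own against tuples copied from python-ldap's trace output.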

