https://bugzilla.redhat.com/show_bug.cgi?id=688182
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15

When searching using ServerSideSearch control and VirtualListView control it does not seem to take into account some configured ACIs (for example, when returning the contentCount field of the VirtualListView response control). Sometimes it returns even empty entries with only dn attribute.

Reproducible: Always

Steps to Reproduce:

1. Install the 389 server. I used our production version which is 1.2.6.1 but the problem exists for some time and some reports on the list suggest it is still present in 1.2.7.x, I think in 1.2.8.x also.
2. setup-ds-admin.pl with dc=example,dc=com
3. /etc/init.d/dirsrv stop
4. vi dse.ldif -> add the right to anonymous user to use the VLV feature:

    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
    ...
    aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read , search, compare, proxy ) userdn = "ldap:///anyone";)
    ...

5. ldif2db -n userRoot -i /tmp/example-VLV.ldif . The file example-VLV.ldif is attached to this bug.
6. Run the test script (attached to this bug): ./VLVSearch-Bug.pl
7. Everything is ok for the moment:

    [root@ldap-model DEVEL]# ./VLVSearch-Bug.pl
    ...Bound...
    CN is Achal Hlady, login: AHlady28
    CN is Adda Au, login: AAu93
    CN is Adorne Jee, login: AJee41
    CN is Afzal Ruban, login: ARuban19
    CN is Alice Benefits, login: ABenefits88
    CN is Arlene Biard, login: ABiard98
    CN is Ashlie Coordinator, login: ACoordina73
    CN is Azar Kalaichelvan, login: AKalaiche17
    CN is Belle Tahamont, login: BTahamont34
    CN is Betty McTurner, login: BMcTurner5
    Empty entry!
    Count: 10
    CN is Carin Talis, login: CTalis15
    CN is Catlaina Capretta, login: CCapretta78
    CN is Charita Sheffield, login: CSheffiel62
    CN is Charmine Quizmaster, login: CQuizmast14
    CN is Ciaran Koren, login: CKoren89
    CN is Clareta Dufresne, login: CDufresne91
    CN is Claribel Molnar, login: CMolnar25
    CN is Conrad Stadelmeier, login: CStadelme81
    CN is Correy Felczak, login: CFelczak49
    CN is Cristine Buchko, login: CBuchko53
    Empty entry!
    Count: 10
    CN is Cristine Buchko, login: CBuchko53
    CN is Daffie Colquette, login: DColquett26
    CN is Dalip Neifert, login: DNeifert16
    CN is Danette Vexler, login: DVexler47
    CN is Darci Kigyos, login: DKigyos55
    CN is Debbi Fouillard, login: DFouillar86
    CN is Debera Subissati, login: DSubissat3
    CN is Devan Brungardt, login: DBrungard68
    CN is Diego Laurent, login: DLaurent72
    CN is Dodi Starks, login: DStarks35
    Empty entry!
    Count: 10
    CN is Dre Sarlos, login: DSarlos63
    CN is Earnest Diersch, login: EDiersch31
    CN is Eirik Milstead, login: EMilstead57
    CN is Eleanor Sym, login: ESym96
    CN is Elex Jamieson, login: EJamieson60
    CN is Fastmer Momon, login: FMomon13
    CN is Giralda Schreiner, login: GSchreine20
    CN is Ike Amelkar, login: IAmelkar74
    CN is Irena Hailes, login: IHailes18
    CN is Jagdish Dunnion, login: JDunnion44
    Empty entry!
    Count: 10
    CN is Janice Scissons, login: JScissons71
    CN is Jeniece Tookey, login: JTookey69
    CN is Jonthan Lilleniit, login: JLillenii36
    CN is Joon Oshinski, login: JOshinski2
    CN is Jurg Monet, login: JMonet77
    CN is Kwok Mikelonis, login: KMikeloni43
    CN is Lapkin Feddeman, login: LFeddeman12
    CN is Layney Grubbs, login: LGrubbs24
    CN is Letti Uchiyama, login: LUchiyama75
    CN is Lionel Thibeault, login: LThibeaul92
    Empty entry!
    Count: 10
    Quitting...

8. Add the following ACI to ou=PayRoll (in order to hide the people in PayRoll from the public directory):

    1 ou=Payroll,dc=example,dc=com
    aci: (targetattr="*")(version 3.0;acl "Deny the read of all the attributes";deny(read,search,compare) (userdn="ldap:///anyone");)

9. Re-launch the test script ./VLVSearch-Bug.pl

Actual Results:

The data are rather scrambled with empty entries sometimes returned and the number of returned entries not corresponding to "after" field in the vlv object:

    [root@ldap-model DEVEL]# ./VLVSearch-Bug.pl
    ...Bound...
    CN is Achal Hlady, login: AHlady28
    CN is Adda Au, login: AAu93
    CN is Adorne Jee, login: AJee41
    CN is Afzal Ruban, login: ARuban19
    CN is Alice Benefits, login: ABenefits88
    CN is Arlene Biard, login: ABiard98
    CN is Ashlie Coordinator, login: ACoordina73
    CN is Azar Kalaichelvan, login: AKalaiche17
    CN is Belle Tahamont, login: BTahamont34
    CN is Betty McTurner, login: BMcTurner5
    Empty entry!
    Count: 10
    CN is Catlaina Capretta, login: CCapretta78
    CN is Charita Sheffield, login: CSheffiel62
    CN is Charmine Quizmaster, login: CQuizmast14
    CN is Ciaran Koren, login: CKoren89
    CN is Claribel Molnar, login: CMolnar25
    CN is EMPTY!
    dn: uid=CFelczak49,ou=Payroll,dc=example,dc=com
    CN is Cristine Buchko, login: CBuchko53
    Empty entry!
    Count: 7
    CN is Cristine Buchko, login: CBuchko53
    CN is Daffie Colquette, login: DColquett26
    CN is Dalip Neifert, login: DNeifert16
    CN is Danette Vexler, login: DVexler47
    CN is Darci Kigyos, login: DKigyos55
    CN is Debbi Fouillard, login: DFouillar86
    CN is Debera Subissati, login: DSubissat3
    CN is Devan Brungardt, login: DBrungard68
    CN is Dodi Starks, login: DStarks35
    Empty entry!
    Count: 9
    CN is Earnest Diersch, login: EDiersch31
    CN is Eleanor Sym, login: ESym96
    CN is Elex Jamieson, login: EJamieson60
    CN is Fastmer Momon, login: FMomon13
    CN is Giralda Schreiner, login: GSchreine20
    CN is Ike Amelkar, login: IAmelkar74
    CN is Irena Hailes, login: IHailes18
    CN is Jagdish Dunnion, login: JDunnion44
    Empty entry!
    Count: 8
    CN is Jeniece Tookey, login: JTookey69
    CN is Jonthan Lilleniit, login: JLillenii36
    CN is EMPTY!
    dn: uid=JMonet77,ou=Payroll,dc=example,dc=com
    CN is Kwok Mikelonis, login: KMikeloni43
    CN is Layney Grubbs, login: LGrubbs24
    CN is Letti Uchiyama, login: LUchiyama75
    CN is Lionel Thibeault, login: LThibeaul92
    Empty entry!
    Count: 7
    Quitting...

Expected Results:

The VLV search should return the same type of info as in the absence of ACI, i.e. by pages of ten and only the visible entries...

I also added the index, it does not help. The index, just in case (it corresponds to MS Outlook directory browsing):

    dn: cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    cn: Outlook Browse
    objectClass: vlvsearch
    aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow(read, search,compare) userdn = "ldap:///anyone";)
    vlvBase: dc=example,dc=com
    vlvFilter: (&(mail=*)(cn=*))
    vlvScope: 2

    dn: cn=Outlook Browse Index,cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    cn: Outlook Browse Index
    objectClass: top
    objectClass: vlvindex
    aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow(read, search,compare) userdn = "ldap:///anyone";)
    vlvEnabled: 1
    vlvSort: cn

    service dirsrv stop
    vlvindex -n userRoot -T "Outlook Browse Index"
    service dirsrv start

I think it's a bug though I am not the expert in VLV...
set default ticket origin to Community
Added initial screened field value.
This is working as expected. Once you add the deny aci for payroll, those "payroll" entries are not returned from the searches.
    $ ~/vlv-script.pl | grep -i payroll | wc -l
    11
    $ ~/vlv-script.pl | grep CN | wc -l
    50
Add deny aci:
    $ ~/vlv-script.pl | grep -i payroll | wc -l
    0
    $ ~/vlv-script.pl | grep CN | wc -l
    39
You can see that the 11 payroll entries are not present. Closing ticket/bug.
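A page-aware way to read the test script's output, added here as an example (not code from the ticket or from the 389-ds project): it flags pages shorter than the requested size and DN-only entries at or below a subtree that a deny ACI is meant to hide. The sample output is constructed in the format shown in the report, and the function names `norm_dn`, `parse_pages` and `audit` are hypothetical.

```python
import re

# Constructed sample in the report's output format (page size 3, not 10).
SAMPLE = """\
...Bound...
CN is Achal Hlady, login: AHlady28
CN is Adda Au, login: AAu93
CN is Adorne Jee, login: AJee41
Empty entry!
Count: 3
CN is Ciaran Koren, login: CKoren89
CN is EMPTY!
dn: uid=CFelczak49,ou=Payroll,dc=example,dc=com
Empty entry!
Count: 2
Quitting...
"""

def norm_dn(dn):
    # Simplified DN comparison form: lower-case, no spaces around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_pages(text):
    """Split the output into pages; each 'Count: N' line closes one page."""
    pages, cur = [], {"logins": [], "dn_only": []}
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"CN is (.+), login: (\S+)", line):
            cur["logins"].append(m.group(2))
        elif line.startswith("dn: "):      # entry returned with its DN only
            cur["dn_only"].append(line[4:])
        elif m := re.fullmatch(r"Count: (\d+)", line):
            cur["count"] = int(m.group(1))
            pages.append(cur)
            cur = {"logins": [], "dn_only": []}
    return pages

def audit(text, page_size, hidden_base):
    """Flag short pages and DN-only entries at or below hidden_base."""
    base, findings = norm_dn(hidden_base), []
    for n, page in enumerate(parse_pages(text), 1):
        if page["count"] < page_size:
            findings.append((n, "short_page", page["count"]))
        for dn in page["dn_only"]:
            if norm_dn(dn) == base or norm_dn(dn).endswith("," + base):
                findings.append((n, "hidden_dn", dn))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, 3, "ou=Payroll,dc=example,dc=com"))
```

A short final page is normal at the end of a list, so `short_page` findings matter mainly for pages before the last one.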
Metadata Update from @nkinder: - Issue assigned to mreynolds - Issue set to the milestone: 1.3.6.0
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/60
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Invalid)