[Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

Ludwig Krispenz lkrispen at redhat.com
Thu Jun 16 10:21:28 UTC 2016


On 06/16/2016 12:14 PM, Petr Spacek wrote:
> On 16.6.2016 12:12, Ludwig Krispenz wrote:
>> On 06/16/2016 12:00 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> Require 389-ds-base >= 1.3.5.6
>>>
>>> Old DS handles LDAP filters incorrectly
>> no. Old DS handles filters strictly as documented in the admin guide,
>> requiring access rights to each attribute used in the search filter. This was
>> known and applications had to adapt; in your case there would have had to be
>> two searches, one with the (&()()) filter and one with (|()()()()).
> You know, it is quite hard to adapt when your application relies on one SyncRepl
> session ...
>
> Anyway, feel free to send patch with rephrased commit message if you wish, I'm
> okay with superseding my patch with yours.
no, it's fine, only sometimes I need to defend DS a bit
>
> Petr^2 Spacek
>
>> This was improved in the latest version and components without access are
>> ignored in filter evaluation to avoid the problems you did run into.
>>
>> otherwise your fix is ok
>>
>> Ludwig
>>> and breaks bind-dyndb-ldap.
>>> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>>
>>> https://fedorahosted.org/freeipa/ticket/2008

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
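
A simplified model of the two filter-evaluation behaviours described in this thread, added here as an illustration and not taken from 389-ds-base or from the patch. The entry, attribute names and readable set are constructed, and treating an unreadable component as non-matching is an assumption about what "ignored" means.

```python
# Toy model (constructed; not 389-ds-base code) of access checks on search filters.
# A filter is a nested tuple: ("&", f1, ...), ("|", f1, ...) or ("=", attr, value).

def attrs_in(flt):
    """Return every attribute name referenced anywhere in the filter."""
    if flt[0] == "=":
        return {flt[1]}
    return set().union(*(attrs_in(sub) for sub in flt[1:]))

def evaluate(flt, entry, readable):
    """Evaluate the filter; a leaf on an unreadable attribute never matches."""
    op = flt[0]
    if op == "=":
        _, attr, value = flt
        return attr in readable and value in entry.get(attr, [])
    results = [evaluate(sub, entry, readable) for sub in flt[1:]]
    return all(results) if op == "&" else any(results)

def matches_strict(flt, entry, readable):
    """Older behaviour as described: every attribute in the filter must be readable."""
    if not attrs_in(flt) <= set(readable):
        return False
    return evaluate(flt, entry, readable)

def matches_lenient(flt, entry, readable):
    """Newer behaviour as described: unreadable components drop out (assumption: as no-match)."""
    return evaluate(flt, entry, readable)

# Constructed sample data: the bound client may read objectClass and cn only.
ENTRY = {"objectClass": ["zone"], "cn": ["example"], "description": ["internal"]}
READABLE = {"objectClass", "cn"}
OR_FILTER = ("|", ("=", "objectClass", "zone"), ("=", "description", "internal"))
AND_FILTER = ("&", ("=", "objectClass", "zone"), ("=", "description", "internal"))

if __name__ == "__main__":
    for name, flt in (("OR", OR_FILTER), ("AND", AND_FILTER)):
        print(name, "strict:", matches_strict(flt, ENTRY, READABLE),
              "lenient:", matches_lenient(flt, ENTRY, READABLE))
```

In this model the OR filter is the case that changes between the two behaviours: the strict check rejects the entry because of one unreadable component, while the lenient check still matches on the readable one. The AND filter fails in both, so no entry is returned on the strength of an attribute the client cannot read.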



