[Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

thierry bordaz tbordaz at redhat.com
Thu Jun 16 10:18:50 UTC 2016



On 06/16/2016 12:14 PM, Petr Spacek wrote:
> On 16.6.2016 12:12, Ludwig Krispenz wrote:
>> On 06/16/2016 12:00 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> Require 389-ds-base >= 1.3.5.6
>>>
>>> Old DS handles LDAP filters incorrectly
>> no. Old DS handles filters strictly as documented in the admin guide,
>> requiring access rights to each attribute used in the search filter. This was
>> known and applications had to adapt, in your case there would have had to be
>> two searches one with the (&()()) filter and one with (|()()()()).
> You know, it is quite hard to adapt when your application relies on one SyncRepl
> session ...
>
> Anyway, feel free to send a patch with a rephrased commit message if you wish, I'm
> okay with superseding my patch with yours.

Note that https://fedorahosted.org/freeipa/ticket/5944 (patch 0019 still 
under review) has the same requirement on DS >=1.3.5.5.

So the requirement >=1.3.5.6 makes me happy.

thanks
thierry
>
> Petr^2 Spacek
>
>> This was improved in the latest version and components without access are
>> ignored in filter evaluation to avoid the problems you did run into.
>>
>> otherwise your fix is ok
>>
>> Ludwig
>>> and breaks bind-dyndb-ldap.
>>> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>>
>>> https://fedorahosted.org/freeipa/ticket/2008



