[Freeipa-users] search filter with non-existent attribute

Petr Spacek pspacek at redhat.com
Tue Jun 23 15:01:12 UTC 2015


On 23.6.2015 15:41, Tamas Papp wrote:
> hi,
> 
> This works:
> 
> $ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn "(|(mail=admin*)(uid=admin))" uid
> dn: uid=admin,cn=users,cn=accounts,dc=cxn
> uid: admin
> 
> 
> This does not:
> 
> $ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=cxn "(|(aaa=admin*)(uid=admin))" uid
> $
> 
> 
> If there is a search filter with a non-existent attribute, there is no result.
> Is that intentional? In CentOS 6.6 it worked just fine.

As far as I can tell, this happens when the search is attempting to evaluate
the filter and access to that attribute is denied by ACI. In newer versions of
FreeIPA, everything is closed by default and access is allowed only to a certain
subset of attributes.

What version of FreeIPA do you have? What version of 389-ds-base package do
you have?

$ rpm -q 389-ds-base freeipa-server ipa-server

-- 
Petr^2 Spacek



