My Oracle Support Banner

ODSEE / OUD - Search Filters Containing Attributes That Are Not Included in an Allow ACI Fail To Return Any Entries (Doc ID 1917825.1)

Last updated on MAY 02, 2019

Applies to:

Oracle Directory Server Enterprise Edition - Version and later
Oracle Unified Directory - Version and later
Information in this document applies to any platform.


A search filter has been constructed that includes an attribute that the binding DN does not have access privileges to.  When this is the case, no entries are returned even if the search filter components are all joined by the OR operator such that some of the search components do match entries within the database.

Here is a simple example to illustrate the behavior...

The following search will return an entry since the binding DN of anonymous has read privileges to the uid and cn attributes...

# ./ldapsearch -b "dc=<SUFFIX>,dc=com" "(|(uid=<UID>)(cn=<CN>))"
version: 1
dn: uid=<UID>,ou=people,dc=<SUFFIX>,dc=com
sn: <SN>
givenName: <GIVENNAME>
uid: <UID>

However, if the filter uses an attribute that the binding DN does not have privileges to, then no result is returned even if one of the filter components has matching entries.  In the example below, anonymous does not have any privileges to the attribute alterEgo...

# ./ldapsearch -b "dc=<SUFFIX>,dc=com" "(|(uid=<UID>)(alterEgo=<CN>))"

Shouldn't the second search have returned the same entry since one of the search components in the OR search filter (uid=<UID>) does match the entry?


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.