Re: (ITS#4253) val.regex broken
--On Friday, December 09, 2005 9:28 AM +0000 ando@sys-net.it wrote:
> - add to slapd.conf the ACLs:
>
> <slapd.1.conf>
> access to attrs=cn val.regex="Mark Elliot"
>     by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
>     by * break
>
> access to attrs=cn val.regex="Mark A Elliot"
>     by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
>     by * break
>
> access to attrs=cn
> by * search
>
> access to *
> by * read
> </slapd.1.conf>
Pierangelo,
I can't duplicate my exact bug, but I can clearly illustrate with test003
that there is a bug in how the first val.regex ACL is treated.
Using the following set of ACLs with test003, I can produce yet
*another* bug:
access to attrs=cn val.regex="Mark.+"
    by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break
access to attrs=cn val.regex="James.+"
    by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break
access to attrs=cn
    by * search
access to *
    by * read
Now, we know that "Mark Elliot" has two cn values, "Mark Elliot" and "Mark A
Elliot", so the first regex should allow *both* values to be returned for
"Bjorn", but it doesn't!
ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' \
    -D 'cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' \
    -w bjorn -LLL cn
dn: cn=Manager,dc=example,dc=com
dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
cn: Mark Elliot
dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
The search with Barbara doing something similar with "James" works as
expected:
ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' \
    -D 'cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' \
    -w bjensen -LLL cn
dn: cn=ITD Staff,ou=Groups,dc=example,dc=com
dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
cn: James A Jones 1
cn: James Jones
dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example,dc=com
cn: James A Jones 2
cn: James Jones
dn: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
Now, if we reverse the ACLs, we get the same erroneous behavior with
Barbara, but it is now correct for Bjorn!
access to attrs=cn val.regex="James.+"
    by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break
access to attrs=cn val.regex="Mark.+"
    by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
    by * break
access to attrs=cn
    by * search
access to *
    by * read
ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' \
    -D 'cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' \
    -w bjensen -LLL cn
dn: cn=ITD Staff,ou=Groups,dc=example,dc=com
dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
cn: James A Jones 1
dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example,dc=com
cn: James A Jones 2
dn: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
Here it is correct for Bjorn now:
ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' \
    -D 'cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' \
    -w bjorn -LLL cn
dn: cn=Manager,dc=example,dc=com
dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
cn: Mark Elliot
cn: Mark A Elliot
dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
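Added illustration, not part of this message and not OpenLDAP's code: a small Python model of the evaluation order slapd.access(5) documents for value-level ACLs (the first "access to" clause whose attribute/value selector matches is selected, the first matching "by" clause inside it decides, "stop" ends evaluation, "break" hands over to the next "access to" clause, and an implicit "by * none" closes each clause). It encodes both ACL orderings from the message and the multi-valued cn attributes of the test003 entries quoted above, and reports which cn values each bind DN should be able to read. The class names AccessTo and By, the constructed cn lists and the treatment of val.regex as an unanchored regexec(3)-style match are assumptions of the model; privilege arithmetic ("+"/"-") and the "entry" pseudo-attribute are left out.

```python
"""Illustrative model of slapd.access(5) evaluation for val.regex ACLs.

Written for this page; it is not slapd's code. Simplifications: only exact
requester DNs and "*" are modelled, privilege arithmetic ("+"/"-") is
ignored, and the "entry" pseudo-attribute (covered here by "access to *")
is out of scope, so only attribute values are evaluated.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Access levels in increasing order of privilege.
LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6}


@dataclass
class By:
    who: Optional[str]        # exact bind DN, or None for "*"
    level: str = "none"       # access granted when this clause matches
    control: str = "stop"     # "stop" (default) or "break"


@dataclass
class AccessTo:
    attrs: Optional[Set[str]] = None   # None means "*" (any attribute)
    val_regex: Optional[str] = None    # val.regex selector; assumed unanchored
    by: List[By] = field(default_factory=list)


def evaluate(acls, requester_dn, attr, value):
    """Access level requester_dn gets on one value of attr."""
    for clause in acls:
        if clause.attrs is not None and attr not in clause.attrs:
            continue
        if clause.val_regex is not None and not re.search(clause.val_regex, value):
            continue
        # This "access to" clause matches the attribute/value: walk its by clauses.
        for by in clause.by:
            if by.who is not None and by.who != requester_dn:
                continue
            if by.control == "break":
                break              # hand over to the next "access to" clause
            return by.level        # "stop": the first matching by clause decides
        else:
            return "none"          # implicit "by * none" at the end of a clause
    return "none"                  # no clause matched at all


def readable_values(acls, requester_dn, attr, values):
    """Values of attr that would come back in a search result for requester_dn."""
    return [v for v in values
            if LEVELS[evaluate(acls, requester_dn, attr, v)] >= LEVELS["read"]]


# Bind DNs and ACLs as they appear in the message above.
BJORN = "cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BARBARA = "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"

MARK_CLAUSE = AccessTo({"cn"}, "Mark.+", [By(BJORN, "read"), By(None, control="break")])
JAMES_CLAUSE = AccessTo({"cn"}, "James.+", [By(BARBARA, "read"), By(None, control="break")])
TAIL = [AccessTo({"cn"}, None, [By(None, "search")]),   # access to attrs=cn by * search
        AccessTo(None, None, [By(None, "read")])]       # access to * by * read
ACLS_MARK_FIRST = [MARK_CLAUSE, JAMES_CLAUSE] + TAIL
ACLS_JAMES_FIRST = [JAMES_CLAUSE, MARK_CLAUSE] + TAIL

# Constructed multi-valued cn attributes, matching the test003 entries quoted above.
MARK_CN = ["Mark Elliot", "Mark A Elliot"]
JAMES1_CN = ["James A Jones 1", "James Jones"]

if __name__ == "__main__":
    for name, acls in (("Mark clause first", ACLS_MARK_FIRST),
                       ("James clause first", ACLS_JAMES_FIRST)):
        print(name)
        print("  Bjorn   reads Mark's cn:  ", readable_values(acls, BJORN, "cn", MARK_CN))
        print("  Barbara reads James's cn: ", readable_values(acls, BARBARA, "cn", JAMES1_CN))
        print("  Bjorn   on James's cn:    ", evaluate(acls, BJORN, "cn", "James Jones"))
```

Under this model the order of the two val.regex clauses makes no difference: Bjorn reads both "Mark Elliot" and "Mark A Elliot", Barbara reads both James values, and everyone else gets only search on cn. The first ldapsearch in the message returned a single "Mark Elliot" value, which is exactly the divergence the report is about. When chasing this on a real server, slapacl(8) lets you ask the question per value instead of inferring it from search output: run it with the same slapd.conf and bind DN and an attr/access:value argument such as "cn/read:Mark A Elliot".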