
Re: (ITS#4253) val.regex broken



On Fri, 2005-12-09 at 19:04 +0000, quanah@stanford.edu wrote:
> I can't duplicate my exact bug, but I can clearly illustrate with test003 
> that there is a bug in how the first val.regex ACL is treated.
> Using the following set of ACL's with test003, I can produce even yet 
> *another* bug:
> 
> access to attrs=cn val.regex="Mark.+"

Note that "Mark.+" is equivalent to "Mark.", and matches any string
__containing__ "Mark" followed by a char; so "My name is Mark!" and
"Hello Mark, how's it going?" will match.

>         by dn.exact="cn=Bjorn Jensen,ou=Information Technology 
> Division,ou=People,dc=example,dc=com" read
>         by * break
> 
> access to attrs=cn val.regex="James.+"
>         by dn.exact="cn=Barbara Jensen,ou=Information Technology 
> Division,ou=People,dc=example,dc=com" read
>         by * break
> 
> access to attrs=cn
>         by * search
> 
> access to *
>         by * read
> 
> 
> 
> Now, we know that "Mark Elliot" has two cn's, "Mark Elliot" and "Mark A 
> Elliot", so the first regex should allow *both* values to be returned for 
> "Bjorn", but it doesn't!
> 
> ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' -D 'cn=Bjorn 
> Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' -w 
> bjorn -LLL cn
> 
> dn: cn=Manager,dc=example,dc=com
> 
> dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
> cn: Mark Elliot
> 
> dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
> 
> 
> The search with Barbara doing something similar with "James" works as 
> expected:
> 
> ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' -D 'cn=Barbara 
> Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' -w 
> bjensen -LLL cn
> 
> 
> dn: cn=ITD Staff,ou=Groups,dc=example,dc=com
> 
> dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
> cn: James A Jones 1
> cn: James Jones
> 
> dn: cn=James A Jones 2,ou=Information Technology 
> Division,ou=People,dc=example
>  ,dc=com
> cn: James A Jones 2
> cn: James Jones
> 
> dn: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
> 
> 
> 
> Now, if we reverse the ACL's, we get the same erroneous behavior with 
> Barbara, but it is now correct for Bjorn!
> 
> access to attrs=cn val.regex="James.+"
>         by dn.exact="cn=Barbara Jensen,ou=Information Technology 
> Division,ou=People,dc=example,dc=com" read
>         by * break
> 
> access to attrs=cn val.regex="Mark.+"
>         by dn.exact="cn=Bjorn Jensen,ou=Information Technology 
> Division,ou=People,dc=example,dc=com" read
>         by * break
> 
> access to attrs=cn
>         by * search
> 
> access to *
>         by * read
> 
> 
> ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' -D 'cn=Barbara 
> Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' -w 
> bjensen -LLL cn
> 
> 
> dn: cn=ITD Staff,ou=Groups,dc=example,dc=com
> 
> dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
> cn: James A Jones 1
> 
> dn: cn=James A Jones 2,ou=Information Technology 
> Division,ou=People,dc=example
>  ,dc=com
> cn: James A Jones 2
> 
> dn: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
> 
> 
> 
> Here it is correct for Bjorn now:
> 
> ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' -D 'cn=Bjorn 
> Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' -w 
> bjorn -LLL cn
> 
> dn: cn=Manager,dc=example,dc=com
> 
> dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
> cn: Mark Elliot
> cn: Mark A Elliot
> 
> dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com

I have set up exactly the same ACLs you presented above, and I
consistently get both values regardless of the order I place ACLs.  I'm
using HEAD, and I compile without optimization, which means automatic
vars get set to 0; I'll recompile with optimization and try with re23 as
well, just in case.  Note that I'm using the rxspencer regex library.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
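
Added example, not part of the original message and not slapd code: a small C program that checks the reply's remark about "Mark.+" with POSIX `regcomp`/`regexec`, with an anchored pattern added for contrast. It assumes POSIX extended regex syntax; the sample values are constructed from the strings quoted in the thread plus two extra cases, and the function names are hypothetical.

```c
/* Added illustration; not slapd source. Assumes POSIX extended regex syntax. */
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample values: the two cn values and the two sentences quoted
 * in the message, plus two extra cases. */
static const char *const SAMPLE[] = {
    "Mark Elliot", "Mark A Elliot",
    "My name is Mark!", "Hello Mark, how's it going?",
    "Mark",          /* nothing after "Mark", so ".+" cannot match */
    "James Jones",
};
#define N_SAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Number of values the pattern selects; -1 if the pattern does not compile.
 * regexec() searches anywhere in the string unless the pattern is anchored. */
int count_matches(const char *pattern, const char *const *values, size_t n)
{
    regex_t re;
    int hits = 0;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (regexec(&re, values[i], 0, NULL, 0) == 0)
            hits++;
    regfree(&re);
    return hits;
}

/* 1 if the single value matches, 0 if not, -1 on a bad pattern. */
int value_matches(const char *pattern, const char *value)
{
    return count_matches(pattern, &value, 1);
}

int main(void)
{
    const char *patterns[] = { "Mark.+", "Mark.", "^Mark.+" };

    for (size_t p = 0; p < sizeof patterns / sizeof patterns[0]; p++) {
        printf("%-8s selects %d of %zu values\n", patterns[p],
               count_matches(patterns[p], SAMPLE, N_SAMPLE), N_SAMPLE);
    }
    return 0;
}
```

The unanchored patterns select the same set of values, including the two sentences that merely contain "Mark"; only the `^`-anchored pattern restricts the match to values that begin with it.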