
Re: OpenLDAP goes too deep with regex's (ITS#2174)




--On Monday, November 11, 2002 10:32 AM -0800 "Kurt D. Zeilenga" 
<Kurt@OpenLDAP.org> wrote:

> Quanah,
>
>  From this report and the follow-ups, it's a little unclear
> as to exactly what your problem is.
>
> Are you reporting that after finding one entry, slapd should
> not consider other possible candidates?  If so, then I would
> say that, no, slapd should consider all possible candidates.
>
> Are you reporting that in the consideration of one particular
> entry, slapd doesn't short circuit the filter evaluation?  If
> so, then I would ask that you provide additional information
> (such as detail logging) as the entry filter code is designed
> to support short cutting of AND and OR filter components.

Kurt,

I think I'm reporting the fact that after it considers my krb5PrincipalName 
as what it wants, it continues without short-circuiting the filter 
evaluation.

From the logs:

Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 497692 local4.debug] slap_sasl_regexp: converted SASL name to ldaps:///cn=People,dc=stanford,dc=edu??sub?(|(krb5PrincipalName=quanah@stanford.edu)(suKrb5name=quanah@stanford.edu))
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 151145 local4.debug] slap_parseURI: parsing ldaps:///cn=People,dc=stanford,dc=edu??sub?(|(krb5PrincipalName=quanah@stanford.edu)(suKrb5name=quanah@stanford.edu))
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 950877 local4.debug] str2filter "(|(krb5PrincipalName=quanah@stanford.edu)(suKrb5name=quanah@stanford.edu))"


Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 923158 local4.debug] => access_allowed: search access to "suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu" "krb5PrincipalName" requested

Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 704950 local4.debug] <= check a_dn_pat: *
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 279303 local4.debug] <= acl_mask: [4] applying search(=scx) (stop)
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 804284 local4.debug] <= acl_mask: [4] mask: search(=scx)
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 384072 local4.debug] => access_allowed: search access granted by search(=scx)
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 791166 local4.debug] <= test_filter 5
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 344839 local4.debug] => test_filter
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 494872 local4.debug] EQUALITY

Then, it continues on:

Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 923158 local4.debug] => access_allowed: search access to "suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu" "suKrb5name" requested
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 184944 local4.debug] => dn: [1]
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 967793 local4.debug] => acl_get: [2] check attr suKrb5name
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 155642 local4.debug] <= acl_get: [2] acl suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu attr: suKrb5name
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 971074 local4.debug] => acl_mask: access to entry "suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu", attr "suKrb5name" requested


Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 704950 local4.debug] <= check a_dn_pat: *
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 279303 local4.debug] <= acl_mask: [4] applying search(=scx) (stop)
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 804284 local4.debug] <= acl_mask: [4] mask: search(=scx)
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 384072 local4.debug] => access_allowed: search access granted by search(=scx)
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 791166 local4.debug] <= test_filter 6
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 238222 local4.debug] <= test_filter_or 6
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 791166 local4.debug] <= test_filter 6
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 241745 local4.debug] ====> bdb_cache_return_entry_r( 11 ): returned (0)



So, even though it received the EQUALITY for krb5PrincipalName, it did not 
short-circuit the search, and continued with a check for suKrb5Name.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
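
An added example, not part of the original message or of OpenLDAP: a small Python parser that pairs each attribute in a slapd filter trace with the number logged after "<= test_filter", and lists any OR component that was tested after an earlier one had already returned compareTrue. The function names are hypothetical, the sample lines are constructed from the trace above, and reading the logged number as the LDAP result code (5 = compareFalse, 6 = compareTrue in RFC 4511) is an assumption about slapd's debug output.

```python
import re

# LDAP result codes (RFC 4511); assumed to be the number slapd logs after "<= test_filter".
COMPARE_FALSE, COMPARE_TRUE = 5, 6

# Constructed sample: the trace above with the syslog prefix removed and the DN shortened.
SAMPLE = '''\
=> access_allowed: search access to "suRegID=example,cn=People,dc=stanford,dc=edu" "krb5PrincipalName" requested
=> access_allowed: search access granted by search(=scx)
<= test_filter 5
=> test_filter
    EQUALITY
=> access_allowed: search access to "suRegID=example,cn=People,dc=stanford,dc=edu" "suKrb5name" requested
=> access_allowed: search access granted by search(=scx)
<= test_filter 6
<= test_filter_or 6
<= test_filter 6
'''

ACCESS = re.compile(r'=> access_allowed: \w+ access to "[^"]*" "([^"]+)" requested')
RETURN = re.compile(r'<= (test_filter(?:_or)?) (\d+)')

def trace(log):
    """Return ([(attr, code), ...] in evaluation order, code returned by the OR)."""
    components, pending, or_result = [], None, None
    for line in log.splitlines():
        m = ACCESS.search(line)
        if m:                      # attribute about to be compared
            pending = m.group(1)
            continue
        m = RETURN.search(line)
        if not m:
            continue
        func, code = m.group(1), int(m.group(2))
        if func == "test_filter_or":
            or_result = code
        elif pending is not None:  # return of the component that read `pending`
            components.append((pending, code))
            pending = None         # later bare returns belong to the enclosing filter
    return components, or_result

def evaluated_after_match(components):
    """Attributes tested although an earlier OR component had returned compareTrue."""
    seen_true, extra = False, []
    for attr, code in components:
        if seen_true:
            extra.append(attr)
        seen_true = seen_true or code == COMPARE_TRUE
    return extra
```

The parser expects one log record per line, so records wrapped by a mail client or terminal have to be rejoined before they are passed in.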