[Date Prev][Date Next]
(ITS#8182) setspec matching fails unexpectedly
Full_Name: Daniel Kauffman
OS: Debian 8.1
Submission from: (NULL) (22.214.171.124)
Using access control set=<setspec> to compare an attribute value against a
string converts the attribute value to lower case but does not convert the
string to lower case, so matching sometimes fails unexpectedly.
When an attribute value is compared against a string, matching should use the
attribute equality matching rule to determine whether or not to do a
case-sensitive match. An exact match would not convert either the attribute
value or the string, and a case-insensitive matching rule would convert both the
attribute value and the string for comparison.
Steps to reproduce:
Create a user objectclass with a roleName attribute and set the attribute value
to "canBrowse". Note the mixed case.
Create an access control statement with mixed case:
olcAccess: to * by set="user/roleName & [canBrowse]" read
Because the roleName attribute value is converted to lower-case before
comparison, the above will always fail, regardless of the case of the roleName
However, this works, regardless of the case of the roleName attribute value:
olcAccess: to * by set="user/roleName & [canbrowse]" read