(ITS#8182) setspec matching fails unexpectedly

Full_Name: Daniel Kauffman
Version: 2.4.40
OS: Debian 8.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


Using access control set=<setspec> to compare an attribute value against a
string converts the attribute value to lower case but does not convert the
string to lower case, so matching sometimes fails unexpectedly.

Expected behavior:

When an attribute value is compared against a string, matching should use the
attribute equality matching rule to determine whether or not to do a
case-sensitive match. An exact match would not convert either the attribute
value or the string, and a case-insensitive matching rule would convert both the
attribute value and the string for comparison.

Steps to reproduce:

Create a user objectclass with a roleName attribute and set the attribute value
to "canBrowse". Note the mixed case.

Create an access control statement with mixed case:

olcAccess: to * by set="user/roleName & [canBrowse]" read

Because the roleName attribute value is converted to lower-case before
comparison, the above will always fail, regardless of the case of the roleName
attribute value.

However, this works, regardless of the case of the roleName attribute value:

olcAccess: to * by set="user/roleName & [canbrowse]" read
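
The mismatch described in this report, modelled as an added example (not OpenLDAP code and not part of the original message). reported_match() and expected_match() are hypothetical stand-ins for the two comparison behaviours, and mixed_case_literals() is a heuristic lint for [literal] operands in set= clauses; the sample ACL lines are the two from the report.

```python
import re

# The two ACL lines from the report, embedded as sample input.
SAMPLE_ACLS = [
    'olcAccess: to * by set="user/roleName & [canBrowse]" read',
    'olcAccess: to * by set="user/roleName & [canbrowse]" read',
]

# set="..." clause, with an optional .<style> suffix after "set".
SET_CLAUSE = re.compile(r'\bset(?:\.\w+)?="([^"]*)"')
# Bracketed literal operand inside a set expression.
LITERAL = re.compile(r'\[([^\]]*)\]')


def reported_match(attr_values, literal):
    """Comparison as the report describes it: the attribute value is
    lower-cased, the literal is compared exactly as written."""
    return any(v.lower() == literal for v in attr_values)


def expected_match(attr_values, literal):
    """Comparison the report expects under a case-insensitive equality
    rule: both sides are folded before comparing."""
    return any(v.lower() == literal.lower() for v in attr_values)


def mixed_case_literals(acl_line):
    """Return the [literal] operands in set= clauses that contain
    upper-case characters and so can never satisfy reported_match()."""
    found = []
    for clause in SET_CLAUSE.findall(acl_line):
        found += [lit for lit in LITERAL.findall(clause) if lit != lit.lower()]
    return found


if __name__ == "__main__":
    for line in SAMPLE_ACLS:
        for lit in mixed_case_literals(line):
            print(f"[{lit}] cannot match as described in ITS#8182: {line}")
```

The lint is a heuristic: it flags every bracketed literal that contains upper-case characters, so each hit needs a manual look before the ACL is changed.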