[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8182) setspec matching fails unexpectedly

To: openldap-its@OpenLDAP.org
Subject: (ITS#8182) setspec matching fails unexpectedly
From: daniel.kauffman@rocksolidsolutions.org
Date: Wed, 01 Jul 2015 19:06:44 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Daniel Kauffman
Version: 2.4.40
OS: Debian 8.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.178.89.137)


Issue:

Using access control set=<setspec> to compare an attribute value against a
string converts the attribute value to lower case but does not convert the
string to lower case, so matching sometimes fails unexpectedly.

Expected behavior:

When an attribute value is compared against a string, matching should use the
attribute equality matching rule to determine whether or not to do a
case-sensitive match. An exact match would not convert either the attribute
value or the string, and a case-insensitive matching rule would convert both the
attribute value and the string for comparison.

Steps to reproduce:

Create a user objectclass with a roleName attribute and set the attribute value
to "canBrowse". Note the mixed case.

Create an access control statement with mixed case:

olcAccess: to * by set="user/roleName & [canBrowse]" read

Because the roleName attribute value is converted to lower-case before
comparison, the above will always fail, regardless of the case of the roleName
attribute value.

However, this works, regardless of the case of the roleName attribute value:

olcAccess: to * by set="user/roleName & [canbrowse]" read

Next by Date: (ITS#8183) ldap_init() failed at sub thread but runs ok at main.
Index(es):
- Chronological
- Thread