
Re: (ITS#7964) overlay rwm escape issue with more the 9 rules / rewrite statements



Uwe Werler wrote:
> If I have rewrite rules like this:
> 
> 23 olcOverlay={1}rwm,olcDatabase={3}hdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcRwmConfig
> olcOverlay: {1}rwm
> olcRwmRewrite: {0}rwm-rewriteEngine on
> olcRwmRewrite: {1}rwm-rewriteContext searchFilter
> olcRwmRewrite: {2}rwm-rewriteRule "(.*\\()uid=sapr3(\\).*)"
> "$1uid=dlmsapr3$2"
> olcRwmRewrite: {3}rwm-rewriteRule "(.*\\()uid=sdb(\\).*)" "$1uid=sdb$2"
> olcRwmRewrite: {4}rwm-rewriteRule
> "(.*\\()uid=sapadm(\\).*)" "$1uid=dlmsapadm$2"
> olcRwmRewrite: {5}rwm-rewriteRule "(.*\\()uid=sapmnt(\\).*)" "$1uid=sapmnt$2"
> olcRwmRewrite: {6}rwm-rewriteRule "(.*\\()uid=[a-z0-9]{3}adm(\\).*)"
> "$1uid=dlmsidadm$2"
> olcRwmRewrite: {7}rwm-rewriteRule "(.*\\()uid=sqd[a-z0-9]{3}(\\).*)"
> "$1uid=dlmsqdsid$2"
> olcRwmRewrite: {8}rwm-rewriteRule "(.*\\()uid=ora[a-z0-9]{3}(\\).*)"
> "$1uid=dlmorasid$2"
> olcRwmRewrite: {9}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}(\\).*)"
> "$1uid=dlmsapr3$2"
> olcRwmRewrite: {10}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}db(\\).*)"
> "$1uid=dlmsapr3db$2"
> olcRwmRewrite: {11}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}(\\).*)"
> "$1uid=dlmdb2sid$2"
> olcRwmRewrite: {12}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}ap(\\).*)"
> "$1uid=dlmdb2sid$2"
> 
> then the ninth rule / statement fails to escape. In this example ora*** gets
> not correctly rewritten to dlmora***: See loglevel trace:
> 
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapr3(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sdb(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapadm(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapmnt(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=[a-z0-9]{3}adm(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sqd[a-z0-9]{3}(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\\()uid=ora[a-z0-9]{3}(\\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sap[a-z0-9]{3}(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sap[a-z0-9]{3}db(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=db2[a-z0-9]{3}(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=db2[a-z0-9]{3}ap(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 
> If I insert a dummy statement like this:
> 
> olcRwmRewrite: {0}rwm-rewriteEngine on
> olcRwmRewrite: {1}rwm-rewriteContext searchFilter
> olcRwmRewrite: {2}rwm-rewriteRule "(.*\\()uid=sapr3(\\).*)"
> "$1uid=dlmsapr3$2"
> olcRwmRewrite: {3}rwm-rewriteRule "(.*\\()uid=sdb(\\).*)" "$1uid=sdb$2"
> olcRwmRewrite: {4}rwm-rewriteRule "(.*\\()uid=sapadm(\\).*)"
> "$1uid=dlmsapadm$2"
> olcRwmRewrite: {5}rwm-rewriteRule "(.*\\()uid=sapmnt(\\).*)" "$1uid=sapmnt$2"
> olcRwmRewrite: {6}rwm-rewriteRule "(.*\\()uid=[a-z0-9]{3}adm(\\).*)"
> "$1uid=dlmsidadm$2"
> olcRwmRewrite: {7}rwm-rewriteRule "(.*\\()uid=sqd[a-z0-9]{3}(\\).*)"
> "$1uid=dlmsqdsid$2"
> olcRwmRewrite: {8}rwm-rewriteRule "(.*\\()uid=ora[a-z0-9]{3}(\\).*)"
> "$1uid=dlmorasid$2"
> olcRwmRewrite: {9}rwm-rewriteContext placeHolder alias searchFilter
> olcRwmRewrite: {10}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}(\\).*)"
> "$1uid=dlmsapr3$2"
> olcRwmRewrite: {11}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}db(\\).*)"
> "$1uid=dlmsapr3db$2"
> olcRwmRewrite: {12}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}(\\).*)"
> "$1uid=dlmdb2sid$2"
> olcRwmRewrite: {13}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}ap(\\).*)"
> "$1uid=dlmdb2sid$2"
> 
> then the escapes are working properly.
> 
> Sometimes this occurs with the last rule too.

It seems to me that this happens with the rule most recently inserted. If slapd
was recently restarted, this would be the last rule in the list.

The parsing rules are slightly different for slapd.conf vs ldif. Notable is that
ldif parsing does not perform escape processing. So this slapd.conf line:

rwm-rewriteRule "(.*\\()uid=sapr3(\\).*)" "$1uid=dlmsapr3$2"

should actually correspond to this cn=config attribute:

olcRwmRewrite: rwm-rewriteRule "(.*\()uid=sapr3(\).*)" "$1uid=dlmsapr3$2"

This is exactly the output of conversion with, for example, slaptest -f
slapd.conf -F slapd.d.

When a new rwm rule is added, existing rules are reloaded. The bug is that the
existing rules were being passed through the slapd.conf line processor, which
dropped backslashes on the way, while the rule actually being inserted was
passed to the rewrite routines untouched.

Fixed in git master by removing the extra escaping on insert. You will have to
adjust your rules to use a single backslash instead of two.

(bonus: rwm is needlessly reloading existing rules when appending with valx >=
last, while it could be
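
The mismatch described in this message, as an added example (not code from the original post or from OpenLDAP): it evaluates one stored rule both as stored (LDIF, no escape processing) and after a simplified, assumed model of slapd.conf backslash handling. Python's `re` stands in for the regex engine slapd uses, and the filter string and all function names are constructed for illustration.

```python
import re

def conf_unescape(arg: str) -> str:
    """Simplified model (assumption) of slapd.conf argument parsing:
    a backslash is dropped and the character after it is kept literally."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            i += 1
        out.append(arg[i])
        i += 1
    return "".join(out)

def apply_rule(pattern: str, subst: str, text: str) -> str:
    """Apply one rewrite rule; $N in subst refers to capture group N."""
    m = re.search(pattern, text)
    if m is None:
        return text  # rule did not fire, the filter passes through unchanged
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", subst)

def audit(rule_value: str, sample: str, expected: str) -> dict:
    """Does the rule give the expected rewrite when used exactly as stored,
    and when first passed through slapd.conf-style unescaping?"""
    pattern, subst = re.findall(r'"([^"]*)"', rule_value)
    return {
        "as_stored": apply_rule(pattern, subst, sample) == expected,
        "conf_unescaped":
            apply_rule(conf_unescape(pattern), subst, sample) == expected,
    }

# Rule text from the thread: double-backslash form and single-backslash form.
DOUBLE = r'rwm-rewriteRule "(.*\\()uid=ora[a-z0-9]{3}(\\).*)" "$1uid=dlmorasid$2"'
SINGLE = r'rwm-rewriteRule "(.*\()uid=ora[a-z0-9]{3}(\).*)" "$1uid=dlmorasid$2"'
# Constructed search filter and the rewrite the administrator intends.
SAMPLE = "(&(objectClass=posixAccount)(uid=oraabc))"
EXPECTED = "(&(objectClass=posixAccount)(uid=dlmorasid))"

if __name__ == "__main__":
    for name, rule in (("double", DOUBLE), ("single", SINGLE)):
        print(name, audit(rule, SAMPLE, EXPECTED))
```

A rule that is correct only under `conf_unescaped` is one that needs its doubled backslashes reduced to single ones once all rules are passed to the rewrite routines untouched.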