Re: (ITS#8528) Incorrect results on replace op for olcAccess
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8528) Incorrect results on replace op for olcAccess
- From: quanah@symas.com
- Date: Thu, 03 Nov 2016 23:43:58 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
--On Friday, November 04, 2016 12:41 AM +0000 openldap-its@OpenLDAP.org
wrote:
Here's the full text, since the web form apparently ate it:
When doing a full replace on all values for olcAccess, things work
incorrectly if the values provided are not in numeric sorted order. This
is problematic when using tools like ldapvi, which do an alphabetic sort. It is
trivial to reproduce the problem using the following example LDIFs:
cat > replace_ordered.ldif <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.exact="cn=0" by * none
olcAccess: {1}to dn.exact="cn=1" by * none
olcAccess: {2}to dn.exact="cn=2" by * none
olcAccess: {3}to dn.exact="cn=3" by * none
olcAccess: {4}to dn.exact="cn=4" by * none
olcAccess: {5}to dn.exact="cn=5" by * none
olcAccess: {6}to dn.exact="cn=6" by * none
olcAccess: {7}to dn.exact="cn=7" by * none
-
EOF
cat > replace_ordered_mixup.ldif <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {7}to dn.exact="cn=7" by * none
olcAccess: {1}to dn.exact="cn=1" by * none
olcAccess: {4}to dn.exact="cn=4" by * none
olcAccess: {3}to dn.exact="cn=3" by * none
olcAccess: {5}to dn.exact="cn=5" by * none
olcAccess: {0}to dn.exact="cn=0" by * none
olcAccess: {6}to dn.exact="cn=6" by * none
olcAccess: {2}to dn.exact="cn=2" by * none
-
EOF
With the initial config as:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
When the ordered version is done, the correct result occurs:
olcAccess: {0}to dn.exact="cn=0" by * none
olcAccess: {1}to dn.exact="cn=1" by * none
olcAccess: {2}to dn.exact="cn=2" by * none
olcAccess: {3}to dn.exact="cn=3" by * none
olcAccess: {4}to dn.exact="cn=4" by * none
olcAccess: {5}to dn.exact="cn=5" by * none
olcAccess: {6}to dn.exact="cn=6" by * none
olcAccess: {7}to dn.exact="cn=7" by * none
However, when the unordered replace is done, an incorrect result occurs:
olcAccess: {0}to dn.exact="cn=0" by * none
olcAccess: {1}to dn.exact="cn=7" by * none
olcAccess: {2}to dn.exact="cn=2" by * none
olcAccess: {3}to dn.exact="cn=1" by * none
olcAccess: {4}to dn.exact="cn=4" by * none
olcAccess: {5}to dn.exact="cn=3" by * none
olcAccess: {6}to dn.exact="cn=5" by * none
olcAccess: {7}to dn.exact="cn=6" by * none
Since we are doing a replace of all values, it should not be trying to
reweight the operation. Instead, the values should just be numeric sorted
and then written out accordingly, so one ends up with the same result as in
the ordered case.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
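
An added example, not part of the original report and not OpenLDAP code: a client-side workaround and check in Python. It sorts olcAccess values by the integer in their {n} prefix before a replace is sent, and compares a read-back of the stored values against what was sent, since slapd applies the first matching rule and a reordered ACL list changes what is enforced. The function names are hypothetical; the sample values are taken from the LDIFs and results quoted in the report.

```python
import re

# Ordering prefix used by cn=config for ordered values, e.g. "{3}to ... by ..."
PREFIX = re.compile(r"^\{(\d+)\}(.*)$", re.S)

def split_prefix(value):
    """Return (index, rule) for an ordered value such as '{3}to ... by ...'."""
    m = PREFIX.match(value)
    if not m:
        raise ValueError(f"missing {{n}} ordering prefix: {value!r}")
    return int(m.group(1)), m.group(2)

def numeric_order(values):
    """Sort by the integer inside {n} (not alphabetically); reject duplicate indexes."""
    parsed = [split_prefix(v) for v in values]
    indexes = [i for i, _ in parsed]
    if len(set(indexes)) != len(indexes):
        raise ValueError("duplicate ordering prefix in replace values")
    return [f"{{{i}}}{rule}" for i, rule in sorted(parsed)]

def mismatches(sent, readback):
    """Indexes whose stored rule differs from the rule sent with that index."""
    want = dict(split_prefix(v) for v in sent)
    got = dict(split_prefix(v) for v in readback)
    return sorted(i for i in want.keys() | got.keys() if want.get(i) != got.get(i))

# Values from replace_ordered_mixup.ldif in the report, in the order sent.
MIXUP = ['{%d}to dn.exact="cn=%d" by * none' % (n, n)
         for n in (7, 1, 4, 3, 5, 0, 6, 2)]

# Result the report shows after the unordered replace (position -> cn).
REPORTED = ['{%d}to dn.exact="cn=%d" by * none' % (i, cn)
            for i, cn in enumerate((0, 7, 2, 1, 4, 3, 5, 6))]

if __name__ == "__main__":
    # Values to put in the replace so the server receives them in {n} order.
    for line in numeric_order(MIXUP):
        print("olcAccess:", line)
    # Post-change check: which positions hold a rule other than the one sent.
    print("positions holding the wrong rule:", mismatches(MIXUP, REPORTED))
```

Running `mismatches` against a read-back of olcAccess after every cn=config change catches a reordering like the one reported before the altered ACL order goes unnoticed.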