[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: SLAPD: Should access checks take place before filter matching?
At 01:08 PM 6/22/2001, Simon Spero wrote:
>On Fri, 22 Jun 2001, Kurt D. Zeilenga wrote:
>
>> If one doesn't evaluate the ACL during filter matching, then
>> all entries matching the filter will be returned without the
>
>
>I'm talking about avoiding evaluating the ACL if the filter doesn't match
>the candidate. If test_filter returns anything other than
>LDAP_COMPARE_TRUE, nothing is send to the client.
>In the example given: In the current implementation, the backend call
>test_filter for each candidate, check for search access to userPassword,
>fail to find it, and LDAP_INSUFFICIENT_ACCESSM. The backend will compare
>this to LDAP_COMPARE_TRUE, and since it isn't that value, skip to the next
>candidate.
I believe your code doesn't account for proper evaluation of
the filters three-valued (True, False, Undefined) logic. Other
than with the most simple filters, returning False and returning
non-True are NOT equivalent.
That is, given the ACLs I previously provided)
(userPassword=secret) is Undefined and entry is not returned.
and
(!(userPassword=secret)) is Undefined and entry is not returned.
If I gather what you are suggesting correctly,
(userPassword=secret) is Undefined and entry is not returned.
(!(userPassword=secret)) is True and entry is returned.
Kurt