[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SLAPD: Should access checks take place before filter matching?

At 01:08 PM 6/22/2001, Simon Spero wrote:
>On Fri, 22 Jun 2001, Kurt D. Zeilenga wrote:
>> If one doesn't evaluate the ACL during filter matching, then
>> all entries matching the filter will be returned without the
>I'm talking about avoiding evaluating the ACL if the filter doesn't match
>the candidate. If test_filter returns anything other than
>LDAP_COMPARE_TRUE, nothing is send to the client.

>In the example given: In the current implementation, the backend call
>test_filter for each candidate, check for search access to userPassword,
>fail to find it, and LDAP_INSUFFICIENT_ACCESSM. The backend will compare
>this to LDAP_COMPARE_TRUE, and since it isn't that value, skip to the next

I believe your code doesn't account for proper evaluation of
the filters three-valued (True, False, Undefined) logic.  Other
than with the most simple filters, returning False and returning
non-True are NOT equivalent.

That is, given the ACLs I previously provided)
        (userPassword=secret) is Undefined and entry is not returned.
        (!(userPassword=secret)) is Undefined and entry is not returned.

If I gather what you are suggesting correctly,
        (userPassword=secret) is Undefined and entry is not returned.
        (!(userPassword=secret)) is True and entry is returned.