
Re: SLAPD: Should access checks take place before filter matching?



At 01:08 PM 6/22/2001, Simon Spero wrote:
>On Fri, 22 Jun 2001, Kurt D. Zeilenga wrote:
>
>> If one doesn't evaluate the ACL during filter matching, then
>> all entries matching the filter will be returned without the
>
>
>I'm talking about avoiding evaluating the ACL if the filter doesn't match
>the candidate. If test_filter returns anything other than
>LDAP_COMPARE_TRUE, nothing is sent to the client.


>In the example given: In the current implementation, the backend call
>test_filter for each candidate, check for search access to userPassword,
>fail to find it, and LDAP_INSUFFICIENT_ACCESS. The backend will compare
>this to LDAP_COMPARE_TRUE, and since it isn't that value, skip to the next
>candidate.

I believe your code doesn't account for proper evaluation of
the filter's three-valued (True, False, Undefined) logic.  Other
than with the most simple filters, returning False and returning
non-True are NOT equivalent.

That is, (given the ACLs I previously provided)
        (userPassword=secret) is Undefined and entry is not returned.
and
        (!(userPassword=secret)) is Undefined and entry is not returned.

If I gather what you are suggesting correctly,
        (userPassword=secret) is Undefined and entry is not returned.
        (!(userPassword=secret)) is True and entry is returned.

Kurt
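
Added example, not part of the original message and not slapd code: a small C model of the point above, showing that a denied leaf kept as Undefined survives negation, while folding "non-True" into False makes (!(userPassword=secret)) match. All names, the entry and the ACL are constructed for illustration; modelling the conflation as a fold at the leaf is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not slapd's test_filter. */
typedef enum { F_FALSE, F_TRUE, F_UNDEF } tv;
typedef enum { EQ, NOT } kind;
typedef struct filter {
    kind k;
    const char *attr, *value;    /* used by EQ */
    const struct filter *sub;    /* used by NOT */
} filter;

/* Constructed entry and ACL: no search access to userPassword. */
static const char *entry[][2] = { {"cn", "test user"}, {"userPassword", "secret"} };
static int acl_allows_search(const char *attr) { return strcmp(attr, "userPassword") != 0; }

static int attr_matches(const char *attr, const char *value) {
    for (size_t i = 0; i < sizeof entry / sizeof entry[0]; i++)
        if (!strcmp(entry[i][0], attr) && !strcmp(entry[i][1], value)) return 1;
    return 0;
}

/* collapse=0: denied access stays Undefined through NOT.
 * collapse=1: a leaf's non-True result is folded into False. */
static tv eval(const filter *f, int collapse) {
    if (f->k == NOT) {
        tv r = eval(f->sub, collapse);
        if (r == F_UNDEF) return F_UNDEF;      /* NOT Undefined = Undefined */
        return r == F_TRUE ? F_FALSE : F_TRUE;
    }
    tv r = !acl_allows_search(f->attr) ? F_UNDEF
         : attr_matches(f->attr, f->value) ? F_TRUE : F_FALSE;
    return (collapse && r != F_TRUE) ? F_FALSE : r;
}

/* Only True sends the entry to the client. */
static int entry_returned(const filter *f, int collapse) { return eval(f, collapse) == F_TRUE; }

static const filter eq_pw  = { EQ,  "userPassword", "secret", NULL };
static const filter not_pw = { NOT, NULL, NULL, &eq_pw };

int main(void) {
    printf("three-valued: eq=%d not=%d\n", entry_returned(&eq_pw, 0), entry_returned(&not_pw, 0));
    printf("collapsed:    eq=%d not=%d\n", entry_returned(&eq_pw, 1), entry_returned(&not_pw, 1));
    return 0;
}
```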