2.3.1alpha and ACL set matching



In 2.3.1alpha (and HEAD), set matching is no longer case insensitive like it 
is in 2.2.x versions.  I am not sure if this is intended or not--the only 
documentation I am aware of claims that "operators are case sensitive"
(http://www.openldap.org/faq/index.cgi?_highlightWords=sets&file=1133).

If case sensitive matching is intended, set matching can be thrown off by 
attribute matching rules defined in the schema.  For instance, if I have an 
attribute called 'accountState' that has caseIgnoreMatch equality matching 
and use a similar ACL (excerpt):

	by set="user/accountState & [INACTIVE]" none

, 2.3 will never be able to match it as backend_attribute always returns the 
value in lower case.  Of course, the matching will work if INACTIVE is lower 
case in the ACL.  If this behavior is by design, I think it should be noted 
in the documentation so users are at least aware of it.

If case sensitive matching is not intended, a patch like the following should 
restore 2.3.1alpha to do case insensitive matching (please note that this 
patch is only for the '&' operator):

 --- openldap-2.3.1alpha/servers/slapd/sets.c    Thu Jan 20 13:03:56 2005
+++ openldap-2.3.1alpha-patch/servers/slapd/sets.c  Thu Mar 17 12:25:16 2005
@@ -201,7 +201,7 @@
            last = slap_set_size( set ) - 1;
            for ( i = 0; !BER_BVISNULL( &set[ i ] ); i++ ) {
                for ( j = 0; !BER_BVISNULL( &rset[ j ] ); j++ ) {
-                   if ( bvmatch( &set[ i ], &rset[ j ] ) ) {
+                   if ((ber_bvstrcasecmp(&set[ i ], &rset[ j ])) == 0 ) {
                        break;
                    }
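
Review bot: the `+` line compares every pair of values with ber_bvstrcasecmp regardless of which attribute the values came from, so a set built from an attribute whose equality rule is case sensitive would also intersect case-insensitively, and a `by set=` clause could start matching values it did not match before. Consider taking the comparison from the attribute's equality matching rule, or normalizing the ACL literal the same way the stored value is normalized, rather than hard-coding a case-folding compare. The change also covers only this one loop, so per the message the other operators keep the old comparison and set expressions would behave inconsistently across operators. On style, the new line should follow the surrounding spacing and drop the redundant parentheses, e.g. `if ( ber_bvstrcasecmp( &set[ i ], &rset[ j ] ) == 0 ) {`.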

Thanks,

dave
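
The mismatch described in this message, as an added example (not code from the post or from OpenLDAP): a simplified model of the `&` loop, showing that when the `none` clause fails to match, evaluation falls through to a later clause. `struct val`, the two comparators, and the follow-on `by users read` clause are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical length-counted value; a stand-in, not liblber's struct berval. */
struct val { size_t len; const char *s; };
#define V(str) { sizeof(str) - 1, str }
typedef int (*val_eq)(const struct val *, const struct val *);

/* Byte-for-byte equality: the behaviour the message reports for 2.3.1alpha. */
static int eq_exact(const struct val *a, const struct val *b) {
    return a->len == b->len && memcmp(a->s, b->s, a->len) == 0;
}
/* Case-insensitive equality: the behaviour the message reports for 2.2.x. */
static int eq_nocase(const struct val *a, const struct val *b) {
    return a->len == b->len && strncasecmp(a->s, b->s, a->len) == 0;
}

/* '&' operator: count members of lset that also occur in rset. */
static size_t set_intersect_count(const struct val *lset, size_t nl,
                                  const struct val *rset, size_t nr, val_eq eq) {
    size_t hits = 0;
    for (size_t i = 0; i < nl; i++)
        for (size_t j = 0; j < nr; j++)
            if (eq(&lset[i], &rset[j])) { hits++; break; }
    return hits;
}

/* Constructed sample data: the stored value arrives lower-cased, as the message says. */
static const struct val stored[]    = { V("inactive") };
static const struct val acl_upper[] = { V("INACTIVE") };
static const struct val acl_lower[] = { V("inactive") };

enum access { ACC_NONE, ACC_READ };

/* Two by-clauses in order, first match wins:
 *   by set="user/accountState & [literal]" none
 *   by users read      (assumed follow-on clause, not on the page) */
static enum access evaluate(const struct val *literal, val_eq eq) {
    if (set_intersect_count(stored, 1, literal, 1, eq) > 0)
        return ACC_NONE;
    return ACC_READ;   /* deny clause skipped: the inactive account keeps access */
}

int main(void) {
    printf("exact,  [INACTIVE]: %s\n", evaluate(acl_upper, eq_exact)  == ACC_NONE ? "none" : "read");
    printf("exact,  [inactive]: %s\n", evaluate(acl_lower, eq_exact)  == ACC_NONE ? "none" : "read");
    printf("nocase, [INACTIVE]: %s\n", evaluate(acl_upper, eq_nocase) == ACC_NONE ? "none" : "read");
    return 0;
}
```
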