[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Case (in)sensitivity in 'by set' ACL?

To: "Matt Benjamin" <matt@linuxbox.com>
Subject: Re: Case (in)sensitivity in 'by set' ACL?
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Thu, 20 Apr 2006 10:25:51 +0200 (CEST)
Cc: openldap-software@OpenLDAP.org
Importance: Normal
In-reply-to: <444580B2.4070704@linuxbox.com>
References: <444580B2.4070704@linuxbox.com>
User-agent: SquirrelMail/1.4.3a-1

> We have a number of ACLs, in production on OpenLDAP 2.2.26, which are of
> the form:
>
>    by set="user/eduPersonAffiliation* & [Faculty]" read
>
> where the case of the attribute value in a given entry matches the ACL
> as shown, and the eduPersonAffiliation attribute is
> caseIgnoreMatch/caseIgnoreIA5SubstringsMatch.
>
> In testing these ACLs on 2.3.21, I found that the ACLs never match,
> because the bvals returned from the entry () are returned as downcased,

s/downcased/normalized/

> but the comparison apparently is done case sensitively.

/case sensitively/using octetStringMatch/

>
> I assume this behavior could be correct, although it seems illogical,
> and has apparently changed.

many things changed in sets since that; much like in the rest of slapd.

> In any case, is this the defined or
> intended behavior?

The intention is always to change for the better; typically, users that
find that things that used to work earlier don't work any more were
relying on incorrect assumptions.

Sets are weakly typed (actually, they're untyped) because they are
intended to mix up stuff in string form, much like regular expressions
(which are case insensitive by default).  Since there is no formal
specification of sets, their implementation uses the normalized value when
expanding stuff, while it uses case-sensitive comparison (actually,
octetStringMatch).  As a consequence, literals should be provided in
normalized form, whatever it is.  Simple case-insensitive comparison would
not suffice, as the normalized form of many matching rules implies much
more than case insensitivity (think of telephoneNumberMatch, for example).

There has been discussion, in the past, about the opportunity to have a
more formal specification of sets, and to extend their syntax to allow to
specify what matching rules should be used to compare values (much like in
extensible match filters).  Feel free to suggest improvements; however, I
believe that sets are so "specialized" that they require some deep
knowledge of the internals of slapd (consider that they're essentially
undocumented); this knowledge should imply the capability to provide
normalized strings as literals.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Follow-Ups:
- Re: Case (in)sensitivity in 'by set' ACL?
  - From: Matt Benjamin <matt@linuxbox.com>

References:
- Case (in)sensitivity in "by set" ACL?
  - From: Matt Benjamin <matt@linuxbox.com>

Prev by Date: Re: rewrite rule in slapd.conf
Next by Date: Re: Case (in)sensitivity in 'by set' ACL?
Index(es):
- Chronological
- Thread