Re: OpenLDAP goes too deep with regex's (ITS#2174)
--On Monday, November 11, 2002 10:32 AM -0800 "Kurt D. Zeilenga"
<Kurt@OpenLDAP.org> wrote:
> Quanah,
>
> From this report and the follow-ups, it's a little unclear
> as to exactly what your problem is.
>
> Are you reporting that after finding one entry, slapd should
> not consider other possible candidates? If so, then I would
> say that, no, slapd should consider all possible candidates.
>
> Are you reporting that in the consideration of one particular
> entry, slapd doesn't short circuit the filter evaluation? If
> so, then I would ask that you provide additional information
> (such as detail logging) as the entry filter code is designed
> to support short cutting of AND and OR filter components.
Kurt,
I think I'm reporting the fact that after it considers my krb5PrincipalName
as what it wants, it continues without short-circuiting the filter
evaluation.
From the logs:
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 497692 local4.debug] slap_sasl_regexp: converted SASL name to ldaps:///cn=People,dc=stanford,dc=edu??sub?(|(krb5PrincipalName=quanah@stanford.edu)(suKrb5name=quanah@stanford.edu))
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 151145 local4.debug] slap_parseURI: parsing ldaps:///cn=People,dc=stanford,dc=edu??sub?(|(krb5PrincipalName=quanah@stanford.edu)(suKrb5name=quanah@stanford.edu))
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 950877 local4.debug] str2filter "(|(krb5PrincipalName=quanah@stanford.edu)(suKrb5name=quanah@stanford.edu))"
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 923158 local4.debug] => access_allowed: search access to "suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu" "krb5PrincipalName" requested
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 704950 local4.debug] <= check a_dn_pat: *
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 279303 local4.debug] <= acl_mask: [4] applying search(=scx) (stop)
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 804284 local4.debug] <= acl_mask: [4] mask: search(=scx)
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 384072 local4.debug] => access_allowed: search access granted by search(=scx)
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 791166 local4.debug] <= test_filter 5
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 344839 local4.debug] => test_filter
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 494872 local4.debug] EQUALITY
Then, it continues on:
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 923158 local4.debug] => access_allowed: search access to "suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu" "suKrb5name" requested
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 184944 local4.debug] => dn: [1]
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 967793 local4.debug] => acl_get: [2] check attr suKrb5name
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 155642 local4.debug] <= acl_get: [2] acl suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu attr: suKrb5name
Nov 11 10:48:33 ldap3.Stanford.EDU slapd[1851]: [ID 971074 local4.debug] => acl_mask: access to entry "suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu", attr "suKrb5name" requested
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 704950 local4.debug] <= check a_dn_pat: *
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 279303 local4.debug] <= acl_mask: [4] applying search(=scx) (stop)
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 804284 local4.debug] <= acl_mask: [4] mask: search(=scx)
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 384072 local4.debug] => access_allowed: search access granted by search(=scx)
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 791166 local4.debug] <= test_filter 6
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 238222 local4.debug] <= test_filter_or 6
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 791166 local4.debug] <= test_filter 6
Nov 11 10:48:34 ldap3.Stanford.EDU slapd[1851]: [ID 241745 local4.debug] ====> bdb_cache_return_entry_r( 11 ): returned (0)
So, even though it received the EQUALITY for krb5PrincipalName, it did not
short-circuit the search, and continued with a check for suKrb5Name.
--Quanah
--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
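
Added example, not part of the original message and not OpenLDAP code: a small Python trace reader that pairs each `test_filter` return value in the log above with the attribute whose access check preceded it. It assumes the number printed after `<= test_filter` is an LDAP result code (RFC 4511 defines 5 as compareFalse and 6 as compareTrue); the function names and the `SAMPLE` list are this example's own.

```python
import re

# LDAP result codes defined in RFC 4511. Assumption: the number slapd prints
# after "<= test_filter" and "<= test_filter_or" is one of these codes.
RESULT = {5: "compareFalse", 6: "compareTrue"}

ACCESS = re.compile(r'=> access_allowed: search access to "[^"]*" "([^"]+)" requested')
RETURN = re.compile(r'<= (test_filter(?:_or)?) (-?\d+)')

# Filter-related lines from the log in the message, in order, with the
# syslog prefix dropped and the mail line wrapping undone.
DN = "suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu"
SAMPLE = [
    f'=> access_allowed: search access to "{DN}" "krb5PrincipalName" requested',
    "<= test_filter 5",
    "=> test_filter",
    "EQUALITY",
    f'=> access_allowed: search access to "{DN}" "suKrb5name" requested',
    "<= test_filter 6",
    "<= test_filter_or 6",
    "<= test_filter 6",
]

def trace_filter(lines):
    """Pair each return code with the attribute whose access check preceded it."""
    trace, attr = [], None
    for line in lines:
        m = ACCESS.search(line)
        if m:
            attr = m.group(1)
            continue
        m = RETURN.search(line)
        if m:
            code = int(m.group(2))
            # A return with no pending attribute belongs to an enclosing call.
            trace.append((attr or m.group(1), code, RESULT.get(code, "other")))
            attr = None
    return trace

def evaluated_after_match(trace, attributes):
    """Attributes that were tested after an earlier one returned compareTrue."""
    matched, late = False, []
    for label, code, _ in trace:
        if label in attributes:
            if matched:
                late.append(label)
            matched = matched or code == 6
    return late

if __name__ == "__main__":
    for row in trace_filter(SAMPLE):
        print(row)
```

Under that assumption, the trace reads krb5PrincipalName as compareFalse and suKrb5name as compareTrue, and `evaluated_after_match` returns an empty list for this log.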