Re: (ITS#5609) slapo-constraint with typ 'uri' rejects valid attribute values



Pierangelo Masarati wrote:
> michael@stroeder.com wrote:
> 
>> Looking at the logs slapo-constraint seems to generate a filter which is
>> considered bad by slapd:
>>
>> constraint_violation uri filter =
>> (&((objectClass=organizationalUnit))(|(ou=Abteilung 1)))
>>
>> This filter would work and finds the correct entry containing the valid
>> attribute value:
>> (&(objectClass=organizationalUnit)(|(ou=Abteilung 1)))
> 
> The overlay assumes you don't put brackets around your filter.  This is 
> now fixed in HEAD; please test.  p.

First, this raises the question of what to do if filters are not valid in 
the configuration. I'd prefer that slapo-constraint cause invalidFilter 
to be returned, with an appropriate diagnosticMessage pointing to the 
slapo-constraint configuration, instead of silently assuming the attribute 
value is wrong.

Still, it does not work for me. The filter seems to be OK now and returns 
the correct search result. But the attribute value "Abteilung 1" 
is still not accepted.

Ciao, Michael.

--------------------------------- snip ---------------------------------
==> constraint_violation uri filter = 
(&(objectClass=organizationalUnit)(|(ou=Abteilung 1)))
put_filter: "(&(objectClass=organizationalUnit)(|(ou=Abteilung 1)))"
put_filter: AND
put_filter_list "(objectClass=organizationalUnit)(|(ou=Abteilung 1))"
put_filter: "(objectClass=organizationalUnit)"
put_filter: simple
put_simple_filter: "objectClass=organizationalUnit"
put_filter: "(|(ou=Abteilung 1))"
put_filter: OR
put_filter_list "(ou=Abteilung 1)"
put_filter: "(ou=Abteilung 1)"
put_filter: simple
put_simple_filter: "ou=Abteilung 1"
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
=> hdb_search
bdb_dn2entry("ou=Departments,ou=schulung,dc=stroeder,dc=local")
=> hdb_dn2id("ou=Departments,ou=schulung,dc=stroeder,dc=local")
<= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found 
(-30989)
=> access_allowed: disclose access to "ou=schulung,dc=stroeder,dc=local" 
"entry" requested
<= root access granted
=> access_allowed: disclose access granted by manage(=mwrscxd)
send_ldap_result: conn=1 op=28 p=3
send_ldap_result: err=10 matched="ou=schulung,dc=stroeder,dc=local" text=""
==> constraint_violation uri rc = 32, found = 0
send_ldap_result: conn=1 op=28 p=3
send_ldap_result: err=19 matched="" text="modify breaks constraint on 
departmentNumber"
send_ldap_response: msgid=29 tag=103 err=19
ber_flush2: 58 bytes to sd 17
conn=1 op=28 RESULT tag=103 err=19 text=modify breaks constraint on 
departmentNumber
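
The behaviour asked for in this message (detect a malformed combined filter and report it as a configuration problem rather than as a constraint violation) can be sketched as below. This is an added example, not OpenLDAP code and not the fix committed to HEAD; `filter_ok` and `build_filter` are hypothetical names, and the parser covers only the bracket structure of RFC 4515 filters.

```c
#include <stdio.h>
#include <string.h>

/* Parse one parenthesised filter at *p (structural subset of RFC 4515). */
static int parse_filter(const char **p)
{
    const char *s = *p;
    if (*s++ != '(') return 0;
    if (*s == '&' || *s == '|' || *s == '!') {
        char op = *s++;
        int n = 0;
        while (*s == '(') {               /* every operand is itself a filter */
            if (!parse_filter(&s)) return 0;
            n++;
        }
        if (n == 0 || (op == '!' && n != 1)) return 0;
    } else {                              /* item: attr, '=', value */
        size_t attr = strcspn(s, "=()");
        if (attr == 0 || s[attr] != '=') return 0;
        s += attr + 1;
        s += strcspn(s, "()");            /* raw parentheses end the value */
    }
    if (*s != ')') return 0;
    *p = s + 1;
    return 1;
}

/* 1 if f is exactly one well-formed filter with nothing trailing. */
int filter_ok(const char *f)
{
    const char *p = f;
    return parse_filter(&p) && *p == '\0';
}

/* Build (&<cfg>(|(attr=val))) whether or not cfg carries its own brackets.
 * val is assumed to be RFC 4515-escaped already. Returns 0 on success,
 * -1 if the result is truncated or malformed, so the caller can report a
 * configuration error instead of treating the value as a violation. */
int build_filter(char *out, size_t len, const char *cfg,
                 const char *attr, const char *val)
{
    const char *lb = cfg[0] == '(' ? "" : "(";
    const char *rb = cfg[0] == '(' ? "" : ")";
    int n = snprintf(out, len, "(&%s%s%s(|(%s=%s)))", lb, cfg, rb, attr, val);
    if (n < 0 || (size_t)n >= len) return -1;
    return filter_ok(out) ? 0 : -1;
}
```
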