[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5609) slapo-constraint with typ 'uri' rejects valid attribute values



michael@stroeder.com wrote:
> ando@sys-net.it wrote:
>> michael@stroeder.com wrote:
>>> First this raises the question what to do if filters are not valid in 
>>> configuration. I'd prefer if slapo-constraint would cause invalidFilter 
>>> with an appropriate diagnosticMessage pointing to slapo-constraint 
>>> configuration to be returned instead of silently assuming the attribute 
>>> value is wrong.
>> AFAIK, an invalid filter in the configuration would prevent slapd from 
>> starting, although right now checks are not that tight.
> 
> ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit))
> 
> obviously contains an invalid filter. But slapd starts without complaining.

OK, this type of error is not caught basically because no real check is 
done besides parsing the URI.  I was more concerned about erroneous 
filters as a result of constructing the constraint filter.  However, I 
notice that even in case of an incorrect filter, str2filter() will not 
fail, but rather generate a filter with erroneous terminal filters 
marked as erroneous, without complaining.  Moreover, the internal search 
  will return as successful but likely with no results.  This is the 
expected behavior for a real search.  So tracing an incorrect filter is 
not that obvious.

>>> Still it does not work for me. The filter seems to be ok now and returns 
>>> the correct search result. But still the attribute value "Abteilung 1" 
>>> is not accepted.
>> Can you provide the filter, the relevant data (or an excerpt of it) and 
>> the operation you're trying to perform?
> 
> I could provide a complete canned config in a personal e-mail if you want.

I'll let you know if that's needed.  Maybe what you posted below is enough.

p.

> Just for the ITS:
> 
> ---------------------- excerpt slapd.conf ----------------------
> overlay constraint
> constraint_attribute gender regex ^[0129]?$
> constraint_attribute departmentNumber uri 
> ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit)
> constraint_attribute manager uri 
> ldap:///ou=Managers,ou=schulung,dc=stroeder,dc=local?entryDN?one?(objectClass=inetOrgPerson)
> ---------------------- entry to be modified ----------------------
> dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local
> cn: Michael Stroeder
> givenName: Michael
> hasSubordinates: FALSE
> objectClass: inetOrgPerson
> sn: Stroeder
> 
> ---------------------- modification operation ----------------------
> dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local
> changetype: modify
> add: departmentNumber
> departmentNumber: Abteilung 1
> -
> 
> ---------------------- departments ----------------------
> dn: ou=Departments,ou=schulung,dc=stroeder,dc=local
> objectClass: organizationalUnit
> ou: Departments
> 
> dn: ou=Abteilung 1,ou=Departments,ou=schulung,dc=stroeder,dc=local
> objectClass: organizationalUnit
> ou: Abteilung 1
> 
> dn: ou=Abteilung 2,ou=Departments,ou=schulung,dc=stroeder,dc=local
> objectClass: organizationalUnit
> ou: Abteilung 2
> 
> --------------------------------------------------------------
> 
> Ciao, Michael
> 
> 



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it
-----------------------------------