Re: (ITS#5609) slapo-constraint with typ 'uri' rejects valid attribute values
michael@stroeder.com wrote:
> ando@sys-net.it wrote:
>> michael@stroeder.com wrote:
>>> First this raises the question what to do if filters are not valid in
>>> configuration. I'd prefer if slapo-constraint would cause invalidFilter
>>> with an appropriate diagnosticMessage pointing to slapo-constraint
>>> configuration to be returned instead of silently assuming the attribute
>>> value is wrong.
>> AFAIK, an invalid filter in the configuration would prevent slapd from
>> starting, although right now checks are not that tight.
>
> ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit))
>
> obviously contains an invalid filter. But slapd starts without complaining.
OK, this type of error is not caught basically because no real check is
done besides parsing the URI. I was more concerned about erroneous
filters as a result of constructing the constraint filter. However, I
notice that even in case of an incorrect filter, str2filter() will not
fail, but rather generate a filter with erroneous terminal filters
marked as erroneous, without complaining. Moreover, the internal search
will return as successful but likely with no results. This is the
expected behavior for a real search. So tracing an incorrect filter is
not that obvious.
>>> Still it does not work for me. The filter seems to be ok now and returns
>>> the correct search result. But still the attribute value "Abteilung 1"
>>> is not accepted.
>> Can you provide the filter, the relevant data (or an excerpt of it) and
>> the operation you're trying to perform?
>
> I could provide a complete canned config in a personal e-mail if you want.
I'll let you know if that's needed. Maybe what you posted below is enough.
p.
> Just for the ITS:
>
> ---------------------- excerpt slapd.conf ----------------------
> overlay constraint
> constraint_attribute gender regex ^[0129]?$
> constraint_attribute departmentNumber uri
> ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit)
> constraint_attribute manager uri
> ldap:///ou=Managers,ou=schulung,dc=stroeder,dc=local?entryDN?one?(objectClass=inetOrgPerson)
> ---------------------- entry to be modified ----------------------
> dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local
> cn: Michael Stroeder
> givenName: Michael
> hasSubordinates: FALSE
> objectClass: inetOrgPerson
> sn: Stroeder
>
> ---------------------- modification operation ----------------------
> dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local
> changetype: modify
> add: departmentNumber
> departmentNumber: Abteilung 1
> -
>
> ---------------------- departments ----------------------
> dn: ou=Departments,ou=schulung,dc=stroeder,dc=local
> objectClass: organizationalUnit
> ou: Departments
>
> dn: ou=Abteilung 1,ou=Departments,ou=schulung,dc=stroeder,dc=local
> objectClass: organizationalUnit
> ou: Abteilung 1
>
> dn: ou=Abteilung 2,ou=Departments,ou=schulung,dc=stroeder,dc=local
> objectClass: organizationalUnit
> ou: Abteilung 2
>
> --------------------------------------------------------------
>
> Ciao, Michael
>
>
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
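
The thread above notes that slapd starts without complaint when a constraint URI carries a malformed filter, and that the internal search then simply returns no results. The following pre-deployment check is an added example, not code from this thread or from OpenLDAP. The function names filter_error and check_constraint_uris are hypothetical, the sample config is constructed from the excerpt quoted above, and the check covers parenthesis structure only, not a full RFC 4515 parse.

```python
import re
from urllib.parse import unquote

# Constructed sample: the departmentNumber URI carries the stray ")" quoted in the thread.
SAMPLE_CONF = """\
overlay constraint
constraint_attribute gender regex ^[0129]?$
constraint_attribute departmentNumber uri
  ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit))
constraint_attribute manager uri
  ldap:///ou=Managers,ou=schulung,dc=stroeder,dc=local?entryDN?one?(objectClass=inetOrgPerson)
"""

def filter_error(flt):
    """Return a reason string if the filter is structurally broken, else None."""
    if not flt.startswith("("):
        return "filter does not start with '('"
    depth = 0
    for pos, ch in enumerate(flt):
        # Literal parentheses in values are escaped (\28, \29), so every
        # raw "(" or ")" seen here is structural.
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return f"unmatched ')' at offset {pos}"
            if depth == 0 and pos != len(flt) - 1:
                return f"trailing text after filter at offset {pos + 1}"
    return None if depth == 0 else f"{depth} unclosed '('"

def check_constraint_uris(conf_text):
    """Return [(attribute, reason)] for constraint URIs whose filter is malformed."""
    # slapd.conf: a line that begins with whitespace continues the previous line.
    joined = re.sub(r"\n[ \t]+", " ", conf_text)
    findings = []
    for line in joined.splitlines():
        words = line.split(None, 3)
        if len(words) < 4 or words[0].lower() != "constraint_attribute" or words[2].lower() != "uri":
            continue
        # LDAP URL layout: base ? attrs ? scope ? filter ? extensions
        parts = words[3].strip().strip('"').split("?", 4)
        if len(parts) < 4 or not parts[3]:
            continue  # no filter component in this URI
        reason = filter_error(unquote(parts[3]))
        if reason:
            findings.append((words[1], reason))
    return findings
```
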