Full_Name: John Alex. Version: 2.4.39 OS: FreeBSD 9.2 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (37.6.134.63)
Values of reqAttr in accesslog entries are not searchable the normal way if they contain at least an uppercase character.
Even though the reqAttr attribute has a caseIgnoreMatch search rule, the only way to search for values containing uppercase characters is to explicitly use a caseExactMatch rule.
Consider this accesslog entry for example:
dn: reqStart=20140905054555.000001Z,cn=accesslog objectClass: auditSearch reqAttr: givenName reqAttrsOnly: FALSE reqAuthzID: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth reqDerefAliases: never reqDN: dc=example,dc=com reqEnd: 20140905054555.000002Z reqEntries: 9 reqFilter: (objectClass=*) reqResult: 0 reqScope: sub reqSession: 1268 reqSizeLimit: 500 reqStart: 20140905054555.000001Z reqTimeLimit: 3600 reqType: search
Searching with "(reqAttr=givenName)" will not return results, while using "(reqAttr:caseExactMatch:=givenName)" will return the above entry. Accesslog entries where values of reqAttr contain only lowercase characters are returned correctly with the "(reqAttr=givenName)" filter.
The same behavior can be observed with reqFilter (and probably other attributes as well but I didn't test).
This applies to entries added to the db by the accesslog overlay and not to entries otherwise inserted.