michael@stroeder.com wrote:
ando@sys-net.it wrote:
michael@stroeder.com wrote:
First this raises the question what to do if filters are not valid in configuration. I'd prefer if slapo-constraint would cause invalidFilter with an appropriate diagnosticMessage pointing to slapo-constraint configuration to be returned instead of silently assuming the attribute value is wrong.
AFAIK, an invalid filter in the configuration would prevent slapd from starting, although right now checks are not that tight.
ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit))
obviously contains an invalid filter. But slapd starts without complaining.
OK, this type of error is not caught basically because no real check is done besides parsing the URI. I was more concerned about erroneous filters as a result of constructing the constraint filter. However, I notice that even in case of an incorrect filter, str2filter() will not fail, but rather generate a filter with erroneous terminal filters marked as erroneous, without complaining. Moreover, the internal search will return as successful but likely with no results. This is the expected behavior for a real search. So tracing an incorrect filter is not that obvious.
Still it does not work for me. The filter seems to be ok now and returns the correct search result. But still the attribute value "Abteilung 1" is not accepted.
Can you provide the filter, the relevant data (or an excerpt of it) and the operation you're trying to perform?
I could provide a complete canned config in a personal e-mail if you want.
I'll let you know if that's needed. Maybe what you posted below is enough.
p.
Just for the ITS:
---------------------- excerpt slapd.conf ---------------------- overlay constraint constraint_attribute gender regex ^[0129]?$ constraint_attribute departmentNumber uri ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit) constraint_attribute manager uri ldap:///ou=Managers,ou=schulung,dc=stroeder,dc=local?entryDN?one?(objectClass=inetOrgPerson) ---------------------- entry to be modified ---------------------- dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local cn: Michael Stroeder givenName: Michael hasSubordinates: FALSE objectClass: inetOrgPerson sn: Stroeder
---------------------- modification operation ---------------------- dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local changetype: modify add: departmentNumber departmentNumber: Abteilung 1
---------------------- departments ---------------------- dn: ou=Departments,ou=schulung,dc=stroeder,dc=local objectClass: organizationalUnit ou: Departments
dn: ou=Abteilung 1,ou=Departments,ou=schulung,dc=stroeder,dc=local objectClass: organizationalUnit ou: Abteilung 1
dn: ou=Abteilung 2,ou=Departments,ou=schulung,dc=stroeder,dc=local objectClass: organizationalUnit ou: Abteilung 2
Ciao, Michael
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando@sys-net.it -----------------------------------
-
ando@sys-net.it