https://bugs.openldap.org/show_bug.cgi?id=9595

Issue ID: 9595 Summary: indeterminate result of matching AVA in filter Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs@openldap.org Reporter: grapvar@gmail.com Target Milestone: ---

I have traced how test_ava_filter() matches an entry against an AVA and found out that result of matching may be indeterminate.

For concreteness, let us suppose an entry E is being matched against equality ava (A1=U). E has a few values for A1, in this particular order:

Attr Value (A1=U) match ---- ----- ------------ A1 V False A1 U True A1 @$%#^ #LDAP_INVALID_SYNTAX

overall matching result: TRUE.

But what if A1 values follow in other order?

Attr Value (A1=U) match ---- ----- ------------ A1 V False A1 @$%#^ #LDAP_INVALID_SYNTAX A1 U True

overall matching result: #LDAP_INVALID_SYNTAX.

But... wait, E has one more attribute A2, which subclasses A1. And their values happen to be in this order:

Attr Value (A1=U) match ---- ----- ------------ A1 V False A1 @$%#^ #LDAP_INVALID_SYNTAX A1 U True A2 U True A2 *%#$! #LDAP_INVALID_SYNTAX

overall matching result: TRUE again.

It seems rather unnatural and confusing that the given set of attributes and their values has indeterminate result of matching.

Be advised, please, that this issue has been reported by occasional visitor, from a developer point of view, not a user point of view, so I won't define, provide or construct any “valid use case”.