Full_Name: Daniel Kauffman
Version: 2.4.40
OS: Debian 8.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.178.89.137)
Issue:
Using access control set=<setspec> to compare an attribute value against a string converts the attribute value to lower case but does not convert the string to lower case, so matching sometimes fails unexpectedly.
Expected behavior:
When an attribute value is compared against a string, matching should use the attribute equality matching rule to determine whether or not to do a case-sensitive match. An exact match would not convert either the attribute value or the string, and a case-insensitive matching rule would convert both the attribute value and the string for comparison.
Steps to reproduce:
Create a user objectclass with a roleName attribute and set the attribute value to "canBrowse". Note the mixed case.
Create an access control statement with mixed case:
olcAccess: to * by set="user/roleName & [canBrowse]" read
Because the roleName attribute value is converted to lower-case before comparison, the above will always fail, regardless of the case of the roleName attribute value.
However, this works, regardless of the case of the roleName attribute value:
olcAccess: to * by set="user/roleName & [canbrowse]" read
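
The comparison behaviour reported above, modelled as an added example (not part of the original report and not OpenLDAP's code): `matches_as_reported` lower-cases only the attribute values, `matches_expected` applies one rule to both sides, and `risky_literals` flags bracketed set literals that contain upper case and so can never match under the reported behaviour. All function names are hypothetical; the sample ACL lines are the two statements from the report.

```python
import re

# The two ACL statements quoted in the report, used as sample input.
SAMPLE_ACLS = [
    'olcAccess: to * by set="user/roleName & [canBrowse]" read',
    'olcAccess: to * by set="user/roleName & [canbrowse]" read',
]

SET_SPEC = re.compile(r'\bset(?:\.\w+)?="([^"]*)"')  # set="<setspec>"
LITERAL = re.compile(r'\[([^\]]*)\]')                # [string literal]


def literals_in(acl_line):
    """Return the bracketed string literals of every set= clause on the line."""
    found = []
    for spec in SET_SPEC.findall(acl_line):
        found.extend(LITERAL.findall(spec))
    return found


def matches_as_reported(attr_values, literal):
    """Model of the reported behaviour: values are lower-cased, the literal is not."""
    return literal in {v.lower() for v in attr_values}


def matches_expected(attr_values, literal, case_insensitive):
    """Model of the requested behaviour: one matching rule applied to both sides."""
    norm = str.lower if case_insensitive else (lambda s: s)
    return norm(literal) in {norm(v) for v in attr_values}


def risky_literals(acl_line):
    """Literals containing upper case, which never match under the reported behaviour."""
    return [lit for lit in literals_in(acl_line) if lit != lit.lower()]


if __name__ == "__main__":
    stored = ["canBrowse"]  # roleName value from the reproduction steps
    for acl in SAMPLE_ACLS:
        for lit in literals_in(acl):
            print(f"[{lit}] reported={matches_as_reported(stored, lit)} "
                  f"expected={matches_expected(stored, lit, True)}")
        for lit in risky_literals(acl):
            print(f"  review: mixed-case literal [{lit}] in: {acl}")
```

Running the lint over exported `olcAccess` values before and after an upgrade shows which set rules depend on literal case.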