  1. OpenDJ
  2. OPENDJ-8079

targattrsfilters expression does not work with 2 filters but permits 1 or more than 2 filters

Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Fixed
    • 7.1.0
    • 7.2.0, 2021.8
    • access control
    • Reported on 7.1.0. Reproducible in previous version(s) too.

    Description

      Steps to reproduce:

      One objectClass in targattrfilters expression => No errors.

      ldapmodify...
      aci: (target="ldap:///ou=badn,*")
      (targetattr="userCertificate")
      (targattrfilters="add=objectClass:(objectClass=trustedUser)")
      (version 3.0;acl "Comment for ACI";allow (write)(groupdn = "ldap://cn=baadmins,o=example,c=BA || "ldap://cn=ldapadmins,o=example,c=BA");)
      
      # MODIFY operation successful for ....
      

      Two objectClass in targattrfilters expression => Error pointing to the following:

      ldapmodify...
      aci: (target="ldap:///ou=badn,*")
      (targetattr="userCertificate")
      (targattrfilters="add=objectClass:(objectClass=trustedUser),(objectClass=pkiUser)")
      (version 3.0;acl "Comment for ACI";allow (write)(groupdn = "ldap://cn=baadmins,o=example,c=BA || "ldap://cn=ldapadmins,o=example,c=BA");)
      
      # The LDAP modify request failed: 21 (Invalid Attribute Syntax)
      ... was found to be invalid according to the associated syntax: The provided Access Control Instruction (ACI) targattrfilter expression value add=objectClass:(objectClass=entrustUser),(objectClass=pkiUse) is invalid because it is not in the correct format.A valid targattrsfilters expression value must be in the following format: "add=attr1: F1 && attr2: F2 ... && attrN: FN,del= attr1: F1 && attr2: F2 ... && attrN: FN"
      

      Three objectClass in targattrfilters expression => No errors.

      ldapmodify ...
      aci: (target="ldap:///ou=badn,*")
      (targetattr="userCertificate")
      (targattrfilters="add=objectClass:(objectClass=trustedUser),(objectClass=pkiUser),(objectClass=top)")
      (version 3.0;acl "Comment for ACI";allow (write)(groupdn = "ldap://cn=baadmins,o=example,c=BA || "ldap://cn=ldapadmins,o=example,c=BA");) 
      
      # MODIFY operation successful for ....

      Expectation is to fail the operation if more than 1 filter is provided.
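
A checker for the format quoted in the error message above ("add=attr1: F1 && attr2: F2 ...,del=..."), which rejects any extra comma-separated filter regardless of how many follow. This is an added example, not OpenDJ's own parser or code from the issue; the function names are hypothetical, and the one-filter-per-attribute rule is taken from the expectation stated in the description.

```python
import re

OP_RE = re.compile(r"\s*(add|del)\s*=", re.IGNORECASE)

def split_top_level(text, sep):
    """Split on sep, ignoring separators nested inside parentheses."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(text):
        if text[i] in "()":
            depth += 1 if text[i] == "(" else -1
        elif depth == 0 and text.startswith(sep, i):
            parts.append(text[start:i])
            i += len(sep)
            start = i
            continue
        i += 1
    return parts + [text[start:]]

def is_single_filter(filt):
    """True only when filt is exactly one balanced parenthesised group."""
    filt = filt.strip()
    if not filt.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(filt):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            return i == len(filt) - 1  # nothing may follow the group
    return False

def check_targattrfilters(value):
    """Return a list of problems; an empty list means the value fits the format."""
    problems = []
    for section in split_top_level(value, ","):
        m = OP_RE.match(section)
        if not m:  # e.g. a second filter appended after a comma
            problems.append(f"unexpected text after a filter: {section.strip()!r}")
            continue
        op = m.group(1).lower()
        for term in split_top_level(section[m.end():], "&&"):
            attr, colon, filt = term.partition(":")
            if not (colon and attr.strip() and is_single_filter(filt)):
                problems.append(f"{op}: expected 'attr: (filter)', got {term.strip()!r}")
    return problems

if __name__ == "__main__":
    base = "add=objectClass:(objectClass=trustedUser)"  # values from the report
    for extra in ("", ",(objectClass=pkiUser)", ",(objectClass=pkiUser),(objectClass=top)"):
        print(base + extra, "->", check_targattrfilters(base + extra) or "OK")
```

Run against the three values from the report, it accepts the first and flags both the two-filter and the three-filter forms.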

            People

              ondrej.fuchsik Ondrej Fuchsik
              nuruddin.mazlan Nuruddin Mazlan
              Jean-Noël Rouvignac Jean-Noël Rouvignac
              Ondrej Fuchsik Ondrej Fuchsik