Bug 543080

Summary: Bitwise plugin fails to return the exact matched entries for Bitwise search filter
Product: Red Hat Directory Server
Reporter: Sankar Ramalingam <sramling>
Component: Server - Plugins
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: urgent
Priority: urgent
Version: 9.0
CC: jgalipea, vtsuryawanshi
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-05-06 14:32:54 UTC
Bug Blocks: 434914, 543590
Attachments: patch (Flags: nhosoi: review+)

Description Sankar Ramalingam 2009-12-01 16:56:29 UTC
Description of problem: Bitwise plugin doesn't return the exact matching entries for Bitwise AND & OR operators.

Steps to Reproduce:
1. Install RHDS 9.0 latest packages.
2. Create an instance and add custom schema to add users with custom attributes.
3. Add users with "testUserAccountControl" attribute.


dn: cn=schema
attributeTypes: ( NAME 'testUserAccountControl' DESC 'Attribute Bitwise filteri-Multi-Valued' SYNTAX )
attributeTypes: ( NAME 'testUserStatus' DESC 'State of User account active/disabled' SYNTAX )
objectClasses: ( NAME 'testperson' SUP top STRUCTURAL MUST ( sn $ cn $ testUserAccountControl $ testUserStatus )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) X-ORIGIN BitWise' )


dn: uid=btestuser1,dc=bitwise,dc=com
testUserAccountControl: 514
testUserStatus: Disabled

dn: uid=btestuser2,dc=bitwise,dc=com
testUserAccountControl: 512
testUserStatus: Enabled

dn: uid=btestuser3,dc=bitwise,dc=com
testUserAccountControl: 512
testUserStatus: Disabled

dn: uid=btestuse4,dc=bitwise,dc=com
testUserAccountControl: 514
testUserStatus: Enabled

Run ldapsearch with a bitwise search filter and verify the results.

ldapsearch -x -b "dc=bitwise,dc=com" "(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=512))"
Actual results: It returns all 4 entries from the suffix.

Expected results: It should return only two entries which are enabled.
It should be 
dn: uid=btestuser2,dc=bitwise,dc=com
dn: uid=btestuser3,dc=bitwise,dc=com

Additional info:

"(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=512))" -- to list only the enabled accounts
"(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=514))" -- to list only the disabled accounts
"(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.804:=512))" -- to list only the enabled accounts
"(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.804:=514))" -- to list enabled as well as disabled accounts

All the above filters produce the same results irrespective of the operator (AND or OR).

Comment 1 Rich Megginson 2010-01-26 16:51:26 UTC
Created attachment 386875

Comment 2 Noriko Hosoi 2010-01-26 16:56:47 UTC
Comment on attachment 386875


Comment 3 Rich Megginson 2010-01-26 17:05:22 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   9b38ac3..73fdd3b  master -> master

commit 73fdd3b8945a34cc3d386c697e4e99560ba7997a
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Tue Jan 26 09:51:05 2010 -0700

    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD
    Fix Description: The Microsoft Windows AD bitwise filters do not work exactly
    like the usual bitwise AND (&) and OR (|) operators.
    For the AND case the matching rule is true only if all bits from the value
    given in the filter value match the value from the entry.
    For the OR case, the matching rule is true if any bits from the value given
    in the filter match the value from the entry.
    For the AND case, this means that even though (a & b) is True,
    if (a & b) != b, the matching rule will return False.
    For the OR case, this means that even though (a | b) is True,
    this may be because there are bits in a.  But we only care
    about bits in a that are also in b.  So we do (a & b) - this
    will return what we want, which is to return True if any of
    the bits in b are also in a.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
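
The matching semantics described in the commit message above, as an added C example that is not the plugin's code or part of the original bug report. The function names, the `ad` switch and the string-to-integer parsing are assumptions made for illustration; the sample values are the four `testUserAccountControl` values from the report.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

enum bit_op { BIT_AND, BIT_OR };  /* ...4.803 = AND rule, ...4.804 = OR rule */

/* Parse an unsigned decimal attribute value; 0 on success, -1 on junk. */
static int parse_u64(const char *s, unsigned long long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    *out = strtoull(s, &end, 10);
    return (errno != 0 || *end != '\0') ? -1 : 0;
}

/* a = value from the entry, b = value from the filter.
 * ad != 0: semantics from the commit message, AND -> (a & b) == b,
 *          OR -> (a & b) != 0.
 * ad == 0: truthiness of the usual operators, (a & b) and (a | b). */
int bit_match(int ad, enum bit_op op, const char *entry_val, const char *filter_val)
{
    unsigned long long a, b;
    if (parse_u64(entry_val, &a) || parse_u64(filter_val, &b)) return 0;
    if (ad) return op == BIT_AND ? (a & b) == b : (a & b) != 0;
    return op == BIT_AND ? (a & b) != 0 : (a | b) != 0;
}

/* Count how many of n values match the filter. */
int count_matches(int ad, enum bit_op op, const char *const *vals, int n,
                  const char *filter)
{
    int hits = 0;
    for (int i = 0; i < n; i++) hits += bit_match(ad, op, vals[i], filter);
    return hits;
}

/* testUserAccountControl of the four entries in the report, in order. */
const char *const REPORT_VALUES[4] = { "514", "512", "512", "514" };

int main(void)
{
    const char *filters[] = { "2", "512", "514" };
    for (int i = 0; i < 3; i++)
        printf("AND filter %s: usual=%d ad=%d\n", filters[i],
               count_matches(0, BIT_AND, REPORT_VALUES, 4, filters[i]),
               count_matches(1, BIT_AND, REPORT_VALUES, 4, filters[i]));
    return 0;
}
```

With the report's values, the AND rule with filter value 2 selects only the two entries holding 514, which is the result shown in the verification in Comment 8.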

Comment 8 Jenny Severance 2010-05-06 15:17:03 UTC
fix verified - thanks rich!  - redhat-ds-base-8.2.0-2010050604.el5dsrv - RHEL 5 32bit

ldapsearch -x -h jennyv2.bos.redhat.com -p 389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com"  "(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=2))"
# extended LDIF
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=2))
# requesting: ALL

# btestuser1, example.com
dn: uid=btestuser1,dc=example,dc=com
mail: btestuser1@redhat.com
uid: btestuser1
givenName: bit
objectClass: top
objectClass: testperson
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: person
sn: testuser1
cn: bit testuser1
testUserAccountControl: 514
testUserStatus: Disabled
userPassword:: e1NTSEF9d2dSK1lEVGE3a3R6WWVxS2p3OTAyZnd3VStDY1h4QzZHRTJrYmc9PQ=

# btestuser4, example.com
dn: uid=btestuser4,dc=example,dc=com
mail: btestuser4@redhat.com
uid: btestuser4
givenName: bit
objectClass: top
objectClass: testperson
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: person
sn: testuser4
cn: bit testuser4
testUserAccountControl: 514
testUserStatus: Enabled
userPassword:: e1NTSEF9Qi80MW01d3NGK0N5eTdPWlZSaE15VGNUK0NMaUM2MTBkLzQrT1E9PQ=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2