Red Hat Bugzilla – Bug 1044194
Complex filter in a search request doesn't work as expected.
Last modified: 2015-03-05 04:32:53 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/47521

Hi,

Please find below the reproducer details with the examples.

Complex filter example:

"(&(&(uid=test1)(cn=t1 est))(&(gidnumber=20))(uidnumber=2558)(&(sn=est)))"

In the above filter, as you can see, the "uidnumber=2558" sub filter is not associated with any Boolean operator (AND or OR or NOT), which results in this sub filter going missing from the filter after the decoding process.

The error log details are given below.

======
[23/Sep/2013:04:42:58 +051800] index_subsys_assign_filter_decoders - before: (&(&(uid=test1)(cn=t1 est))(&(gidNumber=20))(uidNumber=2558)(&(sn=est)))
======
>>> The index subsystem takes the complex filter as argument for the decoding.

[23/Sep/2013:04:42:58 +051800] - slapi_filter_free type 0xA0
[23/Sep/2013:04:42:58 +051800] - slapi_filter_free type 0xA0
[23/Sep/2013:04:42:58 +051800] - slapi_filter_free type 0xA0

=====
[23/Sep/2013:04:42:58 +051800] index_subsys_assign_filter_decoders - after: (&(uid=test1)(cn=t1 est)(gidNumber=20)(sn=est))
=====
>>> After decoding, as you can see in the above line, the "uidnumber=2558" is missing, which is not going to be considered during the database search.

Here, as the whole of the complex filter is preceded by an outer "&" operator, why is the sub filter in this case being ignored from the search request?
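A check for the symptom reported above, as an added example that is not part of the original report and is not 389 Directory Server code: it parses the "before" and "after" filter strings from the error log and lists any assertion the rewrite lost. The function names are hypothetical, and the comparison also covers nested "|" groups, which goes beyond the "&" case in the report.

```python
"""Check that a rewritten LDAP filter kept every assertion of the original."""

# Filter strings copied from the error log in this report.
BEFORE = "(&(&(uid=test1)(cn=t1 est))(&(gidNumber=20))(uidNumber=2558)(&(sn=est)))"
AFTER = "(&(uid=test1)(cn=t1 est)(gidNumber=20)(sn=est))"

def _parse(s, i):
    # Parse one parenthesised filter starting at s[i]; return (node, next_index).
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, tuple(kids)), i + 1
    # RFC 4515 escapes literal parentheses in values, so the next ')' ends the item.
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    return ("leaf", s[i:j]), j + 1

def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node

def canonical(node):
    # Merge (&(&..)..) and (|(|..)..), unwrap one-child groups, sort siblings.
    op, body = node
    if op == "leaf":
        attr, sep, val = body.partition("=")
        return ("leaf", attr.lower() + sep + val)  # attribute names are case-insensitive
    kids = [canonical(k) for k in body]
    if op == "!":
        return ("!", tuple(kids))
    flat = [g for k in kids for g in (k[1] if k[0] == op else (k,))]
    return flat[0] if len(flat) == 1 else (op, tuple(sorted(set(flat))))

def leaves(node):
    op, body = node
    return {body} if op == "leaf" else set().union(*(leaves(k) for k in body))

def equivalent(a, b):
    return canonical(parse_filter(a)) == canonical(parse_filter(b))

def dropped_assertions(before, after):
    keep = leaves(canonical(parse_filter(after)))
    return sorted(leaves(canonical(parse_filter(before))) - keep)
```
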
[root@dhcp201-126 ~]# ldapadd -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: uid=test1,dc=example,dc=com
> cn: t1 est
> sn: est
> givenname: ams
> gidnumber: 20
> uidnumber: 2558
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> objectClass: posixAccount
> uid: test1
> mail: ams@example.com
> homeDirectory: /home/test1
> userpassword: Secret123
> EOF
adding new entry "uid=test1,dc=example,dc=com"

[root@dhcp201-126 ~]# ldapsearch -LLL -D "cn=directory manager" -w Secret123 -p 389 -h localhost -b "dc=example,dc=com" "(&(&(uid=test1)(cn=t1 est))(&(gidnumber=20))(uidnumber=2558)(&(sn=est)))"
dn: uid=test1,dc=example,dc=com
cn: t1 est
sn: est
givenName: ams
gidNumber: 20
uidNumber: 2558
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: test1
mail: ams@example.com
homeDirectory: /home/test1
userPassword:: e1NTSEF9bVBaTldhRTl0dGRiZ3pLZ1FsQzFzczR2OUJ6bkNQang5QU1heXc9PQ=

worked as expected, hence VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0416.html