Description of problem:
Bitwise plugin doesn't return the exact matching entries for Bitwise AND & OR operators.

Steps to Reproduce:
1. Install RHDS 9.0 latest packages.
2. Create an instance and add custom schema to add users with custom attributes.
3. Add users with "testUserAccountControl" attribute.

Schema.ldif

dn: cn=schema
attributeTypes: ( NAME 'testUserAccountControl' DESC 'Attribute Bitwise filteri-Multi-Valued' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributeTypes: ( NAME 'testUserStatus' DESC 'State of User account active/disabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( NAME 'testperson' SUP top STRUCTURAL MUST ( sn $ cn $ testUserAccountControl $ testUserStatus ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) X-ORIGIN 'BitWise' )

User.ldif

dn: uid=btestuser1,dc=bitwise,dc=com
testUserAccountControl: 514
testUserStatus: Disabled

dn: uid=btestuser2,dc=bitwise,dc=com
testUserAccountControl: 512
testUserStatus: Enabled

dn: uid=btestuser3,dc=bitwise,dc=com
testUserAccountControl: 512
testUserStatus: Disabled

dn: uid=btestuse4,dc=bitwise,dc=com
testUserAccountControl: 514
testUserStatus: Enabled

Run ldapsearch with a bitwise search filter and verify the results.

ldapsearch -x -b "dc=bitwise,dc=com" "(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=512))"

Actual results:
It returns all 4 entries from the suffix.

Expected results:
It should return only two entries which are enabled. It should be
dn: uid=btestuser2,dc=bitwise,dc=com
dn: uid=btestuser3,dc=bitwise,dc=com

Additional info:
"(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=512))" -- to list only the enabled accounts.
"(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=514))" -- to list only the disabled accounts
"(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.804:=512))" -- to list only the enabled accounts
"(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.804:=514))" -- to list enabled as well as disabled accounts

All the above filters produce the same results irrespective of the operator (AND or OR).
Created attachment 386875 [details] patch
Comment on attachment 386875 [details] patch ack.
To ssh://git.fedorahosted.org/git/389/ds.git
   9b38ac3..73fdd3b  master -> master

commit 73fdd3b8945a34cc3d386c697e4e99560ba7997a
Author: Rich Megginson <rmeggins>
Date: Tue Jan 26 09:51:05 2010 -0700

Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: The Microsoft Windows AD bitwise filters do not work exactly like the usual bitwise AND (&) and OR (|) operators. For the AND case the matching rule is true only if all bits from the value given in the filter value match the value from the entry. For the OR case, the matching rule is true if any bits from the value given in the filter match the value from the entry. For the AND case, this means that even though (a & b) is True, if (a & b) != b, the matching rule will return False. For the OR case, this means that even though (a | b) is True, this may be because there are bits in a. But we only care about bits in a that are also in b. So we do (a & b) - this will return what we want, which is to return True if any of the bits in b are also in a.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
fix verified - thanks rich!

- redhat-ds-base-8.2.0-2010050604.el5dsrv
- RHEL 5 32bit

ldapsearch -x -h jennyv2.bos.redhat.com -p 389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com" "(&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=2))"

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectclass=testperson)(testUserAccountControl:1.2.840.113556.1.4.803:=2))
# requesting: ALL
#

# btestuser1, example.com
dn: uid=btestuser1,dc=example,dc=com
mail: btestuser1
uid: btestuser1
givenName: bit
objectClass: top
objectClass: testperson
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: person
sn: testuser1
cn: bit testuser1
testUserAccountControl: 514
testUserStatus: Disabled
userPassword:: e1NTSEF9d2dSK1lEVGE3a3R6WWVxS2p3OTAyZnd3VStDY1h4QzZHRTJrYmc9PQ=
 =

# btestuser4, example.com
dn: uid=btestuser4,dc=example,dc=com
mail: btestuser4
uid: btestuser4
givenName: bit
objectClass: top
objectClass: testperson
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: person
sn: testuser4
cn: bit testuser4
testUserAccountControl: 514
testUserStatus: Enabled
userPassword:: e1NTSEF9Qi80MW01d3NGK0N5eTdPWlZSaE15VGNUK0NMaUM2MTBkLzQrT1E9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
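
Added example, not part of the original report and not the 389-ds plugin source: the two matching rules as the fix description states them, applied to the four testUserAccountControl values from User.ldif with the filter values 512, 514 and 2 used on this page. The function names, and the "plain" variants standing in for the usual & and | operators the commit message contrasts against, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* a = value stored in the entry, b = value given in the filter. */

/* Usual C operators (assumed reading of "the usual bitwise AND and OR"). */
int plain_and(unsigned long a, unsigned long b) { return (a & b) != 0; }
int plain_or(unsigned long a, unsigned long b)  { return (a | b) != 0; }

/* Rule ...803 per the fix description: every bit of b must be set in a. */
int rule_and(unsigned long a, unsigned long b) { return (a & b) == b; }

/* Rule ...804 per the fix description: any bit of b set in a is enough. */
int rule_or(unsigned long a, unsigned long b)  { return (a & b) != 0; }

typedef int (*match_fn)(unsigned long, unsigned long);

/* testUserAccountControl of the four test users, copied from User.ldif. */
static const unsigned long ENTRIES[] = { 514, 512, 512, 514 };
#define N_ENTRIES (sizeof ENTRIES / sizeof ENTRIES[0])

/* Number of test entries a filter value selects under a given rule. */
size_t count_matches(match_fn fn, unsigned long filter)
{
    size_t n = 0;
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (fn(ENTRIES[i], filter))
            n++;
    return n;
}

int main(void)
{
    const unsigned long filters[] = { 512, 514, 2 };

    puts("filter  plain&  803  plain|  804");
    for (size_t i = 0; i < sizeof filters / sizeof filters[0]; i++) {
        unsigned long f = filters[i];
        printf("%6lu  %6zu  %3zu  %6zu  %3zu\n", f,
               count_matches(plain_and, f), count_matches(rule_and, f),
               count_matches(plain_or, f),  count_matches(rule_or, f));
    }
    return 0;
}
```

Bit 512 is set in all four stored values, so a filter value of 512 selects every entry under either rule; only filter values containing bit 2 separate the 514 entries from the 512 ones, as in the verification search with :=2.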