Ticket 50349 - filter schema validation
Bug Description: 389 should assert that all attributes in a filter
are present and valid in schema. If there are attributes in a filter
that are not in schema, this can lead to DOS due to fall-back to
un-indexed scans, and it also can mask and cover-up application and
development issues with queries. For example, the referenced case was
caused by IPA mistakenly searching an attribute that can never be
satisfied by ACI/filter. If we warned or rejected filters in this case
we would have quickly communicated to the developer that they had caused
a mistake - feedback, being a vital component of psychology and usability
theory.
This should optionally be allowed to be disabled, due to some sites that
use things like extensibleObject that by nature, bypass and violate schema
checks.
Fix Description: We now have a configuration item that has three levels:
off, warn, on. The idea is that with "on" we'll reject the filter and
won't execute it. With "warn", we evaluate the filter, but we map invalid
attributes to an empty IDL. And with "off" we have the "previous" behaviour. We
default to "warn", which is the RFC compliant behaviour.
https://pagure.io/389-ds-base/issue/50349
Author: William Brown <william@blackhats.net.au>
Review by: tbordaz, lkrispen (Thanks!)
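
Added example (not part of the commit and not 389-ds code): a small Python model of the three levels described above, showing how each attribute in a filter would be handled under "off", "warn" and "on". The schema set, the function names and the handling labels are assumptions made for illustration.

```python
import re

# Constructed sample schema (lower-cased attribute names); not 389-ds data.
SCHEMA = frozenset({"objectclass", "uid", "cn", "mail", "memberof"})

# Attribute description at the start of each RFC 4515 filter item:
# "(attr=", "(attr~=", "(attr>=", "(attr<=", "(attr;opt=", "(attr:rule:=".
_ITEM = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9-]*)(?:;[A-Za-z0-9-]+)*\s*(?:[~<>]?=|:)")


def filter_attrs(ldap_filter):
    """Attribute names used in the filter, in order, without duplicates."""
    seen = []
    for m in _ITEM.finditer(ldap_filter):
        if m.group(1).lower() not in (s.lower() for s in seen):
            seen.append(m.group(1))
    return seen


def plan_filter(ldap_filter, mode="warn", schema=SCHEMA):
    """Model the three levels: returns (decision, {attr: handling})."""
    if mode not in ("off", "warn", "on"):
        raise ValueError("mode must be off, warn or on")
    plan = {}
    for attr in filter_attrs(ldap_filter):
        if mode == "off":
            plan[attr] = "unchecked"      # previous behaviour, no schema test
        elif attr.lower() in schema:
            plan[attr] = "valid"
        else:
            # warn: evaluate, but the attribute matches nothing (empty IDL)
            plan[attr] = "empty-idl" if mode == "warn" else "invalid"
    if mode == "on" and "invalid" in plan.values():
        return "reject", plan             # filter is not executed
    return "execute", plan


if __name__ == "__main__":
    # Constructed filter with one misspelled attribute ("memberOff").
    f = "(&(objectClass=person)(|(uid=alice)(memberOff=cn=admins,dc=example,dc=com)))"
    for mode in ("off", "warn", "on"):
        print(mode, plan_filter(f, mode))
```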