| |
@@ -35,7 +35,7 @@
|
| |
void
|
| |
do_search(Slapi_PBlock *pb)
|
| |
{
|
| |
- Slapi_Operation *operation;
|
| |
+ Slapi_Operation *operation = NULL;
|
| |
BerElement *ber;
|
| |
int i, err = 0, attrsonly;
|
| |
ber_int_t scope, deref, sizelimit, timelimit;
|
| |
@@ -220,6 +220,34 @@
|
| |
send_ldap_result(pb, err, NULL, errtxt, 0, NULL);
|
| |
goto free_and_return;
|
| |
}
|
| |
+ if (r == FILTER_SCHEMA_WARNING) {
|
| |
+ /* A notes=F will be logged in access log
|
| |
+ * Anyway make it noisy with a log in error log
|
| |
+ * as the behavior will change in upcoming release =>
|
| |
+ * it needs to be fixed
|
| |
+ */
|
| |
+ if (config_get_verify_filter_schema() == FILTER_POLICY_WARNING) {
|
| |
+ /* A component with unknown attribute was possibly processed
|
| |
+ * with an unindexed scan
|
| |
+ */
|
| |
+ slapi_log_err(SLAPI_LOG_WARNING, "do_search",
|
| |
+ "Search filter \"%s\" contains unknown attribute. Possible performance impact (conn=%d op=%d).\n",
|
| |
+ fstr ? fstr : "NULL",
|
| |
+ operation ? operation->o_connid : "unknown",
|
| |
+ operation ? operation->o_opid : "unknown");
|
| |
+ } else if (config_get_verify_filter_schema() == FILTER_POLICY_PROTECT) {
|
| |
+ /* A component with unknown attribute was translated in
|
| |
+ * a idl=0 (no entry matching). It protects the server against
|
| |
+ * unindexed scan but the return result may ignore some
|
| |
+ * matching entries
|
| |
+ */
|
| |
+ slapi_log_err(SLAPI_LOG_WARNING, "do_search",
|
| |
+ "Search filter \"%s\" contains unknown attribute. Possible invalid result set (conn=%d op=%d).\n",
|
| |
+ fstr ? fstr : "NULL",
|
| |
+ operation ? operation->o_connid : "unknown",
|
| |
+ operation ? operation->o_opid : "unknown");
|
| |
+ }
|
| |
+ }
|
| |
|
| |
/* attributes */
|
| |
attrs = NULL;
|
| |
Bug Description:
A filter component containing unknown attribute will (1.4.3)
match no entry. It can return a truncated set of matching entries.
This is notify in access logs (notes=F) but not in error logs.
To help admin to detect these problematic filters it need to be
log in error logs as well
Fix Description:
add a log when schema checking leads to note=F (FILTER_SCHEMA_WARNING)
https://pagure.io/389-ds-base/issue/50789
Reviewed by: ?
Platforms tested: F30
Flag Day: no
Doc impact: no