
RE: LDAP Access Control



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw

> tor, 2002-09-19 kl. 17:21 skrev Frank Swasey:
>
> > > I don't understand the following regex, by the way, after having read
> > > the necessary: It doesn't make sense to me, but it obviously works:
> > > [^,]+
> > > To me it says: "Everything of one character or more, but not
> > > including a comma." As I said, it works (so does [^,]*), while .+ or .*
> > > doesn't. What's the difference?
>
> > Well, the difference is that "but not including a comma" part.  Without
> > preventing the comma from being included, your regex would match
> > something like
> > cn=Jo Bob,cn=Jim Bob,ou=people ... (can't remember what I snipped)
> > Also, the * instead of + would allow
> > cn=,ou=people ...
>
> Thanks for the trouble, but clear as mud, Frank.
>
> If you'd be so kind as to look at the quotes that I ... hrrrm ...
> quoted, you'll see that there are *no commas* in the bit that has the
> no-comma regex, whereas there are commas in the one without the no-comma
> regex, although the commas in the latter get ignored.
>
> I'm coming more and more to the conclusion that only the code writers
> here (mainly Kurt and Howard) know what they're talking about when it
> comes to regex. The rest say they do, but with them it's rather like
> with your local priest or mullah promising you eternal life if you do
> what he says.

I thought Frank's explanation was pretty clear. Perhaps you need to spend
some more time working with regular expressions in ed, sed, vi, or grep. More
cramming...

Remember that regexp matches are "greedy" - a pattern will go for the longest
possible match in a string. So a pattern "cn=.*,ou=foo" will match
	cn=joe,ou=sub,dc=xyz,ou=foo
	cn=bob,ou=foo
	cn=,ou=foo
etc...

A pattern that excludes commas gives you a finer degree of control. A pattern
that uses '+' instead of '*' will exclude matches with empty components. (Of
course, such a DN shouldn't have gotten into your DIT in the first place.)

Your original example of create/maintain apps should have worked with a
single rule:

access to dn.sub="cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
        attrs=entry,children
        by anonymous auth
        by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
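The greedy-versus-no-comma behaviour described above, and the way the captured
component feeds the "by dn=" clause, as an added Python illustration that is not
part of the thread and not OpenLDAP code. It runs the three patterns against the
three sample DNs Howard lists, then evaluates a toy stand-in for his single rule.
Anchored matching (re.fullmatch), the absence of DN normalisation, and the
access_for() evaluator itself are simplifications chosen here; slapd's own regex
engine and ACL evaluation are not modelled.

```python
import re

# Constructed sample DNs, taken from the three cases listed in the reply.
SAMPLE_DNS = [
    "cn=joe,ou=sub,dc=xyz,ou=foo",   # several components between cn= and ou=foo
    "cn=bob,ou=foo",                 # exactly one component
    "cn=,ou=foo",                    # empty cn component
]

PATTERNS = {
    "greedy":        r"cn=(.*),ou=foo",     # .* happily swallows commas
    "no_comma":      r"cn=([^,]+),ou=foo",  # one component, at least one char
    "no_comma_star": r"cn=([^,]*),ou=foo",  # one component, may be empty
}


def matching_dns(pattern, dns=SAMPLE_DNS):
    """Return (dn, captured component) pairs that `pattern` matches in full.

    fullmatch() is used so the pattern must cover the whole DN; this is a
    simplification of how slapd applies a dn regex.
    """
    rx = re.compile(pattern)
    return [(dn, m.group(1)) for dn in dns if (m := rx.fullmatch(dn))]


# Toy evaluator for the single rule in the reply. Hypothetical helper, not
# slapd's ACL engine: clauses are checked in the order they appear in the
# rule, and nothing matching falls through to "none".
PEOPLE_BASE = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
TARGET_RX = re.compile(r"cn=([^,]+)," + re.escape(PEOPLE_BASE))
ADMIN_DN = "cn=Admin,dc=billy,dc=demon,dc=nl"


def access_for(target_dn, bind_dn):
    """Return "write", "auth" or "none" for one target DN and one bound identity.

    bind_dn=None means an anonymous bind. DNs are compared literally; real
    slapd normalises case and spacing before matching.
    """
    m = TARGET_RX.fullmatch(target_dn)
    if not m:
        return "none"                     # rule does not apply to this target
    if bind_dn is None:
        return "auth"                     # by anonymous auth
    # by dn="cn=$1,ou=people,..." write: $1 is the captured cn component, so
    # only the entry's own identity (or the admin) gets write access.
    self_dn = f"cn={m.group(1)},{PEOPLE_BASE}"
    if bind_dn in (self_dn, ADMIN_DN):
        return "write"
    return "none"


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:14s} {pattern!r:24s} -> {matching_dns(pattern)}")
    alice = f"cn=alice,{PEOPLE_BASE}"
    print("alice on own entry :", access_for(alice, alice))
    print("admin on alice     :", access_for(alice, ADMIN_DN))
    print("anonymous on alice :", access_for(alice, None))
```

Running it shows why `.*` is the wrong tool for the first component: the greedy
pattern captures `joe,ou=sub,dc=xyz` from the first DN, so a rule built on `$1`
would compare against a DN nobody binds as, while `[^,]+` matches only
`cn=bob,ou=foo` and `[^,]*` additionally admits the empty `cn=`.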