Re: Regular expressions in access control lists (ACLs)

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 05:36 AM 4/2/99 +0200, Hallvard B Furuseth wrote:
>People,
>
>do you use regular expressions in ACLs in slapd.conf, as in
>	(cn=John|Abel)*,o=somewhere

One of my personal favorite (excuse me if it's off slightly,
I'm doing this from memory):

access to dn="(.*,)?dc=([:alnum:]+),dc=([:alnum:]+)" 
 by "group="cn=(Administrators|PrivServices),ou=Groups,dc=$2,dc=$3" write  
 by * none

>Regular expressions in ACLs are bug-prone because
>- they can't handle DNs that contain both case-sensitive and
>  case-insensitive attributes,

DN, itself, is case insensitive string.  We could (and maybe
should) uppercase the dn/group regex's on input and then match
them against the entry's normalized, uppercased dn.

>- it's hard to "normalize" a regular expression matching a DN (e.g.
>  remove spaces i front of the "," between RDNs, convert to uppercase
>  when necessary, and so on).

We only require the spaces be eliminated.  The regex are applied
insensitive to case.  This works because dn, hostnames, and
addresses are all case insensitive.

>  The ACL won't work properly when that's
>  done wrong - unless the ACL already matches the DN's normalized form.

The fact that a some folks cannot write a regex to match a normalized
DN is poor reason to remove the functionality used by others.

Kurt