RE: extended acl
yes, initial thoughts did fall on regex and $1..$9
substitutions. but i wasn't sure slapd src code
would relay the connection from ([^,]+) to the
$1 substitution.
other aspects of slapd's use of regex also
worry me:
access to dn=.*,mail=([^,]+)
won't the ".*" match the succeeding ","?
shouldn't all such cases of ".*" be replaced
by "[^,]*"?
what about "^" and "&" match begin line and end line?
aren't they needed?
i should probably read the src code ..
:)
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Tuesday, June 15, 1999 1:42 PM
> To: Ivan Leong
> Cc: OpenLDAP-devel@OpenLDAP.Org
> Subject: Re: extended acl
>
>
> At 11:18 AM 6/15/99 +0800, Ivan Leong wrote:
> >each user can only look/search/write to his record
> >and his records in his addr book subtree.
>
> Regex to the rescue... (please excuse minor syntax errors)
>
> # user can write to mail entries below self
> access to dn=mail=[^,]+,mail=([^,]+)
> by dn=mail=$1 write
>
> # user can write to ANY entries below self
> access to dn=.*,mail=([^,]+)
> by dn=mail=$1 write
>
> Both of these would still require a self write rule.
> Or you could:
>
> access to dn=(.*,)?mail=([^,]+)
> by dn=mail=$2 write
>
> >my question is, is anyone extending on openldap's
> >acl?
>
> As needed, yes. But you're more than welcome to
> contribute.
>
> >support a new keyword "parent" might do it.
>
> I think regex handles this simple case well.
>
> Kurt
>
>
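
The two regex questions raised in this thread (whether ".*" crosses a "," and whether anchors matter), worked through as an added example that is not from either message and is not slapd code. It models the quoted rules with plain POSIX extended regexes; `match_group`, `rule_grants`, the `anchored` switch and every DN are assumptions made for illustration, and whether slapd itself anchors patterns is not modelled.

```c
/* Added example, not slapd source: models "access to dn=<to> by dn=mail=$N write"
 * with plain POSIX extended regexes. All DNs below are constructed. */
#include <regex.h>
#include <stdio.h>

/* Match s against pat; on success copy capture group grp into out (if non-NULL). */
static int match_group(const char *pat, const char *s, int grp, char *out, size_t n)
{
    regex_t re;
    regmatch_t m[10];
    int ok;
    if (grp < 0 || grp > 9 || regcomp(&re, pat, REG_EXTENDED) != 0)
        return 0;
    ok = (regexec(&re, s, 10, m, 0) == 0);
    if (ok && out != NULL) {
        if (m[grp].rm_so < 0)
            ok = 0;                       /* group did not take part in the match */
        else
            snprintf(out, n, "%.*s", (int)(m[grp].rm_eo - m[grp].rm_so), s + m[grp].rm_so);
    }
    regfree(&re);
    return ok;
}

/* 1 if requester gets write on target. anchored != 0 wraps both patterns in ^...$.
 * The capture is substituted unescaped, so a '.' in it still means "any character". */
int rule_grants(const char *to_pat, int grp, const char *target,
                const char *requester, int anchored)
{
    const char *a = anchored ? "^" : "", *z = anchored ? "$" : "";
    char cap[256], to[512], by[512];
    snprintf(to, sizeof to, "%s%s%s", a, to_pat, z);
    if (!match_group(to, target, grp, cap, sizeof cap))
        return 0;
    snprintf(by, sizeof by, "%smail=%s%s", a, cap, z);
    return match_group(by, requester, 0, NULL, 0);
}

int main(void)
{
    const char *deep = "cn=x,mail=bob@example.com,mail=alice@example.com";
    const char *child = "mail=bob@example.com,mail=alice@example.com";
    printf(".*    deep entry, alice: %d\n", rule_grants(".*,mail=([^,]+)", 1, deep, "mail=alice@example.com", 1));
    printf("[^,]* deep entry, alice: %d\n", rule_grants("[^,]*,mail=([^,]+)", 1, deep, "mail=alice@example.com", 1));
    printf("unanchored, longer addr: %d\n", rule_grants("mail=[^,]+,mail=([^,]+)", 1, child, "mail=alice@example.com.au", 0));
    printf("anchored,   longer addr: %d\n", rule_grants("mail=[^,]+,mail=([^,]+)", 1, child, "mail=alice@example.com.au", 1));
    return 0;
}
```

In this model ".*" does span commas, which is what lets the "ANY entries below self" rule reach entries more than one level down, and swapping in "[^,]*" limits it to a single level. Without anchors, the substituted `by` pattern also matches a longer requester DN that merely starts with the owner's address.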