
RE: extended acl



Yes, initial thoughts did fall on regex and $1..$9
substitutions, but I wasn't sure the slapd src code
would relay the connection from ([^,]+) to the
$1 substitution.

Other aspects of slapd's use of regex also
worry me:
   access to dn=.*,mail=([^,]+)

Won't the ".*" match the succeeding ","?
Shouldn't all such cases of ".*" be replaced
by "[^,]*"?

What about "^" and "&" to match beginning of line and end of line?
Aren't they needed?


I should probably read the src code..
:)


> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Tuesday, June 15, 1999 1:42 PM
> To: Ivan Leong
> Cc: OpenLDAP-devel@OpenLDAP.Org
> Subject: Re: extended acl
> 
> 
> At 11:18 AM 6/15/99 +0800, Ivan Leong wrote:
> >each user can only look/search/write to his record
> >and his records in his addr book subtree.
> 
> Regex to the rescue...  (please excuse minor syntax errors)
> 
> # user can write to mail entries below self
> access to dn=mail=[^,]+,mail=([^,]+)
> 	by dn=mail=$1 write
> 
> # user can write to ANY entries below self
> access to dn=.*,mail=([^,]+)
> 	by dn=mail=$1 write
> 
> Both of these would still require a self write rule.
> Or you could:
> 
> access to dn=(.*,)?mail=([^,]+)
> 	by dn=mail=$2 write
> 
> >my question is, is anyone extending on openldap's
> >acl?
> 
> As needed, yes.  But you're more than welcome to
> contribute.
> 
> >support a new keyword "parent" might do it.
> 
> I think regex handles this simple case well.
> 
> Kurt
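The patterns quoted in this thread, run through Python's `re` module as an added illustration (not part of the thread, and not slapd's own matching code): it shows that ".*" does cross commas, as Ivan suspects, and how the captured $n value changes when the regex is anchored at both ends versus matched anywhere in the DN. Whether slapd anchored the pattern implicitly is exactly the open question here, so both cases are shown; the sample DNs are constructed.

```python
import re

# The regexes Kurt quoted, written as the part after "dn=" in an
# "access to dn=<regex>" line, plus Ivan's proposed "[^,]*" variant.
# Each entry is (regex, capture group holding the owner's mail address).
PATTERNS = {
    "one_level_below":    (r"mail=[^,]+,mail=([^,]+)", 1),
    "any_depth_below":    (r".*,mail=([^,]+)", 1),
    "self_or_below":      (r"(.*,)?mail=([^,]+)", 2),
    "one_level_no_comma": (r"[^,]*,mail=([^,]+)", 1),   # Ivan's "[^,]*" idea
}

def acl_owner(name, dn, anchored=True):
    """Apply a pattern from PATTERNS to a DN string and return the captured
    owner mail address (what $n would expand to), or None on no match.

    anchored=True behaves as if the regex were wrapped in ^...$ (re.fullmatch);
    anchored=False matches anywhere inside the DN (re.search).  Which of the
    two slapd does is an assumption left open, so both are exposed."""
    pattern, group = PATTERNS[name]
    m = re.fullmatch(pattern, dn) if anchored else re.search(pattern, dn)
    return m.group(group) if m else None

# Constructed sample DNs: alice's own entry, an address-book entry one level
# below it, one two levels below it, and one where the mail= components sit
# above an unrelated suffix (outside the subtree the rule is meant for).
SELF       = "mail=alice@example.org"
CHILD      = "mail=book1@example.org,mail=alice@example.org"
GRANDCHILD = "cn=peer,mail=book1@example.org,mail=alice@example.org"
SUFFIXED   = "mail=book1@example.org,mail=alice@example.org,ou=people,o=example"

if __name__ == "__main__":
    # Points to notice in the output:
    #  - any_depth_below on GRANDCHILD: ".*" swallows the comma-separated
    #    components and still yields alice, i.e. ".*" does match ",".
    #  - one_level_no_comma on GRANDCHILD: anchored -> None, but unanchored
    #    captures book1, the intermediate component, as the "owner".
    #  - any_depth_below on SUFFIXED: anchored -> None, unanchored -> alice,
    #    so without "$" the rule also covers DNs outside the intended subtree.
    for name in PATTERNS:
        for dn in (SELF, CHILD, GRANDCHILD, SUFFIXED):
            print(f"{name:20} anchored={str(acl_owner(name, dn)):20} "
                  f"unanchored={acl_owner(name, dn, anchored=False)}  {dn}")
```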