[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: extended acl

To: "Ivan Leong" <ivanl@pacific.net.sg>
Subject: RE: extended acl
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Tue, 15 Jun 1999 09:26:26 -0700
Cc: <OpenLDAP-devel@OpenLDAP.org>
In-reply-to: <NDBBJCODHKOEMPLCNOFGCEIDCBAA.ivanl@pacific.net.sg>
References: <3.0.5.32.19990614224150.0099de20@localhost>

At 02:21 PM 6/15/99 +0800, Ivan Leong wrote:
>yes, initial thoughts did fall on regex and $1..$9
>substitutions. but i wasn't sure slapd src code
>would relay the connection from ([^,]+) to the
>$1 substitution.
>
>other aspects of slapd's use of regex also
>worries me:
>   access to dn=.*,mail=([^,]+)
>
>won't the ".*" match the succeeding ","?

No, the expression requires that comma to be present.
Removing the ',' might have undesirable side effects
	dn=.*mail=([^,]+)

would match "mymail=foo".  Using a question operator
resolves that issue:
	dn=(.*,)?mail=([^,]+)

This of course, matches entries than
	access to dn=.*,mail=([^,]+)

>shouldn't all such cases of ".*" be replaced
>by "[^,]*"?

no. commas are allowed within certain attribute
values and is rdn deliminator.  I only use [^,]
in special cases (such as matching an email
address in the example of above).

>what abt "^" and "&" match begin line and end line?
You mean ^ and $, I assume.
>aren't they needed?

They might be... I'd have to read the code myself.  :-)
In fact, careful use of ^ and $ can enhance ACL
performance.

Kurt

References:
- Re: extended acl
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- RE: extended acl
  - From: "Ivan Leong" <ivanl@pacific.net.sg>

Prev by Date: which database backend
Next by Date: Re: index files grow with repeated add and delete (ITS#186)
Index(es):
- Chronological
- Thread