
HEADS UP: ACL CHANGES



I've just committed some experimental changes to the ACL code
to add better support for multiple listeners and TLS.

The new ACL grammar is:

<access clause> ::= access to <what> [ by <who> <access> ]+
<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]
<attrlist> ::= <attr> | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= [ * | anonymous | self | dn=<regex> ]
	[dnattr=<attrname>]
	[group[/<objectclass>[/<attrname>]]=<regex>]
	[peername=<regex>] [sockname=<regex>]
	[domain=<regex>] [sockurl=<regex>]
<access> ::= [self]{none|auth|compare|search|read|write}

("by" seems a bit odd now... maybe "when" would be more
appropriate...)

peername/sockname are of the form "ip=addr:port" where
address:port describe the endpoint returned by get{peer,sock}name.
The address is in dot (".") format and the port is numeric.
(example: "ip=10.0.0.1:123").  The address=<regex> who clause
is obsoleted by peername.  I have not attempted to provide
mapping to peername because I care not to rewrite the regex
(nor provide a separate address pattern clause).

sockurl is the listener URL which this session originates
from (as provided on the command line).  This can be used
to match "^ldaps://.*$" vs "^ldap://.*$".

This allows ACL like:

access to attr=userPassword
	by sockurl="^ldaps://.*" self write
	by peername="^ip=10\..*" self write
	by * auth
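As an added illustration (not part of Kurt's post or of the OpenLDAP code), here is a small Python evaluator for the <who> terms above, run against the userPassword example. It assumes slapd's first-match-wins order for the "by" clauses, reads the example's "self" as the <who> term naming the entry's own DN, and builds peername values in the "ip=addr:port" form the post documents; Session and ByClause are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Session:
    bind_dn: Optional[str]  # None = anonymous (no bind)
    peername: str           # "ip=addr:port" from getpeername(), as the post describes
    sockname: str           # "ip=addr:port" from getsockname()
    sockurl: str            # listener URL the session came in on

@dataclass
class ByClause:
    who: Dict[str, str]     # <who> terms, e.g. {"sockurl": "^ldaps://.*", "self": ""}
    access: str             # none|auth|compare|search|read|write

def who_matches(who: Dict[str, str], s: Session, target_dn: str) -> bool:
    """All terms of one <who> clause must hold for the clause to apply."""
    for key, pattern in who.items():
        if key == "*":
            continue                                  # anyone
        if key == "anonymous":
            if s.bind_dn is not None:
                return False
        elif key == "self":
            if s.bind_dn is None or s.bind_dn.lower() != target_dn.lower():
                return False
        elif key in ("dn", "peername", "sockname", "sockurl"):
            subject = {"dn": s.bind_dn or "", "peername": s.peername,
                       "sockname": s.sockname, "sockurl": s.sockurl}[key]
            if re.search(pattern, subject) is None:  # regex, like regexec()
                return False
        else:
            raise ValueError(f"unsupported <who> term: {key}")
    return True

def evaluate(clauses: List[ByClause], s: Session, target_dn: str) -> str:
    """First 'by' clause whose <who> matches wins (assumed, as slapd does); else 'none'."""
    for c in clauses:
        if who_matches(c.who, s, target_dn):
            return c.access
    return "none"

# The post's userPassword ACL, with the peername regex written against the
# "ip=addr:port" form the post documents (constructed, illustrative policy).
USERPASSWORD_ACL = [
    ByClause({"sockurl": "^ldaps://.*", "self": ""}, "write"),
    ByClause({"peername": "^ip=10\\..*", "self": ""}, "write"),
    ByClause({"*": ""}, "auth"),
]
```

Note that a peername regex written as "^ip:10\..*" never matches an "ip=addr:port" string, so such a clause silently falls through to the "by * auth" line.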

Feedback encouraged.
	Kurt