Re: commit: ldap/servers/slapd acl.c aclparse.c slap.h
- To: OpenLDAP Commit <openldap-commit2devel@OpenLDAP.org>
- Subject: Re: commit: ldap/servers/slapd acl.c aclparse.c slap.h
- From: Pierangelo Masarati <masarati@aero.polimi.it>
- Date: Wed, 03 Apr 2002 16:11:34 +0200
- Organization: Dipartimento di Ingegneria Aerospaziale
- References: <200204031342.g33DgJQ45912@boole.openldap.org>
ando@OpenLDAP.org wrote:
>
> Log Message:
> various acl improvements/cleanups/speedups (need to be documented, though)
I'm trying to make ACLs more expressive and versatile; to this
purpose, I added a style-modifier field in the form
    <who> ::= [<type>[.<style>[,<modifier>]]=]<pattern>
where <modifier> at present is "expand"; this allows
to call for match substitution even in base, one, subtree,
children styles, without incurring the overhead of
regex (it may be slow on some architectures, and match
expansion and regex match are two different composition
rules for pattern matching).
At present I enabled it only for "dn" and "domain" <type>s,
because there is some interesting application of dns-style
naming contexts and domain access control (think of
    access to dn.regex=".*dc=([^,]+),dc=([^,]+)$"
        by domain.subtree,expand="$1.$2" read
        by * none
as an example; while this could be made with regex style,
the former should be slightly more efficient).
I also envisage precompilation of expansible patterns,
which should result in way better performing ACLs (the
same precompilation should apply to match expansion for
regex checks).
BTW, the number of substitutions has been raised above 9,
which are referenced as "${n}"; of course, if no curly
brackets are used, a single digit is considered.
Ando.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano |
mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy |
http://www.aero.polimi.it/~masarati
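
The example ACL from the message above, worked through as an added Python sketch (not slapd's code and not part of the original mail). It assumes that "subtree" on a domain means "equal to, or a subdomain of, the expanded pattern", that domain comparison is case-insensitive, and that a reference to a submatch that does not exist makes the clause fail; the function names are hypothetical.

```python
import re

# "${n}" takes any number of digits; a bare "$n" takes exactly one digit,
# as described in the mail.
_REF = re.compile(r"\$(?:\{(\d+)\}|(\d))")

def expand(pattern, groups):
    """Substitute $n / ${n} in pattern with groups[n] (groups[0] = whole match)."""
    def repl(m):
        n = int(m.group(1) or m.group(2))
        if n >= len(groups) or groups[n] is None:
            # Assumption: a missing submatch is an error, so the clause cannot match.
            raise ValueError("no submatch %d" % n)
        return groups[n]
    return _REF.sub(repl, pattern)

def domain_subtree(client, domain):
    """Assumed subtree semantics: same domain, or a subdomain on a label boundary."""
    client, domain = client.lower().rstrip("."), domain.lower().rstrip(".")
    # The leading "." keeps "evilexample.com" from matching "example.com".
    return client == domain or client.endswith("." + domain)

def access(target_dn, client_host):
    """Evaluate the two 'by' clauses of the example ACL for one request."""
    m = re.search(r".*dc=([^,]+),dc=([^,]+)$", target_dn)
    if m is None:
        return None  # this 'access to' rule does not cover the entry
    groups = [m.group(0)] + list(m.groups())
    try:
        if domain_subtree(client_host, expand("$1.$2", groups)):
            return "read"  # by domain.subtree,expand="$1.$2" read
    except ValueError:
        pass
    return "none"  # by * none

if __name__ == "__main__":
    # Constructed sample requests: (target DN, client host name).
    dn = "uid=ando,ou=people,dc=example,dc=com"
    for host in ("ldap.example.com", "evilexample.com", "host.example.org"):
        print(host, "->", access(dn, host))
```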