Re: proposed semantics change in access control
I note that the intended default of regex'ing is that
the expression must match the whole DN, not just a part
of a DN. It seems that some users are reporting cases
where the expression is matching only part of a DN. If so,
that would be a bug.
For instance,
to dn="cn=foo"
or
by dn="cn=foo"
can only match a DN which is CN=FOO (or differs only by case).
It shouldn't match xCN=FOO nor CN=FOOx. That is, there is
an implicit ^ at the start of the expression and an implicit
$ at the end of the expression.
At least there used to be... if not now, then that's a bug.
As far as changing the defaults, I think that would cause
far more problems than it would solve.
Kurt
At 02:18 AM 5/16/2003, Pierangelo Masarati wrote:
>I suggest changing the default for the "by"
>clause in access control from "regex" to "exact",
>maybe with the possibility to preserve the
>old behavior at compile time (but I strongly
>discourage this solution because it would require
>everybody to specify every time what flavour
>of ACL conf they're using). As a good programming
>habit I usually explicitly set the dn "style"
>in ACLs, and in general I do not like "smart"
>defaults.
>
>In fact, problems like the one recently addressed
>by Kiran Bacche keep occurring very often,
>so I think a rule that implies lots of volume
>on the mailing list and security issues should
>be required to be **explicitly** set to its most
>dangerous form.
>
>Any thoughts?
>
>Ando.
>--
>Pierangelo Masarati
>mailto:pierangelo.masarati@sys-net.it
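To make the distinction discussed above concrete, here is an added Python example (written for this page; it is not slapd code and not from either message in the thread) that models a single `by dn=...` clause under three interpretations: dn.exact, a regex with the implicit ^ and $ that Kurt describes, and the partial-match behaviour some users reported. The DN normalisation is a deliberately toy approximation of what slapd does, and the clause parser, function names and sample DNs are my assumptions for illustration.

```python
import re

# Constructed sample DNs for the example; not taken from the thread.
SAMPLE_DNS = [
    "cn=foo",
    "CN=FOO",
    "xcn=foo",
    "cn=foox",
    "cn=foo,dc=example,dc=com",
]


def normalize_dn(dn):
    """Toy DN normalisation: lower-case and strip blanks around commas.
    Real slapd normalisation is far more involved; this is only enough
    to make the case-insensitive comparison visible."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def match_exact(pattern, dn):
    """dn.exact: the normalised value must equal the normalised DN."""
    return normalize_dn(pattern) == normalize_dn(dn)


def match_regex_anchored(pattern, dn):
    """dn.regex with an implicit ^ and $: the expression must cover the
    whole DN. re.fullmatch supplies the anchoring."""
    return re.fullmatch(pattern, normalize_dn(dn), re.IGNORECASE) is not None


def match_regex_unanchored(pattern, dn):
    """The partial-match behaviour reported as a bug: a hit anywhere in
    the DN is enough. re.search does exactly that."""
    return re.search(pattern, normalize_dn(dn), re.IGNORECASE) is not None


# Assumed mini-grammar for the example: by dn[.exact|.regex]="..." <access>
BY_CLAUSE = re.compile(r'by\s+dn(?:\.(exact|regex))?="([^"]*)"\s+(\w+)')


def evaluate_by(clause, dn, default_style="regex", anchored=True):
    """Parse one `by dn[.style]="..." <access>` clause and report whether
    it applies to `dn`. `default_style` is what an unstyled dn= means;
    `anchored` selects whole-DN versus partial regex matching.
    Returns (applies, access)."""
    m = BY_CLAUSE.fullmatch(clause.strip())
    if not m:
        raise ValueError("unsupported clause: %r" % clause)
    style, pattern, access = m.groups()
    style = style or default_style
    if style == "exact":
        applies = match_exact(pattern, dn)
    elif anchored:
        applies = match_regex_anchored(pattern, dn)
    else:
        applies = match_regex_unanchored(pattern, dn)
    return applies, access


def matrix(pattern):
    """Return {dn: (exact, anchored_regex, unanchored_regex)} over SAMPLE_DNS."""
    return {
        dn: (
            match_exact(pattern, dn),
            match_regex_anchored(pattern, dn),
            match_regex_unanchored(pattern, dn),
        )
        for dn in SAMPLE_DNS
    }


if __name__ == "__main__":
    print("%-28s %-6s %-9s %-10s" % ("DN", "exact", "anchored", "unanchored"))
    for dn, (e, a, u) in matrix("cn=foo").items():
        print("%-28s %-6s %-9s %-10s" % (dn, e, a, u))
    # An unstyled clause changes meaning with the default: as a regex,
    # 'cn=.*' matches every entry whose DN starts with cn=; as an exact
    # value it matches nothing.
    for default in ("regex", "exact"):
        print(default, evaluate_by('by dn="cn=.*" write', "cn=foo",
                                   default_style=default))
```

The table printed by the block is the whole argument in one screen: with anchoring, `cn=foo` behaves like an exact match apart from case, while the unanchored form also accepts `xcn=foo`, `cn=foox` and `cn=foo,dc=example,dc=com`, i.e. any entry whose DN merely contains the pattern. The last two lines show why the choice of default matters independently of anchoring: an unstyled `by dn="cn=.*"` grants to every cn= entry under a regex default and to nobody under an exact default, so whichever default is chosen, writing `dn.exact=` or `dn.regex=` explicitly removes the ambiguity.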