Re: proposed semantics change in access control

["Pierangelo Masarati" <ando@sys-net.it>]

> I note that the default intended of regex'ing is that
> the expression must match the whole DN, not just a part
> of a DN.  It seems that some users are reporting cases
> where the expression is matching only of a DN.  If so,
> that would be a bug.
>
> For instance,
>         to dn="cn=foo"
> or
>         by dn="cn=foo"
>
> can only match a DN which is CN=FOO (or diffs only by case).
> It shouldn't match xCN=FOO nor CN=FOOx.  That is, there is
> an implicit ^ at the start of the expression and an implicit
> $ at the end of the expression.

In most regex implementations, if the pattern is a portion
of the string, the match is successful; to require an exact
match one must enforce "^pattern$".  This should be clearly
written in the docs.

>
> At least there use to be... if now not, then that's a bug.
>
> As far as changing the defaults, I think that would cause
> far more problems then it would solve.

Agree; but then many ACL configuration bugs would become clear.
We might add a warning (which would be overkill and be ignored
by most) that notes when "^" and "$" are missing from dn
patterns which are not explicitly marked as regex.

I definitely agree with Howard that changing default
behavior is always bad; mine was a heads-up rather than
a real suggestion.  Maybe I'll try to write all these
considerations in a clear manner in slapd.access(5).

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it