
Re: proposed semantics change in access control



At 07:25 AM 5/17/2003, Pierangelo Masarati wrote:

>> At 03:16 AM 5/17/2003, Pierangelo Masarati wrote:
>>
>>>> I note that the default intent of regex'ing is that
>>>> the expression must match the whole DN, not just a part
>>>> of a DN.  It seems that some users are reporting cases
>>>> where the expression is matching only part of a DN.  If so,
>>>> that would be a bug.
>>>>
>>>> For instance,
>>>>         to dn="cn=foo"
>>>> or
>>>>         by dn="cn=foo"
>>>>
>>>> can only match a DN which is CN=FOO (or diffs only by case).
>>>> It shouldn't match xCN=FOO nor CN=FOOx.  That is, there is
>>>> an implicit ^ at the start of the expression and an implicit
>>>> $ at the end of the expression.
>>>
>>>In most regex implementations, if the pattern is a portion
>>>of the string, the match is successful; to require an exact
>>>match one must enforce "^pattern$".  This should be clearly
>>>written in the docs.
>>
>> Yes.  IIRC, the code used to rewrite the pattern or otherwise
>> deal with that.
>
>Well, I think it doesn't any more, which, IMHO,
>is the correct behavior, because it might be intended;
>mucking with ACLs is not wise.

Well, I agree.  I always thought our attempts to do
regex normalization was misguided.

Anyways, in this case, I was thinking what we did was just
check the match to be sure it matched all of the input.  But
apparently I am wrong as I couldn't find any such code anywhere.

>My point is: let's leave as much freedom as possible
>to the users, but let's make them assume responsibility
>for this.  They must know what they're doing, then they
>can do whatever they want.  Let's give up with defaults,
>or use a conservative approach (this is where the
>engineer comes out :).

At this point, given our documentation and examples (FAQ)
are misleading, I suggest we do a few things.

One, in 2.2, make exact the default AND also remove any
and all regex mucking (no normalization, etc.).  Leave
regexing completely to the admin.

Kurt
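The difference the thread is arguing about, as an added example that is not part of the original message or of OpenLDAP's code: an ACL `dn="cn=foo"` pattern evaluated with plain substring regex semantics versus the intended whole-DN semantics. Python's `re` stands in for the POSIX regex library slapd uses, and the DN list is constructed for illustration.

```python
import re

# Constructed sample DNs: the one from the thread plus the variants
# Kurt says must NOT match, and a full DN with a trailing suffix.
SAMPLE_DNS = [
    "cn=foo",
    "CN=FOO",
    "xcn=foo",
    "cn=foox",
    "cn=foo,dc=example,dc=com",
]


def matches_anywhere(pattern, dn):
    """Default regex library behaviour: success if the pattern matches
    any substring of the DN.  This is the over-permissive case."""
    return re.search(pattern, dn, re.IGNORECASE) is not None


def matches_whole(pattern, dn):
    """Intended ACL behaviour: implicit ^ and $ around the pattern.

    fullmatch() lets the regex engine backtrack to cover the whole
    input, which a 'check that start==0 and end==len(dn)' test on a
    plain search() would not do for patterns with alternation."""
    return re.fullmatch(pattern, dn, re.IGNORECASE) is not None


def over_matched(pattern, dns):
    """DNs an ACL clause would grant under substring semantics but not
    under whole-DN semantics.  Useful for auditing existing ACLs that
    were written assuming exact matching."""
    return [dn for dn in dns
            if matches_anywhere(pattern, dn) and not matches_whole(pattern, dn)]


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{dn:28s} substring={matches_anywhere('cn=foo', dn)!s:5s} "
              f"whole={matches_whole('cn=foo', dn)}")
    print("over-matched:", over_matched("cn=foo", SAMPLE_DNS))
```

An admin who wants the substring behaviour can still write `.*cn=foo.*` explicitly under whole-DN semantics, which is the "leave regexing to the admin" position in the thread.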