[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Managing multiple regex matches

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: Managing multiple regex matches
From: Pierangelo Masarati <ando@sys-net.it>
Date: Mon, 20 Oct 2008 11:23:18 +0200
Cc: OpenLDAP Devel <openldap-devel@openldap.org>
In-reply-to: <1ip3tey.br7gsopc9edcM%manu@netbsd.org>
References: <1ip3tey.br7gsopc9edcM%manu@netbsd.org>
User-agent: Thunderbird 2.0.0.17 (X11/20081001)

Emmanuel Dreyfus wrote:

Let us imagine an ACL like this:

access to dn.regex="^uid=.*,ou=(.*)" attrs=foo val.regex="^(.*)$/"
  ...

We would like to use $1 (ou's value) and $2 (foo's value) in the <who> field.

For now this is not possible, because slap_access_allowed() collect a single
set of regmatch_t. If the <what> field of an ACL has multiple regex matches,
the last one only will be retained.

I suggest the following change:

1) In slap_access_allowed(), we would keep track of multiple set of
regmatch_t. matches would become something such as:

typedef struct AclRegexMatches { regmatch_t dn[MAXREMATCHES]; regmatch_t val[MAXREMATCHES];


You forgot nmatches in each case.

} AclRegexMatches;

In slap_acl_get(), the two regexec() calls would be done with matches.dn or
matches.val, depending on the situation.

This would probably be a good opportunity to define a common structure to be passed within ACL checking, as the list of arguments to those functions grew enough...

2) In acl_string_exapand(), we would replace $1, $2, $3 by values from
matches.dn, therefore providing backward compatibility.

And we would replace ${v1}, ${v2}, ${v3}... by values from matches.val and
${d1}, ${d2}, ${d3}... by values from matches.dn


There is a problem with my proposal, on dynaic ACL. We cannot provide them
values from attribute value without changing the API. I suggest we stick with
the current API for now and improve that later if needed.

That would definitely deserve to be kept in sync with the built-in functions, although I understand it would break compatibility. We could define some means of versioning, and allow the old API for backward compatibility, while introducing a new API. Although, maybe it's not worth the effort.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Follow-Ups:
- Re: Managing multiple regex matches
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- Managing multiple regex matches
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Managing multiple regex matches
Next by Date: Re: Managing multiple regex matches
Index(es):
- Chronological
- Thread