[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs, groups, and regular expressions... oh my

To: OpenLDAP-software@OpenLDAP.org
Subject: Re: ACLs, groups, and regular expressions... oh my
From: Ace Suares <ace@suares.nl>
Date: Tue, 11 Mar 2003 08:42:26 +0400
In-reply-to: <002001c2e74e$76021af0$0e01a8c0@CELLO>
References: <002001c2e74e$76021af0$0e01a8c0@CELLO>
User-agent: KMail/1.4.3

I'm bewilderd !

Howard Chu wrote:

> Regexp matching is not the same as globbing/wildcard expansion, which seems
> to be what you want. Your ACL pattern has no meaning. The parentheses "()"
> can only be used to delineate patterns in the target specification, and are
> only useful if you actually refer to those patterns using numeric
> substitutions "$1" "$2" in the subject specs.

However, wether one uses backreferences ($1, $2 etc) shouldn't matter while 
the regex is evaluated.... and indeed, using () in the 'by' clause doesn't 
make sense, but it's a valid regex....

> > >>
> > >> access to *
> > >>    by group="cn=(.*),dc=example,dc=com read
> > >>    by anonymous bind
> > >>    by * none

if you have group entries like:

dn: cn=group1,dc=example,dc=com 
dn: cn=group2,dc=example,dc=com 
dn: cn=group999,dc=example,dc=com 

I would expect that the by clause 'by group="cn=(.*),dc=example,dc=com read'
would evaluate to any of these groups....  

Greetings,
ace

Follow-Ups:
- RE: ACLs, groups, and regular expressions... oh my
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- RE: ACLs, groups, and regular expressions... oh my
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: Re: Ldap ad with invalid structural object class error
Next by Date: Re: SASL External : only bind with existing dn
Index(es):
- Chronological
- Thread