[Date Prev][Date Next] [Chronological] [Thread] [Top]

dn.regex in ACLs, and in the admin guide



Hello,

I have some questions about slapd access-control directives.


In http://www.openldap.org/doc/admin21/slapdconfig.html#Access%20Control
there's the a BNF grammar, containing this set of expressions:

	<what> ::= * |
                [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
                [filter=<ldapfilter>] [attrs=<attrlist>]

	<basic-style> ::= regex | exact

        <scope-style> ::= base | one | subtree | children


However, in the slapd.access(5) manual page, there's the following
statement:

	 "base or exact (an alias of base)" 

...within the paragraph that starts as so:

       For all other qualifiers, the pattern is a string
       representation of the entry's DN.  base or exact (an alias of
       base) indicates the entry whose DN is equal to the pattern.



If "exact" is an alias of "base", and "base" is a member of
<scope-style>, then :

  1)  dn.exact=<DN>

      rather than dn.exact=<regex> which is how the grammar, above,
      says it would be.

  2) "exact" does not belong  in the definition of <basic-style>,
      within the BNF grammar.



...assuming that slapd.access(5) is the authoriative work, on it.


Sounds right?

--
sean champ