
Re: dn[.<dnstyle>[,<modifier>]]=<pattern> in ACLs



Sean Champ wrote:

The slapd.access(5) manual page states that the following pattern is
valid as an expression for the <who> part of a slapd access-control
directive:

           dn[.<dnstyle>[,<modifier>]]=<pattern>

However, in section 5.3 of the OpenLDAP 2.1 Administrator's Guide
[http://www.openldap.org/doc/admin21/slapdconfig.html#Access%20Control ]
where the BNF-style grammar for ACLs is written, there is no room,
anywhere, for a  [,<modifier>] part; there's

  dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]

...and that's all, for <who> values that may start with "dn.",
according to that grammar.


Not meaning to be pedantic, just wanting to make sure that the guide
is consistent with the manual pages, and with the application.


The admin guide is not aligned with the man page.
The <modifier> field is a mechanism to allow
fine tuning of the <dnstyle> options.  Currently
only "expand" is available, which means "expand
submatches from <what> clause even if <dnstyle>
is not "regex" (which implies automatic expansion)".
For instance, a clause of the form

access to dn.regex="ou=([^,]+),dc=example,dc=com"
   by dn.regex="cn=Manager,ou=$1,dc=example,dc=com" write

requires the cost of regex compilation and evaluation,
while a simple

access to dn.regex="ou=([^,]+),dc=example,dc=com"
   by dn.exact,expand="cn=Manager,ou=$1,dc=example,dc=com" write

allows exact dn match after submatch substitution.
This has not been properly documented; I'll fix it.

p.


thank you,

--
sean champ
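The difference between the two clauses above (regex evaluation of the expanded <who> pattern versus an exact DN comparison after submatch substitution) can be made concrete with a small model. The following is an added example written for this page, not OpenLDAP's own code: it simulates slapd's submatch expansion and the two match styles in Python. Its assumptions are labelled in the comments: DN normalisation is reduced to case folding and trimming blanks around commas, regex matching is case-insensitive with no implicit anchoring, and an unmatched $N reference expands to the empty string.

```python
import re

# Added example modelling the ACL semantics discussed in the thread; it is a
# simplified simulation written for this page, not slapd's own code.

# Constructed <what> clause from the thread: capture the ou= RDN value as $1.
WHAT_PATTERN = r"^ou=([^,]+),dc=example,dc=com$"


def expand_submatches(template, match):
    """Substitute $1..$9 in template with the groups captured by the <what> match.

    Stand-in for slapd's submatch expansion; an unmatched reference becomes
    the empty string (an assumption of this model).
    """
    def repl(m):
        idx = int(m.group(1))
        if match.lastindex is None or idx > match.lastindex:
            return ""
        return match.group(idx) or ""
    return re.sub(r"\$([1-9])", repl, template)


def normalize_dn(dn):
    """Crude DN normalisation: case-fold and strip blanks around commas.

    slapd compares normalised DNs for dn.exact; this is a stand-in only.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def who_matches(who_style, who_template, target_dn, bind_dn):
    """Evaluate one 'by dn.<style>=...' clause for a target DN and a bind DN.

    Returns None when the <what> clause does not apply to target_dn,
    otherwise True/False for whether bind_dn satisfies the <who> clause.
    """
    what = re.match(WHAT_PATTERN, target_dn, re.IGNORECASE)
    if what is None:
        return None
    expanded = expand_submatches(who_template, what)
    if who_style == "regex":
        # Submatches are expanded into the pattern text, then the result is
        # compiled and evaluated as a regex against the bind DN.  No implicit
        # anchoring is assumed here; anchor with ^ and $ explicitly.
        return re.search(expanded, bind_dn, re.IGNORECASE) is not None
    if who_style == "exact,expand":
        # Submatches are expanded, then a literal (normalised) DN comparison
        # is made: no regex compilation, and metacharacters in the captured
        # text are not interpreted.
        return normalize_dn(expanded) == normalize_dn(bind_dn)
    raise ValueError("unsupported dnstyle: " + who_style)


# The <who> template from the thread, shared by both clauses.
WHO_TEMPLATE = "cn=Manager,ou=$1,dc=example,dc=com"


def compare_styles(target_dn, bind_dn):
    """Return (regex_result, exact_expand_result) for the thread's two clauses."""
    return (
        who_matches("regex", WHO_TEMPLATE, target_dn, bind_dn),
        who_matches("exact,expand", WHO_TEMPLATE, target_dn, bind_dn),
    )


if __name__ == "__main__":
    # Ordinary case: both styles agree.
    print(compare_styles("ou=people,dc=example,dc=com",
                         "cn=Manager,ou=people,dc=example,dc=com"))
    # Captured text containing a regex metacharacter ('.'): the regex style
    # treats it as a wildcard, the exact,expand style compares literally.
    print(compare_styles("ou=a.b,dc=example,dc=com",
                         "cn=Manager,ou=aXb,dc=example,dc=com"))
```

The second case in the usage block is the one worth noticing when choosing between the two styles: once a submatch from <what> is pasted into a regex, any metacharacters in the matched entry name become part of the pattern, whereas dn.exact,expand compares the expanded string as a DN and so behaves the same for every captured value, in addition to skipping the regex compilation cost the reply mentions.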