Re: regex in group ACL

[Pierangelo Masarati <ando@sys-net.it>]

François Beretti wrote:

> Pierangelo Masarati wrote:
>
> > François Beretti wrote:
> >
> > > One of my access control command in slapd.conf does not work. I 
> > > would like to know why.
> > > access to filter="(objectClass=enatelSSOStorage)" dn.regex="*" 
> > > attrs="entry"
> > >    by 
> > > group/enatelSSOAccountDelegation/enatelUserEntityObject.regex="cn=test1,cn=test2,$1" 
> > > read 
> >
> >
> > Assuming you're using OpenLDAP 2.2, "group.regex" is no longer 
> > supported (as it was doing something completely different from 
> > regexec'ing). See slapd.access(5) for details (and a replacement of 
> > what you intend it to do).
> > Note that even the dn.regex="*" doesn't look so correct to me; I'd 
> > rather use dn.regex=".*".
> > Finally, in case of match, you should rather use "$0", because "$1" 
> > refers to the first submatch (i.e.  enclosed between brackets, and 
> > you don't use any brackets in the dn regex.
> > So your rule should rather look like
> >
> > access to filter="(objectClass=enatelSSOStorage)" dn.regex=".*" 
> > attrs="entry"
> >   by 
> > group/enatelSSOAccountDelegation/enatelUserEntityObject.expand="cn=test1,cn=test2,$0" 
> > read
> Thank you very much for your answer, Pierangelo
>
> I am using openldap 2.1.29 as it is packaged for fedora. The "expand" 
> keyword doesn't seem to be supported in this version. Is it possible 
> to do what I want ?
>
> I know, you're going to tell me "you should consider upgrading to 
> 2.2.17". But I am writing software for customers who often use 
> OpenLDAP 2.1.x, and I would really like my ACL to work with it.

well, the rest of my comments apply to 2.1; in that case, you need to do

access to filter="(objectClass=enatelSSOStorage)" dn.regex=".*" 
attrs="entry"
 by 
group/enatelSSOAccountDelegation/enatelUserEntityObject.regex="cn=test1,cn=test2,$0" 
read

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497