Re: Another 2.2.23 oddity
>
> On 6 Oct 2005, at 10:07, Pierangelo Masarati wrote:
>
>> I guess you're using some ACL that performs "regex" patch on a pattern
>> computed using submatches;
>
> Ahah. Well spotted :)
>
>> if this is the case, the second regex matching
>> interprets the brackets in the value as part of the pattern.
>> Submatches may need regex-escaping before being used in building
>> patterns for further regex matching, unless building
>> submatch-dependent patterns is intended.
>>
>> A sample of your access rules would be of help.
>
> access to dn.regex="cn=(.*),cn=(.*),ou=users,dc=foo" filter=
> (visibility=private)
> by dn.regex="cn=$2,ou=users,dc=foo" write
> by * none
>
> access to dn.regex="cn=(.*),cn=(.*),ou=users,dc=foo" filter=
> (visibility=friends)
> by dn.regex="cn=$2,ou=users,dc=foo" write
> by group/gameUser/friend.expand="cn=$2,ou=users,dc=foo" read
> by * none
>
> access to dn.regex="cn=(.*),cn=(.*),ou=users,dc=foo" filter=
> (visibility=public)
> by dn.regex="cn=$2,ou=users,dc=foo" write
> by * read
There are a few mistakes, or at least ingenuities, in your ACLs; they're
described in the "CAVEATS" section of slapd.access(5).  Changing them to

    access to dn.regex="cn=(.*),cn=(.*),ou=users,dc=foo"
            filter=(visibility=private)
            by dn.exact,expand="cn=$2,ou=users,dc=foo" write
            by * none

    access to dn.regex="cn=(.*),cn=(.*),ou=users,dc=foo"
            filter=(visibility=friends)
            by dn.exact,expand="cn=$2,ou=users,dc=foo" write
            by group/gameUser/friend.expand="cn=$2,ou=users,dc=foo" read
            by * none

    access to dn.regex="cn=(.*),cn=(.*),ou=users,dc=foo"
            filter=(visibility=public)
            by dn.exact,expand="cn=$2,ou=users,dc=foo" write
            by * read

will solve your issue.  If 2.2.23 does not yet support the "exact,expand"
style, you already know the answer...
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
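
The behaviour discussed in this message, as an added example that is not part of the original post and is not slapd code: a small Python model of the <who> check, comparing "dn.regex" with an unescaped $2 against "dn.exact,expand" and against an escaped, anchored regex. Assumptions: Python's re stands in for slapd's regex matching (equivalent for the bracket case shown), DN normalization is reduced to case folding, and the DNs and the "regex-escaped" style name are constructed for illustration.

```python
import re

# <what> and <who> patterns taken from the ACLs in the thread.
TARGET = r"cn=(.*),cn=(.*),ou=users,dc=foo"
WHO = "cn=$2,ou=users,dc=foo"

# Constructed sample DNs: the owner's cn contains regex brackets.
ENTRY = "cn=note1,cn=John [QA],ou=users,dc=foo"
OWNER = "cn=John [QA],ou=users,dc=foo"
OTHER = "cn=John Q,ou=users,dc=foo"


def expand(template, match, escape=False):
    """Replace $1..$9 with submatches of the <what> regex."""
    def substitute(ref):
        value = match.group(int(ref.group(1)))
        return re.escape(value) if escape else value
    return re.sub(r"\$(\d)", substitute, template)


def allowed(entry_dn, bind_dn, style):
    """Model the first 'by' clause of each rule for a given <who> style."""
    m = re.search(TARGET, entry_dn, re.IGNORECASE)
    if m is None:
        return False
    if style == "regex":
        # dn.regex="cn=$2,...": the submatch becomes part of a new pattern,
        # so "[QA]" is read as a character class, not as literal text.
        return re.search(expand(WHO, m), bind_dn, re.IGNORECASE) is not None
    if style == "regex-escaped":
        # Hypothetical alternative: escape the submatch and anchor the match.
        pattern = expand(WHO, m, escape=True)
        return re.fullmatch(pattern, bind_dn, re.IGNORECASE) is not None
    if style == "exact,expand":
        # dn.exact,expand="cn=$2,...": substitute, then compare whole DNs.
        return expand(WHO, m).lower() == bind_dn.lower()
    raise ValueError(f"unknown style: {style}")


def compare_styles():
    """Return {style: (owner_allowed, other_allowed)} for the sample DNs."""
    return {s: (allowed(ENTRY, OWNER, s), allowed(ENTRY, OTHER, s))
            for s in ("regex", "regex-escaped", "exact,expand")}


if __name__ == "__main__":
    for style, result in compare_styles().items():
        print(f"{style:14} owner={result[0]} other={result[1]}")
```

With the unescaped regex style the owner's own DN fails to match while a different DN matches; both other styles grant write only to the owner.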