
Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)



On 5/6/2012 9:58 PM, Howard Chu wrote:

What you've posted is expected behavior. The single backslashes were parsed by the slapd.conf parser. To actually get them into the regex you need to escape those backslashes as well. This is already documented in slapd.conf(5) and in the Admin Guide.

First I note that the regex I originally posted (in order to match reverse IPv4 domains stored in LDAP) would not work for POSIX 2-compatible regex'es (suitable for OpenLDAP ACLs), and I have changed it to:

to dn.regex="^dc=([0-9]{1,3})[.]([0-9]{1,3}).([0-9]{1,3})\.in-addr\.arpa,ou=dns,dc=example,dc=com$"

which works.

So, ALL regex'es used within ACLs loaded in a slapd.conf should be with double backslashes? I had not realized that. The statement "If an argument contains a double quote ('"') or a backslash character ('\'), the character should be preceded by a backslash character", which is included in slapd.conf(5) and in http://www.openldap.org/doc/admin24/slapdconfig.html, is - at least - obscure to me with regard to regex'es used in ACLs. Moreover, nothing is mentioned at http://www.openldap.org/doc/admin24/access-control.html or at http://www.openldap.org/faq/data/cache/973.html (and I don't see any examples with double backslashes either).

For example, should we ALWAYS use (in slapd.conf or in an ACL file included therein):

access to dn.regex="\\.1\\.0\\.0\\.0,dc=1\\.1\\.0\\.2\\.0\\.0\\.0\\.0\\.0\\.0\\.0\\.2\\.ip6\\.arpa,ou=dns,dc=example,dc=com$"

to denote that dots are simple dots and not wildcards?

Or MUST we use double backslashes ONLY when converting using slaptest?

(And what happens if we want to escape backslash itself in a regex? Should we use "\\\\" ?)

I tested that the above form of ACLs with regex (using double backslashes) is indeed converted correctly (it produces an ACL with single backslashes in the regex for use in dynamic config) when using slaptest.

I also found out that the regex works correctly (in a static config) both with double and with single backslashes (tested escaping dots)! It's just not converted correctly with slaptest when used with single backslashes.

If the behavior of backslashes in ACL regex'es is in all cases as described above, then slaptest should convert correctly ACLs using regex'es with single backslashes.

Please advise.

Thanks,
Nick
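
As an added illustration (not part of the message above and not OpenLDAP's code), this Python sketch models the slapd.conf(5) quoting rule as a single unescape pass and shows why an ACL regex whose backslashes are dropped covers more DNs than intended. The function names, the probe DNs, and the use of Python's `re` in place of POSIX regexes are assumptions.

```python
import re

def conf_unescape(arg: str) -> str:
    """One pass of the slapd.conf(5) quoting rule: a backslash makes the
    next character literal and is itself dropped (simplified model)."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            out.append(arg[i + 1])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)

def widened_matches(written: str, intended: str, probe_dns):
    """Return probe DNs accepted by the regex left after the unescape pass
    but rejected by the regex the administrator intended."""
    effective = re.compile(conf_unescape(written))
    wanted = re.compile(intended)
    return [dn for dn in probe_dns
            if effective.search(dn) and not wanted.search(dn)]

# The regex from the message, as the administrator means it to be evaluated.
INTENDED = (r"^dc=([0-9]{1,3})[.]([0-9]{1,3}).([0-9]{1,3})"
            r"\.in-addr\.arpa,ou=dns,dc=example,dc=com$")
SINGLE = INTENDED                          # typed with single backslashes
DOUBLE = INTENDED.replace("\\", "\\\\")    # typed with doubled backslashes

# Constructed probe DNs: one real reverse zone, one look-alike entry.
PROBES = [
    "dc=1.2.3.in-addr.arpa,ou=dns,dc=example,dc=com",
    "dc=1.2.3xin-addrxarpa,ou=dns,dc=example,dc=com",
]

if __name__ == "__main__":
    for label, written in (("single", SINGLE), ("double", DOUBLE)):
        print(label, "->", conf_unescape(written))
        print("  unintended matches:",
              widened_matches(written, INTENDED, PROBES))
```

Running the same comparison against the `olcAccess` values that slaptest writes is a quick way to confirm a converted ACL still carries the escapes that were intended.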