Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)
On 5/6/2012 9:58 ÎÎ, Howard Chu wrote:
> What you've posted is expected behavior. The single backslashes were
> parsed by the slapd.conf parser. To actually get them into the regex
> you need to escape those backslashes as well. This is already
> documented in slapd.conf(5) and in the Admin Guide.
First I note that the regex I originally posted (in order to match
reverse IPv4 domains stored in LDAP) would not work for POSIX 2-compatible
regex'es (suitable for openldap ACLs), and I have changed it to:
dn.regex="^dc=([0-9]{1,3})[.]([0-9]{1,3}).([0-9]{1,3})\.in-addr\.arpa,ou=dns,dc=example,dc=com$"
which works.
So, ALL regex'es used within ACLs loaded in a slapd.conf should be with
double backslashes? I had not realized that. The statement "If an
argument contains a double quote ('"') or a backslash character ('\'),
the character should be preceded by a backslash character" which is
included in slapd.conf(5) and in
http://www.openldap.org/doc/admin24/slapdconfig.html is - at least -
obscure to me with regard to regex'es used in ACLs. Moreover, nothing is
mentioned at http://www.openldap.org/doc/admin24/access-control.html or
at http://www.openldap.org/faq/data/cache/973.html (and I don't see any
examples with double backslashes either).
For example, should we ALWAYS use (in slapd.conf or in an ACL file
included therein):
access to
dn.regex="\\.1\\.0\\.0\\.0,dc=1\\.1\\.0\\.2\\.0\\.0\\.0\\.0\\.0\\.0\\.0\\.2\\.ip6\\.arpa,ou=dns,dc=example,dc=com$"
to denote that dots are simple dots and not wildcards?
Or we MUST use double backslashes ONLY when converting using slaptest?
(And what happens if we want to escape backslash itself in a regex?
Should we use "\\\\" ?)
I tested that the above form of ACLs with regex (using double
backslashes) is indeed converted correctly (it produces an ACL with
single backslashes in the regex for use in dynamic config) when using
slaptest.
I also found out that the regex works correctly (in a static config)
both with double and with single backslashes (tested escaping dots)!
It's just not converted correctly with slaptest when used with single
backslashes.
If the behavior of backslashes in ACL regex'es is in all cases as
described above, then slaptest should convert correctly ACLs using
regex'es with single backslashes.
Please advise.
Thanks,
Nick
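
An added example, not part of the original message and not OpenLDAP code: a simplified Python model of the slapd.conf escaping rule Howard Chu describes, showing that a single-backslash pattern still matches the intended DN but also matches a lookalike entry. The names `conf_unescape`, `acl_matches` and `lossy_escapes` and the sample DNs are constructed for illustration, and Python's `re` module stands in for POSIX extended regex.

```python
import re


def conf_unescape(arg: str) -> str:
    """Simplified model (an assumption, not slapd's parser): inside a quoted
    slapd.conf argument a backslash is dropped and the next char kept as-is."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            out.append(arg[i + 1])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)


def acl_matches(conf_value: str, dn: str) -> bool:
    """Does the regex that survives config parsing match this DN?"""
    return re.search(conf_unescape(conf_value), dn) is not None


def lossy_escapes(conf_value: str) -> list:
    """Characters whose backslash the config parser would consume, so the
    regex engine never sees the escape (anything other than \\\\ or \\\")."""
    return [c for c in re.findall(r"\\(.)", conf_value) if c not in '\\"']


# Constructed values, written as they would appear between the quotes
# of a dn.regex="..." clause in slapd.conf.
SINGLE = r"^dc=([0-9]{1,3})\.in-addr\.arpa,ou=dns,dc=example,dc=com$"
DOUBLE = r"^dc=([0-9]{1,3})\\.in-addr\\.arpa,ou=dns,dc=example,dc=com$"

INTENDED = "dc=10.in-addr.arpa,ou=dns,dc=example,dc=com"   # constructed DN
LOOKALIKE = "dc=10xin-addr.arpa,ou=dns,dc=example,dc=com"  # constructed DN

if __name__ == "__main__":
    for label, value in (("single", SINGLE), ("double", DOUBLE)):
        print(label, "-> effective regex:", conf_unescape(value))
        print("  intended DN matches: ", acl_matches(value, INTENDED))
        print("  lookalike DN matches:", acl_matches(value, LOOKALIKE))
        print("  escapes lost in parsing:", lossy_escapes(value))
```

A test that only checks the intended DN passes for both forms, because an unescaped dot also matches a literal dot; the difference shows up only with a DN that should be rejected.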