[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: group.regex doesn't do regex (ITS#2788)

To: openldap-its@OpenLDAP.org
Subject: Re: group.regex doesn't do regex (ITS#2788)
From: Kurt@OpenLDAP.org
Date: Thu, 23 Oct 2003 05:31:00 GMT

At 08:10 PM 10/22/2003, ace@suares.nl wrote:
>> >If the argument is a regex, the by
>> >clause will be dropped without an error (i.e. when reading the
>> > configuration file, no errors are triggered, and when using the clause
>> > while looking up access, it is silently dropped with no trace in the
>> > logfiles (with spald -d 128)
>>
>> Most skipping of by clauses is not logged.  You're welcomed to
>> submit a patch to provide more logging.
>
>If I could do that I wouldn't write an ITS but submit a patch.

I suspect you could write the code if you put your mind to it.  Adding
additional logging isn't rocket science.

>> I personally don't think it makes sense to support a regex here
>> as there is no reasonable string known to be associated with the
>> subject to be the target of the regex.
>
>Pesronally, I had the following in mind:
>
>access to somedn
>        by group.regex="qGroup=.*,qDomain=suares.an,qApp=qwido"
>
>this would give access to all members of all groups under qDomain=suares.an
>and this is a serious consideration on my side, since groups can have members 
>that come from anyplace inside the tree, so a simple regex for all members of 
>all groups could not exist.

That's not feasible.  Aside from the difficulties in determining all the
group DNs which the regex might match, the server would have to evaluate the
regex against each of these group DNs to see if it matched.  That would be
quite expensive even where the set was small. 

I continue to be inclined to reject this request.  

Kurt

Prev by Date: Re: new function: ldap_access (ITS#2789)
Next by Date: dn validity in 2.2.2beta (ITS#2790)
Index(es):
- Chronological
- Thread