[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4253) val.regex broken


--On Thursday, December 08, 2005 9:16 AM -0800 Quanah Gibson-Mount 
<quanah@stanford.edu> wrote:

>
>
> --On Thursday, December 08, 2005 5:13 PM +0000 openldap-its@OpenLDAP.org
> wrote:
>
> And to note, if I change the ACL to not have any val.regex, I get all
> values of suprivilegegroup back, so there is definitely something wrong
> with val.regex.

Okay, I've isolated the behavior further.

I have a list of val.regex accesses to suprivilegegroup:

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup 
val.regex="^securemail:.+"
        by 
dn.base="cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup 
val.regex="^itss-smarts:.+"
        by 
dn.base="cn=smarts,cn=service,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by group.base="cn=smarts,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup 
val.regex="^maps:.+"
        by 
dn.base="cn=bonair,cn=webauth,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup 
val.regex="^facops:.+"
        by 
dn.base="cn=bonair,cn=webauth,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup 
val.regex="^stanford:.+"
        by 
group.base="cn=WebAuthPrivileged,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by 
group.base="cn=WebAuthGeneral,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup 
val.regex="^~jlavigne:.+"
        by 
dn.base="cn=dept-sul-library,cn=cgi,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup 
val.regex="^med-irt:.+"
        by 
dn.base="cn=irt-web-01,cn=webauth,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup 
val.regex="^med-publish:.+"
        by 
dn.base="cn=irt-web-01,cn=webauth,cn=applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break



Which ever of these is the *first* item in the list never works.  The rest 
of the regex's are applied correctly.  So there is something broken in what 
is generating the list of these to be evaluated.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html