[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: proposed semantics change in access control

To: ando@sys-net.it
Subject: Re: proposed semantics change in access control
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 17 May 2003 07:14:31 -0700
Cc: <hyc@OpenLDAP.org>, <openldap-devel@OpenLDAP.org>
In-reply-to: <1575.81.74.43.82.1053166614.squirrel@webmail.sys-net.it>
References: <5.2.0.9.0.20030516152142.02a5d8a0@127.0.0.1> <61390.81.72.89.40.1053076683.squirrel@webmail.sys-net.it> <5.2.0.9.0.20030516152142.02a5d8a0@127.0.0.1>

At 03:16 AM 5/17/2003, Pierangelo Masarati wrote:

>> I note that the default intended of regex'ing is that
>> the expression must match the whole DN, not just a part
>> of a DN.  It seems that some users are reporting cases
>> where the expression is matching only of a DN.  If so,
>> that would be a bug.
>>
>> For instance,
>>         to dn="cn=foo"
>> or
>>         by dn="cn=foo"
>>
>> can only match a DN which is CN=FOO (or diffs only by case).
>> It shouldn't match xCN=FOO nor CN=FOOx.  That is, there is
>> an implicit ^ at the start of the expression and an implicit
>> $ at the end of the expression.
>
>In most regex implementations, if the pattern is a portion
>of the string, the match is successful; to require an exact
>match one must enforce "^pattern$".  This should be clearly
>written in the docs.

Yes.  IIRC, the code use to rewrite the pattern or otherwise
deal with that.

Kurt

Follow-Ups:
- Re: proposed semantics change in access control
  - From: "Pierangelo Masarati" <ando@sys-net.it>

References:
- Re: proposed semantics change in access control
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- proposed semantics change in access control
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: proposed semantics change in access control
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: proposed semantics change in access control
Next by Date: Re: proposed semantics change in access control
Index(es):
- Chronological
- Thread