[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Access Control



> > Correctly, the ACL could be written as
> > 
> > access to
> >    dn=".*cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
> >    by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
> 
> Almost -- you don't want qqqcn=... to match at the start.

agreed !

> If anything comes before cn=... it should end in a comma, making it
>     dn="(.*,)?cn=..."
>     by dn="cn=$2,ou=..." write


I am wondering about the following:

I use: 	dn=".*,cn=(.*),..."
you use:	dn="(.*,)?cn=(.*),..."
tony uses:	..........cn=([^,]+)...."

what should we use !?

My thoughts:

.*,cn= matches anything before ,cn= even nothing
	(f.i. "qqqq,cn=" ; "u=1,cn=" ; "a=1,u=1,cn=" ; ",cn=" )

(.*,)?cn= matches anything ending in a "," before cn= even nothing 
	(f.i. "qqqq,cn=" ; "u=1,cn=" ; "a=1,u=1,cn=" ; ",cn=" ; "cn=")

[^,]+ matches any combination of 1 or more characters that are NOT 
comma's, i.e. "a" ; "aa" but not "" ; "," ",a" "a,"

My questions:
1. is it conceivable that part of a dn contains the character "," ?
2. is it conceivable that part of a dn contains the character "=" ?
3. is there any difference between ".*,cn=" and "(.*,)?cn=" EXCEPT 
that the latter would include not only all children, but also the 
entry itself ?

> 
> I didn't know we could do $1 and $2 stuff in LDAP.  Pretty cool.

It *is* pretty cool. It allows things like:

access to dn ="u=.*,d=(.*),a=(.*),oc=(.*),app=cc"
	by self read
	by group=          "group=managers,oc=$3,app=cc" write
	by group=     "group=managers,a=$2,oc=$3,app=cc" write
	by group="group=managers,d=$1,a=$2,oc=$3,app=cc" write

which made me very happy.

Thanks for your remarks,
ace