
Re: regex in group ACL



François Beretti wrote:

Pierangelo Masarati wrote:

well, the rest of my comments apply to 2.1; in that case, you need to do

access to filter="(objectClass=enatelSSOStorage)" dn.regex=".*" attrs="entry"
by group/enatelSSOAccountDelegation/enatelUserEntityObject.regex="cn=test1,cn=test2,$0" read


Pierangelo, thank you for your answer.

With 2.1.29, $0 in group.regex did not work for me, so I used dn.regex="(.*)" and $1 in group.regex and it worked.


Sorry about that. I think it should work, I'll investigate further (if 2.2 behaves the same; 2.1 is not maintained any more).



But the next step was to use wildcards in my group.regex line, and they seem not to be interpreted by slapd. Am I right?

They don't work by design. That's why the (misleading) "regex" style name has been deprecated and removed in 2.2.
What happens in the pattern is regex __substring_expansion__, not __match__. As such, the string resulting from pattern expansion must match exactly the identity DN that is authorized for that operation. If you need further expansion and matching, you may look at sets, although I don't know if they can help you.


p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
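
The following Python model illustrates the expansion-versus-match behaviour described in the message above. It is an added example, not slapd code and not from either poster; the directory contents, DNs and function names are constructed for illustration, and DN normalization is simplified.

```python
import re

# Constructed sample directory: group DN -> member DNs (hypothetical data).
GROUPS = {
    "cn=test1,cn=test2,ou=sso,dc=example,dc=com": {"uid=alice,dc=example,dc=com"},
}


def norm(dn):
    """Simplified DN normalization: lowercase, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand(pattern, match):
    """Substitute $0..$9 with submatches of the dn.regex match.

    Nothing else in the pattern is interpreted: '.*' stays the two
    literal characters '.' and '*'.
    """
    def sub(m):
        idx = int(m.group(1))
        if idx > match.re.groups:
            return ""
        return match.group(idx) or ""
    return re.sub(r"\$(\d)", sub, pattern)


def group_acl_allows(target_dn, dn_regex, group_pattern, bind_dn):
    """Model of: access to dn.regex=<dn_regex> by group.regex=<group_pattern> read."""
    m = re.search(dn_regex, target_dn)
    if m is None:
        return False  # the "access to" clause does not apply to this entry
    # The expanded string is used as an exact group DN, never as a regex.
    group_dn = norm(expand(group_pattern, m))
    directory = {norm(g): {norm(x) for x in ms} for g, ms in GROUPS.items()}
    members = directory.get(group_dn)
    return members is not None and norm(bind_dn) in members


if __name__ == "__main__":
    target = "ou=sso,dc=example,dc=com"
    alice = "uid=alice,dc=example,dc=com"
    # Literal group name plus $1 from dn.regex="(.*)": access granted.
    print(group_acl_allows(target, "(.*)", "cn=test1,cn=test2,$1", alice))
    # Wildcard in the group pattern: expands to a literal DN that does not exist.
    print(group_acl_allows(target, "(.*)", "cn=.*,cn=test2,$1", alice))
```
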