[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)

To: openldap-technical@openldap.org
Subject: Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)
From: Nick Milas <nick@eurobjects.com>
Date: Wed, 06 Jun 2012 13:40:29 +0300
In-reply-to: <4FCE56E4.1000101@symas.com>
References: <4FCE1D0B.9000305@eurobjects.com> <4FCE22EB.8020301@eurobjects.com> <4FCE56E4.1000101@symas.com>
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

On 5/6/2012 9:58 ÎÎ, Howard Chu wrote:

What you've posted is expected behavior. The single backslashes wereparsed by the slapd.conf parser. To actually get them into the regexyou need to escape those backslashes as well. This is alreadydocumented in slapd.conf(5) and in the Admin Guide.

First I note that the regex I originally posted (in order to matchreverse IPv4 domains stored in LDAP) would not work for POSIX 2-compatible regex'es (suitable for openldap ACLs), and I have changed it to:todn.regex="^dc=([0-9]{1,3})[.]([0-9]{1,3}).([0-9]{1,3})\.in-addr\.arpa,ou=dns,dc=example,dc=com$"

which works.

So, ALL regex'es used within ACLs loaded in a slapd.conf should be withdouble backslashes? I had not realized that. The statement "If anargument contains a double quote ('"') or a backslash character ('\'),the character should be preceded by a backslash character" which isincluded slapd.conf(5) and inhttp://www.openldap.org/doc/admin24/slapdconfig.html is - at least -obscure to me with regard to regex'es used in ACLs. Moreover, nothing ismentioned at http://www.openldap.org/doc/admin24/access-control.html orat http://www.openldap.org/faq/data/cache/973.html (and I don't see anyexamples with double backslashes either).

For example, should we ALWAYS use (in slapd.conf or in an ACL fileincluded therein):access todn.regex="\\.1\\.0\\.0\\.0,dc=1\\.1\\.0\\.2\\.0\\.0\\.0\\.0\\.0\\.0\\.0\\.2\\.ip6\\.arpa,ou=dns,dc=example,dc=com$"

to denote that dots are simple dots and not wildcards?

Or we MUST use double backslashes ONLY when converting using slaptest?

(And what happens if we want to escape backslash itself in a regex?Should we use "\\\\" ?)

I tested that the above form of ACLs with regex (using doublebackslashes) is indeed converted correctly (it produces an ACL withsingle backslashes in the regex for use in dynamic config) when usingslaptest.

I also found out that the regex works correctly (in a static config)both with double and with single backslashes (tested escaping dots)!It's just not converted correctly with slaptest when used with singlebackslashes.

If the behavior of backslashes in ACL regex'es is in all cases asdescribed above, then slaptest should convert correctly ACLs usingregex'es with single backslashes.


Please advise.

Thanks,
Nick

Follow-Ups:
- Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)
  - From: Howard Chu <hyc@symas.com>

References:
- slaptest conversion of acl regex's drops backslashes
  - From: Nick Milas <nick@eurobjects.com>
- Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)
  - From: Nick Milas <nick@eurobjects.com>
- Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: ACL rule match if client certificate was used?
Next by Date: Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)
Index(es):
- Chronological
- Thread