|OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : SLAPD Configuration : Access Control : What are the tips for using regular expressions in ACLs?|
Always use dn.regex=<pattern> when you intend to use regular expression matching. dn=<pattern> alone defaults to dn.exact<pattern> (in some historic versions, it used to default to dn.regex=<pattern>). As a consequence, an explicit style clears any doubt about what you're doing.
Use (.+) instead of (.*) when you want at least one char to be matched. (.*) matches the empty string as well.
Don't use regular expressions for matches that can be done otherwise in a safer and cheaper manner. Examples:
dn.regex=".*dc=example,dc=com"is unsafe and expensive:
Always use ^ and $ in regexes, whenever appropriate, because ou=(.+),ou=(.+),ou=adressbooks,o=basedn will match something=bla,ou=xxx,ou=yyy,ou=adressbooks,o=basedn,ou=addressbooks,o=basedn,dc=some,dc=org
Always use ([^,]+) to indicate exactly one RDN, because (.+) can include any number of RDNs; e.g. ou=(.+),dc=example,dc=com will match ou=My,o=Org,dc=example,dc=com, which might not be what you want.
Never add the rootdn to the by clauses. ACLs are not even processed for operations performed with rootdn identity (otherwise there would be no reason to define a rootdn at all).
Use shorthands. The user directive matches authenticated users
and the anonymous directive matches anonymous users.
Don't use the dn.regex form for <by> clauses if all you need is scoping and/or substring replacement; use scoping styles (e.g. exact, onelevel, children or subtree) and the style modifier expand to cause substring expansion.
access to dn.regex=".+,dc=([^,]+),dc=([^,]+)$" by dn.regex="^[^,],ou=Admin,dc=$1,dc=$2$$" writealthoug correct, can be safely and efficiently replaced by
access to dn.regex=".+,(dc=[^,]+,dc=[^,]+)$" by dn.onelevel,expand="ou=Admin,$1" writewhere the regex in the <what> clause is more compact, and the one in the <by> clause is replaced by a much more efficient scoping style of onelevel with substring expansion.
|[Append to This Answer]|
|Previous:||How do I give modify/delete permissions to an entry's creator only?|
|Next:||How do I grant/deny access based on security strength factors?|