
group.regex doesn't do regex (ITS#2788)

Full_Name: Ace SU-ares 
Version: 2.1.22
OS: Linux ?
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

When using group.regex in the 'by' clause of an ACL, the argument to group.regex
may NOT be a regular expression (regex). If the argument is a regex, the by
clause will be dropped without an error (i.e. when reading the configuration
file, no errors are triggered, and when using the clause while looking up
access, it is silently dropped with no trace in the logfiles (with slapd -d

However, replacements may be used. If the 'to' clause contains parenthesized
regular expressions that are matched, they can be referenced in group.regex with
$1, $2 etc.

Example (WRONG)

access to dn.regex="cn=(.+),ou=people"
	by group.regex="manager=.*,ou=people" write

--> the by clause will be silently dropped during access_allowed evaluation

Example (RIGHT)

access to dn.regex="cn=(.+),ou=people"
	by group.regex="manager=$1,ou=people" write

--> although a Silly Example(TM), the regex will evaluate properly.

It is suggested by Kurt Zeilenga during mailing list discussion that this needed
to be fixed in documentation. However, I would suggest that this would be fixed
in code and that group.regex will take any proper regex.

Note that 'group' without 'regex' will default to regex, adding to the
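
Added example (not part of the original report and not OpenLDAP code): a small Python check that scans slapd.conf text for `by group.regex=` clauses whose pattern still contains regex metacharacters once `$1`, `$2` ... substitutions are set aside, which is the case the report describes as being silently dropped in 2.1.22. The function names, the metacharacter set (a heuristic that flags clauses for manual review) and the sample configuration built from the two ACLs above are assumptions of this example.

```python
import re

# Constructed sample: the WRONG and RIGHT ACLs quoted in the report.
SAMPLE_CONF = (
    'access to dn.regex="cn=(.+),ou=people"\n'
    '\tby group.regex="manager=.*,ou=people" write\n'
    '\n'
    'access to dn.regex="cn=(.+),ou=people"\n'
    '\tby group.regex="manager=$1,ou=people" write\n'
)

# by group[/objectclass[/attr]].regex=<pattern>, pattern quoted or bare
BY_GROUP_REGEX = re.compile(
    r'\bby\s+group(?:/[^.=\s]+)*\.regex=(?:"([^"]*)"|(\S+))')
SUBSTITUTION = re.compile(r'\$\d')            # $1, $2 ... from the 'to' clause
METACHARS = re.compile(r'[.*+?\[\](){}|^$\\]')  # heuristic: looks like a real regex


def logical_lines(text):
    """Yield (first_line_no, joined_directive). A directive continues on
    following lines that begin with whitespace; '#' lines are comments."""
    start, buf = 0, []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        if line[:1] in (' ', '\t') and buf:
            buf.append(line.strip())
        else:
            if buf:
                yield start, ' '.join(buf)
            start, buf = no, ([line.strip()] if line.strip() else [])
    if buf:
        yield start, ' '.join(buf)


def find_regex_group_clauses(text):
    """Return [(acl_start_line, pattern)] for group.regex patterns that
    contain more than literal text and $N substitutions."""
    hits = []
    for no, directive in logical_lines(text):
        if not directive.startswith('access to'):
            continue
        for m in BY_GROUP_REGEX.finditer(directive):
            pattern = m.group(1) if m.group(1) is not None else m.group(2)
            if METACHARS.search(SUBSTITUTION.sub('', pattern)):
                hits.append((no, pattern))
    return hits


if __name__ == '__main__':
    for line_no, pattern in find_regex_group_clauses(SAMPLE_CONF):
        print(f'ACL at line {line_no}: review group.regex pattern {pattern!r}')
```

A flagged clause grants nothing if it is dropped as the report describes, so the effective access is whatever the remaining `by` clauses allow; review each hit against the intended policy.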