
Wide use of "expand" style in ACLs (ITS#3010)

Full_Name: Pierangelo Masarati
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ando

I've modified ACLs to extensively use/allow the "expand" style/modifier in lieu
of regex whenever possible.  I also updated the man page.  Please test and
provide feedback before it gets released, since ACLs strongly impact security.

- "group" does not allow "regex" style any more, since the only operation that
can be done on the group name is substring expansion from a previous regex DN
- "peername" allows "expand" style
- "sockname" allows "expand" style
- "sockurl" allows "expand" style
- "domain" allows "expand" style modifier for "exact" and "subtree" styles; if
"expand" is provided as a style, "exact" is implied, however this use is
deprecated, because I'd like to move towards a complete elimination of default
behavior in ACLs, since they strongly impact security.
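
As an added illustration of the styles listed above (not part of the original submission or of the OpenLDAP sources), this slapd.conf fragment uses the "expand" style for "group" and the "expand" modifier for "domain". The dc=example,dc=com suffix, the one-ou-per-department layout and the example.com host names are constructed for the example; $1 is the first submatch of the dn.regex in the "to" clause.

```conf
# Constructed layout: entries are <rdn>,ou=<dept>,dc=example,dc=com.
# The parenthesized part of the target regex captures <dept> as $1.
#
# group.expand: $1 is substituted into the group DN and the result is
#   compared as a plain DN; no regex matching is done on the group name.
# domain.subtree,expand: $1 is substituted into the domain first, then
#   the client's host name must fall within that domain. The style is
#   written out explicitly instead of relying on a bare "domain.expand"
#   defaulting to "exact".
# The final "by * none" states the fallback instead of leaving it implicit.
access to dn.regex="^[^,]+,ou=([^,]+),dc=example,dc=com$"
    by group.expand="cn=admins,ou=$1,dc=example,dc=com" write
    by domain.subtree,expand="$1.example.com" read
    by * none
```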