Re: (ITS#3921) authzTo/authzFrom syntax



Howard Chu wrote:

> ando@sys-net.it wrote:
>
>> Full_Name: Pierangelo Masarati
>> Version: HEAD
>> OS: irrelevant
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (81.72.89.40)
>> Submitted by: ando
>>
>>
>> authzTo/authzFrom should have a specific syntax, so that they can be
>> validated (early detection of configuration errors) and possibly
>> prettified/normalized to ease and speed up their parsing any time
>> they're evaluated (e.g., avoid repeated DN normalizations and so).
>
> I don't think this is practical, but feel free to prove me wrong. The 
> same issue arises with authz-regexp, as well as ACL clauses that 
> accept regexp's. We don't really know what it means to normalize a 
> regexp.

I'm not concerned about __normalizing__ regexps, but about 
__sanitizing__ data (verification, plus normalization of DN).

Currently, authzTo/authzFrom can have the form:

1) <DN>
2) dn[.{exact|onelevel|children|subtree}]:<DN>
3) dn.regex:<regex>
4) u:<ID>
5) group[/groupClass[/groupMember]]:<DN>

I'd normalize only the <DN> portion in cases (1), (2) and (5), and maybe 
turn case (1) into case (2), so that a run-time strchr( string, ':') 
__must__ succeed.

This would trap most of the syntax errors once and for all when data is 
written to the directory, and avoid many DN normalizations during authz 
evaluation (not those related to dn.regex, though).

p.


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
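The five value forms and the rewrite of a bare DN into `dn.exact:<DN>` discussed in the message above, as an added illustration that is not OpenLDAP's code: a small Python validator/normalizer that rejects malformed values at write time and only normalizes the `<DN>` portion of forms (1), (2) and (5). The DN normalization is a deliberately simplified stand-in (lower-case attribute types, trimmed blanks, no escaped commas) for the schema-aware normalization a real implementation would use; the input values are constructed.

```python
import re

# Keyword prefixes of forms (2)-(5) from the message; anything else is a bare DN, form (1).
KEYWORD = re.compile(r"^(dn(\.[a-z]+)?|u|group(/[^/:]+){0,2})$")
DN_STYLES = {"exact", "onelevel", "children", "subtree"}

def normalize_dn(dn):
    """Toy DN normalization: lower-case attribute types, strip blanks around
    '=' and ','. Assumption: no escaped commas; a real server would call its
    schema-aware DN normalizer instead."""
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        atype, val = rdn.split("=", 1)
        atype, val = atype.strip().lower(), val.strip()
        if not atype or not val:
            raise ValueError("empty attribute type or value in %r" % dn)
        rdns.append(atype + "=" + val)
    return ",".join(rdns)

def normalize_authz(value):
    """Validate one authzTo/authzFrom value and return its normalized form.
    Raises ValueError (or re.error for a bad regex) so errors surface at write time."""
    value = value.strip()
    kind, sep, rest = value.partition(":")
    if not sep or not KEYWORD.match(kind):
        # form (1): bare DN (even one whose value contains ':'), rewritten to
        # form (2) so a later search for ':' always succeeds
        return "dn.exact:" + normalize_dn(value)
    if kind.startswith("dn"):
        style = kind[3:] if kind.startswith("dn.") else "exact"
        if style == "regex":            # form (3): regex kept verbatim, not normalized
            re.compile(rest)            # approximates a regcomp() check at write time
            return "dn.regex:" + rest
        if style not in DN_STYLES:
            raise ValueError("unknown dn style %r" % style)
        return "dn.%s:%s" % (style, normalize_dn(rest))   # form (2)
    if kind == "u":                     # form (4): opaque user id, left as-is
        if not rest.strip():
            raise ValueError("empty user id")
        return "u:" + rest.strip()
    return kind + ":" + normalize_dn(rest)   # form (5): group[/class[/attr]]:<DN>

def is_valid_authz(value):
    """True when normalize_authz() accepts the value."""
    try:
        normalize_authz(value)
        return True
    except (ValueError, re.error):
        return False
```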