
Re: (ITS#4253) val.regex broken



I'm not yet sure I understand your issue; the tests I'm running (HEAD,
re23) don't show any issue.  Let me first state that I spotted a "bug"
in the "val" clause (the value had to be manually normalized for exact
match; now fixed in HEAD), which however doesn't affect the "regex"
style, so this is not the issue.

I've set up a simple test, starting from test003 data, which shows that
access to any of the two values of a multivalued attribute works
correctly, but I'm not sure I clearly understand your case.  I suggest
you set up a similar test case, possibly starting from the same data I'm
posting below, and clearly describe the operations you perform, the
behavior you obtain and the behavior you expect.

Instructions:

- run test003

- add to slapd.conf the ACLs:

<slapd.1.conf>
access to attrs=cn val.regex="Mark Elliot"
        by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
        by * break

access to attrs=cn val.regex="Mark A Elliot"
        by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
        by * break

access to attrs=cn
        by * search

access to *
        by * read
</slapd.1.conf>

- run the commands

(0) ldapsearch -x -H ldap://:9011 \
	-b 'cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com' \
	-D 'cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' -w bjensen \
	-LLL cn

dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
cn: Mark Elliot
cn: Mark A Elliot


(1) ldapsearch -x -H ldap://:9011 \
	-b 'cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com' \
	-D 'cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' -w bjensen \
	-LLL cn

dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
cn: Mark A Elliot

(2) ldapsearch -x -H ldap://:9011 \
	-b 'cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com' \
	-D 'cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' -w bjorn \
	-LLL cn

dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
cn: Mark Elliot

As you see, the attribute has two values; each regex is picking one, and
each identity has access to just one of them.  Does it fit your case?

You may also try swapping the first two access rules, so that the first
rule actually matches the second value and the second rule matches the
first one; I get consistent results.

Please elaborate further if this does not fit the case you're observing.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
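
The per-value evaluation that the test in this message exercises can be modelled as follows. This is an added example, not part of the original message and not slapd's code; it assumes rules are tried in order, that "by * break" falls through to the following rules, and that Python's `re` with case-insensitive unanchored matching stands in for the server's regex handling.

```python
import re

# Simplified model (not slapd code) of ordered ACL evaluation per attribute value.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
IT = "ou=Information Technology Division,ou=People,dc=example,dc=com"
BJORN = "cn=Bjorn Jensen," + IT
BARBARA = "cn=Barbara Jensen," + IT

# Each rule: (attribute or None for "*", val.regex or None, by-clauses).
# Each by-clause: (who, access level, control), mirroring the ACLs in the message.
RULES = [
    ("cn", "Mark Elliot", [(BJORN, "read", "stop"), ("*", None, "break")]),
    ("cn", "Mark A Elliot", [(BARBARA, "read", "stop"), ("*", None, "break")]),
    ("cn", None, [("*", "search", "stop")]),
    (None, None, [("*", "read", "stop")]),
]


def access_level(rules, who, attr, value):
    """Return the level the first applicable rule grants `who` on one value."""
    for rule_attr, val_regex, by_clauses in rules:
        if rule_attr is not None and rule_attr.lower() != attr.lower():
            continue
        # Assumption: unanchored, case-insensitive match; Python's re stands in
        # for the POSIX extended regex engine.
        if val_regex is not None and not re.search(val_regex, value, re.I):
            continue
        for subject, level, control in by_clauses:
            # Assumption: lowercasing stands in for DN normalization.
            if subject != "*" and subject.lower() != who.lower():
                continue
            if control == "break":
                break  # "by * break": fall through to the following rules
            return level
        else:
            return "none"  # no by-clause matched: implicit "by * none"
    return "none"  # no rule matched: implicit deny


def visible_values(rules, who, attr, values):
    """Values a search would return: those with at least read access."""
    need = LEVELS.index("read")
    return [v for v in values
            if LEVELS.index(access_level(rules, who, attr, v)) >= need]


if __name__ == "__main__":
    cn = ["Mark Elliot", "Mark A Elliot"]  # the entry's two cn values
    for who in (BARBARA, BJORN):
        print(who.split(",")[0], "->", visible_values(RULES, who, "cn", cn))
```

Swapping the first two entries of `RULES` models the rule swap suggested in the message.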