
(ITS#6179) ACL expand style requires dn.regex in what clause



Full_Name: Rein Tollevik
Version: 2.4.16
OS: Irrelevant
URL: 
Submission from: (NULL) (2a01:600:0:1:21c:23ff:feab:61cd)
Submitted by: rein


Using the expand style (as in "set.expand") in an ACL requires the <what> clause
to include a dn.regex style.  This is far too restrictive now that the other
dn.* styles and attrs val.regex also provide submatches that can be expanded.
The test could be extended to also include these cases, but should in that case
never fail since there is always an implicit dn.regex=^.*$ <what> present when
no DN is specified.  So, I'd prefer to remove this check, as in the patch at the
end.

As of now I use "set.regex=" and overlook the deprecated warning that gives
me...

Rein Tollevik
Basefarm AS

--- aclparse.c	15 May 2009 11:45:31 +0200	1.2
+++ aclparse.c	18 Jun 2009 16:21:02 +0200	
@@ -851,16 +851,6 @@
 					}
 				}
 
-				/* expand in <who> needs regex in <what> */
-				if ( ( sty == ACL_STYLE_EXPAND || expand )
-						&& a->acl_dn_style != ACL_STYLE_REGEX )
-				{
-					Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: \"expand\" style
"
-						"or modifier used in conjunction with a non-regex <what> clause.\n",
-						fname, lineno, 0 );
-						goto fail;
-				}
-
 				if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
 					is_realdn = 1;
 					bdn = &b->a_realdn;
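
Review bot: Deleting the whole ( sty == ACL_STYLE_EXPAND || expand ) test removes the only configuration-time diagnostic for an expand in <who> combined with a non-regex <what>, so such an ACL now loads without any message instead of reaching goto fail, and nothing in this hunk shows what the expansion produces at evaluation time in that case. If the check is dropped rather than narrowed, the change should come with a documentation note that expand is accepted with any <what> style and a test that exercises expand against a non-regex <what>. Separately, the removed Debug() format string is split across two lines in this mail (after "style"), so the hunk is unlikely to apply as posted and is better resent as an attachment.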