Re: Regular expressions in access control lists (ACLs)
At 05:36 AM 4/2/99 +0200, Hallvard B Furuseth wrote:
>do you use regular expressions in ACLs in slapd.conf, as in
One of my personal favorites (excuse me if it's off slightly,
I'm doing this from memory):
    access to dn="(.*,)?dc=([[:alnum:]]+),dc=([[:alnum:]]+)"
        by group="cn=(Administrators|PrivServices),ou=Groups,dc=$2,dc=$3" write
        by * none
>Regular expressions in ACLs are bug-prone because
>- they can't handle DNs that contain both case-sensitive and
> case-insensitive attributes,
The DN itself is a case-insensitive string. We could (and maybe
should) uppercase the dn/group regexes on input and then match
them against the entry's normalized, uppercased dn.
>- it's hard to "normalize" a regular expression matching a DN (e.g.
> remove spaces in front of the "," between RDNs, convert to uppercase
> when necessary, and so on).
We only require that the spaces be eliminated. The regexes are applied
insensitive to case. This works because dn, hostnames, and
addresses are all case insensitive.
> The ACL won't work properly when that's
> done wrong - unless the ACL already matches the DN's normalized form.
The fact that some folks cannot write a regex to match a normalized
DN is a poor reason to remove the functionality used by others.
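
Added example, not part of the original message and not slapd code: a Python emulation of the ACL quoted above, showing that the regex only matches once spaces are eliminated from the DN, and how $2/$3 from the target match expand into the group pattern. The function names, sample DNs, full-string anchoring, escaping of substituted values and the comma-splitting normalizer are assumptions of this example.

```python
import re

# Target and group patterns from the ACL in the message; the POSIX alnum
# class is written here as Python's [A-Za-z0-9].
TARGET = r"(.*,)?dc=([A-Za-z0-9]+),dc=([A-Za-z0-9]+)"
GROUP_TEMPLATE = "cn=(Administrators|PrivServices),ou=Groups,dc=$2,dc=$3"


def normalize_dn(dn):
    """Eliminate spaces around RDN separators and '=', then uppercase.
    Assumption: no escaped or quoted ',' or '=' inside attribute values."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns).upper()


def raw_match(dn):
    """Apply the target regex to the DN exactly as supplied (no normalization)."""
    return re.fullmatch(TARGET, dn, re.IGNORECASE) is not None


def expand(template, match):
    """Replace $N with capture group N of the target match. Values are
    escaped so they are matched as literals (a choice made in this example)."""
    return re.sub(r"\$(\d)",
                  lambda m: re.escape(match.group(int(m.group(1))) or ""),
                  template)


def write_allowed(entry_dn, requester_groups):
    """True if one of the requester's group DNs matches the group regex
    built from the entry DN; otherwise the 'by * none' clause applies."""
    m = re.fullmatch(TARGET, normalize_dn(entry_dn), re.IGNORECASE)
    if m is None:
        return False
    group_re = expand(GROUP_TEMPLATE, m)
    return any(re.fullmatch(group_re, normalize_dn(g), re.IGNORECASE)
               for g in requester_groups)


if __name__ == "__main__":
    entry = "cn=Bob , dc=Example , dc=COM"  # constructed sample DN
    print(raw_match(entry))                 # spaces defeat the regex
    print(write_allowed(entry, ["cn=Administrators, ou=Groups, dc=example, dc=com"]))
    print(write_allowed(entry, ["cn=Administrators,ou=Groups,dc=other,dc=com"]))
```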