
Re: non-ascii in slapd.conf and ACL dn matching with non-ascii

At 02:48 PM 2002-08-17, Pierangelo Masarati wrote:
>ACL evaluation usually is applied against entries.  In entries
>we have the normalized DN (e_nname structure member) but also
>the pretty DN (e_name structure member; they both result from
>applying dnPrettyNormal() to the supplied DN at some stage
>of entry addition).  So whenever we need to do ACL evaluation
>we can use the pretty form as well, since ACL routines are passed
>entries, not strings. 

Yes, the DN regex should match against e_name (without
regard to case).

>Another point is when parsing the ACL config directives.
>In this case, when reading all but regex matching, the supplied
>string is normalized (dnNormalize2(), I guess).  All we need
>to do is to use dnPretty() instead.  I note that dnPretty()
>leaves a few hex escapes (I need to check to be sure, but
>I'm positive ',', '+' and a few more are hex escaped). 

Yes. Pretty should do *minimal* escaping.  So, if the e_name
is "CN=foo\2Bbar", then a regex "CN=foo\\\+bar" won't
match.  One needs to use the regex "CN=foo\\2Bbar" instead.