[Date Prev][Date Next]
Re: non-ascii in slapd.conf and ACL dn matching with non-ascii
At 02:48 PM 2002-08-17, Pierangelo Masarati wrote:
>ACL evaluation usually is applied agains entries. In entries
>we have the nornalized DN (e_nname structure member) but also
>the pretty DN (e_name structure member; they both result from
>applying dnPrettyNormal() to the supplied DN at some stage
>of entry addition). So whenever we need to do ACL evaluation
>we can use the pretty form as well, since ACL routines are passed
>entries, not strings.
Yes, the DN regex should match against e_name (without
regard to case).
>Another point is when parsing the ACL config directives.
>In this case, when reading all but regex matching, the supplied
>string is normalized (dnNormalize2(), I guess). All we need
>to do is to use dnPretty() instead. I note that dnPretty()
>leaves a few hex escaping (I need to check to be sure, but
>I'm positive ',', '+' and few more are hex escaped).
Yes. Pretty should do *minimal* escaping. So, if the e_name
is "CN=foo\2Bbar", then a regex "CN=foo\\\+bar" won't
match. One needs to use the regex CN=foo\\2Bbar" instead.