Re: proposed semantics change in access control
> I note that the intended default of regex'ing is that
> the expression must match the whole DN, not just a part
> of a DN. It seems that some users are reporting cases
> where the expression is matching only part of a DN. If so,
> that would be a bug.
> For instance,
> to dn="cn=foo"
> by dn="cn=foo"
> can only match a DN which is CN=FOO (or diffs only by case).
> It shouldn't match xCN=FOO nor CN=FOOx. That is, there is
> an implicit ^ at the start of the expression and an implicit
> $ at the end of the expression.
In most regex implementations, if the pattern is a portion
of the string, the match is successful; to require an exact
match one must enforce "^pattern$". This should be clearly
written in the docs.
> At least there used to be... if not now, then that's a bug.
> As far as changing the defaults, I think that would cause
> far more problems than it would solve.
Agree; but then many ACL configuration bugs would become clear.
We might add a warning (which would be overkill and be ignored
by most) that notes when "^" and "$" are missing from dn
patterns which are not explicitly marked as regex.
I definitely agree with Howard that changing default
behavior is always bad; mine was a heads-up rather than
a real suggestion. Maybe I'll try to write all these
considerations in a clear manner in slapd.access(5).
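The two semantics discussed above (the substring match most regex libraries perform by default versus the implicit "^...$" the ACL code intends), plus the kind of missing-anchor warning proposed in the reply, as an added example that is not part of the original message or of OpenLDAP. Python's re module stands in for the regex library slapd links against; the access directives are constructed sample input, and lint_acl is a hypothetical checker, not a slapd option.

```python
import re

# Constructed slapd.conf-style directives (sample input, not from the thread).
# Only the third "by" clause is explicitly anchored with ^ and $.
SAMPLE_ACL = """\
access to dn="cn=foo"
    by dn="cn=foo" write
    by dn="^cn=admin,dc=example,dc=com$" write
    by dn=".*,ou=people,dc=example,dc=com" read
"""

# Pull every dn="..." pattern out of a directive line.
DN_PATTERN_RE = re.compile(r'dn="([^"]*)"')


def matches_substring(pattern, dn):
    """What most regex implementations do by default: the match succeeds
    if the pattern matches anywhere inside the DN (case-insensitive, as
    DN comparison in the ACL code is)."""
    return re.search(pattern, dn, re.IGNORECASE) is not None


def matches_whole(pattern, dn):
    """The intended ACL semantics: an implicit ^ at the start and $ at the
    end, so the pattern must cover the entire DN."""
    return re.fullmatch(pattern, dn, re.IGNORECASE) is not None


def is_anchored(pattern):
    """True when the author wrote ^...$ explicitly, so behaviour is the same
    under either semantics."""
    return pattern.startswith("^") and pattern.endswith("$")


def lint_acl(text):
    """Hypothetical checker: return (line_number, pattern) for every dn
    pattern that lacks explicit ^ and $ anchors. Each hit is a place where
    a substring-matching regex engine would grant access more widely than
    the whole-DN reading suggests."""
    warnings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in DN_PATTERN_RE.findall(line):
            if not is_anchored(pat):
                warnings.append((lineno, pat))
    return warnings


def demo():
    """Compare the two semantics on the DNs from the thread and on a
    constructed DN with an extra trailing component."""
    cases = [
        ("cn=foo", "CN=FOO"),
        ("cn=foo", "xCN=FOO"),
        ("cn=foo", "CN=FOOx"),
        (".*,ou=people,dc=example,dc=com",
         "cn=bob,ou=people,dc=example,dc=com,o=evil"),
    ]
    return [(pat, dn, matches_substring(pat, dn), matches_whole(pat, dn))
            for pat, dn in cases]


if __name__ == "__main__":
    for pat, dn, sub, whole in demo():
        print(f"{pat!r:40} vs {dn!r:45} substring={sub} whole={whole}")
    for lineno, pat in lint_acl(SAMPLE_ACL):
        print(f"line {lineno}: dn pattern {pat!r} is not anchored with ^ and $")
```

Running it shows that "cn=foo" accepts xCN=FOO and CN=FOOx under substring matching but only CN=FOO under whole-DN matching, and that an unanchored ".*,ou=people,..." pattern also accepts a DN with components appended after the expected suffix. The checker flags the three unanchored patterns in the sample and is silent on the one written as "^...$", which is the only style that behaves identically regardless of which semantics the server actually implements.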