
Re: proposed semantics change in access control



> At 03:16 AM 5/17/2003, Pierangelo Masarati wrote:
>
>>> I note that the default intent of regex'ing is that
>>> the expression must match the whole DN, not just a part
>>> of a DN.  It seems that some users are reporting cases
>>> where the expression is matching only part of a DN.  If so,
>>> that would be a bug.
>>>
>>> For instance,
>>>         to dn="cn=foo"
>>> or
>>>         by dn="cn=foo"
>>>
>>> can only match a DN which is CN=FOO (or diffs only by case).
>>> It shouldn't match xCN=FOO nor CN=FOOx.  That is, there is
>>> an implicit ^ at the start of the expression and an implicit
>>> $ at the end of the expression.
>>
>>In most regex implementations, if the pattern is a portion
>>of the string, the match is successful; to require an exact
>>match one must enforce "^pattern$".  This should be clearly
>>written in the docs.
>
> Yes.  IIRC, the code used to rewrite the pattern or otherwise
> deal with that.

Well, I think it doesn't any more, which, IMHO,
is the correct behavior, because it might be intended;
mucking with ACLs is not wise.

My point is: let's leave as much freedom as possible
to the users, but let's make them assume responsibility
for this.  They must know what they're doing, then they
can do whatever they want.  Let's give up on defaults,
or use a conservative approach (this is where the
engineer comes out :).



-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
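The difference the thread is arguing about, as an added example that is not part of the original thread and not slapd code: the pattern `cn=foo` from the quoted message is evaluated first as a plain POSIX regex search (unanchored, case-insensitive, which is the behaviour Pierangelo describes as the norm for regex libraries) and then wrapped in an implicit `^(...)$` (the semantics Kurt says were intended). The helper names `match_unanchored` and `match_anchored`, the `^(%s)$` wrapping and the sample DNs are all assumptions of this example, not anything from OpenLDAP.

```c
#include <regex.h>
#include <stdio.h>

/* Added example, not slapd code: evaluate an ACL-style DN pattern the way a
 * plain POSIX regex call does, i.e. as an unanchored, case-insensitive
 * search.  Returns 1 on match, 0 on no match, -1 if the pattern is invalid. */
static int match_unanchored(const char *pattern, const char *dn)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, dn, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Same, but with the implicit ^ and $ the thread describes as the intended
 * semantics: the user's pattern is wrapped as ^(pattern)$ so it has to
 * account for the whole DN.  The wrapping is a hypothetical choice made for
 * this example; it is not how any particular slapd release does it. */
static int match_anchored(const char *pattern, const char *dn)
{
    char wrapped[1024];

    if (snprintf(wrapped, sizeof wrapped, "^(%s)$", pattern)
            >= (int)sizeof wrapped)
        return -1;
    return match_unanchored(wrapped, dn);
}

int main(void)
{
    /* Constructed sample DNs; cn=foo is the pattern quoted in the thread. */
    const char *pattern = "cn=foo";
    const char *dns[] = {
        "cn=foo",
        "CN=FOO",
        "xcn=foo",
        "cn=foox",
        "cn=foo,ou=people,dc=example,dc=com",
    };
    size_t i;

    printf("%-40s %-12s %-10s\n", "DN", "unanchored", "anchored");
    for (i = 0; i < sizeof dns / sizeof dns[0]; i++)
        printf("%-40s %-12d %-10d\n", dns[i],
               match_unanchored(pattern, dns[i]),
               match_anchored(pattern, dns[i]));
    return 0;
}
```

The last sample DN is the one that matters for an ACL: under unanchored matching, `to dn="cn=foo"` or `by dn="cn=foo"` is satisfied by any DN that merely contains `cn=foo`, including an entry elsewhere in the tree, whereas the anchored form accepts only `cn=foo` itself (modulo case). If the server does not add the anchors for you, writing `dn="^cn=foo$"` in the ACL, as Pierangelo suggests, gives the same result under both helpers.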