Re: proposed semantics change in access control
At 07:25 AM 5/17/2003, Pierangelo Masarati wrote:
>> At 03:16 AM 5/17/2003, Pierangelo Masarati wrote:
>>>> I note that the intended default of regex'ing is that
>>>> the expression must match the whole DN, not just a part
>>>> of a DN. It seems that some users are reporting cases
>>>> where the expression is matching only part of a DN. If so,
>>>> that would be a bug.
>>>> For instance,
>>>> to dn="cn=foo"
>>>> by dn="cn=foo"
>>>> can only match a DN which is CN=FOO (or diffs only by case).
>>>> It shouldn't match xCN=FOO nor CN=FOOx. That is, there is
>>>> an implicit ^ at the start of the expression and an implicit
>>>> $ at the end of the expression.
>>>In most regex implementations, if the pattern is a portion
>>>of the string, the match is successful; to require an exact
>>>match one must enforce "^pattern$". This should be clearly
>>>written in the docs.
>> Yes. IIRC, the code used to rewrite the pattern or otherwise
>> deal with that.
>Well, I think it doesn't any more, which, IMHO,
>is the correct behavior, because it might be intended;
>mucking with ACLs is not wise.
Well, I agree. I always thought our attempts to do
regex normalization were misguided.
Anyways, in this case, I was thinking what we did was just
check the match to be sure it matched all of the input. But
apparently I am wrong as I couldn't find any such code anywhere.
>My point is: let's leave as much freedom as possible
>to the users, but let's make them assume responsibility
>for this. They must know what they're doing, then they
>can do whatever they want. Let's give up with defaults,
>or use a conservative approach (this is where the
>engineer comes out :).
At this point, given our documentation and examples (FAQ)
are misleading, I suggest we do a few things.
One, in 2.2, make exact the default AND also remove any
and all regex mucking (no normalization, etc.). Leave
regexing completely to the admin.
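The following is an added illustration (constructed for this page, not code from the thread or from slapd) of the three readings of the ACL clause dn="cn=foo" discussed above: the unanchored search most regex libraries default to, the "did the match cover the whole input" check Kurt thought the code performed, and an admin-written ^pattern$. The sample DNs and the alternation pattern are constructed.

```python
import re

# Constructed sample DNs (not from the thread) to probe how the ACL
# clause dn="cn=foo" behaves under each interpretation.
PATTERN = "cn=foo"
SAMPLE_DNS = ["cn=foo", "CN=FOO", "xcn=foo", "cn=foox", "cn=foo,dc=example,dc=com"]


def unanchored_match(pattern, dn):
    """Default regex semantics: success if the pattern matches any part of the DN."""
    return re.search(pattern, dn, re.IGNORECASE) is not None


def span_checked_match(pattern, dn):
    """Search, then require the (leftmost) match to span the whole DN.
    This is the post-match check the message speculates slapd once did."""
    m = re.search(pattern, dn, re.IGNORECASE)
    return m is not None and m.span() == (0, len(dn))


def anchored_match(pattern, dn):
    """Semantics of an admin-written ^pattern$ (re.fullmatch): the engine
    must find some way for the whole DN to match, backtracking as needed."""
    return re.fullmatch(pattern, dn, re.IGNORECASE) is not None


def overmatched(pattern, dns):
    """DNs granted by the unanchored reading but not by the exact one:
    the set an ACL audit should flag when exact matching was intended."""
    return [dn for dn in dns if unanchored_match(pattern, dn) and not anchored_match(pattern, dn)]


def span_check_gaps(pattern, dns):
    """DNs the span check denies even though ^pattern$ would accept them.
    Happens with alternation: the leftmost match may be a shorter branch."""
    return [dn for dn in dns if anchored_match(pattern, dn) and not span_checked_match(pattern, dn)]


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{dn:28} unanchored={unanchored_match(PATTERN, dn)!s:5} "
              f"anchored={anchored_match(PATTERN, dn)}")
    print("over-matched:", overmatched(PATTERN, SAMPLE_DNS))
    # With alternation, a post-match span check and true anchoring disagree,
    # so the span check is not a faithful substitute for implicit ^ and $.
    print("span-check gaps:", span_check_gaps("cn=f|cn=foo", ["cn=foo"]))
```

The last line shows why "check that the match covered all of the input" is weaker than anchoring: for cn=f|cn=foo the leftmost match on cn=foo is the shorter branch, so the span check denies a DN that ^cn=f|cn=foo$ accepts.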