[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: proposed semantics change in access control

At 07:25 AM 5/17/2003, Pierangelo Masarati wrote:

>> At 03:16 AM 5/17/2003, Pierangelo Masarati wrote:
>>>> I note that the default intended of regex'ing is that
>>>> the expression must match the whole DN, not just a part
>>>> of a DN.  It seems that some users are reporting cases
>>>> where the expression is matching only of a DN.  If so,
>>>> that would be a bug.
>>>> For instance,
>>>>         to dn="cn=foo"
>>>> or
>>>>         by dn="cn=foo"
>>>> can only match a DN which is CN=FOO (or diffs only by case).
>>>> It shouldn't match xCN=FOO nor CN=FOOx.  That is, there is
>>>> an implicit ^ at the start of the expression and an implicit
>>>> $ at the end of the expression.
>>>In most regex implementations, if the pattern is a portion
>>>of the string, the match is successful; to require an exact
>>>match one must enforce "^pattern$".  This should be clearly
>>>written in the docs.
>> Yes.  IIRC, the code use to rewrite the pattern or otherwise
>> deal with that.
>Well, I think it doesn't any more, which, IMHO,
>is the correct behavior, because it might be intended;
>mucking with ACLs is not wise.

Well, I agree.  I always thought our attempts to do
regex normalization was misguided.

Anyways, in this case, I was thinking what we did was just
check the match to be sure it matched all of the input.  But
apparently I am wrong as I couldn't find any such code anywhere.

>My point is: let's leave as much freedom as possible
>to the users, but let's make them assume responsibility
>for this.  They must know what they're doing, then they
>can do whatever they want.  Let's give up with defaults,
>or use a conservative approach (this is where the
>engineer comes out :).

At this point, given our documentation and examples (FAQ)
are misleading, I suggest we do a few things.

One, in 2.2, make exact the default AND also remove any
and all regex mucking (no normalization, etc.).  Leave
regexing completely to the admin.