[Date Prev][Date Next] [Chronological] [Thread] [Top]

Managing multiple regex matches

Let us imagine an ACL like this:

access to dn.regex="^uid=.*,ou=(.*)" attrs=foo val.regex="^(.*)$/"

We would like to use $1 (ou's value) and $2 (foo's value) in the <who> field.

For now this is not possible, because slap_access_allowed() collect a single
set of regmatch_t. If the <what> field of an ACL has multiple regex matches,
the last one only will be retained.

I suggest the following change:

1) In slap_access_allowed(), we would keep track of multiple set of
regmatch_t. matches would become something such as:

typedef struct AclRegexMatches {        
        regmatch_t dn[MAXREMATCHES];
        regmatch_t val[MAXREMATCHES];
} AclRegexMatches;

In slap_acl_get(), the two regexec() calls would be done with matches.dn or
matches.val, depending on the situation.

2) In acl_string_exapand(), we would replace $1, $2, $3 by values from
matches.dn, therefore providing backward compatibility.

And we would replace ${v1}, ${v2}, ${v3}... by values from matches.val and
${d1}, ${d2}, ${d3}... by values from matches.dn

There is a problem with my proposal, on dynaic ACL. We cannot provide them
values from attribute value without changing the API. I suggest we stick with
the current API for now and improve that later if needed.

Opinions? Did I miss something?

Emmanuel Dreyfus