[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Managing multiple regex matches

Emmanuel Dreyfus wrote:
Let us imagine an ACL like this:

access to dn.regex="^uid=.*,ou=(.*)" attrs=foo val.regex="^(.*)$/"

We would like to use $1 (ou's value) and $2 (foo's value) in the <who> field.

For now this is not possible, because slap_access_allowed() collect a single
set of regmatch_t. If the <what> field of an ACL has multiple regex matches,
the last one only will be retained.

I suggest the following change:

1) In slap_access_allowed(), we would keep track of multiple set of
regmatch_t. matches would become something such as:

typedef struct AclRegexMatches { regmatch_t dn[MAXREMATCHES];
regmatch_t val[MAXREMATCHES];

You forgot nmatches in each case.

} AclRegexMatches;

In slap_acl_get(), the two regexec() calls would be done with matches.dn or
matches.val, depending on the situation.

This would probably be a good opportunity to define a common structure to be passed within ACL checking, as the list of arguments to those functions grew enough...

2) In acl_string_exapand(), we would replace $1, $2, $3 by values from
matches.dn, therefore providing backward compatibility.

And we would replace ${v1}, ${v2}, ${v3}... by values from matches.val and
${d1}, ${d2}, ${d3}... by values from matches.dn

There is a problem with my proposal, on dynaic ACL. We cannot provide them values from attribute value without changing the API. I suggest we stick with the current API for now and improve that later if needed.

That would definitely deserve to be kept in sync with the built-in functions, although I understand it would break compatibility. We could define some means of versioning, and allow the old API for backward compatibility, while introducing a new API. Although, maybe it's not worth the effort.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it