
Re: ACI/ACL based on entry attribute values

There are flags to regexps that can make them choose a
"minimal" rather than greedy match; I haven't looked at the GNU
regexp lib for a while, but Perl certainly lets you do this.

What you are suggesting is not exactly what I mean, though. The
difference is in order. The substrings are taken from the target entry
data and matched against the user entry. I understand that this is tied into
how ACLs work (i.e. they first find all ACL entries that match the target and
then try users against that). The reverse would do what I need.

I.e., in your case (assuming a non-greedy match) you basically choose the
very last component of a tree (or, in a greedy match, the entire base DN). In any
case only one entry will match, either the one on the very top or the one right
above the target.
In a reverse mode we take the entire user entry DN as a substring and match it against
the target. We then get a match for all user entries above the target, at any level
(not only the top or the direct parent).
This matching order would require different ACL processing, that much is true.


Howard Chu wrote:
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Ugen


access to targetattrmatch dn=".*$1$"
   by attrpick dn="(.*)" write

I just let anyone above any entry have write access to
its descendants.

This would be the equivalent:

	access to dn=".*,(.*$)"
		by dn="$1" write

But neither my example nor yours would work in a practical environment since
regexp matches are greedy.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
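As an added illustration (not code from the thread or from OpenLDAP), the following Python sketch compares the three matching orders discussed above: the `access to dn=".*,(.*$)" by dn="$1"` rule with a greedy and with a non-greedy `.*`, and the "reverse" order where the whole user DN is matched as a suffix of the target. The DNs are constructed sample values.

```python
import re

# Constructed sample tree (not from the thread): a leaf entry and the
# users whose DNs sit at various points above it.
TARGET = "cn=leaf,ou=dev,ou=people,o=example"
USERS = [
    "ou=dev,ou=people,o=example",  # direct parent
    "ou=people,o=example",         # grandparent
    "o=example",                   # top of the tree
    "ou=other,o=example",          # sibling subtree, must never get write
]

def captured_parent(target_dn, greedy=True):
    """What $1 holds for 'access to dn=".*,(.*$)"' applied to target_dn.
    Greedy .* swallows everything up to the LAST comma, so $1 is only the
    top component; non-greedy .*? stops at the FIRST comma, so $1 is the
    direct parent. Either way exactly one ancestor can ever match."""
    pattern = r".*,(.*$)" if greedy else r".*?,(.*$)"
    m = re.match(pattern, target_dn)
    return m.group(1) if m else None

def regex_rule_grants(target_dn, user_dn, greedy=True):
    """The quoted rule: write is granted only to the user whose DN equals $1."""
    return captured_parent(target_dn, greedy) == user_dn

def reverse_rule_grants(target_dn, user_dn):
    """The reverse order asked for in the reply: take the whole user DN and
    test whether the target lies anywhere beneath it. The leading comma
    keeps 'ou=ab,o=example' from matching a user 'ou=b,o=example'.
    Assumes both DNs are already normalised (case, spacing)."""
    return target_dn.endswith("," + user_dn)

def granted_users(target_dn, users, rule):
    """Return the users that a given rule would grant write on target_dn."""
    return [u for u in users if rule(target_dn, u)]

if __name__ == "__main__":
    print("greedy $1     :", captured_parent(TARGET, greedy=True))
    print("non-greedy $1 :", captured_parent(TARGET, greedy=False))
    print("greedy grants :", granted_users(TARGET, USERS, regex_rule_grants))
    print("non-greedy    :", granted_users(
        TARGET, USERS, lambda t, u: regex_rule_grants(t, u, greedy=False)))
    print("reverse grants:", granted_users(TARGET, USERS, reverse_rule_grants))
```

Only the reverse order grants every ancestor and still excludes the sibling subtree; the regex capture grants exactly one ancestor, and which one depends on greediness.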