[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ACLs, groups, and regular expressions... oh my

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ace Suares

> I'm bewilderd !

So I see. Let me try to state it a bit differently...

Regexp matching compares a single regexp pattern with a single string. It
asks a yes or no question, does the string fit the pattern? Obviously, to
perform a matching operation, you must first have two expressions to compare.

In an ACL "group" clause, you only have the group DN in the clause. You
aren't comparing the group DN to the target DN, and you're not comparing the
group DN to the user's DN. There is nothing to match it against. As such, the
group DN does not undergo any regexp matching operation at all. It can
undergo string substitution using the results of the "to" clause's match.
That's all.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support