dn.regex in ACLs, and in the admin guide


I have some questions about slapd access-control directives.

In http://www.openldap.org/doc/admin21/slapdconfig.html#Access%20Control
there's a BNF grammar, containing this set of expressions:

	<what> ::= * |
		[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
		[filter=<ldapfilter>] [attrs=<attrlist>]

	<basic-style> ::= regex | exact

	<scope-style> ::= base | one | subtree | children

However, in the slapd.access(5) manual page, there's the following

	 "base or exact (an alias of base)" 

...within the paragraph that starts as so:

       For all other qualifiers, the pattern is a string
       representation of the entry's DN.  base or exact (an alias of
       base) indicates the entry whose DN is equal to the pattern.

If "exact" is an alias of "base", and "base" is a member of
<scope-style>, then:

  1)  dn.exact=<DN>

      rather than dn.exact=<regex> which is how the grammar, above,
      says it would be.

  2) "exact" does not belong in the definition of <basic-style>,
      within the BNF grammar.

...assuming that slapd.access(5) is the authoritative work, on it.

Sounds right?

sean champ
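
Added example, not part of the original post and not OpenLDAP code: a simplified Python model of how a `dn.<style>=<pattern>` clause selects entries under the slapd.access(5) reading quoted above, showing why it matters for ACL scope whether the pattern is read as a DN or as a regex. The function names, the sample DNs, the naive DN normalisation and the use of Python's `re` in place of POSIX regex are all assumptions.

```python
import re

def norm(dn):
    # Simplified DN normalisation (assumption): lowercase and trim each RDN.
    # Escaped commas and multi-valued RDNs are not handled.
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def dn_clause_matches(clause, entry_dn):
    """Evaluate one 'dn.<style>=<pattern>' clause against entry_dn."""
    m = re.fullmatch(r'dn\.(\w+)="?(.*?)"?', clause)
    if not m:
        raise ValueError("expected dn.<style>=<pattern>: %r" % clause)
    style, pattern = m.groups()
    if style == "regex":
        # Modelled as an unanchored search: without ^ and $ the pattern
        # matches any DN that merely contains it.
        return re.search(pattern, entry_dn, re.IGNORECASE) is not None
    entry, base = norm(entry_dn), norm(pattern)
    depth = len(entry) - len(base)          # RDNs below the pattern DN
    under = depth >= 0 and entry[depth:] == base
    if style in ("base", "exact"):          # exact treated as alias of base
        return entry == base
    if style == "one":                      # immediate children only
        return under and depth == 1
    if style == "subtree":                  # the entry and everything below
        return under
    if style == "children":                 # everything below, not the entry
        return under and depth >= 1
    raise ValueError("unknown style: %r" % style)

# Constructed sample directory entries.
ENTRIES = [
    "ou=people,dc=example,dc=com",
    "uid=alice,ou=people,dc=example,dc=com",
    "cn=key,uid=alice,ou=people,dc=example,dc=com",
    "ou=people,dc=example,dc=com,o=other",
]

def matched(clause):
    return [dn for dn in ENTRIES if dn_clause_matches(clause, dn)]

if __name__ == "__main__":
    p = '="ou=people,dc=example,dc=com"'
    for style in ("exact", "base", "one", "subtree", "children", "regex"):
        print("dn.%-9s" % style, matched("dn." + style + p))
```

With the same pattern string, the DN styles select one entry or a bounded part of the tree, while the unanchored regex also selects the entry under `o=other`.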