Re: regex in group ACL

François Beretti wrote:

Pierangelo Masarati wrote:

François Beretti wrote:

One of my access control commands in slapd.conf does not work. I would like to know why.
access to filter="(objectClass=enatelSSOStorage)" dn.regex="*" attrs="entry"
by group/enatelSSOAccountDelegation/enatelUserEntityObject.regex="cn=test1,cn=test2,$1" read

Assuming you're using OpenLDAP 2.2, "group.regex" is no longer supported (as it was doing something completely different from regexec'ing). See slapd.access(5) for details (and a replacement of what you intend it to do).
Note that even the dn.regex="*" doesn't look so correct to me; I'd rather use dn.regex=".*".
Finally, in case of match, you should rather use "$0", because "$1" refers to the first submatch (i.e. enclosed between brackets, and you don't use any brackets in the dn regex).
So your rule should rather look like

access to filter="(objectClass=enatelSSOStorage)" dn.regex=".*" attrs="entry"
by group/enatelSSOAccountDelegation/enatelUserEntityObject.expand="cn=test1,cn=test2,$0" read

Thank you very much for your answer, Pierangelo

I am using OpenLDAP 2.1.29 as it is packaged for Fedora. The "expand" keyword doesn't seem to be supported in this version. Is it possible to do what I want?

I know, you're going to tell me "you should consider upgrading to 2.2.17". But I am writing software for customers who often use OpenLDAP 2.1.x, and I would really like my ACL to work with it.

Well, the rest of my comments apply to 2.1; in that case, you need to do

access to filter="(objectClass=enatelSSOStorage)" dn.regex=".*" attrs="entry"
by group/enatelSSOAccountDelegation/enatelUserEntityObject.regex="cn=test1,cn=test2,$0" read
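As an added illustration (not code from the thread or from OpenLDAP itself), the Python sketch below mimics how slapd expands $0 / $N from the dn.regex match into the group DN and then checks membership via the group's objectClass and member attribute. The directory contents and DNs are constructed sample data modelled on the rule discussed above.

```python
import re

# Constructed sample directory (assumption, not real data): a target entry
# of objectClass enatelSSOStorage and, underneath it, the delegation group
# that "cn=test1,cn=test2,$0" should resolve to.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["enatelSSOStorage"],
    },
    "cn=test1,cn=test2,uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["enatelSSOAccountDelegation"],
        "enatelUserEntityObject": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}

def expand_group_dn(group_pattern, dn_regex, target_dn):
    """Expand $0..$9 in group_pattern from the dn.regex match on target_dn.

    $0 is the whole match, $N the N-th parenthesised submatch, as in slapd.
    Returns None when the target DN does not match dn.regex at all, and
    raises ValueError when a $N refers to a submatch the regex lacks
    (the "$1" with dn.regex=".*" mistake from the thread).
    """
    m = re.match(dn_regex, target_dn)
    if m is None:
        return None

    def repl(tok):
        idx = int(tok.group(1))
        if idx > m.re.groups:
            raise ValueError(f"${idx} used but regex has only {m.re.groups} submatch(es)")
        return m.group(idx)

    return re.sub(r"\$(\d)", repl, group_pattern)

def group_grants(requester_dn, target_dn, dn_regex, group_spec):
    """Evaluate a 'by group/<objectClass>/<attr>.regex="<pattern>"' clause.

    group_spec is (objectClass, member_attr, pattern). Grants only if the
    expanded DN exists, has the expected objectClass, and lists the requester.
    """
    oc, member_attr, pattern = group_spec
    group_dn = expand_group_dn(pattern, dn_regex, target_dn)
    if group_dn is None:
        return False
    entry = DIRECTORY.get(group_dn)
    if entry is None or oc not in entry.get("objectClass", []):
        return False
    return requester_dn in entry.get(member_attr, [])
```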
