[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Lazy quantifiers in regex ACLs??
- To: Jon C Kidder <jckidder@aep.com>
- Subject: Re: Lazy quantifiers in regex ACLs??
- From: Philip Guenther <pguenther@proofpoint.com>
- Date: Wed, 2 Oct 2019 09:55:17 -0700
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proofpoint.com; h=date : from : to : cc : subject : in-reply-to : message-id : references : mime-version : content-type; s=corp-2019-08-07; bh=6mo+0+2BwpropuFW1HEhxJacdej1PFO+aFXG8ldx6hQ=; b=ppRFuLVuF2AFsPXr47UUhHSCWRwXtL/1oqC1AH48VTsgL9NshE92O/JQQAAZG0dTrFA5 zscFdnAy1cRJTVAyDwOEkZ2ZEHOGuy5OcUQXBnpXmWXdnnYEOrlnWANdTuzvdQP3M/Ju OCJQTEqsLYRwVPPvA7Z83qCZIVa7akUAOLjjHjG6yFklcCw+aPy69jLvCaqfgmyZ67uZ ZmteX82LnvSXj/9ICMmiZvTZ15J7+8k5+3U5/sgNXAgel46cPTlk/gY+LKi9sV5euZV5 QRYczF/ZrA6D382ykXjUtsjYJdnjbd4XmAOnpiCyI9/e6SgaahWEWSe4eNoUCiVXQb1O 4Q==
- In-reply-to: <13f95b2c5d3b4349ab3fc77a0ea9de28@aep.com>
- References: <13f95b2c5d3b4349ab3fc77a0ea9de28@aep.com>
- User-agent: Alpine 2.21 (BSO 202 2017-01-01)
On Wed, 2 Oct 2019, Jon C Kidder wrote:
> Does the regex engine in OpenLDAP not support lazy quantifiers? Why
> does the ACL processing in this log show only one capture group as if
> the lazy quantifier in the first capture group isn't recognized? Every
> tester I plug this regex into produces 2 capture groups which is what I
> need. I need to carve off the leading OU as one capture group and
> capture the remaining chain of OUs as the second group then re-use both
> in my ACLs. Any suggestions for creating a regex that would produce the
> desired capture groups for use in my ACLs?
>
> 5d94aa15 => dnpat: [18] (ou=.+?,)?(ou=.+,)?ou=Delegated,ou=ApplicationData,dc=global,dc=aep,dc=com$ nsub: 2
Lazy quantifiers, (aka stingy or minimal matches) are a feature of
perl-compatible regexps and are not part of the regexp functions called by
openldap for ACL processing. Per the slapd.access(5) manpage:
If the <dnstyle> qualifier is regex, then <dnpattern> is a POSIX
(''extended'') regular expression pattern, as detailed in regex(7)
and/or re_format(7), matching a normalized string representation of the
entry's DN. The regex form of the pattern does not (yet) support
UTF-8.
POSIX extended regexps do not include minimal matching.
That said, minimal matches can often be more precisely written by putting
a less general regexp, one that matches a more specific set of inputs, to
the left of them. In this case, you probably want the ".+?" in
"(ou=.+?,)?" to never match a comma, as that would mean multiple DN
components were being included in that submatch. So, I would suggest
trying
(ou=[^,]+,)?(ou=.+,)?ou=Delegated,ou=ApplicationData,dc=global,dc=aep,dc=com$
This will have the same effect when the leading DN components are all 'ou'
types. It'll behave differently if you were to have a DN that had some
other type of component in there. For example, if the DN
ou=foo,l=home,ou=bar,ou=Delegated,ou=ApplicationData,dc=global,dc=aep,dc=com
was to be tested, and minimal match was actually supported, then your
original regexp would have *matched* with
$1 = ou=foo,l=home,
$2 = ou=bar,
while the regexp I suggest about will instead match
$1 =
$2 = ou=foo,l=home,ou=bar,
If you wouldn't want such a (weird) case to match at all then you would
want to tighten the second group as well, ala
(ou=[^,]+,)?(ou=[^,]+,)?ou=Delegated,ou=ApplicationData,dc=global,dc=aep,dc=com$
or maybe...
(ou=[^,]+,)?((ou=[^,]+,)+)?ou=Delegated,ou=ApplicationData,dc=global,dc=aep,dc=com$
...but it depends on what you want to happen when there are more than two
components before the ou=Delegated component.
Philip Guenther