OpenLDAP Software FAQ - SLAPD Configuration - Access Control: What are the tips for using regular expressions in ACLs?
Some tips:

Always use dn.regex=<pattern> when you intend to use regular expression matching. dn=<pattern> alone defaults to dn.exact=<pattern> (in some historic versions it used to default to dn.regex=<pattern>). An explicit style therefore removes any doubt about what you're doing.

Use (.+) instead of (.*) when you want at least one char to be matched. (.*) matches the empty string as well.

Don't use regular expressions for matches that can be done otherwise in a safer and cheaper manner. For example,

    dn.regex=".*dc=example,dc=com"

is unsafe and expensive:

  • unsafe because any string containing dc=example,dc=com will match, not only those that end with the desired pattern; use ".*dc=example,dc=com$" instead.
  • unsafe also because it would allow any attributeType ending in dc as the naming attribute of the first RDN in the string, e.g. a custom attributeType mydc would match as well. If you really need a regular expression that allows just dc=example,dc=com or any of its subtrees, use "^(.+,)?dc=example,dc=com$", which means: anything to the left of dc=..., if present at all (hence the question mark after the bracketed group), must end with a comma.
  • expensive because, if you don't need submatches, you can use scoping styles instead:

        dn.subtree="dc=example,dc=com"

    to include "dc=example,dc=com" itself among the matching entries,

        dn.children="dc=example,dc=com"

    to exclude "dc=example,dc=com" itself from the matching entries, or

        dn.onelevel="dc=example,dc=com"

    to match only entries exactly one level below it.

Always use ^ and $ in regexes, whenever appropriate, because an unanchored pattern such as ou=(.+),ou=(.+),ou=addressbooks,o=basedn will also match something=bla,ou=xxx,ou=yyy,ou=addressbooks,o=basedn,ou=addressbooks,o=basedn,dc=some,dc=org

Always use ([^,]+) to indicate exactly one RDN, because (.+) can include any number of RDNs; e.g. ou=(.+),dc=example,dc=com will match ou=My,o=Org,dc=example,dc=com, which might not be what you want.
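The three regex pitfalls above (a missing end anchor, a naming attribute that merely ends in dc, and (.+) swallowing several RDNs) are easy to see by running the FAQ's patterns against a handful of DNs. The following is an added example, not code from the FAQ or from OpenLDAP: it uses Python's re module in place of slapd's POSIX regex engine, which gives the same answers for these patterns, and every DN below is a constructed sample.

```python
import re

# Constructed sample DNs (not taken from the FAQ) that probe each pitfall.
SUFFIX_ONLY = "dc=example,dc=com"
INSIDE      = "uid=alice,ou=People,dc=example,dc=com"
CONTAINS    = "uid=bob,dc=example,dc=com,dc=evil,dc=org"   # suffix appears mid-string only
CUSTOM_ATTR = "uid=eve,mydc=example,dc=com"                # attribute 'mydc' ends in 'dc'
MULTI_RDN   = "ou=My,o=Org,dc=example,dc=com"              # two RDNs before the suffix
SPRAWL      = ("something=bla,ou=xxx,ou=yyy,ou=addressbooks,o=basedn,"
               "ou=addressbooks,o=basedn,dc=some,dc=org")

def regex_match(pattern, dn):
    """POSIX regexec(), which slapd uses, searches unanchored unless ^/$ are
    present, exactly like re.search()."""
    return re.search(pattern, dn) is not None

# --- suffix matching: the FAQ's "unsafe and expensive" form and its two fixes ---
def unanchored_suffix(dn):
    return regex_match(r".*dc=example,dc=com", dn)          # matches CONTAINS too

def end_anchored_suffix(dn):
    return regex_match(r".*dc=example,dc=com$", dn)         # still accepts 'mydc='

def rdn_safe_suffix(dn):
    return regex_match(r"^(.+,)?dc=example,dc=com$", dn)    # requires a full RDN boundary

# --- capturing one RDN: (.+) versus ([^,]+) ---
def ou_any(dn):
    m = re.search(r"^ou=(.+),dc=example,dc=com$", dn)
    return m.group(1) if m else None                        # may span several RDNs

def ou_single_rdn(dn):
    m = re.search(r"^ou=([^,]+),dc=example,dc=com$", dn)
    return m.group(1) if m else None                        # stops at the first comma

# --- anchoring: the addressbooks pattern with and without ^ and $ ---
def addressbook_unanchored(dn):
    return regex_match(r"ou=(.+),ou=(.+),ou=addressbooks,o=basedn", dn)

def addressbook_anchored(dn):
    return regex_match(r"^ou=(.+),ou=(.+),ou=addressbooks,o=basedn$", dn)

if __name__ == "__main__":
    for dn in (SUFFIX_ONLY, INSIDE, CONTAINS, CUSTOM_ATTR):
        print(f"{dn:45} unanchored={unanchored_suffix(dn)!s:5} "
              f"end-anchored={end_anchored_suffix(dn)!s:5} rdn-safe={rdn_safe_suffix(dn)}")
    print("ou=(.+) captures:", ou_any(MULTI_RDN), "| ou=([^,]+) captures:", ou_single_rdn(MULTI_RDN))
    print("addressbooks unanchored:", addressbook_unanchored(SPRAWL),
          "| anchored:", addressbook_anchored(SPRAWL))
```

One caveat worth keeping in mind when you rely on ([^,]+): an RDN value may legitimately contain an escaped comma (written \, in the DN string), and the character class stops there as well, so a value such as "Smith\, John" would not be captured whole.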

Never add the rootdn to the by clauses. ACLs are not even processed for operations performed with rootdn identity (otherwise there would be no reason to define a rootdn at all).

Use shorthands. The users directive matches authenticated users and the anonymous directive matches anonymous users.

Don't use the dn.regex form for <by> clauses if all you need is scoping and/or substring replacement; use scoping styles (e.g. exact, onelevel, children or subtree) and the style modifier expand to cause substring expansion.

For instance,

        access to dn.regex=".+,dc=([^,]+),dc=([^,]+)$"
                by dn.regex="^[^,]+,ou=Admin,dc=$1,dc=$2$$" write

although correct, can be safely and efficiently replaced by

        access to dn.regex=".+,(dc=[^,]+,dc=[^,]+)$"
                by dn.onelevel,expand="ou=Admin,$1" write

where the regex in the <what> clause is more compact, and the regex in the <by> clause is replaced by the much more efficient onelevel scoping style with substring expansion.
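To see that the two forms above decide the same way, the following added example (not code from the FAQ or from slapd) models the two <by> clauses in Python: a small expand() that substitutes $1/$2 and treats $$ as a literal dollar, a parent_dn() helper for the onelevel test, and one function per form. It assumes the $n/$$ conventions shown in the FAQ and compares DNs as plain strings; the target and authorization DNs are constructed samples.

```python
import re

# <what> clauses from the FAQ, as Python regexes.
WHAT_RE_OLD = re.compile(r".+,dc=([^,]+),dc=([^,]+)$")    # two groups, regex <by>
WHAT_RE_NEW = re.compile(r".+,(dc=[^,]+,dc=[^,]+)$")      # one group, expand <by>

# <by> patterns from the FAQ ('$$' is a literal '$' ending the regex form).
BY_RE_OLD   = "^[^,]+,ou=Admin,dc=$1,dc=$2$$"
BY_TEMPLATE = "ou=Admin,$1"

def expand(template, groups):
    """Model of substring expansion: $1..$9 become the <what> submatches,
    '$$' becomes '$'. This mirrors the FAQ's conventions, not slapd's code."""
    out, i = [], 0
    while i < len(template):
        c = template[i]
        if c == "$" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "$":
                out.append("$"); i += 2; continue
            if nxt.isdigit():
                out.append(groups[int(nxt) - 1]); i += 2; continue
        out.append(c); i += 1
    return "".join(out)

def parent_dn(dn):
    """Drop the leftmost RDN, splitting only on unescaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(parts[1:])

def regex_by_allows(target_dn, authz_dn):
    """Original form: splice $1/$2 into a regex and match the authz DN."""
    m = WHAT_RE_OLD.search(target_dn)
    if not m:
        return False
    pattern = expand(BY_RE_OLD, m.groups())
    return re.search(pattern, authz_dn) is not None

def onelevel_expand_allows(target_dn, authz_dn):
    """Replacement form: expand the DN, then require authz DN to be a direct child."""
    m = WHAT_RE_NEW.search(target_dn)
    if not m:
        return False
    base = expand(BY_TEMPLATE, m.groups())
    return parent_dn(authz_dn) == base

if __name__ == "__main__":
    # Constructed DNs: an entry under the suffix and three candidate authz DNs.
    target = "uid=alice,ou=People,dc=example,dc=com"
    for authz in ("uid=root1,ou=Admin,dc=example,dc=com",       # direct child: allowed
                  "uid=x,ou=Sub,ou=Admin,dc=example,dc=com",    # one level too deep
                  "uid=root1,ou=Admin,dc=other,dc=org"):        # wrong suffix
        print(f"{authz:45} regex={regex_by_allows(target, authz)!s:5} "
              f"onelevel,expand={onelevel_expand_allows(target, authz)}")
```

Both functions agree on every sample, which is the equivalence the FAQ asserts. They differ in how the captured text is used: the regex form splices it into a pattern, so any regex metacharacter inside a captured RDN value is interpreted as syntax, whereas the expanded DN is compared as a literal string and the onelevel check is a plain parent comparison rather than a regex compile per evaluation.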
This document is: http://www.openldap.org/faq/index.cgi?file=973
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org