
Re: commit: ldap/servers/slapd acl.c aclparse.c slap.h

ando@OpenLDAP.org wrote:

> Log Message:
> various acl improvements/cleanups/speedups (need to be documented, though)

I'm trying to make ACLs more expressive and versatile; to this
purpose, I added a style-modifier field in the form

<who> ::= [<type>[.<style>[,<modifier>]]=]<pattern>

where <modifier> at present is "expand"; this allows
calling for match substitution even in base, one, subtree,
children styles, without incurring the overhead of
regex (it may be slow on some architectures, and match
expansion and regex match are two different composition
rules for pattern matching).

At present I enabled it only for "dn" and "domain" <type>s,
because there is some interesting application of dns-style
naming contexts and domain access control (think of

access to dn.regex=".*dc=([^,]+),dc=([^,]+)$"
	by domain.subtree,expand="$1.$2" read
	by * none

as an example; while this could be made with regex style,
the former should be slightly more efficient).

I also envisage precompilation of expansible patterns,
which should result in way better performing ACLs (the
same precompilation should apply to match expansion for
regex checks).

BTW, the number of substitutions has been raised above 9,
which are referenced as "${n}"; of course, if no curly 
brackets are used, a single digit is considered.


Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
via La Masa 34, 20156 Milano, Italy   |
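
An added sketch (not OpenLDAP source, and not part of the original message) of the rule in the example ACL: submatches captured by the `dn.regex` target are substituted into the `expand` pattern via `$n` / `${n}`, and the result is compared with the client's host name as a subtree (suffix on a label boundary) without compiling a second regex. The function names, the `NMATCH` cap, rejecting a stray `$` and the exact subtree comparison are assumptions.

```c
/* Added sketch, not OpenLDAP source; names and NMATCH are assumptions. */
#include <ctype.h>
#include <regex.h>
#include <string.h>
#include <strings.h>
#define NMATCH 16
/* Expand "$n" (one digit) and "${n}" (any number) from submatches m[] of src. */
static int expand(const char *p, const char *src, const regmatch_t *m, char *out, size_t outsz)
{
    size_t o = 0;
    while (*p) {
        size_t n = 0, len = 1;
        const char *from = p++;                 /* default: one literal char */
        if (*from == '$') {
            if (*p == '{') {                    /* ${n}: multi-digit reference */
                if (!isdigit((unsigned char)*++p)) return -1;
                while (isdigit((unsigned char)*p))
                    if ((n = n * 10 + (size_t)(*p++ - '0')) >= NMATCH) return -1;
                if (*p++ != '}') return -1;
            } else if (isdigit((unsigned char)*p)) {
                n = (size_t)(*p++ - '0');       /* $n: exactly one digit */
            } else return -1;                   /* assumption: stray '$' is an error */
            if (m[n].rm_so < 0) return -1;      /* group did not take part */
            from = src + m[n].rm_so;
            len = (size_t)(m[n].rm_eo - m[n].rm_so);
        }
        if (o + len >= outsz) return -1;        /* fail closed, never truncate */
        memcpy(out + o, from, len);
        o += len;
    }
    out[o] = '\0';
    return 0;
}
/* domain.subtree: host equals dom, or ends with dom right after a dot. */
static int domain_subtree(const char *host, const char *dom)
{
    size_t hl = strlen(host), dl = strlen(dom);
    if (dl == 0 || hl < dl || strcasecmp(host + hl - dl, dom) != 0) return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}
/* 1 if "by domain.subtree,expand=pat" matches host for the target dn. */
int by_domain_expand(const char *dn_re, const char *dn, const char *pat, const char *host)
{
    regex_t re; regmatch_t m[NMATCH]; char dom[256]; int ok = 0;
    if (regcomp(&re, dn_re, REG_EXTENDED | REG_ICASE) != 0) return 0;
    if (regexec(&re, dn, NMATCH, m, 0) == 0 && !expand(pat, dn, m, dom, sizeof dom))
        ok = domain_subtree(host, dom);
    regfree(&re);
    return ok;
}
```

The label-boundary test in `domain_subtree` is what keeps a host such as `evilexample.com` from matching an expanded `example.com`, and any expansion error denies the clause instead of matching a partial pattern.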