
Re: proposed semantics change in access control



I note that the intended default of regex'ing is that
the expression must match the whole DN, not just a part
of a DN.  It seems that some users are reporting cases
where the expression is matching only part of a DN.  If so,
that would be a bug.

For instance,
        to dn="cn=foo"
or
        by dn="cn=foo"

can only match a DN which is CN=FOO (or diffs only by case).
It shouldn't match xCN=FOO nor CN=FOOx.  That is, there is
an implicit ^ at the start of the expression and an implicit
$ at the end of the expression.

At least there used to be... if not now, then that's a bug.

As far as changing the defaults, I think that would cause
far more problems than it would solve.

Kurt

At 02:18 AM 5/16/2003, Pierangelo Masarati wrote:
>I suggest changing the default for the "by"
>clause in access control from "regex" to "exact",
>maybe with the possibility to preserve the
>old behavior at compile time (but I strongly
>discourage this solution because it would require
>everybody to specify every time what flavour
>of ACL conf they're using).  As a good programming
>habit I usually explicitly set the dn "style"
>in ACLs, and in general I do not like "smart"
>defaults.
>
>In fact, problems like the one recently addressed
>by Kiran Bacche keep occurring very often,
>so I think a rule that implies lots of volume
>on the mailing list and security issues should
>be required to be **explicitly** set to its most
>dangerous form.
>
>Any thoughts?
>
>Ando.
>-- 
>Pierangelo Masarati
>mailto:pierangelo.masarati@sys-net.it
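To make the semantics under discussion concrete, here is a small added model (written for this thread, not OpenLDAP's own ACL code) of the two dn styles: "regex" with the implicit ^ and $ Kurt describes, versus the unanchored substring match users were reporting, and "exact" as a literal compare. The DNs and patterns are constructed samples; the check function is a hypothetical helper for reviewing a pattern before it goes into slapd.conf.

```python
import re

# Added example, not OpenLDAP code.  Models the ACL dn styles discussed
# in the thread.  DN comparison is case-insensitive for both styles, as
# the thread describes ("CN=FOO" matches "cn=foo").


def dn_matches(style: str, pattern: str, dn: str) -> bool:
    """True if an ACL clause  <style>=<pattern>  applies to dn."""
    if style == "exact":
        return pattern.lower() == dn.lower()
    if style == "regex":
        # fullmatch supplies the implicit ^ ... $ anchoring: the pattern
        # must cover the whole DN, so xCN=FOO and CN=FOOx do not match.
        return re.fullmatch(pattern, dn, re.IGNORECASE) is not None
    raise ValueError(f"unknown dn style: {style}")


def unanchored_matches(pattern: str, dn: str) -> bool:
    """The reported bug: the pattern is allowed to match only part of a DN."""
    return re.search(pattern, dn, re.IGNORECASE) is not None


def covered_dns(pattern: str, dns):
    """Hypothetical review helper: which candidate DNs would a regex-style
    clause grant access to?  Note that '.' in a DN component is a regex
    metacharacter, so an unescaped pattern is broader than it looks;
    use re.escape() (or the exact style) for a literal DN."""
    return [dn for dn in dns if dn_matches("regex", pattern, dn)]


if __name__ == "__main__":
    # Constructed sample directory entries.
    sample = ["CN=FOO", "xCN=FOO", "CN=FOOx",
              "cn=foo,dc=example.com", "cn=foo,dc=exampleXcom"]
    print("anchored :", covered_dns("cn=foo", sample))
    print("unescaped:", covered_dns("cn=foo,dc=example.com", sample))
    print("escaped  :", covered_dns(re.escape("cn=foo,dc=example.com"), sample))
```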