restrictions based off hash mechanisms (was: ITS#3446)

[Aaron Richton <richton@nbcs.rutgers.edu>]

I'd like to discuss mechanisms, either available today or possibly
available for the future, for access restrictions based off hash
mechanisms. My initial idea, which I believe should work by a reading of
RE22's docs, was

access to attr=userpassword val.regex=^[{]SMD5[}].*
        by * none

which does not work per the ITS I filed.


It seems that this was by design, for some as yet unrevealed reason. So,
for some initial discussion points:

1. Does anybody know the rationale behind why back-{h,b}db (and probably
others) disallow this? I realize that messing with passwords (maybe
rightly so) can be a bit nerve-bending, but what's worse about

access to attr=favouriteDrink val.exact="coke"
	by dn.exact="cn=pepsi" none
	by * read

versus userPassword, strictly speaking?

2. Should this go into "access" clauses, possibly using a syntax like the
ITS, or should there be other directives (limits etc.) and/or new
directives for this?

3. Comments on performance implications, as Pierangelo commented in
Followup 3.

4. Finally, if no unresolvable concerns come up, actual implementation
ideas. Is there anything in the roadmap (proposed overlays, perhaps?) that
would encompass this sort of work?