Re: commit: ldap/doc/man/man5 slapd.access.5

["Pierangelo Masarati" <ando@sys-net.it>]

> ando@OpenLDAP.org writes:
>> fix further ITS#3830 issues; allow to specify a matching rule for
>> non-DN match
>
> Neat.  But the syntax
>
>    attrs=<attr> val[/matchingRule][.<attrstyle>]=<attrval>
>
> isn't quite right - only the "exact" attrstyle can be used
> with a matching rule.  I suggest
>
>    attrs=<attr> val[/matchingRule|.<attrstyle>]=<attrval>
>
> and C code to match.

That would be too simple ;) according to the current code the following
cases may occur:

- a generic attr is used; then <style> can be "exact" or "regex"; of
course, in this case the matching rule can be specified only with "exact"
style;
- a DN-valued attr is used; then <style> can be "exact"/"base", or
"subtree" or "children" or "one" and so on.  In all of these cases a
matching rule can be specified.  Maybe this is useless, because I'm afraid
that (at present) only distinguishedNameMatch can be used.  I've
introduced this for symmetry, although for DN-valued attrs value_match()
is not actually invoked, but a string comparison on the normalized
relevant portion of the DN is used.  In fact, one thing that was happening
before was that this ACL was usable with those DN-valued attrs that do not
define an EQUALITY rule, which sounds like an inconsistency.

I agree that the docs may be changed to reflect all the above, as soon as
an accurate wording is used to avoid introducing extra confusion.  I'd
pass it to someone else, though...

Ciao, p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497