Re: deleting ACL

[Pierangelo Masarati <masarati@aero.polimi.it>]

Daniel Tiefnig wrote:
> 
> pps: what is the dn.exact thing about? is this kind of a speed
> optimization if there are no wildcards and thelike? (i.e. no regex-
> matching) i think dn="cn=Alejandra,dc=your,dc=org" should have the same
> result? or is there more about it?

ACLs in OpenLDAP 2.0 have been quite improved; their syntax
now supports a number of parameters aimed at optimizing the
behavior when special <what> and <who> clauses are used.

<what> allows the styles "regex" (that is the default)
and: "base" ("exact" is a synonim) for exact match,
"one" for onelevel children, "sub" for all the subtree 
including the <pattern> dn, and "children" for all the
subtree not including the <pattern> dn.

Thje <who> clause, when requesting a dn, allows the
"regex" style (usually the default), and the "exact"
(or "base") for exact matching.

You may appreciate how a direct or hyerarchical match
can be much more efficient than a regex match.  Of course
this does not introduce any new feature that couldn't
be achieved with appropriate regex patterns.

See slapd.access(5) and the FAQ for more detailed explanation
of each clause.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati