Re: ACI/ACL based on entry attribute values

[Ugen <ugen@xonix.com>]

There are flags to regexps that can make it choose a 
"minimal" rather then greedy match, i haven't looked at gnu
regexp lib for a while but certainly perl lets you do this.

What you are suggesting is not exactly what i mean though. The
difference is in order. The substrings are taken from the target entry
data and matched against the user entry. I understand that this is tied into
how ACLs work (i.e. they first find all ACL entries that match the target
and
then try users against that). The reverse would do what i need.

I.e. - in your case (assuming a non-greedy match) you basically choose the
very last component of a tree (or in a greedy match the entire base dn).
In any
case only one entry will match, either the one on the very top or the one
right 
above target. 
In a reverse mode we take entire user entry dn as a substring and match against
the target. We then get the match for all user entries above the target,
in any level
(not only the top or the direct parent). 
This matching order would require a different ACL processing, that much is
true.

Thanx!
--Ugen


Howard Chu wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ugen
> >   
>
> > > Examples:
> > >
> > > access to targetattrmatch dn=".*$1$"
> > >    by attrpick dn="(.*)" write
> > >
> > > I just let anyone above any entry have write access to
> > > it's descendants.
> > >     
> >   
>
> This would be the equivalent
>
> 	access to dn=".*,(.*$)"
> 		by dn="$1" write
>
> But neither my example nor yours would work in a practical environment since
> regexp matches are greedy.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support