Re: dn[.<dnstyle>[,<modifier>]]=<pattern> in ACLs

[Pierangelo Masarati <ando@sys-net.it>]

Sean Champ wrote:

> The slapd.access(5) manual page states that the following pattern is
> valid as an expression for the <who> part of a slapd access-control
> directive:
>
>            dn[.<dnstyle>[,<modifier>]]=<pattern>
>
> However, in section 5.3 of the OpenLDAP 2.1 Administrator's Guide
> [http://www.openldap.org/doc/admin21/slapdconfig.html#Access%20Control ]
> where the BNF-style grammar for ACLs is written, there is no room,
> anywhere, for a  [,<modifier>] part; there's
>
>   dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
>
> ...and that's all, for <who> values that may start with "dn.",
> according to that grammar.
>
>
> Not meaning to be pedantic, just wanting to make sure that the guide
> is consistent with the manual pages, and with the application.
>  
The admin guide is not aligned with th man page.
The <modifier> field is a mechanism to allow
fine tuning of the <dnstyle> options.  Currently
only "expand" is available, which means "expand
submatches from <what> clause even if <dnstyle>
is not "regex" (which implies automati expansion).
For instance, a clause of the form

access to dn.regex="ou=([^,]+),dc=example,dc=com"
   by dn.regex="cn=Manager,ou=$1,dc=example,dc=com" write

requires the cost of regex compilation and evaluation,
while a simple

access to dn.regex="ou=([^,]+),dc=example,dc=com"
   by dn.exact,expand="cn=Manager,ou=$1,dc=example,dc=com" write

allows exact dn match after submatch substitution.
This has not been properly documented; I'll fix it.

p.

> thank you,
>
> --
> sean hamp
>