Full_Name: Rein Tollevik Version: 2.4.16 OS: Irrelevant URL: Submission from: (NULL) (2a01:600:0:1:21c:23ff:feab:61cd) Submitted by: rein

Using the expand style (as in "set.expand") in an ACL requires the <what> clause to include a dn.regex style. This is far too restrictive now that the other dn.* styles and attrs val.regex also provides submatches that can be expanded. The test could be extended to also include these cases, but should in that case never fail since there is always an implicit dn.regex=^.*$ <what> present when no DN is specified. So, I'd prefer to remove this check, as in the patch at the end.

As of now I use "set.regex=" and overlook the deprecated warning that gives me...

Rein Tollevik Basefarm AS

--- aclparse.c 15 May 2009 11:45:31 +0200 1.2 +++ aclparse.c 18 Jun 2009 16:21:02 +0200 @@ -851,16 +851,6 @@ } }

- /* expand in <who> needs regex in <what> */ - if ( ( sty == ACL_STYLE_EXPAND || expand ) - && a->acl_dn_style != ACL_STYLE_REGEX ) - { - Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: "expand" style " - "or modifier used in conjunction with a non-regex <what> clause.\n", - fname, lineno, 0 ); - goto fail; - } - if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) { is_realdn = 1; bdn = &b->a_realdn;