Let us imagine an ACL like this:
access to dn.regex="^uid=.*,ou=(.*)" attrs=foo val.regex="^(.*)$/" ...
We would like to use $1 (ou's value) and $2 (foo's value) in the <who> field.
For now this is not possible, because slap_access_allowed() collect a single set of regmatch_t. If the <what> field of an ACL has multiple regex matches, the last one only will be retained.
I suggest the following change:
1) In slap_access_allowed(), we would keep track of multiple set of regmatch_t. matches would become something such as:
typedef struct AclRegexMatches { regmatch_t dn[MAXREMATCHES]; regmatch_t val[MAXREMATCHES]; } AclRegexMatches;
In slap_acl_get(), the two regexec() calls would be done with matches.dn or matches.val, depending on the situation.
2) In acl_string_exapand(), we would replace $1, $2, $3 by values from matches.dn, therefore providing backward compatibility.
And we would replace ${v1}, ${v2}, ${v3}... by values from matches.val and ${d1}, ${d2}, ${d3}... by values from matches.dn
There is a problem with my proposal, on dynaic ACL. We cannot provide them values from attribute value without changing the API. I suggest we stick with the current API for now and improve that later if needed.
Opinions? Did I miss something?