Assumption: the following ACL should result in $0 being expanded for the set:
access to dn.one="ou=hosts,dc=example,dc=com" attrs=authorizedService by set.expand="[cn=access,$0]/member* & user" compare by * =rsdx break
Reason for assumption: man slapd.access states: Forms of the <what> clause other than regex may provide submatches as well. The base(object), the sub(tree), the one(level), and the children forms provide $0 as the match of the entire string. The sub(tree), the one(level), and the children forms also provide $1 as the match of the rightmost part of the DN as defined in the <what> clause.
Bug: does not work as expected. The reason is that in slap.h slap_style_t starts with ACL_STYLE_REGEX = 0, so any structure that uses slap_style_t and uses memset to null out the structure will have its default style be ACL_STYLE_REGEX. In acl.c there are 4 places where you test for ACL_STYLE_REGEX on a->acl_attrval_style without checking if an actual attribute value was supplied. The patch below fixes those cases. The better (arguably) fix would be to change slap_style_t to start with ACL_STYLE_NONE = 0, and then explicitly set the style when it is encountered in aclparse.c. However, I did not want to change slap.h in case it changes some ABI and the change to aclparse.c is larger.
As things currently stand, dn.expand, set.expand and group.expand will not expand $0 and $1 as documented if you use dn.{base,one,sub,children} in the what clause.
If my assumptions are correct and this should work, I will file a proper bug in ITS.
Kean
--- acl.c.jkj 2010-04-13 07:06:12.000000000 -0500 +++ acl.c 2010-04-13 07:09:56.000000000 -0500 @@ -794,7 +794,8 @@ MATCHES_MEMSET( &tmp_matches ); tmp_data = &tmp_matches.dn_data[0];
- if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + if ( a->acl_attrval.bv_len && + ( a->acl_attrval_style == ACL_STYLE_REGEX ) ) tmp_matchesp = matches; else switch ( a->acl_dn_style ) { case ACL_STYLE_REGEX: @@ -861,7 +862,8 @@ bv.bv_val = buf;
/* Expand value regex */ - if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + if ( a->acl_attrval.bv_len && + ( a->acl_attrval_style == ACL_STYLE_REGEX ) ) tmp_matchesp = matches; else switch ( a->acl_dn_style ) { case ACL_STYLE_REGEX: @@ -1548,7 +1550,8 @@
rc = 0;
- if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + if ( a->acl_attrval.bv_len && + ( a->acl_attrval_style == ACL_STYLE_REGEX ) ) tmp_matchesp = matches; else switch ( a->acl_dn_style ) { case ACL_STYLE_REGEX: @@ -1638,7 +1641,8 @@
rc = 0;
- if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + if ( a->acl_attrval.bv_len && + ( a->acl_attrval_style == ACL_STYLE_REGEX ) ) tmp_matchesp = matches; else switch ( a->acl_dn_style ) { case ACL_STYLE_REGEX:
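Review bot: in the hunk at -794, a->acl_attrval.bv_len is used as the test for "an attribute value was supplied", which also treats a supplied but zero-length value as absent. If the parser leaves bv_val NULL when no val clause is given, !BER_BVISNULL( &a->acl_attrval ) would state the intent more exactly. The same two-line condition is repeated in all four hunks, so a small macro or static helper would keep the four sites from drifting apart.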
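Review bot: in the hunk at -861 the comment /* Expand value regex */ still sits above the condition, but the branch is now taken only when a value was supplied and its style is regex, so the comment should say that. It is also worth one sentence on why the style field alone cannot be trusted (a zeroed structure reads as ACL_STYLE_REGEX), since the other three sites carry no comment at all.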
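The failure described in the message, reduced to a stand-alone model. This is an added example, not code from OpenLDAP or from the patch author; the type, enumerator and function names are simplified stand-ins assumed for illustration, keeping only the two properties the message names (the regex style is enumerator 0, and the structure is zeroed with memset).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for slap_style_t, struct berval and the ACL struct. */
typedef enum { STYLE_REGEX = 0, STYLE_BASE, STYLE_ONE } style_t;
typedef struct { size_t bv_len; const char *bv_val; } bv_t;
typedef struct {
    style_t dn_style;       /* style of the dn.<style>= part of <what> */
    style_t attrval_style;  /* style of an optional val.<style>= part  */
    bv_t    attrval;        /* the value itself; empty if none given   */
} acl_t;

/* Where the submatches used to expand $0/$1 come from. */
typedef enum { USE_CALLER_MATCHES, BUILD_FROM_DN } match_src_t;

/* Before the patch: the style field alone decides, so a zeroed
 * attrval_style is read as "value regex present". */
match_src_t select_unpatched(const acl_t *a) {
    if (a->attrval_style == STYLE_REGEX)
        return USE_CALLER_MATCHES;
    return BUILD_FROM_DN;
}

/* After the patch: the style is trusted only if a value was supplied. */
match_src_t select_patched(const acl_t *a) {
    if (a->attrval.bv_len && a->attrval_style == STYLE_REGEX)
        return USE_CALLER_MATCHES;
    return BUILD_FROM_DN;
}

/* Models parsing a <what> clause of the form dn.one=... attrs=...
 * with no val clause: zero everything, then set only the DN style. */
acl_t make_dn_one_acl(void) {
    acl_t a;
    memset(&a, 0, sizeof a);
    a.dn_style = STYLE_ONE;
    return a;
}

int main(void) {
    acl_t a = make_dn_one_acl();
    printf("unpatched builds $0 from DN: %s\n",
           select_unpatched(&a) == BUILD_FROM_DN ? "yes" : "no");
    printf("patched builds $0 from DN:   %s\n",
           select_patched(&a) == BUILD_FROM_DN ? "yes" : "no");
    return 0;
}
```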