Emmanuel Dreyfus wrote:
Let us imagine an ACL like this:
access to dn.regex="^uid=.*,ou=(.*)" attrs=foo val.regex="^(.*)$/" ...
We would like to use $1 (ou's value) and $2 (foo's value) in the <who> field.
For now this is not possible, because slap_access_allowed() collect a single set of regmatch_t. If the <what> field of an ACL has multiple regex matches, the last one only will be retained.
I suggest the following change:
- In slap_access_allowed(), we would keep track of multiple set of
regmatch_t. matches would become something such as:
typedef struct AclRegexMatches { regmatch_t dn[MAXREMATCHES]; regmatch_t val[MAXREMATCHES];
You forgot nmatches in each case.
} AclRegexMatches;
In slap_acl_get(), the two regexec() calls would be done with matches.dn or matches.val, depending on the situation.
This would probably be a good opportunity to define a common structure to be passed within ACL checking, as the list of arguments to those functions grew enough...
- In acl_string_exapand(), we would replace $1, $2, $3 by values from
matches.dn, therefore providing backward compatibility.
And we would replace ${v1}, ${v2}, ${v3}... by values from matches.val and ${d1}, ${d2}, ${d3}... by values from matches.dn
There is a problem with my proposal, on dynaic ACL. We cannot provide them values from attribute value without changing the API. I suggest we stick with the current API for now and improve that later if needed.
That would definitely deserve to be kept in sync with the built-in functions, although I understand it would break compatibility. We could define some means of versioning, and allow the old API for backward compatibility, while introducing a new API. Although, maybe it's not worth the effort.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------