Hello,
After reading the slapo-constraint man page and searching online for a possible solution it is clear that the overlay doesn't conveniently allow setting a constraint with a negated regex.
The root cause is that negative lookahead isn't supported by extended POSIX regex. One could argue that the complement of a regular language is itself regular again and therefore it is certainly possible to write a regex that doesn't allow certain values, however any regex of this sort quickly becomes complex [1][2][3].
Taking grep as an example (i.e. --invert-match), I propose adding a constraint type that allows using a regex in a negated way. When a match is found, a constraint error is raised. Looking at the constraint overlay code it seems pretty trivial and I am willing to submit a patch myself that allows setting something like:
constraint_attribute mail negregex ^.*@somedomain.com$
I already have an initial implementation and first tests seem to work as intended. Would such a patch be accepted? If so, could anyone guide me with getting the patch merged?
Thanks in advance, David
[1] https://stackoverflow.com/questions/55190518/extended-posix-regular-expressi...
[2] https://stackoverflow.com/questions/15377469/posix-regular-expressions-exclu...
[3] https://stackoverflow.com/questions/38928863/posix-regex-not-match-a-word
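The negated match proposed in the message above, sketched with POSIX regcomp/regexec as an added example; it is neither the constraint overlay's code nor David's patch. The names negregex_check and negregex_check_values, the icase switch and the sample mail values are assumptions made for illustration.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical result codes for this sketch, not OpenLDAP identifiers. */
enum neg_result { NEG_OK = 0, NEG_VIOLATION = 1, NEG_BAD_PATTERN = -1 };

/* Inverse of a normal regex constraint: a value that matches the POSIX ERE
 * `pattern` is a violation. `icase` adds REG_ICASE (assumed option). */
static enum neg_result negregex_check(const char *pattern, const char *value, int icase)
{
    regex_t re;
    int flags = REG_EXTENDED | REG_NOSUB | (icase ? REG_ICASE : 0);

    /* An uncompilable pattern is reported, never treated as "no match". */
    if (regcomp(&re, pattern, flags) != 0)
        return NEG_BAD_PATTERN;

    int rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? NEG_VIOLATION : NEG_OK;
}

/* Assumption of this sketch: for a multi-valued attribute such as mail,
 * one matching value is enough to reject the whole set. */
static enum neg_result negregex_check_values(const char *pattern,
        const char *const *values, size_t n, int icase)
{
    for (size_t i = 0; i < n; i++) {
        enum neg_result r = negregex_check(pattern, values[i], icase);
        if (r != NEG_OK)
            return r;
    }
    return NEG_OK;
}

int main(void)
{
    const char *pat = "^.*@somedomain.com$";   /* pattern from the message */
    /* Constructed sample values. */
    const char *const vals[] = { "alice@example.org", "alice@somedomain.com",
                                 "alice@SOMEDOMAIN.COM", "alice@somedomainXcom" };
    for (size_t i = 0; i < 4; i++)
        printf("%-24s exact=%d icase=%d\n", vals[i],
               negregex_check(pat, vals[i], 0), negregex_check(pat, vals[i], 1));
    return negregex_check_values(pat, vals, 4, 0) == NEG_VIOLATION ? 0 : 1;
}
```

With the pattern as written, the upper-case address is only caught when REG_ICASE is set, and the unescaped dot also rejects alice@somedomainXcom; writing the dot as \. tightens the match.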
--On Saturday, November 7, 2020 6:40 PM +0000 David Barchiesi <david@barchie.si> wrote:
Hello,
After reading the slapo-constraint man page and searching online for a possible solution it is clear that the overlay doesn't conveniently allow setting a constraint with a negated regex.
The root cause is that negative lookahead isn't supported by extended POSIX regex. One could argue that the complement of a regular language is itself regular again and therefore it is certainly possible to write a regex that doesn't allow certain values, however any regex of this sort quickly becomes complex [1][2][3].
Taking grep as an example (i.e. --invert-match), I propose adding a constraint type that allows using a regex in a negated way. When a match is found, a constraint error is raised. Looking at the constraint overlay code it seems pretty trivial and I am willing to submit a patch myself that allows setting something like:
constraint_attribute mail negregex ^.*@somedomain.com$
I already have an initial implementation and first tests seem to work as intended. Would such a patch be accepted? If so, could anyone guide me with getting the patch merged?
Hi David,
The project would be happy to accept such a contribution. The contribution process is generally documented at https://www.openldap.org/devel/contributing.html but:
a) File an ITS for this new functionality if one does not already exist at https://bugs.openldap.org
b) Create an account at https://git.openldap.org and fork the OpenLDAP repository
c) Create a working branch off of master (i.e., git checkout -b its####)
d) Commit your work and git push
e) Submit an MR
f) Ensure you add a rights statement as documented in the contrib web page to the ITS so we have a history of it.
Thanks!
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com