Hi,
I used slaptest to convert a set of ACLs from standard to dynamic format. I noticed that backslashes (used to escape characters) in regexes are silently dropped after conversion.
For example:
access to dn.regex="^dc=\b\d{1,3}.\d{1,3}.\d{1,3}\b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
becomes:
olcAccess: {xx}to dn.regex="^dc=\b\d{1,3}.\d{1,3}.\d{1,3}\b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=noa,dc=gr" write
Is this expected behavior? Or am I doing something wrong?
Please advise.
Thanks, Nick
On 5/6/2012 5:51 μμ, Nick Milas wrote:
> becomes: olcAccess: {xx}to dn.regex="^dc=\b\d{1,3}.\d{1,3}.\d{1,3}\b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames
Sorry, I copied the wrong string. I re-send:
For example:
access to dn.regex="^dc=\b\d{1,3}.\d{1,3}.\d{1,3}\b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
becomes:
to dn.regex="^dc=bd{1,3}b,dc=bd{1,3}.d{1,3}.d{1,3}b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=noa,dc=gr" write
Is dropping backslashes from regex'es expected behavior by slaptest?
Thanks, Nick
On 5/6/2012 5:51 μμ, Nick Milas wrote:
> becomes: olcAccess: {xx}to dn.regex="^dc=\b\d{1,3}.\d{1,3}.\d{1,3}\b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames
In the end, I might manage to send the *actual* converted regex :( :
access to dn.regex="^dc=\b\d{1,3}.\d{1,3}.\d{1,3}\b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
becomes:
to dn.regex="^dc=bd{1,3}.d{1,3}.d{1,3}b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=noa,dc=gr" write
Please advise.
Thanks, Nick
Nick Milas wrote:
> On 5/6/2012 5:51 μμ, Nick Milas wrote:
>> becomes: olcAccess: {xx}to dn.regex="^dc=\b\d{1,3}.\d{1,3}.\d{1,3}\b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames
> In the end, I might manage to send the *actual* converted regex :( :
> access to dn.regex="^dc=\b\d{1,3}.\d{1,3}.\d{1,3}\b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
> becomes:
> to dn.regex="^dc=bd{1,3}.d{1,3}.d{1,3}b.in-addr.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=noa,dc=gr" write
> Please advise.
What you've posted is expected behavior. The single backslashes were parsed by the slapd.conf parser. To actually get them into the regex you need to escape those backslashes as well. This is already documented in slapd.conf(5) and in the Admin Guide.
On 5/6/2012 9:58 μμ, Howard Chu wrote:
> What you've posted is expected behavior. The single backslashes were parsed by the slapd.conf parser. To actually get them into the regex you need to escape those backslashes as well. This is already documented in slapd.conf(5) and in the Admin Guide.
First I note that the regex I originally posted (in order to match reverse IPv4 domains stored in LDAP) would not work for POSIX 2-compatible regex'es (suitable for openldap ACLs), and I have changed it to: to dn.regex="^dc=([0-9]{1,3})[.]([0-9]{1,3}).([0-9]{1,3}).in-addr.arpa,ou=dns,dc=example,dc=com$" which works.
So, ALL regex'es used within ACLs loaded in a slapd.conf should be with double backslashes? I had not realized that. The statement "If an argument contains a double quote ('"') or a backslash character ('\'), the character should be preceded by a backslash character" which is included in slapd.conf(5) and in http://www.openldap.org/doc/admin24/slapdconfig.html is - at least - obscure to me with regard to regex'es used in ACLs. Moreover, nothing is mentioned at http://www.openldap.org/doc/admin24/access-control.html or at http://www.openldap.org/faq/data/cache/973.html (and I don't see any examples with double backslashes either).
For example, should we ALWAYS use (in slapd.conf or in an ACL file included therein): access to dn.regex="\.1\.0\.0\.0,dc=1\.1\.0\.2\.0\.0\.0\.0\.0\.0\.0\.2\.ip6\.arpa,ou=dns,dc=example,dc=com$" to denote that dots are simple dots and not wildcards?
Or we MUST use double backslashes ONLY when converting using slaptest?
(And what happens if we want to escape backslash itself in a regex? Should we use "\\" ?)
I tested that the above form of ACLs with regex (using double backslashes) is indeed converted correctly (it produces an ACL with single backslashes in the regex for use in dynamic config) when using slaptest.
I also found out that the regex works correctly (in a static config) both with double and with single backslashes (tested escaping dots)! It's just not converted correctly with slaptest when used with single backslashes.
If the behavior of backslashes in ACL regex'es is in all cases as described above, then slaptest should convert correctly ACLs using regex'es with single backslashes.
Please advise.
Thanks, Nick
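To make the two points of this exchange concrete (Howard's explanation that the slapd.conf parser consumes a single backslash before the value ever reaches the regex engine, and Nick's questions about double backslashes and about escaping a literal backslash), here is a small added example. It is not code from the thread or from OpenLDAP: the unescape routine mirrors the rule quoted from slapd.conf(5) and the observed "\b\d" to "bd" behaviour (an assumption about the parser, not its actual code), the DNs are constructed sample values, and the REG_ICASE flag is an assumption about how slapd compiles dn.regex. It compiles each pattern as a POSIX ERE via regex.h, which is the regex flavour slapd uses.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Apply the slapd.conf argument rule quoted in the thread: a backslash
   escapes the character that follows it, so "\\" yields "\" and "\." yields ".".
   Assumption: the character after the backslash is kept verbatim, which is
   what the observed conversion of "\b\d" to "bd" shows. */
static size_t slapdconf_unescape(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (const char *p = in; *p && n + 1 < outsz; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                 /* drop the backslash, keep what follows */
        out[n++] = *p;
    }
    out[n] = '\0';
    return n;
}

/* Compile a pattern as a POSIX ERE and test one DN against it.
   Returns 1 on match, 0 on no match, -1 if the pattern does not compile.
   REG_ICASE is an assumption about slapd's flags (DNs compare case-insensitively). */
static int dn_regex_match(const char *pattern, const char *dn) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, dn, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* What the ACL effectively matches after the text has gone through the
   slapd.conf parser: unescape first, then compile. */
static int slapdconf_dn_regex_match(const char *conf_pattern, const char *dn) {
    char effective[512];
    slapdconf_unescape(conf_pattern, effective, sizeof effective);
    return dn_regex_match(effective, dn);
}

/* Helper for checking the unescape step on its own. */
static int unescape_equals(const char *in, const char *expected) {
    char out[512];
    slapdconf_unescape(in, out, sizeof out);
    return strcmp(out, expected) == 0;
}

/* Constructed sample DNs: a genuine reverse-IPv4 zone entry, and one whose
   "1x192" is not a dotted quad at all. */
static const char DN_REVERSE_V4[] = "dc=10.1.192.in-addr.arpa,ou=dns,dc=example,dc=com";
static const char DN_OVERMATCH[]  = "dc=10.1x192.in-addr.arpa,ou=dns,dc=example,dc=com";

/* As typed into slapd.conf with single backslashes (C literal "\\." is the
   slapd.conf text "\."): the parser strips the backslash, leaving bare "."
   wildcards in the regex. */
static const char CONF_SINGLE_BACKSLASH[] =
    "^dc=([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.in-addr\\.arpa,ou=dns,dc=example,dc=com$";

/* As typed with double backslashes (slapd.conf text "\\."): the parser turns
   "\\" into "\", so the regex engine sees "\." and matches a literal dot. */
static const char CONF_DOUBLE_BACKSLASH[] =
    "^dc=([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.in-addr\\\\.arpa,ou=dns,dc=example,dc=com$";

/* The converted pattern the thread actually got from slaptest. */
static const char THREAD_MANGLED[] =
    "^dc=bd{1,3}.d{1,3}.d{1,3}b.in-addr.arpa,ou=dns,dc=example,dc=com$";

int main(void) {
    const char *dns[] = { DN_REVERSE_V4, DN_OVERMATCH };
    for (int i = 0; i < 2; i++) {
        printf("%s\n", dns[i]);
        printf("  single backslash in slapd.conf: %d\n",
               slapdconf_dn_regex_match(CONF_SINGLE_BACKSLASH, dns[i]));
        printf("  double backslash in slapd.conf: %d\n",
               slapdconf_dn_regex_match(CONF_DOUBLE_BACKSLASH, dns[i]));
        printf("  thread's converted pattern:     %d\n",
               dn_regex_match(THREAD_MANGLED, dns[i]));
    }
    return 0;
}
```

The security-relevant point is the second DN: with single backslashes the parser leaves every "." as a wildcard, so the ACL grants the group write access to entries the author never meant to cover; with double backslashes the regex engine receives "\." and the over-match disappears. By the same rule, a literal backslash in the final regex (which the regex engine itself wants as "\\") has to be written as four backslashes in slapd.conf.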
Nick Milas wrote:
> On 5/6/2012 9:58 μμ, Howard Chu wrote:
>> What you've posted is expected behavior. The single backslashes were parsed by the slapd.conf parser. To actually get them into the regex you need to escape those backslashes as well. This is already documented in slapd.conf(5) and in the Admin Guide.
> So, ALL regex'es used within ACLs loaded in a slapd.conf should be with double backslashes? I had not realized that. The statement "If an argument contains a double quote ('"') or a backslash character ('\'), the character should be preceded by a backslash character" which is included in slapd.conf(5) and in http://www.openldap.org/doc/admin24/slapdconfig.html is - at least - obscure to me with regard to regex'es used in ACLs.
Obscure? Are those ACL statements in slapd.conf or aren't they? Do backslashes in slapd.conf need to be escaped or don't they? It's not like it says "backslashes must be escaped except on alternate Tuesdays."
On 6/6/2012 2:19 μμ, Howard Chu wrote:
> Obscure? Are those ACL statements in slapd.conf or aren't they? Do backslashes in slapd.conf need to be escaped or don't they? It's not like it says "backslashes must be escaped except on alternate Tuesdays."
Thanks for the humor. [ I guess I had success with non-escaped backslashes cos it was an alternate Tuesday yesterday :-) ]
It was obscure, because regex'es DO work with single backslashes...
So I will conclude that the use of single backslashes in slapd.conf in ACL regex'es is unsupported.
Thanks, Nick
openldap-technical@openldap.org