From: Pierangelo Masarati <ando@openldap.org>
Date: Mon, 28 Jun 2004 10:22:48 +0000 (+0000)
Subject: clarify the use of regex and expand in by dn clauses
X-Git-Tag: OPENDLAP_REL_ENG_2_2_MP~168
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=44e8ffd4fee407b54988b6da6c95554c75500147;p=openldap

clarify the use of regex and expand in by dn clauses
---

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index 32cb9b72f6..763e449edf 100644
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -261,8 +261,8 @@ the dollar character that is used to indicate match up to the end of
 the string must be escaped by a second dollar character, e.g.
 .LP
 .nf
-        access to dn.regex="^(.*,)?uid=([^,]+),dc=example,dc=com$"
-                by dn.regex="^uid=$1,dc=example,dc=com$$" write
+    access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
+        by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write
 .fi
 .LP
 The style qualifier
@@ -275,6 +275,30 @@ even if
 .B dnstyle
 is not 
 .BR regex .
+Note that the 
+.I regex 
+dnstyle in the above example may be of use only if the 
+.B by
+clause needs to be a regex; otherwise, if the
+value of the second (from the right)
+.I dc=
+portion of the DN in the above example were fixed, the form
+.LP
+.nf
+    access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
+        by dn.exact,expand="uid=$2,dc=example,dc=com" write
+.fi
+.LP
+could be used; if it had to match the value in the 
+.B what
+clause, the form
+.LP
+.nf
+    access to dn.regex="^(.+,)?uid=([^,]+),dc=([^,]+),dc=com$"
+        by dn.exact,expand="uid=$2,dc=$3,dc=com" write
+.fi
+.LP
+could be used.
 .LP
 It is perfectly useless to give any access privileges to a DN 
 that exactly matches the