From: Pierangelo Masarati Date: Tue, 16 Dec 2003 11:20:59 +0000 (+0000) Subject: more clarifications on dnstyle usage X-Git-Tag: OPENLDAP_REL_ENG_2_1_MP~169 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=947f41832ee6f0cd925560ebbe7c67daf8a4fa87;p=openldap more clarifications on dnstyle usage --- diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index e1496e29f2..8e48197957 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -591,8 +591,7 @@ access to the attribute holding the referral information attribute). .SH CAVEATS It is strongly recommended to explicitly use the most appropriate -DN -.BR style , +.BR , to avoid possible incorrect specifications of the access rules as well as for performance (avoid unrequired regex matching when an exact match suffices) reasons. @@ -624,6 +623,40 @@ For performance reasons, it would be better to use the subtree style. by ... .fi .LP +When writing submatch rules, it may be convenient to avoid unnecessary +.B regex +.B +use; for instance, to allow access to the subtree of the user +that matches the +.B what +clause, one could use +.LP +.nf + access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$" + by dn.regex="^uid=$1,dc=example,dc=com$$" write + by ... +.fi +.LP +However, since all that is required in the +.B to +clause is substring expansion, a more efficient solution is +.LP +.nf + access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$" + by dn.exact,expand="uid=$1,dc=example,dc=com" write + by ... +.fi +.LP +In fact, while a +.B +of +.B regex +implies substring expansion, +.BR exact , +as well as all the other DN specific +.B +values, does not, so it must be explicitly requested. +.LP .SH FILES .TP ETCDIR/slapd.conf
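Review bot: in the CAVEATS hunk (`@@ -591,8 +591,7 @@`), the replacement line reads `.BR ,` with no term before the comma as the patch appears here, so the sentence would render as "use the most appropriate , to avoid possible incorrect specifications". The removed lines named "DN style" at that spot. Please confirm the macro argument that replaces it is present in the file and renders, and that it is the same term used for the bare `.B` lines added in the second hunk, so the recommendation still tells the reader what to choose explicitly.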
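Review bot: in the second hunk (`@@ -624,6 +623,40 @@`), both example `by` lines expand `$1`, but the `to` pattern `^(.+,)?uid=([^,]+),dc=example,dc=com$$` has two capture groups and the uid is the second one. `$1` is the optional `(.+,)?` prefix, so as written the `by` clause is built from the part of the DN below the user entry rather than from the user's uid, and the rule does not grant write to the user the text says it does. Since this is an access rule people will copy, both the `dn.regex` and the `dn.exact,expand` examples should use `uid=$2,dc=example,dc=com`. Separately, the sentence "all that is required in the `to` clause is substring expansion" appears to mean the `by` clause, since that is the only line that differs between the two examples.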