From c8a6d52e0423f9366aa6fc064566295ef5f4f46d Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Sat, 17 May 2003 18:37:40 +0000 Subject: [PATCH] Rework CAVEATS --- doc/man/man5/slapd.access.5 | 40 ++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index 34afa8e692..215357e9aa 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 
@@ -429,42 +429,36 @@ privileges to authenticated clients. It is strongly recommended to explicitly use the most appropriate DN .BR style , -for performance (avoid unrequired regex matching when -an exact match suffices) but also to avoid possible -misimplementations of the access rules. -In fact, a rule of the form +to avoid possible +incorrect specifications of the access rules as well +as for performance (avoid unrequired regex matching when +an exact match suffices) reasons. +.LP +An adminisistrator might create a rule of the form: .LP .nf access to dn="dc=example,dc=com" by ... .fi .LP -implies that all the subtree "dc=example,dc=com" matches, and the -match is done using a regex. -.LP -.nf -access to dn.subtree="dc=example,dc=com" - by ... -.fi -.LP -would be far more appropriate. +expecting it to match all entries in the subtree "dc=example,dc=com". +However, this rule actually matches any DN which contains anywhere +the substring "dc=example,dc=com". That is, the rule matches both +"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe". .LP -Another quirk is related to the -.B by -clause: -a rule of the form +To match the desired subtree, the rule would be more precisely +written: .LP .nf - access to * - by dn="cn=User,dc=example,dc=com" write + access to dn.regex="^(.+,)?dc=example,dc=com$$" + by ... .fi .LP -gives write access to every DN below "cn=User,dc=example,dc=com"; -if only that DN should have write access, the correct rule would be +For performance reasons, it would be better to use the subtree style. .LP .nf - access to * - by dn.exact="cn=User,dc=example,dc=com" write +access to dn.subtree="dc=example,dc=com" + by ... .fi .LP .SH FILES -- 2.39.5
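Review bot: the rewrite drops the second caveat without replacing it. The removed lines explained that a `by dn="cn=User,dc=example,dc=com" write` clause is also a regex (substring) match and that `by dn.exact=` is what to write when only that one DN should get write access; nothing in the added text says the `by` clause behaves the same way as the `to dn=` clause, so a reader of the new section will only learn about the `to` side. Since the new explanation of the substring match is clearer than the old one, keep a short sentence after the `dn.subtree` example noting that the same applies to `by dn="..."` clauses, and retain the `by dn.exact=` example. Three smaller points in the added lines: `An adminisistrator might create a rule of the form:` has a typo (`administrator`); the regex example ends in `$$`, while a single `$` is the end-of-string anchor in POSIX ERE, so confirm the doubled dollar is intended for how this man page source is processed and does not render literally as `$$`; and inside the `.nf` blocks the `dn.regex` example is indented four spaces while the `dn.subtree` example is flush left, and `.nf` preserves that whitespace, so the two rendered examples will not line up.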