access configuration for slapd, the stand-alone LDAP daemon

CAVEATS
It is strongly recommended to explicitly use the most appropriate <dnstyle> in <what> and <who> clauses, both to avoid incorrect specifications of the access rules and for performance reasons (avoid unnecessary regex matching when an exact match suffices).
An administrator might create a rule of the form:

    access to dn.regex="dc=example,dc=com"
        by ...

expecting it to match all entries in the subtree "dc=example,dc=com". However, the pattern is unanchored, so this rule actually matches any DN that contains the substring "dc=example,dc=com" anywhere. That is, the rule matches both "uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe".

To match the desired subtree, the rule would be more precisely written:

    access to dn.regex="^(.+,)?dc=example,dc=com$"
        by ...

For performance reasons, it would be better to use the subtree style, which needs no regex matching at all:

    access to dn.subtree="dc=example,dc=com"
        by ...
When writing submatch rules, it may be convenient to avoid unnecessary use of the regex <dnstyle>; for instance, to allow access to the subtree of the user that matches the <what> clause, one could use

    access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
        by dn.regex="^uid=$2,dc=example,dc=com$$" write
        by ...

However, since all that is required in the <by> clause is substring expansion, a more efficient solution is

    access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
        by dn.exact,expand="uid=$2,dc=example,dc=com" write
        by ...

In fact, while a <dnstyle> of regex implies substring expansion, exact, as well as all the other DN-specific <dnstyle> values, does not, so it must be explicitly requested with the expand modifier.
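The two pitfalls above (an unanchored dn.regex in <what> matching far more than the intended subtree, and a <by> clause that only expands $N when the dnstyle is regex or when expand is requested) are easy to check without a running server. The following Python script is an added example, not part of slapd or of this manual page: it emulates just enough of the access-rule evaluation (regex search semantics for dn.regex, a suffix test for dn.subtree, and $N / $$ expansion for the <by> clause) to show which DNs each rule from the text actually selects. The sample DNs are constructed, the emulation assumes DNs are already normalised (consistent case, no stray spaces), and the function names are this example's own.

```python
import re

# Constructed sample DNs (not from the manual page)
INSIDE_SUBTREE = "uid=joe,dc=example,dc=com"
ROGUE_PREFIX = "dc=example,dc=com,uid=joe"      # contains the base, but is not under it
JOE_ENTRY = "cn=addr,uid=joe,dc=example,dc=com" # an entry inside joe's own subtree

# The <what> regex from the submatch rules in the text; group 2 captures the uid value.
WHAT_UID_SUBTREE = r"^(.+,)?uid=([^,]+),dc=example,dc=com$"


def what_regex_matches(pattern: str, target_dn: str) -> bool:
    """dn.regex in a <what> clause: slapd hands the pattern to regexec(), which
    matches anywhere in the DN unless the pattern itself is anchored with ^ and $."""
    return re.search(pattern, target_dn) is not None


def what_subtree_matches(base_dn: str, target_dn: str) -> bool:
    """dn.subtree: the target is the base entry itself or ends with ',' + base.
    Assumption: both DNs are already normalised, so a plain string test suffices."""
    return target_dn == base_dn or target_dn.endswith("," + base_dn)


def expand(template: str, what_match: re.Match) -> str:
    """Substring expansion of a <by> clause: $N becomes the N-th capture group of
    the <what> regex, and $$ becomes a literal '$' (needed for a trailing anchor)."""
    def replace(token: re.Match) -> str:
        text = token.group(0)
        if text == "$$":
            return "$"
        return what_match.group(int(text[1:])) or ""
    return re.sub(r"\$\$|\$\d", replace, template)


def who_grants(who_style: str, who_template: str, what_pattern: str,
               target_dn: str, requester_dn: str) -> bool:
    """Evaluate one 'by' clause for a target entry and the requester's bound DN.
    who_style is one of 'regex', 'exact,expand' or 'exact' (emulated subset)."""
    what_match = re.search(what_pattern, target_dn)
    if what_match is None:
        return False  # the <what> clause does not select this entry; rule does not apply
    if who_style == "regex":
        # regex implies expansion, then an unanchored search against the requester DN
        return re.search(expand(who_template, what_match), requester_dn) is not None
    if who_style == "exact,expand":
        return expand(who_template, what_match) == requester_dn
    if who_style == "exact":
        # no expansion: '$2' stays a literal and never equals a real DN
        return who_template == requester_dn
    raise ValueError(f"unsupported who style: {who_style}")


if __name__ == "__main__":
    for pattern in ("dc=example,dc=com", r"^(.+,)?dc=example,dc=com$"):
        for dn in (INSIDE_SUBTREE, ROGUE_PREFIX):
            print(f"dn.regex={pattern!r:34} {dn!r:30} -> {what_regex_matches(pattern, dn)}")
    for dn in (INSIDE_SUBTREE, ROGUE_PREFIX):
        print(f"dn.subtree={'dc=example,dc=com'!r:31} {dn!r:30} -> {what_subtree_matches('dc=example,dc=com', dn)}")
    for style, template in (("regex", "^uid=$2,dc=example,dc=com$$"),
                            ("exact,expand", "uid=$2,dc=example,dc=com"),
                            ("exact", "uid=$2,dc=example,dc=com")):
        for requester in (INSIDE_SUBTREE, "uid=mallory,dc=example,dc=com"):
            granted = who_grants(style, template, WHAT_UID_SUBTREE, JOE_ENTRY, requester)
            print(f"by dn.{style:13} requester={requester!r:32} -> {granted}")
```

Running it shows the unanchored pattern selecting "dc=example,dc=com,uid=joe" while the anchored regex and dn.subtree reject it, and shows that only the regex and exact,expand <by> clauses grant joe write access to his own subtree; the plain exact form compares the literal string "uid=$2,dc=example,dc=com" and grants nothing.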