From c4123bb61348bda6cc9e56ef5cf8ea14bb4266c8 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Wed, 6 Oct 2004 23:19:53 +0000 Subject: [PATCH] document submatches provided by non-regex clauses --- doc/man/man5/slapd.access.5 | 70 +++++++++++++++++++++++++++++++------ 1 file changed, 60 insertions(+), 10 deletions(-) diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index f2d9f3b647..00ed406810 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -296,7 +296,10 @@ dn.regex clause by using the form .BR $ , with .B digit -ranging from 1 to 9. +ranging from 0 to 9 (where 0 matches the entire string), +or the form +.BR ${+} , +for submatches higher than 9. Since the dollar character is used to indicate a substring replacement, the dollar character that is used to indicate match up to the end of the string must be escaped by a second dollar character, e.g. @@ -319,7 +322,7 @@ is not Note that the .B regex dnstyle in the above example may be of use only if the -.B by +.B clause needs to be a regex; otherwise, if the value of the second (from the right) .B dc= @@ -331,7 +334,7 @@ portion of the DN in the above example were fixed, the form .fi .LP could be used; if it had to match the value in the -.B what +.B clause, the form .LP .nf 
@@ -341,6 +344,43 @@ clause, the form .LP could be used. .LP +Forms of the +.B +clause other than regex may provide submatches as well. +The +.BR base(object) , +the +.BR sub(tree) , +the +.BR one(level) , +and the +.B children +forms provide +.B $0 +as the match of the entire string. +The +.BR sub(tree) , +the +.BR one(level) , +and the +.B children +forms also provide +.B $1 +as the match of the rightmost part of the DN as defined in the +.B +clause. +This may be useful, for instance, to provide access to all the +ancestors of a user by defining +.LP +.nf + access to dn.subtree="dc=com" + by dn.subtree,expand="$1" read +.fi +.LP +which means that only access to entries that appear in the DN of the +.B +clause is allowed. +.LP It is perfectly useless to give any access privileges to a DN that exactly matches the .B rootdn @@ -374,9 +414,19 @@ can be which means that .B will be expanded as a replacement string (but not as a regular expression) -according to regex (7), and +according to +.BR regex (7), +and .BR exact , which means that exact match will be used. +If the style of the DN portion of the +.B +clause is regex, the submatches are made available according to +.BR regex (7); +other styles provide limited submatches as discussed above about +the DN form of the +.B +clause. .LP For static groups, the specified attributeType must have .B DistinguishedName @@ -424,7 +474,7 @@ match of the corresponding connection parameters. The .B exact style of the -.BR peername +.BR clause (the default) implies a case-exact match on the client's .BR IP , including the @@ -474,7 +524,7 @@ prefix from the when connecting through a named pipe, and performs an exact match on the given pattern. The -.BR domain +.BR clause also allows the .B subtree style, which succeeds when a fully qualified name exactly matches the 
@@ -503,7 +553,7 @@ statement is strongly discouraged. By default, reverse lookups are disabled. The optional .B domainstyle qualifier of the -.B domain +.B clause allows a .B modifier option; the only value currently supported is @@ -514,7 +564,7 @@ the is not .BR regex , much like the analogous usage in -.B dn +.B clause. .LP The statement @@ -821,7 +871,7 @@ When writing submatch rules, it may be convenient to avoid unnecessary .B use; for instance, to allow access to the subtree of the user that matches the -.B what +.B clause, one could use .LP .nf @@ -831,7 +881,7 @@ clause, one could use .fi .LP However, since all that is required in the -.B by +.B clause is substring expansion, a more efficient solution is .LP .nf
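Review bot: in the hunk at @@ -296,7 +296,10, "where 0 matches the entire string" reads as if the digit did the matching, when it is the replacement that stands for the whole matched string. Suggest wording along the lines of "where $0 is replaced by the entire matched string". The brace form for submatches higher than 9 is introduced without an example, and the sentence that follows about escaping the end-of-string dollar only covers the single-digit form, so a short example of the brace form would help.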
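Review bot: the example added in the hunk at @@ -341,6 +344,43 does not appear to match the definitions given a few lines above it. The new text defines $0 as the match of the entire string and $1 as the rightmost part of the DN as defined in the clause, so with access to dn.subtree="dc=com" the line by dn.subtree,expand="$1" read would expand to "dc=com" and grant read to every identity under dc=com, not only on entries that appear in the requester's DN. If the ancestors-only behaviour described in the closing sentence is what is intended, the by clause should expand $0 instead; otherwise the explanatory sentence needs rewording. ACL examples in the man page get copied into live configurations, so it is worth also stating explicitly what $1 holds for the one(level) and children forms.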
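Review bot: in the hunk at @@ -374,9 +414,19, "other styles provide limited submatches as discussed above about the DN form of the clause" sends the reader back to search for the list and is awkwardly phrased. Suggest naming the submatches here ($0 for base, $0 and $1 for subtree, onelevel and children, as the earlier hunk states) and tightening the wording to "as described above for the DN form". The regex (7) markup change in the same hunk looks fine.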
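Review bot: the hunks at @@ -319,7, @@ -331,7, @@ -424,7, @@ -474,7, @@ -503,7, @@ -514,7, @@ -821,7 and @@ -831,7 only change how the by, what, peername, domain and dn clause names are marked up, which the subject line "document submatches provided by non-regex clauses" does not mention. Suggest adding a line about the markup change to the commit message, or moving it to a separate cleanup commit so it can be reviewed and reverted independently of the new submatch text.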