Re: slapo-constraint negated regex

2020-11-17 Thread Quanah Gibson-Mount




--On Saturday, November 7, 2020 6:40 PM + David Barchiesi wrote:

> Hello,
>
> After reading the slapo-constraint man page and searching online for a
> possible solution it is clear that the overlay doesn't conveniently allow
> setting a constraint with a negated regex.
>
> The root cause is that negative lookahead isn't supported by extended
> POSIX regex. One could argue that the complement of a regular language
> is itself regular again and therefore it is certainly possible to write
> a regex that doesn't allow certain values, however any regex of this
> sort quickly becomes complex [1][2][3].
>
> Taking grep as an example (i.e. --invert-match), I propose adding a
> constraint type that allows using a regex in a negated way. When a match
> is found a constraint error is raised. Looking at the constraint overlay
> code it seems pretty trivial and I am willing to submit a patch myself
> that allows setting something like:
>
> constraint_attribute mail negregex ^.*@somedomain\.com$
>
> I already have an initial implementation and first tests seem to work as
> intended. Would such a patch be accepted? If so, could anyone guide me
> with getting the patch merged?


Hi David,

The project would be happy to accept such a contribution.  The contribution 
process is generally documented at 
 but:


a) File an ITS for this new functionality if one does not already exist at 



b) Create an account at https://git.openldap.org and fork the OpenLDAP 
repository


c) Create a working branch off of master (i.e., git checkout -b its)

d) Commit your work and git push

e) Submit an MR

f) Ensure you add a rights statement as documented in the contrib web page 
to the ITS so we have a history of it.


Thanks!

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



slapo-constraint negated regex

2020-11-07 Thread David Barchiesi
Hello,

After reading the slapo-constraint man page and searching online for a 
possible solution it is clear that the overlay doesn't conveniently allow 
setting a constraint with a negated regex.

The root cause is that negative lookahead isn't supported by extended POSIX 
regex. One could argue that the complement of a regular language is itself 
regular again and therefore it is certainly possible to write a regex that 
doesn't allow certain values, however any regex of this sort quickly becomes 
complex [1][2][3].

Taking grep as an example (i.e. --invert-match), I propose adding a constraint 
type that allows using a regex in a negated way. When a match is found a 
constraint error is raised. Looking at the constraint overlay code it seems 
pretty trivial and I am willing to submit a patch myself that allows setting 
something like:

constraint_attribute mail negregex ^.*@somedomain\.com$

I already have an initial implementation and first tests seem to work as 
intended. Would such a patch be accepted? If so, could anyone guide me with 
getting the patch merged?

Thanks in advance,
David


[1] https://stackoverflow.com/questions/55190518/extended-posix-regular-expression-negation-of-multiple-strings-using
[2] https://stackoverflow.com/questions/15377469/posix-regular-expressions-excluding-a-word-in-an-expression
[3] https://stackoverflow.com/questions/38928863/posix-regex-not-match-a-word
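
The negated-match semantics proposed in the message above, as an added C example built on POSIX regcomp/regexec. It is not code from slapo-constraint or from the patch under discussion; check_value and its result codes are hypothetical names, and the sample values are constructed.

```c
/* Added illustration; not code from slapo-constraint or from the patch discussed. */
#include <regex.h>
#include <stdio.h>

/* Hypothetical result codes for this sketch. */
enum { VALUE_OK = 0, VALUE_VIOLATION = 1, PATTERN_ERROR = 2 };

/*
 * Evaluate one attribute value against a POSIX extended regex.
 * negate == 0: "regex" semantics, the value must match.
 * negate != 0: proposed "negregex" semantics, a match is a violation.
 */
int check_value(const char *pattern, int negate, const char *value)
{
    regex_t re;
    int rc;

    /* REG_NOSUB: only match / no match is needed, not capture offsets. */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return PATTERN_ERROR;   /* fail closed on an uncompilable pattern */

    rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);

    if (rc != 0 && rc != REG_NOMATCH)
        return PATTERN_ERROR;   /* e.g. REG_ESPACE: do not treat as "no match" */

    int matched = (rc == 0);
    return (matched != (negate != 0)) ? VALUE_OK : VALUE_VIOLATION;
}

int main(void)
{
    const char *pat = "^.*@somedomain\\.com$";      /* pattern from the post */
    const char *values[] = {                         /* constructed samples */
        "alice@somedomain.com", "bob@example.org",
        "carol@somedomain.com.example.net", "dave@SomeDomain.com",
    };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++)
        printf("%-36s regex=%d negregex=%d\n", values[i],
               check_value(pat, 0, values[i]), check_value(pat, 1, values[i]));
    return 0;
}
```

Compiled without REG_ICASE, this sketch lets dave@SomeDomain.com through the negated check, and carol@somedomain.com.example.net passes because of the $ anchor.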