This is an example of what would be convenient (but is currently not supported):

olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=entry,objectclass val.regex="account|simpleSecurityObject",uid,userPassword
  by dn="uid=joe,dc=foo,dc=com" read
  by * none stop

As far as I understand, the equivalent of the previous would be:

olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=objectclass val.regex="account|simpleSecurityObject"
  by dn="uid=joe,dc=foo,dc=com" read
  by * none stop
olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=entry,uid,userPassword
  by dn="uid=joe,dc=foo,dc=com" read
  by * none stop

Now, the "break" control would let subsequent ACLs evaluate access on the same <what> clause, and if "break" was required for that reason in the 1st ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant to the fact that we should split the original <what> clause, since the <what> clauses on 2nd and 3rd ACLs are different. Isn't that so?

On Tue, Oct 14, 2014 at 9:12 PM, Michael Ströder <[email protected]> wrote:

> Nikos Voutsinas wrote:
> > Besides the obvious workaround, i.e. split the rule into two ACLs, one with
> > the val.regex and another without, I am not sure that I understand how the
> > other special controls (break, continue) can help with this case. Am I
> > missing sth?
>
> Each ACL implicitly ends with "by * none" which would stop ACL processing. So
> you need to add an explicit "by * break" if you want to pass the control flow
> to the next ACL.
>
> Ciao, Michael.
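A simplified model of the control flow discussed in this thread, as an added example that is not part of either message and is not slapd's own code. It evaluates the two split ACLs and shows when an earlier ACL needs "by * break". The admin DN and the ACL built by `admin_acl` are constructed for illustration; dn.subtree scope and privilege arithmetic are not modelled, and val.regex is treated as an unanchored search.

```python
import re

JOE = "uid=joe,dc=foo,dc=com"
ADMIN = "cn=admin,dc=foo,dc=com"   # constructed DN, not from the thread
BY_JOE = [(JOE, "read", "stop"), ("*", "none", "stop")]

# The two split ACLs from the message: (attrs, val.regex or None, by-clauses).
# dn.subtree matching is left out; every target is assumed to be under ou=People.
SPLIT = [
    ({"objectclass"}, "account|simpleSecurityObject", BY_JOE),
    ({"entry", "uid", "userpassword"}, None, BY_JOE),
]

def admin_acl(last_by=None):
    """Constructed earlier ACL on userPassword, optionally ending in 'by * break'."""
    by = [(ADMIN, "write", "stop")] + ([last_by] if last_by else [])
    return ({"userpassword"}, None, by)

def evaluate(acls, who_dn, attr, value=""):
    """Return the access level one requester gets on one attribute value."""
    granted = "none"
    for attrs, val_regex, by_clauses in acls:
        if attr.lower() not in attrs:
            continue                      # <what> does not cover this attribute
        if val_regex and not re.search(val_regex, value):
            continue                      # val.regex modelled as an unanchored search
        # Every ACL implicitly ends with "by * none stop".
        for who, access, control in by_clauses + [("*", "none", "stop")]:
            if who not in ("*", who_dn):
                continue
            if access is not None:        # None models a bare "break" (no change)
                granted = access
            if control == "stop":
                return granted
            if control == "break":
                break                     # go on to the next ACL that matches
    return granted                        # nothing matched or stopped: keep what we have
```

With the split ACLs alone, joe reads `objectClass: account` but not `objectClass: person`, because no `<what>` clause covers that value. An earlier ACL on userPassword blocks joe unless it ends in "by * break", while his access to uid is unaffected because that `<what>` clause is different.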
