Nikos Voutsinas wrote:
> This is an example of what would be convenient (but is currently not
> supported):
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,objectclass
> val.regex="account|simpleSecurityObject",uid,userPassword by
> dn="uid=joe,dc=foo,dc=com" read by * none stop
>
> As far as I understand the equivalent of the previous would be:
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=objectclass
> val.regex="account|simpleSecurityObject" by dn="uid=joe,dc=foo,dc=com" read
> by * none stop
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
> attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none
> stop
>
> Now, the "break" control would let subsequent ACLs evaluate access on the
> same <what> clause, and if "break" was required for that reason in the 1st
> ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant
> to the fact that we should split the original <what> clause, since the
> <what> clauses on the 2nd and 3rd ACLs are different. Isn't that so?
Frankly I don't understand your thoughts.
Mainly what you want is (line breaks for readability):
access to
dn.subtree="ou=People,dc=foo,dc=com"
attrs=objectclass
val.regex="account|simpleSecurityObject"
by dn="uid=joe,dc=foo,dc=com" read
by * break
access to
dn.subtree="ou=People,dc=foo,dc=com"
attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read
by * none
Note that ACL processing implicitly stops at every match and that each ACL
ends with implicit "by * none" if nothing else is defined with "by * foo" to
match all the rest.
Ciao, Michael.
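The two-ACL arrangement from the reply above, written out as an ldapmodify LDIF against cn=config so the "break" on the first ACL and the explicit "by * none" on the second are visible in olcAccess form. This is an added example, not part of the thread; the database DN "olcDatabase={1}mdb,cn=config" and the ordering prefixes {0} and {1} are assumptions and must be adjusted to the real database entry and to any olcAccess values it already holds.

```ldif
# Added example (not from the original thread).
# Assumed: the People tree lives in olcDatabase={1}mdb and no olcAccess
# values exist yet, so the new ACLs take indices {0} and {1}.
#
# ACL {0}: only the objectclass values matching the regex. "by * break"
# sends every client other than joe on to the next ACL instead of the
# implicit "by * none" that would otherwise end processing here.
# ACL {1}: the entry pseudo-attribute plus uid and userPassword. The
# explicit "by * none" spells out the default denial for everyone else.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=objectclass val.regex="account|simpleSecurityObject"
  by dn="uid=joe,dc=foo,dc=com" read
  by * break
olcAccess: {1}to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=entry,uid,userPassword
  by dn="uid=joe,dc=foo,dc=com" read
  by * none
```

Continuation lines in LDIF start with one space that the parser strips, so each folded line above begins with two spaces to keep a separator inside the value. After loading, the effective rights can be checked offline with slapacl, for example `slapacl -F /etc/ldap/slapd.d -D "uid=joe,dc=foo,dc=com" -b "uid=alice,ou=People,dc=foo,dc=com" userPassword/read` (the config directory and the alice entry are placeholders), which reports whether joe gets read on userPassword for that entry and, run again without -D, confirms that anonymous clients do not.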