On Wed, Oct 15, 2014 at 11:07 AM, Michael Ströder <[email protected]> wrote:

> Nikos Voutsinas wrote:
> > This is an example of what would be convenient (but is currently not
> > supported):
> > olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,objectclass val.regex="account|simpleSecurityObject",uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none stop
> >
> > As far as I understand the equivalent of the previous would be:
> > olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=objectclass val.regex="account|simpleSecurityObject" by dn="uid=joe,dc=foo,dc=com" read by * none stop
> > olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none stop
> >
> > Now, the "break" control would let subsequent ACLs evaluate access on the
> > same <what> clause, and if "break" was required for that reason in the 1st
> > ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant
> > to the fact that we should split the original <what> clause, since the
> > <what> clauses on the 2nd and 3rd ACLs are different. Isn't that so?
>
>
> Frankly I don't understand your thoughts.
>
> Mainly what you want is (line breaks for readability):
>
> access to
>   dn.subtree="ou=People,dc=foo,dc=com"
>   attrs=objectclass
>   val.regex="account|simpleSecurityObject"
>     by dn="uid=joe,dc=foo,dc=com" read
>     by * break
>

You are assuming that there are subsequent ACLs that are going to process
the same <what> clause or a superset of it, which might be true or not.
However, for our specific example, slapd will process the subsequent (2nd)
ACL no matter which control was used in the 1st ACL, because the two ACLs
refer to different <what> clauses. So yes, the break control might be useful,
but it is not required, at least not in our 2-line example. Should I go back
and read again?


>
> access to
>   dn.subtree="ou=People,dc=foo,dc=com"
>   attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read
>   by * none
>
> Note that ACL processing implicitly stops at every match and that each ACL
> ends with an implicit "by * none" if nothing else is defined with "by * foo"
> to match all the rest.
>
> Ciao, Michael.
>
>

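The evaluation rules both sides of this exchange rely on (first matching <what> wins, <who> clauses are walked in order, "stop" versus "break", the implicit "by * none"), as an added example that is not part of the thread and not slapd's code: a small Python model of that subset of slapd.access(5), run over the two split directives above. The entry uid=alice,ou=People,dc=foo,dc=com, the reader uid=audit,dc=foo,dc=com and the third directive that covers objectClass are constructed for the demonstration; the model follows the man page's statement that a non-empty ACL list ends with an implicit "access to * by * none".

```python
"""Toy model of the slapd.access(5) evaluation rules discussed in the thread:
directives are walked in order, the first whose <what> matches is used, its <who>
clauses are walked in order, and stop / continue / break decide what happens next.
Constructed illustration, not slapd's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Who:
    subject: str            # "*" (anyone) or "dn=<exact dn>"
    level: str              # plain level: none, disclose, auth, compare, search, read, write, manage
    control: str = "stop"   # "stop" (default), "continue" or "break"


@dataclass
class Acl:
    subtree: str                      # dn.subtree="..."
    attrs: Set[str]                   # attrs=...; "entry" is the entry pseudo-attribute
    val_regex: Optional[str] = None   # val.regex="..."; legal only with a single attr
    who: List[Who] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.val_regex is not None and len(self.attrs) != 1:
            raise ValueError("val.regex needs exactly one attribute")  # the unsupported form
        self.attrs = {a.lower() for a in self.attrs}


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def who_matches(clause: Who, requester_dn: str) -> bool:
    if clause.subject == "*":
        return True
    if clause.subject.startswith("dn="):
        return clause.subject[3:].lower() == requester_dn.lower()
    raise ValueError(f"unsupported <who> subject: {clause.subject}")


def what_matches(acl: Acl, target_dn: str, attr: str, value: Optional[str]) -> bool:
    if not in_subtree(target_dn, acl.subtree) or attr.lower() not in acl.attrs:
        return False
    if acl.val_regex is None:
        return True
    return value is not None and re.search(acl.val_regex, value) is not None


def evaluate(acls: List[Acl], requester_dn: str, target_dn: str,
             attr: str, value: Optional[str] = None) -> str:
    """Level requester_dn gets on attr (optionally one specific value) of target_dn."""
    for acl in acls:
        if not what_matches(acl, target_dn, attr, value):
            continue                      # <what> does not cover this target: next directive
        for clause in acl.who:
            if not who_matches(clause, requester_dn):
                continue
            if clause.control == "stop":
                return clause.level       # first matching <who> decides (the default)
            if clause.control == "break":
                break                     # hand the decision to the next directive
            # "continue": a later <who> clause in this directive may still match
        else:
            return "none"                 # the implicit trailing "by * none" of every directive
    # A non-empty ACL list ends with an implicit "access to * by * none" (slapd.access(5)),
    # so a "break" that no later directive picks up still ends in denial.
    return "none"


# The thread's split directives, with constructed sample DNs.
PEOPLE = "ou=People,dc=foo,dc=com"
JOE = "uid=joe,dc=foo,dc=com"
ALICE = "uid=alice,ou=People,dc=foo,dc=com"   # constructed entry under ou=People
AUDIT = "uid=audit,dc=foo,dc=com"             # constructed reader used by LATER only


def thread_acls(first_control: str = "stop") -> List[Acl]:
    """The two directives from the thread; first_control is the control on the
    catch-all clause of the first one ("stop" as posted, "break" as suggested)."""
    return [
        Acl(PEOPLE, {"objectClass"}, "account|simpleSecurityObject",
            [Who("dn=" + JOE, "read"), Who("*", "none", first_control)]),
        Acl(PEOPLE, {"entry", "uid", "userPassword"},
            who=[Who("dn=" + JOE, "read"), Who("*", "none")]),
    ]


# A constructed third directive that also covers objectClass; only "break" reaches it.
LATER = Acl(PEOPLE, {"objectClass"}, who=[Who("dn=" + AUDIT, "read"), Who("*", "none")])

if __name__ == "__main__":
    for ctl in ("stop", "break"):
        acls = thread_acls(ctl) + [LATER]
        print(f"{ctl:5} joe/userPassword={evaluate(acls, JOE, ALICE, 'userPassword')} "
              f"audit/objectClass=account={evaluate(acls, AUDIT, ALICE, 'objectClass', 'account')}")
```

Running it shows both points made in the thread: joe's access to userPassword is "read" whether the first directive ends in "stop" or "break", because that directive's <what> never covers userPassword, while uid=audit only gets "read" on objectClass=account through the "break" variant, since "stop" ends evaluation at the first directive's catch-all clause. It also shows the caveat worth knowing before sprinkling "break" around: a "break" with no later directive covering the target falls into the implicit final deny.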