This is an example of what would be convenient (but is currently not supported):
olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,objectclass val.regex="account|simpleSecurityObject",uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none stop

As far as I understand the equivalent of the previous would be:
olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=objectclass val.regex="account|simpleSecurityObject" by dn="uid=joe,dc=foo,dc=com" read by * none stop
olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none stop

Now, the "break" control, would let subsequent ACLs evaluate access on the same <what> clause, and if "break" was required for that reason in the 1st ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant with the fact that we should split the original <what> clause, since the <what> clauses on 2nd and 3rd ACLs are different. Isn't that so?


On Tue, Oct 14, 2014 at 9:12 PM, Michael Ströder <michael@stroeder.com> wrote:
Nikos Voutsinas wrote:
> Besides the obvious workaround, i.e. split the rule into two ACLs, one with
> the val.regex and another without, I am not sure that I understand how the
> other special controls (break, continue) can help with this case. Am I
> missing sth?

Each ACL implicitly ends with "by * none" which would stop ACL processing. So
you need to add an explicit "by * break" if you want to pass the control flow
to the next ACL.

Ciao, Michael.