Nikos Voutsinas wrote:
This is an example of what would be convenient (but is currently not supported):

olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
    attrs=entry,objectclass val.regex="account|simpleSecurityObject",uid,userPassword
    by dn="uid=joe,dc=foo,dc=com" read
    by * none stop

As far as I understand the equivalent of the previous would be:

olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
    attrs=objectclass val.regex="account|simpleSecurityObject"
    by dn="uid=joe,dc=foo,dc=com" read
    by * none stop
olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
    attrs=entry,uid,userPassword
    by dn="uid=joe,dc=foo,dc=com" read
    by * none stop
Now, the "break" control would let subsequent ACLs evaluate access on the same <what> clause, and if "break" was required for that reason in the 1st ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant to the fact that we should split the original <what> clause, since the <what> clauses on the 2nd and 3rd ACLs are different. Isn't that so?
Frankly I don't understand your thoughts.
Mainly what you want is (line breaks for readability):
access to dn.subtree="ou=People,dc=foo,dc=com"
    attrs=objectclass val.regex="account|simpleSecurityObject"
    by dn="uid=joe,dc=foo,dc=com" read
    by * break
access to dn.subtree="ou=People,dc=foo,dc=com"
    attrs=entry,uid,userPassword
    by dn="uid=joe,dc=foo,dc=com" read
    by * none
Note that ACL processing implicitly stops at every match and that each ACL ends with implicit "by * none" if nothing else is defined with "by * foo" to match all the rest.
Ciao, Michael.
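To make the evaluation order discussed in this thread concrete, here is a small Python model of how slapd walks access directives: the first directive whose <what> matches is the only one consulted, the first matching <by> inside it decides, "stop" is the default control, "break" keeps the level and moves on to the next directive, and a matched directive with no matching <by> behaves like an implicit "by * none". This is an added illustration written for this thread, not OpenLDAP code; it models only "stop" and "break", spells out the access level on every <by> clause (including "by * none break", because the model needs an explicit level), and denies when no directive matches at all, which is the model's choice rather than something the thread states. The requests and the "uid=bob" entry are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Model of slapd's ACL walk (constructed for illustration, not OpenLDAP code).
# Only the "stop" and "break" controls are modelled; every <by> carries an
# explicit access level because the model requires one.


@dataclass
class By:
    who: str                 # "*" or "dn=<exact DN>"
    level: str               # access level, e.g. "read" or "none"
    control: str = "stop"    # "stop" (the default) or "break"


@dataclass
class Acl:
    subtree: str                  # dn.subtree="..."
    attrs: frozenset[str]         # lower-cased attribute names; "entry" is the pseudo-attribute
    bys: list[By]
    val_regex: str | None = None  # val.regex="..." tested against the requested value


def what_matches(acl: Acl, target_dn: str, attr: str, value: str | None) -> bool:
    """Does this directive's <what> clause select the target attribute?"""
    if not target_dn.lower().endswith(acl.subtree.lower()):
        return False
    if attr.lower() not in acl.attrs:
        return False
    if acl.val_regex is not None:
        return value is not None and re.search(acl.val_regex, value) is not None
    return True


def who_matches(by: By, requester_dn: str) -> bool:
    """Match the <who> selector: "*" or an exact dn=... (assumed forms only)."""
    if by.who == "*":
        return True
    if by.who.startswith("dn="):
        return by.who[3:].lower() == requester_dn.lower()
    raise ValueError(f"unsupported <who> form: {by.who}")


def evaluate(acls: list[Acl], requester_dn: str, target_dn: str,
             attr: str, value: str | None = None) -> str:
    """Return the access level the directive ordering settles on."""
    granted = None  # level left behind by a "break" clause
    for acl in acls:
        if not what_matches(acl, target_dn, attr, value):
            continue            # <what> did not match: directive skipped entirely
        for by in acl.bys:
            if not who_matches(by, requester_dn):
                continue
            granted = by.level
            if by.control == "stop":
                return granted  # first matching <by> decides; evaluation ends
            break               # "break": keep the level, go on to the next directive
        else:
            return "none"       # <what> matched but no <by> did: implicit "by * none"
    # No directive decided with "stop": keep a level left by "break", else deny (model's choice).
    return granted if granted is not None else "none"


PEOPLE = "ou=People,dc=foo,dc=com"
JOE = "uid=joe,dc=foo,dc=com"
ANON = ""   # anonymous bind, modelled as the empty DN

# Michael's two directives, with the level on "by * break" written out as "none".
MICHAEL = [
    Acl(PEOPLE, frozenset({"objectclass"}),
        [By("dn=" + JOE, "read"), By("*", "none", "break")],
        val_regex="account|simpleSecurityObject"),
    Acl(PEOPLE, frozenset({"entry", "uid", "userpassword"}),
        [By("dn=" + JOE, "read"), By("*", "none")]),
]

# Nikos's split form, with "by * none stop" on both directives.
NIKOS = [
    Acl(PEOPLE, frozenset({"objectclass"}),
        [By("dn=" + JOE, "read"), By("*", "none", "stop")],
        val_regex="account|simpleSecurityObject"),
    Acl(PEOPLE, frozenset({"entry", "uid", "userpassword"}),
        [By("dn=" + JOE, "read"), By("*", "none", "stop")]),
]

# Constructed requests against one constructed entry under ou=People.
TARGET = "uid=bob," + PEOPLE
REQUESTS = [("objectClass", "account"), ("objectClass", "top"),
            ("entry", None), ("uid", "bob"), ("userPassword", "{SSHA}x")]


def decisions(acls: list[Acl], requester_dn: str) -> dict[str, str]:
    """Map "attr=value" to the access level a requester ends up with."""
    return {f"{a}={v}": evaluate(acls, requester_dn, TARGET, a, v) for a, v in REQUESTS}


def forms_agree() -> bool:
    """Do both rule sets decide every constructed request identically?"""
    return all(decisions(MICHAEL, who) == decisions(NIKOS, who) for who in (JOE, ANON))


if __name__ == "__main__":
    for who in (JOE, ANON):
        print(who or "anonymous", decisions(MICHAEL, who))
    print("both forms agree:", forms_agree())
```

Running it shows joe getting read on objectClass (only for values the val.regex selects), entry, uid and userPassword, and the anonymous requester getting none everywhere, with both rule sets agreeing on every constructed request. In this model the "break" on the first directive only changes the outcome if a later directive also selects objectclass for the same requester, since otherwise the level kept from the breaking clause is what remains when the walk ends.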