On 25/5/2012 2:37 PM, Andrew Findlay wrote:
No. From slapd.access(5): Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause.
In the example above, the first access statement does not have a <control> clause for dn.exact="cn=The Update DN,dc=example,dc=com" so it uses the default, which is 'stop'.
By the way, let me also ask:
Why, when assigning access rights to the "entry" and/or "children" attributes, do we in most cases - as I have seen from experience - have to end with a "by * break" clause?
access to dn.subtree="ou=people,dc=example,dc=com" attrs=children,entry
    by dn.exact="uid=admin,ou=people,dc=example,dc=com" write
    by * break
Could the assignment of privileges to children and/or entry attributes on some branch cause problems if we terminate (and implicitly don't allow the evaluation of other access statements on this what/attrs combination)?
I tend to think that this is needed in case(s) where we want to be able to assign different privileges (for children/entry attributes) in subordinate branches, using ACLs following later. But if we follow the rule: "special access rules first, generic access rules last", i.e. if we place our ACLs for entry/children of the bottom branches first in the ACL sequence, then a "by * break" clause would not be required. Is my thinking right?
And a second question:
Are there any cases where access to the "children" and "entry" attributes is determined implicitly, or should we in all cases (except, I guess, when we specify "access to *") declare access rights to these attributes explicitly?
Thanks, Nick
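
An added example, not part of the original message and not OpenLDAP code: a simplified Python model of the first-match rule quoted from slapd.access(5), run on the ACL from the message followed by a constructed second directive (`by * read`). It models only `stop` and `break` with `dn.exact`, `dn.subtree` and `*`; the requester `uid=jdoe` and the target entry are constructed.

```python
# Simplified model of slapd ACL evaluation order (assumption: not OpenLDAP code).
# A directive is (subtree base, attrs or None for all attributes, by-clauses).
PEOPLE = "ou=people,dc=example,dc=com"
ADMIN = "uid=admin,ou=people,dc=example,dc=com"

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def evaluate(acl, target_dn, attr, requester):
    """Return (access level, index of the directive that stopped evaluation)."""
    level = "none"
    for idx, (base, attrs, by_clauses) in enumerate(acl):
        if not in_subtree(target_dn, base) or (attrs is not None and attr not in attrs):
            continue  # <what> does not match this request
        for who, access, control in by_clauses:
            if who != "*" and who.lower() != requester.lower():
                continue  # <who> does not match, try the next "by" clause
            if access is not None:
                level = access
            if control == "stop":
                return level, idx
            break  # control == "break": go on to the next directive
        else:
            return "none", idx  # no <who> matched: implicit "by * none stop"
    return level, None  # no directive stopped the evaluation

# The directive from the message, followed by a constructed second directive.
WITH_BREAK = [
    (PEOPLE, {"children", "entry"}, [(ADMIN, "write", "stop"), ("*", None, "break")]),
    (PEOPLE, None, [("*", "read", "stop")]),
]
# The same list with "by * break" removed from the first directive.
WITHOUT_BREAK = [
    (PEOPLE, {"children", "entry"}, [(ADMIN, "write", "stop")]),
    (PEOPLE, None, [("*", "read", "stop")]),
]

def demo():
    user = "uid=jdoe," + PEOPLE       # constructed requester
    target = "uid=someone," + PEOPLE  # constructed target entry
    return {
        "admin": evaluate(WITH_BREAK, target, "entry", ADMIN),
        "user_break": evaluate(WITH_BREAK, target, "entry", user),
        "user_no_break": evaluate(WITHOUT_BREAK, target, "entry", user),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model, removing `by * break` leaves the non-admin requester stopped at the first directive with no access to `entry`, so the later `by * read` is never consulted for that pseudo-attribute.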