On Fri, May 25, 2012 at 12:38:09PM +0300, Nick Milas wrote:
> One useful application is to easily grant write privileges to an updatedn that is different from the rootdn. In this case, since the updatedn needs write access to (almost) all data, one can use access to * by dn.exact="cn=The Update DN,dc=example,dc=com" write by * break as the first access rule. As a consequence, unless the operation is performed with the updatedn identity, control is passed straight to the subsequent rules.
> I have the following question. If below the above ACL we add another ACL like:
> access to dn.subtree="ou=people,dc=example,dc=com" by dn.exact="cn=Some Other DN,dc=example,dc=com" by * none
> ...doesn't this mean that the second ACL will override the first, so that "The Update DN" will no longer have access to the whole DIT (as
No. From slapd.access(5): Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause.
In the example above, the first access statement does not have a <control> clause for dn.exact="cn=The Update DN,dc=example,dc=com" so it uses the default, which is 'stop'.
Note that your second access statement does not specify any particular access for dn.exact="cn=Some Other DN,dc=example,dc=com" so it won't be much use.
Andrew
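To make the evaluation order concrete, here is a small Python model of the first-match rule from slapd.access(5) (directives scanned in order, first matching <who> wins, default control stop, break moves on to the next directive), run over the two directives from the thread. It is an added illustration, not OpenLDAP code: it only understands the *, dn.exact and dn.subtree selectors used above, it assumes an omitted <access> grants nothing (which is what Andrew's remark about the second directive relies on), it uses naive DN normalisation, it does not model the additive continue control, and the entry DNs uid=jdoe,ou=people,... and cn=admins,ou=groups,... are constructed test data.

```python
"""Toy model of slapd ACL evaluation: first-match <what>/<who> with the
stop (default) and break <control> clauses.  Added illustration for the
thread above, not OpenLDAP code; simplifications are marked as assumptions."""
import shlex

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = ("stop", "continue", "break")


def parse_access(line):
    """Parse one 'access to <what> by <who> [<access>] [<control>] ...' directive."""
    toks = shlex.split(line)            # strips the quotes around DN patterns
    assert toks[:2] == ["access", "to"], "not an access directive"
    what, bys, i = toks[2], [], 3
    while i < len(toks):
        assert toks[i] == "by", "expected 'by', got %r" % toks[i]
        who, i = toks[i + 1], i + 2
        # Assumption: an omitted <access> grants no privileges ("none").
        access, control = "none", "stop"
        if i < len(toks) and toks[i] in LEVELS:
            access, i = toks[i], i + 1
        if i < len(toks) and toks[i] in CONTROLS:
            control, i = toks[i], i + 1
        assert control != "continue", "additive 'continue' is not modelled here"
        bys.append((who, access, control))
    return what, bys


def _dn_norm(dn):
    # Assumption: naive normalisation (lowercase, trim around commas); real slapd
    # normalises each RDN value according to its attribute syntax.
    return ",".join(part.strip() for part in dn.lower().split(","))


def what_matches(what, target_dn):
    if what == "*":
        return True
    style, _, pattern = what.partition("=")
    t, p = _dn_norm(target_dn), _dn_norm(pattern)
    if style == "dn.exact":
        return t == p
    if style == "dn.subtree":
        return t == p or t.endswith("," + p)
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    style, _, pattern = who.partition("=")
    if style == "dn.exact":
        return _dn_norm(bind_dn) == _dn_norm(pattern)
    raise ValueError("unsupported <who>: " + who)


def evaluate(acls, target_dn, bind_dn):
    """Return the privilege level the directives grant bind_dn on target_dn."""
    for what, bys in acls:
        if not what_matches(what, target_dn):
            continue                       # <what> missed: try the next directive
        for who, access, control in bys:
            if not who_matches(who, bind_dn):
                continue                   # <who> missed: try the next by clause
            if control == "stop":
                return access              # first match wins (the default)
            break                          # 'break': go on to the next directive
        else:
            return "none"                  # implicit 'by * none' closing each directive
    return "none"                          # no directive matched at all
    # Assumption: a level granted before 'break' is not carried forward; the
    # thread's 'by * break' grants nothing, so the results are unaffected.


# The two directives exactly as they appear in the thread (no <access> on the
# second directive's dn.exact clause), and the same pair with 'write' added.
UPDATE_RULE = 'access to * by dn.exact="cn=The Update DN,dc=example,dc=com" write by * break'
PEOPLE_RULE = ('access to dn.subtree="ou=people,dc=example,dc=com" '
               'by dn.exact="cn=Some Other DN,dc=example,dc=com" %sby * none')
ACL_THREAD = [parse_access(UPDATE_RULE), parse_access(PEOPLE_RULE % "")]
ACL_FIXED = [parse_access(UPDATE_RULE), parse_access(PEOPLE_RULE % "write ")]

UPDATE_DN = "cn=The Update DN,dc=example,dc=com"
OTHER_DN = "cn=Some Other DN,dc=example,dc=com"
PERSON = "uid=jdoe,ou=people,dc=example,dc=com"    # constructed entry inside the subtree
GROUP = "cn=admins,ou=groups,dc=example,dc=com"    # constructed entry outside it


def demo():
    return {
        "updatedn on person": evaluate(ACL_THREAD, PERSON, UPDATE_DN),
        "updatedn on group": evaluate(ACL_THREAD, GROUP, UPDATE_DN),
        "other on person (as posted)": evaluate(ACL_THREAD, PERSON, OTHER_DN),
        "other on person (with write)": evaluate(ACL_FIXED, PERSON, OTHER_DN),
        "other on group": evaluate(ACL_FIXED, GROUP, OTHER_DN),
        "anonymous on person": evaluate(ACL_FIXED, PERSON, ""),
    }


if __name__ == "__main__":
    for case, level in demo().items():
        print("%-30s -> %s" % (case, level))
```

The update DN gets write everywhere because its clause in the first directive matches with the default stop control, so the second directive is never consulted for it; everyone else reaches the second directive via by * break, where "Some Other DN" ends up with none until a privilege is actually written after the dn.exact clause. Against a real server the same questions are answered by slapacl(8), which evaluates the configured ACLs for a given authorization DN and entry without going through the front end.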