On Fri, May 25, 2012 at 12:38:09PM +0300, Nick Milas wrote:
> One useful application is to easily grant write privileges to an
> updatedn that is different from the rootdn. In this case, since the
> updatedn needs write access to (almost) all data, one can use
>
>     access to *
>         by dn.exact="cn=The Update DN,dc=example,dc=com" write
>         by * break
>
> as the first access rule. As a consequence, unless the operation is
> performed with the updatedn identity, control is passed straight to
> the subsequent rules.
>
> I have the following question. If below the above ACL we add another
> ACL like:
>
>     access to dn.subtree="ou=people,dc=example,dc=com"
>         by dn.exact="cn=Some Other DN,dc=example,dc=com"
>         by * none
>
> ...doesn't this mean that the second ACL will override the first, so
> that "The Update DN" will no longer have access to the whole DIT (as
No. From slapd.access(5):
    Access control checking stops at the first match of the
    <what> and <who> clause, unless otherwise dictated by the
    <control> clause.
In the example above, the first access statement does not have a
<control> clause for dn.exact="cn=The Update DN,dc=example,dc=com" so
it uses the default, which is 'stop'.
Note that your second access statement does not specify any particular
access for dn.exact="cn=Some Other DN,dc=example,dc=com" so it won't
be much use.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565 |
-----------------------------------------------------------------------
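To make the evaluation order concrete, here is a small Python model of the stop/break rule from slapd.access(5) applied to the two directives quoted above. It is an added example, not OpenLDAP code: it only understands the `*`, `dn.exact` and `dn.subtree` selectors used in the thread, it assumes (following Andrew's reading) that a `by` clause with no `<access>` grants nothing, and it assumes the implied `by * none` at the end of a matching directive and "no access" when no directive matches at all. The DNs and the `uid=jdoe` target are the thread's example values plus one constructed entry.

```python
"""Model of slapd access-directive evaluation order (added example, not OpenLDAP code)."""
from dataclasses import dataclass


@dataclass
class By:
    who: str               # "*" or 'dn.exact="<dn>"'
    access: str = "none"   # assumption: a <by> clause with no <access> grants nothing
    control: str = "stop"  # <control> defaults to stop; "break" leaves the directive


@dataclass
class AccessDirective:
    what: str              # "*" or 'dn.subtree="<dn>"'
    by: list


def _selector(spec):
    """Split 'dn.exact="cn=x,dc=y"' into ("dn.exact", "cn=x,dc=y")."""
    kind, _, dn = spec.partition("=")
    return kind, dn.strip('"')


def what_matches(what, target_dn):
    if what == "*":
        return True
    kind, base = _selector(what)
    if kind == "dn.subtree":
        return target_dn == base or target_dn.endswith("," + base)
    if kind == "dn.exact":
        return target_dn == base
    raise ValueError("unsupported <what> selector: " + what)


def who_matches(who, subject_dn):
    if who == "*":
        return True
    kind, dn = _selector(who)
    if kind == "dn.exact":
        return subject_dn == dn
    raise ValueError("unsupported <who> selector: " + who)


def evaluate(acls, subject_dn, target_dn):
    """Return (access, trace). Evaluation stops at the first <what>+<who>
    match unless that <by> clause says 'break'; a directive whose <what>
    matches but whose <by> clauses all miss ends with the implied
    'by * none' (assumption); no matching directive at all grants nothing."""
    trace = []
    for index, acl in enumerate(acls):
        if not what_matches(acl.what, target_dn):
            continue
        for clause in acl.by:
            if not who_matches(clause.who, subject_dn):
                continue
            trace.append((index, clause.who, clause.access, clause.control))
            if clause.control == "break":
                break                    # leave this directive, try the next one
            return clause.access, trace  # default <control> is stop
        else:
            trace.append((index, "by * none (implied)", "none", "stop"))
            return "none", trace
    return "none", trace


UPDATE_DN = "cn=The Update DN,dc=example,dc=com"
OTHER_DN = "cn=Some Other DN,dc=example,dc=com"
PEOPLE = "ou=people,dc=example,dc=com"

# The two directives quoted in the thread, in the order Nick listed them.
THREAD_ACLS = [
    AccessDirective("*", [By('dn.exact="%s"' % UPDATE_DN, "write"),
                          By("*", control="break")]),
    AccessDirective('dn.subtree="%s"' % PEOPLE,
                    [By('dn.exact="%s"' % OTHER_DN),   # no <access>: grants nothing
                     By("*", "none")]),
]

# Same list, but the second directive now gives "Some Other DN" an explicit level.
FIXED_ACLS = [THREAD_ACLS[0],
              AccessDirective('dn.subtree="%s"' % PEOPLE,
                              [By('dn.exact="%s"' % OTHER_DN, "write"),
                               By("*", "none")])]

if __name__ == "__main__":
    person = "uid=jdoe," + PEOPLE   # constructed target entry under ou=people
    for label, acls in (("as posted", THREAD_ACLS), ("explicit write", FIXED_ACLS)):
        for who in (UPDATE_DN, OTHER_DN, ""):
            level, trace = evaluate(acls, who, person)
            print("%-14s %-40s -> %-5s %s" % (label, who or "anonymous", level, trace))
```

Running it shows the update DN stopping at directive 0 with `write` whatever the target (the second directive is never consulted for it), "Some Other DN" breaking out of directive 0 and landing on a clause that grants nothing in the posted version, and `write` once that clause carries an access level.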