by dn.base="cn=replication_low_security,dc=organisation,dc=com" none by * break
the break rule will be ignored, as 'none' is the implicit last rule.
No, "none" does not imply "this is the last rule". OTOH there is an implicit last "by * none", hidden by the "by * break".
to me it seems that if a "by * break" appears
* in the database acls, in my case slapd does not continue looking for global access directives in the frontend.
* in the frontend acls, slapd continues evaluating statements from the global access directives
http://www.openldap.org/doc/admin24/access-control.html states "For each entry, access controls provided in the database which holds the entry [...] apply first, followed by the global access directives"
so my understanding is that what I am observing should not happen
run slapd with -dacl
the interesting line here should be "52c12415 => slap_access_allowed: no more rules" (although there are more in the frontend)
dn: ACCESSLOG_DB
olcAccess: {0}to dn.subtree="cn=accesslog" attrs=reqMod val.regex="^topSecretAttribute:.*" by dn.base="cn=replicationuser,dc=organisation,dc=com" read by dn.base="cn=replication_low_security,dc=organisation,dc=com" none by * break

dn: ACCESSLOG_DB
olcAccess: {1}to dn.subtree="cn=accesslog" by dn.base="cn=replicationuser,dc=organisation,dc=com" read by dn.base="cn=replication_low_security,dc=organisation,dc=com" read by * break

dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog" by dn.base="cn=provisioninguser,dc=organisation,dc=com" read by * none

52c12415 => access_allowed: read access to "reqStart=20131227145130.000001Z,cn=accesslog" "reqMod" requested
52c12415 => dn: [1] cn=accesslog
52c12415 => acl_get: [1] matched
52c12415 acl_get: valpat ^topSecretAttribute:.*
52c12415 => dn: [2] cn=accesslog
52c12415 => acl_get: [2] matched
52c12415 => acl_get: [2] attr reqMod
52c12415 => acl_mask: access to entry "reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod" requested
52c12415 => acl_mask: to value by "cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12415 <= check a_dn_pat: cn=replicationuser,dc=organisation,dc=com
52c12415 <= check a_dn_pat: cn=replication_public_user,dc=organisation,dc=com
52c12415 <= check a_dn_pat: *
52c12415 <= acl_mask: [3] applying +0 (break)
52c12415 <= acl_mask: [3] mask: =0
52c12415 <= acl_get: done.
52c12415 => slap_access_allowed: no more rules
52c12415 => access_allowed: no more rules
52c12415 send_search_entry: conn 1002 access to attribute reqMod, value #6 not allowed
###############################################################################
dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog" attrs=reqMod val.regex="^topSecretAttribute:.*" by dn.base="cn=replicationuser,dc=organisation,dc=com" read by dn.base="cn=replication_low_security,dc=organisation,dc=com" none by * break

dn: FRONTEND
olcAccess: {1}to dn.subtree="cn=accesslog" by dn.base="cn=replicationuser,dc=organisation,dc=com" read by dn.base="cn=replication_low_security,dc=organisation,dc=com" read by * break

dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog" by dn.base="cn=provisioninguser,dc=organisation,dc=com" read by * none

52c12bbf => access_allowed: read access to "reqStart=20131227145130.000001Z,cn=accesslog" "reqMod" requested
52c12bbf => dn: [24] cn=accesslog
52c12bbf => acl_get: [24] matched
52c12bbf acl_get: valpat ^topSecretAttribute:.*
52c12bbf => dn: [25] cn=accesslog
52c12bbf => acl_get: [25] matched
52c12bbf => acl_get: [25] attr reqMod
52c12bbf => acl_mask: access to entry "reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod" requested
52c12bbf => acl_mask: to value by "cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12bbf <= check a_dn_pat: cn=replicationuser,dc=organisation,dc=com
52c12bbf <= check a_dn_pat: cn=replication_public_user,dc=organisation,dc=com
52c12bbf <= check a_dn_pat: *
52c12bbf <= acl_mask: [3] applying +0 (break)
52c12bbf <= acl_mask: [3] mask: =0
52c12bbf => dn: [26] cn=accesslog
52c12bbf => acl_get: [26] matched
52c12bbf => acl_get: [26] attr reqMod
52c12bbf => acl_mask: access to entry "reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod" requested
52c12bbf => acl_mask: to value by "cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12bbf <= check a_dn_pat: cn=provisioninguser,dc=organisation,dc=com
52c12bbf <= acl_mask: [1] applying read(=rscxd) (stop)
52c12bbf <= acl_mask: [1] mask: read(=rscxd)
52c12bbf => slap_access_allowed: read access granted by read(=rscxd)
52c12bbf => access_allowed: read access granted by read(=rscxd)
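A small model of the evaluation order the thread is arguing about (first matching <what>, first matching <who>, then stop/break/continue, with the implicit trailing "by * none"), added here as an illustration; it is not code from the thread or from OpenLDAP. The three directives and the DNs are the ones posted above; the non-secret reqMod value and the "nobody" DN used in the checks are constructed.

```python
import re

ACCESSLOG = "cn=accesslog"
REPL = "cn=replicationuser,dc=organisation,dc=com"
REPL_LOW = "cn=replication_low_security,dc=organisation,dc=com"
PROV = "cn=provisioninguser,dc=organisation,dc=com"

def in_accesslog(dn, attr, val):
    # <what> of the form dn.subtree="cn=accesslog"
    return dn == ACCESSLOG or dn.endswith("," + ACCESSLOG)

def top_secret_reqmod(dn, attr, val):
    # <what> dn.subtree="cn=accesslog" attrs=reqMod val.regex="^topSecretAttribute:.*"
    return (in_accesslog(dn, attr, val) and attr == "reqMod" and val is not None
            and re.match(r"^topSecretAttribute:.*", val) is not None)

# The three directives from the thread as (<what>, [(<who>, <access>, <control>)]).
# <access> None means no level was written ("by * break"); slapd logs that as "+0".
FRONTEND_RULES = [
    (top_secret_reqmod, [(REPL, "read", "stop"), (REPL_LOW, "none", "stop"), ("*", None, "break")]),
    (in_accesslog, [(REPL, "read", "stop"), (REPL_LOW, "read", "stop"), ("*", None, "break")]),
    (in_accesslog, [(PROV, "read", "stop"), ("*", "none", "stop")]),
]
# The same directives with their trailing "by * break" clauses removed (constructed variant).
NO_BREAK_RULES = [(what, [c for c in clauses if c[2] != "break"]) for what, clauses in FRONTEND_RULES]

def evaluate(rules, who, dn, attr, val=None):
    """Return the access level the model grants `who`. 'stop' ends evaluation, 'break'
    moves to the next directive, 'continue' keeps scanning this directive's <who> clauses;
    falling off a matched directive hits the implicit "by * none"; no more rules: deny."""
    mask = "none"
    for what, clauses in rules:
        if not what(dn, attr, val):
            continue
        for subject, level, control in clauses:
            if subject != "*" and subject != who:
                continue
            if level is not None:
                mask = level  # "=level" form: replaces the accumulated mask
            if control == "stop":
                return mask
            if control == "break":
                break
        else:
            return "none"  # implicit trailing "by * none" (stop)
    return mask
```

Evaluating only the first two directives reproduces the first log's outcome (no more rules, read denied), while all three in one list reproduce the second log; dropping the "by * break" clauses shows the implicit "by * none" denying the provisioning user inside the first directive.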