Hi OpenLDAP team,

Thanks for quick response Ryan Tandy.

Please correct me if I'm wrong.

As per my understanding the order of access control effect the access.

Regarding, Using ruleset 1, 'access to *' will be evaluated first, anonymous will be given read access, and processing stops there.
In this case the "access to dn.base=ACL by users read" is not processed as the above the command "access to * by users read by anonymous read" is giving the user access to all attribute. Due to this the "access to dn.base=ACL by users read" is not processed.

Regarding, Using ruleset 2, 'access to dn.base=ACL' will be evaluated first, anonymous will be given no access (because every rule ends with an implicit 'by * none'), and processing stops there.
I understood that the "access to dn.base=ACL" gives access to user. But I did not understand why the process stops. Since we have "access to * by users read by anonymous read", does the next line access command override the above access which is given.

Please let me know if I missed anything or anything is not clear.

Thanks again.

Regards
J.Visu


On Sunday, 23 October 2016 6:38 AM, Ryan Tandy <ryan@nardis.ca> wrote:


On Sat, Oct 22, 2016 at 09:02:33AM +0000, vvv jjj wrote:

>My question is, does the access control order effect the behavior. That is, Is there any change in behavior for the below 2 access control commands.
>1.
>access to * by users read by anonymous read
>access to dn.base=ACL by users read
>
>2.
>access to dn.base=ACL by users read
>access to * by users read by anonymous read


Yes. The slapd.access(5) man page says: "Lists of access directives  are
evaluated in the order they appear". It goes on to say that "Access
control checking stops at the first match of the <what> and <who>
clause, unless otherwise dictated by the <control> clause."

In your examples above, assuming an attempt by anonymous to access your
controlled 'ACL' entry:

Using ruleset 1, 'access to *' will be evaluated first, anonymous will
be given read access, and processing stops there.

Using ruleset 2, 'access to dn.base=ACL' will be evaluated first,
anonymous will be given no access (because every rule ends with an
implicit 'by * none'), and processing stops there.

Hope that helps.