On Wed, Oct 15, 2014 at 11:07 AM, Michael Ströder michael@stroeder.com wrote:
Nikos Voutsinas wrote:
This is an example of what would be convenient (but is currently not supported):

olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=entry,objectclass val.regex="account|simpleSecurityObject",uid,userPassword
  by dn="uid=joe,dc=foo,dc=com" read
  by * none stop
As far as I understand, the equivalent of the previous would be:

olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=objectclass val.regex="account|simpleSecurityObject"
  by dn="uid=joe,dc=foo,dc=com" read
  by * none stop
olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=entry,uid,userPassword
  by dn="uid=joe,dc=foo,dc=com" read
  by * none stop
Now, the "break" control would let subsequent ACLs evaluate access on the same <what> clause, and if "break" was required for that reason in the 1st ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant to the fact that we should split the original <what> clause, since the <what> clauses on the 2nd and 3rd ACLs are different. Isn't that so?
Frankly I don't understand your thoughts.
Mainly what you want is (line breaks for readability):

access to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=objectclass val.regex="account|simpleSecurityObject"
  by dn="uid=joe,dc=foo,dc=com" read
  by * break
You are assuming that there are subsequent ACLs that are going to process the same <what> clause or a superset of it, which might be true or not. However, for our specific example, slapd will process the subsequent (2nd) ACL no matter which control was used in the 1st ACL, because the two ACLs refer to different <what> clauses. So, yes, the break control might be useful, but it is not required, at least not in our 2-line example. Should I go back and read again?

access to dn.subtree="ou=People,dc=foo,dc=com"
  attrs=entry,uid,userPassword
  by dn="uid=joe,dc=foo,dc=com" read
  by * none
Note that ACL processing implicitly stops at every match, and that each ACL ends with an implicit "by * none" if nothing else is defined with "by * foo" to match all the rest.
Ciao, Michael.
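The evaluation order the thread is arguing about can be checked with a small model. What follows is an added example, not code from this thread or from OpenLDAP: a toy Python simulator of slapd's first-match ACL evaluation (first directive whose <what> matches is applied, first matching <who> inside it wins, implicit "by * none" when no <who> matches, "stop" ends evaluation, "break" moves on to the next directive). DN matching, the anonymous requester (empty DN) and the "deny when nothing matches" default are simplifications assumed for the model; the two directives and the entry under ou=People are constructed from the split form given above.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Who:
    """One <who> clause: subject is "*" or an exact DN (constructed, simplified)."""
    subject: str
    level: str               # "none", "read", "write", ...
    control: str = "stop"    # "stop" (default) or "break"


@dataclass
class Access:
    """One access directive: <what> = subtree + attrs (+ optional val.regex)."""
    subtree: str
    attrs: frozenset         # attribute names, lower-cased
    who: list
    val_regex: Optional[str] = None


def _dn_in_subtree(dn: str, subtree: str) -> bool:
    # simplified subtree test: equal to, or ending in ",<subtree>" (assumption)
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)


def what_matches(acl: Access, target_dn: str, attr: str, value: Optional[str]) -> bool:
    """True when the directive's <what> clause applies to this DN/attribute/value."""
    if not _dn_in_subtree(target_dn, acl.subtree):
        return False
    if attr.lower() not in acl.attrs:
        return False
    if acl.val_regex is not None:
        # val.regex restricts the directive to attribute values matching the regex
        return value is not None and re.search(acl.val_regex, value) is not None
    return True


def evaluate(acls, requester_dn, target_dn, attr, value=None):
    """Return (access level, trace).  Directives are tried in order; a directive
    whose <what> does not match is skipped entirely, which is why a later ACL with
    a different <what> is evaluated regardless of the control used in an earlier one.
    If no directive matches at all this toy model returns "none" (assumption)."""
    level = "none"
    trace = []
    for i, acl in enumerate(acls, 1):
        if not what_matches(acl, target_dn, attr, value):
            trace.append(f"ACL {i}: <what> does not match, skipped")
            continue
        for who in acl.who:
            if who.subject == "*" or who.subject.lower() == requester_dn.lower():
                level = who.level
                trace.append(f"ACL {i}: matched 'by {who.subject} {who.level} {who.control}'")
                if who.control == "stop":
                    return level, trace
                break            # "break": carry on with the next directive
        else:
            # no <who> clause matched: implicit "by * none", evaluation stops
            level = "none"
            trace.append(f"ACL {i}: no <who> matched, implicit 'by * none'")
            return level, trace
    return level, trace


JOE = "uid=joe,dc=foo,dc=com"
PEOPLE = "ou=People,dc=foo,dc=com"

# The two directives from the split form in the thread (constructed).
ACLS = [
    Access(PEOPLE, frozenset({"objectclass"}),
           [Who(JOE, "read"), Who("*", "none", "stop")],
           val_regex="account|simpleSecurityObject"),
    Access(PEOPLE, frozenset({"entry", "uid", "userpassword"}),
           [Who(JOE, "read"), Who("*", "none", "stop")]),
]


def demo():
    """Evaluate a few requests against a constructed entry under ou=People."""
    alice = "uid=alice,ou=People,dc=foo,dc=com"
    return {
        "joe/uid": evaluate(ACLS, JOE, alice, "uid", "alice"),
        "anon/uid": evaluate(ACLS, "", alice, "uid", "alice"),
        "joe/objectclass=account": evaluate(ACLS, JOE, alice, "objectClass", "account"),
        "joe/objectclass=person": evaluate(ACLS, JOE, alice, "objectClass", "person"),
    }


if __name__ == "__main__":
    for request, (level, trace) in demo().items():
        print(request, "->", level)
        for line in trace:
            print("   ", line)
```

Running it shows that joe's read on uid is granted by the 2nd ACL with the 1st ACL reported as "does not match, skipped", i.e. the "stop" on the 1st ACL never comes into play for that attribute; an objectClass value not matched by the val.regex falls through both directives and ends up denied.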