Thanks Ryan.

Got clarity for my question.

Thanks again to the OpenLDAP team for providing good support.

Regards
J.Visu




On Tuesday, 25 October 2016 6:42 AM, Ryan Tandy <ryan@nardis.ca> wrote:


On Sun, Oct 23, 2016 at 11:03:55AM +0000, vvv jjj wrote:
>Regarding, Using ruleset 1, 'access to *' will be evaluated first, anonymous will be given read access, and processing stops there.
>In this case the "access to dn.base=ACL by users read" is not processed, as the above command "access to * by users read by anonymous read" is giving the user access to all attributes. Due to this, the "access to dn.base=ACL by users read" is not processed.

Correct.


>Regarding, Using ruleset 2, 'access to dn.base=ACL' will be evaluated first, anonymous will be given no access (because every rule ends with an implicit 'by * none'), and processing stops there.
>I understood that the "access to dn.base=ACL" gives access to users. But I did not understand why the processing stops. Since we have "access to * by users read by anonymous read", does the next-line access command override the above access which is given?


Every rule implicitly ends with 'by * none stop', unless you specify
otherwise. Your rule for dn.base=ACL does not specify otherwise,
therefore anonymous is assigned 'none' and processing stops. The
following line is never reached. This is for the 'ACL' entry
specifically: for any other entry (i.e. 'to *'), the 'by anonymous read'
rule would indeed be applied.
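The evaluation order Ryan describes (first matching `access to` directive wins; within it, the first matching `by` clause decides; every directive implicitly ends with `by * none stop`) can be checked with a small simulator. The code below is an added example and is not part of the thread or of OpenLDAP itself; it models only the subset of slapd.access(5) syntax used in the two rulesets above (`to *`, `to dn.base=...`, `to dn.subtree=...`, and the `by` selectors `*`, `users`, `anonymous`, `self`, with the default `stop` control), and the entry name `ACL` is kept exactly as the thread wrote it rather than as a real DN.

```python
"""Toy simulator of OpenLDAP slapd ACL evaluation order (added example, not project code).

Models the rules discussed in the thread:
  * 'access to <what>' directives are tried top to bottom; the first one whose
    <what> matches the entry is the only one consulted.
  * Inside that directive, 'by <who> <access>' clauses are tried left to right;
    the first <who> that matches the requester decides the access.
  * Every directive implicitly ends with 'by * none stop', so a requester that
    matches no explicit 'by' clause gets 'none' and later directives are never read.
Only the default 'stop' control is modelled; 'continue'/'break' are rejected.
"""
import re

ACCESS_RE = re.compile(r"^access\s+to\s+(\S+)(.*)$")
BY_RE = re.compile(r"by\s+(\S+)\s+(\S+)(?:\s+(stop|continue|break))?")


def what_matches(what, entry_dn):
    """Does the 'access to <what>' selector cover this entry?"""
    if what == "*":
        return True
    if what.startswith("dn.base="):
        return what[len("dn.base="):].strip('"').lower() == entry_dn.lower()
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].strip('"').lower()
        e = entry_dn.lower()
        return e == base or e.endswith("," + base)
    raise ValueError(f"unsupported 'to' selector in this toy: {what}")


def who_matches(who, subject_dn, entry_dn):
    """Does the 'by <who>' selector cover the requester? subject_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject_dn is None
    if who == "users":
        return subject_dn is not None
    if who == "self":
        return subject_dn is not None and subject_dn.lower() == entry_dn.lower()
    raise ValueError(f"unsupported 'by' selector in this toy: {who}")


def parse_acl(text):
    """Parse slapd.conf-style 'access to ... by ...' lines into (what, [(who, access)]) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACCESS_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse directive: {line}")
        what, rest = m.group(1), m.group(2)
        bys = []
        for who, access, control in BY_RE.findall(rest):
            if control and control != "stop":
                raise ValueError(f"control '{control}' is not modelled here")
            bys.append((who, access))
        rules.append((what, bys))
    return rules


def evaluate(rules, entry_dn, subject_dn=None):
    """Return (access, reason) for subject_dn (None = anonymous) on entry_dn."""
    for index, (what, bys) in enumerate(rules, start=1):
        if not what_matches(what, entry_dn):
            continue
        # Implicit tail: 'by * none stop'. Because '*' matches everyone, this
        # directive always decides and nothing after it is ever consulted.
        for who, access in bys + [("*", "none")]:
            if who_matches(who, subject_dn, entry_dn):
                origin = "explicit" if (who, access) in bys else "implicit 'by * none'"
                return access, f"directive {index} 'access to {what}' matched; {origin} 'by {who}' decided"
    return "none", "no directive matched (slapd default)"


# The two rulesets from the thread, differing only in directive order.
RULESET_1 = """
access to * by users read by anonymous read
access to dn.base=ACL by users read
"""
RULESET_2 = """
access to dn.base=ACL by users read
access to * by users read by anonymous read
"""


def compare_rulesets(entry_dn="ACL", subject_dn=None):
    """Evaluate the same request against both rulesets; returns {name: access}."""
    return {
        "ruleset1": evaluate(parse_acl(RULESET_1), entry_dn, subject_dn)[0],
        "ruleset2": evaluate(parse_acl(RULESET_2), entry_dn, subject_dn)[0],
    }


if __name__ == "__main__":
    for name, text in (("ruleset 1", RULESET_1), ("ruleset 2", RULESET_2)):
        rules = parse_acl(text)
        for entry, subject in (("ACL", None), ("ACL", "cn=jvisu,dc=example,dc=com"),
                               ("cn=other,dc=example,dc=com", None)):
            access, why = evaluate(rules, entry, subject)
            print(f"{name}: entry={entry!r} subject={subject!r} -> {access} ({why})")
```

Running it shows the asymmetry in the thread: under ruleset 1 anonymous gets `read` on `ACL` because the `to *` directive is reached first; under ruleset 2 the `dn.base=ACL` directive matches first, anonymous matches no explicit `by` clause, and the implicit `by * none` decides, so the later `to *` line is never consulted for that entry. The same anonymous request against any other entry still gets `read` under ruleset 2.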