Kurt Zeilenga wrote:
On Aug 4, 2012, at 9:08 AM, Howard Chu hyc@symas.com wrote:
Dora Paula wrote:
IIUC, your ACL permits search (are there any entries of the type in question, in terms of the search filter) to any authenticated user. If the user is also a member of the group, it also grants read privilege (give me the entries of the type in question).
That's what I expected, too, and it is the standard behavior if you use "users" continued by "self", for example.
In the case of a continued groupdn evaluation, the behavior changes:
If the current bindDn is not a member of the group, or the group's entry does not exist, the previously granted search privilege (=s) is reset: the aclmask gets reset to =0, which means "none". Please have a look at the attached details (file "acl.txt" in my previous posting).
My question was: Is this the intended behavior? I would have expected the search privileges to stay untouched, even in case the group's entry does not exist.
I haven't looked at the code yet but it's possible this is a bug.
Not a bug. As documented, every access statement ends implicitly with a "by * none" clause.
Ah right. The "continue" control is only useful if a following "by" clause matches the subject *and* specifies incremental privileges.
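As an added illustration (not part of the thread), the two ACL forms at issue in slapd.conf syntax: the first reproduces the behavior the poster saw, the second uses incremental privileges so that "continue" actually does something. The base DN, the attribute subtree and the group DN are assumed names for the example; the "+0" placeholder privilege is the one defined in slapd.access(5).

```conf
# Added example, not from the thread. Assumed names: dc=example,dc=com,
# ou=people, cn=readers.
#
# Form 1: what the original poster observed. "users =s continue" grants
# search and keeps evaluating. For a non-member (or when the group entry
# does not exist) the group clause does not match, so evaluation falls
# through to the implicit trailing "by * none" and the =s is lost.
access to dn.subtree="ou=people,dc=example,dc=com"
    by users =s continue
    by group/groupOfNames/member="cn=readers,ou=groups,dc=example,dc=com" read

# Form 2: "continue" is only useful if a later clause that matches the
# subject specifies incremental privileges. Members accumulate s then +r
# and stop there; the final "by users +0" matches every authenticated
# user, adds nothing and stops evaluation before the implicit "by * none",
# so non-members keep the search privilege granted above. Anonymous binds
# still match no clause and get none.
access to dn.subtree="ou=people,dc=example,dc=com"
    by users =s continue
    by group/groupOfNames/member="cn=readers,ou=groups,dc=example,dc=com" +r
    by users +0
```

The conventional form without "continue", the group clause first with "read" and then "by users search", yields the same result because read already implies search.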