At slapd.access we read (about the control keywords):
One useful application is to easily grant write privileges to an updatedn that is different from the rootdn. In this case, since the updatedn needs write access to (almost) all data, one can use access to * by dn.exact="cn=The Update DN,dc=example,dc=com" write by * break as the first access rule. As a consequence, unless the operation is performed with the updatedn identity, control is passed straight to the subsequent rules.
I have the following question. If below the above ACL we add another ACL like:
access to dn.subtree="ou=people,dc=example,dc=com" by dn.exact="cn=Some Other DN,dc=example,dc=com" by * none
...doesn't this mean that the second ACL will override the first, so that "The Update DN" will no longer have access to the whole DIT (as was intended), since, based on the second ACL, "The Update DN"does not have access to "ou=people" branch? If this is the case, then the first ACL is not enough, but care must be taken to avoid any privilege revocation(s) from "The Update DN", by following ACLs.
Or the existence of the former rule means that access has been *definitively decided* for "The Update DN" (i.e. "by" clause match(es) in the first ACL) and any subsequent access statements (later ACLs) can affect *ONLY* other users (i.e. whatever "by" clause matches, *except* "The Update DN")?? This is what I understand from the statement "As a consequence, unless the operation is performed with the updatedn identity, control is passed straight to the subsequent rules."
Can you please clarify which is the case?
Thanks, Nick