At slapd.access we read (about the control keywords):
One useful application is to easily grant write privileges to an
updatedn that is different from the rootdn. In this case, since the
updatedn needs write access to (almost) all data, one can use
access to *
by dn.exact="cn=The Update DN,dc=example,dc=com" write
by * break
as the first access rule. As a consequence, unless the operation is
performed with the updatedn identity, control is passed straight to
the subsequent rules.
I have the following question. If below the above ACL we add another ACL
access to dn.subtree="ou=people,dc=example,dc=com"
by dn.exact="cn=Some Other DN,dc=example,dc=com"
by * none
...doesn't this mean that the second ACL will override the first, so
that "The Update DN" will no longer have access to the whole DIT (as was
intended), since, based on the second ACL, "The Update DN"does not have
access to "ou=people" branch? If this is the case, then the first ACL is
not enough, but care must be taken to avoid any privilege revocation(s)
from "The Update DN", by following ACLs.
Or the existence of the former rule means that access has been
*definitively decided* for "The Update DN" (i.e. "by" clause match(es)
in the first ACL) and any subsequent access statements (later ACLs) can
affect *ONLY* other users (i.e. whatever "by" clause matches, *except*
"The Update DN")?? This is what I understand from the statement "As a
consequence, unless the operation is performed with the updatedn
identity, control is passed straight to the subsequent rules."
Can you please clarify which is the case?