On Fri, 25 May 2012, Nick Milas wrote:
Why when assigning access rights to "entry" and/or "children" attributes, in most cases - as I have seen from experience - we have to end with a "by * break" clause?
Because that's a popular style of ACL processing logic to use for those attributes. As you note, this is done in "most cases", i.e., not all, so obviously there nothing in the software that requires it.
I'm not sure why the ACLs for entry and children that you tend to see use that style, but if I recall correctly, they weren't part of the original ACL design but rather were added in OpenLDAP 2.2 (or maybe 2.3?), so this may be the result of ACL sets being retrofitted during upgrades.
...
I tend to think that this is needed in case(s) where we want to be able to assign different privileges (for children/entry attributes) in subordinate branches, using ACLs following later. But if we follow the rule: "special access rules first, generic access rules last", i.e. if we place our ACLs for entry/children of the bottom branches first in the ACL sequence, then a "by * break" clause would not be required. Is my thinking right?
Yes, though you should review any rules without an attrs= clause carefully to check whether they're setting the rights for the children/entry pseudo-attributes unexpectedly.
And a second question:
Are there any cases where access to "children" and "entry" attributes is determined implicitly, or in all cases (except, I guess, when we specify "access to *") we should declare access rights to these attributes explicitly?
I'm not sure what you mean by "determined implicitly" here, so I can't answer that.
Philip