Hi OpenLDAP team,
I'm new to OpenLDAP and trying to learn the configuration from the OpenLDAP-provided documentation. Please let me know if I'm posting my question in the wrong forum.
The question may be trivial, but I was looking for a behavior about which I'm not clear.
My question is, does the access control order affect the behavior? That is, is there any change in behavior between the below 2 access control rulesets?

1.
access to * by users read by anonymous read
access to dn.base=ACL by users read

2.
access to dn.base=ACL by users read
access to * by users read by anonymous read
Please let me know your comments. Let me know if anything is not clear.
Thanks for support.
Regards J.Visu
On Sat, Oct 22, 2016 at 09:02:33AM +0000, vvv jjj wrote:
My question is, does the access control order affect the behavior? That is, is there any change in behavior between the below 2 access control rulesets.

1.
access to * by users read by anonymous read
access to dn.base=ACL by users read

2.
access to dn.base=ACL by users read
access to * by users read by anonymous read
Yes. The slapd.access(5) man page says: "Lists of access directives are evaluated in the order they appear". It goes on to say that "Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause."
In your examples above, assuming an attempt by anonymous to access your controlled 'ACL' entry:
Using ruleset 1, 'access to *' will be evaluated first, anonymous will be given read access, and processing stops there.
Using ruleset 2, 'access to dn.base=ACL' will be evaluated first, anonymous will be given no access (because every rule ends with an implicit 'by * none'), and processing stops there.
Hope that helps.
Hi OpenLDAP team,
Thanks for quick response Ryan Tandy.
Please correct me if I'm wrong.
As per my understanding, the order of access control affects the access.
Regarding "Using ruleset 1, 'access to *' will be evaluated first, anonymous will be given read access, and processing stops there": in this case "access to dn.base=ACL by users read" is not processed, as the command above it, "access to * by users read by anonymous read", is giving the user access to all attributes. Due to this, "access to dn.base=ACL by users read" is not processed.
Regarding "Using ruleset 2, 'access to dn.base=ACL' will be evaluated first, anonymous will be given no access (because every rule ends with an implicit 'by * none'), and processing stops there": I understood that "access to dn.base=ACL" gives access to users. But I did not understand why the processing stops. Since we have "access to * by users read by anonymous read", does the access command on the next line override the access given above it?
Please let me know if I missed anything or anything is not clear.
Thanks again.
Regards J.Visu
On Sunday, 23 October 2016 6:38 AM, Ryan Tandy ryan@nardis.ca wrote:
On Sun, Oct 23, 2016 at 11:03:55AM +0000, vvv jjj wrote:
Regarding, Using ruleset 1, 'access to *' will be evaluated first, anonymous will be given read access, and processing stops there. In this case the "access to dn.base=ACL by users read" is not processed as the above the command "access to * by users read by anonymous read" is giving the user access to all attribute. Due to this the "access to dn.base=ACL by users read" is not processed.
Correct.
Regarding, Using ruleset 2, 'access to dn.base=ACL' will be evaluated first, anonymous will be given no access (because every rule ends with an implicit 'by * none'), and processing stops there. I understood that the "access to dn.base=ACL" gives access to user. But I did not understand why the process stops. Since we have "access to * by users read by anonymous read", does the next line access command override the above access which is given.
Every rule implicitly ends with 'by * none stop', unless you specify otherwise. Your rule for dn.base=ACL does not specify otherwise, therefore anonymous is assigned 'none' and processing stops. The following line is never reached. This is for the 'ACL' entry specifically: for any other entry (i.e. 'to *'), the 'by anonymous read' rule would indeed be applied.
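To make the evaluation order concrete, here is a small Python model of the rules quoted above from slapd.access(5): directives in order, first matching <what>/<who> clause decides, implicit 'by * none stop' at the end of every directive, and the 'break' control as the way to fall through to the next directive. This is an added example, not code from OpenLDAP or from this thread. It assumes a concrete entry cn=acl,dc=example,dc=com in place of the poster's dn.base=ACL and an authenticated user cn=alice,dc=example,dc=com; the first two rulesets are the poster's, the third is ruleset 2 with an explicit 'by * none break' so anonymous reaches the catch-all directive. The 'continue' control, incremental (+/-) privileges, attrs= selectors and the no-ACLs-at-all default are not modelled.

```python
"""Toy model of slapd access-directive evaluation after slapd.access(5)
(added example, not OpenLDAP code).  Subset: <what> '*' or dn.base="<dn>";
<who> '*', 'anonymous', 'users', dn.base="<dn>"; controls 'stop', 'break'."""
import re
from dataclasses import dataclass

# Privilege levels in increasing order; a grant of level L satisfies any
# request for a level at or below L.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class By:
    who: str
    level: str
    control: str = "stop"   # slapd's default control

@dataclass
class Directive:
    what: str
    bys: list

_DN_SEL = re.compile(r'dn\.base="?([^"]*)"?$')
_BY_CLAUSE = re.compile(r'\bby\s+(\S+)\s+(\S+)(?:\s+(stop|break))?')

def parse_acl(text):
    """Parse one 'access to <what> by <who> <level> [control] ...' per line."""
    directives = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'access\s+to\s+(\S+)\s+(.*)$', line)
        if not m:
            raise ValueError("cannot parse directive: " + line)
        bys = []
        for who, level, control in _BY_CLAUSE.findall(m.group(2)):
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r} in: {line}")
            bys.append(By(who, level, control or "stop"))
        directives.append(Directive(m.group(1), bys))
    return directives

def _what_matches(what, target_dn):
    if what == "*":
        return True
    m = _DN_SEL.match(what)
    if not m:
        raise ValueError("unsupported <what>: " + what)
    return m.group(1).lower() == target_dn.lower()

def _who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    m = _DN_SEL.match(who)
    if not m:
        raise ValueError("unsupported <who>: " + who)
    return bind_dn.lower() == m.group(1).lower()

def evaluate(directives, bind_dn, target_dn):
    """Return (level, trace): the level granted to bind_dn ('' = anonymous)
    on entry target_dn, and the clauses that decided it, in order."""
    level, trace = "none", []
    for n, d in enumerate(directives, 1):
        if not _what_matches(d.what, target_dn):
            continue
        # Every directive ends with an implicit 'by * none stop'.
        for b in d.bys + [By("*", "none", "stop")]:
            if not _who_matches(b.who, bind_dn):
                continue
            trace.append(f"directive {n} (to {d.what}): by {b.who} {b.level} {b.control}")
            level = b.level          # an absolute level overrides earlier ones
            if b.control == "stop":
                return level, trace  # checking stops at the first match
            break                    # 'break': carry on with the next directive
    return level, trace

def allowed(directives, bind_dn, target_dn, needed="read"):
    level, _ = evaluate(directives, bind_dn, target_dn)
    return LEVELS.index(level) >= LEVELS.index(needed)

# Constructed sample data; the DNs are assumptions, not from the thread.
ACL_DN = "cn=acl,dc=example,dc=com"    # stands in for the poster's dn.base=ACL
ALICE = "cn=alice,dc=example,dc=com"   # an authenticated user
OTHER = "cn=other,dc=example,dc=com"   # any other entry

RULESET_1 = parse_acl(f'''
access to * by users read by anonymous read
access to dn.base="{ACL_DN}" by users read
''')
RULESET_2 = parse_acl(f'''
access to dn.base="{ACL_DN}" by users read
access to * by users read by anonymous read
''')
# Ruleset 2 with an explicit 'break' replacing the implicit 'by * none stop'.
RULESET_2_BREAK = parse_acl(f'''
access to dn.base="{ACL_DN}" by users read by * none break
access to * by users read by anonymous read
''')

if __name__ == "__main__":
    for name, rs in [("ruleset 1", RULESET_1), ("ruleset 2", RULESET_2),
                     ("ruleset 2 + break", RULESET_2_BREAK)]:
        for who, dn in [("anonymous", ""), ("alice", ALICE)]:
            lvl, trace = evaluate(rs, dn, ACL_DN)
            print(f"{name}: {who} on {ACL_DN} -> {lvl} via {trace}")
```

Running it reproduces the thread: under ruleset 1 anonymous gets read on the ACL entry from the catch-all directive, under ruleset 2 the trace shows anonymous stopping at directive 1's implicit 'by * none stop', and under the 'break' variant anonymous is carried on to directive 2 and gets read. Adding 'by anonymous read' to the specific directive is the more direct fix if that is the intended policy. Against a real configuration the same check is done by slapacl(8), e.g. slapacl -F /etc/openldap/slapd.d -b "<entry dn>" -D "<bind dn>" entry/read, leaving out -D for anonymous.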
Thanks Ryan. Got clarity on my question. Thanks again to the OpenLDAP team for providing good support.
Regards J.Visu
On Tuesday, 25 October 2016 6:42 AM, Ryan Tandy ryan@nardis.ca wrote:
openldap-technical@openldap.org