> by dn.base="cn=replication_low_security,dc=organisation,dc=com" none
> by * break
>
> the break rule will be ignored, as 'none' is the implicit last rule.
No, "none" does not imply "this is the last rule". OTOH there is an implicit last "by * none", hidden by the "by * break".
To me it seems that if a "by * break" appears
* in the database ACLs, in my case slapd does not continue looking for global access directives in the frontend;
* in the frontend ACLs, slapd continues evaluating statements from the global access directives.
http://www.openldap.org/doc/admin24/access-control.html
states "For each entry, access controls provided in the database which holds the entry [...] apply first, followed by the global access directives",
so my understanding is that what I am observing should not happen.
> run slapd with -dacl
The interesting line here should be "52c12415 => slap_access_allowed: no more rules" (although there are more in the frontend):
dn: ACCESSLOG_DB
olcAccess: {0}to dn.subtree="cn=accesslog"
attrs=reqMod val.regex="^topSecretAttribute:.*"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" none
by * break
dn: ACCESSLOG_DB
olcAccess: {1}to dn.subtree="cn=accesslog"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" read
by * break
dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog"
by dn.base="cn=provisioninguser,dc=organisation,dc=com" read
by * none
52c12415 => access_allowed: read access to
"reqStart=20131227145130.000001Z,cn=accesslog" "reqMod" requested
52c12415 => dn: [1] cn=accesslog
52c12415 => acl_get: [1] matched
52c12415 acl_get: valpat ^topSecretAttribute:.*
52c12415 => dn: [2] cn=accesslog
52c12415 => acl_get: [2] matched
52c12415 => acl_get: [2] attr reqMod
52c12415 => acl_mask: access to entry
"reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod"
requested
52c12415 => acl_mask: to value by
"cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12415 <= check a_dn_pat: cn=replicationuser,dc=organisation,dc=com
52c12415 <= check a_dn_pat: cn=replication_public_user,dc=organisation,dc=com
52c12415 <= check a_dn_pat: *
52c12415 <= acl_mask: [3] applying +0 (break)
52c12415 <= acl_mask: [3] mask: =0
52c12415 <= acl_get: done.
52c12415 => slap_access_allowed: no more rules
52c12415 => access_allowed: no more rules
52c12415 send_search_entry: conn 1002 access to attribute reqMod, value #6 not allowed
###############################################################################
dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog"
attrs=reqMod val.regex="^topSecretAttribute:.*"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" none
by * break
dn: FRONTEND
olcAccess: {1}to dn.subtree="cn=accesslog"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" read
by * break
dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog"
by dn.base="cn=provisioninguser,dc=organisation,dc=com" read
by * none
52c12bbf => access_allowed: read access to
"reqStart=20131227145130.000001Z,cn=accesslog" "reqMod" requested
52c12bbf => dn: [24] cn=accesslog
52c12bbf => acl_get: [24] matched
52c12bbf acl_get: valpat ^topSecretAttribute:.*
52c12bbf => dn: [25] cn=accesslog
52c12bbf => acl_get: [25] matched
52c12bbf => acl_get: [25] attr reqMod
52c12bbf => acl_mask: access to entry
"reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod"
requested
52c12bbf => acl_mask: to value by
"cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12bbf <= check a_dn_pat: cn=replicationuser,dc=organisation,dc=com
52c12bbf <= check a_dn_pat: cn=replication_public_user,dc=organisation,dc=com
52c12bbf <= check a_dn_pat: *
52c12bbf <= acl_mask: [3] applying +0 (break)
52c12bbf <= acl_mask: [3] mask: =0
52c12bbf => dn: [26] cn=accesslog
52c12bbf => acl_get: [26] matched
52c12bbf => acl_get: [26] attr reqMod
52c12bbf => acl_mask: access to entry
"reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod"
requested
52c12bbf => acl_mask: to value by
"cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12bbf <= check a_dn_pat: cn=provisioninguser,dc=organisation,dc=com
52c12bbf <= acl_mask: [1] applying read(=rscxd) (stop)
52c12bbf <= acl_mask: [1] mask: read(=rscxd)
52c12bbf => slap_access_allowed: read access granted by read(=rscxd)
52c12bbf => access_allowed: read access granted by read(=rscxd)
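To make the difference between the two traces concrete, here is a small model of the evaluation order (an added example, not code from this thread or from OpenLDAP): "stop" and "break" by-clauses, the implicit trailing "by * none", and whether the global directives are appended after the database's own. The DNs, attribute and regex are taken from the olcAccess lines above; the "continue" control and additive privileges are not modelled, and the sample value is constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class By:
    who: str                # dn.base value, or "*"
    access: str             # "read" or "none"
    control: str = "stop"   # "stop" (default) or "break"

@dataclass
class Acl:
    by: list
    attr: str = None        # attrs=...; None matches every attribute
    val_regex: str = None   # val.regex=...; None matches every value

    def matches(self, attr, value):
        if self.attr is not None and self.attr != attr:
            return False
        return self.val_regex is None or re.search(self.val_regex, value) is not None

def evaluate(acls, who, attr, value):
    """Walk one ordered directive list for a single attribute value; returns (decision, trace)."""
    trace = []
    for i, acl in enumerate(acls):
        if not acl.matches(attr, value):
            continue
        # implicit trailing "by * none"; an explicit "by * break" matches first and hides it
        for clause in acl.by + [By("*", "none")]:
            if clause.who not in ("*", who):
                continue
            trace.append(f"[{i}] by {clause.who} {clause.access} ({clause.control})")
            if clause.control == "break":
                break            # go on to the next matching <to> directive, if any
            return clause.access, trace
    trace.append("no more rules")    # ran off the end after a break: denied
    return "none", trace

RU, LS, PU = (f"cn={u},dc=organisation,dc=com" for u in
              ("replicationuser", "replication_low_security", "provisioninguser"))
DB_ACLS = [  # the two olcAccess entries of the accesslog database above
    Acl([By(RU, "read"), By(LS, "none"), By("*", "none", "break")],
        attr="reqMod", val_regex=r"^topSecretAttribute:.*"),
    Acl([By(RU, "read"), By(LS, "read"), By("*", "none", "break")]),
]
FRONTEND_ACLS = [Acl([By(PU, "read"), By("*", "none")])]   # the global directive
if __name__ == "__main__":
    secret = "topSecretAttribute: constructed sample value"
    print(evaluate(DB_ACLS, PU, "reqMod", secret))                  # database list only
    print(evaluate(DB_ACLS + FRONTEND_ACLS, PU, "reqMod", secret))  # global appended
```

The first call reproduces the "no more rules" outcome of the first trace; the second reproduces the grant seen once all three directives sit in one list, which is why a trailing "by * break" in the database's last directive is only safe if the global directives really are consulted afterwards.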