[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL processing: additive privs (using control continue)

Sorry for the top posting.

Iiuc, your acl permit search ( There are any entries of question type
in term of search filter) to any authenticated user. If the user is
also member of the group grant also read privilege ( give me the
entries question type) .


Regards

2012/8/4, Dora Paula <deepee@gmx.net>:
> Hi list,
>
> just a short question about "continue" and additive privileges, given
> the following acl statement:
>
> access to dn.subtree="o=test" attrs=sn
>   by users =s continue
>   by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
>
> If the current user's bindDn isn't a member of the group
> "cn=readers,..." or the group's entry does not exist, the previously set
> privilege "=s" will be reset to "none"?
>
> As the slapd.access man page just gives a "silly" and an "even more
> silly" example regarding "continue" I'm not sure this is the intended
> behavior.
>
> Attached you'll find my minimalistic testbed:
>    slapd.conf
>    sample ldif data
>    two ldapsearch commands (including their slapd.log level 128)
>
> I'm using openldap MASTER.
>
> Thank you very much.
>
> Cheers
> Dora
>
>

-- 
Inviato dal mio dispositivo mobile