[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL processing: additive privs (using control continue)
Kurt Zeilenga wrote:
>
> On Aug 4, 2012, at 9:08 AM, Howard Chu <hyc@symas.com> wrote:
>
>> Dora Paula wrote:
>>>
>>>> Iiuc, your acl permit search ( There are any entries of question type
>>>> in term of search filter) to any authenticated user. If the user is
>>>> also member of the group grant also read privilege ( give me the
>>>> entries question type) .
>>>
>>> That's what I've expected, too, and what is the standard behavior if you
>>> use "users" continued by "self" for example.
>>>
>>> In case of a continued groupdn evaluation the behavior changes:
>>>
>>> If the current bindDn is not a member of the group or the group's entry
>>> does not exist the previously granted search privilege (=s) is reset:
>>> The aclmask gets reset to =0 which means "none". Please have a look into
>>> the attached details (file "acl.txt" in my previous posting).
>>>
>>> My question was: Is this the intended behavior? I would have expected
>>> the search privileges to stay untouched, even in case the group's entry
>>> does not exist.
>
>>
>> I haven't looked at the code yet but it's possible this is a bug.
>
> Not a bug. As documented, every access statement ends implicitly with a "by * none" clause.
Ah right. The "continue" control is only useful if a following "by" clause
matches the subject *and* specifies incremental privileges.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/