ITS#1383
This syntax corrects the issue:
OpenLDAPaci: 1.2.3#entry#grant;r;[entry];r,s;cn,member#group#cn=group1...
The described behavior is not the same as that in practice. It appears
all rights not explicitly granted are implicitly denied, resulting in
every "by aci" directive ending necessarily in a stop, regardless of
whether the subject is matched by DN and/or group membership. A
non-matched subject results in no-access to [entry].
Granting access to [all] implies [entry], but granting access only to
attributes does not imply [entry]. I think that granting r to any
attribute should imply granting r to [entry], but I expect there are
reasons for the current interpretation.
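
The following is an added example, not part of the original message and not OpenLDAP code: a small Python check that parses an OpenLDAPaci value in the five-field form shown above and reports attributes that are granted `r` while no grant covers `[entry]` or `[all]`, the situation this message describes. The function names, the `$` clause separator handling, and the sample values (including the placeholder group DN) are assumptions constructed for illustration.

```python
def parse_aci(value):
    """Split an OpenLDAPaci value of the form OID#scope#rights#type#subject."""
    parts = value.split("#", 4)  # the subject DN is last and is kept whole
    if len(parts) != 5:
        raise ValueError("expected 5 '#'-separated fields, got %d" % len(parts))
    oid, scope, rights, subj_type, subject = parts
    clauses = []
    # Assumption: several action clauses may be joined with '$'.
    for clause in rights.split("$"):
        fields = clause.split(";")
        action, pairs = fields[0].strip().lower(), fields[1:]
        if action not in ("grant", "deny") or not pairs or len(pairs) % 2:
            raise ValueError("malformed rights clause: %r" % clause)
        # After the action, fields alternate: permissions, then targets.
        for perms, targets in zip(pairs[0::2], pairs[1::2]):
            clauses.append((action,
                            {p.strip().lower() for p in perms.split(",")},
                            {t.strip().lower() for t in targets.split(",")}))
    return {"oid": oid, "scope": scope, "type": subj_type,
            "subject": subject, "clauses": clauses}


def entry_read_gap(value):
    """Return attributes granted 'r' when no grant gives 'r' on [entry] or [all]."""
    granted_attrs, entry_readable = set(), False
    for action, perms, targets in parse_aci(value)["clauses"]:
        if action != "grant" or "r" not in perms:
            continue
        if targets & {"[entry]", "[all]"}:
            entry_readable = True  # [all] implies [entry], per the message
        granted_attrs |= {t for t in targets if not t.startswith("[")}
    return [] if entry_readable else sorted(granted_attrs)


# Constructed sample values; the subject DN is a placeholder.
SUBJECT = "cn=group1,dc=example,dc=com"
ATTRS_ONLY = "1.2.3#entry#grant;r,s;cn,member#group#" + SUBJECT
WITH_ENTRY = "1.2.3#entry#grant;r;[entry];r,s;cn,member#group#" + SUBJECT
WITH_ALL = "1.2.3#entry#grant;r;[all]#group#" + SUBJECT

if __name__ == "__main__":
    for aci in (ATTRS_ONLY, WITH_ENTRY, WITH_ALL):
        gap = entry_read_gap(aci)
        print("GAP" if gap else "OK ", aci, gap)
```

A non-empty result lists attributes whose read grant would be unusable under the behavior reported here, because the subject has no access to `[entry]`.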