[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)

Let me elaborate just a bit more: I'm not saying the code is wrong;
actually, the current behavior never looked even strange to me because
when I usually design ACLs I don't happen to trigger this type of
problems.  I was playing with my new slapacl toy, and I noticed
this behavior was a bit counterintuitive for my usual ACL coding

Usually I do:

access to *
  by * read

database xxx
suffix <namingContext>

access to <specific>
  by <who> <level>

# ...

access to <namingContext>
  by <who> <level>

so there's never any problem, because all database rules stop at
<namingContext>.  I had one when as last database rule I used

access to *
  by * read

which shadowed the global rules when accessing "cn=subschema", but it's
not something I'm going to exploit in real deployments.  If I don't add
this rule, then global rules catch all at the end.  What disturbs me is
when I'm testing access to something that's outside the namingContext the
database rules were designed for.


Pierangelo Masarati