OpenLDAP 2.0 beta and ACLs
I have a question about ACLs in the OpenLDAP 2.0 beta.
I'm currently trying to set up ACLs with OpenLDAP 2.0; they seem to have
changed somehow since OpenLDAP 1.2 (and the slapd and slurpd administrator's
guide). Especially I didn't manage to figure out how the new keywords
stop, break and continue are supposed to work.
The following ACLs work somehow.
access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
attrs=entry,objectclass,uid by dn=".*,ou=apps,dc=suse,dc=com"
access to dn=".*,ou=a,dc=t-online,dc=com|.*,ou=b,dc=suse,dc=com"
attrs=cn,sn by dn="cn=sampleapp,ou=apps,dc=suse,dc=com" read
access to *
by dn="cn=admin,dc=suse,dc=com" write stop
by * auth
The user "cn=sampleapp,ou=apps,dc=suse,dc=com" can bind to the directory
and read the attributes objectclass, uid, cn and sn from the objects below
ou=a,dc=suse,dc=com and ou=b,dc=suse,dc=com. However,
"cn=admin,dc=suse,dc=com" cannot read these objects (but all other
objects in the directory tree). Why is that the case?
If I move the last access statement to the beginning, admin will get
access to everything but the other objects won't get any access. I think
that behaviour is right because the "access to * by * auth stop" ACL
matches and prevents all other ACLs from being read.
However, if I replace the stop behind the auth with a continue, no one
can read anything at all. Is this the correct behaviour?
Maybe I misunderstood the whole concept of the stop, break and continue
keywords. Is there any documentation about it available? The manpage of
slapd.conf says only:
access to <what> [ by <who> <access> <control> ]+
Grant access (specified by <access>) to a set of
entries and/or attributes (specified by <what>) by
one or more requestors (specified by <who>). See
Developer's FAQ (http://www.openldap.org/faq/) for
How do I find anything about it in the developers FAQ?
Thanks in advance
Stephan Siano Mail: Stephan.Siano@suse.de
SuSE Linux Solutions AG Phone: 06196 50951 31
Mergenthalerallee 45-47 Fax: 06196 409607
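The following is an added illustration, not part of the post or of OpenLDAP itself: a small Python model of the evaluation rules described in slapd.access(5) (first matching "access to" directive governs the request, first matching "by" clause sets the level, stop/continue/break as controls, implicit "by * none" when a directive's by clauses run out). It replays the three configurations the post describes. Assumptions: the first directive in the post omits the access level, so "read" is assumed there (it matches the observed behaviour); the entry DN and the "mail" attribute are constructed samples; the defaultaccess value only matters when no directive matches at all.

```python
import re


def directive(what_dn, by, attrs=None):
    """One 'access to <what> by <who> <access> <control>' directive.
    what_dn: regex the entry DN must match; attrs: set of attribute names,
    or None for any attribute; by: list of (who, level, control) tuples,
    where who is '*' or a regex over the requestor DN and control is
    'stop', 'continue' or 'break'."""
    return {"what_dn": what_dn, "attrs": attrs, "by": by}


def evaluate(acl, entry_dn, attr, requestor, defaultaccess="read"):
    """Access level the requestor ends up with on (entry_dn, attr).

    Modelled on slapd.access(5): directives are tried in order and the first
    whose <what> matches governs the request; its <by> clauses are tried in
    order and the first whose <who> matches sets the level. 'stop' ends the
    evaluation, 'continue' keeps scanning the same directive's <by> clauses,
    'break' skips to the next matching directive, and running out of <by>
    clauses hits the implicit trailing 'by * none'. defaultaccess (assumed
    here; OpenLDAP 2.0 defaulted it to read) applies only when no directive
    matched at all."""
    level = None  # None: no directive has matched yet
    for d in acl:
        if re.fullmatch(d["what_dn"], entry_dn) is None:
            continue
        if d["attrs"] is not None and attr not in d["attrs"]:
            continue
        broke_out = False
        for who, lvl, control in d["by"]:
            if who != "*" and re.fullmatch(who, requestor) is None:
                continue
            level = lvl
            if control == "stop":
                return level
            if control == "break":
                broke_out = True  # carry the level into the next directive
                break
            # 'continue': keep scanning this directive's <by> clauses
        if not broke_out:
            return "none"  # implicit trailing 'by * none'
    return defaultaccess if level is None else level


# Simplified version of the post's configuration (second directive uses
# ou=a,dc=suse,dc=com; the access level in the first directive is assumed).
ORIGINAL = [
    directive(r".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com",
              attrs={"entry", "objectclass", "uid"},
              by=[(r".*,ou=apps,dc=suse,dc=com", "read", "stop")]),
    directive(r".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com",
              attrs={"cn", "sn"},
              by=[(r"cn=sampleapp,ou=apps,dc=suse,dc=com", "read", "stop")]),
    directive(r".*", by=[(r"cn=admin,dc=suse,dc=com", "write", "stop"),
                         ("*", "auth", "stop")]),
]


def catch_all_first(control):
    """The post's reordering: 'access to *' first, with the given control
    on the admin clause."""
    return [directive(r".*", by=[(r"cn=admin,dc=suse,dc=com", "write", control),
                                 ("*", "auth", "stop")])] + ORIGINAL[:2]


ADMIN = "cn=admin,dc=suse,dc=com"
APP = "cn=sampleapp,ou=apps,dc=suse,dc=com"
ENTRY = "uid=someone,ou=a,dc=suse,dc=com"  # constructed sample entry

if __name__ == "__main__":
    print(evaluate(ORIGINAL, ENTRY, "uid", APP))     # read
    print(evaluate(ORIGINAL, ENTRY, "uid", ADMIN))   # none: directive 1 governs, no <by> matches admin
    print(evaluate(ORIGINAL, ENTRY, "mail", ADMIN))  # write: only the catch-all covers attribute mail
    print(evaluate(catch_all_first("stop"), ENTRY, "uid", ADMIN))      # write
    print(evaluate(catch_all_first("stop"), ENTRY, "uid", APP))        # auth
    print(evaluate(catch_all_first("continue"), ENTRY, "uid", ADMIN))  # auth: 'by * auth' also matches admin
    print(evaluate(catch_all_first("break"), ENTRY, "uid", ADMIN))     # none: falls to directive 1, no match
```

The model reproduces what the post reports: with the catch-all last, the first directive is the one selected for uid under ou=a and it has no by clause for admin, so the implicit "by * none" applies and the later "access to *" is never consulted; with "continue", the admin clause is followed by "by * auth", which also matches admin and replaces write with auth.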