[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP 2.0 beta and ACLs

I have a question to ACLs in the OpenLDAP 2.0 beta.

I'm currently trying to set up ACLs with OpenLDAP 2.0 they seem to have
change somhow since OpenLDAP 1.2 (and the slapd and slurpd adimisrators
guide). Especially I didn't manage do figure out how the new keywords
stop, brak and continue are supposed to work.

The following ACLs work somehow.
access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
        attrs=entry,objectclass,uid by dn=".*,ou=apps,dc=suse,dc=com"
read continue
access to dn=".*,ou=a,dc=t-online,dc=com|.*,ou=b,dc=suse,dc=com"
        attrs=cn,sn by dn="cn=sampleapp,ou=apps,dc=suse,dc=com" read
access to *
        by dn="cn=admin,dc=suse,dc=com" write stop
        by * auth

The user "cn=sampleapp,ou=apps,dc=suse,dc=com" can bind to the directory
and read the attrubutes objectclass,uid,cn and sn from the objects below
ou=a,dc=suse,dc=com and ou=b,dc=suse,dc=com. However,
"cn=admin,dc=suse,dc=com" cannot read these objects (but all other
objects in the directory tree). Why is that the case?

If I move the last access statement to the beginning admin will get
access to everything but the other objects won't get any access. I think
that behaviour is right because of the "access to * by * auth stop" ACL
matches and prevents all other ACLs from being read.

However, if I replace the stop behind the auth with a continue, no one
can read anything at all. Is this the correct behaviour?

Maybe I misunderstood the whole concept of the stop, break and continue
keywords. Is there any documentation about it available? The manpage of
slapd.conf says only:
access to <what> [ by <who> <access> <control> ]+
              Grant  access  (specified  by <access>) to a set of
              entries and/or attributes (specified by <what>)  by
              one  or  more requestors (specified by <who>).  See
              Developer's FAQ (http://www.openldap.org/faq/)  for

How do I find anything about it in the developers FAQ?

Thanks in advance
Stephan Siano

Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47			Fax:   06196 409607
D-65760 Eschborn