Re: OpenLDAP 2.0 beta and ACLs
At 10:17 AM 7/14/00 +0200, Stephan Siano wrote:
>I have a question about ACLs in the OpenLDAP 2.0 beta.
>I'm currently trying to set up ACLs with OpenLDAP 2.0; they seem to have
>changed somehow since OpenLDAP 1.2 (and the slapd and slurpd administrator's
>guide). Especially I didn't manage to figure out how the new keywords
>stop, break and continue are supposed to work.
These are primarily meant to be used in conjunction with ACIs.
If you are not using ACIs, I suggest you do not specify a
control keyword (defaults to 'stop') which is 1.x behavior.
If you are using ACIs, I suggest you only use the control
keywords as needed to support ACIs.
The test suite contains some examples which might be instructive.
>The following ACLs work somehow.
>access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
> attrs=entry,objectclass,uid by dn=".*,ou=apps,dc=suse,dc=com"
You've continued into the implicit "by * none". Use break if you want
to step out of this access directive and continue with the next one.
>access to dn=".*,ou=a,dc=t-online,dc=com|.*,ou=b,dc=suse,dc=com"
> attrs=cn,sn by dn="cn=sampleapp,ou=apps,dc=suse,dc=com" read
>access to *
> by dn="cn=admin,dc=suse,dc=com" write stop
> by * auth
>The user "cn=sampleapp,ou=apps,dc=suse,dc=com" can bind to the directory
>and read the attributes objectclass, uid, cn and sn from the objects below
>ou=a,dc=suse,dc=com and ou=b,dc=suse,dc=com. However,
>"cn=admin,dc=suse,dc=com" cannot read these objects (but all other
>objects in the directory tree). Why is that the case?
>If I move the last access statement to the beginning admin will get
>access to everything but the other objects won't get any access. I think
>that behaviour is right because of the "access to * by * auth stop" ACL
>matches and prevents all other ACLs from being read.
>However, if I replace the stop behind the auth with a continue, no one
>can read anything at all. Is this the correct behaviour?
>Maybe I misunderstood the whole concept of the stop, break and continue
>keywords. Is there any documentation about it available? The manpage of
>slapd.conf says only:
>access to <what> [ by <who> <access> <control> ]+
> Grant access (specified by <access>) to a set of
> entries and/or attributes (specified by <what>) by
> one or more requestors (specified by <who>). See
> Developer's FAQ (http://www.openldap.org/faq/) for
>How do I find anything about it in the developers FAQ?
Like I said in the Beta announcement... this release is not fully
>Thanks in advance
>Stephan Siano Mail: Stephan.Siano@suse.de
>SuSE Linux Solutions AG Phone: 06196 50951 31
>Mergenthalerallee 45-47 Fax: 06196 409607
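As an added example (not part of the original exchange, and not from the OpenLDAP project itself), here is the quoted ACL set reworked so that the admin DN can also reach the entries under ou=a and ou=b. It relies on the OpenLDAP 2.0 control-keyword semantics documented in slapd.access(5): stop (the default) ends evaluation as soon as a "by" clause matches, continue goes on to the next "by" clause of the same access directive, and break leaves the current access directive and continues with the next access directive that matches. The DNs are the ones from the quoted configuration; the access levels chosen for the admin, and the two alternative layouts, are assumptions for illustration.

```conf
# Added example, not from the original thread.  Assumes OpenLDAP 2.0 control
# keywords as described in slapd.access(5):
#   stop     - default; evaluation ends when this "by" clause matches
#   continue - go on to the next "by" clause of the SAME access directive
#   break    - leave this access directive, try the NEXT matching directive
#
# The problem in the quoted configuration: the first directive matches
# entries under ou=a / ou=b, the admin DN matches none of its "by" clauses,
# so the implicit trailing "by * none" applies and evaluation stops there.
# Result: admin can read everything except those entries.

# Layout 1: name the admin explicitly in the specific directives.
access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
        attrs=entry,objectclass,uid
        by dn="cn=admin,dc=suse,dc=com" write
        by dn=".*,ou=apps,dc=suse,dc=com" read

access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
        attrs=cn,sn
        by dn="cn=admin,dc=suse,dc=com" write
        by dn="cn=sampleapp,ou=apps,dc=suse,dc=com" read

# Layout 2 (alternative to layout 1): let requestors that match no "by"
# clause fall through to later directives instead of hitting "by * none".
# "by * none break" ends this directive without granting anything and
# continues with the next matching directive, where the admin gets write.
#
# access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
#         attrs=entry,objectclass,uid
#         by dn=".*,ou=apps,dc=suse,dc=com" read
#         by * none break

# Catch-all stays last, as in the original: admin writes everything else,
# everyone else may only authenticate.  Putting it first would make it
# match every request, and its implicit "stop" would shadow the rest.
access to *
        by dn="cn=admin,dc=suse,dc=com" write
        by * auth
```

Either layout keeps the ordering rule that bites in the quoted setup: the first access directive whose <what> matches is the one evaluated, so specific directives go before "access to *", and a requestor that matches no "by" clause in that directive gets "none" unless a break hands it on to a later directive.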