
Re: Access-Control
At 09:15 PM 8/3/99 +0200, Frank Matthieß wrote:
>Samir Desai schrieb:
>> I am still trying to get the knack of building the acl's, since they are
>> very picky in OpenLDAP.  Not only are the access controls important but even
>> their ordering.
>
>Right. But it depends on the defaultaccess rights. If you set this to none, then
>the order is important. 

Order is always important.  The ACLs have strict first-match logic.
Only the first ACL with a matching "what" clause matters... of
which either the first matching "who" clause or default access is
granted.  If no "what" clause matches, the default access is granted.

It is also important to understand the difference between "compare",
"search", and "read".

"compare" affects only COMPARE operations.  It allows the target
to be compared.

"search" affects only SEARCH operations.  It allows the target
to be examined as a search candidate.

"read" affects only SEARCH operations.  It allows the
target to be returned to the client.

"write" affects ADD, DELETE, MODIFY, and MODRDN.

Just yesterday I provided an example which allowed for an entry
to be searched by either uid or cn but only allowed the "entry"
(ie: dn) to be returned.
  http://www.openldap.org/lists/openldap-software/9908/msg00025.html

Kurt
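The two points in Kurt's reply, first-match ordering on the "what" clause and the search-vs-read distinction, as an added slapd.conf fragment that is not part of the original thread or of the OpenLDAP project's own documentation. It uses OpenLDAP 2.x `access to` syntax (`attrs=`, `users`, `anonymous`); the suffix `dc=example,dc=com` and the attribute choices are placeholders for illustration.

```conf
# Added example, not from the original mailing-list thread.
# OpenLDAP slapd.conf access-control fragment; suffix and attributes are placeholders.

# --- WRONG ORDER (shown commented out) ---------------------------------------
# The catch-all "what" below matches every entry and attribute, so it is the
# first match for everything and the password rule after it is never consulted.
# Result: every authenticated user can read userPassword hashes.
#
# access to *
#     by users read
#     by * none
# access to attrs=userPassword
#     by self write
#     by * none

# --- CORRECT ORDER: most specific "what" first ----------------------------------
# First match wins, so the password rule must precede anything that could also
# match userPassword.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# "search" only lets uid and cn be evaluated as filter candidates; it does NOT
# let their values be returned. Clients can find an entry by uid or cn without
# reading either attribute back.
access to attrs=uid,cn
    by * search

# The "entry" pseudo-attribute controls access to the entry itself; "read" on
# it allows the matched entry's DN to be returned to the client.
access to attrs=entry
    by * read

# Everything else: authenticated users may read, everyone else gets nothing.
# Keeping an explicit final catch-all means no request falls through to the
# server default, which is the "defaultaccess" behaviour the thread discusses.
access to *
    by users read
    by * none
```

Checking an ordering mistake does not require guessing: run slapd with `-d acl` (or `-d 128`) and watch which `access to` rule is reported as the match for a search that should have been denied. If the catch-all is logged as the matching rule for `userPassword`, the specific rule sits too late in the file.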