[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with break keyword in ACLs

To: Wout van Albada <wout@science.uva.nl>
Subject: Re: Problem with break keyword in ACLs
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 18 Dec 2003 20:06:32 -0800
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20031217092824.GA11304@init.science.uva.nl>
References: <20031217092824.GA11304@init.science.uva.nl>

At 01:28 AM 12/17/2003, Wout van Albada wrote:
>Going back to the first set of ACLs:
>
>access to *
>    by * =csr break
>
>access to dn.children=ou=admin,dc=science,dc=uva,dc=nl
>    by * none stop
>
>My interpretation of the 'break' keyword is that it amends the
>access bits (=csr in this case) but allows other ACLs to apply
>as well.

including the implicit:
        access to * by * none

at the end of the list.  If you want =csr to have effect,
add to end of your ACLs:
        access to * by * -w

or +0 if you like (the latter may not be properly documented).

>is skipped and thus the first ACL is not effective.

Yes, because implicit last rule:
        access to * by none

>Is break meant to behave this way?

Yes.

References:
- Problem with break keyword in ACLs
  - From: Wout van Albada <wout@science.uva.nl>

Prev by Date: Re: multiple conditions in ACL
Next by Date: Re: Running slapd and user authentication
Index(es):
- Chronological
- Thread