
Re: ACL access control flux; CONTINUE



At 11:47 AM 7/3/2006, Forrest Gump wrote:
>Hi fellows!!!
> 
> I have a little doubt about how the ACL works with the flux control CONTINUE.
> I mean... the BREAK jumps to the next matched clause, and CONTINUE?
> to the next matched BY?? or just to the next??
> 
> An example:
> 
> access to dn.subtree="dc=br"
>         by dn.subtree="ou=house,dc=br" read continue
>         by dn.base="uid=houseAdmin,ou=house,dc=br" write
> 
> Let me explain what happens here: every object below "ou=house,dc=br" gets matched when the first BY directive is checked and is granted the READ right, but because of the flux control CONTINUE, will every object be allowed to WRITE on "dc=br" subtree?? or only "uid=houseAdmin,ou=house,dc=br"??

The access statement above is equivalent to:
        access to dn.subtree="dc=br"
                by dn.base="uid=houseAdmin,ou=house,dc=br" write

That is, the subsequent statements assign either "write" or
"none" (implicit).

It is pointless to use "continue" when the remaining clauses
assign rights (as opposed to increment rights).  See
http://www.openldap.org/faq/index.cgi?file=454 for an example
of point-full use.



> 
> thx for helping!
> 
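
Added example, not part of the original thread and not OpenLDAP code: a simplified Python model of how the "by" clauses of one access statement are walked, run on the ACL from the question and on a constructed variant whose later clauses increment rights. It assumes plain string DN matching, models only "stop" and "continue", and every helper name and the sample user DN are hypothetical.

```python
# Simplified model of evaluating the "by" clauses of ONE access statement.
# Only "stop" (the default) and "continue" are modelled; DN matching is plain
# string comparison. Helper names are hypothetical, not OpenLDAP code.
LEVELS = {"none": "", "read": "rscxd", "write": "wrscxd"}

def subtree(base_dn):
    return lambda dn: dn == base_dn or dn.endswith("," + base_dn)

def base(exact_dn):
    return lambda dn: dn == exact_dn

def anyone(dn):
    return True

def apply_priv(mask, priv):
    """A level name assigns; '=flags' assigns; '+flags' / '-flags' adjust."""
    if priv in LEVELS:
        return set(LEVELS[priv])
    op, flags = priv[0], set(priv[1:]) - {"0"}
    if op == "=":
        return flags
    return mask | flags if op == "+" else mask - flags

def evaluate(clauses, who):
    mask = set()
    # Every statement ends with an implicit "by * none stop".
    for match, priv, control in clauses + [(anyone, "none", "stop")]:
        if match(who):
            mask = apply_priv(mask, priv)
            if control == "stop":
                break
    return "".join(sorted(mask))

HOUSE = "ou=house,dc=br"
ADMIN = "uid=houseAdmin,ou=house,dc=br"
USER = "uid=someUser,ou=house,dc=br"  # constructed sample DN

# ACL from the question: the clauses after "continue" ASSIGN rights.
ASSIGNING = [(subtree(HOUSE), "read", "continue"),
             (base(ADMIN), "write", "stop")]

# Constructed variant: the clauses after "continue" INCREMENT rights.
INCREMENTAL = [(subtree(HOUSE), "read", "continue"),
               (base(ADMIN), "+w", "stop"),
               (anyone, "+0", "stop")]

if __name__ == "__main__":
    for name, acl in (("assigning", ASSIGNING), ("incremental", INCREMENTAL)):
        for who in (ADMIN, USER):
            print(name, who, repr(evaluate(acl, who)))
```

In the first ACL the ordinary user's read is overwritten by the implicit trailing "none"; in the variant the explicit "by * +0" leaves the accumulated rights in place.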