[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL access control flux; CONTINUE




"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> escreveu: At 11:47 AM 7/3/2006, Forrest Gump wrote:
>Hi felows!!!
> 
> I have a little doubt about how the ACL works with the flux control CONTINUE.
> I mean... the BREAK junps to the next matched clausule, and CONTINUE?
> to the next matched BY?? or just to the next??
> 
> An example:
> 
> access to dn.subtree="dc=br"
>         by dn.subtree="ou=house,dc=br" read continue
>         by dn.base="uid=houseAdmin,ou=house,dc=br" write
> 
> Let me explain what happens here: every object below "ou=house,dc=br" get mached when the first BY directive is checked and is granted the READ right, but because the flux control CONTINUE, will every object be allowed to WRITE on "dc=br" subtree?? or only "uid=houseAdmin,ou=house,dc=br"??

The access statement above is equivalent to:
        access to dn.subtree="dc=br"
                by dn.base="uid=houseAdmin,ou=house,dc=br" write

That is, the subsequent statements assign either "write" or
"none" (implicit).
 
It is pointless to use "continue" when the remaining clauses
assign rights (as opposed to increment rights).  See
http://www.openldap.org/faq/index.cgi?file=454 for a example
point-full use.



> 
> thx for helping!
> 
>                

But... instead "uid=houseAdmin,ou=house,dc=br", if another user try to access an object below "ou=house,dc=br" will it have READ or WRITE access leve??
 		
---------------------------------
 Novidade no Yahoo! Mail: receba alertas de novas mensagens no seu celular. Registre seu aparelho agora!