
Re: ACL access control flux; CONTINUE



At 09:56 AM 7/4/2006, Forrest Gump wrote:


>"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote: At 11:47 AM 7/3/2006, Forrest Gump wrote:
>>Hi fellows!!!
>> 
>> I have a little doubt about how the ACL works with the flux control CONTINUE.
>> I mean... the BREAK jumps to the next matched clause, and CONTINUE?
>> to the next matched BY?? or just to the next??
>> 
>> An example:
>> 
>> access to dn.subtree="dc=br"
>>         by dn.subtree="ou=house,dc=br" read continue
>>         by dn.base="uid=houseAdmin,ou=house,dc=br" write
>> 
>> Let me explain what happens here: every object below "ou=house,dc=br" gets matched when the first BY directive is checked and is granted the READ right, but because of the flux control CONTINUE, will every object be allowed to WRITE on the "dc=br" subtree?? or only "uid=houseAdmin,ou=house,dc=br"??
>
>The access statement above is equivalent to:
>        access to dn.subtree="dc=br"
>                by dn.base="uid=houseAdmin,ou=house,dc=br" write
>
>That is, the subsequent statements assign either "write" or
>"none" (implicit).
> 
>It is pointless to use "continue" when the remaining clauses
>assign rights (as opposed to increment rights).  See
>http://www.openldap.org/faq/index.cgi?file=454 for an example
>of point-full use.
>
>
>
>> 
>> thx for helping!
>> 
>>
>
>But... instead of "uid=houseAdmin,ou=house,dc=br", if another user tries to access an object below "ou=house,dc=br", will it have READ or WRITE access level??

Neither.  "none" is assigned by the implicit "by * none" clause.
Your "by ... continue" clause is superfluous.

Kurt
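A toy model of the evaluation Kurt describes, added here as an example and not code from the thread or from OpenLDAP itself: it mirrors how one access directive walks its "by" clauses (a level assigns, "+"/"-" increments, "stop" vs "continue", and the implicit "by * none" at the end). Assumptions: DNs are compared as plain lowercase strings, only the dn.base, dn.subtree and "*" selectors are handled, "break" is not modelled, and the second directive with "+w" and a closing "by * +0" is my own constructed illustration of the incremental case.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
PRIV_CHARS = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
              "r": "read", "w": "write", "0": None}  # "0" adds nothing

def level_bits(level):
    """A bare level grants itself plus every weaker level (read implies search...)."""
    return set(LEVELS[1:LEVELS.index(level) + 1])

def who_matches(who, subject_dn):
    """Toy <who> matcher: only '*', dn.base and dn.subtree; plain lowercase compare."""
    if who == "*":
        return True
    style, _, pattern = who.partition("=")
    pattern, subject_dn = pattern.strip('"').lower(), subject_dn.lower()
    if style == "dn.base":
        return subject_dn == pattern
    if style == "dn.subtree":
        return subject_dn == pattern or subject_dn.endswith("," + pattern)
    raise ValueError("unsupported <who> selector: " + who)

def evaluate(by_clauses, subject_dn):
    """Privilege set one subject ends up with for a single access directive.
    by_clauses: (who, access, control); access is a level ("read") or an
    incremental spec ("+w", "-r", "+0"); control is "stop" or "continue".
    A level assigns (replaces the mask), +/- adjusts it, and running off the
    end of the list hits the implicit "by * none" that Kurt refers to."""
    mask = set()
    for who, access, control in by_clauses:
        if not who_matches(who, subject_dn):
            continue
        if access[0] in "+-":
            privs = {PRIV_CHARS[ch] for ch in access[1:]} - {None}
            mask = (mask | privs) if access[0] == "+" else (mask - privs)
        else:
            mask = level_bits(access)
        if control != "continue":
            return mask
    return set()  # implicit "by * none"

# The thread's directive: "read continue" is overwritten by the "write" assignment
# for houseAdmin and by the implicit "by * none" for everyone else.
ORIGINAL = [
    ('dn.subtree="ou=house,dc=br"', "read", "continue"),
    ('dn.base="uid=houseAdmin,ou=house,dc=br"', "write", "stop"),
]
# Constructed incremental variant: "continue" now matters, and "by * +0" stops
# evaluation while keeping whatever was accumulated.
INCREMENTAL = [
    ('dn.subtree="ou=house,dc=br"', "read", "continue"),
    ('dn.base="uid=houseAdmin,ou=house,dc=br"', "+w", "continue"),
    ("*", "+0", "stop"),
]
```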