Re: ACL access control flux; CONTINUE
At 09:56 AM 7/4/2006, Forrest Gump wrote:
>"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote: At 11:47 AM 7/3/2006, Forrest Gump wrote:
>> I have a little doubt about how the ACL works with the flux control CONTINUE.
>> I mean... the BREAK jumps to the next matched clause, and CONTINUE?
>> to the next matched BY?? or just to the next??
>> An example:
>> access to dn.subtree="dc=br"
>> by dn.subtree="ou=house,dc=br" read continue
>> by dn.base="uid=houseAdmin,ou=house,dc=br" write
>> Let me explain what happens here: every object below "ou=house,dc=br" gets matched when the first BY directive is checked and is granted the READ right, but because of the flux control CONTINUE, will every object be allowed to WRITE on "dc=br" subtree?? or only "uid=houseAdmin,ou=house,dc=br"??
>The access statement above is equivalent to:
> access to dn.subtree="dc=br"
> by dn.base="uid=houseAdmin,ou=house,dc=br" write
>That is, the subsequent statements assign either "write" or
>It is pointless to use "continue" when the remaining clauses
>assign rights (as opposed to increment rights). See
>http://www.openldap.org/faq/index.cgi?file=454 for an example
>> thx for helping!
>But... instead of "uid=houseAdmin,ou=house,dc=br", if another user tries to access an object below "ou=house,dc=br" will it have READ or WRITE access level??
Neither. "none" is assigned by the implicit "by * none" clause.
Your "by ... continue" clause is superfluous.
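
The evaluation discussed in this thread, as an added example that is not part of the original message and is not OpenLDAP code: a simplified Python model of how the "by" clauses of one "access to" statement are walked for a requester. The user uid=someUser, the third ACL (INCREMENT_ACL) and the plain string DN matching are assumptions made for illustration; "break" and target matching are not modeled.

```python
# Simplified model of slapd <by> clause evaluation (illustration only).
LEVELS = {"none": "", "read": "rscxd", "write": "wrscxd"}

def subtree(base):                      # dn.subtree=<base>
    base = base.lower()
    return lambda dn: dn.lower() == base or dn.lower().endswith("," + base)

def exact(base):                        # dn.base=<base>
    return lambda dn: dn.lower() == base.lower()

def anyone(dn):                         # by *
    return True

def evaluate(by_clauses, requester_dn):
    """Return the privilege set one 'access to' statement gives requester_dn."""
    mask = set()
    for who, access, control in by_clauses:
        if not who(requester_dn):
            continue                    # clause does not match this requester
        if access[0] == "+":            # increment: add privileges to the mask
            mask |= set(access[1:]) - {"0"}
        elif access[0] == "-":          # decrement: remove privileges
            mask -= set(access[1:])
        else:                           # plain level: ASSIGN, replacing the mask
            mask = set(LEVELS[access])
        if control == "stop":
            return mask
        # control == "continue": keep checking later <by> clauses
    return set()                        # implicit trailing "by * none"

ADMIN = "uid=houseAdmin,ou=house,dc=br"
USER = "uid=someUser,ou=house,dc=br"    # constructed sample requester

# The statement from the thread: "read continue" followed by an assigning "write".
THREAD_ACL = [(subtree("ou=house,dc=br"), "read", "continue"),
              (exact(ADMIN), "write", "stop")]
# The equivalent statement given in the reply.
REDUCED_ACL = [(exact(ADMIN), "write", "stop")]
# Constructed variant where "continue" matters because later clauses increment.
INCREMENT_ACL = [(subtree("ou=house,dc=br"), "+rscxd", "continue"),
                 (exact(ADMIN), "+w", "stop"),
                 (anyone, "+0", "stop")]

if __name__ == "__main__":
    for name, acl in [("thread", THREAD_ACL), ("reduced", REDUCED_ACL),
                      ("increment", INCREMENT_ACL)]:
        for dn in (ADMIN, USER):
            print(name, dn, "".join(sorted(evaluate(acl, dn))) or "none")
```

In this model THREAD_ACL and REDUCED_ACL give the same result for every requester, while INCREMENT_ACL leaves the ordinary user with the read privileges that were added before "continue".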