
ACL Question 'write stop' 'write break'



Hello all,

We are currently migrating from a master-slave to a multi-master
setup. All went well except for the fact that the access on the old
master node was more liberal than the access on the slave node. As a
result some applications were able to use this to their advantage and
now are not working quite correctly when each node is a read-write
master.

Here is my configuration:

# Delegated administration of the "*.managed" accounts (currently commented out).
# Continuation lines of a slapd.conf directive must start with whitespace;
# the "write break" controls belong on the same "by" clause as the DN.
#access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
#  attrs=userPassword,accountstatus
#  by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
#  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
# Password attribute: owner may change it, anonymous may bind against it,
# the two samba accounts may read it, nobody else sees it.
access to attrs=userPassword
  by self write
  by anonymous auth
  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
  by * none
# Samba password hashes: readable by the samba accounts, writable by the owner.
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
  by self write
  by * none
# Everything else.
access to *
  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
  by dnattr=manager write
  by self write
  by users read
  by * none

My problem is the top commented lines: these rules are to allow sara
and john to administer all
"mail=.*.managed" users. This worked fine in the past because no read
queries hit the master, but now with multi-master the
"mail=.*.managed" users have no access to the directory. The old rule was

#  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop

I also tried

#  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break

I was under the impression that "write break" would continue
evaluation, but I do not understand how this is working. Can anyone
help me with a suggestion for fixing this?

Thank you!
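Editor's note, added example (not from the original post or the OpenLDAP project). slapd evaluates ACLs as documented in slapd.access(5): it selects the first "access to" directive whose target matches the entry and attribute, then the first "by" clause in that directive that matches the requester. "stop" (the default) ends evaluation there; "continue" goes on to the next "by" clause in the same directive; "break" goes on to the next "access to" directive. If no "by" clause in the selected directive matches the requester, access is denied, exactly as if the directive ended with "by * none". That is what happens to the "*.managed" accounts once the admin directive is active: their entries match the dn.regex target, but the anonymous bind (which needs "auth" on userPassword) and their own reads match neither john nor sara, so they are denied before "by anonymous auth" and "by self write" in the later directives are ever consulted. Putting "break" on john's and sara's clauses does not help the others, and it hurts the admins: a plain level such as "write" or "none" in a later matched clause replaces whatever an earlier "break" left (only the "+" and "-" forms are incremental), so john's "write break" would be overwritten by the explicit "by * none" of the userPassword directive. The usual idiom is to keep the admin clauses at the default "stop" and append "by * none break" so everyone else falls through. The fragment below shows the whole ACL set with that change; the anchored, dot-escaped regex is my assumption about the intended match (the posted ".*.managed" pattern is unanchored and matches any DN containing that substring), and sara's DN is copied as posted, "ou=jointhegrid" without ".com", which differs from every other DN in the post and is worth verifying against the actual entry.

```conf
# Added example: delegated admin rule for the "*.managed" accounts, followed by
# the directives from the post. Evaluation: first matching "access to" wins,
# then the first matching "by"; an unmatched requester is denied unless a
# clause with "break" hands it on to the next directive.

# Anchored regex (assumption): only entries directly under ou=user whose mail
# ends in ".managed@jointhegrid.com". attrs= limits this directive to the two
# attributes john and sara are allowed to manage.
access to dn.regex="^mail=[^,]+\.managed@jointhegrid\.com,ou=user,ou=jointhegrid\.com,o=jointhegrid,c=US$"
  attrs=userPassword,accountstatus
  # Administrators: "write" with the default "stop", so nothing later can
  # replace the granted level.
  by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
  # DN copied as posted; it lacks the ".com" used in every other DN. Verify it.
  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write
  # Everyone else (the managed user binding anonymously, the user reading
  # its own entry, the samba accounts) is deferred to the next directives.
  # Without this line the directive ends with an implicit "by * none".
  by * none break

access to attrs=userPassword
  by self write
  by anonymous auth
  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
  by * none

access to attrs=sambaLMPassword,sambaNTPassword
  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
  by self write
  by * none

access to *
  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
  by dnattr=manager write
  by self write
  by users read
  by * none
```

To check the result before the directives go live on every master, bind as one of the managed users and as john, and run the same search against each node with "loglevel acl" (or "loglevel 128") enabled; the log shows which "access to" directive and which "by" clause were selected for each attribute, which is the quickest way to see where a request is being stopped.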