Re: ACL Question 'write stop' 'write break'

[Aaron Richton <richton@nbcs.rutgers.edu>]

Please keep replies on the list.

On Mon, 19 Oct 2009, Edward Capriolo wrote:
[...cut...]
> As you have said .*managed people are never able to auth, one that
> rule is put in place. So If I understand you correctly I should do
> this:
>
> access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
> attrs=userPassword,accountstatus
> by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
> write stop
> by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US"
> write stop
> by * none break
> access to attr=userPassword
> by self write
> by anonymous auth
> by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
> read
> by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US"
> read
> by * none
>
> ?

Sure, that's a reasonable first move, if I'm understanding your desires 
correctly. Personally I like being very very very explicit in my ACLs, so 
I might actually write out dn.exact and put the * in "access to 
attr=userPassword." But you can worry about that in version 5...