
Re: ACL control with break

On Fri, 25 May 2012, Nick Milas wrote:
> Why when assigning access rights to "entry" and/or "children" 
> attributes, in most cases - as I have seen from experience - we have to 
> end with a "by * break" clause?

Because that's a popular style of ACL processing logic to use for those 
attributes.  As you note, this is done in "most cases", i.e., not all, so 
obviously there is nothing in the software that requires it.

I'm not sure why the ACLs for entry and children that you tend to see use 
that style, but if I recall correctly, they weren't part of the original 
ACL design but rather were added in OpenLDAP 2.2 (or maybe 2.3?), so this 
may be the result of ACL sets being retrofitted during upgrades.

> I tend to think that this is needed in case(s) where we want to be able 
> to assign different privileges (for children/entry attributes) in 
> subordinate branches, using ACLs following later. But if we follow the 
> rule: "special access rules first, generic access rules last", i.e. if 
> we place our ACLs for entry/children of the bottom branches first in the 
> ACL sequence, then a "by * break" clause would not be required. Is my 
> thinking right?

Yes, though you should review any rules without an attrs= clause carefully 
to check whether they're setting the rights for the children/entry 
pseudo-attributes unexpectedly.

> And a second question:
> Are there any cases where access to "children" and "entry" attributes is 
> determined implicitly, or in all cases (except, I guess, when we specify 
> "access to *") we should declare access rights to these attributes 
> explicitly?

I'm not sure what you mean by "determined implicitly" here, so I can't 
answer that.
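As an added illustration (not part of the thread; the suffix, OUs and group DNs below are made up), here are the two ACL orderings discussed above in slapd.conf syntax, followed by the trap the reply points out about rules that carry no attrs= clause. Alternatives A and B are meant as substitutes for each other, not to be combined in one file, since slapd uses the first access directive whose "to" part matches and then the first matching "by" clause within it.

```conf
# Alternative A: the common pattern. The generic entry/children rule comes
# first and ends with "by * break", so for anyone other than admins slapd
# stops evaluating this directive and moves on to the next access directive,
# rather than applying the implicit "by * none" of a directive with no
# matching "by" clause.
access to attrs=entry,children
        by group.exact="cn=admins,dc=example,dc=com" write
        by * break

# Rule for a subordinate branch, placed later. Without the "break" above,
# nobody except admins would ever reach this directive for entry/children.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,children
        by group.exact="cn=hr,dc=example,dc=com" write
        by users read

# Alternative B: "special access rules first, generic access rules last".
# The subtree rule is matched first for entries under ou=people, so the
# generic rule that follows needs no "break" to be reached by other entries.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,children
        by group.exact="cn=hr,dc=example,dc=com" write
        by users read

access to attrs=entry,children
        by group.exact="cn=admins,dc=example,dc=com" write
        by users read

# The caveat from the reply: a directive with no attrs= clause matches every
# attribute of the selected entries, the entry and children pseudo-attributes
# included. If this appears before the entry/children rules above, it is the
# first match for them under ou=people and silently sets their rights to
# "read" for users (and to the implicit "none" for everyone else).
access to dn.subtree="ou=people,dc=example,dc=com"
        by users read
```

A quick way to check which directive actually wins for a given entry and attribute is to start slapd with ACL debugging (-d acl) and perform the operation in question; the log shows each access directive considered and the "by" clause that matched.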