[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL control with break

To: Nick Milas <nick@eurobjects.com>
Subject: Re: ACL control with break
From: Philip Guenther <guenther+ldaptech@sendmail.com>
Date: Fri, 25 May 2012 08:44:35 -0700
Cc: Andrew Findlay <andrew.findlay@skills-1st.co.uk>, openldap-technical <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sendmail.com; s=tls.dkim; t=1337960680; bh=oBsmNgJfkFM3qckRgyuHemR557Kqp43MvEm4KJ0D59c=; h=Date:From:To:cc:Subject:In-Reply-To:Message-ID:References: MIME-Version:Content-Type; b=GCrGCeXRXcfMsC0U/fJYXpHvBcE2NbGOSlQR1xcda/86J6goXoX2hZv/sqUIcptNu sdRAPT7ayv71xPiKEhFPQf2aFHolbKDH0ib/7YvNH6Wjgagxmq3hnJ9cfSn+2jsAFe vqy5J4ZmplTq/ZyNusdobX3BfOD50zWeMuWb1uuQ=
In-reply-to: <4FBF8194.3010208@eurobjects.com>
References: <4FBF5301.7020408@eurobjects.com> <20120525113753.GA24056@slab.skills-1st.co.uk> <4FBF8194.3010208@eurobjects.com>
User-agent: Alpine 2.00 (BSO 1167 2008-08-23)

On Fri, 25 May 2012, Nick Milas wrote:
> Why when assigning access rights to "entry" and/or "children" 
> attributes, in most cases - as I have seen from experience - we have to 
> end with a "by * break" clause?

Because that's a popular style of ACL processing logic to use for those 
attributes.  As you note, this is done in "most cases", i.e., not all, so 
obviously there nothing in the software that requires it.

I'm not sure why the ACLs for entry and children that you tend to see use 
that style, but if I recall correctly, they weren't part of the original 
ACL design but rather were added in OpenLDAP 2.2 (or maybe 2.3?), so this 
may be the result of ACL sets being retrofitted during upgrades.

...
> I tend to think that this is needed in case(s) where we want to be able 
> to assign different privileges (for children/entry attributes) in 
> subordinate branches, using ACLs following later. But if we follow the 
> rule: "special access rules first, generic access rules last", i.e. if 
> we place our ACLs for entry/children of the bottom branches first in the 
> ACL sequence, then a "by * break" clause would not be required. Is my 
> thinking right?

Yes, though you should review any rules without an attrs= clause carefully 
to check whether they're setting the rights for the children/entry 
pseudo-attributes unexpectedly.

> And a second question:
> 
> Are there any cases where access to "children" and "entry" attributes is 
> determined implicitly, or in all cases (except, I guess, when we specify 
> "access to *") we should declare access rights to these attributes 
> explicitly?

I'm not sure what you mean by "determined implicitly" here, so I can't 
answer that.

Philip

Follow-Ups:
- Re: ACL control with break
  - From: Nick Milas <nick@eurobjects.com>

References:
- ACL control with break
  - From: Nick Milas <nick@eurobjects.com>
- Re: ACL control with break
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: ACL control with break
  - From: Nick Milas <nick@eurobjects.com>

Prev by Date: Re: Memory leak in 2.4.31 w/ hdb and MMR?
Next by Date: Re: ~*~ [spam] Re: OpenLDAP freeze
Index(es):
- Chronological
- Thread