
Re: <attrlist> syntax in ACLs



Nikos Voutsinas wrote:
> On Wed, Oct 15, 2014 at 11:07 AM, Michael Ströder <michael@stroeder.com> wrote:
> 
>> Nikos Voutsinas wrote:
>>> This is an example of what would be convenient (but is currently not
>>> supported):
>>> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,objectclass
>>> val.regex="account|simpleSecurityObject",uid,userPassword by
>>> dn="uid=joe,dc=foo,dc=com" read by * none stop
>>>
>>> As far as I understand the equivalent of the previous would be:
>>> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=objectclass
>>> val.regex="account|simpleSecurityObject" by dn="uid=joe,dc=foo,dc=com" read
>>> by * none stop
>>> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
>>> attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none
>>> stop
>>>
>>> Now, the "break" control would let subsequent ACLs evaluate access on the
>>> same <what> clause, and if "break" was required for that reason in the 1st
>>> ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant
>>> to the fact that we should split the original <what> clause, since the
>>> <what> clauses on the 2nd and 3rd ACLs are different. Isn't that so?
>>
>>
>> Frankly I don't understand your thoughts.
>>
>> Mainly what you want is (line breaks for readability):
>>
>> access to
>>   dn.subtree="ou=People,dc=foo,dc=com"
>>   attrs=objectclass
>>   val.regex="account|simpleSecurityObject"
>>     by dn="uid=joe,dc=foo,dc=com" read
>>     by * break
>>
> 
> You are assuming that there are subsequent ACLs that are going to process
> the same <what> clause or a superset of it, which might be true or not.

Indeed this is very usual in my setups.

> However for our specific example, slapd will process the subsequent (2nd)
> ACL no matter which control was used in the 1st ACL because the two ACLs
> refer to different what clauses. So, yes break control might be useful but
> it is not required, at least not in our 2 lines example.

Yes, you're right in your case.

Ciao, Michael.
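As an added illustration of the evaluation order discussed above (not part of the thread, and not OpenLDAP code), here is a constructed, simplified Python model of how slapd walks access directives: an ACL whose <what> clause does not select the attribute is skipped whatever control an earlier ACL used, while "by * break" lets other requesters fall through to a later ACL. The ACL lists, DNs and the trailing "to dc=foo,dc=com" directive are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed, simplified model of slapd's "access to <what> by <who>" walk.
# It is not slapd's code and ignores incremental (+/-) privileges, dn.regex
# and most other <what>/<who> forms; absolute levels simply replace each other.
@dataclass
class Acl:
    subtree: str            # dn.subtree="..."
    attrs: set              # attrs=... ("entry" is the entry pseudo-attribute)
    who: list               # ordered (who, level, control); who is a DN or "*"
    val_regex: str = None   # val.regex="..." matched against the attribute value

def what_matches(acl, dn, attr, value):
    """Does the <what> clause select this (dn, attribute, value)?"""
    if not dn.lower().endswith(acl.subtree.lower()):
        return False
    if attr.lower() not in {a.lower() for a in acl.attrs}:
        return False
    if acl.val_regex is not None and value is not None:
        return re.fullmatch(acl.val_regex, value) is not None
    return True

def evaluate(acls, requester, dn, attr, value=None):
    """Access level the requester ends up with for (dn, attr, value).
    A non-matching <what> skips the ACL. In a matching ACL the first matching
    <who> wins: "stop" (default) ends evaluation, "break" keeps the level but
    lets a later matching ACL override it; no match means implicit "by * none"."""
    granted = "none"
    for acl in acls:
        if not what_matches(acl, dn, attr, value):
            continue
        for who, level, control in acl.who:
            if who == "*" or who.lower() == requester.lower():
                granted = level
                if control == "break":
                    break           # go on to the next ACL
                return granted      # "stop"
        else:
            return "none"           # implicit "by * none stop"
    return granted

PEOPLE = "ou=People,dc=foo,dc=com"
JOE = "uid=joe,dc=foo,dc=com"
# Nikos' two split directives: same <who> clauses, different <what>, "stop" in both.
SPLIT = [Acl(PEOPLE, {"objectClass"}, [(JOE, "read", "stop"), ("*", "none", "stop")],
             val_regex="account|simpleSecurityObject"),
         Acl(PEOPLE, {"entry", "uid", "userPassword"}, [(JOE, "read", "stop"), ("*", "none", "stop")])]
# Michael's form ("by * break", modelled as level none) plus a hypothetical later ACL.
FALLTHROUGH = [Acl(PEOPLE, {"objectClass"}, [(JOE, "read", "stop"), ("*", "none", "break")],
                   val_regex="account|simpleSecurityObject"),
               Acl("dc=foo,dc=com", {"objectClass"}, [("*", "read", "stop")])]
```

With SPLIT, joe reads userPassword because the first ACL is skipped on its <what> clause alone, so its control never comes into play; an objectClass value the regex does not match falls off the end and is denied.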

