
Re: openldap access control order behavior



On Sat, Oct 22, 2016 at 09:02:33AM +0000, vvv jjj wrote:
My question is, does the access control order affect the behavior? That is, is there any change in behavior for the below 2 access control commands?
1.
access to * by users read by anonymous read
access to dn.base=ACL by users read

2.
access to dn.base=ACL by users read
access to * by users read by anonymous read

Yes. The slapd.access(5) man page says: "Lists of access directives are evaluated in the order they appear". It goes on to say that "Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause."

In your examples above, assuming an attempt by anonymous to access your controlled 'ACL' entry:

Using ruleset 1, 'access to *' will be evaluated first, anonymous will be given read access, and processing stops there.

Using ruleset 2, 'access to dn.base=ACL' will be evaluated first, anonymous will be given no access (because every rule ends with an implicit 'by * none'), and processing stops there.

Hope that helps.
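To make the first-match rule concrete, here is a small Python model of the evaluation described in this reply. It is an added example, not code from the OpenLDAP project, and it supports only the directive subset used in the two rulesets; the DN comparison is a simplified case-insensitive string match, and only '*', 'anonymous' and 'users' are accepted as <who> values (both assumptions, not slapd's real matching).

```python
"""Model of slapd's first-match ACL evaluation (constructed example, not
OpenLDAP code). Handles only: <what> of '*' or 'dn.base=<dn>', <who> of
'users', 'anonymous' or '*', and the implicit trailing 'by * none'."""
import re

RULE_RE = re.compile(r"^access\s+to\s+(\S+)((?:\s+by\s+\S+\s+\S+)*)\s*$")
BY_RE = re.compile(r"by\s+(\S+)\s+(\S+)")

# The two rulesets from the question, as constructed sample input.
RULESET_1 = """
access to * by users read by anonymous read
access to dn.base=ACL by users read
"""
RULESET_2 = """
access to dn.base=ACL by users read
access to * by users read by anonymous read
"""

def parse_acls(text):
    """Parse directives in order; every rule gets the implicit 'by * none'."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported directive: {line!r}")
        by_clauses = BY_RE.findall(m.group(2)) + [("*", "none")]
        rules.append((m.group(1), by_clauses))
    return rules

def what_matches(what, target_dn):
    if what == "*":
        return True
    if what.startswith("dn.base="):
        # Assumption: plain case-insensitive compare instead of DN normalization.
        return what[len("dn.base="):].lower() == target_dn.lower()
    raise ValueError(f"unsupported <what>: {what!r}")

def who_matches(who, bind_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    raise ValueError(f"unsupported <who>: {who!r}")

def evaluate(rules, target_dn, bind_dn):
    """Return the access level from the first rule whose <what> matches;
    within it, the first matching <who> wins (the implicit 'by * none'
    guarantees a match, so checking stops at the first <what> match)."""
    for what, by_clauses in rules:
        if not what_matches(what, target_dn):
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn):
                return level
    return "none"
```

Running evaluate() for an anonymous bind against the 'ACL' entry returns "read" under ruleset 1 and "none" under ruleset 2, which is exactly the ordering effect the reply describes.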