[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap access control order behavior

To: vvv jjj <vvvjjj0@yahoo.co.in>
Subject: Re: openldap access control order behavior
From: Ryan Tandy <ryan@nardis.ca>
Date: Mon, 24 Oct 2016 18:10:16 -0700
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nardis.ca; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to:user-agent; bh=9ww2qLS4K4uCwYNUyMnzamhbYA7apuURYyWKq3cSmJM=; b=gQsqTmlGsKM5sxelp5z+05zZblJW3MV33M81tqfaZrxuxBa+YvaQ7YVRdQ24d/uf1w vmhgufonur37AMdJRWhxgoPgZEJjWBYum1NOV9i2/iejZHPA68I/h3UofRl0Vq0cVfWZ nvEiQEVV4MET+kcw5Ae5VhkPCnhO3e5G9KS6U=
In-reply-to: <1240444484.616379.1477220635209@mail.yahoo.com>
Mail-followup-to: vvv jjj <vvvjjj0@yahoo.co.in>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
References: <1605808706.275200.1477126953906.ref@mail.yahoo.com> <1605808706.275200.1477126953906@mail.yahoo.com> <20161023010608.GA722@kiwi.nardis.ca> <1240444484.616379.1477220635209@mail.yahoo.com>
User-agent: Mutt/1.5.23 (2014-03-12)

On Sun, Oct 23, 2016 at 11:03:55AM +0000, vvv jjj wrote:

Regarding, Using ruleset 1, 'access to *' will be evaluated first, anonymous will be given read access, and processing stops there.
In this case the "access to dn.base=ACL by users read" is not processed as the above the command "access to * by users read by anonymous read" is giving the user access to all attribute. Due to this the "access to dn.base=ACL by users read" is not processed.


Correct.

Regarding, Using ruleset 2, 'access to dn.base=ACL' will be evaluated first, anonymous will be given no access (because every rule ends with an implicit 'by * none'), and processing stops there.
I understood that the "access to dn.base=ACL" gives access to user. But I did not understand why the process stops. Since we have "access to * by users read by anonymous read", does the next line access command override the above access which is given.

Every rule implicitly ends with 'by * none stop', unless you specifyotherwise. Your rule for dn.base=ACL does not specify otherwise,therefore anonymous is assigned 'none' and processing stops. Thefollowing line is never reached. This is for the 'ACL' entryspecifically: for any other entry (i.e. 'to *'), the 'by anonymous read'rule would indeed be applied.

Follow-Ups:
- Re: openldap access control order behavior
  - From: vvv jjj <vvvjjj0@yahoo.co.in>

References:
- openldap access control order behavior
  - From: vvv jjj <vvvjjj0@yahoo.co.in>
- Re: openldap access control order behavior
  - From: Ryan Tandy <ryan@nardis.ca>
- Re: openldap access control order behavior
  - From: vvv jjj <vvvjjj0@yahoo.co.in>

Prev by Date: openldap 2.4.40 ppolicy module and shadowInactive equivalent
Next by Date: Re: delta-synrepl consumer randomly delete objects
Index(es):
- Chronological
- Thread