[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5852) ACL behaviour does not match Admin Guide

To: openldap-its@OpenLDAP.org
Subject: (ITS#5852) ACL behaviour does not match Admin Guide
From: andrew.findlay@skills-1st.co.uk
Date: Mon, 8 Dec 2008 19:33:24 GMT

Full_Name: Andrew Findlay
Version: HEAD 2008-12-05
OS: SuSE 10.2
URL: 
Submission from: (NULL) (88.97.25.132)


Section 7.2.5 Access Control Examples says:
...
Also note that if no access to directive matches or no by <who> clause, access
is denied. That is, every access to directive ends with an implicit by * none
clause and every access list ends with an implicit access to * by * none
directive.

The statement about access *lists* ending with a deny directive is wrong (or at
least misleading).

The truth is that the global access list is effectively appended to each
per-database list. If the resulting list is non-empty then a default deny is
appended. If there are *no* access directives applicable to a backend at all
then a default read is used.

slapd.access(5) is clearer about this but still not clear enough about the
default-deny case.
Sections 7.2.4 and 7.3.4 are fairly clear about the drop-though from backend
ACLs to global ACLs, but say nothing about the default-deny case.

Clearly the docs do not match the code in this area. In many ways I prefer the
idea that an access list should end with a default deny (and *not* get the
global list appended), but there may well be people depending on the current
behaviour.

Prev by Date: (ITS#5851) ACL behaviour does not match slapd.access(5)
Next by Date: Re: (ITS#5852) ACL behaviour does not match Admin Guide
Index(es):
- Chronological
- Thread