
Re: ACL control with break



On Fri, May 25, 2012 at 12:38:09PM +0300, Nick Milas wrote:

>    One useful application is to easily grant write privileges to an
>    updatedn that is different from the rootdn. In this case, since the
>    updatedn needs write access to (almost) all data, one can use
>         access to *
>         by dn.exact="cn=The Update DN,dc=example,dc=com" write
>         by * break
>    as the first access rule. As a consequence, unless the operation is
>    performed with the updatedn identity, control is passed straight to
>    the subsequent rules.
> 
> I have the following question. If below the above ACL we add another
> ACL like:
> 
> access to dn.subtree="ou=people,dc=example,dc=com"
>   by dn.exact="cn=Some Other DN,dc=example,dc=com"
>   by * none
> 
> ...doesn't this mean that the second ACL will override the first, so
> that "The Update DN" will no longer have access to the whole DIT (as

No. From slapd.access(5):
	Access  control checking stops at the first match of the
	<what> and <who> clause, unless otherwise dictated by the
	<control>  clause.

In the example above, the first access statement does not have a
<control> clause for dn.exact="cn=The Update DN,dc=example,dc=com" so
it uses the default, which is 'stop'.

Note that your second access statement does not specify any particular
access for dn.exact="cn=Some Other DN,dc=example,dc=com" so it won't
be much use.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
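A small model of the evaluation rule Andrew quotes from slapd.access(5), as an added example that is not part of this thread and not OpenLDAP code. It parses the two access directives from the post, runs them through a first-match evaluator in which `<control>` defaults to `stop` and only `break` passes control to the next directive, and shows that "The Update DN" keeps write access on `ou=people` while "Some Other DN" ends up with nothing because its `by` clause names no access level. Everything beyond the thread's own text is an assumption of the model: the bind and target DNs are constructed, DNs are compared as plain strings, a directive that matches the entry but none of whose `by` clauses match the binder denies access, and a `by` clause with no access level is treated as granting nothing (the simplification that matches Andrew's remark that the clause "won't be much use").

```python
# Added example (not from the thread, not OpenLDAP code): a toy model of the
# slapd.access(5) rule "checking stops at the first match of <what> and <who>,
# unless otherwise dictated by the <control> clause".
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = ("stop", "continue", "break")


@dataclass
class By:
    who: str                  # "*" or "dn.exact=<dn>"
    level: Optional[str]      # None: clause written without an access level
    control: str = "stop"     # slapd.access(5): <control> defaults to "stop"


@dataclass
class Acl:
    what: str                 # "*", "dn.exact=<dn>" or "dn.subtree=<dn>"
    bys: List[By] = field(default_factory=list)


def parse_acls(text: str) -> List[Acl]:
    """Parse the subset of slapd.access(5) syntax that appears in the thread."""
    acls: List[Acl] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            acls.append(Acl(what=shlex.split(line)[2]))
        elif line.startswith("by ") and acls:
            tokens = shlex.split(line)[1:]
            who, level, control = tokens[0], None, "stop"
            for tok in tokens[1:]:
                if tok in LEVELS:
                    level = tok
                elif tok in CONTROLS:
                    control = tok
                else:
                    raise ValueError(f"unsupported token {tok!r} in: {line}")
            acls[-1].bys.append(By(who, level, control))
        else:
            raise ValueError(f"cannot parse: {line}")
    return acls


def what_matches(what: str, target_dn: str) -> bool:
    """Does the directive's <what> select target_dn? (plain string DN comparison)"""
    if what == "*":
        return True
    kind, _, value = what.partition("=")
    if kind == "dn.exact":
        return target_dn == value
    if kind == "dn.subtree":
        return target_dn == value or target_dn.endswith("," + value)
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who: str, bind_dn: str) -> bool:
    """Does the <who> clause select the binding identity?"""
    if who == "*":
        return True
    kind, _, value = who.partition("=")
    if kind == "dn.exact":
        return bind_dn == value
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(acls: List[Acl], bind_dn: str, target_dn: str) -> str:
    """Access level bind_dn ends up with on target_dn under this model."""
    granted = "none"
    for acl in acls:
        if not what_matches(acl.what, target_dn):
            continue                      # directive does not apply to this entry
        matched_any, passed_on = False, False
        for by in acl.bys:
            if not who_matches(by.who, bind_dn):
                continue
            matched_any = True
            if by.level is not None:
                granted = by.level        # a clause without a level changes nothing
            if by.control == "stop":
                return granted            # the default: evaluation ends here
            if by.control == "break":
                passed_on = True          # hand control to the next directive
                break
            # "continue": keep scanning this directive's remaining <who> clauses
        if passed_on:
            continue
        return granted if matched_any else "none"   # modelled: no <who> match denies
    return granted


# The two directives exactly as quoted in the thread.
THREAD_ACLS = """
access to *
    by dn.exact="cn=The Update DN,dc=example,dc=com" write
    by * break

access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=Some Other DN,dc=example,dc=com"
    by * none
"""

# Constructed variant: the second directive with the missing access level supplied.
FIXED_ACLS = THREAD_ACLS.replace(
    'by dn.exact="cn=Some Other DN,dc=example,dc=com"',
    'by dn.exact="cn=Some Other DN,dc=example,dc=com" write')

UPDATE_DN = "cn=The Update DN,dc=example,dc=com"
OTHER_DN = "cn=Some Other DN,dc=example,dc=com"
PERSON = "uid=someone,ou=people,dc=example,dc=com"   # constructed target entry
GROUP = "cn=staff,ou=groups,dc=example,dc=com"       # constructed entry outside ou=people


def thread_results(acl_text: str = THREAD_ACLS) -> dict:
    """Who gets what on which entry; keys are (bind dn label, entry label)."""
    acls = parse_acls(acl_text)
    return {
        ("update", "person"): evaluate(acls, UPDATE_DN, PERSON),
        ("other", "person"): evaluate(acls, OTHER_DN, PERSON),
        ("other", "group"): evaluate(acls, OTHER_DN, GROUP),
        ("anonymous", "person"): evaluate(acls, "", PERSON),
    }


if __name__ == "__main__":
    for label, text in (("as posted", THREAD_ACLS), ("with 'write' added", FIXED_ACLS)):
        print(label, thread_results(text))
```

Running it shows the first directive is never "overridden": the Update DN's clause has no `<control>`, so it stops with `write` on every entry, and only identities that fall through `by * break` reach the second directive. With the directive as posted, "Some Other DN" gets `none` on `ou=people`; with `write` added it gets `write` there and still `none` elsewhere, since no later directive matches entries outside the subtree.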