
Re: ACL control with break



On 25/5/2012 2:37 PM, Andrew Findlay wrote:

> No. From slapd.access(5):
> 	Access control checking stops at the first match of the
> 	<what> and <who> clause, unless otherwise dictated by the
> 	<control> clause.
>
> In the example above, the first access statement does not have a
> <control> clause for dn.exact="cn=The Update DN,dc=example,dc=com" so
> it uses the default, which is 'stop'.

By the way, let me also ask:

Why, when assigning access rights to the "entry" and/or "children" attributes, do we in most cases - as I have seen from experience - have to end with a "by * break" clause?

access to dn.subtree="ou=people,dc=example,dc=com" attrs=children,entry
   by dn.exact="uid=admin,ou=people,dc=example,dc=com" write
   by * break

Could the assignment of privileges to the children and/or entry attributes on some branch cause problems if we terminate there (and so implicitly prevent the evaluation of later access statements for this what/attrs combination)?

I tend to think that this is needed in cases where we want to be able to assign different privileges (for the children/entry attributes) in subordinate branches, using ACLs that follow later. But if we follow the rule "special access rules first, generic access rules last", i.e. if we place our ACLs for the entry/children of the bottom branches first in the ACL sequence, then a "by * break" clause would not be required. Is my thinking right?

And a second question:

Are there any cases where access to the "children" and "entry" attributes is determined implicitly, or must we in all cases (except, I guess, when we specify "access to *") declare access rights to these attributes explicitly?

Thanks,
Nick
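As an added illustration of the first question (not part of the thread, and not from the OpenLDAP project), the slapd.conf fragments below show three ways of writing the entry/children rule from the message and what each one does to a non-admin requester. The DNs are constructed for the example; the behaviour follows from the slapd.access(5) rule quoted in the reply (first matching <what>/<who> pair stops, default control 'stop') together with the implicit "by * none" that applies when a <what> matches but no <who> does. The three versions are alternatives, so only one of them belongs in a real configuration at a time.

```conf
# Added example, not the original poster's configuration.
# dc=example,dc=com, uid=admin and the "ordinary user" DNs are assumed.

# ---- Version A: the specific rule with no <control> clause -------------
# <what> matches every entry under ou=people for the entry/children
# pseudo-attributes.  For a bind DN other than uid=admin no <who> clause
# matches, so the implicit "by * none" applies and evaluation stops:
# "access to *" is never consulted, and an ordinary user cannot even
# read the entry pseudo-attribute (so cannot see those entries at all).
access to dn.subtree="ou=people,dc=example,dc=com" attrs=children,entry
    by dn.exact="uid=admin,ou=people,dc=example,dc=com" write

access to *
    by users read

# ---- Version B: the same rule terminated with "by * break" -------------
# uid=admin still matches the first <who> and stops with write access.
# Anyone else matches "by * break", which grants nothing but hands the
# request on, so "access to *" is reached and users get read access.
# Putting this rule first does not remove the need for break: the rule
# would still stop on the implicit "by * none" for non-admin requesters.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=children,entry
    by dn.exact="uid=admin,ou=people,dc=example,dc=com" write
    by * break

access to *
    by users read

# ---- Version C: no break, but every needed <who> listed in the rule ----
# The specific rule is self-contained and may stop; the price is that
# any later, more generic rule is irrelevant for this subtree.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=children,entry
    by dn.exact="uid=admin,ou=people,dc=example,dc=com" write
    by users read
    by * none

access to *
    by users read
```

The difference between the versions can be checked offline with slapacl(8) against the configuration file rather than by binding to a running server, for example `slapacl -f slapd.conf -D "uid=alice,ou=people,dc=example,dc=com" -b "uid=bob,ou=people,dc=example,dc=com" entry/read` (DNs assumed): with Version A it reports the entry pseudo-attribute as denied, with B or C as allowed.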