
Re: <attrlist> syntax in ACLs

On Wed, Oct 15, 2014 at 11:07 AM, Michael Ströder <michael@stroeder.com> wrote:
Nikos Voutsinas wrote:
> This is an example of what would be convenient (but is currently not
> supported):
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,objectclass
> val.regex="account|simpleSecurityObject",uid,userPassword by
> dn="uid=joe,dc=foo,dc=com" read by * none stop
>
> As far as I understand the equivalent of the previous would be:
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=objectclass
> val.regex="account|simpleSecurityObject" by dn="uid=joe,dc=foo,dc=com" read
> by * none stop
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
> attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none
> stop
>
> Now, the "break" control, would let subsequent ACLs evaluate access on the
> same <what> clause, and if "break" was required for that reason in the 1st
> ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant
> with the fact that we should split the original <what> clause, since the
> <what> clauses on 2nd and 3rd ACLs are different. Isn't that so?


Frankly I don't understand your thoughts.

Mainly what you want is (line breaks for readability):

access to
  dn.subtree="ou=People,dc=foo,dc=com"
  attrs=objectclass
  val.regex="account|simpleSecurityObject"
    by dn="uid=joe,dc=foo,dc=com" read
    by * break

You are assuming that there are subsequent ACLs that are going to process the same <what> clause or a superset of it, which might or might not be true. However, for our specific example, slapd will process the subsequent (2nd) ACL no matter which control was used in the 1st ACL, because the two ACLs refer to different <what> clauses. So yes, the break control might be useful, but it is not required, at least not in our two-line example. Should I go back and read again?

access to
  dn.subtree="ou=People,dc=foo,dc=com"
  attrs=entry,uid,userPassword
    by dn="uid=joe,dc=foo,dc=com" read
    by * none

Note that ACL processing implicitly stops at every match, and that each ACL
ends with an implicit "by * none" if nothing else is defined with "by * foo" to
match all the rest.

Ciao, Michael.
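As an added illustration, not code from the thread or from OpenLDAP, the following Python model of slapd's access evaluation shows why the second directive is reached for uid/userPassword whatever control the first one uses: the first directive's <what> simply never matches those attributes, so nothing in it is selected. The model implements first-match on <what>, first-match on <who>, the stop and break controls, the implicit trailing "by * none" and the implicit final "access to * by * none", and it refuses val.regex together with more than one attribute, which is the restriction that forces the split. The DNs, attributes and regex are the ones from the thread; `By`, `Access`, `evaluate` and `thread_rules` are this example's own names, the target entry uid=bob is constructed, and the continue control and incremental (+/-) privileges are deliberately left out.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Access levels in slapd's order; a higher level implies the lower ones.
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")

JOE = "uid=joe,dc=foo,dc=com"
PEOPLE = "ou=People,dc=foo,dc=com"


@dataclass
class By:
    dn: Optional[str]       # exact requester DN, or None for "by *"
    access: str             # one of LEVELS
    control: str = "stop"   # "stop" (the default) or "break"


@dataclass
class Access:
    subtree: str                       # dn.subtree="..."
    attrs: tuple                       # attrs=... ("entry" is the entry itself)
    bys: tuple                         # ordered <who> clauses
    val_regex: Optional[str] = None    # val.regex="..."

    def __post_init__(self):
        # slapd only accepts val=... when attrs= names exactly one attribute,
        # which is why the thread's combined one-liner has to be split in two.
        if self.val_regex is not None and len(self.attrs) != 1:
            raise ValueError("val.regex requires attrs= to name a single attribute")
        for b in self.bys:
            if b.access not in LEVELS or b.control not in ("stop", "break"):
                raise ValueError(f"unsupported <who> clause: {b}")


def dn_in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def what_matches(acl, target_dn, attr, value):
    if not dn_in_subtree(target_dn, acl.subtree):
        return False
    if attr.lower() not in (a.lower() for a in acl.attrs):
        return False
    if acl.val_regex is None:
        return True
    # Unanchored search, like POSIX regexec: "account|simpleSecurityObject"
    # also matches "myaccount"; write ^...$ when the whole value is meant.
    return value is not None and re.search(acl.val_regex, value) is not None


def who_matches(by, requester_dn):
    return by.dn is None or requester_dn.lower() == by.dn.lower()


def evaluate(acls, requester_dn, target_dn, attr, value=None):
    """Return (access level, trace) for one attribute value of one entry.

    Directives are tried in order; the first whose <what> matches is selected and
    its <who> clauses are tried in order.  "stop" ends processing with that level;
    "break" keeps the level and goes on to the next directive whose <what> matches.
    """
    trace = []
    carried = None
    for n, acl in enumerate(acls, 1):
        if not what_matches(acl, target_dn, attr, value):
            trace.append(f"acl#{n}: <what> does not match, skipped")
            continue
        for by in acl.bys:
            if not who_matches(by, requester_dn):
                continue
            who = "*" if by.dn is None else f'dn="{by.dn}"'
            trace.append(f"acl#{n}: by {who} {by.access} {by.control}")
            if by.control == "stop":
                return by.access, trace
            carried = by.access   # ACL "break": keep the level, try later directives
            break                 # (Python break: leave the <who> loop)
        else:
            # No <who> matched: the implicit trailing "by * none" applies and stops.
            trace.append(f"acl#{n}: no <who> matched, implicit by * none")
            return "none", trace
    if carried is None:
        trace.append("no directive decided: implicit access to * by * none")
        return "none", trace
    trace.append(f"no further <what> matched: level {carried} from the break clause stands")
    return carried, trace


def thread_rules(control="stop"):
    """The two directives from the thread; `control` follows "by * none" in the first."""
    return [
        Access(PEOPLE, ("objectClass",),
               (By(JOE, "read"), By(None, "none", control)),
               val_regex="account|simpleSecurityObject"),
        Access(PEOPLE, ("entry", "uid", "userPassword"),
               (By(JOE, "read"), By(None, "none"))),
    ]


if __name__ == "__main__":
    bob = "uid=bob,ou=People,dc=foo,dc=com"   # constructed target entry
    for control in ("stop", "break"):
        for who, attr, val in ((JOE, "objectClass", "account"), ("", "uid", "bob")):
            level, trace = evaluate(thread_rules(control), who, bob, attr, val)
            print(f"[by * none {control}] {who or 'anonymous'} {attr}={val}: {level}")
            for line in trace:
                print("   ", line)
```

Running it prints the decision trace for joe and for an anonymous bind under both controls; the uid lookups show "acl#1: <what> does not match, skipped" in every case, and the anonymous objectClass lookup ends in "none" both with stop (implicit by * none) and with break (the level from the break clause stands because no later <what> matches).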