[Date Prev][Date Next]
Re: openldap access control order behavior
On Sun, Oct 23, 2016 at 11:03:55AM +0000, vvv jjj wrote:
Regarding, Using ruleset 1, 'access to *' will be evaluated first, anonymous will be given read access, and processing stops there.
In this case the "access to dn.base=ACL by users read" is not processed as the above the command "access to * by users read by anonymous read" is giving the user access to all attribute. Due to this the "access to dn.base=ACL by users read" is not processed.
Regarding, Using ruleset 2, 'access to dn.base=ACL' will be evaluated first, anonymous will be given no access (because every rule ends with an implicit 'by * none'), and processing stops there.
I understood that the "access to dn.base=ACL" gives access to user. But I did not understand why the process stops. Since we have "access to * by users read by anonymous read", does the next line access command override the above access which is given.
Every rule implicitly ends with 'by * none stop', unless you specify
otherwise. Your rule for dn.base=ACL does not specify otherwise,
therefore anonymous is assigned 'none' and processing stops. The
following line is never reached. This is for the 'ACL' entry
specifically: for any other entry (i.e. 'to *'), the 'by anonymous read'
rule would indeed be applied.