So we are going to concentrate on the static method here. The access
control definition consists of a series of clauses that are examined in
turn, in the order in which they appear in the definition files. Access
clauses appearing before the database definitions form the Global
Access List and apply to all databases, but only after the access
clauses particular to each database have been considered. Well, that's the
theory. In practice, notice that what is described here is what the
ldbm backend does; other backends will not do most of these checks.
The syntax of each access clause is as follows:
<access clause> ::= access to <what> [ by <who> <access> <control> ]+
Well, that was easy: we specify an access target, and then a list of
triplets composed of a subject specification, an access rights
specification to assign in case the subject matches, and a control that
specifies what to do after a match. For the time being, assume that
the control is stop, which is the default (and the only
possibility in older OpenLDAP versions) and means that all access
control processing stops here: no further subjects will be considered
in this clause and no other clauses will be considered. In other
words, by default, all access control to some item is specified in
just one access clause: access rights you forgot to set here cannot be
set later, even if a later access clause would seem to include this
one. So in most cases you will work from the most specific to the
most general. We will see later that this is not the only
possibility, but it is the most common one, and most examples are written
this way.
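The evaluation order described above (database clauses before the Global Access List, first matching "to" clause decides, first matching "by" subject decides, stop control) is easy to get wrong when writing slapd.conf, so here is a small Python model of it. This is an added example written for this page; it is not OpenLDAP code and it does not reproduce slapd's full <what>/<who> grammar. It assumes only the forms "*", "attrs=...", "dn.subtree=..." for the target and "*", "anonymous", "users", "self", "dn=..." for the subject, models only the stop control, treats a matched clause with no matching subject as the implicit "by * none", and treats "no clause matched at all" as denial (a simplification; slapd's own defaults are not covered by this page). All DNs and clauses are constructed sample data.

```python
import shlex

# Access levels from weakest to strongest: a grant at one level also
# satisfies a request for any weaker level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def _fold_lines(text):
    """Drop comments and blank lines, and fold slapd.conf-style
    continuation lines (leading whitespace) into the preceding directive."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_acl(text):
    """Parse 'access to <what> by <who> <access> [stop]' directives into a
    list of (what, [(who, level), ...]) tuples in the order written."""
    directives = []
    for line in _fold_lines(text):
        tokens = shlex.split(line)            # strips the quotes in dn="..."
        if tokens[:2] != ["access", "to"] or len(tokens) < 3:
            raise ValueError(f"not an access directive: {line}")
        what, rest, bys, i = tokens[2], tokens[3:], [], 0
        while i < len(rest):
            if rest[i] != "by" or i + 2 >= len(rest):
                raise ValueError(f"malformed 'by' clause in: {line}")
            who, level = rest[i + 1], rest[i + 2]
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r} in: {line}")
            i += 3
            if i < len(rest) and rest[i] == "stop":  # explicit default control
                i += 1
            bys.append((who, level))
        directives.append((what, bys))
    return directives


def _what_matches(what, dn, attr):
    """Simplified <what> matcher (assumption: only these three forms)."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr in what[len("attrs="):].split(",")
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):]
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unsupported <what>: {what}")


def _who_matches(who, requester, dn):
    """Simplified <who> matcher; requester is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == dn
    if who.startswith("dn="):
        return requester == who[len("dn="):]
    raise ValueError(f"unsupported <who>: {who}")


def check_access(db_acl, global_acl, requester, dn, attr, wanted):
    """Return (granted, reason). Database clauses are consulted before the
    global ones; the first clause whose <what> matches decides, and within
    it the first matching <who> decides (the stop control)."""
    for scope, directives in (("database", db_acl), ("global", global_acl)):
        for what, bys in directives:
            if not _what_matches(what, dn, attr):
                continue
            for who, level in bys:
                if _who_matches(who, requester, dn):
                    granted = LEVELS.index(level) >= LEVELS.index(wanted)
                    return granted, f"{scope} clause 'to {what}' by {who}: {level}"
            # <what> matched but no <who> did: the implicit 'by * none'
            return False, f"{scope} clause 'to {what}': no 'by' matched"
    return False, "no clause matched (modelled here as deny)"


# Constructed slapd.conf fragment, most specific clause first.
DB_ACL = parse_acl("""
access to attrs=userPassword
    by self write
    by anonymous auth
access to *
    by self write
    by users read
""")

# The same two clauses in the wrong order: 'access to *' matches first and
# the userPassword clause is never consulted.
DB_ACL_SHADOWED = parse_acl("""
access to *
    by self write
    by users read
access to attrs=userPassword
    by self write
    by anonymous auth
""")

# Global Access List, consulted only after the database's own clauses.
GLOBAL_ACL = parse_acl("access to * by * read")

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"

if __name__ == "__main__":
    for label, acl in (("specific-first", DB_ACL), ("shadowed", DB_ACL_SHADOWED)):
        ok, why = check_access(acl, GLOBAL_ACL, BOB, ALICE, "userPassword", "read")
        print(f"{label}: bob reads alice's userPassword -> {ok} ({why})")
    ok, why = check_access(DB_ACL, GLOBAL_ACL, None, ALICE, "cn", "read")
    print(f"anonymous reads alice's cn -> {ok} ({why})")
```

Two things the model makes visible: with the clauses in the shadowed order, any authenticated user can read another user's userPassword, because "access to *" matches first and processing stops there; and an anonymous read of cn is denied even though the global "by * read" would seem to allow it, because the database's "access to *" clause already matched and had no "by" entry for anonymous. That is the "rights you forgot to set here cannot be set later" rule in action.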
jsanchez@openldap.org