OpenLDAP Software FAQ: Controls or what to do after a match
After the <access> specification has been processed, you can specify how to proceed. These are the options:
<control> ::= [ stop | continue | break ]

The default is stop: access control processing is finished, and whatever access has been accumulated so far is the access that will be granted.

If, however, continue is specified instead, other <who> clauses will be considered.

You can also request that evaluation of this access clause stop at the matching <who> but that subsequent access clauses still be read. You do this by specifying break. This is useful if you have clauses that match this target later in your configuration and want to be able to add or remove privileges there.

Each access rule ends with an implicit by * none stop. Thus, absent explicit break <control>s, the first access rule with a matching <what> is the only one used, and if no <who> in that rule matches then no access is granted.
To join two <who> clauses with a logical AND, list them in the same by clause; this uses the builtin AND capability of access control:
    access to *
        by dn.exact="cn=foo" peername.ip="127.0.0.1" write
        by * auth
The above rule gives write privileges to the identity "cn=foo" only if the connection comes from the IP "127.0.0.1".

However, if one of the two clauses on its own should grant a fraction of the privileges granted when both match simultaneously (for instance, if the identity "cn=foo" should always get read privileges, plus write privileges when operating from IP "127.0.0.1"), the <control> clause can be of use:

    access to *
        by peername.ip="127.0.0.1" =w continue
        by dn.exact="cn=foo" +rcsx
        by * auth
The above rule gives connections coming from IP "127.0.0.1" only write privileges. The following by clause is then checked; if the identity of the connection is "cn=foo", then read, compare, search and auth privileges are added, and the checking ends. Otherwise, the checking continues on the last by clause, which resets the permissions and only gives auth privileges.
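The following is an added example, not part of the FAQ answer or of slapd's own code: a small Python model of the evaluation walk described above, covering both the break semantics (a later access rule adding or removing privileges) and the continue example with incremental =/+ privileges. It understands only the subset needed here: dn.exact and peername.ip <who> tests, the none/auth/compare/search/read/write levels without disclose or manage, the =/+/- incremental specs, the three <control> values and the implicit by * none stop. The two rule sets from the text are transcribed verbatim; the third, two-directive rule set that exercises break is constructed for the example.

```python
# Added example: a simplified model of slapd ACL evaluation (not slapd's code).
from dataclasses import dataclass

# Privilege letters used here: w write, r read, s search, c compare, x auth.
# Each level implies the ones below it (slapd's disclose/manage levels are omitted).
LEVELS = {
    "none":    "",
    "auth":    "x",
    "compare": "cx",
    "search":  "scx",
    "read":    "rscx",
    "write":   "wrscx",
}

@dataclass(frozen=True)
class Request:
    dn: str   # authorization DN of the connection, "" when anonymous
    ip: str   # peer IP address

@dataclass
class By:
    who: dict              # ANDed conditions, e.g. {"dn.exact": "cn=foo"}; {"*": None} matches anyone
    access: str            # a level ("write") or an incremental spec ("=w", "+rcsx", "-r")
    control: str = "stop"  # stop | continue | break

@dataclass
class Access:
    what: str              # target; this model only understands "*"
    by: list

IMPLICIT_TAIL = By({"*": None}, "none", "stop")   # every access rule ends with this

def who_matches(who, req):
    """All conditions in a by clause must hold (logical AND); order does not matter."""
    for kind, value in who.items():
        if kind == "*":
            continue
        elif kind == "dn.exact":
            if req.dn != value:
                return False
        elif kind == "peername.ip":
            if req.ip != value:
                return False
        else:
            raise ValueError(f"who clause not supported by this model: {kind}")
    return True

def apply_access(spec, granted):
    """A level replaces the accumulated mask; =, + and - set, add or remove letters."""
    if spec[0] == "=":
        return set(spec[1:])
    if spec[0] == "+":
        return granted | set(spec[1:])
    if spec[0] == "-":
        return granted - set(spec[1:])
    return set(LEVELS[spec])

def evaluate(acl, req):
    """Return the set of privilege letters the rule list grants to req."""
    granted = set()
    for directive in acl:
        if directive.what != "*":
            continue
        for clause in directive.by + [IMPLICIT_TAIL]:
            if not who_matches(clause.who, req):
                continue
            granted = apply_access(clause.access, granted)
            if clause.control == "stop":
                return granted
            if clause.control == "break":
                break          # leave this rule; the next matching rule may adjust the mask
            # "continue": keep testing the remaining by clauses of this rule
    return granted

def privs(acl, req):
    """Granted privileges as a sorted string, e.g. 'crswx'."""
    return "".join(sorted(evaluate(acl, req)))

# The two rule sets from the FAQ text.
ACL_AND = [Access("*", [
    By({"dn.exact": "cn=foo", "peername.ip": "127.0.0.1"}, "write"),
    By({"*": None}, "auth"),
])]

ACL_CONTINUE = [Access("*", [
    By({"peername.ip": "127.0.0.1"}, "=w", "continue"),
    By({"dn.exact": "cn=foo"}, "+rcsx"),
    By({"*": None}, "auth"),
])]

# Constructed rule set for break: the first rule grants cn=foo read and breaks out;
# the second adds write for local connections and removes read for all others.
ACL_BREAK = [
    Access("*", [
        By({"dn.exact": "cn=foo"}, "read", "break"),
        By({"*": None}, "auth"),
    ]),
    Access("*", [
        By({"peername.ip": "127.0.0.1"}, "+w"),
        By({"*": None}, "-r"),
    ]),
]

if __name__ == "__main__":
    requests = [Request("cn=foo", "127.0.0.1"), Request("cn=foo", "10.0.0.5"), Request("", "127.0.0.1")]
    for name, acl in (("AND", ACL_AND), ("continue", ACL_CONTINUE), ("break", ACL_BREAK)):
        for req in requests:
            print(f"{name:9} {req.dn or '(anonymous)':12} from {req.ip:10} -> {privs(acl, req) or '(none)'}")
```

Walking the continue rule set with the model shows the point made in the text: "cn=foo" from a remote address ends with rcsx (no write), an anonymous local connection gets =w and then has it reset to x by the final by * auth, and only "cn=foo" from 127.0.0.1 keeps all of wrscx. In the break rule set, an anonymous connection never reaches the second rule at all, because the by * auth clause that matched it carries the default stop.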

Note that when multiple clauses in a by clause are ANDed, they are not evaluated in the order given in the access rule, but in a fixed order. Each clause type can appear at most once in a by clause.

Currently (2.3beta), the clause types are evaluated in the order:

  • DN pattern
  • sockurl
  • domain
  • peername
  • sockname
  • dnattr
  • group
  • set
  • [transport,tls,sasl]ssf
  • dynacl/ACI (if enabled/configured at compile time)

jsanchez@openldap.org, ando@sys-net.it, kpinc@artic.edu
This document is: http://www.openldap.org/faq/index.cgi?file=454
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org