
Re: OpenLDAP 2.0 beta and ACLs



At 10:17 AM 7/14/00 +0200, Stephan Siano wrote:
>I have a question about ACLs in the OpenLDAP 2.0 beta.
>
>I'm currently trying to set up ACLs with OpenLDAP 2.0; they seem to have
>changed somehow since OpenLDAP 1.2 (and the slapd and slurpd administrators'
>guide). Especially, I didn't manage to figure out how the new keywords
>stop, break and continue are supposed to work.

These are primarily meant to be used in conjunction with ACIs.
If you are not using ACIs, I suggest you do not specify a
control keyword (defaults to 'stop') which is 1.x behavior.
If you are using ACIs, I suggest you only use the control
keywords as needed to support ACIs.

The test suite contains some examples which might be instructive.


>The following ACLs work somehow.
>access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
>        attrs=entry,objectclass,uid by dn=".*,ou=apps,dc=suse,dc=com"
>read continue

You've continued into the implicit "by * none".  Use break if you
want to step out of this access directive and continue on.

>access to dn=".*,ou=a,dc=t-online,dc=com|.*,ou=b,dc=suse,dc=com"
>        attrs=cn,sn by dn="cn=sampleapp,ou=apps,dc=suse,dc=com" read
>stop
>access to *
>        by dn="cn=admin,dc=suse,dc=com" write stop
>        by * auth
>stop
>
>The user "cn=sampleapp,ou=apps,dc=suse,dc=com" can bind to the directory
>and read the attributes objectclass,uid,cn and sn from the objects below
>ou=a,dc=suse,dc=com and ou=b,dc=suse,dc=com. However,
>"cn=admin,dc=suse,dc=com" cannot read these objects (but all other
>objects in the directory tree). Why is that the case?
>
>If I move the last access statement to the beginning admin will get
>access to everything but the other objects won't get any access. I think
>that behaviour is right because of the "access to * by * auth stop" ACL
>matches and prevents all other ACLs from being read.
>
>However, if I replace the stop behind the auth with a continue, no one
>can read anything at all. Is this the correct behaviour?
>
>Maybe I misunderstood the whole concept of the stop, break and continue
>keywords. Is there any documentation about it available? The manpage of
>slapd.conf says only:
>access to <what> [ by <who> <access> <control> ]+
>              Grant  access  (specified  by <access>) to a set of
>              entries and/or attributes (specified by <what>)  by
>              one  or  more requestors (specified by <who>).  See
>              Developer's FAQ (http://www.openldap.org/faq/)  for
>              details. 
>
>How do I find anything about it in the developers FAQ?

Like I said in the Beta announcement... this release is not fully
documented.


>Thanks in advance
>Stephan Siano
>
>-- 
>Stephan Siano                           Mail:  Stephan.Siano@suse.de
>SuSE Linux Solutions AG                 Phone: 06196 50951 31
>Mergenthalerallee 45-47                 Fax:   06196 409607
>D-65760 Eschborn
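As an added example (not from this thread and not OpenLDAP project configuration), here is how Stephan's ACL set could be written so that cn=admin reaches the later catch-all directive. It assumes the control semantics described in Kurt's reply: stop (the default) ends evaluation at the first matching by clause, continue goes on to the next by clause of the same access directive (ending in the implicit "by * none"), and break goes on to the next access directive. The DNs and attribute lists are taken from Stephan's post, dc=suse,dc=com is used throughout, and the explicit "by * none break" clause is the assumed idiom for falling through to later directives.

```conf
# Added example: Stephan's ACLs rewritten so that requestors not named in the
# first two directives fall through to the catch-all instead of hitting the
# implicit "by * none".  Assumes the stop/continue/break semantics given in
# Kurt's reply; "by * none break" is the assumed fall-through idiom.

# Application accounts may read a few attributes under ou=a and ou=b.
# "stop" (the default) is kept on the matching clause, so sampleapp gets
# exactly "read" here rather than continuing into the implicit "by * none".
# The final "by * none break" sends every other requestor (cn=admin included)
# on to the access directives that follow.
access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
        attrs=entry,objectclass,uid
        by dn=".*,ou=apps,dc=suse,dc=com" read stop
        by * none break

access to dn=".*,ou=a,dc=suse,dc=com|.*,ou=b,dc=suse,dc=com"
        attrs=cn,sn
        by dn="cn=sampleapp,ou=apps,dc=suse,dc=com" read stop
        by * none break

# Catch-all: the admin can write everything, everyone else may only
# authenticate.  "stop" here, not "continue": continuing past "by * auth"
# runs into the implicit "by * none" and takes even auth away, which is the
# "no one can read anything at all" effect Stephan observed.
access to *
        by dn="cn=admin,dc=suse,dc=com" write stop
        by * auth stop
```

Evaluation order with this layout: a request by cn=sampleapp for uid under ou=a matches the first directive and stops with read; a request by cn=admin for the same attribute matches no explicit by clause there, takes "by * none break" to the second directive, breaks again, and ends in the catch-all with write. After restarting slapd, an ldapsearch bound with -D "cn=admin,dc=suse,dc=com" against ou=a,dc=suse,dc=com is the quickest check that the fall-through works; the same search bound as cn=sampleapp should still return only objectclass, uid, cn and sn.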