
"continue" in access control directives



This email is a bit long. In essence I want to know what the <control>
does in access directives (access to <what> [by <who> <access>
<control>]+), since it doesn't seem to be explained anywhere. The
following is an explanation of why I'd like to know. If anyone has a
better idea to accomplish my goal please feel free to tell me to stop
being stupid... 

I would like to set up access control to DNs based on group membership
(not *by* a group of admins, but *to* groups of objects). One way I
thought of doing this is to create a "memberOfGroups" attribute and
access by filter controls like this:

# rule 1
access to filter=memberOfGroup=group1
	by dn="cn=group1-admin,dc=example,dc=com" write
	by self write
	by users read
	by anonymous auth

# rule 2
access to filter=memberOfGroup=group2
	by dn="cn=group2-admin,dc=example,dc=com" write
	by self write
	by users read
	by anonymous auth

# rule 3
access to *
	by self write
	by users read
	by anonymous auth

This works fine for objects in only one group, but there is an obvious
problem when considering the following object:

dn: cn=memberofboth,dc=example,dc=com
objectclass: top
objectclass: person
cn: memberofboth
sn: Example
userPassword: <snip>
memberOfGroup: group1
memberOfGroup: group2

The problem is that access to this object is determined by rule1 even if
group2-admin binds to the LDAP server. This is all perfectly fine and
according to the description of how access control works: it stops with
the first rule that matches.

I was going to give up completely on this when I noticed that there can
be a control part of access directives ( access to <what> [by <who>
<access> <control>]+ ). One of the possible controls is temptingly
called "continue" - does anyone know what this does? What I'd like is a
statement which moves on to the next access control directive and starts
parsing again. This would allow me to do something like:

access to filter=memberOfGroup=group1
	by dn="cn=group1-admin,dc=example,dc=com" write continue

which would then grant write access to group1-admin and move on to the
other rules for anyone else.


-- 
Colin Higgs,
Chemical Engineering
University of Edinburgh                 Email:  colin.higgs@ed.ac.uk
King's Buildings, Mayfield Road,        Tel:    +44 (0)131 6508557
Edinburgh, Scotland, EH9 3JL            Fax:    +44 (0)131 6506551
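An added worked example, not part of the post above: a small Python model of how slapd selects and evaluates access directives, using the three `<control>` keywords documented in slapd.access(5). `stop` (the default) ends evaluation at the first matching `by` clause; `continue` goes on to the next `by` clause of the same directive; `break` leaves the current directive and resumes with the next `access to` directive, which is what the scheme in the post needs (the usual idiom is a trailing `by * break` clause). The entry, bind DNs and rule tables are constructed here to mirror the post; the selector helpers and `evaluate` function are this example's own, not slapd code.

```python
# Added example (not from the post or from OpenLDAP): a model of slapd-style
# access directive evaluation with the stop / continue / break controls
# documented in slapd.access(5). Entry, DNs and rule tables are constructed
# to mirror the post.

STOP, CONTINUE, BREAK = "stop", "continue", "break"

# <what> selectors: a callable taking the entry
def to_filter(attr, value):
    return lambda entry: value in entry.get(attr, [])

def to_all(entry):
    return True

# <who> selectors: callables taking (entry, bind_dn); bind_dn is None when anonymous
def by_dn(dn):
    return lambda entry, who: who == dn

def by_self(entry, who):
    return who is not None and who == entry["dn"]

def by_users(entry, who):
    return who is not None

def by_anonymous(entry, who):
    return who is None

def by_any(entry, who):          # "by *"
    return True

def evaluate(rules, entry, who):
    """Each rule is (what, [(who_selector, access, control), ...]).
    The first directive whose <what> matches the entry is selected and its
    by clauses are tried in order. On a match, stop returns the access,
    continue tries the next by clause, break resumes with the next directive.
    A selected directive in which no by clause matches denies access
    (slapd's implicit trailing 'by * none'). access=None leaves the level unchanged."""
    granted = "none"
    for what, clauses in rules:
        if not what(entry):
            continue
        matched = resume_with_next = False
        for selector, access, control in clauses:
            if not selector(entry, who):
                continue
            matched = True
            if access is not None:
                granted = access
            if control == STOP:
                return granted
            if control == BREAK:
                resume_with_next = True
                break
            # CONTINUE: fall through to the next by clause
        if not resume_with_next:
            return granted if matched else "none"
    return granted

# Constructed entry and bind DNs taken from the post
ENTRY = {"dn": "cn=memberofboth,dc=example,dc=com",
         "memberOfGroup": ["group1", "group2"]}
G1_ADMIN = "cn=group1-admin,dc=example,dc=com"
G2_ADMIN = "cn=group2-admin,dc=example,dc=com"
OTHER_USER = "cn=someone,dc=example,dc=com"

COMMON = [(by_self, "write", STOP), (by_users, "read", STOP), (by_anonymous, "auth", STOP)]

# Rules 1-3 exactly as in the post (every clause has the default control, stop)
ORIGINAL = [
    (to_filter("memberOfGroup", "group1"), [(by_dn(G1_ADMIN), "write", STOP)] + COMMON),
    (to_filter("memberOfGroup", "group2"), [(by_dn(G2_ADMIN), "write", STOP)] + COMMON),
    (to_all, COMMON),
]

# Rewritten: each group rule grants its admin and otherwise falls through
# with "by * break", so rule 3 handles everyone else.
REWRITTEN = [
    (to_filter("memberOfGroup", "group1"), [(by_dn(G1_ADMIN), "write", STOP), (by_any, None, BREAK)]),
    (to_filter("memberOfGroup", "group2"), [(by_dn(G2_ADMIN), "write", STOP), (by_any, None, BREAK)]),
    (to_all, COMMON),
]

# A single directive showing what "continue" does: a later by clause may
# override an earlier one within the same directive.
CONTINUE_DEMO = [
    (to_all, [(by_users, "read", CONTINUE), (by_dn(G2_ADMIN), "write", STOP)]),
]

def access_table(rules):
    """Access level each bind identity gets on ENTRY under the given rules."""
    return {name: evaluate(rules, ENTRY, who) for name, who in
            [("group1-admin", G1_ADMIN), ("group2-admin", G2_ADMIN),
             ("self", ENTRY["dn"]), ("other user", OTHER_USER), ("anonymous", None)]}

if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL), ("break", REWRITTEN), ("continue", CONTINUE_DEMO)]:
        print(label, access_table(rules))
```

Under `ORIGINAL`, group2-admin only gets `read` on the entry, because rule 1 is selected by the filter and its `by users read` clause stops evaluation; under `REWRITTEN`, the `by * break` clause hands non-admins on to the following directives, so group2-admin gets `write` from rule 2 and everyone else is handled by rule 3.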