"continue" in access control directives
This email is a bit long. In essence I want to know what the <control>
does in access directives (access to <what> [by <who> <access>
<control>]+), since it doesn't seem to be explained anywhere. The
following is an explanation of why I'd like to know. If anyone has a
better idea to accomplish my goal please feel free to tell me to stop
being stupid...
I would like to set up access control to DNs based on group membership
(not *by* a group of admins, but *to* groups of objects). One way I
thought of doing this is to create a "memberOfGroup" attribute and
access by filter controls like this:
# rule 1
access to filter=memberOfGroup=group1
    by dn="cn=group1-admin,dc=example,dc=com" write
    by self write
    by users read
    by anonymous auth
# rule 2
access to filter=memberOfGroup=group2
    by dn="cn=group2-admin,dc=example,dc=com" write
    by self write
    by users read
    by anonymous auth
# rule 3
access to *
    by self write
    by users read
    by anonymous auth
This works fine for objects in only one group, but there is an obvious
problem when considering the following object:
dn: cn=memberofboth,dc=example,dc=com
objectclass: top
objectclass: person
cn: memberofboth
sn: Example
userPassword: <snip>
memberOfGroup: group1
memberOfGroup: group2
The problem is that access to this object is determined by rule 1 even if
group2-admin binds to the LDAP server. This is all perfectly fine and
according to the description of how access control works: it stops with
the first rule that matches.
I was going to give up completely on this when I noticed that there can
be a control part of access directives ( access to <what> [by <who>
<access> <control>]+ ). One of the possible controls is temptingly
called "continue" - does anyone know what this does? What I'd like is a
statement which moves on to the next access control directive and starts
parsing again. This would allow me to do something like:
access to filter=memberOfGroup=group1
    by dn="cn=group1-admin,dc=example,dc=com" write continue
which would then grant write access to group1-admin and move on to the
other rules for anyone else.
--
Colin Higgs,
Chemical Engineering
University of Edinburgh
King's Buildings, Mayfield Road,
Edinburgh, Scotland, EH9 3JL
Email: colin.higgs@ed.ac.uk
Tel: +44 (0)131 6508557
Fax: +44 (0)131 6506551
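Added example (not part of Colin's post): a small Python model of how slapd walks `access to <what> by <who> <access> [<control>]` directives, written from the editor's reading of slapd.access(5). In that reading the first directive whose `<what>` matches the entry is used; within it the first matching `<by>` clause sets the privilege; `stop` (the default) ends evaluation, `continue` goes on to the next `<by>` clause of the *same* directive, `break` goes on to the *next* directive, and a directive in which no clause ends with `stop` behaves as if `by * none` were appended. The entry, the three posted rules, the proposed `write continue` variant and a `break`-based variant are all constructed here for the demonstration; `evaluate` returning `"none"` when no directive matches at all is a simplification of the model, not a statement about slapd's global default.

```python
# Model of slapd access-directive evaluation (editor's example, not slapd code).
from dataclasses import dataclass

# Privilege levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str                 # "self", "users", "anonymous", "*" or 'dn="<dn>"'
    access: str              # one of LEVELS
    control: str = "stop"    # "stop" (default), "continue" or "break"


@dataclass
class Rule:
    what: str                # "*" or "filter=<attr>=<value>" (equality only)
    by: list


def what_matches(what, entry):
    if what == "*":
        return True
    attr, value = what[len("filter="):].split("=", 1)
    return value in entry.get(attr, [])


def who_matches(who, entry, bind_dn):
    """bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry["dn"].lower()
    if who.startswith("dn="):
        return bind_dn is not None and who[3:].strip('"').lower() == bind_dn.lower()
    raise ValueError("unsupported <who>: " + who)


def evaluate(rules, entry, bind_dn):
    """Return the privilege level bind_dn ends up with on entry."""
    granted = "none"
    for rule in rules:
        if not what_matches(rule.what, entry):
            continue
        control = None
        for clause in rule.by:
            if not who_matches(clause.who, entry, bind_dn):
                continue
            granted, control = clause.access, clause.control
            if control != "continue":
                break
        if control == "break":
            continue               # skip to the next access directive
        if control == "stop":
            return granted
        return "none"              # no clause stopped: implicit "by * none"
    return granted                 # model simplification when nothing stops


# Constructed entry from the post: a person in both groups.
MEMBER_OF_BOTH = {
    "dn": "cn=memberofboth,dc=example,dc=com",
    "objectClass": ["top", "person"],
    "cn": ["memberofboth"],
    "sn": ["Example"],
    "memberOfGroup": ["group1", "group2"],
}
G1 = 'dn="cn=group1-admin,dc=example,dc=com"'
G2 = 'dn="cn=group2-admin,dc=example,dc=com"'
COMMON = [By("self", "write"), By("users", "read"), By("anonymous", "auth")]


def posted_rules():
    """Rules 1-3 exactly as written in the post."""
    return [Rule("filter=memberOfGroup=group1", [By(G1, "write")] + COMMON),
            Rule("filter=memberOfGroup=group2", [By(G2, "write")] + COMMON),
            Rule("*", COMMON)]


def continue_rules():
    """The proposed 'write continue' line on rule 1, everything else unchanged."""
    rules = posted_rules()
    rules[0].by[0] = By(G1, "write", "continue")
    return rules


def fallthrough_rules():
    """Per-group admin directives that hand non-admins on to the next directive."""
    return [Rule("filter=memberOfGroup=group1", [By(G1, "write"), By("*", "none", "break")]),
            Rule("filter=memberOfGroup=group2", [By(G2, "write"), By("*", "none", "break")]),
            Rule("*", COMMON)]


if __name__ == "__main__":
    for name, rules in [("posted", posted_rules()), ("continue", continue_rules()),
                        ("break", fallthrough_rules())]:
        for who in ["cn=group1-admin,dc=example,dc=com", "cn=group2-admin,dc=example,dc=com",
                    MEMBER_OF_BOTH["dn"], None]:
            print(f"{name:9s} {who or 'anonymous':40s} -> {evaluate(rules, MEMBER_OF_BOTH, who)}")
```

Under this model the posted rules give group2-admin only `read` on `cn=memberofboth`, as the post describes, and the proposed `write continue` line makes things worse for group1-admin: after the `continue` the later `by users read` clause also matches and replaces `write` with `read`. Moving on to the next access directive is what `break` does, which is why the third rule set uses `by * none break` to hand everyone other than the group's admin to the following directive. Confirm the behaviour on a real server with slapacl(8) before relying on it.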