
RE: ACL questions. Answered (long)



> -----Original Message-----
> From: Diego Julian Remolina [mailto:dijuremo@math.gatech.edu]

> Actually what you suggested is not really working, see my 2 cases.  I
> still need anonymous access to read entries for things like
> phone numbers,
> addresses, etc.
>
> Case 1. Using by * auth break on ou=People which you say
> makes no sense
> actually works.
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * auth
>
> access to dn.children="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSamAccount
>         by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * auth break
>
> access to *
>         by * read

This is a completely different situation from the ACL you posted before. If
you want "by * read" then you should state that explicitly. Liberal use of
"break" statements makes the flow of control difficult to understand, and you
will regret it months from now when you need to make an update to your rules.

access to attrs=userPassword
	by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * auth

access to dn.children="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSamAccount
	by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * read

access to *
	by * read

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
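The evaluation order behind Howard's objection, as an added example that is not code from the thread or from OpenLDAP: a small Python model of how slapd picks the first access directive whose target matches an (entry, attribute) pair, tries that directive's by clauses in order, and either stops or, on "break", carries on with the next directive. It is run over both rule sets from the thread. The entry uid=jdoe and the list of requests are constructed for the example; the second rule set is the original with only `by * auth break` replaced by `by * read` (it keeps the full password attribute list from the original posting), so the comparison isolates the clause under discussion. Treating dn= and dn.exact= alike, plain case-insensitive string matching, and "deny when no directive matches" are simplifications of this model, not slapd's exact behaviour.

```python
"""Toy model of slapd ACL evaluation for the two rule sets in the thread.
Added example; not from the thread or from OpenLDAP. Models the subset of
slapd.access(5) semantics the thread relies on (see the comments below).
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Access levels in slapd's order; a clause grants a request if its level
# is at least the level requested.
LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6}


@dataclass
class ByClause:
    who: str               # "*" or a lower-cased exact DN (dn= and dn.exact= treated alike: assumption)
    level: str             # key of LEVELS
    control: str = "stop"  # stop (default) | continue | break


@dataclass
class AccessRule:
    children_of: Optional[str] = None   # dn.children="..." target, None = any entry
    attrs: Optional[Set[str]] = None    # attrs=... target, None = any attribute
    by: List[ByClause] = field(default_factory=list)


def parse_acl(text):
    """Parse the slapd.conf subset used in the thread into AccessRule objects."""
    logical = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and logical:      # slapd.conf: whitespace-led line continues the previous one
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    rules = []
    for line in logical:
        toks = shlex.split(line)              # handles the quoted DNs
        if toks[:2] != ["access", "to"]:
            raise ValueError(f"not an access directive: {line}")
        rule, i = AccessRule(), 2
        while i < len(toks) and toks[i] != "by":
            tok = toks[i]
            if tok.startswith("dn.children="):
                rule.children_of = tok.split("=", 1)[1].lower()
            elif tok.startswith("attrs="):
                rule.attrs = {a.lower() for a in tok.split("=", 1)[1].split(",")}
            elif tok != "*":
                raise ValueError(f"unsupported target: {tok}")
            i += 1
        while i < len(toks):
            if toks[i] != "by" or i + 2 >= len(toks) or toks[i + 2] not in LEVELS:
                raise ValueError(f"malformed by clause in: {line}")
            who, level, control = toks[i + 1], toks[i + 2], "stop"
            if i + 3 < len(toks) and toks[i + 3] in ("stop", "continue", "break"):
                control, i = toks[i + 3], i + 1
            if who.startswith(("dn.exact=", "dn=")):
                who = who.split("=", 1)[1].lower()
            rule.by.append(ByClause(who, level, control))
            i += 3
        rules.append(rule)
    return rules


def evaluate(rules, entry_dn, attr, requester, wanted):
    """Return (granted, trace) for `requester` (bound DN, or None for anonymous)
    asking for level `wanted` on attribute `attr` of entry `entry_dn`."""
    entry_dn, attr = entry_dn.lower(), attr.lower()
    requester = requester.lower() if requester else None
    level, trace = None, []
    for n, rule in enumerate(rules, 1):
        # First directive whose target matches the (entry, attribute) pair is used.
        if rule.children_of is not None and not entry_dn.endswith("," + rule.children_of):
            continue
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        last = None
        for clause in rule.by:                # first matching by clause decides
            if clause.who != "*" and clause.who != requester:
                continue
            last, level = clause, clause.level
            trace.append(f"rule {n}: by {clause.who} {clause.level} {clause.control}")
            if clause.control != "continue":
                break
        if last is None:                      # no by clause matched: slapd denies
            trace.append(f"rule {n}: no by clause matched, denied")
            return False, trace
        if last.control != "break":           # stop: decide now; break: try the next directive
            return LEVELS[level] >= LEVELS[wanted], trace
    if level is None:                         # never reached here: both sets end with "access to *"
        return False, trace + ["no directive matched, denied (model simplification)"]
    return LEVELS[level] >= LEVELS[wanted], trace


# Constructed from the thread; the second set changes only the clause under discussion.
ORIGINAL_ACL = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth

access to dn.children="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSamAccount
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth break

access to *
        by * read
"""
EXPLICIT_ACL = ORIGINAL_ACL.replace("by * auth break", "by * read")

SAMBAROOT = "uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu"
JDOE = "uid=jdoe,ou=People,dc=math,dc=gatech,dc=edu"   # constructed entry, not from the thread
REQUESTS = [  # (requester or None for anonymous, entry, attribute, wanted level); constructed
    (None, JDOE, "telephoneNumber", "read"),
    (None, JDOE, "sambaSamAccount", "read"),
    (None, JDOE, "sambaSamAccount", "write"),
    (None, JDOE, "userPassword", "read"),
    (None, JDOE, "sambaNTPassword", "read"),
    (None, JDOE, "userPassword", "auth"),
    (SAMBAROOT, JDOE, "sambaSamAccount", "write"),
]


def compare(original_text=ORIGINAL_ACL, explicit_text=EXPLICIT_ACL, requests=REQUESTS):
    """Evaluate each request under both rule sets and return the decisions with traces."""
    a, b = parse_acl(original_text), parse_acl(explicit_text)
    rows = []
    for requester, entry, attr, wanted in requests:
        ga, ta = evaluate(a, entry, attr, requester, wanted)
        gb, tb = evaluate(b, entry, attr, requester, wanted)
        rows.append({"request": (requester, entry, attr, wanted), "original": ga,
                     "explicit": gb, "trace_original": ta, "trace_explicit": tb})
    return rows


if __name__ == "__main__":
    for row in compare():
        who = row["request"][0] or "anonymous"
        print(f"{who} {row['request'][3]} {row['request'][2]}: "
              f"original={row['original']} explicit={row['explicit']}")
        print("    original:", " -> ".join(row["trace_original"]))
        print("    explicit:", " -> ".join(row["trace_explicit"]))
```

Every request gets the same decision under both rule sets; the difference is only in the trace, where the "auth break" version reaches anonymous read of sambaSamAccount by falling through to `access to *`, while the explicit version decides it in the directive where a reader would look for it. The parser also joins continuation lines the way slapd.conf does, so an `attrs=` selector that has been wrapped onto a line without leading whitespace (as mail clients tend to do) is rejected rather than silently parsed as something else.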