
Re: ACIs rely on multivalue attribute order (Was: are multivalued attributes really unordered?)



Pierangelo Masarati wrote:
On a related note, I see that the current implementation of ACIs relies on
the ordering of multivalued attributes; in fact, ACI values are evaluated
in the order they appear, and as soon as one matches, the checking
terminates; of course, writing ACIs with different values of the
OpenLDAPaci attribute that overlap would be considered wrong, but in any
case it is possible and I guess in some cases it may also be considered
desirable (I didn't consider this enough to exclude that possibility).


I overlooked the design; the above is only partially true, in the sense
that all rules (i.e. all values) are evaluated for a single object; what I
haven't understood yet is if the order in which they are evaluated is
irrelevant or may alter the resulting permissions.

Grabbed example data (and snipped lines) from http://www.openldap.org/faq/data/cache/634.html:


OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise [..]
OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas [..]
OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail; [..]
OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all [..]
^^^
AFAICS the prefixed numbers preserve the ACI evaluation order. So there is an order defined for the values themselves, together with semantics. However, there is no defined order in which the values are stored or transmitted over LDAP.


Didn't we have this topic before...?

Ciao, Michael.
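To make the point of the thread concrete, here is an added example (not code from OpenLDAP or from either poster) that parses OpenLDAPaci values of the shape quoted above, evaluates them first-match in the order given, and shows that the granted rights change when the server returns the values in a different order than the numeric prefix suggests. It assumes a simplified single-clause rights field (`action;perms;attrs`), a group-only subject check, and constructed group DNs.

```python
# Added example: first-match ACI evaluation over OpenLDAPaci values.
# Assumed simplified syntax: "oid#scope#action;perms;attrs#subjtype#subject".
# Subjects, groups and the evaluator are constructed for illustration only.

def parse_aci(value):
    """Split one OpenLDAPaci value into its '#'-separated fields."""
    oid, scope, rights, subj_type, subject = value.split("#", 4)
    action, perms, attrs = rights.split(";", 2)   # single clause assumed
    return {
        "oid": int(oid),
        "scope": scope,
        "action": action,
        "perms": set(perms.split(",")),
        "attrs": [a for a in attrs.split(",") if a],
        "subject_type": subj_type,
        "subject": subject,
    }

def applies(aci, requester_groups, attr):
    """A rule applies if the requester is in its group and the attr is covered."""
    in_group = aci["subject_type"] == "group" and aci["subject"] in requester_groups
    covers_attr = "[all]" in aci["attrs"] or attr in aci["attrs"]
    return in_group and covers_attr

def first_match_perms(aci_values, requester_groups, attr):
    """Evaluate values in the order given and stop at the first applicable rule."""
    for value in aci_values:
        aci = parse_aci(value)
        if applies(aci, requester_groups, attr):
            return aci["perms"] if aci["action"] == "grant" else set()
    return set()

def sort_by_prefix(aci_values):
    """Restore the author's intended order from the numeric prefix,
    since LDAP does not guarantee the order in which values are returned."""
    return sorted(aci_values, key=lambda v: int(v.split("#", 1)[0]))

# Constructed sample modelled on the FAQ entry quoted above; note that the
# server happens to return value 4 before value 1.
ACIS = [
    "4#entry#grant;r,s,c;[all]#group#cn=all,ou=groups,dc=example,dc=com",
    "1#entry#grant;r,w,s,c;[all]#group#cn=enterprise,ou=groups,dc=example,dc=com",
]
GROUPS = {"cn=enterprise,ou=groups,dc=example,dc=com",
          "cn=all,ou=groups,dc=example,dc=com"}

if __name__ == "__main__":
    print(first_match_perms(ACIS, GROUPS, "mail"))                  # {'r','s','c'}: 'w' lost
    print(first_match_perms(sort_by_prefix(ACIS), GROUPS, "mail"))  # {'r','w','s','c'}
```

With overlapping rules, whoever relies on transport order gets different permissions on different servers or after a re-import; sorting on the prefix (or avoiding overlap) removes that ambiguity.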