Pierangelo Masarati wrote:
On a related note, I see that the current implementation of ACIs relies on the ordering of multivalued attributes; in fact, ACI values are evaluated in the order they appear, and as soon as one matches, the checking terminates; of course, writing ACIs with different values of the OpenLDAPaci attribute that overlap would be considered wrong, but in any case it is possible and I guess in some cases it may also be considered desirable (I didn't consider this enough to exclude that possibility).
I overlooked the design; the above is only partially true, in the sense that all rules (i.e. all values) are evaluated for a single object; what I haven't understood yet is if the order in which they are evaluated is irrelevant or may alter the resulting permissions.
Grabbed example data (and snipped lines) from
http://www.openldap.org/faq/data/cache/634.html:
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=enterprise [..]
OpenLDAPaci: 2#entry#grant;r,w,s,c;[all]#group#cn=dallas [..]
OpenLDAPaci: 3#entry#grant;r,w,s,c;userPassword,mail; [..]
OpenLDAPaci: 4#entry#grant;r,s,c;[all]#group#cn=all [..]
^^^
AFAICS the prefixed numbers preserve the ACI evaluation order. So there is an order defined for the values themselves, together with its semantics. However, there is no defined order in which the values are stored or transmitted over LDAP.
Didn't we have this topic before...?
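As an added illustration of the question raised in the thread (this is not code from the thread or from OpenLDAP), the following Python parses OpenLDAPaci values in the `<oid>#<scope>#<rights>#<type>#<subject>` shape quoted above and compares two hypothetical evaluation models: first match in stored order, and all values evaluated with grants merged. The group DNs, the shuffled storage order and the subset of values used are constructed.

```python
from collections import namedtuple

# Constructed sample values modelled on the FAQ excerpt quoted in the thread.
# The DNs are made up, and the list deliberately does NOT follow the numeric
# prefix, since LDAP defines no storage or transmission order for values.
STORED_VALUES = [
    "4#entry#grant;r,s,c;[all]#group#cn=all,ou=groups,dc=example,dc=com",
    "1#entry#grant;r,w,s,c;[all]#group#cn=enterprise,ou=groups,dc=example,dc=com",
    "2#entry#grant;r,w,s,c;[all]#group#cn=dallas,ou=groups,dc=example,dc=com",
]

Aci = namedtuple("Aci", "oid scope action perms attrs subject_type subject")


def parse_aci(value):
    """Split <oid>#<scope>#<action>;<perms>;<attrs>#<subject type>#<subject>."""
    oid, scope, rights, subject_type, subject = value.split("#", 4)
    action, perms, attrs = rights.split(";", 2)
    return Aci(int(oid), scope, action, frozenset(perms.split(",")),
               attrs, subject_type, subject)


def by_prefix(acis):
    """Restore the order the numeric prefix encodes, whatever order LDAP gave."""
    return sorted(acis, key=lambda a: a.oid)


def applies(aci, groups):
    # Only group subjects are modelled here; the thread's examples use only those.
    return aci.subject_type == "group" and aci.subject in groups


def first_match(acis, groups):
    """Model A (hypothetical): stop at the first applicable value."""
    for aci in acis:
        if applies(aci, groups):
            return set(aci.perms)
    return set()


def union_all(acis, groups):
    """Model B (hypothetical): evaluate every value and merge the grants."""
    perms = set()
    for aci in acis:
        if applies(aci, groups):
            perms |= aci.perms
    return perms


def compare(groups, values=STORED_VALUES):
    """Return each model's result for the stored order and the prefix order."""
    acis = [parse_aci(v) for v in values]
    return {
        "first_match_stored": first_match(acis, groups),
        "first_match_prefix": first_match(by_prefix(acis), groups),
        "union_stored": union_all(acis, groups),
        "union_prefix": union_all(by_prefix(acis), groups),
    }
```

For a member of both cn=all and cn=enterprise, model A yields different permissions depending on which order the values arrive in, while model B gives the same set either way; with only grants in play, that is exactly the distinction the thread is asking about.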