
Re: control continue on ACL



> hello,
>
> if I understand well, ACL works as first match, then stop!
> I want bound users and anonymous to read the sn & givenName attributes (plus
> others ...)
>
> access to
> attr=uid,objectclass,entry,ou,automountInformation,sn,cn,givenName,mail
>         by dn="cn=admin,dc=int-evry,dc=fr" write
>         by dn="cn=replicator,ou=System,dc=int-evry,dc=fr" write
>         by users read
>         by anonymous read
>
> then, later on in the ACL list I want the RH group to have write access
> to those 2 attributes (sn & givenName).
>
> access to
>         attrs=employeeType,title,departmentNumber,givenName,sn,secretary
>         by group="cn=RH,ou=Groups,dc=int-evry,dc=fr" write
>         by dn.exact="cn=admin,dc=int-evry,dc=fr" write
>         by dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" write
>         by users read
>
> However, as my bound users get matched in the first rule (as users, as
> supposed), the ACL parser never gets to this latest "by
> group="cn=RH,ou=Groups,dc=int-evry,dc=fr" write" :-( .
>
> I don't want to move that latest ACL before the 1st one, so I tried in
> the 1st one to put "by users read continue" but I still cannot have
> write access to sn & gn; worse, I cannot even read lots of things next
> (entry is disallowed maybe?). Where does "continue" go? To the next "by
> anonymous read", to the next "access to ...", or somewhere else?

"continue" continues processing the "by" clauses in the order they are;
"break" jumps to the following rule.  The style you're using looks a bit
confusing to me.  I suggest you move the attributes that are present in
both rules in a third one, which allows both write by the RH group and
read by anonymous.  Finally, note that the "by users read by anonymous
read" can be replaced by "by * read".

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
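The three-rule layout the reply suggests, written out as an added slapd.conf example (not part of the original messages). The DNs, group and attribute names are the ones quoted in the question; the admin and replicator `by` clauses are kept as the question had them.

```conf
# Rule 1: the attributes that appeared in both of the original rules.
# Evaluation stops at the first "access to" whose target matches, so
# sn and givenName are listed here only and nowhere else; the RH group
# gets write, everyone else (users and anonymous) gets read via "by *".
access to attrs=sn,givenName
        by dn.exact="cn=admin,dc=int-evry,dc=fr" write
        by dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" write
        by group="cn=RH,ou=Groups,dc=int-evry,dc=fr" write
        by * read

# Rule 2: the remaining generally readable attributes from the first
# original rule.  "entry" stays here so that entries are returned at all.
# "by users read" + "by anonymous read" collapsed to "by * read".
access to attrs=uid,objectclass,entry,ou,automountInformation,cn,mail
        by dn.exact="cn=admin,dc=int-evry,dc=fr" write
        by dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" write
        by * read

# Rule 3: the HR-only attributes from the second original rule.
# Only authenticated users may read them; anonymous falls through to
# the implicit default (no access).
access to attrs=employeeType,title,departmentNumber,secretary
        by group="cn=RH,ou=Groups,dc=int-evry,dc=fr" write
        by dn.exact="cn=admin,dc=int-evry,dc=fr" write
        by dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" write
        by users read
```

Because the three attribute sets are disjoint, no "continue" or "break" is needed: each attribute is governed by exactly one rule, so the order of the rules among themselves no longer matters.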