Re: control continue on ACL
> hello,
>
> if I understand well, ACL works as first match then stop!
> I want bound users and anonymous to read the sn & givenName attributes (plus
> others ...)
>
> access to
> attr=uid,objectclass,entry,ou,automountInformation,sn,cn,givenName,mail
> by dn="cn=admin,dc=int-evry,dc=fr" write
> by dn="cn=replicator,ou=System,dc=int-evry,dc=fr" write
> by users read
> by anonymous read
>
> then, later on in the ACL list I want the RH group to have write access
> to those 2 attributes (sn & givenName).
>
> access to
> attrs=employeeType,title,departmentNumber,givenName,sn,secretary
> by group="cn=RH,ou=Groups,dc=int-evry,dc=fr" write
> by dn.exact="cn=admin,dc=int-evry,dc=fr" write
> by dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" write
> by users read
>
> However, as my bound users get matched in the first rule (as users, as
> supposed), the ACL parser never gets to this latest "by
> group="cn=RH,ou=Groups,dc=int-evry,dc=fr" write" :-( .
>
> I don't want to move that latest ACL before the 1st one, so I tried in
> the 1st one to put "by users read continue" but I still cannot have
> write access to sn & gn; worse, I cannot even read lots of things next
> (entry is disallowed maybe?). Where does "continue" go? To the next "by
> anonymous read", or to the next "access to ...", or somewhere else?
"continue" continues processing the "by" clauses in the order they are;
"break" jumps to the following rule. The style you're using looks a bit
confusing to me. I suggest you move the attributes that are present in
both rules in a third one, which allows both write by the RH group and
read by anonymous. Finally, note that the "by users read by anonymous
read" can be replaced by "by * read".
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
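The three-rule layout the reply suggests, written out as an added slapd.conf fragment (it is not from the original thread); the DNs and attribute names are the ones from the question, and the attribute lists of the three rules are made disjoint so that first-match evaluation picks exactly one rule per attribute.

```conf
# Rule 1: attributes that only the original first rule covered.
# "entry" stays here so that every reader keeps access to the entry itself;
# without read on "entry" no attribute of the entry can be read at all.
access to attrs=uid,objectClass,entry,ou,automountInformation,cn,mail
    by dn.exact="cn=admin,dc=int-evry,dc=fr" write
    by dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" write
    by * read

# Rule 2: the attributes that appeared in BOTH original rules.
# Moving them into their own rule lets the RH group write while everybody
# (users and anonymous) keeps read, with no need for "continue".
access to attrs=sn,givenName
    by dn.exact="cn=admin,dc=int-evry,dc=fr" write
    by dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" write
    by group="cn=RH,ou=Groups,dc=int-evry,dc=fr" write
    by * read

# Rule 3: the remaining HR attributes; anonymous is not listed and so,
# matching the original second rule, gets the implicit "by * none".
access to attrs=employeeType,title,departmentNumber,secretary
    by dn.exact="cn=admin,dc=int-evry,dc=fr" write
    by dn.exact="cn=replicator,ou=System,dc=int-evry,dc=fr" write
    by group="cn=RH,ou=Groups,dc=int-evry,dc=fr" write
    by users read
```

Because each attribute now appears in exactly one "access to" rule, the order of the three rules no longer matters for these attributes; only the order of the "by" clauses inside a rule does.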