
Re: Mixed ACL by group & peername



Saket Sathe wrote:

Hi Gary,

Take a look. Hope it helps:
http://www.openldap.org/faq/data/cache/454.html


That FAQ is unnecessarily verbose (I might have written it myself, I'm not sure). The same result is obtained by simply listing all the requirements in the same "by" clause:

access to *
        by dn.exact="cn=foo" write continue
        by peername.ip="127.0.0.1" +0


is equivalent to

access to *
        by dn.exact="cn=foo" peername.ip="127.0.0.1" write


In terms of efficiency, they might be roughly equivalent, but the latter looks cleaner. However, note that in the latter case, the order in which "dn" and "peername" are evaluated in the "by" clause is not that indicated in the "access" rule, but it's hardcoded, i.e. "by" types in rules that use more than one, like the above, are evaluated in a fixed order (looking at the code, currently the order is: DN, sockurl, domain, peername, sockname, dnattr, group, set, {transport,tls,sasl}ssf, dynacl/aci). I'll fix the FAQ and other docs ASAP.


p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
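The two ACL fragments above are claimed to be equivalent; the following is an added example (not from the thread or from OpenLDAP itself) that models, in Python, just enough of slapd's "by" clause evaluation to show why. The model is an assumption drawn from slapd.access(5), not the real acl.c: clauses are tried in written order, a matching clause applies its privilege level or "+"/"-" increment, "continue" keeps evaluating, and running off the end of the directive without a terminal match falls through to the implicit "by * none". Within one clause the "who" tests are checked in a fixed order (here only dn and peername, in the order the post gives them). The requester dicts and the names `FAQ_STYLE`, `COMBINED`, `evaluate` and `compare_forms` are constructed for this example.

```python
from typing import Dict, List, Set

# Privilege sets for slapd's named access levels, each including the lower
# ones (none < disclose < auth < compare < search < read < write).
LEVELS: Dict[str, Set[str]] = {
    "none": set(),
    "disclose": {"d"},
    "auth": {"x", "d"},
    "compare": {"c", "x", "d"},
    "search": {"s", "c", "x", "d"},
    "read": {"r", "s", "c", "x", "d"},
    "write": {"w", "r", "s", "c", "x", "d"},
}

# Fixed order in which the "who" tests of one clause are applied
# (assumption: the two types used in the thread, in the order the post lists).
WHO_ORDER = ("dn", "peername")


def clause_matches(clause: Dict, request: Dict[str, str]) -> bool:
    """Every 'who' condition present in the clause must match the requester."""
    for key in WHO_ORDER:
        if key in clause and clause[key] != request.get(key):
            return False
    return True


def apply_access(current: Set[str], spec: str) -> Set[str]:
    """Apply a level ('write') or an increment ('+0', '+w', '-w') to a set."""
    if spec[0] in "+-":
        privs = set(spec[1:]) - {"0"}   # "+0" names no privilege at all
        return (current | privs) if spec[0] == "+" else (current - privs)
    return set(LEVELS[spec])


def evaluate(clauses: List[Dict], request: Dict[str, str]) -> Set[str]:
    """Evaluate the 'by' clauses of one 'access to' directive for a requester."""
    acc: Set[str] = set()
    for clause in clauses:
        if not clause_matches(clause, request):
            continue
        acc = apply_access(acc, clause["access"])
        if clause.get("control", "stop") != "continue":
            return acc          # terminal clause: result is what was accumulated
    # No terminal clause matched: the accumulated privileges are discarded
    # and the implicit "by * none" applies (assumption about slapd behaviour).
    return set()


# The FAQ-style directive: grant write, keep going, then require the peername.
FAQ_STYLE: List[Dict] = [
    {"dn": "cn=foo", "access": "write", "control": "continue"},
    {"peername": "127.0.0.1", "access": "+0"},
]

# The single-clause form from the post: both conditions in one "by".
COMBINED: List[Dict] = [
    {"dn": "cn=foo", "peername": "127.0.0.1", "access": "write"},
]


def compare_forms(request: Dict[str, str]):
    """Return (FAQ-style result, combined-form result) for one requester."""
    return evaluate(FAQ_STYLE, request), evaluate(COMBINED, request)


if __name__ == "__main__":
    # Constructed requesters covering every combination of the two conditions.
    for req in (
        {"dn": "cn=foo", "peername": "127.0.0.1"},
        {"dn": "cn=foo", "peername": "10.0.0.5"},
        {"dn": "cn=bar", "peername": "127.0.0.1"},
        {"dn": "cn=bar", "peername": "10.0.0.5"},
    ):
        faq, combined = compare_forms(req)
        print(req, sorted(faq), sorted(combined), "same" if faq == combined else "DIFFER")
```

Only the requester that satisfies both the DN and the peername ends up with write privileges under either form; a requester with the right DN from the wrong address accumulates write via "continue" in the FAQ style but then falls through to the implicit deny, which is exactly what the combined clause does by simply not matching.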