Re: Mixed ACL by group & peername
Saket Sathe wrote:
Hi Gary,
Take a look. Hope it helps:
http://www.openldap.org/faq/data/cache/454.html
That FAQ is unnecessarily verbose (I might have written it myself, I'm
not sure). The same result is obtained by simply listing all the
requirements in the same "by" clause:
access to *
        by dn.exact="cn=foo" write continue
        by peername.ip="127.0.0.1" +0
is equivalent to
access to *
        by dn.exact="cn=foo" peername.ip="127.0.0.1" write
In terms of efficiency, they might be roughly equivalent, but the latter
looks cleaner. However, note that in the latter case, the order in
which "dn" and "peername" are evaluated in the "by" clause is not that
indicated in the "access" rule, but it's hardcoded, i.e. "by" types in
rules that use more than one like the above are evaluated in a fixed
order (looking at the code, currently the order is: DN, sockurl, domain,
peername, sockname, dnattr, group, set, {transport,tls,sasl}ssf,
dynacl/aci). I'll fix the FAQ and other docs ASAP.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
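An added example, not OpenLDAP code and not part of this thread: a small Python model of the two points made in the reply, namely that every qualifier written in one "by" clause must match (they are ANDed) and that the qualifiers are checked in the fixed order quoted from the code, not in the order they are written. The `Connection` record, the `parse_by`/`evaluate` helpers and the trace list are invented for this example; only `dn.exact`, `peername.ip` (with the optional `%netmask` suffix), `sockurl`, `domain` and `sockname` are modelled, and qualifier values are assumed to contain no whitespace.

```python
"""Toy model of slapd <who> matching: AND semantics and fixed evaluation order.

Added example (not slapd code). Evaluation order is the one quoted in the mail;
only a handful of qualifier styles are implemented.
"""
import ipaddress
import re
from dataclasses import dataclass

# Fixed check order quoted from the code in the mail.
EVAL_ORDER = ["dn", "sockurl", "domain", "peername", "sockname",
              "dnattr", "group", "set", "ssf", "dynacl"]

# slapd access levels, lowest to highest
PRIVS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

_QUAL_RE = re.compile(r'(\w+)(?:\.(\w+))?="([^"]*)"')


@dataclass
class Connection:
    """Invented representation of what slapd knows about a request."""
    dn: str                      # authorization DN ("" = anonymous)
    peername: str                # client IP address
    sockurl: str = "ldap:///"
    domain: str = ""
    sockname: str = ""


@dataclass
class ByClause:
    quals: dict                  # qualifier kind -> (style, value)
    access: str
    source: str


def parse_by(text: str) -> ByClause:
    """Parse 'by dn.exact="cn=foo" peername.ip="127.0.0.1" write' (the 'by' is optional)."""
    tokens = text.split()
    if tokens and tokens[0] == "by":
        tokens = tokens[1:]
    if len(tokens) < 2:
        raise ValueError("a by clause needs at least a <who> and an <access>")
    *who, access = tokens
    if access not in PRIVS:
        raise ValueError(f"unsupported <access> level: {access}")
    quals = {}
    for tok in who:
        if tok == "*":
            continue                      # "anyone": nothing to check
        m = _QUAL_RE.fullmatch(tok)
        if m is None:
            raise ValueError(f"cannot parse <who> qualifier: {tok}")
        kind, style, value = m.group(1), m.group(2) or "exact", m.group(3)
        if kind not in EVAL_ORDER:
            raise ValueError(f"unknown <who> qualifier: {kind}")
        quals[kind] = (style, value)
    return ByClause(quals, access, text)


def _match(kind: str, style: str, value: str, conn: Connection) -> bool:
    """Match one qualifier against the connection (subset of slapd styles)."""
    if kind == "dn":
        if style != "exact":
            raise NotImplementedError(f"dn.{style} not modelled here")
        return conn.dn.lower() == value.lower()
    if kind == "peername":
        if style != "ip":
            raise NotImplementedError(f"peername.{style} not modelled here")
        ip, _, mask = value.partition("%")      # peername.ip=<ip>[%<netmask>]
        net = ipaddress.ip_network(f"{ip}/{mask}" if mask else ip, strict=False)
        return ipaddress.ip_address(conn.peername) in net
    if kind in ("sockurl", "domain", "sockname"):
        if style != "exact":
            raise NotImplementedError(f"{kind}.{style} not modelled here")
        return getattr(conn, kind).lower() == value.lower()
    raise NotImplementedError(f"{kind} not modelled here")


def evaluate(clauses, conn: Connection, trace=None) -> str:
    """Return the access level granted by the first fully matching clause.

    Every qualifier in a clause must match (AND); they are checked in
    EVAL_ORDER, whatever order they were written in. If a trace list is
    given, each (kind, matched) check is appended to it.
    """
    for clause in clauses:
        matched = True
        for kind in EVAL_ORDER:
            if kind not in clause.quals:
                continue
            style, value = clause.quals[kind]
            ok = _match(kind, style, value, conn)
            if trace is not None:
                trace.append((kind, ok))
            if not ok:
                matched = False
                break                     # one failed qualifier fails the clause
        if matched:
            return clause.access
    return "none"                         # slapd's implicit "by * none"


if __name__ == "__main__":
    rule = [parse_by('by dn.exact="cn=foo" peername.ip="127.0.0.1" write')]
    for conn in (Connection("cn=foo", "127.0.0.1"),
                 Connection("cn=foo", "10.0.0.5"),
                 Connection("cn=bar", "127.0.0.1")):
        print(conn.dn, conn.peername, "->", evaluate(rule, conn))
```

Running the block shows that only `cn=foo` connecting from 127.0.0.1 gets `write`; the same DN from another address, or another DN from localhost, falls through to the implicit `none`. Passing a `trace` list to `evaluate` with the qualifiers written in the opposite order (`peername.ip=... dn.exact=...`) shows `dn` being checked first and `peername` never being reached when the DN does not match, which is the fixed-order behaviour the reply describes.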