[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Mixed ACL by group & peername



Pierangelo,

Thank you for the clarification.  I like the cleaner looking method.

Respectfully,


Gary


Pierangelo Masarati wrote:
Saket Sathe wrote:

Hi Gary,

Take a look. Hope it helps:
http://www.openldap.org/faq/data/cache/454.html



That FAQ is unnecessarily verbose (I might have written it myself, I'm not sure). The same result is obtained by simply listing all the requirements in the same "by" clause:


access to *
       by dn.exact="cn=foo" write *continue*
       by peername.ip="127.0.0.1" +0
is equivalent to

access to *
       by dn.exact="cn=foo" peername.ip="127.0.0.1" write


In terms of efficiency, they might be roughly equivalent, but the latter looks cleaner. However, note that in the latter case, the order in which "dn" and "peername" are evaluated in the "by" clause is not that indicated in the "access" rule, but it's hardcoded, i.e. "by" types in rules that use more than one like the above are evaluated in a fixed order (looking at the code, currently the order is: DN, sockurl, domain, peername, sockname, dnattr, group, set, {transport,tls,sasl}ssf, dynacl/aci. I'll fix the FAQ and other docs ASAP.


p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497