Re: Permissions error

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Wednesday, April 06, 2005 4:32 PM -0500 Jon Roberts 
<jon@jonanddeb.net> wrote:

> Matt Juszczak wrote:
> > Here is my slapd access portion.  The members of the admin group aren't
> > able to write; however, even though I have a rule saying they can.  I
> > have to add a access to * by * to be able to write at all.  Any ideas?
> ...
> > access to *
> >        by group.exact="cn=admin,dc=dandy,dc=net" write
> >        by group.exact="cn=techs,dc=dandy,dc=net" read
> >        by self write
> >        by users read
> >        by anonymous auth
> >        by * break
> >
> > # Allow only user to change its password
> > access to attr=userPassword
> >        by group="cn=techs,ou=groups,dc=dandy,dc=net" write
> >        by self write
> >        by anonymous auth
> >        by * none
>
> This may not answer your question, but one thing you should do is reverse
> the order of these rules, otherwise the second will never be reached. See:
>
> http://www.openldap.org/doc/admin22/slapdconfig.html#Access%20Control%20E
> valuation
>
> and note:
>
> "Slapd stops with the first <what> selector that matches the entry and/or
> attribute. The corresponding access directive is the one slapd will use
> to evaluate access."

Why would it stop?  He has "by * break" which means that slapd will 
continue to evaluate the next set of ACL's.  I use "by * break" extensively.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin