ACL Question 'write stop' 'write break'
- To: openldap-software@openldap.org
- Subject: ACL Question 'write stop' 'write break'
- From: Edward Capriolo <edlinuxguru@gmail.com>
- Date: Thu, 15 Oct 2009 11:22:21 -0400
Hello all,
We are currently migrating from a master-slave to a multi-master
setup. All went well except for the fact that the access on the old
master node was more liberal than the access on the slave node. As a
result some applications were able to use this to their advantage and
now are not working quite correctly when each node is a read/write
master.
Here is my configuration:

#access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
#        attrs=userPassword,accountstatus
#    by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
#    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by * none

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by self write
    by * none

access to *
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
    by dnattr=manager write
    by self write
    by users read
    by * none
My problem is the top commented lines: these rules are to allow sara
and john to administer all "mail=.*.managed" users. This worked fine in
the past because no read queries hit the master, but now with multi-master
"mail=.*.managed" users have no access to the directory. The old rule was

#    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop

I also tried

#    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break

I was under the impression that "write break" would continue
evaluation, but I do not understand how this is working. Can anyone
help me with a suggestion for fixing this?
Thank you!
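The following slapd.conf fragment is an added example, not part of the original post and not taken from the OpenLDAP project's own files. It contrasts the two control keywords from slapd.access(5). slapd evaluates access directives in order: the first directive whose "to" clause matches the target is the one consulted, and within it the first "by" clause whose "who" part matches the bind identity decides. The control keyword is only acted on by the clause that actually matched: "stop" (the default) ends evaluation there, "continue" moves on to the next "by" clause of the same directive, and "break" leaves the current directive and continues with the next directive whose "to" clause matches. If the target matches but no "by" clause matches the bind identity, the implicit trailing "by * none" denies the request and later directives are never consulted, which is why a delegation rule that lists only its administrators shuts everyone else out of those entries, including the entries' own bind attempts. The standard idiom is a trailing "by * break" so that other identities fall through to the general rules. The DNs reuse the names from the post; the anchored and escaped regex, the explicit dn.exact style and the trailing "by * break" are this example's own choices.

```conf
# Added example (not from the original post): delegated administration of
# "managed" users with and without a fall-through clause.

# Variant A (kept commented out): john and sara match and get write; their
# "stop" is the default control and is harmless. The problem is everyone
# else: the target matches, no "by" clause matches, so the implicit
# "by * none" denies and evaluation stops. A managed user's own anonymous
# bind against userPassword never reaches the "by anonymous auth" below.
#access to dn.regex="^mail=.*\.managed@jointhegrid\.com,ou=user,ou=jointhegrid\.com,o=jointhegrid,c=US$"
#        attrs=userPassword,accountstatus
#    by dn.exact="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write stop
#    by dn.exact="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write stop

# Variant B: same delegation, but identities other than john and sara hit
# "by * break", which hands evaluation to the next directive whose target
# matches. "self", "anonymous" and the samba readers are then evaluated
# by the general rules exactly as for non-managed entries.
access to dn.regex="^mail=.*\.managed@jointhegrid\.com,ou=user,ou=jointhegrid\.com,o=jointhegrid,c=US$"
        attrs=userPassword,accountstatus
    by dn.exact="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
    by dn.exact="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
    by * break

# General rules, reached for managed entries only through the break above.
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by * none

access to *
    by dnattr=manager write
    by self write
    by users read
    by * none
```

Putting "break" on john's and sara's own clauses, as in the post, changes nothing for the managed users themselves, because those clauses never match a managed user's bind DN; the clause that needs to fall through is the one for "*". Rules like this can be checked offline against the config file with slapacl, for example "slapacl -f slapd.conf -D <managed user DN> -b <that same DN> userPassword/auth" for the bind case and "-D <john's DN> -b <managed user DN> accountstatus/write" for the delegation case; with variant A the first check reports the attribute as denied, with variant B it is allowed.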