Re: ACL control with break
On Fri, May 25, 2012 at 12:38:09PM +0300, Nick Milas wrote:
> One useful application is to easily grant write privileges to an
> updatedn that is different from the rootdn. In this case, since the
> updatedn needs write access to (almost) all data, one can use
> access to *
> by dn.exact="cn=The Update DN,dc=example,dc=com" write
> by * break
> as the first access rule. As a consequence, unless the operation is
> performed with the updatedn identity, control is passed straight to
> the subsequent rules.
>
> I have the following question. If below the above ACL we add another
> ACL like:
>
> access to dn.subtree="ou=people,dc=example,dc=com"
> by dn.exact="cn=Some Other DN,dc=example,dc=com"
> by * none
>
> ...doesn't this mean that the second ACL will override the first, so
> that "The Update DN" will no longer have access to the whole DIT (as
No. From slapd.access(5):
Access control checking stops at the first match of the
<what> and <who> clause, unless otherwise dictated by the
<control> clause.
In the example above, the first access statement does not have a
<control> clause for dn.exact="cn=The Update DN,dc=example,dc=com" so
it uses the default, which is 'stop'.
Note that your second access statement does not specify any particular
access for dn.exact="cn=Some Other DN,dc=example,dc=com" so it won't
be much use.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
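To make the stop/break behaviour in this exchange concrete, here is a small Python evaluator of OpenLDAP-style access directives. It is an added illustration written for this page, not slapd's own code or anything from the thread: it implements only the rule quoted from slapd.access(5) (evaluation stops at the first match of the <what> and <who> clauses unless the <control> clause says otherwise) for the two controls discussed here, `stop` (the default) and `break`. Assumed, and not taken from the page: a `by` clause written without an access level grants `none`; when a directive's <what> matches but no <who> clause does, the result is `none`; `+`/`-` incremental privileges and other <who> forms are not modelled. The `POSTED` rules are the two directives from the question, `FIXED` gives "Some Other DN" an explicit level, and `LEAKY` shows what would happen if the updatedn's clause had said `break` instead of the default `stop`.

```python
"""Toy evaluator for OpenLDAP-style 'access to <what> by <who> <access> <control>'.

Illustrative code added for this page, not slapd's implementation.  Models the
slapd.access(5) rule quoted in the reply: checking stops at the first match of
<what> and <who> unless <control> says otherwise.  Only 'stop' (the default)
and 'break' (hand evaluation to the next access directive) are modelled.
Assumptions: a 'by' clause with no access level grants 'none'; a directive whose
<what> matches but no <who> matches yields 'none'; '+'/'-' forms are ignored.
"""
from dataclasses import dataclass, field


@dataclass
class By:
    who: str                  # '*' or 'dn.exact="<dn>"'
    access: str = "none"      # assumption: an omitted level grants nothing
    control: str = "stop"     # default <control> per slapd.access(5)


@dataclass
class Rule:
    what: str                 # '*', 'dn.exact="<dn>"' or 'dn.subtree="<dn>"'
    bys: list = field(default_factory=list)


def _dn_value(clause):
    """Split 'dn.exact="cn=x,dc=y"' into ('dn.exact', 'cn=x,dc=y'), lower-cased."""
    kind, _, value = clause.partition("=")
    return kind, value.strip('"').lower()


def what_matches(what, target_dn):
    """Does the <what> clause select the target entry?"""
    if what == "*":
        return True
    kind, value = _dn_value(what)
    target = target_dn.lower()
    if kind == "dn.exact":
        return target == value
    if kind == "dn.subtree":
        return target == value or target.endswith("," + value)
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who, bind_dn):
    """Does the <who> clause select the bound identity?"""
    if who == "*":
        return True
    kind, value = _dn_value(who)
    if kind == "dn.exact":
        return bind_dn.lower() == value
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(rules, bind_dn, target_dn):
    """Return (level, (rule_index, by_index)) for the clause that stopped
    evaluation, or (level, None) if no clause did."""
    granted = "none"
    for i, rule in enumerate(rules):
        if not what_matches(rule.what, target_dn):
            continue
        for j, by in enumerate(rule.bys):
            if not who_matches(by.who, bind_dn):
                continue
            granted = by.access
            if by.control == "stop":
                return granted, (i, j)        # first match wins (default)
            if by.control == "break":
                break                         # move on to the next directive
            raise ValueError(f"unsupported <control>: {by.control}")
        else:
            return "none", None               # <what> matched, no <who> did
    return granted, None                      # ran off the end after a break


UPDATE_DN = "cn=The Update DN,dc=example,dc=com"
OTHER_DN = "cn=Some Other DN,dc=example,dc=com"
PEOPLE = "ou=people,dc=example,dc=com"

# The two directives exactly as posted: the second 'by' carries no level.
POSTED = [
    Rule("*", [By(f'dn.exact="{UPDATE_DN}"', "write"), By("*", control="break")]),
    Rule(f'dn.subtree="{PEOPLE}"', [By(f'dn.exact="{OTHER_DN}"'), By("*", "none")]),
]

# Same, but "Some Other DN" is actually given a level.
FIXED = [
    POSTED[0],
    Rule(f'dn.subtree="{PEOPLE}"', [By(f'dn.exact="{OTHER_DN}"', "write"), By("*", "none")]),
]

# Hypothetical variant: the updatedn's clause says 'break' instead of the default 'stop'.
LEAKY = [
    Rule("*", [By(f'dn.exact="{UPDATE_DN}"', "write", "break"), By("*", control="break")]),
    POSTED[1],
]

if __name__ == "__main__":
    entry = f"uid=jdoe,{PEOPLE}"             # constructed sample entry
    for name, rules in (("posted", POSTED), ("fixed", FIXED), ("leaky", LEAKY)):
        for who in (UPDATE_DN, OTHER_DN):
            print(f"{name:6} {who:40} -> {evaluate(rules, who, entry)}")
```

Running it shows the updatedn getting `write` from rule 0 in `POSTED` (the default `stop` means rule 1 is never consulted), "Some Other DN" getting `none` from its own clause in rule 1 because no level was written, `write` once the level is added in `FIXED`, and, in the `LEAKY` variant, the updatedn being denied by rule 1's `by * none`, which is the override the question worried about and which the default `stop` prevents.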