
Re: ACL processing: additive privs (using control continue)



Kurt Zeilenga wrote:
> 
> On Aug 4, 2012, at 9:08 AM, Howard Chu <hyc@symas.com> wrote:
> 
>> Dora Paula wrote:
>>>
>>>> IIUC, your ACL permits search (are there any entries of the type in
>>>> question, in terms of the search filter) to any authenticated user. If
>>>> the user is also a member of the group, it also grants the read
>>>> privilege (give me the entries of the type in question).
>>>
>>> That's what I expected, too, and it is the standard behavior if you
>>> use "users" continued by "self", for example.
>>>
>>> In case of a continued groupdn evaluation the behavior changes:
>>>
>>> If the current bindDn is not a member of the group, or the group's entry
>>> does not exist, the previously granted search privilege (=s) is reset:
>>> the aclmask gets reset to =0, which means "none". Please have a look at
>>> the attached details (file "acl.txt" in my previous posting).
>>>
>>> My question was: Is this the intended behavior? I would have expected 
>>> the search privileges to stay untouched, even in case the group's entry 
>>> does not exist.
> 
>>
>> I haven't looked at the code yet but it's possible this is a bug.
> 
> Not a bug.  As documented, every access statement ends implicitly with a "by * none" clause. 

Ah right. The "continue" control is only useful if a following "by" clause
matches the subject *and* specifies incremental privileges.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
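To make the rule concrete, here is an added slapd.conf fragment (not from the thread; the subtree, group DN and privilege choices are invented for illustration) showing the pattern that loses search access for non-members beside two variants that keep it:

```conf
# Added example; the subtree and group DN are made up.
# Assumes slapd.access(5) semantics: "=" sets the mask, "+" adds to it,
# "continue" keeps evaluating "by" clauses of the same directive, and a
# directive that runs out of matching "by" clauses ends with the implicit
# "by * none", which resets the mask to none.

# Problem: a bindDN that is not in cn=Reviewers matches only the first
# clause, then falls off the end of the directive and is left with "none",
# not the "=s" it was granted (the same happens if the group entry does
# not exist, since the group clause then matches nobody).
access to dn.subtree="ou=Questions,dc=example,dc=com"
    by users =s continue
    by group.exact="cn=Reviewers,ou=Groups,dc=example,dc=com" =r

# Fix keeping "continue": the group clause adds read incrementally (+r),
# and a final clause that every authenticated user matches (+0 adds no
# privilege) stops evaluation before the implicit "by * none" can apply.
# Member: =s, then +r, stop -> search and read.  Non-member: =s, skip, +0,
# stop -> search.
access to dn.subtree="ou=Questions,dc=example,dc=com"
    by users =s continue
    by group.exact="cn=Reviewers,ou=Groups,dc=example,dc=com" +r
    by users +0

# Fix without "continue": put the more specific subject first and give
# each clause its full privilege level; the first matching clause wins.
access to dn.subtree="ou=Questions,dc=example,dc=com"
    by group.exact="cn=Reviewers,ou=Groups,dc=example,dc=com" read
    by users search
```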