Nikos Voutsinas wrote:
> This is an example of what would be convenient (but is currently not
> supported):
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,objectclass
> val.regex="account|simpleSecurityObject",uid,userPassword by
> dn="uid=joe,dc=foo,dc=com" read by * none stop
>
> As far as I understand the equivalent of the previous would be:
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=objectclass
> val.regex="account|simpleSecurityObject" by dn="uid=joe,dc=foo,dc=com" read
> by * none stop
> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
> attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none
> stop
>
> Now, the "break" control, would let subsequent ACLs evaluate access on the
> same <what> clause, and if "break" was required for that reason in the 1st
> ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant
> with the fact that we should split the original <what> clause, since the
> <what> clauses on 2nd and 3rd ACLs are different. Isn't that so?
Frankly I don't understand your thoughts.
Mainly what you want is (line breaks for readability):
access to
dn.subtree="ou=People,dc=foo,dc=com"
attrs=objectclass
val.regex="account|simpleSecurityObject"
by dn="uid=joe,dc=foo,dc=com" read
by * break
access to
dn.subtree="ou=People,dc=foo,dc=com"
attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read
by * none
Note that ACL processing implicitly stops at every match and that each ACL
ends with an implicit "by * none" if nothing else is defined with "by * foo" to
match all the rest.
Ciao, Michael.
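To make the evaluation order Michael describes concrete, here is a small Python model of it (an added illustration, not OpenLDAP code or anything from the thread). It encodes the two ACLs from the reply as data and assumes, for the model only, that a <who> clause without an <access> level leaves the level unchanged, that no matching ACL at all yields "none", and that "uid=mary,dc=foo,dc=com" is some other bound user.

```python
# Simplified model of slapd ACL evaluation (added illustration, not OpenLDAP
# code). Rules modelled, as described in the reply:
#  * ACLs are scanned in order; the first <what> clause covering the requested
#    attribute (and, with val.regex, the value) is selected.
#  * Within it the first matching <who> clause applies; its control is "stop"
#    unless "break" is given, which moves on to the following ACLs.
#  * No matching <who> clause means the implicit "by * none".
#  * Assumptions: a <who> clause without an <access> level leaves the level
#    unchanged, and no matching ACL at all yields "none".
import re

JOE = "uid=joe,dc=foo,dc=com"
MARY = "uid=mary,dc=foo,dc=com"   # constructed: some other bound user

def acl(attrs, val_regex, *who):
    """<what> = attrs plus optional val.regex; who = (dn or '*', level, control)."""
    return {"attrs": set(attrs), "val": val_regex, "who": list(who)}

# Michael's two ACLs, as data.
MICHAEL = [
    acl(["objectclass"], "account|simpleSecurityObject",
        (JOE, "read", "stop"), ("*", None, "break")),
    acl(["entry", "uid", "userPassword"], None,
        (JOE, "read", "stop"), ("*", "none", "stop")),
]
# The same first ACL with the default "stop" instead of "break" for others.
STOP_FIRST = [acl(["objectclass"], "account|simpleSecurityObject",
                  (JOE, "read", "stop"), ("*", "none", "stop"))]
# A trailing ACL opening objectclass to everyone; only reached after a "break".
OPEN_TAIL = [acl(["objectclass"], None, ("*", "read", "stop"))]

def evaluate(acls, bind_dn, attr, value=None):
    """Access level bind_dn gets on attr (optionally on one specific value)."""
    granted = "none"                   # nothing matched at all (assumption)
    for rule in acls:
        if attr not in rule["attrs"]:
            continue                   # <what> does not cover this attribute
        if rule["val"] and not (value and re.fullmatch(rule["val"], value)):
            continue                   # val.regex limits which values are covered
        control = "stop"
        for who, level, ctl in rule["who"]:
            if who in ("*", bind_dn):
                if level is not None:
                    granted = level
                control = ctl
                break
        else:
            granted = "none"           # implicit "by * none" ends this ACL
        if control == "stop":
            return granted
    return granted                     # fell off the end after a "break"
```

Running evaluate() with MICHAEL + OPEN_TAIL versus STOP_FIRST + OPEN_TAIL for mary on objectclass=account shows the difference the "break" control makes: the trailing ACL is consulted only in the first case.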