Nikos Voutsinas wrote:
> On Wed, Oct 15, 2014 at 11:07 AM, Michael Ströder <michael@stroeder.com>
> wrote:
>
>> Nikos Voutsinas wrote:
>>> This is an example of what would be convenient (but is currently not
>>> supported):
>>> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=entry,objectclass
>>> val.regex="account|simpleSecurityObject",uid,userPassword by
>>> dn="uid=joe,dc=foo,dc=com" read by * none stop
>>>
>>> As far as I understand the equivalent of the previous would be:
>>> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com" attrs=objectclass
>>> val.regex="account|simpleSecurityObject" by dn="uid=joe,dc=foo,dc=com" read
>>> by * none stop
>>> olcAccess: to dn.subtree="ou=People,dc=foo,dc=com"
>>> attrs=entry,uid,userPassword by dn="uid=joe,dc=foo,dc=com" read by * none
>>> stop
>>>
>>> Now, the "break" control, would let subsequent ACLs evaluate access on the
>>> same <what> clause, and if "break" was required for that reason in the 1st
>>> ACL it would be needed also in the 2nd and 3rd ACL, but this is irrelevant
>>> with the fact that we should split the original <what> clause, since the
>>> <what> clauses on 2nd and 3rd ACLs are different. Isn't that so?
>>
>> Frankly I don't understand your thoughts.
>>
>> Mainly what you want is (line breaks for readability):
>>
>> access to
>>   dn.subtree="ou=People,dc=foo,dc=com"
>>   attrs=objectclass
>>   val.regex="account|simpleSecurityObject"
>>   by dn="uid=joe,dc=foo,dc=com" read
>>   by * break
>>
>
> You are assuming that, there are subsequent ACLs that are going to process
> the same <what> clause or a superset of it, which might be true or not.

Indeed this is very usual in my setups.

> However for our specific example, slapd will process the subsequent (2nd)
> ACL no matter which control was used in the 1st ACL because the two ACLs
> refer to different what clauses. So, yes break control might be useful but
> it is not required, at least not in our 2 lines example.

Yes, you're right in your case.

Ciao, Michael.
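
The point the thread settles on, as an added example that is not part of the original messages and is not slapd code: a simplified Python model of how access directives are selected by their <what> clause and how the stop/break controls act within one. The model's data layout, the function names, the entry uid=ann and the requester uid=bob are assumptions made for illustration; DN normalization and the "by * break" form without an access level are left out.

```python
import re

PEOPLE = "ou=People,dc=foo,dc=com"
JOE = "uid=joe,dc=foo,dc=com"

def split_acls(first_control="stop"):
    """The two split directives from the thread; only the control on the
    first directive's 'by *' clause varies (stop or break)."""
    return [
        {"base": PEOPLE, "attrs": {"objectclass"},
         "val": r"account|simpleSecurityObject",
         "by": [(JOE, "read", "stop"), ("*", "none", first_control)]},
        {"base": PEOPLE, "attrs": {"entry", "uid", "userpassword"}, "val": None,
         "by": [(JOE, "read", "stop"), ("*", "none", "stop")]},
    ]

def what_matches(acl, dn, attr, value):
    """Model of the <what> clause: dn.subtree, attrs list, optional val.regex."""
    in_subtree = dn == acl["base"] or dn.endswith("," + acl["base"])
    if not in_subtree or attr.lower() not in acl["attrs"]:
        return False
    return acl["val"] is None or re.search(acl["val"], value) is not None

def evaluate(acls, who, dn, attr, value=""):
    """Return (access level, numbers of the directives whose <what> matched)."""
    level, consulted = "none", []
    for number, acl in enumerate(acls, 1):
        if not what_matches(acl, dn, attr, value):
            continue                  # different <what>: skipped whatever the controls say
        consulted.append(number)
        # every directive ends with an implicit "by * none stop"
        for subject, granted, control in acl["by"] + [("*", "none", "stop")]:
            if subject not in ("*", who):
                continue
            level = granted
            if control == "stop":
                return level, consulted
            if control == "break":
                break                 # go on to the next directive
            # "continue": keep scanning this directive's <who> clauses
    return level, consulted

if __name__ == "__main__":
    entry = "uid=ann," + PEOPLE       # constructed sample entry
    for control in ("stop", "break"):
        acls = split_acls(control)
        print(control, evaluate(acls, JOE, entry, "uid"),
              evaluate(acls, "uid=bob,dc=foo,dc=com", entry, "objectClass", "account"))
```
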