At 09:56 AM 7/4/2006, Forrest Gump wrote:
>"Kurt D. Zeilenga" <[EMAIL PROTECTED]> wrote:
>At 11:47 AM 7/3/2006, Forrest Gump wrote:
>>Hi fellows!!!
>>
>> I have a little doubt about how the ACL works with the flux control CONTINUE.
>> I mean... the BREAK jumps to the next matched clause, and CONTINUE?
>> to the next matched BY?? or just to the next??
>>
>> An example:
>>
>> access to dn.subtree="dc=br"
>>     by dn.subtree="ou=house,dc=br" read continue
>>     by dn.base="uid=houseAdmin,ou=house,dc=br" write
>>
>> Let me explain what happens here: every object below "ou=house,dc=br" gets
>> matched when the first BY directive is checked and is granted the READ right,
>> but because of the flux control CONTINUE, will every object be allowed to WRITE
>> on "dc=br" subtree?? or only "uid=houseAdmin,ou=house,dc=br"??
>
>The access statement above is equivalent to:
>    access to dn.subtree="dc=br"
>        by dn.base="uid=houseAdmin,ou=house,dc=br" write
>
>That is, the subsequent statements assign either "write" or
>"none" (implicit).
>
>It is pointless to use "continue" when the remaining clauses
>assign rights (as opposed to increment rights).  See
>http://www.openldap.org/faq/index.cgi?file=454 for an example
>point-full use.
>
>>
>> thx for helping!
>>
>
>But... instead of "uid=houseAdmin,ou=house,dc=br", if another user tries to access
>an object below "ou=house,dc=br" will it have READ or WRITE access level??

Neither.  "none" is assigned by the implicit "by * none" clause.
Your "by ... continue" clause is superfluous.

Kurt

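Added example (not part of the original thread, and not OpenLDAP code): a simplified Python model of how the "by" clauses of one access statement are walked, run against the ACL posted above. It goes slightly beyond the thread by also showing a reordered ACL and an increment ("+w") after "continue". The DN uid=someUser, the REORDERED and INCREMENT lists, the privilege strings used for "read" and "write", and all function names are assumptions of this illustration.

```python
# Simplified model of how slapd walks the "by" clauses of ONE access statement.
# Added illustration, not OpenLDAP code; DN matching is naive string comparison.
LEVELS = {"none": "", "read": "rscdx", "write": "wrscdx"}  # level -> privileges

HOUSE = "ou=house,dc=br"
ADMIN = "uid=houseAdmin,ou=house,dc=br"
OTHER = "uid=someUser,ou=house,dc=br"  # constructed DN, not from the thread

# The ACL as posted: (who, access, control) per "by" clause.
POSTED = [(("subtree", HOUSE), "read", "continue"),
          (("base", ADMIN), "write", "stop")]
# Assumed intent (admin writes, rest of ou=house reads): specific clause first.
REORDERED = [(("base", ADMIN), "write", "stop"),
             (("subtree", HOUSE), "read", "stop")]
# "continue" followed by an increment instead of an assignment.
INCREMENT = [(("subtree", HOUSE), "read", "continue"),
             (("base", ADMIN), "+w", "stop")]

def who_matches(who, dn):
    if who[0] == "*":
        return True
    dn, target = dn.lower(), who[1].lower()
    if who[0] == "base":
        return dn == target
    return dn == target or dn.endswith("," + target)  # subtree

def apply_access(mask, access):
    """A level name assigns the mask; '+privs' / '-privs' adjust it."""
    if access in LEVELS:
        return set(LEVELS[access])
    privs = set(access[1:])
    return mask | privs if access[0] == "+" else mask - privs

def evaluate(by_clauses, requester_dn):
    """Privileges one access statement grants to requester_dn."""
    mask = set()
    # Every access statement ends with an implicit "by * none" (stop).
    for who, access, control in by_clauses + [(("*",), "none", "stop")]:
        if who_matches(who, requester_dn):
            mask = apply_access(mask, access)
            if control != "continue":  # matched without "continue": done
                break
    return "".join(p for p in "wrscdx" if p in mask)

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("reordered", REORDERED)):
        for dn in (ADMIN, OTHER):
            print(f"{name:9} {dn:32} -> {evaluate(acl, dn) or 'none'}")
```

With the posted ACL the model gives houseAdmin write and every other entry under ou=house nothing, matching the reply above; only the reordered list leaves the other entries with read.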