Dora Paula wrote:
>
>> IIUC, your acl permits search (are there any entries of the question
>> type, in terms of the search filter) to any authenticated user. If the
>> user is also a member of the group, grant also read privilege (give me
>> the entries of the question type).
>
> That's what I've expected, too, and what is the standard behavior if you
> use "users" continued by "self" for example.
>
> In case of a continued groupdn evaluation the behavior changes:
>
> If the current bindDn is not a member of the group or the group's entry
> does not exist, the previously granted search privilege (=s) is reset:
> The aclmask gets reset to =0 which means "none". Please have a look at
> the attached details (file "acl.txt" in my previous posting).
>
> My question was: Is this the intended behavior? I would have expected
> the search privileges to stay untouched, even in case the group's entry
> does not exist.
I haven't looked at the code yet but it's possible this is a bug. Please
submit an ITS with your explanation and sample config/ldif.
>
> Thanks again.
>
>
>> Regards
>>
>> 2012/8/4, Dora Paula <[email protected]>:
>>> Hi list,
>>>
>>> just a short question about "continue" and additive privileges, given
>>> the following acl statement:
>>>
>>> access to dn.subtree="o=test" attrs=sn
>>>     by users =s continue
>>>     by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
>>>
>>> If the current user's bindDn isn't a member of the group
>>> "cn=readers,..." or the group's entry does not exist, will the
>>> previously set privilege "=s" be reset to "none"?
>>>
>>> As the slapd.access man page just gives a "silly" and an "even more
>>> silly" example regarding "continue", I'm not sure this is the intended
>>> behavior.
>>>
>>> Attached you'll find my minimalistic testbed:
>>> slapd.conf
>>> sample ldif data
>>> two ldapsearch commands (including their slapd.log level 128)
>>>
>>> I'm using openldap MASTER.
>>>
>>> Thank you very much.
>>>
>>> Cheers
>>> Dora
>>>
>>>
>
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
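The `=`/`+` additive privilege and `continue` semantics under discussion, as an added example that is not part of the thread or of slapd's source: a small Python model in which `=` sets, `+` adds and `-` removes individual privilege letters, a matching `by` clause stops evaluation unless it carries `continue`, and a clause that does not match (including a group whose entry does not exist) is skipped without touching the mask. This is the behaviour Dora expected from the man page, so the model yields just `s` for a non-member, whereas her slapd run showed the mask reset to `=0`. The `ByClause` type, the `group:<dn>` who-form and the directory contents are my own simplifications and constructed data, not slapd's.

```python
"""Model of slapd additive ACL evaluation with `continue` (added example, not slapd code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Privilege letters as written in slapd's additive form (=s, +r, -w ...).
# In this model every letter is an individual flag; no letter implies another.
PRIV_LETTERS = set("wrscxd")


@dataclass(frozen=True)
class ByClause:
    """One `by <who> <access> [continue]` clause (hypothetical structure)."""
    who: str            # "anonymous", "users", or "group:<groupDN>"
    access: str         # "=s", "+r", "-w", "=0" ...
    cont: bool = False  # True when the clause ends with `continue`


def clause_matches(clause: ByClause, bind_dn: Optional[str],
                   groups: Dict[str, Set[str]]) -> bool:
    """Decide whether the <who> part applies to the current bind.

    `groups` maps group DN -> member DNs; a DN missing from the mapping plays
    the role of a group entry that does not exist in the directory.
    """
    if clause.who == "anonymous":
        return bind_dn is None
    if clause.who == "users":
        return bind_dn is not None
    if clause.who.startswith("group:"):
        group_dn = clause.who[len("group:"):]
        members = groups.get(group_dn)
        # Missing group entry or non-member: the clause simply does not match.
        return members is not None and bind_dn in members
    raise ValueError(f"unsupported who-clause: {clause.who}")


def apply_access(mask: Set[str], access: str) -> Set[str]:
    """Apply an additive access spec (=, + or - followed by letters or 0)."""
    op, letters = access[0], access[1:]
    if op not in "=+-" or not (letters == "0" or set(letters) <= PRIV_LETTERS):
        raise ValueError(f"bad access spec: {access}")
    new = set() if letters == "0" else set(letters)
    if op == "=":
        return new
    if op == "+":
        return mask | new
    return mask - new


def evaluate(clauses: List[ByClause], bind_dn: Optional[str],
             groups: Dict[str, Set[str]]) -> Set[str]:
    """Walk the by-clauses in order.

    A matching clause updates the mask and ends evaluation unless it carries
    `continue`; a non-matching clause is skipped and leaves the mask untouched.
    """
    mask: Set[str] = set()
    for clause in clauses:
        if not clause_matches(clause, bind_dn, groups):
            continue
        mask = apply_access(mask, clause.access)
        if not clause.cont:
            break
    return mask


# The ACL from the thread, transcribed into the model.
READERS = "cn=readers,ou=groups,o=test"
ACL = [
    ByClause("users", "=s", cont=True),
    ByClause(f"group:{READERS}", "+r"),
]

# Constructed directory contents: one group with a single member.
GROUPS = {READERS: {"cn=alice,ou=people,o=test"}}


def demo() -> Dict[str, Set[str]]:
    """Privileges for the binds discussed in the thread, plus anonymous."""
    return {
        "member":        evaluate(ACL, "cn=alice,ou=people,o=test", GROUPS),
        "non-member":    evaluate(ACL, "cn=bob,ou=people,o=test", GROUPS),
        "group-missing": evaluate(ACL, "cn=alice,ou=people,o=test", {}),
        "anonymous":     evaluate(ACL, None, GROUPS),
    }


if __name__ == "__main__":
    for who, mask in demo().items():
        print(f"{who:14s} -> {''.join(sorted(mask)) or 'none'}")
```

Running the script prints one line per bind; compare the `non-member` and `group-missing` lines with the `aclmask` values in a level 128 slapd log to see whether a given build keeps the `=s` granted by the first clause or resets it.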
