On Aug 4, 2012, at 9:08 AM, Howard Chu <[email protected]> wrote:

> Dora Paula wrote:
>>
>>> IIUC, your acl permit search (there are any entries of question type
>>> in terms of search filter) to any authenticated user. If the user is
>>> also member of the group grant also read privilege (give me the
>>> entries question type).
>>
>> That's what I've expected, too, and what is the standard behavior if you
>> use "users" continued by "self" for example.
>>
>> In case of a continued groupdn evaluation the behavior changes:
>>
>> If the current bindDn is not a member of the group or the group's entry
>> does not exist, the previously granted search privilege (=s) is reset:
>> the aclmask gets reset to =0 which means "none". Please have a look into
>> the attached details (file "acl.txt" in my previous posting).
>>
>> My question was: Is this the intended behavior? I would have expected
>> the search privileges to stay untouched, even in case the group's entry
>> does not exist.
>
> I haven't looked at the code yet but it's possible this is a bug.

Not a bug. As documented, every access statement ends implicitly with a
"by * none" clause.

-- Kurt

> Please submit an ITS with your explanation and sample config/ldif.
>>
>> Thanks again.
>>
>>
>>> Regards
>>>
>>> 2012/8/4, Dora Paula <[email protected]>:
>>>> Hi list,
>>>>
>>>> just a short question about "continue" and additive privileges, given
>>>> the following acl statement:
>>>>
>>>> access to dn.subtree="o=test" attrs=sn
>>>>     by users =s continue
>>>>     by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
>>>>
>>>> If the current user's bindDn isn't a member of the group
>>>> "cn=readers,..." or the group's entry does not exist, the previously set
>>>> privilege "=s" will be reset to "none"?
>>>>
>>>> As the slapd.access man page just gives a "silly" and an "even more
>>>> silly" example regarding "continue", I'm not sure this is the intended
>>>> behavior.
>>>>
>>>> Attached you'll find my minimalistic testbed:
>>>> slapd.conf
>>>> sample ldif data
>>>> two ldapsearch commands (including their slapd.log level 128)
>>>>
>>>> I'm using openldap MASTER.
>>>>
>>>> Thank you very much.
>>>>
>>>> Cheers
>>>> Dora
>>>>
>>>>
>>
>>
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
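The clause-by-clause evaluation Kurt refers to, as an added illustration that is not OpenLDAP code: a small Python model of how slapd walks the "by" clauses of one access statement, run over the ACL from the thread and over a hypothetical variant with an explicit trailing clause. Assumptions: privilege letters are treated as independent bits (the "=" / "+" / "-" forms), only the stop/continue controls are modeled, "who" is reduced to `*`, `users` and a group DN, and the DNs are constructed sample data.

```python
# Added illustration, not OpenLDAP code. Simplified model of slapd's
# per-clause ACL evaluation: privilege letters are independent bits
# ("=" sets, "+" adds, "-" removes, "0" is none), only stop/continue is
# modeled, and "who" is one of "*", "users" or "group:<dn>" (assumptions).

def who_matches(who, bind_dn, groups):
    """bind_dn is None for anonymous; groups maps group DN -> member DNs."""
    if who == "*":
        return True
    if who == "users":                      # any authenticated identity
        return bind_dn is not None
    if who.startswith("group:"):            # missing group entry: no members
        return bind_dn in groups.get(who[len("group:"):], set())
    raise ValueError(f"unsupported who clause: {who}")

def evaluate(clauses, bind_dn, groups):
    """Return the set of privilege letters granted to bind_dn.

    clauses: (who, priv, continue_) tuples in slapd.conf order. The implicit
    trailing "by * none" documented in slapd.access(5) is appended here; it is
    what resets the mask for a non-member in the thread's example."""
    mask = set()
    for who, priv, continue_ in clauses + [("*", "=0", False)]:
        if not who_matches(who, bind_dn, groups):
            continue
        op, letters = priv[0], set(priv[1:]) - {"0"}
        if op == "=":
            mask = letters
        elif op == "+":
            mask |= letters
        elif op == "-":
            mask -= letters
        if not continue_:                   # "continue" keeps walking
            break
    return mask

READERS = "cn=readers,ou=groups,o=test"
GROUPS = {READERS: {"cn=alice,o=test"}}     # constructed sample directory

# The access statement from the thread, clause by clause.
ORIGINAL = [("users", "=s", True), ("group:" + READERS, "+r", False)]

# Hypothetical rewrite: an explicit final clause so authenticated
# non-members keep search instead of falling through to "by * none".
WITH_CATCHALL = ORIGINAL + [("users", "=s", False)]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("catch-all", WITH_CATCHALL)):
        for dn in ("cn=alice,o=test", "cn=bob,o=test", None):
            print(label, dn, sorted(evaluate(acl, dn, GROUPS)))
```

Running it shows the member ending with `r` and `s`, the non-member with nothing under the original ACL, and with `s` once the catch-all clause is present.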
