Kurt Zeilenga wrote:
>
> On Aug 4, 2012, at 9:08 AM, Howard Chu <[email protected]> wrote:
>
>> Dora Paula wrote:
>>>
>>>> Iiuc, your acl permit search ( There are any entries of question type
>>>> in term of search filter) to any authenticated user. If the user is
>>>> also member of the group grant also read privilege ( give me the
>>>> entries question type) .
>>>
>>> That's what I've expected, too, and what is the standard behavior if you
>>> use "users" continued by "self" for example.
>>>
>>> In case of a continued groupdn evaluation the behavior changes:
>>>
>>> If the current bindDn is not a member of the group or the group's entry
>>> does not exist the previously granted search privilege (=s) is reset:
>>> The aclmask gets reset to =0 which means "none". Please have a look into
>>> the attached details (file "acl.txt" in my previous posting).
>>>
>>> My question was: Is this the intended behavior? I would have expected
>>> the search privileges to stay untouched, even in case the group's entry
>>> does not exist.
>
>>
>> I haven't looked at the code yet but it's possible this is a bug.
>
> Not a bug. As documented, every access statement ends implicitly with a "by
> * none" clause.
Ah right. The "continue" control is only useful if a following "by" clause
matches the subject *and* specifies incremental privileges.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
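A slapd.conf sketch of the interaction discussed in this thread, added here as an illustration; it is not Dora's ACL (the "acl.txt" attachment is not on this page), and the attribute name "question" and the group "cn=answerers,ou=groups,dc=example,dc=com" are hypothetical.

```conf
# Added example, not from the thread. Hypothetical attribute "question" and
# group "cn=answerers,ou=groups,dc=example,dc=com".

# 1. The behaviour reported above: "users =s continue" grants search and keeps
#    evaluating. If the bind DN is not a member of the group (or the group
#    entry does not exist) no later "by" clause matches, so the implicit
#    trailing "by * none" applies and the accumulated =s is discarded.
access to attrs=question
    by users =s continue
    by group="cn=answerers,ou=groups,dc=example,dc=com" =r

# 2. What "continue" is for: the following clauses match the subject again and
#    use incremental privileges (+/-). Members collect +r on top of =s;
#    non-members fall through to "+0" and keep their =s instead of hitting
#    the implicit "by * none".
access to attrs=question
    by users =s continue
    by group="cn=answerers,ou=groups,dc=example,dc=com" +r continue
    by users +0

# 3. The same policy without "continue": most specific clause first, and
#    evaluation stops at the first match (read already implies search).
access to attrs=question
    by group="cn=answerers,ou=groups,dc=example,dc=com" read
    by users search
```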
