Thanks Ryan.
Got clarity for my question.
Thanks again to the OpenLDAP team for providing good support.
Regards
J.Visu
On Tuesday, 25 October 2016 6:42 AM, Ryan Tandy <[email protected]> wrote:
On Sun, Oct 23, 2016 at 11:03:55AM +0000, vvv jjj wrote:
>Regarding, Using ruleset 1, 'access to *' will be evaluated first, anonymous
>will be given read access, and processing stops there.
>In this case the "access to dn.base=ACL by users read" is not processed as the
>above the command "access to * by users read by anonymous read" is giving the
>user access to all attributes. Due to this the "access to dn.base=ACL by users
>read" is not processed.
Correct.
>Regarding, Using ruleset 2, 'access to dn.base=ACL' will be evaluated first,
>anonymous will be given no access (because every rule ends with an implicit
>'by * none'), and processing stops there.
>I understood that the "access to dn.base=ACL" gives access to user. But I did
>not understand why the process stops. Since we have "access to * by users read
>by anonymous read", does the next line access command override the above
>access which is given?
Every rule implicitly ends with 'by * none stop', unless you specify
otherwise. Your rule for dn.base=ACL does not specify otherwise,
therefore anonymous is assigned 'none' and processing stops. The
following line is never reached. This is for the 'ACL' entry
specifically: for any other entry (i.e. 'to *'), the 'by anonymous read'
rule would indeed be applied.
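The first-match behaviour Ryan describes, modelled in a small Python simulator added here as an illustration (it is not OpenLDAP code; slapd's real evaluator handles many more selectors, the 'continue' control and privilege modifiers, which this omits). It parses the two rulesets quoted in the thread, using the entry DN 'ACL' exactly as written there, plus a variant with an explicit 'by * none break' as one way to "specify otherwise", and reports what anonymous is granted on the 'ACL' entry.

```python
# Simplified model of slapd ACL evaluation, added here as an illustration; it is
# not OpenLDAP code. Assumptions: targets are '*' or 'dn.base=<DN>'; the subject
# is 'anonymous' or a bound DN ('users' matches any bound DN); only the 'stop'
# and 'break' controls are modelled ('continue' and privilege modifiers are not).

def parse(ruleset):
    """Parse 'access to <target> by <who> <access> [stop|break] ...' lines into
    [(target, [(who, access, control), ...]), ...]."""
    rules = []
    for line in ruleset.strip().splitlines():
        tok = line.split()
        assert tok[:2] == ["access", "to"], line
        target, rest, clauses = tok[2], tok[3:], []
        while rest:
            assert rest[0] == "by", line
            who, access, rest = rest[1], rest[2], rest[3:]
            control = "stop"
            if rest and rest[0] in ("stop", "break"):
                control, rest = rest[0], rest[1:]
            clauses.append((who, access, control))
        clauses.append(("*", "none", "stop"))  # the implicit 'by * none stop'
        rules.append((target, clauses))
    return rules

def who_matches(who, subject):
    return who in ("*", subject) or (who == "users" and subject != "anonymous")

def evaluate(rules, entry_dn, subject):
    """First 'access to' whose target matches the entry is selected; its first
    matching 'by' clause decides. 'stop' ends evaluation, 'break' goes on to
    the next 'access to' rule."""
    granted = "none"
    for target, clauses in rules:
        if target not in ("*", f"dn.base={entry_dn}"):
            continue
        for who, access, control in clauses:
            if who_matches(who, subject):
                granted = access
                if control == "stop":
                    return granted
                break  # 'break' control: fall through to the next rule
    return granted

# The two orderings from the thread (entry DN 'ACL' as written there).
RULESET_1 = "access to * by users read by anonymous read\naccess to dn.base=ACL by users read"
RULESET_2 = "access to dn.base=ACL by users read\naccess to * by users read by anonymous read"
# One way to 'specify otherwise': an explicit 'by * none break' on the dn.base
# rule lets evaluation continue to 'access to *' for subjects it did not grant.
RULESET_BREAK = "access to dn.base=ACL by users read by * none break\n" + RULESET_1.splitlines()[0]
```

Calling evaluate(parse(RULESET_2), "ACL", "anonymous") returns "none" while the same call on RULESET_1 returns "read", matching the explanation above.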