
List:       ldap
Subject:    Re: access list order
From:       Kai Qu <ee_kuq () sal ! lamar ! edu>
Date:       1998-05-27 18:53:03


hi, 

very right! thanks. 

I know your analysis is right because when I put in more access clauses, I can
exchange the relative position (within the constraint of the 
"specific-ness rule", of course) of the other clauses, but not the first one.
Also, if I use "defaultaccess read", everything is also fine.

So, I conclude that I should keep the first clause always having "by * read" as
the last item (if there is none, I can always make one; it is more restrictive 
than "defaultaccess read").

However, this raises another question: why is "read entry" enough for 
write? On the other hand, why does "compare" not need "compare entry"?
(as your suggestion implies)


thanks!!

Kai


On Wed, 27 May 1998, Kurt Spanier wrote:

> Hi,
> 
> I know from the UMich slapd that 'entry' in the acl clause is used like
> any other attribute for defining access rights. Secondly, the first
> matching rule is taken, and nothing else. That means, having 'compare
> entry' (that is the interpretation of the 'entry,userpassword' rule!) 
> will prevent entries from being searched for any other attribute.
> Delete the entry-'attribute' from the compare clause, and anything will
> work as you might expect. Userpassword will not be compromised by the
> deletion!
> 
> 
> Hope that helps,
> 
> Kurt
> 
> 
> On Wed, 27 May 1998, Kai Qu wrote:
> 
> > Date: Wed, 27 May 1998 11:59:54 -0500 (CDT)
> > From: Kai Qu <ee_kuq@sal.lamar.edu>
> > To: ldap@UMICH.EDU
> > Subject: access list order
> > 
> > hi, 
> > 
> > can anybody explain why it works: 
> > 
> > *******************************
> > defaultaccess none
> > 
> > access to * attrs=entry,mail,telephonenumber
> >       by self write
> >       by dn="cn=Manager,o=Lamar University,c=US" write
> >       by * read
> > 
> > access to * attrs=entry,userpassword
> >      by self write
> >      by dn="cn=Manager,o=Lamar University,c=US" write
> >      by * compare
> > *******************************
> > 
> > 
> > but it does not work if the order is reversed: 
> > (I cannot get mail and telephonenumber anymore by anonymous search)
> > 
> > *******************************
> > defaultaccess none
> > 
> > access to * attrs=entry,userpassword
> >      by self write
> >      by dn="cn=Manager,o=Lamar University,c=US" write
> >      by * compare
> > 
> > access to * attrs=entry,mail,telephonenumber
> >       by self write
> >       by dn="cn=Manager,o=Lamar University,c=US" write
> >       by * read
> > *******************************
> > 
> > 
> > thanks!!!
> > 
> > Kai
> > 
> 
> 
> ----------==========#########>>>>>ZDV<<<<<#########==========----------
> 
> X.500:                                              Tel.:
>    Kurt Spanier, Zentrum fuer Datenverarbeitung,      +49 7071 29-70334
>    Universitaet Tuebingen, DE
> SMTP-Mail:                                          FAX.:
>    kurt.spanier@zdv.uni-tuebingen.de                   +49 7071 29-5912
> Snail-Mail:
>    Dr. Kurt Spanier, Zentrum fuer Datenverarbeitung,
>    Universitaet Tuebingen, Waechterstrasse 76, D-72074 Tuebingen
> PGP-Public-Key:
>    finger "Kurt Spanier"@x500.uni-tuebingen.de
> 
> ----------==========##########>>>>>@<<<<<##########==========----------
> 
> 
> 
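The following is an added example, not code from the mailing list thread or from the UMich slapd sources. It is a small simulator of the first-match access-list semantics Kurt describes (each "access to ... attrs=..." clause is a rule, the first rule whose attrs include the requested attribute is the only one consulted, the first matching "by" line inside that rule decides, and "entry" is treated like any other attribute), run over Kai's two configurations and over Kurt's suggested fix. The rule that an anonymous search must hold at least "read" on "entry" to have the entry returned, and the access level ordering none < compare < search < read < write, are assumptions of this model, not statements from the thread; the function and class names are likewise invented for the example.

```python
"""Added example: simulate first-match slapd-style ACL evaluation for the
two access lists in the thread. Not the real slapd implementation."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed privilege ordering (lowest to highest).
LEVELS = ["none", "compare", "search", "read", "write"]


def at_least(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class By:
    who: str        # "self", "*", or 'dn="..."'
    level: str


@dataclass
class Rule:
    attrs: List[str]   # attributes this clause covers ("entry" included)
    by: List[By]


MANAGER = 'dn="cn=Manager,o=Lamar University,c=US"'


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """requester=None models an anonymous bind."""
    if who == "*":
        return True
    if who == "self":
        return requester is not None and requester == target_dn
    if who.startswith("dn="):
        return requester is not None and who == f'dn="{requester}"'
    return False


def access_level(rules: List[Rule], default: str, attr: str,
                 requester: Optional[str], target_dn: str) -> str:
    """First rule whose attrs cover `attr` wins; later rules are never consulted."""
    for rule in rules:
        if attr in rule.attrs:
            for b in rule.by:
                if who_matches(b.who, requester, target_dn):
                    return b.level
            return "none"          # clause matched, but no 'by' line applied
    return default                  # no clause matched: defaultaccess


def anonymous_search_returns(rules: List[Rule], default: str,
                             wanted: List[str], target_dn: str) -> List[str]:
    """Assumption: returning an entry needs read on 'entry', then read per attribute."""
    if not at_least(access_level(rules, default, "entry", None, target_dn), "read"):
        return []
    return [a for a in wanted
            if at_least(access_level(rules, default, a, None, target_dn), "read")]


def clause(attrs: List[str], star_level: str) -> Rule:
    """Build the 'self write / Manager write / * <level>' clause used in the thread."""
    return Rule(attrs, [By("self", "write"), By(MANAGER, "write"), By("*", star_level)])


DEFAULT = "none"
PUBLIC = clause(["entry", "mail", "telephonenumber"], "read")
SECRET = clause(["entry", "userpassword"], "compare")
SECRET_FIXED = clause(["userpassword"], "compare")     # Kurt's fix: drop 'entry'

WORKING = [PUBLIC, SECRET]            # Kai's first (working) order
REVERSED = [SECRET, PUBLIC]           # Kai's reversed (broken) order
REVERSED_FIXED = [SECRET_FIXED, PUBLIC]

PERSON = "cn=Kai Qu,o=Lamar University,c=US"   # constructed sample DN


if __name__ == "__main__":
    for name, rules in [("working", WORKING), ("reversed", REVERSED),
                        ("reversed+fix", REVERSED_FIXED)]:
        got = anonymous_search_returns(rules, DEFAULT, ["mail", "telephonenumber"], PERSON)
        print(f"{name:13s} anonymous search returns: {got}")
```

In the reversed order the "entry,userpassword" clause is the first one covering "entry", so anonymous access to "entry" is evaluated as "compare" and the entry is never returned, regardless of the "by * read" that follows in the second clause. Removing "entry" from the compare clause makes the "entry,mail,telephonenumber" clause the first match for "entry" again, while "userpassword" still resolves to "compare" for anonymous users.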
