The optional field <control> controls the flow of access rule application. It can have the forms

    stop
    continue
    break

where stop, the default, means access checking stops in case of match. The other two forms are used to keep on processing access clauses. In detail, the continue form allows for other <who> clauses in the same <access> clause to be considered, so that they may result in incrementally altering the privileges, while the break form allows for other <access> clauses that match the same target to be processed. Consider the (silly) example
    access to dn.subtree="dc=example,dc=com" attrs=cn
        by * =cs break
    access to dn.subtree="ou=People,dc=example,dc=com"
        by * +r
which allows search and compare privileges to everybody under the "dc=example,dc=com" tree, with the second rule also allowing read in the "ou=People" subtree, or the (even more silly) example
    access to dn.subtree="dc=example,dc=com" attrs=cn
        by * =cs continue
        by users +r
which grants everybody search and compare privileges, and adds read privileges to authenticated clients.

One useful application is to easily grant write privileges to an updatedn that is different from the rootdn. In this case, since the updatedn needs write access to (almost) all data, one can use
    access to *
        by dn.exact="cn=The Update DN,dc=example,dc=com" write
        by * break
as the first access rule. As a consequence, unless the operation is performed with the updatedn identity, control is passed straight to the subsequent rules.
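The three examples above (break across rules, continue within a rule, and the updatedn rule) can be traced with a small evaluator that models the control flow as described. This is an added illustration written for this page, not OpenLDAP's own code: it assumes a reduced <who> syntax ('*', 'users', 'dn.exact=<dn>'), dn.subtree targets, that an omitted <access> leaves privileges unchanged, and that a rule none of whose <by> clauses match denies access.

```python
"""Toy evaluator for the stop / continue / break controls as described
above.  Hypothetical model for this page, not OpenLDAP code.  Assumptions:
<who> is '*', 'users' or 'dn.exact=<dn>'; <what> is dn.subtree (or '*') plus
optional attrs; omitted <access> leaves privileges unchanged; a rule with no
matching <by> clause denies (implicit 'by * none')."""
from collections import namedtuple

PRIV_ORDER = "dxcsrwm"   # disclose, auth, compare, search, read, write, manage
LEVEL_NAMES = "none disclose auth compare search read write manage".split()
# access: '=cs', '+r', '-w', a level keyword, or None (omitted); default control stop
By = namedtuple("By", "who access control", defaults=(None, "stop"))
# subtree: dn.subtree target or '*'; attrs: None means every attribute
Rule = namedtuple("Rule", "subtree by attrs", defaults=(None,))

def apply_access(granted, spec):
    """Return the new privilege set; a level keyword implies all lower ones."""
    if spec is None:
        return granted
    if spec[0] not in "=+-":
        return set(PRIV_ORDER[:LEVEL_NAMES.index(spec)])
    letters = set(spec[1:])
    return {"=": letters, "+": granted | letters, "-": granted - letters}[spec[0]]

def who_matches(who, client_dn):
    """'users' is any authenticated identity; client_dn None means anonymous."""
    return who == "*" or (who == "users" and client_dn is not None) \
        or who == "dn.exact=" + str(client_dn)

def rule_matches(rule, target_dn, attr):
    in_tree = (rule.subtree == "*" or target_dn == rule.subtree
               or target_dn.endswith("," + rule.subtree))
    return in_tree and (rule.attrs is None or attr in rule.attrs)

def evaluate(rules, client_dn, target_dn, attr):
    """Privilege letters held when rule processing terminates."""
    granted, fmt = set(), lambda g: "".join(p for p in PRIV_ORDER if p in g)
    for rule in (r for r in rules if rule_matches(r, target_dn, attr)):
        matched = False
        for clause in rule.by:
            if not who_matches(clause.who, client_dn):
                continue
            matched = True
            granted = apply_access(granted, clause.access)
            if clause.control == "stop":
                return fmt(granted)
            if clause.control == "break":
                break            # leave this rule, try the next matching one
            # 'continue': keep testing the remaining <by> clauses of this rule
        else:                    # clauses exhausted without a break
            return fmt(granted) if matched else ""
    return fmt(granted)
```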