Re: Problems with dynacl/now=<=...
> On 10.04.10 00:03, "masarati@aero.polimi.it"
> <masarati@aero.polimi.it> wrote:
>
>>> Hi,
>>>
>>> I am trying to use the
>>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c>
>>> dynacl module with slapd 2.4.11 (from debian).
>>>
>>>
>>> access to dn.children="dc=dg-i,dc=net"
>>> by dynacl/now=>=auditTimestamp none
>>> by dynacl/now=<=auditTimestamp none
>>> by group.exact="cn=Readers,...." read
>>
>> Yes. I think you did not understand the logic behind the ACI access
>> granting mechanism. When you write
>>
>> by dynacl/now=>=auditTimestamp none
>>
>> the "none" indicates how much privilege you allow this rule to give.
>> Then, if the rule matches, the privilege is given, otherwise it is not.
>> This was designed because ACIs were much more granular than the "now"
>> dynacl. Think of this dynacl as something that gives a boolean
>> (match/nomatch). If true, the access level will be granted, otherwise
>> denied. So, if you have an attribute "validityStarts" and another
>> "validityEnds", and you want to allow "read" access to entries that are
>> in between the validity interval, you'd need to do
>>
>> access to <what>
>> by dynacl/now=">=validityStarts" <level> break
>>
>> access to <what>
>> by dynacl/now="<=validityEnds" <level>
>
> What I am trying to do is deny access for users who either are not yet
> valid or are expired.
>
> access to <what>
> by dynacl/now="<=validityStarts" none
> by dynacl/now=">=validityEnds" none
>
>
> Would this deny users that are not valid or expired?
If it were fine, it would work as expected. Do you see any resemblance
between this and what I wrote above? Personally, I don't. By setting
<level> to "none" you're telling dynacl to ignore those rules (line 1772
of slapd/acl.c). That's why now_dynacl_mask() is not even invoked.
p.
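To make the reply's point concrete, here is an added Python model of the evaluation described in this thread; it is not OpenLDAP code and is deliberately simplified. It assumes slapd's default behaviour (the first matching "by" clause decides, "break" continues with the next "access to" directive, no matching clause means deny) and uses constructed generalizedTime values for validityStarts/validityEnds, with a "by * read" standing in for the group.exact clause of the original question.

```python
"""Added model (not OpenLDAP code) of how slapd treats "by dynacl/now=<op><attr>" clauses.
Assumes: first matching "by" decides; "break" continues to the next "access to"; no match denies."""
import operator
# Access levels in increasing order (a simplified view of slapd's privilege levels).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq}

def covers(level, requested):
    return LEVELS.index(level) >= LEVELS.index(requested)  # does level include requested?

def who_matches(clause, entry, now):
    who = clause["who"]  # "*" matches anyone; ("now", op, attr) compares the clock
    if who == "*":
        return True
    _, op, attr = who
    value = entry.get(attr)
    return value is not None and OPS[op](now, value)

def evaluate(directives, entry, now, requested="read"):
    """True if the requested access is granted; each directive is its list of by-clauses."""
    granted = False
    for by_clauses in directives:
        hit = None
        for clause in by_clauses:
            # The check the reply cites: a dynacl whose <level> does not cover the requested
            # privilege is skipped outright, so its time comparison never runs.
            if clause["who"] != "*" and not covers(clause["level"], requested):
                continue
            if who_matches(clause, entry, now):
                hit = clause
                break
        if hit is None:
            return False
        granted = covers(hit["level"], requested)
        if hit.get("control", "stop") == "stop":
            return granted
    return granted

def by(who, level, control="stop"):
    return {"who": who, "level": level, "control": control}

# Constructed sample entry and clocks in generalizedTime form, so strings compare in order.
ENTRY = {"validityStarts": "20100501000000Z", "validityEnds": "20100601000000Z"}
NOT_YET, INSIDE, EXPIRED = "20100410000300Z", "20100515120000Z", "20100701000000Z"
# The poster's attempt: two "none" dynacl rules, then a grant standing in for group.exact.
DENY_ATTEMPT = [[by(("now", "<=", "validityStarts"), "none"),
                 by(("now", ">=", "validityEnds"), "none"), by("*", "read")]]
# The reply's suggestion: one directive per bound, the first with "break".
WINDOW = [[by(("now", ">=", "validityStarts"), "read", "break")],
          [by(("now", "<=", "validityEnds"), "read")]]
```

Running evaluate() on DENY_ATTEMPT grants read even to a not-yet-valid or expired entry, while WINDOW grants it only inside the interval.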