
Re: configure ACL: allow access until after a period of time?



On Wed, Jul 09, 2008 at 01:52:20PM +0800, Zhang Weiwu wrote:

> I've been looking for a solution to define time-based ACLs, e.g. a user
> can access certain entries only from now on until after 3 months. Is it
> possible?
> 
> Of course I can also set up a cron-job or simply mark on my calendar, to
> remove access of this entry after a period of time, e.g. 3 months. But I
> wonder if it's possible to let slapd manage it.
> 
> e.g. I want to make a certain group of users not able to access all
> contact records in a certain department after 2008-08-08 (but still can
> access other records).

I think the easiest way would be to create a group to control access
to the data - write ACLs so that only members of the group can see it.
You then add the user to the group and set a cron/at job to remove
them again in three months.

If you do much of this sort of thing it might be worth defining a
structure in LDAP or some other database that defines the rights and
the time period, and making a regular job that updates groups based on
that.

Another possibility might be to use a dynamic group (see
slapo-dynlist) that expands to the set of users with expiry dates in
the future and make the ACL dependent on that. Something will have to
update the group definition each day. I don't know whether this
overlay works with ACLs though.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
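
The "regular job that updates groups" approach suggested in the reply above, as an added Python example that is not part of the original message. The DNs, the grant table, the ACL shown in the comment and the function names are all constructed for illustration.

```python
from datetime import date

# Constructed example data; none of these DNs come from the original post.
GROUP_DN = "cn=sales-readers,ou=Groups,dc=example,dc=com"
# slapd ACL this job assumes (group.exact tests the "member" attribute):
#   access to dn.subtree="ou=Sales,dc=example,dc=com"
#       by group.exact="cn=sales-readers,ou=Groups,dc=example,dc=com" read
#       by * none
GRANTS = {  # user DN -> last day on which access is still allowed
    "uid=alice,ou=People,dc=example,dc=com": date(2008, 8, 8),
    "uid=bob,ou=People,dc=example,dc=com": date(2008, 10, 9),
}


def norm(dn):
    """Crude DN normalisation (lower-case, no spaces around commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def expired_members(members, grants, today):
    """Members to drop: grant lapsed, or no grant on record (fail closed)."""
    expiry = {norm(dn): day for dn, day in grants.items()}
    drop = []
    for dn in members:
        last_day = expiry.get(norm(dn))
        if last_day is None or today > last_day:
            drop.append(dn)
    return drop


def removal_ldif(group_dn, drop):
    """LDIF for ldapmodify; empty string when nothing has expired."""
    if not drop:
        return ""
    lines = [f"dn: {group_dn}", "changetype: modify", "delete: member"]
    lines += [f"member: {dn}" for dn in drop]
    return "\n".join(lines + ["-", ""])


if __name__ == "__main__":
    # Constructed current membership, as if read from the group entry.
    current = ["uid=alice,ou=People,dc=example,dc=com",
               "UID=Bob, ou=People, dc=example, dc=com",
               "uid=mallory,ou=People,dc=example,dc=com"]
    drop = expired_members(current, GRANTS, date(2008, 8, 9))
    print(removal_ldif(GROUP_DN, drop), end="")
```

The generated LDIF is meant to be fed to ldapmodify from the daily cron job. A groupOfNames entry must keep at least one member value, so a group that can empty out needs a permanent placeholder member.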