
Re: Problems with dynacl/now=<=...



> Hi,
>
> I am trying to use the
> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c>
> dynacl module with slapd 2.4.11 (from Debian).
>
> The module seems to initialize correctly but the "now_dynacl_mask"
> function is never called.  My testing ACL looks like:
>
> access to dn.children="dc=dg-i,dc=net"
>         by dynacl/now=>=auditTimestamp none
>         by dynacl/now=<=auditTimestamp none
>         by group.exact="cn=Readers,...." read
>
>
> This should always fail, but it does not: read access is granted to
> the object for members of the group.
>
> Is the module intended for use with 2.4?

Yes.  I think you did not understand the logic behind the ACI access
granting mechanism.  When you write

         by dynacl/now=>=auditTimestamp none

the "none" indicates how much privilege you allow this rule to give.
Then, if the rule matches, the privilege is given, otherwise it is not.
This was designed because ACIs were much more granular than the "now"
dynacl.  Think of this dynacl as something that gives a boolean
(match/nomatch).  If true, the access level will be granted, otherwise
denied.  So, if you have an attribute "validityStarts" and another
"validityEnds", and you want to allow "read" access to entries that are in
between the validity interval, you'd need to do

access to <what>
        by dynacl/now=">=validityStarts" <level> break

access to <what>
        by dynacl/now="<=validityEnds" <level>

Note that <what> and <level> are the same in the two rules (if that's what
you want), and the "break" at the end of the first rule allows the second
to be processed in case the first matches.  If the first doesn't match,
you're out.

p.
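As an added illustration (not part of the thread, and not OpenLDAP code), here is a small Python model of the evaluation the reply describes: each dynacl/now clause yields match/nomatch, a match grants the clause's level, "stop" ends evaluation, "break" moves on to the next "access to" clause, and an access clause whose "by" clauses all miss ends in the implicit "by * none". The attribute names validityStarts and validityEnds come from the reply; the sample entry timestamps and the `check_window` helper are constructed.

```python
# Simplified model of the slapd ACL evaluation described in the reply above.
# Constructed example, not OpenLDAP code: only dynacl/now=<op><attr> clauses
# are modelled, and the last matching clause's level is the result.
from datetime import datetime, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, as stored in the entry

# Each inner list is one "access to <what>" clause (same <what> in both);
# tuples are (operator, attribute, level, control) for "by dynacl/now=...".
TWO_RULE_ACL = [
    [(">=", "validityStarts", "read", "break")],
    [("<=", "validityEnds", "read", "stop")],
]
# A single rule only checks one bound of the interval.
SINGLE_RULE_ACL = [[(">=", "validityStarts", "read", "stop")]]

# Constructed entry: valid during August 2009.
SAMPLE_ENTRY = {"validityStarts": "20090801000000Z",
                "validityEnds": "20090831235959Z"}


def now_matches(op, attr, entry, now):
    """dynacl/now: compare the current time against a timestamp attribute."""
    if attr not in entry:
        return False  # missing attribute: the dynacl cannot match
    ts = datetime.strptime(entry[attr], GT_FMT).replace(tzinfo=timezone.utc)
    return now >= ts if op == ">=" else now <= ts


def evaluate(acl, entry, now):
    """Return the access level the ACL yields for `entry` at time `now`."""
    level = "none"
    for access_clause in acl:
        for op, attr, who_level, control in access_clause:
            if now_matches(op, attr, entry, now):
                level = who_level
                if control == "stop":
                    return level
                break  # "break": go on to the next "access to" clause
        else:
            return "none"  # implicit "by * none": no by clause matched
    return level


def check_window(now_str, acl=TWO_RULE_ACL):
    """Evaluate `acl` against SAMPLE_ENTRY at GeneralizedTime `now_str`."""
    now = datetime.strptime(now_str, GT_FMT).replace(tzinfo=timezone.utc)
    return evaluate(acl, SAMPLE_ENTRY, now)
```

Only a time inside the interval yields "read" with the two-rule form; before the start the first rule misses and the implicit "none" applies, after the end the first rule matches and breaks to the second, which misses.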