
Re: Problems witch dynacl/now=<=...

> On 10.04.10 00:03, "masarati@aero.polimi.it" at
> <masarati@aero.polimi.it> wrote:
>>> Hi,
>>> I am trying to use the
>>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c>
>>> dynacl
>>> module with slapd 2.4.11 (from debian).
>>> access to dn.children="dc=dg-i,dc=net"
>>>         by dynacl/now=>=auditTimestamp none
>>>         by dynacl/now=<=auditTimestamp none
>>>         by group.exact="cn=Readers,...." read
>> Yes.  I think you did not understand the logic behind the ACI access
>> granting mechanism.  When you write
>>          by dynacl/now=>=auditTimestamp none
>> the "none" indicates how much privilege you allow this rule to give.
>> Then, if the rule matches, the privilege is given, otherwise it is not.
>> This was designed because ACIs were much more granular than the "now"
>> dynacl.  Think of this dynacl as something that gives a boolean
>> (match/nomatch).  If true, the access level will be granted, otherwise
>> denied.  So, if you have an attribute "validityStarts" and another
>> "validityEnds", and you want to allow "read" access to entries that are
>> in between the validity interval, you'd need to do
>> access to <what>
>>         by dynacl/now=">=validityStarts" <level> break
>> access to <what>
>>         by dynacl/now="<=validityEnds" <level>
> What I am trying to do is I want to deny access for Users who either
> are not yet valid or are expired.
> access to <what>
>     by dynacl/now="<=validityStarts" none
>     by dynacl/now=">=validityEnds" none
> Would this deny Users that are not valid or expired ?

If it were fine, it would work as expected.  Do you see any resemblance
between this and what I wrote above?  Personally, I don't.  By setting
<level> to "none" you're telling dynacl to ignore those rules (line 1772
of slapd/acl.c).  That's why now_dynacl_mask() is not even invoked.
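As an added illustration (not code from this thread or from the OpenLDAP project), here is a small Python model of slapd ACL evaluation that reproduces both configurations discussed above: the two "none" dynacl/now rules from the question, and the two directives chained with "break" from the reply. The model assumes what the reply states: a dynacl/now clause is a boolean test of the current time against the named entry attribute, and a dynacl/now clause whose level is "none" is skipped. The control-flow rules (first matching "by" decides, "stop" by default, "break" carries the level on to the next "access to" directive, and a matching directive with no matching "by" denies) follow the documented slapd semantics. The entry timestamps and the group DN are constructed sample values.

```python
# Added example, not OpenLDAP code: a simplified model of slapd ACL evaluation
# for the dynacl/now discussion.  Assumptions (from the reply above):
#  - a dynacl/now clause is a boolean test of "now" against the entry
#    attribute named in its parameter (the "match/nomatch" in the reply);
#  - a dynacl/now clause whose level is "none" is ignored entirely;
#  - standard slapd control flow: the first matching "by" clause decides,
#    "stop" (default) ends evaluation, "break" carries the granted level on
#    to the next "access to" directive, and a matching directive with no
#    matching "by" clause denies (the implicit "by * none").
from dataclasses import dataclass
from datetime import datetime, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, e.g. 20100410000300Z


def parse_gt(value: str) -> datetime:
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


@dataclass
class By:
    who: str               # "dynacl/now" or "group.exact"
    param: str             # e.g. ">=validityStarts", or the group DN
    level: str             # "none", "read", ...
    control: str = "stop"  # "stop" (default) or "break"


@dataclass
class Access:
    by_clauses: list       # ordered "by" clauses of one "access to" directive


def now_matches(param: str, entry: dict, now: datetime) -> bool:
    """Evaluate a dynacl/now parameter such as '>=validityStarts'."""
    op, attr = param[:2], param[2:]
    if attr not in entry:
        return False
    stamp = parse_gt(entry[attr])
    return {">=": now >= stamp, "<=": now <= stamp}[op]


def evaluate(acl: list, entry: dict, now: datetime, groups: set) -> str:
    """Access level granted on `entry` to a requester in `groups` at `now`."""
    granted = "none"
    for directive in acl:
        matched = False
        for by in directive.by_clauses:
            if by.who == "dynacl/now":
                if by.level == "none":
                    continue  # rule is ignored, as the reply describes
                if not now_matches(by.param, entry, now):
                    continue
            elif by.who == "group.exact":
                if by.param not in groups:
                    continue
            else:
                raise ValueError(f"unsupported <who>: {by.who}")
            matched = True
            granted = by.level
            if by.control == "break":
                break         # carry `granted` on to the next directive
            return granted    # default control "stop"
        if not matched:
            return "none"     # implicit "by * none"
    return granted


READERS_DN = "cn=Readers,dc=example,dc=com"  # constructed placeholder DN


def user_config() -> list:
    """The configuration from the question: two "none" rules, then the group."""
    return [Access([
        By("dynacl/now", "<=validityStarts", "none"),
        By("dynacl/now", ">=validityEnds", "none"),
        By("group.exact", READERS_DN, "read"),
    ])]


def chained_config(level: str = "read") -> list:
    """The form suggested in the reply: two directives joined with "break"."""
    return [
        Access([By("dynacl/now", ">=validityStarts", level, control="break")]),
        Access([By("dynacl/now", "<=validityEnds", level)]),
    ]


ENTRY = {  # constructed sample entry, valid from 2010-01-01 to 2010-06-01
    "validityStarts": "20100101000000Z",
    "validityEnds": "20100601000000Z",
}


def demo() -> dict:
    """Map each sample time to (user_config result, chained_config result)."""
    results = {}
    for label, when in [("before", "20091215120000Z"),
                        ("inside", "20100410000300Z"),
                        ("expired", "20100815120000Z")]:
        now = parse_gt(when)
        results[label] = (evaluate(user_config(), ENTRY, now, {READERS_DN}),
                          evaluate(chained_config(), ENTRY, now, {READERS_DN}))
    return results


if __name__ == "__main__":
    for label, (user, chained) in demo().items():
        print(f"{label:8s} question's config -> {user:5s} reply's config -> {chained}")
```

Running it shows the point of the reply: with the question's configuration the two "none" rules never participate, so a Readers member gets "read" before, inside and after the validity interval; with the two "break"-chained directives, "read" is granted only when now lies inside the interval, and both the not-yet-valid and the expired case fall through to the implicit deny.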