1:08 p.m.
Daniel schrieb:
> masarati(a)aero.polimi.it schrieb:
>>> What kind of alternative solutions exist or do you see?
>>
>> I'd rather define a new ordering matching rule for time-valued attrs
>> that
>> checks how a given value compares with "now"; something like
>> "greaterThanNow" and "lessThanNow". This would allow to do
something
>> like
>>
>> access to attrs=validnow val/greaterThanNow=19700101000000Z
>>
>> or
>>
>> access to filter=(validnow:greaterThanNow:=19700101000000Z)
>>
>> where 19700101000000Z (the epoch) is used as a placeholder for the
>> asserted value, which would be ignored.
After some experiments with MRs I think that I have not understood your
suggestion the right way or your suggestion is misleading...
In case the two new MRs "earlierThanNow" and "laterThanNow" are new
ORDERING MRs they have to be compared using lt- or gt-operators, haven't
they?
No, you need to use an extensible filter, which is sort of a generalized
assertion. What you use is "attr:mr:=value". Then, it's the purpose of
"mr", your custom matching rule, to perform something that is equivalent
to an ordering match. Your attributes do not need to have anything
special about matching rules. They could even have no matching rule
defined. All they need is to have "generalizedTime" syntax, so that your
custom matching rule can be applied.
This leads me to the question why are there two MRs needed if the
operator could be used to tell the difference... (e.g. earlierThanNow:
"<" and laterThanNow: ">")?
Because you need two separate assertions for earlierThanNow and laterThanNow.
Another question concerns the schema-definition of the two dead-end
attributes "validNotBefore" and "validNotAfter": In my current
definition both are of type "generalizedTime", EQUALITY is
"generalizedTimeMatch" but what should I use for ORDERING?
See above. Nothing is needed about equality.
From the results of my MR-tests I think I should/could:
1. define ORDERING using "generalizedTimeOrderingMatch" (to make
standard LE/GE ldapsearch filtering using "<=" and ">=" work
out of the
box)
That makes sense, although it would be orthogonal to using the
earlierThanNow/laterThanNow rules through extensible filters.
2. use the two additional MRs on-demand (replacing the above
"default"
ORDERING by the new ones), e.g.:
(validNotBefore:earlierThanNow:<epoch) or/and
(validNotBefore:earlierThanNow:>epoch)
The above string representations do not conform to LDAP search filters.
See RFC 4515 for a definition of extensible match.
Would this be possible or ok? What alternatives do you possibly see
or
suggest?
Stick with the original plan, implement it correctly.
p.
2:01 p.m.
New subject: slapd/acl.c: using "filter=()" in an acl does not trigger an overlay's search callback
masarati(a)aero.polimi.it schrieb:
> Daniel schrieb:
>
>> masarati(a)aero.polimi.it schrieb:
>>
>>>> What kind of alternative solutions exist or do you see?
>>>>
>>> I'd rather define a new ordering matching rule for time-valued attrs
>>> that
>>> checks how a given value compares with "now"; something like
>>> "greaterThanNow" and "lessThanNow". This would allow to
do something
>>> like
>>>
>>> access to attrs=validnow val/greaterThanNow=19700101000000Z
>>>
>>> or
>>>
>>> access to filter=(validnow:greaterThanNow:=19700101000000Z)
>>>
>>> where 19700101000000Z (the epoch) is used as a placeholder for the
>>> asserted value, which would be ignored.
>>>
> After some experiments with MRs I think that I have not understood your
> suggestion the right way or your suggestion is misleading...
>
> In case the two new MRs "earlierThanNow" and "laterThanNow" are
new
> ORDERING MRs they have to be compared using lt- or gt-operators, haven't
> they?
>
No, you need to use an extensible filter, which is sort of a generalized
assertion. What you use is "attr:mr:=value". Then, it's the purpose of
"mr", your custom matching rule, to perform something that is equivalent
to an ordering match. Your attributes do not need to have anything
special about matching rules. They could even have no matching rule
defined. All they need is to have "generalizedTime" syntax, so that your
custom matching rule can be applied.
That was a very helpful explanation - thanks a lot!
> From the results of my MR-tests I think I should/could:
> 1. define ORDERING using "generalizedTimeOrderingMatch" (to make
> standard LE/GE ldapsearch filtering using "<=" and ">="
work out of the
> box)
>
That makes sense, although it would be orthogonal to using the
earlierThanNow/laterThanNow rules through extensible filters.
ok.
> 2. use the two additional MRs on-demand (replacing the above
"default"
> ORDERING by the new ones), e.g.:
> (validNotBefore:earlierThanNow:<epoch) or/and
> (validNotBefore:earlierThanNow:>epoch)
>
The above string representations do not conform to LDAP search filters.
See RFC 4515 for a definition of extensible match.
Ahhh I see, the "ordering matching rule" has led me into the
completely
wrong direction. Now it's clear. Thank again.
5167
days inactive
5167
days old
1 comments
2 participants
participants (2)
-
Daniel -
masaratiļ¼ aero.polimi.it