On Wed, Jul 09, 2008 at 01:52:20PM +0800, Zhang Weiwu wrote:
> I've been looking for a solution to define a time-based ACL. e.g. a user can access certain entries only from now on until after 3 months. Is it possible?
> Of course I can also set up a cron-job or simply mark on my calendar, to remove access of this entry after a period of time, e.g. 3 months. But I wonder if it's possible to let slapd manage it.
> e.g. I want to make a certain group of users not able to access all contact records in a certain department after 2008-08-08 (but still can access other records).

I think the easiest way would be to create a group to control access to the data - write ACLs so that only members of the group can see it. You then add the user to the group and set a cron/at job to remove them again in three months.
If you do much of this sort of thing it might be worth defining a structure in LDAP or some other database that defines the rights and the time period, and making a regular job that updates groups based on that.
Another possibility might be to use a dynamic group (see slapo-dynlist) that expands to the set of users with expiry dates in the future and make the ACL dependent on that. Something will have to update the group definition each day. I don't know whether this overlay works with ACLs though.
Andrew
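
The "regular job that updates groups" suggested in the reply above could look like the following. This is an added example, not part of the original message: the DNs, the grant table layout and the `member` attribute (a `groupOfNames`-style group) are assumptions, and the sample data is constructed. The function returns LDIF that a cron job could pipe to `ldapmodify`.

```python
from datetime import date

GROUP = "cn=sales-contacts,ou=groups,dc=example,dc=com"  # hypothetical group DN
PEOPLE = "ou=people,dc=example,dc=com"                   # hypothetical user base

# Constructed grant table: (user DN, group DN, last day access is allowed).
GRANTS = [
    (f"uid=alice,{PEOPLE}", GROUP, date(2008, 8, 8)),
    (f"uid=bob,{PEOPLE}", GROUP, date(2008, 10, 9)),
]

# Constructed snapshot of current membership, as an ldapsearch would return it.
CURRENT = {GROUP: {f"uid=alice,{PEOPLE}", f"uid=carol,{PEOPLE}"}}


def desired_members(grants, today):
    """Map each managed group to the users whose grant has not expired."""
    wanted = {}
    for user, group, expires in grants:
        wanted.setdefault(group, set())
        if today <= expires:  # access is valid through the expiry day itself
            wanted[group].add(user)
    return wanted


def sync_ldif(grants, current, today):
    """Return LDIF that makes every managed group match the grant table.

    The group is treated as fully owned by this job: a member with no
    unexpired grant (expired, or added by hand) is removed, so access
    fails closed. Note that groupOfNames requires at least one member,
    so a real deployment keeps a permanent placeholder member granted.
    """
    records = []
    wanted = desired_members(grants, today)
    for group in sorted(wanted):
        have = current.get(group, set())
        ops = []
        for op, users in (("delete", have - wanted[group]),
                          ("add", wanted[group] - have)):
            if users:
                lines = [f"{op}: member"] + [f"member: {u}" for u in sorted(users)]
                ops.append("\n".join(lines))
        if ops:  # emit nothing when the group is already correct
            records.append(f"dn: {group}\nchangetype: modify\n" + "\n-\n".join(ops) + "\n")
    return "\n".join(records)


if __name__ == "__main__":
    print(sync_ldif(GRANTS, CURRENT, date(2008, 8, 9)))
```

Because the ACL only checks group membership, the expiry takes effect when the job next runs, so the job's schedule sets the maximum time an expired grant stays usable.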