On 10.04.10 00:03, "masarati@aero.polimi.it" <masarati@aero.polimi.it> wrote:
Hi,
I am trying to use the ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c dynacl module with slapd 2.4.11 (from debian).
access to dn.children="dc=dg-i,dc=net"
    by dynacl/now=>=auditTimestamp none
    by dynacl/now=<=auditTimestamp none
    by group.exact="cn=Readers,...." read
Yes. I think you did not understand the logic behind the ACI access granting mechanism. When you write
by dynacl/now=>=auditTimestamp none
the "none" indicates how much privilege you allow this rule to give. Then, if the rule matches, the privilege is given, otherwise it is not. This was designed because ACIs were much more granular than the "now" dynacl. Think of this dynacl as something that gives a boolean (match/nomatch). If true, the access level will be granted, otherwise denied. So, if you have an attribute "validityStarts" and another "validityEnds", and you want to allow "read" access to entries that are in between the validity interval, you'd need to do
access to <what> by dynacl/now=">=validityStarts" <level> break
access to <what> by dynacl/now="<=validityEnds" <level>
What I am trying to do is I want to deny access for Users who are either not yet valid or are expired.
access to <what>
    by dynacl/now="<=validityStarts" none
    by dynacl/now=">=validityEnds" none
Would this deny Users that are not valid or expired?
If it were fine, it would work as expected. Do you see any resemblance between this and what I wrote above? Personally, I don't. By setting <level> to "none" you're telling dynacl to ignore those rules (line 1772 of slapd/acl.c). That's why now_dynacl_mask() is not even invoked.
p.
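The two-directive pattern from the reply and the "none"-level version from the question, run against constructed entries in a small Python model of the evaluation described in this thread. This is an added example, not code from the thread or from OpenLDAP; the evaluation rules (first matching clause wins, "break" moves to the next directive, no match denies, dynacl clauses with level "none" are skipped), the entry values and the `in_group` stand-in for the group clause are assumptions made for illustration.

```python
# Simplified model of the slapd ACL evaluation discussed above (an assumption for
# illustration, not a transcript of slapd/acl.c). Times are LDAP GeneralizedTime
# strings (YYYYMMDDHHMMSSZ), which compare correctly as plain strings.
def now_dynacl(op, attr):
    """The 'now' dynacl is a boolean: compare the current time with an attribute
    of the target entry and answer match / no match, nothing more."""
    def match(entry, now):
        value = entry.get(attr)
        return value is not None and (now >= value if op == ">=" else now <= value)
    return match

def clause(match, level, control="stop", dynacl=False):
    """One 'by' clause: matcher, the level it may grant, and stop/break."""
    return {"match": match, "level": level, "control": control, "dynacl": dynacl}

def evaluate(directives, entry, now):
    """First matching clause of a directive sets the level; 'stop' ends evaluation,
    'break' continues with the next directive; no match denies (implicit 'by * none').
    A dynacl clause with level 'none' is skipped, as the reply describes."""
    level = "none"
    for directive in directives:
        hit = next((c for c in directive if not (c["dynacl"] and c["level"] == "none")
                    and c["match"](entry, now)), None)
        if hit is None:
            return "none"
        level = hit["level"]
        if hit["control"] == "stop":
            return level
    return level

def in_group(entry, now):  # stands in for "by group.exact=... read" (assumed to match)
    return True
# The reply's two-directive form: grant on the first bound, 'break', re-check the second.
WINDOW = [
    [clause(now_dynacl(">=", "validityStarts"), "read", "break", dynacl=True)],
    [clause(now_dynacl("<=", "validityEnds"), "read", dynacl=True)],
]
# The question's form: 'none' levels make both dynacl clauses no-ops, so the
# group clause grants read regardless of validity.
NONE_LEVEL = [[clause(now_dynacl("<=", "validityStarts"), "none", dynacl=True),
               clause(now_dynacl(">=", "validityEnds"), "none", dynacl=True),
               clause(in_group, "read")]]

# Constructed sample entries and a fixed 'now' of 2010-04-10 00:00:00Z.
NOW = "20100410000000Z"
ENTRIES = {
    "active":  {"validityStarts": "20100101000000Z", "validityEnds": "20101231235959Z"},
    "future":  {"validityStarts": "20100601000000Z", "validityEnds": "20101231235959Z"},
    "expired": {"validityStarts": "20090101000000Z", "validityEnds": "20091231235959Z"},
}
def access(directives, name, now=NOW):
    return evaluate(directives, ENTRIES[name], now)
```

With `WINDOW` only the entry inside its validity interval gets "read"; with `NONE_LEVEL` all three get "read", which is the effect the reply describes.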