Hello.
I've been looking for a solution to define time-based ACLs, e.g. a user can access certain entries only from now on until 3 months later. Is it possible?
Of course I can also set up a cron job or simply mark on my calendar to remove access to this entry after a period of time, e.g. 3 months. But I wonder if it's possible to let slapd manage it.
e.g. I want to make a certain group of users unable to access all contact records in a certain department after 2008-08-08 (but still able to access other records).
Thank you very much in advance. It would be kind of you to just give me some links where I can get this knowledge myself (didn't seem to find related information in the 2.4 admin manual).
Zhang Weiwu wrote:
> I've been looking for a solution to define time-based ACLs, e.g. a user can access certain entries only from now on until 3 months later. Is it possible?
> Of course I can also set up a cron job or simply mark on my calendar to remove access to this entry after a period of time, e.g. 3 months. But I wonder if it's possible to let slapd manage it.
> e.g. I want to make a certain group of users unable to access all contact records in a certain department after 2008-08-08 (but still able to access other records).
> Thank you very much in advance. It would be kind of you to just give me some links where I can get this knowledge myself (didn't seem to find related information in the 2.4 admin manual).
I don't think anything like that is possible; however, I vaguely recall receiving a similar requirement from a customer. The suggested solution (not implemented, AFAIR, because the requirement was dropped) was to implement a "time" dynacl module that simply allowed/denied access based on some rule on the current time (it was intended to allow/deny access based on wallclock times, but it could be easily turned into any kind of condition with respect to current time). I think that's the way to go.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
Pierangelo Masarati wrote:
> I vaguely recall receiving a similar requirement from a customer. The suggested solution (not implemented, AFAIR, because the requirement was dropped) was to implement a "time" dynacl module that simply allowed/denied access based on some rule on the current time (it was intended to allow/deny access based on wallclock times, but it could be easily turned into any kind of condition with respect to current time). I think that's the way to go.
Thanks! However, we don't have the resources to get that done because:
1. Our own team doesn't know how to program in a low-level language like C/C++; it only knows web apps, javascript, tcl, php, perl, etc.
2. No resources are planned to hire an external team.
So maybe still go for the crontab solution. But I guess it's going to be unreliable. emmm... problem.. As there are about a hundred users whose access is going to be limited, each by a different date, it is a bit too much work to do manually.
On Wed, Jul 09, 2008 at 01:52:20PM +0800, Zhang Weiwu wrote:
> I've been looking for a solution to define time-based ACLs, e.g. a user can access certain entries only from now on until 3 months later. Is it possible?
> Of course I can also set up a cron job or simply mark on my calendar to remove access to this entry after a period of time, e.g. 3 months. But I wonder if it's possible to let slapd manage it.
> e.g. I want to make a certain group of users unable to access all contact records in a certain department after 2008-08-08 (but still able to access other records).
I think the easiest way would be to create a group to control access to the data - write ACLs so that only members of the group can see it. You then add the user to the group and set a cron/at job to remove them again in three months.
If you do much of this sort of thing it might be worth defining a structure in LDAP or some other database that defines the rights and the time period, and making a regular job that updates groups based on that.
Another possibility might be to use a dynamic group (see slapo-dynlist) that expands to the set of users with expiry dates in the future and make the ACL dependent on that. Something will have to update the group definition each day. I don't know whether this overlay works with ACLs though.
Andrew
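Andrew's group-plus-scheduled-job approach, and the "structure in LDAP that defines the time period" variant, as an added example that is not part of the thread: a daily job reads a per-user expiry attribute (a hypothetical accessExpiry, assumed here, as is the example.com tree) and emits the ldapmodify LDIF that drops expired users from the group the ACL is keyed on, so the hundred different dates live in the directory instead of on a calendar.

```python
# Added example (not from the thread): expire time-limited group memberships.
# Assumes a hypothetical accessExpiry attribute (GeneralizedTime) on each user and
# a groupOfNames that the slapd ACL names as its subject, e.g.
#   access to dn.subtree="ou=dept,dc=example,dc=com"
#     by group.exact="cn=dept-contacts-readers,ou=groups,dc=example,dc=com" read
#     by * none
from datetime import datetime, timezone

GROUP_DN = "cn=dept-contacts-readers,ou=groups,dc=example,dc=com"
# Constructed sample export of the user entries (ldapsearch -LLL style).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
accessExpiry: 20080701000000Z

dn: uid=bob,ou=people,dc=example,dc=com
accessExpiry: 20080901000000Z

dn: uid=carol,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}; no base64 or folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the current entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def expired_members(entries, now):
    """DNs whose accessExpiry is at or before `now` (both GeneralizedTime, Z form)."""
    ts = lambda v: datetime.strptime(v, "%Y%m%d%H%M%SZ")
    return [dn for dn, attrs in entries.items()
            if any(ts(v) <= ts(now) for v in attrs.get("accessExpiry", []))]

def removal_ldif(group_dn, member_dns):
    """LDIF modify record deleting the expired DNs from the group's member attribute."""
    if not member_dns:
        return ""                   # nothing to do today; emit nothing for ldapmodify
    lines = [f"dn: {group_dn}", "changetype: modify", "delete: member"]
    lines += [f"member: {dn}" for dn in member_dns]
    return "\n".join(lines + ["-"]) + "\n"

if __name__ == "__main__":          # cron: python3 expire.py | ldapmodify -x -D ... -W
    now = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    print(removal_ldif(GROUP_DN, expired_members(parse_ldif(SAMPLE_LDIF), now)), end="")
```

Users without an accessExpiry value (carol above) are never touched, so permanent members and time-limited ones can share the same group.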
openldap-software@openldap.org