Hi,
I am trying to use the ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c dynacl module with slapd 2.4.11 (from debian).
The module seems to initialize correctly but the "now_dynacl_mask" function is never called. My testing ACL looks like:
access to dn.children="dc=dg-i,dc=net" by dynacl/now=>=auditTimestamp none by dynacl/now=<=auditTimestamp none by group.exact="cn=Readers,...." read
This should always fail but it does not: read access is granted to the object for members of the group.
Is the module intended for use with 2.4 ?
Thanks Manon
Manon Goo, Dembach Goo Informatik GmbH & Co KG, Untersachsenhausen 33, D-50667 Köln. Tel: +49 221 801483 0, Mobile: +49 177 8091974, Fax: +49 221 801483 20, Email: manon@dg-i.net, Emergency: +49 180 555 4992
Amtsgericht Köln HRA 22794, VAT ID: DE242 159 527. Managing directors: Manon Goo, Andreas Dembach. Liable partner: Dembach Goo Verwaltungs GmbH
> Hi,
> I am trying to use the ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c dynacl module with slapd 2.4.11 (from debian).
> The module seems to initialize correctly but the "now_dynacl_mask" function is never called. My testing ACL looks like:
> access to dn.children="dc=dg-i,dc=net" by dynacl/now=>=auditTimestamp none by dynacl/now=<=auditTimestamp none by group.exact="cn=Readers,...." read
> This should always fail but it does not: read access is granted to the object for members of the group.
> Is the module intended for use with 2.4 ?
Yes. I think you did not understand the logic behind the ACI access granting mechanism. When you write
by dynacl/now=>=auditTimestamp none
the "none" indicates how much privilege you allow this rule to give. Then, if the rule matches, the privilege is given, otherwise it is not. This was designed because ACIs were much more granular than the "now" dynacl. Think of this dynacl as something that gives a boolean (match/nomatch). If true, the access level will be granted, otherwise denied. So, if you have an attribute "validityStarts" and another "validityEnds", and you want to allow "read" access to entries that are in between the validity interval, you'd need to do
access to <what> by dynacl/now=">=validityStarts" <level> break
access to <what> by dynacl/now="<=validityEnds" <level>
Note that <what> and <level> are the same in the two rules (if that's what you want), and the "break" at the end of the first rule allows the second to be processed in case the first matches. If the first doesn't match, you're out.
p.
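An added illustration of the evaluation logic described in the reply above (it is not code from the thread or from the dynacl module): a small Python model of the two-rule "validityStarts"/"validityEnds" ACL, where a non-matching "now" rule denies, a matching rule grants its level, and "break" defers to the next rule. The entry values, the rule table and the treatment of running past a trailing "break" as "none" are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample entry carrying the two validity attributes from the
# reply, stored as LDAP generalizedTime strings (YYYYMMDDHHMMSSZ).
ENTRY = {
    "validityStarts": "20090801000000Z",
    "validityEnds": "20090831235959Z",
}

# The two-rule ACL from the reply, in slapd evaluation order:
# (operator applied as "now <op> attribute", attribute, level, break flag)
RULES = [
    (">=", "validityStarts", "read", True),   # by dynacl/now=">=validityStarts" read break
    ("<=", "validityEnds", "read", False),    # by dynacl/now="<=validityEnds" read
]


def parse_generalized_time(value):
    """Parse the basic generalizedTime form 'YYYYMMDDHHMMSSZ' as a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def now_matches(op, now, attr_value):
    """The boolean the 'now' dynacl yields: does 'now <op> attribute' hold?"""
    ts = parse_generalized_time(attr_value)
    return now >= ts if op == ">=" else now <= ts


def evaluate(rules, entry, now):
    """Apply the rules in order with the semantics the reply describes:
    a non-matching rule denies outright ("you're out"); a matching rule
    grants its level unless it ends in 'break', which hands control to the
    next rule. Running off the end after a 'break' yields 'none' here
    (an assumption of this model, not a statement about slapd)."""
    for op, attr, level, brk in rules:
        if not now_matches(op, now, entry[attr]):
            return "none"
        if not brk:
            return level
    return "none"


if __name__ == "__main__":
    for stamp in ("20090701120000Z", "20090815120000Z", "20090901000000Z"):
        print(stamp, "->", evaluate(RULES, ENTRY, parse_generalized_time(stamp)))
```

Only a "now" inside the window reaches the second rule and gets "read"; a time before validityStarts fails the first rule and a time after validityEnds fails the second.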
openldap-software@openldap.org