> On 10.04.10 00:03, "masar...@aero.polimi.it" <masar...@aero.polimi.it> wrote:
>
>>> Hi,
>>>
>>> I am trying to use the
>>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c>
>>> dynacl module with slapd 2.4.11 (from debian).
>>>
>>>
>>> access to dn.children="dc=dg-i,dc=net"
>>>     by dynacl/now=>=auditTimestamp none
>>>     by dynacl/now=<=auditTimestamp none
>>>     by group.exact="cn=Readers,...." read
>>
>> Yes. I think you did not understand the logic behind the ACI access
>> granting mechanism. When you write
>>
>>     by dynacl/now=>=auditTimestamp none
>>
>> the "none" indicates how much privilege you allow this rule to give.
>> Then, if the rule matches, the privilege is given, otherwise it is not.
>> This was designed because ACIs were much more granular than the "now"
>> dynacl. Think of this dynacl as something that gives a boolean
>> (match/nomatch). If true, the access level will be granted, otherwise
>> denied. So, if you have an attribute "validityStarts" and another
>> "validityEnds", and you want to allow "read" access to entries that are
>> in between the validity interval, you'd need to do
>>
>>     access to <what>
>>         by dynacl/now=">=validityStarts" <level> break
>>
>>     access to <what>
>>         by dynacl/now="<=validityEnds" <level>
>
> What I am trying to do is I want to deny access for Users who either are
> not yet valid or are expired.
>
>     access to <what>
>         by dynacl/now="<=validityStarts" none
>         by dynacl/now=">=validityEnds" none
>
>
> Would this deny Users that are not valid or expired?
If it were fine, it would work as expected. Do you see any resemblance between this and what I wrote above? Personally, I don't. By setting <level> to "none" you're telling dynacl to ignore those rules (line 1772 of slapd/acl.c). That's why now_dynacl_mask() is not even invoked.

p.
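The "deny outside the validity interval" configuration written the way the reply describes it, as an added example that is not part of the thread: the first block is the non-working form with "none", the second chains directives with "break" so that each dynacl/now clause acts as a gate, relying on slapd's rule that a request matching no "by" clause of an applicable directive is denied. The validityStarts/validityEnds attribute names are the ones used in the reply; the Readers group DN is a placeholder for the one elided in the original post.

```conf
# Not working: with "none" as <level> slapd skips the dynacl clause
# entirely (the reply's point), so neither rule can ever deny anything
# and every request falls through to the group check.
access to dn.children="dc=dg-i,dc=net"
    by dynacl/now="<=validityStarts" none
    by dynacl/now=">=validityEnds" none
    by group.exact="cn=Readers,<group-base-DN>" read

# Working: chain directives with "break". Each dynacl/now clause grants
# "read" only when its comparison holds and then continues to the next
# directive; when the comparison does not hold, no "by" clause of that
# directive matches and the request is denied. Only requests for which
# both comparisons hold reach the final group check.
access to dn.children="dc=dg-i,dc=net"
    by dynacl/now=">=validityStarts" read break

access to dn.children="dc=dg-i,dc=net"
    by dynacl/now="<=validityEnds" read break

access to dn.children="dc=dg-i,dc=net"
    by group.exact="cn=Readers,<group-base-DN>" read
```

Check the result with `slapacl -b <entry DN> -D <bind DN>` against an entry whose validity window has passed and one that is current, rather than trusting the ordering by eye.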