Discussion:
Problems with dynacl/now=<=...
Manon Goo
2010-04-07 04:04:38 UTC
Hi,

I am trying to use the
<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c> dynacl
module with slapd 2.4.11 (from debian).

The module seems to initialize correctly, but the "now_dynacl_mask" function
is never called. My testing ACL looks like:

access to dn.children="dc=dg-i,dc=net"
by dynacl/now=>=auditTimestamp none
by dynacl/now=<=auditTimestamp none
by group.exact="cn=Readers,...." read


This should always fail, but it does not: read access is granted to the
object for members of the group.

Is the module intended for use with 2.4 ?


Thanks, Manon

Manon Goo
Dembach Goo Informatik GmbH & Co KG
Untersachsenhausen 33
D-50667 Köln
Tel: +49 221 801483 0
Mobile: +49 177 8091974
Fax: +49 221 801483 20
Email: ***@dg-i.net
Emergency: +49 180 555 4992

Registered at Amtsgericht Köln, HRA 22794; VAT ID: DE242 159 527
Managing directors: Manon Goo, Andreas Dembach
Liable partner: Dembach Goo Verwaltungs GmbH
m***@aero.polimi.it
2010-04-09 22:03:54 UTC
Post by Manon Goo
Hi,
I am trying to use the
<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c> dynacl
module with slapd 2.4.11 (from debian).
The module seems to initialize correctly, but the "now_dynacl_mask" function
access to dn.children="dc=dg-i,dc=net"
by dynacl/now=>=auditTimestamp none
by dynacl/now=<=auditTimestamp none
by group.exact="cn=Readers,...." read
This should always fail, but it does not: read access is granted to the
object for members of the group.
Is the module intended for use with 2.4 ?
Yes. I think you did not understand the logic behind the ACI access
granting mechanism. When you write

by dynacl/now=>=auditTimestamp none

the "none" indicates how much privilege you allow this rule to give.
Then, if the rule matches, the privilege is given, otherwise it is not.
This was designed because ACIs were much more granular than the "now"
dynacl. Think of this dynacl as something that gives a boolean
(match/nomatch). If true, the access level will be granted, otherwise
denied. So, if you have an attribute "validityStarts" and another
"validityEnds", and you want to allow "read" access to entries that are in
between the validity interval, you'd need to do

access to <what>
by dynacl/now=">=validityStarts" <level> break

access to <what>
by dynacl/now="<=validityEnds" <level>

note that <what> and <level> are the same in the two rules (if that's what
you want), and the "break" at the end of the first rule allows the second
to be processed in case the first matches. If the first doesn't match,
you're out.

p.
m***@aero.polimi.it
2010-04-09 23:52:29 UTC
Post by m***@aero.polimi.it
Post by Manon Goo
Hi,
I am trying to use the
<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-05.1.c>
dynacl
module with slapd 2.4.11 (from debian).
access to dn.children="dc=dg-i,dc=net"
by dynacl/now=>=auditTimestamp none
by dynacl/now=<=auditTimestamp none
by group.exact="cn=Readers,...." read
Yes. I think you did not understand the logic behind the ACI access
granting mechanism. When you write
by dynacl/now=>=auditTimestamp none
the "none" indicates how much privilege you allow this rule to give.
Then, if the rule matches, the privilege is given, otherwise it is not.
This was designed because ACIs were much more granular than the "now"
dynacl. Think of this dynacl as something that gives a boolean
(match/nomatch). If true, the access level will be granted, otherwise
denied. So, if you have an attribute "validityStarts" and another
"validityEnds", and you want to allow "read" access to entries that are
in between the validity interval, you'd need to do
access to <what>
by dynacl/now=">=validityStarts" <level> break
access to <what>
by dynacl/now="<=validityEnds" <level>
What I am trying to do is to deny access for users who either are
not yet valid or are expired.
access to <what>
by dynacl/now="<=validityStarts" none
by dynacl/now=">=validityEnds" none
Would this deny users that are not valid or expired?
If it were fine, it would work as expected. Do you see any resemblance
between this and what I wrote above? Personally, I don't. By setting
<level> to "none" you're telling dynacl to ignore those rules (line 1772
of slapd/acl.c). That's why now_dynacl_mask() is not even invoked.

p.
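Putting the two replies together, here is a complete ACL fragment in the slapd.conf style the thread uses. It is an added illustration, not code from the thread, from the dynacl module or from OpenLDAP's documentation. It assumes a suffix of dc=example,dc=com, a readers group cn=Readers,ou=groups,dc=example,dc=com, and the two entry attributes validityStarts and validityEnds from the first reply (assumed to hold generalizedTime values, like auditTimestamp); the dynacl/now pattern syntax is copied from the thread. It relies on ordinary slapd ACL evaluation: a matching clause's level replaces the current one, "break" moves on to the next access directive, and a directive whose <what> matches but none of whose <by> clauses match denies the request (the implicit "by * none" at the end of every directive).

```conf
# Added example, slapd.conf style. Assumed: suffix dc=example,dc=com, the
# group cn=Readers,ou=groups,dc=example,dc=com, and entry attributes
# validityStarts / validityEnds. The "now" dynacl module must already be
# loaded (moduleload ...), as in the original poster's setup.

# Directive 1: group gate. Non-members match no <by> clause here and are
# denied by the implicit "by * none"; members get read, and "break" sends
# evaluation on to the next directive instead of stopping with the grant.
access to dn.children="dc=example,dc=com"
        by group.exact="cn=Readers,ou=groups,dc=example,dc=com" read break

# Directive 2: lower bound of the validity window. The level is a real
# privilege ("read"), never "none": a dynacl clause with level none is
# skipped outright and now_dynacl_mask() is never called.
access to dn.children="dc=example,dc=com"
        by dynacl/now=">=validityStarts" read break

# Directive 3: upper bound. No "break": if this clause matches, read is
# granted; if it does not, no clause in this directive matches and the
# request is denied. Net effect: read only while
# validityStarts <= now <= validityEnds, and only for group members.
access to dn.children="dc=example,dc=com"
        by dynacl/now="<=validityEnds" read

# The shape of the original question, for contrast. Both dynacl clauses
# carry level none and are ignored, so the group clause grants read
# unconditionally; that is why "it should always fail but does not".
#
# access to dn.children="dc=example,dc=com"
#         by dynacl/now=">=validityStarts" none
#         by dynacl/now="<=validityEnds" none
#         by group.exact="cn=Readers,ou=groups,dc=example,dc=com" read
```

To check the result, run slapd with -d acl and issue an ldapsearch as a group member against an entry whose window is in the past, in the future and currently open; the ACL debug output lists each directive and clause as it is evaluated, so it is easy to confirm that the dynacl clauses are now reached rather than skipped. One caveat: the first reply describes the window in terms of the entries being read, and the thread does not establish whether the module can also consult attributes of the bound user's own entry, so check the module source before relying on it to expire users rather than entries.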
