[Freeipa-devel] Time-based account policies
Nathaniel McCallum
npmccallum at redhat.com
Mon Mar 9 13:02:56 UTC 2015
On Mon, 2015-03-09 at 08:00 +0100, Stanislav Láznička wrote:
> Hi!
>
> My name is Stanislav Laznicka and I am a student at Brno University
> of Technology. As a part of my Master's thesis, I am supposed to
> design and implement time-based account policies extensions for
> FreeIPA and SSSD.
>
> While going through the code, I noticed time-based access control
> was implemented in the past, but it was pulled. I would very much be
> interested to know why that was and what were the problems with that
> implementation (so that I don't repeat those again).
>
> The solution to the time-based account policies as I see it can be
> divided into two possible directions - having the time of the
> policies stored as a UTC time (which is what both Active Directory
> and 389 Directory Server do), or it can be just a time record that
> would be compared to the local time of each client.
>
> Each of the approaches above has its pros and cons. Basically, the
> local time approach is much more flexible when it comes to multiple
> time zones; however, it does not allow the absolute control of access
> that the UTC time based approach would (or at least, it does not allow
> it without some further additions). I would therefore also be
> interested to hear from you about which of these approaches
> corresponds more to the common use-case of the FreeIPA system.
I would be deeply worried about the unexpected security issues that
could arise if local time was used by default.
Nathaniel
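The difference between the two designs discussed above, as an added example that is not part of the thread and not FreeIPA or SSSD code: the policy window, the instant being tested, the fixed-offset zones and all function names are constructed for illustration. Under UTC semantics a window is one absolute interval; under local-time semantics the same window is re-read in whatever zone the client reports, so a client that controls its own zone setting can pick an offset that puts it back inside the window.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed policy: logins permitted Monday to Friday, 09:00 to 17:00.
WEEKDAYS = {0, 1, 2, 3, 4}          # datetime.weekday(): Monday == 0
WINDOW_START = time(9, 0)
WINDOW_END = time(17, 0)


def in_window(dt):
    """True if the wall-clock value of dt falls inside the policy window."""
    return dt.weekday() in WEEKDAYS and WINDOW_START <= dt.time() < WINDOW_END


def allowed_utc(now_utc):
    """UTC semantics: the window is an absolute interval; the client's
    zone plays no part in the decision."""
    return in_window(now_utc.astimezone(timezone.utc))


def allowed_local(now_utc, client_tz):
    """Local semantics: the same wall-clock window, read in the zone the
    client reports (hypothetical parameter, stands in for the client's
    own zone configuration)."""
    return in_window(now_utc.astimezone(client_tz))


def bypass_offsets(now_utc):
    """Hour offsets from UTC that a client could report to be inside the
    window at this instant under local semantics. Real zones lie in the
    range -12..+14, so that range is scanned."""
    return [h for h in range(-12, 15)
            if allowed_local(now_utc, timezone(timedelta(hours=h)))]


if __name__ == "__main__":
    # Constructed instant: Monday 2015-03-09 22:30 UTC, outside the window.
    now = datetime(2015, 3, 9, 22, 30, tzinfo=timezone.utc)
    print("UTC semantics:", allowed_utc(now))
    print("local semantics, client at UTC+1:",
          allowed_local(now, timezone(timedelta(hours=1))))
    print("local semantics, client at UTC-7:",
          allowed_local(now, timezone(timedelta(hours=-7))))
    print("offsets that reopen the window:", bypass_offsets(now))
```

At that instant the UTC check denies, a client at UTC+1 is denied too, but a client that reports UTC-7 sees 15:30 on Monday and is allowed; the scan shows eleven of the twenty-seven possible offsets reopen the window. The point is only about where the comparison happens and whose clock and zone it trusts, not about any specific client platform.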