[Freeipa-devel] Time-based account policies

Martin Kosek mkosek at redhat.com
Mon Mar 9 15:08:46 UTC 2015


On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
> On Mon, 09 Mar 2015, Martin Kosek wrote:
...
> One of the bigger issues we had was the lack of a versatile iCal format parser to
> handle calendar-like specification of events -- we need to allow
> importing these ones instead of inventing our own.

Good point. I wonder how rigorous we want to be. iCal is a pretty powerful
calendaring format. If we want to implement full support for it, it would be
a lot of code both on server side for setting it and on client side for
evaluating it (CCing Jakub for reference).

AD itself has a much simpler UI for setting the access time, a table like that:
http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg

IIRC, they only store the bits of "can login/cannot login" for the time slots.
That's another alternative.

> Another issue is that often a rule does depend on details about a specific
> service -- it is common to have web services use a different timezone
> than the rest of the processes running on the server. You would get an HBAC
> rule where something like apache service is defined but you'd need to
> associate a timezone with it and have this association be specific to a
> server or group of servers rather than just a service itself.

An HBAC service is mostly only a PAM service, not an IPA service, so I do not think you
can easily store this information. But we can certainly store time zone
information in a host or a host group and let that help the hbactest-* or UI...
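
An added illustration, not part of the original message and not FreeIPA code: evaluating the "bits per time slot" alternative mentioned above against a time zone stored per host. The bitmap layout (21 bytes, one bit per hour, week starting Monday, least significant bit first), the fixed UTC offsets and the host names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

HOURS_PER_WEEK = 7 * 24          # 168 one-hour slots
BITMAP_LEN = HOURS_PER_WEEK // 8  # 21 bytes


def build_bitmap(allowed):
    """Build the weekly bitmap from (weekday, start_hour, end_hour) tuples.

    weekday is 0=Monday..6=Sunday, end_hour is exclusive. Hours are in the
    local time of whichever host the rule is later evaluated on.
    """
    bits = bytearray(BITMAP_LEN)
    for weekday, start, end in allowed:
        if not (0 <= weekday <= 6 and 0 <= start < end <= 24):
            raise ValueError(f"bad slot: {(weekday, start, end)}")
        for hour in range(start, end):
            slot = weekday * 24 + hour
            bits[slot // 8] |= 1 << (slot % 8)
    return bytes(bits)


def login_allowed(bitmap, when, host_tz):
    """Return True if 'when' falls in an allowed slot in the host's local time.

    Fails closed: a malformed bitmap or a naive (zone-less) timestamp denies
    access instead of guessing.
    """
    if len(bitmap) != BITMAP_LEN or when.tzinfo is None:
        return False
    local = when.astimezone(host_tz)
    slot = local.weekday() * 24 + local.hour
    return bool(bitmap[slot // 8] & (1 << (slot % 8)))


# Constructed sample data: Monday-Friday 08:00-18:00, and two hypothetical
# hosts whose time zone is stored on the host entry. Fixed offsets keep the
# example offline; named zones would be needed to follow DST.
OFFICE_HOURS = build_bitmap((day, 8, 18) for day in range(5))
HOST_TZ = {
    "web1.example.test": timezone(timedelta(hours=1)),
    "db1.example.test": timezone(timedelta(hours=-5)),
}

if __name__ == "__main__":
    now = datetime(2015, 3, 9, 7, 30, tzinfo=timezone.utc)  # a Monday
    for host, tz in HOST_TZ.items():
        print(host, login_allowed(OFFICE_HOURS, now, tz))
```

The same rule and the same instant give different answers on the two hosts, which is the reason the time zone has to be attached to the host or host group rather than to the rule.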



