[Freeipa-devel] Time-based account policies

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 9 15:13:58 UTC 2015


On Mon, 09 Mar 2015, Martin Kosek wrote:
>On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
>> On Mon, 09 Mar 2015, Martin Kosek wrote:
>...
>> One of the bigger issues we had was the lack of a versatile ical format parser to
>> handle calendar-like specification of events -- we need to allow
>> importing these instead of inventing our own.
>
>Good point. I wonder how rigorous we want to be. iCal is a pretty powerful
>calendaring format. If we want to implement full support for it, it would be
>a lot of code both on the server side for setting it and on the client side for
>evaluating it (CCing Jakub for reference).
>
>AD itself has much simpler UI for setting the access time, a table like that:
>http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg
>
>IIRC, they only store the bits of "can login/cannot login" for the time slots.
>That's another alternative.
>
>> Another issue is that often a rule does depend on details about a specific
>> service -- it is common for web services to use a different timezone
>> than the rest of the processes running on the server. You would get an HBAC
>> rule where something like the apache service is defined, but you'd need to
>> associate a timezone with it and have this association be specific to a
>> server or group of servers rather than just the service itself.
>
>An HBAC service is mostly only a PAM service, not an IPA service, so I do not think you
>can easily store this information there. But we can certainly store time zone
>information in a host or a host group and let that help the hbactest-* or UI...
I don't understand why you are involving IPA services here. HBAC rules
are only about PAM services, and PAM (HBAC) services are specific to the
hosts where they are in use. We aren't *that* contextual yet because
we didn't need that in the past, but having timezone info only per host is
wrong precisely because every single process on the host can be run
under a different timezone, as it is just a way of interpreting the monotone
time source data we get from the kernel.

-- 
/ Alexander Bokovoy
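As an added illustration of the two points raised above (the bit-per-time-slot alternative and the objection that the timezone must be attached to the service rather than assumed per host), here is a small Python evaluator that is not part of this thread or of FreeIPA. The 168-bit Monday-first layout, the 09:00-17:00 policy and the fixed-offset zones are constructed assumptions for the demo, not any product's actual encoding.

```python
from datetime import datetime, timedelta, timezone

HOURS_PER_WEEK = 7 * 24              # one bit per hour; bit 0 = Monday 00:00-01:00 (assumed layout)
SCHEDULE_BYTES = HOURS_PER_WEEK // 8  # 21 bytes


def build_schedule(allowed_ranges):
    """Build the bitmask from (weekday, start_hour, end_hour) half-open ranges.
    weekday follows datetime.weekday(): 0 = Monday ... 6 = Sunday."""
    bits = 0
    for weekday, start, end in allowed_ranges:
        if not (0 <= weekday <= 6 and 0 <= start < end <= 24):
            raise ValueError(f"bad range {(weekday, start, end)}")
        for hour in range(start, end):
            bits |= 1 << (weekday * 24 + hour)
    return bits.to_bytes(SCHEDULE_BYTES, "little")


def is_allowed(schedule, instant, tz):
    """Evaluate the schedule for a timezone-aware instant as seen in tz.
    The same instant lands in different slots under different timezones, so the
    zone has to come from the rule/service, not from a per-host guess."""
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    local = instant.astimezone(tz)
    slot = local.weekday() * 24 + local.hour
    return bool((schedule[slot // 8] >> (slot % 8)) & 1)


# Constructed sample policy: weekdays 09:00-17:00 in the service's own timezone.
BUSINESS_HOURS = build_schedule([(d, 9, 17) for d in range(5)])


def demo():
    """Two UTC instants evaluated under several fixed-offset service timezones."""
    utc, plus2, plus9, minus5 = (timezone.utc, timezone(timedelta(hours=2)),
                                 timezone(timedelta(hours=9)), timezone(timedelta(hours=-5)))
    mon_afternoon = datetime(2015, 3, 9, 16, 30, tzinfo=utc)  # Monday 16:30 UTC
    mon_early = datetime(2015, 3, 9, 1, 0, tzinfo=utc)        # Monday 01:00 UTC
    return {
        "afternoon_utc": is_allowed(BUSINESS_HOURS, mon_afternoon, utc),      # 16:30 Mon -> True
        "afternoon_plus2": is_allowed(BUSINESS_HOURS, mon_afternoon, plus2),  # 18:30 Mon -> False
        "afternoon_minus5": is_allowed(BUSINESS_HOURS, mon_afternoon, minus5),  # 11:30 Mon -> True
        "early_utc": is_allowed(BUSINESS_HOURS, mon_early, utc),              # 01:00 Mon -> False
        "early_plus9": is_allowed(BUSINESS_HOURS, mon_early, plus9),          # 10:00 Mon -> True
        "early_minus5": is_allowed(BUSINESS_HOURS, mon_early, minus5),        # 20:00 Sun -> False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Real deployments would replace the fixed offsets with named zones (e.g. zoneinfo) so DST transitions are handled per service.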
