[Freeipa-devel] Time-based account policies

Jakub Hrozek jhrozek at redhat.com
Mon Mar 9 17:13:18 UTC 2015


On Mon, Mar 09, 2015 at 04:08:46PM +0100, Martin Kosek wrote:
> On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
> > On Mon, 09 Mar 2015, Martin Kosek wrote:
> ...
> > One of the bigger issues we had was the lack of a versatile iCal format parser to
> > handle calendar-like specification of events -- we need to allow
> > importing these ones instead of inventing our own.
> 
> Good point. I wonder how rigorous we want to be. iCal is a pretty powerful
> calendaring format. If we want to implement full support for it, it would be
> a lot of code both on the server side for setting it and on the client side for
> evaluating it (CCing Jakub for reference).
> 
> AD itself has a much simpler UI for setting the access time, a table like this:
> http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg
> 
> IIRC, they only store the bits of "can login/cannot login" for the time slots.
> That's another alternative.

I don't think that's what Alexander meant. I don't think the client
library should come anywhere close to the iCal format. We might want to
provide a script to convert an external format, but that's about it.

I thought we could simply reuse parts of the previous grammar, maybe
simplified. But I agree with Nathaniel (as I stated also in the private
thread) that we should use UTC where possible.

> 
> > Another issue is that often a rule does depend on details about a specific
> > service -- it is common for web services to use a different timezone
> > than the rest of the processes running on the server. You would get an HBAC
> > rule where something like the apache service is defined but you'd need to
> > associate a timezone with it and have this association be specific to a
> > server or group of servers rather than just a service itself.
> 
> An HBAC service is mostly only a PAM service, not an IPA service, so I do not think you
> can easily store this information. But we can certainly store time zone
> information in a host or a host group and let that help the hbactest-* or UI...



