[Freeipa-devel] Time-based account policies

Simo Sorce simo at redhat.com
Mon Mar 9 19:45:29 UTC 2015


On Mon, 2015-03-09 at 18:13 +0100, Jakub Hrozek wrote:
> On Mon, Mar 09, 2015 at 04:08:46PM +0100, Martin Kosek wrote:
> > On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
> > > On Mon, 09 Mar 2015, Martin Kosek wrote:
> > ...
> > > One of the bigger issues we had was the lack of a versatile iCal format parser to
> > > handle calendar-like specification of events -- we need to allow
> > > importing these ones instead of inventing our own.
> > 
> > Good point. I wonder how rigorous we want to be. iCal is a pretty powerful
> > calendaring format. If we want to implement full support for it, it would be a
> > lot of code both on server side for setting it and on client side for
> > evaluating it (CCing Jakub for reference).
> > 
> > AD itself has much simpler UI for setting the access time, a table like that:
> > http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg
> > 
> > IIRC, they only store the bits of "can login/cannot login" for the time slots.
> > That's another alternative.
> 
> I don't think that's what Alexander meant, I don't think the client
> library should come anywhere close to the iCal format. We might want to
> provide a script to convert an external format, but that's about it.
> 
> I thought we could simply reuse parts of the previous grammar, maybe
> simplified. But I agree with Nathaniel (as I stated also in the private
> thread) that we should use UTC where possible.

Simplified == Kinda Broken.

We've been through this a few times already, it just doesn't work.
At a minimum you need to be able to select between UTC and "Local Time"
and it is a rathole down there (What time is it *here* may be a hard
question to answer :-/)

> > 
> > > Another issue is that often a rule does depend on details about a specific
> > > service -- it is common to have web services use a different timezone
> > > than the rest of the processes running on the server. You would get an HBAC
> > > rule where something like apache service is defined but you'd need to
> > > associate a timezone with it and have this association be specific to a
> > > server or group of servers rather than just a service itself.
> > 
> > An HBAC service is mostly only a PAM service, not an IPA service, so I do not think you
> > can easily store this information. But we can certainly store time zone
> > information in a host or a host group and let that help the hbactest-* or UI...
> 


-- 
Simo Sorce * Red Hat, Inc * New York
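
Added example, not part of the original message and not FreeIPA or SSSD code: a weekly allow/deny bitmap of the kind the thread attributes to AD, evaluated for one instant both as UTC slots and as host-local slots, to show why the choice between UTC and "Local Time" changes the access decision. The one-hour slot size, the policy, the host names and their fixed offsets are assumptions made for illustration; fixed offsets ignore DST, which a real implementation would need the tz database for.

```python
from datetime import datetime, timedelta, timezone

def make_bitmap(windows):
    """Build a 168-bit weekly bitmap, one bit per hour slot, Monday 00:00 = bit 0.

    windows: iterable of (weekday, start_hour, end_hour), end exclusive.
    """
    bits = 0
    for day, start, end in windows:
        if not (0 <= day <= 6 and 0 <= start < end <= 24):
            raise ValueError(f"bad window: {(day, start, end)}")
        for hour in range(start, end):
            bits |= 1 << (day * 24 + hour)
    return bits

def is_allowed(bitmap, instant, mode, host_offset=timedelta(0)):
    """Check the slot for an instant, reading slots as UTC or host-local hours."""
    if instant.tzinfo is None:
        raise ValueError("naive datetime: refusing to guess a timezone")
    if mode == "utc":
        t = instant.astimezone(timezone.utc)
    elif mode == "local":
        t = instant.astimezone(timezone(host_offset))
    else:
        raise ValueError(f"unknown mode: {mode}")
    slot = t.weekday() * 24 + t.hour
    return bool((bitmap >> slot) & 1)

# Constructed policy: Monday to Friday, 09:00-17:00.
OFFICE_HOURS = make_bitmap((day, 9, 17) for day in range(5))

# Constructed hosts, modeled as fixed offsets (assumption: no DST handling).
HOSTS = {"host-minus4": timedelta(hours=-4), "host-plus9": timedelta(hours=9)}

def decisions(instant):
    """Return the allow/deny decision per interpretation for one instant."""
    result = {"utc": is_allowed(OFFICE_HOURS, instant, "utc")}
    for name, offset in HOSTS.items():
        result[name] = is_allowed(OFFICE_HOURS, instant, "local", offset)
    return result

if __name__ == "__main__":
    monday_evening_utc = datetime(2015, 3, 9, 19, 45, tzinfo=timezone.utc)
    for interpretation, allowed in decisions(monday_evening_utc).items():
        print(f"{interpretation:12} {'allow' if allowed else 'deny'}")
```

The same stored rule allows the login on one host and denies it on the others at the same instant, and an offset can also move the instant into a different weekday slot.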



