[Freeipa-devel] Time-based account policies

Simo Sorce simo at redhat.com
Tue Mar 10 14:17:24 UTC 2015


On Tue, 2015-03-10 at 15:00 +0100, Martin Kosek wrote:
> On 03/09/2015 07:22 PM, Alexander Bokovoy wrote:
> > On Mon, 09 Mar 2015, Jakub Hrozek wrote:
> >> On Mon, Mar 09, 2015 at 04:08:46PM +0100, Martin Kosek wrote:
> >>> On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
> >>> > On Mon, 09 Mar 2015, Martin Kosek wrote:
> >>> ...
> >>> > One of the bigger issues we had was the lack of a versatile iCal format parser to
> >>> > handle calendar-like specification of events -- we need to allow
> >>> > importing these ones instead of inventing our own.
> >>>
> >>> Good point. I wonder how rigorous we want to be. iCal is a pretty powerful
> >>> calendaring format. If we want to implement full support for it, it would be
> >>> a lot of code both on server side for setting it and on client side for
> >>> evaluating it (CCing Jakub for reference).
> >>>
> >>> AD itself has much simpler UI for setting the access time, a table like that:
> >>> http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg
> >>>
> >>>
> >>> IIRC, they only store the bits of "can login/cannot login" for the time slots.
> >>> That's another alternative.
> >>
> >> I don't think that's what Alexander meant, I don't think the client
> >> library should come anywhere close to the iCal format. We might want to
> >> provide a script to convert an external format, but that's about it.
> >>
> >> I thought we could simply reuse parts of the previous grammar, maybe
> >> simplified. But I agree with Nathaniel (as I stated also in the private
> >> thread) that we should use UTC where possible.
> > Yes and no. Let me go into detail a bit.
> > 
> > We need iCal support to allow importing events created by external
> > tools. We don't need to use it as internal format.
> 
> Can you please share a bit what events you have in mind? We are talking about
> HBAC access rules, so I am not sure what you want to import.
> 
> Is this for use cases like - I have a recurring Linux learning lab, I want
> all participants to be able to log in to this system during the lab run?

You still need this, if you really want time based rules, then pretty
soon you'll get requests to add special exceptions, like holidays, and
who knows what else.

Last time around we came to the conclusion that this was very
complicated and dropped it for that reason. A non-complicated tool is
too simple to be useful, a complete one was deemed too complicated to
implement.

Damned if you do, damned if you don't.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
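
The simple end of the trade-off discussed in this thread, as an added example that is not part of the original message and is not FreeIPA or AD code: a weekly per-hour allow bitmap evaluated in UTC, with a set of denied dates bolted on for the holiday case. The bit layout, the names make_mask, may_log_in and denied_dates, and the sample rule and dates are assumptions made for illustration.

```python
from datetime import date, datetime, timedelta, timezone

HOURS_PER_WEEK = 7 * 24  # one bit per hour slot, slot 0 = Monday 00:00 UTC (assumed layout)


def make_mask(windows):
    """Build a 168-bit weekly mask from (weekday, start_hour, end_hour) tuples.

    weekday follows datetime.weekday() (0 = Monday); end_hour is exclusive.
    """
    mask = 0
    for weekday, start, end in windows:
        if not (0 <= weekday < 7 and 0 <= start < end <= 24):
            raise ValueError(f"bad window: {(weekday, start, end)}")
        for hour in range(start, end):
            mask |= 1 << (weekday * 24 + hour)
    return mask


def may_log_in(mask, when, denied_dates=frozenset()):
    """Return True if `when` falls in an allowed slot and not on a denied date.

    `when` must be timezone-aware; it is normalised to UTC before evaluation,
    so the rule means the same thing on every client regardless of local zone.
    """
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("naive datetime: refuse to guess the time zone")
    utc = when.astimezone(timezone.utc)
    if utc.date() in denied_dates:  # the exception list overrides the weekly mask
        return False
    slot = utc.weekday() * 24 + utc.hour
    return bool((mask >> slot) & 1)


# Constructed sample rule: a lab that runs Tuesdays 13:00-16:00 UTC,
# with one constructed "holiday" on which the lab does not take place.
LAB_MASK = make_mask([(1, 13, 16)])
HOLIDAYS = frozenset({date(2015, 3, 17)})

if __name__ == "__main__":
    for ts in (
        datetime(2015, 3, 10, 14, 17, tzinfo=timezone.utc),   # Tuesday, in window
        datetime(2015, 3, 10, 16, 0, tzinfo=timezone.utc),    # Tuesday, just after
        datetime(2015, 3, 17, 14, 0, tzinfo=timezone.utc),    # Tuesday, denied date
        datetime(2015, 3, 10, 10, 30, tzinfo=timezone(timedelta(hours=-4))),
    ):
        print(ts.isoformat(), may_log_in(LAB_MASK, ts, HOLIDAYS))
```

Each further kind of exception (one-off extra sessions, per-site calendars, rules stated in local time) needs another side structure like denied_dates, since the weekly mask itself cannot express them.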



