[Freeipa-devel] Time-based account policies

Gabe Alford redhatrises at gmail.com
Tue Mar 10 16:11:57 UTC 2015


On Tue, Mar 10, 2015 at 9:51 AM, Stanislav Láznička <slaz at seznam.cz> wrote:

> On 03/10/2015 04:06 PM, Jakub Hrozek wrote:
>
>> On Tue, Mar 10, 2015 at 03:47:10PM +0100, Martin Kosek wrote:
>>
>>>> This is where importing iCal is helpful because it allows you to
>>>> outsource the task of creating such event to something else.
>>>>
>>>> Parsing event information would produce a rule definition we would store
>>>> and SSSD would apply as HBAC rule. However, we don't need to provide
>>>> a complex UI ourselves to define such rules. Instead, we can do a simple
>>>> UI to create rules plus a UI to import rules defined in iCal by some
>>>> other software. The rest is visualizing HBAC time/date rules which is
>>>> separate from dealing with complexity of creating or importing rules.
>>>>
>>>> Additionally, for iCal-based imports we can utilize participants
>>>> information from the iCal to automatically set up members of the rule
>>>> (based on mail attribute).
>>>>
>>> Ah, makes sense to me.
>>>
>>> With all the possibilities that iCal format offers, we would more or
>>> less end up storing iCal in HBAC rules (or our own format of iCal). I am
>>> just concerned it would make processing on the SSSD side a bit complex,
>>> especially in the security-sensitive piece for authorization rules.
>>>
>>> We may need to use libraries for processing iCal rules, like libical
>>> (http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...
>>>
>> Is that what Alexander said, though? In his reply, I see:
>>      "Parsing event information would produce a rule definition we would
>>      store and SSSD would apply as HBAC rule".
>>
> This is what kind of worried me, too. If I understand it well, this means
> you would have iCal events such as holidays (these were mentioned before),
> and you would like to generate HBAC rules based on these events. Those
> rules would, however, be different for each country (if this is still about
> holidays) and might collide among user and host groups. Therefore, you
> would have lots and lots of rules in the end, wouldn't you?
>
> I wonder if anyone does that. From what I've seen in AD and 389 Directory
> Server, time-based rules are being stored in a rather simple manner. I
> don't mind a more complex solution but I think such exceptions might be a
> little too much. But I might not have understood the idea very well.


This is my understanding as well. If using AD as the example, there are two
ways that time-based rules are configured:
     1. Permit logon hours during a specified timeframe on specified day(s)
of the week.
     2. Deny logon hours during a specified timeframe on specified day(s) of
the week.

There is nothing about holidays. I think that implementing holidays and
special exemptions should be avoided.

Just my 2 cents.

Gabe


>> I don't think iCal dependency is something we want in SSSD, the
>> rules should be converted from iCal to SSSD format in a layer atop
>> libipa_hbac..
>>
>>
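The "permit/deny logon hours on given days of the week" model Gabe describes above, worked through as an added example that is not part of this thread and not FreeIPA, SSSD or AD code. It encodes the rules as a fixed-size hour-of-week bitmap and evaluates a login time against it; the 21-byte, 168-bit, LSB-first, UTC, Sunday-first layout follows my understanding of AD's `logonHours` attribute and is stated as an assumption here, as are the sample rules and timestamps. The point it illustrates is the one made in the thread: deny-wins-over-permit windows need no calendar parsing in the enforcement path, only a bit test after converting the login time to UTC.

```python
"""Time-of-week logon windows as a 168-bit bitmap (AD logonHours-style).

Example code, not FreeIPA/SSSD/AD code. Assumption: AD stores logonHours as
21 bytes = 168 bits, one bit per hour of the week, bit 0 = Sunday 00:00-01:00
UTC, least-significant bit first within each byte.
"""
from datetime import datetime, timezone

HOURS_PER_WEEK = 7 * 24          # 168 bits -> 21 bytes
BITMAP_BYTES = HOURS_PER_WEEK // 8
DAYS = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}


def window_bits(days, start_hour, end_hour):
    """Hour-of-week indices covered by [start_hour, end_hour) on each day."""
    if not 0 <= start_hour < end_hour <= 24:
        raise ValueError("hours must satisfy 0 <= start < end <= 24")
    bits = set()
    for day in days:
        base = DAYS[day] * 24
        bits.update(range(base + start_hour, base + end_hour))
    return bits


def build_allowed_hours(permit_rules, deny_rules):
    """Union of permit windows minus union of deny windows (deny wins)."""
    allowed = set()
    for rule in permit_rules:
        allowed |= window_bits(*rule)
    for rule in deny_rules:
        allowed -= window_bits(*rule)
    return allowed


def to_logon_hours(allowed):
    """Encode a set of hour indices as the 21-byte bitmap."""
    buf = bytearray(BITMAP_BYTES)
    for i in allowed:
        if not 0 <= i < HOURS_PER_WEEK:
            raise ValueError("hour index out of range")
        buf[i // 8] |= 1 << (i % 8)
    return bytes(buf)


def from_logon_hours(raw):
    """Decode the 21-byte bitmap back into a set of hour indices."""
    if len(raw) != BITMAP_BYTES:
        raise ValueError("logonHours bitmap must be exactly 21 bytes")
    return {i for i in range(HOURS_PER_WEEK) if (raw[i // 8] >> (i % 8)) & 1}


def hour_index(ts):
    """Hour-of-week index of an aware datetime (or ISO-8601 string), in UTC.

    Naive timestamps are rejected: silently assuming a local zone is exactly
    the kind of ambiguity that lets a window apply at the wrong time.
    """
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    ts = ts.astimezone(timezone.utc)
    day = (ts.weekday() + 1) % 7     # Python: Monday=0; bitmap: Sunday=0
    return day * 24 + ts.hour


def logon_allowed(raw, ts):
    """True if the login time falls in an hour whose bit is set."""
    return hour_index(ts) in from_logon_hours(raw)


# Constructed sample policy: business hours Mon-Fri, with a Wednesday
# maintenance hour denied on top.
EXAMPLE_PERMIT = [(("mon", "tue", "wed", "thu", "fri"), 8, 18)]
EXAMPLE_DENY = [(("wed",), 12, 13)]


def example_bitmap():
    return to_logon_hours(build_allowed_hours(EXAMPLE_PERMIT, EXAMPLE_DENY))


if __name__ == "__main__":
    raw = example_bitmap()
    print(raw.hex())
    # 10 Mar 2015 (the date of this thread) was a Tuesday.
    for when in ("2015-03-10T09:00:00+00:00",   # Tue 09:00 UTC -> allowed
                 "2015-03-11T12:30:00+00:00",   # Wed 12:30 UTC -> denied
                 "2015-03-10T01:00:00+03:00",   # Mon 22:00 UTC -> denied
                 "2015-03-14T10:00:00+00:00"):  # Sat -> denied
        print(when, logon_allowed(raw, when))
```

Note the two places where a naive implementation goes wrong: the bitmap is defined in UTC, so the login timestamp must be converted (not assumed) before indexing, and deny windows are subtracted after all permits are unioned so that overlapping rules resolve the same way regardless of ordering.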
