[Freeipa-devel] Time-based account policies
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 10 16:18:34 UTC 2015
On Tue, 10 Mar 2015, John Dennis wrote:
>On 03/10/2015 11:06 AM, Jakub Hrozek wrote:
>>> We may need to use libraries for processing iCal rules, like libical
>>> (http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...
>>
>> Is that what Alexander said, though? In his reply, I see:
>> "Parsing event information would produce a rule definition we would
>> store and SSSD would apply as HBAC rule".
>>
>> I don't think iCal dependency is something we want in SSSD, the
>> rules should be converted from iCal to SSSD format in a layer atop
>> libipa_hbac..
>
>But doesn't the iCal rule have to be evaluated in SSSD? If so that
>requires linking against libical, right?
That's why I'm saying we import iCal in IPA, not that we keep using iCal
as internal representation of time/date information for HBAC rules.
I don't really want to impose iCal horror on HBAC rule parsing engine.
I believe we can do simpler and better, given HBAC is all about ALLOW
rules on the base of default DENY action.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list