[Freeipa-devel] Time-based account policies

Jakub Hrozek jhrozek at redhat.com
Tue Mar 24 07:20:07 UTC 2015


On Tue, Mar 24, 2015 at 08:07:53AM +0100, Martin Kosek wrote:
> On 03/24/2015 07:16 AM, Jan Cholasta wrote:
> > On 23.3.2015 at 20:17, Standa Láznička wrote:
> ...
> >>> Given the above, HBAC rules could contain (time, anchor), where anchor
> >>> is "UTC", "user local time" or "host local time".
> >> Truth is, it was not really clear to me from the last week's discussion
> >> whose "Local Time" to use - do we use host's or do we use user's?  It
> >> would make sense to me to use the user's local time. But then you would
> >> need to really store at least the timezone information with each user
> >> object. And that information should probably change with user moving
> >> between different timezones. That's quite a pickle I am in right here.
> > 
> > IMO whether to use user or host local time depends on organization local
> > policy, hence my suggestion to support both.
> 
> I am a bit confused, I would like to make sure we are on the same page with
> regards to Local Time. When the Local Time rule is created, anchor will be set
> to "Local Time". Then SSSD would simply use host's local time, in whichever
> time zone the HBAC host is.

Yes, that was my understanding also.

> 
> So this is the default host enforcement. For the user, you want to let SSSD
> check authenticated user's entry, to see if there is a timezone information?
> This would of course depend on the information being available. For AD users,
> you would need to set it in ID Views or similar.

Yes, also in a previous e-mail, there was a suggestion to change
timezones by admin when the user changes timezones -- I didn't like that
part, it seems really error prone and tedious. *If* there was this
choice, it should not be the default, rather the default should also be
host local time IMO.
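
An added illustration, not part of the original message and not FreeIPA or SSSD code: how one (time, anchor) rule evaluates at a single instant under each of the three anchors discussed in this thread. The function names, the fixed-offset zones, the 08:00-18:00 window and the choice to deny when the user entry carries no timezone are all assumptions of this example.

```python
from datetime import datetime, time, timedelta, timezone
from enum import Enum
from typing import Optional


class Anchor(Enum):
    UTC = "UTC"
    HOST_LOCAL = "host local time"
    USER_LOCAL = "user local time"


def in_window(local: time, start: time, end: time) -> bool:
    """True if local is in [start, end); handles windows that wrap past midnight."""
    if start <= end:
        return start <= local < end
    return local >= start or local < end


def access_allowed(now_utc: datetime, start: time, end: time, anchor: Anchor,
                   host_tz: timezone, user_tz: Optional[timezone]) -> bool:
    """Evaluate one (time, anchor) rule at the instant now_utc."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    if anchor is Anchor.UTC:
        tz = timezone.utc
    elif anchor is Anchor.HOST_LOCAL:
        tz = host_tz
    else:
        # Assumption of this example: no timezone on the user entry -> deny.
        if user_tz is None:
            return False
        tz = user_tz
    # Convert the instant into the anchor's zone, then compare wall-clock time.
    return in_window(now_utc.astimezone(tz).time(), start, end)


# Constructed sample: host at UTC+1, user at UTC-5 (fixed offsets, no DST rules).
HOST_TZ = timezone(timedelta(hours=1))
USER_TZ = timezone(timedelta(hours=-5))
NOW = datetime(2015, 3, 24, 7, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for a in Anchor:
        print(a.value, access_allowed(NOW, time(8), time(18), a, HOST_TZ, USER_TZ))
```

The same instant is allowed only under the host anchor here, which is why the choice of default anchor changes who can log in and when.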



